fix: small conflicts

chore: switching env var for NB_PROXY_DOMAIN
chore: build
2026-04-01 23:23:54 -04:00 · 2026-02-12 18:41:57 +01:00 · 2026-02-12 18:35:30 +01:00 · 2026-02-12 17:42:03 +01:00 · 2026-02-12 17:18:23 +01:00 · 2026-02-12 17:18:23 +01:00
499 changed files with 8108 additions and 66574 deletions
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,14 +0,0 @@
-blank_issues_enabled: true
-contact_links:
-  - name: Community Support
-    url: https://forum.netbird.io/
-    about: Community support forum
-  - name: Cloud Support
-    url: https://docs.netbird.io/help/report-bug-issues
-    about: Contact us for support
-  - name: Client/Connection Troubleshooting
-    url: https://docs.netbird.io/help/troubleshooting-client
-    about: See our client troubleshooting guide for help addressing common issues
-  - name: Self-host Troubleshooting
-    url: https://docs.netbird.io/selfhosted/troubleshooting
-    about: See our self-host troubleshooting guide for help addressing common issues
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -39,7 +39,7 @@ jobs:
            else
              echo "✓ No problematic dependencies found"
            fi
-          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name "combined" -not -name ".git*" | sort)
+          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name ".git*" | sort)

          echo ""
          if [ $FOUND_ISSUES -eq 1 ]; then
@@ -88,7 +88,7 @@ jobs:
              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")

              # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" | head -1)

              if [ -n "$BSD_IMPORTER" ]; then
                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -43,5 +43,5 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy)

--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -97,16 +97,6 @@ jobs:
        working-directory: relay
        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .

-      - name: Build combined
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build combined 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 GOARCH=386 go build -o combined-386 .
-
  test:
    name: "Client / Unit"
    needs: [build-cache]
@@ -154,7 +144,7 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy)

  test_client_on_docker:
    name: "Client (Docker) / Unit"
@@ -214,7 +204,7 @@ jobs:
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /client/ui -e /upload-server)
            '

  test_relay:
@@ -409,19 +399,12 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
-
      - name: download mysql image
        if: matrix.store == 'mysql'
        run: docker pull mlsmaycon/warmed-mysql:8
@@ -504,18 +487,15 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
        run: |
@@ -596,18 +576,15 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
        run: |
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -63,15 +63,10 @@ jobs:
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - name: Generate test script
-        run: |
-          $packages = go list ./... | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' }
-          $goExe = "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe"
-          $cmd = "$goExe test -tags=devcert -timeout 10m -p 1 $($packages -join ' ') > test-out.txt 2>&1"
-          Set-Content -Path "${{ github.workspace }}\run-tests.cmd" -Value $cmd
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' })" >> $env:GITHUB_ENV

      - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "${{ github.workspace }}\run-tests.cmd"
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
      - name: test output
        if: ${{ always() }}
        run: Get-Content test-out.txt
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,7 +19,7 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans
          skip: go.mod,go.sum,**/proxy/web/**
  golangci:
    strategy:
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -1,51 +0,0 @@
-name: PR Title Check
-
-on:
-  pull_request:
-    types: [opened, edited, synchronize, reopened]
-
-jobs:
-  check-title:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Validate PR title prefix
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const title = context.payload.pull_request.title;
-            const allowedTags = [
-              'management',
-              'client',
-              'signal',
-              'proxy',
-              'relay',
-              'misc',
-              'infrastructure',
-              'self-hosted',
-              'doc',
-            ];
-
-            const pattern = /^\[([^\]]+)\]\s+.+/;
-            const match = title.match(pattern);
-
-            if (!match) {
-              core.setFailed(
-                `PR title must start with a tag in brackets.\n` +
-                `Example: [client] fix something\n` +
-                `Allowed tags: ${allowedTags.join(', ')}`
-              );
-              return;
-            }
-
-            const tags = match[1].split(',').map(t => t.trim().toLowerCase());
-
-            const invalid = tags.filter(t => !allowedTags.includes(t));
-            if (invalid.length > 0) {
-              core.setFailed(
-                `Invalid tag(s): ${invalid.join(', ')}\n` +
-                `Allowed tags: ${allowedTags.join(', ')}`
-              );
-              return;
-            }
-
-            console.log(`Valid PR title tags: [${tags.join(', ')}]`);
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,7 +10,7 @@ on:

 env:
  SIGN_PIPE_VER: "v0.1.1"
-  GORELEASER_VER: "v2.14.3"
+  GORELEASER_VER: "v2.3.2"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"

@@ -160,7 +160,7 @@ jobs:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@@ -169,14 +169,6 @@ jobs:
      - name: Install OS build dependencies
        run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu

-      - name: Decode GPG signing key
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        env:
-          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
-        run: |
-          echo "$GPG_RPM_PRIVATE_KEY" | base64 -d > /tmp/gpg-rpm-signing-key.asc
-          echo "GPG_RPM_KEY_FILE=/tmp/gpg-rpm-signing-key.asc" >> $GITHUB_ENV
-
      - name: Install goversioninfo
        run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
      - name: Generate windows syso amd64
@@ -184,7 +176,6 @@ jobs:
      - name: Generate windows syso arm64
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
-        id: goreleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
@@ -194,55 +185,6 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
-          NFPM_NETBIRD_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
-      - name: Verify RPM signatures
-        run: |
-          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
-            dnf install -y -q rpm-sign curl >/dev/null 2>&1
-            curl -sSL https://pkgs.netbird.io/yum/repodata/repomd.xml.key -o /tmp/rpm-pub.key
-            rpm --import /tmp/rpm-pub.key
-            echo "=== Verifying RPM signatures ==="
-            for rpm_file in /dist/*amd64*.rpm; do
-              [ -f "$rpm_file" ] || continue
-              echo "--- $(basename $rpm_file) ---"
-              rpm -K "$rpm_file"
-            done
-          '
-      - name: Clean up GPG key
-        if: always()
-        run: rm -f /tmp/gpg-rpm-signing-key.asc
-      - name: Tag and push images (amd64 only)
-        if: |
-          (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
-          (github.event_name == 'push' && github.ref == 'refs/heads/main')
-        run: |
-          resolve_tags() {
-            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              echo "pr-${{ github.event.pull_request.number }}"
-            else
-              echo "main sha-$(git rev-parse --short HEAD)"
-            fi
-          }
-
-          tag_and_push() {
-            local src="$1" img_name tag dst
-            img_name="${src%%:*}"
-            for tag in $(resolve_tags); do
-              dst="${img_name}:${tag}"
-              echo "Tagging ${src} -> ${dst}"
-              docker tag "$src" "$dst"
-              docker push "$dst"
-            done
-          }
-
-          export -f tag_and_push resolve_tags
-
-          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
-            grep '^ghcr.io/' | while read -r SRC; do
-              tag_and_push "$SRC"
-            done
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
@@ -309,14 +251,6 @@ jobs:
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64

-      - name: Decode GPG signing key
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        env:
-          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
-        run: |
-          echo "$GPG_RPM_PRIVATE_KEY" | base64 -d > /tmp/gpg-rpm-signing-key.asc
-          echo "GPG_RPM_KEY_FILE=/tmp/gpg-rpm-signing-key.asc" >> $GITHUB_ENV
-
      - name: Install LLVM-MinGW for ARM64 cross-compilation
        run: |
          cd /tmp
@@ -341,24 +275,6 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
-          NFPM_NETBIRD_UI_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
-      - name: Verify RPM signatures
-        run: |
-          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
-            dnf install -y -q rpm-sign curl >/dev/null 2>&1
-            curl -sSL https://pkgs.netbird.io/yum/repodata/repomd.xml.key -o /tmp/rpm-pub.key
-            rpm --import /tmp/rpm-pub.key
-            echo "=== Verifying RPM signatures ==="
-            for rpm_file in /dist/*.rpm; do
-              [ -f "$rpm_file" ] || continue
-              echo "--- $(basename $rpm_file) ---"
-              rpm -K "$rpm_file"
-            done
-          '
-      - name: Clean up GPG key
-        if: always()
-        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -61,8 +61,8 @@ jobs:

          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"

-          if [ ${SIZE} -gt 58720256 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
+          if [ ${SIZE} -gt 57671680 ]; then
+            echo "Wasm binary size (${SIZE_MB}MB) exceeds 55MB limit!"
            exit 1
          fi

--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -106,26 +106,6 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"

-  - id: netbird-server
-    dir: combined
-    env:
-      - CGO_ENABLED=1
-      - >-
-        {{- if eq .Runtime.Goos "linux" }}
-          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
-          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
-        {{- end }}
-    binary: netbird-server
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
  - id: netbird-upload
    dir: upload-server
    env: [CGO_ENABLED=0]
@@ -140,20 +120,6 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"

-  - id: netbird-proxy
-    dir: proxy/cmd/proxy
-    env: [CGO_ENABLED=0]
-    binary: netbird-proxy
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
 universal_binaries:
  - id: netbird

@@ -171,13 +137,13 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
-    license: BSD-3-Clause
-    id: netbird_deb
+    id: netbird-deb
    bindir: /usr/bin
    builds:
      - netbird
    formats:
      - deb
+
    scripts:
      postinstall: "release_files/post_install.sh"
      preremove: "release_files/pre_remove.sh"
@@ -185,19 +151,16 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
-    license: BSD-3-Clause
-    id: netbird_rpm
+    id: netbird-rpm
    bindir: /usr/bin
    builds:
      - netbird
    formats:
      - rpm
+
    scripts:
      postinstall: "release_files/post_install.sh"
      preremove: "release_files/pre_remove.sh"
-    rpm:
-      signature:
-        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
 dockers:
  - image_templates:
      - netbirdio/netbird:{{ .Version }}-amd64
@@ -557,104 +520,6 @@ dockers:
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-    ids:
-      - netbird-server
-    goarch: amd64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-    ids:
-      - netbird-server
-    goarch: arm64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-    ids:
-      - netbird-server
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-    ids:
-      - netbird-proxy
-    goarch: amd64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-    ids:
-      - netbird-proxy
-    goarch: arm64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-    ids:
-      - netbird-proxy
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
  - name_template: netbirdio/netbird:{{ .Version }}
    image_templates:
@@ -733,18 +598,6 @@ docker_manifests:
      - netbirdio/upload:{{ .Version }}-arm
      - netbirdio/upload:{{ .Version }}-amd64

-  - name_template: netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/netbird-server:latest
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
@@ -822,43 +675,6 @@ docker_manifests:
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:latest
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
 brews:
  - ids:
      - default
@@ -879,7 +695,7 @@ brews:
 uploads:
  - name: debian
    ids:
-      - netbird_deb
+      - netbird-deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -887,7 +703,7 @@ uploads:

  - name: yum
    ids:
-      - netbird_rpm
+      - netbird-rpm
    mode: archive
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -61,7 +61,7 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
    homepage: https://netbird.io/
-    id: netbird_ui_deb
+    id: netbird-ui-deb
    package_name: netbird-ui
    builds:
      - netbird-ui
@@ -80,7 +80,7 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
    homepage: https://netbird.io/
-    id: netbird_ui_rpm
+    id: netbird-ui-rpm
    package_name: netbird-ui
    builds:
      - netbird-ui
@@ -95,14 +95,11 @@ nfpms:
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
-    rpm:
-      signature:
-        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'

 uploads:
  - name: debian
    ids:
-      - netbird_ui_deb
+      - netbird-ui-deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -110,7 +107,7 @@ uploads:

  - name: yum
    ids:
-      - netbird_ui_rpm
+      - netbird-ui-rpm
    mode: archive
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
--- a/CONTRIBUTOR_LICENSE_AGREEMENT.md
+++ b/CONTRIBUTOR_LICENSE_AGREEMENT.md
@@ -1,7 +1,7 @@
 ##  Contributor License Agreement

 This Contributor License Agreement (referred to as the "Agreement") is entered into by the individual 
-submitting this Agreement and NetBird GmbH, Brunnenstraße 196, 10119 Berlin, Germany, 
+submitting this Agreement and NetBird GmbH, c/o Max-Beer-Straße 2-4 Münzstraße 12 10178 Berlin, Germany, 
 referred to as "NetBird" (collectively, the "Parties"). The Agreement outlines the terms and conditions 
 under which NetBird may utilize software contributions provided by the Contributor for inclusion in 
 its software development projects. By submitting this Agreement, the Contributor confirms their acceptance 
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/, relay/ and combined/.
+This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.

 BSD 3-Clause License
--- a/README.md
+++ b/README.md
@@ -126,7 +126,6 @@ See a complete [architecture overview](https://docs.netbird.io/about-netbird/how
 ### Community projects
 -  [NetBird installer script](https://github.com/physk/netbird-installer)
 -  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
-  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings

 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest

-FROM alpine:3.23.3
+FROM alpine:3.23.2
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
    bash \
@@ -17,7 +17,8 @@ ENV \
    NETBIRD_BIN="/usr/local/bin/netbird" \
    NB_LOG_FILE="console,/var/log/netbird/client.log" \
    NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
-    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
+    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
+    NB_ENTRYPOINT_LOGIN_TIMEOUT="5"

 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

--- a/client/Dockerfile-rootless
+++ b/client/Dockerfile-rootless
@@ -23,7 +23,8 @@ ENV \
    NB_DAEMON_ADDR="unix:///var/lib/netbird/netbird.sock" \
    NB_LOG_FILE="console,/var/lib/netbird/client.log" \
    NB_DISABLE_DNS="true" \
-    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
+    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
+    NB_ENTRYPOINT_LOGIN_TIMEOUT="1"

 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

--- a/client/android/client.go
+++ b/client/android/client.go
@@ -124,7 +124,7 @@ func (c *Client) Run(platformFiles PlatformFiles, urlOpener URLOpener, isAndroid

 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, false)
 	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile)
 }

@@ -157,7 +157,7 @@ func (c *Client) RunWithoutLogin(platformFiles PlatformFiles, dns *DNSList, dnsR

 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, false)
 	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile)
 }

@@ -205,7 +205,7 @@ func (c *Client) PeersList() *PeerInfoArray {
 		pi := PeerInfo{
 			p.IP,
 			p.FQDN,
-			int(p.ConnStatus),
+			p.ConnStatus.String(),
 			PeerRoutes{routes: maps.Keys(p.GetRoutes())},
 		}
 		peerInfos[n] = pi
--- a/client/android/env_list.go
+++ b/client/android/env_list.go
@@ -1,19 +1,10 @@
 package android

-import (
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
+import "github.com/netbirdio/netbird/client/internal/peer"

 var (
-	// EnvKeyNBForceRelay Exported for Android java client to force relay connections
+	// EnvKeyNBForceRelay Exported for Android java client
 	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
-
-	// EnvKeyNBLazyConn Exported for Android java client to configure lazy connection
-	EnvKeyNBLazyConn = lazyconn.EnvEnableLazyConn
-
-	// EnvKeyNBInactivityThreshold Exported for Android java client to configure connection inactivity threshold
-	EnvKeyNBInactivityThreshold = lazyconn.EnvInactivityThreshold
 )

 // EnvList wraps a Go map for export to Java
--- a/client/android/peer_notifier.go
+++ b/client/android/peer_notifier.go
@@ -2,20 +2,11 @@

 package android

-import "github.com/netbirdio/netbird/client/internal/peer"
-
-// Connection status constants exported via gomobile.
-const (
-	ConnStatusIdle       = int(peer.StatusIdle)
-	ConnStatusConnecting = int(peer.StatusConnecting)
-	ConnStatusConnected  = int(peer.StatusConnected)
-)
-
 // PeerInfo describe information about the peers. It designed for the UI usage
 type PeerInfo struct {
 	IP         string
 	FQDN       string
-	ConnStatus int
+	ConnStatus string // Todo replace to enum
 	Routes     PeerRoutes
 }

--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -181,11 +181,10 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	if stateWasDown {
 		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("netbird up")
-			time.Sleep(time.Second * 10)
+			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 		}
+		cmd.Println("netbird up")
+		time.Sleep(time.Second * 10)
 	}

 	initialLevelTrace := initialLogLevel.GetLevel() >= proto.LogLevel_TRACE
@@ -200,10 +199,9 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	}

 	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-		cmd.PrintErrf("Failed to bring service down: %v\n", status.Convert(err).Message())
-	} else {
-		cmd.Println("netbird down")
+		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 	}
+	cmd.Println("netbird down")

 	time.Sleep(1 * time.Second)

@@ -211,14 +209,13 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	if _, err := client.SetSyncResponsePersistence(cmd.Context(), &proto.SetSyncResponsePersistenceRequest{
 		Enabled: true,
 	}); err != nil {
-		cmd.PrintErrf("Failed to enable sync response persistence: %v\n", status.Convert(err).Message())
+		return fmt.Errorf("failed to enable sync response persistence: %v", status.Convert(err).Message())
 	}

 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-		cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
-	} else {
-		cmd.Println("netbird up")
+		return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 	}
+	cmd.Println("netbird up")

 	time.Sleep(3 * time.Second)

@@ -266,18 +263,16 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-			cmd.PrintErrf("Failed to restore service down state: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("netbird down")
+			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 		}
+		cmd.Println("netbird down")
 	}

 	if !initialLevelTrace {
 		if _, err := client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{Level: initialLogLevel.GetLevel()}); err != nil {
-			cmd.PrintErrf("Failed to restore log level: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("Log level restored to", initialLogLevel.GetLevel())
+			return fmt.Errorf("failed to restore log level: %v", status.Convert(err).Message())
 		}
+		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}

 	cmd.Printf("Local file:\n%s\n", resp.GetPath())
--- a/client/cmd/expose.go
+++ b/client/cmd/expose.go
@@ -1,286 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"os/signal"
-	"regexp"
-	"strconv"
-	"strings"
-	"syscall"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/client/internal/expose"
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util"
-)
-
-var pinRegexp = regexp.MustCompile(`^\d{6}$`)
-
-var (
-	exposePin          string
-	exposePassword     string
-	exposeUserGroups   []string
-	exposeDomain       string
-	exposeNamePrefix   string
-	exposeProtocol     string
-	exposeExternalPort uint16
-)
-
-var exposeCmd = &cobra.Command{
-	Use:   "expose <port>",
-	Short: "Expose a local port via the NetBird reverse proxy",
-	Args:  cobra.ExactArgs(1),
-	Example: `  netbird expose --with-password safe-pass 8080
-  netbird expose --protocol tcp 5432
-  netbird expose --protocol tcp --with-external-port 5433 5432
-  netbird expose --protocol tls --with-custom-domain tls.example.com 4443`,
-	RunE: exposeFn,
-}
-
-func init() {
-	exposeCmd.Flags().StringVar(&exposePin, "with-pin", "", "Protect the exposed service with a 6-digit PIN (e.g. --with-pin 123456)")
-	exposeCmd.Flags().StringVar(&exposePassword, "with-password", "", "Protect the exposed service with a password (e.g. --with-password my-secret)")
-	exposeCmd.Flags().StringSliceVar(&exposeUserGroups, "with-user-groups", nil, "Restrict access to specific user groups with SSO (e.g. --with-user-groups devops,Backend)")
-	exposeCmd.Flags().StringVar(&exposeDomain, "with-custom-domain", "", "Custom domain for the exposed service, must be configured to your account (e.g. --with-custom-domain myapp.example.com)")
-	exposeCmd.Flags().StringVar(&exposeNamePrefix, "with-name-prefix", "", "Prefix for the generated service name (e.g. --with-name-prefix my-app)")
-	exposeCmd.Flags().StringVar(&exposeProtocol, "protocol", "http", "Protocol to use: http, https, tcp, udp, or tls (e.g. --protocol tcp)")
-	exposeCmd.Flags().Uint16Var(&exposeExternalPort, "with-external-port", 0, "Public-facing external port on the proxy cluster (defaults to the target port for L4)")
-}
-
-// isClusterProtocol returns true for L4/TLS protocols that reject HTTP-style auth flags.
-func isClusterProtocol(protocol string) bool {
-	switch strings.ToLower(protocol) {
-	case "tcp", "udp", "tls":
-		return true
-	default:
-		return false
-	}
-}
-
-// isPortBasedProtocol returns true for pure port-based protocols (TCP/UDP)
-// where domain display doesn't apply. TLS uses SNI so it has a domain.
-func isPortBasedProtocol(protocol string) bool {
-	switch strings.ToLower(protocol) {
-	case "tcp", "udp":
-		return true
-	default:
-		return false
-	}
-}
-
-// extractPort returns the port portion of a URL like "tcp://host:12345", or
-// falls back to the given default formatted as a string.
-func extractPort(serviceURL string, fallback uint16) string {
-	u := serviceURL
-	if idx := strings.Index(u, "://"); idx != -1 {
-		u = u[idx+3:]
-	}
-	if i := strings.LastIndex(u, ":"); i != -1 {
-		if p := u[i+1:]; p != "" {
-			return p
-		}
-	}
-	return strconv.FormatUint(uint64(fallback), 10)
-}
-
-// resolveExternalPort returns the effective external port, defaulting to the target port.
-func resolveExternalPort(targetPort uint64) uint16 {
-	if exposeExternalPort != 0 {
-		return exposeExternalPort
-	}
-	return uint16(targetPort)
-}
-
-func validateExposeFlags(cmd *cobra.Command, portStr string) (uint64, error) {
-	port, err := strconv.ParseUint(portStr, 10, 32)
-	if err != nil {
-		return 0, fmt.Errorf("invalid port number: %s", portStr)
-	}
-	if port == 0 || port > 65535 {
-		return 0, fmt.Errorf("invalid port number: must be between 1 and 65535")
-	}
-
-	if !isProtocolValid(exposeProtocol) {
-		return 0, fmt.Errorf("unsupported protocol %q: must be http, https, tcp, udp, or tls", exposeProtocol)
-	}
-
-	if isClusterProtocol(exposeProtocol) {
-		if exposePin != "" || exposePassword != "" || len(exposeUserGroups) > 0 {
-			return 0, fmt.Errorf("auth flags (--with-pin, --with-password, --with-user-groups) are not supported for %s protocol", exposeProtocol)
-		}
-	} else if cmd.Flags().Changed("with-external-port") {
-		return 0, fmt.Errorf("--with-external-port is not supported for %s protocol", exposeProtocol)
-	}
-
-	if exposePin != "" && !pinRegexp.MatchString(exposePin) {
-		return 0, fmt.Errorf("invalid pin: must be exactly 6 digits")
-	}
-
-	if cmd.Flags().Changed("with-password") && exposePassword == "" {
-		return 0, fmt.Errorf("password cannot be empty")
-	}
-
-	if cmd.Flags().Changed("with-user-groups") && len(exposeUserGroups) == 0 {
-		return 0, fmt.Errorf("user groups cannot be empty")
-	}
-
-	return port, nil
-}
-
-func isProtocolValid(exposeProtocol string) bool {
-	switch strings.ToLower(exposeProtocol) {
-	case "http", "https", "tcp", "udp", "tls":
-		return true
-	default:
-		return false
-	}
-}
-
-func exposeFn(cmd *cobra.Command, args []string) error {
-	SetFlagsFromEnvVars(rootCmd)
-
-	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
-		log.Errorf("failed initializing log %v", err)
-		return err
-	}
-
-	cmd.Root().SilenceUsage = false
-
-	port, err := validateExposeFlags(cmd, args[0])
-	if err != nil {
-		return err
-	}
-
-	cmd.Root().SilenceUsage = true
-
-	ctx, cancel := context.WithCancel(cmd.Context())
-	defer cancel()
-
-	sigCh := make(chan os.Signal, 1)
-	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		<-sigCh
-		cancel()
-	}()
-
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		return fmt.Errorf("connect to daemon: %w", err)
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Debugf("failed to close daemon connection: %v", err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-
-	protocol, err := toExposeProtocol(exposeProtocol)
-	if err != nil {
-		return err
-	}
-
-	req := &proto.ExposeServiceRequest{
-		Port:       uint32(port),
-		Protocol:   protocol,
-		Pin:        exposePin,
-		Password:   exposePassword,
-		UserGroups: exposeUserGroups,
-		Domain:     exposeDomain,
-		NamePrefix: exposeNamePrefix,
-	}
-	if isClusterProtocol(exposeProtocol) {
-		req.ListenPort = uint32(resolveExternalPort(port))
-	}
-
-	stream, err := client.ExposeService(ctx, req)
-	if err != nil {
-		return fmt.Errorf("expose service: %w", err)
-	}
-
-	if err := handleExposeReady(cmd, stream, port); err != nil {
-		return err
-	}
-
-	return waitForExposeEvents(cmd, ctx, stream)
-}
-
-func toExposeProtocol(exposeProtocol string) (proto.ExposeProtocol, error) {
-	p, err := expose.ParseProtocolType(exposeProtocol)
-	if err != nil {
-		return 0, fmt.Errorf("invalid protocol: %w", err)
-	}
-
-	switch p {
-	case expose.ProtocolHTTP:
-		return proto.ExposeProtocol_EXPOSE_HTTP, nil
-	case expose.ProtocolHTTPS:
-		return proto.ExposeProtocol_EXPOSE_HTTPS, nil
-	case expose.ProtocolTCP:
-		return proto.ExposeProtocol_EXPOSE_TCP, nil
-	case expose.ProtocolUDP:
-		return proto.ExposeProtocol_EXPOSE_UDP, nil
-	case expose.ProtocolTLS:
-		return proto.ExposeProtocol_EXPOSE_TLS, nil
-	default:
-		return 0, fmt.Errorf("unhandled protocol type: %d", p)
-	}
-}
-
-func handleExposeReady(cmd *cobra.Command, stream proto.DaemonService_ExposeServiceClient, port uint64) error {
-	event, err := stream.Recv()
-	if err != nil {
-		return fmt.Errorf("receive expose event: %w", err)
-	}
-
-	ready, ok := event.Event.(*proto.ExposeServiceEvent_Ready)
-	if !ok {
-		return fmt.Errorf("unexpected expose event: %T", event.Event)
-	}
-	printExposeReady(cmd, ready.Ready, port)
-	return nil
-}
-
-func printExposeReady(cmd *cobra.Command, r *proto.ExposeServiceReady, port uint64) {
-	cmd.Println("Service exposed successfully!")
-	cmd.Printf("  Name:     %s\n", r.ServiceName)
-	if r.ServiceUrl != "" {
-		cmd.Printf("  URL:      %s\n", r.ServiceUrl)
-	}
-	if r.Domain != "" && !isPortBasedProtocol(exposeProtocol) {
-		cmd.Printf("  Domain:   %s\n", r.Domain)
-	}
-	cmd.Printf("  Protocol: %s\n", exposeProtocol)
-	cmd.Printf("  Internal: %d\n", port)
-	if isClusterProtocol(exposeProtocol) {
-		cmd.Printf("  External: %s\n", extractPort(r.ServiceUrl, resolveExternalPort(port)))
-	}
-	if r.PortAutoAssigned && exposeExternalPort != 0 {
-		cmd.Printf("\n  Note: requested port %d was reassigned\n", exposeExternalPort)
-	}
-	cmd.Println()
-	cmd.Println("Press Ctrl+C to stop exposing.")
-}
-
-func waitForExposeEvents(cmd *cobra.Command, ctx context.Context, stream proto.DaemonService_ExposeServiceClient) error {
-	for {
-		_, err := stream.Recv()
-		if err != nil {
-			if ctx.Err() != nil {
-				cmd.Println("\nService stopped.")
-				//nolint:nilerr
-				return nil
-			}
-			if errors.Is(err, io.EOF) {
-				return fmt.Errorf("connection to daemon closed unexpectedly")
-			}
-			return fmt.Errorf("stream error: %w", err)
-		}
-	}
-}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -22,7 +22,6 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"

-	daddr "github.com/netbirdio/netbird/client/internal/daemonaddr"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )

@@ -81,15 +80,6 @@ var (
 		Short:        "",
 		Long:         "",
 		SilenceUsage: true,
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars(cmd.Root())
-
-			// Don't resolve for service commands — they create the socket, not connect to it.
-			if !isServiceCmd(cmd) {
-				daemonAddr = daddr.ResolveUnixDaemonAddr(daemonAddr)
-			}
-			return nil
-		},
 	}
 )

@@ -154,7 +144,6 @@ func init() {
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
 	rootCmd.AddCommand(profileCmd)
-	rootCmd.AddCommand(exposeCmd)

 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
@@ -396,6 +385,7 @@ func migrateToNetbird(oldPath, newPath string) bool {
 }

 func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
+	SetFlagsFromEnvVars(rootCmd)
 	cmd.SetOut(cmd.OutOrStdout())

 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
@@ -408,13 +398,3 @@ func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {

 	return conn, nil
 }
-
-// isServiceCmd returns true if cmd is the "service" command or a child of it.
-func isServiceCmd(cmd *cobra.Command) bool {
-	for c := cmd; c != nil; c = c.Parent() {
-		if c.Name() == "service" {
-			return true
-		}
-	}
-	return false
-}
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -41,7 +41,7 @@ func init() {
 		defaultServiceName = "Netbird"
 	}

-	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
+	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")

--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -103,7 +103,7 @@ func (p *program) Stop(srv service.Service) error {

 // Common setup for service control commands
 func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc) (service.Service, error) {
-	// rootCmd env vars are already applied by PersistentPreRunE.
+	SetFlagsFromEnvVars(rootCmd)
 	SetFlagsFromEnvVars(serviceCmd)

 	cmd.SetOut(cmd.OutOrStdout())
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -119,10 +119,6 @@ var installCmd = &cobra.Command{
 			return err
 		}

-		if err := loadAndApplyServiceParams(cmd); err != nil {
-			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
-		}
-
 		svcConfig, err := createServiceConfigForInstall()
 		if err != nil {
 			return err
@@ -140,10 +136,6 @@ var installCmd = &cobra.Command{
 			return fmt.Errorf("install service: %w", err)
 		}

-		if err := saveServiceParams(currentServiceParams()); err != nil {
-			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
-		}
-
 		cmd.Println("NetBird service has been installed")
 		return nil
 	},
@@ -195,10 +187,6 @@ This command will temporarily stop the service, update its configuration, and re
 			return err
 		}

-		if err := loadAndApplyServiceParams(cmd); err != nil {
-			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
-		}
-
 		wasRunning, err := isServiceRunning()
 		if err != nil && !errors.Is(err, ErrGetServiceStatus) {
 			return fmt.Errorf("check service status: %w", err)
@@ -234,10 +222,6 @@ This command will temporarily stop the service, update its configuration, and re
 			return fmt.Errorf("install service with new config: %w", err)
 		}

-		if err := saveServiceParams(currentServiceParams()); err != nil {
-			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
-		}
-
 		if wasRunning {
 			cmd.Println("Starting NetBird service...")
 			if err := s.Start(); err != nil {
--- a/client/cmd/service_params.go
+++ b/client/cmd/service_params.go
@@ -1,201 +0,0 @@
-//go:build !ios && !android
-
-package cmd
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"maps"
-	"os"
-	"path/filepath"
-
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/client/configs"
-	"github.com/netbirdio/netbird/util"
-)
-
-const serviceParamsFile = "service.json"
-
-// serviceParams holds install-time service parameters that persist across
-// uninstall/reinstall cycles. Saved to <stateDir>/service.json.
-type serviceParams struct {
-	LogLevel              string            `json:"log_level"`
-	DaemonAddr            string            `json:"daemon_addr"`
-	ManagementURL         string            `json:"management_url,omitempty"`
-	ConfigPath            string            `json:"config_path,omitempty"`
-	LogFiles              []string          `json:"log_files,omitempty"`
-	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
-	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
-	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
-}
-
-// serviceParamsPath returns the path to the service params file.
-func serviceParamsPath() string {
-	return filepath.Join(configs.StateDir, serviceParamsFile)
-}
-
-// loadServiceParams reads saved service parameters from disk.
-// Returns nil with no error if the file does not exist.
-func loadServiceParams() (*serviceParams, error) {
-	path := serviceParamsPath()
-
-	data, err := os.ReadFile(path)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil, nil //nolint:nilnil
-		}
-		return nil, fmt.Errorf("read service params %s: %w", path, err)
-	}
-
-	var params serviceParams
-	if err := json.Unmarshal(data, &params); err != nil {
-		return nil, fmt.Errorf("parse service params %s: %w", path, err)
-	}
-
-	return &params, nil
-}
-
-// saveServiceParams writes current service parameters to disk atomically
-// with restricted permissions.
-func saveServiceParams(params *serviceParams) error {
-	path := serviceParamsPath()
-	if err := util.WriteJsonWithRestrictedPermission(context.Background(), path, params); err != nil {
-		return fmt.Errorf("save service params: %w", err)
-	}
-	return nil
-}
-
-// currentServiceParams captures the current state of all package-level
-// variables into a serviceParams struct.
-func currentServiceParams() *serviceParams {
-	params := &serviceParams{
-		LogLevel:              logLevel,
-		DaemonAddr:            daemonAddr,
-		ManagementURL:         managementURL,
-		ConfigPath:            configPath,
-		LogFiles:              logFiles,
-		DisableProfiles:       profilesDisabled,
-		DisableUpdateSettings: updateSettingsDisabled,
-	}
-
-	if len(serviceEnvVars) > 0 {
-		parsed, err := parseServiceEnvVars(serviceEnvVars)
-		if err == nil && len(parsed) > 0 {
-			params.ServiceEnvVars = parsed
-		}
-	}
-
-	return params
-}
-
-// loadAndApplyServiceParams loads saved params from disk and applies them
-// to any flags that were not explicitly set.
-func loadAndApplyServiceParams(cmd *cobra.Command) error {
-	params, err := loadServiceParams()
-	if err != nil {
-		return err
-	}
-	applyServiceParams(cmd, params)
-	return nil
-}
-
-// applyServiceParams merges saved parameters into package-level variables
-// for any flag that was not explicitly set by the user (via CLI or env var).
-// Flags that were Changed() are left untouched.
-func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
-	if params == nil {
-		return
-	}
-
-	// For fields with non-empty defaults (log-level, daemon-addr), keep the
-	// != "" guard so that an older service.json missing the field doesn't
-	// clobber the default with an empty string.
-	if !rootCmd.PersistentFlags().Changed("log-level") && params.LogLevel != "" {
-		logLevel = params.LogLevel
-	}
-
-	if !rootCmd.PersistentFlags().Changed("daemon-addr") && params.DaemonAddr != "" {
-		daemonAddr = params.DaemonAddr
-	}
-
-	// For optional fields where empty means "use default", always apply so
-	// that an explicit clear (--management-url "") persists across reinstalls.
-	if !rootCmd.PersistentFlags().Changed("management-url") {
-		managementURL = params.ManagementURL
-	}
-
-	if !rootCmd.PersistentFlags().Changed("config") {
-		configPath = params.ConfigPath
-	}
-
-	if !rootCmd.PersistentFlags().Changed("log-file") {
-		logFiles = params.LogFiles
-	}
-
-	if !serviceCmd.PersistentFlags().Changed("disable-profiles") {
-		profilesDisabled = params.DisableProfiles
-	}
-
-	if !serviceCmd.PersistentFlags().Changed("disable-update-settings") {
-		updateSettingsDisabled = params.DisableUpdateSettings
-	}
-
-	applyServiceEnvParams(cmd, params)
-}
-
-// applyServiceEnvParams merges saved service environment variables.
-// If --service-env was explicitly set, explicit values win on key conflict
-// but saved keys not in the explicit set are carried over.
-// If --service-env was not set, saved env vars are used entirely.
-func applyServiceEnvParams(cmd *cobra.Command, params *serviceParams) {
-	if len(params.ServiceEnvVars) == 0 {
-		return
-	}
-
-	if !cmd.Flags().Changed("service-env") {
-		// No explicit env vars: rebuild serviceEnvVars from saved params.
-		serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
-		return
-	}
-
-	// Explicit env vars were provided: merge saved values underneath.
-	explicit, err := parseServiceEnvVars(serviceEnvVars)
-	if err != nil {
-		cmd.PrintErrf("Warning: parse explicit service env vars for merge: %v\n", err)
-		return
-	}
-
-	merged := make(map[string]string, len(params.ServiceEnvVars)+len(explicit))
-	maps.Copy(merged, params.ServiceEnvVars)
-	maps.Copy(merged, explicit) // explicit wins on conflict
-	serviceEnvVars = envMapToSlice(merged)
-}
-
-var resetParamsCmd = &cobra.Command{
-	Use:   "reset-params",
-	Short: "Remove saved service install parameters",
-	Long:  "Removes the saved service.json file so the next install uses default parameters.",
-	RunE: func(cmd *cobra.Command, args []string) error {
-		path := serviceParamsPath()
-		if err := os.Remove(path); err != nil {
-			if os.IsNotExist(err) {
-				cmd.Println("No saved service parameters found")
-				return nil
-			}
-			return fmt.Errorf("remove service params: %w", err)
-		}
-		cmd.Printf("Removed saved service parameters (%s)\n", path)
-		return nil
-	},
-}
-
-// envMapToSlice converts a map of env vars to a KEY=VALUE slice.
-func envMapToSlice(m map[string]string) []string {
-	s := make([]string, 0, len(m))
-	for k, v := range m {
-		s = append(s, k+"="+v)
-	}
-	return s
-}
--- a/client/cmd/service_params_test.go
+++ b/client/cmd/service_params_test.go
@@ -1,523 +0,0 @@
-//go:build !ios && !android
-
-package cmd
-
-import (
-	"encoding/json"
-	"go/ast"
-	"go/parser"
-	"go/token"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/configs"
-)
-
-func TestServiceParamsPath(t *testing.T) {
-	original := configs.StateDir
-	t.Cleanup(func() { configs.StateDir = original })
-
-	configs.StateDir = "/var/lib/netbird"
-	assert.Equal(t, "/var/lib/netbird/service.json", serviceParamsPath())
-
-	configs.StateDir = "/custom/state"
-	assert.Equal(t, "/custom/state/service.json", serviceParamsPath())
-}
-
-func TestSaveAndLoadServiceParams(t *testing.T) {
-	tmpDir := t.TempDir()
-
-	original := configs.StateDir
-	t.Cleanup(func() { configs.StateDir = original })
-	configs.StateDir = tmpDir
-
-	params := &serviceParams{
-		LogLevel:              "debug",
-		DaemonAddr:            "unix:///var/run/netbird.sock",
-		ManagementURL:         "https://my.server.com",
-		ConfigPath:            "/etc/netbird/config.json",
-		LogFiles:              []string{"/var/log/netbird/client.log", "console"},
-		DisableProfiles:       true,
-		DisableUpdateSettings: false,
-		ServiceEnvVars:        map[string]string{"NB_LOG_FORMAT": "json", "CUSTOM": "val"},
-	}
-
-	err := saveServiceParams(params)
-	require.NoError(t, err)
-
-	// Verify the file exists and is valid JSON.
-	data, err := os.ReadFile(filepath.Join(tmpDir, "service.json"))
-	require.NoError(t, err)
-	assert.True(t, json.Valid(data))
-
-	loaded, err := loadServiceParams()
-	require.NoError(t, err)
-	require.NotNil(t, loaded)
-
-	assert.Equal(t, params.LogLevel, loaded.LogLevel)
-	assert.Equal(t, params.DaemonAddr, loaded.DaemonAddr)
-	assert.Equal(t, params.ManagementURL, loaded.ManagementURL)
-	assert.Equal(t, params.ConfigPath, loaded.ConfigPath)
-	assert.Equal(t, params.LogFiles, loaded.LogFiles)
-	assert.Equal(t, params.DisableProfiles, loaded.DisableProfiles)
-	assert.Equal(t, params.DisableUpdateSettings, loaded.DisableUpdateSettings)
-	assert.Equal(t, params.ServiceEnvVars, loaded.ServiceEnvVars)
-}
-
-func TestLoadServiceParams_FileNotExists(t *testing.T) {
-	tmpDir := t.TempDir()
-
-	original := configs.StateDir
-	t.Cleanup(func() { configs.StateDir = original })
-	configs.StateDir = tmpDir
-
-	params, err := loadServiceParams()
-	assert.NoError(t, err)
-	assert.Nil(t, params)
-}
-
-func TestLoadServiceParams_InvalidJSON(t *testing.T) {
-	tmpDir := t.TempDir()
-
-	original := configs.StateDir
-	t.Cleanup(func() { configs.StateDir = original })
-	configs.StateDir = tmpDir
-
-	err := os.WriteFile(filepath.Join(tmpDir, "service.json"), []byte("not json"), 0600)
-	require.NoError(t, err)
-
-	params, err := loadServiceParams()
-	assert.Error(t, err)
-	assert.Nil(t, params)
-}
-
-func TestCurrentServiceParams(t *testing.T) {
-	origLogLevel := logLevel
-	origDaemonAddr := daemonAddr
-	origManagementURL := managementURL
-	origConfigPath := configPath
-	origLogFiles := logFiles
-	origProfilesDisabled := profilesDisabled
-	origUpdateSettingsDisabled := updateSettingsDisabled
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() {
-		logLevel = origLogLevel
-		daemonAddr = origDaemonAddr
-		managementURL = origManagementURL
-		configPath = origConfigPath
-		logFiles = origLogFiles
-		profilesDisabled = origProfilesDisabled
-		updateSettingsDisabled = origUpdateSettingsDisabled
-		serviceEnvVars = origServiceEnvVars
-	})
-
-	logLevel = "trace"
-	daemonAddr = "tcp://127.0.0.1:9999"
-	managementURL = "https://mgmt.example.com"
-	configPath = "/tmp/test-config.json"
-	logFiles = []string{"/tmp/test.log"}
-	profilesDisabled = true
-	updateSettingsDisabled = true
-	serviceEnvVars = []string{"FOO=bar", "BAZ=qux"}
-
-	params := currentServiceParams()
-
-	assert.Equal(t, "trace", params.LogLevel)
-	assert.Equal(t, "tcp://127.0.0.1:9999", params.DaemonAddr)
-	assert.Equal(t, "https://mgmt.example.com", params.ManagementURL)
-	assert.Equal(t, "/tmp/test-config.json", params.ConfigPath)
-	assert.Equal(t, []string{"/tmp/test.log"}, params.LogFiles)
-	assert.True(t, params.DisableProfiles)
-	assert.True(t, params.DisableUpdateSettings)
-	assert.Equal(t, map[string]string{"FOO": "bar", "BAZ": "qux"}, params.ServiceEnvVars)
-}
-
-func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
-	origLogLevel := logLevel
-	origDaemonAddr := daemonAddr
-	origManagementURL := managementURL
-	origConfigPath := configPath
-	origLogFiles := logFiles
-	origProfilesDisabled := profilesDisabled
-	origUpdateSettingsDisabled := updateSettingsDisabled
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() {
-		logLevel = origLogLevel
-		daemonAddr = origDaemonAddr
-		managementURL = origManagementURL
-		configPath = origConfigPath
-		logFiles = origLogFiles
-		profilesDisabled = origProfilesDisabled
-		updateSettingsDisabled = origUpdateSettingsDisabled
-		serviceEnvVars = origServiceEnvVars
-	})
-
-	// Reset all flags to defaults.
-	logLevel = "info"
-	daemonAddr = "unix:///var/run/netbird.sock"
-	managementURL = ""
-	configPath = "/etc/netbird/config.json"
-	logFiles = []string{"/var/log/netbird/client.log"}
-	profilesDisabled = false
-	updateSettingsDisabled = false
-	serviceEnvVars = nil
-
-	// Reset Changed state on all relevant flags.
-	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		f.Changed = false
-	})
-	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		f.Changed = false
-	})
-
-	// Simulate user explicitly setting --log-level via CLI.
-	logLevel = "warn"
-	require.NoError(t, rootCmd.PersistentFlags().Set("log-level", "warn"))
-
-	saved := &serviceParams{
-		LogLevel:              "debug",
-		DaemonAddr:            "tcp://127.0.0.1:5555",
-		ManagementURL:         "https://saved.example.com",
-		ConfigPath:            "/saved/config.json",
-		LogFiles:              []string{"/saved/client.log"},
-		DisableProfiles:       true,
-		DisableUpdateSettings: true,
-		ServiceEnvVars:        map[string]string{"SAVED_KEY": "saved_val"},
-	}
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	applyServiceParams(cmd, saved)
-
-	// log-level was Changed, so it should keep "warn", not use saved "debug".
-	assert.Equal(t, "warn", logLevel)
-
-	// All other fields were not Changed, so they should use saved values.
-	assert.Equal(t, "tcp://127.0.0.1:5555", daemonAddr)
-	assert.Equal(t, "https://saved.example.com", managementURL)
-	assert.Equal(t, "/saved/config.json", configPath)
-	assert.Equal(t, []string{"/saved/client.log"}, logFiles)
-	assert.True(t, profilesDisabled)
-	assert.True(t, updateSettingsDisabled)
-	assert.Equal(t, []string{"SAVED_KEY=saved_val"}, serviceEnvVars)
-}
-
-func TestApplyServiceParams_BooleanRevertToFalse(t *testing.T) {
-	origProfilesDisabled := profilesDisabled
-	origUpdateSettingsDisabled := updateSettingsDisabled
-	t.Cleanup(func() {
-		profilesDisabled = origProfilesDisabled
-		updateSettingsDisabled = origUpdateSettingsDisabled
-	})
-
-	// Simulate current state where booleans are true (e.g. set by previous install).
-	profilesDisabled = true
-	updateSettingsDisabled = true
-
-	// Reset Changed state so flags appear unset.
-	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		f.Changed = false
-	})
-
-	// Saved params have both as false.
-	saved := &serviceParams{
-		DisableProfiles:       false,
-		DisableUpdateSettings: false,
-	}
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	applyServiceParams(cmd, saved)
-
-	assert.False(t, profilesDisabled, "saved false should override current true")
-	assert.False(t, updateSettingsDisabled, "saved false should override current true")
-}
-
-func TestApplyServiceParams_ClearManagementURL(t *testing.T) {
-	origManagementURL := managementURL
-	t.Cleanup(func() { managementURL = origManagementURL })
-
-	managementURL = "https://leftover.example.com"
-
-	// Simulate saved params where management URL was explicitly cleared.
-	saved := &serviceParams{
-		LogLevel:   "info",
-		DaemonAddr: "unix:///var/run/netbird.sock",
-		// ManagementURL intentionally empty: was cleared with --management-url "".
-	}
-
-	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		f.Changed = false
-	})
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	applyServiceParams(cmd, saved)
-
-	assert.Equal(t, "", managementURL, "saved empty management URL should clear the current value")
-}
-
-func TestApplyServiceParams_NilParams(t *testing.T) {
-	origLogLevel := logLevel
-	t.Cleanup(func() { logLevel = origLogLevel })
-
-	logLevel = "info"
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-
-	// Should be a no-op.
-	applyServiceParams(cmd, nil)
-	assert.Equal(t, "info", logLevel)
-}
-
-func TestApplyServiceEnvParams_MergeExplicitAndSaved(t *testing.T) {
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
-
-	// Set up a command with --service-env marked as Changed.
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	require.NoError(t, cmd.Flags().Set("service-env", "EXPLICIT=yes,OVERLAP=explicit"))
-
-	serviceEnvVars = []string{"EXPLICIT=yes", "OVERLAP=explicit"}
-
-	saved := &serviceParams{
-		ServiceEnvVars: map[string]string{
-			"SAVED":   "val",
-			"OVERLAP": "saved",
-		},
-	}
-
-	applyServiceEnvParams(cmd, saved)
-
-	// Parse result for easier assertion.
-	result, err := parseServiceEnvVars(serviceEnvVars)
-	require.NoError(t, err)
-
-	assert.Equal(t, "yes", result["EXPLICIT"])
-	assert.Equal(t, "val", result["SAVED"])
-	// Explicit wins on conflict.
-	assert.Equal(t, "explicit", result["OVERLAP"])
-}
-
-func TestApplyServiceEnvParams_NotChanged(t *testing.T) {
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
-
-	serviceEnvVars = nil
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-
-	saved := &serviceParams{
-		ServiceEnvVars: map[string]string{"FROM_SAVED": "val"},
-	}
-
-	applyServiceEnvParams(cmd, saved)
-
-	result, err := parseServiceEnvVars(serviceEnvVars)
-	require.NoError(t, err)
-	assert.Equal(t, map[string]string{"FROM_SAVED": "val"}, result)
-}
-
-// TestServiceParams_FieldsCoveredInFunctions ensures that all serviceParams fields are
-// referenced in both currentServiceParams() and applyServiceParams(). If a new field is
-// added to serviceParams but not wired into these functions, this test fails.
-func TestServiceParams_FieldsCoveredInFunctions(t *testing.T) {
-	fset := token.NewFileSet()
-	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
-	require.NoError(t, err)
-
-	// Collect all JSON field names from the serviceParams struct.
-	structFields := extractStructJSONFields(t, file, "serviceParams")
-	require.NotEmpty(t, structFields, "failed to find serviceParams struct fields")
-
-	// Collect field names referenced in currentServiceParams and applyServiceParams.
-	currentFields := extractFuncFieldRefs(t, file, "currentServiceParams", structFields)
-	applyFields := extractFuncFieldRefs(t, file, "applyServiceParams", structFields)
-	// applyServiceEnvParams handles ServiceEnvVars indirectly.
-	applyEnvFields := extractFuncFieldRefs(t, file, "applyServiceEnvParams", structFields)
-	for k, v := range applyEnvFields {
-		applyFields[k] = v
-	}
-
-	for _, field := range structFields {
-		assert.Contains(t, currentFields, field,
-			"serviceParams field %q is not captured in currentServiceParams()", field)
-		assert.Contains(t, applyFields, field,
-			"serviceParams field %q is not restored in applyServiceParams()/applyServiceEnvParams()", field)
-	}
-}
-
-// TestServiceParams_BuildArgsCoversAllFlags ensures that buildServiceArguments references
-// all serviceParams fields that should become CLI args. ServiceEnvVars is excluded because
-// it flows through newSVCConfig() EnvVars, not CLI args.
-func TestServiceParams_BuildArgsCoversAllFlags(t *testing.T) {
-	fset := token.NewFileSet()
-	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
-	require.NoError(t, err)
-
-	structFields := extractStructJSONFields(t, file, "serviceParams")
-	require.NotEmpty(t, structFields)
-
-	installerFile, err := parser.ParseFile(fset, "service_installer.go", nil, 0)
-	require.NoError(t, err)
-
-	// Fields that are handled outside of buildServiceArguments (env vars go through newSVCConfig).
-	fieldsNotInArgs := map[string]bool{
-		"ServiceEnvVars": true,
-	}
-
-	buildFields := extractFuncGlobalRefs(t, installerFile, "buildServiceArguments")
-
-	// Forward: every struct field must appear in buildServiceArguments.
-	for _, field := range structFields {
-		if fieldsNotInArgs[field] {
-			continue
-		}
-		globalVar := fieldToGlobalVar(field)
-		assert.Contains(t, buildFields, globalVar,
-			"serviceParams field %q (global %q) is not referenced in buildServiceArguments()", field, globalVar)
-	}
-
-	// Reverse: every service-related global used in buildServiceArguments must
-	// have a corresponding serviceParams field. This catches a developer adding
-	// a new flag to buildServiceArguments without adding it to the struct.
-	globalToField := make(map[string]string, len(structFields))
-	for _, field := range structFields {
-		globalToField[fieldToGlobalVar(field)] = field
-	}
-	// Identifiers in buildServiceArguments that are not service params
-	// (builtins, boilerplate, loop variables).
-	nonParamGlobals := map[string]bool{
-		"args": true, "append": true, "string": true, "_": true,
-		"logFile": true, // range variable over logFiles
-	}
-	for ref := range buildFields {
-		if nonParamGlobals[ref] {
-			continue
-		}
-		_, inStruct := globalToField[ref]
-		assert.True(t, inStruct,
-			"buildServiceArguments() references global %q which has no corresponding serviceParams field", ref)
-	}
-}
-
-// extractStructJSONFields returns field names from a named struct type.
-func extractStructJSONFields(t *testing.T, file *ast.File, structName string) []string {
-	t.Helper()
-	var fields []string
-	ast.Inspect(file, func(n ast.Node) bool {
-		ts, ok := n.(*ast.TypeSpec)
-		if !ok || ts.Name.Name != structName {
-			return true
-		}
-		st, ok := ts.Type.(*ast.StructType)
-		if !ok {
-			return false
-		}
-		for _, f := range st.Fields.List {
-			if len(f.Names) > 0 {
-				fields = append(fields, f.Names[0].Name)
-			}
-		}
-		return false
-	})
-	return fields
-}
-
-// extractFuncFieldRefs returns which of the given field names appear inside the
-// named function, either as selector expressions (params.FieldName) or as
-// composite literal keys (&serviceParams{FieldName: ...}).
-func extractFuncFieldRefs(t *testing.T, file *ast.File, funcName string, fields []string) map[string]bool {
-	t.Helper()
-	fieldSet := make(map[string]bool, len(fields))
-	for _, f := range fields {
-		fieldSet[f] = true
-	}
-
-	found := make(map[string]bool)
-	fn := findFuncDecl(file, funcName)
-	require.NotNil(t, fn, "function %s not found", funcName)
-
-	ast.Inspect(fn.Body, func(n ast.Node) bool {
-		switch v := n.(type) {
-		case *ast.SelectorExpr:
-			if fieldSet[v.Sel.Name] {
-				found[v.Sel.Name] = true
-			}
-		case *ast.KeyValueExpr:
-			if ident, ok := v.Key.(*ast.Ident); ok && fieldSet[ident.Name] {
-				found[ident.Name] = true
-			}
-		}
-		return true
-	})
-	return found
-}
-
-// extractFuncGlobalRefs returns all identifier names referenced in the named function body.
-func extractFuncGlobalRefs(t *testing.T, file *ast.File, funcName string) map[string]bool {
-	t.Helper()
-	fn := findFuncDecl(file, funcName)
-	require.NotNil(t, fn, "function %s not found", funcName)
-
-	refs := make(map[string]bool)
-	ast.Inspect(fn.Body, func(n ast.Node) bool {
-		if ident, ok := n.(*ast.Ident); ok {
-			refs[ident.Name] = true
-		}
-		return true
-	})
-	return refs
-}
-
-func findFuncDecl(file *ast.File, name string) *ast.FuncDecl {
-	for _, decl := range file.Decls {
-		fn, ok := decl.(*ast.FuncDecl)
-		if ok && fn.Name.Name == name {
-			return fn
-		}
-	}
-	return nil
-}
-
-// fieldToGlobalVar maps serviceParams field names to the package-level variable
-// names used in buildServiceArguments and applyServiceParams.
-func fieldToGlobalVar(field string) string {
-	m := map[string]string{
-		"LogLevel":              "logLevel",
-		"DaemonAddr":            "daemonAddr",
-		"ManagementURL":         "managementURL",
-		"ConfigPath":            "configPath",
-		"LogFiles":              "logFiles",
-		"DisableProfiles":       "profilesDisabled",
-		"DisableUpdateSettings": "updateSettingsDisabled",
-		"ServiceEnvVars":        "serviceEnvVars",
-	}
-	if v, ok := m[field]; ok {
-		return v
-	}
-	// Default: lowercase first letter.
-	return strings.ToLower(field[:1]) + field[1:]
-}
-
-func TestEnvMapToSlice(t *testing.T) {
-	m := map[string]string{"A": "1", "B": "2"}
-	s := envMapToSlice(m)
-	assert.Len(t, s, 2)
-	assert.Contains(t, s, "A=1")
-	assert.Contains(t, s, "B=2")
-}
-
-func TestEnvMapToSlice_Empty(t *testing.T) {
-	s := envMapToSlice(map[string]string{})
-	assert.Empty(t, s)
-}
--- a/client/cmd/signer/artifactkey.go
+++ b/client/cmd/signer/artifactkey.go
@@ -7,7 +7,7 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/reposign"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )

 var (
--- a/client/cmd/signer/artifactsign.go
+++ b/client/cmd/signer/artifactsign.go
@@ -6,7 +6,7 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/reposign"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )

 const (
--- a/client/cmd/signer/revocation.go
+++ b/client/cmd/signer/revocation.go
@@ -7,7 +7,7 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/reposign"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )

 const (
--- a/client/cmd/signer/rootkey.go
+++ b/client/cmd/signer/rootkey.go
@@ -7,7 +7,7 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/reposign"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )

 var (
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -28,7 +28,6 @@ var (
 	ipsFilterMap         map[string]struct{}
 	prefixNamesFilterMap map[string]struct{}
 	connectionTypeFilter string
-	checkFlag            string
 )

 var statusCmd = &cobra.Command{
@@ -50,7 +49,6 @@ func init() {
 	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
 	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
 	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
-	statusCmd.PersistentFlags().StringVar(&checkFlag, "check", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
 }

 func statusFunc(cmd *cobra.Command, args []string) error {
@@ -58,10 +56,6 @@ func statusFunc(cmd *cobra.Command, args []string) error {

 	cmd.SetOut(cmd.OutOrStdout())

-	if checkFlag != "" {
-		return runHealthCheck(cmd)
-	}
-
 	err := parseFilters()
 	if err != nil {
 		return err
@@ -74,17 +68,15 @@ func statusFunc(cmd *cobra.Command, args []string) error {

 	ctx := internal.CtxInitState(cmd.Context())

-	resp, err := getStatus(ctx, true, false)
+	resp, err := getStatus(ctx, false)
 	if err != nil {
 		return err
 	}

 	status := resp.GetStatus()

-	needsAuth := status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
-		status == string(internal.StatusSessionExpired)
-
-	if needsAuth && !jsonFlag && !yamlFlag {
+	if status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
+		status == string(internal.StatusSessionExpired) {
 		cmd.Printf("Daemon status: %s\n\n"+
 			"Run UP command to log in with SSO (interactive login):\n\n"+
 			" netbird up \n\n"+
@@ -107,17 +99,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		profName = activeProf.Name
 	}

-	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), nbstatus.ConvertOptions{
-		Anonymize:            anonymizeFlag,
-		DaemonVersion:        resp.GetDaemonVersion(),
-		DaemonStatus:         nbstatus.ParseDaemonStatus(status),
-		StatusFilter:         statusFilter,
-		PrefixNamesFilter:    prefixNamesFilter,
-		PrefixNamesFilterMap: prefixNamesFilterMap,
-		IPsFilter:            ipsFilterMap,
-		ConnectionTypeFilter: connectionTypeFilter,
-		ProfileName:          profName,
-	})
+	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), anonymizeFlag, resp.GetDaemonVersion(), statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter, profName)
 	var statusOutputString string
 	switch {
 	case detailFlag:
@@ -139,7 +121,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	return nil
 }

-func getStatus(ctx context.Context, fullPeerStatus bool, shouldRunProbes bool) (*proto.StatusResponse, error) {
+func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
@@ -149,7 +131,7 @@ func getStatus(ctx context.Context, fullPeerStatus bool, shouldRunProbes bool) (
 	}
 	defer conn.Close()

-	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: fullPeerStatus, ShouldRunProbes: shouldRunProbes})
+	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: shouldRunProbes})
 	if err != nil {
 		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
 	}
@@ -203,83 +185,6 @@ func enableDetailFlagWhenFilterFlag() {
 	}
 }

-func runHealthCheck(cmd *cobra.Command) error {
-	check := strings.ToLower(checkFlag)
-	switch check {
-	case "live", "ready", "startup":
-	default:
-		return fmt.Errorf("unknown check %q, must be one of: live, ready, startup", checkFlag)
-	}
-
-	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
-		return fmt.Errorf("init log: %w", err)
-	}
-
-	ctx := internal.CtxInitState(cmd.Context())
-
-	isStartup := check == "startup"
-	resp, err := getStatus(ctx, isStartup, false)
-	if err != nil {
-		return err
-	}
-
-	switch check {
-	case "live":
-		return nil
-	case "ready":
-		return checkReadiness(resp)
-	case "startup":
-		return checkStartup(resp)
-	default:
-		return nil
-	}
-}
-
-func checkReadiness(resp *proto.StatusResponse) error {
-	daemonStatus := internal.StatusType(resp.GetStatus())
-	switch daemonStatus {
-	case internal.StatusIdle, internal.StatusConnecting, internal.StatusConnected:
-		return nil
-	case internal.StatusNeedsLogin, internal.StatusLoginFailed, internal.StatusSessionExpired:
-		return fmt.Errorf("readiness check: daemon status is %s", daemonStatus)
-	default:
-		return fmt.Errorf("readiness check: unexpected daemon status %q", daemonStatus)
-	}
-}
-
-func checkStartup(resp *proto.StatusResponse) error {
-	fullStatus := resp.GetFullStatus()
-	if fullStatus == nil {
-		return fmt.Errorf("startup check: no full status available")
-	}
-
-	if !fullStatus.GetManagementState().GetConnected() {
-		return fmt.Errorf("startup check: management not connected")
-	}
-
-	if !fullStatus.GetSignalState().GetConnected() {
-		return fmt.Errorf("startup check: signal not connected")
-	}
-
-	var relayCount, relaysConnected int
-	for _, r := range fullStatus.GetRelays() {
-		uri := r.GetURI()
-		if !strings.HasPrefix(uri, "rel://") && !strings.HasPrefix(uri, "rels://") {
-			continue
-		}
-		relayCount++
-		if r.GetAvailable() {
-			relaysConnected++
-		}
-	}
-
-	if relayCount > 0 && relaysConnected == 0 {
-		return fmt.Errorf("startup check: no relay servers available (0/%d connected)", relayCount)
-	}
-
-	return nil
-}
-
 func parseInterfaceIP(interfaceIP string) string {
 	ip, _, err := net.ParseCIDR(interfaceIP)
 	if err != nil {
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -197,7 +197,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 	r := peer.NewRecorder(config.ManagementURL.String())
 	r.GetFullStatus()

-	connectClient := internal.NewConnectClient(ctx, config, r)
+	connectClient := internal.NewConnectClient(ctx, config, r, false)
 	SetupDebugHandler(ctx, config, r, connectClient, "")

 	return connectClient.Run(nil, util.FindFirstLogPath(logFiles))
--- a/client/cmd/update_supported.go
+++ b/client/cmd/update_supported.go
@@ -11,7 +11,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/installer"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/installer"
 	"github.com/netbirdio/netbird/util"
 )

--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -14,7 +14,6 @@ import (
 	"github.com/sirupsen/logrus"
 	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"

-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/auth"
@@ -22,7 +21,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	sshcommon "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )

@@ -33,14 +31,14 @@ var (
 	ErrConfigNotInitialized = errors.New("config not initialized")
 )

+// PeerConnStatus is a peer's connection status.
+type PeerConnStatus = peer.ConnStatus
+
 const (
 	// PeerStatusConnected indicates the peer is in connected state.
 	PeerStatusConnected = peer.StatusConnected
 )

-// PeerConnStatus is a peer's connection status.
-type PeerConnStatus = peer.ConnStatus
-
 // Client manages a netbird embedded client instance.
 type Client struct {
 	deviceName string
@@ -83,14 +81,6 @@ type Options struct {
 	BlockInbound bool
 	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
 	WireguardPort *int
-	// MTU is the MTU for the WireGuard interface.
-	// Valid values are in the range 576..8192 bytes.
-	// If non-nil, this value overrides any value stored in the config file.
-	// If nil, the existing config MTU (if non-zero) is preserved; otherwise it defaults to 1280.
-	// Set to a higher value (e.g. 1400) if carrying QUIC or other protocols that require larger datagrams.
-	MTU *uint16
-	// DNSLabels defines additional DNS labels configured in the peer.
-	DNSLabels []string
 }

 // validateCredentials checks that exactly one credential type is provided
@@ -122,12 +112,6 @@ func New(opts Options) (*Client, error) {
 		return nil, err
 	}

-	if opts.MTU != nil {
-		if err := iface.ValidateMTU(*opts.MTU); err != nil {
-			return nil, fmt.Errorf("invalid MTU: %w", err)
-		}
-	}
-
 	if opts.LogOutput != nil {
 		logrus.SetOutput(opts.LogOutput)
 	}
@@ -156,14 +140,9 @@ func New(opts Options) (*Client, error) {
 		}
 	}

-	var err error
-	var parsedLabels domain.List
-	if parsedLabels, err = domain.FromStringList(opts.DNSLabels); err != nil {
-		return nil, fmt.Errorf("invalid dns labels: %w", err)
-	}
-
 	t := true
 	var config *profilemanager.Config
+	var err error
 	input := profilemanager.ConfigInput{
 		ConfigPath:          opts.ConfigPath,
 		ManagementURL:       opts.ManagementURL,
@@ -172,8 +151,6 @@ func New(opts Options) (*Client, error) {
 		DisableClientRoutes: &opts.DisableClientRoutes,
 		BlockInbound:        &opts.BlockInbound,
 		WireguardPort:       opts.WireguardPort,
-		MTU:                 opts.MTU,
-		DNSLabels:           parsedLabels,
 	}
 	if opts.ConfigPath != "" {
 		config, err = profilemanager.UpdateOrCreateConfig(input)
@@ -225,7 +202,7 @@ func (c *Client) Start(startCtx context.Context) error {
 	if err, _ := authClient.Login(ctx, c.setupKey, c.jwtToken); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}
-	client := internal.NewConnectClient(ctx, c.config, c.recorder)
+	client := internal.NewConnectClient(ctx, c.config, c.recorder, false)
 	client.SetSyncResponsePersistence(true)

 	// either startup error (permanent backoff err) or nil err (successful engine up)
@@ -375,32 +352,6 @@ func (c *Client) NewHTTPClient() *http.Client {
 	}
 }

-// Expose exposes a local service via the NetBird reverse proxy, making it accessible through a public URL.
-// It returns an ExposeSession. Call Wait on the session to keep it alive.
-func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession, error) {
-	engine, err := c.getEngine()
-	if err != nil {
-		return nil, err
-	}
-
-	mgr := engine.GetExposeManager()
-	if mgr == nil {
-		return nil, fmt.Errorf("expose manager not available")
-	}
-
-	resp, err := mgr.Expose(ctx, req)
-	if err != nil {
-		return nil, fmt.Errorf("expose: %w", err)
-	}
-
-	return &ExposeSession{
-		Domain:      resp.Domain,
-		ServiceName: resp.ServiceName,
-		ServiceURL:  resp.ServiceURL,
-		mgr:         mgr,
-	}, nil
-}
-
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
--- a/client/embed/expose.go
+++ b/client/embed/expose.go
@@ -1,45 +0,0 @@
-package embed
-
-import (
-	"context"
-	"errors"
-
-	"github.com/netbirdio/netbird/client/internal/expose"
-)
-
-const (
-	// ExposeProtocolHTTP exposes the service as HTTP.
-	ExposeProtocolHTTP = expose.ProtocolHTTP
-	// ExposeProtocolHTTPS exposes the service as HTTPS.
-	ExposeProtocolHTTPS = expose.ProtocolHTTPS
-	// ExposeProtocolTCP exposes the service as TCP.
-	ExposeProtocolTCP = expose.ProtocolTCP
-	// ExposeProtocolUDP exposes the service as UDP.
-	ExposeProtocolUDP = expose.ProtocolUDP
-	// ExposeProtocolTLS exposes the service as TLS.
-	ExposeProtocolTLS = expose.ProtocolTLS
-)
-
-// ExposeRequest is a request to expose a local service via the NetBird reverse proxy.
-type ExposeRequest = expose.Request
-
-// ExposeProtocolType represents the protocol used for exposing a service.
-type ExposeProtocolType = expose.ProtocolType
-
-// ExposeSession represents an active expose session. Use Wait to block until the session ends.
-type ExposeSession struct {
-	Domain      string
-	ServiceName string
-	ServiceURL  string
-
-	mgr *expose.Manager
-}
-
-// Wait blocks while keeping the expose session alive.
-// It returns when ctx is cancelled or a keep-alive error occurs, then terminates the session.
-func (s *ExposeSession) Wait(ctx context.Context) error {
-	if s == nil || s.mgr == nil {
-		return errors.New("expose session is not initialized")
-	}
-	return s.mgr.KeepAlive(ctx, s.Domain)
-}
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -23,10 +23,9 @@ type Manager struct {

 	wgIface iFaceMapper

-	ipv4Client   *iptables.IPTables
-	aclMgr       *aclManager
-	router       *router
-	rawSupported bool
+	ipv4Client *iptables.IPTables
+	aclMgr     *aclManager
+	router     *router
 }

 // iFaceMapper defines subset methods of interface required for manager
@@ -85,7 +84,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	}

 	if err := m.initNoTrackChain(); err != nil {
-		log.Warnf("raw table not available, notrack rules will be disabled: %v", err)
+		return fmt.Errorf("init notrack chain: %w", err)
 	}

 	// persist early to ensure cleanup of chains
@@ -319,10 +318,6 @@ func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if !m.rawSupported {
-		return fmt.Errorf("raw table not available")
-	}
-
 	wgPortStr := fmt.Sprintf("%d", wgPort)
 	proxyPortStr := fmt.Sprintf("%d", proxyPort)

@@ -380,16 +375,12 @@ func (m *Manager) initNoTrackChain() error {
 		return fmt.Errorf("add prerouting jump rule: %w", err)
 	}

-	m.rawSupported = true
 	return nil
 }

 func (m *Manager) cleanupNoTrackChain() error {
 	exists, err := m.ipv4Client.ChainExists(tableRaw, chainNameRaw)
 	if err != nil {
-		if !m.rawSupported {
-			return nil
-		}
 		return fmt.Errorf("check chain exists: %w", err)
 	}
 	if !exists {
@@ -410,7 +401,6 @@ func (m *Manager) cleanupNoTrackChain() error {
 		return fmt.Errorf("clear and delete chain: %w", err)
 	}

-	m.rawSupported = false
 	return nil
 }

--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -95,7 +95,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	}

 	if err := m.initNoTrackChains(workTable); err != nil {
-		log.Warnf("raw priority chains not available, notrack rules will be disabled: %v", err)
+		return fmt.Errorf("init notrack chains: %w", err)
 	}

 	stateManager.RegisterState(&ShutdownState{})
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -358,9 +358,9 @@ func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	// Fast path for IPv4 addresses (4 bytes) - most common case
 	if len(oldBytes) == 4 && len(newBytes) == 4 {
 		sum += uint32(^binary.BigEndian.Uint16(oldBytes[0:2]))
-		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4]))
 		sum += uint32(binary.BigEndian.Uint16(newBytes[0:2]))
-		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4]))
 	} else {
 		// Fallback for other lengths
 		for i := 0; i < len(oldBytes)-1; i += 2 {
--- a/client/grpc/dialer.go
+++ b/client/grpc/dialer.go
@@ -28,7 +28,7 @@ func Backoff(ctx context.Context) backoff.BackOff {

 // CreateConnection creates a gRPC client connection with the appropriate transport options.
 // The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
-func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string, extraOpts ...grpc.DialOption) (*grpc.ClientConn, error) {
+func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string) (*grpc.ClientConn, error) {
 	transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
 	// for js, the outer websocket layer takes care of tls
 	if tlsEnabled && runtime.GOOS != "js" {
@@ -46,7 +46,9 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 	connCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()

-	opts := []grpc.DialOption{
+	conn, err := grpc.DialContext(
+		connCtx,
+		addr,
 		transportOption,
 		WithCustomDialer(tlsEnabled, component),
 		grpc.WithBlock(),
@@ -54,10 +56,7 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 			Time:    30 * time.Second,
 			Timeout: 10 * time.Second,
 		}),
-	}
-	opts = append(opts, extraOpts...)
-
-	conn, err := grpc.DialContext(connCtx, addr, opts...)
+	)
 	if err != nil {
 		return nil, fmt.Errorf("dial context: %w", err)
 	}
--- a/client/iface/configurer/uapi.go
+++ b/client/iface/configurer/uapi.go
@@ -5,18 +5,20 @@ package configurer
 import (
 	"net"

+	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/ipc"
 )

 func openUAPI(deviceName string) (net.Listener, error) {
 	uapiSock, err := ipc.UAPIOpen(deviceName)
 	if err != nil {
+		log.Errorf("failed to open uapi socket: %v", err)
 		return nil, err
 	}

 	listener, err := ipc.UAPIListen(deviceName, uapiSock)
 	if err != nil {
-		_ = uapiSock.Close()
+		log.Errorf("failed to listen on uapi socket: %v", err)
 		return nil, err
 	}

--- a/client/iface/configurer/usp.go
+++ b/client/iface/configurer/usp.go
@@ -54,14 +54,6 @@ func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder
 	return wgCfg
 }

-func NewUSPConfigurerNoUAPI(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder) *WGUSPConfigurer {
-	return &WGUSPConfigurer{
-		device:           device,
-		deviceName:       deviceName,
-		activityRecorder: activityRecorder,
-	}
-}
-
 func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error {
 	log.Debugf("adding Wireguard private key")
 	key, err := wgtypes.ParseKey(privateKey)
--- a/client/iface/device/device_netstack.go
+++ b/client/iface/device/device_netstack.go
@@ -79,7 +79,7 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)

-	t.configurer = configurer.NewUSPConfigurerNoUAPI(t.device, t.name, t.bind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		if cErr := tunIface.Close(); cErr != nil {
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -23,13 +23,12 @@ import (
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
-	"github.com/netbirdio/netbird/client/internal/metrics"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/client/internal/updater"
-	"github.com/netbirdio/netbird/client/internal/updater/installer"
+	"github.com/netbirdio/netbird/client/internal/updatemanager"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/installer"
 	nbnet "github.com/netbirdio/netbird/client/net"
 	cProto "github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ssh"
@@ -45,14 +44,13 @@ import (
 )

 type ConnectClient struct {
-	ctx            context.Context
-	config         *profilemanager.Config
-	statusRecorder *peer.Status
+	ctx                 context.Context
+	config              *profilemanager.Config
+	statusRecorder      *peer.Status
+	doInitialAutoUpdate bool

-	engine        *Engine
-	engineMutex   sync.Mutex
-	clientMetrics *metrics.ClientMetrics
-	updateManager *updater.Manager
+	engine      *Engine
+	engineMutex sync.Mutex

 	persistSyncResponse bool
 }
@@ -61,19 +59,17 @@ func NewConnectClient(
 	ctx context.Context,
 	config *profilemanager.Config,
 	statusRecorder *peer.Status,
+	doInitalAutoUpdate bool,
 ) *ConnectClient {
 	return &ConnectClient{
-		ctx:            ctx,
-		config:         config,
-		statusRecorder: statusRecorder,
-		engineMutex:    sync.Mutex{},
+		ctx:                 ctx,
+		config:              config,
+		statusRecorder:      statusRecorder,
+		doInitialAutoUpdate: doInitalAutoUpdate,
+		engineMutex:         sync.Mutex{},
 	}
 }

-func (c *ConnectClient) SetUpdateManager(um *updater.Manager) {
-	c.updateManager = um
-}
-
 // Run with main logic.
 func (c *ConnectClient) Run(runningChan chan struct{}, logPath string) error {
 	return c.run(MobileDependency{}, runningChan, logPath)
@@ -135,34 +131,10 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		}
 	}()

-	// Stop metrics push on exit
-	defer func() {
-		if c.clientMetrics != nil {
-			c.clientMetrics.StopPush()
-		}
-	}()
-
 	log.Infof("starting NetBird client version %s on %s/%s", version.NetbirdVersion(), runtime.GOOS, runtime.GOARCH)

 	nbnet.Init()

-	// Initialize metrics once at startup (always active for debug bundles)
-	if c.clientMetrics == nil {
-		agentInfo := metrics.AgentInfo{
-			DeploymentType: metrics.DeploymentTypeUnknown,
-			Version:        version.NetbirdVersion(),
-			OS:             runtime.GOOS,
-			Arch:           runtime.GOARCH,
-		}
-		c.clientMetrics = metrics.NewClientMetrics(agentInfo)
-		log.Debugf("initialized client metrics")
-
-		// Start metrics push if enabled (uses daemon context, persists across engine restarts)
-		if metrics.IsMetricsPushEnabled() {
-			c.clientMetrics.StartPush(c.ctx, metrics.PushConfigFromEnv())
-		}
-	}
-
 	backOff := &backoff.ExponentialBackOff{
 		InitialInterval:     time.Second,
 		RandomizationFactor: 1,
@@ -215,13 +187,14 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 	stateManager := statemanager.New(path)
 	stateManager.RegisterState(&sshconfig.ShutdownState{})

-	if c.updateManager != nil {
-		c.updateManager.CheckUpdateSuccess(c.ctx)
-	}
+	updateManager, err := updatemanager.NewManager(c.statusRecorder, stateManager)
+	if err == nil {
+		updateManager.CheckUpdateSuccess(c.ctx)

-	inst := installer.New()
-	if err := inst.CleanUpInstallerFiles(); err != nil {
-		log.Errorf("failed to clean up temporary installer file: %v", err)
+		inst := installer.New()
+		if err := inst.CleanUpInstallerFiles(); err != nil {
+			log.Errorf("failed to clean up temporary installer file: %v", err)
+		}
 	}

 	defer c.statusRecorder.ClientStop()
@@ -249,16 +222,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		mgmNotifier := statusRecorderToMgmConnStateNotifier(c.statusRecorder)
 		mgmClient.SetConnStateListener(mgmNotifier)

-		// Update metrics with actual deployment type after connection
-		deploymentType := metrics.DetermineDeploymentType(mgmClient.GetServerURL())
-		agentInfo := metrics.AgentInfo{
-			DeploymentType: deploymentType,
-			Version:        version.NetbirdVersion(),
-			OS:             runtime.GOOS,
-			Arch:           runtime.GOARCH,
-		}
-		c.clientMetrics.UpdateAgentInfo(agentInfo, myPrivateKey.PublicKey().String())
-
 		log.Debugf("connected to the Management service %s", c.config.ManagementURL.Host)
 		defer func() {
 			if err = mgmClient.Close(); err != nil {
@@ -267,10 +230,8 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		}()

 		// connect (just a connection, no stream yet) and login to Management Service to get an initial global Netbird config
-		loginStarted := time.Now()
 		loginResp, err := loginToManagement(engineCtx, mgmClient, publicSSHKey, c.config)
 		if err != nil {
-			c.clientMetrics.RecordLoginDuration(engineCtx, time.Since(loginStarted), false)
 			log.Debug(err)
 			if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
 				state.Set(StatusNeedsLogin)
@@ -279,7 +240,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			}
 			return wrapErr(err)
 		}
-		c.clientMetrics.RecordLoginDuration(engineCtx, time.Since(loginStarted), true)
 		c.statusRecorder.MarkManagementConnected()

 		localPeerState := peer.LocalPeerState{
@@ -348,16 +308,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		checks := loginResp.GetChecks()

 		c.engineMutex.Lock()
-		engine := NewEngine(engineCtx, cancel, engineConfig, EngineServices{
-			SignalClient:   signalClient,
-			MgmClient:      mgmClient,
-			RelayManager:   relayManager,
-			StatusRecorder: c.statusRecorder,
-			Checks:         checks,
-			StateManager:   stateManager,
-			UpdateManager:  c.updateManager,
-			ClientMetrics:  c.clientMetrics,
-		}, mobileDependency)
+		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, checks, stateManager)
 		engine.SetSyncResponsePersistence(c.persistSyncResponse)
 		c.engine = engine
 		c.engineMutex.Unlock()
@@ -367,15 +318,21 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			return wrapErr(err)
 		}

+		if loginResp.PeerConfig != nil && loginResp.PeerConfig.AutoUpdate != nil {
+			// AutoUpdate will be true when the user click on "Connect" menu on the UI
+			if c.doInitialAutoUpdate {
+				log.Infof("start engine by ui, run auto-update check")
+				c.engine.InitialUpdateHandling(loginResp.PeerConfig.AutoUpdate)
+				c.doInitialAutoUpdate = false
+			}
+		}
+
 		log.Infof("Netbird engine started, the IP is: %s", peerConfig.GetAddress())
 		state.Set(StatusConnected)

 		if runningChan != nil {
-			select {
-			case <-runningChan:
-			default:
-				close(runningChan)
-			}
+			close(runningChan)
+			runningChan = nil
 		}

 		<-engineCtx.Done()
--- a/client/internal/daemonaddr/resolve.go
+++ b/client/internal/daemonaddr/resolve.go
@@ -1,60 +0,0 @@
-//go:build !windows && !ios && !android
-
-package daemonaddr
-
-import (
-	"os"
-	"path/filepath"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-)
-
-var scanDir = "/var/run/netbird"
-
-// setScanDir overrides the scan directory (used by tests).
-func setScanDir(dir string) {
-	scanDir = dir
-}
-
-// ResolveUnixDaemonAddr checks whether the default Unix socket exists and, if not,
-// scans /var/run/netbird/ for a single .sock file to use instead. This handles the
-// mismatch between the netbird@.service template (which places the socket under
-// /var/run/netbird/<instance>.sock) and the CLI default (/var/run/netbird.sock).
-func ResolveUnixDaemonAddr(addr string) string {
-	if !strings.HasPrefix(addr, "unix://") {
-		return addr
-	}
-
-	sockPath := strings.TrimPrefix(addr, "unix://")
-	if _, err := os.Stat(sockPath); err == nil {
-		return addr
-	}
-
-	entries, err := os.ReadDir(scanDir)
-	if err != nil {
-		return addr
-	}
-
-	var found []string
-	for _, e := range entries {
-		if e.IsDir() {
-			continue
-		}
-		if strings.HasSuffix(e.Name(), ".sock") {
-			found = append(found, filepath.Join(scanDir, e.Name()))
-		}
-	}
-
-	switch len(found) {
-	case 1:
-		resolved := "unix://" + found[0]
-		log.Debugf("Default daemon socket not found, using discovered socket: %s", resolved)
-		return resolved
-	case 0:
-		return addr
-	default:
-		log.Warnf("Default daemon socket not found and multiple sockets discovered in %s; pass --daemon-addr explicitly", scanDir)
-		return addr
-	}
-}
--- a/client/internal/daemonaddr/resolve_stub.go
+++ b/client/internal/daemonaddr/resolve_stub.go
@@ -1,8 +0,0 @@
-//go:build windows || ios || android
-
-package daemonaddr
-
-// ResolveUnixDaemonAddr is a no-op on platforms that don't use Unix sockets.
-func ResolveUnixDaemonAddr(addr string) string {
-	return addr
-}
--- a/client/internal/daemonaddr/resolve_test.go
+++ b/client/internal/daemonaddr/resolve_test.go
@@ -1,121 +0,0 @@
-//go:build !windows && !ios && !android
-
-package daemonaddr
-
-import (
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-// createSockFile creates a regular file with a .sock extension.
-// ResolveUnixDaemonAddr uses os.Stat (not net.Dial), so a regular file is
-// sufficient and avoids Unix socket path-length limits on macOS.
-func createSockFile(t *testing.T, path string) {
-	t.Helper()
-	if err := os.WriteFile(path, nil, 0o600); err != nil {
-		t.Fatalf("failed to create test sock file at %s: %v", path, err)
-	}
-}
-
-func TestResolveUnixDaemonAddr_DefaultExists(t *testing.T) {
-	tmp := t.TempDir()
-	sock := filepath.Join(tmp, "netbird.sock")
-	createSockFile(t, sock)
-
-	addr := "unix://" + sock
-	got := ResolveUnixDaemonAddr(addr)
-	if got != addr {
-		t.Errorf("expected %s, got %s", addr, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_SingleDiscovered(t *testing.T) {
-	tmp := t.TempDir()
-
-	// Default socket does not exist
-	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
-
-	// Create a scan dir with one socket
-	sd := filepath.Join(tmp, "netbird")
-	if err := os.MkdirAll(sd, 0o755); err != nil {
-		t.Fatal(err)
-	}
-	instanceSock := filepath.Join(sd, "main.sock")
-	createSockFile(t, instanceSock)
-
-	origScanDir := scanDir
-	setScanDir(sd)
-	t.Cleanup(func() { setScanDir(origScanDir) })
-
-	got := ResolveUnixDaemonAddr(defaultAddr)
-	expected := "unix://" + instanceSock
-	if got != expected {
-		t.Errorf("expected %s, got %s", expected, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_MultipleDiscovered(t *testing.T) {
-	tmp := t.TempDir()
-
-	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
-
-	sd := filepath.Join(tmp, "netbird")
-	if err := os.MkdirAll(sd, 0o755); err != nil {
-		t.Fatal(err)
-	}
-	createSockFile(t, filepath.Join(sd, "main.sock"))
-	createSockFile(t, filepath.Join(sd, "other.sock"))
-
-	origScanDir := scanDir
-	setScanDir(sd)
-	t.Cleanup(func() { setScanDir(origScanDir) })
-
-	got := ResolveUnixDaemonAddr(defaultAddr)
-	if got != defaultAddr {
-		t.Errorf("expected original %s, got %s", defaultAddr, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_NoSocketsFound(t *testing.T) {
-	tmp := t.TempDir()
-
-	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
-
-	sd := filepath.Join(tmp, "netbird")
-	if err := os.MkdirAll(sd, 0o755); err != nil {
-		t.Fatal(err)
-	}
-
-	origScanDir := scanDir
-	setScanDir(sd)
-	t.Cleanup(func() { setScanDir(origScanDir) })
-
-	got := ResolveUnixDaemonAddr(defaultAddr)
-	if got != defaultAddr {
-		t.Errorf("expected original %s, got %s", defaultAddr, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_NonUnixAddr(t *testing.T) {
-	addr := "tcp://127.0.0.1:41731"
-	got := ResolveUnixDaemonAddr(addr)
-	if got != addr {
-		t.Errorf("expected %s, got %s", addr, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_ScanDirMissing(t *testing.T) {
-	tmp := t.TempDir()
-
-	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
-
-	origScanDir := scanDir
-	setScanDir(filepath.Join(tmp, "nonexistent"))
-	t.Cleanup(func() { setScanDir(origScanDir) })
-
-	got := ResolveUnixDaemonAddr(defaultAddr)
-	if got != defaultAddr {
-		t.Errorf("expected original %s, got %s", defaultAddr, got)
-	}
-}
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -27,10 +27,11 @@ import (
 	"github.com/netbirdio/netbird/client/anonymize"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	"github.com/netbirdio/netbird/client/internal/updater/installer"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/installer"
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/version"
 )

 const readmeContent = `Netbird debug bundle
@@ -52,7 +53,6 @@ resolved_domains.txt: Anonymized resolved domain IP addresses from the status re
 config.txt: Anonymized configuration information of the NetBird client.
 network_map.json: Anonymized sync response containing peer configurations, routes, DNS settings, and firewall rules.
 state.json: Anonymized client state dump containing netbird states for the active profile.
-metrics.txt: Buffered client metrics in InfluxDB line protocol format. Only present when metrics collection is enabled. Peer identifiers are anonymized.
 mutex.prof: Mutex profiling information.
 goroutine.prof: Goroutine profiling information.
 block.prof: Block profiling information.
@@ -219,11 +219,6 @@ const (
 	darwinStdoutLogPath = "/var/log/netbird.err.log"
 )

-// MetricsExporter is an interface for exporting metrics
-type MetricsExporter interface {
-	Export(w io.Writer) error
-}
-
 type BundleGenerator struct {
 	anonymizer *anonymize.Anonymizer

@@ -234,7 +229,6 @@ type BundleGenerator struct {
 	logPath        string
 	cpuProfile     []byte
 	refreshStatus  func() // Optional callback to refresh status before bundle generation
-	clientMetrics  MetricsExporter

 	anonymize         bool
 	includeSystemInfo bool
@@ -256,7 +250,6 @@ type GeneratorDependencies struct {
 	LogPath        string
 	CPUProfile     []byte
 	RefreshStatus  func() // Optional callback to refresh status before bundle generation
-	ClientMetrics  MetricsExporter
 }

 func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGenerator {
@@ -275,7 +268,6 @@ func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGen
 		logPath:        deps.LogPath,
 		cpuProfile:     deps.CPUProfile,
 		refreshStatus:  deps.RefreshStatus,
-		clientMetrics:  deps.ClientMetrics,

 		anonymize:         cfg.Anonymize,
 		includeSystemInfo: cfg.IncludeSystemInfo,
@@ -359,10 +351,6 @@ func (g *BundleGenerator) createArchive() error {
 		log.Errorf("failed to add corrupted state files to debug bundle: %v", err)
 	}

-	if err := g.addMetrics(); err != nil {
-		log.Errorf("failed to add metrics to debug bundle: %v", err)
-	}
-
 	if err := g.addWgShow(); err != nil {
 		log.Errorf("failed to add wg show output: %v", err)
 	}
@@ -430,10 +418,7 @@ func (g *BundleGenerator) addStatus() error {
 		fullStatus := g.statusRecorder.GetFullStatus()
 		protoFullStatus := nbstatus.ToProtoFullStatus(fullStatus)
 		protoFullStatus.Events = g.statusRecorder.GetEventHistory()
-		overview := nbstatus.ConvertToStatusOutputOverview(protoFullStatus, nbstatus.ConvertOptions{
-			Anonymize:   g.anonymize,
-			ProfileName: profName,
-		})
+		overview := nbstatus.ConvertToStatusOutputOverview(protoFullStatus, g.anonymize, version.NetbirdVersion(), "", nil, nil, nil, "", profName)
 		statusOutput := overview.FullDetailSummary()

 		statusReader := strings.NewReader(statusOutput)
@@ -759,30 +744,6 @@ func (g *BundleGenerator) addCorruptedStateFiles() error {
 	return nil
 }

-func (g *BundleGenerator) addMetrics() error {
-	if g.clientMetrics == nil {
-		log.Debugf("skipping metrics in debug bundle: no metrics collector")
-		return nil
-	}
-
-	var buf bytes.Buffer
-	if err := g.clientMetrics.Export(&buf); err != nil {
-		return fmt.Errorf("export metrics: %w", err)
-	}
-
-	if buf.Len() == 0 {
-		log.Debugf("skipping metrics.txt in debug bundle: no metrics data")
-		return nil
-	}
-
-	if err := g.addFileToZip(&buf, "metrics.txt"); err != nil {
-		return fmt.Errorf("add metrics file to zip: %w", err)
-	}
-
-	log.Debugf("added metrics to debug bundle")
-	return nil
-}
-
 func (g *BundleGenerator) addLogfile() error {
 	if g.logPath == "" {
 		log.Debugf("skipping empty log file in debug bundle")
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -14,8 +14,6 @@ import (
 	"strings"
 	"sync"

-	"github.com/hashicorp/go-multierror"
-	nberrors "github.com/netbirdio/netbird/client/errors"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"

@@ -24,7 +22,6 @@ import (

 const (
 	netbirdDNSStateKeyFormat            = "State:/Network/Service/NetBird-%s/DNS"
-	netbirdDNSStateKeyIndexedFormat     = "State:/Network/Service/NetBird-%s-%d/DNS"
 	globalIPv4State                     = "State:/Network/Global/IPv4"
 	primaryServiceStateKeyFormat        = "State:/Network/Service/%s/DNS"
 	keySupplementalMatchDomains         = "SupplementalMatchDomains"
@@ -38,14 +35,6 @@ const (
 	searchSuffix                        = "Search"
 	matchSuffix                         = "Match"
 	localSuffix                         = "Local"
-
-	// maxDomainsPerResolverEntry is the max number of domains per scutil resolver key.
-	// scutil's d.add has maxArgs=101 (key + * + 99 values), so 99 is the hard cap.
-	maxDomainsPerResolverEntry = 50
-
-	// maxDomainBytesPerResolverEntry is the max total bytes of domain strings per key.
-	// scutil has an undocumented ~2048 byte value buffer; we stay well under it.
-	maxDomainBytesPerResolverEntry = 1500
 )

 type systemConfigurator struct {
@@ -95,23 +84,28 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 		searchDomains = append(searchDomains, strings.TrimSuffix(""+dConf.Domain, "."))
 	}

-	if err := s.removeKeysContaining(matchSuffix); err != nil {
-		log.Warnf("failed to remove old match keys: %v", err)
-	}
+	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
+	var err error
 	if len(matchDomains) != 0 {
-		if err := s.addBatchedDomains(matchSuffix, matchDomains, config.ServerIP, config.ServerPort, false); err != nil {
-			return fmt.Errorf("add match domains: %w", err)
-		}
+		err = s.addMatchDomains(matchKey, strings.Join(matchDomains, " "), config.ServerIP, config.ServerPort)
+	} else {
+		log.Infof("removing match domains from the system")
+		err = s.removeKeyFromSystemConfig(matchKey)
+	}
+	if err != nil {
+		return fmt.Errorf("add match domains: %w", err)
 	}
 	s.updateState(stateManager)

-	if err := s.removeKeysContaining(searchSuffix); err != nil {
-		log.Warnf("failed to remove old search keys: %v", err)
-	}
+	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
 	if len(searchDomains) != 0 {
-		if err := s.addBatchedDomains(searchSuffix, searchDomains, config.ServerIP, config.ServerPort, true); err != nil {
-			return fmt.Errorf("add search domains: %w", err)
-		}
+		err = s.addSearchDomains(searchKey, strings.Join(searchDomains, " "), config.ServerIP, config.ServerPort)
+	} else {
+		log.Infof("removing search domains from the system")
+		err = s.removeKeyFromSystemConfig(searchKey)
+	}
+	if err != nil {
+		return fmt.Errorf("add search domains: %w", err)
 	}
 	s.updateState(stateManager)

@@ -155,7 +149,8 @@ func (s *systemConfigurator) restoreHostDNS() error {

 func (s *systemConfigurator) getRemovableKeysWithDefaults() []string {
 	if len(s.createdKeys) == 0 {
-		return s.discoverExistingKeys()
+		// return defaults for startup calls
+		return []string{getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix), getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)}
 	}

 	keys := make([]string, 0, len(s.createdKeys))
@@ -165,47 +160,6 @@ func (s *systemConfigurator) getRemovableKeysWithDefaults() []string {
 	return keys
 }

-// discoverExistingKeys probes scutil for all NetBird DNS keys that may exist.
-// This handles the case where createdKeys is empty (e.g., state file lost after unclean shutdown).
-func (s *systemConfigurator) discoverExistingKeys() []string {
-	dnsKeys, err := getSystemDNSKeys()
-	if err != nil {
-		log.Errorf("failed to get system DNS keys: %v", err)
-		return nil
-	}
-
-	var keys []string
-
-	for _, suffix := range []string{searchSuffix, matchSuffix, localSuffix} {
-		key := getKeyWithInput(netbirdDNSStateKeyFormat, suffix)
-		if strings.Contains(dnsKeys, key) {
-			keys = append(keys, key)
-		}
-	}
-
-	for _, suffix := range []string{searchSuffix, matchSuffix} {
-		for i := 0; ; i++ {
-			key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, suffix, i)
-			if !strings.Contains(dnsKeys, key) {
-				break
-			}
-			keys = append(keys, key)
-		}
-	}
-
-	return keys
-}
-
-// getSystemDNSKeys gets all DNS keys
-func getSystemDNSKeys() (string, error) {
-	command := "list .*DNS\nquit\n"
-	out, err := runSystemConfigCommand(command)
-	if err != nil {
-		return "", err
-	}
-	return string(out), nil
-}
-
 func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
 	line := buildRemoveKeyOperation(key)
 	_, err := runSystemConfigCommand(wrapCommand(line))
@@ -230,11 +184,12 @@ func (s *systemConfigurator) addLocalDNS() error {
 		return nil
 	}

-	domainsStr := strings.Join(s.systemDNSSettings.Domains, " ")
-	if err := s.addDNSState(localKey, domainsStr, s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort, true); err != nil {
-		return fmt.Errorf("add local dns state: %w", err)
+	if err := s.addSearchDomains(
+		localKey,
+		strings.Join(s.systemDNSSettings.Domains, " "), s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort,
+	); err != nil {
+		return fmt.Errorf("add search domains: %w", err)
 	}
-	s.createdKeys[localKey] = struct{}{}

 	return nil
 }
@@ -325,77 +280,28 @@ func (s *systemConfigurator) getOriginalNameservers() []netip.Addr {
 	return slices.Clone(s.origNameservers)
 }

-// splitDomainsIntoBatches splits domains into batches respecting both element count and byte size limits.
-func splitDomainsIntoBatches(domains []string) [][]string {
-	if len(domains) == 0 {
-		return nil
+func (s *systemConfigurator) addSearchDomains(key, domains string, ip netip.Addr, port int) error {
+	err := s.addDNSState(key, domains, ip, port, true)
+	if err != nil {
+		return fmt.Errorf("add dns state: %w", err)
 	}

-	var batches [][]string
-	var current []string
-	currentBytes := 0
+	log.Infof("added %d search domains to the state. Domain list: %s", len(strings.Split(domains, " ")), domains)

-	for _, d := range domains {
-		domainLen := len(d)
-		newBytes := currentBytes + domainLen
-		if currentBytes > 0 {
-			newBytes++ // space separator
-		}
+	s.createdKeys[key] = struct{}{}

-		if len(current) > 0 && (len(current) >= maxDomainsPerResolverEntry || newBytes > maxDomainBytesPerResolverEntry) {
-			batches = append(batches, current)
-			current = nil
-			currentBytes = 0
-		}
-
-		current = append(current, d)
-		if currentBytes > 0 {
-			currentBytes += 1 + domainLen
-		} else {
-			currentBytes = domainLen
-		}
-	}
-
-	if len(current) > 0 {
-		batches = append(batches, current)
-	}
-
-	return batches
+	return nil
 }

-// removeKeysContaining removes all created keys that contain the given substring.
-func (s *systemConfigurator) removeKeysContaining(suffix string) error {
-	var toRemove []string
-	for key := range s.createdKeys {
-		if strings.Contains(key, suffix) {
-			toRemove = append(toRemove, key)
-		}
-	}
-	var multiErr *multierror.Error
-	for _, key := range toRemove {
-		if err := s.removeKeyFromSystemConfig(key); err != nil {
-			multiErr = multierror.Append(multiErr, fmt.Errorf("couldn't remove key %s: %w", key, err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(multiErr)
-}
-
-// addBatchedDomains splits domains into batches and creates indexed scutil keys for each batch.
-func (s *systemConfigurator) addBatchedDomains(suffix string, domains []string, ip netip.Addr, port int, enableSearch bool) error {
-	batches := splitDomainsIntoBatches(domains)
-
-	for i, batch := range batches {
-		key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, suffix, i)
-		domainsStr := strings.Join(batch, " ")
-
-		if err := s.addDNSState(key, domainsStr, ip, port, enableSearch); err != nil {
-			return fmt.Errorf("add dns state for batch %d: %w", i, err)
-		}
-
-		s.createdKeys[key] = struct{}{}
+func (s *systemConfigurator) addMatchDomains(key, domains string, dnsServer netip.Addr, port int) error {
+	err := s.addDNSState(key, domains, dnsServer, port, false)
+	if err != nil {
+		return fmt.Errorf("add dns state: %w", err)
 	}

-	log.Infof("added %d %s domains across %d resolver entries", len(domains), suffix, len(batches))
+	log.Infof("added %d match domains to the state. Domain list: %s", len(strings.Split(domains, " ")), domains)
+
+	s.createdKeys[key] = struct{}{}

 	return nil
 }
@@ -458,6 +364,7 @@ func (s *systemConfigurator) flushDNSCache() error {
 	if out, err := cmd.CombinedOutput(); err != nil {
 		return fmt.Errorf("restart mDNSResponder: %w, output: %s", err, out)
 	}
+
 	log.Info("flushed DNS cache")
 	return nil
 }
--- a/client/internal/dns/host_darwin_test.go
+++ b/client/internal/dns/host_darwin_test.go
@@ -3,10 +3,7 @@
 package dns

 import (
-	"bufio"
-	"bytes"
 	"context"
-	"fmt"
 	"net/netip"
 	"os/exec"
 	"path/filepath"
@@ -52,22 +49,17 @@ func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {

 	require.NoError(t, sm.PersistState(context.Background()))

+	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
+	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
 	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)

-	// Collect all created keys for cleanup verification
-	createdKeys := make([]string, 0, len(configurator.createdKeys))
-	for key := range configurator.createdKeys {
-		createdKeys = append(createdKeys, key)
-	}
-
 	defer func() {
-		for _, key := range createdKeys {
+		for _, key := range []string{searchKey, matchKey, localKey} {
 			_ = removeTestDNSKey(key)
 		}
-		_ = removeTestDNSKey(localKey)
 	}()

-	for _, key := range createdKeys {
+	for _, key := range []string{searchKey, matchKey, localKey} {
 		exists, err := checkDNSKeyExists(key)
 		require.NoError(t, err)
 		if exists {
@@ -91,223 +83,13 @@ func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {
 	err = shutdownState.Cleanup()
 	require.NoError(t, err)

-	for _, key := range createdKeys {
+	for _, key := range []string{searchKey, matchKey, localKey} {
 		exists, err := checkDNSKeyExists(key)
 		require.NoError(t, err)
 		assert.False(t, exists, "Key %s should NOT exist after cleanup", key)
 	}
 }

-// generateShortDomains generates domains like a.com, b.com, ..., aa.com, ab.com, etc.
-func generateShortDomains(count int) []string {
-	domains := make([]string, 0, count)
-	for i := range count {
-		label := ""
-		n := i
-		for {
-			label = string(rune('a'+n%26)) + label
-			n = n/26 - 1
-			if n < 0 {
-				break
-			}
-		}
-		domains = append(domains, label+".com")
-	}
-	return domains
-}
-
-// generateLongDomains generates domains like subdomain-000.department.organization-name.example.com
-func generateLongDomains(count int) []string {
-	domains := make([]string, 0, count)
-	for i := range count {
-		domains = append(domains, fmt.Sprintf("subdomain-%03d.department.organization-name.example.com", i))
-	}
-	return domains
-}
-
-// readDomainsFromKey reads the SupplementalMatchDomains array back from scutil for a given key.
-func readDomainsFromKey(t *testing.T, key string) []string {
-	t.Helper()
-
-	cmd := exec.Command(scutilPath)
-	cmd.Stdin = strings.NewReader(fmt.Sprintf("open\nshow %s\nquit\n", key))
-	out, err := cmd.Output()
-	require.NoError(t, err, "scutil show should succeed")
-
-	var domains []string
-	inArray := false
-	scanner := bufio.NewScanner(bytes.NewReader(out))
-	for scanner.Scan() {
-		line := strings.TrimSpace(scanner.Text())
-		if strings.HasPrefix(line, "SupplementalMatchDomains") && strings.Contains(line, "<array>") {
-			inArray = true
-			continue
-		}
-		if inArray {
-			if line == "}" {
-				break
-			}
-			// lines look like: "0 : a.com"
-			parts := strings.SplitN(line, " : ", 2)
-			if len(parts) == 2 {
-				domains = append(domains, parts[1])
-			}
-		}
-	}
-	require.NoError(t, scanner.Err())
-	return domains
-}
-
-func TestSplitDomainsIntoBatches(t *testing.T) {
-	tests := []struct {
-		name            string
-		domains         []string
-		expectedCount   int
-		checkAllPresent bool
-	}{
-		{
-			name:          "empty",
-			domains:       nil,
-			expectedCount: 0,
-		},
-		{
-			name:            "under_limit",
-			domains:         generateShortDomains(10),
-			expectedCount:   1,
-			checkAllPresent: true,
-		},
-		{
-			name:            "at_element_limit",
-			domains:         generateShortDomains(50),
-			expectedCount:   1,
-			checkAllPresent: true,
-		},
-		{
-			name:            "over_element_limit",
-			domains:         generateShortDomains(51),
-			expectedCount:   2,
-			checkAllPresent: true,
-		},
-		{
-			name:            "triple_element_limit",
-			domains:         generateShortDomains(150),
-			expectedCount:   3,
-			checkAllPresent: true,
-		},
-		{
-			name:            "long_domains_hit_byte_limit",
-			domains:         generateLongDomains(50),
-			checkAllPresent: true,
-		},
-		{
-			name:            "500_short_domains",
-			domains:         generateShortDomains(500),
-			expectedCount:   10,
-			checkAllPresent: true,
-		},
-		{
-			name:            "500_long_domains",
-			domains:         generateLongDomains(500),
-			checkAllPresent: true,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			batches := splitDomainsIntoBatches(tc.domains)
-
-			if tc.expectedCount > 0 {
-				assert.Len(t, batches, tc.expectedCount, "expected %d batches", tc.expectedCount)
-			}
-
-			// Verify each batch respects limits
-			for i, batch := range batches {
-				assert.LessOrEqual(t, len(batch), maxDomainsPerResolverEntry,
-					"batch %d exceeds element limit", i)
-
-				totalBytes := 0
-				for j, d := range batch {
-					if j > 0 {
-						totalBytes++
-					}
-					totalBytes += len(d)
-				}
-				assert.LessOrEqual(t, totalBytes, maxDomainBytesPerResolverEntry,
-					"batch %d exceeds byte limit (%d bytes)", i, totalBytes)
-			}
-
-			if tc.checkAllPresent {
-				var all []string
-				for _, batch := range batches {
-					all = append(all, batch...)
-				}
-				assert.Equal(t, tc.domains, all, "all domains should be present in order")
-			}
-		})
-	}
-}
-
-// TestMatchDomainBatching writes increasing numbers of domains via the batching mechanism
-// and verifies all domains are readable across multiple scutil keys.
-func TestMatchDomainBatching(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping scutil integration test in short mode")
-	}
-
-	testCases := []struct {
-		name      string
-		count     int
-		generator func(int) []string
-	}{
-		{"short_10", 10, generateShortDomains},
-		{"short_50", 50, generateShortDomains},
-		{"short_100", 100, generateShortDomains},
-		{"short_200", 200, generateShortDomains},
-		{"short_500", 500, generateShortDomains},
-		{"long_10", 10, generateLongDomains},
-		{"long_50", 50, generateLongDomains},
-		{"long_100", 100, generateLongDomains},
-		{"long_200", 200, generateLongDomains},
-		{"long_500", 500, generateLongDomains},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			configurator := &systemConfigurator{
-				createdKeys: make(map[string]struct{}),
-			}
-
-			defer func() {
-				for key := range configurator.createdKeys {
-					_ = removeTestDNSKey(key)
-				}
-			}()
-
-			domains := tc.generator(tc.count)
-			err := configurator.addBatchedDomains(matchSuffix, domains, netip.MustParseAddr("100.64.0.1"), 53, false)
-			require.NoError(t, err)
-
-			batches := splitDomainsIntoBatches(domains)
-			t.Logf("wrote %d domains across %d batched keys", tc.count, len(batches))
-
-			// Read back all domains from all batched keys
-			var got []string
-			for i := range batches {
-				key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, matchSuffix, i)
-				exists, err := checkDNSKeyExists(key)
-				require.NoError(t, err)
-				require.True(t, exists, "key %s should exist", key)
-
-				got = append(got, readDomainsFromKey(t, key)...)
-			}
-
-			t.Logf("read back %d/%d domains from %d keys", len(got), tc.count, len(batches))
-			assert.Equal(t, tc.count, len(got), "all domains should be readable")
-			assert.Equal(t, domains, got, "domains should match in order")
-		})
-	}
-}
-
 func checkDNSKeyExists(key string) (bool, error) {
 	cmd := exec.Command(scutilPath)
 	cmd.Stdin = strings.NewReader("show " + key + "\nquit\n")
@@ -376,15 +158,15 @@ func setupTestConfigurator(t *testing.T) (*systemConfigurator, *statemanager.Man
 		createdKeys: make(map[string]struct{}),
 	}

+	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
+	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
+	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
+
 	cleanup := func() {
 		_ = sm.Stop(context.Background())
-		for key := range configurator.createdKeys {
+		for _, key := range []string{searchKey, matchKey, localKey} {
 			_ = removeTestDNSKey(key)
 		}
-		// Also clean up old-format keys and local key in case they exist
-		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix))
-		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix))
-		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix))
 	}

 	return configurator, sm, cleanup
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -42,8 +42,6 @@ const (
 	dnsPolicyConfigConfigOptionsKey     = "ConfigOptions"
 	dnsPolicyConfigConfigOptionsValue   = 0x8

-	nrptMaxDomainsPerRule = 50
-
 	interfaceConfigPath          = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
 	interfaceConfigNameServerKey = "NameServer"
 	interfaceConfigSearchListKey = "SearchList"
@@ -200,11 +198,10 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager

 	if len(matchDomains) != 0 {
 		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
-		// Update count even on error to ensure cleanup covers partially created rules
-		r.nrptEntryCount = count
 		if err != nil {
 			return fmt.Errorf("add dns match policy: %w", err)
 		}
+		r.nrptEntryCount = count
 	} else {
 		r.nrptEntryCount = 0
 	}
@@ -242,33 +239,23 @@ func (r *registryConfigurator) addDNSSetupForAll(ip netip.Addr) error {
 func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr) (int, error) {
 	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
 	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
+	for i, domain := range domains {
+		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
+		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)

-	// We need to batch domains into chunks and create one NRPT rule per batch.
-	ruleIndex := 0
-	for i := 0; i < len(domains); i += nrptMaxDomainsPerRule {
-		end := i + nrptMaxDomainsPerRule
-		if end > len(domains) {
-			end = len(domains)
+		singleDomain := []string{domain}
+
+		if err := r.configureDNSPolicy(localPath, singleDomain, ip); err != nil {
+			return i, fmt.Errorf("configure DNS Local policy for domain %s: %w", domain, err)
 		}
-		batchDomains := domains[i:end]
-
-		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, ruleIndex)
-		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, ruleIndex)
-
-		if err := r.configureDNSPolicy(localPath, batchDomains, ip); err != nil {
-			return ruleIndex, fmt.Errorf("configure DNS Local policy for rule %d: %w", ruleIndex, err)
-		}
-
-		// Increment immediately so the caller's cleanup path knows about this rule
-		ruleIndex++

 		if r.gpo {
-			if err := r.configureDNSPolicy(gpoPath, batchDomains, ip); err != nil {
-				return ruleIndex, fmt.Errorf("configure gpo DNS policy for rule %d: %w", ruleIndex-1, err)
+			if err := r.configureDNSPolicy(gpoPath, singleDomain, ip); err != nil {
+				return i, fmt.Errorf("configure gpo DNS policy: %w", err)
 			}
 		}

-		log.Debugf("added NRPT rule %d with %d domains", ruleIndex-1, len(batchDomains))
+		log.Debugf("added NRPT entry for domain: %s", domain)
 	}

 	if r.gpo {
@@ -277,8 +264,8 @@ func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr
 		}
 	}

-	log.Infof("added %d NRPT rules for %d domains", ruleIndex, len(domains))
-	return ruleIndex, nil
+	log.Infof("added %d separate NRPT entries. Domain list: %s", len(domains), domains)
+	return len(domains), nil
 }

 func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []string, ip netip.Addr) error {
--- a/client/internal/dns/host_windows_test.go
+++ b/client/internal/dns/host_windows_test.go
@@ -12,7 +12,6 @@ import (

 // TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
 // when the number of match domains decreases between configuration changes.
-// With batching enabled (50 domains per rule), we need enough domains to create multiple rules.
 func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping registry integration test in short mode")
@@ -38,60 +37,51 @@ func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 		gpo:  false,
 	}

-	// Create 125 domains which will result in 3 NRPT rules (50+50+25)
-	domains125 := make([]DomainConfig, 125)
-	for i := 0; i < 125; i++ {
-		domains125[i] = DomainConfig{
-			Domain:    fmt.Sprintf("domain%d.com", i+1),
-			MatchOnly: true,
-		}
-	}
-
-	config125 := HostDNSConfig{
+	config5 := HostDNSConfig{
 		ServerIP: testIP,
-		Domains:  domains125,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+			{Domain: "domain3.com", MatchOnly: true},
+			{Domain: "domain4.com", MatchOnly: true},
+			{Domain: "domain5.com", MatchOnly: true},
+		},
 	}

-	err = cfg.applyDNSConfig(config125, nil)
+	err = cfg.applyDNSConfig(config5, nil)
 	require.NoError(t, err)

-	// Verify 3 NRPT rules exist
-	assert.Equal(t, 3, cfg.nrptEntryCount, "Should create 3 NRPT rules for 125 domains")
-	for i := 0; i < 3; i++ {
+	// Verify all 5 entries exist
+	for i := 0; i < 5; i++ {
 		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
 		require.NoError(t, err)
-		assert.True(t, exists, "NRPT rule %d should exist after first config", i)
+		assert.True(t, exists, "Entry %d should exist after first config", i)
 	}

-	// Reduce to 75 domains which will result in 2 NRPT rules (50+25)
-	domains75 := make([]DomainConfig, 75)
-	for i := 0; i < 75; i++ {
-		domains75[i] = DomainConfig{
-			Domain:    fmt.Sprintf("domain%d.com", i+1),
-			MatchOnly: true,
-		}
-	}
-
-	config75 := HostDNSConfig{
+	config2 := HostDNSConfig{
 		ServerIP: testIP,
-		Domains:  domains75,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+		},
 	}

-	err = cfg.applyDNSConfig(config75, nil)
+	err = cfg.applyDNSConfig(config2, nil)
 	require.NoError(t, err)

-	// Verify first 2 NRPT rules exist
-	assert.Equal(t, 2, cfg.nrptEntryCount, "Should create 2 NRPT rules for 75 domains")
+	// Verify first 2 entries exist
 	for i := 0; i < 2; i++ {
 		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
 		require.NoError(t, err)
-		assert.True(t, exists, "NRPT rule %d should exist after second config", i)
+		assert.True(t, exists, "Entry %d should exist after second config", i)
 	}

-	// Verify rule 2 is cleaned up
-	exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, 2))
-	require.NoError(t, err)
-	assert.False(t, exists, "NRPT rule 2 should NOT exist after reducing to 75 domains")
+	// Verify entries 2-4 are cleaned up
+	for i := 2; i < 5; i++ {
+		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
+		require.NoError(t, err)
+		assert.False(t, exists, "Entry %d should NOT exist after reducing to 2 domains", i)
+	}
 }

 func registryKeyExists(path string) (bool, error) {
@@ -107,106 +97,6 @@ func registryKeyExists(path string) (bool, error) {
 }

 func cleanupRegistryKeys(*testing.T) {
-	// Clean up more entries to account for batching tests with many domains
-	cfg := &registryConfigurator{nrptEntryCount: 20}
+	cfg := &registryConfigurator{nrptEntryCount: 10}
 	_ = cfg.removeDNSMatchPolicies()
 }
-
-// TestNRPTDomainBatching verifies that domains are correctly batched into NRPT rules.
-func TestNRPTDomainBatching(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping registry integration test in short mode")
-	}
-
-	defer cleanupRegistryKeys(t)
-	cleanupRegistryKeys(t)
-
-	testIP := netip.MustParseAddr("100.64.0.1")
-
-	// Create a test interface registry key so updateSearchDomains doesn't fail
-	testGUID := "{12345678-1234-1234-1234-123456789ABC}"
-	interfacePath := `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` + testGUID
-	testKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, interfacePath, registry.SET_VALUE)
-	require.NoError(t, err, "Should create test interface registry key")
-	testKey.Close()
-	defer func() {
-		_ = registry.DeleteKey(registry.LOCAL_MACHINE, interfacePath)
-	}()
-
-	cfg := &registryConfigurator{
-		guid: testGUID,
-		gpo:  false,
-	}
-
-	testCases := []struct {
-		name              string
-		domainCount       int
-		expectedRuleCount int
-	}{
-		{
-			name:              "Less than 50 domains (single rule)",
-			domainCount:       30,
-			expectedRuleCount: 1,
-		},
-		{
-			name:              "Exactly 50 domains (single rule)",
-			domainCount:       50,
-			expectedRuleCount: 1,
-		},
-		{
-			name:              "51 domains (two rules)",
-			domainCount:       51,
-			expectedRuleCount: 2,
-		},
-		{
-			name:              "100 domains (two rules)",
-			domainCount:       100,
-			expectedRuleCount: 2,
-		},
-		{
-			name:              "125 domains (three rules: 50+50+25)",
-			domainCount:       125,
-			expectedRuleCount: 3,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			// Clean up before each subtest
-			cleanupRegistryKeys(t)
-
-			// Generate domains
-			domains := make([]DomainConfig, tc.domainCount)
-			for i := 0; i < tc.domainCount; i++ {
-				domains[i] = DomainConfig{
-					Domain:    fmt.Sprintf("domain%d.com", i+1),
-					MatchOnly: true,
-				}
-			}
-
-			config := HostDNSConfig{
-				ServerIP: testIP,
-				Domains:  domains,
-			}
-
-			err := cfg.applyDNSConfig(config, nil)
-			require.NoError(t, err)
-
-			// Verify that exactly expectedRuleCount rules were created
-			assert.Equal(t, tc.expectedRuleCount, cfg.nrptEntryCount,
-				"Should create %d NRPT rules for %d domains", tc.expectedRuleCount, tc.domainCount)
-
-			// Verify all expected rules exist
-			for i := 0; i < tc.expectedRuleCount; i++ {
-				exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-				require.NoError(t, err)
-				assert.True(t, exists, "NRPT rule %d should exist", i)
-			}
-
-			// Verify no extra rules were created
-			exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, tc.expectedRuleCount))
-			require.NoError(t, err)
-			assert.False(t, exists, "No NRPT rule should exist at index %d", tc.expectedRuleCount)
-		})
-	}
-}
--- a/client/internal/dns/local/local.go
+++ b/client/internal/dns/local/local.go
@@ -77,7 +77,7 @@ func (d *Resolver) ID() types.HandlerID {
 	return "local-resolver"
 }

-func (d *Resolver) ProbeAvailability(context.Context) {}
+func (d *Resolver) ProbeAvailability() {}

 // ServeDNS handles a DNS request
 func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
--- a/client/internal/dns/mgmt/mgmt.go
+++ b/client/internal/dns/mgmt/mgmt.go
@@ -376,9 +376,9 @@ func (m *Resolver) extractDomainsFromServerDomains(serverDomains dnsconfig.Serve
 		}
 	}

-	// Flow receiver domain is intentionally excluded from caching.
-	// Cloud providers may rotate the IP behind this domain; a stale cached record
-	// causes TLS certificate verification failures on reconnect.
+	if serverDomains.Flow != "" {
+		domains = append(domains, serverDomains.Flow)
+	}

 	for _, stun := range serverDomains.Stuns {
 		if stun != "" {
--- a/client/internal/dns/mgmt/mgmt_test.go
+++ b/client/internal/dns/mgmt/mgmt_test.go
@@ -391,8 +391,7 @@ func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
 	}
 	assert.Len(t, resolver.GetCachedDomains(), 3)

-	// Update with partial ServerDomains (only flow domain - flow is intentionally excluded from
-	// caching to prevent TLS failures from stale records, so all existing domains are preserved)
+	// Update with partial ServerDomains (only flow domain - new type, should preserve all existing)
 	partialDomains := dnsconfig.ServerDomains{
 		Flow: "github.com",
 	}
@@ -401,10 +400,10 @@ func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
 		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
 	}

-	assert.Len(t, removedDomains, 0, "Should not remove any domains when only flow domain is provided")
+	assert.Len(t, removedDomains, 0, "Should not remove any domains when adding new type")

 	finalDomains := resolver.GetCachedDomains()
-	assert.Len(t, finalDomains, 3, "Flow domain is not cached; all original domains should be preserved")
+	assert.Len(t, finalDomains, 4, "Should have all original domains plus new flow domain")

 	domainStrings := make([]string, len(finalDomains))
 	for i, d := range finalDomains {
@@ -413,5 +412,5 @@ func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
 	assert.Contains(t, domainStrings, "example.org")
 	assert.Contains(t, domainStrings, "google.com")
 	assert.Contains(t, domainStrings, "cloudflare.com")
-	assert.NotContains(t, domainStrings, "github.com")
+	assert.Contains(t, domainStrings, "github.com")
 }
--- a/client/internal/dns/mock_server.go
+++ b/client/internal/dns/mock_server.go
@@ -84,23 +84,3 @@ func (m *MockServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
 func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	return nil
 }
-
-// SetRouteChecker mock implementation of SetRouteChecker from Server interface
-func (m *MockServer) SetRouteChecker(func(netip.Addr) bool) {
-	// Mock implementation - no-op
-}
-
-// BeginBatch mock implementation of BeginBatch from Server interface
-func (m *MockServer) BeginBatch() {
-	// Mock implementation - no-op
-}
-
-// EndBatch mock implementation of EndBatch from Server interface
-func (m *MockServer) EndBatch() {
-	// Mock implementation - no-op
-}
-
-// CancelBatch mock implementation of CancelBatch from Server interface
-func (m *MockServer) CancelBatch() {
-	// Mock implementation - no-op
-}
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -45,9 +45,6 @@ type IosDnsManager interface {
 type Server interface {
 	RegisterHandler(domains domain.List, handler dns.Handler, priority int)
 	DeregisterHandler(domains domain.List, priority int)
-	BeginBatch()
-	EndBatch()
-	CancelBatch()
 	Initialize() error
 	Stop()
 	DnsIP() netip.Addr
@@ -57,7 +54,6 @@ type Server interface {
 	ProbeAvailability()
 	UpdateServerConfig(domains dnsconfig.ServerDomains) error
 	PopulateManagementDomain(mgmtURL *url.URL) error
-	SetRouteChecker(func(netip.Addr) bool)
 }

 type nsGroupsByDomain struct {
@@ -91,7 +87,6 @@ type DefaultServer struct {
 	currentConfigHash  uint64
 	handlerChain       *HandlerChain
 	extraDomains       map[domain.Domain]int
-	batchMode          bool

 	mgmtCacheResolver *mgmt.Resolver

@@ -105,17 +100,12 @@ type DefaultServer struct {

 	statusRecorder *peer.Status
 	stateManager   *statemanager.Manager
-	routeMatch     func(netip.Addr) bool
-
-	probeMu     sync.Mutex
-	probeCancel context.CancelFunc
-	probeWg     sync.WaitGroup
 }

 type handlerWithStop interface {
 	dns.Handler
 	Stop()
-	ProbeAvailability(context.Context)
+	ProbeAvailability()
 	ID() types.HandlerID
 }

@@ -231,14 +221,6 @@ func newDefaultServer(
 	return defaultServer
 }

-// SetRouteChecker sets the function used by upstream resolvers to determine
-// whether an IP is routed through the tunnel.
-func (s *DefaultServer) SetRouteChecker(f func(netip.Addr) bool) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	s.routeMatch = f
-}
-
 // RegisterHandler registers a handler for the given domains with the given priority.
 // Any previously registered handler for the same domain and priority will be replaced.
 func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler, priority int) {
@@ -252,9 +234,7 @@ func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler
 		// convert to zone with simple ref counter
 		s.extraDomains[toZone(domain)]++
 	}
-	if !s.batchMode {
-		s.applyHostConfig()
-	}
+	s.applyHostConfig()
 }

 func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, priority int) {
@@ -283,41 +263,9 @@ func (s *DefaultServer) DeregisterHandler(domains domain.List, priority int) {
 			delete(s.extraDomains, zone)
 		}
 	}
-	if !s.batchMode {
-		s.applyHostConfig()
-	}
-}
-
-// BeginBatch starts batch mode for DNS handler registration/deregistration.
-// In batch mode, applyHostConfig() is not called after each handler operation,
-// allowing multiple handlers to be registered/deregistered efficiently.
-// Must be followed by EndBatch() to apply the accumulated changes.
-func (s *DefaultServer) BeginBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode enabled")
-	s.batchMode = true
-}
-
-// EndBatch ends batch mode and applies all accumulated DNS configuration changes.
-func (s *DefaultServer) EndBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode disabled, applying accumulated changes")
-	s.batchMode = false
 	s.applyHostConfig()
 }

-// CancelBatch cancels batch mode without applying accumulated changes.
-// This is useful when operations fail partway through and you want to
-// discard partial state rather than applying it.
-func (s *DefaultServer) CancelBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode cancelled, discarding accumulated changes")
-	s.batchMode = false
-}
-
 func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
 	log.Debugf("deregistering handler with priority %d for %v", priority, domains)

@@ -376,13 +324,7 @@ func (s *DefaultServer) DnsIP() netip.Addr {

 // Stop stops the server
 func (s *DefaultServer) Stop() {
-	s.probeMu.Lock()
-	if s.probeCancel != nil {
-		s.probeCancel()
-	}
 	s.ctxCancel()
-	s.probeMu.Unlock()
-	s.probeWg.Wait()
 	s.shutdownWg.Wait()

 	s.mux.Lock()
@@ -499,8 +441,7 @@ func (s *DefaultServer) SearchDomains() []string {
 }

 // ProbeAvailability tests each upstream group's servers for availability
-// and deactivates the group if no server responds.
-// If a previous probe is still running, it will be cancelled before starting a new one.
+// and deactivates the group if no server responds
 func (s *DefaultServer) ProbeAvailability() {
 	if val := os.Getenv(envSkipDNSProbe); val != "" {
 		skipProbe, err := strconv.ParseBool(val)
@@ -513,52 +454,15 @@ func (s *DefaultServer) ProbeAvailability() {
 		}
 	}

-	s.probeMu.Lock()
-
-	// don't start probes on a stopped server
-	if s.ctx.Err() != nil {
-		s.probeMu.Unlock()
-		return
-	}
-
-	// cancel any running probe
-	if s.probeCancel != nil {
-		s.probeCancel()
-		s.probeCancel = nil
-	}
-
-	// wait for the previous probe goroutines to finish while holding
-	// the mutex so no other caller can start a new probe concurrently
-	s.probeWg.Wait()
-
-	// start a new probe
-	probeCtx, probeCancel := context.WithCancel(s.ctx)
-	s.probeCancel = probeCancel
-
-	s.probeWg.Add(1)
-	defer s.probeWg.Done()
-
-	// Snapshot handlers under s.mux to avoid racing with updateMux/dnsMuxMap writers.
-	s.mux.Lock()
-	handlers := make([]handlerWithStop, 0, len(s.dnsMuxMap))
-	for _, mux := range s.dnsMuxMap {
-		handlers = append(handlers, mux.handler)
-	}
-	s.mux.Unlock()
-
 	var wg sync.WaitGroup
-	for _, handler := range handlers {
+	for _, mux := range s.dnsMuxMap {
 		wg.Add(1)
-		go func(h handlerWithStop) {
+		go func(mux handlerWithStop) {
 			defer wg.Done()
-			h.ProbeAvailability(probeCtx)
-		}(handler)
+			mux.ProbeAvailability()
+		}(mux.handler)
 	}
-
-	s.probeMu.Unlock()
-
 	wg.Wait()
-	probeCancel()
 }

 func (s *DefaultServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
@@ -619,7 +523,6 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 		s.currentConfig.RouteAll = false
 	}

-	// Always apply host config for management updates, regardless of batch mode
 	s.applyHostConfig()

 	s.shutdownWg.Add(1)
@@ -753,7 +656,6 @@ func (s *DefaultServer) registerFallback(config HostDNSConfig) {
 		log.Errorf("failed to create upstream resolver for original nameservers: %v", err)
 		return
 	}
-	handler.routeMatch = s.routeMatch

 	for _, ns := range originalNameservers {
 		if ns == config.ServerIP {
@@ -863,7 +765,6 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		if err != nil {
 			return nil, fmt.Errorf("create upstream resolver: %v", err)
 		}
-		handler.routeMatch = s.routeMatch

 		for _, ns := range nsGroup.NameServers {
 			if ns.NSType != nbdns.UDPNameServerType {
@@ -986,7 +887,6 @@ func (s *DefaultServer) upstreamCallbacks(
 			}
 		}

-		// Always apply host config when nameserver goes down, regardless of batch mode
 		s.applyHostConfig()

 		go func() {
@@ -1022,7 +922,6 @@ func (s *DefaultServer) upstreamCallbacks(
 			s.registerHandler([]string{nbdns.RootZone}, handler, priority)
 		}

-		// Always apply host config when nameserver reactivates, regardless of batch mode
 		s.applyHostConfig()

 		s.updateNSState(nsGroup, nil, true)
@@ -1048,7 +947,6 @@ func (s *DefaultServer) addHostRootZone() {
 		log.Errorf("unable to create a new upstream resolver, error: %v", err)
 		return
 	}
-	handler.routeMatch = s.routeMatch

 	handler.upstreamServers = maps.Keys(hostDNSServers)
 	handler.deactivate = func(error) {}
--- a/client/internal/dns/server_export_test.go
+++ b/client/internal/dns/server_export_test.go
@@ -18,12 +18,7 @@ func TestGetServerDns(t *testing.T) {
 		t.Errorf("invalid dns server instance: %s", err)
 	}

-	mockSrvB, ok := srvB.(*MockServer)
-	if !ok {
-		t.Errorf("returned server is not a MockServer")
-	}
-
-	if mockSrvB != srv {
+	if srvB != srv {
 		t.Errorf("mismatch dns instances")
 	}
 }
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -1065,7 +1065,7 @@ type mockHandler struct {

 func (m *mockHandler) ServeDNS(dns.ResponseWriter, *dns.Msg) {}
 func (m *mockHandler) Stop()                                 {}
-func (m *mockHandler) ProbeAvailability(context.Context)     {}
+func (m *mockHandler) ProbeAvailability()                    {}
 func (m *mockHandler) ID() types.HandlerID                   { return types.HandlerID(m.Id) }

 type mockService struct{}
--- a/client/internal/dns/service_listener.go
+++ b/client/internal/dns/service_listener.go
@@ -6,7 +6,6 @@ import (
 	"net"
 	"net/netip"
 	"runtime"
-	"strconv"
 	"sync"
 	"time"

@@ -70,7 +69,7 @@ func (s *serviceViaListener) Listen() error {
 		return fmt.Errorf("eval listen address: %w", err)
 	}
 	s.listenIP = s.listenIP.Unmap()
-	s.server.Addr = net.JoinHostPort(s.listenIP.String(), strconv.Itoa(int(s.listenPort)))
+	s.server.Addr = fmt.Sprintf("%s:%d", s.listenIP, s.listenPort)
 	log.Debugf("starting dns on %s", s.server.Addr)
 	go func() {
 		s.setListenerStatus(true)
@@ -187,7 +186,7 @@ func (s *serviceViaListener) testFreePort(port int) (netip.Addr, bool) {
 }

 func (s *serviceViaListener) tryToBind(ip netip.Addr, port int) bool {
-	addrString := net.JoinHostPort(ip.String(), strconv.Itoa(port))
+	addrString := fmt.Sprintf("%s:%d", ip, port)
 	udpAddr := net.UDPAddrFromAddrPort(netip.MustParseAddrPort(addrString))
 	probeListener, err := net.ListenUDP("udp", udpAddr)
 	if err != nil {
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -65,12 +65,10 @@ type upstreamResolverBase struct {
 	mutex            sync.Mutex
 	reactivatePeriod time.Duration
 	upstreamTimeout  time.Duration
-	wg               sync.WaitGroup

 	deactivate     func(error)
 	reactivate     func()
 	statusRecorder *peer.Status
-	routeMatch     func(netip.Addr) bool
 }

 type upstreamFailure struct {
@@ -117,11 +115,6 @@ func (u *upstreamResolverBase) MatchSubdomains() bool {
 func (u *upstreamResolverBase) Stop() {
 	log.Debugf("stopping serving DNS for upstreams %s", u.upstreamServers)
 	u.cancel()
-
-	u.mutex.Lock()
-	u.wg.Wait()
-	u.mutex.Unlock()
-
 }

 // ServeDNS handles a DNS request
@@ -267,10 +260,16 @@ func formatFailures(failures []upstreamFailure) string {

 // ProbeAvailability tests all upstream servers simultaneously and
 // disables the resolver if none work
-func (u *upstreamResolverBase) ProbeAvailability(ctx context.Context) {
+func (u *upstreamResolverBase) ProbeAvailability() {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()

+	select {
+	case <-u.ctx.Done():
+		return
+	default:
+	}
+
 	// avoid probe if upstreams could resolve at least one query
 	if u.successCount.Load() > 0 {
 		return
@@ -280,39 +279,31 @@ func (u *upstreamResolverBase) ProbeAvailability(ctx context.Context) {
 	var mu sync.Mutex
 	var wg sync.WaitGroup

-	var errs *multierror.Error
+	var errors *multierror.Error
 	for _, upstream := range u.upstreamServers {
+		upstream := upstream
+
 		wg.Add(1)
-		go func(upstream netip.AddrPort) {
+		go func() {
 			defer wg.Done()
-			err := u.testNameserver(u.ctx, ctx, upstream, 500*time.Millisecond)
+			err := u.testNameserver(upstream, 500*time.Millisecond)
 			if err != nil {
-				mu.Lock()
-				errs = multierror.Append(errs, err)
-				mu.Unlock()
+				errors = multierror.Append(errors, err)
 				log.Warnf("probing upstream nameserver %s: %s", upstream, err)
 				return
 			}

 			mu.Lock()
+			defer mu.Unlock()
 			success = true
-			mu.Unlock()
-		}(upstream)
+		}()
 	}

 	wg.Wait()

-	select {
-	case <-ctx.Done():
-		return
-	case <-u.ctx.Done():
-		return
-	default:
-	}
-
 	// didn't find a working upstream server, let's disable and try later
 	if !success {
-		u.disable(errs.ErrorOrNil())
+		u.disable(errors.ErrorOrNil())

 		if u.statusRecorder == nil {
 			return
@@ -348,7 +339,7 @@ func (u *upstreamResolverBase) waitUntilResponse() {
 		}

 		for _, upstream := range u.upstreamServers {
-			if err := u.testNameserver(u.ctx, nil, upstream, probeTimeout); err != nil {
+			if err := u.testNameserver(upstream, probeTimeout); err != nil {
 				log.Tracef("upstream check for %s: %s", upstream, err)
 			} else {
 				// at least one upstream server is available, stop probing
@@ -360,22 +351,16 @@ func (u *upstreamResolverBase) waitUntilResponse() {
 		return fmt.Errorf("upstream check call error")
 	}

-	err := backoff.Retry(operation, backoff.WithContext(exponentialBackOff, u.ctx))
+	err := backoff.Retry(operation, exponentialBackOff)
 	if err != nil {
-		if errors.Is(err, context.Canceled) {
-			log.Debugf("upstream retry loop exited for upstreams %s", u.upstreamServersString())
-		} else {
-			log.Warnf("upstream retry loop exited for upstreams %s: %v", u.upstreamServersString(), err)
-		}
+		log.Warn(err)
 		return
 	}

 	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServersString())
 	u.successCount.Add(1)
 	u.reactivate()
-	u.mutex.Lock()
 	u.disabled = false
-	u.mutex.Unlock()
 }

 // isTimeout returns true if the given error is a network timeout error.
@@ -398,11 +383,7 @@ func (u *upstreamResolverBase) disable(err error) {
 	u.successCount.Store(0)
 	u.deactivate(err)
 	u.disabled = true
-	u.wg.Add(1)
-	go func() {
-		defer u.wg.Done()
-		u.waitUntilResponse()
-	}()
+	go u.waitUntilResponse()
 }

 func (u *upstreamResolverBase) upstreamServersString() string {
@@ -413,18 +394,13 @@ func (u *upstreamResolverBase) upstreamServersString() string {
 	return strings.Join(servers, ", ")
 }

-func (u *upstreamResolverBase) testNameserver(baseCtx context.Context, externalCtx context.Context, server netip.AddrPort, timeout time.Duration) error {
-	mergedCtx, cancel := context.WithTimeout(baseCtx, timeout)
+func (u *upstreamResolverBase) testNameserver(server netip.AddrPort, timeout time.Duration) error {
+	ctx, cancel := context.WithTimeout(u.ctx, timeout)
 	defer cancel()

-	if externalCtx != nil {
-		stop2 := context.AfterFunc(externalCtx, cancel)
-		defer stop2()
-	}
-
 	r := new(dns.Msg).SetQuestion(testRecord, dns.TypeSOA)

-	_, _, err := u.upstreamClient.exchange(mergedCtx, server.String(), r)
+	_, _, err := u.upstreamClient.exchange(ctx, server.String(), r)
 	return err
 }

--- a/client/internal/dns/upstream_ios.go
+++ b/client/internal/dns/upstream_ios.go
@@ -65,13 +65,11 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	} else {
 		upstreamIP = upstreamIP.Unmap()
 	}
-	needsPrivate := u.lNet.Contains(upstreamIP) ||
-		(u.routeMatch != nil && u.routeMatch(upstreamIP))
-	if needsPrivate {
-		log.Debugf("using private client to query %s via upstream %s", r.Question[0].Name, upstream)
+	if u.lNet.Contains(upstreamIP) || upstreamIP.IsPrivate() {
+		log.Debugf("using private client to query upstream: %s", upstream)
 		client, err = GetClientPrivate(u.lIP, u.interfaceName, timeout)
 		if err != nil {
-			return nil, 0, fmt.Errorf("create private client: %s", err)
+			return nil, 0, fmt.Errorf("error while creating private client: %s", err)
 		}
 	}

--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -188,7 +188,7 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 		reactivated = true
 	}

-	resolver.ProbeAvailability(context.TODO())
+	resolver.ProbeAvailability()

 	if !failed {
 		t.Errorf("expected that resolving was deactivated")
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -28,17 +28,15 @@ import (
 	"github.com/netbirdio/netbird/client/firewall"
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
+	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
-	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
-	"github.com/netbirdio/netbird/client/internal/metrics"
 	"github.com/netbirdio/netbird/client/internal/netflow"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/networkmonitor"
@@ -52,14 +50,16 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	"github.com/netbirdio/netbird/client/internal/updater"
+	"github.com/netbirdio/netbird/client/internal/updatemanager"
 	"github.com/netbirdio/netbird/client/jobexec"
 	cProto "github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/shared/management/domain"
+	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
+
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	auth "github.com/netbirdio/netbird/shared/relay/auth/hmac"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
@@ -75,11 +75,13 @@ import (
 const (
 	PeerConnectionTimeoutMax = 45000 // ms
 	PeerConnectionTimeoutMin = 30000 // ms
+	connInitLimit            = 200
 	disableAutoUpdate        = "disabled"
 )

 var ErrResetConnection = fmt.Errorf("reset connection")

+// EngineConfig is a config for the Engine
 type EngineConfig struct {
 	WgPort      int
 	WgIfaceName string
@@ -141,18 +143,6 @@ type EngineConfig struct {
 	LogPath string
 }

-// EngineServices holds the external service dependencies required by the Engine.
-type EngineServices struct {
-	SignalClient   signal.Client
-	MgmClient      mgm.Client
-	RelayManager   *relayClient.Manager
-	StatusRecorder *peer.Status
-	Checks         []*mgmProto.Checks
-	StateManager   *statemanager.Manager
-	UpdateManager  *updater.Manager
-	ClientMetrics  *metrics.ClientMetrics
-}
-
 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
 type Engine struct {
 	// signal is a Signal Service client
@@ -218,10 +208,11 @@ type Engine struct {
 	syncRespMux         sync.RWMutex
 	persistSyncResponse bool
 	latestSyncResponse  *mgmProto.SyncResponse
+	connSemaphore       *semaphoregroup.SemaphoreGroup
 	flowManager         nftypes.FlowManager

 	// auto-update
-	updateManager *updater.Manager
+	updateManager *updatemanager.Manager

 	// WireGuard interface monitor
 	wgIfaceMonitor *WGIfaceMonitor
@@ -231,13 +222,8 @@ type Engine struct {

 	probeStunTurn *relay.StunTurnProbe

-	// clientMetrics collects and pushes metrics
-	clientMetrics *metrics.ClientMetrics
-
 	jobExecutor   *jobexec.Executor
 	jobExecutorWG sync.WaitGroup
-
-	exposeManager *expose.Manager
 }

 // Peer is an instance of the Connection Peer
@@ -254,17 +240,22 @@ type localIpUpdater interface {
 func NewEngine(
 	clientCtx context.Context,
 	clientCancel context.CancelFunc,
+	signalClient signal.Client,
+	mgmClient mgm.Client,
+	relayManager *relayClient.Manager,
 	config *EngineConfig,
-	services EngineServices,
 	mobileDep MobileDependency,
+	statusRecorder *peer.Status,
+	checks []*mgmProto.Checks,
+	stateManager *statemanager.Manager,
 ) *Engine {
 	engine := &Engine{
 		clientCtx:      clientCtx,
 		clientCancel:   clientCancel,
-		signal:         services.SignalClient,
-		signaler:       peer.NewSignaler(services.SignalClient, config.WgPrivateKey),
-		mgmClient:      services.MgmClient,
-		relayManager:   services.RelayManager,
+		signal:         signalClient,
+		signaler:       peer.NewSignaler(signalClient, config.WgPrivateKey),
+		mgmClient:      mgmClient,
+		relayManager:   relayManager,
 		peerStore:      peerstore.NewConnStore(),
 		syncMsgMux:     &sync.Mutex{},
 		config:         config,
@@ -272,13 +263,12 @@ func NewEngine(
 		STUNs:          []*stun.URI{},
 		TURNs:          []*stun.URI{},
 		networkSerial:  0,
-		statusRecorder: services.StatusRecorder,
-		stateManager:   services.StateManager,
-		checks:         services.Checks,
+		statusRecorder: statusRecorder,
+		stateManager:   stateManager,
+		checks:         checks,
+		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
 		probeStunTurn:  relay.NewStunTurnProbe(relay.DefaultCacheTTL),
 		jobExecutor:    jobexec.NewExecutor(),
-		clientMetrics:  services.ClientMetrics,
-		updateManager:  services.UpdateManager,
 	}

 	log.Infof("I am: %s", config.WgPrivateKey.PublicKey().String())
@@ -321,7 +311,7 @@ func (e *Engine) Stop() error {
 	}

 	if e.updateManager != nil {
-		e.updateManager.SetDownloadOnly()
+		e.updateManager.Stop()
 	}

 	log.Info("cleaning up status recorder states")
@@ -429,7 +419,6 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 		e.cancel()
 	}
 	e.ctx, e.cancel = context.WithCancel(e.clientCtx)
-	e.exposeManager = expose.NewManager(e.ctx, e.mgmClient)

 	wgIface, err := e.newWgIface()
 	if err != nil {
@@ -499,17 +488,6 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)

 	e.routeManager.SetRouteChangeListener(e.mobileDep.NetworkChangeListener)

-	e.dnsServer.SetRouteChecker(func(ip netip.Addr) bool {
-		for _, routes := range e.routeManager.GetClientRoutes() {
-			for _, r := range routes {
-				if r.Network.Contains(ip) {
-					return true
-				}
-			}
-		}
-		return false
-	})
-
 	if err = e.wgInterfaceCreate(); err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", e.config.WgIfaceName, err.Error())
 		e.close()
@@ -582,6 +560,13 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	return nil
 }

+func (e *Engine) InitialUpdateHandling(autoUpdateSettings *mgmProto.AutoUpdateSettings) {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	e.handleAutoUpdateVersion(autoUpdateSettings, true)
+}
+
 func (e *Engine) createFirewall() error {
 	if e.config.DisableFirewall {
 		log.Infof("firewall is disabled")
@@ -809,30 +794,45 @@ func (e *Engine) PopulateNetbirdConfig(netbirdConfig *mgmProto.NetbirdConfig, mg
 	return nil
 }

-func (e *Engine) handleAutoUpdateVersion(autoUpdateSettings *mgmProto.AutoUpdateSettings) {
-	if e.updateManager == nil {
-		return
-	}
-
+func (e *Engine) handleAutoUpdateVersion(autoUpdateSettings *mgmProto.AutoUpdateSettings, initialCheck bool) {
 	if autoUpdateSettings == nil {
 		return
 	}

-	if autoUpdateSettings.Version == disableAutoUpdate {
-		log.Infof("auto-update is disabled")
-		e.updateManager.SetDownloadOnly()
+	disabled := autoUpdateSettings.Version == disableAutoUpdate
+
+	// Stop and cleanup if disabled
+	if e.updateManager != nil && disabled {
+		log.Infof("auto-update is disabled, stopping update manager")
+		e.updateManager.Stop()
+		e.updateManager = nil
 		return
 	}

-	e.updateManager.SetVersion(autoUpdateSettings.Version, autoUpdateSettings.AlwaysUpdate)
+	// Skip check unless AlwaysUpdate is enabled or this is the initial check at startup
+	if !autoUpdateSettings.AlwaysUpdate && !initialCheck {
+		log.Debugf("skipping auto-update check, AlwaysUpdate is false and this is not the initial check")
+		return
+	}
+
+	// Start manager if needed
+	if e.updateManager == nil {
+		log.Infof("starting auto-update manager")
+		updateManager, err := updatemanager.NewManager(e.statusRecorder, e.stateManager)
+		if err != nil {
+			return
+		}
+		e.updateManager = updateManager
+		e.updateManager.Start(e.ctx)
+	}
+	log.Infof("handling auto-update version: %s", autoUpdateSettings.Version)
+	e.updateManager.SetVersion(autoUpdateSettings.Version)
 }

 func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	started := time.Now()
 	defer func() {
-		duration := time.Since(started)
-		log.Infof("sync finished in %s", duration)
-		e.clientMetrics.RecordSyncDuration(e.ctx, duration)
+		log.Infof("sync finished in %s", time.Since(started))
 	}()
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
@@ -843,7 +843,7 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	}

 	if update.NetworkMap != nil && update.NetworkMap.PeerConfig != nil {
-		e.handleAutoUpdateVersion(update.NetworkMap.PeerConfig.AutoUpdate)
+		e.handleAutoUpdateVersion(update.NetworkMap.PeerConfig.AutoUpdate, false)
 	}

 	if update.GetNetbirdConfig() != nil {
@@ -1008,11 +1008,10 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 		return errors.New("wireguard interface is not initialized")
 	}

+	// Cannot update the IP address without restarting the engine because
+	// the firewall, route manager, and other components cache the old address
 	if e.wgInterface.Address().String() != conf.Address {
-		log.Infof("peer IP address changed from %s to %s, restarting client", e.wgInterface.Address().String(), conf.Address)
-		_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
-		e.clientCancel()
-		return ErrResetConnection
+		log.Infof("peer IP address has changed from %s to %s", e.wgInterface.Address().String(), conf.Address)
 	}

 	if conf.GetSshConfig() != nil {
@@ -1080,7 +1079,6 @@ func (e *Engine) handleBundle(params *mgmProto.BundleParameters) (*mgmProto.JobR
 		StatusRecorder: e.statusRecorder,
 		SyncResponse:   syncResponse,
 		LogPath:        e.config.LogPath,
-		ClientMetrics:  e.clientMetrics,
 		RefreshStatus: func() {
 			e.RunHealthProbes(true)
 		},
@@ -1318,7 +1316,8 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {

 	// Test received (upstream) servers for availability right away instead of upon usage.
 	// If no server of a server group responds this will disable the respective handler and retry later.
-	go e.dnsServer.ProbeAvailability()
+	e.dnsServer.ProbeAvailability()
+
 	return nil
 }

@@ -1535,12 +1534,12 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 	}

 	serviceDependencies := peer.ServiceDependencies{
-		StatusRecorder:  e.statusRecorder,
-		Signaler:        e.signaler,
-		IFaceDiscover:   e.mobileDep.IFaceDiscover,
-		RelayManager:    e.relayManager,
-		SrWatcher:       e.srWatcher,
-		MetricsRecorder: e.clientMetrics,
+		StatusRecorder: e.statusRecorder,
+		Signaler:       e.signaler,
+		IFaceDiscover:  e.mobileDep.IFaceDiscover,
+		RelayManager:   e.relayManager,
+		SrWatcher:      e.srWatcher,
+		Semaphore:      e.connSemaphore,
 	}
 	peerConn, err := peer.NewConn(config, serviceDependencies)
 	if err != nil {
@@ -1563,10 +1562,8 @@ func (e *Engine) receiveSignalEvents() {
 		defer e.shutdownWg.Done()
 		// connect to a stream of messages coming from the signal server
 		err := e.signal.Receive(e.ctx, func(msg *sProto.Message) error {
-			start := time.Now()
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()
-			gotLock := time.Since(start)

 			// Check context INSIDE lock to ensure atomicity with shutdown
 			if e.ctx.Err() != nil {
@@ -1590,8 +1587,6 @@ func (e *Engine) receiveSignalEvents() {
 					return err
 				}

-				log.Debugf("receiveMSG: took %s to get lock for peer %s with session id %s", gotLock, msg.Key, offerAnswer.SessionID)
-
 				if msg.Body.Type == sProto.Body_OFFER {
 					conn.OnRemoteOffer(*offerAnswer)
 				} else {
@@ -1825,23 +1820,11 @@ func (e *Engine) GetRouteManager() routemanager.Manager {
 	return e.routeManager
 }

-// GetFirewallManager returns the firewall manager.
+// GetFirewallManager returns the firewall manager
 func (e *Engine) GetFirewallManager() firewallManager.Manager {
 	return e.firewall
 }

-// GetExposeManager returns the expose session manager.
-func (e *Engine) GetExposeManager() *expose.Manager {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-	return e.exposeManager
-}
-
-// GetClientMetrics returns the client metrics
-func (e *Engine) GetClientMetrics() *metrics.ClientMetrics {
-	return e.clientMetrics
-}
-
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -251,6 +251,9 @@ func TestEngine_SSH(t *testing.T) {
 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
 	engine := NewEngine(
 		ctx, cancel,
+		&signal.MockClient{},
+		&mgmt.MockClient{},
+		relayMgr,
 		&EngineConfig{
 			WgIfaceName:      "utun101",
 			WgAddr:           "100.64.0.1/24",
@@ -260,13 +263,10 @@ func TestEngine_SSH(t *testing.T) {
 			MTU:              iface.DefaultMTU,
 			SSHKey:           sshKey,
 		},
-		EngineServices{
-			SignalClient:   &signal.MockClient{},
-			MgmClient:      &mgmt.MockClient{},
-			RelayManager:   relayMgr,
-			StatusRecorder: peer.NewRecorder("https://mgm"),
-		},
 		MobileDependency{},
+		peer.NewRecorder("https://mgm"),
+		nil,
+		nil,
 	)

 	engine.dnsServer = &dns.MockServer{
@@ -428,18 +428,13 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	defer cancel()

 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
-	engine := NewEngine(ctx, cancel, &EngineConfig{
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
 		WgIfaceName:  "utun102",
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
 		MTU:          iface.DefaultMTU,
-	}, EngineServices{
-		SignalClient:   &signal.MockClient{},
-		MgmClient:      &mgmt.MockClient{},
-		RelayManager:   relayMgr,
-		StatusRecorder: peer.NewRecorder("https://mgm"),
-	}, MobileDependency{})
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)

 	wgIface := &MockWGIface{
 		NameFunc: func() string { return "utun102" },
@@ -652,18 +647,13 @@ func TestEngine_Sync(t *testing.T) {
 		return nil
 	}
 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
-	engine := NewEngine(ctx, cancel, &EngineConfig{
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{SyncFunc: syncFunc}, relayMgr, &EngineConfig{
 		WgIfaceName:  "utun103",
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
 		MTU:          iface.DefaultMTU,
-	}, EngineServices{
-		SignalClient:   &signal.MockClient{},
-		MgmClient:      &mgmt.MockClient{SyncFunc: syncFunc},
-		RelayManager:   relayMgr,
-		StatusRecorder: peer.NewRecorder("https://mgm"),
-	}, MobileDependency{})
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
 	engine.ctx = ctx

 	engine.dnsServer = &dns.MockServer{
@@ -822,18 +812,13 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)

 			relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
-			engine := NewEngine(ctx, cancel, &EngineConfig{
+			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
 				MTU:          iface.DefaultMTU,
-	}, EngineServices{
-				SignalClient:   &signal.MockClient{},
-				MgmClient:      &mgmt.MockClient{},
-				RelayManager:   relayMgr,
-				StatusRecorder: peer.NewRecorder("https://mgm"),
-			}, MobileDependency{})
+			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
 			engine.ctx = ctx
 			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
@@ -1029,18 +1014,13 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)

 			relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
-			engine := NewEngine(ctx, cancel, &EngineConfig{
+			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
 				MTU:          iface.DefaultMTU,
-	}, EngineServices{
-				SignalClient:   &signal.MockClient{},
-				MgmClient:      &mgmt.MockClient{},
-				RelayManager:   relayMgr,
-				StatusRecorder: peer.NewRecorder("https://mgm"),
-			}, MobileDependency{})
+			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
 			engine.ctx = ctx

 			newNet, err := stdnet.NewNet(context.Background(), nil)
@@ -1566,12 +1546,7 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 	}

 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
-e, err := NewEngine(ctx, cancel, conf, EngineServices{
-		SignalClient:   signalClient,
-		MgmClient:      mgmtClient,
-		RelayManager:   relayMgr,
-		StatusRecorder: peer.NewRecorder("https://mgm"),
-	}, MobileDependency{}), nil
+	e, err := NewEngine(ctx, cancel, signalClient, mgmtClient, relayMgr, conf, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil), nil
 	e.ctx = ctx
 	return e, err
 }
--- a/client/internal/expose/manager.go
+++ b/client/internal/expose/manager.go
@@ -1,104 +0,0 @@
-package expose
-
-import (
-	"context"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	mgm "github.com/netbirdio/netbird/shared/management/client"
-)
-
-const (
-	renewTimeout = 10 * time.Second
-)
-
-// Response holds the response from exposing a service.
-type Response struct {
-	ServiceName      string
-	ServiceURL       string
-	Domain           string
-	PortAutoAssigned bool
-}
-
-// Request holds the parameters for exposing a local service via the management server.
-// It is part of the embed API surface and exposed via a type alias.
-type Request struct {
-	NamePrefix string
-	Domain     string
-	Port       uint16
-	Protocol   ProtocolType
-	Pin        string
-	Password   string
-	UserGroups []string
-	ListenPort uint16
-}
-
-type ManagementClient interface {
-	CreateExpose(ctx context.Context, req mgm.ExposeRequest) (*mgm.ExposeResponse, error)
-	RenewExpose(ctx context.Context, domain string) error
-	StopExpose(ctx context.Context, domain string) error
-}
-
-// Manager handles expose session lifecycle via the management client.
-type Manager struct {
-	mgmClient ManagementClient
-	ctx       context.Context
-}
-
-// NewManager creates a new expose Manager using the given management client.
-func NewManager(ctx context.Context, mgmClient ManagementClient) *Manager {
-	return &Manager{mgmClient: mgmClient, ctx: ctx}
-}
-
-// Expose creates a new expose session via the management server.
-func (m *Manager) Expose(ctx context.Context, req Request) (*Response, error) {
-	log.Infof("exposing service on port %d", req.Port)
-	resp, err := m.mgmClient.CreateExpose(ctx, toClientExposeRequest(req))
-	if err != nil {
-		return nil, err
-	}
-
-	log.Infof("expose session created for %s", resp.Domain)
-
-	return fromClientExposeResponse(resp), nil
-}
-
-// KeepAlive periodically renews the expose session for the given domain until the context is canceled or an error occurs.
-// It is part of the embed API surface and exposed via a type alias.
-func (m *Manager) KeepAlive(ctx context.Context, domain string) error {
-	ticker := time.NewTicker(30 * time.Second)
-	defer ticker.Stop()
-	defer m.stop(domain)
-
-	for {
-		select {
-		case <-ctx.Done():
-			log.Infof("context canceled, stopping keep alive for %s", domain)
-
-			return nil
-		case <-ticker.C:
-			if err := m.renew(ctx, domain); err != nil {
-				log.Errorf("renewing expose session for %s: %v", domain, err)
-				return err
-			}
-		}
-	}
-}
-
-// renew extends the TTL of an active expose session.
-func (m *Manager) renew(ctx context.Context, domain string) error {
-	renewCtx, cancel := context.WithTimeout(ctx, renewTimeout)
-	defer cancel()
-	return m.mgmClient.RenewExpose(renewCtx, domain)
-}
-
-// stop terminates an active expose session.
-func (m *Manager) stop(domain string) {
-	stopCtx, cancel := context.WithTimeout(m.ctx, renewTimeout)
-	defer cancel()
-	err := m.mgmClient.StopExpose(stopCtx, domain)
-	if err != nil {
-		log.Warnf("Failed stopping expose session for %s: %v", domain, err)
-	}
-}
--- a/client/internal/expose/manager_test.go
+++ b/client/internal/expose/manager_test.go
@@ -1,95 +0,0 @@
-package expose
-
-import (
-	"context"
-	"errors"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	daemonProto "github.com/netbirdio/netbird/client/proto"
-	mgm "github.com/netbirdio/netbird/shared/management/client"
-)
-
-func TestManager_Expose_Success(t *testing.T) {
-	mock := &mgm.MockClient{
-		CreateExposeFunc: func(ctx context.Context, req mgm.ExposeRequest) (*mgm.ExposeResponse, error) {
-			return &mgm.ExposeResponse{
-				ServiceName: "my-service",
-				ServiceURL:  "https://my-service.example.com",
-				Domain:      "my-service.example.com",
-			}, nil
-		},
-	}
-
-	m := NewManager(context.Background(), mock)
-	result, err := m.Expose(context.Background(), Request{Port: 8080})
-	require.NoError(t, err)
-	assert.Equal(t, "my-service", result.ServiceName, "service name should match")
-	assert.Equal(t, "https://my-service.example.com", result.ServiceURL, "service URL should match")
-	assert.Equal(t, "my-service.example.com", result.Domain, "domain should match")
-}
-
-func TestManager_Expose_Error(t *testing.T) {
-	mock := &mgm.MockClient{
-		CreateExposeFunc: func(ctx context.Context, req mgm.ExposeRequest) (*mgm.ExposeResponse, error) {
-			return nil, errors.New("permission denied")
-		},
-	}
-
-	m := NewManager(context.Background(), mock)
-	_, err := m.Expose(context.Background(), Request{Port: 8080})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "permission denied", "error should propagate")
-}
-
-func TestManager_Renew_Success(t *testing.T) {
-	mock := &mgm.MockClient{
-		RenewExposeFunc: func(ctx context.Context, domain string) error {
-			assert.Equal(t, "my-service.example.com", domain, "domain should be passed through")
-			return nil
-		},
-	}
-
-	m := NewManager(context.Background(), mock)
-	err := m.renew(context.Background(), "my-service.example.com")
-	require.NoError(t, err)
-}
-
-func TestManager_Renew_Timeout(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	mock := &mgm.MockClient{
-		RenewExposeFunc: func(ctx context.Context, domain string) error {
-			return ctx.Err()
-		},
-	}
-
-	m := NewManager(ctx, mock)
-	err := m.renew(ctx, "my-service.example.com")
-	require.Error(t, err)
-}
-
-func TestNewRequest(t *testing.T) {
-	req := &daemonProto.ExposeServiceRequest{
-		Port:       8080,
-		Protocol:   daemonProto.ExposeProtocol_EXPOSE_HTTPS,
-		Pin:        "123456",
-		Password:   "secret",
-		UserGroups: []string{"group1", "group2"},
-		Domain:     "custom.example.com",
-		NamePrefix: "my-prefix",
-	}
-
-	exposeReq := NewRequest(req)
-
-	assert.Equal(t, uint16(8080), exposeReq.Port, "port should match")
-	assert.Equal(t, ProtocolType(daemonProto.ExposeProtocol_EXPOSE_HTTPS), exposeReq.Protocol, "protocol should match")
-	assert.Equal(t, "123456", exposeReq.Pin, "pin should match")
-	assert.Equal(t, "secret", exposeReq.Password, "password should match")
-	assert.Equal(t, []string{"group1", "group2"}, exposeReq.UserGroups, "user groups should match")
-	assert.Equal(t, "custom.example.com", exposeReq.Domain, "domain should match")
-	assert.Equal(t, "my-prefix", exposeReq.NamePrefix, "name prefix should match")
-}
--- a/client/internal/expose/protocol.go
+++ b/client/internal/expose/protocol.go
@@ -1,40 +0,0 @@
-package expose
-
-import (
-	"fmt"
-	"strings"
-)
-
-// ProtocolType represents the protocol used for exposing a service.
-type ProtocolType int
-
-const (
-	// ProtocolHTTP exposes the service as HTTP.
-	ProtocolHTTP ProtocolType = 0
-	// ProtocolHTTPS exposes the service as HTTPS.
-	ProtocolHTTPS ProtocolType = 1
-	// ProtocolTCP exposes the service as TCP.
-	ProtocolTCP ProtocolType = 2
-	// ProtocolUDP exposes the service as UDP.
-	ProtocolUDP ProtocolType = 3
-	// ProtocolTLS exposes the service as TLS.
-	ProtocolTLS ProtocolType = 4
-)
-
-// ParseProtocolType parses a protocol string into a ProtocolType.
-func ParseProtocolType(s string) (ProtocolType, error) {
-	switch strings.ToLower(s) {
-	case "http":
-		return ProtocolHTTP, nil
-	case "https":
-		return ProtocolHTTPS, nil
-	case "tcp":
-		return ProtocolTCP, nil
-	case "udp":
-		return ProtocolUDP, nil
-	case "tls":
-		return ProtocolTLS, nil
-	default:
-		return 0, fmt.Errorf("unsupported protocol %q: must be http, https, tcp, udp, or tls", s)
-	}
-}
--- a/client/internal/expose/request.go
+++ b/client/internal/expose/request.go
@@ -1,42 +0,0 @@
-package expose
-
-import (
-	daemonProto "github.com/netbirdio/netbird/client/proto"
-	mgm "github.com/netbirdio/netbird/shared/management/client"
-)
-
-// NewRequest converts a daemon ExposeServiceRequest to a management ExposeServiceRequest.
-func NewRequest(req *daemonProto.ExposeServiceRequest) *Request {
-	return &Request{
-		Port:       uint16(req.Port),
-		Protocol:   ProtocolType(req.Protocol),
-		Pin:        req.Pin,
-		Password:   req.Password,
-		UserGroups: req.UserGroups,
-		Domain:     req.Domain,
-		NamePrefix: req.NamePrefix,
-		ListenPort: uint16(req.ListenPort),
-	}
-}
-
-func toClientExposeRequest(req Request) mgm.ExposeRequest {
-	return mgm.ExposeRequest{
-		NamePrefix: req.NamePrefix,
-		Domain:     req.Domain,
-		Port:       req.Port,
-		Protocol:   int(req.Protocol),
-		Pin:        req.Pin,
-		Password:   req.Password,
-		UserGroups: req.UserGroups,
-		ListenPort: req.ListenPort,
-	}
-}
-
-func fromClientExposeResponse(response *mgm.ExposeResponse) *Response {
-	return &Response{
-		ServiceName:      response.ServiceName,
-		Domain:           response.Domain,
-		ServiceURL:       response.ServiceURL,
-		PortAutoAssigned: response.PortAutoAssigned,
-	}
-}
--- a/client/internal/metrics/connection_type.go
+++ b/client/internal/metrics/connection_type.go
@@ -1,17 +0,0 @@
-package metrics
-
-// ConnectionType represents the type of peer connection
-type ConnectionType string
-
-const (
-	// ConnectionTypeICE represents a direct peer-to-peer connection using ICE
-	ConnectionTypeICE ConnectionType = "ice"
-
-	// ConnectionTypeRelay represents a relayed connection
-	ConnectionTypeRelay ConnectionType = "relay"
-)
-
-// String returns the string representation of the connection type
-func (c ConnectionType) String() string {
-	return string(c)
-}
--- a/client/internal/metrics/deployment_type.go
+++ b/client/internal/metrics/deployment_type.go
@@ -1,51 +0,0 @@
-package metrics
-
-import (
-	"net/url"
-	"strings"
-)
-
-// DeploymentType represents the type of NetBird deployment
-type DeploymentType int
-
-const (
-	// DeploymentTypeUnknown represents an unknown or uninitialized deployment type
-	DeploymentTypeUnknown DeploymentType = iota
-
-	// DeploymentTypeCloud represents a cloud-hosted NetBird deployment
-	DeploymentTypeCloud
-
-	// DeploymentTypeSelfHosted represents a self-hosted NetBird deployment
-	DeploymentTypeSelfHosted
-)
-
-// String returns the string representation of the deployment type
-func (d DeploymentType) String() string {
-	switch d {
-	case DeploymentTypeCloud:
-		return "cloud"
-	case DeploymentTypeSelfHosted:
-		return "selfhosted"
-	default:
-		return "unknown"
-	}
-}
-
-// DetermineDeploymentType determines if the deployment is cloud or self-hosted
-// based on the management URL string
-func DetermineDeploymentType(managementURL string) DeploymentType {
-	if managementURL == "" {
-		return DeploymentTypeUnknown
-	}
-
-	u, err := url.Parse(managementURL)
-	if err != nil {
-		return DeploymentTypeSelfHosted
-	}
-
-	if strings.ToLower(u.Hostname()) == "api.netbird.io" {
-		return DeploymentTypeCloud
-	}
-
-	return DeploymentTypeSelfHosted
-}
--- a/client/internal/metrics/env.go
+++ b/client/internal/metrics/env.go
@@ -1,93 +0,0 @@
-package metrics
-
-import (
-	"net/url"
-	"os"
-	"strconv"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	// EnvMetricsPushEnabled controls whether collected metrics are pushed to the backend.
-	// Metrics collection itself is always active (for debug bundles).
-	// Disabled by default. Set NB_METRICS_PUSH_ENABLED=true to enable push.
-	EnvMetricsPushEnabled = "NB_METRICS_PUSH_ENABLED"
-
-	// EnvMetricsForceSending if set to true, skips remote configuration fetch and forces metric sending
-	EnvMetricsForceSending = "NB_METRICS_FORCE_SENDING"
-
-	// EnvMetricsConfigURL is the environment variable to override the metrics push config ServerAddress
-	EnvMetricsConfigURL = "NB_METRICS_CONFIG_URL"
-
-	// EnvMetricsServerURL is the environment variable to override the metrics server address.
-	// When set, this takes precedence over the server_url from remote push config.
-	EnvMetricsServerURL = "NB_METRICS_SERVER_URL"
-
-	// EnvMetricsInterval overrides the push interval from the remote config.
-	// Only affects how often metrics are pushed; remote config availability
-	// and version range checks are still respected.
-	// Format: duration string like "1h", "30m", "4h"
-	EnvMetricsInterval = "NB_METRICS_INTERVAL"
-
-	defaultMetricsConfigURL = "https://ingest.netbird.io/config"
-)
-
-// IsMetricsPushEnabled returns true if metrics push is enabled via NB_METRICS_PUSH_ENABLED env var.
-// Disabled by default. Metrics collection is always active for debug bundles.
-func IsMetricsPushEnabled() bool {
-	enabled, _ := strconv.ParseBool(os.Getenv(EnvMetricsPushEnabled))
-	return enabled
-}
-
-// getMetricsInterval returns the metrics push interval from NB_METRICS_INTERVAL env var.
-// Returns 0 if not set or invalid.
-func getMetricsInterval() time.Duration {
-	intervalStr := os.Getenv(EnvMetricsInterval)
-	if intervalStr == "" {
-		return 0
-	}
-	interval, err := time.ParseDuration(intervalStr)
-	if err != nil {
-		log.Warnf("invalid metrics interval from env %q: %v", intervalStr, err)
-		return 0
-	}
-	if interval <= 0 {
-		log.Warnf("invalid metrics interval from env %q: must be positive", intervalStr)
-		return 0
-	}
-	return interval
-}
-
-func isForceSending() bool {
-	force, _ := strconv.ParseBool(os.Getenv(EnvMetricsForceSending))
-	return force
-}
-
-// getMetricsConfigURL returns the URL to fetch push configuration from
-func getMetricsConfigURL() string {
-	if envURL := os.Getenv(EnvMetricsConfigURL); envURL != "" {
-		return envURL
-	}
-	return defaultMetricsConfigURL
-}
-
-// getMetricsServerURL returns the metrics server URL from NB_METRICS_SERVER_URL env var.
-// Returns nil if not set or invalid.
-func getMetricsServerURL() *url.URL {
-	envURL := os.Getenv(EnvMetricsServerURL)
-	if envURL == "" {
-		return nil
-	}
-	parsed, err := url.ParseRequestURI(envURL)
-	if err != nil || parsed.Host == "" {
-		log.Warnf("invalid metrics server URL %q: must be an absolute HTTP(S) URL", envURL)
-		return nil
-	}
-	if parsed.Scheme != "http" && parsed.Scheme != "https" {
-		log.Warnf("invalid metrics server URL %q: unsupported scheme %q", envURL, parsed.Scheme)
-		return nil
-	}
-	return parsed
-}
--- a/client/internal/metrics/influxdb.go
+++ b/client/internal/metrics/influxdb.go
@@ -1,219 +0,0 @@
-package metrics
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"maps"
-	"slices"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	maxSampleAge  = 5 * 24 * time.Hour // drop samples older than 5 days
-	maxBufferSize = 5 * 1024 * 1024    // drop oldest samples when estimated size exceeds 5 MB
-	// estimatedSampleSize is a rough per-sample memory estimate (measurement + tags + fields + timestamp)
-	estimatedSampleSize = 256
-)
-
-// influxSample is a single InfluxDB line protocol entry.
-type influxSample struct {
-	measurement string
-	tags        string
-	fields      map[string]float64
-	timestamp   time.Time
-}
-
-// influxDBMetrics collects metric events as timestamped samples.
-// Each event is recorded with its exact timestamp, pushed once, then cleared.
-type influxDBMetrics struct {
-	mu      sync.Mutex
-	samples []influxSample
-}
-
-func newInfluxDBMetrics() metricsImplementation {
-	return &influxDBMetrics{}
-}
-func (m *influxDBMetrics) RecordConnectionStages(
-	_ context.Context,
-	agentInfo AgentInfo,
-	connectionPairID string,
-	connectionType ConnectionType,
-	isReconnection bool,
-	timestamps ConnectionStageTimestamps,
-) {
-	var signalingReceivedToConnection, connectionToWgHandshake, totalDuration float64
-
-	if !timestamps.SignalingReceived.IsZero() && !timestamps.ConnectionReady.IsZero() {
-		signalingReceivedToConnection = timestamps.ConnectionReady.Sub(timestamps.SignalingReceived).Seconds()
-	}
-
-	if !timestamps.ConnectionReady.IsZero() && !timestamps.WgHandshakeSuccess.IsZero() {
-		connectionToWgHandshake = timestamps.WgHandshakeSuccess.Sub(timestamps.ConnectionReady).Seconds()
-	}
-
-	if !timestamps.SignalingReceived.IsZero() && !timestamps.WgHandshakeSuccess.IsZero() {
-		totalDuration = timestamps.WgHandshakeSuccess.Sub(timestamps.SignalingReceived).Seconds()
-	}
-
-	attemptType := "initial"
-	if isReconnection {
-		attemptType = "reconnection"
-	}
-
-	connTypeStr := connectionType.String()
-	tags := fmt.Sprintf("deployment_type=%s,connection_type=%s,attempt_type=%s,version=%s,os=%s,arch=%s,peer_id=%s,connection_pair_id=%s",
-		agentInfo.DeploymentType.String(),
-		connTypeStr,
-		attemptType,
-		agentInfo.Version,
-		agentInfo.OS,
-		agentInfo.Arch,
-		agentInfo.peerID,
-		connectionPairID,
-	)
-
-	now := time.Now()
-
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	m.samples = append(m.samples, influxSample{
-		measurement: "netbird_peer_connection",
-		tags:        tags,
-		fields: map[string]float64{
-			"signaling_to_connection_seconds":    signalingReceivedToConnection,
-			"connection_to_wg_handshake_seconds": connectionToWgHandshake,
-			"total_seconds":                      totalDuration,
-		},
-		timestamp: now,
-	})
-	m.trimLocked()
-
-	log.Tracef("peer connection metrics [%s, %s, %s]: signalingReceived→connection: %.3fs, connection→wg_handshake: %.3fs, total: %.3fs",
-		agentInfo.DeploymentType.String(), connTypeStr, attemptType, signalingReceivedToConnection, connectionToWgHandshake, totalDuration)
-}
-
-func (m *influxDBMetrics) RecordSyncDuration(_ context.Context, agentInfo AgentInfo, duration time.Duration) {
-	tags := fmt.Sprintf("deployment_type=%s,version=%s,os=%s,arch=%s,peer_id=%s",
-		agentInfo.DeploymentType.String(),
-		agentInfo.Version,
-		agentInfo.OS,
-		agentInfo.Arch,
-		agentInfo.peerID,
-	)
-
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	m.samples = append(m.samples, influxSample{
-		measurement: "netbird_sync",
-		tags:        tags,
-		fields: map[string]float64{
-			"duration_seconds": duration.Seconds(),
-		},
-		timestamp: time.Now(),
-	})
-	m.trimLocked()
-}
-
-func (m *influxDBMetrics) RecordLoginDuration(_ context.Context, agentInfo AgentInfo, duration time.Duration, success bool) {
-	result := "success"
-	if !success {
-		result = "failure"
-	}
-
-	tags := fmt.Sprintf("deployment_type=%s,result=%s,version=%s,os=%s,arch=%s,peer_id=%s",
-		agentInfo.DeploymentType.String(),
-		result,
-		agentInfo.Version,
-		agentInfo.OS,
-		agentInfo.Arch,
-		agentInfo.peerID,
-	)
-
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	m.samples = append(m.samples, influxSample{
-		measurement: "netbird_login",
-		tags:        tags,
-		fields: map[string]float64{
-			"duration_seconds": duration.Seconds(),
-		},
-		timestamp: time.Now(),
-	})
-	m.trimLocked()
-
-	log.Tracef("login metrics [%s, %s]: duration=%.3fs", agentInfo.DeploymentType.String(), result, duration.Seconds())
-}
-
-// Export writes pending samples in InfluxDB line protocol format.
-// Format: measurement,tag=val,tag=val field=val,field=val timestamp_ns
-func (m *influxDBMetrics) Export(w io.Writer) error {
-	m.mu.Lock()
-	samples := make([]influxSample, len(m.samples))
-	copy(samples, m.samples)
-	m.mu.Unlock()
-
-	for _, s := range samples {
-		if _, err := fmt.Fprintf(w, "%s,%s ", s.measurement, s.tags); err != nil {
-			return err
-		}
-
-		sortedKeys := slices.Sorted(maps.Keys(s.fields))
-		first := true
-		for _, k := range sortedKeys {
-			if !first {
-				if _, err := fmt.Fprint(w, ","); err != nil {
-					return err
-				}
-			}
-			if _, err := fmt.Fprintf(w, "%s=%g", k, s.fields[k]); err != nil {
-				return err
-			}
-			first = false
-		}
-
-		if _, err := fmt.Fprintf(w, " %d\n", s.timestamp.UnixNano()); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// Reset clears pending samples after a successful push
-func (m *influxDBMetrics) Reset() {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.samples = m.samples[:0]
-}
-
-// trimLocked removes samples that exceed age or size limits.
-// Must be called with m.mu held.
-func (m *influxDBMetrics) trimLocked() {
-	now := time.Now()
-
-	// drop samples older than maxSampleAge
-	cutoff := 0
-	for cutoff < len(m.samples) && now.Sub(m.samples[cutoff].timestamp) > maxSampleAge {
-		cutoff++
-	}
-	if cutoff > 0 {
-		copy(m.samples, m.samples[cutoff:])
-		m.samples = m.samples[:len(m.samples)-cutoff]
-		log.Debugf("influxdb metrics: dropped %d samples older than %s", cutoff, maxSampleAge)
-	}
-
-	// drop oldest samples if estimated size exceeds maxBufferSize
-	maxSamples := maxBufferSize / estimatedSampleSize
-	if len(m.samples) > maxSamples {
-		drop := len(m.samples) - maxSamples
-		copy(m.samples, m.samples[drop:])
-		m.samples = m.samples[:maxSamples]
-		log.Debugf("influxdb metrics: dropped %d oldest samples to stay under %d MB size limit", drop, maxBufferSize/(1024*1024))
-	}
-}
--- a/client/internal/metrics/influxdb_test.go
+++ b/client/internal/metrics/influxdb_test.go
@@ -1,229 +0,0 @@
-package metrics
-
-import (
-	"bytes"
-	"context"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestInfluxDBMetrics_RecordAndExport(t *testing.T) {
-	m := newInfluxDBMetrics().(*influxDBMetrics)
-
-	agentInfo := AgentInfo{
-		DeploymentType: DeploymentTypeCloud,
-		Version:        "1.0.0",
-		OS:             "linux",
-		Arch:           "amd64",
-		peerID:         "abc123",
-	}
-
-	ts := ConnectionStageTimestamps{
-		SignalingReceived:  time.Now().Add(-3 * time.Second),
-		ConnectionReady:    time.Now().Add(-2 * time.Second),
-		WgHandshakeSuccess: time.Now().Add(-1 * time.Second),
-	}
-
-	m.RecordConnectionStages(context.Background(), agentInfo, "pair123", ConnectionTypeICE, false, ts)
-
-	var buf bytes.Buffer
-	err := m.Export(&buf)
-	require.NoError(t, err)
-
-	output := buf.String()
-	assert.Contains(t, output, "netbird_peer_connection,")
-	assert.Contains(t, output, "connection_to_wg_handshake_seconds=")
-	assert.Contains(t, output, "signaling_to_connection_seconds=")
-	assert.Contains(t, output, "total_seconds=")
-}
-
-func TestInfluxDBMetrics_ExportDeterministicFieldOrder(t *testing.T) {
-	m := newInfluxDBMetrics().(*influxDBMetrics)
-
-	agentInfo := AgentInfo{
-		DeploymentType: DeploymentTypeCloud,
-		Version:        "1.0.0",
-		OS:             "linux",
-		Arch:           "amd64",
-		peerID:         "abc123",
-	}
-
-	ts := ConnectionStageTimestamps{
-		SignalingReceived:  time.Now().Add(-3 * time.Second),
-		ConnectionReady:    time.Now().Add(-2 * time.Second),
-		WgHandshakeSuccess: time.Now().Add(-1 * time.Second),
-	}
-
-	// Record multiple times and verify consistent field order
-	for i := 0; i < 10; i++ {
-		m.RecordConnectionStages(context.Background(), agentInfo, "pair123", ConnectionTypeICE, false, ts)
-	}
-
-	var buf bytes.Buffer
-	err := m.Export(&buf)
-	require.NoError(t, err)
-
-	lines := strings.Split(strings.TrimSpace(buf.String()), "\n")
-	require.Len(t, lines, 10)
-
-	// Extract field portion from each line and verify they're all identical
-	var fieldSections []string
-	for _, line := range lines {
-		parts := strings.SplitN(line, " ", 3)
-		require.Len(t, parts, 3, "each line should have measurement, fields, timestamp")
-		fieldSections = append(fieldSections, parts[1])
-	}
-
-	for i := 1; i < len(fieldSections); i++ {
-		assert.Equal(t, fieldSections[0], fieldSections[i], "field order should be deterministic across samples")
-	}
-
-	// Fields should be alphabetically sorted
-	assert.True(t, strings.HasPrefix(fieldSections[0], "connection_to_wg_handshake_seconds="),
-		"fields should be sorted: connection_to_wg < signaling_to < total")
-}
-
-func TestInfluxDBMetrics_RecordSyncDuration(t *testing.T) {
-	m := newInfluxDBMetrics().(*influxDBMetrics)
-
-	agentInfo := AgentInfo{
-		DeploymentType: DeploymentTypeSelfHosted,
-		Version:        "2.0.0",
-		OS:             "darwin",
-		Arch:           "arm64",
-		peerID:         "def456",
-	}
-
-	m.RecordSyncDuration(context.Background(), agentInfo, 1500*time.Millisecond)
-
-	var buf bytes.Buffer
-	err := m.Export(&buf)
-	require.NoError(t, err)
-
-	output := buf.String()
-	assert.Contains(t, output, "netbird_sync,")
-	assert.Contains(t, output, "duration_seconds=1.5")
-	assert.Contains(t, output, "deployment_type=selfhosted")
-}
-
-func TestInfluxDBMetrics_Reset(t *testing.T) {
-	m := newInfluxDBMetrics().(*influxDBMetrics)
-
-	agentInfo := AgentInfo{
-		DeploymentType: DeploymentTypeCloud,
-		Version:        "1.0.0",
-		OS:             "linux",
-		Arch:           "amd64",
-		peerID:         "abc123",
-	}
-
-	m.RecordSyncDuration(context.Background(), agentInfo, time.Second)
-
-	var buf bytes.Buffer
-	err := m.Export(&buf)
-	require.NoError(t, err)
-	assert.NotEmpty(t, buf.String())
-
-	m.Reset()
-
-	buf.Reset()
-	err = m.Export(&buf)
-	require.NoError(t, err)
-	assert.Empty(t, buf.String(), "should be empty after reset")
-}
-
-func TestInfluxDBMetrics_ExportEmpty(t *testing.T) {
-	m := newInfluxDBMetrics().(*influxDBMetrics)
-
-	var buf bytes.Buffer
-	err := m.Export(&buf)
-	require.NoError(t, err)
-	assert.Empty(t, buf.String())
-}
-
-func TestInfluxDBMetrics_TrimByAge(t *testing.T) {
-	m := newInfluxDBMetrics().(*influxDBMetrics)
-
-	m.mu.Lock()
-	m.samples = append(m.samples, influxSample{
-		measurement: "old",
-		tags:        "t=1",
-		fields:      map[string]float64{"v": 1},
-		timestamp:   time.Now().Add(-maxSampleAge - time.Hour),
-	})
-	m.trimLocked()
-	remaining := len(m.samples)
-	m.mu.Unlock()
-
-	assert.Equal(t, 0, remaining, "old samples should be trimmed")
-}
-
-func TestInfluxDBMetrics_RecordLoginDuration(t *testing.T) {
-	m := newInfluxDBMetrics().(*influxDBMetrics)
-
-	agentInfo := AgentInfo{
-		DeploymentType: DeploymentTypeCloud,
-		Version:        "1.0.0",
-		OS:             "linux",
-		Arch:           "amd64",
-		peerID:         "abc123",
-	}
-
-	m.RecordLoginDuration(context.Background(), agentInfo, 2500*time.Millisecond, true)
-
-	var buf bytes.Buffer
-	err := m.Export(&buf)
-	require.NoError(t, err)
-
-	output := buf.String()
-	assert.Contains(t, output, "netbird_login,")
-	assert.Contains(t, output, "duration_seconds=2.5")
-	assert.Contains(t, output, "result=success")
-}
-
-func TestInfluxDBMetrics_RecordLoginDurationFailure(t *testing.T) {
-	m := newInfluxDBMetrics().(*influxDBMetrics)
-
-	agentInfo := AgentInfo{
-		DeploymentType: DeploymentTypeSelfHosted,
-		Version:        "1.0.0",
-		OS:             "darwin",
-		Arch:           "arm64",
-		peerID:         "xyz789",
-	}
-
-	m.RecordLoginDuration(context.Background(), agentInfo, 5*time.Second, false)
-
-	var buf bytes.Buffer
-	err := m.Export(&buf)
-	require.NoError(t, err)
-
-	output := buf.String()
-	assert.Contains(t, output, "netbird_login,")
-	assert.Contains(t, output, "result=failure")
-	assert.Contains(t, output, "deployment_type=selfhosted")
-}
-
-func TestInfluxDBMetrics_TrimBySize(t *testing.T) {
-	m := newInfluxDBMetrics().(*influxDBMetrics)
-
-	maxSamples := maxBufferSize / estimatedSampleSize
-	m.mu.Lock()
-	for i := 0; i < maxSamples+100; i++ {
-		m.samples = append(m.samples, influxSample{
-			measurement: "test",
-			tags:        "t=1",
-			fields:      map[string]float64{"v": float64(i)},
-			timestamp:   time.Now(),
-		})
-	}
-	m.trimLocked()
-	remaining := len(m.samples)
-	m.mu.Unlock()
-
-	assert.Equal(t, maxSamples, remaining, "should trim to max samples")
-}
--- a/client/internal/metrics/infra/.env.example
+++ b/client/internal/metrics/infra/.env.example
@@ -1,16 +0,0 @@
-# Copy to .env and adjust values before running docker compose
-
-# InfluxDB admin (server-side only, never exposed to clients)
-INFLUXDB_ADMIN_PASSWORD=changeme
-INFLUXDB_ADMIN_TOKEN=changeme
-
-# Grafana admin credentials
-GRAFANA_ADMIN_USER=admin
-GRAFANA_ADMIN_PASSWORD=changeme
-
-# Remote config served by ingest at /config
-# Set CONFIG_METRICS_SERVER_URL to the ingest server's public address to enable
-CONFIG_METRICS_SERVER_URL=
-CONFIG_VERSION_SINCE=0.0.0
-CONFIG_VERSION_UNTIL=99.99.99
-CONFIG_PERIOD_MINUTES=5
--- a/client/internal/metrics/infra/.gitignore
+++ b/client/internal/metrics/infra/.gitignore
@@ -1 +0,0 @@
-.env
--- a/client/internal/metrics/infra/README.md
+++ b/client/internal/metrics/infra/README.md
@@ -1,194 +0,0 @@
-# Client Metrics
-
-Internal documentation for the NetBird client metrics system.
-
-## Overview
-
-Client metrics track connection performance and sync durations using InfluxDB line protocol (`influxdb.go`). Each event is pushed once then cleared.
-
-Metrics collection is always active (for debug bundles). Push to backend is:
- Disabled by default (opt-in via `NB_METRICS_PUSH_ENABLED=true`)
- Managed at daemon layer (survives engine restarts)
-
-## Architecture
-
-### Layer Separation
-
-```text
-Daemon Layer (connect.go)
-  ├─ Creates ClientMetrics instance once
-  ├─ Starts/stops push lifecycle
-  └─ Updates AgentInfo on profile switch
-      │
-      ▼
-Engine Layer (engine.go)
-  └─ Records metrics via ClientMetrics methods
-```
-
-### Ingest Server
-
-Clients do not talk to InfluxDB directly. An ingest server sits between clients and InfluxDB:
-
-```text
-Client ──POST──▶ Ingest Server (:8087) ──▶ InfluxDB (internal)
-                  │
-                  ├─ Validates line protocol
-                  ├─ Allowlists measurements, fields, and tags
-                  ├─ Rejects out-of-bound values
-                  └─ Serves remote config at /config
-```
-
- **No secret/token-based client auth** — the ingest server holds the InfluxDB token server-side. Clients must send a hashed peer ID via `X-Peer-ID` header.
- **InfluxDB is not exposed** — only accessible within the docker network
- Source: `ingest/main.go`
-
-## Metrics Collected
-
-### Connection Stage Timing
-
-Measurement: `netbird_peer_connection`
-
-| Field | Timestamps | Description |
-|-------|-----------|-------------|
-| `signaling_to_connection_seconds` | `SignalingReceived → ConnectionReady` | ICE/relay negotiation time after the first signal is received from the remote peer |
-| `connection_to_wg_handshake_seconds` | `ConnectionReady → WgHandshakeSuccess` | WireGuard cryptographic handshake latency once the transport layer is ready |
-| `total_seconds` | `SignalingReceived → WgHandshakeSuccess` | End-to-end connection time anchored at the first received signal |
-
-Tags:
- `deployment_type`: "cloud" | "selfhosted" | "unknown"
- `connection_type`: "ice" | "relay"
- `attempt_type`: "initial" | "reconnection"
- `version`: NetBird version string
- `os`: Operating system (linux, darwin, windows, android, ios, etc.)
- `arch`: CPU architecture (amd64, arm64, etc.)
-
-**Note:** `SignalingReceived` is set when the first offer or answer arrives from the remote peer (in both initial and reconnection paths). It excludes the potentially unbounded wait for the remote peer to come online.
-
-### Sync Duration
-
-Measurement: `netbird_sync`
-
-| Field | Description |
-|-------|-------------|
-| `duration_seconds` | Time to process a sync message from management server |
-
-Tags:
- `deployment_type`: "cloud" | "selfhosted" | "unknown"
- `version`: NetBird version string
- `os`: Operating system (linux, darwin, windows, android, ios, etc.)
- `arch`: CPU architecture (amd64, arm64, etc.)
-
-### Login Duration
-
-Measurement: `netbird_login`
-
-| Field | Description |
-|-------|-------------|
-| `duration_seconds` | Time to complete the login/auth exchange with management server |
-
-Tags:
- `deployment_type`: "cloud" | "selfhosted" | "unknown"
- `result`: "success" | "failure"
- `version`: NetBird version string
- `os`: Operating system (linux, darwin, windows, android, ios, etc.)
- `arch`: CPU architecture (amd64, arm64, etc.)
-
-## Buffer Limits
-
-The InfluxDB backend limits in-memory sample storage to prevent unbounded growth when pushes fail:
- **Max age:** Samples older than 5 days are dropped
- **Max size:** Estimated buffer size capped at 5 MB (~20k samples)
-
-## Configuration
-
-### Client Environment Variables
-
-| Variable | Default | Description |
-|----------|---------|-------------|
-| `NB_METRICS_PUSH_ENABLED` | `false` | Enable metrics push to backend |
-| `NB_METRICS_SERVER_URL` | *(from remote config)* | Ingest server URL (e.g., `https://ingest.netbird.io`) |
-| `NB_METRICS_INTERVAL` | *(from remote config)* | Push interval (e.g., "1m", "30m", "4h") |
-| `NB_METRICS_FORCE_SENDING` | `false` | Skip remote config, push unconditionally |
-| `NB_METRICS_CONFIG_URL` | `https://ingest.netbird.io/config` | Remote push config URL |
-
-`NB_METRICS_SERVER_URL` and `NB_METRICS_INTERVAL` override their respective values but do not bypass remote config eligibility checks (version range). Use `NB_METRICS_FORCE_SENDING=true` to skip all remote config gating.
-
-### Ingest Server Environment Variables
-
-| Variable | Default | Description |
-|----------|---------|-------------|
-| `INGEST_LISTEN_ADDR` | `:8087` | Listen address |
-| `INFLUXDB_URL` | `http://influxdb:8086/api/v2/write?org=netbird&bucket=metrics&precision=ns` | InfluxDB write endpoint |
-| `INFLUXDB_TOKEN` | *(required)* | InfluxDB auth token (server-side only) |
-| `CONFIG_METRICS_SERVER_URL` | *(empty — disables /config)* | `server_url` in the remote config JSON (the URL clients push metrics to) |
-| `CONFIG_VERSION_SINCE` | `0.0.0` | Minimum client version to push metrics |
-| `CONFIG_VERSION_UNTIL` | `99.99.99` | Maximum client version to push metrics |
-| `CONFIG_PERIOD_MINUTES` | `5` | Push interval in minutes |
-
-The ingest server serves a remote config JSON at `GET /config` when `CONFIG_METRICS_SERVER_URL` is set. Clients can use `NB_METRICS_CONFIG_URL=http://<ingest>/config` to fetch it.
-
-### Configuration Precedence
-
-For URL and Interval, the precedence is:
-1. **Environment variable** - `NB_METRICS_SERVER_URL` / `NB_METRICS_INTERVAL`
-2. **Remote config** - fetched from `NB_METRICS_CONFIG_URL`
-3. **Default** - 5 minute interval, URL from remote config
-
-## Push Behavior
-
-1. `StartPush()` spawns background goroutine with timer
-2. First push happens immediately on startup
-3. Periodically: `push()` → `Export()` → HTTP POST to ingest server
-4. On failure: log error, continue (non-blocking)
-5. On success: `Reset()` clears pushed samples
-6. `StopPush()` cancels context and waits for goroutine
-
-Samples are collected with exact timestamps, pushed once, then cleared. No data is resent.
-
-## Local Development Setup
-
-### 1. Configure and Start Services
-
-```bash
-# From this directory (client/internal/metrics/infra)
-cp .env.example .env
-# Edit .env to set INFLUXDB_ADMIN_PASSWORD, INFLUXDB_ADMIN_TOKEN, and GRAFANA_ADMIN_PASSWORD
-docker compose up -d
-```
-
-This starts:
- **Ingest server** on http://localhost:8087 — accepts client metrics (requires `X-Peer-ID` header, no secret/token auth)
- **InfluxDB** — internal only, not exposed to host
- **Grafana** on http://localhost:3001
-
-### 2. Configure Client
-
-```bash
-export NB_METRICS_PUSH_ENABLED=true
-export NB_METRICS_FORCE_SENDING=true
-export NB_METRICS_SERVER_URL=http://localhost:8087
-export NB_METRICS_INTERVAL=1m
-```
-
-### 3. Run Client
-
-```bash
-cd ../../../..
-go run ./client/ up
-```
-
-### 4. View in Grafana
-
- **InfluxDB dashboard:** http://localhost:3001/d/netbird-influxdb-metrics
-
-### 5. Verify Data
-
-```bash
-# Query via InfluxDB (using admin token from .env)
-docker compose exec influxdb influx query \
-  'from(bucket: "metrics") |> range(start: -1h)' \
-  --org netbird
-
-# Check ingest server health
-curl http://localhost:8087/health
-```
--- a/client/internal/metrics/infra/docker-compose.yml
+++ b/client/internal/metrics/infra/docker-compose.yml
@@ -1,69 +0,0 @@
-version: '3.8'
-
-services:
-  ingest:
-    container_name: ingest
-    build:
-      context: ./ingest
-    ports:
-      - "8087:8087"
-    environment:
-      - INGEST_LISTEN_ADDR=:8087
-      - INFLUXDB_URL=http://influxdb:8086/api/v2/write?org=netbird&bucket=metrics&precision=ns
-      - INFLUXDB_TOKEN=${INFLUXDB_ADMIN_TOKEN:?required}
-      - CONFIG_METRICS_SERVER_URL=${CONFIG_METRICS_SERVER_URL:-}
-      - CONFIG_VERSION_SINCE=${CONFIG_VERSION_SINCE:-0.0.0}
-      - CONFIG_VERSION_UNTIL=${CONFIG_VERSION_UNTIL:-99.99.99}
-      - CONFIG_PERIOD_MINUTES=${CONFIG_PERIOD_MINUTES:-5}
-    depends_on:
-      - influxdb
-    restart: unless-stopped
-    networks:
-      - metrics
-
-  influxdb:
-    container_name: influxdb
-    image: influxdb:2
-    # No ports exposed — only accessible within the metrics network
-    volumes:
-      - influxdb-data:/var/lib/influxdb2
-      - ./influxdb/scripts:/docker-entrypoint-initdb.d
-    environment:
-      - DOCKER_INFLUXDB_INIT_MODE=setup
-      - DOCKER_INFLUXDB_INIT_USERNAME=admin
-      - DOCKER_INFLUXDB_INIT_PASSWORD=${INFLUXDB_ADMIN_PASSWORD:?required}
-      - DOCKER_INFLUXDB_INIT_ORG=netbird
-      - DOCKER_INFLUXDB_INIT_BUCKET=metrics
-      - DOCKER_INFLUXDB_INIT_RETENTION=365d
-      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=${INFLUXDB_ADMIN_TOKEN:-}
-    restart: unless-stopped
-    networks:
-      - metrics
-
-  grafana:
-    container_name: grafana
-    image: grafana/grafana:11.6.0
-    ports:
-      - "3001:3000"
-    environment:
-      - GF_SECURITY_ADMIN_USER=${GRAFANA_ADMIN_USER:-admin}
-      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:?required}
-      - GF_USERS_ALLOW_SIGN_UP=false
-      - GF_INSTALL_PLUGINS=
-      - INFLUXDB_ADMIN_TOKEN=${INFLUXDB_ADMIN_TOKEN:-}
-    volumes:
-      - grafana-data:/var/lib/grafana
-      - ./grafana/provisioning:/etc/grafana/provisioning
-    depends_on:
-      - influxdb
-    restart: unless-stopped
-    networks:
-      - metrics
-
-volumes:
-  influxdb-data:
-  grafana-data:
-
-networks:
-  metrics:
-    driver: bridge
--- a/client/internal/metrics/infra/grafana/provisioning/dashboards/dashboard.yml
+++ b/client/internal/metrics/infra/grafana/provisioning/dashboards/dashboard.yml
@@ -1,12 +0,0 @@
-apiVersion: 1
-
-providers:
-  - name: 'NetBird Dashboards'
-    orgId: 1
-    folder: ''
-    type: file
-    disableDeletion: false
-    updateIntervalSeconds: 10
-    allowUiUpdates: true
-    options:
-      path: /etc/grafana/provisioning/dashboards/json
--- a/client/internal/metrics/infra/grafana/provisioning/dashboards/json/netbird-influxdb-metrics.json
+++ b/client/internal/metrics/infra/grafana/provisioning/dashboards/json/netbird-influxdb-metrics.json
@@ -1,280 +0,0 @@
-{
-  "uid": "netbird-influxdb-metrics",
-  "title": "NetBird Client Metrics (InfluxDB)",
-  "tags": ["netbird", "connections", "influxdb"],
-  "timezone": "browser",
-  "panels": [
-    {
-      "id": 5,
-      "title": "Sync Duration Extremes",
-      "type": "stat",
-      "datasource": {
-        "type": "influxdb",
-        "uid": "influxdb"
-      },
-      "gridPos": {
-        "h": 8,
-        "w": 12,
-        "x": 0,
-        "y": 0
-      },
-      "targets": [
-        {
-          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_sync\" and r._field == \"duration_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"version\", \"os\", \"arch\", \"peer_id\"])\n  |> min()\n  |> set(key: \"_field\", value: \"Min\")",
-          "refId": "A"
-        },
-        {
-          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_sync\" and r._field == \"duration_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"version\", \"os\", \"arch\", \"peer_id\"])\n  |> max()\n  |> set(key: \"_field\", value: \"Max\")",
-          "refId": "B"
-        }
-      ],
-      "fieldConfig": {
-        "defaults": {
-          "unit": "ms",
-          "min": 0
-        }
-      },
-      "options": {
-        "reduceOptions": {
-          "calcs": ["lastNotNull"]
-        },
-        "colorMode": "value",
-        "graphMode": "none",
-        "textMode": "auto"
-      }
-    },
-    {
-      "id": 6,
-      "title": "Total Connection Time Extremes",
-      "type": "stat",
-      "datasource": {
-        "type": "influxdb",
-        "uid": "influxdb"
-      },
-      "gridPos": {
-        "h": 8,
-        "w": 12,
-        "x": 12,
-        "y": 0
-      },
-      "targets": [
-        {
-          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_peer_connection\" and r._field == \"total_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"connection_type\", \"attempt_type\", \"version\", \"os\", \"arch\", \"peer_id\", \"connection_pair_id\"])\n  |> min()\n  |> set(key: \"_field\", value: \"Min\")",
-          "refId": "A"
-        },
-        {
-          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_peer_connection\" and r._field == \"total_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"connection_type\", \"attempt_type\", \"version\", \"os\", \"arch\", \"peer_id\", \"connection_pair_id\"])\n  |> max()\n  |> set(key: \"_field\", value: \"Max\")",
-          "refId": "B"
-        }
-      ],
-      "fieldConfig": {
-        "defaults": {
-          "unit": "ms",
-          "min": 0
-        }
-      },
-      "options": {
-        "reduceOptions": {
-          "calcs": ["lastNotNull"]
-        },
-        "colorMode": "value",
-        "graphMode": "none",
-        "textMode": "auto"
-      }
-    },
-    {
-      "id": 1,
-      "title": "Sync Duration",
-      "type": "timeseries",
-      "datasource": {
-        "type": "influxdb",
-        "uid": "influxdb"
-      },
-      "gridPos": {
-        "h": 8,
-        "w": 12,
-        "x": 0,
-        "y": 8
-      },
-      "targets": [
-        {
-          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_sync\" and r._field == \"duration_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"version\", \"os\", \"arch\", \"peer_id\"])\n  |> set(key: \"_field\", value: \"Sync Duration\")",
-          "refId": "A"
-        }
-      ],
-      "fieldConfig": {
-        "defaults": {
-          "unit": "ms",
-          "min": 0,
-          "custom": {
-            "drawStyle": "points",
-            "pointSize": 5
-          }
-        }
-      }
-    },
-    {
-      "id": 4,
-      "title": "ICE vs Relay",
-      "type": "piechart",
-      "datasource": {
-        "type": "influxdb",
-        "uid": "influxdb"
-      },
-      "gridPos": {
-        "h": 8,
-        "w": 12,
-        "x": 12,
-        "y": 8
-      },
-      "targets": [
-        {
-          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_peer_connection\" and r._field == \"total_seconds\")\n  |> drop(columns: [\"deployment_type\", \"attempt_type\", \"version\", \"os\", \"arch\", \"peer_id\"])\n  |> group(columns: [\"connection_pair_id\"])\n  |> last()\n  |> group(columns: [\"connection_type\"])\n  |> count()",
-          "refId": "A"
-        }
-      ],
-      "options": {
-        "reduceOptions": {
-          "calcs": ["lastNotNull"]
-        },
-        "pieType": "donut",
-        "tooltip": {
-          "mode": "multi"
-        }
-      }
-    },
-    {
-      "id": 2,
-      "title": "Connection Stage Durations (avg)",
-      "type": "bargauge",
-      "datasource": {
-        "type": "influxdb",
-        "uid": "influxdb"
-      },
-      "gridPos": {
-        "h": 8,
-        "w": 12,
-        "x": 0,
-        "y": 16
-      },
-      "targets": [
-        {
-          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_peer_connection\" and r._field == \"signaling_to_connection_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"connection_type\", \"attempt_type\", \"version\", \"os\", \"arch\", \"peer_id\", \"connection_pair_id\"])\n  |> mean()\n  |> drop(columns: [\"_start\", \"_stop\", \"_measurement\", \"_time\", \"_field\"])\n  |> rename(columns: {_value: \"Avg Signaling to Connection\"})",
-          "refId": "A"
-        },
-        {
-          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_peer_connection\" and r._field == \"connection_to_wg_handshake_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"connection_type\", \"attempt_type\", \"version\", \"os\", \"arch\", \"peer_id\", \"connection_pair_id\"])\n  |> mean()\n  |> drop(columns: [\"_start\", \"_stop\", \"_measurement\", \"_time\", \"_field\"])\n  |> rename(columns: {_value: \"Avg Connection to WG Handshake\"})",
-          "refId": "B"
-        }
-      ],
-      "fieldConfig": {
-        "defaults": {
-          "unit": "ms",
-          "min": 0
-        }
-      },
-      "options": {
-        "reduceOptions": {
-          "calcs": ["lastNotNull"]
-        },
-        "orientation": "horizontal",
-        "displayMode": "gradient"
-      }
-    },
-    {
-      "id": 3,
-      "title": "Total Connection Time",
-      "type": "timeseries",
-      "datasource": {
-        "type": "influxdb",
-        "uid": "influxdb"
-      },
-      "gridPos": {
-        "h": 8,
-        "w": 12,
-        "x": 12,
-        "y": 16
-      },
-      "targets": [
-        {
-          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_peer_connection\" and r._field == \"total_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"connection_type\", \"attempt_type\", \"version\", \"os\", \"arch\", \"peer_id\", \"connection_pair_id\"])\n  |> set(key: \"_field\", value: \"Total Connection Time\")",
-          "refId": "A"
-        }
-      ],
-      "fieldConfig": {
-        "defaults": {
-          "unit": "ms",
-          "min": 0,
-          "custom": {
-            "drawStyle": "points",
-            "pointSize": 5
-          }
-        }
-      }
-    },
-    {
-      "id": 7,
-      "title": "Login Duration",
-      "type": "timeseries",
-      "datasource": {
-        "type": "influxdb",
-        "uid": "influxdb"
-      },
-      "gridPos": {
-        "h": 8,
-        "w": 12,
-        "x": 0,
-        "y": 24
-      },
-      "targets": [
-        {
-          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_login\" and r._field == \"duration_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"version\", \"os\", \"arch\", \"peer_id\"])\n  |> set(key: \"_field\", value: \"Login Duration\")",
-          "refId": "A"
-        }
-      ],
-      "fieldConfig": {
-        "defaults": {
-          "unit": "ms",
-          "min": 0,
-          "custom": {
-            "drawStyle": "points",
-            "pointSize": 5
-          }
-        }
-      }
-    },
-    {
-      "id": 8,
-      "title": "Login Success vs Failure",
-      "type": "piechart",
-      "datasource": {
-        "type": "influxdb",
-        "uid": "influxdb"
-      },
-      "gridPos": {
-        "h": 8,
-        "w": 12,
-        "x": 12,
-        "y": 24
-      },
-      "targets": [
-        {
-          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_login\" and r._field == \"duration_seconds\")\n  |> drop(columns: [\"deployment_type\", \"version\", \"os\", \"arch\", \"peer_id\"])\n  |> group(columns: [\"result\"])\n  |> count()",
-          "refId": "A"
-        }
-      ],
-      "options": {
-        "reduceOptions": {
-          "calcs": ["lastNotNull"]
-        },
-        "pieType": "donut",
-        "tooltip": {
-          "mode": "multi"
-        }
-      }
-    }
-  ],
-  "schemaVersion": 27,
-  "version": 2,
-  "refresh": "30s"
-}
--- a/client/internal/metrics/infra/grafana/provisioning/datasources/influxdb.yml
+++ b/client/internal/metrics/infra/grafana/provisioning/datasources/influxdb.yml
@@ -1,15 +0,0 @@
-apiVersion: 1
-
-datasources:
-  - name: InfluxDB
-    uid: influxdb
-    type: influxdb
-    access: proxy
-    url: http://influxdb:8086
-    editable: true
-    jsonData:
-      version: Flux
-      organization: netbird
-      defaultBucket: metrics
-    secureJsonData:
-      token: ${INFLUXDB_ADMIN_TOKEN}
--- a/client/internal/metrics/infra/influxdb/scripts/create-tokens.sh
+++ b/client/internal/metrics/infra/influxdb/scripts/create-tokens.sh
@@ -1,25 +0,0 @@
-#!/bin/bash
-# Creates a scoped InfluxDB read-only token for Grafana.
-# Clients do not need a token — they push via the ingest server.
-
-BUCKET_ID=$(influx bucket list --org netbird --name metrics --json | grep -oP '"id"\s*:\s*"\K[^"]+' | head -1)
-ORG_ID=$(influx org list --name netbird --json | grep -oP '"id"\s*:\s*"\K[^"]+' | head -1)
-
-if [[ -z "$BUCKET_ID" ]] || [[ -z "$ORG_ID" ]]; then
-  echo "ERROR: Could not determine bucket or org ID" >&2
-  echo "BUCKET_ID=$BUCKET_ID ORG_ID=$ORG_ID" >&2
-  exit 1
-fi
-
-# Create read-only token for Grafana
-READ_TOKEN=$(influx auth create \
-  --org netbird \
-  --read-bucket "$BUCKET_ID" \
-  --description "Grafana read-only token" \
-  --json | grep -oP '"token"\s*:\s*"\K[^"]+' | head -1)
-
-echo ""
-echo "============================================"
-echo "GRAFANA READ-ONLY TOKEN:"
-echo "$READ_TOKEN"
-echo "============================================"
--- a/client/internal/metrics/infra/ingest/Dockerfile
+++ b/client/internal/metrics/infra/ingest/Dockerfile
@@ -1,10 +0,0 @@
-FROM golang:1.25-alpine AS build
-WORKDIR /app
-COPY go.mod main.go ./
-RUN CGO_ENABLED=0 go build -o ingest .
-
-FROM alpine:3.20
-RUN adduser -D -H ingest
-COPY --from=build /app/ingest /usr/local/bin/ingest
-USER ingest
-ENTRYPOINT ["ingest"]
--- a/client/internal/metrics/infra/ingest/go.mod
+++ b/client/internal/metrics/infra/ingest/go.mod
@@ -1,11 +0,0 @@
-module github.com/netbirdio/netbird/client/internal/metrics/infra/ingest
-
-go 1.25
-
-require github.com/stretchr/testify v1.11.1
-
-require (
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-)
--- a/client/internal/metrics/infra/ingest/go.sum
+++ b/client/internal/metrics/infra/ingest/go.sum
@@ -1,10 +0,0 @@
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/client/internal/metrics/infra/ingest/main.go
+++ b/client/internal/metrics/infra/ingest/main.go
@@ -1,355 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"compress/gzip"
-	"encoding/hex"
-	"encoding/json"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"os"
-	"strconv"
-	"strings"
-	"time"
-)
-
-const (
-	defaultListenAddr  = ":8087"
-	defaultInfluxDBURL = "http://influxdb:8086/api/v2/write?org=netbird&bucket=metrics&precision=ns"
-	maxBodySize        = 50 * 1024 * 1024 // 50 MB max request body
-	maxDurationSeconds = 300.0            // reject any duration field > 5 minutes
-	peerIDLength       = 16               // truncated SHA-256: 8 bytes = 16 hex chars
-	maxTagValueLength  = 64               // reject tag values longer than this
-)
-
-type measurementSpec struct {
-	allowedFields map[string]bool
-	allowedTags   map[string]bool
-}
-
-var allowedMeasurements = map[string]measurementSpec{
-	"netbird_peer_connection": {
-		allowedFields: map[string]bool{
-			"signaling_to_connection_seconds":    true,
-			"connection_to_wg_handshake_seconds": true,
-			"total_seconds":                      true,
-		},
-		allowedTags: map[string]bool{
-			"deployment_type":    true,
-			"connection_type":    true,
-			"attempt_type":       true,
-			"version":            true,
-			"os":                 true,
-			"arch":               true,
-			"peer_id":            true,
-			"connection_pair_id": true,
-		},
-	},
-	"netbird_sync": {
-		allowedFields: map[string]bool{
-			"duration_seconds": true,
-		},
-		allowedTags: map[string]bool{
-			"deployment_type": true,
-			"version":         true,
-			"os":              true,
-			"arch":            true,
-			"peer_id":         true,
-		},
-	},
-	"netbird_login": {
-		allowedFields: map[string]bool{
-			"duration_seconds": true,
-		},
-		allowedTags: map[string]bool{
-			"deployment_type": true,
-			"result":          true,
-			"version":         true,
-			"os":              true,
-			"arch":            true,
-			"peer_id":         true,
-		},
-	},
-}
-
-func main() {
-	listenAddr := envOr("INGEST_LISTEN_ADDR", defaultListenAddr)
-	influxURL := envOr("INFLUXDB_URL", defaultInfluxDBURL)
-	influxToken := os.Getenv("INFLUXDB_TOKEN")
-
-	if influxToken == "" {
-		log.Fatal("INFLUXDB_TOKEN is required")
-	}
-
-	client := &http.Client{Timeout: 10 * time.Second}
-
-	http.HandleFunc("/", handleIngest(client, influxURL, influxToken))
-
-	// Build config JSON once at startup from env vars
-	configJSON := buildConfigJSON()
-	if configJSON != nil {
-		log.Printf("serving remote config at /config")
-	}
-
-	http.HandleFunc("/config", func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != http.MethodGet {
-			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
-			return
-		}
-		if configJSON == nil {
-			http.Error(w, "config not configured", http.StatusNotFound)
-			return
-		}
-		w.Header().Set("Content-Type", "application/json")
-		w.Write(configJSON) //nolint:errcheck
-	})
-
-	http.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) {
-		w.WriteHeader(http.StatusOK)
-		fmt.Fprint(w, "ok") //nolint:errcheck
-	})
-
-	log.Printf("ingest server listening on %s, forwarding to %s", listenAddr, influxURL)
-	if err := http.ListenAndServe(listenAddr, nil); err != nil { //nolint:gosec
-		log.Fatal(err)
-	}
-}
-
-func handleIngest(client *http.Client, influxURL, influxToken string) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != http.MethodPost {
-			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
-			return
-		}
-
-		if err := validateAuth(r); err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return
-		}
-
-		body, err := readBody(r)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusBadRequest)
-			return
-		}
-		if len(body) > maxBodySize {
-			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
-			return
-		}
-
-		validated, err := validateLineProtocol(body)
-		if err != nil {
-			log.Printf("WARN validation failed from %s: %v", r.RemoteAddr, err)
-			http.Error(w, err.Error(), http.StatusBadRequest)
-			return
-		}
-
-		forwardToInflux(w, r, client, influxURL, influxToken, validated)
-	}
-}
-
-func forwardToInflux(w http.ResponseWriter, r *http.Request, client *http.Client, influxURL, influxToken string, body []byte) {
-	req, err := http.NewRequestWithContext(r.Context(), http.MethodPost, influxURL, bytes.NewReader(body))
-	if err != nil {
-		log.Printf("ERROR create request: %v", err)
-		http.Error(w, "internal error", http.StatusInternalServerError)
-		return
-	}
-	req.Header.Set("Content-Type", "text/plain; charset=utf-8")
-	req.Header.Set("Authorization", "Token "+influxToken)
-
-	resp, err := client.Do(req)
-	if err != nil {
-		log.Printf("ERROR forward to influxdb: %v", err)
-		http.Error(w, "upstream error", http.StatusBadGateway)
-		return
-	}
-	defer func(Body io.ReadCloser) {
-		_ = Body.Close()
-	}(resp.Body)
-
-	w.WriteHeader(resp.StatusCode)
-	io.Copy(w, resp.Body) //nolint:errcheck
-}
-
-// validateAuth checks that the X-Peer-ID header contains a valid hashed peer ID.
-func validateAuth(r *http.Request) error {
-	peerID := r.Header.Get("X-Peer-ID")
-	if peerID == "" {
-		return fmt.Errorf("missing X-Peer-ID header")
-	}
-	if len(peerID) != peerIDLength {
-		return fmt.Errorf("invalid X-Peer-ID header length")
-	}
-	if _, err := hex.DecodeString(peerID); err != nil {
-		return fmt.Errorf("invalid X-Peer-ID header format")
-	}
-	return nil
-}
-
-// readBody reads the request body, decompressing gzip if Content-Encoding indicates it.
-func readBody(r *http.Request) ([]byte, error) {
-	reader := io.LimitReader(r.Body, maxBodySize+1)
-
-	if r.Header.Get("Content-Encoding") == "gzip" {
-		gz, err := gzip.NewReader(reader)
-		if err != nil {
-			return nil, fmt.Errorf("invalid gzip: %w", err)
-		}
-		defer gz.Close()
-		reader = io.LimitReader(gz, maxBodySize+1)
-	}
-
-	return io.ReadAll(reader)
-}
-
-// validateLineProtocol parses InfluxDB line protocol lines,
-// whitelists measurements and fields, and checks value bounds.
-func validateLineProtocol(body []byte) ([]byte, error) {
-	lines := strings.Split(strings.TrimSpace(string(body)), "\n")
-	var valid []string
-
-	for _, line := range lines {
-		line = strings.TrimSpace(line)
-		if line == "" {
-			continue
-		}
-
-		if err := validateLine(line); err != nil {
-			return nil, err
-		}
-
-		valid = append(valid, line)
-	}
-
-	if len(valid) == 0 {
-		return nil, fmt.Errorf("no valid lines")
-	}
-
-	return []byte(strings.Join(valid, "\n") + "\n"), nil
-}
-
-func validateLine(line string) error {
-	// line protocol: measurement,tag=val,tag=val field=val,field=val timestamp
-	parts := strings.SplitN(line, " ", 3)
-	if len(parts) < 2 {
-		return fmt.Errorf("invalid line protocol: %q", truncate(line, 100))
-	}
-
-	// parts[0] is "measurement,tag=val,tag=val"
-	measurementAndTags := strings.Split(parts[0], ",")
-	measurement := measurementAndTags[0]
-
-	spec, ok := allowedMeasurements[measurement]
-	if !ok {
-		return fmt.Errorf("unknown measurement: %q", measurement)
-	}
-
-	// Validate tags (everything after measurement name in parts[0])
-	for _, tagPair := range measurementAndTags[1:] {
-		if err := validateTag(tagPair, measurement, spec.allowedTags); err != nil {
-			return err
-		}
-	}
-
-	// Validate fields
-	for _, pair := range strings.Split(parts[1], ",") {
-		if err := validateField(pair, measurement, spec.allowedFields); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func validateTag(pair, measurement string, allowedTags map[string]bool) error {
-	kv := strings.SplitN(pair, "=", 2)
-	if len(kv) != 2 {
-		return fmt.Errorf("invalid tag: %q", pair)
-	}
-
-	tagName := kv[0]
-	if !allowedTags[tagName] {
-		return fmt.Errorf("unknown tag %q in measurement %q", tagName, measurement)
-	}
-
-	if len(kv[1]) > maxTagValueLength {
-		return fmt.Errorf("tag value too long for %q: %d > %d", tagName, len(kv[1]), maxTagValueLength)
-	}
-
-	return nil
-}
-
-func validateField(pair, measurement string, allowedFields map[string]bool) error {
-	kv := strings.SplitN(pair, "=", 2)
-	if len(kv) != 2 {
-		return fmt.Errorf("invalid field: %q", pair)
-	}
-
-	fieldName := kv[0]
-	if !allowedFields[fieldName] {
-		return fmt.Errorf("unknown field %q in measurement %q", fieldName, measurement)
-	}
-
-	val, err := strconv.ParseFloat(kv[1], 64)
-	if err != nil {
-		return fmt.Errorf("invalid field value %q for %q", kv[1], fieldName)
-	}
-	if val < 0 {
-		return fmt.Errorf("negative value for %q: %g", fieldName, val)
-	}
-	if strings.HasSuffix(fieldName, "_seconds") && val > maxDurationSeconds {
-		return fmt.Errorf("%q too large: %g > %g", fieldName, val, maxDurationSeconds)
-	}
-
-	return nil
-}
-
-// buildConfigJSON builds the remote config JSON from env vars.
-// Returns nil if required vars are not set.
-func buildConfigJSON() []byte {
-	serverURL := os.Getenv("CONFIG_METRICS_SERVER_URL")
-	versionSince := envOr("CONFIG_VERSION_SINCE", "0.0.0")
-	versionUntil := envOr("CONFIG_VERSION_UNTIL", "99.99.99")
-	periodMinutes := envOr("CONFIG_PERIOD_MINUTES", "5")
-
-	if serverURL == "" {
-		return nil
-	}
-
-	period, err := strconv.Atoi(periodMinutes)
-	if err != nil || period <= 0 {
-		log.Printf("WARN invalid CONFIG_PERIOD_MINUTES: %q, using 5", periodMinutes)
-		period = 5
-	}
-
-	cfg := map[string]any{
-		"server_url":     serverURL,
-		"version-since":  versionSince,
-		"version-until":  versionUntil,
-		"period_minutes": period,
-	}
-
-	data, err := json.Marshal(cfg)
-	if err != nil {
-		log.Printf("ERROR failed to marshal config: %v", err)
-		return nil
-	}
-	return data
-}
-
-func envOr(key, defaultVal string) string {
-	if v := os.Getenv(key); v != "" {
-		return v
-	}
-	return defaultVal
-}
-
-func truncate(s string, n int) string {
-	if len(s) <= n {
-		return s
-	}
-	return s[:n] + "..."
-}
--- a/client/internal/metrics/infra/ingest/main_test.go
+++ b/client/internal/metrics/infra/ingest/main_test.go
@@ -1,124 +0,0 @@
-package main
-
-import (
-	"net/http"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestValidateLine_ValidPeerConnection(t *testing.T) {
-	line := `netbird_peer_connection,deployment_type=cloud,connection_type=ice,attempt_type=initial,version=1.0.0,os=linux,arch=amd64,peer_id=abcdef0123456789,connection_pair_id=pair1234 signaling_to_connection_seconds=1.5,connection_to_wg_handshake_seconds=0.5,total_seconds=2 1234567890`
-	assert.NoError(t, validateLine(line))
-}
-
-func TestValidateLine_ValidSync(t *testing.T) {
-	line := `netbird_sync,deployment_type=selfhosted,version=2.0.0,os=darwin,arch=arm64,peer_id=abcdef0123456789 duration_seconds=1.5 1234567890`
-	assert.NoError(t, validateLine(line))
-}
-
-func TestValidateLine_ValidLogin(t *testing.T) {
-	line := `netbird_login,deployment_type=cloud,result=success,version=1.0.0,os=linux,arch=amd64,peer_id=abcdef0123456789 duration_seconds=3.2 1234567890`
-	assert.NoError(t, validateLine(line))
-}
-
-func TestValidateLine_UnknownMeasurement(t *testing.T) {
-	line := `unknown_metric,foo=bar value=1 1234567890`
-	err := validateLine(line)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "unknown measurement")
-}
-
-func TestValidateLine_UnknownTag(t *testing.T) {
-	line := `netbird_sync,deployment_type=cloud,evil_tag=injected,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=1.5 1234567890`
-	err := validateLine(line)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "unknown tag")
-}
-
-func TestValidateLine_UnknownField(t *testing.T) {
-	line := `netbird_sync,deployment_type=cloud,version=1.0.0,os=linux,arch=amd64,peer_id=abc injected_field=1 1234567890`
-	err := validateLine(line)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "unknown field")
-}
-
-func TestValidateLine_NegativeValue(t *testing.T) {
-	line := `netbird_sync,deployment_type=cloud,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=-1.5 1234567890`
-	err := validateLine(line)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "negative")
-}
-
-func TestValidateLine_DurationTooLarge(t *testing.T) {
-	line := `netbird_sync,deployment_type=cloud,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=999 1234567890`
-	err := validateLine(line)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "too large")
-}
-
-func TestValidateLine_TotalSecondsTooLarge(t *testing.T) {
-	line := `netbird_peer_connection,deployment_type=cloud,connection_type=ice,attempt_type=initial,version=1.0.0,os=linux,arch=amd64,peer_id=abc,connection_pair_id=pair total_seconds=500 1234567890`
-	err := validateLine(line)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "too large")
-}
-
-func TestValidateLine_TagValueTooLong(t *testing.T) {
-	longTag := strings.Repeat("a", maxTagValueLength+1)
-	line := `netbird_sync,deployment_type=` + longTag + `,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=1.5 1234567890`
-	err := validateLine(line)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "tag value too long")
-}
-
-func TestValidateLineProtocol_MultipleLines(t *testing.T) {
-	body := []byte(
-		"netbird_sync,deployment_type=cloud,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=1.5 1234567890\n" +
-			"netbird_login,deployment_type=cloud,result=success,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=2.0 1234567890\n",
-	)
-	validated, err := validateLineProtocol(body)
-	require.NoError(t, err)
-	assert.Contains(t, string(validated), "netbird_sync")
-	assert.Contains(t, string(validated), "netbird_login")
-}
-
-func TestValidateLineProtocol_RejectsOnBadLine(t *testing.T) {
-	body := []byte(
-		"netbird_sync,deployment_type=cloud,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=1.5 1234567890\n" +
-			"evil_metric,foo=bar value=1 1234567890\n",
-	)
-	_, err := validateLineProtocol(body)
-	require.Error(t, err)
-}
-
-func TestValidateAuth(t *testing.T) {
-	tests := []struct {
-		name    string
-		peerID  string
-		wantErr bool
-	}{
-		{"valid hex", "abcdef0123456789", false},
-		{"empty", "", true},
-		{"too short", "abcdef01234567", true},
-		{"too long", "abcdef01234567890", true},
-		{"invalid hex", "ghijklmnopqrstuv", true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			r, _ := http.NewRequest(http.MethodPost, "/", nil)
-			if tt.peerID != "" {
-				r.Header.Set("X-Peer-ID", tt.peerID)
-			}
-			err := validateAuth(r)
-			if tt.wantErr {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-			}
-		})
-	}
-}
--- a/client/internal/metrics/metrics.go
+++ b/client/internal/metrics/metrics.go
@@ -1,224 +0,0 @@
-package metrics
-
-import (
-	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"fmt"
-	"io"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/metrics/remoteconfig"
-)
-
-// AgentInfo holds static information about the agent
-type AgentInfo struct {
-	DeploymentType DeploymentType
-	Version        string
-	OS             string // runtime.GOOS (linux, darwin, windows, etc.)
-	Arch           string // runtime.GOARCH (amd64, arm64, etc.)
-	peerID         string // anonymised peer identifier (SHA-256 of WireGuard public key)
-}
-
-// peerIDFromPublicKey returns a truncated SHA-256 hash (8 bytes / 16 hex chars) of the given WireGuard public key.
-func peerIDFromPublicKey(pubKey string) string {
-	hash := sha256.Sum256([]byte(pubKey))
-	return hex.EncodeToString(hash[:8])
-}
-
-// connectionPairID returns a deterministic identifier for a connection between two peers.
-// It sorts the two peer IDs before hashing so the same pair always produces the same ID
-// regardless of which side computes it.
-func connectionPairID(peerID1, peerID2 string) string {
-	a, b := peerID1, peerID2
-	if a > b {
-		a, b = b, a
-	}
-	hash := sha256.Sum256([]byte(a + b))
-	return hex.EncodeToString(hash[:8])
-}
-
-// metricsImplementation defines the internal interface for metrics implementations
-type metricsImplementation interface {
-	// RecordConnectionStages records connection stage metrics from timestamps
-	RecordConnectionStages(
-		ctx context.Context,
-		agentInfo AgentInfo,
-		connectionPairID string,
-		connectionType ConnectionType,
-		isReconnection bool,
-		timestamps ConnectionStageTimestamps,
-	)
-
-	// RecordSyncDuration records how long it took to process a sync message
-	RecordSyncDuration(ctx context.Context, agentInfo AgentInfo, duration time.Duration)
-
-	// RecordLoginDuration records how long the login to management took
-	RecordLoginDuration(ctx context.Context, agentInfo AgentInfo, duration time.Duration, success bool)
-
-	// Export exports metrics in InfluxDB line protocol format
-	Export(w io.Writer) error
-
-	// Reset clears all collected metrics
-	Reset()
-}
-
-type ClientMetrics struct {
-	impl metricsImplementation
-
-	agentInfo AgentInfo
-	mu        sync.RWMutex
-
-	push       *Push
-	pushMu     sync.Mutex
-	wg         sync.WaitGroup
-	pushCancel context.CancelFunc
-}
-
-// ConnectionStageTimestamps holds timestamps for each connection stage
-type ConnectionStageTimestamps struct {
-	SignalingReceived  time.Time // First signal received from remote peer (both initial and reconnection)
-	ConnectionReady    time.Time
-	WgHandshakeSuccess time.Time
-}
-
-// String returns a human-readable representation of the connection stage timestamps
-func (c ConnectionStageTimestamps) String() string {
-	return fmt.Sprintf("ConnectionStageTimestamps{SignalingReceived=%v, ConnectionReady=%v, WgHandshakeSuccess=%v}",
-		c.SignalingReceived.Format(time.RFC3339Nano),
-		c.ConnectionReady.Format(time.RFC3339Nano),
-		c.WgHandshakeSuccess.Format(time.RFC3339Nano),
-	)
-}
-
-// RecordConnectionStages calculates stage durations from timestamps and records them.
-// remotePubKey is the remote peer's WireGuard public key; it will be hashed for anonymisation.
-func (c *ClientMetrics) RecordConnectionStages(
-	ctx context.Context,
-	remotePubKey string,
-	connectionType ConnectionType,
-	isReconnection bool,
-	timestamps ConnectionStageTimestamps,
-) {
-	if c == nil {
-		return
-	}
-	c.mu.RLock()
-	agentInfo := c.agentInfo
-	c.mu.RUnlock()
-
-	remotePeerID := peerIDFromPublicKey(remotePubKey)
-	pairID := connectionPairID(agentInfo.peerID, remotePeerID)
-	c.impl.RecordConnectionStages(ctx, agentInfo, pairID, connectionType, isReconnection, timestamps)
-}
-
-// RecordSyncDuration records the duration of sync message processing
-func (c *ClientMetrics) RecordSyncDuration(ctx context.Context, duration time.Duration) {
-	if c == nil {
-		return
-	}
-	c.mu.RLock()
-	agentInfo := c.agentInfo
-	c.mu.RUnlock()
-
-	c.impl.RecordSyncDuration(ctx, agentInfo, duration)
-}
-
-// RecordLoginDuration records how long the login to management server took
-func (c *ClientMetrics) RecordLoginDuration(ctx context.Context, duration time.Duration, success bool) {
-	if c == nil {
-		return
-	}
-	c.mu.RLock()
-	agentInfo := c.agentInfo
-	c.mu.RUnlock()
-
-	c.impl.RecordLoginDuration(ctx, agentInfo, duration, success)
-}
-
-// UpdateAgentInfo updates the agent information (e.g., when switching profiles).
-// publicKey is the WireGuard public key; it will be hashed for anonymisation.
-func (c *ClientMetrics) UpdateAgentInfo(agentInfo AgentInfo, publicKey string) {
-	if c == nil {
-		return
-	}
-
-	agentInfo.peerID = peerIDFromPublicKey(publicKey)
-
-	c.mu.Lock()
-	c.agentInfo = agentInfo
-	c.mu.Unlock()
-
-	c.pushMu.Lock()
-	push := c.push
-	c.pushMu.Unlock()
-	if push != nil {
-		push.SetPeerID(agentInfo.peerID)
-	}
-}
-
-// Export exports metrics to the writer
-func (c *ClientMetrics) Export(w io.Writer) error {
-	if c == nil {
-		return nil
-	}
-
-	return c.impl.Export(w)
-}
-
-// StartPush starts periodic pushing of metrics with the given configuration
-// Precedence: PushConfig.ServerAddress > remote config server_url
-func (c *ClientMetrics) StartPush(ctx context.Context, config PushConfig) {
-	if c == nil {
-		return
-	}
-
-	c.pushMu.Lock()
-	defer c.pushMu.Unlock()
-
-	if c.push != nil {
-		log.Warnf("metrics push already running")
-		return
-	}
-
-	c.mu.RLock()
-	agentVersion := c.agentInfo.Version
-	peerID := c.agentInfo.peerID
-	c.mu.RUnlock()
-
-	configManager := remoteconfig.NewManager(getMetricsConfigURL(), remoteconfig.DefaultMinRefreshInterval)
-	push, err := NewPush(c.impl, configManager, config, agentVersion)
-	if err != nil {
-		log.Errorf("failed to create metrics push: %v", err)
-		return
-	}
-	push.SetPeerID(peerID)
-
-	ctx, cancel := context.WithCancel(ctx)
-	c.pushCancel = cancel
-
-	c.wg.Add(1)
-	go func() {
-		defer c.wg.Done()
-		push.Start(ctx)
-	}()
-	c.push = push
-}
-
-func (c *ClientMetrics) StopPush() {
-	if c == nil {
-		return
-	}
-	c.pushMu.Lock()
-	defer c.pushMu.Unlock()
-	if c.push == nil {
-		return
-	}
-
-	c.pushCancel()
-	c.wg.Wait()
-	c.push = nil
-}
--- a/client/internal/metrics/metrics_default.go
+++ b/client/internal/metrics/metrics_default.go
@@ -1,11 +0,0 @@
-//go:build !js
-
-package metrics
-
-// NewClientMetrics creates a new ClientMetrics instance
-func NewClientMetrics(agentInfo AgentInfo) *ClientMetrics {
-	return &ClientMetrics{
-		impl:      newInfluxDBMetrics(),
-		agentInfo: agentInfo,
-	}
-}
--- a/client/internal/metrics/metrics_js.go
+++ b/client/internal/metrics/metrics_js.go
@@ -1,8 +0,0 @@
-//go:build js
-
-package metrics
-
-// NewClientMetrics returns nil on WASM builds — all ClientMetrics methods are nil-safe.
-func NewClientMetrics(AgentInfo) *ClientMetrics {
-	return nil
-}
--- a/client/internal/metrics/push.go
+++ b/client/internal/metrics/push.go
@@ -1,289 +0,0 @@
-package metrics
-
-import (
-	"bytes"
-	"compress/gzip"
-	"context"
-	"fmt"
-	"net/http"
-	"net/url"
-	"sync"
-	"time"
-
-	goversion "github.com/hashicorp/go-version"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/metrics/remoteconfig"
-)
-
-const (
-	// defaultPushInterval is the default interval for pushing metrics
-	defaultPushInterval = 5 * time.Minute
-)
-
-// defaultMetricsServerURL is used as fallback when NB_METRICS_FORCE_SENDING is true
-var defaultMetricsServerURL *url.URL
-
-func init() {
-	defaultMetricsServerURL, _ = url.Parse("https://ingest.netbird.io")
-}
-
-// PushConfig holds configuration for metrics push
-type PushConfig struct {
-	// ServerAddress is the metrics server URL. If nil, uses remote config server_url.
-	ServerAddress *url.URL
-	// Interval is how often to push metrics. If 0, uses remote config interval or defaultPushInterval.
-	Interval time.Duration
-	// ForceSending skips remote configuration fetch and version checks, pushing unconditionally.
-	ForceSending bool
-}
-
-// PushConfigFromEnv builds a PushConfig from environment variables.
-func PushConfigFromEnv() PushConfig {
-	config := PushConfig{}
-
-	config.ForceSending = isForceSending()
-	config.ServerAddress = getMetricsServerURL()
-	config.Interval = getMetricsInterval()
-
-	return config
-}
-
-// remoteConfigProvider abstracts remote push config fetching for testability
-type remoteConfigProvider interface {
-	RefreshIfNeeded(ctx context.Context) *remoteconfig.Config
-}
-
-// Push handles periodic pushing of metrics
-type Push struct {
-	metrics       metricsImplementation
-	configManager remoteConfigProvider
-	agentVersion  *goversion.Version
-
-	peerID string
-	peerMu sync.RWMutex
-
-	client          *http.Client
-	cfgForceSending bool
-	cfgInterval     time.Duration
-	cfgAddress      *url.URL
-}
-
-// NewPush creates a new Push instance with configuration resolution
-func NewPush(metrics metricsImplementation, configManager remoteConfigProvider, config PushConfig, agentVersion string) (*Push, error) {
-	var cfgInterval time.Duration
-	var cfgAddress *url.URL
-
-	if config.ForceSending {
-		cfgInterval = config.Interval
-		if config.Interval <= 0 {
-			cfgInterval = defaultPushInterval
-		}
-
-		cfgAddress = config.ServerAddress
-		if cfgAddress == nil {
-			cfgAddress = defaultMetricsServerURL
-		}
-	} else {
-		cfgAddress = config.ServerAddress
-
-		if config.Interval < 0 {
-			log.Warnf("negative metrics push interval %s", config.Interval)
-		} else {
-			cfgInterval = config.Interval
-		}
-	}
-
-	parsedVersion, err := goversion.NewVersion(agentVersion)
-	if err != nil {
-		if !config.ForceSending {
-			return nil, fmt.Errorf("parse agent version %q: %w", agentVersion, err)
-		}
-	}
-
-	return &Push{
-		metrics:         metrics,
-		configManager:   configManager,
-		agentVersion:    parsedVersion,
-		cfgForceSending: config.ForceSending,
-		cfgInterval:     cfgInterval,
-		cfgAddress:      cfgAddress,
-		client: &http.Client{
-			Timeout: 10 * time.Second,
-		},
-	}, nil
-}
-
-// SetPeerID updates the hashed peer ID used for the Authorization header.
-func (p *Push) SetPeerID(peerID string) {
-	p.peerMu.Lock()
-	p.peerID = peerID
-	p.peerMu.Unlock()
-}
-
-// Start starts the periodic push loop.
-// The env interval override controls tick frequency but does not bypass remote config
-// version gating. Use ForceSending to skip remote config entirely.
-func (p *Push) Start(ctx context.Context) {
-	// Log initial state
-	switch {
-	case p.cfgForceSending:
-		log.Infof("started metrics push with force sending to %s, interval %s", p.cfgAddress, p.cfgInterval)
-	case p.cfgAddress != nil:
-		log.Infof("started metrics push with server URL override: %s", p.cfgAddress.String())
-	default:
-		log.Infof("started metrics push, server URL will be resolved from remote config")
-	}
-
-	timer := time.NewTimer(0) // fire immediately on first iteration
-	defer timer.Stop()
-
-	for {
-		select {
-		case <-ctx.Done():
-			log.Debug("stopping metrics push")
-			return
-		case <-timer.C:
-		}
-
-		pushURL, interval := p.resolve(ctx)
-		if pushURL != "" {
-			if err := p.push(ctx, pushURL); err != nil {
-				log.Errorf("failed to push metrics: %v", err)
-			}
-		}
-
-		if interval <= 0 {
-			interval = defaultPushInterval
-		}
-		timer.Reset(interval)
-	}
-}
-
-// resolve returns the push URL and interval for the next cycle.
-// Returns empty pushURL to skip this cycle.
-func (p *Push) resolve(ctx context.Context) (pushURL string, interval time.Duration) {
-	if p.cfgForceSending {
-		return p.resolveServerURL(nil), p.cfgInterval
-	}
-
-	config := p.configManager.RefreshIfNeeded(ctx)
-	if config == nil {
-		log.Debug("no metrics push config available, waiting to retry")
-		return "", defaultPushInterval
-	}
-
-	// prefer env variables instead of remote config
-	if p.cfgInterval > 0 {
-		interval = p.cfgInterval
-	} else {
-		interval = config.Interval
-	}
-
-	if !isVersionInRange(p.agentVersion, config.VersionSince, config.VersionUntil) {
-		log.Debugf("agent version %s not in range [%s, %s), skipping metrics push",
-			p.agentVersion, config.VersionSince, config.VersionUntil)
-		return "", interval
-	}
-
-	pushURL = p.resolveServerURL(&config.ServerURL)
-	if pushURL == "" {
-		log.Warn("no metrics server URL available, skipping push")
-	}
-	return pushURL, interval
-}
-
-// push exports metrics and sends them to the metrics server
-func (p *Push) push(ctx context.Context, pushURL string) error {
-	// Export metrics without clearing
-	var buf bytes.Buffer
-	if err := p.metrics.Export(&buf); err != nil {
-		return fmt.Errorf("export metrics: %w", err)
-	}
-
-	// Don't push if there are no metrics
-	if buf.Len() == 0 {
-		log.Tracef("no metrics to push")
-		return nil
-	}
-
-	// Gzip compress the body
-	compressed, err := gzipCompress(buf.Bytes())
-	if err != nil {
-		return fmt.Errorf("gzip compress: %w", err)
-	}
-
-	// Create HTTP request
-	req, err := http.NewRequestWithContext(ctx, "POST", pushURL, compressed)
-	if err != nil {
-		return fmt.Errorf("create request: %w", err)
-	}
-	req.Header.Set("Content-Type", "text/plain; charset=utf-8")
-	req.Header.Set("Content-Encoding", "gzip")
-
-	p.peerMu.RLock()
-	peerID := p.peerID
-	p.peerMu.RUnlock()
-	if peerID != "" {
-		req.Header.Set("X-Peer-ID", peerID)
-	}
-
-	// Send request
-	resp, err := p.client.Do(req)
-	if err != nil {
-		return fmt.Errorf("send request: %w", err)
-	}
-	defer func() {
-		if resp.Body == nil {
-			return
-		}
-		if err := resp.Body.Close(); err != nil {
-			log.Warnf("failed to close response body: %v", err)
-		}
-	}()
-
-	// Check response status
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		return fmt.Errorf("push failed with status %d", resp.StatusCode)
-	}
-
-	log.Debugf("successfully pushed metrics to %s", pushURL)
-	p.metrics.Reset()
-	return nil
-}
-
-// resolveServerURL determines the push URL.
-// Precedence: envAddress (env var) > remote config server_url
-func (p *Push) resolveServerURL(remoteServerURL *url.URL) string {
-	var baseURL *url.URL
-	if p.cfgAddress != nil {
-		baseURL = p.cfgAddress
-	} else {
-		baseURL = remoteServerURL
-	}
-
-	if baseURL == nil {
-		return ""
-	}
-
-	return baseURL.String()
-}
-
-// gzipCompress compresses data using gzip and returns the compressed buffer.
-func gzipCompress(data []byte) (*bytes.Buffer, error) {
-	var buf bytes.Buffer
-	gz := gzip.NewWriter(&buf)
-	if _, err := gz.Write(data); err != nil {
-		_ = gz.Close()
-		return nil, err
-	}
-	if err := gz.Close(); err != nil {
-		return nil, err
-	}
-	return &buf, nil
-}
-
-// isVersionInRange checks if current falls within [since, until)
-func isVersionInRange(current, since, until *goversion.Version) bool {
-	return !current.LessThan(since) && current.LessThan(until)
-}
--- a/client/internal/metrics/push_test.go
+++ b/client/internal/metrics/push_test.go
@@ -1,343 +0,0 @@
-package metrics
-
-import (
-	"context"
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	goversion "github.com/hashicorp/go-version"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal/metrics/remoteconfig"
-)
-
-func mustVersion(s string) *goversion.Version {
-	v, err := goversion.NewVersion(s)
-	if err != nil {
-		panic(err)
-	}
-	return v
-}
-
-func mustURL(s string) url.URL {
-	u, err := url.Parse(s)
-	if err != nil {
-		panic(err)
-	}
-	return *u
-}
-
-func parseURL(s string) *url.URL {
-	u, err := url.Parse(s)
-	if err != nil {
-		panic(err)
-	}
-	return u
-}
-
-func testConfig(serverURL, since, until string, period time.Duration) *remoteconfig.Config {
-	return &remoteconfig.Config{
-		ServerURL:    mustURL(serverURL),
-		VersionSince: mustVersion(since),
-		VersionUntil: mustVersion(until),
-		Interval:     period,
-	}
-}
-
-// mockConfigProvider implements remoteConfigProvider for testing
-type mockConfigProvider struct {
-	config *remoteconfig.Config
-}
-
-func (m *mockConfigProvider) RefreshIfNeeded(_ context.Context) *remoteconfig.Config {
-	return m.config
-}
-
-// mockMetrics implements metricsImplementation for testing
-type mockMetrics struct {
-	exportData string
-}
-
-func (m *mockMetrics) RecordConnectionStages(_ context.Context, _ AgentInfo, _ string, _ ConnectionType, _ bool, _ ConnectionStageTimestamps) {
-}
-
-func (m *mockMetrics) RecordSyncDuration(_ context.Context, _ AgentInfo, _ time.Duration) {
-}
-
-func (m *mockMetrics) RecordLoginDuration(_ context.Context, _ AgentInfo, _ time.Duration, _ bool) {
-}
-
-func (m *mockMetrics) Export(w io.Writer) error {
-	if m.exportData != "" {
-		_, err := w.Write([]byte(m.exportData))
-		return err
-	}
-	return nil
-}
-
-func (m *mockMetrics) Reset() {
-}
-
-func TestPush_OverrideIntervalPushes(t *testing.T) {
-	var pushCount atomic.Int32
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		pushCount.Add(1)
-		w.WriteHeader(http.StatusNoContent)
-	}))
-	defer server.Close()
-
-	metrics := &mockMetrics{exportData: "test_metric 1\n"}
-	configProvider := &mockConfigProvider{config: testConfig(server.URL, "1.0.0", "2.0.0", 60*time.Minute)}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{
-		Interval:      50 * time.Millisecond,
-		ServerAddress: parseURL(server.URL),
-	}, "1.0.0")
-	require.NoError(t, err)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	done := make(chan struct{})
-	go func() {
-		push.Start(ctx)
-		close(done)
-	}()
-
-	require.Eventually(t, func() bool {
-		return pushCount.Load() >= 3
-	}, 2*time.Second, 10*time.Millisecond)
-
-	cancel()
-	<-done
-}
-
-func TestPush_RemoteConfigVersionInRange(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusNoContent)
-	}))
-	defer server.Close()
-
-	metrics := &mockMetrics{exportData: "test_metric 1\n"}
-	configProvider := &mockConfigProvider{config: testConfig(server.URL, "1.0.0", "2.0.0", 1*time.Minute)}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{}, "1.5.0")
-	require.NoError(t, err)
-
-	pushURL, interval := push.resolve(context.Background())
-	assert.NotEmpty(t, pushURL)
-	assert.Equal(t, 1*time.Minute, interval)
-}
-
-func TestPush_RemoteConfigVersionOutOfRange(t *testing.T) {
-	metrics := &mockMetrics{exportData: "test_metric 1\n"}
-	configProvider := &mockConfigProvider{config: testConfig("http://localhost", "1.0.0", "1.5.0", 1*time.Minute)}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{}, "2.0.0")
-	require.NoError(t, err)
-
-	pushURL, interval := push.resolve(context.Background())
-	assert.Empty(t, pushURL)
-	assert.Equal(t, 1*time.Minute, interval)
-}
-
-func TestPush_NoConfigReturnsDefault(t *testing.T) {
-	metrics := &mockMetrics{}
-	configProvider := &mockConfigProvider{config: nil}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{}, "1.0.0")
-	require.NoError(t, err)
-
-	pushURL, interval := push.resolve(context.Background())
-	assert.Empty(t, pushURL)
-	assert.Equal(t, defaultPushInterval, interval)
-}
-
-func TestPush_OverrideIntervalRespectsVersionCheck(t *testing.T) {
-	metrics := &mockMetrics{}
-	configProvider := &mockConfigProvider{config: testConfig("http://localhost", "3.0.0", "4.0.0", 60*time.Minute)}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{
-		Interval:      30 * time.Second,
-		ServerAddress: parseURL("http://localhost"),
-	}, "1.0.0")
-	require.NoError(t, err)
-
-	pushURL, interval := push.resolve(context.Background())
-	assert.Empty(t, pushURL)                  // version out of range
-	assert.Equal(t, 30*time.Second, interval) // but uses override interval
-}
-
-func TestPush_OverrideIntervalUsedWhenVersionInRange(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusNoContent)
-	}))
-	defer server.Close()
-
-	metrics := &mockMetrics{}
-	configProvider := &mockConfigProvider{config: testConfig(server.URL, "1.0.0", "2.0.0", 60*time.Minute)}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{
-		Interval: 30 * time.Second,
-	}, "1.5.0")
-	require.NoError(t, err)
-
-	pushURL, interval := push.resolve(context.Background())
-	assert.NotEmpty(t, pushURL)
-	assert.Equal(t, 30*time.Second, interval)
-}
-
-func TestPush_NoMetricsSkipsPush(t *testing.T) {
-	var pushCount atomic.Int32
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		pushCount.Add(1)
-		w.WriteHeader(http.StatusNoContent)
-	}))
-	defer server.Close()
-
-	metrics := &mockMetrics{exportData: ""} // no metrics to export
-	configProvider := &mockConfigProvider{config: nil}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{}, "1.0.0")
-	require.NoError(t, err)
-
-	err = push.push(context.Background(), server.URL)
-	assert.NoError(t, err)
-	assert.Equal(t, int32(0), pushCount.Load())
-}
-
-func TestPush_ServerURLFromRemoteConfig(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusNoContent)
-	}))
-	defer server.Close()
-
-	metrics := &mockMetrics{exportData: "test_metric 1\n"}
-	configProvider := &mockConfigProvider{config: testConfig(server.URL, "1.0.0", "2.0.0", 1*time.Minute)}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{}, "1.5.0")
-	require.NoError(t, err)
-
-	pushURL, interval := push.resolve(context.Background())
-	assert.Contains(t, pushURL, server.URL)
-	assert.Equal(t, 1*time.Minute, interval)
-}
-
-func TestPush_ServerAddressOverridesTakePrecedenceOverRemoteConfig(t *testing.T) {
-	overrideServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusNoContent)
-	}))
-	defer overrideServer.Close()
-
-	metrics := &mockMetrics{exportData: "test_metric 1\n"}
-	configProvider := &mockConfigProvider{config: testConfig("http://remote-config-server", "1.0.0", "2.0.0", 1*time.Minute)}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{
-		ServerAddress: parseURL(overrideServer.URL),
-	}, "1.5.0")
-	require.NoError(t, err)
-
-	pushURL, _ := push.resolve(context.Background())
-	assert.Contains(t, pushURL, overrideServer.URL)
-	assert.NotContains(t, pushURL, "remote-config-server")
-}
-
-func TestPush_OverrideIntervalWithoutOverrideURL_UsesRemoteConfigURL(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusNoContent)
-	}))
-	defer server.Close()
-
-	metrics := &mockMetrics{exportData: "test_metric 1\n"}
-	configProvider := &mockConfigProvider{config: testConfig(server.URL, "1.0.0", "2.0.0", 60*time.Minute)}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{
-		Interval: 30 * time.Second,
-	}, "1.0.0")
-	require.NoError(t, err)
-
-	pushURL, interval := push.resolve(context.Background())
-	assert.Contains(t, pushURL, server.URL)
-	assert.Equal(t, 30*time.Second, interval)
-}
-
-func TestPush_NoConfigSkipsPush(t *testing.T) {
-	metrics := &mockMetrics{exportData: "test_metric 1\n"}
-	configProvider := &mockConfigProvider{config: nil}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{
-		Interval: 30 * time.Second,
-	}, "1.0.0")
-	require.NoError(t, err)
-
-	pushURL, interval := push.resolve(context.Background())
-	assert.Empty(t, pushURL)
-	assert.Equal(t, defaultPushInterval, interval) // no config available, use default retry interval
-}
-
-func TestPush_ForceSendingSkipsRemoteConfig(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusNoContent)
-	}))
-	defer server.Close()
-
-	metrics := &mockMetrics{exportData: "test_metric 1\n"}
-	configProvider := &mockConfigProvider{config: nil}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{
-		ForceSending:  true,
-		Interval:      1 * time.Minute,
-		ServerAddress: parseURL(server.URL),
-	}, "1.0.0")
-	require.NoError(t, err)
-
-	pushURL, interval := push.resolve(context.Background())
-	assert.NotEmpty(t, pushURL)
-	assert.Equal(t, 1*time.Minute, interval)
-}
-
-func TestPush_ForceSendingUsesDefaultInterval(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusNoContent)
-	}))
-	defer server.Close()
-
-	metrics := &mockMetrics{exportData: "test_metric 1\n"}
-	configProvider := &mockConfigProvider{config: nil}
-
-	push, err := NewPush(metrics, configProvider, PushConfig{
-		ForceSending:  true,
-		ServerAddress: parseURL(server.URL),
-	}, "1.0.0")
-	require.NoError(t, err)
-
-	pushURL, interval := push.resolve(context.Background())
-	assert.NotEmpty(t, pushURL)
-	assert.Equal(t, defaultPushInterval, interval)
-}
-
-func TestIsVersionInRange(t *testing.T) {
-	tests := []struct {
-		name     string
-		current  string
-		since    string
-		until    string
-		expected bool
-	}{
-		{"at lower bound inclusive", "1.2.2", "1.2.2", "1.2.3", true},
-		{"in range", "1.2.2", "1.2.0", "1.3.0", true},
-		{"at upper bound exclusive", "1.2.3", "1.2.2", "1.2.3", false},
-		{"below range", "1.2.1", "1.2.2", "1.2.3", false},
-		{"above range", "1.3.0", "1.2.2", "1.2.3", false},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			assert.Equal(t, tt.expected, isVersionInRange(mustVersion(tt.current), mustVersion(tt.since), mustVersion(tt.until)))
-		})
-	}
-}
--- a/client/internal/metrics/remoteconfig/manager.go
+++ b/client/internal/metrics/remoteconfig/manager.go
@@ -1,149 +0,0 @@
-package remoteconfig
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"sync"
-	"time"
-
-	goversion "github.com/hashicorp/go-version"
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	DefaultMinRefreshInterval = 30 * time.Minute
-)
-
-// Config holds the parsed remote push configuration
-type Config struct {
-	ServerURL    url.URL
-	VersionSince *goversion.Version
-	VersionUntil *goversion.Version
-	Interval     time.Duration
-}
-
-// rawConfig is the JSON wire format fetched from the remote server
-type rawConfig struct {
-	ServerURL     string `json:"server_url"`
-	VersionSince  string `json:"version-since"`
-	VersionUntil  string `json:"version-until"`
-	PeriodMinutes int    `json:"period_minutes"`
-}
-
-// Manager handles fetching and caching remote push configuration
-type Manager struct {
-	configURL          string
-	minRefreshInterval time.Duration
-	client             *http.Client
-
-	mu          sync.Mutex
-	lastConfig  *Config
-	lastFetched time.Time
-}
-
-func NewManager(configURL string, minRefreshInterval time.Duration) *Manager {
-	return &Manager{
-		configURL:          configURL,
-		minRefreshInterval: minRefreshInterval,
-		client: &http.Client{
-			Timeout: 10 * time.Second,
-		},
-	}
-}
-
-// RefreshIfNeeded fetches new config if the cached one is stale.
-// Returns the current config (possibly just fetched) or nil if unavailable.
-func (m *Manager) RefreshIfNeeded(ctx context.Context) *Config {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	if m.isConfigFresh() {
-		return m.lastConfig
-	}
-
-	fetchedConfig, err := m.fetch(ctx)
-	m.lastFetched = time.Now()
-	if err != nil {
-		log.Warnf("failed to fetch metrics remote config: %v", err)
-		return m.lastConfig // return cached (may be nil)
-	}
-
-	m.lastConfig = fetchedConfig
-
-	log.Tracef("fetched metrics remote config: version-since=%s version-until=%s period=%s",
-		fetchedConfig.VersionSince, fetchedConfig.VersionUntil, fetchedConfig.Interval)
-
-	return fetchedConfig
-}
-
-func (m *Manager) isConfigFresh() bool {
-	if m.lastConfig == nil {
-		return false
-	}
-	return time.Since(m.lastFetched) < m.minRefreshInterval
-}
-
-func (m *Manager) fetch(ctx context.Context) (*Config, error) {
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, m.configURL, nil)
-	if err != nil {
-		return nil, fmt.Errorf("create request: %w", err)
-	}
-
-	resp, err := m.client.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("send request: %w", err)
-	}
-	defer func() {
-		if resp.Body != nil {
-			_ = resp.Body.Close()
-		}
-	}()
-
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		return nil, fmt.Errorf("unexpected status code: %d", resp.StatusCode)
-	}
-
-	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
-	if err != nil {
-		return nil, fmt.Errorf("read body: %w", err)
-	}
-
-	var raw rawConfig
-	if err := json.Unmarshal(body, &raw); err != nil {
-		return nil, fmt.Errorf("parse config: %w", err)
-	}
-
-	if raw.PeriodMinutes <= 0 {
-		return nil, fmt.Errorf("invalid period_minutes: %d", raw.PeriodMinutes)
-	}
-
-	if raw.ServerURL == "" {
-		return nil, fmt.Errorf("server_url is required")
-	}
-
-	serverURL, err := url.Parse(raw.ServerURL)
-	if err != nil {
-		return nil, fmt.Errorf("parse server_url %q: %w", raw.ServerURL, err)
-	}
-
-	since, err := goversion.NewVersion(raw.VersionSince)
-	if err != nil {
-		return nil, fmt.Errorf("parse version-since %q: %w", raw.VersionSince, err)
-	}
-
-	until, err := goversion.NewVersion(raw.VersionUntil)
-	if err != nil {
-		return nil, fmt.Errorf("parse version-until %q: %w", raw.VersionUntil, err)
-	}
-
-	return &Config{
-		ServerURL:    *serverURL,
-		VersionSince: since,
-		VersionUntil: until,
-		Interval:     time.Duration(raw.PeriodMinutes) * time.Minute,
-	}, nil
-}
--- a/client/internal/metrics/remoteconfig/manager_test.go
+++ b/client/internal/metrics/remoteconfig/manager_test.go
@@ -1,197 +0,0 @@
-package remoteconfig
-
-import (
-	"context"
-	"encoding/json"
-	"net/http"
-	"net/http/httptest"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-const testMinRefresh = 100 * time.Millisecond
-
-func TestManager_FetchSuccess(t *testing.T) {
-	server := newConfigServer(t, rawConfig{
-		ServerURL:     "https://ingest.example.com",
-		VersionSince:  "1.0.0",
-		VersionUntil:  "2.0.0",
-		PeriodMinutes: 60,
-	})
-	defer server.Close()
-
-	mgr := NewManager(server.URL, testMinRefresh)
-	config := mgr.RefreshIfNeeded(context.Background())
-
-	require.NotNil(t, config)
-	assert.Equal(t, "https://ingest.example.com", config.ServerURL.String())
-	assert.Equal(t, "1.0.0", config.VersionSince.String())
-	assert.Equal(t, "2.0.0", config.VersionUntil.String())
-	assert.Equal(t, 60*time.Minute, config.Interval)
-}
-
-func TestManager_CachesConfig(t *testing.T) {
-	var fetchCount atomic.Int32
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		fetchCount.Add(1)
-		err := json.NewEncoder(w).Encode(rawConfig{
-			ServerURL:     "https://ingest.example.com",
-			VersionSince:  "1.0.0",
-			VersionUntil:  "2.0.0",
-			PeriodMinutes: 60,
-		})
-		require.NoError(t, err)
-	}))
-	defer server.Close()
-
-	mgr := NewManager(server.URL, testMinRefresh)
-
-	// First call fetches
-	config1 := mgr.RefreshIfNeeded(context.Background())
-	require.NotNil(t, config1)
-	assert.Equal(t, int32(1), fetchCount.Load())
-
-	// Second call uses cache (within minRefreshInterval)
-	config2 := mgr.RefreshIfNeeded(context.Background())
-	require.NotNil(t, config2)
-	assert.Equal(t, int32(1), fetchCount.Load())
-	assert.Equal(t, config1, config2)
-}
-
-func TestManager_RefetchesWhenStale(t *testing.T) {
-	var fetchCount atomic.Int32
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		fetchCount.Add(1)
-		err := json.NewEncoder(w).Encode(rawConfig{
-			ServerURL:     "https://ingest.example.com",
-			VersionSince:  "1.0.0",
-			VersionUntil:  "2.0.0",
-			PeriodMinutes: 60,
-		})
-		require.NoError(t, err)
-	}))
-	defer server.Close()
-
-	mgr := NewManager(server.URL, testMinRefresh)
-
-	// First fetch
-	mgr.RefreshIfNeeded(context.Background())
-	assert.Equal(t, int32(1), fetchCount.Load())
-
-	// Wait for config to become stale
-	time.Sleep(testMinRefresh + 10*time.Millisecond)
-
-	// Should refetch
-	mgr.RefreshIfNeeded(context.Background())
-	assert.Equal(t, int32(2), fetchCount.Load())
-}
-
-func TestManager_FetchFailureReturnsNil(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusInternalServerError)
-	}))
-	defer server.Close()
-
-	mgr := NewManager(server.URL, testMinRefresh)
-	config := mgr.RefreshIfNeeded(context.Background())
-
-	assert.Nil(t, config)
-}
-
-func TestManager_FetchFailureReturnsCached(t *testing.T) {
-	var fetchCount atomic.Int32
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		fetchCount.Add(1)
-		if fetchCount.Load() > 1 {
-			w.WriteHeader(http.StatusInternalServerError)
-			return
-		}
-		err := json.NewEncoder(w).Encode(rawConfig{
-			ServerURL:     "https://ingest.example.com",
-			VersionSince:  "1.0.0",
-			VersionUntil:  "2.0.0",
-			PeriodMinutes: 60,
-		})
-		require.NoError(t, err)
-	}))
-	defer server.Close()
-
-	mgr := NewManager(server.URL, testMinRefresh)
-
-	// First call succeeds
-	config1 := mgr.RefreshIfNeeded(context.Background())
-	require.NotNil(t, config1)
-
-	// Wait for config to become stale
-	time.Sleep(testMinRefresh + 10*time.Millisecond)
-
-	// Second call fails but returns cached
-	config2 := mgr.RefreshIfNeeded(context.Background())
-	require.NotNil(t, config2)
-	assert.Equal(t, config1, config2)
-}
-
-func TestManager_RejectsInvalidPeriod(t *testing.T) {
-	tests := []struct {
-		name   string
-		period int
-	}{
-		{"zero", 0},
-		{"negative", -5},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			server := newConfigServer(t, rawConfig{
-				ServerURL:     "https://ingest.example.com",
-				VersionSince:  "1.0.0",
-				VersionUntil:  "2.0.0",
-				PeriodMinutes: tt.period,
-			})
-			defer server.Close()
-
-			mgr := NewManager(server.URL, testMinRefresh)
-			config := mgr.RefreshIfNeeded(context.Background())
-			assert.Nil(t, config)
-		})
-	}
-}
-
-func TestManager_RejectsEmptyServerURL(t *testing.T) {
-	server := newConfigServer(t, rawConfig{
-		ServerURL:     "",
-		VersionSince:  "1.0.0",
-		VersionUntil:  "2.0.0",
-		PeriodMinutes: 60,
-	})
-	defer server.Close()
-
-	mgr := NewManager(server.URL, testMinRefresh)
-	config := mgr.RefreshIfNeeded(context.Background())
-	assert.Nil(t, config)
-}
-
-func TestManager_RejectsInvalidJSON(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		_, err := w.Write([]byte("not json"))
-		require.NoError(t, err)
-	}))
-	defer server.Close()
-
-	mgr := NewManager(server.URL, testMinRefresh)
-	config := mgr.RefreshIfNeeded(context.Background())
-	assert.Nil(t, config)
-}
-
-func newConfigServer(t *testing.T, config rawConfig) *httptest.Server {
-	t.Helper()
-	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "application/json")
-		err := json.NewEncoder(w).Encode(config)
-		require.NoError(t, err)
-	}))
-}
--- a/client/internal/networkmonitor/check_change_common.go
+++ b/client/internal/networkmonitor/check_change_common.go
@@ -22,56 +22,51 @@ func prepareFd() (int, error) {

 func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Nexthop) error {
 	for {
-		// Wait until fd is readable or context is cancelled, to avoid a busy-loop
-		// when the routing socket returns EAGAIN (e.g. immediately after wakeup).
-		if err := waitReadable(ctx, fd); err != nil {
-			return err
-		}
-
-		buf := make([]byte, 2048)
-		n, err := unix.Read(fd, buf)
-		if err != nil {
-			if errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EINTR) {
-				continue
-			}
-			if errors.Is(err, unix.EBADF) || errors.Is(err, unix.EINVAL) {
-				return fmt.Errorf("routing socket closed: %w", err)
-			}
-			return fmt.Errorf("read routing socket: %w", err)
-		}
-
-		if n < unix.SizeofRtMsghdr {
-			log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
-			continue
-		}
-
-		msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
-
-		switch msg.Type {
-		// handle route changes
-		case unix.RTM_ADD, syscall.RTM_DELETE:
-			route, err := parseRouteMessage(buf[:n])
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			buf := make([]byte, 2048)
+			n, err := unix.Read(fd, buf)
 			if err != nil {
-				log.Debugf("Network monitor: error parsing routing message: %v", err)
+				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
+					log.Warnf("Network monitor: failed to read from routing socket: %v", err)
+				}
+				continue
+			}
+			if n < unix.SizeofRtMsghdr {
+				log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
 				continue
 			}

-			if route.Dst.Bits() != 0 {
-				continue
-			}
+			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))

-			intf := "<nil>"
-			if route.Interface != nil {
-				intf = route.Interface.Name
-			}
 			switch msg.Type {
-			case unix.RTM_ADD:
-				log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
-				return nil
-			case unix.RTM_DELETE:
-				if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
-					log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
+			// handle route changes
+			case unix.RTM_ADD, syscall.RTM_DELETE:
+				route, err := parseRouteMessage(buf[:n])
+				if err != nil {
+					log.Debugf("Network monitor: error parsing routing message: %v", err)
+					continue
+				}
+
+				if route.Dst.Bits() != 0 {
+					continue
+				}
+
+				intf := "<nil>"
+				if route.Interface != nil {
+					intf = route.Interface.Name
+				}
+				switch msg.Type {
+				case unix.RTM_ADD:
+					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
 					return nil
+				case unix.RTM_DELETE:
+					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
+						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
+						return nil
+					}
 				}
 			}
 		}
@@ -95,33 +90,3 @@ func parseRouteMessage(buf []byte) (*systemops.Route, error) {

 	return systemops.MsgToRoute(msg)
 }
-
-// waitReadable blocks until fd has data to read, or ctx is cancelled.
-func waitReadable(ctx context.Context, fd int) error {
-	var fdset unix.FdSet
-	if fd < 0 || fd/unix.NFDBITS >= len(fdset.Bits) {
-		return fmt.Errorf("fd %d out of range for FdSet", fd)
-	}
-
-	for {
-		if err := ctx.Err(); err != nil {
-			return err
-		}
-
-		fdset = unix.FdSet{}
-		fdset.Set(fd)
-		// Use a 1-second timeout so we can re-check ctx periodically.
-		tv := unix.Timeval{Sec: 1}
-		n, err := unix.Select(fd+1, &fdset, nil, nil, &tv)
-		if err != nil {
-			if errors.Is(err, unix.EINTR) {
-				continue
-			}
-			return fmt.Errorf("select on routing socket: %w", err)
-		}
-		if n > 0 {
-			return nil
-		}
-		// timeout — loop back and re-check ctx
-	}
-}
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -3,6 +3,7 @@ package peer
 import (
 	"context"
 	"fmt"
+	"math/rand"
 	"net"
 	"net/netip"
 	"runtime"
@@ -15,7 +16,6 @@ import (

 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
-	"github.com/netbirdio/netbird/client/internal/metrics"
 	"github.com/netbirdio/netbird/client/internal/peer/conntype"
 	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
@@ -25,27 +25,17 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
+	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 )

-// MetricsRecorder is an interface for recording peer connection metrics
-type MetricsRecorder interface {
-	RecordConnectionStages(
-		ctx context.Context,
-		remotePubKey string,
-		connectionType metrics.ConnectionType,
-		isReconnection bool,
-		timestamps metrics.ConnectionStageTimestamps,
-	)
-}
-
 type ServiceDependencies struct {
 	StatusRecorder     *Status
 	Signaler           *Signaler
 	IFaceDiscover      stdnet.ExternalIFaceDiscover
 	RelayManager       *relayClient.Manager
 	SrWatcher          *guard.SRWatcher
+	Semaphore          *semaphoregroup.SemaphoreGroup
 	PeerConnDispatcher *dispatcher.ConnectionDispatcher
-	MetricsRecorder    MetricsRecorder
 }

 type WgConfig struct {
@@ -121,17 +111,14 @@ type Conn struct {
 	wgProxyRelay wgproxy.Proxy
 	handshaker   *Handshaker

-	guard *guard.Guard
-	wg    sync.WaitGroup
+	guard     *guard.Guard
+	semaphore *semaphoregroup.SemaphoreGroup
+	wg        sync.WaitGroup

 	// debug purpose
 	dumpState *stateDump

 	endpointUpdater *EndpointUpdater
-
-	// Connection stage timestamps for metrics
-	metricsRecorder MetricsRecorder
-	metricsStages   *MetricsStages
 }

 // NewConn creates a new not opened Conn to the remote peer.
@@ -152,12 +139,12 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 		iFaceDiscover:   services.IFaceDiscover,
 		relayManager:    services.RelayManager,
 		srWatcher:       services.SrWatcher,
+		semaphore:       services.Semaphore,
 		statusRelay:     worker.NewAtomicStatus(),
 		statusICE:       worker.NewAtomicStatus(),
 		dumpState:       dumpState,
 		endpointUpdater: NewEndpointUpdater(connLog, config.WgConfig, isController(config)),
 		wgWatcher:       NewWGWatcher(connLog, config.WgConfig.WgInterface, config.Key, dumpState),
-		metricsRecorder: services.MetricsRecorder,
 	}

 	return conn, nil
@@ -167,16 +154,18 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 // It will try to establish a connection using ICE and in parallel with relay. The higher priority connection type will
 // be used.
 func (conn *Conn) Open(engineCtx context.Context) error {
+	if err := conn.semaphore.Add(engineCtx); err != nil {
+		return err
+	}
+
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

 	if conn.opened {
+		conn.semaphore.Done()
 		return nil
 	}

-	// Allocate new metrics stages so old goroutines don't corrupt new state
-	conn.metricsStages = &MetricsStages{}
-
 	conn.ctx, conn.ctxCancel = context.WithCancel(engineCtx)

 	conn.workerRelay = NewWorkerRelay(conn.ctx, conn.Log, isController(conn.config), conn.config, conn, conn.relayManager)
@@ -184,11 +173,12 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 	relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
 	workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
 	if err != nil {
+		conn.semaphore.Done()
 		return err
 	}
 	conn.workerICE = workerICE

-	conn.handshaker = NewHandshaker(conn.Log, conn.config, conn.signaler, conn.workerICE, conn.workerRelay, conn.metricsStages)
+	conn.handshaker = NewHandshaker(conn.Log, conn.config, conn.signaler, conn.workerICE, conn.workerRelay)

 	conn.handshaker.AddRelayListener(conn.workerRelay.OnNewOffer)
 	if !isForceRelayed() {
@@ -217,6 +207,10 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 	conn.wg.Add(1)
 	go func() {
 		defer conn.wg.Done()
+
+		conn.waitInitialRandomSleepTime(conn.ctx)
+		conn.semaphore.Done()
+
 		conn.guard.Start(conn.ctx, conn.onGuardEvent)
 	}()
 	conn.opened = true
@@ -356,7 +350,7 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 	if conn.currentConnPriority > priority {
 		conn.Log.Infof("current connection priority (%s) is higher than the new one (%s), do not upgrade connection", conn.currentConnPriority, priority)
 		conn.statusICE.SetConnected()
-		conn.updateIceState(iceConnInfo, time.Now())
+		conn.updateIceState(iceConnInfo)
 		return
 	}

@@ -396,8 +390,7 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 	}

 	conn.Log.Infof("configure WireGuard endpoint to: %s", ep.String())
-	updateTime := time.Now()
-	conn.enableWgWatcherIfNeeded(updateTime)
+	conn.enableWgWatcherIfNeeded()

 	presharedKey := conn.presharedKey(iceConnInfo.RosenpassPubKey)
 	if err = conn.endpointUpdater.ConfigureWGEndpoint(ep, presharedKey); err != nil {
@@ -413,11 +406,11 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn

 	conn.currentConnPriority = priority
 	conn.statusICE.SetConnected()
-	conn.updateIceState(iceConnInfo, updateTime)
-	conn.doOnConnected(iceConnInfo.RosenpassPubKey, iceConnInfo.RosenpassAddr, updateTime)
+	conn.updateIceState(iceConnInfo)
+	conn.doOnConnected(iceConnInfo.RosenpassPubKey, iceConnInfo.RosenpassAddr)
 }

-func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
+func (conn *Conn) onICEStateDisconnected() {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

@@ -437,18 +430,14 @@ func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
 	if conn.isReadyToUpgrade() {
 		conn.Log.Infof("ICE disconnected, set Relay to active connection")
 		conn.dumpState.SwitchToRelay()
-		if sessionChanged {
-			conn.resetEndpoint()
-		}
-
-		// todo consider to move after the ConfigureWGEndpoint
 		conn.wgProxyRelay.Work()

 		presharedKey := conn.presharedKey(conn.rosenpassRemoteKey)
-		if err := conn.endpointUpdater.SwitchWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
+		if err := conn.endpointUpdater.ConfigureWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
 			conn.Log.Errorf("failed to switch to relay conn: %v", err)
 		}

+		conn.wgProxyRelay.Work()
 		conn.currentConnPriority = conntype.Relay
 	} else {
 		conn.Log.Infof("ICE disconnected, do not switch to Relay. Reset priority to: %s", conntype.None.String())
@@ -466,10 +455,6 @@ func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {

 	conn.disableWgWatcherIfNeeded()

-	if conn.currentConnPriority == conntype.None {
-		conn.metricsStages.Disconnected()
-	}
-
 	peerState := State{
 		PubKey:           conn.config.Key,
 		ConnStatus:       conn.evalStatus(),
@@ -510,37 +495,31 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 		conn.Log.Debugf("do not switch to relay because current priority is: %s", conn.currentConnPriority.String())
 		conn.setRelayedProxy(wgProxy)
 		conn.statusRelay.SetConnected()
-		conn.updateRelayStatus(rci.relayedConn.RemoteAddr().String(), rci.rosenpassPubKey, time.Now())
+		conn.updateRelayStatus(rci.relayedConn.RemoteAddr().String(), rci.rosenpassPubKey)
 		return
 	}

-	controller := isController(conn.config)
+	wgProxy.Work()
+	presharedKey := conn.presharedKey(rci.rosenpassPubKey)

-	if controller {
-		wgProxy.Work()
-	}
-	updateTime := time.Now()
-	conn.enableWgWatcherIfNeeded(updateTime)
-	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), conn.presharedKey(rci.rosenpassPubKey)); err != nil {
+	conn.enableWgWatcherIfNeeded()
+
+	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), presharedKey); err != nil {
 		if err := wgProxy.CloseConn(); err != nil {
 			conn.Log.Warnf("Failed to close relay connection: %v", err)
 		}
 		conn.Log.Errorf("Failed to update WireGuard peer configuration: %v", err)
 		return
 	}
-	if !controller {
-		wgProxy.Work()
-	}

 	wgConfigWorkaround()
-
 	conn.rosenpassRemoteKey = rci.rosenpassPubKey
 	conn.currentConnPriority = conntype.Relay
 	conn.statusRelay.SetConnected()
 	conn.setRelayedProxy(wgProxy)
-	conn.updateRelayStatus(rci.relayedConn.RemoteAddr().String(), rci.rosenpassPubKey, updateTime)
+	conn.updateRelayStatus(rci.relayedConn.RemoteAddr().String(), rci.rosenpassPubKey)
 	conn.Log.Infof("start to communicate with peer via relay")
-	conn.doOnConnected(rci.rosenpassPubKey, rci.rosenpassAddr, updateTime)
+	conn.doOnConnected(rci.rosenpassPubKey, rci.rosenpassAddr)
 }

 func (conn *Conn) onRelayDisconnected() {
@@ -578,10 +557,6 @@ func (conn *Conn) handleRelayDisconnectedLocked() {

 	conn.disableWgWatcherIfNeeded()

-	if conn.currentConnPriority == conntype.None {
-		conn.metricsStages.Disconnected()
-	}
-
 	peerState := State{
 		PubKey:           conn.config.Key,
 		ConnStatus:       conn.evalStatus(),
@@ -622,10 +597,10 @@ func (conn *Conn) onWGDisconnected() {
 	}
 }

-func (conn *Conn) updateRelayStatus(relayServerAddr string, rosenpassPubKey []byte, updateTime time.Time) {
+func (conn *Conn) updateRelayStatus(relayServerAddr string, rosenpassPubKey []byte) {
 	peerState := State{
 		PubKey:             conn.config.Key,
-		ConnStatusUpdate:   updateTime,
+		ConnStatusUpdate:   time.Now(),
 		ConnStatus:         conn.evalStatus(),
 		Relayed:            conn.isRelayed(),
 		RelayServerAddress: relayServerAddr,
@@ -638,10 +613,10 @@ func (conn *Conn) updateRelayStatus(relayServerAddr string, rosenpassPubKey []by
 	}
 }

-func (conn *Conn) updateIceState(iceConnInfo ICEConnInfo, updateTime time.Time) {
+func (conn *Conn) updateIceState(iceConnInfo ICEConnInfo) {
 	peerState := State{
 		PubKey:                     conn.config.Key,
-		ConnStatusUpdate:           updateTime,
+		ConnStatusUpdate:           time.Now(),
 		ConnStatus:                 conn.evalStatus(),
 		Relayed:                    iceConnInfo.Relayed,
 		LocalIceCandidateType:      iceConnInfo.LocalIceCandidateType,
@@ -679,18 +654,29 @@ func (conn *Conn) setStatusToDisconnected() {
 	}
 }

-func (conn *Conn) doOnConnected(remoteRosenpassPubKey []byte, remoteRosenpassAddr string, updateTime time.Time) {
+func (conn *Conn) doOnConnected(remoteRosenpassPubKey []byte, remoteRosenpassAddr string) {
 	if runtime.GOOS == "ios" {
 		runtime.GC()
 	}

-	conn.metricsStages.RecordConnectionReady(updateTime)
-
 	if conn.onConnected != nil {
 		conn.onConnected(conn.config.Key, remoteRosenpassPubKey, conn.config.WgConfig.AllowedIps[0].Addr().String(), remoteRosenpassAddr)
 	}
 }

+func (conn *Conn) waitInitialRandomSleepTime(ctx context.Context) {
+	maxWait := 300
+	duration := time.Duration(rand.Intn(maxWait)) * time.Millisecond
+
+	timeout := time.NewTimer(duration)
+	defer timeout.Stop()
+
+	select {
+	case <-ctx.Done():
+	case <-timeout.C:
+	}
+}
+
 func (conn *Conn) isRelayed() bool {
 	switch conn.currentConnPriority {
 	case conntype.Relay, conntype.ICETurn:
@@ -737,14 +723,14 @@ func (conn *Conn) isConnectedOnAllWay() (connected bool) {
 	return true
 }

-func (conn *Conn) enableWgWatcherIfNeeded(enabledTime time.Time) {
+func (conn *Conn) enableWgWatcherIfNeeded() {
 	if !conn.wgWatcher.IsEnabled() {
 		wgWatcherCtx, wgWatcherCancel := context.WithCancel(conn.ctx)
 		conn.wgWatcherCancel = wgWatcherCancel
 		conn.wgWatcherWg.Add(1)
 		go func() {
 			defer conn.wgWatcherWg.Done()
-			conn.wgWatcher.EnableWgWatcher(wgWatcherCtx, enabledTime, conn.onWGDisconnected, conn.onWGHandshakeSuccess)
+			conn.wgWatcher.EnableWgWatcher(wgWatcherCtx, conn.onWGDisconnected)
 		}()
 	}
 }
@@ -771,17 +757,6 @@ func (conn *Conn) newProxy(remoteConn net.Conn) (wgproxy.Proxy, error) {
 	return wgProxy, nil
 }

-func (conn *Conn) resetEndpoint() {
-	if !isController(conn.config) {
-		return
-	}
-	conn.Log.Infof("reset wg endpoint")
-	conn.wgWatcher.Reset()
-	if err := conn.endpointUpdater.RemoveEndpointAddress(); err != nil {
-		conn.Log.Warnf("failed to remove endpoint address before update: %v", err)
-	}
-}
-
 func (conn *Conn) isReadyToUpgrade() bool {
 	return conn.wgProxyRelay != nil && conn.currentConnPriority != conntype.Relay
 }
@@ -819,41 +794,6 @@ func (conn *Conn) setRelayedProxy(proxy wgproxy.Proxy) {
 	conn.wgProxyRelay = proxy
 }

-// onWGHandshakeSuccess is called when the first WireGuard handshake is detected
-func (conn *Conn) onWGHandshakeSuccess(when time.Time) {
-	conn.metricsStages.RecordWGHandshakeSuccess(when)
-	conn.recordConnectionMetrics()
-}
-
-// recordConnectionMetrics records connection stage timestamps as metrics
-func (conn *Conn) recordConnectionMetrics() {
-	if conn.metricsRecorder == nil {
-		return
-	}
-
-	// Determine connection type based on current priority
-	conn.mu.Lock()
-	priority := conn.currentConnPriority
-	conn.mu.Unlock()
-
-	var connType metrics.ConnectionType
-	switch priority {
-	case conntype.Relay:
-		connType = metrics.ConnectionTypeRelay
-	default:
-		connType = metrics.ConnectionTypeICE
-	}
-
-	// Record metrics with timestamps - duration calculation happens in metrics package
-	conn.metricsRecorder.RecordConnectionStages(
-		context.Background(),
-		conn.config.Key,
-		connType,
-		conn.metricsStages.IsReconnection(),
-		conn.metricsStages.GetTimestamps(),
-	)
-}
-
 // AllowedIP returns the allowed IP of the remote peer
 func (conn *Conn) AllowedIP() netip.Addr {
 	return conn.config.WgConfig.AllowedIps[0].Addr()
@@ -922,3 +862,9 @@ func isController(config ConnConfig) bool {
 func isRosenpassEnabled(remoteRosenpassPubKey []byte) bool {
 	return remoteRosenpassPubKey != nil
 }
+
+// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
+// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
+func wgConfigWorkaround() {
+	time.Sleep(100 * time.Millisecond)
+}
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/util"
+	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 )

 var testDispatcher = dispatcher.NewConnectionDispatcher()
@@ -52,6 +53,7 @@ func TestConn_GetKey(t *testing.T) {

 	sd := ServiceDependencies{
 		SrWatcher:          swWatcher,
+		Semaphore:          semaphoregroup.NewSemaphoreGroup(1),
 		PeerConnDispatcher: testDispatcher,
 	}
 	conn, err := NewConn(connConf, sd)
@@ -69,6 +71,7 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 	sd := ServiceDependencies{
 		StatusRecorder:     NewRecorder("https://mgm"),
 		SrWatcher:          swWatcher,
+		Semaphore:          semaphoregroup.NewSemaphoreGroup(1),
 		PeerConnDispatcher: testDispatcher,
 	}
 	conn, err := NewConn(connConf, sd)
@@ -107,6 +110,7 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 	sd := ServiceDependencies{
 		StatusRecorder:     NewRecorder("https://mgm"),
 		SrWatcher:          swWatcher,
+		Semaphore:          semaphoregroup.NewSemaphoreGroup(1),
 		PeerConnDispatcher: testDispatcher,
 	}
 	conn, err := NewConn(connConf, sd)
--- a/client/internal/peer/endpoint.go
+++ b/client/internal/peer/endpoint.go
@@ -34,27 +34,28 @@ func NewEndpointUpdater(log *logrus.Entry, wgConfig WgConfig, initiator bool) *E
 	}
 }

+// ConfigureWGEndpoint sets up the WireGuard endpoint configuration.
+// The initiator immediately configures the endpoint, while the non-initiator
+// waits for a fallback period before configuring to avoid handshake congestion.
 func (e *EndpointUpdater) ConfigureWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
 	e.mu.Lock()
 	defer e.mu.Unlock()

 	if e.initiator {
-		e.log.Debugf("configure up WireGuard as initiator")
-		return e.configureAsInitiator(addr, presharedKey)
+		e.log.Debugf("configure up WireGuard as initiatr")
+		return e.updateWireGuardPeer(addr, presharedKey)
 	}

-	e.log.Debugf("configure up WireGuard as responder")
-	return e.configureAsResponder(addr, presharedKey)
-}
-
-func (e *EndpointUpdater) SwitchWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
 	// prevent to run new update while cancel the previous update
 	e.waitForCloseTheDelayedUpdate()

-	return e.updateWireGuardPeer(addr, presharedKey)
+	var ctx context.Context
+	ctx, e.cancelFunc = context.WithCancel(context.Background())
+	e.updateWg.Add(1)
+	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
+
+	e.log.Debugf("configure up WireGuard and wait for handshake")
+	return e.updateWireGuardPeer(nil, presharedKey)
 }

 func (e *EndpointUpdater) RemoveWgPeer() error {
@@ -65,38 +66,6 @@ func (e *EndpointUpdater) RemoveWgPeer() error {
 	return e.wgConfig.WgInterface.RemovePeer(e.wgConfig.RemoteKey)
 }

-func (e *EndpointUpdater) RemoveEndpointAddress() error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	e.waitForCloseTheDelayedUpdate()
-	return e.wgConfig.WgInterface.RemoveEndpointAddress(e.wgConfig.RemoteKey)
-}
-
-func (e *EndpointUpdater) configureAsInitiator(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	if err := e.updateWireGuardPeer(addr, presharedKey); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (e *EndpointUpdater) configureAsResponder(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	// prevent to run new update while cancel the previous update
-	e.waitForCloseTheDelayedUpdate()
-
-	e.log.Debugf("configure up WireGuard and wait for handshake")
-	var ctx context.Context
-	ctx, e.cancelFunc = context.WithCancel(context.Background())
-	e.updateWg.Add(1)
-	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
-
-	if err := e.updateWireGuardPeer(nil, presharedKey); err != nil {
-		e.waitForCloseTheDelayedUpdate()
-		return err
-	}
-	return nil
-}
-
 func (e *EndpointUpdater) waitForCloseTheDelayedUpdate() {
 	if e.cancelFunc == nil {
 		return
@@ -132,9 +101,3 @@ func (e *EndpointUpdater) updateWireGuardPeer(endpoint *net.UDPAddr, presharedKe
 		presharedKey,
 	)
 }
-
-// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
-// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
-func wgConfigWorkaround() {
-	time.Sleep(100 * time.Millisecond)
-}
--- a/client/internal/peer/handshaker.go
+++ b/client/internal/peer/handshaker.go
@@ -44,13 +44,12 @@ type OfferAnswer struct {
 }

 type Handshaker struct {
-	mu            sync.Mutex
-	log           *log.Entry
-	config        ConnConfig
-	signaler      *Signaler
-	ice           *WorkerICE
-	relay         *WorkerRelay
-	metricsStages *MetricsStages
+	mu       sync.Mutex
+	log      *log.Entry
+	config   ConnConfig
+	signaler *Signaler
+	ice      *WorkerICE
+	relay    *WorkerRelay
 	// relayListener is not blocking because the listener is using a goroutine to process the messages
 	// and it will only keep the latest message if multiple offers are received in a short time
 	// this is to avoid blocking the handshaker if the listener is doing some heavy processing
@@ -65,14 +64,13 @@ type Handshaker struct {
 	remoteAnswerCh chan OfferAnswer
 }

-func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *WorkerICE, relay *WorkerRelay, metricsStages *MetricsStages) *Handshaker {
+func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *WorkerICE, relay *WorkerRelay) *Handshaker {
 	return &Handshaker{
 		log:            log,
 		config:         config,
 		signaler:       signaler,
 		ice:            ice,
 		relay:          relay,
-		metricsStages:  metricsStages,
 		remoteOffersCh: make(chan OfferAnswer),
 		remoteAnswerCh: make(chan OfferAnswer),
 	}
@@ -91,12 +89,6 @@ func (h *Handshaker) Listen(ctx context.Context) {
 		select {
 		case remoteOfferAnswer := <-h.remoteOffersCh:
 			h.log.Infof("received offer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
-
-			// Record signaling received for reconnection attempts
-			if h.metricsStages != nil {
-				h.metricsStages.RecordSignalingReceived()
-			}
-
 			if h.relayListener != nil {
 				h.relayListener.Notify(&remoteOfferAnswer)
 			}
@@ -111,12 +103,6 @@ func (h *Handshaker) Listen(ctx context.Context) {
 			}
 		case remoteOfferAnswer := <-h.remoteAnswerCh:
 			h.log.Infof("received answer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
-
-			// Record signaling received for reconnection attempts
-			if h.metricsStages != nil {
-				h.metricsStages.RecordSignalingReceived()
-			}
-
 			if h.relayListener != nil {
 				h.relayListener.Notify(&remoteOfferAnswer)
 			}
--- a/client/internal/peer/metrics_saver.go
+++ b/client/internal/peer/metrics_saver.go
@@ -1,73 +0,0 @@
-package peer
-
-import (
-	"sync"
-	"time"
-
-	"github.com/netbirdio/netbird/client/internal/metrics"
-)
-
-type MetricsStages struct {
-	isReconnectionAttempt bool // Track if current attempt is a reconnection
-	stageTimestamps       metrics.ConnectionStageTimestamps
-	mu                    sync.Mutex
-}
-
-// RecordSignalingReceived records when the first signal is received from the remote peer.
-// Used as the base for all subsequent stage durations to avoid inflating metrics when
-// the remote peer was offline.
-func (s *MetricsStages) RecordSignalingReceived() {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if s.stageTimestamps.SignalingReceived.IsZero() {
-		s.stageTimestamps.SignalingReceived = time.Now()
-	}
-}
-
-func (s *MetricsStages) RecordConnectionReady(when time.Time) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.stageTimestamps.ConnectionReady.IsZero() {
-		s.stageTimestamps.ConnectionReady = when
-	}
-}
-
-func (s *MetricsStages) RecordWGHandshakeSuccess(handshakeTime time.Time) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if !s.stageTimestamps.ConnectionReady.IsZero() && s.stageTimestamps.WgHandshakeSuccess.IsZero() {
-		// WireGuard only reports handshake times with second precision, but ConnectionReady
-		// is captured with microsecond precision. If handshake appears before ConnectionReady
-		// due to truncation (e.g., handshake at 6.042s truncated to 6.000s), normalize to
-		// ConnectionReady to avoid negative duration metrics.
-		if handshakeTime.Before(s.stageTimestamps.ConnectionReady) {
-			s.stageTimestamps.WgHandshakeSuccess = s.stageTimestamps.ConnectionReady
-		} else {
-			s.stageTimestamps.WgHandshakeSuccess = handshakeTime
-		}
-	}
-}
-
-// Disconnected sets the mode to reconnection. It is called only when both ICE and Relay have been disconnected at the same time.
-func (s *MetricsStages) Disconnected() {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	// Reset all timestamps for reconnection
-	s.stageTimestamps = metrics.ConnectionStageTimestamps{}
-	s.isReconnectionAttempt = true
-}
-
-func (s *MetricsStages) IsReconnection() bool {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	return s.isReconnectionAttempt
-}
-
-func (s *MetricsStages) GetTimestamps() metrics.ConnectionStageTimestamps {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	return s.stageTimestamps
-}
--- a/Show More
+++ b/Show More