Update iOS client DNS servers to Quad9 for improved privacy

- DNS resolution broke after deselecting an exit node because the route checker used all client routes (including deselected ones) to decide how to forward upstream DNS
  queries
  - Added GetSelectedClientRoutes() to the route manager that filters out deselected exit nodes, and switched the DNS route checker to use it
  - Confirmed fix via device testing: after deselecting exit node, DNS queries now correctly use a regular network socket instead of binding to the utun interface

.github/workflows/check-license-dependencies.yml

@@ -31,7 +31,7 @@ jobs:
           while IFS= read -r dir; do
             echo "=== Checking $dir ==="
             # Search for problematic imports, excluding test files
-            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
+            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" | grep -v "tools/idp-migrate/" || true)
             if [ -n "$RESULTS" ]; then
               echo "❌ Found problematic dependencies:"
               echo "$RESULTS"
@@ -88,7 +88,7 @@ jobs:
               IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
 
               # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
 
               if [ -n "$BSD_IMPORTER" ]; then
                 echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"

.github/workflows/golang-test-windows.yml

@@ -63,10 +63,15 @@ jobs:
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' })" >> $env:GITHUB_ENV
+      - name: Generate test script
+        run: |
+          $packages = go list ./... | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' }
+          $goExe = "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe"
+          $cmd = "$goExe test -tags=devcert -timeout 10m -p 1 $($packages -join ' ') > test-out.txt 2>&1"
+          Set-Content -Path "${{ github.workspace }}\run-tests.cmd" -Value $cmd
 
       - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "${{ github.workspace }}\run-tests.cmd"
       - name: test output
         if: ${{ always() }}
         run: Get-Content test-out.txt

.github/workflows/golangci-lint.yml

@@ -19,7 +19,7 @@ jobs:
       - name: codespell
         uses: codespell-project/actions-codespell@v2
         with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA
           skip: go.mod,go.sum,**/proxy/web/**
   golangci:
     strategy:

.github/workflows/release.yml

@@ -170,6 +170,7 @@ jobs:
         run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
 
       - name: Decode GPG signing key
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         env:
           GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
         run: |
@@ -309,6 +310,7 @@ jobs:
         run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64
 
       - name: Decode GPG signing key
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         env:
           GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
         run: |

.github/workflows/wasm-build-validation.yml

@@ -61,8 +61,8 @@ jobs:
 
           echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"
 
-          if [ ${SIZE} -gt 57671680 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 55MB limit!"
+          if [ ${SIZE} -gt 58720256 ]; then
+            echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
             exit 1
           fi
 

.goreleaser.yaml

@@ -154,6 +154,26 @@ builds:
       - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
     mod_timestamp: "{{ .CommitTimestamp }}"
 
+  - id: netbird-idp-migrate
+    dir: tools/idp-migrate
+    env:
+      - CGO_ENABLED=1
+      - >-
+        {{- if eq .Runtime.Goos "linux" }}
+          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
+          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
+        {{- end }}
+    binary: netbird-idp-migrate
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
 universal_binaries:
   - id: netbird
 
@@ -166,11 +186,16 @@ archives:
       - netbird-wasm
     name_template: "{{ .ProjectName }}_{{ .Version }}"
     format: binary
+  - id: netbird-idp-migrate
+    builds:
+      - netbird-idp-migrate
+    name_template: "netbird-idp-migrate_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
 
 nfpms:
   - maintainer: Netbird <dev@netbird.io>
     description: Netbird client.
     homepage: https://netbird.io/
+    license: BSD-3-Clause
     id: netbird_deb
     bindir: /usr/bin
     builds:
@@ -184,6 +209,7 @@ nfpms:
   - maintainer: Netbird <dev@netbird.io>
     description: Netbird client.
     homepage: https://netbird.io/
+    license: BSD-3-Clause
     id: netbird_rpm
     bindir: /usr/bin
     builds:

CONTRIBUTOR_LICENSE_AGREEMENT.md

@@ -1,7 +1,7 @@
 ##  Contributor License Agreement
 
 This Contributor License Agreement (referred to as the "Agreement") is entered into by the individual 
-submitting this Agreement and NetBird GmbH, c/o Max-Beer-Straße 2-4 Münzstraße 12 10178 Berlin, Germany, 
+submitting this Agreement and NetBird GmbH, Brunnenstraße 196, 10119 Berlin, Germany, 
 referred to as "NetBird" (collectively, the "Parties"). The Agreement outlines the terms and conditions 
 under which NetBird may utilize software contributions provided by the Contributor for inclusion in 
 its software development projects. By submitting this Agreement, the Contributor confirms their acceptance 

README.md

@@ -126,6 +126,7 @@ See a complete [architecture overview](https://docs.netbird.io/about-netbird/how
 ### Community projects
 -  [NetBird installer script](https://github.com/physk/netbird-installer)
 -  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
+-  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings
 
 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).

client/Dockerfile

@@ -17,8 +17,7 @@ ENV \
     NETBIRD_BIN="/usr/local/bin/netbird" \
     NB_LOG_FILE="console,/var/log/netbird/client.log" \
     NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
-    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
-    NB_ENTRYPOINT_LOGIN_TIMEOUT="5"
+    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
 

client/Dockerfile-rootless

@@ -23,8 +23,7 @@ ENV \
     NB_DAEMON_ADDR="unix:///var/lib/netbird/netbird.sock" \
     NB_LOG_FILE="console,/var/lib/netbird/client.log" \
     NB_DISABLE_DNS="true" \
-    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
-    NB_ENTRYPOINT_LOGIN_TIMEOUT="1"
+    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
 

client/android/client.go

@@ -205,7 +205,7 @@ func (c *Client) PeersList() *PeerInfoArray {
 		pi := PeerInfo{
 			p.IP,
 			p.FQDN,
-			p.ConnStatus.String(),
+			int(p.ConnStatus),
 			PeerRoutes{routes: maps.Keys(p.GetRoutes())},
 		}
 		peerInfos[n] = pi

client/android/peer_notifier.go

@@ -2,11 +2,20 @@
 
 package android
 
+import "github.com/netbirdio/netbird/client/internal/peer"
+
+// Connection status constants exported via gomobile.
+const (
+	ConnStatusIdle       = int(peer.StatusIdle)
+	ConnStatusConnecting = int(peer.StatusConnecting)
+	ConnStatusConnected  = int(peer.StatusConnected)
+)
+
 // PeerInfo describe information about the peers. It designed for the UI usage
 type PeerInfo struct {
 	IP         string
 	FQDN       string
-	ConnStatus string // Todo replace to enum
+	ConnStatus int
 	Routes     PeerRoutes
 }
 

client/cmd/debug.go

@@ -181,10 +181,11 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 
 	if stateWasDown {
 		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
+			cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
+		} else {
+			cmd.Println("netbird up")
+			time.Sleep(time.Second * 10)
 		}
-		cmd.Println("netbird up")
-		time.Sleep(time.Second * 10)
 	}
 
 	initialLevelTrace := initialLogLevel.GetLevel() >= proto.LogLevel_TRACE
@@ -199,9 +200,10 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	}
 
 	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
+		cmd.PrintErrf("Failed to bring service down: %v\n", status.Convert(err).Message())
+	} else {
+		cmd.Println("netbird down")
 	}
-	cmd.Println("netbird down")
 
 	time.Sleep(1 * time.Second)
 
@@ -209,13 +211,14 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	if _, err := client.SetSyncResponsePersistence(cmd.Context(), &proto.SetSyncResponsePersistenceRequest{
 		Enabled: true,
 	}); err != nil {
-		return fmt.Errorf("failed to enable sync response persistence: %v", status.Convert(err).Message())
+		cmd.PrintErrf("Failed to enable sync response persistence: %v\n", status.Convert(err).Message())
 	}
 
 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-		return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
+		cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
+	} else {
+		cmd.Println("netbird up")
 	}
-	cmd.Println("netbird up")
 
 	time.Sleep(3 * time.Second)
 
@@ -263,16 +266,18 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 
 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
+			cmd.PrintErrf("Failed to restore service down state: %v\n", status.Convert(err).Message())
+		} else {
+			cmd.Println("netbird down")
 		}
-		cmd.Println("netbird down")
 	}
 
 	if !initialLevelTrace {
 		if _, err := client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{Level: initialLogLevel.GetLevel()}); err != nil {
-			return fmt.Errorf("failed to restore log level: %v", status.Convert(err).Message())
+			cmd.PrintErrf("Failed to restore log level: %v\n", status.Convert(err).Message())
+		} else {
+			cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 		}
-		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}
 
 	cmd.Printf("Local file:\n%s\n", resp.GetPath())

client/cmd/expose.go

@@ -15,6 +15,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/util"
 )
@@ -211,19 +212,24 @@ func exposeFn(cmd *cobra.Command, args []string) error {
 }
 
 func toExposeProtocol(exposeProtocol string) (proto.ExposeProtocol, error) {
-	switch strings.ToLower(exposeProtocol) {
-	case "http":
+	p, err := expose.ParseProtocolType(exposeProtocol)
+	if err != nil {
+		return 0, fmt.Errorf("invalid protocol: %w", err)
+	}
+
+	switch p {
+	case expose.ProtocolHTTP:
 		return proto.ExposeProtocol_EXPOSE_HTTP, nil
-	case "https":
+	case expose.ProtocolHTTPS:
 		return proto.ExposeProtocol_EXPOSE_HTTPS, nil
-	case "tcp":
+	case expose.ProtocolTCP:
 		return proto.ExposeProtocol_EXPOSE_TCP, nil
-	case "udp":
+	case expose.ProtocolUDP:
 		return proto.ExposeProtocol_EXPOSE_UDP, nil
-	case "tls":
+	case expose.ProtocolTLS:
 		return proto.ExposeProtocol_EXPOSE_TLS, nil
 	default:
-		return 0, fmt.Errorf("unsupported protocol %q: must be http, https, tcp, udp, or tls", exposeProtocol)
+		return 0, fmt.Errorf("unhandled protocol type: %d", p)
 	}
 }
 

client/cmd/service.go

@@ -41,7 +41,7 @@ func init() {
 		defaultServiceName = "Netbird"
 	}
 
-	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd)
+	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
 

client/cmd/service_controller.go

@@ -103,7 +103,7 @@ func (p *program) Stop(srv service.Service) error {
 
 // Common setup for service control commands
 func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc) (service.Service, error) {
-	SetFlagsFromEnvVars(rootCmd)
+	// rootCmd env vars are already applied by PersistentPreRunE.
 	SetFlagsFromEnvVars(serviceCmd)
 
 	cmd.SetOut(cmd.OutOrStdout())

client/cmd/service_installer.go

@@ -119,6 +119,10 @@ var installCmd = &cobra.Command{
 			return err
 		}
 
+		if err := loadAndApplyServiceParams(cmd); err != nil {
+			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
+		}
+
 		svcConfig, err := createServiceConfigForInstall()
 		if err != nil {
 			return err
@@ -136,6 +140,10 @@ var installCmd = &cobra.Command{
 			return fmt.Errorf("install service: %w", err)
 		}
 
+		if err := saveServiceParams(currentServiceParams()); err != nil {
+			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
+		}
+
 		cmd.Println("NetBird service has been installed")
 		return nil
 	},
@@ -187,6 +195,10 @@ This command will temporarily stop the service, update its configuration, and re
 			return err
 		}
 
+		if err := loadAndApplyServiceParams(cmd); err != nil {
+			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
+		}
+
 		wasRunning, err := isServiceRunning()
 		if err != nil && !errors.Is(err, ErrGetServiceStatus) {
 			return fmt.Errorf("check service status: %w", err)
@@ -222,6 +234,10 @@ This command will temporarily stop the service, update its configuration, and re
 			return fmt.Errorf("install service with new config: %w", err)
 		}
 
+		if err := saveServiceParams(currentServiceParams()); err != nil {
+			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
+		}
+
 		if wasRunning {
 			cmd.Println("Starting NetBird service...")
 			if err := s.Start(); err != nil {

client/cmd/service_params.go

@@ -0,0 +1,201 @@
+//go:build !ios && !android
+
+package cmd
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"maps"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/configs"
+	"github.com/netbirdio/netbird/util"
+)
+
+const serviceParamsFile = "service.json"
+
+// serviceParams holds install-time service parameters that persist across
+// uninstall/reinstall cycles. Saved to <stateDir>/service.json.
+type serviceParams struct {
+	LogLevel              string            `json:"log_level"`
+	DaemonAddr            string            `json:"daemon_addr"`
+	ManagementURL         string            `json:"management_url,omitempty"`
+	ConfigPath            string            `json:"config_path,omitempty"`
+	LogFiles              []string          `json:"log_files,omitempty"`
+	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
+	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
+	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
+}
+
+// serviceParamsPath returns the path to the service params file.
+func serviceParamsPath() string {
+	return filepath.Join(configs.StateDir, serviceParamsFile)
+}
+
+// loadServiceParams reads saved service parameters from disk.
+// Returns nil with no error if the file does not exist.
+func loadServiceParams() (*serviceParams, error) {
+	path := serviceParamsPath()
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil //nolint:nilnil
+		}
+		return nil, fmt.Errorf("read service params %s: %w", path, err)
+	}
+
+	var params serviceParams
+	if err := json.Unmarshal(data, &params); err != nil {
+		return nil, fmt.Errorf("parse service params %s: %w", path, err)
+	}
+
+	return &params, nil
+}
+
+// saveServiceParams writes current service parameters to disk atomically
+// with restricted permissions.
+func saveServiceParams(params *serviceParams) error {
+	path := serviceParamsPath()
+	if err := util.WriteJsonWithRestrictedPermission(context.Background(), path, params); err != nil {
+		return fmt.Errorf("save service params: %w", err)
+	}
+	return nil
+}
+
+// currentServiceParams captures the current state of all package-level
+// variables into a serviceParams struct.
+func currentServiceParams() *serviceParams {
+	params := &serviceParams{
+		LogLevel:              logLevel,
+		DaemonAddr:            daemonAddr,
+		ManagementURL:         managementURL,
+		ConfigPath:            configPath,
+		LogFiles:              logFiles,
+		DisableProfiles:       profilesDisabled,
+		DisableUpdateSettings: updateSettingsDisabled,
+	}
+
+	if len(serviceEnvVars) > 0 {
+		parsed, err := parseServiceEnvVars(serviceEnvVars)
+		if err == nil && len(parsed) > 0 {
+			params.ServiceEnvVars = parsed
+		}
+	}
+
+	return params
+}
+
+// loadAndApplyServiceParams loads saved params from disk and applies them
+// to any flags that were not explicitly set.
+func loadAndApplyServiceParams(cmd *cobra.Command) error {
+	params, err := loadServiceParams()
+	if err != nil {
+		return err
+	}
+	applyServiceParams(cmd, params)
+	return nil
+}
+
+// applyServiceParams merges saved parameters into package-level variables
+// for any flag that was not explicitly set by the user (via CLI or env var).
+// Flags that were Changed() are left untouched.
+func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
+	if params == nil {
+		return
+	}
+
+	// For fields with non-empty defaults (log-level, daemon-addr), keep the
+	// != "" guard so that an older service.json missing the field doesn't
+	// clobber the default with an empty string.
+	if !rootCmd.PersistentFlags().Changed("log-level") && params.LogLevel != "" {
+		logLevel = params.LogLevel
+	}
+
+	if !rootCmd.PersistentFlags().Changed("daemon-addr") && params.DaemonAddr != "" {
+		daemonAddr = params.DaemonAddr
+	}
+
+	// For optional fields where empty means "use default", always apply so
+	// that an explicit clear (--management-url "") persists across reinstalls.
+	if !rootCmd.PersistentFlags().Changed("management-url") {
+		managementURL = params.ManagementURL
+	}
+
+	if !rootCmd.PersistentFlags().Changed("config") {
+		configPath = params.ConfigPath
+	}
+
+	if !rootCmd.PersistentFlags().Changed("log-file") {
+		logFiles = params.LogFiles
+	}
+
+	if !serviceCmd.PersistentFlags().Changed("disable-profiles") {
+		profilesDisabled = params.DisableProfiles
+	}
+
+	if !serviceCmd.PersistentFlags().Changed("disable-update-settings") {
+		updateSettingsDisabled = params.DisableUpdateSettings
+	}
+
+	applyServiceEnvParams(cmd, params)
+}
+
+// applyServiceEnvParams merges saved service environment variables.
+// If --service-env was explicitly set, explicit values win on key conflict
+// but saved keys not in the explicit set are carried over.
+// If --service-env was not set, saved env vars are used entirely.
+func applyServiceEnvParams(cmd *cobra.Command, params *serviceParams) {
+	if len(params.ServiceEnvVars) == 0 {
+		return
+	}
+
+	if !cmd.Flags().Changed("service-env") {
+		// No explicit env vars: rebuild serviceEnvVars from saved params.
+		serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
+		return
+	}
+
+	// Explicit env vars were provided: merge saved values underneath.
+	explicit, err := parseServiceEnvVars(serviceEnvVars)
+	if err != nil {
+		cmd.PrintErrf("Warning: parse explicit service env vars for merge: %v\n", err)
+		return
+	}
+
+	merged := make(map[string]string, len(params.ServiceEnvVars)+len(explicit))
+	maps.Copy(merged, params.ServiceEnvVars)
+	maps.Copy(merged, explicit) // explicit wins on conflict
+	serviceEnvVars = envMapToSlice(merged)
+}
+
+var resetParamsCmd = &cobra.Command{
+	Use:   "reset-params",
+	Short: "Remove saved service install parameters",
+	Long:  "Removes the saved service.json file so the next install uses default parameters.",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		path := serviceParamsPath()
+		if err := os.Remove(path); err != nil {
+			if os.IsNotExist(err) {
+				cmd.Println("No saved service parameters found")
+				return nil
+			}
+			return fmt.Errorf("remove service params: %w", err)
+		}
+		cmd.Printf("Removed saved service parameters (%s)\n", path)
+		return nil
+	},
+}
+
+// envMapToSlice converts a map of env vars to a KEY=VALUE slice.
+func envMapToSlice(m map[string]string) []string {
+	s := make([]string, 0, len(m))
+	for k, v := range m {
+		s = append(s, k+"="+v)
+	}
+	return s
+}

client/cmd/service_params_test.go

@@ -0,0 +1,523 @@
+//go:build !ios && !android
+
+package cmd
+
+import (
+	"encoding/json"
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/configs"
+)
+
+func TestServiceParamsPath(t *testing.T) {
+	original := configs.StateDir
+	t.Cleanup(func() { configs.StateDir = original })
+
+	configs.StateDir = "/var/lib/netbird"
+	assert.Equal(t, filepath.Join("/var/lib/netbird", "service.json"), serviceParamsPath())
+
+	configs.StateDir = "/custom/state"
+	assert.Equal(t, filepath.Join("/custom/state", "service.json"), serviceParamsPath())
+}
+
+func TestSaveAndLoadServiceParams(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	original := configs.StateDir
+	t.Cleanup(func() { configs.StateDir = original })
+	configs.StateDir = tmpDir
+
+	params := &serviceParams{
+		LogLevel:              "debug",
+		DaemonAddr:            "unix:///var/run/netbird.sock",
+		ManagementURL:         "https://my.server.com",
+		ConfigPath:            "/etc/netbird/config.json",
+		LogFiles:              []string{"/var/log/netbird/client.log", "console"},
+		DisableProfiles:       true,
+		DisableUpdateSettings: false,
+		ServiceEnvVars:        map[string]string{"NB_LOG_FORMAT": "json", "CUSTOM": "val"},
+	}
+
+	err := saveServiceParams(params)
+	require.NoError(t, err)
+
+	// Verify the file exists and is valid JSON.
+	data, err := os.ReadFile(filepath.Join(tmpDir, "service.json"))
+	require.NoError(t, err)
+	assert.True(t, json.Valid(data))
+
+	loaded, err := loadServiceParams()
+	require.NoError(t, err)
+	require.NotNil(t, loaded)
+
+	assert.Equal(t, params.LogLevel, loaded.LogLevel)
+	assert.Equal(t, params.DaemonAddr, loaded.DaemonAddr)
+	assert.Equal(t, params.ManagementURL, loaded.ManagementURL)
+	assert.Equal(t, params.ConfigPath, loaded.ConfigPath)
+	assert.Equal(t, params.LogFiles, loaded.LogFiles)
+	assert.Equal(t, params.DisableProfiles, loaded.DisableProfiles)
+	assert.Equal(t, params.DisableUpdateSettings, loaded.DisableUpdateSettings)
+	assert.Equal(t, params.ServiceEnvVars, loaded.ServiceEnvVars)
+}
+
+func TestLoadServiceParams_FileNotExists(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	original := configs.StateDir
+	t.Cleanup(func() { configs.StateDir = original })
+	configs.StateDir = tmpDir
+
+	params, err := loadServiceParams()
+	assert.NoError(t, err)
+	assert.Nil(t, params)
+}
+
+func TestLoadServiceParams_InvalidJSON(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	original := configs.StateDir
+	t.Cleanup(func() { configs.StateDir = original })
+	configs.StateDir = tmpDir
+
+	err := os.WriteFile(filepath.Join(tmpDir, "service.json"), []byte("not json"), 0600)
+	require.NoError(t, err)
+
+	params, err := loadServiceParams()
+	assert.Error(t, err)
+	assert.Nil(t, params)
+}
+
+func TestCurrentServiceParams(t *testing.T) {
+	origLogLevel := logLevel
+	origDaemonAddr := daemonAddr
+	origManagementURL := managementURL
+	origConfigPath := configPath
+	origLogFiles := logFiles
+	origProfilesDisabled := profilesDisabled
+	origUpdateSettingsDisabled := updateSettingsDisabled
+	origServiceEnvVars := serviceEnvVars
+	t.Cleanup(func() {
+		logLevel = origLogLevel
+		daemonAddr = origDaemonAddr
+		managementURL = origManagementURL
+		configPath = origConfigPath
+		logFiles = origLogFiles
+		profilesDisabled = origProfilesDisabled
+		updateSettingsDisabled = origUpdateSettingsDisabled
+		serviceEnvVars = origServiceEnvVars
+	})
+
+	logLevel = "trace"
+	daemonAddr = "tcp://127.0.0.1:9999"
+	managementURL = "https://mgmt.example.com"
+	configPath = "/tmp/test-config.json"
+	logFiles = []string{"/tmp/test.log"}
+	profilesDisabled = true
+	updateSettingsDisabled = true
+	serviceEnvVars = []string{"FOO=bar", "BAZ=qux"}
+
+	params := currentServiceParams()
+
+	assert.Equal(t, "trace", params.LogLevel)
+	assert.Equal(t, "tcp://127.0.0.1:9999", params.DaemonAddr)
+	assert.Equal(t, "https://mgmt.example.com", params.ManagementURL)
+	assert.Equal(t, "/tmp/test-config.json", params.ConfigPath)
+	assert.Equal(t, []string{"/tmp/test.log"}, params.LogFiles)
+	assert.True(t, params.DisableProfiles)
+	assert.True(t, params.DisableUpdateSettings)
+	assert.Equal(t, map[string]string{"FOO": "bar", "BAZ": "qux"}, params.ServiceEnvVars)
+}
+
+func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
+	origLogLevel := logLevel
+	origDaemonAddr := daemonAddr
+	origManagementURL := managementURL
+	origConfigPath := configPath
+	origLogFiles := logFiles
+	origProfilesDisabled := profilesDisabled
+	origUpdateSettingsDisabled := updateSettingsDisabled
+	origServiceEnvVars := serviceEnvVars
+	t.Cleanup(func() {
+		logLevel = origLogLevel
+		daemonAddr = origDaemonAddr
+		managementURL = origManagementURL
+		configPath = origConfigPath
+		logFiles = origLogFiles
+		profilesDisabled = origProfilesDisabled
+		updateSettingsDisabled = origUpdateSettingsDisabled
+		serviceEnvVars = origServiceEnvVars
+	})
+
+	// Reset all flags to defaults.
+	logLevel = "info"
+	daemonAddr = "unix:///var/run/netbird.sock"
+	managementURL = ""
+	configPath = "/etc/netbird/config.json"
+	logFiles = []string{"/var/log/netbird/client.log"}
+	profilesDisabled = false
+	updateSettingsDisabled = false
+	serviceEnvVars = nil
+
+	// Reset Changed state on all relevant flags.
+	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
+		f.Changed = false
+	})
+	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
+		f.Changed = false
+	})
+
+	// Simulate user explicitly setting --log-level via CLI.
+	logLevel = "warn"
+	require.NoError(t, rootCmd.PersistentFlags().Set("log-level", "warn"))
+
+	saved := &serviceParams{
+		LogLevel:              "debug",
+		DaemonAddr:            "tcp://127.0.0.1:5555",
+		ManagementURL:         "https://saved.example.com",
+		ConfigPath:            "/saved/config.json",
+		LogFiles:              []string{"/saved/client.log"},
+		DisableProfiles:       true,
+		DisableUpdateSettings: true,
+		ServiceEnvVars:        map[string]string{"SAVED_KEY": "saved_val"},
+	}
+
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+	applyServiceParams(cmd, saved)
+
+	// log-level was Changed, so it should keep "warn", not use saved "debug".
+	assert.Equal(t, "warn", logLevel)
+
+	// All other fields were not Changed, so they should use saved values.
+	assert.Equal(t, "tcp://127.0.0.1:5555", daemonAddr)
+	assert.Equal(t, "https://saved.example.com", managementURL)
+	assert.Equal(t, "/saved/config.json", configPath)
+	assert.Equal(t, []string{"/saved/client.log"}, logFiles)
+	assert.True(t, profilesDisabled)
+	assert.True(t, updateSettingsDisabled)
+	assert.Equal(t, []string{"SAVED_KEY=saved_val"}, serviceEnvVars)
+}
+
+func TestApplyServiceParams_BooleanRevertToFalse(t *testing.T) {
+	origProfilesDisabled := profilesDisabled
+	origUpdateSettingsDisabled := updateSettingsDisabled
+	t.Cleanup(func() {
+		profilesDisabled = origProfilesDisabled
+		updateSettingsDisabled = origUpdateSettingsDisabled
+	})
+
+	// Simulate current state where booleans are true (e.g. set by previous install).
+	profilesDisabled = true
+	updateSettingsDisabled = true
+
+	// Reset Changed state so flags appear unset.
+	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
+		f.Changed = false
+	})
+
+	// Saved params have both as false.
+	saved := &serviceParams{
+		DisableProfiles:       false,
+		DisableUpdateSettings: false,
+	}
+
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+	applyServiceParams(cmd, saved)
+
+	assert.False(t, profilesDisabled, "saved false should override current true")
+	assert.False(t, updateSettingsDisabled, "saved false should override current true")
+}
+
+func TestApplyServiceParams_ClearManagementURL(t *testing.T) {
+	origManagementURL := managementURL
+	t.Cleanup(func() { managementURL = origManagementURL })
+
+	managementURL = "https://leftover.example.com"
+
+	// Simulate saved params where management URL was explicitly cleared.
+	saved := &serviceParams{
+		LogLevel:   "info",
+		DaemonAddr: "unix:///var/run/netbird.sock",
+		// ManagementURL intentionally empty: was cleared with --management-url "".
+	}
+
+	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
+		f.Changed = false
+	})
+
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+	applyServiceParams(cmd, saved)
+
+	assert.Equal(t, "", managementURL, "saved empty management URL should clear the current value")
+}
+
+func TestApplyServiceParams_NilParams(t *testing.T) {
+	origLogLevel := logLevel
+	t.Cleanup(func() { logLevel = origLogLevel })
+
+	logLevel = "info"
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+
+	// Should be a no-op.
+	applyServiceParams(cmd, nil)
+	assert.Equal(t, "info", logLevel)
+}
+
+func TestApplyServiceEnvParams_MergeExplicitAndSaved(t *testing.T) {
+	origServiceEnvVars := serviceEnvVars
+	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
+
+	// Set up a command with --service-env marked as Changed.
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+	require.NoError(t, cmd.Flags().Set("service-env", "EXPLICIT=yes,OVERLAP=explicit"))
+
+	serviceEnvVars = []string{"EXPLICIT=yes", "OVERLAP=explicit"}
+
+	saved := &serviceParams{
+		ServiceEnvVars: map[string]string{
+			"SAVED":   "val",
+			"OVERLAP": "saved",
+		},
+	}
+
+	applyServiceEnvParams(cmd, saved)
+
+	// Parse result for easier assertion.
+	result, err := parseServiceEnvVars(serviceEnvVars)
+	require.NoError(t, err)
+
+	assert.Equal(t, "yes", result["EXPLICIT"])
+	assert.Equal(t, "val", result["SAVED"])
+	// Explicit wins on conflict.
+	assert.Equal(t, "explicit", result["OVERLAP"])
+}
+
+func TestApplyServiceEnvParams_NotChanged(t *testing.T) {
+	origServiceEnvVars := serviceEnvVars
+	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
+
+	serviceEnvVars = nil
+
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+
+	saved := &serviceParams{
+		ServiceEnvVars: map[string]string{"FROM_SAVED": "val"},
+	}
+
+	applyServiceEnvParams(cmd, saved)
+
+	result, err := parseServiceEnvVars(serviceEnvVars)
+	require.NoError(t, err)
+	assert.Equal(t, map[string]string{"FROM_SAVED": "val"}, result)
+}
+
+// TestServiceParams_FieldsCoveredInFunctions ensures that all serviceParams fields are
+// referenced in both currentServiceParams() and applyServiceParams(). If a new field is
+// added to serviceParams but not wired into these functions, this test fails.
+func TestServiceParams_FieldsCoveredInFunctions(t *testing.T) {
+	fset := token.NewFileSet()
+	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
+	require.NoError(t, err)
+
+	// Collect all JSON field names from the serviceParams struct.
+	structFields := extractStructJSONFields(t, file, "serviceParams")
+	require.NotEmpty(t, structFields, "failed to find serviceParams struct fields")
+
+	// Collect field names referenced in currentServiceParams and applyServiceParams.
+	currentFields := extractFuncFieldRefs(t, file, "currentServiceParams", structFields)
+	applyFields := extractFuncFieldRefs(t, file, "applyServiceParams", structFields)
+	// applyServiceEnvParams handles ServiceEnvVars indirectly.
+	applyEnvFields := extractFuncFieldRefs(t, file, "applyServiceEnvParams", structFields)
+	for k, v := range applyEnvFields {
+		applyFields[k] = v
+	}
+
+	for _, field := range structFields {
+		assert.Contains(t, currentFields, field,
+			"serviceParams field %q is not captured in currentServiceParams()", field)
+		assert.Contains(t, applyFields, field,
+			"serviceParams field %q is not restored in applyServiceParams()/applyServiceEnvParams()", field)
+	}
+}
+
+// TestServiceParams_BuildArgsCoversAllFlags ensures that buildServiceArguments references
+// all serviceParams fields that should become CLI args. ServiceEnvVars is excluded because
+// it flows through newSVCConfig() EnvVars, not CLI args.
+func TestServiceParams_BuildArgsCoversAllFlags(t *testing.T) {
+	fset := token.NewFileSet()
+	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
+	require.NoError(t, err)
+
+	structFields := extractStructJSONFields(t, file, "serviceParams")
+	require.NotEmpty(t, structFields)
+
+	installerFile, err := parser.ParseFile(fset, "service_installer.go", nil, 0)
+	require.NoError(t, err)
+
+	// Fields that are handled outside of buildServiceArguments (env vars go through newSVCConfig).
+	fieldsNotInArgs := map[string]bool{
+		"ServiceEnvVars": true,
+	}
+
+	buildFields := extractFuncGlobalRefs(t, installerFile, "buildServiceArguments")
+
+	// Forward: every struct field must appear in buildServiceArguments.
+	for _, field := range structFields {
+		if fieldsNotInArgs[field] {
+			continue
+		}
+		globalVar := fieldToGlobalVar(field)
+		assert.Contains(t, buildFields, globalVar,
+			"serviceParams field %q (global %q) is not referenced in buildServiceArguments()", field, globalVar)
+	}
+
+	// Reverse: every service-related global used in buildServiceArguments must
+	// have a corresponding serviceParams field. This catches a developer adding
+	// a new flag to buildServiceArguments without adding it to the struct.
+	globalToField := make(map[string]string, len(structFields))
+	for _, field := range structFields {
+		globalToField[fieldToGlobalVar(field)] = field
+	}
+	// Identifiers in buildServiceArguments that are not service params
+	// (builtins, boilerplate, loop variables).
+	nonParamGlobals := map[string]bool{
+		"args": true, "append": true, "string": true, "_": true,
+		"logFile": true, // range variable over logFiles
+	}
+	for ref := range buildFields {
+		if nonParamGlobals[ref] {
+			continue
+		}
+		_, inStruct := globalToField[ref]
+		assert.True(t, inStruct,
+			"buildServiceArguments() references global %q which has no corresponding serviceParams field", ref)
+	}
+}
+
+// extractStructJSONFields returns field names from a named struct type.
+func extractStructJSONFields(t *testing.T, file *ast.File, structName string) []string {
+	t.Helper()
+	var fields []string
+	ast.Inspect(file, func(n ast.Node) bool {
+		ts, ok := n.(*ast.TypeSpec)
+		if !ok || ts.Name.Name != structName {
+			return true
+		}
+		st, ok := ts.Type.(*ast.StructType)
+		if !ok {
+			return false
+		}
+		for _, f := range st.Fields.List {
+			if len(f.Names) > 0 {
+				fields = append(fields, f.Names[0].Name)
+			}
+		}
+		return false
+	})
+	return fields
+}
+
+// extractFuncFieldRefs returns which of the given field names appear inside the
+// named function, either as selector expressions (params.FieldName) or as
+// composite literal keys (&serviceParams{FieldName: ...}).
+func extractFuncFieldRefs(t *testing.T, file *ast.File, funcName string, fields []string) map[string]bool {
+	t.Helper()
+	fieldSet := make(map[string]bool, len(fields))
+	for _, f := range fields {
+		fieldSet[f] = true
+	}
+
+	found := make(map[string]bool)
+	fn := findFuncDecl(file, funcName)
+	require.NotNil(t, fn, "function %s not found", funcName)
+
+	ast.Inspect(fn.Body, func(n ast.Node) bool {
+		switch v := n.(type) {
+		case *ast.SelectorExpr:
+			if fieldSet[v.Sel.Name] {
+				found[v.Sel.Name] = true
+			}
+		case *ast.KeyValueExpr:
+			if ident, ok := v.Key.(*ast.Ident); ok && fieldSet[ident.Name] {
+				found[ident.Name] = true
+			}
+		}
+		return true
+	})
+	return found
+}
+
+// extractFuncGlobalRefs returns all identifier names referenced in the named function body.
+func extractFuncGlobalRefs(t *testing.T, file *ast.File, funcName string) map[string]bool {
+	t.Helper()
+	fn := findFuncDecl(file, funcName)
+	require.NotNil(t, fn, "function %s not found", funcName)
+
+	refs := make(map[string]bool)
+	ast.Inspect(fn.Body, func(n ast.Node) bool {
+		if ident, ok := n.(*ast.Ident); ok {
+			refs[ident.Name] = true
+		}
+		return true
+	})
+	return refs
+}
+
+func findFuncDecl(file *ast.File, name string) *ast.FuncDecl {
+	for _, decl := range file.Decls {
+		fn, ok := decl.(*ast.FuncDecl)
+		if ok && fn.Name.Name == name {
+			return fn
+		}
+	}
+	return nil
+}
+
+// fieldToGlobalVar maps serviceParams field names to the package-level variable
+// names used in buildServiceArguments and applyServiceParams.
+func fieldToGlobalVar(field string) string {
+	m := map[string]string{
+		"LogLevel":              "logLevel",
+		"DaemonAddr":            "daemonAddr",
+		"ManagementURL":         "managementURL",
+		"ConfigPath":            "configPath",
+		"LogFiles":              "logFiles",
+		"DisableProfiles":       "profilesDisabled",
+		"DisableUpdateSettings": "updateSettingsDisabled",
+		"ServiceEnvVars":        "serviceEnvVars",
+	}
+	if v, ok := m[field]; ok {
+		return v
+	}
+	// Default: lowercase first letter.
+	return strings.ToLower(field[:1]) + field[1:]
+}
+
+func TestEnvMapToSlice(t *testing.T) {
+	m := map[string]string{"A": "1", "B": "2"}
+	s := envMapToSlice(m)
+	assert.Len(t, s, 2)
+	assert.Contains(t, s, "A=1")
+	assert.Contains(t, s, "B=2")
+}
+
+func TestEnvMapToSlice_Empty(t *testing.T) {
+	s := envMapToSlice(map[string]string{})
+	assert.Empty(t, s)
+}

client/cmd/service_test.go

@@ -4,7 +4,9 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"os/signal"
 	"runtime"
+	"syscall"
 	"testing"
 	"time"
 
@@ -13,6 +15,22 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+// TestMain intercepts when this test binary is run as a daemon subprocess.
+// On FreeBSD, the rc.d service script runs the binary via daemon(8) -r with
+// "service run ..." arguments. Since the test binary can't handle cobra CLI
+// args, it exits immediately, causing daemon -r to respawn rapidly until
+// hitting the rate limit and exiting. This makes service restart unreliable.
+// Blocking here keeps the subprocess alive until the init system sends SIGTERM.
+func TestMain(m *testing.M) {
+	if len(os.Args) > 2 && os.Args[1] == "service" && os.Args[2] == "run" {
+		sig := make(chan os.Signal, 1)
+		signal.Notify(sig, syscall.SIGTERM, os.Interrupt)
+		<-sig
+		return
+	}
+	os.Exit(m.Run())
+}
+
 const (
 	serviceStartTimeout = 10 * time.Second
 	serviceStopTimeout  = 5 * time.Second
@@ -79,6 +97,34 @@ func TestServiceLifecycle(t *testing.T) {
 	logLevel = "info"
 	daemonAddr = fmt.Sprintf("unix://%s/netbird-test.sock", tempDir)
 
+	// Ensure cleanup even if a subtest fails and Stop/Uninstall subtests don't run.
+	t.Cleanup(func() {
+		cfg, err := newSVCConfig()
+		if err != nil {
+			t.Errorf("cleanup: create service config: %v", err)
+			return
+		}
+		ctxSvc, cancel := context.WithCancel(context.Background())
+		defer cancel()
+		s, err := newSVC(newProgram(ctxSvc, cancel), cfg)
+		if err != nil {
+			t.Errorf("cleanup: create service: %v", err)
+			return
+		}
+
+		// If the subtests already cleaned up, there's nothing to do.
+		if _, err := s.Status(); err != nil {
+			return
+		}
+
+		if err := s.Stop(); err != nil {
+			t.Errorf("cleanup: stop service: %v", err)
+		}
+		if err := s.Uninstall(); err != nil {
+			t.Errorf("cleanup: uninstall service: %v", err)
+		}
+	})
+
 	ctx := context.Background()
 
 	t.Run("Install", func(t *testing.T) {

client/cmd/status.go

@@ -28,6 +28,7 @@ var (
 	ipsFilterMap         map[string]struct{}
 	prefixNamesFilterMap map[string]struct{}
 	connectionTypeFilter string
+	checkFlag            string
 )
 
 var statusCmd = &cobra.Command{
@@ -49,6 +50,7 @@ func init() {
 	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
 	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
 	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
+	statusCmd.PersistentFlags().StringVar(&checkFlag, "check", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
 }
 
 func statusFunc(cmd *cobra.Command, args []string) error {
@@ -56,6 +58,10 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 
 	cmd.SetOut(cmd.OutOrStdout())
 
+	if checkFlag != "" {
+		return runHealthCheck(cmd)
+	}
+
 	err := parseFilters()
 	if err != nil {
 		return err
@@ -68,15 +74,17 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 
 	ctx := internal.CtxInitState(cmd.Context())
 
-	resp, err := getStatus(ctx, false)
+	resp, err := getStatus(ctx, true, false)
 	if err != nil {
 		return err
 	}
 
 	status := resp.GetStatus()
 
-	if status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
-		status == string(internal.StatusSessionExpired) {
+	needsAuth := status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
+		status == string(internal.StatusSessionExpired)
+
+	if needsAuth && !jsonFlag && !yamlFlag {
 		cmd.Printf("Daemon status: %s\n\n"+
 			"Run UP command to log in with SSO (interactive login):\n\n"+
 			" netbird up \n\n"+
@@ -99,7 +107,17 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		profName = activeProf.Name
 	}
 
-	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), anonymizeFlag, resp.GetDaemonVersion(), statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter, profName)
+	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), nbstatus.ConvertOptions{
+		Anonymize:            anonymizeFlag,
+		DaemonVersion:        resp.GetDaemonVersion(),
+		DaemonStatus:         nbstatus.ParseDaemonStatus(status),
+		StatusFilter:         statusFilter,
+		PrefixNamesFilter:    prefixNamesFilter,
+		PrefixNamesFilterMap: prefixNamesFilterMap,
+		IPsFilter:            ipsFilterMap,
+		ConnectionTypeFilter: connectionTypeFilter,
+		ProfileName:          profName,
+	})
 	var statusOutputString string
 	switch {
 	case detailFlag:
@@ -121,7 +139,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse, error) {
+func getStatus(ctx context.Context, fullPeerStatus bool, shouldRunProbes bool) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
@@ -131,7 +149,7 @@ func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse
 	}
 	defer conn.Close()
 
-	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: shouldRunProbes})
+	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: fullPeerStatus, ShouldRunProbes: shouldRunProbes})
 	if err != nil {
 		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
 	}
@@ -185,6 +203,83 @@ func enableDetailFlagWhenFilterFlag() {
 	}
 }
 
+func runHealthCheck(cmd *cobra.Command) error {
+	check := strings.ToLower(checkFlag)
+	switch check {
+	case "live", "ready", "startup":
+	default:
+		return fmt.Errorf("unknown check %q, must be one of: live, ready, startup", checkFlag)
+	}
+
+	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
+		return fmt.Errorf("init log: %w", err)
+	}
+
+	ctx := internal.CtxInitState(cmd.Context())
+
+	isStartup := check == "startup"
+	resp, err := getStatus(ctx, isStartup, false)
+	if err != nil {
+		return err
+	}
+
+	switch check {
+	case "live":
+		return nil
+	case "ready":
+		return checkReadiness(resp)
+	case "startup":
+		return checkStartup(resp)
+	default:
+		return nil
+	}
+}
+
+func checkReadiness(resp *proto.StatusResponse) error {
+	daemonStatus := internal.StatusType(resp.GetStatus())
+	switch daemonStatus {
+	case internal.StatusIdle, internal.StatusConnecting, internal.StatusConnected:
+		return nil
+	case internal.StatusNeedsLogin, internal.StatusLoginFailed, internal.StatusSessionExpired:
+		return fmt.Errorf("readiness check: daemon status is %s", daemonStatus)
+	default:
+		return fmt.Errorf("readiness check: unexpected daemon status %q", daemonStatus)
+	}
+}
+
+func checkStartup(resp *proto.StatusResponse) error {
+	fullStatus := resp.GetFullStatus()
+	if fullStatus == nil {
+		return fmt.Errorf("startup check: no full status available")
+	}
+
+	if !fullStatus.GetManagementState().GetConnected() {
+		return fmt.Errorf("startup check: management not connected")
+	}
+
+	if !fullStatus.GetSignalState().GetConnected() {
+		return fmt.Errorf("startup check: signal not connected")
+	}
+
+	var relayCount, relaysConnected int
+	for _, r := range fullStatus.GetRelays() {
+		uri := r.GetURI()
+		if !strings.HasPrefix(uri, "rel://") && !strings.HasPrefix(uri, "rels://") {
+			continue
+		}
+		relayCount++
+		if r.GetAvailable() {
+			relaysConnected++
+		}
+	}
+
+	if relayCount > 0 && relaysConnected == 0 {
+		return fmt.Errorf("startup check: no relay servers available (0/%d connected)", relayCount)
+	}
+
+	return nil
+}
+
 func parseInterfaceIP(interfaceIP string) string {
 	ip, _, err := net.ParseCIDR(interfaceIP)
 	if err != nil {

client/embed/embed.go

@@ -14,6 +14,7 @@ import (
 	"github.com/sirupsen/logrus"
 	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"
 
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/auth"
@@ -21,6 +22,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	sshcommon "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
+	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )
 
@@ -31,14 +33,14 @@ var (
 	ErrConfigNotInitialized = errors.New("config not initialized")
 )
 
-// PeerConnStatus is a peer's connection status.
-type PeerConnStatus = peer.ConnStatus
-
 const (
 	// PeerStatusConnected indicates the peer is in connected state.
 	PeerStatusConnected = peer.StatusConnected
 )
 
+// PeerConnStatus is a peer's connection status.
+type PeerConnStatus = peer.ConnStatus
+
 // Client manages a netbird embedded client instance.
 type Client struct {
 	deviceName string
@@ -81,6 +83,14 @@ type Options struct {
 	BlockInbound bool
 	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
 	WireguardPort *int
+	// MTU is the MTU for the WireGuard interface.
+	// Valid values are in the range 576..8192 bytes.
+	// If non-nil, this value overrides any value stored in the config file.
+	// If nil, the existing config MTU (if non-zero) is preserved; otherwise it defaults to 1280.
+	// Set to a higher value (e.g. 1400) if carrying QUIC or other protocols that require larger datagrams.
+	MTU *uint16
+	// DNSLabels defines additional DNS labels configured in the peer.
+	DNSLabels []string
 }
 
 // validateCredentials checks that exactly one credential type is provided
@@ -112,6 +122,12 @@ func New(opts Options) (*Client, error) {
 		return nil, err
 	}
 
+	if opts.MTU != nil {
+		if err := iface.ValidateMTU(*opts.MTU); err != nil {
+			return nil, fmt.Errorf("invalid MTU: %w", err)
+		}
+	}
+
 	if opts.LogOutput != nil {
 		logrus.SetOutput(opts.LogOutput)
 	}
@@ -140,9 +156,14 @@ func New(opts Options) (*Client, error) {
 		}
 	}
 
+	var err error
+	var parsedLabels domain.List
+	if parsedLabels, err = domain.FromStringList(opts.DNSLabels); err != nil {
+		return nil, fmt.Errorf("invalid dns labels: %w", err)
+	}
+
 	t := true
 	var config *profilemanager.Config
-	var err error
 	input := profilemanager.ConfigInput{
 		ConfigPath:          opts.ConfigPath,
 		ManagementURL:       opts.ManagementURL,
@@ -151,6 +172,8 @@ func New(opts Options) (*Client, error) {
 		DisableClientRoutes: &opts.DisableClientRoutes,
 		BlockInbound:        &opts.BlockInbound,
 		WireguardPort:       opts.WireguardPort,
+		MTU:                 opts.MTU,
+		DNSLabels:           parsedLabels,
 	}
 	if opts.ConfigPath != "" {
 		config, err = profilemanager.UpdateOrCreateConfig(input)
@@ -352,6 +375,32 @@ func (c *Client) NewHTTPClient() *http.Client {
 	}
 }
 
+// Expose exposes a local service via the NetBird reverse proxy, making it accessible through a public URL.
+// It returns an ExposeSession. Call Wait on the session to keep it alive.
+func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession, error) {
+	engine, err := c.getEngine()
+	if err != nil {
+		return nil, err
+	}
+
+	mgr := engine.GetExposeManager()
+	if mgr == nil {
+		return nil, fmt.Errorf("expose manager not available")
+	}
+
+	resp, err := mgr.Expose(ctx, req)
+	if err != nil {
+		return nil, fmt.Errorf("expose: %w", err)
+	}
+
+	return &ExposeSession{
+		Domain:      resp.Domain,
+		ServiceName: resp.ServiceName,
+		ServiceURL:  resp.ServiceURL,
+		mgr:         mgr,
+	}, nil
+}
+
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()

client/embed/expose.go

@@ -0,0 +1,45 @@
+package embed
+
+import (
+	"context"
+	"errors"
+
+	"github.com/netbirdio/netbird/client/internal/expose"
+)
+
+const (
+	// ExposeProtocolHTTP exposes the service as HTTP.
+	ExposeProtocolHTTP = expose.ProtocolHTTP
+	// ExposeProtocolHTTPS exposes the service as HTTPS.
+	ExposeProtocolHTTPS = expose.ProtocolHTTPS
+	// ExposeProtocolTCP exposes the service as TCP.
+	ExposeProtocolTCP = expose.ProtocolTCP
+	// ExposeProtocolUDP exposes the service as UDP.
+	ExposeProtocolUDP = expose.ProtocolUDP
+	// ExposeProtocolTLS exposes the service as TLS.
+	ExposeProtocolTLS = expose.ProtocolTLS
+)
+
+// ExposeRequest is a request to expose a local service via the NetBird reverse proxy.
+type ExposeRequest = expose.Request
+
+// ExposeProtocolType represents the protocol used for exposing a service.
+type ExposeProtocolType = expose.ProtocolType
+
+// ExposeSession represents an active expose session. Use Wait to block until the session ends.
+type ExposeSession struct {
+	Domain      string
+	ServiceName string
+	ServiceURL  string
+
+	mgr *expose.Manager
+}
+
+// Wait blocks while keeping the expose session alive.
+// It returns when ctx is cancelled or a keep-alive error occurs, then terminates the session.
+func (s *ExposeSession) Wait(ctx context.Context) error {
+	if s == nil || s.mgr == nil {
+		return errors.New("expose session is not initialized")
+	}
+	return s.mgr.KeepAlive(ctx, s.Domain)
+}

client/firewall/iptables/manager_linux.go

@@ -23,9 +23,10 @@ type Manager struct {
 
 	wgIface iFaceMapper
 
-	ipv4Client *iptables.IPTables
-	aclMgr     *aclManager
-	router     *router
+	ipv4Client   *iptables.IPTables
+	aclMgr       *aclManager
+	router       *router
+	rawSupported bool
 }
 
 // iFaceMapper defines subset methods of interface required for manager
@@ -84,7 +85,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	}
 
 	if err := m.initNoTrackChain(); err != nil {
-		return fmt.Errorf("init notrack chain: %w", err)
+		log.Warnf("raw table not available, notrack rules will be disabled: %v", err)
 	}
 
 	// persist early to ensure cleanup of chains
@@ -318,6 +319,10 @@ func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	if !m.rawSupported {
+		return fmt.Errorf("raw table not available")
+	}
+
 	wgPortStr := fmt.Sprintf("%d", wgPort)
 	proxyPortStr := fmt.Sprintf("%d", proxyPort)
 
@@ -375,12 +380,16 @@ func (m *Manager) initNoTrackChain() error {
 		return fmt.Errorf("add prerouting jump rule: %w", err)
 	}
 
+	m.rawSupported = true
 	return nil
 }
 
 func (m *Manager) cleanupNoTrackChain() error {
 	exists, err := m.ipv4Client.ChainExists(tableRaw, chainNameRaw)
 	if err != nil {
+		if !m.rawSupported {
+			return nil
+		}
 		return fmt.Errorf("check chain exists: %w", err)
 	}
 	if !exists {
@@ -401,6 +410,7 @@ func (m *Manager) cleanupNoTrackChain() error {
 		return fmt.Errorf("clear and delete chain: %w", err)
 	}
 
+	m.rawSupported = false
 	return nil
 }
 

client/firewall/nftables/manager_linux.go

@@ -95,7 +95,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	}
 
 	if err := m.initNoTrackChains(workTable); err != nil {
-		return fmt.Errorf("init notrack chains: %w", err)
+		log.Warnf("raw priority chains not available, notrack rules will be disabled: %v", err)
 	}
 
 	stateManager.RegisterState(&ShutdownState{})

client/grpc/dialer.go

@@ -28,7 +28,7 @@ func Backoff(ctx context.Context) backoff.BackOff {
 
 // CreateConnection creates a gRPC client connection with the appropriate transport options.
 // The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
-func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string) (*grpc.ClientConn, error) {
+func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string, extraOpts ...grpc.DialOption) (*grpc.ClientConn, error) {
 	transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
 	// for js, the outer websocket layer takes care of tls
 	if tlsEnabled && runtime.GOOS != "js" {
@@ -46,9 +46,7 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 	connCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
 
-	conn, err := grpc.DialContext(
-		connCtx,
-		addr,
+	opts := []grpc.DialOption{
 		transportOption,
 		WithCustomDialer(tlsEnabled, component),
 		grpc.WithBlock(),
@@ -56,7 +54,10 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 			Time:    30 * time.Second,
 			Timeout: 10 * time.Second,
 		}),
-	)
+	}
+	opts = append(opts, extraOpts...)
+
+	conn, err := grpc.DialContext(connCtx, addr, opts...)
 	if err != nil {
 		return nil, fmt.Errorf("dial context: %w", err)
 	}

client/internal/auth/auth.go

@@ -221,7 +221,7 @@ func (a *Auth) getPKCEFlow(client *mgm.GrpcClient) (*PKCEAuthorizationFlow, erro
 	config := &PKCEAuthProviderConfig{
 		Audience:              protoConfig.GetAudience(),
 		ClientID:              protoConfig.GetClientID(),
-		ClientSecret:          protoConfig.GetClientSecret(),
+		ClientSecret:          protoConfig.GetClientSecret(), //nolint:staticcheck
 		TokenEndpoint:         protoConfig.GetTokenEndpoint(),
 		AuthorizationEndpoint: protoConfig.GetAuthorizationEndpoint(),
 		Scope:                 protoConfig.GetScope(),
@@ -266,7 +266,7 @@ func (a *Auth) getDeviceFlow(client *mgm.GrpcClient) (*DeviceAuthorizationFlow,
 	config := &DeviceAuthProviderConfig{
 		Audience:           protoConfig.GetAudience(),
 		ClientID:           protoConfig.GetClientID(),
-		ClientSecret:       protoConfig.GetClientSecret(),
+		ClientSecret:       protoConfig.GetClientSecret(), //nolint:staticcheck
 		Domain:             protoConfig.Domain,
 		TokenEndpoint:      protoConfig.GetTokenEndpoint(),
 		DeviceAuthEndpoint: protoConfig.GetDeviceAuthEndpoint(),

client/internal/connect.go

@@ -23,6 +23,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/client/internal/metrics"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -43,6 +44,10 @@ import (
 	"github.com/netbirdio/netbird/version"
 )
 
+// androidRunOverride is set on Android to inject mobile dependencies
+// when using embed.Client (which calls Run() with empty MobileDependency).
+var androidRunOverride func(c *ConnectClient, runningChan chan struct{}, logPath string) error
+
 type ConnectClient struct {
 	ctx            context.Context
 	config         *profilemanager.Config
@@ -50,6 +55,7 @@ type ConnectClient struct {
 
 	engine        *Engine
 	engineMutex   sync.Mutex
+	clientMetrics *metrics.ClientMetrics
 	updateManager *updater.Manager
 
 	persistSyncResponse bool
@@ -74,6 +80,9 @@ func (c *ConnectClient) SetUpdateManager(um *updater.Manager) {
 
 // Run with main logic.
 func (c *ConnectClient) Run(runningChan chan struct{}, logPath string) error {
+	if androidRunOverride != nil {
+		return androidRunOverride(c, runningChan, logPath)
+	}
 	return c.run(MobileDependency{}, runningChan, logPath)
 }
 
@@ -102,6 +111,7 @@ func (c *ConnectClient) RunOniOS(
 	fileDescriptor int32,
 	networkChangeListener listener.NetworkChangeListener,
 	dnsManager dns.IosDnsManager,
+	dnsAddresses []netip.AddrPort,
 	stateFilePath string,
 ) error {
 	// Set GC percent to 5% to reduce memory usage as iOS only allows 50MB of memory for the extension.
@@ -111,6 +121,7 @@ func (c *ConnectClient) RunOniOS(
 		FileDescriptor:        fileDescriptor,
 		NetworkChangeListener: networkChangeListener,
 		DnsManager:            dnsManager,
+		HostDNSAddresses:      dnsAddresses,
 		StateFilePath:         stateFilePath,
 	}
 	return c.run(mobileDependency, nil, "")
@@ -133,10 +144,34 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		}
 	}()
 
+	// Stop metrics push on exit
+	defer func() {
+		if c.clientMetrics != nil {
+			c.clientMetrics.StopPush()
+		}
+	}()
+
 	log.Infof("starting NetBird client version %s on %s/%s", version.NetbirdVersion(), runtime.GOOS, runtime.GOARCH)
 
 	nbnet.Init()
 
+	// Initialize metrics once at startup (always active for debug bundles)
+	if c.clientMetrics == nil {
+		agentInfo := metrics.AgentInfo{
+			DeploymentType: metrics.DeploymentTypeUnknown,
+			Version:        version.NetbirdVersion(),
+			OS:             runtime.GOOS,
+			Arch:           runtime.GOARCH,
+		}
+		c.clientMetrics = metrics.NewClientMetrics(agentInfo)
+		log.Debugf("initialized client metrics")
+
+		// Start metrics push if enabled (uses daemon context, persists across engine restarts)
+		if metrics.IsMetricsPushEnabled() {
+			c.clientMetrics.StartPush(c.ctx, metrics.PushConfigFromEnv())
+		}
+	}
+
 	backOff := &backoff.ExponentialBackOff{
 		InitialInterval:     time.Second,
 		RandomizationFactor: 1,
@@ -223,6 +258,16 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		mgmNotifier := statusRecorderToMgmConnStateNotifier(c.statusRecorder)
 		mgmClient.SetConnStateListener(mgmNotifier)
 
+		// Update metrics with actual deployment type after connection
+		deploymentType := metrics.DetermineDeploymentType(mgmClient.GetServerURL())
+		agentInfo := metrics.AgentInfo{
+			DeploymentType: deploymentType,
+			Version:        version.NetbirdVersion(),
+			OS:             runtime.GOOS,
+			Arch:           runtime.GOARCH,
+		}
+		c.clientMetrics.UpdateAgentInfo(agentInfo, myPrivateKey.PublicKey().String())
+
 		log.Debugf("connected to the Management service %s", c.config.ManagementURL.Host)
 		defer func() {
 			if err = mgmClient.Close(); err != nil {
@@ -231,8 +276,10 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		}()
 
 		// connect (just a connection, no stream yet) and login to Management Service to get an initial global Netbird config
+		loginStarted := time.Now()
 		loginResp, err := loginToManagement(engineCtx, mgmClient, publicSSHKey, c.config)
 		if err != nil {
+			c.clientMetrics.RecordLoginDuration(engineCtx, time.Since(loginStarted), false)
 			log.Debug(err)
 			if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
 				state.Set(StatusNeedsLogin)
@@ -241,6 +288,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			}
 			return wrapErr(err)
 		}
+		c.clientMetrics.RecordLoginDuration(engineCtx, time.Since(loginStarted), true)
 		c.statusRecorder.MarkManagementConnected()
 
 		localPeerState := peer.LocalPeerState{
@@ -317,6 +365,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			Checks:         checks,
 			StateManager:   stateManager,
 			UpdateManager:  c.updateManager,
+			ClientMetrics:  c.clientMetrics,
 		}, mobileDependency)
 		engine.SetSyncResponsePersistence(c.persistSyncResponse)
 		c.engine = engine

client/internal/connect_android_default.go

@@ -0,0 +1,73 @@
+//go:build android
+
+package internal
+
+import (
+	"net/netip"
+
+	"github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+)
+
+// noopIFaceDiscover is a stub ExternalIFaceDiscover for embed.Client on Android.
+// It returns an empty interface list, which means ICE P2P candidates won't be
+// discovered — connections will fall back to relay. Applications that need P2P
+// should provide a real implementation via runOnAndroidEmbed that uses
+// Android's ConnectivityManager to enumerate network interfaces.
+type noopIFaceDiscover struct{}
+
+func (noopIFaceDiscover) IFaces() (string, error) {
+	// Return empty JSON array — no local interfaces advertised for ICE.
+	// This is intentional: without Android's ConnectivityManager, we cannot
+	// reliably enumerate interfaces (netlink is restricted on Android 11+).
+	// Relay connections still work; only P2P hole-punching is disabled.
+	return "[]", nil
+}
+
+// noopNetworkChangeListener is a stub for embed.Client on Android.
+// Network change events are ignored since the embed client manages its own
+// reconnection logic via the engine's built-in retry mechanism.
+type noopNetworkChangeListener struct{}
+
+func (noopNetworkChangeListener) OnNetworkChanged(string) {
+	// No-op: embed.Client relies on the engine's internal reconnection
+	// logic rather than OS-level network change notifications.
+}
+
+func (noopNetworkChangeListener) SetInterfaceIP(string) {
+	// No-op: in netstack mode, the overlay IP is managed by the userspace
+	// network stack, not by OS-level interface configuration.
+}
+
+// noopDnsReadyListener is a stub for embed.Client on Android.
+// DNS readiness notifications are not needed in netstack/embed mode
+// since system DNS is disabled and DNS resolution happens externally.
+type noopDnsReadyListener struct{}
+
+func (noopDnsReadyListener) OnReady() {
+	// No-op: embed.Client does not need DNS readiness notifications.
+	// System DNS is disabled in netstack mode.
+}
+
+var _ stdnet.ExternalIFaceDiscover = noopIFaceDiscover{}
+var _ listener.NetworkChangeListener = noopNetworkChangeListener{}
+var _ dns.ReadyListener = noopDnsReadyListener{}
+
+func init() {
+	// Wire up the default override so embed.Client.Start() works on Android
+	// with netstack mode. Provides complete no-op stubs for all mobile
+	// dependencies so the engine's existing Android code paths work unchanged.
+	// Applications that need P2P ICE or real DNS should replace this by
+	// setting androidRunOverride before calling Start().
+	androidRunOverride = func(c *ConnectClient, runningChan chan struct{}, logPath string) error {
+		return c.runOnAndroidEmbed(
+			noopIFaceDiscover{},
+			noopNetworkChangeListener{},
+			[]netip.AddrPort{},
+			noopDnsReadyListener{},
+			runningChan,
+			logPath,
+		)
+	}
+}

client/internal/connect_android_embed.go

@@ -0,0 +1,32 @@
+//go:build android
+
+package internal
+
+import (
+	"net/netip"
+
+	"github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+)
+
+// runOnAndroidEmbed is like RunOnAndroid but accepts a runningChan
+// so embed.Client.Start() can detect when the engine is ready.
+// It provides complete MobileDependency so the engine's existing
+// Android code paths work unchanged.
+func (c *ConnectClient) runOnAndroidEmbed(
+	iFaceDiscover stdnet.ExternalIFaceDiscover,
+	networkChangeListener listener.NetworkChangeListener,
+	dnsAddresses []netip.AddrPort,
+	dnsReadyListener dns.ReadyListener,
+	runningChan chan struct{},
+	logPath string,
+) error {
+	mobileDependency := MobileDependency{
+		IFaceDiscover:         iFaceDiscover,
+		NetworkChangeListener: networkChangeListener,
+		HostDNSAddresses:      dnsAddresses,
+		DnsReadyListener:      dnsReadyListener,
+	}
+	return c.run(mobileDependency, runningChan, logPath)
+}

client/internal/debug/debug.go

@@ -31,7 +31,6 @@ import (
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/version"
 )
 
 const readmeContent = `Netbird debug bundle
@@ -53,6 +52,7 @@ resolved_domains.txt: Anonymized resolved domain IP addresses from the status re
 config.txt: Anonymized configuration information of the NetBird client.
 network_map.json: Anonymized sync response containing peer configurations, routes, DNS settings, and firewall rules.
 state.json: Anonymized client state dump containing netbird states for the active profile.
+metrics.txt: Buffered client metrics in InfluxDB line protocol format. Only present when metrics collection is enabled. Peer identifiers are anonymized.
 mutex.prof: Mutex profiling information.
 goroutine.prof: Goroutine profiling information.
 block.prof: Block profiling information.
@@ -219,6 +219,11 @@ const (
 	darwinStdoutLogPath = "/var/log/netbird.err.log"
 )
 
+// MetricsExporter is an interface for exporting metrics
+type MetricsExporter interface {
+	Export(w io.Writer) error
+}
+
 type BundleGenerator struct {
 	anonymizer *anonymize.Anonymizer
 
@@ -229,6 +234,7 @@ type BundleGenerator struct {
 	logPath        string
 	cpuProfile     []byte
 	refreshStatus  func() // Optional callback to refresh status before bundle generation
+	clientMetrics  MetricsExporter
 
 	anonymize         bool
 	includeSystemInfo bool
@@ -250,6 +256,7 @@ type GeneratorDependencies struct {
 	LogPath        string
 	CPUProfile     []byte
 	RefreshStatus  func() // Optional callback to refresh status before bundle generation
+	ClientMetrics  MetricsExporter
 }
 
 func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGenerator {
@@ -268,6 +275,7 @@ func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGen
 		logPath:        deps.LogPath,
 		cpuProfile:     deps.CPUProfile,
 		refreshStatus:  deps.RefreshStatus,
+		clientMetrics:  deps.ClientMetrics,
 
 		anonymize:         cfg.Anonymize,
 		includeSystemInfo: cfg.IncludeSystemInfo,
@@ -351,6 +359,10 @@ func (g *BundleGenerator) createArchive() error {
 		log.Errorf("failed to add corrupted state files to debug bundle: %v", err)
 	}
 
+	if err := g.addMetrics(); err != nil {
+		log.Errorf("failed to add metrics to debug bundle: %v", err)
+	}
+
 	if err := g.addWgShow(); err != nil {
 		log.Errorf("failed to add wg show output: %v", err)
 	}
@@ -418,7 +430,10 @@ func (g *BundleGenerator) addStatus() error {
 		fullStatus := g.statusRecorder.GetFullStatus()
 		protoFullStatus := nbstatus.ToProtoFullStatus(fullStatus)
 		protoFullStatus.Events = g.statusRecorder.GetEventHistory()
-		overview := nbstatus.ConvertToStatusOutputOverview(protoFullStatus, g.anonymize, version.NetbirdVersion(), "", nil, nil, nil, "", profName)
+		overview := nbstatus.ConvertToStatusOutputOverview(protoFullStatus, nbstatus.ConvertOptions{
+			Anonymize:   g.anonymize,
+			ProfileName: profName,
+		})
 		statusOutput := overview.FullDetailSummary()
 
 		statusReader := strings.NewReader(statusOutput)
@@ -744,6 +759,30 @@ func (g *BundleGenerator) addCorruptedStateFiles() error {
 	return nil
 }
 
+func (g *BundleGenerator) addMetrics() error {
+	if g.clientMetrics == nil {
+		log.Debugf("skipping metrics in debug bundle: no metrics collector")
+		return nil
+	}
+
+	var buf bytes.Buffer
+	if err := g.clientMetrics.Export(&buf); err != nil {
+		return fmt.Errorf("export metrics: %w", err)
+	}
+
+	if buf.Len() == 0 {
+		log.Debugf("skipping metrics.txt in debug bundle: no metrics data")
+		return nil
+	}
+
+	if err := g.addFileToZip(&buf, "metrics.txt"); err != nil {
+		return fmt.Errorf("add metrics file to zip: %w", err)
+	}
+
+	log.Debugf("added metrics to debug bundle")
+	return nil
+}
+
 func (g *BundleGenerator) addLogfile() error {
 	if g.logPath == "" {
 		log.Debugf("skipping empty log file in debug bundle")

client/internal/dns/mock_server.go

@@ -85,6 +85,11 @@ func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	return nil
 }
 
+// SetRouteChecker mock implementation of SetRouteChecker from Server interface
+func (m *MockServer) SetRouteChecker(func(netip.Addr) bool) {
+	// Mock implementation - no-op
+}
+
 // BeginBatch mock implementation of BeginBatch from Server interface
 func (m *MockServer) BeginBatch() {
 	// Mock implementation - no-op

client/internal/dns/server.go

@@ -57,6 +57,7 @@ type Server interface {
 	ProbeAvailability()
 	UpdateServerConfig(domains dnsconfig.ServerDomains) error
 	PopulateManagementDomain(mgmtURL *url.URL) error
+	SetRouteChecker(func(netip.Addr) bool)
 }
 
 type nsGroupsByDomain struct {
@@ -104,6 +105,7 @@ type DefaultServer struct {
 
 	statusRecorder *peer.Status
 	stateManager   *statemanager.Manager
+	routeMatch     func(netip.Addr) bool
 
 	probeMu     sync.Mutex
 	probeCancel context.CancelFunc
@@ -184,11 +186,16 @@ func NewDefaultServerIos(
 	ctx context.Context,
 	wgInterface WGIface,
 	iosDnsManager IosDnsManager,
+	hostsDnsList []netip.AddrPort,
 	statusRecorder *peer.Status,
 	disableSys bool,
 ) *DefaultServer {
+	log.Debugf("iOS host dns address list is: %v", hostsDnsList)
 	ds := newDefaultServer(ctx, wgInterface, NewServiceViaMemory(wgInterface), statusRecorder, nil, disableSys)
 	ds.iosDnsManager = iosDnsManager
+	ds.hostsDNSHolder.set(hostsDnsList)
+	ds.permanent = true
+	ds.addHostRootZone()
 	return ds
 }
 
@@ -229,6 +236,14 @@ func newDefaultServer(
 	return defaultServer
 }
 
+// SetRouteChecker sets the function used by upstream resolvers to determine
+// whether an IP is routed through the tunnel.
+func (s *DefaultServer) SetRouteChecker(f func(netip.Addr) bool) {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+	s.routeMatch = f
+}
+
 // RegisterHandler registers a handler for the given domains with the given priority.
 // Any previously registered handler for the same domain and priority will be replaced.
 func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler, priority int) {
@@ -743,6 +758,7 @@ func (s *DefaultServer) registerFallback(config HostDNSConfig) {
 		log.Errorf("failed to create upstream resolver for original nameservers: %v", err)
 		return
 	}
+	handler.routeMatch = s.routeMatch
 
 	for _, ns := range originalNameservers {
 		if ns == config.ServerIP {
@@ -852,6 +868,7 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		if err != nil {
 			return nil, fmt.Errorf("create upstream resolver: %v", err)
 		}
+		handler.routeMatch = s.routeMatch
 
 		for _, ns := range nsGroup.NameServers {
 			if ns.NSType != nbdns.UDPNameServerType {
@@ -1036,6 +1053,7 @@ func (s *DefaultServer) addHostRootZone() {
 		log.Errorf("unable to create a new upstream resolver, error: %v", err)
 		return
 	}
+	handler.routeMatch = s.routeMatch
 
 	handler.upstreamServers = maps.Keys(hostDNSServers)
 	handler.deactivate = func(error) {}

client/internal/dns/service_listener.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/netip"
 	"runtime"
+	"strconv"
 	"sync"
 	"time"
 
@@ -69,7 +70,7 @@ func (s *serviceViaListener) Listen() error {
 		return fmt.Errorf("eval listen address: %w", err)
 	}
 	s.listenIP = s.listenIP.Unmap()
-	s.server.Addr = fmt.Sprintf("%s:%d", s.listenIP, s.listenPort)
+	s.server.Addr = net.JoinHostPort(s.listenIP.String(), strconv.Itoa(int(s.listenPort)))
 	log.Debugf("starting dns on %s", s.server.Addr)
 	go func() {
 		s.setListenerStatus(true)
@@ -186,7 +187,7 @@ func (s *serviceViaListener) testFreePort(port int) (netip.Addr, bool) {
 }
 
 func (s *serviceViaListener) tryToBind(ip netip.Addr, port int) bool {
-	addrString := fmt.Sprintf("%s:%d", ip, port)
+	addrString := net.JoinHostPort(ip.String(), strconv.Itoa(port))
 	udpAddr := net.UDPAddrFromAddrPort(netip.MustParseAddrPort(addrString))
 	probeListener, err := net.ListenUDP("udp", udpAddr)
 	if err != nil {

client/internal/dns/upstream.go

@@ -70,6 +70,7 @@ type upstreamResolverBase struct {
 	deactivate     func(error)
 	reactivate     func()
 	statusRecorder *peer.Status
+	routeMatch     func(netip.Addr) bool
 }
 
 type upstreamFailure struct {

client/internal/dns/upstream_ios.go

@@ -65,11 +65,13 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	} else {
 		upstreamIP = upstreamIP.Unmap()
 	}
-	if u.lNet.Contains(upstreamIP) || upstreamIP.IsPrivate() {
-		log.Debugf("using private client to query upstream: %s", upstream)
+	needsPrivate := u.lNet.Contains(upstreamIP) ||
+		(u.routeMatch != nil && u.routeMatch(upstreamIP))
+	if needsPrivate {
+		log.Debugf("using private client to query %s via upstream %s", r.Question[0].Name, upstream)
 		client, err = GetClientPrivate(u.lIP, u.interfaceName, timeout)
 		if err != nil {
-			return nil, 0, fmt.Errorf("error while creating private client: %s", err)
+			return nil, 0, fmt.Errorf("create private client: %s", err)
 		}
 	}
 

client/internal/engine.go

@@ -38,6 +38,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
 	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
+	"github.com/netbirdio/netbird/client/internal/metrics"
 	"github.com/netbirdio/netbird/client/internal/netflow"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/networkmonitor"
@@ -149,6 +150,7 @@ type EngineServices struct {
 	Checks         []*mgmProto.Checks
 	StateManager   *statemanager.Manager
 	UpdateManager  *updater.Manager
+	ClientMetrics  *metrics.ClientMetrics
 }
 
 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
@@ -229,6 +231,9 @@ type Engine struct {
 
 	probeStunTurn *relay.StunTurnProbe
 
+	// clientMetrics collects and pushes metrics
+	clientMetrics *metrics.ClientMetrics
+
 	jobExecutor   *jobexec.Executor
 	jobExecutorWG sync.WaitGroup
 
@@ -272,6 +277,7 @@ func NewEngine(
 		checks:         services.Checks,
 		probeStunTurn:  relay.NewStunTurnProbe(relay.DefaultCacheTTL),
 		jobExecutor:    jobexec.NewExecutor(),
+		clientMetrics:  services.ClientMetrics,
 		updateManager:  services.UpdateManager,
 	}
 
@@ -493,6 +499,17 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 
 	e.routeManager.SetRouteChangeListener(e.mobileDep.NetworkChangeListener)
 
+	e.dnsServer.SetRouteChecker(func(ip netip.Addr) bool {
+		for _, routes := range e.routeManager.GetSelectedClientRoutes() {
+			for _, r := range routes {
+				if r.Network.Contains(ip) {
+					return true
+				}
+			}
+		}
+		return false
+	})
+
 	if err = e.wgInterfaceCreate(); err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", e.config.WgIfaceName, err.Error())
 		e.close()
@@ -813,7 +830,9 @@ func (e *Engine) handleAutoUpdateVersion(autoUpdateSettings *mgmProto.AutoUpdate
 func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	started := time.Now()
 	defer func() {
-		log.Infof("sync finished in %s", time.Since(started))
+		duration := time.Since(started)
+		log.Infof("sync finished in %s", duration)
+		e.clientMetrics.RecordSyncDuration(e.ctx, duration)
 	}()
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
@@ -989,10 +1008,11 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 		return errors.New("wireguard interface is not initialized")
 	}
 
-	// Cannot update the IP address without restarting the engine because
-	// the firewall, route manager, and other components cache the old address
 	if e.wgInterface.Address().String() != conf.Address {
-		log.Infof("peer IP address has changed from %s to %s", e.wgInterface.Address().String(), conf.Address)
+		log.Infof("peer IP address changed from %s to %s, restarting client", e.wgInterface.Address().String(), conf.Address)
+		_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
+		e.clientCancel()
+		return ErrResetConnection
 	}
 
 	if conf.GetSshConfig() != nil {
@@ -1060,6 +1080,7 @@ func (e *Engine) handleBundle(params *mgmProto.BundleParameters) (*mgmProto.JobR
 		StatusRecorder: e.statusRecorder,
 		SyncResponse:   syncResponse,
 		LogPath:        e.config.LogPath,
+		ClientMetrics:  e.clientMetrics,
 		RefreshStatus: func() {
 			e.RunHealthProbes(true)
 		},
@@ -1514,11 +1535,12 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 	}
 
 	serviceDependencies := peer.ServiceDependencies{
-		StatusRecorder: e.statusRecorder,
-		Signaler:       e.signaler,
-		IFaceDiscover:  e.mobileDep.IFaceDiscover,
-		RelayManager:   e.relayManager,
-		SrWatcher:      e.srWatcher,
+		StatusRecorder:  e.statusRecorder,
+		Signaler:        e.signaler,
+		IFaceDiscover:   e.mobileDep.IFaceDiscover,
+		RelayManager:    e.relayManager,
+		SrWatcher:       e.srWatcher,
+		MetricsRecorder: e.clientMetrics,
 	}
 	peerConn, err := peer.NewConn(config, serviceDependencies)
 	if err != nil {
@@ -1778,7 +1800,7 @@ func (e *Engine) newDnsServer(dnsConfig *nbdns.Config) (dns.Server, error) {
 		return dnsServer, nil
 
 	case "ios":
-		dnsServer := dns.NewDefaultServerIos(e.ctx, e.wgInterface, e.mobileDep.DnsManager, e.statusRecorder, e.config.DisableDNS)
+		dnsServer := dns.NewDefaultServerIos(e.ctx, e.wgInterface, e.mobileDep.DnsManager, e.mobileDep.HostDNSAddresses, e.statusRecorder, e.config.DisableDNS)
 		return dnsServer, nil
 
 	default:
@@ -1815,6 +1837,11 @@ func (e *Engine) GetExposeManager() *expose.Manager {
 	return e.exposeManager
 }
 
+// GetClientMetrics returns the client metrics
+func (e *Engine) GetClientMetrics() *metrics.ClientMetrics {
+	return e.clientMetrics
+}
+
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {

client/internal/engine_test.go

@@ -828,7 +828,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				WgPrivateKey: key,
 				WgPort:       33100,
 				MTU:          iface.DefaultMTU,
-			}, EngineServices{
+	}, EngineServices{
 				SignalClient:   &signal.MockClient{},
 				MgmClient:      &mgmt.MockClient{},
 				RelayManager:   relayMgr,
@@ -1035,7 +1035,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 				WgPrivateKey: key,
 				WgPort:       33100,
 				MTU:          iface.DefaultMTU,
-			}, EngineServices{
+	}, EngineServices{
 				SignalClient:   &signal.MockClient{},
 				MgmClient:      &mgmt.MockClient{},
 				RelayManager:   relayMgr,
@@ -1566,7 +1566,7 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 	}
 
 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
-	e, err := NewEngine(ctx, cancel, conf, EngineServices{
+e, err := NewEngine(ctx, cancel, conf, EngineServices{
 		SignalClient:   signalClient,
 		MgmClient:      mgmtClient,
 		RelayManager:   relayMgr,

client/internal/expose/manager.go

@@ -4,11 +4,14 @@ import (
 	"context"
 	"time"
 
-	mgm "github.com/netbirdio/netbird/shared/management/client"
 	log "github.com/sirupsen/logrus"
+
+	mgm "github.com/netbirdio/netbird/shared/management/client"
 )
 
-const renewTimeout = 10 * time.Second
+const (
+	renewTimeout = 10 * time.Second
+)
 
 // Response holds the response from exposing a service.
 type Response struct {
@@ -18,11 +21,13 @@ type Response struct {
 	PortAutoAssigned bool
 }
 
+// Request holds the parameters for exposing a local service via the management server.
+// It is part of the embed API surface and exposed via a type alias.
 type Request struct {
 	NamePrefix string
 	Domain     string
 	Port       uint16
-	Protocol   int
+	Protocol   ProtocolType
 	Pin        string
 	Password   string
 	UserGroups []string
@@ -59,6 +64,8 @@ func (m *Manager) Expose(ctx context.Context, req Request) (*Response, error) {
 	return fromClientExposeResponse(resp), nil
 }
 
+// KeepAlive periodically renews the expose session for the given domain until the context is canceled or an error occurs.
+// It is part of the embed API surface and exposed via a type alias.
 func (m *Manager) KeepAlive(ctx context.Context, domain string) error {
 	ticker := time.NewTicker(30 * time.Second)
 	defer ticker.Stop()

client/internal/expose/manager_test.go

@@ -86,7 +86,7 @@ func TestNewRequest(t *testing.T) {
 	exposeReq := NewRequest(req)
 
 	assert.Equal(t, uint16(8080), exposeReq.Port, "port should match")
-	assert.Equal(t, int(daemonProto.ExposeProtocol_EXPOSE_HTTPS), exposeReq.Protocol, "protocol should match")
+	assert.Equal(t, ProtocolType(daemonProto.ExposeProtocol_EXPOSE_HTTPS), exposeReq.Protocol, "protocol should match")
 	assert.Equal(t, "123456", exposeReq.Pin, "pin should match")
 	assert.Equal(t, "secret", exposeReq.Password, "password should match")
 	assert.Equal(t, []string{"group1", "group2"}, exposeReq.UserGroups, "user groups should match")

client/internal/expose/protocol.go

@@ -0,0 +1,40 @@
+package expose
+
+import (
+	"fmt"
+	"strings"
+)
+
+// ProtocolType represents the protocol used for exposing a service.
+type ProtocolType int
+
+const (
+	// ProtocolHTTP exposes the service as HTTP.
+	ProtocolHTTP ProtocolType = 0
+	// ProtocolHTTPS exposes the service as HTTPS.
+	ProtocolHTTPS ProtocolType = 1
+	// ProtocolTCP exposes the service as TCP.
+	ProtocolTCP ProtocolType = 2
+	// ProtocolUDP exposes the service as UDP.
+	ProtocolUDP ProtocolType = 3
+	// ProtocolTLS exposes the service as TLS.
+	ProtocolTLS ProtocolType = 4
+)
+
+// ParseProtocolType parses a protocol string into a ProtocolType.
+func ParseProtocolType(s string) (ProtocolType, error) {
+	switch strings.ToLower(s) {
+	case "http":
+		return ProtocolHTTP, nil
+	case "https":
+		return ProtocolHTTPS, nil
+	case "tcp":
+		return ProtocolTCP, nil
+	case "udp":
+		return ProtocolUDP, nil
+	case "tls":
+		return ProtocolTLS, nil
+	default:
+		return 0, fmt.Errorf("unsupported protocol %q: must be http, https, tcp, udp, or tls", s)
+	}
+}

client/internal/expose/request.go

@@ -9,7 +9,7 @@ import (
 func NewRequest(req *daemonProto.ExposeServiceRequest) *Request {
 	return &Request{
 		Port:       uint16(req.Port),
-		Protocol:   int(req.Protocol),
+		Protocol:   ProtocolType(req.Protocol),
 		Pin:        req.Pin,
 		Password:   req.Password,
 		UserGroups: req.UserGroups,
@@ -24,7 +24,7 @@ func toClientExposeRequest(req Request) mgm.ExposeRequest {
 		NamePrefix: req.NamePrefix,
 		Domain:     req.Domain,
 		Port:       req.Port,
-		Protocol:   req.Protocol,
+		Protocol:   int(req.Protocol),
 		Pin:        req.Pin,
 		Password:   req.Password,
 		UserGroups: req.UserGroups,

client/internal/metrics/connection_type.go

@@ -0,0 +1,17 @@
+package metrics
+
+// ConnectionType represents the type of peer connection
+type ConnectionType string
+
+const (
+	// ConnectionTypeICE represents a direct peer-to-peer connection using ICE
+	ConnectionTypeICE ConnectionType = "ice"
+
+	// ConnectionTypeRelay represents a relayed connection
+	ConnectionTypeRelay ConnectionType = "relay"
+)
+
+// String returns the string representation of the connection type
+func (c ConnectionType) String() string {
+	return string(c)
+}

client/internal/metrics/deployment_type.go

@@ -0,0 +1,51 @@
+package metrics
+
+import (
+	"net/url"
+	"strings"
+)
+
+// DeploymentType represents the type of NetBird deployment
+type DeploymentType int
+
+const (
+	// DeploymentTypeUnknown represents an unknown or uninitialized deployment type
+	DeploymentTypeUnknown DeploymentType = iota
+
+	// DeploymentTypeCloud represents a cloud-hosted NetBird deployment
+	DeploymentTypeCloud
+
+	// DeploymentTypeSelfHosted represents a self-hosted NetBird deployment
+	DeploymentTypeSelfHosted
+)
+
+// String returns the string representation of the deployment type
+func (d DeploymentType) String() string {
+	switch d {
+	case DeploymentTypeCloud:
+		return "cloud"
+	case DeploymentTypeSelfHosted:
+		return "selfhosted"
+	default:
+		return "unknown"
+	}
+}
+
+// DetermineDeploymentType determines if the deployment is cloud or self-hosted
+// based on the management URL string
+func DetermineDeploymentType(managementURL string) DeploymentType {
+	if managementURL == "" {
+		return DeploymentTypeUnknown
+	}
+
+	u, err := url.Parse(managementURL)
+	if err != nil {
+		return DeploymentTypeSelfHosted
+	}
+
+	if strings.ToLower(u.Hostname()) == "api.netbird.io" {
+		return DeploymentTypeCloud
+	}
+
+	return DeploymentTypeSelfHosted
+}

client/internal/metrics/env.go

@@ -0,0 +1,93 @@
+package metrics
+
+import (
+	"net/url"
+	"os"
+	"strconv"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	// EnvMetricsPushEnabled controls whether collected metrics are pushed to the backend.
+	// Metrics collection itself is always active (for debug bundles).
+	// Disabled by default. Set NB_METRICS_PUSH_ENABLED=true to enable push.
+	EnvMetricsPushEnabled = "NB_METRICS_PUSH_ENABLED"
+
+	// EnvMetricsForceSending if set to true, skips remote configuration fetch and forces metric sending
+	EnvMetricsForceSending = "NB_METRICS_FORCE_SENDING"
+
+	// EnvMetricsConfigURL is the environment variable to override the metrics push config ServerAddress
+	EnvMetricsConfigURL = "NB_METRICS_CONFIG_URL"
+
+	// EnvMetricsServerURL is the environment variable to override the metrics server address.
+	// When set, this takes precedence over the server_url from remote push config.
+	EnvMetricsServerURL = "NB_METRICS_SERVER_URL"
+
+	// EnvMetricsInterval overrides the push interval from the remote config.
+	// Only affects how often metrics are pushed; remote config availability
+	// and version range checks are still respected.
+	// Format: duration string like "1h", "30m", "4h"
+	EnvMetricsInterval = "NB_METRICS_INTERVAL"
+
+	defaultMetricsConfigURL = "https://ingest.netbird.io/config"
+)
+
+// IsMetricsPushEnabled returns true if metrics push is enabled via NB_METRICS_PUSH_ENABLED env var.
+// Disabled by default. Metrics collection is always active for debug bundles.
+func IsMetricsPushEnabled() bool {
+	enabled, _ := strconv.ParseBool(os.Getenv(EnvMetricsPushEnabled))
+	return enabled
+}
+
+// getMetricsInterval returns the metrics push interval from NB_METRICS_INTERVAL env var.
+// Returns 0 if not set or invalid.
+func getMetricsInterval() time.Duration {
+	intervalStr := os.Getenv(EnvMetricsInterval)
+	if intervalStr == "" {
+		return 0
+	}
+	interval, err := time.ParseDuration(intervalStr)
+	if err != nil {
+		log.Warnf("invalid metrics interval from env %q: %v", intervalStr, err)
+		return 0
+	}
+	if interval <= 0 {
+		log.Warnf("invalid metrics interval from env %q: must be positive", intervalStr)
+		return 0
+	}
+	return interval
+}
+
+func isForceSending() bool {
+	force, _ := strconv.ParseBool(os.Getenv(EnvMetricsForceSending))
+	return force
+}
+
+// getMetricsConfigURL returns the URL to fetch push configuration from
+func getMetricsConfigURL() string {
+	if envURL := os.Getenv(EnvMetricsConfigURL); envURL != "" {
+		return envURL
+	}
+	return defaultMetricsConfigURL
+}
+
+// getMetricsServerURL returns the metrics server URL from NB_METRICS_SERVER_URL env var.
+// Returns nil if not set or invalid.
+func getMetricsServerURL() *url.URL {
+	envURL := os.Getenv(EnvMetricsServerURL)
+	if envURL == "" {
+		return nil
+	}
+	parsed, err := url.ParseRequestURI(envURL)
+	if err != nil || parsed.Host == "" {
+		log.Warnf("invalid metrics server URL %q: must be an absolute HTTP(S) URL", envURL)
+		return nil
+	}
+	if parsed.Scheme != "http" && parsed.Scheme != "https" {
+		log.Warnf("invalid metrics server URL %q: unsupported scheme %q", envURL, parsed.Scheme)
+		return nil
+	}
+	return parsed
+}

client/internal/metrics/influxdb.go

@@ -0,0 +1,219 @@
+package metrics
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"maps"
+	"slices"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	maxSampleAge  = 5 * 24 * time.Hour // drop samples older than 5 days
+	maxBufferSize = 5 * 1024 * 1024    // drop oldest samples when estimated size exceeds 5 MB
+	// estimatedSampleSize is a rough per-sample memory estimate (measurement + tags + fields + timestamp)
+	estimatedSampleSize = 256
+)
+
+// influxSample is a single InfluxDB line protocol entry.
+type influxSample struct {
+	measurement string
+	tags        string
+	fields      map[string]float64
+	timestamp   time.Time
+}
+
+// influxDBMetrics collects metric events as timestamped samples.
+// Each event is recorded with its exact timestamp, pushed once, then cleared.
+type influxDBMetrics struct {
+	mu      sync.Mutex
+	samples []influxSample
+}
+
+func newInfluxDBMetrics() metricsImplementation {
+	return &influxDBMetrics{}
+}
+func (m *influxDBMetrics) RecordConnectionStages(
+	_ context.Context,
+	agentInfo AgentInfo,
+	connectionPairID string,
+	connectionType ConnectionType,
+	isReconnection bool,
+	timestamps ConnectionStageTimestamps,
+) {
+	var signalingReceivedToConnection, connectionToWgHandshake, totalDuration float64
+
+	if !timestamps.SignalingReceived.IsZero() && !timestamps.ConnectionReady.IsZero() {
+		signalingReceivedToConnection = timestamps.ConnectionReady.Sub(timestamps.SignalingReceived).Seconds()
+	}
+
+	if !timestamps.ConnectionReady.IsZero() && !timestamps.WgHandshakeSuccess.IsZero() {
+		connectionToWgHandshake = timestamps.WgHandshakeSuccess.Sub(timestamps.ConnectionReady).Seconds()
+	}
+
+	if !timestamps.SignalingReceived.IsZero() && !timestamps.WgHandshakeSuccess.IsZero() {
+		totalDuration = timestamps.WgHandshakeSuccess.Sub(timestamps.SignalingReceived).Seconds()
+	}
+
+	attemptType := "initial"
+	if isReconnection {
+		attemptType = "reconnection"
+	}
+
+	connTypeStr := connectionType.String()
+	tags := fmt.Sprintf("deployment_type=%s,connection_type=%s,attempt_type=%s,version=%s,os=%s,arch=%s,peer_id=%s,connection_pair_id=%s",
+		agentInfo.DeploymentType.String(),
+		connTypeStr,
+		attemptType,
+		agentInfo.Version,
+		agentInfo.OS,
+		agentInfo.Arch,
+		agentInfo.peerID,
+		connectionPairID,
+	)
+
+	now := time.Now()
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.samples = append(m.samples, influxSample{
+		measurement: "netbird_peer_connection",
+		tags:        tags,
+		fields: map[string]float64{
+			"signaling_to_connection_seconds":    signalingReceivedToConnection,
+			"connection_to_wg_handshake_seconds": connectionToWgHandshake,
+			"total_seconds":                      totalDuration,
+		},
+		timestamp: now,
+	})
+	m.trimLocked()
+
+	log.Tracef("peer connection metrics [%s, %s, %s]: signalingReceived→connection: %.3fs, connection→wg_handshake: %.3fs, total: %.3fs",
+		agentInfo.DeploymentType.String(), connTypeStr, attemptType, signalingReceivedToConnection, connectionToWgHandshake, totalDuration)
+}
+
+func (m *influxDBMetrics) RecordSyncDuration(_ context.Context, agentInfo AgentInfo, duration time.Duration) {
+	tags := fmt.Sprintf("deployment_type=%s,version=%s,os=%s,arch=%s,peer_id=%s",
+		agentInfo.DeploymentType.String(),
+		agentInfo.Version,
+		agentInfo.OS,
+		agentInfo.Arch,
+		agentInfo.peerID,
+	)
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.samples = append(m.samples, influxSample{
+		measurement: "netbird_sync",
+		tags:        tags,
+		fields: map[string]float64{
+			"duration_seconds": duration.Seconds(),
+		},
+		timestamp: time.Now(),
+	})
+	m.trimLocked()
+}
+
+func (m *influxDBMetrics) RecordLoginDuration(_ context.Context, agentInfo AgentInfo, duration time.Duration, success bool) {
+	result := "success"
+	if !success {
+		result = "failure"
+	}
+
+	tags := fmt.Sprintf("deployment_type=%s,result=%s,version=%s,os=%s,arch=%s,peer_id=%s",
+		agentInfo.DeploymentType.String(),
+		result,
+		agentInfo.Version,
+		agentInfo.OS,
+		agentInfo.Arch,
+		agentInfo.peerID,
+	)
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.samples = append(m.samples, influxSample{
+		measurement: "netbird_login",
+		tags:        tags,
+		fields: map[string]float64{
+			"duration_seconds": duration.Seconds(),
+		},
+		timestamp: time.Now(),
+	})
+	m.trimLocked()
+
+	log.Tracef("login metrics [%s, %s]: duration=%.3fs", agentInfo.DeploymentType.String(), result, duration.Seconds())
+}
+
+// Export writes pending samples in InfluxDB line protocol format.
+// Format: measurement,tag=val,tag=val field=val,field=val timestamp_ns
+func (m *influxDBMetrics) Export(w io.Writer) error {
+	m.mu.Lock()
+	samples := make([]influxSample, len(m.samples))
+	copy(samples, m.samples)
+	m.mu.Unlock()
+
+	for _, s := range samples {
+		if _, err := fmt.Fprintf(w, "%s,%s ", s.measurement, s.tags); err != nil {
+			return err
+		}
+
+		sortedKeys := slices.Sorted(maps.Keys(s.fields))
+		first := true
+		for _, k := range sortedKeys {
+			if !first {
+				if _, err := fmt.Fprint(w, ","); err != nil {
+					return err
+				}
+			}
+			if _, err := fmt.Fprintf(w, "%s=%g", k, s.fields[k]); err != nil {
+				return err
+			}
+			first = false
+		}
+
+		if _, err := fmt.Fprintf(w, " %d\n", s.timestamp.UnixNano()); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Reset clears pending samples after a successful push
+func (m *influxDBMetrics) Reset() {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.samples = m.samples[:0]
+}
+
+// trimLocked removes samples that exceed age or size limits.
+// Must be called with m.mu held.
+func (m *influxDBMetrics) trimLocked() {
+	now := time.Now()
+
+	// drop samples older than maxSampleAge
+	cutoff := 0
+	for cutoff < len(m.samples) && now.Sub(m.samples[cutoff].timestamp) > maxSampleAge {
+		cutoff++
+	}
+	if cutoff > 0 {
+		copy(m.samples, m.samples[cutoff:])
+		m.samples = m.samples[:len(m.samples)-cutoff]
+		log.Debugf("influxdb metrics: dropped %d samples older than %s", cutoff, maxSampleAge)
+	}
+
+	// drop oldest samples if estimated size exceeds maxBufferSize
+	maxSamples := maxBufferSize / estimatedSampleSize
+	if len(m.samples) > maxSamples {
+		drop := len(m.samples) - maxSamples
+		copy(m.samples, m.samples[drop:])
+		m.samples = m.samples[:maxSamples]
+		log.Debugf("influxdb metrics: dropped %d oldest samples to stay under %d MB size limit", drop, maxBufferSize/(1024*1024))
+	}
+}

client/internal/metrics/influxdb_test.go

@@ -0,0 +1,229 @@
+package metrics
+
+import (
+	"bytes"
+	"context"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestInfluxDBMetrics_RecordAndExport(t *testing.T) {
+	m := newInfluxDBMetrics().(*influxDBMetrics)
+
+	agentInfo := AgentInfo{
+		DeploymentType: DeploymentTypeCloud,
+		Version:        "1.0.0",
+		OS:             "linux",
+		Arch:           "amd64",
+		peerID:         "abc123",
+	}
+
+	ts := ConnectionStageTimestamps{
+		SignalingReceived:  time.Now().Add(-3 * time.Second),
+		ConnectionReady:    time.Now().Add(-2 * time.Second),
+		WgHandshakeSuccess: time.Now().Add(-1 * time.Second),
+	}
+
+	m.RecordConnectionStages(context.Background(), agentInfo, "pair123", ConnectionTypeICE, false, ts)
+
+	var buf bytes.Buffer
+	err := m.Export(&buf)
+	require.NoError(t, err)
+
+	output := buf.String()
+	assert.Contains(t, output, "netbird_peer_connection,")
+	assert.Contains(t, output, "connection_to_wg_handshake_seconds=")
+	assert.Contains(t, output, "signaling_to_connection_seconds=")
+	assert.Contains(t, output, "total_seconds=")
+}
+
+func TestInfluxDBMetrics_ExportDeterministicFieldOrder(t *testing.T) {
+	m := newInfluxDBMetrics().(*influxDBMetrics)
+
+	agentInfo := AgentInfo{
+		DeploymentType: DeploymentTypeCloud,
+		Version:        "1.0.0",
+		OS:             "linux",
+		Arch:           "amd64",
+		peerID:         "abc123",
+	}
+
+	ts := ConnectionStageTimestamps{
+		SignalingReceived:  time.Now().Add(-3 * time.Second),
+		ConnectionReady:    time.Now().Add(-2 * time.Second),
+		WgHandshakeSuccess: time.Now().Add(-1 * time.Second),
+	}
+
+	// Record multiple times and verify consistent field order
+	for i := 0; i < 10; i++ {
+		m.RecordConnectionStages(context.Background(), agentInfo, "pair123", ConnectionTypeICE, false, ts)
+	}
+
+	var buf bytes.Buffer
+	err := m.Export(&buf)
+	require.NoError(t, err)
+
+	lines := strings.Split(strings.TrimSpace(buf.String()), "\n")
+	require.Len(t, lines, 10)
+
+	// Extract field portion from each line and verify they're all identical
+	var fieldSections []string
+	for _, line := range lines {
+		parts := strings.SplitN(line, " ", 3)
+		require.Len(t, parts, 3, "each line should have measurement, fields, timestamp")
+		fieldSections = append(fieldSections, parts[1])
+	}
+
+	for i := 1; i < len(fieldSections); i++ {
+		assert.Equal(t, fieldSections[0], fieldSections[i], "field order should be deterministic across samples")
+	}
+
+	// Fields should be alphabetically sorted
+	assert.True(t, strings.HasPrefix(fieldSections[0], "connection_to_wg_handshake_seconds="),
+		"fields should be sorted: connection_to_wg < signaling_to < total")
+}
+
+func TestInfluxDBMetrics_RecordSyncDuration(t *testing.T) {
+	m := newInfluxDBMetrics().(*influxDBMetrics)
+
+	agentInfo := AgentInfo{
+		DeploymentType: DeploymentTypeSelfHosted,
+		Version:        "2.0.0",
+		OS:             "darwin",
+		Arch:           "arm64",
+		peerID:         "def456",
+	}
+
+	m.RecordSyncDuration(context.Background(), agentInfo, 1500*time.Millisecond)
+
+	var buf bytes.Buffer
+	err := m.Export(&buf)
+	require.NoError(t, err)
+
+	output := buf.String()
+	assert.Contains(t, output, "netbird_sync,")
+	assert.Contains(t, output, "duration_seconds=1.5")
+	assert.Contains(t, output, "deployment_type=selfhosted")
+}
+
+func TestInfluxDBMetrics_Reset(t *testing.T) {
+	m := newInfluxDBMetrics().(*influxDBMetrics)
+
+	agentInfo := AgentInfo{
+		DeploymentType: DeploymentTypeCloud,
+		Version:        "1.0.0",
+		OS:             "linux",
+		Arch:           "amd64",
+		peerID:         "abc123",
+	}
+
+	m.RecordSyncDuration(context.Background(), agentInfo, time.Second)
+
+	var buf bytes.Buffer
+	err := m.Export(&buf)
+	require.NoError(t, err)
+	assert.NotEmpty(t, buf.String())
+
+	m.Reset()
+
+	buf.Reset()
+	err = m.Export(&buf)
+	require.NoError(t, err)
+	assert.Empty(t, buf.String(), "should be empty after reset")
+}
+
+func TestInfluxDBMetrics_ExportEmpty(t *testing.T) {
+	m := newInfluxDBMetrics().(*influxDBMetrics)
+
+	var buf bytes.Buffer
+	err := m.Export(&buf)
+	require.NoError(t, err)
+	assert.Empty(t, buf.String())
+}
+
+func TestInfluxDBMetrics_TrimByAge(t *testing.T) {
+	m := newInfluxDBMetrics().(*influxDBMetrics)
+
+	m.mu.Lock()
+	m.samples = append(m.samples, influxSample{
+		measurement: "old",
+		tags:        "t=1",
+		fields:      map[string]float64{"v": 1},
+		timestamp:   time.Now().Add(-maxSampleAge - time.Hour),
+	})
+	m.trimLocked()
+	remaining := len(m.samples)
+	m.mu.Unlock()
+
+	assert.Equal(t, 0, remaining, "old samples should be trimmed")
+}
+
+func TestInfluxDBMetrics_RecordLoginDuration(t *testing.T) {
+	m := newInfluxDBMetrics().(*influxDBMetrics)
+
+	agentInfo := AgentInfo{
+		DeploymentType: DeploymentTypeCloud,
+		Version:        "1.0.0",
+		OS:             "linux",
+		Arch:           "amd64",
+		peerID:         "abc123",
+	}
+
+	m.RecordLoginDuration(context.Background(), agentInfo, 2500*time.Millisecond, true)
+
+	var buf bytes.Buffer
+	err := m.Export(&buf)
+	require.NoError(t, err)
+
+	output := buf.String()
+	assert.Contains(t, output, "netbird_login,")
+	assert.Contains(t, output, "duration_seconds=2.5")
+	assert.Contains(t, output, "result=success")
+}
+
+func TestInfluxDBMetrics_RecordLoginDurationFailure(t *testing.T) {
+	m := newInfluxDBMetrics().(*influxDBMetrics)
+
+	agentInfo := AgentInfo{
+		DeploymentType: DeploymentTypeSelfHosted,
+		Version:        "1.0.0",
+		OS:             "darwin",
+		Arch:           "arm64",
+		peerID:         "xyz789",
+	}
+
+	m.RecordLoginDuration(context.Background(), agentInfo, 5*time.Second, false)
+
+	var buf bytes.Buffer
+	err := m.Export(&buf)
+	require.NoError(t, err)
+
+	output := buf.String()
+	assert.Contains(t, output, "netbird_login,")
+	assert.Contains(t, output, "result=failure")
+	assert.Contains(t, output, "deployment_type=selfhosted")
+}
+
+func TestInfluxDBMetrics_TrimBySize(t *testing.T) {
+	m := newInfluxDBMetrics().(*influxDBMetrics)
+
+	maxSamples := maxBufferSize / estimatedSampleSize
+	m.mu.Lock()
+	for i := 0; i < maxSamples+100; i++ {
+		m.samples = append(m.samples, influxSample{
+			measurement: "test",
+			tags:        "t=1",
+			fields:      map[string]float64{"v": float64(i)},
+			timestamp:   time.Now(),
+		})
+	}
+	m.trimLocked()
+	remaining := len(m.samples)
+	m.mu.Unlock()
+
+	assert.Equal(t, maxSamples, remaining, "should trim to max samples")
+}

client/internal/metrics/infra/.env.example

@@ -0,0 +1,16 @@
+# Copy to .env and adjust values before running docker compose
+
+# InfluxDB admin (server-side only, never exposed to clients)
+INFLUXDB_ADMIN_PASSWORD=changeme
+INFLUXDB_ADMIN_TOKEN=changeme
+
+# Grafana admin credentials
+GRAFANA_ADMIN_USER=admin
+GRAFANA_ADMIN_PASSWORD=changeme
+
+# Remote config served by ingest at /config
+# Set CONFIG_METRICS_SERVER_URL to the ingest server's public address to enable
+CONFIG_METRICS_SERVER_URL=
+CONFIG_VERSION_SINCE=0.0.0
+CONFIG_VERSION_UNTIL=99.99.99
+CONFIG_PERIOD_MINUTES=5

client/internal/metrics/infra/.gitignore

@@ -0,0 +1 @@
+.env

client/internal/metrics/infra/README.md

@@ -0,0 +1,194 @@
+# Client Metrics
+
+Internal documentation for the NetBird client metrics system.
+
+## Overview
+
+Client metrics track connection performance and sync durations using InfluxDB line protocol (`influxdb.go`). Each event is pushed once then cleared.
+
+Metrics collection is always active (for debug bundles). Push to backend is:
+- Disabled by default (opt-in via `NB_METRICS_PUSH_ENABLED=true`)
+- Managed at daemon layer (survives engine restarts)
+
+## Architecture
+
+### Layer Separation
+
+```text
+Daemon Layer (connect.go)
+  ├─ Creates ClientMetrics instance once
+  ├─ Starts/stops push lifecycle
+  └─ Updates AgentInfo on profile switch
+      │
+      ▼
+Engine Layer (engine.go)
+  └─ Records metrics via ClientMetrics methods
+```
+
+### Ingest Server
+
+Clients do not talk to InfluxDB directly. An ingest server sits between clients and InfluxDB:
+
+```text
+Client ──POST──▶ Ingest Server (:8087) ──▶ InfluxDB (internal)
+                  │
+                  ├─ Validates line protocol
+                  ├─ Allowlists measurements, fields, and tags
+                  ├─ Rejects out-of-bound values
+                  └─ Serves remote config at /config
+```
+
+- **No secret/token-based client auth** — the ingest server holds the InfluxDB token server-side. Clients must send a hashed peer ID via `X-Peer-ID` header.
+- **InfluxDB is not exposed** — only accessible within the docker network
+- Source: `ingest/main.go`
+
+## Metrics Collected
+
+### Connection Stage Timing
+
+Measurement: `netbird_peer_connection`
+
+| Field | Timestamps | Description |
+|-------|-----------|-------------|
+| `signaling_to_connection_seconds` | `SignalingReceived → ConnectionReady` | ICE/relay negotiation time after the first signal is received from the remote peer |
+| `connection_to_wg_handshake_seconds` | `ConnectionReady → WgHandshakeSuccess` | WireGuard cryptographic handshake latency once the transport layer is ready |
+| `total_seconds` | `SignalingReceived → WgHandshakeSuccess` | End-to-end connection time anchored at the first received signal |
+
+Tags:
+- `deployment_type`: "cloud" | "selfhosted" | "unknown"
+- `connection_type`: "ice" | "relay"
+- `attempt_type`: "initial" | "reconnection"
+- `version`: NetBird version string
+- `os`: Operating system (linux, darwin, windows, android, ios, etc.)
+- `arch`: CPU architecture (amd64, arm64, etc.)
+
+**Note:** `SignalingReceived` is set when the first offer or answer arrives from the remote peer (in both initial and reconnection paths). It excludes the potentially unbounded wait for the remote peer to come online.
+
+### Sync Duration
+
+Measurement: `netbird_sync`
+
+| Field | Description |
+|-------|-------------|
+| `duration_seconds` | Time to process a sync message from management server |
+
+Tags:
+- `deployment_type`: "cloud" | "selfhosted" | "unknown"
+- `version`: NetBird version string
+- `os`: Operating system (linux, darwin, windows, android, ios, etc.)
+- `arch`: CPU architecture (amd64, arm64, etc.)
+
+### Login Duration
+
+Measurement: `netbird_login`
+
+| Field | Description |
+|-------|-------------|
+| `duration_seconds` | Time to complete the login/auth exchange with management server |
+
+Tags:
+- `deployment_type`: "cloud" | "selfhosted" | "unknown"
+- `result`: "success" | "failure"
+- `version`: NetBird version string
+- `os`: Operating system (linux, darwin, windows, android, ios, etc.)
+- `arch`: CPU architecture (amd64, arm64, etc.)
+
+## Buffer Limits
+
+The InfluxDB backend limits in-memory sample storage to prevent unbounded growth when pushes fail:
+- **Max age:** Samples older than 5 days are dropped
+- **Max size:** Estimated buffer size capped at 5 MB (~20k samples)
+
+## Configuration
+
+### Client Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `NB_METRICS_PUSH_ENABLED` | `false` | Enable metrics push to backend |
+| `NB_METRICS_SERVER_URL` | *(from remote config)* | Ingest server URL (e.g., `https://ingest.netbird.io`) |
+| `NB_METRICS_INTERVAL` | *(from remote config)* | Push interval (e.g., "1m", "30m", "4h") |
+| `NB_METRICS_FORCE_SENDING` | `false` | Skip remote config, push unconditionally |
+| `NB_METRICS_CONFIG_URL` | `https://ingest.netbird.io/config` | Remote push config URL |
+
+`NB_METRICS_SERVER_URL` and `NB_METRICS_INTERVAL` override their respective values but do not bypass remote config eligibility checks (version range). Use `NB_METRICS_FORCE_SENDING=true` to skip all remote config gating.
+
+### Ingest Server Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `INGEST_LISTEN_ADDR` | `:8087` | Listen address |
+| `INFLUXDB_URL` | `http://influxdb:8086/api/v2/write?org=netbird&bucket=metrics&precision=ns` | InfluxDB write endpoint |
+| `INFLUXDB_TOKEN` | *(required)* | InfluxDB auth token (server-side only) |
+| `CONFIG_METRICS_SERVER_URL` | *(empty — disables /config)* | `server_url` in the remote config JSON (the URL clients push metrics to) |
+| `CONFIG_VERSION_SINCE` | `0.0.0` | Minimum client version to push metrics |
+| `CONFIG_VERSION_UNTIL` | `99.99.99` | Maximum client version to push metrics |
+| `CONFIG_PERIOD_MINUTES` | `5` | Push interval in minutes |
+
+The ingest server serves a remote config JSON at `GET /config` when `CONFIG_METRICS_SERVER_URL` is set. Clients can use `NB_METRICS_CONFIG_URL=http://<ingest>/config` to fetch it.
+
+### Configuration Precedence
+
+For URL and Interval, the precedence is:
+1. **Environment variable** - `NB_METRICS_SERVER_URL` / `NB_METRICS_INTERVAL`
+2. **Remote config** - fetched from `NB_METRICS_CONFIG_URL`
+3. **Default** - 5 minute interval, URL from remote config
+
+## Push Behavior
+
+1. `StartPush()` spawns background goroutine with timer
+2. First push happens immediately on startup
+3. Periodically: `push()` → `Export()` → HTTP POST to ingest server
+4. On failure: log error, continue (non-blocking)
+5. On success: `Reset()` clears pushed samples
+6. `StopPush()` cancels context and waits for goroutine
+
+Samples are collected with exact timestamps, pushed once, then cleared. No data is resent.
+
+## Local Development Setup
+
+### 1. Configure and Start Services
+
+```bash
+# From this directory (client/internal/metrics/infra)
+cp .env.example .env
+# Edit .env to set INFLUXDB_ADMIN_PASSWORD, INFLUXDB_ADMIN_TOKEN, and GRAFANA_ADMIN_PASSWORD
+docker compose up -d
+```
+
+This starts:
+- **Ingest server** on http://localhost:8087 — accepts client metrics (requires `X-Peer-ID` header, no secret/token auth)
+- **InfluxDB** — internal only, not exposed to host
+- **Grafana** on http://localhost:3001
+
+### 2. Configure Client
+
+```bash
+export NB_METRICS_PUSH_ENABLED=true
+export NB_METRICS_FORCE_SENDING=true
+export NB_METRICS_SERVER_URL=http://localhost:8087
+export NB_METRICS_INTERVAL=1m
+```
+
+### 3. Run Client
+
+```bash
+cd ../../../..
+go run ./client/ up
+```
+
+### 4. View in Grafana
+
+- **InfluxDB dashboard:** http://localhost:3001/d/netbird-influxdb-metrics
+
+### 5. Verify Data
+
+```bash
+# Query via InfluxDB (using admin token from .env)
+docker compose exec influxdb influx query \
+  'from(bucket: "metrics") |> range(start: -1h)' \
+  --org netbird
+
+# Check ingest server health
+curl http://localhost:8087/health
+```

client/internal/metrics/infra/docker-compose.yml

@@ -0,0 +1,69 @@
+version: '3.8'
+
+services:
+  ingest:
+    container_name: ingest
+    build:
+      context: ./ingest
+    ports:
+      - "8087:8087"
+    environment:
+      - INGEST_LISTEN_ADDR=:8087
+      - INFLUXDB_URL=http://influxdb:8086/api/v2/write?org=netbird&bucket=metrics&precision=ns
+      - INFLUXDB_TOKEN=${INFLUXDB_ADMIN_TOKEN:?required}
+      - CONFIG_METRICS_SERVER_URL=${CONFIG_METRICS_SERVER_URL:-}
+      - CONFIG_VERSION_SINCE=${CONFIG_VERSION_SINCE:-0.0.0}
+      - CONFIG_VERSION_UNTIL=${CONFIG_VERSION_UNTIL:-99.99.99}
+      - CONFIG_PERIOD_MINUTES=${CONFIG_PERIOD_MINUTES:-5}
+    depends_on:
+      - influxdb
+    restart: unless-stopped
+    networks:
+      - metrics
+
+  influxdb:
+    container_name: influxdb
+    image: influxdb:2
+    # No ports exposed — only accessible within the metrics network
+    volumes:
+      - influxdb-data:/var/lib/influxdb2
+      - ./influxdb/scripts:/docker-entrypoint-initdb.d
+    environment:
+      - DOCKER_INFLUXDB_INIT_MODE=setup
+      - DOCKER_INFLUXDB_INIT_USERNAME=admin
+      - DOCKER_INFLUXDB_INIT_PASSWORD=${INFLUXDB_ADMIN_PASSWORD:?required}
+      - DOCKER_INFLUXDB_INIT_ORG=netbird
+      - DOCKER_INFLUXDB_INIT_BUCKET=metrics
+      - DOCKER_INFLUXDB_INIT_RETENTION=365d
+      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=${INFLUXDB_ADMIN_TOKEN:-}
+    restart: unless-stopped
+    networks:
+      - metrics
+
+  grafana:
+    container_name: grafana
+    image: grafana/grafana:11.6.0
+    ports:
+      - "3001:3000"
+    environment:
+      - GF_SECURITY_ADMIN_USER=${GRAFANA_ADMIN_USER:-admin}
+      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:?required}
+      - GF_USERS_ALLOW_SIGN_UP=false
+      - GF_INSTALL_PLUGINS=
+      - INFLUXDB_ADMIN_TOKEN=${INFLUXDB_ADMIN_TOKEN:-}
+    volumes:
+      - grafana-data:/var/lib/grafana
+      - ./grafana/provisioning:/etc/grafana/provisioning
+    depends_on:
+      - influxdb
+    restart: unless-stopped
+    networks:
+      - metrics
+
+volumes:
+  influxdb-data:
+  grafana-data:
+
+networks:
+  metrics:
+    driver: bridge

client/internal/metrics/infra/grafana/provisioning/dashboards/dashboard.yml

@@ -0,0 +1,12 @@
+apiVersion: 1
+
+providers:
+  - name: 'NetBird Dashboards'
+    orgId: 1
+    folder: ''
+    type: file
+    disableDeletion: false
+    updateIntervalSeconds: 10
+    allowUiUpdates: true
+    options:
+      path: /etc/grafana/provisioning/dashboards/json

client/internal/metrics/infra/grafana/provisioning/dashboards/json/netbird-influxdb-metrics.json

@@ -0,0 +1,280 @@
+{
+  "uid": "netbird-influxdb-metrics",
+  "title": "NetBird Client Metrics (InfluxDB)",
+  "tags": ["netbird", "connections", "influxdb"],
+  "timezone": "browser",
+  "panels": [
+    {
+      "id": 5,
+      "title": "Sync Duration Extremes",
+      "type": "stat",
+      "datasource": {
+        "type": "influxdb",
+        "uid": "influxdb"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 0,
+        "y": 0
+      },
+      "targets": [
+        {
+          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_sync\" and r._field == \"duration_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"version\", \"os\", \"arch\", \"peer_id\"])\n  |> min()\n  |> set(key: \"_field\", value: \"Min\")",
+          "refId": "A"
+        },
+        {
+          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_sync\" and r._field == \"duration_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"version\", \"os\", \"arch\", \"peer_id\"])\n  |> max()\n  |> set(key: \"_field\", value: \"Max\")",
+          "refId": "B"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "unit": "ms",
+          "min": 0
+        }
+      },
+      "options": {
+        "reduceOptions": {
+          "calcs": ["lastNotNull"]
+        },
+        "colorMode": "value",
+        "graphMode": "none",
+        "textMode": "auto"
+      }
+    },
+    {
+      "id": 6,
+      "title": "Total Connection Time Extremes",
+      "type": "stat",
+      "datasource": {
+        "type": "influxdb",
+        "uid": "influxdb"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 12,
+        "y": 0
+      },
+      "targets": [
+        {
+          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_peer_connection\" and r._field == \"total_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"connection_type\", \"attempt_type\", \"version\", \"os\", \"arch\", \"peer_id\", \"connection_pair_id\"])\n  |> min()\n  |> set(key: \"_field\", value: \"Min\")",
+          "refId": "A"
+        },
+        {
+          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_peer_connection\" and r._field == \"total_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"connection_type\", \"attempt_type\", \"version\", \"os\", \"arch\", \"peer_id\", \"connection_pair_id\"])\n  |> max()\n  |> set(key: \"_field\", value: \"Max\")",
+          "refId": "B"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "unit": "ms",
+          "min": 0
+        }
+      },
+      "options": {
+        "reduceOptions": {
+          "calcs": ["lastNotNull"]
+        },
+        "colorMode": "value",
+        "graphMode": "none",
+        "textMode": "auto"
+      }
+    },
+    {
+      "id": 1,
+      "title": "Sync Duration",
+      "type": "timeseries",
+      "datasource": {
+        "type": "influxdb",
+        "uid": "influxdb"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 0,
+        "y": 8
+      },
+      "targets": [
+        {
+          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_sync\" and r._field == \"duration_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"version\", \"os\", \"arch\", \"peer_id\"])\n  |> set(key: \"_field\", value: \"Sync Duration\")",
+          "refId": "A"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "unit": "ms",
+          "min": 0,
+          "custom": {
+            "drawStyle": "points",
+            "pointSize": 5
+          }
+        }
+      }
+    },
+    {
+      "id": 4,
+      "title": "ICE vs Relay",
+      "type": "piechart",
+      "datasource": {
+        "type": "influxdb",
+        "uid": "influxdb"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 12,
+        "y": 8
+      },
+      "targets": [
+        {
+          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_peer_connection\" and r._field == \"total_seconds\")\n  |> drop(columns: [\"deployment_type\", \"attempt_type\", \"version\", \"os\", \"arch\", \"peer_id\"])\n  |> group(columns: [\"connection_pair_id\"])\n  |> last()\n  |> group(columns: [\"connection_type\"])\n  |> count()",
+          "refId": "A"
+        }
+      ],
+      "options": {
+        "reduceOptions": {
+          "calcs": ["lastNotNull"]
+        },
+        "pieType": "donut",
+        "tooltip": {
+          "mode": "multi"
+        }
+      }
+    },
+    {
+      "id": 2,
+      "title": "Connection Stage Durations (avg)",
+      "type": "bargauge",
+      "datasource": {
+        "type": "influxdb",
+        "uid": "influxdb"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 0,
+        "y": 16
+      },
+      "targets": [
+        {
+          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_peer_connection\" and r._field == \"signaling_to_connection_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"connection_type\", \"attempt_type\", \"version\", \"os\", \"arch\", \"peer_id\", \"connection_pair_id\"])\n  |> mean()\n  |> drop(columns: [\"_start\", \"_stop\", \"_measurement\", \"_time\", \"_field\"])\n  |> rename(columns: {_value: \"Avg Signaling to Connection\"})",
+          "refId": "A"
+        },
+        {
+          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_peer_connection\" and r._field == \"connection_to_wg_handshake_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"connection_type\", \"attempt_type\", \"version\", \"os\", \"arch\", \"peer_id\", \"connection_pair_id\"])\n  |> mean()\n  |> drop(columns: [\"_start\", \"_stop\", \"_measurement\", \"_time\", \"_field\"])\n  |> rename(columns: {_value: \"Avg Connection to WG Handshake\"})",
+          "refId": "B"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "unit": "ms",
+          "min": 0
+        }
+      },
+      "options": {
+        "reduceOptions": {
+          "calcs": ["lastNotNull"]
+        },
+        "orientation": "horizontal",
+        "displayMode": "gradient"
+      }
+    },
+    {
+      "id": 3,
+      "title": "Total Connection Time",
+      "type": "timeseries",
+      "datasource": {
+        "type": "influxdb",
+        "uid": "influxdb"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 12,
+        "y": 16
+      },
+      "targets": [
+        {
+          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_peer_connection\" and r._field == \"total_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"connection_type\", \"attempt_type\", \"version\", \"os\", \"arch\", \"peer_id\", \"connection_pair_id\"])\n  |> set(key: \"_field\", value: \"Total Connection Time\")",
+          "refId": "A"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "unit": "ms",
+          "min": 0,
+          "custom": {
+            "drawStyle": "points",
+            "pointSize": 5
+          }
+        }
+      }
+    },
+    {
+      "id": 7,
+      "title": "Login Duration",
+      "type": "timeseries",
+      "datasource": {
+        "type": "influxdb",
+        "uid": "influxdb"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 0,
+        "y": 24
+      },
+      "targets": [
+        {
+          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_login\" and r._field == \"duration_seconds\")\n  |> map(fn: (r) => ({r with _value: r._value * 1000.0}))\n  |> drop(columns: [\"deployment_type\", \"version\", \"os\", \"arch\", \"peer_id\"])\n  |> set(key: \"_field\", value: \"Login Duration\")",
+          "refId": "A"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "unit": "ms",
+          "min": 0,
+          "custom": {
+            "drawStyle": "points",
+            "pointSize": 5
+          }
+        }
+      }
+    },
+    {
+      "id": 8,
+      "title": "Login Success vs Failure",
+      "type": "piechart",
+      "datasource": {
+        "type": "influxdb",
+        "uid": "influxdb"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 12,
+        "y": 24
+      },
+      "targets": [
+        {
+          "query": "from(bucket: \"metrics\")\n  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |> filter(fn: (r) => r._measurement == \"netbird_login\" and r._field == \"duration_seconds\")\n  |> drop(columns: [\"deployment_type\", \"version\", \"os\", \"arch\", \"peer_id\"])\n  |> group(columns: [\"result\"])\n  |> count()",
+          "refId": "A"
+        }
+      ],
+      "options": {
+        "reduceOptions": {
+          "calcs": ["lastNotNull"]
+        },
+        "pieType": "donut",
+        "tooltip": {
+          "mode": "multi"
+        }
+      }
+    }
+  ],
+  "schemaVersion": 27,
+  "version": 2,
+  "refresh": "30s"
+}

client/internal/metrics/infra/grafana/provisioning/datasources/influxdb.yml

@@ -0,0 +1,15 @@
+apiVersion: 1
+
+datasources:
+  - name: InfluxDB
+    uid: influxdb
+    type: influxdb
+    access: proxy
+    url: http://influxdb:8086
+    editable: true
+    jsonData:
+      version: Flux
+      organization: netbird
+      defaultBucket: metrics
+    secureJsonData:
+      token: ${INFLUXDB_ADMIN_TOKEN}

client/internal/metrics/infra/influxdb/scripts/create-tokens.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# Creates a scoped InfluxDB read-only token for Grafana.
+# Clients do not need a token — they push via the ingest server.
+
+BUCKET_ID=$(influx bucket list --org netbird --name metrics --json | grep -oP '"id"\s*:\s*"\K[^"]+' | head -1)
+ORG_ID=$(influx org list --name netbird --json | grep -oP '"id"\s*:\s*"\K[^"]+' | head -1)
+
+if [[ -z "$BUCKET_ID" ]] || [[ -z "$ORG_ID" ]]; then
+  echo "ERROR: Could not determine bucket or org ID" >&2
+  echo "BUCKET_ID=$BUCKET_ID ORG_ID=$ORG_ID" >&2
+  exit 1
+fi
+
+# Create read-only token for Grafana
+READ_TOKEN=$(influx auth create \
+  --org netbird \
+  --read-bucket "$BUCKET_ID" \
+  --description "Grafana read-only token" \
+  --json | grep -oP '"token"\s*:\s*"\K[^"]+' | head -1)
+
+echo ""
+echo "============================================"
+echo "GRAFANA READ-ONLY TOKEN:"
+echo "$READ_TOKEN"
+echo "============================================"

client/internal/metrics/infra/ingest/Dockerfile

@@ -0,0 +1,10 @@
+FROM golang:1.25-alpine AS build
+WORKDIR /app
+COPY go.mod main.go ./
+RUN CGO_ENABLED=0 go build -o ingest .
+
+FROM alpine:3.20
+RUN adduser -D -H ingest
+COPY --from=build /app/ingest /usr/local/bin/ingest
+USER ingest
+ENTRYPOINT ["ingest"]

client/internal/metrics/infra/ingest/go.mod

@@ -0,0 +1,11 @@
+module github.com/netbirdio/netbird/client/internal/metrics/infra/ingest
+
+go 1.25
+
+require github.com/stretchr/testify v1.11.1
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

client/internal/metrics/infra/ingest/go.sum

@@ -0,0 +1,10 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

client/internal/metrics/infra/ingest/main.go

@@ -0,0 +1,355 @@
+package main
+
+import (
+	"bytes"
+	"compress/gzip"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+)
+
+const (
+	defaultListenAddr  = ":8087"
+	defaultInfluxDBURL = "http://influxdb:8086/api/v2/write?org=netbird&bucket=metrics&precision=ns"
+	maxBodySize        = 50 * 1024 * 1024 // 50 MB max request body
+	maxDurationSeconds = 300.0            // reject any duration field > 5 minutes
+	peerIDLength       = 16               // truncated SHA-256: 8 bytes = 16 hex chars
+	maxTagValueLength  = 64               // reject tag values longer than this
+)
+
+type measurementSpec struct {
+	allowedFields map[string]bool
+	allowedTags   map[string]bool
+}
+
+var allowedMeasurements = map[string]measurementSpec{
+	"netbird_peer_connection": {
+		allowedFields: map[string]bool{
+			"signaling_to_connection_seconds":    true,
+			"connection_to_wg_handshake_seconds": true,
+			"total_seconds":                      true,
+		},
+		allowedTags: map[string]bool{
+			"deployment_type":    true,
+			"connection_type":    true,
+			"attempt_type":       true,
+			"version":            true,
+			"os":                 true,
+			"arch":               true,
+			"peer_id":            true,
+			"connection_pair_id": true,
+		},
+	},
+	"netbird_sync": {
+		allowedFields: map[string]bool{
+			"duration_seconds": true,
+		},
+		allowedTags: map[string]bool{
+			"deployment_type": true,
+			"version":         true,
+			"os":              true,
+			"arch":            true,
+			"peer_id":         true,
+		},
+	},
+	"netbird_login": {
+		allowedFields: map[string]bool{
+			"duration_seconds": true,
+		},
+		allowedTags: map[string]bool{
+			"deployment_type": true,
+			"result":          true,
+			"version":         true,
+			"os":              true,
+			"arch":            true,
+			"peer_id":         true,
+		},
+	},
+}
+
+func main() {
+	listenAddr := envOr("INGEST_LISTEN_ADDR", defaultListenAddr)
+	influxURL := envOr("INFLUXDB_URL", defaultInfluxDBURL)
+	influxToken := os.Getenv("INFLUXDB_TOKEN")
+
+	if influxToken == "" {
+		log.Fatal("INFLUXDB_TOKEN is required")
+	}
+
+	client := &http.Client{Timeout: 10 * time.Second}
+
+	http.HandleFunc("/", handleIngest(client, influxURL, influxToken))
+
+	// Build config JSON once at startup from env vars
+	configJSON := buildConfigJSON()
+	if configJSON != nil {
+		log.Printf("serving remote config at /config")
+	}
+
+	http.HandleFunc("/config", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet {
+			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+		if configJSON == nil {
+			http.Error(w, "config not configured", http.StatusNotFound)
+			return
+		}
+		w.Header().Set("Content-Type", "application/json")
+		w.Write(configJSON) //nolint:errcheck
+	})
+
+	http.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprint(w, "ok") //nolint:errcheck
+	})
+
+	log.Printf("ingest server listening on %s, forwarding to %s", listenAddr, influxURL)
+	if err := http.ListenAndServe(listenAddr, nil); err != nil { //nolint:gosec
+		log.Fatal(err)
+	}
+}
+
+func handleIngest(client *http.Client, influxURL, influxToken string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+
+		if err := validateAuth(r); err != nil {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return
+		}
+
+		body, err := readBody(r)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+		if len(body) > maxBodySize {
+			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
+			return
+		}
+
+		validated, err := validateLineProtocol(body)
+		if err != nil {
+			log.Printf("WARN validation failed from %s: %v", r.RemoteAddr, err)
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		forwardToInflux(w, r, client, influxURL, influxToken, validated)
+	}
+}
+
+func forwardToInflux(w http.ResponseWriter, r *http.Request, client *http.Client, influxURL, influxToken string, body []byte) {
+	req, err := http.NewRequestWithContext(r.Context(), http.MethodPost, influxURL, bytes.NewReader(body))
+	if err != nil {
+		log.Printf("ERROR create request: %v", err)
+		http.Error(w, "internal error", http.StatusInternalServerError)
+		return
+	}
+	req.Header.Set("Content-Type", "text/plain; charset=utf-8")
+	req.Header.Set("Authorization", "Token "+influxToken)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		log.Printf("ERROR forward to influxdb: %v", err)
+		http.Error(w, "upstream error", http.StatusBadGateway)
+		return
+	}
+	defer func(Body io.ReadCloser) {
+		_ = Body.Close()
+	}(resp.Body)
+
+	w.WriteHeader(resp.StatusCode)
+	io.Copy(w, resp.Body) //nolint:errcheck
+}
+
+// validateAuth checks that the X-Peer-ID header contains a valid hashed peer ID.
+func validateAuth(r *http.Request) error {
+	peerID := r.Header.Get("X-Peer-ID")
+	if peerID == "" {
+		return fmt.Errorf("missing X-Peer-ID header")
+	}
+	if len(peerID) != peerIDLength {
+		return fmt.Errorf("invalid X-Peer-ID header length")
+	}
+	if _, err := hex.DecodeString(peerID); err != nil {
+		return fmt.Errorf("invalid X-Peer-ID header format")
+	}
+	return nil
+}
+
+// readBody reads the request body, decompressing gzip if Content-Encoding indicates it.
+func readBody(r *http.Request) ([]byte, error) {
+	reader := io.LimitReader(r.Body, maxBodySize+1)
+
+	if r.Header.Get("Content-Encoding") == "gzip" {
+		gz, err := gzip.NewReader(reader)
+		if err != nil {
+			return nil, fmt.Errorf("invalid gzip: %w", err)
+		}
+		defer gz.Close()
+		reader = io.LimitReader(gz, maxBodySize+1)
+	}
+
+	return io.ReadAll(reader)
+}
+
+// validateLineProtocol parses InfluxDB line protocol lines,
+// whitelists measurements and fields, and checks value bounds.
+func validateLineProtocol(body []byte) ([]byte, error) {
+	lines := strings.Split(strings.TrimSpace(string(body)), "\n")
+	var valid []string
+
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
+		}
+
+		if err := validateLine(line); err != nil {
+			return nil, err
+		}
+
+		valid = append(valid, line)
+	}
+
+	if len(valid) == 0 {
+		return nil, fmt.Errorf("no valid lines")
+	}
+
+	return []byte(strings.Join(valid, "\n") + "\n"), nil
+}
+
+func validateLine(line string) error {
+	// line protocol: measurement,tag=val,tag=val field=val,field=val timestamp
+	parts := strings.SplitN(line, " ", 3)
+	if len(parts) < 2 {
+		return fmt.Errorf("invalid line protocol: %q", truncate(line, 100))
+	}
+
+	// parts[0] is "measurement,tag=val,tag=val"
+	measurementAndTags := strings.Split(parts[0], ",")
+	measurement := measurementAndTags[0]
+
+	spec, ok := allowedMeasurements[measurement]
+	if !ok {
+		return fmt.Errorf("unknown measurement: %q", measurement)
+	}
+
+	// Validate tags (everything after measurement name in parts[0])
+	for _, tagPair := range measurementAndTags[1:] {
+		if err := validateTag(tagPair, measurement, spec.allowedTags); err != nil {
+			return err
+		}
+	}
+
+	// Validate fields
+	for _, pair := range strings.Split(parts[1], ",") {
+		if err := validateField(pair, measurement, spec.allowedFields); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func validateTag(pair, measurement string, allowedTags map[string]bool) error {
+	kv := strings.SplitN(pair, "=", 2)
+	if len(kv) != 2 {
+		return fmt.Errorf("invalid tag: %q", pair)
+	}
+
+	tagName := kv[0]
+	if !allowedTags[tagName] {
+		return fmt.Errorf("unknown tag %q in measurement %q", tagName, measurement)
+	}
+
+	if len(kv[1]) > maxTagValueLength {
+		return fmt.Errorf("tag value too long for %q: %d > %d", tagName, len(kv[1]), maxTagValueLength)
+	}
+
+	return nil
+}
+
+func validateField(pair, measurement string, allowedFields map[string]bool) error {
+	kv := strings.SplitN(pair, "=", 2)
+	if len(kv) != 2 {
+		return fmt.Errorf("invalid field: %q", pair)
+	}
+
+	fieldName := kv[0]
+	if !allowedFields[fieldName] {
+		return fmt.Errorf("unknown field %q in measurement %q", fieldName, measurement)
+	}
+
+	val, err := strconv.ParseFloat(kv[1], 64)
+	if err != nil {
+		return fmt.Errorf("invalid field value %q for %q", kv[1], fieldName)
+	}
+	if val < 0 {
+		return fmt.Errorf("negative value for %q: %g", fieldName, val)
+	}
+	if strings.HasSuffix(fieldName, "_seconds") && val > maxDurationSeconds {
+		return fmt.Errorf("%q too large: %g > %g", fieldName, val, maxDurationSeconds)
+	}
+
+	return nil
+}
+
+// buildConfigJSON builds the remote config JSON from env vars.
+// Returns nil if required vars are not set.
+func buildConfigJSON() []byte {
+	serverURL := os.Getenv("CONFIG_METRICS_SERVER_URL")
+	versionSince := envOr("CONFIG_VERSION_SINCE", "0.0.0")
+	versionUntil := envOr("CONFIG_VERSION_UNTIL", "99.99.99")
+	periodMinutes := envOr("CONFIG_PERIOD_MINUTES", "5")
+
+	if serverURL == "" {
+		return nil
+	}
+
+	period, err := strconv.Atoi(periodMinutes)
+	if err != nil || period <= 0 {
+		log.Printf("WARN invalid CONFIG_PERIOD_MINUTES: %q, using 5", periodMinutes)
+		period = 5
+	}
+
+	cfg := map[string]any{
+		"server_url":     serverURL,
+		"version-since":  versionSince,
+		"version-until":  versionUntil,
+		"period_minutes": period,
+	}
+
+	data, err := json.Marshal(cfg)
+	if err != nil {
+		log.Printf("ERROR failed to marshal config: %v", err)
+		return nil
+	}
+	return data
+}
+
+func envOr(key, defaultVal string) string {
+	if v := os.Getenv(key); v != "" {
+		return v
+	}
+	return defaultVal
+}
+
+func truncate(s string, n int) string {
+	if len(s) <= n {
+		return s
+	}
+	return s[:n] + "..."
+}

client/internal/metrics/infra/ingest/main_test.go

@@ -0,0 +1,124 @@
+package main
+
+import (
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidateLine_ValidPeerConnection(t *testing.T) {
+	line := `netbird_peer_connection,deployment_type=cloud,connection_type=ice,attempt_type=initial,version=1.0.0,os=linux,arch=amd64,peer_id=abcdef0123456789,connection_pair_id=pair1234 signaling_to_connection_seconds=1.5,connection_to_wg_handshake_seconds=0.5,total_seconds=2 1234567890`
+	assert.NoError(t, validateLine(line))
+}
+
+func TestValidateLine_ValidSync(t *testing.T) {
+	line := `netbird_sync,deployment_type=selfhosted,version=2.0.0,os=darwin,arch=arm64,peer_id=abcdef0123456789 duration_seconds=1.5 1234567890`
+	assert.NoError(t, validateLine(line))
+}
+
+func TestValidateLine_ValidLogin(t *testing.T) {
+	line := `netbird_login,deployment_type=cloud,result=success,version=1.0.0,os=linux,arch=amd64,peer_id=abcdef0123456789 duration_seconds=3.2 1234567890`
+	assert.NoError(t, validateLine(line))
+}
+
+func TestValidateLine_UnknownMeasurement(t *testing.T) {
+	line := `unknown_metric,foo=bar value=1 1234567890`
+	err := validateLine(line)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "unknown measurement")
+}
+
+func TestValidateLine_UnknownTag(t *testing.T) {
+	line := `netbird_sync,deployment_type=cloud,evil_tag=injected,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=1.5 1234567890`
+	err := validateLine(line)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "unknown tag")
+}
+
+func TestValidateLine_UnknownField(t *testing.T) {
+	line := `netbird_sync,deployment_type=cloud,version=1.0.0,os=linux,arch=amd64,peer_id=abc injected_field=1 1234567890`
+	err := validateLine(line)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "unknown field")
+}
+
+func TestValidateLine_NegativeValue(t *testing.T) {
+	line := `netbird_sync,deployment_type=cloud,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=-1.5 1234567890`
+	err := validateLine(line)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "negative")
+}
+
+func TestValidateLine_DurationTooLarge(t *testing.T) {
+	line := `netbird_sync,deployment_type=cloud,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=999 1234567890`
+	err := validateLine(line)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "too large")
+}
+
+func TestValidateLine_TotalSecondsTooLarge(t *testing.T) {
+	line := `netbird_peer_connection,deployment_type=cloud,connection_type=ice,attempt_type=initial,version=1.0.0,os=linux,arch=amd64,peer_id=abc,connection_pair_id=pair total_seconds=500 1234567890`
+	err := validateLine(line)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "too large")
+}
+
+func TestValidateLine_TagValueTooLong(t *testing.T) {
+	longTag := strings.Repeat("a", maxTagValueLength+1)
+	line := `netbird_sync,deployment_type=` + longTag + `,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=1.5 1234567890`
+	err := validateLine(line)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "tag value too long")
+}
+
+func TestValidateLineProtocol_MultipleLines(t *testing.T) {
+	body := []byte(
+		"netbird_sync,deployment_type=cloud,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=1.5 1234567890\n" +
+			"netbird_login,deployment_type=cloud,result=success,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=2.0 1234567890\n",
+	)
+	validated, err := validateLineProtocol(body)
+	require.NoError(t, err)
+	assert.Contains(t, string(validated), "netbird_sync")
+	assert.Contains(t, string(validated), "netbird_login")
+}
+
+func TestValidateLineProtocol_RejectsOnBadLine(t *testing.T) {
+	body := []byte(
+		"netbird_sync,deployment_type=cloud,version=1.0.0,os=linux,arch=amd64,peer_id=abc duration_seconds=1.5 1234567890\n" +
+			"evil_metric,foo=bar value=1 1234567890\n",
+	)
+	_, err := validateLineProtocol(body)
+	require.Error(t, err)
+}
+
+func TestValidateAuth(t *testing.T) {
+	tests := []struct {
+		name    string
+		peerID  string
+		wantErr bool
+	}{
+		{"valid hex", "abcdef0123456789", false},
+		{"empty", "", true},
+		{"too short", "abcdef01234567", true},
+		{"too long", "abcdef01234567890", true},
+		{"invalid hex", "ghijklmnopqrstuv", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r, _ := http.NewRequest(http.MethodPost, "/", nil)
+			if tt.peerID != "" {
+				r.Header.Set("X-Peer-ID", tt.peerID)
+			}
+			err := validateAuth(r)
+			if tt.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}

client/internal/metrics/metrics.go

@@ -0,0 +1,224 @@
+package metrics
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/metrics/remoteconfig"
+)
+
+// AgentInfo holds static information about the agent
+type AgentInfo struct {
+	DeploymentType DeploymentType
+	Version        string
+	OS             string // runtime.GOOS (linux, darwin, windows, etc.)
+	Arch           string // runtime.GOARCH (amd64, arm64, etc.)
+	peerID         string // anonymised peer identifier (SHA-256 of WireGuard public key)
+}
+
+// peerIDFromPublicKey returns a truncated SHA-256 hash (8 bytes / 16 hex chars) of the given WireGuard public key.
+func peerIDFromPublicKey(pubKey string) string {
+	hash := sha256.Sum256([]byte(pubKey))
+	return hex.EncodeToString(hash[:8])
+}
+
+// connectionPairID returns a deterministic identifier for a connection between two peers.
+// It sorts the two peer IDs before hashing so the same pair always produces the same ID
+// regardless of which side computes it.
+func connectionPairID(peerID1, peerID2 string) string {
+	a, b := peerID1, peerID2
+	if a > b {
+		a, b = b, a
+	}
+	hash := sha256.Sum256([]byte(a + b))
+	return hex.EncodeToString(hash[:8])
+}
+
+// metricsImplementation defines the internal interface for metrics implementations
+type metricsImplementation interface {
+	// RecordConnectionStages records connection stage metrics from timestamps
+	RecordConnectionStages(
+		ctx context.Context,
+		agentInfo AgentInfo,
+		connectionPairID string,
+		connectionType ConnectionType,
+		isReconnection bool,
+		timestamps ConnectionStageTimestamps,
+	)
+
+	// RecordSyncDuration records how long it took to process a sync message
+	RecordSyncDuration(ctx context.Context, agentInfo AgentInfo, duration time.Duration)
+
+	// RecordLoginDuration records how long the login to management took
+	RecordLoginDuration(ctx context.Context, agentInfo AgentInfo, duration time.Duration, success bool)
+
+	// Export exports metrics in InfluxDB line protocol format
+	Export(w io.Writer) error
+
+	// Reset clears all collected metrics
+	Reset()
+}
+
+type ClientMetrics struct {
+	impl metricsImplementation
+
+	agentInfo AgentInfo
+	mu        sync.RWMutex
+
+	push       *Push
+	pushMu     sync.Mutex
+	wg         sync.WaitGroup
+	pushCancel context.CancelFunc
+}
+
+// ConnectionStageTimestamps holds timestamps for each connection stage
+type ConnectionStageTimestamps struct {
+	SignalingReceived  time.Time // First signal received from remote peer (both initial and reconnection)
+	ConnectionReady    time.Time
+	WgHandshakeSuccess time.Time
+}
+
+// String returns a human-readable representation of the connection stage timestamps
+func (c ConnectionStageTimestamps) String() string {
+	return fmt.Sprintf("ConnectionStageTimestamps{SignalingReceived=%v, ConnectionReady=%v, WgHandshakeSuccess=%v}",
+		c.SignalingReceived.Format(time.RFC3339Nano),
+		c.ConnectionReady.Format(time.RFC3339Nano),
+		c.WgHandshakeSuccess.Format(time.RFC3339Nano),
+	)
+}
+
+// RecordConnectionStages calculates stage durations from timestamps and records them.
+// remotePubKey is the remote peer's WireGuard public key; it will be hashed for anonymisation.
+func (c *ClientMetrics) RecordConnectionStages(
+	ctx context.Context,
+	remotePubKey string,
+	connectionType ConnectionType,
+	isReconnection bool,
+	timestamps ConnectionStageTimestamps,
+) {
+	if c == nil {
+		return
+	}
+	c.mu.RLock()
+	agentInfo := c.agentInfo
+	c.mu.RUnlock()
+
+	remotePeerID := peerIDFromPublicKey(remotePubKey)
+	pairID := connectionPairID(agentInfo.peerID, remotePeerID)
+	c.impl.RecordConnectionStages(ctx, agentInfo, pairID, connectionType, isReconnection, timestamps)
+}
+
+// RecordSyncDuration records the duration of sync message processing
+func (c *ClientMetrics) RecordSyncDuration(ctx context.Context, duration time.Duration) {
+	if c == nil {
+		return
+	}
+	c.mu.RLock()
+	agentInfo := c.agentInfo
+	c.mu.RUnlock()
+
+	c.impl.RecordSyncDuration(ctx, agentInfo, duration)
+}
+
+// RecordLoginDuration records how long the login to management server took
+func (c *ClientMetrics) RecordLoginDuration(ctx context.Context, duration time.Duration, success bool) {
+	if c == nil {
+		return
+	}
+	c.mu.RLock()
+	agentInfo := c.agentInfo
+	c.mu.RUnlock()
+
+	c.impl.RecordLoginDuration(ctx, agentInfo, duration, success)
+}
+
+// UpdateAgentInfo updates the agent information (e.g., when switching profiles).
+// publicKey is the WireGuard public key; it will be hashed for anonymisation.
+func (c *ClientMetrics) UpdateAgentInfo(agentInfo AgentInfo, publicKey string) {
+	if c == nil {
+		return
+	}
+
+	agentInfo.peerID = peerIDFromPublicKey(publicKey)
+
+	c.mu.Lock()
+	c.agentInfo = agentInfo
+	c.mu.Unlock()
+
+	c.pushMu.Lock()
+	push := c.push
+	c.pushMu.Unlock()
+	if push != nil {
+		push.SetPeerID(agentInfo.peerID)
+	}
+}
+
+// Export exports metrics to the writer
+func (c *ClientMetrics) Export(w io.Writer) error {
+	if c == nil {
+		return nil
+	}
+
+	return c.impl.Export(w)
+}
+
+// StartPush starts periodic pushing of metrics with the given configuration
+// Precedence: PushConfig.ServerAddress > remote config server_url
+func (c *ClientMetrics) StartPush(ctx context.Context, config PushConfig) {
+	if c == nil {
+		return
+	}
+
+	c.pushMu.Lock()
+	defer c.pushMu.Unlock()
+
+	if c.push != nil {
+		log.Warnf("metrics push already running")
+		return
+	}
+
+	c.mu.RLock()
+	agentVersion := c.agentInfo.Version
+	peerID := c.agentInfo.peerID
+	c.mu.RUnlock()
+
+	configManager := remoteconfig.NewManager(getMetricsConfigURL(), remoteconfig.DefaultMinRefreshInterval)
+	push, err := NewPush(c.impl, configManager, config, agentVersion)
+	if err != nil {
+		log.Errorf("failed to create metrics push: %v", err)
+		return
+	}
+	push.SetPeerID(peerID)
+
+	ctx, cancel := context.WithCancel(ctx)
+	c.pushCancel = cancel
+
+	c.wg.Add(1)
+	go func() {
+		defer c.wg.Done()
+		push.Start(ctx)
+	}()
+	c.push = push
+}
+
+func (c *ClientMetrics) StopPush() {
+	if c == nil {
+		return
+	}
+	c.pushMu.Lock()
+	defer c.pushMu.Unlock()
+	if c.push == nil {
+		return
+	}
+
+	c.pushCancel()
+	c.wg.Wait()
+	c.push = nil
+}

client/internal/metrics/metrics_default.go

@@ -0,0 +1,11 @@
+//go:build !js
+
+package metrics
+
+// NewClientMetrics creates a new ClientMetrics instance
+func NewClientMetrics(agentInfo AgentInfo) *ClientMetrics {
+	return &ClientMetrics{
+		impl:      newInfluxDBMetrics(),
+		agentInfo: agentInfo,
+	}
+}

client/internal/metrics/metrics_js.go

@@ -0,0 +1,8 @@
+//go:build js
+
+package metrics
+
+// NewClientMetrics returns nil on WASM builds — all ClientMetrics methods are nil-safe.
+func NewClientMetrics(AgentInfo) *ClientMetrics {
+	return nil
+}

client/internal/metrics/push.go

@@ -0,0 +1,289 @@
+package metrics
+
+import (
+	"bytes"
+	"compress/gzip"
+	"context"
+	"fmt"
+	"net/http"
+	"net/url"
+	"sync"
+	"time"
+
+	goversion "github.com/hashicorp/go-version"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/metrics/remoteconfig"
+)
+
+const (
+	// defaultPushInterval is the default interval for pushing metrics
+	defaultPushInterval = 5 * time.Minute
+)
+
+// defaultMetricsServerURL is used as fallback when NB_METRICS_FORCE_SENDING is true
+var defaultMetricsServerURL *url.URL
+
+func init() {
+	defaultMetricsServerURL, _ = url.Parse("https://ingest.netbird.io")
+}
+
+// PushConfig holds configuration for metrics push
+type PushConfig struct {
+	// ServerAddress is the metrics server URL. If nil, uses remote config server_url.
+	ServerAddress *url.URL
+	// Interval is how often to push metrics. If 0, uses remote config interval or defaultPushInterval.
+	Interval time.Duration
+	// ForceSending skips remote configuration fetch and version checks, pushing unconditionally.
+	ForceSending bool
+}
+
+// PushConfigFromEnv builds a PushConfig from environment variables.
+func PushConfigFromEnv() PushConfig {
+	config := PushConfig{}
+
+	config.ForceSending = isForceSending()
+	config.ServerAddress = getMetricsServerURL()
+	config.Interval = getMetricsInterval()
+
+	return config
+}
+
+// remoteConfigProvider abstracts remote push config fetching for testability
+type remoteConfigProvider interface {
+	RefreshIfNeeded(ctx context.Context) *remoteconfig.Config
+}
+
+// Push handles periodic pushing of metrics
+type Push struct {
+	metrics       metricsImplementation
+	configManager remoteConfigProvider
+	agentVersion  *goversion.Version
+
+	peerID string
+	peerMu sync.RWMutex
+
+	client          *http.Client
+	cfgForceSending bool
+	cfgInterval     time.Duration
+	cfgAddress      *url.URL
+}
+
+// NewPush creates a new Push instance with configuration resolution
+func NewPush(metrics metricsImplementation, configManager remoteConfigProvider, config PushConfig, agentVersion string) (*Push, error) {
+	var cfgInterval time.Duration
+	var cfgAddress *url.URL
+
+	if config.ForceSending {
+		cfgInterval = config.Interval
+		if config.Interval <= 0 {
+			cfgInterval = defaultPushInterval
+		}
+
+		cfgAddress = config.ServerAddress
+		if cfgAddress == nil {
+			cfgAddress = defaultMetricsServerURL
+		}
+	} else {
+		cfgAddress = config.ServerAddress
+
+		if config.Interval < 0 {
+			log.Warnf("negative metrics push interval %s", config.Interval)
+		} else {
+			cfgInterval = config.Interval
+		}
+	}
+
+	parsedVersion, err := goversion.NewVersion(agentVersion)
+	if err != nil {
+		if !config.ForceSending {
+			return nil, fmt.Errorf("parse agent version %q: %w", agentVersion, err)
+		}
+	}
+
+	return &Push{
+		metrics:         metrics,
+		configManager:   configManager,
+		agentVersion:    parsedVersion,
+		cfgForceSending: config.ForceSending,
+		cfgInterval:     cfgInterval,
+		cfgAddress:      cfgAddress,
+		client: &http.Client{
+			Timeout: 10 * time.Second,
+		},
+	}, nil
+}
+
+// SetPeerID updates the hashed peer ID used for the Authorization header.
+func (p *Push) SetPeerID(peerID string) {
+	p.peerMu.Lock()
+	p.peerID = peerID
+	p.peerMu.Unlock()
+}
+
+// Start starts the periodic push loop.
+// The env interval override controls tick frequency but does not bypass remote config
+// version gating. Use ForceSending to skip remote config entirely.
+func (p *Push) Start(ctx context.Context) {
+	// Log initial state
+	switch {
+	case p.cfgForceSending:
+		log.Infof("started metrics push with force sending to %s, interval %s", p.cfgAddress, p.cfgInterval)
+	case p.cfgAddress != nil:
+		log.Infof("started metrics push with server URL override: %s", p.cfgAddress.String())
+	default:
+		log.Infof("started metrics push, server URL will be resolved from remote config")
+	}
+
+	timer := time.NewTimer(0) // fire immediately on first iteration
+	defer timer.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Debug("stopping metrics push")
+			return
+		case <-timer.C:
+		}
+
+		pushURL, interval := p.resolve(ctx)
+		if pushURL != "" {
+			if err := p.push(ctx, pushURL); err != nil {
+				log.Errorf("failed to push metrics: %v", err)
+			}
+		}
+
+		if interval <= 0 {
+			interval = defaultPushInterval
+		}
+		timer.Reset(interval)
+	}
+}
+
+// resolve returns the push URL and interval for the next cycle.
+// Returns empty pushURL to skip this cycle.
+func (p *Push) resolve(ctx context.Context) (pushURL string, interval time.Duration) {
+	if p.cfgForceSending {
+		return p.resolveServerURL(nil), p.cfgInterval
+	}
+
+	config := p.configManager.RefreshIfNeeded(ctx)
+	if config == nil {
+		log.Debug("no metrics push config available, waiting to retry")
+		return "", defaultPushInterval
+	}
+
+	// prefer env variables instead of remote config
+	if p.cfgInterval > 0 {
+		interval = p.cfgInterval
+	} else {
+		interval = config.Interval
+	}
+
+	if !isVersionInRange(p.agentVersion, config.VersionSince, config.VersionUntil) {
+		log.Debugf("agent version %s not in range [%s, %s), skipping metrics push",
+			p.agentVersion, config.VersionSince, config.VersionUntil)
+		return "", interval
+	}
+
+	pushURL = p.resolveServerURL(&config.ServerURL)
+	if pushURL == "" {
+		log.Warn("no metrics server URL available, skipping push")
+	}
+	return pushURL, interval
+}
+
+// push exports metrics and sends them to the metrics server
+func (p *Push) push(ctx context.Context, pushURL string) error {
+	// Export metrics without clearing
+	var buf bytes.Buffer
+	if err := p.metrics.Export(&buf); err != nil {
+		return fmt.Errorf("export metrics: %w", err)
+	}
+
+	// Don't push if there are no metrics
+	if buf.Len() == 0 {
+		log.Tracef("no metrics to push")
+		return nil
+	}
+
+	// Gzip compress the body
+	compressed, err := gzipCompress(buf.Bytes())
+	if err != nil {
+		return fmt.Errorf("gzip compress: %w", err)
+	}
+
+	// Create HTTP request
+	req, err := http.NewRequestWithContext(ctx, "POST", pushURL, compressed)
+	if err != nil {
+		return fmt.Errorf("create request: %w", err)
+	}
+	req.Header.Set("Content-Type", "text/plain; charset=utf-8")
+	req.Header.Set("Content-Encoding", "gzip")
+
+	p.peerMu.RLock()
+	peerID := p.peerID
+	p.peerMu.RUnlock()
+	if peerID != "" {
+		req.Header.Set("X-Peer-ID", peerID)
+	}
+
+	// Send request
+	resp, err := p.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("send request: %w", err)
+	}
+	defer func() {
+		if resp.Body == nil {
+			return
+		}
+		if err := resp.Body.Close(); err != nil {
+			log.Warnf("failed to close response body: %v", err)
+		}
+	}()
+
+	// Check response status
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return fmt.Errorf("push failed with status %d", resp.StatusCode)
+	}
+
+	log.Debugf("successfully pushed metrics to %s", pushURL)
+	p.metrics.Reset()
+	return nil
+}
+
+// resolveServerURL determines the push URL.
+// Precedence: envAddress (env var) > remote config server_url
+func (p *Push) resolveServerURL(remoteServerURL *url.URL) string {
+	var baseURL *url.URL
+	if p.cfgAddress != nil {
+		baseURL = p.cfgAddress
+	} else {
+		baseURL = remoteServerURL
+	}
+
+	if baseURL == nil {
+		return ""
+	}
+
+	return baseURL.String()
+}
+
+// gzipCompress compresses data using gzip and returns the compressed buffer.
+func gzipCompress(data []byte) (*bytes.Buffer, error) {
+	var buf bytes.Buffer
+	gz := gzip.NewWriter(&buf)
+	if _, err := gz.Write(data); err != nil {
+		_ = gz.Close()
+		return nil, err
+	}
+	if err := gz.Close(); err != nil {
+		return nil, err
+	}
+	return &buf, nil
+}
+
+// isVersionInRange checks if current falls within [since, until)
+func isVersionInRange(current, since, until *goversion.Version) bool {
+	return !current.LessThan(since) && current.LessThan(until)
+}

client/internal/metrics/push_test.go

@@ -0,0 +1,343 @@
+package metrics
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	goversion "github.com/hashicorp/go-version"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal/metrics/remoteconfig"
+)
+
+func mustVersion(s string) *goversion.Version {
+	v, err := goversion.NewVersion(s)
+	if err != nil {
+		panic(err)
+	}
+	return v
+}
+
+func mustURL(s string) url.URL {
+	u, err := url.Parse(s)
+	if err != nil {
+		panic(err)
+	}
+	return *u
+}
+
+func parseURL(s string) *url.URL {
+	u, err := url.Parse(s)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}
+
+func testConfig(serverURL, since, until string, period time.Duration) *remoteconfig.Config {
+	return &remoteconfig.Config{
+		ServerURL:    mustURL(serverURL),
+		VersionSince: mustVersion(since),
+		VersionUntil: mustVersion(until),
+		Interval:     period,
+	}
+}
+
+// mockConfigProvider implements remoteConfigProvider for testing
+type mockConfigProvider struct {
+	config *remoteconfig.Config
+}
+
+func (m *mockConfigProvider) RefreshIfNeeded(_ context.Context) *remoteconfig.Config {
+	return m.config
+}
+
+// mockMetrics implements metricsImplementation for testing
+type mockMetrics struct {
+	exportData string
+}
+
+func (m *mockMetrics) RecordConnectionStages(_ context.Context, _ AgentInfo, _ string, _ ConnectionType, _ bool, _ ConnectionStageTimestamps) {
+}
+
+func (m *mockMetrics) RecordSyncDuration(_ context.Context, _ AgentInfo, _ time.Duration) {
+}
+
+func (m *mockMetrics) RecordLoginDuration(_ context.Context, _ AgentInfo, _ time.Duration, _ bool) {
+}
+
+func (m *mockMetrics) Export(w io.Writer) error {
+	if m.exportData != "" {
+		_, err := w.Write([]byte(m.exportData))
+		return err
+	}
+	return nil
+}
+
+func (m *mockMetrics) Reset() {
+}
+
+func TestPush_OverrideIntervalPushes(t *testing.T) {
+	var pushCount atomic.Int32
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		pushCount.Add(1)
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	metrics := &mockMetrics{exportData: "test_metric 1\n"}
+	configProvider := &mockConfigProvider{config: testConfig(server.URL, "1.0.0", "2.0.0", 60*time.Minute)}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{
+		Interval:      50 * time.Millisecond,
+		ServerAddress: parseURL(server.URL),
+	}, "1.0.0")
+	require.NoError(t, err)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan struct{})
+	go func() {
+		push.Start(ctx)
+		close(done)
+	}()
+
+	require.Eventually(t, func() bool {
+		return pushCount.Load() >= 3
+	}, 2*time.Second, 10*time.Millisecond)
+
+	cancel()
+	<-done
+}
+
+func TestPush_RemoteConfigVersionInRange(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	metrics := &mockMetrics{exportData: "test_metric 1\n"}
+	configProvider := &mockConfigProvider{config: testConfig(server.URL, "1.0.0", "2.0.0", 1*time.Minute)}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{}, "1.5.0")
+	require.NoError(t, err)
+
+	pushURL, interval := push.resolve(context.Background())
+	assert.NotEmpty(t, pushURL)
+	assert.Equal(t, 1*time.Minute, interval)
+}
+
+func TestPush_RemoteConfigVersionOutOfRange(t *testing.T) {
+	metrics := &mockMetrics{exportData: "test_metric 1\n"}
+	configProvider := &mockConfigProvider{config: testConfig("http://localhost", "1.0.0", "1.5.0", 1*time.Minute)}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{}, "2.0.0")
+	require.NoError(t, err)
+
+	pushURL, interval := push.resolve(context.Background())
+	assert.Empty(t, pushURL)
+	assert.Equal(t, 1*time.Minute, interval)
+}
+
+func TestPush_NoConfigReturnsDefault(t *testing.T) {
+	metrics := &mockMetrics{}
+	configProvider := &mockConfigProvider{config: nil}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{}, "1.0.0")
+	require.NoError(t, err)
+
+	pushURL, interval := push.resolve(context.Background())
+	assert.Empty(t, pushURL)
+	assert.Equal(t, defaultPushInterval, interval)
+}
+
+func TestPush_OverrideIntervalRespectsVersionCheck(t *testing.T) {
+	metrics := &mockMetrics{}
+	configProvider := &mockConfigProvider{config: testConfig("http://localhost", "3.0.0", "4.0.0", 60*time.Minute)}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{
+		Interval:      30 * time.Second,
+		ServerAddress: parseURL("http://localhost"),
+	}, "1.0.0")
+	require.NoError(t, err)
+
+	pushURL, interval := push.resolve(context.Background())
+	assert.Empty(t, pushURL)                  // version out of range
+	assert.Equal(t, 30*time.Second, interval) // but uses override interval
+}
+
+func TestPush_OverrideIntervalUsedWhenVersionInRange(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	metrics := &mockMetrics{}
+	configProvider := &mockConfigProvider{config: testConfig(server.URL, "1.0.0", "2.0.0", 60*time.Minute)}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{
+		Interval: 30 * time.Second,
+	}, "1.5.0")
+	require.NoError(t, err)
+
+	pushURL, interval := push.resolve(context.Background())
+	assert.NotEmpty(t, pushURL)
+	assert.Equal(t, 30*time.Second, interval)
+}
+
+func TestPush_NoMetricsSkipsPush(t *testing.T) {
+	var pushCount atomic.Int32
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		pushCount.Add(1)
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	metrics := &mockMetrics{exportData: ""} // no metrics to export
+	configProvider := &mockConfigProvider{config: nil}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{}, "1.0.0")
+	require.NoError(t, err)
+
+	err = push.push(context.Background(), server.URL)
+	assert.NoError(t, err)
+	assert.Equal(t, int32(0), pushCount.Load())
+}
+
+func TestPush_ServerURLFromRemoteConfig(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	metrics := &mockMetrics{exportData: "test_metric 1\n"}
+	configProvider := &mockConfigProvider{config: testConfig(server.URL, "1.0.0", "2.0.0", 1*time.Minute)}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{}, "1.5.0")
+	require.NoError(t, err)
+
+	pushURL, interval := push.resolve(context.Background())
+	assert.Contains(t, pushURL, server.URL)
+	assert.Equal(t, 1*time.Minute, interval)
+}
+
+func TestPush_ServerAddressOverridesTakePrecedenceOverRemoteConfig(t *testing.T) {
+	overrideServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer overrideServer.Close()
+
+	metrics := &mockMetrics{exportData: "test_metric 1\n"}
+	configProvider := &mockConfigProvider{config: testConfig("http://remote-config-server", "1.0.0", "2.0.0", 1*time.Minute)}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{
+		ServerAddress: parseURL(overrideServer.URL),
+	}, "1.5.0")
+	require.NoError(t, err)
+
+	pushURL, _ := push.resolve(context.Background())
+	assert.Contains(t, pushURL, overrideServer.URL)
+	assert.NotContains(t, pushURL, "remote-config-server")
+}
+
+func TestPush_OverrideIntervalWithoutOverrideURL_UsesRemoteConfigURL(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	metrics := &mockMetrics{exportData: "test_metric 1\n"}
+	configProvider := &mockConfigProvider{config: testConfig(server.URL, "1.0.0", "2.0.0", 60*time.Minute)}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{
+		Interval: 30 * time.Second,
+	}, "1.0.0")
+	require.NoError(t, err)
+
+	pushURL, interval := push.resolve(context.Background())
+	assert.Contains(t, pushURL, server.URL)
+	assert.Equal(t, 30*time.Second, interval)
+}
+
+func TestPush_NoConfigSkipsPush(t *testing.T) {
+	metrics := &mockMetrics{exportData: "test_metric 1\n"}
+	configProvider := &mockConfigProvider{config: nil}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{
+		Interval: 30 * time.Second,
+	}, "1.0.0")
+	require.NoError(t, err)
+
+	pushURL, interval := push.resolve(context.Background())
+	assert.Empty(t, pushURL)
+	assert.Equal(t, defaultPushInterval, interval) // no config available, use default retry interval
+}
+
+func TestPush_ForceSendingSkipsRemoteConfig(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	metrics := &mockMetrics{exportData: "test_metric 1\n"}
+	configProvider := &mockConfigProvider{config: nil}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{
+		ForceSending:  true,
+		Interval:      1 * time.Minute,
+		ServerAddress: parseURL(server.URL),
+	}, "1.0.0")
+	require.NoError(t, err)
+
+	pushURL, interval := push.resolve(context.Background())
+	assert.NotEmpty(t, pushURL)
+	assert.Equal(t, 1*time.Minute, interval)
+}
+
+func TestPush_ForceSendingUsesDefaultInterval(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+	defer server.Close()
+
+	metrics := &mockMetrics{exportData: "test_metric 1\n"}
+	configProvider := &mockConfigProvider{config: nil}
+
+	push, err := NewPush(metrics, configProvider, PushConfig{
+		ForceSending:  true,
+		ServerAddress: parseURL(server.URL),
+	}, "1.0.0")
+	require.NoError(t, err)
+
+	pushURL, interval := push.resolve(context.Background())
+	assert.NotEmpty(t, pushURL)
+	assert.Equal(t, defaultPushInterval, interval)
+}
+
+func TestIsVersionInRange(t *testing.T) {
+	tests := []struct {
+		name     string
+		current  string
+		since    string
+		until    string
+		expected bool
+	}{
+		{"at lower bound inclusive", "1.2.2", "1.2.2", "1.2.3", true},
+		{"in range", "1.2.2", "1.2.0", "1.3.0", true},
+		{"at upper bound exclusive", "1.2.3", "1.2.2", "1.2.3", false},
+		{"below range", "1.2.1", "1.2.2", "1.2.3", false},
+		{"above range", "1.3.0", "1.2.2", "1.2.3", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, isVersionInRange(mustVersion(tt.current), mustVersion(tt.since), mustVersion(tt.until)))
+		})
+	}
+}

client/internal/metrics/remoteconfig/manager.go

@@ -0,0 +1,149 @@
+package remoteconfig
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"sync"
+	"time"
+
+	goversion "github.com/hashicorp/go-version"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	DefaultMinRefreshInterval = 30 * time.Minute
+)
+
+// Config holds the parsed remote push configuration
+type Config struct {
+	ServerURL    url.URL
+	VersionSince *goversion.Version
+	VersionUntil *goversion.Version
+	Interval     time.Duration
+}
+
+// rawConfig is the JSON wire format fetched from the remote server
+type rawConfig struct {
+	ServerURL     string `json:"server_url"`
+	VersionSince  string `json:"version-since"`
+	VersionUntil  string `json:"version-until"`
+	PeriodMinutes int    `json:"period_minutes"`
+}
+
+// Manager handles fetching and caching remote push configuration
+type Manager struct {
+	configURL          string
+	minRefreshInterval time.Duration
+	client             *http.Client
+
+	mu          sync.Mutex
+	lastConfig  *Config
+	lastFetched time.Time
+}
+
+func NewManager(configURL string, minRefreshInterval time.Duration) *Manager {
+	return &Manager{
+		configURL:          configURL,
+		minRefreshInterval: minRefreshInterval,
+		client: &http.Client{
+			Timeout: 10 * time.Second,
+		},
+	}
+}
+
+// RefreshIfNeeded fetches new config if the cached one is stale.
+// Returns the current config (possibly just fetched) or nil if unavailable.
+func (m *Manager) RefreshIfNeeded(ctx context.Context) *Config {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.isConfigFresh() {
+		return m.lastConfig
+	}
+
+	fetchedConfig, err := m.fetch(ctx)
+	m.lastFetched = time.Now()
+	if err != nil {
+		log.Warnf("failed to fetch metrics remote config: %v", err)
+		return m.lastConfig // return cached (may be nil)
+	}
+
+	m.lastConfig = fetchedConfig
+
+	log.Tracef("fetched metrics remote config: version-since=%s version-until=%s period=%s",
+		fetchedConfig.VersionSince, fetchedConfig.VersionUntil, fetchedConfig.Interval)
+
+	return fetchedConfig
+}
+
+func (m *Manager) isConfigFresh() bool {
+	if m.lastConfig == nil {
+		return false
+	}
+	return time.Since(m.lastFetched) < m.minRefreshInterval
+}
+
+func (m *Manager) fetch(ctx context.Context) (*Config, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, m.configURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("create request: %w", err)
+	}
+
+	resp, err := m.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("send request: %w", err)
+	}
+	defer func() {
+		if resp.Body != nil {
+			_ = resp.Body.Close()
+		}
+	}()
+
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return nil, fmt.Errorf("unexpected status code: %d", resp.StatusCode)
+	}
+
+	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
+	if err != nil {
+		return nil, fmt.Errorf("read body: %w", err)
+	}
+
+	var raw rawConfig
+	if err := json.Unmarshal(body, &raw); err != nil {
+		return nil, fmt.Errorf("parse config: %w", err)
+	}
+
+	if raw.PeriodMinutes <= 0 {
+		return nil, fmt.Errorf("invalid period_minutes: %d", raw.PeriodMinutes)
+	}
+
+	if raw.ServerURL == "" {
+		return nil, fmt.Errorf("server_url is required")
+	}
+
+	serverURL, err := url.Parse(raw.ServerURL)
+	if err != nil {
+		return nil, fmt.Errorf("parse server_url %q: %w", raw.ServerURL, err)
+	}
+
+	since, err := goversion.NewVersion(raw.VersionSince)
+	if err != nil {
+		return nil, fmt.Errorf("parse version-since %q: %w", raw.VersionSince, err)
+	}
+
+	until, err := goversion.NewVersion(raw.VersionUntil)
+	if err != nil {
+		return nil, fmt.Errorf("parse version-until %q: %w", raw.VersionUntil, err)
+	}
+
+	return &Config{
+		ServerURL:    *serverURL,
+		VersionSince: since,
+		VersionUntil: until,
+		Interval:     time.Duration(raw.PeriodMinutes) * time.Minute,
+	}, nil
+}

client/internal/metrics/remoteconfig/manager_test.go

@@ -0,0 +1,197 @@
+package remoteconfig
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const testMinRefresh = 100 * time.Millisecond
+
+func TestManager_FetchSuccess(t *testing.T) {
+	server := newConfigServer(t, rawConfig{
+		ServerURL:     "https://ingest.example.com",
+		VersionSince:  "1.0.0",
+		VersionUntil:  "2.0.0",
+		PeriodMinutes: 60,
+	})
+	defer server.Close()
+
+	mgr := NewManager(server.URL, testMinRefresh)
+	config := mgr.RefreshIfNeeded(context.Background())
+
+	require.NotNil(t, config)
+	assert.Equal(t, "https://ingest.example.com", config.ServerURL.String())
+	assert.Equal(t, "1.0.0", config.VersionSince.String())
+	assert.Equal(t, "2.0.0", config.VersionUntil.String())
+	assert.Equal(t, 60*time.Minute, config.Interval)
+}
+
+func TestManager_CachesConfig(t *testing.T) {
+	var fetchCount atomic.Int32
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fetchCount.Add(1)
+		err := json.NewEncoder(w).Encode(rawConfig{
+			ServerURL:     "https://ingest.example.com",
+			VersionSince:  "1.0.0",
+			VersionUntil:  "2.0.0",
+			PeriodMinutes: 60,
+		})
+		require.NoError(t, err)
+	}))
+	defer server.Close()
+
+	mgr := NewManager(server.URL, testMinRefresh)
+
+	// First call fetches
+	config1 := mgr.RefreshIfNeeded(context.Background())
+	require.NotNil(t, config1)
+	assert.Equal(t, int32(1), fetchCount.Load())
+
+	// Second call uses cache (within minRefreshInterval)
+	config2 := mgr.RefreshIfNeeded(context.Background())
+	require.NotNil(t, config2)
+	assert.Equal(t, int32(1), fetchCount.Load())
+	assert.Equal(t, config1, config2)
+}
+
+func TestManager_RefetchesWhenStale(t *testing.T) {
+	var fetchCount atomic.Int32
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fetchCount.Add(1)
+		err := json.NewEncoder(w).Encode(rawConfig{
+			ServerURL:     "https://ingest.example.com",
+			VersionSince:  "1.0.0",
+			VersionUntil:  "2.0.0",
+			PeriodMinutes: 60,
+		})
+		require.NoError(t, err)
+	}))
+	defer server.Close()
+
+	mgr := NewManager(server.URL, testMinRefresh)
+
+	// First fetch
+	mgr.RefreshIfNeeded(context.Background())
+	assert.Equal(t, int32(1), fetchCount.Load())
+
+	// Wait for config to become stale
+	time.Sleep(testMinRefresh + 10*time.Millisecond)
+
+	// Should refetch
+	mgr.RefreshIfNeeded(context.Background())
+	assert.Equal(t, int32(2), fetchCount.Load())
+}
+
+func TestManager_FetchFailureReturnsNil(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusInternalServerError)
+	}))
+	defer server.Close()
+
+	mgr := NewManager(server.URL, testMinRefresh)
+	config := mgr.RefreshIfNeeded(context.Background())
+
+	assert.Nil(t, config)
+}
+
+func TestManager_FetchFailureReturnsCached(t *testing.T) {
+	var fetchCount atomic.Int32
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fetchCount.Add(1)
+		if fetchCount.Load() > 1 {
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		err := json.NewEncoder(w).Encode(rawConfig{
+			ServerURL:     "https://ingest.example.com",
+			VersionSince:  "1.0.0",
+			VersionUntil:  "2.0.0",
+			PeriodMinutes: 60,
+		})
+		require.NoError(t, err)
+	}))
+	defer server.Close()
+
+	mgr := NewManager(server.URL, testMinRefresh)
+
+	// First call succeeds
+	config1 := mgr.RefreshIfNeeded(context.Background())
+	require.NotNil(t, config1)
+
+	// Wait for config to become stale
+	time.Sleep(testMinRefresh + 10*time.Millisecond)
+
+	// Second call fails but returns cached
+	config2 := mgr.RefreshIfNeeded(context.Background())
+	require.NotNil(t, config2)
+	assert.Equal(t, config1, config2)
+}
+
+func TestManager_RejectsInvalidPeriod(t *testing.T) {
+	tests := []struct {
+		name   string
+		period int
+	}{
+		{"zero", 0},
+		{"negative", -5},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			server := newConfigServer(t, rawConfig{
+				ServerURL:     "https://ingest.example.com",
+				VersionSince:  "1.0.0",
+				VersionUntil:  "2.0.0",
+				PeriodMinutes: tt.period,
+			})
+			defer server.Close()
+
+			mgr := NewManager(server.URL, testMinRefresh)
+			config := mgr.RefreshIfNeeded(context.Background())
+			assert.Nil(t, config)
+		})
+	}
+}
+
+func TestManager_RejectsEmptyServerURL(t *testing.T) {
+	server := newConfigServer(t, rawConfig{
+		ServerURL:     "",
+		VersionSince:  "1.0.0",
+		VersionUntil:  "2.0.0",
+		PeriodMinutes: 60,
+	})
+	defer server.Close()
+
+	mgr := NewManager(server.URL, testMinRefresh)
+	config := mgr.RefreshIfNeeded(context.Background())
+	assert.Nil(t, config)
+}
+
+func TestManager_RejectsInvalidJSON(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, err := w.Write([]byte("not json"))
+		require.NoError(t, err)
+	}))
+	defer server.Close()
+
+	mgr := NewManager(server.URL, testMinRefresh)
+	config := mgr.RefreshIfNeeded(context.Background())
+	assert.Nil(t, config)
+}
+
+func newConfigServer(t *testing.T, config rawConfig) *httptest.Server {
+	t.Helper()
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		err := json.NewEncoder(w).Encode(config)
+		require.NoError(t, err)
+	}))
+}

client/internal/peer/conn.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
+	"github.com/netbirdio/netbird/client/internal/metrics"
 	"github.com/netbirdio/netbird/client/internal/peer/conntype"
 	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
@@ -26,6 +27,17 @@ import (
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 )
 
+// MetricsRecorder is an interface for recording peer connection metrics
+type MetricsRecorder interface {
+	RecordConnectionStages(
+		ctx context.Context,
+		remotePubKey string,
+		connectionType metrics.ConnectionType,
+		isReconnection bool,
+		timestamps metrics.ConnectionStageTimestamps,
+	)
+}
+
 type ServiceDependencies struct {
 	StatusRecorder     *Status
 	Signaler           *Signaler
@@ -33,6 +45,7 @@ type ServiceDependencies struct {
 	RelayManager       *relayClient.Manager
 	SrWatcher          *guard.SRWatcher
 	PeerConnDispatcher *dispatcher.ConnectionDispatcher
+	MetricsRecorder    MetricsRecorder
 }
 
 type WgConfig struct {
@@ -115,6 +128,10 @@ type Conn struct {
 	dumpState *stateDump
 
 	endpointUpdater *EndpointUpdater
+
+	// Connection stage timestamps for metrics
+	metricsRecorder MetricsRecorder
+	metricsStages   *MetricsStages
 }
 
 // NewConn creates a new not opened Conn to the remote peer.
@@ -140,6 +157,7 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 		dumpState:       dumpState,
 		endpointUpdater: NewEndpointUpdater(connLog, config.WgConfig, isController(config)),
 		wgWatcher:       NewWGWatcher(connLog, config.WgConfig.WgInterface, config.Key, dumpState),
+		metricsRecorder: services.MetricsRecorder,
 	}
 
 	return conn, nil
@@ -156,6 +174,9 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 		return nil
 	}
 
+	// Allocate new metrics stages so old goroutines don't corrupt new state
+	conn.metricsStages = &MetricsStages{}
+
 	conn.ctx, conn.ctxCancel = context.WithCancel(engineCtx)
 
 	conn.workerRelay = NewWorkerRelay(conn.ctx, conn.Log, isController(conn.config), conn.config, conn, conn.relayManager)
@@ -167,7 +188,7 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 	}
 	conn.workerICE = workerICE
 
-	conn.handshaker = NewHandshaker(conn.Log, conn.config, conn.signaler, conn.workerICE, conn.workerRelay)
+	conn.handshaker = NewHandshaker(conn.Log, conn.config, conn.signaler, conn.workerICE, conn.workerRelay, conn.metricsStages)
 
 	conn.handshaker.AddRelayListener(conn.workerRelay.OnNewOffer)
 	if !isForceRelayed() {
@@ -335,7 +356,7 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 	if conn.currentConnPriority > priority {
 		conn.Log.Infof("current connection priority (%s) is higher than the new one (%s), do not upgrade connection", conn.currentConnPriority, priority)
 		conn.statusICE.SetConnected()
-		conn.updateIceState(iceConnInfo)
+		conn.updateIceState(iceConnInfo, time.Now())
 		return
 	}
 
@@ -375,7 +396,8 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 	}
 
 	conn.Log.Infof("configure WireGuard endpoint to: %s", ep.String())
-	conn.enableWgWatcherIfNeeded()
+	updateTime := time.Now()
+	conn.enableWgWatcherIfNeeded(updateTime)
 
 	presharedKey := conn.presharedKey(iceConnInfo.RosenpassPubKey)
 	if err = conn.endpointUpdater.ConfigureWGEndpoint(ep, presharedKey); err != nil {
@@ -391,8 +413,8 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 
 	conn.currentConnPriority = priority
 	conn.statusICE.SetConnected()
-	conn.updateIceState(iceConnInfo)
-	conn.doOnConnected(iceConnInfo.RosenpassPubKey, iceConnInfo.RosenpassAddr)
+	conn.updateIceState(iceConnInfo, updateTime)
+	conn.doOnConnected(iceConnInfo.RosenpassPubKey, iceConnInfo.RosenpassAddr, updateTime)
 }
 
 func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
@@ -444,6 +466,10 @@ func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
 
 	conn.disableWgWatcherIfNeeded()
 
+	if conn.currentConnPriority == conntype.None {
+		conn.metricsStages.Disconnected()
+	}
+
 	peerState := State{
 		PubKey:           conn.config.Key,
 		ConnStatus:       conn.evalStatus(),
@@ -484,7 +510,7 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 		conn.Log.Debugf("do not switch to relay because current priority is: %s", conn.currentConnPriority.String())
 		conn.setRelayedProxy(wgProxy)
 		conn.statusRelay.SetConnected()
-		conn.updateRelayStatus(rci.relayedConn.RemoteAddr().String(), rci.rosenpassPubKey)
+		conn.updateRelayStatus(rci.relayedConn.RemoteAddr().String(), rci.rosenpassPubKey, time.Now())
 		return
 	}
 
@@ -493,7 +519,8 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 	if controller {
 		wgProxy.Work()
 	}
-	conn.enableWgWatcherIfNeeded()
+	updateTime := time.Now()
+	conn.enableWgWatcherIfNeeded(updateTime)
 	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), conn.presharedKey(rci.rosenpassPubKey)); err != nil {
 		if err := wgProxy.CloseConn(); err != nil {
 			conn.Log.Warnf("Failed to close relay connection: %v", err)
@@ -504,13 +531,16 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 	if !controller {
 		wgProxy.Work()
 	}
+
+	wgConfigWorkaround()
+
 	conn.rosenpassRemoteKey = rci.rosenpassPubKey
 	conn.currentConnPriority = conntype.Relay
 	conn.statusRelay.SetConnected()
 	conn.setRelayedProxy(wgProxy)
-	conn.updateRelayStatus(rci.relayedConn.RemoteAddr().String(), rci.rosenpassPubKey)
+	conn.updateRelayStatus(rci.relayedConn.RemoteAddr().String(), rci.rosenpassPubKey, updateTime)
 	conn.Log.Infof("start to communicate with peer via relay")
-	conn.doOnConnected(rci.rosenpassPubKey, rci.rosenpassAddr)
+	conn.doOnConnected(rci.rosenpassPubKey, rci.rosenpassAddr, updateTime)
 }
 
 func (conn *Conn) onRelayDisconnected() {
@@ -548,6 +578,10 @@ func (conn *Conn) handleRelayDisconnectedLocked() {
 
 	conn.disableWgWatcherIfNeeded()
 
+	if conn.currentConnPriority == conntype.None {
+		conn.metricsStages.Disconnected()
+	}
+
 	peerState := State{
 		PubKey:           conn.config.Key,
 		ConnStatus:       conn.evalStatus(),
@@ -588,10 +622,10 @@ func (conn *Conn) onWGDisconnected() {
 	}
 }
 
-func (conn *Conn) updateRelayStatus(relayServerAddr string, rosenpassPubKey []byte) {
+func (conn *Conn) updateRelayStatus(relayServerAddr string, rosenpassPubKey []byte, updateTime time.Time) {
 	peerState := State{
 		PubKey:             conn.config.Key,
-		ConnStatusUpdate:   time.Now(),
+		ConnStatusUpdate:   updateTime,
 		ConnStatus:         conn.evalStatus(),
 		Relayed:            conn.isRelayed(),
 		RelayServerAddress: relayServerAddr,
@@ -604,10 +638,10 @@ func (conn *Conn) updateRelayStatus(relayServerAddr string, rosenpassPubKey []by
 	}
 }
 
-func (conn *Conn) updateIceState(iceConnInfo ICEConnInfo) {
+func (conn *Conn) updateIceState(iceConnInfo ICEConnInfo, updateTime time.Time) {
 	peerState := State{
 		PubKey:                     conn.config.Key,
-		ConnStatusUpdate:           time.Now(),
+		ConnStatusUpdate:           updateTime,
 		ConnStatus:                 conn.evalStatus(),
 		Relayed:                    iceConnInfo.Relayed,
 		LocalIceCandidateType:      iceConnInfo.LocalIceCandidateType,
@@ -645,11 +679,13 @@ func (conn *Conn) setStatusToDisconnected() {
 	}
 }
 
-func (conn *Conn) doOnConnected(remoteRosenpassPubKey []byte, remoteRosenpassAddr string) {
+func (conn *Conn) doOnConnected(remoteRosenpassPubKey []byte, remoteRosenpassAddr string, updateTime time.Time) {
 	if runtime.GOOS == "ios" {
 		runtime.GC()
 	}
 
+	conn.metricsStages.RecordConnectionReady(updateTime)
+
 	if conn.onConnected != nil {
 		conn.onConnected(conn.config.Key, remoteRosenpassPubKey, conn.config.WgConfig.AllowedIps[0].Addr().String(), remoteRosenpassAddr)
 	}
@@ -701,14 +737,14 @@ func (conn *Conn) isConnectedOnAllWay() (connected bool) {
 	return true
 }
 
-func (conn *Conn) enableWgWatcherIfNeeded() {
+func (conn *Conn) enableWgWatcherIfNeeded(enabledTime time.Time) {
 	if !conn.wgWatcher.IsEnabled() {
 		wgWatcherCtx, wgWatcherCancel := context.WithCancel(conn.ctx)
 		conn.wgWatcherCancel = wgWatcherCancel
 		conn.wgWatcherWg.Add(1)
 		go func() {
 			defer conn.wgWatcherWg.Done()
-			conn.wgWatcher.EnableWgWatcher(wgWatcherCtx, conn.onWGDisconnected)
+			conn.wgWatcher.EnableWgWatcher(wgWatcherCtx, enabledTime, conn.onWGDisconnected, conn.onWGHandshakeSuccess)
 		}()
 	}
 }
@@ -783,6 +819,41 @@ func (conn *Conn) setRelayedProxy(proxy wgproxy.Proxy) {
 	conn.wgProxyRelay = proxy
 }
 
+// onWGHandshakeSuccess is called when the first WireGuard handshake is detected
+func (conn *Conn) onWGHandshakeSuccess(when time.Time) {
+	conn.metricsStages.RecordWGHandshakeSuccess(when)
+	conn.recordConnectionMetrics()
+}
+
+// recordConnectionMetrics records connection stage timestamps as metrics
+func (conn *Conn) recordConnectionMetrics() {
+	if conn.metricsRecorder == nil {
+		return
+	}
+
+	// Determine connection type based on current priority
+	conn.mu.Lock()
+	priority := conn.currentConnPriority
+	conn.mu.Unlock()
+
+	var connType metrics.ConnectionType
+	switch priority {
+	case conntype.Relay:
+		connType = metrics.ConnectionTypeRelay
+	default:
+		connType = metrics.ConnectionTypeICE
+	}
+
+	// Record metrics with timestamps - duration calculation happens in metrics package
+	conn.metricsRecorder.RecordConnectionStages(
+		context.Background(),
+		conn.config.Key,
+		connType,
+		conn.metricsStages.IsReconnection(),
+		conn.metricsStages.GetTimestamps(),
+	)
+}
+
 // AllowedIP returns the allowed IP of the remote peer
 func (conn *Conn) AllowedIP() netip.Addr {
 	return conn.config.WgConfig.AllowedIps[0].Addr()

client/internal/peer/handshaker.go

@@ -44,12 +44,13 @@ type OfferAnswer struct {
 }
 
 type Handshaker struct {
-	mu       sync.Mutex
-	log      *log.Entry
-	config   ConnConfig
-	signaler *Signaler
-	ice      *WorkerICE
-	relay    *WorkerRelay
+	mu            sync.Mutex
+	log           *log.Entry
+	config        ConnConfig
+	signaler      *Signaler
+	ice           *WorkerICE
+	relay         *WorkerRelay
+	metricsStages *MetricsStages
 	// relayListener is not blocking because the listener is using a goroutine to process the messages
 	// and it will only keep the latest message if multiple offers are received in a short time
 	// this is to avoid blocking the handshaker if the listener is doing some heavy processing
@@ -64,13 +65,14 @@ type Handshaker struct {
 	remoteAnswerCh chan OfferAnswer
 }
 
-func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *WorkerICE, relay *WorkerRelay) *Handshaker {
+func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *WorkerICE, relay *WorkerRelay, metricsStages *MetricsStages) *Handshaker {
 	return &Handshaker{
 		log:            log,
 		config:         config,
 		signaler:       signaler,
 		ice:            ice,
 		relay:          relay,
+		metricsStages:  metricsStages,
 		remoteOffersCh: make(chan OfferAnswer),
 		remoteAnswerCh: make(chan OfferAnswer),
 	}
@@ -89,6 +91,12 @@ func (h *Handshaker) Listen(ctx context.Context) {
 		select {
 		case remoteOfferAnswer := <-h.remoteOffersCh:
 			h.log.Infof("received offer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
+
+			// Record signaling received for reconnection attempts
+			if h.metricsStages != nil {
+				h.metricsStages.RecordSignalingReceived()
+			}
+
 			if h.relayListener != nil {
 				h.relayListener.Notify(&remoteOfferAnswer)
 			}
@@ -103,6 +111,12 @@ func (h *Handshaker) Listen(ctx context.Context) {
 			}
 		case remoteOfferAnswer := <-h.remoteAnswerCh:
 			h.log.Infof("received answer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
+
+			// Record signaling received for reconnection attempts
+			if h.metricsStages != nil {
+				h.metricsStages.RecordSignalingReceived()
+			}
+
 			if h.relayListener != nil {
 				h.relayListener.Notify(&remoteOfferAnswer)
 			}

client/internal/peer/metrics_saver.go

@@ -0,0 +1,73 @@
+package peer
+
+import (
+	"sync"
+	"time"
+
+	"github.com/netbirdio/netbird/client/internal/metrics"
+)
+
+type MetricsStages struct {
+	isReconnectionAttempt bool // Track if current attempt is a reconnection
+	stageTimestamps       metrics.ConnectionStageTimestamps
+	mu                    sync.Mutex
+}
+
+// RecordSignalingReceived records when the first signal is received from the remote peer.
+// Used as the base for all subsequent stage durations to avoid inflating metrics when
+// the remote peer was offline.
+func (s *MetricsStages) RecordSignalingReceived() {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.stageTimestamps.SignalingReceived.IsZero() {
+		s.stageTimestamps.SignalingReceived = time.Now()
+	}
+}
+
+func (s *MetricsStages) RecordConnectionReady(when time.Time) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.stageTimestamps.ConnectionReady.IsZero() {
+		s.stageTimestamps.ConnectionReady = when
+	}
+}
+
+func (s *MetricsStages) RecordWGHandshakeSuccess(handshakeTime time.Time) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if !s.stageTimestamps.ConnectionReady.IsZero() && s.stageTimestamps.WgHandshakeSuccess.IsZero() {
+		// WireGuard only reports handshake times with second precision, but ConnectionReady
+		// is captured with microsecond precision. If handshake appears before ConnectionReady
+		// due to truncation (e.g., handshake at 6.042s truncated to 6.000s), normalize to
+		// ConnectionReady to avoid negative duration metrics.
+		if handshakeTime.Before(s.stageTimestamps.ConnectionReady) {
+			s.stageTimestamps.WgHandshakeSuccess = s.stageTimestamps.ConnectionReady
+		} else {
+			s.stageTimestamps.WgHandshakeSuccess = handshakeTime
+		}
+	}
+}
+
+// Disconnected sets the mode to reconnection. It is called only when both ICE and Relay have been disconnected at the same time.
+func (s *MetricsStages) Disconnected() {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	// Reset all timestamps for reconnection
+	s.stageTimestamps = metrics.ConnectionStageTimestamps{}
+	s.isReconnectionAttempt = true
+}
+
+func (s *MetricsStages) IsReconnection() bool {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return s.isReconnectionAttempt
+}
+
+func (s *MetricsStages) GetTimestamps() metrics.ConnectionStageTimestamps {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return s.stageTimestamps
+}

client/internal/peer/metrics_saver_test.go

@@ -0,0 +1,125 @@
+package peer
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal/metrics"
+)
+
+func TestMetricsStages_RecordSignalingReceived(t *testing.T) {
+	s := &MetricsStages{}
+
+	s.RecordSignalingReceived()
+	ts := s.GetTimestamps()
+	require.False(t, ts.SignalingReceived.IsZero())
+
+	// Second call should not overwrite
+	first := ts.SignalingReceived
+	time.Sleep(time.Millisecond)
+	s.RecordSignalingReceived()
+	ts = s.GetTimestamps()
+	assert.Equal(t, first, ts.SignalingReceived, "should keep the first signaling timestamp")
+}
+
+func TestMetricsStages_RecordConnectionReady(t *testing.T) {
+	s := &MetricsStages{}
+
+	now := time.Now()
+	s.RecordConnectionReady(now)
+	ts := s.GetTimestamps()
+	assert.Equal(t, now, ts.ConnectionReady)
+
+	// Second call should not overwrite
+	later := now.Add(time.Second)
+	s.RecordConnectionReady(later)
+	ts = s.GetTimestamps()
+	assert.Equal(t, now, ts.ConnectionReady, "should keep the first connection ready timestamp")
+}
+
+func TestMetricsStages_RecordWGHandshakeSuccess(t *testing.T) {
+	s := &MetricsStages{}
+
+	connReady := time.Now()
+	s.RecordConnectionReady(connReady)
+
+	handshake := connReady.Add(500 * time.Millisecond)
+	s.RecordWGHandshakeSuccess(handshake)
+
+	ts := s.GetTimestamps()
+	assert.Equal(t, handshake, ts.WgHandshakeSuccess)
+}
+
+func TestMetricsStages_HandshakeBeforeConnectionReady_Normalizes(t *testing.T) {
+	s := &MetricsStages{}
+
+	connReady := time.Now()
+	s.RecordConnectionReady(connReady)
+
+	// WG handshake appears before ConnectionReady due to second-precision truncation
+	handshake := connReady.Add(-100 * time.Millisecond)
+	s.RecordWGHandshakeSuccess(handshake)
+
+	ts := s.GetTimestamps()
+	assert.Equal(t, connReady, ts.WgHandshakeSuccess, "should normalize to ConnectionReady when handshake appears earlier")
+}
+
+func TestMetricsStages_HandshakeIgnoredWithoutConnectionReady(t *testing.T) {
+	s := &MetricsStages{}
+
+	s.RecordWGHandshakeSuccess(time.Now())
+	ts := s.GetTimestamps()
+	assert.True(t, ts.WgHandshakeSuccess.IsZero(), "should not record handshake without connection ready")
+}
+
+func TestMetricsStages_HandshakeRecordedOnce(t *testing.T) {
+	s := &MetricsStages{}
+
+	connReady := time.Now()
+	s.RecordConnectionReady(connReady)
+
+	first := connReady.Add(time.Second)
+	s.RecordWGHandshakeSuccess(first)
+
+	// Second call (rekey) should be ignored
+	second := connReady.Add(2 * time.Second)
+	s.RecordWGHandshakeSuccess(second)
+
+	ts := s.GetTimestamps()
+	assert.Equal(t, first, ts.WgHandshakeSuccess, "should preserve first handshake, ignore rekeys")
+}
+
+func TestMetricsStages_Disconnected(t *testing.T) {
+	s := &MetricsStages{}
+
+	s.RecordSignalingReceived()
+	s.RecordConnectionReady(time.Now())
+	assert.False(t, s.IsReconnection())
+
+	s.Disconnected()
+
+	assert.True(t, s.IsReconnection())
+	ts := s.GetTimestamps()
+	assert.True(t, ts.SignalingReceived.IsZero(), "timestamps should be reset after disconnect")
+	assert.True(t, ts.ConnectionReady.IsZero(), "timestamps should be reset after disconnect")
+	assert.True(t, ts.WgHandshakeSuccess.IsZero(), "timestamps should be reset after disconnect")
+}
+
+func TestMetricsStages_GetTimestamps(t *testing.T) {
+	s := &MetricsStages{}
+
+	ts := s.GetTimestamps()
+	assert.Equal(t, metrics.ConnectionStageTimestamps{}, ts)
+
+	now := time.Now()
+	s.RecordSignalingReceived()
+	s.RecordConnectionReady(now)
+
+	ts = s.GetTimestamps()
+	assert.False(t, ts.SignalingReceived.IsZero())
+	assert.Equal(t, now, ts.ConnectionReady)
+	assert.True(t, ts.WgHandshakeSuccess.IsZero())
+}

client/internal/peer/wg_watcher.go

@@ -48,7 +48,7 @@ func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey strin
 
 // EnableWgWatcher starts the WireGuard watcher. If it is already enabled, it will return immediately and do nothing.
 // The watcher runs until ctx is cancelled. Caller is responsible for context lifecycle management.
-func (w *WGWatcher) EnableWgWatcher(ctx context.Context, onDisconnectedFn func()) {
+func (w *WGWatcher) EnableWgWatcher(ctx context.Context, enabledTime time.Time, onDisconnectedFn func(), onHandshakeSuccessFn func(when time.Time)) {
 	w.muEnabled.Lock()
 	if w.enabled {
 		w.muEnabled.Unlock()
@@ -56,7 +56,6 @@ func (w *WGWatcher) EnableWgWatcher(ctx context.Context, onDisconnectedFn func()
 	}
 
 	w.log.Debugf("enable WireGuard watcher")
-	enabledTime := time.Now()
 	w.enabled = true
 	w.muEnabled.Unlock()
 
@@ -65,7 +64,7 @@ func (w *WGWatcher) EnableWgWatcher(ctx context.Context, onDisconnectedFn func()
 		w.log.Warnf("failed to read initial wg stats: %v", err)
 	}
 
-	w.periodicHandshakeCheck(ctx, onDisconnectedFn, enabledTime, initialHandshake)
+	w.periodicHandshakeCheck(ctx, onDisconnectedFn, onHandshakeSuccessFn, enabledTime, initialHandshake)
 
 	w.muEnabled.Lock()
 	w.enabled = false
@@ -89,7 +88,7 @@ func (w *WGWatcher) Reset() {
 }
 
 // wgStateCheck help to check the state of the WireGuard handshake and relay connection
-func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn func(), enabledTime time.Time, initialHandshake time.Time) {
+func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn func(), onHandshakeSuccessFn func(when time.Time), enabledTime time.Time, initialHandshake time.Time) {
 	w.log.Infof("WireGuard watcher started")
 
 	timer := time.NewTimer(wgHandshakeOvertime)
@@ -108,6 +107,9 @@ func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn
 			if lastHandshake.IsZero() {
 				elapsed := calcElapsed(enabledTime, *handshake)
 				w.log.Infof("first wg handshake detected within: %.2fsec, (%s)", elapsed, handshake)
+				if onHandshakeSuccessFn != nil {
+					onHandshakeSuccessFn(*handshake)
+				}
 			}
 
 			lastHandshake = *handshake

client/internal/peer/wg_watcher_test.go

@@ -35,9 +35,11 @@ func TestWGWatcher_EnableWgWatcher(t *testing.T) {
 	defer cancel()
 
 	onDisconnected := make(chan struct{}, 1)
-	go watcher.EnableWgWatcher(ctx, func() {
+	go watcher.EnableWgWatcher(ctx, time.Now(), func() {
 		mlog.Infof("onDisconnectedFn")
 		onDisconnected <- struct{}{}
+	}, func(when time.Time) {
+		mlog.Infof("onHandshakeSuccess: %v", when)
 	})
 
 	// wait for initial reading
@@ -64,7 +66,7 @@ func TestWGWatcher_ReEnable(t *testing.T) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		watcher.EnableWgWatcher(ctx, func() {})
+		watcher.EnableWgWatcher(ctx, time.Now(), func() {}, func(when time.Time) {})
 	}()
 	cancel()
 
@@ -75,9 +77,9 @@ func TestWGWatcher_ReEnable(t *testing.T) {
 	defer cancel()
 
 	onDisconnected := make(chan struct{}, 1)
-	go watcher.EnableWgWatcher(ctx, func() {
+	go watcher.EnableWgWatcher(ctx, time.Now(), func() {
 		onDisconnected <- struct{}{}
-	})
+	}, func(when time.Time) {})
 
 	time.Sleep(2 * time.Second)
 	mocWgIface.disconnect()

client/internal/profilemanager/config.go

@@ -39,6 +39,18 @@ const (
 	DefaultAdminURL = "https://app.netbird.io:443"
 )
 
+// mgmProber is the subset of management client needed for URL migration probes.
+type mgmProber interface {
+	GetServerPublicKey() (*wgtypes.Key, error)
+	Close() error
+}
+
+// newMgmProber creates a management client for probing URL reachability.
+// Overridden in tests to avoid real network calls.
+var newMgmProber = func(ctx context.Context, addr string, key wgtypes.Key, tlsEnabled bool) (mgmProber, error) {
+	return mgm.NewClient(ctx, addr, key, tlsEnabled)
+}
+
 var DefaultInterfaceBlacklist = []string{
 	iface.WgInterfaceDefault, "wt", "utun", "tun0", "zt", "ZeroTier", "wg", "ts",
 	"Tailscale", "tailscale", "docker", "veth", "br-", "lo",
@@ -753,14 +765,13 @@ func UpdateOldManagementURL(ctx context.Context, config *Config, configPath stri
 		return config, err
 	}
 
-	client, err := mgm.NewClient(ctx, newURL.Host, key, mgmTlsEnabled)
+	client, err := newMgmProber(ctx, newURL.Host, key, mgmTlsEnabled)
 	if err != nil {
 		log.Infof("couldn't switch to the new Management %s", newURL.String())
 		return config, err
 	}
 	defer func() {
-		err = client.Close()
-		if err != nil {
+		if err := client.Close(); err != nil {
 			log.Warnf("failed to close the Management service client %v", err)
 		}
 	}()

client/internal/profilemanager/config_test.go

@@ -10,12 +10,23 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
 	"github.com/netbirdio/netbird/util"
 )
 
+type mockMgmProber struct {
+	key wgtypes.Key
+}
+
+func (m *mockMgmProber) GetServerPublicKey() (*wgtypes.Key, error) {
+	return &m.key, nil
+}
+
+func (m *mockMgmProber) Close() error { return nil }
+
 func TestGetConfig(t *testing.T) {
 	// case 1: new default config has to be generated
 	config, err := UpdateOrCreateConfig(ConfigInput{
@@ -234,6 +245,16 @@ func TestWireguardPortDefaultVsExplicit(t *testing.T) {
 }
 
 func TestUpdateOldManagementURL(t *testing.T) {
+	origProber := newMgmProber
+	newMgmProber = func(_ context.Context, _ string, _ wgtypes.Key, _ bool) (mgmProber, error) {
+		key, err := wgtypes.GenerateKey()
+		if err != nil {
+			return nil, err
+		}
+		return &mockMgmProber{key: key.PublicKey()}, nil
+	}
+	t.Cleanup(func() { newMgmProber = origProber })
+
 	tests := []struct {
 		name                  string
 		previousManagementURL string
@@ -273,18 +294,17 @@ func TestUpdateOldManagementURL(t *testing.T) {
 				ConfigPath:    configPath,
 			})
 			require.NoError(t, err, "failed to create testing config")
-			previousStats, err := os.Stat(configPath)
-			require.NoError(t, err, "failed to create testing config stats")
+			previousContent, err := os.ReadFile(configPath)
+			require.NoError(t, err, "failed to read initial config")
 			resultConfig, err := UpdateOldManagementURL(context.TODO(), config, configPath)
 			require.NoError(t, err, "got error when updating old management url")
 			require.Equal(t, tt.expectedManagementURL, resultConfig.ManagementURL.String())
-			newStats, err := os.Stat(configPath)
-			require.NoError(t, err, "failed to create testing config stats")
-			switch tt.fileShouldNotChange {
-			case true:
-				require.Equal(t, previousStats.ModTime(), newStats.ModTime(), "file should not change")
-			case false:
-				require.NotEqual(t, previousStats.ModTime(), newStats.ModTime(), "file should have changed")
+			newContent, err := os.ReadFile(configPath)
+			require.NoError(t, err, "failed to read updated config")
+			if tt.fileShouldNotChange {
+				require.Equal(t, string(previousContent), string(newContent), "file should not change")
+			} else {
+				require.NotEqual(t, string(previousContent), string(newContent), "file should have changed")
 			}
 		})
 	}

client/internal/routemanager/client/client.go

@@ -3,7 +3,9 @@ package client
 import (
 	"context"
 	"fmt"
+	"net"
 	"reflect"
+	"strconv"
 	"time"
 
 	log "github.com/sirupsen/logrus"
@@ -564,7 +566,7 @@ func HandlerFromRoute(params common.HandlerParams) RouteHandler {
 		return dnsinterceptor.New(params)
 	case handlerTypeDynamic:
 		dns := nbdns.NewServiceViaMemory(params.WgInterface)
-		dnsAddr := fmt.Sprintf("%s:%d", dns.RuntimeIP(), dns.RuntimePort())
+		dnsAddr := net.JoinHostPort(dns.RuntimeIP().String(), strconv.Itoa(dns.RuntimePort()))
 		return dynamic.NewRoute(params, dnsAddr)
 	default:
 		return static.NewRoute(params)

client/internal/routemanager/dnsinterceptor/handler.go

@@ -4,8 +4,10 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"net/netip"
 	"runtime"
+	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -249,7 +251,7 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		r.MsgHdr.AuthenticatedData = true
 	}
 
-	upstream := fmt.Sprintf("%s:%d", upstreamIP.String(), uint16(d.forwarderPort.Load()))
+	upstream := net.JoinHostPort(upstreamIP.String(), strconv.FormatUint(uint64(d.forwarderPort.Load()), 10))
 	ctx, cancel := context.WithTimeout(context.Background(), dnsTimeout)
 	defer cancel()
 

client/internal/routemanager/manager.go

@@ -52,6 +52,7 @@ type Manager interface {
 	TriggerSelection(route.HAMap)
 	GetRouteSelector() *routeselector.RouteSelector
 	GetClientRoutes() route.HAMap
+	GetSelectedClientRoutes() route.HAMap
 	GetClientRoutesWithNetID() map[route.NetID][]*route.Route
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
@@ -465,6 +466,16 @@ func (m *DefaultManager) GetClientRoutes() route.HAMap {
 	return maps.Clone(m.clientRoutes)
 }
 
+// GetSelectedClientRoutes returns only the currently selected/active client routes,
+// filtering out deselected exit nodes. Use this instead of GetClientRoutes when checking
+// if traffic should be routed through the tunnel.
+func (m *DefaultManager) GetSelectedClientRoutes() route.HAMap {
+	m.mux.Lock()
+	defer m.mux.Unlock()
+
+	return m.routeSelector.FilterSelectedExitNodes(maps.Clone(m.clientRoutes))
+}
+
 // GetClientRoutesWithNetID returns the current routes from the route map, but the keys consist of the network ID only
 func (m *DefaultManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
 	m.mux.Lock()

client/internal/routemanager/mock.go

@@ -18,6 +18,7 @@ type MockManager struct {
 	TriggerSelectionFunc         func(haMap route.HAMap)
 	GetRouteSelectorFunc         func() *routeselector.RouteSelector
 	GetClientRoutesFunc          func() route.HAMap
+	GetSelectedClientRoutesFunc  func() route.HAMap
 	GetClientRoutesWithNetIDFunc func() map[route.NetID][]*route.Route
 	StopFunc                     func(manager *statemanager.Manager)
 }
@@ -61,7 +62,7 @@ func (m *MockManager) GetRouteSelector() *routeselector.RouteSelector {
 	return nil
 }
 
-// GetClientRoutes mock implementation of GetClientRoutes from Manager interface
+// GetClientRoutes mock implementation of GetClientRoutes from the Manager interface
 func (m *MockManager) GetClientRoutes() route.HAMap {
 	if m.GetClientRoutesFunc != nil {
 		return m.GetClientRoutesFunc()
@@ -69,6 +70,14 @@ func (m *MockManager) GetClientRoutes() route.HAMap {
 	return nil
 }
 
+// GetSelectedClientRoutes mock implementation of GetSelectedClientRoutes from the Manager interface
+func (m *MockManager) GetSelectedClientRoutes() route.HAMap {
+	if m.GetSelectedClientRoutesFunc != nil {
+		return m.GetSelectedClientRoutesFunc()
+	}
+	return nil
+}
+
 // GetClientRoutesWithNetID mock implementation of GetClientRoutesWithNetID from Manager interface
 func (m *MockManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
 	if m.GetClientRoutesWithNetIDFunc != nil {

client/internal/routemanager/notifier/notifier_android.go

@@ -31,26 +31,11 @@ func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
 	n.listener = listener
 }
 
+// SetInitialClientRoutes stores the full initial route set (including fake IP blocks)
+// and a separate comparison set (without fake IP blocks) for diff detection.
 func (n *Notifier) SetInitialClientRoutes(initialRoutes []*route.Route, routesForComparison []*route.Route) {
-	// initialRoutes contains fake IP block for interface configuration
-	filteredInitial := make([]*route.Route, 0)
-	for _, r := range initialRoutes {
-		if r.IsDynamic() {
-			continue
-		}
-		filteredInitial = append(filteredInitial, r)
-	}
-	n.initialRoutes = filteredInitial
-
-	// routesForComparison excludes fake IP block for comparison with new routes
-	filteredComparison := make([]*route.Route, 0)
-	for _, r := range routesForComparison {
-		if r.IsDynamic() {
-			continue
-		}
-		filteredComparison = append(filteredComparison, r)
-	}
-	n.currentRoutes = filteredComparison
+	n.initialRoutes = filterStatic(initialRoutes)
+	n.currentRoutes = filterStatic(routesForComparison)
 }
 
 func (n *Notifier) OnNewRoutes(idMap route.HAMap) {
@@ -83,13 +68,43 @@ func (n *Notifier) notify() {
 		return
 	}
 
-	routeStrings := n.routesToStrings(n.currentRoutes)
+	allRoutes := slices.Clone(n.currentRoutes)
+	allRoutes = append(allRoutes, n.extraInitialRoutes()...)
+
+	routeStrings := n.routesToStrings(allRoutes)
 	sort.Strings(routeStrings)
 	go func(l listener.NetworkChangeListener) {
-		l.OnNetworkChanged(strings.Join(n.addIPv6RangeIfNeeded(routeStrings, n.currentRoutes), ","))
+		l.OnNetworkChanged(strings.Join(n.addIPv6RangeIfNeeded(routeStrings, allRoutes), ","))
 	}(n.listener)
 }
 
+// extraInitialRoutes returns initialRoutes whose network prefix is absent
+// from currentRoutes (e.g. the fake IP block added at setup time).
+func (n *Notifier) extraInitialRoutes() []*route.Route {
+	currentNets := make(map[netip.Prefix]struct{}, len(n.currentRoutes))
+	for _, r := range n.currentRoutes {
+		currentNets[r.Network] = struct{}{}
+	}
+
+	var extra []*route.Route
+	for _, r := range n.initialRoutes {
+		if _, ok := currentNets[r.Network]; !ok {
+			extra = append(extra, r)
+		}
+	}
+	return extra
+}
+
+func filterStatic(routes []*route.Route) []*route.Route {
+	out := make([]*route.Route, 0, len(routes))
+	for _, r := range routes {
+		if !r.IsDynamic() {
+			out = append(out, r)
+		}
+	}
+	return out
+}
+
 func (n *Notifier) routesToStrings(routes []*route.Route) []string {
 	nets := make([]string, 0, len(routes))
 	for _, r := range routes {

client/internal/routemanager/notifier/notifier_ios.go

@@ -53,7 +53,6 @@ func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
 	n.currentPrefixes = newNets
 	n.notify()
 }
-
 func (n *Notifier) notify() {
 	n.listenerMux.Lock()
 	defer n.listenerMux.Unlock()

client/ios/NetBirdSDK/client.go

@@ -161,7 +161,11 @@ func (c *Client) Run(fd int32, interfaceName string, envList *EnvList) error {
 	cfg.WgIface = interfaceName
 
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager, c.stateFile)
+	hostDNS := []netip.AddrPort{
+		netip.MustParseAddrPort("9.9.9.9:53"),
+		netip.MustParseAddrPort("149.112.112.112:53"),
+	}
+	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager, hostDNS, c.stateFile)
 }
 
 // Stop the internal client and free the resources

client/netbird-entrypoint.sh

@@ -1,12 +1,10 @@
 #!/usr/bin/env bash
 set -eEuo pipefail
 
-: ${NB_ENTRYPOINT_SERVICE_TIMEOUT:="5"}
-: ${NB_ENTRYPOINT_LOGIN_TIMEOUT:="5"}
+: ${NB_ENTRYPOINT_SERVICE_TIMEOUT:="30"}
 NETBIRD_BIN="${NETBIRD_BIN:-"netbird"}"
 export NB_LOG_FILE="${NB_LOG_FILE:-"console,/var/log/netbird/client.log"}"
 service_pids=()
-log_file_path=""
 
 _log() {
   # mimic Go logger's output for easier parsing
@@ -33,60 +31,29 @@ on_exit() {
   fi
 }
 
-wait_for_message() {
-  local timeout="${1}" message="${2}"
-  if test "${timeout}" -eq 0; then
-    info "not waiting for log line ${message@Q} due to zero timeout."
-  elif test -n "${log_file_path}"; then
-    info "waiting for log line ${message@Q} for ${timeout} seconds..."
-    grep -E -q "${message}" <(timeout "${timeout}" tail -F "${log_file_path}" 2>/dev/null)
-  else
-    info "log file unsupported, sleeping for ${timeout} seconds..."
-    sleep "${timeout}"
-  fi
-}
-
-locate_log_file() {
-  local log_files_string="${1}"
-
-  while read -r log_file; do
-    case "${log_file}" in
-    console | syslog) ;;
-    *)
-      log_file_path="${log_file}"
-      return
-      ;;
-    esac
-  done < <(sed 's#,#\n#g' <<<"${log_files_string}")
-
-  warn "log files parsing for ${log_files_string@Q} is not supported by debug bundles"
-  warn "please consider removing the \$NB_LOG_FILE or setting it to real file, before gathering debug bundles."
-}
-
 wait_for_daemon_startup() {
   local timeout="${1}"
-
-  if test -n "${log_file_path}"; then
-    if ! wait_for_message "${timeout}" "started daemon server"; then
-      warn "log line containing 'started daemon server' not found after ${timeout} seconds"
-      warn "daemon failed to start, exiting..."
-      exit 1
-    fi
-  else
-    warn "daemon service startup not discovered, sleeping ${timeout} instead"
-    sleep "${timeout}"
+  if [[ "${timeout}" -eq 0 ]]; then
+    info "not waiting for daemon startup due to zero timeout."
+    return
   fi
+
+  local deadline=$((SECONDS + timeout))
+  while [[ "${SECONDS}" -lt "${deadline}" ]]; do
+    if "${NETBIRD_BIN}" status --check live 2>/dev/null; then
+      return
+    fi
+    sleep 1
+  done
+
+  warn "daemon did not become responsive after ${timeout} seconds, exiting..."
+  exit 1
 }
 
-login_if_needed() {
-  local timeout="${1}"
-
-  if test -n "${log_file_path}" && wait_for_message "${timeout}" 'peer has been successfully registered|management connection state READY'; then
-    info "already logged in, skipping 'netbird up'..."
-  else
-    info "logging in..."
-    "${NETBIRD_BIN}" up
-  fi
+connect() {
+  info "running 'netbird up'..."
+  "${NETBIRD_BIN}" up
+  return $?
 }
 
 main() {
@@ -95,9 +62,8 @@ main() {
   service_pids+=("$!")
   info "registered new service process 'netbird service run', currently running: ${service_pids[@]@Q}"
 
-  locate_log_file "${NB_LOG_FILE}"
   wait_for_daemon_startup "${NB_ENTRYPOINT_SERVICE_TIMEOUT}"
-  login_if_needed "${NB_ENTRYPOINT_LOGIN_TIMEOUT}"
+  connect
 
   wait "${service_pids[@]}"
 }

client/server/debug.go

@@ -26,6 +26,15 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 		log.Warnf("failed to get latest sync response: %v", err)
 	}
 
+	var clientMetrics debug.MetricsExporter
+	if s.connectClient != nil {
+		if engine := s.connectClient.Engine(); engine != nil {
+			if cm := engine.GetClientMetrics(); cm != nil {
+				clientMetrics = cm
+			}
+		}
+	}
+
 	var cpuProfileData []byte
 	if s.cpuProfileBuf != nil && !s.cpuProfiling {
 		cpuProfileData = s.cpuProfileBuf.Bytes()
@@ -54,6 +63,7 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 			LogPath:        s.logFile,
 			CPUProfile:     cpuProfileData,
 			RefreshStatus:  refreshStatus,
+			ClientMetrics:  clientMetrics,
 		},
 		debug.BundleConfig{
 			Anonymize:         req.GetAnonymize(),

client/status/status.go

@@ -25,6 +25,38 @@ import (
 	"github.com/netbirdio/netbird/version"
 )
 
+// DaemonStatus represents the current state of the NetBird daemon.
+// These values mirror internal.StatusType but are defined here to avoid an import cycle.
+type DaemonStatus string
+
+const (
+	DaemonStatusIdle           DaemonStatus = "Idle"
+	DaemonStatusConnecting     DaemonStatus = "Connecting"
+	DaemonStatusConnected      DaemonStatus = "Connected"
+	DaemonStatusNeedsLogin     DaemonStatus = "NeedsLogin"
+	DaemonStatusLoginFailed    DaemonStatus = "LoginFailed"
+	DaemonStatusSessionExpired DaemonStatus = "SessionExpired"
+)
+
+// ParseDaemonStatus converts a raw status string to DaemonStatus.
+// Unrecognized values are preserved as-is to remain visible during version skew.
+func ParseDaemonStatus(s string) DaemonStatus {
+	return DaemonStatus(s)
+}
+
+// ConvertOptions holds parameters for ConvertToStatusOutputOverview.
+type ConvertOptions struct {
+	Anonymize            bool
+	DaemonVersion        string
+	DaemonStatus         DaemonStatus
+	StatusFilter         string
+	PrefixNamesFilter    []string
+	PrefixNamesFilterMap map[string]struct{}
+	IPsFilter            map[string]struct{}
+	ConnectionTypeFilter string
+	ProfileName          string
+}
+
 type PeerStateDetailOutput struct {
 	FQDN                   string           `json:"fqdn" yaml:"fqdn"`
 	IP                     string           `json:"netbirdIp" yaml:"netbirdIp"`
@@ -102,6 +134,7 @@ type OutputOverview struct {
 	Peers                   PeersStateOutput           `json:"peers" yaml:"peers"`
 	CliVersion              string                     `json:"cliVersion" yaml:"cliVersion"`
 	DaemonVersion           string                     `json:"daemonVersion" yaml:"daemonVersion"`
+	DaemonStatus            DaemonStatus               `json:"daemonStatus" yaml:"daemonStatus"`
 	ManagementState         ManagementStateOutput      `json:"management" yaml:"management"`
 	SignalState             SignalStateOutput          `json:"signal" yaml:"signal"`
 	Relays                  RelayStateOutput           `json:"relays" yaml:"relays"`
@@ -120,7 +153,8 @@ type OutputOverview struct {
 	SSHServerState          SSHServerStateOutput       `json:"sshServer" yaml:"sshServer"`
 }
 
-func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, anon bool, daemonVersion string, statusFilter string, prefixNamesFilter []string, prefixNamesFilterMap map[string]struct{}, ipsFilter map[string]struct{}, connectionTypeFilter string, profName string) OutputOverview {
+// ConvertToStatusOutputOverview converts protobuf status to the output overview.
+func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, opts ConvertOptions) OutputOverview {
 	managementState := pbFullStatus.GetManagementState()
 	managementOverview := ManagementStateOutput{
 		URL:       managementState.GetURL(),
@@ -137,12 +171,13 @@ func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, anon bool, da
 
 	relayOverview := mapRelays(pbFullStatus.GetRelays())
 	sshServerOverview := mapSSHServer(pbFullStatus.GetSshServerState())
-	peersOverview := mapPeers(pbFullStatus.GetPeers(), statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilter, connectionTypeFilter)
+	peersOverview := mapPeers(pbFullStatus.GetPeers(), opts.StatusFilter, opts.PrefixNamesFilter, opts.PrefixNamesFilterMap, opts.IPsFilter, opts.ConnectionTypeFilter)
 
 	overview := OutputOverview{
 		Peers:                   peersOverview,
 		CliVersion:              version.NetbirdVersion(),
-		DaemonVersion:           daemonVersion,
+		DaemonVersion:           opts.DaemonVersion,
+		DaemonStatus:            opts.DaemonStatus,
 		ManagementState:         managementOverview,
 		SignalState:             signalOverview,
 		Relays:                  relayOverview,
@@ -157,11 +192,11 @@ func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, anon bool, da
 		NSServerGroups:          mapNSGroups(pbFullStatus.GetDnsServers()),
 		Events:                  mapEvents(pbFullStatus.GetEvents()),
 		LazyConnectionEnabled:   pbFullStatus.GetLazyConnectionEnabled(),
-		ProfileName:             profName,
+		ProfileName:             opts.ProfileName,
 		SSHServerState:          sshServerOverview,
 	}
 
-	if anon {
+	if opts.Anonymize {
 		anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
 		anonymizeOverview(anonymizer, &overview)
 	}

client/status/status_test.go

@@ -176,6 +176,7 @@ var overview = OutputOverview{
 	Events:        []SystemEventOutput{},
 	CliVersion:    version.NetbirdVersion(),
 	DaemonVersion: "0.14.1",
+	DaemonStatus:  DaemonStatusConnected,
 	ManagementState: ManagementStateOutput{
 		URL:       "my-awesome-management.com:443",
 		Connected: true,
@@ -238,7 +239,10 @@ var overview = OutputOverview{
 }
 
 func TestConversionFromFullStatusToOutputOverview(t *testing.T) {
-	convertedResult := ConvertToStatusOutputOverview(resp.GetFullStatus(), false, resp.GetDaemonVersion(), "", nil, nil, nil, "", "")
+	convertedResult := ConvertToStatusOutputOverview(resp.GetFullStatus(), ConvertOptions{
+		DaemonVersion: resp.GetDaemonVersion(),
+		DaemonStatus:  ParseDaemonStatus(resp.GetStatus()),
+	})
 
 	assert.Equal(t, overview, convertedResult)
 }
@@ -329,6 +333,7 @@ func TestParsingToJSON(t *testing.T) {
           },
           "cliVersion": "development",
           "daemonVersion": "0.14.1",
+          "daemonStatus": "Connected",
           "management": {
             "url": "my-awesome-management.com:443",
             "connected": true,
@@ -452,6 +457,7 @@ func TestParsingToYAML(t *testing.T) {
           networks: []
 cliVersion: development
 daemonVersion: 0.14.1
+daemonStatus: Connected
 management:
     url: my-awesome-management.com:443
     connected: true

client/ui/client_ui.go

@@ -324,6 +324,7 @@ type serviceClient struct {
 	exitNodeMu           sync.Mutex
 	mExitNodeItems       []menuHandler
 	exitNodeRetryCancel  context.CancelFunc
+	mExitNodeSeparator   *systray.MenuItem
 	mExitNodeDeselectAll *systray.MenuItem
 	logFile              string
 	wLoginURL            fyne.Window

client/ui/network.go

@@ -421,6 +421,10 @@ func (s *serviceClient) recreateExitNodeMenu(exitNodes []*proto.Network) {
 		node.Remove()
 	}
 	s.mExitNodeItems = nil
+	if s.mExitNodeSeparator != nil {
+		s.mExitNodeSeparator.Remove()
+		s.mExitNodeSeparator = nil
+	}
 	if s.mExitNodeDeselectAll != nil {
 		s.mExitNodeDeselectAll.Remove()
 		s.mExitNodeDeselectAll = nil
@@ -453,31 +457,37 @@ func (s *serviceClient) recreateExitNodeMenu(exitNodes []*proto.Network) {
 	}
 
 	if showDeselectAll {
-		s.mExitNode.AddSeparator()
-		deselectAllItem := s.mExitNode.AddSubMenuItem("Deselect All", "Deselect All")
-		s.mExitNodeDeselectAll = deselectAllItem
-		go func() {
-			for {
-				_, ok := <-deselectAllItem.ClickedCh
-				if !ok {
-					// channel closed: exit the goroutine
-					return
-				}
-				exitNodes, err := s.handleExitNodeMenuDeselectAll()
-				if err != nil {
-					log.Warnf("failed to handle deselect all exit nodes: %v", err)
-				} else {
-					s.exitNodeMu.Lock()
-					s.recreateExitNodeMenu(exitNodes)
-					s.exitNodeMu.Unlock()
-				}
-			}
-
-		}()
+		s.addExitNodeDeselectAll()
 	}
 
 }
 
+func (s *serviceClient) addExitNodeDeselectAll() {
+	sep := s.mExitNode.AddSubMenuItem("───────────────", "")
+	sep.Disable()
+	s.mExitNodeSeparator = sep
+
+	deselectAllItem := s.mExitNode.AddSubMenuItem("Deselect All", "Deselect All")
+	s.mExitNodeDeselectAll = deselectAllItem
+
+	go func() {
+		for {
+			_, ok := <-deselectAllItem.ClickedCh
+			if !ok {
+				return
+			}
+			exitNodes, err := s.handleExitNodeMenuDeselectAll()
+			if err != nil {
+				log.Warnf("failed to handle deselect all exit nodes: %v", err)
+			} else {
+				s.exitNodeMu.Lock()
+				s.recreateExitNodeMenu(exitNodes)
+				s.exitNodeMu.Unlock()
+			}
+		}
+	}()
+}
+
 func (s *serviceClient) getExitNodes(conn proto.DaemonServiceClient) ([]*proto.Network, error) {
 	ctx, cancel := context.WithTimeout(s.ctx, defaultFailTimeout)
 	defer cancel()

client/wasm/cmd/main.go

@@ -18,7 +18,6 @@ import (
 	"github.com/netbirdio/netbird/client/wasm/internal/rdp"
 	"github.com/netbirdio/netbird/client/wasm/internal/ssh"
 	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/version"
 )
 
 const (
@@ -350,7 +349,7 @@ func getStatusOverview(client *netbird.Client) (nbstatus.OutputOverview, error)
 
 	pbFullStatus := fullStatus.ToProto()
 
-	return nbstatus.ConvertToStatusOutputOverview(pbFullStatus, false, version.NetbirdVersion(), "", nil, nil, nil, "", ""), nil
+	return nbstatus.ConvertToStatusOutputOverview(pbFullStatus, nbstatus.ConvertOptions{}), nil
 }
 
 // createStatusMethod creates the status method that returns JSON

go.mod

@@ -1,8 +1,6 @@
 module github.com/netbirdio/netbird
 
-go 1.25
-
-toolchain go1.25.5
+go 1.25.5
 
 require (
 	cunicu.li/go-rosenpass v0.4.0
@@ -19,23 +17,23 @@ require (
 	github.com/spf13/cobra v1.10.1
 	github.com/spf13/pflag v1.0.9
 	github.com/vishvananda/netlink v1.3.1
-	golang.org/x/crypto v0.46.0
-	golang.org/x/sys v0.39.0
+	golang.org/x/crypto v0.48.0
+	golang.org/x/sys v0.41.0
 	golang.zx2c4.com/wireguard v0.0.0-20230704135630-469159ecf7d1
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	google.golang.org/grpc v1.77.0
-	google.golang.org/protobuf v1.36.10
+	google.golang.org/grpc v1.79.3
+	google.golang.org/protobuf v1.36.11
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )
 
 require (
 	fyne.io/fyne/v2 v2.7.0
 	fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9
-	github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible
 	github.com/awnumar/memguard v0.23.0
 	github.com/aws/aws-sdk-go-v2 v1.36.3
 	github.com/aws/aws-sdk-go-v2/config v1.29.14
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.79.2
 	github.com/c-robinson/iplib v1.0.3
 	github.com/caddyserver/certmagic v0.21.3
@@ -51,6 +49,7 @@ require (
 	github.com/eko/gocache/store/redis/v4 v4.2.2
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gliderlabs/ssh v0.3.8
+	github.com/go-jose/go-jose/v4 v4.1.3
 	github.com/godbus/dbus/v5 v5.1.0
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang/mock v1.6.0
@@ -103,21 +102,21 @@ require (
 	github.com/vmihailenco/msgpack/v5 v5.4.1
 	github.com/yusufpapurcu/wmi v1.2.4
 	github.com/zcalusic/sysinfo v1.1.3
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0
-	go.opentelemetry.io/otel v1.38.0
-	go.opentelemetry.io/otel/exporters/prometheus v0.48.0
-	go.opentelemetry.io/otel/metric v1.38.0
-	go.opentelemetry.io/otel/sdk/metric v1.38.0
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0
+	go.opentelemetry.io/otel v1.42.0
+	go.opentelemetry.io/otel/exporters/prometheus v0.64.0
+	go.opentelemetry.io/otel/metric v1.42.0
+	go.opentelemetry.io/otel/sdk/metric v1.42.0
 	go.uber.org/mock v0.5.2
 	go.uber.org/zap v1.27.0
 	goauthentik.io/api/v3 v3.2023051.3
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
 	golang.org/x/mobile v0.0.0-20251113184115-a159579294ab
-	golang.org/x/mod v0.30.0
-	golang.org/x/net v0.47.0
+	golang.org/x/mod v0.32.0
+	golang.org/x/net v0.51.0
 	golang.org/x/oauth2 v0.34.0
 	golang.org/x/sync v0.19.0
-	golang.org/x/term v0.38.0
+	golang.org/x/term v0.40.0
 	golang.org/x/time v0.14.0
 	google.golang.org/api v0.257.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -125,7 +124,7 @@ require (
 	gorm.io/driver/postgres v1.5.7
 	gorm.io/driver/sqlite v1.5.7
 	gorm.io/gorm v1.25.12
-	gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c
+	gvisor.dev/gvisor v0.0.0-20260219192049-0f2374377e89
 )
 
 require (
@@ -146,7 +145,6 @@ require (
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 	github.com/awnumar/memcall v0.4.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
@@ -184,7 +182,6 @@ require (
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71 // indirect
 	github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a // indirect
-	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.12 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -252,12 +249,13 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.66.1 // indirect
-	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/prometheus/common v0.67.5 // indirect
+	github.com/prometheus/otlptranslator v1.0.0 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/russellhaering/goxmldsig v1.5.0 // indirect
 	github.com/rymdport/portal v0.4.2 // indirect
 	github.com/shirou/gopsutil/v4 v4.25.1 // indirect
-	github.com/shoenig/go-m1cpu v0.1.6 // indirect
+	github.com/shoenig/go-m1cpu v0.2.1 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
 	github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c // indirect
@@ -272,15 +270,15 @@ require (
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
-	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.42.0 // indirect
+	go.opentelemetry.io/otel/trace v1.42.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/image v0.33.0 // indirect
-	golang.org/x/text v0.32.0 // indirect
-	golang.org/x/tools v0.39.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/tools v0.41.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 )

go.sum

@@ -34,8 +34,6 @@ github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSC
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
-github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible h1:hqcTK6ZISdip65SR792lwYJTa/axESA0889D3UlZbLo=
-github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible/go.mod h1:6B1nuc1MUs6c62ODZDl7hVE5Pv7O2XGSkgg2olnq34I=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
@@ -489,10 +487,12 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
-github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
-github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
-github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
+github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
+github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos=
+github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM=
+github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
+github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
 github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
 github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
 github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
@@ -512,10 +512,12 @@ github.com/shirou/gopsutil/v3 v3.24.4 h1:dEHgzZXt4LMNm+oYELpzl9YCqV65Yr/6SfrvgRB
 github.com/shirou/gopsutil/v3 v3.24.4/go.mod h1:lTd2mdiOspcqLgAnr9/nGi71NkeMpWKdmhuxm9GusH8=
 github.com/shirou/gopsutil/v4 v4.25.1 h1:QSWkTc+fu9LTAWfkZwZ6j8MSUk4A2LV7rbH0ZqmLjXs=
 github.com/shirou/gopsutil/v4 v4.25.1/go.mod h1:RoUCUpndaJFtT+2zsZzzmhvbfGoDCJ7nFXKJf8GqJbI=
-github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
-github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
+github.com/shoenig/go-m1cpu v0.2.1 h1:yqRB4fvOge2+FyRXFkXqsyMoqPazv14Yyy+iyccT2E4=
+github.com/shoenig/go-m1cpu v0.2.1/go.mod h1:KkDOw6m3ZJQAPHbrzkZki4hnx+pDRR1Lo+ldA56wD5w=
 github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
+github.com/shoenig/test v1.7.0 h1:eWcHtTXa6QLnBvm0jgEabMRN/uJ4DMV3M8xUGgRkZmk=
+github.com/shoenig/test v1.7.0/go.mod h1:UxJ6u/x2v/TNs/LoLxBNJRV9DiwBBKYxXSyczsBHFoI=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
@@ -603,26 +605,26 @@ github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 h1:yI1/OhfEPy7J9eoa6Sj051C7n5dvpj0QX8g4sRchg04=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0/go.mod h1:NoUCKYWK+3ecatC4HjkRktREheMeEtrXoQxrqYFeHSc=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
-go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
-go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho=
+go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
-go.opentelemetry.io/otel/exporters/prometheus v0.48.0 h1:sBQe3VNGUjY9IKWQC6z2lNqa5iGbDSxhs60ABwK4y0s=
-go.opentelemetry.io/otel/exporters/prometheus v0.48.0/go.mod h1:DtrbMzoZWwQHyrQmCfLam5DZbnmorsGbOtTbYHycU5o=
-go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
-go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
-go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
-go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
-go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
-go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/otel/exporters/prometheus v0.64.0 h1:g0LRDXMX/G1SEZtK8zl8Chm4K6GBwRkjPKE36LxiTYs=
+go.opentelemetry.io/otel/exporters/prometheus v0.64.0/go.mod h1:UrgcjnarfdlBDP3GjDIJWe6HTprwSazNjwsI+Ru6hro=
+go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4=
+go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI=
+go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo=
+go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts=
+go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA=
+go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc=
+go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY=
+go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=
 go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -633,8 +635,8 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 goauthentik.io/api/v3 v3.2023051.3 h1:NebAhD/TeTWNo/9X3/Uj+rM5fG1HaiLOlKTNLQv9Qq4=
 goauthentik.io/api/v3 v3.2023051.3/go.mod h1:nYECml4jGbp/541hj8GcylKQG1gVBsKppHy4+7G8u4U=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -648,8 +650,8 @@ golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1m
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/image v0.33.0 h1:LXRZRnv1+zGd5XBUVRFmYEphyyKJjQjCRiOuAP3sZfQ=
@@ -666,8 +668,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
-golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
@@ -686,8 +688,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
 golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
 golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
@@ -738,8 +740,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -752,8 +754,8 @@ golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
-golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -765,8 +767,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -780,8 +782,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
-golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -799,12 +801,12 @@ google.golang.org/api v0.257.0/go.mod h1:4eJrr+vbVaZSqs7vovFd1Jb/A6ml6iw2e6FBYf3
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s=
-google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 h1:mepRgnBZa07I4TRuomDE4sTIYieg/osKmzIf4USdWS4=
-google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 h1:Wgl1rcDNThT+Zn47YyCXOXyX/COgMTIdhJ717F0l4xk=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
-google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -815,8 +817,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -852,5 +854,5 @@ gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
 gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c h1:pfzmXIkkDgydR4ZRP+e1hXywZfYR21FA0Fbk6ptMkiA=
-gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c/go.mod h1:/mc6CfwbOm5KKmqoV7Qx20Q+Ja8+vO4g7FuCdlVoAfQ=
+gvisor.dev/gvisor v0.0.0-20260219192049-0f2374377e89 h1:mGJaeA61P8dEHTqdvAgc70ZIV3QoUoJcXCRyyjO26OA=
+gvisor.dev/gvisor v0.0.0-20260219192049-0f2374377e89/go.mod h1:QkHjoMIBaYtpVufgwv3keYAbln78mBoCuShZrPrer1Q=

idp/dex/config.go

@@ -170,20 +170,66 @@ type Connector struct {
 }
 
 // ToStorageConnector converts a Connector to storage.Connector type.
+// It maps custom connector types (e.g., "zitadel", "entra") to Dex-native types
+// and augments the config with OIDC defaults when needed.
 func (c *Connector) ToStorageConnector() (storage.Connector, error) {
-	data, err := json.Marshal(c.Config)
+	dexType, augmentedConfig := mapConnectorToDex(c.Type, c.Config)
+
+	data, err := json.Marshal(augmentedConfig)
 	if err != nil {
 		return storage.Connector{}, fmt.Errorf("failed to marshal connector config: %v", err)
 	}
 
 	return storage.Connector{
 		ID:     c.ID,
-		Type:   c.Type,
+		Type:   dexType,
 		Name:   c.Name,
 		Config: data,
 	}, nil
 }
 
+// mapConnectorToDex maps custom connector types to Dex-native types and applies
+// OIDC defaults. This ensures static connectors from config files or env vars
+// are stored with types that Dex can open.
+func mapConnectorToDex(connType string, config map[string]interface{}) (string, map[string]interface{}) {
+	switch connType {
+	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak":
+		return "oidc", applyOIDCDefaults(connType, config)
+	default:
+		return connType, config
+	}
+}
+
+// applyOIDCDefaults clones the config map, sets common OIDC defaults,
+// and applies provider-specific overrides.
+func applyOIDCDefaults(connType string, config map[string]interface{}) map[string]interface{} {
+	augmented := make(map[string]interface{}, len(config)+4)
+	for k, v := range config {
+		augmented[k] = v
+	}
+	setDefault(augmented, "scopes", []string{"openid", "profile", "email"})
+	setDefault(augmented, "insecureEnableGroups", true)
+	setDefault(augmented, "insecureSkipEmailVerified", true)
+
+	switch connType {
+	case "zitadel":
+		setDefault(augmented, "getUserInfo", true)
+	case "entra":
+		setDefault(augmented, "claimMapping", map[string]string{"email": "preferred_username"})
+	case "okta", "pocketid":
+		augmented["scopes"] = []string{"openid", "profile", "email", "groups"}
+	}
+
+	return augmented
+}
+
+// setDefault sets a key in the map only if it doesn't already exist.
+func setDefault(m map[string]interface{}, key string, value interface{}) {
+	if _, ok := m[key]; !ok {
+		m[key] = value
+	}
+}
+
 // StorageConfig is a configuration that can create a storage.
 type StorageConfig interface {
 	Open(logger *slog.Logger) (storage.Storage, error)

idp/dex/provider.go

@@ -4,6 +4,7 @@ package dex
 import (
 	"context"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"log/slog"
@@ -19,10 +20,13 @@ import (
 	"github.com/dexidp/dex/server"
 	"github.com/dexidp/dex/storage"
 	"github.com/dexidp/dex/storage/sql"
+	jose "github.com/go-jose/go-jose/v4"
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
 	"golang.org/x/crypto/bcrypt"
 	"google.golang.org/grpc"
+
+	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
 )
 
 // Config matches what management/internals/server/server.go expects
@@ -666,3 +670,46 @@ func (p *Provider) GetAuthorizationEndpoint() string {
 	}
 	return issuer + "/auth"
 }
+
+// GetJWKS reads signing keys directly from Dex storage and returns them as Jwks.
+// This avoids HTTP round-trips when the embedded IDP is co-located with the management server.
+// The key retrieval mirrors Dex's own handlePublicKeys/ValidationKeys logic:
+// SigningKeyPub first, then all VerificationKeys, serialized via go-jose.
+func (p *Provider) GetJWKS(ctx context.Context) (*nbjwt.Jwks, error) {
+	keys, err := p.storage.GetKeys(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get keys from storage: %w", err)
+	}
+
+	if keys.SigningKeyPub == nil {
+		return nil, fmt.Errorf("no public keys found in storage")
+	}
+
+	// Build the key set exactly as Dex's localSigner.ValidationKeys does:
+	// signing key first, then all verification (rotated) keys.
+	joseKeys := make([]jose.JSONWebKey, 0, len(keys.VerificationKeys)+1)
+	joseKeys = append(joseKeys, *keys.SigningKeyPub)
+	for _, vk := range keys.VerificationKeys {
+		if vk.PublicKey != nil {
+			joseKeys = append(joseKeys, *vk.PublicKey)
+		}
+	}
+
+	// Serialize through go-jose (same as Dex's handlePublicKeys handler)
+	// then deserialize into our Jwks type, so the JSON field mapping is identical
+	// to what the /keys HTTP endpoint would return.
+	joseSet := jose.JSONWebKeySet{Keys: joseKeys}
+	data, err := json.Marshal(joseSet)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal JWKS: %w", err)
+	}
+
+	jwks := &nbjwt.Jwks{}
+	if err := json.Unmarshal(data, jwks); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal JWKS: %w", err)
+	}
+
+	jwks.ExpiresInTime = keys.NextRotation
+
+	return jwks, nil
+}

idp/dex/provider_test.go

@@ -2,11 +2,14 @@ package dex
 
 import (
 	"context"
+	"encoding/json"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"testing"
 
+	"github.com/dexidp/dex/storage"
+	sqllib "github.com/dexidp/dex/storage/sql"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -197,6 +200,295 @@ enablePasswordDB: true
 	t.Logf("User lookup successful: rawID=%s, connectorID=%s", rawID, connID)
 }
 
+// openTestStorage creates a SQLite storage in the given directory for testing.
+func openTestStorage(t *testing.T, tmpDir string) storage.Storage {
+	t.Helper()
+	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	stor, err := (&sqllib.SQLite3{File: filepath.Join(tmpDir, "dex.db")}).Open(logger)
+	require.NoError(t, err)
+	return stor
+}
+
+func TestStaticConnectors_CreatedFromYAML(t *testing.T) {
+	ctx := context.Background()
+
+	tmpDir, err := os.MkdirTemp("", "dex-static-conn-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	yamlContent := `
+issuer: http://localhost:5556/dex
+storage:
+  type: sqlite3
+  config:
+    file: ` + filepath.Join(tmpDir, "dex.db") + `
+web:
+  http: 127.0.0.1:5556
+enablePasswordDB: true
+connectors:
+- type: oidc
+  id: my-oidc
+  name: My OIDC Provider
+  config:
+    issuer: https://accounts.example.com
+    clientID: test-client-id
+    clientSecret: test-client-secret
+    redirectURI: http://localhost:5556/dex/callback
+`
+	configPath := filepath.Join(tmpDir, "config.yaml")
+	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
+	require.NoError(t, err)
+
+	yamlConfig, err := LoadConfig(configPath)
+	require.NoError(t, err)
+
+	// Open storage and run initializeStorage directly (avoids Dex server
+	// trying to dial the OIDC issuer)
+	stor := openTestStorage(t, tmpDir)
+	defer stor.Close()
+
+	err = initializeStorage(ctx, stor, yamlConfig)
+	require.NoError(t, err)
+
+	// Verify connector was created in storage
+	conn, err := stor.GetConnector(ctx, "my-oidc")
+	require.NoError(t, err)
+	assert.Equal(t, "my-oidc", conn.ID)
+	assert.Equal(t, "My OIDC Provider", conn.Name)
+	assert.Equal(t, "oidc", conn.Type)
+
+	// Verify config fields were serialized correctly
+	var configMap map[string]interface{}
+	err = json.Unmarshal(conn.Config, &configMap)
+	require.NoError(t, err)
+	assert.Equal(t, "https://accounts.example.com", configMap["issuer"])
+	assert.Equal(t, "test-client-id", configMap["clientID"])
+}
+
+func TestStaticConnectors_UpdatedOnRestart(t *testing.T) {
+	ctx := context.Background()
+
+	tmpDir, err := os.MkdirTemp("", "dex-static-conn-update-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	dbFile := filepath.Join(tmpDir, "dex.db")
+
+	// First: load config with initial connector
+	yamlContent1 := `
+issuer: http://localhost:5556/dex
+storage:
+  type: sqlite3
+  config:
+    file: ` + dbFile + `
+web:
+  http: 127.0.0.1:5556
+enablePasswordDB: true
+connectors:
+- type: oidc
+  id: my-oidc
+  name: Original Name
+  config:
+    issuer: https://accounts.example.com
+    clientID: original-client-id
+    clientSecret: original-secret
+`
+	configPath := filepath.Join(tmpDir, "config.yaml")
+	err = os.WriteFile(configPath, []byte(yamlContent1), 0644)
+	require.NoError(t, err)
+
+	yamlConfig1, err := LoadConfig(configPath)
+	require.NoError(t, err)
+
+	stor := openTestStorage(t, tmpDir)
+	err = initializeStorage(ctx, stor, yamlConfig1)
+	require.NoError(t, err)
+
+	// Verify initial state
+	conn, err := stor.GetConnector(ctx, "my-oidc")
+	require.NoError(t, err)
+	assert.Equal(t, "Original Name", conn.Name)
+
+	var configMap1 map[string]interface{}
+	err = json.Unmarshal(conn.Config, &configMap1)
+	require.NoError(t, err)
+	assert.Equal(t, "original-client-id", configMap1["clientID"])
+
+	// Close storage to simulate restart
+	stor.Close()
+
+	// Second: load updated config against the same DB
+	yamlContent2 := `
+issuer: http://localhost:5556/dex
+storage:
+  type: sqlite3
+  config:
+    file: ` + dbFile + `
+web:
+  http: 127.0.0.1:5556
+enablePasswordDB: true
+connectors:
+- type: oidc
+  id: my-oidc
+  name: Updated Name
+  config:
+    issuer: https://accounts.example.com
+    clientID: updated-client-id
+    clientSecret: updated-secret
+`
+	err = os.WriteFile(configPath, []byte(yamlContent2), 0644)
+	require.NoError(t, err)
+
+	yamlConfig2, err := LoadConfig(configPath)
+	require.NoError(t, err)
+
+	stor2 := openTestStorage(t, tmpDir)
+	defer stor2.Close()
+
+	err = initializeStorage(ctx, stor2, yamlConfig2)
+	require.NoError(t, err)
+
+	// Verify connector was updated, not duplicated
+	allConnectors, err := stor2.ListConnectors(ctx)
+	require.NoError(t, err)
+
+	nonLocalCount := 0
+	for _, c := range allConnectors {
+		if c.ID != "local" {
+			nonLocalCount++
+		}
+	}
+	assert.Equal(t, 1, nonLocalCount, "connector should be updated, not duplicated")
+
+	conn2, err := stor2.GetConnector(ctx, "my-oidc")
+	require.NoError(t, err)
+	assert.Equal(t, "Updated Name", conn2.Name)
+
+	var configMap2 map[string]interface{}
+	err = json.Unmarshal(conn2.Config, &configMap2)
+	require.NoError(t, err)
+	assert.Equal(t, "updated-client-id", configMap2["clientID"])
+}
+
+func TestStaticConnectors_MultipleConnectors(t *testing.T) {
+	ctx := context.Background()
+
+	tmpDir, err := os.MkdirTemp("", "dex-static-conn-multi-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	yamlContent := `
+issuer: http://localhost:5556/dex
+storage:
+  type: sqlite3
+  config:
+    file: ` + filepath.Join(tmpDir, "dex.db") + `
+web:
+  http: 127.0.0.1:5556
+enablePasswordDB: true
+connectors:
+- type: oidc
+  id: my-oidc
+  name: My OIDC Provider
+  config:
+    issuer: https://accounts.example.com
+    clientID: oidc-client-id
+    clientSecret: oidc-secret
+- type: google
+  id: my-google
+  name: Google Login
+  config:
+    clientID: google-client-id
+    clientSecret: google-secret
+`
+	configPath := filepath.Join(tmpDir, "config.yaml")
+	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
+	require.NoError(t, err)
+
+	yamlConfig, err := LoadConfig(configPath)
+	require.NoError(t, err)
+
+	stor := openTestStorage(t, tmpDir)
+	defer stor.Close()
+
+	err = initializeStorage(ctx, stor, yamlConfig)
+	require.NoError(t, err)
+
+	allConnectors, err := stor.ListConnectors(ctx)
+	require.NoError(t, err)
+
+	// Build a map for easier assertion
+	connByID := make(map[string]storage.Connector)
+	for _, c := range allConnectors {
+		connByID[c.ID] = c
+	}
+
+	// Verify both static connectors exist
+	oidcConn, ok := connByID["my-oidc"]
+	require.True(t, ok, "oidc connector should exist")
+	assert.Equal(t, "My OIDC Provider", oidcConn.Name)
+	assert.Equal(t, "oidc", oidcConn.Type)
+
+	var oidcConfig map[string]interface{}
+	err = json.Unmarshal(oidcConn.Config, &oidcConfig)
+	require.NoError(t, err)
+	assert.Equal(t, "oidc-client-id", oidcConfig["clientID"])
+
+	googleConn, ok := connByID["my-google"]
+	require.True(t, ok, "google connector should exist")
+	assert.Equal(t, "Google Login", googleConn.Name)
+	assert.Equal(t, "google", googleConn.Type)
+
+	var googleConfig map[string]interface{}
+	err = json.Unmarshal(googleConn.Config, &googleConfig)
+	require.NoError(t, err)
+	assert.Equal(t, "google-client-id", googleConfig["clientID"])
+
+	// Verify local connector still exists alongside them (enablePasswordDB: true)
+	localConn, ok := connByID["local"]
+	require.True(t, ok, "local connector should exist")
+	assert.Equal(t, "local", localConn.Type)
+}
+
+func TestStaticConnectors_EmptyList(t *testing.T) {
+	ctx := context.Background()
+
+	tmpDir, err := os.MkdirTemp("", "dex-static-conn-empty-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	yamlContent := `
+issuer: http://localhost:5556/dex
+storage:
+  type: sqlite3
+  config:
+    file: ` + filepath.Join(tmpDir, "dex.db") + `
+web:
+  http: 127.0.0.1:5556
+enablePasswordDB: true
+`
+	configPath := filepath.Join(tmpDir, "config.yaml")
+	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
+	require.NoError(t, err)
+
+	yamlConfig, err := LoadConfig(configPath)
+	require.NoError(t, err)
+
+	provider, err := NewProviderFromYAML(ctx, yamlConfig)
+	require.NoError(t, err)
+	defer func() { _ = provider.Stop(ctx) }()
+
+	// No static connectors configured, so ListConnectors should return empty
+	connectors, err := provider.ListConnectors(ctx)
+	require.NoError(t, err)
+	assert.Empty(t, connectors)
+
+	// But local connector should still exist
+	localConn, err := provider.Storage().GetConnector(ctx, "local")
+	require.NoError(t, err)
+	assert.Equal(t, "local", localConn.ID)
+}
+
 func TestNewProvider_ContinueOnConnectorFailure(t *testing.T) {
 	ctx := context.Background()
 

infrastructure_files/getting-started-with-dex.sh

@@ -172,8 +172,11 @@ init_environment() {
   echo "You can access the NetBird dashboard at $NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN"
   echo ""
   echo "Login with the following credentials:"
-  echo "Email: admin@$NETBIRD_DOMAIN" | tee .env
-  echo "Password: $NETBIRD_ADMIN_PASSWORD" | tee -a .env
+  install -m 600 /dev/null .env
+  printf 'Email: admin@%s\nPassword: %s\n' \
+      "$NETBIRD_DOMAIN" "$NETBIRD_ADMIN_PASSWORD" >> .env
+  echo "Email: admin@$NETBIRD_DOMAIN"
+  echo "Password: $NETBIRD_ADMIN_PASSWORD"
   echo ""
   echo "Dex admin UI is not available (Dex has no built-in UI)."
   echo "To add more users, edit dex.yaml and restart: $DOCKER_COMPOSE_COMMAND restart dex"

infrastructure_files/getting-started-with-zitadel.sh

@@ -563,8 +563,11 @@ initEnvironment() {
   echo -e "\nDone!\n"
   echo "You can access the NetBird dashboard at $NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN"
   echo "Login with the following credentials:"
-  echo "Username: $ZITADEL_ADMIN_USERNAME" | tee .env
-  echo "Password: $ZITADEL_ADMIN_PASSWORD" | tee -a .env
+  install -m 600 /dev/null .env
+  printf 'Username: %s\nPassword: %s\n' \
+      "$ZITADEL_ADMIN_USERNAME" "$ZITADEL_ADMIN_PASSWORD" >> .env
+  echo "Username: $ZITADEL_ADMIN_USERNAME"
+  echo "Password: $ZITADEL_ADMIN_PASSWORD"
 }
 
 renderCaddyfile() {

infrastructure_files/getting-started.sh

@@ -1154,7 +1154,16 @@ print_builtin_traefik_instructions() {
   echo "  - $NETBIRD_STUN_PORT/udp   (STUN - required for NAT traversal)"
   if [[ "$ENABLE_PROXY" == "true" ]]; then
     echo "  - 51820/udp (WIREGUARD - (optional) for P2P proxy connections)"
-    echo ""
+  fi
+  echo ""
+  echo "This setup is ideal for homelabs and smaller organization deployments."
+  echo "For enterprise environments requiring high availability and advanced integrations,"
+  echo "consider a commercial on-prem license or scaling your open source deployment:"
+  echo ""
+  echo "  Commercial license: https://netbird.io/pricing#on-prem"
+  echo "  Scaling guide:      https://docs.netbird.io/scaling-your-self-hosted-deployment"
+  echo ""
+  if [[ "$ENABLE_PROXY" == "true" ]]; then
     echo "NetBird Proxy:"
     echo "  The proxy service is enabled and running."
     echo "  Any domain NOT matching $NETBIRD_DOMAIN will be passed through to the proxy."

management/internals/modules/peers/manager.go

@@ -154,9 +154,11 @@ func (m *managerImpl) DeletePeers(ctx context.Context, accountID string, peerIDs
 				return err
 			}
 
-			eventsToStore = append(eventsToStore, func() {
-				m.accountManager.StoreEvent(ctx, userID, peer.ID, accountID, activity.PeerRemovedByUser, peer.EventMeta(dnsDomain))
-			})
+			if !(peer.ProxyMeta.Embedded || peer.Meta.KernelVersion == "wasm") {
+				eventsToStore = append(eventsToStore, func() {
+					m.accountManager.StoreEvent(ctx, userID, peer.ID, accountID, activity.PeerRemovedByUser, peer.EventMeta(dnsDomain))
+				})
+			}
 
 			return nil
 		})

management/internals/modules/reverseproxy/domain/domain.go

@@ -17,6 +17,9 @@ type Domain struct {
 	// SupportsCustomPorts is populated at query time for free domains from the
 	// proxy cluster capabilities. Not persisted.
 	SupportsCustomPorts *bool `gorm:"-"`
+	// RequireSubdomain is populated at query time. When true, the domain
+	// cannot be used bare and a subdomain label must be prepended. Not persisted.
+	RequireSubdomain *bool `gorm:"-"`
 }
 
 // EventMeta returns activity event metadata for a domain

management/internals/modules/reverseproxy/domain/manager/api.go

@@ -47,6 +47,7 @@ func domainToApi(d *domain.Domain) api.ReverseProxyDomain {
 		Type:                domainTypeToApi(d.Type),
 		Validated:           d.Validated,
 		SupportsCustomPorts: d.SupportsCustomPorts,
+		RequireSubdomain:    d.RequireSubdomain,
 	}
 	if d.TargetCluster != "" {
 		resp.TargetCluster = &d.TargetCluster