Fix relay instance address indication

Add relay server address for the status
Add relay address to signal OFFER
2026-04-18 23:44:43 -04:00 · 2024-07-10 22:33:15 +02:00 · 2024-07-10 22:17:54 +02:00 · 2024-07-10 18:39:24 +02:00 · 2024-07-10 18:34:04 +02:00 · 2024-07-10 16:51:38 +02:00
368 changed files with 19933 additions and 8153 deletions
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -14,7 +14,7 @@ jobs:
  test:
    strategy:
      matrix:
-        store: ['jsonfile', 'sqlite']
+        store: ['sqlite']
    runs-on: macos-latest
    steps:
      - name: Install Go
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -0,0 +1,39 @@
+
+name: Test Code FreeBSD
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Test in FreeBSD
+        id: test
+        uses: vmactions/freebsd-vm@v1
+        with:
+          usesh: true
+          prepare: |
+            pkg install -y curl
+            pkg install -y git
+
+          run: |
+            set -x
+            curl -o go.tar.gz https://go.dev/dl/go1.21.11.freebsd-amd64.tar.gz -L
+            tar zxf go.tar.gz
+            mv go /usr/local/go
+            ln -s /usr/local/go/bin/go /usr/local/bin/go
+            go mod tidy
+            go test -timeout 5m -p 1 ./iface/...
+            go test -timeout 5m -p 1 ./client/... 
+            cd client
+            go build .
+            cd ..
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -15,7 +15,7 @@ jobs:
    strategy:
      matrix:
        arch: [ '386','amd64' ]
-        store: [ 'jsonfile', 'sqlite' ]
+        store: [ 'sqlite', 'postgres']
    runs-on: ubuntu-latest
    steps:
      - name: Install Go
@@ -86,7 +86,10 @@ jobs:
        run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock

      - name: Generate RouteManager Test bin
-        run: CGO_ENABLED=1 go test -c -o routemanager-testing.bin -tags netgo -ldflags '-w -extldflags "-static -ldbus-1 -lpcap"' ./client/internal/routemanager/...
+        run: CGO_ENABLED=0 go test -c -o routemanager-testing.bin  ./client/internal/routemanager
+
+      - name: Generate SystemOps Test bin
+        run: CGO_ENABLED=1 go test -c -o systemops-testing.bin -tags netgo -ldflags '-w -extldflags "-static -ldbus-1 -lpcap"' ./client/internal/routemanager/systemops

      - name: Generate nftables Manager Test bin
        run: CGO_ENABLED=0 go test -c -o nftablesmanager-testing.bin ./client/firewall/nftables/...
@@ -108,6 +111,9 @@ jobs:
      - name: Run RouteManager tests in docker
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/routemanager-testing.bin  -test.timeout 5m -test.parallel 1

+      - name: Run SystemOps tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager/systemops --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/systemops-testing.bin  -test.timeout 5m -test.parallel 1
+
      - name: Run nftables Manager tests in docker
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/firewall --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/nftablesmanager-testing.bin  -test.timeout 5m -test.parallel 1

--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -173,7 +173,7 @@ jobs:
          retention-days: 3

  release_ui_darwin:
-    runs-on: macos-11
+    runs-on: macos-latest
    steps:
      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -178,34 +178,79 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v3

-      - name: run script
+      - name: run script with Zitadel PostgreSQL
        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh

-      - name: test Caddy file gen
+      - name: test Caddy file gen postgres
        run: test -f Caddyfile
-      - name: test docker-compose file gen
+
+      - name: test docker-compose file gen postgres
        run: test -f docker-compose.yml
-      - name: test management.json file gen
+
+      - name: test management.json file gen postgres
        run: test -f management.json
-      - name: test turnserver.conf file gen
+
+      - name: test turnserver.conf file gen postgres
        run: | 
          set -x
          test -f turnserver.conf
          grep external-ip turnserver.conf
-      - name: test zitadel.env file gen
+
+      - name: test zitadel.env file gen postgres
        run: test -f zitadel.env
-      - name: test dashboard.env file gen
+
+      - name: test dashboard.env file gen postgres
        run: test -f dashboard.env
+
+      - name: test zdb.env file gen postgres
+        run: test -f zdb.env
+
+      - name: Postgres run cleanup
+        run: |
+          docker-compose down --volumes --rmi all
+          rm -rf docker-compose.yml Caddyfile zitadel.env dashboard.env machinekey/zitadel-admin-sa.token turnserver.conf management.json zdb.env
+
+      - name: run script with Zitadel CockroachDB
+        run: bash -x infrastructure_files/getting-started-with-zitadel.sh
+        env:
+          NETBIRD_DOMAIN: use-ip
+          ZITADEL_DATABASE: cockroach
+
+      - name: test Caddy file gen CockroachDB
+        run: test -f Caddyfile
+
+      - name: test docker-compose file gen CockroachDB
+        run: test -f docker-compose.yml
+
+      - name: test management.json file gen CockroachDB
+        run: test -f management.json
+
+      - name: test turnserver.conf file gen CockroachDB
+        run: | 
+          set -x
+          test -f turnserver.conf
+          grep external-ip turnserver.conf
+
+      - name: test zitadel.env file gen CockroachDB
+        run: test -f zitadel.env
+
+      - name: test dashboard.env file gen CockroachDB
+        run: test -f dashboard.env
+
  test-download-geolite2-script:
    runs-on: ubuntu-latest
    steps:
      - name: Install jq
        run: sudo apt-get update && sudo apt-get install -y unzip sqlite3
+
      - name: Checkout code
        uses: actions/checkout@v3
+
      - name: test script
        run: bash -x infrastructure_files/download-geolite2.sh
+
      - name: test mmdb file exists
        run: test -f GeoLite2-City.mmdb
+
      - name: test geonames file exists
        run: test -f geonames.db
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -130,3 +130,10 @@ issues:
    - path: mock\.go
      linters:
      - nilnil
+    # Exclude specific deprecation warnings for grpc methods
+    - linters:
+       - staticcheck
+      text: "grpc.DialContext is deprecated"
+    - linters:
+        - staticcheck
+      text: "grpc.WithBlock is deprecated"
--- a/.goreleaser_ui_darwin.yaml
+++ b/.goreleaser_ui_darwin.yaml
@@ -3,8 +3,10 @@ builds:
  - id: netbird-ui-darwin
    dir: client/ui
    binary: netbird-ui
-    env: [CGO_ENABLED=1]
-
+    env:
+      - CGO_ENABLED=1
+      - MACOSX_DEPLOYMENT_TARGET=11.0
+      - MACOS_DEPLOYMENT_TARGET=11.0
    goos:
      - darwin
    goarch:
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
+identity and expression, level of experience, education, socioeconomic status,
 nationality, personal appearance, race, caste, color, religion, or sexual
 identity and orientation.

--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.18.5
+FROM alpine:3.19
 RUN apk add --no-cache ca-certificates iptables ip6tables
 ENV NB_FOREGROUND_MODE=true
 ENTRYPOINT [ "/usr/local/bin/netbird","up"]
--- a/client/android/client.go
+++ b/client/android/client.go
@@ -57,15 +57,17 @@ type Client struct {
 	ctxCancel             context.CancelFunc
 	ctxCancelLock         *sync.Mutex
 	deviceName            string
+	uiVersion             string
 	networkChangeListener listener.NetworkChangeListener
 }

 // NewClient instantiate a new Client
-func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, networkChangeListener NetworkChangeListener) *Client {
+func NewClient(cfgFile, deviceName string, uiVersion string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, networkChangeListener NetworkChangeListener) *Client {
 	net.SetAndroidProtectSocketFn(tunAdapter.ProtectSocket)
 	return &Client{
 		cfgFile:               cfgFile,
 		deviceName:            deviceName,
+		uiVersion:             uiVersion,
 		tunAdapter:            tunAdapter,
 		iFaceDiscover:         iFaceDiscover,
 		recorder:              peer.NewRecorder(""),
@@ -88,6 +90,9 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 	var ctx context.Context
 	//nolint
 	ctxWithValues := context.WithValue(context.Background(), system.DeviceNameCtxKey, c.deviceName)
+	//nolint
+	ctxWithValues = context.WithValue(ctxWithValues, system.UiVersionCtxKey, c.uiVersion)
+
 	c.ctxCancelLock.Lock()
 	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
 	defer c.ctxCancel()
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -3,13 +3,14 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"strings"
 	"time"

 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"

+	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/client/server"
 )

 var debugCmd = &cobra.Command{
@@ -58,7 +59,7 @@ var forCmd = &cobra.Command{
 }

 func debugBundle(cmd *cobra.Command, _ []string) error {
-	conn, err := getClient(cmd.Context())
+	conn, err := getClient(cmd)
 	if err != nil {
 		return err
 	}
@@ -79,14 +80,14 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 }

 func setLogLevel(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd.Context())
+	conn, err := getClient(cmd)
 	if err != nil {
 		return err
 	}
 	defer conn.Close()

 	client := proto.NewDaemonServiceClient(conn)
-	level := parseLogLevel(args[0])
+	level := server.ParseLogLevel(args[0])
 	if level == proto.LogLevel_UNKNOWN {
 		return fmt.Errorf("unknown log level: %s. Available levels are: panic, fatal, error, warn, info, debug, trace\n", args[0])
 	}
@@ -102,34 +103,13 @@ func setLogLevel(cmd *cobra.Command, args []string) error {
 	return nil
 }

-func parseLogLevel(level string) proto.LogLevel {
-	switch strings.ToLower(level) {
-	case "panic":
-		return proto.LogLevel_PANIC
-	case "fatal":
-		return proto.LogLevel_FATAL
-	case "error":
-		return proto.LogLevel_ERROR
-	case "warn":
-		return proto.LogLevel_WARN
-	case "info":
-		return proto.LogLevel_INFO
-	case "debug":
-		return proto.LogLevel_DEBUG
-	case "trace":
-		return proto.LogLevel_TRACE
-	default:
-		return proto.LogLevel_UNKNOWN
-	}
-}
-
 func runForDuration(cmd *cobra.Command, args []string) error {
 	duration, err := time.ParseDuration(args[0])
 	if err != nil {
 		return fmt.Errorf("invalid duration format: %v", err)
 	}

-	conn, err := getClient(cmd.Context())
+	conn, err := getClient(cmd)
 	if err != nil {
 		return err
 	}
@@ -137,18 +117,33 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	client := proto.NewDaemonServiceClient(conn)

+	stat, err := client.Status(cmd.Context(), &proto.StatusRequest{})
+	if err != nil {
+		return fmt.Errorf("failed to get status: %v", status.Convert(err).Message())
+	}
+
+	restoreUp := stat.Status == string(internal.StatusConnected) || stat.Status == string(internal.StatusConnecting)
+
+	initialLogLevel, err := client.GetLogLevel(cmd.Context(), &proto.GetLogLevelRequest{})
+	if err != nil {
+		return fmt.Errorf("failed to get log level: %v", status.Convert(err).Message())
+	}
+
 	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
 		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 	}
 	cmd.Println("Netbird down")

-	_, err = client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{
-		Level: proto.LogLevel_TRACE,
-	})
-	if err != nil {
-		return fmt.Errorf("failed to set log level to trace: %v", status.Convert(err).Message())
+	initialLevelTrace := initialLogLevel.GetLevel() >= proto.LogLevel_TRACE
+	if !initialLevelTrace {
+		_, err = client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{
+			Level: proto.LogLevel_TRACE,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to set log level to TRACE: %v", status.Convert(err).Message())
+		}
+		cmd.Println("Log level set to trace.")
 	}
-	cmd.Println("Log level set to trace.")

 	time.Sleep(1 * time.Second)

@@ -175,10 +170,22 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	}
 	cmd.Println("Netbird down")

-	// TODO reset log level
-
 	time.Sleep(1 * time.Second)

+	if restoreUp {
+		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
+			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
+		}
+		cmd.Println("Netbird up")
+	}
+
+	if !initialLevelTrace {
+		if _, err := client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{Level: initialLogLevel.GetLevel()}); err != nil {
+			return fmt.Errorf("failed to restore log level: %v", status.Convert(err).Message())
+		}
+		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
+	}
+
 	cmd.Println("Creating debug bundle...")

 	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
--- a/client/cmd/down.go
+++ b/client/cmd/down.go
@@ -2,9 +2,10 @@ package cmd

 import (
 	"context"
-	"github.com/netbirdio/netbird/util"
 	"time"

+	"github.com/netbirdio/netbird/util"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"

--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -36,6 +36,7 @@ const (
 	disableAutoConnectFlag  = "disable-auto-connect"
 	serverSSHAllowedFlag    = "allow-server-ssh"
 	extraIFaceBlackListFlag = "extra-iface-blacklist"
+	dnsRouteIntervalFlag    = "dns-router-interval"
 )

 var (
@@ -68,7 +69,9 @@ var (
 	autoConnectDisabled     bool
 	extraIFaceBlackList     []string
 	anonymizeFlag           bool
-	rootCmd                 = &cobra.Command{
+	dnsRouteInterval        time.Duration
+
+	rootCmd = &cobra.Command{
 		Use:          "netbird",
 		Short:        "",
 		Long:         "",
@@ -353,8 +356,11 @@ func migrateToNetbird(oldPath, newPath string) bool {
 	return true
 }

-func getClient(ctx context.Context) (*grpc.ClientConn, error) {
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
+func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
+	SetFlagsFromEnvVars(rootCmd)
+	cmd.SetOut(cmd.OutOrStdout())
+
+	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
--- a/client/cmd/route.go
+++ b/client/cmd/route.go
@@ -2,6 +2,7 @@ package cmd

 import (
 	"fmt"
+	"strings"

 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -49,7 +50,7 @@ func init() {
 }

 func routesList(cmd *cobra.Command, _ []string) error {
-	conn, err := getClient(cmd.Context())
+	conn, err := getClient(cmd)
 	if err != nil {
 		return err
 	}
@@ -66,20 +67,62 @@ func routesList(cmd *cobra.Command, _ []string) error {
 		return nil
 	}

-	cmd.Println("Available Routes:")
-	for _, route := range resp.Routes {
-		selectedStatus := "Not Selected"
-		if route.GetSelected() {
-			selectedStatus = "Selected"
-		}
-		cmd.Printf("\n  - ID: %s\n    Network: %s\n    Status: %s\n", route.GetID(), route.GetNetwork(), selectedStatus)
-	}
+	printRoutes(cmd, resp)

 	return nil
 }

+func printRoutes(cmd *cobra.Command, resp *proto.ListRoutesResponse) {
+	cmd.Println("Available Routes:")
+	for _, route := range resp.Routes {
+		printRoute(cmd, route)
+	}
+}
+
+func printRoute(cmd *cobra.Command, route *proto.Route) {
+	selectedStatus := getSelectedStatus(route)
+	domains := route.GetDomains()
+
+	if len(domains) > 0 {
+		printDomainRoute(cmd, route, domains, selectedStatus)
+	} else {
+		printNetworkRoute(cmd, route, selectedStatus)
+	}
+}
+
+func getSelectedStatus(route *proto.Route) string {
+	if route.GetSelected() {
+		return "Selected"
+	}
+	return "Not Selected"
+}
+
+func printDomainRoute(cmd *cobra.Command, route *proto.Route, domains []string, selectedStatus string) {
+	cmd.Printf("\n  - ID: %s\n    Domains: %s\n    Status: %s\n", route.GetID(), strings.Join(domains, ", "), selectedStatus)
+	resolvedIPs := route.GetResolvedIPs()
+
+	if len(resolvedIPs) > 0 {
+		printResolvedIPs(cmd, domains, resolvedIPs)
+	} else {
+		cmd.Printf("    Resolved IPs: -\n")
+	}
+}
+
+func printNetworkRoute(cmd *cobra.Command, route *proto.Route, selectedStatus string) {
+	cmd.Printf("\n  - ID: %s\n    Network: %s\n    Status: %s\n", route.GetID(), route.GetNetwork(), selectedStatus)
+}
+
+func printResolvedIPs(cmd *cobra.Command, domains []string, resolvedIPs map[string]*proto.IPList) {
+	cmd.Printf("    Resolved IPs:\n")
+	for _, domain := range domains {
+		if ipList, exists := resolvedIPs[domain]; exists {
+			cmd.Printf("      [%s]: %s\n", domain, strings.Join(ipList.GetIps(), ", "))
+		}
+	}
+}
+
 func routesSelect(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd.Context())
+	conn, err := getClient(cmd)
 	if err != nil {
 		return err
 	}
@@ -106,7 +149,7 @@ func routesSelect(cmd *cobra.Command, args []string) error {
 }

 func routesDeselect(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd.Context())
+	conn, err := getClient(cmd)
 	if err != nil {
 		return err
 	}
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -807,11 +807,7 @@ func anonymizePeerDetail(a *anonymize.Anonymizer, peer *peerStateDetailOutput) {
 	}

 	for i, route := range peer.Routes {
-		prefix, err := netip.ParsePrefix(route)
-		if err == nil {
-			ip := a.AnonymizeIPString(prefix.Addr().String())
-			peer.Routes[i] = fmt.Sprintf("%s/%d", ip, prefix.Bits())
-		}
+		peer.Routes[i] = anonymizeRoute(a, route)
 	}
 }

@@ -847,12 +843,21 @@ func anonymizeOverview(a *anonymize.Anonymizer, overview *statusOutputOverview)
 	}

 	for i, route := range overview.Routes {
-		prefix, err := netip.ParsePrefix(route)
-		if err == nil {
-			ip := a.AnonymizeIPString(prefix.Addr().String())
-			overview.Routes[i] = fmt.Sprintf("%s/%d", ip, prefix.Bits())
-		}
+		overview.Routes[i] = anonymizeRoute(a, route)
 	}

 	overview.FQDN = a.AnonymizeDomain(overview.FQDN)
 }
+
+func anonymizeRoute(a *anonymize.Anonymizer, route string) string {
+	prefix, err := netip.ParsePrefix(route)
+	if err == nil {
+		ip := a.AnonymizeIPString(prefix.Addr().String())
+		return fmt.Sprintf("%s/%d", ip, prefix.Bits())
+	}
+	domains := strings.Split(route, ", ")
+	for i, domain := range domains {
+		domains[i] = a.AnonymizeDomain(domain)
+	}
+	return strings.Join(domains, ", ")
+}
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -7,6 +7,9 @@ import (
 	"testing"
 	"time"

+	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/otel"
+
 	"github.com/netbirdio/netbird/management/server/activity"

 	"github.com/netbirdio/netbird/util"
@@ -14,6 +17,7 @@ import (
 	"google.golang.org/grpc"

 	"github.com/netbirdio/management-integrations/integrations"
+
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
@@ -52,7 +56,10 @@ func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	sigProto.RegisterSignalExchangeServer(s, sig.NewServer())
+	srv, err := sig.NewServer(otel.Meter(""))
+	require.NoError(t, err)
+
+	sigProto.RegisterSignalExchangeServer(s, srv)
 	go func() {
 		if err := s.Serve(lis); err != nil {
 			panic(err)
@@ -69,23 +76,24 @@ func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Liste
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	store, err := mgmt.NewStoreFromJson(config.Datadir, nil)
+	store, cleanUp, err := mgmt.NewTestStoreFromJson(context.Background(), config.Datadir)
 	if err != nil {
 		t.Fatal(err)
 	}
+	t.Cleanup(cleanUp)

 	peersUpdateManager := mgmt.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, nil
 	}
-	iv, _ := integrations.NewIntegratedValidator(eventStore)
-	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv)
+	iv, _ := integrations.NewIntegratedValidator(context.Background(), eventStore)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv)
 	if err != nil {
 		t.Fatal(err)
 	}
-	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
-	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager, nil, nil)
+	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, "")
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, peersUpdateManager, turnManager, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -100,7 +108,7 @@ func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Liste
 }

 func startClientDaemon(
-	t *testing.T, ctx context.Context, managementURL, configPath string,
+	t *testing.T, ctx context.Context, _, configPath string,
 ) (*grpc.Server, net.Listener) {
 	t.Helper()
 	lis, err := net.Listen("tcp", "127.0.0.1:0")
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -7,11 +7,13 @@ import (
 	"net/netip"
 	"runtime"
 	"strings"
+	"time"

 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/durationpb"

 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -40,8 +42,12 @@ func init() {
 	upCmd.PersistentFlags().BoolVarP(&foregroundMode, "foreground-mode", "F", false, "start service in foreground")
 	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "Wireguard interface name")
 	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "Wireguard interface listening port")
-	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", false, "Enable network monitoring")
+	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", networkMonitor,
+		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux. `+
+			`E.g. --network-monitor=false to disable or --network-monitor=true to enable.`,
+	)
 	upCmd.PersistentFlags().StringSliceVar(&extraIFaceBlackList, extraIFaceBlackListFlag, nil, "Extra list of default interfaces to ignore for listening")
+	upCmd.PersistentFlags().DurationVar(&dnsRouteInterval, dnsRouteIntervalFlag, time.Minute, "DNS route update interval")
 }

 func upFunc(cmd *cobra.Command, args []string) error {
@@ -137,6 +143,10 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		}
 	}

+	if cmd.Flag(dnsRouteIntervalFlag).Changed {
+		ic.DNSRouteInterval = &dnsRouteInterval
+	}
+
 	config, err := internal.UpdateOrCreateConfig(ic)
 	if err != nil {
 		return fmt.Errorf("get config file: %v", err)
@@ -153,7 +163,10 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	ctx, cancel = context.WithCancel(ctx)
 	SetupCloseHandler(ctx, cancel)

-	connectClient := internal.NewConnectClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()))
+	r := peer.NewRecorder(config.ManagementURL.String())
+	r.GetFullStatus()
+
+	connectClient := internal.NewConnectClient(ctx, config, r)
 	return connectClient.Run()
 }

@@ -237,6 +250,10 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		loginRequest.NetworkMonitor = &networkMonitor
 	}

+	if cmd.Flag(dnsRouteIntervalFlag).Changed {
+		loginRequest.DnsRouteInterval = durationpb.New(dnsRouteInterval)
+	}
+
 	var loginErr error

 	var loginResp *proto.LoginResponse
--- a/client/errors/errors.go
+++ b/client/errors/errors.go
@@ -0,0 +1,30 @@
+package errors
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/go-multierror"
+)
+
+func formatError(es []error) string {
+	if len(es) == 0 {
+		return fmt.Sprintf("0 error occurred:\n\t* %s", es[0])
+	}
+
+	points := make([]string, len(es))
+	for i, err := range es {
+		points[i] = fmt.Sprintf("* %s", err)
+	}
+
+	return fmt.Sprintf(
+		"%d errors occurred:\n\t%s",
+		len(es), strings.Join(points, "\n\t"))
+}
+
+func FormatErrorOrNil(err *multierror.Error) error {
+	if err != nil {
+		err.ErrorFormat = formatError
+	}
+	return err.ErrorOrNil()
+}
--- a/client/firewall/create_linux.go
+++ b/client/firewall/create_linux.go
@@ -42,20 +42,20 @@ func NewFirewall(context context.Context, iface IFaceMapper) (firewall.Manager,

 	switch check() {
 	case IPTABLES:
-		log.Debug("creating an iptables firewall manager")
+		log.Info("creating an iptables firewall manager")
 		fm, errFw = nbiptables.Create(context, iface)
 		if errFw != nil {
 			log.Errorf("failed to create iptables manager: %s", errFw)
 		}
 	case NFTABLES:
-		log.Debug("creating an nftables firewall manager")
+		log.Info("creating an nftables firewall manager")
 		fm, errFw = nbnftables.Create(context, iface)
 		if errFw != nil {
 			log.Errorf("failed to create nftables manager: %s", errFw)
 		}
 	default:
 		errFw = fmt.Errorf("no firewall manager found")
-		log.Debug("no firewall manager found, try to use userspace packet filtering firewall")
+		log.Info("no firewall manager found, trying to use userspace packet filtering firewall")
 	}

 	if iface.IsUserspaceBind() {
@@ -85,16 +85,58 @@ func NewFirewall(context context.Context, iface IFaceMapper) (firewall.Manager,

 // check returns the firewall type based on common lib checks. It returns UNKNOWN if no firewall is found.
 func check() FWType {
-	nf := nftables.Conn{}
-	if _, err := nf.ListChains(); err == nil && os.Getenv(SKIP_NFTABLES_ENV) != "true" {
-		return NFTABLES
+	useIPTABLES := false
+	var iptablesChains []string
+	ip, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	if err == nil && isIptablesClientAvailable(ip) {
+		major, minor, _ := ip.GetIptablesVersion()
+		// use iptables when its version is lower than 1.8.0 which doesn't work well with our nftables manager
+		if major < 1 || (major == 1 && minor < 8) {
+			return IPTABLES
+		}
+
+		useIPTABLES = true
+
+		iptablesChains, err = ip.ListChains("filter")
+		if err != nil {
+			log.Errorf("failed to list iptables chains: %s", err)
+			useIPTABLES = false
+		}
 	}

-	ip, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	if err != nil {
-		return UNKNOWN
+	nf := nftables.Conn{}
+	if chains, err := nf.ListChains(); err == nil && os.Getenv(SKIP_NFTABLES_ENV) != "true" {
+		if !useIPTABLES {
+			return NFTABLES
+		}
+
+		// search for chains where table is filter
+		// if we find one, we assume that nftables manager can be used with iptables
+		for _, chain := range chains {
+			if chain.Table.Name == "filter" {
+				return NFTABLES
+			}
+		}
+
+		// check tables for the following constraints:
+		// 1. there is no chain in nftables for the filter table and there is at least one chain in iptables, we assume that nftables manager can not be used
+		// 2. there is no tables or more than one table, we assume that nftables manager can be used
+		// 3. there is only one table and its name is filter, we assume that nftables manager can not be used, since there was no chain in it
+		// 4. if we find an error we log and continue with iptables check
+		nbTablesList, err := nf.ListTables()
+		switch {
+		case err == nil && len(iptablesChains) > 0:
+			return IPTABLES
+		case err == nil && len(nbTablesList) != 1:
+			return NFTABLES
+		case err == nil && len(nbTablesList) == 1 && nbTablesList[0].Name == "filter":
+			return IPTABLES
+		case err != nil:
+			log.Errorf("failed to list nftables tables on fw manager discovery: %s", err)
+		}
 	}
-	if isIptablesClientAvailable(ip) {
+
+	if useIPTABLES {
 		return IPTABLES
 	}

--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -74,12 +74,12 @@ func (i *routerManager) InsertRoutingRules(pair firewall.RouterPair) error {
 		return nil
 	}

-	err = i.insertRoutingRule(firewall.NatFormat, tableNat, chainRTNAT, routingFinalNatJump, pair)
+	err = i.addNATRule(firewall.NatFormat, tableNat, chainRTNAT, routingFinalNatJump, pair)
 	if err != nil {
 		return err
 	}

-	err = i.insertRoutingRule(firewall.InNatFormat, tableNat, chainRTNAT, routingFinalNatJump, firewall.GetInPair(pair))
+	err = i.addNATRule(firewall.InNatFormat, tableNat, chainRTNAT, routingFinalNatJump, firewall.GetInPair(pair))
 	if err != nil {
 		return err
 	}
@@ -101,6 +101,7 @@ func (i *routerManager) insertRoutingRule(keyFormat, table, chain, jump string,
 		}
 		delete(i.rules, ruleKey)
 	}
+
 	err = i.iptablesClient.Insert(table, chain, 1, rule...)
 	if err != nil {
 		return fmt.Errorf("error while adding new %s rule for %s: %v", getIptablesRuleType(table), pair.Destination, err)
@@ -317,6 +318,13 @@ func (i *routerManager) createChain(table, newChain string) error {
 			return fmt.Errorf("couldn't create chain %s in %s table, error: %v", newChain, table, err)
 		}

+		// Add the loopback return rule to the NAT chain
+		loopbackRule := []string{"-o", "lo", "-j", "RETURN"}
+		err = i.iptablesClient.Insert(table, newChain, 1, loopbackRule...)
+		if err != nil {
+			return fmt.Errorf("failed to add loopback return rule to %s: %v", chainRTNAT, err)
+		}
+
 		err = i.iptablesClient.Append(table, newChain, "-j", "RETURN")
 		if err != nil {
 			return fmt.Errorf("couldn't create chain %s default rule, error: %v", newChain, err)
@@ -326,6 +334,30 @@ func (i *routerManager) createChain(table, newChain string) error {
 	return nil
 }

+// addNATRule appends an iptables rule pair to the nat chain
+func (i *routerManager) addNATRule(keyFormat, table, chain, jump string, pair firewall.RouterPair) error {
+	ruleKey := firewall.GenKey(keyFormat, pair.ID)
+	rule := genRuleSpec(jump, pair.Source, pair.Destination)
+	existingRule, found := i.rules[ruleKey]
+	if found {
+		err := i.iptablesClient.DeleteIfExists(table, chain, existingRule...)
+		if err != nil {
+			return fmt.Errorf("error while removing existing NAT rule for %s: %v", pair.Destination, err)
+		}
+		delete(i.rules, ruleKey)
+	}
+
+	// inserting after loopback ignore rule
+	err := i.iptablesClient.Insert(table, chain, 2, rule...)
+	if err != nil {
+		return fmt.Errorf("error while appending new NAT rule for %s: %v", pair.Destination, err)
+	}
+
+	i.rules[ruleKey] = rule
+
+	return nil
+}
+
 // genRuleSpec generates rule specification
 func genRuleSpec(jump, source, destination string) []string {
 	return []string{"-s", source, "-d", destination, "-j", jump}
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -95,7 +95,7 @@ func (m *Manager) InsertRoutingRules(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.InsertRoutingRules(pair)
+	return m.router.AddRoutingRules(pair)
 }

 func (m *Manager) RemoveRoutingRules(pair firewall.RouterPair) error {
--- a/client/firewall/nftables/route_linux.go
+++ b/client/firewall/nftables/route_linux.go
@@ -22,6 +22,8 @@ const (

 	userDataAcceptForwardRuleSrc = "frwacceptsrc"
 	userDataAcceptForwardRuleDst = "frwacceptdst"
+
+	loopbackInterface = "lo\x00"
 )

 // some presets for building nftable rules
@@ -126,6 +128,22 @@ func (r *router) createContainers() error {
 		Type:     nftables.ChainTypeNAT,
 	})

+	// Add RETURN rule for loopback interface
+	loRule := &nftables.Rule{
+		Table: r.workTable,
+		Chain: r.chains[chainNameRoutingNat],
+		Exprs: []expr.Any{
+			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     []byte(loopbackInterface),
+			},
+			&expr.Verdict{Kind: expr.VerdictReturn},
+		},
+	}
+	r.conn.InsertRule(loRule)
+
 	err := r.refreshRulesMap()
 	if err != nil {
 		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
@@ -138,28 +156,28 @@ func (r *router) createContainers() error {
 	return nil
 }

-// InsertRoutingRules inserts a nftable rule pair to the forwarding chain and if enabled, to the nat chain
-func (r *router) InsertRoutingRules(pair manager.RouterPair) error {
+// AddRoutingRules appends a nftable rule pair to the forwarding chain and if enabled, to the nat chain
+func (r *router) AddRoutingRules(pair manager.RouterPair) error {
 	err := r.refreshRulesMap()
 	if err != nil {
 		return err
 	}

-	err = r.insertRoutingRule(manager.ForwardingFormat, chainNameRouteingFw, pair, false)
+	err = r.addRoutingRule(manager.ForwardingFormat, chainNameRouteingFw, pair, false)
 	if err != nil {
 		return err
 	}
-	err = r.insertRoutingRule(manager.InForwardingFormat, chainNameRouteingFw, manager.GetInPair(pair), false)
+	err = r.addRoutingRule(manager.InForwardingFormat, chainNameRouteingFw, manager.GetInPair(pair), false)
 	if err != nil {
 		return err
 	}

 	if pair.Masquerade {
-		err = r.insertRoutingRule(manager.NatFormat, chainNameRoutingNat, pair, true)
+		err = r.addRoutingRule(manager.NatFormat, chainNameRoutingNat, pair, true)
 		if err != nil {
 			return err
 		}
-		err = r.insertRoutingRule(manager.InNatFormat, chainNameRoutingNat, manager.GetInPair(pair), true)
+		err = r.addRoutingRule(manager.InNatFormat, chainNameRoutingNat, manager.GetInPair(pair), true)
 		if err != nil {
 			return err
 		}
@@ -177,8 +195,8 @@ func (r *router) InsertRoutingRules(pair manager.RouterPair) error {
 	return nil
 }

-// insertRoutingRule inserts a nftable rule to the conn client flush queue
-func (r *router) insertRoutingRule(format, chainName string, pair manager.RouterPair, isNat bool) error {
+// addRoutingRule inserts a nftable rule to the conn client flush queue
+func (r *router) addRoutingRule(format, chainName string, pair manager.RouterPair, isNat bool) error {
 	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
 	destExp := generateCIDRMatcherExpressions(false, pair.Destination)

@@ -199,7 +217,7 @@ func (r *router) insertRoutingRule(format, chainName string, pair manager.Router
 		}
 	}

-	r.rules[ruleKey] = r.conn.InsertRule(&nftables.Rule{
+	r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainName],
 		Exprs:    expression,
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -47,7 +47,7 @@ func TestNftablesManager_InsertRoutingRules(t *testing.T) {

 			require.NoError(t, err, "shouldn't return error")

-			err = manager.InsertRoutingRules(testCase.InputPair)
+			err = manager.AddRoutingRules(testCase.InputPair)
 			defer func() {
 				_ = manager.RemoveRoutingRules(testCase.InputPair)
 			}()
--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -6,13 +6,16 @@ import (
 	"net/url"
 	"os"
 	"reflect"
+	"runtime"
 	"strings"
+	"time"

 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"

+	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/iface"
 	mgm "github.com/netbirdio/netbird/management/client"
@@ -53,6 +56,7 @@ type ConfigInput struct {
 	NetworkMonitor      *bool
 	DisableAutoConnect  *bool
 	ExtraIFaceBlackList []string
+	DNSRouteInterval    *time.Duration
 }

 // Config Configuration type
@@ -64,7 +68,7 @@ type Config struct {
 	AdminURL             *url.URL
 	WgIface              string
 	WgPort               int
-	NetworkMonitor       bool
+	NetworkMonitor       *bool
 	IFaceBlackList       []string
 	DisableIPv6Discovery bool
 	RosenpassEnabled     bool
@@ -95,6 +99,9 @@ type Config struct {
 	// DisableAutoConnect determines whether the client should not start with the service
 	// it's set to false by default due to backwards compatibility
 	DisableAutoConnect bool
+
+	// DNSRouteInterval is the interval in which the DNS routes are updated
+	DNSRouteInterval time.Duration
 }

 // ReadConfig read config file and return with Config. If it is not exists create a new with default values
@@ -304,12 +311,21 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}

-	if input.NetworkMonitor != nil && *input.NetworkMonitor != config.NetworkMonitor {
+	if input.NetworkMonitor != nil && input.NetworkMonitor != config.NetworkMonitor {
 		log.Infof("switching Network Monitor to %t", *input.NetworkMonitor)
-		config.NetworkMonitor = *input.NetworkMonitor
+		config.NetworkMonitor = input.NetworkMonitor
 		updated = true
 	}

+	if config.NetworkMonitor == nil {
+		// enable network monitoring by default on windows and darwin clients
+		if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
+			enabled := true
+			config.NetworkMonitor = &enabled
+			updated = true
+		}
+	}
+
 	if input.CustomDNSAddress != nil && string(input.CustomDNSAddress) != config.CustomDNSAddress {
 		log.Infof("updating custom DNS address %#v (old value %#v)",
 			string(input.CustomDNSAddress), config.CustomDNSAddress)
@@ -357,6 +373,18 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}

+	if input.DNSRouteInterval != nil && *input.DNSRouteInterval != config.DNSRouteInterval {
+		log.Infof("updating DNS route interval to %s (old value %s)",
+			input.DNSRouteInterval.String(), config.DNSRouteInterval.String())
+		config.DNSRouteInterval = *input.DNSRouteInterval
+		updated = true
+	} else if config.DNSRouteInterval == 0 {
+		config.DNSRouteInterval = dynamic.DefaultInterval
+		log.Infof("using default DNS route interval %s", config.DNSRouteInterval)
+		updated = true
+
+	}
+
 	return updated, nil
 }

--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"runtime"
 	"runtime/debug"
 	"strings"
@@ -25,6 +26,8 @@ import (
 	"github.com/netbirdio/netbird/iface"
 	mgm "github.com/netbirdio/netbird/management/client"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
+	"github.com/netbirdio/netbird/relay/auth/hmac"
+	relayClient "github.com/netbirdio/netbird/relay/client"
 	signal "github.com/netbirdio/netbird/signal/client"
 	"github.com/netbirdio/netbird/util"
 	"github.com/netbirdio/netbird/version"
@@ -91,6 +94,9 @@ func (c *ConnectClient) RunOniOS(
 	networkChangeListener listener.NetworkChangeListener,
 	dnsManager dns.IosDnsManager,
 ) error {
+	// Set GC percent to 5% to reduce memory usage as iOS only allows 50MB of memory for the extension.
+	debug.SetGCPercent(5)
+
 	mobileDependency := MobileDependency{
 		FileDescriptor:        fileDescriptor,
 		NetworkChangeListener: networkChangeListener,
@@ -240,6 +246,20 @@ func (c *ConnectClient) run(

 		c.statusRecorder.MarkSignalConnected()

+		relayURL, token := parseRelayInfo(loginResp)
+		relayManager := relayClient.NewManager(engineCtx, relayURL, myPrivateKey.PublicKey().String())
+		if relayURL != "" {
+			if token != nil {
+				relayManager.UpdateToken(token)
+			}
+			log.Infof("connecting to the Relay service %s", relayURL)
+			if err = relayManager.Serve(); err != nil {
+				log.Error(err)
+				return wrapErr(err)
+			}
+			c.statusRecorder.SetRelayMgr(relayManager)
+		}
+
 		peerConfig := loginResp.GetPeerConfig()

 		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig)
@@ -248,8 +268,10 @@ func (c *ConnectClient) run(
 			return wrapErr(err)
 		}

+		checks := loginResp.GetChecks()
+
 		c.engineMutex.Lock()
-		c.engine = NewEngineWithProbes(engineCtx, cancel, signalClient, mgmClient, engineConfig, mobileDependency, c.statusRecorder, mgmProbe, signalProbe, relayProbe, wgProbe)
+		c.engine = NewEngineWithProbes(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, mgmProbe, signalProbe, relayProbe, wgProbe, checks)
 		c.engineMutex.Unlock()

 		err = c.engine.Start()
@@ -293,6 +315,30 @@ func (c *ConnectClient) run(
 	return nil
 }

+func parseRelayInfo(resp *mgmProto.LoginResponse) (string, *hmac.Token) {
+	// todo remove this
+	if ra := peer.ForcedRelayAddress(); ra != "" {
+		return ra, nil
+	}
+
+	msg := resp.GetWiretrusteeConfig().GetRelay()
+	if msg == nil {
+		return "", nil
+	}
+
+	var url string
+	if msg.GetUrls() != nil && len(msg.GetUrls()) > 0 {
+		url = msg.GetUrls()[0]
+	}
+
+	token := &hmac.Token{
+		Payload:   msg.GetTokenPayload(),
+		Signature: msg.GetTokenSignature(),
+	}
+
+	return url, token
+}
+
 func (c *ConnectClient) Engine() *Engine {
 	var e *Engine
 	c.engineMutex.Lock()
@@ -303,6 +349,10 @@ func (c *ConnectClient) Engine() *Engine {

 // createEngineConfig converts configuration received from Management Service to EngineConfig
 func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
+	nm := false
+	if config.NetworkMonitor != nil {
+		nm = *config.NetworkMonitor
+	}
 	engineConf := &EngineConfig{
 		WgIfaceName:          config.WgIface,
 		WgAddr:               peerConfig.Address,
@@ -310,13 +360,14 @@ func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.Pe
 		DisableIPv6Discovery: config.DisableIPv6Discovery,
 		WgPrivateKey:         key,
 		WgPort:               config.WgPort,
-		NetworkMonitor:       config.NetworkMonitor,
+		NetworkMonitor:       nm,
 		SSHKey:               []byte(config.SSHKey),
 		NATExternalIPs:       config.NATExternalIPs,
 		CustomDNSAddress:     config.CustomDNSAddress,
 		RosenpassEnabled:     config.RosenpassEnabled,
 		RosenpassPermissive:  config.RosenpassPermissive,
 		ServerSSHAllowed:     util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
+		DNSRouteInterval:     config.DNSRouteInterval,
 	}

 	if config.PreSharedKey != "" {
@@ -327,6 +378,15 @@ func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.Pe
 		engineConf.PreSharedKey = &preSharedKey
 	}

+	port, err := freePort(config.WgPort)
+	if err != nil {
+		return nil, err
+	}
+	if port != config.WgPort {
+		log.Infof("using %d as wireguard port: %d is in use", port, config.WgPort)
+	}
+	engineConf.WgPort = port
+
 	return engineConf, nil
 }

@@ -376,3 +436,20 @@ func statusRecorderToSignalConnStateNotifier(statusRecorder *peer.Status) signal
 	notifier, _ := sri.(signal.ConnStateNotifier)
 	return notifier
 }
+
+func freePort(start int) (int, error) {
+	addr := net.UDPAddr{}
+	if start == 0 {
+		start = iface.DefaultWgPort
+	}
+	for x := start; x <= 65535; x++ {
+		addr.Port = x
+		conn, err := net.ListenUDP("udp", &addr)
+		if err != nil {
+			continue
+		}
+		conn.Close()
+		return x, nil
+	}
+	return 0, errors.New("no free ports")
+}
--- a/client/internal/connect_test.go
+++ b/client/internal/connect_test.go
@@ -0,0 +1,57 @@
+package internal
+
+import (
+	"net"
+	"testing"
+)
+
+func Test_freePort(t *testing.T) {
+	tests := []struct {
+		name    string
+		port    int
+		want    int
+		wantErr bool
+	}{
+		{
+			name:    "available",
+			port:    51820,
+			want:    51820,
+			wantErr: false,
+		},
+		{
+			name:    "notavailable",
+			port:    51830,
+			want:    51831,
+			wantErr: false,
+		},
+		{
+			name:    "noports",
+			port:    65535,
+			want:    0,
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+
+		c1, err := net.ListenUDP("udp", &net.UDPAddr{Port: 51830})
+		if err != nil {
+			t.Errorf("freePort error = %v", err)
+		}
+		c2, err := net.ListenUDP("udp", &net.UDPAddr{Port: 65535})
+		if err != nil {
+			t.Errorf("freePort error = %v", err)
+		}
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := freePort(tt.port)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("freePort() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("freePort() = %v, want %v", got, tt.want)
+			}
+		})
+		c1.Close()
+		c2.Close()
+	}
+}
--- a/client/internal/dns/consts_freebsd.go
+++ b/client/internal/dns/consts_freebsd.go
@@ -0,0 +1,6 @@
+package dns
+
+const (
+	fileUncleanShutdownResolvConfLocation  = "/var/db/netbird/resolv.conf"
+	fileUncleanShutdownManagerTypeLocation = "/var/db/netbird/manager"
+)
--- a/client/internal/dns/consts_linux.go
+++ b/client/internal/dns/consts_linux.go
@@ -0,0 +1,8 @@
+//go:build !android
+
+package dns
+
+const (
+	fileUncleanShutdownResolvConfLocation  = "/var/lib/netbird/resolv.conf"
+	fileUncleanShutdownManagerTypeLocation = "/var/lib/netbird/manager"
+)
--- a/client/internal/dns/dbus_linux.go
+++ b/client/internal/dns/dbus_linux.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build (linux && !android) || freebsd

 package dns

--- a/client/internal/dns/file_parser_linux.go
+++ b/client/internal/dns/file_parser_linux.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build (linux && !android) || freebsd

 package dns

--- a/client/internal/dns/file_parser_linux_test.go
+++ b/client/internal/dns/file_parser_linux_test.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build (linux && !android) || freebsd

 package dns

--- a/client/internal/dns/file_repair_linux.go
+++ b/client/internal/dns/file_repair_linux.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build (linux && !android) || freebsd

 package dns

--- a/client/internal/dns/file_repair_linux_test.go
+++ b/client/internal/dns/file_repair_linux_test.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build (linux && !android) || freebsd

 package dns

--- a/client/internal/dns/file_linux.go
+++ b/client/internal/dns/file_linux.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build (linux && !android) || freebsd

 package dns

--- a/client/internal/dns/file_linux_test.go
+++ b/client/internal/dns/file_linux_test.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build (linux && !android) || freebsd

 package dns

--- a/client/internal/dns/host_linux.go
+++ b/client/internal/dns/host_linux.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build (linux && !android) || freebsd

 package dns

@@ -108,7 +108,7 @@ func getOSDNSManagerType() (osManagerType, error) {
 		if strings.Contains(text, "NetworkManager") && isDbusListenerRunning(networkManagerDest, networkManagerDbusObjectNode) && isNetworkManagerSupported() {
 			return networkManager, nil
 		}
-		if strings.Contains(text, "systemd-resolved") && isDbusListenerRunning(systemdResolvedDest, systemdDbusObjectNode) {
+		if strings.Contains(text, "systemd-resolved") && isSystemdResolvedRunning() {
 			if checkStub() {
 				return systemdManager, nil
 			} else {
@@ -116,16 +116,10 @@ func getOSDNSManagerType() (osManagerType, error) {
 			}
 		}
 		if strings.Contains(text, "resolvconf") {
-			if isDbusListenerRunning(systemdResolvedDest, systemdDbusObjectNode) {
-				var value string
-				err = getSystemdDbusProperty(systemdDbusResolvConfModeProperty, &value)
-				if err == nil {
-					if value == systemdDbusResolvConfModeForeign {
-						return systemdManager, nil
-					}
-				}
-				log.Errorf("got an error while checking systemd resolv conf mode, error: %s", err)
+			if isSystemdResolveConfMode() {
+				return systemdManager, nil
 			}
+
 			return resolvConfManager, nil
 		}
 	}
--- a/client/internal/dns/network_manager_linux.go
+++ b/client/internal/dns/network_manager_linux.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build (linux && !android) || freebsd

 package dns

--- a/client/internal/dns/resolvconf_linux.go
+++ b/client/internal/dns/resolvconf_linux.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build (linux && !android) || freebsd

 package dns

--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -39,6 +39,10 @@ func (w *mocWGIface) Address() iface.WGAddress {
 	}
 }

+func (w *mocWGIface) ToInterface() *net.Interface {
+	panic("implement me")
+}
+
 func (w *mocWGIface) GetFilter() iface.PacketFilter {
 	return w.filter
 }
@@ -261,7 +265,7 @@ func TestUpdateDNSServer(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
+			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), 33100, privKey.String(), iface.DefaultMTU, newNet, nil, nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -339,7 +343,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	}

 	privKey, _ := wgtypes.GeneratePrivateKey()
-	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.1/32", 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
+	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.1/32", 33100, privKey.String(), iface.DefaultMTU, newNet, nil, nil)
 	if err != nil {
 		t.Errorf("build interface wireguard: %v", err)
 		return
@@ -797,7 +801,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 	}

 	privKey, _ := wgtypes.GeneratePrivateKey()
-	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.2/24", 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
+	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.2/24", 33100, privKey.String(), iface.DefaultMTU, newNet, nil, nil)
 	if err != nil {
 		t.Fatalf("build interface wireguard: %v", err)
 		return nil, err
--- a/client/internal/dns/server_linux.go
+++ b/client/internal/dns/server_linux.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build (linux && !android) || freebsd

 package dns

--- a/client/internal/dns/systemd_freebsd.go
+++ b/client/internal/dns/systemd_freebsd.go
@@ -0,0 +1,20 @@
+package dns
+
+import (
+	"errors"
+	"fmt"
+)
+
+var errNotImplemented = errors.New("not implemented")
+
+func newSystemdDbusConfigurator(wgInterface string) (hostManager, error) {
+	return nil, fmt.Errorf("systemd dns management: %w on freebsd", errNotImplemented)
+}
+
+func isSystemdResolvedRunning() bool {
+	return false
+}
+
+func isSystemdResolveConfMode() bool {
+	return false
+}
--- a/client/internal/dns/systemd_linux.go
+++ b/client/internal/dns/systemd_linux.go
@@ -242,3 +242,25 @@ func getSystemdDbusProperty(property string, store any) error {

 	return v.Store(store)
 }
+
+func isSystemdResolvedRunning() bool {
+	return isDbusListenerRunning(systemdResolvedDest, systemdDbusObjectNode)
+}
+
+func isSystemdResolveConfMode() bool {
+	if !isDbusListenerRunning(systemdResolvedDest, systemdDbusObjectNode) {
+		return false
+	}
+
+	var value string
+	if err := getSystemdDbusProperty(systemdDbusResolvConfModeProperty, &value); err != nil {
+		log.Errorf("got an error while checking systemd resolv conf mode, error: %s", err)
+		return false
+	}
+
+	if value == systemdDbusResolvConfModeForeign {
+		return true
+	}
+
+	return false
+}
--- a/client/internal/dns/unclean_shutdown_linux.go
+++ b/client/internal/dns/unclean_shutdown_linux.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build (linux && !android) || freebsd

 package dns

@@ -14,11 +14,6 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-const (
-	fileUncleanShutdownResolvConfLocation  = "/var/lib/netbird/resolv.conf"
-	fileUncleanShutdownManagerTypeLocation = "/var/lib/netbird/manager"
-)
-
 func CheckUncleanShutdown(wgIface string) error {
 	if _, err := os.Stat(fileUncleanShutdownResolvConfLocation); err != nil {
 		if errors.Is(err, fs.ErrNotExist) {
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"runtime"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -79,6 +78,11 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}()

 	log.WithField("question", r.Question[0]).Trace("received an upstream question")
+	// set the AuthenticatedData flag and the EDNS0 buffer size to 4096 bytes to support larger dns records
+	if r.Extra == nil {
+		r.SetEdns0(4096, false)
+		r.MsgHdr.AuthenticatedData = true
+	}

 	select {
 	case <-u.ctx.Done():
@@ -260,13 +264,10 @@ func (u *upstreamResolverBase) disable(err error) {
 		return
 	}

-	// todo test the deactivation logic, it seems to affect the client
-	if runtime.GOOS != "ios" {
-		log.Warnf("Upstream resolving is Disabled for %v", reactivatePeriod)
-		u.deactivate(err)
-		u.disabled = true
-		go u.waitUntilResponse()
-	}
+	log.Warnf("Upstream resolving is Disabled for %v", reactivatePeriod)
+	u.deactivate(err)
+	u.disabled = true
+	go u.waitUntilResponse()
 }

 func (u *upstreamResolverBase) testNameserver(server string) error {
--- a/client/internal/dns/wgiface.go
+++ b/client/internal/dns/wgiface.go
@@ -2,12 +2,17 @@

 package dns

-import "github.com/netbirdio/netbird/iface"
+import (
+	"net"
+
+	"github.com/netbirdio/netbird/iface"
+)

 // WGIface defines subset methods of interface required for manager
 type WGIface interface {
 	Name() string
 	Address() iface.WGAddress
+	ToInterface() *net.Interface
 	IsUserspaceBind() bool
 	GetFilter() iface.PacketFilter
 	GetDevice() *iface.DeviceWrapper
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -4,13 +4,16 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"maps"
 	"math/rand"
 	"net"
 	"net/netip"
 	"reflect"
 	"runtime"
+	"slices"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"

 	"github.com/pion/ice/v3"
@@ -22,22 +25,29 @@ import (
 	"github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
+
 	"github.com/netbirdio/netbird/client/internal/networkmonitor"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/wgproxy"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
+	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/iface/bind"
 	mgm "github.com/netbirdio/netbird/management/client"
+	"github.com/netbirdio/netbird/management/domain"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
+	auth "github.com/netbirdio/netbird/relay/auth/hmac"
+	relayClient "github.com/netbirdio/netbird/relay/client"
 	"github.com/netbirdio/netbird/route"
 	signal "github.com/netbirdio/netbird/signal/client"
 	sProto "github.com/netbirdio/netbird/signal/proto"
 	"github.com/netbirdio/netbird/util"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
@@ -88,19 +98,22 @@ type EngineConfig struct {
 	RosenpassPermissive bool

 	ServerSSHAllowed bool
+
+	DNSRouteInterval time.Duration
 }

 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
 type Engine struct {
 	// signal is a Signal Service client
-	signal signal.Client
+	signal   signal.Client
+	signaler *peer.Signaler
 	// mgmClient is a Management Service client
 	mgmClient mgm.Client
 	// peerConns is a map that holds all the peers that are known to this peer
 	peerConns map[string]*peer.Conn

-	beforePeerHook peer.BeforeAddPeerHookFunc
-	afterPeerHook  peer.AfterRemovePeerHookFunc
+	beforePeerHook nbnet.AddHookFunc
+	afterPeerHook  nbnet.RemoveHookFunc

 	// rpManager is a Rosenpass manager
 	rpManager *rosenpass.Manager
@@ -114,10 +127,12 @@ type Engine struct {
 	// STUNs is a list of STUN servers used by ICE
 	STUNs []*stun.URI
 	// TURNs is a list of STUN servers used by ICE
-	TURNs []*stun.URI
+	TURNs    []*stun.URI
+	StunTurn atomic.Value

 	// clientRoutes is the most recent list of clientRoutes received from the Management Service
-	clientRoutes route.HAMap
+	clientRoutes   route.HAMap
+	clientRoutesMu sync.RWMutex

 	clientCtx    context.Context
 	clientCancel context.CancelFunc
@@ -125,7 +140,7 @@ type Engine struct {
 	ctx    context.Context
 	cancel context.CancelFunc

-	wgInterface    *iface.WGIface
+	wgInterface    iface.IWGIface
 	wgProxyFactory *wgproxy.Factory

 	udpMux *bind.UniversalUDPMuxDefault
@@ -133,7 +148,7 @@ type Engine struct {
 	// networkSerial is the latest CurrentSerial (state ID) of the network sent by the Management service
 	networkSerial uint64

-	networkWatcher *networkmonitor.NetworkWatcher
+	networkMonitor *networkmonitor.NetworkMonitor

 	sshServerFunc func(hostKeyPEM []byte, addr string) (nbssh.Server, error)
 	sshServer     nbssh.Server
@@ -150,6 +165,11 @@ type Engine struct {
 	signalProbe *Probe
 	relayProbe  *Probe
 	wgProbe     *Probe
+
+	// checks are the client-applied posture checks that need to be evaluated on the client
+	checks []*mgmProto.Checks
+
+	relayManager *relayClient.Manager
 }

 // Peer is an instance of the Connection Peer
@@ -164,15 +184,18 @@ func NewEngine(
 	clientCancel context.CancelFunc,
 	signalClient signal.Client,
 	mgmClient mgm.Client,
+	relayManager *relayClient.Manager,
 	config *EngineConfig,
 	mobileDep MobileDependency,
 	statusRecorder *peer.Status,
+	checks []*mgmProto.Checks,
 ) *Engine {
 	return NewEngineWithProbes(
 		clientCtx,
 		clientCancel,
 		signalClient,
 		mgmClient,
+		relayManager,
 		config,
 		mobileDep,
 		statusRecorder,
@@ -180,6 +203,7 @@ func NewEngine(
 		nil,
 		nil,
 		nil,
+		checks,
 	)
 }

@@ -189,6 +213,7 @@ func NewEngineWithProbes(
 	clientCancel context.CancelFunc,
 	signalClient signal.Client,
 	mgmClient mgm.Client,
+	relayManager *relayClient.Manager,
 	config *EngineConfig,
 	mobileDep MobileDependency,
 	statusRecorder *peer.Status,
@@ -196,13 +221,15 @@ func NewEngineWithProbes(
 	signalProbe *Probe,
 	relayProbe *Probe,
 	wgProbe *Probe,
+	checks []*mgmProto.Checks,
 ) *Engine {
-
 	return &Engine{
 		clientCtx:      clientCtx,
 		clientCancel:   clientCancel,
 		signal:         signalClient,
+		signaler:       peer.NewSignaler(signalClient, config.WgPrivateKey),
 		mgmClient:      mgmClient,
+		relayManager:   relayManager,
 		peerConns:      make(map[string]*peer.Conn),
 		syncMsgMux:     &sync.Mutex{},
 		config:         config,
@@ -212,11 +239,11 @@ func NewEngineWithProbes(
 		networkSerial:  0,
 		sshServerFunc:  nbssh.DefaultSSHServer,
 		statusRecorder: statusRecorder,
-		networkWatcher: networkmonitor.New(),
 		mgmProbe:       mgmProbe,
 		signalProbe:    signalProbe,
 		relayProbe:     relayProbe,
 		wgProbe:        wgProbe,
+		checks:         checks,
 	}
 }

@@ -229,14 +256,19 @@ func (e *Engine) Stop() error {
 	}

 	// stopping network monitor first to avoid starting the engine again
-	e.networkWatcher.Stop()
+	if e.networkMonitor != nil {
+		e.networkMonitor.Stop()
+	}
+	log.Info("Network monitor: stopped")

 	err := e.removeAllPeers()
 	if err != nil {
 		return err
 	}

+	e.clientRoutesMu.Lock()
 	e.clientRoutes = nil
+	e.clientRoutesMu.Unlock()

 	// very ugly but we want to remove peers from the WireGuard interface first before removing interface.
 	// Removing peers happens in the conn.Close() asynchronously
@@ -259,8 +291,6 @@ func (e *Engine) Start() error {
 	}
 	e.ctx, e.cancel = context.WithCancel(e.clientCtx)

-	e.wgProxyFactory = wgproxy.NewFactory(e.clientCtx, e.config.WgPort)
-
 	wgIface, err := e.newWgIface()
 	if err != nil {
 		log.Errorf("failed creating wireguard interface instance %s: [%s]", e.config.WgIfaceName, err)
@@ -268,6 +298,9 @@ func (e *Engine) Start() error {
 	}
 	e.wgInterface = wgIface

+	userspace := e.wgInterface.IsUserspaceBind()
+	e.wgProxyFactory = wgproxy.NewFactory(e.ctx, userspace, e.config.WgPort)
+
 	if e.config.RosenpassEnabled {
 		log.Infof("rosenpass is enabled")
 		if e.config.RosenpassPermissive {
@@ -292,7 +325,7 @@ func (e *Engine) Start() error {
 	}
 	e.dnsServer = dnsServer

-	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder, initialRoutes)
+	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.config.DNSRouteInterval, e.wgInterface, e.statusRecorder, initialRoutes)
 	beforePeerHook, afterPeerHook, err := e.routeManager.Init()
 	if err != nil {
 		log.Errorf("Failed to initialize route manager: %s", err)
@@ -344,20 +377,8 @@ func (e *Engine) Start() error {
 	e.receiveManagementEvents()
 	e.receiveProbeEvents()

-	if e.config.NetworkMonitor {
-		// starting network monitor at the very last to avoid disruptions
-		go e.networkWatcher.Start(e.ctx, func() {
-			log.Infof("Network monitor detected network change, restarting engine")
-			if err := e.Stop(); err != nil {
-				log.Errorf("Failed to stop engine: %v", err)
-			}
-			if err := e.Start(); err != nil {
-				log.Errorf("Failed to start engine: %v", err)
-			}
-		})
-	} else {
-		log.Infof("Network monitor is disabled, not starting")
-	}
+	// starting network monitor at the very last to avoid disruptions
+	e.startNetworkMonitor()

 	return nil
 }
@@ -453,83 +474,49 @@ func (e *Engine) removePeer(peerKey string) error {
 	conn, exists := e.peerConns[peerKey]
 	if exists {
 		delete(e.peerConns, peerKey)
-		err := conn.Close()
-		if err != nil {
-			switch err.(type) {
-			case *peer.ConnectionAlreadyClosedError:
-				return nil
-			default:
-				return err
-			}
-		}
+		conn.Close()
 	}
 	return nil
 }

-func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client) error {
-	err := s.Send(&sProto.Message{
-		Key:       myKey.PublicKey().String(),
-		RemoteKey: remoteKey.String(),
-		Body: &sProto.Body{
-			Type:    sProto.Body_CANDIDATE,
-			Payload: candidate.Marshal(),
-		},
-	})
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func sendSignal(message *sProto.Message, s signal.Client) error {
-	return s.Send(message)
-}
-
-// SignalOfferAnswer signals either an offer or an answer to remote peer
-func SignalOfferAnswer(offerAnswer peer.OfferAnswer, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client,
-	isAnswer bool) error {
-	var t sProto.Body_Type
-	if isAnswer {
-		t = sProto.Body_ANSWER
-	} else {
-		t = sProto.Body_OFFER
-	}
-
-	msg, err := signal.MarshalCredential(myKey, offerAnswer.WgListenPort, remoteKey, &signal.Credential{
-		UFrag: offerAnswer.IceCredentials.UFrag,
-		Pwd:   offerAnswer.IceCredentials.Pwd,
-	}, t, offerAnswer.RosenpassPubKey, offerAnswer.RosenpassAddr)
-	if err != nil {
-		return err
-	}
-
-	err = s.Send(msg)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
 func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

 	if update.GetWiretrusteeConfig() != nil {
-		err := e.updateTURNs(update.GetWiretrusteeConfig().GetTurns())
+		wCfg := update.GetWiretrusteeConfig()
+		err := e.updateTURNs(wCfg.GetTurns())
 		if err != nil {
 			return err
 		}

-		err = e.updateSTUNs(update.GetWiretrusteeConfig().GetStuns())
+		err = e.updateSTUNs(wCfg.GetStuns())
 		if err != nil {
 			return err
 		}

+		var stunTurn []*stun.URI
+		stunTurn = append(stunTurn, e.STUNs...)
+		stunTurn = append(stunTurn, e.TURNs...)
+		e.StunTurn.Store(stunTurn)
+
+		relayMsg := wCfg.GetRelay()
+		if relayMsg != nil {
+			c := &auth.Token{
+				Payload:   relayMsg.GetTokenPayload(),
+				Signature: relayMsg.GetTokenSignature(),
+			}
+			e.relayManager.UpdateToken(c)
+		}
+
+		// todo update relay address in the relay manager
 		// todo update signal
 	}

+	if err := e.updateChecksIfNew(update.Checks); err != nil {
+		return err
+	}
+
 	if update.GetNetworkMap() != nil {
 		// only apply new changes and ignore old ones
 		err := e.updateNetworkMap(update.GetNetworkMap())
@@ -537,7 +524,27 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 			return err
 		}
 	}
+	return nil
+}

+// updateChecksIfNew updates checks if there are changes and sync new meta with management
+func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
+	// if checks are equal, we skip the update
+	if isChecksEqual(e.checks, checks) {
+		return nil
+	}
+	e.checks = checks
+
+	info, err := system.GetInfoWithChecks(e.ctx, checks)
+	if err != nil {
+		log.Warnf("failed to get system info with checks: %v", err)
+		info = system.GetInfo(e.ctx)
+	}
+
+	if err := e.mgmClient.SyncMeta(info); err != nil {
+		log.Errorf("could not sync meta: error %s", err)
+		return err
+	}
 	return nil
 }

@@ -553,8 +560,8 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 	} else {

 		if sshConf.GetSshEnabled() {
-			if runtime.GOOS == "windows" {
-				log.Warnf("running SSH server on Windows is not supported")
+			if runtime.GOOS == "windows" || runtime.GOOS == "freebsd" {
+				log.Warnf("running SSH server on %s is not supported", runtime.GOOS)
 				return nil
 			}
 			// start SSH server if it wasn't running
@@ -627,7 +634,14 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 // E.g. when a new peer has been registered and we are allowed to connect to it.
 func (e *Engine) receiveManagementEvents() {
 	go func() {
-		err := e.mgmClient.Sync(e.ctx, e.handleSync)
+		info, err := system.GetInfoWithChecks(e.ctx, e.checks)
+		if err != nil {
+			log.Warnf("failed to get system info with checks: %v", err)
+			info = system.GetInfo(e.ctx)
+		}
+
+		// err = e.mgmClient.Sync(info, e.handleSync)
+		err = e.mgmClient.Sync(e.ctx, info, e.handleSync)
 		if err != nil {
 			// happens if management is unavailable for a long time.
 			// We want to cancel the operation of the whole client
@@ -694,6 +708,20 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		return nil
 	}

+	protoRoutes := networkMap.GetRoutes()
+	if protoRoutes == nil {
+		protoRoutes = []*mgmProto.Route{}
+	}
+
+	_, clientRoutes, err := e.routeManager.UpdateRoutes(serial, toRoutes(protoRoutes))
+	if err != nil {
+		log.Errorf("failed to update clientRoutes, err: %v", err)
+	}
+
+	e.clientRoutesMu.Lock()
+	e.clientRoutes = clientRoutes
+	e.clientRoutesMu.Unlock()
+
 	log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(networkMap.GetRemotePeers()))

 	e.updateOfflinePeers(networkMap.GetOfflinePeers())
@@ -735,17 +763,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 			}
 		}
 	}
-	protoRoutes := networkMap.GetRoutes()
-	if protoRoutes == nil {
-		protoRoutes = []*mgmProto.Route{}
-	}
-
-	_, clientRoutes, err := e.routeManager.UpdateRoutes(serial, toRoutes(protoRoutes))
-	if err != nil {
-		log.Errorf("failed to update clientRoutes, err: %v", err)
-	}
-
-	e.clientRoutes = clientRoutes

 	protoDNSConfig := networkMap.GetDNSConfig()
 	if protoDNSConfig == nil {
@@ -773,15 +790,24 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
 	routes := make([]*route.Route, 0)
 	for _, protoRoute := range protoRoutes {
-		_, prefix, _ := route.ParseNetwork(protoRoute.Network)
+		var prefix netip.Prefix
+		if len(protoRoute.Domains) == 0 {
+			var err error
+			if prefix, err = netip.ParsePrefix(protoRoute.Network); err != nil {
+				log.Errorf("Failed to parse prefix %s: %v", protoRoute.Network, err)
+				continue
+			}
+		}
 		convertedRoute := &route.Route{
 			ID:          route.ID(protoRoute.ID),
 			Network:     prefix,
+			Domains:     domain.FromPunycodeList(protoRoute.Domains),
 			NetID:       route.NetID(protoRoute.NetID),
 			NetworkType: route.NetworkType(protoRoute.NetworkType),
 			Peer:        protoRoute.Peer,
 			Metric:      int(protoRoute.Metric),
 			Masquerade:  protoRoute.Masquerade,
+			KeepRoute:   protoRoute.KeepRoute,
 		}
 		routes = append(routes, convertedRoute)
 	}
@@ -879,61 +905,13 @@ func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
 			log.Warnf("error adding peer %s to status recorder, got error: %v", peerKey, err)
 		}

-		go e.connWorker(conn, peerKey)
+		conn.Open()
 	}
 	return nil
 }

-func (e *Engine) connWorker(conn *peer.Conn, peerKey string) {
-	for {
-
-		// randomize starting time a bit
-		min := 500
-		max := 2000
-		time.Sleep(time.Duration(rand.Intn(max-min)+min) * time.Millisecond)
-
-		// if peer has been removed -> give up
-		if !e.peerExists(peerKey) {
-			log.Debugf("peer %s doesn't exist anymore, won't retry connection", peerKey)
-			return
-		}
-
-		if !e.signal.Ready() {
-			log.Infof("signal client isn't ready, skipping connection attempt %s", peerKey)
-			continue
-		}
-
-		// we might have received new STUN and TURN servers meanwhile, so update them
-		e.syncMsgMux.Lock()
-		conn.UpdateStunTurn(append(e.STUNs, e.TURNs...))
-		e.syncMsgMux.Unlock()
-
-		err := conn.Open(e.ctx)
-		if err != nil {
-			log.Debugf("connection to peer %s failed: %v", peerKey, err)
-			var connectionClosedError *peer.ConnectionClosedError
-			switch {
-			case errors.As(err, &connectionClosedError):
-				// conn has been forced to close, so we exit the loop
-				return
-			default:
-			}
-		}
-	}
-}
-
-func (e *Engine) peerExists(peerKey string) bool {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-	_, ok := e.peerConns[peerKey]
-	return ok
-}
-
 func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, error) {
 	log.Debugf("creating peer connection %s", pubKey)
-	var stunTurn []*stun.URI
-	stunTurn = append(stunTurn, e.STUNs...)
-	stunTurn = append(stunTurn, e.TURNs...)

 	wgConfig := peer.WgConfig{
 		RemoteKey:    pubKey,
@@ -966,53 +944,29 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 	// randomize connection timeout
 	timeout := time.Duration(rand.Intn(PeerConnectionTimeoutMax-PeerConnectionTimeoutMin)+PeerConnectionTimeoutMin) * time.Millisecond
 	config := peer.ConnConfig{
-		Key:                  pubKey,
-		LocalKey:             e.config.WgPrivateKey.PublicKey().String(),
-		StunTurn:             stunTurn,
-		InterfaceBlackList:   e.config.IFaceBlackList,
-		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
-		Timeout:              timeout,
-		UDPMux:               e.udpMux.UDPMuxDefault,
-		UDPMuxSrflx:          e.udpMux,
-		WgConfig:             wgConfig,
-		LocalWgPort:          e.config.WgPort,
-		NATExternalIPs:       e.parseNATExternalIPMappings(),
-		UserspaceBind:        e.wgInterface.IsUserspaceBind(),
-		RosenpassPubKey:      e.getRosenpassPubKey(),
-		RosenpassAddr:        e.getRosenpassAddr(),
+		Key:             pubKey,
+		LocalKey:        e.config.WgPrivateKey.PublicKey().String(),
+		Timeout:         timeout,
+		WgConfig:        wgConfig,
+		LocalWgPort:     e.config.WgPort,
+		RosenpassPubKey: e.getRosenpassPubKey(),
+		RosenpassAddr:   e.getRosenpassAddr(),
+		ICEConfig: peer.ICEConfig{
+			StunTurn:             e.StunTurn,
+			InterfaceBlackList:   e.config.IFaceBlackList,
+			DisableIPv6Discovery: e.config.DisableIPv6Discovery,
+			UDPMux:               e.udpMux.UDPMuxDefault,
+			UDPMuxSrflx:          e.udpMux,
+			NATExternalIPs:       e.parseNATExternalIPMappings(),
+		},
 	}

-	peerConn, err := peer.NewConn(config, e.statusRecorder, e.wgProxyFactory, e.mobileDep.TunAdapter, e.mobileDep.IFaceDiscover)
+	peerConn, err := peer.NewConn(e.ctx, config, e.statusRecorder, e.wgProxyFactory, e.signaler, e.mobileDep.IFaceDiscover, e.relayManager)
 	if err != nil {
 		return nil, err
 	}

-	wgPubKey, err := wgtypes.ParseKey(pubKey)
-	if err != nil {
-		return nil, err
-	}
-
-	signalOffer := func(offerAnswer peer.OfferAnswer) error {
-		return SignalOfferAnswer(offerAnswer, e.config.WgPrivateKey, wgPubKey, e.signal, false)
-	}
-
-	signalCandidate := func(candidate ice.Candidate) error {
-		return signalCandidate(candidate, e.config.WgPrivateKey, wgPubKey, e.signal)
-	}
-
-	signalAnswer := func(offerAnswer peer.OfferAnswer) error {
-		return SignalOfferAnswer(offerAnswer, e.config.WgPrivateKey, wgPubKey, e.signal, true)
-	}
-
-	peerConn.SetSignalCandidate(signalCandidate)
-	peerConn.SetSignalOffer(signalOffer)
-	peerConn.SetSignalAnswer(signalAnswer)
-	peerConn.SetSendSignalMessage(func(message *sProto.Message) error {
-		return sendSignal(message, e.signal)
-	})
-
 	if e.rpManager != nil {
-
 		peerConn.SetOnConnected(e.rpManager.OnConnected)
 		peerConn.SetOnDisconnected(e.rpManager.OnDisconnected)
 	}
@@ -1040,8 +994,6 @@ func (e *Engine) receiveSignalEvents() {
 					return err
 				}

-				conn.RegisterProtoSupportMeta(msg.Body.GetFeaturesSupported())
-
 				var rosenpassPubKey []byte
 				rosenpassAddr := ""
 				if msg.GetBody().GetRosenpassConfig() != nil {
@@ -1057,6 +1009,7 @@ func (e *Engine) receiveSignalEvents() {
 					Version:         msg.GetBody().GetNetBirdVersion(),
 					RosenpassPubKey: rosenpassPubKey,
 					RosenpassAddr:   rosenpassAddr,
+					RelaySrvAddress: msg.GetBody().GetRelayServerAddress(),
 				})
 			case sProto.Body_ANSWER:
 				remoteCred, err := signal.UnMarshalCredential(msg)
@@ -1064,8 +1017,6 @@ func (e *Engine) receiveSignalEvents() {
 					return err
 				}

-				conn.RegisterProtoSupportMeta(msg.GetBody().GetFeaturesSupported())
-
 				var rosenpassPubKey []byte
 				rosenpassAddr := ""
 				if msg.GetBody().GetRosenpassConfig() != nil {
@@ -1081,6 +1032,7 @@ func (e *Engine) receiveSignalEvents() {
 					Version:         msg.GetBody().GetNetBirdVersion(),
 					RosenpassPubKey: rosenpassPubKey,
 					RosenpassAddr:   rosenpassAddr,
+					RelaySrvAddress: msg.GetBody().GetRelayServerAddress(),
 				})
 			case sProto.Body_CANDIDATE:
 				candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
@@ -1088,7 +1040,8 @@ func (e *Engine) receiveSignalEvents() {
 					log.Errorf("failed on parsing remote candidate %s -> %s", candidate, err)
 					return err
 				}
-				conn.OnRemoteCandidate(candidate)
+
+				go conn.OnRemoteCandidate(candidate, e.GetClientRoutes())
 			case sProto.Body_MODE:
 			}

@@ -1202,7 +1155,8 @@ func (e *Engine) close() {
 }

 func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, error) {
-	netMap, err := e.mgmClient.GetNetworkMap()
+	info := system.GetInfo(e.ctx)
+	netMap, err := e.mgmClient.GetNetworkMap(info)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -1231,7 +1185,7 @@ func (e *Engine) newWgIface() (*iface.WGIface, error) {
 	default:
 	}

-	return iface.NewWGIFace(e.config.WgIfaceName, e.config.WgAddr, e.config.WgPort, e.config.WgPrivateKey.String(), iface.DefaultMTU, transportNet, mArgs)
+	return iface.NewWGIFace(e.config.WgIfaceName, e.config.WgAddr, e.config.WgPort, e.config.WgPrivateKey.String(), iface.DefaultMTU, transportNet, mArgs, e.addrViaRoutes)
 }

 func (e *Engine) wgInterfaceCreate() (err error) {
@@ -1282,11 +1236,17 @@ func (e *Engine) newDnsServer() ([]*route.Route, dns.Server, error) {

 // GetClientRoutes returns the current routes from the route map
 func (e *Engine) GetClientRoutes() route.HAMap {
-	return e.clientRoutes
+	e.clientRoutesMu.RLock()
+	defer e.clientRoutesMu.RUnlock()
+
+	return maps.Clone(e.clientRoutes)
 }

 // GetClientRoutesWithNetID returns the current routes from the route map, but the keys consist of the network ID only
 func (e *Engine) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
+	e.clientRoutesMu.RLock()
+	defer e.clientRoutesMu.RUnlock()
+
 	routes := make(map[route.NetID][]*route.Route, len(e.clientRoutes))
 	for id, v := range e.clientRoutes {
 		routes[id.NetID()] = v
@@ -1377,7 +1337,7 @@ func (e *Engine) receiveProbeEvents() {

 			for _, peer := range e.peerConns {
 				key := peer.GetKey()
-				wgStats, err := peer.GetConf().WgConfig.WgInterface.GetStats(key)
+				wgStats, err := peer.WgConfig().WgInterface.GetStats(key)
 				if err != nil {
 					log.Debugf("failed to get wg stats for peer %s: %s", key, err)
 				}
@@ -1399,3 +1359,72 @@ func (e *Engine) probeSTUNs() []relay.ProbeResult {
 func (e *Engine) probeTURNs() []relay.ProbeResult {
 	return relay.ProbeAll(e.ctx, relay.ProbeTURN, e.TURNs)
 }
+
+func (e *Engine) restartEngine() {
+	if err := e.Stop(); err != nil {
+		log.Errorf("Failed to stop engine: %v", err)
+	}
+	if err := e.Start(); err != nil {
+		log.Errorf("Failed to start engine: %v", err)
+	}
+}
+
+func (e *Engine) startNetworkMonitor() {
+	if !e.config.NetworkMonitor {
+		log.Infof("Network monitor is disabled, not starting")
+		return
+	}
+
+	e.networkMonitor = networkmonitor.New()
+	go func() {
+		var mu sync.Mutex
+		var debounceTimer *time.Timer
+
+		// Start the network monitor with a callback, Start will block until the monitor is stopped,
+		// a network change is detected, or an error occurs on start up
+		err := e.networkMonitor.Start(e.ctx, func() {
+			// This function is called when a network change is detected
+			mu.Lock()
+			defer mu.Unlock()
+
+			if debounceTimer != nil {
+				debounceTimer.Stop()
+			}
+
+			// Set a new timer to debounce rapid network changes
+			debounceTimer = time.AfterFunc(1*time.Second, func() {
+				// This function is called after the debounce period
+				mu.Lock()
+				defer mu.Unlock()
+
+				log.Infof("Network monitor detected network change, restarting engine")
+				e.restartEngine()
+			})
+		})
+		if err != nil && !errors.Is(err, networkmonitor.ErrStopped) {
+			log.Errorf("Network monitor: %v", err)
+		}
+	}()
+}
+
+func (e *Engine) addrViaRoutes(addr netip.Addr) (bool, netip.Prefix, error) {
+	var vpnRoutes []netip.Prefix
+	for _, routes := range e.GetClientRoutes() {
+		if len(routes) > 0 && routes[0] != nil {
+			vpnRoutes = append(vpnRoutes, routes[0].Network)
+		}
+	}
+
+	if isVpn, prefix := systemops.IsAddrRouted(addr, vpnRoutes); isVpn {
+		return true, prefix, nil
+	}
+
+	return false, netip.Prefix{}, nil
+}
+
+// isChecksEqual checks if two slices of checks are equal.
+func isChecksEqual(checks []*mgmProto.Checks, oChecks []*mgmProto.Checks) bool {
+	return slices.EqualFunc(checks, oChecks, func(checks, oChecks *mgmProto.Checks) bool {
+		return slices.Equal(checks.Files, oChecks.Files)
+	})
+}
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -17,6 +17,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/otel"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/keepalive"
@@ -35,6 +36,7 @@ import (
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
+	relayClient "github.com/netbirdio/netbird/relay/client"
 	"github.com/netbirdio/netbird/route"
 	signal "github.com/netbirdio/netbird/signal/client"
 	"github.com/netbirdio/netbird/signal/proto"
@@ -56,10 +58,16 @@ var (
 	}
 )

-func TestEngine_SSH(t *testing.T) {
+func TestMain(m *testing.M) {
+	_ = util.InitLog("debug", "console")
+	code := m.Run()
+	os.Exit(code)
+}

-	if runtime.GOOS == "windows" {
-		t.Skip("skipping TestEngine_SSH on Windows")
+func TestEngine_SSH(t *testing.T) {
+	// todo resolve test execution on freebsd
+	if runtime.GOOS == "windows" || runtime.GOOS == "freebsd" {
+		t.Skip("skipping TestEngine_SSH")
 	}

 	key, err := wgtypes.GeneratePrivateKey()
@@ -71,13 +79,23 @@ func TestEngine_SSH(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

-	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
-		WgIfaceName:      "utun101",
-		WgAddr:           "100.64.0.1/24",
-		WgPrivateKey:     key,
-		WgPort:           33100,
-		ServerSSHAllowed: true,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+	relayMgr := relayClient.NewManager(ctx, "", key.PublicKey().String())
+	engine := NewEngine(
+		ctx, cancel,
+		&signal.MockClient{},
+		&mgmt.MockClient{},
+		relayMgr,
+		&EngineConfig{
+			WgIfaceName:      "utun101",
+			WgAddr:           "100.64.0.1/24",
+			WgPrivateKey:     key,
+			WgPort:           33100,
+			ServerSSHAllowed: true,
+		},
+		MobileDependency{},
+		peer.NewRecorder("https://mgm"),
+		nil,
+	)

 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
@@ -173,7 +191,7 @@ func TestEngine_SSH(t *testing.T) {
 		t.Fatal(err)
 	}

-	//time.Sleep(250 * time.Millisecond)
+	// time.Sleep(250 * time.Millisecond)
 	assert.NotNil(t, engine.sshServer)
 	assert.Contains(t, sshPeersRemoved, "MNHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=")

@@ -206,21 +224,29 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

-	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
-		WgIfaceName:  "utun102",
-		WgAddr:       "100.64.0.1/24",
-		WgPrivateKey: key,
-		WgPort:       33100,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"))
-	newNet, err := stdnet.NewNet()
-	if err != nil {
-		t.Fatal(err)
+	relayMgr := relayClient.NewManager(ctx, "", key.PublicKey().String())
+	engine := NewEngine(
+		ctx, cancel,
+		&signal.MockClient{},
+		&mgmt.MockClient{},
+		relayMgr,
+		&EngineConfig{
+			WgIfaceName:  "utun102",
+			WgAddr:       "100.64.0.1/24",
+			WgPrivateKey: key,
+			WgPort:       33100,
+		},
+		MobileDependency{},
+		peer.NewRecorder("https://mgm"),
+		nil)
+
+	wgIface := &iface.MockWGIface{
+		RemovePeerFunc: func(peerKey string) error {
+			return nil
+		},
 	}
-	engine.wgInterface, err = iface.NewWGIFace("utun102", "100.64.0.1/24", engine.config.WgPort, key.String(), iface.DefaultMTU, newNet, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), engine.wgInterface, engine.statusRecorder, nil)
+	engine.wgInterface = wgIface
+	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), time.Minute, engine.wgInterface, engine.statusRecorder, nil)
 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
 	}
@@ -229,6 +255,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		t.Fatal(err)
 	}
 	engine.udpMux = bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: conn})
+	engine.ctx = ctx

 	type testCase struct {
 		name       string
@@ -392,7 +419,7 @@ func TestEngine_Sync(t *testing.T) {
 	// feed updates to Engine via mocked Management client
 	updates := make(chan *mgmtProto.SyncResponse)
 	defer close(updates)
-	syncFunc := func(ctx context.Context, msgHandler func(msg *mgmtProto.SyncResponse) error) error {
+	syncFunc := func(ctx context.Context, info *system.Info, msgHandler func(msg *mgmtProto.SyncResponse) error) error {
 		for msg := range updates {
 			err := msgHandler(msg)
 			if err != nil {
@@ -401,13 +428,14 @@ func TestEngine_Sync(t *testing.T) {
 		}
 		return nil
 	}
-
-	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{SyncFunc: syncFunc}, &EngineConfig{
+	relayMgr := relayClient.NewManager(ctx, "", key.PublicKey().String())
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{SyncFunc: syncFunc}, relayMgr, &EngineConfig{
 		WgIfaceName:  "utun103",
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
+	engine.ctx = ctx

 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
@@ -560,17 +588,19 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
 			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)

-			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
+			relayMgr := relayClient.NewManager(ctx, "", key.PublicKey().String())
+			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
-			}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
+			engine.ctx = ctx
 			newNet, err := stdnet.NewNet()
 			if err != nil {
 				t.Fatal(err)
 			}
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, engine.config.WgPort, key.String(), iface.DefaultMTU, newNet, nil)
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, engine.config.WgPort, key.String(), iface.DefaultMTU, newNet, nil, nil)
 			assert.NoError(t, err, "shouldn't return error")
 			input := struct {
 				inputSerial uint64
@@ -729,17 +759,20 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
 			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)

-			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
+			relayMgr := relayClient.NewManager(ctx, "", key.PublicKey().String())
+			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
-			}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
+			engine.ctx = ctx
+
 			newNet, err := stdnet.NewNet()
 			if err != nil {
 				t.Fatal(err)
 			}
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, 33100, key.String(), iface.DefaultMTU, newNet, nil)
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, 33100, key.String(), iface.DefaultMTU, newNet, nil, nil)
 			assert.NoError(t, err, "shouldn't return error")

 			mockRouteManager := &routemanager.MockManager{
@@ -805,13 +838,13 @@ func TestEngine_MultiplePeers(t *testing.T) {
 	ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
 	defer cancel()

-	sigServer, signalAddr, err := startSignal()
+	sigServer, signalAddr, err := startSignal(t)
 	if err != nil {
 		t.Fatal(err)
 		return
 	}
 	defer sigServer.Stop()
-	mgmtServer, mgmtAddr, err := startManagement(dir)
+	mgmtServer, mgmtAddr, err := startManagement(t, dir)
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -1003,10 +1036,15 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		WgPort:       wgPort,
 	}

-	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf, MobileDependency{}, peer.NewRecorder("https://mgm")), nil
+	relayMgr := relayClient.NewManager(ctx, "", key.PublicKey().String())
+	e, err := NewEngine(ctx, cancel, signalClient, mgmtClient, relayMgr, conf, MobileDependency{}, peer.NewRecorder("https://mgm"), nil), nil
+	e.ctx = ctx
+	return e, err
 }

-func startSignal() (*grpc.Server, string, error) {
+func startSignal(t *testing.T) (*grpc.Server, string, error) {
+	t.Helper()
+
 	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))

 	lis, err := net.Listen("tcp", "localhost:0")
@@ -1014,7 +1052,9 @@ func startSignal() (*grpc.Server, string, error) {
 		log.Fatalf("failed to listen: %v", err)
 	}

-	proto.RegisterSignalExchangeServer(s, signalServer.NewServer())
+	srv, err := signalServer.NewServer(otel.Meter(""))
+	require.NoError(t, err)
+	proto.RegisterSignalExchangeServer(s, srv)

 	go func() {
 		if err = s.Serve(lis); err != nil {
@@ -1025,7 +1065,9 @@ func startSignal() (*grpc.Server, string, error) {
 	return s, lis.Addr().String(), nil
 }

-func startManagement(dataDir string) (*grpc.Server, string, error) {
+func startManagement(t *testing.T, dataDir string) (*grpc.Server, string, error) {
+	t.Helper()
+
 	config := &server.Config{
 		Stuns:      []*server.Host{},
 		TURNConfig: &server.TURNConfig{},
@@ -1042,23 +1084,25 @@ func startManagement(dataDir string) (*grpc.Server, string, error) {
 		return nil, "", err
 	}
 	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
-	store, err := server.NewStoreFromJson(config.Datadir, nil)
+
+	store, cleanUp, err := server.NewTestStoreFromJson(context.Background(), config.Datadir)
 	if err != nil {
 		return nil, "", err
 	}
+	t.Cleanup(cleanUp)

 	peersUpdateManager := server.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, "", err
 	}
-	ia, _ := integrations.NewIntegratedValidator(eventStore)
-	accountManager, err := server.BuildManager(store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia)
+	ia, _ := integrations.NewIntegratedValidator(context.Background(), eventStore)
+	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia)
 	if err != nil {
 		return nil, "", err
 	}
-	turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
-	mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager, nil, nil)
+	turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, "")
+	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, peersUpdateManager, turnManager, nil, nil)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/internal/networkmonitor/monitor.go
+++ b/client/internal/networkmonitor/monitor.go
@@ -2,14 +2,20 @@ package networkmonitor

 import (
 	"context"
+	"errors"
+	"sync"
 )

-// NetworkWatcher watches for changes in network configuration.
-type NetworkWatcher struct {
+var ErrStopped = errors.New("monitor has been stopped")
+
+// NetworkMonitor watches for changes in network configuration.
+type NetworkMonitor struct {
 	cancel context.CancelFunc
+	wg     sync.WaitGroup
+	mu     sync.Mutex
 }

 // New creates a new network monitor.
-func New() *NetworkWatcher {
-	return &NetworkWatcher{}
+func New() *NetworkMonitor {
+	return &NetworkMonitor{}
 }
--- a/client/internal/networkmonitor/monitor_bsd.go
+++ b/client/internal/networkmonitor/monitor_bsd.go
@@ -5,8 +5,6 @@ package networkmonitor
 import (
 	"context"
 	"fmt"
-	"net"
-	"net/netip"
 	"syscall"
 	"unsafe"

@@ -14,10 +12,10 @@ import (
 	"golang.org/x/net/route"
 	"golang.org/x/sys/unix"

-	"github.com/netbirdio/netbird/client/internal/routemanager"
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )

-func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interface, nexthopv6 netip.Addr, intfv6 *net.Interface, callback func()) error {
+func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop, callback func()) error {
 	fd, err := unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
 	if err != nil {
 		return fmt.Errorf("failed to open routing socket: %v", err)
@@ -31,7 +29,7 @@ func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interfac
 	for {
 		select {
 		case <-ctx.Done():
-			return ctx.Err()
+			return ErrStopped
 		default:
 			buf := make([]byte, 2048)
 			n, err := unix.Read(fd, buf)
@@ -47,24 +45,6 @@ func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interfac
 			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))

 			switch msg.Type {
-
-			// handle interface state changes
-			case unix.RTM_IFINFO:
-				ifinfo, err := parseInterfaceMessage(buf[:n])
-				if err != nil {
-					log.Errorf("Network monitor: error parsing interface message: %v", err)
-					continue
-				}
-				if msg.Flags&unix.IFF_UP != 0 {
-					continue
-				}
-				if (intfv4 == nil || ifinfo.Index != intfv4.Index) && (intfv6 == nil || ifinfo.Index != intfv6.Index) {
-					continue
-				}
-
-				log.Infof("Network monitor: monitored interface (%s) is down.", ifinfo.Name)
-				callback()
-
 			// handle route changes
 			case unix.RTM_ADD, syscall.RTM_DELETE:
 				route, err := parseRouteMessage(buf[:n])
@@ -84,11 +64,11 @@ func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interfac
 				switch msg.Type {
 				case unix.RTM_ADD:
 					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
-					callback()
+					go callback()
 				case unix.RTM_DELETE:
-					if intfv4 != nil && route.Gw.Compare(nexthopv4) == 0 || intfv6 != nil && route.Gw.Compare(nexthopv6) == 0 {
+					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
 						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
-						callback()
+						go callback()
 					}
 				}
 			}
@@ -96,25 +76,7 @@ func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interfac
 	}
 }

-func parseInterfaceMessage(buf []byte) (*route.InterfaceMessage, error) {
-	msgs, err := route.ParseRIB(route.RIBTypeInterface, buf)
-	if err != nil {
-		return nil, fmt.Errorf("parse RIB: %v", err)
-	}
-
-	if len(msgs) != 1 {
-		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
-	}
-
-	msg, ok := msgs[0].(*route.InterfaceMessage)
-	if !ok {
-		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
-	}
-
-	return msg, nil
-}
-
-func parseRouteMessage(buf []byte) (*routemanager.Route, error) {
+func parseRouteMessage(buf []byte) (*systemops.Route, error) {
 	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
 	if err != nil {
 		return nil, fmt.Errorf("parse RIB: %v", err)
@@ -129,5 +91,5 @@ func parseRouteMessage(buf []byte) (*routemanager.Route, error) {
 		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
 	}

-	return routemanager.MsgToRoute(msg)
+	return systemops.MsgToRoute(msg)
 }
--- a/client/internal/networkmonitor/monitor_generic.go
+++ b/client/internal/networkmonitor/monitor_generic.go
@@ -5,48 +5,45 @@ package networkmonitor
 import (
 	"context"
 	"errors"
-	"net"
+	"fmt"
 	"net/netip"
 	"runtime/debug"

 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/netbird/client/internal/routemanager"
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )

-// Start begins watching for network changes and calls the callback function and stops when a change is detected.
-func (nw *NetworkWatcher) Start(ctx context.Context, callback func()) {
-	if nw.cancel != nil {
-		log.Warn("Network monitor: already running, stopping previous watcher")
-		nw.Stop()
-	}
-
+// Start begins monitoring network changes. When a change is detected, it calls the callback asynchronously and returns.
+func (nw *NetworkMonitor) Start(ctx context.Context, callback func()) (err error) {
 	if ctx.Err() != nil {
-		log.Info("Network monitor: not starting, context is already cancelled")
-		return
+		return ctx.Err()
 	}

+	nw.mu.Lock()
 	ctx, nw.cancel = context.WithCancel(ctx)
-	defer nw.Stop()
+	nw.mu.Unlock()

-	var nexthop4, nexthop6 netip.Addr
-	var intf4, intf6 *net.Interface
+	nw.wg.Add(1)
+	defer nw.wg.Done()
+
+	var nexthop4, nexthop6 systemops.Nexthop

 	operation := func() error {
 		var errv4, errv6 error
-		nexthop4, intf4, errv4 = routemanager.GetNextHop(netip.IPv4Unspecified())
-		nexthop6, intf6, errv6 = routemanager.GetNextHop(netip.IPv6Unspecified())
+		nexthop4, errv4 = systemops.GetNextHop(netip.IPv4Unspecified())
+		nexthop6, errv6 = systemops.GetNextHop(netip.IPv6Unspecified())

 		if errv4 != nil && errv6 != nil {
 			return errors.New("failed to get default next hops")
 		}

 		if errv4 == nil {
-			log.Debugf("Network monitor: IPv4 default route: %s, interface: %s", nexthop4, intf4.Name)
+			log.Debugf("Network monitor: IPv4 default route: %s, interface: %s", nexthop4.IP, nexthop4.Intf.Name)
 		}
 		if errv6 == nil {
-			log.Debugf("Network monitor: IPv6 default route: %s, interface: %s", nexthop6, intf6.Name)
+			log.Debugf("Network monitor: IPv6 default route: %s, interface: %s", nexthop6.IP, nexthop6.Intf.Name)
 		}

 		// continue if either route was found
@@ -56,27 +53,30 @@ func (nw *NetworkWatcher) Start(ctx context.Context, callback func()) {
 	expBackOff := backoff.WithContext(backoff.NewExponentialBackOff(), ctx)

 	if err := backoff.Retry(operation, expBackOff); err != nil {
-		log.Errorf("Network monitor: failed to get default next hops: %v", err)
-		return
+		return fmt.Errorf("failed to get default next hops: %w", err)
 	}

 	// recover in case sys ops panic
 	defer func() {
 		if r := recover(); r != nil {
-			log.Errorf("Network monitor: panic occurred: %v, stack trace: %s", r, string(debug.Stack()))
+			err = fmt.Errorf("panic occurred: %v, stack trace: %s", r, string(debug.Stack()))
 		}
 	}()

-	if err := checkChange(ctx, nexthop4, intf4, nexthop6, intf6, callback); err != nil && !errors.Is(err, context.Canceled) {
-		log.Errorf("Network monitor: failed to start: %v", err)
+	if err := checkChange(ctx, nexthop4, nexthop6, callback); err != nil {
+		return fmt.Errorf("check change: %w", err)
 	}
+
+	return nil
 }

 // Stop stops the network monitor.
-func (nw *NetworkWatcher) Stop() {
+func (nw *NetworkMonitor) Stop() {
+	nw.mu.Lock()
+	defer nw.mu.Unlock()
+
 	if nw.cancel != nil {
 		nw.cancel()
-		nw.cancel = nil
-		log.Info("Network monitor: stopped")
+		nw.wg.Wait()
 	}
 }
--- a/client/internal/networkmonitor/monitor_linux.go
+++ b/client/internal/networkmonitor/monitor_linux.go
@@ -6,27 +6,22 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net"
-	"net/netip"
 	"syscall"

 	log "github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )

-func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interface, nexthop6 netip.Addr, intfv6 *net.Interface, callback func()) error {
-	if intfv4 == nil && intfv6 == nil {
+func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop, callback func()) error {
+	if nexthopv4.Intf == nil && nexthopv6.Intf == nil {
 		return errors.New("no interfaces available")
 	}

-	linkChan := make(chan netlink.LinkUpdate)
 	done := make(chan struct{})
 	defer close(done)

-	if err := netlink.LinkSubscribe(linkChan, done); err != nil {
-		return fmt.Errorf("subscribe to link updates: %v", err)
-	}
-
 	routeChan := make(chan netlink.RouteUpdate)
 	if err := netlink.RouteSubscribe(routeChan, done); err != nil {
 		return fmt.Errorf("subscribe to route updates: %v", err)
@@ -36,26 +31,7 @@ func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interfac
 	for {
 		select {
 		case <-ctx.Done():
-			return ctx.Err()
-
-		// handle interface state changes
-		case update := <-linkChan:
-			if (intfv4 == nil || update.Index != int32(intfv4.Index)) && (intfv6 == nil || update.Index != int32(intfv6.Index)) {
-				continue
-			}
-
-			switch update.Header.Type {
-			case syscall.RTM_DELLINK:
-				log.Infof("Network monitor: monitored interface (%s) is gone", update.Link.Attrs().Name)
-				callback()
-				return nil
-			case syscall.RTM_NEWLINK:
-				if (update.IfInfomsg.Flags&syscall.IFF_RUNNING) == 0 && update.Link.Attrs().OperState == netlink.OperDown {
-					log.Infof("Network monitor: monitored interface (%s) is down.", update.Link.Attrs().Name)
-					callback()
-					return nil
-				}
-			}
+			return ErrStopped

 		// handle route changes
 		case route := <-routeChan:
@@ -67,12 +43,12 @@ func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interfac
 			// triggered on added/replaced routes
 			case syscall.RTM_NEWROUTE:
 				log.Infof("Network monitor: default route changed: via %s, interface %d", route.Gw, route.LinkIndex)
-				callback()
+				go callback()
 				return nil
 			case syscall.RTM_DELROUTE:
-				if intfv4 != nil && route.Gw.Equal(nexthopv4.AsSlice()) || intfv6 != nil && route.Gw.Equal(nexthop6.AsSlice()) {
+				if nexthopv4.Intf != nil && route.Gw.Equal(nexthopv4.IP.AsSlice()) || nexthopv6.Intf != nil && route.Gw.Equal(nexthopv6.IP.AsSlice()) {
 					log.Infof("Network monitor: default route removed: via %s, interface %d", route.Gw, route.LinkIndex)
-					callback()
+					go callback()
 					return nil
 				}
 			}
--- a/client/internal/networkmonitor/monitor_mobile.go
+++ b/client/internal/networkmonitor/monitor_mobile.go
@@ -4,8 +4,9 @@ package networkmonitor

 import "context"

-func (nw *NetworkWatcher) Start(context.Context, func()) {
+func (nw *NetworkMonitor) Start(context.Context, func()) error {
+	return nil
 }

-func (nw *NetworkWatcher) Stop() {
+func (nw *NetworkMonitor) Stop() {
 }
--- a/client/internal/networkmonitor/monitor_windows.go
+++ b/client/internal/networkmonitor/monitor_windows.go
@@ -5,11 +5,12 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"strings"
 	"time"

 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/netbird/client/internal/routemanager"
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )

 const (
@@ -25,20 +26,16 @@ const (

 const interval = 10 * time.Second

-func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interface, nexthopv6 netip.Addr, intfv6 *net.Interface, callback func()) error {
-	var neighborv4, neighborv6 *routemanager.Neighbor
+func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop, callback func()) error {
+	var neighborv4, neighborv6 *systemops.Neighbor
 	{
 		initialNeighbors, err := getNeighbors()
 		if err != nil {
 			return fmt.Errorf("get neighbors: %w", err)
 		}

-		if n, ok := initialNeighbors[nexthopv4]; ok {
-			neighborv4 = &n
-		}
-		if n, ok := initialNeighbors[nexthopv6]; ok {
-			neighborv6 = &n
-		}
+		neighborv4 = assignNeighbor(nexthopv4, initialNeighbors)
+		neighborv6 = assignNeighbor(nexthopv6, initialNeighbors)
 	}
 	log.Debugf("Network monitor: initial IPv4 neighbor: %v, IPv6 neighbor: %v", neighborv4, neighborv6)

@@ -48,23 +45,31 @@ func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interfac
 	for {
 		select {
 		case <-ctx.Done():
-			return ctx.Err()
+			return ErrStopped
 		case <-ticker.C:
-			if changed(nexthopv4, intfv4, neighborv4, nexthopv6, intfv6, neighborv6) {
-				callback()
+			if changed(nexthopv4, neighborv4, nexthopv6, neighborv6) {
+				go callback()
 				return nil
 			}
 		}
 	}
 }

+func assignNeighbor(nexthop systemops.Nexthop, initialNeighbors map[netip.Addr]systemops.Neighbor) *systemops.Neighbor {
+	if n, ok := initialNeighbors[nexthop.IP]; ok &&
+		n.State != unreachable &&
+		n.State != incomplete &&
+		n.State != tbd {
+		return &n
+	}
+	return nil
+}
+
 func changed(
-	nexthopv4 netip.Addr,
-	intfv4 *net.Interface,
-	neighborv4 *routemanager.Neighbor,
-	nexthopv6 netip.Addr,
-	intfv6 *net.Interface,
-	neighborv6 *routemanager.Neighbor,
+	nexthopv4 systemops.Nexthop,
+	neighborv4 *systemops.Neighbor,
+	nexthopv6 systemops.Nexthop,
+	neighborv6 *systemops.Neighbor,
 ) bool {
 	neighbors, err := getNeighbors()
 	if err != nil {
@@ -81,7 +86,7 @@ func changed(
 		return false
 	}

-	if routeChanged(nexthopv4, intfv4, routes) || routeChanged(nexthopv6, intfv6, routes) {
+	if routeChanged(nexthopv4, nexthopv4.Intf, routes) || routeChanged(nexthopv6, nexthopv6.Intf, routes) {
 		return true
 	}

@@ -89,44 +94,74 @@ func changed(
 }

 // routeChanged checks if the default routes still point to our nexthop/interface
-func routeChanged(nexthop netip.Addr, intf *net.Interface, routes map[netip.Prefix]routemanager.Route) bool {
-	if !nexthop.IsValid() {
+func routeChanged(nexthop systemops.Nexthop, intf *net.Interface, routes []systemops.Route) bool {
+	if !nexthop.IP.IsValid() {
 		return false
 	}

-	var unspec netip.Prefix
-	if nexthop.Is6() {
-		unspec = netip.PrefixFrom(netip.IPv6Unspecified(), 0)
-	} else {
-		unspec = netip.PrefixFrom(netip.IPv4Unspecified(), 0)
-	}
+	unspec := getUnspecifiedPrefix(nexthop.IP)
+	defaultRoutes, foundMatchingRoute := processRoutes(nexthop, intf, routes, unspec)

-	if r, ok := routes[unspec]; ok {
-		if r.Nexthop != nexthop || compareIntf(r.Interface, intf) != 0 {
-			intf := "<nil>"
-			if r.Interface != nil {
-				intf = r.Interface.Name
-			}
-			log.Infof("network monitor: default route changed: %s via %s (%s)", r.Destination, r.Nexthop, intf)
-			return true
-		}
-	} else {
-		log.Infof("network monitor: default route is gone")
+	log.Tracef("network monitor: all default routes:\n%s", strings.Join(defaultRoutes, "\n"))
+
+	if !foundMatchingRoute {
+		logRouteChange(nexthop.IP, intf)
 		return true
 	}

 	return false
-
 }

-func neighborChanged(nexthop netip.Addr, neighbor *routemanager.Neighbor, neighbors map[netip.Addr]routemanager.Neighbor) bool {
+func getUnspecifiedPrefix(ip netip.Addr) netip.Prefix {
+	if ip.Is6() {
+		return netip.PrefixFrom(netip.IPv6Unspecified(), 0)
+	}
+	return netip.PrefixFrom(netip.IPv4Unspecified(), 0)
+}
+
+func processRoutes(nexthop systemops.Nexthop, intf *net.Interface, routes []systemops.Route, unspec netip.Prefix) ([]string, bool) {
+	var defaultRoutes []string
+	foundMatchingRoute := false
+
+	for _, r := range routes {
+		if r.Destination == unspec {
+			routeInfo := formatRouteInfo(r)
+			defaultRoutes = append(defaultRoutes, routeInfo)
+
+			if r.Nexthop == nexthop.IP && compareIntf(r.Interface, intf) == 0 {
+				foundMatchingRoute = true
+				log.Debugf("network monitor: found matching default route: %s", routeInfo)
+			}
+		}
+	}
+
+	return defaultRoutes, foundMatchingRoute
+}
+
+func formatRouteInfo(r systemops.Route) string {
+	newIntf := "<nil>"
+	if r.Interface != nil {
+		newIntf = r.Interface.Name
+	}
+	return fmt.Sprintf("Nexthop: %s, Interface: %s", r.Nexthop, newIntf)
+}
+
+func logRouteChange(ip netip.Addr, intf *net.Interface) {
+	oldIntf := "<nil>"
+	if intf != nil {
+		oldIntf = intf.Name
+	}
+	log.Infof("network monitor: default route for %s (%s) is gone or changed", ip, oldIntf)
+}
+
+func neighborChanged(nexthop systemops.Nexthop, neighbor *systemops.Neighbor, neighbors map[netip.Addr]systemops.Neighbor) bool {
 	if neighbor == nil {
 		return false
 	}

 	// TODO: consider non-local nexthops, e.g. on point-to-point interfaces
-	if n, ok := neighbors[nexthop]; ok {
-		if n.State != reachable && n.State != permanent {
+	if n, ok := neighbors[nexthop.IP]; ok {
+		if n.State == unreachable || n.State == incomplete {
 			log.Infof("network monitor: neighbor %s (%s) is not reachable: %s", neighbor.IPAddress, neighbor.LinkLayerAddress, stateFromInt(n.State))
 			return true
 		} else if n.InterfaceIndex != neighbor.InterfaceIndex {
@@ -150,13 +185,13 @@ func neighborChanged(nexthop netip.Addr, neighbor *routemanager.Neighbor, neighb
 	return false
 }

-func getNeighbors() (map[netip.Addr]routemanager.Neighbor, error) {
-	entries, err := routemanager.GetNeighbors()
+func getNeighbors() (map[netip.Addr]systemops.Neighbor, error) {
+	entries, err := systemops.GetNeighbors()
 	if err != nil {
 		return nil, fmt.Errorf("get neighbors: %w", err)
 	}

-	neighbours := make(map[netip.Addr]routemanager.Neighbor, len(entries))
+	neighbours := make(map[netip.Addr]systemops.Neighbor, len(entries))
 	for _, entry := range entries {
 		neighbours[entry.IPAddress] = entry
 	}
@@ -164,18 +199,13 @@ func getNeighbors() (map[netip.Addr]routemanager.Neighbor, error) {
 	return neighbours, nil
 }

-func getRoutes() (map[netip.Prefix]routemanager.Route, error) {
-	entries, err := routemanager.GetRoutes()
+func getRoutes() ([]systemops.Route, error) {
+	entries, err := systemops.GetRoutes()
 	if err != nil {
 		return nil, fmt.Errorf("get routes: %w", err)
 	}

-	routes := make(map[netip.Prefix]routemanager.Route, len(entries))
-	for _, entry := range entries {
-		routes[entry.Destination] = entry
-	}
-
-	return routes, nil
+	return entries, nil
 }

 func stateFromInt(state uint8) string {
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -2,25 +2,33 @@ package peer

 import (
 	"context"
+	"os"
 	"sync"
 	"testing"
 	"time"

 	"github.com/magiconair/properties/assert"
-	"github.com/pion/stun/v2"

 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/internal/wgproxy"
 	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/util"
 )

 var connConf = ConnConfig{
-	Key:                "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
-	LocalKey:           "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
-	StunTurn:           []*stun.URI{},
-	InterfaceBlackList: nil,
-	Timeout:            time.Second,
-	LocalWgPort:        51820,
+	Key:         "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+	LocalKey:    "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+	Timeout:     time.Second,
+	LocalWgPort: 51820,
+	ICEConfig: ICEConfig{
+		InterfaceBlackList: nil,
+	},
+}
+
+func TestMain(m *testing.M) {
+	_ = util.InitLog("trace", "console")
+	code := m.Run()
+	os.Exit(code)
 }

 func TestNewConn_interfaceFilter(t *testing.T) {
@@ -36,11 +44,11 @@ func TestNewConn_interfaceFilter(t *testing.T) {
 }

 func TestConn_GetKey(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(context.Background(), false, connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
-	conn, err := NewConn(connConf, nil, wgProxyFactory, nil, nil)
+	conn, err := NewConn(context.Background(), connConf, nil, wgProxyFactory, nil, nil, nil)
 	if err != nil {
 		return
 	}
@@ -51,11 +59,11 @@ func TestConn_GetKey(t *testing.T) {
 }

 func TestConn_OnRemoteOffer(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(context.Background(), false, connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil)
+	conn, err := NewConn(context.Background(), connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil, nil)
 	if err != nil {
 		return
 	}
@@ -63,7 +71,7 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 	wg := sync.WaitGroup{}
 	wg.Add(2)
 	go func() {
-		<-conn.remoteOffersCh
+		<-conn.handshaker.remoteOffersCh
 		wg.Done()
 	}()

@@ -88,11 +96,11 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 }

 func TestConn_OnRemoteAnswer(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(context.Background(), false, connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil)
+	conn, err := NewConn(context.Background(), connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil, nil)
 	if err != nil {
 		return
 	}
@@ -100,7 +108,7 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 	wg := sync.WaitGroup{}
 	wg.Add(2)
 	go func() {
-		<-conn.remoteAnswerCh
+		<-conn.handshaker.remoteAnswerCh
 		wg.Done()
 	}()

@@ -124,62 +132,37 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 	wg.Wait()
 }
 func TestConn_Status(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(context.Background(), false, connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil)
+	conn, err := NewConn(context.Background(), connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil, nil)
 	if err != nil {
 		return
 	}

 	tables := []struct {
-		name   string
-		status ConnStatus
-		want   ConnStatus
+		name        string
+		statusIce   ConnStatus
+		statusRelay ConnStatus
+		want        ConnStatus
 	}{
-		{"StatusConnected", StatusConnected, StatusConnected},
-		{"StatusDisconnected", StatusDisconnected, StatusDisconnected},
-		{"StatusConnecting", StatusConnecting, StatusConnecting},
+		{"StatusConnected", StatusConnected, StatusConnected, StatusConnected},
+		{"StatusDisconnected", StatusDisconnected, StatusDisconnected, StatusDisconnected},
+		{"StatusConnecting", StatusConnecting, StatusConnecting, StatusConnecting},
+		{"StatusConnectingIce", StatusConnecting, StatusDisconnected, StatusConnecting},
+		{"StatusConnectingIceAlternative", StatusConnecting, StatusConnected, StatusConnected},
+		{"StatusConnectingRelay", StatusDisconnected, StatusConnecting, StatusConnecting},
+		{"StatusConnectingRelayAlternative", StatusConnected, StatusConnecting, StatusConnected},
 	}

 	for _, table := range tables {
 		t.Run(table.name, func(t *testing.T) {
-			conn.status = table.status
+			conn.statusICE = table.statusIce
+			conn.statusRelay = table.statusRelay

 			got := conn.Status()
 			assert.Equal(t, got, table.want, "they should be equal")
 		})
 	}
 }
-
-func TestConn_Close(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
-	defer func() {
-		_ = wgProxyFactory.Free()
-	}()
-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil)
-	if err != nil {
-		return
-	}
-
-	wg := sync.WaitGroup{}
-	wg.Add(1)
-	go func() {
-		<-conn.closeCh
-		wg.Done()
-	}()
-
-	go func() {
-		for {
-			err := conn.Close()
-			if err != nil {
-				continue
-			} else {
-				return
-			}
-		}
-	}()
-
-	wg.Wait()
-}
--- a/client/internal/peer/env_config.go
+++ b/client/internal/peer/env_config.go
@@ -16,6 +16,13 @@ const (
 	envICEForceRelayConn            = "NB_ICE_FORCE_RELAY_CONN"
 )

+func ForcedRelayAddress() string {
+	if envRelay := os.Getenv("NB_RELAY_ADDRESS"); envRelay != "" {
+		return envRelay
+	}
+	return ""
+}
+
 func iceKeepAlive() time.Duration {
 	keepAliveEnv := os.Getenv(envICEKeepAliveIntervalSec)
 	if keepAliveEnv == "" {
--- a/client/internal/peer/handshaker.go
+++ b/client/internal/peer/handshaker.go
@@ -0,0 +1,195 @@
+package peer
+
+import (
+	"context"
+	"errors"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/version"
+)
+
+var (
+	ErrSignalIsNotReady = errors.New("signal is not ready")
+)
+
+// IceCredentials ICE protocol credentials struct
+type IceCredentials struct {
+	UFrag string
+	Pwd   string
+}
+
+// OfferAnswer represents a session establishment offer or answer
+type OfferAnswer struct {
+	IceCredentials IceCredentials
+	// WgListenPort is a remote WireGuard listen port.
+	// This field is used when establishing a direct WireGuard connection without any proxy.
+	// We can set the remote peer's endpoint with this port.
+	WgListenPort int
+
+	// Version of NetBird Agent
+	Version string
+	// RosenpassPubKey is the Rosenpass public key of the remote peer when receiving this message
+	// This value is the local Rosenpass server public key when sending the message
+	RosenpassPubKey []byte
+	// RosenpassAddr is the Rosenpass server address (IP:port) of the remote peer when receiving this message
+	// This value is the local Rosenpass server address when sending the message
+	RosenpassAddr string
+
+	// relay server address
+	RelaySrvAddress string
+}
+
+type HandshakeArgs struct {
+	IceUFrag  string
+	IcePwd    string
+	RelayAddr string
+}
+
+type Handshaker struct {
+	mu                  sync.Mutex
+	ctx                 context.Context
+	log                 *log.Entry
+	config              ConnConfig
+	signaler            *Signaler
+	onNewOfferListeners []func(*OfferAnswer)
+
+	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
+	remoteOffersCh chan OfferAnswer
+	// remoteAnswerCh is a channel used to wait for remote credentials answer (confirmation of our offer) to proceed with the connection
+	remoteAnswerCh chan OfferAnswer
+
+	lastOfferArgs HandshakeArgs
+}
+
+func NewHandshaker(ctx context.Context, log *log.Entry, config ConnConfig, signaler *Signaler) *Handshaker {
+	return &Handshaker{
+		ctx:            ctx,
+		log:            log,
+		config:         config,
+		signaler:       signaler,
+		remoteOffersCh: make(chan OfferAnswer),
+		remoteAnswerCh: make(chan OfferAnswer),
+	}
+}
+
+func (h *Handshaker) AddOnNewOfferListener(offer func(remoteOfferAnswer *OfferAnswer)) {
+	h.onNewOfferListeners = append(h.onNewOfferListeners, offer)
+}
+
+func (h *Handshaker) Listen() {
+	for {
+		h.log.Debugf("wait for remote offer confirmation")
+		remoteOfferAnswer, err := h.waitForRemoteOfferConfirmation()
+		if err != nil {
+			if _, ok := err.(*ConnectionClosedError); ok {
+				h.log.Tracef("stop handshaker")
+				return
+			}
+			h.log.Errorf("failed to received remote offer confirmation: %s", err)
+			continue
+		}
+
+		h.log.Debugf("received connection confirmation, running version %s and with remote WireGuard listen port %d", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort)
+		for _, listener := range h.onNewOfferListeners {
+			go listener(remoteOfferAnswer)
+		}
+	}
+}
+
+func (h *Handshaker) SendOffer(args HandshakeArgs) error {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+
+	err := h.sendOffer(args)
+	if err != nil {
+		return err
+	}
+
+	h.lastOfferArgs = args
+	return nil
+}
+
+// OnRemoteOffer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
+// doesn't block, discards the message if connection wasn't ready
+func (h *Handshaker) OnRemoteOffer(offer OfferAnswer) bool {
+	// todo remove this if signaling can support relay
+	if ForcedRelayAddress() != "" {
+		offer.RelaySrvAddress = ForcedRelayAddress()
+	}
+	select {
+	case h.remoteOffersCh <- offer:
+		return true
+	default:
+		h.log.Debugf("OnRemoteOffer skipping message because is not ready")
+		// connection might not be ready yet to receive so we ignore the message
+		return false
+	}
+}
+
+// OnRemoteAnswer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
+// doesn't block, discards the message if connection wasn't ready
+func (h *Handshaker) OnRemoteAnswer(answer OfferAnswer) bool {
+	// todo remove this if signaling can support relay
+	if ForcedRelayAddress() != "" {
+		answer.RelaySrvAddress = ForcedRelayAddress()
+	}
+	select {
+	case h.remoteAnswerCh <- answer:
+		return true
+	default:
+		// connection might not be ready yet to receive so we ignore the message
+		h.log.Debugf("OnRemoteAnswer skipping message because is not ready")
+		return false
+	}
+}
+
+func (h *Handshaker) waitForRemoteOfferConfirmation() (*OfferAnswer, error) {
+	select {
+	case remoteOfferAnswer := <-h.remoteOffersCh:
+		// received confirmation from the remote peer -> ready to proceed
+		err := h.sendAnswer()
+		if err != nil {
+			return nil, err
+		}
+		return &remoteOfferAnswer, nil
+	case remoteOfferAnswer := <-h.remoteAnswerCh:
+		return &remoteOfferAnswer, nil
+	case <-h.ctx.Done():
+		// closed externally
+		return nil, NewConnectionClosedError(h.config.Key)
+	}
+}
+
+// sendOffer prepares local user credentials and signals them to the remote peer
+func (h *Handshaker) sendOffer(args HandshakeArgs) error {
+	offer := OfferAnswer{
+		IceCredentials:  IceCredentials{args.IceUFrag, args.IcePwd},
+		WgListenPort:    h.config.LocalWgPort,
+		Version:         version.NetbirdVersion(),
+		RosenpassPubKey: h.config.RosenpassPubKey,
+		RosenpassAddr:   h.config.RosenpassAddr,
+		RelaySrvAddress: args.RelayAddr,
+	}
+
+	return h.signaler.SignalOffer(offer, h.config.Key)
+}
+
+func (h *Handshaker) sendAnswer() error {
+	h.log.Debugf("sending answer")
+	answer := OfferAnswer{
+		IceCredentials:  IceCredentials{h.lastOfferArgs.IceUFrag, h.lastOfferArgs.IcePwd},
+		WgListenPort:    h.config.LocalWgPort,
+		Version:         version.NetbirdVersion(),
+		RosenpassPubKey: h.config.RosenpassPubKey,
+		RosenpassAddr:   h.config.RosenpassAddr,
+		RelaySrvAddress: h.lastOfferArgs.RelayAddr,
+	}
+	err := h.signaler.SignalAnswer(answer, h.config.Key)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/client/internal/peer/signaler.go
+++ b/client/internal/peer/signaler.go
@@ -0,0 +1,70 @@
+package peer
+
+import (
+	"github.com/pion/ice/v3"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
+	signal "github.com/netbirdio/netbird/signal/client"
+	sProto "github.com/netbirdio/netbird/signal/proto"
+)
+
+type Signaler struct {
+	signal       signal.Client
+	wgPrivateKey wgtypes.Key
+}
+
+func NewSignaler(signal signal.Client, wgPrivateKey wgtypes.Key) *Signaler {
+	return &Signaler{
+		signal:       signal,
+		wgPrivateKey: wgPrivateKey,
+	}
+}
+
+func (s *Signaler) SignalOffer(offer OfferAnswer, remoteKey string) error {
+	return s.signalOfferAnswer(offer, remoteKey, sProto.Body_OFFER)
+}
+
+func (s *Signaler) SignalAnswer(offer OfferAnswer, remoteKey string) error {
+	return s.signalOfferAnswer(offer, remoteKey, sProto.Body_ANSWER)
+}
+
+func (s *Signaler) SignalICECandidate(candidate ice.Candidate, remoteKey string) error {
+	return s.signal.Send(&sProto.Message{
+		Key:       s.wgPrivateKey.PublicKey().String(),
+		RemoteKey: remoteKey,
+		Body: &sProto.Body{
+			Type:    sProto.Body_CANDIDATE,
+			Payload: candidate.Marshal(),
+		},
+	})
+}
+
+func (s *Signaler) Ready() bool {
+	return s.signal.Ready()
+}
+
+// SignalOfferAnswer signals either an offer or an answer to remote peer
+func (s *Signaler) signalOfferAnswer(offerAnswer OfferAnswer, remoteKey string, bodyType sProto.Body_Type) error {
+	msg, err := signal.MarshalCredential(
+		s.wgPrivateKey,
+		offerAnswer.WgListenPort,
+		remoteKey,
+		&signal.Credential{
+			UFrag: offerAnswer.IceCredentials.UFrag,
+			Pwd:   offerAnswer.IceCredentials.Pwd,
+		},
+		bodyType,
+		offerAnswer.RosenpassPubKey,
+		offerAnswer.RosenpassAddr,
+		offerAnswer.RelaySrvAddress)
+	if err != nil {
+		return err
+	}
+
+	err = s.signal.Send(msg)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -2,14 +2,18 @@ package peer

 import (
 	"errors"
+	"net/netip"
 	"sync"
 	"time"

+	"golang.org/x/exp/maps"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"

 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/management/domain"
+	relayClient "github.com/netbirdio/netbird/relay/client"
 )

 // State contains the latest state of a peer
@@ -37,25 +41,25 @@ type State struct {
 // AddRoute add a single route to routes map
 func (s *State) AddRoute(network string) {
 	s.Mux.Lock()
+	defer s.Mux.Unlock()
 	if s.routes == nil {
 		s.routes = make(map[string]struct{})
 	}
 	s.routes[network] = struct{}{}
-	s.Mux.Unlock()
 }

 // SetRoutes set state routes
 func (s *State) SetRoutes(routes map[string]struct{}) {
 	s.Mux.Lock()
+	defer s.Mux.Unlock()
 	s.routes = routes
-	s.Mux.Unlock()
 }

 // DeleteRoute removes a route from the network amp
 func (s *State) DeleteRoute(network string) {
 	s.Mux.Lock()
+	defer s.Mux.Unlock()
 	delete(s.routes, network)
-	s.Mux.Unlock()
 }

 // GetRoutes return routes map
@@ -117,40 +121,50 @@ type FullStatus struct {

 // Status holds a state of peers, signal, management connections and relays
 type Status struct {
-	mux                 sync.Mutex
-	peers               map[string]State
-	changeNotify        map[string]chan struct{}
-	signalState         bool
-	signalError         error
-	managementState     bool
-	managementError     error
-	relayStates         []relay.ProbeResult
-	localPeer           LocalPeerState
-	offlinePeers        []State
-	mgmAddress          string
-	signalAddress       string
-	notifier            *notifier
-	rosenpassEnabled    bool
-	rosenpassPermissive bool
-	nsGroupStates       []NSGroupState
+	mux                   sync.Mutex
+	peers                 map[string]State
+	changeNotify          map[string]chan struct{}
+	signalState           bool
+	signalError           error
+	managementState       bool
+	managementError       error
+	relayStates           []relay.ProbeResult
+	localPeer             LocalPeerState
+	offlinePeers          []State
+	mgmAddress            string
+	signalAddress         string
+	notifier              *notifier
+	rosenpassEnabled      bool
+	rosenpassPermissive   bool
+	nsGroupStates         []NSGroupState
+	resolvedDomainsStates map[domain.Domain][]netip.Prefix

 	// To reduce the number of notification invocation this bool will be true when need to call the notification
 	// Some Peer actions mostly used by in a batch when the network map has been synchronized. In these type of events
 	// set to true this variable and at the end of the processing we will reset it by the FinishPeerListModifications()
 	peerListChangedForNotification bool
+
+	relayMgr *relayClient.Manager
 }

 // NewRecorder returns a new Status instance
 func NewRecorder(mgmAddress string) *Status {
 	return &Status{
-		peers:        make(map[string]State),
-		changeNotify: make(map[string]chan struct{}),
-		offlinePeers: make([]State, 0),
-		notifier:     newNotifier(),
-		mgmAddress:   mgmAddress,
+		peers:                 make(map[string]State),
+		changeNotify:          make(map[string]chan struct{}),
+		offlinePeers:          make([]State, 0),
+		notifier:              newNotifier(),
+		mgmAddress:            mgmAddress,
+		resolvedDomainsStates: make(map[domain.Domain][]netip.Prefix),
 	}
 }

+func (d *Status) SetRelayMgr(manager *relayClient.Manager) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.relayMgr = manager
+}
+
 // ReplaceOfflinePeers replaces
 func (d *Status) ReplaceOfflinePeers(replacement []State) {
 	d.mux.Lock()
@@ -188,7 +202,7 @@ func (d *Status) GetPeer(peerPubKey string) (State, error) {

 	state, ok := d.peers[peerPubKey]
 	if !ok {
-		return State{}, errors.New("peer not found")
+		return State{}, iface.ErrPeerNotFound
 	}
 	return state, nil
 }
@@ -429,6 +443,18 @@ func (d *Status) UpdateDNSStates(dnsStates []NSGroupState) {
 	d.nsGroupStates = dnsStates
 }

+func (d *Status) UpdateResolvedDomainsStates(domain domain.Domain, prefixes []netip.Prefix) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.resolvedDomainsStates[domain] = prefixes
+}
+
+func (d *Status) DeleteResolvedDomainsStates(domain domain.Domain) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	delete(d.resolvedDomainsStates, domain)
+}
+
 func (d *Status) GetRosenpassState() RosenpassState {
 	return RosenpassState{
 		d.rosenpassEnabled,
@@ -486,13 +512,40 @@ func (d *Status) GetSignalState() SignalState {
 }

 func (d *Status) GetRelayStates() []relay.ProbeResult {
-	return d.relayStates
+	if d.relayMgr == nil {
+		return d.relayStates
+	}
+
+	// extend the list of stun, turn servers with relay address
+	relaysState := make([]relay.ProbeResult, len(d.relayStates), len(d.relayStates)+1)
+	copy(relaysState, d.relayStates)
+
+	relayState := relay.ProbeResult{}
+
+	// if the server connection is not established then we will use the general address
+	// in case of connection we will use the instance specific address
+	instanceAddr, err := d.relayMgr.RelayInstanceAddress()
+	if err != nil {
+		relayState.URI = d.relayMgr.ServerURL()
+		relayState.Err = err
+	} else {
+		relayState.URI = instanceAddr
+	}
+
+	relaysState = append(relaysState, relayState)
+	return relaysState
 }

 func (d *Status) GetDNSStates() []NSGroupState {
 	return d.nsGroupStates
 }

+func (d *Status) GetResolvedDomainsStates() map[domain.Domain][]netip.Prefix {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	return maps.Clone(d.resolvedDomainsStates)
+}
+
 // GetFullStatus gets full status
 func (d *Status) GetFullStatus() FullStatus {
 	d.mux.Lock()
--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -2,8 +2,8 @@ package peer

 import (
 	"errors"
-	"testing"
 	"sync"
+	"testing"

 	"github.com/stretchr/testify/assert"
 )
@@ -43,7 +43,7 @@ func TestUpdatePeerState(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
-		Mux:	new(sync.RWMutex),
+		Mux:    new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -64,7 +64,7 @@ func TestStatus_UpdatePeerFQDN(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
-		Mux:	new(sync.RWMutex),
+		Mux:    new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -83,7 +83,7 @@ func TestGetPeerStateChangeNotifierLogic(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
-		Mux:	new(sync.RWMutex),
+		Mux:    new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -108,7 +108,7 @@ func TestRemovePeer(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
-		Mux:	new(sync.RWMutex),
+		Mux:    new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
--- a/client/internal/peer/stdnet.go
+++ b/client/internal/peer/stdnet.go
@@ -6,6 +6,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 )

-func (conn *Conn) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNet(conn.config.InterfaceBlackList)
+func (w *WorkerICE) newStdNet() (*stdnet.Net, error) {
+	return stdnet.NewNet(w.configICE.InterfaceBlackList)
 }
--- a/client/internal/peer/stdnet_android.go
+++ b/client/internal/peer/stdnet_android.go
@@ -2,6 +2,6 @@ package peer

 import "github.com/netbirdio/netbird/client/internal/stdnet"

-func (conn *Conn) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNetWithDiscover(conn.iFaceDiscover, conn.config.InterfaceBlackList)
+func (w *WorkerICE) newStdNet() (*stdnet.Net, error) {
+	return stdnet.NewNetWithDiscover(w.iFaceDiscover, w.configICE.InterfaceBlackList)
 }
--- a/client/internal/peer/worker_ice.go
+++ b/client/internal/peer/worker_ice.go
@@ -0,0 +1,461 @@
+package peer
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"runtime"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/pion/ice/v3"
+	"github.com/pion/randutil"
+	"github.com/pion/stun/v2"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/iface/bind"
+	"github.com/netbirdio/netbird/route"
+)
+
+const (
+	iceKeepAliveDefault           = 4 * time.Second
+	iceDisconnectedTimeoutDefault = 6 * time.Second
+	// iceRelayAcceptanceMinWaitDefault is the same as in the Pion ICE package
+	iceRelayAcceptanceMinWaitDefault = 2 * time.Second
+
+	lenUFrag   = 16
+	lenPwd     = 32
+	runesAlpha = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
+)
+
+var (
+	failedTimeout = 6 * time.Second
+)
+
+type ICEConfig struct {
+	// StunTurn is a list of STUN and TURN URLs
+	StunTurn atomic.Value // []*stun.URI
+
+	// InterfaceBlackList is a list of machine interfaces that should be filtered out by ICE Candidate gathering
+	// (e.g. if eth0 is in the list, host candidate of this interface won't be used)
+	InterfaceBlackList   []string
+	DisableIPv6Discovery bool
+
+	UDPMux      ice.UDPMux
+	UDPMuxSrflx ice.UniversalUDPMux
+
+	NATExternalIPs []string
+}
+
+type ICEConnInfo struct {
+	RemoteConn                 net.Conn
+	RosenpassPubKey            []byte
+	RosenpassAddr              string
+	LocalIceCandidateType      string
+	RemoteIceCandidateType     string
+	RemoteIceCandidateEndpoint string
+	LocalIceCandidateEndpoint  string
+	Direct                     bool
+	Relayed                    bool
+	RelayedOnLocal             bool
+}
+
+type WorkerICECallbacks struct {
+	OnConnReady     func(ConnPriority, ICEConnInfo)
+	OnStatusChanged func(ConnStatus)
+}
+
+type WorkerICE struct {
+	ctx               context.Context
+	log               *log.Entry
+	config            ConnConfig
+	configICE         ICEConfig
+	signaler          *Signaler
+	iFaceDiscover     stdnet.ExternalIFaceDiscover
+	statusRecorder    *Status
+	hasRelayOnLocally bool
+	conn              WorkerICECallbacks
+
+	selectedPriority ConnPriority
+
+	agent    *ice.Agent
+	muxAgent sync.Mutex
+
+	StunTurn []*stun.URI
+
+	sentExtraSrflx bool
+
+	localUfrag string
+	localPwd   string
+}
+
+func NewWorkerICE(ctx context.Context, log *log.Entry, config ConnConfig, configICE ICEConfig, signaler *Signaler, ifaceDiscover stdnet.ExternalIFaceDiscover, statusRecorder *Status, hasRelayOnLocally bool, callBacks WorkerICECallbacks) (*WorkerICE, error) {
+	w := &WorkerICE{
+		ctx:               ctx,
+		log:               log,
+		config:            config,
+		configICE:         configICE,
+		signaler:          signaler,
+		iFaceDiscover:     ifaceDiscover,
+		statusRecorder:    statusRecorder,
+		hasRelayOnLocally: hasRelayOnLocally,
+		conn:              callBacks,
+	}
+
+	localUfrag, localPwd, err := generateICECredentials()
+	if err != nil {
+		return nil, err
+	}
+	w.localUfrag = localUfrag
+	w.localPwd = localPwd
+	return w, nil
+}
+
+func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
+	w.log.Debugf("OnNewOffer for ICE")
+	w.muxAgent.Lock()
+
+	if w.agent != nil {
+		w.log.Debugf("agent already exists, skipping the offer")
+		w.muxAgent.Unlock()
+		return
+	}
+
+	var preferredCandidateTypes []ice.CandidateType
+	if w.hasRelayOnLocally && remoteOfferAnswer.RelaySrvAddress != "" {
+		w.selectedPriority = connPriorityICEP2P
+		preferredCandidateTypes = candidateTypesP2P()
+	} else {
+		w.selectedPriority = connPriorityICETurn
+		preferredCandidateTypes = candidateTypes()
+	}
+
+	w.log.Debugf("recreate ICE agent")
+	agentCtx, agentCancel := context.WithCancel(w.ctx)
+	agent, err := w.reCreateAgent(agentCancel, preferredCandidateTypes)
+	if err != nil {
+		w.log.Errorf("failed to recreate ICE Agent: %s", err)
+		w.muxAgent.Unlock()
+		return
+	}
+	w.agent = agent
+	w.muxAgent.Unlock()
+
+	w.log.Debugf("gather candidates")
+	err = w.agent.GatherCandidates()
+	if err != nil {
+		w.log.Debugf("failed to gather candidates: %s", err)
+		return
+	}
+
+	// will block until connection succeeded
+	// but it won't release if ICE Agent went into Disconnected or Failed state,
+	// so we have to cancel it with the provided context once agent detected a broken connection
+	w.log.Debugf("turn agent dial")
+	remoteConn, err := w.turnAgentDial(agentCtx, remoteOfferAnswer)
+	if err != nil {
+		w.log.Debugf("failed to dial the remote peer: %s", err)
+		return
+	}
+	w.log.Debugf("agent dial succeeded")
+
+	pair, err := w.agent.GetSelectedCandidatePair()
+	if err != nil {
+		return
+	}
+
+	if !isRelayCandidate(pair.Local) {
+		// dynamically set remote WireGuard port if other side specified a different one from the default one
+		remoteWgPort := iface.DefaultWgPort
+		if remoteOfferAnswer.WgListenPort != 0 {
+			remoteWgPort = remoteOfferAnswer.WgListenPort
+		}
+
+		// To support old version's with direct mode we attempt to punch an additional role with the remote WireGuard port
+		go w.punchRemoteWGPort(pair, remoteWgPort)
+	}
+
+	ci := ICEConnInfo{
+		RemoteConn:                 remoteConn,
+		RosenpassPubKey:            remoteOfferAnswer.RosenpassPubKey,
+		RosenpassAddr:              remoteOfferAnswer.RosenpassAddr,
+		LocalIceCandidateType:      pair.Local.Type().String(),
+		RemoteIceCandidateType:     pair.Remote.Type().String(),
+		LocalIceCandidateEndpoint:  fmt.Sprintf("%s:%d", pair.Local.Address(), pair.Local.Port()),
+		RemoteIceCandidateEndpoint: fmt.Sprintf("%s:%d", pair.Remote.Address(), pair.Remote.Port()),
+		Direct:                     !isRelayCandidate(pair.Local),
+		Relayed:                    isRelayed(pair),
+		RelayedOnLocal:             isRelayCandidate(pair.Local),
+	}
+	w.log.Debugf("on ICE conn read to use ready")
+	go w.conn.OnConnReady(w.selectedPriority, ci)
+}
+
+// OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
+func (w *WorkerICE) OnRemoteCandidate(candidate ice.Candidate, haRoutes route.HAMap) {
+	w.muxAgent.Lock()
+	defer w.muxAgent.Unlock()
+	w.log.Debugf("OnRemoteCandidate from peer %s -> %s", w.config.Key, candidate.String())
+	if w.agent == nil {
+		w.log.Warnf("ICE Agent is not initialized yet")
+		return
+	}
+
+	if candidateViaRoutes(candidate, haRoutes) {
+		return
+	}
+
+	err := w.agent.AddRemoteCandidate(candidate)
+	if err != nil {
+		w.log.Errorf("error while handling remote candidate")
+		return
+	}
+}
+
+func (w *WorkerICE) GetLocalUserCredentials() (frag string, pwd string) {
+	w.muxAgent.Lock()
+	defer w.muxAgent.Unlock()
+	return w.localUfrag, w.localPwd
+}
+
+func (w *WorkerICE) reCreateAgent(agentCancel context.CancelFunc, relaySupport []ice.CandidateType) (*ice.Agent, error) {
+	transportNet, err := w.newStdNet()
+	if err != nil {
+		w.log.Errorf("failed to create pion's stdnet: %s", err)
+	}
+
+	iceKeepAlive := iceKeepAlive()
+	iceDisconnectedTimeout := iceDisconnectedTimeout()
+	iceRelayAcceptanceMinWait := iceRelayAcceptanceMinWait()
+
+	agentConfig := &ice.AgentConfig{
+		MulticastDNSMode:       ice.MulticastDNSModeDisabled,
+		NetworkTypes:           []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
+		Urls:                   w.configICE.StunTurn.Load().([]*stun.URI),
+		CandidateTypes:         relaySupport,
+		InterfaceFilter:        stdnet.InterfaceFilter(w.configICE.InterfaceBlackList),
+		UDPMux:                 w.configICE.UDPMux,
+		UDPMuxSrflx:            w.configICE.UDPMuxSrflx,
+		NAT1To1IPs:             w.configICE.NATExternalIPs,
+		Net:                    transportNet,
+		FailedTimeout:          &failedTimeout,
+		DisconnectedTimeout:    &iceDisconnectedTimeout,
+		KeepaliveInterval:      &iceKeepAlive,
+		RelayAcceptanceMinWait: &iceRelayAcceptanceMinWait,
+		LocalUfrag:             w.localUfrag,
+		LocalPwd:               w.localPwd,
+	}
+
+	if w.configICE.DisableIPv6Discovery {
+		agentConfig.NetworkTypes = []ice.NetworkType{ice.NetworkTypeUDP4}
+	}
+
+	w.sentExtraSrflx = false
+	agent, err := ice.NewAgent(agentConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	err = agent.OnCandidate(w.onICECandidate)
+	if err != nil {
+		return nil, err
+	}
+
+	err = agent.OnConnectionStateChange(func(state ice.ConnectionState) {
+		w.log.Debugf("ICE ConnectionState has changed to %s", state.String())
+		if state == ice.ConnectionStateFailed || state == ice.ConnectionStateDisconnected {
+			w.conn.OnStatusChanged(StatusDisconnected)
+
+			w.muxAgent.Lock()
+			agentCancel()
+			_ = agent.Close()
+			w.agent = nil
+
+			w.muxAgent.Unlock()
+		}
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	err = agent.OnSelectedCandidatePairChange(w.onICESelectedCandidatePair)
+	if err != nil {
+		return nil, err
+	}
+
+	err = agent.OnSuccessfulSelectedPairBindingResponse(func(p *ice.CandidatePair) {
+		err := w.statusRecorder.UpdateLatency(w.config.Key, p.Latency())
+		if err != nil {
+			w.log.Debugf("failed to update latency for peer: %s", err)
+			return
+		}
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed setting binding response callback: %w", err)
+	}
+
+	return agent, nil
+}
+
+func (w *WorkerICE) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
+	// wait local endpoint configuration
+	time.Sleep(time.Second)
+	addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", pair.Remote.Address(), remoteWgPort))
+	if err != nil {
+		w.log.Warnf("got an error while resolving the udp address, err: %s", err)
+		return
+	}
+
+	mux, ok := w.configICE.UDPMuxSrflx.(*bind.UniversalUDPMuxDefault)
+	if !ok {
+		w.log.Warn("invalid udp mux conversion")
+		return
+	}
+	_, err = mux.GetSharedConn().WriteTo([]byte{0x6e, 0x62}, addr)
+	if err != nil {
+		w.log.Warnf("got an error while sending the punch packet, err: %s", err)
+	}
+}
+
+// onICECandidate is a callback attached to an ICE Agent to receive new local connection candidates
+// and then signals them to the remote peer
+func (w *WorkerICE) onICECandidate(candidate ice.Candidate) {
+	// nil means candidate gathering has been ended
+	if candidate == nil {
+		return
+	}
+
+	// TODO: reported port is incorrect for CandidateTypeHost, makes understanding ICE use via logs confusing as port is ignored
+	w.log.Debugf("discovered local candidate %s", candidate.String())
+	go func() {
+		err := w.signaler.SignalICECandidate(candidate, w.config.Key)
+		if err != nil {
+			w.log.Errorf("failed signaling candidate to the remote peer %s %s", w.config.Key, err)
+		}
+	}()
+
+	if !w.shouldSendExtraSrflxCandidate(candidate) {
+		return
+	}
+
+	// sends an extra server reflexive candidate to the remote peer with our related port (usually the wireguard port)
+	// this is useful when network has an existing port forwarding rule for the wireguard port and this peer
+	extraSrflx, err := extraSrflxCandidate(candidate)
+	if err != nil {
+		w.log.Errorf("failed creating extra server reflexive candidate %s", err)
+		return
+	}
+	w.sentExtraSrflx = true
+
+	go func() {
+		err = w.signaler.SignalICECandidate(extraSrflx, w.config.Key)
+		if err != nil {
+			w.log.Errorf("failed signaling the extra server reflexive candidate: %s", err)
+		}
+	}()
+}
+
+func (w *WorkerICE) onICESelectedCandidatePair(c1 ice.Candidate, c2 ice.Candidate) {
+	w.log.Debugf("selected candidate pair [local <-> remote] -> [%s <-> %s], peer %s", c1.String(), c2.String(),
+		w.config.Key)
+}
+
+func (w *WorkerICE) shouldSendExtraSrflxCandidate(candidate ice.Candidate) bool {
+	if !w.sentExtraSrflx && candidate.Type() == ice.CandidateTypeServerReflexive && candidate.Port() != candidate.RelatedAddress().Port {
+		return true
+	}
+	return false
+}
+
+func (w *WorkerICE) turnAgentDial(ctx context.Context, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
+	isControlling := w.config.LocalKey > w.config.Key
+	if isControlling {
+		return w.agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+	} else {
+		return w.agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+	}
+}
+
+func extraSrflxCandidate(candidate ice.Candidate) (*ice.CandidateServerReflexive, error) {
+	relatedAdd := candidate.RelatedAddress()
+	return ice.NewCandidateServerReflexive(&ice.CandidateServerReflexiveConfig{
+		Network:   candidate.NetworkType().String(),
+		Address:   candidate.Address(),
+		Port:      relatedAdd.Port,
+		Component: candidate.Component(),
+		RelAddr:   relatedAdd.Address,
+		RelPort:   relatedAdd.Port,
+	})
+}
+
+func candidateViaRoutes(candidate ice.Candidate, clientRoutes route.HAMap) bool {
+	var routePrefixes []netip.Prefix
+	for _, routes := range clientRoutes {
+		if len(routes) > 0 && routes[0] != nil {
+			routePrefixes = append(routePrefixes, routes[0].Network)
+		}
+	}
+
+	addr, err := netip.ParseAddr(candidate.Address())
+	if err != nil {
+		log.Errorf("Failed to parse IP address %s: %v", candidate.Address(), err)
+		return false
+	}
+
+	for _, prefix := range routePrefixes {
+		// default route is
+		if prefix.Bits() == 0 {
+			continue
+		}
+
+		if prefix.Contains(addr) {
+			log.Debugf("Ignoring candidate [%s], its address is part of routed network %s", candidate.String(), prefix)
+			return true
+		}
+	}
+	return false
+}
+
+func candidateTypes() []ice.CandidateType {
+	if hasICEForceRelayConn() {
+		return []ice.CandidateType{ice.CandidateTypeRelay}
+	}
+	// TODO: remove this once we have refactored userspace proxy into the bind package
+	if runtime.GOOS == "ios" {
+		return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive}
+	}
+	return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay}
+}
+
+func candidateTypesP2P() []ice.CandidateType {
+	return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive}
+}
+
+func isRelayCandidate(candidate ice.Candidate) bool {
+	return candidate.Type() == ice.CandidateTypeRelay
+}
+
+func isRelayed(pair *ice.CandidatePair) bool {
+	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
+		return true
+	}
+	return false
+}
+
+func generateICECredentials() (string, string, error) {
+	ufrag, err := randutil.GenerateCryptoRandomString(lenUFrag, runesAlpha)
+	if err != nil {
+		return "", "", err
+	}
+
+	pwd, err := randutil.GenerateCryptoRandomString(lenPwd, runesAlpha)
+	if err != nil {
+		return "", "", err
+	}
+	return ufrag, pwd, nil
+
+}
--- a/client/internal/peer/worker_relay.go
+++ b/client/internal/peer/worker_relay.go
@@ -0,0 +1,100 @@
+package peer
+
+import (
+	"context"
+	"errors"
+	"net"
+
+	log "github.com/sirupsen/logrus"
+
+	relayClient "github.com/netbirdio/netbird/relay/client"
+)
+
+type RelayConnInfo struct {
+	relayedConn     net.Conn
+	rosenpassPubKey []byte
+	rosenpassAddr   string
+}
+
+type WorkerRelayCallbacks struct {
+	OnConnReady    func(RelayConnInfo)
+	OnDisconnected func()
+}
+
+type WorkerRelay struct {
+	ctx          context.Context
+	log          *log.Entry
+	config       ConnConfig
+	relayManager *relayClient.Manager
+	conn         WorkerRelayCallbacks
+}
+
+func NewWorkerRelay(ctx context.Context, log *log.Entry, config ConnConfig, relayManager *relayClient.Manager, callbacks WorkerRelayCallbacks) *WorkerRelay {
+	return &WorkerRelay{
+		ctx:          ctx,
+		log:          log,
+		config:       config,
+		relayManager: relayManager,
+		conn:         callbacks,
+	}
+}
+
+func (w *WorkerRelay) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
+	if !w.isRelaySupported(remoteOfferAnswer) {
+		w.log.Infof("Relay is not supported by remote peer")
+		return
+	}
+
+	// the relayManager will return with error in case if the connection has lost with relay server
+	currentRelayAddress, err := w.relayManager.RelayInstanceAddress()
+	if err != nil {
+		w.log.Infof("local Relay connection is lost, skipping connection attempt")
+		return
+	}
+
+	srv := w.preferredRelayServer(currentRelayAddress, remoteOfferAnswer.RelaySrvAddress)
+
+	relayedConn, err := w.relayManager.OpenConn(srv, w.config.Key, w.conn.OnDisconnected)
+	if err != nil {
+		// todo handle all type errors
+		if errors.Is(err, relayClient.ErrConnAlreadyExists) {
+			w.log.Infof("do not need to reopen relay connection")
+			return
+		}
+		w.log.Infof("do not need to reopen relay connection: %s", err)
+		return
+	}
+
+	w.log.Debugf("Relay connection established with %s", srv)
+	go w.conn.OnConnReady(RelayConnInfo{
+		relayedConn:     relayedConn,
+		rosenpassPubKey: remoteOfferAnswer.RosenpassPubKey,
+		rosenpassAddr:   remoteOfferAnswer.RosenpassAddr,
+	})
+}
+
+func (w *WorkerRelay) RelayInstanceAddress() (string, error) {
+	return w.relayManager.RelayInstanceAddress()
+}
+
+func (w *WorkerRelay) IsController() bool {
+	return w.config.LocalKey > w.config.Key
+}
+
+func (w *WorkerRelay) RelayIsSupportedLocally() bool {
+	return w.relayManager.HasRelayAddress()
+}
+
+func (w *WorkerRelay) isRelaySupported(answer *OfferAnswer) bool {
+	if !w.relayManager.HasRelayAddress() {
+		return false
+	}
+	return answer.RelaySrvAddress != ""
+}
+
+func (w *WorkerRelay) preferredRelayServer(myRelayAddress, remoteRelayAddress string) string {
+	if w.IsController() {
+		return myRelayAddress
+	}
+	return remoteRelayAddress
+}
--- a/client/internal/relay/relay.go
+++ b/client/internal/relay/relay.go
@@ -17,7 +17,7 @@ import (

 // ProbeResult holds the info about the result of a relay probe request
 type ProbeResult struct {
-	URI  *stun.URI
+	URI  string
 	Err  error
 	Addr string
 }
@@ -170,13 +170,13 @@ func ProbeAll(

 	var wg sync.WaitGroup
 	for i, uri := range relays {
-		ctx, cancel := context.WithTimeout(ctx, 1*time.Second)
+		ctx, cancel := context.WithTimeout(ctx, 2*time.Second)
 		defer cancel()

 		wg.Add(1)
 		go func(res *ProbeResult, stunURI *stun.URI) {
 			defer wg.Done()
-			res.URI = stunURI
+			res.URI = stunURI.String()
 			res.Addr, res.Err = fn(ctx, stunURI)
 		}(&results[i], uri)
 	}
--- a/client/internal/routemanager/client.go
+++ b/client/internal/routemanager/client.go
@@ -3,19 +3,20 @@ package routemanager
 import (
 	"context"
 	"fmt"
-	"net"
-	"net/netip"
 	"time"

+	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"

+	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
+	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
+	"github.com/netbirdio/netbird/client/internal/routemanager/static"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
 )

-const minRangeBits = 7
-
 type routerPeerStatus struct {
 	connected bool
 	relayed   bool
@@ -28,33 +29,42 @@ type routesUpdate struct {
 	routes       []*route.Route
 }

+// RouteHandler defines the interface for handling routes
+type RouteHandler interface {
+	String() string
+	AddRoute(ctx context.Context) error
+	RemoveRoute() error
+	AddAllowedIPs(peerKey string) error
+	RemoveAllowedIPs() error
+}
+
 type clientNetwork struct {
 	ctx                 context.Context
-	stop                context.CancelFunc
+	cancel              context.CancelFunc
 	statusRecorder      *peer.Status
-	wgInterface         *iface.WGIface
+	wgInterface         iface.IWGIface
 	routes              map[route.ID]*route.Route
 	routeUpdate         chan routesUpdate
 	peerStateUpdate     chan struct{}
 	routePeersNotifiers map[string]chan struct{}
-	chosenRoute         *route.Route
-	network             netip.Prefix
+	currentChosen       *route.Route
+	handler             RouteHandler
 	updateSerial        uint64
 }

-func newClientNetworkWatcher(ctx context.Context, wgInterface *iface.WGIface, statusRecorder *peer.Status, network netip.Prefix) *clientNetwork {
+func newClientNetworkWatcher(ctx context.Context, dnsRouteInterval time.Duration, wgInterface iface.IWGIface, statusRecorder *peer.Status, rt *route.Route, routeRefCounter *refcounter.RouteRefCounter, allowedIPsRefCounter *refcounter.AllowedIPsRefCounter) *clientNetwork {
 	ctx, cancel := context.WithCancel(ctx)

 	client := &clientNetwork{
 		ctx:                 ctx,
-		stop:                cancel,
+		cancel:              cancel,
 		statusRecorder:      statusRecorder,
 		wgInterface:         wgInterface,
 		routes:              make(map[route.ID]*route.Route),
 		routePeersNotifiers: make(map[string]chan struct{}),
 		routeUpdate:         make(chan routesUpdate),
 		peerStateUpdate:     make(chan struct{}),
-		network:             network,
+		handler:             handlerFromRoute(rt, routeRefCounter, allowedIPsRefCounter, dnsRouteInterval, statusRecorder),
 	}
 	return client
 }
@@ -86,8 +96,8 @@ func (c *clientNetwork) getRouterPeerStatuses() map[route.ID]routerPeerStatus {
 // * Metric: Routes with lower metrics (better) are prioritized.
 // * Non-relayed: Routes without relays are preferred.
 // * Direct connections: Routes with direct peer connections are favored.
-// * Stability: In case of equal scores, the currently active route (if any) is maintained.
 // * Latency: Routes with lower latency are prioritized.
+// * Stability: In case of equal scores, the currently active route (if any) is maintained.
 //
 // It returns the ID of the selected optimal route.
 func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[route.ID]routerPeerStatus) route.ID {
@@ -96,8 +106,8 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[route.ID]
 	currScore := float64(0)

 	currID := route.ID("")
-	if c.chosenRoute != nil {
-		currID = c.chosenRoute.ID
+	if c.currentChosen != nil {
+		currID = c.currentChosen.ID
 	}

 	for _, r := range c.routes {
@@ -151,18 +161,18 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[route.ID]
 			peers = append(peers, r.Peer)
 		}

-		log.Warnf("the network %s has not been assigned a routing peer as no peers from the list %s are currently connected", c.network, peers)
+		log.Warnf("The network [%v] has not been assigned a routing peer as no peers from the list %s are currently connected", c.handler, peers)
 	case chosen != currID:
 		// we compare the current score + 10ms to the chosen score to avoid flapping between routes
 		if currScore != 0 && currScore+0.01 > chosenScore {
-			log.Debugf("keeping current routing peer because the score difference with latency is less than 0.01(10ms), current: %f, new: %f", currScore, chosenScore)
+			log.Debugf("Keeping current routing peer because the score difference with latency is less than 0.01(10ms), current: %f, new: %f", currScore, chosenScore)
 			return currID
 		}
 		var p string
 		if rt := c.routes[chosen]; rt != nil {
 			p = rt.Peer
 		}
-		log.Infof("new chosen route is %s with peer %s with score %f for network %s", chosen, p, chosenScore, c.network)
+		log.Infof("New chosen route is %s with peer %s with score %f for network [%v]", chosen, p, chosenScore, c.handler)
 	}

 	return chosen
@@ -196,98 +206,103 @@ func (c *clientNetwork) startPeersStatusChangeWatcher() {
 	}
 }

-func (c *clientNetwork) removeRouteFromWireguardPeer(peerKey string) error {
-	state, err := c.statusRecorder.GetPeer(peerKey)
-	if err != nil {
-		return fmt.Errorf("get peer state: %v", err)
-	}
+func (c *clientNetwork) removeRouteFromWireguardPeer() error {
+	c.removeStateRoute()

-	state.DeleteRoute(c.network.String())
-	if err := c.statusRecorder.UpdatePeerState(state); err != nil {
-		log.Warnf("Failed to update peer state: %v", err)
-	}
-
-	if state.ConnStatus != peer.StatusConnected {
-		return nil
-	}
-
-	err = c.wgInterface.RemoveAllowedIP(peerKey, c.network.String())
-	if err != nil {
-		return fmt.Errorf("remove allowed IP %s removed for peer %s, err: %v",
-			c.network, c.chosenRoute.Peer, err)
+	if err := c.handler.RemoveAllowedIPs(); err != nil {
+		return fmt.Errorf("remove allowed IPs: %w", err)
 	}
 	return nil
 }

 func (c *clientNetwork) removeRouteFromPeerAndSystem() error {
-	if c.chosenRoute != nil {
-		if err := removeVPNRoute(c.network, c.getAsInterface()); err != nil {
-			return fmt.Errorf("remove route %s from system, err: %v", c.network, err)
-		}
-
-		if err := c.removeRouteFromWireguardPeer(c.chosenRoute.Peer); err != nil {
-			return fmt.Errorf("remove route: %v", err)
-		}
+	if c.currentChosen == nil {
+		return nil
 	}
-	return nil
+
+	var merr *multierror.Error
+
+	if err := c.removeRouteFromWireguardPeer(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove allowed IPs for peer %s: %w", c.currentChosen.Peer, err))
+	}
+	if err := c.handler.RemoveRoute(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove route: %w", err))
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
 }

 func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
 	routerPeerStatuses := c.getRouterPeerStatuses()

-	chosen := c.getBestRouteFromStatuses(routerPeerStatuses)
+	newChosenID := c.getBestRouteFromStatuses(routerPeerStatuses)

 	// If no route is chosen, remove the route from the peer and system
-	if chosen == "" {
+	if newChosenID == "" {
 		if err := c.removeRouteFromPeerAndSystem(); err != nil {
-			return fmt.Errorf("remove route from peer and system: %v", err)
+			return fmt.Errorf("remove route for peer %s: %w", c.currentChosen.Peer, err)
 		}

-		c.chosenRoute = nil
+		c.currentChosen = nil

 		return nil
 	}

 	// If the chosen route is the same as the current route, do nothing
-	if c.chosenRoute != nil && c.chosenRoute.ID == chosen {
-		if c.chosenRoute.IsEqual(c.routes[chosen]) {
-			return nil
-		}
+	if c.currentChosen != nil && c.currentChosen.ID == newChosenID &&
+		c.currentChosen.IsEqual(c.routes[newChosenID]) {
+		return nil
 	}

-	if c.chosenRoute != nil {
-		// If a previous route exists, remove it from the peer
-		if err := c.removeRouteFromWireguardPeer(c.chosenRoute.Peer); err != nil {
-			return fmt.Errorf("remove route from peer: %v", err)
+	if c.currentChosen == nil {
+		// If they were not previously assigned to another peer, add routes to the system first
+		if err := c.handler.AddRoute(c.ctx); err != nil {
+			return fmt.Errorf("add route: %w", err)
 		}
 	} else {
-		// otherwise add the route to the system
-		if err := addVPNRoute(c.network, c.getAsInterface()); err != nil {
-			return fmt.Errorf("route %s couldn't be added for peer %s, err: %v",
-				c.network.String(), c.wgInterface.Address().IP.String(), err)
+		// Otherwise, remove the allowed IPs from the previous peer first
+		if err := c.removeRouteFromWireguardPeer(); err != nil {
+			return fmt.Errorf("remove allowed IPs for peer %s: %w", c.currentChosen.Peer, err)
 		}
 	}

-	c.chosenRoute = c.routes[chosen]
+	c.currentChosen = c.routes[newChosenID]

-	state, err := c.statusRecorder.GetPeer(c.chosenRoute.Peer)
-	if err != nil {
-		log.Errorf("Failed to get peer state: %v", err)
-	} else {
-		state.AddRoute(c.network.String())
-		if err := c.statusRecorder.UpdatePeerState(state); err != nil {
-			log.Warnf("Failed to update peer state: %v", err)
-		}
+	if err := c.handler.AddAllowedIPs(c.currentChosen.Peer); err != nil {
+		return fmt.Errorf("add allowed IPs for peer %s: %w", c.currentChosen.Peer, err)
 	}

-	if err := c.wgInterface.AddAllowedIP(c.chosenRoute.Peer, c.network.String()); err != nil {
-		log.Errorf("couldn't add allowed IP %s added for peer %s, err: %v",
-			c.network, c.chosenRoute.Peer, err)
-	}
+	c.addStateRoute()

 	return nil
 }

+func (c *clientNetwork) addStateRoute() {
+	state, err := c.statusRecorder.GetPeer(c.currentChosen.Peer)
+	if err != nil {
+		log.Errorf("Failed to get peer state: %v", err)
+		return
+	}
+
+	state.AddRoute(c.handler.String())
+	if err := c.statusRecorder.UpdatePeerState(state); err != nil {
+		log.Warnf("Failed to update peer state: %v", err)
+	}
+}
+
+func (c *clientNetwork) removeStateRoute() {
+	state, err := c.statusRecorder.GetPeer(c.currentChosen.Peer)
+	if err != nil {
+		log.Errorf("Failed to get peer state: %v", err)
+		return
+	}
+
+	state.DeleteRoute(c.handler.String())
+	if err := c.statusRecorder.UpdatePeerState(state); err != nil {
+		log.Warnf("Failed to update peer state: %v", err)
+	}
+}
+
 func (c *clientNetwork) sendUpdateToClientNetworkWatcher(update routesUpdate) {
 	go func() {
 		c.routeUpdate <- update
@@ -318,24 +333,23 @@ func (c *clientNetwork) peersStateAndUpdateWatcher() {
 	for {
 		select {
 		case <-c.ctx.Done():
-			log.Debugf("stopping watcher for network %s", c.network)
-			err := c.removeRouteFromPeerAndSystem()
-			if err != nil {
-				log.Errorf("Couldn't remove route from peer and system for network %s: %v", c.network, err)
+			log.Debugf("Stopping watcher for network [%v]", c.handler)
+			if err := c.removeRouteFromPeerAndSystem(); err != nil {
+				log.Errorf("Failed to remove routes for [%v]: %v", c.handler, err)
 			}
 			return
 		case <-c.peerStateUpdate:
 			err := c.recalculateRouteAndUpdatePeerAndSystem()
 			if err != nil {
-				log.Errorf("Couldn't recalculate route and update peer and system: %v", err)
+				log.Errorf("Failed to recalculate routes for network [%v]: %v", c.handler, err)
 			}
 		case update := <-c.routeUpdate:
 			if update.updateSerial < c.updateSerial {
-				log.Warnf("Received a routes update with smaller serial number, ignoring it")
+				log.Warnf("Received a routes update with smaller serial number (%d -> %d), ignoring it", c.updateSerial, update.updateSerial)
 				continue
 			}

-			log.Debugf("Received a new client network route update for %s", c.network)
+			log.Debugf("Received a new client network route update for [%v]", c.handler)

 			c.handleUpdate(update)

@@ -343,7 +357,7 @@ func (c *clientNetwork) peersStateAndUpdateWatcher() {

 			err := c.recalculateRouteAndUpdatePeerAndSystem()
 			if err != nil {
-				log.Errorf("Couldn't recalculate route and update peer and system for network %s: %v", c.network, err)
+				log.Errorf("Failed to recalculate routes for network [%v]: %v", c.handler, err)
 			}

 			c.startPeersStatusChangeWatcher()
@@ -351,14 +365,9 @@ func (c *clientNetwork) peersStateAndUpdateWatcher() {
 	}
 }

-func (c *clientNetwork) getAsInterface() *net.Interface {
-	intf, err := net.InterfaceByName(c.wgInterface.Name())
-	if err != nil {
-		log.Warnf("Couldn't get interface by name %s: %v", c.wgInterface.Name(), err)
-		intf = &net.Interface{
-			Name: c.wgInterface.Name(),
-		}
+func handlerFromRoute(rt *route.Route, routeRefCounter *refcounter.RouteRefCounter, allowedIPsRefCounter *refcounter.AllowedIPsRefCounter, dnsRouterInteval time.Duration, statusRecorder *peer.Status) RouteHandler {
+	if rt.IsDynamic() {
+		return dynamic.NewRoute(rt, routeRefCounter, allowedIPsRefCounter, dnsRouterInteval, statusRecorder)
 	}
-
-	return intf
+	return static.NewRoute(rt, routeRefCounter, allowedIPsRefCounter)
 }
--- a/client/internal/routemanager/client_test.go
+++ b/client/internal/routemanager/client_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 	"time"

+	"github.com/netbirdio/netbird/client/internal/routemanager/static"
 	"github.com/netbirdio/netbird/route"
 )

@@ -340,9 +341,9 @@ func TestGetBestrouteFromStatuses(t *testing.T) {

 			// create new clientNetwork
 			client := &clientNetwork{
-				network:     netip.MustParsePrefix("192.168.0.0/24"),
-				routes:      tc.existingRoutes,
-				chosenRoute: currentRoute,
+				handler:       static.NewRoute(&route.Route{Network: netip.MustParsePrefix("192.168.0.0/24")}, nil, nil),
+				routes:        tc.existingRoutes,
+				currentChosen: currentRoute,
 			}

 			chosenRoute := client.getBestRouteFromStatuses(tc.statuses)
--- a/client/internal/routemanager/dynamic/route.go
+++ b/client/internal/routemanager/dynamic/route.go
@@ -0,0 +1,378 @@
+package dynamic
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
+	"github.com/netbirdio/netbird/client/internal/routemanager/util"
+	"github.com/netbirdio/netbird/management/domain"
+	"github.com/netbirdio/netbird/route"
+)
+
+const (
+	DefaultInterval = time.Minute
+
+	minInterval     = 2 * time.Second
+	failureInterval = 5 * time.Second
+
+	addAllowedIP = "add allowed IP %s: %w"
+)
+
+type domainMap map[domain.Domain][]netip.Prefix
+
+type resolveResult struct {
+	domain domain.Domain
+	prefix netip.Prefix
+	err    error
+}
+
+type Route struct {
+	route                *route.Route
+	routeRefCounter      *refcounter.RouteRefCounter
+	allowedIPsRefcounter *refcounter.AllowedIPsRefCounter
+	interval             time.Duration
+	dynamicDomains       domainMap
+	mu                   sync.Mutex
+	currentPeerKey       string
+	cancel               context.CancelFunc
+	statusRecorder       *peer.Status
+}
+
+func NewRoute(
+	rt *route.Route,
+	routeRefCounter *refcounter.RouteRefCounter,
+	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter,
+	interval time.Duration,
+	statusRecorder *peer.Status,
+) *Route {
+	return &Route{
+		route:                rt,
+		routeRefCounter:      routeRefCounter,
+		allowedIPsRefcounter: allowedIPsRefCounter,
+		interval:             interval,
+		dynamicDomains:       domainMap{},
+		statusRecorder:       statusRecorder,
+	}
+}
+
+func (r *Route) String() string {
+	s, err := r.route.Domains.String()
+	if err != nil {
+		return r.route.Domains.PunycodeString()
+	}
+	return s
+}
+
+func (r *Route) AddRoute(ctx context.Context) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	if r.cancel != nil {
+		r.cancel()
+	}
+
+	ctx, r.cancel = context.WithCancel(ctx)
+
+	go r.startResolver(ctx)
+
+	return nil
+}
+
+// RemoveRoute will stop the dynamic resolver and remove all dynamic routes.
+// It doesn't touch allowed IPs, these should be removed separately and before calling this method.
+func (r *Route) RemoveRoute() error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	if r.cancel != nil {
+		r.cancel()
+	}
+
+	var merr *multierror.Error
+	for domain, prefixes := range r.dynamicDomains {
+		for _, prefix := range prefixes {
+			if _, err := r.routeRefCounter.Decrement(prefix); err != nil {
+				merr = multierror.Append(merr, fmt.Errorf("remove dynamic route for IP %s: %w", prefix, err))
+			}
+		}
+		log.Debugf("Removed dynamic route(s) for [%s]: %s", domain.SafeString(), strings.ReplaceAll(fmt.Sprintf("%s", prefixes), " ", ", "))
+
+		r.statusRecorder.DeleteResolvedDomainsStates(domain)
+	}
+
+	r.dynamicDomains = domainMap{}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *Route) AddAllowedIPs(peerKey string) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	var merr *multierror.Error
+	for domain, domainPrefixes := range r.dynamicDomains {
+		for _, prefix := range domainPrefixes {
+			if err := r.incrementAllowedIP(domain, prefix, peerKey); err != nil {
+				merr = multierror.Append(merr, fmt.Errorf(addAllowedIP, prefix, err))
+			}
+		}
+	}
+	r.currentPeerKey = peerKey
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *Route) RemoveAllowedIPs() error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	var merr *multierror.Error
+	for _, domainPrefixes := range r.dynamicDomains {
+		for _, prefix := range domainPrefixes {
+			if _, err := r.allowedIPsRefcounter.Decrement(prefix); err != nil {
+				merr = multierror.Append(merr, fmt.Errorf("remove allowed IP %s: %w", prefix, err))
+			}
+		}
+	}
+
+	r.currentPeerKey = ""
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *Route) startResolver(ctx context.Context) {
+	log.Debugf("Starting dynamic route resolver for domains [%v]", r)
+
+	interval := r.interval
+	if interval < minInterval {
+		interval = minInterval
+		log.Warnf("Dynamic route resolver interval %s is too low, setting to minimum value %s", r.interval, minInterval)
+	}
+
+	ticker := time.NewTicker(interval)
+	defer ticker.Stop()
+
+	if err := r.update(ctx); err != nil {
+		log.Errorf("Failed to resolve domains for route [%v]: %v", r, err)
+		if interval > failureInterval {
+			ticker.Reset(failureInterval)
+		}
+	}
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Debugf("Stopping dynamic route resolver for domains [%v]", r)
+			return
+		case <-ticker.C:
+			if err := r.update(ctx); err != nil {
+				log.Errorf("Failed to resolve domains for route [%v]: %v", r, err)
+				// Use a lower ticker interval if the update fails
+				if interval > failureInterval {
+					ticker.Reset(failureInterval)
+				}
+			} else if interval > failureInterval {
+				// Reset to the original interval if the update succeeds
+				ticker.Reset(interval)
+			}
+		}
+	}
+}
+
+func (r *Route) update(ctx context.Context) error {
+	if resolved, err := r.resolveDomains(); err != nil {
+		return fmt.Errorf("resolve domains: %w", err)
+	} else if err := r.updateDynamicRoutes(ctx, resolved); err != nil {
+		return fmt.Errorf("update dynamic routes: %w", err)
+	}
+
+	return nil
+}
+
+func (r *Route) resolveDomains() (domainMap, error) {
+	results := make(chan resolveResult)
+	go r.resolve(results)
+
+	resolved := domainMap{}
+	var merr *multierror.Error
+
+	for result := range results {
+		if result.err != nil {
+			merr = multierror.Append(merr, result.err)
+		} else {
+			resolved[result.domain] = append(resolved[result.domain], result.prefix)
+		}
+	}
+
+	return resolved, nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *Route) resolve(results chan resolveResult) {
+	var wg sync.WaitGroup
+
+	for _, d := range r.route.Domains {
+		wg.Add(1)
+		go func(domain domain.Domain) {
+			defer wg.Done()
+			ips, err := net.LookupIP(string(domain))
+			if err != nil {
+				results <- resolveResult{domain: domain, err: fmt.Errorf("resolve d %s: %w", domain.SafeString(), err)}
+				return
+			}
+			for _, ip := range ips {
+				prefix, err := util.GetPrefixFromIP(ip)
+				if err != nil {
+					results <- resolveResult{domain: domain, err: fmt.Errorf("get prefix from IP %s: %w", ip.String(), err)}
+					return
+				}
+				results <- resolveResult{domain: domain, prefix: prefix}
+			}
+		}(d)
+	}
+
+	wg.Wait()
+	close(results)
+}
+
+func (r *Route) updateDynamicRoutes(ctx context.Context, newDomains domainMap) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	if ctx.Err() != nil {
+		return ctx.Err()
+	}
+
+	var merr *multierror.Error
+
+	for domain, newPrefixes := range newDomains {
+		oldPrefixes := r.dynamicDomains[domain]
+		toAdd, toRemove := determinePrefixChanges(oldPrefixes, newPrefixes)
+
+		addedPrefixes, err := r.addRoutes(domain, toAdd)
+		if err != nil {
+			merr = multierror.Append(merr, err)
+		} else if len(addedPrefixes) > 0 {
+			log.Debugf("Added dynamic route(s) for [%s]: %s", domain.SafeString(), strings.ReplaceAll(fmt.Sprintf("%s", addedPrefixes), " ", ", "))
+		}
+
+		removedPrefixes, err := r.removeRoutes(toRemove)
+		if err != nil {
+			merr = multierror.Append(merr, err)
+		} else if len(removedPrefixes) > 0 {
+			log.Debugf("Removed dynamic route(s) for [%s]: %s", domain.SafeString(), strings.ReplaceAll(fmt.Sprintf("%s", removedPrefixes), " ", ", "))
+		}
+
+		updatedPrefixes := combinePrefixes(oldPrefixes, removedPrefixes, addedPrefixes)
+		r.dynamicDomains[domain] = updatedPrefixes
+
+		r.statusRecorder.UpdateResolvedDomainsStates(domain, updatedPrefixes)
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *Route) addRoutes(domain domain.Domain, prefixes []netip.Prefix) ([]netip.Prefix, error) {
+	var addedPrefixes []netip.Prefix
+	var merr *multierror.Error
+
+	for _, prefix := range prefixes {
+		if _, err := r.routeRefCounter.Increment(prefix, nil); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("add dynamic route for IP %s: %w", prefix, err))
+			continue
+		}
+		if r.currentPeerKey != "" {
+			if err := r.incrementAllowedIP(domain, prefix, r.currentPeerKey); err != nil {
+				merr = multierror.Append(merr, fmt.Errorf(addAllowedIP, prefix, err))
+			}
+		}
+		addedPrefixes = append(addedPrefixes, prefix)
+	}
+
+	return addedPrefixes, merr.ErrorOrNil()
+}
+
+func (r *Route) removeRoutes(prefixes []netip.Prefix) ([]netip.Prefix, error) {
+	if r.route.KeepRoute {
+		return nil, nil
+	}
+
+	var removedPrefixes []netip.Prefix
+	var merr *multierror.Error
+
+	for _, prefix := range prefixes {
+		if _, err := r.routeRefCounter.Decrement(prefix); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove dynamic route for IP %s: %w", prefix, err))
+		}
+		if r.currentPeerKey != "" {
+			if _, err := r.allowedIPsRefcounter.Decrement(prefix); err != nil {
+				merr = multierror.Append(merr, fmt.Errorf("remove allowed IP %s: %w", prefix, err))
+			}
+		}
+		removedPrefixes = append(removedPrefixes, prefix)
+	}
+
+	return removedPrefixes, merr.ErrorOrNil()
+}
+
+func (r *Route) incrementAllowedIP(domain domain.Domain, prefix netip.Prefix, peerKey string) error {
+	if ref, err := r.allowedIPsRefcounter.Increment(prefix, peerKey); err != nil {
+		return fmt.Errorf(addAllowedIP, prefix, err)
+	} else if ref.Count > 1 && ref.Out != peerKey {
+		log.Warnf("IP [%s] for domain [%s] is already routed by peer [%s]. HA routing disabled",
+			prefix.Addr(),
+			domain.SafeString(),
+			ref.Out,
+		)
+
+	}
+	return nil
+}
+
+func determinePrefixChanges(oldPrefixes, newPrefixes []netip.Prefix) (toAdd, toRemove []netip.Prefix) {
+	prefixSet := make(map[netip.Prefix]bool)
+	for _, prefix := range oldPrefixes {
+		prefixSet[prefix] = false
+	}
+	for _, prefix := range newPrefixes {
+		if _, exists := prefixSet[prefix]; exists {
+			prefixSet[prefix] = true
+		} else {
+			toAdd = append(toAdd, prefix)
+		}
+	}
+	for prefix, inUse := range prefixSet {
+		if !inUse {
+			toRemove = append(toRemove, prefix)
+		}
+	}
+	return
+}
+
+func combinePrefixes(oldPrefixes, removedPrefixes, addedPrefixes []netip.Prefix) []netip.Prefix {
+	prefixSet := make(map[netip.Prefix]struct{})
+	for _, prefix := range oldPrefixes {
+		prefixSet[prefix] = struct{}{}
+	}
+	for _, prefix := range removedPrefixes {
+		delete(prefixSet, prefix)
+	}
+	for _, prefix := range addedPrefixes {
+		prefixSet[prefix] = struct{}{}
+	}
+
+	var combinedPrefixes []netip.Prefix
+	for prefix := range prefixSet {
+		combinedPrefixes = append(combinedPrefixes, prefix)
+	}
+
+	return combinedPrefixes
+}
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -2,18 +2,23 @@ package routemanager

 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
 	"net/netip"
 	"net/url"
 	"runtime"
 	"sync"
+	"time"

 	log "github.com/sirupsen/logrus"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
+	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
 	"github.com/netbirdio/netbird/client/internal/routeselector"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
@@ -21,14 +26,9 @@ import (
 	"github.com/netbirdio/netbird/version"
 )

-var defaultv4 = netip.PrefixFrom(netip.IPv4Unspecified(), 0)
-
-// nolint:unused
-var defaultv6 = netip.PrefixFrom(netip.IPv6Unspecified(), 0)
-
 // Manager is a route manager interface
 type Manager interface {
-	Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error)
+	Init() (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error)
 	UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error)
 	TriggerSelection(route.HAMap)
 	GetRouteSelector() *routeselector.RouteSelector
@@ -40,31 +40,71 @@ type Manager interface {

 // DefaultManager is the default instance of a route manager
 type DefaultManager struct {
-	ctx            context.Context
-	stop           context.CancelFunc
-	mux            sync.Mutex
-	clientNetworks map[route.HAUniqueID]*clientNetwork
-	routeSelector  *routeselector.RouteSelector
-	serverRouter   serverRouter
-	statusRecorder *peer.Status
-	wgInterface    *iface.WGIface
-	pubKey         string
-	notifier       *notifier
+	ctx                  context.Context
+	stop                 context.CancelFunc
+	mux                  sync.Mutex
+	clientNetworks       map[route.HAUniqueID]*clientNetwork
+	routeSelector        *routeselector.RouteSelector
+	serverRouter         serverRouter
+	sysOps               *systemops.SysOps
+	statusRecorder       *peer.Status
+	wgInterface          iface.IWGIface
+	pubKey               string
+	notifier             *notifier
+	routeRefCounter      *refcounter.RouteRefCounter
+	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter
+	dnsRouteInterval     time.Duration
 }

-func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface, statusRecorder *peer.Status, initialRoutes []*route.Route) *DefaultManager {
+func NewManager(
+	ctx context.Context,
+	pubKey string,
+	dnsRouteInterval time.Duration,
+	wgInterface iface.IWGIface,
+	statusRecorder *peer.Status,
+	initialRoutes []*route.Route,
+) *DefaultManager {
 	mCTX, cancel := context.WithCancel(ctx)
+	sysOps := systemops.NewSysOps(wgInterface)
+
 	dm := &DefaultManager{
-		ctx:            mCTX,
-		stop:           cancel,
-		clientNetworks: make(map[route.HAUniqueID]*clientNetwork),
-		routeSelector:  routeselector.NewRouteSelector(),
-		statusRecorder: statusRecorder,
-		wgInterface:    wgInterface,
-		pubKey:         pubKey,
-		notifier:       newNotifier(),
+		ctx:              mCTX,
+		stop:             cancel,
+		dnsRouteInterval: dnsRouteInterval,
+		clientNetworks:   make(map[route.HAUniqueID]*clientNetwork),
+		routeSelector:    routeselector.NewRouteSelector(),
+		sysOps:           sysOps,
+		statusRecorder:   statusRecorder,
+		wgInterface:      wgInterface,
+		pubKey:           pubKey,
+		notifier:         newNotifier(),
 	}

+	dm.routeRefCounter = refcounter.New(
+		func(prefix netip.Prefix, _ any) (any, error) {
+			return nil, sysOps.AddVPNRoute(prefix, wgInterface.ToInterface())
+		},
+		func(prefix netip.Prefix, _ any) error {
+			return sysOps.RemoveVPNRoute(prefix, wgInterface.ToInterface())
+		},
+	)
+
+	dm.allowedIPsRefCounter = refcounter.New(
+		func(prefix netip.Prefix, peerKey string) (string, error) {
+			// save peerKey to use it in the remove function
+			return peerKey, wgInterface.AddAllowedIP(peerKey, prefix.String())
+		},
+		func(prefix netip.Prefix, peerKey string) error {
+			if err := wgInterface.RemoveAllowedIP(peerKey, prefix.String()); err != nil {
+				if !errors.Is(err, iface.ErrPeerNotFound) && !errors.Is(err, iface.ErrAllowedIPNotFound) {
+					return err
+				}
+				log.Tracef("Remove allowed IPs %s for %s: %v", prefix, peerKey, err)
+			}
+			return nil
+		},
+	)
+
 	if runtime.GOOS == "android" {
 		cr := dm.clientRoutes(initialRoutes)
 		dm.notifier.setInitialClientRoutes(cr)
@@ -73,12 +113,12 @@ func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface,
 }

 // Init sets up the routing
-func (m *DefaultManager) Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+func (m *DefaultManager) Init() (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error) {
 	if nbnet.CustomRoutingDisabled() {
 		return nil, nil, nil
 	}

-	if err := cleanupRouting(); err != nil {
+	if err := m.sysOps.CleanupRouting(); err != nil {
 		log.Warnf("Failed cleaning up routing: %v", err)
 	}

@@ -86,7 +126,7 @@ func (m *DefaultManager) Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePee
 	signalAddress := m.statusRecorder.GetSignalState().URL
 	ips := resolveURLsToIPs([]string{mgmtAddress, signalAddress})

-	beforePeerHook, afterPeerHook, err := setupRouting(ips, m.wgInterface)
+	beforePeerHook, afterPeerHook, err := m.sysOps.SetupRouting(ips)
 	if err != nil {
 		return nil, nil, fmt.Errorf("setup routing: %w", err)
 	}
@@ -110,8 +150,19 @@ func (m *DefaultManager) Stop() {
 		m.serverRouter.cleanUp()
 	}

+	if m.routeRefCounter != nil {
+		if err := m.routeRefCounter.Flush(); err != nil {
+			log.Errorf("Error flushing route ref counter: %v", err)
+		}
+	}
+	if m.allowedIPsRefCounter != nil {
+		if err := m.allowedIPsRefCounter.Flush(); err != nil {
+			log.Errorf("Error flushing allowed IPs ref counter: %v", err)
+		}
+	}
+
 	if !nbnet.CustomRoutingDisabled() {
-		if err := cleanupRouting(); err != nil {
+		if err := m.sysOps.CleanupRouting(); err != nil {
 			log.Errorf("Error cleaning up routing: %v", err)
 		} else {
 			log.Info("Routing cleanup complete")
@@ -185,7 +236,7 @@ func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
 			continue
 		}

-		clientNetworkWatcher := newClientNetworkWatcher(m.ctx, m.wgInterface, m.statusRecorder, routes[0].Network)
+		clientNetworkWatcher := newClientNetworkWatcher(m.ctx, m.dnsRouteInterval, m.wgInterface, m.statusRecorder, routes[0], m.routeRefCounter, m.allowedIPsRefCounter)
 		m.clientNetworks[id] = clientNetworkWatcher
 		go clientNetworkWatcher.peersStateAndUpdateWatcher()
 		clientNetworkWatcher.sendUpdateToClientNetworkWatcher(routesUpdate{routes: routes})
@@ -197,7 +248,7 @@ func (m *DefaultManager) stopObsoleteClients(networks route.HAMap) {
 	for id, client := range m.clientNetworks {
 		if _, ok := networks[id]; !ok {
 			log.Debugf("Stopping client network watcher, %s", id)
-			client.stop()
+			client.cancel()
 			delete(m.clientNetworks, id)
 		}
 	}
@@ -210,7 +261,7 @@ func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks rout
 	for id, routes := range networks {
 		clientNetworkWatcher, found := m.clientNetworks[id]
 		if !found {
-			clientNetworkWatcher = newClientNetworkWatcher(m.ctx, m.wgInterface, m.statusRecorder, routes[0].Network)
+			clientNetworkWatcher = newClientNetworkWatcher(m.ctx, m.dnsRouteInterval, m.wgInterface, m.statusRecorder, routes[0], m.routeRefCounter, m.allowedIPsRefCounter)
 			m.clientNetworks[id] = clientNetworkWatcher
 			go clientNetworkWatcher.peersStateAndUpdateWatcher()
 		}
@@ -228,7 +279,7 @@ func (m *DefaultManager) classifyRoutes(newRoutes []*route.Route) (map[route.ID]
 	ownNetworkIDs := make(map[route.HAUniqueID]bool)

 	for _, newRoute := range newRoutes {
-		haID := route.GetHAUniqueID(newRoute)
+		haID := newRoute.GetHAUniqueID()
 		if newRoute.Peer == m.pubKey {
 			ownNetworkIDs[haID] = true
 			// only linux is supported for now
@@ -241,9 +292,9 @@ func (m *DefaultManager) classifyRoutes(newRoutes []*route.Route) (map[route.ID]
 	}

 	for _, newRoute := range newRoutes {
-		haID := route.GetHAUniqueID(newRoute)
+		haID := newRoute.GetHAUniqueID()
 		if !ownNetworkIDs[haID] {
-			if !isPrefixSupported(newRoute.Network) {
+			if !isRouteSupported(newRoute) {
 				continue
 			}
 			newClientRoutesIDMap[haID] = append(newClientRoutesIDMap[haID], newRoute)
@@ -255,23 +306,23 @@ func (m *DefaultManager) classifyRoutes(newRoutes []*route.Route) (map[route.ID]

 func (m *DefaultManager) clientRoutes(initialRoutes []*route.Route) []*route.Route {
 	_, crMap := m.classifyRoutes(initialRoutes)
-	rs := make([]*route.Route, 0)
+	rs := make([]*route.Route, 0, len(crMap))
 	for _, routes := range crMap {
 		rs = append(rs, routes...)
 	}
 	return rs
 }

-func isPrefixSupported(prefix netip.Prefix) bool {
-	if !nbnet.CustomRoutingDisabled() {
+func isRouteSupported(route *route.Route) bool {
+	if !nbnet.CustomRoutingDisabled() || route.IsDynamic() {
 		return true
 	}

 	// If prefix is too small, lets assume it is a possible default prefix which is not yet supported
 	// we skip this prefix management
-	if prefix.Bits() <= minRangeBits {
+	if route.Network.Bits() <= vars.MinRangeBits {
 		log.Warnf("This agent version: %s, doesn't support default routes, received %s, skipping this prefix",
-			version.NetbirdVersion(), prefix)
+			version.NetbirdVersion(), route.Network)
 		return false
 	}
 	return true
--- a/client/internal/routemanager/manager_test.go
+++ b/client/internal/routemanager/manager_test.go
@@ -407,7 +407,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", 33100, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil)
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", 33100, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil, nil)
 			require.NoError(t, err, "should create testing WGIface interface")
 			defer wgInterface.Close()

@@ -416,7 +416,7 @@ func TestManagerUpdateRoutes(t *testing.T) {

 			statusRecorder := peer.NewRecorder("https://mgm")
 			ctx := context.TODO()
-			routeManager := NewManager(ctx, localPeerKey, wgInterface, statusRecorder, nil)
+			routeManager := NewManager(ctx, localPeerKey, 0, wgInterface, statusRecorder, nil)

 			_, _, err = routeManager.Init()

@@ -436,7 +436,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			require.NoError(t, err, "should update routes")

 			expectedWatchers := testCase.clientNetworkWatchersExpected
-			if (runtime.GOOS == "linux" || runtime.GOOS == "windows" || runtime.GOOS == "darwin") && testCase.clientNetworkWatchersExpectedAllowed != 0 {
+			if testCase.clientNetworkWatchersExpectedAllowed != 0 {
 				expectedWatchers = testCase.clientNetworkWatchersExpectedAllowed
 			}
 			require.Len(t, routeManager.clientNetworks, expectedWatchers, "client networks size should match")
--- a/client/internal/routemanager/mock.go
+++ b/client/internal/routemanager/mock.go
@@ -6,10 +6,10 @@ import (

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/listener"
-	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/routeselector"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/util/net"
 )

 // MockManager is the mock instance of a route manager
@@ -20,7 +20,7 @@ type MockManager struct {
 	StopFunc             func()
 }

-func (m *MockManager) Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+func (m *MockManager) Init() (net.AddHookFunc, net.RemoveHookFunc, error) {
 	return nil, nil, nil
 }

--- a/client/internal/routemanager/refcounter/refcounter.go
+++ b/client/internal/routemanager/refcounter/refcounter.go
@@ -0,0 +1,155 @@
+package refcounter
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+	"sync"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+)
+
+// ErrIgnore can be returned by AddFunc to indicate that the counter not be incremented for the given prefix.
+var ErrIgnore = errors.New("ignore")
+
+type Ref[O any] struct {
+	Count int
+	Out   O
+}
+
+type AddFunc[I, O any] func(prefix netip.Prefix, in I) (out O, err error)
+type RemoveFunc[I, O any] func(prefix netip.Prefix, out O) error
+
+type Counter[I, O any] struct {
+	// refCountMap keeps track of the reference Ref for prefixes
+	refCountMap map[netip.Prefix]Ref[O]
+	refCountMu  sync.Mutex
+	// idMap keeps track of the prefixes associated with an ID for removal
+	idMap  map[string][]netip.Prefix
+	idMu   sync.Mutex
+	add    AddFunc[I, O]
+	remove RemoveFunc[I, O]
+}
+
+// New creates a new Counter instance
+func New[I, O any](add AddFunc[I, O], remove RemoveFunc[I, O]) *Counter[I, O] {
+	return &Counter[I, O]{
+		refCountMap: map[netip.Prefix]Ref[O]{},
+		idMap:       map[string][]netip.Prefix{},
+		add:         add,
+		remove:      remove,
+	}
+}
+
+// Increment increments the reference count for the given prefix.
+// If this is the first reference to the prefix, the AddFunc is called.
+func (rm *Counter[I, O]) Increment(prefix netip.Prefix, in I) (Ref[O], error) {
+	rm.refCountMu.Lock()
+	defer rm.refCountMu.Unlock()
+
+	ref := rm.refCountMap[prefix]
+	log.Tracef("Increasing ref count %d for prefix %s with [%v]", ref.Count, prefix, ref.Out)
+
+	// Call AddFunc only if it's a new prefix
+	if ref.Count == 0 {
+		log.Tracef("Adding for prefix %s with [%v]", prefix, ref.Out)
+		out, err := rm.add(prefix, in)
+
+		if errors.Is(err, ErrIgnore) {
+			return ref, nil
+		}
+		if err != nil {
+			return ref, fmt.Errorf("failed to add for prefix %s: %w", prefix, err)
+		}
+		ref.Out = out
+	}
+
+	ref.Count++
+	rm.refCountMap[prefix] = ref
+
+	return ref, nil
+}
+
+// IncrementWithID increments the reference count for the given prefix and groups it under the given ID.
+// If this is the first reference to the prefix, the AddFunc is called.
+func (rm *Counter[I, O]) IncrementWithID(id string, prefix netip.Prefix, in I) (Ref[O], error) {
+	rm.idMu.Lock()
+	defer rm.idMu.Unlock()
+
+	ref, err := rm.Increment(prefix, in)
+	if err != nil {
+		return ref, fmt.Errorf("with ID: %w", err)
+	}
+	rm.idMap[id] = append(rm.idMap[id], prefix)
+
+	return ref, nil
+}
+
+// Decrement decrements the reference count for the given prefix.
+// If the reference count reaches 0, the RemoveFunc is called.
+func (rm *Counter[I, O]) Decrement(prefix netip.Prefix) (Ref[O], error) {
+	rm.refCountMu.Lock()
+	defer rm.refCountMu.Unlock()
+
+	ref, ok := rm.refCountMap[prefix]
+	if !ok {
+		log.Tracef("No reference found for prefix %s", prefix)
+		return ref, nil
+	}
+
+	log.Tracef("Decreasing ref count %d for prefix %s with [%v]", ref.Count, prefix, ref.Out)
+	if ref.Count == 1 {
+		log.Tracef("Removing for prefix %s with [%v]", prefix, ref.Out)
+		if err := rm.remove(prefix, ref.Out); err != nil {
+			return ref, fmt.Errorf("remove for prefix %s: %w", prefix, err)
+		}
+		delete(rm.refCountMap, prefix)
+	} else {
+		ref.Count--
+		rm.refCountMap[prefix] = ref
+	}
+
+	return ref, nil
+}
+
+// DecrementWithID decrements the reference count for all prefixes associated with the given ID.
+// If the reference count reaches 0, the RemoveFunc is called.
+func (rm *Counter[I, O]) DecrementWithID(id string) error {
+	rm.idMu.Lock()
+	defer rm.idMu.Unlock()
+
+	var merr *multierror.Error
+	for _, prefix := range rm.idMap[id] {
+		if _, err := rm.Decrement(prefix); err != nil {
+			merr = multierror.Append(merr, err)
+		}
+	}
+	delete(rm.idMap, id)
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+// Flush removes all references and calls RemoveFunc for each prefix.
+func (rm *Counter[I, O]) Flush() error {
+	rm.refCountMu.Lock()
+	defer rm.refCountMu.Unlock()
+	rm.idMu.Lock()
+	defer rm.idMu.Unlock()
+
+	var merr *multierror.Error
+	for prefix := range rm.refCountMap {
+		log.Tracef("Removing for prefix %s", prefix)
+		ref := rm.refCountMap[prefix]
+		if err := rm.remove(prefix, ref.Out); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove for prefix %s: %w", prefix, err))
+		}
+	}
+	rm.refCountMap = map[netip.Prefix]Ref[O]{}
+
+	rm.idMap = map[string][]netip.Prefix{}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
--- a/client/internal/routemanager/refcounter/types.go
+++ b/client/internal/routemanager/refcounter/types.go
@@ -0,0 +1,7 @@
+package refcounter
+
+// RouteRefCounter is a Counter for Route, it doesn't take any input on Increment and doesn't use any output on Decrement
+type RouteRefCounter = Counter[any, any]
+
+// AllowedIPsRefCounter is a Counter for AllowedIPs, it takes a peer key on Increment and passes it back to Decrement
+type AllowedIPsRefCounter = Counter[string, string]
--- a/client/internal/routemanager/routemanager.go
+++ b/client/internal/routemanager/routemanager.go
@@ -1,127 +0,0 @@
-//go:build !android && !ios
-
-package routemanager
-
-import (
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"sync"
-
-	"github.com/hashicorp/go-multierror"
-	log "github.com/sirupsen/logrus"
-
-	nbnet "github.com/netbirdio/netbird/util/net"
-)
-
-type ref struct {
-	count   int
-	nexthop netip.Addr
-	intf    *net.Interface
-}
-
-type RouteManager struct {
-	// refCountMap keeps track of the reference ref for prefixes
-	refCountMap map[netip.Prefix]ref
-	// prefixMap keeps track of the prefixes associated with a connection ID for removal
-	prefixMap   map[nbnet.ConnectionID][]netip.Prefix
-	addRoute    AddRouteFunc
-	removeRoute RemoveRouteFunc
-	mutex       sync.Mutex
-}
-
-type AddRouteFunc func(prefix netip.Prefix) (nexthop netip.Addr, intf *net.Interface, err error)
-type RemoveRouteFunc func(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error
-
-func NewRouteManager(addRoute AddRouteFunc, removeRoute RemoveRouteFunc) *RouteManager {
-	// TODO: read initial routing table into refCountMap
-	return &RouteManager{
-		refCountMap: map[netip.Prefix]ref{},
-		prefixMap:   map[nbnet.ConnectionID][]netip.Prefix{},
-		addRoute:    addRoute,
-		removeRoute: removeRoute,
-	}
-}
-
-func (rm *RouteManager) AddRouteRef(connID nbnet.ConnectionID, prefix netip.Prefix) error {
-	rm.mutex.Lock()
-	defer rm.mutex.Unlock()
-
-	ref := rm.refCountMap[prefix]
-	log.Debugf("Increasing route ref count %d for prefix %s", ref.count, prefix)
-
-	// Add route to the system, only if it's a new prefix
-	if ref.count == 0 {
-		log.Debugf("Adding route for prefix %s", prefix)
-		nexthop, intf, err := rm.addRoute(prefix)
-		if errors.Is(err, ErrRouteNotFound) {
-			return nil
-		}
-		if errors.Is(err, ErrRouteNotAllowed) {
-			log.Debugf("Adding route for prefix %s: %s", prefix, err)
-		}
-		if err != nil {
-			return fmt.Errorf("failed to add route for prefix %s: %w", prefix, err)
-		}
-		ref.nexthop = nexthop
-		ref.intf = intf
-	}
-
-	ref.count++
-	rm.refCountMap[prefix] = ref
-	rm.prefixMap[connID] = append(rm.prefixMap[connID], prefix)
-
-	return nil
-}
-
-func (rm *RouteManager) RemoveRouteRef(connID nbnet.ConnectionID) error {
-	rm.mutex.Lock()
-	defer rm.mutex.Unlock()
-
-	prefixes, ok := rm.prefixMap[connID]
-	if !ok {
-		log.Debugf("No prefixes found for connection ID %s", connID)
-		return nil
-	}
-
-	var result *multierror.Error
-	for _, prefix := range prefixes {
-		ref := rm.refCountMap[prefix]
-		log.Debugf("Decreasing route ref count %d for prefix %s", ref.count, prefix)
-		if ref.count == 1 {
-			log.Debugf("Removing route for prefix %s", prefix)
-			// TODO: don't fail if the route is not found
-			if err := rm.removeRoute(prefix, ref.nexthop, ref.intf); err != nil {
-				result = multierror.Append(result, fmt.Errorf("remove route for prefix %s: %w", prefix, err))
-				continue
-			}
-			delete(rm.refCountMap, prefix)
-		} else {
-			ref.count--
-			rm.refCountMap[prefix] = ref
-		}
-	}
-	delete(rm.prefixMap, connID)
-
-	return result.ErrorOrNil()
-}
-
-// Flush removes all references and routes from the system
-func (rm *RouteManager) Flush() error {
-	rm.mutex.Lock()
-	defer rm.mutex.Unlock()
-
-	var result *multierror.Error
-	for prefix := range rm.refCountMap {
-		log.Debugf("Removing route for prefix %s", prefix)
-		ref := rm.refCountMap[prefix]
-		if err := rm.removeRoute(prefix, ref.nexthop, ref.intf); err != nil {
-			result = multierror.Append(result, fmt.Errorf("remove route for prefix %s: %w", prefix, err))
-		}
-	}
-	rm.refCountMap = map[netip.Prefix]ref{}
-	rm.prefixMap = map[nbnet.ConnectionID][]netip.Prefix{}
-
-	return result.ErrorOrNil()
-}
--- a/client/internal/routemanager/server_android.go
+++ b/client/internal/routemanager/server_android.go
@@ -11,6 +11,6 @@ import (
 	"github.com/netbirdio/netbird/iface"
 )

-func newServerRouter(context.Context, *iface.WGIface, firewall.Manager, *peer.Status) (serverRouter, error) {
+func newServerRouter(context.Context, iface.IWGIface, firewall.Manager, *peer.Status) (serverRouter, error) {
 	return nil, fmt.Errorf("server route not supported on this os")
 }
--- a/client/internal/routemanager/server_nonandroid.go
+++ b/client/internal/routemanager/server_nonandroid.go
@@ -12,6 +12,7 @@ import (

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
 )
@@ -21,11 +22,11 @@ type defaultServerRouter struct {
 	ctx            context.Context
 	routes         map[route.ID]*route.Route
 	firewall       firewall.Manager
-	wgInterface    *iface.WGIface
+	wgInterface    iface.IWGIface
 	statusRecorder *peer.Status
 }

-func newServerRouter(ctx context.Context, wgInterface *iface.WGIface, firewall firewall.Manager, statusRecorder *peer.Status) (serverRouter, error) {
+func newServerRouter(ctx context.Context, wgInterface iface.IWGIface, firewall firewall.Manager, statusRecorder *peer.Status) (serverRouter, error) {
 	return &defaultServerRouter{
 		ctx:            ctx,
 		routes:         make(map[route.ID]*route.Route),
@@ -70,7 +71,7 @@ func (m *defaultServerRouter) updateRoutes(routesMap map[route.ID]*route.Route)
 	}

 	if len(m.routes) > 0 {
-		err := enableIPForwarding()
+		err := systemops.EnableIPForwarding()
 		if err != nil {
 			return err
 		}
@@ -88,7 +89,7 @@ func (m *defaultServerRouter) removeFromServerNetwork(route *route.Route) error
 		m.mux.Lock()
 		defer m.mux.Unlock()

-		routerPair, err := routeToRouterPair(m.wgInterface.Address().Masked().String(), route)
+		routerPair, err := routeToRouterPair(route)
 		if err != nil {
 			return fmt.Errorf("parse prefix: %w", err)
 		}
@@ -117,7 +118,7 @@ func (m *defaultServerRouter) addToServerNetwork(route *route.Route) error {
 		m.mux.Lock()
 		defer m.mux.Unlock()

-		routerPair, err := routeToRouterPair(m.wgInterface.Address().Masked().String(), route)
+		routerPair, err := routeToRouterPair(route)
 		if err != nil {
 			return fmt.Errorf("parse prefix: %w", err)
 		}
@@ -133,7 +134,13 @@ func (m *defaultServerRouter) addToServerNetwork(route *route.Route) error {
 		if state.Routes == nil {
 			state.Routes = map[string]struct{}{}
 		}
-		state.Routes[route.Network.String()] = struct{}{}
+
+		routeStr := route.Network.String()
+		if route.IsDynamic() {
+			routeStr = route.Domains.SafeString()
+		}
+		state.Routes[routeStr] = struct{}{}
+
 		m.statusRecorder.UpdateLocalPeerState(state)

 		return nil
@@ -144,7 +151,7 @@ func (m *defaultServerRouter) cleanUp() {
 	m.mux.Lock()
 	defer m.mux.Unlock()
 	for _, r := range m.routes {
-		routerPair, err := routeToRouterPair(m.wgInterface.Address().Masked().String(), r)
+		routerPair, err := routeToRouterPair(r)
 		if err != nil {
 			log.Errorf("Failed to convert route to router pair: %v", err)
 			continue
@@ -162,15 +169,27 @@ func (m *defaultServerRouter) cleanUp() {
 	m.statusRecorder.UpdateLocalPeerState(state)
 }

-func routeToRouterPair(source string, route *route.Route) (firewall.RouterPair, error) {
-	parsed, err := netip.ParsePrefix(source)
-	if err != nil {
-		return firewall.RouterPair{}, err
+func routeToRouterPair(route *route.Route) (firewall.RouterPair, error) {
+	// TODO: add ipv6
+	source := getDefaultPrefix(route.Network)
+
+	destination := route.Network.Masked().String()
+	if route.IsDynamic() {
+		// TODO: add ipv6
+		destination = "0.0.0.0/0"
 	}
+
 	return firewall.RouterPair{
 		ID:          string(route.ID),
-		Source:      parsed.String(),
-		Destination: route.Network.Masked().String(),
+		Source:      source.String(),
+		Destination: destination,
 		Masquerade:  route.Masquerade,
 	}, nil
 }
+
+func getDefaultPrefix(prefix netip.Prefix) netip.Prefix {
+	if prefix.Addr().Is6() {
+		return netip.PrefixFrom(netip.IPv6Unspecified(), 0)
+	}
+	return netip.PrefixFrom(netip.IPv4Unspecified(), 0)
+}
--- a/client/internal/routemanager/static/route.go
+++ b/client/internal/routemanager/static/route.go
@@ -0,0 +1,57 @@
+package static
+
+import (
+	"context"
+	"fmt"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
+	"github.com/netbirdio/netbird/route"
+)
+
+type Route struct {
+	route                *route.Route
+	routeRefCounter      *refcounter.RouteRefCounter
+	allowedIPsRefcounter *refcounter.AllowedIPsRefCounter
+}
+
+func NewRoute(rt *route.Route, routeRefCounter *refcounter.RouteRefCounter, allowedIPsRefCounter *refcounter.AllowedIPsRefCounter) *Route {
+	return &Route{
+		route:                rt,
+		routeRefCounter:      routeRefCounter,
+		allowedIPsRefcounter: allowedIPsRefCounter,
+	}
+}
+
+// Route route methods
+func (r *Route) String() string {
+	return r.route.Network.String()
+}
+
+func (r *Route) AddRoute(context.Context) error {
+	_, err := r.routeRefCounter.Increment(r.route.Network, nil)
+	return err
+}
+
+func (r *Route) RemoveRoute() error {
+	_, err := r.routeRefCounter.Decrement(r.route.Network)
+	return err
+}
+
+func (r *Route) AddAllowedIPs(peerKey string) error {
+	if ref, err := r.allowedIPsRefcounter.Increment(r.route.Network, peerKey); err != nil {
+		return fmt.Errorf("add allowed IP %s: %w", r.route.Network, err)
+	} else if ref.Count > 1 && ref.Out != peerKey {
+		log.Warnf("Prefix [%s] is already routed by peer [%s]. HA routing disabled",
+			r.route.Network,
+			ref.Out,
+		)
+	}
+	return nil
+}
+
+func (r *Route) RemoveAllowedIPs() error {
+	_, err := r.allowedIPsRefcounter.Decrement(r.route.Network)
+	return err
+}
--- a/client/internal/routemanager/sysctl/sysctl_linux.go
+++ b/client/internal/routemanager/sysctl/sysctl_linux.go
@@ -0,0 +1,103 @@
+// go:build !android
+package sysctl
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/iface"
+)
+
+const (
+	rpFilterPath          = "net.ipv4.conf.all.rp_filter"
+	rpFilterInterfacePath = "net.ipv4.conf.%s.rp_filter"
+	srcValidMarkPath      = "net.ipv4.conf.all.src_valid_mark"
+)
+
+// Setup configures sysctl settings for RP filtering and source validation.
+func Setup(wgIface iface.IWGIface) (map[string]int, error) {
+	keys := map[string]int{}
+	var result *multierror.Error
+
+	oldVal, err := Set(srcValidMarkPath, 1, false)
+	if err != nil {
+		result = multierror.Append(result, err)
+	} else {
+		keys[srcValidMarkPath] = oldVal
+	}
+
+	oldVal, err = Set(rpFilterPath, 2, true)
+	if err != nil {
+		result = multierror.Append(result, err)
+	} else {
+		keys[rpFilterPath] = oldVal
+	}
+
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		result = multierror.Append(result, fmt.Errorf("list interfaces: %w", err))
+	}
+
+	for _, intf := range interfaces {
+		if intf.Name == "lo" || wgIface != nil && intf.Name == wgIface.Name() {
+			continue
+		}
+
+		i := fmt.Sprintf(rpFilterInterfacePath, intf.Name)
+		oldVal, err := Set(i, 2, true)
+		if err != nil {
+			result = multierror.Append(result, err)
+		} else {
+			keys[i] = oldVal
+		}
+	}
+
+	return keys, nberrors.FormatErrorOrNil(result)
+}
+
+// Set sets a sysctl configuration, if onlyIfOne is true it will only set the new value if it's set to 1
+func Set(key string, desiredValue int, onlyIfOne bool) (int, error) {
+	path := fmt.Sprintf("/proc/sys/%s", strings.ReplaceAll(key, ".", "/"))
+	currentValue, err := os.ReadFile(path)
+	if err != nil {
+		return -1, fmt.Errorf("read sysctl %s: %w", key, err)
+	}
+
+	currentV, err := strconv.Atoi(strings.TrimSpace(string(currentValue)))
+	if err != nil && len(currentValue) > 0 {
+		return -1, fmt.Errorf("convert current desiredValue to int: %w", err)
+	}
+
+	if currentV == desiredValue || onlyIfOne && currentV != 1 {
+		return currentV, nil
+	}
+
+	//nolint:gosec
+	if err := os.WriteFile(path, []byte(strconv.Itoa(desiredValue)), 0644); err != nil {
+		return currentV, fmt.Errorf("write sysctl %s: %w", key, err)
+	}
+	log.Debugf("Set sysctl %s from %d to %d", key, currentV, desiredValue)
+
+	return currentV, nil
+}
+
+// Cleanup resets sysctl settings to their original values.
+func Cleanup(originalSettings map[string]int) error {
+	var result *multierror.Error
+
+	for key, value := range originalSettings {
+		_, err := Set(key, value, false)
+		if err != nil {
+			result = multierror.Append(result, err)
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(result)
+}
--- a/client/internal/routemanager/systemops.go
+++ b/client/internal/routemanager/systemops.go
@@ -1,414 +0,0 @@
-//go:build !android && !ios
-
-package routemanager
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"runtime"
-	"strconv"
-
-	"github.com/hashicorp/go-multierror"
-	"github.com/libp2p/go-netroute"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/iface"
-	nbnet "github.com/netbirdio/netbird/util/net"
-)
-
-var splitDefaultv4_1 = netip.PrefixFrom(netip.IPv4Unspecified(), 1)
-var splitDefaultv4_2 = netip.PrefixFrom(netip.AddrFrom4([4]byte{128}), 1)
-var splitDefaultv6_1 = netip.PrefixFrom(netip.IPv6Unspecified(), 1)
-var splitDefaultv6_2 = netip.PrefixFrom(netip.AddrFrom16([16]byte{0x80}), 1)
-
-var ErrRouteNotFound = errors.New("route not found")
-var ErrRouteNotAllowed = errors.New("route not allowed")
-
-// TODO: fix: for default our wg address now appears as the default gw
-func addRouteForCurrentDefaultGateway(prefix netip.Prefix) error {
-	addr := netip.IPv4Unspecified()
-	if prefix.Addr().Is6() {
-		addr = netip.IPv6Unspecified()
-	}
-
-	defaultGateway, _, err := GetNextHop(addr)
-	if err != nil && !errors.Is(err, ErrRouteNotFound) {
-		return fmt.Errorf("get existing route gateway: %s", err)
-	}
-
-	if !prefix.Contains(defaultGateway) {
-		log.Debugf("Skipping adding a new route for gateway %s because it is not in the network %s", defaultGateway, prefix)
-		return nil
-	}
-
-	gatewayPrefix := netip.PrefixFrom(defaultGateway, 32)
-	if defaultGateway.Is6() {
-		gatewayPrefix = netip.PrefixFrom(defaultGateway, 128)
-	}
-
-	ok, err := existsInRouteTable(gatewayPrefix)
-	if err != nil {
-		return fmt.Errorf("unable to check if there is an existing route for gateway %s. error: %s", gatewayPrefix, err)
-	}
-
-	if ok {
-		log.Debugf("Skipping adding a new route for gateway %s because it already exists", gatewayPrefix)
-		return nil
-	}
-
-	gatewayHop, intf, err := GetNextHop(defaultGateway)
-	if err != nil && !errors.Is(err, ErrRouteNotFound) {
-		return fmt.Errorf("unable to get the next hop for the default gateway address. error: %s", err)
-	}
-
-	log.Debugf("Adding a new route for gateway %s with next hop %s", gatewayPrefix, gatewayHop)
-	return addToRouteTable(gatewayPrefix, gatewayHop, intf)
-}
-
-func GetNextHop(ip netip.Addr) (netip.Addr, *net.Interface, error) {
-	r, err := netroute.New()
-	if err != nil {
-		return netip.Addr{}, nil, fmt.Errorf("new netroute: %w", err)
-	}
-	intf, gateway, preferredSrc, err := r.Route(ip.AsSlice())
-	if err != nil {
-		log.Debugf("Failed to get route for %s: %v", ip, err)
-		return netip.Addr{}, nil, ErrRouteNotFound
-	}
-
-	log.Debugf("Route for %s: interface %v nexthop %v, preferred source %v", ip, intf, gateway, preferredSrc)
-	if gateway == nil {
-		if preferredSrc == nil {
-			return netip.Addr{}, nil, ErrRouteNotFound
-		}
-		log.Debugf("No next hop found for ip %s, using preferred source %s", ip, preferredSrc)
-
-		addr, err := ipToAddr(preferredSrc, intf)
-		if err != nil {
-			return netip.Addr{}, nil, fmt.Errorf("convert preferred source to address: %w", err)
-		}
-		return addr.Unmap(), intf, nil
-	}
-
-	addr, err := ipToAddr(gateway, intf)
-	if err != nil {
-		return netip.Addr{}, nil, fmt.Errorf("convert gateway to address: %w", err)
-	}
-
-	return addr, intf, nil
-}
-
-// converts a net.IP to a netip.Addr including the zone based on the passed interface
-func ipToAddr(ip net.IP, intf *net.Interface) (netip.Addr, error) {
-	addr, ok := netip.AddrFromSlice(ip)
-	if !ok {
-		return netip.Addr{}, fmt.Errorf("failed to convert IP address to netip.Addr: %s", ip)
-	}
-
-	if intf != nil && (addr.IsLinkLocalMulticast() || addr.IsLinkLocalUnicast()) {
-		log.Tracef("Adding zone %s to address %s", intf.Name, addr)
-		if runtime.GOOS == "windows" {
-			addr = addr.WithZone(strconv.Itoa(intf.Index))
-		} else {
-			addr = addr.WithZone(intf.Name)
-		}
-	}
-
-	return addr.Unmap(), nil
-}
-
-func existsInRouteTable(prefix netip.Prefix) (bool, error) {
-	routes, err := getRoutesFromTable()
-	if err != nil {
-		return false, fmt.Errorf("get routes from table: %w", err)
-	}
-	for _, tableRoute := range routes {
-		if tableRoute == prefix {
-			return true, nil
-		}
-	}
-	return false, nil
-}
-
-func isSubRange(prefix netip.Prefix) (bool, error) {
-	routes, err := getRoutesFromTable()
-	if err != nil {
-		return false, fmt.Errorf("get routes from table: %w", err)
-	}
-	for _, tableRoute := range routes {
-		if tableRoute.Bits() > minRangeBits && tableRoute.Contains(prefix.Addr()) && tableRoute.Bits() < prefix.Bits() {
-			return true, nil
-		}
-	}
-	return false, nil
-}
-
-// addRouteToNonVPNIntf adds a new route to the routing table for the given prefix and returns the next hop and interface.
-// If the next hop or interface is pointing to the VPN interface, it will return the initial values.
-func addRouteToNonVPNIntf(prefix netip.Prefix, vpnIntf *iface.WGIface, initialNextHop netip.Addr, initialIntf *net.Interface) (netip.Addr, *net.Interface, error) {
-	addr := prefix.Addr()
-	switch {
-	case addr.IsLoopback(),
-		addr.IsLinkLocalUnicast(),
-		addr.IsLinkLocalMulticast(),
-		addr.IsInterfaceLocalMulticast(),
-		addr.IsUnspecified(),
-		addr.IsMulticast():
-
-		return netip.Addr{}, nil, ErrRouteNotAllowed
-	}
-
-	// Determine the exit interface and next hop for the prefix, so we can add a specific route
-	nexthop, intf, err := GetNextHop(addr)
-	if err != nil {
-		return netip.Addr{}, nil, fmt.Errorf("get next hop: %w", err)
-	}
-
-	log.Debugf("Found next hop %s for prefix %s with interface %v", nexthop, prefix, intf)
-	exitNextHop := nexthop
-	exitIntf := intf
-
-	vpnAddr, ok := netip.AddrFromSlice(vpnIntf.Address().IP)
-	if !ok {
-		return netip.Addr{}, nil, fmt.Errorf("failed to convert vpn address to netip.Addr")
-	}
-
-	// if next hop is the VPN address or the interface is the VPN interface, we should use the initial values
-	if exitNextHop == vpnAddr || exitIntf != nil && exitIntf.Name == vpnIntf.Name() {
-		log.Debugf("Route for prefix %s is pointing to the VPN interface", prefix)
-		exitNextHop = initialNextHop
-		exitIntf = initialIntf
-	}
-
-	log.Debugf("Adding a new route for prefix %s with next hop %s", prefix, exitNextHop)
-	if err := addToRouteTable(prefix, exitNextHop, exitIntf); err != nil {
-		return netip.Addr{}, nil, fmt.Errorf("add route to table: %w", err)
-	}
-
-	return exitNextHop, exitIntf, nil
-}
-
-// genericAddVPNRoute adds a new route to the vpn interface, it splits the default prefix
-// in two /1 prefixes to avoid replacing the existing default route
-func genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
-	if prefix == defaultv4 {
-		if err := addToRouteTable(splitDefaultv4_1, netip.Addr{}, intf); err != nil {
-			return err
-		}
-		if err := addToRouteTable(splitDefaultv4_2, netip.Addr{}, intf); err != nil {
-			if err2 := removeFromRouteTable(splitDefaultv4_1, netip.Addr{}, intf); err2 != nil {
-				log.Warnf("Failed to rollback route addition: %s", err2)
-			}
-			return err
-		}
-
-		// TODO: remove once IPv6 is supported on the interface
-		if err := addToRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err != nil {
-			return fmt.Errorf("add unreachable route split 1: %w", err)
-		}
-		if err := addToRouteTable(splitDefaultv6_2, netip.Addr{}, intf); err != nil {
-			if err2 := removeFromRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err2 != nil {
-				log.Warnf("Failed to rollback route addition: %s", err2)
-			}
-			return fmt.Errorf("add unreachable route split 2: %w", err)
-		}
-
-		return nil
-	} else if prefix == defaultv6 {
-		if err := addToRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err != nil {
-			return fmt.Errorf("add unreachable route split 1: %w", err)
-		}
-		if err := addToRouteTable(splitDefaultv6_2, netip.Addr{}, intf); err != nil {
-			if err2 := removeFromRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err2 != nil {
-				log.Warnf("Failed to rollback route addition: %s", err2)
-			}
-			return fmt.Errorf("add unreachable route split 2: %w", err)
-		}
-
-		return nil
-	}
-
-	return addNonExistingRoute(prefix, intf)
-}
-
-// addNonExistingRoute adds a new route to the vpn interface if it doesn't exist in the current routing table
-func addNonExistingRoute(prefix netip.Prefix, intf *net.Interface) error {
-	ok, err := existsInRouteTable(prefix)
-	if err != nil {
-		return fmt.Errorf("exists in route table: %w", err)
-	}
-	if ok {
-		log.Warnf("Skipping adding a new route for network %s because it already exists", prefix)
-		return nil
-	}
-
-	ok, err = isSubRange(prefix)
-	if err != nil {
-		return fmt.Errorf("sub range: %w", err)
-	}
-
-	if ok {
-		err := addRouteForCurrentDefaultGateway(prefix)
-		if err != nil {
-			log.Warnf("Unable to add route for current default gateway route. Will proceed without it. error: %s", err)
-		}
-	}
-
-	return addToRouteTable(prefix, netip.Addr{}, intf)
-}
-
-// genericRemoveVPNRoute removes the route from the vpn interface. If a default prefix is given,
-// it will remove the split /1 prefixes
-func genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
-	if prefix == defaultv4 {
-		var result *multierror.Error
-		if err := removeFromRouteTable(splitDefaultv4_1, netip.Addr{}, intf); err != nil {
-			result = multierror.Append(result, err)
-		}
-		if err := removeFromRouteTable(splitDefaultv4_2, netip.Addr{}, intf); err != nil {
-			result = multierror.Append(result, err)
-		}
-
-		// TODO: remove once IPv6 is supported on the interface
-		if err := removeFromRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err != nil {
-			result = multierror.Append(result, err)
-		}
-		if err := removeFromRouteTable(splitDefaultv6_2, netip.Addr{}, intf); err != nil {
-			result = multierror.Append(result, err)
-		}
-
-		return result.ErrorOrNil()
-	} else if prefix == defaultv6 {
-		var result *multierror.Error
-		if err := removeFromRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err != nil {
-			result = multierror.Append(result, err)
-		}
-		if err := removeFromRouteTable(splitDefaultv6_2, netip.Addr{}, intf); err != nil {
-			result = multierror.Append(result, err)
-		}
-
-		return result.ErrorOrNil()
-	}
-
-	return removeFromRouteTable(prefix, netip.Addr{}, intf)
-}
-
-func getPrefixFromIP(ip net.IP) (*netip.Prefix, error) {
-	addr, ok := netip.AddrFromSlice(ip)
-	if !ok {
-		return nil, fmt.Errorf("parse IP address: %s", ip)
-	}
-	addr = addr.Unmap()
-
-	var prefixLength int
-	switch {
-	case addr.Is4():
-		prefixLength = 32
-	case addr.Is6():
-		prefixLength = 128
-	default:
-		return nil, fmt.Errorf("invalid IP address: %s", addr)
-	}
-
-	prefix := netip.PrefixFrom(addr, prefixLength)
-	return &prefix, nil
-}
-
-func setupRoutingWithRouteManager(routeManager **RouteManager, initAddresses []net.IP, wgIface *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
-	initialNextHopV4, initialIntfV4, err := GetNextHop(netip.IPv4Unspecified())
-	if err != nil && !errors.Is(err, ErrRouteNotFound) {
-		log.Errorf("Unable to get initial v4 default next hop: %v", err)
-	}
-	initialNextHopV6, initialIntfV6, err := GetNextHop(netip.IPv6Unspecified())
-	if err != nil && !errors.Is(err, ErrRouteNotFound) {
-		log.Errorf("Unable to get initial v6 default next hop: %v", err)
-	}
-
-	*routeManager = NewRouteManager(
-		func(prefix netip.Prefix) (netip.Addr, *net.Interface, error) {
-			addr := prefix.Addr()
-			nexthop, intf := initialNextHopV4, initialIntfV4
-			if addr.Is6() {
-				nexthop, intf = initialNextHopV6, initialIntfV6
-			}
-			return addRouteToNonVPNIntf(prefix, wgIface, nexthop, intf)
-		},
-		removeFromRouteTable,
-	)
-
-	return setupHooks(*routeManager, initAddresses)
-}
-
-func cleanupRoutingWithRouteManager(routeManager *RouteManager) error {
-	if routeManager == nil {
-		return nil
-	}
-
-	// TODO: Remove hooks selectively
-	nbnet.RemoveDialerHooks()
-	nbnet.RemoveListenerHooks()
-
-	if err := routeManager.Flush(); err != nil {
-		return fmt.Errorf("flush route manager: %w", err)
-	}
-
-	return nil
-}
-
-func setupHooks(routeManager *RouteManager, initAddresses []net.IP) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
-	beforeHook := func(connID nbnet.ConnectionID, ip net.IP) error {
-		prefix, err := getPrefixFromIP(ip)
-		if err != nil {
-			return fmt.Errorf("convert ip to prefix: %w", err)
-		}
-
-		if err := routeManager.AddRouteRef(connID, *prefix); err != nil {
-			return fmt.Errorf("adding route reference: %v", err)
-		}
-
-		return nil
-	}
-	afterHook := func(connID nbnet.ConnectionID) error {
-		if err := routeManager.RemoveRouteRef(connID); err != nil {
-			return fmt.Errorf("remove route reference: %w", err)
-		}
-
-		return nil
-	}
-
-	for _, ip := range initAddresses {
-		if err := beforeHook("init", ip); err != nil {
-			log.Errorf("Failed to add route reference: %v", err)
-		}
-	}
-
-	nbnet.AddDialerHook(func(ctx context.Context, connID nbnet.ConnectionID, resolvedIPs []net.IPAddr) error {
-		if ctx.Err() != nil {
-			return ctx.Err()
-		}
-
-		var result *multierror.Error
-		for _, ip := range resolvedIPs {
-			result = multierror.Append(result, beforeHook(connID, ip.IP))
-		}
-		return result.ErrorOrNil()
-	})
-
-	nbnet.AddDialerCloseHook(func(connID nbnet.ConnectionID, conn *net.Conn) error {
-		return afterHook(connID)
-	})
-
-	nbnet.AddListenerWriteHook(func(connID nbnet.ConnectionID, ip *net.IPAddr, data []byte) error {
-		return beforeHook(connID, ip.IP)
-	})
-
-	nbnet.AddListenerCloseHook(func(connID nbnet.ConnectionID, conn net.PacketConn) error {
-		return afterHook(connID)
-	})
-
-	return beforeHook, afterHook, nil
-}
--- a/client/internal/routemanager/systemops/routeflags_bsd.go
+++ b/client/internal/routemanager/systemops/routeflags_bsd.go
@@ -0,0 +1,18 @@
+//go:build darwin || dragonfly || netbsd || openbsd
+
+package systemops
+
+import "syscall"
+
+// filterRoutesByFlags - return true if need to ignore such route message because it consists specific flags.
+func filterRoutesByFlags(routeMessageFlags int) bool {
+	if routeMessageFlags&syscall.RTF_UP == 0 {
+		return true
+	}
+
+	if routeMessageFlags&(syscall.RTF_REJECT|syscall.RTF_BLACKHOLE|syscall.RTF_WASCLONED) != 0 {
+		return true
+	}
+
+	return false
+}
--- a/client/internal/routemanager/systemops/routeflags_freebsd.go
+++ b/client/internal/routemanager/systemops/routeflags_freebsd.go
@@ -0,0 +1,19 @@
+//go:build: freebsd
+package systemops
+
+import "syscall"
+
+// filterRoutesByFlags - return true if need to ignore such route message because it consists specific flags.
+func filterRoutesByFlags(routeMessageFlags int) bool {
+	if routeMessageFlags&syscall.RTF_UP == 0 {
+		return true
+	}
+
+	// NOTE: syscall.RTF_WASCLONED deprecated in FreeBSD 8.0 (https://www.freebsd.org/releases/8.0R/relnotes-detailed/)
+	//  a concept of cloned route (a route generated by an entry with RTF_CLONING flag) is deprecated.
+	if routeMessageFlags&(syscall.RTF_REJECT|syscall.RTF_BLACKHOLE) != 0 {
+		return true
+	}
+
+	return false
+}
--- a/client/internal/routemanager/systemops/systemops.go
+++ b/client/internal/routemanager/systemops/systemops.go
@@ -0,0 +1,27 @@
+package systemops
+
+import (
+	"net"
+	"net/netip"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
+	"github.com/netbirdio/netbird/iface"
+)
+
+type Nexthop struct {
+	IP   netip.Addr
+	Intf *net.Interface
+}
+
+type ExclusionCounter = refcounter.Counter[any, Nexthop]
+
+type SysOps struct {
+	refCounter  *ExclusionCounter
+	wgInterface iface.IWGIface
+}
+
+func NewSysOps(wgInterface iface.IWGIface) *SysOps {
+	return &SysOps{
+		wgInterface: wgInterface,
+	}
+}
--- a/client/internal/routemanager/systemops/systemops_bsd.go
+++ b/client/internal/routemanager/systemops/systemops_bsd.go
@@ -1,6 +1,6 @@
 //go:build darwin || dragonfly || freebsd || netbsd || openbsd

-package routemanager
+package systemops

 import (
 	"errors"
@@ -43,8 +43,7 @@ func getRoutesFromTable() ([]netip.Prefix, error) {
 			return nil, fmt.Errorf("unexpected RIB message type: %d", m.Type)
 		}

-		if m.Flags&syscall.RTF_UP == 0 ||
-			m.Flags&(syscall.RTF_REJECT|syscall.RTF_BLACKHOLE|syscall.RTF_WASCLONED) != 0 {
+		if filterRoutesByFlags(m.Flags) {
 			continue
 		}

@@ -93,7 +92,7 @@ func toNetIP(a route.Addr) netip.Addr {
 	case *route.Inet6Addr:
 		ip := netip.AddrFrom16(t.IP)
 		if t.ZoneID != 0 {
-			ip.WithZone(strconv.Itoa(t.ZoneID))
+			ip = ip.WithZone(strconv.Itoa(t.ZoneID))
 		}
 		return ip
 	default:
@@ -101,6 +100,7 @@ func toNetIP(a route.Addr) netip.Addr {
 	}
 }

+// ones returns the number of leading ones in the mask.
 func ones(a route.Addr) (int, error) {
 	switch t := a.(type) {
 	case *route.Inet4Addr:
@@ -114,6 +114,7 @@ func ones(a route.Addr) (int, error) {
 	}
 }

+// MsgToRoute converts a route message to a Route.
 func MsgToRoute(msg *route.RouteMessage) (*Route, error) {
 	dstIP, nexthop, dstMask := msg.Addrs[0], msg.Addrs[1], msg.Addrs[2]

--- a/client/internal/routemanager/systemops/systemops_bsd_test.go
+++ b/client/internal/routemanager/systemops/systemops_bsd_test.go
@@ -1,6 +1,6 @@
-//go:build !ios
+//go:build darwin || dragonfly || freebsd || netbsd || openbsd

-package routemanager
+package systemops

 import (
 	"fmt"
@@ -13,6 +13,7 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/net/route"
 )

 var expectedVPNint = "utun100"
@@ -35,13 +36,15 @@ func TestConcurrentRoutes(t *testing.T) {
 	baseIP := netip.MustParseAddr("192.0.2.0")
 	intf := &net.Interface{Name: "lo0"}

+	r := NewSysOps(nil)
+
 	var wg sync.WaitGroup
 	for i := 0; i < 1024; i++ {
 		wg.Add(1)
 		go func(ip netip.Addr) {
 			defer wg.Done()
 			prefix := netip.PrefixFrom(ip, 32)
-			if err := addToRouteTable(prefix, netip.Addr{}, intf); err != nil {
+			if err := r.addToRouteTable(prefix, Nexthop{netip.Addr{}, intf}); err != nil {
 				t.Errorf("Failed to add route for %s: %v", prefix, err)
 			}
 		}(baseIP)
@@ -57,7 +60,7 @@ func TestConcurrentRoutes(t *testing.T) {
 		go func(ip netip.Addr) {
 			defer wg.Done()
 			prefix := netip.PrefixFrom(ip, 32)
-			if err := removeFromRouteTable(prefix, netip.Addr{}, intf); err != nil {
+			if err := r.removeFromRouteTable(prefix, Nexthop{netip.Addr{}, intf}); err != nil {
 				t.Errorf("Failed to remove route for %s: %v", prefix, err)
 			}
 		}(baseIP)
@@ -67,6 +70,53 @@ func TestConcurrentRoutes(t *testing.T) {
 	wg.Wait()
 }

+func TestBits(t *testing.T) {
+	tests := []struct {
+		name    string
+		addr    route.Addr
+		want    int
+		wantErr bool
+	}{
+		{
+			name: "IPv4 all ones",
+			addr: &route.Inet4Addr{IP: [4]byte{255, 255, 255, 255}},
+			want: 32,
+		},
+		{
+			name: "IPv4 normal mask",
+			addr: &route.Inet4Addr{IP: [4]byte{255, 255, 255, 0}},
+			want: 24,
+		},
+		{
+			name: "IPv6 all ones",
+			addr: &route.Inet6Addr{IP: [16]byte{255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255}},
+			want: 128,
+		},
+		{
+			name: "IPv6 normal mask",
+			addr: &route.Inet6Addr{IP: [16]byte{255, 255, 255, 255, 255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0}},
+			want: 64,
+		},
+		{
+			name:    "Unsupported type",
+			addr:    &route.LinkAddr{},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ones(tt.addr)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.want, got)
+			}
+		})
+	}
+}
+
 func createAndSetupDummyInterface(t *testing.T, intf string, ipAddressCIDR string) string {
 	t.Helper()

--- a/client/internal/routemanager/systemops/systemops_generic.go
+++ b/client/internal/routemanager/systemops/systemops_generic.go
@@ -0,0 +1,473 @@
+//go:build !android && !ios
+
+package systemops
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"runtime"
+	"strconv"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/libp2p/go-netroute"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
+	"github.com/netbirdio/netbird/client/internal/routemanager/util"
+	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
+	"github.com/netbirdio/netbird/iface"
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+var splitDefaultv4_1 = netip.PrefixFrom(netip.IPv4Unspecified(), 1)
+var splitDefaultv4_2 = netip.PrefixFrom(netip.AddrFrom4([4]byte{128}), 1)
+var splitDefaultv6_1 = netip.PrefixFrom(netip.IPv6Unspecified(), 1)
+var splitDefaultv6_2 = netip.PrefixFrom(netip.AddrFrom16([16]byte{0x80}), 1)
+
+var ErrRoutingIsSeparate = errors.New("routing is separate")
+
+func (r *SysOps) setupRefCounter(initAddresses []net.IP) (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error) {
+	initialNextHopV4, err := GetNextHop(netip.IPv4Unspecified())
+	if err != nil && !errors.Is(err, vars.ErrRouteNotFound) {
+		log.Errorf("Unable to get initial v4 default next hop: %v", err)
+	}
+	initialNextHopV6, err := GetNextHop(netip.IPv6Unspecified())
+	if err != nil && !errors.Is(err, vars.ErrRouteNotFound) {
+		log.Errorf("Unable to get initial v6 default next hop: %v", err)
+	}
+
+	refCounter := refcounter.New(
+		func(prefix netip.Prefix, _ any) (Nexthop, error) {
+			initialNexthop := initialNextHopV4
+			if prefix.Addr().Is6() {
+				initialNexthop = initialNextHopV6
+			}
+
+			nexthop, err := r.addRouteToNonVPNIntf(prefix, r.wgInterface, initialNexthop)
+			if errors.Is(err, vars.ErrRouteNotAllowed) || errors.Is(err, vars.ErrRouteNotFound) {
+				log.Tracef("Adding for prefix %s: %v", prefix, err)
+				// These errors are not critical but also we should not track and try to remove the routes either.
+				return nexthop, refcounter.ErrIgnore
+			}
+			return nexthop, err
+		},
+		r.removeFromRouteTable,
+	)
+
+	r.refCounter = refCounter
+
+	return r.setupHooks(initAddresses)
+}
+
+func (r *SysOps) cleanupRefCounter() error {
+	if r.refCounter == nil {
+		return nil
+	}
+
+	// TODO: Remove hooks selectively
+	nbnet.RemoveDialerHooks()
+	nbnet.RemoveListenerHooks()
+
+	if err := r.refCounter.Flush(); err != nil {
+		return fmt.Errorf("flush route manager: %w", err)
+	}
+
+	return nil
+}
+
+// TODO: fix: for default our wg address now appears as the default gw
+func (r *SysOps) addRouteForCurrentDefaultGateway(prefix netip.Prefix) error {
+	addr := netip.IPv4Unspecified()
+	if prefix.Addr().Is6() {
+		addr = netip.IPv6Unspecified()
+	}
+
+	nexthop, err := GetNextHop(addr)
+	if err != nil && !errors.Is(err, vars.ErrRouteNotFound) {
+		return fmt.Errorf("get existing route gateway: %s", err)
+	}
+
+	if !prefix.Contains(nexthop.IP) {
+		log.Debugf("Skipping adding a new route for gateway %s because it is not in the network %s", nexthop.IP, prefix)
+		return nil
+	}
+
+	gatewayPrefix := netip.PrefixFrom(nexthop.IP, 32)
+	if nexthop.IP.Is6() {
+		gatewayPrefix = netip.PrefixFrom(nexthop.IP, 128)
+	}
+
+	ok, err := existsInRouteTable(gatewayPrefix)
+	if err != nil {
+		return fmt.Errorf("unable to check if there is an existing route for gateway %s. error: %s", gatewayPrefix, err)
+	}
+
+	if ok {
+		log.Debugf("Skipping adding a new route for gateway %s because it already exists", gatewayPrefix)
+		return nil
+	}
+
+	nexthop, err = GetNextHop(nexthop.IP)
+	if err != nil && !errors.Is(err, vars.ErrRouteNotFound) {
+		return fmt.Errorf("unable to get the next hop for the default gateway address. error: %s", err)
+	}
+
+	log.Debugf("Adding a new route for gateway %s with next hop %s", gatewayPrefix, nexthop.IP)
+	return r.addToRouteTable(gatewayPrefix, nexthop)
+}
+
+// addRouteToNonVPNIntf adds a new route to the routing table for the given prefix and returns the next hop and interface.
+// If the next hop or interface is pointing to the VPN interface, it will return the initial values.
+func (r *SysOps) addRouteToNonVPNIntf(prefix netip.Prefix, vpnIntf iface.IWGIface, initialNextHop Nexthop) (Nexthop, error) {
+	addr := prefix.Addr()
+	switch {
+	case addr.IsLoopback(),
+		addr.IsLinkLocalUnicast(),
+		addr.IsLinkLocalMulticast(),
+		addr.IsInterfaceLocalMulticast(),
+		addr.IsUnspecified(),
+		addr.IsMulticast():
+
+		return Nexthop{}, vars.ErrRouteNotAllowed
+	}
+
+	// Determine the exit interface and next hop for the prefix, so we can add a specific route
+	nexthop, err := GetNextHop(addr)
+	if err != nil {
+		return Nexthop{}, fmt.Errorf("get next hop: %w", err)
+	}
+
+	log.Debugf("Found next hop %s for prefix %s with interface %v", nexthop.IP, prefix, nexthop.IP)
+	exitNextHop := Nexthop{
+		IP:   nexthop.IP,
+		Intf: nexthop.Intf,
+	}
+
+	vpnAddr, ok := netip.AddrFromSlice(vpnIntf.Address().IP)
+	if !ok {
+		return Nexthop{}, fmt.Errorf("failed to convert vpn address to netip.Addr")
+	}
+
+	// if next hop is the VPN address or the interface is the VPN interface, we should use the initial values
+	if exitNextHop.IP == vpnAddr || exitNextHop.Intf != nil && exitNextHop.Intf.Name == vpnIntf.Name() {
+		log.Debugf("Route for prefix %s is pointing to the VPN interface, using initial next hop %v", prefix, initialNextHop)
+
+		exitNextHop = initialNextHop
+	}
+
+	log.Debugf("Adding a new route for prefix %s with next hop %s", prefix, exitNextHop.IP)
+	if err := r.addToRouteTable(prefix, exitNextHop); err != nil {
+		return Nexthop{}, fmt.Errorf("add route to table: %w", err)
+	}
+
+	return exitNextHop, nil
+}
+
+// genericAddVPNRoute adds a new route to the vpn interface, it splits the default prefix
+// in two /1 prefixes to avoid replacing the existing default route
+func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
+	nextHop := Nexthop{netip.Addr{}, intf}
+
+	if prefix == vars.Defaultv4 {
+		if err := r.addToRouteTable(splitDefaultv4_1, nextHop); err != nil {
+			return err
+		}
+		if err := r.addToRouteTable(splitDefaultv4_2, nextHop); err != nil {
+			if err2 := r.removeFromRouteTable(splitDefaultv4_1, nextHop); err2 != nil {
+				log.Warnf("Failed to rollback route addition: %s", err2)
+			}
+			return err
+		}
+
+		// TODO: remove once IPv6 is supported on the interface
+		if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
+			return fmt.Errorf("add unreachable route split 1: %w", err)
+		}
+		if err := r.addToRouteTable(splitDefaultv6_2, nextHop); err != nil {
+			if err2 := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err2 != nil {
+				log.Warnf("Failed to rollback route addition: %s", err2)
+			}
+			return fmt.Errorf("add unreachable route split 2: %w", err)
+		}
+
+		return nil
+	} else if prefix == vars.Defaultv6 {
+		if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
+			return fmt.Errorf("add unreachable route split 1: %w", err)
+		}
+		if err := r.addToRouteTable(splitDefaultv6_2, nextHop); err != nil {
+			if err2 := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err2 != nil {
+				log.Warnf("Failed to rollback route addition: %s", err2)
+			}
+			return fmt.Errorf("add unreachable route split 2: %w", err)
+		}
+
+		return nil
+	}
+
+	return r.addNonExistingRoute(prefix, intf)
+}
+
+// addNonExistingRoute adds a new route to the vpn interface if it doesn't exist in the current routing table
+func (r *SysOps) addNonExistingRoute(prefix netip.Prefix, intf *net.Interface) error {
+	ok, err := existsInRouteTable(prefix)
+	if err != nil {
+		return fmt.Errorf("exists in route table: %w", err)
+	}
+	if ok {
+		log.Warnf("Skipping adding a new route for network %s because it already exists", prefix)
+		return nil
+	}
+
+	ok, err = isSubRange(prefix)
+	if err != nil {
+		return fmt.Errorf("sub range: %w", err)
+	}
+
+	if ok {
+		if err := r.addRouteForCurrentDefaultGateway(prefix); err != nil {
+			log.Warnf("Unable to add route for current default gateway route. Will proceed without it. error: %s", err)
+		}
+	}
+
+	return r.addToRouteTable(prefix, Nexthop{netip.Addr{}, intf})
+}
+
+// genericRemoveVPNRoute removes the route from the vpn interface. If a default prefix is given,
+// it will remove the split /1 prefixes
+func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
+	nextHop := Nexthop{netip.Addr{}, intf}
+
+	if prefix == vars.Defaultv4 {
+		var result *multierror.Error
+		if err := r.removeFromRouteTable(splitDefaultv4_1, nextHop); err != nil {
+			result = multierror.Append(result, err)
+		}
+		if err := r.removeFromRouteTable(splitDefaultv4_2, nextHop); err != nil {
+			result = multierror.Append(result, err)
+		}
+
+		// TODO: remove once IPv6 is supported on the interface
+		if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
+			result = multierror.Append(result, err)
+		}
+		if err := r.removeFromRouteTable(splitDefaultv6_2, nextHop); err != nil {
+			result = multierror.Append(result, err)
+		}
+
+		return nberrors.FormatErrorOrNil(result)
+	} else if prefix == vars.Defaultv6 {
+		var result *multierror.Error
+		if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
+			result = multierror.Append(result, err)
+		}
+		if err := r.removeFromRouteTable(splitDefaultv6_2, nextHop); err != nil {
+			result = multierror.Append(result, err)
+		}
+
+		return nberrors.FormatErrorOrNil(result)
+	}
+
+	return r.removeFromRouteTable(prefix, nextHop)
+}
+
+func (r *SysOps) setupHooks(initAddresses []net.IP) (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error) {
+	beforeHook := func(connID nbnet.ConnectionID, ip net.IP) error {
+		prefix, err := util.GetPrefixFromIP(ip)
+		if err != nil {
+			return fmt.Errorf("convert ip to prefix: %w", err)
+		}
+
+		if _, err := r.refCounter.IncrementWithID(string(connID), prefix, nil); err != nil {
+			return fmt.Errorf("adding route reference: %v", err)
+		}
+
+		return nil
+	}
+	afterHook := func(connID nbnet.ConnectionID) error {
+		if err := r.refCounter.DecrementWithID(string(connID)); err != nil {
+			return fmt.Errorf("remove route reference: %w", err)
+		}
+
+		return nil
+	}
+
+	for _, ip := range initAddresses {
+		if err := beforeHook("init", ip); err != nil {
+			log.Errorf("Failed to add route reference: %v", err)
+		}
+	}
+
+	nbnet.AddDialerHook(func(ctx context.Context, connID nbnet.ConnectionID, resolvedIPs []net.IPAddr) error {
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+
+		var result *multierror.Error
+		for _, ip := range resolvedIPs {
+			result = multierror.Append(result, beforeHook(connID, ip.IP))
+		}
+		return nberrors.FormatErrorOrNil(result)
+	})
+
+	nbnet.AddDialerCloseHook(func(connID nbnet.ConnectionID, conn *net.Conn) error {
+		return afterHook(connID)
+	})
+
+	nbnet.AddListenerWriteHook(func(connID nbnet.ConnectionID, ip *net.IPAddr, data []byte) error {
+		return beforeHook(connID, ip.IP)
+	})
+
+	nbnet.AddListenerCloseHook(func(connID nbnet.ConnectionID, conn net.PacketConn) error {
+		return afterHook(connID)
+	})
+
+	return beforeHook, afterHook, nil
+}
+
+func GetNextHop(ip netip.Addr) (Nexthop, error) {
+	r, err := netroute.New()
+	if err != nil {
+		return Nexthop{}, fmt.Errorf("new netroute: %w", err)
+	}
+	intf, gateway, preferredSrc, err := r.Route(ip.AsSlice())
+	if err != nil {
+		log.Debugf("Failed to get route for %s: %v", ip, err)
+		return Nexthop{}, vars.ErrRouteNotFound
+	}
+
+	log.Debugf("Route for %s: interface %v nexthop %v, preferred source %v", ip, intf, gateway, preferredSrc)
+	if gateway == nil {
+		if runtime.GOOS == "freebsd" {
+			return Nexthop{Intf: intf}, nil
+		}
+
+		if preferredSrc == nil {
+			return Nexthop{}, vars.ErrRouteNotFound
+		}
+		log.Debugf("No next hop found for IP %s, using preferred source %s", ip, preferredSrc)
+
+		addr, err := ipToAddr(preferredSrc, intf)
+		if err != nil {
+			return Nexthop{}, fmt.Errorf("convert preferred source to address: %w", err)
+		}
+		return Nexthop{
+			IP:   addr,
+			Intf: intf,
+		}, nil
+	}
+
+	addr, err := ipToAddr(gateway, intf)
+	if err != nil {
+		return Nexthop{}, fmt.Errorf("convert gateway to address: %w", err)
+	}
+
+	return Nexthop{
+		IP:   addr,
+		Intf: intf,
+	}, nil
+}
+
+// converts a net.IP to a netip.Addr including the zone based on the passed interface
+func ipToAddr(ip net.IP, intf *net.Interface) (netip.Addr, error) {
+	addr, ok := netip.AddrFromSlice(ip)
+	if !ok {
+		return netip.Addr{}, fmt.Errorf("failed to convert IP address to netip.Addr: %s", ip)
+	}
+
+	if intf != nil && (addr.IsLinkLocalMulticast() || addr.IsLinkLocalUnicast()) {
+		zone := intf.Name
+		if runtime.GOOS == "windows" {
+			zone = strconv.Itoa(intf.Index)
+		}
+		log.Tracef("Adding zone %s to address %s", zone, addr)
+		addr = addr.WithZone(zone)
+	}
+
+	return addr.Unmap(), nil
+}
+
+func existsInRouteTable(prefix netip.Prefix) (bool, error) {
+	routes, err := getRoutesFromTable()
+	if err != nil {
+		return false, fmt.Errorf("get routes from table: %w", err)
+	}
+	for _, tableRoute := range routes {
+		if tableRoute == prefix {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func isSubRange(prefix netip.Prefix) (bool, error) {
+	routes, err := getRoutesFromTable()
+	if err != nil {
+		return false, fmt.Errorf("get routes from table: %w", err)
+	}
+	for _, tableRoute := range routes {
+		if tableRoute.Bits() > vars.MinRangeBits && tableRoute.Contains(prefix.Addr()) && tableRoute.Bits() < prefix.Bits() {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+// IsAddrRouted checks if the candidate address would route to the vpn, in which case it returns true and the matched prefix.
+func IsAddrRouted(addr netip.Addr, vpnRoutes []netip.Prefix) (bool, netip.Prefix) {
+	localRoutes, err := hasSeparateRouting()
+	if err != nil {
+		if !errors.Is(err, ErrRoutingIsSeparate) {
+			log.Errorf("Failed to get routes: %v", err)
+		}
+		return false, netip.Prefix{}
+	}
+
+	return isVpnRoute(addr, vpnRoutes, localRoutes)
+}
+
+func isVpnRoute(addr netip.Addr, vpnRoutes []netip.Prefix, localRoutes []netip.Prefix) (bool, netip.Prefix) {
+	vpnPrefixMap := map[netip.Prefix]struct{}{}
+	for _, prefix := range vpnRoutes {
+		vpnPrefixMap[prefix] = struct{}{}
+	}
+
+	// remove vpnRoute duplicates
+	for _, prefix := range localRoutes {
+		delete(vpnPrefixMap, prefix)
+	}
+
+	var longestPrefix netip.Prefix
+	var isVpn bool
+
+	combinedRoutes := make([]netip.Prefix, len(vpnRoutes)+len(localRoutes))
+	copy(combinedRoutes, vpnRoutes)
+	copy(combinedRoutes[len(vpnRoutes):], localRoutes)
+
+	for _, prefix := range combinedRoutes {
+		// Ignore the default route, it has special handling
+		if prefix.Bits() == 0 {
+			continue
+		}
+
+		if prefix.Contains(addr) {
+			// Longest prefix match
+			if !longestPrefix.IsValid() || prefix.Bits() > longestPrefix.Bits() {
+				longestPrefix = prefix
+				_, isVpn = vpnPrefixMap[prefix]
+			}
+		}
+	}
+
+	if !longestPrefix.IsValid() {
+		// No route matched
+		return false, netip.Prefix{}
+	}
+
+	// Return true if the longest matching prefix is from vpnRoutes
+	return isVpn, longestPrefix
+}
--- a/client/internal/routemanager/systemops/systemops_generic_test.go
+++ b/client/internal/routemanager/systemops/systemops_generic_test.go
@@ -1,6 +1,6 @@
 //go:build !android && !ios

-package routemanager
+package systemops

 import (
 	"bytes"
@@ -49,6 +49,10 @@ func TestAddRemoveRoutes(t *testing.T) {
 	}

 	for n, testCase := range testCases {
+		// todo resolve test execution on freebsd
+		if runtime.GOOS == "freebsd" {
+			t.Skip("skipping ", testCase.name, " on freebsd")
+		}
 		t.Run(testCase.name, func(t *testing.T) {
 			t.Setenv("NB_DISABLE_ROUTE_CACHE", "true")

@@ -57,23 +61,26 @@ func TestAddRemoveRoutes(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun53%d", n), "100.65.75.2/24", 33100, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil)
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun53%d", n), "100.65.75.2/24", 33100, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil, nil)
 			require.NoError(t, err, "should create testing WGIface interface")
 			defer wgInterface.Close()

 			err = wgInterface.Create()
 			require.NoError(t, err, "should create testing wireguard interface")
-			_, _, err = setupRouting(nil, wgInterface)
+
+			r := NewSysOps(wgInterface)
+
+			_, _, err = r.SetupRouting(nil)
 			require.NoError(t, err)
 			t.Cleanup(func() {
-				assert.NoError(t, cleanupRouting())
+				assert.NoError(t, r.CleanupRouting())
 			})

 			index, err := net.InterfaceByName(wgInterface.Name())
 			require.NoError(t, err, "InterfaceByName should not return err")
 			intf := &net.Interface{Index: index.Index, Name: wgInterface.Name()}

-			err = addVPNRoute(testCase.prefix, intf)
+			err = r.AddVPNRoute(testCase.prefix, intf)
 			require.NoError(t, err, "genericAddVPNRoute should not return err")

 			if testCase.shouldRouteToWireguard {
@@ -84,19 +91,19 @@ func TestAddRemoveRoutes(t *testing.T) {
 			exists, err := existsInRouteTable(testCase.prefix)
 			require.NoError(t, err, "existsInRouteTable should not return err")
 			if exists && testCase.shouldRouteToWireguard {
-				err = removeVPNRoute(testCase.prefix, intf)
+				err = r.RemoveVPNRoute(testCase.prefix, intf)
 				require.NoError(t, err, "genericRemoveVPNRoute should not return err")

-				prefixGateway, _, err := GetNextHop(testCase.prefix.Addr())
+				prefixNexthop, err := GetNextHop(testCase.prefix.Addr())
 				require.NoError(t, err, "GetNextHop should not return err")

-				internetGateway, _, err := GetNextHop(netip.MustParseAddr("0.0.0.0"))
+				internetNexthop, err := GetNextHop(netip.MustParseAddr("0.0.0.0"))
 				require.NoError(t, err)

 				if testCase.shouldBeRemoved {
-					require.Equal(t, internetGateway, prefixGateway, "route should be pointing to default internet gateway")
+					require.Equal(t, internetNexthop.IP, prefixNexthop.IP, "route should be pointing to default internet gateway")
 				} else {
-					require.NotEqual(t, internetGateway, prefixGateway, "route should be pointing to a different gateway than the internet gateway")
+					require.NotEqual(t, internetNexthop.IP, prefixNexthop.IP, "route should be pointing to a different gateway than the internet gateway")
 				}
 			}
 		})
@@ -104,11 +111,14 @@ func TestAddRemoveRoutes(t *testing.T) {
 }

 func TestGetNextHop(t *testing.T) {
-	gateway, _, err := GetNextHop(netip.MustParseAddr("0.0.0.0"))
+	if runtime.GOOS == "freebsd" {
+		t.Skip("skipping on freebsd")
+	}
+	nexthop, err := GetNextHop(netip.MustParseAddr("0.0.0.0"))
 	if err != nil {
 		t.Fatal("shouldn't return error when fetching the gateway: ", err)
 	}
-	if !gateway.IsValid() {
+	if !nexthop.IP.IsValid() {
 		t.Fatal("should return a gateway")
 	}
 	addresses, err := net.InterfaceAddrs()
@@ -130,24 +140,24 @@ func TestGetNextHop(t *testing.T) {
 		}
 	}

-	localIP, _, err := GetNextHop(testingPrefix.Addr())
+	localIP, err := GetNextHop(testingPrefix.Addr())
 	if err != nil {
 		t.Fatal("shouldn't return error: ", err)
 	}
-	if !localIP.IsValid() {
+	if !localIP.IP.IsValid() {
 		t.Fatal("should return a gateway for local network")
 	}
-	if localIP.String() == gateway.String() {
-		t.Fatal("local ip should not match with gateway IP")
+	if localIP.IP.String() == nexthop.IP.String() {
+		t.Fatal("local IP should not match with gateway IP")
 	}
-	if localIP.String() != testingIP {
-		t.Fatalf("local ip should match with testing IP: want %s got %s", testingIP, localIP.String())
+	if localIP.IP.String() != testingIP {
+		t.Fatalf("local IP should match with testing IP: want %s got %s", testingIP, localIP.IP.String())
 	}
 }

 func TestAddExistAndRemoveRoute(t *testing.T) {
-	defaultGateway, _, err := GetNextHop(netip.MustParseAddr("0.0.0.0"))
-	t.Log("defaultGateway: ", defaultGateway)
+	defaultNexthop, err := GetNextHop(netip.MustParseAddr("0.0.0.0"))
+	t.Log("defaultNexthop: ", defaultNexthop)
 	if err != nil {
 		t.Fatal("shouldn't return error when fetching the gateway: ", err)
 	}
@@ -164,7 +174,7 @@ func TestAddExistAndRemoveRoute(t *testing.T) {
 		},
 		{
 			name:           "Should Not Add Route if overlaps with default gateway",
-			prefix:         netip.MustParsePrefix(defaultGateway.String() + "/31"),
+			prefix:         netip.MustParsePrefix(defaultNexthop.IP.String() + "/31"),
 			shouldAddRoute: false,
 		},
 		{
@@ -203,7 +213,7 @@ func TestAddExistAndRemoveRoute(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun53%d", n), "100.65.75.2/24", 33100, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil)
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun53%d", n), "100.65.75.2/24", 33100, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil, nil)
 			require.NoError(t, err, "should create testing WGIface interface")
 			defer wgInterface.Close()

@@ -214,14 +224,16 @@ func TestAddExistAndRemoveRoute(t *testing.T) {
 			require.NoError(t, err, "InterfaceByName should not return err")
 			intf := &net.Interface{Index: index.Index, Name: wgInterface.Name()}

+			r := NewSysOps(wgInterface)
+
 			// Prepare the environment
 			if testCase.preExistingPrefix.IsValid() {
-				err := addVPNRoute(testCase.preExistingPrefix, intf)
+				err := r.AddVPNRoute(testCase.preExistingPrefix, intf)
 				require.NoError(t, err, "should not return err when adding pre-existing route")
 			}

 			// Add the route
-			err = addVPNRoute(testCase.prefix, intf)
+			err = r.AddVPNRoute(testCase.prefix, intf)
 			require.NoError(t, err, "should not return err when adding route")

 			if testCase.shouldAddRoute {
@@ -231,7 +243,7 @@ func TestAddExistAndRemoveRoute(t *testing.T) {
 				require.True(t, ok, "route should exist")

 				// remove route again if added
-				err = removeVPNRoute(testCase.prefix, intf)
+				err = r.RemoveVPNRoute(testCase.prefix, intf)
 				require.NoError(t, err, "should not return err")
 			}

@@ -295,19 +307,22 @@ func TestExistsInRouteTable(t *testing.T) {
 	var addressPrefixes []netip.Prefix
 	for _, address := range addresses {
 		p := netip.MustParsePrefix(address.String())
-		if p.Addr().Is6() {
-			continue
-		}
-		// Windows sometimes has hidden interface link local addrs that don't turn up on any interface
-		if runtime.GOOS == "windows" && p.Addr().IsLinkLocalUnicast() {
-			continue
-		}
-		// Linux loopback 127/8 is in the local table, not in the main table and always takes precedence
-		if runtime.GOOS == "linux" && p.Addr().IsLoopback() {
-			continue
-		}

-		addressPrefixes = append(addressPrefixes, p.Masked())
+		switch {
+		case p.Addr().Is6():
+			continue
+		// Windows sometimes has hidden interface link local addrs that don't turn up on any interface
+		case runtime.GOOS == "windows" && p.Addr().IsLinkLocalUnicast():
+			continue
+		// Linux loopback 127/8 is in the local table, not in the main table and always takes precedence
+		case runtime.GOOS == "linux" && p.Addr().IsLoopback():
+			continue
+		// FreeBSD loopback 127/8 is not added to the routing table
+		case runtime.GOOS == "freebsd" && p.Addr().IsLoopback():
+			continue
+		default:
+			addressPrefixes = append(addressPrefixes, p.Masked())
+		}
 	}

 	for _, prefix := range addressPrefixes {
@@ -330,7 +345,7 @@ func createWGInterface(t *testing.T, interfaceName, ipAddressCIDR string, listen
 	newNet, err := stdnet.NewNet()
 	require.NoError(t, err)

-	wgInterface, err := iface.NewWGIFace(interfaceName, ipAddressCIDR, listenPort, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil)
+	wgInterface, err := iface.NewWGIFace(interfaceName, ipAddressCIDR, listenPort, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil, nil)
 	require.NoError(t, err, "should create testing WireGuard interface")

 	err = wgInterface.Create()
@@ -343,65 +358,52 @@ func createWGInterface(t *testing.T, interfaceName, ipAddressCIDR string, listen
 	return wgInterface
 }

+func setupRouteAndCleanup(t *testing.T, r *SysOps, prefix netip.Prefix, intf *net.Interface) {
+	t.Helper()
+
+	err := r.AddVPNRoute(prefix, intf)
+	require.NoError(t, err, "addVPNRoute should not return err")
+	t.Cleanup(func() {
+		err = r.RemoveVPNRoute(prefix, intf)
+		assert.NoError(t, err, "removeVPNRoute should not return err")
+	})
+}
+
 func setupTestEnv(t *testing.T) {
 	t.Helper()

 	setupDummyInterfacesAndRoutes(t)

-	wgIface := createWGInterface(t, expectedVPNint, "100.64.0.1/24", 51820)
+	wgInterface := createWGInterface(t, expectedVPNint, "100.64.0.1/24", 51820)
 	t.Cleanup(func() {
-		assert.NoError(t, wgIface.Close())
+		assert.NoError(t, wgInterface.Close())
 	})

-	_, _, err := setupRouting(nil, wgIface)
+	r := NewSysOps(wgInterface)
+	_, _, err := r.SetupRouting(nil)
 	require.NoError(t, err, "setupRouting should not return err")
 	t.Cleanup(func() {
-		assert.NoError(t, cleanupRouting())
+		assert.NoError(t, r.CleanupRouting())
 	})

-	index, err := net.InterfaceByName(wgIface.Name())
+	index, err := net.InterfaceByName(wgInterface.Name())
 	require.NoError(t, err, "InterfaceByName should not return err")
-	intf := &net.Interface{Index: index.Index, Name: wgIface.Name()}
+	intf := &net.Interface{Index: index.Index, Name: wgInterface.Name()}

 	// default route exists in main table and vpn table
-	err = addVPNRoute(netip.MustParsePrefix("0.0.0.0/0"), intf)
-	require.NoError(t, err, "addVPNRoute should not return err")
-	t.Cleanup(func() {
-		err = removeVPNRoute(netip.MustParsePrefix("0.0.0.0/0"), intf)
-		assert.NoError(t, err, "removeVPNRoute should not return err")
-	})
+	setupRouteAndCleanup(t, r, netip.MustParsePrefix("0.0.0.0/0"), intf)

 	// 10.0.0.0/8 route exists in main table and vpn table
-	err = addVPNRoute(netip.MustParsePrefix("10.0.0.0/8"), intf)
-	require.NoError(t, err, "addVPNRoute should not return err")
-	t.Cleanup(func() {
-		err = removeVPNRoute(netip.MustParsePrefix("10.0.0.0/8"), intf)
-		assert.NoError(t, err, "removeVPNRoute should not return err")
-	})
+	setupRouteAndCleanup(t, r, netip.MustParsePrefix("10.0.0.0/8"), intf)

 	// 10.10.0.0/24 more specific route exists in vpn table
-	err = addVPNRoute(netip.MustParsePrefix("10.10.0.0/24"), intf)
-	require.NoError(t, err, "addVPNRoute should not return err")
-	t.Cleanup(func() {
-		err = removeVPNRoute(netip.MustParsePrefix("10.10.0.0/24"), intf)
-		assert.NoError(t, err, "removeVPNRoute should not return err")
-	})
+	setupRouteAndCleanup(t, r, netip.MustParsePrefix("10.10.0.0/24"), intf)

 	// 127.0.10.0/24 more specific route exists in vpn table
-	err = addVPNRoute(netip.MustParsePrefix("127.0.10.0/24"), intf)
-	require.NoError(t, err, "addVPNRoute should not return err")
-	t.Cleanup(func() {
-		err = removeVPNRoute(netip.MustParsePrefix("127.0.10.0/24"), intf)
-		assert.NoError(t, err, "removeVPNRoute should not return err")
-	})
+	setupRouteAndCleanup(t, r, netip.MustParsePrefix("127.0.10.0/24"), intf)

 	// unique route in vpn table
-	err = addVPNRoute(netip.MustParsePrefix("172.16.0.0/12"), intf)
-	require.NoError(t, err, "addVPNRoute should not return err")
-	t.Cleanup(func() {
-		err = removeVPNRoute(netip.MustParsePrefix("172.16.0.0/12"), intf)
-		assert.NoError(t, err, "removeVPNRoute should not return err")
-	})
+	setupRouteAndCleanup(t, r, netip.MustParsePrefix("172.16.0.0/12"), intf)
 }

 func assertWGOutInterface(t *testing.T, prefix netip.Prefix, wgIface *iface.WGIface, invert bool) {
@@ -410,11 +412,133 @@ func assertWGOutInterface(t *testing.T, prefix netip.Prefix, wgIface *iface.WGIf
 		return
 	}

-	prefixGateway, _, err := GetNextHop(prefix.Addr())
+	prefixNexthop, err := GetNextHop(prefix.Addr())
 	require.NoError(t, err, "GetNextHop should not return err")
 	if invert {
-		assert.NotEqual(t, wgIface.Address().IP.String(), prefixGateway.String(), "route should not point to wireguard interface IP")
+		assert.NotEqual(t, wgIface.Address().IP.String(), prefixNexthop.IP.String(), "route should not point to wireguard interface IP")
 	} else {
-		assert.Equal(t, wgIface.Address().IP.String(), prefixGateway.String(), "route should point to wireguard interface IP")
+		assert.Equal(t, wgIface.Address().IP.String(), prefixNexthop.IP.String(), "route should point to wireguard interface IP")
+	}
+}
+
+func TestIsVpnRoute(t *testing.T) {
+	tests := []struct {
+		name           string
+		addr           string
+		vpnRoutes      []string
+		localRoutes    []string
+		expectedVpn    bool
+		expectedPrefix netip.Prefix
+	}{
+		{
+			name:           "Match in VPN routes",
+			addr:           "192.168.1.1",
+			vpnRoutes:      []string{"192.168.1.0/24"},
+			localRoutes:    []string{"10.0.0.0/8"},
+			expectedVpn:    true,
+			expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"),
+		},
+		{
+			name:           "Match in local routes",
+			addr:           "10.1.1.1",
+			vpnRoutes:      []string{"192.168.1.0/24"},
+			localRoutes:    []string{"10.0.0.0/8"},
+			expectedVpn:    false,
+			expectedPrefix: netip.MustParsePrefix("10.0.0.0/8"),
+		},
+		{
+			name:           "No match",
+			addr:           "172.16.0.1",
+			vpnRoutes:      []string{"192.168.1.0/24"},
+			localRoutes:    []string{"10.0.0.0/8"},
+			expectedVpn:    false,
+			expectedPrefix: netip.Prefix{},
+		},
+		{
+			name:           "Default route ignored",
+			addr:           "192.168.1.1",
+			vpnRoutes:      []string{"0.0.0.0/0", "192.168.1.0/24"},
+			localRoutes:    []string{"10.0.0.0/8"},
+			expectedVpn:    true,
+			expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"),
+		},
+		{
+			name:           "Default route matches but ignored",
+			addr:           "172.16.1.1",
+			vpnRoutes:      []string{"0.0.0.0/0", "192.168.1.0/24"},
+			localRoutes:    []string{"10.0.0.0/8"},
+			expectedVpn:    false,
+			expectedPrefix: netip.Prefix{},
+		},
+		{
+			name:           "Longest prefix match local",
+			addr:           "192.168.1.1",
+			vpnRoutes:      []string{"192.168.0.0/16"},
+			localRoutes:    []string{"192.168.1.0/24"},
+			expectedVpn:    false,
+			expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"),
+		},
+		{
+			name:           "Longest prefix match local multiple",
+			addr:           "192.168.0.1",
+			vpnRoutes:      []string{"192.168.0.0/16", "192.168.0.0/25", "192.168.0.0/27"},
+			localRoutes:    []string{"192.168.0.0/24", "192.168.0.0/26", "192.168.0.0/28"},
+			expectedVpn:    false,
+			expectedPrefix: netip.MustParsePrefix("192.168.0.0/28"),
+		},
+		{
+			name:           "Longest prefix match vpn",
+			addr:           "192.168.1.1",
+			vpnRoutes:      []string{"192.168.1.0/24"},
+			localRoutes:    []string{"192.168.0.0/16"},
+			expectedVpn:    true,
+			expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"),
+		},
+		{
+			name:           "Longest prefix match vpn multiple",
+			addr:           "192.168.0.1",
+			vpnRoutes:      []string{"192.168.0.0/16", "192.168.0.0/25", "192.168.0.0/27"},
+			localRoutes:    []string{"192.168.0.0/24", "192.168.0.0/26"},
+			expectedVpn:    true,
+			expectedPrefix: netip.MustParsePrefix("192.168.0.0/27"),
+		},
+		{
+			name:           "Duplicate prefix in both",
+			addr:           "192.168.1.1",
+			vpnRoutes:      []string{"192.168.1.0/24"},
+			localRoutes:    []string{"192.168.1.0/24"},
+			expectedVpn:    false,
+			expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			addr, err := netip.ParseAddr(tt.addr)
+			if err != nil {
+				t.Fatalf("Failed to parse address %s: %v", tt.addr, err)
+			}
+
+			var vpnRoutes, localRoutes []netip.Prefix
+			for _, route := range tt.vpnRoutes {
+				prefix, err := netip.ParsePrefix(route)
+				if err != nil {
+					t.Fatalf("Failed to parse VPN route %s: %v", route, err)
+				}
+				vpnRoutes = append(vpnRoutes, prefix)
+			}
+
+			for _, route := range tt.localRoutes {
+				prefix, err := netip.ParsePrefix(route)
+				if err != nil {
+					t.Fatalf("Failed to parse local route %s: %v", route, err)
+				}
+				localRoutes = append(localRoutes, prefix)
+			}
+
+			isVpn, matchedPrefix := isVpnRoute(addr, vpnRoutes, localRoutes)
+			assert.Equal(t, tt.expectedVpn, isVpn, "isVpnRoute should return expectedVpn value")
+			assert.Equal(t, tt.expectedPrefix, matchedPrefix, "isVpnRoute should return expectedVpn prefix")
+		})
 	}
 }
--- a/client/internal/routemanager/systemops/systemops_linux.go
+++ b/client/internal/routemanager/systemops/systemops_linux.go
@@ -1,6 +1,6 @@
 //go:build !android

-package routemanager
+package systemops

 import (
 	"bufio"
@@ -9,16 +9,15 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strconv"
-	"strings"
 	"syscall"

 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"

-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/iface"
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/internal/routemanager/sysctl"
+	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
 	nbnet "github.com/netbirdio/netbird/util/net"
 )

@@ -33,16 +32,10 @@ const (

 	// ipv4ForwardingPath is the path to the file containing the IP forwarding setting.
 	ipv4ForwardingPath = "net.ipv4.ip_forward"
-
-	rpFilterPath          = "net.ipv4.conf.all.rp_filter"
-	rpFilterInterfacePath = "net.ipv4.conf.%s.rp_filter"
-	srcValidMarkPath      = "net.ipv4.conf.all.src_valid_mark"
 )

 var ErrTableIDExists = errors.New("ID exists with different name")

-var routeManager = &RouteManager{}
-
 // originalSysctl stores the original sysctl values before they are modified
 var originalSysctl map[string]int

@@ -82,7 +75,7 @@ func getSetupRules() []ruleParams {
 	}
 }

-// setupRouting establishes the routing configuration for the VPN, including essential rules
+// SetupRouting establishes the routing configuration for the VPN, including essential rules
 // to ensure proper traffic flow for management, locally configured routes, and VPN traffic.
 //
 // Rule 1 (Main Route Precedence): Safeguards locally installed routes by giving them precedence over
@@ -92,17 +85,17 @@ func getSetupRules() []ruleParams {
 // Rule 2 (VPN Traffic Routing): Directs all remaining traffic to the 'NetbirdVPNTableID' custom routing table.
 // This table is where a default route or other specific routes received from the management server are configured,
 // enabling VPN connectivity.
-func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (_ peer.BeforeAddPeerHookFunc, _ peer.AfterRemovePeerHookFunc, err error) {
+func (r *SysOps) SetupRouting(initAddresses []net.IP) (_ nbnet.AddHookFunc, _ nbnet.RemoveHookFunc, err error) {
 	if isLegacy() {
 		log.Infof("Using legacy routing setup")
-		return setupRoutingWithRouteManager(&routeManager, initAddresses, wgIface)
+		return r.setupRefCounter(initAddresses)
 	}

 	if err = addRoutingTableName(); err != nil {
 		log.Errorf("Error adding routing table name: %v", err)
 	}

-	originalValues, err := setupSysctl(wgIface)
+	originalValues, err := sysctl.Setup(r.wgInterface)
 	if err != nil {
 		log.Errorf("Error setting up sysctl: %v", err)
 		sysctlFailed = true
@@ -111,7 +104,7 @@ func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (_ peer.Before

 	defer func() {
 		if err != nil {
-			if cleanErr := cleanupRouting(); cleanErr != nil {
+			if cleanErr := r.CleanupRouting(); cleanErr != nil {
 				log.Errorf("Error cleaning up routing: %v", cleanErr)
 			}
 		}
@@ -123,7 +116,7 @@ func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (_ peer.Before
 			if errors.Is(err, syscall.EOPNOTSUPP) {
 				log.Warnf("Rule operations are not supported, falling back to the legacy routing setup")
 				setIsLegacy(true)
-				return setupRoutingWithRouteManager(&routeManager, initAddresses, wgIface)
+				return r.setupRefCounter(initAddresses)
 			}
 			return nil, nil, fmt.Errorf("%s: %w", rule.description, err)
 		}
@@ -132,12 +125,12 @@ func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (_ peer.Before
 	return nil, nil, nil
 }

-// cleanupRouting performs a thorough cleanup of the routing configuration established by 'setupRouting'.
+// CleanupRouting performs a thorough cleanup of the routing configuration established by 'setupRouting'.
 // It systematically removes the three rules and any associated routing table entries to ensure a clean state.
 // The function uses error aggregation to report any errors encountered during the cleanup process.
-func cleanupRouting() error {
+func (r *SysOps) CleanupRouting() error {
 	if isLegacy() {
-		return cleanupRoutingWithRouteManager(routeManager)
+		return r.cleanupRefCounter()
 	}

 	var result *multierror.Error
@@ -156,58 +149,58 @@ func cleanupRouting() error {
 		}
 	}

-	if err := cleanupSysctl(originalSysctl); err != nil {
+	if err := sysctl.Cleanup(originalSysctl); err != nil {
 		result = multierror.Append(result, fmt.Errorf("cleanup sysctl: %w", err))
 	}
 	originalSysctl = nil
 	sysctlFailed = false

-	return result.ErrorOrNil()
+	return nberrors.FormatErrorOrNil(result)
 }

-func addToRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error {
-	return addRoute(prefix, nexthop, intf, syscall.RT_TABLE_MAIN)
+func (r *SysOps) addToRouteTable(prefix netip.Prefix, nexthop Nexthop) error {
+	return addRoute(prefix, nexthop, syscall.RT_TABLE_MAIN)
 }

-func removeFromRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error {
-	return removeRoute(prefix, nexthop, intf, syscall.RT_TABLE_MAIN)
+func (r *SysOps) removeFromRouteTable(prefix netip.Prefix, nexthop Nexthop) error {
+	return removeRoute(prefix, nexthop, syscall.RT_TABLE_MAIN)
 }

-func addVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
+func (r *SysOps) AddVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
 	if isLegacy() {
-		return genericAddVPNRoute(prefix, intf)
+		return r.genericAddVPNRoute(prefix, intf)
 	}

-	if sysctlFailed && (prefix == defaultv4 || prefix == defaultv6) {
+	if sysctlFailed && (prefix == vars.Defaultv4 || prefix == vars.Defaultv6) {
 		log.Warnf("Default route is configured but sysctl operations failed, VPN traffic may not be routed correctly, consider using NB_USE_LEGACY_ROUTING=true or setting net.ipv4.conf.*.rp_filter to 2 (loose) or 0 (off)")
 	}

 	// No need to check if routes exist as main table takes precedence over the VPN table via Rule 1

 	// TODO remove this once we have ipv6 support
-	if prefix == defaultv4 {
-		if err := addUnreachableRoute(defaultv6, NetbirdVPNTableID); err != nil {
+	if prefix == vars.Defaultv4 {
+		if err := addUnreachableRoute(vars.Defaultv6, NetbirdVPNTableID); err != nil {
 			return fmt.Errorf("add blackhole: %w", err)
 		}
 	}
-	if err := addRoute(prefix, netip.Addr{}, intf, NetbirdVPNTableID); err != nil {
+	if err := addRoute(prefix, Nexthop{netip.Addr{}, intf}, NetbirdVPNTableID); err != nil {
 		return fmt.Errorf("add route: %w", err)
 	}
 	return nil
 }

-func removeVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
+func (r *SysOps) RemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
 	if isLegacy() {
-		return genericRemoveVPNRoute(prefix, intf)
+		return r.genericRemoveVPNRoute(prefix, intf)
 	}

 	// TODO remove this once we have ipv6 support
-	if prefix == defaultv4 {
-		if err := removeUnreachableRoute(defaultv6, NetbirdVPNTableID); err != nil {
+	if prefix == vars.Defaultv4 {
+		if err := removeUnreachableRoute(vars.Defaultv6, NetbirdVPNTableID); err != nil {
 			return fmt.Errorf("remove unreachable route: %w", err)
 		}
 	}
-	if err := removeRoute(prefix, netip.Addr{}, intf, NetbirdVPNTableID); err != nil {
+	if err := removeRoute(prefix, Nexthop{netip.Addr{}, intf}, NetbirdVPNTableID); err != nil {
 		return fmt.Errorf("remove route: %w", err)
 	}
 	return nil
@@ -255,7 +248,7 @@ func getRoutes(tableID, family int) ([]netip.Prefix, error) {
 }

 // addRoute adds a route to a specific routing table identified by tableID.
-func addRoute(prefix netip.Prefix, addr netip.Addr, intf *net.Interface, tableID int) error {
+func addRoute(prefix netip.Prefix, nexthop Nexthop, tableID int) error {
 	route := &netlink.Route{
 		Scope:  netlink.SCOPE_UNIVERSE,
 		Table:  tableID,
@@ -268,7 +261,7 @@ func addRoute(prefix netip.Prefix, addr netip.Addr, intf *net.Interface, tableID
 	}
 	route.Dst = ipNet

-	if err := addNextHop(addr, intf, route); err != nil {
+	if err := addNextHop(nexthop, route); err != nil {
 		return fmt.Errorf("add gateway and device: %w", err)
 	}

@@ -327,7 +320,7 @@ func removeUnreachableRoute(prefix netip.Prefix, tableID int) error {
 }

 // removeRoute removes a route from a specific routing table identified by tableID.
-func removeRoute(prefix netip.Prefix, addr netip.Addr, intf *net.Interface, tableID int) error {
+func removeRoute(prefix netip.Prefix, nexthop Nexthop, tableID int) error {
 	_, ipNet, err := net.ParseCIDR(prefix.String())
 	if err != nil {
 		return fmt.Errorf("parse prefix %s: %w", prefix, err)
@@ -340,7 +333,7 @@ func removeRoute(prefix netip.Prefix, addr netip.Addr, intf *net.Interface, tabl
 		Dst:    ipNet,
 	}

-	if err := addNextHop(addr, intf, route); err != nil {
+	if err := addNextHop(nexthop, route); err != nil {
 		return fmt.Errorf("add gateway and device: %w", err)
 	}

@@ -373,11 +366,11 @@ func flushRoutes(tableID, family int) error {
 		}
 	}

-	return result.ErrorOrNil()
+	return nberrors.FormatErrorOrNil(result)
 }

-func enableIPForwarding() error {
-	_, err := setSysctl(ipv4ForwardingPath, 1, false)
+func EnableIPForwarding() error {
+	_, err := sysctl.Set(ipv4ForwardingPath, 1, false)
 	return err
 }

@@ -481,19 +474,19 @@ func removeRule(params ruleParams) error {
 }

 // addNextHop adds the gateway and device to the route.
-func addNextHop(addr netip.Addr, intf *net.Interface, route *netlink.Route) error {
-	if intf != nil {
-		route.LinkIndex = intf.Index
+func addNextHop(nexthop Nexthop, route *netlink.Route) error {
+	if nexthop.Intf != nil {
+		route.LinkIndex = nexthop.Intf.Index
 	}

-	if addr.IsValid() {
-		route.Gw = addr.AsSlice()
+	if nexthop.IP.IsValid() {
+		route.Gw = nexthop.IP.AsSlice()

 		// if zone is set, it means the gateway is a link-local address, so we set the link index
-		if addr.Zone() != "" && intf == nil {
-			link, err := netlink.LinkByName(addr.Zone())
+		if nexthop.IP.Zone() != "" && nexthop.Intf == nil {
+			link, err := netlink.LinkByName(nexthop.IP.Zone())
 			if err != nil {
-				return fmt.Errorf("get link by name for zone %s: %w", addr.Zone(), err)
+				return fmt.Errorf("get link by name for zone %s: %w", nexthop.IP.Zone(), err)
 			}
 			route.LinkIndex = link.Attrs().Index
 		}
@@ -509,82 +502,9 @@ func getAddressFamily(prefix netip.Prefix) int {
 	return netlink.FAMILY_V6
 }

-// setupSysctl configures sysctl settings for RP filtering and source validation.
-func setupSysctl(wgIface *iface.WGIface) (map[string]int, error) {
-	keys := map[string]int{}
-	var result *multierror.Error
-
-	oldVal, err := setSysctl(srcValidMarkPath, 1, false)
-	if err != nil {
-		result = multierror.Append(result, err)
-	} else {
-		keys[srcValidMarkPath] = oldVal
+func hasSeparateRouting() ([]netip.Prefix, error) {
+	if isLegacy() {
+		return getRoutesFromTable()
 	}
-
-	oldVal, err = setSysctl(rpFilterPath, 2, true)
-	if err != nil {
-		result = multierror.Append(result, err)
-	} else {
-		keys[rpFilterPath] = oldVal
-	}
-
-	interfaces, err := net.Interfaces()
-	if err != nil {
-		result = multierror.Append(result, fmt.Errorf("list interfaces: %w", err))
-	}
-
-	for _, intf := range interfaces {
-		if intf.Name == "lo" || wgIface != nil && intf.Name == wgIface.Name() {
-			continue
-		}
-
-		i := fmt.Sprintf(rpFilterInterfacePath, intf.Name)
-		oldVal, err := setSysctl(i, 2, true)
-		if err != nil {
-			result = multierror.Append(result, err)
-		} else {
-			keys[i] = oldVal
-		}
-	}
-
-	return keys, result.ErrorOrNil()
-}
-
-// setSysctl sets a sysctl configuration, if onlyIfOne is true it will only set the new value if it's set to 1
-func setSysctl(key string, desiredValue int, onlyIfOne bool) (int, error) {
-	path := fmt.Sprintf("/proc/sys/%s", strings.ReplaceAll(key, ".", "/"))
-	currentValue, err := os.ReadFile(path)
-	if err != nil {
-		return -1, fmt.Errorf("read sysctl %s: %w", key, err)
-	}
-
-	currentV, err := strconv.Atoi(strings.TrimSpace(string(currentValue)))
-	if err != nil && len(currentValue) > 0 {
-		return -1, fmt.Errorf("convert current desiredValue to int: %w", err)
-	}
-
-	if currentV == desiredValue || onlyIfOne && currentV != 1 {
-		return currentV, nil
-	}
-
-	//nolint:gosec
-	if err := os.WriteFile(path, []byte(strconv.Itoa(desiredValue)), 0644); err != nil {
-		return currentV, fmt.Errorf("write sysctl %s: %w", key, err)
-	}
-	log.Debugf("Set sysctl %s from %d to %d", key, currentV, desiredValue)
-
-	return currentV, nil
-}
-
-func cleanupSysctl(originalSettings map[string]int) error {
-	var result *multierror.Error
-
-	for key, value := range originalSettings {
-		_, err := setSysctl(key, value, false)
-		if err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-
-	return result.ErrorOrNil()
+	return nil, ErrRoutingIsSeparate
 }
--- a/client/internal/routemanager/systemops/systemops_linux_test.go
+++ b/client/internal/routemanager/systemops/systemops_linux_test.go
@@ -1,6 +1,6 @@
 //go:build !android

-package routemanager
+package systemops

 import (
 	"errors"
@@ -14,6 +14,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/vishvananda/netlink"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
 )

 var expectedVPNint = "wgtest0"
@@ -138,7 +140,7 @@ func addDummyRoute(t *testing.T, dstCIDR string, gw net.IP, intf string) {
 	if dstIPNet.String() == "0.0.0.0/0" {
 		var err error
 		originalNexthop, originalLinkIndex, err = fetchOriginalGateway(netlink.FAMILY_V4)
-		if err != nil && !errors.Is(err, ErrRouteNotFound) {
+		if err != nil && !errors.Is(err, vars.ErrRouteNotFound) {
 			t.Logf("Failed to fetch original gateway: %v", err)
 		}

@@ -193,7 +195,7 @@ func fetchOriginalGateway(family int) (net.IP, int, error) {
 		}
 	}

-	return nil, 0, ErrRouteNotFound
+	return nil, 0, vars.ErrRouteNotFound
 }

 func setupDummyInterfacesAndRoutes(t *testing.T) {
--- a/client/internal/routemanager/systemops/systemops_mobile.go
+++ b/client/internal/routemanager/systemops/systemops_mobile.go
@@ -0,0 +1,38 @@
+//go:build ios || android
+
+package systemops
+
+import (
+	"net"
+	"net/netip"
+	"runtime"
+
+	log "github.com/sirupsen/logrus"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+func (r *SysOps) SetupRouting([]net.IP) (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error) {
+	return nil, nil, nil
+}
+
+func (r *SysOps) CleanupRouting() error {
+	return nil
+}
+
+func (r *SysOps) AddVPNRoute(netip.Prefix, *net.Interface) error {
+	return nil
+}
+
+func (r *SysOps) RemoveVPNRoute(netip.Prefix, *net.Interface) error {
+	return nil
+}
+
+func EnableIPForwarding() error {
+	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
+	return nil
+}
+
+func IsAddrRouted(netip.Addr, []netip.Prefix) (bool, netip.Prefix) {
+	return false, netip.Prefix{}
+}
--- a/client/internal/routemanager/systemops/systemops_nonlinux.go
+++ b/client/internal/routemanager/systemops/systemops_nonlinux.go
@@ -0,0 +1,28 @@
+//go:build !linux && !ios
+
+package systemops
+
+import (
+	"net"
+	"net/netip"
+	"runtime"
+
+	log "github.com/sirupsen/logrus"
+)
+
+func (r *SysOps) AddVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
+	return r.genericAddVPNRoute(prefix, intf)
+}
+
+func (r *SysOps) RemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
+	return r.genericRemoveVPNRoute(prefix, intf)
+}
+
+func EnableIPForwarding() error {
+	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
+	return nil
+}
+
+func hasSeparateRouting() ([]netip.Prefix, error) {
+	return getRoutesFromTable()
+}
--- a/client/internal/routemanager/systemops/systemops_unix.go
+++ b/client/internal/routemanager/systemops/systemops_unix.go
@@ -1,6 +1,6 @@
-//go:build darwin && !ios
+//go:build (darwin && !ios) || dragonfly || freebsd || netbsd || openbsd

-package routemanager
+package systemops

 import (
 	"fmt"
@@ -13,48 +13,41 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/iface"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

-var routeManager *RouteManager
-
-func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
-	return setupRoutingWithRouteManager(&routeManager, initAddresses, wgIface)
+func (r *SysOps) SetupRouting(initAddresses []net.IP) (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error) {
+	return r.setupRefCounter(initAddresses)
 }

-func cleanupRouting() error {
-	return cleanupRoutingWithRouteManager(routeManager)
+func (r *SysOps) CleanupRouting() error {
+	return r.cleanupRefCounter()
 }

-func addToRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error {
-	return routeCmd("add", prefix, nexthop, intf)
+func (r *SysOps) addToRouteTable(prefix netip.Prefix, nexthop Nexthop) error {
+	return r.routeCmd("add", prefix, nexthop)
 }

-func removeFromRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error {
-	return routeCmd("delete", prefix, nexthop, intf)
+func (r *SysOps) removeFromRouteTable(prefix netip.Prefix, nexthop Nexthop) error {
+	return r.routeCmd("delete", prefix, nexthop)
 }

-func routeCmd(action string, prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error {
+func (r *SysOps) routeCmd(action string, prefix netip.Prefix, nexthop Nexthop) error {
 	inet := "-inet"
+	if prefix.Addr().Is6() {
+		inet = "-inet6"
+	}
+
 	network := prefix.String()
 	if prefix.IsSingleIP() {
 		network = prefix.Addr().String()
 	}
-	if prefix.Addr().Is6() {
-		inet = "-inet6"
-		// Special case for IPv6 split default route, pointing to the wg interface fails
-		// TODO: Remove once we have IPv6 support on the interface
-		if prefix.Bits() == 1 {
-			intf = &net.Interface{Name: "lo0"}
-		}
-	}

 	args := []string{"-n", action, inet, network}
-	if nexthop.IsValid() {
-		args = append(args, nexthop.Unmap().String())
-	} else if intf != nil {
-		args = append(args, "-interface", intf.Name)
+	if nexthop.IP.IsValid() {
+		args = append(args, nexthop.IP.Unmap().String())
+	} else if nexthop.Intf != nil {
+		args = append(args, "-interface", nexthop.Intf.Name)
 	}

 	if err := retryRouteCmd(args); err != nil {
--- a/client/internal/routemanager/systemops/systemops_unix_test.go
+++ b/client/internal/routemanager/systemops/systemops_unix_test.go
@@ -1,10 +1,11 @@
 //go:build (linux && !android) || (darwin && !ios) || freebsd || openbsd || netbsd || dragonfly

-package routemanager
+package systemops

 import (
 	"fmt"
 	"net"
+	"runtime"
 	"strings"
 	"testing"
 	"time"
@@ -85,6 +86,10 @@ var testCases = []testCase{

 func TestRouting(t *testing.T) {
 	for _, tc := range testCases {
+		// todo resolve test execution on freebsd
+		if runtime.GOOS == "freebsd" {
+			t.Skip("skipping ", tc.name, " on freebsd")
+		}
 		t.Run(tc.name, func(t *testing.T) {
 			setupTestEnv(t)

--- a/client/internal/routemanager/systemops/systemops_windows.go
+++ b/client/internal/routemanager/systemops/systemops_windows.go
@@ -1,6 +1,6 @@
 //go:build windows

-package routemanager
+package systemops

 import (
 	"fmt"
@@ -17,8 +17,7 @@ import (
 	"github.com/yusufpapurcu/wmi"

 	"github.com/netbirdio/netbird/client/firewall/uspfilter"
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/iface"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 type MSFT_NetRoute struct {
@@ -57,14 +56,42 @@ var prefixList []netip.Prefix
 var lastUpdate time.Time
 var mux = sync.Mutex{}

-var routeManager *RouteManager
-
-func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
-	return setupRoutingWithRouteManager(&routeManager, initAddresses, wgIface)
+func (r *SysOps) SetupRouting(initAddresses []net.IP) (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error) {
+	return r.setupRefCounter(initAddresses)
 }

-func cleanupRouting() error {
-	return cleanupRoutingWithRouteManager(routeManager)
+func (r *SysOps) CleanupRouting() error {
+	return r.cleanupRefCounter()
+}
+
+func (r *SysOps) addToRouteTable(prefix netip.Prefix, nexthop Nexthop) error {
+	if nexthop.IP.Zone() != "" && nexthop.Intf == nil {
+		zone, err := strconv.Atoi(nexthop.IP.Zone())
+		if err != nil {
+			return fmt.Errorf("invalid zone: %w", err)
+		}
+		nexthop.Intf = &net.Interface{Index: zone}
+	}
+
+	return addRouteCmd(prefix, nexthop)
+}
+
+func (r *SysOps) removeFromRouteTable(prefix netip.Prefix, nexthop Nexthop) error {
+	args := []string{"delete", prefix.String()}
+	if nexthop.IP.IsValid() {
+		ip := nexthop.IP.WithZone("")
+		args = append(args, ip.Unmap().String())
+	}
+
+	routeCmd := uspfilter.GetSystem32Command("route")
+
+	out, err := exec.Command(routeCmd, args...).CombinedOutput()
+	log.Tracef("route %s: %s", strings.Join(args, " "), out)
+
+	if err != nil {
+		return fmt.Errorf("remove route: %w", err)
+	}
+	return nil
 }

 func getRoutesFromTable() ([]netip.Prefix, error) {
@@ -93,7 +120,7 @@ func getRoutesFromTable() ([]netip.Prefix, error) {
 func GetRoutes() ([]Route, error) {
 	var entries []MSFT_NetRoute

-	query := `SELECT DestinationPrefix, NextHop, InterfaceIndex, InterfaceAlias, AddressFamily FROM MSFT_NetRoute`
+	query := `SELECT DestinationPrefix, Nexthop, InterfaceIndex, InterfaceAlias, AddressFamily FROM MSFT_NetRoute`
 	if err := wmi.QueryNamespace(query, &entries, `ROOT\StandardCimv2`); err != nil {
 		return nil, fmt.Errorf("get routes: %w", err)
 	}
@@ -118,6 +145,10 @@ func GetRoutes() ([]Route, error) {
 				Index: int(entry.InterfaceIndex),
 				Name:  entry.InterfaceAlias,
 			}
+
+			if nexthop.Is6() && (nexthop.IsLinkLocalUnicast() || nexthop.IsLinkLocalMulticast()) {
+				nexthop = nexthop.WithZone(strconv.Itoa(int(entry.InterfaceIndex)))
+			}
 		}

 		routes = append(routes, Route{
@@ -157,11 +188,12 @@ func GetNeighbors() ([]Neighbor, error) {
 	return neighbors, nil
 }

-func addRouteCmd(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error {
+func addRouteCmd(prefix netip.Prefix, nexthop Nexthop) error {
 	args := []string{"add", prefix.String()}

-	if nexthop.IsValid() {
-		args = append(args, nexthop.Unmap().String())
+	if nexthop.IP.IsValid() {
+		ip := nexthop.IP.WithZone("")
+		args = append(args, ip.Unmap().String())
 	} else {
 		addr := "0.0.0.0"
 		if prefix.Addr().Is6() {
@@ -170,8 +202,8 @@ func addRouteCmd(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) e
 		args = append(args, addr)
 	}

-	if intf != nil {
-		args = append(args, "if", strconv.Itoa(intf.Index))
+	if nexthop.Intf != nil {
+		args = append(args, "if", strconv.Itoa(nexthop.Intf.Index))
 	}

 	routeCmd := uspfilter.GetSystem32Command("route")
@@ -185,37 +217,6 @@ func addRouteCmd(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) e
 	return nil
 }

-func addToRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error {
-	if nexthop.Zone() != "" && intf == nil {
-		zone, err := strconv.Atoi(nexthop.Zone())
-		if err != nil {
-			return fmt.Errorf("invalid zone: %w", err)
-		}
-		intf = &net.Interface{Index: zone}
-		nexthop.WithZone("")
-	}
-
-	return addRouteCmd(prefix, nexthop, intf)
-}
-
-func removeFromRouteTable(prefix netip.Prefix, nexthop netip.Addr, _ *net.Interface) error {
-	args := []string{"delete", prefix.String()}
-	if nexthop.IsValid() {
-		nexthop.WithZone("")
-		args = append(args, nexthop.Unmap().String())
-	}
-
-	routeCmd := uspfilter.GetSystem32Command("route")
-
-	out, err := exec.Command(routeCmd, args...).CombinedOutput()
-	log.Tracef("route %s: %s", strings.Join(args, " "), out)
-
-	if err != nil {
-		return fmt.Errorf("remove route: %w", err)
-	}
-	return nil
-}
-
 func isCacheDisabled() bool {
 	return os.Getenv("NB_DISABLE_ROUTE_CACHE") == "true"
 }
--- a/client/internal/routemanager/systemops/systemops_windows_test.go
+++ b/client/internal/routemanager/systemops/systemops_windows_test.go
@@ -1,4 +1,4 @@
-package routemanager
+package systemops

 import (
 	"context"
@@ -29,7 +29,7 @@ type FindNetRouteOutput struct {
 	InterfaceIndex    int    `json:"InterfaceIndex"`
 	InterfaceAlias    string `json:"InterfaceAlias"`
 	AddressFamily     int    `json:"AddressFamily"`
-	NextHop           string `json:"NextHop"`
+	NextHop           string `json:"Nexthop"`
 	DestinationPrefix string `json:"DestinationPrefix"`
 }

@@ -166,7 +166,7 @@ func testRoute(t *testing.T, destination string, dialer dialer) *FindNetRouteOut
 	host, _, err := net.SplitHostPort(destination)
 	require.NoError(t, err)

-	script := fmt.Sprintf(`Find-NetRoute -RemoteIPAddress "%s" | Select-Object -Property IPAddress, InterfaceIndex, InterfaceAlias, AddressFamily, NextHop, DestinationPrefix | ConvertTo-Json`, host)
+	script := fmt.Sprintf(`Find-NetRoute -RemoteIPAddress "%s" | Select-Object -Property IPAddress, InterfaceIndex, InterfaceAlias, AddressFamily, Nexthop, DestinationPrefix | ConvertTo-Json`, host)

 	out, err := exec.Command("powershell", "-Command", script).Output()
 	require.NoError(t, err, "Failed to execute Find-NetRoute")
@@ -207,7 +207,7 @@ func createAndSetupDummyInterface(t *testing.T, interfaceName, ipAddressCIDR str
 }

 func fetchOriginalGateway() (*RouteInfo, error) {
-	cmd := exec.Command("powershell", "-Command", "Get-NetRoute -DestinationPrefix 0.0.0.0/0 | Select-Object NextHop, RouteMetric, InterfaceAlias | ConvertTo-Json")
+	cmd := exec.Command("powershell", "-Command", "Get-NetRoute -DestinationPrefix 0.0.0.0/0 | Select-Object Nexthop, RouteMetric, InterfaceAlias | ConvertTo-Json")
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		return nil, fmt.Errorf("failed to execute Get-NetRoute: %w", err)
--- a/client/internal/routemanager/systemops_android.go
+++ b/client/internal/routemanager/systemops_android.go
@@ -1,33 +0,0 @@
-package routemanager
-
-import (
-	"net"
-	"net/netip"
-	"runtime"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/iface"
-)
-
-func setupRouting([]net.IP, *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
-	return nil, nil, nil
-}
-
-func cleanupRouting() error {
-	return nil
-}
-
-func enableIPForwarding() error {
-	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
-	return nil
-}
-
-func addVPNRoute(netip.Prefix, *net.Interface) error {
-	return nil
-}
-
-func removeVPNRoute(netip.Prefix, *net.Interface) error {
-	return nil
-}
--- a/client/internal/routemanager/systemops_bsd_test.go
+++ b/client/internal/routemanager/systemops_bsd_test.go
@@ -1,57 +0,0 @@
-//go:build darwin || dragonfly || freebsd || netbsd || openbsd
-
-package routemanager
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"golang.org/x/net/route"
-)
-
-func TestBits(t *testing.T) {
-	tests := []struct {
-		name    string
-		addr    route.Addr
-		want    int
-		wantErr bool
-	}{
-		{
-			name: "IPv4 all ones",
-			addr: &route.Inet4Addr{IP: [4]byte{255, 255, 255, 255}},
-			want: 32,
-		},
-		{
-			name: "IPv4 normal mask",
-			addr: &route.Inet4Addr{IP: [4]byte{255, 255, 255, 0}},
-			want: 24,
-		},
-		{
-			name: "IPv6 all ones",
-			addr: &route.Inet6Addr{IP: [16]byte{255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255}},
-			want: 128,
-		},
-		{
-			name: "IPv6 normal mask",
-			addr: &route.Inet6Addr{IP: [16]byte{255, 255, 255, 255, 255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0}},
-			want: 64,
-		},
-		{
-			name:    "Unsupported type",
-			addr:    &route.LinkAddr{},
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := ones(tt.addr)
-			if tt.wantErr {
-				assert.Error(t, err)
-			} else {
-				assert.NoError(t, err)
-				assert.Equal(t, tt.want, got)
-			}
-		})
-	}
-}
--- a/client/internal/routemanager/systemops_ios.go
+++ b/client/internal/routemanager/systemops_ios.go
@@ -1,33 +0,0 @@
-package routemanager
-
-import (
-	"net"
-	"net/netip"
-	"runtime"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/iface"
-)
-
-func setupRouting([]net.IP, *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
-	return nil, nil, nil
-}
-
-func cleanupRouting() error {
-	return nil
-}
-
-func enableIPForwarding() error {
-	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
-	return nil
-}
-
-func addVPNRoute(netip.Prefix, *net.Interface) error {
-	return nil
-}
-
-func removeVPNRoute(netip.Prefix, *net.Interface) error {
-	return nil
-}
--- a/client/internal/routemanager/systemops_nonlinux.go
+++ b/client/internal/routemanager/systemops_nonlinux.go
@@ -1,24 +0,0 @@
-//go:build !linux && !ios
-
-package routemanager
-
-import (
-	"net"
-	"net/netip"
-	"runtime"
-
-	log "github.com/sirupsen/logrus"
-)
-
-func enableIPForwarding() error {
-	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
-	return nil
-}
-
-func addVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
-	return genericAddVPNRoute(prefix, intf)
-}
-
-func removeVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
-	return genericRemoveVPNRoute(prefix, intf)
-}
--- a/client/internal/routemanager/util/ip.go
+++ b/client/internal/routemanager/util/ip.go
@@ -0,0 +1,29 @@
+package util
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+)
+
+// GetPrefixFromIP returns a netip.Prefix from a net.IP address.
+func GetPrefixFromIP(ip net.IP) (netip.Prefix, error) {
+	addr, ok := netip.AddrFromSlice(ip)
+	if !ok {
+		return netip.Prefix{}, fmt.Errorf("parse IP address: %s", ip)
+	}
+	addr = addr.Unmap()
+
+	var prefixLength int
+	switch {
+	case addr.Is4():
+		prefixLength = 32
+	case addr.Is6():
+		prefixLength = 128
+	default:
+		return netip.Prefix{}, fmt.Errorf("invalid IP address: %s", addr)
+	}
+
+	prefix := netip.PrefixFrom(addr, prefixLength)
+	return prefix, nil
+}
--- a/client/internal/routemanager/vars/vars.go
+++ b/client/internal/routemanager/vars/vars.go
@@ -0,0 +1,16 @@
+package vars
+
+import (
+	"errors"
+	"net/netip"
+)
+
+const MinRangeBits = 7
+
+var (
+	ErrRouteNotFound   = errors.New("route not found")
+	ErrRouteNotAllowed = errors.New("route not allowed")
+
+	Defaultv4 = netip.PrefixFrom(netip.IPv4Unspecified(), 0)
+	Defaultv6 = netip.PrefixFrom(netip.IPv6Unspecified(), 0)
+)
--- a/Show More
+++ b/Show More