Add embedded VNC server with JWT auth, DXGI capture, and dashboard integration

.github/workflows/proto-version-check.yml

@@ -1,62 +0,0 @@
-name: Proto Version Check
-
-on:
-  pull_request:
-    paths:
-      - "**/*.pb.go"
-
-jobs:
-  check-proto-versions:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check for proto tool version changes
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const files = await github.paginate(github.rest.pulls.listFiles, {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.issue.number,
-              per_page: 100,
-            });
-
-            const pbFiles = files.filter(f => f.filename.endsWith('.pb.go'));
-            const missingPatch = pbFiles.filter(f => !f.patch).map(f => f.filename);
-            if (missingPatch.length > 0) {
-              core.setFailed(
-                `Cannot inspect patch data for:\n` +
-                missingPatch.map(f => `- ${f}`).join('\n') +
-                `\nThis can happen with very large PRs. Verify proto versions manually.`
-              );
-              return;
-            }
-            const versionPattern = /^[+-]\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
-            const violations = [];
-
-            for (const file of pbFiles) {
-              const changed = file.patch
-                .split('\n')
-                .filter(line => versionPattern.test(line));
-              if (changed.length > 0) {
-                violations.push({
-                  file: file.filename,
-                  lines: changed,
-                });
-              }
-            }
-
-            if (violations.length > 0) {
-              const details = violations.map(v =>
-                `${v.file}:\n${v.lines.map(l => '  ' + l).join('\n')}`
-              ).join('\n\n');
-
-              core.setFailed(
-                `Proto version strings changed in generated files.\n` +
-                `This usually means the wrong protoc or protoc-gen-go version was used.\n` +
-                `Regenerate with the matching tool versions.\n\n` +
-                details
-              );
-              return;
-            }
-
-            console.log('No proto version string changes detected');

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.1.2"
+  SIGN_PIPE_VER: "v0.1.1"
   GORELEASER_VER: "v2.14.3"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"

client/cmd/root.go

@@ -75,7 +75,6 @@ var (
 	mtu                     uint16
 	profilesDisabled        bool
 	updateSettingsDisabled  bool
-	networksDisabled        bool
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird",
@@ -151,6 +150,7 @@ func init() {
 	rootCmd.AddCommand(logoutCmd)
 	rootCmd.AddCommand(versionCmd)
 	rootCmd.AddCommand(sshCmd)
+	rootCmd.AddCommand(vncCmd)
 	rootCmd.AddCommand(networksCMD)
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)

client/cmd/service.go

@@ -44,13 +44,10 @@ func init() {
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
-	serviceCmd.PersistentFlags().BoolVar(&networksDisabled, "disable-networks", false, "Disables network selection. If enabled, the client will not allow listing, selecting, or deselecting networks. To persist, use: netbird service install --disable-networks")
 
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	serviceEnvDesc := `Sets extra environment variables for the service. ` +
 		`You can specify a comma-separated list of KEY=VALUE pairs. ` +
-		`New keys are merged with previously saved env vars; existing keys are overwritten. ` +
-		`Use --service-env "" to clear all saved env vars. ` +
 		`E.g. --service-env NB_LOG_LEVEL=debug,CUSTOM_VAR=value`
 
 	installCmd.Flags().StringSliceVar(&serviceEnvVars, "service-env", nil, serviceEnvDesc)

client/cmd/service_controller.go

@@ -61,7 +61,7 @@ func (p *program) Start(svc service.Service) error {
 			}
 		}
 
-		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled, networksDisabled)
+		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled)
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}

client/cmd/service_installer.go

@@ -59,10 +59,6 @@ func buildServiceArguments() []string {
 		args = append(args, "--disable-update-settings")
 	}
 
-	if networksDisabled {
-		args = append(args, "--disable-networks")
-	}
-
 	return args
 }
 

client/cmd/service_params.go

@@ -28,7 +28,6 @@ type serviceParams struct {
 	LogFiles              []string          `json:"log_files,omitempty"`
 	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
 	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
-	DisableNetworks       bool              `json:"disable_networks,omitempty"`
 	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
 }
 
@@ -79,12 +78,11 @@ func currentServiceParams() *serviceParams {
 		LogFiles:              logFiles,
 		DisableProfiles:       profilesDisabled,
 		DisableUpdateSettings: updateSettingsDisabled,
-		DisableNetworks:       networksDisabled,
 	}
 
 	if len(serviceEnvVars) > 0 {
 		parsed, err := parseServiceEnvVars(serviceEnvVars)
-		if err == nil {
+		if err == nil && len(parsed) > 0 {
 			params.ServiceEnvVars = parsed
 		}
 	}
@@ -144,46 +142,31 @@ func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 		updateSettingsDisabled = params.DisableUpdateSettings
 	}
 
-	if !serviceCmd.PersistentFlags().Changed("disable-networks") {
-		networksDisabled = params.DisableNetworks
-	}
-
 	applyServiceEnvParams(cmd, params)
 }
 
 // applyServiceEnvParams merges saved service environment variables.
-// If --service-env was explicitly set with values, explicit values win on key
-// conflict but saved keys not in the explicit set are carried over.
-// If --service-env was explicitly set to empty, all saved env vars are cleared.
+// If --service-env was explicitly set, explicit values win on key conflict
+// but saved keys not in the explicit set are carried over.
 // If --service-env was not set, saved env vars are used entirely.
 func applyServiceEnvParams(cmd *cobra.Command, params *serviceParams) {
-	if !cmd.Flags().Changed("service-env") {
-		if len(params.ServiceEnvVars) > 0 {
-			// No explicit env vars: rebuild serviceEnvVars from saved params.
-			serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
-		}
+	if len(params.ServiceEnvVars) == 0 {
 		return
 	}
 
-	// Flag was explicitly set: parse what the user provided.
+	if !cmd.Flags().Changed("service-env") {
+		// No explicit env vars: rebuild serviceEnvVars from saved params.
+		serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
+		return
+	}
+
+	// Explicit env vars were provided: merge saved values underneath.
 	explicit, err := parseServiceEnvVars(serviceEnvVars)
 	if err != nil {
 		cmd.PrintErrf("Warning: parse explicit service env vars for merge: %v\n", err)
 		return
 	}
 
-	// If the user passed an empty value (e.g. --service-env ""), clear all
-	// saved env vars rather than merging.
-	if len(explicit) == 0 {
-		serviceEnvVars = nil
-		return
-	}
-
-	if len(params.ServiceEnvVars) == 0 {
-		return
-	}
-
-	// Merge saved values underneath explicit ones.
 	merged := make(map[string]string, len(params.ServiceEnvVars)+len(explicit))
 	maps.Copy(merged, params.ServiceEnvVars)
 	maps.Copy(merged, explicit) // explicit wins on conflict

client/cmd/service_params_test.go

@@ -327,41 +327,6 @@ func TestApplyServiceEnvParams_NotChanged(t *testing.T) {
 	assert.Equal(t, map[string]string{"FROM_SAVED": "val"}, result)
 }
 
-func TestApplyServiceEnvParams_ExplicitEmptyClears(t *testing.T) {
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
-
-	// Simulate --service-env "" which produces [""] in the slice.
-	serviceEnvVars = []string{""}
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	require.NoError(t, cmd.Flags().Set("service-env", ""))
-
-	saved := &serviceParams{
-		ServiceEnvVars: map[string]string{"OLD_VAR": "should_be_cleared"},
-	}
-
-	applyServiceEnvParams(cmd, saved)
-
-	assert.Nil(t, serviceEnvVars, "explicit empty --service-env should clear all saved env vars")
-}
-
-func TestCurrentServiceParams_EmptyEnvVarsAfterParse(t *testing.T) {
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
-
-	// Simulate --service-env "" which produces [""] in the slice.
-	serviceEnvVars = []string{""}
-
-	params := currentServiceParams()
-
-	// After parsing, the empty string is skipped, resulting in an empty map.
-	// The map should still be set (not nil) so it overwrites saved values.
-	assert.NotNil(t, params.ServiceEnvVars, "empty env vars should produce empty map, not nil")
-	assert.Empty(t, params.ServiceEnvVars, "no valid env vars should be parsed from empty string")
-}
-
 // TestServiceParams_FieldsCoveredInFunctions ensures that all serviceParams fields are
 // referenced in both currentServiceParams() and applyServiceParams(). If a new field is
 // added to serviceParams but not wired into these functions, this test fails.
@@ -535,7 +500,6 @@ func fieldToGlobalVar(field string) string {
 		"LogFiles":              "logFiles",
 		"DisableProfiles":       "profilesDisabled",
 		"DisableUpdateSettings": "updateSettingsDisabled",
-		"DisableNetworks":       "networksDisabled",
 		"ServiceEnvVars":        "serviceEnvVars",
 	}
 	if v, ok := m[field]; ok {

client/cmd/ssh.go

@@ -36,7 +36,10 @@ const (
 	enableSSHLocalPortForwardFlag  = "enable-ssh-local-port-forwarding"
 	enableSSHRemotePortForwardFlag = "enable-ssh-remote-port-forwarding"
 	disableSSHAuthFlag             = "disable-ssh-auth"
-	sshJWTCacheTTLFlag             = "ssh-jwt-cache-ttl"
+	jwtCacheTTLFlag                = "jwt-cache-ttl"
+
+	// Alias for backward compatibility.
+	sshJWTCacheTTLFlag = "ssh-jwt-cache-ttl"
 )
 
 var (
@@ -61,7 +64,7 @@ var (
 	enableSSHLocalPortForward  bool
 	enableSSHRemotePortForward bool
 	disableSSHAuth             bool
-	sshJWTCacheTTL             int
+	jwtCacheTTL                int
 )
 
 func init() {
@@ -71,7 +74,9 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&enableSSHLocalPortForward, enableSSHLocalPortForwardFlag, false, "Enable local port forwarding for SSH server")
 	upCmd.PersistentFlags().BoolVar(&enableSSHRemotePortForward, enableSSHRemotePortForwardFlag, false, "Enable remote port forwarding for SSH server")
 	upCmd.PersistentFlags().BoolVar(&disableSSHAuth, disableSSHAuthFlag, false, "Disable SSH authentication")
-	upCmd.PersistentFlags().IntVar(&sshJWTCacheTTL, sshJWTCacheTTLFlag, 0, "SSH JWT token cache TTL in seconds (0=disabled)")
+	upCmd.PersistentFlags().IntVar(&jwtCacheTTL, jwtCacheTTLFlag, 0, "JWT token cache TTL in seconds (0=disabled)")
+	upCmd.PersistentFlags().IntVar(&jwtCacheTTL, sshJWTCacheTTLFlag, 0, "JWT token cache TTL in seconds (alias for --jwt-cache-ttl)")
+	_ = upCmd.PersistentFlags().MarkDeprecated(sshJWTCacheTTLFlag, "use --jwt-cache-ttl instead")
 
 	sshCmd.PersistentFlags().IntVarP(&port, "port", "p", sshserver.DefaultSSHPort, "Remote SSH port")
 	sshCmd.PersistentFlags().StringVarP(&username, "user", "u", "", sshUsernameDesc)

client/cmd/testutil_test.go

@@ -13,8 +13,6 @@ import (
 
 	"github.com/netbirdio/management-integrations/integrations"
 
-	nbcache "github.com/netbirdio/netbird/management/server/cache"
-
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
@@ -102,16 +100,9 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 
 	jobManager := job.NewJobManager(nil, store, peersmanager)
 
-	ctx := context.Background()
+	iv, _ := integrations.NewIntegratedValidator(context.Background(), peersmanager, settingsManagerMock, eventStore)
 
-	cacheStore, err := nbcache.NewStore(ctx, 100*time.Millisecond, 300*time.Millisecond, 100)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	iv, _ := integrations.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)
-
-	metrics, err := telemetry.NewDefaultAppMetrics(ctx)
+	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
 
 	settingsMockManager := settings.NewMockManager(ctrl)
@@ -122,11 +113,12 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		Return(&types.Settings{}, nil).
 		AnyTimes()
 
+	ctx := context.Background()
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := mgmt.NewAccountRequestBuffer(ctx, store)
 	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersmanager), config)
 
-	accountManager, err := mgmt.BuildManager(ctx, config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false, cacheStore)
+	accountManager, err := mgmt.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -160,7 +152,7 @@ func startClientDaemon(
 	s := grpc.NewServer()
 
 	server := client.New(ctx,
-		"", "", false, false, false)
+		"", "", false, false)
 	if err := server.Start(); err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -356,6 +356,9 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		req.ServerSSHAllowed = &serverSSHAllowed
 	}
+	if cmd.Flag(serverVNCAllowedFlag).Changed {
+		req.ServerVNCAllowed = &serverVNCAllowed
+	}
 	if cmd.Flag(enableSSHRootFlag).Changed {
 		req.EnableSSHRoot = &enableSSHRoot
 	}
@@ -371,9 +374,12 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 	if cmd.Flag(disableSSHAuthFlag).Changed {
 		req.DisableSSHAuth = &disableSSHAuth
 	}
-	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
-		sshJWTCacheTTL32 := int32(sshJWTCacheTTL)
-		req.SshJWTCacheTTL = &sshJWTCacheTTL32
+	if cmd.Flag(disableVNCAuthFlag).Changed {
+		req.DisableVNCAuth = &disableVNCAuth
+	}
+	if cmd.Flag(jwtCacheTTLFlag).Changed || cmd.Flag(sshJWTCacheTTLFlag).Changed {
+		jwtCacheTTL32 := int32(jwtCacheTTL)
+		req.SshJWTCacheTTL = &jwtCacheTTL32
 	}
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
@@ -458,6 +464,9 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		ic.ServerSSHAllowed = &serverSSHAllowed
 	}
+	if cmd.Flag(serverVNCAllowedFlag).Changed {
+		ic.ServerVNCAllowed = &serverVNCAllowed
+	}
 
 	if cmd.Flag(enableSSHRootFlag).Changed {
 		ic.EnableSSHRoot = &enableSSHRoot
@@ -479,8 +488,12 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.DisableSSHAuth = &disableSSHAuth
 	}
 
-	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
-		ic.SSHJWTCacheTTL = &sshJWTCacheTTL
+	if cmd.Flag(disableVNCAuthFlag).Changed {
+		ic.DisableVNCAuth = &disableVNCAuth
+	}
+
+	if cmd.Flag(jwtCacheTTLFlag).Changed || cmd.Flag(sshJWTCacheTTLFlag).Changed {
+		ic.SSHJWTCacheTTL = &jwtCacheTTL
 	}
 
 	if cmd.Flag(interfaceNameFlag).Changed {
@@ -582,6 +595,9 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		loginRequest.ServerSSHAllowed = &serverSSHAllowed
 	}
+	if cmd.Flag(serverVNCAllowedFlag).Changed {
+		loginRequest.ServerVNCAllowed = &serverVNCAllowed
+	}
 
 	if cmd.Flag(enableSSHRootFlag).Changed {
 		loginRequest.EnableSSHRoot = &enableSSHRoot
@@ -603,9 +619,13 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.DisableSSHAuth = &disableSSHAuth
 	}
 
-	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
-		sshJWTCacheTTL32 := int32(sshJWTCacheTTL)
-		loginRequest.SshJWTCacheTTL = &sshJWTCacheTTL32
+	if cmd.Flag(disableVNCAuthFlag).Changed {
+		loginRequest.DisableVNCAuth = &disableVNCAuth
+	}
+
+	if cmd.Flag(jwtCacheTTLFlag).Changed || cmd.Flag(sshJWTCacheTTLFlag).Changed {
+		jwtCacheTTL32 := int32(jwtCacheTTL)
+		loginRequest.SshJWTCacheTTL = &jwtCacheTTL32
 	}
 
 	if cmd.Flag(disableAutoConnectFlag).Changed {

client/cmd/vnc.go

@@ -0,0 +1,271 @@
+package cmd
+
+import (
+	"context"
+	"encoding/binary"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"os/signal"
+	"os/user"
+	"strings"
+	"syscall"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	"github.com/netbirdio/netbird/client/proto"
+	nbssh "github.com/netbirdio/netbird/client/ssh"
+	"github.com/netbirdio/netbird/util"
+)
+
+var (
+	vncUsername  string
+	vncHost      string
+	vncMode      string
+	vncListen    string
+	vncNoBrowser bool
+	vncNoCache   bool
+)
+
+func init() {
+	vncCmd.PersistentFlags().StringVar(&vncUsername, "user", "", "OS username for session mode")
+	vncCmd.PersistentFlags().StringVar(&vncMode, "mode", "attach", "Connection mode: attach (view current display) or session (virtual desktop)")
+	vncCmd.PersistentFlags().StringVar(&vncListen, "listen", "", "Start local VNC proxy on this address (e.g., :5900) for external VNC viewers")
+	vncCmd.PersistentFlags().BoolVar(&vncNoBrowser, noBrowserFlag, false, noBrowserDesc)
+	vncCmd.PersistentFlags().BoolVar(&vncNoCache, "no-cache", false, "Skip cached JWT token and force fresh authentication")
+}
+
+var vncCmd = &cobra.Command{
+	Use:   "vnc [flags] [user@]host",
+	Short: "Connect to a NetBird peer via VNC",
+	Long: `Connect to a NetBird peer using VNC with JWT-based authentication.
+The target peer must have the VNC server enabled.
+
+Two modes are available:
+  - attach: view the current physical display (remote support)
+  - session: start a virtual desktop as the specified user (passwordless login)
+
+Use --listen to start a local proxy for external VNC viewers:
+  netbird vnc --listen :5900 peer-hostname
+  vncviewer localhost:5900
+
+Examples:
+  netbird vnc peer-hostname
+  netbird vnc --mode session --user alice peer-hostname
+  netbird vnc --listen :5900 peer-hostname`,
+	Args: cobra.MinimumNArgs(1),
+	RunE: vncFn,
+}
+
+func vncFn(cmd *cobra.Command, args []string) error {
+	SetFlagsFromEnvVars(rootCmd)
+	SetFlagsFromEnvVars(cmd)
+	cmd.SetOut(cmd.OutOrStdout())
+
+	logOutput := "console"
+	if firstLogFile := util.FindFirstLogPath(logFiles); firstLogFile != "" && firstLogFile != defaultLogFile {
+		logOutput = firstLogFile
+	}
+	if err := util.InitLog(logLevel, logOutput); err != nil {
+		return fmt.Errorf("init log: %w", err)
+	}
+
+	if err := parseVNCHostArg(args[0]); err != nil {
+		return err
+	}
+
+	ctx := internal.CtxInitState(cmd.Context())
+	sig := make(chan os.Signal, 1)
+	signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT)
+	vncCtx, cancel := context.WithCancel(ctx)
+
+	errCh := make(chan error, 1)
+	go func() {
+		if err := runVNC(vncCtx, cmd); err != nil {
+			errCh <- err
+		}
+		cancel()
+	}()
+
+	select {
+	case <-sig:
+		cancel()
+		<-vncCtx.Done()
+		return nil
+	case err := <-errCh:
+		return err
+	case <-vncCtx.Done():
+	}
+
+	return nil
+}
+
+func parseVNCHostArg(arg string) error {
+	if strings.Contains(arg, "@") {
+		parts := strings.SplitN(arg, "@", 2)
+		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
+			return fmt.Errorf("invalid user@host format")
+		}
+		if vncUsername == "" {
+			vncUsername = parts[0]
+		}
+		vncHost = parts[1]
+		if vncMode == "attach" {
+			vncMode = "session"
+		}
+	} else {
+		vncHost = arg
+	}
+
+	if vncMode == "session" && vncUsername == "" {
+		if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+			vncUsername = sudoUser
+		} else if currentUser, err := user.Current(); err == nil {
+			vncUsername = currentUser.Username
+		}
+	}
+
+	return nil
+}
+
+func runVNC(ctx context.Context, cmd *cobra.Command) error {
+	grpcAddr := strings.TrimPrefix(daemonAddr, "tcp://")
+	grpcConn, err := grpc.NewClient(grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		return fmt.Errorf("connect to daemon: %w", err)
+	}
+	defer func() { _ = grpcConn.Close() }()
+
+	daemonClient := proto.NewDaemonServiceClient(grpcConn)
+
+	if vncMode == "session" {
+		cmd.Printf("Connecting to %s@%s [session mode]...\n", vncUsername, vncHost)
+	} else {
+		cmd.Printf("Connecting to %s [attach mode]...\n", vncHost)
+	}
+
+	// Obtain JWT token. If the daemon has no SSO configured, proceed without one
+	// (the server will accept unauthenticated connections if --disable-vnc-auth is set).
+	var jwtToken string
+	hint := profilemanager.GetLoginHint()
+	var browserOpener func(string) error
+	if !vncNoBrowser {
+		browserOpener = util.OpenBrowser
+	}
+
+	token, err := nbssh.RequestJWTToken(ctx, daemonClient, nil, cmd.ErrOrStderr(), !vncNoCache, hint, browserOpener)
+	if err != nil {
+		log.Debugf("JWT authentication unavailable, connecting without token: %v", err)
+	} else {
+		jwtToken = token
+		log.Debug("JWT authentication successful")
+	}
+
+	// Connect to the VNC server on the standard port (5900). The peer's firewall
+	// DNATs 5900 -> 25900 (internal), so both ports work on the overlay network.
+	vncAddr := net.JoinHostPort(vncHost, "5900")
+	vncConn, err := net.DialTimeout("tcp", vncAddr, vncDialTimeout)
+	if err != nil {
+		return fmt.Errorf("connect to VNC at %s: %w", vncAddr, err)
+	}
+	defer vncConn.Close()
+
+	// Send session header with mode, username, and JWT.
+	if err := sendVNCHeader(vncConn, vncMode, vncUsername, jwtToken); err != nil {
+		return fmt.Errorf("send VNC header: %w", err)
+	}
+
+	cmd.Printf("VNC connected to %s\n", vncHost)
+
+	if vncListen != "" {
+		return runVNCLocalProxy(ctx, cmd, vncConn)
+	}
+
+	// No --listen flag: inform the user they need to use --listen for external viewers.
+	cmd.Printf("VNC tunnel established. Use --listen :5900 to proxy for local VNC viewers.\n")
+	cmd.Printf("Press Ctrl+C to disconnect.\n")
+	<-ctx.Done()
+	return nil
+}
+
+const vncDialTimeout = 15 * time.Second
+
+// sendVNCHeader writes the NetBird VNC session header.
+func sendVNCHeader(conn net.Conn, mode, username, jwt string) error {
+	var modeByte byte
+	if mode == "session" {
+		modeByte = 1
+	}
+
+	usernameBytes := []byte(username)
+	jwtBytes := []byte(jwt)
+	hdr := make([]byte, 3+len(usernameBytes)+2+len(jwtBytes))
+	hdr[0] = modeByte
+	binary.BigEndian.PutUint16(hdr[1:3], uint16(len(usernameBytes)))
+	off := 3
+	copy(hdr[off:], usernameBytes)
+	off += len(usernameBytes)
+	binary.BigEndian.PutUint16(hdr[off:off+2], uint16(len(jwtBytes)))
+	off += 2
+	copy(hdr[off:], jwtBytes)
+
+	_, err := conn.Write(hdr)
+	return err
+}
+
+// runVNCLocalProxy listens on the given address and proxies incoming
+// connections to the already-established VNC tunnel.
+func runVNCLocalProxy(ctx context.Context, cmd *cobra.Command, vncConn net.Conn) error {
+	listener, err := net.Listen("tcp", vncListen)
+	if err != nil {
+		return fmt.Errorf("listen on %s: %w", vncListen, err)
+	}
+	defer listener.Close()
+
+	cmd.Printf("VNC proxy listening on %s - connect with your VNC viewer\n", listener.Addr())
+	cmd.Printf("Press Ctrl+C to stop.\n")
+
+	go func() {
+		<-ctx.Done()
+		listener.Close()
+	}()
+
+	// Accept a single viewer connection. VNC is single-session: the RFB
+	// handshake completes on vncConn for the first viewer, so subsequent
+	// viewers would get a mid-stream connection. The loop handles transient
+	// accept errors until a valid connection arrives.
+	for {
+		clientConn, err := listener.Accept()
+		if err != nil {
+			select {
+			case <-ctx.Done():
+				return nil
+			default:
+			}
+			log.Debugf("accept VNC proxy client: %v", err)
+			continue
+		}
+
+		cmd.Printf("VNC viewer connected from %s\n", clientConn.RemoteAddr())
+
+		// Bidirectional copy.
+		done := make(chan struct{})
+		go func() {
+			io.Copy(vncConn, clientConn)
+			close(done)
+		}()
+		io.Copy(clientConn, vncConn)
+		<-done
+		clientConn.Close()
+
+		cmd.Printf("VNC viewer disconnected\n")
+		return nil
+	}
+}

client/cmd/vnc_agent.go

@@ -0,0 +1,62 @@
+//go:build windows
+
+package cmd
+
+import (
+	"net/netip"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	vncserver "github.com/netbirdio/netbird/client/vnc/server"
+)
+
+var vncAgentPort string
+
+func init() {
+	vncAgentCmd.Flags().StringVar(&vncAgentPort, "port", "15900", "Port for the VNC agent to listen on")
+	rootCmd.AddCommand(vncAgentCmd)
+}
+
+// vncAgentCmd runs a VNC server in the current user session, listening on
+// localhost. It is spawned by the NetBird service (Session 0) via
+// CreateProcessAsUser into the interactive console session.
+var vncAgentCmd = &cobra.Command{
+	Use:    "vnc-agent",
+	Short:  "Run VNC capture agent (internal, spawned by service)",
+	Hidden: true,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		// Agent's stderr is piped to the service which relogs it.
+		// Use JSON format with caller info for structured parsing.
+		log.SetReportCaller(true)
+		log.SetFormatter(&log.JSONFormatter{})
+		log.SetOutput(os.Stderr)
+
+		sessionID := vncserver.GetCurrentSessionID()
+		log.Infof("VNC agent starting on 127.0.0.1:%s (session %d)", vncAgentPort, sessionID)
+
+		capturer := vncserver.NewDesktopCapturer()
+		injector := vncserver.NewWindowsInputInjector()
+		srv := vncserver.New(capturer, injector, "")
+		// Auth is handled by the service. The agent verifies a token on each
+		// connection to ensure only the service process can connect.
+		// The token is passed via environment variable to avoid exposing it
+		// in the process command line (visible via tasklist/wmic).
+		srv.SetDisableAuth(true)
+		srv.SetAgentToken(os.Getenv("NB_VNC_AGENT_TOKEN"))
+
+		port, err := netip.ParseAddrPort("127.0.0.1:" + vncAgentPort)
+		if err != nil {
+			return err
+		}
+
+		loopback := netip.PrefixFrom(netip.AddrFrom4([4]byte{127, 0, 0, 0}), 8)
+		if err := srv.Start(cmd.Context(), port, loopback); err != nil {
+			return err
+		}
+
+		<-cmd.Context().Done()
+		return srv.Stop()
+	},
+}

client/cmd/vnc_flags.go

@@ -0,0 +1,16 @@
+package cmd
+
+const (
+	serverVNCAllowedFlag = "allow-server-vnc"
+	disableVNCAuthFlag   = "disable-vnc-auth"
+)
+
+var (
+	serverVNCAllowed bool
+	disableVNCAuth   bool
+)
+
+func init() {
+	upCmd.PersistentFlags().BoolVar(&serverVNCAllowed, serverVNCAllowedFlag, false, "Allow embedded VNC server on peer")
+	upCmd.PersistentFlags().BoolVar(&disableVNCAuth, disableVNCAuthFlag, false, "Disable JWT authentication for VNC")
+}

client/firewall/create_linux.go

@@ -56,13 +56,6 @@ func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogg
 		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
 	}
 
-	// Native firewall handles packet filtering, but the userspace WireGuard bind
-	// needs a device filter for DNS interception hooks. Install a minimal
-	// hooks-only filter that passes all traffic through to the kernel firewall.
-	if err := iface.SetFilter(&uspfilter.HooksFilter{}); err != nil {
-		log.Warnf("failed to set hooks filter, DNS via memory hooks will not work: %v", err)
-	}
-
 	return fm, nil
 }
 

client/firewall/iptables/acl_linux.go

@@ -21,10 +21,6 @@ const (
 
 	// rules chains contains the effective ACL rules
 	chainNameInputRules = "NETBIRD-ACL-INPUT"
-
-	// mangleFwdKey is the entries map key for mangle FORWARD guard rules that prevent
-	// external DNAT from bypassing ACL rules.
-	mangleFwdKey = "MANGLE-FORWARD"
 )
 
 type aclEntries map[string][][]string
@@ -278,12 +274,6 @@ func (m *aclManager) cleanChains() error {
 		}
 	}
 
-	for _, rule := range m.entries[mangleFwdKey] {
-		if err := m.iptablesClient.DeleteIfExists(tableMangle, chainFORWARD, rule...); err != nil {
-			log.Errorf("failed to delete mangle FORWARD guard rule: %v, %s", rule, err)
-		}
-	}
-
 	for _, ipsetName := range m.ipsetStore.ipsetNames() {
 		if err := m.flushIPSet(ipsetName); err != nil {
 			if errors.Is(err, ipset.ErrSetNotExist) {
@@ -313,10 +303,6 @@ func (m *aclManager) createDefaultChains() error {
 	}
 
 	for chainName, rules := range m.entries {
-		// mangle FORWARD guard rules are handled separately below
-		if chainName == mangleFwdKey {
-			continue
-		}
 		for _, rule := range rules {
 			if err := m.iptablesClient.InsertUnique(tableName, chainName, 1, rule...); err != nil {
 				log.Debugf("failed to create input chain jump rule: %s", err)
@@ -336,13 +322,6 @@ func (m *aclManager) createDefaultChains() error {
 	}
 	clear(m.optionalEntries)
 
-	// Insert mangle FORWARD guard rules to prevent external DNAT bypass.
-	for _, rule := range m.entries[mangleFwdKey] {
-		if err := m.iptablesClient.AppendUnique(tableMangle, chainFORWARD, rule...); err != nil {
-			log.Errorf("failed to add mangle FORWARD guard rule: %v", err)
-		}
-	}
-
 	return nil
 }
 
@@ -364,22 +343,6 @@ func (m *aclManager) seedInitialEntries() {
 
 	m.appendToEntries("FORWARD", []string{"-o", m.wgIface.Name(), "-j", chainRTFWDOUT})
 	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", chainRTFWDIN})
-
-	// Mangle FORWARD guard: when external DNAT redirects traffic from the wg interface, it
-	// traverses FORWARD instead of INPUT, bypassing ACL rules. ACCEPT rules in filter FORWARD
-	// can be inserted above ours. Mangle runs before filter, so these guard rules enforce the
-	// ACL mark check where it cannot be overridden.
-	m.appendToEntries(mangleFwdKey, []string{
-		"-i", m.wgIface.Name(),
-		"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED",
-		"-j", "ACCEPT",
-	})
-	m.appendToEntries(mangleFwdKey, []string{
-		"-i", m.wgIface.Name(),
-		"-m", "conntrack", "--ctstate", "DNAT",
-		"-m", "mark", "!", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected),
-		"-j", "DROP",
-	})
 }
 
 func (m *aclManager) seedInitialOptionalEntries() {

client/firewall/uspfilter/common/hooks.go

@@ -1,37 +0,0 @@
-package common
-
-import (
-	"net/netip"
-	"sync/atomic"
-)
-
-// PacketHook stores a registered hook for a specific IP:port.
-type PacketHook struct {
-	IP   netip.Addr
-	Port uint16
-	Fn   func([]byte) bool
-}
-
-// HookMatches checks if a packet's destination matches the hook and invokes it.
-func HookMatches(h *PacketHook, dstIP netip.Addr, dport uint16, packetData []byte) bool {
-	if h == nil {
-		return false
-	}
-	if h.IP == dstIP && h.Port == dport {
-		return h.Fn(packetData)
-	}
-	return false
-}
-
-// SetHook atomically stores a hook, handling nil removal.
-func SetHook(ptr *atomic.Pointer[PacketHook], ip netip.Addr, dPort uint16, hook func([]byte) bool) {
-	if hook == nil {
-		ptr.Store(nil)
-		return
-	}
-	ptr.Store(&PacketHook{
-		IP:   ip,
-		Port: dPort,
-		Fn:   hook,
-	})
-}

client/firewall/uspfilter/filter.go

@@ -142,8 +142,15 @@ type Manager struct {
 	mssClampEnabled bool
 
 	// Only one hook per protocol is supported. Outbound direction only.
-	udpHookOut atomic.Pointer[common.PacketHook]
-	tcpHookOut atomic.Pointer[common.PacketHook]
+	udpHookOut atomic.Pointer[packetHook]
+	tcpHookOut atomic.Pointer[packetHook]
+}
+
+// packetHook stores a registered hook for a specific IP:port.
+type packetHook struct {
+	ip   netip.Addr
+	port uint16
+	fn   func([]byte) bool
 }
 
 // decoder for packages
@@ -905,11 +912,21 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 }
 
 func (m *Manager) udpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	return common.HookMatches(m.udpHookOut.Load(), dstIP, dport, packetData)
+	return hookMatches(m.udpHookOut.Load(), dstIP, dport, packetData)
 }
 
 func (m *Manager) tcpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	return common.HookMatches(m.tcpHookOut.Load(), dstIP, dport, packetData)
+	return hookMatches(m.tcpHookOut.Load(), dstIP, dport, packetData)
+}
+
+func hookMatches(h *packetHook, dstIP netip.Addr, dport uint16, packetData []byte) bool {
+	if h == nil {
+		return false
+	}
+	if h.ip == dstIP && h.port == dport {
+		return h.fn(packetData)
+	}
+	return false
 }
 
 // filterInbound implements filtering logic for incoming packets.
@@ -1320,12 +1337,28 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 
 // SetUDPPacketHook sets the outbound UDP packet hook. Pass nil hook to remove.
 func (m *Manager) SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
-	common.SetHook(&m.udpHookOut, ip, dPort, hook)
+	if hook == nil {
+		m.udpHookOut.Store(nil)
+		return
+	}
+	m.udpHookOut.Store(&packetHook{
+		ip:   ip,
+		port: dPort,
+		fn:   hook,
+	})
 }
 
 // SetTCPPacketHook sets the outbound TCP packet hook. Pass nil hook to remove.
 func (m *Manager) SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
-	common.SetHook(&m.tcpHookOut, ip, dPort, hook)
+	if hook == nil {
+		m.tcpHookOut.Store(nil)
+		return
+	}
+	m.tcpHookOut.Store(&packetHook{
+		ip:   ip,
+		port: dPort,
+		fn:   hook,
+	})
 }
 
 // SetLogLevel sets the log level for the firewall manager

client/firewall/uspfilter/filter_test.go

@@ -202,9 +202,9 @@ func TestSetUDPPacketHook(t *testing.T) {
 
 	h := manager.udpHookOut.Load()
 	require.NotNil(t, h)
-	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.IP)
-	assert.Equal(t, uint16(8000), h.Port)
-	assert.True(t, h.Fn(nil))
+	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.ip)
+	assert.Equal(t, uint16(8000), h.port)
+	assert.True(t, h.fn(nil))
 	assert.True(t, called)
 
 	manager.SetUDPPacketHook(netip.MustParseAddr("10.168.0.1"), 8000, nil)
@@ -226,9 +226,9 @@ func TestSetTCPPacketHook(t *testing.T) {
 
 	h := manager.tcpHookOut.Load()
 	require.NotNil(t, h)
-	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.IP)
-	assert.Equal(t, uint16(53), h.Port)
-	assert.True(t, h.Fn(nil))
+	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.ip)
+	assert.Equal(t, uint16(53), h.port)
+	assert.True(t, h.fn(nil))
 	assert.True(t, called)
 
 	manager.SetTCPPacketHook(netip.MustParseAddr("10.168.0.1"), 53, nil)

client/firewall/uspfilter/hooks_filter.go

@@ -1,90 +0,0 @@
-package uspfilter
-
-import (
-	"encoding/binary"
-	"net/netip"
-	"sync/atomic"
-
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
-	"github.com/netbirdio/netbird/client/iface/device"
-)
-
-const (
-	ipv4HeaderMinLen = 20
-	ipv4ProtoOffset  = 9
-	ipv4FlagsOffset  = 6
-	ipv4DstOffset    = 16
-	ipProtoUDP       = 17
-	ipProtoTCP       = 6
-	ipv4FragOffMask  = 0x1fff
-	// dstPortOffset is the offset of the destination port within a UDP or TCP header.
-	dstPortOffset = 2
-)
-
-// HooksFilter is a minimal packet filter that only handles outbound DNS hooks.
-// It is installed on the WireGuard interface when the userspace bind is active
-// but a full firewall filter (Manager) is not needed because a native kernel
-// firewall (nftables/iptables) handles packet filtering.
-type HooksFilter struct {
-	udpHook atomic.Pointer[common.PacketHook]
-	tcpHook atomic.Pointer[common.PacketHook]
-}
-
-var _ device.PacketFilter = (*HooksFilter)(nil)
-
-// FilterOutbound checks outbound packets for DNS hook matches.
-// Only IPv4 packets matching the registered hook IP:port are intercepted.
-// IPv6 and non-IP packets pass through unconditionally.
-func (f *HooksFilter) FilterOutbound(packetData []byte, _ int) bool {
-	if len(packetData) < ipv4HeaderMinLen {
-		return false
-	}
-
-	// Only process IPv4 packets, let everything else pass through.
-	if packetData[0]>>4 != 4 {
-		return false
-	}
-
-	ihl := int(packetData[0]&0x0f) * 4
-	if ihl < ipv4HeaderMinLen || len(packetData) < ihl+4 {
-		return false
-	}
-
-	// Skip non-first fragments: they don't carry L4 headers.
-	flagsAndOffset := binary.BigEndian.Uint16(packetData[ipv4FlagsOffset : ipv4FlagsOffset+2])
-	if flagsAndOffset&ipv4FragOffMask != 0 {
-		return false
-	}
-
-	dstIP, ok := netip.AddrFromSlice(packetData[ipv4DstOffset : ipv4DstOffset+4])
-	if !ok {
-		return false
-	}
-
-	proto := packetData[ipv4ProtoOffset]
-	dstPort := binary.BigEndian.Uint16(packetData[ihl+dstPortOffset : ihl+dstPortOffset+2])
-
-	switch proto {
-	case ipProtoUDP:
-		return common.HookMatches(f.udpHook.Load(), dstIP, dstPort, packetData)
-	case ipProtoTCP:
-		return common.HookMatches(f.tcpHook.Load(), dstIP, dstPort, packetData)
-	default:
-		return false
-	}
-}
-
-// FilterInbound allows all inbound packets (native firewall handles filtering).
-func (f *HooksFilter) FilterInbound([]byte, int) bool {
-	return false
-}
-
-// SetUDPPacketHook registers the UDP packet hook.
-func (f *HooksFilter) SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func([]byte) bool) {
-	common.SetHook(&f.udpHook, ip, dPort, hook)
-}
-
-// SetTCPPacketHook registers the TCP packet hook.
-func (f *HooksFilter) SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func([]byte) bool) {
-	common.SetHook(&f.tcpHook, ip, dPort, hook)
-}

client/iface/udpmux/universal.go

@@ -171,7 +171,7 @@ func (u *UDPConn) performFilterCheck(addr net.Addr) error {
 	}
 
 	if u.address.Network.Contains(a) {
-		log.Warnf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
+		log.Warnf("Address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 		return fmt.Errorf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 	}
 
@@ -181,7 +181,7 @@ func (u *UDPConn) performFilterCheck(addr net.Addr) error {
 		u.addrCache.Store(addr.String(), isRouted)
 		if isRouted {
 			// Extra log, as the error only shows up with ICE logging enabled
-			log.Infof("address %s is part of routed network %s, refusing to write", addr, prefix)
+			log.Infof("Address %s is part of routed network %s, refusing to write", addr, prefix)
 			return fmt.Errorf("address %s is part of routed network %s, refusing to write", addr, prefix)
 		}
 	}

client/internal/auth/auth.go

@@ -315,6 +315,7 @@ func (a *Auth) setSystemInfoFlags(info *system.Info) {
 		a.config.RosenpassEnabled,
 		a.config.RosenpassPermissive,
 		a.config.ServerSSHAllowed,
+		a.config.ServerVNCAllowed,
 		a.config.DisableClientRoutes,
 		a.config.DisableServerRoutes,
 		a.config.DisableDNS,
@@ -327,6 +328,7 @@ func (a *Auth) setSystemInfoFlags(info *system.Info) {
 		a.config.EnableSSHLocalPortForwarding,
 		a.config.EnableSSHRemotePortForwarding,
 		a.config.DisableSSHAuth,
+		a.config.DisableVNCAuth,
 	)
 }
 

client/internal/connect.go

@@ -543,11 +543,13 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		RosenpassEnabled:              config.RosenpassEnabled,
 		RosenpassPermissive:           config.RosenpassPermissive,
 		ServerSSHAllowed:              util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
+		ServerVNCAllowed:              config.ServerVNCAllowed != nil && *config.ServerVNCAllowed,
 		EnableSSHRoot:                 config.EnableSSHRoot,
 		EnableSSHSFTP:                 config.EnableSSHSFTP,
 		EnableSSHLocalPortForwarding:  config.EnableSSHLocalPortForwarding,
 		EnableSSHRemotePortForwarding: config.EnableSSHRemotePortForwarding,
 		DisableSSHAuth:                config.DisableSSHAuth,
+		DisableVNCAuth:                config.DisableVNCAuth,
 		DNSRouteInterval:              config.DNSRouteInterval,
 
 		DisableClientRoutes: config.DisableClientRoutes,
@@ -624,6 +626,7 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.RosenpassEnabled,
 		config.RosenpassPermissive,
 		config.ServerSSHAllowed,
+		config.ServerVNCAllowed,
 		config.DisableClientRoutes,
 		config.DisableServerRoutes,
 		config.DisableDNS,
@@ -636,6 +639,7 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.EnableSSHLocalPortForwarding,
 		config.EnableSSHRemotePortForwarding,
 		config.DisableSSHAuth,
+		config.DisableVNCAuth,
 	)
 	return client.Login(sysInfo, pubSSHKey, config.DNSLabels)
 }

client/internal/engine.go

@@ -117,11 +117,13 @@ type EngineConfig struct {
 	RosenpassPermissive bool
 
 	ServerSSHAllowed              bool
+	ServerVNCAllowed              bool
 	EnableSSHRoot                 *bool
 	EnableSSHSFTP                 *bool
 	EnableSSHLocalPortForwarding  *bool
 	EnableSSHRemotePortForwarding *bool
 	DisableSSHAuth                *bool
+	DisableVNCAuth                *bool
 
 	DNSRouteInterval time.Duration
 
@@ -197,6 +199,7 @@ type Engine struct {
 	networkMonitor *networkmonitor.NetworkMonitor
 
 	sshServer sshServer
+	vncSrv    vncServer
 
 	statusRecorder *peer.Status
 
@@ -310,6 +313,10 @@ func (e *Engine) Stop() error {
 		log.Warnf("failed to stop SSH server: %v", err)
 	}
 
+	if err := e.stopVNCServer(); err != nil {
+		log.Warnf("failed to stop VNC server: %v", err)
+	}
+
 	e.cleanupSSHConfig()
 
 	if e.ingressGatewayMgr != nil {
@@ -997,6 +1004,7 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 		e.config.RosenpassEnabled,
 		e.config.RosenpassPermissive,
 		&e.config.ServerSSHAllowed,
+		&e.config.ServerVNCAllowed,
 		e.config.DisableClientRoutes,
 		e.config.DisableServerRoutes,
 		e.config.DisableDNS,
@@ -1009,6 +1017,7 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 		e.config.EnableSSHLocalPortForwarding,
 		e.config.EnableSSHRemotePortForwarding,
 		e.config.DisableSSHAuth,
+		e.config.DisableVNCAuth,
 	)
 
 	if err := e.mgmClient.SyncMeta(info); err != nil {
@@ -1036,6 +1045,10 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 		}
 	}
 
+	if err := e.updateVNC(conf.GetSshConfig()); err != nil {
+		log.Warnf("failed handling VNC server setup: %v", err)
+	}
+
 	state := e.statusRecorder.GetLocalPeerState()
 	state.IP = e.wgInterface.Address().String()
 	state.PubKey = e.config.WgPrivateKey.PublicKey().String()
@@ -1137,6 +1150,7 @@ func (e *Engine) receiveManagementEvents() {
 			e.config.RosenpassEnabled,
 			e.config.RosenpassPermissive,
 			&e.config.ServerSSHAllowed,
+			&e.config.ServerVNCAllowed,
 			e.config.DisableClientRoutes,
 			e.config.DisableServerRoutes,
 			e.config.DisableDNS,
@@ -1149,6 +1163,7 @@ func (e *Engine) receiveManagementEvents() {
 			e.config.EnableSSHLocalPortForwarding,
 			e.config.EnableSSHRemotePortForwarding,
 			e.config.DisableSSHAuth,
+			e.config.DisableVNCAuth,
 		)
 
 		err = e.mgmClient.Sync(e.ctx, info, e.handleSync)
@@ -1323,6 +1338,11 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		}
 
 		e.updateSSHServerAuth(networkMap.GetSshAuth())
+
+		// VNC auth: use dedicated VNCAuth if present.
+		if vncAuth := networkMap.GetVncAuth(); vncAuth != nil {
+			e.updateVNCServerAuth(vncAuth)
+		}
 	}
 
 	// must set the exclude list after the peers are added. Without it the manager can not figure out the peers parameters from the store
@@ -1732,6 +1752,7 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, err
 		e.config.RosenpassEnabled,
 		e.config.RosenpassPermissive,
 		&e.config.ServerSSHAllowed,
+		&e.config.ServerVNCAllowed,
 		e.config.DisableClientRoutes,
 		e.config.DisableServerRoutes,
 		e.config.DisableDNS,
@@ -1744,6 +1765,7 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, err
 		e.config.EnableSSHLocalPortForwarding,
 		e.config.EnableSSHRemotePortForwarding,
 		e.config.DisableSSHAuth,
+		e.config.DisableVNCAuth,
 	)
 
 	netMap, err := e.mgmClient.GetNetworkMap(info)

client/internal/engine_test.go

@@ -55,7 +55,6 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
-	nbcache "github.com/netbirdio/netbird/management/server/cache"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
@@ -1635,12 +1634,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	peersManager := peers.NewManager(store, permissionsManager)
 	jobManager := job.NewJobManager(nil, store, peersManager)
 
-	cacheStore, err := nbcache.NewStore(context.Background(), 100*time.Millisecond, 300*time.Millisecond, 100)
-	if err != nil {
-		return nil, "", err
-	}
-
-	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)
+	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore)
 
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
@@ -1662,7 +1656,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := server.NewAccountRequestBuffer(context.Background(), store)
 	networkMapController := controller.NewController(context.Background(), store, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersManager), config)
-	accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
+	accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/engine_vnc.go

@@ -0,0 +1,247 @@
+package internal
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+
+	log "github.com/sirupsen/logrus"
+
+	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
+	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
+	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
+	vncserver "github.com/netbirdio/netbird/client/vnc/server"
+	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	sshuserhash "github.com/netbirdio/netbird/shared/sshauth"
+)
+
+const (
+	vncExternalPort uint16 = 5900
+	vncInternalPort uint16 = 25900
+)
+
+type vncServer interface {
+	Start(ctx context.Context, addr netip.AddrPort, network netip.Prefix) error
+	Stop() error
+}
+
+func (e *Engine) setupVNCPortRedirection() error {
+	if e.firewall == nil || e.wgInterface == nil {
+		return nil
+	}
+
+	localAddr := e.wgInterface.Address().IP
+	if !localAddr.IsValid() {
+		return errors.New("invalid local NetBird address")
+	}
+
+	if err := e.firewall.AddInboundDNAT(localAddr, firewallManager.ProtocolTCP, vncExternalPort, vncInternalPort); err != nil {
+		return fmt.Errorf("add VNC port redirection: %w", err)
+	}
+	log.Infof("VNC port redirection: %s:%d -> %s:%d", localAddr, vncExternalPort, localAddr, vncInternalPort)
+
+	return nil
+}
+
+func (e *Engine) cleanupVNCPortRedirection() error {
+	if e.firewall == nil || e.wgInterface == nil {
+		return nil
+	}
+
+	localAddr := e.wgInterface.Address().IP
+	if !localAddr.IsValid() {
+		return errors.New("invalid local NetBird address")
+	}
+
+	if err := e.firewall.RemoveInboundDNAT(localAddr, firewallManager.ProtocolTCP, vncExternalPort, vncInternalPort); err != nil {
+		return fmt.Errorf("remove VNC port redirection: %w", err)
+	}
+
+	return nil
+}
+
+// updateVNC handles starting/stopping the VNC server based on the config flag.
+// sshConf provides the JWT identity provider config (shared with SSH).
+func (e *Engine) updateVNC(sshConf *mgmProto.SSHConfig) error {
+	if !e.config.ServerVNCAllowed {
+		if e.vncSrv != nil {
+			log.Info("VNC server disabled, stopping")
+		}
+		return e.stopVNCServer()
+	}
+
+	if e.config.BlockInbound {
+		log.Info("VNC server disabled because inbound connections are blocked")
+		return e.stopVNCServer()
+	}
+
+	if e.vncSrv != nil {
+		// Update JWT config on existing server in case management sent new config.
+		e.updateVNCServerJWT(sshConf)
+		return nil
+	}
+
+	return e.startVNCServer(sshConf)
+}
+
+func (e *Engine) startVNCServer(sshConf *mgmProto.SSHConfig) error {
+	if e.wgInterface == nil {
+		return errors.New("wg interface not initialized")
+	}
+
+	capturer, injector := newPlatformVNC()
+	if capturer == nil || injector == nil {
+		log.Debug("VNC server not supported on this platform")
+		return nil
+	}
+
+	netbirdIP := e.wgInterface.Address().IP
+
+	srv := vncserver.New(capturer, injector, "")
+	if vncNeedsServiceMode() {
+		log.Info("VNC: running in Session 0, enabling service mode (agent proxy)")
+		srv.SetServiceMode(true)
+	}
+
+	// Configure VNC authentication.
+	if e.config.DisableVNCAuth != nil && *e.config.DisableVNCAuth {
+		log.Info("VNC: authentication disabled by config")
+		srv.SetDisableAuth(true)
+	} else if protoJWT := sshConf.GetJwtConfig(); protoJWT != nil {
+		audiences := protoJWT.GetAudiences()
+		if len(audiences) == 0 && protoJWT.GetAudience() != "" {
+			audiences = []string{protoJWT.GetAudience()}
+		}
+		srv.SetJWTConfig(&vncserver.JWTConfig{
+			Issuer:       protoJWT.GetIssuer(),
+			Audiences:    audiences,
+			KeysLocation: protoJWT.GetKeysLocation(),
+			MaxTokenAge:  protoJWT.GetMaxTokenAge(),
+		})
+		log.Debugf("VNC: JWT authentication configured (issuer=%s)", protoJWT.GetIssuer())
+	}
+
+	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
+		srv.SetNetstackNet(netstackNet)
+	}
+
+	listenAddr := netip.AddrPortFrom(netbirdIP, vncInternalPort)
+	network := e.wgInterface.Address().Network
+	if err := srv.Start(e.ctx, listenAddr, network); err != nil {
+		return fmt.Errorf("start VNC server: %w", err)
+	}
+
+	e.vncSrv = srv
+
+	if registrar, ok := e.firewall.(interface {
+		RegisterNetstackService(protocol nftypes.Protocol, port uint16)
+	}); ok {
+		registrar.RegisterNetstackService(nftypes.TCP, vncInternalPort)
+		log.Debugf("registered VNC service for TCP:%d", vncInternalPort)
+	}
+
+	if err := e.setupVNCPortRedirection(); err != nil {
+		log.Warnf("setup VNC port redirection: %v", err)
+	}
+
+	log.Info("VNC server enabled")
+	return nil
+}
+
+// updateVNCServerJWT configures the JWT validation for the VNC server using
+// the same JWT config as SSH (same identity provider).
+func (e *Engine) updateVNCServerJWT(sshConf *mgmProto.SSHConfig) {
+	if e.vncSrv == nil {
+		return
+	}
+
+	vncSrv, ok := e.vncSrv.(*vncserver.Server)
+	if !ok {
+		return
+	}
+
+	if e.config.DisableVNCAuth != nil && *e.config.DisableVNCAuth {
+		vncSrv.SetDisableAuth(true)
+		return
+	}
+
+	protoJWT := sshConf.GetJwtConfig()
+	if protoJWT == nil {
+		return
+	}
+
+	audiences := protoJWT.GetAudiences()
+	if len(audiences) == 0 && protoJWT.GetAudience() != "" {
+		audiences = []string{protoJWT.GetAudience()}
+	}
+
+	vncSrv.SetJWTConfig(&vncserver.JWTConfig{
+		Issuer:       protoJWT.GetIssuer(),
+		Audiences:    audiences,
+		KeysLocation: protoJWT.GetKeysLocation(),
+		MaxTokenAge:  protoJWT.GetMaxTokenAge(),
+	})
+}
+
+// updateVNCServerAuth updates VNC fine-grained access control from management.
+func (e *Engine) updateVNCServerAuth(vncAuth *mgmProto.VNCAuth) {
+	if vncAuth == nil || e.vncSrv == nil {
+		return
+	}
+
+	vncSrv, ok := e.vncSrv.(*vncserver.Server)
+	if !ok {
+		return
+	}
+
+	protoUsers := vncAuth.GetAuthorizedUsers()
+	authorizedUsers := make([]sshuserhash.UserIDHash, len(protoUsers))
+	for i, hash := range protoUsers {
+		if len(hash) != 16 {
+			log.Warnf("invalid VNC auth hash length %d, expected 16", len(hash))
+			return
+		}
+		authorizedUsers[i] = sshuserhash.UserIDHash(hash)
+	}
+
+	machineUsers := make(map[string][]uint32)
+	for osUser, indexes := range vncAuth.GetMachineUsers() {
+		machineUsers[osUser] = indexes.GetIndexes()
+	}
+
+	vncSrv.UpdateVNCAuth(&sshauth.Config{
+		UserIDClaim:     vncAuth.GetUserIDClaim(),
+		AuthorizedUsers: authorizedUsers,
+		MachineUsers:    machineUsers,
+	})
+}
+
+// GetVNCServerStatus returns whether the VNC server is running.
+func (e *Engine) GetVNCServerStatus() bool {
+	return e.vncSrv != nil
+}
+
+func (e *Engine) stopVNCServer() error {
+	if e.vncSrv == nil {
+		return nil
+	}
+
+	if err := e.cleanupVNCPortRedirection(); err != nil {
+		log.Warnf("cleanup VNC port redirection: %v", err)
+	}
+
+	if registrar, ok := e.firewall.(interface {
+		UnregisterNetstackService(protocol nftypes.Protocol, port uint16)
+	}); ok {
+		registrar.UnregisterNetstackService(nftypes.TCP, vncInternalPort)
+	}
+
+	log.Info("stopping VNC server")
+	err := e.vncSrv.Stop()
+	e.vncSrv = nil
+	if err != nil {
+		return fmt.Errorf("stop VNC server: %w", err)
+	}
+	return nil
+}

client/internal/engine_vnc_darwin.go

@@ -0,0 +1,23 @@
+//go:build darwin && !ios
+
+package internal
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	vncserver "github.com/netbirdio/netbird/client/vnc/server"
+)
+
+func newPlatformVNC() (vncserver.ScreenCapturer, vncserver.InputInjector) {
+	capturer := vncserver.NewMacPoller()
+	injector, err := vncserver.NewMacInputInjector()
+	if err != nil {
+		log.Debugf("VNC: macOS input injector: %v", err)
+		return capturer, &vncserver.StubInputInjector{}
+	}
+	return capturer, injector
+}
+
+func vncNeedsServiceMode() bool {
+	return false
+}

client/internal/engine_vnc_stub.go

@@ -0,0 +1,13 @@
+//go:build !windows && !darwin && !freebsd && !(linux && !android)
+
+package internal
+
+import vncserver "github.com/netbirdio/netbird/client/vnc/server"
+
+func newPlatformVNC() (vncserver.ScreenCapturer, vncserver.InputInjector) {
+	return nil, nil
+}
+
+func vncNeedsServiceMode() bool {
+	return false
+}

client/internal/engine_vnc_windows.go

@@ -0,0 +1,13 @@
+//go:build windows
+
+package internal
+
+import vncserver "github.com/netbirdio/netbird/client/vnc/server"
+
+func newPlatformVNC() (vncserver.ScreenCapturer, vncserver.InputInjector) {
+	return vncserver.NewDesktopCapturer(), vncserver.NewWindowsInputInjector()
+}
+
+func vncNeedsServiceMode() bool {
+	return vncserver.GetCurrentSessionID() == 0
+}

client/internal/engine_vnc_x11.go

@@ -0,0 +1,23 @@
+//go:build (linux && !android) || freebsd
+
+package internal
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	vncserver "github.com/netbirdio/netbird/client/vnc/server"
+)
+
+func newPlatformVNC() (vncserver.ScreenCapturer, vncserver.InputInjector) {
+	capturer := vncserver.NewX11Poller("")
+	injector, err := vncserver.NewX11InputInjector("")
+	if err != nil {
+		log.Debugf("VNC: X11 input injector: %v", err)
+		return capturer, &vncserver.StubInputInjector{}
+	}
+	return capturer, injector
+}
+
+func vncNeedsServiceMode() bool {
+	return false
+}

client/internal/netflow/conntrack/conntrack.go

@@ -7,9 +7,7 @@ import (
 	"fmt"
 	"net/netip"
 	"sync"
-	"time"
 
-	"github.com/cenkalti/backoff/v4"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
 	nfct "github.com/ti-mo/conntrack"
@@ -19,64 +17,31 @@ import (
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
-const (
-	defaultChannelSize     = 100
-	reconnectInitInterval  = 5 * time.Second
-	reconnectMaxInterval   = 5 * time.Minute
-	reconnectRandomization = 0.5
-)
-
-// listener abstracts a netlink conntrack connection for testability.
-type listener interface {
-	Listen(evChan chan<- nfct.Event, numWorkers uint8, groups []netfilter.NetlinkGroup) (chan error, error)
-	Close() error
-}
+const defaultChannelSize = 100
 
 // ConnTrack manages kernel-based conntrack events
 type ConnTrack struct {
 	flowLogger nftypes.FlowLogger
 	iface      nftypes.IFaceMapper
 
-	conn listener
+	conn *nfct.Conn
 	mux  sync.Mutex
 
-	dial           func() (listener, error)
 	instanceID     uuid.UUID
 	started        bool
 	done           chan struct{}
 	sysctlModified bool
 }
 
-// DialFunc is a constructor for netlink conntrack connections.
-type DialFunc func() (listener, error)
-
-// Option configures a ConnTrack instance.
-type Option func(*ConnTrack)
-
-// WithDialer overrides the default netlink dialer, primarily for testing.
-func WithDialer(dial DialFunc) Option {
-	return func(c *ConnTrack) {
-		c.dial = dial
-	}
-}
-
-func defaultDial() (listener, error) {
-	return nfct.Dial(nil)
-}
-
 // New creates a new connection tracker that interfaces with the kernel's conntrack system
-func New(flowLogger nftypes.FlowLogger, iface nftypes.IFaceMapper, opts ...Option) *ConnTrack {
-	ct := &ConnTrack{
+func New(flowLogger nftypes.FlowLogger, iface nftypes.IFaceMapper) *ConnTrack {
+	return &ConnTrack{
 		flowLogger: flowLogger,
 		iface:      iface,
 		instanceID: uuid.New(),
-		dial:       defaultDial,
+		started:    false,
 		done:       make(chan struct{}, 1),
 	}
-	for _, opt := range opts {
-		opt(ct)
-	}
-	return ct
 }
 
 // Start begins tracking connections by listening for conntrack events. This method is idempotent.
@@ -94,9 +59,8 @@ func (c *ConnTrack) Start(enableCounters bool) error {
 		c.EnableAccounting()
 	}
 
-	conn, err := c.dial()
+	conn, err := nfct.Dial(nil)
 	if err != nil {
-		c.RestoreAccounting()
 		return fmt.Errorf("dial conntrack: %w", err)
 	}
 	c.conn = conn
@@ -112,16 +76,9 @@ func (c *ConnTrack) Start(enableCounters bool) error {
 			log.Errorf("Error closing conntrack connection: %v", err)
 		}
 		c.conn = nil
-		c.RestoreAccounting()
 		return fmt.Errorf("start conntrack listener: %w", err)
 	}
 
-	// Drain any stale stop signal from a previous cycle.
-	select {
-	case <-c.done:
-	default:
-	}
-
 	c.started = true
 
 	go c.receiverRoutine(events, errChan)
@@ -135,98 +92,17 @@ func (c *ConnTrack) receiverRoutine(events chan nfct.Event, errChan chan error)
 		case event := <-events:
 			c.handleEvent(event)
 		case err := <-errChan:
-			if events, errChan = c.handleListenerError(err); events == nil {
-				return
+			log.Errorf("Error from conntrack event listener: %v", err)
+			if err := c.conn.Close(); err != nil {
+				log.Errorf("Error closing conntrack connection: %v", err)
 			}
+			return
 		case <-c.done:
 			return
 		}
 	}
 }
 
-// handleListenerError closes the failed connection and attempts to reconnect.
-// Returns new channels on success, or nil if shutdown was requested.
-func (c *ConnTrack) handleListenerError(err error) (chan nfct.Event, chan error) {
-	log.Warnf("conntrack event listener failed: %v", err)
-	c.closeConn()
-	return c.reconnect()
-}
-
-func (c *ConnTrack) closeConn() {
-	c.mux.Lock()
-	defer c.mux.Unlock()
-
-	if c.conn != nil {
-		if err := c.conn.Close(); err != nil {
-			log.Debugf("close conntrack connection: %v", err)
-		}
-		c.conn = nil
-	}
-}
-
-// reconnect attempts to re-establish the conntrack netlink listener with exponential backoff.
-// Returns new channels on success, or nil if shutdown was requested.
-func (c *ConnTrack) reconnect() (chan nfct.Event, chan error) {
-	bo := &backoff.ExponentialBackOff{
-		InitialInterval:     reconnectInitInterval,
-		RandomizationFactor: reconnectRandomization,
-		Multiplier:          backoff.DefaultMultiplier,
-		MaxInterval:         reconnectMaxInterval,
-		MaxElapsedTime:      0, // retry indefinitely
-		Clock:               backoff.SystemClock,
-	}
-	bo.Reset()
-
-	for {
-		delay := bo.NextBackOff()
-		log.Infof("reconnecting conntrack listener in %s", delay)
-
-		select {
-		case <-c.done:
-			c.mux.Lock()
-			c.started = false
-			c.mux.Unlock()
-			return nil, nil
-		case <-time.After(delay):
-		}
-
-		conn, err := c.dial()
-		if err != nil {
-			log.Warnf("reconnect conntrack dial: %v", err)
-			continue
-		}
-
-		events := make(chan nfct.Event, defaultChannelSize)
-		errChan, err := conn.Listen(events, 1, []netfilter.NetlinkGroup{
-			netfilter.GroupCTNew,
-			netfilter.GroupCTDestroy,
-		})
-		if err != nil {
-			log.Warnf("reconnect conntrack listen: %v", err)
-			if closeErr := conn.Close(); closeErr != nil {
-				log.Debugf("close conntrack connection: %v", closeErr)
-			}
-			continue
-		}
-
-		c.mux.Lock()
-		if !c.started {
-			// Stop() ran while we were reconnecting.
-			c.mux.Unlock()
-			if closeErr := conn.Close(); closeErr != nil {
-				log.Debugf("close conntrack connection: %v", closeErr)
-			}
-			return nil, nil
-		}
-		c.conn = conn
-		c.mux.Unlock()
-
-		log.Infof("conntrack listener reconnected successfully")
-
-		return events, errChan
-	}
-}
-
 // Stop stops the connection tracking. This method is idempotent.
 func (c *ConnTrack) Stop() {
 	c.mux.Lock()
@@ -260,27 +136,23 @@ func (c *ConnTrack) Close() error {
 	c.mux.Lock()
 	defer c.mux.Unlock()
 
-	if !c.started {
-		return nil
+	if c.started {
+		select {
+		case c.done <- struct{}{}:
+		default:
+		}
 	}
 
-	select {
-	case c.done <- struct{}{}:
-	default:
-	}
-
-	c.started = false
-
-	var closeErr error
 	if c.conn != nil {
-		closeErr = c.conn.Close()
+		err := c.conn.Close()
 		c.conn = nil
-	}
+		c.started = false
 
-	c.RestoreAccounting()
+		c.RestoreAccounting()
 
-	if closeErr != nil {
-		return fmt.Errorf("close conntrack: %w", closeErr)
+		if err != nil {
+			return fmt.Errorf("close conntrack: %w", err)
+		}
 	}
 
 	return nil

client/internal/netflow/conntrack/conntrack_test.go

@@ -1,224 +0,0 @@
-//go:build linux && !android
-
-package conntrack
-
-import (
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	nfct "github.com/ti-mo/conntrack"
-	"github.com/ti-mo/netfilter"
-)
-
-type mockListener struct {
-	errChan  chan error
-	closed   atomic.Bool
-	closedCh chan struct{}
-}
-
-func newMockListener() *mockListener {
-	return &mockListener{
-		errChan:  make(chan error, 1),
-		closedCh: make(chan struct{}),
-	}
-}
-
-func (m *mockListener) Listen(evChan chan<- nfct.Event, _ uint8, _ []netfilter.NetlinkGroup) (chan error, error) {
-	return m.errChan, nil
-}
-
-func (m *mockListener) Close() error {
-	if m.closed.CompareAndSwap(false, true) {
-		close(m.closedCh)
-	}
-	return nil
-}
-
-func TestReconnectAfterError(t *testing.T) {
-	first := newMockListener()
-	second := newMockListener()
-	third := newMockListener()
-	listeners := []*mockListener{first, second, third}
-	callCount := atomic.Int32{}
-
-	ct := New(nil, nil, WithDialer(func() (listener, error) {
-		n := int(callCount.Add(1)) - 1
-		return listeners[n], nil
-	}))
-
-	err := ct.Start(false)
-	require.NoError(t, err)
-
-	// Inject an error on the first listener.
-	first.errChan <- assert.AnError
-
-	// Wait for reconnect to complete.
-	require.Eventually(t, func() bool {
-		return callCount.Load() >= 2
-	}, 15*time.Second, 100*time.Millisecond, "reconnect should dial a new connection")
-
-	// The first connection must have been closed.
-	select {
-	case <-first.closedCh:
-	case <-time.After(2 * time.Second):
-		t.Fatal("first connection was not closed")
-	}
-
-	// Verify the receiver is still running by injecting and handling a second error.
-	second.errChan <- assert.AnError
-
-	require.Eventually(t, func() bool {
-		return callCount.Load() >= 3
-	}, 15*time.Second, 100*time.Millisecond, "second reconnect should succeed")
-
-	ct.Stop()
-}
-
-func TestStopDuringReconnectBackoff(t *testing.T) {
-	mock := newMockListener()
-
-	ct := New(nil, nil, WithDialer(func() (listener, error) {
-		return mock, nil
-	}))
-
-	err := ct.Start(false)
-	require.NoError(t, err)
-
-	// Trigger an error so the receiver enters reconnect.
-	mock.errChan <- assert.AnError
-
-	// Wait for the error handler to close the old listener before calling Stop.
-	select {
-	case <-mock.closedCh:
-	case <-time.After(5 * time.Second):
-		t.Fatal("timed out waiting for reconnect to start")
-	}
-
-	// Stop while reconnecting.
-	ct.Stop()
-
-	ct.mux.Lock()
-	assert.False(t, ct.started, "started should be false after Stop")
-	assert.Nil(t, ct.conn, "conn should be nil after Stop")
-	ct.mux.Unlock()
-}
-
-func TestStopRaceWithReconnectDial(t *testing.T) {
-	first := newMockListener()
-	dialStarted := make(chan struct{})
-	dialProceed := make(chan struct{})
-	second := newMockListener()
-	callCount := atomic.Int32{}
-
-	ct := New(nil, nil, WithDialer(func() (listener, error) {
-		n := callCount.Add(1)
-		if n == 1 {
-			return first, nil
-		}
-		// Second dial: signal that we're in progress, wait for test to call Stop.
-		close(dialStarted)
-		<-dialProceed
-		return second, nil
-	}))
-
-	err := ct.Start(false)
-	require.NoError(t, err)
-
-	// Trigger error to enter reconnect.
-	first.errChan <- assert.AnError
-
-	// Wait for reconnect's second dial to begin.
-	select {
-	case <-dialStarted:
-	case <-time.After(15 * time.Second):
-		t.Fatal("timed out waiting for reconnect dial")
-	}
-
-	// Stop while dial is in progress (conn is nil at this point).
-	ct.Stop()
-
-	// Let the dial complete. reconnect should detect started==false and close the new conn.
-	close(dialProceed)
-
-	// The second connection should be closed (not leaked).
-	select {
-	case <-second.closedCh:
-	case <-time.After(2 * time.Second):
-		t.Fatal("second connection was leaked after Stop")
-	}
-
-	ct.mux.Lock()
-	assert.False(t, ct.started)
-	assert.Nil(t, ct.conn)
-	ct.mux.Unlock()
-}
-
-func TestCloseRaceWithReconnectDial(t *testing.T) {
-	first := newMockListener()
-	dialStarted := make(chan struct{})
-	dialProceed := make(chan struct{})
-	second := newMockListener()
-	callCount := atomic.Int32{}
-
-	ct := New(nil, nil, WithDialer(func() (listener, error) {
-		n := callCount.Add(1)
-		if n == 1 {
-			return first, nil
-		}
-		close(dialStarted)
-		<-dialProceed
-		return second, nil
-	}))
-
-	err := ct.Start(false)
-	require.NoError(t, err)
-
-	first.errChan <- assert.AnError
-
-	select {
-	case <-dialStarted:
-	case <-time.After(15 * time.Second):
-		t.Fatal("timed out waiting for reconnect dial")
-	}
-
-	// Close while dial is in progress (conn is nil).
-	require.NoError(t, ct.Close())
-
-	close(dialProceed)
-
-	// The second connection should be closed (not leaked).
-	select {
-	case <-second.closedCh:
-	case <-time.After(2 * time.Second):
-		t.Fatal("second connection was leaked after Close")
-	}
-
-	ct.mux.Lock()
-	assert.False(t, ct.started)
-	assert.Nil(t, ct.conn)
-	ct.mux.Unlock()
-}
-
-func TestStartIsIdempotent(t *testing.T) {
-	mock := newMockListener()
-	callCount := atomic.Int32{}
-
-	ct := New(nil, nil, WithDialer(func() (listener, error) {
-		callCount.Add(1)
-		return mock, nil
-	}))
-
-	err := ct.Start(false)
-	require.NoError(t, err)
-
-	// Second Start should be a no-op.
-	err = ct.Start(false)
-	require.NoError(t, err)
-
-	assert.Equal(t, int32(1), callCount.Load(), "dial should only be called once")
-
-	ct.Stop()
-}

client/internal/portforward/env.go

@@ -8,27 +8,18 @@ import (
 )
 
 const (
-	envDisableNATMapper      = "NB_DISABLE_NAT_MAPPER"
-	envDisablePCPHealthCheck = "NB_DISABLE_PCP_HEALTH_CHECK"
+	envDisableNATMapper = "NB_DISABLE_NAT_MAPPER"
 )
 
 func isDisabledByEnv() bool {
-	return parseBoolEnv(envDisableNATMapper)
-}
-
-func isHealthCheckDisabled() bool {
-	return parseBoolEnv(envDisablePCPHealthCheck)
-}
-
-func parseBoolEnv(key string) bool {
-	val := os.Getenv(key)
+	val := os.Getenv(envDisableNATMapper)
 	if val == "" {
 		return false
 	}
 
 	disabled, err := strconv.ParseBool(val)
 	if err != nil {
-		log.Warnf("failed to parse %s: %v", key, err)
+		log.Warnf("failed to parse %s: %v", envDisableNATMapper, err)
 		return false
 	}
 	return disabled

client/internal/portforward/manager.go

@@ -12,15 +12,12 @@ import (
 
 	"github.com/libp2p/go-nat"
 	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/portforward/pcp"
 )
 
 const (
-	defaultMappingTTL   = 2 * time.Hour
-	healthCheckInterval = 1 * time.Minute
-	discoveryTimeout    = 10 * time.Second
-	mappingDescription  = "NetBird"
+	defaultMappingTTL  = 2 * time.Hour
+	discoveryTimeout   = 10 * time.Second
+	mappingDescription = "NetBird"
 )
 
 // upnpErrPermanentLeaseOnly matches UPnP error 725 in SOAP fault XML,
@@ -157,7 +154,7 @@ func (m *Manager) setup(ctx context.Context) (nat.NAT, *Mapping, error) {
 	discoverCtx, discoverCancel := context.WithTimeout(ctx, discoveryTimeout)
 	defer discoverCancel()
 
-	gateway, err := discoverGateway(discoverCtx)
+	gateway, err := nat.DiscoverGateway(discoverCtx)
 	if err != nil {
 		return nil, nil, fmt.Errorf("discover gateway: %w", err)
 	}
@@ -192,6 +189,7 @@ func (m *Manager) createMapping(ctx context.Context, gateway nat.NAT) (*Mapping,
 	externalIP, err := gateway.GetExternalAddress()
 	if err != nil {
 		log.Debugf("failed to get external address: %v", err)
+		// todo return with err?
 	}
 
 	mapping := &Mapping{
@@ -210,87 +208,27 @@ func (m *Manager) createMapping(ctx context.Context, gateway nat.NAT) (*Mapping,
 
 func (m *Manager) renewLoop(ctx context.Context, gateway nat.NAT, ttl time.Duration) {
 	if ttl == 0 {
-		// Permanent mappings don't expire, just wait for cancellation
-		// but still run health checks for PCP gateways.
-		m.permanentLeaseLoop(ctx, gateway)
+		// Permanent mappings don't expire, just wait for cancellation.
+		<-ctx.Done()
 		return
 	}
 
-	renewTicker := time.NewTicker(ttl / 2)
-	healthTicker := time.NewTicker(healthCheckInterval)
-	defer renewTicker.Stop()
-	defer healthTicker.Stop()
+	ticker := time.NewTicker(ttl / 2)
+	defer ticker.Stop()
 
 	for {
 		select {
 		case <-ctx.Done():
 			return
-		case <-renewTicker.C:
+		case <-ticker.C:
 			if err := m.renewMapping(ctx, gateway); err != nil {
 				log.Warnf("failed to renew port mapping: %v", err)
 				continue
 			}
-		case <-healthTicker.C:
-			if m.checkHealthAndRecreate(ctx, gateway) {
-				renewTicker.Reset(ttl / 2)
-			}
 		}
 	}
 }
 
-func (m *Manager) permanentLeaseLoop(ctx context.Context, gateway nat.NAT) {
-	healthTicker := time.NewTicker(healthCheckInterval)
-	defer healthTicker.Stop()
-
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-healthTicker.C:
-			m.checkHealthAndRecreate(ctx, gateway)
-		}
-	}
-}
-
-func (m *Manager) checkHealthAndRecreate(ctx context.Context, gateway nat.NAT) bool {
-	if isHealthCheckDisabled() {
-		return false
-	}
-
-	m.mappingLock.Lock()
-	hasMapping := m.mapping != nil
-	m.mappingLock.Unlock()
-
-	if !hasMapping {
-		return false
-	}
-
-	pcpNAT, ok := gateway.(*pcp.NAT)
-	if !ok {
-		return false
-	}
-
-	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
-	defer cancel()
-
-	epoch, serverRestarted, err := pcpNAT.CheckServerHealth(ctx)
-	if err != nil {
-		log.Debugf("PCP health check failed: %v", err)
-		return false
-	}
-
-	if serverRestarted {
-		log.Warnf("PCP server restart detected (epoch=%d), recreating port mapping", epoch)
-		if err := m.renewMapping(ctx, gateway); err != nil {
-			log.Errorf("failed to recreate port mapping after server restart: %v", err)
-			return false
-		}
-		return true
-	}
-
-	return false
-}
-
 func (m *Manager) renewMapping(ctx context.Context, gateway nat.NAT) error {
 	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()

client/internal/portforward/pcp/client.go

@@ -1,408 +0,0 @@
-package pcp
-
-import (
-	"context"
-	"crypto/rand"
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	defaultTimeout     = 3 * time.Second
-	responseBufferSize = 128
-
-	// RFC 6887 Section 8.1.1 retry timing
-	initialRetryDelay = 3 * time.Second
-	maxRetryDelay     = 1024 * time.Second
-	maxRetries        = 4 // 3s + 6s + 12s + 24s = 45s total worst case
-)
-
-// Client is a PCP protocol client.
-// All methods are safe for concurrent use.
-type Client struct {
-	gateway netip.Addr
-	timeout time.Duration
-
-	mu sync.Mutex
-	// localIP caches the resolved local IP address.
-	localIP netip.Addr
-	// lastEpoch is the last observed server epoch value.
-	lastEpoch uint32
-	// epochTime tracks when lastEpoch was received for state loss detection.
-	epochTime time.Time
-	// externalIP caches the external IP from the last successful MAP response.
-	externalIP netip.Addr
-	// epochStateLost is set when epoch indicates server restart.
-	epochStateLost bool
-}
-
-// NewClient creates a new PCP client for the gateway at the given IP.
-func NewClient(gateway net.IP) *Client {
-	addr, ok := netip.AddrFromSlice(gateway)
-	if !ok {
-		log.Debugf("invalid gateway IP: %v", gateway)
-	}
-	return &Client{
-		gateway: addr.Unmap(),
-		timeout: defaultTimeout,
-	}
-}
-
-// NewClientWithTimeout creates a new PCP client with a custom timeout.
-func NewClientWithTimeout(gateway net.IP, timeout time.Duration) *Client {
-	addr, ok := netip.AddrFromSlice(gateway)
-	if !ok {
-		log.Debugf("invalid gateway IP: %v", gateway)
-	}
-	return &Client{
-		gateway: addr.Unmap(),
-		timeout: timeout,
-	}
-}
-
-// SetLocalIP sets the local IP address to use in PCP requests.
-func (c *Client) SetLocalIP(ip net.IP) {
-	addr, ok := netip.AddrFromSlice(ip)
-	if !ok {
-		log.Debugf("invalid local IP: %v", ip)
-	}
-	c.mu.Lock()
-	c.localIP = addr.Unmap()
-	c.mu.Unlock()
-}
-
-// Gateway returns the gateway IP address.
-func (c *Client) Gateway() net.IP {
-	return c.gateway.AsSlice()
-}
-
-// Announce sends a PCP ANNOUNCE request to discover PCP support.
-// Returns the server's epoch time on success.
-func (c *Client) Announce(ctx context.Context) (epoch uint32, err error) {
-	localIP, err := c.getLocalIP()
-	if err != nil {
-		return 0, fmt.Errorf("get local IP: %w", err)
-	}
-
-	req := buildAnnounceRequest(localIP)
-	resp, err := c.sendRequest(ctx, req)
-	if err != nil {
-		return 0, fmt.Errorf("send announce: %w", err)
-	}
-
-	parsed, err := parseResponse(resp)
-	if err != nil {
-		return 0, fmt.Errorf("parse announce response: %w", err)
-	}
-
-	if parsed.ResultCode != ResultSuccess {
-		return 0, fmt.Errorf("PCP ANNOUNCE failed: %s", ResultCodeString(parsed.ResultCode))
-	}
-
-	c.mu.Lock()
-	if c.updateEpochLocked(parsed.Epoch) {
-		log.Warnf("PCP server epoch indicates state loss - mappings may need refresh")
-	}
-	c.mu.Unlock()
-	return parsed.Epoch, nil
-}
-
-// AddPortMapping requests a port mapping from the PCP server.
-func (c *Client) AddPortMapping(ctx context.Context, protocol string, internalPort int, lifetime time.Duration) (*MapResponse, error) {
-	return c.addPortMappingWithHint(ctx, protocol, internalPort, internalPort, netip.Addr{}, lifetime)
-}
-
-// AddPortMappingWithHint requests a port mapping with suggested external port and IP.
-// Use lifetime <= 0 to delete a mapping.
-func (c *Client) AddPortMappingWithHint(ctx context.Context, protocol string, internalPort, suggestedExtPort int, suggestedExtIP net.IP, lifetime time.Duration) (*MapResponse, error) {
-	var extIP netip.Addr
-	if suggestedExtIP != nil {
-		var ok bool
-		extIP, ok = netip.AddrFromSlice(suggestedExtIP)
-		if !ok {
-			log.Debugf("invalid suggested external IP: %v", suggestedExtIP)
-		}
-		extIP = extIP.Unmap()
-	}
-	return c.addPortMappingWithHint(ctx, protocol, internalPort, suggestedExtPort, extIP, lifetime)
-}
-
-func (c *Client) addPortMappingWithHint(ctx context.Context, protocol string, internalPort, suggestedExtPort int, suggestedExtIP netip.Addr, lifetime time.Duration) (*MapResponse, error) {
-	localIP, err := c.getLocalIP()
-	if err != nil {
-		return nil, fmt.Errorf("get local IP: %w", err)
-	}
-
-	proto, err := protocolNumber(protocol)
-	if err != nil {
-		return nil, fmt.Errorf("parse protocol: %w", err)
-	}
-
-	var nonce [12]byte
-	if _, err := rand.Read(nonce[:]); err != nil {
-		return nil, fmt.Errorf("generate nonce: %w", err)
-	}
-
-	// Convert lifetime to seconds. Lifetime 0 means delete, so only apply
-	// default for positive durations that round to 0 seconds.
-	var lifetimeSec uint32
-	if lifetime > 0 {
-		lifetimeSec = uint32(lifetime.Seconds())
-		if lifetimeSec == 0 {
-			lifetimeSec = DefaultLifetime
-		}
-	}
-
-	req := buildMapRequest(localIP, nonce, proto, uint16(internalPort), uint16(suggestedExtPort), suggestedExtIP, lifetimeSec)
-
-	resp, err := c.sendRequest(ctx, req)
-	if err != nil {
-		return nil, fmt.Errorf("send map request: %w", err)
-	}
-
-	mapResp, err := parseMapResponse(resp)
-	if err != nil {
-		return nil, fmt.Errorf("parse map response: %w", err)
-	}
-
-	if mapResp.Nonce != nonce {
-		return nil, fmt.Errorf("nonce mismatch in response")
-	}
-
-	if mapResp.Protocol != proto {
-		return nil, fmt.Errorf("protocol mismatch: requested %d, got %d", proto, mapResp.Protocol)
-	}
-	if mapResp.InternalPort != uint16(internalPort) {
-		return nil, fmt.Errorf("internal port mismatch: requested %d, got %d", internalPort, mapResp.InternalPort)
-	}
-
-	if mapResp.ResultCode != ResultSuccess {
-		return nil, &Error{
-			Code:    mapResp.ResultCode,
-			Message: ResultCodeString(mapResp.ResultCode),
-		}
-	}
-
-	c.mu.Lock()
-	if c.updateEpochLocked(mapResp.Epoch) {
-		log.Warnf("PCP server epoch indicates state loss - mappings may need refresh")
-	}
-	c.cacheExternalIPLocked(mapResp.ExternalIP)
-	c.mu.Unlock()
-	return mapResp, nil
-}
-
-// DeletePortMapping removes a port mapping by requesting zero lifetime.
-func (c *Client) DeletePortMapping(ctx context.Context, protocol string, internalPort int) error {
-	if _, err := c.addPortMappingWithHint(ctx, protocol, internalPort, 0, netip.Addr{}, 0); err != nil {
-		var pcpErr *Error
-		if errors.As(err, &pcpErr) && pcpErr.Code == ResultNotAuthorized {
-			return nil
-		}
-		return fmt.Errorf("delete mapping: %w", err)
-	}
-	return nil
-}
-
-// GetExternalAddress returns the external IP address.
-// First checks for a cached value from previous MAP responses.
-// If not cached, creates a short-lived mapping to discover the external IP.
-func (c *Client) GetExternalAddress(ctx context.Context) (net.IP, error) {
-	c.mu.Lock()
-	if c.externalIP.IsValid() {
-		ip := c.externalIP.AsSlice()
-		c.mu.Unlock()
-		return ip, nil
-	}
-	c.mu.Unlock()
-
-	// Use an ephemeral port in the dynamic range (49152-65535).
-	// Port 0 is not valid with UDP/TCP protocols per RFC 6887.
-	ephemeralPort := 49152 + int(uint16(time.Now().UnixNano()))%(65535-49152)
-
-	// Use minimal lifetime (1 second) for discovery.
-	resp, err := c.AddPortMapping(ctx, "udp", ephemeralPort, time.Second)
-	if err != nil {
-		return nil, fmt.Errorf("create temporary mapping: %w", err)
-	}
-
-	if err := c.DeletePortMapping(ctx, "udp", ephemeralPort); err != nil {
-		log.Debugf("cleanup temporary PCP mapping: %v", err)
-	}
-
-	return resp.ExternalIP.AsSlice(), nil
-}
-
-// LastEpoch returns the last observed server epoch value.
-// A decrease in epoch indicates the server may have restarted and mappings may be lost.
-func (c *Client) LastEpoch() uint32 {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	return c.lastEpoch
-}
-
-// EpochStateLost returns true if epoch state loss was detected and clears the flag.
-func (c *Client) EpochStateLost() bool {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	lost := c.epochStateLost
-	c.epochStateLost = false
-	return lost
-}
-
-// updateEpoch updates the epoch tracking and detects potential state loss.
-// Returns true if state loss was detected (server likely restarted).
-// Caller must hold c.mu.
-func (c *Client) updateEpochLocked(newEpoch uint32) bool {
-	now := time.Now()
-	stateLost := false
-
-	// RFC 6887 Section 8.5: Detect invalid epoch indicating server state loss.
-	// client_delta = time since last response
-	// server_delta = epoch change since last response
-	// Invalid if: client_delta+2 < server_delta - server_delta/16
-	//         OR: server_delta+2 < client_delta - client_delta/16
-	// The +2 handles quantization, /16 (6.25%) handles clock drift.
-	if !c.epochTime.IsZero() && c.lastEpoch > 0 {
-		clientDelta := uint32(now.Sub(c.epochTime).Seconds())
-		serverDelta := newEpoch - c.lastEpoch
-
-		// Check for epoch going backwards or jumping unexpectedly.
-		// Subtraction is safe: serverDelta/16 is always <= serverDelta.
-		if clientDelta+2 < serverDelta-(serverDelta/16) ||
-			serverDelta+2 < clientDelta-(clientDelta/16) {
-			stateLost = true
-			c.epochStateLost = true
-		}
-	}
-
-	c.lastEpoch = newEpoch
-	c.epochTime = now
-	return stateLost
-}
-
-// cacheExternalIP stores the external IP from a successful MAP response.
-// Caller must hold c.mu.
-func (c *Client) cacheExternalIPLocked(ip netip.Addr) {
-	if ip.IsValid() && !ip.IsUnspecified() {
-		c.externalIP = ip
-	}
-}
-
-// sendRequest sends a PCP request with retries per RFC 6887 Section 8.1.1.
-func (c *Client) sendRequest(ctx context.Context, req []byte) ([]byte, error) {
-	addr := &net.UDPAddr{IP: c.gateway.AsSlice(), Port: Port}
-
-	var lastErr error
-	delay := initialRetryDelay
-
-	for range maxRetries {
-		resp, err := c.sendOnce(ctx, addr, req)
-		if err == nil {
-			return resp, nil
-		}
-		lastErr = err
-
-		if ctx.Err() != nil {
-			return nil, ctx.Err()
-		}
-
-		// RFC 6887 Section 8.1.1: RT = (1 + RAND) * MIN(2 * RTprev, MRT)
-		// RAND is random between -0.1 and +0.1
-		select {
-		case <-ctx.Done():
-			return nil, ctx.Err()
-		case <-time.After(retryDelayWithJitter(delay)):
-		}
-		delay = min(delay*2, maxRetryDelay)
-	}
-
-	return nil, fmt.Errorf("PCP request failed after %d retries: %w", maxRetries, lastErr)
-}
-
-// retryDelayWithJitter applies RFC 6887 jitter: multiply by (1 + RAND) where RAND is [-0.1, +0.1].
-func retryDelayWithJitter(d time.Duration) time.Duration {
-	var b [1]byte
-	_, _ = rand.Read(b[:])
-	// Convert byte to range [-0.1, +0.1]: (b/255 * 0.2) - 0.1
-	jitter := (float64(b[0])/255.0)*0.2 - 0.1
-	return time.Duration(float64(d) * (1 + jitter))
-}
-
-func (c *Client) sendOnce(ctx context.Context, addr *net.UDPAddr, req []byte) ([]byte, error) {
-	// Use ListenUDP instead of DialUDP to validate response source address per RFC 6887 §8.3.
-	conn, err := net.ListenUDP("udp", nil)
-	if err != nil {
-		return nil, fmt.Errorf("listen: %w", err)
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Debugf("close UDP connection: %v", err)
-		}
-	}()
-
-	timeout := c.timeout
-	if deadline, ok := ctx.Deadline(); ok {
-		if remaining := time.Until(deadline); remaining < timeout {
-			timeout = remaining
-		}
-	}
-
-	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
-		return nil, fmt.Errorf("set deadline: %w", err)
-	}
-
-	if _, err := conn.WriteToUDP(req, addr); err != nil {
-		return nil, fmt.Errorf("write: %w", err)
-	}
-
-	resp := make([]byte, responseBufferSize)
-	n, from, err := conn.ReadFromUDP(resp)
-	if err != nil {
-		return nil, fmt.Errorf("read: %w", err)
-	}
-
-	// RFC 6887 §8.3: Validate response came from expected PCP server.
-	if !from.IP.Equal(addr.IP) {
-		return nil, fmt.Errorf("response from unexpected source %s (expected %s)", from.IP, addr.IP)
-	}
-
-	return resp[:n], nil
-}
-
-func (c *Client) getLocalIP() (netip.Addr, error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	if !c.localIP.IsValid() {
-		return netip.Addr{}, fmt.Errorf("local IP not set for gateway %s", c.gateway)
-	}
-	return c.localIP, nil
-}
-
-func protocolNumber(protocol string) (uint8, error) {
-	switch protocol {
-	case "udp", "UDP":
-		return ProtoUDP, nil
-	case "tcp", "TCP":
-		return ProtoTCP, nil
-	default:
-		return 0, fmt.Errorf("unsupported protocol: %s", protocol)
-	}
-}
-
-// Error represents a PCP error response.
-type Error struct {
-	Code    uint8
-	Message string
-}
-
-func (e *Error) Error() string {
-	return fmt.Sprintf("PCP error: %s (%d)", e.Message, e.Code)
-}

client/internal/portforward/pcp/client_test.go

@@ -1,187 +0,0 @@
-package pcp
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestAddrConversion(t *testing.T) {
-	tests := []struct {
-		name string
-		addr netip.Addr
-	}{
-		{"IPv4", netip.MustParseAddr("192.168.1.100")},
-		{"IPv4 loopback", netip.MustParseAddr("127.0.0.1")},
-		{"IPv6", netip.MustParseAddr("2001:db8::1")},
-		{"IPv6 loopback", netip.MustParseAddr("::1")},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			b16 := addrTo16(tt.addr)
-
-			recovered := addrFrom16(b16)
-			assert.Equal(t, tt.addr, recovered, "address should round-trip")
-		})
-	}
-}
-
-func TestBuildAnnounceRequest(t *testing.T) {
-	clientIP := netip.MustParseAddr("192.168.1.100")
-	req := buildAnnounceRequest(clientIP)
-
-	require.Len(t, req, headerSize)
-	assert.Equal(t, byte(Version), req[0], "version")
-	assert.Equal(t, byte(OpAnnounce), req[1], "opcode")
-
-	// Check client IP is properly encoded as IPv4-mapped IPv6
-	assert.Equal(t, byte(0xff), req[18], "IPv4-mapped prefix byte 10")
-	assert.Equal(t, byte(0xff), req[19], "IPv4-mapped prefix byte 11")
-	assert.Equal(t, byte(192), req[20], "IP octet 1")
-	assert.Equal(t, byte(168), req[21], "IP octet 2")
-	assert.Equal(t, byte(1), req[22], "IP octet 3")
-	assert.Equal(t, byte(100), req[23], "IP octet 4")
-}
-
-func TestBuildMapRequest(t *testing.T) {
-	clientIP := netip.MustParseAddr("192.168.1.100")
-	nonce := [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
-	req := buildMapRequest(clientIP, nonce, ProtoUDP, 51820, 51820, netip.Addr{}, 3600)
-
-	require.Len(t, req, mapRequestSize)
-	assert.Equal(t, byte(Version), req[0], "version")
-	assert.Equal(t, byte(OpMap), req[1], "opcode")
-
-	// Lifetime at bytes 4-7
-	assert.Equal(t, uint32(3600), (uint32(req[4])<<24)|(uint32(req[5])<<16)|(uint32(req[6])<<8)|uint32(req[7]), "lifetime")
-
-	// Nonce at bytes 24-35
-	assert.Equal(t, nonce[:], req[24:36], "nonce")
-
-	// Protocol at byte 36
-	assert.Equal(t, byte(ProtoUDP), req[36], "protocol")
-
-	// Internal port at bytes 40-41
-	assert.Equal(t, uint16(51820), (uint16(req[40])<<8)|uint16(req[41]), "internal port")
-
-	// External port at bytes 42-43
-	assert.Equal(t, uint16(51820), (uint16(req[42])<<8)|uint16(req[43]), "external port")
-}
-
-func TestParseResponse(t *testing.T) {
-	// Construct a valid ANNOUNCE response
-	resp := make([]byte, headerSize)
-	resp[0] = Version
-	resp[1] = OpAnnounce | OpReply
-	// Result code = 0 (success)
-	// Lifetime = 0
-	// Epoch = 12345
-	resp[8] = 0
-	resp[9] = 0
-	resp[10] = 0x30
-	resp[11] = 0x39
-
-	parsed, err := parseResponse(resp)
-	require.NoError(t, err)
-	assert.Equal(t, uint8(Version), parsed.Version)
-	assert.Equal(t, uint8(OpAnnounce|OpReply), parsed.Opcode)
-	assert.Equal(t, uint8(ResultSuccess), parsed.ResultCode)
-	assert.Equal(t, uint32(12345), parsed.Epoch)
-}
-
-func TestParseResponseErrors(t *testing.T) {
-	t.Run("too short", func(t *testing.T) {
-		_, err := parseResponse([]byte{1, 2, 3})
-		assert.Error(t, err)
-	})
-
-	t.Run("wrong version", func(t *testing.T) {
-		resp := make([]byte, headerSize)
-		resp[0] = 1 // Wrong version
-		resp[1] = OpReply
-		_, err := parseResponse(resp)
-		assert.Error(t, err)
-	})
-
-	t.Run("missing reply bit", func(t *testing.T) {
-		resp := make([]byte, headerSize)
-		resp[0] = Version
-		resp[1] = OpAnnounce // Missing OpReply bit
-		_, err := parseResponse(resp)
-		assert.Error(t, err)
-	})
-}
-
-func TestResultCodeString(t *testing.T) {
-	assert.Equal(t, "SUCCESS", ResultCodeString(ResultSuccess))
-	assert.Equal(t, "NOT_AUTHORIZED", ResultCodeString(ResultNotAuthorized))
-	assert.Equal(t, "ADDRESS_MISMATCH", ResultCodeString(ResultAddressMismatch))
-	assert.Contains(t, ResultCodeString(255), "UNKNOWN")
-}
-
-func TestProtocolNumber(t *testing.T) {
-	proto, err := protocolNumber("udp")
-	require.NoError(t, err)
-	assert.Equal(t, uint8(ProtoUDP), proto)
-
-	proto, err = protocolNumber("tcp")
-	require.NoError(t, err)
-	assert.Equal(t, uint8(ProtoTCP), proto)
-
-	proto, err = protocolNumber("UDP")
-	require.NoError(t, err)
-	assert.Equal(t, uint8(ProtoUDP), proto)
-
-	_, err = protocolNumber("icmp")
-	assert.Error(t, err)
-}
-
-func TestClientCreation(t *testing.T) {
-	gateway := netip.MustParseAddr("192.168.1.1").AsSlice()
-
-	client := NewClient(gateway)
-	assert.Equal(t, net.IP(gateway), client.Gateway())
-	assert.Equal(t, defaultTimeout, client.timeout)
-
-	clientWithTimeout := NewClientWithTimeout(gateway, 5*time.Second)
-	assert.Equal(t, 5*time.Second, clientWithTimeout.timeout)
-}
-
-func TestNATType(t *testing.T) {
-	n := NewNAT(netip.MustParseAddr("192.168.1.1").AsSlice(), netip.MustParseAddr("192.168.1.100").AsSlice())
-	assert.Equal(t, "PCP", n.Type())
-}
-
-// Integration test - skipped unless PCP_TEST_GATEWAY env is set
-func TestClientIntegration(t *testing.T) {
-	t.Skip("Integration test - run manually with PCP_TEST_GATEWAY=<gateway-ip>")
-
-	gateway := netip.MustParseAddr("10.0.1.1").AsSlice()   // Change to your test gateway
-	localIP := netip.MustParseAddr("10.0.1.100").AsSlice() // Change to your local IP
-
-	client := NewClient(gateway)
-	client.SetLocalIP(localIP)
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-
-	// Test ANNOUNCE
-	epoch, err := client.Announce(ctx)
-	require.NoError(t, err)
-	t.Logf("Server epoch: %d", epoch)
-
-	// Test MAP
-	resp, err := client.AddPortMapping(ctx, "udp", 51820, 1*time.Hour)
-	require.NoError(t, err)
-	t.Logf("Mapping: internal=%d external=%d externalIP=%s",
-		resp.InternalPort, resp.ExternalPort, resp.ExternalIP)
-
-	// Cleanup
-	err = client.DeletePortMapping(ctx, "udp", 51820)
-	require.NoError(t, err)
-}

client/internal/portforward/pcp/nat.go

@@ -1,209 +0,0 @@
-package pcp
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/libp2p/go-nat"
-	"github.com/libp2p/go-netroute"
-)
-
-var _ nat.NAT = (*NAT)(nil)
-
-// NAT implements the go-nat NAT interface using PCP.
-// Supports dual-stack (IPv4 and IPv6) when available.
-// All methods are safe for concurrent use.
-//
-// TODO: IPv6 pinholes use the local IPv6 address. If the address changes
-// (e.g., due to SLAAC rotation or network change), the pinhole becomes stale
-// and needs to be recreated with the new address.
-type NAT struct {
-	client *Client
-
-	mu sync.RWMutex
-	// client6 is the IPv6 PCP client, nil if IPv6 is unavailable.
-	client6 *Client
-	// localIP6 caches the local IPv6 address used for PCP requests.
-	localIP6 netip.Addr
-}
-
-// NewNAT creates a new NAT instance backed by PCP.
-func NewNAT(gateway, localIP net.IP) *NAT {
-	client := NewClient(gateway)
-	client.SetLocalIP(localIP)
-	return &NAT{
-		client: client,
-	}
-}
-
-// Type returns "PCP" as the NAT type.
-func (n *NAT) Type() string {
-	return "PCP"
-}
-
-// GetDeviceAddress returns the gateway IP address.
-func (n *NAT) GetDeviceAddress() (net.IP, error) {
-	return n.client.Gateway(), nil
-}
-
-// GetExternalAddress returns the external IP address.
-func (n *NAT) GetExternalAddress() (net.IP, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-	return n.client.GetExternalAddress(ctx)
-}
-
-// GetInternalAddress returns the local IP address used to communicate with the gateway.
-func (n *NAT) GetInternalAddress() (net.IP, error) {
-	addr, err := n.client.getLocalIP()
-	if err != nil {
-		return nil, err
-	}
-	return addr.AsSlice(), nil
-}
-
-// AddPortMapping creates a port mapping on both IPv4 and IPv6 (if available).
-func (n *NAT) AddPortMapping(ctx context.Context, protocol string, internalPort int, _ string, timeout time.Duration) (int, error) {
-	resp, err := n.client.AddPortMapping(ctx, protocol, internalPort, timeout)
-	if err != nil {
-		return 0, fmt.Errorf("add mapping: %w", err)
-	}
-
-	n.mu.RLock()
-	client6 := n.client6
-	localIP6 := n.localIP6
-	n.mu.RUnlock()
-
-	if client6 == nil {
-		return int(resp.ExternalPort), nil
-	}
-
-	if _, err := client6.AddPortMapping(ctx, protocol, internalPort, timeout); err != nil {
-		log.Warnf("IPv6 PCP mapping failed (continuing with IPv4): %v", err)
-		return int(resp.ExternalPort), nil
-	}
-
-	log.Infof("created IPv6 PCP pinhole: %s:%d", localIP6, internalPort)
-	return int(resp.ExternalPort), nil
-}
-
-// DeletePortMapping removes a port mapping from both IPv4 and IPv6.
-func (n *NAT) DeletePortMapping(ctx context.Context, protocol string, internalPort int) error {
-	err := n.client.DeletePortMapping(ctx, protocol, internalPort)
-
-	n.mu.RLock()
-	client6 := n.client6
-	n.mu.RUnlock()
-
-	if client6 != nil {
-		if err6 := client6.DeletePortMapping(ctx, protocol, internalPort); err6 != nil {
-			log.Warnf("IPv6 PCP delete mapping failed: %v", err6)
-		}
-	}
-
-	if err != nil {
-		return fmt.Errorf("delete mapping: %w", err)
-	}
-	return nil
-}
-
-// CheckServerHealth sends an ANNOUNCE to verify the server is still responsive.
-// Returns the current epoch and whether the server may have restarted (epoch state loss detected).
-func (n *NAT) CheckServerHealth(ctx context.Context) (epoch uint32, serverRestarted bool, err error) {
-	epoch, err = n.client.Announce(ctx)
-	if err != nil {
-		return 0, false, fmt.Errorf("announce: %w", err)
-	}
-	return epoch, n.client.EpochStateLost(), nil
-}
-
-// DiscoverPCP attempts to discover a PCP-capable gateway.
-// Returns a NAT interface if PCP is supported, or an error otherwise.
-// Discovers both IPv4 and IPv6 gateways when available.
-func DiscoverPCP(ctx context.Context) (nat.NAT, error) {
-	gateway, localIP, err := getDefaultGateway()
-	if err != nil {
-		return nil, fmt.Errorf("get default gateway: %w", err)
-	}
-
-	client := NewClient(gateway)
-	client.SetLocalIP(localIP)
-	if _, err := client.Announce(ctx); err != nil {
-		return nil, fmt.Errorf("PCP announce: %w", err)
-	}
-
-	result := &NAT{client: client}
-	discoverIPv6(ctx, result)
-
-	return result, nil
-}
-
-func discoverIPv6(ctx context.Context, result *NAT) {
-	gateway6, localIP6, err := getDefaultGateway6()
-	if err != nil {
-		log.Debugf("IPv6 gateway discovery failed: %v", err)
-		return
-	}
-
-	client6 := NewClient(gateway6)
-	client6.SetLocalIP(localIP6)
-	if _, err := client6.Announce(ctx); err != nil {
-		log.Debugf("PCP IPv6 announce failed: %v", err)
-		return
-	}
-
-	addr, ok := netip.AddrFromSlice(localIP6)
-	if !ok {
-		log.Debugf("invalid IPv6 local IP: %v", localIP6)
-		return
-	}
-	result.mu.Lock()
-	result.client6 = client6
-	result.localIP6 = addr
-	result.mu.Unlock()
-	log.Debugf("PCP IPv6 gateway discovered: %s (local: %s)", gateway6, localIP6)
-}
-
-// getDefaultGateway returns the default IPv4 gateway and local IP using the system routing table.
-func getDefaultGateway() (gateway net.IP, localIP net.IP, err error) {
-	router, err := netroute.New()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	_, gateway, localIP, err = router.Route(net.IPv4zero)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	if gateway == nil {
-		return nil, nil, nat.ErrNoNATFound
-	}
-
-	return gateway, localIP, nil
-}
-
-// getDefaultGateway6 returns the default IPv6 gateway IP address using the system routing table.
-func getDefaultGateway6() (gateway net.IP, localIP net.IP, err error) {
-	router, err := netroute.New()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	_, gateway, localIP, err = router.Route(net.IPv6zero)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	if gateway == nil {
-		return nil, nil, nat.ErrNoNATFound
-	}
-
-	return gateway, localIP, nil
-}

client/internal/portforward/pcp/protocol.go

@@ -1,225 +0,0 @@
-// Package pcp implements the Port Control Protocol (RFC 6887).
-//
-// # Implemented Features
-//
-//   - ANNOUNCE opcode: Discovers PCP server support
-//   - MAP opcode: Creates/deletes port mappings (IPv4 NAT) and firewall pinholes (IPv6)
-//   - Dual-stack: Simultaneous IPv4 and IPv6 support via separate clients
-//   - Nonce validation: Prevents response spoofing
-//   - Epoch tracking: Detects server restarts per Section 8.5
-//   - RFC-compliant retry timing: 3s initial, exponential backoff to 1024s max (Section 8.1.1)
-//
-// # Not Implemented
-//
-//   - PEER opcode: For outbound peer connections (not needed for inbound NAT traversal)
-//   - THIRD_PARTY option: For managing mappings on behalf of other devices
-//   - PREFER_FAILURE option: Requires exact external port or fail (IPv4 NAT only, not needed for IPv6 pinholing)
-//   - FILTER option: To restrict remote peer addresses
-//
-// These optional features are omitted because the primary use case is simple
-// port forwarding for WireGuard, which only requires MAP with default behavior.
-package pcp
-
-import (
-	"encoding/binary"
-	"fmt"
-	"net/netip"
-)
-
-const (
-	// Version is the PCP protocol version (RFC 6887).
-	Version = 2
-
-	// Port is the standard PCP server port.
-	Port = 5351
-
-	// DefaultLifetime is the default requested mapping lifetime in seconds.
-	DefaultLifetime = 7200 // 2 hours
-
-	// Header sizes
-	headerSize     = 24
-	mapPayloadSize = 36
-	mapRequestSize = headerSize + mapPayloadSize // 60 bytes
-)
-
-// Opcodes
-const (
-	OpAnnounce = 0
-	OpMap      = 1
-	OpPeer     = 2
-	OpReply    = 0x80 // OR'd with opcode in responses
-)
-
-// Protocol numbers for MAP requests
-const (
-	ProtoUDP = 17
-	ProtoTCP = 6
-)
-
-// Result codes (RFC 6887 Section 7.4)
-const (
-	ResultSuccess              = 0
-	ResultUnsuppVersion        = 1
-	ResultNotAuthorized        = 2
-	ResultMalformedRequest     = 3
-	ResultUnsuppOpcode         = 4
-	ResultUnsuppOption         = 5
-	ResultMalformedOption      = 6
-	ResultNetworkFailure       = 7
-	ResultNoResources          = 8
-	ResultUnsuppProtocol       = 9
-	ResultUserExQuota          = 10
-	ResultCannotProvideExt     = 11
-	ResultAddressMismatch      = 12
-	ResultExcessiveRemotePeers = 13
-)
-
-// ResultCodeString returns a human-readable string for a result code.
-func ResultCodeString(code uint8) string {
-	switch code {
-	case ResultSuccess:
-		return "SUCCESS"
-	case ResultUnsuppVersion:
-		return "UNSUPP_VERSION"
-	case ResultNotAuthorized:
-		return "NOT_AUTHORIZED"
-	case ResultMalformedRequest:
-		return "MALFORMED_REQUEST"
-	case ResultUnsuppOpcode:
-		return "UNSUPP_OPCODE"
-	case ResultUnsuppOption:
-		return "UNSUPP_OPTION"
-	case ResultMalformedOption:
-		return "MALFORMED_OPTION"
-	case ResultNetworkFailure:
-		return "NETWORK_FAILURE"
-	case ResultNoResources:
-		return "NO_RESOURCES"
-	case ResultUnsuppProtocol:
-		return "UNSUPP_PROTOCOL"
-	case ResultUserExQuota:
-		return "USER_EX_QUOTA"
-	case ResultCannotProvideExt:
-		return "CANNOT_PROVIDE_EXTERNAL"
-	case ResultAddressMismatch:
-		return "ADDRESS_MISMATCH"
-	case ResultExcessiveRemotePeers:
-		return "EXCESSIVE_REMOTE_PEERS"
-	default:
-		return fmt.Sprintf("UNKNOWN(%d)", code)
-	}
-}
-
-// Response represents a parsed PCP response header.
-type Response struct {
-	Version    uint8
-	Opcode     uint8
-	ResultCode uint8
-	Lifetime   uint32
-	Epoch      uint32
-}
-
-// MapResponse contains the full response to a MAP request.
-type MapResponse struct {
-	Response
-	Nonce        [12]byte
-	Protocol     uint8
-	InternalPort uint16
-	ExternalPort uint16
-	ExternalIP   netip.Addr
-}
-
-// addrTo16 converts an address to its 16-byte IPv4-mapped IPv6 representation.
-func addrTo16(addr netip.Addr) [16]byte {
-	if addr.Is4() {
-		return netip.AddrFrom4(addr.As4()).As16()
-	}
-	return addr.As16()
-}
-
-// addrFrom16 extracts an address from a 16-byte representation, unmapping IPv4.
-func addrFrom16(b [16]byte) netip.Addr {
-	return netip.AddrFrom16(b).Unmap()
-}
-
-// buildAnnounceRequest creates a PCP ANNOUNCE request packet.
-func buildAnnounceRequest(clientIP netip.Addr) []byte {
-	req := make([]byte, headerSize)
-	req[0] = Version
-	req[1] = OpAnnounce
-	mapped := addrTo16(clientIP)
-	copy(req[8:24], mapped[:])
-	return req
-}
-
-// buildMapRequest creates a PCP MAP request packet.
-func buildMapRequest(clientIP netip.Addr, nonce [12]byte, protocol uint8, internalPort, suggestedExtPort uint16, suggestedExtIP netip.Addr, lifetime uint32) []byte {
-	req := make([]byte, mapRequestSize)
-
-	// Header
-	req[0] = Version
-	req[1] = OpMap
-	binary.BigEndian.PutUint32(req[4:8], lifetime)
-	mapped := addrTo16(clientIP)
-	copy(req[8:24], mapped[:])
-
-	// MAP payload
-	copy(req[24:36], nonce[:])
-	req[36] = protocol
-	binary.BigEndian.PutUint16(req[40:42], internalPort)
-	binary.BigEndian.PutUint16(req[42:44], suggestedExtPort)
-	if suggestedExtIP.IsValid() {
-		extMapped := addrTo16(suggestedExtIP)
-		copy(req[44:60], extMapped[:])
-	}
-
-	return req
-}
-
-// parseResponse parses the common PCP response header.
-func parseResponse(data []byte) (*Response, error) {
-	if len(data) < headerSize {
-		return nil, fmt.Errorf("response too short: %d bytes", len(data))
-	}
-
-	resp := &Response{
-		Version:    data[0],
-		Opcode:     data[1],
-		ResultCode: data[3], // Byte 2 is reserved, byte 3 is result code (RFC 6887 §7.2)
-		Lifetime:   binary.BigEndian.Uint32(data[4:8]),
-		Epoch:      binary.BigEndian.Uint32(data[8:12]),
-	}
-
-	if resp.Version != Version {
-		return nil, fmt.Errorf("unsupported PCP version: %d", resp.Version)
-	}
-
-	if resp.Opcode&OpReply == 0 {
-		return nil, fmt.Errorf("response missing reply bit: opcode=0x%02x", resp.Opcode)
-	}
-
-	return resp, nil
-}
-
-// parseMapResponse parses a complete MAP response.
-func parseMapResponse(data []byte) (*MapResponse, error) {
-	if len(data) < mapRequestSize {
-		return nil, fmt.Errorf("MAP response too short: %d bytes", len(data))
-	}
-
-	resp, err := parseResponse(data)
-	if err != nil {
-		return nil, fmt.Errorf("parse header: %w", err)
-	}
-
-	mapResp := &MapResponse{
-		Response:     *resp,
-		Protocol:     data[36],
-		InternalPort: binary.BigEndian.Uint16(data[40:42]),
-		ExternalPort: binary.BigEndian.Uint16(data[42:44]),
-		ExternalIP:   addrFrom16([16]byte(data[44:60])),
-	}
-	copy(mapResp.Nonce[:], data[24:36])
-
-	return mapResp, nil
-}

client/internal/portforward/state.go

@@ -1,63 +0,0 @@
-//go:build !js
-
-package portforward
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/libp2p/go-nat"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/portforward/pcp"
-)
-
-// discoverGateway is the function used for NAT gateway discovery.
-// It can be replaced in tests to avoid real network operations.
-// Tries PCP first, then falls back to NAT-PMP/UPnP.
-var discoverGateway = defaultDiscoverGateway
-
-func defaultDiscoverGateway(ctx context.Context) (nat.NAT, error) {
-	pcpGateway, err := pcp.DiscoverPCP(ctx)
-	if err == nil {
-		return pcpGateway, nil
-	}
-	log.Debugf("PCP discovery failed: %v, trying NAT-PMP/UPnP", err)
-
-	return nat.DiscoverGateway(ctx)
-}
-
-// State is persisted only for crash recovery cleanup
-type State struct {
-	InternalPort uint16 `json:"internal_port,omitempty"`
-	Protocol     string `json:"protocol,omitempty"`
-}
-
-func (s *State) Name() string {
-	return "port_forward_state"
-}
-
-// Cleanup implements statemanager.CleanableState for crash recovery
-func (s *State) Cleanup() error {
-	if s.InternalPort == 0 {
-		return nil
-	}
-
-	log.Infof("cleaning up stale port mapping for port %d", s.InternalPort)
-
-	ctx, cancel := context.WithTimeout(context.Background(), discoveryTimeout)
-	defer cancel()
-
-	gateway, err := discoverGateway(ctx)
-	if err != nil {
-		// Discovery failure is not an error - gateway may not exist
-		log.Debugf("cleanup: no gateway found: %v", err)
-		return nil
-	}
-
-	if err := gateway.DeletePortMapping(ctx, s.Protocol, int(s.InternalPort)); err != nil {
-		return fmt.Errorf("delete port mapping: %w", err)
-	}
-
-	return nil
-}

client/internal/profilemanager/config.go

@@ -64,11 +64,13 @@ type ConfigInput struct {
 	StateFilePath                 string
 	PreSharedKey                  *string
 	ServerSSHAllowed              *bool
+	ServerVNCAllowed              *bool
 	EnableSSHRoot                 *bool
 	EnableSSHSFTP                 *bool
 	EnableSSHLocalPortForwarding  *bool
 	EnableSSHRemotePortForwarding *bool
 	DisableSSHAuth                *bool
+	DisableVNCAuth                *bool
 	SSHJWTCacheTTL                *int
 	NATExternalIPs                []string
 	CustomDNSAddress              []byte
@@ -114,11 +116,13 @@ type Config struct {
 	RosenpassEnabled              bool
 	RosenpassPermissive           bool
 	ServerSSHAllowed              *bool
+	ServerVNCAllowed              *bool
 	EnableSSHRoot                 *bool
 	EnableSSHSFTP                 *bool
 	EnableSSHLocalPortForwarding  *bool
 	EnableSSHRemotePortForwarding *bool
 	DisableSSHAuth                *bool
+	DisableVNCAuth                *bool
 	SSHJWTCacheTTL                *int
 
 	DisableClientRoutes bool
@@ -415,6 +419,21 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
+	if input.ServerVNCAllowed != nil {
+		if config.ServerVNCAllowed == nil || *input.ServerVNCAllowed != *config.ServerVNCAllowed {
+			if *input.ServerVNCAllowed {
+				log.Infof("enabling VNC server")
+			} else {
+				log.Infof("disabling VNC server")
+			}
+			config.ServerVNCAllowed = input.ServerVNCAllowed
+			updated = true
+		}
+	} else if config.ServerVNCAllowed == nil {
+		config.ServerVNCAllowed = util.True()
+		updated = true
+	}
+
 	if input.EnableSSHRoot != nil && input.EnableSSHRoot != config.EnableSSHRoot {
 		if *input.EnableSSHRoot {
 			log.Infof("enabling SSH root login")
@@ -465,6 +484,16 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
+	if input.DisableVNCAuth != nil && input.DisableVNCAuth != config.DisableVNCAuth {
+		if *input.DisableVNCAuth {
+			log.Infof("disabling VNC authentication")
+		} else {
+			log.Infof("enabling VNC authentication")
+		}
+		config.DisableVNCAuth = input.DisableVNCAuth
+		updated = true
+	}
+
 	if input.SSHJWTCacheTTL != nil && input.SSHJWTCacheTTL != config.SSHJWTCacheTTL {
 		log.Infof("updating SSH JWT cache TTL to %d seconds", *input.SSHJWTCacheTTL)
 		config.SSHJWTCacheTTL = input.SSHJWTCacheTTL

client/internal/routemanager/systemops/systemops_bsd_other.go

@@ -1,10 +0,0 @@
-//go:build (dragonfly || freebsd || netbsd || openbsd) && !darwin
-
-package systemops
-
-// Non-darwin BSDs don't support the IP_BOUND_IF + scoped default model. They
-// always fall through to the ref-counter exclusion-route path; these stubs
-// exist only so systemops_unix.go compiles.
-func (r *SysOps) setupAdvancedRouting() error   { return nil }
-func (r *SysOps) cleanupAdvancedRouting() error { return nil }
-func (r *SysOps) flushPlatformExtras() error    { return nil }

client/internal/routemanager/systemops/systemops_darwin.go

@@ -1,217 +0,0 @@
-//go:build darwin && !ios
-
-package systemops
-
-import (
-	"errors"
-	"fmt"
-	"net/netip"
-
-	"github.com/hashicorp/go-multierror"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/net/route"
-	"golang.org/x/sys/unix"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
-	nbnet "github.com/netbirdio/netbird/client/net"
-)
-
-// setupAdvancedRouting installs an RTF_IFSCOPE default route per address family
-// pinned to the current physical egress, so IP_BOUND_IF scoped lookups can
-// resolve gateway'd destinations while the VPN's split default owns the
-// unscoped table.
-//
-// Timing note: this runs during routeManager.Init, which happens before the
-// VPN interface is created and before any peer routes propagate. The initial
-// mgmt / signal / relay TCP dials always fire before this runs, so those
-// sockets miss the IP_BOUND_IF binding and rely on the kernel's normal route
-// lookup, which at that point correctly picks the physical default. Those
-// already-established TCP flows keep their originally-selected interface for
-// their lifetime on Darwin because the kernel caches the egress route
-// per-socket at connect time; adding the VPN's 0/1 + 128/1 split default
-// afterwards does not migrate them since the original en0 default stays in
-// the table. Any subsequent reconnect via nbnet.NewDialer picks up the
-// populated bound-iface cache and gets IP_BOUND_IF set cleanly.
-func (r *SysOps) setupAdvancedRouting() error {
-	if err := r.flushScopedDefaults(); err != nil {
-		log.Warnf("flush residual scoped defaults: %v", err)
-	}
-
-	var merr *multierror.Error
-	installed := 0
-
-	for _, unspec := range []netip.Addr{netip.IPv4Unspecified(), netip.IPv6Unspecified()} {
-		ok, err := r.installScopedDefaultFor(unspec)
-		if err != nil {
-			merr = multierror.Append(merr, err)
-			continue
-		}
-		if ok {
-			installed++
-		}
-	}
-
-	if installed == 0 && merr != nil {
-		return nberrors.FormatErrorOrNil(merr)
-	}
-	if merr != nil {
-		log.Warnf("advanced routing setup partially succeeded: %v", nberrors.FormatErrorOrNil(merr))
-	}
-	return nil
-}
-
-// installScopedDefaultFor resolves the physical default nexthop for the given
-// address family, installs a scoped default via it, and caches the iface for
-// subsequent IP_BOUND_IF / IPV6_BOUND_IF socket binds.
-func (r *SysOps) installScopedDefaultFor(unspec netip.Addr) (bool, error) {
-	nexthop, err := GetNextHop(unspec)
-	if err != nil {
-		if errors.Is(err, vars.ErrRouteNotFound) {
-			return false, nil
-		}
-		return false, fmt.Errorf("get default nexthop for %s: %w", unspec, err)
-	}
-	if nexthop.Intf == nil || !nexthop.IP.IsValid() {
-		return false, fmt.Errorf("unusable default nexthop for %s (iface=%v gw=%v)",
-			unspec, nexthop.Intf, nexthop.IP)
-	}
-
-	if err := r.addScopedDefault(unspec, nexthop); err != nil {
-		return false, fmt.Errorf("add scoped default via %s on %s: %w",
-			nexthop.IP, nexthop.Intf.Name, err)
-	}
-
-	af := unix.AF_INET
-	if unspec.Is6() {
-		af = unix.AF_INET6
-	}
-	nbnet.SetBoundInterface(af, nexthop.Intf)
-	log.Infof("installed scoped default route via %s on %s for %s",
-		nexthop.IP, nexthop.Intf.Name, afOf(unspec))
-	return true, nil
-}
-
-func (r *SysOps) cleanupAdvancedRouting() error {
-	nbnet.ClearBoundInterfaces()
-	return r.flushScopedDefaults()
-}
-
-// flushPlatformExtras runs darwin-specific residual cleanup hooked into the
-// generic FlushMarkedRoutes path, so a crashed daemon's scoped defaults get
-// removed on the next boot regardless of whether a profile is brought up.
-func (r *SysOps) flushPlatformExtras() error {
-	return r.flushScopedDefaults()
-}
-
-// flushScopedDefaults removes any scoped default routes tagged with routeProtoFlag.
-// Safe to call at startup to clear residual entries from a prior session.
-func (r *SysOps) flushScopedDefaults() error {
-	rib, err := retryFetchRIB()
-	if err != nil {
-		return fmt.Errorf("fetch routing table: %w", err)
-	}
-
-	msgs, err := route.ParseRIB(route.RIBTypeRoute, rib)
-	if err != nil {
-		return fmt.Errorf("parse routing table: %w", err)
-	}
-
-	var merr *multierror.Error
-	removed := 0
-
-	for _, msg := range msgs {
-		rtMsg, ok := msg.(*route.RouteMessage)
-		if !ok {
-			continue
-		}
-		if rtMsg.Flags&routeProtoFlag == 0 {
-			continue
-		}
-		if rtMsg.Flags&unix.RTF_IFSCOPE == 0 {
-			continue
-		}
-
-		info, err := MsgToRoute(rtMsg)
-		if err != nil {
-			log.Debugf("skip scoped flush: %v", err)
-			continue
-		}
-		if !info.Dst.IsValid() || info.Dst.Bits() != 0 {
-			continue
-		}
-
-		if err := r.deleteScopedRoute(rtMsg); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("delete scoped default %s on index %d: %w",
-				info.Dst, rtMsg.Index, err))
-			continue
-		}
-		removed++
-		log.Debugf("flushed residual scoped default %s on index %d", info.Dst, rtMsg.Index)
-	}
-
-	if removed > 0 {
-		log.Infof("flushed %d residual scoped default route(s)", removed)
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *SysOps) addScopedDefault(unspec netip.Addr, nexthop Nexthop) error {
-	return r.scopedRouteSocket(unix.RTM_ADD, unspec, nexthop)
-}
-
-func (r *SysOps) deleteScopedRoute(rtMsg *route.RouteMessage) error {
-	// Preserve identifying flags from the stored route (including RTF_GATEWAY
-	// only if present); kernel-set bits like RTF_DONE don't belong on RTM_DELETE.
-	keep := unix.RTF_UP | unix.RTF_STATIC | unix.RTF_GATEWAY | unix.RTF_IFSCOPE | routeProtoFlag
-	del := &route.RouteMessage{
-		Type:    unix.RTM_DELETE,
-		Flags:   rtMsg.Flags & keep,
-		Version: unix.RTM_VERSION,
-		Seq:     r.getSeq(),
-		Index:   rtMsg.Index,
-		Addrs:   rtMsg.Addrs,
-	}
-	return r.writeRouteMessage(del)
-}
-
-func (r *SysOps) scopedRouteSocket(action int, unspec netip.Addr, nexthop Nexthop) error {
-	flags := unix.RTF_UP | unix.RTF_STATIC | unix.RTF_GATEWAY | unix.RTF_IFSCOPE | routeProtoFlag
-
-	msg := &route.RouteMessage{
-		Type:    action,
-		Flags:   flags,
-		Version: unix.RTM_VERSION,
-		Seq:     r.getSeq(),
-		Index:   nexthop.Intf.Index,
-	}
-
-	const numAddrs = unix.RTAX_NETMASK + 1
-	addrs := make([]route.Addr, numAddrs)
-
-	dst, err := addrToRouteAddr(unspec)
-	if err != nil {
-		return fmt.Errorf("build destination: %w", err)
-	}
-	mask, err := prefixToRouteNetmask(netip.PrefixFrom(unspec, 0))
-	if err != nil {
-		return fmt.Errorf("build netmask: %w", err)
-	}
-	gw, err := addrToRouteAddr(nexthop.IP.Unmap())
-	if err != nil {
-		return fmt.Errorf("build gateway: %w", err)
-	}
-	addrs[unix.RTAX_DST] = dst
-	addrs[unix.RTAX_NETMASK] = mask
-	addrs[unix.RTAX_GATEWAY] = gw
-	msg.Addrs = addrs
-
-	return r.writeRouteMessage(msg)
-}
-
-func afOf(a netip.Addr) string {
-	if a.Is4() {
-		return "IPv4"
-	}
-	return "IPv6"
-}

client/internal/routemanager/systemops/systemops_generic.go

@@ -21,7 +21,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/util"
 	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/client/net/hooks"
 )
 
@@ -32,6 +31,8 @@ var splitDefaultv4_2 = netip.PrefixFrom(netip.AddrFrom4([4]byte{128}), 1)
 var splitDefaultv6_1 = netip.PrefixFrom(netip.IPv6Unspecified(), 1)
 var splitDefaultv6_2 = netip.PrefixFrom(netip.AddrFrom16([16]byte{0x80}), 1)
 
+var ErrRoutingIsSeparate = errors.New("routing is separate")
+
 func (r *SysOps) setupRefCounter(initAddresses []net.IP, stateManager *statemanager.Manager) error {
 	stateManager.RegisterState(&ShutdownState{})
 
@@ -396,16 +397,12 @@ func ipToAddr(ip net.IP, intf *net.Interface) (netip.Addr, error) {
 }
 
 // IsAddrRouted checks if the candidate address would route to the vpn, in which case it returns true and the matched prefix.
-// When advanced routing is active the WG socket is bound to the physical interface (fwmark on linux,
-// IP_UNICAST_IF on windows, IP_BOUND_IF on darwin) and bypasses the main routing table, so the check is skipped.
 func IsAddrRouted(addr netip.Addr, vpnRoutes []netip.Prefix) (bool, netip.Prefix) {
-	if nbnet.AdvancedRouting() {
-		return false, netip.Prefix{}
-	}
-
-	localRoutes, err := GetRoutesFromTable()
+	localRoutes, err := hasSeparateRouting()
 	if err != nil {
-		log.Errorf("Failed to get routes: %v", err)
+		if !errors.Is(err, ErrRoutingIsSeparate) {
+			log.Errorf("Failed to get routes: %v", err)
+		}
 		return false, netip.Prefix{}
 	}
 

client/internal/routemanager/systemops/systemops_js.go

@@ -22,6 +22,10 @@ func GetRoutesFromTable() ([]netip.Prefix, error) {
 	return []netip.Prefix{}, nil
 }
 
+func hasSeparateRouting() ([]netip.Prefix, error) {
+	return []netip.Prefix{}, nil
+}
+
 // GetDetailedRoutesFromTable returns empty routes for WASM.
 func GetDetailedRoutesFromTable() ([]DetailedRoute, error) {
 	return []DetailedRoute{}, nil

client/internal/routemanager/systemops/systemops_linux.go

@@ -894,6 +894,13 @@ func getAddressFamily(prefix netip.Prefix) int {
 	return netlink.FAMILY_V6
 }
 
+func hasSeparateRouting() ([]netip.Prefix, error) {
+	if !nbnet.AdvancedRouting() {
+		return GetRoutesFromTable()
+	}
+	return nil, ErrRoutingIsSeparate
+}
+
 func isOpErr(err error) bool {
 	// EAFTNOSUPPORT when ipv6 is disabled via sysctl, EOPNOTSUPP when disabled in boot options or otherwise not supported
 	if errors.Is(err, syscall.EAFNOSUPPORT) || errors.Is(err, syscall.EOPNOTSUPP) {

client/internal/routemanager/systemops/systemops_nonlinux.go

@@ -48,6 +48,10 @@ func EnableIPForwarding() error {
 	return nil
 }
 
+func hasSeparateRouting() ([]netip.Prefix, error) {
+	return GetRoutesFromTable()
+}
+
 // GetIPRules returns IP rules for debugging (not supported on non-Linux platforms)
 func GetIPRules() ([]IPRule, error) {
 	log.Infof("IP rules collection is not supported on %s", runtime.GOOS)

client/internal/routemanager/systemops/systemops_unix.go

@@ -41,42 +41,26 @@ func init() {
 }
 
 func (r *SysOps) SetupRouting(initAddresses []net.IP, stateManager *statemanager.Manager, advancedRouting bool) error {
-	if advancedRouting {
-		return r.setupAdvancedRouting()
-	}
-
-	log.Infof("Using legacy routing setup with ref counters")
 	return r.setupRefCounter(initAddresses, stateManager)
 }
 
 func (r *SysOps) CleanupRouting(stateManager *statemanager.Manager, advancedRouting bool) error {
-	if advancedRouting {
-		return r.cleanupAdvancedRouting()
-	}
-
 	return r.cleanupRefCounter(stateManager)
 }
 
 // FlushMarkedRoutes removes single IP exclusion routes marked with the configured RTF_PROTO flag.
-// On darwin it also flushes residual RTF_IFSCOPE scoped default routes so a
-// crashed prior session can't leave crud in the table.
 func (r *SysOps) FlushMarkedRoutes() error {
-	var merr *multierror.Error
-
-	if err := r.flushPlatformExtras(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("flush platform extras: %w", err))
-	}
-
 	rib, err := retryFetchRIB()
 	if err != nil {
-		return nberrors.FormatErrorOrNil(multierror.Append(merr, fmt.Errorf("fetch routing table: %w", err)))
+		return fmt.Errorf("fetch routing table: %w", err)
 	}
 
 	msgs, err := route.ParseRIB(route.RIBTypeRoute, rib)
 	if err != nil {
-		return nberrors.FormatErrorOrNil(multierror.Append(merr, fmt.Errorf("parse routing table: %w", err)))
+		return fmt.Errorf("parse routing table: %w", err)
 	}
 
+	var merr *multierror.Error
 	flushedCount := 0
 
 	for _, msg := range msgs {
@@ -133,12 +117,12 @@ func (r *SysOps) routeSocket(action int, prefix netip.Prefix, nexthop Nexthop) e
 		return fmt.Errorf("invalid prefix: %s", prefix)
 	}
 
-	msg, err := r.buildRouteMessage(action, prefix, nexthop)
-	if err != nil {
-		return fmt.Errorf("build route message: %w", err)
-	}
+	expBackOff := backoff.NewExponentialBackOff()
+	expBackOff.InitialInterval = 50 * time.Millisecond
+	expBackOff.MaxInterval = 500 * time.Millisecond
+	expBackOff.MaxElapsedTime = 1 * time.Second
 
-	if err := r.writeRouteMessage(msg); err != nil {
+	if err := backoff.Retry(r.routeOp(action, prefix, nexthop), expBackOff); err != nil {
 		a := "add"
 		if action == unix.RTM_DELETE {
 			a = "remove"
@@ -148,80 +132,50 @@ func (r *SysOps) routeSocket(action int, prefix netip.Prefix, nexthop Nexthop) e
 	return nil
 }
 
-// writeRouteMessage sends a route message over AF_ROUTE and waits for the
-// kernel's matching reply, retrying transient failures. Callers do not need to
-// manage sockets or seq numbers themselves.
-func (r *SysOps) writeRouteMessage(msg *route.RouteMessage) error {
-	expBackOff := backoff.NewExponentialBackOff()
-	expBackOff.InitialInterval = 50 * time.Millisecond
-	expBackOff.MaxInterval = 500 * time.Millisecond
-	expBackOff.MaxElapsedTime = 1 * time.Second
-
-	return backoff.Retry(func() error { return routeMessageRoundtrip(msg) }, expBackOff)
-}
-
-func routeMessageRoundtrip(msg *route.RouteMessage) error {
-	fd, err := unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
-	if err != nil {
-		return fmt.Errorf("open routing socket: %w", err)
-	}
-	defer func() {
-		if err := unix.Close(fd); err != nil && !errors.Is(err, unix.EBADF) {
-			log.Warnf("close routing socket: %v", err)
-		}
-	}()
-
-	tv := unix.Timeval{Sec: 1}
-	if err := unix.SetsockoptTimeval(fd, unix.SOL_SOCKET, unix.SO_RCVTIMEO, &tv); err != nil {
-		return backoff.Permanent(fmt.Errorf("set recv timeout: %w", err))
-	}
-
-	bytes, err := msg.Marshal()
-	if err != nil {
-		return backoff.Permanent(fmt.Errorf("marshal: %w", err))
-	}
-
-	if _, err = unix.Write(fd, bytes); err != nil {
-		if errors.Is(err, unix.ENOBUFS) || errors.Is(err, unix.EAGAIN) {
-			return fmt.Errorf("write: %w", err)
-		}
-		return backoff.Permanent(fmt.Errorf("write: %w", err))
-	}
-	return readRouteResponse(fd, msg.Type, msg.Seq)
-}
-
-// readRouteResponse reads from the AF_ROUTE socket until it sees a reply
-// matching our write (same type, seq, and pid). AF_ROUTE SOCK_RAW is a
-// broadcast channel: interface up/down, third-party route changes and neighbor
-// discovery events can all land between our write and read, so we must filter.
-func readRouteResponse(fd, wantType, wantSeq int) error {
-	pid := int32(os.Getpid())
-	resp := make([]byte, 2048)
-	deadline := time.Now().Add(time.Second)
-	for {
-		if time.Now().After(deadline) {
-			return backoff.Permanent(fmt.Errorf("read: timeout waiting for route reply type=%d seq=%d", wantType, wantSeq))
-		}
-		n, err := unix.Read(fd, resp)
+func (r *SysOps) routeOp(action int, prefix netip.Prefix, nexthop Nexthop) func() error {
+	operation := func() error {
+		fd, err := unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
 		if err != nil {
-			if errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EWOULDBLOCK) {
-				// SO_RCVTIMEO fired while waiting; loop to re-check the absolute deadline.
-				continue
+			return fmt.Errorf("open routing socket: %w", err)
+		}
+		defer func() {
+			if err := unix.Close(fd); err != nil && !errors.Is(err, unix.EBADF) {
+				log.Warnf("failed to close routing socket: %v", err)
 			}
-			return backoff.Permanent(fmt.Errorf("read: %w", err))
+		}()
+
+		msg, err := r.buildRouteMessage(action, prefix, nexthop)
+		if err != nil {
+			return backoff.Permanent(fmt.Errorf("build route message: %w", err))
 		}
-		if n < int(unsafe.Sizeof(unix.RtMsghdr{})) {
-			continue
+
+		msgBytes, err := msg.Marshal()
+		if err != nil {
+			return backoff.Permanent(fmt.Errorf("marshal route message: %w", err))
 		}
-		hdr := (*unix.RtMsghdr)(unsafe.Pointer(&resp[0]))
-		if int(hdr.Type) != wantType || int(hdr.Seq) != wantSeq || hdr.Pid != pid {
-			continue
+
+		if _, err = unix.Write(fd, msgBytes); err != nil {
+			if errors.Is(err, unix.ENOBUFS) || errors.Is(err, unix.EAGAIN) {
+				return fmt.Errorf("write: %w", err)
+			}
+			return backoff.Permanent(fmt.Errorf("write: %w", err))
 		}
-		if hdr.Errno != 0 {
-			return backoff.Permanent(fmt.Errorf("kernel errno %d", hdr.Errno))
+
+		respBuf := make([]byte, 2048)
+		n, err := unix.Read(fd, respBuf)
+		if err != nil {
+			return backoff.Permanent(fmt.Errorf("read route response: %w", err))
 		}
+
+		if n > 0 {
+			if err := r.parseRouteResponse(respBuf[:n]); err != nil {
+				return backoff.Permanent(err)
+			}
+		}
+
 		return nil
 	}
+	return operation
 }
 
 func (r *SysOps) buildRouteMessage(action int, prefix netip.Prefix, nexthop Nexthop) (msg *route.RouteMessage, err error) {
@@ -267,6 +221,19 @@ func (r *SysOps) buildRouteMessage(action int, prefix netip.Prefix, nexthop Next
 	return msg, nil
 }
 
+func (r *SysOps) parseRouteResponse(buf []byte) error {
+	if len(buf) < int(unsafe.Sizeof(unix.RtMsghdr{})) {
+		return nil
+	}
+
+	rtMsg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
+	if rtMsg.Errno != 0 {
+		return fmt.Errorf("parse: %d", rtMsg.Errno)
+	}
+
+	return nil
+}
+
 // addrToRouteAddr converts a netip.Addr to the appropriate route.Addr (*route.Inet4Addr or *route.Inet6Addr).
 func addrToRouteAddr(addr netip.Addr) (route.Addr, error) {
 	if addr.Is4() {

client/net/dialer_init_darwin.go

@@ -1,5 +0,0 @@
-package net
-
-func (d *Dialer) init() {
-	d.Dialer.Control = applyBoundIfToSocket
-}

client/net/dialer_init_generic.go

@@ -1,4 +1,4 @@
-//go:build !linux && !windows && !darwin
+//go:build !linux && !windows
 
 package net
 

client/net/env_android.go

@@ -0,0 +1,24 @@
+//go:build android
+
+package net
+
+// Init initializes the network environment for Android
+func Init() {
+	// No initialization needed on Android
+}
+
+// AdvancedRouting reports whether routing loops can be avoided without using exclusion routes.
+// Always returns true on Android since we cannot handle routes dynamically.
+func AdvancedRouting() bool {
+	return true
+}
+
+// SetVPNInterfaceName is a no-op on Android
+func SetVPNInterfaceName(name string) {
+	// No-op on Android - not needed for Android VPN service
+}
+
+// GetVPNInterfaceName returns empty string on Android
+func GetVPNInterfaceName() string {
+	return ""
+}

client/net/env_generic.go

@@ -1,4 +1,4 @@
-//go:build !linux && !windows && !darwin
+//go:build !linux && !windows && !android
 
 package net
 

client/net/env_mobile.go

@@ -1,23 +0,0 @@
-//go:build ios || android
-
-package net
-
-// Init initializes the network environment for mobile platforms.
-func Init() {
-}
-
-// AdvancedRouting reports whether routing loops can be avoided without using exclusion routes.
-// Always returns true on mobile since routes cannot be handled dynamically and the VPN extension
-// owns the routing scope.
-func AdvancedRouting() bool {
-	return true
-}
-
-// SetVPNInterfaceName is a no-op on mobile.
-func SetVPNInterfaceName(string) {
-}
-
-// GetVPNInterfaceName returns an empty string on mobile.
-func GetVPNInterfaceName() string {
-	return ""
-}

client/net/env_windows.go

@@ -1,4 +1,4 @@
-//go:build (darwin && !ios) || windows
+//go:build windows
 
 package net
 
@@ -24,22 +24,17 @@ func Init() {
 }
 
 func checkAdvancedRoutingSupport() bool {
-	legacyRouting := false
+	var err error
+	var legacyRouting bool
 	if val := os.Getenv(envUseLegacyRouting); val != "" {
-		parsed, err := strconv.ParseBool(val)
+		legacyRouting, err = strconv.ParseBool(val)
 		if err != nil {
-			log.Warnf("ignoring unparsable %s=%q: %v", envUseLegacyRouting, val, err)
-		} else {
-			legacyRouting = parsed
+			log.Warnf("failed to parse %s: %v", envUseLegacyRouting, err)
 		}
 	}
 
-	if legacyRouting {
-		log.Infof("advanced routing disabled: legacy routing requested via %s", envUseLegacyRouting)
-		return false
-	}
-	if netstack.IsEnabled() {
-		log.Info("advanced routing disabled: netstack mode is enabled")
+	if legacyRouting || netstack.IsEnabled() {
+		log.Info("advanced routing has been requested to be disabled")
 		return false
 	}
 

client/net/listener_init_darwin.go

@@ -1,5 +0,0 @@
-package net
-
-func (l *ListenerConfig) init() {
-	l.ListenConfig.Control = applyBoundIfToSocket
-}

client/net/listener_init_generic.go

@@ -1,4 +1,4 @@
-//go:build !linux && !windows && !darwin
+//go:build !linux && !windows
 
 package net
 

client/net/net_darwin.go

@@ -1,150 +0,0 @@
-package net
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-	"strconv"
-	"strings"
-	"sync"
-	"syscall"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
-)
-
-// On darwin IPV6_BOUND_IF also scopes v4-mapped egress from dual-stack
-// (IPV6_V6ONLY=0) AF_INET6 sockets, so a single setsockopt on "udp6"/"tcp6"
-// covers both families. Setting IP_BOUND_IF on an AF_INET6 socket returns
-// EINVAL regardless of V6ONLY because the IPPROTO_IP ctloutput path is
-// dispatched by socket domain (AF_INET only) not by inp_vflag.
-
-// boundIface holds the physical interface chosen at routing setup time. Sockets
-// created via nbnet.NewDialer / nbnet.NewListener bind to it via IP_BOUND_IF
-// (IPv4) or IPV6_BOUND_IF (IPv6 / dual-stack) so their scoped route lookup
-// hits the RTF_IFSCOPE default installed by the routemanager, rather than
-// following the VPN's split default.
-var (
-	boundIfaceMu sync.RWMutex
-	boundIface4  *net.Interface
-	boundIface6  *net.Interface
-)
-
-// SetBoundInterface records the egress interface for an address family. Called
-// by the routemanager after a scoped default route has been installed.
-// af must be unix.AF_INET or unix.AF_INET6; other values are ignored.
-// nil iface is rejected — use ClearBoundInterfaces to clear all slots.
-func SetBoundInterface(af int, iface *net.Interface) {
-	if iface == nil {
-		log.Warnf("SetBoundInterface: nil iface for AF %d, ignored", af)
-		return
-	}
-	boundIfaceMu.Lock()
-	defer boundIfaceMu.Unlock()
-	switch af {
-	case unix.AF_INET:
-		boundIface4 = iface
-	case unix.AF_INET6:
-		boundIface6 = iface
-	default:
-		log.Warnf("SetBoundInterface: unsupported address family %d", af)
-	}
-}
-
-// ClearBoundInterfaces resets the cached egress interfaces. Called by the
-// routemanager during cleanup.
-func ClearBoundInterfaces() {
-	boundIfaceMu.Lock()
-	defer boundIfaceMu.Unlock()
-	boundIface4 = nil
-	boundIface6 = nil
-}
-
-func boundInterfaceFor(network, address string) *net.Interface {
-	if iface := zoneInterface(address); iface != nil {
-		return iface
-	}
-
-	boundIfaceMu.RLock()
-	defer boundIfaceMu.RUnlock()
-
-	if isV6Network(network) {
-		return boundIface6
-	}
-	return boundIface4
-}
-
-func isV6Network(network string) bool {
-	return strings.HasSuffix(network, "6")
-}
-
-// zoneInterface extracts an explicit interface from an IPv6 link-local zone (e.g. fe80::1%en0).
-func zoneInterface(address string) *net.Interface {
-	if address == "" {
-		return nil
-	}
-	addr, err := netip.ParseAddrPort(address)
-	if err != nil {
-		a, err := netip.ParseAddr(address)
-		if err != nil {
-			return nil
-		}
-		addr = netip.AddrPortFrom(a, 0)
-	}
-	zone := addr.Addr().Zone()
-	if zone == "" {
-		return nil
-	}
-	if iface, err := net.InterfaceByName(zone); err == nil {
-		return iface
-	}
-	if idx, err := strconv.Atoi(zone); err == nil {
-		if iface, err := net.InterfaceByIndex(idx); err == nil {
-			return iface
-		}
-	}
-	return nil
-}
-
-func setIPv4BoundIf(fd uintptr, iface *net.Interface) error {
-	if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_IP, unix.IP_BOUND_IF, iface.Index); err != nil {
-		return fmt.Errorf("set IP_BOUND_IF: %w (interface: %s, index: %d)", err, iface.Name, iface.Index)
-	}
-	return nil
-}
-
-func setIPv6BoundIf(fd uintptr, iface *net.Interface) error {
-	if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_IPV6, unix.IPV6_BOUND_IF, iface.Index); err != nil {
-		return fmt.Errorf("set IPV6_BOUND_IF: %w (interface: %s, index: %d)", err, iface.Name, iface.Index)
-	}
-	return nil
-}
-
-// applyBoundIfToSocket binds the socket to the cached physical egress interface
-// so scoped route lookup avoids the VPN utun and egresses the underlay directly.
-func applyBoundIfToSocket(network, address string, c syscall.RawConn) error {
-	if !AdvancedRouting() {
-		return nil
-	}
-
-	iface := boundInterfaceFor(network, address)
-	if iface == nil {
-		return nil
-	}
-
-	isV6 := isV6Network(network)
-	var controlErr error
-	if err := c.Control(func(fd uintptr) {
-		if isV6 {
-			controlErr = setIPv6BoundIf(fd, iface)
-		} else {
-			controlErr = setIPv4BoundIf(fd, iface)
-		}
-		if controlErr == nil {
-			log.Debugf("set BOUND_IF=%d on %s for %s to %s", iface.Index, iface.Name, network, address)
-		}
-	}); err != nil {
-		return fmt.Errorf("control: %w", err)
-	}
-	return controlErr
-}

client/proto/daemon.proto

@@ -209,6 +209,9 @@ message LoginRequest {
   optional bool enableSSHRemotePortForwarding = 37;
   optional bool disableSSHAuth = 38;
   optional int32 sshJWTCacheTTL = 39;
+
+  optional bool serverVNCAllowed = 41;
+  optional bool disableVNCAuth = 42;
 }
 
 message LoginResponse {
@@ -316,6 +319,10 @@ message GetConfigResponse {
   bool disableSSHAuth = 25;
 
   int32 sshJWTCacheTTL = 26;
+
+  bool serverVNCAllowed = 28;
+
+  bool disableVNCAuth = 29;
 }
 
 // PeerState contains the latest state of a peer
@@ -394,6 +401,11 @@ message SSHServerState {
   repeated SSHSessionInfo sessions = 2;
 }
 
+// VNCServerState contains the latest state of the VNC server
+message VNCServerState {
+  bool enabled = 1;
+}
+
 // FullStatus contains the full state held by the Status instance
 message FullStatus {
   ManagementState managementState = 1;
@@ -408,6 +420,7 @@ message FullStatus {
 
   bool lazyConnectionEnabled = 9;
   SSHServerState sshServerState = 10;
+  VNCServerState vncServerState = 11;
 }
 
 // Networks
@@ -677,6 +690,9 @@ message SetConfigRequest {
   optional bool enableSSHRemotePortForwarding = 32;
   optional bool disableSSHAuth = 33;
   optional int32 sshJWTCacheTTL = 34;
+
+  optional bool serverVNCAllowed = 36;
+  optional bool disableVNCAuth = 37;
 }
 
 message SetConfigResponse{}
@@ -727,7 +743,6 @@ message GetFeaturesRequest{}
 message GetFeaturesResponse{
   bool disable_profiles = 1;
   bool disable_update_settings = 2;
-  bool disable_networks = 3;
 }
 
 message TriggerUpdateRequest {}

client/server/network.go

@@ -9,8 +9,6 @@ import (
 	"strings"
 
 	"golang.org/x/exp/maps"
-	"google.golang.org/grpc/codes"
-	gstatus "google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/route"
@@ -29,10 +27,6 @@ func (s *Server) ListNetworks(context.Context, *proto.ListNetworksRequest) (*pro
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	if s.networksDisabled {
-		return nil, gstatus.Errorf(codes.Unavailable, errNetworksDisabled)
-	}
-
 	if s.connectClient == nil {
 		return nil, fmt.Errorf("not connected")
 	}
@@ -124,10 +118,6 @@ func (s *Server) SelectNetworks(_ context.Context, req *proto.SelectNetworksRequ
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	if s.networksDisabled {
-		return nil, gstatus.Errorf(codes.Unavailable, errNetworksDisabled)
-	}
-
 	if s.connectClient == nil {
 		return nil, fmt.Errorf("not connected")
 	}
@@ -174,10 +164,6 @@ func (s *Server) DeselectNetworks(_ context.Context, req *proto.SelectNetworksRe
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	if s.networksDisabled {
-		return nil, gstatus.Errorf(codes.Unavailable, errNetworksDisabled)
-	}
-
 	if s.connectClient == nil {
 		return nil, fmt.Errorf("not connected")
 	}

client/server/server.go

@@ -53,7 +53,6 @@ const (
 	errRestoreResidualState   = "failed to restore residual state: %v"
 	errProfilesDisabled       = "profiles are disabled, you cannot use this feature without profiles enabled"
 	errUpdateSettingsDisabled = "update settings are disabled, you cannot use this feature without update settings enabled"
-	errNetworksDisabled       = "network selection is disabled by the administrator"
 )
 
 var ErrServiceNotUp = errors.New("service is not up")
@@ -89,7 +88,6 @@ type Server struct {
 	profileManager         *profilemanager.ServiceManager
 	profilesDisabled       bool
 	updateSettingsDisabled bool
-	networksDisabled       bool
 
 	sleepHandler *sleephandler.SleepHandler
 
@@ -106,7 +104,7 @@ type oauthAuthFlow struct {
 }
 
 // New server instance constructor.
-func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool, updateSettingsDisabled bool, networksDisabled bool) *Server {
+func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool, updateSettingsDisabled bool) *Server {
 	s := &Server{
 		rootCtx:                ctx,
 		logFile:                logFile,
@@ -115,7 +113,6 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 		profileManager:         profilemanager.NewServiceManager(configFile),
 		profilesDisabled:       profilesDisabled,
 		updateSettingsDisabled: updateSettingsDisabled,
-		networksDisabled:       networksDisabled,
 		jwtCache:               newJWTCache(),
 	}
 	agent := &serverAgent{s}
@@ -369,6 +366,7 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 	config.RosenpassPermissive = msg.RosenpassPermissive
 	config.DisableAutoConnect = msg.DisableAutoConnect
 	config.ServerSSHAllowed = msg.ServerSSHAllowed
+	config.ServerVNCAllowed = msg.ServerVNCAllowed
 	config.NetworkMonitor = msg.NetworkMonitor
 	config.DisableClientRoutes = msg.DisableClientRoutes
 	config.DisableServerRoutes = msg.DisableServerRoutes
@@ -385,6 +383,9 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 	if msg.DisableSSHAuth != nil {
 		config.DisableSSHAuth = msg.DisableSSHAuth
 	}
+	if msg.DisableVNCAuth != nil {
+		config.DisableVNCAuth = msg.DisableVNCAuth
+	}
 	if msg.SshJWTCacheTTL != nil {
 		ttl := int(*msg.SshJWTCacheTTL)
 		config.SSHJWTCacheTTL = &ttl
@@ -1123,6 +1124,7 @@ func (s *Server) Status(
 		pbFullStatus := fullStatus.ToProto()
 		pbFullStatus.Events = s.statusRecorder.GetEventHistory()
 		pbFullStatus.SshServerState = s.getSSHServerState()
+		pbFullStatus.VncServerState = s.getVNCServerState()
 		statusResponse.FullStatus = pbFullStatus
 	}
 
@@ -1162,6 +1164,26 @@ func (s *Server) getSSHServerState() *proto.SSHServerState {
 	return sshServerState
 }
 
+// getVNCServerState retrieves the current VNC server state.
+func (s *Server) getVNCServerState() *proto.VNCServerState {
+	s.mutex.Lock()
+	connectClient := s.connectClient
+	s.mutex.Unlock()
+
+	if connectClient == nil {
+		return nil
+	}
+
+	engine := connectClient.Engine()
+	if engine == nil {
+		return nil
+	}
+
+	return &proto.VNCServerState{
+		Enabled: engine.GetVNCServerStatus(),
+	}
+}
+
 // GetPeerSSHHostKey retrieves SSH host key for a specific peer
 func (s *Server) GetPeerSSHHostKey(
 	ctx context.Context,
@@ -1503,6 +1525,11 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		disableSSHAuth = *cfg.DisableSSHAuth
 	}
 
+	disableVNCAuth := false
+	if cfg.DisableVNCAuth != nil {
+		disableVNCAuth = *cfg.DisableVNCAuth
+	}
+
 	sshJWTCacheTTL := int32(0)
 	if cfg.SSHJWTCacheTTL != nil {
 		sshJWTCacheTTL = int32(*cfg.SSHJWTCacheTTL)
@@ -1517,6 +1544,7 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		Mtu:                           int64(cfg.MTU),
 		DisableAutoConnect:            cfg.DisableAutoConnect,
 		ServerSSHAllowed:              *cfg.ServerSSHAllowed,
+		ServerVNCAllowed:              cfg.ServerVNCAllowed != nil && *cfg.ServerVNCAllowed,
 		RosenpassEnabled:              cfg.RosenpassEnabled,
 		RosenpassPermissive:           cfg.RosenpassPermissive,
 		LazyConnectionEnabled:         cfg.LazyConnectionEnabled,
@@ -1532,6 +1560,7 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		EnableSSHLocalPortForwarding:  enableSSHLocalPortForwarding,
 		EnableSSHRemotePortForwarding: enableSSHRemotePortForwarding,
 		DisableSSHAuth:                disableSSHAuth,
+		DisableVNCAuth:                disableVNCAuth,
 		SshJWTCacheTTL:                sshJWTCacheTTL,
 	}, nil
 }
@@ -1631,7 +1660,6 @@ func (s *Server) GetFeatures(ctx context.Context, msg *proto.GetFeaturesRequest)
 	features := &proto.GetFeaturesResponse{
 		DisableProfiles:       s.checkProfilesDisabled(),
 		DisableUpdateSettings: s.checkUpdateSettingsDisabled(),
-		DisableNetworks:       s.networksDisabled,
 	}
 
 	return features, nil

client/server/server_test.go

@@ -36,7 +36,6 @@ import (
 	daemonProto "github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
-	nbcache "github.com/netbirdio/netbird/management/server/cache"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
@@ -104,7 +103,7 @@ func TestConnectWithRetryRuns(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "debug", "", false, false, false)
+	s := New(ctx, "debug", "", false, false)
 
 	s.config = config
 
@@ -165,7 +164,7 @@ func TestServer_Up(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "console", "", false, false, false)
+	s := New(ctx, "console", "", false, false)
 	err = s.Start()
 	require.NoError(t, err)
 
@@ -235,7 +234,7 @@ func TestServer_SubcribeEvents(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "console", "", false, false, false)
+	s := New(ctx, "console", "", false, false)
 
 	err = s.Start()
 	require.NoError(t, err)
@@ -310,12 +309,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 
 	jobManager := job.NewJobManager(nil, store, peersManager)
 
-	cacheStore, err := nbcache.NewStore(context.Background(), 100*time.Millisecond, 300*time.Millisecond, 100)
-	if err != nil {
-		return nil, "", err
-	}
-
-	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, settingsManagerMock, eventStore, cacheStore)
+	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, settingsManagerMock, eventStore)
 
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
@@ -326,7 +320,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	requestBuffer := server.NewAccountRequestBuffer(context.Background(), store)
 	peersUpdateManager := update_channel.NewPeersUpdateManager(metrics)
 	networkMapController := controller.NewController(context.Background(), store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersManager), config)
-	accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false, cacheStore)
+	accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		return nil, "", err
 	}

client/server/setconfig_test.go

@@ -53,11 +53,13 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	require.NoError(t, err)
 
 	ctx := context.Background()
-	s := New(ctx, "console", "", false, false, false)
+	s := New(ctx, "console", "", false, false)
 
 	rosenpassEnabled := true
 	rosenpassPermissive := true
 	serverSSHAllowed := true
+	serverVNCAllowed := true
+	disableVNCAuth := true
 	interfaceName := "utun100"
 	wireguardPort := int64(51820)
 	preSharedKey := "test-psk"
@@ -82,6 +84,8 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 		RosenpassEnabled:      &rosenpassEnabled,
 		RosenpassPermissive:   &rosenpassPermissive,
 		ServerSSHAllowed:      &serverSSHAllowed,
+		ServerVNCAllowed:      &serverVNCAllowed,
+		DisableVNCAuth:        &disableVNCAuth,
 		InterfaceName:         &interfaceName,
 		WireguardPort:         &wireguardPort,
 		OptionalPreSharedKey:  &preSharedKey,
@@ -125,6 +129,10 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	require.Equal(t, rosenpassPermissive, cfg.RosenpassPermissive)
 	require.NotNil(t, cfg.ServerSSHAllowed)
 	require.Equal(t, serverSSHAllowed, *cfg.ServerSSHAllowed)
+	require.NotNil(t, cfg.ServerVNCAllowed)
+	require.Equal(t, serverVNCAllowed, *cfg.ServerVNCAllowed)
+	require.NotNil(t, cfg.DisableVNCAuth)
+	require.Equal(t, disableVNCAuth, *cfg.DisableVNCAuth)
 	require.Equal(t, interfaceName, cfg.WgIface)
 	require.Equal(t, int(wireguardPort), cfg.WgPort)
 	require.Equal(t, preSharedKey, cfg.PreSharedKey)
@@ -176,6 +184,8 @@ func verifyAllFieldsCovered(t *testing.T, req *proto.SetConfigRequest) {
 		"RosenpassEnabled":              true,
 		"RosenpassPermissive":           true,
 		"ServerSSHAllowed":              true,
+		"ServerVNCAllowed":              true,
+		"DisableVNCAuth":                true,
 		"InterfaceName":                 true,
 		"WireguardPort":                 true,
 		"OptionalPreSharedKey":          true,
@@ -236,6 +246,8 @@ func TestCLIFlags_MappedToSetConfig(t *testing.T) {
 		"enable-rosenpass":                  "RosenpassEnabled",
 		"rosenpass-permissive":              "RosenpassPermissive",
 		"allow-server-ssh":                  "ServerSSHAllowed",
+		"allow-server-vnc":                  "ServerVNCAllowed",
+		"disable-vnc-auth":                  "DisableVNCAuth",
 		"interface-name":                    "InterfaceName",
 		"wireguard-port":                    "WireguardPort",
 		"preshared-key":                     "OptionalPreSharedKey",

client/ssh/server/executor_windows.go

@@ -200,8 +200,8 @@ func newLsaString(s string) lsaString {
 	}
 }
 
-// generateS4UUserToken creates a Windows token using S4U authentication
-// This is the exact approach OpenSSH for Windows uses for public key authentication
+// generateS4UUserToken creates a Windows token using S4U authentication.
+// This is the same approach OpenSSH for Windows uses for public key authentication.
 func generateS4UUserToken(logger *log.Entry, username, domain string) (windows.Handle, error) {
 	userCpn := buildUserCpn(username, domain)
 

client/ssh/server/server.go

@@ -507,27 +507,7 @@ func (s *Server) checkTokenAge(token *gojwt.Token, jwtConfig *JWTConfig) error {
 		maxTokenAge = DefaultJWTMaxTokenAge
 	}
 
-	claims, ok := token.Claims.(gojwt.MapClaims)
-	if !ok {
-		userID := extractUserID(token)
-		return fmt.Errorf("token has invalid claims format (user=%s)", userID)
-	}
-
-	iat, ok := claims["iat"].(float64)
-	if !ok {
-		userID := extractUserID(token)
-		return fmt.Errorf("token missing iat claim (user=%s)", userID)
-	}
-
-	issuedAt := time.Unix(int64(iat), 0)
-	tokenAge := time.Since(issuedAt)
-	maxAge := time.Duration(maxTokenAge) * time.Second
-	if tokenAge > maxAge {
-		userID := getUserIDFromClaims(claims)
-		return fmt.Errorf("token expired for user=%s: age=%v, max=%v", userID, tokenAge, maxAge)
-	}
-
-	return nil
+	return jwt.CheckTokenAge(token, time.Duration(maxTokenAge)*time.Second)
 }
 
 func (s *Server) extractAndValidateUser(token *gojwt.Token) (*auth.UserAuth, error) {
@@ -558,27 +538,7 @@ func (s *Server) hasSSHAccess(userAuth *auth.UserAuth) bool {
 }
 
 func extractUserID(token *gojwt.Token) string {
-	if token == nil {
-		return "unknown"
-	}
-	claims, ok := token.Claims.(gojwt.MapClaims)
-	if !ok {
-		return "unknown"
-	}
-	return getUserIDFromClaims(claims)
-}
-
-func getUserIDFromClaims(claims gojwt.MapClaims) string {
-	if sub, ok := claims["sub"].(string); ok && sub != "" {
-		return sub
-	}
-	if userID, ok := claims["user_id"].(string); ok && userID != "" {
-		return userID
-	}
-	if email, ok := claims["email"].(string); ok && email != "" {
-		return email
-	}
-	return "unknown"
+	return jwt.UserIDFromToken(token)
 }
 
 func (s *Server) parseTokenWithoutValidation(tokenString string) (map[string]interface{}, error) {

client/status/status.go

@@ -130,6 +130,10 @@ type SSHServerStateOutput struct {
 	Sessions []SSHSessionOutput `json:"sessions" yaml:"sessions"`
 }
 
+type VNCServerStateOutput struct {
+	Enabled bool `json:"enabled" yaml:"enabled"`
+}
+
 type OutputOverview struct {
 	Peers                   PeersStateOutput           `json:"peers" yaml:"peers"`
 	CliVersion              string                     `json:"cliVersion" yaml:"cliVersion"`
@@ -151,6 +155,7 @@ type OutputOverview struct {
 	LazyConnectionEnabled   bool                       `json:"lazyConnectionEnabled" yaml:"lazyConnectionEnabled"`
 	ProfileName             string                     `json:"profileName" yaml:"profileName"`
 	SSHServerState          SSHServerStateOutput       `json:"sshServer" yaml:"sshServer"`
+	VNCServerState          VNCServerStateOutput       `json:"vncServer" yaml:"vncServer"`
 }
 
 // ConvertToStatusOutputOverview converts protobuf status to the output overview.
@@ -171,6 +176,9 @@ func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, opts ConvertO
 
 	relayOverview := mapRelays(pbFullStatus.GetRelays())
 	sshServerOverview := mapSSHServer(pbFullStatus.GetSshServerState())
+	vncServerOverview := VNCServerStateOutput{
+		Enabled: pbFullStatus.GetVncServerState().GetEnabled(),
+	}
 	peersOverview := mapPeers(pbFullStatus.GetPeers(), opts.StatusFilter, opts.PrefixNamesFilter, opts.PrefixNamesFilterMap, opts.IPsFilter, opts.ConnectionTypeFilter)
 
 	overview := OutputOverview{
@@ -194,6 +202,7 @@ func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, opts ConvertO
 		LazyConnectionEnabled:   pbFullStatus.GetLazyConnectionEnabled(),
 		ProfileName:             opts.ProfileName,
 		SSHServerState:          sshServerOverview,
+		VNCServerState:          vncServerOverview,
 	}
 
 	if opts.Anonymize {
@@ -524,6 +533,11 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 		}
 	}
 
+	vncServerStatus := "Disabled"
+	if o.VNCServerState.Enabled {
+		vncServerStatus = "Enabled"
+	}
+
 	peersCountString := fmt.Sprintf("%d/%d Connected", o.Peers.Connected, o.Peers.Total)
 
 	var forwardingRulesString string
@@ -553,6 +567,7 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 			"Quantum resistance: %s\n"+
 			"Lazy connection: %s\n"+
 			"SSH Server: %s\n"+
+			"VNC Server: %s\n"+
 			"Networks: %s\n"+
 			"%s"+
 			"Peers count: %s\n",
@@ -570,6 +585,7 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 		rosenpassEnabledStatus,
 		lazyConnectionEnabledStatus,
 		sshServerStatus,
+		vncServerStatus,
 		networks,
 		forwardingRulesString,
 		peersCountString,

client/status/status_test.go

@@ -398,6 +398,9 @@ func TestParsingToJSON(t *testing.T) {
 		  "sshServer":{
 		    "enabled":false,
 			"sessions":[]
+		  },
+		  "vncServer":{
+		    "enabled":false
 		  }
         }`
 	// @formatter:on
@@ -505,6 +508,8 @@ profileName: ""
 sshServer:
     enabled: false
     sessions: []
+vncServer:
+    enabled: false
 `
 
 	assert.Equal(t, expectedYAML, yaml)
@@ -572,6 +577,7 @@ Interface type: Kernel
 Quantum resistance: false
 Lazy connection: false
 SSH Server: Disabled
+VNC Server: Disabled
 Networks: 10.10.0.0/24
 Peers count: 2/2 Connected
 `, lastConnectionUpdate1, lastHandshake1, lastConnectionUpdate2, lastHandshake2, runtime.GOOS, runtime.GOARCH, overview.CliVersion)
@@ -596,6 +602,7 @@ Interface type: Kernel
 Quantum resistance: false
 Lazy connection: false
 SSH Server: Disabled
+VNC Server: Disabled
 Networks: 10.10.0.0/24
 Peers count: 2/2 Connected
 `

client/system/info.go

@@ -63,6 +63,7 @@ type Info struct {
 	RosenpassEnabled    bool
 	RosenpassPermissive bool
 	ServerSSHAllowed    bool
+	ServerVNCAllowed    bool
 
 	DisableClientRoutes bool
 	DisableServerRoutes bool
@@ -78,21 +79,27 @@ type Info struct {
 	EnableSSHLocalPortForwarding  bool
 	EnableSSHRemotePortForwarding bool
 	DisableSSHAuth                bool
+	DisableVNCAuth                bool
 }
 
 func (i *Info) SetFlags(
 	rosenpassEnabled, rosenpassPermissive bool,
 	serverSSHAllowed *bool,
+	serverVNCAllowed *bool,
 	disableClientRoutes, disableServerRoutes,
 	disableDNS, disableFirewall, blockLANAccess, blockInbound, lazyConnectionEnabled bool,
 	enableSSHRoot, enableSSHSFTP, enableSSHLocalPortForwarding, enableSSHRemotePortForwarding *bool,
 	disableSSHAuth *bool,
+	disableVNCAuth *bool,
 ) {
 	i.RosenpassEnabled = rosenpassEnabled
 	i.RosenpassPermissive = rosenpassPermissive
 	if serverSSHAllowed != nil {
 		i.ServerSSHAllowed = *serverSSHAllowed
 	}
+	if serverVNCAllowed != nil {
+		i.ServerVNCAllowed = *serverVNCAllowed
+	}
 
 	i.DisableClientRoutes = disableClientRoutes
 	i.DisableServerRoutes = disableServerRoutes
@@ -118,6 +125,9 @@ func (i *Info) SetFlags(
 	if disableSSHAuth != nil {
 		i.DisableSSHAuth = *disableSSHAuth
 	}
+	if disableVNCAuth != nil {
+		i.DisableVNCAuth = *disableVNCAuth
+	}
 }
 
 // extractUserAgent extracts Netbird's agent (client) name and version from the outgoing context

client/system/info_ios.go

@@ -4,12 +4,10 @@ import (
 	"context"
 	"runtime"
 
-	log "github.com/sirupsen/logrus"
-
 	"github.com/netbirdio/netbird/version"
 )
 
-// UpdateStaticInfoAsync is a no-op on iOS as there is no static info to update
+// UpdateStaticInfoAsync is a no-op on Android as there is no static info to update
 func UpdateStaticInfoAsync() {
 	// do nothing
 }
@@ -17,24 +15,11 @@ func UpdateStaticInfoAsync() {
 // GetInfo retrieves and parses the system information
 func GetInfo(ctx context.Context) *Info {
 
+	// Convert fixed-size byte arrays to Go strings
 	sysName := extractOsName(ctx, "sysName")
 	swVersion := extractOsVersion(ctx, "swVersion")
 
-	addrs, err := networkAddresses()
-	if err != nil {
-		log.Warnf("failed to discover network addresses: %s", err)
-	}
-
-	gio := &Info{
-		Kernel:           sysName,
-		OSVersion:        swVersion,
-		Platform:         "unknown",
-		OS:               sysName,
-		GoOS:             runtime.GOOS,
-		CPUs:             runtime.NumCPU(),
-		KernelVersion:    swVersion,
-		NetworkAddresses: addrs,
-	}
+	gio := &Info{Kernel: sysName, OSVersion: swVersion, Platform: "unknown", OS: sysName, GoOS: runtime.GOOS, CPUs: runtime.NumCPU(), KernelVersion: swVersion}
 	gio.Hostname = extractDeviceName(ctx, "hostname")
 	gio.NetbirdVersion = version.NetbirdVersion()
 	gio.UIVersion = extractUserAgent(ctx)

client/ui/client_ui.go

@@ -314,7 +314,6 @@ type serviceClient struct {
 	lastNotifiedVersion  string
 	settingsEnabled      bool
 	profilesEnabled      bool
-	networksEnabled      bool
 	showNetworks         bool
 	wNetworks            fyne.Window
 	wProfiles            fyne.Window
@@ -369,7 +368,6 @@ func newServiceClient(args *newServiceClientArgs) *serviceClient {
 
 		showAdvancedSettings: args.showSettings,
 		showNetworks:         args.showNetworks,
-		networksEnabled:      true,
 	}
 
 	s.eventHandler = newEventHandler(s)
@@ -922,10 +920,8 @@ func (s *serviceClient) updateStatus() error {
 			s.mStatus.SetIcon(s.icConnectedDot)
 			s.mUp.Disable()
 			s.mDown.Enable()
-			if s.networksEnabled {
-				s.mNetworks.Enable()
-				s.mExitNode.Enable()
-			}
+			s.mNetworks.Enable()
+			s.mExitNode.Enable()
 			s.startExitNodeRefresh()
 			systrayIconState = true
 		case status.Status == string(internal.StatusConnecting):
@@ -1097,14 +1093,14 @@ func (s *serviceClient) onTrayReady() {
 		s.getSrvConfig()
 		time.Sleep(100 * time.Millisecond) // To prevent race condition caused by systray not being fully initialized and ignoring setIcon
 		for {
-			// Check features before status so menus respect disable flags before being enabled
-			s.checkAndUpdateFeatures()
-
 			err := s.updateStatus()
 			if err != nil {
 				log.Errorf("error while updating status: %v", err)
 			}
 
+			// Check features periodically to handle daemon restarts
+			s.checkAndUpdateFeatures()
+
 			time.Sleep(2 * time.Second)
 		}
 	}()
@@ -1303,16 +1299,6 @@ func (s *serviceClient) checkAndUpdateFeatures() {
 			s.mProfile.setEnabled(profilesEnabled)
 		}
 	}
-
-	// Update networks and exit node menus based on current features
-	s.networksEnabled = features == nil || !features.DisableNetworks
-	if s.networksEnabled && s.connected {
-		s.mNetworks.Enable()
-		s.mExitNode.Enable()
-	} else {
-		s.mNetworks.Disable()
-		s.mExitNode.Disable()
-	}
 }
 
 // getFeatures from the daemon to determine which features are enabled/disabled.

client/vnc/server/agent_windows.go

@@ -0,0 +1,474 @@
+//go:build windows
+
+package server
+
+import (
+	crand "crypto/rand"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"sync"
+	"time"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+const (
+	agentPort = "15900"
+
+	// agentTokenLen is the length of the random authentication token
+	// used to verify that connections to the agent come from the service.
+	agentTokenLen = 32
+
+	stillActive = 259
+
+	tokenPrimary          = 1
+	securityImpersonation = 2
+	tokenSessionID        = 12
+
+	createUnicodeEnvironment = 0x00000400
+	createNoWindow           = 0x08000000
+)
+
+var (
+	kernel32 = windows.NewLazySystemDLL("kernel32.dll")
+	advapi32 = windows.NewLazySystemDLL("advapi32.dll")
+	userenv  = windows.NewLazySystemDLL("userenv.dll")
+
+	procWTSGetActiveConsoleSessionId = kernel32.NewProc("WTSGetActiveConsoleSessionId")
+	procSetTokenInformation          = advapi32.NewProc("SetTokenInformation")
+	procCreateEnvironmentBlock       = userenv.NewProc("CreateEnvironmentBlock")
+	procDestroyEnvironmentBlock      = userenv.NewProc("DestroyEnvironmentBlock")
+
+	wtsapi32                  = windows.NewLazySystemDLL("wtsapi32.dll")
+	procWTSEnumerateSessionsW = wtsapi32.NewProc("WTSEnumerateSessionsW")
+	procWTSFreeMemory         = wtsapi32.NewProc("WTSFreeMemory")
+)
+
+// GetCurrentSessionID returns the session ID of the current process.
+func GetCurrentSessionID() uint32 {
+	var token windows.Token
+	if err := windows.OpenProcessToken(windows.CurrentProcess(),
+		windows.TOKEN_QUERY, &token); err != nil {
+		return 0
+	}
+	defer token.Close()
+	var id uint32
+	var ret uint32
+	_ = windows.GetTokenInformation(token, windows.TokenSessionId,
+		(*byte)(unsafe.Pointer(&id)), 4, &ret)
+	return id
+}
+
+func getConsoleSessionID() uint32 {
+	r, _, _ := procWTSGetActiveConsoleSessionId.Call()
+	return uint32(r)
+}
+
+const (
+	wtsActive       = 0
+	wtsConnected    = 1
+	wtsDisconnected = 4
+)
+
+type wtsSessionInfo struct {
+	SessionID      uint32
+	WinStationName [66]byte // actually *uint16, but we just need the struct size
+	State          uint32
+}
+
+// getActiveSessionID returns the session ID of the best session to attach to.
+// Prefers an active (logged-in, interactive) session over the console session.
+// This avoids kicking out an RDP user when the console is at the login screen.
+func getActiveSessionID() uint32 {
+	var sessionInfo uintptr
+	var count uint32
+
+	r, _, _ := procWTSEnumerateSessionsW.Call(
+		0, // WTS_CURRENT_SERVER_HANDLE
+		0, // reserved
+		1, // version
+		uintptr(unsafe.Pointer(&sessionInfo)),
+		uintptr(unsafe.Pointer(&count)),
+	)
+	if r == 0 || count == 0 {
+		return getConsoleSessionID()
+	}
+	defer procWTSFreeMemory.Call(sessionInfo)
+
+	type wtsSession struct {
+		SessionID uint32
+		Station   *uint16
+		State     uint32
+	}
+	sessions := unsafe.Slice((*wtsSession)(unsafe.Pointer(sessionInfo)), count)
+
+	// Find the first active session (not session 0, which is the services session).
+	var bestID uint32
+	found := false
+	for _, s := range sessions {
+		if s.SessionID == 0 {
+			continue
+		}
+		if s.State == wtsActive {
+			bestID = s.SessionID
+			found = true
+			break
+		}
+	}
+
+	if !found {
+		return getConsoleSessionID()
+	}
+	return bestID
+}
+
+// getSystemTokenForSession duplicates the current SYSTEM token and sets its
+// session ID so the spawned process runs in the target session. Using a SYSTEM
+// token gives access to both Default and Winlogon desktops plus UIPI bypass.
+func getSystemTokenForSession(sessionID uint32) (windows.Token, error) {
+	var cur windows.Token
+	if err := windows.OpenProcessToken(windows.CurrentProcess(),
+		windows.MAXIMUM_ALLOWED, &cur); err != nil {
+		return 0, fmt.Errorf("OpenProcessToken: %w", err)
+	}
+	defer cur.Close()
+
+	var dup windows.Token
+	if err := windows.DuplicateTokenEx(cur, windows.MAXIMUM_ALLOWED, nil,
+		securityImpersonation, tokenPrimary, &dup); err != nil {
+		return 0, fmt.Errorf("DuplicateTokenEx: %w", err)
+	}
+
+	sid := sessionID
+	r, _, err := procSetTokenInformation.Call(
+		uintptr(dup),
+		uintptr(tokenSessionID),
+		uintptr(unsafe.Pointer(&sid)),
+		unsafe.Sizeof(sid),
+	)
+	if r == 0 {
+		dup.Close()
+		return 0, fmt.Errorf("SetTokenInformation(SessionId=%d): %w", sessionID, err)
+	}
+	return dup, nil
+}
+
+const agentTokenEnvVar = "NB_VNC_AGENT_TOKEN"
+
+// injectEnvVar appends a KEY=VALUE entry to a Unicode environment block.
+// The block is a sequence of null-terminated UTF-16 strings, terminated by
+// an extra null. Returns a new block pointer with the entry added.
+func injectEnvVar(envBlock uintptr, key, value string) uintptr {
+	entry := key + "=" + value
+
+	// Walk the existing block to find its total length.
+	ptr := (*uint16)(unsafe.Pointer(envBlock))
+	var totalChars int
+	for {
+		ch := *(*uint16)(unsafe.Pointer(uintptr(unsafe.Pointer(ptr)) + uintptr(totalChars)*2))
+		if ch == 0 {
+			// Check for double-null terminator.
+			next := *(*uint16)(unsafe.Pointer(uintptr(unsafe.Pointer(ptr)) + uintptr(totalChars+1)*2))
+			totalChars++
+			if next == 0 {
+				// End of block (don't count the final null yet, we'll rebuild).
+				break
+			}
+		} else {
+			totalChars++
+		}
+	}
+
+	entryUTF16, _ := windows.UTF16FromString(entry)
+	// New block: existing entries + new entry (null-terminated) + final null.
+	newLen := totalChars + len(entryUTF16) + 1
+	newBlock := make([]uint16, newLen)
+	// Copy existing entries (up to but not including the final null).
+	for i := range totalChars {
+		newBlock[i] = *(*uint16)(unsafe.Pointer(uintptr(unsafe.Pointer(ptr)) + uintptr(i)*2))
+	}
+	copy(newBlock[totalChars:], entryUTF16)
+	newBlock[newLen-1] = 0 // final null terminator
+
+	return uintptr(unsafe.Pointer(&newBlock[0]))
+}
+
+func spawnAgentInSession(sessionID uint32, port string, authToken string) (windows.Handle, error) {
+	token, err := getSystemTokenForSession(sessionID)
+	if err != nil {
+		return 0, fmt.Errorf("get SYSTEM token for session %d: %w", sessionID, err)
+	}
+	defer token.Close()
+
+	var envBlock uintptr
+	r, _, _ := procCreateEnvironmentBlock.Call(
+		uintptr(unsafe.Pointer(&envBlock)),
+		uintptr(token),
+		0,
+	)
+	if r != 0 {
+		defer procDestroyEnvironmentBlock.Call(envBlock)
+	}
+
+	// Inject the auth token into the environment block so it doesn't appear
+	// in the process command line (visible via tasklist/wmic).
+	if r != 0 {
+		envBlock = injectEnvVar(envBlock, agentTokenEnvVar, authToken)
+	}
+
+	exePath, err := os.Executable()
+	if err != nil {
+		return 0, fmt.Errorf("get executable path: %w", err)
+	}
+
+	cmdLine := fmt.Sprintf(`"%s" vnc-agent --port %s`, exePath, port)
+	cmdLineW, err := windows.UTF16PtrFromString(cmdLine)
+	if err != nil {
+		return 0, fmt.Errorf("UTF16 cmdline: %w", err)
+	}
+
+	// Create an inheritable pipe for the agent's stderr so we can relog
+	// its output in the service process.
+	var sa windows.SecurityAttributes
+	sa.Length = uint32(unsafe.Sizeof(sa))
+	sa.InheritHandle = 1
+
+	var stderrRead, stderrWrite windows.Handle
+	if err := windows.CreatePipe(&stderrRead, &stderrWrite, &sa, 0); err != nil {
+		return 0, fmt.Errorf("create stderr pipe: %w", err)
+	}
+	// The read end must NOT be inherited by the child.
+	windows.SetHandleInformation(stderrRead, windows.HANDLE_FLAG_INHERIT, 0)
+
+	desktop, _ := windows.UTF16PtrFromString(`WinSta0\Default`)
+	si := windows.StartupInfo{
+		Cb:         uint32(unsafe.Sizeof(windows.StartupInfo{})),
+		Desktop:    desktop,
+		Flags:      windows.STARTF_USESHOWWINDOW | windows.STARTF_USESTDHANDLES,
+		ShowWindow: 0,
+		StdErr:     stderrWrite,
+		StdOutput:  stderrWrite,
+	}
+	var pi windows.ProcessInformation
+
+	var envPtr *uint16
+	if envBlock != 0 {
+		envPtr = (*uint16)(unsafe.Pointer(envBlock))
+	}
+
+	err = windows.CreateProcessAsUser(
+		token, nil, cmdLineW,
+		nil, nil, true, // inheritHandles=true for the pipe
+		createUnicodeEnvironment|createNoWindow,
+		envPtr, nil, &si, &pi,
+	)
+	// Close the write end in the parent so reads will get EOF when the child exits.
+	windows.CloseHandle(stderrWrite)
+	if err != nil {
+		windows.CloseHandle(stderrRead)
+		return 0, fmt.Errorf("CreateProcessAsUser: %w", err)
+	}
+	windows.CloseHandle(pi.Thread)
+
+	// Relog agent output in the service with a [vnc-agent] prefix.
+	go relogAgentOutput(stderrRead)
+
+	log.Infof("spawned agent PID=%d in session %d on port %s", pi.ProcessId, sessionID, port)
+	return pi.Process, nil
+}
+
+// sessionManager monitors the active console session and ensures a VNC agent
+// process is running in it. When the session changes (e.g., user switch, RDP
+// connect/disconnect), it kills the old agent and spawns a new one.
+type sessionManager struct {
+	port      string
+	mu        sync.Mutex
+	agentProc windows.Handle
+	sessionID uint32
+	authToken string
+	done      chan struct{}
+}
+
+func newSessionManager(port string) *sessionManager {
+	return &sessionManager{port: port, sessionID: ^uint32(0), done: make(chan struct{})}
+}
+
+// generateAuthToken creates a new random hex token for agent authentication.
+func generateAuthToken() string {
+	b := make([]byte, agentTokenLen)
+	if _, err := crand.Read(b); err != nil {
+		log.Warnf("generate agent auth token: %v", err)
+		return ""
+	}
+	return hex.EncodeToString(b)
+}
+
+// AuthToken returns the current agent authentication token.
+func (m *sessionManager) AuthToken() string {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.authToken
+}
+
+// Stop signals the session manager to exit its polling loop.
+func (m *sessionManager) Stop() {
+	select {
+	case <-m.done:
+	default:
+		close(m.done)
+	}
+}
+
+func (m *sessionManager) run() {
+	ticker := time.NewTicker(2 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		sid := getActiveSessionID()
+
+		m.mu.Lock()
+		if sid != m.sessionID {
+			log.Infof("active session changed: %d -> %d", m.sessionID, sid)
+			m.killAgent()
+			m.sessionID = sid
+		}
+
+		if m.agentProc != 0 {
+			var code uint32
+			_ = windows.GetExitCodeProcess(m.agentProc, &code)
+			if code != stillActive {
+				log.Infof("agent exited (code=%d), respawning", code)
+				windows.CloseHandle(m.agentProc)
+				m.agentProc = 0
+			}
+		}
+
+		if m.agentProc == 0 && sid != 0xFFFFFFFF {
+			m.authToken = generateAuthToken()
+			h, err := spawnAgentInSession(sid, m.port, m.authToken)
+			if err != nil {
+				log.Warnf("spawn agent in session %d: %v", sid, err)
+				m.authToken = ""
+			} else {
+				m.agentProc = h
+			}
+		}
+		m.mu.Unlock()
+
+		select {
+		case <-m.done:
+			m.mu.Lock()
+			m.killAgent()
+			m.mu.Unlock()
+			return
+		case <-ticker.C:
+		}
+	}
+}
+
+func (m *sessionManager) killAgent() {
+	if m.agentProc != 0 {
+		_ = windows.TerminateProcess(m.agentProc, 0)
+		windows.CloseHandle(m.agentProc)
+		m.agentProc = 0
+		log.Info("killed old agent")
+	}
+}
+
+// relogAgentOutput reads JSON log lines from the agent's stderr pipe and
+// relogs them at the correct level with the service's formatter.
+func relogAgentOutput(pipe windows.Handle) {
+	defer windows.CloseHandle(pipe)
+	f := os.NewFile(uintptr(pipe), "vnc-agent-stderr")
+	defer f.Close()
+
+	entry := log.WithField("component", "vnc-agent")
+	dec := json.NewDecoder(f)
+	for dec.More() {
+		var m map[string]any
+		if err := dec.Decode(&m); err != nil {
+			break
+		}
+		msg, _ := m["msg"].(string)
+		if msg == "" {
+			continue
+		}
+
+		// Forward extra fields from the agent (skip standard logrus fields).
+		// Remap "caller" to "source" so it doesn't conflict with logrus internals
+		// but still shows the original file/line from the agent process.
+		fields := make(log.Fields)
+		for k, v := range m {
+			switch k {
+			case "msg", "level", "time", "func":
+				continue
+			case "caller":
+				fields["source"] = v
+			default:
+				fields[k] = v
+			}
+		}
+		e := entry.WithFields(fields)
+
+		switch m["level"] {
+		case "error":
+			e.Error(msg)
+		case "warning":
+			e.Warn(msg)
+		case "debug":
+			e.Debug(msg)
+		case "trace":
+			e.Trace(msg)
+		default:
+			e.Info(msg)
+		}
+	}
+}
+
+// proxyToAgent connects to the agent, sends the auth token, then proxies
+// the VNC client connection bidirectionally.
+func proxyToAgent(client net.Conn, port string, authToken string) {
+	defer client.Close()
+
+	addr := "127.0.0.1:" + port
+	var agentConn net.Conn
+	var err error
+	for range 50 {
+		agentConn, err = net.DialTimeout("tcp", addr, time.Second)
+		if err == nil {
+			break
+		}
+		time.Sleep(200 * time.Millisecond)
+	}
+	if err != nil {
+		log.Warnf("proxy cannot reach agent at %s: %v", addr, err)
+		return
+	}
+	defer agentConn.Close()
+
+	// Send the auth token so the agent can verify this connection
+	// comes from the trusted service process.
+	tokenBytes, _ := hex.DecodeString(authToken)
+	if _, err := agentConn.Write(tokenBytes); err != nil {
+		log.Warnf("send auth token to agent: %v", err)
+		return
+	}
+
+	log.Debugf("proxy connected to agent, starting bidirectional copy")
+
+	done := make(chan struct{}, 2)
+	cp := func(label string, dst, src net.Conn) {
+		n, err := io.Copy(dst, src)
+		log.Debugf("proxy %s: %d bytes, err=%v", label, n, err)
+		done <- struct{}{}
+	}
+	go cp("client→agent", agentConn, client)
+	go cp("agent→client", client, agentConn)
+	<-done
+}

client/vnc/server/capture_darwin.go

@@ -0,0 +1,274 @@
+//go:build darwin && !ios
+
+package server
+
+import (
+	"fmt"
+	"image"
+	"sync"
+	"time"
+	"unsafe"
+
+	"github.com/ebitengine/purego"
+	log "github.com/sirupsen/logrus"
+)
+
+var darwinCaptureOnce sync.Once
+
+var (
+	cgMainDisplayID                func() uint32
+	cgDisplayPixelsWide            func(uint32) uintptr
+	cgDisplayPixelsHigh            func(uint32) uintptr
+	cgDisplayCreateImage           func(uint32) uintptr
+	cgImageGetWidth                func(uintptr) uintptr
+	cgImageGetHeight               func(uintptr) uintptr
+	cgImageGetBytesPerRow          func(uintptr) uintptr
+	cgImageGetBitsPerPixel         func(uintptr) uintptr
+	cgImageGetDataProvider         func(uintptr) uintptr
+	cgDataProviderCopyData         func(uintptr) uintptr
+	cgImageRelease                 func(uintptr)
+	cfDataGetLength                func(uintptr) int64
+	cfDataGetBytePtr               func(uintptr) uintptr
+	cfRelease                      func(uintptr)
+	cgPreflightScreenCaptureAccess func() bool
+	cgRequestScreenCaptureAccess   func() bool
+	darwinCaptureReady             bool
+)
+
+func initDarwinCapture() {
+	darwinCaptureOnce.Do(func() {
+		cg, err := purego.Dlopen("/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics", purego.RTLD_NOW|purego.RTLD_GLOBAL)
+		if err != nil {
+			log.Debugf("load CoreGraphics: %v", err)
+			return
+		}
+		cf, err := purego.Dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", purego.RTLD_NOW|purego.RTLD_GLOBAL)
+		if err != nil {
+			log.Debugf("load CoreFoundation: %v", err)
+			return
+		}
+
+		purego.RegisterLibFunc(&cgMainDisplayID, cg, "CGMainDisplayID")
+		purego.RegisterLibFunc(&cgDisplayPixelsWide, cg, "CGDisplayPixelsWide")
+		purego.RegisterLibFunc(&cgDisplayPixelsHigh, cg, "CGDisplayPixelsHigh")
+		purego.RegisterLibFunc(&cgDisplayCreateImage, cg, "CGDisplayCreateImage")
+		purego.RegisterLibFunc(&cgImageGetWidth, cg, "CGImageGetWidth")
+		purego.RegisterLibFunc(&cgImageGetHeight, cg, "CGImageGetHeight")
+		purego.RegisterLibFunc(&cgImageGetBytesPerRow, cg, "CGImageGetBytesPerRow")
+		purego.RegisterLibFunc(&cgImageGetBitsPerPixel, cg, "CGImageGetBitsPerPixel")
+		purego.RegisterLibFunc(&cgImageGetDataProvider, cg, "CGImageGetDataProvider")
+		purego.RegisterLibFunc(&cgDataProviderCopyData, cg, "CGDataProviderCopyData")
+		purego.RegisterLibFunc(&cgImageRelease, cg, "CGImageRelease")
+		purego.RegisterLibFunc(&cfDataGetLength, cf, "CFDataGetLength")
+		purego.RegisterLibFunc(&cfDataGetBytePtr, cf, "CFDataGetBytePtr")
+		purego.RegisterLibFunc(&cfRelease, cf, "CFRelease")
+
+		// Screen capture permission APIs (macOS 11+). Might not exist on older versions.
+		if sym, err := purego.Dlsym(cg, "CGPreflightScreenCaptureAccess"); err == nil {
+			purego.RegisterFunc(&cgPreflightScreenCaptureAccess, sym)
+		}
+		if sym, err := purego.Dlsym(cg, "CGRequestScreenCaptureAccess"); err == nil {
+			purego.RegisterFunc(&cgRequestScreenCaptureAccess, sym)
+		}
+
+		darwinCaptureReady = true
+	})
+}
+
+// CGCapturer captures the macOS main display using Core Graphics.
+type CGCapturer struct {
+	displayID uint32
+	w, h      int
+}
+
+// NewCGCapturer creates a screen capturer for the main display.
+func NewCGCapturer() (*CGCapturer, error) {
+	initDarwinCapture()
+	if !darwinCaptureReady {
+		return nil, fmt.Errorf("CoreGraphics not available")
+	}
+
+	// Request Screen Recording permission (shows system dialog on macOS 11+).
+	if cgPreflightScreenCaptureAccess != nil && !cgPreflightScreenCaptureAccess() {
+		if cgRequestScreenCaptureAccess != nil {
+			cgRequestScreenCaptureAccess()
+		}
+		log.Warn("Screen Recording permission not granted. " +
+			"Grant in System Settings > Privacy & Security > Screen Recording, then restart.")
+	}
+
+	displayID := cgMainDisplayID()
+	w := int(cgDisplayPixelsWide(displayID))
+	h := int(cgDisplayPixelsHigh(displayID))
+	if w == 0 || h == 0 {
+		return nil, fmt.Errorf("display dimensions are zero")
+	}
+
+	log.Infof("macOS capturer ready: %dx%d (display=%d)", w, h, displayID)
+	return &CGCapturer{displayID: displayID, w: w, h: h}, nil
+}
+
+// Width returns the screen width.
+func (c *CGCapturer) Width() int { return c.w }
+
+// Height returns the screen height.
+func (c *CGCapturer) Height() int { return c.h }
+
+// Capture returns the current screen as an RGBA image.
+func (c *CGCapturer) Capture() (*image.RGBA, error) {
+	cgImage := cgDisplayCreateImage(c.displayID)
+	if cgImage == 0 {
+		return nil, fmt.Errorf("CGDisplayCreateImage returned nil (screen recording permission?)")
+	}
+	defer cgImageRelease(cgImage)
+
+	w := int(cgImageGetWidth(cgImage))
+	h := int(cgImageGetHeight(cgImage))
+	bytesPerRow := int(cgImageGetBytesPerRow(cgImage))
+	bpp := int(cgImageGetBitsPerPixel(cgImage))
+
+	provider := cgImageGetDataProvider(cgImage)
+	if provider == 0 {
+		return nil, fmt.Errorf("CGImageGetDataProvider returned nil")
+	}
+
+	cfData := cgDataProviderCopyData(provider)
+	if cfData == 0 {
+		return nil, fmt.Errorf("CGDataProviderCopyData returned nil")
+	}
+	defer cfRelease(cfData)
+
+	dataLen := int(cfDataGetLength(cfData))
+	dataPtr := cfDataGetBytePtr(cfData)
+	if dataPtr == 0 || dataLen == 0 {
+		return nil, fmt.Errorf("empty image data")
+	}
+
+	src := unsafe.Slice((*byte)(unsafe.Pointer(dataPtr)), dataLen)
+	img := image.NewRGBA(image.Rect(0, 0, w, h))
+
+	bytesPerPixel := bpp / 8
+	for row := 0; row < h; row++ {
+		srcOff := row * bytesPerRow
+		dstOff := row * img.Stride
+		for col := 0; col < w; col++ {
+			si := srcOff + col*bytesPerPixel
+			di := dstOff + col*4
+			img.Pix[di+0] = src[si+2] // R (from BGRA)
+			img.Pix[di+1] = src[si+1] // G
+			img.Pix[di+2] = src[si+0] // B
+			img.Pix[di+3] = 0xff
+		}
+	}
+
+	return img, nil
+}
+
+// MacPoller wraps CGCapturer in a continuous capture loop.
+type MacPoller struct {
+	mu    sync.Mutex
+	frame *image.RGBA
+	w, h  int
+	done  chan struct{}
+}
+
+// NewMacPoller creates a capturer that continuously grabs the macOS display.
+func NewMacPoller() *MacPoller {
+	p := &MacPoller{done: make(chan struct{})}
+	go p.loop()
+	return p
+}
+
+// Close stops the capture loop.
+func (p *MacPoller) Close() {
+	select {
+	case <-p.done:
+	default:
+		close(p.done)
+	}
+}
+
+// Width returns the screen width.
+func (p *MacPoller) Width() int {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	return p.w
+}
+
+// Height returns the screen height.
+func (p *MacPoller) Height() int {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	return p.h
+}
+
+// Capture returns the most recent frame.
+func (p *MacPoller) Capture() (*image.RGBA, error) {
+	p.mu.Lock()
+	img := p.frame
+	p.mu.Unlock()
+	if img != nil {
+		return img, nil
+	}
+	return nil, fmt.Errorf("no frame available yet")
+}
+
+func (p *MacPoller) loop() {
+	var capturer *CGCapturer
+	var initFails int
+
+	for {
+		select {
+		case <-p.done:
+			return
+		default:
+		}
+
+		if capturer == nil {
+			var err error
+			capturer, err = NewCGCapturer()
+			if err != nil {
+				initFails++
+				if initFails <= maxCapturerRetries {
+					log.Debugf("macOS capturer: %v (attempt %d/%d)", err, initFails, maxCapturerRetries)
+					select {
+					case <-p.done:
+						return
+					case <-time.After(2 * time.Second):
+					}
+					continue
+				}
+				log.Warnf("macOS capturer unavailable after %d attempts, stopping poller", maxCapturerRetries)
+				return
+			}
+			initFails = 0
+			p.mu.Lock()
+			p.w, p.h = capturer.Width(), capturer.Height()
+			p.mu.Unlock()
+		}
+
+		img, err := capturer.Capture()
+		if err != nil {
+			log.Debugf("macOS capture: %v", err)
+			capturer = nil
+			select {
+			case <-p.done:
+				return
+			case <-time.After(500 * time.Millisecond):
+			}
+			continue
+		}
+
+		p.mu.Lock()
+		p.frame = img
+		p.mu.Unlock()
+
+		select {
+		case <-p.done:
+			return
+		case <-time.After(33 * time.Millisecond): // ~30 fps
+		}
+	}
+}
+
+var _ ScreenCapturer = (*MacPoller)(nil)

client/vnc/server/capture_dxgi_windows.go

@@ -0,0 +1,99 @@
+//go:build windows
+
+package server
+
+import (
+	"errors"
+	"fmt"
+	"image"
+
+	"github.com/kirides/go-d3d/d3d11"
+	"github.com/kirides/go-d3d/outputduplication"
+)
+
+// dxgiCapturer captures the desktop using DXGI Desktop Duplication.
+// Provides GPU-accelerated capture with native dirty rect tracking.
+// Only works from the interactive user session, not Session 0.
+//
+// Uses a double-buffer: DXGI writes into img, then we copy to the current
+// output buffer and hand it out. Alternating between two output buffers
+// avoids allocating a new image.RGBA per frame (~8MB at 1080p, 30fps).
+type dxgiCapturer struct {
+	dup    *outputduplication.OutputDuplicator
+	device *d3d11.ID3D11Device
+	ctx    *d3d11.ID3D11DeviceContext
+	img    *image.RGBA
+	out    [2]*image.RGBA
+	outIdx int
+	width  int
+	height int
+}
+
+func newDXGICapturer() (*dxgiCapturer, error) {
+	device, deviceCtx, err := d3d11.NewD3D11Device()
+	if err != nil {
+		return nil, fmt.Errorf("create D3D11 device: %w", err)
+	}
+
+	dup, err := outputduplication.NewIDXGIOutputDuplication(device, deviceCtx, 0)
+	if err != nil {
+		device.Release()
+		deviceCtx.Release()
+		return nil, fmt.Errorf("create output duplication: %w", err)
+	}
+
+	w, h := screenSize()
+	if w == 0 || h == 0 {
+		dup.Release()
+		device.Release()
+		deviceCtx.Release()
+		return nil, fmt.Errorf("screen dimensions are zero")
+	}
+
+	rect := image.Rect(0, 0, w, h)
+	c := &dxgiCapturer{
+		dup:    dup,
+		device: device,
+		ctx:    deviceCtx,
+		img:    image.NewRGBA(rect),
+		out:    [2]*image.RGBA{image.NewRGBA(rect), image.NewRGBA(rect)},
+		width:  w,
+		height: h,
+	}
+
+	// Grab the initial frame with a longer timeout to ensure we have
+	// a valid image before returning.
+	_ = dup.GetImage(c.img, 2000)
+
+	return c, nil
+}
+
+func (c *dxgiCapturer) capture() (*image.RGBA, error) {
+	err := c.dup.GetImage(c.img, 100)
+	if err != nil && !errors.Is(err, outputduplication.ErrNoImageYet) {
+		return nil, err
+	}
+
+	// Copy into the next output buffer. The DesktopCapturer hands out the
+	// returned pointer to VNC sessions that read pixels concurrently, so we
+	// alternate between two pre-allocated buffers instead of allocating per frame.
+	out := c.out[c.outIdx]
+	c.outIdx ^= 1
+	copy(out.Pix, c.img.Pix)
+	return out, nil
+}
+
+func (c *dxgiCapturer) close() {
+	if c.dup != nil {
+		c.dup.Release()
+		c.dup = nil
+	}
+	if c.ctx != nil {
+		c.ctx.Release()
+		c.ctx = nil
+	}
+	if c.device != nil {
+		c.device.Release()
+		c.device = nil
+	}
+}

client/vnc/server/capture_windows.go

@@ -0,0 +1,461 @@
+//go:build windows
+
+package server
+
+import (
+	"fmt"
+	"image"
+	"runtime"
+	"sync"
+	"sync/atomic"
+	"time"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+var (
+	gdi32  = windows.NewLazySystemDLL("gdi32.dll")
+	user32 = windows.NewLazySystemDLL("user32.dll")
+
+	procGetDC            = user32.NewProc("GetDC")
+	procReleaseDC        = user32.NewProc("ReleaseDC")
+	procCreateCompatDC   = gdi32.NewProc("CreateCompatibleDC")
+	procCreateDIBSection = gdi32.NewProc("CreateDIBSection")
+	procSelectObject     = gdi32.NewProc("SelectObject")
+	procDeleteObject     = gdi32.NewProc("DeleteObject")
+	procDeleteDC         = gdi32.NewProc("DeleteDC")
+	procBitBlt           = gdi32.NewProc("BitBlt")
+	procGetSystemMetrics = user32.NewProc("GetSystemMetrics")
+
+	// Desktop switching for service/Session 0 capture.
+	procOpenInputDesktop          = user32.NewProc("OpenInputDesktop")
+	procSetThreadDesktop          = user32.NewProc("SetThreadDesktop")
+	procCloseDesktop              = user32.NewProc("CloseDesktop")
+	procOpenWindowStation         = user32.NewProc("OpenWindowStationW")
+	procSetProcessWindowStation   = user32.NewProc("SetProcessWindowStation")
+	procCloseWindowStation        = user32.NewProc("CloseWindowStation")
+	procGetUserObjectInformationW = user32.NewProc("GetUserObjectInformationW")
+)
+
+const uoiName = 2
+
+const (
+	smCxScreen   = 0
+	smCyScreen   = 1
+	srccopy      = 0x00CC0020
+	dibRgbColors = 0
+)
+
+type bitmapInfoHeader struct {
+	Size          uint32
+	Width         int32
+	Height        int32
+	Planes        uint16
+	BitCount      uint16
+	Compression   uint32
+	SizeImage     uint32
+	XPelsPerMeter int32
+	YPelsPerMeter int32
+	ClrUsed       uint32
+	ClrImportant  uint32
+}
+
+type bitmapInfo struct {
+	Header bitmapInfoHeader
+}
+
+// setupInteractiveWindowStation associates the current process with WinSta0,
+// the interactive window station. This is required for a SYSTEM service in
+// Session 0 to call OpenInputDesktop for screen capture and input injection.
+func setupInteractiveWindowStation() error {
+	name, err := windows.UTF16PtrFromString("WinSta0")
+	if err != nil {
+		return fmt.Errorf("UTF16 WinSta0: %w", err)
+	}
+	hWinSta, _, err := procOpenWindowStation.Call(
+		uintptr(unsafe.Pointer(name)),
+		0,
+		uintptr(windows.MAXIMUM_ALLOWED),
+	)
+	if hWinSta == 0 {
+		return fmt.Errorf("OpenWindowStation(WinSta0): %w", err)
+	}
+	r, _, err := procSetProcessWindowStation.Call(hWinSta)
+	if r == 0 {
+		procCloseWindowStation.Call(hWinSta)
+		return fmt.Errorf("SetProcessWindowStation: %w", err)
+	}
+	log.Info("process window station set to WinSta0 (interactive)")
+	return nil
+}
+
+func screenSize() (int, int) {
+	w, _, _ := procGetSystemMetrics.Call(uintptr(smCxScreen))
+	h, _, _ := procGetSystemMetrics.Call(uintptr(smCyScreen))
+	return int(w), int(h)
+}
+
+func getDesktopName(hDesk uintptr) string {
+	var buf [256]uint16
+	var needed uint32
+	procGetUserObjectInformationW.Call(hDesk, uoiName,
+		uintptr(unsafe.Pointer(&buf[0])), 512,
+		uintptr(unsafe.Pointer(&needed)))
+	return windows.UTF16ToString(buf[:])
+}
+
+// switchToInputDesktop opens the desktop currently receiving user input
+// and sets it as the calling OS thread's desktop. Must be called from a
+// goroutine locked to its OS thread via runtime.LockOSThread().
+func switchToInputDesktop() (bool, string) {
+	hDesk, _, _ := procOpenInputDesktop.Call(0, 0, uintptr(windows.MAXIMUM_ALLOWED))
+	if hDesk == 0 {
+		return false, ""
+	}
+	name := getDesktopName(hDesk)
+	ret, _, _ := procSetThreadDesktop.Call(hDesk)
+	procCloseDesktop.Call(hDesk)
+	return ret != 0, name
+}
+
+// gdiCapturer captures the desktop screen using GDI BitBlt.
+// GDI objects (DC, DIBSection) are allocated once and reused across frames.
+type gdiCapturer struct {
+	mu     sync.Mutex
+	width  int
+	height int
+
+	// Pre-allocated GDI resources, reused across captures.
+	memDC uintptr
+	bmp   uintptr
+	bits  uintptr
+}
+
+func newGDICapturer() (*gdiCapturer, error) {
+	w, h := screenSize()
+	if w == 0 || h == 0 {
+		return nil, fmt.Errorf("screen dimensions are zero")
+	}
+	c := &gdiCapturer{width: w, height: h}
+	if err := c.allocGDI(); err != nil {
+		return nil, err
+	}
+	return c, nil
+}
+
+// allocGDI pre-allocates the compatible DC and DIB section for reuse.
+func (c *gdiCapturer) allocGDI() error {
+	screenDC, _, _ := procGetDC.Call(0)
+	if screenDC == 0 {
+		return fmt.Errorf("GetDC returned 0")
+	}
+	defer procReleaseDC.Call(0, screenDC)
+
+	memDC, _, _ := procCreateCompatDC.Call(screenDC)
+	if memDC == 0 {
+		return fmt.Errorf("CreateCompatibleDC returned 0")
+	}
+
+	bi := bitmapInfo{
+		Header: bitmapInfoHeader{
+			Size:     uint32(unsafe.Sizeof(bitmapInfoHeader{})),
+			Width:    int32(c.width),
+			Height:   -int32(c.height), // negative = top-down DIB
+			Planes:   1,
+			BitCount: 32,
+		},
+	}
+
+	var bits uintptr
+	bmp, _, _ := procCreateDIBSection.Call(
+		screenDC,
+		uintptr(unsafe.Pointer(&bi)),
+		dibRgbColors,
+		uintptr(unsafe.Pointer(&bits)),
+		0, 0,
+	)
+	if bmp == 0 || bits == 0 {
+		procDeleteDC.Call(memDC)
+		return fmt.Errorf("CreateDIBSection returned 0")
+	}
+
+	procSelectObject.Call(memDC, bmp)
+
+	c.memDC = memDC
+	c.bmp = bmp
+	c.bits = bits
+	return nil
+}
+
+func (c *gdiCapturer) close() { c.freeGDI() }
+
+// freeGDI releases pre-allocated GDI resources.
+func (c *gdiCapturer) freeGDI() {
+	if c.bmp != 0 {
+		procDeleteObject.Call(c.bmp)
+		c.bmp = 0
+	}
+	if c.memDC != 0 {
+		procDeleteDC.Call(c.memDC)
+		c.memDC = 0
+	}
+	c.bits = 0
+}
+
+func (c *gdiCapturer) capture() (*image.RGBA, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.memDC == 0 {
+		return nil, fmt.Errorf("GDI resources not allocated")
+	}
+
+	screenDC, _, _ := procGetDC.Call(0)
+	if screenDC == 0 {
+		return nil, fmt.Errorf("GetDC returned 0")
+	}
+	defer procReleaseDC.Call(0, screenDC)
+
+	ret, _, _ := procBitBlt.Call(c.memDC, 0, 0, uintptr(c.width), uintptr(c.height),
+		screenDC, 0, 0, srccopy)
+	if ret == 0 {
+		return nil, fmt.Errorf("BitBlt returned 0")
+	}
+
+	n := c.width * c.height * 4
+	raw := unsafe.Slice((*byte)(unsafe.Pointer(c.bits)), n)
+
+	// GDI gives BGRA, the RFB encoder expects RGBA (img.Pix layout).
+	// Swap R and B in bulk using uint32 operations (one load + mask + shift
+	// per pixel instead of three separate byte assignments).
+	img := image.NewRGBA(image.Rect(0, 0, c.width, c.height))
+	pix := img.Pix
+	copy(pix, raw)
+	swizzleBGRAtoRGBA(pix)
+	return img, nil
+}
+
+// DesktopCapturer captures the interactive desktop, handling desktop transitions
+// (login screen, UAC prompts). A dedicated OS-locked goroutine continuously
+// captures frames, which are retrieved by the VNC session on demand.
+// Capture pauses automatically when no clients are connected.
+type DesktopCapturer struct {
+	mu    sync.Mutex
+	frame *image.RGBA
+	w, h  int
+
+	// clients tracks the number of active VNC sessions. When zero, the
+	// capture loop idles instead of grabbing frames.
+	clients atomic.Int32
+
+	// wake is signaled when a client connects and the loop should resume.
+	wake chan struct{}
+	// done is closed when Close is called, terminating the capture loop.
+	done chan struct{}
+}
+
+// NewDesktopCapturer creates a capturer that continuously grabs the active desktop.
+func NewDesktopCapturer() *DesktopCapturer {
+	c := &DesktopCapturer{
+		wake: make(chan struct{}, 1),
+		done: make(chan struct{}),
+	}
+	go c.loop()
+	return c
+}
+
+// ClientConnect increments the active client count, resuming capture if needed.
+func (c *DesktopCapturer) ClientConnect() {
+	c.clients.Add(1)
+	select {
+	case c.wake <- struct{}{}:
+	default:
+	}
+}
+
+// ClientDisconnect decrements the active client count.
+func (c *DesktopCapturer) ClientDisconnect() {
+	c.clients.Add(-1)
+}
+
+// Close stops the capture loop and releases resources.
+func (c *DesktopCapturer) Close() {
+	select {
+	case <-c.done:
+	default:
+		close(c.done)
+	}
+}
+
+// Width returns the current screen width.
+func (c *DesktopCapturer) Width() int {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.w
+}
+
+// Height returns the current screen height.
+func (c *DesktopCapturer) Height() int {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.h
+}
+
+// Capture returns the most recent desktop frame.
+func (c *DesktopCapturer) Capture() (*image.RGBA, error) {
+	c.mu.Lock()
+	img := c.frame
+	c.mu.Unlock()
+	if img != nil {
+		return img, nil
+	}
+	return nil, fmt.Errorf("no frame available yet")
+}
+
+// waitForClient blocks until a client connects or the capturer is closed.
+func (c *DesktopCapturer) waitForClient() bool {
+	if c.clients.Load() > 0 {
+		return true
+	}
+	select {
+	case <-c.wake:
+		return true
+	case <-c.done:
+		return false
+	}
+}
+
+func (c *DesktopCapturer) loop() {
+	runtime.LockOSThread()
+
+	// When running as a Windows service (Session 0), we need to attach to the
+	// interactive window station before OpenInputDesktop will succeed.
+	if err := setupInteractiveWindowStation(); err != nil {
+		log.Warnf("attach to interactive window station: %v", err)
+	}
+
+	frameTicker := time.NewTicker(33 * time.Millisecond) // ~30 fps
+	defer frameTicker.Stop()
+
+	retryTimer := time.NewTimer(0)
+	retryTimer.Stop()
+	defer retryTimer.Stop()
+
+	type frameCapturer interface {
+		capture() (*image.RGBA, error)
+		close()
+	}
+
+	var cap frameCapturer
+	var desktopFails int
+	var lastDesktop string
+
+	createCapturer := func() (frameCapturer, error) {
+		dc, err := newDXGICapturer()
+		if err == nil {
+			log.Info("using DXGI Desktop Duplication for capture")
+			return dc, nil
+		}
+		log.Debugf("DXGI unavailable (%v), falling back to GDI", err)
+		gc, err := newGDICapturer()
+		if err != nil {
+			return nil, err
+		}
+		log.Info("using GDI BitBlt for capture")
+		return gc, nil
+	}
+
+	for {
+		if !c.waitForClient() {
+			if cap != nil {
+				cap.close()
+			}
+			return
+		}
+
+		// No clients: release the capturer and wait.
+		if c.clients.Load() <= 0 {
+			if cap != nil {
+				cap.close()
+				cap = nil
+			}
+			continue
+		}
+
+		ok, desk := switchToInputDesktop()
+		if !ok {
+			desktopFails++
+			if desktopFails == 1 || desktopFails%100 == 0 {
+				log.Warnf("switchToInputDesktop failed (count=%d), no interactive desktop session?", desktopFails)
+			}
+			retryTimer.Reset(100 * time.Millisecond)
+			select {
+			case <-retryTimer.C:
+			case <-c.done:
+				return
+			}
+			continue
+		}
+		if desktopFails > 0 {
+			log.Infof("switchToInputDesktop recovered after %d failures, desktop=%q", desktopFails, desk)
+			desktopFails = 0
+		}
+		if desk != lastDesktop {
+			log.Infof("desktop changed: %q -> %q", lastDesktop, desk)
+			lastDesktop = desk
+			if cap != nil {
+				cap.close()
+			}
+			cap = nil
+		}
+
+		if cap == nil {
+			fc, err := createCapturer()
+			if err != nil {
+				log.Warnf("create capturer: %v", err)
+				retryTimer.Reset(500 * time.Millisecond)
+				select {
+				case <-retryTimer.C:
+				case <-c.done:
+					return
+				}
+				continue
+			}
+			cap = fc
+			w, h := screenSize()
+			c.mu.Lock()
+			c.w, c.h = w, h
+			c.mu.Unlock()
+			log.Infof("screen capturer ready: %dx%d", w, h)
+		}
+
+		img, err := cap.capture()
+		if err != nil {
+			log.Debugf("capture: %v", err)
+			cap.close()
+			cap = nil
+			retryTimer.Reset(100 * time.Millisecond)
+			select {
+			case <-retryTimer.C:
+			case <-c.done:
+				return
+			}
+			continue
+		}
+
+		c.mu.Lock()
+		c.frame = img
+		c.mu.Unlock()
+
+		select {
+		case <-frameTicker.C:
+		case <-c.done:
+			if cap != nil {
+				cap.close()
+			}
+			return
+		}
+	}
+}

client/vnc/server/capture_x11.go

@@ -0,0 +1,385 @@
+//go:build (linux && !android) || freebsd
+
+package server
+
+import (
+	"fmt"
+	"image"
+	"os"
+	"os/exec"
+	"strings"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/jezek/xgb"
+	"github.com/jezek/xgb/xproto"
+)
+
+// X11Capturer captures the screen from an X11 display using the MIT-SHM extension.
+type X11Capturer struct {
+	mu      sync.Mutex
+	conn    *xgb.Conn
+	screen  *xproto.ScreenInfo
+	w, h    int
+	shmID   int
+	shmAddr []byte
+	shmSeg  uint32 // shm.Seg
+	useSHM  bool
+}
+
+// detectX11Display finds the active X11 display and sets DISPLAY/XAUTHORITY
+// environment variables if needed. This is required when running as a system
+// service where these vars aren't set.
+func detectX11Display() {
+	if os.Getenv("DISPLAY") != "" {
+		return
+	}
+
+	// Try /proc first (Linux), then ps fallback (FreeBSD and others).
+	if detectX11FromProc() {
+		return
+	}
+	if detectX11FromSockets() {
+		return
+	}
+}
+
+// detectX11FromProc scans /proc/*/cmdline for Xorg (Linux).
+func detectX11FromProc() bool {
+	entries, err := os.ReadDir("/proc")
+	if err != nil {
+		return false
+	}
+	for _, e := range entries {
+		if !e.IsDir() {
+			continue
+		}
+		cmdline, err := os.ReadFile("/proc/" + e.Name() + "/cmdline")
+		if err != nil {
+			continue
+		}
+		if display, auth := parseXorgArgs(splitCmdline(cmdline)); display != "" {
+			setDisplayEnv(display, auth)
+			return true
+		}
+	}
+	return false
+}
+
+// detectX11FromSockets checks /tmp/.X11-unix/ for X sockets and uses ps
+// to find the auth file. Works on FreeBSD and other systems without /proc.
+func detectX11FromSockets() bool {
+	entries, err := os.ReadDir("/tmp/.X11-unix")
+	if err != nil {
+		return false
+	}
+
+	// Find the lowest display number.
+	for _, e := range entries {
+		name := e.Name()
+		if len(name) < 2 || name[0] != 'X' {
+			continue
+		}
+		display := ":" + name[1:]
+		os.Setenv("DISPLAY", display)
+		log.Infof("auto-detected DISPLAY=%s (from socket)", display)
+
+		// Try to find -auth from ps output.
+		if auth := findXorgAuthFromPS(); auth != "" {
+			os.Setenv("XAUTHORITY", auth)
+			log.Infof("auto-detected XAUTHORITY=%s (from ps)", auth)
+		}
+		return true
+	}
+	return false
+}
+
+// findXorgAuthFromPS runs ps to find Xorg and extract its -auth argument.
+func findXorgAuthFromPS() string {
+	out, err := exec.Command("ps", "auxww").Output()
+	if err != nil {
+		return ""
+	}
+	for _, line := range strings.Split(string(out), "\n") {
+		if !strings.Contains(line, "Xorg") && !strings.Contains(line, "/X ") {
+			continue
+		}
+		fields := strings.Fields(line)
+		for i, f := range fields {
+			if f == "-auth" && i+1 < len(fields) {
+				return fields[i+1]
+			}
+		}
+	}
+	return ""
+}
+
+func parseXorgArgs(args []string) (display, auth string) {
+	if len(args) == 0 {
+		return "", ""
+	}
+	base := args[0]
+	if !(base == "Xorg" || base == "X" || len(base) > 0 && base[len(base)-1] == 'X' ||
+		strings.Contains(base, "/Xorg") || strings.Contains(base, "/X")) {
+		return "", ""
+	}
+	for i, arg := range args[1:] {
+		if len(arg) > 0 && arg[0] == ':' {
+			display = arg
+		}
+		if arg == "-auth" && i+2 < len(args) {
+			auth = args[i+2]
+		}
+	}
+	return display, auth
+}
+
+func setDisplayEnv(display, auth string) {
+	os.Setenv("DISPLAY", display)
+	log.Infof("auto-detected DISPLAY=%s", display)
+	if auth != "" {
+		os.Setenv("XAUTHORITY", auth)
+		log.Infof("auto-detected XAUTHORITY=%s", auth)
+	}
+}
+
+func splitCmdline(data []byte) []string {
+	var args []string
+	for _, b := range splitNull(data) {
+		if len(b) > 0 {
+			args = append(args, string(b))
+		}
+	}
+	return args
+}
+
+func splitNull(data []byte) [][]byte {
+	var parts [][]byte
+	start := 0
+	for i, b := range data {
+		if b == 0 {
+			parts = append(parts, data[start:i])
+			start = i + 1
+		}
+	}
+	if start < len(data) {
+		parts = append(parts, data[start:])
+	}
+	return parts
+}
+
+// NewX11Capturer connects to the X11 display and sets up shared memory capture.
+func NewX11Capturer(display string) (*X11Capturer, error) {
+	detectX11Display()
+
+	if display == "" {
+		display = os.Getenv("DISPLAY")
+	}
+	if display == "" {
+		return nil, fmt.Errorf("DISPLAY not set and no Xorg process found")
+	}
+
+	conn, err := xgb.NewConnDisplay(display)
+	if err != nil {
+		return nil, fmt.Errorf("connect to X11 display %s: %w", display, err)
+	}
+
+	setup := xproto.Setup(conn)
+	if len(setup.Roots) == 0 {
+		conn.Close()
+		return nil, fmt.Errorf("no X11 screens")
+	}
+	screen := setup.Roots[0]
+
+	c := &X11Capturer{
+		conn:   conn,
+		screen: &screen,
+		w:      int(screen.WidthInPixels),
+		h:      int(screen.HeightInPixels),
+	}
+
+	if err := c.initSHM(); err != nil {
+		log.Debugf("X11 SHM not available, using slow GetImage: %v", err)
+	}
+
+	log.Infof("X11 capturer ready: %dx%d (display=%s, shm=%v)", c.w, c.h, display, c.useSHM)
+	return c, nil
+}
+
+// initSHM is implemented in capture_x11_shm_linux.go (requires SysV SHM).
+// On platforms without SysV SHM (FreeBSD), a stub returns an error and
+// the capturer falls back to GetImage.
+
+// Width returns the screen width.
+func (c *X11Capturer) Width() int { return c.w }
+
+// Height returns the screen height.
+func (c *X11Capturer) Height() int { return c.h }
+
+// Capture returns the current screen as an RGBA image.
+func (c *X11Capturer) Capture() (*image.RGBA, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.useSHM {
+		return c.captureSHM()
+	}
+	return c.captureGetImage()
+}
+
+// captureSHM is implemented in capture_x11_shm_linux.go.
+
+func (c *X11Capturer) captureGetImage() (*image.RGBA, error) {
+	cookie := xproto.GetImage(c.conn, xproto.ImageFormatZPixmap,
+		xproto.Drawable(c.screen.Root),
+		0, 0, uint16(c.w), uint16(c.h), 0xFFFFFFFF)
+
+	reply, err := cookie.Reply()
+	if err != nil {
+		return nil, fmt.Errorf("GetImage: %w", err)
+	}
+
+	img := image.NewRGBA(image.Rect(0, 0, c.w, c.h))
+	data := reply.Data
+	n := c.w * c.h * 4
+	if len(data) < n {
+		return nil, fmt.Errorf("GetImage returned %d bytes, expected %d", len(data), n)
+	}
+
+	for i := 0; i < n; i += 4 {
+		img.Pix[i+0] = data[i+2] // R
+		img.Pix[i+1] = data[i+1] // G
+		img.Pix[i+2] = data[i+0] // B
+		img.Pix[i+3] = 0xff
+	}
+	return img, nil
+}
+
+// Close releases X11 resources.
+func (c *X11Capturer) Close() {
+	c.closeSHM()
+	c.conn.Close()
+}
+
+// closeSHM is implemented in capture_x11_shm_linux.go.
+
+// X11Poller wraps X11Capturer in a continuous capture loop, matching the
+// DesktopCapturer pattern from Windows.
+type X11Poller struct {
+	mu      sync.Mutex
+	frame   *image.RGBA
+	w, h    int
+	display string
+	done    chan struct{}
+}
+
+// NewX11Poller creates a capturer that continuously grabs the X11 display.
+func NewX11Poller(display string) *X11Poller {
+	p := &X11Poller{
+		display: display,
+		done:    make(chan struct{}),
+	}
+	go p.loop()
+	return p
+}
+
+// Close stops the capture loop.
+func (p *X11Poller) Close() {
+	select {
+	case <-p.done:
+	default:
+		close(p.done)
+	}
+}
+
+// Width returns the screen width.
+func (p *X11Poller) Width() int {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	return p.w
+}
+
+// Height returns the screen height.
+func (p *X11Poller) Height() int {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	return p.h
+}
+
+// Capture returns the most recent frame.
+func (p *X11Poller) Capture() (*image.RGBA, error) {
+	p.mu.Lock()
+	img := p.frame
+	p.mu.Unlock()
+	if img != nil {
+		return img, nil
+	}
+	return nil, fmt.Errorf("no frame available yet")
+}
+
+func (p *X11Poller) loop() {
+	var capturer *X11Capturer
+	var initFails int
+
+	defer func() {
+		if capturer != nil {
+			capturer.Close()
+		}
+	}()
+
+	for {
+		select {
+		case <-p.done:
+			return
+		default:
+		}
+
+		if capturer == nil {
+			var err error
+			capturer, err = NewX11Capturer(p.display)
+			if err != nil {
+				initFails++
+				if initFails <= maxCapturerRetries {
+					log.Debugf("X11 capturer: %v (attempt %d/%d)", err, initFails, maxCapturerRetries)
+					select {
+					case <-p.done:
+						return
+					case <-time.After(2 * time.Second):
+					}
+					continue
+				}
+				log.Warnf("X11 capturer unavailable after %d attempts, stopping poller", maxCapturerRetries)
+				return
+			}
+			initFails = 0
+			p.mu.Lock()
+			p.w, p.h = capturer.Width(), capturer.Height()
+			p.mu.Unlock()
+		}
+
+		img, err := capturer.Capture()
+		if err != nil {
+			log.Debugf("X11 capture: %v", err)
+			capturer.Close()
+			capturer = nil
+			select {
+			case <-p.done:
+				return
+			case <-time.After(500 * time.Millisecond):
+			}
+			continue
+		}
+
+		p.mu.Lock()
+		p.frame = img
+		p.mu.Unlock()
+
+		select {
+		case <-p.done:
+			return
+		case <-time.After(33 * time.Millisecond): // ~30 fps
+		}
+	}
+}

client/vnc/server/capture_x11_shm_linux.go

@@ -0,0 +1,78 @@
+//go:build linux && !android
+
+package server
+
+import (
+	"fmt"
+	"image"
+
+	"github.com/jezek/xgb/shm"
+	"github.com/jezek/xgb/xproto"
+	"golang.org/x/sys/unix"
+)
+
+func (c *X11Capturer) initSHM() error {
+	if err := shm.Init(c.conn); err != nil {
+		return fmt.Errorf("init SHM extension: %w", err)
+	}
+
+	size := c.w * c.h * 4
+	id, err := unix.SysvShmGet(unix.IPC_PRIVATE, size, unix.IPC_CREAT|0600)
+	if err != nil {
+		return fmt.Errorf("shmget: %w", err)
+	}
+
+	addr, err := unix.SysvShmAttach(id, 0, 0)
+	if err != nil {
+		unix.SysvShmCtl(id, unix.IPC_RMID, nil)
+		return fmt.Errorf("shmat: %w", err)
+	}
+
+	unix.SysvShmCtl(id, unix.IPC_RMID, nil)
+
+	seg, err := shm.NewSegId(c.conn)
+	if err != nil {
+		unix.SysvShmDetach(addr)
+		return fmt.Errorf("new SHM seg: %w", err)
+	}
+
+	if err := shm.AttachChecked(c.conn, seg, uint32(id), false).Check(); err != nil {
+		unix.SysvShmDetach(addr)
+		return fmt.Errorf("SHM attach to X: %w", err)
+	}
+
+	c.shmID = id
+	c.shmAddr = addr
+	c.shmSeg = uint32(seg)
+	c.useSHM = true
+	return nil
+}
+
+func (c *X11Capturer) captureSHM() (*image.RGBA, error) {
+	cookie := shm.GetImage(c.conn, xproto.Drawable(c.screen.Root),
+		0, 0, uint16(c.w), uint16(c.h), 0xFFFFFFFF,
+		xproto.ImageFormatZPixmap, shm.Seg(c.shmSeg), 0)
+
+	_, err := cookie.Reply()
+	if err != nil {
+		return nil, fmt.Errorf("SHM GetImage: %w", err)
+	}
+
+	img := image.NewRGBA(image.Rect(0, 0, c.w, c.h))
+	n := c.w * c.h * 4
+
+	for i := 0; i < n; i += 4 {
+		img.Pix[i+0] = c.shmAddr[i+2] // R
+		img.Pix[i+1] = c.shmAddr[i+1] // G
+		img.Pix[i+2] = c.shmAddr[i+0] // B
+		img.Pix[i+3] = 0xff
+	}
+	return img, nil
+}
+
+func (c *X11Capturer) closeSHM() {
+	if c.useSHM {
+		shm.Detach(c.conn, shm.Seg(c.shmSeg))
+		unix.SysvShmDetach(c.shmAddr)
+	}
+}

client/vnc/server/capture_x11_shm_stub.go

@@ -0,0 +1,18 @@
+//go:build freebsd
+
+package server
+
+import (
+	"fmt"
+	"image"
+)
+
+func (c *X11Capturer) initSHM() error {
+	return fmt.Errorf("SysV SHM not available on this platform")
+}
+
+func (c *X11Capturer) captureSHM() (*image.RGBA, error) {
+	return nil, fmt.Errorf("SHM capture not available on this platform")
+}
+
+func (c *X11Capturer) closeSHM() {}

client/vnc/server/input_darwin.go

@@ -0,0 +1,403 @@
+//go:build darwin && !ios
+
+package server
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+	"sync"
+
+	"github.com/ebitengine/purego"
+	log "github.com/sirupsen/logrus"
+)
+
+// Core Graphics event constants.
+const (
+	kCGEventSourceStateCombinedSessionState int32 = 0
+
+	kCGEventLeftMouseDown     int32 = 1
+	kCGEventLeftMouseUp       int32 = 2
+	kCGEventRightMouseDown    int32 = 3
+	kCGEventRightMouseUp      int32 = 4
+	kCGEventMouseMoved        int32 = 5
+	kCGEventLeftMouseDragged  int32 = 6
+	kCGEventRightMouseDragged int32 = 7
+	kCGEventKeyDown           int32 = 10
+	kCGEventKeyUp             int32 = 11
+	kCGEventOtherMouseDown    int32 = 25
+	kCGEventOtherMouseUp      int32 = 26
+
+	kCGMouseButtonLeft   int32 = 0
+	kCGMouseButtonRight  int32 = 1
+	kCGMouseButtonCenter int32 = 2
+
+	kCGHIDEventTap int32 = 0
+)
+
+var darwinInputOnce sync.Once
+
+var (
+	cgEventSourceCreate        func(int32) uintptr
+	cgEventCreateKeyboardEvent func(uintptr, uint16, bool) uintptr
+	// CGEventCreateMouseEvent takes CGPoint as two separate float64 args.
+	// purego can't handle array/struct types but individual float64s work.
+	cgEventCreateMouseEvent func(uintptr, int32, float64, float64, int32) uintptr
+	cgEventPost             func(int32, uintptr)
+
+	// CGEventCreateScrollWheelEvent is variadic, call via SyscallN.
+	cgEventCreateScrollWheelEventAddr uintptr
+
+	darwinInputReady  bool
+	darwinEventSource uintptr
+)
+
+func initDarwinInput() {
+	darwinInputOnce.Do(func() {
+		cg, err := purego.Dlopen("/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics", purego.RTLD_NOW|purego.RTLD_GLOBAL)
+		if err != nil {
+			log.Debugf("load CoreGraphics for input: %v", err)
+			return
+		}
+
+		purego.RegisterLibFunc(&cgEventSourceCreate, cg, "CGEventSourceCreate")
+		purego.RegisterLibFunc(&cgEventCreateKeyboardEvent, cg, "CGEventCreateKeyboardEvent")
+		purego.RegisterLibFunc(&cgEventCreateMouseEvent, cg, "CGEventCreateMouseEvent")
+		purego.RegisterLibFunc(&cgEventPost, cg, "CGEventPost")
+
+		sym, err := purego.Dlsym(cg, "CGEventCreateScrollWheelEvent")
+		if err == nil {
+			cgEventCreateScrollWheelEventAddr = sym
+		}
+
+		darwinInputReady = true
+	})
+}
+
+func ensureEventSource() uintptr {
+	if darwinEventSource != 0 {
+		return darwinEventSource
+	}
+	darwinEventSource = cgEventSourceCreate(kCGEventSourceStateCombinedSessionState)
+	return darwinEventSource
+}
+
+// MacInputInjector injects keyboard and mouse events via Core Graphics.
+type MacInputInjector struct {
+	lastButtons uint8
+	pbcopyPath  string
+	pbpastePath string
+}
+
+// NewMacInputInjector creates a macOS input injector.
+func NewMacInputInjector() (*MacInputInjector, error) {
+	initDarwinInput()
+	if !darwinInputReady {
+		return nil, fmt.Errorf("CoreGraphics not available for input injection")
+	}
+	checkMacPermissions()
+
+	m := &MacInputInjector{}
+	if path, err := exec.LookPath("pbcopy"); err == nil {
+		m.pbcopyPath = path
+	}
+	if path, err := exec.LookPath("pbpaste"); err == nil {
+		m.pbpastePath = path
+	}
+	if m.pbcopyPath == "" || m.pbpastePath == "" {
+		log.Debugf("clipboard tools not found (pbcopy=%q, pbpaste=%q)", m.pbcopyPath, m.pbpastePath)
+	}
+
+	log.Info("macOS input injector ready")
+	return m, nil
+}
+
+// checkMacPermissions logs warnings and triggers the Accessibility prompt.
+// Screen Recording has no programmatic prompt, the user must grant it manually.
+func checkMacPermissions() {
+	// Check Accessibility via osascript (triggers the system prompt dialog).
+	out, err := exec.Command("osascript", "-e",
+		`tell application "System Events" to return name of first process`).CombinedOutput()
+	if err != nil {
+		log.Warn("Accessibility permission not granted. Input injection will not work. " +
+			"Grant in System Settings > Privacy & Security > Accessibility.")
+		log.Debugf("accessibility check output: %s (%v)", strings.TrimSpace(string(out)), err)
+	}
+
+	log.Info("Screen Recording permission is required for screen capture. " +
+		"If the screen appears black, grant in System Settings > Privacy & Security > Screen Recording.")
+}
+
+// InjectKey simulates a key press or release.
+func (m *MacInputInjector) InjectKey(keysym uint32, down bool) {
+	src := ensureEventSource()
+	if src == 0 {
+		return
+	}
+	keycode := keysymToMacKeycode(keysym)
+	if keycode == 0xFFFF {
+		return
+	}
+	event := cgEventCreateKeyboardEvent(src, keycode, down)
+	if event == 0 {
+		return
+	}
+	cgEventPost(kCGHIDEventTap, event)
+	cfRelease(event)
+}
+
+// InjectPointer simulates mouse movement and button events.
+func (m *MacInputInjector) InjectPointer(buttonMask uint8, px, py, serverW, serverH int) {
+	if serverW == 0 || serverH == 0 {
+		return
+	}
+	src := ensureEventSource()
+	if src == 0 {
+		return
+	}
+
+	x := float64(px)
+	y := float64(py)
+	leftDown := buttonMask&0x01 != 0
+	rightDown := buttonMask&0x04 != 0
+	middleDown := buttonMask&0x02 != 0
+	scrollUp := buttonMask&0x08 != 0
+	scrollDown := buttonMask&0x10 != 0
+
+	wasLeft := m.lastButtons&0x01 != 0
+	wasRight := m.lastButtons&0x04 != 0
+	wasMiddle := m.lastButtons&0x02 != 0
+
+	if leftDown {
+		m.postMouse(src, kCGEventLeftMouseDragged, x, y, kCGMouseButtonLeft)
+	} else if rightDown {
+		m.postMouse(src, kCGEventRightMouseDragged, x, y, kCGMouseButtonRight)
+	} else {
+		m.postMouse(src, kCGEventMouseMoved, x, y, kCGMouseButtonLeft)
+	}
+
+	if leftDown && !wasLeft {
+		m.postMouse(src, kCGEventLeftMouseDown, x, y, kCGMouseButtonLeft)
+	} else if !leftDown && wasLeft {
+		m.postMouse(src, kCGEventLeftMouseUp, x, y, kCGMouseButtonLeft)
+	}
+	if rightDown && !wasRight {
+		m.postMouse(src, kCGEventRightMouseDown, x, y, kCGMouseButtonRight)
+	} else if !rightDown && wasRight {
+		m.postMouse(src, kCGEventRightMouseUp, x, y, kCGMouseButtonRight)
+	}
+	if middleDown && !wasMiddle {
+		m.postMouse(src, kCGEventOtherMouseDown, x, y, kCGMouseButtonCenter)
+	} else if !middleDown && wasMiddle {
+		m.postMouse(src, kCGEventOtherMouseUp, x, y, kCGMouseButtonCenter)
+	}
+
+	if scrollUp {
+		m.postScroll(src, 3)
+	}
+	if scrollDown {
+		m.postScroll(src, -3)
+	}
+
+	m.lastButtons = buttonMask
+}
+
+func (m *MacInputInjector) postMouse(src uintptr, eventType int32, x, y float64, button int32) {
+	if cgEventCreateMouseEvent == nil {
+		return
+	}
+	event := cgEventCreateMouseEvent(src, eventType, x, y, button)
+	if event == 0 {
+		return
+	}
+	cgEventPost(kCGHIDEventTap, event)
+	cfRelease(event)
+}
+
+func (m *MacInputInjector) postScroll(src uintptr, deltaY int32) {
+	if cgEventCreateScrollWheelEventAddr == 0 {
+		return
+	}
+	// CGEventCreateScrollWheelEvent(source, units, wheelCount, wheel1delta)
+	// units=0 (pixel), wheelCount=1, wheel1delta=deltaY
+	// Variadic C function: pass args as uintptr via SyscallN.
+	r1, _, _ := purego.SyscallN(cgEventCreateScrollWheelEventAddr,
+		src, 0, 1, uintptr(uint32(deltaY)))
+	if r1 == 0 {
+		return
+	}
+	cgEventPost(kCGHIDEventTap, r1)
+	cfRelease(r1)
+}
+
+// SetClipboard sets the macOS clipboard using pbcopy.
+func (m *MacInputInjector) SetClipboard(text string) {
+	if m.pbcopyPath == "" {
+		return
+	}
+	cmd := exec.Command(m.pbcopyPath)
+	cmd.Stdin = strings.NewReader(text)
+	if err := cmd.Run(); err != nil {
+		log.Tracef("set clipboard via pbcopy: %v", err)
+	}
+}
+
+// GetClipboard reads the macOS clipboard using pbpaste.
+func (m *MacInputInjector) GetClipboard() string {
+	if m.pbpastePath == "" {
+		return ""
+	}
+	out, err := exec.Command(m.pbpastePath).Output()
+	if err != nil {
+		log.Tracef("get clipboard via pbpaste: %v", err)
+		return ""
+	}
+	return string(out)
+}
+
+// Close is a no-op on macOS.
+func (m *MacInputInjector) Close() {}
+
+func keysymToMacKeycode(keysym uint32) uint16 {
+	if keysym >= 0x61 && keysym <= 0x7a {
+		return asciiToMacKey[keysym-0x61]
+	}
+	if keysym >= 0x41 && keysym <= 0x5a {
+		return asciiToMacKey[keysym-0x41]
+	}
+	if keysym >= 0x30 && keysym <= 0x39 {
+		return digitToMacKey[keysym-0x30]
+	}
+	if code, ok := specialKeyMap[keysym]; ok {
+		return code
+	}
+	return 0xFFFF
+}
+
+var asciiToMacKey = [26]uint16{
+	0x00, 0x0B, 0x08, 0x02, 0x0E, 0x03, 0x05, 0x04,
+	0x22, 0x26, 0x28, 0x25, 0x2E, 0x2D, 0x1F, 0x23,
+	0x0C, 0x0F, 0x01, 0x11, 0x20, 0x09, 0x0D, 0x07,
+	0x10, 0x06,
+}
+
+var digitToMacKey = [10]uint16{
+	0x1D, 0x12, 0x13, 0x14, 0x15, 0x17, 0x16, 0x1A, 0x1C, 0x19,
+}
+
+var specialKeyMap = map[uint32]uint16{
+	// Whitespace and editing
+	0x0020: 0x31, // space
+	0xff08: 0x33, // BackSpace
+	0xff09: 0x30, // Tab
+	0xff0d: 0x24, // Return
+	0xff1b: 0x35, // Escape
+	0xffff: 0x75, // Delete (forward)
+
+	// Navigation
+	0xff50: 0x73, // Home
+	0xff51: 0x7B, // Left
+	0xff52: 0x7E, // Up
+	0xff53: 0x7C, // Right
+	0xff54: 0x7D, // Down
+	0xff55: 0x74, // Page_Up
+	0xff56: 0x79, // Page_Down
+	0xff57: 0x77, // End
+	0xff63: 0x72, // Insert (Help on Mac)
+
+	// Modifiers
+	0xffe1: 0x38, // Shift_L
+	0xffe2: 0x3C, // Shift_R
+	0xffe3: 0x3B, // Control_L
+	0xffe4: 0x3E, // Control_R
+	0xffe5: 0x39, // Caps_Lock
+	0xffe9: 0x3A, // Alt_L (Option)
+	0xffea: 0x3D, // Alt_R (Option)
+	0xffe7: 0x37, // Meta_L (Command)
+	0xffe8: 0x36, // Meta_R (Command)
+	0xffeb: 0x37, // Super_L (Command) - noVNC sends this
+	0xffec: 0x36, // Super_R (Command)
+
+	// Mode_switch / ISO_Level3_Shift (sent by noVNC for macOS Option remap)
+	0xff7e: 0x3A, // Mode_switch -> Option
+	0xfe03: 0x3D, // ISO_Level3_Shift -> Right Option
+
+	// Function keys
+	0xffbe: 0x7A, // F1
+	0xffbf: 0x78, // F2
+	0xffc0: 0x63, // F3
+	0xffc1: 0x76, // F4
+	0xffc2: 0x60, // F5
+	0xffc3: 0x61, // F6
+	0xffc4: 0x62, // F7
+	0xffc5: 0x64, // F8
+	0xffc6: 0x65, // F9
+	0xffc7: 0x6D, // F10
+	0xffc8: 0x67, // F11
+	0xffc9: 0x6F, // F12
+	0xffca: 0x69, // F13
+	0xffcb: 0x6B, // F14
+	0xffcc: 0x71, // F15
+	0xffcd: 0x6A, // F16
+	0xffce: 0x40, // F17
+	0xffcf: 0x4F, // F18
+	0xffd0: 0x50, // F19
+	0xffd1: 0x5A, // F20
+
+	// Punctuation (US keyboard layout, keysym = ASCII code)
+	0x002d: 0x1B, // minus -
+	0x003d: 0x18, // equal =
+	0x005b: 0x21, // bracketleft [
+	0x005d: 0x1E, // bracketright ]
+	0x005c: 0x2A, // backslash
+	0x003b: 0x29, // semicolon ;
+	0x0027: 0x27, // apostrophe '
+	0x0060: 0x32, // grave `
+	0x002c: 0x2B, // comma ,
+	0x002e: 0x2F, // period .
+	0x002f: 0x2C, // slash /
+
+	// Shifted punctuation (noVNC sends these as separate keysyms)
+	0x005f: 0x1B, // underscore _ (shift+minus)
+	0x002b: 0x18, // plus + (shift+equal)
+	0x007b: 0x21, // braceleft { (shift+[)
+	0x007d: 0x1E, // braceright } (shift+])
+	0x007c: 0x2A, // bar | (shift+\)
+	0x003a: 0x29, // colon : (shift+;)
+	0x0022: 0x27, // quotedbl " (shift+')
+	0x007e: 0x32, // tilde ~ (shift+`)
+	0x003c: 0x2B, // less < (shift+,)
+	0x003e: 0x2F, // greater > (shift+.)
+	0x003f: 0x2C, // question ? (shift+/)
+	0x0021: 0x12, // exclam ! (shift+1)
+	0x0040: 0x13, // at @ (shift+2)
+	0x0023: 0x14, // numbersign # (shift+3)
+	0x0024: 0x15, // dollar $ (shift+4)
+	0x0025: 0x17, // percent % (shift+5)
+	0x005e: 0x16, // asciicircum ^ (shift+6)
+	0x0026: 0x1A, // ampersand & (shift+7)
+	0x002a: 0x1C, // asterisk * (shift+8)
+	0x0028: 0x19, // parenleft ( (shift+9)
+	0x0029: 0x1D, // parenright ) (shift+0)
+
+	// Numpad
+	0xffb0: 0x52, // KP_0
+	0xffb1: 0x53, // KP_1
+	0xffb2: 0x54, // KP_2
+	0xffb3: 0x55, // KP_3
+	0xffb4: 0x56, // KP_4
+	0xffb5: 0x57, // KP_5
+	0xffb6: 0x58, // KP_6
+	0xffb7: 0x59, // KP_7
+	0xffb8: 0x5B, // KP_8
+	0xffb9: 0x5C, // KP_9
+	0xffae: 0x41, // KP_Decimal
+	0xffaa: 0x43, // KP_Multiply
+	0xffab: 0x45, // KP_Add
+	0xffad: 0x4E, // KP_Subtract
+	0xffaf: 0x4B, // KP_Divide
+	0xff8d: 0x4C, // KP_Enter
+	0xffbd: 0x51, // KP_Equal
+}
+
+var _ InputInjector = (*MacInputInjector)(nil)

client/vnc/server/input_windows.go

@@ -0,0 +1,398 @@
+//go:build windows
+
+package server
+
+import (
+	"runtime"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+var (
+	procOpenEventW = kernel32.NewProc("OpenEventW")
+	procSendInput  = user32.NewProc("SendInput")
+	procVkKeyScanA = user32.NewProc("VkKeyScanA")
+)
+
+const eventModifyState = 0x0002
+
+const (
+	inputMouse    = 0
+	inputKeyboard = 1
+
+	mouseeventfMove       = 0x0001
+	mouseeventfLeftDown   = 0x0002
+	mouseeventfLeftUp     = 0x0004
+	mouseeventfRightDown  = 0x0008
+	mouseeventfRightUp    = 0x0010
+	mouseeventfMiddleDown = 0x0020
+	mouseeventfMiddleUp   = 0x0040
+	mouseeventfWheel      = 0x0800
+	mouseeventfAbsolute   = 0x8000
+
+	wheelDelta = 120
+
+	keyeventfKeyUp    = 0x0002
+	keyeventfScanCode = 0x0008
+)
+
+type mouseInput struct {
+	Dx          int32
+	Dy          int32
+	MouseData   uint32
+	DwFlags     uint32
+	Time        uint32
+	DwExtraInfo uintptr
+}
+
+type keybdInput struct {
+	WVk         uint16
+	WScan       uint16
+	DwFlags     uint32
+	Time        uint32
+	DwExtraInfo uintptr
+	_           [8]byte
+}
+
+type inputUnion [32]byte
+
+type winInput struct {
+	Type uint32
+	_    [4]byte
+	Data inputUnion
+}
+
+func sendMouseInput(flags uint32, dx, dy int32, mouseData uint32) {
+	mi := mouseInput{
+		Dx:        dx,
+		Dy:        dy,
+		MouseData: mouseData,
+		DwFlags:   flags,
+	}
+	inp := winInput{Type: inputMouse}
+	copy(inp.Data[:], (*[unsafe.Sizeof(mi)]byte)(unsafe.Pointer(&mi))[:])
+	r, _, err := procSendInput.Call(1, uintptr(unsafe.Pointer(&inp)), unsafe.Sizeof(inp))
+	if r == 0 {
+		log.Tracef("SendInput(mouse flags=0x%x): %v", flags, err)
+	}
+}
+
+func sendKeyInput(vk uint16, scanCode uint16, flags uint32) {
+	ki := keybdInput{
+		WVk:     vk,
+		WScan:   scanCode,
+		DwFlags: flags,
+	}
+	inp := winInput{Type: inputKeyboard}
+	copy(inp.Data[:], (*[unsafe.Sizeof(ki)]byte)(unsafe.Pointer(&ki))[:])
+	r, _, err := procSendInput.Call(1, uintptr(unsafe.Pointer(&inp)), unsafe.Sizeof(inp))
+	if r == 0 {
+		log.Tracef("SendInput(key vk=0x%x): %v", vk, err)
+	}
+}
+
+const sasEventName = `Global\NetBirdVNC_SAS`
+
+type inputCmd struct {
+	isKey      bool
+	keysym     uint32
+	down       bool
+	buttonMask uint8
+	x, y       int
+	serverW    int
+	serverH    int
+}
+
+// WindowsInputInjector delivers input events from a dedicated OS thread that
+// calls switchToInputDesktop before each injection. SendInput targets the
+// calling thread's desktop, so the injection thread must be on the same
+// desktop the user sees.
+type WindowsInputInjector struct {
+	ch             chan inputCmd
+	prevButtonMask uint8
+	ctrlDown       bool
+	altDown        bool
+}
+
+// NewWindowsInputInjector creates a desktop-aware input injector.
+func NewWindowsInputInjector() *WindowsInputInjector {
+	w := &WindowsInputInjector{ch: make(chan inputCmd, 64)}
+	go w.loop()
+	return w
+}
+
+func (w *WindowsInputInjector) loop() {
+	runtime.LockOSThread()
+
+	for cmd := range w.ch {
+		// Switch to the current input desktop so SendInput reaches the right target.
+		switchToInputDesktop()
+
+		if cmd.isKey {
+			w.doInjectKey(cmd.keysym, cmd.down)
+		} else {
+			w.doInjectPointer(cmd.buttonMask, cmd.x, cmd.y, cmd.serverW, cmd.serverH)
+		}
+	}
+}
+
+// InjectKey queues a key event for injection on the input desktop thread.
+func (w *WindowsInputInjector) InjectKey(keysym uint32, down bool) {
+	w.ch <- inputCmd{isKey: true, keysym: keysym, down: down}
+}
+
+// InjectPointer queues a pointer event for injection on the input desktop thread.
+func (w *WindowsInputInjector) InjectPointer(buttonMask uint8, x, y, serverW, serverH int) {
+	w.ch <- inputCmd{buttonMask: buttonMask, x: x, y: y, serverW: serverW, serverH: serverH}
+}
+
+func (w *WindowsInputInjector) doInjectKey(keysym uint32, down bool) {
+	switch keysym {
+	case 0xffe3, 0xffe4:
+		w.ctrlDown = down
+	case 0xffe9, 0xffea:
+		w.altDown = down
+	}
+
+	if (keysym == 0xff9f || keysym == 0xffff) && w.ctrlDown && w.altDown && down {
+		signalSAS()
+		return
+	}
+
+	vk, _, extended := keysym2VK(keysym)
+	if vk == 0 {
+		return
+	}
+	var flags uint32
+	if !down {
+		flags |= keyeventfKeyUp
+	}
+	if extended {
+		flags |= keyeventfScanCode
+	}
+	sendKeyInput(vk, 0, flags)
+}
+
+// signalSAS signals the SAS named event. A listener in Session 0
+// (startSASListener) calls SendSAS to trigger the Secure Attention Sequence.
+func signalSAS() {
+	namePtr, err := windows.UTF16PtrFromString(sasEventName)
+	if err != nil {
+		log.Warnf("SAS UTF16: %v", err)
+		return
+	}
+	h, _, lerr := procOpenEventW.Call(
+		uintptr(eventModifyState),
+		0,
+		uintptr(unsafe.Pointer(namePtr)),
+	)
+	if h == 0 {
+		log.Warnf("OpenEvent(%s): %v", sasEventName, lerr)
+		return
+	}
+	ev := windows.Handle(h)
+	defer windows.CloseHandle(ev)
+	if err := windows.SetEvent(ev); err != nil {
+		log.Warnf("SetEvent SAS: %v", err)
+	} else {
+		log.Info("SAS event signaled")
+	}
+}
+
+func (w *WindowsInputInjector) doInjectPointer(buttonMask uint8, x, y, serverW, serverH int) {
+	if serverW == 0 || serverH == 0 {
+		return
+	}
+
+	absX := int32(x * 65535 / serverW)
+	absY := int32(y * 65535 / serverH)
+
+	sendMouseInput(mouseeventfMove|mouseeventfAbsolute, absX, absY, 0)
+
+	changed := buttonMask ^ w.prevButtonMask
+	w.prevButtonMask = buttonMask
+
+	type btnMap struct {
+		bit  uint8
+		down uint32
+		up   uint32
+	}
+	buttons := [...]btnMap{
+		{0x01, mouseeventfLeftDown, mouseeventfLeftUp},
+		{0x02, mouseeventfMiddleDown, mouseeventfMiddleUp},
+		{0x04, mouseeventfRightDown, mouseeventfRightUp},
+	}
+	for _, b := range buttons {
+		if changed&b.bit == 0 {
+			continue
+		}
+		var flags uint32
+		if buttonMask&b.bit != 0 {
+			flags = b.down
+		} else {
+			flags = b.up
+		}
+		sendMouseInput(flags|mouseeventfAbsolute, absX, absY, 0)
+	}
+
+	negWheelDelta := ^uint32(wheelDelta - 1)
+	if changed&0x08 != 0 && buttonMask&0x08 != 0 {
+		sendMouseInput(mouseeventfWheel|mouseeventfAbsolute, absX, absY, wheelDelta)
+	}
+	if changed&0x10 != 0 && buttonMask&0x10 != 0 {
+		sendMouseInput(mouseeventfWheel|mouseeventfAbsolute, absX, absY, negWheelDelta)
+	}
+}
+
+// keysym2VK converts an X11 keysym to a Windows virtual key code.
+func keysym2VK(keysym uint32) (vk uint16, scan uint16, extended bool) {
+	if keysym >= 0x20 && keysym <= 0x7e {
+		r, _, _ := procVkKeyScanA.Call(uintptr(keysym))
+		vk = uint16(r & 0xff)
+		return
+	}
+
+	if keysym >= 0xffbe && keysym <= 0xffc9 {
+		vk = uint16(0x70 + keysym - 0xffbe)
+		return
+	}
+
+	switch keysym {
+	case 0xff08:
+		vk = 0x08 // Backspace
+	case 0xff09:
+		vk = 0x09 // Tab
+	case 0xff0d:
+		vk = 0x0d // Return
+	case 0xff1b:
+		vk = 0x1b // Escape
+	case 0xff63:
+		vk, extended = 0x2d, true // Insert
+	case 0xff9f, 0xffff:
+		vk, extended = 0x2e, true // Delete
+	case 0xff50:
+		vk, extended = 0x24, true // Home
+	case 0xff57:
+		vk, extended = 0x23, true // End
+	case 0xff55:
+		vk, extended = 0x21, true // PageUp
+	case 0xff56:
+		vk, extended = 0x22, true // PageDown
+	case 0xff51:
+		vk, extended = 0x25, true // Left
+	case 0xff52:
+		vk, extended = 0x26, true // Up
+	case 0xff53:
+		vk, extended = 0x27, true // Right
+	case 0xff54:
+		vk, extended = 0x28, true // Down
+	case 0xffe1, 0xffe2:
+		vk = 0x10 // Shift
+	case 0xffe3, 0xffe4:
+		vk = 0x11 // Control
+	case 0xffe9, 0xffea:
+		vk = 0x12 // Alt
+	case 0xffe5:
+		vk = 0x14 // CapsLock
+	case 0xffe7, 0xffeb:
+		vk, extended = 0x5B, true // Meta_L / Super_L -> Left Windows
+	case 0xffe8, 0xffec:
+		vk, extended = 0x5C, true // Meta_R / Super_R -> Right Windows
+	case 0xff61:
+		vk = 0x2c // PrintScreen
+	case 0xff13:
+		vk = 0x13 // Pause
+	case 0xff14:
+		vk = 0x91 // ScrollLock
+	}
+	return
+}
+
+var (
+	procOpenClipboard              = user32.NewProc("OpenClipboard")
+	procCloseClipboard             = user32.NewProc("CloseClipboard")
+	procEmptyClipboard             = user32.NewProc("EmptyClipboard")
+	procSetClipboardData           = user32.NewProc("SetClipboardData")
+	procGetClipboardData           = user32.NewProc("GetClipboardData")
+	procIsClipboardFormatAvailable = user32.NewProc("IsClipboardFormatAvailable")
+
+	procGlobalAlloc  = kernel32.NewProc("GlobalAlloc")
+	procGlobalLock   = kernel32.NewProc("GlobalLock")
+	procGlobalUnlock = kernel32.NewProc("GlobalUnlock")
+)
+
+const (
+	cfUnicodeText = 13
+	gmemMoveable  = 0x0002
+)
+
+// SetClipboard sets the Windows clipboard to the given UTF-8 text.
+func (w *WindowsInputInjector) SetClipboard(text string) {
+	utf16, err := windows.UTF16FromString(text)
+	if err != nil {
+		log.Tracef("clipboard UTF16 encode: %v", err)
+		return
+	}
+
+	size := uintptr(len(utf16) * 2)
+	hMem, _, _ := procGlobalAlloc.Call(gmemMoveable, size)
+	if hMem == 0 {
+		log.Tracef("GlobalAlloc for clipboard: allocation returned nil")
+		return
+	}
+
+	ptr, _, _ := procGlobalLock.Call(hMem)
+	if ptr == 0 {
+		log.Tracef("GlobalLock for clipboard: lock returned nil")
+		return
+	}
+	copy(unsafe.Slice((*uint16)(unsafe.Pointer(ptr)), len(utf16)), utf16)
+	procGlobalUnlock.Call(hMem)
+
+	r, _, lerr := procOpenClipboard.Call(0)
+	if r == 0 {
+		log.Tracef("OpenClipboard: %v", lerr)
+		return
+	}
+	defer procCloseClipboard.Call()
+
+	procEmptyClipboard.Call()
+	r, _, lerr = procSetClipboardData.Call(cfUnicodeText, hMem)
+	if r == 0 {
+		log.Tracef("SetClipboardData: %v", lerr)
+	}
+}
+
+// GetClipboard reads the Windows clipboard as UTF-8 text.
+func (w *WindowsInputInjector) GetClipboard() string {
+	r, _, _ := procIsClipboardFormatAvailable.Call(cfUnicodeText)
+	if r == 0 {
+		return ""
+	}
+
+	r, _, lerr := procOpenClipboard.Call(0)
+	if r == 0 {
+		log.Tracef("OpenClipboard for read: %v", lerr)
+		return ""
+	}
+	defer procCloseClipboard.Call()
+
+	hData, _, _ := procGetClipboardData.Call(cfUnicodeText)
+	if hData == 0 {
+		return ""
+	}
+
+	ptr, _, _ := procGlobalLock.Call(hData)
+	if ptr == 0 {
+		return ""
+	}
+	defer procGlobalUnlock.Call(hData)
+
+	return windows.UTF16PtrToString((*uint16)(unsafe.Pointer(ptr)))
+}
+
+var _ InputInjector = (*WindowsInputInjector)(nil)
+
+var _ ScreenCapturer = (*DesktopCapturer)(nil)

client/vnc/server/input_x11.go

@@ -0,0 +1,242 @@
+//go:build (linux && !android) || freebsd
+
+package server
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/jezek/xgb"
+	"github.com/jezek/xgb/xproto"
+	"github.com/jezek/xgb/xtest"
+)
+
+// X11InputInjector injects keyboard and mouse events via the XTest extension.
+type X11InputInjector struct {
+	conn              *xgb.Conn
+	root              xproto.Window
+	screen            *xproto.ScreenInfo
+	display           string
+	keysymMap         map[uint32]byte
+	lastButtons       uint8
+	clipboardTool     string
+	clipboardToolName string
+}
+
+// NewX11InputInjector connects to the X11 display and initializes XTest.
+func NewX11InputInjector(display string) (*X11InputInjector, error) {
+	detectX11Display()
+
+	if display == "" {
+		display = os.Getenv("DISPLAY")
+	}
+	if display == "" {
+		return nil, fmt.Errorf("DISPLAY not set and no Xorg process found")
+	}
+
+	conn, err := xgb.NewConnDisplay(display)
+	if err != nil {
+		return nil, fmt.Errorf("connect to X11 display %s: %w", display, err)
+	}
+
+	if err := xtest.Init(conn); err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("init XTest extension: %w", err)
+	}
+
+	setup := xproto.Setup(conn)
+	if len(setup.Roots) == 0 {
+		conn.Close()
+		return nil, fmt.Errorf("no X11 screens")
+	}
+	screen := setup.Roots[0]
+
+	inj := &X11InputInjector{
+		conn:    conn,
+		root:    screen.Root,
+		screen:  &screen,
+		display: display,
+	}
+	inj.cacheKeyboardMapping()
+	inj.resolveClipboardTool()
+
+	log.Infof("X11 input injector ready (display=%s)", display)
+	return inj, nil
+}
+
+// InjectKey simulates a key press or release. keysym is an X11 KeySym.
+func (x *X11InputInjector) InjectKey(keysym uint32, down bool) {
+	keycode := x.keysymToKeycode(keysym)
+	if keycode == 0 {
+		return
+	}
+
+	var eventType byte
+	if down {
+		eventType = xproto.KeyPress
+	} else {
+		eventType = xproto.KeyRelease
+	}
+
+	xtest.FakeInput(x.conn, eventType, keycode, 0, x.root, 0, 0, 0)
+}
+
+// InjectPointer simulates mouse movement and button events.
+func (x *X11InputInjector) InjectPointer(buttonMask uint8, px, py, serverW, serverH int) {
+	if serverW == 0 || serverH == 0 {
+		return
+	}
+
+	// Scale to actual screen coordinates.
+	screenW := int(x.screen.WidthInPixels)
+	screenH := int(x.screen.HeightInPixels)
+	absX := px * screenW / serverW
+	absY := py * screenH / serverH
+
+	// Move pointer.
+	xtest.FakeInput(x.conn, xproto.MotionNotify, 0, 0, x.root, int16(absX), int16(absY), 0)
+
+	// Handle button events. RFB button mask: bit0=left, bit1=middle, bit2=right,
+	// bit3=scrollUp, bit4=scrollDown. X11 buttons: 1=left, 2=middle, 3=right,
+	// 4=scrollUp, 5=scrollDown.
+	type btnMap struct {
+		rfbBit uint8
+		x11Btn byte
+	}
+	buttons := [...]btnMap{
+		{0x01, 1}, // left
+		{0x02, 2}, // middle
+		{0x04, 3}, // right
+		{0x08, 4}, // scroll up
+		{0x10, 5}, // scroll down
+	}
+
+	for _, b := range buttons {
+		pressed := buttonMask&b.rfbBit != 0
+		wasPressed := x.lastButtons&b.rfbBit != 0
+		if b.x11Btn >= 4 {
+			// Scroll: send press+release on each scroll event.
+			if pressed {
+				xtest.FakeInput(x.conn, xproto.ButtonPress, b.x11Btn, 0, x.root, 0, 0, 0)
+				xtest.FakeInput(x.conn, xproto.ButtonRelease, b.x11Btn, 0, x.root, 0, 0, 0)
+			}
+		} else {
+			if pressed && !wasPressed {
+				xtest.FakeInput(x.conn, xproto.ButtonPress, b.x11Btn, 0, x.root, 0, 0, 0)
+			} else if !pressed && wasPressed {
+				xtest.FakeInput(x.conn, xproto.ButtonRelease, b.x11Btn, 0, x.root, 0, 0, 0)
+			}
+		}
+	}
+	x.lastButtons = buttonMask
+}
+
+// cacheKeyboardMapping fetches the X11 keyboard mapping once and stores it
+// as a keysym-to-keycode map, avoiding a round-trip per keystroke.
+func (x *X11InputInjector) cacheKeyboardMapping() {
+	setup := xproto.Setup(x.conn)
+	minKeycode := setup.MinKeycode
+	maxKeycode := setup.MaxKeycode
+
+	reply, err := xproto.GetKeyboardMapping(x.conn, minKeycode,
+		byte(maxKeycode-minKeycode+1)).Reply()
+	if err != nil {
+		log.Debugf("cache keyboard mapping: %v", err)
+		x.keysymMap = make(map[uint32]byte)
+		return
+	}
+
+	m := make(map[uint32]byte, int(maxKeycode-minKeycode+1)*int(reply.KeysymsPerKeycode))
+	keysymsPerKeycode := int(reply.KeysymsPerKeycode)
+	for i := int(minKeycode); i <= int(maxKeycode); i++ {
+		offset := (i - int(minKeycode)) * keysymsPerKeycode
+		for j := 0; j < keysymsPerKeycode; j++ {
+			ks := uint32(reply.Keysyms[offset+j])
+			if ks != 0 {
+				if _, exists := m[ks]; !exists {
+					m[ks] = byte(i)
+				}
+			}
+		}
+	}
+	x.keysymMap = m
+}
+
+// keysymToKeycode looks up a cached keysym-to-keycode mapping.
+// Returns 0 if the keysym is not mapped.
+func (x *X11InputInjector) keysymToKeycode(keysym uint32) byte {
+	return x.keysymMap[keysym]
+}
+
+// SetClipboard sets the X11 clipboard using xclip or xsel.
+func (x *X11InputInjector) SetClipboard(text string) {
+	if x.clipboardTool == "" {
+		return
+	}
+
+	var cmd *exec.Cmd
+	if x.clipboardToolName == "xclip" {
+		cmd = exec.Command(x.clipboardTool, "-selection", "clipboard")
+	} else {
+		cmd = exec.Command(x.clipboardTool, "--clipboard", "--input")
+	}
+	cmd.Env = x.clipboardEnv()
+	cmd.Stdin = strings.NewReader(text)
+	if err := cmd.Run(); err != nil {
+		log.Debugf("set clipboard via %s: %v", x.clipboardToolName, err)
+	}
+}
+
+func (x *X11InputInjector) resolveClipboardTool() {
+	for _, name := range []string{"xclip", "xsel"} {
+		path, err := exec.LookPath(name)
+		if err == nil {
+			x.clipboardTool = path
+			x.clipboardToolName = name
+			log.Debugf("clipboard tool resolved to %s", path)
+			return
+		}
+	}
+	log.Debugf("no clipboard tool (xclip/xsel) found, clipboard sync disabled")
+}
+
+// GetClipboard reads the X11 clipboard using xclip or xsel.
+func (x *X11InputInjector) GetClipboard() string {
+	if x.clipboardTool == "" {
+		return ""
+	}
+
+	var cmd *exec.Cmd
+	if x.clipboardToolName == "xclip" {
+		cmd = exec.Command(x.clipboardTool, "-selection", "clipboard", "-o")
+	} else {
+		cmd = exec.Command(x.clipboardTool, "--clipboard", "--output")
+	}
+	cmd.Env = x.clipboardEnv()
+	out, err := cmd.Output()
+	if err != nil {
+		log.Tracef("get clipboard via %s: %v", x.clipboardToolName, err)
+		return ""
+	}
+	return string(out)
+}
+
+func (x *X11InputInjector) clipboardEnv() []string {
+	env := []string{"DISPLAY=" + x.display}
+	if auth := os.Getenv("XAUTHORITY"); auth != "" {
+		env = append(env, "XAUTHORITY="+auth)
+	}
+	return env
+}
+
+// Close releases X11 resources.
+func (x *X11InputInjector) Close() {
+	x.conn.Close()
+}
+
+var _ InputInjector = (*X11InputInjector)(nil)
+var _ ScreenCapturer = (*X11Poller)(nil)

client/vnc/server/rfb.go

@@ -0,0 +1,264 @@
+package server
+
+import (
+	"bytes"
+	"compress/zlib"
+	"crypto/des"
+	"encoding/binary"
+	"image"
+)
+
+const (
+	rfbProtocolVersion = "RFB 003.008\n"
+
+	secNone    = 1
+	secVNCAuth = 2
+
+	// Client message types.
+	clientSetPixelFormat           = 0
+	clientSetEncodings             = 2
+	clientFramebufferUpdateRequest = 3
+	clientKeyEvent                 = 4
+	clientPointerEvent             = 5
+	clientCutText                  = 6
+
+	// Server message types.
+	serverFramebufferUpdate = 0
+	serverCutText           = 3
+
+	// Encoding types.
+	encRaw  = 0
+	encZlib = 6
+)
+
+// serverPixelFormat is the default pixel format advertised by the server:
+// 32bpp RGBA, big-endian, true-colour, 8 bits per channel.
+var serverPixelFormat = [16]byte{
+	32,      // bits-per-pixel
+	24,      // depth
+	1,       // big-endian-flag
+	1,       // true-colour-flag
+	0, 255,  // red-max
+	0, 255,  // green-max
+	0, 255,  // blue-max
+	16,      // red-shift
+	8,       // green-shift
+	0,       // blue-shift
+	0, 0, 0, // padding
+}
+
+// clientPixelFormat holds the negotiated pixel format from the client.
+type clientPixelFormat struct {
+	bpp       uint8
+	bigEndian uint8
+	rMax      uint16
+	gMax      uint16
+	bMax      uint16
+	rShift    uint8
+	gShift    uint8
+	bShift    uint8
+}
+
+func defaultClientPixelFormat() clientPixelFormat {
+	return clientPixelFormat{
+		bpp:       serverPixelFormat[0],
+		bigEndian: serverPixelFormat[2],
+		rMax:      binary.BigEndian.Uint16(serverPixelFormat[4:6]),
+		gMax:      binary.BigEndian.Uint16(serverPixelFormat[6:8]),
+		bMax:      binary.BigEndian.Uint16(serverPixelFormat[8:10]),
+		rShift:    serverPixelFormat[10],
+		gShift:    serverPixelFormat[11],
+		bShift:    serverPixelFormat[12],
+	}
+}
+
+func parsePixelFormat(pf []byte) clientPixelFormat {
+	return clientPixelFormat{
+		bpp:       pf[0],
+		bigEndian: pf[2],
+		rMax:      binary.BigEndian.Uint16(pf[4:6]),
+		gMax:      binary.BigEndian.Uint16(pf[6:8]),
+		bMax:      binary.BigEndian.Uint16(pf[8:10]),
+		rShift:    pf[10],
+		gShift:    pf[11],
+		bShift:    pf[12],
+	}
+}
+
+// encodeRawRect encodes a framebuffer region as a raw RFB rectangle.
+// The returned buffer includes the FramebufferUpdate header (1 rectangle).
+func encodeRawRect(img *image.RGBA, pf clientPixelFormat, x, y, w, h int) []byte {
+	bytesPerPixel := max(int(pf.bpp)/8, 1)
+
+	pixelBytes := w * h * bytesPerPixel
+	buf := make([]byte, 4+12+pixelBytes)
+
+	// FramebufferUpdate header.
+	buf[0] = serverFramebufferUpdate
+	buf[1] = 0 // padding
+	binary.BigEndian.PutUint16(buf[2:4], 1)
+
+	// Rectangle header.
+	binary.BigEndian.PutUint16(buf[4:6], uint16(x))
+	binary.BigEndian.PutUint16(buf[6:8], uint16(y))
+	binary.BigEndian.PutUint16(buf[8:10], uint16(w))
+	binary.BigEndian.PutUint16(buf[10:12], uint16(h))
+	binary.BigEndian.PutUint32(buf[12:16], uint32(encRaw))
+
+	off := 16
+	stride := img.Stride
+	for row := y; row < y+h; row++ {
+		for col := x; col < x+w; col++ {
+			p := row*stride + col*4
+			r, g, b := img.Pix[p], img.Pix[p+1], img.Pix[p+2]
+
+			rv := uint32(r) * uint32(pf.rMax) / 255
+			gv := uint32(g) * uint32(pf.gMax) / 255
+			bv := uint32(b) * uint32(pf.bMax) / 255
+			pixel := (rv << pf.rShift) | (gv << pf.gShift) | (bv << pf.bShift)
+
+			if pf.bigEndian != 0 {
+				for i := range bytesPerPixel {
+					buf[off+i] = byte(pixel >> uint((bytesPerPixel-1-i)*8))
+				}
+			} else {
+				for i := range bytesPerPixel {
+					buf[off+i] = byte(pixel >> uint(i*8))
+				}
+			}
+			off += bytesPerPixel
+		}
+	}
+
+	return buf
+}
+
+// vncAuthEncrypt encrypts a 16-byte challenge using the VNC DES scheme.
+func vncAuthEncrypt(challenge []byte, password string) []byte {
+	key := make([]byte, 8)
+	for i, c := range []byte(password) {
+		if i >= 8 {
+			break
+		}
+		key[i] = reverseBits(c)
+	}
+	block, _ := des.NewCipher(key)
+	out := make([]byte, 16)
+	block.Encrypt(out[:8], challenge[:8])
+	block.Encrypt(out[8:], challenge[8:])
+	return out
+}
+
+func reverseBits(b byte) byte {
+	var r byte
+	for range 8 {
+		r = (r << 1) | (b & 1)
+		b >>= 1
+	}
+	return r
+}
+
+// encodeZlibRect encodes a framebuffer region using Zlib compression.
+// The zlib stream is continuous for the entire VNC session: noVNC creates
+// one inflate context at startup and reuses it for all zlib-encoded rects.
+// We must NOT reset the zlib writer between calls.
+func encodeZlibRect(img *image.RGBA, pf clientPixelFormat, x, y, w, h int, zw *zlib.Writer, zbuf *bytes.Buffer) []byte {
+	bytesPerPixel := max(int(pf.bpp)/8, 1)
+
+	// Clear the output buffer but keep the deflate dictionary intact.
+	zbuf.Reset()
+
+	stride := img.Stride
+	pixel := make([]byte, bytesPerPixel)
+	for row := y; row < y+h; row++ {
+		for col := x; col < x+w; col++ {
+			p := row*stride + col*4
+			r, g, b := img.Pix[p], img.Pix[p+1], img.Pix[p+2]
+
+			rv := uint32(r) * uint32(pf.rMax) / 255
+			gv := uint32(g) * uint32(pf.gMax) / 255
+			bv := uint32(b) * uint32(pf.bMax) / 255
+			val := (rv << pf.rShift) | (gv << pf.gShift) | (bv << pf.bShift)
+
+			if pf.bigEndian != 0 {
+				for i := range bytesPerPixel {
+					pixel[i] = byte(val >> uint((bytesPerPixel-1-i)*8))
+				}
+			} else {
+				for i := range bytesPerPixel {
+					pixel[i] = byte(val >> uint(i*8))
+				}
+			}
+			zw.Write(pixel)
+		}
+	}
+	zw.Flush()
+
+	compressed := zbuf.Bytes()
+
+	// Build the FramebufferUpdate message.
+	buf := make([]byte, 4+12+4+len(compressed))
+	buf[0] = serverFramebufferUpdate
+	buf[1] = 0
+	binary.BigEndian.PutUint16(buf[2:4], 1) // 1 rectangle
+
+	binary.BigEndian.PutUint16(buf[4:6], uint16(x))
+	binary.BigEndian.PutUint16(buf[6:8], uint16(y))
+	binary.BigEndian.PutUint16(buf[8:10], uint16(w))
+	binary.BigEndian.PutUint16(buf[10:12], uint16(h))
+	binary.BigEndian.PutUint32(buf[12:16], uint32(encZlib))
+	binary.BigEndian.PutUint32(buf[16:20], uint32(len(compressed)))
+	copy(buf[20:], compressed)
+
+	return buf
+}
+
+// diffRects compares two RGBA images and returns a list of dirty rectangles.
+// Divides the screen into tiles and checks each for changes.
+func diffRects(prev, cur *image.RGBA, w, h, tileSize int) [][4]int {
+	if prev == nil {
+		return [][4]int{{0, 0, w, h}}
+	}
+
+	var rects [][4]int
+	for ty := 0; ty < h; ty += tileSize {
+		th := min(tileSize, h-ty)
+		for tx := 0; tx < w; tx += tileSize {
+			tw := min(tileSize, w-tx)
+			if tileChanged(prev, cur, tx, ty, tw, th) {
+				rects = append(rects, [4]int{tx, ty, tw, th})
+			}
+		}
+	}
+	return rects
+}
+
+func tileChanged(prev, cur *image.RGBA, x, y, w, h int) bool {
+	stride := prev.Stride
+	for row := y; row < y+h; row++ {
+		off := row*stride + x*4
+		end := off + w*4
+		prevRow := prev.Pix[off:end]
+		curRow := cur.Pix[off:end]
+		if !bytes.Equal(prevRow, curRow) {
+			return true
+		}
+	}
+	return false
+}
+
+// zlibState holds the persistent zlib writer and buffer for a session.
+type zlibState struct {
+	buf *bytes.Buffer
+	w   *zlib.Writer
+}
+
+func newZlibState() *zlibState {
+	buf := &bytes.Buffer{}
+	w, _ := zlib.NewWriterLevel(buf, zlib.BestSpeed)
+	return &zlibState{buf: buf, w: w}
+}
+
+func (z *zlibState) Close() error {
+	return z.w.Close()
+}

client/vnc/server/server.go

@@ -0,0 +1,605 @@
+package server
+
+import (
+	"context"
+	"crypto/subtle"
+	"encoding/binary"
+	"encoding/hex"
+	"fmt"
+	"image"
+	"io"
+	"net"
+	"net/netip"
+	"sync"
+	"time"
+
+	gojwt "github.com/golang-jwt/jwt/v5"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/tun/netstack"
+
+	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
+	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
+)
+
+// Connection modes sent by the client in the session header.
+const (
+	ModeAttach  byte = 0 // Capture current display
+	ModeSession byte = 1 // Virtual session as specified user
+)
+
+// ScreenCapturer grabs desktop frames for the VNC server.
+type ScreenCapturer interface {
+	// Width returns the current screen width in pixels.
+	Width() int
+	// Height returns the current screen height in pixels.
+	Height() int
+	// Capture returns the current desktop as an RGBA image.
+	Capture() (*image.RGBA, error)
+}
+
+// InputInjector delivers keyboard and mouse events to the OS.
+type InputInjector interface {
+	// InjectKey simulates a key press or release. keysym is an X11 KeySym.
+	InjectKey(keysym uint32, down bool)
+	// InjectPointer simulates mouse movement and button state.
+	InjectPointer(buttonMask uint8, x, y, serverW, serverH int)
+	// SetClipboard sets the system clipboard to the given text.
+	SetClipboard(text string)
+	// GetClipboard returns the current system clipboard text.
+	GetClipboard() string
+}
+
+// JWTConfig holds JWT validation configuration for VNC auth.
+type JWTConfig struct {
+	Issuer       string
+	KeysLocation string
+	MaxTokenAge  int64
+	Audiences    []string
+}
+
+// connectionHeader is sent by the client before the RFB handshake to specify
+// the VNC session mode and authenticate.
+type connectionHeader struct {
+	mode      byte
+	username  string
+	jwt       string
+	sessionID uint32 // Windows session ID (0 = console/auto)
+}
+
+// Server is the embedded VNC server that listens on the WireGuard interface.
+// It supports two operating modes:
+//   - Direct mode: captures the screen and handles VNC sessions in-process.
+//     Used when running in a user session with desktop access.
+//   - Service mode: proxies VNC connections to an agent process spawned in
+//     the active console session. Used when running as a Windows service in
+//     Session 0.
+//
+// Within direct mode, each connection can request one of two session modes
+// via the connection header:
+//   - Attach: capture the current physical display.
+//   - Session: start a virtual Xvfb display as the requested user.
+type Server struct {
+	capturer    ScreenCapturer
+	injector    InputInjector
+	password    string
+	serviceMode bool
+	disableAuth bool
+	localAddr   netip.Addr   // NetBird WireGuard IP this server is bound to
+	network     netip.Prefix // NetBird overlay network
+	log         *log.Entry
+
+	mu           sync.Mutex
+	listener     net.Listener
+	ctx          context.Context
+	cancel       context.CancelFunc
+	vmgr         virtualSessionManager
+	jwtConfig    *JWTConfig
+	jwtValidator *nbjwt.Validator
+	jwtExtractor *nbjwt.ClaimsExtractor
+	authorizer   *sshauth.Authorizer
+	netstackNet  *netstack.Net
+	agentToken   []byte // raw token bytes for agent-mode auth
+}
+
+// vncSession provides capturer and injector for a virtual display session.
+type vncSession interface {
+	Capturer() ScreenCapturer
+	Injector() InputInjector
+	Display() string
+	ClientConnect()
+	ClientDisconnect()
+}
+
+// virtualSessionManager is implemented by sessionManager on Linux.
+type virtualSessionManager interface {
+	GetOrCreate(username string) (vncSession, error)
+	StopAll()
+}
+
+// New creates a VNC server with the given screen capturer and input injector.
+func New(capturer ScreenCapturer, injector InputInjector, password string) *Server {
+	return &Server{
+		capturer:   capturer,
+		injector:   injector,
+		password:   password,
+		authorizer: sshauth.NewAuthorizer(),
+		log:        log.WithField("component", "vnc-server"),
+	}
+}
+
+// SetServiceMode enables proxy-to-agent mode for Windows service operation.
+func (s *Server) SetServiceMode(enabled bool) {
+	s.serviceMode = enabled
+}
+
+// SetJWTConfig configures JWT authentication for VNC connections.
+// Pass nil to disable JWT (public mode).
+func (s *Server) SetJWTConfig(config *JWTConfig) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.jwtConfig = config
+	s.jwtValidator = nil
+	s.jwtExtractor = nil
+}
+
+// SetDisableAuth disables authentication entirely.
+func (s *Server) SetDisableAuth(disable bool) {
+	s.disableAuth = disable
+}
+
+// SetAgentToken sets a hex-encoded token that must be presented by incoming
+// connections before any VNC data. Used in agent mode to verify that only the
+// trusted service process connects.
+func (s *Server) SetAgentToken(hexToken string) {
+	if hexToken == "" {
+		return
+	}
+	b, err := hex.DecodeString(hexToken)
+	if err != nil {
+		s.log.Warnf("invalid agent token: %v", err)
+		return
+	}
+	s.agentToken = b
+}
+
+// SetNetstackNet sets the netstack network for userspace-only listening.
+// When set, the VNC server listens via netstack instead of a real OS socket.
+func (s *Server) SetNetstackNet(n *netstack.Net) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.netstackNet = n
+}
+
+// UpdateVNCAuth updates the fine-grained authorization configuration.
+func (s *Server) UpdateVNCAuth(config *sshauth.Config) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.jwtValidator = nil
+	s.jwtExtractor = nil
+	s.authorizer.Update(config)
+}
+
+// Start begins listening for VNC connections on the given address.
+// network is the NetBird overlay prefix used to validate connection sources.
+func (s *Server) Start(ctx context.Context, addr netip.AddrPort, network netip.Prefix) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.listener != nil {
+		return fmt.Errorf("server already running")
+	}
+
+	s.ctx, s.cancel = context.WithCancel(ctx)
+	s.vmgr = s.platformSessionManager()
+	s.localAddr = addr.Addr()
+	s.network = network
+
+	var listener net.Listener
+	var listenDesc string
+	if s.netstackNet != nil {
+		ln, err := s.netstackNet.ListenTCPAddrPort(addr)
+		if err != nil {
+			return fmt.Errorf("listen on netstack %s: %w", addr, err)
+		}
+		listener = ln
+		listenDesc = fmt.Sprintf("netstack %s", addr)
+	} else {
+		tcpAddr := net.TCPAddrFromAddrPort(addr)
+		ln, err := net.ListenTCP("tcp", tcpAddr)
+		if err != nil {
+			return fmt.Errorf("listen on %s: %w", addr, err)
+		}
+		listener = ln
+		listenDesc = addr.String()
+	}
+	s.listener = listener
+
+	if s.serviceMode {
+		s.platformInit()
+	}
+
+	if s.serviceMode {
+		go s.serviceAcceptLoop()
+	} else {
+		go s.acceptLoop()
+	}
+
+	s.log.Infof("started on %s (service_mode=%v)", listenDesc, s.serviceMode)
+	return nil
+}
+
+// Stop shuts down the server and closes all connections.
+func (s *Server) Stop() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.cancel != nil {
+		s.cancel()
+		s.cancel = nil
+	}
+
+	if s.vmgr != nil {
+		s.vmgr.StopAll()
+	}
+
+	if c, ok := s.capturer.(interface{ Close() }); ok {
+		c.Close()
+	}
+
+	if s.listener != nil {
+		err := s.listener.Close()
+		s.listener = nil
+		if err != nil {
+			return fmt.Errorf("close VNC listener: %w", err)
+		}
+	}
+
+	s.log.Info("stopped")
+	return nil
+}
+
+// acceptLoop handles VNC connections directly (user session mode).
+func (s *Server) acceptLoop() {
+	for {
+		conn, err := s.listener.Accept()
+		if err != nil {
+			select {
+			case <-s.ctx.Done():
+				return
+			default:
+			}
+			s.log.Debugf("accept VNC connection: %v", err)
+			continue
+		}
+
+		go s.handleConnection(conn)
+	}
+}
+
+func (s *Server) validateCapturer(cap ScreenCapturer) error {
+	// Quick check first: if already ready, return immediately.
+	if cap.Width() > 0 && cap.Height() > 0 {
+		return nil
+	}
+	// Wait up to 5s for the capturer to become ready.
+	for range 50 {
+		time.Sleep(100 * time.Millisecond)
+		if cap.Width() > 0 && cap.Height() > 0 {
+			return nil
+		}
+	}
+	return fmt.Errorf("no display available (X11 not running or screen recording not permitted)")
+}
+
+// isAllowedSource rejects connections from outside the NetBird overlay network
+// and from the local WireGuard IP (prevents local privilege escalation).
+// Matches the SSH server's connectionValidator logic.
+func (s *Server) isAllowedSource(addr net.Addr) bool {
+	tcpAddr, ok := addr.(*net.TCPAddr)
+	if !ok {
+		s.log.Warnf("connection rejected: non-TCP address %s", addr)
+		return false
+	}
+
+	remoteIP, ok := netip.AddrFromSlice(tcpAddr.IP)
+	if !ok {
+		s.log.Warnf("connection rejected: invalid remote IP %s", tcpAddr.IP)
+		return false
+	}
+	remoteIP = remoteIP.Unmap()
+
+	if remoteIP.IsLoopback() && s.localAddr.IsLoopback() {
+		return true
+	}
+
+	if remoteIP == s.localAddr {
+		s.log.Warnf("connection rejected from own IP %s", remoteIP)
+		return false
+	}
+
+	if s.network.IsValid() && !s.network.Contains(remoteIP) {
+		s.log.Warnf("connection rejected from non-NetBird IP %s", remoteIP)
+		return false
+	}
+
+	return true
+}
+
+func (s *Server) handleConnection(conn net.Conn) {
+	connLog := s.log.WithField("remote", conn.RemoteAddr().String())
+
+	if !s.isAllowedSource(conn.RemoteAddr()) {
+		conn.Close()
+		return
+	}
+
+	if len(s.agentToken) > 0 {
+		buf := make([]byte, len(s.agentToken))
+		if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
+			connLog.Debugf("set agent token deadline: %v", err)
+			conn.Close()
+			return
+		}
+		if _, err := io.ReadFull(conn, buf); err != nil {
+			connLog.Warnf("agent auth: read token: %v", err)
+			conn.Close()
+			return
+		}
+		conn.SetReadDeadline(time.Time{}) //nolint:errcheck
+		if subtle.ConstantTimeCompare(buf, s.agentToken) != 1 {
+			connLog.Warn("agent auth: invalid token, rejecting")
+			conn.Close()
+			return
+		}
+	}
+
+	header, err := readConnectionHeader(conn)
+	if err != nil {
+		connLog.Warnf("read connection header: %v", err)
+		conn.Close()
+		return
+	}
+
+	if !s.disableAuth {
+		if s.jwtConfig == nil {
+			rejectConnection(conn, "auth enabled but no identity provider configured")
+			connLog.Warn("auth rejected: no identity provider configured")
+			return
+		}
+		jwtUserID, err := s.authenticateJWT(header)
+		if err != nil {
+			rejectConnection(conn, fmt.Sprintf("auth: %v", err))
+			connLog.Warnf("auth rejected: %v", err)
+			return
+		}
+		connLog = connLog.WithField("jwt_user", jwtUserID)
+	}
+
+	var capturer ScreenCapturer
+	var injector InputInjector
+
+	switch header.mode {
+	case ModeSession:
+		if s.vmgr == nil {
+			rejectConnection(conn, "virtual sessions not supported on this platform")
+			connLog.Warn("session rejected: not supported on this platform")
+			return
+		}
+		if header.username == "" {
+			rejectConnection(conn, "session mode requires a username")
+			connLog.Warn("session rejected: no username provided")
+			return
+		}
+		vs, err := s.vmgr.GetOrCreate(header.username)
+		if err != nil {
+			rejectConnection(conn, fmt.Sprintf("create virtual session: %v", err))
+			connLog.Warnf("create virtual session for %s: %v", header.username, err)
+			return
+		}
+		capturer = vs.Capturer()
+		injector = vs.Injector()
+		vs.ClientConnect()
+		defer vs.ClientDisconnect()
+		connLog = connLog.WithField("vnc_user", header.username)
+		connLog.Infof("session mode: user=%s display=%s", header.username, vs.Display())
+
+	default:
+		capturer = s.capturer
+		injector = s.injector
+		if cc, ok := capturer.(interface{ ClientConnect() }); ok {
+			cc.ClientConnect()
+		}
+		defer func() {
+			if cd, ok := capturer.(interface{ ClientDisconnect() }); ok {
+				cd.ClientDisconnect()
+			}
+		}()
+	}
+
+	if err := s.validateCapturer(capturer); err != nil {
+		rejectConnection(conn, fmt.Sprintf("screen capturer: %v", err))
+		connLog.Warnf("capturer not ready: %v", err)
+		return
+	}
+
+	sess := &session{
+		conn:     conn,
+		capturer: capturer,
+		injector: injector,
+		serverW:  capturer.Width(),
+		serverH:  capturer.Height(),
+		password: s.password,
+		log:      connLog,
+	}
+	sess.serve()
+}
+
+// rejectConnection sends a minimal RFB handshake with a security failure
+// reason, so VNC clients display the error message instead of a generic
+// "unexpected disconnect."
+func rejectConnection(conn net.Conn, reason string) {
+	defer conn.Close()
+	// RFB 3.8 server version.
+	io.WriteString(conn, "RFB 003.008\n")
+	// Read client version (12 bytes), ignore errors.
+	var clientVer [12]byte
+	conn.SetReadDeadline(time.Now().Add(2 * time.Second))
+	io.ReadFull(conn, clientVer[:])
+	conn.SetReadDeadline(time.Time{})
+	// Send 0 security types = connection failed, followed by reason.
+	msg := []byte(reason)
+	buf := make([]byte, 1+4+len(msg))
+	buf[0] = 0 // 0 security types = failure
+	binary.BigEndian.PutUint32(buf[1:5], uint32(len(msg)))
+	copy(buf[5:], msg)
+	conn.Write(buf)
+}
+
+const defaultJWTMaxTokenAge = 10 * 60 // 10 minutes
+
+// authenticateJWT validates the JWT from the connection header and checks
+// authorization. For attach mode, just checks membership in the authorized
+// user list. For session mode, additionally validates the OS user mapping.
+func (s *Server) authenticateJWT(header *connectionHeader) (string, error) {
+	if header.jwt == "" {
+		return "", fmt.Errorf("JWT required but not provided")
+	}
+
+	s.mu.Lock()
+	if err := s.ensureJWTValidator(); err != nil {
+		s.mu.Unlock()
+		return "", fmt.Errorf("initialize JWT validator: %w", err)
+	}
+	validator := s.jwtValidator
+	extractor := s.jwtExtractor
+	s.mu.Unlock()
+
+	token, err := validator.ValidateAndParse(context.Background(), header.jwt)
+	if err != nil {
+		return "", fmt.Errorf("validate JWT: %w", err)
+	}
+
+	if err := s.checkTokenAge(token); err != nil {
+		return "", err
+	}
+
+	userAuth, err := extractor.ToUserAuth(token)
+	if err != nil {
+		return "", fmt.Errorf("extract user from JWT: %w", err)
+	}
+	if userAuth.UserId == "" {
+		return "", fmt.Errorf("JWT has no user ID")
+	}
+
+	switch header.mode {
+	case ModeSession:
+		// Session mode: check user + OS username mapping.
+		if _, err := s.authorizer.Authorize(userAuth.UserId, header.username); err != nil {
+			return "", fmt.Errorf("authorize session for %s: %w", header.username, err)
+		}
+	default:
+		// Attach mode: just check user is in the authorized list (wildcard OS user).
+		if _, err := s.authorizer.Authorize(userAuth.UserId, "*"); err != nil {
+			return "", fmt.Errorf("user not authorized for VNC: %w", err)
+		}
+	}
+
+	return userAuth.UserId, nil
+}
+
+// ensureJWTValidator lazily initializes the JWT validator. Must be called with mu held.
+func (s *Server) ensureJWTValidator() error {
+	if s.jwtValidator != nil && s.jwtExtractor != nil {
+		return nil
+	}
+	if s.jwtConfig == nil {
+		return fmt.Errorf("no JWT config")
+	}
+
+	s.jwtValidator = nbjwt.NewValidator(
+		s.jwtConfig.Issuer,
+		s.jwtConfig.Audiences,
+		s.jwtConfig.KeysLocation,
+		false,
+	)
+
+	opts := []nbjwt.ClaimsExtractorOption{nbjwt.WithAudience(s.jwtConfig.Audiences[0])}
+	if claim := s.authorizer.GetUserIDClaim(); claim != "" {
+		opts = append(opts, nbjwt.WithUserIDClaim(claim))
+	}
+	s.jwtExtractor = nbjwt.NewClaimsExtractor(opts...)
+
+	return nil
+}
+
+func (s *Server) checkTokenAge(token *gojwt.Token) error {
+	maxAge := defaultJWTMaxTokenAge
+	if s.jwtConfig != nil && s.jwtConfig.MaxTokenAge > 0 {
+		maxAge = int(s.jwtConfig.MaxTokenAge)
+	}
+	return nbjwt.CheckTokenAge(token, time.Duration(maxAge)*time.Second)
+}
+
+// readConnectionHeader reads the NetBird VNC session header from the connection.
+// Format: [mode: 1 byte] [username_len: 2 bytes BE] [username: N bytes]
+//
+//	[jwt_len: 2 bytes BE] [jwt: N bytes]
+//
+// Uses a short timeout: our WASM proxy sends the header immediately after
+// connecting. Standard VNC clients don't send anything first (server speaks
+// first in RFB), so they time out and get the default attach mode.
+func readConnectionHeader(conn net.Conn) (*connectionHeader, error) {
+	if err := conn.SetReadDeadline(time.Now().Add(2 * time.Second)); err != nil {
+		return nil, fmt.Errorf("set deadline: %w", err)
+	}
+	defer conn.SetReadDeadline(time.Time{}) //nolint:errcheck
+
+	var hdr [3]byte
+	if _, err := io.ReadFull(conn, hdr[:]); err != nil {
+		// Timeout or error: assume no header, use attach mode.
+		return &connectionHeader{mode: ModeAttach}, nil
+	}
+
+	// Restore a longer deadline for reading variable-length fields.
+	if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
+		return nil, fmt.Errorf("set deadline: %w", err)
+	}
+
+	mode := hdr[0]
+	usernameLen := binary.BigEndian.Uint16(hdr[1:3])
+
+	var username string
+	if usernameLen > 0 {
+		if usernameLen > 256 {
+			return nil, fmt.Errorf("username too long: %d", usernameLen)
+		}
+		buf := make([]byte, usernameLen)
+		if _, err := io.ReadFull(conn, buf); err != nil {
+			return nil, fmt.Errorf("read username: %w", err)
+		}
+		username = string(buf)
+	}
+
+	// Read JWT token length and data.
+	var jwtLenBuf [2]byte
+	var jwtToken string
+	if _, err := io.ReadFull(conn, jwtLenBuf[:]); err == nil {
+		jwtLen := binary.BigEndian.Uint16(jwtLenBuf[:])
+		if jwtLen > 0 && jwtLen < 8192 {
+			buf := make([]byte, jwtLen)
+			if _, err := io.ReadFull(conn, buf); err != nil {
+				return nil, fmt.Errorf("read JWT: %w", err)
+			}
+			jwtToken = string(buf)
+		}
+	}
+
+	// Read optional Windows session ID (4 bytes BE). Missing = 0 (console/auto).
+	var sessionID uint32
+	var sidBuf [4]byte
+	if _, err := io.ReadFull(conn, sidBuf[:]); err == nil {
+		sessionID = binary.BigEndian.Uint32(sidBuf[:])
+	}
+
+	return &connectionHeader{mode: mode, username: username, jwt: jwtToken, sessionID: sessionID}, nil
+}

client/vnc/server/server_darwin.go

@@ -0,0 +1,15 @@
+//go:build darwin && !ios
+
+package server
+
+func (s *Server) platformInit() {}
+
+// serviceAcceptLoop is not supported on macOS.
+func (s *Server) serviceAcceptLoop() {
+	s.log.Warn("service mode not supported on macOS, falling back to direct mode")
+	s.acceptLoop()
+}
+
+func (s *Server) platformSessionManager() virtualSessionManager {
+	return nil
+}

client/vnc/server/server_stub.go

@@ -0,0 +1,15 @@
+//go:build !windows && !darwin && !freebsd && !(linux && !android)
+
+package server
+
+func (s *Server) platformInit() {}
+
+// serviceAcceptLoop is not supported on non-Windows platforms.
+func (s *Server) serviceAcceptLoop() {
+	s.log.Warn("service mode not supported on this platform, falling back to direct mode")
+	s.acceptLoop()
+}
+
+func (s *Server) platformSessionManager() virtualSessionManager {
+	return nil
+}

client/vnc/server/server_test.go

@@ -0,0 +1,136 @@
+package server
+
+import (
+	"encoding/binary"
+	"image"
+	"io"
+	"net"
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// testCapturer returns a 100x100 image for test sessions.
+type testCapturer struct{}
+
+func (t *testCapturer) Width() int                      { return 100 }
+func (t *testCapturer) Height() int                     { return 100 }
+func (t *testCapturer) Capture() (*image.RGBA, error)   { return image.NewRGBA(image.Rect(0, 0, 100, 100)), nil }
+
+func startTestServer(t *testing.T, disableAuth bool, jwtConfig *JWTConfig) (net.Addr, *Server) {
+	t.Helper()
+
+	srv := New(&testCapturer{}, &StubInputInjector{}, "")
+	srv.SetDisableAuth(disableAuth)
+	if jwtConfig != nil {
+		srv.SetJWTConfig(jwtConfig)
+	}
+
+	addr := netip.MustParseAddrPort("127.0.0.1:0")
+	network := netip.MustParsePrefix("127.0.0.0/8")
+	require.NoError(t, srv.Start(t.Context(), addr, network))
+	// Override local address so source validation doesn't reject 127.0.0.1 as "own IP".
+	srv.localAddr = netip.MustParseAddr("10.99.99.1")
+	t.Cleanup(func() { _ = srv.Stop() })
+
+	return srv.listener.Addr(), srv
+}
+
+func TestAuthEnabled_NoJWTConfig_RejectsConnection(t *testing.T) {
+	addr, _ := startTestServer(t, false, nil)
+
+	conn, err := net.Dial("tcp", addr.String())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Send session header: attach mode, no username, no JWT.
+	header := []byte{ModeAttach, 0, 0, 0, 0}
+	_, err = conn.Write(header)
+	require.NoError(t, err)
+
+	// Server should send RFB version then security failure.
+	var version [12]byte
+	_, err = io.ReadFull(conn, version[:])
+	require.NoError(t, err)
+	assert.Equal(t, "RFB 003.008\n", string(version[:]))
+
+	// Write client version to proceed through handshake.
+	_, err = conn.Write(version[:])
+	require.NoError(t, err)
+
+	// Read security types: 0 means failure, followed by reason.
+	var numTypes [1]byte
+	_, err = io.ReadFull(conn, numTypes[:])
+	require.NoError(t, err)
+	assert.Equal(t, byte(0), numTypes[0], "should have 0 security types (failure)")
+
+	var reasonLen [4]byte
+	_, err = io.ReadFull(conn, reasonLen[:])
+	require.NoError(t, err)
+
+	reason := make([]byte, binary.BigEndian.Uint32(reasonLen[:]))
+	_, err = io.ReadFull(conn, reason)
+	require.NoError(t, err)
+	assert.Contains(t, string(reason), "identity provider", "rejection reason should mention missing IdP config")
+}
+
+func TestAuthDisabled_AllowsConnection(t *testing.T) {
+	addr, _ := startTestServer(t, true, nil)
+
+	conn, err := net.Dial("tcp", addr.String())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Send session header: attach mode, no username, no JWT.
+	header := []byte{ModeAttach, 0, 0, 0, 0}
+	_, err = conn.Write(header)
+	require.NoError(t, err)
+
+	// Server should send RFB version.
+	var version [12]byte
+	_, err = io.ReadFull(conn, version[:])
+	require.NoError(t, err)
+	assert.Equal(t, "RFB 003.008\n", string(version[:]))
+
+	// Write client version.
+	_, err = conn.Write(version[:])
+	require.NoError(t, err)
+
+	// Should get security types (not 0 = failure).
+	var numTypes [1]byte
+	_, err = io.ReadFull(conn, numTypes[:])
+	require.NoError(t, err)
+	assert.NotEqual(t, byte(0), numTypes[0], "should have at least one security type (auth disabled)")
+}
+
+func TestAuthEnabled_EmptyJWT_Rejected(t *testing.T) {
+	// Auth enabled with a (bogus) JWT config: connections without JWT should be rejected.
+	addr, _ := startTestServer(t, false, &JWTConfig{
+		Issuer:       "https://example.com",
+		KeysLocation: "https://example.com/.well-known/jwks.json",
+		Audiences:    []string{"test"},
+	})
+
+	conn, err := net.Dial("tcp", addr.String())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Send session header with empty JWT.
+	header := []byte{ModeAttach, 0, 0, 0, 0}
+	_, err = conn.Write(header)
+	require.NoError(t, err)
+
+	var version [12]byte
+	_, err = io.ReadFull(conn, version[:])
+	require.NoError(t, err)
+
+	_, err = conn.Write(version[:])
+	require.NoError(t, err)
+
+	var numTypes [1]byte
+	_, err = io.ReadFull(conn, numTypes[:])
+	require.NoError(t, err)
+	assert.Equal(t, byte(0), numTypes[0], "should reject with 0 security types")
+}

client/vnc/server/server_windows.go

@@ -0,0 +1,223 @@
+//go:build windows
+
+package server
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+	"golang.org/x/sys/windows/registry"
+)
+
+var (
+	sasDLL      = windows.NewLazySystemDLL("sas.dll")
+	procSendSAS = sasDLL.NewProc("SendSAS")
+
+	procConvertStringSecurityDescriptorToSecurityDescriptor = advapi32.NewProc("ConvertStringSecurityDescriptorToSecurityDescriptorW")
+)
+
+// sasSecurityAttributes builds a SECURITY_ATTRIBUTES that grants
+// EVENT_MODIFY_STATE only to the SYSTEM account, preventing unprivileged
+// local processes from triggering the Secure Attention Sequence.
+func sasSecurityAttributes() (*windows.SecurityAttributes, error) {
+	// SDDL: grant full access to SYSTEM (creates/waits) and EVENT_MODIFY_STATE
+	// to the interactive user (IU) so the VNC agent in the console session can
+	// signal it. Other local users and network users are denied.
+	sddl, err := windows.UTF16PtrFromString("D:(A;;GA;;;SY)(A;;0x0002;;;IU)")
+	if err != nil {
+		return nil, err
+	}
+	var sd uintptr
+	r, _, lerr := procConvertStringSecurityDescriptorToSecurityDescriptor.Call(
+		uintptr(unsafe.Pointer(sddl)),
+		1, // SDDL_REVISION_1
+		uintptr(unsafe.Pointer(&sd)),
+		0,
+	)
+	if r == 0 {
+		return nil, lerr
+	}
+	return &windows.SecurityAttributes{
+		Length:             uint32(unsafe.Sizeof(windows.SecurityAttributes{})),
+		SecurityDescriptor: (*windows.SECURITY_DESCRIPTOR)(unsafe.Pointer(sd)),
+		InheritHandle:      0,
+	}, nil
+}
+
+// enableSoftwareSAS sets the SoftwareSASGeneration registry key to allow
+// services to trigger the Secure Attention Sequence via SendSAS. Without this,
+// SendSAS silently does nothing on most Windows editions.
+func enableSoftwareSAS() {
+	key, _, err := registry.CreateKey(
+		registry.LOCAL_MACHINE,
+		`SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`,
+		registry.SET_VALUE,
+	)
+	if err != nil {
+		log.Warnf("open SoftwareSASGeneration registry key: %v", err)
+		return
+	}
+	defer key.Close()
+
+	if err := key.SetDWordValue("SoftwareSASGeneration", 1); err != nil {
+		log.Warnf("set SoftwareSASGeneration: %v", err)
+		return
+	}
+	log.Debug("SoftwareSASGeneration registry key set to 1 (services allowed)")
+}
+
+// startSASListener creates a named event with a restricted DACL and waits for
+// the VNC input injector to signal it. When signaled, it calls SendSAS(FALSE)
+// from Session 0 to trigger the Secure Attention Sequence (Ctrl+Alt+Del).
+// Only SYSTEM processes can open the event.
+func startSASListener() {
+	enableSoftwareSAS()
+	namePtr, err := windows.UTF16PtrFromString(sasEventName)
+	if err != nil {
+		log.Warnf("SAS listener UTF16: %v", err)
+		return
+	}
+	sa, err := sasSecurityAttributes()
+	if err != nil {
+		log.Warnf("build SAS security descriptor: %v", err)
+		return
+	}
+	ev, err := windows.CreateEvent(sa, 0, 0, namePtr)
+	if err != nil {
+		log.Warnf("SAS CreateEvent: %v", err)
+		return
+	}
+	log.Info("SAS listener ready (Session 0)")
+	go func() {
+		defer windows.CloseHandle(ev)
+		for {
+			ret, _ := windows.WaitForSingleObject(ev, windows.INFINITE)
+			if ret == windows.WAIT_OBJECT_0 {
+				r, _, sasErr := procSendSAS.Call(0) // FALSE = not from service desktop
+				if r == 0 {
+					log.Warnf("SendSAS: %v", sasErr)
+				} else {
+					log.Info("SendSAS called from Session 0")
+				}
+			}
+		}
+	}()
+}
+
+// enablePrivilege enables a named privilege on the current process token.
+func enablePrivilege(name string) error {
+	var token windows.Token
+	if err := windows.OpenProcessToken(windows.CurrentProcess(),
+		windows.TOKEN_ADJUST_PRIVILEGES|windows.TOKEN_QUERY, &token); err != nil {
+		return err
+	}
+	defer token.Close()
+
+	var luid windows.LUID
+	namePtr, _ := windows.UTF16PtrFromString(name)
+	if err := windows.LookupPrivilegeValue(nil, namePtr, &luid); err != nil {
+		return err
+	}
+	tp := windows.Tokenprivileges{PrivilegeCount: 1}
+	tp.Privileges[0].Luid = luid
+	tp.Privileges[0].Attributes = windows.SE_PRIVILEGE_ENABLED
+	return windows.AdjustTokenPrivileges(token, false, &tp, 0, nil, nil)
+}
+
+func (s *Server) platformSessionManager() virtualSessionManager {
+	return nil
+}
+
+// platformInit starts the SAS listener and enables privileges needed for
+// Session 0 operations (agent spawning, SendSAS).
+func (s *Server) platformInit() {
+	for _, priv := range []string{"SeTcbPrivilege", "SeAssignPrimaryTokenPrivilege"} {
+		if err := enablePrivilege(priv); err != nil {
+			log.Debugf("enable %s: %v", priv, err)
+		}
+	}
+	startSASListener()
+}
+
+// serviceAcceptLoop runs in Session 0. It validates source IP and
+// authenticates via JWT before proxying connections to the user-session agent.
+func (s *Server) serviceAcceptLoop() {
+
+	sm := newSessionManager(agentPort)
+	go sm.run()
+
+	log.Infof("service mode, proxying connections to agent on 127.0.0.1:%s", agentPort)
+
+	for {
+		conn, err := s.listener.Accept()
+		if err != nil {
+			select {
+			case <-s.ctx.Done():
+				sm.Stop()
+				return
+			default:
+			}
+			s.log.Debugf("accept VNC connection: %v", err)
+			continue
+		}
+
+		go s.handleServiceConnection(conn, sm)
+	}
+}
+
+// handleServiceConnection validates the source IP and JWT, then proxies
+// the connection (with header bytes replayed) to the agent.
+func (s *Server) handleServiceConnection(conn net.Conn, sm *sessionManager) {
+	connLog := s.log.WithField("remote", conn.RemoteAddr().String())
+
+	if !s.isAllowedSource(conn.RemoteAddr()) {
+		conn.Close()
+		return
+	}
+
+	var headerBuf bytes.Buffer
+	tee := io.TeeReader(conn, &headerBuf)
+	teeConn := &prefixConn{Reader: tee, Conn: conn}
+
+	header, err := readConnectionHeader(teeConn)
+	if err != nil {
+		connLog.Debugf("read connection header: %v", err)
+		conn.Close()
+		return
+	}
+
+	if !s.disableAuth {
+		if s.jwtConfig == nil {
+			rejectConnection(conn, "auth enabled but no identity provider configured")
+			connLog.Warn("auth rejected: no identity provider configured")
+			return
+		}
+		if _, err := s.authenticateJWT(header); err != nil {
+			rejectConnection(conn, fmt.Sprintf("auth: %v", err))
+			connLog.Warnf("auth rejected: %v", err)
+			return
+		}
+	}
+
+	// Replay buffered header bytes + remaining stream to the agent.
+	replayConn := &prefixConn{
+		Reader: io.MultiReader(&headerBuf, conn),
+		Conn:   conn,
+	}
+	proxyToAgent(replayConn, agentPort, sm.AuthToken())
+}
+
+// prefixConn wraps a net.Conn, overriding Read to use a different reader.
+type prefixConn struct {
+	io.Reader
+	net.Conn
+}
+
+func (p *prefixConn) Read(b []byte) (int, error) {
+	return p.Reader.Read(b)
+}

client/vnc/server/server_x11.go

@@ -0,0 +1,15 @@
+//go:build (linux && !android) || freebsd
+
+package server
+
+func (s *Server) platformInit() {}
+
+// serviceAcceptLoop is not supported on Linux.
+func (s *Server) serviceAcceptLoop() {
+	s.log.Warn("service mode not supported on Linux, falling back to direct mode")
+	s.acceptLoop()
+}
+
+func (s *Server) platformSessionManager() virtualSessionManager {
+	return newSessionManager(s.log)
+}

client/vnc/server/session.go

@@ -0,0 +1,443 @@
+package server
+
+import (
+	"bytes"
+	"crypto/rand"
+	"encoding/binary"
+	"fmt"
+	"image"
+	"io"
+	"net"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	readDeadline    = 60 * time.Second
+	maxCutTextBytes = 1 << 20 // 1 MiB
+)
+
+const tileSize = 64 // pixels per tile for dirty-rect detection
+
+type session struct {
+	conn     net.Conn
+	capturer ScreenCapturer
+	injector InputInjector
+	serverW  int
+	serverH  int
+	password string
+	log      *log.Entry
+
+	writeMu    sync.Mutex
+	pf         clientPixelFormat
+	useZlib    bool
+	zlib       *zlibState
+	prevFrame  *image.RGBA
+	idleFrames int
+}
+
+func (s *session) addr() string { return s.conn.RemoteAddr().String() }
+
+// serve runs the full RFB session lifecycle.
+func (s *session) serve() {
+	defer s.conn.Close()
+	s.pf = defaultClientPixelFormat()
+
+	if err := s.handshake(); err != nil {
+		s.log.Warnf("handshake with %s: %v", s.addr(), err)
+		return
+	}
+	s.log.Infof("client connected: %s", s.addr())
+
+	done := make(chan struct{})
+	defer close(done)
+	go s.clipboardPoll(done)
+
+	if err := s.messageLoop(); err != nil && err != io.EOF {
+		s.log.Warnf("client %s disconnected: %v", s.addr(), err)
+	} else {
+		s.log.Infof("client disconnected: %s", s.addr())
+	}
+}
+
+// clipboardPoll periodically checks the server-side clipboard and sends
+// changes to the VNC client. Only runs during active sessions.
+func (s *session) clipboardPoll(done <-chan struct{}) {
+	ticker := time.NewTicker(2 * time.Second)
+	defer ticker.Stop()
+
+	var lastClip string
+	for {
+		select {
+		case <-done:
+			return
+		case <-ticker.C:
+			text := s.injector.GetClipboard()
+			if len(text) > maxCutTextBytes {
+				text = text[:maxCutTextBytes]
+			}
+			if text != "" && text != lastClip {
+				lastClip = text
+				if err := s.sendServerCutText(text); err != nil {
+					s.log.Debugf("send clipboard to client: %v", err)
+					return
+				}
+			}
+		}
+	}
+}
+
+func (s *session) handshake() error {
+	// Send protocol version.
+	if _, err := io.WriteString(s.conn, rfbProtocolVersion); err != nil {
+		return fmt.Errorf("send version: %w", err)
+	}
+
+	// Read client version.
+	var clientVer [12]byte
+	if _, err := io.ReadFull(s.conn, clientVer[:]); err != nil {
+		return fmt.Errorf("read client version: %w", err)
+	}
+
+	// Send supported security types.
+	if err := s.sendSecurityTypes(); err != nil {
+		return err
+	}
+
+	// Read chosen security type.
+	var secType [1]byte
+	if _, err := io.ReadFull(s.conn, secType[:]); err != nil {
+		return fmt.Errorf("read security type: %w", err)
+	}
+
+	if err := s.handleSecurity(secType[0]); err != nil {
+		return err
+	}
+
+	// Read ClientInit.
+	var clientInit [1]byte
+	if _, err := io.ReadFull(s.conn, clientInit[:]); err != nil {
+		return fmt.Errorf("read ClientInit: %w", err)
+	}
+
+	return s.sendServerInit()
+}
+
+func (s *session) sendSecurityTypes() error {
+	if s.password == "" {
+		_, err := s.conn.Write([]byte{1, secNone})
+		return err
+	}
+	_, err := s.conn.Write([]byte{1, secVNCAuth})
+	return err
+}
+
+func (s *session) handleSecurity(secType byte) error {
+	switch secType {
+	case secVNCAuth:
+		return s.doVNCAuth()
+	case secNone:
+		return binary.Write(s.conn, binary.BigEndian, uint32(0))
+	default:
+		return fmt.Errorf("unsupported security type: %d", secType)
+	}
+}
+
+func (s *session) doVNCAuth() error {
+	challenge := make([]byte, 16)
+	if _, err := rand.Read(challenge); err != nil {
+		return fmt.Errorf("generate challenge: %w", err)
+	}
+	if _, err := s.conn.Write(challenge); err != nil {
+		return fmt.Errorf("send challenge: %w", err)
+	}
+
+	response := make([]byte, 16)
+	if _, err := io.ReadFull(s.conn, response); err != nil {
+		return fmt.Errorf("read auth response: %w", err)
+	}
+
+	var result uint32
+	if s.password != "" {
+		expected := vncAuthEncrypt(challenge, s.password)
+		if !bytes.Equal(expected, response) {
+			result = 1
+		}
+	}
+
+	if err := binary.Write(s.conn, binary.BigEndian, result); err != nil {
+		return fmt.Errorf("send auth result: %w", err)
+	}
+	if result != 0 {
+		msg := "authentication failed"
+		_ = binary.Write(s.conn, binary.BigEndian, uint32(len(msg)))
+		_, _ = s.conn.Write([]byte(msg))
+		return fmt.Errorf("authentication failed from %s", s.addr())
+	}
+	return nil
+}
+
+func (s *session) sendServerInit() error {
+	name := []byte("NetBird VNC")
+	buf := make([]byte, 0, 4+16+4+len(name))
+
+	// Framebuffer width and height.
+	buf = append(buf, byte(s.serverW>>8), byte(s.serverW))
+	buf = append(buf, byte(s.serverH>>8), byte(s.serverH))
+
+	// Server pixel format.
+	buf = append(buf, serverPixelFormat[:]...)
+
+	// Desktop name.
+	buf = append(buf,
+		byte(len(name)>>24), byte(len(name)>>16),
+		byte(len(name)>>8), byte(len(name)),
+	)
+	buf = append(buf, name...)
+
+	_, err := s.conn.Write(buf)
+	return err
+}
+
+func (s *session) messageLoop() error {
+	for {
+		var msgType [1]byte
+		if err := s.conn.SetDeadline(time.Now().Add(readDeadline)); err != nil {
+			return fmt.Errorf("set deadline: %w", err)
+		}
+		if _, err := io.ReadFull(s.conn, msgType[:]); err != nil {
+			return err
+		}
+		_ = s.conn.SetDeadline(time.Time{})
+
+		switch msgType[0] {
+		case clientSetPixelFormat:
+			if err := s.handleSetPixelFormat(); err != nil {
+				return err
+			}
+		case clientSetEncodings:
+			if err := s.handleSetEncodings(); err != nil {
+				return err
+			}
+		case clientFramebufferUpdateRequest:
+			if err := s.handleFBUpdateRequest(); err != nil {
+				return err
+			}
+		case clientKeyEvent:
+			if err := s.handleKeyEvent(); err != nil {
+				return err
+			}
+		case clientPointerEvent:
+			if err := s.handlePointerEvent(); err != nil {
+				return err
+			}
+		case clientCutText:
+			if err := s.handleCutText(); err != nil {
+				return err
+			}
+		default:
+			return fmt.Errorf("unknown client message type: %d", msgType[0])
+		}
+	}
+}
+
+func (s *session) handleSetPixelFormat() error {
+	var buf [19]byte // 3 padding + 16 pixel format
+	if _, err := io.ReadFull(s.conn, buf[:]); err != nil {
+		return fmt.Errorf("read SetPixelFormat: %w", err)
+	}
+	s.pf = parsePixelFormat(buf[3:19])
+	return nil
+}
+
+func (s *session) handleSetEncodings() error {
+	var header [3]byte // 1 padding + 2 number-of-encodings
+	if _, err := io.ReadFull(s.conn, header[:]); err != nil {
+		return fmt.Errorf("read SetEncodings header: %w", err)
+	}
+	numEnc := binary.BigEndian.Uint16(header[1:3])
+	buf := make([]byte, int(numEnc)*4)
+	if _, err := io.ReadFull(s.conn, buf); err != nil {
+		return err
+	}
+
+	// Check if client supports zlib encoding.
+	for i := range int(numEnc) {
+		enc := int32(binary.BigEndian.Uint32(buf[i*4 : i*4+4]))
+		if enc == encZlib {
+			s.useZlib = true
+			if s.zlib == nil {
+				s.zlib = newZlibState()
+			}
+			s.log.Debugf("client supports zlib encoding")
+			break
+		}
+	}
+	return nil
+}
+
+func (s *session) handleFBUpdateRequest() error {
+	var req [9]byte
+	if _, err := io.ReadFull(s.conn, req[:]); err != nil {
+		return fmt.Errorf("read FBUpdateRequest: %w", err)
+	}
+	incremental := req[0]
+
+	img, err := s.capturer.Capture()
+	if err != nil {
+		return fmt.Errorf("capture screen: %w", err)
+	}
+
+	if incremental == 1 && s.prevFrame != nil {
+		rects := diffRects(s.prevFrame, img, s.serverW, s.serverH, tileSize)
+		if len(rects) == 0 {
+			// Nothing changed. Back off briefly before responding to reduce
+			// CPU usage when the screen is static. The client re-requests
+			// immediately after receiving our empty response, so without
+			// this delay we'd spin at ~1000fps checking for changes.
+			s.idleFrames++
+			delay := min(s.idleFrames*5, 100) // 5ms → 100ms adaptive backoff
+			time.Sleep(time.Duration(delay) * time.Millisecond)
+			s.savePrevFrame(img)
+			return s.sendEmptyUpdate()
+		}
+		s.idleFrames = 0
+		s.savePrevFrame(img)
+		return s.sendDirtyRects(img, rects)
+	}
+
+	// Full update.
+	s.idleFrames = 0
+	s.savePrevFrame(img)
+	return s.sendFullUpdate(img)
+}
+
+// savePrevFrame copies img's pixel data into prevFrame. This is necessary
+// because some capturers (DXGI) reuse the same image buffer across calls,
+// so a simple pointer assignment would make prevFrame alias the live buffer
+// and diffRects would always see zero changes.
+func (s *session) savePrevFrame(img *image.RGBA) {
+	if s.prevFrame == nil || s.prevFrame.Rect != img.Rect {
+		s.prevFrame = image.NewRGBA(img.Rect)
+	}
+	copy(s.prevFrame.Pix, img.Pix)
+}
+
+// sendEmptyUpdate sends a FramebufferUpdate with zero rectangles.
+func (s *session) sendEmptyUpdate() error {
+	var buf [4]byte
+	buf[0] = serverFramebufferUpdate
+	s.writeMu.Lock()
+	_, err := s.conn.Write(buf[:])
+	s.writeMu.Unlock()
+	return err
+}
+
+func (s *session) sendFullUpdate(img *image.RGBA) error {
+	w, h := s.serverW, s.serverH
+
+	var buf []byte
+	if s.useZlib && s.zlib != nil {
+		buf = encodeZlibRect(img, s.pf, 0, 0, w, h, s.zlib.w, s.zlib.buf)
+	} else {
+		buf = encodeRawRect(img, s.pf, 0, 0, w, h)
+	}
+
+	s.writeMu.Lock()
+	_, err := s.conn.Write(buf)
+	s.writeMu.Unlock()
+	return err
+}
+
+func (s *session) sendDirtyRects(img *image.RGBA, rects [][4]int) error {
+	// Build a multi-rectangle FramebufferUpdate.
+	// Header: type(1) + padding(1) + numRects(2)
+	header := make([]byte, 4)
+	header[0] = serverFramebufferUpdate
+	binary.BigEndian.PutUint16(header[2:4], uint16(len(rects)))
+
+	s.writeMu.Lock()
+	defer s.writeMu.Unlock()
+
+	if _, err := s.conn.Write(header); err != nil {
+		return err
+	}
+
+	for _, r := range rects {
+		x, y, w, h := r[0], r[1], r[2], r[3]
+
+		var rectBuf []byte
+		if s.useZlib && s.zlib != nil {
+			rectBuf = encodeZlibRect(img, s.pf, x, y, w, h, s.zlib.w, s.zlib.buf)
+			// encodeZlibRect includes its own FBUpdate header for 1 rect.
+			// For multi-rect, we need just the rect data without the FBUpdate header.
+			// Skip the 4-byte FBUpdate header since we already sent ours.
+			rectBuf = rectBuf[4:]
+		} else {
+			rectBuf = encodeRawRect(img, s.pf, x, y, w, h)
+			rectBuf = rectBuf[4:] // skip FBUpdate header
+		}
+
+		if _, err := s.conn.Write(rectBuf); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *session) handleKeyEvent() error {
+	var data [7]byte
+	if _, err := io.ReadFull(s.conn, data[:]); err != nil {
+		return fmt.Errorf("read KeyEvent: %w", err)
+	}
+	down := data[0] == 1
+	keysym := binary.BigEndian.Uint32(data[3:7])
+	s.injector.InjectKey(keysym, down)
+	return nil
+}
+
+func (s *session) handlePointerEvent() error {
+	var data [5]byte
+	if _, err := io.ReadFull(s.conn, data[:]); err != nil {
+		return fmt.Errorf("read PointerEvent: %w", err)
+	}
+	buttonMask := data[0]
+	x := int(binary.BigEndian.Uint16(data[1:3]))
+	y := int(binary.BigEndian.Uint16(data[3:5]))
+	s.injector.InjectPointer(buttonMask, x, y, s.serverW, s.serverH)
+	return nil
+}
+
+func (s *session) handleCutText() error {
+	var header [7]byte // 3 padding + 4 length
+	if _, err := io.ReadFull(s.conn, header[:]); err != nil {
+		return fmt.Errorf("read CutText header: %w", err)
+	}
+	length := binary.BigEndian.Uint32(header[3:7])
+	if length > maxCutTextBytes {
+		return fmt.Errorf("cut text too large: %d bytes", length)
+	}
+	buf := make([]byte, length)
+	if _, err := io.ReadFull(s.conn, buf); err != nil {
+		return fmt.Errorf("read CutText payload: %w", err)
+	}
+	s.injector.SetClipboard(string(buf))
+	return nil
+}
+
+// sendServerCutText sends clipboard text from the server to the client.
+func (s *session) sendServerCutText(text string) error {
+	data := []byte(text)
+	buf := make([]byte, 8+len(data))
+	buf[0] = serverCutText
+	// buf[1:4] = padding (zero)
+	binary.BigEndian.PutUint32(buf[4:8], uint32(len(data)))
+	copy(buf[8:], data)
+
+	s.writeMu.Lock()
+	_, err := s.conn.Write(buf)
+	s.writeMu.Unlock()
+	return err
+}

client/vnc/server/shutdown_state.go

@@ -0,0 +1,79 @@
+//go:build !windows
+
+package server
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"syscall"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// ShutdownState tracks VNC virtual session processes for crash recovery.
+// Persisted by the state manager; on restart, residual processes are killed.
+type ShutdownState struct {
+	// Processes maps a description to its PID (e.g., "xvfb:50" -> 1234).
+	Processes map[string]int `json:"processes,omitempty"`
+}
+
+// Name returns the state name for the state manager.
+func (s *ShutdownState) Name() string {
+	return "vnc_sessions_state"
+}
+
+// Cleanup kills any residual VNC session processes left from a crash.
+func (s *ShutdownState) Cleanup() error {
+	if len(s.Processes) == 0 {
+		return nil
+	}
+
+	for desc, pid := range s.Processes {
+		if pid <= 0 {
+			continue
+		}
+		if !isOurProcess(pid, desc) {
+			log.Debugf("cleanup:skipping PID %d (%s), not ours", pid, desc)
+			continue
+		}
+		log.Infof("cleanup:killing residual process %d (%s)", pid, desc)
+		// Kill the process group (negative PID) to get children too.
+		if err := syscall.Kill(-pid, syscall.SIGTERM); err != nil {
+			// Try individual process if group kill fails.
+			syscall.Kill(pid, syscall.SIGKILL)
+		}
+	}
+
+	s.Processes = nil
+	return nil
+}
+
+// isOurProcess verifies the PID still belongs to a VNC-related process
+// by checking /proc/<pid>/cmdline (Linux) or the process name.
+func isOurProcess(pid int, desc string) bool {
+	// Check if the process exists at all.
+	if err := syscall.Kill(pid, 0); err != nil {
+		return false
+	}
+
+	// On Linux, verify via /proc cmdline.
+	cmdline, err := os.ReadFile(fmt.Sprintf("/proc/%d/cmdline", pid))
+	if err != nil {
+		// No /proc (FreeBSD): trust the PID if the process exists.
+		// PID reuse is unlikely in the short window between crash and restart.
+		return true
+	}
+
+	cmd := string(cmdline)
+	// Match against expected process types.
+	if strings.Contains(desc, "xvfb") || strings.Contains(desc, "xorg") {
+		return strings.Contains(cmd, "Xvfb") || strings.Contains(cmd, "Xorg")
+	}
+	if strings.Contains(desc, "desktop") {
+		return strings.Contains(cmd, "session") || strings.Contains(cmd, "plasma") ||
+			strings.Contains(cmd, "gnome") || strings.Contains(cmd, "xfce") ||
+			strings.Contains(cmd, "dbus-launch")
+	}
+	return false
+}

client/vnc/server/stubs.go

@@ -0,0 +1,37 @@
+package server
+
+import (
+	"fmt"
+	"image"
+)
+
+const maxCapturerRetries = 5
+
+// StubCapturer is a placeholder for platforms without screen capture support.
+type StubCapturer struct{}
+
+// Width returns 0 on unsupported platforms.
+func (c *StubCapturer) Width() int { return 0 }
+
+// Height returns 0 on unsupported platforms.
+func (c *StubCapturer) Height() int { return 0 }
+
+// Capture returns an error on unsupported platforms.
+func (c *StubCapturer) Capture() (*image.RGBA, error) {
+	return nil, fmt.Errorf("screen capture not supported on this platform")
+}
+
+// StubInputInjector is a placeholder for platforms without input injection support.
+type StubInputInjector struct{}
+
+// InjectKey is a no-op on unsupported platforms.
+func (s *StubInputInjector) InjectKey(_ uint32, _ bool) {}
+
+// InjectPointer is a no-op on unsupported platforms.
+func (s *StubInputInjector) InjectPointer(_ uint8, _, _, _, _ int) {}
+
+// SetClipboard is a no-op on unsupported platforms.
+func (s *StubInputInjector) SetClipboard(_ string) {}
+
+// GetClipboard returns empty on unsupported platforms.
+func (s *StubInputInjector) GetClipboard() string { return "" }

client/vnc/server/swizzle_windows.go

@@ -0,0 +1,19 @@
+//go:build windows
+
+package server
+
+import "unsafe"
+
+// swizzleBGRAtoRGBA swaps B and R channels in a BGRA pixel buffer in-place.
+// Operates on uint32 words for throughput: one read-modify-write per pixel.
+func swizzleBGRAtoRGBA(pix []byte) {
+	n := len(pix) / 4
+	pixels := unsafe.Slice((*uint32)(unsafe.Pointer(&pix[0])), n)
+	for i := range n {
+		p := pixels[i]
+		// p = 0xAABBGGRR (little-endian BGRA in memory: B,G,R,A bytes)
+		// We want 0xAABBGGRR -> 0xAARRGGBB (RGBA in memory: R,G,B,A bytes)
+		// Swap byte 0 (B) and byte 2 (R), keep byte 1 (G) and byte 3 (A).
+		pixels[i] = (p & 0xFF00FF00) | ((p & 0x00FF0000) >> 16) | ((p & 0x000000FF) << 16)
+	}
+}

client/vnc/server/virtual_x11.go

@@ -0,0 +1,634 @@
+//go:build (linux && !android) || freebsd
+
+package server
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// VirtualSession manages a virtual X11 display (Xvfb) with a desktop session
+// running as a target user. It implements ScreenCapturer and InputInjector by
+// delegating to an X11Capturer/X11InputInjector pointed at the virtual display.
+const sessionIdleTimeout = 5 * time.Minute
+
+type VirtualSession struct {
+	mu       sync.Mutex
+	display  string
+	user     *user.User
+	uid      uint32
+	gid      uint32
+	groups   []uint32
+	xvfb     *exec.Cmd
+	desktop  *exec.Cmd
+	poller   *X11Poller
+	injector *X11InputInjector
+	log      *log.Entry
+	stopped  bool
+	clients  int
+	idleTimer *time.Timer
+	onIdle   func() // called when idle timeout fires or Xvfb dies
+}
+
+// StartVirtualSession creates and starts a virtual X11 session for the given user.
+// Requires root privileges to create sessions as other users.
+func StartVirtualSession(username string, logger *log.Entry) (*VirtualSession, error) {
+	if os.Getuid() != 0 {
+		return nil, fmt.Errorf("virtual sessions require root privileges")
+	}
+
+	if _, err := exec.LookPath("Xvfb"); err != nil {
+		if _, err := exec.LookPath("Xorg"); err != nil {
+			return nil, fmt.Errorf("neither Xvfb nor Xorg found (install xvfb or xserver-xorg)")
+		}
+		if !hasDummyDriver() {
+			return nil, fmt.Errorf("Xvfb not found and Xorg dummy driver not installed (install xvfb or xf86-video-dummy)")
+		}
+	}
+
+	u, err := user.Lookup(username)
+	if err != nil {
+		return nil, fmt.Errorf("lookup user %s: %w", username, err)
+	}
+
+	uid, err := strconv.ParseUint(u.Uid, 10, 32)
+	if err != nil {
+		return nil, fmt.Errorf("parse uid: %w", err)
+	}
+	gid, err := strconv.ParseUint(u.Gid, 10, 32)
+	if err != nil {
+		return nil, fmt.Errorf("parse gid: %w", err)
+	}
+
+	groups, err := supplementaryGroups(u)
+	if err != nil {
+		logger.Debugf("supplementary groups for %s: %v", username, err)
+	}
+
+	vs := &VirtualSession{
+		user:   u,
+		uid:    uint32(uid),
+		gid:    uint32(gid),
+		groups: groups,
+		log:    logger.WithField("vnc_user", username),
+	}
+
+	if err := vs.start(); err != nil {
+		return nil, err
+	}
+	return vs, nil
+}
+
+func (vs *VirtualSession) start() error {
+	display, err := findFreeDisplay()
+	if err != nil {
+		return fmt.Errorf("find free display: %w", err)
+	}
+	vs.display = display
+
+	if err := vs.startXvfb(); err != nil {
+		return err
+	}
+
+	socketPath := fmt.Sprintf("/tmp/.X11-unix/X%s", vs.display[1:])
+	if err := waitForPath(socketPath, 5*time.Second); err != nil {
+		vs.stopXvfb()
+		return fmt.Errorf("wait for X11 socket %s: %w", socketPath, err)
+	}
+
+	// Grant the target user access to the display via xhost.
+	xhostCmd := exec.Command("xhost", "+SI:localuser:"+vs.user.Username)
+	xhostCmd.Env = []string{"DISPLAY=" + vs.display}
+	if out, err := xhostCmd.CombinedOutput(); err != nil {
+		vs.log.Debugf("xhost: %s (%v)", strings.TrimSpace(string(out)), err)
+	}
+
+	vs.poller = NewX11Poller(vs.display)
+
+	injector, err := NewX11InputInjector(vs.display)
+	if err != nil {
+		vs.stopXvfb()
+		return fmt.Errorf("create X11 injector for %s: %w", vs.display, err)
+	}
+	vs.injector = injector
+
+	if err := vs.startDesktop(); err != nil {
+		vs.injector.Close()
+		vs.stopXvfb()
+		return fmt.Errorf("start desktop: %w", err)
+	}
+
+	vs.log.Infof("virtual session started: display=%s user=%s", vs.display, vs.user.Username)
+	return nil
+}
+
+// ClientConnect increments the client count and cancels any idle timer.
+func (vs *VirtualSession) ClientConnect() {
+	vs.mu.Lock()
+	defer vs.mu.Unlock()
+	vs.clients++
+	if vs.idleTimer != nil {
+		vs.idleTimer.Stop()
+		vs.idleTimer = nil
+	}
+}
+
+// ClientDisconnect decrements the client count. When the last client
+// disconnects, starts an idle timer that destroys the session.
+func (vs *VirtualSession) ClientDisconnect() {
+	vs.mu.Lock()
+	defer vs.mu.Unlock()
+	vs.clients--
+	if vs.clients <= 0 {
+		vs.clients = 0
+		vs.log.Infof("no VNC clients connected, session will be destroyed in %s", sessionIdleTimeout)
+		vs.idleTimer = time.AfterFunc(sessionIdleTimeout, vs.idleExpired)
+	}
+}
+
+// idleExpired is called by the idle timer. It stops the session and
+// notifies the session manager via onIdle so it removes us from the map.
+func (vs *VirtualSession) idleExpired() {
+	vs.log.Info("idle timeout reached, destroying virtual session")
+	vs.Stop()
+	// onIdle acquires sessionManager.mu; safe because Stop() has released vs.mu.
+	if vs.onIdle != nil {
+		vs.onIdle()
+	}
+}
+
+// isAlive returns true if the session is running and its X server socket exists.
+func (vs *VirtualSession) isAlive() bool {
+	vs.mu.Lock()
+	stopped := vs.stopped
+	display := vs.display
+	vs.mu.Unlock()
+
+	if stopped {
+		return false
+	}
+	// Verify the X socket still exists on disk.
+	socketPath := fmt.Sprintf("/tmp/.X11-unix/X%s", display[1:])
+	if _, err := os.Stat(socketPath); err != nil {
+		return false
+	}
+	return true
+}
+
+// Capturer returns the screen capturer for this virtual session.
+func (vs *VirtualSession) Capturer() ScreenCapturer {
+	return vs.poller
+}
+
+// Injector returns the input injector for this virtual session.
+func (vs *VirtualSession) Injector() InputInjector {
+	return vs.injector
+}
+
+// Display returns the X11 display string (e.g., ":99").
+func (vs *VirtualSession) Display() string {
+	return vs.display
+}
+
+// Stop terminates the virtual session, killing the desktop and Xvfb.
+func (vs *VirtualSession) Stop() {
+	vs.mu.Lock()
+	defer vs.mu.Unlock()
+
+	if vs.stopped {
+		return
+	}
+	vs.stopped = true
+
+	if vs.injector != nil {
+		vs.injector.Close()
+	}
+
+	vs.stopDesktop()
+	vs.stopXvfb()
+
+	vs.log.Info("virtual session stopped")
+}
+
+func (vs *VirtualSession) startXvfb() error {
+	if _, err := exec.LookPath("Xvfb"); err == nil {
+		return vs.startXvfbDirect()
+	}
+	return vs.startXorgDummy()
+}
+
+func (vs *VirtualSession) startXvfbDirect() error {
+	vs.xvfb = exec.Command("Xvfb", vs.display,
+		"-screen", "0", "1280x800x24",
+		"-ac",
+		"-nolisten", "tcp",
+	)
+	vs.xvfb.SysProcAttr = &syscall.SysProcAttr{Setsid: true, Pdeathsig: syscall.SIGTERM}
+
+	if err := vs.xvfb.Start(); err != nil {
+		return fmt.Errorf("start Xvfb on %s: %w", vs.display, err)
+	}
+	vs.log.Infof("Xvfb started on %s (pid=%d)", vs.display, vs.xvfb.Process.Pid)
+
+	go vs.monitorXvfb()
+
+	return nil
+}
+
+// startXorgDummy starts Xorg with the dummy video driver as a fallback when
+// Xvfb is not installed. Most systems with a desktop have Xorg available.
+func (vs *VirtualSession) startXorgDummy() error {
+	confPath := fmt.Sprintf("/tmp/nbvnc-dummy-%s.conf", vs.display[1:])
+	conf := `Section "Device"
+    Identifier "dummy"
+    Driver "dummy"
+    VideoRam 256000
+EndSection
+Section "Screen"
+    Identifier "screen"
+    Device "dummy"
+    DefaultDepth 24
+    SubSection "Display"
+        Depth 24
+        Modes "1280x800"
+    EndSubSection
+EndSection
+`
+	if err := os.WriteFile(confPath, []byte(conf), 0644); err != nil {
+		return fmt.Errorf("write Xorg dummy config: %w", err)
+	}
+
+	vs.xvfb = exec.Command("Xorg", vs.display,
+		"-config", confPath,
+		"-noreset",
+		"-nolisten", "tcp",
+		"-ac",
+	)
+	vs.xvfb.SysProcAttr = &syscall.SysProcAttr{Setsid: true, Pdeathsig: syscall.SIGTERM}
+
+	if err := vs.xvfb.Start(); err != nil {
+		os.Remove(confPath)
+		return fmt.Errorf("start Xorg dummy on %s: %w", vs.display, err)
+	}
+	vs.log.Infof("Xorg (dummy driver) started on %s (pid=%d)", vs.display, vs.xvfb.Process.Pid)
+
+	go func() {
+		vs.monitorXvfb()
+		os.Remove(confPath)
+	}()
+
+	return nil
+}
+
+// monitorXvfb waits for the Xvfb/Xorg process to exit. If it exits
+// unexpectedly (not via Stop), the session is marked as dead and the
+// onIdle callback fires so the session manager removes it from the map.
+// The next GetOrCreate call for this user will create a fresh session.
+func (vs *VirtualSession) monitorXvfb() {
+	if err := vs.xvfb.Wait(); err != nil {
+		vs.log.Debugf("X server exited: %v", err)
+	}
+
+	vs.mu.Lock()
+	alreadyStopped := vs.stopped
+	if !alreadyStopped {
+		vs.log.Warn("X server exited unexpectedly, marking session as dead")
+		vs.stopped = true
+		if vs.idleTimer != nil {
+			vs.idleTimer.Stop()
+			vs.idleTimer = nil
+		}
+		if vs.injector != nil {
+			vs.injector.Close()
+		}
+		vs.stopDesktop()
+	}
+	onIdle := vs.onIdle
+	vs.mu.Unlock()
+
+	if !alreadyStopped && onIdle != nil {
+		onIdle()
+	}
+}
+
+func (vs *VirtualSession) stopXvfb() {
+	if vs.xvfb != nil && vs.xvfb.Process != nil {
+		syscall.Kill(-vs.xvfb.Process.Pid, syscall.SIGTERM)
+		time.Sleep(200 * time.Millisecond)
+		syscall.Kill(-vs.xvfb.Process.Pid, syscall.SIGKILL)
+	}
+}
+
+func (vs *VirtualSession) startDesktop() error {
+	session := detectDesktopSession()
+
+	// Wrap the desktop command with dbus-launch to provide a session bus.
+	// Without this, most desktop environments (XFCE, MATE, etc.) fail immediately.
+	var args []string
+	if _, err := exec.LookPath("dbus-launch"); err == nil {
+		args = append([]string{"dbus-launch", "--exit-with-session"}, session...)
+	} else {
+		args = session
+	}
+
+	vs.desktop = exec.Command(args[0], args[1:]...)
+	vs.desktop.Dir = vs.user.HomeDir
+	vs.desktop.Env = vs.buildUserEnv()
+	vs.desktop.SysProcAttr = &syscall.SysProcAttr{
+		Credential: &syscall.Credential{
+			Uid:    vs.uid,
+			Gid:    vs.gid,
+			Groups: vs.groups,
+		},
+		Setsid:    true,
+		Pdeathsig: syscall.SIGTERM,
+	}
+
+	if err := vs.desktop.Start(); err != nil {
+		return fmt.Errorf("start desktop session (%v): %w", args, err)
+	}
+	vs.log.Infof("desktop session started: %v (pid=%d)", args, vs.desktop.Process.Pid)
+
+	go func() {
+		if err := vs.desktop.Wait(); err != nil {
+			vs.log.Debugf("desktop session exited: %v", err)
+		}
+	}()
+
+	return nil
+}
+
+func (vs *VirtualSession) stopDesktop() {
+	if vs.desktop != nil && vs.desktop.Process != nil {
+		syscall.Kill(-vs.desktop.Process.Pid, syscall.SIGTERM)
+		time.Sleep(200 * time.Millisecond)
+		syscall.Kill(-vs.desktop.Process.Pid, syscall.SIGKILL)
+	}
+}
+
+func (vs *VirtualSession) buildUserEnv() []string {
+	return []string{
+		"DISPLAY=" + vs.display,
+		"HOME=" + vs.user.HomeDir,
+		"USER=" + vs.user.Username,
+		"LOGNAME=" + vs.user.Username,
+		"SHELL=" + getUserShell(vs.user.Uid),
+		"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+		"XDG_RUNTIME_DIR=/run/user/" + vs.user.Uid,
+		"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/" + vs.user.Uid + "/bus",
+	}
+}
+
+// detectDesktopSession discovers available desktop sessions from the standard
+// /usr/share/xsessions/*.desktop files (FreeDesktop standard, used by all
+// display managers). Falls back to a hardcoded list if no .desktop files found.
+func detectDesktopSession() []string {
+	// Scan xsessions directories (Linux: /usr/share, FreeBSD: /usr/local/share).
+	for _, dir := range []string{"/usr/share/xsessions", "/usr/local/share/xsessions"} {
+		if cmd := findXSession(dir); cmd != nil {
+			return cmd
+		}
+	}
+
+	// Fallback: try common session commands directly.
+	fallbacks := [][]string{
+		{"startplasma-x11"},
+		{"gnome-session"},
+		{"xfce4-session"},
+		{"mate-session"},
+		{"cinnamon-session"},
+		{"openbox-session"},
+		{"xterm"},
+	}
+	for _, s := range fallbacks {
+		if _, err := exec.LookPath(s[0]); err == nil {
+			return s
+		}
+	}
+	return []string{"xterm"}
+}
+
+// sessionPriority defines preference order for desktop environments.
+// Lower number = higher priority. Unknown sessions get 100.
+var sessionPriority = map[string]int{
+	"plasma":     1, // KDE
+	"gnome":      2,
+	"xfce":       3,
+	"mate":       4,
+	"cinnamon":   5,
+	"lxqt":       6,
+	"lxde":       7,
+	"budgie":     8,
+	"openbox":    20,
+	"fluxbox":    21,
+	"i3":         22,
+	"xinit":      50, // generic user session
+	"lightdm":    50,
+	"default":    50,
+}
+
+func findXSession(dir string) []string {
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		return nil
+	}
+
+	type candidate struct {
+		cmd      string
+		priority int
+	}
+	var candidates []candidate
+
+	for _, e := range entries {
+		if !strings.HasSuffix(e.Name(), ".desktop") {
+			continue
+		}
+		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
+		if err != nil {
+			continue
+		}
+		execCmd := ""
+		for _, line := range strings.Split(string(data), "\n") {
+			if strings.HasPrefix(line, "Exec=") {
+				execCmd = strings.TrimSpace(strings.TrimPrefix(line, "Exec="))
+				break
+			}
+		}
+		if execCmd == "" || execCmd == "default" {
+			continue
+		}
+
+		// Determine priority from the filename or exec command.
+		pri := 100
+		lower := strings.ToLower(e.Name() + " " + execCmd)
+		for keyword, p := range sessionPriority {
+			if strings.Contains(lower, keyword) && p < pri {
+				pri = p
+			}
+		}
+		candidates = append(candidates, candidate{cmd: execCmd, priority: pri})
+	}
+
+	if len(candidates) == 0 {
+		return nil
+	}
+
+	// Pick the highest priority (lowest number).
+	best := candidates[0]
+	for _, c := range candidates[1:] {
+		if c.priority < best.priority {
+			best = c
+		}
+	}
+
+	// Verify the binary exists.
+	parts := strings.Fields(best.cmd)
+	if _, err := exec.LookPath(parts[0]); err != nil {
+		return nil
+	}
+	return parts
+}
+
+// findFreeDisplay scans for an unused X11 display number.
+func findFreeDisplay() (string, error) {
+	for n := 50; n < 200; n++ {
+		lockFile := fmt.Sprintf("/tmp/.X%d-lock", n)
+		socketFile := fmt.Sprintf("/tmp/.X11-unix/X%d", n)
+		if _, err := os.Stat(lockFile); err == nil {
+			continue
+		}
+		if _, err := os.Stat(socketFile); err == nil {
+			continue
+		}
+		return fmt.Sprintf(":%d", n), nil
+	}
+	return "", fmt.Errorf("no free X11 display found (checked :50-:199)")
+}
+
+// waitForPath polls until a filesystem path exists or the timeout expires.
+func waitForPath(path string, timeout time.Duration) error {
+	deadline := time.Now().Add(timeout)
+	for time.Now().Before(deadline) {
+		if _, err := os.Stat(path); err == nil {
+			return nil
+		}
+		time.Sleep(50 * time.Millisecond)
+	}
+	return fmt.Errorf("timeout waiting for %s", path)
+}
+
+// getUserShell returns the login shell for the given UID.
+func getUserShell(uid string) string {
+	data, err := os.ReadFile("/etc/passwd")
+	if err != nil {
+		return "/bin/sh"
+	}
+	for _, line := range strings.Split(string(data), "\n") {
+		fields := strings.Split(line, ":")
+		if len(fields) >= 7 && fields[2] == uid {
+			return fields[6]
+		}
+	}
+	return "/bin/sh"
+}
+
+// supplementaryGroups returns the supplementary group IDs for a user.
+func supplementaryGroups(u *user.User) ([]uint32, error) {
+	gids, err := u.GroupIds()
+	if err != nil {
+		return nil, err
+	}
+	var groups []uint32
+	for _, g := range gids {
+		id, err := strconv.ParseUint(g, 10, 32)
+		if err != nil {
+			continue
+		}
+		groups = append(groups, uint32(id))
+	}
+	return groups, nil
+}
+
+// sessionManager tracks active virtual sessions by username.
+type sessionManager struct {
+	mu       sync.Mutex
+	sessions map[string]*VirtualSession
+	log      *log.Entry
+}
+
+func newSessionManager(logger *log.Entry) *sessionManager {
+	return &sessionManager{
+		sessions: make(map[string]*VirtualSession),
+		log:      logger,
+	}
+}
+
+// GetOrCreate returns an existing virtual session or creates a new one.
+// If a previous session for this user is stopped or its X server died, it is replaced.
+func (sm *sessionManager) GetOrCreate(username string) (vncSession, error) {
+	sm.mu.Lock()
+	defer sm.mu.Unlock()
+
+	if vs, ok := sm.sessions[username]; ok {
+		if vs.isAlive() {
+			return vs, nil
+		}
+		sm.log.Infof("replacing dead virtual session for %s", username)
+		vs.Stop()
+		delete(sm.sessions, username)
+	}
+
+	vs, err := StartVirtualSession(username, sm.log)
+	if err != nil {
+		return nil, err
+	}
+	vs.onIdle = func() {
+		sm.mu.Lock()
+		defer sm.mu.Unlock()
+		if cur, ok := sm.sessions[username]; ok && cur == vs {
+			delete(sm.sessions, username)
+			sm.log.Infof("removed idle virtual session for %s", username)
+		}
+	}
+	sm.sessions[username] = vs
+	return vs, nil
+}
+
+// hasDummyDriver checks common paths for the Xorg dummy video driver.
+func hasDummyDriver() bool {
+	paths := []string{
+		"/usr/lib/xorg/modules/drivers/dummy_drv.so",                // Debian/Ubuntu
+		"/usr/lib64/xorg/modules/drivers/dummy_drv.so",              // RHEL/Fedora
+		"/usr/local/lib/xorg/modules/drivers/dummy_drv.so",          // FreeBSD
+		"/usr/lib/x86_64-linux-gnu/xorg/modules/drivers/dummy_drv.so", // Debian multiarch
+	}
+	for _, p := range paths {
+		if _, err := os.Stat(p); err == nil {
+			return true
+		}
+	}
+	return false
+}
+
+// StopAll terminates all active virtual sessions.
+func (sm *sessionManager) StopAll() {
+	sm.mu.Lock()
+	defer sm.mu.Unlock()
+
+	for username, vs := range sm.sessions {
+		vs.Stop()
+		delete(sm.sessions, username)
+		sm.log.Infof("stopped virtual session for %s", username)
+	}
+}
+

client/vnc/testpage/index.html

@@ -0,0 +1,174 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>VNC Test</title>
+  <style>
+    body { margin: 0; background: #111; color: #eee; font-family: monospace; font-size: 13px; }
+    #toolbar { position: fixed; top: 0; left: 0; right: 0; z-index: 10; background: #222; padding: 4px 8px; display: flex; gap: 8px; align-items: center; }
+    #toolbar button { padding: 4px 12px; cursor: pointer; background: #444; color: #eee; border: 1px solid #666; border-radius: 3px; }
+    #toolbar button:hover { background: #555; }
+    #toolbar #status { flex: 1; }
+    #vnc-container { width: 100vw; height: calc(100vh - 28px); margin-top: 28px; }
+    #log { position: fixed; bottom: 0; left: 0; right: 0; max-height: 150px; overflow-y: auto; background: rgba(0,0,0,0.85); padding: 4px 8px; font-size: 11px; z-index: 10; display: none; }
+    #log.visible { display: block; }
+  </style>
+</head>
+<body>
+  <div id="toolbar">
+    <span id="status">Loading WASM...</span>
+    <button onclick="sendCAD()">Ctrl+Alt+Del</button>
+    <button onclick="document.getElementById('log').classList.toggle('visible')">Log</button>
+  </div>
+  <div id="vnc-container"></div>
+  <div id="log"></div>
+
+  <script>
+    const params = new URLSearchParams(location.search);
+    const HOST = params.get('host') || '';
+    const PORT = params.get('port') || '5900';
+    const MODE = params.get('mode') || 'attach'; // 'attach' or 'session'
+    const USER = params.get('user') || '';
+    const SETUP_KEY = params.get('setup_key') || '64BB8FF4-5A96-488F-B0AE-316555E916B0';
+    const MGMT_URL = params.get('mgmt') || 'http://192.168.100.1:8080';
+
+    const statusEl = document.getElementById('status');
+    const logEl = document.getElementById('log');
+    function addLog(msg) {
+      const line = document.createElement('div');
+      line.textContent = `[${new Date().toISOString().slice(11,23)}] ${msg}`;
+      logEl.appendChild(line);
+      logEl.scrollTop = logEl.scrollHeight;
+      console.log('[vnc-test]', msg);
+    }
+    function setStatus(s) { statusEl.textContent = s; addLog(s); }
+
+    let rfbInstance = null;
+    window.sendCAD = () => { if (rfbInstance) { rfbInstance.sendCtrlAltDel(); addLog('Sent Ctrl+Alt+Del'); } };
+
+    // VNC WebSocket proxy (bridges noVNC WebSocket API to Go WASM tunnel)
+    class VNCProxyWS extends EventTarget {
+      constructor(url) {
+        super();
+        this.url = url;
+        this.readyState = 0;
+        this.protocol = '';
+        this.extensions = '';
+        this.bufferedAmount = 0;
+        this.binaryType = 'arraybuffer';
+        this.onopen = null; this.onclose = null; this.onerror = null; this.onmessage = null;
+        const match = url.match(/vnc\.proxy\.local\/(.+)/);
+        this._proxyID = match ? match[1] : 'default';
+        setTimeout(() => this._connect(), 0);
+      }
+      get CONNECTING() { return 0; } get OPEN() { return 1; } get CLOSING() { return 2; } get CLOSED() { return 3; }
+      _connect() {
+        try {
+          const handler = window[`handleVNCWebSocket_${this._proxyID}`];
+          if (!handler) throw new Error(`No VNC handler for ${this._proxyID}`);
+          handler(this);
+          this.readyState = 1;
+          const ev = new Event('open');
+          if (this.onopen) this.onopen(ev);
+          this.dispatchEvent(ev);
+        } catch (err) {
+          addLog(`WS proxy error: ${err.message}`);
+          this.readyState = 3;
+        }
+      }
+      receiveFromGo(data) {
+        const ev = new MessageEvent('message', { data });
+        if (this.onmessage) this.onmessage(ev);
+        this.dispatchEvent(ev);
+      }
+      send(data) {
+        if (this.readyState !== 1) return;
+        let u8;
+        if (data instanceof ArrayBuffer) u8 = new Uint8Array(data);
+        else if (data instanceof Uint8Array) u8 = data;
+        else if (typeof data === 'string') u8 = new TextEncoder().encode(data);
+        else if (data.buffer) u8 = new Uint8Array(data.buffer, data.byteOffset, data.byteLength);
+        else return;
+        if (this.onGoMessage) this.onGoMessage(u8);
+      }
+      close(code, reason) {
+        if (this.readyState >= 2) return;
+        this.readyState = 2;
+        if (this.onGoClose) this.onGoClose();
+        setTimeout(() => {
+          this.readyState = 3;
+          const ev = new CloseEvent('close', { code: code||1000, reason: reason||'', wasClean: true });
+          if (this.onclose) this.onclose(ev);
+          this.dispatchEvent(ev);
+        }, 0);
+      }
+    }
+
+    async function main() {
+      if (!HOST) { setStatus('Usage: ?host=<peer_ip>&setup_key=<key>[&mode=session&user=alice]'); return; }
+
+      // Install WS proxy before anything creates WebSockets
+      const OrigWS = window.WebSocket;
+      window.WebSocket = new Proxy(OrigWS, {
+        construct(target, args) {
+          if (args[0] && args[0].includes('vnc.proxy.local')) return new VNCProxyWS(args[0]);
+          return new target(args[0], args[1]);
+        }
+      });
+
+      // Load WASM
+      setStatus('Loading WASM runtime...');
+      await new Promise((resolve, reject) => {
+        const s = document.createElement('script');
+        s.src = '/wasm_exec.js'; s.onload = resolve; s.onerror = reject;
+        document.head.appendChild(s);
+      });
+
+      setStatus('Loading NetBird WASM...');
+      const go = new Go();
+      const wasm = await WebAssembly.instantiateStreaming(fetch('/netbird.wasm'), go.importObject);
+      go.run(wasm.instance);
+      const t0 = Date.now();
+      while (!window.NetBirdClient && Date.now() - t0 < 10000) await new Promise(r => setTimeout(r, 100));
+      if (!window.NetBirdClient) { setStatus('WASM init timeout'); return; }
+      addLog('WASM ready');
+
+      // Connect NetBird with setup key
+      setStatus('Connecting NetBird...');
+      let client;
+      try {
+        client = await window.NetBirdClient({
+          setupKey: SETUP_KEY,
+          managementURL: MGMT_URL,
+          logLevel: 'debug',
+        });
+        addLog('Client created, starting...');
+        await client.start();
+        addLog('NetBird connected');
+      } catch (err) {
+        setStatus('NetBird error: ' + (err && err.message ? err.message : String(err)));
+        return;
+      }
+
+      // Create VNC proxy
+      setStatus(`Creating VNC proxy (mode=${MODE}${USER ? ', user=' + USER : ''})...`);
+      const proxyURL = await client.createVNCProxy(HOST, PORT, MODE, USER);
+      addLog(`Proxy: ${proxyURL}`);
+
+      // Connect noVNC
+      setStatus('Connecting VNC...');
+      const { default: RFB } = await import('/novnc-pkg/core/rfb.js');
+      const container = document.getElementById('vnc-container');
+      rfbInstance = new RFB(container, proxyURL, { wsProtocols: [] });
+      rfbInstance.scaleViewport = true;
+      rfbInstance.resizeSession = false;
+      rfbInstance.showDotCursor = true;
+      rfbInstance.addEventListener('connect', () => setStatus(`Connected: ${HOST}`));
+      rfbInstance.addEventListener('disconnect', e => setStatus(`Disconnected${e.detail?.clean ? '' : ' (unexpected)'}`));
+      rfbInstance.addEventListener('credentialsrequired', () => rfbInstance.sendCredentials({ password: '' }));
+      window.rfb = rfbInstance;
+    }
+
+    main().catch(err => { setStatus(`Error: ${err.message}`); console.error(err); });
+  </script>
+</body>
+</html>

client/vnc/testpage/serve.go

@@ -0,0 +1,44 @@
+//go:build ignore
+
+// Simple file server for the VNC test page.
+// Usage: go run serve.go
+// Then open: http://localhost:9090?host=100.0.23.250
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"path/filepath"
+)
+
+func main() {
+	// Serve from the dashboard's public dir (has wasm, noVNC, etc.)
+	dashboardPublic := os.Getenv("DASHBOARD_PUBLIC")
+	if dashboardPublic == "" {
+		home, _ := os.UserHomeDir()
+		dashboardPublic = filepath.Join(home, "dev", "dashboard", "public")
+	}
+
+	// Serve test page index.html from this directory
+	testDir, _ := os.Getwd()
+
+	mux := http.NewServeMux()
+	// Test page itself
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/" || r.URL.Path == "/index.html" {
+			http.ServeFile(w, r, filepath.Join(testDir, "index.html"))
+			return
+		}
+		// Everything else from dashboard public (wasm, noVNC, etc.)
+		http.FileServer(http.Dir(dashboardPublic)).ServeHTTP(w, r)
+	})
+
+	addr := ":9090"
+	fmt.Printf("VNC test page: http://localhost%s?host=<peer_ip>\n", addr)
+	fmt.Printf("Serving assets from: %s\n", dashboardPublic)
+	if err := http.ListenAndServe(addr, mux); err != nil {
+		fmt.Fprintf(os.Stderr, "listen: %v\n", err)
+		os.Exit(1)
+	}
+}

client/wasm/cmd/main.go

@@ -15,8 +15,8 @@ import (
 	sshdetection "github.com/netbirdio/netbird/client/ssh/detection"
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/client/wasm/internal/http"
-	"github.com/netbirdio/netbird/client/wasm/internal/rdp"
 	"github.com/netbirdio/netbird/client/wasm/internal/ssh"
+	"github.com/netbirdio/netbird/client/wasm/internal/vnc"
 	"github.com/netbirdio/netbird/util"
 )
 
@@ -317,8 +317,13 @@ func createProxyRequestMethod(client *netbird.Client) js.Func {
 	})
 }
 
-// createRDPProxyMethod creates the RDP proxy method
-func createRDPProxyMethod(client *netbird.Client) js.Func {
+// createVNCProxyMethod creates the VNC proxy method for raw TCP-over-WebSocket bridging.
+// JS signature: createVNCProxy(hostname, port, mode?, username?, jwt?, sessionID?)
+// mode: "attach" (default) or "session"
+// username: required when mode is "session"
+// jwt: authentication token (from OIDC session)
+// sessionID: Windows session ID (0 = console/auto)
+func createVNCProxyMethod(client *netbird.Client) js.Func {
 	return js.FuncOf(func(_ js.Value, args []js.Value) any {
 		if len(args) < 2 {
 			return js.ValueOf("error: hostname and port required")
@@ -335,8 +340,25 @@ func createRDPProxyMethod(client *netbird.Client) js.Func {
 			})
 		}
 
-		proxy := rdp.NewRDCleanPathProxy(client)
-		return proxy.CreateProxy(args[0].String(), args[1].String())
+		mode := "attach"
+		username := ""
+		jwtToken := ""
+		var sessionID uint32
+		if len(args) > 2 && args[2].Type() == js.TypeString {
+			mode = args[2].String()
+		}
+		if len(args) > 3 && args[3].Type() == js.TypeString {
+			username = args[3].String()
+		}
+		if len(args) > 4 && args[4].Type() == js.TypeString {
+			jwtToken = args[4].String()
+		}
+		if len(args) > 5 && args[5].Type() == js.TypeNumber {
+			sessionID = uint32(args[5].Int())
+		}
+
+		proxy := vnc.NewVNCProxy(client)
+		return proxy.CreateProxy(args[0].String(), args[1].String(), mode, username, jwtToken, sessionID)
 	})
 }
 
@@ -515,7 +537,7 @@ func createClientObject(client *netbird.Client) js.Value {
 	obj["detectSSHServerType"] = createDetectSSHServerMethod(client)
 	obj["createSSHConnection"] = createSSHMethod(client)
 	obj["proxyRequest"] = createProxyRequestMethod(client)
-	obj["createRDPProxy"] = createRDPProxyMethod(client)
+	obj["createVNCProxy"] = createVNCProxyMethod(client)
 	obj["status"] = createStatusMethod(client)
 	obj["statusSummary"] = createStatusSummaryMethod(client)
 	obj["statusDetail"] = createStatusDetailMethod(client)

client/wasm/internal/rdp/cert_validation.go

@@ -1,107 +0,0 @@
-//go:build js
-
-package rdp
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"fmt"
-	"syscall/js"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	certValidationTimeout = 60 * time.Second
-)
-
-func (p *RDCleanPathProxy) validateCertificateWithJS(conn *proxyConnection, certChain [][]byte) (bool, error) {
-	if !conn.wsHandlers.Get("onCertificateRequest").Truthy() {
-		return false, fmt.Errorf("certificate validation handler not configured")
-	}
-
-	certInfo := js.Global().Get("Object").New()
-	certInfo.Set("ServerAddr", conn.destination)
-
-	certArray := js.Global().Get("Array").New()
-	for i, certBytes := range certChain {
-		uint8Array := js.Global().Get("Uint8Array").New(len(certBytes))
-		js.CopyBytesToJS(uint8Array, certBytes)
-		certArray.SetIndex(i, uint8Array)
-	}
-	certInfo.Set("ServerCertChain", certArray)
-	if len(certChain) > 0 {
-		cert, err := x509.ParseCertificate(certChain[0])
-		if err == nil {
-			info := js.Global().Get("Object").New()
-			info.Set("subject", cert.Subject.String())
-			info.Set("issuer", cert.Issuer.String())
-			info.Set("validFrom", cert.NotBefore.Format(time.RFC3339))
-			info.Set("validTo", cert.NotAfter.Format(time.RFC3339))
-			info.Set("serialNumber", cert.SerialNumber.String())
-			certInfo.Set("CertificateInfo", info)
-		}
-	}
-
-	promise := conn.wsHandlers.Call("onCertificateRequest", certInfo)
-
-	resultChan := make(chan bool)
-	errorChan := make(chan error)
-
-	promise.Call("then", js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-		result := args[0].Bool()
-		resultChan <- result
-		return nil
-	})).Call("catch", js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-		errorChan <- fmt.Errorf("certificate validation failed")
-		return nil
-	}))
-
-	select {
-	case result := <-resultChan:
-		if result {
-			log.Info("Certificate accepted by user")
-		} else {
-			log.Info("Certificate rejected by user")
-		}
-		return result, nil
-	case err := <-errorChan:
-		return false, err
-	case <-time.After(certValidationTimeout):
-		return false, fmt.Errorf("certificate validation timeout")
-	}
-}
-
-func (p *RDCleanPathProxy) getTLSConfigWithValidation(conn *proxyConnection, requiresCredSSP bool) *tls.Config {
-	config := &tls.Config{
-		InsecureSkipVerify: true, // We'll validate manually after handshake
-		VerifyConnection: func(cs tls.ConnectionState) error {
-			var certChain [][]byte
-			for _, cert := range cs.PeerCertificates {
-				certChain = append(certChain, cert.Raw)
-			}
-
-			accepted, err := p.validateCertificateWithJS(conn, certChain)
-			if err != nil {
-				return err
-			}
-			if !accepted {
-				return fmt.Errorf("certificate rejected by user")
-			}
-
-			return nil
-		},
-	}
-
-	// CredSSP (NLA) requires TLS 1.2 - it's incompatible with TLS 1.3
-	if requiresCredSSP {
-		config.MinVersion = tls.VersionTLS12
-		config.MaxVersion = tls.VersionTLS12
-	} else {
-		config.MinVersion = tls.VersionTLS12
-		config.MaxVersion = tls.VersionTLS13
-	}
-
-	return config
-}

client/wasm/internal/rdp/rdcleanpath.go

@@ -1,344 +0,0 @@
-//go:build js
-
-package rdp
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/asn1"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"sync"
-	"syscall/js"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	RDCleanPathVersion     = 3390
-	RDCleanPathProxyHost   = "rdcleanpath.proxy.local"
-	RDCleanPathProxyScheme = "ws"
-
-	rdpDialTimeout = 15 * time.Second
-
-	GeneralErrorCode = 1
-	WSAETimedOut     = 10060
-	WSAEConnRefused  = 10061
-	WSAEConnAborted  = 10053
-	WSAEConnReset    = 10054
-	WSAEGenericError = 10050
-)
-
-type RDCleanPathPDU struct {
-	Version           int64          `asn1:"tag:0,explicit"`
-	Error             RDCleanPathErr `asn1:"tag:1,explicit,optional"`
-	Destination       string         `asn1:"utf8,tag:2,explicit,optional"`
-	ProxyAuth         string         `asn1:"utf8,tag:3,explicit,optional"`
-	ServerAuth        string         `asn1:"utf8,tag:4,explicit,optional"`
-	PreconnectionBlob string         `asn1:"utf8,tag:5,explicit,optional"`
-	X224ConnectionPDU []byte         `asn1:"tag:6,explicit,optional"`
-	ServerCertChain   [][]byte       `asn1:"tag:7,explicit,optional"`
-	ServerAddr        string         `asn1:"utf8,tag:9,explicit,optional"`
-}
-
-type RDCleanPathErr struct {
-	ErrorCode      int16 `asn1:"tag:0,explicit"`
-	HTTPStatusCode int16 `asn1:"tag:1,explicit,optional"`
-	WSALastError   int16 `asn1:"tag:2,explicit,optional"`
-	TLSAlertCode   int8  `asn1:"tag:3,explicit,optional"`
-}
-
-type RDCleanPathProxy struct {
-	nbClient interface {
-		Dial(ctx context.Context, network, address string) (net.Conn, error)
-	}
-	activeConnections map[string]*proxyConnection
-	destinations      map[string]string
-	mu                sync.Mutex
-}
-
-type proxyConnection struct {
-	id          string
-	destination string
-	rdpConn     net.Conn
-	tlsConn     *tls.Conn
-	wsHandlers  js.Value
-	ctx         context.Context
-	cancel      context.CancelFunc
-}
-
-// NewRDCleanPathProxy creates a new RDCleanPath proxy
-func NewRDCleanPathProxy(client interface {
-	Dial(ctx context.Context, network, address string) (net.Conn, error)
-}) *RDCleanPathProxy {
-	return &RDCleanPathProxy{
-		nbClient:          client,
-		activeConnections: make(map[string]*proxyConnection),
-	}
-}
-
-// CreateProxy creates a new proxy endpoint for the given destination
-func (p *RDCleanPathProxy) CreateProxy(hostname, port string) js.Value {
-	destination := fmt.Sprintf("%s:%s", hostname, port)
-
-	return js.Global().Get("Promise").New(js.FuncOf(func(_ js.Value, args []js.Value) any {
-		resolve := args[0]
-
-		go func() {
-			proxyID := fmt.Sprintf("proxy_%d", len(p.activeConnections))
-
-			p.mu.Lock()
-			if p.destinations == nil {
-				p.destinations = make(map[string]string)
-			}
-			p.destinations[proxyID] = destination
-			p.mu.Unlock()
-
-			proxyURL := fmt.Sprintf("%s://%s/%s", RDCleanPathProxyScheme, RDCleanPathProxyHost, proxyID)
-
-			// Register the WebSocket handler for this specific proxy
-			js.Global().Set(fmt.Sprintf("handleRDCleanPathWebSocket_%s", proxyID), js.FuncOf(func(_ js.Value, args []js.Value) any {
-				if len(args) < 1 {
-					return js.ValueOf("error: requires WebSocket argument")
-				}
-
-				ws := args[0]
-				p.HandleWebSocketConnection(ws, proxyID)
-				return nil
-			}))
-
-			log.Infof("Created RDCleanPath proxy endpoint: %s for destination: %s", proxyURL, destination)
-			resolve.Invoke(proxyURL)
-		}()
-
-		return nil
-	}))
-}
-
-// HandleWebSocketConnection handles incoming WebSocket connections from IronRDP
-func (p *RDCleanPathProxy) HandleWebSocketConnection(ws js.Value, proxyID string) {
-	p.mu.Lock()
-	destination := p.destinations[proxyID]
-	p.mu.Unlock()
-
-	if destination == "" {
-		log.Errorf("No destination found for proxy ID: %s", proxyID)
-		return
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	// Don't defer cancel here - it will be called by cleanupConnection
-
-	conn := &proxyConnection{
-		id:          proxyID,
-		destination: destination,
-		wsHandlers:  ws,
-		ctx:         ctx,
-		cancel:      cancel,
-	}
-
-	p.mu.Lock()
-	p.activeConnections[proxyID] = conn
-	p.mu.Unlock()
-
-	p.setupWebSocketHandlers(ws, conn)
-
-	log.Infof("RDCleanPath proxy WebSocket connection established for %s", proxyID)
-}
-
-func (p *RDCleanPathProxy) setupWebSocketHandlers(ws js.Value, conn *proxyConnection) {
-	ws.Set("onGoMessage", js.FuncOf(func(this js.Value, args []js.Value) any {
-		if len(args) < 1 {
-			return nil
-		}
-
-		data := args[0]
-		go p.handleWebSocketMessage(conn, data)
-		return nil
-	}))
-
-	ws.Set("onGoClose", js.FuncOf(func(_ js.Value, args []js.Value) any {
-		log.Debug("WebSocket closed by JavaScript")
-		conn.cancel()
-		return nil
-	}))
-}
-
-func (p *RDCleanPathProxy) handleWebSocketMessage(conn *proxyConnection, data js.Value) {
-	if !data.InstanceOf(js.Global().Get("Uint8Array")) {
-		return
-	}
-
-	length := data.Get("length").Int()
-	bytes := make([]byte, length)
-	js.CopyBytesToGo(bytes, data)
-
-	if conn.rdpConn != nil || conn.tlsConn != nil {
-		p.forwardToRDP(conn, bytes)
-		return
-	}
-
-	var pdu RDCleanPathPDU
-	_, err := asn1.Unmarshal(bytes, &pdu)
-	if err != nil {
-		log.Warnf("Failed to parse RDCleanPath PDU: %v", err)
-		n := len(bytes)
-		if n > 20 {
-			n = 20
-		}
-		log.Warnf("First %d bytes: %x", n, bytes[:n])
-
-		if len(bytes) > 0 && bytes[0] == 0x03 {
-			log.Debug("Received raw RDP packet instead of RDCleanPath PDU")
-			go p.handleDirectRDP(conn, bytes)
-			return
-		}
-		return
-	}
-
-	go p.processRDCleanPathPDU(conn, pdu)
-}
-
-func (p *RDCleanPathProxy) forwardToRDP(conn *proxyConnection, bytes []byte) {
-	var writer io.Writer
-	var connType string
-
-	if conn.tlsConn != nil {
-		writer = conn.tlsConn
-		connType = "TLS"
-	} else if conn.rdpConn != nil {
-		writer = conn.rdpConn
-		connType = "TCP"
-	} else {
-		log.Error("No RDP connection available")
-		return
-	}
-
-	if _, err := writer.Write(bytes); err != nil {
-		log.Errorf("Failed to write to %s: %v", connType, err)
-	}
-}
-
-func (p *RDCleanPathProxy) handleDirectRDP(conn *proxyConnection, firstPacket []byte) {
-	defer p.cleanupConnection(conn)
-
-	destination := conn.destination
-	log.Infof("Direct RDP mode: Connecting to %s via NetBird", destination)
-
-	ctx, cancel := context.WithTimeout(conn.ctx, rdpDialTimeout)
-	defer cancel()
-
-	rdpConn, err := p.nbClient.Dial(ctx, "tcp", destination)
-	if err != nil {
-		log.Errorf("Failed to connect to %s: %v", destination, err)
-		p.sendRDCleanPathError(conn, newWSAError(err))
-		return
-	}
-	conn.rdpConn = rdpConn
-
-	_, err = rdpConn.Write(firstPacket)
-	if err != nil {
-		log.Errorf("Failed to write first packet: %v", err)
-		p.sendRDCleanPathError(conn, newWSAError(err))
-		return
-	}
-
-	response := make([]byte, 1024)
-	n, err := rdpConn.Read(response)
-	if err != nil {
-		log.Errorf("Failed to read X.224 response: %v", err)
-		p.sendRDCleanPathError(conn, newWSAError(err))
-		return
-	}
-
-	p.sendToWebSocket(conn, response[:n])
-
-	go p.forwardWSToConn(conn, conn.rdpConn, "TCP")
-	go p.forwardConnToWS(conn, conn.rdpConn, "TCP")
-}
-
-func (p *RDCleanPathProxy) cleanupConnection(conn *proxyConnection) {
-	log.Debugf("Cleaning up connection %s", conn.id)
-	conn.cancel()
-	if conn.tlsConn != nil {
-		log.Debug("Closing TLS connection")
-		if err := conn.tlsConn.Close(); err != nil {
-			log.Debugf("Error closing TLS connection: %v", err)
-		}
-		conn.tlsConn = nil
-	}
-	if conn.rdpConn != nil {
-		log.Debug("Closing TCP connection")
-		if err := conn.rdpConn.Close(); err != nil {
-			log.Debugf("Error closing TCP connection: %v", err)
-		}
-		conn.rdpConn = nil
-	}
-	p.mu.Lock()
-	delete(p.activeConnections, conn.id)
-	p.mu.Unlock()
-}
-
-func (p *RDCleanPathProxy) sendToWebSocket(conn *proxyConnection, data []byte) {
-	if conn.wsHandlers.Get("receiveFromGo").Truthy() {
-		uint8Array := js.Global().Get("Uint8Array").New(len(data))
-		js.CopyBytesToJS(uint8Array, data)
-		conn.wsHandlers.Call("receiveFromGo", uint8Array.Get("buffer"))
-	} else if conn.wsHandlers.Get("send").Truthy() {
-		uint8Array := js.Global().Get("Uint8Array").New(len(data))
-		js.CopyBytesToJS(uint8Array, data)
-		conn.wsHandlers.Call("send", uint8Array.Get("buffer"))
-	}
-}
-
-func (p *RDCleanPathProxy) sendRDCleanPathError(conn *proxyConnection, pdu RDCleanPathPDU) {
-	data, err := asn1.Marshal(pdu)
-	if err != nil {
-		log.Errorf("Failed to marshal error PDU: %v", err)
-		return
-	}
-	p.sendToWebSocket(conn, data)
-}
-
-func errorToWSACode(err error) int16 {
-	if err == nil {
-		return WSAEGenericError
-	}
-	var netErr *net.OpError
-	if errors.As(err, &netErr) && netErr.Timeout() {
-		return WSAETimedOut
-	}
-	if errors.Is(err, context.DeadlineExceeded) {
-		return WSAETimedOut
-	}
-	if errors.Is(err, context.Canceled) {
-		return WSAEConnAborted
-	}
-	if errors.Is(err, io.EOF) {
-		return WSAEConnReset
-	}
-	return WSAEGenericError
-}
-
-func newWSAError(err error) RDCleanPathPDU {
-	return RDCleanPathPDU{
-		Version: RDCleanPathVersion,
-		Error: RDCleanPathErr{
-			ErrorCode:    GeneralErrorCode,
-			WSALastError: errorToWSACode(err),
-		},
-	}
-}
-
-func newHTTPError(statusCode int16) RDCleanPathPDU {
-	return RDCleanPathPDU{
-		Version: RDCleanPathVersion,
-		Error: RDCleanPathErr{
-			ErrorCode:      GeneralErrorCode,
-			HTTPStatusCode: statusCode,
-		},
-	}
-}

client/wasm/internal/rdp/rdcleanpath_handlers.go

@@ -1,244 +0,0 @@
-//go:build js
-
-package rdp
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/asn1"
-	"io"
-	"syscall/js"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	// MS-RDPBCGR: confusingly named, actually means PROTOCOL_HYBRID (CredSSP)
-	protocolSSL      = 0x00000001
-	protocolHybridEx = 0x00000008
-)
-
-func (p *RDCleanPathProxy) processRDCleanPathPDU(conn *proxyConnection, pdu RDCleanPathPDU) {
-	log.Infof("Processing RDCleanPath PDU: Version=%d, Destination=%s", pdu.Version, pdu.Destination)
-
-	if pdu.Version != RDCleanPathVersion {
-		p.sendRDCleanPathError(conn, newHTTPError(400))
-		return
-	}
-
-	destination := conn.destination
-	if pdu.Destination != "" {
-		destination = pdu.Destination
-	}
-
-	ctx, cancel := context.WithTimeout(conn.ctx, rdpDialTimeout)
-	defer cancel()
-
-	rdpConn, err := p.nbClient.Dial(ctx, "tcp", destination)
-	if err != nil {
-		log.Errorf("Failed to connect to %s: %v", destination, err)
-		p.sendRDCleanPathError(conn, newWSAError(err))
-		p.cleanupConnection(conn)
-		return
-	}
-	conn.rdpConn = rdpConn
-
-	// RDP always starts with X.224 negotiation, then determines if TLS is needed
-	// Modern RDP (since Windows Vista/2008) typically requires TLS
-	// The X.224 Connection Confirm response will indicate if TLS is required
-	// For now, we'll attempt TLS for all connections as it's the modern default
-	p.setupTLSConnection(conn, pdu)
-}
-
-// detectCredSSPFromX224 checks if the X.224 response indicates NLA/CredSSP is required.
-// Per MS-RDPBCGR spec: byte 11 = TYPE_RDP_NEG_RSP (0x02), bytes 15-18 = selectedProtocol flags.
-// Returns (requiresTLS12, selectedProtocol, detectionSuccessful).
-func (p *RDCleanPathProxy) detectCredSSPFromX224(x224Response []byte) (bool, uint32, bool) {
-	const minResponseLength = 19
-
-	if len(x224Response) < minResponseLength {
-		return false, 0, false
-	}
-
-	// Per X.224 specification:
-	//   x224Response[0] == 0x03: Length of X.224 header (3 bytes)
-	//   x224Response[5] == 0xD0: X.224 Data TPDU code
-	if x224Response[0] != 0x03 || x224Response[5] != 0xD0 {
-		return false, 0, false
-	}
-
-	if x224Response[11] == 0x02 {
-		flags := uint32(x224Response[15]) | uint32(x224Response[16])<<8 |
-			uint32(x224Response[17])<<16 | uint32(x224Response[18])<<24
-
-		hasNLA := (flags & (protocolSSL | protocolHybridEx)) != 0
-		return hasNLA, flags, true
-	}
-
-	return false, 0, false
-}
-
-func (p *RDCleanPathProxy) setupTLSConnection(conn *proxyConnection, pdu RDCleanPathPDU) {
-	var x224Response []byte
-	if len(pdu.X224ConnectionPDU) > 0 {
-		log.Debugf("Forwarding X.224 Connection Request (%d bytes)", len(pdu.X224ConnectionPDU))
-		_, err := conn.rdpConn.Write(pdu.X224ConnectionPDU)
-		if err != nil {
-			log.Errorf("Failed to write X.224 PDU: %v", err)
-			p.sendRDCleanPathError(conn, newWSAError(err))
-			return
-		}
-
-		response := make([]byte, 1024)
-		n, err := conn.rdpConn.Read(response)
-		if err != nil {
-			log.Errorf("Failed to read X.224 response: %v", err)
-			p.sendRDCleanPathError(conn, newWSAError(err))
-			return
-		}
-		x224Response = response[:n]
-		log.Debugf("Received X.224 Connection Confirm (%d bytes)", n)
-	}
-
-	requiresCredSSP, selectedProtocol, detected := p.detectCredSSPFromX224(x224Response)
-	if detected {
-		if requiresCredSSP {
-			log.Warnf("Detected NLA/CredSSP (selectedProtocol: 0x%08X), forcing TLS 1.2 for compatibility", selectedProtocol)
-		} else {
-			log.Warnf("No NLA/CredSSP detected (selectedProtocol: 0x%08X), allowing up to TLS 1.3", selectedProtocol)
-		}
-	} else {
-		log.Warnf("Could not detect RDP security protocol, allowing up to TLS 1.3")
-	}
-
-	tlsConfig := p.getTLSConfigWithValidation(conn, requiresCredSSP)
-
-	tlsConn := tls.Client(conn.rdpConn, tlsConfig)
-	conn.tlsConn = tlsConn
-
-	if err := tlsConn.Handshake(); err != nil {
-		log.Errorf("TLS handshake failed: %v", err)
-		p.sendRDCleanPathError(conn, newWSAError(err))
-		return
-	}
-
-	log.Info("TLS handshake successful")
-
-	// Certificate validation happens during handshake via VerifyConnection callback
-	var certChain [][]byte
-	connState := tlsConn.ConnectionState()
-	if len(connState.PeerCertificates) > 0 {
-		for _, cert := range connState.PeerCertificates {
-			certChain = append(certChain, cert.Raw)
-		}
-		log.Debugf("Extracted %d certificates from TLS connection", len(certChain))
-	}
-
-	responsePDU := RDCleanPathPDU{
-		Version:         RDCleanPathVersion,
-		ServerAddr:      conn.destination,
-		ServerCertChain: certChain,
-	}
-
-	if len(x224Response) > 0 {
-		responsePDU.X224ConnectionPDU = x224Response
-	}
-
-	p.sendRDCleanPathPDU(conn, responsePDU)
-
-	log.Debug("Starting TLS forwarding")
-	go p.forwardConnToWS(conn, conn.tlsConn, "TLS")
-	go p.forwardWSToConn(conn, conn.tlsConn, "TLS")
-
-	<-conn.ctx.Done()
-	log.Debug("TLS connection context done, cleaning up")
-	p.cleanupConnection(conn)
-}
-
-func (p *RDCleanPathProxy) sendRDCleanPathPDU(conn *proxyConnection, pdu RDCleanPathPDU) {
-	data, err := asn1.Marshal(pdu)
-	if err != nil {
-		log.Errorf("Failed to marshal RDCleanPath PDU: %v", err)
-		return
-	}
-
-	log.Debugf("Sending RDCleanPath PDU response (%d bytes)", len(data))
-	p.sendToWebSocket(conn, data)
-}
-
-func (p *RDCleanPathProxy) readWebSocketMessage(conn *proxyConnection) ([]byte, error) {
-	msgChan := make(chan []byte)
-	errChan := make(chan error)
-
-	handler := js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-		if len(args) < 1 {
-			errChan <- io.EOF
-			return nil
-		}
-
-		data := args[0]
-		if data.InstanceOf(js.Global().Get("Uint8Array")) {
-			length := data.Get("length").Int()
-			bytes := make([]byte, length)
-			js.CopyBytesToGo(bytes, data)
-			msgChan <- bytes
-		}
-		return nil
-	})
-	defer handler.Release()
-
-	conn.wsHandlers.Set("onceGoMessage", handler)
-
-	select {
-	case msg := <-msgChan:
-		return msg, nil
-	case err := <-errChan:
-		return nil, err
-	case <-conn.ctx.Done():
-		return nil, conn.ctx.Err()
-	}
-}
-
-func (p *RDCleanPathProxy) forwardWSToConn(conn *proxyConnection, dst io.Writer, connType string) {
-	for {
-		if conn.ctx.Err() != nil {
-			return
-		}
-
-		msg, err := p.readWebSocketMessage(conn)
-		if err != nil {
-			if err != io.EOF {
-				log.Errorf("Failed to read from WebSocket: %v", err)
-			}
-			return
-		}
-
-		_, err = dst.Write(msg)
-		if err != nil {
-			log.Errorf("Failed to write to %s: %v", connType, err)
-			return
-		}
-	}
-}
-
-func (p *RDCleanPathProxy) forwardConnToWS(conn *proxyConnection, src io.Reader, connType string) {
-	buffer := make([]byte, 32*1024)
-
-	for {
-		if conn.ctx.Err() != nil {
-			return
-		}
-
-		n, err := src.Read(buffer)
-		if err != nil {
-			if err != io.EOF {
-				log.Errorf("Failed to read from %s: %v", connType, err)
-			}
-			return
-		}
-
-		if n > 0 {
-			p.sendToWebSocket(conn, buffer[:n])
-		}
-	}
-}

client/wasm/internal/vnc/proxy.go

@@ -0,0 +1,332 @@
+//go:build js
+
+package vnc
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"sync"
+	"sync/atomic"
+	"syscall/js"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	vncProxyHost   = "vnc.proxy.local"
+	vncProxyScheme = "ws"
+	vncDialTimeout = 15 * time.Second
+
+	// Connection modes matching server/server.go constants.
+	modeAttach  byte = 0
+	modeSession byte = 1
+)
+
+// VNCProxy bridges WebSocket connections from noVNC in the browser
+// to TCP VNC server connections through the NetBird tunnel.
+type VNCProxy struct {
+	nbClient interface {
+		Dial(ctx context.Context, network, address string) (net.Conn, error)
+	}
+	activeConnections map[string]*vncConnection
+	destinations      map[string]vncDestination
+	mu                sync.Mutex
+	nextID            atomic.Uint64
+}
+
+type vncDestination struct {
+	address   string
+	mode      byte
+	username  string
+	jwt       string
+	sessionID uint32 // Windows session ID (0 = auto/console)
+}
+
+type vncConnection struct {
+	id          string
+	destination vncDestination
+	mu          sync.Mutex
+	vncConn     net.Conn
+	wsHandlers  js.Value
+	ctx         context.Context
+	cancel      context.CancelFunc
+}
+
+// NewVNCProxy creates a new VNC proxy.
+func NewVNCProxy(client interface {
+	Dial(ctx context.Context, network, address string) (net.Conn, error)
+}) *VNCProxy {
+	return &VNCProxy{
+		nbClient:          client,
+		activeConnections: make(map[string]*vncConnection),
+	}
+}
+
+// CreateProxy creates a new proxy endpoint for the given VNC destination.
+// mode is "attach" (capture current display) or "session" (virtual session).
+// username is required for session mode.
+// Returns a JS Promise that resolves to the WebSocket proxy URL.
+func (p *VNCProxy) CreateProxy(hostname, port, mode, username, jwt string, sessionID uint32) js.Value {
+	address := fmt.Sprintf("%s:%s", hostname, port)
+
+	var m byte
+	if mode == "session" {
+		m = modeSession
+	}
+
+	dest := vncDestination{
+		address:   address,
+		mode:      m,
+		username:  username,
+		jwt:       jwt,
+		sessionID: sessionID,
+	}
+
+	return js.Global().Get("Promise").New(js.FuncOf(func(_ js.Value, args []js.Value) any {
+		resolve := args[0]
+
+		go func() {
+			proxyID := fmt.Sprintf("vnc_proxy_%d", p.nextID.Add(1))
+
+			p.mu.Lock()
+			if p.destinations == nil {
+				p.destinations = make(map[string]vncDestination)
+			}
+			p.destinations[proxyID] = dest
+			p.mu.Unlock()
+
+			proxyURL := fmt.Sprintf("%s://%s/%s", vncProxyScheme, vncProxyHost, proxyID)
+
+			js.Global().Set(fmt.Sprintf("handleVNCWebSocket_%s", proxyID), js.FuncOf(func(_ js.Value, args []js.Value) any {
+				if len(args) < 1 {
+					return js.ValueOf("error: requires WebSocket argument")
+				}
+				ws := args[0]
+				p.handleWebSocketConnection(ws, proxyID)
+				return nil
+			}))
+
+			log.Infof("created VNC proxy: %s -> %s (mode=%s, user=%s)", proxyURL, address, mode, username)
+			resolve.Invoke(proxyURL)
+		}()
+
+		return nil
+	}))
+}
+
+func (p *VNCProxy) handleWebSocketConnection(ws js.Value, proxyID string) {
+	p.mu.Lock()
+	dest, ok := p.destinations[proxyID]
+	p.mu.Unlock()
+
+	if !ok {
+		log.Errorf("no destination for VNC proxy %s", proxyID)
+		return
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	conn := &vncConnection{
+		id:          proxyID,
+		destination: dest,
+		wsHandlers:  ws,
+		ctx:         ctx,
+		cancel:      cancel,
+	}
+
+	p.mu.Lock()
+	p.activeConnections[proxyID] = conn
+	p.mu.Unlock()
+
+	p.setupWebSocketHandlers(ws, conn)
+	go p.connectToVNC(conn)
+
+	log.Infof("VNC proxy WebSocket connection established for %s", proxyID)
+}
+
+func (p *VNCProxy) setupWebSocketHandlers(ws js.Value, conn *vncConnection) {
+	ws.Set("onGoMessage", js.FuncOf(func(_ js.Value, args []js.Value) any {
+		if len(args) < 1 {
+			return nil
+		}
+		data := args[0]
+		go p.handleWebSocketMessage(conn, data)
+		return nil
+	}))
+
+	ws.Set("onGoClose", js.FuncOf(func(_ js.Value, _ []js.Value) any {
+		log.Debug("VNC WebSocket closed by JavaScript")
+		conn.cancel()
+		return nil
+	}))
+}
+
+func (p *VNCProxy) handleWebSocketMessage(conn *vncConnection, data js.Value) {
+	if !data.InstanceOf(js.Global().Get("Uint8Array")) {
+		return
+	}
+
+	length := data.Get("length").Int()
+	buf := make([]byte, length)
+	js.CopyBytesToGo(buf, data)
+
+	conn.mu.Lock()
+	vncConn := conn.vncConn
+	conn.mu.Unlock()
+
+	if vncConn == nil {
+		return
+	}
+
+	if _, err := vncConn.Write(buf); err != nil {
+		log.Debugf("write to VNC server: %v", err)
+	}
+}
+
+func (p *VNCProxy) connectToVNC(conn *vncConnection) {
+	ctx, cancel := context.WithTimeout(conn.ctx, vncDialTimeout)
+	defer cancel()
+
+	vncConn, err := p.nbClient.Dial(ctx, "tcp", conn.destination.address)
+	if err != nil {
+		log.Errorf("VNC connect to %s: %v", conn.destination.address, err)
+		// Close the WebSocket so noVNC fires a disconnect event.
+		if conn.wsHandlers.Get("close").Truthy() {
+			conn.wsHandlers.Call("close", 1006, fmt.Sprintf("connect to peer: %v", err))
+		}
+		p.cleanupConnection(conn)
+		return
+	}
+	conn.mu.Lock()
+	conn.vncConn = vncConn
+	conn.mu.Unlock()
+
+	// Send the NetBird VNC session header before the RFB handshake.
+	if err := p.sendSessionHeader(vncConn, conn.destination); err != nil {
+		log.Errorf("send VNC session header: %v", err)
+		p.cleanupConnection(conn)
+		return
+	}
+
+	// WS→TCP is handled by the onGoMessage handler set in setupWebSocketHandlers,
+	// which writes directly to the VNC connection as data arrives from JS.
+	// Only the TCP→WS direction needs a read loop here.
+	go p.forwardConnToWS(conn)
+
+	<-conn.ctx.Done()
+	p.cleanupConnection(conn)
+}
+
+// sendSessionHeader writes mode, username, and JWT to the VNC server.
+// Format: [mode: 1 byte] [username_len: 2 bytes BE] [username: N bytes]
+//
+//	[jwt_len: 2 bytes BE] [jwt: N bytes]
+func (p *VNCProxy) sendSessionHeader(conn net.Conn, dest vncDestination) error {
+	usernameBytes := []byte(dest.username)
+	jwtBytes := []byte(dest.jwt)
+	// Format: [mode:1] [username_len:2] [username:N] [jwt_len:2] [jwt:N] [session_id:4]
+	hdr := make([]byte, 3+len(usernameBytes)+2+len(jwtBytes)+4)
+	hdr[0] = dest.mode
+	hdr[1] = byte(len(usernameBytes) >> 8)
+	hdr[2] = byte(len(usernameBytes))
+	off := 3
+	copy(hdr[off:], usernameBytes)
+	off += len(usernameBytes)
+	hdr[off] = byte(len(jwtBytes) >> 8)
+	hdr[off+1] = byte(len(jwtBytes))
+	off += 2
+	copy(hdr[off:], jwtBytes)
+	off += len(jwtBytes)
+	hdr[off] = byte(dest.sessionID >> 24)
+	hdr[off+1] = byte(dest.sessionID >> 16)
+	hdr[off+2] = byte(dest.sessionID >> 8)
+	hdr[off+3] = byte(dest.sessionID)
+
+	_, err := conn.Write(hdr)
+	return err
+}
+
+func (p *VNCProxy) forwardConnToWS(conn *vncConnection) {
+	buf := make([]byte, 32*1024)
+
+	for {
+		if conn.ctx.Err() != nil {
+			return
+		}
+
+		// Set a read deadline so we detect dead connections instead of
+		// blocking forever when the remote peer dies.
+		conn.mu.Lock()
+		vc := conn.vncConn
+		conn.mu.Unlock()
+		if vc == nil {
+			return
+		}
+		vc.SetReadDeadline(time.Now().Add(30 * time.Second))
+
+		n, err := vc.Read(buf)
+		if err != nil {
+			if conn.ctx.Err() != nil {
+				return
+			}
+			if netErr, ok := err.(interface{ Timeout() bool }); ok && netErr.Timeout() {
+				// Read timeout: connection might be stale. Send a ping-like
+				// empty read to check. If the connection is truly dead, the
+				// next iteration will fail too and we'll close.
+				continue
+			}
+			if err != io.EOF {
+				log.Debugf("read from VNC connection: %v", err)
+			}
+			// Close the WebSocket to notify noVNC.
+			if conn.wsHandlers.Get("close").Truthy() {
+				conn.wsHandlers.Call("close", 1006, "VNC connection lost")
+			}
+			return
+		}
+
+		if n > 0 {
+			p.sendToWebSocket(conn, buf[:n])
+		}
+	}
+}
+
+func (p *VNCProxy) sendToWebSocket(conn *vncConnection, data []byte) {
+	if conn.wsHandlers.Get("receiveFromGo").Truthy() {
+		uint8Array := js.Global().Get("Uint8Array").New(len(data))
+		js.CopyBytesToJS(uint8Array, data)
+		conn.wsHandlers.Call("receiveFromGo", uint8Array.Get("buffer"))
+	} else if conn.wsHandlers.Get("send").Truthy() {
+		uint8Array := js.Global().Get("Uint8Array").New(len(data))
+		js.CopyBytesToJS(uint8Array, data)
+		conn.wsHandlers.Call("send", uint8Array.Get("buffer"))
+	}
+}
+
+func (p *VNCProxy) cleanupConnection(conn *vncConnection) {
+	log.Debugf("cleaning up VNC connection %s", conn.id)
+	conn.cancel()
+
+	conn.mu.Lock()
+	vncConn := conn.vncConn
+	conn.vncConn = nil
+	conn.mu.Unlock()
+
+	if vncConn != nil {
+		if err := vncConn.Close(); err != nil {
+			log.Debugf("close VNC connection: %v", err)
+		}
+	}
+
+	// Remove the global JS handler registered in CreateProxy.
+	globalName := fmt.Sprintf("handleVNCWebSocket_%s", conn.id)
+	js.Global().Delete(globalName)
+
+	p.mu.Lock()
+	delete(p.activeConnections, conn.id)
+	delete(p.destinations, conn.id)
+	p.mu.Unlock()
+}

go.mod

@@ -13,28 +13,28 @@ require (
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.27.6
 	github.com/rs/cors v1.8.0
-	github.com/sirupsen/logrus v1.9.4
+	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.10.1
 	github.com/spf13/pflag v1.0.9
 	github.com/vishvananda/netlink v1.3.1
-	golang.org/x/crypto v0.49.0
-	golang.org/x/sys v0.42.0
+	golang.org/x/crypto v0.48.0
+	golang.org/x/sys v0.41.0
 	golang.zx2c4.com/wireguard v0.0.0-20230704135630-469159ecf7d1
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	google.golang.org/grpc v1.80.0
+	google.golang.org/grpc v1.79.3
 	google.golang.org/protobuf v1.36.11
-	gopkg.in/natefinch/lumberjack.v2 v2.2.1
+	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )
 
 require (
 	fyne.io/fyne/v2 v2.7.0
 	fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9
 	github.com/awnumar/memguard v0.23.0
-	github.com/aws/aws-sdk-go-v2 v1.38.3
-	github.com/aws/aws-sdk-go-v2/config v1.31.6
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.10
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.87.3
+	github.com/aws/aws-sdk-go-v2 v1.36.3
+	github.com/aws/aws-sdk-go-v2/config v1.29.14
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.79.2
 	github.com/c-robinson/iplib v1.0.3
 	github.com/caddyserver/certmagic v0.21.3
 	github.com/cilium/ebpf v0.15.0
@@ -42,8 +42,6 @@ require (
 	github.com/coreos/go-iptables v0.7.0
 	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/creack/pty v1.1.24
-	github.com/crowdsecurity/crowdsec v1.7.7
-	github.com/crowdsecurity/go-cs-bouncer v0.0.21
 	github.com/dexidp/dex v0.0.0-00010101000000-000000000000
 	github.com/dexidp/dex/api/v2 v2.4.0
 	github.com/eko/gocache/lib/v4 v4.2.0
@@ -62,7 +60,7 @@ require (
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.2-0.20240212192251-757544f21357
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
-	github.com/hashicorp/go-version v1.7.0
+	github.com/hashicorp/go-version v1.6.0
 	github.com/jackc/pgx/v5 v5.5.5
 	github.com/libdns/route53 v1.5.0
 	github.com/libp2p/go-nat v0.2.0
@@ -71,7 +69,7 @@ require (
 	github.com/mdlayher/socket v0.5.1
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20260416123949-2355d972be42
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20260210160626-df4b180c7b25
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45
 	github.com/oapi-codegen/runtime v1.1.2
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
@@ -106,22 +104,22 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.4
 	github.com/zcalusic/sysinfo v1.1.3
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0
-	go.opentelemetry.io/otel v1.43.0
+	go.opentelemetry.io/otel v1.42.0
 	go.opentelemetry.io/otel/exporters/prometheus v0.64.0
-	go.opentelemetry.io/otel/metric v1.43.0
-	go.opentelemetry.io/otel/sdk/metric v1.43.0
+	go.opentelemetry.io/otel/metric v1.42.0
+	go.opentelemetry.io/otel/sdk/metric v1.42.0
 	go.uber.org/mock v0.5.2
 	go.uber.org/zap v1.27.0
 	goauthentik.io/api/v3 v3.2023051.3
-	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
 	golang.org/x/mobile v0.0.0-20251113184115-a159579294ab
-	golang.org/x/mod v0.33.0
-	golang.org/x/net v0.52.0
-	golang.org/x/oauth2 v0.36.0
-	golang.org/x/sync v0.20.0
-	golang.org/x/term v0.41.0
-	golang.org/x/time v0.15.0
-	google.golang.org/api v0.276.0
+	golang.org/x/mod v0.32.0
+	golang.org/x/net v0.51.0
+	golang.org/x/oauth2 v0.34.0
+	golang.org/x/sync v0.19.0
+	golang.org/x/term v0.40.0
+	golang.org/x/time v0.14.0
+	google.golang.org/api v0.257.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.5.7
 	gorm.io/driver/postgres v1.5.7
@@ -131,11 +129,11 @@ require (
 )
 
 require (
-	cloud.google.com/go/auth v0.20.0 // indirect
+	cloud.google.com/go/auth v0.17.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
-	filippo.io/edwards25519 v1.1.1 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AppsFlyer/go-sundheit v0.6.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
@@ -146,39 +144,36 @@ require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/awnumar/memcall v0.4.0 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.6 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.6 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 // indirect
 	github.com/aws/aws-sdk-go-v2/service/route53 v1.42.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.29.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.38.2 // indirect
-	github.com/aws/smithy-go v1.23.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+	github.com/aws/smithy-go v1.22.2 // indirect
 	github.com/beevik/etree v1.6.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
-	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
-	github.com/crowdsecurity/go-cs-lib v0.0.25 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/docker v28.0.1+incompatible // indirect
-	github.com/docker/go-connections v0.6.0 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.4 // indirect
+	github.com/ebitengine/purego v0.8.2 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fredbi/uri v1.1.1 // indirect
 	github.com/fyne-io/gl-js v0.2.0 // indirect
@@ -192,26 +187,14 @@ require (
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/go-openapi/analysis v0.23.0 // indirect
-	github.com/go-openapi/errors v0.22.2 // indirect
-	github.com/go-openapi/jsonpointer v0.21.1 // indirect
-	github.com/go-openapi/jsonreference v0.21.0 // indirect
-	github.com/go-openapi/loads v0.22.0 // indirect
-	github.com/go-openapi/spec v0.21.0 // indirect
-	github.com/go-openapi/strfmt v0.23.0 // indirect
-	github.com/go-openapi/swag v0.23.1 // indirect
-	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/go-text/render v0.2.0 // indirect
 	github.com/go-text/typesetting v0.2.1 // indirect
-	github.com/goccy/go-yaml v1.18.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
-	github.com/googleapis/gax-go/v2 v2.21.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
 	github.com/gorilla/handlers v1.5.2 // indirect
 	github.com/hack-pad/go-indexeddb v0.3.2 // indirect
 	github.com/hack-pad/safejs v0.1.0 // indirect
@@ -225,22 +208,22 @@ require (
 	github.com/jackc/puddle/v2 v2.2.1 // indirect
 	github.com/jackpal/go-nat-pmp v1.0.2 // indirect
 	github.com/jeandeaual/go-locale v0.0.0-20250612000132-0ef82f21eade // indirect
+	github.com/jezek/xgb v1.3.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jonboulle/clockwork v0.5.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
 	github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
+	github.com/kirides/go-d3d v1.0.1 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
 	github.com/koron/go-ssdp v0.0.4 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae // indirect
 	github.com/magiconair/properties v1.8.10 // indirect
-	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/mdelapenya/tlscert v0.2.0 // indirect
@@ -248,7 +231,6 @@ require (
 	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mholt/acmez/v2 v2.0.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
@@ -260,8 +242,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
 	github.com/nicksnyder/go-i18n/v2 v2.5.1 // indirect
-	github.com/nxadm/tail v1.4.11 // indirect
-	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
@@ -271,43 +252,41 @@ require (
 	github.com/pion/transport/v2 v2.2.4 // indirect
 	github.com/pion/turn/v4 v4.1.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.67.5 // indirect
 	github.com/prometheus/otlptranslator v1.0.0 // indirect
 	github.com/prometheus/procfs v0.19.2 // indirect
-	github.com/russellhaering/goxmldsig v1.6.0 // indirect
+	github.com/russellhaering/goxmldsig v1.5.0 // indirect
 	github.com/rymdport/portal v0.4.2 // indirect
-	github.com/shirou/gopsutil/v4 v4.25.8 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.1 // indirect
 	github.com/shoenig/go-m1cpu v0.2.1 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
 	github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c // indirect
 	github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/tklauser/go-sysconf v0.3.15 // indirect
-	github.com/tklauser/numcpus v0.10.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.14 // indirect
+	github.com/tklauser/numcpus v0.8.0 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/wlynxg/anet v0.0.5 // indirect
 	github.com/yuin/goldmark v1.7.8 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
-	go.mongodb.org/mongo-driver v1.17.9 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
-	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.42.0 // indirect
+	go.opentelemetry.io/otel/trace v1.42.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/image v0.33.0 // indirect
-	golang.org/x/text v0.35.0 // indirect
-	golang.org/x/tools v0.42.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/tools v0.41.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
 
 replace github.com/kardianos/service => github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502

go.sum

@@ -1,5 +1,5 @@
-cloud.google.com/go/auth v0.20.0 h1:kXTssoVb4azsVDoUiF8KvxAqrsQcQtB53DcSgta74CA=
-cloud.google.com/go/auth v0.20.0/go.mod h1:942/yi/itH1SsmpyrbnTMDgGfdy2BUqIKyd0cyYLc5Q=
+cloud.google.com/go/auth v0.17.0 h1:74yCm7hCj2rUyyAocqnFzsAYXgJhrG26XCFimrc/Kz4=
+cloud.google.com/go/auth v0.17.0/go.mod h1:6wv/t5/6rOPAX4fJiRjKkJCvswLwdet7G8+UGXt7nCQ=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
@@ -9,8 +9,8 @@ cunicu.li/go-rosenpass v0.4.0 h1:LtPtBgFWY/9emfgC4glKLEqS0MJTylzV6+ChRhiZERw=
 cunicu.li/go-rosenpass v0.4.0/go.mod h1:MPbjH9nxV4l3vEagKVdFNwHOketqgS5/To1VYJplf/M=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw=
-filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 fyne.io/fyne/v2 v2.7.0 h1:GvZSpE3X0liU/fqstInVvRsaboIVpIWQ4/sfjDGIGGQ=
 fyne.io/fyne/v2 v2.7.0/go.mod h1:xClVlrhxl7D+LT+BWYmcrW4Nf+dJTvkhnPgji7spAwE=
 fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9 h1:829+77I4TaMrcg9B3wf+gHhdSgoCVEgH2czlPXPbfj4=
@@ -40,50 +40,48 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
-github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
-github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/awnumar/memcall v0.4.0 h1:B7hgZYdfH6Ot1Goaz8jGne/7i8xD4taZie/PNSFZ29g=
 github.com/awnumar/memcall v0.4.0/go.mod h1:8xOx1YbfyuCg3Fy6TO8DK0kZUua3V42/goA5Ru47E8w=
 github.com/awnumar/memguard v0.23.0 h1:sJ3a1/SWlcuKIQ7MV+R9p0Pvo9CWsMbGZvcZQtmc68A=
 github.com/awnumar/memguard v0.23.0/go.mod h1:olVofBrsPdITtJ2HgxQKrEYEMyIBAIciVG4wNnZhW9M=
-github.com/aws/aws-sdk-go-v2 v1.38.3 h1:B6cV4oxnMs45fql4yRH+/Po/YU+597zgWqvDpYMturk=
-github.com/aws/aws-sdk-go-v2 v1.38.3/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 h1:i8p8P4diljCr60PpJp6qZXNlgX4m2yQFpYk+9ZT+J4E=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1/go.mod h1:ddqbooRZYNoJ2dsTwOty16rM+/Aqmk/GOXrK8cg7V00=
-github.com/aws/aws-sdk-go-v2/config v1.31.6 h1:a1t8fXY4GT4xjyJExz4knbuoxSCacB5hT/WgtfPyLjo=
-github.com/aws/aws-sdk-go-v2/config v1.31.6/go.mod h1:5ByscNi7R+ztvOGzeUaIu49vkMk2soq5NaH5PYe33MQ=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.10 h1:xdJnXCouCx8Y0NncgoptztUocIYLKeQxrCgN6x9sdhg=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.10/go.mod h1:7tQk08ntj914F/5i9jC4+2HQTAuJirq7m1vZVIhEkWs=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.6 h1:wbjnrrMnKew78/juW7I2BtKQwa1qlf6EjQgS69uYY14=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.6/go.mod h1:AtiqqNrDioJXuUgz3+3T0mBWN7Hro2n9wll2zRUc0ww=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6 h1:uF68eJA6+S9iVr9WgX1NaRGyQ/6MdIyc4JNUo6TN1FA=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.6/go.mod h1:qlPeVZCGPiobx8wb1ft0GHT5l+dc6ldnwInDFaMvC7Y=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6 h1:pa1DEC6JoI0zduhZePp3zmhWvk/xxm4NB8Hy/Tlsgos=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.6/go.mod h1:gxEjPebnhWGJoaDdtDkA0JX46VRg1wcTHYe63OfX5pE=
+github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
+github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 h1:zAybnyUQXIZ5mok5Jqwlf58/TFE7uvd3IAsa1aF9cXs=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10/go.mod h1:qqvMj6gHLR/EXWZw4ZbqlPbQUyenf4h82UQUlKc+l14=
+github.com/aws/aws-sdk-go-v2/config v1.29.14 h1:f+eEi/2cKCg9pqKBoAIwRGzVb70MRKqWX4dg1BDcSJM=
+github.com/aws/aws-sdk-go-v2/config v1.29.14/go.mod h1:wVPHWcIFv3WO89w0rE10gzf17ZYy+UVS1Geq8Iei34g=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67 h1:9KxtdcIA/5xPNQyZRgUSpYOE6j9Bc4+D7nZua0KGYOM=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67/go.mod h1:p3C44m+cfnbv763s52gCqrjaqyPikj9Sg47kUVaNZQQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.6 h1:R0tNFJqfjHL3900cqhXuwQ+1K4G0xc9Yf8EDbFXCKEw=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.6/go.mod h1:y/7sDdu+aJvPtGXr4xYosdpq9a6T9Z0jkXfugmti0rI=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.6 h1:hncKj/4gR+TPauZgTAsxOxNcvBayhUlYZ6LO/BYiQ30=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.6/go.mod h1:OiIh45tp6HdJDDJGnja0mw8ihQGz3VGrUflLqSL0SmM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.6 h1:LHS1YAIJXJ4K9zS+1d/xa9JAA9sL2QyXIQCQFQW/X08=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.6/go.mod h1:c9PCiTEuh0wQID5/KqA32J+HAgZxN9tOGXKCiYJjTZI=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.6 h1:nEXUSAwyUfLTgnc9cxlDWy637qsq4UWwp3sNAfl0Z3Y=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.6/go.mod h1:HGzIULx4Ge3Do2V0FaiYKcyKzOqwrhUZgCI77NisswQ=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 h1:ZNTqv4nIdE/DiBfUUfXcLZ/Spcuz+RjeziUtNJackkM=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34/go.mod h1:zf7Vcd1ViW7cPqYWEHLHJkS50X0JS2IKz9Cgaj6ugrs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.0 h1:lguz0bmOoGzozP9XfRJR1QIayEYo+2vP/No3OfLF0pU=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.0/go.mod h1:iu6FSzgt+M2/x3Dk8zhycdIcHjEFb36IS8HVUVFoMg0=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 h1:moLQUoVq91LiqT1nbvzDukyqAlCv89ZmwaHw/ZFlFZg=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15/go.mod h1:ZH34PJUc8ApjBIfgQCFvkWcUDBtl/WTD+uiYHjd8igA=
 github.com/aws/aws-sdk-go-v2/service/route53 v1.42.3 h1:MmLCRqP4U4Cw9gJ4bNrCG0mWqEtBlmAVleyelcHARMU=
 github.com/aws/aws-sdk-go-v2/service/route53 v1.42.3/go.mod h1:AMPjK2YnRh0YgOID3PqhJA1BRNfXDfGOnSsKHtAe8yA=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.87.3 h1:ETkfWcXP2KNPLecaDa++5bsQhCRa5M5sLUJa5DWYIIg=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.87.3/go.mod h1:+/3ZTqoYb3Ur7DObD00tarKMLMuKg8iqz5CHEanqTnw=
-github.com/aws/aws-sdk-go-v2/service/sso v1.29.1 h1:8OLZnVJPvjnrxEwHFg9hVUof/P4sibH+Ea4KKuqAGSg=
-github.com/aws/aws-sdk-go-v2/service/sso v1.29.1/go.mod h1:27M3BpVi0C02UiQh1w9nsBEit6pLhlaH3NHna6WUbDE=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.2 h1:gKWSTnqudpo8dAxqBqZnDoDWCiEh/40FziUjr/mo6uA=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.2/go.mod h1:x7+rkNmRoEN1U13A6JE2fXne9EWyJy54o3n6d4mGaXQ=
-github.com/aws/aws-sdk-go-v2/service/sts v1.38.2 h1:YZPjhyaGzhDQEvsffDEcpycq49nl7fiGcfJTIo8BszI=
-github.com/aws/aws-sdk-go-v2/service/sts v1.38.2/go.mod h1:2dIN8qhQfv37BdUYGgEC8Q3tteM3zFxTI1MLO2O3J3c=
-github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE=
-github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.79.2 h1:tWUG+4wZqdMl/znThEk9tcCy8tTMxq8dW0JTgamohrY=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.79.2/go.mod h1:U5SNqwhXB3Xe6F47kXvWihPl/ilGaEDe8HD/50Z9wxc=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/XvaX32evhproijJEZY=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
+github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
+github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/beevik/etree v1.6.0 h1:u8Kwy8pp9D9XeITj2Z0XtA5qqZEmtJtuXZRQi+j03eE=
 github.com/beevik/etree v1.6.0/go.mod h1:bh4zJxiIr62SOf9pRzN7UUYaEDa9HEKafK25+sLc0Gc=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -101,8 +99,6 @@ github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+Y
 github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
-github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
@@ -122,18 +118,11 @@ github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHf
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
-github.com/crowdsecurity/crowdsec v1.7.7 h1:sduZN763iXsrZodocWDrsR//7nLeffGu+RVkkIsbQkE=
-github.com/crowdsecurity/crowdsec v1.7.7/go.mod h1:L1HLGPDnBYCcY+yfSFnuBbQ1G9DHEJN9c+Kevv9F+4Q=
-github.com/crowdsecurity/go-cs-bouncer v0.0.21 h1:arPz0VtdVSaz+auOSfHythzkZVLyy18CzYvYab8UJDU=
-github.com/crowdsecurity/go-cs-bouncer v0.0.21/go.mod h1:4JiH0XXA4KKnnWThItUpe5+heJHWzsLOSA2IWJqUDBA=
-github.com/crowdsecurity/go-cs-lib v0.0.25 h1:Ov6VPW9yV+OPsbAIQk1iTkEWhwkpaG0v3lrBzeqjzj4=
-github.com/crowdsecurity/go-cs-lib v0.0.25/go.mod h1:X0GMJY2CxdA1S09SpuqIKaWQsvRGxXmecUp9cP599dE=
 github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6 h1:/DS5cDX3FJdl+XaN2D7XAwFpuanTxnp52DBLZAaJKx0=
 github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dexidp/dex/api/v2 v2.4.0 h1:gNba7n6BKVp8X4Jp24cxYn5rIIGhM6kDOXcZoL6tr9A=
 github.com/dexidp/dex/api/v2 v2.4.0/go.mod h1:/p550ADvFFh7K95VmhUD+jgm15VdaNnab9td8DHOpyI=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
@@ -142,12 +131,12 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/docker v28.0.1+incompatible h1:FCHjSRdXhNRFjlHMTv4jUNlIBbTeRjrWfeFuJp7jpo0=
 github.com/docker/docker v28.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
-github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
+github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/ebitengine/purego v0.8.4 h1:CF7LEKg5FFOsASUj0+QwaXf8Ht6TlFxg09+S9wz0omw=
-github.com/ebitengine/purego v0.8.4/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/ebitengine/purego v0.8.2 h1:jPPGWs2sZ1UgOSgD2bClL0MJIqu58nOmIcBuXr62z1I=
+github.com/ebitengine/purego v0.8.2/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/eko/gocache/lib/v4 v4.2.0 h1:MNykyi5Xw+5Wu3+PUrvtOCaKSZM1nUSVftbzmeC7Yuw=
 github.com/eko/gocache/lib/v4 v4.2.0/go.mod h1:7ViVmbU+CzDHzRpmB4SXKyyzyuJ8A3UW3/cszpcqB4M=
 github.com/eko/gocache/store/go_cache/v4 v4.2.2 h1:tAI9nl6TLoJyKG1ujF0CS0n/IgTEMl+NivxtR5R3/hw=
@@ -166,7 +155,6 @@ github.com/fredbi/uri v1.1.1 h1:xZHJC08GZNIUhbP5ImTHnt5Ya0T8FI2VAwI/37kh2Ko=
 github.com/fredbi/uri v1.1.1/go.mod h1:4+DZQ5zBjEwQCDmXW5JdIjz0PUA+yJbvtBv+u+adr5o=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fyne-io/gl-js v0.2.0 h1:+EXMLVEa18EfkXBVKhifYB6OGs3HwKO3lUElA0LlAjs=
@@ -199,24 +187,6 @@ github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
-github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU=
-github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo=
-github.com/go-openapi/errors v0.22.2 h1:rdxhzcBUazEcGccKqbY1Y7NS8FDcMyIRr0934jrYnZg=
-github.com/go-openapi/errors v0.22.2/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0=
-github.com/go-openapi/jsonpointer v0.21.1 h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic=
-github.com/go-openapi/jsonpointer v0.21.1/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk=
-github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
-github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
-github.com/go-openapi/loads v0.22.0 h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco=
-github.com/go-openapi/loads v0.22.0/go.mod h1:yLsaTCS92mnSAZX5WWoxszLj0u+Ojl+Zs5Stn1oF+rs=
-github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9ZY=
-github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk=
-github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c=
-github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4=
-github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU=
-github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0=
-github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
-github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
 github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM=
 github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY=
 github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
@@ -233,14 +203,10 @@ github.com/go-text/typesetting v0.2.1 h1:x0jMOGyO3d1qFAPI0j4GSsh7M0Q3Ypjzr4+CEVg
 github.com/go-text/typesetting v0.2.1/go.mod h1:mTOxEwasOFpAMBjEQDhdWRckoLLeI/+qrQeBCTGEt6M=
 github.com/go-text/typesetting-utils v0.0.0-20241103174707-87a29e9e6066 h1:qCuYC+94v2xrb1PoS4NIDe7DGYtLnU2wWiQe9a1B1c0=
 github.com/go-text/typesetting-utils v0.0.0-20241103174707-87a29e9e6066/go.mod h1:DDxDdQEnB70R8owOx3LVpEFvpMK9eeH1o2r0yZhFI9o=
-github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
-github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
-github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
 github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
@@ -264,7 +230,6 @@ github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl76
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -272,8 +237,6 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
@@ -285,10 +248,10 @@ github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8=
-github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
-github.com/googleapis/gax-go/v2 v2.21.0 h1:h45NjjzEO3faG9Lg/cFrBh2PgegVVgzqKzuZl/wMbiI=
-github.com/googleapis/gax-go/v2 v2.21.0/go.mod h1:But/NJU6TnZsrLai/xBAQLLz+Hc7fHZJt/hsCz3Fih4=
+github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAVrGgAa0f2/R35S4DJwfFaUPFQ=
+github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
+github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
+github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
 github.com/gopacket/gopacket v1.1.1 h1:zbx9F9d6A7sWNkFKrvMBZTfGgxFoY4NgUudFVVHMfcw=
 github.com/gopacket/gopacket v1.1.1/go.mod h1:HavMeONEl7W9036of9LbSWoonqhH7HA1+ZRO+rMIvFs=
 github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
@@ -313,8 +276,8 @@ github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PU
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
-github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
+github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
@@ -346,6 +309,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jeandeaual/go-locale v0.0.0-20250612000132-0ef82f21eade h1:FmusiCI1wHw+XQbvL9M+1r/C3SPqKrmBaIOYwVfQoDE=
 github.com/jeandeaual/go-locale v0.0.0-20250612000132-0ef82f21eade/go.mod h1:ZDXo8KHryOWSIqnsb/CiDq7hQUYryCgdVnxbj8tDG7o=
+github.com/jezek/xgb v1.3.0 h1:Wa1pn4GVtcmNVAVB6/pnQVJ7xPFZVZ/W1Tc27msDhgI=
+github.com/jezek/xgb v1.3.0/go.mod h1:nrhwO0FX/enq75I7Y7G8iN1ubpSGZEiA3v9e9GyRFlk=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
@@ -356,21 +321,21 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
-github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
-github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25 h1:YLvr1eE6cdCqjOe972w/cYF+FjW34v27+9Vo5106B4M=
 github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25/go.mod h1:kLgvv7o6UM+0QSf0QjAse3wReFDsb9qbZJdfexWlrQw=
 github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
 github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
 github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
+github.com/kirides/go-d3d v1.0.1 h1:ZDANfvo34vskBMET1uwUUMNw8545Kbe8qYSiRwlNIuA=
+github.com/kirides/go-d3d v1.0.1/go.mod h1:99AjD+5mRTFEnkpRWkwq8UYMQDljGIIvLn2NyRdVImY=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
-github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
-github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
+github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/koron/go-ssdp v0.0.4 h1:1IDwrghSKYM7yLf7XCzbByg2sJ/JcNOZRXS2jczTwz0=
 github.com/koron/go-ssdp v0.0.4/go.mod h1:oDXq+E5IL5q0U8uSBcoAXzTzInwy5lEgC91HoKtbmZk=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
@@ -400,8 +365,6 @@ github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae h1:dIZY4ULFcto4tA
 github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
 github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
 github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
-github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
-github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
@@ -425,8 +388,6 @@ github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa1
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
@@ -453,8 +414,8 @@ github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6S
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51/go.mod h1:ZSIbPdBn5hePO8CpF1PekH2SfpTxg1PDhEwtbqZS7R8=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20260416123949-2355d972be42 h1:F3zS5fT9xzD1OFLfcdAE+3FfyiwjGukF1hvj0jErgs8=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20260416123949-2355d972be42/go.mod h1:n47r67ZSPgwSmT/Z1o48JjZQW9YJ6m/6Bd/uAXkL3Pg=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20260210160626-df4b180c7b25 h1:iwAq/Ncaq0etl4uAlVsbNBzC1yY52o0AmY7uCm2AMTs=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20260210160626-df4b180c7b25/go.mod h1:y7CxagMYzg9dgu+masRqYM7BQlOGA5Y8US85MCNFPlY=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ=
@@ -466,13 +427,10 @@ github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S
 github.com/nicksnyder/go-i18n/v2 v2.5.1 h1:IxtPxYsR9Gp60cGXjfuR/llTqV8aYMsC472zD0D1vHk=
 github.com/nicksnyder/go-i18n/v2 v2.5.1/go.mod h1:DrhgsSDZxoAfvVrBVLXoxZn/pN5TXqaDbq7ju94viiQ=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
-github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=
 github.com/oapi-codegen/runtime v1.1.2 h1:P2+CubHq8fO4Q6fV1tqDBZHCwpVpvPg7oKiYzQgXIyI=
 github.com/oapi-codegen/runtime v1.1.2/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
-github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
-github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/okta/okta-sdk-golang/v2 v2.18.0 h1:cfDasMb7CShbZvOrF6n+DnLevWwiHgedWMGJ8M8xKDc=
 github.com/okta/okta-sdk-golang/v2 v2.18.0/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
@@ -493,8 +451,8 @@ github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq5
 github.com/oschwald/maxminddb-golang v1.12.0/go.mod h1:q0Nob5lTCqyQ8WT6FYgS1L7PXKVVbgiymefNwIjPzgY=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
-github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
-github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pelletier/go-toml/v2 v2.0.9 h1:uH2qQXheeefCCkuBBSLi7jCiSmj3VRh2+Goq2N7Xxu0=
+github.com/pelletier/go-toml/v2 v2.0.9/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
 github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203 h1:E7Kmf11E4K7B5hDti2K2NqPb1nlYlGYsu02S1JNd/Bs=
 github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
 github.com/pion/dtls/v2 v2.2.7/go.mod h1:8WiMkebSHFD0T+dIU+UeBaoV7kDhOW5oDCzZ7WZ/F9s=
@@ -532,9 +490,8 @@ github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/pkg/sftp v1.13.9 h1:4NGkvGudBL7GteO3m6qnaQ4pC0Kvf0onSVc9gR3EWBw=
 github.com/pkg/sftp v1.13.9/go.mod h1:OBN7bVXdstkFFN/gdnHPUb5TE8eb8G1Rp9wCItqjkkA=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
@@ -558,15 +515,15 @@ github.com/rs/cors v1.8.0 h1:P2KMzcFwrPoSjkF1WLRPsp3UMLyql8L4v9hQpVeK5so=
 github.com/rs/cors v1.8.0/go.mod h1:EBwu+T5AvHOcXwvZIkQFjUN6s8Czyqw12GL/Y0tUyRM=
 github.com/rs/xid v1.3.0 h1:6NjYksEUlhurdVehpc7S7dk6DAmcKv8V9gG0FsVN2U4=
 github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
-github.com/russellhaering/goxmldsig v1.6.0 h1:8fdWXEPh2k/NZNQBPFNoVfS3JmzS4ZprY/sAOpKQLks=
-github.com/russellhaering/goxmldsig v1.6.0/go.mod h1:TrnaquDcYxWXfJrOjeMBTX4mLBeYAqaHEyUeWPxZlBM=
+github.com/russellhaering/goxmldsig v1.5.0 h1:AU2UkkYIUOTyZRbe08XMThaOCelArgvNfYapcmSjBNw=
+github.com/russellhaering/goxmldsig v1.5.0/go.mod h1:x98CjQNFJcWfMxeOrMnMKg70lvDP6tE0nTaeUnjXDmk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/rymdport/portal v0.4.2 h1:7jKRSemwlTyVHHrTGgQg7gmNPJs88xkbKcIL3NlcmSU=
 github.com/rymdport/portal v0.4.2/go.mod h1:kFF4jslnJ8pD5uCi17brj/ODlfIidOxlgUDTO5ncnC4=
 github.com/shirou/gopsutil/v3 v3.24.4 h1:dEHgzZXt4LMNm+oYELpzl9YCqV65Yr/6SfrvgRBtXeU=
 github.com/shirou/gopsutil/v3 v3.24.4/go.mod h1:lTd2mdiOspcqLgAnr9/nGi71NkeMpWKdmhuxm9GusH8=
-github.com/shirou/gopsutil/v4 v4.25.8 h1:NnAsw9lN7587WHxjJA9ryDnqhJpFH6A+wagYWTOH970=
-github.com/shirou/gopsutil/v4 v4.25.8/go.mod h1:q9QdMmfAOVIw7a+eF86P7ISEU6ka+NLgkUxlopV4RwI=
+github.com/shirou/gopsutil/v4 v4.25.1 h1:QSWkTc+fu9LTAWfkZwZ6j8MSUk4A2LV7rbH0ZqmLjXs=
+github.com/shirou/gopsutil/v4 v4.25.1/go.mod h1:RoUCUpndaJFtT+2zsZzzmhvbfGoDCJ7nFXKJf8GqJbI=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/go-m1cpu v0.2.1 h1:yqRB4fvOge2+FyRXFkXqsyMoqPazv14Yyy+iyccT2E4=
 github.com/shoenig/go-m1cpu v0.2.1/go.mod h1:KkDOw6m3ZJQAPHbrzkZki4hnx+pDRR1Lo+ldA56wD5w=
@@ -575,8 +532,8 @@ github.com/shoenig/test v1.7.0 h1:eWcHtTXa6QLnBvm0jgEabMRN/uJ4DMV3M8xUGgRkZmk=
 github.com/shoenig/test v1.7.0/go.mod h1:UxJ6u/x2v/TNs/LoLxBNJRV9DiwBBKYxXSyczsBHFoI=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
-github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
-github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
 github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8 h1:TG/diQgUe0pntT/2D9tmUCz4VNwm9MfrtPr0SU2qSX8=
@@ -625,11 +582,11 @@ github.com/ti-mo/conntrack v0.5.1/go.mod h1:T6NCbkMdVU4qEIgwL0njA6lw/iCAbzchlnwm
 github.com/ti-mo/netfilter v0.5.2 h1:CTjOwFuNNeZ9QPdRXt1MZFLFUf84cKtiQutNauHWd40=
 github.com/ti-mo/netfilter v0.5.2/go.mod h1:Btx3AtFiOVdHReTDmP9AE+hlkOcvIy403u7BXXbWZKo=
 github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
-github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4=
-github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=
+github.com/tklauser/go-sysconf v0.3.14 h1:g5vzr9iPFFz24v2KZXs/pvpvh8/V9Fw6vQK5ZZb78yU=
+github.com/tklauser/go-sysconf v0.3.14/go.mod h1:1ym4lWMLUOhuBOPGtRcJm7tEGX4SCYNEEEtghGG/8uY=
 github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
-github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso=
-github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ=
+github.com/tklauser/numcpus v0.8.0 h1:Mx4Wwe/FjZLeQsK/6kt2EOepwwSl7SmJrK5bV/dXYgY=
+github.com/tklauser/numcpus v0.8.0/go.mod h1:ZJZlAY+dmR4eut8epnzf0u/VwodKmryxR8txiloSqBE=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
 github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
@@ -658,30 +615,28 @@ github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
 github.com/zeebo/blake3 v0.2.3/go.mod h1:mjJjZpnsyIVtVgTOSpJ9vmRE4wgDeyt2HU3qXvvKCaQ=
 github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
-go.mongodb.org/mongo-driver v1.17.9 h1:IexDdCuuNJ3BHrELgBlyaH9p60JXAvdzWR128q+U5tU=
-go.mongodb.org/mongo-driver v1.17.9/go.mod h1:LlOhpH5NUEfhxcAwG0UEkMqwYcc4JU18gtCdGudk/tQ=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 h1:yI1/OhfEPy7J9eoa6Sj051C7n5dvpj0QX8g4sRchg04=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0/go.mod h1:NoUCKYWK+3ecatC4HjkRktREheMeEtrXoQxrqYFeHSc=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 h1:OyrsyzuttWTSur2qN/Lm0m2a8yqyIjUVBZcxFPuXq2o=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0/go.mod h1:C2NGBr+kAB4bk3xtMXfZ94gqFDtg/GkI7e9zqGh5Beg=
-go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
-go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho=
+go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
 go.opentelemetry.io/otel/exporters/prometheus v0.64.0 h1:g0LRDXMX/G1SEZtK8zl8Chm4K6GBwRkjPKE36LxiTYs=
 go.opentelemetry.io/otel/exporters/prometheus v0.64.0/go.mod h1:UrgcjnarfdlBDP3GjDIJWe6HTprwSazNjwsI+Ru6hro=
-go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
-go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
-go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
-go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
-go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
-go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
-go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
-go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
+go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4=
+go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI=
+go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo=
+go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts=
+go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA=
+go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc=
+go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY=
+go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=
 go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -707,10 +662,10 @@ golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1m
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
-golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
-golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/image v0.33.0 h1:LXRZRnv1+zGd5XBUVRFmYEphyyKJjQjCRiOuAP3sZfQ=
 golang.org/x/image v0.33.0/go.mod h1:DD3OsTYT9chzuzTQt+zMcOlBHgfoKQb1gry8p76Y1sc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
@@ -725,8 +680,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
-golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
@@ -745,11 +700,11 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
-golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
-golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -761,8 +716,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
-golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -782,8 +737,8 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -797,8 +752,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -811,8 +766,8 @@ golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
-golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -824,10 +779,10 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
-golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
-golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
@@ -839,8 +794,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -851,19 +806,19 @@ golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvY
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
-gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
-gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
-google.golang.org/api v0.276.0 h1:nVArUtfLEihtW+b0DdcqRGK1xoEm2+ltAihyztq7MKY=
-google.golang.org/api v0.276.0/go.mod h1:Fnag/EWUPIcJXuIkP1pjoTgS5vdxlk3eeemL7Do6bvw=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/api v0.257.0 h1:8Y0lzvHlZps53PEaw+G29SsQIkuKrumGWs9puiexNAA=
+google.golang.org/api v0.257.0/go.mod h1:4eJrr+vbVaZSqs7vovFd1Jb/A6ml6iw2e6FBYf3GAO4=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 h1:XzmzkmB14QhVhgnawEVsOn6OFsnpyxNPRY9QV01dNB0=
-google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:L43LFes82YgSonw6iTXTxXUX1OlULt4AQtkik4ULL/I=
-google.golang.org/genproto/googleapis/api v0.0.0-20260319201613-d00831a3d3e7 h1:41r6JMbpzBMen0R/4TZeeAmGXSJC7DftGINUodzTkPI=
-google.golang.org/genproto/googleapis/api v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:EIQZ5bFCfRQDV4MhRle7+OgjNtZ6P1PiZBgAKuxXu/Y=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
-google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
-google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
+google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
+google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -885,8 +840,8 @@ gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8
 gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
-gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
+gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
+gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=