feat: poc for token command on combined

feat: adds netbird's proxy component to getting-started
fix: remove duplicate import
2026-04-24 18:32:13 -04:00 · 2026-02-13 01:22:59 +01:00 · 2026-02-13 00:42:59 +01:00 · 2026-02-13 00:02:50 +01:00 · 2026-02-12 19:27:12 +01:00 · 2026-02-12 19:12:20 +01:00
305 changed files with 2840 additions and 34468 deletions
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -39,7 +39,7 @@ jobs:
            else
              echo "✓ No problematic dependencies found"
            fi
-          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name "combined" -not -name ".git*" | sort)
+          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name ".git*" | sort)

          echo ""
          if [ $FOUND_ISSUES -eq 1 ]; then
@@ -88,7 +88,7 @@ jobs:
              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")

              # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" | head -1)

              if [ -n "$BSD_IMPORTER" ]; then
                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -43,5 +43,5 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy)

--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -97,16 +97,6 @@ jobs:
        working-directory: relay
        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .

-      - name: Build combined
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build combined 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 GOARCH=386 go build -o combined-386 .
-
  test:
    name: "Client / Unit"
    needs: [build-cache]
@@ -154,7 +144,7 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy)

  test_client_on_docker:
    name: "Client (Docker) / Unit"
@@ -214,7 +204,7 @@ jobs:
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /client/ui -e /upload-server)
            '

  test_relay:
@@ -409,19 +399,12 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
-
      - name: download mysql image
        if: matrix.store == 'mysql'
        run: docker pull mlsmaycon/warmed-mysql:8
@@ -504,18 +487,15 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
        run: |
@@ -596,18 +576,15 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
        run: |
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -63,7 +63,7 @@ jobs:
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' })" >> $env:GITHUB_ENV
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' })" >> $env:GITHUB_ENV

      - name: test
        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,7 +19,7 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans
          skip: go.mod,go.sum,**/proxy/web/**
  golangci:
    strategy:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -160,7 +160,7 @@ jobs:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@@ -176,7 +176,6 @@ jobs:
      - name: Generate windows syso arm64
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
-        id: goreleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
@@ -186,19 +185,6 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-      - name: Tag and push PR images (amd64 only)
-        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
-        run: |
-          PR_TAG="pr-${{ github.event.pull_request.number }}"
-          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
-            grep '^ghcr.io/' | while read -r SRC; do
-              IMG_NAME="${SRC%%:*}"
-              DST="${IMG_NAME}:${PR_TAG}"
-              echo "Tagging ${SRC} -> ${DST}"
-              docker tag "$SRC" "$DST"
-              docker push "$DST"
-            done
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -140,20 +140,6 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"

-  - id: netbird-proxy
-    dir: proxy/cmd/proxy
-    env: [CGO_ENABLED=0]
-    binary: netbird-proxy
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
 universal_binaries:
  - id: netbird

@@ -603,55 +589,6 @@ dockers:
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-    ids:
-      - netbird-proxy
-    goarch: amd64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-    ids:
-      - netbird-proxy
-    goarch: arm64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-    ids:
-      - netbird-proxy
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
  - name_template: netbirdio/netbird:{{ .Version }}
    image_templates:
@@ -832,30 +769,6 @@ docker_manifests:
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64

-  - name_template: netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:latest
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
 brews:
  - ids:
      - default
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/, relay/ and combined/.
+This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.

 BSD 3-Clause License
--- a/client/android/env_list.go
+++ b/client/android/env_list.go
@@ -1,19 +1,10 @@
 package android

-import (
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
+import "github.com/netbirdio/netbird/client/internal/peer"

 var (
-	// EnvKeyNBForceRelay Exported for Android java client to force relay connections
+	// EnvKeyNBForceRelay Exported for Android java client
 	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
-
-	// EnvKeyNBLazyConn Exported for Android java client to configure lazy connection
-	EnvKeyNBLazyConn = lazyconn.EnvEnableLazyConn
-
-	// EnvKeyNBInactivityThreshold Exported for Android java client to configure connection inactivity threshold
-	EnvKeyNBInactivityThreshold = lazyconn.EnvInactivityThreshold
 )

 // EnvList wraps a Go map for export to Java
--- a/client/cmd/expose.go
+++ b/client/cmd/expose.go
@@ -1,194 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"os/signal"
-	"regexp"
-	"strconv"
-	"strings"
-	"syscall"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util"
-)
-
-var pinRegexp = regexp.MustCompile(`^\d{6}$`)
-
-var (
-	exposePin        string
-	exposePassword   string
-	exposeUserGroups []string
-	exposeDomain     string
-	exposeNamePrefix string
-	exposeProtocol   string
-)
-
-var exposeCmd = &cobra.Command{
-	Use:     "expose <port>",
-	Short:   "Expose a local port via the NetBird reverse proxy",
-	Args:    cobra.ExactArgs(1),
-	Example: "netbird expose --with-password safe-pass 8080",
-	RunE:    exposeFn,
-}
-
-func init() {
-	exposeCmd.Flags().StringVar(&exposePin, "with-pin", "", "Protect the exposed service with a 6-digit PIN (e.g. --with-pin 123456)")
-	exposeCmd.Flags().StringVar(&exposePassword, "with-password", "", "Protect the exposed service with a password (e.g. --with-password my-secret)")
-	exposeCmd.Flags().StringSliceVar(&exposeUserGroups, "with-user-groups", nil, "Restrict access to specific user groups with SSO (e.g. --with-user-groups devops,Backend)")
-	exposeCmd.Flags().StringVar(&exposeDomain, "with-custom-domain", "", "Custom domain for the exposed service, must be configured to your account (e.g. --with-custom-domain myapp.example.com)")
-	exposeCmd.Flags().StringVar(&exposeNamePrefix, "with-name-prefix", "", "Prefix for the generated service name (e.g. --with-name-prefix my-app)")
-	exposeCmd.Flags().StringVar(&exposeProtocol, "protocol", "http", "Protocol to use, http/https is supported (e.g. --protocol http)")
-}
-
-func validateExposeFlags(cmd *cobra.Command, portStr string) (uint64, error) {
-	port, err := strconv.ParseUint(portStr, 10, 32)
-	if err != nil {
-		return 0, fmt.Errorf("invalid port number: %s", portStr)
-	}
-	if port == 0 || port > 65535 {
-		return 0, fmt.Errorf("invalid port number: must be between 1 and 65535")
-	}
-
-	if !isProtocolValid(exposeProtocol) {
-		return 0, fmt.Errorf("unsupported protocol %q: only 'http' or 'https' are supported", exposeProtocol)
-	}
-
-	if exposePin != "" && !pinRegexp.MatchString(exposePin) {
-		return 0, fmt.Errorf("invalid pin: must be exactly 6 digits")
-	}
-
-	if cmd.Flags().Changed("with-password") && exposePassword == "" {
-		return 0, fmt.Errorf("password cannot be empty")
-	}
-
-	if cmd.Flags().Changed("with-user-groups") && len(exposeUserGroups) == 0 {
-		return 0, fmt.Errorf("user groups cannot be empty")
-	}
-
-	return port, nil
-}
-
-func isProtocolValid(exposeProtocol string) bool {
-	return strings.ToLower(exposeProtocol) == "http" || strings.ToLower(exposeProtocol) == "https"
-}
-
-func exposeFn(cmd *cobra.Command, args []string) error {
-	SetFlagsFromEnvVars(rootCmd)
-
-	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
-		log.Errorf("failed initializing log %v", err)
-		return err
-	}
-
-	cmd.Root().SilenceUsage = false
-
-	port, err := validateExposeFlags(cmd, args[0])
-	if err != nil {
-		return err
-	}
-
-	cmd.Root().SilenceUsage = true
-
-	ctx, cancel := context.WithCancel(cmd.Context())
-	defer cancel()
-
-	sigCh := make(chan os.Signal, 1)
-	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		<-sigCh
-		cancel()
-	}()
-
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		return fmt.Errorf("connect to daemon: %w", err)
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Debugf("failed to close daemon connection: %v", err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-
-	protocol, err := toExposeProtocol(exposeProtocol)
-	if err != nil {
-		return err
-	}
-
-	stream, err := client.ExposeService(ctx, &proto.ExposeServiceRequest{
-		Port:       uint32(port),
-		Protocol:   protocol,
-		Pin:        exposePin,
-		Password:   exposePassword,
-		UserGroups: exposeUserGroups,
-		Domain:     exposeDomain,
-		NamePrefix: exposeNamePrefix,
-	})
-	if err != nil {
-		return fmt.Errorf("expose service: %w", err)
-	}
-
-	if err := handleExposeReady(cmd, stream, port); err != nil {
-		return err
-	}
-
-	return waitForExposeEvents(cmd, ctx, stream)
-}
-
-func toExposeProtocol(exposeProtocol string) (proto.ExposeProtocol, error) {
-	switch strings.ToLower(exposeProtocol) {
-	case "http":
-		return proto.ExposeProtocol_EXPOSE_HTTP, nil
-	case "https":
-		return proto.ExposeProtocol_EXPOSE_HTTPS, nil
-	default:
-		return 0, fmt.Errorf("unsupported protocol %q: only 'http' or 'https' are supported", exposeProtocol)
-	}
-}
-
-func handleExposeReady(cmd *cobra.Command, stream proto.DaemonService_ExposeServiceClient, port uint64) error {
-	event, err := stream.Recv()
-	if err != nil {
-		return fmt.Errorf("receive expose event: %w", err)
-	}
-
-	switch e := event.Event.(type) {
-	case *proto.ExposeServiceEvent_Ready:
-		cmd.Println("Service exposed successfully!")
-		cmd.Printf("  Name:     %s\n", e.Ready.ServiceName)
-		cmd.Printf("  URL:      %s\n", e.Ready.ServiceUrl)
-		cmd.Printf("  Domain:   %s\n", e.Ready.Domain)
-		cmd.Printf("  Protocol: %s\n", exposeProtocol)
-		cmd.Printf("  Port:     %d\n", port)
-		cmd.Println()
-		cmd.Println("Press Ctrl+C to stop exposing.")
-		return nil
-	default:
-		return fmt.Errorf("unexpected expose event: %T", event.Event)
-	}
-}
-
-func waitForExposeEvents(cmd *cobra.Command, ctx context.Context, stream proto.DaemonService_ExposeServiceClient) error {
-	for {
-		_, err := stream.Recv()
-		if err != nil {
-			if ctx.Err() != nil {
-				cmd.Println("\nService stopped.")
-				//nolint:nilerr
-				return nil
-			}
-			if errors.Is(err, io.EOF) {
-				return fmt.Errorf("connection to daemon closed unexpectedly")
-			}
-			return fmt.Errorf("stream error: %w", err)
-		}
-	}
-}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -22,7 +22,6 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"

-	daddr "github.com/netbirdio/netbird/client/internal/daemonaddr"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )

@@ -81,15 +80,6 @@ var (
 		Short:        "",
 		Long:         "",
 		SilenceUsage: true,
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars(cmd.Root())
-
-			// Don't resolve for service commands — they create the socket, not connect to it.
-			if !isServiceCmd(cmd) {
-				daemonAddr = daddr.ResolveUnixDaemonAddr(daemonAddr)
-			}
-			return nil
-		},
 	}
 )

@@ -154,7 +144,6 @@ func init() {
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
 	rootCmd.AddCommand(profileCmd)
-	rootCmd.AddCommand(exposeCmd)

 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
@@ -396,6 +385,7 @@ func migrateToNetbird(oldPath, newPath string) bool {
 }

 func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
+	SetFlagsFromEnvVars(rootCmd)
 	cmd.SetOut(cmd.OutOrStdout())

 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
@@ -408,13 +398,3 @@ func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {

 	return conn, nil
 }
-
-// isServiceCmd returns true if cmd is the "service" command or a child of it.
-func isServiceCmd(cmd *cobra.Command) bool {
-	for c := cmd; c != nil; c = c.Parent() {
-		if c.Name() == "service" {
-			return true
-		}
-	}
-	return false
-}
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -358,9 +358,9 @@ func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	// Fast path for IPv4 addresses (4 bytes) - most common case
 	if len(oldBytes) == 4 && len(newBytes) == 4 {
 		sum += uint32(^binary.BigEndian.Uint16(oldBytes[0:2]))
-		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4]))
 		sum += uint32(binary.BigEndian.Uint16(newBytes[0:2]))
-		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4]))
 	} else {
 		// Fallback for other lengths
 		for i := 0; i < len(oldBytes)-1; i += 2 {
--- a/client/iface/configurer/uapi.go
+++ b/client/iface/configurer/uapi.go
@@ -5,18 +5,20 @@ package configurer
 import (
 	"net"

+	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/ipc"
 )

 func openUAPI(deviceName string) (net.Listener, error) {
 	uapiSock, err := ipc.UAPIOpen(deviceName)
 	if err != nil {
+		log.Errorf("failed to open uapi socket: %v", err)
 		return nil, err
 	}

 	listener, err := ipc.UAPIListen(deviceName, uapiSock)
 	if err != nil {
-		_ = uapiSock.Close()
+		log.Errorf("failed to listen on uapi socket: %v", err)
 		return nil, err
 	}

--- a/client/iface/configurer/usp.go
+++ b/client/iface/configurer/usp.go
@@ -54,14 +54,6 @@ func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder
 	return wgCfg
 }

-func NewUSPConfigurerNoUAPI(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder) *WGUSPConfigurer {
-	return &WGUSPConfigurer{
-		device:           device,
-		deviceName:       deviceName,
-		activityRecorder: activityRecorder,
-	}
-}
-
 func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error {
 	log.Debugf("adding Wireguard private key")
 	key, err := wgtypes.ParseKey(privateKey)
--- a/client/iface/device/device_netstack.go
+++ b/client/iface/device/device_netstack.go
@@ -79,7 +79,7 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)

-	t.configurer = configurer.NewUSPConfigurerNoUAPI(t.device, t.name, t.bind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		if cErr := tunIface.Close(); cErr != nil {
--- a/client/internal/daemonaddr/resolve.go
+++ b/client/internal/daemonaddr/resolve.go
@@ -1,60 +0,0 @@
-//go:build !windows && !ios && !android
-
-package daemonaddr
-
-import (
-	"os"
-	"path/filepath"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-)
-
-var scanDir = "/var/run/netbird"
-
-// setScanDir overrides the scan directory (used by tests).
-func setScanDir(dir string) {
-	scanDir = dir
-}
-
-// ResolveUnixDaemonAddr checks whether the default Unix socket exists and, if not,
-// scans /var/run/netbird/ for a single .sock file to use instead. This handles the
-// mismatch between the netbird@.service template (which places the socket under
-// /var/run/netbird/<instance>.sock) and the CLI default (/var/run/netbird.sock).
-func ResolveUnixDaemonAddr(addr string) string {
-	if !strings.HasPrefix(addr, "unix://") {
-		return addr
-	}
-
-	sockPath := strings.TrimPrefix(addr, "unix://")
-	if _, err := os.Stat(sockPath); err == nil {
-		return addr
-	}
-
-	entries, err := os.ReadDir(scanDir)
-	if err != nil {
-		return addr
-	}
-
-	var found []string
-	for _, e := range entries {
-		if e.IsDir() {
-			continue
-		}
-		if strings.HasSuffix(e.Name(), ".sock") {
-			found = append(found, filepath.Join(scanDir, e.Name()))
-		}
-	}
-
-	switch len(found) {
-	case 1:
-		resolved := "unix://" + found[0]
-		log.Infof("Default daemon socket not found, using discovered socket: %s", resolved)
-		return resolved
-	case 0:
-		return addr
-	default:
-		log.Warnf("Default daemon socket not found and multiple sockets discovered in %s; pass --daemon-addr explicitly", scanDir)
-		return addr
-	}
-}
--- a/client/internal/daemonaddr/resolve_stub.go
+++ b/client/internal/daemonaddr/resolve_stub.go
@@ -1,8 +0,0 @@
-//go:build windows || ios || android
-
-package daemonaddr
-
-// ResolveUnixDaemonAddr is a no-op on platforms that don't use Unix sockets.
-func ResolveUnixDaemonAddr(addr string) string {
-	return addr
-}
--- a/client/internal/daemonaddr/resolve_test.go
+++ b/client/internal/daemonaddr/resolve_test.go
@@ -1,121 +0,0 @@
-//go:build !windows && !ios && !android
-
-package daemonaddr
-
-import (
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-// createSockFile creates a regular file with a .sock extension.
-// ResolveUnixDaemonAddr uses os.Stat (not net.Dial), so a regular file is
-// sufficient and avoids Unix socket path-length limits on macOS.
-func createSockFile(t *testing.T, path string) {
-	t.Helper()
-	if err := os.WriteFile(path, nil, 0o600); err != nil {
-		t.Fatalf("failed to create test sock file at %s: %v", path, err)
-	}
-}
-
-func TestResolveUnixDaemonAddr_DefaultExists(t *testing.T) {
-	tmp := t.TempDir()
-	sock := filepath.Join(tmp, "netbird.sock")
-	createSockFile(t, sock)
-
-	addr := "unix://" + sock
-	got := ResolveUnixDaemonAddr(addr)
-	if got != addr {
-		t.Errorf("expected %s, got %s", addr, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_SingleDiscovered(t *testing.T) {
-	tmp := t.TempDir()
-
-	// Default socket does not exist
-	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
-
-	// Create a scan dir with one socket
-	sd := filepath.Join(tmp, "netbird")
-	if err := os.MkdirAll(sd, 0o755); err != nil {
-		t.Fatal(err)
-	}
-	instanceSock := filepath.Join(sd, "main.sock")
-	createSockFile(t, instanceSock)
-
-	origScanDir := scanDir
-	setScanDir(sd)
-	t.Cleanup(func() { setScanDir(origScanDir) })
-
-	got := ResolveUnixDaemonAddr(defaultAddr)
-	expected := "unix://" + instanceSock
-	if got != expected {
-		t.Errorf("expected %s, got %s", expected, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_MultipleDiscovered(t *testing.T) {
-	tmp := t.TempDir()
-
-	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
-
-	sd := filepath.Join(tmp, "netbird")
-	if err := os.MkdirAll(sd, 0o755); err != nil {
-		t.Fatal(err)
-	}
-	createSockFile(t, filepath.Join(sd, "main.sock"))
-	createSockFile(t, filepath.Join(sd, "other.sock"))
-
-	origScanDir := scanDir
-	setScanDir(sd)
-	t.Cleanup(func() { setScanDir(origScanDir) })
-
-	got := ResolveUnixDaemonAddr(defaultAddr)
-	if got != defaultAddr {
-		t.Errorf("expected original %s, got %s", defaultAddr, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_NoSocketsFound(t *testing.T) {
-	tmp := t.TempDir()
-
-	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
-
-	sd := filepath.Join(tmp, "netbird")
-	if err := os.MkdirAll(sd, 0o755); err != nil {
-		t.Fatal(err)
-	}
-
-	origScanDir := scanDir
-	setScanDir(sd)
-	t.Cleanup(func() { setScanDir(origScanDir) })
-
-	got := ResolveUnixDaemonAddr(defaultAddr)
-	if got != defaultAddr {
-		t.Errorf("expected original %s, got %s", defaultAddr, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_NonUnixAddr(t *testing.T) {
-	addr := "tcp://127.0.0.1:41731"
-	got := ResolveUnixDaemonAddr(addr)
-	if got != addr {
-		t.Errorf("expected %s, got %s", addr, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_ScanDirMissing(t *testing.T) {
-	tmp := t.TempDir()
-
-	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
-
-	origScanDir := scanDir
-	setScanDir(filepath.Join(tmp, "nonexistent"))
-	t.Cleanup(func() { setScanDir(origScanDir) })
-
-	got := ResolveUnixDaemonAddr(defaultAddr)
-	if got != defaultAddr {
-		t.Errorf("expected original %s, got %s", defaultAddr, got)
-	}
-}
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -14,8 +14,6 @@ import (
 	"strings"
 	"sync"

-	"github.com/hashicorp/go-multierror"
-	nberrors "github.com/netbirdio/netbird/client/errors"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"

@@ -24,7 +22,6 @@ import (

 const (
 	netbirdDNSStateKeyFormat            = "State:/Network/Service/NetBird-%s/DNS"
-	netbirdDNSStateKeyIndexedFormat     = "State:/Network/Service/NetBird-%s-%d/DNS"
 	globalIPv4State                     = "State:/Network/Global/IPv4"
 	primaryServiceStateKeyFormat        = "State:/Network/Service/%s/DNS"
 	keySupplementalMatchDomains         = "SupplementalMatchDomains"
@@ -38,14 +35,6 @@ const (
 	searchSuffix                        = "Search"
 	matchSuffix                         = "Match"
 	localSuffix                         = "Local"
-
-	// maxDomainsPerResolverEntry is the max number of domains per scutil resolver key.
-	// scutil's d.add has maxArgs=101 (key + * + 99 values), so 99 is the hard cap.
-	maxDomainsPerResolverEntry = 50
-
-	// maxDomainBytesPerResolverEntry is the max total bytes of domain strings per key.
-	// scutil has an undocumented ~2048 byte value buffer; we stay well under it.
-	maxDomainBytesPerResolverEntry = 1500
 )

 type systemConfigurator struct {
@@ -95,23 +84,28 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 		searchDomains = append(searchDomains, strings.TrimSuffix(""+dConf.Domain, "."))
 	}

-	if err := s.removeKeysContaining(matchSuffix); err != nil {
-		log.Warnf("failed to remove old match keys: %v", err)
-	}
+	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
+	var err error
 	if len(matchDomains) != 0 {
-		if err := s.addBatchedDomains(matchSuffix, matchDomains, config.ServerIP, config.ServerPort, false); err != nil {
-			return fmt.Errorf("add match domains: %w", err)
-		}
+		err = s.addMatchDomains(matchKey, strings.Join(matchDomains, " "), config.ServerIP, config.ServerPort)
+	} else {
+		log.Infof("removing match domains from the system")
+		err = s.removeKeyFromSystemConfig(matchKey)
+	}
+	if err != nil {
+		return fmt.Errorf("add match domains: %w", err)
 	}
 	s.updateState(stateManager)

-	if err := s.removeKeysContaining(searchSuffix); err != nil {
-		log.Warnf("failed to remove old search keys: %v", err)
-	}
+	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
 	if len(searchDomains) != 0 {
-		if err := s.addBatchedDomains(searchSuffix, searchDomains, config.ServerIP, config.ServerPort, true); err != nil {
-			return fmt.Errorf("add search domains: %w", err)
-		}
+		err = s.addSearchDomains(searchKey, strings.Join(searchDomains, " "), config.ServerIP, config.ServerPort)
+	} else {
+		log.Infof("removing search domains from the system")
+		err = s.removeKeyFromSystemConfig(searchKey)
+	}
+	if err != nil {
+		return fmt.Errorf("add search domains: %w", err)
 	}
 	s.updateState(stateManager)

@@ -155,7 +149,8 @@ func (s *systemConfigurator) restoreHostDNS() error {

 func (s *systemConfigurator) getRemovableKeysWithDefaults() []string {
 	if len(s.createdKeys) == 0 {
-		return s.discoverExistingKeys()
+		// return defaults for startup calls
+		return []string{getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix), getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)}
 	}

 	keys := make([]string, 0, len(s.createdKeys))
@@ -165,47 +160,6 @@ func (s *systemConfigurator) getRemovableKeysWithDefaults() []string {
 	return keys
 }

-// discoverExistingKeys probes scutil for all NetBird DNS keys that may exist.
-// This handles the case where createdKeys is empty (e.g., state file lost after unclean shutdown).
-func (s *systemConfigurator) discoverExistingKeys() []string {
-	dnsKeys, err := getSystemDNSKeys()
-	if err != nil {
-		log.Errorf("failed to get system DNS keys: %v", err)
-		return nil
-	}
-
-	var keys []string
-
-	for _, suffix := range []string{searchSuffix, matchSuffix, localSuffix} {
-		key := getKeyWithInput(netbirdDNSStateKeyFormat, suffix)
-		if strings.Contains(dnsKeys, key) {
-			keys = append(keys, key)
-		}
-	}
-
-	for _, suffix := range []string{searchSuffix, matchSuffix} {
-		for i := 0; ; i++ {
-			key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, suffix, i)
-			if !strings.Contains(dnsKeys, key) {
-				break
-			}
-			keys = append(keys, key)
-		}
-	}
-
-	return keys
-}
-
-// getSystemDNSKeys gets all DNS keys
-func getSystemDNSKeys() (string, error) {
-	command := "list .*DNS\nquit\n"
-	out, err := runSystemConfigCommand(command)
-	if err != nil {
-		return "", err
-	}
-	return string(out), nil
-}
-
 func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
 	line := buildRemoveKeyOperation(key)
 	_, err := runSystemConfigCommand(wrapCommand(line))
@@ -230,11 +184,12 @@ func (s *systemConfigurator) addLocalDNS() error {
 		return nil
 	}

-	domainsStr := strings.Join(s.systemDNSSettings.Domains, " ")
-	if err := s.addDNSState(localKey, domainsStr, s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort, true); err != nil {
-		return fmt.Errorf("add local dns state: %w", err)
+	if err := s.addSearchDomains(
+		localKey,
+		strings.Join(s.systemDNSSettings.Domains, " "), s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort,
+	); err != nil {
+		return fmt.Errorf("add search domains: %w", err)
 	}
-	s.createdKeys[localKey] = struct{}{}

 	return nil
 }
@@ -325,77 +280,28 @@ func (s *systemConfigurator) getOriginalNameservers() []netip.Addr {
 	return slices.Clone(s.origNameservers)
 }

-// splitDomainsIntoBatches splits domains into batches respecting both element count and byte size limits.
-func splitDomainsIntoBatches(domains []string) [][]string {
-	if len(domains) == 0 {
-		return nil
+func (s *systemConfigurator) addSearchDomains(key, domains string, ip netip.Addr, port int) error {
+	err := s.addDNSState(key, domains, ip, port, true)
+	if err != nil {
+		return fmt.Errorf("add dns state: %w", err)
 	}

-	var batches [][]string
-	var current []string
-	currentBytes := 0
+	log.Infof("added %d search domains to the state. Domain list: %s", len(strings.Split(domains, " ")), domains)

-	for _, d := range domains {
-		domainLen := len(d)
-		newBytes := currentBytes + domainLen
-		if currentBytes > 0 {
-			newBytes++ // space separator
-		}
+	s.createdKeys[key] = struct{}{}

-		if len(current) > 0 && (len(current) >= maxDomainsPerResolverEntry || newBytes > maxDomainBytesPerResolverEntry) {
-			batches = append(batches, current)
-			current = nil
-			currentBytes = 0
-		}
-
-		current = append(current, d)
-		if currentBytes > 0 {
-			currentBytes += 1 + domainLen
-		} else {
-			currentBytes = domainLen
-		}
-	}
-
-	if len(current) > 0 {
-		batches = append(batches, current)
-	}
-
-	return batches
+	return nil
 }

-// removeKeysContaining removes all created keys that contain the given substring.
-func (s *systemConfigurator) removeKeysContaining(suffix string) error {
-	var toRemove []string
-	for key := range s.createdKeys {
-		if strings.Contains(key, suffix) {
-			toRemove = append(toRemove, key)
-		}
-	}
-	var multiErr *multierror.Error
-	for _, key := range toRemove {
-		if err := s.removeKeyFromSystemConfig(key); err != nil {
-			multiErr = multierror.Append(multiErr, fmt.Errorf("couldn't remove key %s: %w", key, err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(multiErr)
-}
-
-// addBatchedDomains splits domains into batches and creates indexed scutil keys for each batch.
-func (s *systemConfigurator) addBatchedDomains(suffix string, domains []string, ip netip.Addr, port int, enableSearch bool) error {
-	batches := splitDomainsIntoBatches(domains)
-
-	for i, batch := range batches {
-		key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, suffix, i)
-		domainsStr := strings.Join(batch, " ")
-
-		if err := s.addDNSState(key, domainsStr, ip, port, enableSearch); err != nil {
-			return fmt.Errorf("add dns state for batch %d: %w", i, err)
-		}
-
-		s.createdKeys[key] = struct{}{}
+func (s *systemConfigurator) addMatchDomains(key, domains string, dnsServer netip.Addr, port int) error {
+	err := s.addDNSState(key, domains, dnsServer, port, false)
+	if err != nil {
+		return fmt.Errorf("add dns state: %w", err)
 	}

-	log.Infof("added %d %s domains across %d resolver entries", len(domains), suffix, len(batches))
+	log.Infof("added %d match domains to the state. Domain list: %s", len(strings.Split(domains, " ")), domains)
+
+	s.createdKeys[key] = struct{}{}

 	return nil
 }
@@ -458,6 +364,7 @@ func (s *systemConfigurator) flushDNSCache() error {
 	if out, err := cmd.CombinedOutput(); err != nil {
 		return fmt.Errorf("restart mDNSResponder: %w, output: %s", err, out)
 	}
+
 	log.Info("flushed DNS cache")
 	return nil
 }
--- a/client/internal/dns/host_darwin_test.go
+++ b/client/internal/dns/host_darwin_test.go
@@ -3,10 +3,7 @@
 package dns

 import (
-	"bufio"
-	"bytes"
 	"context"
-	"fmt"
 	"net/netip"
 	"os/exec"
 	"path/filepath"
@@ -52,22 +49,17 @@ func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {

 	require.NoError(t, sm.PersistState(context.Background()))

+	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
+	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
 	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)

-	// Collect all created keys for cleanup verification
-	createdKeys := make([]string, 0, len(configurator.createdKeys))
-	for key := range configurator.createdKeys {
-		createdKeys = append(createdKeys, key)
-	}
-
 	defer func() {
-		for _, key := range createdKeys {
+		for _, key := range []string{searchKey, matchKey, localKey} {
 			_ = removeTestDNSKey(key)
 		}
-		_ = removeTestDNSKey(localKey)
 	}()

-	for _, key := range createdKeys {
+	for _, key := range []string{searchKey, matchKey, localKey} {
 		exists, err := checkDNSKeyExists(key)
 		require.NoError(t, err)
 		if exists {
@@ -91,223 +83,13 @@ func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {
 	err = shutdownState.Cleanup()
 	require.NoError(t, err)

-	for _, key := range createdKeys {
+	for _, key := range []string{searchKey, matchKey, localKey} {
 		exists, err := checkDNSKeyExists(key)
 		require.NoError(t, err)
 		assert.False(t, exists, "Key %s should NOT exist after cleanup", key)
 	}
 }

-// generateShortDomains generates domains like a.com, b.com, ..., aa.com, ab.com, etc.
-func generateShortDomains(count int) []string {
-	domains := make([]string, 0, count)
-	for i := range count {
-		label := ""
-		n := i
-		for {
-			label = string(rune('a'+n%26)) + label
-			n = n/26 - 1
-			if n < 0 {
-				break
-			}
-		}
-		domains = append(domains, label+".com")
-	}
-	return domains
-}
-
-// generateLongDomains generates domains like subdomain-000.department.organization-name.example.com
-func generateLongDomains(count int) []string {
-	domains := make([]string, 0, count)
-	for i := range count {
-		domains = append(domains, fmt.Sprintf("subdomain-%03d.department.organization-name.example.com", i))
-	}
-	return domains
-}
-
-// readDomainsFromKey reads the SupplementalMatchDomains array back from scutil for a given key.
-func readDomainsFromKey(t *testing.T, key string) []string {
-	t.Helper()
-
-	cmd := exec.Command(scutilPath)
-	cmd.Stdin = strings.NewReader(fmt.Sprintf("open\nshow %s\nquit\n", key))
-	out, err := cmd.Output()
-	require.NoError(t, err, "scutil show should succeed")
-
-	var domains []string
-	inArray := false
-	scanner := bufio.NewScanner(bytes.NewReader(out))
-	for scanner.Scan() {
-		line := strings.TrimSpace(scanner.Text())
-		if strings.HasPrefix(line, "SupplementalMatchDomains") && strings.Contains(line, "<array>") {
-			inArray = true
-			continue
-		}
-		if inArray {
-			if line == "}" {
-				break
-			}
-			// lines look like: "0 : a.com"
-			parts := strings.SplitN(line, " : ", 2)
-			if len(parts) == 2 {
-				domains = append(domains, parts[1])
-			}
-		}
-	}
-	require.NoError(t, scanner.Err())
-	return domains
-}
-
-func TestSplitDomainsIntoBatches(t *testing.T) {
-	tests := []struct {
-		name            string
-		domains         []string
-		expectedCount   int
-		checkAllPresent bool
-	}{
-		{
-			name:          "empty",
-			domains:       nil,
-			expectedCount: 0,
-		},
-		{
-			name:            "under_limit",
-			domains:         generateShortDomains(10),
-			expectedCount:   1,
-			checkAllPresent: true,
-		},
-		{
-			name:            "at_element_limit",
-			domains:         generateShortDomains(50),
-			expectedCount:   1,
-			checkAllPresent: true,
-		},
-		{
-			name:            "over_element_limit",
-			domains:         generateShortDomains(51),
-			expectedCount:   2,
-			checkAllPresent: true,
-		},
-		{
-			name:            "triple_element_limit",
-			domains:         generateShortDomains(150),
-			expectedCount:   3,
-			checkAllPresent: true,
-		},
-		{
-			name:            "long_domains_hit_byte_limit",
-			domains:         generateLongDomains(50),
-			checkAllPresent: true,
-		},
-		{
-			name:            "500_short_domains",
-			domains:         generateShortDomains(500),
-			expectedCount:   10,
-			checkAllPresent: true,
-		},
-		{
-			name:            "500_long_domains",
-			domains:         generateLongDomains(500),
-			checkAllPresent: true,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			batches := splitDomainsIntoBatches(tc.domains)
-
-			if tc.expectedCount > 0 {
-				assert.Len(t, batches, tc.expectedCount, "expected %d batches", tc.expectedCount)
-			}
-
-			// Verify each batch respects limits
-			for i, batch := range batches {
-				assert.LessOrEqual(t, len(batch), maxDomainsPerResolverEntry,
-					"batch %d exceeds element limit", i)
-
-				totalBytes := 0
-				for j, d := range batch {
-					if j > 0 {
-						totalBytes++
-					}
-					totalBytes += len(d)
-				}
-				assert.LessOrEqual(t, totalBytes, maxDomainBytesPerResolverEntry,
-					"batch %d exceeds byte limit (%d bytes)", i, totalBytes)
-			}
-
-			if tc.checkAllPresent {
-				var all []string
-				for _, batch := range batches {
-					all = append(all, batch...)
-				}
-				assert.Equal(t, tc.domains, all, "all domains should be present in order")
-			}
-		})
-	}
-}
-
-// TestMatchDomainBatching writes increasing numbers of domains via the batching mechanism
-// and verifies all domains are readable across multiple scutil keys.
-func TestMatchDomainBatching(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping scutil integration test in short mode")
-	}
-
-	testCases := []struct {
-		name      string
-		count     int
-		generator func(int) []string
-	}{
-		{"short_10", 10, generateShortDomains},
-		{"short_50", 50, generateShortDomains},
-		{"short_100", 100, generateShortDomains},
-		{"short_200", 200, generateShortDomains},
-		{"short_500", 500, generateShortDomains},
-		{"long_10", 10, generateLongDomains},
-		{"long_50", 50, generateLongDomains},
-		{"long_100", 100, generateLongDomains},
-		{"long_200", 200, generateLongDomains},
-		{"long_500", 500, generateLongDomains},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			configurator := &systemConfigurator{
-				createdKeys: make(map[string]struct{}),
-			}
-
-			defer func() {
-				for key := range configurator.createdKeys {
-					_ = removeTestDNSKey(key)
-				}
-			}()
-
-			domains := tc.generator(tc.count)
-			err := configurator.addBatchedDomains(matchSuffix, domains, netip.MustParseAddr("100.64.0.1"), 53, false)
-			require.NoError(t, err)
-
-			batches := splitDomainsIntoBatches(domains)
-			t.Logf("wrote %d domains across %d batched keys", tc.count, len(batches))
-
-			// Read back all domains from all batched keys
-			var got []string
-			for i := range batches {
-				key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, matchSuffix, i)
-				exists, err := checkDNSKeyExists(key)
-				require.NoError(t, err)
-				require.True(t, exists, "key %s should exist", key)
-
-				got = append(got, readDomainsFromKey(t, key)...)
-			}
-
-			t.Logf("read back %d/%d domains from %d keys", len(got), tc.count, len(batches))
-			assert.Equal(t, tc.count, len(got), "all domains should be readable")
-			assert.Equal(t, domains, got, "domains should match in order")
-		})
-	}
-}
-
 func checkDNSKeyExists(key string) (bool, error) {
 	cmd := exec.Command(scutilPath)
 	cmd.Stdin = strings.NewReader("show " + key + "\nquit\n")
@@ -376,15 +158,15 @@ func setupTestConfigurator(t *testing.T) (*systemConfigurator, *statemanager.Man
 		createdKeys: make(map[string]struct{}),
 	}

+	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
+	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
+	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
+
 	cleanup := func() {
 		_ = sm.Stop(context.Background())
-		for key := range configurator.createdKeys {
+		for _, key := range []string{searchKey, matchKey, localKey} {
 			_ = removeTestDNSKey(key)
 		}
-		// Also clean up old-format keys and local key in case they exist
-		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix))
-		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix))
-		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix))
 	}

 	return configurator, sm, cleanup
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -42,8 +42,6 @@ const (
 	dnsPolicyConfigConfigOptionsKey     = "ConfigOptions"
 	dnsPolicyConfigConfigOptionsValue   = 0x8

-	nrptMaxDomainsPerRule = 50
-
 	interfaceConfigPath          = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
 	interfaceConfigNameServerKey = "NameServer"
 	interfaceConfigSearchListKey = "SearchList"
@@ -200,11 +198,10 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager

 	if len(matchDomains) != 0 {
 		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
-		// Update count even on error to ensure cleanup covers partially created rules
-		r.nrptEntryCount = count
 		if err != nil {
 			return fmt.Errorf("add dns match policy: %w", err)
 		}
+		r.nrptEntryCount = count
 	} else {
 		r.nrptEntryCount = 0
 	}
@@ -242,33 +239,23 @@ func (r *registryConfigurator) addDNSSetupForAll(ip netip.Addr) error {
 func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr) (int, error) {
 	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
 	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
+	for i, domain := range domains {
+		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
+		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)

-	// We need to batch domains into chunks and create one NRPT rule per batch.
-	ruleIndex := 0
-	for i := 0; i < len(domains); i += nrptMaxDomainsPerRule {
-		end := i + nrptMaxDomainsPerRule
-		if end > len(domains) {
-			end = len(domains)
+		singleDomain := []string{domain}
+
+		if err := r.configureDNSPolicy(localPath, singleDomain, ip); err != nil {
+			return i, fmt.Errorf("configure DNS Local policy for domain %s: %w", domain, err)
 		}
-		batchDomains := domains[i:end]
-
-		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, ruleIndex)
-		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, ruleIndex)
-
-		if err := r.configureDNSPolicy(localPath, batchDomains, ip); err != nil {
-			return ruleIndex, fmt.Errorf("configure DNS Local policy for rule %d: %w", ruleIndex, err)
-		}
-
-		// Increment immediately so the caller's cleanup path knows about this rule
-		ruleIndex++

 		if r.gpo {
-			if err := r.configureDNSPolicy(gpoPath, batchDomains, ip); err != nil {
-				return ruleIndex, fmt.Errorf("configure gpo DNS policy for rule %d: %w", ruleIndex-1, err)
+			if err := r.configureDNSPolicy(gpoPath, singleDomain, ip); err != nil {
+				return i, fmt.Errorf("configure gpo DNS policy: %w", err)
 			}
 		}

-		log.Debugf("added NRPT rule %d with %d domains", ruleIndex-1, len(batchDomains))
+		log.Debugf("added NRPT entry for domain: %s", domain)
 	}

 	if r.gpo {
@@ -277,8 +264,8 @@ func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr
 		}
 	}

-	log.Infof("added %d NRPT rules for %d domains", ruleIndex, len(domains))
-	return ruleIndex, nil
+	log.Infof("added %d separate NRPT entries. Domain list: %s", len(domains), domains)
+	return len(domains), nil
 }

 func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []string, ip netip.Addr) error {
--- a/client/internal/dns/host_windows_test.go
+++ b/client/internal/dns/host_windows_test.go
@@ -12,7 +12,6 @@ import (

 // TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
 // when the number of match domains decreases between configuration changes.
-// With batching enabled (50 domains per rule), we need enough domains to create multiple rules.
 func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping registry integration test in short mode")
@@ -38,60 +37,51 @@ func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 		gpo:  false,
 	}

-	// Create 125 domains which will result in 3 NRPT rules (50+50+25)
-	domains125 := make([]DomainConfig, 125)
-	for i := 0; i < 125; i++ {
-		domains125[i] = DomainConfig{
-			Domain:    fmt.Sprintf("domain%d.com", i+1),
-			MatchOnly: true,
-		}
-	}
-
-	config125 := HostDNSConfig{
+	config5 := HostDNSConfig{
 		ServerIP: testIP,
-		Domains:  domains125,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+			{Domain: "domain3.com", MatchOnly: true},
+			{Domain: "domain4.com", MatchOnly: true},
+			{Domain: "domain5.com", MatchOnly: true},
+		},
 	}

-	err = cfg.applyDNSConfig(config125, nil)
+	err = cfg.applyDNSConfig(config5, nil)
 	require.NoError(t, err)

-	// Verify 3 NRPT rules exist
-	assert.Equal(t, 3, cfg.nrptEntryCount, "Should create 3 NRPT rules for 125 domains")
-	for i := 0; i < 3; i++ {
+	// Verify all 5 entries exist
+	for i := 0; i < 5; i++ {
 		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
 		require.NoError(t, err)
-		assert.True(t, exists, "NRPT rule %d should exist after first config", i)
+		assert.True(t, exists, "Entry %d should exist after first config", i)
 	}

-	// Reduce to 75 domains which will result in 2 NRPT rules (50+25)
-	domains75 := make([]DomainConfig, 75)
-	for i := 0; i < 75; i++ {
-		domains75[i] = DomainConfig{
-			Domain:    fmt.Sprintf("domain%d.com", i+1),
-			MatchOnly: true,
-		}
-	}
-
-	config75 := HostDNSConfig{
+	config2 := HostDNSConfig{
 		ServerIP: testIP,
-		Domains:  domains75,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+		},
 	}

-	err = cfg.applyDNSConfig(config75, nil)
+	err = cfg.applyDNSConfig(config2, nil)
 	require.NoError(t, err)

-	// Verify first 2 NRPT rules exist
-	assert.Equal(t, 2, cfg.nrptEntryCount, "Should create 2 NRPT rules for 75 domains")
+	// Verify first 2 entries exist
 	for i := 0; i < 2; i++ {
 		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
 		require.NoError(t, err)
-		assert.True(t, exists, "NRPT rule %d should exist after second config", i)
+		assert.True(t, exists, "Entry %d should exist after second config", i)
 	}

-	// Verify rule 2 is cleaned up
-	exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, 2))
-	require.NoError(t, err)
-	assert.False(t, exists, "NRPT rule 2 should NOT exist after reducing to 75 domains")
+	// Verify entries 2-4 are cleaned up
+	for i := 2; i < 5; i++ {
+		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
+		require.NoError(t, err)
+		assert.False(t, exists, "Entry %d should NOT exist after reducing to 2 domains", i)
+	}
 }

 func registryKeyExists(path string) (bool, error) {
@@ -107,106 +97,6 @@ func registryKeyExists(path string) (bool, error) {
 }

 func cleanupRegistryKeys(*testing.T) {
-	// Clean up more entries to account for batching tests with many domains
-	cfg := &registryConfigurator{nrptEntryCount: 20}
+	cfg := &registryConfigurator{nrptEntryCount: 10}
 	_ = cfg.removeDNSMatchPolicies()
 }
-
-// TestNRPTDomainBatching verifies that domains are correctly batched into NRPT rules.
-func TestNRPTDomainBatching(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping registry integration test in short mode")
-	}
-
-	defer cleanupRegistryKeys(t)
-	cleanupRegistryKeys(t)
-
-	testIP := netip.MustParseAddr("100.64.0.1")
-
-	// Create a test interface registry key so updateSearchDomains doesn't fail
-	testGUID := "{12345678-1234-1234-1234-123456789ABC}"
-	interfacePath := `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` + testGUID
-	testKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, interfacePath, registry.SET_VALUE)
-	require.NoError(t, err, "Should create test interface registry key")
-	testKey.Close()
-	defer func() {
-		_ = registry.DeleteKey(registry.LOCAL_MACHINE, interfacePath)
-	}()
-
-	cfg := &registryConfigurator{
-		guid: testGUID,
-		gpo:  false,
-	}
-
-	testCases := []struct {
-		name              string
-		domainCount       int
-		expectedRuleCount int
-	}{
-		{
-			name:              "Less than 50 domains (single rule)",
-			domainCount:       30,
-			expectedRuleCount: 1,
-		},
-		{
-			name:              "Exactly 50 domains (single rule)",
-			domainCount:       50,
-			expectedRuleCount: 1,
-		},
-		{
-			name:              "51 domains (two rules)",
-			domainCount:       51,
-			expectedRuleCount: 2,
-		},
-		{
-			name:              "100 domains (two rules)",
-			domainCount:       100,
-			expectedRuleCount: 2,
-		},
-		{
-			name:              "125 domains (three rules: 50+50+25)",
-			domainCount:       125,
-			expectedRuleCount: 3,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			// Clean up before each subtest
-			cleanupRegistryKeys(t)
-
-			// Generate domains
-			domains := make([]DomainConfig, tc.domainCount)
-			for i := 0; i < tc.domainCount; i++ {
-				domains[i] = DomainConfig{
-					Domain:    fmt.Sprintf("domain%d.com", i+1),
-					MatchOnly: true,
-				}
-			}
-
-			config := HostDNSConfig{
-				ServerIP: testIP,
-				Domains:  domains,
-			}
-
-			err := cfg.applyDNSConfig(config, nil)
-			require.NoError(t, err)
-
-			// Verify that exactly expectedRuleCount rules were created
-			assert.Equal(t, tc.expectedRuleCount, cfg.nrptEntryCount,
-				"Should create %d NRPT rules for %d domains", tc.expectedRuleCount, tc.domainCount)
-
-			// Verify all expected rules exist
-			for i := 0; i < tc.expectedRuleCount; i++ {
-				exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-				require.NoError(t, err)
-				assert.True(t, exists, "NRPT rule %d should exist", i)
-			}
-
-			// Verify no extra rules were created
-			exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, tc.expectedRuleCount))
-			require.NoError(t, err)
-			assert.False(t, exists, "No NRPT rule should exist at index %d", tc.expectedRuleCount)
-		})
-	}
-}
--- a/client/internal/dns/mgmt/mgmt.go
+++ b/client/internal/dns/mgmt/mgmt.go
@@ -376,9 +376,9 @@ func (m *Resolver) extractDomainsFromServerDomains(serverDomains dnsconfig.Serve
 		}
 	}

-	// Flow receiver domain is intentionally excluded from caching.
-	// Cloud providers may rotate the IP behind this domain; a stale cached record
-	// causes TLS certificate verification failures on reconnect.
+	if serverDomains.Flow != "" {
+		domains = append(domains, serverDomains.Flow)
+	}

 	for _, stun := range serverDomains.Stuns {
 		if stun != "" {
--- a/client/internal/dns/mgmt/mgmt_test.go
+++ b/client/internal/dns/mgmt/mgmt_test.go
@@ -391,8 +391,7 @@ func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
 	}
 	assert.Len(t, resolver.GetCachedDomains(), 3)

-	// Update with partial ServerDomains (only flow domain - flow is intentionally excluded from
-	// caching to prevent TLS failures from stale records, so all existing domains are preserved)
+	// Update with partial ServerDomains (only flow domain - new type, should preserve all existing)
 	partialDomains := dnsconfig.ServerDomains{
 		Flow: "github.com",
 	}
@@ -401,10 +400,10 @@ func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
 		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
 	}

-	assert.Len(t, removedDomains, 0, "Should not remove any domains when only flow domain is provided")
+	assert.Len(t, removedDomains, 0, "Should not remove any domains when adding new type")

 	finalDomains := resolver.GetCachedDomains()
-	assert.Len(t, finalDomains, 3, "Flow domain is not cached; all original domains should be preserved")
+	assert.Len(t, finalDomains, 4, "Should have all original domains plus new flow domain")

 	domainStrings := make([]string, len(finalDomains))
 	for i, d := range finalDomains {
@@ -413,5 +412,5 @@ func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
 	assert.Contains(t, domainStrings, "example.org")
 	assert.Contains(t, domainStrings, "google.com")
 	assert.Contains(t, domainStrings, "cloudflare.com")
-	assert.NotContains(t, domainStrings, "github.com")
+	assert.Contains(t, domainStrings, "github.com")
 }
--- a/client/internal/dns/mock_server.go
+++ b/client/internal/dns/mock_server.go
@@ -84,18 +84,3 @@ func (m *MockServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
 func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	return nil
 }
-
-// BeginBatch mock implementation of BeginBatch from Server interface
-func (m *MockServer) BeginBatch() {
-	// Mock implementation - no-op
-}
-
-// EndBatch mock implementation of EndBatch from Server interface
-func (m *MockServer) EndBatch() {
-	// Mock implementation - no-op
-}
-
-// CancelBatch mock implementation of CancelBatch from Server interface
-func (m *MockServer) CancelBatch() {
-	// Mock implementation - no-op
-}
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -45,9 +45,6 @@ type IosDnsManager interface {
 type Server interface {
 	RegisterHandler(domains domain.List, handler dns.Handler, priority int)
 	DeregisterHandler(domains domain.List, priority int)
-	BeginBatch()
-	EndBatch()
-	CancelBatch()
 	Initialize() error
 	Stop()
 	DnsIP() netip.Addr
@@ -90,7 +87,6 @@ type DefaultServer struct {
 	currentConfigHash  uint64
 	handlerChain       *HandlerChain
 	extraDomains       map[domain.Domain]int
-	batchMode          bool

 	mgmtCacheResolver *mgmt.Resolver

@@ -238,9 +234,7 @@ func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler
 		// convert to zone with simple ref counter
 		s.extraDomains[toZone(domain)]++
 	}
-	if !s.batchMode {
-		s.applyHostConfig()
-	}
+	s.applyHostConfig()
 }

 func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, priority int) {
@@ -269,41 +263,9 @@ func (s *DefaultServer) DeregisterHandler(domains domain.List, priority int) {
 			delete(s.extraDomains, zone)
 		}
 	}
-	if !s.batchMode {
-		s.applyHostConfig()
-	}
-}
-
-// BeginBatch starts batch mode for DNS handler registration/deregistration.
-// In batch mode, applyHostConfig() is not called after each handler operation,
-// allowing multiple handlers to be registered/deregistered efficiently.
-// Must be followed by EndBatch() to apply the accumulated changes.
-func (s *DefaultServer) BeginBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode enabled")
-	s.batchMode = true
-}
-
-// EndBatch ends batch mode and applies all accumulated DNS configuration changes.
-func (s *DefaultServer) EndBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode disabled, applying accumulated changes")
-	s.batchMode = false
 	s.applyHostConfig()
 }

-// CancelBatch cancels batch mode without applying accumulated changes.
-// This is useful when operations fail partway through and you want to
-// discard partial state rather than applying it.
-func (s *DefaultServer) CancelBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode cancelled, discarding accumulated changes")
-	s.batchMode = false
-}
-
 func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
 	log.Debugf("deregistering handler with priority %d for %v", priority, domains)

@@ -561,7 +523,6 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 		s.currentConfig.RouteAll = false
 	}

-	// Always apply host config for management updates, regardless of batch mode
 	s.applyHostConfig()

 	s.shutdownWg.Add(1)
@@ -926,7 +887,6 @@ func (s *DefaultServer) upstreamCallbacks(
 			}
 		}

-		// Always apply host config when nameserver goes down, regardless of batch mode
 		s.applyHostConfig()

 		go func() {
@@ -962,7 +922,6 @@ func (s *DefaultServer) upstreamCallbacks(
 			s.registerHandler([]string{nbdns.RootZone}, handler, priority)
 		}

-		// Always apply host config when nameserver reactivates, regardless of batch mode
 		s.applyHostConfig()

 		s.updateNSState(nsGroup, nil, true)
--- a/client/internal/dns/server_export_test.go
+++ b/client/internal/dns/server_export_test.go
@@ -18,12 +18,7 @@ func TestGetServerDns(t *testing.T) {
 		t.Errorf("invalid dns server instance: %s", err)
 	}

-	mockSrvB, ok := srvB.(*MockServer)
-	if !ok {
-		t.Errorf("returned server is not a MockServer")
-	}
-
-	if mockSrvB != srv {
+	if srvB != srv {
 		t.Errorf("mismatch dns instances")
 	}
 }
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -351,13 +351,9 @@ func (u *upstreamResolverBase) waitUntilResponse() {
 		return fmt.Errorf("upstream check call error")
 	}

-	err := backoff.Retry(operation, backoff.WithContext(exponentialBackOff, u.ctx))
+	err := backoff.Retry(operation, exponentialBackOff)
 	if err != nil {
-		if errors.Is(err, context.Canceled) {
-			log.Debugf("upstream retry loop exited for upstreams %s", u.upstreamServersString())
-		} else {
-			log.Warnf("upstream retry loop exited for upstreams %s: %v", u.upstreamServersString(), err)
-		}
+		log.Warn(err)
 		return
 	}

--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -28,15 +28,14 @@ import (
 	"github.com/netbirdio/netbird/client/firewall"
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
+	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
-	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
 	"github.com/netbirdio/netbird/client/internal/netflow"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
@@ -54,11 +53,13 @@ import (
 	"github.com/netbirdio/netbird/client/internal/updatemanager"
 	"github.com/netbirdio/netbird/client/jobexec"
 	cProto "github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/shared/management/domain"
+	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
+
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	auth "github.com/netbirdio/netbird/shared/relay/auth/hmac"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
@@ -74,6 +75,7 @@ import (
 const (
 	PeerConnectionTimeoutMax = 45000 // ms
 	PeerConnectionTimeoutMin = 30000 // ms
+	connInitLimit            = 200
 	disableAutoUpdate        = "disabled"
 )

@@ -206,6 +208,7 @@ type Engine struct {
 	syncRespMux         sync.RWMutex
 	persistSyncResponse bool
 	latestSyncResponse  *mgmProto.SyncResponse
+	connSemaphore       *semaphoregroup.SemaphoreGroup
 	flowManager         nftypes.FlowManager

 	// auto-update
@@ -221,8 +224,6 @@ type Engine struct {

 	jobExecutor   *jobexec.Executor
 	jobExecutorWG sync.WaitGroup
-
-	exposeManager *expose.Manager
 }

 // Peer is an instance of the Connection Peer
@@ -265,6 +266,7 @@ func NewEngine(
 		statusRecorder: statusRecorder,
 		stateManager:   stateManager,
 		checks:         checks,
+		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
 		probeStunTurn:  relay.NewStunTurnProbe(relay.DefaultCacheTTL),
 		jobExecutor:    jobexec.NewExecutor(),
 	}
@@ -417,7 +419,6 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 		e.cancel()
 	}
 	e.ctx, e.cancel = context.WithCancel(e.clientCtx)
-	e.exposeManager = expose.NewManager(e.ctx, e.mgmClient)

 	wgIface, err := e.newWgIface()
 	if err != nil {
@@ -800,7 +801,7 @@ func (e *Engine) handleAutoUpdateVersion(autoUpdateSettings *mgmProto.AutoUpdate

 	disabled := autoUpdateSettings.Version == disableAutoUpdate

-	// stop and cleanup if disabled
+	// Stop and cleanup if disabled
 	if e.updateManager != nil && disabled {
 		log.Infof("auto-update is disabled, stopping update manager")
 		e.updateManager.Stop()
@@ -1538,6 +1539,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 		IFaceDiscover:  e.mobileDep.IFaceDiscover,
 		RelayManager:   e.relayManager,
 		SrWatcher:      e.srWatcher,
+		Semaphore:      e.connSemaphore,
 	}
 	peerConn, err := peer.NewConn(config, serviceDependencies)
 	if err != nil {
@@ -1560,10 +1562,8 @@ func (e *Engine) receiveSignalEvents() {
 		defer e.shutdownWg.Done()
 		// connect to a stream of messages coming from the signal server
 		err := e.signal.Receive(e.ctx, func(msg *sProto.Message) error {
-			start := time.Now()
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()
-			gotLock := time.Since(start)

 			// Check context INSIDE lock to ensure atomicity with shutdown
 			if e.ctx.Err() != nil {
@@ -1587,8 +1587,6 @@ func (e *Engine) receiveSignalEvents() {
 					return err
 				}

-				log.Debugf("receiveMSG: took %s to get lock for peer %s with session id %s", gotLock, msg.Key, offerAnswer.SessionID)
-
 				if msg.Body.Type == sProto.Body_OFFER {
 					conn.OnRemoteOffer(*offerAnswer)
 				} else {
@@ -1822,18 +1820,11 @@ func (e *Engine) GetRouteManager() routemanager.Manager {
 	return e.routeManager
 }

-// GetFirewallManager returns the firewall manager.
+// GetFirewallManager returns the firewall manager
 func (e *Engine) GetFirewallManager() firewallManager.Manager {
 	return e.firewall
 }

-// GetExposeManager returns the expose session manager.
-func (e *Engine) GetExposeManager() *expose.Manager {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-	return e.exposeManager
-}
-
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {
--- a/client/internal/expose/manager.go
+++ b/client/internal/expose/manager.go
@@ -1,95 +0,0 @@
-package expose
-
-import (
-	"context"
-	"time"
-
-	mgm "github.com/netbirdio/netbird/shared/management/client"
-	log "github.com/sirupsen/logrus"
-)
-
-const renewTimeout = 10 * time.Second
-
-// Response holds the response from exposing a service.
-type Response struct {
-	ServiceName string
-	ServiceURL  string
-	Domain      string
-}
-
-type Request struct {
-	NamePrefix string
-	Domain     string
-	Port       uint16
-	Protocol   int
-	Pin        string
-	Password   string
-	UserGroups []string
-}
-
-type ManagementClient interface {
-	CreateExpose(ctx context.Context, req mgm.ExposeRequest) (*mgm.ExposeResponse, error)
-	RenewExpose(ctx context.Context, domain string) error
-	StopExpose(ctx context.Context, domain string) error
-}
-
-// Manager handles expose session lifecycle via the management client.
-type Manager struct {
-	mgmClient ManagementClient
-	ctx       context.Context
-}
-
-// NewManager creates a new expose Manager using the given management client.
-func NewManager(ctx context.Context, mgmClient ManagementClient) *Manager {
-	return &Manager{mgmClient: mgmClient, ctx: ctx}
-}
-
-// Expose creates a new expose session via the management server.
-func (m *Manager) Expose(ctx context.Context, req Request) (*Response, error) {
-	log.Infof("exposing service on port %d", req.Port)
-	resp, err := m.mgmClient.CreateExpose(ctx, toClientExposeRequest(req))
-	if err != nil {
-		return nil, err
-	}
-
-	log.Infof("expose session created for %s", resp.Domain)
-
-	return fromClientExposeResponse(resp), nil
-}
-
-func (m *Manager) KeepAlive(ctx context.Context, domain string) error {
-	ticker := time.NewTicker(30 * time.Second)
-	defer ticker.Stop()
-	defer m.stop(domain)
-
-	for {
-		select {
-		case <-ctx.Done():
-			log.Infof("context canceled, stopping keep alive for %s", domain)
-
-			return nil
-		case <-ticker.C:
-			if err := m.renew(ctx, domain); err != nil {
-				log.Errorf("renewing expose session for %s: %v", domain, err)
-				return err
-			}
-		}
-	}
-}
-
-// renew extends the TTL of an active expose session.
-func (m *Manager) renew(ctx context.Context, domain string) error {
-	renewCtx, cancel := context.WithTimeout(ctx, renewTimeout)
-	defer cancel()
-	return m.mgmClient.RenewExpose(renewCtx, domain)
-}
-
-// stop terminates an active expose session.
-func (m *Manager) stop(domain string) {
-	stopCtx, cancel := context.WithTimeout(m.ctx, renewTimeout)
-	defer cancel()
-	err := m.mgmClient.StopExpose(stopCtx, domain)
-	if err != nil {
-		log.Warnf("Failed stopping expose session for %s: %v", domain, err)
-	}
-}
--- a/client/internal/expose/manager_test.go
+++ b/client/internal/expose/manager_test.go
@@ -1,95 +0,0 @@
-package expose
-
-import (
-	"context"
-	"errors"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	daemonProto "github.com/netbirdio/netbird/client/proto"
-	mgm "github.com/netbirdio/netbird/shared/management/client"
-)
-
-func TestManager_Expose_Success(t *testing.T) {
-	mock := &mgm.MockClient{
-		CreateExposeFunc: func(ctx context.Context, req mgm.ExposeRequest) (*mgm.ExposeResponse, error) {
-			return &mgm.ExposeResponse{
-				ServiceName: "my-service",
-				ServiceURL:  "https://my-service.example.com",
-				Domain:      "my-service.example.com",
-			}, nil
-		},
-	}
-
-	m := NewManager(context.Background(), mock)
-	result, err := m.Expose(context.Background(), Request{Port: 8080})
-	require.NoError(t, err)
-	assert.Equal(t, "my-service", result.ServiceName, "service name should match")
-	assert.Equal(t, "https://my-service.example.com", result.ServiceURL, "service URL should match")
-	assert.Equal(t, "my-service.example.com", result.Domain, "domain should match")
-}
-
-func TestManager_Expose_Error(t *testing.T) {
-	mock := &mgm.MockClient{
-		CreateExposeFunc: func(ctx context.Context, req mgm.ExposeRequest) (*mgm.ExposeResponse, error) {
-			return nil, errors.New("permission denied")
-		},
-	}
-
-	m := NewManager(context.Background(), mock)
-	_, err := m.Expose(context.Background(), Request{Port: 8080})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "permission denied", "error should propagate")
-}
-
-func TestManager_Renew_Success(t *testing.T) {
-	mock := &mgm.MockClient{
-		RenewExposeFunc: func(ctx context.Context, domain string) error {
-			assert.Equal(t, "my-service.example.com", domain, "domain should be passed through")
-			return nil
-		},
-	}
-
-	m := NewManager(context.Background(), mock)
-	err := m.renew(context.Background(), "my-service.example.com")
-	require.NoError(t, err)
-}
-
-func TestManager_Renew_Timeout(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	mock := &mgm.MockClient{
-		RenewExposeFunc: func(ctx context.Context, domain string) error {
-			return ctx.Err()
-		},
-	}
-
-	m := NewManager(ctx, mock)
-	err := m.renew(ctx, "my-service.example.com")
-	require.Error(t, err)
-}
-
-func TestNewRequest(t *testing.T) {
-	req := &daemonProto.ExposeServiceRequest{
-		Port:       8080,
-		Protocol:   daemonProto.ExposeProtocol_EXPOSE_HTTPS,
-		Pin:        "123456",
-		Password:   "secret",
-		UserGroups: []string{"group1", "group2"},
-		Domain:     "custom.example.com",
-		NamePrefix: "my-prefix",
-	}
-
-	exposeReq := NewRequest(req)
-
-	assert.Equal(t, uint16(8080), exposeReq.Port, "port should match")
-	assert.Equal(t, int(daemonProto.ExposeProtocol_EXPOSE_HTTPS), exposeReq.Protocol, "protocol should match")
-	assert.Equal(t, "123456", exposeReq.Pin, "pin should match")
-	assert.Equal(t, "secret", exposeReq.Password, "password should match")
-	assert.Equal(t, []string{"group1", "group2"}, exposeReq.UserGroups, "user groups should match")
-	assert.Equal(t, "custom.example.com", exposeReq.Domain, "domain should match")
-	assert.Equal(t, "my-prefix", exposeReq.NamePrefix, "name prefix should match")
-}
--- a/client/internal/expose/request.go
+++ b/client/internal/expose/request.go
@@ -1,39 +0,0 @@
-package expose
-
-import (
-	daemonProto "github.com/netbirdio/netbird/client/proto"
-	mgm "github.com/netbirdio/netbird/shared/management/client"
-)
-
-// NewRequest converts a daemon ExposeServiceRequest to a management ExposeServiceRequest.
-func NewRequest(req *daemonProto.ExposeServiceRequest) *Request {
-	return &Request{
-		Port:       uint16(req.Port),
-		Protocol:   int(req.Protocol),
-		Pin:        req.Pin,
-		Password:   req.Password,
-		UserGroups: req.UserGroups,
-		Domain:     req.Domain,
-		NamePrefix: req.NamePrefix,
-	}
-}
-
-func toClientExposeRequest(req Request) mgm.ExposeRequest {
-	return mgm.ExposeRequest{
-		NamePrefix: req.NamePrefix,
-		Domain:     req.Domain,
-		Port:       req.Port,
-		Protocol:   req.Protocol,
-		Pin:        req.Pin,
-		Password:   req.Password,
-		UserGroups: req.UserGroups,
-	}
-}
-
-func fromClientExposeResponse(response *mgm.ExposeResponse) *Response {
-	return &Response{
-		ServiceName: response.ServiceName,
-		Domain:      response.Domain,
-		ServiceURL:  response.ServiceURL,
-	}
-}
--- a/client/internal/networkmonitor/check_change_common.go
+++ b/client/internal/networkmonitor/check_change_common.go
@@ -22,56 +22,51 @@ func prepareFd() (int, error) {

 func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Nexthop) error {
 	for {
-		// Wait until fd is readable or context is cancelled, to avoid a busy-loop
-		// when the routing socket returns EAGAIN (e.g. immediately after wakeup).
-		if err := waitReadable(ctx, fd); err != nil {
-			return err
-		}
-
-		buf := make([]byte, 2048)
-		n, err := unix.Read(fd, buf)
-		if err != nil {
-			if errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EINTR) {
-				continue
-			}
-			if errors.Is(err, unix.EBADF) || errors.Is(err, unix.EINVAL) {
-				return fmt.Errorf("routing socket closed: %w", err)
-			}
-			return fmt.Errorf("read routing socket: %w", err)
-		}
-
-		if n < unix.SizeofRtMsghdr {
-			log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
-			continue
-		}
-
-		msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
-
-		switch msg.Type {
-		// handle route changes
-		case unix.RTM_ADD, syscall.RTM_DELETE:
-			route, err := parseRouteMessage(buf[:n])
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			buf := make([]byte, 2048)
+			n, err := unix.Read(fd, buf)
 			if err != nil {
-				log.Debugf("Network monitor: error parsing routing message: %v", err)
+				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
+					log.Warnf("Network monitor: failed to read from routing socket: %v", err)
+				}
+				continue
+			}
+			if n < unix.SizeofRtMsghdr {
+				log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
 				continue
 			}

-			if route.Dst.Bits() != 0 {
-				continue
-			}
+			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))

-			intf := "<nil>"
-			if route.Interface != nil {
-				intf = route.Interface.Name
-			}
 			switch msg.Type {
-			case unix.RTM_ADD:
-				log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
-				return nil
-			case unix.RTM_DELETE:
-				if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
-					log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
+			// handle route changes
+			case unix.RTM_ADD, syscall.RTM_DELETE:
+				route, err := parseRouteMessage(buf[:n])
+				if err != nil {
+					log.Debugf("Network monitor: error parsing routing message: %v", err)
+					continue
+				}
+
+				if route.Dst.Bits() != 0 {
+					continue
+				}
+
+				intf := "<nil>"
+				if route.Interface != nil {
+					intf = route.Interface.Name
+				}
+				switch msg.Type {
+				case unix.RTM_ADD:
+					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
 					return nil
+				case unix.RTM_DELETE:
+					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
+						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
+						return nil
+					}
 				}
 			}
 		}
@@ -95,33 +90,3 @@ func parseRouteMessage(buf []byte) (*systemops.Route, error) {

 	return systemops.MsgToRoute(msg)
 }
-
-// waitReadable blocks until fd has data to read, or ctx is cancelled.
-func waitReadable(ctx context.Context, fd int) error {
-	var fdset unix.FdSet
-	if fd < 0 || fd/unix.NFDBITS >= len(fdset.Bits) {
-		return fmt.Errorf("fd %d out of range for FdSet", fd)
-	}
-
-	for {
-		if err := ctx.Err(); err != nil {
-			return err
-		}
-
-		fdset = unix.FdSet{}
-		fdset.Set(fd)
-		// Use a 1-second timeout so we can re-check ctx periodically.
-		tv := unix.Timeval{Sec: 1}
-		n, err := unix.Select(fd+1, &fdset, nil, nil, &tv)
-		if err != nil {
-			if errors.Is(err, unix.EINTR) {
-				continue
-			}
-			return fmt.Errorf("select on routing socket: %w", err)
-		}
-		if n > 0 {
-			return nil
-		}
-		// timeout — loop back and re-check ctx
-	}
-}
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -3,6 +3,7 @@ package peer
 import (
 	"context"
 	"fmt"
+	"math/rand"
 	"net"
 	"net/netip"
 	"runtime"
@@ -24,6 +25,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
+	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 )

 type ServiceDependencies struct {
@@ -32,6 +34,7 @@ type ServiceDependencies struct {
 	IFaceDiscover      stdnet.ExternalIFaceDiscover
 	RelayManager       *relayClient.Manager
 	SrWatcher          *guard.SRWatcher
+	Semaphore          *semaphoregroup.SemaphoreGroup
 	PeerConnDispatcher *dispatcher.ConnectionDispatcher
 }

@@ -108,8 +111,9 @@ type Conn struct {
 	wgProxyRelay wgproxy.Proxy
 	handshaker   *Handshaker

-	guard *guard.Guard
-	wg    sync.WaitGroup
+	guard     *guard.Guard
+	semaphore *semaphoregroup.SemaphoreGroup
+	wg        sync.WaitGroup

 	// debug purpose
 	dumpState *stateDump
@@ -135,6 +139,7 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 		iFaceDiscover:   services.IFaceDiscover,
 		relayManager:    services.RelayManager,
 		srWatcher:       services.SrWatcher,
+		semaphore:       services.Semaphore,
 		statusRelay:     worker.NewAtomicStatus(),
 		statusICE:       worker.NewAtomicStatus(),
 		dumpState:       dumpState,
@@ -149,10 +154,15 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 // It will try to establish a connection using ICE and in parallel with relay. The higher priority connection type will
 // be used.
 func (conn *Conn) Open(engineCtx context.Context) error {
+	if err := conn.semaphore.Add(engineCtx); err != nil {
+		return err
+	}
+
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

 	if conn.opened {
+		conn.semaphore.Done()
 		return nil
 	}

@@ -163,6 +173,7 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 	relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
 	workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
 	if err != nil {
+		conn.semaphore.Done()
 		return err
 	}
 	conn.workerICE = workerICE
@@ -196,6 +207,10 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 	conn.wg.Add(1)
 	go func() {
 		defer conn.wg.Done()
+
+		conn.waitInitialRandomSleepTime(conn.ctx)
+		conn.semaphore.Done()
+
 		conn.guard.Start(conn.ctx, conn.onGuardEvent)
 	}()
 	conn.opened = true
@@ -395,7 +410,7 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 	conn.doOnConnected(iceConnInfo.RosenpassPubKey, iceConnInfo.RosenpassAddr)
 }

-func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
+func (conn *Conn) onICEStateDisconnected() {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

@@ -415,18 +430,14 @@ func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
 	if conn.isReadyToUpgrade() {
 		conn.Log.Infof("ICE disconnected, set Relay to active connection")
 		conn.dumpState.SwitchToRelay()
-		if sessionChanged {
-			conn.resetEndpoint()
-		}
-
-		// todo consider to move after the ConfigureWGEndpoint
 		conn.wgProxyRelay.Work()

 		presharedKey := conn.presharedKey(conn.rosenpassRemoteKey)
-		if err := conn.endpointUpdater.SwitchWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
+		if err := conn.endpointUpdater.ConfigureWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
 			conn.Log.Errorf("failed to switch to relay conn: %v", err)
 		}

+		conn.wgProxyRelay.Work()
 		conn.currentConnPriority = conntype.Relay
 	} else {
 		conn.Log.Infof("ICE disconnected, do not switch to Relay. Reset priority to: %s", conntype.None.String())
@@ -488,22 +499,20 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 		return
 	}

-	controller := isController(conn.config)
+	wgProxy.Work()
+	presharedKey := conn.presharedKey(rci.rosenpassPubKey)

-	if controller {
-		wgProxy.Work()
-	}
 	conn.enableWgWatcherIfNeeded()
-	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), conn.presharedKey(rci.rosenpassPubKey)); err != nil {
+
+	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), presharedKey); err != nil {
 		if err := wgProxy.CloseConn(); err != nil {
 			conn.Log.Warnf("Failed to close relay connection: %v", err)
 		}
 		conn.Log.Errorf("Failed to update WireGuard peer configuration: %v", err)
 		return
 	}
-	if !controller {
-		wgProxy.Work()
-	}
+
+	wgConfigWorkaround()
 	conn.rosenpassRemoteKey = rci.rosenpassPubKey
 	conn.currentConnPriority = conntype.Relay
 	conn.statusRelay.SetConnected()
@@ -655,6 +664,19 @@ func (conn *Conn) doOnConnected(remoteRosenpassPubKey []byte, remoteRosenpassAdd
 	}
 }

+func (conn *Conn) waitInitialRandomSleepTime(ctx context.Context) {
+	maxWait := 300
+	duration := time.Duration(rand.Intn(maxWait)) * time.Millisecond
+
+	timeout := time.NewTimer(duration)
+	defer timeout.Stop()
+
+	select {
+	case <-ctx.Done():
+	case <-timeout.C:
+	}
+}
+
 func (conn *Conn) isRelayed() bool {
 	switch conn.currentConnPriority {
 	case conntype.Relay, conntype.ICETurn:
@@ -735,17 +757,6 @@ func (conn *Conn) newProxy(remoteConn net.Conn) (wgproxy.Proxy, error) {
 	return wgProxy, nil
 }

-func (conn *Conn) resetEndpoint() {
-	if !isController(conn.config) {
-		return
-	}
-	conn.Log.Infof("reset wg endpoint")
-	conn.wgWatcher.Reset()
-	if err := conn.endpointUpdater.RemoveEndpointAddress(); err != nil {
-		conn.Log.Warnf("failed to remove endpoint address before update: %v", err)
-	}
-}
-
 func (conn *Conn) isReadyToUpgrade() bool {
 	return conn.wgProxyRelay != nil && conn.currentConnPriority != conntype.Relay
 }
@@ -851,3 +862,9 @@ func isController(config ConnConfig) bool {
 func isRosenpassEnabled(remoteRosenpassPubKey []byte) bool {
 	return remoteRosenpassPubKey != nil
 }
+
+// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
+// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
+func wgConfigWorkaround() {
+	time.Sleep(100 * time.Millisecond)
+}
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/util"
+	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 )

 var testDispatcher = dispatcher.NewConnectionDispatcher()
@@ -52,6 +53,7 @@ func TestConn_GetKey(t *testing.T) {

 	sd := ServiceDependencies{
 		SrWatcher:          swWatcher,
+		Semaphore:          semaphoregroup.NewSemaphoreGroup(1),
 		PeerConnDispatcher: testDispatcher,
 	}
 	conn, err := NewConn(connConf, sd)
@@ -69,6 +71,7 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 	sd := ServiceDependencies{
 		StatusRecorder:     NewRecorder("https://mgm"),
 		SrWatcher:          swWatcher,
+		Semaphore:          semaphoregroup.NewSemaphoreGroup(1),
 		PeerConnDispatcher: testDispatcher,
 	}
 	conn, err := NewConn(connConf, sd)
@@ -107,6 +110,7 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 	sd := ServiceDependencies{
 		StatusRecorder:     NewRecorder("https://mgm"),
 		SrWatcher:          swWatcher,
+		Semaphore:          semaphoregroup.NewSemaphoreGroup(1),
 		PeerConnDispatcher: testDispatcher,
 	}
 	conn, err := NewConn(connConf, sd)
--- a/client/internal/peer/endpoint.go
+++ b/client/internal/peer/endpoint.go
@@ -34,27 +34,28 @@ func NewEndpointUpdater(log *logrus.Entry, wgConfig WgConfig, initiator bool) *E
 	}
 }

+// ConfigureWGEndpoint sets up the WireGuard endpoint configuration.
+// The initiator immediately configures the endpoint, while the non-initiator
+// waits for a fallback period before configuring to avoid handshake congestion.
 func (e *EndpointUpdater) ConfigureWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
 	e.mu.Lock()
 	defer e.mu.Unlock()

 	if e.initiator {
-		e.log.Debugf("configure up WireGuard as initiator")
-		return e.configureAsInitiator(addr, presharedKey)
+		e.log.Debugf("configure up WireGuard as initiatr")
+		return e.updateWireGuardPeer(addr, presharedKey)
 	}

-	e.log.Debugf("configure up WireGuard as responder")
-	return e.configureAsResponder(addr, presharedKey)
-}
-
-func (e *EndpointUpdater) SwitchWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
 	// prevent to run new update while cancel the previous update
 	e.waitForCloseTheDelayedUpdate()

-	return e.updateWireGuardPeer(addr, presharedKey)
+	var ctx context.Context
+	ctx, e.cancelFunc = context.WithCancel(context.Background())
+	e.updateWg.Add(1)
+	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
+
+	e.log.Debugf("configure up WireGuard and wait for handshake")
+	return e.updateWireGuardPeer(nil, presharedKey)
 }

 func (e *EndpointUpdater) RemoveWgPeer() error {
@@ -65,38 +66,6 @@ func (e *EndpointUpdater) RemoveWgPeer() error {
 	return e.wgConfig.WgInterface.RemovePeer(e.wgConfig.RemoteKey)
 }

-func (e *EndpointUpdater) RemoveEndpointAddress() error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	e.waitForCloseTheDelayedUpdate()
-	return e.wgConfig.WgInterface.RemoveEndpointAddress(e.wgConfig.RemoteKey)
-}
-
-func (e *EndpointUpdater) configureAsInitiator(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	if err := e.updateWireGuardPeer(addr, presharedKey); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (e *EndpointUpdater) configureAsResponder(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	// prevent to run new update while cancel the previous update
-	e.waitForCloseTheDelayedUpdate()
-
-	e.log.Debugf("configure up WireGuard and wait for handshake")
-	var ctx context.Context
-	ctx, e.cancelFunc = context.WithCancel(context.Background())
-	e.updateWg.Add(1)
-	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
-
-	if err := e.updateWireGuardPeer(nil, presharedKey); err != nil {
-		e.waitForCloseTheDelayedUpdate()
-		return err
-	}
-	return nil
-}
-
 func (e *EndpointUpdater) waitForCloseTheDelayedUpdate() {
 	if e.cancelFunc == nil {
 		return
@@ -132,9 +101,3 @@ func (e *EndpointUpdater) updateWireGuardPeer(endpoint *net.UDPAddr, presharedKe
 		presharedKey,
 	)
 }
-
-// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
-// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
-func wgConfigWorkaround() {
-	time.Sleep(100 * time.Millisecond)
-}
--- a/client/internal/peer/wg_watcher.go
+++ b/client/internal/peer/wg_watcher.go
@@ -32,8 +32,6 @@ type WGWatcher struct {

 	enabled   bool
 	muEnabled sync.RWMutex
-
-	resetCh chan struct{}
 }

 func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey string, stateDump *stateDump) *WGWatcher {
@@ -42,7 +40,6 @@ func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey strin
 		wgIfaceStater: wgIfaceStater,
 		peerKey:       peerKey,
 		stateDump:     stateDump,
-		resetCh:       make(chan struct{}, 1),
 	}
 }

@@ -79,15 +76,6 @@ func (w *WGWatcher) IsEnabled() bool {
 	return w.enabled
 }

-// Reset signals the watcher that the WireGuard peer has been reset and a new
-// handshake is expected. This restarts the handshake timeout from scratch.
-func (w *WGWatcher) Reset() {
-	select {
-	case w.resetCh <- struct{}{}:
-	default:
-	}
-}
-
 // wgStateCheck help to check the state of the WireGuard handshake and relay connection
 func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn func(), enabledTime time.Time, initialHandshake time.Time) {
 	w.log.Infof("WireGuard watcher started")
@@ -117,12 +105,6 @@ func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn
 			w.stateDump.WGcheckSuccess()

 			w.log.Debugf("WireGuard watcher reset timer: %v", resetTime)
-		case <-w.resetCh:
-			w.log.Infof("WireGuard watcher received peer reset, restarting handshake timeout")
-			lastHandshake = time.Time{}
-			enabledTime = time.Now()
-			timer.Stop()
-			timer.Reset(wgHandshakeOvertime)
 		case <-ctx.Done():
 			w.log.Infof("WireGuard watcher stopped")
 			return
--- a/client/internal/peer/worker_ice.go
+++ b/client/internal/peer/worker_ice.go
@@ -52,9 +52,8 @@ type WorkerICE struct {
 	// increase by one when disconnecting the agent
 	// with it the remote peer can discard the already deprecated offer/answer
 	// Without it the remote peer may recreate a workable ICE connection
-	sessionID            ICESessionID
-	remoteSessionChanged bool
-	muxAgent             sync.Mutex
+	sessionID ICESessionID
+	muxAgent  sync.Mutex

 	localUfrag string
 	localPwd   string
@@ -107,7 +106,6 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 			return
 		}
 		w.log.Debugf("agent already exists, recreate the connection")
-		w.remoteSessionChanged = true
 		w.agentDialerCancel()
 		if w.agent != nil {
 			if err := w.agent.Close(); err != nil {
@@ -308,17 +306,13 @@ func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent
 	w.conn.onICEConnectionIsReady(selectedPriority(pair), ci)
 }

-func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) bool {
+func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) {
 	cancel()
 	if err := agent.Close(); err != nil {
 		w.log.Warnf("failed to close ICE agent: %s", err)
 	}

 	w.muxAgent.Lock()
-	defer w.muxAgent.Unlock()
-
-	sessionChanged := w.remoteSessionChanged
-	w.remoteSessionChanged = false

 	if w.agent == agent {
 		// consider to remove from here and move to the OnNewOffer
@@ -331,7 +325,7 @@ func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.C
 		w.agentConnecting = false
 		w.remoteSessionID = ""
 	}
-	return sessionChanged
+	w.muxAgent.Unlock()
 }

 func (w *WorkerICE) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
@@ -432,11 +426,11 @@ func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dia
 			// ice.ConnectionStateClosed happens when we recreate the agent. For the P2P to TURN switch important to
 			// notify the conn.onICEStateDisconnected changes to update the current used priority

-			sessionChanged := w.closeAgent(agent, dialerCancel)
+			w.closeAgent(agent, dialerCancel)

 			if w.lastKnownState == ice.ConnectionStateConnected {
 				w.lastKnownState = ice.ConnectionStateDisconnected
-				w.conn.onICEStateDisconnected(sessionChanged)
+				w.conn.onICEStateDisconnected()
 			}
 		default:
 			return
--- a/client/internal/routemanager/dnsinterceptor/handler.go
+++ b/client/internal/routemanager/dnsinterceptor/handler.go
@@ -351,11 +351,6 @@ func (d *DnsInterceptor) writeMsg(w dns.ResponseWriter, r *dns.Msg, logger *log.
 				logger.Errorf("failed to update domain prefixes: %v", err)
 			}

-			// Allow time for route changes to be applied before sending
-			// the DNS response (relevant on iOS where setTunnelNetworkSettings
-			// is asynchronous).
-			waitForRouteSettlement(logger)
-
 			d.replaceIPsInDNSResponse(r, newPrefixes, logger)
 		}
 	}
--- a/client/internal/routemanager/dnsinterceptor/handler_ios.go
+++ b/client/internal/routemanager/dnsinterceptor/handler_ios.go
@@ -1,20 +0,0 @@
-//go:build ios
-
-package dnsinterceptor
-
-import (
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const routeSettleDelay = 500 * time.Millisecond
-
-// waitForRouteSettlement introduces a short delay on iOS to allow
-// setTunnelNetworkSettings to apply route changes before the DNS
-// response reaches the application. Without this, the first request
-// to a newly resolved domain may bypass the tunnel.
-func waitForRouteSettlement(logger *log.Entry) {
-	logger.Tracef("waiting %v for iOS route settlement", routeSettleDelay)
-	time.Sleep(routeSettleDelay)
-}
--- a/client/internal/routemanager/dnsinterceptor/handler_nonios.go
+++ b/client/internal/routemanager/dnsinterceptor/handler_nonios.go
@@ -1,12 +0,0 @@
-//go:build !ios
-
-package dnsinterceptor
-
-import log "github.com/sirupsen/logrus"
-
-func waitForRouteSettlement(_ *log.Entry) {
-	// No-op on non-iOS platforms: route changes are applied synchronously by
-	// the kernel, so no settlement delay is needed before the DNS response
-	// reaches the application. The delay is only required on iOS where
-	// setTunnelNetworkSettings applies routes asynchronously.
-}
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -346,23 +346,6 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 	}

 	var merr *multierror.Error
-
-	// Begin batch mode to avoid calling applyHostConfig() after each DNS handler operation
-	batchStarted := false
-	if m.dnsServer != nil {
-		m.dnsServer.BeginBatch()
-		batchStarted = true
-		defer func() {
-			if merr != nil {
-				// On error, cancel batch to discard partial DNS state
-				m.dnsServer.CancelBatch()
-			} else {
-				// On success, apply accumulated DNS changes
-				m.dnsServer.EndBatch()
-			}
-		}()
-	}
-
 	for id, handler := range toRemove {
 		if err := handler.RemoveRoute(); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("remove route %s: %w", handler.String(), err))
@@ -393,7 +376,6 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 		m.activeRoutes[id] = handler
 	}

-	_ = batchStarted // Mark as used
 	return nberrors.FormatErrorOrNil(merr)
 }

--- a/client/internal/sleep/handler/handler.go
+++ b/client/internal/sleep/handler/handler.go
@@ -1,80 +0,0 @@
-package handler
-
-import (
-	"context"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal"
-)
-
-type Agent interface {
-	Up(ctx context.Context) error
-	Down(ctx context.Context) error
-	Status() (internal.StatusType, error)
-}
-
-type SleepHandler struct {
-	agent Agent
-
-	mu sync.Mutex
-	// sleepTriggeredDown indicates whether the sleep handler triggered the last client down, to avoid unnecessary up on wake
-	sleepTriggeredDown bool
-}
-
-func New(agent Agent) *SleepHandler {
-	return &SleepHandler{
-		agent: agent,
-	}
-}
-
-func (s *SleepHandler) HandleWakeUp(ctx context.Context) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if !s.sleepTriggeredDown {
-		log.Info("skipping up because wasn't sleep down")
-		return nil
-	}
-
-	// avoid other wakeup runs if sleep didn't make the computer sleep
-	s.sleepTriggeredDown = false
-
-	log.Info("running up after wake up")
-	err := s.agent.Up(ctx)
-	if err != nil {
-		log.Errorf("running up failed: %v", err)
-		return err
-	}
-
-	log.Info("running up command executed successfully")
-	return nil
-}
-
-func (s *SleepHandler) HandleSleep(ctx context.Context) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	status, err := s.agent.Status()
-	if err != nil {
-		return err
-	}
-
-	if status != internal.StatusConnecting && status != internal.StatusConnected {
-		log.Infof("skipping setting the agent down because status is %s", status)
-		return nil
-	}
-
-	log.Info("running down after system started sleeping")
-
-	if err = s.agent.Down(ctx); err != nil {
-		log.Errorf("running down failed: %v", err)
-		return err
-	}
-
-	s.sleepTriggeredDown = true
-
-	log.Info("running down executed successfully")
-	return nil
-}
--- a/client/internal/sleep/handler/handler_test.go
+++ b/client/internal/sleep/handler/handler_test.go
@@ -1,153 +0,0 @@
-package handler
-
-import (
-	"context"
-	"errors"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal"
-)
-
-type mockAgent struct {
-	upErr     error
-	downErr   error
-	statusErr error
-	status    internal.StatusType
-	upCalls   int
-}
-
-func (m *mockAgent) Up(_ context.Context) error {
-	m.upCalls++
-	return m.upErr
-}
-
-func (m *mockAgent) Down(_ context.Context) error {
-	return m.downErr
-}
-
-func (m *mockAgent) Status() (internal.StatusType, error) {
-	return m.status, m.statusErr
-}
-
-func newHandler(status internal.StatusType) (*SleepHandler, *mockAgent) {
-	agent := &mockAgent{status: status}
-	return New(agent), agent
-}
-
-func TestHandleWakeUp_SkipsWhenFlagFalse(t *testing.T) {
-	h, agent := newHandler(internal.StatusIdle)
-
-	err := h.HandleWakeUp(context.Background())
-
-	require.NoError(t, err)
-	assert.Equal(t, 0, agent.upCalls, "Up should not be called when flag is false")
-}
-
-func TestHandleWakeUp_ResetsFlagBeforeUp(t *testing.T) {
-	h, _ := newHandler(internal.StatusIdle)
-	h.sleepTriggeredDown = true
-
-	// Even if Up fails, flag should be reset
-	_ = h.HandleWakeUp(context.Background())
-
-	assert.False(t, h.sleepTriggeredDown, "flag must be reset before calling Up")
-}
-
-func TestHandleWakeUp_CallsUpWhenFlagSet(t *testing.T) {
-	h, agent := newHandler(internal.StatusIdle)
-	h.sleepTriggeredDown = true
-
-	err := h.HandleWakeUp(context.Background())
-
-	require.NoError(t, err)
-	assert.Equal(t, 1, agent.upCalls)
-	assert.False(t, h.sleepTriggeredDown)
-}
-
-func TestHandleWakeUp_ReturnsErrorFromUp(t *testing.T) {
-	h, agent := newHandler(internal.StatusIdle)
-	h.sleepTriggeredDown = true
-	agent.upErr = errors.New("up failed")
-
-	err := h.HandleWakeUp(context.Background())
-
-	assert.ErrorIs(t, err, agent.upErr)
-	assert.False(t, h.sleepTriggeredDown, "flag should still be reset even when Up fails")
-}
-
-func TestHandleWakeUp_SecondCallIsNoOp(t *testing.T) {
-	h, agent := newHandler(internal.StatusIdle)
-	h.sleepTriggeredDown = true
-
-	_ = h.HandleWakeUp(context.Background())
-	err := h.HandleWakeUp(context.Background())
-
-	require.NoError(t, err)
-	assert.Equal(t, 1, agent.upCalls, "second wakeup should be no-op")
-}
-
-func TestHandleSleep_SkipsForNonActiveStates(t *testing.T) {
-	tests := []struct {
-		name   string
-		status internal.StatusType
-	}{
-		{"Idle", internal.StatusIdle},
-		{"NeedsLogin", internal.StatusNeedsLogin},
-		{"LoginFailed", internal.StatusLoginFailed},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			h, _ := newHandler(tt.status)
-
-			err := h.HandleSleep(context.Background())
-
-			require.NoError(t, err)
-			assert.False(t, h.sleepTriggeredDown)
-		})
-	}
-}
-
-func TestHandleSleep_ProceedsForActiveStates(t *testing.T) {
-	tests := []struct {
-		name   string
-		status internal.StatusType
-	}{
-		{"Connecting", internal.StatusConnecting},
-		{"Connected", internal.StatusConnected},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			h, _ := newHandler(tt.status)
-
-			err := h.HandleSleep(context.Background())
-
-			require.NoError(t, err)
-			assert.True(t, h.sleepTriggeredDown)
-		})
-	}
-}
-
-func TestHandleSleep_ReturnsErrorFromStatus(t *testing.T) {
-	agent := &mockAgent{statusErr: errors.New("status error")}
-	h := New(agent)
-
-	err := h.HandleSleep(context.Background())
-
-	assert.ErrorIs(t, err, agent.statusErr)
-	assert.False(t, h.sleepTriggeredDown)
-}
-
-func TestHandleSleep_ReturnsErrorFromDown(t *testing.T) {
-	agent := &mockAgent{status: internal.StatusConnected, downErr: errors.New("down failed")}
-	h := New(agent)
-
-	err := h.HandleSleep(context.Background())
-
-	assert.ErrorIs(t, err, agent.downErr)
-	assert.False(t, h.sleepTriggeredDown, "flag should not be set when Down fails")
-}
--- a/client/ios/NetBirdSDK/env_list.go
+++ b/client/ios/NetBirdSDK/env_list.go
@@ -2,10 +2,7 @@

 package NetBirdSDK

-import (
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
+import "github.com/netbirdio/netbird/client/internal/peer"

 // EnvList is an exported struct to be bound by gomobile
 type EnvList struct {
@@ -35,13 +32,3 @@ func (el *EnvList) AllItems() map[string]string {
 func GetEnvKeyNBForceRelay() string {
 	return peer.EnvKeyNBForceRelay
 }
-
-// GetEnvKeyNBLazyConn Exports the environment variable for the iOS client
-func GetEnvKeyNBLazyConn() string {
-	return lazyconn.EnvEnableLazyConn
-}
-
-// GetEnvKeyNBInactivityThreshold Exports the environment variable for the iOS client
-func GetEnvKeyNBInactivityThreshold() string {
-	return lazyconn.EnvInactivityThreshold
-}
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.6
-// 	protoc        v6.33.3
+// 	protoc        v6.32.1
 // source: daemon.proto

 package proto
@@ -88,58 +88,6 @@ func (LogLevel) EnumDescriptor() ([]byte, []int) {
 	return file_daemon_proto_rawDescGZIP(), []int{0}
 }

-type ExposeProtocol int32
-
-const (
-	ExposeProtocol_EXPOSE_HTTP  ExposeProtocol = 0
-	ExposeProtocol_EXPOSE_HTTPS ExposeProtocol = 1
-	ExposeProtocol_EXPOSE_TCP   ExposeProtocol = 2
-	ExposeProtocol_EXPOSE_UDP   ExposeProtocol = 3
-)
-
-// Enum value maps for ExposeProtocol.
-var (
-	ExposeProtocol_name = map[int32]string{
-		0: "EXPOSE_HTTP",
-		1: "EXPOSE_HTTPS",
-		2: "EXPOSE_TCP",
-		3: "EXPOSE_UDP",
-	}
-	ExposeProtocol_value = map[string]int32{
-		"EXPOSE_HTTP":  0,
-		"EXPOSE_HTTPS": 1,
-		"EXPOSE_TCP":   2,
-		"EXPOSE_UDP":   3,
-	}
-)
-
-func (x ExposeProtocol) Enum() *ExposeProtocol {
-	p := new(ExposeProtocol)
-	*p = x
-	return p
-}
-
-func (x ExposeProtocol) String() string {
-	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
-}
-
-func (ExposeProtocol) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_proto_enumTypes[1].Descriptor()
-}
-
-func (ExposeProtocol) Type() protoreflect.EnumType {
-	return &file_daemon_proto_enumTypes[1]
-}
-
-func (x ExposeProtocol) Number() protoreflect.EnumNumber {
-	return protoreflect.EnumNumber(x)
-}
-
-// Deprecated: Use ExposeProtocol.Descriptor instead.
-func (ExposeProtocol) EnumDescriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{1}
-}
-
 // avoid collision with loglevel enum
 type OSLifecycleRequest_CycleType int32

@@ -174,11 +122,11 @@ func (x OSLifecycleRequest_CycleType) String() string {
 }

 func (OSLifecycleRequest_CycleType) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_proto_enumTypes[2].Descriptor()
+	return file_daemon_proto_enumTypes[1].Descriptor()
 }

 func (OSLifecycleRequest_CycleType) Type() protoreflect.EnumType {
-	return &file_daemon_proto_enumTypes[2]
+	return &file_daemon_proto_enumTypes[1]
 }

 func (x OSLifecycleRequest_CycleType) Number() protoreflect.EnumNumber {
@@ -226,11 +174,11 @@ func (x SystemEvent_Severity) String() string {
 }

 func (SystemEvent_Severity) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_proto_enumTypes[3].Descriptor()
+	return file_daemon_proto_enumTypes[2].Descriptor()
 }

 func (SystemEvent_Severity) Type() protoreflect.EnumType {
-	return &file_daemon_proto_enumTypes[3]
+	return &file_daemon_proto_enumTypes[2]
 }

 func (x SystemEvent_Severity) Number() protoreflect.EnumNumber {
@@ -281,11 +229,11 @@ func (x SystemEvent_Category) String() string {
 }

 func (SystemEvent_Category) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_proto_enumTypes[4].Descriptor()
+	return file_daemon_proto_enumTypes[3].Descriptor()
 }

 func (SystemEvent_Category) Type() protoreflect.EnumType {
-	return &file_daemon_proto_enumTypes[4]
+	return &file_daemon_proto_enumTypes[3]
 }

 func (x SystemEvent_Category) Number() protoreflect.EnumNumber {
@@ -5652,224 +5600,6 @@ func (x *InstallerResultResponse) GetErrorMsg() string {
 	return ""
 }

-type ExposeServiceRequest struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Port          uint32                 `protobuf:"varint,1,opt,name=port,proto3" json:"port,omitempty"`
-	Protocol      ExposeProtocol         `protobuf:"varint,2,opt,name=protocol,proto3,enum=daemon.ExposeProtocol" json:"protocol,omitempty"`
-	Pin           string                 `protobuf:"bytes,3,opt,name=pin,proto3" json:"pin,omitempty"`
-	Password      string                 `protobuf:"bytes,4,opt,name=password,proto3" json:"password,omitempty"`
-	UserGroups    []string               `protobuf:"bytes,5,rep,name=user_groups,json=userGroups,proto3" json:"user_groups,omitempty"`
-	Domain        string                 `protobuf:"bytes,6,opt,name=domain,proto3" json:"domain,omitempty"`
-	NamePrefix    string                 `protobuf:"bytes,7,opt,name=name_prefix,json=namePrefix,proto3" json:"name_prefix,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *ExposeServiceRequest) Reset() {
-	*x = ExposeServiceRequest{}
-	mi := &file_daemon_proto_msgTypes[85]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *ExposeServiceRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*ExposeServiceRequest) ProtoMessage() {}
-
-func (x *ExposeServiceRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[85]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use ExposeServiceRequest.ProtoReflect.Descriptor instead.
-func (*ExposeServiceRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{85}
-}
-
-func (x *ExposeServiceRequest) GetPort() uint32 {
-	if x != nil {
-		return x.Port
-	}
-	return 0
-}
-
-func (x *ExposeServiceRequest) GetProtocol() ExposeProtocol {
-	if x != nil {
-		return x.Protocol
-	}
-	return ExposeProtocol_EXPOSE_HTTP
-}
-
-func (x *ExposeServiceRequest) GetPin() string {
-	if x != nil {
-		return x.Pin
-	}
-	return ""
-}
-
-func (x *ExposeServiceRequest) GetPassword() string {
-	if x != nil {
-		return x.Password
-	}
-	return ""
-}
-
-func (x *ExposeServiceRequest) GetUserGroups() []string {
-	if x != nil {
-		return x.UserGroups
-	}
-	return nil
-}
-
-func (x *ExposeServiceRequest) GetDomain() string {
-	if x != nil {
-		return x.Domain
-	}
-	return ""
-}
-
-func (x *ExposeServiceRequest) GetNamePrefix() string {
-	if x != nil {
-		return x.NamePrefix
-	}
-	return ""
-}
-
-type ExposeServiceEvent struct {
-	state protoimpl.MessageState `protogen:"open.v1"`
-	// Types that are valid to be assigned to Event:
-	//
-	//	*ExposeServiceEvent_Ready
-	Event         isExposeServiceEvent_Event `protobuf_oneof:"event"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *ExposeServiceEvent) Reset() {
-	*x = ExposeServiceEvent{}
-	mi := &file_daemon_proto_msgTypes[86]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *ExposeServiceEvent) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*ExposeServiceEvent) ProtoMessage() {}
-
-func (x *ExposeServiceEvent) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[86]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use ExposeServiceEvent.ProtoReflect.Descriptor instead.
-func (*ExposeServiceEvent) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{86}
-}
-
-func (x *ExposeServiceEvent) GetEvent() isExposeServiceEvent_Event {
-	if x != nil {
-		return x.Event
-	}
-	return nil
-}
-
-func (x *ExposeServiceEvent) GetReady() *ExposeServiceReady {
-	if x != nil {
-		if x, ok := x.Event.(*ExposeServiceEvent_Ready); ok {
-			return x.Ready
-		}
-	}
-	return nil
-}
-
-type isExposeServiceEvent_Event interface {
-	isExposeServiceEvent_Event()
-}
-
-type ExposeServiceEvent_Ready struct {
-	Ready *ExposeServiceReady `protobuf:"bytes,1,opt,name=ready,proto3,oneof"`
-}
-
-func (*ExposeServiceEvent_Ready) isExposeServiceEvent_Event() {}
-
-type ExposeServiceReady struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	ServiceName   string                 `protobuf:"bytes,1,opt,name=service_name,json=serviceName,proto3" json:"service_name,omitempty"`
-	ServiceUrl    string                 `protobuf:"bytes,2,opt,name=service_url,json=serviceUrl,proto3" json:"service_url,omitempty"`
-	Domain        string                 `protobuf:"bytes,3,opt,name=domain,proto3" json:"domain,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *ExposeServiceReady) Reset() {
-	*x = ExposeServiceReady{}
-	mi := &file_daemon_proto_msgTypes[87]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *ExposeServiceReady) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*ExposeServiceReady) ProtoMessage() {}
-
-func (x *ExposeServiceReady) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[87]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use ExposeServiceReady.ProtoReflect.Descriptor instead.
-func (*ExposeServiceReady) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{87}
-}
-
-func (x *ExposeServiceReady) GetServiceName() string {
-	if x != nil {
-		return x.ServiceName
-	}
-	return ""
-}
-
-func (x *ExposeServiceReady) GetServiceUrl() string {
-	if x != nil {
-		return x.ServiceUrl
-	}
-	return ""
-}
-
-func (x *ExposeServiceReady) GetDomain() string {
-	if x != nil {
-		return x.Domain
-	}
-	return ""
-}
-
 type PortInfo_Range struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Start         uint32                 `protobuf:"varint,1,opt,name=start,proto3" json:"start,omitempty"`
@@ -5880,7 +5610,7 @@ type PortInfo_Range struct {

 func (x *PortInfo_Range) Reset() {
 	*x = PortInfo_Range{}
-	mi := &file_daemon_proto_msgTypes[89]
+	mi := &file_daemon_proto_msgTypes[86]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -5892,7 +5622,7 @@ func (x *PortInfo_Range) String() string {
 func (*PortInfo_Range) ProtoMessage() {}

 func (x *PortInfo_Range) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[89]
+	mi := &file_daemon_proto_msgTypes[86]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -6419,25 +6149,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x16InstallerResultRequest\"O\n" +
 	"\x17InstallerResultResponse\x12\x18\n" +
 	"\asuccess\x18\x01 \x01(\bR\asuccess\x12\x1a\n" +
-	"\berrorMsg\x18\x02 \x01(\tR\berrorMsg\"\xe6\x01\n" +
-	"\x14ExposeServiceRequest\x12\x12\n" +
-	"\x04port\x18\x01 \x01(\rR\x04port\x122\n" +
-	"\bprotocol\x18\x02 \x01(\x0e2\x16.daemon.ExposeProtocolR\bprotocol\x12\x10\n" +
-	"\x03pin\x18\x03 \x01(\tR\x03pin\x12\x1a\n" +
-	"\bpassword\x18\x04 \x01(\tR\bpassword\x12\x1f\n" +
-	"\vuser_groups\x18\x05 \x03(\tR\n" +
-	"userGroups\x12\x16\n" +
-	"\x06domain\x18\x06 \x01(\tR\x06domain\x12\x1f\n" +
-	"\vname_prefix\x18\a \x01(\tR\n" +
-	"namePrefix\"Q\n" +
-	"\x12ExposeServiceEvent\x122\n" +
-	"\x05ready\x18\x01 \x01(\v2\x1a.daemon.ExposeServiceReadyH\x00R\x05readyB\a\n" +
-	"\x05event\"p\n" +
-	"\x12ExposeServiceReady\x12!\n" +
-	"\fservice_name\x18\x01 \x01(\tR\vserviceName\x12\x1f\n" +
-	"\vservice_url\x18\x02 \x01(\tR\n" +
-	"serviceUrl\x12\x16\n" +
-	"\x06domain\x18\x03 \x01(\tR\x06domain*b\n" +
+	"\berrorMsg\x18\x02 \x01(\tR\berrorMsg*b\n" +
 	"\bLogLevel\x12\v\n" +
 	"\aUNKNOWN\x10\x00\x12\t\n" +
 	"\x05PANIC\x10\x01\x12\t\n" +
@@ -6446,14 +6158,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x04WARN\x10\x04\x12\b\n" +
 	"\x04INFO\x10\x05\x12\t\n" +
 	"\x05DEBUG\x10\x06\x12\t\n" +
-	"\x05TRACE\x10\a*S\n" +
-	"\x0eExposeProtocol\x12\x0f\n" +
-	"\vEXPOSE_HTTP\x10\x00\x12\x10\n" +
-	"\fEXPOSE_HTTPS\x10\x01\x12\x0e\n" +
-	"\n" +
-	"EXPOSE_TCP\x10\x02\x12\x0e\n" +
-	"\n" +
-	"EXPOSE_UDP\x10\x032\xac\x15\n" +
+	"\x05TRACE\x10\a2\xdd\x14\n" +
 	"\rDaemonService\x126\n" +
 	"\x05Login\x12\x14.daemon.LoginRequest\x1a\x15.daemon.LoginResponse\"\x00\x12K\n" +
 	"\fWaitSSOLogin\x12\x1b.daemon.WaitSSOLoginRequest\x1a\x1c.daemon.WaitSSOLoginResponse\"\x00\x12-\n" +
@@ -6492,8 +6197,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x0fStartCPUProfile\x12\x1e.daemon.StartCPUProfileRequest\x1a\x1f.daemon.StartCPUProfileResponse\"\x00\x12Q\n" +
 	"\x0eStopCPUProfile\x12\x1d.daemon.StopCPUProfileRequest\x1a\x1e.daemon.StopCPUProfileResponse\"\x00\x12N\n" +
 	"\x11NotifyOSLifecycle\x12\x1a.daemon.OSLifecycleRequest\x1a\x1b.daemon.OSLifecycleResponse\"\x00\x12W\n" +
-	"\x12GetInstallerResult\x12\x1e.daemon.InstallerResultRequest\x1a\x1f.daemon.InstallerResultResponse\"\x00\x12M\n" +
-	"\rExposeService\x12\x1c.daemon.ExposeServiceRequest\x1a\x1a.daemon.ExposeServiceEvent\"\x000\x01B\bZ\x06/protob\x06proto3"
+	"\x12GetInstallerResult\x12\x1e.daemon.InstallerResultRequest\x1a\x1f.daemon.InstallerResultResponse\"\x00B\bZ\x06/protob\x06proto3"

 var (
 	file_daemon_proto_rawDescOnce sync.Once
@@ -6507,222 +6211,214 @@ func file_daemon_proto_rawDescGZIP() []byte {
 	return file_daemon_proto_rawDescData
 }

-var file_daemon_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
-var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 91)
+var file_daemon_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
+var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 88)
 var file_daemon_proto_goTypes = []any{
 	(LogLevel)(0),                              // 0: daemon.LogLevel
-	(ExposeProtocol)(0),                        // 1: daemon.ExposeProtocol
-	(OSLifecycleRequest_CycleType)(0),          // 2: daemon.OSLifecycleRequest.CycleType
-	(SystemEvent_Severity)(0),                  // 3: daemon.SystemEvent.Severity
-	(SystemEvent_Category)(0),                  // 4: daemon.SystemEvent.Category
-	(*EmptyRequest)(nil),                       // 5: daemon.EmptyRequest
-	(*OSLifecycleRequest)(nil),                 // 6: daemon.OSLifecycleRequest
-	(*OSLifecycleResponse)(nil),                // 7: daemon.OSLifecycleResponse
-	(*LoginRequest)(nil),                       // 8: daemon.LoginRequest
-	(*LoginResponse)(nil),                      // 9: daemon.LoginResponse
-	(*WaitSSOLoginRequest)(nil),                // 10: daemon.WaitSSOLoginRequest
-	(*WaitSSOLoginResponse)(nil),               // 11: daemon.WaitSSOLoginResponse
-	(*UpRequest)(nil),                          // 12: daemon.UpRequest
-	(*UpResponse)(nil),                         // 13: daemon.UpResponse
-	(*StatusRequest)(nil),                      // 14: daemon.StatusRequest
-	(*StatusResponse)(nil),                     // 15: daemon.StatusResponse
-	(*DownRequest)(nil),                        // 16: daemon.DownRequest
-	(*DownResponse)(nil),                       // 17: daemon.DownResponse
-	(*GetConfigRequest)(nil),                   // 18: daemon.GetConfigRequest
-	(*GetConfigResponse)(nil),                  // 19: daemon.GetConfigResponse
-	(*PeerState)(nil),                          // 20: daemon.PeerState
-	(*LocalPeerState)(nil),                     // 21: daemon.LocalPeerState
-	(*SignalState)(nil),                        // 22: daemon.SignalState
-	(*ManagementState)(nil),                    // 23: daemon.ManagementState
-	(*RelayState)(nil),                         // 24: daemon.RelayState
-	(*NSGroupState)(nil),                       // 25: daemon.NSGroupState
-	(*SSHSessionInfo)(nil),                     // 26: daemon.SSHSessionInfo
-	(*SSHServerState)(nil),                     // 27: daemon.SSHServerState
-	(*FullStatus)(nil),                         // 28: daemon.FullStatus
-	(*ListNetworksRequest)(nil),                // 29: daemon.ListNetworksRequest
-	(*ListNetworksResponse)(nil),               // 30: daemon.ListNetworksResponse
-	(*SelectNetworksRequest)(nil),              // 31: daemon.SelectNetworksRequest
-	(*SelectNetworksResponse)(nil),             // 32: daemon.SelectNetworksResponse
-	(*IPList)(nil),                             // 33: daemon.IPList
-	(*Network)(nil),                            // 34: daemon.Network
-	(*PortInfo)(nil),                           // 35: daemon.PortInfo
-	(*ForwardingRule)(nil),                     // 36: daemon.ForwardingRule
-	(*ForwardingRulesResponse)(nil),            // 37: daemon.ForwardingRulesResponse
-	(*DebugBundleRequest)(nil),                 // 38: daemon.DebugBundleRequest
-	(*DebugBundleResponse)(nil),                // 39: daemon.DebugBundleResponse
-	(*GetLogLevelRequest)(nil),                 // 40: daemon.GetLogLevelRequest
-	(*GetLogLevelResponse)(nil),                // 41: daemon.GetLogLevelResponse
-	(*SetLogLevelRequest)(nil),                 // 42: daemon.SetLogLevelRequest
-	(*SetLogLevelResponse)(nil),                // 43: daemon.SetLogLevelResponse
-	(*State)(nil),                              // 44: daemon.State
-	(*ListStatesRequest)(nil),                  // 45: daemon.ListStatesRequest
-	(*ListStatesResponse)(nil),                 // 46: daemon.ListStatesResponse
-	(*CleanStateRequest)(nil),                  // 47: daemon.CleanStateRequest
-	(*CleanStateResponse)(nil),                 // 48: daemon.CleanStateResponse
-	(*DeleteStateRequest)(nil),                 // 49: daemon.DeleteStateRequest
-	(*DeleteStateResponse)(nil),                // 50: daemon.DeleteStateResponse
-	(*SetSyncResponsePersistenceRequest)(nil),  // 51: daemon.SetSyncResponsePersistenceRequest
-	(*SetSyncResponsePersistenceResponse)(nil), // 52: daemon.SetSyncResponsePersistenceResponse
-	(*TCPFlags)(nil),                           // 53: daemon.TCPFlags
-	(*TracePacketRequest)(nil),                 // 54: daemon.TracePacketRequest
-	(*TraceStage)(nil),                         // 55: daemon.TraceStage
-	(*TracePacketResponse)(nil),                // 56: daemon.TracePacketResponse
-	(*SubscribeRequest)(nil),                   // 57: daemon.SubscribeRequest
-	(*SystemEvent)(nil),                        // 58: daemon.SystemEvent
-	(*GetEventsRequest)(nil),                   // 59: daemon.GetEventsRequest
-	(*GetEventsResponse)(nil),                  // 60: daemon.GetEventsResponse
-	(*SwitchProfileRequest)(nil),               // 61: daemon.SwitchProfileRequest
-	(*SwitchProfileResponse)(nil),              // 62: daemon.SwitchProfileResponse
-	(*SetConfigRequest)(nil),                   // 63: daemon.SetConfigRequest
-	(*SetConfigResponse)(nil),                  // 64: daemon.SetConfigResponse
-	(*AddProfileRequest)(nil),                  // 65: daemon.AddProfileRequest
-	(*AddProfileResponse)(nil),                 // 66: daemon.AddProfileResponse
-	(*RemoveProfileRequest)(nil),               // 67: daemon.RemoveProfileRequest
-	(*RemoveProfileResponse)(nil),              // 68: daemon.RemoveProfileResponse
-	(*ListProfilesRequest)(nil),                // 69: daemon.ListProfilesRequest
-	(*ListProfilesResponse)(nil),               // 70: daemon.ListProfilesResponse
-	(*Profile)(nil),                            // 71: daemon.Profile
-	(*GetActiveProfileRequest)(nil),            // 72: daemon.GetActiveProfileRequest
-	(*GetActiveProfileResponse)(nil),           // 73: daemon.GetActiveProfileResponse
-	(*LogoutRequest)(nil),                      // 74: daemon.LogoutRequest
-	(*LogoutResponse)(nil),                     // 75: daemon.LogoutResponse
-	(*GetFeaturesRequest)(nil),                 // 76: daemon.GetFeaturesRequest
-	(*GetFeaturesResponse)(nil),                // 77: daemon.GetFeaturesResponse
-	(*GetPeerSSHHostKeyRequest)(nil),           // 78: daemon.GetPeerSSHHostKeyRequest
-	(*GetPeerSSHHostKeyResponse)(nil),          // 79: daemon.GetPeerSSHHostKeyResponse
-	(*RequestJWTAuthRequest)(nil),              // 80: daemon.RequestJWTAuthRequest
-	(*RequestJWTAuthResponse)(nil),             // 81: daemon.RequestJWTAuthResponse
-	(*WaitJWTTokenRequest)(nil),                // 82: daemon.WaitJWTTokenRequest
-	(*WaitJWTTokenResponse)(nil),               // 83: daemon.WaitJWTTokenResponse
-	(*StartCPUProfileRequest)(nil),             // 84: daemon.StartCPUProfileRequest
-	(*StartCPUProfileResponse)(nil),            // 85: daemon.StartCPUProfileResponse
-	(*StopCPUProfileRequest)(nil),              // 86: daemon.StopCPUProfileRequest
-	(*StopCPUProfileResponse)(nil),             // 87: daemon.StopCPUProfileResponse
-	(*InstallerResultRequest)(nil),             // 88: daemon.InstallerResultRequest
-	(*InstallerResultResponse)(nil),            // 89: daemon.InstallerResultResponse
-	(*ExposeServiceRequest)(nil),               // 90: daemon.ExposeServiceRequest
-	(*ExposeServiceEvent)(nil),                 // 91: daemon.ExposeServiceEvent
-	(*ExposeServiceReady)(nil),                 // 92: daemon.ExposeServiceReady
-	nil,                                        // 93: daemon.Network.ResolvedIPsEntry
-	(*PortInfo_Range)(nil),                     // 94: daemon.PortInfo.Range
-	nil,                                        // 95: daemon.SystemEvent.MetadataEntry
-	(*durationpb.Duration)(nil),                // 96: google.protobuf.Duration
-	(*timestamppb.Timestamp)(nil),              // 97: google.protobuf.Timestamp
+	(OSLifecycleRequest_CycleType)(0),          // 1: daemon.OSLifecycleRequest.CycleType
+	(SystemEvent_Severity)(0),                  // 2: daemon.SystemEvent.Severity
+	(SystemEvent_Category)(0),                  // 3: daemon.SystemEvent.Category
+	(*EmptyRequest)(nil),                       // 4: daemon.EmptyRequest
+	(*OSLifecycleRequest)(nil),                 // 5: daemon.OSLifecycleRequest
+	(*OSLifecycleResponse)(nil),                // 6: daemon.OSLifecycleResponse
+	(*LoginRequest)(nil),                       // 7: daemon.LoginRequest
+	(*LoginResponse)(nil),                      // 8: daemon.LoginResponse
+	(*WaitSSOLoginRequest)(nil),                // 9: daemon.WaitSSOLoginRequest
+	(*WaitSSOLoginResponse)(nil),               // 10: daemon.WaitSSOLoginResponse
+	(*UpRequest)(nil),                          // 11: daemon.UpRequest
+	(*UpResponse)(nil),                         // 12: daemon.UpResponse
+	(*StatusRequest)(nil),                      // 13: daemon.StatusRequest
+	(*StatusResponse)(nil),                     // 14: daemon.StatusResponse
+	(*DownRequest)(nil),                        // 15: daemon.DownRequest
+	(*DownResponse)(nil),                       // 16: daemon.DownResponse
+	(*GetConfigRequest)(nil),                   // 17: daemon.GetConfigRequest
+	(*GetConfigResponse)(nil),                  // 18: daemon.GetConfigResponse
+	(*PeerState)(nil),                          // 19: daemon.PeerState
+	(*LocalPeerState)(nil),                     // 20: daemon.LocalPeerState
+	(*SignalState)(nil),                        // 21: daemon.SignalState
+	(*ManagementState)(nil),                    // 22: daemon.ManagementState
+	(*RelayState)(nil),                         // 23: daemon.RelayState
+	(*NSGroupState)(nil),                       // 24: daemon.NSGroupState
+	(*SSHSessionInfo)(nil),                     // 25: daemon.SSHSessionInfo
+	(*SSHServerState)(nil),                     // 26: daemon.SSHServerState
+	(*FullStatus)(nil),                         // 27: daemon.FullStatus
+	(*ListNetworksRequest)(nil),                // 28: daemon.ListNetworksRequest
+	(*ListNetworksResponse)(nil),               // 29: daemon.ListNetworksResponse
+	(*SelectNetworksRequest)(nil),              // 30: daemon.SelectNetworksRequest
+	(*SelectNetworksResponse)(nil),             // 31: daemon.SelectNetworksResponse
+	(*IPList)(nil),                             // 32: daemon.IPList
+	(*Network)(nil),                            // 33: daemon.Network
+	(*PortInfo)(nil),                           // 34: daemon.PortInfo
+	(*ForwardingRule)(nil),                     // 35: daemon.ForwardingRule
+	(*ForwardingRulesResponse)(nil),            // 36: daemon.ForwardingRulesResponse
+	(*DebugBundleRequest)(nil),                 // 37: daemon.DebugBundleRequest
+	(*DebugBundleResponse)(nil),                // 38: daemon.DebugBundleResponse
+	(*GetLogLevelRequest)(nil),                 // 39: daemon.GetLogLevelRequest
+	(*GetLogLevelResponse)(nil),                // 40: daemon.GetLogLevelResponse
+	(*SetLogLevelRequest)(nil),                 // 41: daemon.SetLogLevelRequest
+	(*SetLogLevelResponse)(nil),                // 42: daemon.SetLogLevelResponse
+	(*State)(nil),                              // 43: daemon.State
+	(*ListStatesRequest)(nil),                  // 44: daemon.ListStatesRequest
+	(*ListStatesResponse)(nil),                 // 45: daemon.ListStatesResponse
+	(*CleanStateRequest)(nil),                  // 46: daemon.CleanStateRequest
+	(*CleanStateResponse)(nil),                 // 47: daemon.CleanStateResponse
+	(*DeleteStateRequest)(nil),                 // 48: daemon.DeleteStateRequest
+	(*DeleteStateResponse)(nil),                // 49: daemon.DeleteStateResponse
+	(*SetSyncResponsePersistenceRequest)(nil),  // 50: daemon.SetSyncResponsePersistenceRequest
+	(*SetSyncResponsePersistenceResponse)(nil), // 51: daemon.SetSyncResponsePersistenceResponse
+	(*TCPFlags)(nil),                           // 52: daemon.TCPFlags
+	(*TracePacketRequest)(nil),                 // 53: daemon.TracePacketRequest
+	(*TraceStage)(nil),                         // 54: daemon.TraceStage
+	(*TracePacketResponse)(nil),                // 55: daemon.TracePacketResponse
+	(*SubscribeRequest)(nil),                   // 56: daemon.SubscribeRequest
+	(*SystemEvent)(nil),                        // 57: daemon.SystemEvent
+	(*GetEventsRequest)(nil),                   // 58: daemon.GetEventsRequest
+	(*GetEventsResponse)(nil),                  // 59: daemon.GetEventsResponse
+	(*SwitchProfileRequest)(nil),               // 60: daemon.SwitchProfileRequest
+	(*SwitchProfileResponse)(nil),              // 61: daemon.SwitchProfileResponse
+	(*SetConfigRequest)(nil),                   // 62: daemon.SetConfigRequest
+	(*SetConfigResponse)(nil),                  // 63: daemon.SetConfigResponse
+	(*AddProfileRequest)(nil),                  // 64: daemon.AddProfileRequest
+	(*AddProfileResponse)(nil),                 // 65: daemon.AddProfileResponse
+	(*RemoveProfileRequest)(nil),               // 66: daemon.RemoveProfileRequest
+	(*RemoveProfileResponse)(nil),              // 67: daemon.RemoveProfileResponse
+	(*ListProfilesRequest)(nil),                // 68: daemon.ListProfilesRequest
+	(*ListProfilesResponse)(nil),               // 69: daemon.ListProfilesResponse
+	(*Profile)(nil),                            // 70: daemon.Profile
+	(*GetActiveProfileRequest)(nil),            // 71: daemon.GetActiveProfileRequest
+	(*GetActiveProfileResponse)(nil),           // 72: daemon.GetActiveProfileResponse
+	(*LogoutRequest)(nil),                      // 73: daemon.LogoutRequest
+	(*LogoutResponse)(nil),                     // 74: daemon.LogoutResponse
+	(*GetFeaturesRequest)(nil),                 // 75: daemon.GetFeaturesRequest
+	(*GetFeaturesResponse)(nil),                // 76: daemon.GetFeaturesResponse
+	(*GetPeerSSHHostKeyRequest)(nil),           // 77: daemon.GetPeerSSHHostKeyRequest
+	(*GetPeerSSHHostKeyResponse)(nil),          // 78: daemon.GetPeerSSHHostKeyResponse
+	(*RequestJWTAuthRequest)(nil),              // 79: daemon.RequestJWTAuthRequest
+	(*RequestJWTAuthResponse)(nil),             // 80: daemon.RequestJWTAuthResponse
+	(*WaitJWTTokenRequest)(nil),                // 81: daemon.WaitJWTTokenRequest
+	(*WaitJWTTokenResponse)(nil),               // 82: daemon.WaitJWTTokenResponse
+	(*StartCPUProfileRequest)(nil),             // 83: daemon.StartCPUProfileRequest
+	(*StartCPUProfileResponse)(nil),            // 84: daemon.StartCPUProfileResponse
+	(*StopCPUProfileRequest)(nil),              // 85: daemon.StopCPUProfileRequest
+	(*StopCPUProfileResponse)(nil),             // 86: daemon.StopCPUProfileResponse
+	(*InstallerResultRequest)(nil),             // 87: daemon.InstallerResultRequest
+	(*InstallerResultResponse)(nil),            // 88: daemon.InstallerResultResponse
+	nil,                                        // 89: daemon.Network.ResolvedIPsEntry
+	(*PortInfo_Range)(nil),                     // 90: daemon.PortInfo.Range
+	nil,                                        // 91: daemon.SystemEvent.MetadataEntry
+	(*durationpb.Duration)(nil),                // 92: google.protobuf.Duration
+	(*timestamppb.Timestamp)(nil),              // 93: google.protobuf.Timestamp
 }
 var file_daemon_proto_depIdxs = []int32{
-	2,  // 0: daemon.OSLifecycleRequest.type:type_name -> daemon.OSLifecycleRequest.CycleType
-	96, // 1: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
-	28, // 2: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
-	97, // 3: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
-	97, // 4: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
-	96, // 5: daemon.PeerState.latency:type_name -> google.protobuf.Duration
-	26, // 6: daemon.SSHServerState.sessions:type_name -> daemon.SSHSessionInfo
-	23, // 7: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
-	22, // 8: daemon.FullStatus.signalState:type_name -> daemon.SignalState
-	21, // 9: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
-	20, // 10: daemon.FullStatus.peers:type_name -> daemon.PeerState
-	24, // 11: daemon.FullStatus.relays:type_name -> daemon.RelayState
-	25, // 12: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
-	58, // 13: daemon.FullStatus.events:type_name -> daemon.SystemEvent
-	27, // 14: daemon.FullStatus.sshServerState:type_name -> daemon.SSHServerState
-	34, // 15: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
-	93, // 16: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
-	94, // 17: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
-	35, // 18: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
-	35, // 19: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
-	36, // 20: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
+	1,  // 0: daemon.OSLifecycleRequest.type:type_name -> daemon.OSLifecycleRequest.CycleType
+	92, // 1: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	27, // 2: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
+	93, // 3: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
+	93, // 4: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
+	92, // 5: daemon.PeerState.latency:type_name -> google.protobuf.Duration
+	25, // 6: daemon.SSHServerState.sessions:type_name -> daemon.SSHSessionInfo
+	22, // 7: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
+	21, // 8: daemon.FullStatus.signalState:type_name -> daemon.SignalState
+	20, // 9: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
+	19, // 10: daemon.FullStatus.peers:type_name -> daemon.PeerState
+	23, // 11: daemon.FullStatus.relays:type_name -> daemon.RelayState
+	24, // 12: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
+	57, // 13: daemon.FullStatus.events:type_name -> daemon.SystemEvent
+	26, // 14: daemon.FullStatus.sshServerState:type_name -> daemon.SSHServerState
+	33, // 15: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
+	89, // 16: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
+	90, // 17: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
+	34, // 18: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
+	34, // 19: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
+	35, // 20: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
 	0,  // 21: daemon.GetLogLevelResponse.level:type_name -> daemon.LogLevel
 	0,  // 22: daemon.SetLogLevelRequest.level:type_name -> daemon.LogLevel
-	44, // 23: daemon.ListStatesResponse.states:type_name -> daemon.State
-	53, // 24: daemon.TracePacketRequest.tcp_flags:type_name -> daemon.TCPFlags
-	55, // 25: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
-	3,  // 26: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
-	4,  // 27: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
-	97, // 28: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
-	95, // 29: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
-	58, // 30: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
-	96, // 31: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
-	71, // 32: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
-	1,  // 33: daemon.ExposeServiceRequest.protocol:type_name -> daemon.ExposeProtocol
-	92, // 34: daemon.ExposeServiceEvent.ready:type_name -> daemon.ExposeServiceReady
-	33, // 35: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
-	8,  // 36: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
-	10, // 37: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
-	12, // 38: daemon.DaemonService.Up:input_type -> daemon.UpRequest
-	14, // 39: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
-	16, // 40: daemon.DaemonService.Down:input_type -> daemon.DownRequest
-	18, // 41: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
-	29, // 42: daemon.DaemonService.ListNetworks:input_type -> daemon.ListNetworksRequest
-	31, // 43: daemon.DaemonService.SelectNetworks:input_type -> daemon.SelectNetworksRequest
-	31, // 44: daemon.DaemonService.DeselectNetworks:input_type -> daemon.SelectNetworksRequest
-	5,  // 45: daemon.DaemonService.ForwardingRules:input_type -> daemon.EmptyRequest
-	38, // 46: daemon.DaemonService.DebugBundle:input_type -> daemon.DebugBundleRequest
-	40, // 47: daemon.DaemonService.GetLogLevel:input_type -> daemon.GetLogLevelRequest
-	42, // 48: daemon.DaemonService.SetLogLevel:input_type -> daemon.SetLogLevelRequest
-	45, // 49: daemon.DaemonService.ListStates:input_type -> daemon.ListStatesRequest
-	47, // 50: daemon.DaemonService.CleanState:input_type -> daemon.CleanStateRequest
-	49, // 51: daemon.DaemonService.DeleteState:input_type -> daemon.DeleteStateRequest
-	51, // 52: daemon.DaemonService.SetSyncResponsePersistence:input_type -> daemon.SetSyncResponsePersistenceRequest
-	54, // 53: daemon.DaemonService.TracePacket:input_type -> daemon.TracePacketRequest
-	57, // 54: daemon.DaemonService.SubscribeEvents:input_type -> daemon.SubscribeRequest
-	59, // 55: daemon.DaemonService.GetEvents:input_type -> daemon.GetEventsRequest
-	61, // 56: daemon.DaemonService.SwitchProfile:input_type -> daemon.SwitchProfileRequest
-	63, // 57: daemon.DaemonService.SetConfig:input_type -> daemon.SetConfigRequest
-	65, // 58: daemon.DaemonService.AddProfile:input_type -> daemon.AddProfileRequest
-	67, // 59: daemon.DaemonService.RemoveProfile:input_type -> daemon.RemoveProfileRequest
-	69, // 60: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
-	72, // 61: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
-	74, // 62: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
-	76, // 63: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
-	78, // 64: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
-	80, // 65: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
-	82, // 66: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
-	84, // 67: daemon.DaemonService.StartCPUProfile:input_type -> daemon.StartCPUProfileRequest
-	86, // 68: daemon.DaemonService.StopCPUProfile:input_type -> daemon.StopCPUProfileRequest
-	6,  // 69: daemon.DaemonService.NotifyOSLifecycle:input_type -> daemon.OSLifecycleRequest
-	88, // 70: daemon.DaemonService.GetInstallerResult:input_type -> daemon.InstallerResultRequest
-	90, // 71: daemon.DaemonService.ExposeService:input_type -> daemon.ExposeServiceRequest
-	9,  // 72: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
-	11, // 73: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
-	13, // 74: daemon.DaemonService.Up:output_type -> daemon.UpResponse
-	15, // 75: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
-	17, // 76: daemon.DaemonService.Down:output_type -> daemon.DownResponse
-	19, // 77: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
-	30, // 78: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
-	32, // 79: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
-	32, // 80: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
-	37, // 81: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
-	39, // 82: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
-	41, // 83: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
-	43, // 84: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
-	46, // 85: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
-	48, // 86: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
-	50, // 87: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
-	52, // 88: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
-	56, // 89: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
-	58, // 90: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
-	60, // 91: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
-	62, // 92: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
-	64, // 93: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
-	66, // 94: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
-	68, // 95: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
-	70, // 96: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
-	73, // 97: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
-	75, // 98: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
-	77, // 99: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
-	79, // 100: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
-	81, // 101: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
-	83, // 102: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
-	85, // 103: daemon.DaemonService.StartCPUProfile:output_type -> daemon.StartCPUProfileResponse
-	87, // 104: daemon.DaemonService.StopCPUProfile:output_type -> daemon.StopCPUProfileResponse
-	7,  // 105: daemon.DaemonService.NotifyOSLifecycle:output_type -> daemon.OSLifecycleResponse
-	89, // 106: daemon.DaemonService.GetInstallerResult:output_type -> daemon.InstallerResultResponse
-	91, // 107: daemon.DaemonService.ExposeService:output_type -> daemon.ExposeServiceEvent
-	72, // [72:108] is the sub-list for method output_type
-	36, // [36:72] is the sub-list for method input_type
-	36, // [36:36] is the sub-list for extension type_name
-	36, // [36:36] is the sub-list for extension extendee
-	0,  // [0:36] is the sub-list for field type_name
+	43, // 23: daemon.ListStatesResponse.states:type_name -> daemon.State
+	52, // 24: daemon.TracePacketRequest.tcp_flags:type_name -> daemon.TCPFlags
+	54, // 25: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
+	2,  // 26: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
+	3,  // 27: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
+	93, // 28: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
+	91, // 29: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
+	57, // 30: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
+	92, // 31: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	70, // 32: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
+	32, // 33: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
+	7,  // 34: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
+	9,  // 35: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
+	11, // 36: daemon.DaemonService.Up:input_type -> daemon.UpRequest
+	13, // 37: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
+	15, // 38: daemon.DaemonService.Down:input_type -> daemon.DownRequest
+	17, // 39: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
+	28, // 40: daemon.DaemonService.ListNetworks:input_type -> daemon.ListNetworksRequest
+	30, // 41: daemon.DaemonService.SelectNetworks:input_type -> daemon.SelectNetworksRequest
+	30, // 42: daemon.DaemonService.DeselectNetworks:input_type -> daemon.SelectNetworksRequest
+	4,  // 43: daemon.DaemonService.ForwardingRules:input_type -> daemon.EmptyRequest
+	37, // 44: daemon.DaemonService.DebugBundle:input_type -> daemon.DebugBundleRequest
+	39, // 45: daemon.DaemonService.GetLogLevel:input_type -> daemon.GetLogLevelRequest
+	41, // 46: daemon.DaemonService.SetLogLevel:input_type -> daemon.SetLogLevelRequest
+	44, // 47: daemon.DaemonService.ListStates:input_type -> daemon.ListStatesRequest
+	46, // 48: daemon.DaemonService.CleanState:input_type -> daemon.CleanStateRequest
+	48, // 49: daemon.DaemonService.DeleteState:input_type -> daemon.DeleteStateRequest
+	50, // 50: daemon.DaemonService.SetSyncResponsePersistence:input_type -> daemon.SetSyncResponsePersistenceRequest
+	53, // 51: daemon.DaemonService.TracePacket:input_type -> daemon.TracePacketRequest
+	56, // 52: daemon.DaemonService.SubscribeEvents:input_type -> daemon.SubscribeRequest
+	58, // 53: daemon.DaemonService.GetEvents:input_type -> daemon.GetEventsRequest
+	60, // 54: daemon.DaemonService.SwitchProfile:input_type -> daemon.SwitchProfileRequest
+	62, // 55: daemon.DaemonService.SetConfig:input_type -> daemon.SetConfigRequest
+	64, // 56: daemon.DaemonService.AddProfile:input_type -> daemon.AddProfileRequest
+	66, // 57: daemon.DaemonService.RemoveProfile:input_type -> daemon.RemoveProfileRequest
+	68, // 58: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
+	71, // 59: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
+	73, // 60: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
+	75, // 61: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
+	77, // 62: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
+	79, // 63: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
+	81, // 64: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
+	83, // 65: daemon.DaemonService.StartCPUProfile:input_type -> daemon.StartCPUProfileRequest
+	85, // 66: daemon.DaemonService.StopCPUProfile:input_type -> daemon.StopCPUProfileRequest
+	5,  // 67: daemon.DaemonService.NotifyOSLifecycle:input_type -> daemon.OSLifecycleRequest
+	87, // 68: daemon.DaemonService.GetInstallerResult:input_type -> daemon.InstallerResultRequest
+	8,  // 69: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	10, // 70: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	12, // 71: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	14, // 72: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	16, // 73: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	18, // 74: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	29, // 75: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
+	31, // 76: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
+	31, // 77: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
+	36, // 78: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
+	38, // 79: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
+	40, // 80: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
+	42, // 81: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
+	45, // 82: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
+	47, // 83: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
+	49, // 84: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
+	51, // 85: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
+	55, // 86: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
+	57, // 87: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
+	59, // 88: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
+	61, // 89: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
+	63, // 90: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
+	65, // 91: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
+	67, // 92: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
+	69, // 93: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
+	72, // 94: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
+	74, // 95: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
+	76, // 96: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
+	78, // 97: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
+	80, // 98: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
+	82, // 99: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
+	84, // 100: daemon.DaemonService.StartCPUProfile:output_type -> daemon.StartCPUProfileResponse
+	86, // 101: daemon.DaemonService.StopCPUProfile:output_type -> daemon.StopCPUProfileResponse
+	6,  // 102: daemon.DaemonService.NotifyOSLifecycle:output_type -> daemon.OSLifecycleResponse
+	88, // 103: daemon.DaemonService.GetInstallerResult:output_type -> daemon.InstallerResultResponse
+	69, // [69:104] is the sub-list for method output_type
+	34, // [34:69] is the sub-list for method input_type
+	34, // [34:34] is the sub-list for extension type_name
+	34, // [34:34] is the sub-list for extension extendee
+	0,  // [0:34] is the sub-list for field type_name
 }

 func init() { file_daemon_proto_init() }
@@ -6743,16 +6439,13 @@ func file_daemon_proto_init() {
 	file_daemon_proto_msgTypes[58].OneofWrappers = []any{}
 	file_daemon_proto_msgTypes[69].OneofWrappers = []any{}
 	file_daemon_proto_msgTypes[75].OneofWrappers = []any{}
-	file_daemon_proto_msgTypes[86].OneofWrappers = []any{
-		(*ExposeServiceEvent_Ready)(nil),
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_proto_rawDesc), len(file_daemon_proto_rawDesc)),
-			NumEnums:      5,
-			NumMessages:   91,
+			NumEnums:      4,
+			NumMessages:   88,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -103,9 +103,6 @@ service DaemonService {
  rpc NotifyOSLifecycle(OSLifecycleRequest) returns(OSLifecycleResponse) {}

  rpc GetInstallerResult(InstallerResultRequest) returns (InstallerResultResponse) {}
-
-  // ExposeService exposes a local port via the NetBird reverse proxy
-  rpc ExposeService(ExposeServiceRequest) returns (stream ExposeServiceEvent) {}
 }


@@ -804,32 +801,3 @@ message InstallerResultResponse {
  bool success = 1;
  string errorMsg = 2;
 }
-
-enum ExposeProtocol {
-  EXPOSE_HTTP = 0;
-  EXPOSE_HTTPS = 1;
-  EXPOSE_TCP = 2;
-  EXPOSE_UDP = 3;
-}
-
-message ExposeServiceRequest {
-  uint32 port = 1;
-  ExposeProtocol protocol = 2;
-  string pin = 3;
-  string password = 4;
-  repeated string user_groups = 5;
-  string domain = 6;
-  string name_prefix = 7;
-}
-
-message ExposeServiceEvent {
-  oneof event {
-    ExposeServiceReady ready = 1;
-  }
-}
-
-message ExposeServiceReady {
-  string service_name = 1;
-  string service_url = 2;
-  string domain = 3;
-}
--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
@@ -76,8 +76,6 @@ type DaemonServiceClient interface {
 	StopCPUProfile(ctx context.Context, in *StopCPUProfileRequest, opts ...grpc.CallOption) (*StopCPUProfileResponse, error)
 	NotifyOSLifecycle(ctx context.Context, in *OSLifecycleRequest, opts ...grpc.CallOption) (*OSLifecycleResponse, error)
 	GetInstallerResult(ctx context.Context, in *InstallerResultRequest, opts ...grpc.CallOption) (*InstallerResultResponse, error)
-	// ExposeService exposes a local port via the NetBird reverse proxy
-	ExposeService(ctx context.Context, in *ExposeServiceRequest, opts ...grpc.CallOption) (DaemonService_ExposeServiceClient, error)
 }

 type daemonServiceClient struct {
@@ -426,38 +424,6 @@ func (c *daemonServiceClient) GetInstallerResult(ctx context.Context, in *Instal
 	return out, nil
 }

-func (c *daemonServiceClient) ExposeService(ctx context.Context, in *ExposeServiceRequest, opts ...grpc.CallOption) (DaemonService_ExposeServiceClient, error) {
-	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[1], "/daemon.DaemonService/ExposeService", opts...)
-	if err != nil {
-		return nil, err
-	}
-	x := &daemonServiceExposeServiceClient{stream}
-	if err := x.ClientStream.SendMsg(in); err != nil {
-		return nil, err
-	}
-	if err := x.ClientStream.CloseSend(); err != nil {
-		return nil, err
-	}
-	return x, nil
-}
-
-type DaemonService_ExposeServiceClient interface {
-	Recv() (*ExposeServiceEvent, error)
-	grpc.ClientStream
-}
-
-type daemonServiceExposeServiceClient struct {
-	grpc.ClientStream
-}
-
-func (x *daemonServiceExposeServiceClient) Recv() (*ExposeServiceEvent, error) {
-	m := new(ExposeServiceEvent)
-	if err := x.ClientStream.RecvMsg(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
-
 // DaemonServiceServer is the server API for DaemonService service.
 // All implementations must embed UnimplementedDaemonServiceServer
 // for forward compatibility
@@ -520,8 +486,6 @@ type DaemonServiceServer interface {
 	StopCPUProfile(context.Context, *StopCPUProfileRequest) (*StopCPUProfileResponse, error)
 	NotifyOSLifecycle(context.Context, *OSLifecycleRequest) (*OSLifecycleResponse, error)
 	GetInstallerResult(context.Context, *InstallerResultRequest) (*InstallerResultResponse, error)
-	// ExposeService exposes a local port via the NetBird reverse proxy
-	ExposeService(*ExposeServiceRequest, DaemonService_ExposeServiceServer) error
 	mustEmbedUnimplementedDaemonServiceServer()
 }

@@ -634,9 +598,6 @@ func (UnimplementedDaemonServiceServer) NotifyOSLifecycle(context.Context, *OSLi
 func (UnimplementedDaemonServiceServer) GetInstallerResult(context.Context, *InstallerResultRequest) (*InstallerResultResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetInstallerResult not implemented")
 }
-func (UnimplementedDaemonServiceServer) ExposeService(*ExposeServiceRequest, DaemonService_ExposeServiceServer) error {
-	return status.Errorf(codes.Unimplemented, "method ExposeService not implemented")
-}
 func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}

 // UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
@@ -1283,27 +1244,6 @@ func _DaemonService_GetInstallerResult_Handler(srv interface{}, ctx context.Cont
 	return interceptor(ctx, in, info, handler)
 }

-func _DaemonService_ExposeService_Handler(srv interface{}, stream grpc.ServerStream) error {
-	m := new(ExposeServiceRequest)
-	if err := stream.RecvMsg(m); err != nil {
-		return err
-	}
-	return srv.(DaemonServiceServer).ExposeService(m, &daemonServiceExposeServiceServer{stream})
-}
-
-type DaemonService_ExposeServiceServer interface {
-	Send(*ExposeServiceEvent) error
-	grpc.ServerStream
-}
-
-type daemonServiceExposeServiceServer struct {
-	grpc.ServerStream
-}
-
-func (x *daemonServiceExposeServiceServer) Send(m *ExposeServiceEvent) error {
-	return x.ServerStream.SendMsg(m)
-}
-
 // DaemonService_ServiceDesc is the grpc.ServiceDesc for DaemonService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -1454,11 +1394,6 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			Handler:       _DaemonService_SubscribeEvents_Handler,
 			ServerStreams: true,
 		},
-		{
-			StreamName:    "ExposeService",
-			Handler:       _DaemonService_ExposeService_Handler,
-			ServerStreams: true,
-		},
 	},
 	Metadata: "daemon.proto",
 }
--- a/client/server/lifecycle.go
+++ b/client/server/lifecycle.go
@@ -0,0 +1,77 @@
+package server
+
+import (
+	"context"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// NotifyOSLifecycle handles operating system lifecycle events by executing appropriate logic based on the request type.
+func (s *Server) NotifyOSLifecycle(callerCtx context.Context, req *proto.OSLifecycleRequest) (*proto.OSLifecycleResponse, error) {
+	switch req.GetType() {
+	case proto.OSLifecycleRequest_WAKEUP:
+		return s.handleWakeUp(callerCtx)
+	case proto.OSLifecycleRequest_SLEEP:
+		return s.handleSleep(callerCtx)
+	default:
+		log.Errorf("unknown OSLifecycleRequest type: %v", req.GetType())
+	}
+	return &proto.OSLifecycleResponse{}, nil
+}
+
+// handleWakeUp processes a wake-up event by triggering the Up command if the system was previously put to sleep.
+// It resets the sleep state and logs the process. Returns a response or an error if the Up command fails.
+func (s *Server) handleWakeUp(callerCtx context.Context) (*proto.OSLifecycleResponse, error) {
+	if !s.sleepTriggeredDown.Load() {
+		log.Info("skipping up because wasn't sleep down")
+		return &proto.OSLifecycleResponse{}, nil
+	}
+
+	// avoid other wakeup runs if sleep didn't make the computer sleep
+	s.sleepTriggeredDown.Store(false)
+
+	log.Info("running up after wake up")
+	_, err := s.Up(callerCtx, &proto.UpRequest{})
+	if err != nil {
+		log.Errorf("running up failed: %v", err)
+		return &proto.OSLifecycleResponse{}, err
+	}
+
+	log.Info("running up command executed successfully")
+	return &proto.OSLifecycleResponse{}, nil
+}
+
+// handleSleep handles the sleep event by initiating a "down" sequence if the system is in a connected or connecting state.
+func (s *Server) handleSleep(callerCtx context.Context) (*proto.OSLifecycleResponse, error) {
+	s.mutex.Lock()
+
+	state := internal.CtxGetState(s.rootCtx)
+	status, err := state.Status()
+	if err != nil {
+		s.mutex.Unlock()
+		return &proto.OSLifecycleResponse{}, err
+	}
+
+	if status != internal.StatusConnecting && status != internal.StatusConnected {
+		log.Infof("skipping setting the agent down because status is %s", status)
+		s.mutex.Unlock()
+		return &proto.OSLifecycleResponse{}, nil
+	}
+	s.mutex.Unlock()
+
+	log.Info("running down after system started sleeping")
+
+	_, err = s.Down(callerCtx, &proto.DownRequest{})
+	if err != nil {
+		log.Errorf("running down failed: %v", err)
+		return &proto.OSLifecycleResponse{}, err
+	}
+
+	s.sleepTriggeredDown.Store(true)
+
+	log.Info("running down executed successfully")
+	return &proto.OSLifecycleResponse{}, nil
+}
--- a/client/server/lifecycle_test.go
+++ b/client/server/lifecycle_test.go
@@ -0,0 +1,219 @@
+package server
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+func newTestServer() *Server {
+	ctx := internal.CtxInitState(context.Background())
+	return &Server{
+		rootCtx:        ctx,
+		statusRecorder: peer.NewRecorder(""),
+	}
+}
+
+func TestNotifyOSLifecycle_WakeUp_SkipsWhenNotSleepTriggered(t *testing.T) {
+	s := newTestServer()
+
+	// sleepTriggeredDown is false by default
+	assert.False(t, s.sleepTriggeredDown.Load())
+
+	resp, err := s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_WAKEUP,
+	})
+
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	assert.False(t, s.sleepTriggeredDown.Load(), "flag should remain false")
+}
+
+func TestNotifyOSLifecycle_Sleep_SkipsWhenStatusIdle(t *testing.T) {
+	s := newTestServer()
+
+	state := internal.CtxGetState(s.rootCtx)
+	state.Set(internal.StatusIdle)
+
+	resp, err := s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_SLEEP,
+	})
+
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	assert.False(t, s.sleepTriggeredDown.Load(), "flag should remain false when status is Idle")
+}
+
+func TestNotifyOSLifecycle_Sleep_SkipsWhenStatusNeedsLogin(t *testing.T) {
+	s := newTestServer()
+
+	state := internal.CtxGetState(s.rootCtx)
+	state.Set(internal.StatusNeedsLogin)
+
+	resp, err := s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_SLEEP,
+	})
+
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	assert.False(t, s.sleepTriggeredDown.Load(), "flag should remain false when status is NeedsLogin")
+}
+
+func TestNotifyOSLifecycle_Sleep_SetsFlag_WhenConnecting(t *testing.T) {
+	s := newTestServer()
+
+	state := internal.CtxGetState(s.rootCtx)
+	state.Set(internal.StatusConnecting)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	s.actCancel = cancel
+
+	resp, err := s.NotifyOSLifecycle(ctx, &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_SLEEP,
+	})
+
+	require.NoError(t, err)
+	assert.NotNil(t, resp, "handleSleep returns not nil response on success")
+	assert.True(t, s.sleepTriggeredDown.Load(), "flag should be set after sleep when connecting")
+}
+
+func TestNotifyOSLifecycle_Sleep_SetsFlag_WhenConnected(t *testing.T) {
+	s := newTestServer()
+
+	state := internal.CtxGetState(s.rootCtx)
+	state.Set(internal.StatusConnected)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	s.actCancel = cancel
+
+	resp, err := s.NotifyOSLifecycle(ctx, &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_SLEEP,
+	})
+
+	require.NoError(t, err)
+	assert.NotNil(t, resp, "handleSleep returns not nil response on success")
+	assert.True(t, s.sleepTriggeredDown.Load(), "flag should be set after sleep when connected")
+}
+
+func TestNotifyOSLifecycle_WakeUp_ResetsFlag(t *testing.T) {
+	s := newTestServer()
+
+	// Manually set the flag to simulate prior sleep down
+	s.sleepTriggeredDown.Store(true)
+
+	// WakeUp will try to call Up which fails without proper setup, but flag should reset first
+	_, _ = s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_WAKEUP,
+	})
+
+	assert.False(t, s.sleepTriggeredDown.Load(), "flag should be reset after WakeUp attempt")
+}
+
+func TestNotifyOSLifecycle_MultipleWakeUpCalls(t *testing.T) {
+	s := newTestServer()
+
+	// First wakeup without prior sleep - should be no-op
+	resp, err := s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_WAKEUP,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	assert.False(t, s.sleepTriggeredDown.Load())
+
+	// Simulate prior sleep
+	s.sleepTriggeredDown.Store(true)
+
+	// First wakeup after sleep - should reset flag
+	_, _ = s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_WAKEUP,
+	})
+	assert.False(t, s.sleepTriggeredDown.Load())
+
+	// Second wakeup - should be no-op
+	resp, err = s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_WAKEUP,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	assert.False(t, s.sleepTriggeredDown.Load())
+}
+
+func TestHandleWakeUp_SkipsWhenFlagFalse(t *testing.T) {
+	s := newTestServer()
+
+	resp, err := s.handleWakeUp(context.Background())
+
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+}
+
+func TestHandleWakeUp_ResetsFlagBeforeUp(t *testing.T) {
+	s := newTestServer()
+	s.sleepTriggeredDown.Store(true)
+
+	// Even if Up fails, flag should be reset
+	_, _ = s.handleWakeUp(context.Background())
+
+	assert.False(t, s.sleepTriggeredDown.Load(), "flag must be reset before calling Up")
+}
+
+func TestHandleSleep_SkipsForNonActiveStates(t *testing.T) {
+	tests := []struct {
+		name   string
+		status internal.StatusType
+	}{
+		{"Idle", internal.StatusIdle},
+		{"NeedsLogin", internal.StatusNeedsLogin},
+		{"LoginFailed", internal.StatusLoginFailed},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := newTestServer()
+			state := internal.CtxGetState(s.rootCtx)
+			state.Set(tt.status)
+
+			resp, err := s.handleSleep(context.Background())
+
+			require.NoError(t, err)
+			require.NotNil(t, resp)
+			assert.False(t, s.sleepTriggeredDown.Load())
+		})
+	}
+}
+
+func TestHandleSleep_ProceedsForActiveStates(t *testing.T) {
+	tests := []struct {
+		name   string
+		status internal.StatusType
+	}{
+		{"Connecting", internal.StatusConnecting},
+		{"Connected", internal.StatusConnected},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := newTestServer()
+			state := internal.CtxGetState(s.rootCtx)
+			state.Set(tt.status)
+
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+			s.actCancel = cancel
+
+			resp, err := s.handleSleep(ctx)
+
+			require.NoError(t, err)
+			assert.NotNil(t, resp)
+			assert.True(t, s.sleepTriggeredDown.Load())
+		})
+	}
+}
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -21,9 +21,7 @@ import (
 	gstatus "google.golang.org/grpc/status"

 	"github.com/netbirdio/netbird/client/internal/auth"
-	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	sleephandler "github.com/netbirdio/netbird/client/internal/sleep/handler"
 	"github.com/netbirdio/netbird/client/system"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -87,7 +85,8 @@ type Server struct {
 	profilesDisabled       bool
 	updateSettingsDisabled bool

-	sleepHandler *sleephandler.SleepHandler
+	// sleepTriggeredDown holds a state indicated if the sleep handler triggered the last client down
+	sleepTriggeredDown atomic.Bool

 	jwtCache *jwtCache
 }
@@ -101,7 +100,7 @@ type oauthAuthFlow struct {

 // New server instance constructor.
 func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool, updateSettingsDisabled bool) *Server {
-	s := &Server{
+	return &Server{
 		rootCtx:                ctx,
 		logFile:                logFile,
 		persistSyncResponse:    true,
@@ -111,10 +110,6 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 		updateSettingsDisabled: updateSettingsDisabled,
 		jwtCache:               newJWTCache(),
 	}
-	agent := &serverAgent{s}
-	s.sleepHandler = sleephandler.New(agent)
-
-	return s
 }

 func (s *Server) Start() error {
@@ -1317,60 +1312,6 @@ func (s *Server) WaitJWTToken(
 	}, nil
 }

-// ExposeService exposes a local port via the NetBird reverse proxy.
-func (s *Server) ExposeService(req *proto.ExposeServiceRequest, srv proto.DaemonService_ExposeServiceServer) error {
-	s.mutex.Lock()
-	if !s.clientRunning {
-		s.mutex.Unlock()
-		return gstatus.Errorf(codes.FailedPrecondition, "client is not running, run 'netbird up' first")
-	}
-	connectClient := s.connectClient
-	s.mutex.Unlock()
-
-	if connectClient == nil {
-		return gstatus.Errorf(codes.FailedPrecondition, "client not initialized")
-	}
-
-	engine := connectClient.Engine()
-	if engine == nil {
-		return gstatus.Errorf(codes.FailedPrecondition, "engine not initialized")
-	}
-
-	mgr := engine.GetExposeManager()
-	if mgr == nil {
-		return gstatus.Errorf(codes.Internal, "expose manager not available")
-	}
-
-	ctx := srv.Context()
-
-	exposeCtx, exposeCancel := context.WithTimeout(ctx, 30*time.Second)
-	defer exposeCancel()
-
-	mgmReq := expose.NewRequest(req)
-	result, err := mgr.Expose(exposeCtx, *mgmReq)
-	if err != nil {
-		return err
-	}
-
-	if err := srv.Send(&proto.ExposeServiceEvent{
-		Event: &proto.ExposeServiceEvent_Ready{
-			Ready: &proto.ExposeServiceReady{
-				ServiceName: result.ServiceName,
-				ServiceUrl:  result.ServiceURL,
-				Domain:      result.Domain,
-			},
-		},
-	}); err != nil {
-		return err
-	}
-
-	err = mgr.KeepAlive(ctx, result.Domain)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
 func isUnixRunningDesktop() bool {
 	if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" {
 		return false
--- a/client/server/sleep.go
+++ b/client/server/sleep.go
@@ -1,46 +0,0 @@
-package server
-
-import (
-	"context"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-// serverAgent adapts Server to the handler.Agent and handler.StatusChecker interfaces
-type serverAgent struct {
-	s *Server
-}
-
-func (a *serverAgent) Up(ctx context.Context) error {
-	_, err := a.s.Up(ctx, &proto.UpRequest{})
-	return err
-}
-
-func (a *serverAgent) Down(ctx context.Context) error {
-	_, err := a.s.Down(ctx, &proto.DownRequest{})
-	return err
-}
-
-func (a *serverAgent) Status() (internal.StatusType, error) {
-	return internal.CtxGetState(a.s.rootCtx).Status()
-}
-
-// NotifyOSLifecycle handles operating system lifecycle events by executing appropriate logic based on the request type.
-func (s *Server) NotifyOSLifecycle(callerCtx context.Context, req *proto.OSLifecycleRequest) (*proto.OSLifecycleResponse, error) {
-	switch req.GetType() {
-	case proto.OSLifecycleRequest_WAKEUP:
-		if err := s.sleepHandler.HandleWakeUp(callerCtx); err != nil {
-			return &proto.OSLifecycleResponse{}, err
-		}
-	case proto.OSLifecycleRequest_SLEEP:
-		if err := s.sleepHandler.HandleSleep(callerCtx); err != nil {
-			return &proto.OSLifecycleResponse{}, err
-		}
-	default:
-		log.Errorf("unknown OSLifecycleRequest type: %v", req.GetType())
-	}
-	return &proto.OSLifecycleResponse{}, nil
-}
--- a/client/ssh/client/client.go
+++ b/client/ssh/client/client.go
@@ -19,7 +19,6 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"

-	"github.com/netbirdio/netbird/client/internal/daemonaddr"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
@@ -269,7 +268,7 @@ func getDefaultDaemonAddr() string {
 	if runtime.GOOS == "windows" {
 		return DefaultDaemonAddrWindows
 	}
-	return daemonaddr.ResolveUnixDaemonAddr(DefaultDaemonAddr)
+	return DefaultDaemonAddr
 }

 // DialOptions contains options for SSH connections
--- a/client/uiwails/.gitignore
+++ b/client/uiwails/.gitignore
@@ -1,4 +0,0 @@
-frontend/node_modules/
-frontend/dist/
-bin/
-.task/
--- a/client/uiwails/Taskfile.yml
+++ b/client/uiwails/Taskfile.yml
@@ -1,33 +0,0 @@
-version: '3'
-
-includes:
-  common: ./build/Taskfile.yml
-  linux: ./build/linux/Taskfile.yml
-  darwin: ./build/darwin/Taskfile.yml
-  windows: ./build/windows/Taskfile.yml
-
-vars:
-  APP_NAME: "netbird-ui"
-  BIN_DIR: "bin"
-  VITE_PORT: '{{.WAILS_VITE_PORT | default 9245}}'
-
-tasks:
-  build:
-    summary: Builds the application
-    cmds:
-      - task: "{{OS}}:build"
-
-  package:
-    summary: Packages a production build of the application
-    cmds:
-      - task: "{{OS}}:package"
-
-  run:
-    summary: Runs the application
-    cmds:
-      - task: "{{OS}}:run"
-
-  dev:
-    summary: Runs the application in development mode
-    cmds:
-      - wails3 dev -config ./build/config.yml -port {{.VITE_PORT}}
--- a/client/uiwails/assets/connected.png
+++ b/client/uiwails/assets/connected.png
--- a/client/uiwails/assets/disconnected.png
+++ b/client/uiwails/assets/disconnected.png
--- a/client/uiwails/assets/netbird-disconnected.ico
+++ b/client/uiwails/assets/netbird-disconnected.ico
--- a/client/uiwails/assets/netbird-disconnected.png
+++ b/client/uiwails/assets/netbird-disconnected.png
--- a/client/uiwails/assets/netbird-systemtray-connected-dark.ico
+++ b/client/uiwails/assets/netbird-systemtray-connected-dark.ico
--- a/client/uiwails/assets/netbird-systemtray-connected-dark.png
+++ b/client/uiwails/assets/netbird-systemtray-connected-dark.png
--- a/client/uiwails/assets/netbird-systemtray-connected-macos.png
+++ b/client/uiwails/assets/netbird-systemtray-connected-macos.png
--- a/client/uiwails/assets/netbird-systemtray-connected.ico
+++ b/client/uiwails/assets/netbird-systemtray-connected.ico
--- a/client/uiwails/assets/netbird-systemtray-connected.png
+++ b/client/uiwails/assets/netbird-systemtray-connected.png
--- a/client/uiwails/assets/netbird-systemtray-connecting-dark.ico
+++ b/client/uiwails/assets/netbird-systemtray-connecting-dark.ico
--- a/client/uiwails/assets/netbird-systemtray-connecting-dark.png
+++ b/client/uiwails/assets/netbird-systemtray-connecting-dark.png
--- a/client/uiwails/assets/netbird-systemtray-connecting-macos.png
+++ b/client/uiwails/assets/netbird-systemtray-connecting-macos.png
--- a/client/uiwails/assets/netbird-systemtray-connecting.ico
+++ b/client/uiwails/assets/netbird-systemtray-connecting.ico
--- a/client/uiwails/assets/netbird-systemtray-connecting.png
+++ b/client/uiwails/assets/netbird-systemtray-connecting.png
--- a/client/uiwails/assets/netbird-systemtray-disconnected-macos.png
+++ b/client/uiwails/assets/netbird-systemtray-disconnected-macos.png
--- a/client/uiwails/assets/netbird-systemtray-disconnected.ico
+++ b/client/uiwails/assets/netbird-systemtray-disconnected.ico
--- a/client/uiwails/assets/netbird-systemtray-disconnected.png
+++ b/client/uiwails/assets/netbird-systemtray-disconnected.png
--- a/client/uiwails/assets/netbird-systemtray-error-dark.ico
+++ b/client/uiwails/assets/netbird-systemtray-error-dark.ico
--- a/client/uiwails/assets/netbird-systemtray-error-dark.png
+++ b/client/uiwails/assets/netbird-systemtray-error-dark.png
--- a/client/uiwails/assets/netbird-systemtray-error-macos.png
+++ b/client/uiwails/assets/netbird-systemtray-error-macos.png
--- a/client/uiwails/assets/netbird-systemtray-error.ico
+++ b/client/uiwails/assets/netbird-systemtray-error.ico
--- a/client/uiwails/assets/netbird-systemtray-error.png
+++ b/client/uiwails/assets/netbird-systemtray-error.png
--- a/client/uiwails/assets/netbird-systemtray-update-connected-dark.ico
+++ b/client/uiwails/assets/netbird-systemtray-update-connected-dark.ico
--- a/client/uiwails/assets/netbird-systemtray-update-connected-dark.png
+++ b/client/uiwails/assets/netbird-systemtray-update-connected-dark.png
--- a/client/uiwails/assets/netbird-systemtray-update-connected-macos.png
+++ b/client/uiwails/assets/netbird-systemtray-update-connected-macos.png
--- a/client/uiwails/assets/netbird-systemtray-update-connected.ico
+++ b/client/uiwails/assets/netbird-systemtray-update-connected.ico
--- a/client/uiwails/assets/netbird-systemtray-update-connected.png
+++ b/client/uiwails/assets/netbird-systemtray-update-connected.png
--- a/client/uiwails/assets/netbird-systemtray-update-disconnected-dark.ico
+++ b/client/uiwails/assets/netbird-systemtray-update-disconnected-dark.ico
--- a/client/uiwails/assets/netbird-systemtray-update-disconnected-dark.png
+++ b/client/uiwails/assets/netbird-systemtray-update-disconnected-dark.png
--- a/client/uiwails/assets/netbird-systemtray-update-disconnected-macos.png
+++ b/client/uiwails/assets/netbird-systemtray-update-disconnected-macos.png
--- a/client/uiwails/assets/netbird-systemtray-update-disconnected.ico
+++ b/client/uiwails/assets/netbird-systemtray-update-disconnected.ico
--- a/client/uiwails/assets/netbird-systemtray-update-disconnected.png
+++ b/client/uiwails/assets/netbird-systemtray-update-disconnected.png
--- a/client/uiwails/assets/netbird.ico
+++ b/client/uiwails/assets/netbird.ico
--- a/client/uiwails/assets/netbird.png
+++ b/client/uiwails/assets/netbird.png
--- a/client/uiwails/build/Taskfile.yml
+++ b/client/uiwails/build/Taskfile.yml
@@ -1,61 +0,0 @@
-version: '3'
-
-tasks:
-  go:mod:tidy:
-    summary: Runs `go mod tidy`
-    internal: true
-    cmds:
-      - go mod tidy
-
-  install:frontend:deps:
-    summary: Install frontend dependencies
-    dir: frontend
-    sources:
-      - package.json
-      - package-lock.json
-    generates:
-      - node_modules
-    preconditions:
-      - sh: npm version
-        msg: "Looks like npm isn't installed. Npm is part of the Node installer: https://nodejs.org/en/download/"
-    cmds:
-      - npm install
-
-  build:frontend:
-    label: build:frontend (DEV={{.DEV}})
-    summary: Build the frontend project
-    dir: frontend
-    sources:
-      - "**/*"
-      - exclude: node_modules/**/*
-    generates:
-      - dist/**/*
-    deps:
-      - task: install:frontend:deps
-    cmds:
-      - npm run {{.BUILD_COMMAND}} -q
-    env:
-      PRODUCTION: '{{if eq .DEV "true"}}false{{else}}true{{end}}'
-    vars:
-      BUILD_COMMAND: '{{if eq .DEV "true"}}build:dev{{else}}build{{end}}'
-
-  generate:icons:
-    summary: Generates Windows `.ico` and Mac `.icns` from an image
-    dir: build
-    sources:
-      - "appicon.png"
-    generates:
-      - "icons.icns"
-      - "icon.ico"
-    cmds:
-      - echo "Icon generation skipped (no appicon.png)"
-    status:
-      - test ! -f appicon.png
-
-  dev:frontend:
-    summary: Runs the frontend in development mode
-    dir: frontend
-    deps:
-      - task: install:frontend:deps
-    cmds:
-      - npm run dev -- --port {{.VITE_PORT}} --strictPort
--- a/client/uiwails/build/build-ui-linux.sh
+++ b/client/uiwails/build/build-ui-linux.sh
@@ -1,24 +0,0 @@
-#!/bin/bash
-# Build script for NetBird Wails v3 on Linux
-set -e
-
-echo "Installing system dependencies for Wails v3 on Linux..."
-sudo apt-get update
-sudo apt-get install -y \
-  libayatana-appindicator3-dev \
-  gcc \
-  libgtk-3-dev \
-  libwebkit2gtk-4.1-dev \
-  libglib2.0-dev \
-  libsoup-3.0-dev \
-  libx11-dev \
-  npm
-
-echo "Installing wails3 CLI..."
-go install github.com/wailsapp/wails/v3/cmd/wails3@v3.0.0-alpha.72
-
-echo "Building fancyui..."
-cd "$(dirname "$0")/.."
-wails3 build
-
-echo "Build complete."
--- a/client/uiwails/build/darwin/Taskfile.yml
+++ b/client/uiwails/build/darwin/Taskfile.yml
@@ -1,35 +0,0 @@
-version: '3'
-
-includes:
-  common: ../Taskfile.yml
-
-tasks:
-  build:
-    summary: Builds the application for macOS
-    cmds:
-      - task: build:native
-        vars:
-          DEV: '{{.DEV}}'
-          OUTPUT: '{{.OUTPUT}}'
-
-  build:native:
-    summary: Builds the application natively on macOS
-    internal: true
-    deps:
-      - task: common:build:frontend
-        vars:
-          DEV:
-            ref: .DEV
-    cmds:
-      - go build {{.BUILD_FLAGS}} -o {{.OUTPUT}}
-    vars:
-      BUILD_FLAGS: '{{if eq .DEV "true"}}-buildvcs=false -gcflags=all="-l"{{else}}-tags production -trimpath -buildvcs=false -ldflags="-w -s"{{end}}'
-      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
-      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
-    env:
-      GOOS: darwin
-      CGO_ENABLED: 1
-
-  run:
-    cmds:
-      - '{{.BIN_DIR}}/{{.APP_NAME}}'
--- a/client/uiwails/build/linux/Taskfile.yml
+++ b/client/uiwails/build/linux/Taskfile.yml
@@ -1,35 +0,0 @@
-version: '3'
-
-includes:
-  common: ../Taskfile.yml
-
-tasks:
-  build:
-    summary: Builds the application for Linux
-    cmds:
-      - task: build:native
-        vars:
-          DEV: '{{.DEV}}'
-          OUTPUT: '{{.OUTPUT}}'
-
-  build:native:
-    summary: Builds the application natively on Linux
-    internal: true
-    deps:
-      - task: common:build:frontend
-        vars:
-          DEV:
-            ref: .DEV
-    cmds:
-      - go build {{.BUILD_FLAGS}} -o {{.OUTPUT}}
-    vars:
-      BUILD_FLAGS: '{{if eq .DEV "true"}}-buildvcs=false -gcflags=all="-l"{{else}}-tags production -trimpath -buildvcs=false -ldflags="-w -s"{{end}}'
-      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
-      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
-    env:
-      GOOS: linux
-      CGO_ENABLED: 1
-
-  run:
-    cmds:
-      - '{{.BIN_DIR}}/{{.APP_NAME}}'
--- a/client/uiwails/build/windows/Taskfile.yml
+++ b/client/uiwails/build/windows/Taskfile.yml
@@ -1,41 +0,0 @@
-version: '3'
-
-includes:
-  common: ../Taskfile.yml
-
-tasks:
-  build:
-    summary: Cross-compiles the application for Windows from Linux using mingw-w64
-    cmds:
-      - task: build:cross
-        vars:
-          DEV: '{{.DEV}}'
-          OUTPUT: '{{.OUTPUT}}'
-
-  build:cross:
-    summary: Cross-compiles for Windows with mingw-w64
-    internal: true
-    deps:
-      - task: common:build:frontend
-        vars:
-          DEV:
-            ref: .DEV
-    preconditions:
-      - sh: command -v {{.CC}}
-        msg: "{{.CC}} not found. Install with: sudo apt-get install gcc-mingw-w64-x86-64"
-    cmds:
-      - go build {{.BUILD_FLAGS}} -o {{.OUTPUT}}
-    vars:
-      BUILD_FLAGS: '{{if eq .DEV "true"}}-buildvcs=false -gcflags=all="-l" -ldflags="-H=windowsgui"{{else}}-tags production -trimpath -buildvcs=false -ldflags="-w -s -H=windowsgui"{{end}}'
-      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}.exe'
-      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
-      CC: '{{.CC | default "x86_64-w64-mingw32-gcc"}}'
-    env:
-      GOOS: windows
-      GOARCH: amd64
-      CGO_ENABLED: 1
-      CC: '{{.CC}}'
-
-  run:
-    cmds:
-      - '{{.BIN_DIR}}/{{.APP_NAME}}.exe'
--- a/client/uiwails/event/event.go
+++ b/client/uiwails/event/event.go
@@ -1,217 +0,0 @@
-//go:build !(linux && 386)
-
-package event
-
-import (
-	"context"
-	"fmt"
-	"slices"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/cenkalti/backoff/v4"
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials/insecure"
-
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/version"
-)
-
-// NotifyFunc is a callback used to send desktop notifications.
-type NotifyFunc func(title, body string)
-
-// Handler is a callback invoked for each received daemon event.
-type Handler func(*proto.SystemEvent)
-
-// Manager subscribes to daemon events and dispatches them.
-type Manager struct {
-	addr   string
-	notify NotifyFunc
-
-	mu       sync.Mutex
-	ctx      context.Context
-	cancel   context.CancelFunc
-	enabled  bool
-	handlers []Handler
-
-	connMu sync.Mutex
-	conn   *grpc.ClientConn
-	client proto.DaemonServiceClient
-}
-
-// NewManager creates a new event Manager.
-func NewManager(addr string, notify NotifyFunc) *Manager {
-	return &Manager{
-		addr:   addr,
-		notify: notify,
-	}
-}
-
-// Start begins event streaming with exponential backoff reconnection.
-func (m *Manager) Start(ctx context.Context) {
-	m.mu.Lock()
-	m.ctx, m.cancel = context.WithCancel(ctx)
-	m.mu.Unlock()
-
-	expBackOff := backoff.WithContext(&backoff.ExponentialBackOff{
-		InitialInterval:     time.Second,
-		RandomizationFactor: backoff.DefaultRandomizationFactor,
-		Multiplier:          backoff.DefaultMultiplier,
-		MaxInterval:         10 * time.Second,
-		MaxElapsedTime:      0,
-		Stop:                backoff.Stop,
-		Clock:               backoff.SystemClock,
-	}, ctx)
-
-	if err := backoff.Retry(m.streamEvents, expBackOff); err != nil {
-		log.Errorf("event stream ended: %v", err)
-	}
-}
-
-func (m *Manager) streamEvents() error {
-	m.mu.Lock()
-	ctx := m.ctx
-	m.mu.Unlock()
-
-	client, err := m.getClient()
-	if err != nil {
-		return fmt.Errorf("create client: %w", err)
-	}
-
-	stream, err := client.SubscribeEvents(ctx, &proto.SubscribeRequest{})
-	if err != nil {
-		return fmt.Errorf("subscribe events: %w", err)
-	}
-
-	log.Info("subscribed to daemon events")
-	defer log.Info("unsubscribed from daemon events")
-
-	for {
-		event, err := stream.Recv()
-		if err != nil {
-			return fmt.Errorf("receive event: %w", err)
-		}
-		m.handleEvent(event)
-	}
-}
-
-// Stop cancels the event stream and closes the connection.
-func (m *Manager) Stop() {
-	m.mu.Lock()
-	if m.cancel != nil {
-		m.cancel()
-	}
-	m.mu.Unlock()
-
-	m.connMu.Lock()
-	if m.conn != nil {
-		m.conn.Close()
-		m.conn = nil
-		m.client = nil
-	}
-	m.connMu.Unlock()
-}
-
-// SetNotificationsEnabled enables or disables desktop notifications.
-func (m *Manager) SetNotificationsEnabled(enabled bool) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.enabled = enabled
-}
-
-// AddHandler registers an event handler.
-func (m *Manager) AddHandler(h Handler) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.handlers = append(m.handlers, h)
-}
-
-func (m *Manager) handleEvent(event *proto.SystemEvent) {
-	m.mu.Lock()
-	enabled := m.enabled
-	handlers := slices.Clone(m.handlers)
-	m.mu.Unlock()
-
-	// Critical events are always shown.
-	if !enabled && event.Severity != proto.SystemEvent_CRITICAL {
-		goto dispatch
-	}
-
-	if event.UserMessage != "" && m.notify != nil {
-		title := getEventTitle(event)
-		body := event.UserMessage
-		if id := event.Metadata["id"]; id != "" {
-			body += fmt.Sprintf(" ID: %s", id)
-		}
-		m.notify(title, body)
-	}
-
-dispatch:
-	for _, h := range handlers {
-		go h(event)
-	}
-}
-
-func getEventTitle(event *proto.SystemEvent) string {
-	var prefix string
-	switch event.Severity {
-	case proto.SystemEvent_CRITICAL:
-		prefix = "Critical"
-	case proto.SystemEvent_ERROR:
-		prefix = "Error"
-	case proto.SystemEvent_WARNING:
-		prefix = "Warning"
-	default:
-		prefix = "Info"
-	}
-
-	var category string
-	switch event.Category {
-	case proto.SystemEvent_DNS:
-		category = "DNS"
-	case proto.SystemEvent_NETWORK:
-		category = "Network"
-	case proto.SystemEvent_AUTHENTICATION:
-		category = "Authentication"
-	case proto.SystemEvent_CONNECTIVITY:
-		category = "Connectivity"
-	default:
-		category = "System"
-	}
-
-	return fmt.Sprintf("%s: %s", prefix, category)
-}
-
-// getClient returns a cached gRPC client, creating the connection on first use.
-func (m *Manager) getClient() (proto.DaemonServiceClient, error) {
-	m.connMu.Lock()
-	defer m.connMu.Unlock()
-
-	if m.client != nil {
-		return m.client, nil
-	}
-
-	target := m.addr
-	if strings.HasPrefix(target, "tcp://") {
-		target = strings.TrimPrefix(target, "tcp://")
-	} else if strings.HasPrefix(target, "unix://") {
-		target = "unix:" + strings.TrimPrefix(target, "unix://")
-	}
-
-	conn, err := grpc.NewClient(
-		target,
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
-		grpc.WithUserAgent("netbird-fancyui/"+version.NetbirdVersion()),
-	)
-	if err != nil {
-		return nil, err
-	}
-
-	m.conn = conn
-	m.client = proto.NewDaemonServiceClient(conn)
-	log.Debugf("event manager: gRPC connection established to %s", m.addr)
-
-	return m.client, nil
-}
--- a/client/uiwails/frontend/index.html
+++ b/client/uiwails/frontend/index.html
@@ -1,13 +0,0 @@
-<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="UTF-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="color-scheme" content="light dark" />
-    <title>NetBird</title>
-  </head>
-  <body>
-    <div id="root"></div>
-    <script type="module" src="/src/main.tsx"></script>
-  </body>
-</html>
--- a/client/uiwails/frontend/package-lock.json
+++ b/client/uiwails/frontend/package-lock.json
--- a/client/uiwails/frontend/package.json
+++ b/client/uiwails/frontend/package.json
@@ -1,26 +0,0 @@
-{
-  "name": "netbird-fancyui",
-  "private": true,
-  "version": "0.0.0",
-  "type": "module",
-  "scripts": {
-    "dev": "vite",
-    "build": "tsc && vite build",
-    "preview": "vite preview"
-  },
-  "dependencies": {
-    "@wailsio/runtime": "latest",
-    "react": "^18.3.1",
-    "react-dom": "^18.3.1",
-    "react-router-dom": "^6.28.0"
-  },
-  "devDependencies": {
-    "@tailwindcss/vite": "^4.0.6",
-    "@types/react": "^18.3.12",
-    "@types/react-dom": "^18.3.1",
-    "@vitejs/plugin-react": "^4.3.4",
-    "tailwindcss": "^4.0.6",
-    "typescript": "^5.6.3",
-    "vite": "^6.0.5"
-  }
-}
--- a/client/uiwails/frontend/src/App.tsx
+++ b/client/uiwails/frontend/src/App.tsx
@@ -1,59 +0,0 @@
-import { HashRouter, Routes, Route, useNavigate } from 'react-router-dom'
-import { useEffect } from 'react'
-import { Events } from '@wailsio/runtime'
-import Status from './pages/Status'
-import Settings from './pages/Settings'
-import Networks from './pages/Networks'
-import Profiles from './pages/Profiles'
-import Peers from './pages/Peers'
-import Debug from './pages/Debug'
-import Update from './pages/Update'
-import NavBar from './components/NavBar'
-
-/**
- * Navigator listens for the "navigate" event emitted by the Go backend
- * and programmatically navigates the React router.
- */
-function Navigator() {
-  const navigate = useNavigate()
-
-  useEffect(() => {
-    const unsub = Events.On('navigate', (event: { data: string[] }) => {
-      const path = event.data[0]
-      if (path) navigate(path)
-    })
-    return () => {
-      if (typeof unsub === 'function') unsub()
-    }
-  }, [navigate])
-
-  return null
-}
-
-export default function App() {
-  return (
-    <HashRouter>
-      <Navigator />
-      <div
-        className="min-h-screen flex"
-        style={{
-          backgroundColor: 'var(--color-bg-primary)',
-          color: 'var(--color-text-primary)',
-        }}
-      >
-        <NavBar />
-        <main className="flex-1 px-10 py-8 overflow-y-auto h-screen">
-          <Routes>
-            <Route path="/" element={<Status />} />
-            <Route path="/settings" element={<Settings />} />
-            <Route path="/peers" element={<Peers />} />
-            <Route path="/networks" element={<Networks />} />
-            <Route path="/profiles" element={<Profiles />} />
-            <Route path="/debug" element={<Debug />} />
-            <Route path="/update" element={<Update />} />
-          </Routes>
-        </main>
-      </div>
-    </HashRouter>
-  )
-}
--- a/client/uiwails/frontend/src/bindings.ts
+++ b/client/uiwails/frontend/src/bindings.ts
@@ -1,126 +0,0 @@
-/**
- * Type definitions for the auto-generated Wails v3 service bindings.
- * Run `wails3 generate bindings` to regenerate the actual TypeScript bindings
- * from the Go service methods. These types mirror the Go structs.
- *
- * The actual binding files will be generated into frontend/bindings/ by the
- * Wails CLI. This file serves as a centralized re-export and type reference.
- */
-
-// ---- Connection service ----
-
-export interface StatusInfo {
-  status: string
-  ip: string
-  publicKey: string
-  fqdn: string
-  connectedPeers: number
-}
-
-// ---- Settings service ----
-
-export interface ConfigInfo {
-  managementUrl: string
-  adminUrl: string
-  preSharedKey: string
-  interfaceName: string
-  wireguardPort: number
-  disableAutoConnect: boolean
-  serverSshAllowed: boolean
-  rosenpassEnabled: boolean
-  rosenpassPermissive: boolean
-  lazyConnectionEnabled: boolean
-  blockInbound: boolean
-  disableNotifications: boolean
-}
-
-// ---- Network service ----
-
-export interface NetworkInfo {
-  id: string
-  range: string
-  domains: string[]
-  selected: boolean
-  resolvedIPs: Record<string, string[]>
-}
-
-// ---- Profile service ----
-
-export interface ProfileInfo {
-  name: string
-  isActive: boolean
-}
-
-export interface ActiveProfileInfo {
-  profileName: string
-  username: string
-  email: string
-}
-
-// ---- Debug service ----
-
-export interface DebugBundleParams {
-  anonymize: boolean
-  systemInfo: boolean
-  upload: boolean
-  uploadUrl: string
-  runDurationMins: number
-  enablePersistence: boolean
-}
-
-export interface DebugBundleResult {
-  localPath: string
-  uploadedKey: string
-  uploadFailureReason: string
-}
-
-// ---- Peers service ----
-
-export interface PeerInfo {
-  ip: string
-  pubKey: string
-  fqdn: string
-  connStatus: string
-  connStatusUpdate: string
-  relayed: boolean
-  relayAddress: string
-  latencyMs: number
-  bytesRx: number
-  bytesTx: number
-  rosenpassEnabled: boolean
-  networks: string[]
-  lastHandshake: string
-  localIceType: string
-  remoteIceType: string
-  localEndpoint: string
-  remoteEndpoint: string
-}
-
-// ---- Update service ----
-
-export interface InstallerResult {
-  success: boolean
-  errorMsg: string
-}
-
-/**
- * Wails v3 service call helper.
- * After running `wails3 generate bindings`, use the generated functions directly.
- * This helper wraps window.__wails.call for manual use during development.
- */
-export async function call<T>(service: string, method: string, ...args: unknown[]): Promise<T> {
-  // This will be replaced by generated bindings after `wails3 generate bindings`
-  // For now, call via the Wails runtime bridge
-  const w = window as typeof window & {
-    go?: {
-      [svc: string]: {
-        [method: string]: (...args: unknown[]) => Promise<T>
-      }
-    }
-  }
-  const svc = w.go?.[service]
-  if (!svc) throw new Error(`Service ${service} not found. Run wails3 generate bindings.`)
-  const fn = svc[method]
-  if (!fn) throw new Error(`Method ${service}.${method} not found.`)
-  return fn(...args)
-}
--- a/Show More
+++ b/Show More