Fix key reload

.github/workflows/golang-test-linux.yml

@@ -217,7 +217,7 @@ jobs:
           - arch: "386"
             raceFlag: ""
           - arch: "amd64"
-            raceFlag: "-race"
+            raceFlag: ""
     runs-on: ubuntu-22.04
     steps:
       - name: Install Go

.github/workflows/golangci-lint.yml

@@ -19,7 +19,7 @@ jobs:
       - name: codespell
         uses: codespell-project/actions-codespell@v2
         with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe
           skip: go.mod,go.sum
   golangci:
     strategy:

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.0.23"
+  SIGN_PIPE_VER: "v0.0.22"
   GORELEASER_VER: "v2.3.2"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"

.github/workflows/wasm-build-validation.yml

@@ -1,67 +0,0 @@
-name: Wasm
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
-jobs:
-  js_lint:
-    name: "JS / Lint"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
-      - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc
-        with:
-          version: latest
-          install-mode: binary
-          skip-cache: true
-          skip-pkg-cache: true
-          skip-build-cache: true
-      - name: Run golangci-lint for WASM
-        run: |
-          GOOS=js GOARCH=wasm golangci-lint run --timeout=12m --out-format colored-line-number ./client/...
-        continue-on-error: true
-
-  js_build:
-    name: "JS / Build"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-      - name: Build Wasm client
-        run: GOOS=js GOARCH=wasm go build -o netbird.wasm ./client/wasm/cmd
-        env:
-          CGO_ENABLED: 0
-      - name: Check Wasm build size
-        run: |
-          echo "Wasm build size:"
-          ls -lh netbird.wasm
-
-          SIZE=$(stat -c%s netbird.wasm)
-          SIZE_MB=$((SIZE / 1024 / 1024))
-
-          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"
-
-          if [ ${SIZE} -gt 52428800 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 50MB limit!"
-            exit 1
-          fi
-

.gitignore

@@ -31,4 +31,3 @@ infrastructure_files/setup-*.env
 .DS_Store
 vendor/
 /netbird
-client/ui/ui

.goreleaser.yaml

@@ -2,18 +2,6 @@ version: 2
 
 project_name: netbird
 builds:
-  - id: netbird-wasm
-    dir: client/wasm/cmd
-    binary: netbird
-    env: [GOOS=js, GOARCH=wasm, CGO_ENABLED=0]
-    goos:
-      - js
-    goarch:
-      - wasm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
   - id: netbird
     dir: client
     binary: netbird
@@ -127,11 +115,6 @@ archives:
   - builds:
       - netbird
       - netbird-static
-  - id: netbird-wasm
-    builds:
-      - netbird-wasm
-    name_template: "{{ .ProjectName }}_{{ .Version }}"
-    format: binary
 
 nfpms:
   - maintainer: Netbird <dev@netbird.io>

README.md

@@ -1,4 +1,3 @@
-
 <div align="center">
 <br/>
   <br/>
@@ -53,7 +52,7 @@
 
 ### Open Source Network Security in a Single Platform
 
-https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2
+<img width="1188" alt="centralized-network-management 1" src="https://github.com/user-attachments/assets/c28cc8e4-15d2-4d2f-bb97-a6433db39d56" />
 
 ### NetBird on Lawrence Systems (Video)
 [![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)

client/Dockerfile

@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest
 
-FROM alpine:3.22.2
+FROM alpine:3.22.0
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
     bash \
@@ -18,7 +18,7 @@ ENV \
     NB_LOG_FILE="console,/var/log/netbird/client.log" \
     NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
-    NB_ENTRYPOINT_LOGIN_TIMEOUT="5"
+    NB_ENTRYPOINT_LOGIN_TIMEOUT="1"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
 

client/android/client.go

@@ -4,7 +4,6 @@ package android
 
 import (
 	"context"
-	"os"
 	"slices"
 	"sync"
 
@@ -19,7 +18,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/client/net"
+	"github.com/netbirdio/netbird/util/net"
 )
 
 // ConnectionListener export internal Listener for mobile
@@ -84,8 +83,7 @@ func NewClient(cfgFile string, androidSDKVersion int, deviceName string, uiVersi
 }
 
 // Run start the internal client. It is a blocker function
-func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsReadyListener, envList *EnvList) error {
-	exportEnvList(envList)
+func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsReadyListener) error {
 	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath: c.cfgFile,
 	})
@@ -120,8 +118,7 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
 // In this case make no sense handle registration steps.
-func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener, envList *EnvList) error {
-	exportEnvList(envList)
+func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener) error {
 	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath: c.cfgFile,
 	})
@@ -252,14 +249,3 @@ func (c *Client) SetConnectionListener(listener ConnectionListener) {
 func (c *Client) RemoveConnectionListener() {
 	c.recorder.RemoveConnectionListener()
 }
-
-func exportEnvList(list *EnvList) {
-	if list == nil {
-		return
-	}
-	for k, v := range list.AllItems() {
-		if err := os.Setenv(k, v); err != nil {
-			log.Errorf("could not set env variable %s: %v", k, err)
-		}
-	}
-}

client/android/env_list.go

@@ -1,32 +0,0 @@
-package android
-
-import "github.com/netbirdio/netbird/client/internal/peer"
-
-var (
-	// EnvKeyNBForceRelay Exported for Android java client
-	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
-)
-
-// EnvList wraps a Go map for export to Java
-type EnvList struct {
-	data map[string]string
-}
-
-// NewEnvList creates a new EnvList
-func NewEnvList() *EnvList {
-	return &EnvList{data: make(map[string]string)}
-}
-
-// Put adds a key-value pair
-func (el *EnvList) Put(key, value string) {
-	el.data[key] = value
-}
-
-// Get retrieves a value by key
-func (el *EnvList) Get(key string) string {
-	return el.data[key]
-}
-
-func (el *EnvList) AllItems() map[string]string {
-	return el.data
-}

client/android/login.go

@@ -33,7 +33,6 @@ type ErrListener interface {
 // the backend want to show an url for the user
 type URLOpener interface {
 	Open(string)
-	OnLoginSuccess()
 }
 
 // Auth can register or login new client
@@ -182,11 +181,6 @@ func (a *Auth) login(urlOpener URLOpener) error {
 
 	err = a.withBackOff(a.ctx, func() error {
 		err := internal.Login(a.ctx, a.config, "", jwtToken)
-
-		if err == nil {
-			go urlOpener.OnLoginSuccess()
-		}
-
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
 			return nil
 		}

client/cmd/debug_js.go

@@ -1,8 +0,0 @@
-package cmd
-
-import "context"
-
-// SetupDebugHandler is a no-op for WASM
-func SetupDebugHandler(context.Context, interface{}, interface{}, interface{}, string) {
-	// Debug handler not needed for WASM
-}

client/cmd/down.go

@@ -27,7 +27,7 @@ var downCmd = &cobra.Command{
 			return err
 		}
 
-		ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*7)
 		defer cancel()
 
 		conn, err := DialClientGRPCServer(ctx, daemonAddr)

client/cmd/login.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"os/exec"
 	"os/user"
 	"runtime"
 	"strings"
@@ -228,7 +227,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 	}
 
 	// update host's static platform and system information
-	system.UpdateStaticInfoAsync()
+	system.UpdateStaticInfo()
 
 	configFilePath, err := activeProf.FilePath()
 	if err != nil {
@@ -357,21 +356,13 @@ func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBro
 	cmd.Println("")
 
 	if !noBrowser {
-		if err := openBrowser(verificationURIComplete); err != nil {
+		if err := open.Run(verificationURIComplete); err != nil {
 			cmd.Println("\nAlternatively, you may want to use a setup key, see:\n\n" +
 				"https://docs.netbird.io/how-to/register-machines-using-setup-keys")
 		}
 	}
 }
 
-// openBrowser opens the URL in a browser, respecting the BROWSER environment variable.
-func openBrowser(url string) error {
-	if browser := os.Getenv("BROWSER"); browser != "" {
-		return exec.Command(browser, url).Start()
-	}
-	return open.Run(url)
-}
-
 // isUnixRunningDesktop checks if a Linux OS is running desktop environment
 func isUnixRunningDesktop() bool {
 	if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" {

client/cmd/root.go

@@ -231,7 +231,7 @@ func FlagNameToEnvVar(cmdFlag string, prefix string) string {
 
 // DialClientGRPCServer returns client connection to the daemon server.
 func DialClientGRPCServer(ctx context.Context, addr string) (*grpc.ClientConn, error) {
-	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
+	ctx, cancel := context.WithTimeout(ctx, time.Second*3)
 	defer cancel()
 
 	return grpc.DialContext(

client/cmd/service_controller.go

@@ -27,7 +27,7 @@ func (p *program) Start(svc service.Service) error {
 	log.Info("starting NetBird service") //nolint
 
 	// Collect static system and platform information
-	system.UpdateStaticInfoAsync()
+	system.UpdateStaticInfo()
 
 	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
 	p.serv = grpc.NewServer()

client/cmd/testutil_test.go

@@ -12,7 +12,6 @@ import (
 	"google.golang.org/grpc"
 
 	"github.com/netbirdio/management-integrations/integrations"
-
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	"github.com/netbirdio/netbird/management/internals/server/config"
@@ -21,7 +20,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/peers"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -95,9 +93,8 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
 	peersmanager := peers.NewManager(store, permissionsManagerMock)
-	settingsManagerMock := settings.NewMockManager(ctrl)
 
-	iv, _ := integrations.NewIntegratedValidator(context.Background(), peersmanager, settingsManagerMock, eventStore)
+	iv, _ := integrations.NewIntegratedValidator(context.Background(), peersmanager, eventStore)
 
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
@@ -116,7 +113,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	}
 
 	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &mgmt.MockIntegratedValidator{})
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &mgmt.MockIntegratedValidator{})
 	if err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -230,9 +230,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager
 
 	client := proto.NewDaemonServiceClient(conn)
 
-	status, err := client.Status(ctx, &proto.StatusRequest{
-		WaitForReady: func() *bool { b := true; return &b }(),
-	})
+	status, err := client.Status(ctx, &proto.StatusRequest{})
 	if err != nil {
 		return fmt.Errorf("unable to get daemon status: %v", err)
 	}

client/embed/embed.go

@@ -23,29 +23,23 @@ import (
 
 var ErrClientAlreadyStarted = errors.New("client already started")
 var ErrClientNotStarted = errors.New("client not started")
-var ErrConfigNotInitialized = errors.New("config not initialized")
 
-// Client manages a netbird embedded client instance.
+// Client manages a netbird embedded client instance
 type Client struct {
 	deviceName string
 	config     *profilemanager.Config
 	mu         sync.Mutex
 	cancel     context.CancelFunc
 	setupKey   string
-	jwtToken   string
 	connect    *internal.ConnectClient
 }
 
-// Options configures a new Client.
+// Options configures a new Client
 type Options struct {
 	// DeviceName is this peer's name in the network
 	DeviceName string
 	// SetupKey is used for authentication
 	SetupKey string
-	// JWTToken is used for JWT-based authentication
-	JWTToken string
-	// PrivateKey is used for direct private key authentication
-	PrivateKey string
 	// ManagementURL overrides the default management server URL
 	ManagementURL string
 	// PreSharedKey is the pre-shared key for the WireGuard interface
@@ -64,35 +58,8 @@ type Options struct {
 	DisableClientRoutes bool
 }
 
-// validateCredentials checks that exactly one credential type is provided
-func (opts *Options) validateCredentials() error {
-	credentialsProvided := 0
-	if opts.SetupKey != "" {
-		credentialsProvided++
-	}
-	if opts.JWTToken != "" {
-		credentialsProvided++
-	}
-	if opts.PrivateKey != "" {
-		credentialsProvided++
-	}
-
-	if credentialsProvided == 0 {
-		return fmt.Errorf("one of SetupKey, JWTToken, or PrivateKey must be provided")
-	}
-	if credentialsProvided > 1 {
-		return fmt.Errorf("only one of SetupKey, JWTToken, or PrivateKey can be specified")
-	}
-
-	return nil
-}
-
-// New creates a new netbird embedded client.
+// New creates a new netbird embedded client
 func New(opts Options) (*Client, error) {
-	if err := opts.validateCredentials(); err != nil {
-		return nil, err
-	}
-
 	if opts.LogOutput != nil {
 		logrus.SetOutput(opts.LogOutput)
 	}
@@ -140,14 +107,9 @@ func New(opts Options) (*Client, error) {
 		return nil, fmt.Errorf("create config: %w", err)
 	}
 
-	if opts.PrivateKey != "" {
-		config.PrivateKey = opts.PrivateKey
-	}
-
 	return &Client{
 		deviceName: opts.DeviceName,
 		setupKey:   opts.SetupKey,
-		jwtToken:   opts.JWTToken,
 		config:     config,
 	}, nil
 }
@@ -164,7 +126,7 @@ func (c *Client) Start(startCtx context.Context) error {
 	ctx := internal.CtxInitState(context.Background())
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
-	if err := internal.Login(ctx, c.config, c.setupKey, c.jwtToken); err != nil {
+	if err := internal.Login(ctx, c.config, c.setupKey, ""); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}
 
@@ -173,7 +135,7 @@ func (c *Client) Start(startCtx context.Context) error {
 
 	// either startup error (permanent backoff err) or nil err (successful engine up)
 	// TODO: make after-startup backoff err available
-	run := make(chan struct{})
+	run := make(chan struct{}, 1)
 	clientErr := make(chan error, 1)
 	go func() {
 		if err := client.Run(run); err != nil {
@@ -225,16 +187,6 @@ func (c *Client) Stop(ctx context.Context) error {
 	}
 }
 
-// GetConfig returns a copy of the internal client config.
-func (c *Client) GetConfig() (profilemanager.Config, error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.config == nil {
-		return profilemanager.Config{}, ErrConfigNotInitialized
-	}
-	return *c.config, nil
-}
-
 // Dial dials a network address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, error) {
@@ -259,7 +211,7 @@ func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, e
 	return nsnet.DialContext(ctx, network, address)
 }
 
-// ListenTCP listens on the given address in the netbird network.
+// ListenTCP listens on the given address in the netbird network
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	nsnet, addr, err := c.getNet()
@@ -280,7 +232,7 @@ func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	return nsnet.ListenTCP(tcpAddr)
 }
 
-// ListenUDP listens on the given address in the netbird network.
+// ListenUDP listens on the given address in the netbird network
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
 	nsnet, addr, err := c.getNet()

client/firewall/iptables/acl_linux.go

@@ -12,7 +12,7 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 const (
@@ -400,6 +400,7 @@ func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port, action fi
 		return ""
 	}
 
+	// Include action in the ipset name to prevent squashing rules with different actions
 	actionSuffix := ""
 	if action == firewall.ActionDrop {
 		actionSuffix = "-drop"

client/firewall/iptables/router_linux.go

@@ -19,7 +19,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 // constants needed to manage and create iptable rules

client/firewall/iptables/router_linux_test.go

@@ -14,7 +14,7 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 func isIptablesSupported() bool {

client/firewall/nftables/acl_linux.go

@@ -16,7 +16,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 const (

client/firewall/nftables/router_linux.go

@@ -22,7 +22,7 @@ import (
 	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 const (

client/grpc/dialer_generic.go

@@ -1,44 +0,0 @@
-//go:build !js
-
-package grpc
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"os/user"
-	"runtime"
-
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc"
-
-	nbnet "github.com/netbirdio/netbird/client/net"
-)
-
-func WithCustomDialer(tlsEnabled bool, component string) grpc.DialOption {
-	return grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
-		if runtime.GOOS == "linux" {
-			currentUser, err := user.Current()
-			if err != nil {
-				return nil, status.Errorf(codes.FailedPrecondition, "failed to get current user: %v", err)
-			}
-
-			// the custom dialer requires root permissions which are not required for use cases run as non-root
-			if currentUser.Uid != "0" {
-				log.Debug("Not running as root, using standard dialer")
-				dialer := &net.Dialer{}
-				return dialer.DialContext(ctx, "tcp", addr)
-			}
-		}
-
-		conn, err := nbnet.NewDialer().DialContext(ctx, "tcp", addr)
-		if err != nil {
-			log.Errorf("Failed to dial: %s", err)
-			return nil, fmt.Errorf("nbnet.NewDialer().DialContext: %w", err)
-		}
-		return conn, nil
-	})
-}

client/grpc/dialer_js.go

@@ -1,13 +0,0 @@
-package grpc
-
-import (
-	"google.golang.org/grpc"
-
-	"github.com/netbirdio/netbird/util/wsproxy/client"
-)
-
-// WithCustomDialer returns a gRPC dial option that uses WebSocket transport for WASM/JS environments.
-// The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
-func WithCustomDialer(tlsEnabled bool, component string) grpc.DialOption {
-	return client.WithWebSocketDialer(tlsEnabled, component)
-}

client/iface/bind/control.go

@@ -3,7 +3,7 @@ package bind
 import (
 	wireguard "golang.zx2c4.com/wireguard/conn"
 
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 // TODO: This is most likely obsolete since the control fns should be called by the wrapped udpconn (ice_bind.go)

client/iface/bind/endpoint.go

@@ -1,17 +1,5 @@
 package bind
 
-import (
-	"net"
-
-	wgConn "golang.zx2c4.com/wireguard/conn"
-)
+import wgConn "golang.zx2c4.com/wireguard/conn"
 
 type Endpoint = wgConn.StdNetEndpoint
-
-func EndpointToUDPAddr(e Endpoint) *net.UDPAddr {
-	return &net.UDPAddr{
-		IP:   e.Addr().AsSlice(),
-		Port: int(e.Port()),
-		Zone: e.Addr().Zone(),
-	}
-}

client/iface/bind/error.go

@@ -1,7 +0,0 @@
-package bind
-
-import "fmt"
-
-var (
-	ErrUDPMUXNotSupported = fmt.Errorf("UDPMUX is not supported in WASM")
-)

client/iface/bind/ice_bind.go

@@ -1,9 +1,6 @@
-//go:build !js
-
 package bind
 
 import (
-	"context"
 	"encoding/binary"
 	"fmt"
 	"net"
@@ -18,11 +15,15 @@ import (
 	"golang.org/x/net/ipv6"
 	wgConn "golang.zx2c4.com/wireguard/conn"
 
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
+type RecvMessage struct {
+	Endpoint *Endpoint
+	Buffer   []byte
+}
+
 type receiverCreator struct {
 	iceBind *ICEBind
 }
@@ -40,38 +41,37 @@ func (rc receiverCreator) CreateIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UD
 // use the port because in the Send function the wgConn.Endpoint the port info is not exported.
 type ICEBind struct {
 	*wgConn.StdNetBind
+	RecvChan chan RecvMessage
 
 	transportNet transport.Net
-	filterFn     udpmux.FilterFn
-	address      wgaddr.Address
-	mtu          uint16
-
-	endpoints   map[netip.Addr]net.Conn
-	endpointsMu sync.Mutex
-	recvChan    chan recvMessage
+	filterFn     FilterFn
+	endpoints    map[netip.Addr]net.Conn
+	endpointsMu  sync.Mutex
 	// every time when Close() is called (i.e. BindUpdate()) we need to close exit from the receiveRelayed and create a
 	// new closed channel. With the closedChanMu we can safely close the channel and create a new one
-	closedChan       chan struct{}
-	closedChanMu     sync.RWMutex // protect the closeChan recreation from reading from it.
-	closed           bool
-	activityRecorder *ActivityRecorder
+	closedChan   chan struct{}
+	closedChanMu sync.RWMutex // protect the closeChan recreation from reading from it.
+	closed       bool
 
-	muUDPMux sync.Mutex
-	udpMux   *udpmux.UniversalUDPMuxDefault
+	muUDPMux         sync.Mutex
+	udpMux           *UniversalUDPMuxDefault
+	address          wgaddr.Address
+	mtu              uint16
+	activityRecorder *ActivityRecorder
 }
 
-func NewICEBind(transportNet transport.Net, filterFn udpmux.FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
+func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
 	b, _ := wgConn.NewStdNetBind().(*wgConn.StdNetBind)
 	ib := &ICEBind{
 		StdNetBind:       b,
+		RecvChan:         make(chan RecvMessage, 1),
 		transportNet:     transportNet,
 		filterFn:         filterFn,
-		address:          address,
-		mtu:              mtu,
 		endpoints:        make(map[netip.Addr]net.Conn),
-		recvChan:         make(chan recvMessage, 1),
 		closedChan:       make(chan struct{}),
 		closed:           true,
+		mtu:              mtu,
+		address:          address,
 		activityRecorder: NewActivityRecorder(),
 	}
 
@@ -82,6 +82,10 @@ func NewICEBind(transportNet transport.Net, filterFn udpmux.FilterFn, address wg
 	return ib
 }
 
+func (s *ICEBind) MTU() uint16 {
+	return s.mtu
+}
+
 func (s *ICEBind) Open(uport uint16) ([]wgConn.ReceiveFunc, uint16, error) {
 	s.closed = false
 	s.closedChanMu.Lock()
@@ -111,7 +115,7 @@ func (s *ICEBind) ActivityRecorder() *ActivityRecorder {
 }
 
 // GetICEMux returns the ICE UDPMux that was created and used by ICEBind
-func (s *ICEBind) GetICEMux() (*udpmux.UniversalUDPMuxDefault, error) {
+func (s *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()
 	if s.udpMux == nil {
@@ -134,16 +138,6 @@ func (b *ICEBind) RemoveEndpoint(fakeIP netip.Addr) {
 	delete(b.endpoints, fakeIP)
 }
 
-func (b *ICEBind) ReceiveFromEndpoint(ctx context.Context, ep *Endpoint, buf []byte) {
-	select {
-	case <-b.closedChan:
-		return
-	case <-ctx.Done():
-		return
-	case b.recvChan <- recvMessage{ep, buf}:
-	}
-}
-
 func (b *ICEBind) Send(bufs [][]byte, ep wgConn.Endpoint) error {
 	b.endpointsMu.Lock()
 	conn, ok := b.endpoints[ep.DstIP()]
@@ -164,8 +158,8 @@ func (s *ICEBind) createIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, r
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()
 
-	s.udpMux = udpmux.NewUniversalUDPMuxDefault(
-		udpmux.UniversalUDPMuxParams{
+	s.udpMux = NewUniversalUDPMuxDefault(
+		UniversalUDPMuxParams{
 			UDPConn:   nbnet.WrapPacketConn(conn),
 			Net:       s.transportNet,
 			FilterFn:  s.filterFn,
@@ -276,7 +270,7 @@ func (c *ICEBind) receiveRelayed(buffs [][]byte, sizes []int, eps []wgConn.Endpo
 	select {
 	case <-c.closedChan:
 		return 0, net.ErrClosed
-	case msg, ok := <-c.recvChan:
+	case msg, ok := <-c.RecvChan:
 		if !ok {
 			return 0, net.ErrClosed
 		}

client/iface/bind/recv_msg.go

@@ -1,6 +0,0 @@
-package bind
-
-type recvMessage struct {
-	Endpoint *Endpoint
-	Buffer   []byte
-}

client/iface/bind/relay_bind.go

@@ -1,125 +0,0 @@
-package bind
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
-
-	"github.com/netbirdio/netbird/client/iface/udpmux"
-)
-
-// RelayBindJS is a conn.Bind implementation for WebAssembly environments.
-// Do not limit to build only js, because we want to be able to run tests
-type RelayBindJS struct {
-	*conn.StdNetBind
-
-	recvChan         chan recvMessage
-	endpoints        map[netip.Addr]net.Conn
-	endpointsMu      sync.Mutex
-	activityRecorder *ActivityRecorder
-	ctx              context.Context
-	cancel           context.CancelFunc
-}
-
-func NewRelayBindJS() *RelayBindJS {
-	return &RelayBindJS{
-		recvChan:         make(chan recvMessage, 100),
-		endpoints:        make(map[netip.Addr]net.Conn),
-		activityRecorder: NewActivityRecorder(),
-	}
-}
-
-// Open creates a receive function for handling relay packets in WASM.
-func (s *RelayBindJS) Open(uport uint16) ([]conn.ReceiveFunc, uint16, error) {
-	log.Debugf("Open: creating receive function for port %d", uport)
-
-	s.ctx, s.cancel = context.WithCancel(context.Background())
-
-	receiveFn := func(bufs [][]byte, sizes []int, eps []conn.Endpoint) (int, error) {
-		select {
-		case <-s.ctx.Done():
-			return 0, net.ErrClosed
-		case msg, ok := <-s.recvChan:
-			if !ok {
-				return 0, net.ErrClosed
-			}
-			copy(bufs[0], msg.Buffer)
-			sizes[0] = len(msg.Buffer)
-			eps[0] = conn.Endpoint(msg.Endpoint)
-			return 1, nil
-		}
-	}
-
-	log.Debugf("Open: receive function created, returning port %d", uport)
-	return []conn.ReceiveFunc{receiveFn}, uport, nil
-}
-
-func (s *RelayBindJS) Close() error {
-	if s.cancel == nil {
-		return nil
-	}
-	log.Debugf("close RelayBindJS")
-	s.cancel()
-	return nil
-}
-
-func (s *RelayBindJS) ReceiveFromEndpoint(ctx context.Context, ep *Endpoint, buf []byte) {
-	select {
-	case <-s.ctx.Done():
-		return
-	case <-ctx.Done():
-		return
-	case s.recvChan <- recvMessage{ep, buf}:
-	}
-}
-
-// Send forwards packets through the relay connection for WASM.
-func (s *RelayBindJS) Send(bufs [][]byte, ep conn.Endpoint) error {
-	if ep == nil {
-		return nil
-	}
-
-	fakeIP := ep.DstIP()
-
-	s.endpointsMu.Lock()
-	relayConn, ok := s.endpoints[fakeIP]
-	s.endpointsMu.Unlock()
-
-	if !ok {
-		return nil
-	}
-
-	for _, buf := range bufs {
-		if _, err := relayConn.Write(buf); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (b *RelayBindJS) SetEndpoint(fakeIP netip.Addr, conn net.Conn) {
-	b.endpointsMu.Lock()
-	b.endpoints[fakeIP] = conn
-	b.endpointsMu.Unlock()
-}
-
-func (s *RelayBindJS) RemoveEndpoint(fakeIP netip.Addr) {
-	s.endpointsMu.Lock()
-	defer s.endpointsMu.Unlock()
-
-	delete(s.endpoints, fakeIP)
-}
-
-// GetICEMux returns the ICE UDPMux that was created and used by ICEBind
-func (s *RelayBindJS) GetICEMux() (*udpmux.UniversalUDPMuxDefault, error) {
-	return nil, ErrUDPMUXNotSupported
-}
-
-func (s *RelayBindJS) ActivityRecorder() *ActivityRecorder {
-	return s.activityRecorder
-}

client/iface/bind/udp_mux.go

@@ -1,4 +1,4 @@
-package udpmux
+package bind
 
 import (
 	"fmt"
@@ -22,9 +22,9 @@ import (
 
 const receiveMTU = 8192
 
-// SingleSocketUDPMux is an implementation of the interface
-type SingleSocketUDPMux struct {
-	params Params
+// UDPMuxDefault is an implementation of the interface
+type UDPMuxDefault struct {
+	params UDPMuxParams
 
 	closedChan chan struct{}
 	closeOnce  sync.Once
@@ -32,9 +32,6 @@ type SingleSocketUDPMux struct {
 	// connsIPv4 and connsIPv6 are maps of all udpMuxedConn indexed by ufrag|network|candidateType
 	connsIPv4, connsIPv6 map[string]*udpMuxedConn
 
-	// candidateConnMap maps local candidate IDs to their corresponding connection.
-	candidateConnMap map[string]*udpMuxedConn
-
 	addressMapMu sync.RWMutex
 	addressMap   map[string][]*udpMuxedConn
 
@@ -49,8 +46,8 @@ type SingleSocketUDPMux struct {
 
 const maxAddrSize = 512
 
-// Params are parameters for UDPMux.
-type Params struct {
+// UDPMuxParams are parameters for UDPMux.
+type UDPMuxParams struct {
 	Logger  logging.LeveledLogger
 	UDPConn net.PacketConn
 
@@ -150,19 +147,18 @@ func isZeros(ip net.IP) bool {
 	return true
 }
 
-// NewSingleSocketUDPMux creates an implementation of UDPMux
-func NewSingleSocketUDPMux(params Params) *SingleSocketUDPMux {
+// NewUDPMuxDefault creates an implementation of UDPMux
+func NewUDPMuxDefault(params UDPMuxParams) *UDPMuxDefault {
 	if params.Logger == nil {
 		params.Logger = getLogger()
 	}
 
-	mux := &SingleSocketUDPMux{
-		addressMap:       map[string][]*udpMuxedConn{},
-		params:           params,
-		connsIPv4:        make(map[string]*udpMuxedConn),
-		connsIPv6:        make(map[string]*udpMuxedConn),
-		candidateConnMap: make(map[string]*udpMuxedConn),
-		closedChan:       make(chan struct{}, 1),
+	mux := &UDPMuxDefault{
+		addressMap: map[string][]*udpMuxedConn{},
+		params:     params,
+		connsIPv4:  make(map[string]*udpMuxedConn),
+		connsIPv6:  make(map[string]*udpMuxedConn),
+		closedChan: make(chan struct{}, 1),
 		pool: &sync.Pool{
 			New: func() interface{} {
 				// big enough buffer to fit both packet and address
@@ -175,15 +171,15 @@ func NewSingleSocketUDPMux(params Params) *SingleSocketUDPMux {
 	return mux
 }
 
-func (m *SingleSocketUDPMux) updateLocalAddresses() {
+func (m *UDPMuxDefault) updateLocalAddresses() {
 	var localAddrsForUnspecified []net.Addr
 	if addr, ok := m.params.UDPConn.LocalAddr().(*net.UDPAddr); !ok {
 		m.params.Logger.Errorf("LocalAddr is not a net.UDPAddr, got %T", m.params.UDPConn.LocalAddr())
 	} else if ok && addr.IP.IsUnspecified() {
 		// For unspecified addresses, the correct behavior is to return errListenUnspecified, but
 		// it will break the applications that are already using unspecified UDP connection
-		// with SingleSocketUDPMux, so print a warn log and create a local address list for mux.
-		m.params.Logger.Warn("SingleSocketUDPMux should not listening on unspecified address, use NewMultiUDPMuxFromPort instead")
+		// with UDPMuxDefault, so print a warn log and create a local address list for mux.
+		m.params.Logger.Warn("UDPMuxDefault should not listening on unspecified address, use NewMultiUDPMuxFromPort instead")
 		var networks []ice.NetworkType
 		switch {
 
@@ -220,13 +216,13 @@ func (m *SingleSocketUDPMux) updateLocalAddresses() {
 	m.mu.Unlock()
 }
 
-// LocalAddr returns the listening address of this SingleSocketUDPMux
-func (m *SingleSocketUDPMux) LocalAddr() net.Addr {
+// LocalAddr returns the listening address of this UDPMuxDefault
+func (m *UDPMuxDefault) LocalAddr() net.Addr {
 	return m.params.UDPConn.LocalAddr()
 }
 
 // GetListenAddresses returns the list of addresses that this mux is listening on
-func (m *SingleSocketUDPMux) GetListenAddresses() []net.Addr {
+func (m *UDPMuxDefault) GetListenAddresses() []net.Addr {
 	m.updateLocalAddresses()
 
 	m.mu.Lock()
@@ -240,7 +236,7 @@ func (m *SingleSocketUDPMux) GetListenAddresses() []net.Addr {
 
 // GetConn returns a PacketConn given the connection's ufrag and network address
 // creates the connection if an existing one can't be found
-func (m *SingleSocketUDPMux) GetConn(ufrag string, addr net.Addr, candidateID string) (net.PacketConn, error) {
+func (m *UDPMuxDefault) GetConn(ufrag string, addr net.Addr) (net.PacketConn, error) {
 	// don't check addr for mux using unspecified address
 	m.mu.Lock()
 	lenLocalAddrs := len(m.localAddrsForUnspecified)
@@ -264,14 +260,12 @@ func (m *SingleSocketUDPMux) GetConn(ufrag string, addr net.Addr, candidateID st
 		return conn, nil
 	}
 
-	c := m.createMuxedConn(ufrag, candidateID)
+	c := m.createMuxedConn(ufrag)
 	go func() {
 		<-c.CloseChannel()
 		m.RemoveConnByUfrag(ufrag)
 	}()
 
-	m.candidateConnMap[candidateID] = c
-
 	if isIPv6 {
 		m.connsIPv6[ufrag] = c
 	} else {
@@ -282,7 +276,7 @@ func (m *SingleSocketUDPMux) GetConn(ufrag string, addr net.Addr, candidateID st
 }
 
 // RemoveConnByUfrag stops and removes the muxed packet connection
-func (m *SingleSocketUDPMux) RemoveConnByUfrag(ufrag string) {
+func (m *UDPMuxDefault) RemoveConnByUfrag(ufrag string) {
 	removedConns := make([]*udpMuxedConn, 0, 2)
 
 	// Keep lock section small to avoid deadlock with conn lock
@@ -290,12 +284,10 @@ func (m *SingleSocketUDPMux) RemoveConnByUfrag(ufrag string) {
 	if c, ok := m.connsIPv4[ufrag]; ok {
 		delete(m.connsIPv4, ufrag)
 		removedConns = append(removedConns, c)
-		delete(m.candidateConnMap, c.GetCandidateID())
 	}
 	if c, ok := m.connsIPv6[ufrag]; ok {
 		delete(m.connsIPv6, ufrag)
 		removedConns = append(removedConns, c)
-		delete(m.candidateConnMap, c.GetCandidateID())
 	}
 	m.mu.Unlock()
 
@@ -322,7 +314,7 @@ func (m *SingleSocketUDPMux) RemoveConnByUfrag(ufrag string) {
 }
 
 // IsClosed returns true if the mux had been closed
-func (m *SingleSocketUDPMux) IsClosed() bool {
+func (m *UDPMuxDefault) IsClosed() bool {
 	select {
 	case <-m.closedChan:
 		return true
@@ -332,7 +324,7 @@ func (m *SingleSocketUDPMux) IsClosed() bool {
 }
 
 // Close the mux, no further connections could be created
-func (m *SingleSocketUDPMux) Close() error {
+func (m *UDPMuxDefault) Close() error {
 	var err error
 	m.closeOnce.Do(func() {
 		m.mu.Lock()
@@ -355,11 +347,11 @@ func (m *SingleSocketUDPMux) Close() error {
 	return err
 }
 
-func (m *SingleSocketUDPMux) writeTo(buf []byte, rAddr net.Addr) (n int, err error) {
+func (m *UDPMuxDefault) writeTo(buf []byte, rAddr net.Addr) (n int, err error) {
 	return m.params.UDPConn.WriteTo(buf, rAddr)
 }
 
-func (m *SingleSocketUDPMux) registerConnForAddress(conn *udpMuxedConn, addr string) {
+func (m *UDPMuxDefault) registerConnForAddress(conn *udpMuxedConn, addr string) {
 	if m.IsClosed() {
 		return
 	}
@@ -376,109 +368,81 @@ func (m *SingleSocketUDPMux) registerConnForAddress(conn *udpMuxedConn, addr str
 	log.Debugf("ICE: registered %s for %s", addr, conn.params.Key)
 }
 
-func (m *SingleSocketUDPMux) createMuxedConn(key string, candidateID string) *udpMuxedConn {
+func (m *UDPMuxDefault) createMuxedConn(key string) *udpMuxedConn {
 	c := newUDPMuxedConn(&udpMuxedConnParams{
-		Mux:         m,
-		Key:         key,
-		AddrPool:    m.pool,
-		LocalAddr:   m.LocalAddr(),
-		Logger:      m.params.Logger,
-		CandidateID: candidateID,
+		Mux:       m,
+		Key:       key,
+		AddrPool:  m.pool,
+		LocalAddr: m.LocalAddr(),
+		Logger:    m.params.Logger,
 	})
 	return c
 }
 
 // HandleSTUNMessage handles STUN packets and forwards them to underlying pion/ice library
-func (m *SingleSocketUDPMux) HandleSTUNMessage(msg *stun.Message, addr net.Addr) error {
+func (m *UDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.Addr) error {
+
 	remoteAddr, ok := addr.(*net.UDPAddr)
 	if !ok {
 		return fmt.Errorf("underlying PacketConn did not return a UDPAddr")
 	}
 
-	// Try to route to specific candidate connection first
-	if conn := m.findCandidateConnection(msg); conn != nil {
-		return conn.writePacket(msg.Raw, remoteAddr)
-	}
-
-	// Fallback: route to all possible connections
-	return m.forwardToAllConnections(msg, addr, remoteAddr)
-}
-
-// findCandidateConnection attempts to find the specific connection for a STUN message
-func (m *SingleSocketUDPMux) findCandidateConnection(msg *stun.Message) *udpMuxedConn {
-	candidatePairID, ok, err := ice.CandidatePairIDFromSTUN(msg)
-	if err != nil {
-		return nil
-	} else if !ok {
-		return nil
-	}
-
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	conn, exists := m.candidateConnMap[candidatePairID.TargetCandidateID()]
-	if !exists {
-		return nil
-	}
-	return conn
-}
-
-// forwardToAllConnections forwards STUN message to all relevant connections
-func (m *SingleSocketUDPMux) forwardToAllConnections(msg *stun.Message, addr net.Addr, remoteAddr *net.UDPAddr) error {
-	var destinationConnList []*udpMuxedConn
-
-	// Add connections from address map
+	// If we have already seen this address dispatch to the appropriate destination
+	// If you are using the same socket for the Host and SRFLX candidates, it might be that there are more than one
+	// muxed connection - one for the SRFLX candidate and the other one for the HOST one.
+	// We will then forward STUN packets to each of these connections.
 	m.addressMapMu.RLock()
+	var destinationConnList []*udpMuxedConn
 	if storedConns, ok := m.addressMap[addr.String()]; ok {
 		destinationConnList = append(destinationConnList, storedConns...)
 	}
 	m.addressMapMu.RUnlock()
 
-	if conn, ok := m.findConnectionByUsername(msg, addr); ok {
-		// If we have already seen this address dispatch to the appropriate destination
-		// If you are using the same socket for the Host and SRFLX candidates, it might be that there are more than one
-		// muxed connection - one for the SRFLX candidate and the other one for the HOST one.
-		// We will then forward STUN packets to each of these connections.
-		if !m.connectionExists(conn, destinationConnList) {
-			destinationConnList = append(destinationConnList, conn)
-		}
+	var isIPv6 bool
+	if udpAddr, _ := addr.(*net.UDPAddr); udpAddr != nil && udpAddr.IP.To4() == nil {
+		isIPv6 = true
 	}
 
-	// Forward to all found connections
+	// This block is needed to discover Peer Reflexive Candidates for which we don't know the Endpoint upfront.
+	// However, we can take a username attribute from the STUN message which contains ufrag.
+	// We can use ufrag to identify the destination conn to route packet to.
+	attr, stunAttrErr := msg.Get(stun.AttrUsername)
+	if stunAttrErr == nil {
+		ufrag := strings.Split(string(attr), ":")[0]
+
+		m.mu.Lock()
+		destinationConn := m.connsIPv4[ufrag]
+		if isIPv6 {
+			destinationConn = m.connsIPv6[ufrag]
+		}
+
+		if destinationConn != nil {
+			exists := false
+			for _, conn := range destinationConnList {
+				if conn.params.Key == destinationConn.params.Key {
+					exists = true
+					break
+				}
+			}
+			if !exists {
+				destinationConnList = append(destinationConnList, destinationConn)
+			}
+		}
+		m.mu.Unlock()
+	}
+
+	// Forward STUN packets to each destination connections even thought the STUN packet might not belong there.
+	// It will be discarded by the further ICE candidate logic if so.
 	for _, conn := range destinationConnList {
 		if err := conn.writePacket(msg.Raw, remoteAddr); err != nil {
 			log.Errorf("could not write packet: %v", err)
 		}
 	}
+
 	return nil
 }
 
-// findConnectionByUsername finds connection using username attribute from STUN message
-func (m *SingleSocketUDPMux) findConnectionByUsername(msg *stun.Message, addr net.Addr) (*udpMuxedConn, bool) {
-	attr, err := msg.Get(stun.AttrUsername)
-	if err != nil {
-		return nil, false
-	}
-
-	ufrag := strings.Split(string(attr), ":")[0]
-	isIPv6 := isIPv6Address(addr)
-
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	return m.getConn(ufrag, isIPv6)
-}
-
-// connectionExists checks if a connection already exists in the list
-func (m *SingleSocketUDPMux) connectionExists(target *udpMuxedConn, conns []*udpMuxedConn) bool {
-	for _, conn := range conns {
-		if conn.params.Key == target.params.Key {
-			return true
-		}
-	}
-	return false
-}
-
-func (m *SingleSocketUDPMux) getConn(ufrag string, isIPv6 bool) (val *udpMuxedConn, ok bool) {
+func (m *UDPMuxDefault) getConn(ufrag string, isIPv6 bool) (val *udpMuxedConn, ok bool) {
 	if isIPv6 {
 		val, ok = m.connsIPv6[ufrag]
 	} else {
@@ -487,13 +451,6 @@ func (m *SingleSocketUDPMux) getConn(ufrag string, isIPv6 bool) (val *udpMuxedCo
 	return
 }
 
-func isIPv6Address(addr net.Addr) bool {
-	if udpAddr, ok := addr.(*net.UDPAddr); ok {
-		return udpAddr.IP.To4() == nil
-	}
-	return false
-}
-
 type bufferHolder struct {
 	buf []byte
 }

client/iface/bind/udp_mux_generic.go

@@ -1,12 +1,12 @@
 //go:build !ios
 
-package udpmux
+package bind
 
 import (
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
-func (m *SingleSocketUDPMux) notifyAddressRemoval(addr string) {
+func (m *UDPMuxDefault) notifyAddressRemoval(addr string) {
 	// Kernel mode: direct nbnet.PacketConn (SharedSocket wrapped with nbnet)
 	if conn, ok := m.params.UDPConn.(*nbnet.PacketConn); ok {
 		conn.RemoveAddress(addr)

client/iface/bind/udp_mux_ios.go

@@ -0,0 +1,7 @@
+//go:build ios
+
+package bind
+
+func (m *UDPMuxDefault) notifyAddressRemoval(addr string) {
+	// iOS doesn't support nbnet hooks, so this is a no-op
+}

client/iface/bind/udp_mux_universal.go

@@ -1,4 +1,4 @@
-package udpmux
+package bind
 
 /*
  Most of this code was copied from https://github.com/pion/ice and modified to fulfill NetBird's requirements.
@@ -29,7 +29,7 @@ type FilterFn func(address netip.Addr) (bool, netip.Prefix, error)
 // UniversalUDPMuxDefault handles STUN and TURN servers packets by wrapping the original UDPConn
 // It then passes packets to the UDPMux that does the actual connection muxing.
 type UniversalUDPMuxDefault struct {
-	*SingleSocketUDPMux
+	*UDPMuxDefault
 	params UniversalUDPMuxParams
 
 	// since we have a shared socket, for srflx candidates it makes sense to have a shared mapped address across all the agents
@@ -72,12 +72,12 @@ func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDef
 		address:    params.WGAddress,
 	}
 
-	udpMuxParams := Params{
+	udpMuxParams := UDPMuxParams{
 		Logger:  params.Logger,
 		UDPConn: m.params.UDPConn,
 		Net:     m.params.Net,
 	}
-	m.SingleSocketUDPMux = NewSingleSocketUDPMux(udpMuxParams)
+	m.UDPMuxDefault = NewUDPMuxDefault(udpMuxParams)
 
 	return m
 }
@@ -211,8 +211,8 @@ func (m *UniversalUDPMuxDefault) GetRelayedAddr(turnAddr net.Addr, deadline time
 
 // GetConnForURL add uniques to the muxed connection by concatenating ufrag and URL (e.g. STUN URL) to be able to support multiple STUN/TURN servers
 // and return a unique connection per server.
-func (m *UniversalUDPMuxDefault) GetConnForURL(ufrag string, url string, addr net.Addr, candidateID string) (net.PacketConn, error) {
-	return m.SingleSocketUDPMux.GetConn(fmt.Sprintf("%s%s", ufrag, url), addr, candidateID)
+func (m *UniversalUDPMuxDefault) GetConnForURL(ufrag string, url string, addr net.Addr) (net.PacketConn, error) {
+	return m.UDPMuxDefault.GetConn(fmt.Sprintf("%s%s", ufrag, url), addr)
 }
 
 // HandleSTUNMessage discovers STUN packets that carry a XOR mapped address from a STUN server.
@@ -233,7 +233,7 @@ func (m *UniversalUDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.A
 		}
 		return nil
 	}
-	return m.SingleSocketUDPMux.HandleSTUNMessage(msg, addr)
+	return m.UDPMuxDefault.HandleSTUNMessage(msg, addr)
 }
 
 // isXORMappedResponse indicates whether the message is a XORMappedAddress and is coming from the known STUN server.

client/iface/bind/udp_muxed_conn.go

@@ -1,4 +1,4 @@
-package udpmux
+package bind
 
 /*
  Most of this code was copied from https://github.com/pion/ice and modified to fulfill NetBird's requirements
@@ -16,12 +16,11 @@ import (
 )
 
 type udpMuxedConnParams struct {
-	Mux         *SingleSocketUDPMux
-	AddrPool    *sync.Pool
-	Key         string
-	LocalAddr   net.Addr
-	Logger      logging.LeveledLogger
-	CandidateID string
+	Mux       *UDPMuxDefault
+	AddrPool  *sync.Pool
+	Key       string
+	LocalAddr net.Addr
+	Logger    logging.LeveledLogger
 }
 
 // udpMuxedConn represents a logical packet conn for a single remote as identified by ufrag
@@ -120,10 +119,6 @@ func (c *udpMuxedConn) Close() error {
 	return err
 }
 
-func (c *udpMuxedConn) GetCandidateID() string {
-	return c.params.CandidateID
-}
-
 func (c *udpMuxedConn) isClosed() bool {
 	select {
 	case <-c.closedChan:

client/iface/configurer/kernel_unix.go

@@ -73,44 +73,6 @@ func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 	return nil
 }
 
-func (c *KernelConfigurer) RemoveEndpointAddress(peerKey string) error {
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-
-	// Get the existing peer to preserve its allowed IPs
-	existingPeer, err := c.getPeer(c.deviceName, peerKey)
-	if err != nil {
-		return fmt.Errorf("get peer: %w", err)
-	}
-
-	removePeerCfg := wgtypes.PeerConfig{
-		PublicKey: peerKeyParsed,
-		Remove:    true,
-	}
-
-	if err := c.configure(wgtypes.Config{Peers: []wgtypes.PeerConfig{removePeerCfg}}); err != nil {
-		return fmt.Errorf(`error removing peer %s from interface %s: %w`, peerKey, c.deviceName, err)
-	}
-
-	//Re-add the peer without the endpoint but same AllowedIPs
-	reAddPeerCfg := wgtypes.PeerConfig{
-		PublicKey:         peerKeyParsed,
-		AllowedIPs:        existingPeer.AllowedIPs,
-		ReplaceAllowedIPs: true,
-	}
-
-	if err := c.configure(wgtypes.Config{Peers: []wgtypes.PeerConfig{reAddPeerCfg}}); err != nil {
-		return fmt.Errorf(
-			`error re-adding peer %s to interface %s with allowed IPs %v: %w`,
-			peerKey, c.deviceName, existingPeer.AllowedIPs, err,
-		)
-	}
-
-	return nil
-}
-
 func (c *KernelConfigurer) RemovePeer(peerKey string) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {

client/iface/configurer/name.go

@@ -1,4 +1,4 @@
-//go:build linux || windows || freebsd || js || wasip1
+//go:build linux || windows || freebsd
 
 package configurer
 

client/iface/configurer/uapi.go

@@ -1,4 +1,4 @@
-//go:build !windows && !js
+//go:build !windows
 
 package configurer
 

client/iface/configurer/uapi_js.go

@@ -1,23 +0,0 @@
-package configurer
-
-import (
-	"net"
-)
-
-type noopListener struct{}
-
-func (n *noopListener) Accept() (net.Conn, error) {
-	return nil, net.ErrClosed
-}
-
-func (n *noopListener) Close() error {
-	return nil
-}
-
-func (n *noopListener) Addr() net.Addr {
-	return nil
-}
-
-func openUAPI(deviceName string) (net.Listener, error) {
-	return &noopListener{}, nil
-}

client/iface/configurer/usp.go

@@ -17,8 +17,8 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/netbirdio/netbird/client/iface/bind"
-	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/monotime"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 const (
@@ -106,67 +106,6 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 	return nil
 }
 
-func (c *WGUSPConfigurer) RemoveEndpointAddress(peerKey string) error {
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return fmt.Errorf("parse peer key: %w", err)
-	}
-
-	ipcStr, err := c.device.IpcGet()
-	if err != nil {
-		return fmt.Errorf("get IPC config: %w", err)
-	}
-
-	// Parse current status to get allowed IPs for the peer
-	stats, err := parseStatus(c.deviceName, ipcStr)
-	if err != nil {
-		return fmt.Errorf("parse IPC config: %w", err)
-	}
-
-	var allowedIPs []net.IPNet
-	found := false
-	for _, peer := range stats.Peers {
-		if peer.PublicKey == peerKey {
-			allowedIPs = peer.AllowedIPs
-			found = true
-			break
-		}
-	}
-	if !found {
-		return fmt.Errorf("peer %s not found", peerKey)
-	}
-
-	// remove the peer from the WireGuard configuration
-	peer := wgtypes.PeerConfig{
-		PublicKey: peerKeyParsed,
-		Remove:    true,
-	}
-
-	config := wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-	if ipcErr := c.device.IpcSet(toWgUserspaceString(config)); ipcErr != nil {
-		return fmt.Errorf("failed to remove peer: %s", ipcErr)
-	}
-
-	// Build the peer config
-	peer = wgtypes.PeerConfig{
-		PublicKey:         peerKeyParsed,
-		ReplaceAllowedIPs: true,
-		AllowedIPs:        allowedIPs,
-	}
-
-	config = wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-
-	if err := c.device.IpcSet(toWgUserspaceString(config)); err != nil {
-		return fmt.Errorf("remove endpoint address: %w", err)
-	}
-
-	return nil
-}
-
 func (c *WGUSPConfigurer) RemovePeer(peerKey string) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
@@ -455,13 +394,6 @@ func toLastHandshake(stringVar string) (time.Time, error) {
 	if err != nil {
 		return time.Time{}, fmt.Errorf("parse handshake sec: %w", err)
 	}
-
-	// If sec is 0 (Unix epoch), return zero time instead
-	// This indicates no handshake has occurred
-	if sec == 0 {
-		return time.Time{}, nil
-	}
-
 	return time.Unix(sec, 0), nil
 }
 
@@ -470,7 +402,7 @@ func toBytes(s string) (int64, error) {
 }
 
 func getFwmark() int {
-	if nbnet.AdvancedRouting() && runtime.GOOS == "linux" {
+	if nbnet.AdvancedRouting() {
 		return nbnet.ControlPlaneMark
 	}
 	return 0

client/iface/device.go

@@ -7,14 +7,14 @@ import (
 
 	wgdevice "golang.zx2c4.com/wireguard/device"
 
+	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
 type WGTunDevice interface {
 	Create() (device.WGConfigurer, error)
-	Up() (*udpmux.UniversalUDPMuxDefault, error)
+	Up() (*bind.UniversalUDPMuxDefault, error)
 	UpdateAddr(address wgaddr.Address) error
 	WgAddress() wgaddr.Address
 	MTU() uint16
@@ -23,5 +23,4 @@ type WGTunDevice interface {
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
 	GetNet() *netstack.Net
-	GetICEBind() device.EndpointManager
 }

client/iface/device/device_android.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -30,7 +29,7 @@ type WGTunDevice struct {
 	name           string
 	device         *device.Device
 	filteredDevice *FilteredDevice
-	udpMux         *udpmux.UniversalUDPMuxDefault
+	udpMux         *bind.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 }
 
@@ -89,7 +88,7 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 	}
 	return t.configurer, nil
 }
-func (t *WGTunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *WGTunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	err := t.device.Up()
 	if err != nil {
 		return nil, err
@@ -150,11 +149,6 @@ func (t *WGTunDevice) GetNet() *netstack.Net {
 	return nil
 }
 
-// GetICEBind returns the ICEBind instance
-func (t *WGTunDevice) GetICEBind() EndpointManager {
-	return t.iceBind
-}
-
 func routesToString(routes []string) string {
 	return strings.Join(routes, ";")
 }

client/iface/device/device_darwin.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -27,7 +26,7 @@ type TunDevice struct {
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
-	udpMux         *udpmux.UniversalUDPMuxDefault
+	udpMux         *bind.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 }
 
@@ -72,7 +71,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *TunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *TunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	err := t.device.Up()
 	if err != nil {
 		return nil, err
@@ -154,8 +153,3 @@ func (t *TunDevice) assignAddr() error {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
-
-// GetICEBind returns the ICEBind instance
-func (t *TunDevice) GetICEBind() EndpointManager {
-	return t.iceBind
-}

client/iface/device/device_ios.go

@@ -14,7 +14,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -29,7 +28,7 @@ type TunDevice struct {
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
-	udpMux         *udpmux.UniversalUDPMuxDefault
+	udpMux         *bind.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 }
 
@@ -84,7 +83,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *TunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *TunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	err := t.device.Up()
 	if err != nil {
 		return nil, err
@@ -144,8 +143,3 @@ func (t *TunDevice) FilteredDevice() *FilteredDevice {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
-
-// GetICEBind returns the ICEBind instance
-func (t *TunDevice) GetICEBind() EndpointManager {
-	return t.iceBind
-}

client/iface/device/device_kernel_unix.go

@@ -12,11 +12,11 @@ import (
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
+	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/sharedsock"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 type TunKernelDevice struct {
@@ -31,9 +31,9 @@ type TunKernelDevice struct {
 
 	link       *wgLink
 	udpMuxConn net.PacketConn
-	udpMux     *udpmux.UniversalUDPMuxDefault
+	udpMux     *bind.UniversalUDPMuxDefault
 
-	filterFn udpmux.FilterFn
+	filterFn bind.FilterFn
 }
 
 func NewKernelDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, transportNet transport.Net) *TunKernelDevice {
@@ -79,7 +79,7 @@ func (t *TunKernelDevice) Create() (WGConfigurer, error) {
 	return configurer, nil
 }
 
-func (t *TunKernelDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *TunKernelDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	if t.udpMux != nil {
 		return t.udpMux, nil
 	}
@@ -101,14 +101,19 @@ func (t *TunKernelDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 		return nil, err
 	}
 
-	bindParams := udpmux.UniversalUDPMuxParams{
-		UDPConn:   nbnet.WrapPacketConn(rawSock),
+	var udpConn net.PacketConn = rawSock
+	if !nbnet.AdvancedRouting() {
+		udpConn = nbnet.WrapPacketConn(rawSock)
+	}
+
+	bindParams := bind.UniversalUDPMuxParams{
+		UDPConn:   udpConn,
 		Net:       t.transportNet,
 		FilterFn:  t.filterFn,
 		WGAddress: t.address,
 		MTU:       t.mtu,
 	}
-	mux := udpmux.NewUniversalUDPMuxDefault(bindParams)
+	mux := bind.NewUniversalUDPMuxDefault(bindParams)
 	go mux.ReadFromConn(t.ctx)
 	t.udpMuxConn = rawSock
 	t.udpMux = mux
@@ -179,8 +184,3 @@ func (t *TunKernelDevice) assignAddr() error {
 func (t *TunKernelDevice) GetNet() *netstack.Net {
 	return nil
 }
-
-// GetICEBind returns nil for kernel mode devices
-func (t *TunKernelDevice) GetICEBind() EndpointManager {
-	return nil
-}

client/iface/device/device_netstack.go

@@ -1,29 +1,19 @@
 package device
 
 import (
-	"errors"
 	"fmt"
 
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
-type Bind interface {
-	conn.Bind
-	GetICEMux() (*udpmux.UniversalUDPMuxDefault, error)
-	ActivityRecorder() *bind.ActivityRecorder
-	EndpointManager
-}
-
 type TunNetstackDevice struct {
 	name          string
 	address       wgaddr.Address
@@ -31,18 +21,18 @@ type TunNetstackDevice struct {
 	key           string
 	mtu           uint16
 	listenAddress string
-	bind          Bind
+	iceBind       *bind.ICEBind
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
 	nsTun          *nbnetstack.NetStackTun
-	udpMux         *udpmux.UniversalUDPMuxDefault
+	udpMux         *bind.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 
 	net *netstack.Net
 }
 
-func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, bind Bind, listenAddress string) *TunNetstackDevice {
+func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, iceBind *bind.ICEBind, listenAddress string) *TunNetstackDevice {
 	return &TunNetstackDevice{
 		name:          name,
 		address:       address,
@@ -50,7 +40,7 @@ func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key stri
 		key:           key,
 		mtu:           mtu,
 		listenAddress: listenAddress,
-		bind:          bind,
+		iceBind:       iceBind,
 	}
 }
 
@@ -75,11 +65,11 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 
 	t.device = device.NewDevice(
 		t.filteredDevice,
-		t.bind,
+		t.iceBind,
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		_ = tunIface.Close()
@@ -90,7 +80,7 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *TunNetstackDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *TunNetstackDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	if t.device == nil {
 		return nil, fmt.Errorf("device is not ready yet")
 	}
@@ -100,15 +90,11 @@ func (t *TunNetstackDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 		return nil, err
 	}
 
-	udpMux, err := t.bind.GetICEMux()
-	if err != nil && !errors.Is(err, bind.ErrUDPMUXNotSupported) {
+	udpMux, err := t.iceBind.GetICEMux()
+	if err != nil {
 		return nil, err
 	}
-
-	if udpMux != nil {
-		t.udpMux = udpMux
-	}
-
+	t.udpMux = udpMux
 	log.Debugf("netstack device is ready to use")
 	return udpMux, nil
 }
@@ -156,8 +142,3 @@ func (t *TunNetstackDevice) Device() *device.Device {
 func (t *TunNetstackDevice) GetNet() *netstack.Net {
 	return t.net
 }
-
-// GetICEBind returns the bind instance
-func (t *TunNetstackDevice) GetICEBind() EndpointManager {
-	return t.bind
-}

client/iface/device/device_netstack_test.go

@@ -1,27 +0,0 @@
-package device
-
-import (
-	"testing"
-
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-func TestNewNetstackDevice(t *testing.T) {
-	privateKey, _ := wgtypes.GeneratePrivateKey()
-	wgAddress, _ := wgaddr.ParseWGAddress("1.2.3.4/24")
-
-	relayBind := bind.NewRelayBindJS()
-	nsTun := NewNetstackDevice("wtx", wgAddress, 1234, privateKey.String(), 1500, relayBind, netstack.ListenAddr())
-
-	cfgr, err := nsTun.Create()
-	if err != nil {
-		t.Fatalf("failed to create netstack device: %v", err)
-	}
-	if cfgr == nil {
-		t.Fatal("expected non-nil configurer")
-	}
-}

client/iface/device/device_usp_unix.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -26,7 +25,7 @@ type USPDevice struct {
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
-	udpMux         *udpmux.UniversalUDPMuxDefault
+	udpMux         *bind.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 }
 
@@ -75,7 +74,7 @@ func (t *USPDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *USPDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *USPDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	if t.device == nil {
 		return nil, fmt.Errorf("device is not ready yet")
 	}
@@ -146,8 +145,3 @@ func (t *USPDevice) assignAddr() error {
 func (t *USPDevice) GetNet() *netstack.Net {
 	return nil
 }
-
-// GetICEBind returns the ICEBind instance
-func (t *USPDevice) GetICEBind() EndpointManager {
-	return t.iceBind
-}

client/iface/device/device_windows.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -30,7 +29,7 @@ type TunDevice struct {
 	device          *device.Device
 	nativeTunDevice *tun.NativeTun
 	filteredDevice  *FilteredDevice
-	udpMux          *udpmux.UniversalUDPMuxDefault
+	udpMux          *bind.UniversalUDPMuxDefault
 	configurer      WGConfigurer
 }
 
@@ -105,7 +104,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *TunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *TunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	err := t.device.Up()
 	if err != nil {
 		return nil, err
@@ -185,8 +184,3 @@ func (t *TunDevice) assignAddr() error {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
-
-// GetICEBind returns the ICEBind instance
-func (t *TunDevice) GetICEBind() EndpointManager {
-	return t.iceBind
-}

client/iface/device/endpoint_manager.go

@@ -1,13 +0,0 @@
-package device
-
-import (
-	"net"
-	"net/netip"
-)
-
-// EndpointManager manages fake IP to connection mappings for userspace bind implementations.
-// Implemented by bind.ICEBind and bind.RelayBindJS.
-type EndpointManager interface {
-	SetEndpoint(fakeIP netip.Addr, conn net.Conn)
-	RemoveEndpoint(fakeIP netip.Addr)
-}

client/iface/device/interface.go

@@ -21,5 +21,4 @@ type WGConfigurer interface {
 	GetStats() (map[string]configurer.WGStats, error)
 	FullStats() (*configurer.Stats, error)
 	LastActivities() map[string]monotime.Time
-	RemoveEndpointAddress(peerKey string) error
 }

client/iface/device_android.go

@@ -5,14 +5,14 @@ import (
 
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
+	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
 type WGTunDevice interface {
 	Create(routes []string, dns string, searchDomains []string) (device.WGConfigurer, error)
-	Up() (*udpmux.UniversalUDPMuxDefault, error)
+	Up() (*bind.UniversalUDPMuxDefault, error)
 	UpdateAddr(address wgaddr.Address) error
 	WgAddress() wgaddr.Address
 	MTU() uint16
@@ -21,5 +21,4 @@ type WGTunDevice interface {
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
 	GetNet() *netstack.Net
-	GetICEBind() device.EndpointManager
 }

client/iface/iface.go

@@ -16,9 +16,9 @@ import (
 	wgdevice "golang.zx2c4.com/wireguard/device"
 
 	"github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 	"github.com/netbirdio/netbird/monotime"
@@ -61,7 +61,7 @@ type WGIFaceOpts struct {
 	MTU          uint16
 	MobileArgs   *device.MobileIFaceArguments
 	TransportNet transport.Net
-	FilterFn     udpmux.FilterFn
+	FilterFn     bind.FilterFn
 	DisableDNS   bool
 }
 
@@ -80,17 +80,6 @@ func (w *WGIface) GetProxy() wgproxy.Proxy {
 	return w.wgProxyFactory.GetProxy()
 }
 
-// GetBind returns the EndpointManager userspace bind mode.
-func (w *WGIface) GetBind() device.EndpointManager {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	if w.tun == nil {
-		return nil
-	}
-	return w.tun.GetICEBind()
-}
-
 // IsUserspaceBind indicates whether this interfaces is userspace with bind.ICEBind
 func (w *WGIface) IsUserspaceBind() bool {
 	return w.userspaceBind
@@ -125,7 +114,7 @@ func (r *WGIface) ToInterface() *net.Interface {
 
 // Up configures a Wireguard interface
 // The interface must exist before calling this method (e.g. call interface.Create() before)
-func (w *WGIface) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (w *WGIface) Up() (*bind.UniversalUDPMuxDefault, error) {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 
@@ -159,17 +148,6 @@ func (w *WGIface) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAliv
 	return w.configurer.UpdatePeer(peerKey, allowedIps, keepAlive, endpoint, preSharedKey)
 }
 
-func (w *WGIface) RemoveEndpointAddress(peerKey string) error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	if w.configurer == nil {
-		return ErrIfaceNotFound
-	}
-
-	log.Debugf("Removing endpoint address: %s", peerKey)
-	return w.configurer.RemoveEndpointAddress(peerKey)
-}
-
 // RemovePeer removes a Wireguard Peer from the interface iface
 func (w *WGIface) RemovePeer(peerKey string) error {
 	w.mu.Lock()

client/iface/iface_destroy_js.go

@@ -1,6 +0,0 @@
-package iface
-
-// Destroy is a no-op on WASM
-func (w *WGIface) Destroy() error {
-	return nil
-}

client/iface/iface_new_android.go

@@ -21,7 +21,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		wgIFace := &WGIface{
 			userspaceBind:  true,
 			tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
-			wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+			wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 		}
 		return wgIFace, nil
 	}
@@ -29,7 +29,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 }

client/iface/iface_new_darwin.go

@@ -29,7 +29,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 }

client/iface/iface_new_freebsd.go

@@ -1,41 +0,0 @@
-//go:build freebsd
-
-package iface
-
-import (
-	"fmt"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	wgIFace := &WGIface{}
-
-	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
-	}
-
-	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
-	}
-
-	return nil, fmt.Errorf("couldn't check or load tun module")
-}

client/iface/iface_new_ios.go

@@ -21,7 +21,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunFd),
 		userspaceBind:  true,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 }

client/iface/iface_new_js.go

@@ -1,27 +0,0 @@
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace creates a new WireGuard interface for WASM (always uses netstack mode)
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	relayBind := bind.NewRelayBindJS()
-
-	wgIface := &WGIface{
-		tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, relayBind, netstack.ListenAddr()),
-		userspaceBind:  true,
-		wgProxyFactory: wgproxy.NewUSPFactory(relayBind, opts.MTU),
-	}
-
-	return wgIface, nil
-}

client/iface/iface_new_unix.go

@@ -1,4 +1,4 @@
-//go:build linux && !android
+//go:build (linux && !android) || freebsd
 
 package iface
 
@@ -25,7 +25,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
 		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
+		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
 		return wgIFace, nil
 	}
 
@@ -38,7 +38,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
 		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
+		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
 		return wgIFace, nil
 	}
 

client/iface/iface_new_windows.go

@@ -26,7 +26,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 

client/iface/netstack/env.go

@@ -1,5 +1,3 @@
-//go:build !js
-
 package netstack
 
 import (

client/iface/netstack/env_js.go

@@ -1,12 +0,0 @@
-package netstack
-
-const EnvUseNetstackMode = "NB_USE_NETSTACK_MODE"
-
-// IsEnabled always returns true for js since it's the only mode available
-func IsEnabled() bool {
-	return true
-}
-
-func ListenAddr() string {
-	return ""
-}

client/iface/udpmux/doc.go

@@ -1,64 +0,0 @@
-// Package udpmux provides a custom implementation of a UDP multiplexer
-// that allows multiple logical ICE connections to share a single underlying
-// UDP socket. This is based on Pion's ICE library, with modifications for
-// NetBird's requirements.
-//
-// # Background
-//
-// In WebRTC and NAT traversal scenarios, ICE (Interactive Connectivity
-// Establishment) is responsible for discovering candidate network paths
-// and maintaining connectivity between peers. Each ICE connection
-// normally requires a dedicated UDP socket. However, using one socket
-// per candidate can be inefficient and difficult to manage.
-//
-// This package introduces SingleSocketUDPMux, which allows multiple ICE
-// candidate connections (muxed connections) to share a single UDP socket.
-// It handles demultiplexing of packets based on ICE ufrag values, STUN
-// attributes, and candidate IDs.
-//
-// # Usage
-//
-// The typical flow is:
-//
-//  1. Create a UDP socket (net.PacketConn).
-//  2. Construct Params with the socket and optional logger/net stack.
-//  3. Call NewSingleSocketUDPMux(params).
-//  4. For each ICE candidate ufrag, call GetConn(ufrag, addr, candidateID)
-//     to obtain a logical PacketConn.
-//  5. Use the returned PacketConn just like a normal UDP connection.
-//
-// # STUN Message Routing Logic
-//
-//		When a STUN packet arrives, the mux decides which connection should
-//		receive it using this routing logic:
-//
-//		Primary Routing: Candidate Pair ID
-//		  - Extract the candidate pair ID from the STUN message using
-//		    ice.CandidatePairIDFromSTUN(msg)
-//	   - The target candidate is the locally generated candidate that
-//	     corresponds to the connection that should handle this STUN message
-//		  - If found, use the target candidate ID to lookup the specific
-//		    connection in candidateConnMap
-//		  - Route the message directly to that connection
-//
-//		Fallback Routing: Broadcasting
-//		  When candidate pair ID is not available or lookup fails:
-//		  - Collect connections from addressMap based on source address
-//		  - Find connection using username attribute (ufrag) from STUN message
-//		  - Remove duplicate connections from the list
-//		  - Send the STUN message to all collected connections
-//
-// # Peer Reflexive Candidate Discovery
-//
-//	When a remote peer sends a STUN message from an unknown source address
-//	(from a candidate that has not been exchanged via signal), the ICE
-//	library will:
-//	  - Generate a new peer reflexive candidate for this source address
-//	  - Extract or assign a candidate ID based on the STUN message attributes
-//	  - Create a mapping between the new peer reflexive candidate ID and
-//	    the appropriate local connection
-//
-//	This discovery mechanism ensures that STUN messages from newly discovered
-//	peer reflexive candidates can be properly routed to the correct local
-//	connection without requiring fallback broadcasting.
-package udpmux

client/iface/udpmux/mux_ios.go

@@ -1,7 +0,0 @@
-//go:build ios
-
-package udpmux
-
-func (m *SingleSocketUDPMux) notifyAddressRemoval(addr string) {
-	// iOS doesn't support nbnet hooks, so this is a no-op
-}

client/iface/wgproxy/bind/proxy.go

@@ -16,38 +16,28 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 
-type Bind interface {
-	SetEndpoint(addr netip.Addr, conn net.Conn)
-	RemoveEndpoint(addr netip.Addr)
-	ReceiveFromEndpoint(ctx context.Context, ep *bind.Endpoint, buf []byte)
-}
-
 type ProxyBind struct {
-	bind Bind
+	Bind *bind.ICEBind
 
-	// wgRelayedEndpoint is a fake address that generated by the Bind.SetEndpoint based on the remote NetBird peer address
-	wgRelayedEndpoint *bind.Endpoint
-	wgCurrentUsed     *bind.Endpoint
-	remoteConn        net.Conn
-	ctx               context.Context
-	cancel            context.CancelFunc
-	closeMu           sync.Mutex
-	closed            bool
+	fakeNetIP      *netip.AddrPort
+	wgBindEndpoint *bind.Endpoint
+	remoteConn     net.Conn
+	ctx            context.Context
+	cancel         context.CancelFunc
+	closeMu        sync.Mutex
+	closed         bool
 
-	paused     bool
-	pausedCond *sync.Cond
-	isStarted  bool
+	pausedMu  sync.Mutex
+	paused    bool
+	isStarted bool
 
 	closeListener *listener.CloseListener
-	mtu           uint16
 }
 
-func NewProxyBind(bind Bind, mtu uint16) *ProxyBind {
+func NewProxyBind(bind *bind.ICEBind) *ProxyBind {
 	p := &ProxyBind{
-		bind:          bind,
+		Bind:          bind,
 		closeListener: listener.NewCloseListener(),
-		pausedCond:    sync.NewCond(&sync.Mutex{}),
-		mtu:           mtu + bufsize.WGBufferOverhead,
 	}
 
 	return p
@@ -56,25 +46,25 @@ func NewProxyBind(bind Bind, mtu uint16) *ProxyBind {
 // AddTurnConn adds a new connection to the bind.
 // endpoint is the NetBird address of the remote peer. The SetEndpoint return with the address what will be used in the
 // WireGuard configuration.
-//
-// Parameters:
-//   - ctx: Context is used for proxyToLocal to avoid unnecessary error messages
-//   - nbAddr: The NetBird UDP address of the remote peer, it required to generate fake address
-//   - remoteConn: The established TURN connection to the remote peer
 func (p *ProxyBind) AddTurnConn(ctx context.Context, nbAddr *net.UDPAddr, remoteConn net.Conn) error {
 	fakeNetIP, err := fakeAddress(nbAddr)
 	if err != nil {
 		return err
 	}
-	p.wgRelayedEndpoint = &bind.Endpoint{AddrPort: *fakeNetIP}
+
+	p.fakeNetIP = fakeNetIP
+	p.wgBindEndpoint = &bind.Endpoint{AddrPort: *fakeNetIP}
 	p.remoteConn = remoteConn
 	p.ctx, p.cancel = context.WithCancel(ctx)
 	return nil
 
 }
-
 func (p *ProxyBind) EndpointAddr() *net.UDPAddr {
-	return bind.EndpointToUDPAddr(*p.wgRelayedEndpoint)
+	return &net.UDPAddr{
+		IP:   p.fakeNetIP.Addr().AsSlice(),
+		Port: int(p.fakeNetIP.Port()),
+		Zone: p.fakeNetIP.Addr().Zone(),
+	}
 }
 
 func (p *ProxyBind) SetDisconnectListener(disconnected func()) {
@@ -86,21 +76,17 @@ func (p *ProxyBind) Work() {
 		return
 	}
 
-	p.bind.SetEndpoint(p.wgRelayedEndpoint.Addr(), p.remoteConn)
+	p.Bind.SetEndpoint(p.fakeNetIP.Addr(), p.remoteConn)
 
-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = false
-
-	p.wgCurrentUsed = p.wgRelayedEndpoint
+	p.pausedMu.Unlock()
 
 	// Start the proxy only once
 	if !p.isStarted {
 		p.isStarted = true
 		go p.proxyToLocal(p.ctx)
 	}
-
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
 }
 
 func (p *ProxyBind) Pause() {
@@ -108,25 +94,9 @@ func (p *ProxyBind) Pause() {
 		return
 	}
 
-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = true
-	p.pausedCond.L.Unlock()
-}
-
-func (p *ProxyBind) RedirectAs(endpoint *net.UDPAddr) {
-	p.pausedCond.L.Lock()
-	p.paused = false
-
-	p.wgCurrentUsed = addrToEndpoint(endpoint)
-
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
-}
-
-func addrToEndpoint(addr *net.UDPAddr) *bind.Endpoint {
-	ip, _ := netip.AddrFromSlice(addr.IP.To4())
-	addrPort := netip.AddrPortFrom(ip, uint16(addr.Port))
-	return &bind.Endpoint{AddrPort: addrPort}
+	p.pausedMu.Unlock()
 }
 
 func (p *ProxyBind) CloseConn() error {
@@ -137,10 +107,6 @@ func (p *ProxyBind) CloseConn() error {
 }
 
 func (p *ProxyBind) close() error {
-	if p.remoteConn == nil {
-		return nil
-	}
-
 	p.closeMu.Lock()
 	defer p.closeMu.Unlock()
 
@@ -154,12 +120,7 @@ func (p *ProxyBind) close() error {
 
 	p.cancel()
 
-	p.pausedCond.L.Lock()
-	p.paused = false
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
-
-	p.bind.RemoveEndpoint(p.wgRelayedEndpoint.Addr())
+	p.Bind.RemoveEndpoint(p.fakeNetIP.Addr())
 
 	if rErr := p.remoteConn.Close(); rErr != nil && !errors.Is(rErr, net.ErrClosed) {
 		return rErr
@@ -175,7 +136,7 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 	}()
 
 	for {
-		buf := make([]byte, p.mtu)
+		buf := make([]byte, p.Bind.MTU()+bufsize.WGBufferOverhead)
 		n, err := p.remoteConn.Read(buf)
 		if err != nil {
 			if ctx.Err() != nil {
@@ -186,13 +147,18 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 			return
 		}
 
-		p.pausedCond.L.Lock()
-		for p.paused {
-			p.pausedCond.Wait()
+		p.pausedMu.Lock()
+		if p.paused {
+			p.pausedMu.Unlock()
+			continue
 		}
 
-		p.bind.ReceiveFromEndpoint(ctx, p.wgCurrentUsed, buf[:n])
-		p.pausedCond.L.Unlock()
+		msg := bind.RecvMessage{
+			Endpoint: p.wgBindEndpoint,
+			Buffer:   buf[:n],
+		}
+		p.Bind.RecvChan <- msg
+		p.pausedMu.Unlock()
 	}
 }
 

client/iface/wgproxy/ebpf/proxy.go

@@ -6,7 +6,9 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"os"
 	"sync"
+	"syscall"
 
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
@@ -16,20 +18,15 @@ import (
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/iface/bufsize"
-	"github.com/netbirdio/netbird/client/iface/wgproxy/rawsocket"
 	"github.com/netbirdio/netbird/client/internal/ebpf"
 	ebpfMgr "github.com/netbirdio/netbird/client/internal/ebpf/manager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 const (
 	loopbackAddr = "127.0.0.1"
 )
 
-var (
-	localHostNetIP = net.ParseIP("127.0.0.1")
-)
-
 // WGEBPFProxy definition for proxy with EBPF support
 type WGEBPFProxy struct {
 	localWGListenPort int
@@ -67,7 +64,7 @@ func (p *WGEBPFProxy) Listen() error {
 		return err
 	}
 
-	p.rawConn, err = rawsocket.PrepareSenderRawSocket()
+	p.rawConn, err = p.prepareSenderRawSocket()
 	if err != nil {
 		return err
 	}
@@ -217,17 +214,57 @@ generatePort:
 	return p.lastUsedPort, nil
 }
 
-func (p *WGEBPFProxy) sendPkg(data []byte, endpointAddr *net.UDPAddr) error {
+func (p *WGEBPFProxy) prepareSenderRawSocket() (net.PacketConn, error) {
+	// Create a raw socket.
+	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_RAW)
+	if err != nil {
+		return nil, fmt.Errorf("creating raw socket failed: %w", err)
+	}
+
+	// Set the IP_HDRINCL option on the socket to tell the kernel that headers are included in the packet.
+	err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_HDRINCL, 1)
+	if err != nil {
+		return nil, fmt.Errorf("setting IP_HDRINCL failed: %w", err)
+	}
+
+	// Bind the socket to the "lo" interface.
+	err = syscall.SetsockoptString(fd, syscall.SOL_SOCKET, syscall.SO_BINDTODEVICE, "lo")
+	if err != nil {
+		return nil, fmt.Errorf("binding to lo interface failed: %w", err)
+	}
+
+	// Set the fwmark on the socket.
+	err = nbnet.SetSocketOpt(fd)
+	if err != nil {
+		return nil, fmt.Errorf("setting fwmark failed: %w", err)
+	}
+
+	// Convert the file descriptor to a PacketConn.
+	file := os.NewFile(uintptr(fd), fmt.Sprintf("fd %d", fd))
+	if file == nil {
+		return nil, fmt.Errorf("converting fd to file failed")
+	}
+	packetConn, err := net.FilePacketConn(file)
+	if err != nil {
+		return nil, fmt.Errorf("converting file to packet conn failed: %w", err)
+	}
+
+	return packetConn, nil
+}
+
+func (p *WGEBPFProxy) sendPkg(data []byte, port int) error {
+	localhost := net.ParseIP("127.0.0.1")
+
 	payload := gopacket.Payload(data)
 	ipH := &layers.IPv4{
-		DstIP:    localHostNetIP,
-		SrcIP:    endpointAddr.IP,
+		DstIP:    localhost,
+		SrcIP:    localhost,
 		Version:  4,
 		TTL:      64,
 		Protocol: layers.IPProtocolUDP,
 	}
 	udpH := &layers.UDP{
-		SrcPort: layers.UDPPort(endpointAddr.Port),
+		SrcPort: layers.UDPPort(port),
 		DstPort: layers.UDPPort(p.localWGListenPort),
 	}
 
@@ -242,7 +279,7 @@ func (p *WGEBPFProxy) sendPkg(data []byte, endpointAddr *net.UDPAddr) error {
 	if err != nil {
 		return fmt.Errorf("serialize layers: %w", err)
 	}
-	if _, err = p.rawConn.WriteTo(layerBuffer.Bytes(), &net.IPAddr{IP: localHostNetIP}); err != nil {
+	if _, err = p.rawConn.WriteTo(layerBuffer.Bytes(), &net.IPAddr{IP: localhost}); err != nil {
 		return fmt.Errorf("write to raw conn: %w", err)
 	}
 	return nil

client/iface/wgproxy/ebpf/wrapper.go

@@ -18,42 +18,41 @@ import (
 
 // ProxyWrapper help to keep the remoteConn instance for net.Conn.Close function call
 type ProxyWrapper struct {
-	wgeBPFProxy *WGEBPFProxy
+	WgeBPFProxy *WGEBPFProxy
 
 	remoteConn net.Conn
 	ctx        context.Context
 	cancel     context.CancelFunc
 
-	wgRelayedEndpointAddr     *net.UDPAddr
-	wgEndpointCurrentUsedAddr *net.UDPAddr
+	wgEndpointAddr *net.UDPAddr
 
-	paused     bool
-	pausedCond *sync.Cond
-	isStarted  bool
+	pausedMu  sync.Mutex
+	paused    bool
+	isStarted bool
 
 	closeListener *listener.CloseListener
 }
 
-func NewProxyWrapper(proxy *WGEBPFProxy) *ProxyWrapper {
+func NewProxyWrapper(WgeBPFProxy *WGEBPFProxy) *ProxyWrapper {
 	return &ProxyWrapper{
-		wgeBPFProxy:   proxy,
-		pausedCond:    sync.NewCond(&sync.Mutex{}),
+		WgeBPFProxy:   WgeBPFProxy,
 		closeListener: listener.NewCloseListener(),
 	}
 }
+
 func (p *ProxyWrapper) AddTurnConn(ctx context.Context, endpoint *net.UDPAddr, remoteConn net.Conn) error {
-	addr, err := p.wgeBPFProxy.AddTurnConn(remoteConn)
+	addr, err := p.WgeBPFProxy.AddTurnConn(remoteConn)
 	if err != nil {
 		return fmt.Errorf("add turn conn: %w", err)
 	}
 	p.remoteConn = remoteConn
 	p.ctx, p.cancel = context.WithCancel(ctx)
-	p.wgRelayedEndpointAddr = addr
+	p.wgEndpointAddr = addr
 	return err
 }
 
 func (p *ProxyWrapper) EndpointAddr() *net.UDPAddr {
-	return p.wgRelayedEndpointAddr
+	return p.wgEndpointAddr
 }
 
 func (p *ProxyWrapper) SetDisconnectListener(disconnected func()) {
@@ -65,18 +64,14 @@ func (p *ProxyWrapper) Work() {
 		return
 	}
 
-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = false
-
-	p.wgEndpointCurrentUsedAddr = p.wgRelayedEndpointAddr
+	p.pausedMu.Unlock()
 
 	if !p.isStarted {
 		p.isStarted = true
 		go p.proxyToLocal(p.ctx)
 	}
-
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
 }
 
 func (p *ProxyWrapper) Pause() {
@@ -85,59 +80,45 @@ func (p *ProxyWrapper) Pause() {
 	}
 
 	log.Tracef("pause proxy reading from: %s", p.remoteConn.RemoteAddr())
-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = true
-	p.pausedCond.L.Unlock()
-}
-
-func (p *ProxyWrapper) RedirectAs(endpoint *net.UDPAddr) {
-	p.pausedCond.L.Lock()
-	p.paused = false
-
-	p.wgEndpointCurrentUsedAddr = endpoint
-
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
+	p.pausedMu.Unlock()
 }
 
 // CloseConn close the remoteConn and automatically remove the conn instance from the map
-func (p *ProxyWrapper) CloseConn() error {
-	if p.cancel == nil {
+func (e *ProxyWrapper) CloseConn() error {
+	if e.cancel == nil {
 		return fmt.Errorf("proxy not started")
 	}
 
-	p.cancel()
+	e.cancel()
 
-	p.closeListener.SetCloseListener(nil)
+	e.closeListener.SetCloseListener(nil)
 
-	p.pausedCond.L.Lock()
-	p.paused = false
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
-
-	if err := p.remoteConn.Close(); err != nil && !errors.Is(err, net.ErrClosed) {
-		return fmt.Errorf("failed to close remote conn: %w", err)
+	if err := e.remoteConn.Close(); err != nil && !errors.Is(err, net.ErrClosed) {
+		return fmt.Errorf("close remote conn: %w", err)
 	}
 	return nil
 }
 
 func (p *ProxyWrapper) proxyToLocal(ctx context.Context) {
-	defer p.wgeBPFProxy.removeTurnConn(uint16(p.wgRelayedEndpointAddr.Port))
+	defer p.WgeBPFProxy.removeTurnConn(uint16(p.wgEndpointAddr.Port))
 
-	buf := make([]byte, p.wgeBPFProxy.mtu+bufsize.WGBufferOverhead)
+	buf := make([]byte, p.WgeBPFProxy.mtu+bufsize.WGBufferOverhead)
 	for {
 		n, err := p.readFromRemote(ctx, buf)
 		if err != nil {
 			return
 		}
 
-		p.pausedCond.L.Lock()
-		for p.paused {
-			p.pausedCond.Wait()
+		p.pausedMu.Lock()
+		if p.paused {
+			p.pausedMu.Unlock()
+			continue
 		}
 
-		err = p.wgeBPFProxy.sendPkg(buf[:n], p.wgEndpointCurrentUsedAddr)
-		p.pausedCond.L.Unlock()
+		err = p.WgeBPFProxy.sendPkg(buf[:n], p.wgEndpointAddr.Port)
+		p.pausedMu.Unlock()
 
 		if err != nil {
 			if ctx.Err() != nil {
@@ -156,7 +137,7 @@ func (p *ProxyWrapper) readFromRemote(ctx context.Context, buf []byte) (int, err
 		}
 		p.closeListener.Notify()
 		if !errors.Is(err, io.EOF) {
-			log.Errorf("failed to read from turn conn (endpoint: :%d): %s", p.wgRelayedEndpointAddr.Port, err)
+			log.Errorf("failed to read from turn conn (endpoint: :%d): %s", p.wgEndpointAddr.Port, err)
 		}
 		return 0, err
 	}

client/iface/wgproxy/factory_kernel.go

@@ -39,6 +39,7 @@ func (w *KernelFactory) GetProxy() Proxy {
 	}
 
 	return ebpf.NewProxyWrapper(w.ebpfProxy)
+
 }
 
 func (w *KernelFactory) Free() error {

client/iface/wgproxy/factory_kernel_freebsd.go

@@ -0,0 +1,31 @@
+package wgproxy
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	udpProxy "github.com/netbirdio/netbird/client/iface/wgproxy/udp"
+)
+
+// KernelFactory todo: check eBPF support on FreeBSD
+type KernelFactory struct {
+	wgPort int
+	mtu    uint16
+}
+
+func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
+	log.Infof("WireGuard Proxy Factory will produce UDP proxy")
+	f := &KernelFactory{
+		wgPort: wgPort,
+		mtu:    mtu,
+	}
+
+	return f
+}
+
+func (w *KernelFactory) GetProxy() Proxy {
+	return udpProxy.NewWGUDPProxy(w.wgPort, w.mtu)
+}
+
+func (w *KernelFactory) Free() error {
+	return nil
+}

client/iface/wgproxy/factory_usp.go

@@ -3,25 +3,24 @@ package wgproxy
 import (
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/client/iface/bind"
 	proxyBind "github.com/netbirdio/netbird/client/iface/wgproxy/bind"
 )
 
 type USPFactory struct {
-	bind proxyBind.Bind
-	mtu  uint16
+	bind *bind.ICEBind
 }
 
-func NewUSPFactory(bind proxyBind.Bind, mtu uint16) *USPFactory {
+func NewUSPFactory(iceBind *bind.ICEBind) *USPFactory {
 	log.Infof("WireGuard Proxy Factory will produce bind proxy")
 	f := &USPFactory{
-		bind: bind,
-		mtu:  mtu,
+		bind: iceBind,
 	}
 	return f
 }
 
 func (w *USPFactory) GetProxy() Proxy {
-	return proxyBind.NewProxyBind(w.bind, w.mtu)
+	return proxyBind.NewProxyBind(w.bind)
 }
 
 func (w *USPFactory) Free() error {

client/iface/wgproxy/proxy.go

@@ -11,11 +11,6 @@ type Proxy interface {
 	EndpointAddr() *net.UDPAddr // EndpointAddr returns the address of the WireGuard peer endpoint
 	Work()                      // Work start or resume the proxy
 	Pause()                     // Pause to forward the packages from remote connection to WireGuard. The opposite way still works.
-
-	//RedirectAs resume the forwarding the packages from relayed connection to WireGuard interface if it was paused
-	//and rewrite the src address to the endpoint address.
-	//With this logic can avoid the package loss from relayed connections.
-	RedirectAs(endpoint *net.UDPAddr)
 	CloseConn() error
 	SetDisconnectListener(disconnected func())
 }

client/iface/wgproxy/proxy_linux_test.go

@@ -3,82 +3,54 @@
 package wgproxy
 
 import (
-	"fmt"
-	"net"
+	"context"
+	"os"
+	"testing"
 
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	bindproxy "github.com/netbirdio/netbird/client/iface/wgproxy/bind"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/ebpf"
-	"github.com/netbirdio/netbird/client/iface/wgproxy/udp"
 )
 
-func seedProxies() ([]proxyInstance, error) {
-	pl := make([]proxyInstance, 0)
+func TestProxyCloseByRemoteConnEBPF(t *testing.T) {
+	if os.Getenv("GITHUB_ACTIONS") != "true" {
+		t.Skip("Skipping test as it requires root privileges")
+	}
+	ctx := context.Background()
 
 	ebpfProxy := ebpf.NewWGEBPFProxy(51831, 1280)
 	if err := ebpfProxy.Listen(); err != nil {
-		return nil, fmt.Errorf("failed to initialize ebpf proxy: %s", err)
+		t.Fatalf("failed to initialize ebpf proxy: %s", err)
 	}
 
-	pEbpf := proxyInstance{
-		name:    "ebpf kernel proxy",
-		proxy:   ebpf.NewProxyWrapper(ebpfProxy),
-		wgPort:  51831,
-		closeFn: ebpfProxy.Free,
-	}
-	pl = append(pl, pEbpf)
+	defer func() {
+		if err := ebpfProxy.Free(); err != nil {
+			t.Errorf("failed to free ebpf proxy: %s", err)
+		}
+	}()
 
-	pUDP := proxyInstance{
-		name:    "udp kernel proxy",
-		proxy:   udp.NewWGUDPProxy(51832, 1280),
-		wgPort:  51832,
-		closeFn: func() error { return nil },
+	tests := []struct {
+		name  string
+		proxy Proxy
+	}{
+		{
+			name: "ebpf proxy",
+			proxy: &ebpf.ProxyWrapper{
+				WgeBPFProxy: ebpfProxy,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			relayedConn := newMockConn()
+			err := tt.proxy.AddTurnConn(ctx, nil, relayedConn)
+			if err != nil {
+				t.Errorf("error: %v", err)
+			}
+
+			_ = relayedConn.Close()
+			if err := tt.proxy.CloseConn(); err != nil {
+				t.Errorf("error: %v", err)
+			}
+		})
 	}
-	pl = append(pl, pUDP)
-	return pl, nil
-}
-
-func seedProxyForProxyCloseByRemoteConn() ([]proxyInstance, error) {
-	pl := make([]proxyInstance, 0)
-
-	ebpfProxy := ebpf.NewWGEBPFProxy(51831, 1280)
-	if err := ebpfProxy.Listen(); err != nil {
-		return nil, fmt.Errorf("failed to initialize ebpf proxy: %s", err)
-	}
-
-	pEbpf := proxyInstance{
-		name:    "ebpf kernel proxy",
-		proxy:   ebpf.NewProxyWrapper(ebpfProxy),
-		wgPort:  51831,
-		closeFn: ebpfProxy.Free,
-	}
-	pl = append(pl, pEbpf)
-
-	pUDP := proxyInstance{
-		name:    "udp kernel proxy",
-		proxy:   udp.NewWGUDPProxy(51832, 1280),
-		wgPort:  51832,
-		closeFn: func() error { return nil },
-	}
-	pl = append(pl, pUDP)
-	wgAddress, err := wgaddr.ParseWGAddress("10.0.0.1/32")
-	if err != nil {
-		return nil, err
-	}
-	iceBind := bind.NewICEBind(nil, nil, wgAddress, 1280)
-	endpointAddress := &net.UDPAddr{
-		IP:   net.IPv4(10, 0, 0, 1),
-		Port: 1234,
-	}
-
-	pBind := proxyInstance{
-		name:         "bind proxy",
-		proxy:        bindproxy.NewProxyBind(iceBind, 0),
-		endpointAddr: endpointAddress,
-		closeFn:      func() error { return nil },
-	}
-	pl = append(pl, pBind)
-
-	return pl, nil
 }

client/iface/wgproxy/proxy_seed_test.go

@@ -1,39 +0,0 @@
-//go:build !linux
-
-package wgproxy
-
-import (
-	"net"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	bindproxy "github.com/netbirdio/netbird/client/iface/wgproxy/bind"
-)
-
-func seedProxies() ([]proxyInstance, error) {
-	// todo extend with Bind proxy
-	pl := make([]proxyInstance, 0)
-	return pl, nil
-}
-
-func seedProxyForProxyCloseByRemoteConn() ([]proxyInstance, error) {
-	pl := make([]proxyInstance, 0)
-	wgAddress, err := wgaddr.ParseWGAddress("10.0.0.1/32")
-	if err != nil {
-		return nil, err
-	}
-	iceBind := bind.NewICEBind(nil, nil, wgAddress, 1280)
-	endpointAddress := &net.UDPAddr{
-		IP:   net.IPv4(10, 0, 0, 1),
-		Port: 1234,
-	}
-
-	pBind := proxyInstance{
-		name:         "bind proxy",
-		proxy:        bindproxy.NewProxyBind(iceBind, 0),
-		endpointAddr: endpointAddress,
-		closeFn:      func() error { return nil },
-	}
-	pl = append(pl, pBind)
-	return pl, nil
-}

client/iface/wgproxy/proxy_test.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package wgproxy
 
 import (
@@ -5,9 +7,12 @@ import (
 	"io"
 	"net"
 	"os"
+	"runtime"
 	"testing"
 	"time"
 
+	"github.com/netbirdio/netbird/client/iface/wgproxy/ebpf"
+	udpProxy "github.com/netbirdio/netbird/client/iface/wgproxy/udp"
 	"github.com/netbirdio/netbird/util"
 )
 
@@ -17,14 +22,6 @@ func TestMain(m *testing.M) {
 	os.Exit(code)
 }
 
-type proxyInstance struct {
-	name         string
-	proxy        Proxy
-	wgPort       int
-	endpointAddr *net.UDPAddr
-	closeFn      func() error
-}
-
 type mocConn struct {
 	closeChan chan struct{}
 	closed    bool
@@ -81,21 +78,41 @@ func (m *mocConn) SetWriteDeadline(t time.Time) error {
 func TestProxyCloseByRemoteConn(t *testing.T) {
 	ctx := context.Background()
 
-	tests, err := seedProxyForProxyCloseByRemoteConn()
-	if err != nil {
-		t.Fatalf("error: %v", err)
+	tests := []struct {
+		name  string
+		proxy Proxy
+	}{
+		{
+			name:  "userspace proxy",
+			proxy: udpProxy.NewWGUDPProxy(51830, 1280),
+		},
 	}
 
-	relayedConn, _ := net.Dial("udp", "127.0.0.1:1234")
-	defer func() {
-		_ = relayedConn.Close()
-	}()
+	if runtime.GOOS == "linux" && os.Getenv("GITHUB_ACTIONS") != "true" {
+		ebpfProxy := ebpf.NewWGEBPFProxy(51831, 1280)
+		if err := ebpfProxy.Listen(); err != nil {
+			t.Fatalf("failed to initialize ebpf proxy: %s", err)
+		}
+		defer func() {
+			if err := ebpfProxy.Free(); err != nil {
+				t.Errorf("failed to free ebpf proxy: %s", err)
+			}
+		}()
+		proxyWrapper := ebpf.NewProxyWrapper(ebpfProxy)
+
+		tests = append(tests, struct {
+			name  string
+			proxy Proxy
+		}{
+			name:  "ebpf proxy",
+			proxy: proxyWrapper,
+		})
+	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			addr, _ := net.ResolveUDPAddr("udp", "100.108.135.221:51892")
 			relayedConn := newMockConn()
-			err := tt.proxy.AddTurnConn(ctx, addr, relayedConn)
+			err := tt.proxy.AddTurnConn(ctx, nil, relayedConn)
 			if err != nil {
 				t.Errorf("error: %v", err)
 			}
@@ -107,104 +124,3 @@ func TestProxyCloseByRemoteConn(t *testing.T) {
 		})
 	}
 }
-
-// TestProxyRedirect todo extend the proxies with Bind proxy
-func TestProxyRedirect(t *testing.T) {
-	tests, err := seedProxies()
-	if err != nil {
-		t.Fatalf("error: %v", err)
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			redirectTraffic(t, tt.proxy, tt.wgPort, tt.endpointAddr)
-			if err := tt.closeFn(); err != nil {
-				t.Errorf("error: %v", err)
-			}
-		})
-	}
-}
-
-func redirectTraffic(t *testing.T, proxy Proxy, wgPort int, endPointAddr *net.UDPAddr) {
-	t.Helper()
-
-	msgHelloFromRelay := []byte("hello from relay")
-	msgRedirected := [][]byte{
-		[]byte("hello 1. to p2p"),
-		[]byte("hello 2. to p2p"),
-		[]byte("hello 3. to p2p"),
-	}
-
-	dummyWgListener, err := net.ListenUDP("udp", &net.UDPAddr{
-		IP:   net.IPv4(127, 0, 0, 1),
-		Port: wgPort})
-	if err != nil {
-		t.Fatalf("failed to listen on udp port: %s", err)
-	}
-
-	relayedServer, _ := net.ListenUDP("udp",
-		&net.UDPAddr{
-			IP:   net.IPv4(127, 0, 0, 1),
-			Port: 1234,
-		},
-	)
-
-	relayedConn, _ := net.Dial("udp", "127.0.0.1:1234")
-
-	defer func() {
-		_ = dummyWgListener.Close()
-		_ = relayedConn.Close()
-		_ = relayedServer.Close()
-	}()
-
-	if err := proxy.AddTurnConn(context.Background(), endPointAddr, relayedConn); err != nil {
-		t.Errorf("error: %v", err)
-	}
-	defer func() {
-		if err := proxy.CloseConn(); err != nil {
-			t.Errorf("error: %v", err)
-		}
-	}()
-
-	proxy.Work()
-
-	if _, err := relayedServer.WriteTo(msgHelloFromRelay, relayedConn.LocalAddr()); err != nil {
-		t.Errorf("error relayedServer.Write(msgHelloFromRelay): %v", err)
-	}
-
-	n, err := dummyWgListener.Read(make([]byte, 1024))
-	if err != nil {
-		t.Errorf("error: %v", err)
-	}
-
-	if n != len(msgHelloFromRelay) {
-		t.Errorf("expected %d bytes, got %d", len(msgHelloFromRelay), n)
-	}
-
-	p2pEndpointAddr := &net.UDPAddr{
-		IP:   net.IPv4(192, 168, 0, 56),
-		Port: 1234,
-	}
-	proxy.RedirectAs(p2pEndpointAddr)
-
-	for _, msg := range msgRedirected {
-		if _, err := relayedServer.WriteTo(msg, relayedConn.LocalAddr()); err != nil {
-			t.Errorf("error: %v", err)
-		}
-	}
-
-	for i := 0; i < len(msgRedirected); i++ {
-		buf := make([]byte, 1024)
-		n, rAddr, err := dummyWgListener.ReadFrom(buf)
-		if err != nil {
-			t.Errorf("error: %v", err)
-		}
-
-		if rAddr.String() != p2pEndpointAddr.String() {
-			t.Errorf("expected %s, got %s", p2pEndpointAddr.String(), rAddr.String())
-		}
-		if string(buf[:n]) != string(msgRedirected[i]) {
-			t.Errorf("expected %s, got %s", string(msgRedirected[i]), string(buf[:n]))
-		}
-	}
-}

client/iface/wgproxy/rawsocket/rawsocket.go

@@ -1,50 +0,0 @@
-//go:build linux && !android
-
-package rawsocket
-
-import (
-	"fmt"
-	"net"
-	"os"
-	"syscall"
-
-	nbnet "github.com/netbirdio/netbird/client/net"
-)
-
-func PrepareSenderRawSocket() (net.PacketConn, error) {
-	// Create a raw socket.
-	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_RAW)
-	if err != nil {
-		return nil, fmt.Errorf("creating raw socket failed: %w", err)
-	}
-
-	// Set the IP_HDRINCL option on the socket to tell the kernel that headers are included in the packet.
-	err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_HDRINCL, 1)
-	if err != nil {
-		return nil, fmt.Errorf("setting IP_HDRINCL failed: %w", err)
-	}
-
-	// Bind the socket to the "lo" interface.
-	err = syscall.SetsockoptString(fd, syscall.SOL_SOCKET, syscall.SO_BINDTODEVICE, "lo")
-	if err != nil {
-		return nil, fmt.Errorf("binding to lo interface failed: %w", err)
-	}
-
-	// Set the fwmark on the socket.
-	err = nbnet.SetSocketOpt(fd)
-	if err != nil {
-		return nil, fmt.Errorf("setting fwmark failed: %w", err)
-	}
-
-	// Convert the file descriptor to a PacketConn.
-	file := os.NewFile(uintptr(fd), fmt.Sprintf("fd %d", fd))
-	if file == nil {
-		return nil, fmt.Errorf("converting fd to file failed")
-	}
-	packetConn, err := net.FilePacketConn(file)
-	if err != nil {
-		return nil, fmt.Errorf("converting file to packet conn failed: %w", err)
-	}
-
-	return packetConn, nil
-}

client/iface/wgproxy/udp/proxy.go

@@ -1,5 +1,3 @@
-//go:build linux && !android
-
 package udp
 
 import (
@@ -23,18 +21,16 @@ type WGUDPProxy struct {
 	localWGListenPort int
 	mtu               uint16
 
-	remoteConn   net.Conn
-	localConn    net.Conn
-	srcFakerConn *SrcFaker
-	sendPkg      func(data []byte) (int, error)
-	ctx          context.Context
-	cancel       context.CancelFunc
-	closeMu      sync.Mutex
-	closed       bool
+	remoteConn net.Conn
+	localConn  net.Conn
+	ctx        context.Context
+	cancel     context.CancelFunc
+	closeMu    sync.Mutex
+	closed     bool
 
-	paused     bool
-	pausedCond *sync.Cond
-	isStarted  bool
+	pausedMu  sync.Mutex
+	paused    bool
+	isStarted bool
 
 	closeListener *listener.CloseListener
 }
@@ -45,7 +41,6 @@ func NewWGUDPProxy(wgPort int, mtu uint16) *WGUDPProxy {
 	p := &WGUDPProxy{
 		localWGListenPort: wgPort,
 		mtu:               mtu,
-		pausedCond:        sync.NewCond(&sync.Mutex{}),
 		closeListener:     listener.NewCloseListener(),
 	}
 	return p
@@ -66,7 +61,6 @@ func (p *WGUDPProxy) AddTurnConn(ctx context.Context, endpoint *net.UDPAddr, rem
 
 	p.ctx, p.cancel = context.WithCancel(ctx)
 	p.localConn = localConn
-	p.sendPkg = p.localConn.Write
 	p.remoteConn = remoteConn
 
 	return err
@@ -90,24 +84,15 @@ func (p *WGUDPProxy) Work() {
 		return
 	}
 
-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = false
-	p.sendPkg = p.localConn.Write
-
-	if p.srcFakerConn != nil {
-		if err := p.srcFakerConn.Close(); err != nil {
-			log.Errorf("failed to close src faker conn: %s", err)
-		}
-		p.srcFakerConn = nil
-	}
+	p.pausedMu.Unlock()
 
 	if !p.isStarted {
 		p.isStarted = true
 		go p.proxyToRemote(p.ctx)
 		go p.proxyToLocal(p.ctx)
 	}
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
 }
 
 // Pause pauses the proxy from receiving data from the remote peer
@@ -116,35 +101,9 @@ func (p *WGUDPProxy) Pause() {
 		return
 	}
 
-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = true
-	p.pausedCond.L.Unlock()
-}
-
-// RedirectAs start to use the fake sourced raw socket as package sender
-func (p *WGUDPProxy) RedirectAs(endpoint *net.UDPAddr) {
-	p.pausedCond.L.Lock()
-	defer func() {
-		p.pausedCond.Signal()
-		p.pausedCond.L.Unlock()
-	}()
-
-	p.paused = false
-	if p.srcFakerConn != nil {
-		if err := p.srcFakerConn.Close(); err != nil {
-			log.Errorf("failed to close src faker conn: %s", err)
-		}
-		p.srcFakerConn = nil
-	}
-	srcFakerConn, err := NewSrcFaker(p.localWGListenPort, endpoint)
-	if err != nil {
-		log.Errorf("failed to create src faker conn: %s", err)
-		// fallback to continue without redirecting
-		p.paused = true
-		return
-	}
-	p.srcFakerConn = srcFakerConn
-	p.sendPkg = p.srcFakerConn.SendPkg
+	p.pausedMu.Unlock()
 }
 
 // CloseConn close the localConn
@@ -156,8 +115,6 @@ func (p *WGUDPProxy) CloseConn() error {
 }
 
 func (p *WGUDPProxy) close() error {
-	var result *multierror.Error
-
 	p.closeMu.Lock()
 	defer p.closeMu.Unlock()
 
@@ -171,11 +128,7 @@ func (p *WGUDPProxy) close() error {
 
 	p.cancel()
 
-	p.pausedCond.L.Lock()
-	p.paused = false
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
-
+	var result *multierror.Error
 	if err := p.remoteConn.Close(); err != nil && !errors.Is(err, net.ErrClosed) {
 		result = multierror.Append(result, fmt.Errorf("remote conn: %s", err))
 	}
@@ -183,13 +136,6 @@ func (p *WGUDPProxy) close() error {
 	if err := p.localConn.Close(); err != nil {
 		result = multierror.Append(result, fmt.Errorf("local conn: %s", err))
 	}
-
-	if p.srcFakerConn != nil {
-		if err := p.srcFakerConn.Close(); err != nil {
-			result = multierror.Append(result, fmt.Errorf("src faker raw conn: %s", err))
-		}
-	}
-
 	return cerrors.FormatErrorOrNil(result)
 }
 
@@ -248,12 +194,14 @@ func (p *WGUDPProxy) proxyToLocal(ctx context.Context) {
 			return
 		}
 
-		p.pausedCond.L.Lock()
-		for p.paused {
-			p.pausedCond.Wait()
+		p.pausedMu.Lock()
+		if p.paused {
+			p.pausedMu.Unlock()
+			continue
 		}
-		_, err = p.sendPkg(buf[:n])
-		p.pausedCond.L.Unlock()
+
+		_, err = p.localConn.Write(buf[:n])
+		p.pausedMu.Unlock()
 
 		if err != nil {
 			if ctx.Err() != nil {

client/iface/wgproxy/udp/rawsocket.go

@@ -1,101 +0,0 @@
-//go:build linux && !android
-
-package udp
-
-import (
-	"fmt"
-	"net"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/iface/wgproxy/rawsocket"
-)
-
-var (
-	serializeOpts = gopacket.SerializeOptions{
-		ComputeChecksums: true,
-		FixLengths:       true,
-	}
-
-	localHostNetIPAddr = &net.IPAddr{
-		IP: net.ParseIP("127.0.0.1"),
-	}
-)
-
-type SrcFaker struct {
-	srcAddr *net.UDPAddr
-
-	rawSocket   net.PacketConn
-	ipH         gopacket.SerializableLayer
-	udpH        gopacket.SerializableLayer
-	layerBuffer gopacket.SerializeBuffer
-}
-
-func NewSrcFaker(dstPort int, srcAddr *net.UDPAddr) (*SrcFaker, error) {
-	rawSocket, err := rawsocket.PrepareSenderRawSocket()
-	if err != nil {
-		return nil, err
-	}
-
-	ipH, udpH, err := prepareHeaders(dstPort, srcAddr)
-	if err != nil {
-		return nil, err
-	}
-
-	f := &SrcFaker{
-		srcAddr:     srcAddr,
-		rawSocket:   rawSocket,
-		ipH:         ipH,
-		udpH:        udpH,
-		layerBuffer: gopacket.NewSerializeBuffer(),
-	}
-
-	return f, nil
-}
-
-func (f *SrcFaker) Close() error {
-	return f.rawSocket.Close()
-}
-
-func (f *SrcFaker) SendPkg(data []byte) (int, error) {
-	defer func() {
-		if err := f.layerBuffer.Clear(); err != nil {
-			log.Errorf("failed to clear layer buffer: %s", err)
-		}
-	}()
-
-	payload := gopacket.Payload(data)
-
-	err := gopacket.SerializeLayers(f.layerBuffer, serializeOpts, f.ipH, f.udpH, payload)
-	if err != nil {
-		return 0, fmt.Errorf("serialize layers: %w", err)
-	}
-	n, err := f.rawSocket.WriteTo(f.layerBuffer.Bytes(), localHostNetIPAddr)
-	if err != nil {
-		return 0, fmt.Errorf("write to raw conn: %w", err)
-	}
-	return n, nil
-}
-
-func prepareHeaders(dstPort int, srcAddr *net.UDPAddr) (gopacket.SerializableLayer, gopacket.SerializableLayer, error) {
-	ipH := &layers.IPv4{
-		DstIP:    net.ParseIP("127.0.0.1"),
-		SrcIP:    srcAddr.IP,
-		Version:  4,
-		TTL:      64,
-		Protocol: layers.IPProtocolUDP,
-	}
-	udpH := &layers.UDP{
-		SrcPort: layers.UDPPort(srcAddr.Port),
-		DstPort: layers.UDPPort(dstPort), // dst is the localhost WireGuard port
-	}
-
-	err := udpH.SetNetworkLayerForChecksum(ipH)
-	if err != nil {
-		return nil, nil, fmt.Errorf("set network layer for checksum: %w", err)
-	}
-
-	return ipH, udpH, nil
-}

client/internal/acl/manager.go

@@ -29,6 +29,11 @@ type Manager interface {
 	ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRouteFeatureFlag bool)
 }
 
+type protoMatch struct {
+	ips      map[string]int
+	policyID []byte
+}
+
 // DefaultManager uses firewall manager to handle
 type DefaultManager struct {
 	firewall       firewall.Manager
@@ -81,14 +86,21 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 }
 
 func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
-	rules := networkMap.FirewallRules
+	rules, squashedProtocols := d.squashAcceptRules(networkMap)
 
 	enableSSH := networkMap.PeerConfig != nil &&
 		networkMap.PeerConfig.SshConfig != nil &&
 		networkMap.PeerConfig.SshConfig.SshEnabled
+	if _, ok := squashedProtocols[mgmProto.RuleProtocol_ALL]; ok {
+		enableSSH = enableSSH && !ok
+	}
+	if _, ok := squashedProtocols[mgmProto.RuleProtocol_TCP]; ok {
+		enableSSH = enableSSH && !ok
+	}
 
-	// If SSH enabled, add default firewall rule which accepts connection to any peer
-	// in the network by SSH (TCP port defined by ssh.DefaultSSHPort).
+	// if TCP protocol rules not squashed and SSH enabled
+	// we add default firewall rule which accepts connection to any peer
+	// in the network by SSH (TCP 22 port).
 	if enableSSH {
 		rules = append(rules, &mgmProto.FirewallRule{
 			PeerIP:    "0.0.0.0",
@@ -356,6 +368,145 @@ func (d *DefaultManager) getPeerRuleID(
 	return id.RuleID(hex.EncodeToString(md5.New().Sum([]byte(idStr))))
 }
 
+// squashAcceptRules does complex logic to convert many rules which allows connection by traffic type
+// to all peers in the network map to one rule which just accepts that type of the traffic.
+//
+// NOTE: It will not squash two rules for same protocol if one covers all peers in the network,
+// but other has port definitions or has drop policy.
+func (d *DefaultManager) squashAcceptRules(
+	networkMap *mgmProto.NetworkMap,
+) ([]*mgmProto.FirewallRule, map[mgmProto.RuleProtocol]struct{}) {
+	totalIPs := 0
+	for _, p := range append(networkMap.RemotePeers, networkMap.OfflinePeers...) {
+		for range p.AllowedIps {
+			totalIPs++
+		}
+	}
+
+	in := map[mgmProto.RuleProtocol]*protoMatch{}
+	out := map[mgmProto.RuleProtocol]*protoMatch{}
+
+	// trace which type of protocols was squashed
+	squashedRules := []*mgmProto.FirewallRule{}
+	squashedProtocols := map[mgmProto.RuleProtocol]struct{}{}
+
+	// this function we use to do calculation, can we squash the rules by protocol or not.
+	// We summ amount of Peers IP for given protocol we found in original rules list.
+	// But we zeroed the IP's for protocol if:
+	// 1. Any of the rule has DROP action type.
+	// 2. Any of rule contains Port.
+	//
+	// We zeroed this to notify squash function that this protocol can't be squashed.
+	addRuleToCalculationMap := func(i int, r *mgmProto.FirewallRule, protocols map[mgmProto.RuleProtocol]*protoMatch) {
+		hasPortRestrictions := r.Action == mgmProto.RuleAction_DROP ||
+			r.Port != "" || !portInfoEmpty(r.PortInfo)
+
+		if hasPortRestrictions {
+			// Don't squash rules with port restrictions
+			protocols[r.Protocol] = &protoMatch{ips: map[string]int{}}
+			return
+		}
+
+		if _, ok := protocols[r.Protocol]; !ok {
+			protocols[r.Protocol] = &protoMatch{
+				ips: map[string]int{},
+				// store the first encountered PolicyID for this protocol
+				policyID: r.PolicyID,
+			}
+		}
+
+		// special case, when we receive this all network IP address
+		// it means that rules for that protocol was already optimized on the
+		// management side
+		if r.PeerIP == "0.0.0.0" {
+			squashedRules = append(squashedRules, r)
+			squashedProtocols[r.Protocol] = struct{}{}
+			return
+		}
+
+		ipset := protocols[r.Protocol].ips
+
+		if _, ok := ipset[r.PeerIP]; ok {
+			return
+		}
+		ipset[r.PeerIP] = i
+	}
+
+	for i, r := range networkMap.FirewallRules {
+		// calculate squash for different directions
+		if r.Direction == mgmProto.RuleDirection_IN {
+			addRuleToCalculationMap(i, r, in)
+		} else {
+			addRuleToCalculationMap(i, r, out)
+		}
+	}
+
+	// order of squashing by protocol is important
+	// only for their first element ALL, it must be done first
+	protocolOrders := []mgmProto.RuleProtocol{
+		mgmProto.RuleProtocol_ALL,
+		mgmProto.RuleProtocol_ICMP,
+		mgmProto.RuleProtocol_TCP,
+		mgmProto.RuleProtocol_UDP,
+	}
+
+	squash := func(matches map[mgmProto.RuleProtocol]*protoMatch, direction mgmProto.RuleDirection) {
+		for _, protocol := range protocolOrders {
+			match, ok := matches[protocol]
+			if !ok || len(match.ips) != totalIPs || len(match.ips) < 2 {
+				// don't squash if :
+				// 1. Rules not cover all peers in the network
+				// 2. Rules cover only one peer in the network.
+				continue
+			}
+
+			// add special rule 0.0.0.0 which allows all IP's in our firewall implementations
+			squashedRules = append(squashedRules, &mgmProto.FirewallRule{
+				PeerIP:    "0.0.0.0",
+				Direction: direction,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  protocol,
+				PolicyID:  match.policyID,
+			})
+			squashedProtocols[protocol] = struct{}{}
+
+			if protocol == mgmProto.RuleProtocol_ALL {
+				// if we have ALL traffic type squashed rule
+				// it allows all other type of traffic, so we can stop processing
+				break
+			}
+		}
+	}
+
+	squash(in, mgmProto.RuleDirection_IN)
+	squash(out, mgmProto.RuleDirection_OUT)
+
+	// if all protocol was squashed everything is allow and we can ignore all other rules
+	if _, ok := squashedProtocols[mgmProto.RuleProtocol_ALL]; ok {
+		return squashedRules, squashedProtocols
+	}
+
+	if len(squashedRules) == 0 {
+		return networkMap.FirewallRules, squashedProtocols
+	}
+
+	var rules []*mgmProto.FirewallRule
+	// filter out rules which was squashed from final list
+	// if we also have other not squashed rules.
+	for i, r := range networkMap.FirewallRules {
+		if _, ok := squashedProtocols[r.Protocol]; ok {
+			if m, ok := in[r.Protocol]; ok && m.ips[r.PeerIP] == i {
+				continue
+			} else if m, ok := out[r.Protocol]; ok && m.ips[r.PeerIP] == i {
+				continue
+			}
+		}
+		rules = append(rules, r)
+	}
+
+	return append(rules, squashedRules...), squashedProtocols
+}
+
 // getRuleGroupingSelector takes all rule properties except IP address to build selector
 func (d *DefaultManager) getRuleGroupingSelector(rule *mgmProto.FirewallRule) string {
 	return fmt.Sprintf("%v:%v:%v:%s:%v", strconv.Itoa(int(rule.Direction)), rule.Action, rule.Protocol, rule.Port, rule.PortInfo)

client/internal/acl/manager_test.go

@@ -188,6 +188,492 @@ func TestDefaultManagerStateless(t *testing.T) {
 	})
 }
 
+func TestDefaultManagerSquashRules(t *testing.T) {
+	networkMap := &mgmProto.NetworkMap{
+		RemotePeers: []*mgmProto.RemotePeerConfig{
+			{AllowedIps: []string{"10.93.0.1"}},
+			{AllowedIps: []string{"10.93.0.2"}},
+			{AllowedIps: []string{"10.93.0.3"}},
+			{AllowedIps: []string{"10.93.0.4"}},
+		},
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.4",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.4",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+		},
+	}
+
+	manager := &DefaultManager{}
+	rules, _ := manager.squashAcceptRules(networkMap)
+	assert.Equal(t, 2, len(rules))
+
+	r := rules[0]
+	assert.Equal(t, "0.0.0.0", r.PeerIP)
+	assert.Equal(t, mgmProto.RuleDirection_IN, r.Direction)
+	assert.Equal(t, mgmProto.RuleProtocol_ALL, r.Protocol)
+	assert.Equal(t, mgmProto.RuleAction_ACCEPT, r.Action)
+
+	r = rules[1]
+	assert.Equal(t, "0.0.0.0", r.PeerIP)
+	assert.Equal(t, mgmProto.RuleDirection_OUT, r.Direction)
+	assert.Equal(t, mgmProto.RuleProtocol_ALL, r.Protocol)
+	assert.Equal(t, mgmProto.RuleAction_ACCEPT, r.Action)
+}
+
+func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
+	networkMap := &mgmProto.NetworkMap{
+		RemotePeers: []*mgmProto.RemotePeerConfig{
+			{AllowedIps: []string{"10.93.0.1"}},
+			{AllowedIps: []string{"10.93.0.2"}},
+			{AllowedIps: []string{"10.93.0.3"}},
+			{AllowedIps: []string{"10.93.0.4"}},
+		},
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.4",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+			},
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.4",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_UDP,
+			},
+		},
+	}
+
+	manager := &DefaultManager{}
+	rules, _ := manager.squashAcceptRules(networkMap)
+	assert.Equal(t, len(networkMap.FirewallRules), len(rules))
+}
+
+func TestDefaultManagerSquashRulesWithPortRestrictions(t *testing.T) {
+	tests := []struct {
+		name          string
+		rules         []*mgmProto.FirewallRule
+		expectedCount int
+		description   string
+	}{
+		{
+			name: "should not squash rules with port ranges",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Range_{
+							Range: &mgmProto.PortInfo_Range{
+								Start: 8080,
+								End:   8090,
+							},
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Range_{
+							Range: &mgmProto.PortInfo_Range{
+								Start: 8080,
+								End:   8090,
+							},
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Range_{
+							Range: &mgmProto.PortInfo_Range{
+								Start: 8080,
+								End:   8090,
+							},
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Range_{
+							Range: &mgmProto.PortInfo_Range{
+								Start: 8080,
+								End:   8090,
+							},
+						},
+					},
+				},
+			},
+			expectedCount: 4,
+			description:   "Rules with port ranges should not be squashed even if they cover all peers",
+		},
+		{
+			name: "should not squash rules with specific ports",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+			},
+			expectedCount: 4,
+			description:   "Rules with specific ports should not be squashed even if they cover all peers",
+		},
+		{
+			name: "should not squash rules with legacy port field",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+			},
+			expectedCount: 4,
+			description:   "Rules with legacy port field should not be squashed",
+		},
+		{
+			name: "should not squash rules with DROP action",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_DROP,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_DROP,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_DROP,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_DROP,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+			},
+			expectedCount: 4,
+			description:   "Rules with DROP action should not be squashed",
+		},
+		{
+			name: "should squash rules without port restrictions",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+			},
+			expectedCount: 1,
+			description:   "Rules without port restrictions should be squashed into a single 0.0.0.0 rule",
+		},
+		{
+			name: "mixed rules should not squash protocol with port restrictions",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+			},
+			expectedCount: 4,
+			description:   "TCP should not be squashed because one rule has port restrictions",
+		},
+		{
+			name: "should squash UDP but not TCP when TCP has port restrictions",
+			rules: []*mgmProto.FirewallRule{
+				// TCP rules with port restrictions - should NOT be squashed
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				// UDP rules without port restrictions - SHOULD be squashed
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_UDP,
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_UDP,
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_UDP,
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_UDP,
+				},
+			},
+			expectedCount: 5, // 4 TCP rules + 1 squashed UDP rule (0.0.0.0)
+			description:   "UDP should be squashed to 0.0.0.0 rule, but TCP should remain as individual rules due to port restrictions",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			networkMap := &mgmProto.NetworkMap{
+				RemotePeers: []*mgmProto.RemotePeerConfig{
+					{AllowedIps: []string{"10.93.0.1"}},
+					{AllowedIps: []string{"10.93.0.2"}},
+					{AllowedIps: []string{"10.93.0.3"}},
+					{AllowedIps: []string{"10.93.0.4"}},
+				},
+				FirewallRules: tt.rules,
+			}
+
+			manager := &DefaultManager{}
+			rules, _ := manager.squashAcceptRules(networkMap)
+
+			assert.Equal(t, tt.expectedCount, len(rules), tt.description)
+
+			// For squashed rules, verify we get the expected 0.0.0.0 rule
+			if tt.expectedCount == 1 {
+				assert.Equal(t, "0.0.0.0", rules[0].PeerIP)
+				assert.Equal(t, mgmProto.RuleDirection_IN, rules[0].Direction)
+				assert.Equal(t, mgmProto.RuleAction_ACCEPT, rules[0].Action)
+			}
+		})
+	}
+}
+
 func TestPortInfoEmpty(t *testing.T) {
 	tests := []struct {
 		name     string

client/internal/connect.go

@@ -34,7 +34,7 @@ import (
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/util"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 	"github.com/netbirdio/netbird/version"
 )
 
@@ -280,12 +280,15 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			return wrapErr(err)
 		}
 
+
 		log.Infof("Netbird engine started, the IP is: %s", peerConfig.GetAddress())
 		state.Set(StatusConnected)
 
 		if runningChan != nil {
-			close(runningChan)
-			runningChan = nil
+			select {
+			case runningChan <- struct{}{}:
+			default:
+			}
 		}
 
 		<-engineCtx.Done()

client/internal/debug/wgshow.go

@@ -14,9 +14,6 @@ type WGIface interface {
 }
 
 func (g *BundleGenerator) addWgShow() error {
-	if g.statusRecorder == nil {
-		return fmt.Errorf("no status recorder available for wg show")
-	}
 	result, err := g.statusRecorder.PeersStatus()
 	if err != nil {
 		return err

client/internal/dns/host_windows.go

@@ -17,7 +17,6 @@ import (
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	"github.com/netbirdio/netbird/client/internal/winregistry"
 )
 
 var (
@@ -198,10 +197,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		matchDomains = append(matchDomains, "."+strings.TrimSuffix(dConf.Domain, "."))
 	}
 
-	if err := r.removeDNSMatchPolicies(); err != nil {
-		log.Errorf("cleanup old dns match policies: %s", err)
-	}
-
 	if len(matchDomains) != 0 {
 		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
 		if err != nil {
@@ -209,6 +204,9 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		}
 		r.nrptEntryCount = count
 	} else {
+		if err := r.removeDNSMatchPolicies(); err != nil {
+			return fmt.Errorf("remove dns match policies: %w", err)
+		}
 		r.nrptEntryCount = 0
 	}
 
@@ -242,19 +240,15 @@ func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr
 	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
 	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
 	for i, domain := range domains {
-		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
-		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
+		policyPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
+		if r.gpo {
+			policyPath = fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
+		}
 
 		singleDomain := []string{domain}
 
-		if err := r.configureDNSPolicy(localPath, singleDomain, ip); err != nil {
-			return i, fmt.Errorf("configure DNS Local policy for domain %s: %w", domain, err)
-		}
-
-		if r.gpo {
-			if err := r.configureDNSPolicy(gpoPath, singleDomain, ip); err != nil {
-				return i, fmt.Errorf("configure gpo DNS policy: %w", err)
-			}
+		if err := r.configureDNSPolicy(policyPath, singleDomain, ip); err != nil {
+			return i, fmt.Errorf("configure DNS policy for domain %s: %w", domain, err)
 		}
 
 		log.Debugf("added NRPT entry for domain: %s", domain)
@@ -275,9 +269,9 @@ func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []s
 		return fmt.Errorf("remove existing dns policy: %w", err)
 	}
 
-	regKey, _, err := winregistry.CreateVolatileKey(registry.LOCAL_MACHINE, policyPath, registry.SET_VALUE)
+	regKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, policyPath, registry.SET_VALUE)
 	if err != nil {
-		return fmt.Errorf("create volatile registry key HKEY_LOCAL_MACHINE\\%s: %w", policyPath, err)
+		return fmt.Errorf("create registry key HKEY_LOCAL_MACHINE\\%s: %w", policyPath, err)
 	}
 	defer closer(regKey)
 
@@ -407,7 +401,6 @@ func (r *registryConfigurator) removeDNSMatchPolicies() error {
 	if err := removeRegistryKeyFromDNSPolicyConfig(dnsPolicyConfigMatchPath); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("remove local base entry: %w", err))
 	}
-
 	if err := removeRegistryKeyFromDNSPolicyConfig(gpoDnsPolicyConfigMatchPath); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("remove GPO base entry: %w", err))
 	}
@@ -419,7 +412,6 @@ func (r *registryConfigurator) removeDNSMatchPolicies() error {
 		if err := removeRegistryKeyFromDNSPolicyConfig(localPath); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("remove local entry %d: %w", i, err))
 		}
-
 		if err := removeRegistryKeyFromDNSPolicyConfig(gpoPath); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("remove GPO entry %d: %w", i, err))
 		}

client/internal/dns/host_windows_test.go

@@ -1,102 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"net/netip"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/sys/windows/registry"
-)
-
-// TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
-// when the number of match domains decreases between configuration changes.
-func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping registry integration test in short mode")
-	}
-
-	defer cleanupRegistryKeys(t)
-	cleanupRegistryKeys(t)
-
-	testIP := netip.MustParseAddr("100.64.0.1")
-
-	// Create a test interface registry key so updateSearchDomains doesn't fail
-	testGUID := "{12345678-1234-1234-1234-123456789ABC}"
-	interfacePath := `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` + testGUID
-	testKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, interfacePath, registry.SET_VALUE)
-	require.NoError(t, err, "Should create test interface registry key")
-	testKey.Close()
-	defer func() {
-		_ = registry.DeleteKey(registry.LOCAL_MACHINE, interfacePath)
-	}()
-
-	cfg := &registryConfigurator{
-		guid: testGUID,
-		gpo:  false,
-	}
-
-	config5 := HostDNSConfig{
-		ServerIP: testIP,
-		Domains: []DomainConfig{
-			{Domain: "domain1.com", MatchOnly: true},
-			{Domain: "domain2.com", MatchOnly: true},
-			{Domain: "domain3.com", MatchOnly: true},
-			{Domain: "domain4.com", MatchOnly: true},
-			{Domain: "domain5.com", MatchOnly: true},
-		},
-	}
-
-	err = cfg.applyDNSConfig(config5, nil)
-	require.NoError(t, err)
-
-	// Verify all 5 entries exist
-	for i := 0; i < 5; i++ {
-		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-		require.NoError(t, err)
-		assert.True(t, exists, "Entry %d should exist after first config", i)
-	}
-
-	config2 := HostDNSConfig{
-		ServerIP: testIP,
-		Domains: []DomainConfig{
-			{Domain: "domain1.com", MatchOnly: true},
-			{Domain: "domain2.com", MatchOnly: true},
-		},
-	}
-
-	err = cfg.applyDNSConfig(config2, nil)
-	require.NoError(t, err)
-
-	// Verify first 2 entries exist
-	for i := 0; i < 2; i++ {
-		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-		require.NoError(t, err)
-		assert.True(t, exists, "Entry %d should exist after second config", i)
-	}
-
-	// Verify entries 2-4 are cleaned up
-	for i := 2; i < 5; i++ {
-		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-		require.NoError(t, err)
-		assert.False(t, exists, "Entry %d should NOT exist after reducing to 2 domains", i)
-	}
-}
-
-func registryKeyExists(path string) (bool, error) {
-	k, err := registry.OpenKey(registry.LOCAL_MACHINE, path, registry.QUERY_VALUE)
-	if err != nil {
-		if err == registry.ErrNotExist {
-			return false, nil
-		}
-		return false, err
-	}
-	k.Close()
-	return true, nil
-}
-
-func cleanupRegistryKeys(*testing.T) {
-	cfg := &registryConfigurator{nrptEntryCount: 10}
-	_ = cfg.removeDNSMatchPolicies()
-}

client/internal/dns/server_js.go

@@ -1,5 +0,0 @@
-package dns
-
-func (s *DefaultServer) initialize() (hostManager, error) {
-	return &noopHostConfigurator{}, nil
-}

client/internal/dns/service_memory.go

@@ -10,7 +10,7 @@ import (
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 type ServiceViaMemory struct {

client/internal/dns/systemd_linux.go

@@ -31,7 +31,6 @@ const (
 	systemdDbusSetDefaultRouteMethodSuffix = systemdDbusLinkInterface + ".SetDefaultRoute"
 	systemdDbusSetDomainsMethodSuffix      = systemdDbusLinkInterface + ".SetDomains"
 	systemdDbusSetDNSSECMethodSuffix       = systemdDbusLinkInterface + ".SetDNSSEC"
-	systemdDbusSetDNSOverTLSMethodSuffix   = systemdDbusLinkInterface + ".SetDNSOverTLS"
 	systemdDbusResolvConfModeForeign       = "foreign"
 
 	dbusErrorUnknownObject = "org.freedesktop.DBus.Error.UnknownObject"
@@ -103,11 +102,6 @@ func (s *systemdDbusConfigurator) applyDNSConfig(config HostDNSConfig, stateMana
 		log.Warnf("failed to set DNSSEC to 'no': %v", err)
 	}
 
-	// We don't support DNSOverTLS. On some machines this is default on so we explicitly set it to off
-	if err := s.callLinkMethod(systemdDbusSetDNSOverTLSMethodSuffix, dnsSecDisabled); err != nil {
-		log.Warnf("failed to set DNSOverTLS to 'no': %v", err)
-	}
-
 	var (
 		searchDomains []string
 		matchDomains  []string

client/internal/dns/unclean_shutdown_js.go

@@ -1,19 +0,0 @@
-package dns
-
-import (
-	"context"
-)
-
-type ShutdownState struct{}
-
-func (s *ShutdownState) Name() string {
-	return "dns_state"
-}
-
-func (s *ShutdownState) Cleanup() error {
-	return nil
-}
-
-func (s *ShutdownState) RestoreUncleanShutdownConfigs(context.Context) error {
-	return nil
-}

client/internal/dns/upstream_android.go

@@ -10,7 +10,7 @@ import (
 	"github.com/miekg/dns"
 
 	"github.com/netbirdio/netbird/client/internal/peer"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 type upstreamResolver struct {

client/internal/dnsfwd/cache.go

@@ -1,78 +0,0 @@
-package dnsfwd
-
-import (
-	"net/netip"
-	"slices"
-	"strings"
-	"sync"
-
-	"github.com/miekg/dns"
-)
-
-type cache struct {
-	mu      sync.RWMutex
-	records map[string]*cacheEntry
-}
-
-type cacheEntry struct {
-	ip4Addrs []netip.Addr
-	ip6Addrs []netip.Addr
-}
-
-func newCache() *cache {
-	return &cache{
-		records: make(map[string]*cacheEntry),
-	}
-}
-
-func (c *cache) get(domain string, reqType uint16) ([]netip.Addr, bool) {
-	c.mu.RLock()
-	defer c.mu.RUnlock()
-
-	entry, exists := c.records[normalizeDomain(domain)]
-	if !exists {
-		return nil, false
-	}
-
-	switch reqType {
-	case dns.TypeA:
-		return slices.Clone(entry.ip4Addrs), true
-	case dns.TypeAAAA:
-		return slices.Clone(entry.ip6Addrs), true
-	default:
-		return nil, false
-	}
-
-}
-
-func (c *cache) set(domain string, reqType uint16, addrs []netip.Addr) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	norm := normalizeDomain(domain)
-	entry, exists := c.records[norm]
-	if !exists {
-		entry = &cacheEntry{}
-		c.records[norm] = entry
-	}
-
-	switch reqType {
-	case dns.TypeA:
-		entry.ip4Addrs = slices.Clone(addrs)
-	case dns.TypeAAAA:
-		entry.ip6Addrs = slices.Clone(addrs)
-	}
-}
-
-// unset removes cached entries for the given domain and request type.
-func (c *cache) unset(domain string) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	delete(c.records, normalizeDomain(domain))
-}
-
-// normalizeDomain converts an input domain into a canonical form used as cache key:
-// lowercase and fully-qualified (with trailing dot).
-func normalizeDomain(domain string) string {
-	// dns.Fqdn ensures trailing dot; ToLower for consistent casing
-	return dns.Fqdn(strings.ToLower(domain))
-}

client/internal/dnsfwd/cache_test.go

@@ -1,86 +0,0 @@
-package dnsfwd
-
-import (
-	"net/netip"
-	"testing"
-)
-
-func mustAddr(t *testing.T, s string) netip.Addr {
-	t.Helper()
-	a, err := netip.ParseAddr(s)
-	if err != nil {
-		t.Fatalf("parse addr %s: %v", s, err)
-	}
-	return a
-}
-
-func TestCacheNormalization(t *testing.T) {
-	c := newCache()
-
-	// Mixed case, without trailing dot
-	domainInput := "ExAmPlE.CoM"
-	ipv4 := []netip.Addr{mustAddr(t, "1.2.3.4")}
-	c.set(domainInput, 1 /* dns.TypeA */, ipv4)
-
-	// Lookup with lower, with trailing dot
-	if got, ok := c.get("example.com.", 1); !ok || len(got) != 1 || got[0].String() != "1.2.3.4" {
-		t.Fatalf("expected cached IPv4 result via normalized key, got=%v ok=%v", got, ok)
-	}
-
-	// Lookup with different casing again
-	if got, ok := c.get("EXAMPLE.COM", 1); !ok || len(got) != 1 || got[0].String() != "1.2.3.4" {
-		t.Fatalf("expected cached IPv4 result via different casing, got=%v ok=%v", got, ok)
-	}
-}
-
-func TestCacheSeparateTypes(t *testing.T) {
-	c := newCache()
-
-	domain := "test.local"
-	ipv4 := []netip.Addr{mustAddr(t, "10.0.0.1")}
-	ipv6 := []netip.Addr{mustAddr(t, "2001:db8::1")}
-
-	c.set(domain, 1 /* A */, ipv4)
-	c.set(domain, 28 /* AAAA */, ipv6)
-
-	got4, ok4 := c.get(domain, 1)
-	if !ok4 || len(got4) != 1 || got4[0] != ipv4[0] {
-		t.Fatalf("expected A record from cache, got=%v ok=%v", got4, ok4)
-	}
-
-	got6, ok6 := c.get(domain, 28)
-	if !ok6 || len(got6) != 1 || got6[0] != ipv6[0] {
-		t.Fatalf("expected AAAA record from cache, got=%v ok=%v", got6, ok6)
-	}
-}
-
-func TestCacheCloneOnGetAndSet(t *testing.T) {
-	c := newCache()
-	domain := "clone.test"
-
-	src := []netip.Addr{mustAddr(t, "8.8.8.8")}
-	c.set(domain, 1, src)
-
-	// Mutate source slice; cache should be unaffected
-	src[0] = mustAddr(t, "9.9.9.9")
-
-	got, ok := c.get(domain, 1)
-	if !ok || len(got) != 1 || got[0].String() != "8.8.8.8" {
-		t.Fatalf("expected cached value to be independent of source slice, got=%v ok=%v", got, ok)
-	}
-
-	// Mutate returned slice; internal cache should remain unchanged
-	got[0] = mustAddr(t, "4.4.4.4")
-	got2, ok2 := c.get(domain, 1)
-	if !ok2 || len(got2) != 1 || got2[0].String() != "8.8.8.8" {
-		t.Fatalf("expected returned slice to be a clone, got=%v ok=%v", got2, ok2)
-	}
-}
-
-func TestCacheMiss(t *testing.T) {
-	c := newCache()
-	if got, ok := c.get("missing.example", 1); ok || got != nil {
-		t.Fatalf("expected cache miss, got=%v ok=%v", got, ok)
-	}
-}
-

client/internal/dnsfwd/forwarder.go

@@ -46,7 +46,6 @@ type DNSForwarder struct {
 	fwdEntries []*ForwarderEntry
 	firewall   firewaller
 	resolver   resolver
-	cache      *cache
 }
 
 func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewaller, statusRecorder *peer.Status) *DNSForwarder {
@@ -57,7 +56,6 @@ func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewaller, stat
 		firewall:       firewall,
 		statusRecorder: statusRecorder,
 		resolver:       net.DefaultResolver,
-		cache:          newCache(),
 	}
 }
 
@@ -105,39 +103,10 @@ func (f *DNSForwarder) UpdateDomains(entries []*ForwarderEntry) {
 	f.mutex.Lock()
 	defer f.mutex.Unlock()
 
-	// remove cache entries for domains that no longer appear
-	f.removeStaleCacheEntries(f.fwdEntries, entries)
-
 	f.fwdEntries = entries
 	log.Debugf("Updated DNS forwarder with %d domains", len(entries))
 }
 
-// removeStaleCacheEntries unsets cache items for domains that were present
-// in the old list but not present in the new list.
-func (f *DNSForwarder) removeStaleCacheEntries(oldEntries, newEntries []*ForwarderEntry) {
-	if f.cache == nil {
-		return
-	}
-
-	newSet := make(map[string]struct{}, len(newEntries))
-	for _, e := range newEntries {
-		if e == nil {
-			continue
-		}
-		newSet[e.Domain.PunycodeString()] = struct{}{}
-	}
-
-	for _, e := range oldEntries {
-		if e == nil {
-			continue
-		}
-		pattern := e.Domain.PunycodeString()
-		if _, ok := newSet[pattern]; !ok {
-			f.cache.unset(pattern)
-		}
-	}
-}
-
 func (f *DNSForwarder) Close(ctx context.Context) error {
 	var result *multierror.Error
 
@@ -202,7 +171,6 @@ func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) *dns
 
 	f.updateInternalState(ips, mostSpecificResId, matchingEntries)
 	f.addIPsToResponse(resp, domain, ips)
-	f.cache.set(domain, question.Qtype, ips)
 
 	return resp
 }
@@ -314,69 +282,29 @@ func (f *DNSForwarder) setResponseCodeForNotFound(ctx context.Context, resp *dns
 	resp.Rcode = dns.RcodeSuccess
 }
 
-// handleDNSError processes DNS lookup errors and sends an appropriate error response.
-func (f *DNSForwarder) handleDNSError(
-	ctx context.Context,
-	w dns.ResponseWriter,
-	question dns.Question,
-	resp *dns.Msg,
-	domain string,
-	err error,
-) {
-	// Default to SERVFAIL; override below when appropriate.
-	resp.Rcode = dns.RcodeServerFailure
-
-	qType := question.Qtype
-	qTypeName := dns.TypeToString[qType]
-
-	// Prefer typed DNS errors; fall back to generic logging otherwise.
+// handleDNSError processes DNS lookup errors and sends an appropriate error response
+func (f *DNSForwarder) handleDNSError(ctx context.Context, w dns.ResponseWriter, question dns.Question, resp *dns.Msg, domain string, err error) {
 	var dnsErr *net.DNSError
-	if !errors.As(err, &dnsErr) {
-		log.Warnf(errResolveFailed, domain, err)
-		if writeErr := w.WriteMsg(resp); writeErr != nil {
-			log.Errorf("failed to write failure DNS response: %v", writeErr)
-		}
-		return
-	}
 
-	// NotFound: set NXDOMAIN / appropriate code via helper.
-	if dnsErr.IsNotFound {
-		f.setResponseCodeForNotFound(ctx, resp, domain, qType)
-		if writeErr := w.WriteMsg(resp); writeErr != nil {
-			log.Errorf("failed to write failure DNS response: %v", writeErr)
+	switch {
+	case errors.As(err, &dnsErr):
+		resp.Rcode = dns.RcodeServerFailure
+		if dnsErr.IsNotFound {
+			f.setResponseCodeForNotFound(ctx, resp, domain, question.Qtype)
 		}
-		f.cache.set(domain, question.Qtype, nil)
-		return
-	}
 
-	// Upstream failed but we might have a cached answer—serve it if present.
-	if ips, ok := f.cache.get(domain, qType); ok {
-		if len(ips) > 0 {
-			log.Debugf("serving cached DNS response after upstream failure: domain=%s type=%s", domain, qTypeName)
-			f.addIPsToResponse(resp, domain, ips)
-			resp.Rcode = dns.RcodeSuccess
-			if writeErr := w.WriteMsg(resp); writeErr != nil {
-				log.Errorf("failed to write cached DNS response: %v", writeErr)
-			}
-		} else { // send NXDOMAIN / appropriate code if cache is empty
-			f.setResponseCodeForNotFound(ctx, resp, domain, qType)
-			if writeErr := w.WriteMsg(resp); writeErr != nil {
-				log.Errorf("failed to write failure DNS response: %v", writeErr)
-			}
+		if dnsErr.Server != "" {
+			log.Warnf("failed to resolve query for type=%s domain=%s server=%s: %v", dns.TypeToString[question.Qtype], domain, dnsErr.Server, err)
+		} else {
+			log.Warnf(errResolveFailed, domain, err)
 		}
-		return
-	}
-
-	// No cache. Log with or without the server field for more context.
-	if dnsErr.Server != "" {
-		log.Warnf("failed to resolve: type=%s domain=%s server=%s: %v", qTypeName, domain, dnsErr.Server, err)
-	} else {
+	default:
+		resp.Rcode = dns.RcodeServerFailure
 		log.Warnf(errResolveFailed, domain, err)
 	}
 
-	// Write final failure response.
-	if writeErr := w.WriteMsg(resp); writeErr != nil {
-		log.Errorf("failed to write failure DNS response: %v", writeErr)
+	if err := w.WriteMsg(resp); err != nil {
+		log.Errorf("failed to write failure DNS response: %v", err)
 	}
 }
 

client/internal/dnsfwd/forwarder_test.go

@@ -648,95 +648,6 @@ func TestDNSForwarder_TCPTruncation(t *testing.T) {
 	assert.LessOrEqual(t, writtenResp.Len(), dns.MinMsgSize, "Response should fit in minimum UDP size")
 }
 
-// Ensures that when the first query succeeds and populates the cache,
-// a subsequent upstream failure still returns a successful response from cache.
-func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
-	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
-	forwarder.resolver = mockResolver
-
-	d, err := domain.FromString("example.com")
-	require.NoError(t, err)
-	entries := []*ForwarderEntry{{Domain: d, ResID: "res-cache"}}
-	forwarder.UpdateDomains(entries)
-
-	ip := netip.MustParseAddr("1.2.3.4")
-
-	// First call resolves successfully and populates cache
-	mockResolver.On("LookupNetIP", mock.Anything, "ip4", dns.Fqdn("example.com")).
-		Return([]netip.Addr{ip}, nil).Once()
-
-	// Second call fails upstream; forwarder should serve from cache
-	mockResolver.On("LookupNetIP", mock.Anything, "ip4", dns.Fqdn("example.com")).
-		Return([]netip.Addr{}, &net.DNSError{Err: "temporary failure"}).Once()
-
-	// First query: populate cache
-	q1 := &dns.Msg{}
-	q1.SetQuestion(dns.Fqdn("example.com"), dns.TypeA)
-	w1 := &test.MockResponseWriter{}
-	resp1 := forwarder.handleDNSQuery(w1, q1)
-	require.NotNil(t, resp1)
-	require.Equal(t, dns.RcodeSuccess, resp1.Rcode)
-	require.Len(t, resp1.Answer, 1)
-
-	// Second query: serve from cache after upstream failure
-	q2 := &dns.Msg{}
-	q2.SetQuestion(dns.Fqdn("example.com"), dns.TypeA)
-	var writtenResp *dns.Msg
-	w2 := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { writtenResp = m; return nil }}
-	_ = forwarder.handleDNSQuery(w2, q2)
-
-	require.NotNil(t, writtenResp, "expected response to be written")
-	require.Equal(t, dns.RcodeSuccess, writtenResp.Rcode)
-	require.Len(t, writtenResp.Answer, 1)
-
-	mockResolver.AssertExpectations(t)
-}
-
-// Verifies that cache normalization works across casing and trailing dot variations.
-func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {
-	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
-	forwarder.resolver = mockResolver
-
-	d, err := domain.FromString("ExAmPlE.CoM")
-	require.NoError(t, err)
-	entries := []*ForwarderEntry{{Domain: d, ResID: "res-norm"}}
-	forwarder.UpdateDomains(entries)
-
-	ip := netip.MustParseAddr("9.8.7.6")
-
-	// Initial resolution with mixed case to populate cache
-	mixedQuery := "ExAmPlE.CoM"
-	mockResolver.On("LookupNetIP", mock.Anything, "ip4", dns.Fqdn(strings.ToLower(mixedQuery))).
-		Return([]netip.Addr{ip}, nil).Once()
-
-	q1 := &dns.Msg{}
-	q1.SetQuestion(mixedQuery+".", dns.TypeA)
-	w1 := &test.MockResponseWriter{}
-	resp1 := forwarder.handleDNSQuery(w1, q1)
-	require.NotNil(t, resp1)
-	require.Equal(t, dns.RcodeSuccess, resp1.Rcode)
-	require.Len(t, resp1.Answer, 1)
-
-	// Subsequent query without dot and upper case should hit cache even if upstream fails
-	// Forwarder lowercases and uses the question name as-is (no trailing dot here)
-	mockResolver.On("LookupNetIP", mock.Anything, "ip4", strings.ToLower("EXAMPLE.COM")).
-		Return([]netip.Addr{}, &net.DNSError{Err: "temporary failure"}).Once()
-
-	q2 := &dns.Msg{}
-	q2.SetQuestion("EXAMPLE.COM", dns.TypeA)
-	var writtenResp *dns.Msg
-	w2 := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { writtenResp = m; return nil }}
-	_ = forwarder.handleDNSQuery(w2, q2)
-
-	require.NotNil(t, writtenResp)
-	require.Equal(t, dns.RcodeSuccess, writtenResp.Rcode)
-	require.Len(t, writtenResp.Answer, 1)
-
-	mockResolver.AssertExpectations(t)
-}
-
 func TestDNSForwarder_MultipleOverlappingPatterns(t *testing.T) {
 	// Test complex overlapping pattern scenarios
 	mockFirewall := &MockFirewall{}

client/internal/dnsfwd/manager.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"sync"
 
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
@@ -12,18 +11,14 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-var (
-	// ListenPort is the port that the DNS forwarder listens on. It has been used by the client peers also
-	listenPort   uint16 = 5353
-	listenPortMu sync.RWMutex
+	"github.com/netbirdio/netbird/route"
 )
 
 const (
-	dnsTTL = 60 //seconds
+	// ListenPort is the port that the DNS forwarder listens on. It has been used by the client peers also
+	ListenPort = 5353
+	dnsTTL     = 60 //seconds
 )
 
 // ForwarderEntry is a mapping from a domain to a resource ID and a hash of the parent domain list.
@@ -42,18 +37,6 @@ type Manager struct {
 	dnsForwarder *DNSForwarder
 }
 
-func ListenPort() uint16 {
-	listenPortMu.RLock()
-	defer listenPortMu.RUnlock()
-	return listenPort
-}
-
-func SetListenPort(port uint16) {
-	listenPortMu.Lock()
-	listenPort = port
-	listenPortMu.Unlock()
-}
-
 func NewManager(fw firewall.Manager, statusRecorder *peer.Status) *Manager {
 	return &Manager{
 		firewall:       fw,
@@ -71,7 +54,7 @@ func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 		return err
 	}
 
-	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort()), dnsTTL, m.firewall, m.statusRecorder)
+	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort), dnsTTL, m.firewall, m.statusRecorder)
 	go func() {
 		if err := m.dnsForwarder.Listen(fwdEntries); err != nil {
 			// todo handle close error if it is exists
@@ -111,7 +94,7 @@ func (m *Manager) Stop(ctx context.Context) error {
 func (m *Manager) allowDNSFirewall() error {
 	dport := &firewall.Port{
 		IsRange: false,
-		Values:  []uint16{ListenPort()},
+		Values:  []uint16{ListenPort},
 	}
 
 	if m.firewall == nil {

client/internal/engine.go

@@ -29,9 +29,9 @@ import (
 	"github.com/netbirdio/netbird/client/firewall"
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
@@ -166,7 +166,7 @@ type Engine struct {
 
 	wgInterface WGIface
 
-	udpMux *udpmux.UniversalUDPMuxDefault
+	udpMux *bind.UniversalUDPMuxDefault
 
 	// networkSerial is the latest CurrentSerial (state ID) of the network sent by the Management service
 	networkSerial uint64
@@ -198,13 +198,6 @@ type Engine struct {
 	latestSyncResponse  *mgmProto.SyncResponse
 	connSemaphore       *semaphoregroup.SemaphoreGroup
 	flowManager         nftypes.FlowManager
-
-	// WireGuard interface monitor
-	wgIfaceMonitor   *WGIfaceMonitor
-	wgIfaceMonitorWg sync.WaitGroup
-
-	// dns forwarder port
-	dnsFwdPort uint16
 }
 
 // Peer is an instance of the Connection Peer
@@ -247,7 +240,6 @@ func NewEngine(
 		statusRecorder: statusRecorder,
 		checks:         checks,
 		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
-		dnsFwdPort:     dnsfwd.ListenPort(),
 	}
 
 	sm := profilemanager.NewServiceManager("")
@@ -349,9 +341,6 @@ func (e *Engine) Stop() error {
 		log.Errorf("failed to persist state: %v", err)
 	}
 
-	// Stop WireGuard interface monitor and wait for it to exit
-	e.wgIfaceMonitorWg.Wait()
-
 	return nil
 }
 
@@ -468,7 +457,14 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 		return fmt.Errorf("initialize dns server: %w", err)
 	}
 
-	iceCfg := e.createICEConfig()
+	iceCfg := icemaker.Config{
+		StunTurn:             &e.stunTurn,
+		InterfaceBlackList:   e.config.IFaceBlackList,
+		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
+		UDPMux:               e.udpMux.UDPMuxDefault,
+		UDPMuxSrflx:          e.udpMux,
+		NATExternalIPs:       e.parseNATExternalIPMappings(),
+	}
 
 	e.connMgr = NewConnMgr(e.config, e.statusRecorder, e.peerStore, wgIface)
 	e.connMgr.Start(e.ctx)
@@ -481,22 +477,6 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 
 	// starting network monitor at the very last to avoid disruptions
 	e.startNetworkMonitor()
-
-	// monitor WireGuard interface lifecycle and restart engine on changes
-	e.wgIfaceMonitor = NewWGIfaceMonitor()
-	e.wgIfaceMonitorWg.Add(1)
-
-	go func() {
-		defer e.wgIfaceMonitorWg.Done()
-
-		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, e.wgInterface.Name()); shouldRestart {
-			log.Infof("WireGuard interface monitor: %s, restarting engine", err)
-			e.restartEngine()
-		} else if err != nil {
-			log.Warnf("WireGuard interface monitor: %s", err)
-		}
-	}()
-
 	return nil
 }
 
@@ -969,6 +949,7 @@ func (e *Engine) receiveManagementEvents() {
 			e.config.LazyConnectionEnabled,
 		)
 
+		// err = e.mgmClient.Sync(info, e.handleSync)
 		err = e.mgmClient.Sync(e.ctx, info, e.handleSync)
 		if err != nil {
 			// happens if management is unavailable for a long time.
@@ -979,7 +960,7 @@ func (e *Engine) receiveManagementEvents() {
 		}
 		log.Debugf("stopped receiving updates from Management Service")
 	}()
-	log.Infof("connecting to Management Service updates stream")
+	log.Debugf("connecting to Management Service updates stream")
 }
 
 func (e *Engine) updateSTUNs(stuns []*mgmProto.HostConfig) error {
@@ -1084,7 +1065,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	}
 
 	fwdEntries := toRouteDomains(e.config.WgPrivateKey.PublicKey().String(), routes)
-	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries, uint16(protoDNSConfig.ForwarderPort))
+	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries)
 
 	// Ingress forward rules
 	forwardingRules, err := e.updateForwardRules(networkMap.GetForwardingRules())
@@ -1342,7 +1323,14 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 			Addr:           e.getRosenpassAddr(),
 			PermissiveMode: e.config.RosenpassPermissive,
 		},
-		ICEConfig: e.createICEConfig(),
+		ICEConfig: icemaker.Config{
+			StunTurn:             &e.stunTurn,
+			InterfaceBlackList:   e.config.IFaceBlackList,
+			DisableIPv6Discovery: e.config.DisableIPv6Discovery,
+			UDPMux:               e.udpMux.UDPMuxDefault,
+			UDPMuxSrflx:          e.udpMux,
+			NATExternalIPs:       e.parseNATExternalIPMappings(),
+		},
 	}
 
 	serviceDependencies := peer.ServiceDependencies{
@@ -1843,16 +1831,11 @@ func (e *Engine) GetWgAddr() netip.Addr {
 func (e *Engine) updateDNSForwarder(
 	enabled bool,
 	fwdEntries []*dnsfwd.ForwarderEntry,
-	forwarderPort uint16,
 ) {
 	if e.config.DisableServerRoutes {
 		return
 	}
 
-	if forwarderPort > 0 {
-		dnsfwd.SetListenPort(forwarderPort)
-	}
-
 	if !enabled {
 		if e.dnsForwardMgr == nil {
 			return
@@ -1864,20 +1847,16 @@ func (e *Engine) updateDNSForwarder(
 	}
 
 	if len(fwdEntries) > 0 {
-		switch {
-		case e.dnsForwardMgr == nil:
+		if e.dnsForwardMgr == nil {
 			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder)
+
 			if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
 				log.Errorf("failed to start DNS forward: %v", err)
 				e.dnsForwardMgr = nil
 			}
-			log.Infof("started domain router service with %d entries", len(fwdEntries))
-		case e.dnsFwdPort != forwarderPort:
-			log.Infof("updating domain router service port from %d to %d", e.dnsFwdPort, forwarderPort)
-			e.restartDnsFwd(fwdEntries, forwarderPort)
-			e.dnsFwdPort = forwarderPort
 
-		default:
+			log.Infof("started domain router service with %d entries", len(fwdEntries))
+		} else {
 			e.dnsForwardMgr.UpdateDomains(fwdEntries)
 		}
 	} else if e.dnsForwardMgr != nil {
@@ -1887,20 +1866,6 @@ func (e *Engine) updateDNSForwarder(
 		}
 		e.dnsForwardMgr = nil
 	}
-
-}
-
-func (e *Engine) restartDnsFwd(fwdEntries []*dnsfwd.ForwarderEntry, forwarderPort uint16) {
-	log.Infof("updating domain router service port from %d to %d", e.dnsFwdPort, forwarderPort)
-	// stop and start the forwarder to apply the new port
-	if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
-		log.Errorf("failed to stop DNS forward: %v", err)
-	}
-	e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder)
-	if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
-		log.Errorf("failed to start DNS forward: %v", err)
-		e.dnsForwardMgr = nil
-	}
 }
 
 func (e *Engine) GetNet() (*netstack.Net, error) {

client/internal/engine_generic.go

@@ -1,19 +0,0 @@
-//go:build !js
-
-package internal
-
-import (
-	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
-)
-
-// createICEConfig creates ICE configuration for non-WASM environments
-func (e *Engine) createICEConfig() icemaker.Config {
-	return icemaker.Config{
-		StunTurn:             &e.stunTurn,
-		InterfaceBlackList:   e.config.IFaceBlackList,
-		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
-		UDPMux:               e.udpMux.SingleSocketUDPMux,
-		UDPMuxSrflx:          e.udpMux,
-		NATExternalIPs:       e.parseNATExternalIPMappings(),
-	}
-}

client/internal/engine_js.go

@@ -1,18 +0,0 @@
-//go:build js
-
-package internal
-
-import (
-	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
-)
-
-// createICEConfig creates ICE configuration for WASM environment.
-func (e *Engine) createICEConfig() icemaker.Config {
-	cfg := icemaker.Config{
-		StunTurn:             &e.stunTurn,
-		InterfaceBlackList:   e.config.IFaceBlackList,
-		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
-		NATExternalIPs:       e.parseNATExternalIPMappings(),
-	}
-	return cfg
-}