Use -ldflags "-s -w" to strip debug symbols and reduce binary size

* Replace ipset lib

* Update .github/workflows/check-license-dependencies.yml

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Ignore internal licenses

* Ignore dependencies from AGPL code

* Use exported errors

* Use fixed version

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

.github/workflows/check-license-dependencies.yml

@@ -3,39 +3,108 @@ name: Check License Dependencies
 on:
   push:
     branches: [ main ]
+    paths:
+      - 'go.mod'
+      - 'go.sum'
+      - '.github/workflows/check-license-dependencies.yml'
   pull_request:
+    paths:
+      - 'go.mod'
+      - 'go.sum'
+      - '.github/workflows/check-license-dependencies.yml'
 
 jobs:
-  check-dependencies:
+  check-internal-dependencies:
+    name: Check Internal AGPL Dependencies
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check for problematic license dependencies
+        run: |
+          echo "Checking for dependencies on management/, signal/, and relay/ packages..."
+          echo ""
+
+          # Find all directories except the problematic ones and system dirs
+          FOUND_ISSUES=0
+          while IFS= read -r dir; do
+            echo "=== Checking $dir ==="
+            # Search for problematic imports, excluding test files
+            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
+            if [ -n "$RESULTS" ]; then
+              echo "❌ Found problematic dependencies:"
+              echo "$RESULTS"
+              FOUND_ISSUES=1
+            else
+              echo "✓ No problematic dependencies found"
+            fi
+          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort)
+
+          echo ""
+          if [ $FOUND_ISSUES -eq 1 ]; then
+            echo "❌ Found dependencies on management/, signal/, or relay/ packages"
+            echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
+            exit 1
+          else
+            echo ""
+            echo "✅ All internal license dependencies are clean"
+          fi
+
+  check-external-licenses:
+    name: Check External GPL/AGPL Licenses
     runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v4
 
-    - name: Check for problematic license dependencies
-      run: |
-        echo "Checking for dependencies on management/, signal/, and relay/ packages..."
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: 'go.mod'
+        cache: true
 
-        # Find all directories except the problematic ones and system dirs
-        FOUND_ISSUES=0
-        find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort | while read dir; do
-          echo "=== Checking $dir ==="
-          # Search for problematic imports, excluding test files
-          RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
-          if [ ! -z "$RESULTS" ]; then
-            echo "❌ Found problematic dependencies:"
-            echo "$RESULTS"
-            FOUND_ISSUES=1
-          else
-            echo "✓ No problematic dependencies found"
+    - name: Install go-licenses
+      run: go install github.com/google/go-licenses@v1.6.0
+
+    - name: Check for GPL/AGPL licensed dependencies
+      run: |
+        echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
+        echo ""
+
+        # Check all Go packages for copyleft licenses, excluding internal netbird packages
+        COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
+
+        if [ -n "$COPYLEFT_DEPS" ]; then
+          echo "Found copyleft licensed dependencies:"
+          echo "$COPYLEFT_DEPS"
+          echo ""
+
+          # Filter out dependencies that are only pulled in by internal AGPL packages
+          INCOMPATIBLE=""
+          while IFS=',' read -r package url license; do
+            if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
+              # Find ALL packages that import this GPL package using go list
+              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
+
+              # Check if any importer is NOT in management/signal/relay
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\)" | head -1)
+
+              if [ -n "$BSD_IMPORTER" ]; then
+                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
+                INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
+              else
+                echo "✓ $package ($license) is only used by internal AGPL packages - OK"
+              fi
+            fi
+          done <<< "$COPYLEFT_DEPS"
+
+          if [ -n "$INCOMPATIBLE" ]; then
+            echo ""
+            echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
+            echo -e "$INCOMPATIBLE"
+            exit 1
           fi
-        done
-        if [ $FOUND_ISSUES -eq 1 ]; then
-          echo ""
-          echo "❌ Found dependencies on management/, signal/, or relay/ packages"
-          echo "These packages will change license and should not be imported by client or shared code"
-          exit 1
-        else
-          echo ""
-          echo "✅ All license dependencies are clean"
         fi
+
+        echo "✅ All external license dependencies are compatible with BSD-3-Clause"

.github/workflows/wasm-build-validation.yml

@@ -47,7 +47,7 @@ jobs:
         with:
           go-version: "1.23.x"
       - name: Build Wasm client
-        run: GOOS=js GOARCH=wasm go build -o netbird.wasm ./client/wasm/cmd
+        run: GOOS=js GOARCH=wasm go build -o netbird.wasm -ldflags="-s -w" ./client/wasm/cmd
         env:
           CGO_ENABLED: 0
       - name: Check Wasm build size

client/android/client.go

@@ -17,9 +17,9 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
+	"github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/client/net"
 )
 
 // ConnectionListener export internal Listener for mobile

client/android/login.go

@@ -200,7 +200,7 @@ func (a *Auth) login(urlOpener URLOpener) error {
 }
 
 func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener) (*auth.TokenInfo, error) {
-	oAuthFlow, err := auth.NewOAuthFlow(a.ctx, a.config, false)
+	oAuthFlow, err := auth.NewOAuthFlow(a.ctx, a.config, false, "")
 	if err != nil {
 		return nil, err
 	}

client/android/preferences.go

@@ -201,6 +201,94 @@ func (p *Preferences) SetServerSSHAllowed(allowed bool) {
 	p.configInput.ServerSSHAllowed = &allowed
 }
 
+// GetEnableSSHRoot reads SSH root login setting from config file
+func (p *Preferences) GetEnableSSHRoot() (bool, error) {
+	if p.configInput.EnableSSHRoot != nil {
+		return *p.configInput.EnableSSHRoot, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.EnableSSHRoot == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.EnableSSHRoot, err
+}
+
+// SetEnableSSHRoot stores the given value and waits for commit
+func (p *Preferences) SetEnableSSHRoot(enabled bool) {
+	p.configInput.EnableSSHRoot = &enabled
+}
+
+// GetEnableSSHSFTP reads SSH SFTP setting from config file
+func (p *Preferences) GetEnableSSHSFTP() (bool, error) {
+	if p.configInput.EnableSSHSFTP != nil {
+		return *p.configInput.EnableSSHSFTP, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.EnableSSHSFTP == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.EnableSSHSFTP, err
+}
+
+// SetEnableSSHSFTP stores the given value and waits for commit
+func (p *Preferences) SetEnableSSHSFTP(enabled bool) {
+	p.configInput.EnableSSHSFTP = &enabled
+}
+
+// GetEnableSSHLocalPortForwarding reads SSH local port forwarding setting from config file
+func (p *Preferences) GetEnableSSHLocalPortForwarding() (bool, error) {
+	if p.configInput.EnableSSHLocalPortForwarding != nil {
+		return *p.configInput.EnableSSHLocalPortForwarding, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.EnableSSHLocalPortForwarding == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.EnableSSHLocalPortForwarding, err
+}
+
+// SetEnableSSHLocalPortForwarding stores the given value and waits for commit
+func (p *Preferences) SetEnableSSHLocalPortForwarding(enabled bool) {
+	p.configInput.EnableSSHLocalPortForwarding = &enabled
+}
+
+// GetEnableSSHRemotePortForwarding reads SSH remote port forwarding setting from config file
+func (p *Preferences) GetEnableSSHRemotePortForwarding() (bool, error) {
+	if p.configInput.EnableSSHRemotePortForwarding != nil {
+		return *p.configInput.EnableSSHRemotePortForwarding, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.EnableSSHRemotePortForwarding == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.EnableSSHRemotePortForwarding, err
+}
+
+// SetEnableSSHRemotePortForwarding stores the given value and waits for commit
+func (p *Preferences) SetEnableSSHRemotePortForwarding(enabled bool) {
+	p.configInput.EnableSSHRemotePortForwarding = &enabled
+}
+
 // GetBlockInbound reads block inbound setting from config file
 func (p *Preferences) GetBlockInbound() (bool, error) {
 	if p.configInput.BlockInbound != nil {

client/cmd/login.go

@@ -106,6 +106,13 @@ func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey str
 		Username:            &username,
 	}
 
+	profileState, err := pm.GetProfileState(activeProf.Name)
+	if err != nil {
+		log.Debugf("failed to get profile state for login hint: %v", err)
+	} else if profileState.Email != "" {
+		loginRequest.Hint = &profileState.Email
+	}
+
 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
 		loginRequest.OptionalPreSharedKey = &preSharedKey
 	}
@@ -241,7 +248,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 		return fmt.Errorf("read config file %s: %v", configFilePath, err)
 	}
 
-	err = foregroundLogin(ctx, cmd, config, setupKey)
+	err = foregroundLogin(ctx, cmd, config, setupKey, activeProf.Name)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -269,7 +276,7 @@ func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.Lo
 	return nil
 }
 
-func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey string) error {
+func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey, profileName string) error {
 	needsLogin := false
 
 	err := WithBackOff(func() error {
@@ -286,7 +293,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 
 	jwtToken := ""
 	if setupKey == "" && needsLogin {
-		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config)
+		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config, profileName)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
@@ -315,8 +322,17 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 	return nil
 }
 
-func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config) (*auth.TokenInfo, error) {
-	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isUnixRunningDesktop())
+func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, profileName string) (*auth.TokenInfo, error) {
+	hint := ""
+	pm := profilemanager.NewProfileManager()
+	profileState, err := pm.GetProfileState(profileName)
+	if err != nil {
+		log.Debugf("failed to get profile state for login hint: %v", err)
+	} else if profileState.Email != "" {
+		hint = profileState.Email
+	}
+
+	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isUnixRunningDesktop(), hint)
 	if err != nil {
 		return nil, err
 	}

client/cmd/root.go

@@ -35,7 +35,6 @@ const (
 	wireguardPortFlag        = "wireguard-port"
 	networkMonitorFlag       = "network-monitor"
 	disableAutoConnectFlag   = "disable-auto-connect"
-	serverSSHAllowedFlag     = "allow-server-ssh"
 	extraIFaceBlackListFlag  = "extra-iface-blacklist"
 	dnsRouteIntervalFlag     = "dns-router-interval"
 	enableLazyConnectionFlag = "enable-lazy-connection"
@@ -64,7 +63,6 @@ var (
 	customDNSAddress        string
 	rosenpassEnabled        bool
 	rosenpassPermissive     bool
-	serverSSHAllowed        bool
 	interfaceName           string
 	wireguardPort           uint16
 	networkMonitor          bool
@@ -176,7 +174,6 @@ func init() {
 	)
 	upCmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "[Experimental] Enable Rosenpass feature. If enabled, the connection will be post-quantum secured via Rosenpass.")
 	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
-	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
 	upCmd.PersistentFlags().BoolVar(&lazyConnEnabled, enableLazyConnectionFlag, false, "[Experimental] Enable the lazy connection feature. If enabled, the client will establish connections on-demand. Note: this setting may be overridden by management configuration.")
 

client/cmd/service_installer.go

@@ -10,6 +10,8 @@ import (
 	"path/filepath"
 	"runtime"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/kardianos/service"
 	"github.com/spf13/cobra"
 
@@ -81,6 +83,10 @@ func configurePlatformSpecificSettings(svcConfig *service.Config) error {
 				svcConfig.Option["LogDirectory"] = dir
 			}
 		}
+
+		if err := configureSystemdNetworkd(); err != nil {
+			log.Warnf("failed to configure systemd-networkd: %v", err)
+		}
 	}
 
 	if runtime.GOOS == "windows" {
@@ -160,6 +166,12 @@ var uninstallCmd = &cobra.Command{
 			return fmt.Errorf("uninstall service: %w", err)
 		}
 
+		if runtime.GOOS == "linux" {
+			if err := cleanupSystemdNetworkd(); err != nil {
+				log.Warnf("failed to cleanup systemd-networkd configuration: %v", err)
+			}
+		}
+
 		cmd.Println("NetBird service has been uninstalled")
 		return nil
 	},
@@ -245,3 +257,50 @@ func isServiceRunning() (bool, error) {
 
 	return status == service.StatusRunning, nil
 }
+
+const (
+	networkdConf        = "/etc/systemd/networkd.conf"
+	networkdConfDir     = "/etc/systemd/networkd.conf.d"
+	networkdConfFile    = "/etc/systemd/networkd.conf.d/99-netbird.conf"
+	networkdConfContent = `# Created by NetBird to prevent systemd-networkd from removing
+# routes and policy rules managed by NetBird.
+
+[Network]
+ManageForeignRoutes=no
+ManageForeignRoutingPolicyRules=no
+`
+)
+
+// configureSystemdNetworkd creates a drop-in configuration file to prevent
+// systemd-networkd from removing NetBird's routes and policy rules.
+func configureSystemdNetworkd() error {
+	if _, err := os.Stat(networkdConf); os.IsNotExist(err) {
+		log.Debug("systemd-networkd not in use, skipping configuration")
+		return nil
+	}
+
+	// nolint:gosec // standard networkd permissions
+	if err := os.MkdirAll(networkdConfDir, 0755); err != nil {
+		return fmt.Errorf("create networkd.conf.d directory: %w", err)
+	}
+
+	// nolint:gosec // standard networkd permissions
+	if err := os.WriteFile(networkdConfFile, []byte(networkdConfContent), 0644); err != nil {
+		return fmt.Errorf("write networkd configuration: %w", err)
+	}
+
+	return nil
+}
+
+// cleanupSystemdNetworkd removes the NetBird systemd-networkd configuration file.
+func cleanupSystemdNetworkd() error {
+	if _, err := os.Stat(networkdConfFile); os.IsNotExist(err) {
+		return nil
+	}
+
+	if err := os.Remove(networkdConfFile); err != nil {
+		return fmt.Errorf("remove networkd configuration: %w", err)
+	}
+
+	return nil
+}

client/cmd/ssh.go

@@ -3,125 +3,809 @@ package cmd
 import (
 	"context"
 	"errors"
+	"flag"
 	"fmt"
+	"net"
 	"os"
 	"os/signal"
+	"os/user"
+	"slices"
+	"strconv"
 	"strings"
 	"syscall"
 
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"golang.org/x/crypto/ssh"
 
 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	nbssh "github.com/netbirdio/netbird/client/ssh"
+	sshclient "github.com/netbirdio/netbird/client/ssh/client"
+	"github.com/netbirdio/netbird/client/ssh/detection"
+	sshproxy "github.com/netbirdio/netbird/client/ssh/proxy"
+	sshserver "github.com/netbirdio/netbird/client/ssh/server"
 	"github.com/netbirdio/netbird/util"
 )
 
-var (
-	port     int
-	userName = "root"
-	host     string
+const (
+	sshUsernameDesc      = "SSH username"
+	hostArgumentRequired = "host argument required"
+
+	serverSSHAllowedFlag           = "allow-server-ssh"
+	enableSSHRootFlag              = "enable-ssh-root"
+	enableSSHSFTPFlag              = "enable-ssh-sftp"
+	enableSSHLocalPortForwardFlag  = "enable-ssh-local-port-forwarding"
+	enableSSHRemotePortForwardFlag = "enable-ssh-remote-port-forwarding"
+	disableSSHAuthFlag             = "disable-ssh-auth"
+	sshJWTCacheTTLFlag             = "ssh-jwt-cache-ttl"
 )
 
-var sshCmd = &cobra.Command{
-	Use: "ssh [user@]host",
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return errors.New("requires a host argument")
-		}
+var (
+	port                  int
+	username              string
+	host                  string
+	command               string
+	localForwards         []string
+	remoteForwards        []string
+	strictHostKeyChecking bool
+	knownHostsFile        string
+	identityFile          string
+	skipCachedToken       bool
+	requestPTY            bool
+)
 
-		split := strings.Split(args[0], "@")
-		if len(split) == 2 {
-			userName = split[0]
-			host = split[1]
-		} else {
-			host = args[0]
-		}
+var (
+	serverSSHAllowed           bool
+	enableSSHRoot              bool
+	enableSSHSFTP              bool
+	enableSSHLocalPortForward  bool
+	enableSSHRemotePortForward bool
+	disableSSHAuth             bool
+	sshJWTCacheTTL             int
+)
 
-		return nil
-	},
-	Short: "Connect to a remote SSH server",
-	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
-		SetFlagsFromEnvVars(cmd)
+func init() {
+	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer")
+	upCmd.PersistentFlags().BoolVar(&enableSSHRoot, enableSSHRootFlag, false, "Enable root login for SSH server")
+	upCmd.PersistentFlags().BoolVar(&enableSSHSFTP, enableSSHSFTPFlag, false, "Enable SFTP subsystem for SSH server")
+	upCmd.PersistentFlags().BoolVar(&enableSSHLocalPortForward, enableSSHLocalPortForwardFlag, false, "Enable local port forwarding for SSH server")
+	upCmd.PersistentFlags().BoolVar(&enableSSHRemotePortForward, enableSSHRemotePortForwardFlag, false, "Enable remote port forwarding for SSH server")
+	upCmd.PersistentFlags().BoolVar(&disableSSHAuth, disableSSHAuthFlag, false, "Disable SSH authentication")
+	upCmd.PersistentFlags().IntVar(&sshJWTCacheTTL, sshJWTCacheTTLFlag, 0, "SSH JWT token cache TTL in seconds (0=disabled)")
 
-		cmd.SetOut(cmd.OutOrStdout())
+	sshCmd.PersistentFlags().IntVarP(&port, "port", "p", sshserver.DefaultSSHPort, "Remote SSH port")
+	sshCmd.PersistentFlags().StringVarP(&username, "user", "u", "", sshUsernameDesc)
+	sshCmd.PersistentFlags().StringVar(&username, "login", "", sshUsernameDesc+" (alias for --user)")
+	sshCmd.PersistentFlags().BoolVarP(&requestPTY, "tty", "t", false, "Force pseudo-terminal allocation")
+	sshCmd.PersistentFlags().BoolVar(&strictHostKeyChecking, "strict-host-key-checking", true, "Enable strict host key checking (default: true)")
+	sshCmd.PersistentFlags().StringVarP(&knownHostsFile, "known-hosts", "o", "", "Path to known_hosts file (default: ~/.ssh/known_hosts)")
+	sshCmd.PersistentFlags().StringVarP(&identityFile, "identity", "i", "", "Path to SSH private key file (deprecated)")
+	_ = sshCmd.PersistentFlags().MarkDeprecated("identity", "this flag is no longer used")
+	sshCmd.PersistentFlags().BoolVar(&skipCachedToken, "no-cache", false, "Skip cached JWT token and force fresh authentication")
 
-		err := util.InitLog(logLevel, util.LogConsole)
-		if err != nil {
-			return fmt.Errorf("failed initializing log %v", err)
-		}
+	sshCmd.PersistentFlags().StringArrayP("L", "L", []string{}, "Local port forwarding [bind_address:]port:host:hostport")
+	sshCmd.PersistentFlags().StringArrayP("R", "R", []string{}, "Remote port forwarding [bind_address:]port:host:hostport")
 
-		if !util.IsAdmin() {
-			cmd.Printf("error: you must have Administrator privileges to run this command\n")
-			return nil
-		}
-
-		ctx := internal.CtxInitState(cmd.Context())
-
-		sm := profilemanager.NewServiceManager(configPath)
-		activeProf, err := sm.GetActiveProfileState()
-		if err != nil {
-			return fmt.Errorf("get active profile: %v", err)
-		}
-		profPath, err := activeProf.FilePath()
-		if err != nil {
-			return fmt.Errorf("get active profile path: %v", err)
-		}
-
-		config, err := profilemanager.ReadConfig(profPath)
-		if err != nil {
-			return fmt.Errorf("read profile config: %v", err)
-		}
-
-		sig := make(chan os.Signal, 1)
-		signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT)
-		sshctx, cancel := context.WithCancel(ctx)
-
-		go func() {
-			// blocking
-			if err := runSSH(sshctx, host, []byte(config.SSHKey), cmd); err != nil {
-				cmd.Printf("Error: %v\n", err)
-				os.Exit(1)
-			}
-			cancel()
-		}()
-
-		select {
-		case <-sig:
-			cancel()
-		case <-sshctx.Done():
-		}
-
-		return nil
-	},
+	sshCmd.AddCommand(sshSftpCmd)
+	sshCmd.AddCommand(sshProxyCmd)
+	sshCmd.AddCommand(sshDetectCmd)
 }
 
-func runSSH(ctx context.Context, addr string, pemKey []byte, cmd *cobra.Command) error {
-	c, err := nbssh.DialWithKey(fmt.Sprintf("%s:%d", addr, port), userName, pemKey)
-	if err != nil {
-		cmd.Printf("Error: %v\n", err)
-		cmd.Printf("Couldn't connect. Please check the connection status or if the ssh server is enabled on the other peer" +
-			"\nYou can verify the connection by running:\n\n" +
-			" netbird status\n\n")
-		return err
-	}
-	go func() {
-		<-ctx.Done()
-		err = c.Close()
-		if err != nil {
-			return
+var sshCmd = &cobra.Command{
+	Use:   "ssh [flags] [user@]host [command]",
+	Short: "Connect to a NetBird peer via SSH",
+	Long: `Connect to a NetBird peer using SSH with support for port forwarding.
+
+Port Forwarding:
+  -L [bind_address:]port:host:hostport   Local port forwarding
+  -L [bind_address:]port:/path/to/socket Local port forwarding to Unix socket
+  -R [bind_address:]port:host:hostport   Remote port forwarding
+  -R [bind_address:]port:/path/to/socket Remote port forwarding to Unix socket
+
+SSH Options:
+  -p, --port int                       Remote SSH port (default 22)
+  -u, --user string                    SSH username
+      --login string                   SSH username (alias for --user)
+  -t, --tty                            Force pseudo-terminal allocation
+      --strict-host-key-checking       Enable strict host key checking (default: true)
+  -o, --known-hosts string             Path to known_hosts file
+
+Examples:
+  netbird ssh peer-hostname
+  netbird ssh root@peer-hostname
+  netbird ssh --login root peer-hostname
+  netbird ssh peer-hostname ls -la
+  netbird ssh peer-hostname whoami
+  netbird ssh -t peer-hostname tmux                  # Force PTY for tmux/screen
+  netbird ssh -t peer-hostname sudo -i               # Force PTY for interactive sudo
+  netbird ssh -L 8080:localhost:80 peer-hostname     # Local port forwarding
+  netbird ssh -R 9090:localhost:3000 peer-hostname   # Remote port forwarding
+  netbird ssh -L "*:8080:localhost:80" peer-hostname # Bind to all interfaces
+  netbird ssh -L 8080:/tmp/socket peer-hostname      # Unix socket forwarding`,
+	DisableFlagParsing: true,
+	Args:               validateSSHArgsWithoutFlagParsing,
+	RunE:               sshFn,
+	Aliases:            []string{"ssh"},
+}
+
+func sshFn(cmd *cobra.Command, args []string) error {
+	for _, arg := range args {
+		if arg == "-h" || arg == "--help" {
+			return cmd.Help()
 		}
+	}
+
+	SetFlagsFromEnvVars(rootCmd)
+	SetFlagsFromEnvVars(cmd)
+
+	cmd.SetOut(cmd.OutOrStdout())
+
+	logOutput := "console"
+	if firstLogFile := util.FindFirstLogPath(logFiles); firstLogFile != "" && firstLogFile != defaultLogFile {
+		logOutput = firstLogFile
+	}
+	if err := util.InitLog(logLevel, logOutput); err != nil {
+		return fmt.Errorf("init log: %w", err)
+	}
+
+	ctx := internal.CtxInitState(cmd.Context())
+
+	sig := make(chan os.Signal, 1)
+	signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT)
+	sshctx, cancel := context.WithCancel(ctx)
+
+	errCh := make(chan error, 1)
+	go func() {
+		if err := runSSH(sshctx, host, cmd); err != nil {
+			errCh <- err
+		}
+		cancel()
 	}()
 
-	err = c.OpenTerminal()
-	if err != nil {
+	select {
+	case <-sig:
+		cancel()
+		<-sshctx.Done()
+		return nil
+	case err := <-errCh:
 		return err
+	case <-sshctx.Done():
 	}
 
 	return nil
 }
 
-func init() {
-	sshCmd.PersistentFlags().IntVarP(&port, "port", "p", nbssh.DefaultSSHPort, "Sets remote SSH port. Defaults to "+fmt.Sprint(nbssh.DefaultSSHPort))
+// getEnvOrDefault checks for environment variables with WT_ and NB_ prefixes
+func getEnvOrDefault(flagName, defaultValue string) string {
+	if envValue := os.Getenv("WT_" + flagName); envValue != "" {
+		return envValue
+	}
+	if envValue := os.Getenv("NB_" + flagName); envValue != "" {
+		return envValue
+	}
+	return defaultValue
+}
+
+// resetSSHGlobals sets SSH globals to their default values
+func resetSSHGlobals() {
+	port = sshserver.DefaultSSHPort
+	username = ""
+	host = ""
+	command = ""
+	localForwards = nil
+	remoteForwards = nil
+	strictHostKeyChecking = true
+	knownHostsFile = ""
+	identityFile = ""
+}
+
+// parseCustomSSHFlags extracts -L, -R flags and returns filtered args
+func parseCustomSSHFlags(args []string) ([]string, []string, []string) {
+	var localForwardFlags []string
+	var remoteForwardFlags []string
+	var filteredArgs []string
+
+	for i := 0; i < len(args); i++ {
+		arg := args[i]
+		switch {
+		case strings.HasPrefix(arg, "-L"):
+			localForwardFlags, i = parseForwardFlag(arg, args, i, localForwardFlags)
+		case strings.HasPrefix(arg, "-R"):
+			remoteForwardFlags, i = parseForwardFlag(arg, args, i, remoteForwardFlags)
+		default:
+			filteredArgs = append(filteredArgs, arg)
+		}
+	}
+
+	return filteredArgs, localForwardFlags, remoteForwardFlags
+}
+
+func parseForwardFlag(arg string, args []string, i int, flags []string) ([]string, int) {
+	if arg == "-L" || arg == "-R" {
+		if i+1 < len(args) {
+			flags = append(flags, args[i+1])
+			i++
+		}
+	} else if len(arg) > 2 {
+		flags = append(flags, arg[2:])
+	}
+	return flags, i
+}
+
+// extractGlobalFlags parses global flags that were passed before 'ssh' command
+func extractGlobalFlags(args []string) {
+	sshPos := findSSHCommandPosition(args)
+	if sshPos == -1 {
+		return
+	}
+
+	globalArgs := args[:sshPos]
+	parseGlobalArgs(globalArgs)
+}
+
+// findSSHCommandPosition locates the 'ssh' command in the argument list
+func findSSHCommandPosition(args []string) int {
+	for i, arg := range args {
+		if arg == "ssh" {
+			return i
+		}
+	}
+	return -1
+}
+
+const (
+	configFlag   = "config"
+	logLevelFlag = "log-level"
+	logFileFlag  = "log-file"
+)
+
+// parseGlobalArgs processes the global arguments and sets the corresponding variables
+func parseGlobalArgs(globalArgs []string) {
+	flagHandlers := map[string]func(string){
+		configFlag:   func(value string) { configPath = value },
+		logLevelFlag: func(value string) { logLevel = value },
+		logFileFlag: func(value string) {
+			if !slices.Contains(logFiles, value) {
+				logFiles = append(logFiles, value)
+			}
+		},
+	}
+
+	shortFlags := map[string]string{
+		"c": configFlag,
+		"l": logLevelFlag,
+	}
+
+	for i := 0; i < len(globalArgs); i++ {
+		arg := globalArgs[i]
+
+		if handled, nextIndex := parseFlag(arg, globalArgs, i, flagHandlers, shortFlags); handled {
+			i = nextIndex
+		}
+	}
+}
+
+// parseFlag handles generic flag parsing for both long and short forms
+func parseFlag(arg string, args []string, currentIndex int, flagHandlers map[string]func(string), shortFlags map[string]string) (bool, int) {
+	if parsedValue, found := parseEqualsFormat(arg, flagHandlers, shortFlags); found {
+		flagHandlers[parsedValue.flagName](parsedValue.value)
+		return true, currentIndex
+	}
+
+	if parsedValue, found := parseSpacedFormat(arg, args, currentIndex, flagHandlers, shortFlags); found {
+		flagHandlers[parsedValue.flagName](parsedValue.value)
+		return true, currentIndex + 1
+	}
+
+	return false, currentIndex
+}
+
+type parsedFlag struct {
+	flagName string
+	value    string
+}
+
+// parseEqualsFormat handles --flag=value and -f=value formats
+func parseEqualsFormat(arg string, flagHandlers map[string]func(string), shortFlags map[string]string) (parsedFlag, bool) {
+	if !strings.Contains(arg, "=") {
+		return parsedFlag{}, false
+	}
+
+	parts := strings.SplitN(arg, "=", 2)
+	if len(parts) != 2 {
+		return parsedFlag{}, false
+	}
+
+	if strings.HasPrefix(parts[0], "--") {
+		flagName := strings.TrimPrefix(parts[0], "--")
+		if _, exists := flagHandlers[flagName]; exists {
+			return parsedFlag{flagName: flagName, value: parts[1]}, true
+		}
+	}
+
+	if strings.HasPrefix(parts[0], "-") && len(parts[0]) == 2 {
+		shortFlag := strings.TrimPrefix(parts[0], "-")
+		if longFlag, exists := shortFlags[shortFlag]; exists {
+			if _, exists := flagHandlers[longFlag]; exists {
+				return parsedFlag{flagName: longFlag, value: parts[1]}, true
+			}
+		}
+	}
+
+	return parsedFlag{}, false
+}
+
+// parseSpacedFormat handles --flag value and -f value formats
+func parseSpacedFormat(arg string, args []string, currentIndex int, flagHandlers map[string]func(string), shortFlags map[string]string) (parsedFlag, bool) {
+	if currentIndex+1 >= len(args) {
+		return parsedFlag{}, false
+	}
+
+	if strings.HasPrefix(arg, "--") {
+		flagName := strings.TrimPrefix(arg, "--")
+		if _, exists := flagHandlers[flagName]; exists {
+			return parsedFlag{flagName: flagName, value: args[currentIndex+1]}, true
+		}
+	}
+
+	if strings.HasPrefix(arg, "-") && len(arg) == 2 {
+		shortFlag := strings.TrimPrefix(arg, "-")
+		if longFlag, exists := shortFlags[shortFlag]; exists {
+			if _, exists := flagHandlers[longFlag]; exists {
+				return parsedFlag{flagName: longFlag, value: args[currentIndex+1]}, true
+			}
+		}
+	}
+
+	return parsedFlag{}, false
+}
+
+// createSSHFlagSet creates and configures the flag set for SSH command parsing
+// sshFlags contains all SSH-related flags and parameters
+type sshFlags struct {
+	Port                  int
+	Username              string
+	Login                 string
+	RequestPTY            bool
+	StrictHostKeyChecking bool
+	KnownHostsFile        string
+	IdentityFile          string
+	SkipCachedToken       bool
+	ConfigPath            string
+	LogLevel              string
+	LocalForwards         []string
+	RemoteForwards        []string
+	Host                  string
+	Command               string
+}
+
+func createSSHFlagSet() (*flag.FlagSet, *sshFlags) {
+	defaultConfigPath := getEnvOrDefault("CONFIG", configPath)
+	defaultLogLevel := getEnvOrDefault("LOG_LEVEL", logLevel)
+
+	fs := flag.NewFlagSet("ssh-flags", flag.ContinueOnError)
+	fs.SetOutput(nil)
+
+	flags := &sshFlags{}
+
+	fs.IntVar(&flags.Port, "p", sshserver.DefaultSSHPort, "SSH port")
+	fs.IntVar(&flags.Port, "port", sshserver.DefaultSSHPort, "SSH port")
+	fs.StringVar(&flags.Username, "u", "", sshUsernameDesc)
+	fs.StringVar(&flags.Username, "user", "", sshUsernameDesc)
+	fs.StringVar(&flags.Login, "login", "", sshUsernameDesc+" (alias for --user)")
+	fs.BoolVar(&flags.RequestPTY, "t", false, "Force pseudo-terminal allocation")
+	fs.BoolVar(&flags.RequestPTY, "tty", false, "Force pseudo-terminal allocation")
+
+	fs.BoolVar(&flags.StrictHostKeyChecking, "strict-host-key-checking", true, "Enable strict host key checking")
+	fs.StringVar(&flags.KnownHostsFile, "o", "", "Path to known_hosts file")
+	fs.StringVar(&flags.KnownHostsFile, "known-hosts", "", "Path to known_hosts file")
+	fs.StringVar(&flags.IdentityFile, "i", "", "Path to SSH private key file")
+	fs.StringVar(&flags.IdentityFile, "identity", "", "Path to SSH private key file")
+	fs.BoolVar(&flags.SkipCachedToken, "no-cache", false, "Skip cached JWT token and force fresh authentication")
+
+	fs.StringVar(&flags.ConfigPath, "c", defaultConfigPath, "Netbird config file location")
+	fs.StringVar(&flags.ConfigPath, "config", defaultConfigPath, "Netbird config file location")
+	fs.StringVar(&flags.LogLevel, "l", defaultLogLevel, "sets Netbird log level")
+	fs.StringVar(&flags.LogLevel, "log-level", defaultLogLevel, "sets Netbird log level")
+
+	return fs, flags
+}
+
+func validateSSHArgsWithoutFlagParsing(_ *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return errors.New(hostArgumentRequired)
+	}
+
+	resetSSHGlobals()
+
+	if len(os.Args) > 2 {
+		extractGlobalFlags(os.Args[1:])
+	}
+
+	filteredArgs, localForwardFlags, remoteForwardFlags := parseCustomSSHFlags(args)
+
+	fs, flags := createSSHFlagSet()
+
+	if err := fs.Parse(filteredArgs); err != nil {
+		if errors.Is(err, flag.ErrHelp) {
+			return nil
+		}
+		return err
+	}
+
+	remaining := fs.Args()
+	if len(remaining) < 1 {
+		return errors.New(hostArgumentRequired)
+	}
+
+	port = flags.Port
+	if flags.Username != "" {
+		username = flags.Username
+	} else if flags.Login != "" {
+		username = flags.Login
+	}
+
+	requestPTY = flags.RequestPTY
+	strictHostKeyChecking = flags.StrictHostKeyChecking
+	knownHostsFile = flags.KnownHostsFile
+	identityFile = flags.IdentityFile
+	skipCachedToken = flags.SkipCachedToken
+
+	if flags.ConfigPath != getEnvOrDefault("CONFIG", configPath) {
+		configPath = flags.ConfigPath
+	}
+	if flags.LogLevel != getEnvOrDefault("LOG_LEVEL", logLevel) {
+		logLevel = flags.LogLevel
+	}
+
+	localForwards = localForwardFlags
+	remoteForwards = remoteForwardFlags
+
+	return parseHostnameAndCommand(remaining)
+}
+
+func parseHostnameAndCommand(args []string) error {
+	if len(args) < 1 {
+		return errors.New(hostArgumentRequired)
+	}
+
+	arg := args[0]
+	if strings.Contains(arg, "@") {
+		parts := strings.SplitN(arg, "@", 2)
+		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
+			return errors.New("invalid user@host format")
+		}
+		if username == "" {
+			username = parts[0]
+		}
+		host = parts[1]
+	} else {
+		host = arg
+	}
+
+	if username == "" {
+		if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+			username = sudoUser
+		} else if currentUser, err := user.Current(); err == nil {
+			username = currentUser.Username
+		} else {
+			username = "root"
+		}
+	}
+
+	// Everything after hostname becomes the command
+	if len(args) > 1 {
+		command = strings.Join(args[1:], " ")
+	}
+
+	return nil
+}
+
+func runSSH(ctx context.Context, addr string, cmd *cobra.Command) error {
+	target := fmt.Sprintf("%s:%d", addr, port)
+	c, err := sshclient.Dial(ctx, target, username, sshclient.DialOptions{
+		KnownHostsFile:     knownHostsFile,
+		IdentityFile:       identityFile,
+		DaemonAddr:         daemonAddr,
+		SkipCachedToken:    skipCachedToken,
+		InsecureSkipVerify: !strictHostKeyChecking,
+	})
+
+	if err != nil {
+		cmd.Printf("Failed to connect to %s@%s\n", username, target)
+		cmd.Printf("\nTroubleshooting steps:\n")
+		cmd.Printf("  1. Check peer connectivity: netbird status -d\n")
+		cmd.Printf("  2. Verify SSH server is enabled on the peer\n")
+		cmd.Printf("  3. Ensure correct hostname/IP is used\n")
+		return fmt.Errorf("dial %s: %w", target, err)
+	}
+
+	sshCtx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	go func() {
+		<-sshCtx.Done()
+		if err := c.Close(); err != nil {
+			cmd.Printf("Error closing SSH connection: %v\n", err)
+		}
+	}()
+
+	if err := startPortForwarding(sshCtx, c, cmd); err != nil {
+		return fmt.Errorf("start port forwarding: %w", err)
+	}
+
+	if command != "" {
+		return executeSSHCommand(sshCtx, c, command)
+	}
+	return openSSHTerminal(sshCtx, c)
+}
+
+// executeSSHCommand executes a command over SSH.
+func executeSSHCommand(ctx context.Context, c *sshclient.Client, command string) error {
+	var err error
+	if requestPTY {
+		err = c.ExecuteCommandWithPTY(ctx, command)
+	} else {
+		err = c.ExecuteCommandWithIO(ctx, command)
+	}
+
+	if err != nil {
+		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+			return nil
+		}
+
+		var exitErr *ssh.ExitError
+		if errors.As(err, &exitErr) {
+			os.Exit(exitErr.ExitStatus())
+		}
+
+		var exitMissingErr *ssh.ExitMissingError
+		if errors.As(err, &exitMissingErr) {
+			log.Debugf("Remote command exited without exit status: %v", err)
+			return nil
+		}
+
+		return fmt.Errorf("execute command: %w", err)
+	}
+	return nil
+}
+
+// openSSHTerminal opens an interactive SSH terminal.
+func openSSHTerminal(ctx context.Context, c *sshclient.Client) error {
+	if err := c.OpenTerminal(ctx); err != nil {
+		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+			return nil
+		}
+
+		var exitMissingErr *ssh.ExitMissingError
+		if errors.As(err, &exitMissingErr) {
+			log.Debugf("Remote terminal exited without exit status: %v", err)
+			return nil
+		}
+
+		return fmt.Errorf("open terminal: %w", err)
+	}
+	return nil
+}
+
+// startPortForwarding starts local and remote port forwarding based on command line flags
+func startPortForwarding(ctx context.Context, c *sshclient.Client, cmd *cobra.Command) error {
+	for _, forward := range localForwards {
+		if err := parseAndStartLocalForward(ctx, c, forward, cmd); err != nil {
+			return fmt.Errorf("local port forward %s: %w", forward, err)
+		}
+	}
+
+	for _, forward := range remoteForwards {
+		if err := parseAndStartRemoteForward(ctx, c, forward, cmd); err != nil {
+			return fmt.Errorf("remote port forward %s: %w", forward, err)
+		}
+	}
+
+	return nil
+}
+
+// parseAndStartLocalForward parses and starts a local port forward (-L)
+func parseAndStartLocalForward(ctx context.Context, c *sshclient.Client, forward string, cmd *cobra.Command) error {
+	localAddr, remoteAddr, err := parsePortForwardSpec(forward)
+	if err != nil {
+		return err
+	}
+
+	cmd.Printf("Local port forwarding: %s -> %s\n", localAddr, remoteAddr)
+
+	go func() {
+		if err := c.LocalPortForward(ctx, localAddr, remoteAddr); err != nil && !errors.Is(err, context.Canceled) {
+			cmd.Printf("Local port forward error: %v\n", err)
+		}
+	}()
+
+	return nil
+}
+
+// parseAndStartRemoteForward parses and starts a remote port forward (-R)
+func parseAndStartRemoteForward(ctx context.Context, c *sshclient.Client, forward string, cmd *cobra.Command) error {
+	remoteAddr, localAddr, err := parsePortForwardSpec(forward)
+	if err != nil {
+		return err
+	}
+
+	cmd.Printf("Remote port forwarding: %s -> %s\n", remoteAddr, localAddr)
+
+	go func() {
+		if err := c.RemotePortForward(ctx, remoteAddr, localAddr); err != nil && !errors.Is(err, context.Canceled) {
+			cmd.Printf("Remote port forward error: %v\n", err)
+		}
+	}()
+
+	return nil
+}
+
+// parsePortForwardSpec parses port forward specifications like "8080:localhost:80" or "[::1]:8080:localhost:80".
+// Also supports Unix sockets like "8080:/tmp/socket" or "127.0.0.1:8080:/tmp/socket".
+func parsePortForwardSpec(spec string) (string, string, error) {
+	// Support formats:
+	// port:host:hostport  -> localhost:port -> host:hostport
+	// host:port:host:hostport  -> host:port -> host:hostport
+	// [host]:port:host:hostport -> [host]:port -> host:hostport
+	// port:unix_socket_path -> localhost:port -> unix_socket_path
+	// host:port:unix_socket_path -> host:port -> unix_socket_path
+
+	if strings.HasPrefix(spec, "[") && strings.Contains(spec, "]:") {
+		return parseIPv6ForwardSpec(spec)
+	}
+
+	parts := strings.Split(spec, ":")
+	if len(parts) < 2 {
+		return "", "", fmt.Errorf("invalid port forward specification: %s (expected format: [local_host:]local_port:remote_target)", spec)
+	}
+
+	switch len(parts) {
+	case 2:
+		return parseTwoPartForwardSpec(parts, spec)
+	case 3:
+		return parseThreePartForwardSpec(parts)
+	case 4:
+		return parseFourPartForwardSpec(parts)
+	default:
+		return "", "", fmt.Errorf("invalid port forward specification: %s", spec)
+	}
+}
+
+// parseTwoPartForwardSpec handles "port:unix_socket" format.
+func parseTwoPartForwardSpec(parts []string, spec string) (string, string, error) {
+	if isUnixSocket(parts[1]) {
+		localAddr := "localhost:" + parts[0]
+		remoteAddr := parts[1]
+		return localAddr, remoteAddr, nil
+	}
+	return "", "", fmt.Errorf("invalid port forward specification: %s (expected format: [local_host:]local_port:remote_host:remote_port or [local_host:]local_port:unix_socket)", spec)
+}
+
+// parseThreePartForwardSpec handles "port:host:hostport" or "host:port:unix_socket" formats.
+func parseThreePartForwardSpec(parts []string) (string, string, error) {
+	if isUnixSocket(parts[2]) {
+		localHost := normalizeLocalHost(parts[0])
+		localAddr := localHost + ":" + parts[1]
+		remoteAddr := parts[2]
+		return localAddr, remoteAddr, nil
+	}
+	localAddr := "localhost:" + parts[0]
+	remoteAddr := parts[1] + ":" + parts[2]
+	return localAddr, remoteAddr, nil
+}
+
+// parseFourPartForwardSpec handles "host:port:host:hostport" format.
+func parseFourPartForwardSpec(parts []string) (string, string, error) {
+	localHost := normalizeLocalHost(parts[0])
+	localAddr := localHost + ":" + parts[1]
+	remoteAddr := parts[2] + ":" + parts[3]
+	return localAddr, remoteAddr, nil
+}
+
+// parseIPv6ForwardSpec handles "[host]:port:host:hostport" format.
+func parseIPv6ForwardSpec(spec string) (string, string, error) {
+	idx := strings.Index(spec, "]:")
+	if idx == -1 {
+		return "", "", fmt.Errorf("invalid IPv6 port forward specification: %s", spec)
+	}
+
+	ipv6Host := spec[:idx+1]
+	remaining := spec[idx+2:]
+
+	parts := strings.Split(remaining, ":")
+	if len(parts) != 3 {
+		return "", "", fmt.Errorf("invalid IPv6 port forward specification: %s (expected [ipv6]:port:host:hostport)", spec)
+	}
+
+	localAddr := ipv6Host + ":" + parts[0]
+	remoteAddr := parts[1] + ":" + parts[2]
+	return localAddr, remoteAddr, nil
+}
+
+// isUnixSocket checks if a path is a Unix socket path.
+func isUnixSocket(path string) bool {
+	return strings.HasPrefix(path, "/") || strings.HasPrefix(path, "./")
+}
+
+// normalizeLocalHost converts "*" to "0.0.0.0" for binding to all interfaces.
+func normalizeLocalHost(host string) string {
+	if host == "*" {
+		return "0.0.0.0"
+	}
+	return host
+}
+
+var sshProxyCmd = &cobra.Command{
+	Use:    "proxy <host> <port>",
+	Short:  "Internal SSH proxy for native SSH client integration",
+	Long:   "Internal command used by SSH ProxyCommand to handle JWT authentication",
+	Hidden: true,
+	Args:   cobra.ExactArgs(2),
+	RunE:   sshProxyFn,
+}
+
+func sshProxyFn(cmd *cobra.Command, args []string) error {
+	logOutput := "console"
+	if firstLogFile := util.FindFirstLogPath(logFiles); firstLogFile != "" && firstLogFile != defaultLogFile {
+		logOutput = firstLogFile
+	}
+	if err := util.InitLog(logLevel, logOutput); err != nil {
+		return fmt.Errorf("init log: %w", err)
+	}
+
+	host := args[0]
+	portStr := args[1]
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return fmt.Errorf("invalid port: %s", portStr)
+	}
+
+	proxy, err := sshproxy.New(daemonAddr, host, port, cmd.ErrOrStderr())
+	if err != nil {
+		return fmt.Errorf("create SSH proxy: %w", err)
+	}
+	defer func() {
+		if err := proxy.Close(); err != nil {
+			log.Debugf("close SSH proxy: %v", err)
+		}
+	}()
+
+	if err := proxy.Connect(cmd.Context()); err != nil {
+		return fmt.Errorf("SSH proxy: %w", err)
+	}
+
+	return nil
+}
+
+var sshDetectCmd = &cobra.Command{
+	Use:    "detect <host> <port>",
+	Short:  "Detect if a host is running NetBird SSH",
+	Long:   "Internal command used by SSH Match exec to detect NetBird SSH servers. Exit codes: 0=JWT, 1=no-JWT, 2=regular SSH",
+	Hidden: true,
+	Args:   cobra.ExactArgs(2),
+	RunE:   sshDetectFn,
+}
+
+func sshDetectFn(cmd *cobra.Command, args []string) error {
+	if err := util.InitLog(logLevel, "console"); err != nil {
+		os.Exit(detection.ServerTypeRegular.ExitCode())
+	}
+
+	host := args[0]
+	portStr := args[1]
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		os.Exit(detection.ServerTypeRegular.ExitCode())
+	}
+
+	dialer := &net.Dialer{Timeout: detection.Timeout}
+	serverType, err := detection.DetectSSHServerType(cmd.Context(), dialer, host, port)
+	if err != nil {
+		os.Exit(detection.ServerTypeRegular.ExitCode())
+	}
+
+	os.Exit(serverType.ExitCode())
+	return nil
 }

client/cmd/ssh_exec_unix.go

@@ -0,0 +1,74 @@
+//go:build unix
+
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	sshserver "github.com/netbirdio/netbird/client/ssh/server"
+)
+
+var (
+	sshExecUID        uint32
+	sshExecGID        uint32
+	sshExecGroups     []uint
+	sshExecWorkingDir string
+	sshExecShell      string
+	sshExecCommand    string
+	sshExecPTY        bool
+)
+
+// sshExecCmd represents the hidden ssh exec subcommand for privilege dropping
+var sshExecCmd = &cobra.Command{
+	Use:    "exec",
+	Short:  "Internal SSH execution with privilege dropping (hidden)",
+	Hidden: true,
+	RunE:   runSSHExec,
+}
+
+func init() {
+	sshExecCmd.Flags().Uint32Var(&sshExecUID, "uid", 0, "Target user ID")
+	sshExecCmd.Flags().Uint32Var(&sshExecGID, "gid", 0, "Target group ID")
+	sshExecCmd.Flags().UintSliceVar(&sshExecGroups, "groups", nil, "Supplementary group IDs (can be repeated)")
+	sshExecCmd.Flags().StringVar(&sshExecWorkingDir, "working-dir", "", "Working directory")
+	sshExecCmd.Flags().StringVar(&sshExecShell, "shell", "/bin/sh", "Shell to execute")
+	sshExecCmd.Flags().BoolVar(&sshExecPTY, "pty", false, "Request PTY (will fail as executor doesn't support PTY)")
+	sshExecCmd.Flags().StringVar(&sshExecCommand, "cmd", "", "Command to execute")
+
+	if err := sshExecCmd.MarkFlagRequired("uid"); err != nil {
+		_, _ = fmt.Fprintf(os.Stderr, "failed to mark uid flag as required: %v\n", err)
+		os.Exit(1)
+	}
+	if err := sshExecCmd.MarkFlagRequired("gid"); err != nil {
+		_, _ = fmt.Fprintf(os.Stderr, "failed to mark gid flag as required: %v\n", err)
+		os.Exit(1)
+	}
+
+	sshCmd.AddCommand(sshExecCmd)
+}
+
+// runSSHExec handles the SSH exec subcommand execution.
+func runSSHExec(cmd *cobra.Command, _ []string) error {
+	privilegeDropper := sshserver.NewPrivilegeDropper()
+
+	var groups []uint32
+	for _, groupInt := range sshExecGroups {
+		groups = append(groups, uint32(groupInt))
+	}
+
+	config := sshserver.ExecutorConfig{
+		UID:        sshExecUID,
+		GID:        sshExecGID,
+		Groups:     groups,
+		WorkingDir: sshExecWorkingDir,
+		Shell:      sshExecShell,
+		Command:    sshExecCommand,
+		PTY:        sshExecPTY,
+	}
+
+	privilegeDropper.ExecuteWithPrivilegeDrop(cmd.Context(), config)
+	return nil
+}

client/cmd/ssh_sftp_unix.go

@@ -0,0 +1,94 @@
+//go:build unix
+
+package cmd
+
+import (
+	"errors"
+	"io"
+	"os"
+
+	"github.com/pkg/sftp"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	sshserver "github.com/netbirdio/netbird/client/ssh/server"
+)
+
+var (
+	sftpUID        uint32
+	sftpGID        uint32
+	sftpGroupsInt  []uint
+	sftpWorkingDir string
+)
+
+var sshSftpCmd = &cobra.Command{
+	Use:    "sftp",
+	Short:  "SFTP server with privilege dropping (internal use)",
+	Hidden: true,
+	RunE:   sftpMain,
+}
+
+func init() {
+	sshSftpCmd.Flags().Uint32Var(&sftpUID, "uid", 0, "Target user ID")
+	sshSftpCmd.Flags().Uint32Var(&sftpGID, "gid", 0, "Target group ID")
+	sshSftpCmd.Flags().UintSliceVar(&sftpGroupsInt, "groups", nil, "Supplementary group IDs (can be repeated)")
+	sshSftpCmd.Flags().StringVar(&sftpWorkingDir, "working-dir", "", "Working directory")
+}
+
+func sftpMain(cmd *cobra.Command, _ []string) error {
+	privilegeDropper := sshserver.NewPrivilegeDropper()
+
+	var groups []uint32
+	for _, groupInt := range sftpGroupsInt {
+		groups = append(groups, uint32(groupInt))
+	}
+
+	config := sshserver.ExecutorConfig{
+		UID:        sftpUID,
+		GID:        sftpGID,
+		Groups:     groups,
+		WorkingDir: sftpWorkingDir,
+		Shell:      "",
+		Command:    "",
+	}
+
+	log.Tracef("dropping privileges for SFTP to UID=%d, GID=%d, groups=%v", config.UID, config.GID, config.Groups)
+
+	if err := privilegeDropper.DropPrivileges(config.UID, config.GID, config.Groups); err != nil {
+		cmd.PrintErrf("privilege drop failed: %v\n", err)
+		os.Exit(sshserver.ExitCodePrivilegeDropFail)
+	}
+
+	if config.WorkingDir != "" {
+		if err := os.Chdir(config.WorkingDir); err != nil {
+			cmd.PrintErrf("failed to change to working directory %s: %v\n", config.WorkingDir, err)
+		}
+	}
+
+	sftpServer, err := sftp.NewServer(struct {
+		io.Reader
+		io.WriteCloser
+	}{
+		Reader:      os.Stdin,
+		WriteCloser: os.Stdout,
+	})
+	if err != nil {
+		cmd.PrintErrf("SFTP server creation failed: %v\n", err)
+		os.Exit(sshserver.ExitCodeShellExecFail)
+	}
+
+	log.Tracef("starting SFTP server with dropped privileges")
+	if err := sftpServer.Serve(); err != nil && !errors.Is(err, io.EOF) {
+		cmd.PrintErrf("SFTP server error: %v\n", err)
+		if closeErr := sftpServer.Close(); closeErr != nil {
+			cmd.PrintErrf("SFTP server close error: %v\n", closeErr)
+		}
+		os.Exit(sshserver.ExitCodeShellExecFail)
+	}
+
+	if closeErr := sftpServer.Close(); closeErr != nil {
+		cmd.PrintErrf("SFTP server close error: %v\n", closeErr)
+	}
+	os.Exit(sshserver.ExitCodeSuccess)
+	return nil
+}

client/cmd/ssh_sftp_windows.go

@@ -0,0 +1,94 @@
+//go:build windows
+
+package cmd
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"os/user"
+	"strings"
+
+	"github.com/pkg/sftp"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	sshserver "github.com/netbirdio/netbird/client/ssh/server"
+)
+
+var (
+	sftpWorkingDir  string
+	windowsUsername string
+	windowsDomain   string
+)
+
+var sshSftpCmd = &cobra.Command{
+	Use:    "sftp",
+	Short:  "SFTP server with user switching for Windows (internal use)",
+	Hidden: true,
+	RunE:   sftpMain,
+}
+
+func init() {
+	sshSftpCmd.Flags().StringVar(&sftpWorkingDir, "working-dir", "", "Working directory")
+	sshSftpCmd.Flags().StringVar(&windowsUsername, "windows-username", "", "Windows username for user switching")
+	sshSftpCmd.Flags().StringVar(&windowsDomain, "windows-domain", "", "Windows domain for user switching")
+}
+
+func sftpMain(cmd *cobra.Command, _ []string) error {
+	return sftpMainDirect(cmd)
+}
+
+func sftpMainDirect(cmd *cobra.Command) error {
+	currentUser, err := user.Current()
+	if err != nil {
+		cmd.PrintErrf("failed to get current user: %v\n", err)
+		os.Exit(sshserver.ExitCodeValidationFail)
+	}
+
+	if windowsUsername != "" {
+		expectedUsername := windowsUsername
+		if windowsDomain != "" {
+			expectedUsername = fmt.Sprintf(`%s\%s`, windowsDomain, windowsUsername)
+		}
+		if !strings.EqualFold(currentUser.Username, expectedUsername) && !strings.EqualFold(currentUser.Username, windowsUsername) {
+			cmd.PrintErrf("user switching failed\n")
+			os.Exit(sshserver.ExitCodeValidationFail)
+		}
+	}
+
+	log.Debugf("SFTP process running as: %s (UID: %s, Name: %s)", currentUser.Username, currentUser.Uid, currentUser.Name)
+
+	if sftpWorkingDir != "" {
+		if err := os.Chdir(sftpWorkingDir); err != nil {
+			cmd.PrintErrf("failed to change to working directory %s: %v\n", sftpWorkingDir, err)
+		}
+	}
+
+	sftpServer, err := sftp.NewServer(struct {
+		io.Reader
+		io.WriteCloser
+	}{
+		Reader:      os.Stdin,
+		WriteCloser: os.Stdout,
+	})
+	if err != nil {
+		cmd.PrintErrf("SFTP server creation failed: %v\n", err)
+		os.Exit(sshserver.ExitCodeShellExecFail)
+	}
+
+	log.Debugf("starting SFTP server")
+	exitCode := sshserver.ExitCodeSuccess
+	if err := sftpServer.Serve(); err != nil && !errors.Is(err, io.EOF) {
+		cmd.PrintErrf("SFTP server error: %v\n", err)
+		exitCode = sshserver.ExitCodeShellExecFail
+	}
+
+	if err := sftpServer.Close(); err != nil {
+		log.Debugf("SFTP server close error: %v", err)
+	}
+
+	os.Exit(exitCode)
+	return nil
+}

client/cmd/ssh_test.go

@@ -0,0 +1,717 @@
+package cmd
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSSHCommand_FlagParsing(t *testing.T) {
+	tests := []struct {
+		name         string
+		args         []string
+		expectedHost string
+		expectedUser string
+		expectedPort int
+		expectedCmd  string
+		expectError  bool
+	}{
+		{
+			name:         "basic host",
+			args:         []string{"hostname"},
+			expectedHost: "hostname",
+			expectedUser: "",
+			expectedPort: 22,
+			expectedCmd:  "",
+		},
+		{
+			name:         "user@host format",
+			args:         []string{"user@hostname"},
+			expectedHost: "hostname",
+			expectedUser: "user",
+			expectedPort: 22,
+			expectedCmd:  "",
+		},
+		{
+			name:         "host with command",
+			args:         []string{"hostname", "echo", "hello"},
+			expectedHost: "hostname",
+			expectedUser: "",
+			expectedPort: 22,
+			expectedCmd:  "echo hello",
+		},
+		{
+			name:         "command with flags should be preserved",
+			args:         []string{"hostname", "ls", "-la", "/tmp"},
+			expectedHost: "hostname",
+			expectedUser: "",
+			expectedPort: 22,
+			expectedCmd:  "ls -la /tmp",
+		},
+		{
+			name:         "double dash separator",
+			args:         []string{"hostname", "--", "ls", "-la"},
+			expectedHost: "hostname",
+			expectedUser: "",
+			expectedPort: 22,
+			expectedCmd:  "-- ls -la",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			// Mock command for testing
+			cmd := sshCmd
+			cmd.SetArgs(tt.args)
+
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+
+			if tt.expectError {
+				assert.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+			assert.Equal(t, tt.expectedHost, host, "host mismatch")
+			if tt.expectedUser != "" {
+				assert.Equal(t, tt.expectedUser, username, "username mismatch")
+			}
+			assert.Equal(t, tt.expectedPort, port, "port mismatch")
+			assert.Equal(t, tt.expectedCmd, command, "command mismatch")
+		})
+	}
+}
+
+func TestSSHCommand_FlagConflictPrevention(t *testing.T) {
+	// Test that SSH flags don't conflict with command flags
+	tests := []struct {
+		name        string
+		args        []string
+		expectedCmd string
+		description string
+	}{
+		{
+			name:        "ls with -la flags",
+			args:        []string{"hostname", "ls", "-la"},
+			expectedCmd: "ls -la",
+			description: "ls flags should be passed to remote command",
+		},
+		{
+			name:        "grep with -r flag",
+			args:        []string{"hostname", "grep", "-r", "pattern", "/path"},
+			expectedCmd: "grep -r pattern /path",
+			description: "grep flags should be passed to remote command",
+		},
+		{
+			name:        "ps with aux flags",
+			args:        []string{"hostname", "ps", "aux"},
+			expectedCmd: "ps aux",
+			description: "ps flags should be passed to remote command",
+		},
+		{
+			name:        "command with double dash",
+			args:        []string{"hostname", "--", "ls", "-la"},
+			expectedCmd: "-- ls -la",
+			description: "double dash should be preserved in command",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			cmd := sshCmd
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+
+			assert.Equal(t, tt.expectedCmd, command, tt.description)
+		})
+	}
+}
+
+func TestSSHCommand_NonInteractiveExecution(t *testing.T) {
+	// Test that commands with arguments should execute the command and exit,
+	// not drop to an interactive shell
+	tests := []struct {
+		name        string
+		args        []string
+		expectedCmd string
+		shouldExit  bool
+		description string
+	}{
+		{
+			name:        "ls command should execute and exit",
+			args:        []string{"hostname", "ls"},
+			expectedCmd: "ls",
+			shouldExit:  true,
+			description: "ls command should execute and exit, not drop to shell",
+		},
+		{
+			name:        "ls with flags should execute and exit",
+			args:        []string{"hostname", "ls", "-la"},
+			expectedCmd: "ls -la",
+			shouldExit:  true,
+			description: "ls with flags should execute and exit, not drop to shell",
+		},
+		{
+			name:        "pwd command should execute and exit",
+			args:        []string{"hostname", "pwd"},
+			expectedCmd: "pwd",
+			shouldExit:  true,
+			description: "pwd command should execute and exit, not drop to shell",
+		},
+		{
+			name:        "echo command should execute and exit",
+			args:        []string{"hostname", "echo", "hello"},
+			expectedCmd: "echo hello",
+			shouldExit:  true,
+			description: "echo command should execute and exit, not drop to shell",
+		},
+		{
+			name:        "no command should open shell",
+			args:        []string{"hostname"},
+			expectedCmd: "",
+			shouldExit:  false,
+			description: "no command should open interactive shell",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			cmd := sshCmd
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+
+			assert.Equal(t, tt.expectedCmd, command, tt.description)
+
+			// When command is present, it should execute the command and exit
+			// When command is empty, it should open interactive shell
+			hasCommand := command != ""
+			assert.Equal(t, tt.shouldExit, hasCommand, "Command presence should match expected behavior")
+		})
+	}
+}
+
+func TestSSHCommand_FlagHandling(t *testing.T) {
+	// Test that flags after hostname are not parsed by netbird but passed to SSH command
+	tests := []struct {
+		name         string
+		args         []string
+		expectedHost string
+		expectedCmd  string
+		expectError  bool
+		description  string
+	}{
+		{
+			name:         "ls with -la flag should not be parsed by netbird",
+			args:         []string{"debian2", "ls", "-la"},
+			expectedHost: "debian2",
+			expectedCmd:  "ls -la",
+			expectError:  false,
+			description:  "ls -la should be passed as SSH command, not parsed as netbird flags",
+		},
+		{
+			name:         "command with netbird-like flags should be passed through",
+			args:         []string{"hostname", "echo", "--help"},
+			expectedHost: "hostname",
+			expectedCmd:  "echo --help",
+			expectError:  false,
+			description:  "--help should be passed to echo, not parsed by netbird",
+		},
+		{
+			name:         "command with -p flag should not conflict with SSH port flag",
+			args:         []string{"hostname", "ps", "-p", "1234"},
+			expectedHost: "hostname",
+			expectedCmd:  "ps -p 1234",
+			expectError:  false,
+			description:  "ps -p should be passed to ps command, not parsed as port",
+		},
+		{
+			name:         "tar with flags should be passed through",
+			args:         []string{"hostname", "tar", "-czf", "backup.tar.gz", "/home"},
+			expectedHost: "hostname",
+			expectedCmd:  "tar -czf backup.tar.gz /home",
+			expectError:  false,
+			description:  "tar flags should be passed to tar command",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			cmd := sshCmd
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+
+			if tt.expectError {
+				assert.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+			assert.Equal(t, tt.expectedHost, host, "host mismatch")
+			assert.Equal(t, tt.expectedCmd, command, tt.description)
+		})
+	}
+}
+
+func TestSSHCommand_RegressionFlagParsing(t *testing.T) {
+	// Regression test for the specific issue: "sudo ./netbird ssh debian2 ls -la"
+	// should not parse -la as netbird flags but pass them to the SSH command
+	tests := []struct {
+		name         string
+		args         []string
+		expectedHost string
+		expectedCmd  string
+		expectError  bool
+		description  string
+	}{
+		{
+			name:         "original issue: ls -la should be preserved",
+			args:         []string{"debian2", "ls", "-la"},
+			expectedHost: "debian2",
+			expectedCmd:  "ls -la",
+			expectError:  false,
+			description:  "The original failing case should now work",
+		},
+		{
+			name:         "ls -l should be preserved",
+			args:         []string{"hostname", "ls", "-l"},
+			expectedHost: "hostname",
+			expectedCmd:  "ls -l",
+			expectError:  false,
+			description:  "Single letter flags should be preserved",
+		},
+		{
+			name:         "SSH port flag should work",
+			args:         []string{"-p", "2222", "hostname", "ls", "-la"},
+			expectedHost: "hostname",
+			expectedCmd:  "ls -la",
+			expectError:  false,
+			description:  "SSH -p flag should be parsed, command flags preserved",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			cmd := sshCmd
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+
+			if tt.expectError {
+				assert.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+			assert.Equal(t, tt.expectedHost, host, "host mismatch")
+			assert.Equal(t, tt.expectedCmd, command, tt.description)
+
+			// Check port for the test case with -p flag
+			if len(tt.args) > 0 && tt.args[0] == "-p" {
+				assert.Equal(t, 2222, port, "port should be parsed from -p flag")
+			}
+		})
+	}
+}
+
+func TestSSHCommand_PortForwardingFlagParsing(t *testing.T) {
+	tests := []struct {
+		name           string
+		args           []string
+		expectedHost   string
+		expectedLocal  []string
+		expectedRemote []string
+		expectError    bool
+		description    string
+	}{
+		{
+			name:           "local port forwarding -L",
+			args:           []string{"-L", "8080:localhost:80", "hostname"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"8080:localhost:80"},
+			expectedRemote: []string{},
+			expectError:    false,
+			description:    "Single -L flag should be parsed correctly",
+		},
+		{
+			name:           "remote port forwarding -R",
+			args:           []string{"-R", "8080:localhost:80", "hostname"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{},
+			expectedRemote: []string{"8080:localhost:80"},
+			expectError:    false,
+			description:    "Single -R flag should be parsed correctly",
+		},
+		{
+			name:           "multiple local port forwards",
+			args:           []string{"-L", "8080:localhost:80", "-L", "9090:localhost:443", "hostname"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"8080:localhost:80", "9090:localhost:443"},
+			expectedRemote: []string{},
+			expectError:    false,
+			description:    "Multiple -L flags should be parsed correctly",
+		},
+		{
+			name:           "multiple remote port forwards",
+			args:           []string{"-R", "8080:localhost:80", "-R", "9090:localhost:443", "hostname"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{},
+			expectedRemote: []string{"8080:localhost:80", "9090:localhost:443"},
+			expectError:    false,
+			description:    "Multiple -R flags should be parsed correctly",
+		},
+		{
+			name:           "mixed local and remote forwards",
+			args:           []string{"-L", "8080:localhost:80", "-R", "9090:localhost:443", "hostname"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"8080:localhost:80"},
+			expectedRemote: []string{"9090:localhost:443"},
+			expectError:    false,
+			description:    "Mixed -L and -R flags should be parsed correctly",
+		},
+		{
+			name:           "port forwarding with bind address",
+			args:           []string{"-L", "127.0.0.1:8080:localhost:80", "hostname"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"127.0.0.1:8080:localhost:80"},
+			expectedRemote: []string{},
+			expectError:    false,
+			description:    "Port forwarding with bind address should work",
+		},
+		{
+			name:           "port forwarding with command",
+			args:           []string{"-L", "8080:localhost:80", "hostname", "ls", "-la"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"8080:localhost:80"},
+			expectedRemote: []string{},
+			expectError:    false,
+			description:    "Port forwarding with command should work",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+			localForwards = nil
+			remoteForwards = nil
+
+			cmd := sshCmd
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+
+			if tt.expectError {
+				assert.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+			assert.Equal(t, tt.expectedHost, host, "host mismatch")
+			// Handle nil vs empty slice comparison
+			if len(tt.expectedLocal) == 0 {
+				assert.True(t, len(localForwards) == 0, tt.description+" - local forwards should be empty")
+			} else {
+				assert.Equal(t, tt.expectedLocal, localForwards, tt.description+" - local forwards")
+			}
+			if len(tt.expectedRemote) == 0 {
+				assert.True(t, len(remoteForwards) == 0, tt.description+" - remote forwards should be empty")
+			} else {
+				assert.Equal(t, tt.expectedRemote, remoteForwards, tt.description+" - remote forwards")
+			}
+		})
+	}
+}
+
+func TestParsePortForward(t *testing.T) {
+	tests := []struct {
+		name           string
+		spec           string
+		expectedLocal  string
+		expectedRemote string
+		expectError    bool
+		description    string
+	}{
+		{
+			name:           "simple port forward",
+			spec:           "8080:localhost:80",
+			expectedLocal:  "localhost:8080",
+			expectedRemote: "localhost:80",
+			expectError:    false,
+			description:    "Simple port:host:port format should work",
+		},
+		{
+			name:           "port forward with bind address",
+			spec:           "127.0.0.1:8080:localhost:80",
+			expectedLocal:  "127.0.0.1:8080",
+			expectedRemote: "localhost:80",
+			expectError:    false,
+			description:    "bind_address:port:host:port format should work",
+		},
+		{
+			name:           "port forward to different host",
+			spec:           "8080:example.com:443",
+			expectedLocal:  "localhost:8080",
+			expectedRemote: "example.com:443",
+			expectError:    false,
+			description:    "Forwarding to different host should work",
+		},
+		{
+			name:        "port forward with IPv6 (needs bracket support)",
+			spec:        "::1:8080:localhost:80",
+			expectError: true,
+			description: "IPv6 without brackets fails as expected (feature to implement)",
+		},
+		{
+			name:        "invalid format - too few parts",
+			spec:        "8080:localhost",
+			expectError: true,
+			description: "Invalid format with too few parts should fail",
+		},
+		{
+			name:        "invalid format - too many parts",
+			spec:        "127.0.0.1:8080:localhost:80:extra",
+			expectError: true,
+			description: "Invalid format with too many parts should fail",
+		},
+		{
+			name:        "empty spec",
+			spec:        "",
+			expectError: true,
+			description: "Empty spec should fail",
+		},
+		{
+			name:           "unix socket local forward",
+			spec:           "8080:/tmp/socket",
+			expectedLocal:  "localhost:8080",
+			expectedRemote: "/tmp/socket",
+			expectError:    false,
+			description:    "Unix socket forwarding should work",
+		},
+		{
+			name:           "unix socket with bind address",
+			spec:           "127.0.0.1:8080:/tmp/socket",
+			expectedLocal:  "127.0.0.1:8080",
+			expectedRemote: "/tmp/socket",
+			expectError:    false,
+			description:    "Unix socket with bind address should work",
+		},
+		{
+			name:           "wildcard bind all interfaces",
+			spec:           "*:8080:localhost:80",
+			expectedLocal:  "0.0.0.0:8080",
+			expectedRemote: "localhost:80",
+			expectError:    false,
+			description:    "Wildcard * should bind to all interfaces (0.0.0.0)",
+		},
+		{
+			name:           "wildcard for port only",
+			spec:           "8080:*:80",
+			expectedLocal:  "localhost:8080",
+			expectedRemote: "*:80",
+			expectError:    false,
+			description:    "Wildcard in remote host should be preserved",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			localAddr, remoteAddr, err := parsePortForwardSpec(tt.spec)
+
+			if tt.expectError {
+				assert.Error(t, err, tt.description)
+				return
+			}
+
+			require.NoError(t, err, tt.description)
+			assert.Equal(t, tt.expectedLocal, localAddr, tt.description+" - local address")
+			assert.Equal(t, tt.expectedRemote, remoteAddr, tt.description+" - remote address")
+		})
+	}
+}
+
+func TestSSHCommand_IntegrationPortForwarding(t *testing.T) {
+	// Integration test for port forwarding with the actual SSH command implementation
+	tests := []struct {
+		name           string
+		args           []string
+		expectedHost   string
+		expectedLocal  []string
+		expectedRemote []string
+		expectedCmd    string
+		description    string
+	}{
+		{
+			name:           "local forward with command",
+			args:           []string{"-L", "8080:localhost:80", "hostname", "echo", "test"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"8080:localhost:80"},
+			expectedRemote: []string{},
+			expectedCmd:    "echo test",
+			description:    "Local forwarding should work with commands",
+		},
+		{
+			name:           "remote forward with command",
+			args:           []string{"-R", "8080:localhost:80", "hostname", "ls", "-la"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{},
+			expectedRemote: []string{"8080:localhost:80"},
+			expectedCmd:    "ls -la",
+			description:    "Remote forwarding should work with commands",
+		},
+		{
+			name:           "multiple forwards with user and command",
+			args:           []string{"-L", "8080:localhost:80", "-R", "9090:localhost:443", "user@hostname", "ps", "aux"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"8080:localhost:80"},
+			expectedRemote: []string{"9090:localhost:443"},
+			expectedCmd:    "ps aux",
+			description:    "Complex case with multiple forwards, user, and command",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+			localForwards = nil
+			remoteForwards = nil
+
+			cmd := sshCmd
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+
+			assert.Equal(t, tt.expectedHost, host, "host mismatch")
+			// Handle nil vs empty slice comparison
+			if len(tt.expectedLocal) == 0 {
+				assert.True(t, len(localForwards) == 0, tt.description+" - local forwards should be empty")
+			} else {
+				assert.Equal(t, tt.expectedLocal, localForwards, tt.description+" - local forwards")
+			}
+			if len(tt.expectedRemote) == 0 {
+				assert.True(t, len(remoteForwards) == 0, tt.description+" - remote forwards should be empty")
+			} else {
+				assert.Equal(t, tt.expectedRemote, remoteForwards, tt.description+" - remote forwards")
+			}
+			assert.Equal(t, tt.expectedCmd, command, tt.description+" - command")
+		})
+	}
+}
+
+func TestSSHCommand_ParameterIsolation(t *testing.T) {
+	tests := []struct {
+		name        string
+		args        []string
+		expectedCmd string
+	}{
+		{
+			name:        "cmd flag passed as command",
+			args:        []string{"hostname", "--cmd", "echo test"},
+			expectedCmd: "--cmd echo test",
+		},
+		{
+			name:        "uid flag passed as command",
+			args:        []string{"hostname", "--uid", "1000"},
+			expectedCmd: "--uid 1000",
+		},
+		{
+			name:        "shell flag passed as command",
+			args:        []string{"hostname", "--shell", "/bin/bash"},
+			expectedCmd: "--shell /bin/bash",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			err := validateSSHArgsWithoutFlagParsing(sshCmd, tt.args)
+			require.NoError(t, err)
+
+			assert.Equal(t, "hostname", host)
+			assert.Equal(t, tt.expectedCmd, command)
+		})
+	}
+}
+
+func TestSSHCommand_InvalidFlagRejection(t *testing.T) {
+	// Test that invalid flags are properly rejected and not misinterpreted as hostnames
+	tests := []struct {
+		name        string
+		args        []string
+		description string
+	}{
+		{
+			name:        "invalid long flag before hostname",
+			args:        []string{"--invalid-flag", "hostname"},
+			description: "Invalid flag should return parse error, not treat flag as hostname",
+		},
+		{
+			name:        "invalid short flag before hostname",
+			args:        []string{"-x", "hostname"},
+			description: "Invalid short flag should return parse error",
+		},
+		{
+			name:        "invalid flag with value before hostname",
+			args:        []string{"--invalid-option=value", "hostname"},
+			description: "Invalid flag with value should return parse error",
+		},
+		{
+			name:        "typo in known flag",
+			args:        []string{"--por", "2222", "hostname"},
+			description: "Typo in flag name should return parse error (not silently ignored)",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			err := validateSSHArgsWithoutFlagParsing(sshCmd, tt.args)
+
+			// Should return an error for invalid flags
+			assert.Error(t, err, tt.description)
+
+			// Should not have set host to the invalid flag
+			assert.NotEqual(t, tt.args[0], host, "Invalid flag should not be interpreted as hostname")
+		})
+	}
+}

client/cmd/status.go

@@ -109,7 +109,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	case yamlFlag:
 		statusOutputString, err = nbstatus.ParseToYAML(outputInformationHolder)
 	default:
-		statusOutputString = nbstatus.ParseGeneralSummary(outputInformationHolder, false, false, false)
+		statusOutputString = nbstatus.ParseGeneralSummary(outputInformationHolder, false, false, false, false)
 	}
 
 	if err != nil {

client/cmd/testutil_test.go

@@ -13,6 +13,10 @@ import (
 
 	"github.com/netbirdio/management-integrations/integrations"
 
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	"github.com/netbirdio/netbird/management/internals/server/config"
@@ -84,7 +88,6 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	}
 	t.Cleanup(cleanUp)
 
-	peersUpdateManager := mgmt.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, nil
@@ -110,13 +113,18 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		Return(&types.Settings{}, nil).
 		AnyTimes()
 
-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	ctx := context.Background()
+	updateManager := update_channel.NewPeersUpdateManager(metrics)
+	requestBuffer := mgmt.NewAccountRequestBuffer(ctx, store)
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock())
+
+	accountManager, err := mgmt.BuildManager(context.Background(), config, store, networkMapController, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &mgmt.MockIntegratedValidator{})
+	secretsManager := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, updateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &mgmt.MockIntegratedValidator{}, networkMapController)
 	if err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -185,7 +185,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 
 	_, _ = profilemanager.UpdateOldManagementURL(ctx, config, configFilePath)
 
-	err = foregroundLogin(ctx, cmd, config, providedSetupKey)
+	err = foregroundLogin(ctx, cmd, config, providedSetupKey, activeProf.Name)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -286,6 +286,13 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 	loginRequest.ProfileName = &activeProf.Name
 	loginRequest.Username = &username
 
+	profileState, err := pm.GetProfileState(activeProf.Name)
+	if err != nil {
+		log.Debugf("failed to get profile state for login hint: %v", err)
+	} else if profileState.Email != "" {
+		loginRequest.Hint = &profileState.Email
+	}
+
 	var loginErr error
 	var loginResp *proto.LoginResponse
 
@@ -348,6 +355,25 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		req.ServerSSHAllowed = &serverSSHAllowed
 	}
+	if cmd.Flag(enableSSHRootFlag).Changed {
+		req.EnableSSHRoot = &enableSSHRoot
+	}
+	if cmd.Flag(enableSSHSFTPFlag).Changed {
+		req.EnableSSHSFTP = &enableSSHSFTP
+	}
+	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
+		req.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
+	}
+	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
+		req.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
+	}
+	if cmd.Flag(disableSSHAuthFlag).Changed {
+		req.DisableSSHAuth = &disableSSHAuth
+	}
+	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
+		sshJWTCacheTTL32 := int32(sshJWTCacheTTL)
+		req.SshJWTCacheTTL = &sshJWTCacheTTL32
+	}
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
 			log.Errorf("parse interface name: %v", err)
@@ -432,6 +458,30 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.ServerSSHAllowed = &serverSSHAllowed
 	}
 
+	if cmd.Flag(enableSSHRootFlag).Changed {
+		ic.EnableSSHRoot = &enableSSHRoot
+	}
+
+	if cmd.Flag(enableSSHSFTPFlag).Changed {
+		ic.EnableSSHSFTP = &enableSSHSFTP
+	}
+
+	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
+		ic.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
+	}
+
+	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
+		ic.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
+	}
+
+	if cmd.Flag(disableSSHAuthFlag).Changed {
+		ic.DisableSSHAuth = &disableSSHAuth
+	}
+
+	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
+		ic.SSHJWTCacheTTL = &sshJWTCacheTTL
+	}
+
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
 			return nil, err
@@ -532,6 +582,31 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.ServerSSHAllowed = &serverSSHAllowed
 	}
 
+	if cmd.Flag(enableSSHRootFlag).Changed {
+		loginRequest.EnableSSHRoot = &enableSSHRoot
+	}
+
+	if cmd.Flag(enableSSHSFTPFlag).Changed {
+		loginRequest.EnableSSHSFTP = &enableSSHSFTP
+	}
+
+	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
+		loginRequest.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
+	}
+
+	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
+		loginRequest.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
+	}
+
+	if cmd.Flag(disableSSHAuthFlag).Changed {
+		loginRequest.DisableSSHAuth = &disableSSHAuth
+	}
+
+	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
+		sshJWTCacheTTL32 := int32(sshJWTCacheTTL)
+		loginRequest.SshJWTCacheTTL = &sshJWTCacheTTL32
+	}
+
 	if cmd.Flag(disableAutoConnectFlag).Changed {
 		loginRequest.DisableAutoConnect = &autoConnectDisabled
 	}

client/embed/embed.go

@@ -18,12 +18,16 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	sshcommon "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 )
 
-var ErrClientAlreadyStarted = errors.New("client already started")
-var ErrClientNotStarted = errors.New("client not started")
-var ErrConfigNotInitialized = errors.New("config not initialized")
+var (
+	ErrClientAlreadyStarted = errors.New("client already started")
+	ErrClientNotStarted     = errors.New("client not started")
+	ErrEngineNotStarted     = errors.New("engine not started")
+	ErrConfigNotInitialized = errors.New("config not initialized")
+)
 
 // Client manages a netbird embedded client instance.
 type Client struct {
@@ -238,17 +242,9 @@ func (c *Client) GetConfig() (profilemanager.Config, error) {
 // Dial dials a network address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, error) {
-	c.mu.Lock()
-	connect := c.connect
-	if connect == nil {
-		c.mu.Unlock()
-		return nil, ErrClientNotStarted
-	}
-	c.mu.Unlock()
-
-	engine := connect.Engine()
-	if engine == nil {
-		return nil, errors.New("engine not started")
+	engine, err := c.getEngine()
+	if err != nil {
+		return nil, err
 	}
 
 	nsnet, err := engine.GetNet()
@@ -259,6 +255,11 @@ func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, e
 	return nsnet.DialContext(ctx, network, address)
 }
 
+// DialContext dials a network address in the netbird network with context
+func (c *Client) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	return c.Dial(ctx, network, address)
+}
+
 // ListenTCP listens on the given address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenTCP(address string) (net.Listener, error) {
@@ -314,18 +315,47 @@ func (c *Client) NewHTTPClient() *http.Client {
 	}
 }
 
-func (c *Client) getNet() (*wgnetstack.Net, netip.Addr, error) {
+// VerifySSHHostKey verifies an SSH host key against stored peer keys.
+// Returns nil if the key matches, ErrPeerNotFound if peer is not in network,
+// ErrNoStoredKey if peer has no stored key, or an error for verification failures.
+func (c *Client) VerifySSHHostKey(peerAddress string, key []byte) error {
+	engine, err := c.getEngine()
+	if err != nil {
+		return err
+	}
+
+	storedKey, found := engine.GetPeerSSHKey(peerAddress)
+	if !found {
+		return sshcommon.ErrPeerNotFound
+	}
+
+	return sshcommon.VerifyHostKey(storedKey, key, peerAddress)
+}
+
+// getEngine safely retrieves the engine from the client with proper locking.
+// Returns ErrClientNotStarted if the client is not started.
+// Returns ErrEngineNotStarted if the engine is not available.
+func (c *Client) getEngine() (*internal.Engine, error) {
 	c.mu.Lock()
 	connect := c.connect
-	if connect == nil {
-		c.mu.Unlock()
-		return nil, netip.Addr{}, errors.New("client not started")
-	}
 	c.mu.Unlock()
 
+	if connect == nil {
+		return nil, ErrClientNotStarted
+	}
+
 	engine := connect.Engine()
 	if engine == nil {
-		return nil, netip.Addr{}, errors.New("engine not started")
+		return nil, ErrEngineNotStarted
+	}
+
+	return engine, nil
+}
+
+func (c *Client) getNet() (*wgnetstack.Net, netip.Addr, error) {
+	engine, err := c.getEngine()
+	if err != nil {
+		return nil, netip.Addr{}, err
 	}
 
 	addr, err := engine.Address()

client/firewall/create.go

@@ -15,13 +15,13 @@ import (
 )
 
 // NewFirewall creates a firewall manager instance
-func NewFirewall(iface IFaceMapper, _ *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, _ *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
 	if !iface.IsUserspaceBind() {
 		return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
 	}
 
 	// use userspace packet filtering firewall
-	fm, err := uspfilter.Create(iface, disableServerRoutes, flowLogger)
+	fm, err := uspfilter.Create(iface, disableServerRoutes, flowLogger, mtu)
 	if err != nil {
 		return nil, err
 	}

client/firewall/create_linux.go

@@ -34,12 +34,12 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 // FWType is the type for the firewall type
 type FWType int
 
-func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
 	// on the linux system we try to user nftables or iptables
 	// in any case, because we need to allow netbird interface traffic
 	// so we use AllowNetbird traffic from these firewall managers
 	// for the userspace packet filtering firewall
-	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes)
+	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes, mtu)
 
 	if !iface.IsUserspaceBind() {
 		return fm, err
@@ -48,11 +48,11 @@ func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogg
 	if err != nil {
 		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
 	}
-	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger)
+	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
 }
 
-func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool) (firewall.Manager, error) {
-	fm, err := createFW(iface)
+func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool, mtu uint16) (firewall.Manager, error) {
+	fm, err := createFW(iface, mtu)
 	if err != nil {
 		return nil, fmt.Errorf("create firewall: %s", err)
 	}
@@ -64,26 +64,26 @@ func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager,
 	return fm, nil
 }
 
-func createFW(iface IFaceMapper) (firewall.Manager, error) {
+func createFW(iface IFaceMapper, mtu uint16) (firewall.Manager, error) {
 	switch check() {
 	case IPTABLES:
 		log.Info("creating an iptables firewall manager")
-		return nbiptables.Create(iface)
+		return nbiptables.Create(iface, mtu)
 	case NFTABLES:
 		log.Info("creating an nftables firewall manager")
-		return nbnftables.Create(iface)
+		return nbnftables.Create(iface, mtu)
 	default:
 		log.Info("no firewall manager found, trying to use userspace packet filtering firewall")
 		return nil, errors.New("no firewall manager found")
 	}
 }
 
-func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (firewall.Manager, error) {
+func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (firewall.Manager, error) {
 	var errUsp error
 	if fm != nil {
-		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm, disableServerRoutes, flowLogger)
+		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
 	} else {
-		fm, errUsp = uspfilter.Create(iface, disableServerRoutes, flowLogger)
+		fm, errUsp = uspfilter.Create(iface, disableServerRoutes, flowLogger, mtu)
 	}
 
 	if errUsp != nil {

client/firewall/iptables/acl_linux.go

@@ -1,13 +1,14 @@
 package iptables
 
 import (
+	"errors"
 	"fmt"
 	"net"
 	"slices"
 
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/uuid"
-	"github.com/nadoo/ipset"
+	ipset "github.com/lrh3321/ipset-go"
 	log "github.com/sirupsen/logrus"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -40,19 +41,13 @@ type aclManager struct {
 }
 
 func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*aclManager, error) {
-	m := &aclManager{
+	return &aclManager{
 		iptablesClient:  iptablesClient,
 		wgIface:         wgIface,
 		entries:         make(map[string][][]string),
 		optionalEntries: make(map[string][]entry),
 		ipsetStore:      newIpsetStore(),
-	}
-
-	if err := ipset.Init(); err != nil {
-		return nil, fmt.Errorf("init ipset: %w", err)
-	}
-
-	return m, nil
+	}, nil
 }
 
 func (m *aclManager) init(stateManager *statemanager.Manager) error {
@@ -98,8 +93,8 @@ func (m *aclManager) AddPeerFiltering(
 	specs = append(specs, "-j", actionToStr(action))
 	if ipsetName != "" {
 		if ipList, ipsetExists := m.ipsetStore.ipset(ipsetName); ipsetExists {
-			if err := ipset.Add(ipsetName, ip.String()); err != nil {
-				return nil, fmt.Errorf("failed to add IP to ipset: %w", err)
+			if err := m.addToIPSet(ipsetName, ip); err != nil {
+				return nil, fmt.Errorf("add IP to ipset: %w", err)
 			}
 			// if ruleset already exists it means we already have the firewall rule
 			// so we need to update IPs in the ruleset and return new fw.Rule object for ACL manager.
@@ -113,14 +108,18 @@ func (m *aclManager) AddPeerFiltering(
 			}}, nil
 		}
 
-		if err := ipset.Flush(ipsetName); err != nil {
-			log.Errorf("flush ipset %s before use it: %s", ipsetName, err)
+		if err := m.flushIPSet(ipsetName); err != nil {
+			if errors.Is(err, ipset.ErrSetNotExist) {
+				log.Debugf("flush ipset %s before use: %v", ipsetName, err)
+			} else {
+				log.Errorf("flush ipset %s before use: %v", ipsetName, err)
+			}
 		}
-		if err := ipset.Create(ipsetName); err != nil {
-			return nil, fmt.Errorf("failed to create ipset: %w", err)
+		if err := m.createIPSet(ipsetName); err != nil {
+			return nil, fmt.Errorf("create ipset: %w", err)
 		}
-		if err := ipset.Add(ipsetName, ip.String()); err != nil {
-			return nil, fmt.Errorf("failed to add IP to ipset: %w", err)
+		if err := m.addToIPSet(ipsetName, ip); err != nil {
+			return nil, fmt.Errorf("add IP to ipset: %w", err)
 		}
 
 		ipList := newIpList(ip.String())
@@ -172,11 +171,16 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		return fmt.Errorf("invalid rule type")
 	}
 
+	shouldDestroyIpset := false
 	if ipsetList, ok := m.ipsetStore.ipset(r.ipsetName); ok {
 		// delete IP from ruleset IPs list and ipset
 		if _, ok := ipsetList.ips[r.ip]; ok {
-			if err := ipset.Del(r.ipsetName, r.ip); err != nil {
-				return fmt.Errorf("failed to delete ip from ipset: %w", err)
+			ip := net.ParseIP(r.ip)
+			if ip == nil {
+				return fmt.Errorf("parse IP %s", r.ip)
+			}
+			if err := m.delFromIPSet(r.ipsetName, ip); err != nil {
+				return fmt.Errorf("delete ip from ipset: %w", err)
 			}
 			delete(ipsetList.ips, r.ip)
 		}
@@ -190,10 +194,7 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		// we delete last IP from the set, that means we need to delete
 		// set itself and associated firewall rule too
 		m.ipsetStore.deleteIpset(r.ipsetName)
-
-		if err := ipset.Destroy(r.ipsetName); err != nil {
-			log.Errorf("delete empty ipset: %v", err)
-		}
+		shouldDestroyIpset = true
 	}
 
 	if err := m.iptablesClient.Delete(tableName, r.chain, r.specs...); err != nil {
@@ -206,6 +207,16 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		}
 	}
 
+	if shouldDestroyIpset {
+		if err := m.destroyIPSet(r.ipsetName); err != nil {
+			if errors.Is(err, ipset.ErrBusy) || errors.Is(err, ipset.ErrSetNotExist) {
+				log.Debugf("destroy empty ipset: %v", err)
+			} else {
+				log.Errorf("destroy empty ipset: %v", err)
+			}
+		}
+	}
+
 	m.updateState()
 
 	return nil
@@ -264,11 +275,19 @@ func (m *aclManager) cleanChains() error {
 	}
 
 	for _, ipsetName := range m.ipsetStore.ipsetNames() {
-		if err := ipset.Flush(ipsetName); err != nil {
-			log.Errorf("flush ipset %q during reset: %v", ipsetName, err)
+		if err := m.flushIPSet(ipsetName); err != nil {
+			if errors.Is(err, ipset.ErrSetNotExist) {
+				log.Debugf("flush ipset %q during reset: %v", ipsetName, err)
+			} else {
+				log.Errorf("flush ipset %q during reset: %v", ipsetName, err)
+			}
 		}
-		if err := ipset.Destroy(ipsetName); err != nil {
-			log.Errorf("delete ipset %q during reset: %v", ipsetName, err)
+		if err := m.destroyIPSet(ipsetName); err != nil {
+			if errors.Is(err, ipset.ErrBusy) || errors.Is(err, ipset.ErrSetNotExist) {
+				log.Debugf("destroy ipset %q during reset: %v", ipsetName, err)
+			} else {
+				log.Errorf("destroy ipset %q during reset: %v", ipsetName, err)
+			}
 		}
 		m.ipsetStore.deleteIpset(ipsetName)
 	}
@@ -368,8 +387,8 @@ func (m *aclManager) updateState() {
 // filterRuleSpecs returns the specs of a filtering rule
 func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
 	matchByIP := true
-	// don't use IP matching if IP is ip 0.0.0.0
-	if ip.String() == "0.0.0.0" {
+	// don't use IP matching if IP is 0.0.0.0
+	if ip.IsUnspecified() {
 		matchByIP = false
 	}
 
@@ -416,3 +435,61 @@ func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port, action fi
 		return ipsetName + actionSuffix
 	}
 }
+
+func (m *aclManager) createIPSet(name string) error {
+	opts := ipset.CreateOptions{
+		Replace: true,
+	}
+
+	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
+		return fmt.Errorf("create ipset %s: %w", name, err)
+	}
+
+	log.Debugf("created ipset %s with type hash:net", name)
+	return nil
+}
+
+func (m *aclManager) addToIPSet(name string, ip net.IP) error {
+	cidr := uint8(32)
+	if ip.To4() == nil {
+		cidr = 128
+	}
+
+	entry := &ipset.Entry{
+		IP:      ip,
+		CIDR:    cidr,
+		Replace: true,
+	}
+
+	if err := ipset.Add(name, entry); err != nil {
+		return fmt.Errorf("add IP to ipset %s: %w", name, err)
+	}
+
+	return nil
+}
+
+func (m *aclManager) delFromIPSet(name string, ip net.IP) error {
+	cidr := uint8(32)
+	if ip.To4() == nil {
+		cidr = 128
+	}
+
+	entry := &ipset.Entry{
+		IP:   ip,
+		CIDR: cidr,
+	}
+
+	if err := ipset.Del(name, entry); err != nil {
+		return fmt.Errorf("delete IP from ipset %s: %w", name, err)
+	}
+
+	return nil
+}
+
+func (m *aclManager) flushIPSet(name string) error {
+	return ipset.Flush(name)
+}
+
+func (m *aclManager) destroyIPSet(name string) error {
+	return ipset.Destroy(name)
+}

client/firewall/iptables/manager_linux.go

@@ -36,7 +36,7 @@ type iFaceMapper interface {
 }
 
 // Create iptables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
+func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	if err != nil {
 		return nil, fmt.Errorf("init iptables: %w", err)
@@ -47,7 +47,7 @@ func Create(wgIface iFaceMapper) (*Manager, error) {
 		ipv4Client: iptablesClient,
 	}
 
-	m.router, err = newRouter(iptablesClient, wgIface)
+	m.router, err = newRouter(iptablesClient, wgIface, mtu)
 	if err != nil {
 		return nil, fmt.Errorf("create router: %w", err)
 	}
@@ -66,6 +66,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 			NameStr:       m.wgIface.Name(),
 			WGAddress:     m.wgIface.Address(),
 			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:           m.router.mtu,
 		},
 	}
 	stateManager.RegisterState(state)

client/firewall/iptables/manager_linux_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -53,7 +54,7 @@ func TestIptablesManager(t *testing.T) {
 	require.NoError(t, err)
 
 	// just check on the local interface
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 
@@ -114,7 +115,7 @@ func TestIptablesManagerDenyRules(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)
 
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 
@@ -198,7 +199,7 @@ func TestIptablesManagerIPSet(t *testing.T) {
 	}
 
 	// just check on the local interface
-	manager, err := Create(mock)
+	manager, err := Create(mock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 
@@ -264,7 +265,7 @@ func TestIptablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock)
+			manager, err := Create(mock, iface.DefaultMTU)
 			require.NoError(t, err)
 			require.NoError(t, manager.Init(nil))
 			time.Sleep(time.Second)

client/firewall/iptables/router_linux.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/hashicorp/go-multierror"
-	"github.com/nadoo/ipset"
+	ipset "github.com/lrh3321/ipset-go"
 	log "github.com/sirupsen/logrus"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
@@ -30,17 +30,20 @@ const (
 
 	chainPOSTROUTING        = "POSTROUTING"
 	chainPREROUTING         = "PREROUTING"
+	chainFORWARD            = "FORWARD"
 	chainRTNAT              = "NETBIRD-RT-NAT"
 	chainRTFWDIN            = "NETBIRD-RT-FWD-IN"
 	chainRTFWDOUT           = "NETBIRD-RT-FWD-OUT"
 	chainRTPRE              = "NETBIRD-RT-PRE"
 	chainRTRDR              = "NETBIRD-RT-RDR"
+	chainRTMSSCLAMP         = "NETBIRD-RT-MSSCLAMP"
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"
 
 	jumpManglePre  = "jump-mangle-pre"
 	jumpNatPre     = "jump-nat-pre"
 	jumpNatPost    = "jump-nat-post"
+	jumpMSSClamp   = "jump-mss-clamp"
 	markManglePre  = "mark-mangle-pre"
 	markManglePost = "mark-mangle-post"
 	matchSet       = "--match-set"
@@ -48,6 +51,9 @@ const (
 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"
 	fwdSuffix  = "_fwd"
+
+	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	ipTCPHeaderMinSize = 40
 )
 
 type ruleInfo struct {
@@ -77,16 +83,18 @@ type router struct {
 	ipsetCounter     *ipsetCounter
 	wgIface          iFaceMapper
 	legacyManagement bool
+	mtu              uint16
 
 	stateManager *statemanager.Manager
 	ipFwdState   *ipfwdstate.IPForwardingState
 }
 
-func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*router, error) {
+func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint16) (*router, error) {
 	r := &router{
 		iptablesClient: iptablesClient,
 		rules:          make(map[string][]string),
 		wgIface:        wgIface,
+		mtu:            mtu,
 		ipFwdState:     ipfwdstate.NewIPForwardingState(),
 	}
 
@@ -99,10 +107,6 @@ func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*router,
 		},
 	)
 
-	if err := ipset.Init(); err != nil {
-		return nil, fmt.Errorf("init ipset: %w", err)
-	}
-
 	return r, nil
 }
 
@@ -224,12 +228,12 @@ func (r *router) findSets(rule []string) []string {
 }
 
 func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
-	if err := ipset.Create(setName, ipset.OptTimeout(0)); err != nil {
+	if err := r.createIPSet(setName); err != nil {
 		return fmt.Errorf("create set %s: %w", setName, err)
 	}
 
 	for _, prefix := range sources {
-		if err := ipset.AddPrefix(setName, prefix); err != nil {
+		if err := r.addPrefixToIPSet(setName, prefix); err != nil {
 			return fmt.Errorf("add element to set %s: %w", setName, err)
 		}
 	}
@@ -238,7 +242,7 @@ func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
 }
 
 func (r *router) deleteIpSet(setName string) error {
-	if err := ipset.Destroy(setName); err != nil {
+	if err := r.destroyIPSet(setName); err != nil {
 		return fmt.Errorf("destroy set %s: %w", setName, err)
 	}
 
@@ -392,6 +396,7 @@ func (r *router) cleanUpDefaultForwardRules() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
+		{chainRTMSSCLAMP, tableMangle},
 	} {
 		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
 		if err != nil {
@@ -416,6 +421,7 @@ func (r *router) createContainers() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
+		{chainRTMSSCLAMP, tableMangle},
 	} {
 		if err := r.iptablesClient.NewChain(chainInfo.table, chainInfo.chain); err != nil {
 			return fmt.Errorf("create chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
@@ -438,6 +444,10 @@ func (r *router) createContainers() error {
 		return fmt.Errorf("add jump rules: %w", err)
 	}
 
+	if err := r.addMSSClampingRules(); err != nil {
+		log.Errorf("failed to add MSS clamping rules: %s", err)
+	}
+
 	return nil
 }
 
@@ -518,6 +528,35 @@ func (r *router) addPostroutingRules() error {
 	return nil
 }
 
+// addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
+// TODO: Add IPv6 support
+func (r *router) addMSSClampingRules() error {
+	mss := r.mtu - ipTCPHeaderMinSize
+
+	// Add jump rule from FORWARD chain in mangle table to our custom chain
+	jumpRule := []string{
+		"-j", chainRTMSSCLAMP,
+	}
+	if err := r.iptablesClient.Insert(tableMangle, chainFORWARD, 1, jumpRule...); err != nil {
+		return fmt.Errorf("add jump to MSS clamp chain: %w", err)
+	}
+	r.rules[jumpMSSClamp] = jumpRule
+
+	ruleOut := []string{
+		"-o", r.wgIface.Name(),
+		"-p", "tcp",
+		"--tcp-flags", "SYN,RST", "SYN",
+		"-j", "TCPMSS",
+		"--set-mss", fmt.Sprintf("%d", mss),
+	}
+	if err := r.iptablesClient.Append(tableMangle, chainRTMSSCLAMP, ruleOut...); err != nil {
+		return fmt.Errorf("add outbound MSS clamp rule: %w", err)
+	}
+	r.rules["mss-clamp-out"] = ruleOut
+
+	return nil
+}
+
 func (r *router) insertEstablishedRule(chain string) error {
 	establishedRule := getConntrackEstablished()
 
@@ -558,7 +597,7 @@ func (r *router) addJumpRules() error {
 }
 
 func (r *router) cleanJumpRules() error {
-	for _, ruleKey := range []string{jumpNatPost, jumpManglePre, jumpNatPre} {
+	for _, ruleKey := range []string{jumpNatPost, jumpManglePre, jumpNatPre, jumpMSSClamp} {
 		if rule, exists := r.rules[ruleKey]; exists {
 			var table, chain string
 			switch ruleKey {
@@ -571,6 +610,9 @@ func (r *router) cleanJumpRules() error {
 			case jumpNatPre:
 				table = tableNat
 				chain = chainPREROUTING
+			case jumpMSSClamp:
+				table = tableMangle
+				chain = chainFORWARD
 			default:
 				return fmt.Errorf("unknown jump rule: %s", ruleKey)
 			}
@@ -869,8 +911,8 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
 			continue
 		}
-		if err := ipset.AddPrefix(set.HashedName(), prefix); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("increment ipset counter: %w", err))
+		if err := r.addPrefixToIPSet(set.HashedName(), prefix); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("add prefix to ipset: %w", err))
 		}
 	}
 	if merr == nil {
@@ -947,3 +989,37 @@ func applyPort(flag string, port *firewall.Port) []string {
 
 	return []string{flag, strconv.Itoa(int(port.Values[0]))}
 }
+
+func (r *router) createIPSet(name string) error {
+	opts := ipset.CreateOptions{
+		Replace: true,
+	}
+
+	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
+		return fmt.Errorf("create ipset %s: %w", name, err)
+	}
+
+	log.Debugf("created ipset %s with type hash:net", name)
+	return nil
+}
+
+func (r *router) addPrefixToIPSet(name string, prefix netip.Prefix) error {
+	addr := prefix.Addr()
+	ip := addr.AsSlice()
+
+	entry := &ipset.Entry{
+		IP:      ip,
+		CIDR:    uint8(prefix.Bits()),
+		Replace: true,
+	}
+
+	if err := ipset.Add(name, entry); err != nil {
+		return fmt.Errorf("add prefix to ipset %s: %w", name, err)
+	}
+
+	return nil
+}
+
+func (r *router) destroyIPSet(name string) error {
+	return ipset.Destroy(name)
+}

client/firewall/iptables/router_linux_test.go

@@ -14,6 +14,7 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
+	"github.com/netbirdio/netbird/client/iface"
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
@@ -30,7 +31,7 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "failed to init iptables client")
 
-	manager, err := newRouter(iptablesClient, ifaceMock)
+	manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "should return a valid iptables manager")
 	require.NoError(t, manager.init(nil))
 
@@ -38,7 +39,6 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 		assert.NoError(t, manager.Reset(), "shouldn't return error")
 	}()
 
-	// Now 5 rules:
 	// 1. established rule forward in
 	// 2. estbalished rule forward out
 	// 3. jump rule to POST nat chain
@@ -48,7 +48,9 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	// 7. static return masquerade rule
 	// 8. mangle prerouting mark rule
 	// 9. mangle postrouting mark rule
-	require.Len(t, manager.rules, 9, "should have created rules map")
+	// 10. jump rule to MSS clamping chain
+	// 11. MSS clamping rule for outbound traffic
+	require.Len(t, manager.rules, 11, "should have created rules map")
 
 	exists, err := manager.iptablesClient.Exists(tableNat, chainPOSTROUTING, "-j", chainRTNAT)
 	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainPOSTROUTING)
@@ -82,7 +84,7 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 			iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 			require.NoError(t, err, "failed to init iptables client")
 
-			manager, err := newRouter(iptablesClient, ifaceMock)
+			manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))
 
@@ -155,7 +157,7 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 		t.Run(testCase.Name, func(t *testing.T) {
 			iptablesClient, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 
-			manager, err := newRouter(iptablesClient, ifaceMock)
+			manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))
 			defer func() {
@@ -217,7 +219,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "Failed to create iptables client")
 
-	r, err := newRouter(iptablesClient, ifaceMock)
+	r, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "Failed to create router manager")
 	require.NoError(t, r.init(nil))
 

client/firewall/iptables/state_linux.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"sync"
 
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -11,6 +12,7 @@ type InterfaceState struct {
 	NameStr       string         `json:"name"`
 	WGAddress     wgaddr.Address `json:"wg_address"`
 	UserspaceBind bool           `json:"userspace_bind"`
+	MTU           uint16         `json:"mtu"`
 }
 
 func (i *InterfaceState) Name() string {
@@ -42,7 +44,11 @@ func (s *ShutdownState) Name() string {
 }
 
 func (s *ShutdownState) Cleanup() error {
-	ipt, err := Create(s.InterfaceState)
+	mtu := s.InterfaceState.MTU
+	if mtu == 0 {
+		mtu = iface.DefaultMTU
+	}
+	ipt, err := Create(s.InterfaceState, mtu)
 	if err != nil {
 		return fmt.Errorf("create iptables manager: %w", err)
 	}

client/firewall/manager/firewall.go

@@ -100,6 +100,9 @@ type Manager interface {
 	//
 	// If comment argument is empty firewall manager should set
 	// rule ID as comment for the rule
+	//
+	// Note: Callers should call Flush() after adding rules to ensure
+	// they are applied to the kernel and rule handles are refreshed.
 	AddPeerFiltering(
 		id []byte,
 		ip net.IP,

client/firewall/nftables/acl_linux.go

@@ -29,8 +29,6 @@ const (
 	chainNameForwardFilter     = "netbird-acl-forward-filter"
 	chainNameManglePrerouting  = "netbird-mangle-prerouting"
 	chainNameManglePostrouting = "netbird-mangle-postrouting"
-
-	allowNetbirdInputRuleID = "allow Netbird incoming traffic"
 )
 
 const flushError = "flush: %w"
@@ -195,25 +193,6 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 // createDefaultAllowRules creates default allow rules for the input and output chains
 func (m *AclManager) createDefaultAllowRules() error {
 	expIn := []expr.Any{
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       12,
-			Len:          4,
-		},
-		// mask
-		&expr.Bitwise{
-			SourceRegister: 1,
-			DestRegister:   1,
-			Len:            4,
-			Mask:           []byte{0, 0, 0, 0},
-			Xor:            []byte{0, 0, 0, 0},
-		},
-		// net address
-		&expr.Cmp{
-			Register: 1,
-			Data:     []byte{0, 0, 0, 0},
-		},
 		&expr.Verdict{
 			Kind: expr.VerdictAccept,
 		},
@@ -258,7 +237,7 @@ func (m *AclManager) addIOFiltering(
 	action firewall.Action,
 	ipset *nftables.Set,
 ) (*Rule, error) {
-	ruleId := generatePeerRuleId(ip, sPort, dPort, action, ipset)
+	ruleId := generatePeerRuleId(ip, proto, sPort, dPort, action, ipset)
 	if r, ok := m.rules[ruleId]; ok {
 		return &Rule{
 			nftRule:    r.nftRule,
@@ -357,11 +336,12 @@ func (m *AclManager) addIOFiltering(
 	}
 
 	if err := m.rConn.Flush(); err != nil {
-		return nil, fmt.Errorf(flushError, err)
+		return nil, fmt.Errorf("flush input rule %s: %v", ruleId, err)
 	}
 
 	ruleStruct := &Rule{
-		nftRule:    nftRule,
+		nftRule: nftRule,
+		// best effort mangle rule
 		mangleRule: m.createPreroutingRule(expressions, userData),
 		nftSet:     ipset,
 		ruleID:     ruleId,
@@ -420,12 +400,19 @@ func (m *AclManager) createPreroutingRule(expressions []expr.Any, userData []byt
 		},
 	)
 
-	return m.rConn.AddRule(&nftables.Rule{
+	nfRule := m.rConn.AddRule(&nftables.Rule{
 		Table:    m.workTable,
 		Chain:    m.chainPrerouting,
 		Exprs:    preroutingExprs,
 		UserData: userData,
 	})
+
+	if err := m.rConn.Flush(); err != nil {
+		log.Errorf("failed to flush mangle rule %s: %v", string(userData), err)
+		return nil
+	}
+
+	return nfRule
 }
 
 func (m *AclManager) createDefaultChains() (err error) {
@@ -697,8 +684,8 @@ func (m *AclManager) refreshRuleHandles(chain *nftables.Chain, mangle bool) erro
 	return nil
 }
 
-func generatePeerRuleId(ip net.IP, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
-	rulesetID := ":"
+func generatePeerRuleId(ip net.IP, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
+	rulesetID := ":" + string(proto) + ":"
 	if sPort != nil {
 		rulesetID += sPort.String()
 	}

client/firewall/nftables/manager_linux.go

@@ -1,11 +1,11 @@
 package nftables
 
 import (
-	"bytes"
 	"context"
 	"fmt"
 	"net"
 	"net/netip"
+	"os"
 	"sync"
 
 	"github.com/google/nftables"
@@ -19,13 +19,22 @@ import (
 )
 
 const (
-	// tableNameNetbird is the name of the table that is used for filtering by the Netbird client
+	// tableNameNetbird is the default name of the table that is used for filtering by the Netbird client
 	tableNameNetbird = "netbird"
+	// envTableName is the environment variable to override the table name
+	envTableName = "NB_NFTABLES_TABLE"
 
 	tableNameFilter = "filter"
 	chainNameInput  = "INPUT"
 )
 
+func getTableName() string {
+	if name := os.Getenv(envTableName); name != "" {
+		return name
+	}
+	return tableNameNetbird
+}
+
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMapper interface {
 	Name() string
@@ -44,16 +53,16 @@ type Manager struct {
 }
 
 // Create nftables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
+func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 	m := &Manager{
 		rConn:   &nftables.Conn{},
 		wgIface: wgIface,
 	}
 
-	workTable := &nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4}
+	workTable := &nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4}
 
 	var err error
-	m.router, err = newRouter(workTable, wgIface)
+	m.router, err = newRouter(workTable, wgIface, mtu)
 	if err != nil {
 		return nil, fmt.Errorf("create router: %w", err)
 	}
@@ -93,6 +102,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 			NameStr:       m.wgIface.Name(),
 			WGAddress:     m.wgIface.Address(),
 			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:           m.router.mtu,
 		},
 	}); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -197,44 +207,11 @@ func (m *Manager) AllowNetbird() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	err := m.aclManager.createDefaultAllowRules()
-	if err != nil {
-		return fmt.Errorf("failed to create default allow rules: %v", err)
+	if err := m.aclManager.createDefaultAllowRules(); err != nil {
+		return fmt.Errorf("create default allow rules: %w", err)
 	}
-
-	chains, err := m.rConn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
-	if err != nil {
-		return fmt.Errorf("list of chains: %w", err)
-	}
-
-	var chain *nftables.Chain
-	for _, c := range chains {
-		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
-			chain = c
-			break
-		}
-	}
-
-	if chain == nil {
-		log.Debugf("chain INPUT not found. Skipping add allow netbird rule")
-		return nil
-	}
-
-	rules, err := m.rConn.GetRules(chain.Table, chain)
-	if err != nil {
-		return fmt.Errorf("failed to get rules for the INPUT chain: %v", err)
-	}
-
-	if rule := m.detectAllowNetbirdRule(rules); rule != nil {
-		log.Debugf("allow netbird rule already exists: %v", rule)
-		return nil
-	}
-
-	m.applyAllowNetbirdRules(chain)
-
-	err = m.rConn.Flush()
-	if err != nil {
-		return fmt.Errorf("failed to flush allow input netbird rules: %v", err)
+	if err := m.rConn.Flush(); err != nil {
+		return fmt.Errorf("flush allow input netbird rules: %w", err)
 	}
 
 	return nil
@@ -250,10 +227,6 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	if err := m.resetNetbirdInputRules(); err != nil {
-		return fmt.Errorf("reset netbird input rules: %v", err)
-	}
-
 	if err := m.router.Reset(); err != nil {
 		return fmt.Errorf("reset router: %v", err)
 	}
@@ -273,49 +246,15 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	return nil
 }
 
-func (m *Manager) resetNetbirdInputRules() error {
-	chains, err := m.rConn.ListChains()
-	if err != nil {
-		return fmt.Errorf("list chains: %w", err)
-	}
-
-	m.deleteNetbirdInputRules(chains)
-
-	return nil
-}
-
-func (m *Manager) deleteNetbirdInputRules(chains []*nftables.Chain) {
-	for _, c := range chains {
-		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
-			rules, err := m.rConn.GetRules(c.Table, c)
-			if err != nil {
-				log.Errorf("get rules for chain %q: %v", c.Name, err)
-				continue
-			}
-
-			m.deleteMatchingRules(rules)
-		}
-	}
-}
-
-func (m *Manager) deleteMatchingRules(rules []*nftables.Rule) {
-	for _, r := range rules {
-		if bytes.Equal(r.UserData, []byte(allowNetbirdInputRuleID)) {
-			if err := m.rConn.DelRule(r); err != nil {
-				log.Errorf("delete rule: %v", err)
-			}
-		}
-	}
-}
-
 func (m *Manager) cleanupNetbirdTables() error {
 	tables, err := m.rConn.ListTables()
 	if err != nil {
 		return fmt.Errorf("list tables: %w", err)
 	}
 
+	tableName := getTableName()
 	for _, t := range tables {
-		if t.Name == tableNameNetbird {
+		if t.Name == tableName {
 			m.rConn.DelTable(t)
 		}
 	}
@@ -398,55 +337,18 @@ func (m *Manager) createWorkTable() (*nftables.Table, error) {
 		return nil, fmt.Errorf("list of tables: %w", err)
 	}
 
+	tableName := getTableName()
 	for _, t := range tables {
-		if t.Name == tableNameNetbird {
+		if t.Name == tableName {
 			m.rConn.DelTable(t)
 		}
 	}
 
-	table := m.rConn.AddTable(&nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4})
+	table := m.rConn.AddTable(&nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4})
 	err = m.rConn.Flush()
 	return table, err
 }
 
-func (m *Manager) applyAllowNetbirdRules(chain *nftables.Chain) {
-	rule := &nftables.Rule{
-		Table: chain.Table,
-		Chain: chain,
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     ifname(m.wgIface.Name()),
-			},
-			&expr.Verdict{
-				Kind: expr.VerdictAccept,
-			},
-		},
-		UserData: []byte(allowNetbirdInputRuleID),
-	}
-	_ = m.rConn.InsertRule(rule)
-}
-
-func (m *Manager) detectAllowNetbirdRule(existedRules []*nftables.Rule) *nftables.Rule {
-	ifName := ifname(m.wgIface.Name())
-	for _, rule := range existedRules {
-		if rule.Table.Name == tableNameFilter && rule.Chain.Name == chainNameInput {
-			if len(rule.Exprs) < 4 {
-				if e, ok := rule.Exprs[0].(*expr.Meta); !ok || e.Key != expr.MetaKeyIIFNAME {
-					continue
-				}
-				if e, ok := rule.Exprs[1].(*expr.Cmp); !ok || e.Op != expr.CmpOpEq || !bytes.Equal(e.Data, ifName) {
-					continue
-				}
-				return rule
-			}
-		}
-	}
-	return nil
-}
-
 func insertReturnTrafficRule(conn *nftables.Conn, table *nftables.Table, chain *nftables.Chain) {
 	rule := &nftables.Rule{
 		Table: table,

client/firewall/nftables/manager_linux_test.go

@@ -16,6 +16,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -56,7 +57,7 @@ func (i *iFaceMock) IsUserspaceBind() bool { return false }
 func TestNftablesManager(t *testing.T) {
 
 	// just check on the local interface
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 	time.Sleep(time.Second * 3)
@@ -168,7 +169,7 @@ func TestNftablesManager(t *testing.T) {
 func TestNftablesManagerRuleOrder(t *testing.T) {
 	// This test verifies rule insertion order in nftables peer ACLs
 	// We add accept rule first, then deny rule to test ordering behavior
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 
@@ -261,7 +262,7 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock)
+			manager, err := Create(mock, iface.DefaultMTU)
 			require.NoError(t, err)
 			require.NoError(t, manager.Init(nil))
 			time.Sleep(time.Second * 3)
@@ -345,7 +346,7 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	stdout, stderr := runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)
 
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "failed to create manager")
 	require.NoError(t, manager.Init(nil))
 

client/firewall/nftables/router_linux.go

@@ -16,6 +16,7 @@ import (
 	"github.com/google/nftables/xt"
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -32,12 +33,17 @@ const (
 	chainNameRoutingNat    = "netbird-rt-postrouting"
 	chainNameRoutingRdr    = "netbird-rt-redirect"
 	chainNameForward       = "FORWARD"
+	chainNameMangleForward = "netbird-mangle-forward"
 
 	userDataAcceptForwardRuleIif = "frwacceptiif"
 	userDataAcceptForwardRuleOif = "frwacceptoif"
+	userDataAcceptInputRule      = "inputaccept"
 
 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"
+
+	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	ipTCPHeaderMinSize = 40
 )
 
 const refreshRulesMapError = "refresh rules map: %w"
@@ -63,9 +69,10 @@ type router struct {
 	wgIface          iFaceMapper
 	ipFwdState       *ipfwdstate.IPForwardingState
 	legacyManagement bool
+	mtu              uint16
 }
 
-func newRouter(workTable *nftables.Table, wgIface iFaceMapper) (*router, error) {
+func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*router, error) {
 	r := &router{
 		conn:       &nftables.Conn{},
 		workTable:  workTable,
@@ -73,6 +80,7 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper) (*router, error)
 		rules:      make(map[string]*nftables.Rule),
 		wgIface:    wgIface,
 		ipFwdState: ipfwdstate.NewIPForwardingState(),
+		mtu:        mtu,
 	}
 
 	r.ipsetCounter = refcounter.New(
@@ -96,8 +104,8 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper) (*router, error)
 func (r *router) init(workTable *nftables.Table) error {
 	r.workTable = workTable
 
-	if err := r.removeAcceptForwardRules(); err != nil {
-		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
+	if err := r.removeAcceptFilterRules(); err != nil {
+		log.Errorf("failed to clean up rules from filter table: %s", err)
 	}
 
 	if err := r.createContainers(); err != nil {
@@ -111,15 +119,15 @@ func (r *router) init(workTable *nftables.Table) error {
 	return nil
 }
 
-// Reset cleans existing nftables default forward rules from the system
+// Reset cleans existing nftables filter table rules from the system
 func (r *router) Reset() error {
 	// clear without deleting the ipsets, the nf table will be deleted by the caller
 	r.ipsetCounter.Clear()
 
 	var merr *multierror.Error
 
-	if err := r.removeAcceptForwardRules(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove accept forward rules: %w", err))
+	if err := r.removeAcceptFilterRules(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove accept filter rules: %w", err))
 	}
 
 	if err := r.removeNatPreroutingRules(); err != nil {
@@ -220,11 +228,23 @@ func (r *router) createContainers() error {
 		Type:     nftables.ChainTypeFilter,
 	})
 
+	r.chains[chainNameMangleForward] = r.conn.AddChain(&nftables.Chain{
+		Name:     chainNameMangleForward,
+		Table:    r.workTable,
+		Hooknum:  nftables.ChainHookForward,
+		Priority: nftables.ChainPriorityMangle,
+		Type:     nftables.ChainTypeFilter,
+	})
+
 	// Add the single NAT rule that matches on mark
 	if err := r.addPostroutingRules(); err != nil {
 		return fmt.Errorf("add single nat rule: %v", err)
 	}
 
+	if err := r.addMSSClampingRules(); err != nil {
+		log.Errorf("failed to add MSS clamping rules: %s", err)
+	}
+
 	if err := r.acceptForwardRules(); err != nil {
 		log.Errorf("failed to add accept rules for the forward chain: %s", err)
 	}
@@ -745,6 +765,83 @@ func (r *router) addPostroutingRules() error {
 	return nil
 }
 
+// addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
+// TODO: Add IPv6 support
+func (r *router) addMSSClampingRules() error {
+	mss := r.mtu - ipTCPHeaderMinSize
+
+	exprsOut := []expr.Any{
+		&expr.Meta{
+			Key:      expr.MetaKeyOIFNAME,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+		&expr.Meta{
+			Key:      expr.MetaKeyL4PROTO,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     []byte{unix.IPPROTO_TCP},
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseTransportHeader,
+			Offset:       13,
+			Len:          1,
+		},
+		&expr.Bitwise{
+			DestRegister:   1,
+			SourceRegister: 1,
+			Len:            1,
+			Mask:           []byte{0x02},
+			Xor:            []byte{0x00},
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpNeq,
+			Register: 1,
+			Data:     []byte{0x00},
+		},
+		&expr.Counter{},
+		&expr.Exthdr{
+			DestRegister: 1,
+			Type:         2,
+			Offset:       2,
+			Len:          2,
+			Op:           expr.ExthdrOpTcpopt,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpGt,
+			Register: 1,
+			Data:     binaryutil.BigEndian.PutUint16(uint16(mss)),
+		},
+		&expr.Immediate{
+			Register: 1,
+			Data:     binaryutil.BigEndian.PutUint16(uint16(mss)),
+		},
+		&expr.Exthdr{
+			SourceRegister: 1,
+			Type:           2,
+			Offset:         2,
+			Len:            2,
+			Op:             expr.ExthdrOpTcpopt,
+		},
+	}
+
+	r.conn.AddRule(&nftables.Rule{
+		Table: r.workTable,
+		Chain: r.chains[chainNameMangleForward],
+		Exprs: exprsOut,
+	})
+
+	return nil
+}
+
 // addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
 func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
@@ -840,6 +937,7 @@ func (r *router) RemoveAllLegacyRouteRules() error {
 // that our traffic is not dropped by existing rules there.
 // The existing FORWARD rules/policies decide outbound traffic towards our interface.
 // In case the FORWARD policy is set to "drop", we add an established/related rule to allow return traffic for the inbound rule.
+// This method also adds INPUT chain rules to allow traffic to the local interface.
 func (r *router) acceptForwardRules() error {
 	if r.filterTable == nil {
 		log.Debugf("table 'filter' not found for forward rules, skipping accept rules")
@@ -849,7 +947,7 @@ func (r *router) acceptForwardRules() error {
 	fw := "iptables"
 
 	defer func() {
-		log.Debugf("Used %s to add accept forward rules", fw)
+		log.Debugf("Used %s to add accept forward and input rules", fw)
 	}()
 
 	// Try iptables first and fallback to nftables if iptables is not available
@@ -859,22 +957,30 @@ func (r *router) acceptForwardRules() error {
 		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
 
 		fw = "nftables"
-		return r.acceptForwardRulesNftables()
+		return r.acceptFilterRulesNftables()
 	}
 
-	return r.acceptForwardRulesIptables(ipt)
+	return r.acceptFilterRulesIptables(ipt)
 }
 
-func (r *router) acceptForwardRulesIptables(ipt *iptables.IPTables) error {
+func (r *router) acceptFilterRulesIptables(ipt *iptables.IPTables) error {
 	var merr *multierror.Error
+
 	for _, rule := range r.getAcceptForwardRules() {
 		if err := ipt.Insert("filter", chainNameForward, 1, rule...); err != nil {
-			merr = multierror.Append(err, fmt.Errorf("add iptables rule: %v", err))
+			merr = multierror.Append(err, fmt.Errorf("add iptables forward rule: %v", err))
 		} else {
-			log.Debugf("added iptables rule: %v", rule)
+			log.Debugf("added iptables forward rule: %v", rule)
 		}
 	}
 
+	inputRule := r.getAcceptInputRule()
+	if err := ipt.Insert("filter", chainNameInput, 1, inputRule...); err != nil {
+		merr = multierror.Append(err, fmt.Errorf("add iptables input rule: %v", err))
+	} else {
+		log.Debugf("added iptables input rule: %v", inputRule)
+	}
+
 	return nberrors.FormatErrorOrNil(merr)
 }
 
@@ -886,10 +992,13 @@ func (r *router) getAcceptForwardRules() [][]string {
 	}
 }
 
-func (r *router) acceptForwardRulesNftables() error {
+func (r *router) getAcceptInputRule() []string {
+	return []string{"-i", r.wgIface.Name(), "-j", "ACCEPT"}
+}
+
+func (r *router) acceptFilterRulesNftables() error {
 	intf := ifname(r.wgIface.Name())
 
-	// Rule for incoming interface (iif) with counter
 	iifRule := &nftables.Rule{
 		Table: r.filterTable,
 		Chain: &nftables.Chain{
@@ -922,11 +1031,10 @@ func (r *router) acceptForwardRulesNftables() error {
 		},
 	}
 
-	// Rule for outgoing interface (oif) with counter
 	oifRule := &nftables.Rule{
 		Table: r.filterTable,
 		Chain: &nftables.Chain{
-			Name:     "FORWARD",
+			Name:     chainNameForward,
 			Table:    r.filterTable,
 			Type:     nftables.ChainTypeFilter,
 			Hooknum:  nftables.ChainHookForward,
@@ -935,35 +1043,60 @@ func (r *router) acceptForwardRulesNftables() error {
 		Exprs:    append(oifExprs, getEstablishedExprs(2)...),
 		UserData: []byte(userDataAcceptForwardRuleOif),
 	}
-
 	r.conn.InsertRule(oifRule)
 
+	inputRule := &nftables.Rule{
+		Table: r.filterTable,
+		Chain: &nftables.Chain{
+			Name:     chainNameInput,
+			Table:    r.filterTable,
+			Type:     nftables.ChainTypeFilter,
+			Hooknum:  nftables.ChainHookInput,
+			Priority: nftables.ChainPriorityFilter,
+		},
+		Exprs: []expr.Any{
+			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     intf,
+			},
+			&expr.Counter{},
+			&expr.Verdict{Kind: expr.VerdictAccept},
+		},
+		UserData: []byte(userDataAcceptInputRule),
+	}
+	r.conn.InsertRule(inputRule)
+
 	return nil
 }
 
-func (r *router) removeAcceptForwardRules() error {
+func (r *router) removeAcceptFilterRules() error {
 	if r.filterTable == nil {
 		return nil
 	}
 
-	// Try iptables first and fallback to nftables if iptables is not available
 	ipt, err := iptables.New()
 	if err != nil {
 		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
-		return r.removeAcceptForwardRulesNftables()
+		return r.removeAcceptFilterRulesNftables()
 	}
 
-	return r.removeAcceptForwardRulesIptables(ipt)
+	return r.removeAcceptFilterRulesIptables(ipt)
 }
 
-func (r *router) removeAcceptForwardRulesNftables() error {
+func (r *router) removeAcceptFilterRulesNftables() error {
 	chains, err := r.conn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
 	if err != nil {
 		return fmt.Errorf("list chains: %v", err)
 	}
 
 	for _, chain := range chains {
-		if chain.Table.Name != r.filterTable.Name || chain.Name != chainNameForward {
+		if chain.Table.Name != r.filterTable.Name {
+			continue
+		}
+
+		if chain.Name != chainNameForward && chain.Name != chainNameInput {
 			continue
 		}
 
@@ -974,7 +1107,8 @@ func (r *router) removeAcceptForwardRulesNftables() error {
 
 		for _, rule := range rules {
 			if bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleIif)) ||
-				bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleOif)) {
+				bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleOif)) ||
+				bytes.Equal(rule.UserData, []byte(userDataAcceptInputRule)) {
 				if err := r.conn.DelRule(rule); err != nil {
 					return fmt.Errorf("delete rule: %v", err)
 				}
@@ -989,14 +1123,20 @@ func (r *router) removeAcceptForwardRulesNftables() error {
 	return nil
 }
 
-func (r *router) removeAcceptForwardRulesIptables(ipt *iptables.IPTables) error {
+func (r *router) removeAcceptFilterRulesIptables(ipt *iptables.IPTables) error {
 	var merr *multierror.Error
+
 	for _, rule := range r.getAcceptForwardRules() {
 		if err := ipt.DeleteIfExists("filter", chainNameForward, rule...); err != nil {
-			merr = multierror.Append(err, fmt.Errorf("remove iptables rule: %v", err))
+			merr = multierror.Append(err, fmt.Errorf("remove iptables forward rule: %v", err))
 		}
 	}
 
+	inputRule := r.getAcceptInputRule()
+	if err := ipt.DeleteIfExists("filter", chainNameInput, inputRule...); err != nil {
+		merr = multierror.Append(err, fmt.Errorf("remove iptables input rule: %v", err))
+	}
+
 	return nberrors.FormatErrorOrNil(merr)
 }
 

client/firewall/nftables/router_linux_test.go

@@ -17,6 +17,7 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
+	"github.com/netbirdio/netbird/client/iface"
 )
 
 const (
@@ -36,7 +37,7 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 	for _, testCase := range test.InsertRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
 			// need fw manager to init both acl mgr and router for all chains to be present
-			manager, err := Create(ifaceMock)
+			manager, err := Create(ifaceMock, iface.DefaultMTU)
 			t.Cleanup(func() {
 				require.NoError(t, manager.Close(nil))
 			})
@@ -125,7 +126,7 @@ func TestNftablesManager_RemoveNatRule(t *testing.T) {
 
 	for _, testCase := range test.RemoveRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			manager, err := Create(ifaceMock)
+			manager, err := Create(ifaceMock, iface.DefaultMTU)
 			t.Cleanup(func() {
 				require.NoError(t, manager.Close(nil))
 			})
@@ -197,7 +198,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 
 	defer deleteWorkTable()
 
-	r, err := newRouter(workTable, ifaceMock)
+	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "Failed to create router")
 	require.NoError(t, r.init(workTable))
 
@@ -364,7 +365,7 @@ func TestNftablesCreateIpSet(t *testing.T) {
 
 	defer deleteWorkTable()
 
-	r, err := newRouter(workTable, ifaceMock)
+	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "Failed to create router")
 	require.NoError(t, r.init(workTable))
 

client/firewall/nftables/state_linux.go

@@ -3,6 +3,7 @@ package nftables
 import (
 	"fmt"
 
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -10,6 +11,7 @@ type InterfaceState struct {
 	NameStr       string         `json:"name"`
 	WGAddress     wgaddr.Address `json:"wg_address"`
 	UserspaceBind bool           `json:"userspace_bind"`
+	MTU           uint16         `json:"mtu"`
 }
 
 func (i *InterfaceState) Name() string {
@@ -33,7 +35,11 @@ func (s *ShutdownState) Name() string {
 }
 
 func (s *ShutdownState) Cleanup() error {
-	nft, err := Create(s.InterfaceState)
+	mtu := s.InterfaceState.MTU
+	if mtu == 0 {
+		mtu = iface.DefaultMTU
+	}
+	nft, err := Create(s.InterfaceState, mtu)
 	if err != nil {
 		return fmt.Errorf("create nftables manager: %w", err)
 	}

client/firewall/uspfilter/filter.go

@@ -1,6 +1,7 @@
 package uspfilter
 
 import (
+	"encoding/binary"
 	"errors"
 	"fmt"
 	"net"
@@ -27,7 +28,18 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
-const layerTypeAll = 0
+const (
+	layerTypeAll = 0
+
+	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	ipTCPHeaderMinSize = 40
+)
+
+// serviceKey represents a protocol/port combination for netstack service registry
+type serviceKey struct {
+	protocol gopacket.LayerType
+	port     uint16
+}
 
 const (
 	// EnvDisableConntrack disables the stateful filter, replies to outbound traffic won't be allowed.
@@ -36,6 +48,9 @@ const (
 	// EnvDisableUserspaceRouting disables userspace routing, to-be-routed packets will be dropped.
 	EnvDisableUserspaceRouting = "NB_DISABLE_USERSPACE_ROUTING"
 
+	// EnvDisableMSSClamping disables TCP MSS clamping for forwarded traffic.
+	EnvDisableMSSClamping = "NB_DISABLE_MSS_CLAMPING"
+
 	// EnvForceUserspaceRouter forces userspace routing even if native routing is available.
 	EnvForceUserspaceRouter = "NB_FORCE_USERSPACE_ROUTER"
 
@@ -113,6 +128,13 @@ type Manager struct {
 	portDNATEnabled atomic.Bool
 	portDNATRules   []portDNATRule
 	portDNATMutex   sync.RWMutex
+
+	netstackServices     map[serviceKey]struct{}
+	netstackServiceMutex sync.RWMutex
+
+	mtu             uint16
+	mssClampValue   uint16
+	mssClampEnabled bool
 }
 
 // decoder for packages
@@ -131,16 +153,16 @@ type decoder struct {
 }
 
 // Create userspace firewall manager constructor
-func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
-	return create(iface, nil, disableServerRoutes, flowLogger)
+func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
+	return create(iface, nil, disableServerRoutes, flowLogger, mtu)
 }
 
-func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
+func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
 	if nativeFirewall == nil {
 		return nil, errors.New("native firewall is nil")
 	}
 
-	mgr, err := create(iface, nativeFirewall, disableServerRoutes, flowLogger)
+	mgr, err := create(iface, nativeFirewall, disableServerRoutes, flowLogger, mtu)
 	if err != nil {
 		return nil, err
 	}
@@ -148,8 +170,8 @@ func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.
 	return mgr, nil
 }
 
-func parseCreateEnv() (bool, bool) {
-	var disableConntrack, enableLocalForwarding bool
+func parseCreateEnv() (bool, bool, bool) {
+	var disableConntrack, enableLocalForwarding, disableMSSClamping bool
 	var err error
 	if val := os.Getenv(EnvDisableConntrack); val != "" {
 		disableConntrack, err = strconv.ParseBool(val)
@@ -168,12 +190,18 @@ func parseCreateEnv() (bool, bool) {
 			log.Warnf("failed to parse %s: %v", EnvEnableLocalForwarding, err)
 		}
 	}
+	if val := os.Getenv(EnvDisableMSSClamping); val != "" {
+		disableMSSClamping, err = strconv.ParseBool(val)
+		if err != nil {
+			log.Warnf("failed to parse %s: %v", EnvDisableMSSClamping, err)
+		}
+	}
 
-	return disableConntrack, enableLocalForwarding
+	return disableConntrack, enableLocalForwarding, disableMSSClamping
 }
 
-func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
-	disableConntrack, enableLocalForwarding := parseCreateEnv()
+func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
+	disableConntrack, enableLocalForwarding, disableMSSClamping := parseCreateEnv()
 
 	m := &Manager{
 		decoders: sync.Pool{
@@ -203,13 +231,18 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		localForwarding:     enableLocalForwarding,
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
 		portDNATRules:       []portDNATRule{},
+		netstackServices:    make(map[serviceKey]struct{}),
+		mtu:                 mtu,
 	}
 	m.routingEnabled.Store(false)
 
+	if !disableMSSClamping {
+		m.mssClampEnabled = true
+		m.mssClampValue = mtu - ipTCPHeaderMinSize
+	}
 	if err := m.localipmanager.UpdateLocalIPs(iface); err != nil {
 		return nil, fmt.Errorf("update local IPs: %w", err)
 	}
-
 	if disableConntrack {
 		log.Info("conntrack is disabled")
 	} else {
@@ -217,14 +250,11 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout, m.logger, flowLogger)
 		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout, m.logger, flowLogger)
 	}
-
-	// netstack needs the forwarder for local traffic
 	if m.netstack && m.localForwarding {
 		if err := m.initForwarder(); err != nil {
 			log.Errorf("failed to initialize forwarder: %v", err)
 		}
 	}
-
 	if err := iface.SetFilter(m); err != nil {
 		return nil, fmt.Errorf("set filter: %w", err)
 	}
@@ -327,7 +357,7 @@ func (m *Manager) initForwarder() error {
 		return errors.New("forwarding not supported")
 	}
 
-	forwarder, err := forwarder.New(m.wgIface, m.logger, m.flowLogger, m.netstack)
+	forwarder, err := forwarder.New(m.wgIface, m.logger, m.flowLogger, m.netstack, m.mtu)
 	if err != nil {
 		m.routingEnabled.Store(false)
 		return fmt.Errorf("create forwarder: %w", err)
@@ -633,8 +663,17 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 		return false
 	}
 
-	if d.decoded[1] == layers.LayerTypeUDP && m.udpHooksDrop(uint16(d.udp.DstPort), dstIP, packetData) {
-		return true
+	switch d.decoded[1] {
+	case layers.LayerTypeUDP:
+		if m.udpHooksDrop(uint16(d.udp.DstPort), dstIP, packetData) {
+			return true
+		}
+	case layers.LayerTypeTCP:
+		// Clamp MSS on all TCP SYN packets, including those from local IPs.
+		// SNATed routed traffic may appear as local IP but still requires clamping.
+		if m.mssClampEnabled {
+			m.clampTCPMSS(packetData, d)
+		}
 	}
 
 	m.trackOutbound(d, srcIP, dstIP, packetData, size)
@@ -681,6 +720,97 @@ func getTCPFlags(tcp *layers.TCP) uint8 {
 	return flags
 }
 
+// clampTCPMSS clamps the TCP MSS option in SYN and SYN-ACK packets to prevent fragmentation.
+// Both sides advertise their MSS during connection establishment, so we need to clamp both.
+func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
+	if !d.tcp.SYN {
+		return false
+	}
+	if len(d.tcp.Options) == 0 {
+		return false
+	}
+
+	mssOptionIndex := -1
+	var currentMSS uint16
+	for i, opt := range d.tcp.Options {
+		if opt.OptionType == layers.TCPOptionKindMSS && len(opt.OptionData) == 2 {
+			currentMSS = binary.BigEndian.Uint16(opt.OptionData)
+			if currentMSS > m.mssClampValue {
+				mssOptionIndex = i
+				break
+			}
+		}
+	}
+
+	if mssOptionIndex == -1 {
+		return false
+	}
+
+	ipHeaderSize := int(d.ip4.IHL) * 4
+	if ipHeaderSize < 20 {
+		return false
+	}
+
+	if !m.updateMSSOption(packetData, d, mssOptionIndex, ipHeaderSize) {
+		return false
+	}
+
+	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, m.mssClampValue)
+	return true
+}
+
+func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex, ipHeaderSize int) bool {
+	tcpHeaderStart := ipHeaderSize
+	tcpOptionsStart := tcpHeaderStart + 20
+
+	optOffset := tcpOptionsStart
+	for j := 0; j < mssOptionIndex; j++ {
+		switch d.tcp.Options[j].OptionType {
+		case layers.TCPOptionKindEndList, layers.TCPOptionKindNop:
+			optOffset++
+		default:
+			optOffset += 2 + len(d.tcp.Options[j].OptionData)
+		}
+	}
+
+	mssValueOffset := optOffset + 2
+	binary.BigEndian.PutUint16(packetData[mssValueOffset:mssValueOffset+2], m.mssClampValue)
+
+	m.recalculateTCPChecksum(packetData, d, tcpHeaderStart)
+	return true
+}
+
+func (m *Manager) recalculateTCPChecksum(packetData []byte, d *decoder, tcpHeaderStart int) {
+	tcpLayer := packetData[tcpHeaderStart:]
+	tcpLength := len(packetData) - tcpHeaderStart
+
+	tcpLayer[16] = 0
+	tcpLayer[17] = 0
+
+	var pseudoSum uint32
+	pseudoSum += uint32(d.ip4.SrcIP[0])<<8 | uint32(d.ip4.SrcIP[1])
+	pseudoSum += uint32(d.ip4.SrcIP[2])<<8 | uint32(d.ip4.SrcIP[3])
+	pseudoSum += uint32(d.ip4.DstIP[0])<<8 | uint32(d.ip4.DstIP[1])
+	pseudoSum += uint32(d.ip4.DstIP[2])<<8 | uint32(d.ip4.DstIP[3])
+	pseudoSum += uint32(d.ip4.Protocol)
+	pseudoSum += uint32(tcpLength)
+
+	var sum uint32 = pseudoSum
+	for i := 0; i < tcpLength-1; i += 2 {
+		sum += uint32(tcpLayer[i])<<8 | uint32(tcpLayer[i+1])
+	}
+	if tcpLength%2 == 1 {
+		sum += uint32(tcpLayer[tcpLength-1]) << 8
+	}
+
+	for sum > 0xFFFF {
+		sum = (sum & 0xFFFF) + (sum >> 16)
+	}
+
+	checksum := ^uint16(sum)
+	binary.BigEndian.PutUint16(tcpLayer[16:18], checksum)
+}
+
 func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) {
 	transport := d.decoded[1]
 	switch transport {
@@ -838,9 +968,7 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 		return true
 	}
 
-	// If requested we pass local traffic to internal interfaces to the forwarder.
-	// netstack doesn't have an interface to forward packets to the native stack so we always need to use the forwarder.
-	if m.localForwarding && (m.netstack || dstIP != m.wgIface.Address().IP) {
+	if m.shouldForward(d, dstIP) {
 		return m.handleForwardedLocalTraffic(packetData)
 	}
 
@@ -1274,3 +1402,86 @@ func (m *Manager) DisableRouting() error {
 
 	return nil
 }
+
+// RegisterNetstackService registers a service as listening on the netstack for the given protocol and port
+func (m *Manager) RegisterNetstackService(protocol nftypes.Protocol, port uint16) {
+	m.netstackServiceMutex.Lock()
+	defer m.netstackServiceMutex.Unlock()
+	layerType := m.protocolToLayerType(protocol)
+	key := serviceKey{protocol: layerType, port: port}
+	m.netstackServices[key] = struct{}{}
+	m.logger.Debug3("RegisterNetstackService: registered %s:%d (layerType=%s)", protocol, port, layerType)
+	m.logger.Debug1("RegisterNetstackService: current registry size: %d", len(m.netstackServices))
+}
+
+// UnregisterNetstackService removes a service from the netstack registry
+func (m *Manager) UnregisterNetstackService(protocol nftypes.Protocol, port uint16) {
+	m.netstackServiceMutex.Lock()
+	defer m.netstackServiceMutex.Unlock()
+	layerType := m.protocolToLayerType(protocol)
+	key := serviceKey{protocol: layerType, port: port}
+	delete(m.netstackServices, key)
+	m.logger.Debug2("Unregistered netstack service on protocol %s port %d", protocol, port)
+}
+
+// protocolToLayerType converts nftypes.Protocol to gopacket.LayerType for internal use
+func (m *Manager) protocolToLayerType(protocol nftypes.Protocol) gopacket.LayerType {
+	switch protocol {
+	case nftypes.TCP:
+		return layers.LayerTypeTCP
+	case nftypes.UDP:
+		return layers.LayerTypeUDP
+	case nftypes.ICMP:
+		return layers.LayerTypeICMPv4
+	default:
+		return gopacket.LayerType(0) // Invalid/unknown
+	}
+}
+
+// shouldForward determines if a packet should be forwarded to the forwarder.
+// The forwarder handles routing packets to the native OS network stack.
+// Returns true if packet should go to the forwarder, false if it should go to netstack listeners or the native stack directly.
+func (m *Manager) shouldForward(d *decoder, dstIP netip.Addr) bool {
+	// not enabled, never forward
+	if !m.localForwarding {
+		return false
+	}
+
+	// netstack always needs to forward because it's lacking a native interface
+	// exception for registered netstack services, those should go to netstack listeners
+	if m.netstack {
+		return !m.hasMatchingNetstackService(d)
+	}
+
+	// traffic to our other local interfaces (not NetBird IP) - always forward
+	if dstIP != m.wgIface.Address().IP {
+		return true
+	}
+
+	// traffic to our NetBird IP, not netstack mode - send to netstack listeners
+	return false
+}
+
+// hasMatchingNetstackService checks if there's a registered netstack service for this packet
+func (m *Manager) hasMatchingNetstackService(d *decoder) bool {
+	if len(d.decoded) < 2 {
+		return false
+	}
+
+	var dstPort uint16
+	switch d.decoded[1] {
+	case layers.LayerTypeTCP:
+		dstPort = uint16(d.tcp.DstPort)
+	case layers.LayerTypeUDP:
+		dstPort = uint16(d.udp.DstPort)
+	default:
+		return false
+	}
+
+	key := serviceKey{protocol: d.decoded[1], port: dstPort}
+	m.netstackServiceMutex.RLock()
+	_, exists := m.netstackServices[key]
+	m.netstackServiceMutex.RUnlock()
+
+	return exists
+}

client/firewall/uspfilter/filter_bench_test.go

@@ -17,6 +17,7 @@ import (
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
 
@@ -169,7 +170,7 @@ func BenchmarkCoreFiltering(b *testing.B) {
 				// Create manager and basic setup
 				manager, _ := Create(&IFaceMock{
 					SetFilterFunc: func(device.PacketFilter) error { return nil },
-				}, false, flowLogger)
+				}, false, flowLogger, iface.DefaultMTU)
 				defer b.Cleanup(func() {
 					require.NoError(b, manager.Close(nil))
 				})
@@ -209,7 +210,7 @@ func BenchmarkStateScaling(b *testing.B) {
 		b.Run(fmt.Sprintf("conns_%d", count), func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -252,7 +253,7 @@ func BenchmarkEstablishmentOverhead(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -410,7 +411,7 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -537,7 +538,7 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -620,7 +621,7 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -731,7 +732,7 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -811,7 +812,7 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -896,38 +897,6 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 	}
 }
 
-// generateTCPPacketWithFlags creates a TCP packet with specific flags
-func generateTCPPacketWithFlags(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort, flags uint16) []byte {
-	b.Helper()
-
-	ipv4 := &layers.IPv4{
-		TTL:      64,
-		Version:  4,
-		SrcIP:    srcIP,
-		DstIP:    dstIP,
-		Protocol: layers.IPProtocolTCP,
-	}
-
-	tcp := &layers.TCP{
-		SrcPort: layers.TCPPort(srcPort),
-		DstPort: layers.TCPPort(dstPort),
-	}
-
-	// Set TCP flags
-	tcp.SYN = (flags & uint16(conntrack.TCPSyn)) != 0
-	tcp.ACK = (flags & uint16(conntrack.TCPAck)) != 0
-	tcp.PSH = (flags & uint16(conntrack.TCPPush)) != 0
-	tcp.RST = (flags & uint16(conntrack.TCPRst)) != 0
-	tcp.FIN = (flags & uint16(conntrack.TCPFin)) != 0
-
-	require.NoError(b, tcp.SetNetworkLayerForChecksum(ipv4))
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
-	require.NoError(b, gopacket.SerializeLayers(buf, opts, ipv4, tcp, gopacket.Payload("test")))
-	return buf.Bytes()
-}
-
 func BenchmarkRouteACLs(b *testing.B) {
 	manager := setupRoutedManager(b, "10.10.0.100/16")
 
@@ -990,3 +959,231 @@ func BenchmarkRouteACLs(b *testing.B) {
 		}
 	}
 }
+
+// BenchmarkMSSClamping benchmarks the MSS clamping impact on filterOutbound.
+// This shows the overhead difference between the common case (non-SYN packets, fast path)
+// and the rare case (SYN packets that need clamping, expensive path).
+func BenchmarkMSSClamping(b *testing.B) {
+	scenarios := []struct {
+		name        string
+		description string
+		genPacket   func(*testing.B, net.IP, net.IP) []byte
+		frequency   string
+	}{
+		{
+			name:        "syn_needs_clamp",
+			description: "SYN packet needing MSS clamping",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
+			},
+			frequency: "~0.1% of traffic - EXPENSIVE",
+		},
+		{
+			name:        "syn_no_clamp_needed",
+			description: "SYN packet with already-small MSS",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1200)
+			},
+			frequency: "~0.05% of traffic",
+		},
+		{
+			name:        "tcp_ack",
+			description: "Non-SYN TCP packet (ACK, data transfer)",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
+			},
+			frequency: "~60-70% of traffic - FAST PATH",
+		},
+		{
+			name:        "tcp_psh_ack",
+			description: "TCP data packet (PSH+ACK)",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPPush|conntrack.TCPAck))
+			},
+			frequency: "~10-20% of traffic - FAST PATH",
+		},
+		{
+			name:        "udp",
+			description: "UDP packet",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generatePacket(b, src, dst, 12345, 80, layers.IPProtocolUDP)
+			},
+			frequency: "~20-30% of traffic - FAST PATH",
+		},
+	}
+
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger, iface.DefaultMTU)
+			require.NoError(b, err)
+			defer func() {
+				require.NoError(b, manager.Close(nil))
+			}()
+
+			manager.mssClampEnabled = true
+			manager.mssClampValue = 1240
+
+			srcIP := net.ParseIP("100.64.0.2")
+			dstIP := net.ParseIP("8.8.8.8")
+			packet := sc.genPacket(b, srcIP, dstIP)
+
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				manager.filterOutbound(packet, len(packet))
+			}
+		})
+	}
+}
+
+// BenchmarkMSSClampingOverhead compares overhead of MSS clamping enabled vs disabled
+// for the common case (non-SYN TCP packets).
+func BenchmarkMSSClampingOverhead(b *testing.B) {
+	scenarios := []struct {
+		name      string
+		enabled   bool
+		genPacket func(*testing.B, net.IP, net.IP) []byte
+	}{
+		{
+			name:    "disabled_tcp_ack",
+			enabled: false,
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
+			},
+		},
+		{
+			name:    "enabled_tcp_ack",
+			enabled: true,
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
+			},
+		},
+		{
+			name:    "disabled_syn_needs_clamp",
+			enabled: false,
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
+			},
+		},
+		{
+			name:    "enabled_syn_needs_clamp",
+			enabled: true,
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
+			},
+		},
+	}
+
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger, iface.DefaultMTU)
+			require.NoError(b, err)
+			defer func() {
+				require.NoError(b, manager.Close(nil))
+			}()
+
+			manager.mssClampEnabled = sc.enabled
+			if sc.enabled {
+				manager.mssClampValue = 1240
+			}
+
+			srcIP := net.ParseIP("100.64.0.2")
+			dstIP := net.ParseIP("8.8.8.8")
+			packet := sc.genPacket(b, srcIP, dstIP)
+
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				manager.filterOutbound(packet, len(packet))
+			}
+		})
+	}
+}
+
+// BenchmarkMSSClampingMemory measures memory allocations for common vs rare cases
+func BenchmarkMSSClampingMemory(b *testing.B) {
+	scenarios := []struct {
+		name      string
+		genPacket func(*testing.B, net.IP, net.IP) []byte
+	}{
+		{
+			name: "tcp_ack_fast_path",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
+			},
+		},
+		{
+			name: "syn_needs_clamp",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
+			},
+		},
+		{
+			name: "udp_fast_path",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generatePacket(b, src, dst, 12345, 80, layers.IPProtocolUDP)
+			},
+		},
+	}
+
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger, iface.DefaultMTU)
+			require.NoError(b, err)
+			defer func() {
+				require.NoError(b, manager.Close(nil))
+			}()
+
+			manager.mssClampEnabled = true
+			manager.mssClampValue = 1240
+
+			srcIP := net.ParseIP("100.64.0.2")
+			dstIP := net.ParseIP("8.8.8.8")
+			packet := sc.genPacket(b, srcIP, dstIP)
+
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				manager.filterOutbound(packet, len(packet))
+			}
+		})
+	}
+}
+
+func generateSYNPacketNoMSS(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort uint16) []byte {
+	b.Helper()
+
+	ip := &layers.IPv4{
+		Version:  4,
+		IHL:      5,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+	}
+
+	tcp := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+		SYN:     true,
+		Seq:     1000,
+		Window:  65535,
+	}
+
+	require.NoError(b, tcp.SetNetworkLayerForChecksum(ip))
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{
+		FixLengths:       true,
+		ComputeChecksums: true,
+	}
+
+	require.NoError(b, gopacket.SerializeLayers(buf, opts, ip, tcp, gopacket.Payload([]byte{})))
+	return buf.Bytes()
+}

client/firewall/uspfilter/filter_filter_test.go

@@ -12,6 +12,7 @@ import (
 	wgdevice "golang.zx2c4.com/wireguard/device"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
@@ -31,7 +32,7 @@ func TestPeerACLFiltering(t *testing.T) {
 		},
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NotNil(t, manager)
 
@@ -616,7 +617,7 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 		},
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(tb, err)
 	require.NoError(tb, manager.EnableRouting())
 	require.NotNil(tb, manager)
@@ -1462,7 +1463,7 @@ func TestRouteACLSet(t *testing.T) {
 		},
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))

client/firewall/uspfilter/filter_test.go

@@ -1,6 +1,7 @@
 package uspfilter
 
 import (
+	"encoding/binary"
 	"fmt"
 	"net"
 	"net/netip"
@@ -17,9 +18,11 @@ import (
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/log"
+	nbiface "github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/netflow"
+	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
@@ -66,7 +69,7 @@ func TestManagerCreate(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -86,7 +89,7 @@ func TestManagerAddPeerFiltering(t *testing.T) {
 		},
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -119,7 +122,7 @@ func TestManagerDeleteRule(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -215,7 +218,7 @@ func TestAddUDPPacketHook(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, nbiface.DefaultMTU)
 			require.NoError(t, err)
 
 			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)
@@ -265,7 +268,7 @@ func TestManagerReset(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -304,7 +307,7 @@ func TestNotMatchByIP(t *testing.T) {
 		},
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -367,7 +370,7 @@ func TestRemovePacketHook(t *testing.T) {
 	}
 
 	// creating manager instance
-	manager, err := Create(iface, false, flowLogger)
+	manager, err := Create(iface, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Fatalf("Failed to create Manager: %s", err)
 	}
@@ -413,7 +416,7 @@ func TestRemovePacketHook(t *testing.T) {
 func TestProcessOutgoingHooks(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 
 	manager.udpTracker.Close()
@@ -495,7 +498,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 			ifaceMock := &IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
 			}
-			manager, err := Create(ifaceMock, false, flowLogger)
+			manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 			require.NoError(t, err)
 			time.Sleep(time.Second)
 
@@ -522,7 +525,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 
 	manager.udpTracker.Close() // Close the existing tracker
@@ -729,7 +732,7 @@ func TestUpdateSetMerge(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -815,7 +818,7 @@ func TestUpdateSetDeduplication(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -923,3 +926,327 @@ func TestUpdateSetDeduplication(t *testing.T) {
 		require.Equal(t, tc.expected, isAllowed, tc.desc)
 	}
 }
+
+func TestMSSClamping(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      netip.MustParseAddr("100.10.0.100"),
+				Network: netip.MustParsePrefix("100.10.0.0/16"),
+			}
+		},
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, 1280)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, manager.Close(nil))
+	}()
+
+	require.True(t, manager.mssClampEnabled, "MSS clamping should be enabled by default")
+	expectedMSSValue := uint16(1280 - ipTCPHeaderMinSize)
+	require.Equal(t, expectedMSSValue, manager.mssClampValue, "MSS clamp value should be MTU - 40")
+
+	err = manager.UpdateLocalIPs()
+	require.NoError(t, err)
+
+	srcIP := net.ParseIP("100.10.0.2")
+	dstIP := net.ParseIP("8.8.8.8")
+
+	t.Run("SYN packet with high MSS gets clamped", func(t *testing.T) {
+		highMSS := uint16(1460)
+		packet := generateSYNPacketWithMSS(t, srcIP, dstIP, 12345, 80, highMSS)
+
+		manager.filterOutbound(packet, len(packet))
+
+		d := parsePacket(t, packet)
+		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
+		require.Equal(t, uint8(layers.TCPOptionKindMSS), uint8(d.tcp.Options[0].OptionType))
+		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
+		require.Equal(t, expectedMSSValue, actualMSS, "MSS should be clamped to MTU - 40")
+	})
+
+	t.Run("SYN packet with low MSS unchanged", func(t *testing.T) {
+		lowMSS := uint16(1200)
+		packet := generateSYNPacketWithMSS(t, srcIP, dstIP, 12345, 80, lowMSS)
+
+		manager.filterOutbound(packet, len(packet))
+
+		d := parsePacket(t, packet)
+		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
+		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
+		require.Equal(t, lowMSS, actualMSS, "Low MSS should not be modified")
+	})
+
+	t.Run("SYN-ACK packet gets clamped", func(t *testing.T) {
+		highMSS := uint16(1460)
+		packet := generateSYNACKPacketWithMSS(t, srcIP, dstIP, 12345, 80, highMSS)
+
+		manager.filterOutbound(packet, len(packet))
+
+		d := parsePacket(t, packet)
+		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
+		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
+		require.Equal(t, expectedMSSValue, actualMSS, "MSS in SYN-ACK should be clamped")
+	})
+
+	t.Run("Non-SYN packet unchanged", func(t *testing.T) {
+		packet := generateTCPPacketWithFlags(t, srcIP, dstIP, 12345, 80, uint16(conntrack.TCPAck))
+
+		manager.filterOutbound(packet, len(packet))
+
+		d := parsePacket(t, packet)
+		require.Empty(t, d.tcp.Options, "ACK packet should have no options")
+	})
+}
+
+func generateSYNPacketWithMSS(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, mss uint16) []byte {
+	tb.Helper()
+
+	ipLayer := &layers.IPv4{
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+	}
+
+	tcpLayer := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+		SYN:     true,
+		Window:  65535,
+		Options: []layers.TCPOption{
+			{
+				OptionType:   layers.TCPOptionKindMSS,
+				OptionLength: 4,
+				OptionData:   binary.BigEndian.AppendUint16(nil, mss),
+			},
+		},
+	}
+	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
+	require.NoError(tb, err)
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
+	require.NoError(tb, err)
+
+	return buf.Bytes()
+}
+
+func generateSYNACKPacketWithMSS(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, mss uint16) []byte {
+	tb.Helper()
+
+	ipLayer := &layers.IPv4{
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+	}
+
+	tcpLayer := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+		SYN:     true,
+		ACK:     true,
+		Window:  65535,
+		Options: []layers.TCPOption{
+			{
+				OptionType:   layers.TCPOptionKindMSS,
+				OptionLength: 4,
+				OptionData:   binary.BigEndian.AppendUint16(nil, mss),
+			},
+		},
+	}
+	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
+	require.NoError(tb, err)
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
+	require.NoError(tb, err)
+
+	return buf.Bytes()
+}
+
+func generateTCPPacketWithFlags(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, flags uint16) []byte {
+	tb.Helper()
+
+	ipLayer := &layers.IPv4{
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+	}
+
+	tcpLayer := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+		Window:  65535,
+	}
+
+	if flags&uint16(conntrack.TCPSyn) != 0 {
+		tcpLayer.SYN = true
+	}
+	if flags&uint16(conntrack.TCPAck) != 0 {
+		tcpLayer.ACK = true
+	}
+	if flags&uint16(conntrack.TCPFin) != 0 {
+		tcpLayer.FIN = true
+	}
+	if flags&uint16(conntrack.TCPRst) != 0 {
+		tcpLayer.RST = true
+	}
+	if flags&uint16(conntrack.TCPPush) != 0 {
+		tcpLayer.PSH = true
+	}
+
+	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
+	require.NoError(tb, err)
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
+	require.NoError(tb, err)
+
+	return buf.Bytes()
+}
+
+func TestShouldForward(t *testing.T) {
+	// Set up test addresses
+	wgIP := netip.MustParseAddr("100.10.0.1")
+	otherIP := netip.MustParseAddr("100.10.0.2")
+
+	// Create test manager with mock interface
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}
+	// Set the mock to return our test WG IP
+	ifaceMock.AddressFunc = func() wgaddr.Address {
+		return wgaddr.Address{IP: wgIP, Network: netip.PrefixFrom(wgIP, 24)}
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, manager.Close(nil))
+	}()
+
+	// Helper to create decoder with TCP packet
+	createTCPDecoder := func(dstPort uint16) *decoder {
+		ipv4 := &layers.IPv4{
+			Version:  4,
+			Protocol: layers.IPProtocolTCP,
+			SrcIP:    net.ParseIP("192.168.1.100"),
+			DstIP:    wgIP.AsSlice(),
+		}
+		tcp := &layers.TCP{
+			SrcPort: 54321,
+			DstPort: layers.TCPPort(dstPort),
+		}
+
+		err := tcp.SetNetworkLayerForChecksum(ipv4)
+		require.NoError(t, err)
+
+		buf := gopacket.NewSerializeBuffer()
+		opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+		err = gopacket.SerializeLayers(buf, opts, ipv4, tcp, gopacket.Payload("test"))
+		require.NoError(t, err)
+
+		d := &decoder{
+			decoded: []gopacket.LayerType{},
+		}
+		d.parser = gopacket.NewDecodingLayerParser(
+			layers.LayerTypeIPv4,
+			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+		)
+		d.parser.IgnoreUnsupported = true
+
+		err = d.parser.DecodeLayers(buf.Bytes(), &d.decoded)
+		require.NoError(t, err)
+
+		return d
+	}
+
+	tests := []struct {
+		name              string
+		localForwarding   bool
+		netstack          bool
+		dstIP             netip.Addr
+		serviceRegistered bool
+		servicePort       uint16
+		expected          bool
+		description       string
+	}{
+		{
+			name:            "no local forwarding",
+			localForwarding: false,
+			netstack:        true,
+			dstIP:           wgIP,
+			expected:        false,
+			description:     "should never forward when local forwarding disabled",
+		},
+		{
+			name:            "traffic to other local interface",
+			localForwarding: true,
+			netstack:        false,
+			dstIP:           otherIP,
+			expected:        true,
+			description:     "should forward traffic to our other local interfaces (not NetBird IP)",
+		},
+		{
+			name:            "traffic to NetBird IP, no netstack",
+			localForwarding: true,
+			netstack:        false,
+			dstIP:           wgIP,
+			expected:        false,
+			description:     "should send to netstack listeners (final return false path)",
+		},
+		{
+			name:            "traffic to our IP, netstack mode, no service",
+			localForwarding: true,
+			netstack:        true,
+			dstIP:           wgIP,
+			expected:        true,
+			description:     "should forward when in netstack mode with no matching service",
+		},
+		{
+			name:              "traffic to our IP, netstack mode, with service",
+			localForwarding:   true,
+			netstack:          true,
+			dstIP:             wgIP,
+			serviceRegistered: true,
+			servicePort:       22,
+			expected:          false,
+			description:       "should send to netstack listeners when service is registered",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Configure manager
+			manager.localForwarding = tt.localForwarding
+			manager.netstack = tt.netstack
+
+			// Register service if needed
+			if tt.serviceRegistered {
+				manager.RegisterNetstackService(nftypes.TCP, tt.servicePort)
+				defer manager.UnregisterNetstackService(nftypes.TCP, tt.servicePort)
+			}
+
+			// Create decoder for the test
+			decoder := createTCPDecoder(tt.servicePort)
+			if !tt.serviceRegistered {
+				decoder = createTCPDecoder(8080) // Use non-registered port
+			}
+
+			// Test the method
+			result := manager.shouldForward(decoder, tt.dstIP)
+			require.Equal(t, tt.expected, result, tt.description)
+		})
+	}
+}

client/firewall/uspfilter/forwarder/forwarder.go

@@ -45,7 +45,7 @@ type Forwarder struct {
 	netstack     bool
 }
 
-func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool) (*Forwarder, error) {
+func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
 	s := stack.New(stack.Options{
 		NetworkProtocols: []stack.NetworkProtocolFactory{ipv4.NewProtocol},
 		TransportProtocols: []stack.TransportProtocolFactory{
@@ -56,10 +56,6 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		HandleLocal: false,
 	})
 
-	mtu, err := iface.GetDevice().MTU()
-	if err != nil {
-		return nil, fmt.Errorf("get MTU: %w", err)
-	}
 	nicID := tcpip.NICID(1)
 	endpoint := &endpoint{
 		logger: logger,
@@ -68,7 +64,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	}
 
 	if err := s.CreateNIC(nicID, endpoint); err != nil {
-		return nil, fmt.Errorf("failed to create NIC: %v", err)
+		return nil, fmt.Errorf("create NIC: %v", err)
 	}
 
 	protoAddr := tcpip.ProtocolAddress{

client/firewall/uspfilter/forwarder/udp.go

@@ -49,7 +49,7 @@ type idleConn struct {
 	conn *udpPacketConn
 }
 
-func newUDPForwarder(mtu int, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *udpForwarder {
+func newUDPForwarder(mtu uint16, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *udpForwarder {
 	ctx, cancel := context.WithCancel(context.Background())
 	f := &udpForwarder{
 		logger:     logger,

client/firewall/uspfilter/nat_bench_test.go

@@ -12,6 +12,7 @@ import (
 
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
 
@@ -65,7 +66,7 @@ func BenchmarkDNATTranslation(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
@@ -125,7 +126,7 @@ func BenchmarkDNATTranslation(b *testing.B) {
 func BenchmarkDNATConcurrency(b *testing.B) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(b, err)
 	defer func() {
 		require.NoError(b, manager.Close(nil))
@@ -197,7 +198,7 @@ func BenchmarkDNATScaling(b *testing.B) {
 		b.Run(fmt.Sprintf("mappings_%d", count), func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
@@ -309,7 +310,7 @@ func BenchmarkChecksumUpdate(b *testing.B) {
 func BenchmarkDNATMemoryAllocations(b *testing.B) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(b, err)
 	defer func() {
 		require.NoError(b, manager.Close(nil))
@@ -472,7 +473,7 @@ func BenchmarkPortDNAT(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))

client/firewall/uspfilter/nat_stateful_test.go

@@ -0,0 +1,85 @@
+package uspfilter
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/google/gopacket/layers"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/device"
+)
+
+// TestPortDNATBasic tests basic port DNAT functionality
+func TestPortDNATBasic(t *testing.T) {
+	manager, err := Create(&IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, manager.Close(nil))
+	}()
+
+	// Define peer IPs
+	peerA := netip.MustParseAddr("100.10.0.50")
+	peerB := netip.MustParseAddr("100.10.0.51")
+
+	// Add SSH port redirection rule for peer B (the target)
+	err = manager.addPortRedirection(peerB, layers.LayerTypeTCP, 22, 22022)
+	require.NoError(t, err)
+
+	// Scenario: Peer A connects to Peer B on port 22 (should get NAT)
+	packetAtoB := generateDNATTestPacket(t, peerA, peerB, layers.IPProtocolTCP, 54321, 22)
+	d := parsePacket(t, packetAtoB)
+	translatedAtoB := manager.translateInboundPortDNAT(packetAtoB, d, peerA, peerB)
+	require.True(t, translatedAtoB, "Peer A to Peer B should be translated (NAT applied)")
+
+	// Verify port was translated to 22022
+	d = parsePacket(t, packetAtoB)
+	require.Equal(t, uint16(22022), uint16(d.tcp.DstPort), "Port should be rewritten to 22022")
+
+	// Scenario: Return traffic from Peer B to Peer A should NOT be translated
+	// (prevents double NAT - original port stored in conntrack)
+	returnPacket := generateDNATTestPacket(t, peerB, peerA, layers.IPProtocolTCP, 22022, 54321)
+	d2 := parsePacket(t, returnPacket)
+	translatedReturn := manager.translateInboundPortDNAT(returnPacket, d2, peerB, peerA)
+	require.False(t, translatedReturn, "Return traffic from same IP should not be translated")
+}
+
+// TestPortDNATMultipleRules tests multiple port DNAT rules
+func TestPortDNATMultipleRules(t *testing.T) {
+	manager, err := Create(&IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, manager.Close(nil))
+	}()
+
+	// Define peer IPs
+	peerA := netip.MustParseAddr("100.10.0.50")
+	peerB := netip.MustParseAddr("100.10.0.51")
+
+	// Add SSH port redirection rules for both peers
+	err = manager.addPortRedirection(peerA, layers.LayerTypeTCP, 22, 22022)
+	require.NoError(t, err)
+	err = manager.addPortRedirection(peerB, layers.LayerTypeTCP, 22, 22022)
+	require.NoError(t, err)
+
+	// Test traffic to peer B gets translated
+	packetToB := generateDNATTestPacket(t, peerA, peerB, layers.IPProtocolTCP, 54321, 22)
+	d1 := parsePacket(t, packetToB)
+	translatedToB := manager.translateInboundPortDNAT(packetToB, d1, peerA, peerB)
+	require.True(t, translatedToB, "Traffic to peer B should be translated")
+	d1 = parsePacket(t, packetToB)
+	require.Equal(t, uint16(22022), uint16(d1.tcp.DstPort), "Port should be 22022")
+
+	// Test traffic to peer A gets translated
+	packetToA := generateDNATTestPacket(t, peerB, peerA, layers.IPProtocolTCP, 54322, 22)
+	d2 := parsePacket(t, packetToA)
+	translatedToA := manager.translateInboundPortDNAT(packetToA, d2, peerB, peerA)
+	require.True(t, translatedToA, "Traffic to peer A should be translated")
+	d2 = parsePacket(t, packetToA)
+	require.Equal(t, uint16(22022), uint16(d2.tcp.DstPort), "Port should be 22022")
+}

client/firewall/uspfilter/nat_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
 
@@ -16,7 +17,7 @@ import (
 func TestDNATTranslationCorrectness(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
@@ -100,7 +101,7 @@ func parsePacket(t testing.TB, packetData []byte) *decoder {
 func TestDNATMappingManagement(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
@@ -148,7 +149,7 @@ func TestDNATMappingManagement(t *testing.T) {
 func TestInboundPortDNAT(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
@@ -198,7 +199,7 @@ func TestInboundPortDNAT(t *testing.T) {
 func TestInboundPortDNATNegative(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))

client/firewall/uspfilter/tracer_test.go

@@ -10,6 +10,7 @@ import (
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -44,7 +45,7 @@ func TestTracePacket(t *testing.T) {
 			},
 		}
 
-		m, err := Create(ifaceMock, false, flowLogger)
+		m, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 		require.NoError(t, err)
 
 		if !statefulMode {

client/grpc/dialer.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"errors"
 	"fmt"
 	"runtime"
 	"time"
@@ -12,7 +11,6 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/connectivity"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/keepalive"
@@ -20,9 +18,6 @@ import (
 	"github.com/netbirdio/netbird/util/embeddedroots"
 )
 
-// ErrConnectionShutdown indicates that the connection entered shutdown state before becoming ready
-var ErrConnectionShutdown = errors.New("connection shutdown before ready")
-
 // Backoff returns a backoff configuration for gRPC calls
 func Backoff(ctx context.Context) backoff.BackOff {
 	b := backoff.NewExponentialBackOff()
@@ -31,26 +26,6 @@ func Backoff(ctx context.Context) backoff.BackOff {
 	return backoff.WithContext(b, ctx)
 }
 
-// waitForConnectionReady blocks until the connection becomes ready or fails.
-// Returns an error if the connection times out, is cancelled, or enters shutdown state.
-func waitForConnectionReady(ctx context.Context, conn *grpc.ClientConn) error {
-	conn.Connect()
-
-	state := conn.GetState()
-	for state != connectivity.Ready && state != connectivity.Shutdown {
-		if !conn.WaitForStateChange(ctx, state) {
-			return fmt.Errorf("wait state change from %s: %w", state, ctx.Err())
-		}
-		state = conn.GetState()
-	}
-
-	if state == connectivity.Shutdown {
-		return ErrConnectionShutdown
-	}
-
-	return nil
-}
-
 // CreateConnection creates a gRPC client connection with the appropriate transport options.
 // The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
 func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string) (*grpc.ClientConn, error) {
@@ -68,25 +43,22 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 		}))
 	}
 
-	conn, err := grpc.NewClient(
+	connCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	conn, err := grpc.DialContext(
+		connCtx,
 		addr,
 		transportOption,
 		WithCustomDialer(tlsEnabled, component),
+		grpc.WithBlock(),
 		grpc.WithKeepaliveParams(keepalive.ClientParameters{
 			Time:    30 * time.Second,
 			Timeout: 10 * time.Second,
 		}),
 	)
 	if err != nil {
-		return nil, fmt.Errorf("new client: %w", err)
-	}
-
-	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
-	defer cancel()
-
-	if err := waitForConnectionReady(ctx, conn); err != nil {
-		_ = conn.Close()
-		return nil, err
+		return nil, fmt.Errorf("dial context: %w", err)
 	}
 
 	return conn, nil

client/iface/iface_test.go

@@ -1,6 +1,7 @@
 package iface
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"net/netip"
@@ -9,13 +10,13 @@ import (
 	"time"
 
 	"github.com/google/uuid"
-	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 )
 
 // keep darwin compatibility
@@ -40,7 +41,7 @@ func TestWGIface_UpdateAddr(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
 	addr := "100.64.0.1/8"
 	wgPort := 33100
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -123,7 +124,7 @@ func getIfaceAddrs(ifaceName string) ([]net.Addr, error) {
 func Test_CreateInterface(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+1)
 	wgIP := "10.99.99.1/32"
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -166,7 +167,7 @@ func Test_Close(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+2)
 	wgIP := "10.99.99.2/32"
 	wgPort := 33100
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -211,7 +212,7 @@ func TestRecreation(t *testing.T) {
 			ifaceName := fmt.Sprintf("utun%d", WgIntNumber+2)
 			wgIP := "10.99.99.2/32"
 			wgPort := 33100
-			newNet, err := stdnet.NewNet()
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -284,7 +285,7 @@ func Test_ConfigureInterface(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+3)
 	wgIP := "10.99.99.5/30"
 	wgPort := 33100
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -339,7 +340,7 @@ func Test_ConfigureInterface(t *testing.T) {
 func Test_UpdatePeer(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
 	wgIP := "10.99.99.9/30"
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -409,7 +410,7 @@ func Test_UpdatePeer(t *testing.T) {
 func Test_RemovePeer(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
 	wgIP := "10.99.99.13/30"
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -471,7 +472,7 @@ func Test_ConnectPeers(t *testing.T) {
 	peer2wgPort := 33200
 
 	keepAlive := 1 * time.Second
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -514,7 +515,7 @@ func Test_ConnectPeers(t *testing.T) {
 	guid = fmt.Sprintf("{%s}", uuid.New().String())
 	device.CustomWindowsGUIDString = strings.ToLower(guid)
 
-	newNet, err = stdnet.NewNet()
+	newNet, err = stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}

client/iface/udpmux/mux.go

@@ -1,6 +1,7 @@
 package udpmux
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net"
@@ -12,8 +13,9 @@ import (
 	"github.com/pion/logging"
 	"github.com/pion/stun/v3"
 	"github.com/pion/transport/v3"
-	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 )
 
 /*
@@ -199,7 +201,7 @@ func (m *SingleSocketUDPMux) updateLocalAddresses() {
 		if len(networks) > 0 {
 			if m.params.Net == nil {
 				var err error
-				if m.params.Net, err = stdnet.NewNet(); err != nil {
+				if m.params.Net, err = stdnet.NewNet(context.Background(), nil); err != nil {
 					m.params.Logger.Errorf("failed to get create network: %v", err)
 				}
 			}

client/internal/acl/manager.go

@@ -17,7 +17,6 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/acl/id"
-	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )
@@ -83,22 +82,6 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 	rules := networkMap.FirewallRules
 
-	enableSSH := networkMap.PeerConfig != nil &&
-		networkMap.PeerConfig.SshConfig != nil &&
-		networkMap.PeerConfig.SshConfig.SshEnabled
-
-	// If SSH enabled, add default firewall rule which accepts connection to any peer
-	// in the network by SSH (TCP port defined by ssh.DefaultSSHPort).
-	if enableSSH {
-		rules = append(rules, &mgmProto.FirewallRule{
-			PeerIP:    "0.0.0.0",
-			Direction: mgmProto.RuleDirection_IN,
-			Action:    mgmProto.RuleAction_ACCEPT,
-			Protocol:  mgmProto.RuleProtocol_TCP,
-			Port:      strconv.Itoa(ssh.DefaultSSHPort),
-		})
-	}
-
 	// if we got empty rules list but management not set networkMap.FirewallRulesIsEmpty flag
 	// we have old version of management without rules handling, we should allow all traffic
 	if len(networkMap.FirewallRules) == 0 && !networkMap.FirewallRulesIsEmpty {

client/internal/acl/manager_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/acl/mocks"
 	"github.com/netbirdio/netbird/client/internal/netflow"
@@ -52,7 +53,7 @@ func TestDefaultManager(t *testing.T) {
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		err = fw.Close(nil)
@@ -170,7 +171,7 @@ func TestDefaultManagerStateless(t *testing.T) {
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		err = fw.Close(nil)
@@ -271,70 +272,3 @@ func TestPortInfoEmpty(t *testing.T) {
 		})
 	}
 }
-
-func TestDefaultManagerEnableSSHRules(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		PeerConfig: &mgmProto.PeerConfig{
-			SshConfig: &mgmProto.SSHConfig{
-				SshEnabled: true,
-			},
-		},
-		RemotePeers: []*mgmProto.RemotePeerConfig{
-			{AllowedIps: []string{"10.93.0.1"}},
-			{AllowedIps: []string{"10.93.0.2"}},
-			{AllowedIps: []string{"10.93.0.3"}},
-		},
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.RuleDirection_OUT,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_UDP,
-			},
-		},
-	}
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
-	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
-	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
-
-	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
-	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
-		Network: network,
-	}).AnyTimes()
-	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
-
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
-	require.NoError(t, err)
-	defer func() {
-		err = fw.Close(nil)
-		require.NoError(t, err)
-	}()
-
-	acl := NewDefaultManager(fw)
-
-	acl.ApplyFiltering(networkMap, false)
-
-	expectedRules := 3
-	if fw.IsStateful() {
-		expectedRules = 3 // 2 inbound rules + SSH rule
-	}
-	assert.Equal(t, expectedRules, len(acl.peerRulesPairs))
-}

client/internal/auth/device_flow.go

@@ -128,9 +128,34 @@ func (d *DeviceAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlow
 		deviceCode.VerificationURIComplete = deviceCode.VerificationURI
 	}
 
+	if d.providerConfig.LoginHint != "" {
+		deviceCode.VerificationURIComplete = appendLoginHint(deviceCode.VerificationURIComplete, d.providerConfig.LoginHint)
+		if deviceCode.VerificationURI != "" {
+			deviceCode.VerificationURI = appendLoginHint(deviceCode.VerificationURI, d.providerConfig.LoginHint)
+		}
+	}
+
 	return deviceCode, err
 }
 
+func appendLoginHint(uri, loginHint string) string {
+	if uri == "" || loginHint == "" {
+		return uri
+	}
+
+	parsedURL, err := url.Parse(uri)
+	if err != nil {
+		log.Debugf("failed to parse verification URI for login_hint: %v", err)
+		return uri
+	}
+
+	query := parsedURL.Query()
+	query.Set("login_hint", loginHint)
+	parsedURL.RawQuery = query.Encode()
+
+	return parsedURL.String()
+}
+
 func (d *DeviceAuthorizationFlow) requestToken(info AuthFlowInfo) (TokenRequestResponse, error) {
 	form := url.Values{}
 	form.Add("client_id", d.providerConfig.ClientID)

client/internal/auth/oauth.go

@@ -66,32 +66,34 @@ func (t TokenInfo) GetTokenToUse() string {
 // and if that also fails, the authentication process is deemed unsuccessful
 //
 // On Linux distros without desktop environment support, it only tries to initialize the Device Code Flow
-func NewOAuthFlow(ctx context.Context, config *profilemanager.Config, isUnixDesktopClient bool) (OAuthFlow, error) {
+func NewOAuthFlow(ctx context.Context, config *profilemanager.Config, isUnixDesktopClient bool, hint string) (OAuthFlow, error) {
 	if (runtime.GOOS == "linux" || runtime.GOOS == "freebsd") && !isUnixDesktopClient {
-		return authenticateWithDeviceCodeFlow(ctx, config)
+		return authenticateWithDeviceCodeFlow(ctx, config, hint)
 	}
 
-	pkceFlow, err := authenticateWithPKCEFlow(ctx, config)
+	pkceFlow, err := authenticateWithPKCEFlow(ctx, config, hint)
 	if err != nil {
-		// fallback to device code flow
 		log.Debugf("failed to initialize pkce authentication with error: %v\n", err)
 		log.Debug("falling back to device code flow")
-		return authenticateWithDeviceCodeFlow(ctx, config)
+		return authenticateWithDeviceCodeFlow(ctx, config, hint)
 	}
 	return pkceFlow, nil
 }
 
 // authenticateWithPKCEFlow initializes the Proof Key for Code Exchange flow auth flow
-func authenticateWithPKCEFlow(ctx context.Context, config *profilemanager.Config) (OAuthFlow, error) {
+func authenticateWithPKCEFlow(ctx context.Context, config *profilemanager.Config, hint string) (OAuthFlow, error) {
 	pkceFlowInfo, err := internal.GetPKCEAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL, config.ClientCertKeyPair)
 	if err != nil {
 		return nil, fmt.Errorf("getting pkce authorization flow info failed with error: %v", err)
 	}
+
+	pkceFlowInfo.ProviderConfig.LoginHint = hint
+
 	return NewPKCEAuthorizationFlow(pkceFlowInfo.ProviderConfig)
 }
 
 // authenticateWithDeviceCodeFlow initializes the Device Code auth Flow
-func authenticateWithDeviceCodeFlow(ctx context.Context, config *profilemanager.Config) (OAuthFlow, error) {
+func authenticateWithDeviceCodeFlow(ctx context.Context, config *profilemanager.Config, hint string) (OAuthFlow, error) {
 	deviceFlowInfo, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL)
 	if err != nil {
 		switch s, ok := gstatus.FromError(err); {
@@ -107,5 +109,7 @@ func authenticateWithDeviceCodeFlow(ctx context.Context, config *profilemanager.
 		}
 	}
 
+	deviceFlowInfo.ProviderConfig.LoginHint = hint
+
 	return NewDeviceAuthorizationFlow(deviceFlowInfo.ProviderConfig)
 }

client/internal/auth/pkce_flow.go

@@ -109,6 +109,9 @@ func (p *PKCEAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowIn
 			params = append(params, oauth2.SetAuthURLParam("max_age", "0"))
 		}
 	}
+	if p.providerConfig.LoginHint != "" {
+		params = append(params, oauth2.SetAuthURLParam("login_hint", p.providerConfig.LoginHint))
+	}
 
 	authURL := p.oAuthConfig.AuthCodeURL(state, params...)
 
@@ -189,17 +192,20 @@ func (p *PKCEAuthorizationFlow) handleRequest(req *http.Request) (*oauth2.Token,
 
 	if authError := query.Get(queryError); authError != "" {
 		authErrorDesc := query.Get(queryErrorDesc)
-		return nil, fmt.Errorf("%s.%s", authError, authErrorDesc)
+		if authErrorDesc != "" {
+			return nil, fmt.Errorf("authentication failed: %s", authErrorDesc)
+		}
+		return nil, fmt.Errorf("authentication failed: %s", authError)
 	}
 
 	// Prevent timing attacks on the state
 	if state := query.Get(queryState); subtle.ConstantTimeCompare([]byte(p.state), []byte(state)) == 0 {
-		return nil, fmt.Errorf("invalid state")
+		return nil, fmt.Errorf("authentication failed: Invalid state")
 	}
 
 	code := query.Get(queryCode)
 	if code == "" {
-		return nil, fmt.Errorf("missing code")
+		return nil, fmt.Errorf("authentication failed: missing code")
 	}
 
 	return p.oAuthConfig.Exchange(
@@ -228,7 +234,7 @@ func (p *PKCEAuthorizationFlow) parseOAuthToken(token *oauth2.Token) (TokenInfo,
 	}
 
 	if err := isValidAccessToken(tokenInfo.GetTokenToUse(), audience); err != nil {
-		return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
+		return TokenInfo{}, fmt.Errorf("authentication failed: invalid access token - %w", err)
 	}
 
 	email, err := parseEmailFromIDToken(tokenInfo.IDToken)

client/internal/connect.go

@@ -25,6 +25,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
+	nbnet "github.com/netbirdio/netbird/client/net"
 	cProto "github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
@@ -34,7 +35,6 @@ import (
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/util"
-	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/version"
 )
 
@@ -289,15 +289,18 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		}
 
 		<-engineCtx.Done()
+
 		c.engineMutex.Lock()
-		if c.engine != nil && c.engine.wgInterface != nil {
-			log.Infof("ensuring %s is removed, Netbird engine context cancelled", c.engine.wgInterface.Name())
-			if err := c.engine.Stop(); err != nil {
+		engine := c.engine
+		c.engine = nil
+		c.engineMutex.Unlock()
+
+		if engine != nil && engine.wgInterface != nil {
+			log.Infof("ensuring %s is removed, Netbird engine context cancelled", engine.wgInterface.Name())
+			if err := engine.Stop(); err != nil {
 				log.Errorf("Failed to stop engine: %v", err)
 			}
-			c.engine = nil
 		}
-		c.engineMutex.Unlock()
 		c.statusRecorder.ClientTeardown()
 
 		backOff.Reset()
@@ -382,19 +385,12 @@ func (c *ConnectClient) Status() StatusType {
 }
 
 func (c *ConnectClient) Stop() error {
-	if c == nil {
-		return nil
+	engine := c.Engine()
+	if engine != nil {
+		if err := engine.Stop(); err != nil {
+			return fmt.Errorf("stop engine: %w", err)
+		}
 	}
-	c.engineMutex.Lock()
-	defer c.engineMutex.Unlock()
-
-	if c.engine == nil {
-		return nil
-	}
-	if err := c.engine.Stop(); err != nil {
-		return fmt.Errorf("stop engine: %w", err)
-	}
-
 	return nil
 }
 
@@ -420,20 +416,25 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		nm = *config.NetworkMonitor
 	}
 	engineConf := &EngineConfig{
-		WgIfaceName:          config.WgIface,
-		WgAddr:               peerConfig.Address,
-		IFaceBlackList:       config.IFaceBlackList,
-		DisableIPv6Discovery: config.DisableIPv6Discovery,
-		WgPrivateKey:         key,
-		WgPort:               config.WgPort,
-		NetworkMonitor:       nm,
-		SSHKey:               []byte(config.SSHKey),
-		NATExternalIPs:       config.NATExternalIPs,
-		CustomDNSAddress:     config.CustomDNSAddress,
-		RosenpassEnabled:     config.RosenpassEnabled,
-		RosenpassPermissive:  config.RosenpassPermissive,
-		ServerSSHAllowed:     util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
-		DNSRouteInterval:     config.DNSRouteInterval,
+		WgIfaceName:                   config.WgIface,
+		WgAddr:                        peerConfig.Address,
+		IFaceBlackList:                config.IFaceBlackList,
+		DisableIPv6Discovery:          config.DisableIPv6Discovery,
+		WgPrivateKey:                  key,
+		WgPort:                        config.WgPort,
+		NetworkMonitor:                nm,
+		SSHKey:                        []byte(config.SSHKey),
+		NATExternalIPs:                config.NATExternalIPs,
+		CustomDNSAddress:              config.CustomDNSAddress,
+		RosenpassEnabled:              config.RosenpassEnabled,
+		RosenpassPermissive:           config.RosenpassPermissive,
+		ServerSSHAllowed:              util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
+		EnableSSHRoot:                 config.EnableSSHRoot,
+		EnableSSHSFTP:                 config.EnableSSHSFTP,
+		EnableSSHLocalPortForwarding:  config.EnableSSHLocalPortForwarding,
+		EnableSSHRemotePortForwarding: config.EnableSSHRemotePortForwarding,
+		DisableSSHAuth:                config.DisableSSHAuth,
+		DNSRouteInterval:              config.DNSRouteInterval,
 
 		DisableClientRoutes: config.DisableClientRoutes,
 		DisableServerRoutes: config.DisableServerRoutes || config.BlockInbound,
@@ -519,6 +520,11 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.BlockLANAccess,
 		config.BlockInbound,
 		config.LazyConnectionEnabled,
+		config.EnableSSHRoot,
+		config.EnableSSHSFTP,
+		config.EnableSSHLocalPortForwarding,
+		config.EnableSSHRemotePortForwarding,
+		config.DisableSSHAuth,
 	)
 	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey, config.DNSLabels)
 	if err != nil {

client/internal/debug/debug.go

@@ -44,6 +44,8 @@ interfaces.txt: Anonymized network interface information, if --system-info flag
 ip_rules.txt: Detailed IP routing rules in tabular format including priority, source, destination, interfaces, table, and action information (Linux only), if --system-info flag was provided.
 iptables.txt: Anonymized iptables rules with packet counters, if --system-info flag was provided.
 nftables.txt: Anonymized nftables rules with packet counters, if --system-info flag was provided.
+resolv.conf: DNS resolver configuration from /etc/resolv.conf (Unix systems only), if --system-info flag was provided.
+scutil_dns.txt: DNS configuration from scutil --dns (macOS only), if --system-info flag was provided.
 resolved_domains.txt: Anonymized resolved domain IP addresses from the status recorder.
 config.txt: Anonymized configuration information of the NetBird client.
 network_map.json: Anonymized sync response containing peer configurations, routes, DNS settings, and firewall rules.
@@ -184,6 +186,20 @@ The ip_rules.txt file contains detailed IP routing rule information:
 The table format provides comprehensive visibility into the IP routing decision process, including how traffic is directed to different routing tables based on various criteria. This is valuable for troubleshooting advanced routing configurations and policy-based routing.
 
 For anonymized rules, IP addresses and prefixes are replaced as described above. Interface names are anonymized using string anonymization. Table names, actions, and other non-sensitive information remain unchanged.
+
+DNS Configuration
+The debug bundle includes platform-specific DNS configuration files:
+
+resolv.conf (Unix systems):
+- Contains DNS resolver configuration from /etc/resolv.conf
+- Includes nameserver entries, search domains, and resolver options
+- All IP addresses and domain names are anonymized following the same rules as other files
+
+scutil_dns.txt (macOS only):
+- Contains detailed DNS configuration from scutil --dns
+- Shows DNS configuration for all network interfaces
+- Includes search domains, nameservers, and DNS resolver settings
+- All IP addresses and domain names are anonymized
 `
 
 const (
@@ -357,6 +373,10 @@ func (g *BundleGenerator) addSystemInfo() {
 	if err := g.addFirewallRules(); err != nil {
 		log.Errorf("failed to add firewall rules to debug bundle: %v", err)
 	}
+
+	if err := g.addDNSInfo(); err != nil {
+		log.Errorf("failed to add DNS info to debug bundle: %v", err)
+	}
 }
 
 func (g *BundleGenerator) addReadme() error {
@@ -433,6 +453,18 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	if g.internalConfig.ServerSSHAllowed != nil {
 		configContent.WriteString(fmt.Sprintf("ServerSSHAllowed: %v\n", *g.internalConfig.ServerSSHAllowed))
 	}
+	if g.internalConfig.EnableSSHRoot != nil {
+		configContent.WriteString(fmt.Sprintf("EnableSSHRoot: %v\n", *g.internalConfig.EnableSSHRoot))
+	}
+	if g.internalConfig.EnableSSHSFTP != nil {
+		configContent.WriteString(fmt.Sprintf("EnableSSHSFTP: %v\n", *g.internalConfig.EnableSSHSFTP))
+	}
+	if g.internalConfig.EnableSSHLocalPortForwarding != nil {
+		configContent.WriteString(fmt.Sprintf("EnableSSHLocalPortForwarding: %v\n", *g.internalConfig.EnableSSHLocalPortForwarding))
+	}
+	if g.internalConfig.EnableSSHRemotePortForwarding != nil {
+		configContent.WriteString(fmt.Sprintf("EnableSSHRemotePortForwarding: %v\n", *g.internalConfig.EnableSSHRemotePortForwarding))
+	}
 
 	configContent.WriteString(fmt.Sprintf("DisableClientRoutes: %v\n", g.internalConfig.DisableClientRoutes))
 	configContent.WriteString(fmt.Sprintf("DisableServerRoutes: %v\n", g.internalConfig.DisableServerRoutes))

client/internal/debug/debug_darwin.go

@@ -0,0 +1,53 @@
+//go:build darwin && !ios
+
+package debug
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os/exec"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// addDNSInfo collects and adds DNS configuration information to the archive
+func (g *BundleGenerator) addDNSInfo() error {
+	if err := g.addResolvConf(); err != nil {
+		log.Errorf("failed to add resolv.conf: %v", err)
+	}
+
+	if err := g.addScutilDNS(); err != nil {
+		log.Errorf("failed to add scutil DNS output: %v", err)
+	}
+
+	return nil
+}
+
+func (g *BundleGenerator) addScutilDNS() error {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, "scutil", "--dns")
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("execute scutil --dns: %w", err)
+	}
+
+	if len(bytes.TrimSpace(output)) == 0 {
+		return fmt.Errorf("no scutil DNS output")
+	}
+
+	content := string(output)
+	if g.anonymize {
+		content = g.anonymizer.AnonymizeString(content)
+	}
+
+	if err := g.addFileToZip(strings.NewReader(content), "scutil_dns.txt"); err != nil {
+		return fmt.Errorf("add scutil DNS output to zip: %w", err)
+	}
+
+	return nil
+}

client/internal/debug/debug_mobile.go

@@ -5,3 +5,7 @@ package debug
 func (g *BundleGenerator) addRoutes() error {
 	return nil
 }
+
+func (g *BundleGenerator) addDNSInfo() error {
+	return nil
+}

client/internal/debug/debug_nondarwin.go

@@ -0,0 +1,16 @@
+//go:build unix && !darwin && !android
+
+package debug
+
+import (
+	log "github.com/sirupsen/logrus"
+)
+
+// addDNSInfo collects and adds DNS configuration information to the archive
+func (g *BundleGenerator) addDNSInfo() error {
+	if err := g.addResolvConf(); err != nil {
+		log.Errorf("failed to add resolv.conf: %v", err)
+	}
+
+	return nil
+}

client/internal/debug/debug_nonunix.go

@@ -0,0 +1,7 @@
+//go:build !unix
+
+package debug
+
+func (g *BundleGenerator) addDNSInfo() error {
+	return nil
+}

client/internal/debug/debug_unix.go

@@ -0,0 +1,29 @@
+//go:build unix && !android
+
+package debug
+
+import (
+	"fmt"
+	"os"
+	"strings"
+)
+
+const resolvConfPath = "/etc/resolv.conf"
+
+func (g *BundleGenerator) addResolvConf() error {
+	data, err := os.ReadFile(resolvConfPath)
+	if err != nil {
+		return fmt.Errorf("read %s: %w", resolvConfPath, err)
+	}
+
+	content := string(data)
+	if g.anonymize {
+		content = g.anonymizer.AnonymizeString(content)
+	}
+
+	if err := g.addFileToZip(strings.NewReader(content), "resolv.conf"); err != nil {
+		return fmt.Errorf("add resolv.conf to zip: %w", err)
+	}
+
+	return nil
+}

client/internal/device_auth.go

@@ -38,6 +38,8 @@ type DeviceAuthProviderConfig struct {
 	Scope string
 	// UseIDToken indicates if the id token should be used for authentication
 	UseIDToken bool
+	// LoginHint is used to pre-fill the email/username field during authentication
+	LoginHint string
 }
 
 // GetDeviceAuthorizationFlowInfo initialize a DeviceAuthorizationFlow instance and return with it

client/internal/dns/server.go

@@ -65,8 +65,9 @@ type hostManagerWithOriginalNS interface {
 
 // DefaultServer dns server object
 type DefaultServer struct {
-	ctx       context.Context
-	ctxCancel context.CancelFunc
+	ctx        context.Context
+	ctxCancel  context.CancelFunc
+	shutdownWg sync.WaitGroup
 	// disableSys disables system DNS management (e.g., /etc/resolv.conf updates) while keeping the DNS service running.
 	// This is different from ServiceEnable=false from management which completely disables the DNS service.
 	disableSys         bool
@@ -318,6 +319,7 @@ func (s *DefaultServer) DnsIP() netip.Addr {
 // Stop stops the server
 func (s *DefaultServer) Stop() {
 	s.ctxCancel()
+	s.shutdownWg.Wait()
 
 	s.mux.Lock()
 	defer s.mux.Unlock()
@@ -507,8 +509,9 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 
 	s.applyHostConfig()
 
+	s.shutdownWg.Add(1)
 	go func() {
-		// persist dns state right away
+		defer s.shutdownWg.Done()
 		if err := s.stateManager.PersistState(s.ctx); err != nil {
 			log.Errorf("Failed to persist dns state: %v", err)
 		}

client/internal/dns/server_test.go

@@ -335,7 +335,7 @@ func TestUpdateDNSServer(t *testing.T) {
 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			privKey, _ := wgtypes.GenerateKey()
-			newNet, err := stdnet.NewNet(nil)
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -434,7 +434,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	defer t.Setenv("NB_WG_KERNEL_DISABLED", ov)
 
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	newNet, err := stdnet.NewNet([]string{"utun2301"})
+	newNet, err := stdnet.NewNet(context.Background(), []string{"utun2301"})
 	if err != nil {
 		t.Errorf("create stdnet: %v", err)
 		return
@@ -915,7 +915,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 	defer t.Setenv("NB_WG_KERNEL_DISABLED", ov)
 
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	newNet, err := stdnet.NewNet([]string{"utun2301"})
+	newNet, err := stdnet.NewNet(context.Background(), []string{"utun2301"})
 	if err != nil {
 		t.Fatalf("create stdnet: %v", err)
 		return nil, err
@@ -944,7 +944,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 		return nil, err
 	}
 
-	pf, err := uspfilter.Create(wgIface, false, flowLogger)
+	pf, err := uspfilter.Create(wgIface, false, flowLogger, iface.DefaultMTU)
 	if err != nil {
 		t.Fatalf("failed to create uspfilter: %v", err)
 		return nil, err

client/internal/dnsfwd/cache_test.go

@@ -83,4 +83,3 @@ func TestCacheMiss(t *testing.T) {
 		t.Fatalf("expected cache miss, got=%v ok=%v", got, ok)
 	}
 }
-

client/internal/dnsfwd/forwarder.go

@@ -14,6 +14,7 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -33,7 +34,7 @@ type firewaller interface {
 }
 
 type DNSForwarder struct {
-	listenAddress  string
+	listenAddress  netip.AddrPort
 	ttl            uint32
 	statusRecorder *peer.Status
 
@@ -47,9 +48,11 @@ type DNSForwarder struct {
 	firewall   firewaller
 	resolver   resolver
 	cache      *cache
+
+	wgIface wgIface
 }
 
-func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewaller, statusRecorder *peer.Status) *DNSForwarder {
+func NewDNSForwarder(listenAddress netip.AddrPort, ttl uint32, firewall firewaller, statusRecorder *peer.Status, wgIface wgIface) *DNSForwarder {
 	log.Debugf("creating DNS forwarder with listen_address=%s ttl=%d", listenAddress, ttl)
 	return &DNSForwarder{
 		listenAddress:  listenAddress,
@@ -58,30 +61,46 @@ func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewaller, stat
 		statusRecorder: statusRecorder,
 		resolver:       net.DefaultResolver,
 		cache:          newCache(),
+		wgIface:        wgIface,
 	}
 }
 
 func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
-	log.Infof("starting DNS forwarder on address=%s", f.listenAddress)
+	var netstackNet *netstack.Net
+	if f.wgIface != nil {
+		netstackNet = f.wgIface.GetNet()
+	}
+
+	addrDesc := f.listenAddress.String()
+	if netstackNet != nil {
+		addrDesc = fmt.Sprintf("netstack %s", f.listenAddress)
+	}
+	log.Infof("starting DNS forwarder on address=%s", addrDesc)
+
+	udpLn, err := f.createUDPListener(netstackNet)
+	if err != nil {
+		return fmt.Errorf("create UDP listener: %w", err)
+	}
+
+	tcpLn, err := f.createTCPListener(netstackNet)
+	if err != nil {
+		return fmt.Errorf("create TCP listener: %w", err)
+	}
 
-	// UDP server
 	mux := dns.NewServeMux()
 	f.mux = mux
 	mux.HandleFunc(".", f.handleDNSQueryUDP)
 	f.dnsServer = &dns.Server{
-		Addr:    f.listenAddress,
-		Net:     "udp",
-		Handler: mux,
+		PacketConn: udpLn,
+		Handler:    mux,
 	}
 
-	// TCP server
 	tcpMux := dns.NewServeMux()
 	f.tcpMux = tcpMux
 	tcpMux.HandleFunc(".", f.handleDNSQueryTCP)
 	f.tcpServer = &dns.Server{
-		Addr:    f.listenAddress,
-		Net:     "tcp",
-		Handler: tcpMux,
+		Listener: tcpLn,
+		Handler:  tcpMux,
 	}
 
 	f.UpdateDomains(entries)
@@ -89,18 +108,33 @@ func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
 	errCh := make(chan error, 2)
 
 	go func() {
-		log.Infof("DNS UDP listener running on %s", f.listenAddress)
-		errCh <- f.dnsServer.ListenAndServe()
+		log.Infof("DNS UDP listener running on %s", addrDesc)
+		errCh <- f.dnsServer.ActivateAndServe()
 	}()
 	go func() {
-		log.Infof("DNS TCP listener running on %s", f.listenAddress)
-		errCh <- f.tcpServer.ListenAndServe()
+		log.Infof("DNS TCP listener running on %s", addrDesc)
+		errCh <- f.tcpServer.ActivateAndServe()
 	}()
 
-	// return the first error we get (e.g. bind failure or shutdown)
 	return <-errCh
 }
 
+func (f *DNSForwarder) createUDPListener(netstackNet *netstack.Net) (net.PacketConn, error) {
+	if netstackNet != nil {
+		return netstackNet.ListenUDPAddrPort(f.listenAddress)
+	}
+
+	return net.ListenUDP("udp", net.UDPAddrFromAddrPort(f.listenAddress))
+}
+
+func (f *DNSForwarder) createTCPListener(netstackNet *netstack.Net) (net.Listener, error) {
+	if netstackNet != nil {
+		return netstackNet.ListenTCPAddrPort(f.listenAddress)
+	}
+
+	return net.ListenTCP("tcp", net.TCPAddrFromAddrPort(f.listenAddress))
+}
+
 func (f *DNSForwarder) UpdateDomains(entries []*ForwarderEntry) {
 	f.mutex.Lock()
 	defer f.mutex.Unlock()

client/internal/dnsfwd/forwarder_test.go

@@ -297,7 +297,7 @@ func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
 				mockResolver.On("LookupNetIP", mock.Anything, "ip4", dns.Fqdn(tt.queryDomain)).Return([]netip.Addr{fakeIP}, nil)
 			}
 
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 			forwarder.resolver = mockResolver
 
 			d, err := domain.FromString(tt.configuredDomain)
@@ -402,7 +402,7 @@ func TestDNSForwarder_FirewallSetUpdates(t *testing.T) {
 			mockResolver := &MockResolver{}
 
 			// Set up forwarder
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 			forwarder.resolver = mockResolver
 
 			// Create entries and track sets
@@ -489,7 +489,7 @@ func TestDNSForwarder_MultipleIPsInSingleUpdate(t *testing.T) {
 	mockFirewall := &MockFirewall{}
 	mockResolver := &MockResolver{}
 
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver
 
 	// Configure a single domain
@@ -584,7 +584,7 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 
 			d, err := domain.FromString(tt.configured)
 			require.NoError(t, err)
@@ -616,7 +616,7 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 func TestDNSForwarder_TCPTruncation(t *testing.T) {
 	// Test that large UDP responses are truncated with TC bit set
 	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver
 
 	d, _ := domain.FromString("example.com")
@@ -652,7 +652,7 @@ func TestDNSForwarder_TCPTruncation(t *testing.T) {
 // a subsequent upstream failure still returns a successful response from cache.
 func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver
 
 	d, err := domain.FromString("example.com")
@@ -696,7 +696,7 @@ func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 // Verifies that cache normalization works across casing and trailing dot variations.
 func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {
 	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver
 
 	d, err := domain.FromString("ExAmPlE.CoM")
@@ -742,7 +742,7 @@ func TestDNSForwarder_MultipleOverlappingPatterns(t *testing.T) {
 	mockFirewall := &MockFirewall{}
 	mockResolver := &MockResolver{}
 
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver
 
 	// Set up complex overlapping patterns
@@ -804,7 +804,7 @@ func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {
 	mockFirewall := &MockFirewall{}
 	mockResolver := &MockResolver{}
 
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver
 
 	d, err := domain.FromString("example.com")
@@ -925,7 +925,7 @@ func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {
 
 func TestDNSForwarder_EmptyQuery(t *testing.T) {
 	// Test handling of malformed query with no questions
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 
 	query := &dns.Msg{}
 	// Don't set any question

client/internal/dnsfwd/manager.go

@@ -10,9 +10,12 @@ import (
 
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
@@ -24,6 +27,12 @@ const (
 	envServerPort = "NB_DNS_FORWARDER_PORT"
 )
 
+// wgIface defines the interface for WireGuard interface operations needed by the DNS forwarder.
+type wgIface interface {
+	GetNet() *netstack.Net
+	Address() wgaddr.Address
+}
+
 // ForwarderEntry is a mapping from a domain to a resource ID and a hash of the parent domain list.
 type ForwarderEntry struct {
 	Domain domain.Domain
@@ -34,7 +43,7 @@ type ForwarderEntry struct {
 type Manager struct {
 	firewall       firewall.Manager
 	statusRecorder *peer.Status
-	localAddr      netip.Addr
+	wgIface        wgIface
 	serverPort     uint16
 
 	fwRules      []firewall.Rule
@@ -42,7 +51,7 @@ type Manager struct {
 	dnsForwarder *DNSForwarder
 }
 
-func NewManager(fw firewall.Manager, statusRecorder *peer.Status, localAddr netip.Addr) *Manager {
+func NewManager(fw firewall.Manager, statusRecorder *peer.Status, wgIface wgIface) *Manager {
 	serverPort := nbdns.ForwarderServerPort
 	if envPort := os.Getenv(envServerPort); envPort != "" {
 		if port, err := strconv.ParseUint(envPort, 10, 16); err == nil && port > 0 {
@@ -56,7 +65,7 @@ func NewManager(fw firewall.Manager, statusRecorder *peer.Status, localAddr neti
 	return &Manager{
 		firewall:       fw,
 		statusRecorder: statusRecorder,
-		localAddr:      localAddr,
+		wgIface:        wgIface,
 		serverPort:     serverPort,
 	}
 }
@@ -71,21 +80,25 @@ func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 		return err
 	}
 
-	if m.localAddr.IsValid() && m.firewall != nil {
-		if err := m.firewall.AddInboundDNAT(m.localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
+	localAddr := m.wgIface.Address().IP
+
+	if localAddr.IsValid() && m.firewall != nil {
+		if err := m.firewall.AddInboundDNAT(localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
 			log.Warnf("failed to add DNS UDP DNAT rule: %v", err)
 		} else {
-			log.Infof("added DNS UDP DNAT rule: %s:%d -> %s:%d", m.localAddr, nbdns.ForwarderClientPort, m.localAddr, m.serverPort)
+			log.Infof("added DNS UDP DNAT rule: %s:%d -> %s:%d", localAddr, nbdns.ForwarderClientPort, localAddr, m.serverPort)
 		}
 
-		if err := m.firewall.AddInboundDNAT(m.localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
+		if err := m.firewall.AddInboundDNAT(localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
 			log.Warnf("failed to add DNS TCP DNAT rule: %v", err)
 		} else {
-			log.Infof("added DNS TCP DNAT rule: %s:%d -> %s:%d", m.localAddr, nbdns.ForwarderClientPort, m.localAddr, m.serverPort)
+			log.Infof("added DNS TCP DNAT rule: %s:%d -> %s:%d", localAddr, nbdns.ForwarderClientPort, localAddr, m.serverPort)
 		}
 	}
 
-	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", m.serverPort), dnsTTL, m.firewall, m.statusRecorder)
+	listenAddress := netip.AddrPortFrom(localAddr, m.serverPort)
+	m.dnsForwarder = NewDNSForwarder(listenAddress, dnsTTL, m.firewall, m.statusRecorder, m.wgIface)
+
 	go func() {
 		if err := m.dnsForwarder.Listen(fwdEntries); err != nil {
 			// todo handle close error if it is exists
@@ -111,16 +124,19 @@ func (m *Manager) Stop(ctx context.Context) error {
 
 	var mErr *multierror.Error
 
-	if m.localAddr.IsValid() && m.firewall != nil {
-		if err := m.firewall.RemoveInboundDNAT(m.localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
+	localAddr := m.wgIface.Address().IP
+	if localAddr.IsValid() && m.firewall != nil {
+		if err := m.firewall.RemoveInboundDNAT(localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
 			mErr = multierror.Append(mErr, fmt.Errorf("remove DNS UDP DNAT rule: %w", err))
 		}
 
-		if err := m.firewall.RemoveInboundDNAT(m.localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
+		if err := m.firewall.RemoveInboundDNAT(localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
 			mErr = multierror.Append(mErr, fmt.Errorf("remove DNS TCP DNAT rule: %w", err))
 		}
 	}
 
+	m.unregisterNetstackServices()
+
 	if err := m.dropDNSFirewall(); err != nil {
 		mErr = multierror.Append(mErr, err)
 	}
@@ -145,21 +161,50 @@ func (m *Manager) allowDNSFirewall() error {
 
 	dnsRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolUDP, nil, dport, firewall.ActionAccept, "")
 	if err != nil {
-		log.Errorf("failed to add allow DNS router rules, err: %v", err)
-		return err
+		return fmt.Errorf("add udp firewall rule: %w", err)
 	}
-	m.fwRules = dnsRules
 
 	tcpRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolTCP, nil, dport, firewall.ActionAccept, "")
 	if err != nil {
-		log.Errorf("failed to add allow DNS router rules, err: %v", err)
-		return err
+		return fmt.Errorf("add tcp firewall rule: %w", err)
 	}
+
+	if err := m.firewall.Flush(); err != nil {
+		return fmt.Errorf("flush: %w", err)
+	}
+
+	m.fwRules = dnsRules
 	m.tcpRules = tcpRules
 
+	m.registerNetstackServices()
+
 	return nil
 }
 
+func (m *Manager) registerNetstackServices() {
+	if netstackNet := m.wgIface.GetNet(); netstackNet != nil {
+		if registrar, ok := m.firewall.(interface {
+			RegisterNetstackService(protocol nftypes.Protocol, port uint16)
+		}); ok {
+			registrar.RegisterNetstackService(nftypes.TCP, m.serverPort)
+			registrar.RegisterNetstackService(nftypes.UDP, m.serverPort)
+			log.Debugf("registered DNS forwarder service with netstack for UDP/TCP:%d", m.serverPort)
+		}
+	}
+}
+
+func (m *Manager) unregisterNetstackServices() {
+	if netstackNet := m.wgIface.GetNet(); netstackNet != nil {
+		if registrar, ok := m.firewall.(interface {
+			UnregisterNetstackService(protocol nftypes.Protocol, port uint16)
+		}); ok {
+			registrar.UnregisterNetstackService(nftypes.TCP, m.serverPort)
+			registrar.UnregisterNetstackService(nftypes.UDP, m.serverPort)
+			log.Debugf("unregistered DNS forwarder service with netstack for UDP/TCP:%d", m.serverPort)
+		}
+	}
+}
+
 func (m *Manager) dropDNSFirewall() error {
 	var mErr *multierror.Error
 	for _, rule := range m.fwRules {

client/internal/engine.go

@@ -9,7 +9,6 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
-	"reflect"
 	"runtime"
 	"slices"
 	"sort"
@@ -30,7 +29,6 @@ import (
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
-	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
@@ -51,10 +49,10 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	cProto "github.com/netbirdio/netbird/client/proto"
+	sshconfig "github.com/netbirdio/netbird/client/ssh/config"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 
-	nbssh "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
@@ -115,7 +113,12 @@ type EngineConfig struct {
 	RosenpassEnabled    bool
 	RosenpassPermissive bool
 
-	ServerSSHAllowed bool
+	ServerSSHAllowed              bool
+	EnableSSHRoot                 *bool
+	EnableSSHSFTP                 *bool
+	EnableSSHLocalPortForwarding  *bool
+	EnableSSHRemotePortForwarding *bool
+	DisableSSHAuth                *bool
 
 	DNSRouteInterval time.Duration
 
@@ -173,8 +176,7 @@ type Engine struct {
 
 	networkMonitor *networkmonitor.NetworkMonitor
 
-	sshServerFunc func(hostKeyPEM []byte, addr string) (nbssh.Server, error)
-	sshServer     nbssh.Server
+	sshServer sshServer
 
 	statusRecorder *peer.Status
 
@@ -200,8 +202,10 @@ type Engine struct {
 	flowManager         nftypes.FlowManager
 
 	// WireGuard interface monitor
-	wgIfaceMonitor   *WGIfaceMonitor
-	wgIfaceMonitorWg sync.WaitGroup
+	wgIfaceMonitor *WGIfaceMonitor
+
+	// shutdownWg tracks all long-running goroutines to ensure clean shutdown
+	shutdownWg sync.WaitGroup
 
 	probeStunTurn *relay.StunTurnProbe
 }
@@ -242,7 +246,6 @@ func NewEngine(
 		STUNs:          []*stun.URI{},
 		TURNs:          []*stun.URI{},
 		networkSerial:  0,
-		sshServerFunc:  nbssh.DefaultSSHServer,
 		statusRecorder: statusRecorder,
 		checks:         checks,
 		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
@@ -264,6 +267,7 @@ func NewEngine(
 		path = mobileDep.StateFilePath
 	}
 	engine.stateManager = statemanager.New(path)
+	engine.stateManager.RegisterState(&sshconfig.ShutdownState{})
 
 	log.Infof("I am: %s", config.WgPrivateKey.PublicKey().String())
 	return engine
@@ -288,6 +292,12 @@ func (e *Engine) Stop() error {
 	}
 	log.Info("Network monitor: stopped")
 
+	if err := e.stopSSHServer(); err != nil {
+		log.Warnf("failed to stop SSH server: %v", err)
+	}
+
+	e.cleanupSSHConfig()
+
 	// stop/restore DNS first so dbus and friends don't complain because of a missing interface
 	e.stopDNSServer()
 
@@ -298,17 +308,12 @@ func (e *Engine) Stop() error {
 		e.ingressGatewayMgr = nil
 	}
 
+	e.stopDNSForwarder()
+
 	if e.routeManager != nil {
 		e.routeManager.Stop(e.stateManager)
 	}
 
-	if e.dnsForwardMgr != nil {
-		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
-			log.Errorf("failed to stop DNS forward: %v", err)
-		}
-		e.dnsForwardMgr = nil
-	}
-
 	if e.srWatcher != nil {
 		e.srWatcher.Close()
 	}
@@ -325,10 +330,6 @@ func (e *Engine) Stop() error {
 		e.cancel()
 	}
 
-	// very ugly but we want to remove peers from the WireGuard interface first before removing interface.
-	// Removing peers happens in the conn.Close() asynchronously
-	time.Sleep(500 * time.Millisecond)
-
 	e.close()
 
 	// stop flow manager after wg interface is gone
@@ -336,8 +337,6 @@ func (e *Engine) Stop() error {
 		e.flowManager.Close()
 	}
 
-	log.Infof("stopped Netbird Engine")
-
 	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
 	defer cancel()
 
@@ -348,12 +347,52 @@ func (e *Engine) Stop() error {
 		log.Errorf("failed to persist state: %v", err)
 	}
 
-	// Stop WireGuard interface monitor and wait for it to exit
-	e.wgIfaceMonitorWg.Wait()
+	timeout := e.calculateShutdownTimeout()
+	log.Debugf("waiting for goroutines to finish with timeout: %v", timeout)
+	shutdownCtx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	if err := waitWithContext(shutdownCtx, &e.shutdownWg); err != nil {
+		log.Warnf("shutdown timeout exceeded after %v, some goroutines may still be running", timeout)
+	}
+
+	log.Infof("stopped Netbird Engine")
 
 	return nil
 }
 
+// calculateShutdownTimeout returns shutdown timeout: 10s base + 100ms per peer, capped at 30s.
+func (e *Engine) calculateShutdownTimeout() time.Duration {
+	peerCount := len(e.peerStore.PeersPubKey())
+
+	baseTimeout := 10 * time.Second
+	perPeerTimeout := time.Duration(peerCount) * 100 * time.Millisecond
+	timeout := baseTimeout + perPeerTimeout
+
+	maxTimeout := 30 * time.Second
+	if timeout > maxTimeout {
+		timeout = maxTimeout
+	}
+
+	return timeout
+}
+
+// waitWithContext waits for WaitGroup with timeout, returns ctx.Err() on timeout.
+func waitWithContext(ctx context.Context, wg *sync.WaitGroup) error {
+	done := make(chan struct{})
+	go func() {
+		wg.Wait()
+		close(done)
+	}()
+
+	select {
+	case <-done:
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}
+
 // Start creates a new WireGuard tunnel interface and listens to events from Signal and Management services
 // Connections to remote peers are not established here.
 // However, they will be established once an event with a list of peers to connect to will be received from Management Service
@@ -483,14 +522,14 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 
 	// monitor WireGuard interface lifecycle and restart engine on changes
 	e.wgIfaceMonitor = NewWGIfaceMonitor()
-	e.wgIfaceMonitorWg.Add(1)
+	e.shutdownWg.Add(1)
 
 	go func() {
-		defer e.wgIfaceMonitorWg.Done()
+		defer e.shutdownWg.Done()
 
 		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, e.wgInterface.Name()); shouldRestart {
 			log.Infof("WireGuard interface monitor: %s, restarting engine", err)
-			e.restartEngine()
+			e.triggerClientRestart()
 		} else if err != nil {
 			log.Warnf("WireGuard interface monitor: %s", err)
 		}
@@ -506,7 +545,7 @@ func (e *Engine) createFirewall() error {
 	}
 
 	var err error
-	e.firewall, err = firewall.NewFirewall(e.wgInterface, e.stateManager, e.flowManager.GetLogger(), e.config.DisableServerRoutes)
+	e.firewall, err = firewall.NewFirewall(e.wgInterface, e.stateManager, e.flowManager.GetLogger(), e.config.DisableServerRoutes, e.config.MTU)
 	if err != nil || e.firewall == nil {
 		log.Errorf("failed creating firewall manager: %s", err)
 		return nil
@@ -670,14 +709,10 @@ func (e *Engine) removeAllPeers() error {
 	return nil
 }
 
-// removePeer closes an existing peer connection, removes a peer, and clears authorized key of the SSH server
+// removePeer closes an existing peer connection and removes a peer
 func (e *Engine) removePeer(peerKey string) error {
 	log.Debugf("removing peer from engine %s", peerKey)
 
-	if !isNil(e.sshServer) {
-		e.sshServer.RemoveAuthorizedKey(peerKey)
-	}
-
 	e.connMgr.RemovePeerConn(peerKey)
 
 	err := e.statusRecorder.RemovePeer(peerKey)
@@ -849,6 +884,11 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 		e.config.BlockLANAccess,
 		e.config.BlockInbound,
 		e.config.LazyConnectionEnabled,
+		e.config.EnableSSHRoot,
+		e.config.EnableSSHSFTP,
+		e.config.EnableSSHLocalPortForwarding,
+		e.config.EnableSSHRemotePortForwarding,
+		e.config.DisableSSHAuth,
 	)
 
 	if err := e.mgmClient.SyncMeta(info); err != nil {
@@ -858,65 +898,6 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 	return nil
 }
 
-func isNil(server nbssh.Server) bool {
-	return server == nil || reflect.ValueOf(server).IsNil()
-}
-
-func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
-	if e.config.BlockInbound {
-		log.Infof("SSH server is disabled because inbound connections are blocked")
-		return nil
-	}
-
-	if !e.config.ServerSSHAllowed {
-		log.Info("SSH server is not enabled")
-		return nil
-	}
-
-	if sshConf.GetSshEnabled() {
-		if runtime.GOOS == "windows" {
-			log.Warnf("running SSH server on %s is not supported", runtime.GOOS)
-			return nil
-		}
-		// start SSH server if it wasn't running
-		if isNil(e.sshServer) {
-			listenAddr := fmt.Sprintf("%s:%d", e.wgInterface.Address().IP.String(), nbssh.DefaultSSHPort)
-			if nbnetstack.IsEnabled() {
-				listenAddr = fmt.Sprintf("127.0.0.1:%d", nbssh.DefaultSSHPort)
-			}
-			// nil sshServer means it has not yet been started
-			var err error
-			e.sshServer, err = e.sshServerFunc(e.config.SSHKey, listenAddr)
-
-			if err != nil {
-				return fmt.Errorf("create ssh server: %w", err)
-			}
-			go func() {
-				// blocking
-				err = e.sshServer.Start()
-				if err != nil {
-					// will throw error when we stop it even if it is a graceful stop
-					log.Debugf("stopped SSH server with error %v", err)
-				}
-				e.syncMsgMux.Lock()
-				defer e.syncMsgMux.Unlock()
-				e.sshServer = nil
-				log.Infof("stopped SSH server")
-			}()
-		} else {
-			log.Debugf("SSH server is already running")
-		}
-	} else if !isNil(e.sshServer) {
-		// Disable SSH server request, so stop it if it was running
-		err := e.sshServer.Stop()
-		if err != nil {
-			log.Warnf("failed to stop SSH server %v", err)
-		}
-		e.sshServer = nil
-	}
-	return nil
-}
-
 func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 	if e.wgInterface == nil {
 		return errors.New("wireguard interface is not initialized")
@@ -929,8 +910,7 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 	}
 
 	if conf.GetSshConfig() != nil {
-		err := e.updateSSH(conf.GetSshConfig())
-		if err != nil {
+		if err := e.updateSSH(conf.GetSshConfig()); err != nil {
 			log.Warnf("failed handling SSH server setup: %v", err)
 		}
 	}
@@ -949,7 +929,9 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 // receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
 // E.g. when a new peer has been registered and we are allowed to connect to it.
 func (e *Engine) receiveManagementEvents() {
+	e.shutdownWg.Add(1)
 	go func() {
+		defer e.shutdownWg.Done()
 		info, err := system.GetInfoWithChecks(e.ctx, e.checks)
 		if err != nil {
 			log.Warnf("failed to get system info with checks: %v", err)
@@ -966,6 +948,11 @@ func (e *Engine) receiveManagementEvents() {
 			e.config.BlockLANAccess,
 			e.config.BlockInbound,
 			e.config.LazyConnectionEnabled,
+			e.config.EnableSSHRoot,
+			e.config.EnableSSHSFTP,
+			e.config.EnableSSHLocalPortForwarding,
+			e.config.EnableSSHRemotePortForwarding,
+			e.config.DisableSSHAuth,
 		)
 
 		err = e.mgmClient.Sync(e.ctx, info, e.handleSync)
@@ -1124,16 +1111,10 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 
 		e.statusRecorder.FinishPeerListModifications()
 
-		// update SSHServer by adding remote peer SSH keys
-		if !isNil(e.sshServer) {
-			for _, config := range networkMap.GetRemotePeers() {
-				if config.GetSshConfig() != nil && config.GetSshConfig().GetSshPubKey() != nil {
-					err := e.sshServer.AddAuthorizedKey(config.WgPubKey, string(config.GetSshConfig().GetSshPubKey()))
-					if err != nil {
-						log.Warnf("failed adding authorized key to SSH DefaultServer %v", err)
-					}
-				}
-			}
+		e.updatePeerSSHHostKeys(networkMap.GetRemotePeers())
+
+		if err := e.updateSSHClientConfig(networkMap.GetRemotePeers()); err != nil {
+			log.Warnf("failed to update SSH client config: %v", err)
 		}
 	}
 
@@ -1377,7 +1358,9 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 
 // receiveSignalEvents connects to the Signal Service event stream to negotiate connection with remote peers
 func (e *Engine) receiveSignalEvents() {
+	e.shutdownWg.Add(1)
 	go func() {
+		defer e.shutdownWg.Done()
 		// connect to a stream of messages coming from the signal server
 		err := e.signal.Receive(e.ctx, func(msg *sProto.Message) error {
 			e.syncMsgMux.Lock()
@@ -1494,13 +1477,6 @@ func (e *Engine) close() {
 		e.statusRecorder.SetWgIface(nil)
 	}
 
-	if !isNil(e.sshServer) {
-		err := e.sshServer.Stop()
-		if err != nil {
-			log.Warnf("failed stopping the SSH server: %v", err)
-		}
-	}
-
 	if e.firewall != nil {
 		err := e.firewall.Close(e.stateManager)
 		if err != nil {
@@ -1531,6 +1507,11 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, err
 		e.config.BlockLANAccess,
 		e.config.BlockInbound,
 		e.config.LazyConnectionEnabled,
+		e.config.EnableSSHRoot,
+		e.config.EnableSSHSFTP,
+		e.config.EnableSSHLocalPortForwarding,
+		e.config.EnableSSHRemotePortForwarding,
+		e.config.DisableSSHAuth,
 	)
 
 	netMap, err := e.mgmClient.GetNetworkMap(info)
@@ -1730,8 +1711,10 @@ func (e *Engine) RunHealthProbes(waitForResult bool) bool {
 	return allHealthy
 }
 
-// restartEngine restarts the engine by cancelling the client context
-func (e *Engine) restartEngine() {
+// triggerClientRestart triggers a full client restart by cancelling the client context.
+// Note: This does NOT just restart the engine - it cancels the entire client context,
+// which causes the connect client's retry loop to create a completely new engine.
+func (e *Engine) triggerClientRestart() {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 
@@ -1753,7 +1736,9 @@ func (e *Engine) startNetworkMonitor() {
 	}
 
 	e.networkMonitor = networkmonitor.New()
+	e.shutdownWg.Add(1)
 	go func() {
+		defer e.shutdownWg.Done()
 		if err := e.networkMonitor.Listen(e.ctx); err != nil {
 			if errors.Is(err, context.Canceled) {
 				log.Infof("network monitor stopped")
@@ -1763,8 +1748,8 @@ func (e *Engine) startNetworkMonitor() {
 			return
 		}
 
-		log.Infof("Network monitor: detected network change, restarting engine")
-		e.restartEngine()
+		log.Infof("Network monitor: detected network change, triggering client restart")
+		e.triggerClientRestart()
 	}()
 }
 
@@ -1855,38 +1840,46 @@ func (e *Engine) updateDNSForwarder(
 	}
 
 	if !enabled {
-		if e.dnsForwardMgr == nil {
-			return
-		}
-		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
-			log.Errorf("failed to stop DNS forward: %v", err)
-		}
+		e.stopDNSForwarder()
 		return
 	}
 
 	if len(fwdEntries) > 0 {
 		if e.dnsForwardMgr == nil {
-			localAddr := e.wgInterface.Address().IP
-			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, localAddr)
-
-			if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
-				log.Errorf("failed to start DNS forward: %v", err)
-				e.dnsForwardMgr = nil
-			}
-
-			log.Infof("started domain router service with %d entries", len(fwdEntries))
+			e.startDNSForwarder(fwdEntries)
 		} else {
 			e.dnsForwardMgr.UpdateDomains(fwdEntries)
 		}
 	} else if e.dnsForwardMgr != nil {
 		log.Infof("disable domain router service")
-		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
-			log.Errorf("failed to stop DNS forward: %v", err)
-		}
-		e.dnsForwardMgr = nil
+		e.stopDNSForwarder()
 	}
 }
 
+func (e *Engine) startDNSForwarder(fwdEntries []*dnsfwd.ForwarderEntry) {
+	e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, e.wgInterface)
+
+	if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
+		log.Errorf("failed to start DNS forward: %v", err)
+		e.dnsForwardMgr = nil
+		return
+	}
+
+	log.Infof("started domain router service with %d entries", len(fwdEntries))
+}
+
+func (e *Engine) stopDNSForwarder() {
+	if e.dnsForwardMgr == nil {
+		return
+	}
+
+	if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
+		log.Errorf("failed to stop DNS forward: %v", err)
+	}
+
+	e.dnsForwardMgr = nil
+}
+
 func (e *Engine) GetNet() (*netstack.Net, error) {
 	e.syncMsgMux.Lock()
 	intf := e.wgInterface

client/internal/engine_ssh.go

@@ -0,0 +1,355 @@
+package internal
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
+	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
+	sshconfig "github.com/netbirdio/netbird/client/ssh/config"
+	sshserver "github.com/netbirdio/netbird/client/ssh/server"
+	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+)
+
+type sshServer interface {
+	Start(ctx context.Context, addr netip.AddrPort) error
+	Stop() error
+	GetStatus() (bool, []sshserver.SessionInfo)
+}
+
+func (e *Engine) setupSSHPortRedirection() error {
+	if e.firewall == nil || e.wgInterface == nil {
+		return nil
+	}
+
+	localAddr := e.wgInterface.Address().IP
+	if !localAddr.IsValid() {
+		return errors.New("invalid local NetBird address")
+	}
+
+	if err := e.firewall.AddInboundDNAT(localAddr, firewallManager.ProtocolTCP, 22, 22022); err != nil {
+		return fmt.Errorf("add SSH port redirection: %w", err)
+	}
+	log.Infof("SSH port redirection enabled: %s:22 -> %s:22022", localAddr, localAddr)
+
+	return nil
+}
+
+func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
+	if e.config.BlockInbound {
+		log.Info("SSH server is disabled because inbound connections are blocked")
+		return e.stopSSHServer()
+	}
+
+	if !e.config.ServerSSHAllowed {
+		log.Info("SSH server is disabled in config")
+		return e.stopSSHServer()
+	}
+
+	if !sshConf.GetSshEnabled() {
+		if e.config.ServerSSHAllowed {
+			log.Info("SSH server is locally allowed but disabled by management server")
+		}
+		return e.stopSSHServer()
+	}
+
+	if e.sshServer != nil {
+		log.Debug("SSH server is already running")
+		return nil
+	}
+
+	if e.config.DisableSSHAuth != nil && *e.config.DisableSSHAuth {
+		log.Info("starting SSH server without JWT authentication (authentication disabled by config)")
+		return e.startSSHServer(nil)
+	}
+
+	if protoJWT := sshConf.GetJwtConfig(); protoJWT != nil {
+		jwtConfig := &sshserver.JWTConfig{
+			Issuer:       protoJWT.GetIssuer(),
+			Audience:     protoJWT.GetAudience(),
+			KeysLocation: protoJWT.GetKeysLocation(),
+			MaxTokenAge:  protoJWT.GetMaxTokenAge(),
+		}
+
+		return e.startSSHServer(jwtConfig)
+	}
+
+	return errors.New("SSH server requires valid JWT configuration")
+}
+
+// updateSSHClientConfig updates the SSH client configuration with peer information
+func (e *Engine) updateSSHClientConfig(remotePeers []*mgmProto.RemotePeerConfig) error {
+	peerInfo := e.extractPeerSSHInfo(remotePeers)
+	if len(peerInfo) == 0 {
+		log.Debug("no SSH-enabled peers found, skipping SSH config update")
+		return nil
+	}
+
+	configMgr := sshconfig.New()
+	if err := configMgr.SetupSSHClientConfig(peerInfo); err != nil {
+		log.Warnf("failed to update SSH client config: %v", err)
+		return nil // Don't fail engine startup on SSH config issues
+	}
+
+	log.Debugf("updated SSH client config with %d peers", len(peerInfo))
+
+	if err := e.stateManager.UpdateState(&sshconfig.ShutdownState{
+		SSHConfigDir:  configMgr.GetSSHConfigDir(),
+		SSHConfigFile: configMgr.GetSSHConfigFile(),
+	}); err != nil {
+		log.Warnf("failed to update SSH config state: %v", err)
+	}
+
+	return nil
+}
+
+// extractPeerSSHInfo extracts SSH information from peer configurations
+func (e *Engine) extractPeerSSHInfo(remotePeers []*mgmProto.RemotePeerConfig) []sshconfig.PeerSSHInfo {
+	var peerInfo []sshconfig.PeerSSHInfo
+
+	for _, peerConfig := range remotePeers {
+		if peerConfig.GetSshConfig() == nil {
+			continue
+		}
+
+		sshPubKeyBytes := peerConfig.GetSshConfig().GetSshPubKey()
+		if len(sshPubKeyBytes) == 0 {
+			continue
+		}
+
+		peerIP := e.extractPeerIP(peerConfig)
+		hostname := e.extractHostname(peerConfig)
+
+		peerInfo = append(peerInfo, sshconfig.PeerSSHInfo{
+			Hostname: hostname,
+			IP:       peerIP,
+			FQDN:     peerConfig.GetFqdn(),
+		})
+	}
+
+	return peerInfo
+}
+
+// extractPeerIP extracts IP address from peer's allowed IPs
+func (e *Engine) extractPeerIP(peerConfig *mgmProto.RemotePeerConfig) string {
+	if len(peerConfig.GetAllowedIps()) == 0 {
+		return ""
+	}
+
+	if prefix, err := netip.ParsePrefix(peerConfig.GetAllowedIps()[0]); err == nil {
+		return prefix.Addr().String()
+	}
+	return ""
+}
+
+// extractHostname extracts short hostname from FQDN
+func (e *Engine) extractHostname(peerConfig *mgmProto.RemotePeerConfig) string {
+	fqdn := peerConfig.GetFqdn()
+	if fqdn == "" {
+		return ""
+	}
+
+	parts := strings.Split(fqdn, ".")
+	if len(parts) > 0 && parts[0] != "" {
+		return parts[0]
+	}
+	return ""
+}
+
+// updatePeerSSHHostKeys updates peer SSH host keys in the status recorder for daemon API access
+func (e *Engine) updatePeerSSHHostKeys(remotePeers []*mgmProto.RemotePeerConfig) {
+	for _, peerConfig := range remotePeers {
+		if peerConfig.GetSshConfig() == nil {
+			continue
+		}
+
+		sshPubKeyBytes := peerConfig.GetSshConfig().GetSshPubKey()
+		if len(sshPubKeyBytes) == 0 {
+			continue
+		}
+
+		if err := e.statusRecorder.UpdatePeerSSHHostKey(peerConfig.GetWgPubKey(), sshPubKeyBytes); err != nil {
+			log.Warnf("failed to update SSH host key for peer %s: %v", peerConfig.GetWgPubKey(), err)
+		}
+	}
+
+	log.Debugf("updated peer SSH host keys for daemon API access")
+}
+
+// GetPeerSSHKey returns the SSH host key for a specific peer by IP or FQDN
+func (e *Engine) GetPeerSSHKey(peerAddress string) ([]byte, bool) {
+	e.syncMsgMux.Lock()
+	statusRecorder := e.statusRecorder
+	e.syncMsgMux.Unlock()
+
+	if statusRecorder == nil {
+		return nil, false
+	}
+
+	fullStatus := statusRecorder.GetFullStatus()
+	for _, peerState := range fullStatus.Peers {
+		if peerState.IP == peerAddress || peerState.FQDN == peerAddress {
+			if len(peerState.SSHHostKey) > 0 {
+				return peerState.SSHHostKey, true
+			}
+			return nil, false
+		}
+	}
+
+	return nil, false
+}
+
+// cleanupSSHConfig removes NetBird SSH client configuration on shutdown
+func (e *Engine) cleanupSSHConfig() {
+	configMgr := sshconfig.New()
+
+	if err := configMgr.RemoveSSHClientConfig(); err != nil {
+		log.Warnf("failed to remove SSH client config: %v", err)
+	} else {
+		log.Debugf("SSH client config cleanup completed")
+	}
+}
+
+// startSSHServer initializes and starts the SSH server with proper configuration.
+func (e *Engine) startSSHServer(jwtConfig *sshserver.JWTConfig) error {
+	if e.wgInterface == nil {
+		return errors.New("wg interface not initialized")
+	}
+
+	serverConfig := &sshserver.Config{
+		HostKeyPEM: e.config.SSHKey,
+		JWT:        jwtConfig,
+	}
+	server := sshserver.New(serverConfig)
+
+	wgAddr := e.wgInterface.Address()
+	server.SetNetworkValidation(wgAddr)
+
+	netbirdIP := wgAddr.IP
+	listenAddr := netip.AddrPortFrom(netbirdIP, sshserver.InternalSSHPort)
+
+	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
+		server.SetNetstackNet(netstackNet)
+	}
+
+	e.configureSSHServer(server)
+
+	if err := server.Start(e.ctx, listenAddr); err != nil {
+		return fmt.Errorf("start SSH server: %w", err)
+	}
+
+	e.sshServer = server
+
+	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
+		if registrar, ok := e.firewall.(interface {
+			RegisterNetstackService(protocol nftypes.Protocol, port uint16)
+		}); ok {
+			registrar.RegisterNetstackService(nftypes.TCP, sshserver.InternalSSHPort)
+			log.Debugf("registered SSH service with netstack for TCP:%d", sshserver.InternalSSHPort)
+		}
+	}
+
+	if err := e.setupSSHPortRedirection(); err != nil {
+		log.Warnf("failed to setup SSH port redirection: %v", err)
+	}
+
+	return nil
+}
+
+// configureSSHServer applies SSH configuration options to the server.
+func (e *Engine) configureSSHServer(server *sshserver.Server) {
+	if e.config.EnableSSHRoot != nil && *e.config.EnableSSHRoot {
+		server.SetAllowRootLogin(true)
+		log.Info("SSH root login enabled")
+	} else {
+		server.SetAllowRootLogin(false)
+		log.Info("SSH root login disabled (default)")
+	}
+
+	if e.config.EnableSSHSFTP != nil && *e.config.EnableSSHSFTP {
+		server.SetAllowSFTP(true)
+		log.Info("SSH SFTP subsystem enabled")
+	} else {
+		server.SetAllowSFTP(false)
+		log.Info("SSH SFTP subsystem disabled (default)")
+	}
+
+	if e.config.EnableSSHLocalPortForwarding != nil && *e.config.EnableSSHLocalPortForwarding {
+		server.SetAllowLocalPortForwarding(true)
+		log.Info("SSH local port forwarding enabled")
+	} else {
+		server.SetAllowLocalPortForwarding(false)
+		log.Info("SSH local port forwarding disabled (default)")
+	}
+
+	if e.config.EnableSSHRemotePortForwarding != nil && *e.config.EnableSSHRemotePortForwarding {
+		server.SetAllowRemotePortForwarding(true)
+		log.Info("SSH remote port forwarding enabled")
+	} else {
+		server.SetAllowRemotePortForwarding(false)
+		log.Info("SSH remote port forwarding disabled (default)")
+	}
+}
+
+func (e *Engine) cleanupSSHPortRedirection() error {
+	if e.firewall == nil || e.wgInterface == nil {
+		return nil
+	}
+
+	localAddr := e.wgInterface.Address().IP
+	if !localAddr.IsValid() {
+		return errors.New("invalid local NetBird address")
+	}
+
+	if err := e.firewall.RemoveInboundDNAT(localAddr, firewallManager.ProtocolTCP, 22, 22022); err != nil {
+		return fmt.Errorf("remove SSH port redirection: %w", err)
+	}
+	log.Debugf("SSH port redirection removed: %s:22 -> %s:22022", localAddr, localAddr)
+
+	return nil
+}
+
+func (e *Engine) stopSSHServer() error {
+	if e.sshServer == nil {
+		return nil
+	}
+
+	if err := e.cleanupSSHPortRedirection(); err != nil {
+		log.Warnf("failed to cleanup SSH port redirection: %v", err)
+	}
+
+	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
+		if registrar, ok := e.firewall.(interface {
+			UnregisterNetstackService(protocol nftypes.Protocol, port uint16)
+		}); ok {
+			registrar.UnregisterNetstackService(nftypes.TCP, sshserver.InternalSSHPort)
+			log.Debugf("unregistered SSH service from netstack for TCP:%d", sshserver.InternalSSHPort)
+		}
+	}
+
+	log.Info("stopping SSH server")
+	err := e.sshServer.Stop()
+	e.sshServer = nil
+	if err != nil {
+		return fmt.Errorf("stop: %w", err)
+	}
+	return nil
+}
+
+// GetSSHServerStatus returns the SSH server status and active sessions
+func (e *Engine) GetSSHServerStatus() (enabled bool, sessions []sshserver.SessionInfo) {
+	e.syncMsgMux.Lock()
+	sshServer := e.sshServer
+	e.syncMsgMux.Unlock()
+
+	if sshServer == nil {
+		return false, nil
+	}
+
+	return sshServer.GetStatus()
+}

client/internal/engine_stdnet.go

@@ -7,5 +7,5 @@ import (
 )
 
 func (e *Engine) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNet(e.config.IFaceBlackList)
+	return stdnet.NewNet(e.clientCtx, e.config.IFaceBlackList)
 }

client/internal/engine_stdnet_android.go

@@ -3,5 +3,5 @@ package internal
 import "github.com/netbirdio/netbird/client/internal/stdnet"
 
 func (e *Engine) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNetWithDiscover(e.mobileDep.IFaceDiscover, e.config.IFaceBlackList)
+	return stdnet.NewNetWithDiscover(e.clientCtx, e.mobileDep.IFaceDiscover, e.config.IFaceBlackList)
 }

client/internal/engine_test.go

@@ -14,7 +14,6 @@ import (
 
 	"github.com/golang/mock/gomock"
 	"github.com/google/uuid"
-	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -25,8 +24,14 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/keepalive"
 
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+
 	"github.com/netbirdio/management-integrations/integrations"
 
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
+	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
@@ -43,7 +48,7 @@ import (
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
-	"github.com/netbirdio/netbird/client/ssh"
+	nbssh "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server"
@@ -211,11 +216,13 @@ func TestMain(m *testing.M) {
 }
 
 func TestEngine_SSH(t *testing.T) {
-	if runtime.GOOS == "windows" {
-		t.Skip("skipping TestEngine_SSH")
+	key, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		t.Fatal(err)
+		return
 	}
 
-	key, err := wgtypes.GeneratePrivateKey()
+	sshKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519)
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -237,6 +244,7 @@ func TestEngine_SSH(t *testing.T) {
 			WgPort:           33100,
 			ServerSSHAllowed: true,
 			MTU:              iface.DefaultMTU,
+			SSHKey:           sshKey,
 		},
 		MobileDependency{},
 		peer.NewRecorder("https://mgm"),
@@ -247,35 +255,8 @@ func TestEngine_SSH(t *testing.T) {
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
 	}
 
-	var sshKeysAdded []string
-	var sshPeersRemoved []string
-
-	sshCtx, cancel := context.WithCancel(context.Background())
-
-	engine.sshServerFunc = func(hostKeyPEM []byte, addr string) (ssh.Server, error) {
-		return &ssh.MockServer{
-			Ctx: sshCtx,
-			StopFunc: func() error {
-				cancel()
-				return nil
-			},
-			StartFunc: func() error {
-				<-ctx.Done()
-				return ctx.Err()
-			},
-			AddAuthorizedKeyFunc: func(peer, newKey string) error {
-				sshKeysAdded = append(sshKeysAdded, newKey)
-				return nil
-			},
-			RemoveAuthorizedKeyFunc: func(peer string) {
-				sshPeersRemoved = append(sshPeersRemoved, peer)
-			},
-		}, nil
-	}
 	err = engine.Start(nil, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	defer func() {
 		err := engine.Stop()
@@ -301,9 +282,7 @@ func TestEngine_SSH(t *testing.T) {
 	}
 
 	err = engine.updateNetworkMap(networkMap)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	assert.Nil(t, engine.sshServer)
 
@@ -311,19 +290,24 @@ func TestEngine_SSH(t *testing.T) {
 	networkMap = &mgmtProto.NetworkMap{
 		Serial: 7,
 		PeerConfig: &mgmtProto.PeerConfig{Address: "100.64.0.1/24",
-			SshConfig: &mgmtProto.SSHConfig{SshEnabled: true}},
+			SshConfig: &mgmtProto.SSHConfig{
+				SshEnabled: true,
+				JwtConfig: &mgmtProto.JWTConfig{
+					Issuer:       "test-issuer",
+					Audience:     "test-audience",
+					KeysLocation: "test-keys",
+					MaxTokenAge:  3600,
+				},
+			}},
 		RemotePeers:        []*mgmtProto.RemotePeerConfig{peerWithSSH},
 		RemotePeersIsEmpty: false,
 	}
 
 	err = engine.updateNetworkMap(networkMap)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	time.Sleep(250 * time.Millisecond)
 	assert.NotNil(t, engine.sshServer)
-	assert.Contains(t, sshKeysAdded, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFATYCqaQw/9id1Qkq3n16JYhDhXraI6Pc1fgB8ynEfQ")
 
 	// now remove peer
 	networkMap = &mgmtProto.NetworkMap{
@@ -333,13 +317,10 @@ func TestEngine_SSH(t *testing.T) {
 	}
 
 	err = engine.updateNetworkMap(networkMap)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	// time.Sleep(250 * time.Millisecond)
 	assert.NotNil(t, engine.sshServer)
-	assert.Contains(t, sshPeersRemoved, "MNHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=")
 
 	// now disable SSH server
 	networkMap = &mgmtProto.NetworkMap{
@@ -351,12 +332,70 @@ func TestEngine_SSH(t *testing.T) {
 	}
 
 	err = engine.updateNetworkMap(networkMap)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	assert.Nil(t, engine.sshServer)
+}
 
+func TestEngine_SSHUpdateLogic(t *testing.T) {
+	// Test that SSH server start/stop logic works based on config
+	engine := &Engine{
+		config: &EngineConfig{
+			ServerSSHAllowed: false, // Start with SSH disabled
+		},
+		syncMsgMux: &sync.Mutex{},
+	}
+
+	// Test SSH disabled config
+	sshConfig := &mgmtProto.SSHConfig{SshEnabled: false}
+	err := engine.updateSSH(sshConfig)
+	assert.NoError(t, err)
+	assert.Nil(t, engine.sshServer)
+
+	// Test inbound blocked
+	engine.config.BlockInbound = true
+	err = engine.updateSSH(&mgmtProto.SSHConfig{SshEnabled: true})
+	assert.NoError(t, err)
+	assert.Nil(t, engine.sshServer)
+	engine.config.BlockInbound = false
+
+	// Test with server SSH not allowed
+	err = engine.updateSSH(&mgmtProto.SSHConfig{SshEnabled: true})
+	assert.NoError(t, err)
+	assert.Nil(t, engine.sshServer)
+}
+
+func TestEngine_SSHServerConsistency(t *testing.T) {
+
+	t.Run("server set only on successful creation", func(t *testing.T) {
+		engine := &Engine{
+			config: &EngineConfig{
+				ServerSSHAllowed: true,
+				SSHKey:           []byte("test-key"),
+			},
+			syncMsgMux: &sync.Mutex{},
+		}
+
+		engine.wgInterface = nil
+
+		err := engine.updateSSH(&mgmtProto.SSHConfig{SshEnabled: true})
+
+		assert.Error(t, err)
+		assert.Nil(t, engine.sshServer)
+	})
+
+	t.Run("cleanup handles nil gracefully", func(t *testing.T) {
+		engine := &Engine{
+			config: &EngineConfig{
+				ServerSSHAllowed: false,
+			},
+			syncMsgMux: &sync.Mutex{},
+		}
+
+		err := engine.stopSSHServer()
+		assert.NoError(t, err)
+		assert.Nil(t, engine.sshServer)
+	})
 }
 
 func TestEngine_UpdateNetworkMap(t *testing.T) {
@@ -771,7 +810,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				MTU:          iface.DefaultMTU,
 			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 			engine.ctx = ctx
-			newNet, err := stdnet.NewNet()
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -974,7 +1013,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 			engine.ctx = ctx
 
-			newNet, err := stdnet.NewNet()
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -1556,7 +1595,6 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	}
 	t.Cleanup(cleanUp)
 
-	peersUpdateManager := server.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, "", err
@@ -1584,13 +1622,16 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 
 	groupsManager := groups.NewManagerMock()
 
-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	updateManager := update_channel.NewPeersUpdateManager(metrics)
+	requestBuffer := server.NewAccountRequestBuffer(context.Background(), store)
+	networkMapController := controller.NewController(context.Background(), store, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock())
+	accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, "", err
 	}
 
-	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &server.MockIntegratedValidator{})
+	secretsManager := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, updateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &server.MockIntegratedValidator{}, networkMapController)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/login.go

@@ -124,6 +124,11 @@ func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte
 		config.BlockLANAccess,
 		config.BlockInbound,
 		config.LazyConnectionEnabled,
+		config.EnableSSHRoot,
+		config.EnableSSHSFTP,
+		config.EnableSSHLocalPortForwarding,
+		config.EnableSSHRemotePortForwarding,
+		config.DisableSSHAuth,
 	)
 	loginResp, err := mgmClient.Login(*serverKey, sysInfo, pubSSHKey, config.DNSLabels)
 	return serverKey, loginResp, err
@@ -150,6 +155,11 @@ func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.
 		config.BlockLANAccess,
 		config.BlockInbound,
 		config.LazyConnectionEnabled,
+		config.EnableSSHRoot,
+		config.EnableSSHSFTP,
+		config.EnableSSHLocalPortForwarding,
+		config.EnableSSHRemotePortForwarding,
+		config.DisableSSHAuth,
 	)
 	loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), jwtToken, info, pubSSHKey, config.DNSLabels)
 	if err != nil {

client/internal/netflow/manager.go

@@ -24,6 +24,7 @@ import (
 // Manager handles netflow tracking and logging
 type Manager struct {
 	mux            sync.Mutex
+	shutdownWg     sync.WaitGroup
 	logger         nftypes.FlowLogger
 	flowConfig     *nftypes.FlowConfig
 	conntrack      nftypes.ConnTracker
@@ -105,8 +106,15 @@ func (m *Manager) resetClient() error {
 	ctx, cancel := context.WithCancel(context.Background())
 	m.cancel = cancel
 
-	go m.receiveACKs(ctx, flowClient)
-	go m.startSender(ctx)
+	m.shutdownWg.Add(2)
+	go func() {
+		defer m.shutdownWg.Done()
+		m.receiveACKs(ctx, flowClient)
+	}()
+	go func() {
+		defer m.shutdownWg.Done()
+		m.startSender(ctx)
+	}()
 
 	return nil
 }
@@ -176,11 +184,12 @@ func (m *Manager) Update(update *nftypes.FlowConfig) error {
 // Close cleans up all resources
 func (m *Manager) Close() {
 	m.mux.Lock()
-	defer m.mux.Unlock()
-
 	if err := m.disableFlow(); err != nil {
 		log.Warnf("failed to disable flow manager: %v", err)
 	}
+	m.mux.Unlock()
+
+	m.shutdownWg.Wait()
 }
 
 // GetLogger returns the flow logger

client/internal/networkmonitor/check_change_bsd.go

@@ -1,4 +1,4 @@
-//go:build (darwin && !ios) || dragonfly || freebsd || netbsd || openbsd
+//go:build dragonfly || freebsd || netbsd || openbsd
 
 package networkmonitor
 
@@ -6,21 +6,19 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"syscall"
-	"unsafe"
 
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/net/route"
 	"golang.org/x/sys/unix"
 
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )
 
 func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) error {
-	fd, err := unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
+	fd, err := prepareFd()
 	if err != nil {
 		return fmt.Errorf("open routing socket: %v", err)
 	}
+
 	defer func() {
 		err := unix.Close(fd)
 		if err != nil && !errors.Is(err, unix.EBADF) {
@@ -28,72 +26,5 @@ func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) er
 		}
 	}()
 
-	for {
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		default:
-			buf := make([]byte, 2048)
-			n, err := unix.Read(fd, buf)
-			if err != nil {
-				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
-					log.Warnf("Network monitor: failed to read from routing socket: %v", err)
-				}
-				continue
-			}
-			if n < unix.SizeofRtMsghdr {
-				log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
-				continue
-			}
-
-			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
-
-			switch msg.Type {
-			// handle route changes
-			case unix.RTM_ADD, syscall.RTM_DELETE:
-				route, err := parseRouteMessage(buf[:n])
-				if err != nil {
-					log.Debugf("Network monitor: error parsing routing message: %v", err)
-					continue
-				}
-
-				if route.Dst.Bits() != 0 {
-					continue
-				}
-
-				intf := "<nil>"
-				if route.Interface != nil {
-					intf = route.Interface.Name
-				}
-				switch msg.Type {
-				case unix.RTM_ADD:
-					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
-					return nil
-				case unix.RTM_DELETE:
-					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
-						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
-						return nil
-					}
-				}
-			}
-		}
-	}
-}
-
-func parseRouteMessage(buf []byte) (*systemops.Route, error) {
-	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
-	if err != nil {
-		return nil, fmt.Errorf("parse RIB: %v", err)
-	}
-
-	if len(msgs) != 1 {
-		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
-	}
-
-	msg, ok := msgs[0].(*route.RouteMessage)
-	if !ok {
-		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
-	}
-
-	return systemops.MsgToRoute(msg)
+	return routeCheck(ctx, fd, nexthopv4, nexthopv6)
 }

client/internal/networkmonitor/check_change_common.go

@@ -0,0 +1,92 @@
+//go:build dragonfly || freebsd || netbsd || openbsd || darwin
+
+package networkmonitor
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"syscall"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/net/route"
+	"golang.org/x/sys/unix"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
+)
+
+func prepareFd() (int, error) {
+	return unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
+}
+
+func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Nexthop) error {
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			buf := make([]byte, 2048)
+			n, err := unix.Read(fd, buf)
+			if err != nil {
+				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
+					log.Warnf("Network monitor: failed to read from routing socket: %v", err)
+				}
+				continue
+			}
+			if n < unix.SizeofRtMsghdr {
+				log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
+				continue
+			}
+
+			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
+
+			switch msg.Type {
+			// handle route changes
+			case unix.RTM_ADD, syscall.RTM_DELETE:
+				route, err := parseRouteMessage(buf[:n])
+				if err != nil {
+					log.Debugf("Network monitor: error parsing routing message: %v", err)
+					continue
+				}
+
+				if route.Dst.Bits() != 0 {
+					continue
+				}
+
+				intf := "<nil>"
+				if route.Interface != nil {
+					intf = route.Interface.Name
+				}
+				switch msg.Type {
+				case unix.RTM_ADD:
+					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
+					return nil
+				case unix.RTM_DELETE:
+					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
+						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
+						return nil
+					}
+				}
+			}
+		}
+	}
+}
+
+func parseRouteMessage(buf []byte) (*systemops.Route, error) {
+	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
+	if err != nil {
+		return nil, fmt.Errorf("parse RIB: %v", err)
+	}
+
+	if len(msgs) != 1 {
+		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
+	}
+
+	msg, ok := msgs[0].(*route.RouteMessage)
+	if !ok {
+		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
+	}
+
+	return systemops.MsgToRoute(msg)
+}

client/internal/networkmonitor/check_change_darwin.go

@@ -0,0 +1,149 @@
+//go:build darwin && !ios
+
+package networkmonitor
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"hash/fnv"
+	"os/exec"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
+)
+
+// todo: refactor to not use static functions
+
+func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) error {
+	fd, err := prepareFd()
+	if err != nil {
+		return fmt.Errorf("open routing socket: %v", err)
+	}
+
+	defer func() {
+		if err := unix.Close(fd); err != nil {
+			if !errors.Is(err, unix.EBADF) {
+				log.Warnf("Network monitor: failed to close routing socket: %v", err)
+			}
+		}
+	}()
+
+	routeChanged := make(chan struct{})
+	go func() {
+		_ = routeCheck(ctx, fd, nexthopv4, nexthopv6)
+		close(routeChanged)
+	}()
+
+	wakeUp := make(chan struct{})
+	go func() {
+		wakeUpListen(ctx)
+		close(wakeUp)
+	}()
+
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case <-routeChanged:
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+		log.Infof("route change detected")
+		return nil
+	case <-wakeUp:
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+		log.Infof("wakeup detected")
+		return nil
+	}
+}
+
+func wakeUpListen(ctx context.Context) {
+	log.Infof("start to watch for system wakeups")
+	var (
+		initialHash uint32
+		err         error
+	)
+
+	// Keep retrying until initial sysctl succeeds or context is canceled
+	for {
+		select {
+		case <-ctx.Done():
+			log.Info("exit from wakeUpListen initial hash detection due to context cancellation")
+			return
+		default:
+			initialHash, err = readSleepTimeHash()
+			if err != nil {
+				log.Errorf("failed to detect initial sleep time: %v", err)
+				select {
+				case <-ctx.Done():
+					log.Info("exit from wakeUpListen initial hash detection due to context cancellation")
+					return
+				case <-time.After(3 * time.Second):
+					continue
+				}
+			}
+			log.Debugf("initial wakeup hash: %d", initialHash)
+			break
+		}
+		break
+	}
+
+	ticker := time.NewTicker(5 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Info("context canceled, stopping wakeUpListen")
+			return
+
+		case <-ticker.C:
+			newHash, err := readSleepTimeHash()
+			if err != nil {
+				log.Errorf("failed to read sleep time hash: %v", err)
+				continue
+			}
+
+			if newHash == initialHash {
+				log.Tracef("no wakeup detected")
+				continue
+			}
+
+			upOut, err := exec.Command("uptime").Output()
+			if err != nil {
+				log.Errorf("failed to run uptime command: %v", err)
+				upOut = []byte("unknown")
+			}
+			log.Infof("Wakeup detected: %d -> %d, uptime: %s", initialHash, newHash, upOut)
+			return
+		}
+	}
+}
+
+func readSleepTimeHash() (uint32, error) {
+	cmd := exec.Command("sysctl", "kern.sleeptime")
+	out, err := cmd.Output()
+	if err != nil {
+		return 0, fmt.Errorf("failed to run sysctl: %w", err)
+	}
+
+	h, err := hash(out)
+	if err != nil {
+		return 0, fmt.Errorf("failed to compute hash: %w", err)
+	}
+
+	return h, nil
+}
+
+func hash(data []byte) (uint32, error) {
+	hasher := fnv.New32a() // Create a new 32-bit FNV-1a hasher
+	if _, err := hasher.Write(data); err != nil {
+		return 0, err
+	}
+	return hasher.Sum32(), nil
+}

client/internal/networkmonitor/monitor.go

@@ -88,6 +88,7 @@ func (nw *NetworkMonitor) Listen(ctx context.Context) (err error) {
 	event := make(chan struct{}, 1)
 	go nw.checkChanges(ctx, event, nexthop4, nexthop6)
 
+	log.Infof("start watching for network changes")
 	// debounce changes
 	timer := time.NewTimer(0)
 	timer.Stop()

client/internal/peer/conn.go

@@ -666,7 +666,7 @@ func (conn *Conn) isConnectedOnAllWay() (connected bool) {
 		}
 	}()
 
-	if conn.statusICE.Get() == worker.StatusDisconnected && !conn.workerICE.InProgress() {
+	if runtime.GOOS != "js" && conn.statusICE.Get() == worker.StatusDisconnected && !conn.workerICE.InProgress() {
 		return false
 	}
 

client/internal/peer/env.go

@@ -2,6 +2,7 @@ package peer
 
 import (
 	"os"
+	"runtime"
 	"strings"
 )
 
@@ -10,5 +11,8 @@ const (
 )
 
 func isForceRelayed() bool {
+	if runtime.GOOS == "js" {
+		return true
+	}
 	return strings.EqualFold(os.Getenv(EnvKeyNBForceRelay), "true")
 }

client/internal/peer/guard/ice_monitor.go

@@ -78,7 +78,7 @@ func (cm *ICEMonitor) Start(ctx context.Context, onChanged func()) {
 func (cm *ICEMonitor) handleCandidateTick(ctx context.Context, ufrag string, pwd string) (bool, error) {
 	log.Debugf("Gathering ICE candidates")
 
-	agent, err := icemaker.NewAgent(cm.iFaceDiscover, cm.iceConfig, candidateTypesP2P(), ufrag, pwd)
+	agent, err := icemaker.NewAgent(ctx, cm.iFaceDiscover, cm.iceConfig, candidateTypesP2P(), ufrag, pwd)
 	if err != nil {
 		return false, fmt.Errorf("create ICE agent: %w", err)
 	}

client/internal/peer/guard/sr_watcher.go

@@ -19,11 +19,10 @@ type SRWatcher struct {
 	signalClient chNotifier
 	relayManager chNotifier
 
-	listeners     map[chan struct{}]struct{}
-	mu            sync.Mutex
-	iFaceDiscover stdnet.ExternalIFaceDiscover
-	iceConfig     ice.Config
-
+	listeners        map[chan struct{}]struct{}
+	mu               sync.Mutex
+	iFaceDiscover    stdnet.ExternalIFaceDiscover
+	iceConfig        ice.Config
 	cancelIceMonitor context.CancelFunc
 }
 

client/internal/peer/ice/agent.go

@@ -1,6 +1,7 @@
 package ice
 
 import (
+	"context"
 	"sync"
 	"time"
 
@@ -22,6 +23,8 @@ const (
 	iceFailedTimeoutDefault       = 6 * time.Second
 	// iceRelayAcceptanceMinWaitDefault is the same as in the Pion ICE package
 	iceRelayAcceptanceMinWaitDefault = 2 * time.Second
+	// iceAgentCloseTimeout is the maximum time to wait for ICE agent close to complete
+	iceAgentCloseTimeout = 3 * time.Second
 )
 
 type ThreadSafeAgent struct {
@@ -32,18 +35,28 @@ type ThreadSafeAgent struct {
 func (a *ThreadSafeAgent) Close() error {
 	var err error
 	a.once.Do(func() {
-		err = a.Agent.Close()
+		done := make(chan error, 1)
+		go func() {
+			done <- a.Agent.Close()
+		}()
+
+		select {
+		case err = <-done:
+		case <-time.After(iceAgentCloseTimeout):
+			log.Warnf("ICE agent close timed out after %v, proceeding with cleanup", iceAgentCloseTimeout)
+			err = nil
+		}
 	})
 	return err
 }
 
-func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
+func NewAgent(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
 	iceFailedTimeout := iceFailedTimeout()
 	iceRelayAcceptanceMinWait := iceRelayAcceptanceMinWait()
 
-	transportNet, err := newStdNet(iFaceDiscover, config.InterfaceBlackList)
+	transportNet, err := newStdNet(ctx, iFaceDiscover, config.InterfaceBlackList)
 	if err != nil {
 		log.Errorf("failed to create pion's stdnet: %s", err)
 	}

client/internal/peer/ice/stdnet.go

@@ -3,9 +3,11 @@
 package ice
 
 import (
+	"context"
+
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 )
 
-func newStdNet(_ stdnet.ExternalIFaceDiscover, ifaceBlacklist []string) (*stdnet.Net, error) {
-	return stdnet.NewNet(ifaceBlacklist)
+func newStdNet(ctx context.Context, _ stdnet.ExternalIFaceDiscover, ifaceBlacklist []string) (*stdnet.Net, error) {
+	return stdnet.NewNet(ctx, ifaceBlacklist)
 }

client/internal/peer/ice/stdnet_android.go

@@ -1,7 +1,11 @@
 package ice
 
-import "github.com/netbirdio/netbird/client/internal/stdnet"
+import (
+	"context"
 
-func newStdNet(iFaceDiscover stdnet.ExternalIFaceDiscover, ifaceBlacklist []string) (*stdnet.Net, error) {
-	return stdnet.NewNetWithDiscover(iFaceDiscover, ifaceBlacklist)
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+)
+
+func newStdNet(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, ifaceBlacklist []string) (*stdnet.Net, error) {
+	return stdnet.NewNetWithDiscover(ctx, iFaceDiscover, ifaceBlacklist)
 }

client/internal/peer/status.go

@@ -21,9 +21,9 @@ import (
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
-	"github.com/netbirdio/netbird/route"
 )
 
 const eventQueueSize = 10
@@ -67,6 +67,7 @@ type State struct {
 	BytesRx                    int64
 	Latency                    time.Duration
 	RosenpassEnabled           bool
+	SSHHostKey                 []byte
 	routes                     map[string]struct{}
 }
 
@@ -572,6 +573,22 @@ func (d *Status) UpdatePeerFQDN(peerPubKey, fqdn string) error {
 	return nil
 }
 
+// UpdatePeerSSHHostKey updates peer's SSH host key
+func (d *Status) UpdatePeerSSHHostKey(peerPubKey string, sshHostKey []byte) error {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	peerState, ok := d.peers[peerPubKey]
+	if !ok {
+		return errors.New("peer doesn't exist")
+	}
+
+	peerState.SSHHostKey = sshHostKey
+	d.peers[peerPubKey] = peerState
+
+	return nil
+}
+
 // FinishPeerListModifications this event invoke the notification
 func (d *Status) FinishPeerListModifications() {
 	d.mux.Lock()

client/internal/peer/worker_ice.go

@@ -209,7 +209,7 @@ func (w *WorkerICE) Close() {
 }
 
 func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []ice.CandidateType) (*icemaker.ThreadSafeAgent, error) {
-	agent, err := icemaker.NewAgent(w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
+	agent, err := icemaker.NewAgent(w.ctx, w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
 	if err != nil {
 		return nil, fmt.Errorf("create agent: %w", err)
 	}
@@ -411,7 +411,7 @@ func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dia
 
 func (w *WorkerICE) turnAgentDial(ctx context.Context, agent *icemaker.ThreadSafeAgent, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
 	if isController(w.config) {
-		return w.agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		return agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	} else {
 		return agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	}

client/internal/pkce_auth.go

@@ -44,6 +44,8 @@ type PKCEAuthProviderConfig struct {
 	DisablePromptLogin bool
 	// LoginFlag is used to configure the PKCE flow login behavior
 	LoginFlag common.LoginFlag
+	// LoginHint is used to pre-fill the email/username field during authentication
+	LoginHint string
 }
 
 // GetPKCEAuthorizationFlowInfo initialize a PKCEAuthorizationFlow instance and return with it

client/internal/profilemanager/config.go

@@ -44,24 +44,30 @@ var DefaultInterfaceBlacklist = []string{
 
 // ConfigInput carries configuration changes to the client
 type ConfigInput struct {
-	ManagementURL       string
-	AdminURL            string
-	ConfigPath          string
-	StateFilePath       string
-	PreSharedKey        *string
-	ServerSSHAllowed    *bool
-	NATExternalIPs      []string
-	CustomDNSAddress    []byte
-	RosenpassEnabled    *bool
-	RosenpassPermissive *bool
-	InterfaceName       *string
-	WireguardPort       *int
-	NetworkMonitor      *bool
-	DisableAutoConnect  *bool
-	ExtraIFaceBlackList []string
-	DNSRouteInterval    *time.Duration
-	ClientCertPath      string
-	ClientCertKeyPath   string
+	ManagementURL                 string
+	AdminURL                      string
+	ConfigPath                    string
+	StateFilePath                 string
+	PreSharedKey                  *string
+	ServerSSHAllowed              *bool
+	EnableSSHRoot                 *bool
+	EnableSSHSFTP                 *bool
+	EnableSSHLocalPortForwarding  *bool
+	EnableSSHRemotePortForwarding *bool
+	DisableSSHAuth                *bool
+	SSHJWTCacheTTL                *int
+	NATExternalIPs                []string
+	CustomDNSAddress              []byte
+	RosenpassEnabled              *bool
+	RosenpassPermissive           *bool
+	InterfaceName                 *string
+	WireguardPort                 *int
+	NetworkMonitor                *bool
+	DisableAutoConnect            *bool
+	ExtraIFaceBlackList           []string
+	DNSRouteInterval              *time.Duration
+	ClientCertPath                string
+	ClientCertKeyPath             string
 
 	DisableClientRoutes *bool
 	DisableServerRoutes *bool
@@ -82,18 +88,24 @@ type ConfigInput struct {
 // Config Configuration type
 type Config struct {
 	// Wireguard private key of local peer
-	PrivateKey           string
-	PreSharedKey         string
-	ManagementURL        *url.URL
-	AdminURL             *url.URL
-	WgIface              string
-	WgPort               int
-	NetworkMonitor       *bool
-	IFaceBlackList       []string
-	DisableIPv6Discovery bool
-	RosenpassEnabled     bool
-	RosenpassPermissive  bool
-	ServerSSHAllowed     *bool
+	PrivateKey                    string
+	PreSharedKey                  string
+	ManagementURL                 *url.URL
+	AdminURL                      *url.URL
+	WgIface                       string
+	WgPort                        int
+	NetworkMonitor                *bool
+	IFaceBlackList                []string
+	DisableIPv6Discovery          bool
+	RosenpassEnabled              bool
+	RosenpassPermissive           bool
+	ServerSSHAllowed              *bool
+	EnableSSHRoot                 *bool
+	EnableSSHSFTP                 *bool
+	EnableSSHLocalPortForwarding  *bool
+	EnableSSHRemotePortForwarding *bool
+	DisableSSHAuth                *bool
+	SSHJWTCacheTTL                *int
 
 	DisableClientRoutes bool
 	DisableServerRoutes bool
@@ -376,6 +388,62 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
+	if input.EnableSSHRoot != nil && input.EnableSSHRoot != config.EnableSSHRoot {
+		if *input.EnableSSHRoot {
+			log.Infof("enabling SSH root login")
+		} else {
+			log.Infof("disabling SSH root login")
+		}
+		config.EnableSSHRoot = input.EnableSSHRoot
+		updated = true
+	}
+
+	if input.EnableSSHSFTP != nil && input.EnableSSHSFTP != config.EnableSSHSFTP {
+		if *input.EnableSSHSFTP {
+			log.Infof("enabling SSH SFTP subsystem")
+		} else {
+			log.Infof("disabling SSH SFTP subsystem")
+		}
+		config.EnableSSHSFTP = input.EnableSSHSFTP
+		updated = true
+	}
+
+	if input.EnableSSHLocalPortForwarding != nil && input.EnableSSHLocalPortForwarding != config.EnableSSHLocalPortForwarding {
+		if *input.EnableSSHLocalPortForwarding {
+			log.Infof("enabling SSH local port forwarding")
+		} else {
+			log.Infof("disabling SSH local port forwarding")
+		}
+		config.EnableSSHLocalPortForwarding = input.EnableSSHLocalPortForwarding
+		updated = true
+	}
+
+	if input.EnableSSHRemotePortForwarding != nil && input.EnableSSHRemotePortForwarding != config.EnableSSHRemotePortForwarding {
+		if *input.EnableSSHRemotePortForwarding {
+			log.Infof("enabling SSH remote port forwarding")
+		} else {
+			log.Infof("disabling SSH remote port forwarding")
+		}
+		config.EnableSSHRemotePortForwarding = input.EnableSSHRemotePortForwarding
+		updated = true
+	}
+
+	if input.DisableSSHAuth != nil && input.DisableSSHAuth != config.DisableSSHAuth {
+		if *input.DisableSSHAuth {
+			log.Infof("disabling SSH authentication")
+		} else {
+			log.Infof("enabling SSH authentication")
+		}
+		config.DisableSSHAuth = input.DisableSSHAuth
+		updated = true
+	}
+
+	if input.SSHJWTCacheTTL != nil && input.SSHJWTCacheTTL != config.SSHJWTCacheTTL {
+		log.Infof("updating SSH JWT cache TTL to %d seconds", *input.SSHJWTCacheTTL)
+		config.SSHJWTCacheTTL = input.SSHJWTCacheTTL
+		updated = true
+	}
+
 	if input.DNSRouteInterval != nil && *input.DNSRouteInterval != config.DNSRouteInterval {
 		log.Infof("updating DNS route interval to %s (old value %s)",
 			input.DNSRouteInterval.String(), config.DNSRouteInterval.String())

client/internal/profilemanager/config_test.go

@@ -193,10 +193,10 @@ func TestWireguardPortZeroExplicit(t *testing.T) {
 
 func TestWireguardPortDefaultVsExplicit(t *testing.T) {
 	tests := []struct {
-		name           string
-		wireguardPort  *int
-		expectedPort   int
-		description    string
+		name          string
+		wireguardPort *int
+		expectedPort  int
+		description   string
 	}{
 		{
 			name:          "no port specified uses default",

client/internal/profilemanager/profilemanager.go

@@ -132,3 +132,21 @@ func (pm *ProfileManager) setActiveProfileState(profileName string) error {
 
 	return nil
 }
+
+// GetLoginHint retrieves the email from the active profile to use as login_hint.
+func GetLoginHint() string {
+	pm := NewProfileManager()
+	activeProf, err := pm.GetActiveProfile()
+	if err != nil {
+		log.Debugf("failed to get active profile for login hint: %v", err)
+		return ""
+	}
+
+	profileState, err := pm.GetProfileState(activeProf.Name)
+	if err != nil {
+		log.Debugf("failed to get profile state for login hint: %v", err)
+		return ""
+	}
+
+	return profileState.Email
+}

client/internal/relay/relay.go

@@ -197,7 +197,7 @@ func (p *StunTurnProbe) probeSTUN(ctx context.Context, uri *stun.URI) (addr stri
 		}
 	}()
 
-	net, err := stdnet.NewNet(nil)
+	net, err := stdnet.NewNet(ctx, nil)
 	if err != nil {
 		probeErr = fmt.Errorf("new net: %w", err)
 		return
@@ -286,7 +286,7 @@ func (p *StunTurnProbe) probeTURN(ctx context.Context, uri *stun.URI) (addr stri
 		}
 	}()
 
-	net, err := stdnet.NewNet(nil)
+	net, err := stdnet.NewNet(ctx, nil)
 	if err != nil {
 		probeErr = fmt.Errorf("new net: %w", err)
 		return

client/internal/routemanager/dynamic/route.go

@@ -18,8 +18,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/iface"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/routemanager/util"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 const (

client/internal/routemanager/manager.go

@@ -24,7 +24,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
-	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/client/internal/routemanager/client"
@@ -39,6 +38,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routeselector"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	nbnet "github.com/netbirdio/netbird/client/net"
+	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	"github.com/netbirdio/netbird/version"
@@ -81,6 +81,7 @@ type DefaultManager struct {
 	ctx                  context.Context
 	stop                 context.CancelFunc
 	mux                  sync.Mutex
+	shutdownWg           sync.WaitGroup
 	clientNetworks       map[route.HAUniqueID]*client.Watcher
 	routeSelector        *routeselector.RouteSelector
 	serverRouter         *server.Router
@@ -283,6 +284,7 @@ func (m *DefaultManager) SetDNSForwarderPort(port uint16) {
 // Stop stops the manager watchers and clean firewall rules
 func (m *DefaultManager) Stop(stateManager *statemanager.Manager) {
 	m.stop()
+	m.shutdownWg.Wait()
 	if m.serverRouter != nil {
 		m.serverRouter.CleanUp()
 	}
@@ -485,7 +487,11 @@ func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
 		}
 		clientNetworkWatcher := client.NewWatcher(config)
 		m.clientNetworks[id] = clientNetworkWatcher
-		go clientNetworkWatcher.Start()
+		m.shutdownWg.Add(1)
+		go func() {
+			defer m.shutdownWg.Done()
+			clientNetworkWatcher.Start()
+		}()
 		clientNetworkWatcher.SendUpdate(client.RoutesUpdate{Routes: routes})
 	}
 
@@ -527,7 +533,11 @@ func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks rout
 			}
 			clientNetworkWatcher = client.NewWatcher(config)
 			m.clientNetworks[id] = clientNetworkWatcher
-			go clientNetworkWatcher.Start()
+			m.shutdownWg.Add(1)
+			go func() {
+				defer m.shutdownWg.Done()
+				clientNetworkWatcher.Start()
+			}()
 		}
 		update := client.RoutesUpdate{
 			UpdateSerial: updateSerial,

client/internal/routemanager/manager_test.go

@@ -6,7 +6,7 @@ import (
 	"net/netip"
 	"testing"
 
-	"github.com/pion/transport/v3/stdnet"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/stretchr/testify/require"
@@ -403,7 +403,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			peerPrivateKey, _ := wgtypes.GeneratePrivateKey()
-			newNet, err := stdnet.NewNet()
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}

client/internal/routemanager/systemops/systemops_generic_test.go

@@ -15,7 +15,7 @@ import (
 	"syscall"
 	"testing"
 
-	"github.com/pion/transport/v3/stdnet"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -436,7 +436,7 @@ func createWGInterface(t *testing.T, interfaceName, ipAddressCIDR string, listen
 	peerPrivateKey, err := wgtypes.GeneratePrivateKey()
 	require.NoError(t, err)
 
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	require.NoError(t, err)
 
 	opts := iface.WGIFaceOpts{

client/internal/routeselector/routeselector.go

@@ -9,8 +9,6 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"golang.org/x/exp/maps"
 
-	log "github.com/sirupsen/logrus"
-
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/route"
 )
@@ -128,13 +126,11 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	defer rs.mu.RUnlock()
 
 	if rs.deselectAll {
-		log.Debugf("Route %s not selected (deselect all)", routeID)
 		return false
 	}
 
 	_, deselected := rs.deselectedRoutes[routeID]
 	isSelected := !deselected
-	log.Debugf("Route %s selection status: %v (deselected: %v)", routeID, isSelected, deselected)
 	return isSelected
 }
 

client/internal/stdnet/stdnet.go

@@ -4,17 +4,28 @@
 package stdnet
 
 import (
+	"context"
+	"errors"
 	"fmt"
+	"net"
+	"net/netip"
 	"slices"
+	"strconv"
 	"sync"
 	"time"
 
-	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/pion/transport/v3"
 	"github.com/pion/transport/v3/stdnet"
+
+	"github.com/netbirdio/netbird/client/iface/netstack"
 )
 
-const updateInterval = 30 * time.Second
+const (
+	updateInterval    = 30 * time.Second
+	dnsResolveTimeout = 30 * time.Second
+)
+
+var errNoSuitableAddress = errors.New("no suitable address found")
 
 // Net is an implementation of the net.Net interface
 // based on functions of the standard net package.
@@ -28,12 +39,19 @@ type Net struct {
 
 	// mu is shared between interfaces and lastUpdate
 	mu sync.Mutex
+
+	// ctx is the context for network operations that supports cancellation
+	ctx context.Context
 }
 
 // NewNetWithDiscover creates a new StdNet instance.
-func NewNetWithDiscover(iFaceDiscover ExternalIFaceDiscover, disallowList []string) (*Net, error) {
+func NewNetWithDiscover(ctx context.Context, iFaceDiscover ExternalIFaceDiscover, disallowList []string) (*Net, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
 	n := &Net{
 		interfaceFilter: InterfaceFilter(disallowList),
+		ctx:             ctx,
 	}
 	// current ExternalIFaceDiscover implement in android-client https://github.dev/netbirdio/android-client
 	// so in android cli use pionDiscover
@@ -46,14 +64,64 @@ func NewNetWithDiscover(iFaceDiscover ExternalIFaceDiscover, disallowList []stri
 }
 
 // NewNet creates a new StdNet instance.
-func NewNet(disallowList []string) (*Net, error) {
+func NewNet(ctx context.Context, disallowList []string) (*Net, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
 	n := &Net{
 		iFaceDiscover:   pionDiscover{},
 		interfaceFilter: InterfaceFilter(disallowList),
+		ctx:             ctx,
 	}
 	return n, n.UpdateInterfaces()
 }
 
+// resolveAddr performs DNS resolution with context support and timeout.
+func (n *Net) resolveAddr(network, address string) (netip.AddrPort, error) {
+	host, portStr, err := net.SplitHostPort(address)
+	if err != nil {
+		return netip.AddrPort{}, err
+	}
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return netip.AddrPort{}, fmt.Errorf("invalid port: %w", err)
+	}
+	if port < 0 || port > 65535 {
+		return netip.AddrPort{}, fmt.Errorf("invalid port: %d", port)
+	}
+
+	ipNet := "ip"
+	switch network {
+	case "tcp4", "udp4":
+		ipNet = "ip4"
+	case "tcp6", "udp6":
+		ipNet = "ip6"
+	}
+
+	if host == "" {
+		addr := netip.IPv4Unspecified()
+		if ipNet == "ip6" {
+			addr = netip.IPv6Unspecified()
+		}
+		return netip.AddrPortFrom(addr, uint16(port)), nil
+	}
+
+	ctx, cancel := context.WithTimeout(n.ctx, dnsResolveTimeout)
+	defer cancel()
+
+	addrs, err := net.DefaultResolver.LookupNetIP(ctx, ipNet, host)
+	if err != nil {
+		return netip.AddrPort{}, err
+	}
+
+	if len(addrs) == 0 {
+		return netip.AddrPort{}, errNoSuitableAddress
+	}
+
+	return netip.AddrPortFrom(addrs[0], uint16(port)), nil
+}
+
 // UpdateInterfaces updates the internal list of network interfaces
 // and associated addresses filtering them by name.
 // The interfaces are discovered by an external iFaceDiscover function or by a default discoverer if the external one
@@ -137,3 +205,39 @@ func (n *Net) filterInterfaces(interfaces []*transport.Interface) []*transport.I
 	}
 	return result
 }
+
+// ResolveUDPAddr resolves UDP addresses with context support and timeout.
+func (n *Net) ResolveUDPAddr(network, address string) (*net.UDPAddr, error) {
+	switch network {
+	case "udp", "udp4", "udp6":
+	case "":
+		network = "udp"
+	default:
+		return nil, &net.OpError{Op: "resolve", Net: network, Err: net.UnknownNetworkError(network)}
+	}
+
+	addrPort, err := n.resolveAddr(network, address)
+	if err != nil {
+		return nil, &net.OpError{Op: "resolve", Net: network, Addr: &net.UDPAddr{IP: nil}, Err: err}
+	}
+
+	return net.UDPAddrFromAddrPort(addrPort), nil
+}
+
+// ResolveTCPAddr resolves TCP addresses with context support and timeout.
+func (n *Net) ResolveTCPAddr(network, address string) (*net.TCPAddr, error) {
+	switch network {
+	case "tcp", "tcp4", "tcp6":
+	case "":
+		network = "tcp"
+	default:
+		return nil, &net.OpError{Op: "resolve", Net: network, Err: net.UnknownNetworkError(network)}
+	}
+
+	addrPort, err := n.resolveAddr(network, address)
+	if err != nil {
+		return nil, &net.OpError{Op: "resolve", Net: network, Addr: &net.TCPAddr{IP: nil}, Err: err}
+	}
+
+	return net.TCPAddrFromAddrPort(addrPort), nil
+}

client/internal/templates/pkce_auth_msg_test.go

@@ -0,0 +1,299 @@
+package templates
+
+import (
+	"html/template"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestPKCEAuthMsgTemplate(t *testing.T) {
+	tests := []struct {
+		name                 string
+		data                 map[string]string
+		outputFile           string
+		expectedTitle        string
+		expectedInContent    []string
+		notExpectedInContent []string
+	}{
+		{
+			name: "error_state",
+			data: map[string]string{
+				"Error": "authentication failed: invalid state",
+			},
+			outputFile:    "pkce-auth-error.html",
+			expectedTitle: "Login Failed",
+			expectedInContent: []string{
+				"authentication failed: invalid state",
+				"Login Failed",
+			},
+			notExpectedInContent: []string{
+				"Login Successful",
+				"Your device is now registered and logged in to NetBird",
+			},
+		},
+		{
+			name: "success_state",
+			data: map[string]string{
+				// No error field means success
+			},
+			outputFile:    "pkce-auth-success.html",
+			expectedTitle: "Login Successful",
+			expectedInContent: []string{
+				"Login Successful",
+				"Your device is now registered and logged in to NetBird. You can now close this window.",
+			},
+			notExpectedInContent: []string{
+				"Login Failed",
+			},
+		},
+		{
+			name: "error_state_timeout",
+			data: map[string]string{
+				"Error": "authentication timeout: request expired after 5 minutes",
+			},
+			outputFile:    "pkce-auth-timeout.html",
+			expectedTitle: "Login Failed",
+			expectedInContent: []string{
+				"authentication timeout: request expired after 5 minutes",
+				"Login Failed",
+			},
+			notExpectedInContent: []string{
+				"Login Successful",
+				"Your device is now registered and logged in to NetBird",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Parse the template
+			tmpl, err := template.New("pkce-auth-msg").Parse(PKCEAuthMsgTmpl)
+			if err != nil {
+				t.Fatalf("Failed to parse template: %v", err)
+			}
+
+			// Create temp directory for this test
+			tempDir := t.TempDir()
+			outputPath := filepath.Join(tempDir, tt.outputFile)
+
+			// Create output file
+			file, err := os.Create(outputPath)
+			if err != nil {
+				t.Fatalf("Failed to create output file: %v", err)
+			}
+
+			// Execute the template
+			if err := tmpl.Execute(file, tt.data); err != nil {
+				file.Close()
+				t.Fatalf("Failed to execute template: %v", err)
+			}
+			file.Close()
+
+			t.Logf("Generated test output: %s", outputPath)
+
+			// Read the generated file
+			content, err := os.ReadFile(outputPath)
+			if err != nil {
+				t.Fatalf("Failed to read output file: %v", err)
+			}
+
+			contentStr := string(content)
+
+			// Verify file has content
+			if len(contentStr) == 0 {
+				t.Error("Output file is empty")
+			}
+
+			// Verify basic HTML structure
+			basicElements := []string{
+				"<!DOCTYPE html>",
+				"<html",
+				"<head>",
+				"<body>",
+				"NetBird",
+			}
+
+			for _, elem := range basicElements {
+				if !contains(contentStr, elem) {
+					t.Errorf("Expected HTML to contain '%s', but it was not found", elem)
+				}
+			}
+
+			// Verify expected title
+			if !contains(contentStr, tt.expectedTitle) {
+				t.Errorf("Expected HTML to contain title '%s', but it was not found", tt.expectedTitle)
+			}
+
+			// Verify expected content is present
+			for _, expected := range tt.expectedInContent {
+				if !contains(contentStr, expected) {
+					t.Errorf("Expected HTML to contain '%s', but it was not found", expected)
+				}
+			}
+
+			// Verify unexpected content is not present
+			for _, notExpected := range tt.notExpectedInContent {
+				if contains(contentStr, notExpected) {
+					t.Errorf("Expected HTML to NOT contain '%s', but it was found", notExpected)
+				}
+			}
+		})
+	}
+}
+
+func TestPKCEAuthMsgTemplateValidation(t *testing.T) {
+	// Test that the template can be parsed without errors
+	tmpl, err := template.New("pkce-auth-msg").Parse(PKCEAuthMsgTmpl)
+	if err != nil {
+		t.Fatalf("Template parsing failed: %v", err)
+	}
+
+	// Test with empty data
+	t.Run("empty_data", func(t *testing.T) {
+		tempDir := t.TempDir()
+		outputPath := filepath.Join(tempDir, "empty-data.html")
+
+		file, err := os.Create(outputPath)
+		if err != nil {
+			t.Fatalf("Failed to create output file: %v", err)
+		}
+		defer file.Close()
+
+		if err := tmpl.Execute(file, nil); err != nil {
+			t.Errorf("Template execution with nil data failed: %v", err)
+		}
+	})
+
+	// Test with error data
+	t.Run("with_error", func(t *testing.T) {
+		tempDir := t.TempDir()
+		outputPath := filepath.Join(tempDir, "with-error.html")
+
+		file, err := os.Create(outputPath)
+		if err != nil {
+			t.Fatalf("Failed to create output file: %v", err)
+		}
+		defer file.Close()
+
+		data := map[string]string{
+			"Error": "test error message",
+		}
+		if err := tmpl.Execute(file, data); err != nil {
+			t.Errorf("Template execution with error data failed: %v", err)
+		}
+	})
+}
+
+func TestPKCEAuthMsgTemplateContent(t *testing.T) {
+	// Test that the template contains expected elements
+	tmpl, err := template.New("pkce-auth-msg").Parse(PKCEAuthMsgTmpl)
+	if err != nil {
+		t.Fatalf("Template parsing failed: %v", err)
+	}
+
+	t.Run("success_content", func(t *testing.T) {
+		tempDir := t.TempDir()
+		outputPath := filepath.Join(tempDir, "success.html")
+
+		file, err := os.Create(outputPath)
+		if err != nil {
+			t.Fatalf("Failed to create output file: %v", err)
+		}
+		defer file.Close()
+
+		data := map[string]string{}
+		if err := tmpl.Execute(file, data); err != nil {
+			t.Fatalf("Template execution failed: %v", err)
+		}
+
+		// Read the file and verify it contains expected content
+		content, err := os.ReadFile(outputPath)
+		if err != nil {
+			t.Fatalf("Failed to read output file: %v", err)
+		}
+
+		// Check for success indicators
+		contentStr := string(content)
+		if len(contentStr) == 0 {
+			t.Error("Generated HTML is empty")
+		}
+
+		// Basic HTML structure checks
+		requiredElements := []string{
+			"<!DOCTYPE html>",
+			"<html",
+			"<head>",
+			"<body>",
+			"Login Successful",
+			"NetBird",
+		}
+
+		for _, elem := range requiredElements {
+			if !contains(contentStr, elem) {
+				t.Errorf("Expected HTML to contain '%s', but it was not found", elem)
+			}
+		}
+	})
+
+	t.Run("error_content", func(t *testing.T) {
+		tempDir := t.TempDir()
+		outputPath := filepath.Join(tempDir, "error.html")
+
+		file, err := os.Create(outputPath)
+		if err != nil {
+			t.Fatalf("Failed to create output file: %v", err)
+		}
+		defer file.Close()
+
+		errorMsg := "test error message"
+		data := map[string]string{
+			"Error": errorMsg,
+		}
+		if err := tmpl.Execute(file, data); err != nil {
+			t.Fatalf("Template execution failed: %v", err)
+		}
+
+		// Read the file and verify it contains expected content
+		content, err := os.ReadFile(outputPath)
+		if err != nil {
+			t.Fatalf("Failed to read output file: %v", err)
+		}
+
+		// Check for error indicators
+		contentStr := string(content)
+		if len(contentStr) == 0 {
+			t.Error("Generated HTML is empty")
+		}
+
+		// Basic HTML structure checks
+		requiredElements := []string{
+			"<!DOCTYPE html>",
+			"<html",
+			"<head>",
+			"<body>",
+			"Login Failed",
+			errorMsg,
+		}
+
+		for _, elem := range requiredElements {
+			if !contains(contentStr, elem) {
+				t.Errorf("Expected HTML to contain '%s', but it was not found", elem)
+			}
+		}
+	})
+}
+
+func contains(s, substr string) bool {
+	return len(s) >= len(substr) && (s == substr || len(substr) == 0 ||
+		(len(s) > 0 && len(substr) > 0 && containsHelper(s, substr)))
+}
+
+func containsHelper(s, substr string) bool {
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			return true
+		}
+	}
+	return false
+}

client/ios/NetBirdSDK/client.go

@@ -20,8 +20,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 // ConnectionListener export internal Listener for mobile
@@ -228,7 +228,7 @@ func (c *Client) LoginForMobile() string {
 		ConfigPath: c.cfgFile,
 	})
 
-	oAuthFlow, err := auth.NewOAuthFlow(ctx, cfg, false)
+	oAuthFlow, err := auth.NewOAuthFlow(ctx, cfg, false, "")
 	if err != nil {
 		return err.Error()
 	}

client/proto/daemon.proto

@@ -84,6 +84,15 @@ service DaemonService {
   rpc Logout(LogoutRequest) returns (LogoutResponse) {}
 
   rpc GetFeatures(GetFeaturesRequest) returns (GetFeaturesResponse) {}
+
+  // GetPeerSSHHostKey retrieves SSH host key for a specific peer
+  rpc GetPeerSSHHostKey(GetPeerSSHHostKeyRequest) returns (GetPeerSSHHostKeyResponse) {}
+
+  // RequestJWTAuth initiates JWT authentication flow for SSH
+  rpc RequestJWTAuth(RequestJWTAuthRequest) returns (RequestJWTAuthResponse) {}
+
+  // WaitJWTToken waits for JWT authentication completion
+  rpc WaitJWTToken(WaitJWTTokenRequest) returns (WaitJWTTokenResponse) {}
 }
 
 
@@ -158,6 +167,16 @@ message LoginRequest {
   optional string username = 31;
 
   optional int64 mtu = 32;
+
+  // hint is used to pre-fill the email/username field during SSO authentication
+  optional string hint = 33;
+
+  optional bool enableSSHRoot = 34;
+  optional bool enableSSHSFTP = 35;
+  optional bool enableSSHLocalPortForwarding = 36;
+  optional bool enableSSHRemotePortForwarding = 37;
+  optional bool disableSSHAuth = 38;
+  optional int32 sshJWTCacheTTL = 39;
 }
 
 message LoginResponse {
@@ -185,9 +204,9 @@ message UpResponse {}
 
 message StatusRequest{
   bool getFullPeerStatus = 1;
-  bool shouldRunProbes   = 2;
+  bool shouldRunProbes = 2;
   // the UI do not using this yet, but CLIs could use it to wait until the status is ready
-  optional bool waitForReady     = 3;
+  optional bool waitForReady = 3;
 }
 
 message StatusResponse{
@@ -252,6 +271,18 @@ message GetConfigResponse {
   bool disable_server_routes = 19;
 
   bool block_lan_access = 20;
+
+  bool enableSSHRoot = 21;
+
+  bool enableSSHSFTP = 24;
+
+  bool enableSSHLocalPortForwarding = 22;
+
+  bool enableSSHRemotePortForwarding = 23;
+
+  bool disableSSHAuth = 25;
+
+  int32 sshJWTCacheTTL = 26;
 }
 
 // PeerState contains the latest state of a peer
@@ -273,6 +304,7 @@ message PeerState {
   repeated string networks = 16;
   google.protobuf.Duration latency = 17;
   string relayAddress = 18;
+  bytes sshHostKey = 19;
 }
 
 // LocalPeerState contains the latest state of the local peer
@@ -314,6 +346,20 @@ message NSGroupState {
   string error = 4;
 }
 
+// SSHSessionInfo contains information about an active SSH session
+message SSHSessionInfo {
+  string username = 1;
+  string remoteAddress = 2;
+  string command = 3;
+  string jwtUsername = 4;
+}
+
+// SSHServerState contains the latest state of the SSH server
+message SSHServerState {
+  bool enabled = 1;
+  repeated SSHSessionInfo sessions = 2;
+}
+
 // FullStatus contains the full state held by the Status instance
 message FullStatus {
   ManagementState managementState = 1;
@@ -327,6 +373,7 @@ message FullStatus {
   repeated SystemEvent events = 7;
 
   bool lazyConnectionEnabled = 9;
+  SSHServerState sshServerState = 10;
 }
 
 // Networks
@@ -540,56 +587,63 @@ message SwitchProfileRequest {
 message SwitchProfileResponse {}
 
 message SetConfigRequest {
-    string username = 1;
-    string profileName = 2;
-    // managementUrl to authenticate.
-    string managementUrl = 3;
+  string username = 1;
+  string profileName = 2;
+  // managementUrl to authenticate.
+  string managementUrl = 3;
 
-    // adminUrl to manage keys.
-    string adminURL = 4;
+  // adminUrl to manage keys.
+  string adminURL = 4;
 
-    optional bool rosenpassEnabled = 5;
+  optional bool rosenpassEnabled = 5;
 
-    optional string interfaceName = 6;
+  optional string interfaceName = 6;
 
-    optional int64 wireguardPort = 7;
+  optional int64 wireguardPort = 7;
 
-    optional string optionalPreSharedKey = 8;
+  optional string optionalPreSharedKey = 8;
 
-    optional bool disableAutoConnect = 9;
+  optional bool disableAutoConnect = 9;
 
-    optional bool serverSSHAllowed = 10;
+  optional bool serverSSHAllowed = 10;
 
-    optional bool rosenpassPermissive = 11;
+  optional bool rosenpassPermissive = 11;
 
-    optional bool networkMonitor = 12;
+  optional bool networkMonitor = 12;
 
-    optional bool disable_client_routes = 13;
-    optional bool disable_server_routes = 14;
-    optional bool disable_dns = 15;
-    optional bool disable_firewall = 16;
-    optional bool block_lan_access = 17;
+  optional bool disable_client_routes = 13;
+  optional bool disable_server_routes = 14;
+  optional bool disable_dns = 15;
+  optional bool disable_firewall = 16;
+  optional bool block_lan_access = 17;
 
-    optional bool disable_notifications = 18;
+  optional bool disable_notifications = 18;
 
-    optional bool lazyConnectionEnabled = 19;
+  optional bool lazyConnectionEnabled = 19;
 
-    optional bool block_inbound = 20;
+  optional bool block_inbound = 20;
 
-    repeated string natExternalIPs = 21;
-    bool cleanNATExternalIPs = 22;
+  repeated string natExternalIPs = 21;
+  bool cleanNATExternalIPs = 22;
 
-    bytes customDNSAddress = 23;
+  bytes customDNSAddress = 23;
 
-    repeated string extraIFaceBlacklist = 24;
+  repeated string extraIFaceBlacklist = 24;
 
-    repeated string dns_labels = 25;
-    // cleanDNSLabels clean map list of DNS labels.
-    bool cleanDNSLabels = 26;
+  repeated string dns_labels = 25;
+  // cleanDNSLabels clean map list of DNS labels.
+  bool cleanDNSLabels = 26;
 
-    optional google.protobuf.Duration dnsRouteInterval = 27;
+  optional google.protobuf.Duration dnsRouteInterval = 27;
 
-    optional int64 mtu = 28;
+  optional int64 mtu = 28;
+
+  optional bool enableSSHRoot = 29;
+  optional bool enableSSHSFTP = 30;
+  optional bool enableSSHLocalPortForwarding = 31;
+  optional bool enableSSHRemotePortForwarding = 32;
+  optional bool disableSSHAuth = 33;
+  optional int32 sshJWTCacheTTL = 34;
 }
 
 message SetConfigResponse{}
@@ -641,3 +695,63 @@ message GetFeaturesResponse{
   bool disable_profiles = 1;
   bool disable_update_settings = 2;
 }
+
+// GetPeerSSHHostKeyRequest for retrieving SSH host key for a specific peer
+message GetPeerSSHHostKeyRequest {
+  // peer IP address or FQDN to get SSH host key for
+  string peerAddress = 1;
+}
+
+// GetPeerSSHHostKeyResponse contains the SSH host key for the requested peer
+message GetPeerSSHHostKeyResponse {
+  // SSH host key in SSH public key format (e.g., "ssh-ed25519 AAAAC3... hostname")
+  bytes sshHostKey = 1;
+  // peer IP address
+  string peerIP = 2;
+  // peer FQDN
+  string peerFQDN = 3;
+  // indicates if the SSH host key was found
+  bool found = 4;
+}
+
+// RequestJWTAuthRequest for initiating JWT authentication flow
+message RequestJWTAuthRequest {
+  // hint for OIDC login_hint parameter (typically email address)
+  optional string hint = 1;
+}
+
+// RequestJWTAuthResponse contains authentication flow information
+message RequestJWTAuthResponse {
+  // verification URI for user authentication
+  string verificationURI = 1;
+  // complete verification URI (with embedded user code)
+  string verificationURIComplete = 2;
+  // user code to enter on verification URI
+  string userCode = 3;
+  // device code for polling
+  string deviceCode = 4;
+  // expiration time in seconds
+  int64 expiresIn = 5;
+  // if a cached token is available, it will be returned here
+  string cachedToken = 6;
+  // maximum age of JWT tokens in seconds (from management server)
+  int64 maxTokenAge = 7;
+}
+
+// WaitJWTTokenRequest for waiting for authentication completion
+message WaitJWTTokenRequest {
+  // device code from RequestJWTAuthResponse
+  string deviceCode = 1;
+  // user code for verification
+  string userCode = 2;
+}
+
+// WaitJWTTokenResponse contains the JWT token after authentication
+message WaitJWTTokenResponse {
+  // JWT token (access token or ID token)
+  string token = 1;
+  // token type (e.g., "Bearer")
+  string tokenType = 2;
+  // expiration time in seconds
+  int64 expiresIn = 3;
+}