Merge branch 'refs/heads/test/add-stopwatch' into deploy/peer-performance

update sqlite operations
remove stacktrace
2026-04-01 07:04:17 -04:00 · 2024-05-06 14:29:22 +03:00 · 2024-05-06 13:25:46 +02:00 · 2024-05-03 17:30:26 +02:00 · 2024-05-03 14:11:23 +03:00 · 2024-05-03 14:07:54 +03:00
452 changed files with 11713 additions and 27489 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -1,8 +0,0 @@
-root = true
-
-[*]
-end_of_line = lf
-insert_final_newline = true
-
-[*.go]
-indent_style = tab
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -1,4 +1,4 @@
-name: Test Code Linux
+name: Test Code Darwin

 on:
  push:
@@ -11,27 +11,29 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test_client_on_docker:
-    runs-on: ubuntu-20.04
+  test:
+    strategy:
+      matrix:
+        store: ['jsonfile', 'sqlite']
+    runs-on: macos-latest
    steps:
      - name: Install Go
        uses: actions/setup-go@v4
        with:
          go-version: "1.21.x"
+      - name: Checkout code
+        uses: actions/checkout@v3

      - name: Cache Go modules
        uses: actions/cache@v3
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          key: macos-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go-
+            macos-go-

-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+      - name: Install libpcap
+        run: brew install libpcap

      - name: Install modules
        run: go mod tidy
@@ -39,5 +41,5 @@ jobs:
      - name: check git status
        run: git --no-pager diff --exit-code

-      - name: Run test
-        run: go test ./client/internal/routemanager -run TestGetBestrouteFromStatuses
+      - name: Test
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 ./...
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -0,0 +1,121 @@
+name: Test Code Linux
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    strategy:
+      matrix:
+        arch: [ '386','amd64' ]
+        store: [ 'jsonfile', 'sqlite' ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.21.x"
+
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Test
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 ./...
+
+  test_client_on_docker:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.21.x"
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Generate Iface Test bin
+        run: CGO_ENABLED=0 go test -c -o iface-testing.bin ./iface/
+
+      - name: Generate Shared Sock Test bin
+        run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock
+
+      - name: Generate RouteManager Test bin
+        run: CGO_ENABLED=1 go test -c -o routemanager-testing.bin -tags netgo -ldflags '-w -extldflags "-static -ldbus-1 -lpcap"' ./client/internal/routemanager/...
+
+      - name: Generate nftables Manager Test bin
+        run: CGO_ENABLED=0 go test -c -o nftablesmanager-testing.bin ./client/firewall/nftables/...
+
+      - name: Generate Engine Test bin
+        run: CGO_ENABLED=1 go test -c -o engine-testing.bin ./client/internal
+
+      - name: Generate Peer Test bin
+        run: CGO_ENABLED=0 go test -c -o peer-testing.bin ./client/internal/peer/...
+
+      - run: chmod +x *testing.bin
+
+      - name: Run Shared Sock tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/sharedsock --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/sharedsock-testing.bin -test.timeout 5m -test.parallel 1
+
+      - name: Run Iface tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/iface --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/iface-testing.bin -test.timeout 5m -test.parallel 1
+
+      - name: Run RouteManager tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/routemanager-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run nftables Manager tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/firewall --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/nftablesmanager-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run Engine tests in docker with file store
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="jsonfile" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run Engine tests in docker with sqlite store
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="sqlite" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run Peer tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -0,0 +1,52 @@
+name: Test Code Windows
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+env:
+  downloadPath: '${{ github.workspace }}\temp'
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: windows-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install Go
+        uses: actions/setup-go@v4
+        id: go
+        with:
+          go-version: "1.21.x"
+
+      - name: Download wintun
+        uses: carlosperate/download-file-action@v2
+        id: download-wintun
+        with:
+          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          file-name: wintun.zip
+          location: ${{ env.downloadPath }}
+          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
+
+      - name: Decompressing wintun files
+        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+
+      - run: mv ${{ env.downloadPath }}/wintun/bin/amd64/wintun.dll 'C:\Windows\System32\'
+
+      - run: choco install -y sysinternals --ignore-checksums
+      - run: choco install -y mingw
+
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=C:\Users\runneradmin\go\pkg\mod
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=C:\Users\runneradmin\AppData\Local\go-build
+
+      - name: test
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 10m -p 1 ./... > test-out.txt 2>&1"
+      - name: test output
+        if: ${{ always() }}
+        run: Get-Content test-out.txt
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -0,0 +1,52 @@
+name: golangci-lint
+on: [pull_request]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  codespell:
+    name: codespell
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: codespell
+        uses: codespell-project/actions-codespell@v2
+        with:
+          ignore_words_list: erro,clienta,hastable,
+          skip: go.mod,go.sum
+          only_warn: 1
+  golangci:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-latest, windows-latest, ubuntu-latest]
+    name: lint
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 15
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Check for duplicate constants
+        if: matrix.os == 'ubuntu-latest'
+        run: |
+          ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
+      - name: Install Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.21.x"
+          cache: false
+      - name: Install dependencies
+        if: matrix.os == 'ubuntu-latest'
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: latest
+          args: --timeout=12m
--- a/.github/workflows/install-script-test.yml
+++ b/.github/workflows/install-script-test.yml
@@ -0,0 +1,36 @@
+name: Test installation
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - "release_files/install.sh"
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+jobs:
+  test-install-script:
+    strategy:
+      max-parallel: 2
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        skip_ui_mode: [true, false]
+        install_binary: [true, false]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: run install script
+        env:
+          SKIP_UI_APP: ${{ matrix.skip_ui_mode }}
+          USE_BIN_INSTALL: ${{ matrix.install_binary }}
+          GITHUB_TOKEN: ${{ secrets.RO_API_CALLER_TOKEN }}
+        run: |
+          [ "$SKIP_UI_APP" == "false" ] && export XDG_CURRENT_DESKTOP="none"
+          cat release_files/install.sh | sh -x
+
+      - name: check cli binary
+        run: command -v netbird
--- a/.github/workflows/mobile-build-validation.yml
+++ b/.github/workflows/mobile-build-validation.yml
@@ -0,0 +1,65 @@
+name: Mobile build validation
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  android_build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.21.x"
+      - name: Setup Android SDK
+        uses: android-actions/setup-android@v3
+        with:
+          cmdline-tools-version: 8512546
+      - name: Setup Java
+        uses: actions/setup-java@v3
+        with:
+          java-version: "11"
+          distribution: "adopt"
+      - name: NDK Cache
+        id: ndk-cache
+        uses: actions/cache@v3
+        with:
+          path: /usr/local/lib/android/sdk/ndk
+          key: ndk-cache-23.1.7779620
+      - name: Setup NDK
+        run: /usr/local/lib/android/sdk/cmdline-tools/7.0/bin/sdkmanager --install "ndk;23.1.7779620"
+      - name: install gomobile
+        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20240404231514-09dbf07665ed
+      - name: gomobile init
+        run: gomobile init
+      - name: build android netbird lib
+        run: PATH=$PATH:$(go env GOPATH) gomobile bind -o $GITHUB_WORKSPACE/netbird.aar -javapkg=io.netbird.gomobile -ldflags="-X golang.zx2c4.com/wireguard/ipc.socketDirectory=/data/data/io.netbird.client/cache/wireguard -X github.com/netbirdio/netbird/version.version=buildtest"  $GITHUB_WORKSPACE/client/android
+        env:
+          CGO_ENABLED: 0
+          ANDROID_NDK_HOME: /usr/local/lib/android/sdk/ndk/23.1.7779620
+  ios_build:
+    runs-on: macos-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.21.x"
+      - name: install gomobile
+        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20240404231514-09dbf07665ed
+      - name: gomobile init
+        run: gomobile init
+      - name: build iOS netbird lib
+        run: PATH=$PATH:$(go env GOPATH) gomobile bind -target=ios -bundleid=io.netbird.framework -ldflags="-X github.com/netbirdio/netbird/version.version=buildtest" -o ./NetBirdSDK.xcframework ./client/ios/NetBirdSDK
+        env:
+          CGO_ENABLED: 0
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,239 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+    branches:
+      - main
+  pull_request:
+    paths:
+      - 'go.mod'
+      - 'go.sum'
+      - '.goreleaser.yml'
+      - '.goreleaser_ui.yaml'
+      - '.goreleaser_ui_darwin.yaml'
+      - '.github/workflows/release.yml'
+      - 'release_files/**'
+      - '**/Dockerfile'
+      - '**/Dockerfile.*'
+      - 'client/ui/**'
+
+env:
+  SIGN_PIPE_VER: "v0.0.11"
+  GORELEASER_VER: "v1.14.1"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    env:
+      flags: ""
+    steps:
+      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: echo "flags=--snapshot" >> $GITHUB_ENV
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
+      -
+        name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.21"
+          cache: false
+      -
+        name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-go-releaser-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-releaser-
+      -
+        name: Install modules
+        run: go mod tidy
+      -
+        name: check git status
+        run: git --no-pager diff --exit-code
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Login to Docker hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          username: netbirdio
+          password: ${{ secrets.DOCKER_TOKEN }}
+      - name: Install OS build dependencies
+        run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
+
+      - name: Install rsrc
+        run: go install github.com/akavel/rsrc@v0.10.2
+      - name: Generate windows rsrc amd64
+        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_amd64.syso
+      - name: Generate windows rsrc arm64
+        run: rsrc -arch arm64 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_arm64.syso
+      - name: Generate windows rsrc arm
+        run: rsrc -arch arm -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_arm.syso
+      - name: Generate windows rsrc 386
+        run: rsrc -arch 386 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_386.syso
+      -
+        name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          version: ${{ env.GORELEASER_VER }}
+          args: release --rm-dist ${{ env.flags }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+      -
+        name: upload non tags for debug purposes
+        uses: actions/upload-artifact@v3
+        with:
+          name: release
+          path: dist/
+          retention-days: 3
+
+  release_ui:
+    runs-on: ubuntu-latest
+    steps:
+      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: echo "flags=--snapshot" >> $GITHUB_ENV
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.21"
+          cache: false
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: | 
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-ui-go-releaser-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-ui-go-releaser-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64
+      - name: Install rsrc
+        run: go install github.com/akavel/rsrc@v0.10.2
+      - name: Generate windows rsrc
+        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/ui/manifest.xml -o client/ui/resources_windows_amd64.syso
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          version: ${{ env.GORELEASER_VER }}
+          args: release --config .goreleaser_ui.yaml --rm-dist ${{ env.flags }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+      - name: upload non tags for debug purposes
+        uses: actions/upload-artifact@v3
+        with:
+          name: release-ui
+          path: dist/
+          retention-days: 3
+
+  release_ui_darwin:
+    runs-on: macos-11
+    steps:
+      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: echo "flags=--snapshot" >> $GITHUB_ENV
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
+      -
+        name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.21"
+          cache: false
+      -
+        name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-ui-go-releaser-darwin-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-ui-go-releaser-darwin-
+      -
+        name: Install modules
+        run: go mod tidy
+      - 
+        name: check git status
+        run: git --no-pager diff --exit-code
+      -
+        name: Run GoReleaser
+        id: goreleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          version: ${{ env.GORELEASER_VER }}
+          args: release --config .goreleaser_ui_darwin.yaml --rm-dist ${{ env.flags }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: upload non tags for debug purposes
+        uses: actions/upload-artifact@v3
+        with:
+          name: release-ui-darwin
+          path: dist/
+          retention-days: 3
+
+  trigger_windows_signer:
+    runs-on: ubuntu-latest
+    needs: [release,release_ui]
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Trigger Windows binaries sign pipeline
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: Sign windows bin and installer
+          repo: netbirdio/sign-pipelines
+          ref: ${{ env.SIGN_PIPE_VER }}
+          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref }}" }'
+
+  trigger_darwin_signer:
+    runs-on: ubuntu-latest
+    needs: [release,release_ui_darwin]
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Trigger Darwin App binaries sign pipeline
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: Sign darwin ui app with dispatch
+          repo: netbirdio/sign-pipelines
+          ref: ${{ env.SIGN_PIPE_VER }}
+          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.github/workflows/sync-main.yml
+++ b/.github/workflows/sync-main.yml
@@ -0,0 +1,22 @@
+name: sync main
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  trigger_sync_main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger main branch sync
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: sync-main.yml
+          repo: ${{ secrets.UPSTREAM_REPO }}
+          token: ${{ secrets.NC_GITHUB_TOKEN }}
+          inputs: '{ "sha": "${{ github.sha }}" }'
--- a/.github/workflows/sync-tag.yml
+++ b/.github/workflows/sync-tag.yml
@@ -0,0 +1,23 @@
+name: sync tag
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  trigger_sync_tag:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger release tag sync
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: sync-tag.yml
+          ref: main
+          repo: ${{ secrets.UPSTREAM_REPO }}
+          token: ${{ secrets.NC_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref_name }}" }'
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -0,0 +1,211 @@
+name: Test Infrastructure files
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - 'infrastructure_files/**'
+      - '.github/workflows/test-infrastructure-files.yml'
+      - 'management/cmd/**'
+      - 'signal/cmd/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  test-docker-compose:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install jq
+        run: sudo apt-get install -y jq
+
+      - name: Install curl
+        run: sudo apt-get install -y curl
+
+      - name: Install Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.21.x"
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: cp setup.env
+        run: cp infrastructure_files/tests/setup.env infrastructure_files/
+
+      - name: run configure
+        working-directory: infrastructure_files
+        run: bash -x configure.sh
+        env:
+          CI_NETBIRD_DOMAIN: localhost
+          CI_NETBIRD_AUTH_CLIENT_ID: testing.client.id
+          CI_NETBIRD_AUTH_CLIENT_SECRET: testing.client.secret
+          CI_NETBIRD_AUTH_AUDIENCE: testing.ci
+          CI_NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT: https://example.eu.auth0.com/.well-known/openid-configuration
+          CI_NETBIRD_USE_AUTH0: true
+          CI_NETBIRD_MGMT_IDP: "none"
+          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
+          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
+          CI_NETBIRD_AUTH_SUPPORTED_SCOPES: "openid profile email offline_access api email_verified"
+          CI_NETBIRD_STORE_CONFIG_ENGINE: "sqlite"
+          CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
+
+      - name: check values
+        working-directory: infrastructure_files/artifacts
+        env:
+          CI_NETBIRD_DOMAIN: localhost
+          CI_NETBIRD_AUTH_CLIENT_ID: testing.client.id
+          CI_NETBIRD_AUTH_CLIENT_SECRET: testing.client.secret
+          CI_NETBIRD_AUTH_AUDIENCE: testing.ci
+          CI_NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT: https://example.eu.auth0.com/.well-known/openid-configuration
+          CI_NETBIRD_USE_AUTH0: true
+          CI_NETBIRD_AUTH_SUPPORTED_SCOPES: "openid profile email offline_access api email_verified"
+          CI_NETBIRD_AUTH_AUTHORITY: https://example.eu.auth0.com/
+          CI_NETBIRD_AUTH_JWT_CERTS: https://example.eu.auth0.com/.well-known/jwks.json
+          CI_NETBIRD_AUTH_TOKEN_ENDPOINT: https://example.eu.auth0.com/oauth/token
+          CI_NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT: https://example.eu.auth0.com/oauth/device/code
+          CI_NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT: https://example.eu.auth0.com/authorize
+          CI_NETBIRD_AUTH_REDIRECT_URI: "/peers"
+          CI_NETBIRD_TOKEN_SOURCE: "idToken"
+          CI_NETBIRD_AUTH_USER_ID_CLAIM: "email"
+          CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE: "super"
+          CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE: "openid email"
+          CI_NETBIRD_MGMT_IDP: "none"
+          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
+          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
+          CI_NETBIRD_SIGNAL_PORT: 12345
+          CI_NETBIRD_STORE_CONFIG_ENGINE: "sqlite"
+          CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
+          CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
+
+        run: |
+          set -x
+          grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
+          grep AUTH_CLIENT_SECRET docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_SECRET
+          grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
+          grep AUTH_AUDIENCE docker-compose.yml | grep $CI_NETBIRD_AUTH_AUDIENCE
+          grep AUTH_SUPPORTED_SCOPES docker-compose.yml | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
+          grep USE_AUTH0 docker-compose.yml | grep $CI_NETBIRD_USE_AUTH0
+          grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "$CI_NETBIRD_DOMAIN:33073"
+          grep AUTH_REDIRECT_URI docker-compose.yml | grep $CI_NETBIRD_AUTH_REDIRECT_URI
+          grep AUTH_SILENT_REDIRECT_URI docker-compose.yml | egrep 'AUTH_SILENT_REDIRECT_URI=$'
+          grep $CI_NETBIRD_SIGNAL_PORT docker-compose.yml | grep ':80'
+          grep LETSENCRYPT_DOMAIN docker-compose.yml | egrep 'LETSENCRYPT_DOMAIN=$'
+          grep NETBIRD_TOKEN_SOURCE docker-compose.yml | grep $CI_NETBIRD_TOKEN_SOURCE
+          grep AuthUserIDClaim management.json | grep $CI_NETBIRD_AUTH_USER_ID_CLAIM
+          grep -A 3 DeviceAuthorizationFlow management.json | grep -A 1 ProviderConfig | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
+          grep -A 3 DeviceAuthorizationFlow management.json | grep -A 1 ProviderConfig | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
+          grep Engine management.json  | grep "$CI_NETBIRD_STORE_CONFIG_ENGINE"
+          grep IdpSignKeyRefreshEnabled management.json | grep "$CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH"
+          grep UseIDToken management.json | grep false
+          grep -A 1 IdpManagerConfig management.json | grep ManagerType | grep $CI_NETBIRD_MGMT_IDP
+          grep -A 3 IdpManagerConfig management.json | grep -A 1 ClientConfig | grep Issuer | grep $CI_NETBIRD_AUTH_AUTHORITY
+          grep -A 4 IdpManagerConfig management.json | grep -A 2 ClientConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT
+          grep -A 5 IdpManagerConfig management.json | grep -A 3 ClientConfig | grep ClientID | grep $CI_NETBIRD_IDP_MGMT_CLIENT_ID
+          grep -A 6 IdpManagerConfig management.json | grep -A 4 ClientConfig | grep ClientSecret | grep $CI_NETBIRD_IDP_MGMT_CLIENT_SECRET
+          grep -A 7 IdpManagerConfig management.json | grep -A 5 ClientConfig | grep GrantType | grep client_credentials
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep Audience | grep $CI_NETBIRD_AUTH_AUDIENCE
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep ClientID | grep $CI_NETBIRD_AUTH_CLIENT_ID
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep ClientSecret | grep $CI_NETBIRD_AUTH_CLIENT_SECRET
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep AuthorizationEndpoint | grep $CI_NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep Scope | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep -A 3 RedirectURLs | grep "http://localhost:53000"
+          grep "external-ip" turnserver.conf | grep $CI_NETBIRD_TURN_EXTERNAL_IP
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Build management binary
+        working-directory: management
+        run: CGO_ENABLED=1 go build -o netbird-mgmt main.go
+
+      - name: Build management docker image
+        working-directory: management
+        run: |
+          docker build -t netbirdio/management:latest .
+
+      - name: Build signal binary
+        working-directory: signal
+        run: CGO_ENABLED=0 go build -o netbird-signal main.go
+
+      - name: Build signal docker image
+        working-directory: signal
+        run: |
+          docker build -t netbirdio/signal:latest .
+
+      - name: run docker compose up
+        working-directory: infrastructure_files/artifacts
+        run: |
+          docker-compose up -d
+          sleep 5
+          docker-compose ps
+          docker-compose logs --tail=20
+
+      - name: test running containers
+        run: |
+          count=$(docker compose ps --format json | jq '. | select(.Name | contains("artifacts")) | .State' | grep -c running)
+          test $count -eq 4
+        working-directory: infrastructure_files/artifacts
+
+      - name: test geolocation databases
+        working-directory: infrastructure_files/artifacts
+        run: |
+          sleep 30
+          docker compose exec management ls -l /var/lib/netbird/ | grep -i GeoLite2-City.mmdb
+          docker compose exec management ls -l /var/lib/netbird/ | grep -i geonames.db
+
+  test-getting-started-script:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install jq
+        run: sudo apt-get install -y jq
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: run script
+        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
+
+      - name: test Caddy file gen
+        run: test -f Caddyfile
+      - name: test docker-compose file gen
+        run: test -f docker-compose.yml
+      - name: test management.json file gen
+        run: test -f management.json
+      - name: test turnserver.conf file gen
+        run: | 
+          set -x
+          test -f turnserver.conf
+          grep external-ip turnserver.conf
+      - name: test zitadel.env file gen
+        run: test -f zitadel.env
+      - name: test dashboard.env file gen
+        run: test -f dashboard.env
+  test-download-geolite2-script:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y unzip sqlite3
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: test script
+        run: bash -x infrastructure_files/download-geolite2.sh
+      - name: test mmdb file exists
+        run: test -f GeoLite2-City.mmdb
+      - name: test geonames file exists
+        run: test -f geonames.db
--- a/.github/workflows/update-docs.yml
+++ b/.github/workflows/update-docs.yml
@@ -0,0 +1,22 @@
+name: update docs
+
+on:
+  push:
+    tags:
+      - 'v*'
+    paths:
+      - 'management/server/http/api/openapi.yml'
+
+jobs:
+  trigger_docs_api_update:
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Trigger API pages generation
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: generate api pages
+          repo: netbirdio/docs
+          ref: "refs/heads/main"
+          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -130,10 +130,3 @@ issues:
    - path: mock\.go
      linters:
      - nilnil
-    # Exclude specific deprecation warnings for grpc methods
-    - linters:
-       - staticcheck
-      text: "grpc.DialContext is deprecated"
-    - linters:
-        - staticcheck
-      text: "grpc.WithBlock is deprecated"
--- a/.goreleaser_ui_darwin.yaml
+++ b/.goreleaser_ui_darwin.yaml
@@ -3,10 +3,8 @@ builds:
  - id: netbird-ui-darwin
    dir: client/ui
    binary: netbird-ui
-    env:
-      - CGO_ENABLED=1
-      - MACOSX_DEPLOYMENT_TARGET=11.0
-      - MACOS_DEPLOYMENT_TARGET=11.0
+    env: [CGO_ENABLED=1]
+
    goos:
      - darwin
    goarch:
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socioeconomic status,
+identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, caste, color, religion, or sexual
 identity and orientation.

--- a/README.md
+++ b/README.md
@@ -10,12 +10,10 @@
  <img width="234" src="docs/media/logo-full.png"/>
 </p>
  <p>
-   <a href="https://img.shields.io/badge/license-BSD--3-blue)">
-       <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" />
-     </a> 
     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
     </a> 
+   <a href="https://www.codacy.com/gh/netbirdio/netbird/dashboard?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=netbirdio/netbird&amp;utm_campaign=Badge_Grade"><img src="https://app.codacy.com/project/badge/Grade/e3013d046aec44cdb7462c8673b00976"/></a>
    <br>
    <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">
        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.18.5
 RUN apk add --no-cache ca-certificates iptables ip6tables
 ENV NB_FOREGROUND_MODE=true
 ENTRYPOINT [ "/usr/local/bin/netbird","up"]
--- a/client/android/client.go
+++ b/client/android/client.go
@@ -1,5 +1,3 @@
-//go:build android
-
 package android

 import (
@@ -16,7 +14,6 @@ import (
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
 	"github.com/netbirdio/netbird/iface"
-	"github.com/netbirdio/netbird/util/net"
 )

 // ConnectionListener export internal Listener for mobile
@@ -57,17 +54,14 @@ type Client struct {
 	ctxCancel             context.CancelFunc
 	ctxCancelLock         *sync.Mutex
 	deviceName            string
-	uiVersion             string
 	networkChangeListener listener.NetworkChangeListener
 }

 // NewClient instantiate a new Client
-func NewClient(cfgFile, deviceName string, uiVersion string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, networkChangeListener NetworkChangeListener) *Client {
-	net.SetAndroidProtectSocketFn(tunAdapter.ProtectSocket)
+func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, networkChangeListener NetworkChangeListener) *Client {
 	return &Client{
 		cfgFile:               cfgFile,
 		deviceName:            deviceName,
-		uiVersion:             uiVersion,
 		tunAdapter:            tunAdapter,
 		iFaceDiscover:         iFaceDiscover,
 		recorder:              peer.NewRecorder(""),
@@ -90,9 +84,6 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 	var ctx context.Context
 	//nolint
 	ctxWithValues := context.WithValue(context.Background(), system.DeviceNameCtxKey, c.deviceName)
-	//nolint
-	ctxWithValues = context.WithValue(ctxWithValues, system.UiVersionCtxKey, c.uiVersion)
-
 	c.ctxCancelLock.Lock()
 	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
 	defer c.ctxCancel()
@@ -106,8 +97,7 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead

 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
-	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	return internal.RunClientMobile(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }

 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
@@ -132,8 +122,7 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener

 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
-	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	return internal.RunClientMobile(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }

 // Stop the internal client and free the resources
--- a/client/anonymize/anonymize.go
+++ b/client/anonymize/anonymize.go
@@ -178,21 +178,6 @@ func (a *Anonymizer) AnonymizeDNSLogLine(logEntry string) string {
 	})
 }

-// AnonymizeRoute anonymizes a route string by replacing IP addresses with anonymized versions and
-// domain names with random strings.
-func (a *Anonymizer) AnonymizeRoute(route string) string {
-	prefix, err := netip.ParsePrefix(route)
-	if err == nil {
-		ip := a.AnonymizeIPString(prefix.Addr().String())
-		return fmt.Sprintf("%s/%d", ip, prefix.Bits())
-	}
-	domains := strings.Split(route, ", ")
-	for i, domain := range domains {
-		domains[i] = a.AnonymizeDomain(domain)
-	}
-	return strings.Join(domains, ", ")
-}
-
 func isWellKnown(addr netip.Addr) bool {
 	wellKnown := []string{
 		"8.8.8.8", "8.8.4.4", // Google DNS IPv4
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -3,19 +3,15 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"

-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"

-	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/client/server"
 )

-const errCloseConnection = "Failed to close connection: %v"
-
 var debugCmd = &cobra.Command{
 	Use:   "debug",
 	Short: "Debugging commands",
@@ -62,21 +58,16 @@ var forCmd = &cobra.Command{
 }

 func debugBundle(cmd *cobra.Command, _ []string) error {
-	conn, err := getClient(cmd)
+	conn, err := getClient(cmd.Context())
 	if err != nil {
 		return err
 	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
+	defer conn.Close()

 	client := proto.NewDaemonServiceClient(conn)
 	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
-		Anonymize:  anonymizeFlag,
-		Status:     getStatusOutput(cmd),
-		SystemInfo: debugSystemInfoFlag,
+		Anonymize: anonymizeFlag,
+		Status:    getStatusOutput(cmd),
 	})
 	if err != nil {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
@@ -88,18 +79,14 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 }

 func setLogLevel(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
+	conn, err := getClient(cmd.Context())
 	if err != nil {
 		return err
 	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
+	defer conn.Close()

 	client := proto.NewDaemonServiceClient(conn)
-	level := server.ParseLogLevel(args[0])
+	level := parseLogLevel(args[0])
 	if level == proto.LogLevel_UNKNOWN {
 		return fmt.Errorf("unknown log level: %s. Available levels are: panic, fatal, error, warn, info, debug, trace\n", args[0])
 	}
@@ -115,60 +102,54 @@ func setLogLevel(cmd *cobra.Command, args []string) error {
 	return nil
 }

+func parseLogLevel(level string) proto.LogLevel {
+	switch strings.ToLower(level) {
+	case "panic":
+		return proto.LogLevel_PANIC
+	case "fatal":
+		return proto.LogLevel_FATAL
+	case "error":
+		return proto.LogLevel_ERROR
+	case "warn":
+		return proto.LogLevel_WARN
+	case "info":
+		return proto.LogLevel_INFO
+	case "debug":
+		return proto.LogLevel_DEBUG
+	case "trace":
+		return proto.LogLevel_TRACE
+	default:
+		return proto.LogLevel_UNKNOWN
+	}
+}
+
 func runForDuration(cmd *cobra.Command, args []string) error {
 	duration, err := time.ParseDuration(args[0])
 	if err != nil {
 		return fmt.Errorf("invalid duration format: %v", err)
 	}

-	conn, err := getClient(cmd)
+	conn, err := getClient(cmd.Context())
 	if err != nil {
 		return err
 	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
+	defer conn.Close()

 	client := proto.NewDaemonServiceClient(conn)

-	stat, err := client.Status(cmd.Context(), &proto.StatusRequest{})
-	if err != nil {
-		return fmt.Errorf("failed to get status: %v", status.Convert(err).Message())
-	}
-
-	stateWasDown := stat.Status != string(internal.StatusConnected) && stat.Status != string(internal.StatusConnecting)
-
-	initialLogLevel, err := client.GetLogLevel(cmd.Context(), &proto.GetLogLevelRequest{})
-	if err != nil {
-		return fmt.Errorf("failed to get log level: %v", status.Convert(err).Message())
-	}
-
-	if stateWasDown {
-		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
-		}
-		cmd.Println("Netbird up")
-		time.Sleep(time.Second * 10)
-	}
-
-	initialLevelTrace := initialLogLevel.GetLevel() >= proto.LogLevel_TRACE
-	if !initialLevelTrace {
-		_, err = client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{
-			Level: proto.LogLevel_TRACE,
-		})
-		if err != nil {
-			return fmt.Errorf("failed to set log level to TRACE: %v", status.Convert(err).Message())
-		}
-		cmd.Println("Log level set to trace.")
-	}
-
 	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
 		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 	}
 	cmd.Println("Netbird down")

+	_, err = client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{
+		Level: proto.LogLevel_TRACE,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to set log level to trace: %v", status.Convert(err).Message())
+	}
+	cmd.Println("Log level set to trace.")
+
 	time.Sleep(1 * time.Second)

 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
@@ -186,34 +167,28 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	}
 	cmd.Println("\nDuration completed")

-	cmd.Println("Creating debug bundle...")
-
 	headerPreDown := fmt.Sprintf("----- Netbird pre-down - Timestamp: %s - Duration: %s", time.Now().Format(time.RFC3339), duration)
 	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd))

+	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
+		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
+	}
+	cmd.Println("Netbird down")
+
+	// TODO reset log level
+
+	time.Sleep(1 * time.Second)
+
+	cmd.Println("Creating debug bundle...")
+
 	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
-		Anonymize:  anonymizeFlag,
-		Status:     statusOutput,
-		SystemInfo: debugSystemInfoFlag,
+		Anonymize: anonymizeFlag,
+		Status:    statusOutput,
 	})
 	if err != nil {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}

-	if stateWasDown {
-		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
-		}
-		cmd.Println("Netbird down")
-	}
-
-	if !initialLevelTrace {
-		if _, err := client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{Level: initialLogLevel.GetLevel()}); err != nil {
-			return fmt.Errorf("failed to restore log level: %v", status.Convert(err).Message())
-		}
-		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
-	}
-
 	cmd.Println(resp.GetPath())

 	return nil
--- a/client/cmd/down.go
+++ b/client/cmd/down.go
@@ -2,9 +2,8 @@ package cmd

 import (
 	"context"
-	"time"
-
 	"github.com/netbirdio/netbird/util"
+	"time"

 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -26,7 +25,7 @@ var downCmd = &cobra.Command{
 			return err
 		}

-		ctx, cancel := context.WithTimeout(context.Background(), time.Second*7)
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*3)
 		defer cancel()

 		conn, err := DialClientGRPCServer(ctx, daemonAddr)
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -32,12 +32,9 @@ const (
 	preSharedKeyFlag        = "preshared-key"
 	interfaceNameFlag       = "interface-name"
 	wireguardPortFlag       = "wireguard-port"
-	networkMonitorFlag      = "network-monitor"
 	disableAutoConnectFlag  = "disable-auto-connect"
 	serverSSHAllowedFlag    = "allow-server-ssh"
 	extraIFaceBlackListFlag = "extra-iface-blacklist"
-	dnsRouteIntervalFlag    = "dns-router-interval"
-	systemInfoFlag          = "system-info"
 )

 var (
@@ -65,15 +62,11 @@ var (
 	serverSSHAllowed        bool
 	interfaceName           string
 	wireguardPort           uint16
-	networkMonitor          bool
 	serviceName             string
 	autoConnectDisabled     bool
 	extraIFaceBlackList     []string
 	anonymizeFlag           bool
-	debugSystemInfoFlag     bool
-	dnsRouteInterval        time.Duration
-
-	rootCmd = &cobra.Command{
+	rootCmd                 = &cobra.Command{
 		Use:          "netbird",
 		Short:        "",
 		Long:         "",
@@ -93,15 +86,12 @@ func init() {
 	oldDefaultConfigPathDir = "/etc/wiretrustee/"
 	oldDefaultLogFileDir = "/var/log/wiretrustee/"

-	switch runtime.GOOS {
-	case "windows":
+	if runtime.GOOS == "windows" {
 		defaultConfigPathDir = os.Getenv("PROGRAMDATA") + "\\Netbird\\"
 		defaultLogFileDir = os.Getenv("PROGRAMDATA") + "\\Netbird\\"

 		oldDefaultConfigPathDir = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\"
 		oldDefaultLogFileDir = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\"
-	case "freebsd":
-		defaultConfigPathDir = "/var/db/netbird/"
 	}

 	defaultConfigPath = defaultConfigPathDir + "config.json"
@@ -126,7 +116,7 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", defaultConfigPath, "Netbird config file location")
 	rootCmd.PersistentFlags().StringVarP(&logLevel, "log-level", "l", "info", "sets Netbird log level")
-	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Netbird log path. If console is specified the log will be output to stdout. If syslog is specified the log will be sent to syslog daemon.")
+	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Netbird log path. If console is specified the log will be output to stdout")
 	rootCmd.PersistentFlags().StringVarP(&setupKey, "setup-key", "k", "", "Setup key obtained from the Management Service Dashboard (used to register peer)")
 	rootCmd.PersistentFlags().StringVar(&preSharedKey, preSharedKeyFlag, "", "Sets Wireguard PreSharedKey property. If set, then only peers that have the same key can communicate.")
 	rootCmd.PersistentFlags().StringVarP(&hostName, "hostname", "n", "", "Sets a custom hostname for the device")
@@ -170,8 +160,6 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
 	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
-
-	debugCmd.PersistentFlags().BoolVarP(&debugSystemInfoFlag, systemInfoFlag, "S", false, "Adds system information to the debug bundle")
 }

 // SetupCloseHandler handles SIGTERM signal and exits with success
@@ -363,11 +351,8 @@ func migrateToNetbird(oldPath, newPath string) bool {
 	return true
 }

-func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
-	SetFlagsFromEnvVars(rootCmd)
-	cmd.SetOut(cmd.OutOrStdout())
-
-	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
+func getClient(ctx context.Context) (*grpc.ClientConn, error) {
+	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
--- a/client/cmd/route.go
+++ b/client/cmd/route.go
@@ -2,7 +2,6 @@ package cmd

 import (
 	"fmt"
-	"strings"

 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -50,7 +49,7 @@ func init() {
 }

 func routesList(cmd *cobra.Command, _ []string) error {
-	conn, err := getClient(cmd)
+	conn, err := getClient(cmd.Context())
 	if err != nil {
 		return err
 	}
@@ -67,62 +66,20 @@ func routesList(cmd *cobra.Command, _ []string) error {
 		return nil
 	}

-	printRoutes(cmd, resp)
+	cmd.Println("Available Routes:")
+	for _, route := range resp.Routes {
+		selectedStatus := "Not Selected"
+		if route.GetSelected() {
+			selectedStatus = "Selected"
+		}
+		cmd.Printf("\n  - ID: %s\n    Network: %s\n    Status: %s\n", route.GetID(), route.GetNetwork(), selectedStatus)
+	}

 	return nil
 }

-func printRoutes(cmd *cobra.Command, resp *proto.ListRoutesResponse) {
-	cmd.Println("Available Routes:")
-	for _, route := range resp.Routes {
-		printRoute(cmd, route)
-	}
-}
-
-func printRoute(cmd *cobra.Command, route *proto.Route) {
-	selectedStatus := getSelectedStatus(route)
-	domains := route.GetDomains()
-
-	if len(domains) > 0 {
-		printDomainRoute(cmd, route, domains, selectedStatus)
-	} else {
-		printNetworkRoute(cmd, route, selectedStatus)
-	}
-}
-
-func getSelectedStatus(route *proto.Route) string {
-	if route.GetSelected() {
-		return "Selected"
-	}
-	return "Not Selected"
-}
-
-func printDomainRoute(cmd *cobra.Command, route *proto.Route, domains []string, selectedStatus string) {
-	cmd.Printf("\n  - ID: %s\n    Domains: %s\n    Status: %s\n", route.GetID(), strings.Join(domains, ", "), selectedStatus)
-	resolvedIPs := route.GetResolvedIPs()
-
-	if len(resolvedIPs) > 0 {
-		printResolvedIPs(cmd, domains, resolvedIPs)
-	} else {
-		cmd.Printf("    Resolved IPs: -\n")
-	}
-}
-
-func printNetworkRoute(cmd *cobra.Command, route *proto.Route, selectedStatus string) {
-	cmd.Printf("\n  - ID: %s\n    Network: %s\n    Status: %s\n", route.GetID(), route.GetNetwork(), selectedStatus)
-}
-
-func printResolvedIPs(cmd *cobra.Command, domains []string, resolvedIPs map[string]*proto.IPList) {
-	cmd.Printf("    Resolved IPs:\n")
-	for _, domain := range domains {
-		if ipList, exists := resolvedIPs[domain]; exists {
-			cmd.Printf("      [%s]: %s\n", domain, strings.Join(ipList.GetIps(), ", "))
-		}
-	}
-}
-
 func routesSelect(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
+	conn, err := getClient(cmd.Context())
 	if err != nil {
 		return err
 	}
@@ -149,7 +106,7 @@ func routesSelect(cmd *cobra.Command, args []string) error {
 }

 func routesDeselect(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
+	conn, err := getClient(cmd.Context())
 	if err != nil {
 		return err
 	}
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -31,8 +31,6 @@ var installCmd = &cobra.Command{
 			configPath,
 			"--log-level",
 			logLevel,
-			"--daemon-addr",
-			daemonAddr,
 		}

 		if managementURL != "" {
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -31,9 +31,9 @@ type peerStateDetailOutput struct {
 	Status                 string           `json:"status" yaml:"status"`
 	LastStatusUpdate       time.Time        `json:"lastStatusUpdate" yaml:"lastStatusUpdate"`
 	ConnType               string           `json:"connectionType" yaml:"connectionType"`
+	Direct                 bool             `json:"direct" yaml:"direct"`
 	IceCandidateType       iceCandidateType `json:"iceCandidateType" yaml:"iceCandidateType"`
 	IceCandidateEndpoint   iceCandidateType `json:"iceCandidateEndpoint" yaml:"iceCandidateEndpoint"`
-	RelayAddress           string           `json:"relayAddress" yaml:"relayAddress"`
 	LastWireguardHandshake time.Time        `json:"lastWireguardHandshake" yaml:"lastWireguardHandshake"`
 	TransferReceived       int64            `json:"transferReceived" yaml:"transferReceived"`
 	TransferSent           int64            `json:"transferSent" yaml:"transferSent"`
@@ -335,18 +335,16 @@ func mapNSGroups(servers []*proto.NSGroupState) []nsServerGroupStateOutput {

 func mapPeers(peers []*proto.PeerState) peersStateOutput {
 	var peersStateDetail []peerStateDetailOutput
+	localICE := ""
+	remoteICE := ""
+	localICEEndpoint := ""
+	remoteICEEndpoint := ""
+	connType := ""
 	peersConnected := 0
+	lastHandshake := time.Time{}
+	transferReceived := int64(0)
+	transferSent := int64(0)
 	for _, pbPeerState := range peers {
-		localICE := ""
-		remoteICE := ""
-		localICEEndpoint := ""
-		remoteICEEndpoint := ""
-		relayServerAddress := ""
-		connType := ""
-		lastHandshake := time.Time{}
-		transferReceived := int64(0)
-		transferSent := int64(0)
-
 		isPeerConnected := pbPeerState.ConnStatus == peer.StatusConnected.String()
 		if skipDetailByFilters(pbPeerState, isPeerConnected) {
 			continue
@@ -362,7 +360,6 @@ func mapPeers(peers []*proto.PeerState) peersStateOutput {
 			if pbPeerState.Relayed {
 				connType = "Relayed"
 			}
-			relayServerAddress = pbPeerState.GetRelayAddress()
 			lastHandshake = pbPeerState.GetLastWireguardHandshake().AsTime().Local()
 			transferReceived = pbPeerState.GetBytesRx()
 			transferSent = pbPeerState.GetBytesTx()
@@ -375,6 +372,7 @@ func mapPeers(peers []*proto.PeerState) peersStateOutput {
 			Status:           pbPeerState.GetConnStatus(),
 			LastStatusUpdate: timeLocal,
 			ConnType:         connType,
+			Direct:           pbPeerState.GetDirect(),
 			IceCandidateType: iceCandidateType{
 				Local:  localICE,
 				Remote: remoteICE,
@@ -383,7 +381,6 @@ func mapPeers(peers []*proto.PeerState) peersStateOutput {
 				Local:  localICEEndpoint,
 				Remote: remoteICEEndpoint,
 			},
-			RelayAddress:           relayServerAddress,
 			FQDN:                   pbPeerState.GetFqdn(),
 			LastWireguardHandshake: lastHandshake,
 			TransferReceived:       transferReceived,
@@ -644,9 +641,9 @@ func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bo
 				"  Status: %s\n"+
 				"  -- detail --\n"+
 				"  Connection type: %s\n"+
+				"  Direct: %t\n"+
 				"  ICE candidate (Local/Remote): %s/%s\n"+
 				"  ICE candidate endpoints (Local/Remote): %s/%s\n"+
-				"  Relay server address: %s\n"+
 				"  Last connection update: %s\n"+
 				"  Last WireGuard handshake: %s\n"+
 				"  Transfer status (received/sent) %s/%s\n"+
@@ -658,11 +655,11 @@ func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bo
 			peerState.PubKey,
 			peerState.Status,
 			peerState.ConnType,
+			peerState.Direct,
 			localICE,
 			remoteICE,
 			localICEEndpoint,
 			remoteICEEndpoint,
-			peerState.RelayAddress,
 			timeAgo(peerState.LastStatusUpdate),
 			timeAgo(peerState.LastWireguardHandshake),
 			toIEC(peerState.TransferReceived),
@@ -810,7 +807,11 @@ func anonymizePeerDetail(a *anonymize.Anonymizer, peer *peerStateDetailOutput) {
 	}

 	for i, route := range peer.Routes {
-		peer.Routes[i] = a.AnonymizeRoute(route)
+		prefix, err := netip.ParsePrefix(route)
+		if err == nil {
+			ip := a.AnonymizeIPString(prefix.Addr().String())
+			peer.Routes[i] = fmt.Sprintf("%s/%d", ip, prefix.Bits())
+		}
 	}
 }

@@ -846,7 +847,11 @@ func anonymizeOverview(a *anonymize.Anonymizer, overview *statusOutputOverview)
 	}

 	for i, route := range overview.Routes {
-		overview.Routes[i] = a.AnonymizeRoute(route)
+		prefix, err := netip.ParsePrefix(route)
+		if err == nil {
+			ip := a.AnonymizeIPString(prefix.Addr().String())
+			overview.Routes[i] = fmt.Sprintf("%s/%d", ip, prefix.Bits())
+		}
 	}

 	overview.FQDN = a.AnonymizeDomain(overview.FQDN)
--- a/client/cmd/status_test.go
+++ b/client/cmd/status_test.go
@@ -37,6 +37,7 @@ var resp = &proto.StatusResponse{
 				ConnStatus:                 "Connected",
 				ConnStatusUpdate:           timestamppb.New(time.Date(2001, time.Month(1), 1, 1, 1, 1, 0, time.UTC)),
 				Relayed:                    false,
+				Direct:                     true,
 				LocalIceCandidateType:      "",
 				RemoteIceCandidateType:     "",
 				LocalIceCandidateEndpoint:  "",
@@ -56,6 +57,7 @@ var resp = &proto.StatusResponse{
 				ConnStatus:                 "Connected",
 				ConnStatusUpdate:           timestamppb.New(time.Date(2002, time.Month(2), 2, 2, 2, 2, 0, time.UTC)),
 				Relayed:                    true,
+				Direct:                     false,
 				LocalIceCandidateType:      "relay",
 				RemoteIceCandidateType:     "prflx",
 				LocalIceCandidateEndpoint:  "10.0.0.1:10001",
@@ -135,6 +137,7 @@ var overview = statusOutputOverview{
 				Status:           "Connected",
 				LastStatusUpdate: time.Date(2001, 1, 1, 1, 1, 1, 0, time.UTC),
 				ConnType:         "P2P",
+				Direct:           true,
 				IceCandidateType: iceCandidateType{
 					Local:  "",
 					Remote: "",
@@ -158,6 +161,7 @@ var overview = statusOutputOverview{
 				Status:           "Connected",
 				LastStatusUpdate: time.Date(2002, 2, 2, 2, 2, 2, 0, time.UTC),
 				ConnType:         "Relayed",
+				Direct:           false,
 				IceCandidateType: iceCandidateType{
 					Local:  "relay",
 					Remote: "prflx",
@@ -279,6 +283,7 @@ func TestParsingToJSON(t *testing.T) {
                "status": "Connected",
                "lastStatusUpdate": "2001-01-01T01:01:01Z",
                "connectionType": "P2P",
+                "direct": true,
                "iceCandidateType": {
                  "local": "",
                  "remote": ""
@@ -287,7 +292,6 @@ func TestParsingToJSON(t *testing.T) {
                  "local": "",
                  "remote": ""
                },
-				"relayAddress": "",
                "lastWireguardHandshake": "2001-01-01T01:01:02Z",
                "transferReceived": 200,
                "transferSent": 100,
@@ -304,6 +308,7 @@ func TestParsingToJSON(t *testing.T) {
                "status": "Connected",
                "lastStatusUpdate": "2002-02-02T02:02:02Z",
                "connectionType": "Relayed",
+                "direct": false,
                "iceCandidateType": {
                  "local": "relay",
                  "remote": "prflx"
@@ -312,7 +317,6 @@ func TestParsingToJSON(t *testing.T) {
                  "local": "10.0.0.1:10001",
                  "remote": "10.0.10.1:10002"
                },
-				"relayAddress": "",
                "lastWireguardHandshake": "2002-02-02T02:02:03Z",
                "transferReceived": 2000,
                "transferSent": 1000,
@@ -404,13 +408,13 @@ func TestParsingToYAML(t *testing.T) {
          status: Connected
          lastStatusUpdate: 2001-01-01T01:01:01Z
          connectionType: P2P
+          direct: true
          iceCandidateType:
            local: ""
            remote: ""
          iceCandidateEndpoint:
            local: ""
            remote: ""
-          relayAddress: ""
          lastWireguardHandshake: 2001-01-01T01:01:02Z
          transferReceived: 200
          transferSent: 100
@@ -424,13 +428,13 @@ func TestParsingToYAML(t *testing.T) {
          status: Connected
          lastStatusUpdate: 2002-02-02T02:02:02Z
          connectionType: Relayed
+          direct: false
          iceCandidateType:
            local: relay
            remote: prflx
          iceCandidateEndpoint:
            local: 10.0.0.1:10001
            remote: 10.0.10.1:10002
-          relayAddress: ""
          lastWireguardHandshake: 2002-02-02T02:02:03Z
          transferReceived: 2000
          transferSent: 1000
@@ -501,9 +505,9 @@ func TestParsingToDetail(t *testing.T) {
  Status: Connected
  -- detail --
  Connection type: P2P
+  Direct: true
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
-  Relay server address: 
  Last connection update: %s
  Last WireGuard handshake: %s
  Transfer status (received/sent) 200 B/100 B
@@ -517,9 +521,9 @@ func TestParsingToDetail(t *testing.T) {
  Status: Connected
  -- detail --
  Connection type: Relayed
+  Direct: false
  ICE candidate (Local/Remote): relay/prflx
  ICE candidate endpoints (Local/Remote): 10.0.0.1:10001/10.0.10.1:10002
-  Relay server address: 
  Last connection update: %s
  Last WireGuard handshake: %s
  Transfer status (received/sent) 2.0 KiB/1000 B
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -7,9 +7,6 @@ import (
 	"testing"
 	"time"

-	"github.com/stretchr/testify/require"
-	"go.opentelemetry.io/otel"
-
 	"github.com/netbirdio/netbird/management/server/activity"

 	"github.com/netbirdio/netbird/util"
@@ -17,7 +14,6 @@ import (
 	"google.golang.org/grpc"

 	"github.com/netbirdio/management-integrations/integrations"
-
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
@@ -56,10 +52,7 @@ func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	srv, err := sig.NewServer(otel.Meter(""))
-	require.NoError(t, err)
-
-	sigProto.RegisterSignalExchangeServer(s, srv)
+	sigProto.RegisterSignalExchangeServer(s, sig.NewServer())
 	go func() {
 		if err := s.Serve(lis); err != nil {
 			panic(err)
@@ -76,28 +69,23 @@ func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Liste
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	store, cleanUp, err := mgmt.NewTestStoreFromJson(context.Background(), config.Datadir)
+	store, err := mgmt.NewStoreFromJson(config.Datadir, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
-	t.Cleanup(cleanUp)

 	peersUpdateManager := mgmt.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, nil
 	}
-	iv, _ := integrations.NewIntegratedValidator(context.Background(), eventStore)
-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv)
+	iv, _ := integrations.NewIntegratedValidator(eventStore)
+	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv)
 	if err != nil {
 		t.Fatal(err)
 	}
-
-	rc := &mgmt.RelayConfig{
-		Address: "localhost:0",
-	}
-	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, rc)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, peersUpdateManager, turnManager, nil, nil)
+	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
+	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -112,7 +100,7 @@ func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Liste
 }

 func startClientDaemon(
-	t *testing.T, ctx context.Context, _, configPath string,
+	t *testing.T, ctx context.Context, managementURL, configPath string,
 ) (*grpc.Server, net.Listener) {
 	t.Helper()
 	lis, err := net.Listen("tcp", "127.0.0.1:0")
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -7,13 +7,11 @@ import (
 	"net/netip"
 	"runtime"
 	"strings"
-	"time"

 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
-	"google.golang.org/protobuf/types/known/durationpb"

 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -42,12 +40,7 @@ func init() {
 	upCmd.PersistentFlags().BoolVarP(&foregroundMode, "foreground-mode", "F", false, "start service in foreground")
 	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "Wireguard interface name")
 	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "Wireguard interface listening port")
-	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", networkMonitor,
-		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux. `+
-			`E.g. --network-monitor=false to disable or --network-monitor=true to enable.`,
-	)
 	upCmd.PersistentFlags().StringSliceVar(&extraIFaceBlackList, extraIFaceBlackListFlag, nil, "Extra list of default interfaces to ignore for listening")
-	upCmd.PersistentFlags().DurationVar(&dnsRouteInterval, dnsRouteIntervalFlag, time.Minute, "DNS route update interval")
 }

 func upFunc(cmd *cobra.Command, args []string) error {
@@ -123,10 +116,6 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		ic.WireguardPort = &p
 	}

-	if cmd.Flag(networkMonitorFlag).Changed {
-		ic.NetworkMonitor = &networkMonitor
-	}
-
 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
 		ic.PreSharedKey = &preSharedKey
 	}
@@ -143,10 +132,6 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		}
 	}

-	if cmd.Flag(dnsRouteIntervalFlag).Changed {
-		ic.DNSRouteInterval = &dnsRouteInterval
-	}
-
 	config, err := internal.UpdateOrCreateConfig(ic)
 	if err != nil {
 		return fmt.Errorf("get config file: %v", err)
@@ -162,12 +147,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	var cancel context.CancelFunc
 	ctx, cancel = context.WithCancel(ctx)
 	SetupCloseHandler(ctx, cancel)
-
-	r := peer.NewRecorder(config.ManagementURL.String())
-	r.GetFullStatus()
-
-	connectClient := internal.NewConnectClient(ctx, config, r)
-	return connectClient.Run()
+	return internal.RunClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()))
 }

 func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
@@ -246,14 +226,6 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		loginRequest.WireguardPort = &wp
 	}

-	if cmd.Flag(networkMonitorFlag).Changed {
-		loginRequest.NetworkMonitor = &networkMonitor
-	}
-
-	if cmd.Flag(dnsRouteIntervalFlag).Changed {
-		loginRequest.DnsRouteInterval = durationpb.New(dnsRouteInterval)
-	}
-
 	var loginErr error

 	var loginResp *proto.LoginResponse
--- a/client/errors/errors.go
+++ b/client/errors/errors.go
@@ -1,30 +0,0 @@
-package errors
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/go-multierror"
-)
-
-func formatError(es []error) string {
-	if len(es) == 0 {
-		return fmt.Sprintf("0 error occurred:\n\t* %s", es[0])
-	}
-
-	points := make([]string, len(es))
-	for i, err := range es {
-		points[i] = fmt.Sprintf("* %s", err)
-	}
-
-	return fmt.Sprintf(
-		"%d errors occurred:\n\t%s",
-		len(es), strings.Join(points, "\n\t"))
-}
-
-func FormatErrorOrNil(err *multierror.Error) error {
-	if err != nil {
-		err.ErrorFormat = formatError
-	}
-	return err.ErrorOrNil()
-}
--- a/client/firewall/create_linux.go
+++ b/client/firewall/create_linux.go
@@ -42,20 +42,20 @@ func NewFirewall(context context.Context, iface IFaceMapper) (firewall.Manager,

 	switch check() {
 	case IPTABLES:
-		log.Info("creating an iptables firewall manager")
+		log.Debug("creating an iptables firewall manager")
 		fm, errFw = nbiptables.Create(context, iface)
 		if errFw != nil {
 			log.Errorf("failed to create iptables manager: %s", errFw)
 		}
 	case NFTABLES:
-		log.Info("creating an nftables firewall manager")
+		log.Debug("creating an nftables firewall manager")
 		fm, errFw = nbnftables.Create(context, iface)
 		if errFw != nil {
 			log.Errorf("failed to create nftables manager: %s", errFw)
 		}
 	default:
 		errFw = fmt.Errorf("no firewall manager found")
-		log.Info("no firewall manager found, trying to use userspace packet filtering firewall")
+		log.Debug("no firewall manager found, try to use userspace packet filtering firewall")
 	}

 	if iface.IsUserspaceBind() {
@@ -85,58 +85,16 @@ func NewFirewall(context context.Context, iface IFaceMapper) (firewall.Manager,

 // check returns the firewall type based on common lib checks. It returns UNKNOWN if no firewall is found.
 func check() FWType {
-	useIPTABLES := false
-	var iptablesChains []string
-	ip, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	if err == nil && isIptablesClientAvailable(ip) {
-		major, minor, _ := ip.GetIptablesVersion()
-		// use iptables when its version is lower than 1.8.0 which doesn't work well with our nftables manager
-		if major < 1 || (major == 1 && minor < 8) {
-			return IPTABLES
-		}
-
-		useIPTABLES = true
-
-		iptablesChains, err = ip.ListChains("filter")
-		if err != nil {
-			log.Errorf("failed to list iptables chains: %s", err)
-			useIPTABLES = false
-		}
-	}
-
 	nf := nftables.Conn{}
-	if chains, err := nf.ListChains(); err == nil && os.Getenv(SKIP_NFTABLES_ENV) != "true" {
-		if !useIPTABLES {
-			return NFTABLES
-		}
-
-		// search for chains where table is filter
-		// if we find one, we assume that nftables manager can be used with iptables
-		for _, chain := range chains {
-			if chain.Table.Name == "filter" {
-				return NFTABLES
-			}
-		}
-
-		// check tables for the following constraints:
-		// 1. there is no chain in nftables for the filter table and there is at least one chain in iptables, we assume that nftables manager can not be used
-		// 2. there is no tables or more than one table, we assume that nftables manager can be used
-		// 3. there is only one table and its name is filter, we assume that nftables manager can not be used, since there was no chain in it
-		// 4. if we find an error we log and continue with iptables check
-		nbTablesList, err := nf.ListTables()
-		switch {
-		case err == nil && len(iptablesChains) > 0:
-			return IPTABLES
-		case err == nil && len(nbTablesList) != 1:
-			return NFTABLES
-		case err == nil && len(nbTablesList) == 1 && nbTablesList[0].Name == "filter":
-			return IPTABLES
-		case err != nil:
-			log.Errorf("failed to list nftables tables on fw manager discovery: %s", err)
-		}
+	if _, err := nf.ListChains(); err == nil && os.Getenv(SKIP_NFTABLES_ENV) != "true" {
+		return NFTABLES
 	}

-	if useIPTABLES {
+	ip, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	if err != nil {
+		return UNKNOWN
+	}
+	if isIptablesClientAvailable(ip) {
 		return IPTABLES
 	}

--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -74,12 +74,12 @@ func (i *routerManager) InsertRoutingRules(pair firewall.RouterPair) error {
 		return nil
 	}

-	err = i.addNATRule(firewall.NatFormat, tableNat, chainRTNAT, routingFinalNatJump, pair)
+	err = i.insertRoutingRule(firewall.NatFormat, tableNat, chainRTNAT, routingFinalNatJump, pair)
 	if err != nil {
 		return err
 	}

-	err = i.addNATRule(firewall.InNatFormat, tableNat, chainRTNAT, routingFinalNatJump, firewall.GetInPair(pair))
+	err = i.insertRoutingRule(firewall.InNatFormat, tableNat, chainRTNAT, routingFinalNatJump, firewall.GetInPair(pair))
 	if err != nil {
 		return err
 	}
@@ -87,12 +87,12 @@ func (i *routerManager) InsertRoutingRules(pair firewall.RouterPair) error {
 	return nil
 }

-// insertRoutingRule inserts an iptables rule
+// insertRoutingRule inserts an iptable rule
 func (i *routerManager) insertRoutingRule(keyFormat, table, chain, jump string, pair firewall.RouterPair) error {
 	var err error

 	ruleKey := firewall.GenKey(keyFormat, pair.ID)
-	rule := genRuleSpec(jump, pair.Source, pair.Destination)
+	rule := genRuleSpec(jump, ruleKey, pair.Source, pair.Destination)
 	existingRule, found := i.rules[ruleKey]
 	if found {
 		err = i.iptablesClient.DeleteIfExists(table, chain, existingRule...)
@@ -101,7 +101,6 @@ func (i *routerManager) insertRoutingRule(keyFormat, table, chain, jump string,
 		}
 		delete(i.rules, ruleKey)
 	}
-
 	err = i.iptablesClient.Insert(table, chain, 1, rule...)
 	if err != nil {
 		return fmt.Errorf("error while adding new %s rule for %s: %v", getIptablesRuleType(table), pair.Destination, err)
@@ -318,13 +317,6 @@ func (i *routerManager) createChain(table, newChain string) error {
 			return fmt.Errorf("couldn't create chain %s in %s table, error: %v", newChain, table, err)
 		}

-		// Add the loopback return rule to the NAT chain
-		loopbackRule := []string{"-o", "lo", "-j", "RETURN"}
-		err = i.iptablesClient.Insert(table, newChain, 1, loopbackRule...)
-		if err != nil {
-			return fmt.Errorf("failed to add loopback return rule to %s: %v", chainRTNAT, err)
-		}
-
 		err = i.iptablesClient.Append(table, newChain, "-j", "RETURN")
 		if err != nil {
 			return fmt.Errorf("couldn't create chain %s default rule, error: %v", newChain, err)
@@ -334,33 +326,9 @@ func (i *routerManager) createChain(table, newChain string) error {
 	return nil
 }

-// addNATRule appends an iptables rule pair to the nat chain
-func (i *routerManager) addNATRule(keyFormat, table, chain, jump string, pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(keyFormat, pair.ID)
-	rule := genRuleSpec(jump, pair.Source, pair.Destination)
-	existingRule, found := i.rules[ruleKey]
-	if found {
-		err := i.iptablesClient.DeleteIfExists(table, chain, existingRule...)
-		if err != nil {
-			return fmt.Errorf("error while removing existing NAT rule for %s: %v", pair.Destination, err)
-		}
-		delete(i.rules, ruleKey)
-	}
-
-	// inserting after loopback ignore rule
-	err := i.iptablesClient.Insert(table, chain, 2, rule...)
-	if err != nil {
-		return fmt.Errorf("error while appending new NAT rule for %s: %v", pair.Destination, err)
-	}
-
-	i.rules[ruleKey] = rule
-
-	return nil
-}
-
-// genRuleSpec generates rule specification
-func genRuleSpec(jump, source, destination string) []string {
-	return []string{"-s", source, "-d", destination, "-j", jump}
+// genRuleSpec generates rule specification with comment identifier
+func genRuleSpec(jump, id, source, destination string) []string {
+	return []string{"-s", source, "-d", destination, "-j", jump, "-m", "comment", "--comment", id}
 }

 func getIptablesRuleType(table string) string {
--- a/client/firewall/iptables/router_linux_test.go
+++ b/client/firewall/iptables/router_linux_test.go
@@ -51,12 +51,14 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 		Destination: "100.100.100.0/24",
 		Masquerade:  true,
 	}
-	forward4Rule := genRuleSpec(routingFinalForwardJump, pair.Source, pair.Destination)
+	forward4RuleKey := firewall.GenKey(firewall.ForwardingFormat, pair.ID)
+	forward4Rule := genRuleSpec(routingFinalForwardJump, forward4RuleKey, pair.Source, pair.Destination)

 	err = manager.iptablesClient.Insert(tableFilter, chainRTFWD, 1, forward4Rule...)
 	require.NoError(t, err, "inserting rule should not return error")

-	nat4Rule := genRuleSpec(routingFinalNatJump, pair.Source, pair.Destination)
+	nat4RuleKey := firewall.GenKey(firewall.NatFormat, pair.ID)
+	nat4Rule := genRuleSpec(routingFinalNatJump, nat4RuleKey, pair.Source, pair.Destination)

 	err = manager.iptablesClient.Insert(tableNat, chainRTNAT, 1, nat4Rule...)
 	require.NoError(t, err, "inserting rule should not return error")
@@ -90,7 +92,7 @@ func TestIptablesManager_InsertRoutingRules(t *testing.T) {
 			require.NoError(t, err, "forwarding pair should be inserted")

 			forwardRuleKey := firewall.GenKey(firewall.ForwardingFormat, testCase.InputPair.ID)
-			forwardRule := genRuleSpec(routingFinalForwardJump, testCase.InputPair.Source, testCase.InputPair.Destination)
+			forwardRule := genRuleSpec(routingFinalForwardJump, forwardRuleKey, testCase.InputPair.Source, testCase.InputPair.Destination)

 			exists, err := iptablesClient.Exists(tableFilter, chainRTFWD, forwardRule...)
 			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableFilter, chainRTFWD)
@@ -101,7 +103,7 @@ func TestIptablesManager_InsertRoutingRules(t *testing.T) {
 			require.Equal(t, forwardRule[:4], foundRule[:4], "stored forwarding rule should match")

 			inForwardRuleKey := firewall.GenKey(firewall.InForwardingFormat, testCase.InputPair.ID)
-			inForwardRule := genRuleSpec(routingFinalForwardJump, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)
+			inForwardRule := genRuleSpec(routingFinalForwardJump, inForwardRuleKey, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)

 			exists, err = iptablesClient.Exists(tableFilter, chainRTFWD, inForwardRule...)
 			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableFilter, chainRTFWD)
@@ -112,7 +114,7 @@ func TestIptablesManager_InsertRoutingRules(t *testing.T) {
 			require.Equal(t, inForwardRule[:4], foundRule[:4], "stored income forwarding rule should match")

 			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair.ID)
-			natRule := genRuleSpec(routingFinalNatJump, testCase.InputPair.Source, testCase.InputPair.Destination)
+			natRule := genRuleSpec(routingFinalNatJump, natRuleKey, testCase.InputPair.Source, testCase.InputPair.Destination)

 			exists, err = iptablesClient.Exists(tableNat, chainRTNAT, natRule...)
 			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainRTNAT)
@@ -128,7 +130,7 @@ func TestIptablesManager_InsertRoutingRules(t *testing.T) {
 			}

 			inNatRuleKey := firewall.GenKey(firewall.InNatFormat, testCase.InputPair.ID)
-			inNatRule := genRuleSpec(routingFinalNatJump, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)
+			inNatRule := genRuleSpec(routingFinalNatJump, inNatRuleKey, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)

 			exists, err = iptablesClient.Exists(tableNat, chainRTNAT, inNatRule...)
 			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainRTNAT)
@@ -165,25 +167,25 @@ func TestIptablesManager_RemoveRoutingRules(t *testing.T) {
 			require.NoError(t, err, "shouldn't return error")

 			forwardRuleKey := firewall.GenKey(firewall.ForwardingFormat, testCase.InputPair.ID)
-			forwardRule := genRuleSpec(routingFinalForwardJump, testCase.InputPair.Source, testCase.InputPair.Destination)
+			forwardRule := genRuleSpec(routingFinalForwardJump, forwardRuleKey, testCase.InputPair.Source, testCase.InputPair.Destination)

 			err = iptablesClient.Insert(tableFilter, chainRTFWD, 1, forwardRule...)
 			require.NoError(t, err, "inserting rule should not return error")

 			inForwardRuleKey := firewall.GenKey(firewall.InForwardingFormat, testCase.InputPair.ID)
-			inForwardRule := genRuleSpec(routingFinalForwardJump, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)
+			inForwardRule := genRuleSpec(routingFinalForwardJump, inForwardRuleKey, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)

 			err = iptablesClient.Insert(tableFilter, chainRTFWD, 1, inForwardRule...)
 			require.NoError(t, err, "inserting rule should not return error")

 			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair.ID)
-			natRule := genRuleSpec(routingFinalNatJump, testCase.InputPair.Source, testCase.InputPair.Destination)
+			natRule := genRuleSpec(routingFinalNatJump, natRuleKey, testCase.InputPair.Source, testCase.InputPair.Destination)

 			err = iptablesClient.Insert(tableNat, chainRTNAT, 1, natRule...)
 			require.NoError(t, err, "inserting rule should not return error")

 			inNatRuleKey := firewall.GenKey(firewall.InNatFormat, testCase.InputPair.ID)
-			inNatRule := genRuleSpec(routingFinalNatJump, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)
+			inNatRule := genRuleSpec(routingFinalNatJump, inNatRuleKey, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)

 			err = iptablesClient.Insert(tableNat, chainRTNAT, 1, inNatRule...)
 			require.NoError(t, err, "inserting rule should not return error")
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -95,7 +95,7 @@ func (m *Manager) InsertRoutingRules(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddRoutingRules(pair)
+	return m.router.InsertRoutingRules(pair)
 }

 func (m *Manager) RemoveRoutingRules(pair firewall.RouterPair) error {
--- a/client/firewall/nftables/route_linux.go
+++ b/client/firewall/nftables/route_linux.go
@@ -22,8 +22,6 @@ const (

 	userDataAcceptForwardRuleSrc = "frwacceptsrc"
 	userDataAcceptForwardRuleDst = "frwacceptdst"
-
-	loopbackInterface = "lo\x00"
 )

 // some presets for building nftable rules
@@ -128,22 +126,6 @@ func (r *router) createContainers() error {
 		Type:     nftables.ChainTypeNAT,
 	})

-	// Add RETURN rule for loopback interface
-	loRule := &nftables.Rule{
-		Table: r.workTable,
-		Chain: r.chains[chainNameRoutingNat],
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     []byte(loopbackInterface),
-			},
-			&expr.Verdict{Kind: expr.VerdictReturn},
-		},
-	}
-	r.conn.InsertRule(loRule)
-
 	err := r.refreshRulesMap()
 	if err != nil {
 		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
@@ -156,28 +138,28 @@ func (r *router) createContainers() error {
 	return nil
 }

-// AddRoutingRules appends a nftable rule pair to the forwarding chain and if enabled, to the nat chain
-func (r *router) AddRoutingRules(pair manager.RouterPair) error {
+// InsertRoutingRules inserts a nftable rule pair to the forwarding chain and if enabled, to the nat chain
+func (r *router) InsertRoutingRules(pair manager.RouterPair) error {
 	err := r.refreshRulesMap()
 	if err != nil {
 		return err
 	}

-	err = r.addRoutingRule(manager.ForwardingFormat, chainNameRouteingFw, pair, false)
+	err = r.insertRoutingRule(manager.ForwardingFormat, chainNameRouteingFw, pair, false)
 	if err != nil {
 		return err
 	}
-	err = r.addRoutingRule(manager.InForwardingFormat, chainNameRouteingFw, manager.GetInPair(pair), false)
+	err = r.insertRoutingRule(manager.InForwardingFormat, chainNameRouteingFw, manager.GetInPair(pair), false)
 	if err != nil {
 		return err
 	}

 	if pair.Masquerade {
-		err = r.addRoutingRule(manager.NatFormat, chainNameRoutingNat, pair, true)
+		err = r.insertRoutingRule(manager.NatFormat, chainNameRoutingNat, pair, true)
 		if err != nil {
 			return err
 		}
-		err = r.addRoutingRule(manager.InNatFormat, chainNameRoutingNat, manager.GetInPair(pair), true)
+		err = r.insertRoutingRule(manager.InNatFormat, chainNameRoutingNat, manager.GetInPair(pair), true)
 		if err != nil {
 			return err
 		}
@@ -195,8 +177,8 @@ func (r *router) AddRoutingRules(pair manager.RouterPair) error {
 	return nil
 }

-// addRoutingRule inserts a nftable rule to the conn client flush queue
-func (r *router) addRoutingRule(format, chainName string, pair manager.RouterPair, isNat bool) error {
+// insertRoutingRule inserts a nftable rule to the conn client flush queue
+func (r *router) insertRoutingRule(format, chainName string, pair manager.RouterPair, isNat bool) error {
 	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
 	destExp := generateCIDRMatcherExpressions(false, pair.Destination)

@@ -217,7 +199,7 @@ func (r *router) addRoutingRule(format, chainName string, pair manager.RouterPai
 		}
 	}

-	r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
+	r.rules[ruleKey] = r.conn.InsertRule(&nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainName],
 		Exprs:    expression,
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -47,7 +47,7 @@ func TestNftablesManager_InsertRoutingRules(t *testing.T) {

 			require.NoError(t, err, "shouldn't return error")

-			err = manager.AddRoutingRules(testCase.InputPair)
+			err = manager.InsertRoutingRules(testCase.InputPair)
 			defer func() {
 				_ = manager.RemoveRoutingRules(testCase.InputPair)
 			}()
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -64,18 +64,15 @@ func manageFirewallRule(ruleName string, action action, extraArgs ...string) err
 	if action == addRule {
 		args = append(args, extraArgs...)
 	}
-	netshCmd := GetSystem32Command("netsh")
-	cmd := exec.Command(netshCmd, args...)
+
+	cmd := exec.Command("netsh", args...)
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
 	return cmd.Run()
 }

 func isWindowsFirewallReachable() bool {
 	args := []string{"advfirewall", "show", "allprofiles", "state"}
-
-	netshCmd := GetSystem32Command("netsh")
-
-	cmd := exec.Command(netshCmd, args...)
+	cmd := exec.Command("netsh", args...)
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}

 	_, err := cmd.Output()
@@ -90,23 +87,8 @@ func isWindowsFirewallReachable() bool {
 func isFirewallRuleActive(ruleName string) bool {
 	args := []string{"advfirewall", "firewall", "show", "rule", "name=" + ruleName}

-	netshCmd := GetSystem32Command("netsh")
-
-	cmd := exec.Command(netshCmd, args...)
+	cmd := exec.Command("netsh", args...)
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
 	_, err := cmd.Output()
 	return err == nil
 }
-
-// GetSystem32Command checks if a command can be found in the system path and returns it. In case it can't find it
-// in the path it will return the full path of a command assuming C:\windows\system32 as the base path.
-func GetSystem32Command(command string) string {
-	_, err := exec.LookPath(command)
-	if err == nil {
-		return command
-	}
-
-	log.Tracef("Command %s not found in PATH, using C:\\windows\\system32\\%s.exe path", command, command)
-
-	return "C:\\windows\\system32\\" + command + ".exe"
-}
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -337,6 +337,7 @@ func validateRule(ip net.IP, packetData []byte, rules map[string]Rule, d *decode
 			if rule.dPort != 0 && rule.dPort == uint16(d.udp.DstPort) {
 				return rule.drop, true
 			}
+			return rule.drop, true
 		case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
 			return rule.drop, true
 		}
--- a/client/internal/auth/oauth.go
+++ b/client/internal/auth/oauth.go
@@ -69,11 +69,6 @@ func NewOAuthFlow(ctx context.Context, config *internal.Config, isLinuxDesktopCl
 		return authenticateWithDeviceCodeFlow(ctx, config)
 	}

-	// On FreeBSD we currently do not support desktop environments and offer only Device Code Flow (#2384)
-	if runtime.GOOS == "freebsd" {
-		return authenticateWithDeviceCodeFlow(ctx, config)
-	}
-
 	pkceFlow, err := authenticateWithPKCEFlow(ctx, config)
 	if err != nil {
 		// fallback to device code flow
--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -5,17 +5,12 @@ import (
 	"fmt"
 	"net/url"
 	"os"
-	"reflect"
-	"runtime"
-	"strings"
-	"time"

 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"

-	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/iface"
 	mgm "github.com/netbirdio/netbird/management/client"
@@ -53,10 +48,8 @@ type ConfigInput struct {
 	RosenpassPermissive *bool
 	InterfaceName       *string
 	WireguardPort       *int
-	NetworkMonitor      *bool
 	DisableAutoConnect  *bool
 	ExtraIFaceBlackList []string
-	DNSRouteInterval    *time.Duration
 }

 // Config Configuration type
@@ -68,7 +61,6 @@ type Config struct {
 	AdminURL             *url.URL
 	WgIface              string
 	WgPort               int
-	NetworkMonitor       *bool
 	IFaceBlackList       []string
 	DisableIPv6Discovery bool
 	RosenpassEnabled     bool
@@ -99,9 +91,6 @@ type Config struct {
 	// DisableAutoConnect determines whether the client should not start with the service
 	// it's set to false by default due to backwards compatibility
 	DisableAutoConnect bool
-
-	// DNSRouteInterval is the interval in which the DNS routes are updated
-	DNSRouteInterval time.Duration
 }

 // ReadConfig read config file and return with Config. If it is not exists create a new with default values
@@ -111,14 +100,6 @@ func ReadConfig(configPath string) (*Config, error) {
 		if _, err := util.ReadJson(configPath, config); err != nil {
 			return nil, err
 		}
-		// initialize through apply() without changes
-		if changed, err := config.apply(ConfigInput{}); err != nil {
-			return nil, err
-		} else if changed {
-			if err = WriteOutConfig(configPath, config); err != nil {
-				return nil, err
-			}
-		}

 		return config, nil
 	}
@@ -171,15 +152,79 @@ func WriteOutConfig(path string, config *Config) error {

 // createNewConfig creates a new config generating a new Wireguard key and saving to file
 func createNewConfig(input ConfigInput) (*Config, error) {
-	config := &Config{
-		// defaults to false only for new (post 0.26) configurations
-		ServerSSHAllowed: util.False(),
-	}
-
-	if _, err := config.apply(input); err != nil {
+	wgKey := generateKey()
+	pem, err := ssh.GeneratePrivateKey(ssh.ED25519)
+	if err != nil {
 		return nil, err
 	}

+	config := &Config{
+		SSHKey:               string(pem),
+		PrivateKey:           wgKey,
+		IFaceBlackList:       []string{},
+		DisableIPv6Discovery: false,
+		NATExternalIPs:       input.NATExternalIPs,
+		CustomDNSAddress:     string(input.CustomDNSAddress),
+		ServerSSHAllowed:     util.False(),
+		DisableAutoConnect:   false,
+	}
+
+	defaultManagementURL, err := parseURL("Management URL", DefaultManagementURL)
+	if err != nil {
+		return nil, err
+	}
+
+	config.ManagementURL = defaultManagementURL
+	if input.ManagementURL != "" {
+		URL, err := parseURL("Management URL", input.ManagementURL)
+		if err != nil {
+			return nil, err
+		}
+		config.ManagementURL = URL
+	}
+
+	config.WgPort = iface.DefaultWgPort
+	if input.WireguardPort != nil {
+		config.WgPort = *input.WireguardPort
+	}
+
+	config.WgIface = iface.WgInterfaceDefault
+	if input.InterfaceName != nil {
+		config.WgIface = *input.InterfaceName
+	}
+
+	if input.PreSharedKey != nil {
+		config.PreSharedKey = *input.PreSharedKey
+	}
+
+	if input.RosenpassEnabled != nil {
+		config.RosenpassEnabled = *input.RosenpassEnabled
+	}
+
+	if input.RosenpassPermissive != nil {
+		config.RosenpassPermissive = *input.RosenpassPermissive
+	}
+
+	if input.ServerSSHAllowed != nil {
+		config.ServerSSHAllowed = input.ServerSSHAllowed
+	}
+
+	defaultAdminURL, err := parseURL("Admin URL", DefaultAdminURL)
+	if err != nil {
+		return nil, err
+	}
+
+	config.AdminURL = defaultAdminURL
+	if input.AdminURL != "" {
+		newURL, err := parseURL("Admin Panel URL", input.AdminURL)
+		if err != nil {
+			return nil, err
+		}
+		config.AdminURL = newURL
+	}
+
+	// nolint:gocritic
+	config.IFaceBlackList = append(defaultInterfaceBlacklist, input.ExtraIFaceBlackList...)
 	return config, nil
 }

@@ -190,12 +235,104 @@ func update(input ConfigInput) (*Config, error) {
 		return nil, err
 	}

-	updated, err := config.apply(input)
-	if err != nil {
-		return nil, err
+	refresh := false
+
+	if input.ManagementURL != "" && config.ManagementURL.String() != input.ManagementURL {
+		log.Infof("new Management URL provided, updated to %s (old value %s)",
+			input.ManagementURL, config.ManagementURL)
+		newURL, err := parseURL("Management URL", input.ManagementURL)
+		if err != nil {
+			return nil, err
+		}
+		config.ManagementURL = newURL
+		refresh = true
 	}

-	if updated {
+	if input.AdminURL != "" && (config.AdminURL == nil || config.AdminURL.String() != input.AdminURL) {
+		log.Infof("new Admin Panel URL provided, updated to %s (old value %s)",
+			input.AdminURL, config.AdminURL)
+		newURL, err := parseURL("Admin Panel URL", input.AdminURL)
+		if err != nil {
+			return nil, err
+		}
+		config.AdminURL = newURL
+		refresh = true
+	}
+
+	if input.PreSharedKey != nil && config.PreSharedKey != *input.PreSharedKey {
+		log.Infof("new pre-shared key provided, replacing old key")
+		config.PreSharedKey = *input.PreSharedKey
+		refresh = true
+	}
+
+	if config.SSHKey == "" {
+		pem, err := ssh.GeneratePrivateKey(ssh.ED25519)
+		if err != nil {
+			return nil, err
+		}
+		config.SSHKey = string(pem)
+		refresh = true
+	}
+
+	if config.WgPort == 0 {
+		config.WgPort = iface.DefaultWgPort
+		refresh = true
+	}
+
+	if input.WireguardPort != nil {
+		config.WgPort = *input.WireguardPort
+		refresh = true
+	}
+
+	if input.InterfaceName != nil {
+		config.WgIface = *input.InterfaceName
+		refresh = true
+	}
+
+	if input.NATExternalIPs != nil && len(config.NATExternalIPs) != len(input.NATExternalIPs) {
+		config.NATExternalIPs = input.NATExternalIPs
+		refresh = true
+	}
+
+	if input.CustomDNSAddress != nil {
+		config.CustomDNSAddress = string(input.CustomDNSAddress)
+		refresh = true
+	}
+
+	if input.RosenpassEnabled != nil {
+		config.RosenpassEnabled = *input.RosenpassEnabled
+		refresh = true
+	}
+
+	if input.RosenpassPermissive != nil {
+		config.RosenpassPermissive = *input.RosenpassPermissive
+		refresh = true
+	}
+
+	if input.DisableAutoConnect != nil {
+		config.DisableAutoConnect = *input.DisableAutoConnect
+		refresh = true
+	}
+
+	if input.ServerSSHAllowed != nil {
+		config.ServerSSHAllowed = input.ServerSSHAllowed
+		refresh = true
+	}
+
+	if config.ServerSSHAllowed == nil {
+		config.ServerSSHAllowed = util.True()
+		refresh = true
+	}
+
+	if len(input.ExtraIFaceBlackList) > 0 {
+		for _, iFace := range util.SliceDiff(input.ExtraIFaceBlackList, config.IFaceBlackList) {
+			config.IFaceBlackList = append(config.IFaceBlackList, iFace)
+			refresh = true
+		}
+	}
+
+	if refresh {
+		// since we have new management URL, we need to update config file
 		if err := util.WriteJson(input.ConfigPath, config); err != nil {
 			return nil, err
 		}
@@ -204,190 +341,6 @@ func update(input ConfigInput) (*Config, error) {
 	return config, nil
 }

-func (config *Config) apply(input ConfigInput) (updated bool, err error) {
-	if config.ManagementURL == nil {
-		log.Infof("using default Management URL %s", DefaultManagementURL)
-		config.ManagementURL, err = parseURL("Management URL", DefaultManagementURL)
-		if err != nil {
-			return false, err
-		}
-	}
-	if input.ManagementURL != "" && input.ManagementURL != config.ManagementURL.String() {
-		log.Infof("new Management URL provided, updated to %#v (old value %#v)",
-			input.ManagementURL, config.ManagementURL.String())
-		URL, err := parseURL("Management URL", input.ManagementURL)
-		if err != nil {
-			return false, err
-		}
-		config.ManagementURL = URL
-		updated = true
-	} else if config.ManagementURL == nil {
-		log.Infof("using default Management URL %s", DefaultManagementURL)
-		config.ManagementURL, err = parseURL("Management URL", DefaultManagementURL)
-		if err != nil {
-			return false, err
-		}
-	}
-
-	if config.AdminURL == nil {
-		log.Infof("using default Admin URL %s", DefaultManagementURL)
-		config.AdminURL, err = parseURL("Admin URL", DefaultAdminURL)
-		if err != nil {
-			return false, err
-		}
-	}
-	if input.AdminURL != "" && input.AdminURL != config.AdminURL.String() {
-		log.Infof("new Admin Panel URL provided, updated to %#v (old value %#v)",
-			input.AdminURL, config.AdminURL.String())
-		newURL, err := parseURL("Admin Panel URL", input.AdminURL)
-		if err != nil {
-			return updated, err
-		}
-		config.AdminURL = newURL
-		updated = true
-	}
-
-	if config.PrivateKey == "" {
-		log.Infof("generated new Wireguard key")
-		config.PrivateKey = generateKey()
-		updated = true
-	}
-
-	if config.SSHKey == "" {
-		log.Infof("generated new SSH key")
-		pem, err := ssh.GeneratePrivateKey(ssh.ED25519)
-		if err != nil {
-			return false, err
-		}
-		config.SSHKey = string(pem)
-		updated = true
-	}
-
-	if input.WireguardPort != nil && *input.WireguardPort != config.WgPort {
-		log.Infof("updating Wireguard port %d (old value %d)",
-			*input.WireguardPort, config.WgPort)
-		config.WgPort = *input.WireguardPort
-		updated = true
-	} else if config.WgPort == 0 {
-		config.WgPort = iface.DefaultWgPort
-		log.Infof("using default Wireguard port %d", config.WgPort)
-		updated = true
-	}
-
-	if input.InterfaceName != nil && *input.InterfaceName != config.WgIface {
-		log.Infof("updating Wireguard interface %#v (old value %#v)",
-			*input.InterfaceName, config.WgIface)
-		config.WgIface = *input.InterfaceName
-		updated = true
-	} else if config.WgIface == "" {
-		config.WgIface = iface.WgInterfaceDefault
-		log.Infof("using default Wireguard interface %s", config.WgIface)
-		updated = true
-	}
-
-	if input.NATExternalIPs != nil && !reflect.DeepEqual(config.NATExternalIPs, input.NATExternalIPs) {
-		log.Infof("updating NAT External IP [ %s ] (old value: [ %s ])",
-			strings.Join(input.NATExternalIPs, " "),
-			strings.Join(config.NATExternalIPs, " "))
-		config.NATExternalIPs = input.NATExternalIPs
-		updated = true
-	}
-
-	if input.PreSharedKey != nil && *input.PreSharedKey != config.PreSharedKey {
-		log.Infof("new pre-shared key provided, replacing old key")
-		config.PreSharedKey = *input.PreSharedKey
-		updated = true
-	}
-
-	if input.RosenpassEnabled != nil && *input.RosenpassEnabled != config.RosenpassEnabled {
-		log.Infof("switching Rosenpass to %t", *input.RosenpassEnabled)
-		config.RosenpassEnabled = *input.RosenpassEnabled
-		updated = true
-	}
-
-	if input.RosenpassPermissive != nil && *input.RosenpassPermissive != config.RosenpassPermissive {
-		log.Infof("switching Rosenpass permissive to %t", *input.RosenpassPermissive)
-		config.RosenpassPermissive = *input.RosenpassPermissive
-		updated = true
-	}
-
-	if input.NetworkMonitor != nil && input.NetworkMonitor != config.NetworkMonitor {
-		log.Infof("switching Network Monitor to %t", *input.NetworkMonitor)
-		config.NetworkMonitor = input.NetworkMonitor
-		updated = true
-	}
-
-	if config.NetworkMonitor == nil {
-		// enable network monitoring by default on windows and darwin clients
-		if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
-			enabled := true
-			config.NetworkMonitor = &enabled
-			updated = true
-		}
-	}
-
-	if input.CustomDNSAddress != nil && string(input.CustomDNSAddress) != config.CustomDNSAddress {
-		log.Infof("updating custom DNS address %#v (old value %#v)",
-			string(input.CustomDNSAddress), config.CustomDNSAddress)
-		config.CustomDNSAddress = string(input.CustomDNSAddress)
-		updated = true
-	}
-
-	if len(config.IFaceBlackList) == 0 {
-		log.Infof("filling in interface blacklist with defaults: [ %s ]",
-			strings.Join(defaultInterfaceBlacklist, " "))
-		config.IFaceBlackList = append(config.IFaceBlackList, defaultInterfaceBlacklist...)
-		updated = true
-	}
-
-	if len(input.ExtraIFaceBlackList) > 0 {
-		for _, iFace := range util.SliceDiff(input.ExtraIFaceBlackList, config.IFaceBlackList) {
-			log.Infof("adding new entry to interface blacklist: %s", iFace)
-			config.IFaceBlackList = append(config.IFaceBlackList, iFace)
-			updated = true
-		}
-	}
-
-	if input.DisableAutoConnect != nil && *input.DisableAutoConnect != config.DisableAutoConnect {
-		if *input.DisableAutoConnect {
-			log.Infof("turning off automatic connection on startup")
-		} else {
-			log.Infof("enabling automatic connection on startup")
-		}
-		config.DisableAutoConnect = *input.DisableAutoConnect
-		updated = true
-	}
-
-	if input.ServerSSHAllowed != nil && *input.ServerSSHAllowed != *config.ServerSSHAllowed {
-		if *input.ServerSSHAllowed {
-			log.Infof("enabling SSH server")
-		} else {
-			log.Infof("disabling SSH server")
-		}
-		config.ServerSSHAllowed = input.ServerSSHAllowed
-		updated = true
-	} else if config.ServerSSHAllowed == nil {
-		// enables SSH for configs from old versions to preserve backwards compatibility
-		log.Infof("falling back to enabled SSH server for pre-existing configuration")
-		config.ServerSSHAllowed = util.True()
-		updated = true
-	}
-
-	if input.DNSRouteInterval != nil && *input.DNSRouteInterval != config.DNSRouteInterval {
-		log.Infof("updating DNS route interval to %s (old value %s)",
-			input.DNSRouteInterval.String(), config.DNSRouteInterval.String())
-		config.DNSRouteInterval = *input.DNSRouteInterval
-		updated = true
-	} else if config.DNSRouteInterval == 0 {
-		config.DNSRouteInterval = dynamic.DefaultInterval
-		log.Infof("using default DNS route interval %s", config.DNSRouteInterval)
-		updated = true
-
-	}
-
-	return updated, nil
-}
-
 // parseURL parses and validates a service URL
 func parseURL(serviceName, serviceURL string) (*url.URL, error) {
 	parsedMgmtURL, err := url.ParseRequestURI(serviceURL)
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -4,11 +4,9 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net"
 	"runtime"
 	"runtime/debug"
 	"strings"
-	"sync"
 	"time"

 	"github.com/cenkalti/backoff/v4"
@@ -26,52 +24,35 @@ import (
 	"github.com/netbirdio/netbird/iface"
 	mgm "github.com/netbirdio/netbird/management/client"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
-	"github.com/netbirdio/netbird/relay/auth/hmac"
-	relayClient "github.com/netbirdio/netbird/relay/client"
 	signal "github.com/netbirdio/netbird/signal/client"
 	"github.com/netbirdio/netbird/util"
 	"github.com/netbirdio/netbird/version"
 )

-type ConnectClient struct {
-	ctx            context.Context
-	config         *Config
-	statusRecorder *peer.Status
-	engine         *Engine
-	engineMutex    sync.Mutex
+// RunClient with main logic.
+func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status) error {
+	return runClient(ctx, config, statusRecorder, MobileDependency{}, nil, nil, nil, nil, nil)
 }

-func NewConnectClient(
+// RunClientWithProbes runs the client's main logic with probes attached
+func RunClientWithProbes(
 	ctx context.Context,
 	config *Config,
 	statusRecorder *peer.Status,
-
-) *ConnectClient {
-	return &ConnectClient{
-		ctx:            ctx,
-		config:         config,
-		statusRecorder: statusRecorder,
-		engineMutex:    sync.Mutex{},
-	}
-}
-
-// Run with main logic.
-func (c *ConnectClient) Run() error {
-	return c.run(MobileDependency{}, nil, nil, nil, nil)
-}
-
-// RunWithProbes runs the client's main logic with probes attached
-func (c *ConnectClient) RunWithProbes(
 	mgmProbe *Probe,
 	signalProbe *Probe,
 	relayProbe *Probe,
 	wgProbe *Probe,
+	engineChan chan<- *Engine,
 ) error {
-	return c.run(MobileDependency{}, mgmProbe, signalProbe, relayProbe, wgProbe)
+	return runClient(ctx, config, statusRecorder, MobileDependency{}, mgmProbe, signalProbe, relayProbe, wgProbe, engineChan)
 }

-// RunOnAndroid with main logic on mobile system
-func (c *ConnectClient) RunOnAndroid(
+// RunClientMobile with main logic on mobile system
+func RunClientMobile(
+	ctx context.Context,
+	config *Config,
+	statusRecorder *peer.Status,
 	tunAdapter iface.TunAdapter,
 	iFaceDiscover stdnet.ExternalIFaceDiscover,
 	networkChangeListener listener.NetworkChangeListener,
@@ -86,31 +67,35 @@ func (c *ConnectClient) RunOnAndroid(
 		HostDNSAddresses:      dnsAddresses,
 		DnsReadyListener:      dnsReadyListener,
 	}
-	return c.run(mobileDependency, nil, nil, nil, nil)
+	return runClient(ctx, config, statusRecorder, mobileDependency, nil, nil, nil, nil, nil)
 }

-func (c *ConnectClient) RunOniOS(
+func RunClientiOS(
+	ctx context.Context,
+	config *Config,
+	statusRecorder *peer.Status,
 	fileDescriptor int32,
 	networkChangeListener listener.NetworkChangeListener,
 	dnsManager dns.IosDnsManager,
 ) error {
-	// Set GC percent to 5% to reduce memory usage as iOS only allows 50MB of memory for the extension.
-	debug.SetGCPercent(5)
-
 	mobileDependency := MobileDependency{
 		FileDescriptor:        fileDescriptor,
 		NetworkChangeListener: networkChangeListener,
 		DnsManager:            dnsManager,
 	}
-	return c.run(mobileDependency, nil, nil, nil, nil)
+	return runClient(ctx, config, statusRecorder, mobileDependency, nil, nil, nil, nil, nil)
 }

-func (c *ConnectClient) run(
+func runClient(
+	ctx context.Context,
+	config *Config,
+	statusRecorder *peer.Status,
 	mobileDependency MobileDependency,
 	mgmProbe *Probe,
 	signalProbe *Probe,
 	relayProbe *Probe,
 	wgProbe *Probe,
+	engineChan chan<- *Engine,
 ) error {
 	defer func() {
 		if r := recover(); r != nil {
@@ -122,7 +107,7 @@ func (c *ConnectClient) run(

 	// Check if client was not shut down in a clean way and restore DNS config if required.
 	// Otherwise, we might not be able to connect to the management server to retrieve new config.
-	if err := dns.CheckUncleanShutdown(c.config.WgIface); err != nil {
+	if err := dns.CheckUncleanShutdown(config.WgIface); err != nil {
 		log.Errorf("checking unclean shutdown error: %s", err)
 	}

@@ -136,7 +121,7 @@ func (c *ConnectClient) run(
 		Clock:               backoff.SystemClock,
 	}

-	state := CtxGetState(c.ctx)
+	state := CtxGetState(ctx)
 	defer func() {
 		s, err := state.Status()
 		if err != nil || s != StatusNeedsLogin {
@@ -145,49 +130,52 @@ func (c *ConnectClient) run(
 	}()

 	wrapErr := state.Wrap
-	myPrivateKey, err := wgtypes.ParseKey(c.config.PrivateKey)
+	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
 	if err != nil {
-		log.Errorf("failed parsing Wireguard key %s: [%s]", c.config.PrivateKey, err.Error())
+		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
 		return wrapErr(err)
 	}

 	var mgmTlsEnabled bool
-	if c.config.ManagementURL.Scheme == "https" {
+	if config.ManagementURL.Scheme == "https" {
 		mgmTlsEnabled = true
 	}

-	publicSSHKey, err := ssh.GeneratePublicKey([]byte(c.config.SSHKey))
+	publicSSHKey, err := ssh.GeneratePublicKey([]byte(config.SSHKey))
 	if err != nil {
 		return err
 	}

-	defer c.statusRecorder.ClientStop()
+	defer statusRecorder.ClientStop()
 	operation := func() error {
 		// if context cancelled we not start new backoff cycle
-		if c.isContextCancelled() {
+		select {
+		case <-ctx.Done():
 			return nil
+		default:
 		}

 		state.Set(StatusConnecting)

-		engineCtx, cancel := context.WithCancel(c.ctx)
+		engineCtx, cancel := context.WithCancel(ctx)
 		defer func() {
-			c.statusRecorder.MarkManagementDisconnected(state.err)
-			c.statusRecorder.CleanLocalPeerState()
+			statusRecorder.MarkManagementDisconnected(state.err)
+			statusRecorder.CleanLocalPeerState()
 			cancel()
 		}()

-		log.Debugf("connecting to the Management service %s", c.config.ManagementURL.Host)
-		mgmClient, err := mgm.NewClient(engineCtx, c.config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+		log.Debugf("connecting to the Management service %s", config.ManagementURL.Host)
+		mgmClient, err := mgm.NewClient(engineCtx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
 		if err != nil {
 			return wrapErr(gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err))
 		}
-		mgmNotifier := statusRecorderToMgmConnStateNotifier(c.statusRecorder)
+		mgmNotifier := statusRecorderToMgmConnStateNotifier(statusRecorder)
 		mgmClient.SetConnStateListener(mgmNotifier)

-		log.Debugf("connected to the Management service %s", c.config.ManagementURL.Host)
+		log.Debugf("connected to the Management service %s", config.ManagementURL.Host)
 		defer func() {
-			if err = mgmClient.Close(); err != nil {
+			err = mgmClient.Close()
+			if err != nil {
 				log.Warnf("failed to close the Management service client %v", err)
 			}
 		}()
@@ -202,7 +190,7 @@ func (c *ConnectClient) run(
 			}
 			return wrapErr(err)
 		}
-		c.statusRecorder.MarkManagementConnected()
+		statusRecorder.MarkManagementConnected()

 		localPeerState := peer.LocalPeerState{
 			IP:              loginResp.GetPeerConfig().GetAddress(),
@@ -210,18 +198,19 @@ func (c *ConnectClient) run(
 			KernelInterface: iface.WireGuardModuleIsLoaded(),
 			FQDN:            loginResp.GetPeerConfig().GetFqdn(),
 		}
-		c.statusRecorder.UpdateLocalPeerState(localPeerState)
+
+		statusRecorder.UpdateLocalPeerState(localPeerState)

 		signalURL := fmt.Sprintf("%s://%s",
 			strings.ToLower(loginResp.GetWiretrusteeConfig().GetSignal().GetProtocol().String()),
 			loginResp.GetWiretrusteeConfig().GetSignal().GetUri(),
 		)

-		c.statusRecorder.UpdateSignalAddress(signalURL)
+		statusRecorder.UpdateSignalAddress(signalURL)

-		c.statusRecorder.MarkSignalDisconnected(nil)
+		statusRecorder.MarkSignalDisconnected(nil)
 		defer func() {
-			c.statusRecorder.MarkSignalDisconnected(state.err)
+			statusRecorder.MarkSignalDisconnected(state.err)
 		}()

 		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
@@ -237,53 +226,42 @@ func (c *ConnectClient) run(
 			}
 		}()

-		signalNotifier := statusRecorderToSignalConnStateNotifier(c.statusRecorder)
+		signalNotifier := statusRecorderToSignalConnStateNotifier(statusRecorder)
 		signalClient.SetConnStateListener(signalNotifier)

-		c.statusRecorder.MarkSignalConnected()
-
-		relayURL, token := parseRelayInfo(loginResp)
-		relayManager := relayClient.NewManager(engineCtx, relayURL, myPrivateKey.PublicKey().String())
-		if relayURL != "" {
-			if token != nil {
-				relayManager.UpdateToken(token)
-			}
-			log.Infof("connecting to the Relay service %s", relayURL)
-			if err = relayManager.Serve(); err != nil {
-				log.Error(err)
-				return wrapErr(err)
-			}
-			c.statusRecorder.SetRelayMgr(relayManager)
-		}
+		statusRecorder.MarkSignalConnected()

 		peerConfig := loginResp.GetPeerConfig()

-		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig)
+		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig)
 		if err != nil {
 			log.Error(err)
 			return wrapErr(err)
 		}

-		checks := loginResp.GetChecks()
-
-		c.engineMutex.Lock()
-		c.engine = NewEngineWithProbes(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, mgmProbe, signalProbe, relayProbe, wgProbe, checks)
-		c.engineMutex.Unlock()
-
-		if err := c.engine.Start(); err != nil {
+		engine := NewEngineWithProbes(engineCtx, cancel, signalClient, mgmClient, engineConfig, mobileDependency, statusRecorder, mgmProbe, signalProbe, relayProbe, wgProbe)
+		err = engine.Start()
+		if err != nil {
 			log.Errorf("error while starting Netbird Connection Engine: %s", err)
 			return wrapErr(err)
 		}
+		if engineChan != nil {
+			engineChan <- engine
+		}

-		log.Infof("Netbird engine started, the IP is: %s", peerConfig.GetAddress())
+		log.Print("Netbird engine started, my IP is: ", peerConfig.Address)
 		state.Set(StatusConnected)

 		<-engineCtx.Done()
-		c.statusRecorder.ClientTeardown()
+		statusRecorder.ClientTeardown()

 		backOff.Reset()

-		err = c.engine.Stop()
+		if engineChan != nil {
+			engineChan <- nil
+		}
+
+		err = engine.Stop()
 		if err != nil {
 			log.Errorf("failed stopping engine %v", err)
 			return wrapErr(err)
@@ -298,7 +276,7 @@ func (c *ConnectClient) run(
 		return nil
 	}

-	c.statusRecorder.ClientStart()
+	statusRecorder.ClientStart()
 	err = backoff.Retry(operation, backOff)
 	if err != nil {
 		log.Debugf("exiting client retry loop due to unrecoverable error: %s", err)
@@ -310,48 +288,8 @@ func (c *ConnectClient) run(
 	return nil
 }

-func parseRelayInfo(resp *mgmProto.LoginResponse) (string, *hmac.Token) {
-	msg := resp.GetWiretrusteeConfig().GetRelay()
-	if msg == nil {
-		return "", nil
-	}
-
-	var url string
-	if msg.GetUrls() != nil && len(msg.GetUrls()) > 0 {
-		url = msg.GetUrls()[0]
-	}
-
-	token := &hmac.Token{
-		Payload:   msg.GetTokenPayload(),
-		Signature: msg.GetTokenSignature(),
-	}
-
-	return url, token
-}
-
-func (c *ConnectClient) Engine() *Engine {
-	var e *Engine
-	c.engineMutex.Lock()
-	e = c.engine
-	c.engineMutex.Unlock()
-	return e
-}
-
-func (c *ConnectClient) isContextCancelled() bool {
-	select {
-	case <-c.ctx.Done():
-		return true
-	default:
-		return false
-	}
-}
-
 // createEngineConfig converts configuration received from Management Service to EngineConfig
 func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
-	nm := false
-	if config.NetworkMonitor != nil {
-		nm = *config.NetworkMonitor
-	}
 	engineConf := &EngineConfig{
 		WgIfaceName:          config.WgIface,
 		WgAddr:               peerConfig.Address,
@@ -359,14 +297,12 @@ func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.Pe
 		DisableIPv6Discovery: config.DisableIPv6Discovery,
 		WgPrivateKey:         key,
 		WgPort:               config.WgPort,
-		NetworkMonitor:       nm,
 		SSHKey:               []byte(config.SSHKey),
 		NATExternalIPs:       config.NATExternalIPs,
 		CustomDNSAddress:     config.CustomDNSAddress,
 		RosenpassEnabled:     config.RosenpassEnabled,
 		RosenpassPermissive:  config.RosenpassPermissive,
 		ServerSSHAllowed:     util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
-		DNSRouteInterval:     config.DNSRouteInterval,
 	}

 	if config.PreSharedKey != "" {
@@ -377,15 +313,6 @@ func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.Pe
 		engineConf.PreSharedKey = &preSharedKey
 	}

-	port, err := freePort(config.WgPort)
-	if err != nil {
-		return nil, err
-	}
-	if port != config.WgPort {
-		log.Infof("using %d as wireguard port: %d is in use", port, config.WgPort)
-	}
-	engineConf.WgPort = port
-
 	return engineConf, nil
 }

@@ -435,20 +362,3 @@ func statusRecorderToSignalConnStateNotifier(statusRecorder *peer.Status) signal
 	notifier, _ := sri.(signal.ConnStateNotifier)
 	return notifier
 }
-
-func freePort(start int) (int, error) {
-	addr := net.UDPAddr{}
-	if start == 0 {
-		start = iface.DefaultWgPort
-	}
-	for x := start; x <= 65535; x++ {
-		addr.Port = x
-		conn, err := net.ListenUDP("udp", &addr)
-		if err != nil {
-			continue
-		}
-		conn.Close()
-		return x, nil
-	}
-	return 0, errors.New("no free ports")
-}
--- a/client/internal/connect_test.go
+++ b/client/internal/connect_test.go
@@ -1,57 +0,0 @@
-package internal
-
-import (
-	"net"
-	"testing"
-)
-
-func Test_freePort(t *testing.T) {
-	tests := []struct {
-		name    string
-		port    int
-		want    int
-		wantErr bool
-	}{
-		{
-			name:    "available",
-			port:    51820,
-			want:    51820,
-			wantErr: false,
-		},
-		{
-			name:    "notavailable",
-			port:    51830,
-			want:    51831,
-			wantErr: false,
-		},
-		{
-			name:    "noports",
-			port:    65535,
-			want:    0,
-			wantErr: true,
-		},
-	}
-	for _, tt := range tests {
-
-		c1, err := net.ListenUDP("udp", &net.UDPAddr{Port: 51830})
-		if err != nil {
-			t.Errorf("freePort error = %v", err)
-		}
-		c2, err := net.ListenUDP("udp", &net.UDPAddr{Port: 65535})
-		if err != nil {
-			t.Errorf("freePort error = %v", err)
-		}
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := freePort(tt.port)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("freePort() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if got != tt.want {
-				t.Errorf("freePort() = %v, want %v", got, tt.want)
-			}
-		})
-		c1.Close()
-		c2.Close()
-	}
-}
--- a/client/internal/dns/consts_freebsd.go
+++ b/client/internal/dns/consts_freebsd.go
@@ -1,6 +0,0 @@
-package dns
-
-const (
-	fileUncleanShutdownResolvConfLocation  = "/var/db/netbird/resolv.conf"
-	fileUncleanShutdownManagerTypeLocation = "/var/db/netbird/manager"
-)
--- a/client/internal/dns/consts_linux.go
+++ b/client/internal/dns/consts_linux.go
@@ -1,8 +0,0 @@
-//go:build !android
-
-package dns
-
-const (
-	fileUncleanShutdownResolvConfLocation  = "/var/lib/netbird/resolv.conf"
-	fileUncleanShutdownManagerTypeLocation = "/var/lib/netbird/manager"
-)
--- a/client/internal/dns/dbus_linux.go
+++ b/client/internal/dns/dbus_linux.go
@@ -1,4 +1,4 @@
-//go:build (linux && !android) || freebsd
+//go:build !android

 package dns

--- a/client/internal/dns/file_linux.go
+++ b/client/internal/dns/file_linux.go
@@ -1,4 +1,4 @@
-//go:build (linux && !android) || freebsd
+//go:build !android

 package dns

@@ -47,20 +47,24 @@ func (f *fileConfigurator) supportCustomPort() bool {
 }

 func (f *fileConfigurator) applyDNSConfig(config HostDNSConfig) error {
-	backupFileExist := f.isBackupFileExist()
+	backupFileExist := false
+	_, err := os.Stat(fileDefaultResolvConfBackupLocation)
+	if err == nil {
+		backupFileExist = true
+	}
+
 	if !config.RouteAll {
 		if backupFileExist {
-			f.repair.stopWatchFileChanges()
-			err := f.restore()
+			err = f.restore()
 			if err != nil {
-				return fmt.Errorf("restoring the original resolv.conf file return err: %w", err)
+				return fmt.Errorf("unable to configure DNS for this peer using file manager without a Primary nameserver group. Restoring the original file return err: %w", err)
 			}
 		}
 		return fmt.Errorf("unable to configure DNS for this peer using file manager without a nameserver group with all domains configured")
 	}

 	if !backupFileExist {
-		err := f.backup()
+		err = f.backup()
 		if err != nil {
 			return fmt.Errorf("unable to backup the resolv.conf file: %w", err)
 		}
@@ -180,11 +184,6 @@ func (f *fileConfigurator) restoreUncleanShutdownDNS(storedDNSAddress *netip.Add
 	return nil
 }

-func (f *fileConfigurator) isBackupFileExist() bool {
-	_, err := os.Stat(fileDefaultResolvConfBackupLocation)
-	return err == nil
-}
-
 func restoreResolvConfFile() error {
 	log.Debugf("restoring unclean shutdown: restoring %s from %s", defaultResolvConfPath, fileUncleanShutdownResolvConfLocation)

--- a/client/internal/dns/file_linux_test.go
+++ b/client/internal/dns/file_linux_test.go
@@ -1,4 +1,4 @@
-//go:build (linux && !android) || freebsd
+//go:build !android

 package dns

--- a/client/internal/dns/file_parser_linux.go
+++ b/client/internal/dns/file_parser_linux.go
@@ -1,4 +1,4 @@
-//go:build (linux && !android) || freebsd
+//go:build !android

 package dns

--- a/client/internal/dns/file_parser_linux_test.go
+++ b/client/internal/dns/file_parser_linux_test.go
@@ -1,4 +1,4 @@
-//go:build (linux && !android) || freebsd
+//go:build !android

 package dns

--- a/client/internal/dns/file_repair_linux.go
+++ b/client/internal/dns/file_repair_linux.go
@@ -1,4 +1,4 @@
-//go:build (linux && !android) || freebsd
+//go:build !android

 package dns

--- a/client/internal/dns/file_repair_linux_test.go
+++ b/client/internal/dns/file_repair_linux_test.go
@@ -1,4 +1,4 @@
-//go:build (linux && !android) || freebsd
+//go:build !android

 package dns

--- a/client/internal/dns/host.go
+++ b/client/internal/dns/host.go
@@ -15,12 +15,6 @@ type hostManager interface {
 	restoreUncleanShutdownDNS(storedDNSAddress *netip.Addr) error
 }

-type SystemDNSSettings struct {
-	Domains    []string
-	ServerIP   string
-	ServerPort int
-}
-
 type HostDNSConfig struct {
 	Domains    []DomainConfig `json:"domains"`
 	RouteAll   bool           `json:"routeAll"`
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -7,7 +7,6 @@ import (
 	"bytes"
 	"fmt"
 	"io"
-	"net"
 	"net/netip"
 	"os/exec"
 	"strconv"
@@ -19,7 +18,7 @@ import (
 const (
 	netbirdDNSStateKeyFormat            = "State:/Network/Service/NetBird-%s/DNS"
 	globalIPv4State                     = "State:/Network/Global/IPv4"
-	primaryServiceStateKeyFormat        = "State:/Network/Service/%s/DNS"
+	primaryServiceSetupKeyFormat        = "Setup:/Network/Service/%s/DNS"
 	keySupplementalMatchDomains         = "SupplementalMatchDomains"
 	keySupplementalMatchDomainsNoSearch = "SupplementalMatchDomainsNoSearch"
 	keyServerAddresses                  = "ServerAddresses"
@@ -29,12 +28,12 @@ const (
 	scutilPath                          = "/usr/sbin/scutil"
 	searchSuffix                        = "Search"
 	matchSuffix                         = "Match"
-	localSuffix                         = "Local"
 )

 type systemConfigurator struct {
-	createdKeys       map[string]struct{}
-	systemDNSSettings SystemDNSSettings
+	// primaryServiceID primary interface in the system. AKA the interface with the default route
+	primaryServiceID string
+	createdKeys      map[string]struct{}
 }

 func newHostManager() (hostManager, error) {
@@ -50,6 +49,20 @@ func (s *systemConfigurator) supportCustomPort() bool {
 func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig) error {
 	var err error

+	if config.RouteAll {
+		err = s.addDNSSetupForAll(config.ServerIP, config.ServerPort)
+		if err != nil {
+			return fmt.Errorf("add dns setup for all: %w", err)
+		}
+	} else if s.primaryServiceID != "" {
+		err = s.removeKeyFromSystemConfig(getKeyWithInput(primaryServiceSetupKeyFormat, s.primaryServiceID))
+		if err != nil {
+			return fmt.Errorf("remote key from system config: %w", err)
+		}
+		s.primaryServiceID = ""
+		log.Infof("removed %s:%d as main DNS resolver for this peer", config.ServerIP, config.ServerPort)
+	}
+
 	// create a file for unclean shutdown detection
 	if err := createUncleanShutdownIndicator(); err != nil {
 		log.Errorf("failed to create unclean shutdown file: %s", err)
@@ -60,19 +73,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig) error {
 		matchDomains  []string
 	)

-	err = s.recordSystemDNSSettings(true)
-	if err != nil {
-		log.Errorf("unable to update record of System's DNS config: %s", err.Error())
-	}
-
-	if config.RouteAll {
-		searchDomains = append(searchDomains, "\"\"")
-		err = s.addLocalDNS()
-		if err != nil {
-			log.Infof("failed to enable split DNS")
-		}
-	}
-
 	for _, dConf := range config.Domains {
 		if dConf.Disabled {
 			continue
@@ -110,17 +110,23 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig) error {
 }

 func (s *systemConfigurator) restoreHostDNS() error {
-	keys := s.getRemovableKeysWithDefaults()
-	for _, key := range keys {
+	lines := ""
+	for key := range s.createdKeys {
+		lines += buildRemoveKeyOperation(key)
 		keyType := "search"
 		if strings.Contains(key, matchSuffix) {
 			keyType = "match"
 		}
 		log.Infof("removing %s domains from system", keyType)
-		err := s.removeKeyFromSystemConfig(key)
-		if err != nil {
-			log.Errorf("failed to remove %s domains from system: %s", keyType, err)
-		}
+	}
+	if s.primaryServiceID != "" {
+		lines += buildRemoveKeyOperation(getKeyWithInput(primaryServiceSetupKeyFormat, s.primaryServiceID))
+		log.Infof("restoring DNS resolver configuration for system")
+	}
+	_, err := runSystemConfigCommand(wrapCommand(lines))
+	if err != nil {
+		log.Errorf("got an error while cleaning the system configuration: %s", err)
+		return fmt.Errorf("clean system: %w", err)
 	}

 	if err := removeUncleanShutdownIndicator(); err != nil {
@@ -130,19 +136,6 @@ func (s *systemConfigurator) restoreHostDNS() error {
 	return nil
 }

-func (s *systemConfigurator) getRemovableKeysWithDefaults() []string {
-	if len(s.createdKeys) == 0 {
-		// return defaults for startup calls
-		return []string{getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix), getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)}
-	}
-
-	keys := make([]string, 0, len(s.createdKeys))
-	for key := range s.createdKeys {
-		keys = append(keys, key)
-	}
-	return keys
-}
-
 func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
 	line := buildRemoveKeyOperation(key)
 	_, err := runSystemConfigCommand(wrapCommand(line))
@@ -155,97 +148,6 @@ func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
 	return nil
 }

-func (s *systemConfigurator) addLocalDNS() error {
-	if s.systemDNSSettings.ServerIP == "" || len(s.systemDNSSettings.Domains) == 0 {
-		err := s.recordSystemDNSSettings(true)
-		log.Errorf("Unable to get system DNS configuration")
-		return err
-	}
-	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
-	if s.systemDNSSettings.ServerIP != "" && len(s.systemDNSSettings.Domains) != 0 {
-		err := s.addSearchDomains(localKey, strings.Join(s.systemDNSSettings.Domains, " "), s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort)
-		if err != nil {
-			return fmt.Errorf("couldn't add local network DNS conf: %w", err)
-		}
-	} else {
-		log.Info("Not enabling local DNS server")
-	}
-
-	return nil
-}
-
-func (s *systemConfigurator) recordSystemDNSSettings(force bool) error {
-	if s.systemDNSSettings.ServerIP != "" && len(s.systemDNSSettings.Domains) != 0 && !force {
-		return nil
-	}
-
-	systemDNSSettings, err := s.getSystemDNSSettings()
-	if err != nil {
-		return fmt.Errorf("couldn't get current DNS config: %w", err)
-	}
-	s.systemDNSSettings = systemDNSSettings
-
-	return nil
-}
-
-func (s *systemConfigurator) getSystemDNSSettings() (SystemDNSSettings, error) {
-	primaryServiceKey, _, err := s.getPrimaryService()
-	if err != nil || primaryServiceKey == "" {
-		return SystemDNSSettings{}, fmt.Errorf("couldn't find the primary service key: %w", err)
-	}
-	dnsServiceKey := getKeyWithInput(primaryServiceStateKeyFormat, primaryServiceKey)
-	line := buildCommandLine("show", dnsServiceKey, "")
-	stdinCommands := wrapCommand(line)
-
-	b, err := runSystemConfigCommand(stdinCommands)
-	if err != nil {
-		return SystemDNSSettings{}, fmt.Errorf("sending the command: %w", err)
-	}
-
-	var dnsSettings SystemDNSSettings
-	inSearchDomainsArray := false
-	inServerAddressesArray := false
-
-	scanner := bufio.NewScanner(bytes.NewReader(b))
-	for scanner.Scan() {
-		line := strings.TrimSpace(scanner.Text())
-		switch {
-		case strings.HasPrefix(line, "DomainName :"):
-			domainName := strings.TrimSpace(strings.Split(line, ":")[1])
-			dnsSettings.Domains = append(dnsSettings.Domains, domainName)
-		case line == "SearchDomains : <array> {":
-			inSearchDomainsArray = true
-			continue
-		case line == "ServerAddresses : <array> {":
-			inServerAddressesArray = true
-			continue
-		case line == "}":
-			inSearchDomainsArray = false
-			inServerAddressesArray = false
-		}
-
-		if inSearchDomainsArray {
-			searchDomain := strings.Split(line, " : ")[1]
-			dnsSettings.Domains = append(dnsSettings.Domains, searchDomain)
-		} else if inServerAddressesArray {
-			address := strings.Split(line, " : ")[1]
-			if ip := net.ParseIP(address); ip != nil && ip.To4() != nil {
-				dnsSettings.ServerIP = address
-				inServerAddressesArray = false // Stop reading after finding the first IPv4 address
-			}
-		}
-	}
-
-	if err := scanner.Err(); err != nil {
-		return dnsSettings, err
-	}
-
-	// default to 53 port
-	dnsSettings.ServerPort = 53
-
-	return dnsSettings, nil
-}
-
 func (s *systemConfigurator) addSearchDomains(key, domains string, ip string, port int) error {
 	err := s.addDNSState(key, domains, ip, port, true)
 	if err != nil {
@@ -292,6 +194,23 @@ func (s *systemConfigurator) addDNSState(state, domains, dnsServer string, port
 	return nil
 }

+func (s *systemConfigurator) addDNSSetupForAll(dnsServer string, port int) error {
+	primaryServiceKey, existingNameserver, err := s.getPrimaryService()
+	if err != nil || primaryServiceKey == "" {
+		return fmt.Errorf("couldn't find the primary service key: %w", err)
+	}
+
+	err = s.addDNSSetup(getKeyWithInput(primaryServiceSetupKeyFormat, primaryServiceKey), dnsServer, port, existingNameserver)
+	if err != nil {
+		return fmt.Errorf("add dns setup: %w", err)
+	}
+
+	log.Infof("configured %s:%d as main DNS resolver for this peer", dnsServer, port)
+	s.primaryServiceID = primaryServiceKey
+
+	return nil
+}
+
 func (s *systemConfigurator) getPrimaryService() (string, string, error) {
 	line := buildCommandLine("show", globalIPv4State, "")
 	stdinCommands := wrapCommand(line)
@@ -320,6 +239,19 @@ func (s *systemConfigurator) getPrimaryService() (string, string, error) {
 	return primaryService, router, nil
 }

+func (s *systemConfigurator) addDNSSetup(setupKey, dnsServer string, port int, existingDNSServer string) error {
+	lines := buildAddCommandLine(keySupplementalMatchDomainsNoSearch, digitSymbol+strconv.Itoa(0))
+	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer+" "+existingDNSServer)
+	lines += buildAddCommandLine(keyServerPort, digitSymbol+strconv.Itoa(port))
+	addDomainCommand := buildCreateStateWithOperation(setupKey, lines)
+	stdinCommands := wrapCommand(addDomainCommand)
+	_, err := runSystemConfigCommand(stdinCommands)
+	if err != nil {
+		return fmt.Errorf("applying dns setup, error: %w", err)
+	}
+	return nil
+}
+
 func (s *systemConfigurator) restoreUncleanShutdownDNS(*netip.Addr) error {
 	if err := s.restoreHostDNS(); err != nil {
 		return fmt.Errorf("restoring dns via scutil: %w", err)
--- a/client/internal/dns/host_linux.go
+++ b/client/internal/dns/host_linux.go
@@ -1,4 +1,4 @@
-//go:build (linux && !android) || freebsd
+//go:build !android

 package dns

@@ -108,7 +108,7 @@ func getOSDNSManagerType() (osManagerType, error) {
 		if strings.Contains(text, "NetworkManager") && isDbusListenerRunning(networkManagerDest, networkManagerDbusObjectNode) && isNetworkManagerSupported() {
 			return networkManager, nil
 		}
-		if strings.Contains(text, "systemd-resolved") && isSystemdResolvedRunning() {
+		if strings.Contains(text, "systemd-resolved") && isDbusListenerRunning(systemdResolvedDest, systemdDbusObjectNode) {
 			if checkStub() {
 				return systemdManager, nil
 			} else {
@@ -116,10 +116,16 @@ func getOSDNSManagerType() (osManagerType, error) {
 			}
 		}
 		if strings.Contains(text, "resolvconf") {
-			if isSystemdResolveConfMode() {
-				return systemdManager, nil
+			if isDbusListenerRunning(systemdResolvedDest, systemdDbusObjectNode) {
+				var value string
+				err = getSystemdDbusProperty(systemdDbusResolvConfModeProperty, &value)
+				if err == nil {
+					if value == systemdDbusResolvConfModeForeign {
+						return systemdManager, nil
+					}
+				}
+				log.Errorf("got an error while checking systemd resolv conf mode, error: %s", err)
 			}
-
 			return resolvConfManager, nil
 		}
 	}
--- a/client/internal/dns/hosts_dns_holder.go
+++ b/client/internal/dns/hosts_dns_holder.go
@@ -1,63 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"net/netip"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-)
-
-type hostsDNSHolder struct {
-	unprotectedDNSList map[string]struct{}
-	mutex              sync.RWMutex
-}
-
-func newHostsDNSHolder() *hostsDNSHolder {
-	return &hostsDNSHolder{
-		unprotectedDNSList: make(map[string]struct{}),
-	}
-}
-
-func (h *hostsDNSHolder) set(list []string) {
-	h.mutex.Lock()
-	h.unprotectedDNSList = make(map[string]struct{})
-	for _, dns := range list {
-		dnsAddr, err := h.normalizeAddress(dns)
-		if err != nil {
-			continue
-		}
-		h.unprotectedDNSList[dnsAddr] = struct{}{}
-	}
-	h.mutex.Unlock()
-}
-
-func (h *hostsDNSHolder) get() map[string]struct{} {
-	h.mutex.RLock()
-	l := h.unprotectedDNSList
-	h.mutex.RUnlock()
-	return l
-}
-
-//nolint:unused
-func (h *hostsDNSHolder) isContain(upstream string) bool {
-	h.mutex.RLock()
-	defer h.mutex.RUnlock()
-
-	_, ok := h.unprotectedDNSList[upstream]
-	return ok
-}
-
-func (h *hostsDNSHolder) normalizeAddress(addr string) (string, error) {
-	a, err := netip.ParseAddr(addr)
-	if err != nil {
-		log.Errorf("invalid upstream IP address: %s, error: %s", addr, err)
-		return "", err
-	}
-
-	if a.Is4() {
-		return fmt.Sprintf("%s:53", addr), nil
-	} else {
-		return fmt.Sprintf("[%s]:53", addr), nil
-	}
-}
--- a/client/internal/dns/network_manager_linux.go
+++ b/client/internal/dns/network_manager_linux.go
@@ -1,4 +1,4 @@
-//go:build (linux && !android) || freebsd
+//go:build !android

 package dns

--- a/client/internal/dns/resolvconf_linux.go
+++ b/client/internal/dns/resolvconf_linux.go
@@ -1,4 +1,4 @@
-//go:build (linux && !android) || freebsd
+//go:build !android

 package dns

--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net/netip"
-	"runtime"
 	"strings"
 	"sync"

@@ -55,8 +54,9 @@ type DefaultServer struct {
 	currentConfig      HostDNSConfig

 	// permanent related properties
-	permanent      bool
-	hostsDNSHolder *hostsDNSHolder
+	permanent        bool
+	hostsDnsList     []string
+	hostsDnsListLock sync.Mutex

 	// make sense on mobile only
 	searchDomainNotifier *notifier
@@ -94,7 +94,7 @@ func NewDefaultServer(

 	var dnsService service
 	if wgInterface.IsUserspaceBind() {
-		dnsService = NewServiceViaMemory(wgInterface)
+		dnsService = newServiceViaMemory(wgInterface)
 	} else {
 		dnsService = newServiceViaListener(wgInterface, addrPort)
 	}
@@ -112,9 +112,9 @@ func NewDefaultServerPermanentUpstream(
 	statusRecorder *peer.Status,
 ) *DefaultServer {
 	log.Debugf("host dns address list is: %v", hostsDnsList)
-	ds := newDefaultServer(ctx, wgInterface, NewServiceViaMemory(wgInterface), statusRecorder)
-	ds.hostsDNSHolder.set(hostsDnsList)
+	ds := newDefaultServer(ctx, wgInterface, newServiceViaMemory(wgInterface), statusRecorder)
 	ds.permanent = true
+	ds.hostsDnsList = hostsDnsList
 	ds.addHostRootZone()
 	ds.currentConfig = dnsConfigToHostDNSConfig(config, ds.service.RuntimeIP(), ds.service.RuntimePort())
 	ds.searchDomainNotifier = newNotifier(ds.SearchDomains())
@@ -130,7 +130,7 @@ func NewDefaultServerIos(
 	iosDnsManager IosDnsManager,
 	statusRecorder *peer.Status,
 ) *DefaultServer {
-	ds := newDefaultServer(ctx, wgInterface, NewServiceViaMemory(wgInterface), statusRecorder)
+	ds := newDefaultServer(ctx, wgInterface, newServiceViaMemory(wgInterface), statusRecorder)
 	ds.iosDnsManager = iosDnsManager
 	return ds
 }
@@ -147,7 +147,6 @@ func newDefaultServer(ctx context.Context, wgInterface WGIface, dnsService servi
 		},
 		wgInterface:    wgInterface,
 		statusRecorder: statusRecorder,
-		hostsDNSHolder: newHostsDNSHolder(),
 	}

 	return defaultServer
@@ -203,8 +202,10 @@ func (s *DefaultServer) Stop() {
 // OnUpdatedHostDNSServer update the DNS servers addresses for root zones
 // It will be applied if the mgm server do not enforce DNS settings for root zone
 func (s *DefaultServer) OnUpdatedHostDNSServer(hostsDnsList []string) {
-	s.hostsDNSHolder.set(hostsDnsList)
+	s.hostsDnsListLock.Lock()
+	defer s.hostsDnsListLock.Unlock()

+	s.hostsDnsList = hostsDnsList
 	_, ok := s.dnsMuxMap[nbdns.RootZone]
 	if ok {
 		log.Debugf("on new host DNS config but skip to apply it")
@@ -373,7 +374,6 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 			s.wgInterface.Address().IP,
 			s.wgInterface.Address().Network,
 			s.statusRecorder,
-			s.hostsDNSHolder,
 		)
 		if err != nil {
 			return nil, fmt.Errorf("unable to create a new upstream resolver, error: %v", err)
@@ -452,7 +452,9 @@ func (s *DefaultServer) updateMux(muxUpdates []muxUpdate) {
 		_, found := muxUpdateMap[key]
 		if !found {
 			if !isContainRootUpdate && key == nbdns.RootZone {
+				s.hostsDnsListLock.Lock()
 				s.addHostRootZone()
+				s.hostsDnsListLock.Unlock()
 				existingHandler.stop()
 			} else {
 				existingHandler.stop()
@@ -510,7 +512,6 @@ func (s *DefaultServer) upstreamCallbacks(
 		if nsGroup.Primary {
 			removeIndex[nbdns.RootZone] = -1
 			s.currentConfig.RouteAll = false
-			s.service.DeregisterMux(nbdns.RootZone)
 		}

 		for i, item := range s.currentConfig.Domains {
@@ -520,15 +521,10 @@ func (s *DefaultServer) upstreamCallbacks(
 				removeIndex[item.Domain] = i
 			}
 		}
-
 		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
 			l.Errorf("Failed to apply nameserver deactivation on the host: %v", err)
 		}

-		if runtime.GOOS == "android" && nsGroup.Primary && len(s.hostsDNSHolder.get()) > 0 {
-			s.addHostRootZone()
-		}
-
 		s.updateNSState(nsGroup, err, false)

 	}
@@ -549,7 +545,6 @@ func (s *DefaultServer) upstreamCallbacks(

 		if nsGroup.Primary {
 			s.currentConfig.RouteAll = true
-			s.service.RegisterMux(nbdns.RootZone, handler)
 		}
 		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
 			l.WithError(err).Error("reactivate temporary disabled nameserver group, DNS update apply")
@@ -567,16 +562,25 @@ func (s *DefaultServer) addHostRootZone() {
 		s.wgInterface.Address().IP,
 		s.wgInterface.Address().Network,
 		s.statusRecorder,
-		s.hostsDNSHolder,
 	)
 	if err != nil {
 		log.Errorf("unable to create a new upstream resolver, error: %v", err)
 		return
 	}
+	handler.upstreamServers = make([]string, len(s.hostsDnsList))
+	for n, ua := range s.hostsDnsList {
+		a, err := netip.ParseAddr(ua)
+		if err != nil {
+			log.Errorf("invalid upstream IP address: %s, error: %s", ua, err)
+			continue
+		}

-	handler.upstreamServers = make([]string, 0)
-	for k := range s.hostsDNSHolder.get() {
-		handler.upstreamServers = append(handler.upstreamServers, k)
+		ipString := ua
+		if !a.Is4() {
+			ipString = fmt.Sprintf("[%s]", ua)
+		}
+
+		handler.upstreamServers[n] = fmt.Sprintf("%s:53", ipString)
 	}
 	handler.deactivate = func(error) {}
 	handler.reactivate = func() {}
--- a/client/internal/dns/server_linux.go
+++ b/client/internal/dns/server_linux.go
@@ -1,4 +1,4 @@
-//go:build (linux && !android) || freebsd
+//go:build !android

 package dns

--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -39,10 +39,6 @@ func (w *mocWGIface) Address() iface.WGAddress {
 	}
 }

-func (w *mocWGIface) ToInterface() *net.Interface {
-	panic("implement me")
-}
-
 func (w *mocWGIface) GetFilter() iface.PacketFilter {
 	return w.filter
 }
@@ -265,7 +261,7 @@ func TestUpdateDNSServer(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), 33100, privKey.String(), iface.DefaultMTU, newNet, nil, nil)
+			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -343,7 +339,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	}

 	privKey, _ := wgtypes.GeneratePrivateKey()
-	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.1/32", 33100, privKey.String(), iface.DefaultMTU, newNet, nil, nil)
+	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.1/32", 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
 	if err != nil {
 		t.Errorf("build interface wireguard: %v", err)
 		return
@@ -534,7 +530,7 @@ func TestDNSServerStartStop(t *testing.T) {
 func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 	hostManager := &mockHostConfigurator{}
 	server := DefaultServer{
-		service: NewServiceViaMemory(&mocWGIface{}),
+		service: newServiceViaMemory(&mocWGIface{}),
 		localResolver: &localResolver{
 			registeredMap: make(registrationMap),
 		},
@@ -801,7 +797,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 	}

 	privKey, _ := wgtypes.GeneratePrivateKey()
-	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.2/24", 33100, privKey.String(), iface.DefaultMTU, newNet, nil, nil)
+	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.2/24", 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
 	if err != nil {
 		t.Fatalf("build interface wireguard: %v", err)
 		return nil, err
--- a/client/internal/dns/service_listener.go
+++ b/client/internal/dns/service_listener.go
@@ -128,9 +128,6 @@ func (s *serviceViaListener) RuntimeIP() string {
 }

 func (s *serviceViaListener) setListenerStatus(running bool) {
-	s.listenerFlagLock.Lock()
-	defer s.listenerFlagLock.Unlock()
-
 	s.listenerIsRunning = running
 }

--- a/client/internal/dns/service_memory.go
+++ b/client/internal/dns/service_memory.go
@@ -12,7 +12,7 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-type ServiceViaMemory struct {
+type serviceViaMemory struct {
 	wgInterface       WGIface
 	dnsMux            *dns.ServeMux
 	runtimeIP         string
@@ -22,8 +22,8 @@ type ServiceViaMemory struct {
 	listenerFlagLock  sync.Mutex
 }

-func NewServiceViaMemory(wgIface WGIface) *ServiceViaMemory {
-	s := &ServiceViaMemory{
+func newServiceViaMemory(wgIface WGIface) *serviceViaMemory {
+	s := &serviceViaMemory{
 		wgInterface: wgIface,
 		dnsMux:      dns.NewServeMux(),

@@ -33,7 +33,7 @@ func NewServiceViaMemory(wgIface WGIface) *ServiceViaMemory {
 	return s
 }

-func (s *ServiceViaMemory) Listen() error {
+func (s *serviceViaMemory) Listen() error {
 	s.listenerFlagLock.Lock()
 	defer s.listenerFlagLock.Unlock()

@@ -52,7 +52,7 @@ func (s *ServiceViaMemory) Listen() error {
 	return nil
 }

-func (s *ServiceViaMemory) Stop() {
+func (s *serviceViaMemory) Stop() {
 	s.listenerFlagLock.Lock()
 	defer s.listenerFlagLock.Unlock()

@@ -67,23 +67,23 @@ func (s *ServiceViaMemory) Stop() {
 	s.listenerIsRunning = false
 }

-func (s *ServiceViaMemory) RegisterMux(pattern string, handler dns.Handler) {
+func (s *serviceViaMemory) RegisterMux(pattern string, handler dns.Handler) {
 	s.dnsMux.Handle(pattern, handler)
 }

-func (s *ServiceViaMemory) DeregisterMux(pattern string) {
+func (s *serviceViaMemory) DeregisterMux(pattern string) {
 	s.dnsMux.HandleRemove(pattern)
 }

-func (s *ServiceViaMemory) RuntimePort() int {
+func (s *serviceViaMemory) RuntimePort() int {
 	return s.runtimePort
 }

-func (s *ServiceViaMemory) RuntimeIP() string {
+func (s *serviceViaMemory) RuntimeIP() string {
 	return s.runtimeIP
 }

-func (s *ServiceViaMemory) filterDNSTraffic() (string, error) {
+func (s *serviceViaMemory) filterDNSTraffic() (string, error) {
 	filter := s.wgInterface.GetFilter()
 	if filter == nil {
 		return "", fmt.Errorf("can't set DNS filter, filter not initialized")
--- a/client/internal/dns/systemd_freebsd.go
+++ b/client/internal/dns/systemd_freebsd.go
@@ -1,20 +0,0 @@
-package dns
-
-import (
-	"errors"
-	"fmt"
-)
-
-var errNotImplemented = errors.New("not implemented")
-
-func newSystemdDbusConfigurator(wgInterface string) (hostManager, error) {
-	return nil, fmt.Errorf("systemd dns management: %w on freebsd", errNotImplemented)
-}
-
-func isSystemdResolvedRunning() bool {
-	return false
-}
-
-func isSystemdResolveConfMode() bool {
-	return false
-}
--- a/client/internal/dns/systemd_linux.go
+++ b/client/internal/dns/systemd_linux.go
@@ -242,25 +242,3 @@ func getSystemdDbusProperty(property string, store any) error {

 	return v.Store(store)
 }
-
-func isSystemdResolvedRunning() bool {
-	return isDbusListenerRunning(systemdResolvedDest, systemdDbusObjectNode)
-}
-
-func isSystemdResolveConfMode() bool {
-	if !isDbusListenerRunning(systemdResolvedDest, systemdDbusObjectNode) {
-		return false
-	}
-
-	var value string
-	if err := getSystemdDbusProperty(systemdDbusResolvConfModeProperty, &value); err != nil {
-		log.Errorf("got an error while checking systemd resolv conf mode, error: %s", err)
-		return false
-	}
-
-	if value == systemdDbusResolvConfModeForeign {
-		return true
-	}
-
-	return false
-}
--- a/client/internal/dns/unclean_shutdown_linux.go
+++ b/client/internal/dns/unclean_shutdown_linux.go
@@ -1,4 +1,4 @@
-//go:build (linux && !android) || freebsd
+//go:build !android

 package dns

@@ -14,6 +14,11 @@ import (
 	log "github.com/sirupsen/logrus"
 )

+const (
+	fileUncleanShutdownResolvConfLocation  = "/var/lib/netbird/resolv.conf"
+	fileUncleanShutdownManagerTypeLocation = "/var/lib/netbird/manager"
+)
+
 func CheckUncleanShutdown(wgIface string) error {
 	if _, err := os.Stat(fileUncleanShutdownResolvConfLocation); err != nil {
 		if errors.Is(err, fs.ErrNotExist) {
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"runtime"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -24,7 +25,7 @@ const (
 	probeTimeout     = 2 * time.Second
 )

-const testRecord = "com."
+const testRecord = "."

 type upstreamClient interface {
 	exchange(ctx context.Context, upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
@@ -42,7 +43,6 @@ type upstreamResolverBase struct {
 	upstreamServers  []string
 	disabled         bool
 	failsCount       atomic.Int32
-	successCount     atomic.Int32
 	failsTillDeact   int32
 	mutex            sync.Mutex
 	reactivatePeriod time.Duration
@@ -79,11 +79,6 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}()

 	log.WithField("question", r.Question[0]).Trace("received an upstream question")
-	// set the AuthenticatedData flag and the EDNS0 buffer size to 4096 bytes to support larger dns records
-	if r.Extra == nil {
-		r.SetEdns0(4096, false)
-		r.MsgHdr.AuthenticatedData = true
-	}

 	select {
 	case <-u.ctx.Done():
@@ -125,7 +120,6 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 			return
 		}

-		u.successCount.Add(1)
 		log.Tracef("took %s to query the upstream %s", t, upstream)

 		err = w.WriteMsg(rm)
@@ -174,11 +168,6 @@ func (u *upstreamResolverBase) probeAvailability() {
 	default:
 	}

-	// avoid probe if upstreams could resolve at least one query and fails count is less than failsTillDeact
-	if u.successCount.Load() > 0 && u.failsCount.Load() < u.failsTillDeact {
-		return
-	}
-
 	var success bool
 	var mu sync.Mutex
 	var wg sync.WaitGroup
@@ -190,7 +179,7 @@ func (u *upstreamResolverBase) probeAvailability() {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
-			err := u.testNameserver(upstream, 500*time.Millisecond)
+			err := u.testNameserver(upstream)
 			if err != nil {
 				errors = multierror.Append(errors, err)
 				log.Warnf("probing upstream nameserver %s: %s", upstream, err)
@@ -231,7 +220,7 @@ func (u *upstreamResolverBase) waitUntilResponse() {
 		}

 		for _, upstream := range u.upstreamServers {
-			if err := u.testNameserver(upstream, probeTimeout); err != nil {
+			if err := u.testNameserver(upstream); err != nil {
 				log.Tracef("upstream check for %s: %s", upstream, err)
 			} else {
 				// at least one upstream server is available, stop probing
@@ -251,7 +240,6 @@ func (u *upstreamResolverBase) waitUntilResponse() {

 	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServers)
 	u.failsCount.Store(0)
-	u.successCount.Add(1)
 	u.reactivate()
 	u.disabled = false
 }
@@ -272,15 +260,17 @@ func (u *upstreamResolverBase) disable(err error) {
 		return
 	}

-	log.Warnf("Upstream resolving is Disabled for %v", reactivatePeriod)
-	u.successCount.Store(0)
-	u.deactivate(err)
-	u.disabled = true
-	go u.waitUntilResponse()
+	// todo test the deactivation logic, it seems to affect the client
+	if runtime.GOOS != "ios" {
+		log.Warnf("Upstream resolving is Disabled for %v", reactivatePeriod)
+		u.deactivate(err)
+		u.disabled = true
+		go u.waitUntilResponse()
+	}
 }

-func (u *upstreamResolverBase) testNameserver(server string, timeout time.Duration) error {
-	ctx, cancel := context.WithTimeout(u.ctx, timeout)
+func (u *upstreamResolverBase) testNameserver(server string) error {
+	ctx, cancel := context.WithTimeout(u.ctx, probeTimeout)
 	defer cancel()

 	r := new(dns.Msg).SetQuestion(testRecord, dns.TypeSOA)
--- a/client/internal/dns/upstream_android.go
+++ b/client/internal/dns/upstream_android.go
@@ -1,84 +0,0 @@
-package dns
-
-import (
-	"context"
-	"net"
-	"syscall"
-	"time"
-
-	"github.com/miekg/dns"
-
-	"github.com/netbirdio/netbird/client/internal/peer"
-	nbnet "github.com/netbirdio/netbird/util/net"
-)
-
-type upstreamResolver struct {
-	*upstreamResolverBase
-	hostsDNSHolder *hostsDNSHolder
-}
-
-// newUpstreamResolver in Android we need to distinguish the DNS servers to available through VPN or outside of VPN
-// In case if the assigned DNS address is available only in the protected network then the resolver will time out at the
-// first time, and we need to wait for a while to start to use again the proper DNS resolver.
-func newUpstreamResolver(
-	ctx context.Context,
-	_ string,
-	_ net.IP,
-	_ *net.IPNet,
-	statusRecorder *peer.Status,
-	hostsDNSHolder *hostsDNSHolder,
-) (*upstreamResolver, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder)
-	c := &upstreamResolver{
-		upstreamResolverBase: upstreamResolverBase,
-		hostsDNSHolder:       hostsDNSHolder,
-	}
-	upstreamResolverBase.upstreamClient = c
-	return c, nil
-}
-
-// exchange in case of Android if the upstream is a local resolver then we do not need to mark the socket as protected.
-// In other case the DNS resolvation goes through the VPN, so we need to force to use the
-func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	if u.isLocalResolver(upstream) {
-		return u.exchangeWithoutVPN(ctx, upstream, r)
-	} else {
-		return u.exchangeWithinVPN(ctx, upstream, r)
-	}
-}
-
-func (u *upstreamResolver) exchangeWithinVPN(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	upstreamExchangeClient := &dns.Client{}
-	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
-}
-
-// exchangeWithoutVPN protect the UDP socket by Android SDK to avoid to goes through the VPN
-func (u *upstreamResolver) exchangeWithoutVPN(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	timeout := upstreamTimeout
-	if deadline, ok := ctx.Deadline(); ok {
-		timeout = time.Until(deadline)
-	}
-	dialTimeout := timeout
-
-	nbDialer := nbnet.NewDialer()
-
-	dialer := &net.Dialer{
-		Control: func(network, address string, c syscall.RawConn) error {
-			return nbDialer.Control(network, address, c)
-		},
-		Timeout: dialTimeout,
-	}
-
-	upstreamExchangeClient := &dns.Client{
-		Dialer: dialer,
-	}
-
-	return upstreamExchangeClient.Exchange(r, upstream)
-}
-
-func (u *upstreamResolver) isLocalResolver(upstream string) bool {
-	if u.hostsDNSHolder.isContain(upstream) {
-		return true
-	}
-	return false
-}
--- a/client/internal/dns/upstream_ios.go
+++ b/client/internal/dns/upstream_ios.go
@@ -4,7 +4,6 @@ package dns

 import (
 	"context"
-	"fmt"
 	"net"
 	"syscall"
 	"time"
@@ -18,9 +17,9 @@ import (

 type upstreamResolverIOS struct {
 	*upstreamResolverBase
-	lIP           net.IP
-	lNet          *net.IPNet
-	interfaceName string
+	lIP    net.IP
+	lNet   *net.IPNet
+	iIndex int
 }

 func newUpstreamResolver(
@@ -29,15 +28,20 @@ func newUpstreamResolver(
 	ip net.IP,
 	net *net.IPNet,
 	statusRecorder *peer.Status,
-	_ *hostsDNSHolder,
 ) (*upstreamResolverIOS, error) {
 	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder)

+	index, err := getInterfaceIndex(interfaceName)
+	if err != nil {
+		log.Debugf("unable to get interface index for %s: %s", interfaceName, err)
+		return nil, err
+	}
+
 	ios := &upstreamResolverIOS{
 		upstreamResolverBase: upstreamResolverBase,
 		lIP:                  ip,
 		lNet:                 net,
-		interfaceName:        interfaceName,
+		iIndex:               index,
 	}
 	ios.upstreamClient = ios

@@ -48,7 +52,7 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	client := &dns.Client{}
 	upstreamHost, _, err := net.SplitHostPort(upstream)
 	if err != nil {
-		return nil, 0, fmt.Errorf("error while parsing upstream host: %s", err)
+		log.Errorf("error while parsing upstream host: %s", err)
 	}

 	timeout := upstreamTimeout
@@ -60,35 +64,26 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	upstreamIP := net.ParseIP(upstreamHost)
 	if u.lNet.Contains(upstreamIP) || net.IP.IsPrivate(upstreamIP) {
 		log.Debugf("using private client to query upstream: %s", upstream)
-		client, err = GetClientPrivate(u.lIP, u.interfaceName, timeout)
-		if err != nil {
-			return nil, 0, fmt.Errorf("error while creating private client: %s", err)
-		}
+		client = u.getClientPrivate(timeout)
 	}

 	// Cannot use client.ExchangeContext because it overwrites our Dialer
 	return client.Exchange(r, upstream)
 }

-// GetClientPrivate returns a new DNS client bound to the local IP address of the Netbird interface
+// getClientPrivate returns a new DNS client bound to the local IP address of the Netbird interface
 // This method is needed for iOS
-func GetClientPrivate(ip net.IP, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
-	index, err := getInterfaceIndex(interfaceName)
-	if err != nil {
-		log.Debugf("unable to get interface index for %s: %s", interfaceName, err)
-		return nil, err
-	}
-
+func (u *upstreamResolverIOS) getClientPrivate(dialTimeout time.Duration) *dns.Client {
 	dialer := &net.Dialer{
 		LocalAddr: &net.UDPAddr{
-			IP:   ip,
+			IP:   u.lIP,
 			Port: 0, // Let the OS pick a free port
 		},
 		Timeout: dialTimeout,
 		Control: func(network, address string, c syscall.RawConn) error {
 			var operr error
 			fn := func(s uintptr) {
-				operr = unix.SetsockoptInt(int(s), unix.IPPROTO_IP, unix.IP_BOUND_IF, index)
+				operr = unix.SetsockoptInt(int(s), unix.IPPROTO_IP, unix.IP_BOUND_IF, u.iIndex)
 			}

 			if err := c.Control(fn); err != nil {
@@ -105,7 +100,7 @@ func GetClientPrivate(ip net.IP, interfaceName string, dialTimeout time.Duration
 	client := &dns.Client{
 		Dialer: dialer,
 	}
-	return client, nil
+	return client
 }

 func getInterfaceIndex(interfaceName string) (int, error) {
--- a/client/internal/dns/upstream_general.go
+++ b/client/internal/dns/upstream_general.go
@@ -1,4 +1,4 @@
-//go:build !android && !ios
+//go:build !ios

 package dns

@@ -12,7 +12,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 )

-type upstreamResolver struct {
+type upstreamResolverNonIOS struct {
 	*upstreamResolverBase
 }

@@ -22,17 +22,16 @@ func newUpstreamResolver(
 	_ net.IP,
 	_ *net.IPNet,
 	statusRecorder *peer.Status,
-	_ *hostsDNSHolder,
-) (*upstreamResolver, error) {
+) (*upstreamResolverNonIOS, error) {
 	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder)
-	nonIOS := &upstreamResolver{
+	nonIOS := &upstreamResolverNonIOS{
 		upstreamResolverBase: upstreamResolverBase,
 	}
 	upstreamResolverBase.upstreamClient = nonIOS
 	return nonIOS, nil
 }

-func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
+func (u *upstreamResolverNonIOS) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
 	upstreamExchangeClient := &dns.Client{}
 	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
 }
--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -58,7 +58,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			ctx, cancel := context.WithCancel(context.TODO())
-			resolver, _ := newUpstreamResolver(ctx, "", net.IP{}, &net.IPNet{}, nil, nil)
+			resolver, _ := newUpstreamResolver(ctx, "", net.IP{}, &net.IPNet{}, nil)
 			resolver.upstreamServers = testCase.InputServers
 			resolver.upstreamTimeout = testCase.timeout
 			if testCase.cancelCTX {
--- a/client/internal/dns/wgiface.go
+++ b/client/internal/dns/wgiface.go
@@ -2,17 +2,12 @@

 package dns

-import (
-	"net"
-
-	"github.com/netbirdio/netbird/iface"
-)
+import "github.com/netbirdio/netbird/iface"

 // WGIface defines subset methods of interface required for manager
 type WGIface interface {
 	Name() string
 	Address() iface.WGAddress
-	ToInterface() *net.Interface
 	IsUserspaceBind() bool
 	GetFilter() iface.PacketFilter
 	GetDevice() *iface.DeviceWrapper
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -2,18 +2,14 @@ package internal

 import (
 	"context"
-	"errors"
 	"fmt"
-	"maps"
 	"math/rand"
 	"net"
 	"net/netip"
 	"reflect"
 	"runtime"
-	"slices"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"

 	"github.com/pion/ice/v3"
@@ -25,29 +21,21 @@ import (
 	"github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
-
-	"github.com/netbirdio/netbird/client/internal/networkmonitor"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
-	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/wgproxy"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
-	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/iface/bind"
 	mgm "github.com/netbirdio/netbird/management/client"
-	"github.com/netbirdio/netbird/management/domain"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
-	auth "github.com/netbirdio/netbird/relay/auth/hmac"
-	relayClient "github.com/netbirdio/netbird/relay/client"
 	"github.com/netbirdio/netbird/route"
 	signal "github.com/netbirdio/netbird/signal/client"
 	sProto "github.com/netbirdio/netbird/signal/proto"
 	"github.com/netbirdio/netbird/util"
-	nbnet "github.com/netbirdio/netbird/util/net"
 )

 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
@@ -72,9 +60,6 @@ type EngineConfig struct {
 	// WgPrivateKey is a Wireguard private key of our peer (it MUST never leave the machine)
 	WgPrivateKey wgtypes.Key

-	// NetworkMonitor is a flag to enable network monitoring
-	NetworkMonitor bool
-
 	// IFaceBlackList is a list of network interfaces to ignore when discovering connection candidates (ICE related)
 	IFaceBlackList       []string
 	DisableIPv6Discovery bool
@@ -98,22 +83,19 @@ type EngineConfig struct {
 	RosenpassPermissive bool

 	ServerSSHAllowed bool
-
-	DNSRouteInterval time.Duration
 }

 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
 type Engine struct {
 	// signal is a Signal Service client
-	signal   signal.Client
-	signaler *peer.Signaler
+	signal signal.Client
 	// mgmClient is a Management Service client
 	mgmClient mgm.Client
 	// peerConns is a map that holds all the peers that are known to this peer
 	peerConns map[string]*peer.Conn

-	beforePeerHook nbnet.AddHookFunc
-	afterPeerHook  nbnet.RemoveHookFunc
+	beforePeerHook peer.BeforeAddPeerHookFunc
+	afterPeerHook  peer.AfterRemovePeerHookFunc

 	// rpManager is a Rosenpass manager
 	rpManager *rosenpass.Manager
@@ -127,20 +109,16 @@ type Engine struct {
 	// STUNs is a list of STUN servers used by ICE
 	STUNs []*stun.URI
 	// TURNs is a list of STUN servers used by ICE
-	TURNs    []*stun.URI
-	StunTurn atomic.Value
+	TURNs []*stun.URI

 	// clientRoutes is the most recent list of clientRoutes received from the Management Service
-	clientRoutes   route.HAMap
-	clientRoutesMu sync.RWMutex
+	clientRoutes map[string][]*route.Route

-	clientCtx    context.Context
-	clientCancel context.CancelFunc
-
-	ctx    context.Context
 	cancel context.CancelFunc

-	wgInterface    iface.IWGIface
+	ctx context.Context
+
+	wgInterface    *iface.WGIface
 	wgProxyFactory *wgproxy.Factory

 	udpMux *bind.UniversalUDPMuxDefault
@@ -148,8 +126,6 @@ type Engine struct {
 	// networkSerial is the latest CurrentSerial (state ID) of the network sent by the Management service
 	networkSerial uint64

-	networkMonitor *networkmonitor.NetworkMonitor
-
 	sshServerFunc func(hostKeyPEM []byte, addr string) (nbssh.Server, error)
 	sshServer     nbssh.Server

@@ -165,11 +141,6 @@ type Engine struct {
 	signalProbe *Probe
 	relayProbe  *Probe
 	wgProbe     *Probe
-
-	// checks are the client-applied posture checks that need to be evaluated on the client
-	checks []*mgmProto.Checks
-
-	relayManager *relayClient.Manager
 }

 // Peer is an instance of the Connection Peer
@@ -180,22 +151,19 @@ type Peer struct {

 // NewEngine creates a new Connection Engine
 func NewEngine(
-	clientCtx context.Context,
-	clientCancel context.CancelFunc,
+	ctx context.Context,
+	cancel context.CancelFunc,
 	signalClient signal.Client,
 	mgmClient mgm.Client,
-	relayManager *relayClient.Manager,
 	config *EngineConfig,
 	mobileDep MobileDependency,
 	statusRecorder *peer.Status,
-	checks []*mgmProto.Checks,
 ) *Engine {
 	return NewEngineWithProbes(
-		clientCtx,
-		clientCancel,
+		ctx,
+		cancel,
 		signalClient,
 		mgmClient,
-		relayManager,
 		config,
 		mobileDep,
 		statusRecorder,
@@ -203,17 +171,15 @@ func NewEngine(
 		nil,
 		nil,
 		nil,
-		checks,
 	)
 }

 // NewEngineWithProbes creates a new Connection Engine with probes attached
 func NewEngineWithProbes(
-	clientCtx context.Context,
-	clientCancel context.CancelFunc,
+	ctx context.Context,
+	cancel context.CancelFunc,
 	signalClient signal.Client,
 	mgmClient mgm.Client,
-	relayManager *relayClient.Manager,
 	config *EngineConfig,
 	mobileDep MobileDependency,
 	statusRecorder *peer.Status,
@@ -221,15 +187,12 @@ func NewEngineWithProbes(
 	signalProbe *Probe,
 	relayProbe *Probe,
 	wgProbe *Probe,
-	checks []*mgmProto.Checks,
 ) *Engine {
 	return &Engine{
-		clientCtx:      clientCtx,
-		clientCancel:   clientCancel,
+		ctx:            ctx,
+		cancel:         cancel,
 		signal:         signalClient,
-		signaler:       peer.NewSignaler(signalClient, config.WgPrivateKey),
 		mgmClient:      mgmClient,
-		relayManager:   relayManager,
 		peerConns:      make(map[string]*peer.Conn),
 		syncMsgMux:     &sync.Mutex{},
 		config:         config,
@@ -239,11 +202,11 @@ func NewEngineWithProbes(
 		networkSerial:  0,
 		sshServerFunc:  nbssh.DefaultSSHServer,
 		statusRecorder: statusRecorder,
+		wgProxyFactory: wgproxy.NewFactory(config.WgPort),
 		mgmProbe:       mgmProbe,
 		signalProbe:    signalProbe,
 		relayProbe:     relayProbe,
 		wgProbe:        wgProbe,
-		checks:         checks,
 	}
 }

@@ -251,27 +214,15 @@ func (e *Engine) Stop() error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

-	if e.cancel != nil {
-		e.cancel()
-	}
-
-	// stopping network monitor first to avoid starting the engine again
-	if e.networkMonitor != nil {
-		e.networkMonitor.Stop()
-	}
-	log.Info("Network monitor: stopped")
-
 	err := e.removeAllPeers()
 	if err != nil {
 		return err
 	}

-	e.clientRoutesMu.Lock()
 	e.clientRoutes = nil
-	e.clientRoutesMu.Unlock()

 	// very ugly but we want to remove peers from the WireGuard interface first before removing interface.
-	// Removing peers happens in the conn.Close() asynchronously
+	// Removing peers happens in the conn.CLose() asynchronously
 	time.Sleep(500 * time.Millisecond)

 	e.close()
@@ -286,11 +237,6 @@ func (e *Engine) Start() error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

-	if e.cancel != nil {
-		e.cancel()
-	}
-	e.ctx, e.cancel = context.WithCancel(e.clientCtx)
-
 	wgIface, err := e.newWgIface()
 	if err != nil {
 		log.Errorf("failed creating wireguard interface instance %s: [%s]", e.config.WgIfaceName, err)
@@ -298,9 +244,6 @@ func (e *Engine) Start() error {
 	}
 	e.wgInterface = wgIface

-	userspace := e.wgInterface.IsUserspaceBind()
-	e.wgProxyFactory = wgproxy.NewFactory(e.ctx, userspace, e.config.WgPort)
-
 	if e.config.RosenpassEnabled {
 		log.Infof("rosenpass is enabled")
 		if e.config.RosenpassPermissive {
@@ -325,7 +268,7 @@ func (e *Engine) Start() error {
 	}
 	e.dnsServer = dnsServer

-	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.config.DNSRouteInterval, e.wgInterface, e.statusRecorder, initialRoutes)
+	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder, initialRoutes)
 	beforePeerHook, afterPeerHook, err := e.routeManager.Init()
 	if err != nil {
 		log.Errorf("Failed to initialize route manager: %s", err)
@@ -377,9 +320,6 @@ func (e *Engine) Start() error {
 	e.receiveManagementEvents()
 	e.receiveProbeEvents()

-	// starting network monitor at the very last to avoid disruptions
-	e.startNetworkMonitor()
-
 	return nil
 }

@@ -474,49 +414,83 @@ func (e *Engine) removePeer(peerKey string) error {
 	conn, exists := e.peerConns[peerKey]
 	if exists {
 		delete(e.peerConns, peerKey)
-		conn.Close()
+		err := conn.Close()
+		if err != nil {
+			switch err.(type) {
+			case *peer.ConnectionAlreadyClosedError:
+				return nil
+			default:
+				return err
+			}
+		}
 	}
 	return nil
 }

+func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client) error {
+	err := s.Send(&sProto.Message{
+		Key:       myKey.PublicKey().String(),
+		RemoteKey: remoteKey.String(),
+		Body: &sProto.Body{
+			Type:    sProto.Body_CANDIDATE,
+			Payload: candidate.Marshal(),
+		},
+	})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func sendSignal(message *sProto.Message, s signal.Client) error {
+	return s.Send(message)
+}
+
+// SignalOfferAnswer signals either an offer or an answer to remote peer
+func SignalOfferAnswer(offerAnswer peer.OfferAnswer, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client,
+	isAnswer bool) error {
+	var t sProto.Body_Type
+	if isAnswer {
+		t = sProto.Body_ANSWER
+	} else {
+		t = sProto.Body_OFFER
+	}
+
+	msg, err := signal.MarshalCredential(myKey, offerAnswer.WgListenPort, remoteKey, &signal.Credential{
+		UFrag: offerAnswer.IceCredentials.UFrag,
+		Pwd:   offerAnswer.IceCredentials.Pwd,
+	}, t, offerAnswer.RosenpassPubKey, offerAnswer.RosenpassAddr)
+	if err != nil {
+		return err
+	}
+
+	err = s.Send(msg)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

 	if update.GetWiretrusteeConfig() != nil {
-		wCfg := update.GetWiretrusteeConfig()
-		err := e.updateTURNs(wCfg.GetTurns())
+		err := e.updateTURNs(update.GetWiretrusteeConfig().GetTurns())
 		if err != nil {
 			return err
 		}

-		err = e.updateSTUNs(wCfg.GetStuns())
+		err = e.updateSTUNs(update.GetWiretrusteeConfig().GetStuns())
 		if err != nil {
 			return err
 		}

-		var stunTurn []*stun.URI
-		stunTurn = append(stunTurn, e.STUNs...)
-		stunTurn = append(stunTurn, e.TURNs...)
-		e.StunTurn.Store(stunTurn)
-
-		relayMsg := wCfg.GetRelay()
-		if relayMsg != nil {
-			c := &auth.Token{
-				Payload:   relayMsg.GetTokenPayload(),
-				Signature: relayMsg.GetTokenSignature(),
-			}
-			e.relayManager.UpdateToken(c)
-		}
-
-		// todo update relay address in the relay manager
 		// todo update signal
 	}

-	if err := e.updateChecksIfNew(update.Checks); err != nil {
-		return err
-	}
-
 	if update.GetNetworkMap() != nil {
 		// only apply new changes and ignore old ones
 		err := e.updateNetworkMap(update.GetNetworkMap())
@@ -524,27 +498,7 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 			return err
 		}
 	}
-	return nil
-}

-// updateChecksIfNew updates checks if there are changes and sync new meta with management
-func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
-	// if checks are equal, we skip the update
-	if isChecksEqual(e.checks, checks) {
-		return nil
-	}
-	e.checks = checks
-
-	info, err := system.GetInfoWithChecks(e.ctx, checks)
-	if err != nil {
-		log.Warnf("failed to get system info with checks: %v", err)
-		info = system.GetInfo(e.ctx)
-	}
-
-	if err := e.mgmClient.SyncMeta(info); err != nil {
-		log.Errorf("could not sync meta: error %s", err)
-		return err
-	}
 	return nil
 }

@@ -560,8 +514,8 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 	} else {

 		if sshConf.GetSshEnabled() {
-			if runtime.GOOS == "windows" || runtime.GOOS == "freebsd" {
-				log.Warnf("running SSH server on %s is not supported", runtime.GOOS)
+			if runtime.GOOS == "windows" {
+				log.Warnf("running SSH server on Windows is not supported")
 				return nil
 			}
 			// start SSH server if it wasn't running
@@ -634,19 +588,12 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 // E.g. when a new peer has been registered and we are allowed to connect to it.
 func (e *Engine) receiveManagementEvents() {
 	go func() {
-		info, err := system.GetInfoWithChecks(e.ctx, e.checks)
-		if err != nil {
-			log.Warnf("failed to get system info with checks: %v", err)
-			info = system.GetInfo(e.ctx)
-		}
-
-		// err = e.mgmClient.Sync(info, e.handleSync)
-		err = e.mgmClient.Sync(e.ctx, info, e.handleSync)
+		err := e.mgmClient.Sync(e.handleSync)
 		if err != nil {
 			// happens if management is unavailable for a long time.
 			// We want to cancel the operation of the whole client
 			_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
-			e.clientCancel()
+			e.cancel()
 			return
 		}
 		log.Debugf("stopped receiving updates from Management Service")
@@ -708,20 +655,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		return nil
 	}

-	protoRoutes := networkMap.GetRoutes()
-	if protoRoutes == nil {
-		protoRoutes = []*mgmProto.Route{}
-	}
-
-	_, clientRoutes, err := e.routeManager.UpdateRoutes(serial, toRoutes(protoRoutes))
-	if err != nil {
-		log.Errorf("failed to update clientRoutes, err: %v", err)
-	}
-
-	e.clientRoutesMu.Lock()
-	e.clientRoutes = clientRoutes
-	e.clientRoutesMu.Unlock()
-
 	log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(networkMap.GetRemotePeers()))

 	e.updateOfflinePeers(networkMap.GetOfflinePeers())
@@ -763,6 +696,17 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 			}
 		}
 	}
+	protoRoutes := networkMap.GetRoutes()
+	if protoRoutes == nil {
+		protoRoutes = []*mgmProto.Route{}
+	}
+
+	_, clientRoutes, err := e.routeManager.UpdateRoutes(serial, toRoutes(protoRoutes))
+	if err != nil {
+		log.Errorf("failed to update clientRoutes, err: %v", err)
+	}
+
+	e.clientRoutes = clientRoutes

 	protoDNSConfig := networkMap.GetDNSConfig()
 	if protoDNSConfig == nil {
@@ -790,24 +734,15 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
 	routes := make([]*route.Route, 0)
 	for _, protoRoute := range protoRoutes {
-		var prefix netip.Prefix
-		if len(protoRoute.Domains) == 0 {
-			var err error
-			if prefix, err = netip.ParsePrefix(protoRoute.Network); err != nil {
-				log.Errorf("Failed to parse prefix %s: %v", protoRoute.Network, err)
-				continue
-			}
-		}
+		_, prefix, _ := route.ParseNetwork(protoRoute.Network)
 		convertedRoute := &route.Route{
-			ID:          route.ID(protoRoute.ID),
+			ID:          protoRoute.ID,
 			Network:     prefix,
-			Domains:     domain.FromPunycodeList(protoRoute.Domains),
-			NetID:       route.NetID(protoRoute.NetID),
+			NetID:       protoRoute.NetID,
 			NetworkType: route.NetworkType(protoRoute.NetworkType),
 			Peer:        protoRoute.Peer,
 			Metric:      int(protoRoute.Metric),
 			Masquerade:  protoRoute.Masquerade,
-			KeepRoute:   protoRoute.KeepRoute,
 		}
 		routes = append(routes, convertedRoute)
 	}
@@ -905,13 +840,60 @@ func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
 			log.Warnf("error adding peer %s to status recorder, got error: %v", peerKey, err)
 		}

-		conn.Open()
+		go e.connWorker(conn, peerKey)
 	}
 	return nil
 }

+func (e *Engine) connWorker(conn *peer.Conn, peerKey string) {
+	for {
+
+		// randomize starting time a bit
+		min := 500
+		max := 2000
+		time.Sleep(time.Duration(rand.Intn(max-min)+min) * time.Millisecond)
+
+		// if peer has been removed -> give up
+		if !e.peerExists(peerKey) {
+			log.Debugf("peer %s doesn't exist anymore, won't retry connection", peerKey)
+			return
+		}
+
+		if !e.signal.Ready() {
+			log.Infof("signal client isn't ready, skipping connection attempt %s", peerKey)
+			continue
+		}
+
+		// we might have received new STUN and TURN servers meanwhile, so update them
+		e.syncMsgMux.Lock()
+		conn.UpdateStunTurn(append(e.STUNs, e.TURNs...))
+		e.syncMsgMux.Unlock()
+
+		err := conn.Open()
+		if err != nil {
+			log.Debugf("connection to peer %s failed: %v", peerKey, err)
+			switch err.(type) {
+			case *peer.ConnectionClosedError:
+				// conn has been forced to close, so we exit the loop
+				return
+			default:
+			}
+		}
+	}
+}
+
+func (e *Engine) peerExists(peerKey string) bool {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+	_, ok := e.peerConns[peerKey]
+	return ok
+}
+
 func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, error) {
 	log.Debugf("creating peer connection %s", pubKey)
+	var stunTurn []*stun.URI
+	stunTurn = append(stunTurn, e.STUNs...)
+	stunTurn = append(stunTurn, e.TURNs...)

 	wgConfig := peer.WgConfig{
 		RemoteKey:    pubKey,
@@ -944,29 +926,53 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 	// randomize connection timeout
 	timeout := time.Duration(rand.Intn(PeerConnectionTimeoutMax-PeerConnectionTimeoutMin)+PeerConnectionTimeoutMin) * time.Millisecond
 	config := peer.ConnConfig{
-		Key:             pubKey,
-		LocalKey:        e.config.WgPrivateKey.PublicKey().String(),
-		Timeout:         timeout,
-		WgConfig:        wgConfig,
-		LocalWgPort:     e.config.WgPort,
-		RosenpassPubKey: e.getRosenpassPubKey(),
-		RosenpassAddr:   e.getRosenpassAddr(),
-		ICEConfig: peer.ICEConfig{
-			StunTurn:             e.StunTurn,
-			InterfaceBlackList:   e.config.IFaceBlackList,
-			DisableIPv6Discovery: e.config.DisableIPv6Discovery,
-			UDPMux:               e.udpMux.UDPMuxDefault,
-			UDPMuxSrflx:          e.udpMux,
-			NATExternalIPs:       e.parseNATExternalIPMappings(),
-		},
+		Key:                  pubKey,
+		LocalKey:             e.config.WgPrivateKey.PublicKey().String(),
+		StunTurn:             stunTurn,
+		InterfaceBlackList:   e.config.IFaceBlackList,
+		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
+		Timeout:              timeout,
+		UDPMux:               e.udpMux.UDPMuxDefault,
+		UDPMuxSrflx:          e.udpMux,
+		WgConfig:             wgConfig,
+		LocalWgPort:          e.config.WgPort,
+		NATExternalIPs:       e.parseNATExternalIPMappings(),
+		UserspaceBind:        e.wgInterface.IsUserspaceBind(),
+		RosenpassPubKey:      e.getRosenpassPubKey(),
+		RosenpassAddr:        e.getRosenpassAddr(),
 	}

-	peerConn, err := peer.NewConn(e.ctx, config, e.statusRecorder, e.wgProxyFactory, e.signaler, e.mobileDep.IFaceDiscover, e.relayManager)
+	peerConn, err := peer.NewConn(config, e.statusRecorder, e.wgProxyFactory, e.mobileDep.TunAdapter, e.mobileDep.IFaceDiscover)
 	if err != nil {
 		return nil, err
 	}

+	wgPubKey, err := wgtypes.ParseKey(pubKey)
+	if err != nil {
+		return nil, err
+	}
+
+	signalOffer := func(offerAnswer peer.OfferAnswer) error {
+		return SignalOfferAnswer(offerAnswer, e.config.WgPrivateKey, wgPubKey, e.signal, false)
+	}
+
+	signalCandidate := func(candidate ice.Candidate) error {
+		return signalCandidate(candidate, e.config.WgPrivateKey, wgPubKey, e.signal)
+	}
+
+	signalAnswer := func(offerAnswer peer.OfferAnswer) error {
+		return SignalOfferAnswer(offerAnswer, e.config.WgPrivateKey, wgPubKey, e.signal, true)
+	}
+
+	peerConn.SetSignalCandidate(signalCandidate)
+	peerConn.SetSignalOffer(signalOffer)
+	peerConn.SetSignalAnswer(signalAnswer)
+	peerConn.SetSendSignalMessage(func(message *sProto.Message) error {
+		return sendSignal(message, e.signal)
+	})
+
 	if e.rpManager != nil {
+
 		peerConn.SetOnConnected(e.rpManager.OnConnected)
 		peerConn.SetOnDisconnected(e.rpManager.OnDisconnected)
 	}
@@ -978,7 +984,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 func (e *Engine) receiveSignalEvents() {
 	go func() {
 		// connect to a stream of messages coming from the signal server
-		err := e.signal.Receive(e.ctx, func(msg *sProto.Message) error {
+		err := e.signal.Receive(func(msg *sProto.Message) error {
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()

@@ -994,6 +1000,8 @@ func (e *Engine) receiveSignalEvents() {
 					return err
 				}

+				conn.RegisterProtoSupportMeta(msg.Body.GetFeaturesSupported())
+
 				var rosenpassPubKey []byte
 				rosenpassAddr := ""
 				if msg.GetBody().GetRosenpassConfig() != nil {
@@ -1009,7 +1017,6 @@ func (e *Engine) receiveSignalEvents() {
 					Version:         msg.GetBody().GetNetBirdVersion(),
 					RosenpassPubKey: rosenpassPubKey,
 					RosenpassAddr:   rosenpassAddr,
-					RelaySrvAddress: msg.GetBody().GetRelayServerAddress(),
 				})
 			case sProto.Body_ANSWER:
 				remoteCred, err := signal.UnMarshalCredential(msg)
@@ -1017,6 +1024,8 @@ func (e *Engine) receiveSignalEvents() {
 					return err
 				}

+				conn.RegisterProtoSupportMeta(msg.GetBody().GetFeaturesSupported())
+
 				var rosenpassPubKey []byte
 				rosenpassAddr := ""
 				if msg.GetBody().GetRosenpassConfig() != nil {
@@ -1032,7 +1041,6 @@ func (e *Engine) receiveSignalEvents() {
 					Version:         msg.GetBody().GetNetBirdVersion(),
 					RosenpassPubKey: rosenpassPubKey,
 					RosenpassAddr:   rosenpassAddr,
-					RelaySrvAddress: msg.GetBody().GetRelayServerAddress(),
 				})
 			case sProto.Body_CANDIDATE:
 				candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
@@ -1040,8 +1048,7 @@ func (e *Engine) receiveSignalEvents() {
 					log.Errorf("failed on parsing remote candidate %s -> %s", candidate, err)
 					return err
 				}
-
-				go conn.OnRemoteCandidate(candidate, e.GetClientRoutes())
+				conn.OnRemoteCandidate(candidate)
 			case sProto.Body_MODE:
 			}

@@ -1051,7 +1058,7 @@ func (e *Engine) receiveSignalEvents() {
 			// happens if signal is unavailable for a long time.
 			// We want to cancel the operation of the whole client
 			_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
-			e.clientCancel()
+			e.cancel()
 			return
 		}
 	}()
@@ -1112,16 +1119,13 @@ func (e *Engine) parseNATExternalIPMappings() []string {
 }

 func (e *Engine) close() {
-	if e.wgProxyFactory != nil {
-		if err := e.wgProxyFactory.Free(); err != nil {
-			log.Errorf("failed closing ebpf proxy: %s", err)
-		}
+	if err := e.wgProxyFactory.Free(); err != nil {
+		log.Errorf("failed closing ebpf proxy: %s", err)
 	}

 	// stop/restore DNS first so dbus and friends don't complain because of a missing interface
 	if e.dnsServer != nil {
 		e.dnsServer.Stop()
-		e.dnsServer = nil
 	}

 	if e.routeManager != nil {
@@ -1155,8 +1159,7 @@ func (e *Engine) close() {
 }

 func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, error) {
-	info := system.GetInfo(e.ctx)
-	netMap, err := e.mgmClient.GetNetworkMap(info)
+	netMap, err := e.mgmClient.GetNetworkMap()
 	if err != nil {
 		return nil, nil, err
 	}
@@ -1185,7 +1188,7 @@ func (e *Engine) newWgIface() (*iface.WGIface, error) {
 	default:
 	}

-	return iface.NewWGIFace(e.config.WgIfaceName, e.config.WgAddr, e.config.WgPort, e.config.WgPrivateKey.String(), iface.DefaultMTU, transportNet, mArgs, e.addrViaRoutes)
+	return iface.NewWGIFace(e.config.WgIfaceName, e.config.WgAddr, e.config.WgPort, e.config.WgPrivateKey.String(), iface.DefaultMTU, transportNet, mArgs)
 }

 func (e *Engine) wgInterfaceCreate() (err error) {
@@ -1235,21 +1238,18 @@ func (e *Engine) newDnsServer() ([]*route.Route, dns.Server, error) {
 }

 // GetClientRoutes returns the current routes from the route map
-func (e *Engine) GetClientRoutes() route.HAMap {
-	e.clientRoutesMu.RLock()
-	defer e.clientRoutesMu.RUnlock()
-
-	return maps.Clone(e.clientRoutes)
+func (e *Engine) GetClientRoutes() map[string][]*route.Route {
+	return e.clientRoutes
 }

 // GetClientRoutesWithNetID returns the current routes from the route map, but the keys consist of the network ID only
-func (e *Engine) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
-	e.clientRoutesMu.RLock()
-	defer e.clientRoutesMu.RUnlock()
-
-	routes := make(map[route.NetID][]*route.Route, len(e.clientRoutes))
+func (e *Engine) GetClientRoutesWithNetID() map[string][]*route.Route {
+	routes := make(map[string][]*route.Route, len(e.clientRoutes))
 	for id, v := range e.clientRoutes {
-		routes[id.NetID()] = v
+		if i := strings.LastIndex(id, "-"); i != -1 {
+			id = id[:i]
+		}
+		routes[id] = v
 	}
 	return routes
 }
@@ -1337,7 +1337,7 @@ func (e *Engine) receiveProbeEvents() {

 			for _, peer := range e.peerConns {
 				key := peer.GetKey()
-				wgStats, err := peer.WgConfig().WgInterface.GetStats(key)
+				wgStats, err := peer.GetConf().WgConfig.WgInterface.GetStats(key)
 				if err != nil {
 					log.Debugf("failed to get wg stats for peer %s: %s", key, err)
 				}
@@ -1359,89 +1359,3 @@ func (e *Engine) probeSTUNs() []relay.ProbeResult {
 func (e *Engine) probeTURNs() []relay.ProbeResult {
 	return relay.ProbeAll(e.ctx, relay.ProbeTURN, e.TURNs)
 }
-
-func (e *Engine) restartEngine() {
-	if err := e.Stop(); err != nil {
-		log.Errorf("Failed to stop engine: %v", err)
-	}
-	if err := e.Start(); err != nil {
-		log.Errorf("Failed to start engine: %v", err)
-	}
-}
-
-func (e *Engine) startNetworkMonitor() {
-	if !e.config.NetworkMonitor {
-		log.Infof("Network monitor is disabled, not starting")
-		return
-	}
-
-	e.networkMonitor = networkmonitor.New()
-	go func() {
-		var mu sync.Mutex
-		var debounceTimer *time.Timer
-
-		// Start the network monitor with a callback, Start will block until the monitor is stopped,
-		// a network change is detected, or an error occurs on start up
-		err := e.networkMonitor.Start(e.ctx, func() {
-			// This function is called when a network change is detected
-			mu.Lock()
-			defer mu.Unlock()
-
-			if debounceTimer != nil {
-				debounceTimer.Stop()
-			}
-
-			// Set a new timer to debounce rapid network changes
-			debounceTimer = time.AfterFunc(1*time.Second, func() {
-				// This function is called after the debounce period
-				mu.Lock()
-				defer mu.Unlock()
-
-				log.Infof("Network monitor detected network change, restarting engine")
-				e.restartEngine()
-			})
-		})
-		if err != nil && !errors.Is(err, networkmonitor.ErrStopped) {
-			log.Errorf("Network monitor: %v", err)
-		}
-	}()
-}
-
-func (e *Engine) addrViaRoutes(addr netip.Addr) (bool, netip.Prefix, error) {
-	var vpnRoutes []netip.Prefix
-	for _, routes := range e.GetClientRoutes() {
-		if len(routes) > 0 && routes[0] != nil {
-			vpnRoutes = append(vpnRoutes, routes[0].Network)
-		}
-	}
-
-	if isVpn, prefix := systemops.IsAddrRouted(addr, vpnRoutes); isVpn {
-		return true, prefix, nil
-	}
-
-	return false, netip.Prefix{}, nil
-}
-
-// isChecksEqual checks if two slices of checks are equal.
-func isChecksEqual(checks []*mgmProto.Checks, oChecks []*mgmProto.Checks) bool {
-	return slices.EqualFunc(checks, oChecks, func(checks, oChecks *mgmProto.Checks) bool {
-		return slices.Equal(checks.Files, oChecks.Files)
-	})
-}
-
-func (e *Engine) IsWGIfaceUp() bool {
-	if e == nil || e.wgInterface == nil {
-		return false
-	}
-	iface, err := net.InterfaceByName(e.wgInterface.Name())
-	if err != nil {
-		log.Debugf("failed to get interface by name %s: %v", e.wgInterface.Name(), err)
-		return false
-	}
-
-	if iface.Flags&net.FlagUp != 0 {
-		return true
-	}
-
-	return false
-}
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -17,7 +17,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"go.opentelemetry.io/otel"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/keepalive"
@@ -36,7 +35,6 @@ import (
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
-	relayClient "github.com/netbirdio/netbird/relay/client"
 	"github.com/netbirdio/netbird/route"
 	signal "github.com/netbirdio/netbird/signal/client"
 	"github.com/netbirdio/netbird/signal/proto"
@@ -58,16 +56,10 @@ var (
 	}
 )

-func TestMain(m *testing.M) {
-	_ = util.InitLog("debug", "console")
-	code := m.Run()
-	os.Exit(code)
-}
-
 func TestEngine_SSH(t *testing.T) {
-	// todo resolve test execution on freebsd
-	if runtime.GOOS == "windows" || runtime.GOOS == "freebsd" {
-		t.Skip("skipping TestEngine_SSH")
+
+	if runtime.GOOS == "windows" {
+		t.Skip("skipping TestEngine_SSH on Windows")
 	}

 	key, err := wgtypes.GeneratePrivateKey()
@@ -79,23 +71,13 @@ func TestEngine_SSH(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

-	relayMgr := relayClient.NewManager(ctx, "", key.PublicKey().String())
-	engine := NewEngine(
-		ctx, cancel,
-		&signal.MockClient{},
-		&mgmt.MockClient{},
-		relayMgr,
-		&EngineConfig{
-			WgIfaceName:      "utun101",
-			WgAddr:           "100.64.0.1/24",
-			WgPrivateKey:     key,
-			WgPort:           33100,
-			ServerSSHAllowed: true,
-		},
-		MobileDependency{},
-		peer.NewRecorder("https://mgm"),
-		nil,
-	)
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
+		WgIfaceName:      "utun101",
+		WgAddr:           "100.64.0.1/24",
+		WgPrivateKey:     key,
+		WgPort:           33100,
+		ServerSSHAllowed: true,
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"))

 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
@@ -191,7 +173,7 @@ func TestEngine_SSH(t *testing.T) {
 		t.Fatal(err)
 	}

-	// time.Sleep(250 * time.Millisecond)
+	//time.Sleep(250 * time.Millisecond)
 	assert.NotNil(t, engine.sshServer)
 	assert.Contains(t, sshPeersRemoved, "MNHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=")

@@ -224,29 +206,21 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

-	relayMgr := relayClient.NewManager(ctx, "", key.PublicKey().String())
-	engine := NewEngine(
-		ctx, cancel,
-		&signal.MockClient{},
-		&mgmt.MockClient{},
-		relayMgr,
-		&EngineConfig{
-			WgIfaceName:  "utun102",
-			WgAddr:       "100.64.0.1/24",
-			WgPrivateKey: key,
-			WgPort:       33100,
-		},
-		MobileDependency{},
-		peer.NewRecorder("https://mgm"),
-		nil)
-
-	wgIface := &iface.MockWGIface{
-		RemovePeerFunc: func(peerKey string) error {
-			return nil
-		},
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
+		WgIfaceName:  "utun102",
+		WgAddr:       "100.64.0.1/24",
+		WgPrivateKey: key,
+		WgPort:       33100,
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+	newNet, err := stdnet.NewNet()
+	if err != nil {
+		t.Fatal(err)
 	}
-	engine.wgInterface = wgIface
-	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), time.Minute, engine.wgInterface, engine.statusRecorder, nil)
+	engine.wgInterface, err = iface.NewWGIFace("utun102", "100.64.0.1/24", engine.config.WgPort, key.String(), iface.DefaultMTU, newNet, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), engine.wgInterface, engine.statusRecorder, nil)
 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
 	}
@@ -255,7 +229,6 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		t.Fatal(err)
 	}
 	engine.udpMux = bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: conn})
-	engine.ctx = ctx

 	type testCase struct {
 		name       string
@@ -419,7 +392,7 @@ func TestEngine_Sync(t *testing.T) {
 	// feed updates to Engine via mocked Management client
 	updates := make(chan *mgmtProto.SyncResponse)
 	defer close(updates)
-	syncFunc := func(ctx context.Context, info *system.Info, msgHandler func(msg *mgmtProto.SyncResponse) error) error {
+	syncFunc := func(msgHandler func(msg *mgmtProto.SyncResponse) error) error {
 		for msg := range updates {
 			err := msgHandler(msg)
 			if err != nil {
@@ -428,14 +401,13 @@ func TestEngine_Sync(t *testing.T) {
 		}
 		return nil
 	}
-	relayMgr := relayClient.NewManager(ctx, "", key.PublicKey().String())
-	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{SyncFunc: syncFunc}, relayMgr, &EngineConfig{
+
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{SyncFunc: syncFunc}, &EngineConfig{
 		WgIfaceName:  "utun103",
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
-	engine.ctx = ctx
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"))

 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
@@ -588,19 +560,17 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
 			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)

-			relayMgr := relayClient.NewManager(ctx, "", key.PublicKey().String())
-			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
+			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
-			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
-			engine.ctx = ctx
+			}, MobileDependency{}, peer.NewRecorder("https://mgm"))
 			newNet, err := stdnet.NewNet()
 			if err != nil {
 				t.Fatal(err)
 			}
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, engine.config.WgPort, key.String(), iface.DefaultMTU, newNet, nil, nil)
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, engine.config.WgPort, key.String(), iface.DefaultMTU, newNet, nil)
 			assert.NoError(t, err, "shouldn't return error")
 			input := struct {
 				inputSerial uint64
@@ -608,7 +578,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			}{}

 			mockRouteManager := &routemanager.MockManager{
-				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error) {
+				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) (map[string]*route.Route, map[string][]*route.Route, error) {
 					input.inputSerial = updateSerial
 					input.inputRoutes = newRoutes
 					return nil, nil, testCase.inputErr
@@ -759,24 +729,21 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
 			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)

-			relayMgr := relayClient.NewManager(ctx, "", key.PublicKey().String())
-			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
+			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
-			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
-			engine.ctx = ctx
-
+			}, MobileDependency{}, peer.NewRecorder("https://mgm"))
 			newNet, err := stdnet.NewNet()
 			if err != nil {
 				t.Fatal(err)
 			}
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, 33100, key.String(), iface.DefaultMTU, newNet, nil, nil)
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, 33100, key.String(), iface.DefaultMTU, newNet, nil)
 			assert.NoError(t, err, "shouldn't return error")

 			mockRouteManager := &routemanager.MockManager{
-				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error) {
+				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) (map[string]*route.Route, map[string][]*route.Route, error) {
 					return nil, nil, nil
 				},
 			}
@@ -838,13 +805,13 @@ func TestEngine_MultiplePeers(t *testing.T) {
 	ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
 	defer cancel()

-	sigServer, signalAddr, err := startSignal(t)
+	sigServer, signalAddr, err := startSignal()
 	if err != nil {
 		t.Fatal(err)
 		return
 	}
 	defer sigServer.Stop()
-	mgmtServer, mgmtAddr, err := startManagement(t, dir)
+	mgmtServer, mgmtAddr, err := startManagement(dir)
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -1036,15 +1003,10 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		WgPort:       wgPort,
 	}

-	relayMgr := relayClient.NewManager(ctx, "", key.PublicKey().String())
-	e, err := NewEngine(ctx, cancel, signalClient, mgmtClient, relayMgr, conf, MobileDependency{}, peer.NewRecorder("https://mgm"), nil), nil
-	e.ctx = ctx
-	return e, err
+	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf, MobileDependency{}, peer.NewRecorder("https://mgm")), nil
 }

-func startSignal(t *testing.T) (*grpc.Server, string, error) {
-	t.Helper()
-
+func startSignal() (*grpc.Server, string, error) {
 	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))

 	lis, err := net.Listen("tcp", "localhost:0")
@@ -1052,9 +1014,7 @@ func startSignal(t *testing.T) (*grpc.Server, string, error) {
 		log.Fatalf("failed to listen: %v", err)
 	}

-	srv, err := signalServer.NewServer(otel.Meter(""))
-	require.NoError(t, err)
-	proto.RegisterSignalExchangeServer(s, srv)
+	proto.RegisterSignalExchangeServer(s, signalServer.NewServer())

 	go func() {
 		if err = s.Serve(lis); err != nil {
@@ -1065,9 +1025,7 @@ func startSignal(t *testing.T) (*grpc.Server, string, error) {
 	return s, lis.Addr().String(), nil
 }

-func startManagement(t *testing.T, dataDir string) (*grpc.Server, string, error) {
-	t.Helper()
-
+func startManagement(dataDir string) (*grpc.Server, string, error) {
 	config := &server.Config{
 		Stuns:      []*server.Host{},
 		TURNConfig: &server.TURNConfig{},
@@ -1084,28 +1042,23 @@ func startManagement(t *testing.T, dataDir string) (*grpc.Server, string, error)
 		return nil, "", err
 	}
 	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
-
-	store, cleanUp, err := server.NewTestStoreFromJson(context.Background(), config.Datadir)
+	store, err := server.NewStoreFromJson(config.Datadir, nil)
 	if err != nil {
 		return nil, "", err
 	}
-	t.Cleanup(cleanUp)

 	peersUpdateManager := server.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, "", err
 	}
-	ia, _ := integrations.NewIntegratedValidator(context.Background(), eventStore)
-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia)
+	ia, _ := integrations.NewIntegratedValidator(eventStore)
+	accountManager, err := server.BuildManager(store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia)
 	if err != nil {
 		return nil, "", err
 	}
-	rc := &server.RelayConfig{
-		Address: "127.0.0.1:1234",
-	}
-	turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, rc)
-	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, peersUpdateManager, turnManager, nil, nil)
+	turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
+	mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager, nil, nil)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/internal/engine_watcher.go
+++ b/client/internal/engine_watcher.go
@@ -0,0 +1 @@
+package internal
--- a/client/internal/login.go
+++ b/client/internal/login.go
@@ -68,7 +68,7 @@ func Login(ctx context.Context, config *Config, setupKey string, jwtToken string
 	}

 	serverKey, err := doMgmLogin(ctx, mgmClient, pubSSHKey)
-	if serverKey != nil && isRegistrationNeeded(err) {
+	if isRegistrationNeeded(err) {
 		log.Debugf("peer registration required")
 		_, err = registerPeer(ctx, *serverKey, mgmClient, setupKey, jwtToken, pubSSHKey)
 		return err
--- a/client/internal/networkmonitor/monitor.go
+++ b/client/internal/networkmonitor/monitor.go
@@ -1,21 +0,0 @@
-package networkmonitor
-
-import (
-	"context"
-	"errors"
-	"sync"
-)
-
-var ErrStopped = errors.New("monitor has been stopped")
-
-// NetworkMonitor watches for changes in network configuration.
-type NetworkMonitor struct {
-	cancel context.CancelFunc
-	wg     sync.WaitGroup
-	mu     sync.Mutex
-}
-
-// New creates a new network monitor.
-func New() *NetworkMonitor {
-	return &NetworkMonitor{}
-}
--- a/client/internal/networkmonitor/monitor_bsd.go
+++ b/client/internal/networkmonitor/monitor_bsd.go
@@ -1,107 +0,0 @@
-//go:build (darwin && !ios) || dragonfly || freebsd || netbsd || openbsd
-
-package networkmonitor
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"syscall"
-	"unsafe"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/net/route"
-	"golang.org/x/sys/unix"
-
-	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
-)
-
-func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop, callback func()) error {
-	fd, err := unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
-	if err != nil {
-		return fmt.Errorf("failed to open routing socket: %v", err)
-	}
-	defer func() {
-		err := unix.Close(fd)
-		if err != nil && !errors.Is(err, unix.EBADF) {
-			log.Errorf("Network monitor: failed to close routing socket: %v", err)
-		}
-	}()
-
-	go func() {
-		<-ctx.Done()
-		err := unix.Close(fd)
-		if err != nil && !errors.Is(err, unix.EBADF) {
-			log.Debugf("Network monitor: closed routing socket")
-		}
-	}()
-
-	for {
-		select {
-		case <-ctx.Done():
-			return ErrStopped
-		default:
-			buf := make([]byte, 2048)
-			n, err := unix.Read(fd, buf)
-			if err != nil {
-				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
-					log.Errorf("Network monitor: failed to read from routing socket: %v", err)
-				}
-				continue
-			}
-			if n < unix.SizeofRtMsghdr {
-				log.Errorf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
-				continue
-			}
-
-			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
-
-			switch msg.Type {
-			// handle route changes
-			case unix.RTM_ADD, syscall.RTM_DELETE:
-				route, err := parseRouteMessage(buf[:n])
-				if err != nil {
-					log.Errorf("Network monitor: error parsing routing message: %v", err)
-					continue
-				}
-
-				if !route.Dst.Addr().IsUnspecified() {
-					continue
-				}
-
-				intf := "<nil>"
-				if route.Interface != nil {
-					intf = route.Interface.Name
-				}
-				switch msg.Type {
-				case unix.RTM_ADD:
-					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
-					go callback()
-				case unix.RTM_DELETE:
-					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
-						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
-						go callback()
-					}
-				}
-			}
-		}
-	}
-}
-
-func parseRouteMessage(buf []byte) (*systemops.Route, error) {
-	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
-	if err != nil {
-		return nil, fmt.Errorf("parse RIB: %v", err)
-	}
-
-	if len(msgs) != 1 {
-		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
-	}
-
-	msg, ok := msgs[0].(*route.RouteMessage)
-	if !ok {
-		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
-	}
-
-	return systemops.MsgToRoute(msg)
-}
--- a/client/internal/networkmonitor/monitor_generic.go
+++ b/client/internal/networkmonitor/monitor_generic.go
@@ -1,82 +0,0 @@
-//go:build !ios && !android
-
-package networkmonitor
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/netip"
-	"runtime/debug"
-
-	"github.com/cenkalti/backoff/v4"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
-)
-
-// Start begins monitoring network changes. When a change is detected, it calls the callback asynchronously and returns.
-func (nw *NetworkMonitor) Start(ctx context.Context, callback func()) (err error) {
-	if ctx.Err() != nil {
-		return ctx.Err()
-	}
-
-	nw.mu.Lock()
-	ctx, nw.cancel = context.WithCancel(ctx)
-	nw.mu.Unlock()
-
-	nw.wg.Add(1)
-	defer nw.wg.Done()
-
-	var nexthop4, nexthop6 systemops.Nexthop
-
-	operation := func() error {
-		var errv4, errv6 error
-		nexthop4, errv4 = systemops.GetNextHop(netip.IPv4Unspecified())
-		nexthop6, errv6 = systemops.GetNextHop(netip.IPv6Unspecified())
-
-		if errv4 != nil && errv6 != nil {
-			return errors.New("failed to get default next hops")
-		}
-
-		if errv4 == nil {
-			log.Debugf("Network monitor: IPv4 default route: %s, interface: %s", nexthop4.IP, nexthop4.Intf.Name)
-		}
-		if errv6 == nil {
-			log.Debugf("Network monitor: IPv6 default route: %s, interface: %s", nexthop6.IP, nexthop6.Intf.Name)
-		}
-
-		// continue if either route was found
-		return nil
-	}
-
-	expBackOff := backoff.WithContext(backoff.NewExponentialBackOff(), ctx)
-
-	if err := backoff.Retry(operation, expBackOff); err != nil {
-		return fmt.Errorf("failed to get default next hops: %w", err)
-	}
-
-	// recover in case sys ops panic
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("panic occurred: %v, stack trace: %s", r, string(debug.Stack()))
-		}
-	}()
-
-	if err := checkChange(ctx, nexthop4, nexthop6, callback); err != nil {
-		return fmt.Errorf("check change: %w", err)
-	}
-
-	return nil
-}
-
-// Stop stops the network monitor.
-func (nw *NetworkMonitor) Stop() {
-	nw.mu.Lock()
-	defer nw.mu.Unlock()
-
-	if nw.cancel != nil {
-		nw.cancel()
-		nw.wg.Wait()
-	}
-}
--- a/client/internal/networkmonitor/monitor_linux.go
+++ b/client/internal/networkmonitor/monitor_linux.go
@@ -1,57 +0,0 @@
-//go:build !android
-
-package networkmonitor
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"syscall"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/vishvananda/netlink"
-
-	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
-)
-
-func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop, callback func()) error {
-	if nexthopv4.Intf == nil && nexthopv6.Intf == nil {
-		return errors.New("no interfaces available")
-	}
-
-	done := make(chan struct{})
-	defer close(done)
-
-	routeChan := make(chan netlink.RouteUpdate)
-	if err := netlink.RouteSubscribe(routeChan, done); err != nil {
-		return fmt.Errorf("subscribe to route updates: %v", err)
-	}
-
-	log.Info("Network monitor: started")
-	for {
-		select {
-		case <-ctx.Done():
-			return ErrStopped
-
-		// handle route changes
-		case route := <-routeChan:
-			// default route and main table
-			if route.Dst != nil || route.Table != syscall.RT_TABLE_MAIN {
-				continue
-			}
-			switch route.Type {
-			// triggered on added/replaced routes
-			case syscall.RTM_NEWROUTE:
-				log.Infof("Network monitor: default route changed: via %s, interface %d", route.Gw, route.LinkIndex)
-				go callback()
-				return nil
-			case syscall.RTM_DELROUTE:
-				if nexthopv4.Intf != nil && route.Gw.Equal(nexthopv4.IP.AsSlice()) || nexthopv6.Intf != nil && route.Gw.Equal(nexthopv6.IP.AsSlice()) {
-					log.Infof("Network monitor: default route removed: via %s, interface %d", route.Gw, route.LinkIndex)
-					go callback()
-					return nil
-				}
-			}
-		}
-	}
-}
--- a/client/internal/networkmonitor/monitor_mobile.go
+++ b/client/internal/networkmonitor/monitor_mobile.go
@@ -1,12 +0,0 @@
-//go:build ios || android
-
-package networkmonitor
-
-import "context"
-
-func (nw *NetworkMonitor) Start(context.Context, func()) error {
-	return nil
-}
-
-func (nw *NetworkMonitor) Stop() {
-}
--- a/client/internal/networkmonitor/monitor_windows.go
+++ b/client/internal/networkmonitor/monitor_windows.go
@@ -1,254 +0,0 @@
-package networkmonitor
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"strings"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
-)
-
-const (
-	unreachable = 0
-	incomplete  = 1
-	probe       = 2
-	delay       = 3
-	stale       = 4
-	reachable   = 5
-	permanent   = 6
-	tbd         = 7
-)
-
-const interval = 10 * time.Second
-
-func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop, callback func()) error {
-	var neighborv4, neighborv6 *systemops.Neighbor
-	{
-		initialNeighbors, err := getNeighbors()
-		if err != nil {
-			return fmt.Errorf("get neighbors: %w", err)
-		}
-
-		neighborv4 = assignNeighbor(nexthopv4, initialNeighbors)
-		neighborv6 = assignNeighbor(nexthopv6, initialNeighbors)
-	}
-	log.Debugf("Network monitor: initial IPv4 neighbor: %v, IPv6 neighbor: %v", neighborv4, neighborv6)
-
-	ticker := time.NewTicker(interval)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-ctx.Done():
-			return ErrStopped
-		case <-ticker.C:
-			if changed(nexthopv4, neighborv4, nexthopv6, neighborv6) {
-				go callback()
-				return nil
-			}
-		}
-	}
-}
-
-func assignNeighbor(nexthop systemops.Nexthop, initialNeighbors map[netip.Addr]systemops.Neighbor) *systemops.Neighbor {
-	if n, ok := initialNeighbors[nexthop.IP]; ok &&
-		n.State != unreachable &&
-		n.State != incomplete &&
-		n.State != tbd {
-		return &n
-	}
-	return nil
-}
-
-func changed(
-	nexthopv4 systemops.Nexthop,
-	neighborv4 *systemops.Neighbor,
-	nexthopv6 systemops.Nexthop,
-	neighborv6 *systemops.Neighbor,
-) bool {
-	neighbors, err := getNeighbors()
-	if err != nil {
-		log.Errorf("network monitor: error fetching current neighbors: %v", err)
-		return false
-	}
-	if neighborChanged(nexthopv4, neighborv4, neighbors) || neighborChanged(nexthopv6, neighborv6, neighbors) {
-		return true
-	}
-
-	routes, err := getRoutes()
-	if err != nil {
-		log.Errorf("network monitor: error fetching current routes: %v", err)
-		return false
-	}
-
-	if routeChanged(nexthopv4, nexthopv4.Intf, routes) || routeChanged(nexthopv6, nexthopv6.Intf, routes) {
-		return true
-	}
-
-	return false
-}
-
-// routeChanged checks if the default routes still point to our nexthop/interface
-func routeChanged(nexthop systemops.Nexthop, intf *net.Interface, routes []systemops.Route) bool {
-	if !nexthop.IP.IsValid() {
-		return false
-	}
-
-	if isSoftInterface(nexthop.Intf.Name) {
-		log.Tracef("network monitor: ignoring default route change for soft interface %s", nexthop.Intf.Name)
-		return false
-	}
-
-	unspec := getUnspecifiedPrefix(nexthop.IP)
-	defaultRoutes, foundMatchingRoute := processRoutes(nexthop, intf, routes, unspec)
-
-	log.Tracef("network monitor: all default routes:\n%s", strings.Join(defaultRoutes, "\n"))
-
-	if !foundMatchingRoute {
-		logRouteChange(nexthop.IP, intf)
-		return true
-	}
-
-	return false
-}
-
-func getUnspecifiedPrefix(ip netip.Addr) netip.Prefix {
-	if ip.Is6() {
-		return netip.PrefixFrom(netip.IPv6Unspecified(), 0)
-	}
-	return netip.PrefixFrom(netip.IPv4Unspecified(), 0)
-}
-
-func processRoutes(nexthop systemops.Nexthop, nexthopIntf *net.Interface, routes []systemops.Route, unspec netip.Prefix) ([]string, bool) {
-	var defaultRoutes []string
-	foundMatchingRoute := false
-
-	for _, r := range routes {
-		if r.Destination == unspec {
-			routeInfo := formatRouteInfo(r)
-			defaultRoutes = append(defaultRoutes, routeInfo)
-
-			if r.Nexthop == nexthop.IP && compareIntf(r.Interface, nexthopIntf) == 0 {
-				foundMatchingRoute = true
-				log.Debugf("network monitor: found matching default route: %s", routeInfo)
-			}
-		}
-	}
-
-	return defaultRoutes, foundMatchingRoute
-}
-
-func formatRouteInfo(r systemops.Route) string {
-	newIntf := "<nil>"
-	if r.Interface != nil {
-		newIntf = r.Interface.Name
-	}
-	return fmt.Sprintf("Nexthop: %s, Interface: %s", r.Nexthop, newIntf)
-}
-
-func logRouteChange(ip netip.Addr, intf *net.Interface) {
-	oldIntf := "<nil>"
-	if intf != nil {
-		oldIntf = intf.Name
-	}
-	log.Infof("network monitor: default route for %s (%s) is gone or changed", ip, oldIntf)
-}
-
-func neighborChanged(nexthop systemops.Nexthop, neighbor *systemops.Neighbor, neighbors map[netip.Addr]systemops.Neighbor) bool {
-	if neighbor == nil {
-		return false
-	}
-
-	// TODO: consider non-local nexthops, e.g. on point-to-point interfaces
-	if n, ok := neighbors[nexthop.IP]; ok {
-		if n.State == unreachable || n.State == incomplete {
-			log.Infof("network monitor: neighbor %s (%s) is not reachable: %s", neighbor.IPAddress, neighbor.LinkLayerAddress, stateFromInt(n.State))
-			return true
-		} else if n.InterfaceIndex != neighbor.InterfaceIndex {
-			log.Infof(
-				"network monitor: neighbor %s (%s) changed interface from '%s' (%d) to '%s' (%d): %s",
-				neighbor.IPAddress,
-				neighbor.LinkLayerAddress,
-				neighbor.InterfaceAlias,
-				neighbor.InterfaceIndex,
-				n.InterfaceAlias,
-				n.InterfaceIndex,
-				stateFromInt(n.State),
-			)
-			return true
-		}
-	} else {
-		log.Infof("network monitor: neighbor %s (%s) is gone", neighbor.IPAddress, neighbor.LinkLayerAddress)
-		return true
-	}
-
-	return false
-}
-
-func getNeighbors() (map[netip.Addr]systemops.Neighbor, error) {
-	entries, err := systemops.GetNeighbors()
-	if err != nil {
-		return nil, fmt.Errorf("get neighbors: %w", err)
-	}
-
-	neighbours := make(map[netip.Addr]systemops.Neighbor, len(entries))
-	for _, entry := range entries {
-		neighbours[entry.IPAddress] = entry
-	}
-
-	return neighbours, nil
-}
-
-func getRoutes() ([]systemops.Route, error) {
-	entries, err := systemops.GetRoutes()
-	if err != nil {
-		return nil, fmt.Errorf("get routes: %w", err)
-	}
-
-	return entries, nil
-}
-
-func stateFromInt(state uint8) string {
-	switch state {
-	case unreachable:
-		return "unreachable"
-	case incomplete:
-		return "incomplete"
-	case probe:
-		return "probe"
-	case delay:
-		return "delay"
-	case stale:
-		return "stale"
-	case reachable:
-		return "reachable"
-	case permanent:
-		return "permanent"
-	case tbd:
-		return "tbd"
-	default:
-		return "unknown"
-	}
-}
-
-func compareIntf(a, b *net.Interface) int {
-	switch {
-	case a == nil && b == nil:
-		return 0
-	case a == nil:
-		return -1
-	case b == nil:
-		return 1
-	default:
-		return a.Index - b.Index
-	}
-}
-
-func isSoftInterface(name string) bool {
-	return strings.Contains(strings.ToLower(name), "isatap") || strings.Contains(strings.ToLower(name), "teredo")
-}
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -1,34 +1,25 @@
 package peer

 import (
-	"context"
-	"os"
 	"sync"
 	"testing"
 	"time"

 	"github.com/magiconair/properties/assert"
+	"github.com/pion/stun/v2"

 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/internal/wgproxy"
 	"github.com/netbirdio/netbird/iface"
-	"github.com/netbirdio/netbird/util"
 )

 var connConf = ConnConfig{
-	Key:         "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
-	LocalKey:    "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
-	Timeout:     time.Second,
-	LocalWgPort: 51820,
-	ICEConfig: ICEConfig{
-		InterfaceBlackList: nil,
-	},
-}
-
-func TestMain(m *testing.M) {
-	_ = util.InitLog("trace", "console")
-	code := m.Run()
-	os.Exit(code)
+	Key:                "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+	LocalKey:           "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+	StunTurn:           []*stun.URI{},
+	InterfaceBlackList: nil,
+	Timeout:            time.Second,
+	LocalWgPort:        51820,
 }

 func TestNewConn_interfaceFilter(t *testing.T) {
@@ -44,11 +35,11 @@ func TestNewConn_interfaceFilter(t *testing.T) {
 }

 func TestConn_GetKey(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), false, connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
-	conn, err := NewConn(context.Background(), connConf, nil, wgProxyFactory, nil, nil, nil)
+	conn, err := NewConn(connConf, nil, wgProxyFactory, nil, nil)
 	if err != nil {
 		return
 	}
@@ -59,11 +50,11 @@ func TestConn_GetKey(t *testing.T) {
 }

 func TestConn_OnRemoteOffer(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), false, connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
-	conn, err := NewConn(context.Background(), connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil, nil)
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil)
 	if err != nil {
 		return
 	}
@@ -71,7 +62,7 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 	wg := sync.WaitGroup{}
 	wg.Add(2)
 	go func() {
-		<-conn.handshaker.remoteOffersCh
+		<-conn.remoteOffersCh
 		wg.Done()
 	}()

@@ -96,11 +87,11 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 }

 func TestConn_OnRemoteAnswer(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), false, connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
-	conn, err := NewConn(context.Background(), connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil, nil)
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil)
 	if err != nil {
 		return
 	}
@@ -108,7 +99,7 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 	wg := sync.WaitGroup{}
 	wg.Add(2)
 	go func() {
-		<-conn.handshaker.remoteAnswerCh
+		<-conn.remoteAnswerCh
 		wg.Done()
 	}()

@@ -132,37 +123,62 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 	wg.Wait()
 }
 func TestConn_Status(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), false, connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
-	conn, err := NewConn(context.Background(), connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil, nil)
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil)
 	if err != nil {
 		return
 	}

 	tables := []struct {
-		name        string
-		statusIce   ConnStatus
-		statusRelay ConnStatus
-		want        ConnStatus
+		name   string
+		status ConnStatus
+		want   ConnStatus
 	}{
-		{"StatusConnected", StatusConnected, StatusConnected, StatusConnected},
-		{"StatusDisconnected", StatusDisconnected, StatusDisconnected, StatusDisconnected},
-		{"StatusConnecting", StatusConnecting, StatusConnecting, StatusConnecting},
-		{"StatusConnectingIce", StatusConnecting, StatusDisconnected, StatusConnecting},
-		{"StatusConnectingIceAlternative", StatusConnecting, StatusConnected, StatusConnected},
-		{"StatusConnectingRelay", StatusDisconnected, StatusConnecting, StatusConnecting},
-		{"StatusConnectingRelayAlternative", StatusConnected, StatusConnecting, StatusConnected},
+		{"StatusConnected", StatusConnected, StatusConnected},
+		{"StatusDisconnected", StatusDisconnected, StatusDisconnected},
+		{"StatusConnecting", StatusConnecting, StatusConnecting},
 	}

 	for _, table := range tables {
 		t.Run(table.name, func(t *testing.T) {
-			conn.statusICE = table.statusIce
-			conn.statusRelay = table.statusRelay
+			conn.status = table.status

 			got := conn.Status()
 			assert.Equal(t, got, table.want, "they should be equal")
 		})
 	}
 }
+
+func TestConn_Close(t *testing.T) {
+	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
+	defer func() {
+		_ = wgProxyFactory.Free()
+	}()
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil)
+	if err != nil {
+		return
+	}
+
+	wg := sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		<-conn.closeCh
+		wg.Done()
+	}()
+
+	go func() {
+		for {
+			err := conn.Close()
+			if err != nil {
+				continue
+			} else {
+				return
+			}
+		}
+	}()
+
+	wg.Wait()
+}
--- a/client/internal/peer/handshaker.go
+++ b/client/internal/peer/handshaker.go
@@ -1,191 +0,0 @@
-package peer
-
-import (
-	"context"
-	"errors"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/version"
-)
-
-var (
-	ErrSignalIsNotReady = errors.New("signal is not ready")
-)
-
-// IceCredentials ICE protocol credentials struct
-type IceCredentials struct {
-	UFrag string
-	Pwd   string
-}
-
-// OfferAnswer represents a session establishment offer or answer
-type OfferAnswer struct {
-	IceCredentials IceCredentials
-	// WgListenPort is a remote WireGuard listen port.
-	// This field is used when establishing a direct WireGuard connection without any proxy.
-	// We can set the remote peer's endpoint with this port.
-	WgListenPort int
-
-	// Version of NetBird Agent
-	Version string
-	// RosenpassPubKey is the Rosenpass public key of the remote peer when receiving this message
-	// This value is the local Rosenpass server public key when sending the message
-	RosenpassPubKey []byte
-	// RosenpassAddr is the Rosenpass server address (IP:port) of the remote peer when receiving this message
-	// This value is the local Rosenpass server address when sending the message
-	RosenpassAddr string
-
-	// relay server address
-	RelaySrvAddress string
-}
-
-type Handshaker struct {
-	mu                  sync.Mutex
-	ctx                 context.Context
-	log                 *log.Entry
-	config              ConnConfig
-	signaler            *Signaler
-	ice                 *WorkerICE
-	relay               *WorkerRelay
-	onNewOfferListeners []func(*OfferAnswer)
-
-	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
-	remoteOffersCh chan OfferAnswer
-	// remoteAnswerCh is a channel used to wait for remote credentials answer (confirmation of our offer) to proceed with the connection
-	remoteAnswerCh chan OfferAnswer
-}
-
-func NewHandshaker(ctx context.Context, log *log.Entry, config ConnConfig, signaler *Signaler, ice *WorkerICE, relay *WorkerRelay) *Handshaker {
-	return &Handshaker{
-		ctx:            ctx,
-		log:            log,
-		config:         config,
-		signaler:       signaler,
-		ice:            ice,
-		relay:          relay,
-		remoteOffersCh: make(chan OfferAnswer),
-		remoteAnswerCh: make(chan OfferAnswer),
-	}
-}
-
-func (h *Handshaker) AddOnNewOfferListener(offer func(remoteOfferAnswer *OfferAnswer)) {
-	h.onNewOfferListeners = append(h.onNewOfferListeners, offer)
-}
-
-func (h *Handshaker) Listen() {
-	for {
-		h.log.Debugf("wait for remote offer confirmation")
-		remoteOfferAnswer, err := h.waitForRemoteOfferConfirmation()
-		if err != nil {
-			if _, ok := err.(*ConnectionClosedError); ok {
-				h.log.Tracef("stop handshaker")
-				return
-			}
-			h.log.Errorf("failed to received remote offer confirmation: %s", err)
-			continue
-		}
-
-		h.log.Debugf("received connection confirmation, running version %s and with remote WireGuard listen port %d", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort)
-		for _, listener := range h.onNewOfferListeners {
-			go listener(remoteOfferAnswer)
-		}
-	}
-}
-
-func (h *Handshaker) SendOffer() error {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-	return h.sendOffer()
-}
-
-// OnRemoteOffer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
-// doesn't block, discards the message if connection wasn't ready
-func (h *Handshaker) OnRemoteOffer(offer OfferAnswer) bool {
-	select {
-	case h.remoteOffersCh <- offer:
-		return true
-	default:
-		h.log.Debugf("OnRemoteOffer skipping message because is not ready")
-		// connection might not be ready yet to receive so we ignore the message
-		return false
-	}
-}
-
-// OnRemoteAnswer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
-// doesn't block, discards the message if connection wasn't ready
-func (h *Handshaker) OnRemoteAnswer(answer OfferAnswer) bool {
-	select {
-	case h.remoteAnswerCh <- answer:
-		return true
-	default:
-		// connection might not be ready yet to receive so we ignore the message
-		h.log.Debugf("OnRemoteAnswer skipping message because is not ready")
-		return false
-	}
-}
-
-func (h *Handshaker) waitForRemoteOfferConfirmation() (*OfferAnswer, error) {
-	select {
-	case remoteOfferAnswer := <-h.remoteOffersCh:
-		// received confirmation from the remote peer -> ready to proceed
-		err := h.sendAnswer()
-		if err != nil {
-			return nil, err
-		}
-		return &remoteOfferAnswer, nil
-	case remoteOfferAnswer := <-h.remoteAnswerCh:
-		return &remoteOfferAnswer, nil
-	case <-h.ctx.Done():
-		// closed externally
-		return nil, NewConnectionClosedError(h.config.Key)
-	}
-}
-
-// sendOffer prepares local user credentials and signals them to the remote peer
-func (h *Handshaker) sendOffer() error {
-	if !h.signaler.Ready() {
-		return ErrSignalIsNotReady
-	}
-
-	iceUFrag, icePwd := h.ice.GetLocalUserCredentials()
-	offer := OfferAnswer{
-		IceCredentials:  IceCredentials{iceUFrag, icePwd},
-		WgListenPort:    h.config.LocalWgPort,
-		Version:         version.NetbirdVersion(),
-		RosenpassPubKey: h.config.RosenpassPubKey,
-		RosenpassAddr:   h.config.RosenpassAddr,
-	}
-
-	addr, err := h.relay.RelayInstanceAddress()
-	if err == nil {
-		offer.RelaySrvAddress = addr
-	}
-
-	return h.signaler.SignalOffer(offer, h.config.Key)
-}
-
-func (h *Handshaker) sendAnswer() error {
-	h.log.Debugf("sending answer")
-	uFrag, pwd := h.ice.GetLocalUserCredentials()
-
-	answer := OfferAnswer{
-		IceCredentials:  IceCredentials{uFrag, pwd},
-		WgListenPort:    h.config.LocalWgPort,
-		Version:         version.NetbirdVersion(),
-		RosenpassPubKey: h.config.RosenpassPubKey,
-		RosenpassAddr:   h.config.RosenpassAddr,
-	}
-	addr, err := h.relay.RelayInstanceAddress()
-	if err == nil {
-		answer.RelaySrvAddress = addr
-	}
-
-	err = h.signaler.SignalAnswer(answer, h.config.Key)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
--- a/client/internal/peer/signaler.go
+++ b/client/internal/peer/signaler.go
@@ -1,70 +0,0 @@
-package peer
-
-import (
-	"github.com/pion/ice/v3"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-
-	signal "github.com/netbirdio/netbird/signal/client"
-	sProto "github.com/netbirdio/netbird/signal/proto"
-)
-
-type Signaler struct {
-	signal       signal.Client
-	wgPrivateKey wgtypes.Key
-}
-
-func NewSignaler(signal signal.Client, wgPrivateKey wgtypes.Key) *Signaler {
-	return &Signaler{
-		signal:       signal,
-		wgPrivateKey: wgPrivateKey,
-	}
-}
-
-func (s *Signaler) SignalOffer(offer OfferAnswer, remoteKey string) error {
-	return s.signalOfferAnswer(offer, remoteKey, sProto.Body_OFFER)
-}
-
-func (s *Signaler) SignalAnswer(offer OfferAnswer, remoteKey string) error {
-	return s.signalOfferAnswer(offer, remoteKey, sProto.Body_ANSWER)
-}
-
-func (s *Signaler) SignalICECandidate(candidate ice.Candidate, remoteKey string) error {
-	return s.signal.Send(&sProto.Message{
-		Key:       s.wgPrivateKey.PublicKey().String(),
-		RemoteKey: remoteKey,
-		Body: &sProto.Body{
-			Type:    sProto.Body_CANDIDATE,
-			Payload: candidate.Marshal(),
-		},
-	})
-}
-
-func (s *Signaler) Ready() bool {
-	return s.signal.Ready()
-}
-
-// SignalOfferAnswer signals either an offer or an answer to remote peer
-func (s *Signaler) signalOfferAnswer(offerAnswer OfferAnswer, remoteKey string, bodyType sProto.Body_Type) error {
-	msg, err := signal.MarshalCredential(
-		s.wgPrivateKey,
-		offerAnswer.WgListenPort,
-		remoteKey,
-		&signal.Credential{
-			UFrag: offerAnswer.IceCredentials.UFrag,
-			Pwd:   offerAnswer.IceCredentials.Pwd,
-		},
-		bodyType,
-		offerAnswer.RosenpassPubKey,
-		offerAnswer.RosenpassAddr,
-		offerAnswer.RelaySrvAddress)
-	if err != nil {
-		return err
-	}
-
-	err = s.signal.Send(msg)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -2,18 +2,14 @@ package peer

 import (
 	"errors"
-	"net/netip"
 	"sync"
 	"time"

-	"golang.org/x/exp/maps"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"

 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/iface"
-	"github.com/netbirdio/netbird/management/domain"
-	relayClient "github.com/netbirdio/netbird/relay/client"
 )

 // State contains the latest state of a peer
@@ -25,11 +21,11 @@ type State struct {
 	ConnStatus                 ConnStatus
 	ConnStatusUpdate           time.Time
 	Relayed                    bool
+	Direct                     bool
 	LocalIceCandidateType      string
 	RemoteIceCandidateType     string
 	LocalIceCandidateEndpoint  string
 	RemoteIceCandidateEndpoint string
-	RelayServerAddress         string
 	LastWireguardHandshake     time.Time
 	BytesTx                    int64
 	BytesRx                    int64
@@ -41,25 +37,25 @@ type State struct {
 // AddRoute add a single route to routes map
 func (s *State) AddRoute(network string) {
 	s.Mux.Lock()
-	defer s.Mux.Unlock()
 	if s.routes == nil {
 		s.routes = make(map[string]struct{})
 	}
 	s.routes[network] = struct{}{}
+	s.Mux.Unlock()
 }

 // SetRoutes set state routes
 func (s *State) SetRoutes(routes map[string]struct{}) {
 	s.Mux.Lock()
-	defer s.Mux.Unlock()
 	s.routes = routes
+	s.Mux.Unlock()
 }

 // DeleteRoute removes a route from the network amp
 func (s *State) DeleteRoute(network string) {
 	s.Mux.Lock()
-	defer s.Mux.Unlock()
 	delete(s.routes, network)
+	s.Mux.Unlock()
 }

 // GetRoutes return routes map
@@ -121,50 +117,40 @@ type FullStatus struct {

 // Status holds a state of peers, signal, management connections and relays
 type Status struct {
-	mux                   sync.Mutex
-	peers                 map[string]State
-	changeNotify          map[string]chan struct{}
-	signalState           bool
-	signalError           error
-	managementState       bool
-	managementError       error
-	relayStates           []relay.ProbeResult
-	localPeer             LocalPeerState
-	offlinePeers          []State
-	mgmAddress            string
-	signalAddress         string
-	notifier              *notifier
-	rosenpassEnabled      bool
-	rosenpassPermissive   bool
-	nsGroupStates         []NSGroupState
-	resolvedDomainsStates map[domain.Domain][]netip.Prefix
+	mux                 sync.Mutex
+	peers               map[string]State
+	changeNotify        map[string]chan struct{}
+	signalState         bool
+	signalError         error
+	managementState     bool
+	managementError     error
+	relayStates         []relay.ProbeResult
+	localPeer           LocalPeerState
+	offlinePeers        []State
+	mgmAddress          string
+	signalAddress       string
+	notifier            *notifier
+	rosenpassEnabled    bool
+	rosenpassPermissive bool
+	nsGroupStates       []NSGroupState

 	// To reduce the number of notification invocation this bool will be true when need to call the notification
 	// Some Peer actions mostly used by in a batch when the network map has been synchronized. In these type of events
 	// set to true this variable and at the end of the processing we will reset it by the FinishPeerListModifications()
 	peerListChangedForNotification bool
-
-	relayMgr *relayClient.Manager
 }

 // NewRecorder returns a new Status instance
 func NewRecorder(mgmAddress string) *Status {
 	return &Status{
-		peers:                 make(map[string]State),
-		changeNotify:          make(map[string]chan struct{}),
-		offlinePeers:          make([]State, 0),
-		notifier:              newNotifier(),
-		mgmAddress:            mgmAddress,
-		resolvedDomainsStates: make(map[domain.Domain][]netip.Prefix),
+		peers:        make(map[string]State),
+		changeNotify: make(map[string]chan struct{}),
+		offlinePeers: make([]State, 0),
+		notifier:     newNotifier(),
+		mgmAddress:   mgmAddress,
 	}
 }

-func (d *Status) SetRelayMgr(manager *relayClient.Manager) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-	d.relayMgr = manager
-}
-
 // ReplaceOfflinePeers replaces
 func (d *Status) ReplaceOfflinePeers(replacement []State) {
 	d.mux.Lock()
@@ -202,7 +188,7 @@ func (d *Status) GetPeer(peerPubKey string) (State, error) {

 	state, ok := d.peers[peerPubKey]
 	if !ok {
-		return State{}, iface.ErrPeerNotFound
+		return State{}, errors.New("peer not found")
 	}
 	return state, nil
 }
@@ -240,17 +226,17 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 		peerState.SetRoutes(receivedState.GetRoutes())
 	}

-	skipNotification := shouldSkipNotify(receivedState.ConnStatus, peerState)
+	skipNotification := shouldSkipNotify(receivedState, peerState)

 	if receivedState.ConnStatus != peerState.ConnStatus {
 		peerState.ConnStatus = receivedState.ConnStatus
 		peerState.ConnStatusUpdate = receivedState.ConnStatusUpdate
+		peerState.Direct = receivedState.Direct
 		peerState.Relayed = receivedState.Relayed
 		peerState.LocalIceCandidateType = receivedState.LocalIceCandidateType
 		peerState.RemoteIceCandidateType = receivedState.RemoteIceCandidateType
 		peerState.LocalIceCandidateEndpoint = receivedState.LocalIceCandidateEndpoint
 		peerState.RemoteIceCandidateEndpoint = receivedState.RemoteIceCandidateEndpoint
-		peerState.RelayServerAddress = receivedState.RelayServerAddress
 		peerState.RosenpassEnabled = receivedState.RosenpassEnabled
 	}

@@ -270,146 +256,6 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 	return nil
 }

-func (d *Status) UpdatePeerICEState(receivedState State) error {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	peerState, ok := d.peers[receivedState.PubKey]
-	if !ok {
-		return errors.New("peer doesn't exist")
-	}
-
-	if receivedState.IP != "" {
-		peerState.IP = receivedState.IP
-	}
-
-	skipNotification := shouldSkipNotify(receivedState.ConnStatus, peerState)
-
-	peerState.ConnStatus = receivedState.ConnStatus
-	peerState.ConnStatusUpdate = receivedState.ConnStatusUpdate
-	peerState.Relayed = receivedState.Relayed
-	peerState.LocalIceCandidateType = receivedState.LocalIceCandidateType
-	peerState.RemoteIceCandidateType = receivedState.RemoteIceCandidateType
-	peerState.LocalIceCandidateEndpoint = receivedState.LocalIceCandidateEndpoint
-	peerState.RemoteIceCandidateEndpoint = receivedState.RemoteIceCandidateEndpoint
-	peerState.RosenpassEnabled = receivedState.RosenpassEnabled
-
-	d.peers[receivedState.PubKey] = peerState
-
-	if skipNotification {
-		return nil
-	}
-
-	ch, found := d.changeNotify[receivedState.PubKey]
-	if found && ch != nil {
-		close(ch)
-		d.changeNotify[receivedState.PubKey] = nil
-	}
-
-	d.notifyPeerListChanged()
-	return nil
-}
-
-func (d *Status) UpdatePeerRelayedState(receivedState State) error {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	peerState, ok := d.peers[receivedState.PubKey]
-	if !ok {
-		return errors.New("peer doesn't exist")
-	}
-
-	skipNotification := shouldSkipNotify(receivedState.ConnStatus, peerState)
-
-	peerState.ConnStatus = receivedState.ConnStatus
-	peerState.ConnStatusUpdate = receivedState.ConnStatusUpdate
-	peerState.Relayed = receivedState.Relayed
-	peerState.RelayServerAddress = receivedState.RelayServerAddress
-	peerState.RosenpassEnabled = receivedState.RosenpassEnabled
-
-	d.peers[receivedState.PubKey] = peerState
-
-	if skipNotification {
-		return nil
-	}
-
-	ch, found := d.changeNotify[receivedState.PubKey]
-	if found && ch != nil {
-		close(ch)
-		d.changeNotify[receivedState.PubKey] = nil
-	}
-
-	d.notifyPeerListChanged()
-	return nil
-}
-
-func (d *Status) UpdatePeerRelayedStateToDisconnected(receivedState State) error {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	peerState, ok := d.peers[receivedState.PubKey]
-	if !ok {
-		return errors.New("peer doesn't exist")
-	}
-
-	skipNotification := shouldSkipNotify(receivedState.ConnStatus, peerState)
-
-	peerState.ConnStatus = receivedState.ConnStatus
-	peerState.Relayed = receivedState.Relayed
-	peerState.ConnStatusUpdate = receivedState.ConnStatusUpdate
-	peerState.RelayServerAddress = ""
-
-	d.peers[receivedState.PubKey] = peerState
-
-	if skipNotification {
-		return nil
-	}
-
-	ch, found := d.changeNotify[receivedState.PubKey]
-	if found && ch != nil {
-		close(ch)
-		d.changeNotify[receivedState.PubKey] = nil
-	}
-
-	d.notifyPeerListChanged()
-	return nil
-}
-
-func (d *Status) UpdatePeerICEStateToDisconnected(receivedState State) error {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	peerState, ok := d.peers[receivedState.PubKey]
-	if !ok {
-		return errors.New("peer doesn't exist")
-	}
-
-	skipNotification := shouldSkipNotify(receivedState.ConnStatus, peerState)
-
-	peerState.ConnStatus = receivedState.ConnStatus
-	peerState.Relayed = receivedState.Relayed
-	peerState.ConnStatusUpdate = receivedState.ConnStatusUpdate
-	peerState.LocalIceCandidateType = receivedState.LocalIceCandidateType
-	peerState.RemoteIceCandidateType = receivedState.RemoteIceCandidateType
-	peerState.LocalIceCandidateEndpoint = receivedState.LocalIceCandidateEndpoint
-	peerState.RemoteIceCandidateEndpoint = receivedState.RemoteIceCandidateEndpoint
-
-	d.peers[receivedState.PubKey] = peerState
-
-	if skipNotification {
-		return nil
-	}
-
-	ch, found := d.changeNotify[receivedState.PubKey]
-	if found && ch != nil {
-		close(ch)
-		d.changeNotify[receivedState.PubKey] = nil
-	}
-
-	d.notifyPeerListChanged()
-	return nil
-}
-
 // UpdateWireGuardPeerState updates the WireGuard bits of the peer state
 func (d *Status) UpdateWireGuardPeerState(pubKey string, wgStats iface.WGStats) error {
 	d.mux.Lock()
@@ -429,13 +275,13 @@ func (d *Status) UpdateWireGuardPeerState(pubKey string, wgStats iface.WGStats)
 	return nil
 }

-func shouldSkipNotify(receivedConnStatus ConnStatus, curr State) bool {
+func shouldSkipNotify(received, curr State) bool {
 	switch {
-	case receivedConnStatus == StatusConnecting:
+	case received.ConnStatus == StatusConnecting:
 		return true
-	case receivedConnStatus == StatusDisconnected && curr.ConnStatus == StatusConnecting:
+	case received.ConnStatus == StatusDisconnected && curr.ConnStatus == StatusConnecting:
 		return true
-	case receivedConnStatus == StatusDisconnected && curr.ConnStatus == StatusDisconnected:
+	case received.ConnStatus == StatusDisconnected && curr.ConnStatus == StatusDisconnected:
 		return curr.IP != ""
 	default:
 		return false
@@ -583,18 +429,6 @@ func (d *Status) UpdateDNSStates(dnsStates []NSGroupState) {
 	d.nsGroupStates = dnsStates
 }

-func (d *Status) UpdateResolvedDomainsStates(domain domain.Domain, prefixes []netip.Prefix) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-	d.resolvedDomainsStates[domain] = prefixes
-}
-
-func (d *Status) DeleteResolvedDomainsStates(domain domain.Domain) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-	delete(d.resolvedDomainsStates, domain)
-}
-
 func (d *Status) GetRosenpassState() RosenpassState {
 	return RosenpassState{
 		d.rosenpassEnabled,
@@ -652,40 +486,13 @@ func (d *Status) GetSignalState() SignalState {
 }

 func (d *Status) GetRelayStates() []relay.ProbeResult {
-	if d.relayMgr == nil {
-		return d.relayStates
-	}
-
-	// extend the list of stun, turn servers with relay address
-	relaysState := make([]relay.ProbeResult, len(d.relayStates), len(d.relayStates)+1)
-	copy(relaysState, d.relayStates)
-
-	relayState := relay.ProbeResult{}
-
-	// if the server connection is not established then we will use the general address
-	// in case of connection we will use the instance specific address
-	instanceAddr, err := d.relayMgr.RelayInstanceAddress()
-	if err != nil {
-		relayState.URI = d.relayMgr.ServerURL()
-		relayState.Err = err
-	} else {
-		relayState.URI = instanceAddr
-	}
-
-	relaysState = append(relaysState, relayState)
-	return relaysState
+	return d.relayStates
 }

 func (d *Status) GetDNSStates() []NSGroupState {
 	return d.nsGroupStates
 }

-func (d *Status) GetResolvedDomainsStates() map[domain.Domain][]netip.Prefix {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-	return maps.Clone(d.resolvedDomainsStates)
-}
-
 // GetFullStatus gets full status
 func (d *Status) GetFullStatus() FullStatus {
 	d.mux.Lock()
@@ -705,6 +512,7 @@ func (d *Status) GetFullStatus() FullStatus {
 	}

 	fullStatus.Peers = append(fullStatus.Peers, d.offlinePeers...)
+
 	return fullStatus
 }

--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -2,8 +2,8 @@ package peer

 import (
 	"errors"
-	"sync"
 	"testing"
+	"sync"

 	"github.com/stretchr/testify/assert"
 )
@@ -43,7 +43,7 @@ func TestUpdatePeerState(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
-		Mux:    new(sync.RWMutex),
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -64,7 +64,7 @@ func TestStatus_UpdatePeerFQDN(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
-		Mux:    new(sync.RWMutex),
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -83,7 +83,7 @@ func TestGetPeerStateChangeNotifierLogic(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
-		Mux:    new(sync.RWMutex),
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -108,7 +108,7 @@ func TestRemovePeer(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
-		Mux:    new(sync.RWMutex),
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
--- a/client/internal/peer/stdnet.go
+++ b/client/internal/peer/stdnet.go
@@ -6,6 +6,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 )

-func (w *WorkerICE) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNet(w.config.ICEConfig.InterfaceBlackList)
+func (conn *Conn) newStdNet() (*stdnet.Net, error) {
+	return stdnet.NewNet(conn.config.InterfaceBlackList)
 }
--- a/client/internal/peer/stdnet_android.go
+++ b/client/internal/peer/stdnet_android.go
@@ -2,6 +2,6 @@ package peer

 import "github.com/netbirdio/netbird/client/internal/stdnet"

-func (w *WorkerICE) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNetWithDiscover(w.iFaceDiscover, w.config.ICEConfig.InterfaceBlackList)
+func (conn *Conn) newStdNet() (*stdnet.Net, error) {
+	return stdnet.NewNetWithDiscover(conn.iFaceDiscover, conn.config.InterfaceBlackList)
 }
--- a/client/internal/peer/worker_ice.go
+++ b/client/internal/peer/worker_ice.go
@@ -1,457 +0,0 @@
-package peer
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"runtime"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	"github.com/pion/ice/v3"
-	"github.com/pion/randutil"
-	"github.com/pion/stun/v2"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/iface"
-	"github.com/netbirdio/netbird/iface/bind"
-	"github.com/netbirdio/netbird/route"
-)
-
-const (
-	iceKeepAliveDefault           = 4 * time.Second
-	iceDisconnectedTimeoutDefault = 6 * time.Second
-	// iceRelayAcceptanceMinWaitDefault is the same as in the Pion ICE package
-	iceRelayAcceptanceMinWaitDefault = 2 * time.Second
-
-	lenUFrag   = 16
-	lenPwd     = 32
-	runesAlpha = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
-)
-
-var (
-	failedTimeout = 6 * time.Second
-)
-
-type ICEConfig struct {
-	// StunTurn is a list of STUN and TURN URLs
-	StunTurn atomic.Value // []*stun.URI
-
-	// InterfaceBlackList is a list of machine interfaces that should be filtered out by ICE Candidate gathering
-	// (e.g. if eth0 is in the list, host candidate of this interface won't be used)
-	InterfaceBlackList   []string
-	DisableIPv6Discovery bool
-
-	UDPMux      ice.UDPMux
-	UDPMuxSrflx ice.UniversalUDPMux
-
-	NATExternalIPs []string
-}
-
-type ICEConnInfo struct {
-	RemoteConn                 net.Conn
-	RosenpassPubKey            []byte
-	RosenpassAddr              string
-	LocalIceCandidateType      string
-	RemoteIceCandidateType     string
-	RemoteIceCandidateEndpoint string
-	LocalIceCandidateEndpoint  string
-	Relayed                    bool
-	RelayedOnLocal             bool
-}
-
-type WorkerICECallbacks struct {
-	OnConnReady     func(ConnPriority, ICEConnInfo)
-	OnStatusChanged func(ConnStatus)
-}
-
-type WorkerICE struct {
-	ctx               context.Context
-	log               *log.Entry
-	config            ConnConfig
-	signaler          *Signaler
-	iFaceDiscover     stdnet.ExternalIFaceDiscover
-	statusRecorder    *Status
-	hasRelayOnLocally bool
-	conn              WorkerICECallbacks
-
-	selectedPriority ConnPriority
-
-	agent    *ice.Agent
-	muxAgent sync.Mutex
-
-	StunTurn []*stun.URI
-
-	sentExtraSrflx bool
-
-	localUfrag string
-	localPwd   string
-}
-
-func NewWorkerICE(ctx context.Context, log *log.Entry, config ConnConfig, signaler *Signaler, ifaceDiscover stdnet.ExternalIFaceDiscover, statusRecorder *Status, hasRelayOnLocally bool, callBacks WorkerICECallbacks) (*WorkerICE, error) {
-	w := &WorkerICE{
-		ctx:               ctx,
-		log:               log,
-		config:            config,
-		signaler:          signaler,
-		iFaceDiscover:     ifaceDiscover,
-		statusRecorder:    statusRecorder,
-		hasRelayOnLocally: hasRelayOnLocally,
-		conn:              callBacks,
-	}
-
-	localUfrag, localPwd, err := generateICECredentials()
-	if err != nil {
-		return nil, err
-	}
-	w.localUfrag = localUfrag
-	w.localPwd = localPwd
-	return w, nil
-}
-
-func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
-	w.log.Debugf("OnNewOffer for ICE")
-	w.muxAgent.Lock()
-
-	if w.agent != nil {
-		w.log.Debugf("agent already exists, skipping the offer")
-		w.muxAgent.Unlock()
-		return
-	}
-
-	var preferredCandidateTypes []ice.CandidateType
-	if w.hasRelayOnLocally && remoteOfferAnswer.RelaySrvAddress != "" {
-		w.selectedPriority = connPriorityICEP2P
-		preferredCandidateTypes = candidateTypesP2P()
-	} else {
-		w.selectedPriority = connPriorityICETurn
-		preferredCandidateTypes = candidateTypes()
-	}
-
-	w.log.Debugf("recreate ICE agent")
-	agentCtx, agentCancel := context.WithCancel(w.ctx)
-	agent, err := w.reCreateAgent(agentCancel, preferredCandidateTypes)
-	if err != nil {
-		w.log.Errorf("failed to recreate ICE Agent: %s", err)
-		w.muxAgent.Unlock()
-		return
-	}
-	w.agent = agent
-	w.muxAgent.Unlock()
-
-	w.log.Debugf("gather candidates")
-	err = w.agent.GatherCandidates()
-	if err != nil {
-		w.log.Debugf("failed to gather candidates: %s", err)
-		return
-	}
-
-	// will block until connection succeeded
-	// but it won't release if ICE Agent went into Disconnected or Failed state,
-	// so we have to cancel it with the provided context once agent detected a broken connection
-	w.log.Debugf("turn agent dial")
-	remoteConn, err := w.turnAgentDial(agentCtx, remoteOfferAnswer)
-	if err != nil {
-		w.log.Debugf("failed to dial the remote peer: %s", err)
-		return
-	}
-	w.log.Debugf("agent dial succeeded")
-
-	pair, err := w.agent.GetSelectedCandidatePair()
-	if err != nil {
-		return
-	}
-
-	if !isRelayCandidate(pair.Local) {
-		// dynamically set remote WireGuard port if other side specified a different one from the default one
-		remoteWgPort := iface.DefaultWgPort
-		if remoteOfferAnswer.WgListenPort != 0 {
-			remoteWgPort = remoteOfferAnswer.WgListenPort
-		}
-
-		// To support old version's with direct mode we attempt to punch an additional role with the remote WireGuard port
-		go w.punchRemoteWGPort(pair, remoteWgPort)
-	}
-
-	ci := ICEConnInfo{
-		RemoteConn:                 remoteConn,
-		RosenpassPubKey:            remoteOfferAnswer.RosenpassPubKey,
-		RosenpassAddr:              remoteOfferAnswer.RosenpassAddr,
-		LocalIceCandidateType:      pair.Local.Type().String(),
-		RemoteIceCandidateType:     pair.Remote.Type().String(),
-		LocalIceCandidateEndpoint:  fmt.Sprintf("%s:%d", pair.Local.Address(), pair.Local.Port()),
-		RemoteIceCandidateEndpoint: fmt.Sprintf("%s:%d", pair.Remote.Address(), pair.Remote.Port()),
-		Relayed:                    isRelayed(pair),
-		RelayedOnLocal:             isRelayCandidate(pair.Local),
-	}
-	w.log.Debugf("on ICE conn read to use ready")
-	go w.conn.OnConnReady(w.selectedPriority, ci)
-}
-
-// OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
-func (w *WorkerICE) OnRemoteCandidate(candidate ice.Candidate, haRoutes route.HAMap) {
-	w.muxAgent.Lock()
-	defer w.muxAgent.Unlock()
-	w.log.Debugf("OnRemoteCandidate from peer %s -> %s", w.config.Key, candidate.String())
-	if w.agent == nil {
-		w.log.Warnf("ICE Agent is not initialized yet")
-		return
-	}
-
-	if candidateViaRoutes(candidate, haRoutes) {
-		return
-	}
-
-	err := w.agent.AddRemoteCandidate(candidate)
-	if err != nil {
-		w.log.Errorf("error while handling remote candidate")
-		return
-	}
-}
-
-func (w *WorkerICE) GetLocalUserCredentials() (frag string, pwd string) {
-	w.muxAgent.Lock()
-	defer w.muxAgent.Unlock()
-	return w.localUfrag, w.localPwd
-}
-
-func (w *WorkerICE) reCreateAgent(agentCancel context.CancelFunc, relaySupport []ice.CandidateType) (*ice.Agent, error) {
-	transportNet, err := w.newStdNet()
-	if err != nil {
-		w.log.Errorf("failed to create pion's stdnet: %s", err)
-	}
-
-	iceKeepAlive := iceKeepAlive()
-	iceDisconnectedTimeout := iceDisconnectedTimeout()
-	iceRelayAcceptanceMinWait := iceRelayAcceptanceMinWait()
-
-	agentConfig := &ice.AgentConfig{
-		MulticastDNSMode:       ice.MulticastDNSModeDisabled,
-		NetworkTypes:           []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
-		Urls:                   w.config.ICEConfig.StunTurn.Load().([]*stun.URI),
-		CandidateTypes:         relaySupport,
-		InterfaceFilter:        stdnet.InterfaceFilter(w.config.ICEConfig.InterfaceBlackList),
-		UDPMux:                 w.config.ICEConfig.UDPMux,
-		UDPMuxSrflx:            w.config.ICEConfig.UDPMuxSrflx,
-		NAT1To1IPs:             w.config.ICEConfig.NATExternalIPs,
-		Net:                    transportNet,
-		FailedTimeout:          &failedTimeout,
-		DisconnectedTimeout:    &iceDisconnectedTimeout,
-		KeepaliveInterval:      &iceKeepAlive,
-		RelayAcceptanceMinWait: &iceRelayAcceptanceMinWait,
-		LocalUfrag:             w.localUfrag,
-		LocalPwd:               w.localPwd,
-	}
-
-	if w.config.ICEConfig.DisableIPv6Discovery {
-		agentConfig.NetworkTypes = []ice.NetworkType{ice.NetworkTypeUDP4}
-	}
-
-	w.sentExtraSrflx = false
-	agent, err := ice.NewAgent(agentConfig)
-	if err != nil {
-		return nil, err
-	}
-
-	err = agent.OnCandidate(w.onICECandidate)
-	if err != nil {
-		return nil, err
-	}
-
-	err = agent.OnConnectionStateChange(func(state ice.ConnectionState) {
-		w.log.Debugf("ICE ConnectionState has changed to %s", state.String())
-		if state == ice.ConnectionStateFailed || state == ice.ConnectionStateDisconnected {
-			w.conn.OnStatusChanged(StatusDisconnected)
-
-			w.muxAgent.Lock()
-			agentCancel()
-			_ = agent.Close()
-			w.agent = nil
-
-			w.muxAgent.Unlock()
-		}
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	err = agent.OnSelectedCandidatePairChange(w.onICESelectedCandidatePair)
-	if err != nil {
-		return nil, err
-	}
-
-	err = agent.OnSuccessfulSelectedPairBindingResponse(func(p *ice.CandidatePair) {
-		err := w.statusRecorder.UpdateLatency(w.config.Key, p.Latency())
-		if err != nil {
-			w.log.Debugf("failed to update latency for peer: %s", err)
-			return
-		}
-	})
-	if err != nil {
-		return nil, fmt.Errorf("failed setting binding response callback: %w", err)
-	}
-
-	return agent, nil
-}
-
-func (w *WorkerICE) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
-	// wait local endpoint configuration
-	time.Sleep(time.Second)
-	addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", pair.Remote.Address(), remoteWgPort))
-	if err != nil {
-		w.log.Warnf("got an error while resolving the udp address, err: %s", err)
-		return
-	}
-
-	mux, ok := w.config.ICEConfig.UDPMuxSrflx.(*bind.UniversalUDPMuxDefault)
-	if !ok {
-		w.log.Warn("invalid udp mux conversion")
-		return
-	}
-	_, err = mux.GetSharedConn().WriteTo([]byte{0x6e, 0x62}, addr)
-	if err != nil {
-		w.log.Warnf("got an error while sending the punch packet, err: %s", err)
-	}
-}
-
-// onICECandidate is a callback attached to an ICE Agent to receive new local connection candidates
-// and then signals them to the remote peer
-func (w *WorkerICE) onICECandidate(candidate ice.Candidate) {
-	// nil means candidate gathering has been ended
-	if candidate == nil {
-		return
-	}
-
-	// TODO: reported port is incorrect for CandidateTypeHost, makes understanding ICE use via logs confusing as port is ignored
-	w.log.Debugf("discovered local candidate %s", candidate.String())
-	go func() {
-		err := w.signaler.SignalICECandidate(candidate, w.config.Key)
-		if err != nil {
-			w.log.Errorf("failed signaling candidate to the remote peer %s %s", w.config.Key, err)
-		}
-	}()
-
-	if !w.shouldSendExtraSrflxCandidate(candidate) {
-		return
-	}
-
-	// sends an extra server reflexive candidate to the remote peer with our related port (usually the wireguard port)
-	// this is useful when network has an existing port forwarding rule for the wireguard port and this peer
-	extraSrflx, err := extraSrflxCandidate(candidate)
-	if err != nil {
-		w.log.Errorf("failed creating extra server reflexive candidate %s", err)
-		return
-	}
-	w.sentExtraSrflx = true
-
-	go func() {
-		err = w.signaler.SignalICECandidate(extraSrflx, w.config.Key)
-		if err != nil {
-			w.log.Errorf("failed signaling the extra server reflexive candidate: %s", err)
-		}
-	}()
-}
-
-func (w *WorkerICE) onICESelectedCandidatePair(c1 ice.Candidate, c2 ice.Candidate) {
-	w.log.Debugf("selected candidate pair [local <-> remote] -> [%s <-> %s], peer %s", c1.String(), c2.String(),
-		w.config.Key)
-}
-
-func (w *WorkerICE) shouldSendExtraSrflxCandidate(candidate ice.Candidate) bool {
-	if !w.sentExtraSrflx && candidate.Type() == ice.CandidateTypeServerReflexive && candidate.Port() != candidate.RelatedAddress().Port {
-		return true
-	}
-	return false
-}
-
-func (w *WorkerICE) turnAgentDial(ctx context.Context, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
-	isControlling := w.config.LocalKey > w.config.Key
-	if isControlling {
-		return w.agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
-	} else {
-		return w.agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
-	}
-}
-
-func extraSrflxCandidate(candidate ice.Candidate) (*ice.CandidateServerReflexive, error) {
-	relatedAdd := candidate.RelatedAddress()
-	return ice.NewCandidateServerReflexive(&ice.CandidateServerReflexiveConfig{
-		Network:   candidate.NetworkType().String(),
-		Address:   candidate.Address(),
-		Port:      relatedAdd.Port,
-		Component: candidate.Component(),
-		RelAddr:   relatedAdd.Address,
-		RelPort:   relatedAdd.Port,
-	})
-}
-
-func candidateViaRoutes(candidate ice.Candidate, clientRoutes route.HAMap) bool {
-	var routePrefixes []netip.Prefix
-	for _, routes := range clientRoutes {
-		if len(routes) > 0 && routes[0] != nil {
-			routePrefixes = append(routePrefixes, routes[0].Network)
-		}
-	}
-
-	addr, err := netip.ParseAddr(candidate.Address())
-	if err != nil {
-		log.Errorf("Failed to parse IP address %s: %v", candidate.Address(), err)
-		return false
-	}
-
-	for _, prefix := range routePrefixes {
-		// default route is
-		if prefix.Bits() == 0 {
-			continue
-		}
-
-		if prefix.Contains(addr) {
-			log.Debugf("Ignoring candidate [%s], its address is part of routed network %s", candidate.String(), prefix)
-			return true
-		}
-	}
-	return false
-}
-
-func candidateTypes() []ice.CandidateType {
-	if hasICEForceRelayConn() {
-		return []ice.CandidateType{ice.CandidateTypeRelay}
-	}
-	// TODO: remove this once we have refactored userspace proxy into the bind package
-	if runtime.GOOS == "ios" {
-		return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive}
-	}
-	return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay}
-}
-
-func candidateTypesP2P() []ice.CandidateType {
-	return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive}
-}
-
-func isRelayCandidate(candidate ice.Candidate) bool {
-	return candidate.Type() == ice.CandidateTypeRelay
-}
-
-func isRelayed(pair *ice.CandidatePair) bool {
-	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
-		return true
-	}
-	return false
-}
-
-func generateICECredentials() (string, string, error) {
-	ufrag, err := randutil.GenerateCryptoRandomString(lenUFrag, runesAlpha)
-	if err != nil {
-		return "", "", err
-	}
-
-	pwd, err := randutil.GenerateCryptoRandomString(lenPwd, runesAlpha)
-	if err != nil {
-		return "", "", err
-	}
-	return ufrag, pwd, nil
-
-}
--- a/client/internal/peer/worker_relay.go
+++ b/client/internal/peer/worker_relay.go
@@ -1,173 +0,0 @@
-package peer
-
-import (
-	"context"
-	"errors"
-	"net"
-	"sync/atomic"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	relayClient "github.com/netbirdio/netbird/relay/client"
-)
-
-var (
-	wgHandshakePeriod   = 2 * time.Minute
-	wgHandshakeOvertime = 30000 * time.Millisecond
-)
-
-type RelayConnInfo struct {
-	relayedConn     net.Conn
-	rosenpassPubKey []byte
-	rosenpassAddr   string
-}
-
-type WorkerRelayCallbacks struct {
-	OnConnReady    func(RelayConnInfo)
-	OnDisconnected func()
-}
-
-type WorkerRelay struct {
-	parentCtx    context.Context
-	log          *log.Entry
-	config       ConnConfig
-	relayManager relayClient.ManagerService
-	conn         WorkerRelayCallbacks
-
-	ctxCancel                  context.CancelFunc
-	relaySupportedOnRemotePeer atomic.Bool
-}
-
-func NewWorkerRelay(ctx context.Context, log *log.Entry, config ConnConfig, relayManager relayClient.ManagerService, callbacks WorkerRelayCallbacks) *WorkerRelay {
-	r := &WorkerRelay{
-		parentCtx:    ctx,
-		log:          log,
-		config:       config,
-		relayManager: relayManager,
-		conn:         callbacks,
-	}
-	return r
-}
-
-func (w *WorkerRelay) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
-	if !w.isRelaySupported(remoteOfferAnswer) {
-		w.log.Infof("Relay is not supported by remote peer")
-		w.relaySupportedOnRemotePeer.Store(false)
-		return
-	}
-	w.relaySupportedOnRemotePeer.Store(true)
-
-	// the relayManager will return with error in case if the connection has lost with relay server
-	currentRelayAddress, err := w.relayManager.RelayInstanceAddress()
-	if err != nil {
-		w.log.Errorf("failed to handle new offer: %s", err)
-		return
-	}
-
-	srv := w.preferredRelayServer(currentRelayAddress, remoteOfferAnswer.RelaySrvAddress)
-
-	relayedConn, err := w.relayManager.OpenConn(srv, w.config.Key)
-	if err != nil {
-		// todo handle all type errors
-		if errors.Is(err, relayClient.ErrConnAlreadyExists) {
-			w.log.Infof("do not need to reopen relay connection")
-			return
-		}
-		w.log.Errorf("failed to open connection via Relay: %s", err)
-		return
-	}
-
-	ctx, ctxCancel := context.WithCancel(w.parentCtx)
-	w.ctxCancel = ctxCancel
-
-	err = w.relayManager.AddCloseListener(srv, w.disconnected)
-	if err != nil {
-		log.Errorf("failed to add close listener: %s", err)
-		_ = relayedConn.Close()
-		ctxCancel()
-		return
-	}
-
-	go w.wgStateCheck(ctx, relayedConn)
-
-	w.log.Debugf("peer conn opened via Relay: %s", srv)
-	go w.conn.OnConnReady(RelayConnInfo{
-		relayedConn:     relayedConn,
-		rosenpassPubKey: remoteOfferAnswer.RosenpassPubKey,
-		rosenpassAddr:   remoteOfferAnswer.RosenpassAddr,
-	})
-}
-
-func (w *WorkerRelay) RelayInstanceAddress() (string, error) {
-	return w.relayManager.RelayInstanceAddress()
-}
-
-func (w *WorkerRelay) IsRelayConnectionSupportedWithPeer() bool {
-	return w.relaySupportedOnRemotePeer.Load() && w.RelayIsSupportedLocally()
-}
-
-func (w *WorkerRelay) IsController() bool {
-	return w.config.LocalKey > w.config.Key
-}
-
-func (w *WorkerRelay) RelayIsSupportedLocally() bool {
-	return w.relayManager.HasRelayAddress()
-}
-
-// wgStateCheck help to check the state of the wireguard handshake and relay connection
-func (w *WorkerRelay) wgStateCheck(ctx context.Context, conn net.Conn) {
-	timer := time.NewTimer(wgHandshakeOvertime)
-	defer timer.Stop()
-	for {
-		select {
-		case <-timer.C:
-			lastHandshake, err := w.wgState()
-			if err != nil {
-				w.log.Errorf("failed to read wg stats: %v", err)
-				continue
-			}
-			w.log.Tracef("last handshake: %v", lastHandshake)
-
-			if time.Since(lastHandshake) > wgHandshakePeriod {
-				w.log.Infof("Wireguard handshake timed out, closing relay connection")
-				_ = conn.Close()
-				w.conn.OnDisconnected()
-				return
-			}
-			resetTime := time.Until(lastHandshake.Add(wgHandshakeOvertime + wgHandshakePeriod))
-			timer.Reset(resetTime)
-		case <-ctx.Done():
-			return
-		}
-	}
-}
-
-func (w *WorkerRelay) isRelaySupported(answer *OfferAnswer) bool {
-	if !w.relayManager.HasRelayAddress() {
-		return false
-	}
-	return answer.RelaySrvAddress != ""
-}
-
-func (w *WorkerRelay) preferredRelayServer(myRelayAddress, remoteRelayAddress string) string {
-	if w.IsController() {
-		return myRelayAddress
-	}
-	return remoteRelayAddress
-}
-
-func (w *WorkerRelay) wgState() (time.Time, error) {
-	wgState, err := w.config.WgConfig.WgInterface.GetStats(w.config.Key)
-	if err != nil {
-		return time.Time{}, err
-	}
-	return wgState.LastHandshake, nil
-}
-
-func (w *WorkerRelay) disconnected() {
-	if w.ctxCancel != nil {
-		w.ctxCancel()
-	}
-	w.conn.OnDisconnected()
-}
--- a/client/internal/relay/relay.go
+++ b/client/internal/relay/relay.go
@@ -17,7 +17,7 @@ import (

 // ProbeResult holds the info about the result of a relay probe request
 type ProbeResult struct {
-	URI  string
+	URI  *stun.URI
 	Err  error
 	Addr string
 }
@@ -170,13 +170,13 @@ func ProbeAll(

 	var wg sync.WaitGroup
 	for i, uri := range relays {
-		ctx, cancel := context.WithTimeout(ctx, 2*time.Second)
+		ctx, cancel := context.WithTimeout(ctx, 1*time.Second)
 		defer cancel()

 		wg.Add(1)
 		go func(res *ProbeResult, stunURI *stun.URI) {
 			defer wg.Done()
-			res.URI = stunURI.String()
+			res.URI = stunURI
 			res.Addr, res.Err = fn(ctx, stunURI)
 		}(&results[i], uri)
 	}
--- a/client/internal/routemanager/client.go
+++ b/client/internal/routemanager/client.go
@@ -3,25 +3,23 @@ package routemanager
 import (
 	"context"
 	"fmt"
-	"reflect"
+	"net"
+	"net/netip"
 	"time"

-	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"

-	nberrors "github.com/netbirdio/netbird/client/errors"
-	nbdns "github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
-	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
-	"github.com/netbirdio/netbird/client/internal/routemanager/static"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
 )

+const minRangeBits = 7
+
 type routerPeerStatus struct {
 	connected bool
 	relayed   bool
+	direct    bool
 	latency   time.Duration
 }

@@ -30,48 +28,39 @@ type routesUpdate struct {
 	routes       []*route.Route
 }

-// RouteHandler defines the interface for handling routes
-type RouteHandler interface {
-	String() string
-	AddRoute(ctx context.Context) error
-	RemoveRoute() error
-	AddAllowedIPs(peerKey string) error
-	RemoveAllowedIPs() error
-}
-
 type clientNetwork struct {
 	ctx                 context.Context
-	cancel              context.CancelFunc
+	stop                context.CancelFunc
 	statusRecorder      *peer.Status
-	wgInterface         iface.IWGIface
-	routes              map[route.ID]*route.Route
+	wgInterface         *iface.WGIface
+	routes              map[string]*route.Route
 	routeUpdate         chan routesUpdate
 	peerStateUpdate     chan struct{}
 	routePeersNotifiers map[string]chan struct{}
-	currentChosen       *route.Route
-	handler             RouteHandler
+	chosenRoute         *route.Route
+	network             netip.Prefix
 	updateSerial        uint64
 }

-func newClientNetworkWatcher(ctx context.Context, dnsRouteInterval time.Duration, wgInterface iface.IWGIface, statusRecorder *peer.Status, rt *route.Route, routeRefCounter *refcounter.RouteRefCounter, allowedIPsRefCounter *refcounter.AllowedIPsRefCounter) *clientNetwork {
+func newClientNetworkWatcher(ctx context.Context, wgInterface *iface.WGIface, statusRecorder *peer.Status, network netip.Prefix) *clientNetwork {
 	ctx, cancel := context.WithCancel(ctx)

 	client := &clientNetwork{
 		ctx:                 ctx,
-		cancel:              cancel,
+		stop:                cancel,
 		statusRecorder:      statusRecorder,
 		wgInterface:         wgInterface,
-		routes:              make(map[route.ID]*route.Route),
+		routes:              make(map[string]*route.Route),
 		routePeersNotifiers: make(map[string]chan struct{}),
 		routeUpdate:         make(chan routesUpdate),
 		peerStateUpdate:     make(chan struct{}),
-		handler:             handlerFromRoute(rt, routeRefCounter, allowedIPsRefCounter, dnsRouteInterval, statusRecorder, wgInterface),
+		network:             network,
 	}
 	return client
 }

-func (c *clientNetwork) getRouterPeerStatuses() map[route.ID]routerPeerStatus {
-	routePeerStatuses := make(map[route.ID]routerPeerStatus)
+func (c *clientNetwork) getRouterPeerStatuses() map[string]routerPeerStatus {
+	routePeerStatuses := make(map[string]routerPeerStatus)
 	for _, r := range c.routes {
 		peerStatus, err := c.statusRecorder.GetPeer(r.Peer)
 		if err != nil {
@@ -81,6 +70,7 @@ func (c *clientNetwork) getRouterPeerStatuses() map[route.ID]routerPeerStatus {
 		routePeerStatuses[r.ID] = routerPeerStatus{
 			connected: peerStatus.ConnStatus == peer.StatusConnected,
 			relayed:   peerStatus.Relayed,
+			direct:    peerStatus.Direct,
 			latency:   peerStatus.Latency,
 		}
 	}
@@ -96,18 +86,18 @@ func (c *clientNetwork) getRouterPeerStatuses() map[route.ID]routerPeerStatus {
 // * Metric: Routes with lower metrics (better) are prioritized.
 // * Non-relayed: Routes without relays are preferred.
 // * Direct connections: Routes with direct peer connections are favored.
-// * Latency: Routes with lower latency are prioritized.
 // * Stability: In case of equal scores, the currently active route (if any) is maintained.
+// * Latency: Routes with lower latency are prioritized.
 //
 // It returns the ID of the selected optimal route.
-func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[route.ID]routerPeerStatus) route.ID {
-	chosen := route.ID("")
+func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]routerPeerStatus) string {
+	chosen := ""
 	chosenScore := float64(0)
 	currScore := float64(0)

-	currID := route.ID("")
-	if c.currentChosen != nil {
-		currID = c.currentChosen.ID
+	currID := ""
+	if c.chosenRoute != nil {
+		currID = c.chosenRoute.ID
 	}

 	for _, r := range c.routes {
@@ -135,14 +125,16 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[route.ID]
 			tempScore++
 		}

+		if peerStatus.direct {
+			tempScore++
+		}
+
 		if tempScore > chosenScore || (tempScore == chosenScore && chosen == "") {
-			log.Infof("tempScore(%f) > chosenScore(%f) || (tempScore(%f) == chosenScore(%f) && chosen == \"\"(%s): chosen: %s", tempScore, chosenScore, tempScore, chosenScore, chosen, r.ID)
 			chosen = r.ID
 			chosenScore = tempScore
 		}

 		if chosen == "" && currID == "" {
-			log.Infof("chosen == \"\" && currID == \"\" , chosen: %s", r.ID)
 			chosen = r.ID
 			chosenScore = tempScore
 		}
@@ -159,19 +151,17 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[route.ID]
 			peers = append(peers, r.Peer)
 		}

-		log.Warnf("The network [%v] has not been assigned a routing peer as no peers from the list %s are currently connected", c.handler, peers)
+		log.Warnf("the network %s has not been assigned a routing peer as no peers from the list %s are currently connected", c.network, peers)
 	case chosen != currID:
-		log.Infof("chosen != currID, chosen: %s", chosen)
-		// we compare the current score + 10ms to the chosen score to avoid flapping between routes
-		if currScore != 0 && currScore+0.01 > chosenScore {
-			log.Debugf("Keeping current routing peer because the score difference with latency is less than 0.01(10ms), current: %f, new: %f", currScore, chosenScore)
+		if currScore != 0 && currScore < chosenScore+0.1 {
 			return currID
+		} else {
+			var peer string
+			if route := c.routes[chosen]; route != nil {
+				peer = route.Peer
+			}
+			log.Infof("new chosen route is %s with peer %s with score %f for network %s", chosen, peer, chosenScore, c.network)
 		}
-		var p string
-		if rt := c.routes[chosen]; rt != nil {
-			p = rt.Peer
-		}
-		log.Infof("New chosen route is %s with peer %s with score %f for network [%v]", chosen, p, chosenScore, c.handler)
 	}

 	return chosen
@@ -205,136 +195,120 @@ func (c *clientNetwork) startPeersStatusChangeWatcher() {
 	}
 }

-func (c *clientNetwork) removeRouteFromWireguardPeer() error {
-	c.removeStateRoute()
+func (c *clientNetwork) removeRouteFromWireguardPeer(peerKey string) error {
+	state, err := c.statusRecorder.GetPeer(peerKey)
+	if err != nil {
+		return fmt.Errorf("get peer state: %v", err)
+	}

-	if err := c.handler.RemoveAllowedIPs(); err != nil {
-		return fmt.Errorf("remove allowed IPs: %w", err)
+	state.DeleteRoute(c.network.String())
+	if err := c.statusRecorder.UpdatePeerState(state); err != nil {
+		log.Warnf("Failed to update peer state: %v", err)
+	}
+
+	if state.ConnStatus != peer.StatusConnected {
+		return nil
+	}
+
+	err = c.wgInterface.RemoveAllowedIP(peerKey, c.network.String())
+	if err != nil {
+		return fmt.Errorf("remove allowed IP %s removed for peer %s, err: %v",
+			c.network, c.chosenRoute.Peer, err)
 	}
 	return nil
 }

 func (c *clientNetwork) removeRouteFromPeerAndSystem() error {
-	if c.currentChosen == nil {
-		return nil
-	}
+	if c.chosenRoute != nil {
+		if err := removeVPNRoute(c.network, c.getAsInterface()); err != nil {
+			return fmt.Errorf("remove route %s from system, err: %v", c.network, err)
+		}

-	var merr *multierror.Error
-
-	if err := c.removeRouteFromWireguardPeer(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove allowed IPs for peer %s: %w", c.currentChosen.Peer, err))
+		if err := c.removeRouteFromWireguardPeer(c.chosenRoute.Peer); err != nil {
+			return fmt.Errorf("remove route: %v", err)
+		}
 	}
-	if err := c.handler.RemoveRoute(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove route: %w", err))
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }

 func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
 	routerPeerStatuses := c.getRouterPeerStatuses()

-	newChosenID := c.getBestRouteFromStatuses(routerPeerStatuses)
+	chosen := c.getBestRouteFromStatuses(routerPeerStatuses)

 	// If no route is chosen, remove the route from the peer and system
-	if newChosenID == "" {
+	if chosen == "" {
 		if err := c.removeRouteFromPeerAndSystem(); err != nil {
-			return fmt.Errorf("remove route for peer %s: %w", c.currentChosen.Peer, err)
+			return fmt.Errorf("remove route from peer and system: %v", err)
 		}

-		c.currentChosen = nil
+		c.chosenRoute = nil

 		return nil
 	}

 	// If the chosen route is the same as the current route, do nothing
-	if c.currentChosen != nil && c.currentChosen.ID == newChosenID &&
-		c.currentChosen.IsEqual(c.routes[newChosenID]) {
-		return nil
+	if c.chosenRoute != nil && c.chosenRoute.ID == chosen {
+		if c.chosenRoute.IsEqual(c.routes[chosen]) {
+			return nil
+		}
 	}

-	if c.currentChosen == nil {
-		// If they were not previously assigned to another peer, add routes to the system first
-		if err := c.handler.AddRoute(c.ctx); err != nil {
-			return fmt.Errorf("add route: %w", err)
+	if c.chosenRoute != nil {
+		// If a previous route exists, remove it from the peer
+		if err := c.removeRouteFromWireguardPeer(c.chosenRoute.Peer); err != nil {
+			return fmt.Errorf("remove route from peer: %v", err)
 		}
 	} else {
-		// Otherwise, remove the allowed IPs from the previous peer first
-		if err := c.removeRouteFromWireguardPeer(); err != nil {
-			return fmt.Errorf("remove allowed IPs for peer %s: %w", c.currentChosen.Peer, err)
+		// otherwise add the route to the system
+		if err := addVPNRoute(c.network, c.getAsInterface()); err != nil {
+			return fmt.Errorf("route %s couldn't be added for peer %s, err: %v",
+				c.network.String(), c.wgInterface.Address().IP.String(), err)
 		}
 	}

-	c.currentChosen = c.routes[newChosenID]
+	c.chosenRoute = c.routes[chosen]

-	if err := c.handler.AddAllowedIPs(c.currentChosen.Peer); err != nil {
-		return fmt.Errorf("add allowed IPs for peer %s: %w", c.currentChosen.Peer, err)
+	state, err := c.statusRecorder.GetPeer(c.chosenRoute.Peer)
+	if err != nil {
+		log.Errorf("Failed to get peer state: %v", err)
+	} else {
+		state.AddRoute(c.network.String())
+		if err := c.statusRecorder.UpdatePeerState(state); err != nil {
+			log.Warnf("Failed to update peer state: %v", err)
+		}
 	}

-	c.addStateRoute()
+	if err := c.wgInterface.AddAllowedIP(c.chosenRoute.Peer, c.network.String()); err != nil {
+		log.Errorf("couldn't add allowed IP %s added for peer %s, err: %v",
+			c.network, c.chosenRoute.Peer, err)
+	}

 	return nil
 }

-func (c *clientNetwork) addStateRoute() {
-	state, err := c.statusRecorder.GetPeer(c.currentChosen.Peer)
-	if err != nil {
-		log.Errorf("Failed to get peer state: %v", err)
-		return
-	}
-
-	state.AddRoute(c.handler.String())
-	if err := c.statusRecorder.UpdatePeerState(state); err != nil {
-		log.Warnf("Failed to update peer state: %v", err)
-	}
-}
-
-func (c *clientNetwork) removeStateRoute() {
-	state, err := c.statusRecorder.GetPeer(c.currentChosen.Peer)
-	if err != nil {
-		log.Errorf("Failed to get peer state: %v", err)
-		return
-	}
-
-	state.DeleteRoute(c.handler.String())
-	if err := c.statusRecorder.UpdatePeerState(state); err != nil {
-		log.Warnf("Failed to update peer state: %v", err)
-	}
-}
-
 func (c *clientNetwork) sendUpdateToClientNetworkWatcher(update routesUpdate) {
 	go func() {
 		c.routeUpdate <- update
 	}()
 }

-func (c *clientNetwork) handleUpdate(update routesUpdate) bool {
-	isUpdateMapDifferent := false
-	updateMap := make(map[route.ID]*route.Route)
+func (c *clientNetwork) handleUpdate(update routesUpdate) {
+	updateMap := make(map[string]*route.Route)

 	for _, r := range update.routes {
 		updateMap[r.ID] = r
 	}

-	if len(c.routes) != len(updateMap) {
-		isUpdateMapDifferent = true
-	}
-
 	for id, r := range c.routes {
 		_, found := updateMap[id]
 		if !found {
 			close(c.routePeersNotifiers[r.Peer])
 			delete(c.routePeersNotifiers, r.Peer)
-			isUpdateMapDifferent = true
-			continue
-		}
-		if !reflect.DeepEqual(c.routes[id], updateMap[id]) {
-			isUpdateMapDifferent = true
 		}
 	}

 	c.routes = updateMap
-	return isUpdateMapDifferent
 }

 // peersStateAndUpdateWatcher is the main point of reacting on client network routing events.
@@ -343,37 +317,32 @@ func (c *clientNetwork) peersStateAndUpdateWatcher() {
 	for {
 		select {
 		case <-c.ctx.Done():
-			log.Debugf("Stopping watcher for network [%v]", c.handler)
-			if err := c.removeRouteFromPeerAndSystem(); err != nil {
-				log.Errorf("Failed to remove routes for [%v]: %v", c.handler, err)
+			log.Debugf("stopping watcher for network %s", c.network)
+			err := c.removeRouteFromPeerAndSystem()
+			if err != nil {
+				log.Errorf("Couldn't remove route from peer and system for network %s: %v", c.network, err)
 			}
 			return
 		case <-c.peerStateUpdate:
 			err := c.recalculateRouteAndUpdatePeerAndSystem()
 			if err != nil {
-				log.Errorf("Failed to recalculate routes for network [%v]: %v", c.handler, err)
+				log.Errorf("Couldn't recalculate route and update peer and system: %v", err)
 			}
 		case update := <-c.routeUpdate:
 			if update.updateSerial < c.updateSerial {
-				log.Warnf("Received a routes update with smaller serial number (%d -> %d), ignoring it", c.updateSerial, update.updateSerial)
+				log.Warnf("Received a routes update with smaller serial number, ignoring it")
 				continue
 			}

-			log.Debugf("Received a new client network route update for [%v]", c.handler)
+			log.Debugf("Received a new client network route update for %s", c.network)

-			// hash update somehow
-			isTrueRouteUpdate := c.handleUpdate(update)
+			c.handleUpdate(update)

 			c.updateSerial = update.updateSerial

-			if isTrueRouteUpdate {
-				log.Debug("Client network update contains different routes, recalculating routes")
-				err := c.recalculateRouteAndUpdatePeerAndSystem()
-				if err != nil {
-					log.Errorf("Failed to recalculate routes for network [%v]: %v", c.handler, err)
-				}
-			} else {
-				log.Debug("Route update is not different, skipping route recalculation")
+			err := c.recalculateRouteAndUpdatePeerAndSystem()
+			if err != nil {
+				log.Errorf("Couldn't recalculate route and update peer and system for network %s: %v", c.network, err)
 			}

 			c.startPeersStatusChangeWatcher()
@@ -381,10 +350,14 @@ func (c *clientNetwork) peersStateAndUpdateWatcher() {
 	}
 }

-func handlerFromRoute(rt *route.Route, routeRefCounter *refcounter.RouteRefCounter, allowedIPsRefCounter *refcounter.AllowedIPsRefCounter, dnsRouterInteval time.Duration, statusRecorder *peer.Status, wgInterface iface.IWGIface) RouteHandler {
-	if rt.IsDynamic() {
-		dns := nbdns.NewServiceViaMemory(wgInterface)
-		return dynamic.NewRoute(rt, routeRefCounter, allowedIPsRefCounter, dnsRouterInteval, statusRecorder, wgInterface, fmt.Sprintf("%s:%d", dns.RuntimeIP(), dns.RuntimePort()))
+func (c *clientNetwork) getAsInterface() *net.Interface {
+	intf, err := net.InterfaceByName(c.wgInterface.Name())
+	if err != nil {
+		log.Warnf("Couldn't get interface by name %s: %v", c.wgInterface.Name(), err)
+		intf = &net.Interface{
+			Name: c.wgInterface.Name(),
+		}
 	}
-	return static.NewRoute(rt, routeRefCounter, allowedIPsRefCounter)
+
+	return intf
 }
--- a/client/internal/routemanager/client_test.go
+++ b/client/internal/routemanager/client_test.go
@@ -3,10 +3,8 @@ package routemanager
 import (
 	"net/netip"
 	"testing"
+	"time"

-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/routemanager/static"
 	"github.com/netbirdio/netbird/route"
 )

@@ -14,24 +12,131 @@ func TestGetBestrouteFromStatuses(t *testing.T) {

 	testCases := []struct {
 		name            string
-		statuses        map[route.ID]routerPeerStatus
-		expectedRouteID route.ID
-		currentRoute    route.ID
-		existingRoutes  map[route.ID]*route.Route
+		statuses        map[string]routerPeerStatus
+		expectedRouteID string
+		currentRoute    string
+		existingRoutes  map[string]*route.Route
 	}{
 		{
-			name: "multiple connected peers with one direct",
-			statuses: map[route.ID]routerPeerStatus{
+			name: "one route",
+			statuses: map[string]routerPeerStatus{
 				"route1": {
 					connected: true,
 					relayed:   false,
+					direct:    true,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "one connected routes with relayed and direct",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   true,
+					direct:    true,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "one connected routes with relayed and no direct",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   true,
+					direct:    false,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "no connected peers",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: false,
+					relayed:   false,
+					direct:    false,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "",
+		},
+		{
+			name: "multiple connected peers with different metrics",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
 				},
 				"route2": {
 					connected: true,
 					relayed:   false,
+					direct:    true,
 				},
 			},
-			existingRoutes: map[route.ID]*route.Route{
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: 9000,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "multiple connected peers with one relayed",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+				},
+				"route2": {
+					connected: true,
+					relayed:   true,
+					direct:    true,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
 				"route1": {
 					ID:     "route1",
 					Metric: route.MaxMetric,
@@ -46,31 +151,173 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
+		{
+			name: "multiple connected peers with one direct",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					direct:    false,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "multiple connected peers with different latencies",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					latency:   300 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route2",
+		},
+		{
+			name: "should ignore routes with latency 0",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					latency:   0 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route2",
+		},
+		{
+			name: "current route with similar score and similar but slightly worse latency should not change",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   12 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "route1",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "current chosen route doesn't exist anymore",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   20 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "routeDoesntExistAnymore",
+			expectedRouteID: "route2",
+		},
 	}

-	for i := 0; i < 10; i++ {
-		log.Infof("Test iteration %d", i)
-		for _, tc := range testCases {
-			t.Run(tc.name, func(t *testing.T) {
-				currentRoute := &route.Route{
-					ID: "routeDoesntExistAnymore",
-				}
-				if tc.currentRoute != "" {
-					currentRoute = tc.existingRoutes[tc.currentRoute]
-				}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			currentRoute := &route.Route{
+				ID: "routeDoesntExistAnymore",
+			}
+			if tc.currentRoute != "" {
+				currentRoute = tc.existingRoutes[tc.currentRoute]
+			}

-				// create new clientNetwork
-				client := &clientNetwork{
-					handler:       static.NewRoute(&route.Route{Network: netip.MustParsePrefix("192.168.0.0/24")}, nil, nil),
-					routes:        tc.existingRoutes,
-					currentChosen: currentRoute,
-				}
+			// create new clientNetwork
+			client := &clientNetwork{
+				network:     netip.MustParsePrefix("192.168.0.0/24"),
+				routes:      tc.existingRoutes,
+				chosenRoute: currentRoute,
+			}

-				chosenRoute := client.getBestRouteFromStatuses(tc.statuses)
-				if chosenRoute != tc.expectedRouteID {
-					t.Errorf("expected routeID %s, got %s", tc.expectedRouteID, chosenRoute)
-				}
-			})
-		}
+			chosenRoute := client.getBestRouteFromStatuses(tc.statuses)
+			if chosenRoute != tc.expectedRouteID {
+				t.Errorf("expected routeID %s, got %s", tc.expectedRouteID, chosenRoute)
+			}
+		})
 	}
 }
--- a/client/internal/routemanager/dynamic/route.go
+++ b/client/internal/routemanager/dynamic/route.go
@@ -1,396 +0,0 @@
-package dynamic
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/hashicorp/go-multierror"
-	log "github.com/sirupsen/logrus"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
-	"github.com/netbirdio/netbird/client/internal/routemanager/util"
-	"github.com/netbirdio/netbird/iface"
-	"github.com/netbirdio/netbird/management/domain"
-	"github.com/netbirdio/netbird/route"
-)
-
-const (
-	DefaultInterval = time.Minute
-
-	minInterval     = 2 * time.Second
-	failureInterval = 5 * time.Second
-
-	addAllowedIP = "add allowed IP %s: %w"
-)
-
-type domainMap map[domain.Domain][]netip.Prefix
-
-type resolveResult struct {
-	domain domain.Domain
-	prefix netip.Prefix
-	err    error
-}
-
-type Route struct {
-	route                *route.Route
-	routeRefCounter      *refcounter.RouteRefCounter
-	allowedIPsRefcounter *refcounter.AllowedIPsRefCounter
-	interval             time.Duration
-	dynamicDomains       domainMap
-	mu                   sync.Mutex
-	currentPeerKey       string
-	cancel               context.CancelFunc
-	statusRecorder       *peer.Status
-	wgInterface          iface.IWGIface
-	resolverAddr         string
-}
-
-func NewRoute(
-	rt *route.Route,
-	routeRefCounter *refcounter.RouteRefCounter,
-	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter,
-	interval time.Duration,
-	statusRecorder *peer.Status,
-	wgInterface iface.IWGIface,
-	resolverAddr string,
-) *Route {
-	return &Route{
-		route:                rt,
-		routeRefCounter:      routeRefCounter,
-		allowedIPsRefcounter: allowedIPsRefCounter,
-		interval:             interval,
-		dynamicDomains:       domainMap{},
-		statusRecorder:       statusRecorder,
-		wgInterface:          wgInterface,
-		resolverAddr:         resolverAddr,
-	}
-}
-
-func (r *Route) String() string {
-	s, err := r.route.Domains.String()
-	if err != nil {
-		return r.route.Domains.PunycodeString()
-	}
-	return s
-}
-
-func (r *Route) AddRoute(ctx context.Context) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	if r.cancel != nil {
-		r.cancel()
-	}
-
-	ctx, r.cancel = context.WithCancel(ctx)
-
-	go r.startResolver(ctx)
-
-	return nil
-}
-
-// RemoveRoute will stop the dynamic resolver and remove all dynamic routes.
-// It doesn't touch allowed IPs, these should be removed separately and before calling this method.
-func (r *Route) RemoveRoute() error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	if r.cancel != nil {
-		r.cancel()
-	}
-
-	var merr *multierror.Error
-	for domain, prefixes := range r.dynamicDomains {
-		for _, prefix := range prefixes {
-			if _, err := r.routeRefCounter.Decrement(prefix); err != nil {
-				merr = multierror.Append(merr, fmt.Errorf("remove dynamic route for IP %s: %w", prefix, err))
-			}
-		}
-		log.Debugf("Removed dynamic route(s) for [%s]: %s", domain.SafeString(), strings.ReplaceAll(fmt.Sprintf("%s", prefixes), " ", ", "))
-
-		r.statusRecorder.DeleteResolvedDomainsStates(domain)
-	}
-
-	r.dynamicDomains = domainMap{}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *Route) AddAllowedIPs(peerKey string) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	var merr *multierror.Error
-	for domain, domainPrefixes := range r.dynamicDomains {
-		for _, prefix := range domainPrefixes {
-			if err := r.incrementAllowedIP(domain, prefix, peerKey); err != nil {
-				merr = multierror.Append(merr, fmt.Errorf(addAllowedIP, prefix, err))
-			}
-		}
-	}
-	r.currentPeerKey = peerKey
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *Route) RemoveAllowedIPs() error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	var merr *multierror.Error
-	for _, domainPrefixes := range r.dynamicDomains {
-		for _, prefix := range domainPrefixes {
-			if _, err := r.allowedIPsRefcounter.Decrement(prefix); err != nil {
-				merr = multierror.Append(merr, fmt.Errorf("remove allowed IP %s: %w", prefix, err))
-			}
-		}
-	}
-
-	r.currentPeerKey = ""
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *Route) startResolver(ctx context.Context) {
-	log.Debugf("Starting dynamic route resolver for domains [%v]", r)
-
-	interval := r.interval
-	if interval < minInterval {
-		interval = minInterval
-		log.Warnf("Dynamic route resolver interval %s is too low, setting to minimum value %s", r.interval, minInterval)
-	}
-
-	ticker := time.NewTicker(interval)
-	defer ticker.Stop()
-
-	if err := r.update(ctx); err != nil {
-		log.Errorf("Failed to resolve domains for route [%v]: %v", r, err)
-		if interval > failureInterval {
-			ticker.Reset(failureInterval)
-		}
-	}
-
-	for {
-		select {
-		case <-ctx.Done():
-			log.Debugf("Stopping dynamic route resolver for domains [%v]", r)
-			return
-		case <-ticker.C:
-			if err := r.update(ctx); err != nil {
-				log.Errorf("Failed to resolve domains for route [%v]: %v", r, err)
-				// Use a lower ticker interval if the update fails
-				if interval > failureInterval {
-					ticker.Reset(failureInterval)
-				}
-			} else if interval > failureInterval {
-				// Reset to the original interval if the update succeeds
-				ticker.Reset(interval)
-			}
-		}
-	}
-}
-
-func (r *Route) update(ctx context.Context) error {
-	resolved, err := r.resolveDomains()
-	if err != nil {
-		if len(resolved) == 0 {
-			return fmt.Errorf("resolve domains: %w", err)
-		}
-		log.Warnf("Failed to resolve domains: %v", err)
-	}
-	if err := r.updateDynamicRoutes(ctx, resolved); err != nil {
-		return fmt.Errorf("update dynamic routes: %w", err)
-	}
-
-	return nil
-}
-
-func (r *Route) resolveDomains() (domainMap, error) {
-	results := make(chan resolveResult)
-	go r.resolve(results)
-
-	resolved := domainMap{}
-	var merr *multierror.Error
-
-	for result := range results {
-		if result.err != nil {
-			merr = multierror.Append(merr, result.err)
-		} else {
-			resolved[result.domain] = append(resolved[result.domain], result.prefix)
-		}
-	}
-
-	return resolved, nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *Route) resolve(results chan resolveResult) {
-	var wg sync.WaitGroup
-
-	for _, d := range r.route.Domains {
-		wg.Add(1)
-		go func(domain domain.Domain) {
-			defer wg.Done()
-
-			ips, err := r.getIPsFromResolver(domain)
-			if err != nil {
-				log.Tracef("Failed to resolve domain %s with private resolver: %v", domain.SafeString(), err)
-				ips, err = net.LookupIP(string(domain))
-				if err != nil {
-					results <- resolveResult{domain: domain, err: fmt.Errorf("resolve d %s: %w", domain.SafeString(), err)}
-					return
-				}
-			}
-
-			for _, ip := range ips {
-				prefix, err := util.GetPrefixFromIP(ip)
-				if err != nil {
-					results <- resolveResult{domain: domain, err: fmt.Errorf("get prefix from IP %s: %w", ip.String(), err)}
-					return
-				}
-				results <- resolveResult{domain: domain, prefix: prefix}
-			}
-		}(d)
-	}
-
-	wg.Wait()
-	close(results)
-}
-
-func (r *Route) updateDynamicRoutes(ctx context.Context, newDomains domainMap) error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	if ctx.Err() != nil {
-		return ctx.Err()
-	}
-
-	var merr *multierror.Error
-
-	for domain, newPrefixes := range newDomains {
-		oldPrefixes := r.dynamicDomains[domain]
-		toAdd, toRemove := determinePrefixChanges(oldPrefixes, newPrefixes)
-
-		addedPrefixes, err := r.addRoutes(domain, toAdd)
-		if err != nil {
-			merr = multierror.Append(merr, err)
-		} else if len(addedPrefixes) > 0 {
-			log.Debugf("Added dynamic route(s) for [%s]: %s", domain.SafeString(), strings.ReplaceAll(fmt.Sprintf("%s", addedPrefixes), " ", ", "))
-		}
-
-		removedPrefixes, err := r.removeRoutes(toRemove)
-		if err != nil {
-			merr = multierror.Append(merr, err)
-		} else if len(removedPrefixes) > 0 {
-			log.Debugf("Removed dynamic route(s) for [%s]: %s", domain.SafeString(), strings.ReplaceAll(fmt.Sprintf("%s", removedPrefixes), " ", ", "))
-		}
-
-		updatedPrefixes := combinePrefixes(oldPrefixes, removedPrefixes, addedPrefixes)
-		r.dynamicDomains[domain] = updatedPrefixes
-
-		r.statusRecorder.UpdateResolvedDomainsStates(domain, updatedPrefixes)
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *Route) addRoutes(domain domain.Domain, prefixes []netip.Prefix) ([]netip.Prefix, error) {
-	var addedPrefixes []netip.Prefix
-	var merr *multierror.Error
-
-	for _, prefix := range prefixes {
-		if _, err := r.routeRefCounter.Increment(prefix, nil); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("add dynamic route for IP %s: %w", prefix, err))
-			continue
-		}
-		if r.currentPeerKey != "" {
-			if err := r.incrementAllowedIP(domain, prefix, r.currentPeerKey); err != nil {
-				merr = multierror.Append(merr, fmt.Errorf(addAllowedIP, prefix, err))
-			}
-		}
-		addedPrefixes = append(addedPrefixes, prefix)
-	}
-
-	return addedPrefixes, merr.ErrorOrNil()
-}
-
-func (r *Route) removeRoutes(prefixes []netip.Prefix) ([]netip.Prefix, error) {
-	if r.route.KeepRoute {
-		return nil, nil
-	}
-
-	var removedPrefixes []netip.Prefix
-	var merr *multierror.Error
-
-	for _, prefix := range prefixes {
-		if _, err := r.routeRefCounter.Decrement(prefix); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove dynamic route for IP %s: %w", prefix, err))
-		}
-		if r.currentPeerKey != "" {
-			if _, err := r.allowedIPsRefcounter.Decrement(prefix); err != nil {
-				merr = multierror.Append(merr, fmt.Errorf("remove allowed IP %s: %w", prefix, err))
-			}
-		}
-		removedPrefixes = append(removedPrefixes, prefix)
-	}
-
-	return removedPrefixes, merr.ErrorOrNil()
-}
-
-func (r *Route) incrementAllowedIP(domain domain.Domain, prefix netip.Prefix, peerKey string) error {
-	if ref, err := r.allowedIPsRefcounter.Increment(prefix, peerKey); err != nil {
-		return fmt.Errorf(addAllowedIP, prefix, err)
-	} else if ref.Count > 1 && ref.Out != peerKey {
-		log.Warnf("IP [%s] for domain [%s] is already routed by peer [%s]. HA routing disabled",
-			prefix.Addr(),
-			domain.SafeString(),
-			ref.Out,
-		)
-
-	}
-	return nil
-}
-
-func determinePrefixChanges(oldPrefixes, newPrefixes []netip.Prefix) (toAdd, toRemove []netip.Prefix) {
-	prefixSet := make(map[netip.Prefix]bool)
-	for _, prefix := range oldPrefixes {
-		prefixSet[prefix] = false
-	}
-	for _, prefix := range newPrefixes {
-		if _, exists := prefixSet[prefix]; exists {
-			prefixSet[prefix] = true
-		} else {
-			toAdd = append(toAdd, prefix)
-		}
-	}
-	for prefix, inUse := range prefixSet {
-		if !inUse {
-			toRemove = append(toRemove, prefix)
-		}
-	}
-	return
-}
-
-func combinePrefixes(oldPrefixes, removedPrefixes, addedPrefixes []netip.Prefix) []netip.Prefix {
-	prefixSet := make(map[netip.Prefix]struct{})
-	for _, prefix := range oldPrefixes {
-		prefixSet[prefix] = struct{}{}
-	}
-	for _, prefix := range removedPrefixes {
-		delete(prefixSet, prefix)
-	}
-	for _, prefix := range addedPrefixes {
-		prefixSet[prefix] = struct{}{}
-	}
-
-	var combinedPrefixes []netip.Prefix
-	for prefix := range prefixSet {
-		combinedPrefixes = append(combinedPrefixes, prefix)
-	}
-
-	return combinedPrefixes
-}
--- a/client/internal/routemanager/dynamic/route_generic.go
+++ b/client/internal/routemanager/dynamic/route_generic.go
@@ -1,13 +0,0 @@
-//go:build !ios
-
-package dynamic
-
-import (
-	"net"
-
-	"github.com/netbirdio/netbird/management/domain"
-)
-
-func (r *Route) getIPsFromResolver(domain domain.Domain) ([]net.IP, error) {
-	return net.LookupIP(string(domain))
-}
--- a/client/internal/routemanager/dynamic/route_ios.go
+++ b/client/internal/routemanager/dynamic/route_ios.go
@@ -1,55 +0,0 @@
-//go:build ios
-
-package dynamic
-
-import (
-	"fmt"
-	"net"
-	"time"
-
-	"github.com/miekg/dns"
-
-	nbdns "github.com/netbirdio/netbird/client/internal/dns"
-
-	"github.com/netbirdio/netbird/management/domain"
-)
-
-const dialTimeout = 10 * time.Second
-
-func (r *Route) getIPsFromResolver(domain domain.Domain) ([]net.IP, error) {
-	privateClient, err := nbdns.GetClientPrivate(r.wgInterface.Address().IP, r.wgInterface.Name(), dialTimeout)
-	if err != nil {
-		return nil, fmt.Errorf("error while creating private client: %s", err)
-	}
-
-	msg := new(dns.Msg)
-	msg.SetQuestion(dns.Fqdn(string(domain)), dns.TypeA)
-
-	startTime := time.Now()
-
-	response, _, err := privateClient.Exchange(msg, r.resolverAddr)
-	if err != nil {
-		return nil, fmt.Errorf("DNS query for %s failed after %s: %s ", domain.SafeString(), time.Since(startTime), err)
-	}
-
-	if response.Rcode != dns.RcodeSuccess {
-		return nil, fmt.Errorf("dns response code: %s", dns.RcodeToString[response.Rcode])
-	}
-
-	ips := make([]net.IP, 0)
-
-	for _, answ := range response.Answer {
-		if aRecord, ok := answ.(*dns.A); ok {
-			ips = append(ips, aRecord.A)
-		}
-		if aaaaRecord, ok := answ.(*dns.AAAA); ok {
-			ips = append(ips, aaaaRecord.AAAA)
-		}
-	}
-
-	if len(ips) == 0 {
-		return nil, fmt.Errorf("no A or AAAA records found for %s", domain.SafeString())
-	}
-
-	return ips, nil
-}
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -2,24 +2,18 @@ package routemanager

 import (
 	"context"
-	"errors"
 	"fmt"
 	"net"
 	"net/netip"
 	"net/url"
 	"runtime"
 	"sync"
-	"time"

 	log "github.com/sirupsen/logrus"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/routemanager/notifier"
-	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
-	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
-	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
 	"github.com/netbirdio/netbird/client/internal/routeselector"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
@@ -27,11 +21,16 @@ import (
 	"github.com/netbirdio/netbird/version"
 )

+var defaultv4 = netip.PrefixFrom(netip.IPv4Unspecified(), 0)
+
+// nolint:unused
+var defaultv6 = netip.PrefixFrom(netip.IPv6Unspecified(), 0)
+
 // Manager is a route manager interface
 type Manager interface {
-	Init() (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error)
-	UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error)
-	TriggerSelection(route.HAMap)
+	Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error)
+	UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[string]*route.Route, map[string][]*route.Route, error)
+	TriggerSelection(map[string][]*route.Route)
 	GetRouteSelector() *routeselector.RouteSelector
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
@@ -41,86 +40,45 @@ type Manager interface {

 // DefaultManager is the default instance of a route manager
 type DefaultManager struct {
-	ctx                  context.Context
-	stop                 context.CancelFunc
-	mux                  sync.Mutex
-	clientNetworks       map[route.HAUniqueID]*clientNetwork
-	routeSelector        *routeselector.RouteSelector
-	serverRouter         serverRouter
-	sysOps               *systemops.SysOps
-	statusRecorder       *peer.Status
-	wgInterface          iface.IWGIface
-	pubKey               string
-	notifier             *notifier.Notifier
-	routeRefCounter      *refcounter.RouteRefCounter
-	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter
-	dnsRouteInterval     time.Duration
+	ctx            context.Context
+	stop           context.CancelFunc
+	mux            sync.Mutex
+	clientNetworks map[string]*clientNetwork
+	routeSelector  *routeselector.RouteSelector
+	serverRouter   serverRouter
+	statusRecorder *peer.Status
+	wgInterface    *iface.WGIface
+	pubKey         string
+	notifier       *notifier
 }

-func NewManager(
-	ctx context.Context,
-	pubKey string,
-	dnsRouteInterval time.Duration,
-	wgInterface iface.IWGIface,
-	statusRecorder *peer.Status,
-	initialRoutes []*route.Route,
-) *DefaultManager {
+func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface, statusRecorder *peer.Status, initialRoutes []*route.Route) *DefaultManager {
 	mCTX, cancel := context.WithCancel(ctx)
-	notifier := notifier.NewNotifier()
-	sysOps := systemops.NewSysOps(wgInterface, notifier)
-
 	dm := &DefaultManager{
-		ctx:              mCTX,
-		stop:             cancel,
-		dnsRouteInterval: dnsRouteInterval,
-		clientNetworks:   make(map[route.HAUniqueID]*clientNetwork),
-		routeSelector:    routeselector.NewRouteSelector(),
-		sysOps:           sysOps,
-		statusRecorder:   statusRecorder,
-		wgInterface:      wgInterface,
-		pubKey:           pubKey,
-		notifier:         notifier,
+		ctx:            mCTX,
+		stop:           cancel,
+		clientNetworks: make(map[string]*clientNetwork),
+		routeSelector:  routeselector.NewRouteSelector(),
+		statusRecorder: statusRecorder,
+		wgInterface:    wgInterface,
+		pubKey:         pubKey,
+		notifier:       newNotifier(),
 	}

-	dm.routeRefCounter = refcounter.New(
-		func(prefix netip.Prefix, _ any) (any, error) {
-			return nil, sysOps.AddVPNRoute(prefix, wgInterface.ToInterface())
-		},
-		func(prefix netip.Prefix, _ any) error {
-			return sysOps.RemoveVPNRoute(prefix, wgInterface.ToInterface())
-		},
-	)
-
-	dm.allowedIPsRefCounter = refcounter.New(
-		func(prefix netip.Prefix, peerKey string) (string, error) {
-			// save peerKey to use it in the remove function
-			return peerKey, wgInterface.AddAllowedIP(peerKey, prefix.String())
-		},
-		func(prefix netip.Prefix, peerKey string) error {
-			if err := wgInterface.RemoveAllowedIP(peerKey, prefix.String()); err != nil {
-				if !errors.Is(err, iface.ErrPeerNotFound) && !errors.Is(err, iface.ErrAllowedIPNotFound) {
-					return err
-				}
-				log.Tracef("Remove allowed IPs %s for %s: %v", prefix, peerKey, err)
-			}
-			return nil
-		},
-	)
-
 	if runtime.GOOS == "android" {
 		cr := dm.clientRoutes(initialRoutes)
-		dm.notifier.SetInitialClientRoutes(cr)
+		dm.notifier.setInitialClientRoutes(cr)
 	}
 	return dm
 }

 // Init sets up the routing
-func (m *DefaultManager) Init() (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error) {
+func (m *DefaultManager) Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
 	if nbnet.CustomRoutingDisabled() {
 		return nil, nil, nil
 	}

-	if err := m.sysOps.CleanupRouting(); err != nil {
+	if err := cleanupRouting(); err != nil {
 		log.Warnf("Failed cleaning up routing: %v", err)
 	}

@@ -128,7 +86,7 @@ func (m *DefaultManager) Init() (nbnet.AddHookFunc, nbnet.RemoveHookFunc, error)
 	signalAddress := m.statusRecorder.GetSignalState().URL
 	ips := resolveURLsToIPs([]string{mgmtAddress, signalAddress})

-	beforePeerHook, afterPeerHook, err := m.sysOps.SetupRouting(ips)
+	beforePeerHook, afterPeerHook, err := setupRouting(ips, m.wgInterface)
 	if err != nil {
 		return nil, nil, fmt.Errorf("setup routing: %w", err)
 	}
@@ -152,19 +110,8 @@ func (m *DefaultManager) Stop() {
 		m.serverRouter.cleanUp()
 	}

-	if m.routeRefCounter != nil {
-		if err := m.routeRefCounter.Flush(); err != nil {
-			log.Errorf("Error flushing route ref counter: %v", err)
-		}
-	}
-	if m.allowedIPsRefCounter != nil {
-		if err := m.allowedIPsRefCounter.Flush(); err != nil {
-			log.Errorf("Error flushing allowed IPs ref counter: %v", err)
-		}
-	}
-
 	if !nbnet.CustomRoutingDisabled() {
-		if err := m.sysOps.CleanupRouting(); err != nil {
+		if err := cleanupRouting(); err != nil {
 			log.Errorf("Error cleaning up routing: %v", err)
 		} else {
 			log.Info("Routing cleanup complete")
@@ -175,7 +122,7 @@ func (m *DefaultManager) Stop() {
 }

 // UpdateRoutes compares received routes with existing routes and removes, updates or adds them to the client and server maps
-func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error) {
+func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[string]*route.Route, map[string][]*route.Route, error) {
 	select {
 	case <-m.ctx.Done():
 		log.Infof("not updating routes as context is closed")
@@ -188,7 +135,7 @@ func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Ro

 		filteredClientRoutes := m.routeSelector.FilterSelected(newClientRoutesIDMap)
 		m.updateClientNetworks(updateSerial, filteredClientRoutes)
-		m.notifier.OnNewRoutes(filteredClientRoutes)
+		m.notifier.onNewRoutes(filteredClientRoutes)

 		if m.serverRouter != nil {
 			err := m.serverRouter.updateRoutes(newServerRoutesMap)
@@ -201,14 +148,14 @@ func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Ro
 	}
 }

-// SetRouteChangeListener set RouteListener for route change Notifier
+// SetRouteChangeListener set RouteListener for route change notifier
 func (m *DefaultManager) SetRouteChangeListener(listener listener.NetworkChangeListener) {
-	m.notifier.SetListener(listener)
+	m.notifier.setListener(listener)
 }

 // InitialRouteRange return the list of initial routes. It used by mobile systems
 func (m *DefaultManager) InitialRouteRange() []string {
-	return m.notifier.GetInitialRouteRanges()
+	return m.notifier.initialRouteRanges()
 }

 // GetRouteSelector returns the route selector
@@ -217,19 +164,16 @@ func (m *DefaultManager) GetRouteSelector() *routeselector.RouteSelector {
 }

 // GetClientRoutes returns the client routes
-func (m *DefaultManager) GetClientRoutes() map[route.HAUniqueID]*clientNetwork {
+func (m *DefaultManager) GetClientRoutes() map[string]*clientNetwork {
 	return m.clientNetworks
 }

 // TriggerSelection triggers the selection of routes, stopping deselected watchers and starting newly selected ones
-func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
+func (m *DefaultManager) TriggerSelection(networks map[string][]*route.Route) {
 	m.mux.Lock()
 	defer m.mux.Unlock()

 	networks = m.routeSelector.FilterSelected(networks)
-
-	m.notifier.OnNewRoutes(networks)
-
 	m.stopObsoleteClients(networks)

 	for id, routes := range networks {
@@ -238,7 +182,7 @@ func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
 			continue
 		}

-		clientNetworkWatcher := newClientNetworkWatcher(m.ctx, m.dnsRouteInterval, m.wgInterface, m.statusRecorder, routes[0], m.routeRefCounter, m.allowedIPsRefCounter)
+		clientNetworkWatcher := newClientNetworkWatcher(m.ctx, m.wgInterface, m.statusRecorder, routes[0].Network)
 		m.clientNetworks[id] = clientNetworkWatcher
 		go clientNetworkWatcher.peersStateAndUpdateWatcher()
 		clientNetworkWatcher.sendUpdateToClientNetworkWatcher(routesUpdate{routes: routes})
@@ -246,24 +190,24 @@ func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
 }

 // stopObsoleteClients stops the client network watcher for the networks that are not in the new list
-func (m *DefaultManager) stopObsoleteClients(networks route.HAMap) {
+func (m *DefaultManager) stopObsoleteClients(networks map[string][]*route.Route) {
 	for id, client := range m.clientNetworks {
 		if _, ok := networks[id]; !ok {
 			log.Debugf("Stopping client network watcher, %s", id)
-			client.cancel()
+			client.stop()
 			delete(m.clientNetworks, id)
 		}
 	}
 }

-func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks route.HAMap) {
+func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks map[string][]*route.Route) {
 	// removing routes that do not exist as per the update from the Management service.
 	m.stopObsoleteClients(networks)

 	for id, routes := range networks {
 		clientNetworkWatcher, found := m.clientNetworks[id]
 		if !found {
-			clientNetworkWatcher = newClientNetworkWatcher(m.ctx, m.dnsRouteInterval, m.wgInterface, m.statusRecorder, routes[0], m.routeRefCounter, m.allowedIPsRefCounter)
+			clientNetworkWatcher = newClientNetworkWatcher(m.ctx, m.wgInterface, m.statusRecorder, routes[0].Network)
 			m.clientNetworks[id] = clientNetworkWatcher
 			go clientNetworkWatcher.peersStateAndUpdateWatcher()
 		}
@@ -275,15 +219,15 @@ func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks rout
 	}
 }

-func (m *DefaultManager) classifyRoutes(newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap) {
-	newClientRoutesIDMap := make(route.HAMap)
-	newServerRoutesMap := make(map[route.ID]*route.Route)
-	ownNetworkIDs := make(map[route.HAUniqueID]bool)
+func (m *DefaultManager) classifyRoutes(newRoutes []*route.Route) (map[string]*route.Route, map[string][]*route.Route) {
+	newClientRoutesIDMap := make(map[string][]*route.Route)
+	newServerRoutesMap := make(map[string]*route.Route)
+	ownNetworkIDs := make(map[string]bool)

 	for _, newRoute := range newRoutes {
-		haID := newRoute.GetHAUniqueID()
+		networkID := route.GetHAUniqueID(newRoute)
 		if newRoute.Peer == m.pubKey {
-			ownNetworkIDs[haID] = true
+			ownNetworkIDs[networkID] = true
 			// only linux is supported for now
 			if runtime.GOOS != "linux" {
 				log.Warnf("received a route to manage, but agent doesn't support router mode on %s OS", runtime.GOOS)
@@ -294,12 +238,12 @@ func (m *DefaultManager) classifyRoutes(newRoutes []*route.Route) (map[route.ID]
 	}

 	for _, newRoute := range newRoutes {
-		haID := newRoute.GetHAUniqueID()
-		if !ownNetworkIDs[haID] {
-			if !isRouteSupported(newRoute) {
+		networkID := route.GetHAUniqueID(newRoute)
+		if !ownNetworkIDs[networkID] {
+			if !isPrefixSupported(newRoute.Network) {
 				continue
 			}
-			newClientRoutesIDMap[haID] = append(newClientRoutesIDMap[haID], newRoute)
+			newClientRoutesIDMap[networkID] = append(newClientRoutesIDMap[networkID], newRoute)
 		}
 	}

@@ -308,23 +252,26 @@ func (m *DefaultManager) classifyRoutes(newRoutes []*route.Route) (map[route.ID]

 func (m *DefaultManager) clientRoutes(initialRoutes []*route.Route) []*route.Route {
 	_, crMap := m.classifyRoutes(initialRoutes)
-	rs := make([]*route.Route, 0, len(crMap))
+	rs := make([]*route.Route, 0)
 	for _, routes := range crMap {
 		rs = append(rs, routes...)
 	}
 	return rs
 }

-func isRouteSupported(route *route.Route) bool {
-	if !nbnet.CustomRoutingDisabled() || route.IsDynamic() {
-		return true
+func isPrefixSupported(prefix netip.Prefix) bool {
+	if !nbnet.CustomRoutingDisabled() {
+		switch runtime.GOOS {
+		case "linux", "windows", "darwin", "ios":
+			return true
+		}
 	}

 	// If prefix is too small, lets assume it is a possible default prefix which is not yet supported
 	// we skip this prefix management
-	if route.Network.Bits() <= vars.MinRangeBits {
+	if prefix.Bits() <= minRangeBits {
 		log.Warnf("This agent version: %s, doesn't support default routes, received %s, skipping this prefix",
-			version.NetbirdVersion(), route.Network)
+			version.NetbirdVersion(), prefix)
 		return false
 	}
 	return true
--- a/client/internal/routemanager/manager_test.go
+++ b/client/internal/routemanager/manager_test.go
@@ -407,7 +407,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", 33100, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil, nil)
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", 33100, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil)
 			require.NoError(t, err, "should create testing WGIface interface")
 			defer wgInterface.Close()

@@ -416,7 +416,7 @@ func TestManagerUpdateRoutes(t *testing.T) {

 			statusRecorder := peer.NewRecorder("https://mgm")
 			ctx := context.TODO()
-			routeManager := NewManager(ctx, localPeerKey, 0, wgInterface, statusRecorder, nil)
+			routeManager := NewManager(ctx, localPeerKey, wgInterface, statusRecorder, nil)

 			_, _, err = routeManager.Init()

@@ -436,7 +436,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			require.NoError(t, err, "should update routes")

 			expectedWatchers := testCase.clientNetworkWatchersExpected
-			if testCase.clientNetworkWatchersExpectedAllowed != 0 {
+			if (runtime.GOOS == "linux" || runtime.GOOS == "windows" || runtime.GOOS == "darwin") && testCase.clientNetworkWatchersExpectedAllowed != 0 {
 				expectedWatchers = testCase.clientNetworkWatchersExpectedAllowed
 			}
 			require.Len(t, routeManager.clientNetworks, expectedWatchers, "client networks size should match")
--- a/client/internal/routemanager/mock.go
+++ b/client/internal/routemanager/mock.go
@@ -6,21 +6,21 @@ import (

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/routeselector"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
-	"github.com/netbirdio/netbird/util/net"
 )

 // MockManager is the mock instance of a route manager
 type MockManager struct {
-	UpdateRoutesFunc     func(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error)
-	TriggerSelectionFunc func(haMap route.HAMap)
+	UpdateRoutesFunc     func(updateSerial uint64, newRoutes []*route.Route) (map[string]*route.Route, map[string][]*route.Route, error)
+	TriggerSelectionFunc func(map[string][]*route.Route)
 	GetRouteSelectorFunc func() *routeselector.RouteSelector
 	StopFunc             func()
 }

-func (m *MockManager) Init() (net.AddHookFunc, net.RemoveHookFunc, error) {
+func (m *MockManager) Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
 	return nil, nil, nil
 }

@@ -30,14 +30,14 @@ func (m *MockManager) InitialRouteRange() []string {
 }

 // UpdateRoutes mock implementation of UpdateRoutes from Manager interface
-func (m *MockManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error) {
+func (m *MockManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[string]*route.Route, map[string][]*route.Route, error) {
 	if m.UpdateRoutesFunc != nil {
 		return m.UpdateRoutesFunc(updateSerial, newRoutes)
 	}
 	return nil, nil, fmt.Errorf("method UpdateRoutes is not implemented")
 }

-func (m *MockManager) TriggerSelection(networks route.HAMap) {
+func (m *MockManager) TriggerSelection(networks map[string][]*route.Route) {
 	if m.TriggerSelectionFunc != nil {
 		m.TriggerSelectionFunc(networks)
 	}
--- a/client/internal/routemanager/notifier.go
+++ b/client/internal/routemanager/notifier.go
@@ -0,0 +1,83 @@
+package routemanager
+
+import (
+	"sort"
+	"strings"
+	"sync"
+
+	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/route"
+)
+
+type notifier struct {
+	initialRouteRangers []string
+	routeRangers        []string
+
+	listener    listener.NetworkChangeListener
+	listenerMux sync.Mutex
+}
+
+func newNotifier() *notifier {
+	return &notifier{}
+}
+
+func (n *notifier) setListener(listener listener.NetworkChangeListener) {
+	n.listenerMux.Lock()
+	defer n.listenerMux.Unlock()
+	n.listener = listener
+}
+
+func (n *notifier) setInitialClientRoutes(clientRoutes []*route.Route) {
+	nets := make([]string, 0)
+	for _, r := range clientRoutes {
+		nets = append(nets, r.Network.String())
+	}
+	sort.Strings(nets)
+	n.initialRouteRangers = nets
+}
+
+func (n *notifier) onNewRoutes(idMap map[string][]*route.Route) {
+	newNets := make([]string, 0)
+	for _, routes := range idMap {
+		for _, r := range routes {
+			newNets = append(newNets, r.Network.String())
+		}
+	}
+
+	sort.Strings(newNets)
+	if !n.hasDiff(n.initialRouteRangers, newNets) {
+		return
+	}
+
+	n.routeRangers = newNets
+
+	n.notify()
+}
+
+func (n *notifier) notify() {
+	n.listenerMux.Lock()
+	defer n.listenerMux.Unlock()
+	if n.listener == nil {
+		return
+	}
+
+	go func(l listener.NetworkChangeListener) {
+		l.OnNetworkChanged(strings.Join(n.routeRangers, ","))
+	}(n.listener)
+}
+
+func (n *notifier) hasDiff(a []string, b []string) bool {
+	if len(a) != len(b) {
+		return true
+	}
+	for i, v := range a {
+		if v != b[i] {
+			return true
+		}
+	}
+	return false
+}
+
+func (n *notifier) initialRouteRanges() []string {
+	return n.initialRouteRangers
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
bcmmbaga	8c44187900	Merge branch 'refs/heads/test/add-stopwatch' into deploy/peer-performance	2024-05-06 14:29:22 +03:00
Pascal Fischer	0dc050b354	update sqlite operations	2024-05-06 13:25:46 +02:00
Pascal Fischer	69eb6f17c6	remove stacktrace	2024-05-03 17:30:26 +02:00
bcmmbaga	ccbe2e0100	Merge branch 'refs/heads/migrate-with-json-serializer' into deploy/peer-performance	2024-05-03 14:11:23 +03:00
bcmmbaga	5b042eee74	migrate null blob values	2024-05-03 14:07:54 +03:00
Pascal Fischer	125c418d85	add debug to GetAccount sqlite store	2024-04-30 13:52:19 +02:00
Pascal Fischer	9f607029c0	add debug to GetAccount sqlite store	2024-04-30 13:35:04 +02:00
bcmmbaga	4df1d556c8	fix tests	2024-04-30 13:35:49 +03:00
bcmmbaga	acaf315152	Merge branch 'refs/heads/migrate-with-json-serializer' into deploy/peer-performance	2024-04-30 13:32:48 +03:00
bcmmbaga	81b6f7dc56	Merge remote-tracking branch 'refs/remotes/origin/test/add-stopwatch' into deploy/peer-performance	2024-04-30 13:32:37 +03:00
bcmmbaga	cb9a8e9fa4	Add tests	2024-04-30 13:27:14 +03:00
Pascal Fischer	f68d9ce042	fix linter	2024-04-30 12:03:59 +02:00
Pascal Fischer	1f182411c6	update store	2024-04-30 11:43:48 +02:00
Pascal Fischer	68e971cb82	Merge remote-tracking branch 'origin/test/add-stopwatch' into test/add-stopwatch	2024-04-30 11:29:08 +02:00
Pascal Fischer	f4a464fb69	update account manager mock	2024-04-30 11:28:57 +02:00
bcmmbaga	7aff0e828b	Refactor	2024-04-30 10:07:40 +03:00
bcmmbaga	90ebf0017b	remove duplicate index	2024-04-29 23:21:00 +03:00
bcmmbaga	bf8c6b95de	run net ip migration	2024-04-29 23:20:43 +03:00
bcmmbaga	8415064758	migrate net ip field from blob to json	2024-04-29 23:20:22 +03:00
Pascal Fischer	809f6cdbc7	add stacktrace for get network map	2024-04-29 18:56:58 +02:00
Pascal Fischer	7474876d6a	add stacktrace for get network map	2024-04-29 18:12:22 +02:00
Pascal Fischer	2095e35217	remove stopwatches + logs	2024-04-29 16:26:44 +02:00
Pascal Fischer	02537e5536	remove stopwatches	2024-04-29 14:57:57 +02:00
bcmmbaga	f99477d3db	serialize net.IP as json	2024-04-29 15:45:46 +03:00
Pascal Fischer	3085383729	introduce RWLocks	2024-04-29 14:03:33 +02:00
Pascal Fischer	07bdf977d0	update db access	2024-04-26 18:05:41 +02:00
Pascal Fischer	4a147006d2	add table	2024-04-26 17:45:10 +02:00
Pascal Fischer	480192028e	try improving Sync method	2024-04-26 17:18:24 +02:00
Pascal Fischer	027c0e5c63	update	2024-04-25 15:47:32 +02:00
Pascal Fischer	fbb1181b64	update	2024-04-25 15:44:06 +02:00
Pascal Fischer	e50ed290d9	update	2024-04-25 15:17:57 +02:00
Pascal Fischer	8f8cfcbc20	add method timing logs	2024-04-25 14:15:36 +02:00