set command with cursor

README.md

@@ -134,3 +134,37 @@ We use open-source technologies like [WireGuard®](https://www.wireguard.com/),
 ### Legal
  _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.
 
+## Configuration Management
+
+Netbird now supports direct configuration management via CLI commands:
+
+- You can use `netbird set` as a regular user if the daemon is running; it will securely update the config via the daemon.
+- If the daemon is not running, you need write access to the config file (typically requires root).
+
+### Set a configuration value
+
+```
+netbird set <setting> <value>
+# or using environment variables
+NB_INTERFACE_NAME=utun5 netbird set interface-name
+```
+
+### Get a configuration value
+
+```
+netbird get <setting>
+# or using environment variables
+NB_INTERFACE_NAME=utun5 netbird get interface-name
+```
+
+### Show all configuration values
+
+```
+netbird show
+```
+
+- All settings support environment variable overrides: `NB_<SETTING>` or `WT_<SETTING>` (e.g. `NB_ENABLE_ROSENPASS=true`).
+- Supported settings: management-url, admin-url, interface-name, external-ip-map, extra-iface-blacklist, dns-resolver-address, extra-dns-labels, preshared-key, enable-rosenpass, rosenpass-permissive, allow-server-ssh, network-monitor, disable-auto-connect, disable-client-routes, disable-server-routes, disable-dns, disable-firewall, block-lan-access, block-inbound, enable-lazy-connection, wireguard-port, dns-router-interval.
+
+See `netbird set --help`, `netbird get --help`, and `netbird show --help` for more details.
+

client/cmd/flags.go

@@ -1,210 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"time"
-
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/management/domain"
-	"github.com/spf13/cobra"
-)
-
-// SharedFlags contains all configuration flags that are common between up and set commands
-type SharedFlags struct {
-	// Network configuration
-	InterfaceName       string
-	WireguardPort       uint16
-	NATExternalIPs      []string
-	CustomDNSAddress    string
-	ExtraIFaceBlackList []string
-	DNSLabels           []string
-	DNSRouteInterval    time.Duration
-
-	// Feature flags
-	RosenpassEnabled    bool
-	RosenpassPermissive bool
-	ServerSSHAllowed    bool
-	AutoConnectDisabled bool
-	NetworkMonitor      bool
-	LazyConnEnabled     bool
-
-	// System flags
-	DisableClientRoutes bool
-	DisableServerRoutes bool
-	DisableDNS          bool
-	DisableFirewall     bool
-	BlockLANAccess      bool
-	BlockInbound        bool
-
-	// Login-specific (only for up command)
-	NoBrowser bool
-}
-
-// AddSharedFlags adds all shared configuration flags to the given command
-func AddSharedFlags(cmd *cobra.Command, flags *SharedFlags) {
-	// Network configuration flags
-	cmd.PersistentFlags().StringVar(&flags.InterfaceName, interfaceNameFlag, iface.WgInterfaceDefault,
-		"Wireguard interface name")
-	cmd.PersistentFlags().Uint16Var(&flags.WireguardPort, wireguardPortFlag, iface.DefaultWgPort,
-		"Wireguard interface listening port")
-	cmd.PersistentFlags().StringSliceVar(&flags.NATExternalIPs, externalIPMapFlag, nil,
-		`Sets external IPs maps between local addresses and interfaces. `+
-			`You can specify a comma-separated list with a single IP and IP/IP or IP/Interface Name. `+
-			`An empty string "" clears the previous configuration. `+
-			`E.g. --external-ip-map 12.34.56.78/10.0.0.1 or --external-ip-map 12.34.56.200,12.34.56.78/10.0.0.1,12.34.56.80/eth1 `+
-			`or --external-ip-map ""`)
-	cmd.PersistentFlags().StringVar(&flags.CustomDNSAddress, dnsResolverAddress, "",
-		`Sets a custom address for NetBird's local DNS resolver. `+
-			`If set, the agent won't attempt to discover the best ip and port to listen on. `+
-			`An empty string "" clears the previous configuration. `+
-			`E.g. --dns-resolver-address 127.0.0.1:5053 or --dns-resolver-address ""`)
-	cmd.PersistentFlags().StringSliceVar(&flags.ExtraIFaceBlackList, extraIFaceBlackListFlag, nil,
-		"Extra list of default interfaces to ignore for listening")
-	cmd.PersistentFlags().StringSliceVar(&flags.DNSLabels, dnsLabelsFlag, nil,
-		`Sets DNS labels. `+
-			`You can specify a comma-separated list of up to 32 labels. `+
-			`An empty string "" clears the previous configuration. `+
-			`E.g. --extra-dns-labels vpc1 or --extra-dns-labels vpc1,mgmt1 `+
-			`or --extra-dns-labels ""`)
-	cmd.PersistentFlags().DurationVar(&flags.DNSRouteInterval, dnsRouteIntervalFlag, time.Minute,
-		"DNS route update interval")
-
-	// Feature flags
-	cmd.PersistentFlags().BoolVar(&flags.RosenpassEnabled, enableRosenpassFlag, false,
-		"[Experimental] Enable Rosenpass feature. If enabled, the connection will be post-quantum secured via Rosenpass.")
-	cmd.PersistentFlags().BoolVar(&flags.RosenpassPermissive, rosenpassPermissiveFlag, false,
-		"[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
-	cmd.PersistentFlags().BoolVar(&flags.ServerSSHAllowed, serverSSHAllowedFlag, false,
-		"Allow SSH server on peer. If enabled, the SSH server will be permitted")
-	cmd.PersistentFlags().BoolVar(&flags.AutoConnectDisabled, disableAutoConnectFlag, false,
-		"Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
-	cmd.PersistentFlags().BoolVarP(&flags.NetworkMonitor, networkMonitorFlag, "N", networkMonitor,
-		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux and FreeBSD. `+
-			`E.g. --network-monitor=false to disable or --network-monitor=true to enable.`)
-	cmd.PersistentFlags().BoolVar(&flags.LazyConnEnabled, enableLazyConnectionFlag, false,
-		"[Experimental] Enable the lazy connection feature. If enabled, the client will establish connections on-demand.")
-
-	// System flags (from system.go)
-	cmd.PersistentFlags().BoolVar(&flags.DisableClientRoutes, disableClientRoutesFlag, false,
-		"Disable client routes. If enabled, the client won't process client routes received from the management service.")
-	cmd.PersistentFlags().BoolVar(&flags.DisableServerRoutes, disableServerRoutesFlag, false,
-		"Disable server routes. If enabled, the client won't act as a router for server routes received from the management service.")
-	cmd.PersistentFlags().BoolVar(&flags.DisableDNS, disableDNSFlag, false,
-		"Disable DNS. If enabled, the client won't configure DNS settings.")
-	cmd.PersistentFlags().BoolVar(&flags.DisableFirewall, disableFirewallFlag, false,
-		"Disable firewall configuration. If enabled, the client won't modify firewall rules.")
-	cmd.PersistentFlags().BoolVar(&flags.BlockLANAccess, blockLANAccessFlag, false,
-		"Block access to local networks (LAN) when using this peer as a router or exit node")
-	cmd.PersistentFlags().BoolVar(&flags.BlockInbound, blockInboundFlag, false,
-		"Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks.\n"+
-			"This overrides any policies received from the management service.")
-}
-
-// AddUpOnlyFlags adds flags that are specific to the up command
-func AddUpOnlyFlags(cmd *cobra.Command, flags *SharedFlags) {
-	cmd.PersistentFlags().BoolVar(&flags.NoBrowser, noBrowserFlag, false, noBrowserDesc)
-}
-
-// BuildConfigInput creates an internal.ConfigInput from SharedFlags with Changed() checks
-func BuildConfigInput(cmd *cobra.Command, flags *SharedFlags, customDNSAddressConverted []byte) (*internal.ConfigInput, error) {
-	ic := internal.ConfigInput{
-		ManagementURL:    managementURL,
-		AdminURL:         adminURL,
-		ConfigPath:       configPath,
-		CustomDNSAddress: customDNSAddressConverted,
-	}
-
-	// Handle PreSharedKey from root command
-	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
-		ic.PreSharedKey = &preSharedKey
-	}
-
-	if cmd.Flag(enableRosenpassFlag).Changed {
-		ic.RosenpassEnabled = &flags.RosenpassEnabled
-	}
-
-	if cmd.Flag(rosenpassPermissiveFlag).Changed {
-		ic.RosenpassPermissive = &flags.RosenpassPermissive
-	}
-
-	if cmd.Flag(serverSSHAllowedFlag).Changed {
-		ic.ServerSSHAllowed = &flags.ServerSSHAllowed
-	}
-
-	if cmd.Flag(interfaceNameFlag).Changed {
-		if err := parseInterfaceName(flags.InterfaceName); err != nil {
-			return nil, err
-		}
-		ic.InterfaceName = &flags.InterfaceName
-	}
-
-	if cmd.Flag(wireguardPortFlag).Changed {
-		p := int(flags.WireguardPort)
-		ic.WireguardPort = &p
-	}
-
-	if cmd.Flag(networkMonitorFlag).Changed {
-		ic.NetworkMonitor = &flags.NetworkMonitor
-	}
-
-	if cmd.Flag(disableAutoConnectFlag).Changed {
-		ic.DisableAutoConnect = &flags.AutoConnectDisabled
-
-		if flags.AutoConnectDisabled {
-			cmd.Println("Autoconnect has been disabled. The client won't connect automatically when the service starts.")
-		} else {
-			cmd.Println("Autoconnect has been enabled. The client will connect automatically when the service starts.")
-		}
-	}
-
-	if cmd.Flag(dnsRouteIntervalFlag).Changed {
-		ic.DNSRouteInterval = &flags.DNSRouteInterval
-	}
-
-	if cmd.Flag(disableClientRoutesFlag).Changed {
-		ic.DisableClientRoutes = &flags.DisableClientRoutes
-	}
-
-	if cmd.Flag(disableServerRoutesFlag).Changed {
-		ic.DisableServerRoutes = &flags.DisableServerRoutes
-	}
-
-	if cmd.Flag(disableDNSFlag).Changed {
-		ic.DisableDNS = &flags.DisableDNS
-	}
-
-	if cmd.Flag(disableFirewallFlag).Changed {
-		ic.DisableFirewall = &flags.DisableFirewall
-	}
-
-	if cmd.Flag(blockLANAccessFlag).Changed {
-		ic.BlockLANAccess = &flags.BlockLANAccess
-	}
-
-	if cmd.Flag(blockInboundFlag).Changed {
-		ic.BlockInbound = &flags.BlockInbound
-	}
-
-	if cmd.Flag(enableLazyConnectionFlag).Changed {
-		ic.LazyConnectionEnabled = &flags.LazyConnEnabled
-	}
-
-	if cmd.Flag(externalIPMapFlag).Changed {
-		ic.NATExternalIPs = flags.NATExternalIPs
-	}
-
-	if cmd.Flag(extraIFaceBlackListFlag).Changed {
-		ic.ExtraIFaceBlackList = flags.ExtraIFaceBlackList
-	}
-
-	if cmd.Flag(dnsLabelsFlag).Changed {
-		var err error
-		ic.DNSLabels, err = domain.FromStringList(flags.DNSLabels)
-		if err != nil {
-			return nil, fmt.Errorf("invalid DNS labels: %v", err)
-		}
-	}
-
-	return &ic, nil
-}

client/cmd/root.go

@@ -22,6 +22,7 @@ import (
 	"google.golang.org/grpc/credentials/insecure"
 
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/upload-server/types"
 )
 
@@ -87,6 +88,30 @@ var (
 		Long:         "",
 		SilenceUsage: true,
 	}
+
+	getCmd = &cobra.Command{
+		Use:   "get <setting>",
+		Short: "Get a configuration value from the config file",
+		Long:  `Get a configuration value from the Netbird config file. You can also use NB_<SETTING> or WT_<SETTING> environment variables to override the value (same as 'set').`,
+		Args:  cobra.ExactArgs(1),
+		RunE:  getFunc,
+	}
+
+	showCmd = &cobra.Command{
+		Use:   "show",
+		Short: "Show all configuration values",
+		Long:  `Show all configuration values from the Netbird config file, with environment variable overrides if present.`,
+		Args:  cobra.NoArgs,
+		RunE:  showFunc,
+	}
+
+	reloadCmd = &cobra.Command{
+		Use:   "reload",
+		Short: "Reload the configuration in the daemon (daemon mode)",
+		Long:  `Reload the configuration from disk in the running daemon. Use after 'set' to apply changes without restarting the service.`,
+		Args:  cobra.NoArgs,
+		RunE:  reloadFunc,
+	}
 )
 
 // Execute executes the root command.
@@ -149,10 +174,12 @@ func init() {
 	rootCmd.AddCommand(loginCmd)
 	rootCmd.AddCommand(versionCmd)
 	rootCmd.AddCommand(sshCmd)
-	rootCmd.AddCommand(setCmd)
 	rootCmd.AddCommand(networksCMD)
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
+	rootCmd.AddCommand(getCmd)
+	rootCmd.AddCommand(showCmd)
+	rootCmd.AddCommand(reloadCmd)
 
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
 	serviceCmd.AddCommand(installCmd, uninstallCmd)              // service installer commands are subcommands of service
@@ -168,6 +195,24 @@ func init() {
 	debugCmd.AddCommand(forCmd)
 	debugCmd.AddCommand(persistenceCmd)
 
+	upCmd.PersistentFlags().StringSliceVar(&natExternalIPs, externalIPMapFlag, nil,
+		`Sets external IPs maps between local addresses and interfaces.`+
+			`You can specify a comma-separated list with a single IP and IP/IP or IP/Interface Name. `+
+			`An empty string "" clears the previous configuration. `+
+			`E.g. --external-ip-map 12.34.56.78/10.0.0.1 or --external-ip-map 12.34.56.200,12.34.56.78/10.0.0.1,12.34.56.80/eth1 `+
+			`or --external-ip-map ""`,
+	)
+	upCmd.PersistentFlags().StringVar(&customDNSAddress, dnsResolverAddress, "",
+		`Sets a custom address for NetBird's local DNS resolver. `+
+			`If set, the agent won't attempt to discover the best ip and port to listen on. `+
+			`An empty string "" clears the previous configuration. `+
+			`E.g. --dns-resolver-address 127.0.0.1:5053 or --dns-resolver-address ""`,
+	)
+	upCmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "[Experimental] Enable Rosenpass feature. If enabled, the connection will be post-quantum secured via Rosenpass.")
+	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
+	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
+	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
+	upCmd.PersistentFlags().BoolVar(&lazyConnEnabled, enableLazyConnectionFlag, false, "[Experimental] Enable the lazy connection feature. If enabled, the client will establish connections on-demand.")
 
 	debugCmd.PersistentFlags().BoolVarP(&debugSystemInfoFlag, systemInfoFlag, "S", true, "Adds system information to the debug bundle")
 	debugCmd.PersistentFlags().BoolVarP(&debugUploadBundle, uploadBundle, "U", false, fmt.Sprintf("Uploads the debug bundle to a server from URL defined by %s", uploadBundleURL))
@@ -391,3 +436,167 @@ func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
 
 	return conn, nil
 }
+
+func getFunc(cmd *cobra.Command, args []string) error {
+	setting := args[0]
+	upper := strings.ToUpper(strings.ReplaceAll(setting, "-", "_"))
+	if v, ok := os.LookupEnv("NB_" + upper); ok {
+		cmd.Println(v)
+		return nil
+	} else if v, ok := os.LookupEnv("WT_" + upper); ok {
+		cmd.Println(v)
+		return nil
+	}
+	config, err := internal.ReadConfig(configPath)
+	if err != nil {
+		return fmt.Errorf("failed to read config: %v", err)
+	}
+	switch setting {
+	case "management-url":
+		cmd.Println(config.ManagementURL.String())
+	case "admin-url":
+		cmd.Println(config.AdminURL.String())
+	case "interface-name":
+		cmd.Println(config.WgIface)
+	case "external-ip-map":
+		cmd.Println(strings.Join(config.NATExternalIPs, ","))
+	case "extra-iface-blacklist":
+		cmd.Println(strings.Join(config.IFaceBlackList, ","))
+	case "dns-resolver-address":
+		cmd.Println(config.CustomDNSAddress)
+	case "extra-dns-labels":
+		cmd.Println(config.DNSLabels.SafeString())
+	case "preshared-key":
+		cmd.Println(config.PreSharedKey)
+	case "enable-rosenpass":
+		cmd.Println(config.RosenpassEnabled)
+	case "rosenpass-permissive":
+		cmd.Println(config.RosenpassPermissive)
+	case "allow-server-ssh":
+		if config.ServerSSHAllowed != nil {
+			cmd.Println(*config.ServerSSHAllowed)
+		} else {
+			cmd.Println(false)
+		}
+	case "network-monitor":
+		if config.NetworkMonitor != nil {
+			cmd.Println(*config.NetworkMonitor)
+		} else {
+			cmd.Println(false)
+		}
+	case "disable-auto-connect":
+		cmd.Println(config.DisableAutoConnect)
+	case "disable-client-routes":
+		cmd.Println(config.DisableClientRoutes)
+	case "disable-server-routes":
+		cmd.Println(config.DisableServerRoutes)
+	case "disable-dns":
+		cmd.Println(config.DisableDNS)
+	case "disable-firewall":
+		cmd.Println(config.DisableFirewall)
+	case "block-lan-access":
+		cmd.Println(config.BlockLANAccess)
+	case "block-inbound":
+		cmd.Println(config.BlockInbound)
+	case "enable-lazy-connection":
+		cmd.Println(config.LazyConnectionEnabled)
+	case "wireguard-port":
+		cmd.Println(config.WgPort)
+	case "dns-router-interval":
+		cmd.Println(config.DNSRouteInterval)
+	default:
+		return fmt.Errorf("unknown setting: %s", setting)
+	}
+	return nil
+}
+
+func showFunc(cmd *cobra.Command, args []string) error {
+	config, err := internal.ReadConfig(configPath)
+	if err != nil {
+		return fmt.Errorf("failed to read config: %v", err)
+	}
+	settings := []string{
+		"management-url", "admin-url", "interface-name", "external-ip-map", "extra-iface-blacklist", "dns-resolver-address", "extra-dns-labels", "preshared-key", "enable-rosenpass", "rosenpass-permissive", "allow-server-ssh", "network-monitor", "disable-auto-connect", "disable-client-routes", "disable-server-routes", "disable-dns", "disable-firewall", "block-lan-access", "block-inbound", "enable-lazy-connection", "wireguard-port", "dns-router-interval",
+	}
+	for _, setting := range settings {
+		upper := strings.ToUpper(strings.ReplaceAll(setting, "-", "_"))
+		var val string
+		if v, ok := os.LookupEnv("NB_" + upper); ok {
+			val = v + " (from NB_ env)"
+		} else if v, ok := os.LookupEnv("WT_" + upper); ok {
+			val = v + " (from WT_ env)"
+		} else {
+			switch setting {
+			case "management-url":
+				val = config.ManagementURL.String()
+			case "admin-url":
+				val = config.AdminURL.String()
+			case "interface-name":
+				val = config.WgIface
+			case "external-ip-map":
+				val = strings.Join(config.NATExternalIPs, ",")
+			case "extra-iface-blacklist":
+				val = strings.Join(config.IFaceBlackList, ",")
+			case "dns-resolver-address":
+				val = config.CustomDNSAddress
+			case "extra-dns-labels":
+				val = config.DNSLabels.SafeString()
+			case "preshared-key":
+				val = config.PreSharedKey
+			case "enable-rosenpass":
+				val = fmt.Sprintf("%v", config.RosenpassEnabled)
+			case "rosenpass-permissive":
+				val = fmt.Sprintf("%v", config.RosenpassPermissive)
+			case "allow-server-ssh":
+				if config.ServerSSHAllowed != nil {
+					val = fmt.Sprintf("%v", *config.ServerSSHAllowed)
+				} else {
+					val = "false"
+				}
+			case "network-monitor":
+				if config.NetworkMonitor != nil {
+					val = fmt.Sprintf("%v", *config.NetworkMonitor)
+				} else {
+					val = "false"
+				}
+			case "disable-auto-connect":
+				val = fmt.Sprintf("%v", config.DisableAutoConnect)
+			case "disable-client-routes":
+				val = fmt.Sprintf("%v", config.DisableClientRoutes)
+			case "disable-server-routes":
+				val = fmt.Sprintf("%v", config.DisableServerRoutes)
+			case "disable-dns":
+				val = fmt.Sprintf("%v", config.DisableDNS)
+			case "disable-firewall":
+				val = fmt.Sprintf("%v", config.DisableFirewall)
+			case "block-lan-access":
+				val = fmt.Sprintf("%v", config.BlockLANAccess)
+			case "block-inbound":
+				val = fmt.Sprintf("%v", config.BlockInbound)
+			case "enable-lazy-connection":
+				val = fmt.Sprintf("%v", config.LazyConnectionEnabled)
+			case "wireguard-port":
+				val = fmt.Sprintf("%d", config.WgPort)
+			case "dns-router-interval":
+				val = config.DNSRouteInterval.String()
+			}
+		}
+		cmd.Printf("%-22s: %s\n", setting, val)
+	}
+	return nil
+}
+
+func reloadFunc(cmd *cobra.Command, args []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	client := proto.NewDaemonServiceClient(conn)
+	_, err = client.ReloadConfig(cmd.Context(), &proto.ReloadConfigRequest{})
+	if err != nil {
+		return fmt.Errorf("failed to reload config in daemon: %v", err)
+	}
+	cmd.Println("Configuration reloaded in daemon.")
+	return nil
+}

client/cmd/set.go

@@ -2,160 +2,474 @@ package cmd
 
 import (
 	"fmt"
+	"os"
+	osuser "os/user"
+	"strings"
+	"time"
 
-	"github.com/spf13/cobra"
-	"google.golang.org/protobuf/types/known/durationpb"
-
+	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/management/domain"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
 )
 
-var (
-	setFlags = &SharedFlags{}
+var setCmd = &cobra.Command{
+	Use:   "set <setting> <value>",
+	Short: "Set a configuration value without running up",
+	Long: `Set a configuration value in the Netbird config file without running 'up'.
 
-	setCmd = &cobra.Command{
-		Use:   "set",
-		Short: "Update NetBird client configuration",
-		Long:  `Update NetBird client configuration without connecting. Uses the same flags as 'netbird up' but only updates the configuration file.`,
-		RunE:  setFunc,
-	}
-)
+You can also set values via environment variables NB_<SETTING> or WT_<SETTING> (e.g. NB_INTERFACE_NAME=utun5 netbird set interface-name).
 
-func init() {
-	// Add all shared flags to the set command
-	AddSharedFlags(setCmd, setFlags)
-	// Note: We don't add up-only flags like --no-browser to set command
+Supported settings:
+  management-url            (string)   e.g. https://api.netbird.io:443
+  admin-url                 (string)   e.g. https://app.netbird.io:443
+  interface-name            (string)   e.g. utun5
+  external-ip-map           (list)     comma-separated, e.g. 12.34.56.78,12.34.56.79/eth0
+  extra-iface-blacklist     (list)     comma-separated, e.g. eth1,eth2
+  dns-resolver-address      (string)   e.g. 127.0.0.1:5053
+  extra-dns-labels          (list)     comma-separated, e.g. vpc1,mgmt1
+  preshared-key             (string)
+  enable-rosenpass          (bool)     true/false
+  rosenpass-permissive      (bool)     true/false
+  allow-server-ssh          (bool)     true/false
+  network-monitor           (bool)     true/false
+  disable-auto-connect      (bool)     true/false
+  disable-client-routes     (bool)     true/false
+  disable-server-routes     (bool)     true/false
+  disable-dns               (bool)     true/false
+  disable-firewall          (bool)     true/false
+  block-lan-access          (bool)     true/false
+  block-inbound             (bool)     true/false
+  enable-lazy-connection    (bool)     true/false
+  wireguard-port            (int)      e.g. 51820
+  dns-router-interval       (duration) e.g. 1m, 30s
+
+Examples:
+  NB_INTERFACE_NAME=utun5 netbird set interface-name
+  netbird set wireguard-port 51820
+  netbird set external-ip-map 12.34.56.78,12.34.56.79/eth0
+  netbird set enable-rosenpass true
+  netbird set dns-router-interval 2m
+  netbird set extra-dns-labels vpc1,mgmt1
+  netbird set disable-firewall true
+`,
+	Args: cobra.ExactArgs(2),
+	RunE: setFunc,
 }
 
-func setFunc(cmd *cobra.Command, _ []string) error {
-	SetFlagsFromEnvVars(rootCmd)
-	SetFlagsFromEnvVars(cmd)
+func init() {
+	rootCmd.AddCommand(setCmd)
+}
 
-	cmd.SetOut(cmd.OutOrStdout())
+func setFunc(cmd *cobra.Command, args []string) error {
+	setting := args[0]
+	var value string
 
-	// Validate inputs (reuse validation logic from up.go)
-	if err := validateNATExternalIPs(setFlags.NATExternalIPs); err != nil {
-		return err
+	// Check environment variables first
+	upper := strings.ToUpper(strings.ReplaceAll(setting, "-", "_"))
+	if v, ok := os.LookupEnv("NB_" + upper); ok {
+		value = v
+	} else if v, ok := os.LookupEnv("WT_" + upper); ok {
+		value = v
+	} else {
+		if len(args) < 2 {
+			return fmt.Errorf("missing value for setting %s", setting)
+		}
+		value = args[1]
 	}
 
-	if cmd.Flag(dnsLabelsFlag).Changed {
-		if _, err := validateDnsLabels(setFlags.DNSLabels); err != nil {
-			return err
+	// If not root, try to use the daemon (only if cmd is not nil)
+	if cmd != nil {
+		if u, err := osuser.Current(); err == nil && u.Uid != "0" {
+			conn, err := getClient(cmd)
+			if err == nil {
+				defer conn.Close()
+				client := proto.NewDaemonServiceClient(conn)
+				_, err = client.SetConfigValue(cmd.Context(), &proto.SetConfigValueRequest{Setting: setting, Value: value})
+				if err == nil {
+					if cmd != nil {
+						cmd.Println("Configuration updated via daemon.")
+					} else {
+						fmt.Println("Configuration updated via daemon.")
+					}
+					return nil
+				}
+				if s, ok := status.FromError(err); ok {
+					return fmt.Errorf("daemon error: %v", s.Message())
+				}
+				return fmt.Errorf("failed to update config via daemon: %v", err)
+			}
+			// else: fall back to direct file write
 		}
 	}
 
-	var customDNSAddressConverted []byte
-	if cmd.Flag(dnsResolverAddress).Changed {
-		var err error
-		customDNSAddressConverted, err = parseCustomDNSAddress(cmd.Flag(dnsResolverAddress).Changed)
+	switch setting {
+	case "management-url":
+		input := internal.ConfigInput{ConfigPath: configPath, ManagementURL: value}
+		_, err := internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set management-url: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set management-url to: %s\n", value)
+		} else {
+			fmt.Printf("Set management-url to: %s\n", value)
+		}
+	case "admin-url":
+		input := internal.ConfigInput{ConfigPath: configPath, AdminURL: value}
+		_, err := internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set admin-url: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set admin-url to: %s\n", value)
+		} else {
+			fmt.Printf("Set admin-url to: %s\n", value)
+		}
+	case "interface-name":
+		if err := parseInterfaceName(value); err != nil {
+			return err
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, InterfaceName: &value}
+		_, err := internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set interface-name: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set interface-name to: %s\n", value)
+		} else {
+			fmt.Printf("Set interface-name to: %s\n", value)
+		}
+	case "external-ip-map":
+		var ips []string
+		if value == "" {
+			ips = []string{}
+		} else {
+			ips = strings.Split(value, ",")
+		}
+		if err := validateNATExternalIPs(ips); err != nil {
+			return err
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, NATExternalIPs: ips}
+		_, err := internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set external-ip-map: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set external-ip-map to: %v\n", ips)
+		} else {
+			fmt.Printf("Set external-ip-map to: %v\n", ips)
+		}
+	case "extra-iface-blacklist":
+		var ifaces []string
+		if value == "" {
+			ifaces = []string{}
+		} else {
+			ifaces = strings.Split(value, ",")
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, ExtraIFaceBlackList: ifaces}
+		_, err := internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set extra-iface-blacklist: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set extra-iface-blacklist to: %v\n", ifaces)
+		} else {
+			fmt.Printf("Set extra-iface-blacklist to: %v\n", ifaces)
+		}
+	case "dns-resolver-address":
+		if value != "" && !isValidAddrPort(value) {
+			return fmt.Errorf("%s is invalid, it should be formatted as IP:Port string or as an empty string like \"\"", value)
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, CustomDNSAddress: []byte(value)}
+		_, err := internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set dns-resolver-address: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set dns-resolver-address to: %s\n", value)
+		} else {
+			fmt.Printf("Set dns-resolver-address to: %s\n", value)
+		}
+	case "extra-dns-labels":
+		var labels []string
+		if value == "" {
+			labels = []string{}
+		} else {
+			labels = strings.Split(value, ",")
+		}
+		domains, err := domain.ValidateDomains(labels)
+		if err != nil {
+			return fmt.Errorf("invalid DNS labels: %v", err)
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, DNSLabels: domains}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set extra-dns-labels: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set extra-dns-labels to: %v\n", labels)
+		} else {
+			fmt.Printf("Set extra-dns-labels to: %v\n", labels)
+		}
+	case "preshared-key":
+		input := internal.ConfigInput{ConfigPath: configPath, PreSharedKey: &value}
+		_, err := internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set preshared-key: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set preshared-key to: %s\n", value)
+		} else {
+			fmt.Printf("Set preshared-key to: %s\n", value)
+		}
+	case "hostname":
+		// Hostname is not persisted in config, so just print a warning
+		if cmd != nil {
+			cmd.Printf("Warning: hostname is not persisted in config. Use --hostname with up command.\n")
+		} else {
+			fmt.Printf("Warning: hostname is not persisted in config. Use --hostname with up command.\n")
+		}
+	case "enable-rosenpass":
+		b, err := parseBool(value)
 		if err != nil {
 			return err
 		}
-	}
-
-	// Connect to daemon
-	ctx := cmd.Context()
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		return fmt.Errorf("connect to daemon: %w", err)
-	}
-	defer func() {
-		if closeErr := conn.Close(); closeErr != nil {
-			fmt.Printf("Warning: failed to close connection: %v\n", closeErr)
+		input := internal.ConfigInput{ConfigPath: configPath, RosenpassEnabled: &b}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set enable-rosenpass: %v", err)
 		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-	req := &proto.SetConfigRequest{}
-
-	// Set fields based on changed flags
-	if cmd.Flag(enableRosenpassFlag).Changed {
-		req.RosenpassEnabled = &setFlags.RosenpassEnabled
-	}
-
-	if cmd.Flag(rosenpassPermissiveFlag).Changed {
-		req.RosenpassPermissive = &setFlags.RosenpassPermissive
-	}
-
-	if cmd.Flag(serverSSHAllowedFlag).Changed {
-		req.ServerSSHAllowed = &setFlags.ServerSSHAllowed
-	}
-
-	if cmd.Flag(disableAutoConnectFlag).Changed {
-		req.DisableAutoConnect = &setFlags.AutoConnectDisabled
-	}
-
-	if cmd.Flag(networkMonitorFlag).Changed {
-		req.NetworkMonitor = &setFlags.NetworkMonitor
-	}
-
-	if cmd.Flag(interfaceNameFlag).Changed {
-		if err := parseInterfaceName(setFlags.InterfaceName); err != nil {
+		if cmd != nil {
+			cmd.Printf("Set enable-rosenpass to: %v\n", b)
+		} else {
+			fmt.Printf("Set enable-rosenpass to: %v\n", b)
+		}
+	case "rosenpass-permissive":
+		b, err := parseBool(value)
+		if err != nil {
 			return err
 		}
-		req.InterfaceName = &setFlags.InterfaceName
+		input := internal.ConfigInput{ConfigPath: configPath, RosenpassPermissive: &b}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set rosenpass-permissive: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set rosenpass-permissive to: %v\n", b)
+		} else {
+			fmt.Printf("Set rosenpass-permissive to: %v\n", b)
+		}
+	case "allow-server-ssh":
+		b, err := parseBool(value)
+		if err != nil {
+			return err
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, ServerSSHAllowed: &b}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set allow-server-ssh: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set allow-server-ssh to: %v\n", b)
+		} else {
+			fmt.Printf("Set allow-server-ssh to: %v\n", b)
+		}
+	case "network-monitor":
+		b, err := parseBool(value)
+		if err != nil {
+			return err
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, NetworkMonitor: &b}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set network-monitor: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set network-monitor to: %v\n", b)
+		} else {
+			fmt.Printf("Set network-monitor to: %v\n", b)
+		}
+	case "disable-auto-connect":
+		b, err := parseBool(value)
+		if err != nil {
+			return err
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, DisableAutoConnect: &b}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set disable-auto-connect: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set disable-auto-connect to: %v\n", b)
+		} else {
+			fmt.Printf("Set disable-auto-connect to: %v\n", b)
+		}
+	case "disable-client-routes":
+		b, err := parseBool(value)
+		if err != nil {
+			return err
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, DisableClientRoutes: &b}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set disable-client-routes: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set disable-client-routes to: %v\n", b)
+		} else {
+			fmt.Printf("Set disable-client-routes to: %v\n", b)
+		}
+	case "disable-server-routes":
+		b, err := parseBool(value)
+		if err != nil {
+			return err
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, DisableServerRoutes: &b}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set disable-server-routes: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set disable-server-routes to: %v\n", b)
+		} else {
+			fmt.Printf("Set disable-server-routes to: %v\n", b)
+		}
+	case "disable-dns":
+		b, err := parseBool(value)
+		if err != nil {
+			return err
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, DisableDNS: &b}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set disable-dns: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set disable-dns to: %v\n", b)
+		} else {
+			fmt.Printf("Set disable-dns to: %v\n", b)
+		}
+	case "disable-firewall":
+		b, err := parseBool(value)
+		if err != nil {
+			return err
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, DisableFirewall: &b}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set disable-firewall: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set disable-firewall to: %v\n", b)
+		} else {
+			fmt.Printf("Set disable-firewall to: %v\n", b)
+		}
+	case "block-lan-access":
+		b, err := parseBool(value)
+		if err != nil {
+			return err
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, BlockLANAccess: &b}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set block-lan-access: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set block-lan-access to: %v\n", b)
+		} else {
+			fmt.Printf("Set block-lan-access to: %v\n", b)
+		}
+	case "block-inbound":
+		b, err := parseBool(value)
+		if err != nil {
+			return err
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, BlockInbound: &b}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set block-inbound: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set block-inbound to: %v\n", b)
+		} else {
+			fmt.Printf("Set block-inbound to: %v\n", b)
+		}
+	case "enable-lazy-connection":
+		b, err := parseBool(value)
+		if err != nil {
+			return err
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, LazyConnectionEnabled: &b}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set enable-lazy-connection: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set enable-lazy-connection to: %v\n", b)
+		} else {
+			fmt.Printf("Set enable-lazy-connection to: %v\n", b)
+		}
+	case "wireguard-port":
+		p, err := parseUint16(value)
+		if err != nil {
+			return err
+		}
+		pi := int(p)
+		input := internal.ConfigInput{ConfigPath: configPath, WireguardPort: &pi}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set wireguard-port: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set wireguard-port to: %d\n", p)
+		} else {
+			fmt.Printf("Set wireguard-port to: %d\n", p)
+		}
+	case "dns-router-interval":
+		d, err := time.ParseDuration(value)
+		if err != nil {
+			return fmt.Errorf("invalid duration: %v", err)
+		}
+		input := internal.ConfigInput{ConfigPath: configPath, DNSRouteInterval: &d}
+		_, err = internal.UpdateOrCreateConfig(input)
+		if err != nil {
+			return fmt.Errorf("failed to set dns-router-interval: %v", err)
+		}
+		if cmd != nil {
+			cmd.Printf("Set dns-router-interval to: %s\n", d)
+		} else {
+			fmt.Printf("Set dns-router-interval to: %s\n", d)
+		}
+	default:
+		return fmt.Errorf("unknown setting: %s", setting)
 	}
 
-	if cmd.Flag(wireguardPortFlag).Changed {
-		port := int64(setFlags.WireguardPort)
-		req.WireguardPort = &port
+	if cmd != nil {
+		cmd.Println("Configuration updated successfully.")
+	} else {
+		fmt.Println("Configuration updated successfully.")
 	}
-
-	if cmd.Flag(dnsResolverAddress).Changed {
-		customAddr := string(customDNSAddressConverted)
-		req.CustomDNSAddress = &customAddr
-	}
-
-	if cmd.Flag(extraIFaceBlackListFlag).Changed {
-		req.ExtraIFaceBlacklist = setFlags.ExtraIFaceBlackList
-	}
-
-	if cmd.Flag(dnsLabelsFlag).Changed {
-		req.DnsLabels = setFlags.DNSLabels
-		req.CleanDNSLabels = &[]bool{setFlags.DNSLabels != nil && len(setFlags.DNSLabels) == 0}[0]
-	}
-
-	if cmd.Flag(externalIPMapFlag).Changed {
-		req.NatExternalIPs = setFlags.NATExternalIPs
-		req.CleanNATExternalIPs = &[]bool{setFlags.NATExternalIPs != nil && len(setFlags.NATExternalIPs) == 0}[0]
-	}
-
-	if cmd.Flag(dnsRouteIntervalFlag).Changed {
-		req.DnsRouteInterval = durationpb.New(setFlags.DNSRouteInterval)
-	}
-
-	if cmd.Flag(disableClientRoutesFlag).Changed {
-		req.DisableClientRoutes = &setFlags.DisableClientRoutes
-	}
-
-	if cmd.Flag(disableServerRoutesFlag).Changed {
-		req.DisableServerRoutes = &setFlags.DisableServerRoutes
-	}
-
-	if cmd.Flag(disableDNSFlag).Changed {
-		req.DisableDns = &setFlags.DisableDNS
-	}
-
-	if cmd.Flag(disableFirewallFlag).Changed {
-		req.DisableFirewall = &setFlags.DisableFirewall
-	}
-
-	if cmd.Flag(blockLANAccessFlag).Changed {
-		req.BlockLanAccess = &setFlags.BlockLANAccess
-	}
-
-	if cmd.Flag(blockInboundFlag).Changed {
-		req.BlockInbound = &setFlags.BlockInbound
-	}
-
-	if cmd.Flag(enableLazyConnectionFlag).Changed {
-		req.LazyConnectionEnabled = &setFlags.LazyConnEnabled
-	}
-
-	// Send the request
-	if _, err := client.SetConfig(ctx, req); err != nil {
-		return fmt.Errorf("update configuration: %w", err)
-	}
-
-	cmd.Println("Configuration updated successfully")
 	return nil
 }
+
+func parseBool(val string) (bool, error) {
+	v := strings.ToLower(val)
+	if v == "true" || v == "1" {
+		return true, nil
+	}
+	if v == "false" || v == "0" {
+		return false, nil
+	}
+	return false, fmt.Errorf("invalid boolean value: %s", val)
+}
+
+func parseUint16(val string) (uint16, error) {
+	var p uint16
+	_, err := fmt.Sscanf(val, "%d", &p)
+	if err != nil {
+		return 0, fmt.Errorf("invalid uint16 value: %s", val)
+	}
+	return p, nil
+}

client/cmd/set_test.go

@@ -1,110 +1,162 @@
 package cmd
 
 import (
+	"os"
+	"strings"
 	"testing"
+	"time"
 
-	"github.com/spf13/cobra"
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/stretchr/testify/require"
 )
 
-func TestParseBoolArg(t *testing.T) {
+func TestSetCommand_AllSettings(t *testing.T) {
+	tempFile, err := os.CreateTemp("", "config.json")
+	require.NoError(t, err)
+	defer os.Remove(tempFile.Name())
+
+	// Write empty JSON object to the config file to avoid JSON parse errors
+	_, err = tempFile.WriteString("{}")
+	require.NoError(t, err)
+	tempFile.Close()
+
+	configPath = tempFile.Name()
+
 	tests := []struct {
-		input    string
-		expected bool
-		hasError bool
+		setting string
+		value   string
+		verify  func(*testing.T, *internal.Config)
+		wantErr bool
 	}{
-		{"true", true, false},
-		{"True", true, false},
-		{"1", true, false},
-		{"yes", true, false},
-		{"on", true, false},
-		{"false", false, false},
-		{"False", false, false},
-		{"0", false, false},
-		{"no", false, false},
-		{"off", false, false},
-		{"invalid", false, true},
-		{"maybe", false, true},
-		{"", false, true},
+		{"management-url", "https://test.mgmt:443", func(t *testing.T, c *internal.Config) {
+			require.Equal(t, "https://test.mgmt:443", c.ManagementURL.String())
+		}, false},
+		{"admin-url", "https://test.admin:443", func(t *testing.T, c *internal.Config) {
+			require.Equal(t, "https://test.admin:443", c.AdminURL.String())
+		}, false},
+		{"interface-name", "utun99", func(t *testing.T, c *internal.Config) {
+			require.Equal(t, "utun99", c.WgIface)
+		}, false},
+		{"external-ip-map", "12.34.56.78,12.34.56.79", func(t *testing.T, c *internal.Config) {
+			require.Equal(t, []string{"12.34.56.78", "12.34.56.79"}, c.NATExternalIPs)
+		}, false},
+		{"extra-iface-blacklist", "eth1,eth2", func(t *testing.T, c *internal.Config) {
+			require.Contains(t, c.IFaceBlackList, "eth1")
+			require.Contains(t, c.IFaceBlackList, "eth2")
+		}, false},
+		{"dns-resolver-address", "127.0.0.1:5053", func(t *testing.T, c *internal.Config) {
+			require.Equal(t, "127.0.0.1:5053", c.CustomDNSAddress)
+		}, false},
+		{"extra-dns-labels", "vpc1,mgmt1", func(t *testing.T, c *internal.Config) {
+			require.True(t, strings.Contains(c.DNSLabels.SafeString(), "vpc1"))
+			require.True(t, strings.Contains(c.DNSLabels.SafeString(), "mgmt1"))
+		}, false},
+		{"preshared-key", "testkey", func(t *testing.T, c *internal.Config) {
+			require.Equal(t, "testkey", c.PreSharedKey)
+		}, false},
+		{"enable-rosenpass", "true", func(t *testing.T, c *internal.Config) {
+			require.True(t, c.RosenpassEnabled)
+		}, false},
+		{"rosenpass-permissive", "false", func(t *testing.T, c *internal.Config) {
+			require.False(t, c.RosenpassPermissive)
+		}, false},
+		{"allow-server-ssh", "true", func(t *testing.T, c *internal.Config) {
+			require.NotNil(t, c.ServerSSHAllowed)
+			require.True(t, *c.ServerSSHAllowed)
+		}, false},
+		{"network-monitor", "false", func(t *testing.T, c *internal.Config) {
+			require.NotNil(t, c.NetworkMonitor)
+			require.False(t, *c.NetworkMonitor)
+		}, false},
+		{"disable-auto-connect", "true", func(t *testing.T, c *internal.Config) {
+			require.True(t, c.DisableAutoConnect)
+		}, false},
+		{"disable-client-routes", "false", func(t *testing.T, c *internal.Config) {
+			require.False(t, c.DisableClientRoutes)
+		}, false},
+		{"disable-server-routes", "true", func(t *testing.T, c *internal.Config) {
+			require.True(t, c.DisableServerRoutes)
+		}, false},
+		{"disable-dns", "false", func(t *testing.T, c *internal.Config) {
+			require.False(t, c.DisableDNS)
+		}, false},
+		{"disable-firewall", "true", func(t *testing.T, c *internal.Config) {
+			require.True(t, c.DisableFirewall)
+		}, false},
+		{"block-lan-access", "true", func(t *testing.T, c *internal.Config) {
+			require.True(t, c.BlockLANAccess)
+		}, false},
+		{"block-inbound", "false", func(t *testing.T, c *internal.Config) {
+			require.False(t, c.BlockInbound)
+		}, false},
+		{"enable-lazy-connection", "true", func(t *testing.T, c *internal.Config) {
+			require.True(t, c.LazyConnectionEnabled)
+		}, false},
+		{"wireguard-port", "51820", func(t *testing.T, c *internal.Config) {
+			require.Equal(t, 51820, c.WgPort)
+		}, false},
+		{"dns-router-interval", "2m", func(t *testing.T, c *internal.Config) {
+			require.Equal(t, 2*time.Minute, c.DNSRouteInterval)
+		}, false},
+		// Invalid cases
+		{"enable-rosenpass", "notabool", nil, true},
+		{"wireguard-port", "notanint", nil, true},
+		{"dns-router-interval", "notaduration", nil, true},
 	}
 
-	for _, test := range tests {
-		t.Run(test.input, func(t *testing.T) {
-			result, err := parseBoolArg(test.input)
-			
-			if test.hasError {
-				if err == nil {
-					t.Errorf("Expected error for input %q, but got none", test.input)
-				}
-			} else {
-				if err != nil {
-					t.Errorf("Unexpected error for input %q: %v", test.input, err)
-				}
-				if result != test.expected {
-					t.Errorf("For input %q, expected %v but got %v", test.input, test.expected, result)
-				}
+	for _, tt := range tests {
+		t.Run(tt.setting+"="+tt.value, func(t *testing.T) {
+			args := []string{tt.setting, tt.value}
+			err := setFunc(nil, args)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			config, err := internal.ReadConfig(configPath)
+			require.NoError(t, err)
+			if tt.verify != nil {
+				tt.verify(t, config)
 			}
 		})
 	}
 }
 
-func TestSetCommandStructure(t *testing.T) {
-	// Test that the set command has the expected subcommands
-	expectedSubcommands := []string{
-		"autoconnect",
-		"ssh-server", 
-		"network-monitor",
-		"rosenpass",
-		"dns",
-		"dns-interval",
-	}
+func TestSetCommand_EnvVars(t *testing.T) {
+	tempFile, err := os.CreateTemp("", "config.json")
+	require.NoError(t, err)
+	defer os.Remove(tempFile.Name())
 
-	actualSubcommands := make([]string, 0, len(setCmd.Commands()))
-	for _, cmd := range setCmd.Commands() {
-		actualSubcommands = append(actualSubcommands, cmd.Name())
-	}
+	// Write empty JSON object to the config file to avoid JSON parse errors
+	_, err = tempFile.WriteString("{}")
+	require.NoError(t, err)
+	tempFile.Close()
 
-	if len(actualSubcommands) != len(expectedSubcommands) {
-		t.Errorf("Expected %d subcommands, got %d", len(expectedSubcommands), len(actualSubcommands))
-	}
+	configPath = tempFile.Name()
 
-	for _, expected := range expectedSubcommands {
-		found := false
-		for _, actual := range actualSubcommands {
-			if actual == expected {
-				found = true
-				break
-			}
-		}
-		if !found {
-			t.Errorf("Expected subcommand %q not found", expected)
-		}
-	}
+	os.Setenv("NB_INTERFACE_NAME", "utun77")
+	defer os.Unsetenv("NB_INTERFACE_NAME")
+	args := []string{"interface-name", "utun99"}
+	err = setFunc(nil, args)
+	require.NoError(t, err)
+	config, err := internal.ReadConfig(configPath)
+	require.NoError(t, err)
+	require.Equal(t, "utun77", config.WgIface)
+
+	os.Unsetenv("NB_INTERFACE_NAME")
+	os.Setenv("WT_INTERFACE_NAME", "utun88")
+	defer os.Unsetenv("WT_INTERFACE_NAME")
+	err = setFunc(nil, args)
+	require.NoError(t, err)
+	config, err = internal.ReadConfig(configPath)
+	require.NoError(t, err)
+	require.Equal(t, "utun88", config.WgIface)
+
+	os.Unsetenv("WT_INTERFACE_NAME")
+	// No env var, should use CLI value
+	err = setFunc(nil, args)
+	require.NoError(t, err)
+	config, err = internal.ReadConfig(configPath)
+	require.NoError(t, err)
+	require.Equal(t, "utun99", config.WgIface)
 }
-
-func TestSetCommandUsage(t *testing.T) {
-	if setCmd.Use != "set" {
-		t.Errorf("Expected command use to be 'set', got %q", setCmd.Use)
-	}
-
-	if setCmd.Short != "Set NetBird client configuration" {
-		t.Errorf("Expected short description to be 'Set NetBird client configuration', got %q", setCmd.Short)
-	}
-}
-
-func TestSubcommandArgRequirements(t *testing.T) {
-	// Test that all subcommands except dns-interval require exactly 1 argument
-	subcommands := []*cobra.Command{
-		setAutoconnectCmd,
-		setSSHServerCmd,
-		setNetworkMonitorCmd,
-		setRosenpassCmd,
-		setDNSCmd,
-		setDNSIntervalCmd,
-	}
-
-	for _, cmd := range subcommands {
-		if cmd.Args == nil {
-			t.Errorf("Command %q should have Args validation", cmd.Name())
-		}
-	}
-}

client/cmd/system.go

@@ -19,3 +19,24 @@ var (
 	blockInbound        bool
 )
 
+func init() {
+	// Add system flags to upCmd
+	upCmd.PersistentFlags().BoolVar(&disableClientRoutes, disableClientRoutesFlag, false,
+		"Disable client routes. If enabled, the client won't process client routes received from the management service.")
+
+	upCmd.PersistentFlags().BoolVar(&disableServerRoutes, disableServerRoutesFlag, false,
+		"Disable server routes. If enabled, the client won't act as a router for server routes received from the management service.")
+
+	upCmd.PersistentFlags().BoolVar(&disableDNS, disableDNSFlag, false,
+		"Disable DNS. If enabled, the client won't configure DNS settings.")
+
+	upCmd.PersistentFlags().BoolVar(&disableFirewall, disableFirewallFlag, false,
+		"Disable firewall configuration. If enabled, the client won't modify firewall rules.")
+
+	upCmd.PersistentFlags().BoolVar(&blockLANAccess, blockLANAccessFlag, false,
+		"Block access to local networks (LAN) when using this peer as a router or exit node")
+
+	upCmd.PersistentFlags().BoolVar(&blockInbound, blockInboundFlag, false,
+		"Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks.\n"+
+			"This overrides any policies received from the management service.")
+}

client/cmd/up.go

@@ -7,6 +7,7 @@ import (
 	"net/netip"
 	"runtime"
 	"strings"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -14,6 +15,7 @@ import (
 	gstatus "google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/durationpb"
 
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
@@ -40,7 +42,6 @@ var (
 	dnsLabels          []string
 	dnsLabelsValidated domain.List
 	noBrowser          bool
-	upFlags            = &SharedFlags{}
 
 	upCmd = &cobra.Command{
 		Use:   "up",
@@ -50,12 +51,26 @@ var (
 )
 
 func init() {
-	// Add shared flags to up command
-	AddSharedFlags(upCmd, upFlags)
-
-	// Add up-specific flags
 	upCmd.PersistentFlags().BoolVarP(&foregroundMode, "foreground-mode", "F", false, "start service in foreground")
-	AddUpOnlyFlags(upCmd, upFlags)
+	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "Wireguard interface name")
+	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "Wireguard interface listening port")
+	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", networkMonitor,
+		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux and FreeBSD. `+
+			`E.g. --network-monitor=false to disable or --network-monitor=true to enable.`,
+	)
+	upCmd.PersistentFlags().StringSliceVar(&extraIFaceBlackList, extraIFaceBlackListFlag, nil, "Extra list of default interfaces to ignore for listening")
+	upCmd.PersistentFlags().DurationVar(&dnsRouteInterval, dnsRouteIntervalFlag, time.Minute, "DNS route update interval")
+
+	upCmd.PersistentFlags().StringSliceVar(&dnsLabels, dnsLabelsFlag, nil,
+		`Sets DNS labels`+
+			`You can specify a comma-separated list of up to 32 labels. `+
+			`An empty string "" clears the previous configuration. `+
+			`E.g. --extra-dns-labels vpc1 or --extra-dns-labels vpc1,mgmt1 `+
+			`or --extra-dns-labels ""`,
+	)
+
+	upCmd.PersistentFlags().BoolVar(&noBrowser, noBrowserFlag, false, noBrowserDesc)
+
 }
 
 func upFunc(cmd *cobra.Command, args []string) error {
@@ -103,16 +118,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	// Handle DNS labels validation and assignment to SharedFlags
-	if cmd.Flag(dnsLabelsFlag).Changed {
-		var err error
-		dnsLabelsValidated, err = validateDnsLabels(upFlags.DNSLabels)
-		if err != nil {
-			return err
-		}
-	}
-
-	ic, err := BuildConfigInput(cmd, upFlags, customDNSAddressConverted)
+	ic, err := setupConfig(customDNSAddressConverted, cmd)
 	if err != nil {
 		return fmt.Errorf("setup config: %v", err)
 	}
@@ -229,6 +235,92 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 	return nil
 }
 
+func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command) (*internal.ConfigInput, error) {
+	ic := internal.ConfigInput{
+		ManagementURL:       managementURL,
+		AdminURL:            adminURL,
+		ConfigPath:          configPath,
+		NATExternalIPs:      natExternalIPs,
+		CustomDNSAddress:    customDNSAddressConverted,
+		ExtraIFaceBlackList: extraIFaceBlackList,
+		DNSLabels:           dnsLabelsValidated,
+	}
+
+	if cmd.Flag(enableRosenpassFlag).Changed {
+		ic.RosenpassEnabled = &rosenpassEnabled
+	}
+
+	if cmd.Flag(rosenpassPermissiveFlag).Changed {
+		ic.RosenpassPermissive = &rosenpassPermissive
+	}
+
+	if cmd.Flag(serverSSHAllowedFlag).Changed {
+		ic.ServerSSHAllowed = &serverSSHAllowed
+	}
+
+	if cmd.Flag(interfaceNameFlag).Changed {
+		if err := parseInterfaceName(interfaceName); err != nil {
+			return nil, err
+		}
+		ic.InterfaceName = &interfaceName
+	}
+
+	if cmd.Flag(wireguardPortFlag).Changed {
+		p := int(wireguardPort)
+		ic.WireguardPort = &p
+	}
+
+	if cmd.Flag(networkMonitorFlag).Changed {
+		ic.NetworkMonitor = &networkMonitor
+	}
+
+	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
+		ic.PreSharedKey = &preSharedKey
+	}
+
+	if cmd.Flag(disableAutoConnectFlag).Changed {
+		ic.DisableAutoConnect = &autoConnectDisabled
+
+		if autoConnectDisabled {
+			cmd.Println("Autoconnect has been disabled. The client won't connect automatically when the service starts.")
+		}
+
+		if !autoConnectDisabled {
+			cmd.Println("Autoconnect has been enabled. The client will connect automatically when the service starts.")
+		}
+	}
+
+	if cmd.Flag(dnsRouteIntervalFlag).Changed {
+		ic.DNSRouteInterval = &dnsRouteInterval
+	}
+
+	if cmd.Flag(disableClientRoutesFlag).Changed {
+		ic.DisableClientRoutes = &disableClientRoutes
+	}
+	if cmd.Flag(disableServerRoutesFlag).Changed {
+		ic.DisableServerRoutes = &disableServerRoutes
+	}
+	if cmd.Flag(disableDNSFlag).Changed {
+		ic.DisableDNS = &disableDNS
+	}
+	if cmd.Flag(disableFirewallFlag).Changed {
+		ic.DisableFirewall = &disableFirewall
+	}
+
+	if cmd.Flag(blockLANAccessFlag).Changed {
+		ic.BlockLANAccess = &blockLANAccess
+	}
+
+	if cmd.Flag(blockInboundFlag).Changed {
+		ic.BlockInbound = &blockInbound
+	}
+
+	if cmd.Flag(enableLazyConnectionFlag).Changed {
+		ic.LazyConnectionEnabled = &lazyConnEnabled
+	}
+	return &ic, nil
+}
+
 func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte, cmd *cobra.Command) (*proto.LoginRequest, error) {
 	loginRequest := proto.LoginRequest{
 		SetupKey:            providedSetupKey,

client/proto/daemon.proto

@@ -68,8 +68,11 @@ service DaemonService {
 
   rpc GetEvents(GetEventsRequest) returns (GetEventsResponse) {}
 
-  // SetConfig updates daemon configuration without reconnecting
-  rpc SetConfig(SetConfigRequest) returns (SetConfigResponse) {}
+  // Reloads the configuration from disk
+  rpc ReloadConfig(ReloadConfigRequest) returns (ReloadConfigResponse) {}
+
+  // Sets a configuration value (for use by regular users via the daemon)
+  rpc SetConfigValue(SetConfigValueRequest) returns (SetConfigValueResponse) {}
 }
 
 
@@ -500,28 +503,11 @@ message GetEventsResponse {
   repeated SystemEvent events = 1;
 }
 
-message SetConfigRequest {
-  optional bool rosenpassEnabled = 1;
-  optional bool rosenpassPermissive = 2;
-  optional bool serverSSHAllowed = 3;
-  optional bool disableAutoConnect = 4;
-  optional bool networkMonitor = 5;
-  optional google.protobuf.Duration dnsRouteInterval = 6;
-  optional bool disable_client_routes = 7;
-  optional bool disable_server_routes = 8;
-  optional bool disable_dns = 9;
-  optional bool disable_firewall = 10;
-  optional bool block_lan_access = 11;
-  optional bool lazyConnectionEnabled = 12;
-  optional bool block_inbound = 13;
-  optional string interfaceName = 14;
-  optional int64 wireguardPort = 15;
-  optional string customDNSAddress = 16;
-  repeated string extraIFaceBlacklist = 17;
-  repeated string dns_labels = 18;
-  optional bool cleanDNSLabels = 19;
-  repeated string natExternalIPs = 20;
-  optional bool cleanNATExternalIPs = 21;
-}
+message ReloadConfigRequest {}
+message ReloadConfigResponse {}
 
-message SetConfigResponse {}
+message SetConfigValueRequest {
+  string setting = 1;
+  string value = 2;
+}
+message SetConfigValueResponse {}

client/proto/daemon_grpc.pb.go

@@ -55,8 +55,10 @@ type DaemonServiceClient interface {
 	TracePacket(ctx context.Context, in *TracePacketRequest, opts ...grpc.CallOption) (*TracePacketResponse, error)
 	SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (DaemonService_SubscribeEventsClient, error)
 	GetEvents(ctx context.Context, in *GetEventsRequest, opts ...grpc.CallOption) (*GetEventsResponse, error)
-	// SetConfig updates daemon configuration without reconnecting
-	SetConfig(ctx context.Context, in *SetConfigRequest, opts ...grpc.CallOption) (*SetConfigResponse, error)
+	// Reloads the configuration from disk
+	ReloadConfig(ctx context.Context, in *ReloadConfigRequest, opts ...grpc.CallOption) (*ReloadConfigResponse, error)
+	// Sets a configuration value (for use by regular users via the daemon)
+	SetConfigValue(ctx context.Context, in *SetConfigValueRequest, opts ...grpc.CallOption) (*SetConfigValueResponse, error)
 }
 
 type daemonServiceClient struct {
@@ -270,9 +272,18 @@ func (c *daemonServiceClient) GetEvents(ctx context.Context, in *GetEventsReques
 	return out, nil
 }
 
-func (c *daemonServiceClient) SetConfig(ctx context.Context, in *SetConfigRequest, opts ...grpc.CallOption) (*SetConfigResponse, error) {
-	out := new(SetConfigResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SetConfig", in, out, opts...)
+func (c *daemonServiceClient) ReloadConfig(ctx context.Context, in *ReloadConfigRequest, opts ...grpc.CallOption) (*ReloadConfigResponse, error) {
+	out := new(ReloadConfigResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/ReloadConfig", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) SetConfigValue(ctx context.Context, in *SetConfigValueRequest, opts ...grpc.CallOption) (*SetConfigValueResponse, error) {
+	out := new(SetConfigValueResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SetConfigValue", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -320,8 +331,10 @@ type DaemonServiceServer interface {
 	TracePacket(context.Context, *TracePacketRequest) (*TracePacketResponse, error)
 	SubscribeEvents(*SubscribeRequest, DaemonService_SubscribeEventsServer) error
 	GetEvents(context.Context, *GetEventsRequest) (*GetEventsResponse, error)
-	// SetConfig updates daemon configuration without reconnecting
-	SetConfig(context.Context, *SetConfigRequest) (*SetConfigResponse, error)
+	// Reloads the configuration from disk
+	ReloadConfig(context.Context, *ReloadConfigRequest) (*ReloadConfigResponse, error)
+	// Sets a configuration value (for use by regular users via the daemon)
+	SetConfigValue(context.Context, *SetConfigValueRequest) (*SetConfigValueResponse, error)
 	mustEmbedUnimplementedDaemonServiceServer()
 }
 
@@ -389,8 +402,11 @@ func (UnimplementedDaemonServiceServer) SubscribeEvents(*SubscribeRequest, Daemo
 func (UnimplementedDaemonServiceServer) GetEvents(context.Context, *GetEventsRequest) (*GetEventsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetEvents not implemented")
 }
-func (UnimplementedDaemonServiceServer) SetConfig(context.Context, *SetConfigRequest) (*SetConfigResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method SetConfig not implemented")
+func (UnimplementedDaemonServiceServer) ReloadConfig(context.Context, *ReloadConfigRequest) (*ReloadConfigResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ReloadConfig not implemented")
+}
+func (UnimplementedDaemonServiceServer) SetConfigValue(context.Context, *SetConfigValueRequest) (*SetConfigValueResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SetConfigValue not implemented")
 }
 func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}
 
@@ -768,20 +784,38 @@ func _DaemonService_GetEvents_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }
 
-func _DaemonService_SetConfig_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(SetConfigRequest)
+func _DaemonService_ReloadConfig_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ReloadConfigRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(DaemonServiceServer).SetConfig(ctx, in)
+		return srv.(DaemonServiceServer).ReloadConfig(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/daemon.DaemonService/SetConfig",
+		FullMethod: "/daemon.DaemonService/ReloadConfig",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).SetConfig(ctx, req.(*SetConfigRequest))
+		return srv.(DaemonServiceServer).ReloadConfig(ctx, req.(*ReloadConfigRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_SetConfigValue_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SetConfigValueRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).SetConfigValue(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/SetConfigValue",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).SetConfigValue(ctx, req.(*SetConfigValueRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
@@ -870,8 +904,12 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			Handler:    _DaemonService_GetEvents_Handler,
 		},
 		{
-			MethodName: "SetConfig",
-			Handler:    _DaemonService_SetConfig_Handler,
+			MethodName: "ReloadConfig",
+			Handler:    _DaemonService_ReloadConfig_Handler,
+		},
+		{
+			MethodName: "SetConfigValue",
+			Handler:    _DaemonService_SetConfigValue_Handler,
 		},
 	},
 	Streams: []grpc.StreamDesc{

client/server/server.go

@@ -5,10 +5,13 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"os/signal"
 	"runtime"
 	"strconv"
+	"strings"
 	"sync"
 	"sync/atomic"
+	"syscall"
 	"time"
 
 	"github.com/cenkalti/backoff/v4"
@@ -95,6 +98,8 @@ func (s *Server) Start() error {
 	defer s.mutex.Unlock()
 	state := internal.CtxGetState(s.rootCtx)
 
+	s.setupReloadSignal()
+
 	if err := handlePanicLog(); err != nil {
 		log.Warnf("failed to redirect stderr: %v", err)
 	}
@@ -799,133 +804,6 @@ func (s *Server) GetConfig(_ context.Context, _ *proto.GetConfigRequest) (*proto
 	}, nil
 }
 
-// SetConfig updates daemon configuration without reconnecting
-func (s *Server) SetConfig(ctx context.Context, req *proto.SetConfigRequest) (*proto.SetConfigResponse, error) {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	if s.config == nil {
-		return nil, gstatus.Errorf(codes.FailedPrecondition, "daemon is not configured")
-	}
-
-	configChanged := false
-
-	if req.RosenpassEnabled != nil && s.config.RosenpassEnabled != *req.RosenpassEnabled {
-		s.config.RosenpassEnabled = *req.RosenpassEnabled
-		configChanged = true
-	}
-
-	if req.RosenpassPermissive != nil && s.config.RosenpassPermissive != *req.RosenpassPermissive {
-		s.config.RosenpassPermissive = *req.RosenpassPermissive
-		configChanged = true
-	}
-
-	if req.ServerSSHAllowed != nil && s.config.ServerSSHAllowed != nil && *s.config.ServerSSHAllowed != *req.ServerSSHAllowed {
-		*s.config.ServerSSHAllowed = *req.ServerSSHAllowed
-		configChanged = true
-	}
-
-	if req.DisableAutoConnect != nil && s.config.DisableAutoConnect != *req.DisableAutoConnect {
-		s.config.DisableAutoConnect = *req.DisableAutoConnect
-		configChanged = true
-	}
-
-	if req.NetworkMonitor != nil && s.config.NetworkMonitor != nil && *s.config.NetworkMonitor != *req.NetworkMonitor {
-		*s.config.NetworkMonitor = *req.NetworkMonitor
-		configChanged = true
-	}
-
-	if req.DnsRouteInterval != nil {
-		duration := req.DnsRouteInterval.AsDuration()
-		if s.config.DNSRouteInterval != duration {
-			s.config.DNSRouteInterval = duration
-			configChanged = true
-		}
-	}
-
-	if req.DisableClientRoutes != nil && s.config.DisableClientRoutes != *req.DisableClientRoutes {
-		s.config.DisableClientRoutes = *req.DisableClientRoutes
-		configChanged = true
-	}
-
-	if req.DisableServerRoutes != nil && s.config.DisableServerRoutes != *req.DisableServerRoutes {
-		s.config.DisableServerRoutes = *req.DisableServerRoutes
-		configChanged = true
-	}
-
-	if req.DisableDns != nil && s.config.DisableDNS != *req.DisableDns {
-		s.config.DisableDNS = *req.DisableDns
-		configChanged = true
-	}
-
-	if req.DisableFirewall != nil && s.config.DisableFirewall != *req.DisableFirewall {
-		s.config.DisableFirewall = *req.DisableFirewall
-		configChanged = true
-	}
-
-	if req.BlockLanAccess != nil && s.config.BlockLANAccess != *req.BlockLanAccess {
-		s.config.BlockLANAccess = *req.BlockLanAccess
-		configChanged = true
-	}
-
-	if req.LazyConnectionEnabled != nil && s.config.LazyConnectionEnabled != *req.LazyConnectionEnabled {
-		s.config.LazyConnectionEnabled = *req.LazyConnectionEnabled
-		configChanged = true
-	}
-
-	if req.BlockInbound != nil && s.config.BlockInbound != *req.BlockInbound {
-		s.config.BlockInbound = *req.BlockInbound
-		configChanged = true
-	}
-
-	if req.InterfaceName != nil && s.config.WgIface != *req.InterfaceName {
-		s.config.WgIface = *req.InterfaceName
-		configChanged = true
-	}
-
-	if req.WireguardPort != nil && s.config.WgPort != int(*req.WireguardPort) {
-		s.config.WgPort = int(*req.WireguardPort)
-		configChanged = true
-	}
-
-	if req.CustomDNSAddress != nil && s.config.CustomDNSAddress != *req.CustomDNSAddress {
-		s.config.CustomDNSAddress = *req.CustomDNSAddress
-		configChanged = true
-	}
-
-	if len(req.ExtraIFaceBlacklist) > 0 {
-		s.config.IFaceBlackList = req.ExtraIFaceBlacklist
-		configChanged = true
-	}
-
-	if len(req.DnsLabels) > 0 || (req.CleanDNSLabels != nil && *req.CleanDNSLabels) {
-		if req.CleanDNSLabels != nil && *req.CleanDNSLabels {
-			s.config.DNSLabels = domain.List{}
-		} else {
-			var err error
-			s.config.DNSLabels, err = domain.FromStringList(req.DnsLabels)
-			if err != nil {
-				return nil, gstatus.Errorf(codes.InvalidArgument, "invalid DNS labels: %v", err)
-			}
-		}
-		configChanged = true
-	}
-
-	if len(req.NatExternalIPs) > 0 || (req.CleanNATExternalIPs != nil && *req.CleanNATExternalIPs) {
-		s.config.NATExternalIPs = req.NatExternalIPs
-		configChanged = true
-	}
-
-	if configChanged {
-		if err := internal.WriteOutConfig(s.latestConfigInput.ConfigPath, s.config); err != nil {
-			return nil, gstatus.Errorf(codes.Internal, "write config: %v", err)
-		}
-		log.Debug("Configuration updated successfully")
-	}
-
-	return &proto.SetConfigResponse{}, nil
-}
-
 func (s *Server) onSessionExpire() {
 	if runtime.GOOS != "windows" {
 		isUIActive := internal.CheckUIApp()
@@ -1045,3 +923,186 @@ func sendTerminalNotification() error {
 
 	return wallCmd.Wait()
 }
+
+// Add a gRPC method to reload config from disk
+func (s *Server) ReloadConfig(_ context.Context, _ *proto.ReloadConfigRequest) (*proto.ReloadConfigResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	config, err := internal.ReadConfig(s.latestConfigInput.ConfigPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to reload config: %v", err)
+	}
+	s.config = config
+	s.statusRecorder.UpdateManagementAddress(config.ManagementURL.String())
+	s.statusRecorder.UpdateRosenpass(config.RosenpassEnabled, config.RosenpassPermissive)
+	s.statusRecorder.UpdateLazyConnection(config.LazyConnectionEnabled)
+	log.Infof("Reloaded config from disk")
+	return &proto.ReloadConfigResponse{}, nil
+}
+
+// Optionally, handle SIGHUP to reload config
+func (s *Server) setupReloadSignal() {
+	c := make(chan os.Signal, 1)
+	signal.Notify(c, syscall.SIGHUP)
+	go func() {
+		for range c {
+			_, err := s.ReloadConfig(context.Background(), &proto.ReloadConfigRequest{})
+			if err != nil {
+				log.Warnf("failed to reload config on SIGHUP: %v", err)
+			}
+		}
+	}()
+}
+
+func (s *Server) SetConfigValue(_ context.Context, req *proto.SetConfigValueRequest) (*proto.SetConfigValueResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	setting := req.Setting
+	value := req.Value
+	input := internal.ConfigInput{ConfigPath: s.latestConfigInput.ConfigPath}
+	switch setting {
+	case "management-url":
+		input.ManagementURL = value
+	case "admin-url":
+		input.AdminURL = value
+	case "interface-name":
+		input.InterfaceName = &value
+	case "external-ip-map":
+		if value == "" {
+			input.NATExternalIPs = []string{}
+		} else {
+			input.NATExternalIPs = strings.Split(value, ",")
+		}
+	case "extra-iface-blacklist":
+		if value == "" {
+			input.ExtraIFaceBlackList = []string{}
+		} else {
+			input.ExtraIFaceBlackList = strings.Split(value, ",")
+		}
+	case "dns-resolver-address":
+		input.CustomDNSAddress = []byte(value)
+	case "extra-dns-labels":
+		if value == "" {
+			input.DNSLabels = nil
+		} else {
+			labels := strings.Split(value, ",")
+			domains, err := domain.ValidateDomains(labels)
+			if err != nil {
+				return nil, fmt.Errorf("invalid DNS labels: %v", err)
+			}
+			input.DNSLabels = domains
+		}
+	case "preshared-key":
+		input.PreSharedKey = &value
+	case "enable-rosenpass":
+		b, err := parseBool(value)
+		if err != nil {
+			return nil, err
+		}
+		input.RosenpassEnabled = &b
+	case "rosenpass-permissive":
+		b, err := parseBool(value)
+		if err != nil {
+			return nil, err
+		}
+		input.RosenpassPermissive = &b
+	case "allow-server-ssh":
+		b, err := parseBool(value)
+		if err != nil {
+			return nil, err
+		}
+		input.ServerSSHAllowed = &b
+	case "network-monitor":
+		b, err := parseBool(value)
+		if err != nil {
+			return nil, err
+		}
+		input.NetworkMonitor = &b
+	case "disable-auto-connect":
+		b, err := parseBool(value)
+		if err != nil {
+			return nil, err
+		}
+		input.DisableAutoConnect = &b
+	case "disable-client-routes":
+		b, err := parseBool(value)
+		if err != nil {
+			return nil, err
+		}
+		input.DisableClientRoutes = &b
+	case "disable-server-routes":
+		b, err := parseBool(value)
+		if err != nil {
+			return nil, err
+		}
+		input.DisableServerRoutes = &b
+	case "disable-dns":
+		b, err := parseBool(value)
+		if err != nil {
+			return nil, err
+		}
+		input.DisableDNS = &b
+	case "disable-firewall":
+		b, err := parseBool(value)
+		if err != nil {
+			return nil, err
+		}
+		input.DisableFirewall = &b
+	case "block-lan-access":
+		b, err := parseBool(value)
+		if err != nil {
+			return nil, err
+		}
+		input.BlockLANAccess = &b
+	case "block-inbound":
+		b, err := parseBool(value)
+		if err != nil {
+			return nil, err
+		}
+		input.BlockInbound = &b
+	case "enable-lazy-connection":
+		b, err := parseBool(value)
+		if err != nil {
+			return nil, err
+		}
+		input.LazyConnectionEnabled = &b
+	case "wireguard-port":
+		var p int
+		_, err := fmt.Sscanf(value, "%d", &p)
+		if err != nil {
+			return nil, fmt.Errorf("invalid wireguard-port: %s", value)
+		}
+		input.WireguardPort = &p
+	case "dns-router-interval":
+		d, err := time.ParseDuration(value)
+		if err != nil {
+			return nil, fmt.Errorf("invalid duration: %v", err)
+		}
+		input.DNSRouteInterval = &d
+	default:
+		return nil, fmt.Errorf("unknown setting: %s", setting)
+	}
+	_, err := internal.UpdateOrCreateConfig(input)
+	if err != nil {
+		return nil, fmt.Errorf("failed to update config: %v", err)
+	}
+	// Reload config in memory
+	config, err := internal.ReadConfig(s.latestConfigInput.ConfigPath)
+	if err == nil {
+		s.config = config
+	}
+	return &proto.SetConfigValueResponse{}, nil
+}
+
+func parseBool(val string) (bool, error) {
+	v := strings.ToLower(val)
+	if v == "true" || v == "1" {
+		return true, nil
+	}
+	if v == "false" || v == "0" {
+		return false, nil
+	}
+	return false, fmt.Errorf("invalid boolean value: %s", val)
+}