Merge branch 'prototype/reverse-proxy' into prototype/reverse-proxy-clusters

Combines token-based authentication from upstream with proxy clustering:
- Session keys for JWT signing (SessionPrivateKey/SessionPublicKey)
- One-time token store for proxy authentication
- Cluster-targeted updates via SendReverseProxyUpdateToCluster
- ProxyCluster field derived from domain
- OIDC validation config support

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.dockerignore

@@ -1,6 +0,0 @@
-.env
-.env.*
-*.pem
-*.key
-*.crt
-*.p12

.github/workflows/check-license-dependencies.yml

@@ -23,7 +23,7 @@ jobs:
 
       - name: Check for problematic license dependencies
         run: |
-          echo "Checking for dependencies on management/, signal/, relay/, and proxy/ packages..."
+          echo "Checking for dependencies on management/, signal/, and relay/ packages..."
           echo ""
 
           # Find all directories except the problematic ones and system dirs
@@ -31,7 +31,7 @@ jobs:
           while IFS= read -r dir; do
             echo "=== Checking $dir ==="
             # Search for problematic imports, excluding test files
-            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
+            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
             if [ -n "$RESULTS" ]; then
               echo "❌ Found problematic dependencies:"
               echo "$RESULTS"
@@ -39,11 +39,11 @@ jobs:
             else
               echo "✓ No problematic dependencies found"
             fi
-          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name "combined" -not -name ".git*" | sort)
+          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort)
 
           echo ""
           if [ $FOUND_ISSUES -eq 1 ]; then
-            echo "❌ Found dependencies on management/, signal/, relay/, or proxy/ packages"
+            echo "❌ Found dependencies on management/, signal/, or relay/ packages"
             echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
             exit 1
           else
@@ -88,7 +88,7 @@ jobs:
               IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
 
               # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\)" | head -1)
 
               if [ -n "$BSD_IMPORTER" ]; then
                 echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"

.github/workflows/golang-test-darwin.yml

@@ -43,5 +43,5 @@ jobs:
         run: git --no-pager diff --exit-code
 
       - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v /management)
 

.github/workflows/golang-test-freebsd.yml

@@ -46,5 +46,6 @@ jobs:
             time go test -timeout 1m -failfast ./client/iface/...
             time go test -timeout 1m -failfast ./route/...
             time go test -timeout 1m -failfast ./sharedsock/...
+            time go test -timeout 1m -failfast ./signal/...
             time go test -timeout 1m -failfast ./util/...
             time go test -timeout 1m -failfast ./version/...

.github/workflows/golang-test-linux.yml

@@ -97,16 +97,6 @@ jobs:
         working-directory: relay
         run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .
 
-      - name: Build combined
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build combined 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 GOARCH=386 go build -o combined-386 .
-
   test:
     name: "Client / Unit"
     needs: [build-cache]
@@ -154,7 +144,7 @@ jobs:
         run: git --no-pager diff --exit-code
 
       - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)
 
   test_client_on_docker:
     name: "Client (Docker) / Unit"
@@ -214,7 +204,7 @@ jobs:
             sh -c ' \
               apk update; apk add --no-cache \
                 ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
             '
 
   test_relay:
@@ -271,53 +261,6 @@ jobs:
             -exec 'sudo' \
             -timeout 10m -p 1 ./relay/... ./shared/relay/...
 
-  test_proxy:
-    name: "Proxy / Unit"
-    needs: [build-cache]
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ '386','amd64' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: "go.mod"
-          cache: false
-
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: check git status
-        run: git --no-pager diff --exit-code
-
-      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          go test -timeout 10m -p 1 ./proxy/...
-
   test_signal:
     name: "Signal / Unit"
     needs: [build-cache]

.github/workflows/golang-test-windows.yml

@@ -63,7 +63,7 @@ jobs:
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' })" >> $env:GITHUB_ENV
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' })" >> $env:GITHUB_ENV
 
       - name: test
         run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"

.github/workflows/golangci-lint.yml

@@ -19,8 +19,8 @@ jobs:
       - name: codespell
         uses: codespell-project/actions-codespell@v2
         with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver
-          skip: go.mod,go.sum,**/proxy/web/**
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans
+          skip: go.mod,go.sum
   golangci:
     strategy:
       fail-fast: false

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.1.1"
+  SIGN_PIPE_VER: "v0.1.0"
   GORELEASER_VER: "v2.3.2"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"
@@ -160,7 +160,7 @@ jobs:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Log in to the GitHub container registry
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -176,7 +176,6 @@ jobs:
       - name: Generate windows syso arm64
         run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
       - name: Run GoReleaser
-        id: goreleaser
         uses: goreleaser/goreleaser-action@v4
         with:
           version: ${{ env.GORELEASER_VER }}
@@ -186,19 +185,6 @@ jobs:
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
           UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
           UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-      - name: Tag and push PR images (amd64 only)
-        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
-        run: |
-          PR_TAG="pr-${{ github.event.pull_request.number }}"
-          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
-            grep '^ghcr.io/' | while read -r SRC; do
-              IMG_NAME="${SRC%%:*}"
-              DST="${IMG_NAME}:${PR_TAG}"
-              echo "Tagging ${SRC} -> ${DST}"
-              docker tag "$SRC" "$DST"
-              docker push "$DST"
-            done
       - name: upload non tags for debug purposes
         uses: actions/upload-artifact@v4
         with:

.gitignore

@@ -2,7 +2,6 @@
 .run
 *.iml
 dist/
-!proxy/web/dist/
 bin/
 .env
 conf.json

.goreleaser.yaml

@@ -106,26 +106,6 @@ builds:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
 
-  - id: netbird-server
-    dir: combined
-    env:
-      - CGO_ENABLED=1
-      - >-
-        {{- if eq .Runtime.Goos "linux" }}
-          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
-          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
-        {{- end }}
-    binary: netbird-server
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
   - id: netbird-upload
     dir: upload-server
     env: [CGO_ENABLED=0]
@@ -140,20 +120,6 @@ builds:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
 
-  - id: netbird-proxy
-    dir: proxy/cmd/proxy
-    env: [CGO_ENABLED=0]
-    binary: netbird-proxy
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
 universal_binaries:
   - id: netbird
 
@@ -554,104 +520,6 @@ dockers:
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
       - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-    ids:
-      - netbird-server
-    goarch: amd64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-    ids:
-      - netbird-server
-    goarch: arm64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-    ids:
-      - netbird-server
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-    ids:
-      - netbird-proxy
-    goarch: amd64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-    ids:
-      - netbird-proxy
-    goarch: arm64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-    ids:
-      - netbird-proxy
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
   - name_template: netbirdio/netbird:{{ .Version }}
     image_templates:
@@ -730,18 +598,6 @@ docker_manifests:
       - netbirdio/upload:{{ .Version }}-arm
       - netbirdio/upload:{{ .Version }}-amd64
 
-  - name_template: netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/netbird-server:latest
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
   - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
     image_templates:
       - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
@@ -819,43 +675,6 @@ docker_manifests:
       - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
       - ghcr.io/netbirdio/upload:{{ .Version }}-arm
       - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:latest
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
 brews:
   - ids:
       - default

LICENSE

@@ -1,4 +1,4 @@
-This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/, relay/ and combined/.
+This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.
 
 BSD 3-Clause License

README.md

@@ -60,8 +60,8 @@
 
 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2
 
-### Self-Host NetBird (Video)
-[![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)
+### NetBird on Lawrence Systems (Video)
+[![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)
 
 ### Key features
 

client/android/env_list.go

@@ -1,19 +1,10 @@
 package android
 
-import (
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
+import "github.com/netbirdio/netbird/client/internal/peer"
 
 var (
-	// EnvKeyNBForceRelay Exported for Android java client to force relay connections
+	// EnvKeyNBForceRelay Exported for Android java client
 	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
-
-	// EnvKeyNBLazyConn Exported for Android java client to configure lazy connection
-	EnvKeyNBLazyConn = lazyconn.EnvEnableLazyConn
-
-	// EnvKeyNBInactivityThreshold Exported for Android java client to configure connection inactivity threshold
-	EnvKeyNBInactivityThreshold = lazyconn.EnvInactivityThreshold
 )
 
 // EnvList wraps a Go map for export to Java

client/cmd/login.go

@@ -282,9 +282,13 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 	}
 	defer authClient.Close()
 
-	needsLogin, err := authClient.IsLoginRequired(ctx)
-	if err != nil {
-		return fmt.Errorf("check login required: %v", err)
+	needsLogin := false
+
+	err, isAuthError := authClient.Login(ctx, "", "")
+	if isAuthError {
+		needsLogin = true
+	} else if err != nil {
+		return fmt.Errorf("login check failed: %v", err)
 	}
 
 	jwtToken := ""

client/embed/embed.go

@@ -31,14 +31,6 @@ var (
 	ErrConfigNotInitialized = errors.New("config not initialized")
 )
 
-// PeerConnStatus is a peer's connection status.
-type PeerConnStatus = peer.ConnStatus
-
-const (
-	// PeerStatusConnected indicates the peer is in connected state.
-	PeerStatusConnected = peer.StatusConnected
-)
-
 // Client manages a netbird embedded client instance.
 type Client struct {
 	deviceName string

client/firewall/nftables/router_linux.go

@@ -483,12 +483,7 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	}
 
 	if nftRule.Handle == 0 {
-		log.Warnf("route rule %s has no handle, removing stale entry", ruleKey)
-		if err := r.decrementSetCounter(nftRule); err != nil {
-			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
-		}
-		delete(r.rules, ruleKey)
-		return nil
+		return fmt.Errorf("route rule %s has no handle", ruleKey)
 	}
 
 	if err := r.deleteNftRule(nftRule, ruleKey); err != nil {
@@ -665,32 +660,13 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 	}
 
 	if err := r.conn.Flush(); err != nil {
-		r.rollbackRules(pair)
-		return fmt.Errorf("insert rules for %s: %w", pair.Destination, err)
+		// TODO: rollback ipset counter
+		return fmt.Errorf("insert rules for %s: %v", pair.Destination, err)
 	}
 
 	return nil
 }
 
-// rollbackRules cleans up unflushed rules and their set counters after a flush failure.
-func (r *router) rollbackRules(pair firewall.RouterPair) {
-	keys := []string{
-		firewall.GenKey(firewall.ForwardingFormat, pair),
-		firewall.GenKey(firewall.PreroutingFormat, pair),
-		firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair)),
-	}
-	for _, key := range keys {
-		rule, ok := r.rules[key]
-		if !ok {
-			continue
-		}
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Warnf("rollback set counter for %s: %v", key, err)
-		}
-		delete(r.rules, key)
-	}
-}
-
 // addNatRule inserts a nftables rule to the conn client flush queue
 func (r *router) addNatRule(pair firewall.RouterPair) error {
 	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
@@ -952,30 +928,18 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
 
-	rule, exists := r.rules[ruleKey]
-	if !exists {
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("legacy forwarding rule %s has no handle, removing stale entry", ruleKey)
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
+	if rule, exists := r.rules[ruleKey]; exists {
+		if err := r.conn.DelRule(rule); err != nil {
+			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
+
+		log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
+
 		delete(r.rules, ruleKey)
-		return nil
-	}
 
-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("remove legacy forwarding rule %s -> %s: %w", pair.Source, pair.Destination, err)
-	}
-
-	log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
-
-	delete(r.rules, ruleKey)
-
-	if err := r.decrementSetCounter(rule); err != nil {
-		return fmt.Errorf("decrement set counter: %w", err)
+		if err := r.decrementSetCounter(rule); err != nil {
+			return fmt.Errorf("decrement set counter: %w", err)
+		}
 	}
 
 	return nil
@@ -1365,89 +1329,65 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
 
-	var merr *multierror.Error
-
 	if pair.Masquerade {
 		if err := r.removeNatRule(pair); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove prerouting rule: %w", err))
+			return fmt.Errorf("remove prerouting rule: %w", err)
 		}
 
 		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove inverse prerouting rule: %w", err))
+			return fmt.Errorf("remove inverse prerouting rule: %w", err)
 		}
 	}
 
 	if err := r.removeLegacyRouteRule(pair); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove legacy routing rule: %w", err))
+		return fmt.Errorf("remove legacy routing rule: %w", err)
 	}
 
-	// Set counters are decremented in the sub-methods above before flush. If flush fails,
-	// counters will be off until the next successful removal or refresh cycle.
 	if err := r.conn.Flush(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("flush remove nat rules %s: %w", pair.Destination, err))
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) removeNatRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
-
-	rule, exists := r.rules[ruleKey]
-	if !exists {
-		log.Debugf("prerouting rule %s not found", ruleKey)
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("prerouting rule %s has no handle, removing stale entry", ruleKey)
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
-		}
-		delete(r.rules, ruleKey)
-		return nil
-	}
-
-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("remove prerouting rule %s -> %s: %w", pair.Source, pair.Destination, err)
-	}
-
-	log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
-
-	delete(r.rules, ruleKey)
-
-	if err := r.decrementSetCounter(rule); err != nil {
-		return fmt.Errorf("decrement set counter: %w", err)
+		// TODO: rollback set counter
+		return fmt.Errorf("remove nat rules rule %s: %v", pair.Destination, err)
 	}
 
 	return nil
 }
 
-// refreshRulesMap rebuilds the rule map from the kernel. This removes stale entries
-// (e.g. from failed flushes) and updates handles for all existing rules.
+func (r *router) removeNatRule(pair firewall.RouterPair) error {
+	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
+
+	if rule, exists := r.rules[ruleKey]; exists {
+		if err := r.conn.DelRule(rule); err != nil {
+			return fmt.Errorf("remove prerouting rule %s -> %s: %v", pair.Source, pair.Destination, err)
+		}
+
+		log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
+
+		delete(r.rules, ruleKey)
+
+		if err := r.decrementSetCounter(rule); err != nil {
+			return fmt.Errorf("decrement set counter: %w", err)
+		}
+	} else {
+		log.Debugf("prerouting rule %s not found", ruleKey)
+	}
+
+	return nil
+}
+
+// refreshRulesMap refreshes the rule map with the latest rules. this is useful to avoid
+// duplicates and to get missing attributes that we don't have when adding new rules
 func (r *router) refreshRulesMap() error {
-	var merr *multierror.Error
-	newRules := make(map[string]*nftables.Rule)
 	for _, chain := range r.chains {
 		rules, err := r.conn.GetRules(chain.Table, chain)
 		if err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("list rules for chain %s: %w", chain.Name, err))
-			// preserve existing entries for this chain since we can't verify their state
-			for k, v := range r.rules {
-				if v.Chain != nil && v.Chain.Name == chain.Name {
-					newRules[k] = v
-				}
-			}
-			continue
+			return fmt.Errorf("list rules: %w", err)
 		}
 		for _, rule := range rules {
 			if len(rule.UserData) > 0 {
-				newRules[string(rule.UserData)] = rule
+				r.rules[string(rule.UserData)] = rule
 			}
 		}
 	}
-	r.rules = newRules
-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }
 
 func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
@@ -1689,34 +1629,20 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	}
 
 	var merr *multierror.Error
-	var needsFlush bool
-
 	if dnatRule, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		if dnatRule.Handle == 0 {
-			log.Warnf("dnat rule %s has no handle, removing stale entry", ruleKey+dnatSuffix)
-			delete(r.rules, ruleKey+dnatSuffix)
-		} else if err := r.conn.DelRule(dnatRule); err != nil {
+		if err := r.conn.DelRule(dnatRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete dnat rule: %w", err))
-		} else {
-			needsFlush = true
 		}
 	}
 
 	if masqRule, exists := r.rules[ruleKey+snatSuffix]; exists {
-		if masqRule.Handle == 0 {
-			log.Warnf("snat rule %s has no handle, removing stale entry", ruleKey+snatSuffix)
-			delete(r.rules, ruleKey+snatSuffix)
-		} else if err := r.conn.DelRule(masqRule); err != nil {
+		if err := r.conn.DelRule(masqRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete snat rule: %w", err))
-		} else {
-			needsFlush = true
 		}
 	}
 
-	if needsFlush {
-		if err := r.conn.Flush(); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf(flushError, err))
-		}
+	if err := r.conn.Flush(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
 	}
 
 	if merr == nil {
@@ -1831,25 +1757,16 @@ func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Proto
 
 	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 
-	rule, exists := r.rules[ruleID]
-	if !exists {
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("inbound DNAT rule %s has no handle, removing stale entry", ruleID)
+	if rule, exists := r.rules[ruleID]; exists {
+		if err := r.conn.DelRule(rule); err != nil {
+			return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
+		}
+		if err := r.conn.Flush(); err != nil {
+			return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
+		}
 		delete(r.rules, ruleID)
-		return nil
 	}
 
-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
-	}
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
-	}
-	delete(r.rules, ruleID)
-
 	return nil
 }
 

client/firewall/nftables/router_linux_test.go

@@ -18,7 +18,6 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
 	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/internal/acl/id"
 )
 
 const (
@@ -720,137 +719,3 @@ func deleteWorkTable() {
 		}
 	}
 }
-
-func TestRouter_RefreshRulesMap_RemovesStaleEntries(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	workTable, err := createWorkTable()
-	require.NoError(t, err)
-	defer deleteWorkTable()
-
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, r.init(workTable))
-	defer func() { require.NoError(t, r.Reset()) }()
-
-	// Add a real rule to the kernel
-	ruleKey, err := r.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
-		firewall.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
-		firewall.ProtocolTCP,
-		nil,
-		&firewall.Port{Values: []uint16{80}},
-		firewall.ActionAccept,
-	)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, r.DeleteRouteRule(ruleKey))
-	})
-
-	// Inject a stale entry with Handle=0 (simulates store-before-flush failure)
-	staleKey := "stale-rule-that-does-not-exist"
-	r.rules[staleKey] = &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingFw],
-		Handle:   0,
-		UserData: []byte(staleKey),
-	}
-
-	require.Contains(t, r.rules, staleKey, "stale entry should be in map before refresh")
-
-	err = r.refreshRulesMap()
-	require.NoError(t, err)
-
-	assert.NotContains(t, r.rules, staleKey, "stale entry should be removed after refresh")
-
-	realRule, ok := r.rules[ruleKey.ID()]
-	assert.True(t, ok, "real rule should still exist after refresh")
-	assert.NotZero(t, realRule.Handle, "real rule should have a valid handle")
-}
-
-func TestRouter_DeleteRouteRule_StaleHandle(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	workTable, err := createWorkTable()
-	require.NoError(t, err)
-	defer deleteWorkTable()
-
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, r.init(workTable))
-	defer func() { require.NoError(t, r.Reset()) }()
-
-	// Inject a stale entry with Handle=0
-	staleKey := "stale-route-rule"
-	r.rules[staleKey] = &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingFw],
-		Handle:   0,
-		UserData: []byte(staleKey),
-	}
-
-	// DeleteRouteRule should not return an error for stale handles
-	err = r.DeleteRouteRule(id.RuleID(staleKey))
-	assert.NoError(t, err, "deleting a stale rule should not error")
-	assert.NotContains(t, r.rules, staleKey, "stale entry should be cleaned up")
-}
-
-func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, manager.Init(nil))
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	pair := firewall.RouterPair{
-		ID:          "staletest",
-		Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-		Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
-		Masquerade:  true,
-	}
-
-	rtr := manager.router
-
-	// First add succeeds
-	err = rtr.AddNatRule(pair)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, rtr.RemoveNatRule(pair))
-	})
-
-	// Corrupt the handle to simulate stale state
-	natRuleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
-	if rule, exists := rtr.rules[natRuleKey]; exists {
-		rule.Handle = 0
-	}
-	inverseKey := firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair))
-	if rule, exists := rtr.rules[inverseKey]; exists {
-		rule.Handle = 0
-	}
-
-	// Adding the same rule again should succeed despite stale handles
-	err = rtr.AddNatRule(pair)
-	assert.NoError(t, err, "AddNatRule should succeed even with stale entries")
-
-	// Verify rules exist in kernel
-	rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
-	require.NoError(t, err)
-
-	found := 0
-	for _, rule := range rules {
-		if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
-			found++
-		}
-	}
-	assert.Equal(t, 1, found, "NAT rule should exist in kernel")
-}

client/firewall/uspfilter/allow_netbird.go

@@ -3,6 +3,12 @@
 package uspfilter
 
 import (
+	"context"
+	"net/netip"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
@@ -11,7 +17,33 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	m.resetState()
+	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
+	m.incomingRules = make(map[netip.Addr]RuleSet)
+
+	if m.udpTracker != nil {
+		m.udpTracker.Close()
+	}
+
+	if m.icmpTracker != nil {
+		m.icmpTracker.Close()
+	}
+
+	if m.tcpTracker != nil {
+		m.tcpTracker.Close()
+	}
+
+	if fwder := m.forwarder.Load(); fwder != nil {
+		fwder.Stop()
+	}
+
+	if m.logger != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if err := m.logger.Stop(ctx); err != nil {
+			log.Errorf("failed to shutdown logger: %v", err)
+		}
+	}
 
 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.Close(stateManager)

client/firewall/uspfilter/allow_netbird_windows.go

@@ -1,9 +1,12 @@
 package uspfilter
 
 import (
+	"context"
 	"fmt"
+	"net/netip"
 	"os/exec"
 	"syscall"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 
@@ -23,7 +26,33 @@ func (m *Manager) Close(*statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	m.resetState()
+	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
+	m.incomingRules = make(map[netip.Addr]RuleSet)
+
+	if m.udpTracker != nil {
+		m.udpTracker.Close()
+	}
+
+	if m.icmpTracker != nil {
+		m.icmpTracker.Close()
+	}
+
+	if m.tcpTracker != nil {
+		m.tcpTracker.Close()
+	}
+
+	if fwder := m.forwarder.Load(); fwder != nil {
+		fwder.Stop()
+	}
+
+	if m.logger != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if err := m.logger.Stop(ctx); err != nil {
+			log.Errorf("failed to shutdown logger: %v", err)
+		}
+	}
 
 	if !isWindowsFirewallReachable() {
 		return nil

client/firewall/uspfilter/conntrack/tcp.go

@@ -115,17 +115,6 @@ func (t *TCPConnTrack) IsTombstone() bool {
 	return t.tombstone.Load()
 }
 
-// IsSupersededBy returns true if this connection should be replaced by a new one
-// carrying the given flags. Tombstoned connections are always superseded; TIME-WAIT
-// connections are superseded by a pure SYN (a new connection attempt for the same
-// four-tuple, as contemplated by RFC 1122 §4.2.2.13 and RFC 6191).
-func (t *TCPConnTrack) IsSupersededBy(flags uint8) bool {
-	if t.tombstone.Load() {
-		return true
-	}
-	return flags&TCPSyn != 0 && flags&TCPAck == 0 && TCPState(t.state.Load()) == TCPStateTimeWait
-}
-
 // SetTombstone safely marks the connection for deletion
 func (t *TCPConnTrack) SetTombstone() {
 	t.tombstone.Store(true)
@@ -180,7 +169,7 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()
 
-	if exists && !conn.IsSupersededBy(flags) {
+	if exists {
 		t.updateState(key, conn, flags, direction, size)
 		return key, uint16(conn.DNATOrigPort.Load()), true
 	}
@@ -252,7 +241,7 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()
 
-	if !exists || conn.IsSupersededBy(flags) {
+	if !exists || conn.IsTombstone() {
 		return false
 	}
 

client/firewall/uspfilter/conntrack/tcp_test.go

@@ -485,261 +485,6 @@ func TestTCPAbnormalSequences(t *testing.T) {
 	})
 }
 
-// TestTCPPortReuseTombstone verifies that a new connection on a port with a
-// tombstoned (closed) conntrack entry is properly tracked. Without the fix,
-// updateIfExists treats tombstoned entries as live, causing track() to skip
-// creating a new connection. The subsequent SYN-ACK then fails IsValidInbound
-// because the entry is tombstoned, and the response packet gets dropped by ACL.
-func TestTCPPortReuseTombstone(t *testing.T) {
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Outbound port reuse after graceful close", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and gracefully close a connection (server-initiated close)
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Server sends FIN
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		require.True(t, valid)
-
-		// Client sends FIN-ACK
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-
-		// Server sends final ACK
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-
-		// Connection should be tombstoned
-		conn := tracker.connections[key]
-		require.NotNil(t, conn, "old connection should still be in map")
-		require.True(t, conn.IsTombstone(), "old connection should be tombstoned")
-
-		// Now reuse the same port for a new connection
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-		// The old tombstoned entry should be replaced with a new one
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn, "new connection should exist")
-		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
-		require.Equal(t, TCPStateSynSent, newConn.GetState())
-
-		// SYN-ACK for the new connection should be valid
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-		require.True(t, valid, "SYN-ACK for new connection on reused port should be accepted")
-		require.Equal(t, TCPStateEstablished, newConn.GetState())
-
-		// Data transfer should work
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 100)
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 500)
-		require.True(t, valid, "data should be allowed on new connection")
-	})
-
-	t.Run("Outbound port reuse after RST", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and RST a connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst|TCPAck, 0)
-		require.True(t, valid)
-
-		conn := tracker.connections[key]
-		require.True(t, conn.IsTombstone(), "RST connection should be tombstoned")
-
-		// Reuse the same port
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn)
-		require.False(t, newConn.IsTombstone())
-		require.Equal(t, TCPStateSynSent, newConn.GetState())
-
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-		require.True(t, valid, "SYN-ACK should be accepted after RST tombstone")
-	})
-
-	t.Run("Inbound port reuse after close", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		clientIP := srcIP
-		serverIP := dstIP
-		clientPort := srcPort
-		serverPort := dstPort
-		key := ConnKey{SrcIP: clientIP, DstIP: serverIP, SrcPort: clientPort, DstPort: serverPort}
-
-		// Inbound connection: client SYN → server SYN-ACK → client ACK
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
-
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-
-		// Server-initiated close to reach Closed/tombstoned:
-		// Server FIN (opposite dir) → CloseWait
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPFin|TCPAck, 100)
-		require.Equal(t, TCPStateCloseWait, conn.GetState())
-		// Client FIN-ACK (same dir as conn) → LastAck
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPFin|TCPAck, nil, 100, 0)
-		require.Equal(t, TCPStateLastAck, conn.GetState())
-		// Server final ACK (opposite dir) → Closed → tombstoned
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
-
-		require.True(t, conn.IsTombstone())
-
-		// New inbound connection on same ports
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
-
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn)
-		require.False(t, newConn.IsTombstone())
-		require.Equal(t, TCPStateSynReceived, newConn.GetState())
-
-		// Complete handshake: server SYN-ACK, then client ACK
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
-		require.Equal(t, TCPStateEstablished, newConn.GetState())
-	})
-
-	t.Run("Late ACK on tombstoned connection is harmless", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and close via passive close (server-initiated FIN → Closed → tombstoned)
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0) // CloseWait
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)  // LastAck
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)        // Closed
-
-		conn := tracker.connections[key]
-		require.True(t, conn.IsTombstone())
-
-		// Late ACK should be rejected (tombstoned)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.False(t, valid, "late ACK on tombstoned connection should be rejected")
-
-		// Late outbound ACK should not create a new connection (not a SYN)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-		require.True(t, tracker.connections[key].IsTombstone(), "late outbound ACK should not replace tombstoned entry")
-	})
-}
-
-func TestTCPPortReuseTimeWait(t *testing.T) {
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Outbound port reuse during TIME-WAIT (active close)", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Active close: client (outbound initiator) sends FIN first
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateFinWait1, conn.GetState())
-
-		// Server ACKs the FIN
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateFinWait2, conn.GetState())
-
-		// Server sends its own FIN
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Client sends final ACK (TIME-WAIT stays, not tombstoned)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-		require.False(t, conn.IsTombstone(), "TIME-WAIT should not be tombstoned")
-
-		// New outbound SYN on the same port (port reuse during TIME-WAIT)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-		// Per RFC 1122/6191, new SYN during TIME-WAIT should start a new connection
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn, "new connection should exist")
-		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
-		require.Equal(t, TCPStateSynSent, newConn.GetState(), "new connection should be in SYN-SENT")
-
-		// SYN-ACK for new connection should be valid
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-		require.True(t, valid, "SYN-ACK for new connection should be accepted")
-		require.Equal(t, TCPStateEstablished, newConn.GetState())
-	})
-
-	t.Run("Inbound SYN during TIME-WAIT falls through to normal tracking", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish outbound connection and close via active close → TIME-WAIT
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Inbound SYN on same ports during TIME-WAIT: IsValidInbound returns false
-		// so the filter falls through to ACL check + TrackInbound (which creates
-		// a new connection via track() → updateIfExists skips TIME-WAIT for SYN)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, 0)
-		require.False(t, valid, "inbound SYN during TIME-WAIT should fail conntrack validation")
-
-		// Simulate what the filter does next: TrackInbound via the normal path
-		tracker.TrackInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, nil, 100, 0)
-
-		// The new inbound connection uses the inverted key (dst→src becomes src→dst in track)
-		invertedKey := ConnKey{SrcIP: dstIP, DstIP: srcIP, SrcPort: dstPort, DstPort: srcPort}
-		newConn := tracker.connections[invertedKey]
-		require.NotNil(t, newConn, "new inbound connection should be tracked")
-		require.Equal(t, TCPStateSynReceived, newConn.GetState())
-		require.False(t, newConn.IsTombstone())
-	})
-
-	t.Run("Late retransmit during TIME-WAIT still allowed", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and active close → TIME-WAIT
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Late ACK retransmits during TIME-WAIT should still be accepted
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid, "retransmitted ACK during TIME-WAIT should be accepted")
-	})
-}
-
 func TestTCPTimeoutHandling(t *testing.T) {
 	// Create tracker with a very short timeout for testing
 	shortTimeout := 100 * time.Millisecond

client/firewall/uspfilter/filter.go

@@ -1,7 +1,6 @@
 package uspfilter
 
 import (
-	"context"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -13,13 +12,11 @@ import (
 	"strings"
 	"sync"
 	"sync/atomic"
-	"time"
 
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
@@ -27,7 +24,6 @@ import (
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -93,7 +89,6 @@ type Manager struct {
 	incomingDenyRules map[netip.Addr]RuleSet
 	incomingRules     map[netip.Addr]RuleSet
 	routeRules        RouteRules
-	routeRulesMap     map[nbid.RuleID]*RouteRule
 	decoders          sync.Pool
 	wgIface           common.IFaceMapper
 	nativeFirewall    firewall.Manager
@@ -234,7 +229,6 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		flowLogger:          flowLogger,
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
-		routeRulesMap:       make(map[nbid.RuleID]*RouteRule),
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
 		portDNATRules:       []portDNATRule{},
 		netstackServices:    make(map[serviceKey]struct{}),
@@ -486,15 +480,11 @@ func (m *Manager) addRouteFiltering(
 		return m.nativeFirewall.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 	}
 
-	ruleKey := nbid.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
-
-	if existingRule, ok := m.routeRulesMap[ruleKey]; ok {
-		return existingRule, nil
-	}
+	ruleID := uuid.New().String()
 
 	rule := RouteRule{
 		// TODO: consolidate these IDs
-		id:         string(ruleKey),
+		id:         ruleID,
 		mgmtId:     id,
 		sources:    sources,
 		dstSet:     destination.Set,
@@ -509,7 +499,6 @@ func (m *Manager) addRouteFiltering(
 
 	m.routeRules = append(m.routeRules, &rule)
 	m.routeRules.Sort()
-	m.routeRulesMap[ruleKey] = &rule
 
 	return &rule, nil
 }
@@ -526,20 +515,15 @@ func (m *Manager) deleteRouteRule(rule firewall.Rule) error {
 		return m.nativeFirewall.DeleteRouteRule(rule)
 	}
 
-	ruleKey := nbid.RuleID(rule.ID())
-	if _, ok := m.routeRulesMap[ruleKey]; !ok {
-		return fmt.Errorf("route rule not found: %s", ruleKey)
-	}
-
+	ruleID := rule.ID()
 	idx := slices.IndexFunc(m.routeRules, func(r *RouteRule) bool {
-		return r.id == string(ruleKey)
+		return r.id == ruleID
 	})
 	if idx < 0 {
-		return fmt.Errorf("route rule not found in slice: %s", ruleKey)
+		return fmt.Errorf("route rule not found: %s", ruleID)
 	}
 
 	m.routeRules = slices.Delete(m.routeRules, idx, idx+1)
-	delete(m.routeRulesMap, ruleKey)
 	return nil
 }
 
@@ -586,40 +570,6 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }
 
-// resetState clears all firewall rules and closes connection trackers.
-// Must be called with m.mutex held.
-func (m *Manager) resetState() {
-	maps.Clear(m.outgoingRules)
-	maps.Clear(m.incomingDenyRules)
-	maps.Clear(m.incomingRules)
-	maps.Clear(m.routeRulesMap)
-	m.routeRules = m.routeRules[:0]
-
-	if m.udpTracker != nil {
-		m.udpTracker.Close()
-	}
-
-	if m.icmpTracker != nil {
-		m.icmpTracker.Close()
-	}
-
-	if m.tcpTracker != nil {
-		m.tcpTracker.Close()
-	}
-
-	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.Stop()
-	}
-
-	if m.logger != nil {
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-		defer cancel()
-		if err := m.logger.Stop(ctx); err != nil {
-			log.Errorf("failed to shutdown logger: %v", err)
-		}
-	}
-}
-
 // SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
 func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	if m.nativeFirewall == nil {

client/firewall/uspfilter/filter_routeacl_test.go

@@ -1,376 +0,0 @@
-package uspfilter
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/google/gopacket/layers"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	wgdevice "golang.zx2c4.com/wireguard/device"
-
-	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/mocks"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-// TestAddRouteFilteringReturnsExistingRule verifies that adding the same route
-// filtering rule twice returns the same rule ID (idempotent behavior).
-func TestAddRouteFilteringReturnsExistingRule(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{
-		netip.MustParsePrefix("100.64.1.0/24"),
-		netip.MustParsePrefix("100.64.2.0/24"),
-	}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	// Add rule first time
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule1)
-
-	// Add the same rule again
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule2)
-
-	// These should be the same (idempotent) like nftables/iptables implementations
-	assert.Equal(t, rule1.ID(), rule2.ID(),
-		"Adding the same rule twice should return the same rule ID (idempotent)")
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 2, ruleCount,
-		"Should have exactly 2 rules (1 user rule + 1 block rule)")
-}
-
-// TestAddRouteFilteringDifferentRulesGetDifferentIDs verifies that rules with
-// different parameters get distinct IDs.
-func TestAddRouteFilteringDifferentRulesGetDifferentIDs(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-
-	// Add first rule
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	// Add different rule (different destination)
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-2"),
-		sources,
-		fw.Network{Prefix: netip.MustParsePrefix("192.168.2.0/24")}, // Different!
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	assert.NotEqual(t, rule1.ID(), rule2.ID(),
-		"Different rules should have different IDs")
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 3, ruleCount, "Should have 3 rules (2 user rules + 1 block rule)")
-}
-
-// TestRouteRuleUpdateDoesNotCauseGap verifies that re-adding the same route
-// rule during a network map update does not disrupt existing traffic.
-func TestRouteRuleUpdateDoesNotCauseGap(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	srcIP := netip.MustParseAddr("100.64.1.5")
-	dstIP := netip.MustParseAddr("192.168.1.10")
-	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
-	require.True(t, pass, "Traffic should pass with rule in place")
-
-	// Re-add same rule (simulates network map update)
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	// Idempotent IDs mean rule1.ID() == rule2.ID(), so the ACL manager
-	// won't delete rule1 during cleanup. If IDs differed, deleting rule1
-	// would remove the only matching rule and cause a traffic gap.
-	if rule1.ID() != rule2.ID() {
-		err = manager.DeleteRouteRule(rule1)
-		require.NoError(t, err)
-	}
-
-	_, passAfter := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
-	assert.True(t, passAfter,
-		"Traffic should still pass after rule update - no gap should occur")
-}
-
-// TestBlockInvalidRoutedIdempotent verifies that blockInvalidRouted creates
-// exactly one drop rule for the WireGuard network prefix, and calling it again
-// returns the same rule without duplicating.
-func TestBlockInvalidRoutedIdempotent(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	dev := mocks.NewMockDevice(ctrl)
-	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
-
-	wgNet := netip.MustParsePrefix("100.64.0.1/16")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      wgNet.Addr(),
-				Network: wgNet,
-			}
-		},
-		GetDeviceFunc: func() *device.FilteredDevice {
-			return &device.FilteredDevice{Device: dev}
-		},
-		GetWGDeviceFunc: func() *wgdevice.Device {
-			return &wgdevice.Device{}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	// Call blockInvalidRouted directly multiple times
-	rule1, err := manager.blockInvalidRouted(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, rule1)
-
-	rule2, err := manager.blockInvalidRouted(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, rule2)
-
-	rule3, err := manager.blockInvalidRouted(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, rule3)
-
-	// All should return the same rule
-	assert.Equal(t, rule1.ID(), rule2.ID(), "Second call should return same rule")
-	assert.Equal(t, rule2.ID(), rule3.ID(), "Third call should return same rule")
-
-	// Should have exactly 1 route rule
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 1, ruleCount, "Should have exactly 1 block rule after 3 calls")
-
-	// Verify the rule blocks traffic to the WG network
-	srcIP := netip.MustParseAddr("10.0.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.50")
-	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 80)
-	assert.False(t, pass, "Block rule should deny traffic to WG prefix")
-}
-
-// TestBlockRuleNotAccumulatedOnRepeatedEnableRouting verifies that calling
-// EnableRouting multiple times (as happens on each route update) does not
-// accumulate duplicate block rules in the routeRules slice.
-func TestBlockRuleNotAccumulatedOnRepeatedEnableRouting(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	dev := mocks.NewMockDevice(ctrl)
-	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
-
-	wgNet := netip.MustParsePrefix("100.64.0.1/16")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      wgNet.Addr(),
-				Network: wgNet,
-			}
-		},
-		GetDeviceFunc: func() *device.FilteredDevice {
-			return &device.FilteredDevice{Device: dev}
-		},
-		GetWGDeviceFunc: func() *wgdevice.Device {
-			return &wgdevice.Device{}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	// Call EnableRouting multiple times (simulating repeated route updates)
-	for i := 0; i < 5; i++ {
-		require.NoError(t, manager.EnableRouting())
-	}
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 1, ruleCount,
-		"Repeated EnableRouting should not accumulate block rules")
-}
-
-// TestRouteRuleCountStableAcrossUpdates verifies that adding the same route
-// rule multiple times does not create duplicate entries.
-func TestRouteRuleCountStableAcrossUpdates(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	// Simulate 5 network map updates with the same route rule
-	for i := 0; i < 5; i++ {
-		rule, err := manager.AddRouteFiltering(
-			[]byte("policy-1"),
-			sources,
-			destination,
-			fw.ProtocolTCP,
-			nil,
-			&fw.Port{Values: []uint16{443}},
-			fw.ActionAccept,
-		)
-		require.NoError(t, err)
-		require.NotNil(t, rule)
-	}
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 2, ruleCount,
-		"Should have exactly 2 rules (1 user rule + 1 block rule) after 5 updates")
-}
-
-// TestDeleteRouteRuleAfterIdempotentAdd verifies that deleting a route rule
-// after adding it multiple times works correctly.
-func TestDeleteRouteRuleAfterIdempotentAdd(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	// Add same rule twice
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	require.Equal(t, rule1.ID(), rule2.ID(), "Should return same rule ID")
-
-	// Delete using first reference
-	err = manager.DeleteRouteRule(rule1)
-	require.NoError(t, err)
-
-	// Verify traffic no longer passes
-	srcIP := netip.MustParseAddr("100.64.1.5")
-	dstIP := netip.MustParseAddr("192.168.1.10")
-	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
-	assert.False(t, pass, "Traffic should not pass after rule deletion")
-}
-
-func setupTestManager(t *testing.T) *Manager {
-	t.Helper()
-
-	ctrl := gomock.NewController(t)
-	dev := mocks.NewMockDevice(ctrl)
-	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
-
-	wgNet := netip.MustParsePrefix("100.64.0.1/16")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      wgNet.Addr(),
-				Network: wgNet,
-			}
-		},
-		GetDeviceFunc: func() *device.FilteredDevice {
-			return &device.FilteredDevice{Device: dev}
-		},
-		GetWGDeviceFunc: func() *wgdevice.Device {
-			return &wgdevice.Device{}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, manager.EnableRouting())
-
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	return manager
-}

client/firewall/uspfilter/filter_test.go

@@ -263,158 +263,6 @@ func TestAddUDPPacketHook(t *testing.T) {
 	}
 }
 
-// TestPeerRuleLifecycleDenyRules verifies that deny rules are correctly added
-// to the deny map and can be cleanly deleted without leaving orphans.
-func TestPeerRuleLifecycleDenyRules(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, m.Close(nil))
-	}()
-
-	ip := net.ParseIP("192.168.1.1")
-	addr := netip.MustParseAddr("192.168.1.1")
-
-	// Add multiple deny rules for different ports
-	rule1, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-	require.NoError(t, err)
-
-	rule2, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{80}}, fw.ActionDrop, "")
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	denyCount := len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-	require.Equal(t, 2, denyCount, "Should have exactly 2 deny rules")
-
-	// Delete the first deny rule
-	err = m.DeletePeerRule(rule1[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	denyCount = len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-	require.Equal(t, 1, denyCount, "Should have 1 deny rule after deleting first")
-
-	// Delete the second deny rule
-	err = m.DeletePeerRule(rule2[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	_, exists := m.incomingDenyRules[addr]
-	m.mutex.RUnlock()
-	require.False(t, exists, "Deny rules IP entry should be cleaned up when empty")
-}
-
-// TestPeerRuleAddAndDeleteDontLeak verifies that repeatedly adding and deleting
-// peer rules (simulating network map updates) does not leak rules in the maps.
-func TestPeerRuleAddAndDeleteDontLeak(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, m.Close(nil))
-	}()
-
-	ip := net.ParseIP("192.168.1.1")
-	addr := netip.MustParseAddr("192.168.1.1")
-
-	// Simulate 10 network map updates: add rule, delete old, add new
-	for i := 0; i < 10; i++ {
-		// Add a deny rule
-		rules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-			&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-		require.NoError(t, err)
-
-		// Add an allow rule
-		allowRules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-			&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
-		require.NoError(t, err)
-
-		// Delete them (simulating ACL manager cleanup)
-		for _, r := range rules {
-			require.NoError(t, m.DeletePeerRule(r))
-		}
-		for _, r := range allowRules {
-			require.NoError(t, m.DeletePeerRule(r))
-		}
-	}
-
-	m.mutex.RLock()
-	denyCount := len(m.incomingDenyRules[addr])
-	allowCount := len(m.incomingRules[addr])
-	m.mutex.RUnlock()
-
-	require.Equal(t, 0, denyCount, "No deny rules should remain after cleanup")
-	require.Equal(t, 0, allowCount, "No allow rules should remain after cleanup")
-}
-
-// TestMixedAllowDenyRulesSameIP verifies that allow and deny rules for the same
-// IP are stored in separate maps and don't interfere with each other.
-func TestMixedAllowDenyRulesSameIP(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, m.Close(nil))
-	}()
-
-	ip := net.ParseIP("192.168.1.1")
-
-	// Add allow rule for port 80
-	allowRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
-	require.NoError(t, err)
-
-	// Add deny rule for port 22
-	denyRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-	require.NoError(t, err)
-
-	addr := netip.MustParseAddr("192.168.1.1")
-	m.mutex.RLock()
-	allowCount := len(m.incomingRules[addr])
-	denyCount := len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-
-	require.Equal(t, 1, allowCount, "Should have 1 allow rule")
-	require.Equal(t, 1, denyCount, "Should have 1 deny rule")
-
-	// Delete allow rule should not affect deny rule
-	err = m.DeletePeerRule(allowRule[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	denyCountAfter := len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-
-	require.Equal(t, 1, denyCountAfter, "Deny rule should still exist after deleting allow rule")
-
-	// Delete deny rule
-	err = m.DeletePeerRule(denyRule[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	_, denyExists := m.incomingDenyRules[addr]
-	_, allowExists := m.incomingRules[addr]
-	m.mutex.RUnlock()
-
-	require.False(t, denyExists, "Deny rules should be empty")
-	require.False(t, allowExists, "Allow rules should be empty")
-}
-
 func TestManagerReset(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },

client/firewall/uspfilter/log/log.go

@@ -5,8 +5,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"os"
-	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -18,18 +16,9 @@ const (
 	maxBatchSize         = 1024 * 16
 	maxMessageSize       = 1024 * 2
 	defaultFlushInterval = 2 * time.Second
-	defaultLogChanSize   = 1000
+	logChannelSize       = 1000
 )
 
-func getLogChannelSize() int {
-	if v := os.Getenv("NB_USPFILTER_LOG_BUFFER"); v != "" {
-		if n, err := strconv.Atoi(v); err == nil && n > 0 {
-			return n
-		}
-	}
-	return defaultLogChanSize
-}
-
 type Level uint32
 
 const (
@@ -80,7 +69,7 @@ type Logger struct {
 func NewFromLogrus(logrusLogger *log.Logger) *Logger {
 	l := &Logger{
 		output:     logrusLogger.Out,
-		msgChannel: make(chan logMessage, getLogChannelSize()),
+		msgChannel: make(chan logMessage, logChannelSize),
 		shutdown:   make(chan struct{}),
 		bufPool: sync.Pool{
 			New: func() any {

client/firewall/uspfilter/nat.go

@@ -358,9 +358,9 @@ func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	// Fast path for IPv4 addresses (4 bytes) - most common case
 	if len(oldBytes) == 4 && len(newBytes) == 4 {
 		sum += uint32(^binary.BigEndian.Uint16(oldBytes[0:2]))
-		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4]))
 		sum += uint32(binary.BigEndian.Uint16(newBytes[0:2]))
-		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4]))
 	} else {
 		// Fallback for other lengths
 		for i := 0; i < len(oldBytes)-1; i += 2 {

client/iface/device/device_filter.go

@@ -29,9 +29,8 @@ type PacketFilter interface {
 type FilteredDevice struct {
 	tun.Device
 
-	filter    PacketFilter
-	mutex     sync.RWMutex
-	closeOnce sync.Once
+	filter PacketFilter
+	mutex  sync.RWMutex
 }
 
 // newDeviceFilter constructor function
@@ -41,20 +40,6 @@ func newDeviceFilter(device tun.Device) *FilteredDevice {
 	}
 }
 
-// Close closes the underlying tun device exactly once.
-// wireguard-go's netTun.Close() panics on double-close due to a bare close(channel),
-// and multiple code paths can trigger Close on the same device.
-func (d *FilteredDevice) Close() error {
-	var err error
-	d.closeOnce.Do(func() {
-		err = d.Device.Close()
-	})
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
 // Read wraps read method with filtering feature
 func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, err error) {
 	if n, err = d.Device.Read(bufs, sizes, offset); err != nil {

client/iface/device/device_netstack.go

@@ -82,9 +82,7 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
-		if cErr := tunIface.Close(); cErr != nil {
-			log.Debugf("failed to close tun device: %v", cErr)
-		}
+		_ = tunIface.Close()
 		return nil, fmt.Errorf("error configuring interface: %s", err)
 	}
 

client/iface/iface_test.go

@@ -589,101 +589,6 @@ func Test_ConnectPeers(t *testing.T) {
 
 }
 
-func Test_UserSpaceAddAllowedIPs(t *testing.T) {
-	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+5)
-	wgIP := "10.99.99.21/30"
-	wgPort := 33105
-
-	newNet, err := stdnet.NewNet(context.Background(), nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	opts := WGIFaceOpts{
-		IFaceName:    ifaceName,
-		Address:      wgIP,
-		WGPort:       wgPort,
-		WGPrivKey:    key,
-		MTU:          DefaultMTU,
-		TransportNet: newNet,
-	}
-
-	iface, err := NewWGIFace(opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-	err = iface.Create()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer func() {
-		if err := iface.Close(); err != nil {
-			t.Error(err)
-		}
-	}()
-
-	_, err = iface.Up()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	keepAlive := 15 * time.Second
-	initialAllowedIP := netip.MustParsePrefix("10.99.99.22/32")
-	endpoint, err := net.ResolveUDPAddr("udp", "127.0.0.1:9905")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Add peer with initial endpoint and first allowed IP
-	err = iface.UpdatePeer(peerPubKey, []netip.Prefix{initialAllowedIP}, keepAlive, endpoint, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Phase 1: generate 500 allowed IPs into a list
-	const extraIPs = 500
-	addedPrefixes := make([]netip.Prefix, 0, extraIPs)
-	for i := 0; i < extraIPs; i++ {
-		// Use 172.16.x.y/32 range: i encoded as two octets
-		prefix := netip.MustParsePrefix(fmt.Sprintf("172.16.%d.%d/32", i/256, i%256))
-		addedPrefixes = append(addedPrefixes, prefix)
-	}
-
-	// Phase 2: iterate over the list and add each allowed IP to the peer
-	phase2Start := time.Now()
-	for _, prefix := range addedPrefixes {
-		if addErr := iface.AddAllowedIP(peerPubKey, prefix); addErr != nil {
-			t.Fatalf("failed to add allowed IP %s: %v", prefix, addErr)
-		}
-	}
-	t.Logf("Phase 2 (add %d IPs to peer): %s", extraIPs, time.Since(phase2Start))
-
-	// Verify the peer has all 101 allowed IPs (1 initial + 100 added)
-	peer, err := getPeer(ifaceName, peerPubKey)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if peer.Endpoint.String() != endpoint.String() {
-		t.Fatalf("expected endpoint %s, got %s", endpoint, peer.Endpoint)
-	}
-
-	allExpected := append([]netip.Prefix{initialAllowedIP}, addedPrefixes...)
-	if len(peer.AllowedIPs) != len(allExpected) {
-		t.Fatalf("expected %d allowed IPs, got %d", len(allExpected), len(peer.AllowedIPs))
-	}
-
-	allowedIPSet := make(map[string]struct{}, len(peer.AllowedIPs))
-	for _, aip := range peer.AllowedIPs {
-		allowedIPSet[aip.String()] = struct{}{}
-	}
-	for _, expected := range allExpected {
-		if _, found := allowedIPSet[expected.String()]; !found {
-			t.Errorf("expected allowed IP %s not found in peer config", expected)
-		}
-	}
-}
-
 func getPeer(ifaceName, peerPubKey string) (wgtypes.Peer, error) {
 	wg, err := wgctrl.New()
 	if err != nil {

client/iface/netstack/tun.go

@@ -66,7 +66,7 @@ func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
 		}
 	}()
 
-	return t.tundev, tunNet, nil
+	return nsTunDev, tunNet, nil
 }
 
 func (t *NetStackTun) Close() error {

client/internal/acl/manager_test.go

@@ -189,212 +189,6 @@ func TestDefaultManagerStateless(t *testing.T) {
 	})
 }
 
-// TestDenyRulesNotAccumulatedOnRepeatedApply verifies that applying the same
-// deny rules repeatedly does not accumulate duplicate rules in the uspfilter.
-// This tests the full ACL manager -> uspfilter integration.
-func TestDenyRulesNotAccumulatedOnRepeatedApply(t *testing.T) {
-	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-
-	networkMap := &mgmProto.NetworkMap{
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_DROP,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "22",
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_DROP,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "80",
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "443",
-			},
-		},
-		FirewallRulesIsEmpty: false,
-	}
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
-	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
-	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
-	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
-	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
-		Network: network,
-	}).AnyTimes()
-	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
-
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, fw.Close(nil))
-	}()
-
-	acl := NewDefaultManager(fw)
-
-	// Apply the same rules 5 times (simulating repeated network map updates)
-	for i := 0; i < 5; i++ {
-		acl.ApplyFiltering(networkMap, false)
-	}
-
-	// The ACL manager should track exactly 3 rule pairs (2 deny + 1 accept inbound)
-	assert.Equal(t, 3, len(acl.peerRulesPairs),
-		"Should have exactly 3 rule pairs after 5 identical updates")
-}
-
-// TestDenyRulesCleanedUpOnRemoval verifies that deny rules are properly cleaned
-// up when they're removed from the network map in a subsequent update.
-func TestDenyRulesCleanedUpOnRemoval(t *testing.T) {
-	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
-	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
-	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
-	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
-	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
-		Network: network,
-	}).AnyTimes()
-	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
-
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, fw.Close(nil))
-	}()
-
-	acl := NewDefaultManager(fw)
-
-	// First update: add deny and accept rules
-	networkMap1 := &mgmProto.NetworkMap{
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_DROP,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "22",
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "443",
-			},
-		},
-		FirewallRulesIsEmpty: false,
-	}
-
-	acl.ApplyFiltering(networkMap1, false)
-	assert.Equal(t, 2, len(acl.peerRulesPairs), "Should have 2 rules after first update")
-
-	// Second update: remove the deny rule, keep only accept
-	networkMap2 := &mgmProto.NetworkMap{
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "443",
-			},
-		},
-		FirewallRulesIsEmpty: false,
-	}
-
-	acl.ApplyFiltering(networkMap2, false)
-	assert.Equal(t, 1, len(acl.peerRulesPairs),
-		"Should have 1 rule after removing deny rule")
-
-	// Third update: remove all rules
-	networkMap3 := &mgmProto.NetworkMap{
-		FirewallRules:        []*mgmProto.FirewallRule{},
-		FirewallRulesIsEmpty: true,
-	}
-
-	acl.ApplyFiltering(networkMap3, false)
-	assert.Equal(t, 0, len(acl.peerRulesPairs),
-		"Should have 0 rules after removing all rules")
-}
-
-// TestRuleUpdateChangingAction verifies that when a rule's action changes from
-// accept to deny (or vice versa), the old rule is properly removed and the new
-// one added without leaking.
-func TestRuleUpdateChangingAction(t *testing.T) {
-	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
-	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
-	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
-	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
-	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
-		Network: network,
-	}).AnyTimes()
-	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
-
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, fw.Close(nil))
-	}()
-
-	acl := NewDefaultManager(fw)
-
-	// First update: accept rule
-	networkMap := &mgmProto.NetworkMap{
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "22",
-			},
-		},
-		FirewallRulesIsEmpty: false,
-	}
-	acl.ApplyFiltering(networkMap, false)
-	assert.Equal(t, 1, len(acl.peerRulesPairs))
-
-	// Second update: change to deny (same IP/port/proto, different action)
-	networkMap.FirewallRules = []*mgmProto.FirewallRule{
-		{
-			PeerIP:    "10.93.0.1",
-			Direction: mgmProto.RuleDirection_IN,
-			Action:    mgmProto.RuleAction_DROP,
-			Protocol:  mgmProto.RuleProtocol_TCP,
-			Port:      "22",
-		},
-	}
-	acl.ApplyFiltering(networkMap, false)
-
-	// Should still have exactly 1 rule (the old accept removed, new deny added)
-	assert.Equal(t, 1, len(acl.peerRulesPairs),
-		"Changing action should result in exactly 1 rule, not 2")
-}
-
 func TestPortInfoEmpty(t *testing.T) {
 	tests := []struct {
 		name     string

client/internal/connect.go

@@ -290,10 +290,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			return wrapErr(err)
 		}
 
-		if relayClient.IsDisableRelay() {
-			relayURLs = []string{}
-		}
-
 		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String(), engineConfig.MTU)
 		c.statusRecorder.SetRelayMgr(relayManager)
 		if len(relayURLs) > 0 {
@@ -314,8 +310,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		c.engineMutex.Lock()
 		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, checks, stateManager)
 		engine.SetSyncResponsePersistence(c.persistSyncResponse)
-		engine.SetReadyChan(runningChan)
-		runningChan = nil
 		c.engine = engine
 		c.engineMutex.Unlock()
 
@@ -336,6 +330,11 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		log.Infof("Netbird engine started, the IP is: %s", peerConfig.GetAddress())
 		state.Set(StatusConnected)
 
+		if runningChan != nil {
+			close(runningChan)
+			runningChan = nil
+		}
+
 		<-engineCtx.Done()
 
 		c.engineMutex.Lock()

client/internal/dns/host_windows.go

@@ -42,8 +42,6 @@ const (
 	dnsPolicyConfigConfigOptionsKey     = "ConfigOptions"
 	dnsPolicyConfigConfigOptionsValue   = 0x8
 
-	nrptMaxDomainsPerRule = 50
-
 	interfaceConfigPath          = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
 	interfaceConfigNameServerKey = "NameServer"
 	interfaceConfigSearchListKey = "SearchList"
@@ -200,11 +198,10 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 
 	if len(matchDomains) != 0 {
 		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
-		// Update count even on error to ensure cleanup covers partially created rules
-		r.nrptEntryCount = count
 		if err != nil {
 			return fmt.Errorf("add dns match policy: %w", err)
 		}
+		r.nrptEntryCount = count
 	} else {
 		r.nrptEntryCount = 0
 	}
@@ -242,33 +239,23 @@ func (r *registryConfigurator) addDNSSetupForAll(ip netip.Addr) error {
 func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr) (int, error) {
 	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
 	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
+	for i, domain := range domains {
+		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
+		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
 
-	// We need to batch domains into chunks and create one NRPT rule per batch.
-	ruleIndex := 0
-	for i := 0; i < len(domains); i += nrptMaxDomainsPerRule {
-		end := i + nrptMaxDomainsPerRule
-		if end > len(domains) {
-			end = len(domains)
+		singleDomain := []string{domain}
+
+		if err := r.configureDNSPolicy(localPath, singleDomain, ip); err != nil {
+			return i, fmt.Errorf("configure DNS Local policy for domain %s: %w", domain, err)
 		}
-		batchDomains := domains[i:end]
-
-		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, ruleIndex)
-		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, ruleIndex)
-
-		if err := r.configureDNSPolicy(localPath, batchDomains, ip); err != nil {
-			return ruleIndex, fmt.Errorf("configure DNS Local policy for rule %d: %w", ruleIndex, err)
-		}
-
-		// Increment immediately so the caller's cleanup path knows about this rule
-		ruleIndex++
 
 		if r.gpo {
-			if err := r.configureDNSPolicy(gpoPath, batchDomains, ip); err != nil {
-				return ruleIndex, fmt.Errorf("configure gpo DNS policy for rule %d: %w", ruleIndex-1, err)
+			if err := r.configureDNSPolicy(gpoPath, singleDomain, ip); err != nil {
+				return i, fmt.Errorf("configure gpo DNS policy: %w", err)
 			}
 		}
 
-		log.Debugf("added NRPT rule %d with %d domains", ruleIndex-1, len(batchDomains))
+		log.Debugf("added NRPT entry for domain: %s", domain)
 	}
 
 	if r.gpo {
@@ -277,8 +264,8 @@ func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr
 		}
 	}
 
-	log.Infof("added %d NRPT rules for %d domains. Domain list: %v", ruleIndex, len(domains), domains)
-	return ruleIndex, nil
+	log.Infof("added %d separate NRPT entries. Domain list: %s", len(domains), domains)
+	return len(domains), nil
 }
 
 func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []string, ip netip.Addr) error {

client/internal/dns/host_windows_test.go

@@ -12,7 +12,6 @@ import (
 
 // TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
 // when the number of match domains decreases between configuration changes.
-// With batching enabled (50 domains per rule), we need enough domains to create multiple rules.
 func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping registry integration test in short mode")
@@ -38,60 +37,51 @@ func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 		gpo:  false,
 	}
 
-	// Create 125 domains which will result in 3 NRPT rules (50+50+25)
-	domains125 := make([]DomainConfig, 125)
-	for i := 0; i < 125; i++ {
-		domains125[i] = DomainConfig{
-			Domain:    fmt.Sprintf("domain%d.com", i+1),
-			MatchOnly: true,
-		}
-	}
-
-	config125 := HostDNSConfig{
+	config5 := HostDNSConfig{
 		ServerIP: testIP,
-		Domains:  domains125,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+			{Domain: "domain3.com", MatchOnly: true},
+			{Domain: "domain4.com", MatchOnly: true},
+			{Domain: "domain5.com", MatchOnly: true},
+		},
 	}
 
-	err = cfg.applyDNSConfig(config125, nil)
+	err = cfg.applyDNSConfig(config5, nil)
 	require.NoError(t, err)
 
-	// Verify 3 NRPT rules exist
-	assert.Equal(t, 3, cfg.nrptEntryCount, "Should create 3 NRPT rules for 125 domains")
-	for i := 0; i < 3; i++ {
+	// Verify all 5 entries exist
+	for i := 0; i < 5; i++ {
 		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
 		require.NoError(t, err)
-		assert.True(t, exists, "NRPT rule %d should exist after first config", i)
+		assert.True(t, exists, "Entry %d should exist after first config", i)
 	}
 
-	// Reduce to 75 domains which will result in 2 NRPT rules (50+25)
-	domains75 := make([]DomainConfig, 75)
-	for i := 0; i < 75; i++ {
-		domains75[i] = DomainConfig{
-			Domain:    fmt.Sprintf("domain%d.com", i+1),
-			MatchOnly: true,
-		}
-	}
-
-	config75 := HostDNSConfig{
+	config2 := HostDNSConfig{
 		ServerIP: testIP,
-		Domains:  domains75,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+		},
 	}
 
-	err = cfg.applyDNSConfig(config75, nil)
+	err = cfg.applyDNSConfig(config2, nil)
 	require.NoError(t, err)
 
-	// Verify first 2 NRPT rules exist
-	assert.Equal(t, 2, cfg.nrptEntryCount, "Should create 2 NRPT rules for 75 domains")
+	// Verify first 2 entries exist
 	for i := 0; i < 2; i++ {
 		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
 		require.NoError(t, err)
-		assert.True(t, exists, "NRPT rule %d should exist after second config", i)
+		assert.True(t, exists, "Entry %d should exist after second config", i)
 	}
 
-	// Verify rule 2 is cleaned up
-	exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, 2))
-	require.NoError(t, err)
-	assert.False(t, exists, "NRPT rule 2 should NOT exist after reducing to 75 domains")
+	// Verify entries 2-4 are cleaned up
+	for i := 2; i < 5; i++ {
+		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
+		require.NoError(t, err)
+		assert.False(t, exists, "Entry %d should NOT exist after reducing to 2 domains", i)
+	}
 }
 
 func registryKeyExists(path string) (bool, error) {
@@ -107,106 +97,6 @@ func registryKeyExists(path string) (bool, error) {
 }
 
 func cleanupRegistryKeys(*testing.T) {
-	// Clean up more entries to account for batching tests with many domains
-	cfg := &registryConfigurator{nrptEntryCount: 20}
+	cfg := &registryConfigurator{nrptEntryCount: 10}
 	_ = cfg.removeDNSMatchPolicies()
 }
-
-// TestNRPTDomainBatching verifies that domains are correctly batched into NRPT rules.
-func TestNRPTDomainBatching(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping registry integration test in short mode")
-	}
-
-	defer cleanupRegistryKeys(t)
-	cleanupRegistryKeys(t)
-
-	testIP := netip.MustParseAddr("100.64.0.1")
-
-	// Create a test interface registry key so updateSearchDomains doesn't fail
-	testGUID := "{12345678-1234-1234-1234-123456789ABC}"
-	interfacePath := `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` + testGUID
-	testKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, interfacePath, registry.SET_VALUE)
-	require.NoError(t, err, "Should create test interface registry key")
-	testKey.Close()
-	defer func() {
-		_ = registry.DeleteKey(registry.LOCAL_MACHINE, interfacePath)
-	}()
-
-	cfg := &registryConfigurator{
-		guid: testGUID,
-		gpo:  false,
-	}
-
-	testCases := []struct {
-		name              string
-		domainCount       int
-		expectedRuleCount int
-	}{
-		{
-			name:              "Less than 50 domains (single rule)",
-			domainCount:       30,
-			expectedRuleCount: 1,
-		},
-		{
-			name:              "Exactly 50 domains (single rule)",
-			domainCount:       50,
-			expectedRuleCount: 1,
-		},
-		{
-			name:              "51 domains (two rules)",
-			domainCount:       51,
-			expectedRuleCount: 2,
-		},
-		{
-			name:              "100 domains (two rules)",
-			domainCount:       100,
-			expectedRuleCount: 2,
-		},
-		{
-			name:              "125 domains (three rules: 50+50+25)",
-			domainCount:       125,
-			expectedRuleCount: 3,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			// Clean up before each subtest
-			cleanupRegistryKeys(t)
-
-			// Generate domains
-			domains := make([]DomainConfig, tc.domainCount)
-			for i := 0; i < tc.domainCount; i++ {
-				domains[i] = DomainConfig{
-					Domain:    fmt.Sprintf("domain%d.com", i+1),
-					MatchOnly: true,
-				}
-			}
-
-			config := HostDNSConfig{
-				ServerIP: testIP,
-				Domains:  domains,
-			}
-
-			err := cfg.applyDNSConfig(config, nil)
-			require.NoError(t, err)
-
-			// Verify that exactly expectedRuleCount rules were created
-			assert.Equal(t, tc.expectedRuleCount, cfg.nrptEntryCount,
-				"Should create %d NRPT rules for %d domains", tc.expectedRuleCount, tc.domainCount)
-
-			// Verify all expected rules exist
-			for i := 0; i < tc.expectedRuleCount; i++ {
-				exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-				require.NoError(t, err)
-				assert.True(t, exists, "NRPT rule %d should exist", i)
-			}
-
-			// Verify no extra rules were created
-			exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, tc.expectedRuleCount))
-			require.NoError(t, err)
-			assert.False(t, exists, "No NRPT rule should exist at index %d", tc.expectedRuleCount)
-		})
-	}
-}

client/internal/dns/mock_server.go

@@ -84,18 +84,3 @@ func (m *MockServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
 func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	return nil
 }
-
-// BeginBatch mock implementation of BeginBatch from Server interface
-func (m *MockServer) BeginBatch() {
-	// Mock implementation - no-op
-}
-
-// EndBatch mock implementation of EndBatch from Server interface
-func (m *MockServer) EndBatch() {
-	// Mock implementation - no-op
-}
-
-// CancelBatch mock implementation of CancelBatch from Server interface
-func (m *MockServer) CancelBatch() {
-	// Mock implementation - no-op
-}

client/internal/dns/server.go

@@ -6,9 +6,7 @@ import (
 	"fmt"
 	"net/netip"
 	"net/url"
-	"os"
 	"runtime"
-	"strconv"
 	"strings"
 	"sync"
 
@@ -29,8 +27,6 @@ import (
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
-const envSkipDNSProbe = "NB_SKIP_DNS_PROBE"
-
 // ReadyListener is a notification mechanism what indicate the server is ready to handle host dns address changes
 type ReadyListener interface {
 	OnReady()
@@ -45,9 +41,6 @@ type IosDnsManager interface {
 type Server interface {
 	RegisterHandler(domains domain.List, handler dns.Handler, priority int)
 	DeregisterHandler(domains domain.List, priority int)
-	BeginBatch()
-	EndBatch()
-	CancelBatch()
 	Initialize() error
 	Stop()
 	DnsIP() netip.Addr
@@ -90,7 +83,6 @@ type DefaultServer struct {
 	currentConfigHash  uint64
 	handlerChain       *HandlerChain
 	extraDomains       map[domain.Domain]int
-	batchMode          bool
 
 	mgmtCacheResolver *mgmt.Resolver
 
@@ -238,9 +230,7 @@ func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler
 		// convert to zone with simple ref counter
 		s.extraDomains[toZone(domain)]++
 	}
-	if !s.batchMode {
-		s.applyHostConfig()
-	}
+	s.applyHostConfig()
 }
 
 func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, priority int) {
@@ -269,41 +259,9 @@ func (s *DefaultServer) DeregisterHandler(domains domain.List, priority int) {
 			delete(s.extraDomains, zone)
 		}
 	}
-	if !s.batchMode {
-		s.applyHostConfig()
-	}
-}
-
-// BeginBatch starts batch mode for DNS handler registration/deregistration.
-// In batch mode, applyHostConfig() is not called after each handler operation,
-// allowing multiple handlers to be registered/deregistered efficiently.
-// Must be followed by EndBatch() to apply the accumulated changes.
-func (s *DefaultServer) BeginBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode enabled")
-	s.batchMode = true
-}
-
-// EndBatch ends batch mode and applies all accumulated DNS configuration changes.
-func (s *DefaultServer) EndBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode disabled, applying accumulated changes")
-	s.batchMode = false
 	s.applyHostConfig()
 }
 
-// CancelBatch cancels batch mode without applying accumulated changes.
-// This is useful when operations fail partway through and you want to
-// discard partial state rather than applying it.
-func (s *DefaultServer) CancelBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode cancelled, discarding accumulated changes")
-	s.batchMode = false
-}
-
 func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
 	log.Debugf("deregistering handler with priority %d for %v", priority, domains)
 
@@ -481,17 +439,6 @@ func (s *DefaultServer) SearchDomains() []string {
 // ProbeAvailability tests each upstream group's servers for availability
 // and deactivates the group if no server responds
 func (s *DefaultServer) ProbeAvailability() {
-	if val := os.Getenv(envSkipDNSProbe); val != "" {
-		skipProbe, err := strconv.ParseBool(val)
-		if err != nil {
-			log.Warnf("failed to parse %s: %v", envSkipDNSProbe, err)
-		}
-		if skipProbe {
-			log.Infof("skipping DNS probe due to %s", envSkipDNSProbe)
-			return
-		}
-	}
-
 	var wg sync.WaitGroup
 	for _, mux := range s.dnsMuxMap {
 		wg.Add(1)
@@ -561,7 +508,6 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 		s.currentConfig.RouteAll = false
 	}
 
-	// Always apply host config for management updates, regardless of batch mode
 	s.applyHostConfig()
 
 	s.shutdownWg.Add(1)
@@ -926,7 +872,6 @@ func (s *DefaultServer) upstreamCallbacks(
 			}
 		}
 
-		// Always apply host config when nameserver goes down, regardless of batch mode
 		s.applyHostConfig()
 
 		go func() {
@@ -962,7 +907,6 @@ func (s *DefaultServer) upstreamCallbacks(
 			s.registerHandler([]string{nbdns.RootZone}, handler, priority)
 		}
 
-		// Always apply host config when nameserver reactivates, regardless of batch mode
 		s.applyHostConfig()
 
 		s.updateNSState(nsGroup, nil, true)

client/internal/dns/server_export_test.go

@@ -18,12 +18,7 @@ func TestGetServerDns(t *testing.T) {
 		t.Errorf("invalid dns server instance: %s", err)
 	}
 
-	mockSrvB, ok := srvB.(*MockServer)
-	if !ok {
-		t.Errorf("returned server is not a MockServer")
-	}
-
-	if mockSrvB != srv {
+	if srvB != srv {
 		t.Errorf("mismatch dns instances")
 	}
 }

client/internal/dnsfwd/forwarder.go

@@ -190,75 +190,50 @@ func (f *DNSForwarder) Close(ctx context.Context) error {
 	return nberrors.FormatErrorOrNil(result)
 }
 
-func (f *DNSForwarder) handleDNSQuery(logger *log.Entry, w dns.ResponseWriter, query *dns.Msg, startTime time.Time) {
+func (f *DNSForwarder) handleDNSQuery(logger *log.Entry, w dns.ResponseWriter, query *dns.Msg) *dns.Msg {
 	if len(query.Question) == 0 {
-		return
+		return nil
 	}
 	question := query.Question[0]
-	qname := strings.ToLower(question.Name)
+	logger.Tracef("received DNS request for DNS forwarder: domain=%s type=%s class=%s",
+		question.Name, dns.TypeToString[question.Qtype], dns.ClassToString[question.Qclass])
 
-	logger.Tracef("question: domain=%s type=%s class=%s",
-		qname, dns.TypeToString[question.Qtype], dns.ClassToString[question.Qclass])
+	domain := strings.ToLower(question.Name)
 
 	resp := query.SetReply(query)
 	network := resutil.NetworkForQtype(question.Qtype)
 	if network == "" {
 		resp.Rcode = dns.RcodeNotImplemented
-		f.writeResponse(logger, w, resp, qname, startTime)
-		return
+		if err := w.WriteMsg(resp); err != nil {
+			logger.Errorf("failed to write DNS response: %v", err)
+		}
+		return nil
 	}
 
-	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(qname, "."))
+	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(domain, "."))
+	// query doesn't match any configured domain
 	if mostSpecificResId == "" {
 		resp.Rcode = dns.RcodeRefused
-		f.writeResponse(logger, w, resp, qname, startTime)
-		return
+		if err := w.WriteMsg(resp); err != nil {
+			logger.Errorf("failed to write DNS response: %v", err)
+		}
+		return nil
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), upstreamTimeout)
 	defer cancel()
 
-	result := resutil.LookupIP(ctx, f.resolver, network, qname, question.Qtype)
+	result := resutil.LookupIP(ctx, f.resolver, network, domain, question.Qtype)
 	if result.Err != nil {
-		f.handleDNSError(ctx, logger, w, question, resp, qname, result, startTime)
-		return
+		f.handleDNSError(ctx, logger, w, question, resp, domain, result)
+		return nil
 	}
 
 	f.updateInternalState(result.IPs, mostSpecificResId, matchingEntries)
-	resp.Answer = append(resp.Answer, resutil.IPsToRRs(qname, result.IPs, f.ttl)...)
-	f.cache.set(qname, question.Qtype, result.IPs)
+	resp.Answer = append(resp.Answer, resutil.IPsToRRs(domain, result.IPs, f.ttl)...)
+	f.cache.set(domain, question.Qtype, result.IPs)
 
-	f.writeResponse(logger, w, resp, qname, startTime)
-}
-
-func (f *DNSForwarder) writeResponse(logger *log.Entry, w dns.ResponseWriter, resp *dns.Msg, qname string, startTime time.Time) {
-	if err := w.WriteMsg(resp); err != nil {
-		logger.Errorf("failed to write DNS response: %v", err)
-		return
-	}
-
-	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
-		qname, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
-}
-
-// udpResponseWriter wraps a dns.ResponseWriter to handle UDP-specific truncation.
-type udpResponseWriter struct {
-	dns.ResponseWriter
-	query *dns.Msg
-}
-
-func (u *udpResponseWriter) WriteMsg(resp *dns.Msg) error {
-	opt := u.query.IsEdns0()
-	maxSize := dns.MinMsgSize
-	if opt != nil {
-		maxSize = int(opt.UDPSize())
-	}
-
-	if resp.Len() > maxSize {
-		resp.Truncate(maxSize)
-	}
-
-	return u.ResponseWriter.WriteMsg(resp)
+	return resp
 }
 
 func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
@@ -268,7 +243,30 @@ func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
 		"dns_id":     fmt.Sprintf("%04x", query.Id),
 	})
 
-	f.handleDNSQuery(logger, &udpResponseWriter{ResponseWriter: w, query: query}, query, startTime)
+	resp := f.handleDNSQuery(logger, w, query)
+	if resp == nil {
+		return
+	}
+
+	opt := query.IsEdns0()
+	maxSize := dns.MinMsgSize
+	if opt != nil {
+		// client advertised a larger EDNS0 buffer
+		maxSize = int(opt.UDPSize())
+	}
+
+	// if our response is too big, truncate and set the TC bit
+	if resp.Len() > maxSize {
+		resp.Truncate(maxSize)
+	}
+
+	if err := w.WriteMsg(resp); err != nil {
+		logger.Errorf("failed to write DNS response: %v", err)
+		return
+	}
+
+	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
+		query.Question[0].Name, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
 }
 
 func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
@@ -278,7 +276,18 @@ func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
 		"dns_id":     fmt.Sprintf("%04x", query.Id),
 	})
 
-	f.handleDNSQuery(logger, w, query, startTime)
+	resp := f.handleDNSQuery(logger, w, query)
+	if resp == nil {
+		return
+	}
+
+	if err := w.WriteMsg(resp); err != nil {
+		logger.Errorf("failed to write DNS response: %v", err)
+		return
+	}
+
+	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
+		query.Question[0].Name, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
 }
 
 func (f *DNSForwarder) updateInternalState(ips []netip.Addr, mostSpecificResId route.ResID, matchingEntries []*ForwarderEntry) {
@@ -325,7 +334,6 @@ func (f *DNSForwarder) handleDNSError(
 	resp *dns.Msg,
 	domain string,
 	result resutil.LookupResult,
-	startTime time.Time,
 ) {
 	qType := question.Qtype
 	qTypeName := dns.TypeToString[qType]
@@ -335,7 +343,9 @@ func (f *DNSForwarder) handleDNSError(
 	// NotFound: cache negative result and respond
 	if result.Rcode == dns.RcodeNameError || result.Rcode == dns.RcodeSuccess {
 		f.cache.set(domain, question.Qtype, nil)
-		f.writeResponse(logger, w, resp, domain, startTime)
+		if writeErr := w.WriteMsg(resp); writeErr != nil {
+			logger.Errorf("failed to write failure DNS response: %v", writeErr)
+		}
 		return
 	}
 
@@ -345,7 +355,9 @@ func (f *DNSForwarder) handleDNSError(
 			logger.Debugf("serving cached DNS response after upstream failure: domain=%s type=%s", domain, qTypeName)
 			resp.Answer = append(resp.Answer, resutil.IPsToRRs(domain, ips, f.ttl)...)
 			resp.Rcode = dns.RcodeSuccess
-			f.writeResponse(logger, w, resp, domain, startTime)
+			if writeErr := w.WriteMsg(resp); writeErr != nil {
+				logger.Errorf("failed to write cached DNS response: %v", writeErr)
+			}
 			return
 		}
 
@@ -353,7 +365,9 @@ func (f *DNSForwarder) handleDNSError(
 		verifyResult := resutil.LookupIP(ctx, f.resolver, resutil.NetworkForQtype(qType), domain, qType)
 		if verifyResult.Rcode == dns.RcodeNameError || verifyResult.Rcode == dns.RcodeSuccess {
 			resp.Rcode = verifyResult.Rcode
-			f.writeResponse(logger, w, resp, domain, startTime)
+			if writeErr := w.WriteMsg(resp); writeErr != nil {
+				logger.Errorf("failed to write failure DNS response: %v", writeErr)
+			}
 			return
 		}
 	}
@@ -361,12 +375,15 @@ func (f *DNSForwarder) handleDNSError(
 	// No cache or verification failed. Log with or without the server field for more context.
 	var dnsErr *net.DNSError
 	if errors.As(result.Err, &dnsErr) && dnsErr.Server != "" {
-		logger.Warnf("upstream failure: type=%s domain=%s server=%s: %v", qTypeName, domain, dnsErr.Server, result.Err)
+		logger.Warnf("failed to resolve: type=%s domain=%s server=%s: %v", qTypeName, domain, dnsErr.Server, result.Err)
 	} else {
 		logger.Warnf(errResolveFailed, domain, result.Err)
 	}
 
-	f.writeResponse(logger, w, resp, domain, startTime)
+	// Write final failure response.
+	if writeErr := w.WriteMsg(resp); writeErr != nil {
+		logger.Errorf("failed to write failure DNS response: %v", writeErr)
+	}
 }
 
 // getMatchingEntries retrieves the resource IDs for a given domain.

client/internal/dnsfwd/forwarder_test.go

@@ -318,9 +318,8 @@ func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
 			query.SetQuestion(dns.Fqdn(tt.queryDomain), dns.TypeA)
 
 			mockWriter := &test.MockResponseWriter{}
-			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
+			resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
 
-			resp := mockWriter.GetLastResponse()
 			if tt.shouldResolve {
 				require.NotNil(t, resp, "Expected response for authorized domain")
 				require.Equal(t, dns.RcodeSuccess, resp.Rcode, "Expected successful response")
@@ -330,9 +329,10 @@ func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
 				mockFirewall.AssertExpectations(t)
 				mockResolver.AssertExpectations(t)
 			} else {
-				require.NotNil(t, resp, "Expected response")
-				assert.True(t, len(resp.Answer) == 0 || resp.Rcode != dns.RcodeSuccess,
-					"Unauthorized domain should not return successful answers")
+				if resp != nil {
+					assert.True(t, len(resp.Answer) == 0 || resp.Rcode != dns.RcodeSuccess,
+						"Unauthorized domain should not return successful answers")
+				}
 				mockFirewall.AssertNotCalled(t, "UpdateSet")
 				mockResolver.AssertNotCalled(t, "LookupNetIP")
 			}
@@ -466,16 +466,14 @@ func TestDNSForwarder_FirewallSetUpdates(t *testing.T) {
 			dnsQuery.SetQuestion(dns.Fqdn(tt.query), dns.TypeA)
 
 			mockWriter := &test.MockResponseWriter{}
-			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, dnsQuery, time.Now())
+			resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, dnsQuery)
 
 			// Verify response
-			resp := mockWriter.GetLastResponse()
 			if tt.shouldResolve {
 				require.NotNil(t, resp, "Expected response for authorized domain")
 				require.Equal(t, dns.RcodeSuccess, resp.Rcode)
 				require.NotEmpty(t, resp.Answer)
-			} else {
-				require.NotNil(t, resp, "Expected response")
+			} else if resp != nil {
 				assert.True(t, resp.Rcode == dns.RcodeRefused || len(resp.Answer) == 0,
 					"Unauthorized domain should be refused or have no answers")
 			}
@@ -530,10 +528,9 @@ func TestDNSForwarder_MultipleIPsInSingleUpdate(t *testing.T) {
 	query.SetQuestion("example.com.", dns.TypeA)
 
 	mockWriter := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
+	resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
 
 	// Verify response contains all IPs
-	resp := mockWriter.GetLastResponse()
 	require.NotNil(t, resp)
 	require.Equal(t, dns.RcodeSuccess, resp.Rcode)
 	require.Len(t, resp.Answer, 3, "Should have 3 answer records")
@@ -608,7 +605,7 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 				},
 			}
 
-			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
+			_ = forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
 
 			// Check the response written to the writer
 			require.NotNil(t, writtenResp, "Expected response to be written")
@@ -678,8 +675,7 @@ func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 	q1 := &dns.Msg{}
 	q1.SetQuestion(dns.Fqdn("example.com"), dns.TypeA)
 	w1 := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1, time.Now())
-	resp1 := w1.GetLastResponse()
+	resp1 := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1)
 	require.NotNil(t, resp1)
 	require.Equal(t, dns.RcodeSuccess, resp1.Rcode)
 	require.Len(t, resp1.Answer, 1)
@@ -687,13 +683,13 @@ func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 	// Second query: serve from cache after upstream failure
 	q2 := &dns.Msg{}
 	q2.SetQuestion(dns.Fqdn("example.com"), dns.TypeA)
-	w2 := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2, time.Now())
+	var writtenResp *dns.Msg
+	w2 := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { writtenResp = m; return nil }}
+	_ = forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2)
 
-	resp2 := w2.GetLastResponse()
-	require.NotNil(t, resp2, "expected response to be written")
-	require.Equal(t, dns.RcodeSuccess, resp2.Rcode)
-	require.Len(t, resp2.Answer, 1)
+	require.NotNil(t, writtenResp, "expected response to be written")
+	require.Equal(t, dns.RcodeSuccess, writtenResp.Rcode)
+	require.Len(t, writtenResp.Answer, 1)
 
 	mockResolver.AssertExpectations(t)
 }
@@ -719,8 +715,7 @@ func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {
 	q1 := &dns.Msg{}
 	q1.SetQuestion(mixedQuery+".", dns.TypeA)
 	w1 := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1, time.Now())
-	resp1 := w1.GetLastResponse()
+	resp1 := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1)
 	require.NotNil(t, resp1)
 	require.Equal(t, dns.RcodeSuccess, resp1.Rcode)
 	require.Len(t, resp1.Answer, 1)
@@ -732,13 +727,13 @@ func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {
 
 	q2 := &dns.Msg{}
 	q2.SetQuestion("EXAMPLE.COM", dns.TypeA)
-	w2 := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2, time.Now())
+	var writtenResp *dns.Msg
+	w2 := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { writtenResp = m; return nil }}
+	_ = forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2)
 
-	resp2 := w2.GetLastResponse()
-	require.NotNil(t, resp2)
-	require.Equal(t, dns.RcodeSuccess, resp2.Rcode)
-	require.Len(t, resp2.Answer, 1)
+	require.NotNil(t, writtenResp)
+	require.Equal(t, dns.RcodeSuccess, writtenResp.Rcode)
+	require.Len(t, writtenResp.Answer, 1)
 
 	mockResolver.AssertExpectations(t)
 }
@@ -789,9 +784,8 @@ func TestDNSForwarder_MultipleOverlappingPatterns(t *testing.T) {
 	query.SetQuestion("smtp.mail.example.com.", dns.TypeA)
 
 	mockWriter := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
+	resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
 
-	resp := mockWriter.GetLastResponse()
 	require.NotNil(t, resp)
 	assert.Equal(t, dns.RcodeSuccess, resp.Rcode)
 
@@ -903,15 +897,26 @@ func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {
 			query := &dns.Msg{}
 			query.SetQuestion(dns.Fqdn("example.com"), tt.queryType)
 
-			mockWriter := &test.MockResponseWriter{}
-			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
+			var writtenResp *dns.Msg
+			mockWriter := &test.MockResponseWriter{
+				WriteMsgFunc: func(m *dns.Msg) error {
+					writtenResp = m
+					return nil
+				},
+			}
 
-			resp := mockWriter.GetLastResponse()
-			require.NotNil(t, resp, "Expected response to be written")
-			assert.Equal(t, tt.expectedCode, resp.Rcode, tt.description)
+			resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
+
+			// If a response was returned, it means it should be written (happens in wrapper functions)
+			if resp != nil && writtenResp == nil {
+				writtenResp = resp
+			}
+
+			require.NotNil(t, writtenResp, "Expected response to be written")
+			assert.Equal(t, tt.expectedCode, writtenResp.Rcode, tt.description)
 
 			if tt.expectNoAnswer {
-				assert.Empty(t, resp.Answer, "Response should have no answer records")
+				assert.Empty(t, writtenResp.Answer, "Response should have no answer records")
 			}
 
 			mockResolver.AssertExpectations(t)
@@ -926,8 +931,15 @@ func TestDNSForwarder_EmptyQuery(t *testing.T) {
 	query := &dns.Msg{}
 	// Don't set any question
 
-	mockWriter := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
+	writeCalled := false
+	mockWriter := &test.MockResponseWriter{
+		WriteMsgFunc: func(m *dns.Msg) error {
+			writeCalled = true
+			return nil
+		},
+	}
+	resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
 
-	assert.Nil(t, mockWriter.GetLastResponse(), "Should not write response for empty query")
+	assert.Nil(t, resp, "Should return nil for empty query")
+	assert.False(t, writeCalled, "Should not write response for empty query")
 }

client/internal/engine.go

@@ -29,7 +29,6 @@ import (
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
-	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/debug"
@@ -217,10 +216,6 @@ type Engine struct {
 	// WireGuard interface monitor
 	wgIfaceMonitor *WGIfaceMonitor
 
-	// readyChan is closed when the first sync message is received from management
-	readyChan     chan struct{}
-	readyChanOnce sync.Once
-
 	// shutdownWg tracks all long-running goroutines to ensure clean shutdown
 	shutdownWg sync.WaitGroup
 
@@ -279,10 +274,6 @@ func NewEngine(
 	return engine
 }
 
-func (e *Engine) SetReadyChan(ch chan struct{}) {
-	e.readyChan = ch
-}
-
 func (e *Engine) Stop() error {
 	if e == nil {
 		// this seems to be a very odd case but there was the possibility if the netbird down command comes before the engine is fully started
@@ -552,12 +543,11 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	// monitor WireGuard interface lifecycle and restart engine on changes
 	e.wgIfaceMonitor = NewWGIfaceMonitor()
 	e.shutdownWg.Add(1)
-	wgIfaceName := e.wgInterface.Name()
 
 	go func() {
 		defer e.shutdownWg.Done()
 
-		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, wgIfaceName); shouldRestart {
+		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, e.wgInterface.Name()); shouldRestart {
 			log.Infof("WireGuard interface monitor: %s, restarting engine", err)
 			e.triggerClientRestart()
 		} else if err != nil {
@@ -838,17 +828,6 @@ func (e *Engine) handleAutoUpdateVersion(autoUpdateSettings *mgmProto.AutoUpdate
 }
 
 func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
-	started := time.Now()
-	defer func() {
-		log.Infof("sync finished in %s", time.Since(started))
-	}()
-
-	e.readyChanOnce.Do(func() {
-		if e.readyChan != nil {
-			close(e.readyChan)
-		}
-	})
-
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 
@@ -895,11 +874,9 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		// todo update signal
 	}
 
-	uCheckTime := time.Now()
 	if err := e.updateChecksIfNew(update.Checks); err != nil {
 		return err
 	}
-	log.Infof("update check finished in %s", time.Since(uCheckTime))
 
 	nm := update.GetNetworkMap()
 	if nm == nil {
@@ -942,9 +919,7 @@ func (e *Engine) handleRelayUpdate(update *mgmProto.RelayConfig) error {
 			return fmt.Errorf("update relay token: %w", err)
 		}
 
-		if !relayClient.IsDisableRelay() {
-			e.relayManager.UpdateServerURLs(update.Urls)
-		}
+		e.relayManager.UpdateServerURLs(update.Urls)
 
 		// Just in case the agent started with an MGM server where the relay was disabled but was later enabled.
 		// We can ignore all errors because the guard will manage the reconnection retries.
@@ -1943,7 +1918,7 @@ func (e *Engine) triggerClientRestart() {
 }
 
 func (e *Engine) startNetworkMonitor() {
-	if !e.config.NetworkMonitor || nbnetstack.IsEnabled() {
+	if !e.config.NetworkMonitor {
 		log.Infof("Network monitor is disabled, not starting")
 		return
 	}

client/internal/networkmonitor/monitor.go

@@ -14,6 +14,7 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )
 
@@ -37,6 +38,11 @@ func New() *NetworkMonitor {
 
 // Listen begins monitoring network changes. When a change is detected, this function will return without error.
 func (nw *NetworkMonitor) Listen(ctx context.Context) (err error) {
+	if netstack.IsEnabled() {
+		log.Debugf("Network monitor: skipping in netstack mode")
+		return nil
+	}
+
 	nw.mu.Lock()
 	if nw.cancel != nil {
 		nw.mu.Unlock()

client/internal/peer/conn.go

@@ -410,7 +410,7 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 	conn.doOnConnected(iceConnInfo.RosenpassPubKey, iceConnInfo.RosenpassAddr)
 }
 
-func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
+func (conn *Conn) onICEStateDisconnected() {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()
 
@@ -430,18 +430,14 @@ func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
 	if conn.isReadyToUpgrade() {
 		conn.Log.Infof("ICE disconnected, set Relay to active connection")
 		conn.dumpState.SwitchToRelay()
-		if sessionChanged {
-			conn.resetEndpoint()
-		}
-
-		// todo consider to move after the ConfigureWGEndpoint
 		conn.wgProxyRelay.Work()
 
 		presharedKey := conn.presharedKey(conn.rosenpassRemoteKey)
-		if err := conn.endpointUpdater.SwitchWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
+		if err := conn.endpointUpdater.ConfigureWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
 			conn.Log.Errorf("failed to switch to relay conn: %v", err)
 		}
 
+		conn.wgProxyRelay.Work()
 		conn.currentConnPriority = conntype.Relay
 	} else {
 		conn.Log.Infof("ICE disconnected, do not switch to Relay. Reset priority to: %s", conntype.None.String())
@@ -503,22 +499,20 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 		return
 	}
 
-	controller := isController(conn.config)
+	wgProxy.Work()
+	presharedKey := conn.presharedKey(rci.rosenpassPubKey)
 
-	if controller {
-		wgProxy.Work()
-	}
 	conn.enableWgWatcherIfNeeded()
-	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), conn.presharedKey(rci.rosenpassPubKey)); err != nil {
+
+	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), presharedKey); err != nil {
 		if err := wgProxy.CloseConn(); err != nil {
 			conn.Log.Warnf("Failed to close relay connection: %v", err)
 		}
 		conn.Log.Errorf("Failed to update WireGuard peer configuration: %v", err)
 		return
 	}
-	if !controller {
-		wgProxy.Work()
-	}
+
+	wgConfigWorkaround()
 	conn.rosenpassRemoteKey = rci.rosenpassPubKey
 	conn.currentConnPriority = conntype.Relay
 	conn.statusRelay.SetConnected()
@@ -763,17 +757,6 @@ func (conn *Conn) newProxy(remoteConn net.Conn) (wgproxy.Proxy, error) {
 	return wgProxy, nil
 }
 
-func (conn *Conn) resetEndpoint() {
-	if !isController(conn.config) {
-		return
-	}
-	conn.Log.Infof("reset wg endpoint")
-	conn.wgWatcher.Reset()
-	if err := conn.endpointUpdater.RemoveEndpointAddress(); err != nil {
-		conn.Log.Warnf("failed to remove endpoint address before update: %v", err)
-	}
-}
-
 func (conn *Conn) isReadyToUpgrade() bool {
 	return conn.wgProxyRelay != nil && conn.currentConnPriority != conntype.Relay
 }
@@ -879,3 +862,9 @@ func isController(config ConnConfig) bool {
 func isRosenpassEnabled(remoteRosenpassPubKey []byte) bool {
 	return remoteRosenpassPubKey != nil
 }
+
+// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
+// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
+func wgConfigWorkaround() {
+	time.Sleep(100 * time.Millisecond)
+}

client/internal/peer/endpoint.go

@@ -34,27 +34,28 @@ func NewEndpointUpdater(log *logrus.Entry, wgConfig WgConfig, initiator bool) *E
 	}
 }
 
+// ConfigureWGEndpoint sets up the WireGuard endpoint configuration.
+// The initiator immediately configures the endpoint, while the non-initiator
+// waits for a fallback period before configuring to avoid handshake congestion.
 func (e *EndpointUpdater) ConfigureWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
 	e.mu.Lock()
 	defer e.mu.Unlock()
 
 	if e.initiator {
-		e.log.Debugf("configure up WireGuard as initiator")
-		return e.configureAsInitiator(addr, presharedKey)
+		e.log.Debugf("configure up WireGuard as initiatr")
+		return e.updateWireGuardPeer(addr, presharedKey)
 	}
 
-	e.log.Debugf("configure up WireGuard as responder")
-	return e.configureAsResponder(addr, presharedKey)
-}
-
-func (e *EndpointUpdater) SwitchWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
 	// prevent to run new update while cancel the previous update
 	e.waitForCloseTheDelayedUpdate()
 
-	return e.updateWireGuardPeer(addr, presharedKey)
+	var ctx context.Context
+	ctx, e.cancelFunc = context.WithCancel(context.Background())
+	e.updateWg.Add(1)
+	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
+
+	e.log.Debugf("configure up WireGuard and wait for handshake")
+	return e.updateWireGuardPeer(nil, presharedKey)
 }
 
 func (e *EndpointUpdater) RemoveWgPeer() error {
@@ -65,38 +66,6 @@ func (e *EndpointUpdater) RemoveWgPeer() error {
 	return e.wgConfig.WgInterface.RemovePeer(e.wgConfig.RemoteKey)
 }
 
-func (e *EndpointUpdater) RemoveEndpointAddress() error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	e.waitForCloseTheDelayedUpdate()
-	return e.wgConfig.WgInterface.RemoveEndpointAddress(e.wgConfig.RemoteKey)
-}
-
-func (e *EndpointUpdater) configureAsInitiator(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	if err := e.updateWireGuardPeer(addr, presharedKey); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (e *EndpointUpdater) configureAsResponder(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	// prevent to run new update while cancel the previous update
-	e.waitForCloseTheDelayedUpdate()
-
-	e.log.Debugf("configure up WireGuard and wait for handshake")
-	var ctx context.Context
-	ctx, e.cancelFunc = context.WithCancel(context.Background())
-	e.updateWg.Add(1)
-	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
-
-	if err := e.updateWireGuardPeer(nil, presharedKey); err != nil {
-		e.waitForCloseTheDelayedUpdate()
-		return err
-	}
-	return nil
-}
-
 func (e *EndpointUpdater) waitForCloseTheDelayedUpdate() {
 	if e.cancelFunc == nil {
 		return
@@ -132,9 +101,3 @@ func (e *EndpointUpdater) updateWireGuardPeer(endpoint *net.UDPAddr, presharedKe
 		presharedKey,
 	)
 }
-
-// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
-// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
-func wgConfigWorkaround() {
-	time.Sleep(100 * time.Millisecond)
-}

client/internal/peer/ice/agent.go

@@ -2,7 +2,6 @@ package ice
 
 import (
 	"context"
-	"fmt"
 	"sync"
 	"time"
 
@@ -12,7 +11,6 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/internal/stdnet"
-	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 )
 
 const (
@@ -34,6 +32,24 @@ type ThreadSafeAgent struct {
 	once sync.Once
 }
 
+func (a *ThreadSafeAgent) Close() error {
+	var err error
+	a.once.Do(func() {
+		done := make(chan error, 1)
+		go func() {
+			done <- a.Agent.Close()
+		}()
+
+		select {
+		case err = <-done:
+		case <-time.After(iceAgentCloseTimeout):
+			log.Warnf("ICE agent close timed out after %v, proceeding with cleanup", iceAgentCloseTimeout)
+			err = nil
+		}
+	})
+	return err
+}
+
 func NewAgent(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
@@ -77,41 +93,9 @@ func NewAgent(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, c
 		return nil, err
 	}
 
-	if agent == nil {
-		return nil, fmt.Errorf("ice.NewAgent returned nil agent without error")
-	}
-
 	return &ThreadSafeAgent{Agent: agent}, nil
 }
 
-func (a *ThreadSafeAgent) Close() error {
-	var err error
-	a.once.Do(func() {
-		// Defensive check to prevent nil pointer dereference
-		// This can happen during sleep/wake transitions or memory corruption scenarios
-		// github.com/netbirdio/netbird/client/internal/peer/ice.(*ThreadSafeAgent).Close(0x40006883f0?)
-		//  [signal 0xc0000005 code=0x0 addr=0x0 pc=0x7ff7e73af83c]
-		agent := a.Agent
-		if agent == nil {
-			log.Warnf("ICE agent is nil during close, skipping")
-			return
-		}
-
-		done := make(chan error, 1)
-		go func() {
-			done <- agent.Close()
-		}()
-
-		select {
-		case err = <-done:
-		case <-time.After(iceAgentCloseTimeout):
-			log.Warnf("ICE agent close timed out after %v, proceeding with cleanup", iceAgentCloseTimeout)
-			err = nil
-		}
-	})
-	return err
-}
-
 func GenerateICECredentials() (string, string, error) {
 	ufrag, err := randutil.GenerateCryptoRandomString(lenUFrag, runesAlpha)
 	if err != nil {
@@ -126,10 +110,6 @@ func GenerateICECredentials() (string, string, error) {
 }
 
 func CandidateTypes() []ice.CandidateType {
-	if relayClient.IsDisableRelay() {
-		return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay}
-	}
-
 	if hasICEForceRelayConn() {
 		return []ice.CandidateType{ice.CandidateTypeRelay}
 	}

client/internal/peer/wg_watcher.go

@@ -32,8 +32,6 @@ type WGWatcher struct {
 
 	enabled   bool
 	muEnabled sync.RWMutex
-
-	resetCh chan struct{}
 }
 
 func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey string, stateDump *stateDump) *WGWatcher {
@@ -42,7 +40,6 @@ func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey strin
 		wgIfaceStater: wgIfaceStater,
 		peerKey:       peerKey,
 		stateDump:     stateDump,
-		resetCh:       make(chan struct{}, 1),
 	}
 }
 
@@ -79,15 +76,6 @@ func (w *WGWatcher) IsEnabled() bool {
 	return w.enabled
 }
 
-// Reset signals the watcher that the WireGuard peer has been reset and a new
-// handshake is expected. This restarts the handshake timeout from scratch.
-func (w *WGWatcher) Reset() {
-	select {
-	case w.resetCh <- struct{}{}:
-	default:
-	}
-}
-
 // wgStateCheck help to check the state of the WireGuard handshake and relay connection
 func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn func(), enabledTime time.Time, initialHandshake time.Time) {
 	w.log.Infof("WireGuard watcher started")
@@ -117,12 +105,6 @@ func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn
 			w.stateDump.WGcheckSuccess()
 
 			w.log.Debugf("WireGuard watcher reset timer: %v", resetTime)
-		case <-w.resetCh:
-			w.log.Infof("WireGuard watcher received peer reset, restarting handshake timeout")
-			lastHandshake = time.Time{}
-			enabledTime = time.Now()
-			timer.Stop()
-			timer.Reset(wgHandshakeOvertime)
 		case <-ctx.Done():
 			w.log.Infof("WireGuard watcher stopped")
 			return

client/internal/peer/worker_ice.go

@@ -52,9 +52,8 @@ type WorkerICE struct {
 	// increase by one when disconnecting the agent
 	// with it the remote peer can discard the already deprecated offer/answer
 	// Without it the remote peer may recreate a workable ICE connection
-	sessionID            ICESessionID
-	remoteSessionChanged bool
-	muxAgent             sync.Mutex
+	sessionID ICESessionID
+	muxAgent  sync.Mutex
 
 	localUfrag string
 	localPwd   string
@@ -107,12 +106,9 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 			return
 		}
 		w.log.Debugf("agent already exists, recreate the connection")
-		w.remoteSessionChanged = true
 		w.agentDialerCancel()
-		if w.agent != nil {
-			if err := w.agent.Close(); err != nil {
-				w.log.Warnf("failed to close ICE agent: %s", err)
-			}
+		if err := w.agent.Close(); err != nil {
+			w.log.Warnf("failed to close ICE agent: %s", err)
 		}
 
 		sessionID, err := NewICESessionID()
@@ -308,17 +304,13 @@ func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent
 	w.conn.onICEConnectionIsReady(selectedPriority(pair), ci)
 }
 
-func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) bool {
+func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) {
 	cancel()
 	if err := agent.Close(); err != nil {
 		w.log.Warnf("failed to close ICE agent: %s", err)
 	}
 
 	w.muxAgent.Lock()
-	defer w.muxAgent.Unlock()
-
-	sessionChanged := w.remoteSessionChanged
-	w.remoteSessionChanged = false
 
 	if w.agent == agent {
 		// consider to remove from here and move to the OnNewOffer
@@ -331,7 +323,7 @@ func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.C
 		w.agentConnecting = false
 		w.remoteSessionID = ""
 	}
-	return sessionChanged
+	w.muxAgent.Unlock()
 }
 
 func (w *WorkerICE) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
@@ -432,11 +424,11 @@ func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dia
 			// ice.ConnectionStateClosed happens when we recreate the agent. For the P2P to TURN switch important to
 			// notify the conn.onICEStateDisconnected changes to update the current used priority
 
-			sessionChanged := w.closeAgent(agent, dialerCancel)
+			w.closeAgent(agent, dialerCancel)
 
 			if w.lastKnownState == ice.ConnectionStateConnected {
 				w.lastKnownState = ice.ConnectionStateDisconnected
-				w.conn.onICEStateDisconnected(sessionChanged)
+				w.conn.onICEStateDisconnected()
 			}
 		default:
 			return

client/internal/profilemanager/config.go

@@ -252,7 +252,7 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 	}
 
 	if config.AdminURL == nil {
-		log.Infof("using default Admin URL %s", DefaultAdminURL)
+		log.Infof("using default Admin URL %s", DefaultManagementURL)
 		config.AdminURL, err = parseURL("Admin URL", DefaultAdminURL)
 		if err != nil {
 			return false, err

client/internal/routemanager/manager.go

@@ -173,21 +173,12 @@ func (m *DefaultManager) setupAndroidRoutes(config ManagerConfig) {
 }
 
 func (m *DefaultManager) setupRefCounters(useNoop bool) {
-	var once sync.Once
-	var wgIface *net.Interface
-	toInterface := func() *net.Interface {
-		once.Do(func() {
-			wgIface = m.wgInterface.ToInterface()
-		})
-		return wgIface
-	}
-
 	m.routeRefCounter = refcounter.New(
 		func(prefix netip.Prefix, _ struct{}) (struct{}, error) {
-			return struct{}{}, m.sysOps.AddVPNRoute(prefix, toInterface())
+			return struct{}{}, m.sysOps.AddVPNRoute(prefix, m.wgInterface.ToInterface())
 		},
 		func(prefix netip.Prefix, _ struct{}) error {
-			return m.sysOps.RemoveVPNRoute(prefix, toInterface())
+			return m.sysOps.RemoveVPNRoute(prefix, m.wgInterface.ToInterface())
 		},
 	)
 
@@ -346,23 +337,6 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 	}
 
 	var merr *multierror.Error
-
-	// Begin batch mode to avoid calling applyHostConfig() after each DNS handler operation
-	batchStarted := false
-	if m.dnsServer != nil {
-		m.dnsServer.BeginBatch()
-		batchStarted = true
-		defer func() {
-			if merr != nil {
-				// On error, cancel batch to discard partial DNS state
-				m.dnsServer.CancelBatch()
-			} else {
-				// On success, apply accumulated DNS changes
-				m.dnsServer.EndBatch()
-			}
-		}()
-	}
-
 	for id, handler := range toRemove {
 		if err := handler.RemoveRoute(); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("remove route %s: %w", handler.String(), err))
@@ -393,7 +367,6 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 		m.activeRoutes[id] = handler
 	}
 
-	_ = batchStarted // Mark as used
 	return nberrors.FormatErrorOrNil(merr)
 }
 

client/internal/routemanager/systemops/routeflags_bsd.go

@@ -4,17 +4,16 @@ package systemops
 
 import (
 	"strings"
-
-	"golang.org/x/sys/unix"
+	"syscall"
 )
 
 // filterRoutesByFlags returns true if the route message should be ignored based on its flags.
 func filterRoutesByFlags(routeMessageFlags int) bool {
-	if routeMessageFlags&unix.RTF_UP == 0 {
+	if routeMessageFlags&syscall.RTF_UP == 0 {
 		return true
 	}
 
-	if routeMessageFlags&(unix.RTF_REJECT|unix.RTF_BLACKHOLE|unix.RTF_WASCLONED) != 0 {
+	if routeMessageFlags&(syscall.RTF_REJECT|syscall.RTF_BLACKHOLE|syscall.RTF_WASCLONED) != 0 {
 		return true
 	}
 
@@ -25,51 +24,42 @@ func filterRoutesByFlags(routeMessageFlags int) bool {
 func formatBSDFlags(flags int) string {
 	var flagStrs []string
 
-	if flags&unix.RTF_UP != 0 {
+	if flags&syscall.RTF_UP != 0 {
 		flagStrs = append(flagStrs, "U")
 	}
-	if flags&unix.RTF_GATEWAY != 0 {
+	if flags&syscall.RTF_GATEWAY != 0 {
 		flagStrs = append(flagStrs, "G")
 	}
-	if flags&unix.RTF_HOST != 0 {
+	if flags&syscall.RTF_HOST != 0 {
 		flagStrs = append(flagStrs, "H")
 	}
-	if flags&unix.RTF_REJECT != 0 {
+	if flags&syscall.RTF_REJECT != 0 {
 		flagStrs = append(flagStrs, "R")
 	}
-	if flags&unix.RTF_DYNAMIC != 0 {
+	if flags&syscall.RTF_DYNAMIC != 0 {
 		flagStrs = append(flagStrs, "D")
 	}
-	if flags&unix.RTF_MODIFIED != 0 {
+	if flags&syscall.RTF_MODIFIED != 0 {
 		flagStrs = append(flagStrs, "M")
 	}
-	if flags&unix.RTF_STATIC != 0 {
+	if flags&syscall.RTF_STATIC != 0 {
 		flagStrs = append(flagStrs, "S")
 	}
-	if flags&unix.RTF_LLINFO != 0 {
+	if flags&syscall.RTF_LLINFO != 0 {
 		flagStrs = append(flagStrs, "L")
 	}
-	if flags&unix.RTF_LOCAL != 0 {
+	if flags&syscall.RTF_LOCAL != 0 {
 		flagStrs = append(flagStrs, "l")
 	}
-	if flags&unix.RTF_BLACKHOLE != 0 {
+	if flags&syscall.RTF_BLACKHOLE != 0 {
 		flagStrs = append(flagStrs, "B")
 	}
-	if flags&unix.RTF_CLONING != 0 {
+	if flags&syscall.RTF_CLONING != 0 {
 		flagStrs = append(flagStrs, "C")
 	}
-	if flags&unix.RTF_WASCLONED != 0 {
+	if flags&syscall.RTF_WASCLONED != 0 {
 		flagStrs = append(flagStrs, "W")
 	}
-	if flags&unix.RTF_PROTO1 != 0 {
-		flagStrs = append(flagStrs, "1")
-	}
-	if flags&unix.RTF_PROTO2 != 0 {
-		flagStrs = append(flagStrs, "2")
-	}
-	if flags&unix.RTF_PROTO3 != 0 {
-		flagStrs = append(flagStrs, "3")
-	}
 
 	if len(flagStrs) == 0 {
 		return "-"

client/internal/routemanager/systemops/routeflags_freebsd.go

@@ -4,18 +4,17 @@ package systemops
 
 import (
 	"strings"
-
-	"golang.org/x/sys/unix"
+	"syscall"
 )
 
 // filterRoutesByFlags returns true if the route message should be ignored based on its flags.
 func filterRoutesByFlags(routeMessageFlags int) bool {
-	if routeMessageFlags&unix.RTF_UP == 0 {
+	if routeMessageFlags&syscall.RTF_UP == 0 {
 		return true
 	}
 
-	// NOTE: RTF_WASCLONED deprecated in FreeBSD 8.0
-	if routeMessageFlags&(unix.RTF_REJECT|unix.RTF_BLACKHOLE) != 0 {
+	// NOTE: syscall.RTF_WASCLONED deprecated in FreeBSD 8.0
+	if routeMessageFlags&(syscall.RTF_REJECT|syscall.RTF_BLACKHOLE) != 0 {
 		return true
 	}
 
@@ -26,46 +25,37 @@ func filterRoutesByFlags(routeMessageFlags int) bool {
 func formatBSDFlags(flags int) string {
 	var flagStrs []string
 
-	if flags&unix.RTF_UP != 0 {
+	if flags&syscall.RTF_UP != 0 {
 		flagStrs = append(flagStrs, "U")
 	}
-	if flags&unix.RTF_GATEWAY != 0 {
+	if flags&syscall.RTF_GATEWAY != 0 {
 		flagStrs = append(flagStrs, "G")
 	}
-	if flags&unix.RTF_HOST != 0 {
+	if flags&syscall.RTF_HOST != 0 {
 		flagStrs = append(flagStrs, "H")
 	}
-	if flags&unix.RTF_REJECT != 0 {
+	if flags&syscall.RTF_REJECT != 0 {
 		flagStrs = append(flagStrs, "R")
 	}
-	if flags&unix.RTF_DYNAMIC != 0 {
+	if flags&syscall.RTF_DYNAMIC != 0 {
 		flagStrs = append(flagStrs, "D")
 	}
-	if flags&unix.RTF_MODIFIED != 0 {
+	if flags&syscall.RTF_MODIFIED != 0 {
 		flagStrs = append(flagStrs, "M")
 	}
-	if flags&unix.RTF_STATIC != 0 {
+	if flags&syscall.RTF_STATIC != 0 {
 		flagStrs = append(flagStrs, "S")
 	}
-	if flags&unix.RTF_LLINFO != 0 {
+	if flags&syscall.RTF_LLINFO != 0 {
 		flagStrs = append(flagStrs, "L")
 	}
-	if flags&unix.RTF_LOCAL != 0 {
+	if flags&syscall.RTF_LOCAL != 0 {
 		flagStrs = append(flagStrs, "l")
 	}
-	if flags&unix.RTF_BLACKHOLE != 0 {
+	if flags&syscall.RTF_BLACKHOLE != 0 {
 		flagStrs = append(flagStrs, "B")
 	}
 	// Note: RTF_CLONING and RTF_WASCLONED deprecated in FreeBSD 8.0
-	if flags&unix.RTF_PROTO1 != 0 {
-		flagStrs = append(flagStrs, "1")
-	}
-	if flags&unix.RTF_PROTO2 != 0 {
-		flagStrs = append(flagStrs, "2")
-	}
-	if flags&unix.RTF_PROTO3 != 0 {
-		flagStrs = append(flagStrs, "3")
-	}
 
 	if len(flagStrs) == 0 {
 		return "-"

client/ios/NetBirdSDK/env_list.go

@@ -2,10 +2,7 @@
 
 package NetBirdSDK
 
-import (
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
+import "github.com/netbirdio/netbird/client/internal/peer"
 
 // EnvList is an exported struct to be bound by gomobile
 type EnvList struct {
@@ -35,13 +32,3 @@ func (el *EnvList) AllItems() map[string]string {
 func GetEnvKeyNBForceRelay() string {
 	return peer.EnvKeyNBForceRelay
 }
-
-// GetEnvKeyNBLazyConn Exports the environment variable for the iOS client
-func GetEnvKeyNBLazyConn() string {
-	return lazyconn.EnvEnableLazyConn
-}
-
-// GetEnvKeyNBInactivityThreshold Exports the environment variable for the iOS client
-func GetEnvKeyNBInactivityThreshold() string {
-	return lazyconn.EnvInactivityThreshold
-}

combined/Dockerfile

@@ -1,5 +0,0 @@
-FROM ubuntu:24.04
-RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
-ENTRYPOINT [ "/go/bin/netbird-server" ]
-CMD ["--config", "/etc/netbird/config.yaml"]
-COPY netbird-server /go/bin/netbird-server

combined/Dockerfile.multistage

@@ -1,25 +0,0 @@
-FROM golang:1.25-bookworm AS builder
-WORKDIR /app
-
-# Install build dependencies
-RUN apt-get update && apt-get install -y gcc libc6-dev git && rm -rf /var/lib/apt/lists/*
-
-COPY go.mod go.sum ./
-RUN go mod download
-
-COPY . .
-
-# Build with version info from git (matching goreleaser ldflags)
-RUN CGO_ENABLED=1 GOOS=linux go build \
-    -ldflags="-s -w \
-    -X github.com/netbirdio/netbird/version.version=$(git describe --tags --always --dirty 2>/dev/null || echo 'dev') \
-    -X main.commit=$(git rev-parse --short HEAD 2>/dev/null || echo 'unknown') \
-    -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) \
-    -X main.builtBy=docker" \
-    -o netbird-server ./combined
-
-FROM ubuntu:24.04
-RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
-ENTRYPOINT [ "/go/bin/netbird-server" ]
-CMD ["--config", "/etc/netbird/config.yaml"]
-COPY --from=builder /app/netbird-server /go/bin/netbird-server

combined/LICENSE

@@ -1,661 +0,0 @@
-                    GNU AFFERO GENERAL PUBLIC LICENSE
-                       Version 3, 19 November 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU Affero General Public License is a free, copyleft license for
-software and other kinds of works, specifically designed to ensure
-cooperation with the community in the case of network server software.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-our General Public Licenses are intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  Developers that use our General Public Licenses protect your rights
-with two steps: (1) assert copyright on the software, and (2) offer
-you this License which gives you legal permission to copy, distribute
-and/or modify the software.
-
-  A secondary benefit of defending all users' freedom is that
-improvements made in alternate versions of the program, if they
-receive widespread use, become available for other developers to
-incorporate.  Many developers of free software are heartened and
-encouraged by the resulting cooperation.  However, in the case of
-software used on network servers, this result may fail to come about.
-The GNU General Public License permits making a modified version and
-letting the public access it on a server without ever releasing its
-source code to the public.
-
-  The GNU Affero General Public License is designed specifically to
-ensure that, in such cases, the modified source code becomes available
-to the community.  It requires the operator of a network server to
-provide the source code of the modified version running there to the
-users of that server.  Therefore, public use of a modified version, on
-a publicly accessible server, gives the public access to the source
-code of the modified version.
-
-  An older license, called the Affero General Public License and
-published by Affero, was designed to accomplish similar goals.  This is
-a different license, not a version of the Affero GPL, but Affero has
-released a new version of the Affero GPL which permits relicensing under
-this license.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU Affero General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Remote Network Interaction; Use with the GNU General Public License.
-
-  Notwithstanding any other provision of this License, if you modify the
-Program, your modified version must prominently offer all users
-interacting with it remotely through a computer network (if your version
-supports such interaction) an opportunity to receive the Corresponding
-Source of your version by providing access to the Corresponding Source
-from a network server at no charge, through some standard or customary
-means of facilitating copying of software.  This Corresponding Source
-shall include the Corresponding Source for any work covered by version 3
-of the GNU General Public License that is incorporated pursuant to the
-following paragraph.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the work with which it is combined will remain governed by version
-3 of the GNU General Public License.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU Affero General Public License from time to time.  Such new versions
-will be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU Affero General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU Affero General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU Affero General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU Affero General Public License for more details.
-
-    You should have received a copy of the GNU Affero General Public License
-    along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If your software can interact with users remotely through a computer
-network, you should also make sure that it provides a way for users to
-get its source.  For example, if your program is a web application, its
-interface could display a "Source" link that leads users to an archive
-of the code.  There are many ways you could offer source, and different
-solutions will be better for different programs; see section 13 for the
-specific requirements.
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU AGPL, see
-<https://www.gnu.org/licenses/>.

combined/cmd/config.go

@@ -1,723 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"os"
-	"path"
-	"strings"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"gopkg.in/yaml.v3"
-
-	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/util/crypt"
-
-	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-)
-
-// CombinedConfig is the root configuration for the combined server.
-// The combined server is primarily a Management server with optional embedded
-// Signal, Relay, and STUN services.
-//
-// Architecture:
-//   - Management: Always runs locally (this IS the management server)
-//   - Signal: Runs locally by default; disabled if server.signalUri is set
-//   - Relay: Runs locally by default; disabled if server.relays is set
-//   - STUN: Runs locally on port 3478 by default; disabled if server.stuns is set
-//
-// All user-facing settings are under "server". The relay/signal/management
-// fields are internal and populated automatically from server settings.
-type CombinedConfig struct {
-	Server ServerConfig `yaml:"server"`
-
-	// Internal configs - populated from Server settings, not user-configurable
-	Relay      RelayConfig      `yaml:"-"`
-	Signal     SignalConfig     `yaml:"-"`
-	Management ManagementConfig `yaml:"-"`
-}
-
-// ServerConfig contains server-wide settings
-// In simplified mode, this contains all configuration
-type ServerConfig struct {
-	ListenAddress      string    `yaml:"listenAddress"`
-	MetricsPort        int       `yaml:"metricsPort"`
-	HealthcheckAddress string    `yaml:"healthcheckAddress"`
-	LogLevel           string    `yaml:"logLevel"`
-	LogFile            string    `yaml:"logFile"`
-	TLS                TLSConfig `yaml:"tls"`
-
-	// Simplified config fields (used when relay/signal/management sections are omitted)
-	ExposedAddress string `yaml:"exposedAddress"` // Public address with protocol (e.g., "https://example.com:443")
-	StunPorts      []int  `yaml:"stunPorts"`      // STUN ports (empty to disable local STUN)
-	AuthSecret     string `yaml:"authSecret"`     // Shared secret for relay authentication
-	DataDir        string `yaml:"dataDir"`        // Data directory for all services
-
-	// External service overrides (simplified mode)
-	// When these are set, the corresponding local service is NOT started
-	// and these values are used for client configuration instead
-	Stuns     []HostConfig `yaml:"stuns"`     // External STUN servers (disables local STUN)
-	Relays    RelaysConfig `yaml:"relays"`    // External relay servers (disables local relay)
-	SignalURI string       `yaml:"signalUri"` // External signal server (disables local signal)
-
-	// Management settings (simplified mode)
-	DisableAnonymousMetrics bool               `yaml:"disableAnonymousMetrics"`
-	DisableGeoliteUpdate    bool               `yaml:"disableGeoliteUpdate"`
-	Auth                    AuthConfig         `yaml:"auth"`
-	Store                   StoreConfig        `yaml:"store"`
-	ReverseProxy            ReverseProxyConfig `yaml:"reverseProxy"`
-}
-
-// TLSConfig contains TLS/HTTPS settings
-type TLSConfig struct {
-	CertFile    string            `yaml:"certFile"`
-	KeyFile     string            `yaml:"keyFile"`
-	LetsEncrypt LetsEncryptConfig `yaml:"letsencrypt"`
-}
-
-// LetsEncryptConfig contains Let's Encrypt settings
-type LetsEncryptConfig struct {
-	Enabled    bool     `yaml:"enabled"`
-	DataDir    string   `yaml:"dataDir"`
-	Domains    []string `yaml:"domains"`
-	Email      string   `yaml:"email"`
-	AWSRoute53 bool     `yaml:"awsRoute53"`
-}
-
-// RelayConfig contains relay service settings
-type RelayConfig struct {
-	Enabled        bool       `yaml:"enabled"`
-	ExposedAddress string     `yaml:"exposedAddress"`
-	AuthSecret     string     `yaml:"authSecret"`
-	LogLevel       string     `yaml:"logLevel"`
-	Stun           StunConfig `yaml:"stun"`
-}
-
-// StunConfig contains embedded STUN service settings
-type StunConfig struct {
-	Enabled  bool   `yaml:"enabled"`
-	Ports    []int  `yaml:"ports"`
-	LogLevel string `yaml:"logLevel"`
-}
-
-// SignalConfig contains signal service settings
-type SignalConfig struct {
-	Enabled  bool   `yaml:"enabled"`
-	LogLevel string `yaml:"logLevel"`
-}
-
-// ManagementConfig contains management service settings
-type ManagementConfig struct {
-	Enabled                 bool               `yaml:"enabled"`
-	LogLevel                string             `yaml:"logLevel"`
-	DataDir                 string             `yaml:"dataDir"`
-	DnsDomain               string             `yaml:"dnsDomain"`
-	DisableAnonymousMetrics bool               `yaml:"disableAnonymousMetrics"`
-	DisableGeoliteUpdate    bool               `yaml:"disableGeoliteUpdate"`
-	DisableDefaultPolicy    bool               `yaml:"disableDefaultPolicy"`
-	Auth                    AuthConfig         `yaml:"auth"`
-	Stuns                   []HostConfig       `yaml:"stuns"`
-	Relays                  RelaysConfig       `yaml:"relays"`
-	SignalURI               string             `yaml:"signalUri"`
-	Store                   StoreConfig        `yaml:"store"`
-	ReverseProxy            ReverseProxyConfig `yaml:"reverseProxy"`
-}
-
-// AuthConfig contains authentication/identity provider settings
-type AuthConfig struct {
-	Issuer                string            `yaml:"issuer"`
-	LocalAuthDisabled     bool              `yaml:"localAuthDisabled"`
-	SignKeyRefreshEnabled bool              `yaml:"signKeyRefreshEnabled"`
-	Storage               AuthStorageConfig `yaml:"storage"`
-	DashboardRedirectURIs []string          `yaml:"dashboardRedirectURIs"`
-	CLIRedirectURIs       []string          `yaml:"cliRedirectURIs"`
-	Owner                 *AuthOwnerConfig  `yaml:"owner,omitempty"`
-}
-
-// AuthStorageConfig contains auth storage settings
-type AuthStorageConfig struct {
-	Type string `yaml:"type"`
-	File string `yaml:"file"`
-}
-
-// AuthOwnerConfig contains initial admin user settings
-type AuthOwnerConfig struct {
-	Email    string `yaml:"email"`
-	Password string `yaml:"password"`
-}
-
-// HostConfig represents a STUN/TURN/Signal host
-type HostConfig struct {
-	URI      string `yaml:"uri"`
-	Proto    string `yaml:"proto,omitempty"` // udp, dtls, tcp, http, https - defaults based on URI scheme
-	Username string `yaml:"username,omitempty"`
-	Password string `yaml:"password,omitempty"`
-}
-
-// RelaysConfig contains external relay server settings for clients
-type RelaysConfig struct {
-	Addresses      []string `yaml:"addresses"`
-	CredentialsTTL string   `yaml:"credentialsTTL"`
-	Secret         string   `yaml:"secret"`
-}
-
-// StoreConfig contains database settings
-type StoreConfig struct {
-	Engine        string `yaml:"engine"`
-	EncryptionKey string `yaml:"encryptionKey"`
-	DSN           string `yaml:"dsn"` // Connection string for postgres or mysql engines
-}
-
-// ReverseProxyConfig contains reverse proxy settings
-type ReverseProxyConfig struct {
-	TrustedHTTPProxies      []string `yaml:"trustedHTTPProxies"`
-	TrustedHTTPProxiesCount uint     `yaml:"trustedHTTPProxiesCount"`
-	TrustedPeers            []string `yaml:"trustedPeers"`
-}
-
-// DefaultConfig returns a CombinedConfig with default values
-func DefaultConfig() *CombinedConfig {
-	return &CombinedConfig{
-		Server: ServerConfig{
-			ListenAddress:      ":443",
-			MetricsPort:        9090,
-			HealthcheckAddress: ":9000",
-			LogLevel:           "info",
-			LogFile:            "console",
-			StunPorts:          []int{3478},
-			DataDir:            "/var/lib/netbird/",
-			Auth: AuthConfig{
-				Storage: AuthStorageConfig{
-					Type: "sqlite3",
-				},
-			},
-			Store: StoreConfig{
-				Engine: "sqlite",
-			},
-		},
-		Relay: RelayConfig{
-			// LogLevel inherited from Server.LogLevel via ApplySimplifiedDefaults
-			Stun: StunConfig{
-				Enabled: false,
-				Ports:   []int{3478},
-				// LogLevel inherited from Server.LogLevel via ApplySimplifiedDefaults
-			},
-		},
-		Signal: SignalConfig{
-			// LogLevel inherited from Server.LogLevel via ApplySimplifiedDefaults
-		},
-		Management: ManagementConfig{
-			DataDir: "/var/lib/netbird/",
-			Auth: AuthConfig{
-				Storage: AuthStorageConfig{
-					Type: "sqlite3",
-				},
-			},
-			Relays: RelaysConfig{
-				CredentialsTTL: "12h",
-			},
-			Store: StoreConfig{
-				Engine: "sqlite",
-			},
-		},
-	}
-}
-
-// hasRequiredSettings returns true if the configuration has the required server settings
-func (c *CombinedConfig) hasRequiredSettings() bool {
-	return c.Server.ExposedAddress != ""
-}
-
-// parseExposedAddress extracts protocol, host, and host:port from the exposed address
-// Input format: "https://example.com:443" or "http://example.com:8080" or "example.com:443"
-// Returns: protocol ("https" or "http"), hostname only, and host:port
-func parseExposedAddress(exposedAddress string) (protocol, hostname, hostPort string) {
-	// Default to https if no protocol specified
-	protocol = "https"
-	hostPort = exposedAddress
-
-	// Check for protocol prefix
-	if strings.HasPrefix(exposedAddress, "https://") {
-		protocol = "https"
-		hostPort = strings.TrimPrefix(exposedAddress, "https://")
-	} else if strings.HasPrefix(exposedAddress, "http://") {
-		protocol = "http"
-		hostPort = strings.TrimPrefix(exposedAddress, "http://")
-	}
-
-	// Extract hostname (without port)
-	hostname = hostPort
-	if host, _, err := net.SplitHostPort(hostPort); err == nil {
-		hostname = host
-	}
-
-	return protocol, hostname, hostPort
-}
-
-// ApplySimplifiedDefaults populates internal relay/signal/management configs from server settings.
-// Management is always enabled. Signal, Relay, and STUN are enabled unless external
-// overrides are configured (server.signalUri, server.relays, server.stuns).
-func (c *CombinedConfig) ApplySimplifiedDefaults() {
-	if !c.hasRequiredSettings() {
-		return
-	}
-
-	// Parse exposed address to extract protocol and hostname
-	exposedProto, exposedHost, exposedHostPort := parseExposedAddress(c.Server.ExposedAddress)
-
-	// Check for external service overrides
-	hasExternalRelay := len(c.Server.Relays.Addresses) > 0
-	hasExternalSignal := c.Server.SignalURI != ""
-	hasExternalStuns := len(c.Server.Stuns) > 0
-
-	// Default stunPorts to [3478] if not specified and no external STUN
-	if len(c.Server.StunPorts) == 0 && !hasExternalStuns {
-		c.Server.StunPorts = []int{3478}
-	}
-
-	c.applyRelayDefaults(exposedProto, exposedHostPort, hasExternalRelay, hasExternalStuns)
-	c.applySignalDefaults(hasExternalSignal)
-	c.applyManagementDefaults(exposedHost)
-
-	// Auto-configure client settings (stuns, relays, signalUri)
-	c.autoConfigureClientSettings(exposedProto, exposedHost, exposedHostPort, hasExternalStuns, hasExternalRelay, hasExternalSignal)
-}
-
-// applyRelayDefaults configures the relay service if no external relay is configured.
-func (c *CombinedConfig) applyRelayDefaults(exposedProto, exposedHostPort string, hasExternalRelay, hasExternalStuns bool) {
-	if hasExternalRelay {
-		return
-	}
-
-	c.Relay.Enabled = true
-	relayProto := "rel"
-	if exposedProto == "https" {
-		relayProto = "rels"
-	}
-	c.Relay.ExposedAddress = fmt.Sprintf("%s://%s", relayProto, exposedHostPort)
-	c.Relay.AuthSecret = c.Server.AuthSecret
-	if c.Relay.LogLevel == "" {
-		c.Relay.LogLevel = c.Server.LogLevel
-	}
-
-	// Enable local STUN only if no external STUN servers and stunPorts are configured
-	if !hasExternalStuns && len(c.Server.StunPorts) > 0 {
-		c.Relay.Stun.Enabled = true
-		c.Relay.Stun.Ports = c.Server.StunPorts
-		if c.Relay.Stun.LogLevel == "" {
-			c.Relay.Stun.LogLevel = c.Server.LogLevel
-		}
-	}
-}
-
-// applySignalDefaults configures the signal service if no external signal is configured.
-func (c *CombinedConfig) applySignalDefaults(hasExternalSignal bool) {
-	if hasExternalSignal {
-		return
-	}
-
-	c.Signal.Enabled = true
-	if c.Signal.LogLevel == "" {
-		c.Signal.LogLevel = c.Server.LogLevel
-	}
-}
-
-// applyManagementDefaults configures the management service (always enabled).
-func (c *CombinedConfig) applyManagementDefaults(exposedHost string) {
-	c.Management.Enabled = true
-	if c.Management.LogLevel == "" {
-		c.Management.LogLevel = c.Server.LogLevel
-	}
-	if c.Management.DataDir == "" || c.Management.DataDir == "/var/lib/netbird/" {
-		c.Management.DataDir = c.Server.DataDir
-	}
-	c.Management.DnsDomain = exposedHost
-	c.Management.DisableAnonymousMetrics = c.Server.DisableAnonymousMetrics
-	c.Management.DisableGeoliteUpdate = c.Server.DisableGeoliteUpdate
-	// Copy auth config from server if management auth issuer is not set
-	if c.Management.Auth.Issuer == "" && c.Server.Auth.Issuer != "" {
-		c.Management.Auth = c.Server.Auth
-	}
-
-	// Copy store config from server if not set
-	if c.Management.Store.Engine == "" || c.Management.Store.Engine == "sqlite" {
-		if c.Server.Store.Engine != "" {
-			c.Management.Store = c.Server.Store
-		}
-	}
-
-	// Copy reverse proxy config from server
-	if len(c.Server.ReverseProxy.TrustedHTTPProxies) > 0 || c.Server.ReverseProxy.TrustedHTTPProxiesCount > 0 || len(c.Server.ReverseProxy.TrustedPeers) > 0 {
-		c.Management.ReverseProxy = c.Server.ReverseProxy
-	}
-}
-
-// autoConfigureClientSettings sets up STUN/relay/signal URIs for clients
-// External overrides from server config take precedence over auto-generated values
-func (c *CombinedConfig) autoConfigureClientSettings(exposedProto, exposedHost, exposedHostPort string, hasExternalStuns, hasExternalRelay, hasExternalSignal bool) {
-	// Determine relay protocol from exposed protocol
-	relayProto := "rel"
-	if exposedProto == "https" {
-		relayProto = "rels"
-	}
-
-	// Configure STUN servers for clients
-	if hasExternalStuns {
-		// Use external STUN servers from server config
-		c.Management.Stuns = c.Server.Stuns
-	} else if len(c.Server.StunPorts) > 0 && len(c.Management.Stuns) == 0 {
-		// Auto-configure local STUN servers for all ports
-		for _, port := range c.Server.StunPorts {
-			c.Management.Stuns = append(c.Management.Stuns, HostConfig{
-				URI: fmt.Sprintf("stun:%s:%d", exposedHost, port),
-			})
-		}
-	}
-
-	// Configure relay for clients
-	if hasExternalRelay {
-		// Use external relay config from server
-		c.Management.Relays = c.Server.Relays
-	} else if len(c.Management.Relays.Addresses) == 0 {
-		// Auto-configure local relay
-		c.Management.Relays.Addresses = []string{
-			fmt.Sprintf("%s://%s", relayProto, exposedHostPort),
-		}
-	}
-	if c.Management.Relays.Secret == "" {
-		c.Management.Relays.Secret = c.Server.AuthSecret
-	}
-	if c.Management.Relays.CredentialsTTL == "" {
-		c.Management.Relays.CredentialsTTL = "12h"
-	}
-
-	// Configure signal for clients
-	if hasExternalSignal {
-		// Use external signal URI from server config
-		c.Management.SignalURI = c.Server.SignalURI
-	} else if c.Management.SignalURI == "" {
-		// Auto-configure local signal
-		c.Management.SignalURI = fmt.Sprintf("%s://%s", exposedProto, exposedHostPort)
-	}
-}
-
-// LoadConfig loads configuration from a YAML file
-func LoadConfig(configPath string) (*CombinedConfig, error) {
-	cfg := DefaultConfig()
-
-	if configPath == "" {
-		return cfg, nil
-	}
-
-	data, err := os.ReadFile(configPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read config file: %w", err)
-	}
-
-	if err := yaml.Unmarshal(data, cfg); err != nil {
-		return nil, fmt.Errorf("failed to parse config file: %w", err)
-	}
-
-	// Populate internal configs from server settings
-	cfg.ApplySimplifiedDefaults()
-
-	return cfg, nil
-}
-
-// Validate validates the configuration
-func (c *CombinedConfig) Validate() error {
-	if c.Server.ExposedAddress == "" {
-		return fmt.Errorf("server.exposedAddress is required")
-	}
-	if c.Server.DataDir == "" {
-		return fmt.Errorf("server.dataDir is required")
-	}
-
-	// Validate STUN ports
-	seen := make(map[int]bool)
-	for _, port := range c.Server.StunPorts {
-		if port <= 0 || port > 65535 {
-			return fmt.Errorf("invalid server.stunPorts value %d: must be between 1 and 65535", port)
-		}
-		if seen[port] {
-			return fmt.Errorf("duplicate STUN port %d in server.stunPorts", port)
-		}
-		seen[port] = true
-	}
-
-	// authSecret is required only if running local relay (no external relay configured)
-	hasExternalRelay := len(c.Server.Relays.Addresses) > 0
-	if !hasExternalRelay && c.Server.AuthSecret == "" {
-		return fmt.Errorf("server.authSecret is required when running local relay")
-	}
-
-	return nil
-}
-
-// HasTLSCert returns true if TLS certificate files are configured
-func (c *CombinedConfig) HasTLSCert() bool {
-	return c.Server.TLS.CertFile != "" && c.Server.TLS.KeyFile != ""
-}
-
-// HasLetsEncrypt returns true if Let's Encrypt is configured
-func (c *CombinedConfig) HasLetsEncrypt() bool {
-	return c.Server.TLS.LetsEncrypt.Enabled &&
-		c.Server.TLS.LetsEncrypt.DataDir != "" &&
-		len(c.Server.TLS.LetsEncrypt.Domains) > 0
-}
-
-// parseExplicitProtocol parses an explicit protocol string to nbconfig.Protocol
-func parseExplicitProtocol(proto string) (nbconfig.Protocol, bool) {
-	switch strings.ToLower(proto) {
-	case "udp":
-		return nbconfig.UDP, true
-	case "dtls":
-		return nbconfig.DTLS, true
-	case "tcp":
-		return nbconfig.TCP, true
-	case "http":
-		return nbconfig.HTTP, true
-	case "https":
-		return nbconfig.HTTPS, true
-	default:
-		return "", false
-	}
-}
-
-// parseStunProtocol determines protocol for STUN/TURN servers.
-// stun: → UDP, stuns: → DTLS, turn: → UDP, turns: → DTLS
-// Explicit proto overrides URI scheme. Defaults to UDP.
-func parseStunProtocol(uri, proto string) nbconfig.Protocol {
-	if proto != "" {
-		if p, ok := parseExplicitProtocol(proto); ok {
-			return p
-		}
-	}
-
-	uri = strings.ToLower(uri)
-	switch {
-	case strings.HasPrefix(uri, "stuns:"):
-		return nbconfig.DTLS
-	case strings.HasPrefix(uri, "turns:"):
-		return nbconfig.DTLS
-	default:
-		// stun:, turn:, or no scheme - default to UDP
-		return nbconfig.UDP
-	}
-}
-
-// parseSignalProtocol determines protocol for Signal servers.
-// https:// → HTTPS, http:// → HTTP. Defaults to HTTPS.
-func parseSignalProtocol(uri string) nbconfig.Protocol {
-	uri = strings.ToLower(uri)
-	switch {
-	case strings.HasPrefix(uri, "http://"):
-		return nbconfig.HTTP
-	default:
-		// https:// or no scheme - default to HTTPS
-		return nbconfig.HTTPS
-	}
-}
-
-// stripSignalProtocol removes the protocol prefix from a signal URI.
-// Returns just the host:port (e.g., "selfhosted2.demo.netbird.io:443").
-func stripSignalProtocol(uri string) string {
-	uri = strings.TrimPrefix(uri, "https://")
-	uri = strings.TrimPrefix(uri, "http://")
-	return uri
-}
-
-// ToManagementConfig converts CombinedConfig to management server config
-func (c *CombinedConfig) ToManagementConfig() (*nbconfig.Config, error) {
-	mgmt := c.Management
-
-	// Build STUN hosts
-	var stuns []*nbconfig.Host
-	for _, s := range mgmt.Stuns {
-		stuns = append(stuns, &nbconfig.Host{
-			URI:      s.URI,
-			Proto:    parseStunProtocol(s.URI, s.Proto),
-			Username: s.Username,
-			Password: s.Password,
-		})
-	}
-
-	// Build relay config
-	var relayConfig *nbconfig.Relay
-	if len(mgmt.Relays.Addresses) > 0 || mgmt.Relays.Secret != "" {
-		var ttl time.Duration
-		if mgmt.Relays.CredentialsTTL != "" {
-			var err error
-			ttl, err = time.ParseDuration(mgmt.Relays.CredentialsTTL)
-			if err != nil {
-				return nil, fmt.Errorf("invalid relay credentials TTL %q: %w", mgmt.Relays.CredentialsTTL, err)
-			}
-		}
-		relayConfig = &nbconfig.Relay{
-			Addresses:      mgmt.Relays.Addresses,
-			CredentialsTTL: util.Duration{Duration: ttl},
-			Secret:         mgmt.Relays.Secret,
-		}
-	}
-
-	// Build signal config
-	var signalConfig *nbconfig.Host
-	if mgmt.SignalURI != "" {
-		signalConfig = &nbconfig.Host{
-			URI:   stripSignalProtocol(mgmt.SignalURI),
-			Proto: parseSignalProtocol(mgmt.SignalURI),
-		}
-	}
-
-	// Build store config
-	storeConfig := nbconfig.StoreConfig{
-		Engine: types.Engine(mgmt.Store.Engine),
-	}
-
-	// Build reverse proxy config
-	reverseProxy := nbconfig.ReverseProxy{
-		TrustedHTTPProxiesCount: mgmt.ReverseProxy.TrustedHTTPProxiesCount,
-	}
-	for _, p := range mgmt.ReverseProxy.TrustedHTTPProxies {
-		if prefix, err := netip.ParsePrefix(p); err == nil {
-			reverseProxy.TrustedHTTPProxies = append(reverseProxy.TrustedHTTPProxies, prefix)
-		}
-	}
-	for _, p := range mgmt.ReverseProxy.TrustedPeers {
-		if prefix, err := netip.ParsePrefix(p); err == nil {
-			reverseProxy.TrustedPeers = append(reverseProxy.TrustedPeers, prefix)
-		}
-	}
-
-	// Build HTTP config (required, even if empty)
-	httpConfig := &nbconfig.HttpServerConfig{}
-
-	// Build embedded IDP config (always enabled in combined server)
-	storageFile := mgmt.Auth.Storage.File
-	if storageFile == "" {
-		storageFile = path.Join(mgmt.DataDir, "idp.db")
-	}
-
-	embeddedIdP := &idp.EmbeddedIdPConfig{
-		Enabled:               true,
-		Issuer:                mgmt.Auth.Issuer,
-		LocalAuthDisabled:     mgmt.Auth.LocalAuthDisabled,
-		SignKeyRefreshEnabled: mgmt.Auth.SignKeyRefreshEnabled,
-		Storage: idp.EmbeddedStorageConfig{
-			Type: mgmt.Auth.Storage.Type,
-			Config: idp.EmbeddedStorageTypeConfig{
-				File: storageFile,
-			},
-		},
-		DashboardRedirectURIs: mgmt.Auth.DashboardRedirectURIs,
-		CLIRedirectURIs:       mgmt.Auth.CLIRedirectURIs,
-	}
-
-	if mgmt.Auth.Owner != nil && mgmt.Auth.Owner.Email != "" {
-		embeddedIdP.Owner = &idp.OwnerConfig{
-			Email: mgmt.Auth.Owner.Email,
-			Hash:  mgmt.Auth.Owner.Password, // Will be hashed if plain text
-		}
-	}
-
-	// Set HTTP config fields for embedded IDP
-	httpConfig.AuthIssuer = mgmt.Auth.Issuer
-	httpConfig.AuthAudience = "netbird-dashboard"
-	httpConfig.AuthClientID = httpConfig.AuthAudience
-	httpConfig.CLIAuthAudience = "netbird-cli"
-	httpConfig.AuthUserIDClaim = "sub"
-	httpConfig.AuthKeysLocation = mgmt.Auth.Issuer + "/keys"
-	httpConfig.OIDCConfigEndpoint = mgmt.Auth.Issuer + "/.well-known/openid-configuration"
-	httpConfig.IdpSignKeyRefreshEnabled = mgmt.Auth.SignKeyRefreshEnabled
-	callbackURL := strings.TrimSuffix(httpConfig.AuthIssuer, "/oauth2")
-	httpConfig.AuthCallbackURL = callbackURL + types.ProxyCallbackEndpointFull
-
-	return &nbconfig.Config{
-		Stuns:                  stuns,
-		Relay:                  relayConfig,
-		Signal:                 signalConfig,
-		Datadir:                mgmt.DataDir,
-		DataStoreEncryptionKey: mgmt.Store.EncryptionKey,
-		HttpConfig:             httpConfig,
-		StoreConfig:            storeConfig,
-		ReverseProxy:           reverseProxy,
-		DisableDefaultPolicy:   mgmt.DisableDefaultPolicy,
-		EmbeddedIdP:            embeddedIdP,
-	}, nil
-}
-
-// ApplyEmbeddedIdPConfig applies embedded IdP configuration to the management config.
-// This mirrors the logic in management/cmd/management.go ApplyEmbeddedIdPConfig.
-func ApplyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config, mgmtPort int, disableSingleAccMode bool) error {
-	if cfg.EmbeddedIdP == nil || !cfg.EmbeddedIdP.Enabled {
-		return nil
-	}
-
-	// Embedded IdP requires single account mode
-	if disableSingleAccMode {
-		return fmt.Errorf("embedded IdP requires single account mode; multiple account mode is not supported with embedded IdP")
-	}
-
-	// Set LocalAddress for embedded IdP, used for internal JWT validation
-	cfg.EmbeddedIdP.LocalAddress = fmt.Sprintf("localhost:%d", mgmtPort)
-
-	// Set storage defaults based on Datadir
-	if cfg.EmbeddedIdP.Storage.Type == "" {
-		cfg.EmbeddedIdP.Storage.Type = "sqlite3"
-	}
-	if cfg.EmbeddedIdP.Storage.Config.File == "" && cfg.Datadir != "" {
-		cfg.EmbeddedIdP.Storage.Config.File = path.Join(cfg.Datadir, "idp.db")
-	}
-
-	issuer := cfg.EmbeddedIdP.Issuer
-
-	// Ensure HttpConfig exists
-	if cfg.HttpConfig == nil {
-		cfg.HttpConfig = &nbconfig.HttpServerConfig{}
-	}
-
-	// Set HttpConfig values from EmbeddedIdP
-	cfg.HttpConfig.AuthIssuer = issuer
-	cfg.HttpConfig.AuthAudience = "netbird-dashboard"
-	cfg.HttpConfig.CLIAuthAudience = "netbird-cli"
-	cfg.HttpConfig.AuthUserIDClaim = "sub"
-	cfg.HttpConfig.AuthKeysLocation = issuer + "/keys"
-	cfg.HttpConfig.OIDCConfigEndpoint = issuer + "/.well-known/openid-configuration"
-	cfg.HttpConfig.IdpSignKeyRefreshEnabled = true
-
-	return nil
-}
-
-// EnsureEncryptionKey generates an encryption key if not set.
-// Unlike management server, we don't write back to the config file.
-func EnsureEncryptionKey(ctx context.Context, cfg *nbconfig.Config) error {
-	if cfg.DataStoreEncryptionKey != "" {
-		return nil
-	}
-
-	log.WithContext(ctx).Infof("DataStoreEncryptionKey is not set, generating a new key")
-	key, err := crypt.GenerateKey()
-	if err != nil {
-		return fmt.Errorf("failed to generate datastore encryption key: %v", err)
-	}
-	cfg.DataStoreEncryptionKey = key
-	keyPreview := key[:8] + "..."
-	log.WithContext(ctx).Warnf("DataStoreEncryptionKey generated (%s); add it to your config file under 'server.store.encryptionKey' to persist across restarts", keyPreview)
-
-	return nil
-}
-
-// LogConfigInfo logs informational messages about the loaded configuration
-func LogConfigInfo(cfg *nbconfig.Config) {
-	if cfg.EmbeddedIdP != nil && cfg.EmbeddedIdP.Enabled {
-		log.Infof("running with the embedded IdP: %v", cfg.EmbeddedIdP.Issuer)
-	}
-	if cfg.Relay != nil {
-		log.Infof("Relay addresses: %v", cfg.Relay.Addresses)
-	}
-}

combined/cmd/pprof.go

@@ -1,33 +0,0 @@
-//go:build pprof
-// +build pprof
-
-package cmd
-
-import (
-	"net/http"
-	_ "net/http/pprof"
-	"os"
-
-	log "github.com/sirupsen/logrus"
-)
-
-func init() {
-	addr := pprofAddr()
-	go pprof(addr)
-}
-
-func pprofAddr() string {
-	listenAddr := os.Getenv("NB_PPROF_ADDR")
-	if listenAddr == "" {
-		return "localhost:6969"
-	}
-
-	return listenAddr
-}
-
-func pprof(listenAddr string) {
-	log.Infof("listening pprof on: %s\n", listenAddr)
-	if err := http.ListenAndServe(listenAddr, nil); err != nil {
-		log.Fatalf("Failed to start pprof: %v", err)
-	}
-}

combined/cmd/root.go

@@ -1,715 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"crypto/sha256"
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"net"
-	"net/http"
-	"os"
-	"os/signal"
-	"strconv"
-	"strings"
-	"sync"
-	"syscall"
-	"time"
-
-	"github.com/coder/websocket"
-	"github.com/hashicorp/go-multierror"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"go.opentelemetry.io/otel/metric"
-	"google.golang.org/grpc"
-
-	"github.com/netbirdio/netbird/encryption"
-	mgmtServer "github.com/netbirdio/netbird/management/internals/server"
-	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/relay/healthcheck"
-	relayServer "github.com/netbirdio/netbird/relay/server"
-	"github.com/netbirdio/netbird/relay/server/listener/ws"
-	sharedMetrics "github.com/netbirdio/netbird/shared/metrics"
-	"github.com/netbirdio/netbird/shared/relay/auth"
-	"github.com/netbirdio/netbird/shared/signal/proto"
-	signalServer "github.com/netbirdio/netbird/signal/server"
-	"github.com/netbirdio/netbird/stun"
-	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/util/wsproxy"
-	wsproxyserver "github.com/netbirdio/netbird/util/wsproxy/server"
-)
-
-var (
-	configPath string
-	config     *CombinedConfig
-
-	rootCmd = &cobra.Command{
-		Use:   "combined",
-		Short: "Combined Netbird server (Management + Signal + Relay + STUN)",
-		Long: `Combined Netbird server for self-hosted deployments.
-
-All services (Management, Signal, Relay) are multiplexed on a single port.
-Optional STUN server runs on separate UDP ports.
-
-Configuration is loaded from a YAML file specified with --config.`,
-		SilenceUsage:  true,
-		SilenceErrors: true,
-		RunE:          execute,
-	}
-)
-
-func init() {
-	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "path to YAML configuration file (required)")
-	_ = rootCmd.MarkPersistentFlagRequired("config")
-
-	rootCmd.AddCommand(newTokenCommands())
-}
-
-func Execute() error {
-	return rootCmd.Execute()
-}
-
-func waitForExitSignal() {
-	osSigs := make(chan os.Signal, 1)
-	signal.Notify(osSigs, syscall.SIGINT, syscall.SIGTERM)
-	<-osSigs
-}
-
-func execute(cmd *cobra.Command, _ []string) error {
-	if err := initializeConfig(); err != nil {
-		return err
-	}
-
-	// Management is required as the base server when signal or relay are enabled
-	if (config.Signal.Enabled || config.Relay.Enabled) && !config.Management.Enabled {
-		return fmt.Errorf("management must be enabled when signal or relay are enabled (provides the base HTTP server)")
-	}
-
-	servers, err := createAllServers(cmd.Context(), config)
-	if err != nil {
-		return err
-	}
-
-	// Register services with management's gRPC server using AfterInit hook
-	setupServerHooks(servers, config)
-
-	// Start management server (this also starts the HTTP listener)
-	if servers.mgmtSrv != nil {
-		if err := servers.mgmtSrv.Start(cmd.Context()); err != nil {
-			cleanupSTUNListeners(servers.stunListeners)
-			return fmt.Errorf("failed to start management server: %w", err)
-		}
-	}
-
-	// Start all other servers
-	wg := sync.WaitGroup{}
-	startServers(&wg, servers.relaySrv, servers.healthcheck, servers.stunServer, servers.metricsServer)
-
-	waitForExitSignal()
-
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
-	err = shutdownServers(ctx, servers.relaySrv, servers.healthcheck, servers.stunServer, servers.mgmtSrv, servers.metricsServer)
-	wg.Wait()
-	return err
-}
-
-// initializeConfig loads and validates the configuration, then initializes logging.
-func initializeConfig() error {
-	var err error
-	config, err = LoadConfig(configPath)
-	if err != nil {
-		return fmt.Errorf("failed to load config: %w", err)
-	}
-
-	if err := config.Validate(); err != nil {
-		return fmt.Errorf("invalid config: %w", err)
-	}
-
-	if err := util.InitLog(config.Server.LogLevel, config.Server.LogFile); err != nil {
-		return fmt.Errorf("failed to initialize log: %w", err)
-	}
-
-	if dsn := config.Server.Store.DSN; dsn != "" {
-		switch strings.ToLower(config.Server.Store.Engine) {
-		case "postgres":
-			os.Setenv("NB_STORE_ENGINE_POSTGRES_DSN", dsn)
-		case "mysql":
-			os.Setenv("NB_STORE_ENGINE_MYSQL_DSN", dsn)
-		}
-	}
-
-	log.Infof("Starting combined NetBird server")
-	logConfig(config)
-	logEnvVars()
-	return nil
-}
-
-// serverInstances holds all server instances created during startup.
-type serverInstances struct {
-	relaySrv      *relayServer.Server
-	mgmtSrv       *mgmtServer.BaseServer
-	signalSrv     *signalServer.Server
-	healthcheck   *healthcheck.Server
-	stunServer    *stun.Server
-	stunListeners []*net.UDPConn
-	metricsServer *sharedMetrics.Metrics
-}
-
-// createAllServers creates all server instances based on configuration.
-func createAllServers(ctx context.Context, cfg *CombinedConfig) (*serverInstances, error) {
-	metricsServer, err := sharedMetrics.NewServer(cfg.Server.MetricsPort, "")
-	if err != nil {
-		return nil, fmt.Errorf("failed to create metrics server: %w", err)
-	}
-	servers := &serverInstances{
-		metricsServer: metricsServer,
-	}
-
-	_, tlsSupport, err := handleTLSConfig(cfg)
-	if err != nil {
-		return nil, fmt.Errorf("failed to setup TLS config: %w", err)
-	}
-
-	if err := servers.createRelayServer(cfg, tlsSupport); err != nil {
-		return nil, err
-	}
-
-	if err := servers.createManagementServer(ctx, cfg); err != nil {
-		return nil, err
-	}
-
-	if err := servers.createSignalServer(ctx, cfg); err != nil {
-		return nil, err
-	}
-
-	if err := servers.createHealthcheckServer(cfg); err != nil {
-		return nil, err
-	}
-
-	return servers, nil
-}
-
-func (s *serverInstances) createRelayServer(cfg *CombinedConfig, tlsSupport bool) error {
-	if !cfg.Relay.Enabled {
-		return nil
-	}
-
-	var err error
-	s.stunListeners, err = createSTUNListeners(cfg)
-	if err != nil {
-		return err
-	}
-
-	hashedSecret := sha256.Sum256([]byte(cfg.Relay.AuthSecret))
-	authenticator := auth.NewTimedHMACValidator(hashedSecret[:], 24*time.Hour)
-
-	relayCfg := relayServer.Config{
-		Meter:          s.metricsServer.Meter,
-		ExposedAddress: cfg.Relay.ExposedAddress,
-		AuthValidator:  authenticator,
-		TLSSupport:     tlsSupport,
-	}
-
-	s.relaySrv, err = createRelayServer(relayCfg, s.stunListeners)
-	if err != nil {
-		return err
-	}
-
-	log.Infof("Relay server created")
-
-	if len(s.stunListeners) > 0 {
-		s.stunServer = stun.NewServer(s.stunListeners, cfg.Relay.Stun.LogLevel)
-	}
-
-	return nil
-}
-
-func (s *serverInstances) createManagementServer(ctx context.Context, cfg *CombinedConfig) error {
-	if !cfg.Management.Enabled {
-		return nil
-	}
-
-	mgmtConfig, err := cfg.ToManagementConfig()
-	if err != nil {
-		return fmt.Errorf("failed to create management config: %w", err)
-	}
-
-	_, portStr, portErr := net.SplitHostPort(cfg.Server.ListenAddress)
-	if portErr != nil {
-		portStr = "443"
-	}
-	mgmtPort, _ := strconv.Atoi(portStr)
-
-	if err := ApplyEmbeddedIdPConfig(ctx, mgmtConfig, mgmtPort, false); err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to apply embedded IdP config: %w", err)
-	}
-
-	if err := EnsureEncryptionKey(ctx, mgmtConfig); err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to ensure encryption key: %w", err)
-	}
-
-	LogConfigInfo(mgmtConfig)
-
-	s.mgmtSrv, err = createManagementServer(cfg, mgmtConfig)
-	if err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to create management server: %w", err)
-	}
-
-	// Inject externally-managed AppMetrics so management uses the shared metrics server
-	appMetrics, err := telemetry.NewAppMetricsWithMeter(ctx, s.metricsServer.Meter)
-	if err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to create management app metrics: %w", err)
-	}
-	mgmtServer.Inject[telemetry.AppMetrics](s.mgmtSrv, appMetrics)
-
-	log.Infof("Management server created")
-	return nil
-}
-
-func (s *serverInstances) createSignalServer(ctx context.Context, cfg *CombinedConfig) error {
-	if !cfg.Signal.Enabled {
-		return nil
-	}
-
-	var err error
-	s.signalSrv, err = signalServer.NewServer(ctx, s.metricsServer.Meter, "signal_")
-	if err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to create signal server: %w", err)
-	}
-
-	log.Infof("Signal server created")
-	return nil
-}
-
-func (s *serverInstances) createHealthcheckServer(cfg *CombinedConfig) error {
-	hCfg := healthcheck.Config{
-		ListenAddress:  cfg.Server.HealthcheckAddress,
-		ServiceChecker: s.relaySrv,
-	}
-
-	var err error
-	s.healthcheck, err = createHealthCheck(hCfg, s.stunListeners)
-	return err
-}
-
-// setupServerHooks registers services with management's gRPC server.
-func setupServerHooks(servers *serverInstances, cfg *CombinedConfig) {
-	if servers.mgmtSrv == nil {
-		return
-	}
-
-	servers.mgmtSrv.AfterInit(func(s *mgmtServer.BaseServer) {
-		grpcSrv := s.GRPCServer()
-
-		if servers.signalSrv != nil {
-			proto.RegisterSignalExchangeServer(grpcSrv, servers.signalSrv)
-			log.Infof("Signal server registered on port %s", cfg.Server.ListenAddress)
-		}
-
-		s.SetHandlerFunc(createCombinedHandler(grpcSrv, s.APIHandler(), servers.relaySrv, servers.metricsServer.Meter, cfg))
-		if servers.relaySrv != nil {
-			log.Infof("Relay WebSocket handler added (path: /relay)")
-		}
-	})
-}
-
-func startServers(wg *sync.WaitGroup, srv *relayServer.Server, httpHealthcheck *healthcheck.Server, stunServer *stun.Server, metricsServer *sharedMetrics.Metrics) {
-	if srv != nil {
-		instanceURL := srv.InstanceURL()
-		log.Infof("Relay server instance URL: %s", instanceURL.String())
-		log.Infof("Relay WebSocket multiplexed on management port (no separate relay listener)")
-	}
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		log.Infof("running metrics server: %s%s", metricsServer.Addr, metricsServer.Endpoint)
-		if err := metricsServer.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
-			log.Fatalf("failed to start metrics server: %v", err)
-		}
-	}()
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		if err := httpHealthcheck.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
-			log.Fatalf("failed to start healthcheck server: %v", err)
-		}
-	}()
-
-	if stunServer != nil {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			if err := stunServer.Listen(); err != nil {
-				if errors.Is(err, stun.ErrServerClosed) {
-					return
-				}
-				log.Errorf("STUN server error: %v", err)
-			}
-		}()
-	}
-}
-
-func shutdownServers(ctx context.Context, srv *relayServer.Server, httpHealthcheck *healthcheck.Server, stunServer *stun.Server, mgmtSrv *mgmtServer.BaseServer, metricsServer *sharedMetrics.Metrics) error {
-	var errs error
-
-	if err := httpHealthcheck.Shutdown(ctx); err != nil {
-		errs = multierror.Append(errs, fmt.Errorf("failed to close healthcheck server: %w", err))
-	}
-
-	if stunServer != nil {
-		if err := stunServer.Shutdown(); err != nil {
-			errs = multierror.Append(errs, fmt.Errorf("failed to close STUN server: %w", err))
-		}
-	}
-
-	if srv != nil {
-		if err := srv.Shutdown(ctx); err != nil {
-			errs = multierror.Append(errs, fmt.Errorf("failed to close relay server: %w", err))
-		}
-	}
-
-	if mgmtSrv != nil {
-		log.Infof("shutting down management and signal servers")
-		if err := mgmtSrv.Stop(); err != nil {
-			errs = multierror.Append(errs, fmt.Errorf("failed to close management server: %w", err))
-		}
-	}
-
-	if metricsServer != nil {
-		log.Infof("shutting down metrics server")
-		if err := metricsServer.Shutdown(ctx); err != nil {
-			errs = multierror.Append(errs, fmt.Errorf("failed to close metrics server: %w", err))
-		}
-	}
-
-	return errs
-}
-
-func createHealthCheck(hCfg healthcheck.Config, stunListeners []*net.UDPConn) (*healthcheck.Server, error) {
-	httpHealthcheck, err := healthcheck.NewServer(hCfg)
-	if err != nil {
-		cleanupSTUNListeners(stunListeners)
-		return nil, fmt.Errorf("failed to create healthcheck server: %w", err)
-	}
-	return httpHealthcheck, nil
-}
-
-func createRelayServer(cfg relayServer.Config, stunListeners []*net.UDPConn) (*relayServer.Server, error) {
-	srv, err := relayServer.NewServer(cfg)
-	if err != nil {
-		cleanupSTUNListeners(stunListeners)
-		return nil, fmt.Errorf("failed to create relay server: %w", err)
-	}
-	return srv, nil
-}
-
-func cleanupSTUNListeners(stunListeners []*net.UDPConn) {
-	for _, l := range stunListeners {
-		_ = l.Close()
-	}
-}
-
-func createSTUNListeners(cfg *CombinedConfig) ([]*net.UDPConn, error) {
-	var stunListeners []*net.UDPConn
-	if cfg.Relay.Stun.Enabled {
-		for _, port := range cfg.Relay.Stun.Ports {
-			listener, err := net.ListenUDP("udp", &net.UDPAddr{Port: port})
-			if err != nil {
-				cleanupSTUNListeners(stunListeners)
-				return nil, fmt.Errorf("failed to create STUN listener on port %d: %w", port, err)
-			}
-			stunListeners = append(stunListeners, listener)
-			log.Infof("STUN server listening on UDP port %d", port)
-		}
-	}
-	return stunListeners, nil
-}
-
-func handleTLSConfig(cfg *CombinedConfig) (*tls.Config, bool, error) {
-	tlsCfg := cfg.Server.TLS
-
-	if tlsCfg.LetsEncrypt.AWSRoute53 {
-		log.Debugf("using Let's Encrypt DNS resolver with Route 53 support")
-		r53 := encryption.Route53TLS{
-			DataDir: tlsCfg.LetsEncrypt.DataDir,
-			Email:   tlsCfg.LetsEncrypt.Email,
-			Domains: tlsCfg.LetsEncrypt.Domains,
-		}
-		tc, err := r53.GetCertificate()
-		if err != nil {
-			return nil, false, err
-		}
-		return tc, true, nil
-	}
-
-	if cfg.HasLetsEncrypt() {
-		log.Infof("setting up TLS with Let's Encrypt")
-		certManager, err := encryption.CreateCertManager(tlsCfg.LetsEncrypt.DataDir, tlsCfg.LetsEncrypt.Domains...)
-		if err != nil {
-			return nil, false, fmt.Errorf("failed creating LetsEncrypt cert manager: %w", err)
-		}
-		return certManager.TLSConfig(), true, nil
-	}
-
-	if cfg.HasTLSCert() {
-		log.Debugf("using file based TLS config")
-		tc, err := encryption.LoadTLSConfig(tlsCfg.CertFile, tlsCfg.KeyFile)
-		if err != nil {
-			return nil, false, err
-		}
-		return tc, true, nil
-	}
-
-	return nil, false, nil
-}
-
-func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (*mgmtServer.BaseServer, error) {
-	mgmt := cfg.Management
-
-	dnsDomain := mgmt.DnsDomain
-	singleAccModeDomain := dnsDomain
-
-	// Extract port from listen address
-	_, portStr, err := net.SplitHostPort(cfg.Server.ListenAddress)
-	if err != nil {
-		// If no port specified, assume default
-		portStr = "443"
-	}
-	mgmtPort, _ := strconv.Atoi(portStr)
-
-	mgmtSrv := mgmtServer.NewServer(
-		&mgmtServer.Config{
-			NbConfig:                mgmtConfig,
-			DNSDomain:               dnsDomain,
-			MgmtSingleAccModeDomain: singleAccModeDomain,
-			MgmtPort:                mgmtPort,
-			MgmtMetricsPort:         cfg.Server.MetricsPort,
-			DisableMetrics:          mgmt.DisableAnonymousMetrics,
-			DisableGeoliteUpdate:    mgmt.DisableGeoliteUpdate,
-			// Always enable user deletion from IDP in combined server (embedded IdP is always enabled)
-			UserDeleteFromIDPEnabled: true,
-		},
-	)
-
-	return mgmtSrv, nil
-}
-
-// createCombinedHandler creates an HTTP handler that multiplexes Management, Signal (via wsproxy), and Relay WebSocket traffic
-func createCombinedHandler(grpcServer *grpc.Server, httpHandler http.Handler, relaySrv *relayServer.Server, meter metric.Meter, cfg *CombinedConfig) http.Handler {
-	wsProxy := wsproxyserver.New(grpcServer, wsproxyserver.WithOTelMeter(meter))
-
-	var relayAcceptFn func(conn net.Conn)
-	if relaySrv != nil {
-		relayAcceptFn = relaySrv.RelayAccept()
-	}
-
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch {
-		// Native gRPC traffic (HTTP/2 with gRPC content-type)
-		case r.ProtoMajor == 2 && (strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc") ||
-			strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc+proto")):
-			grpcServer.ServeHTTP(w, r)
-
-		// WebSocket proxy for Management gRPC
-		case r.URL.Path == wsproxy.ProxyPath+wsproxy.ManagementComponent:
-			wsProxy.Handler().ServeHTTP(w, r)
-
-		// WebSocket proxy for Signal gRPC
-		case r.URL.Path == wsproxy.ProxyPath+wsproxy.SignalComponent:
-			if cfg.Signal.Enabled {
-				wsProxy.Handler().ServeHTTP(w, r)
-			} else {
-				http.Error(w, "Signal service not enabled", http.StatusNotFound)
-			}
-
-		// Relay WebSocket
-		case r.URL.Path == "/relay":
-			if relayAcceptFn != nil {
-				handleRelayWebSocket(w, r, relayAcceptFn, cfg)
-			} else {
-				http.Error(w, "Relay service not enabled", http.StatusNotFound)
-			}
-
-		// Management HTTP API (default)
-		default:
-			httpHandler.ServeHTTP(w, r)
-		}
-	})
-}
-
-// handleRelayWebSocket handles incoming WebSocket connections for the relay service
-func handleRelayWebSocket(w http.ResponseWriter, r *http.Request, acceptFn func(conn net.Conn), cfg *CombinedConfig) {
-	acceptOptions := &websocket.AcceptOptions{
-		OriginPatterns: []string{"*"},
-	}
-
-	wsConn, err := websocket.Accept(w, r, acceptOptions)
-	if err != nil {
-		log.Errorf("failed to accept relay ws connection: %s", err)
-		return
-	}
-
-	connRemoteAddr := r.RemoteAddr
-	if r.Header.Get("X-Real-Ip") != "" && r.Header.Get("X-Real-Port") != "" {
-		connRemoteAddr = net.JoinHostPort(r.Header.Get("X-Real-Ip"), r.Header.Get("X-Real-Port"))
-	}
-
-	rAddr, err := net.ResolveTCPAddr("tcp", connRemoteAddr)
-	if err != nil {
-		_ = wsConn.Close(websocket.StatusInternalError, "internal error")
-		return
-	}
-
-	lAddr, err := net.ResolveTCPAddr("tcp", cfg.Server.ListenAddress)
-	if err != nil {
-		_ = wsConn.Close(websocket.StatusInternalError, "internal error")
-		return
-	}
-
-	log.Debugf("Relay WS client connected from: %s", rAddr)
-
-	conn := ws.NewConn(wsConn, lAddr, rAddr)
-	acceptFn(conn)
-}
-
-// logConfig prints all configuration parameters for debugging
-func logConfig(cfg *CombinedConfig) {
-	log.Info("=== Configuration ===")
-	logServerConfig(cfg)
-	logComponentsConfig(cfg)
-	logRelayConfig(cfg)
-	logManagementConfig(cfg)
-	log.Info("=== End Configuration ===")
-}
-
-func logServerConfig(cfg *CombinedConfig) {
-	log.Info("--- Server ---")
-	log.Infof("  Listen address: %s", cfg.Server.ListenAddress)
-	log.Infof("  Exposed address: %s", cfg.Server.ExposedAddress)
-	log.Infof("  Healthcheck address: %s", cfg.Server.HealthcheckAddress)
-	log.Infof("  Metrics port: %d", cfg.Server.MetricsPort)
-	log.Infof("  Log level: %s", cfg.Server.LogLevel)
-	log.Infof("  Data dir: %s", cfg.Server.DataDir)
-
-	switch {
-	case cfg.HasTLSCert():
-		log.Infof("  TLS: cert=%s, key=%s", cfg.Server.TLS.CertFile, cfg.Server.TLS.KeyFile)
-	case cfg.HasLetsEncrypt():
-		log.Infof("  TLS: Let's Encrypt (domains=%v)", cfg.Server.TLS.LetsEncrypt.Domains)
-	default:
-		log.Info("  TLS: disabled (using reverse proxy)")
-	}
-}
-
-func logComponentsConfig(cfg *CombinedConfig) {
-	log.Info("--- Components ---")
-	log.Infof("  Management: %v (log level: %s)", cfg.Management.Enabled, cfg.Management.LogLevel)
-	log.Infof("  Signal: %v (log level: %s)", cfg.Signal.Enabled, cfg.Signal.LogLevel)
-	log.Infof("  Relay: %v (log level: %s)", cfg.Relay.Enabled, cfg.Relay.LogLevel)
-}
-
-func logRelayConfig(cfg *CombinedConfig) {
-	if !cfg.Relay.Enabled {
-		return
-	}
-	log.Info("--- Relay ---")
-	log.Infof("  Exposed address: %s", cfg.Relay.ExposedAddress)
-	log.Infof("  Auth secret: %s...", maskSecret(cfg.Relay.AuthSecret))
-	if cfg.Relay.Stun.Enabled {
-		log.Infof("  STUN ports: %v (log level: %s)", cfg.Relay.Stun.Ports, cfg.Relay.Stun.LogLevel)
-	} else {
-		log.Info("  STUN: disabled")
-	}
-}
-
-func logManagementConfig(cfg *CombinedConfig) {
-	if !cfg.Management.Enabled {
-		return
-	}
-	log.Info("--- Management ---")
-	log.Infof("  Data dir: %s", cfg.Management.DataDir)
-	log.Infof("  DNS domain: %s", cfg.Management.DnsDomain)
-	log.Infof("  Store engine: %s", cfg.Management.Store.Engine)
-	if cfg.Server.Store.DSN != "" {
-		log.Infof("  Store DSN: %s", maskDSNPassword(cfg.Server.Store.DSN))
-	}
-
-	log.Info("  Auth (embedded IdP):")
-	log.Infof("    Issuer: %s", cfg.Management.Auth.Issuer)
-	log.Infof("    Dashboard redirect URIs: %v", cfg.Management.Auth.DashboardRedirectURIs)
-	log.Infof("    CLI redirect URIs: %v", cfg.Management.Auth.CLIRedirectURIs)
-
-	log.Info("  Client settings:")
-	log.Infof("    Signal URI: %s", cfg.Management.SignalURI)
-	for _, s := range cfg.Management.Stuns {
-		log.Infof("    STUN: %s", s.URI)
-	}
-	if len(cfg.Management.Relays.Addresses) > 0 {
-		log.Infof("    Relay addresses: %v", cfg.Management.Relays.Addresses)
-		log.Infof("    Relay credentials TTL: %s", cfg.Management.Relays.CredentialsTTL)
-	}
-}
-
-// logEnvVars logs all NB_ environment variables that are currently set
-func logEnvVars() {
-	log.Info("=== Environment Variables ===")
-	found := false
-	for _, env := range os.Environ() {
-		if strings.HasPrefix(env, "NB_") {
-			key, _, _ := strings.Cut(env, "=")
-			value := os.Getenv(key)
-			if strings.Contains(strings.ToLower(key), "secret") || strings.Contains(strings.ToLower(key), "key") || strings.Contains(strings.ToLower(key), "password") {
-				value = maskSecret(value)
-			}
-			log.Infof("  %s=%s", key, value)
-			found = true
-		}
-	}
-	if !found {
-		log.Info("  (none set)")
-	}
-	log.Info("=== End Environment Variables ===")
-}
-
-// maskDSNPassword masks the password in a DSN string.
-// Handles both key=value format ("password=secret") and URI format ("user:secret@host").
-func maskDSNPassword(dsn string) string {
-	// Key=value format: "host=localhost user=nb password=secret dbname=nb"
-	if strings.Contains(dsn, "password=") {
-		parts := strings.Fields(dsn)
-		for i, p := range parts {
-			if strings.HasPrefix(p, "password=") {
-				parts[i] = "password=****"
-			}
-		}
-		return strings.Join(parts, " ")
-	}
-
-	// URI format: "user:password@host..."
-	if atIdx := strings.Index(dsn, "@"); atIdx != -1 {
-		prefix := dsn[:atIdx]
-		if colonIdx := strings.Index(prefix, ":"); colonIdx != -1 {
-			return prefix[:colonIdx+1] + "****" + dsn[atIdx:]
-		}
-	}
-
-	return dsn
-}
-
-// maskSecret returns first 4 chars of secret followed by "..."
-func maskSecret(secret string) string {
-	if len(secret) <= 4 {
-		return "****"
-	}
-	return secret[:4] + "..."
-}

combined/cmd/token.go

@@ -1,60 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/formatter/hook"
-	tokencmd "github.com/netbirdio/netbird/management/cmd/token"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/util"
-)
-
-// newTokenCommands creates the token command tree with combined-specific store opener.
-func newTokenCommands() *cobra.Command {
-	return tokencmd.NewCommands(withTokenStore)
-}
-
-// withTokenStore loads the combined YAML config, initializes the store, and calls fn.
-func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error {
-	if err := util.InitLog("error", "console"); err != nil {
-		return fmt.Errorf("init log: %w", err)
-	}
-
-	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource) //nolint:staticcheck
-
-	cfg, err := LoadConfig(configPath)
-	if err != nil {
-		return fmt.Errorf("load config: %w", err)
-	}
-
-	if dsn := cfg.Server.Store.DSN; dsn != "" {
-		switch strings.ToLower(cfg.Server.Store.Engine) {
-		case "postgres":
-			os.Setenv("NB_STORE_ENGINE_POSTGRES_DSN", dsn)
-		case "mysql":
-			os.Setenv("NB_STORE_ENGINE_MYSQL_DSN", dsn)
-		}
-	}
-
-	datadir := cfg.Management.DataDir
-	engine := types.Engine(cfg.Management.Store.Engine)
-
-	s, err := store.NewStore(ctx, engine, datadir, nil, true)
-	if err != nil {
-		return fmt.Errorf("create store: %w", err)
-	}
-	defer func() {
-		if err := s.Close(ctx); err != nil {
-			log.Debugf("close store: %v", err)
-		}
-	}()
-
-	return fn(ctx, s)
-}

combined/config-simple.yaml.example

@@ -1,111 +0,0 @@
-# NetBird Combined Server Configuration
-# Copy this file to config.yaml and customize for your deployment
-#
-# This is a Management server with optional embedded Signal, Relay, and STUN services.
-# By default, all services run locally. You can use external services instead by
-# setting the corresponding override fields.
-#
-# Architecture:
-#   - Management: Always runs locally (this IS the management server)
-#   - Signal: Local by default; set 'signalUri' to use external (disables local)
-#   - Relay: Local by default; set 'relays' to use external (disables local)
-#   - STUN: Local on port 3478 by default; set 'stuns' to use external instead
-
-server:
-  # Main HTTP/gRPC port for all services (Management, Signal, Relay)
-  listenAddress: ":443"
-
-  # Public address that peers will use to connect to this server
-  # Used for relay connections and management DNS domain
-  # Format: protocol://hostname:port (e.g., https://server.mycompany.com:443)
-  exposedAddress: "https://server.mycompany.com:443"
-
-  # STUN server ports (defaults to [3478] if not specified; set 'stuns' to use external)
-  # stunPorts:
-  #   - 3478
-
-  # Metrics endpoint port
-  metricsPort: 9090
-
-  # Healthcheck endpoint address
-  healthcheckAddress: ":9000"
-
-  # Logging configuration
-  logLevel: "info"    # Default log level for all components: panic, fatal, error, warn, info, debug, trace
-  logFile: "console"  # "console" or path to log file
-
-  # TLS configuration (optional)
-  tls:
-    certFile: ""
-    keyFile: ""
-    letsencrypt:
-      enabled: false
-      dataDir: ""
-      domains: []
-      email: ""
-      awsRoute53: false
-
-  # Shared secret for relay authentication (required when running local relay)
-  authSecret: "your-secret-key-here"
-
-  # Data directory for all services
-  dataDir: "/var/lib/netbird/"
-
-  # ============================================================================
-  # External Service Overrides (optional)
-  # Use these to point to external Signal, Relay, or STUN servers instead of
-  # running them locally. When set, the corresponding local service is disabled.
-  # ============================================================================
-
-  # External STUN servers - disables local STUN server
-  # stuns:
-  #   - uri: "stun:stun.example.com:3478"
-  #   - uri: "stun:stun.example.com:3479"
-
-  # External relay servers - disables local relay server
-  # relays:
-  #   addresses:
-  #     - "rels://relay.example.com:443"
-  #   credentialsTTL: "12h"
-  #   secret: "relay-shared-secret"
-
-  # External signal server - disables local signal server
-  # signalUri: "https://signal.example.com:443"
-
-  # ============================================================================
-  # Management Settings
-  # ============================================================================
-
-  # Metrics and updates
-  disableAnonymousMetrics: false
-  disableGeoliteUpdate: false
-
-  # Embedded authentication/identity provider (Dex) configuration (always enabled)
-  auth:
-    # OIDC issuer URL - must be publicly accessible
-    issuer: "https://server.mycompany.com/oauth2"
-    localAuthDisabled: false
-    signKeyRefreshEnabled: false
-    # OAuth2 redirect URIs for dashboard
-    dashboardRedirectURIs:
-      - "https://app.netbird.io/nb-auth"
-      - "https://app.netbird.io/nb-silent-auth"
-    # OAuth2 redirect URIs for CLI
-    cliRedirectURIs:
-      - "http://localhost:53000/"
-    # Optional initial admin user
-    # owner:
-    #   email: "admin@example.com"
-    #   password: "initial-password"
-
-  # Store configuration
-  store:
-    engine: "sqlite"  # sqlite, postgres, or mysql
-    dsn: ""  # Connection string for postgres or mysql
-    encryptionKey: ""
-
-  # Reverse proxy settings (optional)
-  # reverseProxy:
-  #   trustedHTTPProxies: []
-  #   trustedHTTPProxiesCount: 0
-  #   trustedPeers: []

combined/config.yaml.example

@@ -1,115 +0,0 @@
-# Simplified Combined NetBird Server Configuration
-# Copy this file to config.yaml and customize for your deployment
-
-# Server-wide settings
-server:
-  # Main HTTP/gRPC port for all services (Management, Signal, Relay)
-  listenAddress: ":443"
-
-  # Metrics endpoint port
-  metricsPort: 9090
-
-  # Healthcheck endpoint address
-  healthcheckAddress: ":9000"
-
-  # Logging configuration
-  logLevel: "info"    # panic, fatal, error, warn, info, debug, trace
-  logFile: "console"  # "console" or path to log file
-
-  # TLS configuration (optional)
-  tls:
-    certFile: ""
-    keyFile: ""
-    letsencrypt:
-      enabled: false
-      dataDir: ""
-      domains: []
-      email: ""
-      awsRoute53: false
-
-# Relay service configuration
-relay:
-  # Enable/disable the relay service
-  enabled: true
-
-  # Public address that peers will use to connect to this relay
-  # Format: hostname:port or ip:port
-  exposedAddress: "relay.example.com:443"
-
-  # Shared secret for relay authentication (required when enabled)
-  authSecret: "your-secret-key-here"
-
-  # Log level for relay (reserved for future use, currently uses global log level)
-  logLevel: "info"
-
-  # Embedded STUN server (optional)
-  stun:
-    enabled: false
-    ports: [3478]
-    logLevel: "info"
-
-# Signal service configuration
-signal:
-  # Enable/disable the signal service
-  enabled: true
-
-  # Log level for signal (reserved for future use, currently uses global log level)
-  logLevel: "info"
-
-# Management service configuration
-management:
-  # Enable/disable the management service
-  enabled: true
-
-  # Data directory for management service
-  dataDir: "/var/lib/netbird/"
-
-  # DNS domain for the management server
-  dnsDomain: ""
-
-  # Metrics and updates
-  disableAnonymousMetrics: false
-  disableGeoliteUpdate: false
-
-  auth:
-    # OIDC issuer URL - must be publicly accessible
-    issuer: "https://management.example.com/oauth2"
-    localAuthDisabled: false
-    signKeyRefreshEnabled: false
-    # OAuth2 redirect URIs for dashboard
-    dashboardRedirectURIs:
-      - "https://app.example.com/nb-auth"
-      - "https://app.example.com/nb-silent-auth"
-    # OAuth2 redirect URIs for CLI
-    cliRedirectURIs:
-      - "http://localhost:53000/"
-    # Optional initial admin user
-    # owner:
-    #   email: "admin@example.com"
-    #   password: "initial-password"
-
-  # External STUN servers (for client config)
-  stuns: []
-  #  - uri: "stun:stun.example.com:3478"
-
-  # External relay servers (for client config)
-  relays:
-    addresses: []
-    #  - "rels://relay.example.com:443"
-    credentialsTTL: "12h"
-    secret: ""
-
-  # External signal server URI (for client config)
-  signalUri: ""
-
-  # Store configuration
-  store:
-    engine: "sqlite"  # sqlite, postgres, or mysql
-    dsn: ""  # Connection string for postgres or mysql
-    encryptionKey: ""
-
-  # Reverse proxy settings
-  reverseProxy:
-    trustedHTTPProxies: []
-    trustedHTTPProxiesCount: 0
-    trustedPeers: []

combined/main.go

@@ -1,13 +0,0 @@
-package main
-
-import (
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/combined/cmd"
-)
-
-func main() {
-	if err := cmd.Execute(); err != nil {
-		log.Fatalf("failed to execute command: %v", err)
-	}
-}

go.mod

@@ -40,7 +40,8 @@ require (
 	github.com/c-robinson/iplib v1.0.3
 	github.com/caddyserver/certmagic v0.21.3
 	github.com/cilium/ebpf v0.15.0
-	github.com/coder/websocket v1.8.14
+	github.com/cloudflare/backoff v0.0.0-20240920015135-e46b80a3a7d0
+	github.com/coder/websocket v1.8.13
 	github.com/coreos/go-iptables v0.7.0
 	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/creack/pty v1.1.24
@@ -69,7 +70,7 @@ require (
 	github.com/mdlayher/socket v0.5.1
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20260210160626-df4b180c7b25
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20260122111742-a6f99668844f
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45
 	github.com/oapi-codegen/runtime v1.1.2
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
@@ -83,7 +84,6 @@ require (
 	github.com/pion/stun/v3 v3.1.0
 	github.com/pion/transport/v3 v3.1.1
 	github.com/pion/turn/v3 v3.0.1
-	github.com/pires/go-proxyproto v0.11.0
 	github.com/pkg/sftp v1.13.9
 	github.com/prometheus/client_golang v1.23.2
 	github.com/quic-go/quic-go v0.55.0

go.sum

@@ -107,8 +107,10 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
-github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
-github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
+github.com/cloudflare/backoff v0.0.0-20240920015135-e46b80a3a7d0 h1:pRcxfaAlK0vR6nOeQs7eAEvjJzdGXl8+KaBlcvpQTyQ=
+github.com/cloudflare/backoff v0.0.0-20240920015135-e46b80a3a7d0/go.mod h1:rzgs2ZOiguV6/NpiDgADjRLPNyZlApIWxKpkT+X8SdY=
+github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
+github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
 github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=
 github.com/containerd/containerd v1.7.29/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
@@ -406,8 +408,8 @@ github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6S
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51/go.mod h1:ZSIbPdBn5hePO8CpF1PekH2SfpTxg1PDhEwtbqZS7R8=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20260210160626-df4b180c7b25 h1:iwAq/Ncaq0etl4uAlVsbNBzC1yY52o0AmY7uCm2AMTs=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20260210160626-df4b180c7b25/go.mod h1:y7CxagMYzg9dgu+masRqYM7BQlOGA5Y8US85MCNFPlY=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20260122111742-a6f99668844f h1:CTBf0je/FpKr2lVSMZLak7m8aaWcS6ur4SOfhSSazFI=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20260122111742-a6f99668844f/go.mod h1:y7CxagMYzg9dgu+masRqYM7BQlOGA5Y8US85MCNFPlY=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ=
@@ -474,8 +476,6 @@ github.com/pion/turn/v3 v3.0.1 h1:wLi7BTQr6/Q20R0vt/lHbjv6y4GChFtC33nkYbasoT8=
 github.com/pion/turn/v3 v3.0.1/go.mod h1:MrJDKgqryDyWy1/4NT9TWfXWGMC7UHT6pJIv1+gMeNE=
 github.com/pion/turn/v4 v4.1.1 h1:9UnY2HB99tpDyz3cVVZguSxcqkJ1DsTSZ+8TGruh4fc=
 github.com/pion/turn/v4 v4.1.1/go.mod h1:2123tHk1O++vmjI5VSD0awT50NywDAq5A2NNNU4Jjs8=
-github.com/pires/go-proxyproto v0.11.0 h1:gUQpS85X/VJMdUsYyEgyn59uLJvGqPhJV5YvG68wXH4=
-github.com/pires/go-proxyproto v0.11.0/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

idp/dex/connector.go

@@ -327,60 +327,6 @@ func ensureLocalConnector(ctx context.Context, stor storage.Storage) error {
 	return nil
 }
 
-// HasNonLocalConnectors checks if there are any connectors other than the local connector.
-func (p *Provider) HasNonLocalConnectors(ctx context.Context) (bool, error) {
-	connectors, err := p.storage.ListConnectors(ctx)
-	if err != nil {
-		return false, fmt.Errorf("failed to list connectors: %w", err)
-	}
-
-	p.logger.Info("checking for non-local connectors", "total_connectors", len(connectors))
-	for _, conn := range connectors {
-		p.logger.Info("found connector in storage", "id", conn.ID, "type", conn.Type, "name", conn.Name)
-		if conn.ID != "local" || conn.Type != "local" {
-			p.logger.Info("found non-local connector", "id", conn.ID)
-			return true, nil
-		}
-	}
-	p.logger.Info("no non-local connectors found")
-	return false, nil
-}
-
-// DisableLocalAuth removes the local (password) connector.
-// Returns an error if no other connectors are configured.
-func (p *Provider) DisableLocalAuth(ctx context.Context) error {
-	hasOthers, err := p.HasNonLocalConnectors(ctx)
-	if err != nil {
-		return err
-	}
-	if !hasOthers {
-		return fmt.Errorf("cannot disable local authentication: no other identity providers configured")
-	}
-
-	// Check if local connector exists
-	_, err = p.storage.GetConnector(ctx, "local")
-	if errors.Is(err, storage.ErrNotFound) {
-		// Already disabled
-		return nil
-	}
-	if err != nil {
-		return fmt.Errorf("failed to check local connector: %w", err)
-	}
-
-	// Delete the local connector
-	if err := p.storage.DeleteConnector(ctx, "local"); err != nil {
-		return fmt.Errorf("failed to delete local connector: %w", err)
-	}
-
-	p.logger.Info("local authentication disabled")
-	return nil
-}
-
-// EnableLocalAuth creates the local (password) connector if it doesn't exist.
-func (p *Provider) EnableLocalAuth(ctx context.Context) error {
-	return ensureLocalConnector(ctx, p.storage)
-}
-
 // ensureStaticConnectors creates or updates static connectors in storage
 func ensureStaticConnectors(ctx context.Context, stor storage.Storage, connectors []Connector) error {
 	for _, conn := range connectors {

idp/dex/provider.go

@@ -99,16 +99,15 @@ func NewProvider(ctx context.Context, config *Config) (*Provider, error) {
 
 	// Build Dex server config - use Dex's types directly
 	dexConfig := server.Config{
-		Issuer:                     issuer,
-		Storage:                    stor,
-		SkipApprovalScreen:         true,
-		SupportedResponseTypes:     []string{"code"},
-		ContinueOnConnectorFailure: true,
-		Logger:                     logger,
-		PrometheusRegistry:         prometheus.NewRegistry(),
-		RotateKeysAfter:            6 * time.Hour,
-		IDTokensValidFor:           24 * time.Hour,
-		RefreshTokenPolicy:         refreshPolicy,
+		Issuer:                 issuer,
+		Storage:                stor,
+		SkipApprovalScreen:     true,
+		SupportedResponseTypes: []string{"code"},
+		Logger:                 logger,
+		PrometheusRegistry:     prometheus.NewRegistry(),
+		RotateKeysAfter:        6 * time.Hour,
+		IDTokensValidFor:       24 * time.Hour,
+		RefreshTokenPolicy:     refreshPolicy,
 		Web: server.WebConfig{
 			Issuer: "NetBird",
 		},
@@ -261,7 +260,6 @@ func buildDexConfig(yamlConfig *YAMLConfig, stor storage.Storage, logger *slog.L
 	if len(cfg.SupportedResponseTypes) == 0 {
 		cfg.SupportedResponseTypes = []string{"code"}
 	}
-	cfg.ContinueOnConnectorFailure = true
 	return cfg
 }
 

idp/dex/provider_test.go

@@ -2,7 +2,6 @@ package dex
 
 import (
 	"context"
-	"log/slog"
 	"os"
 	"path/filepath"
 	"testing"
@@ -196,64 +195,3 @@ enablePasswordDB: true
 
 	t.Logf("User lookup successful: rawID=%s, connectorID=%s", rawID, connID)
 }
-
-func TestNewProvider_ContinueOnConnectorFailure(t *testing.T) {
-	ctx := context.Background()
-
-	tmpDir, err := os.MkdirTemp("", "dex-connector-failure-*")
-	require.NoError(t, err)
-	defer os.RemoveAll(tmpDir)
-
-	config := &Config{
-		Issuer:  "http://localhost:5556/dex",
-		Port:    5556,
-		DataDir: tmpDir,
-	}
-
-	provider, err := NewProvider(ctx, config)
-	require.NoError(t, err)
-	defer func() { _ = provider.Stop(ctx) }()
-
-	// The provider should have started successfully even though
-	// ContinueOnConnectorFailure is an internal Dex config field.
-	// We verify the provider is functional by performing a basic operation.
-	assert.NotNil(t, provider.dexServer)
-	assert.NotNil(t, provider.storage)
-}
-
-func TestBuildDexConfig_ContinueOnConnectorFailure(t *testing.T) {
-	tmpDir, err := os.MkdirTemp("", "dex-build-config-*")
-	require.NoError(t, err)
-	defer os.RemoveAll(tmpDir)
-
-	yamlContent := `
-issuer: http://localhost:5556/dex
-storage:
-  type: sqlite3
-  config:
-    file: ` + filepath.Join(tmpDir, "dex.db") + `
-web:
-  http: 127.0.0.1:5556
-enablePasswordDB: true
-`
-	configPath := filepath.Join(tmpDir, "config.yaml")
-	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
-	require.NoError(t, err)
-
-	yamlConfig, err := LoadConfig(configPath)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	stor, err := yamlConfig.Storage.OpenStorage(slog.New(slog.NewTextHandler(os.Stderr, nil)))
-	require.NoError(t, err)
-	defer stor.Close()
-
-	err = initializeStorage(ctx, stor, yamlConfig)
-	require.NoError(t, err)
-
-	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
-	cfg := buildDexConfig(yamlConfig, stor, logger)
-
-	assert.True(t, cfg.ContinueOnConnectorFailure,
-		"buildDexConfig must set ContinueOnConnectorFailure to true so management starts even if an external IdP is down")
-}

management/Dockerfile.multistage

@@ -1,17 +0,0 @@
-FROM golang:1.25-bookworm AS builder
-WORKDIR /app
-
-# Install build dependencies
-RUN apt-get update && apt-get install -y gcc libc6-dev && rm -rf /var/lib/apt/lists/*
-
-COPY go.mod go.sum ./
-RUN go mod download
-
-COPY . .
-RUN CGO_ENABLED=1 GOOS=linux go build -ldflags="-s -w" -o netbird-mgmt ./management
-
-FROM ubuntu:24.04
-RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
-ENTRYPOINT [ "/go/bin/netbird-mgmt","management"]
-CMD ["--log-file", "console"]
-COPY --from=builder /app/netbird-mgmt /go/bin/netbird-mgmt

management/cmd/management.go

@@ -19,8 +19,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	"github.com/netbirdio/netbird/management/server/types"
-
 	"github.com/netbirdio/netbird/formatter/hook"
 	"github.com/netbirdio/netbird/management/internals/server"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
@@ -29,11 +27,11 @@ import (
 	"github.com/netbirdio/netbird/util/crypt"
 )
 
-var newServer = func(cfg *server.Config) server.Server {
-	return server.NewServer(cfg)
+var newServer = func(config *nbconfig.Config, dnsDomain, mgmtSingleAccModeDomain string, mgmtPort int, mgmtMetricsPort int, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled bool) server.Server {
+	return server.NewServer(config, dnsDomain, mgmtSingleAccModeDomain, mgmtPort, mgmtMetricsPort, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled)
 }
 
-func SetNewServer(fn func(*server.Config) server.Server) {
+func SetNewServer(fn func(config *nbconfig.Config, dnsDomain, mgmtSingleAccModeDomain string, mgmtPort int, mgmtMetricsPort int, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled bool) server.Server) {
 	newServer = fn
 }
 
@@ -57,7 +55,7 @@ var (
 			// detect whether user specified a port
 			userPort := cmd.Flag("port").Changed
 
-			config, err = LoadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
+			config, err = loadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
 			if err != nil {
 				return fmt.Errorf("failed reading provided config file: %s: %v", nbconfig.MgmtConfigPath, err)
 			}
@@ -110,17 +108,7 @@ var (
 				mgmtSingleAccModeDomain = ""
 			}
 
-			srv := newServer(&server.Config{
-				NbConfig:                    config,
-				DNSDomain:                   dnsDomain,
-				MgmtSingleAccModeDomain:     mgmtSingleAccModeDomain,
-				MgmtPort:                    mgmtPort,
-				MgmtMetricsPort:             mgmtMetricsPort,
-				DisableLegacyManagementPort: disableLegacyManagementPort,
-				DisableMetrics:              disableMetrics,
-				DisableGeoliteUpdate:        disableGeoliteUpdate,
-				UserDeleteFromIDPEnabled:    userDeleteFromIDPEnabled,
-			})
+			srv := newServer(config, dnsDomain, mgmtSingleAccModeDomain, mgmtPort, mgmtMetricsPort, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled)
 			go func() {
 				if err := srv.Start(cmd.Context()); err != nil {
 					log.Fatalf("Server error: %v", err)
@@ -145,35 +133,35 @@ var (
 	}
 )
 
-func LoadMgmtConfig(ctx context.Context, mgmtConfigPath string) (*nbconfig.Config, error) {
+func loadMgmtConfig(ctx context.Context, mgmtConfigPath string) (*nbconfig.Config, error) {
 	loadedConfig := &nbconfig.Config{}
 	if _, err := util.ReadJsonWithEnvSub(mgmtConfigPath, loadedConfig); err != nil {
 		return nil, err
 	}
 
-	ApplyCommandLineOverrides(loadedConfig)
+	applyCommandLineOverrides(loadedConfig)
 
 	// Apply EmbeddedIdP config to HttpConfig if embedded IdP is enabled
-	err := ApplyEmbeddedIdPConfig(ctx, loadedConfig)
+	err := applyEmbeddedIdPConfig(ctx, loadedConfig)
 	if err != nil {
 		return nil, err
 	}
 
-	if err := ApplyOIDCConfig(ctx, loadedConfig); err != nil {
+	if err := applyOIDCConfig(ctx, loadedConfig); err != nil {
 		return nil, err
 	}
 
-	LogConfigInfo(loadedConfig)
+	logConfigInfo(loadedConfig)
 
-	if err := EnsureEncryptionKey(ctx, mgmtConfigPath, loadedConfig); err != nil {
+	if err := ensureEncryptionKey(ctx, mgmtConfigPath, loadedConfig); err != nil {
 		return nil, err
 	}
 
 	return loadedConfig, nil
 }
 
-// ApplyCommandLineOverrides applies command-line flag overrides to the config
-func ApplyCommandLineOverrides(cfg *nbconfig.Config) {
+// applyCommandLineOverrides applies command-line flag overrides to the config
+func applyCommandLineOverrides(cfg *nbconfig.Config) {
 	if mgmtLetsencryptDomain != "" {
 		cfg.HttpConfig.LetsEncryptDomain = mgmtLetsencryptDomain
 	}
@@ -186,9 +174,9 @@ func ApplyCommandLineOverrides(cfg *nbconfig.Config) {
 	}
 }
 
-// ApplyEmbeddedIdPConfig populates HttpConfig and EmbeddedIdP storage from config when embedded IdP is enabled.
+// applyEmbeddedIdPConfig populates HttpConfig and EmbeddedIdP storage from config when embedded IdP is enabled.
 // This allows users to only specify EmbeddedIdP config without duplicating values in HttpConfig.
-func ApplyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config) error {
+func applyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config) error {
 	if cfg.EmbeddedIdP == nil || !cfg.EmbeddedIdP.Enabled {
 		return nil
 	}
@@ -225,20 +213,17 @@ func ApplyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config) error {
 	// Set HttpConfig values from EmbeddedIdP
 	cfg.HttpConfig.AuthIssuer = issuer
 	cfg.HttpConfig.AuthAudience = "netbird-dashboard"
-	cfg.HttpConfig.AuthClientID = cfg.HttpConfig.AuthAudience
 	cfg.HttpConfig.CLIAuthAudience = "netbird-cli"
 	cfg.HttpConfig.AuthUserIDClaim = "sub"
 	cfg.HttpConfig.AuthKeysLocation = issuer + "/keys"
 	cfg.HttpConfig.OIDCConfigEndpoint = issuer + "/.well-known/openid-configuration"
 	cfg.HttpConfig.IdpSignKeyRefreshEnabled = true
-	callbackURL := strings.TrimSuffix(cfg.HttpConfig.AuthIssuer, "/oauth2")
-	cfg.HttpConfig.AuthCallbackURL = callbackURL + types.ProxyCallbackEndpointFull
 
 	return nil
 }
 
-// ApplyOIDCConfig fetches and applies OIDC configuration if endpoint is specified
-func ApplyOIDCConfig(ctx context.Context, cfg *nbconfig.Config) error {
+// applyOIDCConfig fetches and applies OIDC configuration if endpoint is specified
+func applyOIDCConfig(ctx context.Context, cfg *nbconfig.Config) error {
 	oidcEndpoint := cfg.HttpConfig.OIDCConfigEndpoint
 	if oidcEndpoint == "" {
 		return nil
@@ -264,16 +249,16 @@ func ApplyOIDCConfig(ctx context.Context, cfg *nbconfig.Config) error {
 		oidcConfig.JwksURI, cfg.HttpConfig.AuthKeysLocation)
 	cfg.HttpConfig.AuthKeysLocation = oidcConfig.JwksURI
 
-	if err := ApplyDeviceAuthFlowConfig(ctx, cfg, &oidcConfig, oidcEndpoint); err != nil {
+	if err := applyDeviceAuthFlowConfig(ctx, cfg, &oidcConfig, oidcEndpoint); err != nil {
 		return err
 	}
-	ApplyPKCEFlowConfig(ctx, cfg, &oidcConfig)
+	applyPKCEFlowConfig(ctx, cfg, &oidcConfig)
 
 	return nil
 }
 
-// ApplyDeviceAuthFlowConfig applies OIDC config to DeviceAuthorizationFlow if enabled
-func ApplyDeviceAuthFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse, oidcEndpoint string) error {
+// applyDeviceAuthFlowConfig applies OIDC config to DeviceAuthorizationFlow if enabled
+func applyDeviceAuthFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse, oidcEndpoint string) error {
 	if cfg.DeviceAuthorizationFlow == nil || strings.ToLower(cfg.DeviceAuthorizationFlow.Provider) == string(nbconfig.NONE) {
 		return nil
 	}
@@ -300,8 +285,8 @@ func ApplyDeviceAuthFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcCo
 	return nil
 }
 
-// ApplyPKCEFlowConfig applies OIDC config to PKCEAuthorizationFlow if configured
-func ApplyPKCEFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse) {
+// applyPKCEFlowConfig applies OIDC config to PKCEAuthorizationFlow if configured
+func applyPKCEFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse) {
 	if cfg.PKCEAuthorizationFlow == nil {
 		return
 	}
@@ -314,8 +299,8 @@ func ApplyPKCEFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *
 	cfg.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint = oidcConfig.AuthorizationEndpoint
 }
 
-// LogConfigInfo logs informational messages about the loaded configuration
-func LogConfigInfo(cfg *nbconfig.Config) {
+// logConfigInfo logs informational messages about the loaded configuration
+func logConfigInfo(cfg *nbconfig.Config) {
 	if cfg.EmbeddedIdP != nil {
 		log.Infof("running with the embedded IdP: %v", cfg.EmbeddedIdP.Issuer)
 	}
@@ -324,8 +309,8 @@ func LogConfigInfo(cfg *nbconfig.Config) {
 	}
 }
 
-// EnsureEncryptionKey generates and saves a DataStoreEncryptionKey if not set
-func EnsureEncryptionKey(ctx context.Context, configPath string, cfg *nbconfig.Config) error {
+// ensureEncryptionKey generates and saves a DataStoreEncryptionKey if not set
+func ensureEncryptionKey(ctx context.Context, configPath string, cfg *nbconfig.Config) error {
 	if cfg.DataStoreEncryptionKey != "" {
 		return nil
 	}

management/cmd/management_test.go

@@ -30,7 +30,7 @@ func Test_loadMgmtConfig(t *testing.T) {
 		t.Fatalf("failed to create config: %s", err)
 	}
 
-	cfg, err := LoadMgmtConfig(context.Background(), tmpFile)
+	cfg, err := loadMgmtConfig(context.Background(), tmpFile)
 	if err != nil {
 		t.Fatalf("failed to load management config: %s", err)
 	}

management/cmd/root.go

@@ -16,22 +16,21 @@ const (
 )
 
 var (
-	dnsDomain                   string
-	mgmtDataDir                 string
-	logLevel                    string
-	logFile                     string
-	disableMetrics              bool
-	disableSingleAccMode        bool
-	disableGeoliteUpdate        bool
-	idpSignKeyRefreshEnabled    bool
-	userDeleteFromIDPEnabled    bool
-	mgmtPort                    int
-	mgmtMetricsPort             int
-	disableLegacyManagementPort bool
-	mgmtLetsencryptDomain       string
-	mgmtSingleAccModeDomain     string
-	certFile                    string
-	certKey                     string
+	dnsDomain                string
+	mgmtDataDir              string
+	logLevel                 string
+	logFile                  string
+	disableMetrics           bool
+	disableSingleAccMode     bool
+	disableGeoliteUpdate     bool
+	idpSignKeyRefreshEnabled bool
+	userDeleteFromIDPEnabled bool
+	mgmtPort                 int
+	mgmtMetricsPort          int
+	mgmtLetsencryptDomain    string
+	mgmtSingleAccModeDomain  string
+	certFile                 string
+	certKey                  string
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird-mgmt",
@@ -56,7 +55,6 @@ func Execute() error {
 
 func init() {
 	mgmtCmd.Flags().IntVar(&mgmtPort, "port", 80, "server port to listen on (defaults to 443 if TLS is enabled, 80 otherwise")
-	mgmtCmd.Flags().BoolVar(&disableLegacyManagementPort, "disable-legacy-port", false, "disabling the old legacy port (33073)")
 	mgmtCmd.Flags().IntVar(&mgmtMetricsPort, "metrics-port", 9090, "metrics endpoint http port. Metrics are accessible under host:metrics-port/metrics")
 	mgmtCmd.Flags().StringVar(&mgmtDataDir, "datadir", defaultMgmtDataDir, "server data directory location")
 	mgmtCmd.Flags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location. Config params specified via command line (e.g. datadir) have a precedence over configuration from this file")
@@ -82,8 +80,4 @@ func init() {
 	migrationCmd.AddCommand(upCmd)
 
 	rootCmd.AddCommand(migrationCmd)
-
-	tc := newTokenCommands()
-	tc.PersistentFlags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location")
-	rootCmd.AddCommand(tc)
 }

management/cmd/token.go

@@ -1,55 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/formatter/hook"
-	tokencmd "github.com/netbirdio/netbird/management/cmd/token"
-	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/util"
-)
-
-var tokenDatadir string
-
-// newTokenCommands creates the token command tree with management-specific store opener.
-func newTokenCommands() *cobra.Command {
-	cmd := tokencmd.NewCommands(withTokenStore)
-	cmd.PersistentFlags().StringVar(&tokenDatadir, "datadir", "", "Override the data directory from config (where store.db is located)")
-	return cmd
-}
-
-// withTokenStore initializes logging, loads config, opens the store, and calls fn.
-func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error {
-	if err := util.InitLog("error", "console"); err != nil {
-		return fmt.Errorf("init log: %w", err)
-	}
-
-	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource) //nolint:staticcheck
-
-	config, err := LoadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
-	if err != nil {
-		return fmt.Errorf("load config: %w", err)
-	}
-
-	datadir := config.Datadir
-	if tokenDatadir != "" {
-		datadir = tokenDatadir
-	}
-
-	s, err := store.NewStore(ctx, config.StoreConfig.Engine, datadir, nil, true)
-	if err != nil {
-		return fmt.Errorf("create store: %w", err)
-	}
-	defer func() {
-		if err := s.Close(ctx); err != nil {
-			log.Debugf("close store: %v", err)
-		}
-	}()
-
-	return fn(ctx, s)
-}

management/cmd/token/token.go

@@ -1,185 +0,0 @@
-// Package tokencmd provides reusable cobra commands for managing proxy access tokens.
-// Both the management and combined binaries use these commands, each providing
-// their own StoreOpener to handle config loading and store initialization.
-package tokencmd
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"strconv"
-	"text/tabwriter"
-	"time"
-
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-// StoreOpener initializes a store from the command context and calls fn.
-type StoreOpener func(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error
-
-// NewCommands creates the token command tree with the given store opener.
-// Returns the parent "token" command with create, list, and revoke subcommands.
-func NewCommands(opener StoreOpener) *cobra.Command {
-	var (
-		tokenName     string
-		tokenExpireIn string
-	)
-
-	tokenCmd := &cobra.Command{
-		Use:   "token",
-		Short: "Manage proxy access tokens",
-		Long:  "Commands for creating, listing, and revoking proxy access tokens used by reverse proxy instances to authenticate with the management server.",
-	}
-
-	createCmd := &cobra.Command{
-		Use:   "create",
-		Short: "Create a new proxy access token",
-		Long:  "Creates a new proxy access token. The plain text token is displayed only once at creation time.",
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return opener(cmd, func(ctx context.Context, s store.Store) error {
-				return runCreate(ctx, s, cmd.OutOrStdout(), tokenName, tokenExpireIn)
-			})
-		},
-	}
-	createCmd.Flags().StringVar(&tokenName, "name", "", "Name for the token (required)")
-	createCmd.Flags().StringVar(&tokenExpireIn, "expires-in", "", "Token expiration duration (e.g., 365d, 24h, 30d). Empty means no expiration")
-	if err := createCmd.MarkFlagRequired("name"); err != nil {
-		panic(err)
-	}
-
-	listCmd := &cobra.Command{
-		Use:     "list",
-		Aliases: []string{"ls"},
-		Short:   "List all proxy access tokens",
-		Long:    "Lists all proxy access tokens with their IDs, names, creation dates, expiration, and revocation status.",
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return opener(cmd, func(ctx context.Context, s store.Store) error {
-				return runList(ctx, s, cmd.OutOrStdout())
-			})
-		},
-	}
-
-	revokeCmd := &cobra.Command{
-		Use:   "revoke [token-id]",
-		Short: "Revoke a proxy access token",
-		Long:  "Revokes a proxy access token by its ID. Revoked tokens can no longer be used for authentication.",
-		Args:  cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return opener(cmd, func(ctx context.Context, s store.Store) error {
-				return runRevoke(ctx, s, cmd.OutOrStdout(), args[0])
-			})
-		},
-	}
-
-	tokenCmd.AddCommand(createCmd, listCmd, revokeCmd)
-	return tokenCmd
-}
-
-func runCreate(ctx context.Context, s store.Store, w io.Writer, name string, expireIn string) error {
-	expiresIn, err := ParseDuration(expireIn)
-	if err != nil {
-		return fmt.Errorf("parse expiration: %w", err)
-	}
-
-	generated, err := types.CreateNewProxyAccessToken(name, expiresIn, nil, "CLI")
-	if err != nil {
-		return fmt.Errorf("generate token: %w", err)
-	}
-
-	if err := s.SaveProxyAccessToken(ctx, &generated.ProxyAccessToken); err != nil {
-		return fmt.Errorf("save token: %w", err)
-	}
-
-	_, _ = fmt.Fprintln(w, "Token created successfully!")
-	_, _ = fmt.Fprintf(w, "Token: %s\n", generated.PlainToken)
-	_, _ = fmt.Fprintln(w)
-	_, _ = fmt.Fprintln(w, "IMPORTANT: Save this token now. It will not be shown again.")
-	_, _ = fmt.Fprintf(w, "Token ID: %s\n", generated.ID)
-	return nil
-}
-
-func runList(ctx context.Context, s store.Store, out io.Writer) error {
-	tokens, err := s.GetAllProxyAccessTokens(ctx, store.LockingStrengthNone)
-	if err != nil {
-		return fmt.Errorf("list tokens: %w", err)
-	}
-
-	if len(tokens) == 0 {
-		_, _ = fmt.Fprintln(out, "No proxy access tokens found.")
-		return nil
-	}
-
-	w := tabwriter.NewWriter(out, 0, 0, 2, ' ', 0)
-	_, _ = fmt.Fprintln(w, "ID\tNAME\tCREATED\tEXPIRES\tLAST USED\tREVOKED")
-	_, _ = fmt.Fprintln(w, "--\t----\t-------\t-------\t---------\t-------")
-
-	for _, t := range tokens {
-		expires := "never"
-		if t.ExpiresAt != nil {
-			expires = t.ExpiresAt.Format("2006-01-02")
-		}
-
-		lastUsed := "never"
-		if t.LastUsed != nil {
-			lastUsed = t.LastUsed.Format("2006-01-02 15:04")
-		}
-
-		revoked := "no"
-		if t.Revoked {
-			revoked = "yes"
-		}
-
-		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
-			t.ID,
-			t.Name,
-			t.CreatedAt.Format("2006-01-02"),
-			expires,
-			lastUsed,
-			revoked,
-		)
-	}
-
-	w.Flush()
-
-	return nil
-}
-
-func runRevoke(ctx context.Context, s store.Store, w io.Writer, tokenID string) error {
-	if err := s.RevokeProxyAccessToken(ctx, tokenID); err != nil {
-		return fmt.Errorf("revoke token: %w", err)
-	}
-
-	_, _ = fmt.Fprintf(w, "Token %s revoked successfully.\n", tokenID)
-	return nil
-}
-
-// ParseDuration parses a duration string with support for days (e.g., "30d", "365d").
-// An empty string returns zero duration (no expiration).
-func ParseDuration(s string) (time.Duration, error) {
-	if len(s) == 0 {
-		return 0, nil
-	}
-
-	if s[len(s)-1] == 'd' {
-		d, err := strconv.Atoi(s[:len(s)-1])
-		if err != nil {
-			return 0, fmt.Errorf("invalid day format: %s", s)
-		}
-		if d <= 0 {
-			return 0, fmt.Errorf("duration must be positive: %s", s)
-		}
-		return time.Duration(d) * 24 * time.Hour, nil
-	}
-
-	d, err := time.ParseDuration(s)
-	if err != nil {
-		return 0, err
-	}
-	if d <= 0 {
-		return 0, fmt.Errorf("duration must be positive: %s", s)
-	}
-	return d, nil
-}

management/cmd/token/token_test.go

@@ -1,101 +0,0 @@
-package tokencmd
-
-import (
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestParseDuration(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    string
-		expected time.Duration
-		wantErr  bool
-	}{
-		{
-			name:     "empty string returns zero",
-			input:    "",
-			expected: 0,
-		},
-		{
-			name:     "days suffix",
-			input:    "30d",
-			expected: 30 * 24 * time.Hour,
-		},
-		{
-			name:     "one day",
-			input:    "1d",
-			expected: 24 * time.Hour,
-		},
-		{
-			name:     "365 days",
-			input:    "365d",
-			expected: 365 * 24 * time.Hour,
-		},
-		{
-			name:     "hours via Go duration",
-			input:    "24h",
-			expected: 24 * time.Hour,
-		},
-		{
-			name:     "minutes via Go duration",
-			input:    "30m",
-			expected: 30 * time.Minute,
-		},
-		{
-			name:     "complex Go duration",
-			input:    "1h30m",
-			expected: 90 * time.Minute,
-		},
-		{
-			name:    "invalid day format",
-			input:   "abcd",
-			wantErr: true,
-		},
-		{
-			name:    "negative days",
-			input:   "-1d",
-			wantErr: true,
-		},
-		{
-			name:    "zero days",
-			input:   "0d",
-			wantErr: true,
-		},
-		{
-			name:    "non-numeric days",
-			input:   "xyzd",
-			wantErr: true,
-		},
-		{
-			name:    "negative Go duration",
-			input:   "-24h",
-			wantErr: true,
-		},
-		{
-			name:    "zero Go duration",
-			input:   "0s",
-			wantErr: true,
-		},
-		{
-			name:    "invalid Go duration",
-			input:   "notaduration",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result, err := ParseDuration(tt.input)
-			if tt.wantErr {
-				assert.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-			assert.Equal(t, tt.expected, result)
-		})
-	}
-}

management/internals/controllers/network_map/controller/controller.go

@@ -174,13 +174,14 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 	var wg sync.WaitGroup
 	semaphore := make(chan struct{}, 10)
 
-	account.InjectProxyPolicies(ctx)
 	dnsCache := &cache.DNSConfigCache{}
 	dnsDomain := c.GetDNSDomain(account.Settings)
 	peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()
 	groupIDToUserIDs := account.GetActiveGroupUsers()
+	exposedServices := account.GetExposedServicesMap()
+	proxyPeers := account.GetProxyPeers()
 
 	if c.experimentalNetworkMap(accountID) {
 		c.initNetworkMapBuilderIfNeeded(account, approvedPeersMap)
@@ -233,7 +234,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 			if c.experimentalNetworkMap(accountID) {
 				remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, p.AccountID, p.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
 			} else {
-				remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+				remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs, exposedServices, proxyPeers)
 			}
 
 			c.metrics.CountCalcPeerNetworkMapDuration(time.Since(start))
@@ -248,10 +249,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 			update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
 			c.metrics.CountToSyncResponseDuration(time.Since(start))
 
-			c.peersUpdateManager.SendUpdate(ctx, p.ID, &network_map.UpdateMessage{
-				Update:      update,
-				MessageType: network_map.MessageTypeNetworkMap,
-			})
+			c.peersUpdateManager.SendUpdate(ctx, p.ID, &network_map.UpdateMessage{Update: update})
 		}(peer)
 	}
 
@@ -327,7 +325,6 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 		return fmt.Errorf("failed to get validated peers: %v", err)
 	}
 
-	account.InjectProxyPolicies(ctx)
 	dnsCache := &cache.DNSConfigCache{}
 	dnsDomain := c.GetDNSDomain(account.Settings)
 	peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
@@ -358,7 +355,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 	if c.experimentalNetworkMap(accountId) {
 		remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
 	} else {
-		remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+		remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs, account.GetExposedServicesMap(), account.GetProxyPeers())
 	}
 
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
@@ -375,10 +372,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)
 
 	update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort)
-	c.peersUpdateManager.SendUpdate(ctx, peer.ID, &network_map.UpdateMessage{
-		Update:      update,
-		MessageType: network_map.MessageTypeNetworkMap,
-	})
+	c.peersUpdateManager.SendUpdate(ctx, peer.ID, &network_map.UpdateMessage{Update: update})
 
 	return nil
 }
@@ -443,8 +437,6 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 		}
 	}
 
-	account.InjectProxyPolicies(ctx)
-
 	approvedPeersMap, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
 	if err != nil {
 		return nil, nil, nil, 0, err
@@ -479,7 +471,7 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 	} else {
 		resourcePolicies := account.GetResourcePoliciesMap()
 		routers := account.GetResourceRoutersMap()
-		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, account.GetActiveGroupUsers())
+		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, account.GetActiveGroupUsers(), account.GetExposedServicesMap(), account.GetProxyPeers())
 	}
 
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
@@ -788,7 +780,6 @@ func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerI
 					},
 				},
 			},
-			MessageType: network_map.MessageTypeNetworkMap,
 		})
 		c.peersUpdateManager.CloseChannel(ctx, peerID)
 
@@ -851,10 +842,9 @@ func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.N
 	if c.experimentalNetworkMap(peer.AccountID) {
 		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peerID, validatedPeers, peersCustomZone, accountZones, nil)
 	} else {
-		account.InjectProxyPolicies(ctx)
 		resourcePolicies := account.GetResourcePoliciesMap()
 		routers := account.GetResourceRoutersMap()
-		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
+		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, account.GetActiveGroupUsers(), account.GetExposedServicesMap(), account.GetProxyPeers())
 	}
 
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]

management/internals/controllers/network_map/update_channel/updatechannel_test.go

@@ -25,14 +25,11 @@ func TestCreateChannel(t *testing.T) {
 func TestSendUpdate(t *testing.T) {
 	peer := "test-sendupdate"
 	peersUpdater := NewPeersUpdateManager(nil)
-	update1 := &network_map.UpdateMessage{
-		Update: &proto.SyncResponse{
-			NetworkMap: &proto.NetworkMap{
-				Serial: 0,
-			},
+	update1 := &network_map.UpdateMessage{Update: &proto.SyncResponse{
+		NetworkMap: &proto.NetworkMap{
+			Serial: 0,
 		},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
+	}}
 	_ = peersUpdater.CreateChannel(context.Background(), peer)
 	if _, ok := peersUpdater.peerChannels[peer]; !ok {
 		t.Error("Error creating the channel")
@@ -48,14 +45,11 @@ func TestSendUpdate(t *testing.T) {
 		peersUpdater.SendUpdate(context.Background(), peer, update1)
 	}
 
-	update2 := &network_map.UpdateMessage{
-		Update: &proto.SyncResponse{
-			NetworkMap: &proto.NetworkMap{
-				Serial: 10,
-			},
+	update2 := &network_map.UpdateMessage{Update: &proto.SyncResponse{
+		NetworkMap: &proto.NetworkMap{
+			Serial: 10,
 		},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
+	}}
 
 	peersUpdater.SendUpdate(context.Background(), peer, update2)
 	timeout := time.After(5 * time.Second)

management/internals/controllers/network_map/update_message.go

@@ -4,19 +4,6 @@ import (
 	"github.com/netbirdio/netbird/shared/management/proto"
 )
 
-// MessageType indicates the type of update message for debouncing strategy
-type MessageType int
-
-const (
-	// MessageTypeNetworkMap represents network map updates (peers, routes, DNS, firewall)
-	// These updates can be safely debounced - only the latest state matters
-	MessageTypeNetworkMap MessageType = iota
-	// MessageTypeControlConfig represents control/config updates (tokens, peer expiration)
-	// These updates should not be dropped as they contain time-sensitive information
-	MessageTypeControlConfig
-)
-
 type UpdateMessage struct {
-	Update      *proto.SyncResponse
-	MessageType MessageType
+	Update *proto.SyncResponse
 }

management/internals/modules/peers/manager.go

@@ -33,7 +33,7 @@ type Manager interface {
 	SetIntegratedPeerValidator(integratedPeerValidator integrated_validator.IntegratedValidator)
 	SetAccountManager(accountManager account.Manager)
 	GetPeerID(ctx context.Context, peerKey string) (string, error)
-	CreateProxyPeer(ctx context.Context, accountID string, peerKey string, cluster string) error
+	CreateProxyPeer(ctx context.Context, accountID string, peerKey string) error
 }
 
 type managerImpl struct {
@@ -185,7 +185,7 @@ func (m *managerImpl) GetPeerID(ctx context.Context, peerKey string) (string, er
 	return m.store.GetPeerIDByKey(ctx, store.LockingStrengthNone, peerKey)
 }
 
-func (m *managerImpl) CreateProxyPeer(ctx context.Context, accountID string, peerKey string, cluster string) error {
+func (m *managerImpl) CreateProxyPeer(ctx context.Context, accountID string, peerKey string) error {
 	existingPeerID, err := m.store.GetPeerIDByKey(ctx, store.LockingStrengthNone, peerKey)
 	if err == nil && existingPeerID != "" {
 		// Peer already exists
@@ -194,11 +194,8 @@ func (m *managerImpl) CreateProxyPeer(ctx context.Context, accountID string, pee
 
 	name := fmt.Sprintf("proxy-%s", xid.New().String())
 	peer := &peer.Peer{
-		Ephemeral: true,
-		ProxyMeta: peer.ProxyMeta{
-			Cluster:  cluster,
-			Embedded: true,
-		},
+		Ephemeral:                   true,
+		ProxyEmbedded:               true,
 		Name:                        name,
 		Key:                         peerKey,
 		LoginExpirationEnabled:      false,

management/internals/modules/peers/manager_mock.go

@@ -162,17 +162,3 @@ func (mr *MockManagerMockRecorder) SetNetworkMapController(networkMapController
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNetworkMapController", reflect.TypeOf((*MockManager)(nil).SetNetworkMapController), networkMapController)
 }
-
-// CreateProxyPeer mocks base method.
-func (m *MockManager) CreateProxyPeer(ctx context.Context, accountID string, peerKey string, cluster string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "CreateProxyPeer", ctx, accountID, peerKey, cluster)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// CreateProxyPeer indicates an expected call of CreateProxyPeer.
-func (mr *MockManagerMockRecorder) CreateProxyPeer(ctx, accountID, peerKey, cluster interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProxyPeer", reflect.TypeOf((*MockManager)(nil).CreateProxyPeer), ctx, accountID, peerKey, cluster)
-}

management/internals/modules/reverseproxy/accesslogs/accesslogentry.go

@@ -13,42 +13,42 @@ import (
 type AccessLogEntry struct {
 	ID             string        `gorm:"primaryKey"`
 	AccountID      string        `gorm:"index"`
-	ServiceID      string        `gorm:"index"`
+	ProxyID        string        `gorm:"index"`
 	Timestamp      time.Time     `gorm:"index"`
 	GeoLocation    peer.Location `gorm:"embedded;embeddedPrefix:location_"`
-	Method         string        `gorm:"index"`
-	Host           string        `gorm:"index"`
-	Path           string        `gorm:"index"`
-	Duration       time.Duration `gorm:"index"`
-	StatusCode     int           `gorm:"index"`
+	Method         string
+	Host           string
+	Path           string
+	Duration       time.Duration
+	StatusCode     int
 	Reason         string
-	UserId         string `gorm:"index"`
-	AuthMethodUsed string `gorm:"index"`
+	UserId         string
+	AuthMethodUsed string
 }
 
 // FromProto creates an AccessLogEntry from a proto.AccessLog
-func (a *AccessLogEntry) FromProto(serviceLog *proto.AccessLog) {
-	a.ID = serviceLog.GetLogId()
-	a.ServiceID = serviceLog.GetServiceId()
-	a.Timestamp = serviceLog.GetTimestamp().AsTime()
-	a.Method = serviceLog.GetMethod()
-	a.Host = serviceLog.GetHost()
-	a.Path = serviceLog.GetPath()
-	a.Duration = time.Duration(serviceLog.GetDurationMs()) * time.Millisecond
-	a.StatusCode = int(serviceLog.GetResponseCode())
-	a.UserId = serviceLog.GetUserId()
-	a.AuthMethodUsed = serviceLog.GetAuthMechanism()
-	a.AccountID = serviceLog.GetAccountId()
+func (a *AccessLogEntry) FromProto(proxyLog *proto.AccessLog) {
+	a.ID = proxyLog.GetLogId()
+	a.ProxyID = proxyLog.GetServiceId()
+	a.Timestamp = proxyLog.GetTimestamp().AsTime()
+	a.Method = proxyLog.GetMethod()
+	a.Host = proxyLog.GetHost()
+	a.Path = proxyLog.GetPath()
+	a.Duration = time.Duration(proxyLog.GetDurationMs()) * time.Millisecond
+	a.StatusCode = int(proxyLog.GetResponseCode())
+	a.UserId = proxyLog.GetUserId()
+	a.AuthMethodUsed = proxyLog.GetAuthMechanism()
+	a.AccountID = proxyLog.GetAccountId()
 
-	if sourceIP := serviceLog.GetSourceIp(); sourceIP != "" {
+	if sourceIP := proxyLog.GetSourceIp(); sourceIP != "" {
 		if ip, err := netip.ParseAddr(sourceIP); err == nil {
 			a.GeoLocation.ConnectionIP = net.IP(ip.AsSlice())
 		}
 	}
 
-	if !serviceLog.GetAuthSuccess() {
+	if !proxyLog.GetAuthSuccess() {
 		a.Reason = "Authentication failed"
-	} else if serviceLog.GetResponseCode() >= 400 {
+	} else if proxyLog.GetResponseCode() >= 400 {
 		a.Reason = "Request failed"
 	}
 }
@@ -88,7 +88,7 @@ func (a *AccessLogEntry) ToAPIResponse() *api.ProxyAccessLog {
 
 	return &api.ProxyAccessLog{
 		Id:             a.ID,
-		ServiceId:      a.ServiceID,
+		ProxyId:        a.ProxyID,
 		Timestamp:      a.Timestamp,
 		Method:         a.Method,
 		Host:           a.Host,

management/internals/modules/reverseproxy/accesslogs/filter.go

@@ -1,109 +0,0 @@
-package accesslogs
-
-import (
-	"net/http"
-	"strconv"
-	"time"
-)
-
-const (
-	// DefaultPageSize is the default number of records per page
-	DefaultPageSize = 50
-	// MaxPageSize is the maximum number of records allowed per page
-	MaxPageSize = 100
-)
-
-// AccessLogFilter holds pagination and filtering parameters for access logs
-type AccessLogFilter struct {
-	// Page is the current page number (1-indexed)
-	Page int
-	// PageSize is the number of records per page
-	PageSize int
-
-	// Filtering parameters
-	Search     *string    // General search across log ID, host, path, source IP, and user fields
-	SourceIP   *string    // Filter by source IP address
-	Host       *string    // Filter by host header
-	Path       *string    // Filter by request path (supports LIKE pattern)
-	UserID     *string    // Filter by authenticated user ID
-	UserEmail  *string    // Filter by user email (requires user lookup)
-	UserName   *string    // Filter by user name (requires user lookup)
-	Method     *string    // Filter by HTTP method
-	Status     *string    // Filter by status: "success" (2xx/3xx) or "failed" (1xx/4xx/5xx)
-	StatusCode *int       // Filter by HTTP status code
-	StartDate  *time.Time // Filter by timestamp >= start_date
-	EndDate    *time.Time // Filter by timestamp <= end_date
-}
-
-// ParseFromRequest parses pagination and filter parameters from HTTP request query parameters
-func (f *AccessLogFilter) ParseFromRequest(r *http.Request) {
-	queryParams := r.URL.Query()
-
-	f.Page = parsePositiveInt(queryParams.Get("page"), 1)
-	f.PageSize = min(parsePositiveInt(queryParams.Get("page_size"), DefaultPageSize), MaxPageSize)
-
-	f.Search = parseOptionalString(queryParams.Get("search"))
-	f.SourceIP = parseOptionalString(queryParams.Get("source_ip"))
-	f.Host = parseOptionalString(queryParams.Get("host"))
-	f.Path = parseOptionalString(queryParams.Get("path"))
-	f.UserID = parseOptionalString(queryParams.Get("user_id"))
-	f.UserEmail = parseOptionalString(queryParams.Get("user_email"))
-	f.UserName = parseOptionalString(queryParams.Get("user_name"))
-	f.Method = parseOptionalString(queryParams.Get("method"))
-	f.Status = parseOptionalString(queryParams.Get("status"))
-	f.StatusCode = parseOptionalInt(queryParams.Get("status_code"))
-	f.StartDate = parseOptionalRFC3339(queryParams.Get("start_date"))
-	f.EndDate = parseOptionalRFC3339(queryParams.Get("end_date"))
-}
-
-// parsePositiveInt parses a positive integer from a string, returning defaultValue if invalid
-func parsePositiveInt(s string, defaultValue int) int {
-	if s == "" {
-		return defaultValue
-	}
-	if val, err := strconv.Atoi(s); err == nil && val > 0 {
-		return val
-	}
-	return defaultValue
-}
-
-// parseOptionalString returns a pointer to the string if non-empty, otherwise nil
-func parseOptionalString(s string) *string {
-	if s == "" {
-		return nil
-	}
-	return &s
-}
-
-// parseOptionalInt parses an optional positive integer from a string
-func parseOptionalInt(s string) *int {
-	if s == "" {
-		return nil
-	}
-	if val, err := strconv.Atoi(s); err == nil && val > 0 {
-		v := val
-		return &v
-	}
-	return nil
-}
-
-// parseOptionalRFC3339 parses an optional RFC3339 timestamp from a string
-func parseOptionalRFC3339(s string) *time.Time {
-	if s == "" {
-		return nil
-	}
-	if t, err := time.Parse(time.RFC3339, s); err == nil {
-		return &t
-	}
-	return nil
-}
-
-// GetOffset calculates the database offset for pagination
-func (f *AccessLogFilter) GetOffset() int {
-	return (f.Page - 1) * f.PageSize
-}
-
-// GetLimit returns the page size for database queries
-func (f *AccessLogFilter) GetLimit() int {
-	return f.PageSize
-}

management/internals/modules/reverseproxy/accesslogs/filter_test.go

@@ -1,371 +0,0 @@
-package accesslogs
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestAccessLogFilter_ParseFromRequest(t *testing.T) {
-	tests := []struct {
-		name             string
-		queryParams      map[string]string
-		expectedPage     int
-		expectedPageSize int
-	}{
-		{
-			name:             "default values when no params provided",
-			queryParams:      map[string]string{},
-			expectedPage:     1,
-			expectedPageSize: DefaultPageSize,
-		},
-		{
-			name: "valid page and page_size",
-			queryParams: map[string]string{
-				"page":      "2",
-				"page_size": "25",
-			},
-			expectedPage:     2,
-			expectedPageSize: 25,
-		},
-		{
-			name: "page_size exceeds max, should cap at MaxPageSize",
-			queryParams: map[string]string{
-				"page":      "1",
-				"page_size": "200",
-			},
-			expectedPage:     1,
-			expectedPageSize: MaxPageSize,
-		},
-		{
-			name: "invalid page number, should use default",
-			queryParams: map[string]string{
-				"page":      "invalid",
-				"page_size": "10",
-			},
-			expectedPage:     1,
-			expectedPageSize: 10,
-		},
-		{
-			name: "invalid page_size, should use default",
-			queryParams: map[string]string{
-				"page":      "2",
-				"page_size": "invalid",
-			},
-			expectedPage:     2,
-			expectedPageSize: DefaultPageSize,
-		},
-		{
-			name: "zero page number, should use default",
-			queryParams: map[string]string{
-				"page":      "0",
-				"page_size": "10",
-			},
-			expectedPage:     1,
-			expectedPageSize: 10,
-		},
-		{
-			name: "negative page number, should use default",
-			queryParams: map[string]string{
-				"page":      "-1",
-				"page_size": "10",
-			},
-			expectedPage:     1,
-			expectedPageSize: 10,
-		},
-		{
-			name: "zero page_size, should use default",
-			queryParams: map[string]string{
-				"page":      "1",
-				"page_size": "0",
-			},
-			expectedPage:     1,
-			expectedPageSize: DefaultPageSize,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			req := httptest.NewRequest(http.MethodGet, "/test", nil)
-			q := req.URL.Query()
-			for key, value := range tt.queryParams {
-				q.Set(key, value)
-			}
-			req.URL.RawQuery = q.Encode()
-
-			filter := &AccessLogFilter{}
-			filter.ParseFromRequest(req)
-
-			assert.Equal(t, tt.expectedPage, filter.Page, "Page mismatch")
-			assert.Equal(t, tt.expectedPageSize, filter.PageSize, "PageSize mismatch")
-		})
-	}
-}
-
-func TestAccessLogFilter_GetOffset(t *testing.T) {
-	tests := []struct {
-		name           string
-		page           int
-		pageSize       int
-		expectedOffset int
-	}{
-		{
-			name:           "first page",
-			page:           1,
-			pageSize:       50,
-			expectedOffset: 0,
-		},
-		{
-			name:           "second page",
-			page:           2,
-			pageSize:       50,
-			expectedOffset: 50,
-		},
-		{
-			name:           "third page with page size 25",
-			page:           3,
-			pageSize:       25,
-			expectedOffset: 50,
-		},
-		{
-			name:           "page 10 with page size 10",
-			page:           10,
-			pageSize:       10,
-			expectedOffset: 90,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			filter := &AccessLogFilter{
-				Page:     tt.page,
-				PageSize: tt.pageSize,
-			}
-
-			offset := filter.GetOffset()
-			assert.Equal(t, tt.expectedOffset, offset)
-		})
-	}
-}
-
-func TestAccessLogFilter_GetLimit(t *testing.T) {
-	filter := &AccessLogFilter{
-		Page:     2,
-		PageSize: 25,
-	}
-
-	limit := filter.GetLimit()
-	assert.Equal(t, 25, limit, "GetLimit should return PageSize")
-}
-
-func TestAccessLogFilter_ParseFromRequest_FilterParams(t *testing.T) {
-	startDate := "2024-01-15T10:30:00Z"
-	endDate := "2024-01-16T15:45:00Z"
-
-	req := httptest.NewRequest(http.MethodGet, "/test", nil)
-	q := req.URL.Query()
-	q.Set("search", "test query")
-	q.Set("source_ip", "192.168.1.1")
-	q.Set("host", "example.com")
-	q.Set("path", "/api/users")
-	q.Set("user_id", "user123")
-	q.Set("user_email", "user@example.com")
-	q.Set("user_name", "John Doe")
-	q.Set("method", "GET")
-	q.Set("status", "success")
-	q.Set("status_code", "200")
-	q.Set("start_date", startDate)
-	q.Set("end_date", endDate)
-	req.URL.RawQuery = q.Encode()
-
-	filter := &AccessLogFilter{}
-	filter.ParseFromRequest(req)
-
-	require.NotNil(t, filter.Search)
-	assert.Equal(t, "test query", *filter.Search)
-
-	require.NotNil(t, filter.SourceIP)
-	assert.Equal(t, "192.168.1.1", *filter.SourceIP)
-
-	require.NotNil(t, filter.Host)
-	assert.Equal(t, "example.com", *filter.Host)
-
-	require.NotNil(t, filter.Path)
-	assert.Equal(t, "/api/users", *filter.Path)
-
-	require.NotNil(t, filter.UserID)
-	assert.Equal(t, "user123", *filter.UserID)
-
-	require.NotNil(t, filter.UserEmail)
-	assert.Equal(t, "user@example.com", *filter.UserEmail)
-
-	require.NotNil(t, filter.UserName)
-	assert.Equal(t, "John Doe", *filter.UserName)
-
-	require.NotNil(t, filter.Method)
-	assert.Equal(t, "GET", *filter.Method)
-
-	require.NotNil(t, filter.Status)
-	assert.Equal(t, "success", *filter.Status)
-
-	require.NotNil(t, filter.StatusCode)
-	assert.Equal(t, 200, *filter.StatusCode)
-
-	require.NotNil(t, filter.StartDate)
-	expectedStart, _ := time.Parse(time.RFC3339, startDate)
-	assert.Equal(t, expectedStart, *filter.StartDate)
-
-	require.NotNil(t, filter.EndDate)
-	expectedEnd, _ := time.Parse(time.RFC3339, endDate)
-	assert.Equal(t, expectedEnd, *filter.EndDate)
-}
-
-func TestAccessLogFilter_ParseFromRequest_EmptyFilters(t *testing.T) {
-	req := httptest.NewRequest(http.MethodGet, "/test", nil)
-
-	filter := &AccessLogFilter{}
-	filter.ParseFromRequest(req)
-
-	assert.Nil(t, filter.Search)
-	assert.Nil(t, filter.SourceIP)
-	assert.Nil(t, filter.Host)
-	assert.Nil(t, filter.Path)
-	assert.Nil(t, filter.UserID)
-	assert.Nil(t, filter.UserEmail)
-	assert.Nil(t, filter.UserName)
-	assert.Nil(t, filter.Method)
-	assert.Nil(t, filter.Status)
-	assert.Nil(t, filter.StatusCode)
-	assert.Nil(t, filter.StartDate)
-	assert.Nil(t, filter.EndDate)
-}
-
-func TestAccessLogFilter_ParseFromRequest_InvalidFilters(t *testing.T) {
-	req := httptest.NewRequest(http.MethodGet, "/test", nil)
-	q := req.URL.Query()
-	q.Set("status_code", "invalid")
-	q.Set("start_date", "not-a-date")
-	q.Set("end_date", "2024-99-99")
-	req.URL.RawQuery = q.Encode()
-
-	filter := &AccessLogFilter{}
-	filter.ParseFromRequest(req)
-
-	assert.Nil(t, filter.StatusCode, "invalid status_code should be nil")
-	assert.Nil(t, filter.StartDate, "invalid start_date should be nil")
-	assert.Nil(t, filter.EndDate, "invalid end_date should be nil")
-}
-
-func TestParsePositiveInt(t *testing.T) {
-	tests := []struct {
-		name         string
-		input        string
-		defaultValue int
-		expected     int
-	}{
-		{"empty string", "", 10, 10},
-		{"valid positive int", "25", 10, 25},
-		{"zero", "0", 10, 10},
-		{"negative", "-5", 10, 10},
-		{"invalid string", "abc", 10, 10},
-		{"float", "3.14", 10, 10},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parsePositiveInt(tt.input, tt.defaultValue)
-			assert.Equal(t, tt.expected, result)
-		})
-	}
-}
-
-func TestParseOptionalString(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    string
-		expected *string
-	}{
-		{"empty string", "", nil},
-		{"valid string", "hello", strPtr("hello")},
-		{"whitespace", "  ", strPtr("  ")},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parseOptionalString(tt.input)
-			if tt.expected == nil {
-				assert.Nil(t, result)
-			} else {
-				require.NotNil(t, result)
-				assert.Equal(t, *tt.expected, *result)
-			}
-		})
-	}
-}
-
-func TestParseOptionalInt(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    string
-		expected *int
-	}{
-		{"empty string", "", nil},
-		{"valid positive int", "42", intPtr(42)},
-		{"zero", "0", nil},
-		{"negative", "-10", nil},
-		{"invalid string", "abc", nil},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parseOptionalInt(tt.input)
-			if tt.expected == nil {
-				assert.Nil(t, result)
-			} else {
-				require.NotNil(t, result)
-				assert.Equal(t, *tt.expected, *result)
-			}
-		})
-	}
-}
-
-func TestParseOptionalRFC3339(t *testing.T) {
-	validDate := "2024-01-15T10:30:00Z"
-	expectedTime, _ := time.Parse(time.RFC3339, validDate)
-
-	tests := []struct {
-		name     string
-		input    string
-		expected *time.Time
-	}{
-		{"empty string", "", nil},
-		{"valid RFC3339", validDate, &expectedTime},
-		{"invalid format", "2024-01-15", nil},
-		{"invalid date", "not-a-date", nil},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parseOptionalRFC3339(tt.input)
-			if tt.expected == nil {
-				assert.Nil(t, result)
-			} else {
-				require.NotNil(t, result)
-				assert.Equal(t, *tt.expected, *result)
-			}
-		})
-	}
-}
-
-// Helper functions for creating pointers
-func strPtr(s string) *string {
-	return &s
-}
-
-func intPtr(i int) *int {
-	return &i
-}

management/internals/modules/reverseproxy/accesslogs/interface.go

@@ -6,5 +6,5 @@ import (
 
 type Manager interface {
 	SaveAccessLog(ctx context.Context, proxyLog *AccessLogEntry) error
-	GetAllAccessLogs(ctx context.Context, accountID, userID string, filter *AccessLogFilter) ([]*AccessLogEntry, int64, error)
+	GetAllAccessLogs(ctx context.Context, accountID, userID string) ([]*AccessLogEntry, error)
 }

management/internals/modules/reverseproxy/accesslogs/manager/api.go

@@ -30,10 +30,7 @@ func (h *handler) getAccessLogs(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var filter accesslogs.AccessLogFilter
-	filter.ParseFromRequest(r)
-
-	logs, totalCount, err := h.manager.GetAllAccessLogs(r.Context(), userAuth.AccountId, userAuth.UserId, &filter)
+	logs, err := h.manager.GetAllAccessLogs(r.Context(), userAuth.AccountId, userAuth.UserId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -44,21 +41,5 @@ func (h *handler) getAccessLogs(w http.ResponseWriter, r *http.Request) {
 		apiLogs = append(apiLogs, *log.ToAPIResponse())
 	}
 
-	response := &api.ProxyAccessLogsResponse{
-		Data:         apiLogs,
-		Page:         filter.Page,
-		PageSize:     filter.PageSize,
-		TotalRecords: int(totalCount),
-		TotalPages:   getTotalPageCount(int(totalCount), filter.PageSize),
-	}
-
-	util.WriteJSONObject(r.Context(), w, response)
-}
-
-// getTotalPageCount calculates the total number of pages
-func getTotalPageCount(totalCount, pageSize int) int {
-	if pageSize <= 0 {
-		return 0
-	}
-	return (totalCount + pageSize - 1) / pageSize
+	util.WriteJSONObject(r.Context(), w, apiLogs)
 }

management/internals/modules/reverseproxy/accesslogs/manager/manager.go

@@ -2,7 +2,6 @@ package manager
 
 import (
 	"context"
-	"strings"
 
 	log "github.com/sirupsen/logrus"
 
@@ -44,11 +43,11 @@ func (m *managerImpl) SaveAccessLog(ctx context.Context, logEntry *accesslogs.Ac
 
 	if err := m.store.CreateAccessLog(ctx, logEntry); err != nil {
 		log.WithContext(ctx).WithFields(log.Fields{
-			"service_id": logEntry.ServiceID,
-			"method":     logEntry.Method,
-			"host":       logEntry.Host,
-			"path":       logEntry.Path,
-			"status":     logEntry.StatusCode,
+			"proxy_id": logEntry.ProxyID,
+			"method":   logEntry.Method,
+			"host":     logEntry.Host,
+			"path":     logEntry.Path,
+			"status":   logEntry.StatusCode,
 		}).Errorf("failed to save access log: %v", err)
 		return err
 	}
@@ -56,53 +55,20 @@ func (m *managerImpl) SaveAccessLog(ctx context.Context, logEntry *accesslogs.Ac
 	return nil
 }
 
-// GetAllAccessLogs retrieves access logs for an account with pagination and filtering
-func (m *managerImpl) GetAllAccessLogs(ctx context.Context, accountID, userID string, filter *accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error) {
+// GetAllAccessLogs retrieves all access logs for an account
+func (m *managerImpl) GetAllAccessLogs(ctx context.Context, accountID, userID string) ([]*accesslogs.AccessLogEntry, error) {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
 	if err != nil {
-		return nil, 0, status.NewPermissionValidationError(err)
+		return nil, status.NewPermissionValidationError(err)
 	}
 	if !ok {
-		return nil, 0, status.NewPermissionDeniedError()
+		return nil, status.NewPermissionDeniedError()
 	}
 
-	if err := m.resolveUserFilters(ctx, accountID, filter); err != nil {
-		log.WithContext(ctx).Warnf("failed to resolve user filters: %v", err)
-	}
-
-	logs, totalCount, err := m.store.GetAccountAccessLogs(ctx, store.LockingStrengthNone, accountID, *filter)
+	logs, err := m.store.GetAccountAccessLogs(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
-		return nil, 0, err
+		return nil, err
 	}
 
-	return logs, totalCount, nil
-}
-
-// resolveUserFilters converts user email/name filters to user ID filter
-func (m *managerImpl) resolveUserFilters(ctx context.Context, accountID string, filter *accesslogs.AccessLogFilter) error {
-	if filter.UserEmail == nil && filter.UserName == nil {
-		return nil
-	}
-
-	users, err := m.store.GetAccountUsers(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return err
-	}
-
-	var matchingUserIDs []string
-	for _, user := range users {
-		if filter.UserEmail != nil && strings.Contains(strings.ToLower(user.Email), strings.ToLower(*filter.UserEmail)) {
-			matchingUserIDs = append(matchingUserIDs, user.Id)
-			continue
-		}
-		if filter.UserName != nil && strings.Contains(strings.ToLower(user.Name), strings.ToLower(*filter.UserName)) {
-			matchingUserIDs = append(matchingUserIDs, user.Id)
-		}
-	}
-
-	if len(matchingUserIDs) > 0 {
-		filter.UserID = &matchingUserIDs[0]
-	}
-
-	return nil
+	return logs, nil
 }

management/internals/modules/reverseproxy/domain/api.go

@@ -1,4 +1,4 @@
-package manager
+package domain
 
 import (
 	"encoding/json"
@@ -6,7 +6,6 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
@@ -28,11 +27,11 @@ func RegisterEndpoints(router *mux.Router, manager Manager) {
 	router.HandleFunc("/domains/{domainId}/validate", h.triggerCustomDomainValidation).Methods("GET", "OPTIONS")
 }
 
-func domainTypeToApi(t domain.Type) api.ReverseProxyDomainType {
+func domainTypeToApi(t domainType) api.ReverseProxyDomainType {
 	switch t {
-	case domain.TypeCustom:
+	case TypeCustom:
 		return api.ReverseProxyDomainTypeCustom
-	case domain.TypeFree:
+	case TypeFree:
 		return api.ReverseProxyDomainTypeFree
 	}
 	// By default return as a "free" domain as that is more restrictive.
@@ -40,17 +39,13 @@ func domainTypeToApi(t domain.Type) api.ReverseProxyDomainType {
 	return api.ReverseProxyDomainTypeFree
 }
 
-func domainToApi(d *domain.Domain) api.ReverseProxyDomain {
-	resp := api.ReverseProxyDomain{
+func domainToApi(d *Domain) api.ReverseProxyDomain {
+	return api.ReverseProxyDomain{
 		Domain:    d.Domain,
 		Id:        d.ID,
 		Type:      domainTypeToApi(d.Type),
 		Validated: d.Validated,
 	}
-	if d.TargetCluster != "" {
-		resp.TargetCluster = &d.TargetCluster
-	}
-	return resp
 }
 
 func (h *handler) getAllDomains(w http.ResponseWriter, r *http.Request) {
@@ -60,7 +55,7 @@ func (h *handler) getAllDomains(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	domains, err := h.manager.GetDomains(r.Context(), userAuth.AccountId, userAuth.UserId)
+	domains, err := h.manager.GetDomains(r.Context(), userAuth.AccountId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -87,7 +82,7 @@ func (h *handler) createCustomDomain(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	domain, err := h.manager.CreateDomain(r.Context(), userAuth.AccountId, userAuth.UserId, req.Domain, req.TargetCluster)
+	domain, err := h.manager.CreateDomain(r.Context(), userAuth.AccountId, req.Domain)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -109,7 +104,7 @@ func (h *handler) deleteCustomDomain(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := h.manager.DeleteDomain(r.Context(), userAuth.AccountId, userAuth.UserId, domainID); err != nil {
+	if err := h.manager.DeleteDomain(r.Context(), userAuth.AccountId, domainID); err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
@@ -130,7 +125,7 @@ func (h *handler) triggerCustomDomainValidation(w http.ResponseWriter, r *http.R
 		return
 	}
 
-	go h.manager.ValidateDomain(r.Context(), userAuth.AccountId, userAuth.UserId, domainID)
+	go h.manager.ValidateDomain(userAuth.AccountId, domainID)
 
 	w.WriteHeader(http.StatusAccepted)
 }

management/internals/modules/reverseproxy/domain/domain.go

@@ -1,17 +0,0 @@
-package domain
-
-type Type string
-
-const (
-	TypeFree   Type = "free"
-	TypeCustom Type = "custom"
-)
-
-type Domain struct {
-	ID            string `gorm:"unique;primaryKey;autoIncrement"`
-	Domain        string `gorm:"unique"` // Domain records must be unique, this avoids domain reuse across accounts.
-	AccountID     string `gorm:"index"`
-	TargetCluster string // The proxy cluster this domain should be validated against
-	Type          Type   `gorm:"-"`
-	Validated     bool
-}

management/internals/modules/reverseproxy/domain/interface.go

@@ -1,12 +0,0 @@
-package domain
-
-import (
-	"context"
-)
-
-type Manager interface {
-	GetDomains(ctx context.Context, accountID, userID string) ([]*Domain, error)
-	CreateDomain(ctx context.Context, accountID, userID, domainName, targetCluster string) (*Domain, error)
-	DeleteDomain(ctx context.Context, accountID, userID, domainID string) error
-	ValidateDomain(ctx context.Context, accountID, userID, domainID string)
-}

management/internals/modules/reverseproxy/domain/manager.go

@@ -0,0 +1,239 @@
+package domain
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/url"
+	"strings"
+
+	"github.com/netbirdio/netbird/management/server/types"
+	log "github.com/sirupsen/logrus"
+)
+
+type domainType string
+
+const (
+	TypeFree   domainType = "free"
+	TypeCustom domainType = "custom"
+)
+
+type Domain struct {
+	ID        string     `gorm:"unique;primaryKey;autoIncrement"`
+	Domain    string     `gorm:"unique"` // Domain records must be unique, this avoids domain reuse across accounts.
+	AccountID string     `gorm:"index"`
+	Type      domainType `gorm:"-"`
+	Validated bool
+}
+
+type store interface {
+	GetAccount(ctx context.Context, accountID string) (*types.Account, error)
+
+	GetCustomDomain(ctx context.Context, accountID string, domainID string) (*Domain, error)
+	ListFreeDomains(ctx context.Context, accountID string) ([]string, error)
+	ListCustomDomains(ctx context.Context, accountID string) ([]*Domain, error)
+	CreateCustomDomain(ctx context.Context, accountID string, domainName string, validated bool) (*Domain, error)
+	UpdateCustomDomain(ctx context.Context, accountID string, d *Domain) (*Domain, error)
+	DeleteCustomDomain(ctx context.Context, accountID string, domainID string) error
+}
+
+type proxyURLProvider interface {
+	GetConnectedProxyURLs() []string
+}
+
+type Manager struct {
+	store            store
+	validator        Validator
+	proxyURLProvider proxyURLProvider
+}
+
+func NewManager(store store, proxyURLProvider proxyURLProvider) Manager {
+	return Manager{
+		store:            store,
+		proxyURLProvider: proxyURLProvider,
+		validator: Validator{
+			resolver: net.DefaultResolver,
+		},
+	}
+}
+
+func (m Manager) GetDomains(ctx context.Context, accountID string) ([]*Domain, error) {
+	domains, err := m.store.ListCustomDomains(ctx, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("list custom domains: %w", err)
+	}
+
+	var ret []*Domain
+
+	// Add connected proxy clusters as free domains.
+	// The cluster address itself is the free domain base (e.g., "eu.proxy.netbird.io").
+	allowList := m.proxyURLAllowList()
+	log.WithFields(log.Fields{
+		"accountID":      accountID,
+		"proxyAllowList": allowList,
+	}).Debug("getting domains with proxy allow list")
+
+	for _, cluster := range allowList {
+		ret = append(ret, &Domain{
+			Domain:    cluster,
+			AccountID: accountID,
+			Type:      TypeFree,
+			Validated: true,
+		})
+	}
+
+	// Add custom domains.
+	for _, domain := range domains {
+		ret = append(ret, &Domain{
+			ID:        domain.ID,
+			Domain:    domain.Domain,
+			AccountID: accountID,
+			Type:      TypeCustom,
+			Validated: domain.Validated,
+		})
+	}
+
+	return ret, nil
+}
+
+func (m Manager) CreateDomain(ctx context.Context, accountID, domainName string) (*Domain, error) {
+	// Attempt an initial validation; however, a failure is still acceptable for creation
+	// because the user may not yet have configured their DNS records, or the DNS update
+	// has not yet reached the servers that are queried by the validation resolver.
+	var validated bool
+	if m.validator.IsValid(ctx, domainName, m.proxyURLAllowList()) {
+		validated = true
+	}
+
+	d, err := m.store.CreateCustomDomain(ctx, accountID, domainName, validated)
+	if err != nil {
+		return d, fmt.Errorf("create domain in store: %w", err)
+	}
+
+	return d, nil
+}
+
+func (m Manager) DeleteDomain(ctx context.Context, accountID, domainID string) error {
+	if err := m.store.DeleteCustomDomain(ctx, accountID, domainID); err != nil {
+		// TODO: check for "no records" type error. Because that is a success condition.
+		return fmt.Errorf("delete domain from store: %w", err)
+	}
+	return nil
+}
+
+func (m Manager) ValidateDomain(accountID, domainID string) {
+	log.WithFields(log.Fields{
+		"accountID": accountID,
+		"domainID":  domainID,
+	}).Info("starting domain validation")
+
+	d, err := m.store.GetCustomDomain(context.Background(), accountID, domainID)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"accountID": accountID,
+			"domainID":  domainID,
+		}).WithError(err).Error("get custom domain from store")
+		return
+	}
+
+	allowList := m.proxyURLAllowList()
+	log.WithFields(log.Fields{
+		"accountID":      accountID,
+		"domainID":       domainID,
+		"domain":         d.Domain,
+		"proxyAllowList": allowList,
+	}).Info("validating domain against proxy allow list")
+
+	if m.validator.IsValid(context.Background(), d.Domain, allowList) {
+		log.WithFields(log.Fields{
+			"accountID": accountID,
+			"domainID":  domainID,
+			"domain":    d.Domain,
+		}).Info("domain validated successfully")
+		d.Validated = true
+		if _, err := m.store.UpdateCustomDomain(context.Background(), accountID, d); err != nil {
+			log.WithFields(log.Fields{
+				"accountID": accountID,
+				"domainID":  domainID,
+				"domain":    d.Domain,
+			}).WithError(err).Error("update custom domain in store")
+			return
+		}
+	} else {
+		log.WithFields(log.Fields{
+			"accountID":      accountID,
+			"domainID":       domainID,
+			"domain":         d.Domain,
+			"proxyAllowList": allowList,
+		}).Warn("domain validation failed - CNAME does not match any connected proxy")
+	}
+}
+
+// proxyURLAllowList retrieves a list of currently connected proxies and
+// their URLs (as reported by the proxy servers). It performs some clean
+// up on those URLs to attempt to retrieve domain names as we would
+// expect to see them in a validation check.
+func (m Manager) proxyURLAllowList() []string {
+	var reverseProxyAddresses []string
+	if m.proxyURLProvider != nil {
+		reverseProxyAddresses = m.proxyURLProvider.GetConnectedProxyURLs()
+	}
+	var allowedProxyURLs []string
+	for _, addr := range reverseProxyAddresses {
+		if addr == "" {
+			continue
+		}
+		host := extractHostFromAddress(addr)
+		if host != "" {
+			allowedProxyURLs = append(allowedProxyURLs, host)
+		}
+	}
+	return allowedProxyURLs
+}
+
+// extractHostFromAddress extracts the hostname from an address string.
+// It handles both URL format (https://host:port) and plain hostname (host or host:port).
+func extractHostFromAddress(addr string) string {
+	// If it looks like a URL with a scheme, parse it
+	if strings.Contains(addr, "://") {
+		proxyUrl, err := url.Parse(addr)
+		if err != nil {
+			log.WithError(err).Debugf("failed to parse proxy URL %s", addr)
+			return ""
+		}
+		host, _, err := net.SplitHostPort(proxyUrl.Host)
+		if err != nil {
+			return proxyUrl.Host
+		}
+		return host
+	}
+
+	// Otherwise treat as hostname or host:port
+	host, _, err := net.SplitHostPort(addr)
+	if err != nil {
+		// No port, use as-is
+		return addr
+	}
+	return host
+}
+
+// DeriveClusterFromDomain determines the proxy cluster for a given domain.
+// For free domains (those ending with a known cluster suffix), the cluster is extracted from the domain.
+// For custom domains, the cluster is determined by looking up the CNAME target.
+func (m Manager) DeriveClusterFromDomain(ctx context.Context, domain string) (string, error) {
+	allowList := m.proxyURLAllowList()
+	if len(allowList) == 0 {
+		return "", fmt.Errorf("no proxy clusters available")
+	}
+
+	if cluster, ok := ExtractClusterFromFreeDomain(domain, allowList); ok {
+		return cluster, nil
+	}
+
+	cluster, valid := m.validator.ValidateWithCluster(ctx, domain, allowList)
+	if valid {
+		return cluster, nil
+	}
+
+	return "", fmt.Errorf("domain %s does not match any available proxy cluster", domain)
+}

management/internals/modules/reverseproxy/domain/manager/manager.go

@@ -1,279 +0,0 @@
-package manager
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
-	"github.com/netbirdio/netbird/management/server/permissions"
-	"github.com/netbirdio/netbird/management/server/permissions/modules"
-	"github.com/netbirdio/netbird/management/server/permissions/operations"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/management/status"
-)
-
-type store interface {
-	GetAccount(ctx context.Context, accountID string) (*types.Account, error)
-
-	GetCustomDomain(ctx context.Context, accountID string, domainID string) (*domain.Domain, error)
-	ListFreeDomains(ctx context.Context, accountID string) ([]string, error)
-	ListCustomDomains(ctx context.Context, accountID string) ([]*domain.Domain, error)
-	CreateCustomDomain(ctx context.Context, accountID string, domainName string, targetCluster string, validated bool) (*domain.Domain, error)
-	UpdateCustomDomain(ctx context.Context, accountID string, d *domain.Domain) (*domain.Domain, error)
-	DeleteCustomDomain(ctx context.Context, accountID string, domainID string) error
-}
-
-type proxyURLProvider interface {
-	GetConnectedProxyURLs() []string
-}
-
-type Manager struct {
-	store              store
-	validator          domain.Validator
-	proxyURLProvider   proxyURLProvider
-	permissionsManager permissions.Manager
-}
-
-func NewManager(store store, proxyURLProvider proxyURLProvider, permissionsManager permissions.Manager) Manager {
-	return Manager{
-		store:            store,
-		proxyURLProvider: proxyURLProvider,
-		validator: domain.Validator{
-			Resolver: net.DefaultResolver,
-		},
-		permissionsManager: permissionsManager,
-	}
-}
-
-func (m Manager) GetDomains(ctx context.Context, accountID, userID string) ([]*domain.Domain, error) {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
-	if err != nil {
-		return nil, status.NewPermissionValidationError(err)
-	}
-	if !ok {
-		return nil, status.NewPermissionDeniedError()
-	}
-
-	domains, err := m.store.ListCustomDomains(ctx, accountID)
-	if err != nil {
-		return nil, fmt.Errorf("list custom domains: %w", err)
-	}
-
-	var ret []*domain.Domain
-
-	// Add connected proxy clusters as free domains.
-	// The cluster address itself is the free domain base (e.g., "eu.proxy.netbird.io").
-	allowList := m.proxyURLAllowList()
-	log.WithFields(log.Fields{
-		"accountID":      accountID,
-		"proxyAllowList": allowList,
-	}).Debug("getting domains with proxy allow list")
-
-	for _, cluster := range allowList {
-		ret = append(ret, &domain.Domain{
-			Domain:    cluster,
-			AccountID: accountID,
-			Type:      domain.TypeFree,
-			Validated: true,
-		})
-	}
-
-	// Add custom domains.
-	for _, d := range domains {
-		ret = append(ret, &domain.Domain{
-			ID:            d.ID,
-			Domain:        d.Domain,
-			AccountID:     accountID,
-			TargetCluster: d.TargetCluster,
-			Type:          domain.TypeCustom,
-			Validated:     d.Validated,
-		})
-	}
-
-	return ret, nil
-}
-
-func (m Manager) CreateDomain(ctx context.Context, accountID, userID, domainName, targetCluster string) (*domain.Domain, error) {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
-	if err != nil {
-		return nil, status.NewPermissionValidationError(err)
-	}
-	if !ok {
-		return nil, status.NewPermissionDeniedError()
-	}
-
-	// Verify the target cluster is in the available clusters
-	allowList := m.proxyURLAllowList()
-	clusterValid := false
-	for _, cluster := range allowList {
-		if cluster == targetCluster {
-			clusterValid = true
-			break
-		}
-	}
-	if !clusterValid {
-		return nil, fmt.Errorf("target cluster %s is not available", targetCluster)
-	}
-
-	// Attempt an initial validation against the specified cluster only
-	var validated bool
-	if m.validator.IsValid(ctx, domainName, []string{targetCluster}) {
-		validated = true
-	}
-
-	d, err := m.store.CreateCustomDomain(ctx, accountID, domainName, targetCluster, validated)
-	if err != nil {
-		return d, fmt.Errorf("create domain in store: %w", err)
-	}
-	return d, nil
-}
-
-func (m Manager) DeleteDomain(ctx context.Context, accountID, userID, domainID string) error {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
-	if err != nil {
-		return status.NewPermissionValidationError(err)
-	}
-	if !ok {
-		return status.NewPermissionDeniedError()
-	}
-
-	if err := m.store.DeleteCustomDomain(ctx, accountID, domainID); err != nil {
-		// TODO: check for "no records" type error. Because that is a success condition.
-		return fmt.Errorf("delete domain from store: %w", err)
-	}
-	return nil
-}
-
-func (m Manager) ValidateDomain(ctx context.Context, accountID, userID, domainID string) {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
-	if err != nil {
-		log.WithFields(log.Fields{
-			"accountID": accountID,
-			"domainID":  domainID,
-		}).WithError(err).Error("validate domain")
-		return
-	}
-	if !ok {
-		log.WithFields(log.Fields{
-			"accountID": accountID,
-			"domainID":  domainID,
-		}).WithError(err).Error("validate domain")
-	}
-
-	log.WithFields(log.Fields{
-		"accountID": accountID,
-		"domainID":  domainID,
-	}).Info("starting domain validation")
-
-	d, err := m.store.GetCustomDomain(context.Background(), accountID, domainID)
-	if err != nil {
-		log.WithFields(log.Fields{
-			"accountID": accountID,
-			"domainID":  domainID,
-		}).WithError(err).Error("get custom domain from store")
-		return
-	}
-
-	// Validate only against the domain's target cluster
-	targetCluster := d.TargetCluster
-	if targetCluster == "" {
-		log.WithFields(log.Fields{
-			"accountID": accountID,
-			"domainID":  domainID,
-			"domain":    d.Domain,
-		}).Warn("domain has no target cluster set, skipping validation")
-		return
-	}
-
-	log.WithFields(log.Fields{
-		"accountID":     accountID,
-		"domainID":      domainID,
-		"domain":        d.Domain,
-		"targetCluster": targetCluster,
-	}).Info("validating domain against target cluster")
-
-	if m.validator.IsValid(context.Background(), d.Domain, []string{targetCluster}) {
-		log.WithFields(log.Fields{
-			"accountID": accountID,
-			"domainID":  domainID,
-			"domain":    d.Domain,
-		}).Info("domain validated successfully")
-		d.Validated = true
-		if _, err := m.store.UpdateCustomDomain(context.Background(), accountID, d); err != nil {
-			log.WithFields(log.Fields{
-				"accountID": accountID,
-				"domainID":  domainID,
-				"domain":    d.Domain,
-			}).WithError(err).Error("update custom domain in store")
-			return
-		}
-	} else {
-		log.WithFields(log.Fields{
-			"accountID":     accountID,
-			"domainID":      domainID,
-			"domain":        d.Domain,
-			"targetCluster": targetCluster,
-		}).Warn("domain validation failed - CNAME does not match target cluster")
-	}
-}
-
-// proxyURLAllowList retrieves a list of currently connected proxies and
-// their URLs
-func (m Manager) proxyURLAllowList() []string {
-	var reverseProxyAddresses []string
-	if m.proxyURLProvider != nil {
-		reverseProxyAddresses = m.proxyURLProvider.GetConnectedProxyURLs()
-	}
-	return reverseProxyAddresses
-}
-
-// DeriveClusterFromDomain determines the proxy cluster for a given domain.
-// For free domains (those ending with a known cluster suffix), the cluster is extracted from the domain.
-// For custom domains, the cluster is determined by checking the registered custom domain's target cluster.
-func (m Manager) DeriveClusterFromDomain(ctx context.Context, accountID, domain string) (string, error) {
-	allowList := m.proxyURLAllowList()
-	if len(allowList) == 0 {
-		return "", fmt.Errorf("no proxy clusters available")
-	}
-
-	if cluster, ok := ExtractClusterFromFreeDomain(domain, allowList); ok {
-		return cluster, nil
-	}
-
-	customDomains, err := m.store.ListCustomDomains(ctx, accountID)
-	if err != nil {
-		return "", fmt.Errorf("list custom domains: %w", err)
-	}
-
-	targetCluster, valid := extractClusterFromCustomDomains(domain, customDomains)
-	if valid {
-		return targetCluster, nil
-	}
-
-	return "", fmt.Errorf("domain %s does not match any available proxy cluster", domain)
-}
-
-func extractClusterFromCustomDomains(domain string, customDomains []*domain.Domain) (string, bool) {
-	for _, customDomain := range customDomains {
-		if strings.HasSuffix(domain, "."+customDomain.Domain) {
-			return customDomain.TargetCluster, true
-		}
-	}
-	return "", false
-}
-
-// ExtractClusterFromFreeDomain extracts the cluster address from a free domain.
-// Free domains have the format: <name>.<nonce>.<cluster> (e.g., myapp.abc123.eu.proxy.netbird.io)
-// It matches the domain suffix against available clusters and returns the matching cluster.
-func ExtractClusterFromFreeDomain(domain string, availableClusters []string) (string, bool) {
-	for _, cluster := range availableClusters {
-		if strings.HasSuffix(domain, "."+cluster) {
-			return cluster, true
-		}
-	}
-	return "", false
-}

management/internals/modules/reverseproxy/domain/validator.go

@@ -13,15 +13,15 @@ type resolver interface {
 }
 
 type Validator struct {
-	Resolver resolver
+	resolver resolver
 }
 
-// NewValidator initializes a validator with a specific DNS Resolver.
-// If a Validator is used without specifying a Resolver, then it will
+// NewValidator initializes a validator with a specific DNS resolver.
+// If a Validator is used without specifying a resolver, then it will
 // use the net.DefaultResolver.
 func NewValidator(resolver resolver) *Validator {
 	return &Validator{
-		Resolver: resolver,
+		resolver: resolver,
 	}
 }
 
@@ -39,8 +39,8 @@ func (v *Validator) IsValid(ctx context.Context, domain string, accept []string)
 // ValidateWithCluster validates a custom domain and returns the matched cluster address.
 // Returns the cluster address and true if valid, or empty string and false if invalid.
 func (v *Validator) ValidateWithCluster(ctx context.Context, domain string, accept []string) (string, bool) {
-	if v.Resolver == nil {
-		v.Resolver = net.DefaultResolver
+	if v.resolver == nil {
+		v.resolver = net.DefaultResolver
 	}
 
 	lookupDomain := "validation." + domain
@@ -50,7 +50,7 @@ func (v *Validator) ValidateWithCluster(ctx context.Context, domain string, acce
 		"acceptList":   accept,
 	}).Debug("looking up CNAME for domain validation")
 
-	cname, err := v.Resolver.LookupCNAME(ctx, lookupDomain)
+	cname, err := v.resolver.LookupCNAME(ctx, lookupDomain)
 	if err != nil {
 		log.WithFields(log.Fields{
 			"domain":       domain,
@@ -86,3 +86,15 @@ func (v *Validator) ValidateWithCluster(ctx context.Context, domain string, acce
 	}).Warn("domain CNAME does not match any accepted cluster")
 	return "", false
 }
+
+// ExtractClusterFromFreeDomain extracts the cluster address from a free domain.
+// Free domains have the format: <name>.<nonce>.<cluster> (e.g., myapp.abc123.eu.proxy.netbird.io)
+// It matches the domain suffix against available clusters and returns the matching cluster.
+func ExtractClusterFromFreeDomain(domain string, availableClusters []string) (string, bool) {
+	for _, cluster := range availableClusters {
+		if strings.HasSuffix(domain, "."+cluster) {
+			return cluster, true
+		}
+	}
+	return "", false
+}

management/internals/modules/reverseproxy/interface.go

@@ -1,23 +1,15 @@
 package reverseproxy
 
-//go:generate go run github.com/golang/mock/mockgen -package reverseproxy -destination=interface_mock.go -source=./interface.go -build_flags=-mod=mod
-
 import (
 	"context"
 )
 
 type Manager interface {
-	GetAllServices(ctx context.Context, accountID, userID string) ([]*Service, error)
-	GetService(ctx context.Context, accountID, userID, serviceID string) (*Service, error)
-	CreateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error)
-	UpdateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error)
-	DeleteService(ctx context.Context, accountID, userID, serviceID string) error
-	SetCertificateIssuedAt(ctx context.Context, accountID, serviceID string) error
-	SetStatus(ctx context.Context, accountID, serviceID string, status ProxyStatus) error
-	ReloadAllServicesForAccount(ctx context.Context, accountID string) error
-	ReloadService(ctx context.Context, accountID, serviceID string) error
-	GetGlobalServices(ctx context.Context) ([]*Service, error)
-	GetServiceByID(ctx context.Context, accountID, serviceID string) (*Service, error)
-	GetAccountServices(ctx context.Context, accountID string) ([]*Service, error)
-	GetServiceIDByTargetID(ctx context.Context, accountID string, resourceID string) (string, error)
+	GetAllReverseProxies(ctx context.Context, accountID, userID string) ([]*ReverseProxy, error)
+	GetReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) (*ReverseProxy, error)
+	CreateReverseProxy(ctx context.Context, accountID, userID string, reverseProxy *ReverseProxy) (*ReverseProxy, error)
+	UpdateReverseProxy(ctx context.Context, accountID, userID string, reverseProxy *ReverseProxy) (*ReverseProxy, error)
+	DeleteReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) error
+	SetCertificateIssuedAt(ctx context.Context, accountID, reverseProxyID string) error
+	SetStatus(ctx context.Context, accountID, reverseProxyID string, status ProxyStatus) error
 }

management/internals/modules/reverseproxy/interface_mock.go

@@ -1,225 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: ./interface.go
-
-// Package reverseproxy is a generated GoMock package.
-package reverseproxy
-
-import (
-	context "context"
-	reflect "reflect"
-
-	gomock "github.com/golang/mock/gomock"
-)
-
-// MockManager is a mock of Manager interface.
-type MockManager struct {
-	ctrl     *gomock.Controller
-	recorder *MockManagerMockRecorder
-}
-
-// MockManagerMockRecorder is the mock recorder for MockManager.
-type MockManagerMockRecorder struct {
-	mock *MockManager
-}
-
-// NewMockManager creates a new mock instance.
-func NewMockManager(ctrl *gomock.Controller) *MockManager {
-	mock := &MockManager{ctrl: ctrl}
-	mock.recorder = &MockManagerMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockManager) EXPECT() *MockManagerMockRecorder {
-	return m.recorder
-}
-
-// CreateService mocks base method.
-func (m *MockManager) CreateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "CreateService", ctx, accountID, userID, service)
-	ret0, _ := ret[0].(*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// CreateService indicates an expected call of CreateService.
-func (mr *MockManagerMockRecorder) CreateService(ctx, accountID, userID, service interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateService", reflect.TypeOf((*MockManager)(nil).CreateService), ctx, accountID, userID, service)
-}
-
-// DeleteService mocks base method.
-func (m *MockManager) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteService", ctx, accountID, userID, serviceID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// DeleteService indicates an expected call of DeleteService.
-func (mr *MockManagerMockRecorder) DeleteService(ctx, accountID, userID, serviceID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteService", reflect.TypeOf((*MockManager)(nil).DeleteService), ctx, accountID, userID, serviceID)
-}
-
-// GetAccountServices mocks base method.
-func (m *MockManager) GetAccountServices(ctx context.Context, accountID string) ([]*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetAccountServices", ctx, accountID)
-	ret0, _ := ret[0].([]*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetAccountServices indicates an expected call of GetAccountServices.
-func (mr *MockManagerMockRecorder) GetAccountServices(ctx, accountID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAccountServices", reflect.TypeOf((*MockManager)(nil).GetAccountServices), ctx, accountID)
-}
-
-// GetAllServices mocks base method.
-func (m *MockManager) GetAllServices(ctx context.Context, accountID, userID string) ([]*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetAllServices", ctx, accountID, userID)
-	ret0, _ := ret[0].([]*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetAllServices indicates an expected call of GetAllServices.
-func (mr *MockManagerMockRecorder) GetAllServices(ctx, accountID, userID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllServices", reflect.TypeOf((*MockManager)(nil).GetAllServices), ctx, accountID, userID)
-}
-
-// GetGlobalServices mocks base method.
-func (m *MockManager) GetGlobalServices(ctx context.Context) ([]*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetGlobalServices", ctx)
-	ret0, _ := ret[0].([]*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetGlobalServices indicates an expected call of GetGlobalServices.
-func (mr *MockManagerMockRecorder) GetGlobalServices(ctx interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetGlobalServices", reflect.TypeOf((*MockManager)(nil).GetGlobalServices), ctx)
-}
-
-// GetService mocks base method.
-func (m *MockManager) GetService(ctx context.Context, accountID, userID, serviceID string) (*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetService", ctx, accountID, userID, serviceID)
-	ret0, _ := ret[0].(*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetService indicates an expected call of GetService.
-func (mr *MockManagerMockRecorder) GetService(ctx, accountID, userID, serviceID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetService", reflect.TypeOf((*MockManager)(nil).GetService), ctx, accountID, userID, serviceID)
-}
-
-// GetServiceByID mocks base method.
-func (m *MockManager) GetServiceByID(ctx context.Context, accountID, serviceID string) (*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetServiceByID", ctx, accountID, serviceID)
-	ret0, _ := ret[0].(*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetServiceByID indicates an expected call of GetServiceByID.
-func (mr *MockManagerMockRecorder) GetServiceByID(ctx, accountID, serviceID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceByID", reflect.TypeOf((*MockManager)(nil).GetServiceByID), ctx, accountID, serviceID)
-}
-
-// GetServiceIDByTargetID mocks base method.
-func (m *MockManager) GetServiceIDByTargetID(ctx context.Context, accountID, resourceID string) (string, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetServiceIDByTargetID", ctx, accountID, resourceID)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetServiceIDByTargetID indicates an expected call of GetServiceIDByTargetID.
-func (mr *MockManagerMockRecorder) GetServiceIDByTargetID(ctx, accountID, resourceID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceIDByTargetID", reflect.TypeOf((*MockManager)(nil).GetServiceIDByTargetID), ctx, accountID, resourceID)
-}
-
-// ReloadAllServicesForAccount mocks base method.
-func (m *MockManager) ReloadAllServicesForAccount(ctx context.Context, accountID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ReloadAllServicesForAccount", ctx, accountID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// ReloadAllServicesForAccount indicates an expected call of ReloadAllServicesForAccount.
-func (mr *MockManagerMockRecorder) ReloadAllServicesForAccount(ctx, accountID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReloadAllServicesForAccount", reflect.TypeOf((*MockManager)(nil).ReloadAllServicesForAccount), ctx, accountID)
-}
-
-// ReloadService mocks base method.
-func (m *MockManager) ReloadService(ctx context.Context, accountID, serviceID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ReloadService", ctx, accountID, serviceID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// ReloadService indicates an expected call of ReloadService.
-func (mr *MockManagerMockRecorder) ReloadService(ctx, accountID, serviceID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReloadService", reflect.TypeOf((*MockManager)(nil).ReloadService), ctx, accountID, serviceID)
-}
-
-// SetCertificateIssuedAt mocks base method.
-func (m *MockManager) SetCertificateIssuedAt(ctx context.Context, accountID, serviceID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "SetCertificateIssuedAt", ctx, accountID, serviceID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// SetCertificateIssuedAt indicates an expected call of SetCertificateIssuedAt.
-func (mr *MockManagerMockRecorder) SetCertificateIssuedAt(ctx, accountID, serviceID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetCertificateIssuedAt", reflect.TypeOf((*MockManager)(nil).SetCertificateIssuedAt), ctx, accountID, serviceID)
-}
-
-// SetStatus mocks base method.
-func (m *MockManager) SetStatus(ctx context.Context, accountID, serviceID string, status ProxyStatus) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "SetStatus", ctx, accountID, serviceID, status)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// SetStatus indicates an expected call of SetStatus.
-func (mr *MockManagerMockRecorder) SetStatus(ctx, accountID, serviceID, status interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetStatus", reflect.TypeOf((*MockManager)(nil).SetStatus), ctx, accountID, serviceID, status)
-}
-
-// UpdateService mocks base method.
-func (m *MockManager) UpdateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpdateService", ctx, accountID, userID, service)
-	ret0, _ := ret[0].(*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// UpdateService indicates an expected call of UpdateService.
-func (mr *MockManagerMockRecorder) UpdateService(ctx, accountID, userID, service interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateService", reflect.TypeOf((*MockManager)(nil).UpdateService), ctx, accountID, userID, service)
-}

management/internals/modules/reverseproxy/manager/api.go

@@ -9,7 +9,7 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
 	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
-	domainmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
@@ -20,148 +20,148 @@ type handler struct {
 	manager reverseproxy.Manager
 }
 
-// RegisterEndpoints registers all service HTTP endpoints.
-func RegisterEndpoints(manager reverseproxy.Manager, domainManager domainmanager.Manager, accessLogsManager accesslogs.Manager, router *mux.Router) {
+// RegisterEndpoints registers all reverse proxy HTTP endpoints.
+func RegisterEndpoints(manager reverseproxy.Manager, domainManager domain.Manager, accessLogsManager accesslogs.Manager, router *mux.Router) {
 	h := &handler{
 		manager: manager,
 	}
 
 	domainRouter := router.PathPrefix("/reverse-proxies").Subrouter()
-	domainmanager.RegisterEndpoints(domainRouter, domainManager)
+	domain.RegisterEndpoints(domainRouter, domainManager)
 
 	accesslogsmanager.RegisterEndpoints(router, accessLogsManager)
 
-	router.HandleFunc("/reverse-proxies/services", h.getAllServices).Methods("GET", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services", h.createService).Methods("POST", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services/{serviceId}", h.getService).Methods("GET", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services/{serviceId}", h.updateService).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services/{serviceId}", h.deleteService).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/reverse-proxies", h.getAllReverseProxies).Methods("GET", "OPTIONS")
+	router.HandleFunc("/reverse-proxies", h.createReverseProxy).Methods("POST", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/{proxyId}", h.getReverseProxy).Methods("GET", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/{proxyId}", h.updateReverseProxy).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/{proxyId}", h.deleteReverseProxy).Methods("DELETE", "OPTIONS")
 }
 
-func (h *handler) getAllServices(w http.ResponseWriter, r *http.Request) {
+func (h *handler) getAllReverseProxies(w http.ResponseWriter, r *http.Request) {
 	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	allServices, err := h.manager.GetAllServices(r.Context(), userAuth.AccountId, userAuth.UserId)
+	allReverseProxies, err := h.manager.GetAllReverseProxies(r.Context(), userAuth.AccountId, userAuth.UserId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	apiServices := make([]*api.Service, 0, len(allServices))
-	for _, service := range allServices {
-		apiServices = append(apiServices, service.ToAPIResponse())
+	apiReverseProxies := make([]*api.ReverseProxy, 0, len(allReverseProxies))
+	for _, reverseProxy := range allReverseProxies {
+		apiReverseProxies = append(apiReverseProxies, reverseProxy.ToAPIResponse())
 	}
 
-	util.WriteJSONObject(r.Context(), w, apiServices)
+	util.WriteJSONObject(r.Context(), w, apiReverseProxies)
 }
 
-func (h *handler) createService(w http.ResponseWriter, r *http.Request) {
+func (h *handler) createReverseProxy(w http.ResponseWriter, r *http.Request) {
 	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	var req api.ServiceRequest
+	var req api.ReverseProxyRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
 	}
 
-	service := new(reverseproxy.Service)
-	service.FromAPIRequest(&req, userAuth.AccountId)
+	reverseProxy := new(reverseproxy.ReverseProxy)
+	reverseProxy.FromAPIRequest(&req, userAuth.AccountId)
 
-	if err = service.Validate(); err != nil {
+	if err = reverseProxy.Validate(); err != nil {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
 		return
 	}
 
-	createdService, err := h.manager.CreateService(r.Context(), userAuth.AccountId, userAuth.UserId, service)
+	createdReverseProxy, err := h.manager.CreateReverseProxy(r.Context(), userAuth.AccountId, userAuth.UserId, reverseProxy)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	util.WriteJSONObject(r.Context(), w, createdService.ToAPIResponse())
+	util.WriteJSONObject(r.Context(), w, createdReverseProxy.ToAPIResponse())
 }
 
-func (h *handler) getService(w http.ResponseWriter, r *http.Request) {
+func (h *handler) getReverseProxy(w http.ResponseWriter, r *http.Request) {
 	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	serviceID := mux.Vars(r)["serviceId"]
-	if serviceID == "" {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "service ID is required"), w)
+	reverseProxyID := mux.Vars(r)["proxyId"]
+	if reverseProxyID == "" {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "reverse proxy ID is required"), w)
 		return
 	}
 
-	service, err := h.manager.GetService(r.Context(), userAuth.AccountId, userAuth.UserId, serviceID)
+	reverseProxy, err := h.manager.GetReverseProxy(r.Context(), userAuth.AccountId, userAuth.UserId, reverseProxyID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	util.WriteJSONObject(r.Context(), w, service.ToAPIResponse())
+	util.WriteJSONObject(r.Context(), w, reverseProxy.ToAPIResponse())
 }
 
-func (h *handler) updateService(w http.ResponseWriter, r *http.Request) {
+func (h *handler) updateReverseProxy(w http.ResponseWriter, r *http.Request) {
 	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	serviceID := mux.Vars(r)["serviceId"]
-	if serviceID == "" {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "service ID is required"), w)
+	reverseProxyID := mux.Vars(r)["proxyId"]
+	if reverseProxyID == "" {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "reverse proxy ID is required"), w)
 		return
 	}
 
-	var req api.ServiceRequest
+	var req api.ReverseProxyRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
 	}
 
-	service := new(reverseproxy.Service)
-	service.ID = serviceID
-	service.FromAPIRequest(&req, userAuth.AccountId)
+	reverseProxy := new(reverseproxy.ReverseProxy)
+	reverseProxy.ID = reverseProxyID
+	reverseProxy.FromAPIRequest(&req, userAuth.AccountId)
 
-	if err = service.Validate(); err != nil {
+	if err = reverseProxy.Validate(); err != nil {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
 		return
 	}
 
-	updatedService, err := h.manager.UpdateService(r.Context(), userAuth.AccountId, userAuth.UserId, service)
+	updatedReverseProxy, err := h.manager.UpdateReverseProxy(r.Context(), userAuth.AccountId, userAuth.UserId, reverseProxy)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	util.WriteJSONObject(r.Context(), w, updatedService.ToAPIResponse())
+	util.WriteJSONObject(r.Context(), w, updatedReverseProxy.ToAPIResponse())
 }
 
-func (h *handler) deleteService(w http.ResponseWriter, r *http.Request) {
+func (h *handler) deleteReverseProxy(w http.ResponseWriter, r *http.Request) {
 	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	serviceID := mux.Vars(r)["serviceId"]
-	if serviceID == "" {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "service ID is required"), w)
+	reverseProxyID := mux.Vars(r)["proxyId"]
+	if reverseProxyID == "" {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "reverse proxy ID is required"), w)
 		return
 	}
 
-	if err := h.manager.DeleteService(r.Context(), userAuth.AccountId, userAuth.UserId, serviceID); err != nil {
+	if err := h.manager.DeleteReverseProxy(r.Context(), userAuth.AccountId, userAuth.UserId, reverseProxyID); err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}

management/internals/modules/reverseproxy/manager/manager.go

@@ -19,11 +19,9 @@ import (
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
-const unknownHostPlaceholder = "unknown"
-
 // ClusterDeriver derives the proxy cluster from a domain.
 type ClusterDeriver interface {
-	DeriveClusterFromDomain(ctx context.Context, accountID, domain string) (string, error)
+	DeriveClusterFromDomain(ctx context.Context, domain string) (string, error)
 }
 
 type managerImpl struct {
@@ -32,20 +30,22 @@ type managerImpl struct {
 	permissionsManager permissions.Manager
 	proxyGRPCServer    *nbgrpc.ProxyServiceServer
 	clusterDeriver     ClusterDeriver
+	tokenStore         *nbgrpc.OneTimeTokenStore
 }
 
-// NewManager creates a new service manager.
-func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, clusterDeriver ClusterDeriver) reverseproxy.Manager {
+// NewManager creates a new reverse proxy manager.
+func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, clusterDeriver ClusterDeriver, tokenStore *nbgrpc.OneTimeTokenStore) reverseproxy.Manager {
 	return &managerImpl{
 		store:              store,
 		accountManager:     accountManager,
 		permissionsManager: permissionsManager,
 		proxyGRPCServer:    proxyGRPCServer,
 		clusterDeriver:     clusterDeriver,
+		tokenStore:         tokenStore,
 	}
 }
 
-func (m *managerImpl) GetAllServices(ctx context.Context, accountID, userID string) ([]*reverseproxy.Service, error) {
+func (m *managerImpl) GetAllReverseProxies(ctx context.Context, accountID, userID string) ([]*reverseproxy.ReverseProxy, error) {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
@@ -54,58 +54,10 @@ func (m *managerImpl) GetAllServices(ctx context.Context, accountID, userID stri
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	services, err := m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get services: %w", err)
-	}
-
-	for _, service := range services {
-		err = m.replaceHostByLookup(ctx, accountID, service)
-		if err != nil {
-			return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-		}
-	}
-
-	return services, nil
+	return m.store.GetAccountReverseProxies(ctx, store.LockingStrengthNone, accountID)
 }
 
-func (m *managerImpl) replaceHostByLookup(ctx context.Context, accountID string, service *reverseproxy.Service) error {
-	for _, target := range service.Targets {
-		switch target.TargetType {
-		case reverseproxy.TargetTypePeer:
-			peer, err := m.store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
-			if err != nil {
-				log.WithContext(ctx).Warnf("failed to get peer by id %s for service %s: %v", target.TargetId, service.ID, err)
-				target.Host = unknownHostPlaceholder
-				continue
-			}
-			target.Host = peer.IP.String()
-		case reverseproxy.TargetTypeHost:
-			resource, err := m.store.GetNetworkResourceByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
-			if err != nil {
-				log.WithContext(ctx).Warnf("failed to get resource by id %s for service %s: %v", target.TargetId, service.ID, err)
-				target.Host = unknownHostPlaceholder
-				continue
-			}
-			target.Host = resource.Prefix.Addr().String()
-		case reverseproxy.TargetTypeDomain:
-			resource, err := m.store.GetNetworkResourceByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
-			if err != nil {
-				log.WithContext(ctx).Warnf("failed to get resource by id %s for service %s: %v", target.TargetId, service.ID, err)
-				target.Host = unknownHostPlaceholder
-				continue
-			}
-			target.Host = resource.Domain
-		case reverseproxy.TargetTypeSubnet:
-			// For subnets we do not do any lookups on the resource
-		default:
-			return fmt.Errorf("unknown target type: %s", target.TargetType)
-		}
-	}
-	return nil
-}
-
-func (m *managerImpl) GetService(ctx context.Context, accountID, userID, serviceID string) (*reverseproxy.Service, error) {
+func (m *managerImpl) GetReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) (*reverseproxy.ReverseProxy, error) {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
@@ -114,19 +66,10 @@ func (m *managerImpl) GetService(ctx context.Context, accountID, userID, service
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	service, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, serviceID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get service: %w", err)
-	}
-
-	err = m.replaceHostByLookup(ctx, accountID, service)
-	if err != nil {
-		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-	}
-	return service, nil
+	return m.store.GetReverseProxyByID(ctx, store.LockingStrengthNone, accountID, reverseProxyID)
 }
 
-func (m *managerImpl) CreateService(ctx context.Context, accountID, userID string, service *reverseproxy.Service) (*reverseproxy.Service, error) {
+func (m *managerImpl) CreateReverseProxy(ctx context.Context, accountID, userID string, reverseProxy *reverseproxy.ReverseProxy) (*reverseproxy.ReverseProxy, error) {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
@@ -135,90 +78,63 @@ func (m *managerImpl) CreateService(ctx context.Context, accountID, userID strin
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	if err := m.initializeServiceForCreate(ctx, accountID, service); err != nil {
-		return nil, err
-	}
-
-	if err := m.persistNewService(ctx, accountID, service); err != nil {
-		return nil, err
-	}
-
-	m.accountManager.StoreEvent(ctx, userID, service.ID, accountID, activity.ServiceCreated, service.EventMeta())
-
-	err = m.replaceHostByLookup(ctx, accountID, service)
-	if err != nil {
-		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-	}
-
-	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-
-	m.accountManager.UpdateAccountPeers(ctx, accountID)
-
-	return service, nil
-}
-
-func (m *managerImpl) initializeServiceForCreate(ctx context.Context, accountID string, service *reverseproxy.Service) error {
+	var proxyCluster string
 	if m.clusterDeriver != nil {
-		proxyCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, service.Domain)
+		proxyCluster, err = m.clusterDeriver.DeriveClusterFromDomain(ctx, reverseProxy.Domain)
 		if err != nil {
-			log.WithError(err).Warnf("could not derive cluster from domain %s, updates will broadcast to all proxy servers", service.Domain)
-			return status.Errorf(status.PreconditionFailed, "could not derive cluster from domain %s: %v", service.Domain, err)
+			log.WithError(err).Warnf("could not derive cluster from domain %s, updates will broadcast to all proxies", reverseProxy.Domain)
 		}
-		service.ProxyCluster = proxyCluster
 	}
 
-	service.AccountID = accountID
-	service.InitNewRecord()
+	authConfig := reverseProxy.Auth
 
-	if err := service.Auth.HashSecrets(); err != nil {
-		return fmt.Errorf("hash secrets: %w", err)
-	}
+	reverseProxy = reverseproxy.NewReverseProxy(accountID, reverseProxy.Name, reverseProxy.Domain, proxyCluster, reverseProxy.Targets, reverseProxy.Enabled)
 
+	reverseProxy.Auth = authConfig
+
+	// Generate session JWT signing keys
 	keyPair, err := sessionkey.GenerateKeyPair()
 	if err != nil {
-		return fmt.Errorf("generate session keys: %w", err)
+		return nil, fmt.Errorf("generate session keys: %w", err)
 	}
-	service.SessionPrivateKey = keyPair.PrivateKey
-	service.SessionPublicKey = keyPair.PublicKey
+	reverseProxy.SessionPrivateKey = keyPair.PrivateKey
+	reverseProxy.SessionPublicKey = keyPair.PublicKey
 
-	return nil
-}
-
-func (m *managerImpl) persistNewService(ctx context.Context, accountID string, service *reverseproxy.Service) error {
-	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		if err := m.checkDomainAvailable(ctx, transaction, accountID, service.Domain, ""); err != nil {
-			return err
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		// Check for duplicate domain
+		existingReverseProxy, err := transaction.GetReverseProxyByDomain(ctx, accountID, reverseProxy.Domain)
+		if err != nil {
+			if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
+				return fmt.Errorf("failed to check existing reverse proxy: %w", err)
+			}
+		}
+		if existingReverseProxy != nil {
+			return status.Errorf(status.AlreadyExists, "reverse proxy with domain %s already exists", reverseProxy.Domain)
 		}
 
-		if err := validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
-			return err
-		}
-
-		if err := transaction.CreateService(ctx, service); err != nil {
-			return fmt.Errorf("failed to create service: %w", err)
+		if err = transaction.CreateReverseProxy(ctx, reverseProxy); err != nil {
+			return fmt.Errorf("failed to create reverse proxy: %w", err)
 		}
 
 		return nil
 	})
-}
-
-func (m *managerImpl) checkDomainAvailable(ctx context.Context, transaction store.Store, accountID, domain, excludeServiceID string) error {
-	existingService, err := transaction.GetServiceByDomain(ctx, accountID, domain)
 	if err != nil {
-		if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
-			return fmt.Errorf("failed to check existing service: %w", err)
-		}
-		return nil
+		return nil, err
 	}
 
-	if existingService != nil && existingService.ID != excludeServiceID {
-		return status.Errorf(status.AlreadyExists, "service with domain %s already exists", domain)
+	token, err := m.tokenStore.GenerateToken(accountID, reverseProxy.ID, 5*time.Minute)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate authentication token: %w", err)
 	}
 
-	return nil
+	m.accountManager.StoreEvent(ctx, userID, reverseProxy.ID, accountID, activity.ReverseProxyCreated, reverseProxy.EventMeta())
+
+	m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)
+
+	return reverseProxy, nil
 }
 
-func (m *managerImpl) UpdateService(ctx context.Context, accountID, userID string, service *reverseproxy.Service) (*reverseproxy.Service, error) {
+func (m *managerImpl) UpdateReverseProxy(ctx context.Context, accountID, userID string, reverseProxy *reverseproxy.ReverseProxy) (*reverseproxy.ReverseProxy, error) {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Update)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
@@ -227,148 +143,66 @@ func (m *managerImpl) UpdateService(ctx context.Context, accountID, userID strin
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	if err := service.Auth.HashSecrets(); err != nil {
-		return nil, fmt.Errorf("hash secrets: %w", err)
-	}
+	var oldCluster string
+	var domainChanged bool
 
-	updateInfo, err := m.persistServiceUpdate(ctx, accountID, service)
-	if err != nil {
-		return nil, err
-	}
-
-	m.accountManager.StoreEvent(ctx, userID, service.ID, accountID, activity.ServiceUpdated, service.EventMeta())
-
-	if err := m.replaceHostByLookup(ctx, accountID, service); err != nil {
-		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-	}
-
-	m.sendServiceUpdateNotifications(service, updateInfo)
-	m.accountManager.UpdateAccountPeers(ctx, accountID)
-
-	return service, nil
-}
-
-type serviceUpdateInfo struct {
-	oldCluster            string
-	domainChanged         bool
-	serviceEnabledChanged bool
-}
-
-func (m *managerImpl) persistServiceUpdate(ctx context.Context, accountID string, service *reverseproxy.Service) (*serviceUpdateInfo, error) {
-	var updateInfo serviceUpdateInfo
-
-	err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		existingReverseProxy, err := transaction.GetReverseProxyByID(ctx, store.LockingStrengthUpdate, accountID, reverseProxy.ID)
 		if err != nil {
 			return err
 		}
 
-		updateInfo.oldCluster = existingService.ProxyCluster
-		updateInfo.domainChanged = existingService.Domain != service.Domain
+		oldCluster = existingReverseProxy.ProxyCluster
 
-		if updateInfo.domainChanged {
-			if err := m.handleDomainChange(ctx, transaction, accountID, service); err != nil {
-				return err
+		if existingReverseProxy.Domain != reverseProxy.Domain {
+			domainChanged = true
+			conflictReverseProxy, err := transaction.GetReverseProxyByDomain(ctx, accountID, reverseProxy.Domain)
+			if err != nil {
+				if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
+					return fmt.Errorf("check existing reverse proxy: %w", err)
+				}
+			}
+			if conflictReverseProxy != nil && conflictReverseProxy.ID != reverseProxy.ID {
+				return status.Errorf(status.AlreadyExists, "reverse proxy with domain %s already exists", reverseProxy.Domain)
+			}
+
+			if m.clusterDeriver != nil {
+				newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, reverseProxy.Domain)
+				if err != nil {
+					log.WithError(err).Warnf("could not derive cluster from domain %s", reverseProxy.Domain)
+				}
+				reverseProxy.ProxyCluster = newCluster
 			}
 		} else {
-			service.ProxyCluster = existingService.ProxyCluster
+			reverseProxy.ProxyCluster = existingReverseProxy.ProxyCluster
 		}
 
-		m.preserveExistingAuthSecrets(service, existingService)
-		m.preserveServiceMetadata(service, existingService)
-		updateInfo.serviceEnabledChanged = existingService.Enabled != service.Enabled
+		reverseProxy.Meta = existingReverseProxy.Meta
 
-		if err := validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
-			return err
-		}
-
-		if err := transaction.UpdateService(ctx, service); err != nil {
-			return fmt.Errorf("update service: %w", err)
+		if err = transaction.UpdateReverseProxy(ctx, reverseProxy); err != nil {
+			return fmt.Errorf("update reverse proxy: %w", err)
 		}
 
 		return nil
 	})
-
-	return &updateInfo, err
-}
-
-func (m *managerImpl) handleDomainChange(ctx context.Context, transaction store.Store, accountID string, service *reverseproxy.Service) error {
-	if err := m.checkDomainAvailable(ctx, transaction, accountID, service.Domain, service.ID); err != nil {
-		return err
+	if err != nil {
+		return nil, err
 	}
 
-	if m.clusterDeriver != nil {
-		newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, service.Domain)
-		if err != nil {
-			log.WithError(err).Warnf("could not derive cluster from domain %s", service.Domain)
-		} else {
-			service.ProxyCluster = newCluster
-		}
+	m.accountManager.StoreEvent(ctx, userID, reverseProxy.ID, accountID, activity.ReverseProxyUpdated, reverseProxy.EventMeta())
+
+	oidcConfig := m.proxyGRPCServer.GetOIDCValidationConfig()
+	if domainChanged && oldCluster != reverseProxy.ProxyCluster {
+		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Delete, "", oidcConfig), oldCluster)
+		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Create, "", oidcConfig), reverseProxy.ProxyCluster)
+	} else {
+		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Update, "", oidcConfig), reverseProxy.ProxyCluster)
 	}
 
-	return nil
+	return reverseProxy, nil
 }
 
-func (m *managerImpl) preserveExistingAuthSecrets(service, existingService *reverseproxy.Service) {
-	if service.Auth.PasswordAuth != nil && service.Auth.PasswordAuth.Enabled &&
-		existingService.Auth.PasswordAuth != nil && existingService.Auth.PasswordAuth.Enabled &&
-		service.Auth.PasswordAuth.Password == "" {
-		service.Auth.PasswordAuth = existingService.Auth.PasswordAuth
-	}
-
-	if service.Auth.PinAuth != nil && service.Auth.PinAuth.Enabled &&
-		existingService.Auth.PinAuth != nil && existingService.Auth.PinAuth.Enabled &&
-		service.Auth.PinAuth.Pin == "" {
-		service.Auth.PinAuth = existingService.Auth.PinAuth
-	}
-}
-
-func (m *managerImpl) preserveServiceMetadata(service, existingService *reverseproxy.Service) {
-	service.Meta = existingService.Meta
-	service.SessionPrivateKey = existingService.SessionPrivateKey
-	service.SessionPublicKey = existingService.SessionPublicKey
-}
-
-func (m *managerImpl) sendServiceUpdateNotifications(service *reverseproxy.Service, updateInfo *serviceUpdateInfo) {
-	oidcCfg := m.proxyGRPCServer.GetOIDCValidationConfig()
-
-	switch {
-	case updateInfo.domainChanged && updateInfo.oldCluster != service.ProxyCluster:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", oidcCfg), updateInfo.oldCluster)
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", oidcCfg), service.ProxyCluster)
-	case !service.Enabled && updateInfo.serviceEnabledChanged:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", oidcCfg), service.ProxyCluster)
-	case service.Enabled && updateInfo.serviceEnabledChanged:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", oidcCfg), service.ProxyCluster)
-	default:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", oidcCfg), service.ProxyCluster)
-	}
-}
-
-// validateTargetReferences checks that all target IDs reference existing peers or resources in the account.
-func validateTargetReferences(ctx context.Context, transaction store.Store, accountID string, targets []*reverseproxy.Target) error {
-	for _, target := range targets {
-		switch target.TargetType {
-		case reverseproxy.TargetTypePeer:
-			if _, err := transaction.GetPeerByID(ctx, store.LockingStrengthShare, accountID, target.TargetId); err != nil {
-				if sErr, ok := status.FromError(err); ok && sErr.Type() == status.NotFound {
-					return status.Errorf(status.InvalidArgument, "peer target %q not found in account", target.TargetId)
-				}
-				return fmt.Errorf("look up peer target %q: %w", target.TargetId, err)
-			}
-		case reverseproxy.TargetTypeHost, reverseproxy.TargetTypeSubnet, reverseproxy.TargetTypeDomain:
-			if _, err := transaction.GetNetworkResourceByID(ctx, store.LockingStrengthShare, accountID, target.TargetId); err != nil {
-				if sErr, ok := status.FromError(err); ok && sErr.Type() == status.NotFound {
-					return status.Errorf(status.InvalidArgument, "resource target %q not found in account", target.TargetId)
-				}
-				return fmt.Errorf("look up resource target %q: %w", target.TargetId, err)
-			}
-		}
-	}
-	return nil
-}
-
-func (m *managerImpl) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
+func (m *managerImpl) DeleteReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) error {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
@@ -377,16 +211,16 @@ func (m *managerImpl) DeleteService(ctx context.Context, accountID, userID, serv
 		return status.NewPermissionDeniedError()
 	}
 
-	var service *reverseproxy.Service
+	var reverseProxy *reverseproxy.ReverseProxy
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		var err error
-		service, err = transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, serviceID)
+		reverseProxy, err = transaction.GetReverseProxyByID(ctx, store.LockingStrengthUpdate, accountID, reverseProxyID)
 		if err != nil {
 			return err
 		}
 
-		if err = transaction.DeleteService(ctx, accountID, serviceID); err != nil {
-			return fmt.Errorf("failed to delete service: %w", err)
+		if err = transaction.DeleteReverseProxy(ctx, accountID, reverseProxyID); err != nil {
+			return fmt.Errorf("failed to delete reverse proxy: %w", err)
 		}
 
 		return nil
@@ -395,145 +229,46 @@ func (m *managerImpl) DeleteService(ctx context.Context, accountID, userID, serv
 		return err
 	}
 
-	m.accountManager.StoreEvent(ctx, userID, serviceID, accountID, activity.ServiceDeleted, service.EventMeta())
+	m.accountManager.StoreEvent(ctx, userID, reverseProxyID, accountID, activity.ReverseProxyDeleted, reverseProxy.EventMeta())
 
-	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-
-	m.accountManager.UpdateAccountPeers(ctx, accountID)
+	m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)
 
 	return nil
 }
 
 // SetCertificateIssuedAt sets the certificate issued timestamp to the current time.
 // Call this when receiving a gRPC notification that the certificate was issued.
-func (m *managerImpl) SetCertificateIssuedAt(ctx context.Context, accountID, serviceID string) error {
+func (m *managerImpl) SetCertificateIssuedAt(ctx context.Context, accountID, reverseProxyID string) error {
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		service, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, serviceID)
+		proxy, err := transaction.GetReverseProxyByID(ctx, store.LockingStrengthUpdate, accountID, reverseProxyID)
 		if err != nil {
-			return fmt.Errorf("failed to get service: %w", err)
+			return fmt.Errorf("failed to get reverse proxy: %w", err)
 		}
 
-		service.Meta.CertificateIssuedAt = time.Now()
+		proxy.Meta.CertificateIssuedAt = time.Now()
 
-		if err = transaction.UpdateService(ctx, service); err != nil {
-			return fmt.Errorf("failed to update service certificate timestamp: %w", err)
+		if err = transaction.UpdateReverseProxy(ctx, proxy); err != nil {
+			return fmt.Errorf("failed to update reverse proxy certificate timestamp: %w", err)
 		}
 
 		return nil
 	})
 }
 
-// SetStatus updates the status of the service (e.g., "active", "tunnel_not_created", etc.)
-func (m *managerImpl) SetStatus(ctx context.Context, accountID, serviceID string, status reverseproxy.ProxyStatus) error {
+// SetStatus updates the status of the reverse proxy (e.g., "active", "tunnel_not_created", etc.)
+func (m *managerImpl) SetStatus(ctx context.Context, accountID, reverseProxyID string, status reverseproxy.ProxyStatus) error {
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		service, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, serviceID)
+		proxy, err := transaction.GetReverseProxyByID(ctx, store.LockingStrengthUpdate, accountID, reverseProxyID)
 		if err != nil {
-			return fmt.Errorf("failed to get service: %w", err)
+			return fmt.Errorf("failed to get reverse proxy: %w", err)
 		}
 
-		service.Meta.Status = string(status)
+		proxy.Meta.Status = string(status)
 
-		if err = transaction.UpdateService(ctx, service); err != nil {
-			return fmt.Errorf("failed to update service status: %w", err)
+		if err = transaction.UpdateReverseProxy(ctx, proxy); err != nil {
+			return fmt.Errorf("failed to update reverse proxy status: %w", err)
 		}
 
 		return nil
 	})
 }
-
-func (m *managerImpl) ReloadService(ctx context.Context, accountID, serviceID string) error {
-	service, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, serviceID)
-	if err != nil {
-		return fmt.Errorf("failed to get service: %w", err)
-	}
-
-	err = m.replaceHostByLookup(ctx, accountID, service)
-	if err != nil {
-		return fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-	}
-
-	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-
-	m.accountManager.UpdateAccountPeers(ctx, accountID)
-
-	return nil
-}
-
-func (m *managerImpl) ReloadAllServicesForAccount(ctx context.Context, accountID string) error {
-	services, err := m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return fmt.Errorf("failed to get services: %w", err)
-	}
-
-	for _, service := range services {
-		err = m.replaceHostByLookup(ctx, accountID, service)
-		if err != nil {
-			return fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-		}
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-	}
-
-	return nil
-}
-
-func (m *managerImpl) GetGlobalServices(ctx context.Context) ([]*reverseproxy.Service, error) {
-	services, err := m.store.GetServices(ctx, store.LockingStrengthNone)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get services: %w", err)
-	}
-
-	for _, service := range services {
-		err = m.replaceHostByLookup(ctx, service.AccountID, service)
-		if err != nil {
-			return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-		}
-	}
-
-	return services, nil
-}
-
-func (m *managerImpl) GetServiceByID(ctx context.Context, accountID, serviceID string) (*reverseproxy.Service, error) {
-	service, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, serviceID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get service: %w", err)
-	}
-
-	err = m.replaceHostByLookup(ctx, accountID, service)
-	if err != nil {
-		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-	}
-
-	return service, nil
-}
-
-func (m *managerImpl) GetAccountServices(ctx context.Context, accountID string) ([]*reverseproxy.Service, error) {
-	services, err := m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get services: %w", err)
-	}
-
-	for _, service := range services {
-		err = m.replaceHostByLookup(ctx, accountID, service)
-		if err != nil {
-			return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-		}
-	}
-
-	return services, nil
-}
-
-func (m *managerImpl) GetServiceIDByTargetID(ctx context.Context, accountID string, resourceID string) (string, error) {
-	target, err := m.store.GetServiceTargetByTargetID(ctx, store.LockingStrengthNone, accountID, resourceID)
-	if err != nil {
-		if s, ok := status.FromError(err); ok && s.Type() == status.NotFound {
-			return "", nil
-		}
-		return "", fmt.Errorf("failed to get service target by resource ID: %w", err)
-	}
-
-	if target == nil {
-		return "", nil
-	}
-
-	return target.ServiceID, nil
-}

management/internals/modules/reverseproxy/manager/manager_test.go

@@ -1,375 +0,0 @@
-package manager
-
-import (
-	"context"
-	"errors"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/shared/management/status"
-)
-
-func TestInitializeServiceForCreate(t *testing.T) {
-	ctx := context.Background()
-	accountID := "test-account"
-
-	t.Run("successful initialization without cluster deriver", func(t *testing.T) {
-		mgr := &managerImpl{
-			clusterDeriver: nil,
-		}
-
-		service := &reverseproxy.Service{
-			Domain: "example.com",
-			Auth:   reverseproxy.AuthConfig{},
-		}
-
-		err := mgr.initializeServiceForCreate(ctx, accountID, service)
-
-		assert.NoError(t, err)
-		assert.Equal(t, accountID, service.AccountID)
-		assert.Empty(t, service.ProxyCluster, "proxy cluster should be empty when no deriver")
-		assert.NotEmpty(t, service.ID, "service ID should be initialized")
-		assert.NotEmpty(t, service.SessionPrivateKey, "session private key should be generated")
-		assert.NotEmpty(t, service.SessionPublicKey, "session public key should be generated")
-	})
-
-	t.Run("verifies session keys are different", func(t *testing.T) {
-		mgr := &managerImpl{
-			clusterDeriver: nil,
-		}
-
-		service1 := &reverseproxy.Service{Domain: "test1.com", Auth: reverseproxy.AuthConfig{}}
-		service2 := &reverseproxy.Service{Domain: "test2.com", Auth: reverseproxy.AuthConfig{}}
-
-		err1 := mgr.initializeServiceForCreate(ctx, accountID, service1)
-		err2 := mgr.initializeServiceForCreate(ctx, accountID, service2)
-
-		assert.NoError(t, err1)
-		assert.NoError(t, err2)
-		assert.NotEqual(t, service1.SessionPrivateKey, service2.SessionPrivateKey, "private keys should be unique")
-		assert.NotEqual(t, service1.SessionPublicKey, service2.SessionPublicKey, "public keys should be unique")
-	})
-}
-
-func TestCheckDomainAvailable(t *testing.T) {
-	ctx := context.Background()
-	accountID := "test-account"
-
-	tests := []struct {
-		name             string
-		domain           string
-		excludeServiceID string
-		setupMock        func(*store.MockStore)
-		expectedError    bool
-		errorType        status.Type
-	}{
-		{
-			name:             "domain available - not found",
-			domain:           "available.com",
-			excludeServiceID: "",
-			setupMock: func(ms *store.MockStore) {
-				ms.EXPECT().
-					GetServiceByDomain(ctx, accountID, "available.com").
-					Return(nil, status.Errorf(status.NotFound, "not found"))
-			},
-			expectedError: false,
-		},
-		{
-			name:             "domain already exists",
-			domain:           "exists.com",
-			excludeServiceID: "",
-			setupMock: func(ms *store.MockStore) {
-				ms.EXPECT().
-					GetServiceByDomain(ctx, accountID, "exists.com").
-					Return(&reverseproxy.Service{ID: "existing-id", Domain: "exists.com"}, nil)
-			},
-			expectedError: true,
-			errorType:     status.AlreadyExists,
-		},
-		{
-			name:             "domain exists but excluded (same ID)",
-			domain:           "exists.com",
-			excludeServiceID: "service-123",
-			setupMock: func(ms *store.MockStore) {
-				ms.EXPECT().
-					GetServiceByDomain(ctx, accountID, "exists.com").
-					Return(&reverseproxy.Service{ID: "service-123", Domain: "exists.com"}, nil)
-			},
-			expectedError: false,
-		},
-		{
-			name:             "domain exists with different ID",
-			domain:           "exists.com",
-			excludeServiceID: "service-456",
-			setupMock: func(ms *store.MockStore) {
-				ms.EXPECT().
-					GetServiceByDomain(ctx, accountID, "exists.com").
-					Return(&reverseproxy.Service{ID: "service-123", Domain: "exists.com"}, nil)
-			},
-			expectedError: true,
-			errorType:     status.AlreadyExists,
-		},
-		{
-			name:             "store error (non-NotFound)",
-			domain:           "error.com",
-			excludeServiceID: "",
-			setupMock: func(ms *store.MockStore) {
-				ms.EXPECT().
-					GetServiceByDomain(ctx, accountID, "error.com").
-					Return(nil, errors.New("database error"))
-			},
-			expectedError: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			mockStore := store.NewMockStore(ctrl)
-			tt.setupMock(mockStore)
-
-			mgr := &managerImpl{}
-			err := mgr.checkDomainAvailable(ctx, mockStore, accountID, tt.domain, tt.excludeServiceID)
-
-			if tt.expectedError {
-				require.Error(t, err)
-				if tt.errorType != 0 {
-					sErr, ok := status.FromError(err)
-					require.True(t, ok, "error should be a status error")
-					assert.Equal(t, tt.errorType, sErr.Type())
-				}
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}
-
-func TestCheckDomainAvailable_EdgeCases(t *testing.T) {
-	ctx := context.Background()
-	accountID := "test-account"
-
-	t.Run("empty domain", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-		mockStore.EXPECT().
-			GetServiceByDomain(ctx, accountID, "").
-			Return(nil, status.Errorf(status.NotFound, "not found"))
-
-		mgr := &managerImpl{}
-		err := mgr.checkDomainAvailable(ctx, mockStore, accountID, "", "")
-
-		assert.NoError(t, err)
-	})
-
-	t.Run("empty exclude ID with existing service", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-		mockStore.EXPECT().
-			GetServiceByDomain(ctx, accountID, "test.com").
-			Return(&reverseproxy.Service{ID: "some-id", Domain: "test.com"}, nil)
-
-		mgr := &managerImpl{}
-		err := mgr.checkDomainAvailable(ctx, mockStore, accountID, "test.com", "")
-
-		assert.Error(t, err)
-		sErr, ok := status.FromError(err)
-		require.True(t, ok)
-		assert.Equal(t, status.AlreadyExists, sErr.Type())
-	})
-
-	t.Run("nil existing service with nil error", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-		mockStore.EXPECT().
-			GetServiceByDomain(ctx, accountID, "nil.com").
-			Return(nil, nil)
-
-		mgr := &managerImpl{}
-		err := mgr.checkDomainAvailable(ctx, mockStore, accountID, "nil.com", "")
-
-		assert.NoError(t, err)
-	})
-}
-
-func TestPersistNewService(t *testing.T) {
-	ctx := context.Background()
-	accountID := "test-account"
-
-	t.Run("successful service creation with no targets", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-		service := &reverseproxy.Service{
-			ID:      "service-123",
-			Domain:  "new.com",
-			Targets: []*reverseproxy.Target{},
-		}
-
-		// Mock ExecuteInTransaction to execute the function immediately
-		mockStore.EXPECT().
-			ExecuteInTransaction(ctx, gomock.Any()).
-			DoAndReturn(func(ctx context.Context, fn func(store.Store) error) error {
-				// Create another mock for the transaction
-				txMock := store.NewMockStore(ctrl)
-				txMock.EXPECT().
-					GetServiceByDomain(ctx, accountID, "new.com").
-					Return(nil, status.Errorf(status.NotFound, "not found"))
-				txMock.EXPECT().
-					CreateService(ctx, service).
-					Return(nil)
-
-				return fn(txMock)
-			})
-
-		mgr := &managerImpl{store: mockStore}
-		err := mgr.persistNewService(ctx, accountID, service)
-
-		assert.NoError(t, err)
-	})
-
-	t.Run("domain already exists", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-		service := &reverseproxy.Service{
-			ID:      "service-123",
-			Domain:  "existing.com",
-			Targets: []*reverseproxy.Target{},
-		}
-
-		mockStore.EXPECT().
-			ExecuteInTransaction(ctx, gomock.Any()).
-			DoAndReturn(func(ctx context.Context, fn func(store.Store) error) error {
-				txMock := store.NewMockStore(ctrl)
-				txMock.EXPECT().
-					GetServiceByDomain(ctx, accountID, "existing.com").
-					Return(&reverseproxy.Service{ID: "other-id", Domain: "existing.com"}, nil)
-
-				return fn(txMock)
-			})
-
-		mgr := &managerImpl{store: mockStore}
-		err := mgr.persistNewService(ctx, accountID, service)
-
-		require.Error(t, err)
-		sErr, ok := status.FromError(err)
-		require.True(t, ok)
-		assert.Equal(t, status.AlreadyExists, sErr.Type())
-	})
-}
-func TestPreserveExistingAuthSecrets(t *testing.T) {
-	mgr := &managerImpl{}
-
-	t.Run("preserve password when empty", func(t *testing.T) {
-		existing := &reverseproxy.Service{
-			Auth: reverseproxy.AuthConfig{
-				PasswordAuth: &reverseproxy.PasswordAuthConfig{
-					Enabled:  true,
-					Password: "hashed-password",
-				},
-			},
-		}
-
-		updated := &reverseproxy.Service{
-			Auth: reverseproxy.AuthConfig{
-				PasswordAuth: &reverseproxy.PasswordAuthConfig{
-					Enabled:  true,
-					Password: "",
-				},
-			},
-		}
-
-		mgr.preserveExistingAuthSecrets(updated, existing)
-
-		assert.Equal(t, existing.Auth.PasswordAuth, updated.Auth.PasswordAuth)
-	})
-
-	t.Run("preserve pin when empty", func(t *testing.T) {
-		existing := &reverseproxy.Service{
-			Auth: reverseproxy.AuthConfig{
-				PinAuth: &reverseproxy.PINAuthConfig{
-					Enabled: true,
-					Pin:     "hashed-pin",
-				},
-			},
-		}
-
-		updated := &reverseproxy.Service{
-			Auth: reverseproxy.AuthConfig{
-				PinAuth: &reverseproxy.PINAuthConfig{
-					Enabled: true,
-					Pin:     "",
-				},
-			},
-		}
-
-		mgr.preserveExistingAuthSecrets(updated, existing)
-
-		assert.Equal(t, existing.Auth.PinAuth, updated.Auth.PinAuth)
-	})
-
-	t.Run("do not preserve when password is provided", func(t *testing.T) {
-		existing := &reverseproxy.Service{
-			Auth: reverseproxy.AuthConfig{
-				PasswordAuth: &reverseproxy.PasswordAuthConfig{
-					Enabled:  true,
-					Password: "old-password",
-				},
-			},
-		}
-
-		updated := &reverseproxy.Service{
-			Auth: reverseproxy.AuthConfig{
-				PasswordAuth: &reverseproxy.PasswordAuthConfig{
-					Enabled:  true,
-					Password: "new-password",
-				},
-			},
-		}
-
-		mgr.preserveExistingAuthSecrets(updated, existing)
-
-		assert.Equal(t, "new-password", updated.Auth.PasswordAuth.Password)
-		assert.NotEqual(t, existing.Auth.PasswordAuth, updated.Auth.PasswordAuth)
-	})
-}
-
-func TestPreserveServiceMetadata(t *testing.T) {
-	mgr := &managerImpl{}
-
-	existing := &reverseproxy.Service{
-		Meta: reverseproxy.ServiceMeta{
-			CertificateIssuedAt: time.Now(),
-			Status:              "active",
-		},
-		SessionPrivateKey: "private-key",
-		SessionPublicKey:  "public-key",
-	}
-
-	updated := &reverseproxy.Service{
-		Domain: "updated.com",
-	}
-
-	mgr.preserveServiceMetadata(updated, existing)
-
-	assert.Equal(t, existing.Meta, updated.Meta)
-	assert.Equal(t, existing.SessionPrivateKey, updated.SessionPrivateKey)
-	assert.Equal(t, existing.SessionPublicKey, updated.SessionPublicKey)
-}

management/internals/modules/reverseproxy/reverseproxy.go

@@ -2,18 +2,15 @@ package reverseproxy
 
 import (
 	"errors"
-	"fmt"
 	"net"
 	"net/url"
 	"strconv"
 	"time"
 
+	"github.com/netbirdio/netbird/util/crypt"
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/shared/hash/argon2id"
-	"github.com/netbirdio/netbird/util/crypt"
-
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/proto"
 )
@@ -36,23 +33,18 @@ const (
 	StatusCertificateFailed  ProxyStatus = "certificate_failed"
 	StatusError              ProxyStatus = "error"
 
-	TargetTypePeer   = "peer"
-	TargetTypeHost   = "host"
-	TargetTypeDomain = "domain"
-	TargetTypeSubnet = "subnet"
+	TargetTypePeer     = "peer"
+	TargetTypeResource = "resource"
 )
 
 type Target struct {
-	ID         uint    `gorm:"primaryKey" json:"-"`
-	AccountID  string  `gorm:"index:idx_target_account;not null" json:"-"`
-	ServiceID  string  `gorm:"index:idx_service_targets;not null" json:"-"`
 	Path       *string `json:"path,omitempty"`
-	Host       string  `json:"host"` // the Host field is only used for subnet targets, otherwise ignored
-	Port       int     `gorm:"index:idx_target_port" json:"port"`
-	Protocol   string  `gorm:"index:idx_target_protocol" json:"protocol"`
-	TargetId   string  `gorm:"index:idx_target_id" json:"target_id"`
-	TargetType string  `gorm:"index:idx_target_type" json:"target_type"`
-	Enabled    bool    `gorm:"index:idx_target_enabled" json:"enabled"`
+	Host       string  `json:"host"`
+	Port       int     `json:"port"`
+	Protocol   string  `json:"protocol"`
+	TargetId   string  `json:"target_id"`
+	TargetType string  `json:"target_type"`
+	Enabled    bool    `json:"enabled"`
 }
 
 type PasswordAuthConfig struct {
@@ -76,35 +68,6 @@ type AuthConfig struct {
 	BearerAuth   *BearerAuthConfig   `json:"bearer_auth,omitempty" gorm:"serializer:json"`
 }
 
-func (a *AuthConfig) HashSecrets() error {
-	if a.PasswordAuth != nil && a.PasswordAuth.Enabled && a.PasswordAuth.Password != "" {
-		hashedPassword, err := argon2id.Hash(a.PasswordAuth.Password)
-		if err != nil {
-			return fmt.Errorf("hash password: %w", err)
-		}
-		a.PasswordAuth.Password = hashedPassword
-	}
-
-	if a.PinAuth != nil && a.PinAuth.Enabled && a.PinAuth.Pin != "" {
-		hashedPin, err := argon2id.Hash(a.PinAuth.Pin)
-		if err != nil {
-			return fmt.Errorf("hash pin: %w", err)
-		}
-		a.PinAuth.Pin = hashedPin
-	}
-
-	return nil
-}
-
-func (a *AuthConfig) ClearSecrets() {
-	if a.PasswordAuth != nil {
-		a.PasswordAuth.Password = ""
-	}
-	if a.PinAuth != nil {
-		a.PinAuth.Pin = ""
-	}
-}
-
 type OIDCValidationConfig struct {
 	Issuer             string
 	Audiences          []string
@@ -112,147 +75,127 @@ type OIDCValidationConfig struct {
 	MaxTokenAgeSeconds int64
 }
 
-type ServiceMeta struct {
+type ReverseProxyMeta struct {
 	CreatedAt           time.Time
 	CertificateIssuedAt time.Time
 	Status              string
 }
 
-type Service struct {
+type ReverseProxy struct {
 	ID                string `gorm:"primaryKey"`
 	AccountID         string `gorm:"index"`
 	Name              string
-	Domain            string    `gorm:"index"`
-	ProxyCluster      string    `gorm:"index"`
-	Targets           []*Target `gorm:"foreignKey:ServiceID;constraint:OnDelete:CASCADE"`
+	Domain            string   `gorm:"index"`
+	ProxyCluster      string   `gorm:"index"`
+	Targets           []Target `gorm:"serializer:json"`
 	Enabled           bool
-	PassHostHeader    bool
-	RewriteRedirects  bool
-	Auth              AuthConfig  `gorm:"serializer:json"`
-	Meta              ServiceMeta `gorm:"embedded;embeddedPrefix:meta_"`
-	SessionPrivateKey string      `gorm:"column:session_private_key"`
-	SessionPublicKey  string      `gorm:"column:session_public_key"`
+	Auth              AuthConfig       `gorm:"serializer:json"`
+	Meta              ReverseProxyMeta `gorm:"embedded;embeddedPrefix:meta_"`
+	SessionPrivateKey string           `gorm:"column:session_private_key"`
+	SessionPublicKey  string           `gorm:"column:session_public_key"`
 }
 
-func NewService(accountID, name, domain, proxyCluster string, targets []*Target, enabled bool) *Service {
-	for _, target := range targets {
-		target.AccountID = accountID
-	}
-
-	s := &Service{
+func NewReverseProxy(accountID, name, domain, proxyCluster string, targets []Target, enabled bool) *ReverseProxy {
+	return &ReverseProxy{
+		ID:           xid.New().String(),
 		AccountID:    accountID,
 		Name:         name,
 		Domain:       domain,
 		ProxyCluster: proxyCluster,
 		Targets:      targets,
 		Enabled:      enabled,
-	}
-	s.InitNewRecord()
-	return s
-}
-
-// InitNewRecord generates a new unique ID and resets metadata for a newly created
-// Service record. This overwrites any existing ID and Meta fields and should
-// only be called during initial creation, not for updates.
-func (s *Service) InitNewRecord() {
-	s.ID = xid.New().String()
-	s.Meta = ServiceMeta{
-		CreatedAt: time.Now(),
-		Status:    string(StatusPending),
+		Meta: ReverseProxyMeta{
+			CreatedAt: time.Now(),
+			Status:    string(StatusPending),
+		},
 	}
 }
 
-func (s *Service) ToAPIResponse() *api.Service {
-	s.Auth.ClearSecrets()
+func (r *ReverseProxy) ToAPIResponse() *api.ReverseProxy {
+	authConfig := api.ReverseProxyAuthConfig{}
 
-	authConfig := api.ServiceAuthConfig{}
-
-	if s.Auth.PasswordAuth != nil {
+	if r.Auth.PasswordAuth != nil {
 		authConfig.PasswordAuth = &api.PasswordAuthConfig{
-			Enabled:  s.Auth.PasswordAuth.Enabled,
-			Password: s.Auth.PasswordAuth.Password,
+			Enabled:  r.Auth.PasswordAuth.Enabled,
+			Password: r.Auth.PasswordAuth.Password,
 		}
 	}
 
-	if s.Auth.PinAuth != nil {
+	if r.Auth.PinAuth != nil {
 		authConfig.PinAuth = &api.PINAuthConfig{
-			Enabled: s.Auth.PinAuth.Enabled,
-			Pin:     s.Auth.PinAuth.Pin,
+			Enabled: r.Auth.PinAuth.Enabled,
+			Pin:     r.Auth.PinAuth.Pin,
 		}
 	}
 
-	if s.Auth.BearerAuth != nil {
+	if r.Auth.BearerAuth != nil {
 		authConfig.BearerAuth = &api.BearerAuthConfig{
-			Enabled:            s.Auth.BearerAuth.Enabled,
-			DistributionGroups: &s.Auth.BearerAuth.DistributionGroups,
+			Enabled:            r.Auth.BearerAuth.Enabled,
+			DistributionGroups: &r.Auth.BearerAuth.DistributionGroups,
 		}
 	}
 
 	// Convert internal targets to API targets
-	apiTargets := make([]api.ServiceTarget, 0, len(s.Targets))
-	for _, target := range s.Targets {
-		apiTargets = append(apiTargets, api.ServiceTarget{
+	apiTargets := make([]api.ReverseProxyTarget, 0, len(r.Targets))
+	for _, target := range r.Targets {
+		apiTargets = append(apiTargets, api.ReverseProxyTarget{
 			Path:       target.Path,
-			Host:       &target.Host,
+			Host:       target.Host,
 			Port:       target.Port,
-			Protocol:   api.ServiceTargetProtocol(target.Protocol),
+			Protocol:   api.ReverseProxyTargetProtocol(target.Protocol),
 			TargetId:   target.TargetId,
-			TargetType: api.ServiceTargetTargetType(target.TargetType),
+			TargetType: api.ReverseProxyTargetTargetType(target.TargetType),
 			Enabled:    target.Enabled,
 		})
 	}
 
-	meta := api.ServiceMeta{
-		CreatedAt: s.Meta.CreatedAt,
-		Status:    api.ServiceMetaStatus(s.Meta.Status),
+	meta := api.ReverseProxyMeta{
+		CreatedAt: r.Meta.CreatedAt,
+		Status:    api.ReverseProxyMetaStatus(r.Meta.Status),
 	}
 
-	if !s.Meta.CertificateIssuedAt.IsZero() {
-		meta.CertificateIssuedAt = &s.Meta.CertificateIssuedAt
+	if !r.Meta.CertificateIssuedAt.IsZero() {
+		meta.CertificateIssuedAt = &r.Meta.CertificateIssuedAt
 	}
 
-	resp := &api.Service{
-		Id:               s.ID,
-		Name:             s.Name,
-		Domain:           s.Domain,
-		Targets:          apiTargets,
-		Enabled:          s.Enabled,
-		PassHostHeader:   &s.PassHostHeader,
-		RewriteRedirects: &s.RewriteRedirects,
-		Auth:             authConfig,
-		Meta:             meta,
+	resp := &api.ReverseProxy{
+		Id:      r.ID,
+		Name:    r.Name,
+		Domain:  r.Domain,
+		Targets: apiTargets,
+		Enabled: r.Enabled,
+		Auth:    authConfig,
+		Meta:    meta,
 	}
 
-	if s.ProxyCluster != "" {
-		resp.ProxyCluster = &s.ProxyCluster
+	if r.ProxyCluster != "" {
+		resp.ProxyCluster = &r.ProxyCluster
 	}
 
 	return resp
 }
 
-func (s *Service) ToProtoMapping(operation Operation, authToken string, oidcConfig OIDCValidationConfig) *proto.ProxyMapping {
-	pathMappings := make([]*proto.PathMapping, 0, len(s.Targets))
-	for _, target := range s.Targets {
+func (r *ReverseProxy) ToProtoMapping(operation Operation, authToken string, oidcConfig OIDCValidationConfig) *proto.ProxyMapping {
+	pathMappings := make([]*proto.PathMapping, 0, len(r.Targets))
+	for _, target := range r.Targets {
 		if !target.Enabled {
 			continue
 		}
 
-		// TODO: Make path prefix stripping configurable per-target.
-		// Currently the matching prefix is baked into the target URL path,
-		// so the proxy strips-then-re-adds it (effectively a no-op).
-		targetURL := url.URL{
-			Scheme: target.Protocol,
-			Host:   target.Host,
-			Path:   "/", // TODO: support service path
-		}
-		if target.Port > 0 && !isDefaultPort(target.Protocol, target.Port) {
-			targetURL.Host = net.JoinHostPort(targetURL.Host, strconv.Itoa(target.Port))
-		}
-
 		path := "/"
 		if target.Path != nil {
 			path = *target.Path
 		}
+
+		targetURL := url.URL{
+			Scheme: target.Protocol,
+			Host:   target.Host,
+			Path:   path,
+		}
+		if target.Port > 0 {
+			targetURL.Host = net.JoinHostPort(targetURL.Host, strconv.Itoa(target.Port))
+		}
+
 		pathMappings = append(pathMappings, &proto.PathMapping{
 			Path:   path,
 			Target: targetURL.String(),
@@ -260,32 +203,30 @@ func (s *Service) ToProtoMapping(operation Operation, authToken string, oidcConf
 	}
 
 	auth := &proto.Authentication{
-		SessionKey:           s.SessionPublicKey,
+		SessionKey:           r.SessionPublicKey,
 		MaxSessionAgeSeconds: int64((time.Hour * 24).Seconds()),
 	}
 
-	if s.Auth.PasswordAuth != nil && s.Auth.PasswordAuth.Enabled {
+	if r.Auth.PasswordAuth != nil && r.Auth.PasswordAuth.Enabled {
 		auth.Password = true
 	}
 
-	if s.Auth.PinAuth != nil && s.Auth.PinAuth.Enabled {
+	if r.Auth.PinAuth != nil && r.Auth.PinAuth.Enabled {
 		auth.Pin = true
 	}
 
-	if s.Auth.BearerAuth != nil && s.Auth.BearerAuth.Enabled {
+	if r.Auth.BearerAuth != nil && r.Auth.BearerAuth.Enabled {
 		auth.Oidc = true
 	}
 
 	return &proto.ProxyMapping{
-		Type:             operationToProtoType(operation),
-		Id:               s.ID,
-		Domain:           s.Domain,
-		Path:             pathMappings,
-		AuthToken:        authToken,
-		Auth:             auth,
-		AccountId:        s.AccountID,
-		PassHostHeader:   s.PassHostHeader,
-		RewriteRedirects: s.RewriteRedirects,
+		Type:      operationToProtoType(operation),
+		Id:        r.ID,
+		Domain:    r.Domain,
+		Path:      pathMappings,
+		AuthToken: authToken,
+		Auth:      auth,
+		AccountId: r.AccountID,
 	}
 }
 
@@ -303,54 +244,36 @@ func operationToProtoType(op Operation) proto.ProxyMappingUpdateType {
 	}
 }
 
-// isDefaultPort reports whether port is the standard default for the given scheme
-// (443 for https, 80 for http).
-func isDefaultPort(scheme string, port int) bool {
-	return (scheme == "https" && port == 443) || (scheme == "http" && port == 80)
-}
+func (r *ReverseProxy) FromAPIRequest(req *api.ReverseProxyRequest, accountID string) {
+	r.Name = req.Name
+	r.Domain = req.Domain
+	r.AccountID = accountID
 
-func (s *Service) FromAPIRequest(req *api.ServiceRequest, accountID string) {
-	s.Name = req.Name
-	s.Domain = req.Domain
-	s.AccountID = accountID
-
-	targets := make([]*Target, 0, len(req.Targets))
+	targets := make([]Target, 0, len(req.Targets))
 	for _, apiTarget := range req.Targets {
-		target := &Target{
-			AccountID:  accountID,
+		targets = append(targets, Target{
 			Path:       apiTarget.Path,
+			Host:       apiTarget.Host,
 			Port:       apiTarget.Port,
 			Protocol:   string(apiTarget.Protocol),
 			TargetId:   apiTarget.TargetId,
 			TargetType: string(apiTarget.TargetType),
 			Enabled:    apiTarget.Enabled,
-		}
-		if apiTarget.Host != nil {
-			target.Host = *apiTarget.Host
-		}
-		targets = append(targets, target)
+		})
 	}
-	s.Targets = targets
+	r.Targets = targets
 
-	s.Enabled = req.Enabled
-
-	if req.PassHostHeader != nil {
-		s.PassHostHeader = *req.PassHostHeader
-	}
-
-	if req.RewriteRedirects != nil {
-		s.RewriteRedirects = *req.RewriteRedirects
-	}
+	r.Enabled = req.Enabled
 
 	if req.Auth.PasswordAuth != nil {
-		s.Auth.PasswordAuth = &PasswordAuthConfig{
+		r.Auth.PasswordAuth = &PasswordAuthConfig{
 			Enabled:  req.Auth.PasswordAuth.Enabled,
 			Password: req.Auth.PasswordAuth.Password,
 		}
 	}
 
 	if req.Auth.PinAuth != nil {
-		s.Auth.PinAuth = &PINAuthConfig{
+		r.Auth.PinAuth = &PINAuthConfig{
 			Enabled: req.Auth.PinAuth.Enabled,
 			Pin:     req.Auth.PinAuth.Pin,
 		}
@@ -363,81 +286,60 @@ func (s *Service) FromAPIRequest(req *api.ServiceRequest, accountID string) {
 		if req.Auth.BearerAuth.DistributionGroups != nil {
 			bearerAuth.DistributionGroups = *req.Auth.BearerAuth.DistributionGroups
 		}
-		s.Auth.BearerAuth = bearerAuth
+		r.Auth.BearerAuth = bearerAuth
 	}
 }
 
-func (s *Service) Validate() error {
-	if s.Name == "" {
-		return errors.New("service name is required")
+func (r *ReverseProxy) Validate() error {
+	if r.Name == "" {
+		return errors.New("reverse proxy name is required")
 	}
-	if len(s.Name) > 255 {
-		return errors.New("service name exceeds maximum length of 255 characters")
+	if len(r.Name) > 255 {
+		return errors.New("reverse proxy name exceeds maximum length of 255 characters")
 	}
 
-	if s.Domain == "" {
-		return errors.New("service domain is required")
+	if r.Domain == "" {
+		return errors.New("reverse proxy domain is required")
 	}
 
-	if len(s.Targets) == 0 {
+	if len(r.Targets) == 0 {
 		return errors.New("at least one target is required")
 	}
 
-	for i, target := range s.Targets {
-		switch target.TargetType {
-		case TargetTypePeer, TargetTypeHost, TargetTypeDomain:
-			// host field will be ignored
-		case TargetTypeSubnet:
-			if target.Host == "" {
-				return fmt.Errorf("target %d has empty host but target_type is %q", i, target.TargetType)
-			}
-		default:
-			return fmt.Errorf("target %d has invalid target_type %q", i, target.TargetType)
-		}
-		if target.TargetId == "" {
-			return fmt.Errorf("target %d has empty target_id", i)
-		}
-	}
-
 	return nil
 }
 
-func (s *Service) EventMeta() map[string]any {
-	return map[string]any{"name": s.Name, "domain": s.Domain, "proxy_cluster": s.ProxyCluster}
+func (r *ReverseProxy) EventMeta() map[string]any {
+	return map[string]any{"name": r.Name, "domain": r.Domain, "proxy_cluster": r.ProxyCluster}
 }
 
-func (s *Service) Copy() *Service {
-	targets := make([]*Target, len(s.Targets))
-	for i, target := range s.Targets {
-		targetCopy := *target
-		targets[i] = &targetCopy
-	}
+func (r *ReverseProxy) Copy() *ReverseProxy {
+	targets := make([]Target, len(r.Targets))
+	copy(targets, r.Targets)
 
-	return &Service{
-		ID:                s.ID,
-		AccountID:         s.AccountID,
-		Name:              s.Name,
-		Domain:            s.Domain,
-		ProxyCluster:      s.ProxyCluster,
+	return &ReverseProxy{
+		ID:                r.ID,
+		AccountID:         r.AccountID,
+		Name:              r.Name,
+		Domain:            r.Domain,
+		ProxyCluster:      r.ProxyCluster,
 		Targets:           targets,
-		Enabled:           s.Enabled,
-		PassHostHeader:    s.PassHostHeader,
-		RewriteRedirects:  s.RewriteRedirects,
-		Auth:              s.Auth,
-		Meta:              s.Meta,
-		SessionPrivateKey: s.SessionPrivateKey,
-		SessionPublicKey:  s.SessionPublicKey,
+		Enabled:           r.Enabled,
+		Auth:              r.Auth,
+		Meta:              r.Meta,
+		SessionPrivateKey: r.SessionPrivateKey,
+		SessionPublicKey:  r.SessionPublicKey,
 	}
 }
 
-func (s *Service) EncryptSensitiveData(enc *crypt.FieldEncrypt) error {
+func (r *ReverseProxy) EncryptSensitiveData(enc *crypt.FieldEncrypt) error {
 	if enc == nil {
 		return nil
 	}
 
-	if s.SessionPrivateKey != "" {
+	if r.SessionPrivateKey != "" {
 		var err error
-		s.SessionPrivateKey, err = enc.Encrypt(s.SessionPrivateKey)
+		r.SessionPrivateKey, err = enc.Encrypt(r.SessionPrivateKey)
 		if err != nil {
 			return err
 		}
@@ -446,14 +348,14 @@ func (s *Service) EncryptSensitiveData(enc *crypt.FieldEncrypt) error {
 	return nil
 }
 
-func (s *Service) DecryptSensitiveData(enc *crypt.FieldEncrypt) error {
+func (r *ReverseProxy) DecryptSensitiveData(enc *crypt.FieldEncrypt) error {
 	if enc == nil {
 		return nil
 	}
 
-	if s.SessionPrivateKey != "" {
+	if r.SessionPrivateKey != "" {
 		var err error
-		s.SessionPrivateKey, err = enc.Decrypt(s.SessionPrivateKey)
+		r.SessionPrivateKey, err = enc.Decrypt(r.SessionPrivateKey)
 		if err != nil {
 			return err
 		}

management/internals/modules/reverseproxy/reverseproxy_test.go

@@ -1,405 +0,0 @@
-package reverseproxy
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/shared/hash/argon2id"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-func validProxy() *Service {
-	return &Service{
-		Name:   "test",
-		Domain: "example.com",
-		Targets: []*Target{
-			{TargetId: "peer-1", TargetType: TargetTypePeer, Host: "10.0.0.1", Port: 80, Protocol: "http", Enabled: true},
-		},
-	}
-}
-
-func TestValidate_Valid(t *testing.T) {
-	require.NoError(t, validProxy().Validate())
-}
-
-func TestValidate_EmptyName(t *testing.T) {
-	rp := validProxy()
-	rp.Name = ""
-	assert.ErrorContains(t, rp.Validate(), "name is required")
-}
-
-func TestValidate_EmptyDomain(t *testing.T) {
-	rp := validProxy()
-	rp.Domain = ""
-	assert.ErrorContains(t, rp.Validate(), "domain is required")
-}
-
-func TestValidate_NoTargets(t *testing.T) {
-	rp := validProxy()
-	rp.Targets = nil
-	assert.ErrorContains(t, rp.Validate(), "at least one target")
-}
-
-func TestValidate_EmptyTargetId(t *testing.T) {
-	rp := validProxy()
-	rp.Targets[0].TargetId = ""
-	assert.ErrorContains(t, rp.Validate(), "empty target_id")
-}
-
-func TestValidate_InvalidTargetType(t *testing.T) {
-	rp := validProxy()
-	rp.Targets[0].TargetType = "invalid"
-	assert.ErrorContains(t, rp.Validate(), "invalid target_type")
-}
-
-func TestValidate_ResourceTarget(t *testing.T) {
-	rp := validProxy()
-	rp.Targets = append(rp.Targets, &Target{
-		TargetId:   "resource-1",
-		TargetType: TargetTypeHost,
-		Host:       "example.org",
-		Port:       443,
-		Protocol:   "https",
-		Enabled:    true,
-	})
-	require.NoError(t, rp.Validate())
-}
-
-func TestValidate_MultipleTargetsOneInvalid(t *testing.T) {
-	rp := validProxy()
-	rp.Targets = append(rp.Targets, &Target{
-		TargetId:   "",
-		TargetType: TargetTypePeer,
-		Host:       "10.0.0.2",
-		Port:       80,
-		Protocol:   "http",
-		Enabled:    true,
-	})
-	err := rp.Validate()
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "target 1")
-	assert.Contains(t, err.Error(), "empty target_id")
-}
-
-func TestIsDefaultPort(t *testing.T) {
-	tests := []struct {
-		scheme string
-		port   int
-		want   bool
-	}{
-		{"http", 80, true},
-		{"https", 443, true},
-		{"http", 443, false},
-		{"https", 80, false},
-		{"http", 8080, false},
-		{"https", 8443, false},
-		{"http", 0, false},
-		{"https", 0, false},
-	}
-	for _, tt := range tests {
-		t.Run(fmt.Sprintf("%s/%d", tt.scheme, tt.port), func(t *testing.T) {
-			assert.Equal(t, tt.want, isDefaultPort(tt.scheme, tt.port))
-		})
-	}
-}
-
-func TestToProtoMapping_PortInTargetURL(t *testing.T) {
-	oidcConfig := OIDCValidationConfig{}
-
-	tests := []struct {
-		name       string
-		protocol   string
-		host       string
-		port       int
-		wantTarget string
-	}{
-		{
-			name:       "http with default port 80 omits port",
-			protocol:   "http",
-			host:       "10.0.0.1",
-			port:       80,
-			wantTarget: "http://10.0.0.1/",
-		},
-		{
-			name:       "https with default port 443 omits port",
-			protocol:   "https",
-			host:       "10.0.0.1",
-			port:       443,
-			wantTarget: "https://10.0.0.1/",
-		},
-		{
-			name:       "port 0 omits port",
-			protocol:   "http",
-			host:       "10.0.0.1",
-			port:       0,
-			wantTarget: "http://10.0.0.1/",
-		},
-		{
-			name:       "non-default port is included",
-			protocol:   "http",
-			host:       "10.0.0.1",
-			port:       8080,
-			wantTarget: "http://10.0.0.1:8080/",
-		},
-		{
-			name:       "https with non-default port is included",
-			protocol:   "https",
-			host:       "10.0.0.1",
-			port:       8443,
-			wantTarget: "https://10.0.0.1:8443/",
-		},
-		{
-			name:       "http port 443 is included",
-			protocol:   "http",
-			host:       "10.0.0.1",
-			port:       443,
-			wantTarget: "http://10.0.0.1:443/",
-		},
-		{
-			name:       "https port 80 is included",
-			protocol:   "https",
-			host:       "10.0.0.1",
-			port:       80,
-			wantTarget: "https://10.0.0.1:80/",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			rp := &Service{
-				ID:        "test-id",
-				AccountID: "acc-1",
-				Domain:    "example.com",
-				Targets: []*Target{
-					{
-						TargetId:   "peer-1",
-						TargetType: TargetTypePeer,
-						Host:       tt.host,
-						Port:       tt.port,
-						Protocol:   tt.protocol,
-						Enabled:    true,
-					},
-				},
-			}
-			pm := rp.ToProtoMapping(Create, "token", oidcConfig)
-			require.Len(t, pm.Path, 1, "should have one path mapping")
-			assert.Equal(t, tt.wantTarget, pm.Path[0].Target)
-		})
-	}
-}
-
-func TestToProtoMapping_DisabledTargetSkipped(t *testing.T) {
-	rp := &Service{
-		ID:        "test-id",
-		AccountID: "acc-1",
-		Domain:    "example.com",
-		Targets: []*Target{
-			{TargetId: "peer-1", TargetType: TargetTypePeer, Host: "10.0.0.1", Port: 8080, Protocol: "http", Enabled: false},
-			{TargetId: "peer-2", TargetType: TargetTypePeer, Host: "10.0.0.2", Port: 9090, Protocol: "http", Enabled: true},
-		},
-	}
-	pm := rp.ToProtoMapping(Create, "token", OIDCValidationConfig{})
-	require.Len(t, pm.Path, 1)
-	assert.Equal(t, "http://10.0.0.2:9090/", pm.Path[0].Target)
-}
-
-func TestToProtoMapping_OperationTypes(t *testing.T) {
-	rp := validProxy()
-	tests := []struct {
-		op   Operation
-		want proto.ProxyMappingUpdateType
-	}{
-		{Create, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED},
-		{Update, proto.ProxyMappingUpdateType_UPDATE_TYPE_MODIFIED},
-		{Delete, proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED},
-	}
-	for _, tt := range tests {
-		t.Run(string(tt.op), func(t *testing.T) {
-			pm := rp.ToProtoMapping(tt.op, "", OIDCValidationConfig{})
-			assert.Equal(t, tt.want, pm.Type)
-		})
-	}
-}
-
-func TestAuthConfig_HashSecrets(t *testing.T) {
-	tests := []struct {
-		name     string
-		config   *AuthConfig
-		wantErr  bool
-		validate func(*testing.T, *AuthConfig)
-	}{
-		{
-			name: "hash password successfully",
-			config: &AuthConfig{
-				PasswordAuth: &PasswordAuthConfig{
-					Enabled:  true,
-					Password: "testPassword123",
-				},
-			},
-			wantErr: false,
-			validate: func(t *testing.T, config *AuthConfig) {
-				if !strings.HasPrefix(config.PasswordAuth.Password, "$argon2id$") {
-					t.Errorf("Password not hashed with argon2id, got: %s", config.PasswordAuth.Password)
-				}
-				// Verify the hash can be verified
-				if err := argon2id.Verify("testPassword123", config.PasswordAuth.Password); err != nil {
-					t.Errorf("Hash verification failed: %v", err)
-				}
-			},
-		},
-		{
-			name: "hash PIN successfully",
-			config: &AuthConfig{
-				PinAuth: &PINAuthConfig{
-					Enabled: true,
-					Pin:     "123456",
-				},
-			},
-			wantErr: false,
-			validate: func(t *testing.T, config *AuthConfig) {
-				if !strings.HasPrefix(config.PinAuth.Pin, "$argon2id$") {
-					t.Errorf("PIN not hashed with argon2id, got: %s", config.PinAuth.Pin)
-				}
-				// Verify the hash can be verified
-				if err := argon2id.Verify("123456", config.PinAuth.Pin); err != nil {
-					t.Errorf("Hash verification failed: %v", err)
-				}
-			},
-		},
-		{
-			name: "hash both password and PIN",
-			config: &AuthConfig{
-				PasswordAuth: &PasswordAuthConfig{
-					Enabled:  true,
-					Password: "password",
-				},
-				PinAuth: &PINAuthConfig{
-					Enabled: true,
-					Pin:     "9999",
-				},
-			},
-			wantErr: false,
-			validate: func(t *testing.T, config *AuthConfig) {
-				if !strings.HasPrefix(config.PasswordAuth.Password, "$argon2id$") {
-					t.Errorf("Password not hashed with argon2id")
-				}
-				if !strings.HasPrefix(config.PinAuth.Pin, "$argon2id$") {
-					t.Errorf("PIN not hashed with argon2id")
-				}
-				if err := argon2id.Verify("password", config.PasswordAuth.Password); err != nil {
-					t.Errorf("Password hash verification failed: %v", err)
-				}
-				if err := argon2id.Verify("9999", config.PinAuth.Pin); err != nil {
-					t.Errorf("PIN hash verification failed: %v", err)
-				}
-			},
-		},
-		{
-			name: "skip disabled password auth",
-			config: &AuthConfig{
-				PasswordAuth: &PasswordAuthConfig{
-					Enabled:  false,
-					Password: "password",
-				},
-			},
-			wantErr: false,
-			validate: func(t *testing.T, config *AuthConfig) {
-				if config.PasswordAuth.Password != "password" {
-					t.Errorf("Disabled password auth should not be hashed")
-				}
-			},
-		},
-		{
-			name: "skip empty password",
-			config: &AuthConfig{
-				PasswordAuth: &PasswordAuthConfig{
-					Enabled:  true,
-					Password: "",
-				},
-			},
-			wantErr: false,
-			validate: func(t *testing.T, config *AuthConfig) {
-				if config.PasswordAuth.Password != "" {
-					t.Errorf("Empty password should remain empty")
-				}
-			},
-		},
-		{
-			name: "skip nil password auth",
-			config: &AuthConfig{
-				PasswordAuth: nil,
-				PinAuth: &PINAuthConfig{
-					Enabled: true,
-					Pin:     "1234",
-				},
-			},
-			wantErr: false,
-			validate: func(t *testing.T, config *AuthConfig) {
-				if config.PasswordAuth != nil {
-					t.Errorf("PasswordAuth should remain nil")
-				}
-				if !strings.HasPrefix(config.PinAuth.Pin, "$argon2id$") {
-					t.Errorf("PIN should still be hashed")
-				}
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := tt.config.HashSecrets()
-			if (err != nil) != tt.wantErr {
-				t.Errorf("HashSecrets() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if tt.validate != nil {
-				tt.validate(t, tt.config)
-			}
-		})
-	}
-}
-
-func TestAuthConfig_HashSecrets_VerifyIncorrectSecret(t *testing.T) {
-	config := &AuthConfig{
-		PasswordAuth: &PasswordAuthConfig{
-			Enabled:  true,
-			Password: "correctPassword",
-		},
-	}
-
-	if err := config.HashSecrets(); err != nil {
-		t.Fatalf("HashSecrets() error = %v", err)
-	}
-
-	// Verify with wrong password should fail
-	err := argon2id.Verify("wrongPassword", config.PasswordAuth.Password)
-	if !errors.Is(err, argon2id.ErrMismatchedHashAndPassword) {
-		t.Errorf("Expected ErrMismatchedHashAndPassword, got %v", err)
-	}
-}
-
-func TestAuthConfig_ClearSecrets(t *testing.T) {
-	config := &AuthConfig{
-		PasswordAuth: &PasswordAuthConfig{
-			Enabled:  true,
-			Password: "hashedPassword",
-		},
-		PinAuth: &PINAuthConfig{
-			Enabled: true,
-			Pin:     "hashedPin",
-		},
-	}
-
-	config.ClearSecrets()
-
-	if config.PasswordAuth.Password != "" {
-		t.Errorf("Password not cleared, got: %s", config.PasswordAuth.Password)
-	}
-	if config.PinAuth.Pin != "" {
-		t.Errorf("PIN not cleared, got: %s", config.PinAuth.Pin)
-	}
-}

management/internals/server/boot.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/netip"
 	"slices"
+	"strings"
 	"time"
 
 	grpcMiddleware "github.com/grpc-ecosystem/go-grpc-middleware/v2"
@@ -94,7 +95,7 @@ func (s *BaseServer) EventStore() activity.Store {
 
 func (s *BaseServer) APIHandler() http.Handler {
 	return Create(s, func() http.Handler {
-		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ReverseProxyManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies)
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ReverseProxyManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer())
 		if err != nil {
 			log.Fatalf("failed to create API handler: %v", err)
 		}
@@ -122,13 +123,11 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
 			realip.WithTrustedProxiesCount(trustedProxiesCount),
 			realip.WithHeaders([]string{realip.XForwardedFor, realip.XRealIp}),
 		}
-		proxyUnary, proxyStream, proxyAuthClose := nbgrpc.NewProxyAuthInterceptors(s.Store())
-		s.proxyAuthClose = proxyAuthClose
 		gRPCOpts := []grpc.ServerOption{
 			grpc.KeepaliveEnforcementPolicy(kaep),
 			grpc.KeepaliveParams(kasp),
-			grpc.ChainUnaryInterceptor(realip.UnaryServerInterceptorOpts(realipOpts...), unaryInterceptor, proxyUnary),
-			grpc.ChainStreamInterceptor(realip.StreamServerInterceptorOpts(realipOpts...), streamInterceptor, proxyStream),
+			grpc.ChainUnaryInterceptor(realip.UnaryServerInterceptorOpts(realipOpts...), unaryInterceptor),
+			grpc.ChainStreamInterceptor(realip.StreamServerInterceptorOpts(realipOpts...), streamInterceptor),
 		}
 
 		if s.Config.HttpConfig.LetsEncryptDomain != "" {
@@ -163,7 +162,7 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
 
 func (s *BaseServer) ReverseProxyGRPCServer() *nbgrpc.ProxyServiceServer {
 	return Create(s, func() *nbgrpc.ProxyServiceServer {
-		proxyService := nbgrpc.NewProxyServiceServer(s.AccessLogsManager(), s.ProxyTokenStore(), s.proxyOIDCConfig(), s.PeersManager(), s.UsersManager())
+		proxyService := nbgrpc.NewProxyServiceServer(s.Store(), s.AccessLogsManager(), s.ProxyTokenStore(), s.proxyOIDCConfig(), s.PeersManager())
 		s.AfterInit(func(s *BaseServer) {
 			proxyService.SetProxyManager(s.ReverseProxyManager())
 		})
@@ -173,12 +172,18 @@ func (s *BaseServer) ReverseProxyGRPCServer() *nbgrpc.ProxyServiceServer {
 
 func (s *BaseServer) proxyOIDCConfig() nbgrpc.ProxyOIDCConfig {
 	return Create(s, func() nbgrpc.ProxyOIDCConfig {
+		// TODO: this is weird, double check
+		// Build callback URL - this should be the management server's callback endpoint
+		// For embedded IdP, derive from issuer. For external, use a configured value or derive from issuer.
+		// The callback URL should be registered in the IdP's allowed redirect URIs for the dashboard client.
+		callbackURL := strings.TrimSuffix(s.Config.HttpConfig.AuthIssuer, "/oauth2")
+		callbackURL = callbackURL + "/api/oauth/callback"
+
 		return nbgrpc.ProxyOIDCConfig{
-			Issuer: s.Config.HttpConfig.AuthIssuer,
-			// todo: double check auth clientID value
-			ClientID:     s.Config.HttpConfig.AuthClientID, // Reuse dashboard client
+			Issuer:       s.Config.HttpConfig.AuthIssuer,
+			ClientID:     "netbird-dashboard", // Reuse dashboard client
 			Scopes:       []string{"openid", "profile", "email"},
-			CallbackURL:  s.Config.HttpConfig.AuthCallbackURL,
+			CallbackURL:  callbackURL,
 			HMACKey:      []byte(s.Config.DataStoreEncryptionKey), // Use the datastore encryption key for OIDC state HMACs, this should ensure all management instances are using the same key.
 			Audience:     s.Config.HttpConfig.AuthAudience,
 			KeysLocation: s.Config.HttpConfig.AuthKeysLocation,

management/internals/server/config/config.go

@@ -100,8 +100,6 @@ type HttpServerConfig struct {
 	CertFile string
 	// CertKey is the location of the certificate private key
 	CertKey string
-	// AuthClientID is the client id used for proxy SSO auth
-	AuthClientID string
 	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)
 	AuthAudience string
 	// CLIAuthAudience identifies the client app recipients that the JWT is intended for (aud in JWT)
@@ -119,8 +117,6 @@ type HttpServerConfig struct {
 	IdpSignKeyRefreshEnabled bool
 	// Extra audience
 	ExtraAuthAudience string
-	// AuthCallbackDomain contains the callback domain
-	AuthCallbackURL string
 }
 
 // Host represents a Netbird host (e.g. STUN, TURN, Signal)