Debug received local records

.github/workflows/golang-test-linux.yml

@@ -223,10 +223,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Install dependencies
-        if: steps.cache.outputs.cache-hit != 'true'
-        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
-
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -273,10 +269,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Install dependencies
-        if: steps.cache.outputs.cache-hit != 'true'
-        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
-
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV

.github/workflows/golangci-lint.yml

@@ -21,6 +21,7 @@ jobs:
         with:
           ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe
           skip: go.mod,go.sum
+          only_warn: 1
   golangci:
     strategy:
       fail-fast: false

.github/workflows/release.yml

@@ -65,13 +65,6 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_TOKEN }}
-      - name: Log in to the GitHub container registry
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.CI_DOCKER_PUSH_GITHUB_TOKEN }}
       - name: Install OS build dependencies
         run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
 

.github/workflows/test-infrastructure-files.yml

@@ -172,11 +172,11 @@ jobs:
           grep "NETBIRD_STORE_ENGINE_MYSQL_DSN=$NETBIRD_STORE_ENGINE_MYSQL_DSN" docker-compose.yml
           grep NETBIRD_STORE_ENGINE_POSTGRES_DSN docker-compose.yml | egrep "$NETBIRD_STORE_ENGINE_POSTGRES_DSN"
           # check relay values
-          grep "NB_EXPOSED_ADDRESS=rels://$CI_NETBIRD_DOMAIN:33445" docker-compose.yml
+          grep "NB_EXPOSED_ADDRESS=$CI_NETBIRD_DOMAIN:33445" docker-compose.yml
           grep "NB_LISTEN_ADDRESS=:33445" docker-compose.yml
           grep '33445:33445' docker-compose.yml
           grep -A 10 'relay:' docker-compose.yml | egrep 'NB_AUTH_SECRET=.+$'
-          grep -A 7 Relay management.json | grep "rels://$CI_NETBIRD_DOMAIN:33445"
+          grep -A 7 Relay management.json | grep "rel://$CI_NETBIRD_DOMAIN:33445"
           grep -A 7 Relay management.json | egrep '"Secret": ".+"'
           grep DisablePromptLogin management.json | grep 'true'
           grep LoginFlag management.json | grep 0

.goreleaser.yaml

@@ -149,7 +149,6 @@ nfpms:
 dockers:
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
     ids:
       - netbird
     goarch: amd64
@@ -165,7 +164,6 @@ dockers:
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
     ids:
       - netbird
     goarch: arm64
@@ -177,11 +175,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
     ids:
       - netbird
     goarch: arm
@@ -194,12 +191,11 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
 
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-rootless-amd64
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
     ids:
       - netbird
     goarch: amd64
@@ -211,11 +207,9 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
     ids:
       - netbird
     goarch: arm64
@@ -227,11 +221,9 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-rootless-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
     ids:
       - netbird
     goarch: arm
@@ -244,12 +236,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
       - "--label=maintainer=dev@netbird.io"
 
   - image_templates:
       - netbirdio/relay:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
     ids:
       - netbird-relay
     goarch: amd64
@@ -261,11 +251,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/relay:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
     ids:
       - netbird-relay
     goarch: arm64
@@ -277,11 +266,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/relay:{{ .Version }}-arm
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
     ids:
       - netbird-relay
     goarch: arm
@@ -294,11 +282,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/signal:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
     ids:
       - netbird-signal
     goarch: amd64
@@ -310,11 +297,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/signal:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
     ids:
       - netbird-signal
     goarch: arm64
@@ -326,11 +312,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/signal:{{ .Version }}-arm
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
     ids:
       - netbird-signal
     goarch: arm
@@ -343,11 +328,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/management:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
     ids:
       - netbird-mgmt
     goarch: amd64
@@ -359,11 +343,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/management:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
     ids:
       - netbird-mgmt
     goarch: arm64
@@ -375,11 +358,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/management:{{ .Version }}-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm
     ids:
       - netbird-mgmt
     goarch: arm
@@ -392,11 +374,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/management:{{ .Version }}-debug-amd64
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
     ids:
       - netbird-mgmt
     goarch: amd64
@@ -408,11 +389,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/management:{{ .Version }}-debug-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
     ids:
       - netbird-mgmt
     goarch: arm64
@@ -424,12 +404,11 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
 
   - image_templates:
       - netbirdio/management:{{ .Version }}-debug-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
     ids:
       - netbird-mgmt
     goarch: arm
@@ -442,11 +421,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/upload:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
     ids:
       - netbird-upload
     goarch: amd64
@@ -458,11 +436,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/upload:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
     ids:
       - netbird-upload
     goarch: arm64
@@ -474,11 +451,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/upload:{{ .Version }}-arm
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
     ids:
       - netbird-upload
     goarch: arm
@@ -491,7 +467,7 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
 docker_manifests:
   - name_template: netbirdio/netbird:{{ .Version }}
@@ -570,84 +546,6 @@ docker_manifests:
       - netbirdio/upload:{{ .Version }}-arm64v8
       - netbirdio/upload:{{ .Version }}-arm
       - netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird:latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}-rootless
-    image_templates:
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird:rootless-latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
-
-  - name_template: ghcr.io/netbirdio/relay:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
-      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/relay:latest
-    image_templates:
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
-      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/signal:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
-      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/signal:latest
-    image_templates:
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
-      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/management:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/management:latest
-    image_templates:
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/management:debug-latest
-    image_templates:
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
-
-  - name_template: ghcr.io/netbirdio/upload:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
-      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/upload:latest
-    image_templates:
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
-      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
 brews:
   - ids:
       - default

README.md

@@ -12,7 +12,7 @@
        <img src="https://img.shields.io/badge/license-BSD--3-blue" />
      </a> 
     <br>
-    <a href="https://docs.netbird.io/slack-url">
+    <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-31rofwmxc-27akKd0Le0vyRpBcwXkP0g">
         <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
      </a>  
      <br>
@@ -29,7 +29,7 @@
   <br/>
   See <a href="https://netbird.io/docs/">Documentation</a>
   <br/>
-   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a>
+   Join our <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-31rofwmxc-27akKd0Le0vyRpBcwXkP0g">Slack channel</a>
   <br/>
  
 </strong>

client/android/client.go

@@ -59,8 +59,6 @@ type Client struct {
 	deviceName            string
 	uiVersion             string
 	networkChangeListener listener.NetworkChangeListener
-
-	connectClient *internal.ConnectClient
 }
 
 // NewClient instantiate a new Client
@@ -108,8 +106,8 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }
 
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
@@ -134,8 +132,8 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }
 
 // Stop the internal client and free the resources
@@ -176,53 +174,6 @@ func (c *Client) PeersList() *PeerInfoArray {
 	return &PeerInfoArray{items: peerInfos}
 }
 
-func (c *Client) Networks() *NetworkArray {
-	if c.connectClient == nil {
-		log.Error("not connected")
-		return nil
-	}
-
-	engine := c.connectClient.Engine()
-	if engine == nil {
-		log.Error("could not get engine")
-		return nil
-	}
-
-	routeManager := engine.GetRouteManager()
-	if routeManager == nil {
-		log.Error("could not get route manager")
-		return nil
-	}
-
-	networkArray := &NetworkArray{
-		items: make([]Network, 0),
-	}
-
-	for id, routes := range routeManager.GetClientRoutesWithNetID() {
-		if len(routes) == 0 {
-			continue
-		}
-
-		if routes[0].IsDynamic() {
-			continue
-		}
-
-		peer, err := c.recorder.GetPeer(routes[0].Peer)
-		if err != nil {
-			log.Errorf("could not get peer info for %s: %v", routes[0].Peer, err)
-			continue
-		}
-		network := Network{
-			Name:    string(id),
-			Network: routes[0].Network.String(),
-			Peer:    peer.FQDN,
-			Status:  peer.ConnStatus.String(),
-		}
-		networkArray.Add(network)
-	}
-	return networkArray
-}
-
 // OnUpdatedHostDNS update the DNS servers addresses for root zones
 func (c *Client) OnUpdatedHostDNS(list *DNSList) error {
 	dnsServer, err := dns.GetServerDns()

client/android/networks.go

@@ -1,27 +0,0 @@
-//go:build android
-
-package android
-
-type Network struct {
-	Name    string
-	Network string
-	Peer    string
-	Status  string
-}
-
-type NetworkArray struct {
-	items []Network
-}
-
-func (array *NetworkArray) Add(s Network) *NetworkArray {
-	array.items = append(array.items, s)
-	return array
-}
-
-func (array *NetworkArray) Get(i int) *Network {
-	return &array.items[i]
-}
-
-func (array *NetworkArray) Size() int {
-	return len(array.items)
-}

client/android/peer_notifier.go

@@ -7,23 +7,30 @@ type PeerInfo struct {
 	ConnStatus string // Todo replace to enum
 }
 
-// PeerInfoArray is a wrapper of []PeerInfo
+// PeerInfoCollection made for Java layer to get non default types as collection
+type PeerInfoCollection interface {
+	Add(s string) PeerInfoCollection
+	Get(i int) string
+	Size() int
+}
+
+// PeerInfoArray is the implementation of the PeerInfoCollection
 type PeerInfoArray struct {
 	items []PeerInfo
 }
 
 // Add new PeerInfo to the collection
-func (array *PeerInfoArray) Add(s PeerInfo) *PeerInfoArray {
+func (array PeerInfoArray) Add(s PeerInfo) PeerInfoArray {
 	array.items = append(array.items, s)
 	return array
 }
 
 // Get return an element of the collection
-func (array *PeerInfoArray) Get(i int) *PeerInfo {
+func (array PeerInfoArray) Get(i int) *PeerInfo {
 	return &array.items[i]
 }
 
 // Size return with the size of the collection
-func (array *PeerInfoArray) Size() int {
+func (array PeerInfoArray) Size() int {
 	return len(array.items)
 }

client/android/preferences.go

@@ -4,12 +4,12 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 )
 
-// Preferences exports a subset of the internal config for gomobile
+// Preferences export a subset of the internal config for gomobile
 type Preferences struct {
 	configInput internal.ConfigInput
 }
 
-// NewPreferences creates a new Preferences instance
+// NewPreferences create new Preferences instance
 func NewPreferences(configPath string) *Preferences {
 	ci := internal.ConfigInput{
 		ConfigPath: configPath,
@@ -17,7 +17,7 @@ func NewPreferences(configPath string) *Preferences {
 	return &Preferences{ci}
 }
 
-// GetManagementURL reads URL from config file
+// GetManagementURL read url from config file
 func (p *Preferences) GetManagementURL() (string, error) {
 	if p.configInput.ManagementURL != "" {
 		return p.configInput.ManagementURL, nil
@@ -30,12 +30,12 @@ func (p *Preferences) GetManagementURL() (string, error) {
 	return cfg.ManagementURL.String(), err
 }
 
-// SetManagementURL stores the given URL and waits for commit
+// SetManagementURL store the given url and wait for commit
 func (p *Preferences) SetManagementURL(url string) {
 	p.configInput.ManagementURL = url
 }
 
-// GetAdminURL reads URL from config file
+// GetAdminURL read url from config file
 func (p *Preferences) GetAdminURL() (string, error) {
 	if p.configInput.AdminURL != "" {
 		return p.configInput.AdminURL, nil
@@ -48,12 +48,12 @@ func (p *Preferences) GetAdminURL() (string, error) {
 	return cfg.AdminURL.String(), err
 }
 
-// SetAdminURL stores the given URL and waits for commit
+// SetAdminURL store the given url and wait for commit
 func (p *Preferences) SetAdminURL(url string) {
 	p.configInput.AdminURL = url
 }
 
-// GetPreSharedKey reads pre-shared key from config file
+// GetPreSharedKey read preshared key from config file
 func (p *Preferences) GetPreSharedKey() (string, error) {
 	if p.configInput.PreSharedKey != nil {
 		return *p.configInput.PreSharedKey, nil
@@ -66,160 +66,12 @@ func (p *Preferences) GetPreSharedKey() (string, error) {
 	return cfg.PreSharedKey, err
 }
 
-// SetPreSharedKey stores the given key and waits for commit
+// SetPreSharedKey store the given key and wait for commit
 func (p *Preferences) SetPreSharedKey(key string) {
 	p.configInput.PreSharedKey = &key
 }
 
-// SetRosenpassEnabled stores whether Rosenpass is enabled
-func (p *Preferences) SetRosenpassEnabled(enabled bool) {
-	p.configInput.RosenpassEnabled = &enabled
-}
-
-// GetRosenpassEnabled reads Rosenpass enabled status from config file
-func (p *Preferences) GetRosenpassEnabled() (bool, error) {
-	if p.configInput.RosenpassEnabled != nil {
-		return *p.configInput.RosenpassEnabled, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.RosenpassEnabled, err
-}
-
-// SetRosenpassPermissive stores the given permissive setting and waits for commit
-func (p *Preferences) SetRosenpassPermissive(permissive bool) {
-	p.configInput.RosenpassPermissive = &permissive
-}
-
-// GetRosenpassPermissive reads Rosenpass permissive setting from config file
-func (p *Preferences) GetRosenpassPermissive() (bool, error) {
-	if p.configInput.RosenpassPermissive != nil {
-		return *p.configInput.RosenpassPermissive, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.RosenpassPermissive, err
-}
-
-// GetDisableClientRoutes reads disable client routes setting from config file
-func (p *Preferences) GetDisableClientRoutes() (bool, error) {
-	if p.configInput.DisableClientRoutes != nil {
-		return *p.configInput.DisableClientRoutes, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableClientRoutes, err
-}
-
-// SetDisableClientRoutes stores the given value and waits for commit
-func (p *Preferences) SetDisableClientRoutes(disable bool) {
-	p.configInput.DisableClientRoutes = &disable
-}
-
-// GetDisableServerRoutes reads disable server routes setting from config file
-func (p *Preferences) GetDisableServerRoutes() (bool, error) {
-	if p.configInput.DisableServerRoutes != nil {
-		return *p.configInput.DisableServerRoutes, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableServerRoutes, err
-}
-
-// SetDisableServerRoutes stores the given value and waits for commit
-func (p *Preferences) SetDisableServerRoutes(disable bool) {
-	p.configInput.DisableServerRoutes = &disable
-}
-
-// GetDisableDNS reads disable DNS setting from config file
-func (p *Preferences) GetDisableDNS() (bool, error) {
-	if p.configInput.DisableDNS != nil {
-		return *p.configInput.DisableDNS, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableDNS, err
-}
-
-// SetDisableDNS stores the given value and waits for commit
-func (p *Preferences) SetDisableDNS(disable bool) {
-	p.configInput.DisableDNS = &disable
-}
-
-// GetDisableFirewall reads disable firewall setting from config file
-func (p *Preferences) GetDisableFirewall() (bool, error) {
-	if p.configInput.DisableFirewall != nil {
-		return *p.configInput.DisableFirewall, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableFirewall, err
-}
-
-// SetDisableFirewall stores the given value and waits for commit
-func (p *Preferences) SetDisableFirewall(disable bool) {
-	p.configInput.DisableFirewall = &disable
-}
-
-// GetServerSSHAllowed reads server SSH allowed setting from config file
-func (p *Preferences) GetServerSSHAllowed() (bool, error) {
-	if p.configInput.ServerSSHAllowed != nil {
-		return *p.configInput.ServerSSHAllowed, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	if cfg.ServerSSHAllowed == nil {
-		// Default to false for security on Android
-		return false, nil
-	}
-	return *cfg.ServerSSHAllowed, err
-}
-
-// SetServerSSHAllowed stores the given value and waits for commit
-func (p *Preferences) SetServerSSHAllowed(allowed bool) {
-	p.configInput.ServerSSHAllowed = &allowed
-}
-
-// GetBlockInbound reads block inbound setting from config file
-func (p *Preferences) GetBlockInbound() (bool, error) {
-	if p.configInput.BlockInbound != nil {
-		return *p.configInput.BlockInbound, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.BlockInbound, err
-}
-
-// SetBlockInbound stores the given value and waits for commit
-func (p *Preferences) SetBlockInbound(block bool) {
-	p.configInput.BlockInbound = &block
-}
-
-// Commit writes out the changes to the config file
+// Commit write out the changes into config file
 func (p *Preferences) Commit() error {
 	_, err := internal.UpdateOrCreateConfig(p.configInput)
 	return err

client/anonymize/anonymize.go

@@ -69,22 +69,6 @@ func (a *Anonymizer) AnonymizeIP(ip netip.Addr) netip.Addr {
 	return a.ipAnonymizer[ip]
 }
 
-func (a *Anonymizer) AnonymizeUDPAddr(addr net.UDPAddr) net.UDPAddr {
-	// Convert IP to netip.Addr
-	ip, ok := netip.AddrFromSlice(addr.IP)
-	if !ok {
-		return addr
-	}
-
-	anonIP := a.AnonymizeIP(ip)
-
-	return net.UDPAddr{
-		IP:   anonIP.AsSlice(),
-		Port: addr.Port,
-		Zone: addr.Zone,
-	}
-}
-
 // isInAnonymizedRange checks if an IP is within the range of already assigned anonymized IPs
 func (a *Anonymizer) isInAnonymizedRange(ip netip.Addr) bool {
 	if ip.Is4() && ip.Compare(a.startAnonIPv4) >= 0 && ip.Compare(a.currentAnonIPv4) <= 0 {

client/cmd/root.go

@@ -39,6 +39,7 @@ const (
 	extraIFaceBlackListFlag  = "extra-iface-blacklist"
 	dnsRouteIntervalFlag     = "dns-router-interval"
 	systemInfoFlag           = "system-info"
+	blockLANAccessFlag       = "block-lan-access"
 	enableLazyConnectionFlag = "enable-lazy-connection"
 	uploadBundle             = "upload-bundle"
 	uploadBundleURL          = "upload-bundle-url"
@@ -77,6 +78,7 @@ var (
 	anonymizeFlag           bool
 	debugSystemInfoFlag     bool
 	dnsRouteInterval        time.Duration
+	blockLANAccess          bool
 	debugUploadBundle       bool
 	debugUploadBundleURL    string
 	lazyConnEnabled         bool

client/cmd/service.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"context"
-	"runtime"
 	"sync"
 
 	"github.com/kardianos/service"
@@ -28,19 +27,12 @@ func newProgram(ctx context.Context, cancel context.CancelFunc) *program {
 }
 
 func newSVCConfig() *service.Config {
-	config := &service.Config{
+	return &service.Config{
 		Name:        serviceName,
 		DisplayName: "Netbird",
-		Description: "Netbird mesh network client",
+		Description: "A WireGuard-based mesh network that connects your devices into a single private network.",
 		Option:      make(service.KeyValue),
-		EnvVars:     make(map[string]string),
 	}
-
-	if runtime.GOOS == "linux" {
-		config.EnvVars["SYSTEMD_UNIT"] = serviceName
-	}
-
-	return config
 }
 
 func newSVC(prg *program, conf *service.Config) (service.Service, error) {

client/cmd/service_installer.go

@@ -39,7 +39,7 @@ var installCmd = &cobra.Command{
 			svcConfig.Arguments = append(svcConfig.Arguments, "--management-url", managementURL)
 		}
 
-		if logFile != "" {
+		if logFile != "console" {
 			svcConfig.Arguments = append(svcConfig.Arguments, "--log-file", logFile)
 		}
 

client/cmd/status.go

@@ -69,10 +69,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	status := resp.GetStatus()
-
-	if status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
-		status == string(internal.StatusSessionExpired) {
+	if resp.GetStatus() == string(internal.StatusNeedsLogin) || resp.GetStatus() == string(internal.StatusLoginFailed) {
 		cmd.Printf("Daemon status: %s\n\n"+
 			"Run UP command to log in with SSO (interactive login):\n\n"+
 			" netbird up \n\n"+

client/cmd/system.go

@@ -6,8 +6,6 @@ const (
 	disableServerRoutesFlag = "disable-server-routes"
 	disableDNSFlag          = "disable-dns"
 	disableFirewallFlag     = "disable-firewall"
-	blockLANAccessFlag      = "block-lan-access"
-	blockInboundFlag        = "block-inbound"
 )
 
 var (
@@ -15,8 +13,6 @@ var (
 	disableServerRoutes bool
 	disableDNS          bool
 	disableFirewall     bool
-	blockLANAccess      bool
-	blockInbound        bool
 )
 
 func init() {
@@ -32,11 +28,4 @@ func init() {
 
 	upCmd.PersistentFlags().BoolVar(&disableFirewall, disableFirewallFlag, false,
 		"Disable firewall configuration. If enabled, the client won't modify firewall rules.")
-
-	upCmd.PersistentFlags().BoolVar(&blockLANAccess, blockLANAccessFlag, false,
-		"Block access to local networks (LAN) when using this peer as a router or exit node")
-
-	upCmd.PersistentFlags().BoolVar(&blockInbound, blockInboundFlag, false,
-		"Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks.\n"+
-			"This overrides any policies received from the management service.")
 }

client/cmd/trace.go

@@ -17,7 +17,7 @@ var traceCmd = &cobra.Command{
 	Example: `
   netbird debug trace in 192.168.1.10 10.10.0.2 -p tcp --sport 12345 --dport 443 --syn --ack
   netbird debug trace out 10.10.0.1 8.8.8.8 -p udp  --dport 53
-  netbird debug trace in 10.10.0.2 10.10.0.1 -p icmp --icmp-type 8 --icmp-code 0
+  netbird debug trace in 10.10.0.2 10.10.0.1 -p icmp --type 8 --code 0
   netbird debug trace in 100.64.1.1 self -p tcp --dport 80`,
 	Args: cobra.ExactArgs(3),
 	RunE: tracePacket,
@@ -118,7 +118,7 @@ func tracePacket(cmd *cobra.Command, args []string) error {
 }
 
 func printTrace(cmd *cobra.Command, src, dst, proto string, sport, dport uint16, resp *proto.TracePacketResponse) {
-	cmd.Printf("Packet trace %s:%d → %s:%d (%s)\n\n", src, sport, dst, dport, strings.ToUpper(proto))
+	cmd.Printf("Packet trace %s:%d -> %s:%d (%s)\n\n", src, sport, dst, dport, strings.ToUpper(proto))
 
 	for _, stage := range resp.Stages {
 		if stage.ForwardingDetails != nil {

client/cmd/up.go

@@ -55,11 +55,12 @@ func init() {
 	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "Wireguard interface name")
 	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "Wireguard interface listening port")
 	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", networkMonitor,
-		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux and FreeBSD. `+
+		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux. `+
 			`E.g. --network-monitor=false to disable or --network-monitor=true to enable.`,
 	)
 	upCmd.PersistentFlags().StringSliceVar(&extraIFaceBlackList, extraIFaceBlackListFlag, nil, "Extra list of default interfaces to ignore for listening")
 	upCmd.PersistentFlags().DurationVar(&dnsRouteInterval, dnsRouteIntervalFlag, time.Minute, "DNS route update interval")
+	upCmd.PersistentFlags().BoolVar(&blockLANAccess, blockLANAccessFlag, false, "Block access to local networks (LAN) when using this peer as a router or exit node")
 
 	upCmd.PersistentFlags().StringSliceVar(&dnsLabels, dnsLabelsFlag, nil,
 		`Sets DNS labels`+
@@ -118,9 +119,83 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	ic, err := setupConfig(customDNSAddressConverted, cmd)
-	if err != nil {
-		return fmt.Errorf("setup config: %v", err)
+	ic := internal.ConfigInput{
+		ManagementURL:       managementURL,
+		AdminURL:            adminURL,
+		ConfigPath:          configPath,
+		NATExternalIPs:      natExternalIPs,
+		CustomDNSAddress:    customDNSAddressConverted,
+		ExtraIFaceBlackList: extraIFaceBlackList,
+		DNSLabels:           dnsLabelsValidated,
+	}
+
+	if cmd.Flag(enableRosenpassFlag).Changed {
+		ic.RosenpassEnabled = &rosenpassEnabled
+	}
+
+	if cmd.Flag(rosenpassPermissiveFlag).Changed {
+		ic.RosenpassPermissive = &rosenpassPermissive
+	}
+
+	if cmd.Flag(serverSSHAllowedFlag).Changed {
+		ic.ServerSSHAllowed = &serverSSHAllowed
+	}
+
+	if cmd.Flag(interfaceNameFlag).Changed {
+		if err := parseInterfaceName(interfaceName); err != nil {
+			return err
+		}
+		ic.InterfaceName = &interfaceName
+	}
+
+	if cmd.Flag(wireguardPortFlag).Changed {
+		p := int(wireguardPort)
+		ic.WireguardPort = &p
+	}
+
+	if cmd.Flag(networkMonitorFlag).Changed {
+		ic.NetworkMonitor = &networkMonitor
+	}
+
+	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
+		ic.PreSharedKey = &preSharedKey
+	}
+
+	if cmd.Flag(disableAutoConnectFlag).Changed {
+		ic.DisableAutoConnect = &autoConnectDisabled
+
+		if autoConnectDisabled {
+			cmd.Println("Autoconnect has been disabled. The client won't connect automatically when the service starts.")
+		}
+
+		if !autoConnectDisabled {
+			cmd.Println("Autoconnect has been enabled. The client will connect automatically when the service starts.")
+		}
+	}
+
+	if cmd.Flag(dnsRouteIntervalFlag).Changed {
+		ic.DNSRouteInterval = &dnsRouteInterval
+	}
+
+	if cmd.Flag(disableClientRoutesFlag).Changed {
+		ic.DisableClientRoutes = &disableClientRoutes
+	}
+	if cmd.Flag(disableServerRoutesFlag).Changed {
+		ic.DisableServerRoutes = &disableServerRoutes
+	}
+	if cmd.Flag(disableDNSFlag).Changed {
+		ic.DisableDNS = &disableDNS
+	}
+	if cmd.Flag(disableFirewallFlag).Changed {
+		ic.DisableFirewall = &disableFirewall
+	}
+
+	if cmd.Flag(blockLANAccessFlag).Changed {
+		ic.BlockLANAccess = &blockLANAccess
+	}
+
+	if cmd.Flag(enableLazyConnectionFlag).Changed {
+		ic.LazyConnectionEnabled = &lazyConnEnabled
 	}
 
 	providedSetupKey, err := getSetupKey()
@@ -128,7 +203,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	config, err := internal.UpdateOrCreateConfig(*ic)
+	config, err := internal.UpdateOrCreateConfig(ic)
 	if err != nil {
 		return fmt.Errorf("get config file: %v", err)
 	}
@@ -187,141 +262,9 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 
 	providedSetupKey, err := getSetupKey()
 	if err != nil {
-		return fmt.Errorf("get setup key: %v", err)
+		return err
 	}
 
-	loginRequest, err := setupLoginRequest(providedSetupKey, customDNSAddressConverted, cmd)
-	if err != nil {
-		return fmt.Errorf("setup login request: %v", err)
-	}
-
-	var loginErr error
-	var loginResp *proto.LoginResponse
-
-	err = WithBackOff(func() error {
-		var backOffErr error
-		loginResp, backOffErr = client.Login(ctx, loginRequest)
-		if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
-			s.Code() == codes.PermissionDenied ||
-			s.Code() == codes.NotFound ||
-			s.Code() == codes.Unimplemented) {
-			loginErr = backOffErr
-			return nil
-		}
-		return backOffErr
-	})
-	if err != nil {
-		return fmt.Errorf("login backoff cycle failed: %v", err)
-	}
-
-	if loginErr != nil {
-		return fmt.Errorf("login failed: %v", loginErr)
-	}
-
-	if loginResp.NeedsSSOLogin {
-
-		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
-
-		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
-		if err != nil {
-			return fmt.Errorf("waiting sso login failed with: %v", err)
-		}
-	}
-
-	if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
-		return fmt.Errorf("call service up method: %v", err)
-	}
-	cmd.Println("Connected")
-	return nil
-}
-
-func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command) (*internal.ConfigInput, error) {
-	ic := internal.ConfigInput{
-		ManagementURL:       managementURL,
-		AdminURL:            adminURL,
-		ConfigPath:          configPath,
-		NATExternalIPs:      natExternalIPs,
-		CustomDNSAddress:    customDNSAddressConverted,
-		ExtraIFaceBlackList: extraIFaceBlackList,
-		DNSLabels:           dnsLabelsValidated,
-	}
-
-	if cmd.Flag(enableRosenpassFlag).Changed {
-		ic.RosenpassEnabled = &rosenpassEnabled
-	}
-
-	if cmd.Flag(rosenpassPermissiveFlag).Changed {
-		ic.RosenpassPermissive = &rosenpassPermissive
-	}
-
-	if cmd.Flag(serverSSHAllowedFlag).Changed {
-		ic.ServerSSHAllowed = &serverSSHAllowed
-	}
-
-	if cmd.Flag(interfaceNameFlag).Changed {
-		if err := parseInterfaceName(interfaceName); err != nil {
-			return nil, err
-		}
-		ic.InterfaceName = &interfaceName
-	}
-
-	if cmd.Flag(wireguardPortFlag).Changed {
-		p := int(wireguardPort)
-		ic.WireguardPort = &p
-	}
-
-	if cmd.Flag(networkMonitorFlag).Changed {
-		ic.NetworkMonitor = &networkMonitor
-	}
-
-	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
-		ic.PreSharedKey = &preSharedKey
-	}
-
-	if cmd.Flag(disableAutoConnectFlag).Changed {
-		ic.DisableAutoConnect = &autoConnectDisabled
-
-		if autoConnectDisabled {
-			cmd.Println("Autoconnect has been disabled. The client won't connect automatically when the service starts.")
-		}
-
-		if !autoConnectDisabled {
-			cmd.Println("Autoconnect has been enabled. The client will connect automatically when the service starts.")
-		}
-	}
-
-	if cmd.Flag(dnsRouteIntervalFlag).Changed {
-		ic.DNSRouteInterval = &dnsRouteInterval
-	}
-
-	if cmd.Flag(disableClientRoutesFlag).Changed {
-		ic.DisableClientRoutes = &disableClientRoutes
-	}
-	if cmd.Flag(disableServerRoutesFlag).Changed {
-		ic.DisableServerRoutes = &disableServerRoutes
-	}
-	if cmd.Flag(disableDNSFlag).Changed {
-		ic.DisableDNS = &disableDNS
-	}
-	if cmd.Flag(disableFirewallFlag).Changed {
-		ic.DisableFirewall = &disableFirewall
-	}
-
-	if cmd.Flag(blockLANAccessFlag).Changed {
-		ic.BlockLANAccess = &blockLANAccess
-	}
-
-	if cmd.Flag(blockInboundFlag).Changed {
-		ic.BlockInbound = &blockInbound
-	}
-
-	if cmd.Flag(enableLazyConnectionFlag).Changed {
-		ic.LazyConnectionEnabled = &lazyConnEnabled
-	}
-	return &ic, nil
-}
-
-func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte, cmd *cobra.Command) (*proto.LoginRequest, error) {
 	loginRequest := proto.LoginRequest{
 		SetupKey:            providedSetupKey,
 		ManagementUrl:       managementURL,
@@ -358,7 +301,7 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
-			return nil, err
+			return err
 		}
 		loginRequest.InterfaceName = &interfaceName
 	}
@@ -393,14 +336,49 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.BlockLanAccess = &blockLANAccess
 	}
 
-	if cmd.Flag(blockInboundFlag).Changed {
-		loginRequest.BlockInbound = &blockInbound
-	}
-
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		loginRequest.LazyConnectionEnabled = &lazyConnEnabled
 	}
-	return &loginRequest, nil
+
+	var loginErr error
+
+	var loginResp *proto.LoginResponse
+
+	err = WithBackOff(func() error {
+		var backOffErr error
+		loginResp, backOffErr = client.Login(ctx, &loginRequest)
+		if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
+			s.Code() == codes.PermissionDenied ||
+			s.Code() == codes.NotFound ||
+			s.Code() == codes.Unimplemented) {
+			loginErr = backOffErr
+			return nil
+		}
+		return backOffErr
+	})
+	if err != nil {
+		return fmt.Errorf("login backoff cycle failed: %v", err)
+	}
+
+	if loginErr != nil {
+		return fmt.Errorf("login failed: %v", loginErr)
+	}
+
+	if loginResp.NeedsSSOLogin {
+
+		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
+
+		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
+		if err != nil {
+			return fmt.Errorf("waiting sso login failed with: %v", err)
+		}
+	}
+
+	if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
+		return fmt.Errorf("call service up method: %v", err)
+	}
+	cmd.Println("Connected")
+	return nil
 }
 
 func validateNATExternalIPs(list []string) error {

client/firewall/iptables/manager_linux.go

@@ -147,10 +147,6 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }
 
-func (m *Manager) IsStateful() bool {
-	return true
-}
-
 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -202,7 +198,7 @@ func (m *Manager) AllowNetbird() error {
 	_, err := m.AddPeerFiltering(
 		nil,
 		net.IP{0, 0, 0, 0},
-		firewall.ProtocolALL,
+		"all",
 		nil,
 		nil,
 		firewall.ActionAccept,
@@ -223,16 +219,10 @@ func (m *Manager) SetLogLevel(log.Level) {
 }
 
 func (m *Manager) EnableRouting() error {
-	if err := m.router.ipFwdState.RequestForwarding(); err != nil {
-		return fmt.Errorf("enable IP forwarding: %w", err)
-	}
 	return nil
 }
 
 func (m *Manager) DisableRouting() error {
-	if err := m.router.ipFwdState.ReleaseForwarding(); err != nil {
-		return fmt.Errorf("disable IP forwarding: %w", err)
-	}
 	return nil
 }
 

client/firewall/iptables/manager_linux_test.go

@@ -2,7 +2,7 @@ package iptables
 
 import (
 	"fmt"
-	"net/netip"
+	"net"
 	"testing"
 	"time"
 
@@ -19,8 +19,11 @@ var ifaceMock = &iFaceMock{
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
-			IP:      netip.MustParseAddr("10.20.0.1"),
-			Network: netip.MustParsePrefix("10.20.0.0/24"),
+			IP: net.ParseIP("10.20.0.1"),
+			Network: &net.IPNet{
+				IP:   net.ParseIP("10.20.0.0"),
+				Mask: net.IPv4Mask(255, 255, 255, 0),
+			},
 		}
 	},
 }
@@ -67,12 +70,12 @@ func TestIptablesManager(t *testing.T) {
 
 	var rule2 []fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
-		ip := netip.MustParseAddr("10.20.0.3")
+		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
 			IsRange: true,
 			Values:  []uint16{8043, 8046},
 		}
-		rule2, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", port, nil, fw.ActionAccept, "")
+		rule2, err = manager.AddPeerFiltering(nil, ip, "tcp", port, nil, fw.ActionAccept, "")
 		require.NoError(t, err, "failed to add rule")
 
 		for _, r := range rule2 {
@@ -92,9 +95,9 @@ func TestIptablesManager(t *testing.T) {
 
 	t.Run("reset check", func(t *testing.T) {
 		// add second rule
-		ip := netip.MustParseAddr("10.20.0.3")
+		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{Values: []uint16{5353}}
-		_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "udp", nil, port, fw.ActionAccept, "")
+		_, err = manager.AddPeerFiltering(nil, ip, "udp", nil, port, fw.ActionAccept, "")
 		require.NoError(t, err, "failed to add rule")
 
 		err = manager.Close(nil)
@@ -116,8 +119,11 @@ func TestIptablesManagerIPSet(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("10.20.0.1"),
-				Network: netip.MustParsePrefix("10.20.0.0/24"),
+				IP: net.ParseIP("10.20.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("10.20.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
 			}
 		},
 	}
@@ -138,11 +144,11 @@ func TestIptablesManagerIPSet(t *testing.T) {
 
 	var rule2 []fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
-		ip := netip.MustParseAddr("10.20.0.3")
+		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
 			Values: []uint16{443},
 		}
-		rule2, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", port, nil, fw.ActionAccept, "default")
+		rule2, err = manager.AddPeerFiltering(nil, ip, "tcp", port, nil, fw.ActionAccept, "default")
 		for _, r := range rule2 {
 			require.NoError(t, err, "failed to add rule")
 			require.Equal(t, r.(*Rule).ipsetName, "default-sport", "ipset name must be set")
@@ -180,8 +186,11 @@ func TestIptablesCreatePerformance(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("10.20.0.1"),
-				Network: netip.MustParsePrefix("10.20.0.0/24"),
+				IP: net.ParseIP("10.20.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("10.20.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
 			}
 		},
 	}
@@ -203,11 +212,11 @@ func TestIptablesCreatePerformance(t *testing.T) {
 
 			require.NoError(t, err)
 
-			ip := netip.MustParseAddr("10.20.0.100")
+			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "")
+				_, err = manager.AddPeerFiltering(nil, ip, "tcp", nil, port, fw.ActionAccept, "")
 
 				require.NoError(t, err, "failed to add rule")
 			}

client/firewall/iptables/router_linux.go

@@ -248,6 +248,10 @@ func (r *router) deleteIpSet(setName string) error {
 
 // AddNatRule inserts an iptables rule pair into the nat chain
 func (r *router) AddNatRule(pair firewall.RouterPair) error {
+	if err := r.ipFwdState.RequestForwarding(); err != nil {
+		return err
+	}
+
 	if r.legacyManagement {
 		log.Warnf("This peer is connected to a NetBird Management service with an older version. Allowing all traffic for %s", pair.Destination)
 		if err := r.addLegacyRouteRule(pair); err != nil {
@@ -274,6 +278,10 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 
 // RemoveNatRule removes an iptables rule pair from forwarding and nat chains
 func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
+	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
+		log.Errorf("%v", err)
+	}
+
 	if pair.Masquerade {
 		if err := r.removeNatRule(pair); err != nil {
 			return fmt.Errorf("remove nat rule: %w", err)

client/firewall/manager/firewall.go

@@ -116,8 +116,6 @@ type Manager interface {
 	// IsServerRouteSupported returns true if the firewall supports server side routing operations
 	IsServerRouteSupported() bool
 
-	IsStateful() bool
-
 	AddRouteFiltering(
 		id []byte,
 		sources []netip.Prefix,

client/firewall/nftables/manager_linux.go

@@ -170,10 +170,6 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }
 
-func (m *Manager) IsStateful() bool {
-	return true
-}
-
 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -328,16 +324,10 @@ func (m *Manager) SetLogLevel(log.Level) {
 }
 
 func (m *Manager) EnableRouting() error {
-	if err := m.router.ipFwdState.RequestForwarding(); err != nil {
-		return fmt.Errorf("enable IP forwarding: %w", err)
-	}
 	return nil
 }
 
 func (m *Manager) DisableRouting() error {
-	if err := m.router.ipFwdState.ReleaseForwarding(); err != nil {
-		return fmt.Errorf("disable IP forwarding: %w", err)
-	}
 	return nil
 }
 

client/firewall/nftables/manager_linux_test.go

@@ -3,6 +3,7 @@ package nftables
 import (
 	"bytes"
 	"fmt"
+	"net"
 	"net/netip"
 	"os/exec"
 	"testing"
@@ -24,8 +25,11 @@ var ifaceMock = &iFaceMock{
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
-			IP:      netip.MustParseAddr("100.96.0.1"),
-			Network: netip.MustParsePrefix("100.96.0.0/16"),
+			IP: net.ParseIP("100.96.0.1"),
+			Network: &net.IPNet{
+				IP:   net.ParseIP("100.96.0.0"),
+				Mask: net.IPv4Mask(255, 255, 255, 0),
+			},
 		}
 	},
 }
@@ -66,11 +70,11 @@ func TestNftablesManager(t *testing.T) {
 		time.Sleep(time.Second)
 	}()
 
-	ip := netip.MustParseAddr("100.96.0.1").Unmap()
+	ip := net.ParseIP("100.96.0.1")
 
 	testClient := &nftables.Conn{}
 
-	rule, err := manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{53}}, fw.ActionDrop, "")
+	rule, err := manager.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{53}}, fw.ActionDrop, "")
 	require.NoError(t, err, "failed to add rule")
 
 	err = manager.Flush()
@@ -105,6 +109,8 @@ func TestNftablesManager(t *testing.T) {
 	}
 	compareExprsIgnoringCounters(t, rules[0].Exprs, expectedExprs1)
 
+	ipToAdd, _ := netip.AddrFromSlice(ip)
+	add := ipToAdd.Unmap()
 	expectedExprs2 := []expr.Any{
 		&expr.Payload{
 			DestRegister: 1,
@@ -126,7 +132,7 @@ func TestNftablesManager(t *testing.T) {
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
 			Register: 1,
-			Data:     ip.AsSlice(),
+			Data:     add.AsSlice(),
 		},
 		&expr.Payload{
 			DestRegister: 1,
@@ -167,8 +173,11 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.96.0.1"),
-				Network: netip.MustParsePrefix("100.96.0.0/16"),
+				IP: net.ParseIP("100.96.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.96.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
 			}
 		},
 	}
@@ -188,11 +197,11 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 				time.Sleep(time.Second)
 			}()
 
-			ip := netip.MustParseAddr("10.20.0.100")
+			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "")
+				_, err = manager.AddPeerFiltering(nil, ip, "tcp", nil, port, fw.ActionAccept, "")
 				require.NoError(t, err, "failed to add rule")
 
 				if i%100 == 0 {
@@ -273,8 +282,8 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 		verifyIptablesOutput(t, stdout, stderr)
 	})
 
-	ip := netip.MustParseAddr("100.96.0.1")
-	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+	ip := net.ParseIP("100.96.0.1")
+	_, err = manager.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
 	require.NoError(t, err, "failed to add peer filtering rule")
 
 	_, err = manager.AddRouteFiltering(

client/firewall/nftables/router_linux.go

@@ -573,6 +573,10 @@ func (r *router) deleteNftRule(rule *nftables.Rule, ruleKey string) error {
 
 // AddNatRule appends a nftables rule pair to the nat chain
 func (r *router) AddNatRule(pair firewall.RouterPair) error {
+	if err := r.ipFwdState.RequestForwarding(); err != nil {
+		return err
+	}
+
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
@@ -1002,6 +1006,10 @@ func (r *router) removeAcceptForwardRulesIptables(ipt *iptables.IPTables) error
 
 // RemoveNatRule removes the prerouting mark rule
 func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
+	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
+		log.Errorf("%v", err)
+	}
+
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}

client/firewall/uspfilter/conntrack/common.go

@@ -62,5 +62,5 @@ type ConnKey struct {
 }
 
 func (c ConnKey) String() string {
-	return fmt.Sprintf("%s:%d → %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
+	return fmt.Sprintf("%s:%d -> %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
 }

client/firewall/uspfilter/conntrack/icmp.go

@@ -3,7 +3,6 @@ package conntrack
 import (
 	"context"
 	"fmt"
-	"net"
 	"net/netip"
 	"sync"
 	"time"
@@ -20,10 +19,6 @@ const (
 	DefaultICMPTimeout = 30 * time.Second
 	// ICMPCleanupInterval is how often we check for stale ICMP connections
 	ICMPCleanupInterval = 15 * time.Second
-
-	// MaxICMPPayloadLength is the maximum length of ICMP payload we consider for original packet info,
-	// which includes the IP header (20 bytes) and transport header (8 bytes)
-	MaxICMPPayloadLength = 28
 )
 
 // ICMPConnKey uniquely identifies an ICMP connection
@@ -34,7 +29,7 @@ type ICMPConnKey struct {
 }
 
 func (i ICMPConnKey) String() string {
-	return fmt.Sprintf("%s → %s (id %d)", i.SrcIP, i.DstIP, i.ID)
+	return fmt.Sprintf("%s -> %s (id %d)", i.SrcIP, i.DstIP, i.ID)
 }
 
 // ICMPConnTrack represents an ICMP connection state
@@ -55,72 +50,6 @@ type ICMPTracker struct {
 	flowLogger    nftypes.FlowLogger
 }
 
-// ICMPInfo holds ICMP type, code, and payload for lazy string formatting in logs
-type ICMPInfo struct {
-	TypeCode    layers.ICMPv4TypeCode
-	PayloadData [MaxICMPPayloadLength]byte
-	// actual length of valid data
-	PayloadLen int
-}
-
-// String implements fmt.Stringer for lazy evaluation in log messages
-func (info ICMPInfo) String() string {
-	if info.isErrorMessage() && info.PayloadLen >= MaxICMPPayloadLength {
-		if origInfo := info.parseOriginalPacket(); origInfo != "" {
-			return fmt.Sprintf("%s (original: %s)", info.TypeCode, origInfo)
-		}
-	}
-
-	return info.TypeCode.String()
-}
-
-// isErrorMessage returns true if this ICMP type carries original packet info
-func (info ICMPInfo) isErrorMessage() bool {
-	typ := info.TypeCode.Type()
-	return typ == 3 || // Destination Unreachable
-		typ == 5 || // Redirect
-		typ == 11 || // Time Exceeded
-		typ == 12 // Parameter Problem
-}
-
-// parseOriginalPacket extracts info about the original packet from ICMP payload
-func (info ICMPInfo) parseOriginalPacket() string {
-	if info.PayloadLen < MaxICMPPayloadLength {
-		return ""
-	}
-
-	// TODO: handle IPv6
-	if version := (info.PayloadData[0] >> 4) & 0xF; version != 4 {
-		return ""
-	}
-
-	protocol := info.PayloadData[9]
-	srcIP := net.IP(info.PayloadData[12:16])
-	dstIP := net.IP(info.PayloadData[16:20])
-
-	transportData := info.PayloadData[20:]
-
-	switch nftypes.Protocol(protocol) {
-	case nftypes.TCP:
-		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
-		dstPort := uint16(transportData[2])<<8 | uint16(transportData[3])
-		return fmt.Sprintf("TCP %s:%d → %s:%d", srcIP, srcPort, dstIP, dstPort)
-
-	case nftypes.UDP:
-		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
-		dstPort := uint16(transportData[2])<<8 | uint16(transportData[3])
-		return fmt.Sprintf("UDP %s:%d → %s:%d", srcIP, srcPort, dstIP, dstPort)
-
-	case nftypes.ICMP:
-		icmpType := transportData[0]
-		icmpCode := transportData[1]
-		return fmt.Sprintf("ICMP %s → %s (type %d code %d)", srcIP, dstIP, icmpType, icmpCode)
-
-	default:
-		return fmt.Sprintf("Proto %d %s → %s", protocol, srcIP, dstIP)
-	}
-}
-
 // NewICMPTracker creates a new ICMP connection tracker
 func NewICMPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *ICMPTracker {
 	if timeout == 0 {
@@ -164,64 +93,30 @@ func (t *ICMPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, id uint
 }
 
 // TrackOutbound records an outbound ICMP connection
-func (t *ICMPTracker) TrackOutbound(
-	srcIP netip.Addr,
-	dstIP netip.Addr,
-	id uint16,
-	typecode layers.ICMPv4TypeCode,
-	payload []byte,
-	size int,
-) {
+func (t *ICMPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, size int) {
 	if _, exists := t.updateIfExists(dstIP, srcIP, id, nftypes.Egress, size); !exists {
 		// if (inverted direction) conn is not tracked, track this direction
-		t.track(srcIP, dstIP, id, typecode, nftypes.Egress, nil, payload, size)
+		t.track(srcIP, dstIP, id, typecode, nftypes.Egress, nil, size)
 	}
 }
 
 // TrackInbound records an inbound ICMP Echo Request
-func (t *ICMPTracker) TrackInbound(
-	srcIP netip.Addr,
-	dstIP netip.Addr,
-	id uint16,
-	typecode layers.ICMPv4TypeCode,
-	ruleId []byte,
-	payload []byte,
-	size int,
-) {
-	t.track(srcIP, dstIP, id, typecode, nftypes.Ingress, ruleId, payload, size)
+func (t *ICMPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, ruleId []byte, size int) {
+	t.track(srcIP, dstIP, id, typecode, nftypes.Ingress, ruleId, size)
 }
 
 // track is the common implementation for tracking both inbound and outbound ICMP connections
-func (t *ICMPTracker) track(
-	srcIP netip.Addr,
-	dstIP netip.Addr,
-	id uint16,
-	typecode layers.ICMPv4TypeCode,
-	direction nftypes.Direction,
-	ruleId []byte,
-	payload []byte,
-	size int,
-) {
+func (t *ICMPTracker) track(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, direction nftypes.Direction, ruleId []byte, size int) {
 	key, exists := t.updateIfExists(srcIP, dstIP, id, direction, size)
 	if exists {
 		return
 	}
 
 	typ, code := typecode.Type(), typecode.Code()
-	icmpInfo := ICMPInfo{
-		TypeCode: typecode,
-	}
-	if len(payload) > 0 {
-		icmpInfo.PayloadLen = len(payload)
-		if icmpInfo.PayloadLen > MaxICMPPayloadLength {
-			icmpInfo.PayloadLen = MaxICMPPayloadLength
-		}
-		copy(icmpInfo.PayloadData[:], payload[:icmpInfo.PayloadLen])
-	}
 
 	// non echo requests don't need tracking
 	if typ != uint8(layers.ICMPv4TypeEchoRequest) {
-		t.logger.Trace("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+		t.logger.Trace("New %s ICMP connection %s type %d code %d", direction, key, typ, code)
 		t.sendStartEvent(direction, srcIP, dstIP, typ, code, ruleId, size)
 		return
 	}
@@ -243,7 +138,7 @@ func (t *ICMPTracker) track(
 	t.connections[key] = conn
 	t.mutex.Unlock()
 
-	t.logger.Trace("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+	t.logger.Trace("New %s ICMP connection %s type %d code %d", direction, key, typ, code)
 	t.sendEvent(nftypes.TypeStart, conn, ruleId)
 }
 

client/firewall/uspfilter/conntrack/icmp_test.go

@@ -15,7 +15,7 @@ func BenchmarkICMPTracker(b *testing.B) {
 
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 0, []byte{}, 0)
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 0, 0)
 		}
 	})
 
@@ -28,7 +28,7 @@ func BenchmarkICMPTracker(b *testing.B) {
 
 		// Pre-populate some connections
 		for i := 0; i < 1000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 0, []byte{}, 0)
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 0, 0)
 		}
 
 		b.ResetTimer()

client/firewall/uspfilter/forwarder/endpoint.go

@@ -86,5 +86,5 @@ type epID stack.TransportEndpointID
 
 func (i epID) String() string {
 	// src and remote is swapped
-	return fmt.Sprintf("%s:%d → %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
+	return fmt.Sprintf("%s:%d -> %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
 }

client/firewall/uspfilter/forwarder/forwarder.go

@@ -41,7 +41,7 @@ type Forwarder struct {
 	udpForwarder *udpForwarder
 	ctx          context.Context
 	cancel       context.CancelFunc
-	ip           tcpip.Address
+	ip           net.IP
 	netstack     bool
 }
 
@@ -71,11 +71,12 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		return nil, fmt.Errorf("failed to create NIC: %v", err)
 	}
 
+	ones, _ := iface.Address().Network.Mask.Size()
 	protoAddr := tcpip.ProtocolAddress{
 		Protocol: ipv4.ProtocolNumber,
 		AddressWithPrefix: tcpip.AddressWithPrefix{
-			Address:   tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
-			PrefixLen: iface.Address().Network.Bits(),
+			Address:   tcpip.AddrFromSlice(iface.Address().IP.To4()),
+			PrefixLen: ones,
 		},
 	}
 
@@ -115,7 +116,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		ctx:          ctx,
 		cancel:       cancel,
 		netstack:     netstack,
-		ip:           tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+		ip:           iface.Address().IP,
 	}
 
 	receiveWindow := defaultReceiveWindow
@@ -166,7 +167,7 @@ func (f *Forwarder) Stop() {
 }
 
 func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
-	if f.netstack && f.ip.Equal(addr) {
+	if f.netstack && f.ip.Equal(addr.AsSlice()) {
 		return net.IPv4(127, 0, 0, 1)
 	}
 	return addr.AsSlice()
@@ -178,6 +179,7 @@ func (f *Forwarder) RegisterRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uin
 }
 
 func (f *Forwarder) getRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) ([]byte, bool) {
+
 	if value, ok := f.ruleIdMap.Load(buildKey(srcIP, dstIP, srcPort, dstPort)); ok {
 		return value.([]byte), true
 	} else if value, ok := f.ruleIdMap.Load(buildKey(dstIP, srcIP, dstPort, srcPort)); ok {

client/firewall/uspfilter/forwarder/tcp.go

@@ -111,12 +111,12 @@ func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn
 
 	if errInToOut != nil {
 		if !isClosedError(errInToOut) {
-			f.logger.Error("proxyTCP: copy error (in → out) for %s: %v", epID(id), errInToOut)
+			f.logger.Error("proxyTCP: copy error (in -> out): %v", errInToOut)
 		}
 	}
 	if errOutToIn != nil {
 		if !isClosedError(errOutToIn) {
-			f.logger.Error("proxyTCP: copy error (out → in) for %s: %v", epID(id), errOutToIn)
+			f.logger.Error("proxyTCP: copy error (out -> in): %v", errOutToIn)
 		}
 	}
 

client/firewall/uspfilter/forwarder/udp.go

@@ -250,10 +250,10 @@ func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack
 	wg.Wait()
 
 	if outboundErr != nil && !isClosedError(outboundErr) {
-		f.logger.Error("proxyUDP: copy error (outbound→inbound) for %s: %v", epID(id), outboundErr)
+		f.logger.Error("proxyUDP: copy error (outbound->inbound): %v", outboundErr)
 	}
 	if inboundErr != nil && !isClosedError(inboundErr) {
-		f.logger.Error("proxyUDP: copy error (inbound→outbound) for %s: %v", epID(id), inboundErr)
+		f.logger.Error("proxyUDP: copy error (inbound->outbound): %v", inboundErr)
 	}
 
 	var rxPackets, txPackets uint64

client/firewall/uspfilter/localip.go

@@ -45,26 +45,24 @@ func (m *localIPManager) setBitmapBit(ip net.IP) {
 	m.ipv4Bitmap[high].bitmap[index] |= 1 << bit
 }
 
-func (m *localIPManager) setBitInBitmap(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
-	if !ip.Is4() {
-		return
-	}
-	ipv4 := ip.AsSlice()
+func (m *localIPManager) setBitInBitmap(ip net.IP, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
+	if ipv4 := ip.To4(); ipv4 != nil {
+		high := uint16(ipv4[0])
+		low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
 
-	high := uint16(ipv4[0])
-	low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
+		if bitmap[high] == nil {
+			bitmap[high] = &ipv4LowBitmap{}
+		}
 
-	if bitmap[high] == nil {
-		bitmap[high] = &ipv4LowBitmap{}
-	}
+		index := low / 32
+		bit := low % 32
+		bitmap[high].bitmap[index] |= 1 << bit
 
-	index := low / 32
-	bit := low % 32
-	bitmap[high].bitmap[index] |= 1 << bit
-
-	if _, exists := ipv4Set[ip]; !exists {
-		ipv4Set[ip] = struct{}{}
-		*ipv4Addresses = append(*ipv4Addresses, ip)
+		ipStr := ipv4.String()
+		if _, exists := ipv4Set[ipStr]; !exists {
+			ipv4Set[ipStr] = struct{}{}
+			*ipv4Addresses = append(*ipv4Addresses, ipStr)
+		}
 	}
 }
 
@@ -81,12 +79,12 @@ func (m *localIPManager) checkBitmapBit(ip []byte) bool {
 	return (m.ipv4Bitmap[high].bitmap[index] & (1 << bit)) != 0
 }
 
-func (m *localIPManager) processIP(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) error {
+func (m *localIPManager) processIP(ip net.IP, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) error {
 	m.setBitInBitmap(ip, bitmap, ipv4Set, ipv4Addresses)
 	return nil
 }
 
-func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
+func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
 	addrs, err := iface.Addrs()
 	if err != nil {
 		log.Debugf("get addresses for interface %s failed: %v", iface.Name, err)
@@ -104,13 +102,7 @@ func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv
 			continue
 		}
 
-		addr, ok := netip.AddrFromSlice(ip)
-		if !ok {
-			log.Warnf("invalid IP address %s in interface %s", ip.String(), iface.Name)
-			continue
-		}
-
-		if err := m.processIP(addr.Unmap(), bitmap, ipv4Set, ipv4Addresses); err != nil {
+		if err := m.processIP(ip, bitmap, ipv4Set, ipv4Addresses); err != nil {
 			log.Debugf("process IP failed: %v", err)
 		}
 	}
@@ -124,8 +116,8 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	}()
 
 	var newIPv4Bitmap [256]*ipv4LowBitmap
-	ipv4Set := make(map[netip.Addr]struct{})
-	var ipv4Addresses []netip.Addr
+	ipv4Set := make(map[string]struct{})
+	var ipv4Addresses []string
 
 	// 127.0.0.0/8
 	newIPv4Bitmap[127] = &ipv4LowBitmap{}

client/firewall/uspfilter/localip_test.go

@@ -20,8 +20,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Localhost range",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("127.0.0.2"),
 			expected: true,
@@ -29,8 +32,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Localhost standard address",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("127.0.0.1"),
 			expected: true,
@@ -38,8 +44,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Localhost range edge",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("127.255.255.255"),
 			expected: true,
@@ -47,8 +56,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Local IP matches",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("192.168.1.1"),
 			expected: true,
@@ -56,8 +68,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Local IP doesn't match",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("192.168.1.2"),
 			expected: false,
@@ -65,8 +80,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Local IP doesn't match - addresses 32 apart",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("192.168.1.33"),
 			expected: false,
@@ -74,8 +92,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "IPv6 address",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("fe80::1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("fe80::1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("fe80::"),
+					Mask: net.CIDRMask(64, 128),
+				},
 			},
 			testIP:   netip.MustParseAddr("fe80::1"),
 			expected: false,

client/firewall/uspfilter/tracer_test.go

@@ -38,8 +38,11 @@ func TestTracePacket(t *testing.T) {
 			SetFilterFunc: func(device.PacketFilter) error { return nil },
 			AddressFunc: func() wgaddr.Address {
 				return wgaddr.Address{
-					IP:      netip.MustParseAddr("100.10.0.100"),
-					Network: netip.MustParsePrefix("100.10.0.0/16"),
+					IP: net.ParseIP("100.10.0.100"),
+					Network: &net.IPNet{
+						IP:   net.ParseIP("100.10.0.0"),
+						Mask: net.CIDRMask(16, 32),
+					},
 				}
 			},
 		}

client/firewall/uspfilter/uspfilter.go

@@ -39,12 +39,8 @@ const (
 	// EnvForceUserspaceRouter forces userspace routing even if native routing is available.
 	EnvForceUserspaceRouter = "NB_FORCE_USERSPACE_ROUTER"
 
-	// EnvEnableLocalForwarding enables forwarding of local traffic to the native stack for internal (non-NetBird) interfaces.
-	// Default off as it might be security risk because sockets listening on localhost only will become accessible.
-	EnvEnableLocalForwarding = "NB_ENABLE_LOCAL_FORWARDING"
-
-	// EnvEnableNetstackLocalForwarding is an alias for EnvEnableLocalForwarding.
-	// In netstack mode, it enables forwarding of local traffic to the native stack for all interfaces.
+	// EnvEnableNetstackLocalForwarding enables forwarding of local traffic to the native stack when running netstack
+	// Leaving this on by default introduces a security risk as sockets on listening on localhost only will be accessible
 	EnvEnableNetstackLocalForwarding = "NB_ENABLE_NETSTACK_LOCAL_FORWARDING"
 )
 
@@ -75,6 +71,7 @@ type Manager struct {
 	// incomingRules is used for filtering and hooks
 	incomingRules  map[netip.Addr]RuleSet
 	routeRules     RouteRules
+	wgNetwork      *net.IPNet
 	decoders       sync.Pool
 	wgIface        common.IFaceMapper
 	nativeFirewall firewall.Manager
@@ -151,11 +148,6 @@ func parseCreateEnv() (bool, bool) {
 		if err != nil {
 			log.Warnf("failed to parse %s: %v", EnvEnableNetstackLocalForwarding, err)
 		}
-	} else if val := os.Getenv(EnvEnableLocalForwarding); val != "" {
-		enableLocalForwarding, err = strconv.ParseBool(val)
-		if err != nil {
-			log.Warnf("failed to parse %s: %v", EnvEnableLocalForwarding, err)
-		}
 	}
 
 	return disableConntrack, enableLocalForwarding
@@ -277,7 +269,7 @@ func (m *Manager) determineRouting() error {
 
 		log.Info("userspace routing is forced")
 
-	case !m.netstack && m.nativeFirewall != nil:
+	case !m.netstack && m.nativeFirewall != nil && m.nativeFirewall.IsServerRouteSupported():
 		// if the OS supports routing natively, then we don't need to filter/route ourselves
 		// netstack mode won't support native routing as there is no interface
 
@@ -334,10 +326,6 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }
 
-func (m *Manager) IsStateful() bool {
-	return m.stateful
-}
-
 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	if m.nativeRouter.Load() && m.nativeFirewall != nil {
 		return m.nativeFirewall.AddNatRule(pair)
@@ -618,8 +606,9 @@ func (m *Manager) processOutgoingHooks(packetData []byte, size int) bool {
 		return true
 	}
 
-	// for netflow we keep track even if the firewall is stateless
-	m.trackOutbound(d, srcIP, dstIP, size)
+	if m.stateful {
+		m.trackOutbound(d, srcIP, dstIP, size)
+	}
 
 	return false
 }
@@ -671,7 +660,7 @@ func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, size int) {
 		flags := getTCPFlags(&d.tcp)
 		m.tcpTracker.TrackOutbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, size)
 	case layers.LayerTypeICMPv4:
-		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, d.icmp4.Payload, size)
+		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, size)
 	}
 }
 
@@ -684,7 +673,7 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 		flags := getTCPFlags(&d.tcp)
 		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size)
 	case layers.LayerTypeICMPv4:
-		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, d.icmp4.Payload, size)
+		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, size)
 	}
 }
 
@@ -788,10 +777,9 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 		return true
 	}
 
-	// If requested we pass local traffic to internal interfaces to the forwarder.
-	// netstack doesn't have an interface to forward packets to the native stack so we always need to use the forwarder.
-	if m.localForwarding && (m.netstack || dstIP != m.wgIface.Address().IP) {
-		return m.handleForwardedLocalTraffic(packetData)
+	// if running in netstack mode we need to pass this to the forwarder
+	if m.netstack && m.localForwarding {
+		return m.handleNetstackLocalTraffic(packetData)
 	}
 
 	// track inbound packets to get the correct direction and session id for flows
@@ -801,7 +789,8 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 	return false
 }
 
-func (m *Manager) handleForwardedLocalTraffic(packetData []byte) bool {
+func (m *Manager) handleNetstackLocalTraffic(packetData []byte) bool {
+
 	fwd := m.forwarder.Load()
 	if fwd == nil {
 		m.logger.Trace("Dropping local packet (forwarder not initialized)")
@@ -1099,6 +1088,11 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 	return true
 }
 
+// SetNetwork of the wireguard interface to which filtering applied
+func (m *Manager) SetNetwork(network *net.IPNet) {
+	m.wgNetwork = network
+}
+
 // AddUDPPacketHook calls hook when UDP packet from given direction matched
 //
 // Hook function returns flag which indicates should be the matched package dropped or not

client/firewall/uspfilter/uspfilter_bench_test.go

@@ -174,6 +174,11 @@ func BenchmarkCoreFiltering(b *testing.B) {
 					require.NoError(b, manager.Close(nil))
 				})
 
+				manager.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
+
 				// Apply scenario-specific setup
 				sc.setupFunc(manager)
 
@@ -214,6 +219,11 @@ func BenchmarkStateScaling(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.wgNetwork = &net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			}
+
 			// Pre-populate connection table
 			srcIPs := generateRandomIPs(count)
 			dstIPs := generateRandomIPs(count)
@@ -257,6 +267,11 @@ func BenchmarkEstablishmentOverhead(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.wgNetwork = &net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			}
+
 			srcIP := generateRandomIPs(1)[0]
 			dstIP := generateRandomIPs(1)[0]
 			outbound := generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolTCP)
@@ -289,6 +304,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "new",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -302,6 +321,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "established",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -316,6 +339,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "new",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -329,6 +356,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "established",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -342,6 +373,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "new",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -355,6 +390,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "established",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -369,6 +408,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "post_handshake",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -383,6 +426,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "new",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -396,6 +443,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "established",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -542,6 +593,11 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
 			// Setup initial state based on scenario
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
@@ -625,6 +681,11 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
 			// Setup initial state based on scenario
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
@@ -736,6 +797,11 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
 			// Setup initial state based on scenario
 			if sc.rules {
 				_, err := manager.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept, "")
@@ -816,6 +882,11 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
 			if sc.rules {
 				_, err := manager.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept, "")
 				require.NoError(b, err)
@@ -961,8 +1032,7 @@ func BenchmarkRouteACLs(b *testing.B) {
 	}
 
 	for _, r := range rules {
-		dst := fw.Network{Prefix: r.dest}
-		_, err := manager.AddRouteFiltering(nil, r.sources, dst, r.proto, nil, r.port, fw.ActionAccept)
+		_, err := manager.AddRouteFiltering(nil, r.sources, r.dest, r.proto, nil, r.port, fw.ActionAccept)
 		if err != nil {
 			b.Fatal(err)
 		}

client/firewall/uspfilter/uspfilter_filter_test.go

@@ -19,8 +19,12 @@ import (
 )
 
 func TestPeerACLFiltering(t *testing.T) {
-	localIP := netip.MustParseAddr("100.10.0.100")
-	wgNet := netip.MustParsePrefix("100.10.0.0/16")
+	localIP := net.ParseIP("100.10.0.100")
+	wgNet := &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
+
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
@@ -39,6 +43,8 @@ func TestPeerACLFiltering(t *testing.T) {
 		require.NoError(t, manager.Close(nil))
 	})
 
+	manager.wgNetwork = wgNet
+
 	err = manager.UpdateLocalIPs()
 	require.NoError(t, err)
 
@@ -575,13 +581,14 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 	dev := mocks.NewMockDevice(ctrl)
 	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
 
-	wgNet := netip.MustParsePrefix(network)
+	localIP, wgNet, err := net.ParseCIDR(network)
+	require.NoError(tb, err)
 
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      wgNet.Addr(),
+				IP:      localIP,
 				Network: wgNet,
 			}
 		},
@@ -1433,8 +1440,11 @@ func TestRouteACLSet(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.10.0.100"),
-				Network: netip.MustParsePrefix("100.10.0.0/16"),
+				IP: net.ParseIP("100.10.0.100"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.10.0.0"),
+					Mask: net.CIDRMask(16, 32),
+				},
 			}
 		},
 	}

client/firewall/uspfilter/uspfilter_test.go

@@ -271,8 +271,11 @@ func TestNotMatchByIP(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.10.0.100"),
-				Network: netip.MustParsePrefix("100.10.0.0/16"),
+				IP: net.ParseIP("100.10.0.100"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.10.0.0"),
+					Mask: net.CIDRMask(16, 32),
+				},
 			}
 		},
 	}
@@ -282,6 +285,10 @@ func TestNotMatchByIP(t *testing.T) {
 		t.Errorf("failed to create Manager: %v", err)
 		return
 	}
+	m.wgNetwork = &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
 
 	ip := net.ParseIP("0.0.0.0")
 	proto := fw.ProtocolUDP
@@ -389,6 +396,10 @@ func TestProcessOutgoingHooks(t *testing.T) {
 	}, false, flowLogger)
 	require.NoError(t, err)
 
+	manager.wgNetwork = &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
 	manager.udpTracker.Close()
 	manager.udpTracker = conntrack.NewUDPTracker(100*time.Millisecond, logger, flowLogger)
 	defer func() {
@@ -498,6 +509,11 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	}, false, flowLogger)
 	require.NoError(t, err)
 
+	manager.wgNetwork = &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
+
 	manager.udpTracker.Close() // Close the existing tracker
 	manager.udpTracker = conntrack.NewUDPTracker(200*time.Millisecond, logger, flowLogger)
 	manager.decoders = sync.Pool{

client/iface/bind/udp_mux_universal.go

@@ -164,7 +164,7 @@ func (u *udpConn) performFilterCheck(addr net.Addr) error {
 		return nil
 	}
 
-	if u.address.Network.Contains(a) {
+	if u.address.Network.Contains(a.AsSlice()) {
 		log.Warnf("Address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 		return fmt.Errorf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 	}

client/iface/configurer/common.go

@@ -1,17 +0,0 @@
-package configurer
-
-import (
-	"net"
-	"net/netip"
-)
-
-func prefixesToIPNets(prefixes []netip.Prefix) []net.IPNet {
-	ipNets := make([]net.IPNet, len(prefixes))
-	for i, prefix := range prefixes {
-		ipNets[i] = net.IPNet{
-			IP:   prefix.Addr().AsSlice(),                             // Convert netip.Addr to net.IP
-			Mask: net.CIDRMask(prefix.Bits(), prefix.Addr().BitLen()), // Create subnet mask
-		}
-	}
-	return ipNets
-}

client/iface/configurer/kernel_unix.go

@@ -5,7 +5,6 @@ package configurer
 import (
 	"fmt"
 	"net"
-	"net/netip"
 	"time"
 
 	log "github.com/sirupsen/logrus"
@@ -13,8 +12,6 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
-var zeroKey wgtypes.Key
-
 type KernelConfigurer struct {
 	deviceName string
 }
@@ -46,7 +43,7 @@ func (c *KernelConfigurer) ConfigureInterface(privateKey string, port int) error
 	return nil
 }
 
-func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []net.IPNet, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
 		return err
@@ -55,7 +52,7 @@ func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		PublicKey:         peerKeyParsed,
 		ReplaceAllowedIPs: false,
 		// don't replace allowed ips, wg will handle duplicated peer IP
-		AllowedIPs:                  prefixesToIPNets(allowedIps),
+		AllowedIPs:                  allowedIps,
 		PersistentKeepaliveInterval: &keepAlive,
 		Endpoint:                    endpoint,
 		PresharedKey:                preSharedKey,
@@ -92,10 +89,10 @@ func (c *KernelConfigurer) RemovePeer(peerKey string) error {
 	return nil
 }
 
-func (c *KernelConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
-	ipNet := net.IPNet{
-		IP:   allowedIP.Addr().AsSlice(),
-		Mask: net.CIDRMask(allowedIP.Bits(), allowedIP.Addr().BitLen()),
+func (c *KernelConfigurer) AddAllowedIP(peerKey string, allowedIP string) error {
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return err
 	}
 
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
@@ -106,7 +103,7 @@ func (c *KernelConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix)
 		PublicKey:         peerKeyParsed,
 		UpdateOnly:        true,
 		ReplaceAllowedIPs: false,
-		AllowedIPs:        []net.IPNet{ipNet},
+		AllowedIPs:        []net.IPNet{*ipNet},
 	}
 
 	config := wgtypes.Config{
@@ -119,10 +116,10 @@ func (c *KernelConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix)
 	return nil
 }
 
-func (c *KernelConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error {
-	ipNet := net.IPNet{
-		IP:   allowedIP.Addr().AsSlice(),
-		Mask: net.CIDRMask(allowedIP.Bits(), allowedIP.Addr().BitLen()),
+func (c *KernelConfigurer) RemoveAllowedIP(peerKey string, allowedIP string) error {
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return fmt.Errorf("parse allowed IP: %w", err)
 	}
 
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
@@ -190,11 +187,7 @@ func (c *KernelConfigurer) configure(config wgtypes.Config) error {
 	if err != nil {
 		return err
 	}
-	defer func() {
-		if err := wg.Close(); err != nil {
-			log.Errorf("Failed to close wgctrl client: %v", err)
-		}
-	}()
+	defer wg.Close()
 
 	// validate if device with name exists
 	_, err = wg.Device(c.deviceName)
@@ -208,47 +201,6 @@ func (c *KernelConfigurer) configure(config wgtypes.Config) error {
 func (c *KernelConfigurer) Close() {
 }
 
-func (c *KernelConfigurer) FullStats() (*Stats, error) {
-	wg, err := wgctrl.New()
-	if err != nil {
-		return nil, fmt.Errorf("wgctl: %w", err)
-	}
-	defer func() {
-		err = wg.Close()
-		if err != nil {
-			log.Errorf("Got error while closing wgctl: %v", err)
-		}
-	}()
-
-	wgDevice, err := wg.Device(c.deviceName)
-	if err != nil {
-		return nil, fmt.Errorf("get device %s: %w", c.deviceName, err)
-	}
-	fullStats := &Stats{
-		DeviceName: wgDevice.Name,
-		PublicKey:  wgDevice.PublicKey.String(),
-		ListenPort: wgDevice.ListenPort,
-		FWMark:     wgDevice.FirewallMark,
-		Peers:      []Peer{},
-	}
-
-	for _, p := range wgDevice.Peers {
-		peer := Peer{
-			PublicKey:     p.PublicKey.String(),
-			AllowedIPs:    p.AllowedIPs,
-			TxBytes:       p.TransmitBytes,
-			RxBytes:       p.ReceiveBytes,
-			LastHandshake: p.LastHandshakeTime,
-			PresharedKey:  p.PresharedKey != zeroKey,
-		}
-		if p.Endpoint != nil {
-			peer.Endpoint = *p.Endpoint
-		}
-		fullStats.Peers = append(fullStats.Peers, peer)
-	}
-	return fullStats, nil
-}
-
 func (c *KernelConfigurer) GetStats() (map[string]WGStats, error) {
 	stats := make(map[string]WGStats)
 	wg, err := wgctrl.New()

client/iface/configurer/usp.go

@@ -5,7 +5,6 @@ import (
 	"encoding/hex"
 	"fmt"
 	"net"
-	"net/netip"
 	"os"
 	"runtime"
 	"strconv"
@@ -20,17 +19,10 @@ import (
 )
 
 const (
-	privateKey                  = "private_key"
 	ipcKeyLastHandshakeTimeSec  = "last_handshake_time_sec"
 	ipcKeyLastHandshakeTimeNsec = "last_handshake_time_nsec"
 	ipcKeyTxBytes               = "tx_bytes"
 	ipcKeyRxBytes               = "rx_bytes"
-	allowedIP                   = "allowed_ip"
-	endpoint                    = "endpoint"
-	fwmark                      = "fwmark"
-	listenPort                  = "listen_port"
-	publicKey                   = "public_key"
-	presharedKey                = "preshared_key"
 )
 
 var ErrAllowedIPNotFound = fmt.Errorf("allowed IP not found")
@@ -68,7 +60,7 @@ func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error
 	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
-func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []net.IPNet, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
 		return err
@@ -77,7 +69,7 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		PublicKey:         peerKeyParsed,
 		ReplaceAllowedIPs: false,
 		// don't replace allowed ips, wg will handle duplicated peer IP
-		AllowedIPs:                  prefixesToIPNets(allowedIps),
+		AllowedIPs:                  allowedIps,
 		PersistentKeepaliveInterval: &keepAlive,
 		PresharedKey:                preSharedKey,
 		Endpoint:                    endpoint,
@@ -107,10 +99,10 @@ func (c *WGUSPConfigurer) RemovePeer(peerKey string) error {
 	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
-func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
-	ipNet := net.IPNet{
-		IP:   allowedIP.Addr().AsSlice(),
-		Mask: net.CIDRMask(allowedIP.Bits(), allowedIP.Addr().BitLen()),
+func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP string) error {
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return err
 	}
 
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
@@ -121,7 +113,7 @@ func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) e
 		PublicKey:         peerKeyParsed,
 		UpdateOnly:        true,
 		ReplaceAllowedIPs: false,
-		AllowedIPs:        []net.IPNet{ipNet},
+		AllowedIPs:        []net.IPNet{*ipNet},
 	}
 
 	config := wgtypes.Config{
@@ -131,7 +123,7 @@ func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) e
 	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
-func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error {
+func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, ip string) error {
 	ipc, err := c.device.IpcGet()
 	if err != nil {
 		return err
@@ -154,8 +146,6 @@ func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix
 
 	foundPeer := false
 	removedAllowedIP := false
-	ip := allowedIP.String()
-
 	for _, line := range lines {
 		line = strings.TrimSpace(line)
 
@@ -178,8 +168,8 @@ func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix
 
 		// Append the line to the output string
 		if foundPeer && strings.HasPrefix(line, "allowed_ip=") {
-			allowedIPStr := strings.TrimPrefix(line, "allowed_ip=")
-			_, ipNet, err := net.ParseCIDR(allowedIPStr)
+			allowedIP := strings.TrimPrefix(line, "allowed_ip=")
+			_, ipNet, err := net.ParseCIDR(allowedIP)
 			if err != nil {
 				return err
 			}
@@ -196,15 +186,6 @@ func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix
 	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
-func (c *WGUSPConfigurer) FullStats() (*Stats, error) {
-	ipcStr, err := c.device.IpcGet()
-	if err != nil {
-		return nil, fmt.Errorf("IpcGet failed: %w", err)
-	}
-
-	return parseStatus(c.deviceName, ipcStr)
-}
-
 // startUAPI starts the UAPI listener for managing the WireGuard interface via external tool
 func (t *WGUSPConfigurer) startUAPI() {
 	var err error
@@ -384,136 +365,3 @@ func getFwmark() int {
 	}
 	return 0
 }
-
-func hexToWireguardKey(hexKey string) (wgtypes.Key, error) {
-	// Decode hex string to bytes
-	keyBytes, err := hex.DecodeString(hexKey)
-	if err != nil {
-		return wgtypes.Key{}, fmt.Errorf("failed to decode hex key: %w", err)
-	}
-
-	// Check if we have the right number of bytes (WireGuard keys are 32 bytes)
-	if len(keyBytes) != 32 {
-		return wgtypes.Key{}, fmt.Errorf("invalid key length: expected 32 bytes, got %d", len(keyBytes))
-	}
-
-	// Convert to wgtypes.Key
-	var key wgtypes.Key
-	copy(key[:], keyBytes)
-
-	return key, nil
-}
-
-func parseStatus(deviceName, ipcStr string) (*Stats, error) {
-	stats := &Stats{DeviceName: deviceName}
-	var currentPeer *Peer
-	for _, line := range strings.Split(strings.TrimSpace(ipcStr), "\n") {
-		if line == "" {
-			continue
-		}
-		parts := strings.SplitN(line, "=", 2)
-		if len(parts) != 2 {
-			continue
-		}
-		key := parts[0]
-		val := parts[1]
-
-		switch key {
-		case privateKey:
-			key, err := hexToWireguardKey(val)
-			if err != nil {
-				log.Errorf("failed to parse private key: %v", err)
-				continue
-			}
-			stats.PublicKey = key.PublicKey().String()
-		case publicKey:
-			// Save previous peer
-			if currentPeer != nil {
-				stats.Peers = append(stats.Peers, *currentPeer)
-			}
-			key, err := hexToWireguardKey(val)
-			if err != nil {
-				log.Errorf("failed to parse public key: %v", err)
-				continue
-			}
-			currentPeer = &Peer{
-				PublicKey: key.String(),
-			}
-		case listenPort:
-			if port, err := strconv.Atoi(val); err == nil {
-				stats.ListenPort = port
-			}
-		case fwmark:
-			if fwmark, err := strconv.Atoi(val); err == nil {
-				stats.FWMark = fwmark
-			}
-		case endpoint:
-			if currentPeer == nil {
-				continue
-			}
-
-			host, portStr, err := net.SplitHostPort(strings.Trim(val, "[]"))
-			if err != nil {
-				log.Errorf("failed to parse endpoint: %v", err)
-				continue
-			}
-			port, err := strconv.Atoi(portStr)
-			if err != nil {
-				log.Errorf("failed to parse endpoint port: %v", err)
-				continue
-			}
-			currentPeer.Endpoint = net.UDPAddr{
-				IP:   net.ParseIP(host),
-				Port: port,
-			}
-		case allowedIP:
-			if currentPeer == nil {
-				continue
-			}
-			_, ipnet, err := net.ParseCIDR(val)
-			if err == nil {
-				currentPeer.AllowedIPs = append(currentPeer.AllowedIPs, *ipnet)
-			}
-		case ipcKeyTxBytes:
-			if currentPeer == nil {
-				continue
-			}
-			rxBytes, err := toBytes(val)
-			if err != nil {
-				continue
-			}
-			currentPeer.TxBytes = rxBytes
-		case ipcKeyRxBytes:
-			if currentPeer == nil {
-				continue
-			}
-			rxBytes, err := toBytes(val)
-			if err != nil {
-				continue
-			}
-			currentPeer.RxBytes = rxBytes
-
-		case ipcKeyLastHandshakeTimeSec:
-			if currentPeer == nil {
-				continue
-			}
-
-			ts, err := toLastHandshake(val)
-			if err != nil {
-				continue
-			}
-			currentPeer.LastHandshake = ts
-		case presharedKey:
-			if currentPeer == nil {
-				continue
-			}
-			if val != "" {
-				currentPeer.PresharedKey = true
-			}
-		}
-	}
-	if currentPeer != nil {
-		stats.Peers = append(stats.Peers, *currentPeer)
-	}
-	return stats, nil
-}

client/iface/configurer/wgshow.go

@@ -1,24 +0,0 @@
-package configurer
-
-import (
-	"net"
-	"time"
-)
-
-type Peer struct {
-	PublicKey     string
-	Endpoint      net.UDPAddr
-	AllowedIPs    []net.IPNet
-	TxBytes       int64
-	RxBytes       int64
-	LastHandshake time.Time
-	PresharedKey  bool
-}
-
-type Stats struct {
-	DeviceName string
-	PublicKey  string
-	ListenPort int
-	FWMark     int
-	Peers      []Peer
-}

client/iface/device/device_android.go

@@ -24,7 +24,6 @@ type WGTunDevice struct {
 	mtu        int
 	iceBind    *bind.ICEBind
 	tunAdapter TunAdapter
-	disableDNS bool
 
 	name           string
 	device         *device.Device
@@ -33,7 +32,7 @@ type WGTunDevice struct {
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
+func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter) *WGTunDevice {
 	return &WGTunDevice{
 		address:    address,
 		port:       port,
@@ -41,7 +40,6 @@ func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind
 		mtu:        mtu,
 		iceBind:    iceBind,
 		tunAdapter: tunAdapter,
-		disableDNS: disableDNS,
 	}
 }
 
@@ -51,13 +49,6 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 	routesString := routesToString(routes)
 	searchDomainsToString := searchDomainsToString(searchDomains)
 
-	// Skip DNS configuration when DisableDNS is enabled
-	if t.disableDNS {
-		log.Info("DNS is disabled, skipping DNS and search domain configuration")
-		dns = ""
-		searchDomainsToString = ""
-	}
-
 	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), t.mtu, dns, searchDomainsToString, routesString)
 	if err != nil {
 		log.Errorf("failed to create Android interface: %s", err)

client/iface/device/device_filter.go

@@ -1,6 +1,7 @@
 package device
 
 import (
+	"net"
 	"net/netip"
 	"sync"
 
@@ -23,6 +24,9 @@ type PacketFilter interface {
 
 	// RemovePacketHook removes hook by ID
 	RemovePacketHook(hookID string) error
+
+	// SetNetwork of the wireguard interface to which filtering applied
+	SetNetwork(*net.IPNet)
 }
 
 // FilteredDevice to override Read or Write of packets

client/iface/device/device_netstack.go

@@ -51,11 +51,7 @@ func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
 	log.Info("create nbnetstack tun interface")
 
 	// TODO: get from service listener runtime IP
-	dnsAddr, err := nbnet.GetLastIPFromNetwork(t.address.Network, 1)
-	if err != nil {
-		return nil, fmt.Errorf("last ip: %w", err)
-	}
-
+	dnsAddr := nbnet.GetLastIPFromNetwork(t.address.Network, 1)
 	log.Debugf("netstack using address: %s", t.address.IP)
 	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, t.mtu)
 	log.Debugf("netstack using dns address: %s", dnsAddr)

client/iface/device/interface.go

@@ -2,7 +2,6 @@ package device
 
 import (
 	"net"
-	"net/netip"
 	"time"
 
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -12,11 +11,10 @@ import (
 
 type WGConfigurer interface {
 	ConfigureInterface(privateKey string, port int) error
-	UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
+	UpdatePeer(peerKey string, allowedIps []net.IPNet, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
 	RemovePeer(peerKey string) error
-	AddAllowedIP(peerKey string, allowedIP netip.Prefix) error
-	RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error
+	AddAllowedIP(peerKey string, allowedIP string) error
+	RemoveAllowedIP(peerKey string, allowedIP string) error
 	Close()
 	GetStats() (map[string]configurer.WGStats, error)
-	FullStats() (*configurer.Stats, error)
 }

client/iface/device/wg_link_freebsd.go

@@ -64,15 +64,7 @@ func (l *wgLink) assignAddr(address wgaddr.Address) error {
 	}
 
 	ip := address.IP.String()
-
-	// Convert prefix length to hex netmask
-	prefixLen := address.Network.Bits()
-	if !address.IP.Is4() {
-		return fmt.Errorf("IPv6 not supported for interface assignment")
-	}
-
-	maskBits := uint32(0xffffffff) << (32 - prefixLen)
-	mask := fmt.Sprintf("0x%08x", maskBits)
+	mask := "0x" + address.Network.Mask.String()
 
 	log.Infof("assign addr %s mask %s to %s interface", ip, mask, l.name)
 

client/iface/iface.go

@@ -43,7 +43,6 @@ type WGIFaceOpts struct {
 	MobileArgs   *device.MobileIFaceArguments
 	TransportNet transport.Net
 	FilterFn     bind.FilterFn
-	DisableDNS   bool
 }
 
 // WGIface represents an interface instance
@@ -112,14 +111,14 @@ func (w *WGIface) UpdateAddr(newAddr string) error {
 }
 
 // UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
-// Endpoint is optional.
-// If allowedIps is given it will be added to the existing ones.
+// Endpoint is optional
 func (w *WGIface) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 
-	log.Debugf("updating interface %s peer %s, endpoint %s, allowedIPs %v", w.tun.DeviceName(), peerKey, endpoint, allowedIps)
-	return w.configurer.UpdatePeer(peerKey, allowedIps, keepAlive, endpoint, preSharedKey)
+	netIPNets := prefixesToIPNets(allowedIps)
+	log.Debugf("updating interface %s peer %s, endpoint %s", w.tun.DeviceName(), peerKey, endpoint)
+	return w.configurer.UpdatePeer(peerKey, netIPNets, keepAlive, endpoint, preSharedKey)
 }
 
 // RemovePeer removes a Wireguard Peer from the interface iface
@@ -132,7 +131,7 @@ func (w *WGIface) RemovePeer(peerKey string) error {
 }
 
 // AddAllowedIP adds a prefix to the allowed IPs list of peer
-func (w *WGIface) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
+func (w *WGIface) AddAllowedIP(peerKey string, allowedIP string) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 
@@ -141,7 +140,7 @@ func (w *WGIface) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
 }
 
 // RemoveAllowedIP removes a prefix from the allowed IPs list of peer
-func (w *WGIface) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error {
+func (w *WGIface) RemoveAllowedIP(peerKey string, allowedIP string) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 
@@ -186,6 +185,7 @@ func (w *WGIface) SetFilter(filter device.PacketFilter) error {
 	}
 
 	w.filter = filter
+	w.filter.SetNetwork(w.tun.WgAddress().Network)
 
 	w.tun.FilteredDevice().SetFilter(filter)
 	return nil
@@ -217,10 +217,6 @@ func (w *WGIface) GetStats() (map[string]configurer.WGStats, error) {
 	return w.configurer.GetStats()
 }
 
-func (w *WGIface) FullStats() (*configurer.Stats, error) {
-	return w.configurer.FullStats()
-}
-
 func (w *WGIface) waitUntilRemoved() error {
 	maxWaitTime := 5 * time.Second
 	timeout := time.NewTimer(maxWaitTime)
@@ -255,3 +251,14 @@ func (w *WGIface) GetNet() *netstack.Net {
 
 	return w.tun.GetNet()
 }
+
+func prefixesToIPNets(prefixes []netip.Prefix) []net.IPNet {
+	ipNets := make([]net.IPNet, len(prefixes))
+	for i, prefix := range prefixes {
+		ipNets[i] = net.IPNet{
+			IP:   net.IP(prefix.Addr().AsSlice()),                     // Convert netip.Addr to net.IP
+			Mask: net.CIDRMask(prefix.Bits(), prefix.Addr().BitLen()), // Create subnet mask
+		}
+	}
+	return ipNets
+}

client/iface/iface_new_android.go

@@ -18,7 +18,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 
 	wgIFace := &WGIface{
 		userspaceBind:  true,
-		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
+		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter),
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil

client/iface/mocks/filter.go

@@ -5,6 +5,7 @@
 package mocks
 
 import (
+	net "net"
 	"net/netip"
 	reflect "reflect"
 
@@ -89,3 +90,15 @@ func (mr *MockPacketFilterMockRecorder) RemovePacketHook(arg0 interface{}) *gomo
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePacketHook", reflect.TypeOf((*MockPacketFilter)(nil).RemovePacketHook), arg0)
 }
+
+// SetNetwork mocks base method.
+func (m *MockPacketFilter) SetNetwork(arg0 *net.IPNet) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "SetNetwork", arg0)
+}
+
+// SetNetwork indicates an expected call of SetNetwork.
+func (mr *MockPacketFilterMockRecorder) SetNetwork(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNetwork", reflect.TypeOf((*MockPacketFilter)(nil).SetNetwork), arg0)
+}

client/iface/netstack/tun.go

@@ -1,6 +1,8 @@
 package netstack
 
 import (
+	"fmt"
+	"net"
 	"net/netip"
 	"os"
 	"strconv"
@@ -13,8 +15,8 @@ import (
 const EnvSkipProxy = "NB_NETSTACK_SKIP_PROXY"
 
 type NetStackTun struct { //nolint:revive
-	address       netip.Addr
-	dnsAddress    netip.Addr
+	address       net.IP
+	dnsAddress    net.IP
 	mtu           int
 	listenAddress string
 
@@ -22,7 +24,7 @@ type NetStackTun struct { //nolint:revive
 	tundev tun.Device
 }
 
-func NewNetStackTun(listenAddress string, address netip.Addr, dnsAddress netip.Addr, mtu int) *NetStackTun {
+func NewNetStackTun(listenAddress string, address net.IP, dnsAddress net.IP, mtu int) *NetStackTun {
 	return &NetStackTun{
 		address:       address,
 		dnsAddress:    dnsAddress,
@@ -32,9 +34,19 @@ func NewNetStackTun(listenAddress string, address netip.Addr, dnsAddress netip.A
 }
 
 func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
+	addr, ok := netip.AddrFromSlice(t.address)
+	if !ok {
+		return nil, nil, fmt.Errorf("convert address to netip.Addr: %v", t.address)
+	}
+
+	dnsAddr, ok := netip.AddrFromSlice(t.dnsAddress)
+	if !ok {
+		return nil, nil, fmt.Errorf("convert dns address to netip.Addr: %v", t.dnsAddress)
+	}
+
 	nsTunDev, tunNet, err := netstack.CreateNetTUN(
-		[]netip.Addr{t.address},
-		[]netip.Addr{t.dnsAddress},
+		[]netip.Addr{addr.Unmap()},
+		[]netip.Addr{dnsAddr.Unmap()},
 		t.mtu)
 	if err != nil {
 		return nil, nil, err

client/iface/wgaddr/address.go

@@ -2,27 +2,28 @@ package wgaddr
 
 import (
 	"fmt"
-	"net/netip"
+	"net"
 )
 
 // Address WireGuard parsed address
 type Address struct {
-	IP      netip.Addr
-	Network netip.Prefix
+	IP      net.IP
+	Network *net.IPNet
 }
 
 // ParseWGAddress parse a string ("1.2.3.4/24") address to WG Address
 func ParseWGAddress(address string) (Address, error) {
-	prefix, err := netip.ParsePrefix(address)
+	ip, network, err := net.ParseCIDR(address)
 	if err != nil {
 		return Address{}, err
 	}
 	return Address{
-		IP:      prefix.Addr().Unmap(),
-		Network: prefix.Masked(),
+		IP:      ip,
+		Network: network,
 	}, nil
 }
 
 func (addr Address) String() string {
-	return fmt.Sprintf("%s/%d", addr.IP.String(), addr.Network.Bits())
+	maskSize, _ := addr.Network.Mask.Size()
+	return fmt.Sprintf("%s/%d", addr.IP.String(), maskSize)
 }

client/internal/acl/manager.go

@@ -58,11 +58,6 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 	d.mutex.Lock()
 	defer d.mutex.Unlock()
 
-	if d.firewall == nil {
-		log.Debug("firewall manager is not supported, skipping firewall rules")
-		return
-	}
-
 	start := time.Now()
 	defer func() {
 		total := 0
@@ -74,8 +69,14 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 			time.Since(start), total)
 	}()
 
+	if d.firewall == nil {
+		log.Debug("firewall manager is not supported, skipping firewall rules")
+		return
+	}
+
 	d.applyPeerACLs(networkMap)
 
+
 	if err := d.applyRouteACLs(networkMap.RoutesFirewallRules, dnsRouteFeatureFlag); err != nil {
 		log.Errorf("Failed to apply route ACLs: %v", err)
 	}
@@ -284,10 +285,8 @@ func (d *DefaultManager) protoRuleToFirewallRule(
 	case mgmProto.RuleDirection_IN:
 		rules, err = d.addInRules(r.PolicyID, ip, protocol, port, action, ipsetName)
 	case mgmProto.RuleDirection_OUT:
-		if d.firewall.IsStateful() {
-			return "", nil, nil
-		}
-		// return traffic for outbound connections if firewall is stateless
+		// TODO: Remove this soon. Outbound rules are obsolete.
+		// We only maintain this for return traffic (inbound dir) which is now handled by the stateful firewall already
 		rules, err = d.addOutRules(r.PolicyID, ip, protocol, port, action, ipsetName)
 	default:
 		return "", nil, fmt.Errorf("invalid direction, skipping firewall rule")
@@ -398,15 +397,11 @@ func (d *DefaultManager) squashAcceptRules(
 	//
 	// We zeroed this to notify squash function that this protocol can't be squashed.
 	addRuleToCalculationMap := func(i int, r *mgmProto.FirewallRule, protocols map[mgmProto.RuleProtocol]*protoMatch) {
-		hasPortRestrictions := r.Action == mgmProto.RuleAction_DROP ||
-			r.Port != "" || !portInfoEmpty(r.PortInfo)
-
-		if hasPortRestrictions {
-			// Don't squash rules with port restrictions
+		drop := r.Action == mgmProto.RuleAction_DROP || r.Port != ""
+		if drop {
 			protocols[r.Protocol] = &protoMatch{ips: map[string]int{}}
 			return
 		}
-
 		if _, ok := protocols[r.Protocol]; !ok {
 			protocols[r.Protocol] = &protoMatch{
 				ips: map[string]int{},

client/internal/acl/manager_test.go

@@ -1,14 +1,13 @@
 package acl
 
 import (
-	"net/netip"
+	"net"
 	"testing"
 
 	"github.com/golang/mock/gomock"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/acl/mocks"
 	"github.com/netbirdio/netbird/client/internal/netflow"
@@ -43,31 +42,35 @@ func TestDefaultManager(t *testing.T) {
 	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
 	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
 	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
+	ip, network, err := net.ParseCIDR("172.0.0.1/32")
+	if err != nil {
+		t.Fatalf("failed to parse IP address: %v", err)
+	}
 
 	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
 	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
+		IP:      ip,
 		Network: network,
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 
+	// we receive one rule from the management so for testing purposes ignore it
 	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
-	require.NoError(t, err)
-	defer func() {
-		err = fw.Close(nil)
-		require.NoError(t, err)
-	}()
-
+	if err != nil {
+		t.Errorf("create firewall: %v", err)
+		return
+	}
+	defer func(fw manager.Manager) {
+		_ = fw.Close(nil)
+	}(fw)
 	acl := NewDefaultManager(fw)
 
 	t.Run("apply firewall rules", func(t *testing.T) {
 		acl.ApplyFiltering(networkMap, false)
 
-		if fw.IsStateful() {
-			assert.Equal(t, 0, len(acl.peerRulesPairs))
-		} else {
-			assert.Equal(t, 2, len(acl.peerRulesPairs))
+		if len(acl.peerRulesPairs) != 2 {
+			t.Errorf("firewall rules not applied: %v", acl.peerRulesPairs)
+			return
 		}
 	})
 
@@ -91,13 +94,12 @@ func TestDefaultManager(t *testing.T) {
 
 		acl.ApplyFiltering(networkMap, false)
 
-		expectedRules := 2
-		if fw.IsStateful() {
-			expectedRules = 1 // only the inbound rule
+		// we should have one old and one new rule in the existed rules
+		if len(acl.peerRulesPairs) != 2 {
+			t.Errorf("firewall rules not applied")
+			return
 		}
 
-		assert.Equal(t, expectedRules, len(acl.peerRulesPairs))
-
 		// check that old rule was removed
 		previousCount := 0
 		for id := range acl.peerRulesPairs {
@@ -105,86 +107,26 @@ func TestDefaultManager(t *testing.T) {
 				previousCount++
 			}
 		}
-
-		expectedPreviousCount := 0
-		if !fw.IsStateful() {
-			expectedPreviousCount = 1
+		if previousCount != 1 {
+			t.Errorf("old rule was not removed")
 		}
-		assert.Equal(t, expectedPreviousCount, previousCount)
 	})
 
 	t.Run("handle default rules", func(t *testing.T) {
 		networkMap.FirewallRules = networkMap.FirewallRules[:0]
 
 		networkMap.FirewallRulesIsEmpty = true
-		acl.ApplyFiltering(networkMap, false)
-		assert.Equal(t, 0, len(acl.peerRulesPairs))
+		if acl.ApplyFiltering(networkMap, false); len(acl.peerRulesPairs) != 0 {
+			t.Errorf("rules should be empty if FirewallRulesIsEmpty is set, got: %v", len(acl.peerRulesPairs))
+			return
+		}
 
 		networkMap.FirewallRulesIsEmpty = false
 		acl.ApplyFiltering(networkMap, false)
-
-		expectedRules := 1
-		if fw.IsStateful() {
-			expectedRules = 1 // only inbound allow-all rule
+		if len(acl.peerRulesPairs) != 1 {
+			t.Errorf("rules should contain 1 rules if FirewallRulesIsEmpty is not set, got: %v", len(acl.peerRulesPairs))
+			return
 		}
-		assert.Equal(t, expectedRules, len(acl.peerRulesPairs))
-	})
-}
-
-func TestDefaultManagerStateless(t *testing.T) {
-	// stateless currently only in userspace, so we have to disable kernel
-	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	t.Setenv("NB_DISABLE_CONNTRACK", "true")
-
-	networkMap := &mgmProto.NetworkMap{
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_OUT,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "80",
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_UDP,
-				Port:      "53",
-			},
-		},
-	}
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
-	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
-	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
-
-	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
-	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
-		Network: network,
-	}).AnyTimes()
-	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
-
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
-	require.NoError(t, err)
-	defer func() {
-		err = fw.Close(nil)
-		require.NoError(t, err)
-	}()
-
-	acl := NewDefaultManager(fw)
-
-	t.Run("stateless firewall creates outbound rules", func(t *testing.T) {
-		acl.ApplyFiltering(networkMap, false)
-
-		// In stateless mode, we should have both inbound and outbound rules
-		assert.False(t, fw.IsStateful())
-		assert.Equal(t, 2, len(acl.peerRulesPairs))
 	})
 }
 
@@ -250,19 +192,42 @@ func TestDefaultManagerSquashRules(t *testing.T) {
 
 	manager := &DefaultManager{}
 	rules, _ := manager.squashAcceptRules(networkMap)
-	assert.Equal(t, 2, len(rules))
+	if len(rules) != 2 {
+		t.Errorf("rules should contain 2, got: %v", rules)
+		return
+	}
 
 	r := rules[0]
-	assert.Equal(t, "0.0.0.0", r.PeerIP)
-	assert.Equal(t, mgmProto.RuleDirection_IN, r.Direction)
-	assert.Equal(t, mgmProto.RuleProtocol_ALL, r.Protocol)
-	assert.Equal(t, mgmProto.RuleAction_ACCEPT, r.Action)
+	switch {
+	case r.PeerIP != "0.0.0.0":
+		t.Errorf("IP should be 0.0.0.0, got: %v", r.PeerIP)
+		return
+	case r.Direction != mgmProto.RuleDirection_IN:
+		t.Errorf("direction should be IN, got: %v", r.Direction)
+		return
+	case r.Protocol != mgmProto.RuleProtocol_ALL:
+		t.Errorf("protocol should be ALL, got: %v", r.Protocol)
+		return
+	case r.Action != mgmProto.RuleAction_ACCEPT:
+		t.Errorf("action should be ACCEPT, got: %v", r.Action)
+		return
+	}
 
 	r = rules[1]
-	assert.Equal(t, "0.0.0.0", r.PeerIP)
-	assert.Equal(t, mgmProto.RuleDirection_OUT, r.Direction)
-	assert.Equal(t, mgmProto.RuleProtocol_ALL, r.Protocol)
-	assert.Equal(t, mgmProto.RuleAction_ACCEPT, r.Action)
+	switch {
+	case r.PeerIP != "0.0.0.0":
+		t.Errorf("IP should be 0.0.0.0, got: %v", r.PeerIP)
+		return
+	case r.Direction != mgmProto.RuleDirection_OUT:
+		t.Errorf("direction should be OUT, got: %v", r.Direction)
+		return
+	case r.Protocol != mgmProto.RuleProtocol_ALL:
+		t.Errorf("protocol should be ALL, got: %v", r.Protocol)
+		return
+	case r.Action != mgmProto.RuleAction_ACCEPT:
+		t.Errorf("action should be ACCEPT, got: %v", r.Action)
+		return
+	}
 }
 
 func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
@@ -326,435 +291,8 @@ func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
 	}
 
 	manager := &DefaultManager{}
-	rules, _ := manager.squashAcceptRules(networkMap)
-	assert.Equal(t, len(networkMap.FirewallRules), len(rules))
-}
-
-func TestDefaultManagerSquashRulesWithPortRestrictions(t *testing.T) {
-	tests := []struct {
-		name          string
-		rules         []*mgmProto.FirewallRule
-		expectedCount int
-		description   string
-	}{
-		{
-			name: "should not squash rules with port ranges",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with port ranges should not be squashed even if they cover all peers",
-		},
-		{
-			name: "should not squash rules with specific ports",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with specific ports should not be squashed even if they cover all peers",
-		},
-		{
-			name: "should not squash rules with legacy port field",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with legacy port field should not be squashed",
-		},
-		{
-			name: "should not squash rules with DROP action",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with DROP action should not be squashed",
-		},
-		{
-			name: "should squash rules without port restrictions",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-			},
-			expectedCount: 1,
-			description:   "Rules without port restrictions should be squashed into a single 0.0.0.0 rule",
-		},
-		{
-			name: "mixed rules should not squash protocol with port restrictions",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-			},
-			expectedCount: 4,
-			description:   "TCP should not be squashed because one rule has port restrictions",
-		},
-		{
-			name: "should squash UDP but not TCP when TCP has port restrictions",
-			rules: []*mgmProto.FirewallRule{
-				// TCP rules with port restrictions - should NOT be squashed
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				// UDP rules without port restrictions - SHOULD be squashed
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-			},
-			expectedCount: 5, // 4 TCP rules + 1 squashed UDP rule (0.0.0.0)
-			description:   "UDP should be squashed to 0.0.0.0 rule, but TCP should remain as individual rules due to port restrictions",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			networkMap := &mgmProto.NetworkMap{
-				RemotePeers: []*mgmProto.RemotePeerConfig{
-					{AllowedIps: []string{"10.93.0.1"}},
-					{AllowedIps: []string{"10.93.0.2"}},
-					{AllowedIps: []string{"10.93.0.3"}},
-					{AllowedIps: []string{"10.93.0.4"}},
-				},
-				FirewallRules: tt.rules,
-			}
-
-			manager := &DefaultManager{}
-			rules, _ := manager.squashAcceptRules(networkMap)
-
-			assert.Equal(t, tt.expectedCount, len(rules), tt.description)
-
-			// For squashed rules, verify we get the expected 0.0.0.0 rule
-			if tt.expectedCount == 1 {
-				assert.Equal(t, "0.0.0.0", rules[0].PeerIP)
-				assert.Equal(t, mgmProto.RuleDirection_IN, rules[0].Direction)
-				assert.Equal(t, mgmProto.RuleAction_ACCEPT, rules[0].Action)
-			}
-		})
-	}
-}
-
-func TestPortInfoEmpty(t *testing.T) {
-	tests := []struct {
-		name     string
-		portInfo *mgmProto.PortInfo
-		expected bool
-	}{
-		{
-			name:     "nil PortInfo should be empty",
-			portInfo: nil,
-			expected: true,
-		},
-		{
-			name: "PortInfo with zero port should be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Port{
-					Port: 0,
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "PortInfo with valid port should not be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Port{
-					Port: 80,
-				},
-			},
-			expected: false,
-		},
-		{
-			name: "PortInfo with nil range should be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Range_{
-					Range: nil,
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "PortInfo with zero start range should be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Range_{
-					Range: &mgmProto.PortInfo_Range{
-						Start: 0,
-						End:   100,
-					},
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "PortInfo with zero end range should be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Range_{
-					Range: &mgmProto.PortInfo_Range{
-						Start: 80,
-						End:   0,
-					},
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "PortInfo with valid range should not be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Range_{
-					Range: &mgmProto.PortInfo_Range{
-						Start: 8080,
-						End:   8090,
-					},
-				},
-			},
-			expected: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := portInfoEmpty(tt.portInfo)
-			assert.Equal(t, tt.expected, result)
-		})
+	if rules, _ := manager.squashAcceptRules(networkMap); len(rules) != len(networkMap.FirewallRules) {
+		t.Errorf("we should get the same amount of rules as output, got %v", len(rules))
 	}
 }
 
@@ -798,29 +336,33 @@ func TestDefaultManagerEnableSSHRules(t *testing.T) {
 	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
 	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
 	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
+	ip, network, err := net.ParseCIDR("172.0.0.1/32")
+	if err != nil {
+		t.Fatalf("failed to parse IP address: %v", err)
+	}
 
 	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
 	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
+		IP:      ip,
 		Network: network,
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 
+	// we receive one rule from the management so for testing purposes ignore it
 	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
-	require.NoError(t, err)
-	defer func() {
-		err = fw.Close(nil)
-		require.NoError(t, err)
-	}()
-
+	if err != nil {
+		t.Errorf("create firewall: %v", err)
+		return
+	}
+	defer func(fw manager.Manager) {
+		_ = fw.Close(nil)
+	}(fw)
 	acl := NewDefaultManager(fw)
 
 	acl.ApplyFiltering(networkMap, false)
 
-	expectedRules := 3
-	if fw.IsStateful() {
-		expectedRules = 3 // 2 inbound rules + SSH rule
+	if len(acl.peerRulesPairs) != 3 {
+		t.Errorf("expect 3 rules (last must be SSH), got: %d", len(acl.peerRulesPairs))
+		return
 	}
-	assert.Equal(t, expectedRules, len(acl.peerRulesPairs))
 }

client/internal/config.go

@@ -68,8 +68,8 @@ type ConfigInput struct {
 	DisableServerRoutes *bool
 	DisableDNS          *bool
 	DisableFirewall     *bool
-	BlockLANAccess      *bool
-	BlockInbound        *bool
+
+	BlockLANAccess *bool
 
 	DisableNotifications *bool
 
@@ -98,8 +98,8 @@ type Config struct {
 	DisableServerRoutes bool
 	DisableDNS          bool
 	DisableFirewall     bool
-	BlockLANAccess      bool
-	BlockInbound        bool
+
+	BlockLANAccess bool
 
 	DisableNotifications *bool
 
@@ -223,8 +223,6 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 	config := &Config{
 		// defaults to false only for new (post 0.26) configurations
 		ServerSSHAllowed: util.False(),
-		// default to disabling server routes on Android for security
-		DisableServerRoutes: runtime.GOOS == "android",
 	}
 
 	if _, err := config.apply(input); err != nil {
@@ -418,15 +416,9 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		config.ServerSSHAllowed = input.ServerSSHAllowed
 		updated = true
 	} else if config.ServerSSHAllowed == nil {
-		if runtime.GOOS == "android" {
-			// default to disabled SSH on Android for security
-			log.Infof("setting SSH server to false by default on Android")
-			config.ServerSSHAllowed = util.False()
-		} else {
-			// enables SSH for configs from old versions to preserve backwards compatibility
-			log.Infof("falling back to enabled SSH server for pre-existing configuration")
-			config.ServerSSHAllowed = util.True()
-		}
+		// enables SSH for configs from old versions to preserve backwards compatibility
+		log.Infof("falling back to enabled SSH server for pre-existing configuration")
+		config.ServerSSHAllowed = util.True()
 		updated = true
 	}
 
@@ -491,16 +483,6 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
-	if input.BlockInbound != nil && *input.BlockInbound != config.BlockInbound {
-		if *input.BlockInbound {
-			log.Infof("blocking inbound connections")
-		} else {
-			log.Infof("allowing inbound connections")
-		}
-		config.BlockInbound = *input.BlockInbound
-		updated = true
-	}
-
 	if input.DisableNotifications != nil && input.DisableNotifications != config.DisableNotifications {
 		if *input.DisableNotifications {
 			log.Infof("disabling notifications")

client/internal/conn_mgr.go

@@ -14,7 +14,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
-	"github.com/netbirdio/netbird/route"
 )
 
 // ConnMgr coordinates both lazy connections (established on-demand) and permanent peer connections.
@@ -34,9 +33,9 @@ type ConnMgr struct {
 
 	lazyConnMgr *manager.Manager
 
-	wg            sync.WaitGroup
-	lazyCtx       context.Context
-	lazyCtxCancel context.CancelFunc
+	wg        sync.WaitGroup
+	ctx       context.Context
+	ctxCancel context.CancelFunc
 }
 
 func NewConnMgr(engineConfig *EngineConfig, statusRecorder *peer.Status, peerStore *peerstore.Store, iface lazyconn.WGIface, dispatcher *dispatcher.ConnectionDispatcher) *ConnMgr {
@@ -86,7 +85,7 @@ func (e *ConnMgr) UpdatedRemoteFeatureFlag(ctx context.Context, enabled bool) er
 		log.Infof("lazy connection manager is enabled by management feature flag")
 		e.initLazyManager(ctx)
 		e.statusRecorder.UpdateLazyConnection(true)
-		return e.addPeersToLazyConnManager()
+		return e.addPeersToLazyConnManager(ctx)
 	} else {
 		if e.lazyConnMgr == nil {
 			return nil
@@ -98,25 +97,15 @@ func (e *ConnMgr) UpdatedRemoteFeatureFlag(ctx context.Context, enabled bool) er
 	}
 }
 
-// UpdateRouteHAMap updates the route HA mappings in the lazy connection manager
-func (e *ConnMgr) UpdateRouteHAMap(haMap route.HAMap) {
-	if !e.isStartedWithLazyMgr() {
-		log.Debugf("lazy connection manager is not started, skipping UpdateRouteHAMap")
-		return
-	}
-
-	e.lazyConnMgr.UpdateRouteHAMap(haMap)
-}
-
 // SetExcludeList sets the list of peer IDs that should always have permanent connections.
-func (e *ConnMgr) SetExcludeList(ctx context.Context, peerIDs map[string]bool) {
+func (e *ConnMgr) SetExcludeList(peerIDs []string) {
 	if e.lazyConnMgr == nil {
 		return
 	}
 
 	excludedPeers := make([]lazyconn.PeerConfig, 0, len(peerIDs))
 
-	for peerID := range peerIDs {
+	for _, peerID := range peerIDs {
 		var peerConn *peer.Conn
 		var exists bool
 		if peerConn, exists = e.peerStore.PeerConn(peerID); !exists {
@@ -133,7 +122,7 @@ func (e *ConnMgr) SetExcludeList(ctx context.Context, peerIDs map[string]bool) {
 		excludedPeers = append(excludedPeers, lazyPeerCfg)
 	}
 
-	added := e.lazyConnMgr.ExcludePeer(e.lazyCtx, excludedPeers)
+	added := e.lazyConnMgr.ExcludePeer(e.ctx, excludedPeers)
 	for _, peerID := range added {
 		var peerConn *peer.Conn
 		var exists bool
@@ -143,7 +132,7 @@ func (e *ConnMgr) SetExcludeList(ctx context.Context, peerIDs map[string]bool) {
 		}
 
 		peerConn.Log.Infof("peer has been added to lazy connection exclude list, opening permanent connection")
-		if err := peerConn.Open(ctx); err != nil {
+		if err := peerConn.Open(e.ctx); err != nil {
 			peerConn.Log.Errorf("failed to open connection: %v", err)
 		}
 	}
@@ -221,9 +210,9 @@ func (e *ConnMgr) OnSignalMsg(ctx context.Context, peerKey string) (*peer.Conn,
 		return conn, true
 	}
 
-	if found := e.lazyConnMgr.ActivatePeer(e.lazyCtx, peerKey); found {
+	if found := e.lazyConnMgr.ActivatePeer(ctx, peerKey); found {
 		conn.Log.Infof("activated peer from inactive state")
-		if err := conn.Open(ctx); err != nil {
+		if err := conn.Open(e.ctx); err != nil {
 			conn.Log.Errorf("failed to open connection: %v", err)
 		}
 	}
@@ -235,27 +224,29 @@ func (e *ConnMgr) Close() {
 		return
 	}
 
-	e.lazyCtxCancel()
+	e.ctxCancel()
 	e.wg.Wait()
 	e.lazyConnMgr = nil
 }
 
-func (e *ConnMgr) initLazyManager(engineCtx context.Context) {
+func (e *ConnMgr) initLazyManager(parentCtx context.Context) {
 	cfg := manager.Config{
 		InactivityThreshold: inactivityThresholdEnv(),
 	}
-	e.lazyConnMgr = manager.NewManager(cfg, engineCtx, e.peerStore, e.iface, e.dispatcher)
+	e.lazyConnMgr = manager.NewManager(cfg, e.peerStore, e.iface, e.dispatcher)
 
-	e.lazyCtx, e.lazyCtxCancel = context.WithCancel(engineCtx)
+	ctx, cancel := context.WithCancel(parentCtx)
+	e.ctx = ctx
+	e.ctxCancel = cancel
 
 	e.wg.Add(1)
 	go func() {
 		defer e.wg.Done()
-		e.lazyConnMgr.Start(e.lazyCtx)
+		e.lazyConnMgr.Start(ctx)
 	}()
 }
 
-func (e *ConnMgr) addPeersToLazyConnManager() error {
+func (e *ConnMgr) addPeersToLazyConnManager(ctx context.Context) error {
 	peers := e.peerStore.PeersPubKey()
 	lazyPeerCfgs := make([]lazyconn.PeerConfig, 0, len(peers))
 	for _, peerID := range peers {
@@ -275,7 +266,7 @@ func (e *ConnMgr) addPeersToLazyConnManager() error {
 		lazyPeerCfgs = append(lazyPeerCfgs, lazyPeerCfg)
 	}
 
-	return e.lazyConnMgr.AddActivePeers(e.lazyCtx, lazyPeerCfgs)
+	return e.lazyConnMgr.AddActivePeers(ctx, lazyPeerCfgs)
 }
 
 func (e *ConnMgr) closeManager(ctx context.Context) {
@@ -283,7 +274,7 @@ func (e *ConnMgr) closeManager(ctx context.Context) {
 		return
 	}
 
-	e.lazyCtxCancel()
+	e.ctxCancel()
 	e.wg.Wait()
 	e.lazyConnMgr = nil
 
@@ -293,7 +284,7 @@ func (e *ConnMgr) closeManager(ctx context.Context) {
 }
 
 func (e *ConnMgr) isStartedWithLazyMgr() bool {
-	return e.lazyConnMgr != nil && e.lazyCtxCancel != nil
+	return e.lazyConnMgr != nil && e.ctxCancel != nil
 }
 
 func inactivityThresholdEnv() *time.Duration {

client/internal/connect.go

@@ -436,12 +436,11 @@ func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.Pe
 		DNSRouteInterval:     config.DNSRouteInterval,
 
 		DisableClientRoutes: config.DisableClientRoutes,
-		DisableServerRoutes: config.DisableServerRoutes || config.BlockInbound,
+		DisableServerRoutes: config.DisableServerRoutes,
 		DisableDNS:          config.DisableDNS,
 		DisableFirewall:     config.DisableFirewall,
-		BlockLANAccess:      config.BlockLANAccess,
-		BlockInbound:        config.BlockInbound,
 
+		BlockLANAccess:        config.BlockLANAccess,
 		LazyConnectionEnabled: config.LazyConnectionEnabled,
 	}
 
@@ -500,9 +499,6 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.DisableServerRoutes,
 		config.DisableDNS,
 		config.DisableFirewall,
-		config.BlockLANAccess,
-		config.BlockInbound,
-		config.LazyConnectionEnabled,
 	)
 	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey, config.DNSLabels)
 	if err != nil {

client/internal/debug/debug.go

@@ -270,21 +270,11 @@ func (g *BundleGenerator) createArchive() error {
 		log.Errorf("Failed to add corrupted state files to debug bundle: %v", err)
 	}
 
-	if err := g.addWgShow(); err != nil {
-		log.Errorf("Failed to add wg show output: %v", err)
-	}
-
-	if g.logFile != "console" && g.logFile != "" {
+	if g.logFile != "console" {
 		if err := g.addLogfile(); err != nil {
-			log.Errorf("Failed to add log file to debug bundle: %v", err)
-			if err := g.trySystemdLogFallback(); err != nil {
-				log.Errorf("Failed to add systemd logs as fallback: %v", err)
-			}
+			return fmt.Errorf("add log file: %w", err)
 		}
-	} else if err := g.trySystemdLogFallback(); err != nil {
-		log.Errorf("Failed to add systemd logs: %v", err)
 	}
-
 	return nil
 }
 
@@ -376,33 +366,17 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	configContent.WriteString(fmt.Sprintf("RosenpassEnabled: %v\n", g.internalConfig.RosenpassEnabled))
 	configContent.WriteString(fmt.Sprintf("RosenpassPermissive: %v\n", g.internalConfig.RosenpassPermissive))
 	if g.internalConfig.ServerSSHAllowed != nil {
-		configContent.WriteString(fmt.Sprintf("ServerSSHAllowed: %v\n", *g.internalConfig.ServerSSHAllowed))
+		configContent.WriteString(fmt.Sprintf("BundleGeneratorSSHAllowed: %v\n", *g.internalConfig.ServerSSHAllowed))
 	}
-
-	configContent.WriteString(fmt.Sprintf("DisableClientRoutes: %v\n", g.internalConfig.DisableClientRoutes))
-	configContent.WriteString(fmt.Sprintf("DisableServerRoutes: %v\n", g.internalConfig.DisableServerRoutes))
-	configContent.WriteString(fmt.Sprintf("DisableDNS: %v\n", g.internalConfig.DisableDNS))
-	configContent.WriteString(fmt.Sprintf("DisableFirewall: %v\n", g.internalConfig.DisableFirewall))
-	configContent.WriteString(fmt.Sprintf("BlockLANAccess: %v\n", g.internalConfig.BlockLANAccess))
-	configContent.WriteString(fmt.Sprintf("BlockInbound: %v\n", g.internalConfig.BlockInbound))
-
-	if g.internalConfig.DisableNotifications != nil {
-		configContent.WriteString(fmt.Sprintf("DisableNotifications: %v\n", *g.internalConfig.DisableNotifications))
-	}
-
-	configContent.WriteString(fmt.Sprintf("DNSLabels: %v\n", g.internalConfig.DNSLabels))
-
 	configContent.WriteString(fmt.Sprintf("DisableAutoConnect: %v\n", g.internalConfig.DisableAutoConnect))
-
 	configContent.WriteString(fmt.Sprintf("DNSRouteInterval: %s\n", g.internalConfig.DNSRouteInterval))
 
-	if g.internalConfig.ClientCertPath != "" {
-		configContent.WriteString(fmt.Sprintf("ClientCertPath: %s\n", g.internalConfig.ClientCertPath))
-	}
-	if g.internalConfig.ClientCertKeyPath != "" {
-		configContent.WriteString(fmt.Sprintf("ClientCertKeyPath: %s\n", g.internalConfig.ClientCertKeyPath))
-	}
+	configContent.WriteString(fmt.Sprintf("DisableClientRoutes: %v\n", g.internalConfig.DisableClientRoutes))
+	configContent.WriteString(fmt.Sprintf("DisableBundleGeneratorRoutes: %v\n", g.internalConfig.DisableServerRoutes))
+	configContent.WriteString(fmt.Sprintf("DisableDNS: %v\n", g.internalConfig.DisableDNS))
+	configContent.WriteString(fmt.Sprintf("DisableFirewall: %v\n", g.internalConfig.DisableFirewall))
 
+	configContent.WriteString(fmt.Sprintf("BlockLANAccess: %v\n", g.internalConfig.BlockLANAccess))
 	configContent.WriteString(fmt.Sprintf("LazyConnectionEnabled: %v\n", g.internalConfig.LazyConnectionEnabled))
 }
 

client/internal/debug/debug_linux.go

@@ -4,104 +4,17 @@ package debug
 
 import (
 	"bytes"
-	"context"
 	"encoding/binary"
-	"errors"
 	"fmt"
-	"os"
 	"os/exec"
 	"sort"
 	"strings"
-	"time"
 
 	"github.com/google/nftables"
 	"github.com/google/nftables/expr"
 	log "github.com/sirupsen/logrus"
 )
 
-const (
-	maxLogEntries = 100000
-	maxLogAge     = 7 * 24 * time.Hour // Last 7 days
-)
-
-// trySystemdLogFallback attempts to get logs from systemd journal as fallback
-func (g *BundleGenerator) trySystemdLogFallback() error {
-	log.Debug("Attempting to collect systemd journal logs")
-
-	serviceName := getServiceName()
-	journalLogs, err := getSystemdLogs(serviceName)
-	if err != nil {
-		return fmt.Errorf("get systemd logs for %s: %w", serviceName, err)
-	}
-
-	if strings.Contains(journalLogs, "No recent log entries found") {
-		log.Debug("No recent log entries found in systemd journal")
-		return nil
-	}
-
-	if g.anonymize {
-		journalLogs = g.anonymizer.AnonymizeString(journalLogs)
-	}
-
-	logReader := strings.NewReader(journalLogs)
-	fileName := fmt.Sprintf("systemd-%s.log", serviceName)
-	if err := g.addFileToZip(logReader, fileName); err != nil {
-		return fmt.Errorf("add systemd logs to bundle: %w", err)
-	}
-
-	log.Infof("Added systemd journal logs for %s to debug bundle", serviceName)
-	return nil
-}
-
-// getServiceName gets the service name from environment or defaults to netbird
-func getServiceName() string {
-	if unitName := os.Getenv("SYSTEMD_UNIT"); unitName != "" {
-		log.Debugf("Detected SYSTEMD_UNIT environment variable: %s", unitName)
-		return unitName
-	}
-
-	return "netbird"
-}
-
-// getSystemdLogs retrieves logs from systemd journal for a specific service using journalctl
-func getSystemdLogs(serviceName string) (string, error) {
-	args := []string{
-		"-u", fmt.Sprintf("%s.service", serviceName),
-		"--since", fmt.Sprintf("-%s", maxLogAge.String()),
-		"--lines", fmt.Sprintf("%d", maxLogEntries),
-		"--no-pager",
-		"--output", "short-iso",
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
-	cmd := exec.CommandContext(ctx, "journalctl", args...)
-	var stdout, stderr bytes.Buffer
-	cmd.Stdout = &stdout
-	cmd.Stderr = &stderr
-
-	if err := cmd.Run(); err != nil {
-		if errors.Is(ctx.Err(), context.DeadlineExceeded) {
-			return "", fmt.Errorf("journalctl command timed out after 30 seconds")
-		}
-		if strings.Contains(err.Error(), "executable file not found") {
-			return "", fmt.Errorf("journalctl command not found: %w", err)
-		}
-		return "", fmt.Errorf("execute journalctl: %w (stderr: %s)", err, stderr.String())
-	}
-
-	logs := stdout.String()
-	if strings.TrimSpace(logs) == "" {
-		return "No recent log entries found in systemd journal", nil
-	}
-
-	header := fmt.Sprintf("=== Systemd Journal Logs for %s.service (last %d entries, max %s) ===\n",
-		serviceName, maxLogEntries, maxLogAge.String())
-
-	return header + logs, nil
-}
-
 // addFirewallRules collects and adds firewall rules to the archive
 func (g *BundleGenerator) addFirewallRules() error {
 	log.Info("Collecting firewall rules")
@@ -568,7 +481,7 @@ func formatExpr(exp expr.Any) string {
 	case *expr.Fib:
 		return formatFib(e)
 	case *expr.Target:
-		return fmt.Sprintf("jump %s", e.Name)
+		return fmt.Sprintf("jump %s", e.Name) // Properly format jump targets
 	case *expr.Immediate:
 		if e.Register == 1 {
 			return formatImmediateData(e.Data)

client/internal/debug/debug_nonlinux.go

@@ -6,9 +6,3 @@ package debug
 func (g *BundleGenerator) addFirewallRules() error {
 	return nil
 }
-
-func (g *BundleGenerator) trySystemdLogFallback() error {
-	// Systemd is only available on Linux
-	// TODO: Add BSD support
-	return nil
-}

client/internal/debug/wgshow.go

@@ -1,66 +0,0 @@
-package debug
-
-import (
-	"bytes"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/netbirdio/netbird/client/iface/configurer"
-)
-
-type WGIface interface {
-	FullStats() (*configurer.Stats, error)
-}
-
-func (g *BundleGenerator) addWgShow() error {
-	result, err := g.statusRecorder.PeersStatus()
-	if err != nil {
-		return err
-	}
-
-	output := g.toWGShowFormat(result)
-	reader := bytes.NewReader([]byte(output))
-
-	if err := g.addFileToZip(reader, "wgshow.txt"); err != nil {
-		return fmt.Errorf("add wg show to zip: %w", err)
-	}
-	return nil
-}
-
-func (g *BundleGenerator) toWGShowFormat(s *configurer.Stats) string {
-	var sb strings.Builder
-
-	sb.WriteString(fmt.Sprintf("interface: %s\n", s.DeviceName))
-	sb.WriteString(fmt.Sprintf("  public key: %s\n", s.PublicKey))
-	sb.WriteString(fmt.Sprintf("  listen port: %d\n", s.ListenPort))
-	if s.FWMark != 0 {
-		sb.WriteString(fmt.Sprintf("  fwmark: %#x\n", s.FWMark))
-	}
-
-	for _, peer := range s.Peers {
-		sb.WriteString(fmt.Sprintf("\npeer: %s\n", peer.PublicKey))
-		if peer.Endpoint.IP != nil {
-			if g.anonymize {
-				anonEndpoint := g.anonymizer.AnonymizeUDPAddr(peer.Endpoint)
-				sb.WriteString(fmt.Sprintf("  endpoint: %s\n", anonEndpoint.String()))
-			} else {
-				sb.WriteString(fmt.Sprintf("  endpoint: %s\n", peer.Endpoint.String()))
-			}
-		}
-		if len(peer.AllowedIPs) > 0 {
-			var ipStrings []string
-			for _, ipnet := range peer.AllowedIPs {
-				ipStrings = append(ipStrings, ipnet.String())
-			}
-			sb.WriteString(fmt.Sprintf("  allowed ips: %s\n", strings.Join(ipStrings, ", ")))
-		}
-		sb.WriteString(fmt.Sprintf("  latest handshake: %s\n", peer.LastHandshake.Format(time.RFC1123)))
-		sb.WriteString(fmt.Sprintf("  transfer: %d B received, %d B sent\n", peer.RxBytes, peer.TxBytes))
-		if peer.PresharedKey {
-			sb.WriteString("  preshared key: (hidden)\n")
-		}
-	}
-
-	return sb.String()
-}

client/internal/dns.go

@@ -2,7 +2,7 @@ package internal
 
 import (
 	"fmt"
-	"net/netip"
+	"net"
 	"slices"
 	"strings"
 
@@ -12,14 +12,13 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 )
 
-func createPTRRecord(aRecord nbdns.SimpleRecord, prefix netip.Prefix) (nbdns.SimpleRecord, bool) {
-	ip, err := netip.ParseAddr(aRecord.RData)
-	if err != nil {
-		log.Warnf("failed to parse IP address %s: %v", aRecord.RData, err)
+func createPTRRecord(aRecord nbdns.SimpleRecord, ipNet *net.IPNet) (nbdns.SimpleRecord, bool) {
+	ip := net.ParseIP(aRecord.RData)
+	if ip == nil || ip.To4() == nil {
 		return nbdns.SimpleRecord{}, false
 	}
 
-	if !prefix.Contains(ip) {
+	if !ipNet.Contains(ip) {
 		return nbdns.SimpleRecord{}, false
 	}
 
@@ -37,19 +36,16 @@ func createPTRRecord(aRecord nbdns.SimpleRecord, prefix netip.Prefix) (nbdns.Sim
 }
 
 // generateReverseZoneName creates the reverse DNS zone name for a given network
-func generateReverseZoneName(network netip.Prefix) (string, error) {
-	networkIP := network.Masked().Addr()
-
-	if !networkIP.Is4() {
-		return "", fmt.Errorf("reverse DNS is only supported for IPv4 networks, got: %s", networkIP)
-	}
+func generateReverseZoneName(ipNet *net.IPNet) (string, error) {
+	networkIP := ipNet.IP.Mask(ipNet.Mask)
+	maskOnes, _ := ipNet.Mask.Size()
 
 	// round up to nearest byte
-	octetsToUse := (network.Bits() + 7) / 8
+	octetsToUse := (maskOnes + 7) / 8
 
 	octets := strings.Split(networkIP.String(), ".")
 	if octetsToUse > len(octets) {
-		return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", network.Bits())
+		return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", maskOnes)
 	}
 
 	reverseOctets := make([]string, octetsToUse)
@@ -72,7 +68,7 @@ func zoneExists(config *nbdns.Config, zoneName string) bool {
 }
 
 // collectPTRRecords gathers all PTR records for the given network from A records
-func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.SimpleRecord {
+func collectPTRRecords(config *nbdns.Config, ipNet *net.IPNet) []nbdns.SimpleRecord {
 	var records []nbdns.SimpleRecord
 
 	for _, zone := range config.CustomZones {
@@ -81,7 +77,7 @@ func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.Simple
 				continue
 			}
 
-			if ptrRecord, ok := createPTRRecord(record, prefix); ok {
+			if ptrRecord, ok := createPTRRecord(record, ipNet); ok {
 				records = append(records, ptrRecord)
 			}
 		}
@@ -91,8 +87,8 @@ func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.Simple
 }
 
 // addReverseZone adds a reverse DNS zone to the configuration for the given network
-func addReverseZone(config *nbdns.Config, network netip.Prefix) {
-	zoneName, err := generateReverseZoneName(network)
+func addReverseZone(config *nbdns.Config, ipNet *net.IPNet) {
+	zoneName, err := generateReverseZoneName(ipNet)
 	if err != nil {
 		log.Warn(err)
 		return
@@ -103,7 +99,7 @@ func addReverseZone(config *nbdns.Config, network netip.Prefix) {
 		return
 	}
 
-	records := collectPTRRecords(config, network)
+	records := collectPTRRecords(config, ipNet)
 
 	reverseZone := nbdns.CustomZone{
 		Domain:  zoneName,

client/internal/dns/handler_chain.go

@@ -1,7 +1,6 @@
 package dns
 
 import (
-	"fmt"
 	"slices"
 	"strings"
 	"sync"
@@ -11,10 +10,9 @@ import (
 )
 
 const (
-	PriorityLocal    = 100
-	PriorityDNSRoute = 75
-	PriorityUpstream = 50
-	PriorityDefault  = 1
+	PriorityDNSRoute    = 100
+	PriorityMatchDomain = 50
+	PriorityDefault     = 1
 )
 
 type SubdomainMatcher interface {
@@ -150,42 +148,61 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}
 
 	qname := strings.ToLower(r.Question[0].Name)
+	log.Tracef("handling DNS request for domain=%s", qname)
 
 	c.mu.RLock()
 	handlers := slices.Clone(c.handlers)
 	c.mu.RUnlock()
 
 	if log.IsLevelEnabled(log.TraceLevel) {
-		var b strings.Builder
-		b.WriteString(fmt.Sprintf("DNS request domain=%s, handlers (%d):\n", qname, len(handlers)))
+		log.Tracef("current handlers (%d):", len(handlers))
 		for _, h := range handlers {
-			b.WriteString(fmt.Sprintf("  - pattern: domain=%s original: domain=%s wildcard=%v match_subdomain=%v priority=%d\n",
-				h.Pattern, h.OrigPattern, h.IsWildcard, h.MatchSubdomains, h.Priority))
+			log.Tracef("  - pattern: domain=%s original: domain=%s wildcard=%v match_subdomain=%v priority=%d",
+				h.Pattern, h.OrigPattern, h.IsWildcard, h.MatchSubdomains, h.Priority)
 		}
-		log.Trace(strings.TrimSuffix(b.String(), "\n"))
 	}
 
 	// Try handlers in priority order
 	for _, entry := range handlers {
-		matched := c.isHandlerMatch(qname, entry)
-
-		if matched {
-			log.Tracef("handler matched: domain=%s -> pattern=%s wildcard=%v match_subdomain=%v priority=%d",
-				qname, entry.OrigPattern, entry.IsWildcard, entry.MatchSubdomains, entry.Priority)
-
-			chainWriter := &ResponseWriterChain{
-				ResponseWriter: w,
-				origPattern:    entry.OrigPattern,
+		var matched bool
+		switch {
+		case entry.Pattern == ".":
+			matched = true
+		case entry.IsWildcard:
+			parts := strings.Split(strings.TrimSuffix(qname, entry.Pattern), ".")
+			matched = len(parts) >= 2 && strings.HasSuffix(qname, entry.Pattern)
+		default:
+			// For non-wildcard patterns:
+			// If handler wants subdomain matching, allow suffix match
+			// Otherwise require exact match
+			if entry.MatchSubdomains {
+				matched = strings.EqualFold(qname, entry.Pattern) || strings.HasSuffix(qname, "."+entry.Pattern)
+			} else {
+				matched = strings.EqualFold(qname, entry.Pattern)
 			}
-			entry.Handler.ServeDNS(chainWriter, r)
-
-			// If handler wants to continue, try next handler
-			if chainWriter.shouldContinue {
-				log.Tracef("handler requested continue to next handler for domain=%s", qname)
-				continue
-			}
-			return
 		}
+
+		if !matched {
+			log.Tracef("trying domain match: request: domain=%s pattern: domain=%s wildcard=%v match_subdomain=%v priority=%d matched=false",
+				qname, entry.OrigPattern, entry.MatchSubdomains, entry.IsWildcard, entry.Priority)
+			continue
+		}
+
+		log.Tracef("handler matched: request: domain=%s pattern: domain=%s wildcard=%v match_subdomain=%v priority=%d",
+			qname, entry.OrigPattern, entry.IsWildcard, entry.MatchSubdomains, entry.Priority)
+
+		chainWriter := &ResponseWriterChain{
+			ResponseWriter: w,
+			origPattern:    entry.OrigPattern,
+		}
+		entry.Handler.ServeDNS(chainWriter, r)
+
+		// If handler wants to continue, try next handler
+		if chainWriter.shouldContinue {
+			log.Tracef("handler requested continue to next handler")
+			continue
+		}
+		return
 	}
 
 	// No handler matched or all handlers passed
@@ -196,22 +213,3 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		log.Errorf("failed to write DNS response: %v", err)
 	}
 }
-
-func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
-	switch {
-	case entry.Pattern == ".":
-		return true
-	case entry.IsWildcard:
-		parts := strings.Split(strings.TrimSuffix(qname, entry.Pattern), ".")
-		return len(parts) >= 2 && strings.HasSuffix(qname, entry.Pattern)
-	default:
-		// For non-wildcard patterns:
-		// If handler wants subdomain matching, allow suffix match
-		// Otherwise require exact match
-		if entry.MatchSubdomains {
-			return strings.EqualFold(qname, entry.Pattern) || strings.HasSuffix(qname, "."+entry.Pattern)
-		} else {
-			return strings.EqualFold(qname, entry.Pattern)
-		}
-	}
-}

client/internal/dns/handler_chain_test.go

@@ -22,7 +22,7 @@ func TestHandlerChain_ServeDNS_Priorities(t *testing.T) {
 
 	// Setup handlers with different priorities
 	chain.AddHandler("example.com.", defaultHandler, nbdns.PriorityDefault)
-	chain.AddHandler("example.com.", matchDomainHandler, nbdns.PriorityUpstream)
+	chain.AddHandler("example.com.", matchDomainHandler, nbdns.PriorityMatchDomain)
 	chain.AddHandler("example.com.", dnsRouteHandler, nbdns.PriorityDNSRoute)
 
 	// Create test request
@@ -200,7 +200,7 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 				priority int
 			}{
 				{pattern: "*.example.com.", priority: nbdns.PriorityDefault},
-				{pattern: "*.example.com.", priority: nbdns.PriorityUpstream},
+				{pattern: "*.example.com.", priority: nbdns.PriorityMatchDomain},
 				{pattern: "*.example.com.", priority: nbdns.PriorityDNSRoute},
 			},
 			queryDomain:     "test.example.com.",
@@ -214,7 +214,7 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 				priority int
 			}{
 				{pattern: "*.example.com.", priority: nbdns.PriorityDefault},
-				{pattern: "test.example.com.", priority: nbdns.PriorityUpstream},
+				{pattern: "test.example.com.", priority: nbdns.PriorityMatchDomain},
 				{pattern: "*.test.example.com.", priority: nbdns.PriorityDNSRoute},
 			},
 			queryDomain:     "sub.test.example.com.",
@@ -281,7 +281,7 @@ func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
 
 	// Add handlers in priority order
 	chain.AddHandler("example.com.", handler1, nbdns.PriorityDNSRoute)
-	chain.AddHandler("example.com.", handler2, nbdns.PriorityUpstream)
+	chain.AddHandler("example.com.", handler2, nbdns.PriorityMatchDomain)
 	chain.AddHandler("example.com.", handler3, nbdns.PriorityDefault)
 
 	// Create test request
@@ -344,13 +344,13 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 				priority int
 			}{
 				{"add", "example.com.", nbdns.PriorityDNSRoute},
-				{"add", "example.com.", nbdns.PriorityUpstream},
+				{"add", "example.com.", nbdns.PriorityMatchDomain},
 				{"remove", "example.com.", nbdns.PriorityDNSRoute},
 			},
 			query: "example.com.",
 			expectedCalls: map[int]bool{
-				nbdns.PriorityDNSRoute: false,
-				nbdns.PriorityUpstream: true,
+				nbdns.PriorityDNSRoute:    false,
+				nbdns.PriorityMatchDomain: true,
 			},
 		},
 		{
@@ -361,13 +361,13 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 				priority int
 			}{
 				{"add", "example.com.", nbdns.PriorityDNSRoute},
-				{"add", "example.com.", nbdns.PriorityUpstream},
-				{"remove", "example.com.", nbdns.PriorityUpstream},
+				{"add", "example.com.", nbdns.PriorityMatchDomain},
+				{"remove", "example.com.", nbdns.PriorityMatchDomain},
 			},
 			query: "example.com.",
 			expectedCalls: map[int]bool{
-				nbdns.PriorityDNSRoute: true,
-				nbdns.PriorityUpstream: false,
+				nbdns.PriorityDNSRoute:    true,
+				nbdns.PriorityMatchDomain: false,
 			},
 		},
 		{
@@ -378,16 +378,16 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 				priority int
 			}{
 				{"add", "example.com.", nbdns.PriorityDNSRoute},
-				{"add", "example.com.", nbdns.PriorityUpstream},
+				{"add", "example.com.", nbdns.PriorityMatchDomain},
 				{"add", "example.com.", nbdns.PriorityDefault},
 				{"remove", "example.com.", nbdns.PriorityDNSRoute},
-				{"remove", "example.com.", nbdns.PriorityUpstream},
+				{"remove", "example.com.", nbdns.PriorityMatchDomain},
 			},
 			query: "example.com.",
 			expectedCalls: map[int]bool{
-				nbdns.PriorityDNSRoute: false,
-				nbdns.PriorityUpstream: false,
-				nbdns.PriorityDefault:  true,
+				nbdns.PriorityDNSRoute:    false,
+				nbdns.PriorityMatchDomain: false,
+				nbdns.PriorityDefault:     true,
 			},
 		},
 	}
@@ -454,7 +454,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	// Add handlers in mixed order
 	chain.AddHandler(testDomain, defaultHandler, nbdns.PriorityDefault)
 	chain.AddHandler(testDomain, routeHandler, nbdns.PriorityDNSRoute)
-	chain.AddHandler(testDomain, matchHandler, nbdns.PriorityUpstream)
+	chain.AddHandler(testDomain, matchHandler, nbdns.PriorityMatchDomain)
 
 	// Test 1: Initial state
 	w1 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
@@ -490,7 +490,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	defaultHandler.Calls = nil
 
 	// Test 3: Remove middle priority handler
-	chain.RemoveHandler(testDomain, nbdns.PriorityUpstream)
+	chain.RemoveHandler(testDomain, nbdns.PriorityMatchDomain)
 
 	w3 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
 	// Now lowest priority handler (defaultHandler) should be called
@@ -607,7 +607,7 @@ func TestHandlerChain_CaseSensitivity(t *testing.T) {
 				shouldMatch bool
 			}{
 				{"EXAMPLE.COM.", nbdns.PriorityDefault, false, false},
-				{"example.com.", nbdns.PriorityUpstream, false, false},
+				{"example.com.", nbdns.PriorityMatchDomain, false, false},
 				{"Example.Com.", nbdns.PriorityDNSRoute, false, true},
 			},
 			query:         "example.com.",
@@ -702,8 +702,8 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "example.com.", nbdns.PriorityUpstream, true},
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, false},
+				{"add", "example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, false},
 			},
 			query:         "sub.example.com.",
 			expectedMatch: "sub.example.com.",
@@ -717,8 +717,8 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "example.com.", nbdns.PriorityUpstream, true},
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, true},
+				{"add", "example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, true},
 			},
 			query:         "sub.example.com.",
 			expectedMatch: "sub.example.com.",
@@ -732,10 +732,10 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "example.com.", nbdns.PriorityUpstream, true},
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, true},
-				{"add", "test.sub.example.com.", nbdns.PriorityUpstream, false},
-				{"remove", "test.sub.example.com.", nbdns.PriorityUpstream, false},
+				{"add", "example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "test.sub.example.com.", nbdns.PriorityMatchDomain, false},
+				{"remove", "test.sub.example.com.", nbdns.PriorityMatchDomain, false},
 			},
 			query:         "test.sub.example.com.",
 			expectedMatch: "sub.example.com.",
@@ -749,7 +749,7 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, false},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, false},
 				{"add", "example.com.", nbdns.PriorityDNSRoute, true},
 			},
 			query:         "sub.example.com.",
@@ -764,9 +764,9 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "example.com.", nbdns.PriorityUpstream, true},
-				{"add", "other.example.com.", nbdns.PriorityUpstream, true},
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, false},
+				{"add", "example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "other.example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, false},
 			},
 			query:         "sub.example.com.",
 			expectedMatch: "sub.example.com.",

client/internal/dns/host_windows.go

@@ -1,14 +1,11 @@
 package dns
 
 import (
-	"context"
 	"errors"
 	"fmt"
 	"io"
-	"os/exec"
 	"strings"
 	"syscall"
-	"time"
 
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
@@ -44,20 +41,6 @@ const (
 	interfaceConfigNameServerKey = "NameServer"
 	interfaceConfigSearchListKey = "SearchList"
 
-	// Network interface DNS registration settings
-	disableDynamicUpdateKey           = "DisableDynamicUpdate"
-	registrationEnabledKey            = "RegistrationEnabled"
-	maxNumberOfAddressesToRegisterKey = "MaxNumberOfAddressesToRegister"
-
-	// NetBIOS/WINS settings
-	netbtInterfacePath = `SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces`
-	netbiosOptionsKey  = "NetbiosOptions"
-
-	// NetBIOS option values: 0 = from DHCP, 1 = enabled, 2 = disabled
-	netbiosFromDHCP = 0
-	netbiosEnabled  = 1
-	netbiosDisabled = 2
-
 	// RP_FORCE: Reapply all policies even if no policy change was detected
 	rpForce = 0x1
 )
@@ -84,85 +67,16 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 		log.Infof("detected GPO DNS policy configuration, using policy store")
 	}
 
-	configurator := &registryConfigurator{
+	return &registryConfigurator{
 		guid: guid,
 		gpo:  useGPO,
-	}
-
-	if err := configurator.configureInterface(); err != nil {
-		log.Errorf("failed to configure interface settings: %v", err)
-	}
-
-	return configurator, nil
+	}, nil
 }
 
 func (r *registryConfigurator) supportCustomPort() bool {
 	return false
 }
 
-func (r *registryConfigurator) configureInterface() error {
-	var merr *multierror.Error
-
-	if err := r.disableDNSRegistrationForInterface(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("disable DNS registration: %w", err))
-	}
-
-	if err := r.disableWINSForInterface(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("disable WINS: %w", err))
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *registryConfigurator) disableDNSRegistrationForInterface() error {
-	regKey, err := r.getInterfaceRegistryKey()
-	if err != nil {
-		return fmt.Errorf("get interface registry key: %w", err)
-	}
-	defer closer(regKey)
-
-	var merr *multierror.Error
-
-	if err := regKey.SetDWordValue(disableDynamicUpdateKey, 1); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("set %s: %w", disableDynamicUpdateKey, err))
-	}
-
-	if err := regKey.SetDWordValue(registrationEnabledKey, 0); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("set %s: %w", registrationEnabledKey, err))
-	}
-
-	if err := regKey.SetDWordValue(maxNumberOfAddressesToRegisterKey, 0); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("set %s: %w", maxNumberOfAddressesToRegisterKey, err))
-	}
-
-	if merr == nil || len(merr.Errors) == 0 {
-		log.Infof("disabled DNS registration for interface %s", r.guid)
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *registryConfigurator) disableWINSForInterface() error {
-	netbtKeyPath := fmt.Sprintf(`%s\Tcpip_%s`, netbtInterfacePath, r.guid)
-
-	regKey, err := registry.OpenKey(registry.LOCAL_MACHINE, netbtKeyPath, registry.SET_VALUE)
-	if err != nil {
-		regKey, _, err = registry.CreateKey(registry.LOCAL_MACHINE, netbtKeyPath, registry.SET_VALUE)
-		if err != nil {
-			return fmt.Errorf("create NetBT interface key %s: %w", netbtKeyPath, err)
-		}
-	}
-	defer closer(regKey)
-
-	// NetbiosOptions: 2 = disabled
-	if err := regKey.SetDWordValue(netbiosOptionsKey, netbiosDisabled); err != nil {
-		return fmt.Errorf("set %s: %w", netbiosOptionsKey, err)
-	}
-
-	log.Infof("disabled WINS/NetBIOS for interface %s", r.guid)
-	return nil
-}
-
 func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
 	if config.RouteAll {
 		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
@@ -205,7 +119,9 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		return fmt.Errorf("update search domains: %w", err)
 	}
 
-	go r.flushDNSCache()
+	if err := r.flushDNSCache(); err != nil {
+		log.Errorf("failed to flush DNS cache: %v", err)
+	}
 
 	return nil
 }
@@ -275,25 +191,7 @@ func (r *registryConfigurator) string() string {
 	return "registry"
 }
 
-func (r *registryConfigurator) registerDNS() {
-	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
-	defer cancel()
-
-	// nolint:misspell
-	cmd := exec.CommandContext(ctx, "ipconfig", "/registerdns")
-	out, err := cmd.CombinedOutput()
-
-	if err != nil {
-		log.Errorf("failed to register DNS: %v, output: %s", err, out)
-		return
-	}
-
-	log.Info("registered DNS names")
-}
-
-func (r *registryConfigurator) flushDNSCache() {
-	r.registerDNS()
-
+func (r *registryConfigurator) flushDNSCache() error {
 	// dnsFlushResolverCacheFn.Call() may panic if the func is not found
 	defer func() {
 		if rec := recover(); rec != nil {
@@ -304,14 +202,13 @@ func (r *registryConfigurator) flushDNSCache() {
 	ret, _, err := dnsFlushResolverCacheFn.Call()
 	if ret == 0 {
 		if err != nil && !errors.Is(err, syscall.Errno(0)) {
-			log.Errorf("DnsFlushResolverCache failed: %v", err)
-			return
+			return fmt.Errorf("DnsFlushResolverCache failed: %w", err)
 		}
-		log.Errorf("DnsFlushResolverCache failed")
-		return
+		return fmt.Errorf("DnsFlushResolverCache failed")
 	}
 
 	log.Info("flushed DNS cache")
+	return nil
 }
 
 func (r *registryConfigurator) updateSearchDomains(domains []string) error {
@@ -366,7 +263,9 @@ func (r *registryConfigurator) restoreHostDNS() error {
 		return fmt.Errorf("remove interface registry key: %w", err)
 	}
 
-	go r.flushDNSCache()
+	if err := r.flushDNSCache(); err != nil {
+		log.Errorf("failed to flush DNS cache: %v", err)
+	}
 
 	return nil
 }

client/internal/dns/local/local.go

@@ -12,19 +12,16 @@ import (
 
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/domain"
 )
 
 type Resolver struct {
 	mu      sync.RWMutex
 	records map[dns.Question][]dns.RR
-	domains map[domain.Domain]struct{}
 }
 
 func NewResolver() *Resolver {
 	return &Resolver{
 		records: make(map[dns.Question][]dns.RR),
-		domains: make(map[domain.Domain]struct{}),
 	}
 }
 
@@ -67,12 +64,8 @@ func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		replyMessage.Rcode = dns.RcodeSuccess
 		replyMessage.Answer = append(replyMessage.Answer, records...)
 	} else {
-		// Check if we have any records for this domain name with different types
-		if d.hasRecordsForDomain(domain.Domain(question.Name)) {
-			replyMessage.Rcode = dns.RcodeSuccess // NOERROR with 0 records
-		} else {
-			replyMessage.Rcode = dns.RcodeNameError // NXDOMAIN
-		}
+		// TODO: return success if we have a different record type for the same name, relevant for search domains
+		replyMessage.Rcode = dns.RcodeNameError
 	}
 
 	if err := w.WriteMsg(replyMessage); err != nil {
@@ -80,15 +73,6 @@ func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}
 }
 
-// hasRecordsForDomain checks if any records exist for the given domain name regardless of type
-func (d *Resolver) hasRecordsForDomain(domainName domain.Domain) bool {
-	d.mu.RLock()
-	defer d.mu.RUnlock()
-
-	_, exists := d.domains[domainName]
-	return exists
-}
-
 // lookupRecords fetches *all* DNS records matching the first question in r.
 func (d *Resolver) lookupRecords(question dns.Question) []dns.RR {
 	d.mu.RLock()
@@ -126,8 +110,11 @@ func (d *Resolver) Update(update []nbdns.SimpleRecord) {
 	d.mu.Lock()
 	defer d.mu.Unlock()
 
+	log.Infof("updating %d records. Records: %v", len(update), update)
+
 	maps.Clear(d.records)
-	maps.Clear(d.domains)
+
+	log.Infof("map size: %d", len(d.records))
 
 	for _, rec := range update {
 		if err := d.registerRecord(rec); err != nil {
@@ -161,7 +148,6 @@ func (d *Resolver) registerRecord(record nbdns.SimpleRecord) error {
 	}
 
 	d.records[q] = append(d.records[q], rr)
-	d.domains[domain.Domain(q.Name)] = struct{}{}
 
 	return nil
 }

client/internal/dns/local/local_test.go

@@ -470,115 +470,3 @@ func TestLocalResolver_CNAMEFallback(t *testing.T) {
 		})
 	}
 }
-
-// TestLocalResolver_NoErrorWithDifferentRecordType verifies that querying for a record type
-// that doesn't exist but where other record types exist for the same domain returns NOERROR
-// with 0 records instead of NXDOMAIN
-func TestLocalResolver_NoErrorWithDifferentRecordType(t *testing.T) {
-	resolver := NewResolver()
-
-	recordA := nbdns.SimpleRecord{
-		Name:  "example.netbird.cloud.",
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "192.168.1.100",
-	}
-
-	recordCNAME := nbdns.SimpleRecord{
-		Name:  "alias.netbird.cloud.",
-		Type:  int(dns.TypeCNAME),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "target.example.com.",
-	}
-
-	resolver.Update([]nbdns.SimpleRecord{recordA, recordCNAME})
-
-	testCases := []struct {
-		name           string
-		queryName      string
-		queryType      uint16
-		expectedRcode  int
-		shouldHaveData bool
-	}{
-		{
-			name:           "Query A record that exists",
-			queryName:      "example.netbird.cloud.",
-			queryType:      dns.TypeA,
-			expectedRcode:  dns.RcodeSuccess,
-			shouldHaveData: true,
-		},
-		{
-			name:           "Query AAAA for domain with only A record",
-			queryName:      "example.netbird.cloud.",
-			queryType:      dns.TypeAAAA,
-			expectedRcode:  dns.RcodeSuccess,
-			shouldHaveData: false,
-		},
-		{
-			name:           "Query other record with different case and non-fqdn",
-			queryName:      "EXAMPLE.netbird.cloud",
-			queryType:      dns.TypeAAAA,
-			expectedRcode:  dns.RcodeSuccess,
-			shouldHaveData: false,
-		},
-		{
-			name:           "Query TXT for domain with only A record",
-			queryName:      "example.netbird.cloud.",
-			queryType:      dns.TypeTXT,
-			expectedRcode:  dns.RcodeSuccess,
-			shouldHaveData: false,
-		},
-		{
-			name:           "Query A for domain with only CNAME record",
-			queryName:      "alias.netbird.cloud.",
-			queryType:      dns.TypeA,
-			expectedRcode:  dns.RcodeSuccess,
-			shouldHaveData: true,
-		},
-		{
-			name:           "Query AAAA for domain with only CNAME record",
-			queryName:      "alias.netbird.cloud.",
-			queryType:      dns.TypeAAAA,
-			expectedRcode:  dns.RcodeSuccess,
-			shouldHaveData: true,
-		},
-		{
-			name:           "Query for completely non-existent domain",
-			queryName:      "nonexistent.netbird.cloud.",
-			queryType:      dns.TypeA,
-			expectedRcode:  dns.RcodeNameError,
-			shouldHaveData: false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			var responseMSG *dns.Msg
-
-			msg := new(dns.Msg).SetQuestion(tc.queryName, tc.queryType)
-
-			responseWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-
-			resolver.ServeDNS(responseWriter, msg)
-
-			require.NotNil(t, responseMSG, "Should have received a response message")
-
-			assert.Equal(t, tc.expectedRcode, responseMSG.Rcode,
-				"Response code should be %d (%s)",
-				tc.expectedRcode, dns.RcodeToString[tc.expectedRcode])
-
-			if tc.shouldHaveData {
-				assert.Greater(t, len(responseMSG.Answer), 0, "Response should contain answers")
-			} else {
-				assert.Equal(t, 0, len(responseMSG.Answer), "Response should contain no answers")
-			}
-		})
-	}
-}

client/internal/dns/server.go

@@ -489,7 +489,7 @@ func (s *DefaultServer) applyHostConfig() {
 		}
 	}
 
-	log.Debugf("extra match domains: %v", maps.Keys(s.extraDomains))
+	log.Debugf("extra match domains: %v", s.extraDomains)
 
 	if err := s.hostManager.applyDNSConfig(config, s.stateManager); err != nil {
 		log.Errorf("failed to apply DNS host manager update: %v", err)
@@ -527,7 +527,7 @@ func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone)
 		muxUpdates = append(muxUpdates, handlerWrapper{
 			domain:   customZone.Domain,
 			handler:  s.localResolver,
-			priority: PriorityLocal,
+			priority: PriorityMatchDomain,
 		})
 
 		for _, record := range customZone.Records {
@@ -566,7 +566,7 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 	groupedNS := groupNSGroupsByDomain(nameServerGroups)
 
 	for _, domainGroup := range groupedNS {
-		basePriority := PriorityUpstream
+		basePriority := PriorityMatchDomain
 		if domainGroup.domain == nbdns.RootZone {
 			basePriority = PriorityDefault
 		}
@@ -588,14 +588,10 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		// Decrement priority by handler index (0, 1, 2, ...) to avoid conflicts
 		priority := basePriority - i
 
-		// Check if we're about to overlap with the next priority tier.
-		// This boundary check ensures that the priority of upstream handlers does not conflict
-		// with the default priority tier. By decrementing the priority for each handler, we avoid
-		// overlaps, but if the calculated priority falls into the default tier, we skip the remaining
-		// handlers to maintain the integrity of the priority system.
-		if basePriority == PriorityUpstream && priority <= PriorityDefault {
+		// Check if we're about to overlap with the next priority tier
+		if basePriority == PriorityMatchDomain && priority <= PriorityDefault {
 			log.Warnf("too many handlers for domain=%s, would overlap with default priority tier (diff=%d). Skipping remaining handlers",
-				domainGroup.domain, PriorityUpstream-PriorityDefault)
+				domainGroup.domain, PriorityMatchDomain-PriorityDefault)
 			break
 		}
 

client/internal/dns/server_test.go

@@ -46,9 +46,10 @@ func (w *mocWGIface) Name() string {
 }
 
 func (w *mocWGIface) Address() wgaddr.Address {
+	ip, network, _ := net.ParseCIDR("100.66.100.0/24")
 	return wgaddr.Address{
-		IP:      netip.MustParseAddr("100.66.100.1"),
-		Network: netip.MustParsePrefix("100.66.100.0/24"),
+		IP:      ip,
+		Network: network,
 	}
 }
 
@@ -164,12 +165,12 @@ func TestUpdateDNSServer(t *testing.T) {
 				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
 					domain:   "netbird.io",
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				dummyHandler.ID(): handlerWrapper{
 					domain:   "netbird.cloud",
 					handler:  dummyHandler,
-					priority: PriorityLocal,
+					priority: PriorityMatchDomain,
 				},
 				generateDummyHandler(".", nameServers).ID(): handlerWrapper{
 					domain:   nbdns.RootZone,
@@ -186,7 +187,7 @@ func TestUpdateDNSServer(t *testing.T) {
 				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   "netbird.cloud",
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			initSerial:  0,
@@ -210,12 +211,12 @@ func TestUpdateDNSServer(t *testing.T) {
 				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
 					domain:   "netbird.io",
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				"local-resolver": handlerWrapper{
 					domain:   "netbird.cloud",
 					handler:  dummyHandler,
-					priority: PriorityLocal,
+					priority: PriorityMatchDomain,
 				},
 			},
 			expectedLocalQs: []dns.Question{{Name: zoneRecords[0].Name, Qtype: 1, Qclass: 1}},
@@ -305,7 +306,7 @@ func TestUpdateDNSServer(t *testing.T) {
 				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			initSerial:          0,
@@ -321,7 +322,7 @@ func TestUpdateDNSServer(t *testing.T) {
 				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			initSerial:          0,
@@ -463,10 +464,17 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 
+	_, ipNet, err := net.ParseCIDR("100.66.100.1/32")
+	if err != nil {
+		t.Errorf("parse CIDR: %v", err)
+		return
+	}
+
 	packetfilter := pfmock.NewMockPacketFilter(ctrl)
 	packetfilter.EXPECT().DropOutgoing(gomock.Any(), gomock.Any()).AnyTimes()
 	packetfilter.EXPECT().AddUDPPacketHook(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any())
 	packetfilter.EXPECT().RemovePacketHook(gomock.Any())
+	packetfilter.EXPECT().SetNetwork(ipNet)
 
 	if err := wgIface.SetFilter(packetfilter); err != nil {
 		t.Errorf("set packet filter: %v", err)
@@ -495,7 +503,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 		"id1": handlerWrapper{
 			domain:   zoneRecords[0].Name,
 			handler:  &local.Resolver{},
-			priority: PriorityUpstream,
+			priority: PriorityMatchDomain,
 		},
 	}
 	//dnsServer.localResolver.RegisteredMap = local.RegistrationMap{local.BuildRecordKey("netbird.cloud", dns.ClassINET, dns.TypeA): struct{}{}}
@@ -978,7 +986,7 @@ func TestHandlerChain_DomainPriorities(t *testing.T) {
 	}
 
 	chain.AddHandler("example.com.", dnsRouteHandler, PriorityDNSRoute)
-	chain.AddHandler("example.com.", upstreamHandler, PriorityUpstream)
+	chain.AddHandler("example.com.", upstreamHandler, PriorityMatchDomain)
 
 	testCases := []struct {
 		name            string
@@ -1059,14 +1067,14 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 			handler: &mockHandler{
 				Id: "upstream-group1",
 			},
-			priority: PriorityUpstream,
+			priority: PriorityMatchDomain,
 		},
 		"upstream-group2": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group2",
 			},
-			priority: PriorityUpstream - 1,
+			priority: PriorityMatchDomain - 1,
 		},
 	}
 
@@ -1093,21 +1101,21 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 			handler: &mockHandler{
 				Id: "upstream-group1",
 			},
-			priority: PriorityUpstream,
+			priority: PriorityMatchDomain,
 		},
 		"upstream-group2": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group2",
 			},
-			priority: PriorityUpstream - 1,
+			priority: PriorityMatchDomain - 1,
 		},
 		"upstream-other": {
 			domain: "other.com",
 			handler: &mockHandler{
 				Id: "upstream-other",
 			},
-			priority: PriorityUpstream,
+			priority: PriorityMatchDomain,
 		},
 	}
 
@@ -1128,7 +1136,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group2",
 					},
-					priority: PriorityUpstream - 1,
+					priority: PriorityMatchDomain - 1,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1146,7 +1154,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1164,7 +1172,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group3",
 					},
-					priority: PriorityUpstream + 1,
+					priority: PriorityMatchDomain + 1,
 				},
 				// Keep existing groups with their original priorities
 				{
@@ -1172,14 +1180,14 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "example.com",
 					handler: &mockHandler{
 						Id: "upstream-group2",
 					},
-					priority: PriorityUpstream - 1,
+					priority: PriorityMatchDomain - 1,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1199,14 +1207,14 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "example.com",
 					handler: &mockHandler{
 						Id: "upstream-group2",
 					},
-					priority: PriorityUpstream - 1,
+					priority: PriorityMatchDomain - 1,
 				},
 				// Add group3 with lowest priority
 				{
@@ -1214,7 +1222,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group3",
 					},
-					priority: PriorityUpstream - 2,
+					priority: PriorityMatchDomain - 2,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1335,14 +1343,14 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "other.com",
 					handler: &mockHandler{
 						Id: "upstream-other",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1360,28 +1368,28 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "example.com",
 					handler: &mockHandler{
 						Id: "upstream-group2",
 					},
-					priority: PriorityUpstream - 1,
+					priority: PriorityMatchDomain - 1,
 				},
 				{
 					domain: "other.com",
 					handler: &mockHandler{
 						Id: "upstream-other",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "new.com",
 					handler: &mockHandler{
 						Id: "upstream-new",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1791,14 +1799,14 @@ func TestExtraDomainsRefCounting(t *testing.T) {
 
 	// Register domains from different handlers with same domain
 	server.RegisterHandler(domain.List{"*.shared.example.com"}, &MockHandler{}, PriorityDNSRoute)
-	server.RegisterHandler(domain.List{"shared.example.com."}, &MockHandler{}, PriorityUpstream)
+	server.RegisterHandler(domain.List{"shared.example.com."}, &MockHandler{}, PriorityMatchDomain)
 
 	// Verify refcount is 2
 	zoneKey := toZone("shared.example.com")
 	assert.Equal(t, 2, server.extraDomains[zoneKey], "Refcount should be 2 after registering same domain twice")
 
 	// Deregister one handler
-	server.DeregisterHandler(domain.List{"shared.example.com"}, PriorityUpstream)
+	server.DeregisterHandler(domain.List{"shared.example.com"}, PriorityMatchDomain)
 
 	// Verify refcount is 1
 	assert.Equal(t, 1, server.extraDomains[zoneKey], "Refcount should be 1 after deregistering one handler")
@@ -1925,7 +1933,7 @@ func TestDomainCaseHandling(t *testing.T) {
 	}
 
 	server.RegisterHandler(domain.List{"MIXED.example.com"}, &MockHandler{}, PriorityDefault)
-	server.RegisterHandler(domain.List{"mixed.EXAMPLE.com"}, &MockHandler{}, PriorityUpstream)
+	server.RegisterHandler(domain.List{"mixed.EXAMPLE.com"}, &MockHandler{}, PriorityMatchDomain)
 
 	assert.Equal(t, 1, len(server.extraDomains), "Case differences should be normalized")
 
@@ -1945,111 +1953,3 @@ func TestDomainCaseHandling(t *testing.T) {
 	assert.Contains(t, domains, "config.example.com.", "Mixed case domain should be normalized and pre.sent")
 	assert.Contains(t, domains, "mixed.example.com.", "Mixed case domain should be normalized and present")
 }
-
-func TestLocalResolverPriorityInServer(t *testing.T) {
-	server := &DefaultServer{
-		ctx:           context.Background(),
-		wgInterface:   &mocWGIface{},
-		handlerChain:  NewHandlerChain(),
-		localResolver: local.NewResolver(),
-		service:       &mockService{},
-		extraDomains:  make(map[domain.Domain]int),
-	}
-
-	config := nbdns.Config{
-		ServiceEnable: true,
-		CustomZones: []nbdns.CustomZone{
-			{
-				Domain: "local.example.com",
-				Records: []nbdns.SimpleRecord{
-					{
-						Name:  "test.local.example.com",
-						Type:  int(dns.TypeA),
-						Class: nbdns.DefaultClass,
-						TTL:   300,
-						RData: "192.168.1.100",
-					},
-				},
-			},
-		},
-		NameServerGroups: []*nbdns.NameServerGroup{
-			{
-				Domains: []string{"local.example.com"}, // Same domain as local records
-				NameServers: []nbdns.NameServer{
-					{
-						IP:     netip.MustParseAddr("8.8.8.8"),
-						NSType: nbdns.UDPNameServerType,
-						Port:   53,
-					},
-				},
-			},
-		},
-	}
-
-	localMuxUpdates, _, err := server.buildLocalHandlerUpdate(config.CustomZones)
-	assert.NoError(t, err)
-
-	upstreamMuxUpdates, err := server.buildUpstreamHandlerUpdate(config.NameServerGroups)
-	assert.NoError(t, err)
-
-	// Verify that local handler has higher priority than upstream for same domain
-	var localPriority, upstreamPriority int
-	localFound, upstreamFound := false, false
-
-	for _, update := range localMuxUpdates {
-		if update.domain == "local.example.com" {
-			localPriority = update.priority
-			localFound = true
-		}
-	}
-
-	for _, update := range upstreamMuxUpdates {
-		if update.domain == "local.example.com" {
-			upstreamPriority = update.priority
-			upstreamFound = true
-		}
-	}
-
-	assert.True(t, localFound, "Local handler should be found")
-	assert.True(t, upstreamFound, "Upstream handler should be found")
-	assert.Greater(t, localPriority, upstreamPriority,
-		"Local handler priority (%d) should be higher than upstream priority (%d)",
-		localPriority, upstreamPriority)
-	assert.Equal(t, PriorityLocal, localPriority, "Local handler should use PriorityLocal")
-	assert.Equal(t, PriorityUpstream, upstreamPriority, "Upstream handler should use PriorityUpstream")
-}
-
-func TestLocalResolverPriorityConstants(t *testing.T) {
-	// Test that priority constants are ordered correctly
-	assert.Greater(t, PriorityLocal, PriorityDNSRoute, "Local priority should be higher than DNS route")
-	assert.Greater(t, PriorityLocal, PriorityUpstream, "Local priority should be higher than upstream")
-	assert.Greater(t, PriorityUpstream, PriorityDefault, "Upstream priority should be higher than default")
-
-	// Test that local resolver uses the correct priority
-	server := &DefaultServer{
-		localResolver: local.NewResolver(),
-	}
-
-	config := nbdns.Config{
-		CustomZones: []nbdns.CustomZone{
-			{
-				Domain: "local.example.com",
-				Records: []nbdns.SimpleRecord{
-					{
-						Name:  "test.local.example.com",
-						Type:  int(dns.TypeA),
-						Class: nbdns.DefaultClass,
-						TTL:   300,
-						RData: "192.168.1.100",
-					},
-				},
-			},
-		},
-	}
-
-	localMuxUpdates, _, err := server.buildLocalHandlerUpdate(config.CustomZones)
-	assert.NoError(t, err)
-	assert.Len(t, localMuxUpdates, 1)
-	assert.Equal(t, PriorityLocal, localMuxUpdates[0].priority, "Local handler should use PriorityLocal")
-	assert.Equal(t, "local.example.com", localMuxUpdates[0].domain)
-}

client/internal/dns/service_memory.go

@@ -24,15 +24,11 @@ type ServiceViaMemory struct {
 }
 
 func NewServiceViaMemory(wgIface WGIface) *ServiceViaMemory {
-	lastIP, err := nbnet.GetLastIPFromNetwork(wgIface.Address().Network, 1)
-	if err != nil {
-		log.Errorf("get last ip from network: %v", err)
-	}
 	s := &ServiceViaMemory{
 		wgInterface: wgIface,
 		dnsMux:      dns.NewServeMux(),
 
-		runtimeIP:   lastIP.String(),
+		runtimeIP:   nbnet.GetLastIPFromNetwork(wgIface.Address().Network, 1).String(),
 		runtimePort: defaultPort,
 	}
 	return s
@@ -95,7 +91,7 @@ func (s *ServiceViaMemory) filterDNSTraffic() (string, error) {
 	}
 
 	firstLayerDecoder := layers.LayerTypeIPv4
-	if s.wgInterface.Address().IP.Is6() {
+	if s.wgInterface.Address().Network.IP.To4() == nil {
 		firstLayerDecoder = layers.LayerTypeIPv6
 	}
 

client/internal/dns/service_memory_test.go

@@ -0,0 +1,33 @@
+package dns
+
+import (
+	"net"
+	"testing"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+func TestGetLastIPFromNetwork(t *testing.T) {
+	tests := []struct {
+		addr string
+		ip   string
+	}{
+		{"2001:db8::/32", "2001:db8:ffff:ffff:ffff:ffff:ffff:fffe"},
+		{"192.168.0.0/30", "192.168.0.2"},
+		{"192.168.0.0/16", "192.168.255.254"},
+		{"192.168.0.0/24", "192.168.0.254"},
+	}
+
+	for _, tt := range tests {
+		_, ipnet, err := net.ParseCIDR(tt.addr)
+		if err != nil {
+			t.Errorf("Error parsing CIDR: %v", err)
+			return
+		}
+
+		lastIP := nbnet.GetLastIPFromNetwork(ipnet, 1).String()
+		if lastIP != tt.ip {
+			t.Errorf("wrong IP address, expected %s: got %s", tt.ip, lastIP)
+		}
+	}
+}

client/internal/dns/upstream.go

@@ -2,7 +2,6 @@ package dns
 
 import (
 	"context"
-	"crypto/rand"
 	"crypto/sha256"
 	"encoding/hex"
 	"errors"
@@ -104,21 +103,19 @@ func (u *upstreamResolverBase) Stop() {
 
 // ServeDNS handles a DNS request
 func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	requestID := GenerateRequestID()
-	logger := log.WithField("request_id", requestID)
 	var err error
 	defer func() {
 		u.checkUpstreamFails(err)
 	}()
 
-	logger.Tracef("received upstream question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+	log.Tracef("received upstream question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
 	if r.Extra == nil {
 		r.MsgHdr.AuthenticatedData = true
 	}
 
 	select {
 	case <-u.ctx.Done():
-		logger.Tracef("%s has been stopped", u)
+		log.Tracef("%s has been stopped", u)
 		return
 	default:
 	}
@@ -135,35 +132,35 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 
 		if err != nil {
 			if errors.Is(err, context.DeadlineExceeded) || isTimeout(err) {
-				logger.Warnf("upstream %s timed out for question domain=%s", upstream, r.Question[0].Name)
+				log.Warnf("upstream %s timed out for question domain=%s", upstream, r.Question[0].Name)
 				continue
 			}
-			logger.Warnf("failed to query upstream %s for question domain=%s: %s", upstream, r.Question[0].Name, err)
+			log.Warnf("failed to query upstream %s for question domain=%s: %s", upstream, r.Question[0].Name, err)
 			continue
 		}
 
 		if rm == nil || !rm.Response {
-			logger.Warnf("no response from upstream %s for question domain=%s", upstream, r.Question[0].Name)
+			log.Warnf("no response from upstream %s for question domain=%s", upstream, r.Question[0].Name)
 			continue
 		}
 
 		u.successCount.Add(1)
-		logger.Tracef("took %s to query the upstream %s for question domain=%s", t, upstream, r.Question[0].Name)
+		log.Tracef("took %s to query the upstream %s for question domain=%s", t, upstream, r.Question[0].Name)
 
 		if err = w.WriteMsg(rm); err != nil {
-			logger.Errorf("failed to write DNS response for question domain=%s: %s", r.Question[0].Name, err)
+			log.Errorf("failed to write DNS response for question domain=%s: %s", r.Question[0].Name, err)
 		}
 		// count the fails only if they happen sequentially
 		u.failsCount.Store(0)
 		return
 	}
 	u.failsCount.Add(1)
-	logger.Errorf("all queries to the %s failed for question domain=%s", u, r.Question[0].Name)
+	log.Errorf("all queries to the %s failed for question domain=%s", u, r.Question[0].Name)
 
 	m := new(dns.Msg)
 	m.SetRcode(r, dns.RcodeServerFailure)
 	if err := w.WriteMsg(m); err != nil {
-		logger.Errorf("failed to write error response for %s for question domain=%s: %s", u, r.Question[0].Name, err)
+		log.Errorf("failed to write error response for %s for question domain=%s: %s", u, r.Question[0].Name, err)
 	}
 }
 
@@ -388,13 +385,3 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 
 	return rm, t, nil
 }
-
-func GenerateRequestID() string {
-	bytes := make([]byte, 4)
-	_, err := rand.Read(bytes)
-	if err != nil {
-		log.Errorf("failed to generate request ID: %v", err)
-		return ""
-	}
-	return hex.EncodeToString(bytes)
-}

client/internal/dns/upstream_android.go

@@ -3,7 +3,6 @@ package dns
 import (
 	"context"
 	"net"
-	"net/netip"
 	"syscall"
 	"time"
 
@@ -24,8 +23,8 @@ type upstreamResolver struct {
 func newUpstreamResolver(
 	ctx context.Context,
 	_ string,
-	_ netip.Addr,
-	_ netip.Prefix,
+	_ net.IP,
+	_ *net.IPNet,
 	statusRecorder *peer.Status,
 	hostsDNSHolder *hostsDNSHolder,
 	domain string,
@@ -84,10 +83,3 @@ func (u *upstreamResolver) isLocalResolver(upstream string) bool {
 	}
 	return false
 }
-
-func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
-	return &dns.Client{
-		Timeout: dialTimeout,
-		Net:     "udp",
-	}, nil
-}

client/internal/dns/upstream_general.go

@@ -4,7 +4,7 @@ package dns
 
 import (
 	"context"
-	"net/netip"
+	"net"
 	"time"
 
 	"github.com/miekg/dns"
@@ -19,8 +19,8 @@ type upstreamResolver struct {
 func newUpstreamResolver(
 	ctx context.Context,
 	_ string,
-	_ netip.Addr,
-	_ netip.Prefix,
+	_ net.IP,
+	_ *net.IPNet,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
 	domain string,
@@ -36,10 +36,3 @@ func newUpstreamResolver(
 func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
 	return ExchangeWithFallback(ctx, &dns.Client{}, r, upstream)
 }
-
-func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
-	return &dns.Client{
-		Timeout: dialTimeout,
-		Net:     "udp",
-	}, nil
-}

client/internal/dns/upstream_ios.go

@@ -6,7 +6,6 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
 	"syscall"
 	"time"
 
@@ -19,16 +18,16 @@ import (
 
 type upstreamResolverIOS struct {
 	*upstreamResolverBase
-	lIP           netip.Addr
-	lNet          netip.Prefix
+	lIP           net.IP
+	lNet          *net.IPNet
 	interfaceName string
 }
 
 func newUpstreamResolver(
 	ctx context.Context,
 	interfaceName string,
-	ip netip.Addr,
-	net netip.Prefix,
+	ip net.IP,
+	net *net.IPNet,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
 	domain string,
@@ -59,11 +58,8 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	}
 	client.DialTimeout = timeout
 
-	upstreamIP, err := netip.ParseAddr(upstreamHost)
-	if err != nil {
-		log.Warnf("failed to parse upstream host %s: %s", upstreamHost, err)
-	}
-	if u.lNet.Contains(upstreamIP) || upstreamIP.IsPrivate() {
+	upstreamIP := net.ParseIP(upstreamHost)
+	if u.lNet.Contains(upstreamIP) || net.IP.IsPrivate(upstreamIP) {
 		log.Debugf("using private client to query upstream: %s", upstream)
 		client, err = GetClientPrivate(u.lIP, u.interfaceName, timeout)
 		if err != nil {
@@ -77,7 +73,7 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 
 // GetClientPrivate returns a new DNS client bound to the local IP address of the Netbird interface
 // This method is needed for iOS
-func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
+func GetClientPrivate(ip net.IP, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {
 	index, err := getInterfaceIndex(interfaceName)
 	if err != nil {
 		log.Debugf("unable to get interface index for %s: %s", interfaceName, err)
@@ -86,7 +82,7 @@ func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Dura
 
 	dialer := &net.Dialer{
 		LocalAddr: &net.UDPAddr{
-			IP:   ip.AsSlice(),
+			IP:   ip,
 			Port: 0, // Let the OS pick a free port
 		},
 		Timeout: dialTimeout,

client/internal/dns/upstream_test.go

@@ -2,7 +2,7 @@ package dns
 
 import (
 	"context"
-	"net/netip"
+	"net"
 	"strings"
 	"testing"
 	"time"
@@ -58,7 +58,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			ctx, cancel := context.WithCancel(context.TODO())
-			resolver, _ := newUpstreamResolver(ctx, "", netip.Addr{}, netip.Prefix{}, nil, nil, ".")
+			resolver, _ := newUpstreamResolver(ctx, "", net.IP{}, &net.IPNet{}, nil, nil, ".")
 			resolver.upstreamServers = testCase.InputServers
 			resolver.upstreamTimeout = testCase.timeout
 			if testCase.cancelCTX {

client/internal/dnsfwd/forwarder.go

@@ -18,20 +18,14 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/route"
 )
 
 const errResolveFailed = "failed to resolve query for domain=%s: %v"
 const upstreamTimeout = 15 * time.Second
 
-type resolver interface {
-	LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error)
-}
-
-type firewaller interface {
-	UpdateSet(set firewall.Set, prefixes []netip.Prefix) error
-}
-
 type DNSForwarder struct {
 	listenAddress  string
 	ttl            uint32
@@ -44,18 +38,16 @@ type DNSForwarder struct {
 
 	mutex      sync.RWMutex
 	fwdEntries []*ForwarderEntry
-	firewall   firewaller
-	resolver   resolver
+	firewall   firewall.Manager
 }
 
-func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewaller, statusRecorder *peer.Status) *DNSForwarder {
+func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewall.Manager, statusRecorder *peer.Status) *DNSForwarder {
 	log.Debugf("creating DNS forwarder with listen_address=%s ttl=%d", listenAddress, ttl)
 	return &DNSForwarder{
 		listenAddress:  listenAddress,
 		ttl:            ttl,
 		firewall:       firewall,
 		statusRecorder: statusRecorder,
-		resolver:       net.DefaultResolver,
 	}
 }
 
@@ -65,17 +57,14 @@ func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
 	// UDP server
 	mux := dns.NewServeMux()
 	f.mux = mux
-	mux.HandleFunc(".", f.handleDNSQueryUDP)
 	f.dnsServer = &dns.Server{
 		Addr:    f.listenAddress,
 		Net:     "udp",
 		Handler: mux,
 	}
-
 	// TCP server
 	tcpMux := dns.NewServeMux()
 	f.tcpMux = tcpMux
-	tcpMux.HandleFunc(".", f.handleDNSQueryTCP)
 	f.tcpServer = &dns.Server{
 		Addr:    f.listenAddress,
 		Net:     "tcp",
@@ -98,13 +87,30 @@ func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
 	// return the first error we get (e.g. bind failure or shutdown)
 	return <-errCh
 }
-
 func (f *DNSForwarder) UpdateDomains(entries []*ForwarderEntry) {
 	f.mutex.Lock()
 	defer f.mutex.Unlock()
 
+	if f.mux == nil {
+		log.Debug("DNS mux is nil, skipping domain update")
+		f.fwdEntries = entries
+		return
+	}
+
+	oldDomains := filterDomains(f.fwdEntries)
+	for _, d := range oldDomains {
+		f.mux.HandleRemove(d.PunycodeString())
+		f.tcpMux.HandleRemove(d.PunycodeString())
+	}
+
+	newDomains := filterDomains(entries)
+	for _, d := range newDomains {
+		f.mux.HandleFunc(d.PunycodeString(), f.handleDNSQueryUDP)
+		f.tcpMux.HandleFunc(d.PunycodeString(), f.handleDNSQueryTCP)
+	}
+
 	f.fwdEntries = entries
-	log.Debugf("Updated DNS forwarder with %d domains", len(entries))
+	log.Debugf("Updated domains from %v to %v", oldDomains, newDomains)
 }
 
 func (f *DNSForwarder) Close(ctx context.Context) error {
@@ -151,31 +157,22 @@ func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) *dns
 		return nil
 	}
 
-	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(domain, "."))
-	// query doesn't match any configured domain
-	if mostSpecificResId == "" {
-		resp.Rcode = dns.RcodeRefused
-		if err := w.WriteMsg(resp); err != nil {
-			log.Errorf("failed to write DNS response: %v", err)
-		}
-		return nil
-	}
-
 	ctx, cancel := context.WithTimeout(context.Background(), upstreamTimeout)
 	defer cancel()
-	ips, err := f.resolver.LookupNetIP(ctx, network, domain)
+	ips, err := net.DefaultResolver.LookupNetIP(ctx, network, domain)
 	if err != nil {
 		f.handleDNSError(w, query, resp, domain, err)
 		return nil
 	}
 
-	f.updateInternalState(ips, mostSpecificResId, matchingEntries)
+	f.updateInternalState(domain, ips)
 	f.addIPsToResponse(resp, domain, ips)
 
 	return resp
 }
 
 func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
+
 	resp := f.handleDNSQuery(w, query)
 	if resp == nil {
 		return
@@ -209,8 +206,9 @@ func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
 	}
 }
 
-func (f *DNSForwarder) updateInternalState(ips []netip.Addr, mostSpecificResId route.ResID, matchingEntries []*ForwarderEntry) {
+func (f *DNSForwarder) updateInternalState(domain string, ips []netip.Addr) {
 	var prefixes []netip.Prefix
+	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(domain, "."))
 	if mostSpecificResId != "" {
 		for _, ip := range ips {
 			var prefix netip.Prefix
@@ -341,3 +339,16 @@ func (f *DNSForwarder) getMatchingEntries(domain string) (route.ResID, []*Forwar
 
 	return selectedResId, matches
 }
+
+// filterDomains returns a list of normalized domains
+func filterDomains(entries []*ForwarderEntry) domain.List {
+	newDomains := make(domain.List, 0, len(entries))
+	for _, d := range entries {
+		if d.Domain == "" {
+			log.Warn("empty domain in DNS forwarder")
+			continue
+		}
+		newDomains = append(newDomains, domain.Domain(nbdns.NormalizeZone(d.Domain.PunycodeString())))
+	}
+	return newDomains
+}

client/internal/dnsfwd/forwarder_test.go

@@ -1,21 +1,11 @@
 package dnsfwd
 
 import (
-	"context"
-	"fmt"
-	"net/netip"
-	"strings"
 	"testing"
-	"time"
 
-	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/internal/dns/test"
-	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/route"
 )
@@ -23,7 +13,7 @@ import (
 func Test_getMatchingEntries(t *testing.T) {
 	testCases := []struct {
 		name           string
-		storedMappings map[string]route.ResID
+		storedMappings map[string]route.ResID // key: domain pattern, value: resId
 		queryDomain    string
 		expectedResId  route.ResID
 	}{
@@ -54,7 +44,7 @@ func Test_getMatchingEntries(t *testing.T) {
 		{
 			name:           "Wildcard pattern does not match different domain",
 			storedMappings: map[string]route.ResID{"*.example.com": "res4"},
-			queryDomain:    "foo.example.org",
+			queryDomain:    "foo.notexample.com",
 			expectedResId:  "",
 		},
 		{
@@ -111,619 +101,3 @@ func Test_getMatchingEntries(t *testing.T) {
 		})
 	}
 }
-
-type MockFirewall struct {
-	mock.Mock
-}
-
-func (m *MockFirewall) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	args := m.Called(set, prefixes)
-	return args.Error(0)
-}
-
-type MockResolver struct {
-	mock.Mock
-}
-
-func (m *MockResolver) LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error) {
-	args := m.Called(ctx, network, host)
-	return args.Get(0).([]netip.Addr), args.Error(1)
-}
-
-func TestDNSForwarder_SubdomainAccessLogic(t *testing.T) {
-	tests := []struct {
-		name             string
-		configuredDomain string
-		queryDomain      string
-		shouldMatch      bool
-		expectedResID    route.ResID
-		description      string
-	}{
-		{
-			name:             "exact domain match should be allowed",
-			configuredDomain: "example.com",
-			queryDomain:      "example.com",
-			shouldMatch:      true,
-			expectedResID:    "test-res-id",
-			description:      "Direct match to configured domain should work",
-		},
-		{
-			name:             "subdomain access should be restricted",
-			configuredDomain: "example.com",
-			queryDomain:      "mail.example.com",
-			shouldMatch:      false,
-			expectedResID:    "",
-			description:      "Subdomain should not be accessible unless explicitly configured",
-		},
-		{
-			name:             "wildcard should allow subdomains",
-			configuredDomain: "*.example.com",
-			queryDomain:      "mail.example.com",
-			shouldMatch:      true,
-			expectedResID:    "test-res-id",
-			description:      "Wildcard domains should allow subdomain access",
-		},
-		{
-			name:             "wildcard should allow base domain",
-			configuredDomain: "*.example.com",
-			queryDomain:      "example.com",
-			shouldMatch:      true,
-			expectedResID:    "test-res-id",
-			description:      "Wildcard should also match the base domain",
-		},
-		{
-			name:             "deep subdomain should be restricted",
-			configuredDomain: "example.com",
-			queryDomain:      "deep.mail.example.com",
-			shouldMatch:      false,
-			expectedResID:    "",
-			description:      "Deep subdomains should not be accessible",
-		},
-		{
-			name:             "wildcard allows deep subdomains",
-			configuredDomain: "*.example.com",
-			queryDomain:      "deep.mail.example.com",
-			shouldMatch:      true,
-			expectedResID:    "test-res-id",
-			description:      "Wildcard should allow deep subdomains",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			forwarder := &DNSForwarder{}
-
-			d, err := domain.FromString(tt.configuredDomain)
-			require.NoError(t, err)
-
-			entries := []*ForwarderEntry{
-				{
-					Domain: d,
-					ResID:  "test-res-id",
-				},
-			}
-
-			forwarder.UpdateDomains(entries)
-
-			resID, matchingEntries := forwarder.getMatchingEntries(tt.queryDomain)
-
-			if tt.shouldMatch {
-				assert.Equal(t, tt.expectedResID, resID, "Expected matching ResID")
-				assert.NotEmpty(t, matchingEntries, "Expected matching entries")
-				t.Logf("✓ Domain %s correctly matches pattern %s", tt.queryDomain, tt.configuredDomain)
-			} else {
-				assert.Equal(t, tt.expectedResID, resID, "Expected no ResID match")
-				assert.Empty(t, matchingEntries, "Expected no matching entries")
-				t.Logf("✓ Domain %s correctly does NOT match pattern %s", tt.queryDomain, tt.configuredDomain)
-			}
-		})
-	}
-}
-
-func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
-	if testing.Short() {
-		t.Skip("Skipping integration test in short mode")
-	}
-
-	tests := []struct {
-		name             string
-		configuredDomain string
-		queryDomain      string
-		shouldResolve    bool
-		description      string
-	}{
-		{
-			name:             "configured exact domain resolves",
-			configuredDomain: "example.com",
-			queryDomain:      "example.com",
-			shouldResolve:    true,
-			description:      "Exact match should resolve",
-		},
-		{
-			name:             "unauthorized subdomain blocked",
-			configuredDomain: "example.com",
-			queryDomain:      "mail.example.com",
-			shouldResolve:    false,
-			description:      "Subdomain should be blocked without wildcard",
-		},
-		{
-			name:             "wildcard allows subdomain",
-			configuredDomain: "*.example.com",
-			queryDomain:      "mail.example.com",
-			shouldResolve:    true,
-			description:      "Wildcard should allow subdomain",
-		},
-		{
-			name:             "wildcard allows base domain",
-			configuredDomain: "*.example.com",
-			queryDomain:      "example.com",
-			shouldResolve:    true,
-			description:      "Wildcard should allow base domain",
-		},
-		{
-			name:             "unrelated domain blocked",
-			configuredDomain: "example.com",
-			queryDomain:      "example.org",
-			shouldResolve:    false,
-			description:      "Unrelated domain should be blocked",
-		},
-		{
-			name:             "deep subdomain blocked",
-			configuredDomain: "example.com",
-			queryDomain:      "deep.mail.example.com",
-			shouldResolve:    false,
-			description:      "Deep subdomain should be blocked",
-		},
-		{
-			name:             "wildcard allows deep subdomain",
-			configuredDomain: "*.example.com",
-			queryDomain:      "deep.mail.example.com",
-			shouldResolve:    true,
-			description:      "Wildcard should allow deep subdomain",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mockFirewall := &MockFirewall{}
-			mockResolver := &MockResolver{}
-
-			if tt.shouldResolve {
-				mockFirewall.On("UpdateSet", mock.AnythingOfType("manager.Set"), mock.AnythingOfType("[]netip.Prefix")).Return(nil)
-
-				// Mock successful DNS resolution
-				fakeIP := netip.MustParseAddr("1.2.3.4")
-				mockResolver.On("LookupNetIP", mock.Anything, "ip4", dns.Fqdn(tt.queryDomain)).Return([]netip.Addr{fakeIP}, nil)
-			}
-
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
-			forwarder.resolver = mockResolver
-
-			d, err := domain.FromString(tt.configuredDomain)
-			require.NoError(t, err)
-
-			entries := []*ForwarderEntry{
-				{
-					Domain: d,
-					ResID:  "test-res-id",
-					Set:    firewall.NewDomainSet([]domain.Domain{d}),
-				},
-			}
-
-			forwarder.UpdateDomains(entries)
-
-			query := &dns.Msg{}
-			query.SetQuestion(dns.Fqdn(tt.queryDomain), dns.TypeA)
-
-			mockWriter := &test.MockResponseWriter{}
-			resp := forwarder.handleDNSQuery(mockWriter, query)
-
-			if tt.shouldResolve {
-				require.NotNil(t, resp, "Expected response for authorized domain")
-				require.Equal(t, dns.RcodeSuccess, resp.Rcode, "Expected successful response")
-				assert.NotEmpty(t, resp.Answer, "Expected DNS answer records")
-
-				time.Sleep(10 * time.Millisecond)
-				mockFirewall.AssertExpectations(t)
-				mockResolver.AssertExpectations(t)
-			} else {
-				if resp != nil {
-					assert.True(t, len(resp.Answer) == 0 || resp.Rcode != dns.RcodeSuccess,
-						"Unauthorized domain should not return successful answers")
-				}
-				mockFirewall.AssertNotCalled(t, "UpdateSet")
-				mockResolver.AssertNotCalled(t, "LookupNetIP")
-			}
-		})
-	}
-}
-
-func TestDNSForwarder_FirewallSetUpdates(t *testing.T) {
-	tests := []struct {
-		name              string
-		configuredDomains []string
-		query             string
-		mockIP            string
-		shouldResolve     bool
-		expectedSetCount  int // How many sets should be updated
-		description       string
-	}{
-		{
-			name:              "exact domain gets firewall update",
-			configuredDomains: []string{"example.com"},
-			query:             "example.com",
-			mockIP:            "1.1.1.1",
-			shouldResolve:     true,
-			expectedSetCount:  1,
-			description:       "Single exact match updates one set",
-		},
-		{
-			name:              "wildcard domain gets firewall update",
-			configuredDomains: []string{"*.example.com"},
-			query:             "mail.example.com",
-			mockIP:            "1.1.1.2",
-			shouldResolve:     true,
-			expectedSetCount:  1,
-			description:       "Wildcard match updates one set",
-		},
-		{
-			name:              "overlapping exact and wildcard both get updates",
-			configuredDomains: []string{"*.example.com", "mail.example.com"},
-			query:             "mail.example.com",
-			mockIP:            "1.1.1.3",
-			shouldResolve:     true,
-			expectedSetCount:  2,
-			description:       "Both exact and wildcard sets should be updated",
-		},
-		{
-			name:              "unauthorized domain gets no firewall update",
-			configuredDomains: []string{"example.com"},
-			query:             "mail.example.com",
-			mockIP:            "1.1.1.4",
-			shouldResolve:     false,
-			expectedSetCount:  0,
-			description:       "No firewall update for unauthorized domains",
-		},
-		{
-			name:              "multiple wildcards matching get all updated",
-			configuredDomains: []string{"*.example.com", "*.sub.example.com"},
-			query:             "test.sub.example.com",
-			mockIP:            "1.1.1.5",
-			shouldResolve:     true,
-			expectedSetCount:  2,
-			description:       "All matching wildcard sets should be updated",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mockFirewall := &MockFirewall{}
-			mockResolver := &MockResolver{}
-
-			// Set up forwarder
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
-			forwarder.resolver = mockResolver
-
-			// Create entries and track sets
-			var entries []*ForwarderEntry
-			sets := make([]firewall.Set, 0)
-
-			for i, configDomain := range tt.configuredDomains {
-				d, err := domain.FromString(configDomain)
-				require.NoError(t, err)
-
-				set := firewall.NewDomainSet([]domain.Domain{d})
-				sets = append(sets, set)
-
-				entries = append(entries, &ForwarderEntry{
-					Domain: d,
-					ResID:  route.ResID(fmt.Sprintf("res-%d", i)),
-					Set:    set,
-				})
-			}
-
-			forwarder.UpdateDomains(entries)
-
-			// Set up mocks
-			if tt.shouldResolve {
-				fakeIP := netip.MustParseAddr(tt.mockIP)
-				mockResolver.On("LookupNetIP", mock.Anything, "ip4", dns.Fqdn(tt.query)).
-					Return([]netip.Addr{fakeIP}, nil).Once()
-
-				expectedPrefixes := []netip.Prefix{netip.PrefixFrom(fakeIP, 32)}
-
-				// Count how many sets should actually match
-				updateCount := 0
-				for i, entry := range entries {
-					domain := strings.ToLower(tt.query)
-					pattern := entry.Domain.PunycodeString()
-
-					matches := false
-					if strings.HasPrefix(pattern, "*.") {
-						baseDomain := strings.TrimPrefix(pattern, "*.")
-						if domain == baseDomain || strings.HasSuffix(domain, "."+baseDomain) {
-							matches = true
-						}
-					} else if domain == pattern {
-						matches = true
-					}
-
-					if matches {
-						mockFirewall.On("UpdateSet", sets[i], expectedPrefixes).Return(nil).Once()
-						updateCount++
-					}
-				}
-
-				assert.Equal(t, tt.expectedSetCount, updateCount,
-					"Expected %d sets to be updated, but mock expects %d",
-					tt.expectedSetCount, updateCount)
-			}
-
-			// Execute query
-			dnsQuery := &dns.Msg{}
-			dnsQuery.SetQuestion(dns.Fqdn(tt.query), dns.TypeA)
-
-			mockWriter := &test.MockResponseWriter{}
-			resp := forwarder.handleDNSQuery(mockWriter, dnsQuery)
-
-			// Verify response
-			if tt.shouldResolve {
-				require.NotNil(t, resp, "Expected response for authorized domain")
-				require.Equal(t, dns.RcodeSuccess, resp.Rcode)
-				require.NotEmpty(t, resp.Answer)
-			} else if resp != nil {
-				assert.True(t, resp.Rcode == dns.RcodeRefused || len(resp.Answer) == 0,
-					"Unauthorized domain should be refused or have no answers")
-			}
-
-			// Verify all mock expectations were met
-			mockFirewall.AssertExpectations(t)
-			mockResolver.AssertExpectations(t)
-		})
-	}
-}
-
-// Test to verify that multiple IPs for one domain result in all prefixes being sent together
-func TestDNSForwarder_MultipleIPsInSingleUpdate(t *testing.T) {
-	mockFirewall := &MockFirewall{}
-	mockResolver := &MockResolver{}
-
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
-	forwarder.resolver = mockResolver
-
-	// Configure a single domain
-	d, err := domain.FromString("example.com")
-	require.NoError(t, err)
-
-	set := firewall.NewDomainSet([]domain.Domain{d})
-	entries := []*ForwarderEntry{{
-		Domain: d,
-		ResID:  "test-res",
-		Set:    set,
-	}}
-
-	forwarder.UpdateDomains(entries)
-
-	// Mock resolver returns multiple IPs
-	ips := []netip.Addr{
-		netip.MustParseAddr("1.1.1.1"),
-		netip.MustParseAddr("1.1.1.2"),
-		netip.MustParseAddr("1.1.1.3"),
-	}
-	mockResolver.On("LookupNetIP", mock.Anything, "ip4", "example.com.").
-		Return(ips, nil).Once()
-
-	// Expect ONE UpdateSet call with ALL prefixes
-	expectedPrefixes := []netip.Prefix{
-		netip.PrefixFrom(ips[0], 32),
-		netip.PrefixFrom(ips[1], 32),
-		netip.PrefixFrom(ips[2], 32),
-	}
-	mockFirewall.On("UpdateSet", set, expectedPrefixes).Return(nil).Once()
-
-	// Execute query
-	query := &dns.Msg{}
-	query.SetQuestion("example.com.", dns.TypeA)
-
-	mockWriter := &test.MockResponseWriter{}
-	resp := forwarder.handleDNSQuery(mockWriter, query)
-
-	// Verify response contains all IPs
-	require.NotNil(t, resp)
-	require.Equal(t, dns.RcodeSuccess, resp.Rcode)
-	require.Len(t, resp.Answer, 3, "Should have 3 answer records")
-
-	// Verify mocks
-	mockFirewall.AssertExpectations(t)
-	mockResolver.AssertExpectations(t)
-}
-
-func TestDNSForwarder_ResponseCodes(t *testing.T) {
-	tests := []struct {
-		name         string
-		queryType    uint16
-		queryDomain  string
-		configured   string
-		expectedCode int
-		description  string
-	}{
-		{
-			name:         "unauthorized domain returns REFUSED",
-			queryType:    dns.TypeA,
-			queryDomain:  "evil.com",
-			configured:   "example.com",
-			expectedCode: dns.RcodeRefused,
-			description:  "RFC compliant REFUSED for unauthorized queries",
-		},
-		{
-			name:         "unsupported query type returns NOTIMP",
-			queryType:    dns.TypeMX,
-			queryDomain:  "example.com",
-			configured:   "example.com",
-			expectedCode: dns.RcodeNotImplemented,
-			description:  "RFC compliant NOTIMP for unsupported types",
-		},
-		{
-			name:         "CNAME query returns NOTIMP",
-			queryType:    dns.TypeCNAME,
-			queryDomain:  "example.com",
-			configured:   "example.com",
-			expectedCode: dns.RcodeNotImplemented,
-			description:  "CNAME queries not supported",
-		},
-		{
-			name:         "TXT query returns NOTIMP",
-			queryType:    dns.TypeTXT,
-			queryDomain:  "example.com",
-			configured:   "example.com",
-			expectedCode: dns.RcodeNotImplemented,
-			description:  "TXT queries not supported",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
-
-			d, err := domain.FromString(tt.configured)
-			require.NoError(t, err)
-
-			entries := []*ForwarderEntry{{Domain: d, ResID: "test-res"}}
-			forwarder.UpdateDomains(entries)
-
-			query := &dns.Msg{}
-			query.SetQuestion(dns.Fqdn(tt.queryDomain), tt.queryType)
-
-			// Capture the written response
-			var writtenResp *dns.Msg
-			mockWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					writtenResp = m
-					return nil
-				},
-			}
-
-			_ = forwarder.handleDNSQuery(mockWriter, query)
-
-			// Check the response written to the writer
-			require.NotNil(t, writtenResp, "Expected response to be written")
-			assert.Equal(t, tt.expectedCode, writtenResp.Rcode, tt.description)
-		})
-	}
-}
-
-func TestDNSForwarder_TCPTruncation(t *testing.T) {
-	// Test that large UDP responses are truncated with TC bit set
-	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
-	forwarder.resolver = mockResolver
-
-	d, _ := domain.FromString("example.com")
-	entries := []*ForwarderEntry{{Domain: d, ResID: "test-res"}}
-	forwarder.UpdateDomains(entries)
-
-	// Mock many IPs to create a large response
-	var manyIPs []netip.Addr
-	for i := 0; i < 100; i++ {
-		manyIPs = append(manyIPs, netip.MustParseAddr(fmt.Sprintf("1.1.1.%d", i%256)))
-	}
-	mockResolver.On("LookupNetIP", mock.Anything, "ip4", "example.com.").Return(manyIPs, nil)
-
-	// Query without EDNS0
-	query := &dns.Msg{}
-	query.SetQuestion("example.com.", dns.TypeA)
-
-	var writtenResp *dns.Msg
-	mockWriter := &test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error {
-			writtenResp = m
-			return nil
-		},
-	}
-	forwarder.handleDNSQueryUDP(mockWriter, query)
-
-	require.NotNil(t, writtenResp)
-	assert.True(t, writtenResp.Truncated, "Large response should be truncated")
-	assert.LessOrEqual(t, writtenResp.Len(), dns.MinMsgSize, "Response should fit in minimum UDP size")
-}
-
-func TestDNSForwarder_MultipleOverlappingPatterns(t *testing.T) {
-	// Test complex overlapping pattern scenarios
-	mockFirewall := &MockFirewall{}
-	mockResolver := &MockResolver{}
-
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
-	forwarder.resolver = mockResolver
-
-	// Set up complex overlapping patterns
-	patterns := []string{
-		"*.example.com",         // Matches all subdomains
-		"*.mail.example.com",    // More specific wildcard
-		"smtp.mail.example.com", // Exact match
-		"example.com",           // Base domain
-	}
-
-	var entries []*ForwarderEntry
-	sets := make(map[string]firewall.Set)
-
-	for _, pattern := range patterns {
-		d, _ := domain.FromString(pattern)
-		set := firewall.NewDomainSet([]domain.Domain{d})
-		sets[pattern] = set
-		entries = append(entries, &ForwarderEntry{
-			Domain: d,
-			ResID:  route.ResID("res-" + pattern),
-			Set:    set,
-		})
-	}
-
-	forwarder.UpdateDomains(entries)
-
-	// Test smtp.mail.example.com - should match 3 patterns
-	fakeIP := netip.MustParseAddr("1.2.3.4")
-	mockResolver.On("LookupNetIP", mock.Anything, "ip4", "smtp.mail.example.com.").Return([]netip.Addr{fakeIP}, nil)
-
-	expectedPrefix := netip.PrefixFrom(fakeIP, 32)
-	// All three matching patterns should get firewall updates
-	mockFirewall.On("UpdateSet", sets["smtp.mail.example.com"], []netip.Prefix{expectedPrefix}).Return(nil)
-	mockFirewall.On("UpdateSet", sets["*.mail.example.com"], []netip.Prefix{expectedPrefix}).Return(nil)
-	mockFirewall.On("UpdateSet", sets["*.example.com"], []netip.Prefix{expectedPrefix}).Return(nil)
-
-	query := &dns.Msg{}
-	query.SetQuestion("smtp.mail.example.com.", dns.TypeA)
-
-	mockWriter := &test.MockResponseWriter{}
-	resp := forwarder.handleDNSQuery(mockWriter, query)
-
-	require.NotNil(t, resp)
-	assert.Equal(t, dns.RcodeSuccess, resp.Rcode)
-
-	// Verify all three sets were updated
-	mockFirewall.AssertExpectations(t)
-
-	// Verify the most specific ResID was selected
-	// (exact match should win over wildcards)
-	resID, matches := forwarder.getMatchingEntries("smtp.mail.example.com")
-	assert.Equal(t, route.ResID("res-smtp.mail.example.com"), resID)
-	assert.Len(t, matches, 3, "Should match 3 patterns")
-}
-
-func TestDNSForwarder_EmptyQuery(t *testing.T) {
-	// Test handling of malformed query with no questions
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
-
-	query := &dns.Msg{}
-	// Don't set any question
-
-	writeCalled := false
-	mockWriter := &test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error {
-			writeCalled = true
-			return nil
-		},
-	}
-	resp := forwarder.handleDNSQuery(mockWriter, query)
-
-	assert.Nil(t, resp, "Should return nil for empty query")
-	assert.False(t, writeCalled, "Should not write response for empty query")
-}

client/internal/engine.go

@@ -121,8 +121,8 @@ type EngineConfig struct {
 	DisableServerRoutes bool
 	DisableDNS          bool
 	DisableFirewall     bool
-	BlockLANAccess      bool
-	BlockInbound        bool
+
+	BlockLANAccess bool
 
 	LazyConnectionEnabled bool
 }
@@ -359,7 +359,6 @@ func (e *Engine) Start() error {
 		return fmt.Errorf("new wg interface: %w", err)
 	}
 	e.wgInterface = wgIface
-	e.statusRecorder.SetWgIface(wgIface)
 
 	// start flow manager right after interface creation
 	publicKey := e.config.WgPrivateKey.PublicKey()
@@ -381,6 +380,7 @@ func (e *Engine) Start() error {
 			return fmt.Errorf("run rosenpass manager: %w", err)
 		}
 	}
+
 	e.stateManager.Start()
 
 	initialRoutes, dnsServer, err := e.newDnsServer()
@@ -431,8 +431,7 @@ func (e *Engine) Start() error {
 		return fmt.Errorf("up wg interface: %w", err)
 	}
 
-	// if inbound conns are blocked there is no need to create the ACL manager
-	if e.firewall != nil && !e.config.BlockInbound {
+	if e.firewall != nil {
 		e.acl = acl.NewDefaultManager(e.firewall)
 	}
 
@@ -488,9 +487,11 @@ func (e *Engine) createFirewall() error {
 }
 
 func (e *Engine) initFirewall() error {
-	if err := e.routeManager.EnableServerRouter(e.firewall); err != nil {
-		e.close()
-		return fmt.Errorf("enable server router: %w", err)
+	if e.firewall.IsServerRouteSupported() {
+		if err := e.routeManager.EnableServerRouter(e.firewall); err != nil {
+			e.close()
+			return fmt.Errorf("enable server router: %w", err)
+		}
 	}
 
 	if e.config.BlockLANAccess {
@@ -524,11 +525,6 @@ func (e *Engine) initFirewall() error {
 }
 
 func (e *Engine) blockLanAccess() {
-	if e.config.BlockInbound {
-		// no need to set up extra deny rules if inbound is already blocked in general
-		return
-	}
-
 	var merr *multierror.Error
 
 	// TODO: keep this updated
@@ -786,9 +782,6 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 		e.config.DisableServerRoutes,
 		e.config.DisableDNS,
 		e.config.DisableFirewall,
-		e.config.BlockLANAccess,
-		e.config.BlockInbound,
-		e.config.LazyConnectionEnabled,
 	)
 
 	if err := e.mgmClient.SyncMeta(info); err != nil {
@@ -803,58 +796,56 @@ func isNil(server nbssh.Server) bool {
 }
 
 func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
-	if e.config.BlockInbound {
-		log.Infof("SSH server is disabled because inbound connections are blocked")
-		return nil
-	}
 
 	if !e.config.ServerSSHAllowed {
-		log.Info("SSH server is not enabled")
+		log.Warnf("running SSH server is not permitted")
 		return nil
-	}
+	} else {
 
-	if sshConf.GetSshEnabled() {
-		if runtime.GOOS == "windows" {
-			log.Warnf("running SSH server on %s is not supported", runtime.GOOS)
-			return nil
-		}
-		// start SSH server if it wasn't running
-		if isNil(e.sshServer) {
-			listenAddr := fmt.Sprintf("%s:%d", e.wgInterface.Address().IP.String(), nbssh.DefaultSSHPort)
-			if nbnetstack.IsEnabled() {
-				listenAddr = fmt.Sprintf("127.0.0.1:%d", nbssh.DefaultSSHPort)
+		if sshConf.GetSshEnabled() {
+			if runtime.GOOS == "windows" {
+				log.Warnf("running SSH server on %s is not supported", runtime.GOOS)
+				return nil
 			}
-			// nil sshServer means it has not yet been started
-			var err error
-			e.sshServer, err = e.sshServerFunc(e.config.SSHKey, listenAddr)
-
-			if err != nil {
-				return fmt.Errorf("create ssh server: %w", err)
-			}
-			go func() {
-				// blocking
-				err = e.sshServer.Start()
-				if err != nil {
-					// will throw error when we stop it even if it is a graceful stop
-					log.Debugf("stopped SSH server with error %v", err)
+			// start SSH server if it wasn't running
+			if isNil(e.sshServer) {
+				listenAddr := fmt.Sprintf("%s:%d", e.wgInterface.Address().IP.String(), nbssh.DefaultSSHPort)
+				if nbnetstack.IsEnabled() {
+					listenAddr = fmt.Sprintf("127.0.0.1:%d", nbssh.DefaultSSHPort)
 				}
-				e.syncMsgMux.Lock()
-				defer e.syncMsgMux.Unlock()
-				e.sshServer = nil
-				log.Infof("stopped SSH server")
-			}()
-		} else {
-			log.Debugf("SSH server is already running")
+				// nil sshServer means it has not yet been started
+				var err error
+				e.sshServer, err = e.sshServerFunc(e.config.SSHKey, listenAddr)
+
+				if err != nil {
+					return fmt.Errorf("create ssh server: %w", err)
+				}
+				go func() {
+					// blocking
+					err = e.sshServer.Start()
+					if err != nil {
+						// will throw error when we stop it even if it is a graceful stop
+						log.Debugf("stopped SSH server with error %v", err)
+					}
+					e.syncMsgMux.Lock()
+					defer e.syncMsgMux.Unlock()
+					e.sshServer = nil
+					log.Infof("stopped SSH server")
+				}()
+			} else {
+				log.Debugf("SSH server is already running")
+			}
+		} else if !isNil(e.sshServer) {
+			// Disable SSH server request, so stop it if it was running
+			err := e.sshServer.Stop()
+			if err != nil {
+				log.Warnf("failed to stop SSH server %v", err)
+			}
+			e.sshServer = nil
 		}
-	} else if !isNil(e.sshServer) {
-		// Disable SSH server request, so stop it if it was running
-		err := e.sshServer.Stop()
-		if err != nil {
-			log.Warnf("failed to stop SSH server %v", err)
-		}
-		e.sshServer = nil
+		return nil
+
 	}
-	return nil
 }
 
 func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
@@ -908,9 +899,6 @@ func (e *Engine) receiveManagementEvents() {
 			e.config.DisableServerRoutes,
 			e.config.DisableDNS,
 			e.config.DisableFirewall,
-			e.config.BlockLANAccess,
-			e.config.BlockInbound,
-			e.config.LazyConnectionEnabled,
 		)
 
 		// err = e.mgmClient.Sync(info, e.handleSync)
@@ -1000,29 +988,12 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		}
 	}
 
-	protoDNSConfig := networkMap.GetDNSConfig()
-	if protoDNSConfig == nil {
-		protoDNSConfig = &mgmProto.DNSConfig{}
-	}
-
-	if err := e.dnsServer.UpdateDNSServer(serial, toDNSConfig(protoDNSConfig, e.wgInterface.Address().Network)); err != nil {
-		log.Errorf("failed to update dns server, err: %v", err)
-	}
-
 	dnsRouteFeatureFlag := toDNSFeatureFlag(networkMap)
 
 	// apply routes first, route related actions might depend on routing being enabled
 	routes := toRoutes(networkMap.GetRoutes())
-	serverRoutes, clientRoutes := e.routeManager.ClassifyRoutes(routes)
-
-	// lazy mgr needs to be aware of which routes are available before they are applied
-	if e.connMgr != nil {
-		e.connMgr.UpdateRouteHAMap(clientRoutes)
-		log.Debugf("updated lazy connection manager with %d HA groups", len(clientRoutes))
-	}
-
-	if err := e.routeManager.UpdateRoutes(serial, serverRoutes, clientRoutes, dnsRouteFeatureFlag); err != nil {
-		log.Errorf("failed to update routes: %v", err)
+	if err := e.routeManager.UpdateRoutes(serial, routes, dnsRouteFeatureFlag); err != nil {
+		log.Errorf("failed to update clientRoutes, err: %v", err)
 	}
 
 	if e.acl != nil {
@@ -1081,8 +1052,17 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	}
 
 	// must set the exclude list after the peers are added. Without it the manager can not figure out the peers parameters from the store
-	excludedLazyPeers := e.toExcludedLazyPeers(forwardingRules, networkMap.GetRemotePeers())
-	e.connMgr.SetExcludeList(e.ctx, excludedLazyPeers)
+	excludedLazyPeers := e.toExcludedLazyPeers(routes, forwardingRules, networkMap.GetRemotePeers())
+	e.connMgr.SetExcludeList(excludedLazyPeers)
+
+	protoDNSConfig := networkMap.GetDNSConfig()
+	if protoDNSConfig == nil {
+		protoDNSConfig = &mgmProto.DNSConfig{}
+	}
+
+	if err := e.dnsServer.UpdateDNSServer(serial, toDNSConfig(protoDNSConfig, e.wgInterface.Address().Network)); err != nil {
+		log.Errorf("failed to update dns server, err: %v", err)
+	}
 
 	e.networkSerial = serial
 
@@ -1118,7 +1098,7 @@ func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
 
 		convertedRoute := &route.Route{
 			ID:          route.ID(protoRoute.ID),
-			Network:     prefix.Masked(),
+			Network:     prefix,
 			Domains:     domain.FromPunycodeList(protoRoute.Domains),
 			NetID:       route.NetID(protoRoute.NetID),
 			NetworkType: route.NetworkType(protoRoute.NetworkType),
@@ -1152,7 +1132,7 @@ func toRouteDomains(myPubKey string, routes []*route.Route) []*dnsfwd.ForwarderE
 	return entries
 }
 
-func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network netip.Prefix) nbdns.Config {
+func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network *net.IPNet) nbdns.Config {
 	dnsUpdate := nbdns.Config{
 		ServiceEnable:    protoDNSConfig.GetServiceEnable(),
 		CustomZones:      make([]nbdns.CustomZone, 0),
@@ -1467,7 +1447,6 @@ func (e *Engine) close() {
 			log.Errorf("failed closing Netbird interface %s %v", e.config.WgIfaceName, err)
 		}
 		e.wgInterface = nil
-		e.statusRecorder.SetWgIface(nil)
 	}
 
 	if !isNil(e.sshServer) {
@@ -1499,9 +1478,6 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, error) {
 		e.config.DisableServerRoutes,
 		e.config.DisableDNS,
 		e.config.DisableFirewall,
-		e.config.BlockLANAccess,
-		e.config.BlockInbound,
-		e.config.LazyConnectionEnabled,
 	)
 
 	netMap, err := e.mgmClient.GetNetworkMap(info)
@@ -1527,7 +1503,6 @@ func (e *Engine) newWgIface() (*iface.WGIface, error) {
 		MTU:          iface.DefaultMTU,
 		TransportNet: transportNet,
 		FilterFn:     e.addrViaRoutes,
-		DisableDNS:   e.config.DisableDNS,
 	}
 
 	switch runtime.GOOS {
@@ -1696,7 +1671,7 @@ func (e *Engine) RunHealthProbes() bool {
 func (e *Engine) probeICE(stuns, turns []*stun.URI) []relay.ProbeResult {
 	return append(
 		relay.ProbeAll(e.ctx, relay.ProbeSTUN, stuns),
-		relay.ProbeAll(e.ctx, relay.ProbeTURN, turns)...,
+		relay.ProbeAll(e.ctx, relay.ProbeSTUN, turns)...,
 	)
 }
 
@@ -1809,9 +1784,9 @@ func (e *Engine) GetLatestNetworkMap() (*mgmProto.NetworkMap, error) {
 }
 
 // GetWgAddr returns the wireguard address
-func (e *Engine) GetWgAddr() netip.Addr {
+func (e *Engine) GetWgAddr() net.IP {
 	if e.wgInterface == nil {
-		return netip.Addr{}
+		return nil
 	}
 	return e.wgInterface.Address().IP
 }
@@ -1821,10 +1796,6 @@ func (e *Engine) updateDNSForwarder(
 	enabled bool,
 	fwdEntries []*dnsfwd.ForwarderEntry,
 ) {
-	if e.config.DisableServerRoutes {
-		return
-	}
-
 	if !enabled {
 		if e.dnsForwardMgr == nil {
 			return
@@ -1880,7 +1851,12 @@ func (e *Engine) Address() (netip.Addr, error) {
 		return netip.Addr{}, errors.New("wireguard interface not initialized")
 	}
 
-	return e.wgInterface.Address().IP, nil
+	addr := e.wgInterface.Address()
+	ip, ok := netip.AddrFromSlice(addr.IP)
+	if !ok {
+		return netip.Addr{}, errors.New("failed to convert address to netip.Addr")
+	}
+	return ip.Unmap(), nil
 }
 
 func (e *Engine) updateForwardRules(rules []*mgmProto.ForwardingRule) ([]firewallManager.ForwardRule, error) {
@@ -1951,8 +1927,16 @@ func (e *Engine) updateForwardRules(rules []*mgmProto.ForwardingRule) ([]firewal
 	return forwardingRules, nberrors.FormatErrorOrNil(merr)
 }
 
-func (e *Engine) toExcludedLazyPeers(rules []firewallManager.ForwardRule, peers []*mgmProto.RemotePeerConfig) map[string]bool {
-	excludedPeers := make(map[string]bool)
+func (e *Engine) toExcludedLazyPeers(routes []*route.Route, rules []firewallManager.ForwardRule, peers []*mgmProto.RemotePeerConfig) []string {
+	excludedPeers := make([]string, 0)
+	for _, r := range routes {
+		if r.Peer == "" {
+			continue
+		}
+		log.Infof("exclude router peer from lazy connection: %s", r.Peer)
+		excludedPeers = append(excludedPeers, r.Peer)
+	}
+
 	for _, r := range rules {
 		ip := r.TranslatedAddress
 		for _, p := range peers {
@@ -1961,7 +1945,7 @@ func (e *Engine) toExcludedLazyPeers(rules []firewallManager.ForwardRule, peers
 					continue
 				}
 				log.Infof("exclude forwarder peer from lazy connection: %s", p.GetWgPubKey())
-				excludedPeers[p.GetWgPubKey()] = true
+				excludedPeers = append(excludedPeers, p.GetWgPubKey())
 			}
 		}
 	}

client/internal/engine_test.go

@@ -86,8 +86,8 @@ type MockWGIface struct {
 	UpdateAddrFunc             func(newAddr string) error
 	UpdatePeerFunc             func(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
 	RemovePeerFunc             func(peerKey string) error
-	AddAllowedIPFunc           func(peerKey string, allowedIP netip.Prefix) error
-	RemoveAllowedIPFunc        func(peerKey string, allowedIP netip.Prefix) error
+	AddAllowedIPFunc           func(peerKey string, allowedIP string) error
+	RemoveAllowedIPFunc        func(peerKey string, allowedIP string) error
 	CloseFunc                  func() error
 	SetFilterFunc              func(filter device.PacketFilter) error
 	GetFilterFunc              func() device.PacketFilter
@@ -99,10 +99,6 @@ type MockWGIface struct {
 	GetNetFunc                 func() *netstack.Net
 }
 
-func (m *MockWGIface) FullStats() (*configurer.Stats, error) {
-	return nil, fmt.Errorf("not implemented")
-}
-
 func (m *MockWGIface) GetInterfaceGUIDString() (string, error) {
 	return m.GetInterfaceGUIDStringFunc()
 }
@@ -147,11 +143,11 @@ func (m *MockWGIface) RemovePeer(peerKey string) error {
 	return m.RemovePeerFunc(peerKey)
 }
 
-func (m *MockWGIface) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
+func (m *MockWGIface) AddAllowedIP(peerKey string, allowedIP string) error {
 	return m.AddAllowedIPFunc(peerKey, allowedIP)
 }
 
-func (m *MockWGIface) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error {
+func (m *MockWGIface) RemoveAllowedIP(peerKey string, allowedIP string) error {
 	return m.RemoveAllowedIPFunc(peerKey, allowedIP)
 }
 
@@ -375,8 +371,11 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("10.20.0.1"),
-				Network: netip.MustParsePrefix("10.20.0.0/24"),
+				IP: net.ParseIP("10.20.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("10.20.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
 			}
 		},
 		UpdatePeerFunc: func(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
@@ -643,12 +642,12 @@ func TestEngine_Sync(t *testing.T) {
 
 func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 	testCases := []struct {
-		name                 string
-		inputErr             error
-		networkMap           *mgmtProto.NetworkMap
-		expectedLen          int
-		expectedClientRoutes route.HAMap
-		expectedSerial       uint64
+		name           string
+		inputErr       error
+		networkMap     *mgmtProto.NetworkMap
+		expectedLen    int
+		expectedRoutes []*route.Route
+		expectedSerial uint64
 	}{
 		{
 			name: "Routes Config Should Be Passed To Manager",
@@ -676,26 +675,22 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				},
 			},
 			expectedLen: 2,
-			expectedClientRoutes: route.HAMap{
-				"n1|192.168.0.0/24": []*route.Route{
-					{
-						ID:          "a",
-						Network:     netip.MustParsePrefix("192.168.0.0/24"),
-						NetID:       "n1",
-						Peer:        "p1",
-						NetworkType: 1,
-						Masquerade:  false,
-					},
+			expectedRoutes: []*route.Route{
+				{
+					ID:          "a",
+					Network:     netip.MustParsePrefix("192.168.0.0/24"),
+					NetID:       "n1",
+					Peer:        "p1",
+					NetworkType: 1,
+					Masquerade:  false,
 				},
-				"n2|192.168.1.0/24": []*route.Route{
-					{
-						ID:          "b",
-						Network:     netip.MustParsePrefix("192.168.1.0/24"),
-						NetID:       "n2",
-						Peer:        "p1",
-						NetworkType: 1,
-						Masquerade:  false,
-					},
+				{
+					ID:          "b",
+					Network:     netip.MustParsePrefix("192.168.1.0/24"),
+					NetID:       "n2",
+					Peer:        "p1",
+					NetworkType: 1,
+					Masquerade:  false,
 				},
 			},
 			expectedSerial: 1,
@@ -708,9 +703,9 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				RemotePeersIsEmpty: false,
 				Routes:             nil,
 			},
-			expectedLen:          0,
-			expectedClientRoutes: nil,
-			expectedSerial:       1,
+			expectedLen:    0,
+			expectedRoutes: []*route.Route{},
+			expectedSerial: 1,
 		},
 		{
 			name:     "Error Shouldn't Break Engine",
@@ -721,9 +716,9 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				RemotePeersIsEmpty: false,
 				Routes:             nil,
 			},
-			expectedLen:          0,
-			expectedClientRoutes: nil,
-			expectedSerial:       1,
+			expectedLen:    0,
+			expectedRoutes: []*route.Route{},
+			expectedSerial: 1,
 		},
 	}
 
@@ -766,29 +761,16 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			engine.wgInterface, err = iface.NewWGIFace(opts)
 			assert.NoError(t, err, "shouldn't return error")
 			input := struct {
-				inputSerial  uint64
-				clientRoutes route.HAMap
+				inputSerial uint64
+				inputRoutes []*route.Route
 			}{}
 
 			mockRouteManager := &routemanager.MockManager{
-				UpdateRoutesFunc: func(updateSerial uint64, serverRoutes map[route.ID]*route.Route, clientRoutes route.HAMap, useNewDNSRoute bool) error {
+				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) error {
 					input.inputSerial = updateSerial
-					input.clientRoutes = clientRoutes
+					input.inputRoutes = newRoutes
 					return testCase.inputErr
 				},
-				ClassifyRoutesFunc: func(newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap) {
-					if len(newRoutes) == 0 {
-						return nil, nil
-					}
-
-					// Classify all routes as client routes (not matching our public key)
-					clientRoutes := make(route.HAMap)
-					for _, r := range newRoutes {
-						haID := r.GetHAUniqueID()
-						clientRoutes[haID] = append(clientRoutes[haID], r)
-					}
-					return nil, clientRoutes
-				},
 			}
 
 			engine.routeManager = mockRouteManager
@@ -806,8 +788,8 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			err = engine.updateNetworkMap(testCase.networkMap)
 			assert.NoError(t, err, "shouldn't return error")
 			assert.Equal(t, testCase.expectedSerial, input.inputSerial, "serial should match")
-			assert.Len(t, input.clientRoutes, testCase.expectedLen, "clientRoutes len should match")
-			assert.Equal(t, testCase.expectedClientRoutes, input.clientRoutes, "clientRoutes should match")
+			assert.Len(t, input.inputRoutes, testCase.expectedLen, "clientRoutes len should match")
+			assert.Equal(t, testCase.expectedRoutes, input.inputRoutes, "clientRoutes should match")
 		})
 	}
 }
@@ -968,7 +950,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			assert.NoError(t, err, "shouldn't return error")
 
 			mockRouteManager := &routemanager.MockManager{
-				UpdateRoutesFunc: func(updateSerial uint64, serverRoutes map[route.ID]*route.Route, clientRoutes route.HAMap, useNewDNSRoute bool) error {
+				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) error {
 					return nil
 				},
 			}

client/internal/iface_common.go

@@ -28,8 +28,8 @@ type wgIfaceBase interface {
 	GetProxy() wgproxy.Proxy
 	UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
 	RemovePeer(peerKey string) error
-	AddAllowedIP(peerKey string, allowedIP netip.Prefix) error
-	RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error
+	AddAllowedIP(peerKey string, allowedIP string) error
+	RemoveAllowedIP(peerKey string, allowedIP string) error
 	Close() error
 	SetFilter(filter device.PacketFilter) error
 	GetFilter() device.PacketFilter
@@ -37,5 +37,4 @@ type wgIfaceBase interface {
 	GetWGDevice() *wgdevice.Device
 	GetStats() (map[string]configurer.WGStats, error)
 	GetNet() *netstack.Net
-	FullStats() (*configurer.Stats, error)
 }

client/internal/lazyconn/manager/manager.go

@@ -6,7 +6,6 @@ import (
 	"time"
 
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	"github.com/netbirdio/netbird/client/internal/lazyconn/activity"
@@ -14,7 +13,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
-	"github.com/netbirdio/netbird/route"
 )
 
 const (
@@ -39,9 +37,7 @@ type Config struct {
 // - Managing inactivity monitors for lazy connections (based on peer disconnection events)
 // - Maintaining a list of excluded peers that should always have permanent connections
 // - Handling connection establishment based on peer signaling
-// - Managing route HA groups and activating all peers in a group when one peer is activated
 type Manager struct {
-	engineCtx           context.Context
 	peerStore           *peerstore.Store
 	connStateDispatcher *dispatcher.ConnectionDispatcher
 	inactivityThreshold time.Duration
@@ -55,20 +51,13 @@ type Manager struct {
 	activityManager    *activity.Manager
 	inactivityMonitors map[peerid.ConnID]*inactivity.Monitor
 
-	// Route HA group management
-	peerToHAGroups map[string][]route.HAUniqueID // peer ID -> HA groups they belong to
-	haGroupToPeers map[route.HAUniqueID][]string // HA group -> peer IDs in the group
-	routesMu       sync.RWMutex                  // protects route mappings
-
+	cancel     context.CancelFunc
 	onInactive chan peerid.ConnID
 }
 
-// NewManager creates a new lazy connection manager
-// engineCtx is the context for creating peer Connection
-func NewManager(config Config, engineCtx context.Context, peerStore *peerstore.Store, wgIface lazyconn.WGIface, connStateDispatcher *dispatcher.ConnectionDispatcher) *Manager {
+func NewManager(config Config, peerStore *peerstore.Store, wgIface lazyconn.WGIface, connStateDispatcher *dispatcher.ConnectionDispatcher) *Manager {
 	log.Infof("setup lazy connection service")
 	m := &Manager{
-		engineCtx:            engineCtx,
 		peerStore:            peerStore,
 		connStateDispatcher:  connStateDispatcher,
 		inactivityThreshold:  inactivity.DefaultInactivityThreshold,
@@ -77,8 +66,6 @@ func NewManager(config Config, engineCtx context.Context, peerStore *peerstore.S
 		excludes:             make(map[string]lazyconn.PeerConfig),
 		activityManager:      activity.NewManager(wgIface),
 		inactivityMonitors:   make(map[peerid.ConnID]*inactivity.Monitor),
-		peerToHAGroups:       make(map[string][]route.HAUniqueID),
-		haGroupToPeers:       make(map[route.HAUniqueID][]string),
 		onInactive:           make(chan peerid.ConnID),
 	}
 
@@ -100,45 +87,11 @@ func NewManager(config Config, engineCtx context.Context, peerStore *peerstore.S
 	return m
 }
 
-// UpdateRouteHAMap updates the HA group mappings for routes
-// This should be called when route configuration changes
-func (m *Manager) UpdateRouteHAMap(haMap route.HAMap) {
-	m.routesMu.Lock()
-	defer m.routesMu.Unlock()
-
-	maps.Clear(m.peerToHAGroups)
-	maps.Clear(m.haGroupToPeers)
-
-	for haUniqueID, routes := range haMap {
-		var peers []string
-
-		peerSet := make(map[string]bool)
-		for _, r := range routes {
-			if !peerSet[r.Peer] {
-				peerSet[r.Peer] = true
-				peers = append(peers, r.Peer)
-			}
-		}
-
-		if len(peers) <= 1 {
-			continue
-		}
-
-		m.haGroupToPeers[haUniqueID] = peers
-
-		for _, peerID := range peers {
-			m.peerToHAGroups[peerID] = append(m.peerToHAGroups[peerID], haUniqueID)
-		}
-	}
-
-	log.Debugf("updated route HA mappings: %d HA groups, %d peers with routes",
-		len(m.haGroupToPeers), len(m.peerToHAGroups))
-}
-
 // Start starts the manager and listens for peer activity and inactivity events
 func (m *Manager) Start(ctx context.Context) {
 	defer m.close()
 
+	ctx, m.cancel = context.WithCancel(ctx)
 	for {
 		select {
 		case <-ctx.Done():
@@ -256,47 +209,25 @@ func (m *Manager) RemovePeer(peerID string) {
 }
 
 // ActivatePeer activates a peer connection when a signal message is received
-// Also activates all peers in the same HA groups as this peer
 func (m *Manager) ActivatePeer(ctx context.Context, peerID string) (found bool) {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
-	cfg, mp := m.getPeerForActivation(peerID)
-	if cfg == nil {
-		return false
-	}
 
-	if !m.activateSinglePeer(ctx, cfg, mp) {
-		return false
-	}
-
-	m.activateHAGroupPeers(ctx, peerID)
-
-	return true
-}
-
-// getPeerForActivation checks if a peer can be activated and returns the necessary structs
-// Returns nil values if the peer should be skipped
-func (m *Manager) getPeerForActivation(peerID string) (*lazyconn.PeerConfig, *managedPeer) {
 	cfg, ok := m.managedPeers[peerID]
 	if !ok {
-		return nil, nil
+		return false
 	}
 
 	mp, ok := m.managedPeersByConnID[cfg.PeerConnID]
 	if !ok {
-		return nil, nil
+		return false
 	}
 
 	// signal messages coming continuously after success activation, with this avoid the multiple activation
 	if mp.expectedWatcher == watcherInactivity {
-		return nil, nil
+		return false
 	}
 
-	return cfg, mp
-}
-
-// activateSinglePeer activates a single peer (internal method)
-func (m *Manager) activateSinglePeer(ctx context.Context, cfg *lazyconn.PeerConfig, mp *managedPeer) bool {
 	mp.expectedWatcher = watcherInactivity
 
 	m.activityManager.RemovePeer(cfg.Log, cfg.PeerConnID)
@@ -307,53 +238,12 @@ func (m *Manager) activateSinglePeer(ctx context.Context, cfg *lazyconn.PeerConf
 		return false
 	}
 
-	cfg.Log.Infof("starting inactivity monitor")
+	mp.peerCfg.Log.Infof("starting inactivity monitor")
 	go im.Start(ctx, m.onInactive)
 
 	return true
 }
 
-// activateHAGroupPeers activates all peers in HA groups that the given peer belongs to
-func (m *Manager) activateHAGroupPeers(ctx context.Context, triggerPeerID string) {
-	m.routesMu.RLock()
-	haGroups := m.peerToHAGroups[triggerPeerID]
-	m.routesMu.RUnlock()
-
-	if len(haGroups) == 0 {
-		log.Debugf("peer %s is not part of any HA groups", triggerPeerID)
-		return
-	}
-
-	activatedCount := 0
-	for _, haGroup := range haGroups {
-		m.routesMu.RLock()
-		peers := m.haGroupToPeers[haGroup]
-		m.routesMu.RUnlock()
-
-		for _, peerID := range peers {
-			if peerID == triggerPeerID {
-				continue
-			}
-
-			cfg, mp := m.getPeerForActivation(peerID)
-			if cfg == nil {
-				continue
-			}
-
-			if m.activateSinglePeer(ctx, cfg, mp) {
-				activatedCount++
-				cfg.Log.Infof("activated peer as part of HA group %s (triggered by %s)", haGroup, triggerPeerID)
-				m.peerStore.PeerConnOpen(m.engineCtx, cfg.PublicKey)
-			}
-		}
-	}
-
-	if activatedCount > 0 {
-		log.Infof("activated %d additional peers in HA groups for peer %s (groups: %v)",
-			activatedCount, triggerPeerID, haGroups)
-	}
-}
-
 func (m *Manager) addActivePeer(ctx context.Context, peerCfg lazyconn.PeerConfig) error {
 	if _, ok := m.managedPeers[peerCfg.PublicKey]; ok {
 		peerCfg.Log.Warnf("peer already managed")
@@ -397,6 +287,8 @@ func (m *Manager) close() {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
 
+	m.cancel()
+
 	m.connStateDispatcher.RemoveListener(m.connStateListener)
 	m.activityManager.Close()
 	for _, iw := range m.inactivityMonitors {
@@ -405,13 +297,6 @@ func (m *Manager) close() {
 	m.inactivityMonitors = make(map[peerid.ConnID]*inactivity.Monitor)
 	m.managedPeers = make(map[string]*lazyconn.PeerConfig)
 	m.managedPeersByConnID = make(map[peerid.ConnID]*managedPeer)
-
-	// Clear route mappings
-	m.routesMu.Lock()
-	m.peerToHAGroups = make(map[string][]route.HAUniqueID)
-	m.haGroupToPeers = make(map[route.HAUniqueID][]string)
-	m.routesMu.Unlock()
-
 	log.Infof("lazy connection manager closed")
 }
 
@@ -432,13 +317,12 @@ func (m *Manager) onPeerActivity(ctx context.Context, peerConnID peerid.ConnID)
 
 	mp.peerCfg.Log.Infof("detected peer activity")
 
-	if !m.activateSinglePeer(ctx, mp.peerCfg, mp) {
-		return
-	}
+	mp.expectedWatcher = watcherInactivity
 
-	m.activateHAGroupPeers(ctx, mp.peerCfg.PublicKey)
+	mp.peerCfg.Log.Infof("starting inactivity monitor")
+	go m.inactivityMonitors[peerConnID].Start(ctx, m.onInactive)
 
-	m.peerStore.PeerConnOpen(m.engineCtx, mp.peerCfg.PublicKey)
+	m.peerStore.PeerConnOpen(ctx, mp.peerCfg.PublicKey)
 }
 
 func (m *Manager) onPeerInactivityTimedOut(peerConnID peerid.ConnID) {

client/internal/login.go

@@ -116,9 +116,6 @@ func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte
 		config.DisableServerRoutes,
 		config.DisableDNS,
 		config.DisableFirewall,
-		config.BlockLANAccess,
-		config.BlockInbound,
-		config.LazyConnectionEnabled,
 	)
 	_, err = mgmClient.Login(*serverKey, sysInfo, pubSSHKey, config.DNSLabels)
 	return serverKey, err
@@ -142,9 +139,6 @@ func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.
 		config.DisableServerRoutes,
 		config.DisableDNS,
 		config.DisableFirewall,
-		config.BlockLANAccess,
-		config.BlockInbound,
-		config.LazyConnectionEnabled,
 	)
 	loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), jwtToken, info, pubSSHKey, config.DNSLabels)
 	if err != nil {

client/internal/netflow/conntrack/conntrack.go

@@ -204,7 +204,7 @@ func (c *ConnTrack) handleEvent(event nfct.Event) {
 		eventStr = "Ended"
 	}
 
-	log.Tracef("%s %s %s connection: %s:%d → %s:%d", eventStr, direction, proto, srcIP, srcPort, dstIP, dstPort)
+	log.Tracef("%s %s %s connection: %s:%d -> %s:%d", eventStr, direction, proto, srcIP, srcPort, dstIP, dstPort)
 
 	c.flowLogger.StoreEvent(nftypes.EventFields{
 		FlowID:     flowID,
@@ -232,7 +232,7 @@ func (c *ConnTrack) relevantFlow(mark uint32, srcIP, dstIP netip.Addr) bool {
 
 	// fallback if mark rules are not in place
 	wgnet := c.iface.Address().Network
-	return wgnet.Contains(srcIP) || wgnet.Contains(dstIP)
+	return wgnet.Contains(srcIP.AsSlice()) || wgnet.Contains(dstIP.AsSlice())
 }
 
 // mapRxPackets maps packet counts to RX based on flow direction
@@ -293,15 +293,17 @@ func (c *ConnTrack) inferDirection(mark uint32, srcIP, dstIP netip.Addr) nftypes
 	// fallback if marks are not set
 	wgaddr := c.iface.Address().IP
 	wgnetwork := c.iface.Address().Network
+	src, dst := srcIP.AsSlice(), dstIP.AsSlice()
+
 	switch {
-	case wgaddr == srcIP:
+	case wgaddr.Equal(src):
 		return nftypes.Egress
-	case wgaddr == dstIP:
+	case wgaddr.Equal(dst):
 		return nftypes.Ingress
-	case wgnetwork.Contains(srcIP):
+	case wgnetwork.Contains(src):
 		// netbird network -> resource network
 		return nftypes.Ingress
-	case wgnetwork.Contains(dstIP):
+	case wgnetwork.Contains(dst):
 		// resource network -> netbird network
 		return nftypes.Egress
 	}

client/internal/netflow/logger/logger.go

@@ -2,7 +2,7 @@ package logger
 
 import (
 	"context"
-	"net/netip"
+	"net"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -23,16 +23,17 @@ type Logger struct {
 	rcvChan            atomic.Pointer[rcvChan]
 	cancel             context.CancelFunc
 	statusRecorder     *peer.Status
-	wgIfaceNet         netip.Prefix
+	wgIfaceIPNet       net.IPNet
 	dnsCollection      atomic.Bool
 	exitNodeCollection atomic.Bool
 	Store              types.Store
 }
 
-func New(statusRecorder *peer.Status, wgIfaceIPNet netip.Prefix) *Logger {
+func New(statusRecorder *peer.Status, wgIfaceIPNet net.IPNet) *Logger {
+
 	return &Logger{
 		statusRecorder: statusRecorder,
-		wgIfaceNet:     wgIfaceIPNet,
+		wgIfaceIPNet:   wgIfaceIPNet,
 		Store:          store.NewMemoryStore(),
 	}
 }
@@ -88,11 +89,11 @@ func (l *Logger) startReceiver() {
 			var isSrcExitNode bool
 			var isDestExitNode bool
 
-			if !l.wgIfaceNet.Contains(event.SourceIP) {
+			if !l.wgIfaceIPNet.Contains(net.IP(event.SourceIP.AsSlice())) {
 				event.SourceResourceID, isSrcExitNode = l.statusRecorder.CheckRoutes(event.SourceIP)
 			}
 
-			if !l.wgIfaceNet.Contains(event.DestIP) {
+			if !l.wgIfaceIPNet.Contains(net.IP(event.DestIP.AsSlice())) {
 				event.DestResourceID, isDestExitNode = l.statusRecorder.CheckRoutes(event.DestIP)
 			}
 

client/internal/netflow/logger/logger_test.go

@@ -1,7 +1,7 @@
 package logger_test
 
 import (
-	"net/netip"
+	"net"
 	"testing"
 	"time"
 
@@ -12,7 +12,7 @@ import (
 )
 
 func TestStore(t *testing.T) {
-	logger := logger.New(nil, netip.Prefix{})
+	logger := logger.New(nil, net.IPNet{})
 	logger.Enable()
 
 	event := types.EventFields{

client/internal/netflow/manager.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net/netip"
+	"net"
 	"runtime"
 	"sync"
 	"time"
@@ -34,11 +34,11 @@ type Manager struct {
 
 // NewManager creates a new netflow manager
 func NewManager(iface nftypes.IFaceMapper, publicKey []byte, statusRecorder *peer.Status) *Manager {
-	var prefix netip.Prefix
+	var ipNet net.IPNet
 	if iface != nil {
-		prefix = iface.Address().Network
+		ipNet = *iface.Address().Network
 	}
-	flowLogger := logger.New(statusRecorder, prefix)
+	flowLogger := logger.New(statusRecorder, ipNet)
 
 	var ct nftypes.ConnTracker
 	if runtime.GOOS == "linux" && iface != nil && !iface.IsUserspaceBind() {

client/internal/netflow/manager_test.go

@@ -1,7 +1,7 @@
 package netflow
 
 import (
-	"net/netip"
+	"net"
 	"testing"
 	"time"
 
@@ -33,7 +33,10 @@ func (m *mockIFaceMapper) IsUserspaceBind() bool {
 func TestManager_Update(t *testing.T) {
 	mockIFace := &mockIFaceMapper{
 		address: wgaddr.Address{
-			Network: netip.MustParsePrefix("192.168.1.1/32"),
+			Network: &net.IPNet{
+				IP:   net.ParseIP("192.168.1.1"),
+				Mask: net.CIDRMask(24, 32),
+			},
 		},
 		isUserspaceBind: true,
 	}
@@ -99,7 +102,10 @@ func TestManager_Update(t *testing.T) {
 func TestManager_Update_TokenPreservation(t *testing.T) {
 	mockIFace := &mockIFaceMapper{
 		address: wgaddr.Address{
-			Network: netip.MustParsePrefix("192.168.1.1/32"),
+			Network: &net.IPNet{
+				IP:   net.ParseIP("192.168.1.1"),
+				Mask: net.CIDRMask(24, 32),
+			},
 		},
 		isUserspaceBind: true,
 	}

client/internal/peer/conn.go

@@ -691,7 +691,8 @@ func (conn *Conn) evalStatus() ConnStatus {
 }
 
 func (conn *Conn) isConnectedOnAllWay() (connected bool) {
-	// would be better to protect this with a mutex, but it could cause deadlock with Close function
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
 
 	defer func() {
 		if !connected {

client/internal/peer/notifier.go

@@ -18,8 +18,6 @@ type notifier struct {
 	currentClientState bool
 	lastNotification   int
 	lastNumberOfPeers  int
-	lastFqdnAddress    string
-	lastIPAddress      string
 }
 
 func newNotifier() *notifier {
@@ -27,22 +25,15 @@ func newNotifier() *notifier {
 }
 
 func (n *notifier) setListener(listener Listener) {
-	n.serverStateLock.Lock()
-	lastNotification := n.lastNotification
-	numOfPeers := n.lastNumberOfPeers
-	fqdnAddress := n.lastFqdnAddress
-	address := n.lastIPAddress
-	n.serverStateLock.Unlock()
-
 	n.listenersLock.Lock()
 	defer n.listenersLock.Unlock()
 
-	n.listener = listener
+	n.serverStateLock.Lock()
+	n.notifyListener(listener, n.lastNotification)
+	listener.OnPeersListChanged(n.lastNumberOfPeers)
+	n.serverStateLock.Unlock()
 
-	listener.OnAddressChanged(fqdnAddress, address)
-	notifyListener(listener, lastNotification)
-	// run on go routine to avoid on Java layer to call go functions on same thread
-	go listener.OnPeersListChanged(numOfPeers)
+	n.listener = listener
 }
 
 func (n *notifier) removeListener() {
@@ -53,44 +44,41 @@ func (n *notifier) removeListener() {
 
 func (n *notifier) updateServerStates(mgmState bool, signalState bool) {
 	n.serverStateLock.Lock()
+	defer n.serverStateLock.Unlock()
+
 	calculatedState := n.calculateState(mgmState, signalState)
 
 	if !n.isServerStateChanged(calculatedState) {
-		n.serverStateLock.Unlock()
 		return
 	}
 
 	n.lastNotification = calculatedState
-	n.serverStateLock.Unlock()
 
-	n.notify(calculatedState)
+	n.notify(n.lastNotification)
 }
 
 func (n *notifier) clientStart() {
 	n.serverStateLock.Lock()
+	defer n.serverStateLock.Unlock()
 	n.currentClientState = true
 	n.lastNotification = stateConnecting
-	n.serverStateLock.Unlock()
-
-	n.notify(stateConnecting)
+	n.notify(n.lastNotification)
 }
 
 func (n *notifier) clientStop() {
 	n.serverStateLock.Lock()
+	defer n.serverStateLock.Unlock()
 	n.currentClientState = false
 	n.lastNotification = stateDisconnected
-	n.serverStateLock.Unlock()
-
-	n.notify(stateDisconnected)
+	n.notify(n.lastNotification)
 }
 
 func (n *notifier) clientTearDown() {
 	n.serverStateLock.Lock()
+	defer n.serverStateLock.Unlock()
 	n.currentClientState = false
 	n.lastNotification = stateDisconnecting
-	n.serverStateLock.Unlock()
-
-	n.notify(stateDisconnecting)
+	n.notify(n.lastNotification)
 }
 
 func (n *notifier) isServerStateChanged(newState int) bool {
@@ -99,14 +87,26 @@ func (n *notifier) isServerStateChanged(newState int) bool {
 
 func (n *notifier) notify(state int) {
 	n.listenersLock.Lock()
-	listener := n.listener
-	n.listenersLock.Unlock()
-
-	if listener == nil {
+	defer n.listenersLock.Unlock()
+	if n.listener == nil {
 		return
 	}
+	n.notifyListener(n.listener, state)
+}
 
-	notifyListener(listener, state)
+func (n *notifier) notifyListener(l Listener, state int) {
+	go func() {
+		switch state {
+		case stateDisconnected:
+			l.OnDisconnected()
+		case stateConnected:
+			l.OnConnected()
+		case stateConnecting:
+			l.OnConnecting()
+		case stateDisconnecting:
+			l.OnDisconnecting()
+		}
+	}()
 }
 
 func (n *notifier) calculateState(managementConn, signalConn bool) int {
@@ -126,48 +126,20 @@ func (n *notifier) calculateState(managementConn, signalConn bool) int {
 }
 
 func (n *notifier) peerListChanged(numOfPeers int) {
-	n.serverStateLock.Lock()
 	n.lastNumberOfPeers = numOfPeers
-	n.serverStateLock.Unlock()
-
 	n.listenersLock.Lock()
-	listener := n.listener
-	n.listenersLock.Unlock()
-
-	if listener == nil {
+	defer n.listenersLock.Unlock()
+	if n.listener == nil {
 		return
 	}
-
-	// run on go routine to avoid on Java layer to call go functions on same thread
-	go listener.OnPeersListChanged(numOfPeers)
+	n.listener.OnPeersListChanged(numOfPeers)
 }
 
 func (n *notifier) localAddressChanged(fqdn, address string) {
-	n.serverStateLock.Lock()
-	n.lastFqdnAddress = fqdn
-	n.lastIPAddress = address
-	n.serverStateLock.Unlock()
-
 	n.listenersLock.Lock()
-	listener := n.listener
-	n.listenersLock.Unlock()
-
-	if listener == nil {
+	defer n.listenersLock.Unlock()
+	if n.listener == nil {
 		return
 	}
-
-	listener.OnAddressChanged(fqdn, address)
-}
-
-func notifyListener(l Listener, state int) {
-	switch state {
-	case stateDisconnected:
-		l.OnDisconnected()
-	case stateConnected:
-		l.OnConnected()
-	case stateConnecting:
-		l.OnConnecting()
-	case stateDisconnecting:
-		l.OnDisconnecting()
-	}
+	n.listener.OnAddressChanged(fqdn, address)
 }

client/internal/peer/status.go

@@ -1,9 +1,7 @@
 package peer
 
 import (
-	"context"
 	"errors"
-	"fmt"
 	"net/netip"
 	"slices"
 	"sync"
@@ -33,21 +31,10 @@ type ResolvedDomainInfo struct {
 	ParentDomain domain.Domain
 }
 
-type WGIfaceStatus interface {
-	FullStats() (*configurer.Stats, error)
-}
-
 type EventListener interface {
 	OnEvent(event *proto.SystemEvent)
 }
 
-// RouterState status for router peers. This contains relevant fields for route manager
-type RouterState struct {
-	Status  ConnStatus
-	Relayed bool
-	Latency time.Duration
-}
-
 // State contains the latest state of a peer
 type State struct {
 	Mux                        *sync.RWMutex
@@ -159,32 +146,11 @@ type FullStatus struct {
 	LazyConnectionEnabled bool
 }
 
-type StatusChangeSubscription struct {
-	peerID     string
-	id         string
-	eventsChan chan map[string]RouterState
-	ctx        context.Context
-}
-
-func newStatusChangeSubscription(ctx context.Context, peerID string) *StatusChangeSubscription {
-	return &StatusChangeSubscription{
-		ctx:    ctx,
-		peerID: peerID,
-		id:     uuid.New().String(),
-		// it is a buffer for notifications to block less the status recorded
-		eventsChan: make(chan map[string]RouterState, 8),
-	}
-}
-
-func (s *StatusChangeSubscription) Events() chan map[string]RouterState {
-	return s.eventsChan
-}
-
 // Status holds a state of peers, signal, management connections and relays
 type Status struct {
 	mux                   sync.Mutex
 	peers                 map[string]State
-	changeNotify          map[string]map[string]*StatusChangeSubscription // map[peerID]map[subscriptionID]*StatusChangeSubscription
+	changeNotify          map[string]chan struct{}
 	signalState           bool
 	signalError           error
 	managementState       bool
@@ -215,14 +181,13 @@ type Status struct {
 	ingressGwMgr *ingressgw.Manager
 
 	routeIDLookup routeIDLookup
-	wgIface       WGIfaceStatus
 }
 
 // NewRecorder returns a new Status instance
 func NewRecorder(mgmAddress string) *Status {
 	return &Status{
 		peers:                 make(map[string]State),
-		changeNotify:          make(map[string]map[string]*StatusChangeSubscription),
+		changeNotify:          make(map[string]chan struct{}),
 		eventStreams:          make(map[string]chan *proto.SystemEvent),
 		eventQueue:            NewEventQueue(eventQueueSize),
 		offlinePeers:          make([]State, 0),
@@ -324,7 +289,11 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 		return errors.New("peer doesn't exist")
 	}
 
-	oldState := peerState.ConnStatus
+	if receivedState.IP != "" {
+		peerState.IP = receivedState.IP
+	}
+
+	skipNotification := shouldSkipNotify(receivedState.ConnStatus, peerState)
 
 	if receivedState.ConnStatus != peerState.ConnStatus {
 		peerState.ConnStatus = receivedState.ConnStatus
@@ -340,14 +309,11 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
-		d.notifyPeerListChanged()
+	if skipNotification {
+		return nil
 	}
 
-	// when we close the connection we will not notify the router manager
-	if receivedState.ConnStatus == StatusIdle {
-		d.notifyPeerStateChangeListeners(receivedState.PubKey)
-	}
+	d.notifyPeerListChanged()
 	return nil
 }
 
@@ -414,8 +380,11 @@ func (d *Status) UpdatePeerICEState(receivedState State) error {
 		return errors.New("peer doesn't exist")
 	}
 
-	oldState := peerState.ConnStatus
-	oldIsRelayed := peerState.Relayed
+	if receivedState.IP != "" {
+		peerState.IP = receivedState.IP
+	}
+
+	skipNotification := shouldSkipNotify(receivedState.ConnStatus, peerState)
 
 	peerState.ConnStatus = receivedState.ConnStatus
 	peerState.ConnStatusUpdate = receivedState.ConnStatusUpdate
@@ -428,13 +397,12 @@ func (d *Status) UpdatePeerICEState(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
-		d.notifyPeerListChanged()
+	if skipNotification {
+		return nil
 	}
 
-	if hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed) {
-		d.notifyPeerStateChangeListeners(receivedState.PubKey)
-	}
+	d.notifyPeerStateChangeListeners(receivedState.PubKey)
+	d.notifyPeerListChanged()
 	return nil
 }
 
@@ -447,8 +415,7 @@ func (d *Status) UpdatePeerRelayedState(receivedState State) error {
 		return errors.New("peer doesn't exist")
 	}
 
-	oldState := peerState.ConnStatus
-	oldIsRelayed := peerState.Relayed
+	skipNotification := shouldSkipNotify(receivedState.ConnStatus, peerState)
 
 	peerState.ConnStatus = receivedState.ConnStatus
 	peerState.ConnStatusUpdate = receivedState.ConnStatusUpdate
@@ -458,13 +425,12 @@ func (d *Status) UpdatePeerRelayedState(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
-		d.notifyPeerListChanged()
+	if skipNotification {
+		return nil
 	}
 
-	if hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed) {
-		d.notifyPeerStateChangeListeners(receivedState.PubKey)
-	}
+	d.notifyPeerStateChangeListeners(receivedState.PubKey)
+	d.notifyPeerListChanged()
 	return nil
 }
 
@@ -477,8 +443,7 @@ func (d *Status) UpdatePeerRelayedStateToDisconnected(receivedState State) error
 		return errors.New("peer doesn't exist")
 	}
 
-	oldState := peerState.ConnStatus
-	oldIsRelayed := peerState.Relayed
+	skipNotification := shouldSkipNotify(receivedState.ConnStatus, peerState)
 
 	peerState.ConnStatus = receivedState.ConnStatus
 	peerState.Relayed = receivedState.Relayed
@@ -487,13 +452,12 @@ func (d *Status) UpdatePeerRelayedStateToDisconnected(receivedState State) error
 
 	d.peers[receivedState.PubKey] = peerState
 
-	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
-		d.notifyPeerListChanged()
+	if skipNotification {
+		return nil
 	}
 
-	if hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed) {
-		d.notifyPeerStateChangeListeners(receivedState.PubKey)
-	}
+	d.notifyPeerStateChangeListeners(receivedState.PubKey)
+	d.notifyPeerListChanged()
 	return nil
 }
 
@@ -506,8 +470,7 @@ func (d *Status) UpdatePeerICEStateToDisconnected(receivedState State) error {
 		return errors.New("peer doesn't exist")
 	}
 
-	oldState := peerState.ConnStatus
-	oldIsRelayed := peerState.Relayed
+	skipNotification := shouldSkipNotify(receivedState.ConnStatus, peerState)
 
 	peerState.ConnStatus = receivedState.ConnStatus
 	peerState.Relayed = receivedState.Relayed
@@ -519,13 +482,12 @@ func (d *Status) UpdatePeerICEStateToDisconnected(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
-		d.notifyPeerListChanged()
+	if skipNotification {
+		return nil
 	}
 
-	if hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed) {
-		d.notifyPeerStateChangeListeners(receivedState.PubKey)
-	}
+	d.notifyPeerStateChangeListeners(receivedState.PubKey)
+	d.notifyPeerListChanged()
 	return nil
 }
 
@@ -548,12 +510,17 @@ func (d *Status) UpdateWireGuardPeerState(pubKey string, wgStats configurer.WGSt
 	return nil
 }
 
-func hasStatusOrRelayedChange(oldConnStatus, newConnStatus ConnStatus, oldRelayed, newRelayed bool) bool {
-	return oldRelayed != newRelayed || hasConnStatusChanged(newConnStatus, oldConnStatus)
-}
-
-func hasConnStatusChanged(oldStatus, newStatus ConnStatus) bool {
-	return newStatus != oldStatus
+func shouldSkipNotify(receivedConnStatus ConnStatus, curr State) bool {
+	switch {
+	case receivedConnStatus == StatusConnecting:
+		return true
+	case receivedConnStatus == StatusIdle && curr.ConnStatus == StatusConnecting:
+		return true
+	case receivedConnStatus == StatusIdle && curr.ConnStatus == StatusIdle:
+		return curr.IP != ""
+	default:
+		return false
+	}
 }
 
 // UpdatePeerFQDN update peer's state fqdn only
@@ -575,55 +542,30 @@ func (d *Status) UpdatePeerFQDN(peerPubKey, fqdn string) error {
 // FinishPeerListModifications this event invoke the notification
 func (d *Status) FinishPeerListModifications() {
 	d.mux.Lock()
-	defer d.mux.Unlock()
 
 	if !d.peerListChangedForNotification {
+		d.mux.Unlock()
 		return
 	}
 	d.peerListChangedForNotification = false
+	d.mux.Unlock()
 
 	d.notifyPeerListChanged()
-
-	for key := range d.peers {
-		d.notifyPeerStateChangeListeners(key)
-	}
 }
 
-func (d *Status) SubscribeToPeerStateChanges(ctx context.Context, peerID string) *StatusChangeSubscription {
+// GetPeerStateChangeNotifier returns a change notifier channel for a peer
+func (d *Status) GetPeerStateChangeNotifier(peer string) <-chan struct{} {
 	d.mux.Lock()
 	defer d.mux.Unlock()
 
-	sub := newStatusChangeSubscription(ctx, peerID)
-	if _, ok := d.changeNotify[peerID]; !ok {
-		d.changeNotify[peerID] = make(map[string]*StatusChangeSubscription)
-	}
-	d.changeNotify[peerID][sub.id] = sub
-
-	return sub
-}
-
-func (d *Status) UnsubscribePeerStateChanges(subscription *StatusChangeSubscription) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	if subscription == nil {
-		return
+	ch, found := d.changeNotify[peer]
+	if found {
+		return ch
 	}
 
-	channels, ok := d.changeNotify[subscription.peerID]
-	if !ok {
-		return
-	}
-
-	sub, exists := channels[subscription.id]
-	if !exists {
-		return
-	}
-
-	delete(channels, subscription.id)
-	if len(channels) == 0 {
-		delete(d.changeNotify, sub.peerID)
-	}
+	ch = make(chan struct{})
+	d.changeNotify[peer] = ch
+	return ch
 }
 
 // GetLocalPeerState returns the local peer state
@@ -998,33 +940,13 @@ func (d *Status) onConnectionChanged() {
 
 // notifyPeerStateChangeListeners notifies route manager about the change in peer state
 func (d *Status) notifyPeerStateChangeListeners(peerID string) {
-	subs, ok := d.changeNotify[peerID]
-	if !ok {
+	ch, found := d.changeNotify[peerID]
+	if !found {
 		return
 	}
 
-	// collect the relevant data for router peers
-	routerPeers := make(map[string]RouterState, len(d.changeNotify))
-	for pid := range d.changeNotify {
-		s, ok := d.peers[pid]
-		if !ok {
-			log.Warnf("router peer not found in peers list: %s", pid)
-			continue
-		}
-
-		routerPeers[pid] = RouterState{
-			Status:  s.ConnStatus,
-			Relayed: s.Relayed,
-			Latency: s.Latency,
-		}
-	}
-
-	for _, sub := range subs {
-		select {
-		case sub.eventsChan <- routerPeers:
-		case <-sub.ctx.Done():
-		}
-	}
+	close(ch)
+	delete(d.changeNotify, peerID)
 }
 
 func (d *Status) notifyPeerListChanged() {
@@ -1108,23 +1030,6 @@ func (d *Status) GetEventHistory() []*proto.SystemEvent {
 	return d.eventQueue.GetAll()
 }
 
-func (d *Status) SetWgIface(wgInterface WGIfaceStatus) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	d.wgIface = wgInterface
-}
-
-func (d *Status) PeersStatus() (*configurer.Stats, error) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-	if d.wgIface == nil {
-		return nil, fmt.Errorf("wgInterface is nil, cannot retrieve peers status")
-	}
-
-	return d.wgIface.FullStats()
-}
-
 type EventQueue struct {
 	maxSize int
 	events  []*proto.SystemEvent

client/internal/peer/status_test.go

@@ -1,11 +1,9 @@
 package peer
 
 import (
-	"context"
 	"errors"
 	"sync"
 	"testing"
-	"time"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -44,16 +42,16 @@ func TestGetPeer(t *testing.T) {
 func TestUpdatePeerState(t *testing.T) {
 	key := "abc"
 	ip := "10.10.10.10"
-	fqdn := "peer-a.netbird.local"
 	status := NewRecorder("https://mgm")
-	_ = status.AddPeer(key, fqdn, ip)
-
 	peerState := State{
-		PubKey:           key,
-		ConnStatusUpdate: time.Now(),
-		ConnStatus:       StatusConnecting,
+		PubKey: key,
+		Mux:    new(sync.RWMutex),
 	}
 
+	status.peers[key] = peerState
+
+	peerState.IP = ip
+
 	err := status.UpdatePeerState(peerState)
 	assert.NoError(t, err, "shouldn't return error")
 
@@ -85,27 +83,25 @@ func TestGetPeerStateChangeNotifierLogic(t *testing.T) {
 	key := "abc"
 	ip := "10.10.10.10"
 	status := NewRecorder("https://mgm")
-	_ = status.AddPeer(key, "abc.netbird", ip)
-
-	sub := status.SubscribeToPeerStateChanges(context.Background(), key)
-	assert.NotNil(t, sub, "channel shouldn't be nil")
-
 	peerState := State{
-		PubKey:           key,
-		ConnStatus:       StatusConnecting,
-		Relayed:          false,
-		ConnStatusUpdate: time.Now(),
+		PubKey: key,
+		Mux:    new(sync.RWMutex),
 	}
 
+	status.peers[key] = peerState
+
+	ch := status.GetPeerStateChangeNotifier(key)
+	assert.NotNil(t, ch, "channel shouldn't be nil")
+
+	peerState.IP = ip
+
 	err := status.UpdatePeerRelayedStateToDisconnected(peerState)
 	assert.NoError(t, err, "shouldn't return error")
 
-	timeoutCtx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
-	defer cancel()
 	select {
-	case <-sub.eventsChan:
-	case <-timeoutCtx.Done():
-		t.Errorf("timed out waiting for event")
+	case <-ch:
+	default:
+		t.Errorf("channel wasn't closed after update")
 	}
 }
 

client/internal/relay/relay.go

@@ -170,7 +170,7 @@ func ProbeAll(
 
 	var wg sync.WaitGroup
 	for i, uri := range relays {
-		ctx, cancel := context.WithTimeout(ctx, 6*time.Second)
+		ctx, cancel := context.WithTimeout(ctx, 2*time.Second)
 		defer cancel()
 
 		wg.Add(1)

client/internal/routemanager/client.go

@@ -0,0 +1,544 @@
+package routemanager
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"runtime"
+	"time"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	nbdns "github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/peerstore"
+	"github.com/netbirdio/netbird/client/internal/routemanager/dnsinterceptor"
+	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
+	"github.com/netbirdio/netbird/client/internal/routemanager/iface"
+	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
+	"github.com/netbirdio/netbird/client/internal/routemanager/static"
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/route"
+)
+
+const (
+	handlerTypeDynamic = iota
+	handlerTypeDomain
+	handlerTypeStatic
+)
+
+type reason int
+
+const (
+	reasonUnknown reason = iota
+	reasonRouteUpdate
+	reasonPeerUpdate
+	reasonShutdown
+)
+
+type routerPeerStatus struct {
+	connected bool
+	relayed   bool
+	latency   time.Duration
+}
+
+type routesUpdate struct {
+	updateSerial uint64
+	routes       []*route.Route
+}
+
+// RouteHandler defines the interface for handling routes
+type RouteHandler interface {
+	String() string
+	AddRoute(ctx context.Context) error
+	RemoveRoute() error
+	AddAllowedIPs(peerKey string) error
+	RemoveAllowedIPs() error
+}
+
+type clientNetwork struct {
+	ctx                 context.Context
+	cancel              context.CancelFunc
+	statusRecorder      *peer.Status
+	wgInterface         iface.WGIface
+	routes              map[route.ID]*route.Route
+	routeUpdate         chan routesUpdate
+	peerStateUpdate     chan struct{}
+	routePeersNotifiers map[string]chan struct{}
+	currentChosen       *route.Route
+	handler             RouteHandler
+	updateSerial        uint64
+}
+
+func newClientNetworkWatcher(
+	ctx context.Context,
+	dnsRouteInterval time.Duration,
+	wgInterface iface.WGIface,
+	statusRecorder *peer.Status,
+	rt *route.Route,
+	routeRefCounter *refcounter.RouteRefCounter,
+	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter,
+	dnsServer nbdns.Server,
+	peerStore *peerstore.Store,
+	useNewDNSRoute bool,
+) *clientNetwork {
+	ctx, cancel := context.WithCancel(ctx)
+
+	client := &clientNetwork{
+		ctx:                 ctx,
+		cancel:              cancel,
+		statusRecorder:      statusRecorder,
+		wgInterface:         wgInterface,
+		routes:              make(map[route.ID]*route.Route),
+		routePeersNotifiers: make(map[string]chan struct{}),
+		routeUpdate:         make(chan routesUpdate),
+		peerStateUpdate:     make(chan struct{}),
+		handler: handlerFromRoute(
+			rt,
+			routeRefCounter,
+			allowedIPsRefCounter,
+			dnsRouteInterval,
+			statusRecorder,
+			wgInterface,
+			dnsServer,
+			peerStore,
+			useNewDNSRoute,
+		),
+	}
+	return client
+}
+
+func (c *clientNetwork) getRouterPeerStatuses() map[route.ID]routerPeerStatus {
+	routePeerStatuses := make(map[route.ID]routerPeerStatus)
+	for _, r := range c.routes {
+		peerStatus, err := c.statusRecorder.GetPeer(r.Peer)
+		if err != nil {
+			log.Debugf("couldn't fetch peer state: %v", err)
+			continue
+		}
+		routePeerStatuses[r.ID] = routerPeerStatus{
+			connected: peerStatus.ConnStatus == peer.StatusConnected,
+			relayed:   peerStatus.Relayed,
+			latency:   peerStatus.Latency,
+		}
+	}
+	return routePeerStatuses
+}
+
+// getBestRouteFromStatuses determines the most optimal route from the available routes
+// within a clientNetwork, taking into account peer connection status, route metrics, and
+// preference for non-relayed and direct connections.
+//
+// It follows these prioritization rules:
+// * Connected peers: Only routes with connected peers are considered.
+// * Metric: Routes with lower metrics (better) are prioritized.
+// * Non-relayed: Routes without relays are preferred.
+// * Latency: Routes with lower latency are prioritized.
+// * we compare the current score + 10ms to the chosen score to avoid flapping between routes
+// * Stability: In case of equal scores, the currently active route (if any) is maintained.
+//
+// It returns the ID of the selected optimal route.
+func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[route.ID]routerPeerStatus) route.ID {
+	chosen := route.ID("")
+	chosenScore := float64(0)
+	currScore := float64(0)
+
+	currID := route.ID("")
+	if c.currentChosen != nil {
+		currID = c.currentChosen.ID
+	}
+
+	for _, r := range c.routes {
+		tempScore := float64(0)
+		peerStatus, found := routePeerStatuses[r.ID]
+		if !found || !peerStatus.connected {
+			continue
+		}
+
+		if r.Metric < route.MaxMetric {
+			metricDiff := route.MaxMetric - r.Metric
+			tempScore = float64(metricDiff) * 10
+		}
+
+		// in some temporal cases, latency can be 0, so we set it to 999ms to not block but try to avoid this route
+		latency := 999 * time.Millisecond
+		if peerStatus.latency != 0 {
+			latency = peerStatus.latency
+		} else {
+			log.Tracef("peer %s has 0 latency, range %s", r.Peer, c.handler)
+		}
+
+		// avoid negative tempScore on the higher latency calculation
+		if latency > 1*time.Second {
+			latency = 999 * time.Millisecond
+		}
+
+		// higher latency is worse score
+		tempScore += 1 - latency.Seconds()
+
+		if !peerStatus.relayed {
+			tempScore++
+		}
+
+		if tempScore > chosenScore || (tempScore == chosenScore && chosen == "") {
+			chosen = r.ID
+			chosenScore = tempScore
+		}
+
+		if chosen == "" && currID == "" {
+			chosen = r.ID
+			chosenScore = tempScore
+		}
+
+		if r.ID == currID {
+			currScore = tempScore
+		}
+	}
+
+	log.Debugf("chosen route: %s, chosen score: %f, current route: %s, current score: %f", chosen, chosenScore, currID, currScore)
+
+	switch {
+	case chosen == "":
+		var peers []string
+		for _, r := range c.routes {
+			peers = append(peers, r.Peer)
+		}
+
+		log.Warnf("The network [%v] has not been assigned a routing peer as no peers from the list %s are currently connected", c.handler, peers)
+	case chosen != currID:
+		// we compare the current score + 10ms to the chosen score to avoid flapping between routes
+		if currScore != 0 && currScore+0.01 > chosenScore {
+			log.Debugf("Keeping current routing peer because the score difference with latency is less than 0.01(10ms), current: %f, new: %f", currScore, chosenScore)
+			return currID
+		}
+		var p string
+		if rt := c.routes[chosen]; rt != nil {
+			p = rt.Peer
+		}
+		log.Infof("New chosen route is %s with peer %s with score %f for network [%v]", chosen, p, chosenScore, c.handler)
+	}
+
+	return chosen
+}
+
+func (c *clientNetwork) watchPeerStatusChanges(ctx context.Context, peerKey string, peerStateUpdate chan struct{}, closer chan struct{}) {
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-closer:
+			return
+		case <-c.statusRecorder.GetPeerStateChangeNotifier(peerKey):
+			state, err := c.statusRecorder.GetPeer(peerKey)
+			if err != nil || state.ConnStatus == peer.StatusConnecting {
+				continue
+			}
+			peerStateUpdate <- struct{}{}
+			log.Debugf("triggered route state update for Peer %s, state: %s", peerKey, state.ConnStatus)
+		}
+	}
+}
+
+func (c *clientNetwork) startPeersStatusChangeWatcher() {
+	for _, r := range c.routes {
+		_, found := c.routePeersNotifiers[r.Peer]
+		if found {
+			continue
+		}
+
+		closerChan := make(chan struct{})
+		c.routePeersNotifiers[r.Peer] = closerChan
+		go c.watchPeerStatusChanges(c.ctx, r.Peer, c.peerStateUpdate, closerChan)
+	}
+}
+
+func (c *clientNetwork) removeRouteFromWireGuardPeer() error {
+	if err := c.statusRecorder.RemovePeerStateRoute(c.currentChosen.Peer, c.handler.String()); err != nil {
+		log.Warnf("Failed to update peer state: %v", err)
+	}
+
+	if err := c.handler.RemoveAllowedIPs(); err != nil {
+		return fmt.Errorf("remove allowed IPs: %w", err)
+	}
+	return nil
+}
+
+func (c *clientNetwork) removeRouteFromPeerAndSystem(rsn reason) error {
+	if c.currentChosen == nil {
+		return nil
+	}
+
+	var merr *multierror.Error
+
+	if err := c.removeRouteFromWireGuardPeer(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove allowed IPs for peer %s: %w", c.currentChosen.Peer, err))
+	}
+	if err := c.handler.RemoveRoute(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove route: %w", err))
+	}
+
+	c.disconnectEvent(rsn)
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem(rsn reason) error {
+	routerPeerStatuses := c.getRouterPeerStatuses()
+
+	newChosenID := c.getBestRouteFromStatuses(routerPeerStatuses)
+
+	// If no route is chosen, remove the route from the peer and system
+	if newChosenID == "" {
+		if err := c.removeRouteFromPeerAndSystem(rsn); err != nil {
+			return fmt.Errorf("remove route for peer %s: %w", c.currentChosen.Peer, err)
+		}
+
+		c.currentChosen = nil
+
+		return nil
+	}
+
+	// If the chosen route is the same as the current route, do nothing
+	if c.currentChosen != nil && c.currentChosen.ID == newChosenID &&
+		c.currentChosen.Equal(c.routes[newChosenID]) {
+		return nil
+	}
+
+	var isNew bool
+	if c.currentChosen == nil {
+		// If they were not previously assigned to another peer, add routes to the system first
+		if err := c.handler.AddRoute(c.ctx); err != nil {
+			return fmt.Errorf("add route: %w", err)
+		}
+		isNew = true
+	} else {
+		// Otherwise, remove the allowed IPs from the previous peer first
+		if err := c.removeRouteFromWireGuardPeer(); err != nil {
+			return fmt.Errorf("remove allowed IPs for peer %s: %w", c.currentChosen.Peer, err)
+		}
+	}
+
+	c.currentChosen = c.routes[newChosenID]
+
+	if err := c.handler.AddAllowedIPs(c.currentChosen.Peer); err != nil {
+		return fmt.Errorf("add allowed IPs for peer %s: %w", c.currentChosen.Peer, err)
+	}
+
+	if isNew {
+		c.connectEvent()
+	}
+
+	err := c.statusRecorder.AddPeerStateRoute(c.currentChosen.Peer, c.handler.String(), c.currentChosen.GetResourceID())
+	if err != nil {
+		return fmt.Errorf("add peer state route: %w", err)
+	}
+	return nil
+}
+
+func (c *clientNetwork) connectEvent() {
+	var defaultRoute bool
+	for _, r := range c.routes {
+		if r.Network.Bits() == 0 {
+			defaultRoute = true
+			break
+		}
+	}
+
+	if !defaultRoute {
+		return
+	}
+
+	meta := map[string]string{
+		"network": c.handler.String(),
+	}
+	if c.currentChosen != nil {
+		meta["id"] = string(c.currentChosen.NetID)
+		meta["peer"] = c.currentChosen.Peer
+	}
+	c.statusRecorder.PublishEvent(
+		proto.SystemEvent_INFO,
+		proto.SystemEvent_NETWORK,
+		"Default route added",
+		"Exit node connected.",
+		meta,
+	)
+}
+
+func (c *clientNetwork) disconnectEvent(rsn reason) {
+	var defaultRoute bool
+	for _, r := range c.routes {
+		if r.Network.Bits() == 0 {
+			defaultRoute = true
+			break
+		}
+	}
+
+	if !defaultRoute {
+		return
+	}
+
+	var severity proto.SystemEvent_Severity
+	var message string
+	var userMessage string
+	meta := make(map[string]string)
+
+	if c.currentChosen != nil {
+		meta["id"] = string(c.currentChosen.NetID)
+		meta["peer"] = c.currentChosen.Peer
+	}
+	meta["network"] = c.handler.String()
+	switch rsn {
+	case reasonShutdown:
+		severity = proto.SystemEvent_INFO
+		message = "Default route removed"
+		userMessage = "Exit node disconnected."
+	case reasonRouteUpdate:
+		severity = proto.SystemEvent_INFO
+		message = "Default route updated due to configuration change"
+	case reasonPeerUpdate:
+		severity = proto.SystemEvent_WARNING
+		message = "Default route disconnected due to peer unreachability"
+		userMessage = "Exit node connection lost. Your internet access might be affected."
+	default:
+		severity = proto.SystemEvent_ERROR
+		message = "Default route disconnected for unknown reasons"
+		userMessage = "Exit node disconnected for unknown reasons."
+	}
+
+	c.statusRecorder.PublishEvent(
+		severity,
+		proto.SystemEvent_NETWORK,
+		message,
+		userMessage,
+		meta,
+	)
+}
+
+func (c *clientNetwork) sendUpdateToClientNetworkWatcher(update routesUpdate) {
+	go func() {
+		c.routeUpdate <- update
+	}()
+}
+
+func (c *clientNetwork) handleUpdate(update routesUpdate) bool {
+	isUpdateMapDifferent := false
+	updateMap := make(map[route.ID]*route.Route)
+
+	for _, r := range update.routes {
+		updateMap[r.ID] = r
+	}
+
+	if len(c.routes) != len(updateMap) {
+		isUpdateMapDifferent = true
+	}
+
+	for id, r := range c.routes {
+		_, found := updateMap[id]
+		if !found {
+			close(c.routePeersNotifiers[r.Peer])
+			delete(c.routePeersNotifiers, r.Peer)
+			isUpdateMapDifferent = true
+			continue
+		}
+		if !reflect.DeepEqual(c.routes[id], updateMap[id]) {
+			isUpdateMapDifferent = true
+		}
+	}
+
+	c.routes = updateMap
+	return isUpdateMapDifferent
+}
+
+// peersStateAndUpdateWatcher is the main point of reacting on client network routing events.
+// All the processing related to the client network should be done here. Thread-safe.
+func (c *clientNetwork) peersStateAndUpdateWatcher() {
+	for {
+		select {
+		case <-c.ctx.Done():
+			log.Debugf("Stopping watcher for network [%v]", c.handler)
+			if err := c.removeRouteFromPeerAndSystem(reasonShutdown); err != nil {
+				log.Errorf("Failed to remove routes for [%v]: %v", c.handler, err)
+			}
+			return
+		case <-c.peerStateUpdate:
+			err := c.recalculateRouteAndUpdatePeerAndSystem(reasonPeerUpdate)
+			if err != nil {
+				log.Errorf("Failed to recalculate routes for network [%v]: %v", c.handler, err)
+			}
+		case update := <-c.routeUpdate:
+			if update.updateSerial < c.updateSerial {
+				log.Warnf("Received a routes update with smaller serial number (%d -> %d), ignoring it", c.updateSerial, update.updateSerial)
+				continue
+			}
+
+			log.Debugf("Received a new client network route update for [%v]", c.handler)
+
+			// hash update somehow
+			isTrueRouteUpdate := c.handleUpdate(update)
+
+			c.updateSerial = update.updateSerial
+
+			if isTrueRouteUpdate {
+				log.Debug("Client network update contains different routes, recalculating routes")
+				err := c.recalculateRouteAndUpdatePeerAndSystem(reasonRouteUpdate)
+				if err != nil {
+					log.Errorf("Failed to recalculate routes for network [%v]: %v", c.handler, err)
+				}
+			} else {
+				log.Debug("Route update is not different, skipping route recalculation")
+			}
+
+			c.startPeersStatusChangeWatcher()
+		}
+	}
+}
+
+func handlerFromRoute(
+	rt *route.Route,
+	routeRefCounter *refcounter.RouteRefCounter,
+	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter,
+	dnsRouterInteval time.Duration,
+	statusRecorder *peer.Status,
+	wgInterface iface.WGIface,
+	dnsServer nbdns.Server,
+	peerStore *peerstore.Store,
+	useNewDNSRoute bool,
+) RouteHandler {
+	switch handlerType(rt, useNewDNSRoute) {
+	case handlerTypeDomain:
+		return dnsinterceptor.New(
+			rt,
+			routeRefCounter,
+			allowedIPsRefCounter,
+			statusRecorder,
+			dnsServer,
+			peerStore,
+		)
+	case handlerTypeDynamic:
+		dns := nbdns.NewServiceViaMemory(wgInterface)
+		return dynamic.NewRoute(
+			rt,
+			routeRefCounter,
+			allowedIPsRefCounter,
+			dnsRouterInteval,
+			statusRecorder,
+			wgInterface,
+			fmt.Sprintf("%s:%d", dns.RuntimeIP(), dns.RuntimePort()),
+		)
+	default:
+		return static.NewRoute(rt, routeRefCounter, allowedIPsRefCounter)
+	}
+}
+
+func handlerType(rt *route.Route, useNewDNSRoute bool) int {
+	if !rt.IsDynamic() {
+		return handlerTypeStatic
+	}
+
+	if useNewDNSRoute && runtime.GOOS != "ios" {
+		return handlerTypeDomain
+	}
+	return handlerTypeDynamic
+}

client/internal/routemanager/client/client.go

@@ -1,603 +0,0 @@
-package client
-
-import (
-	"context"
-	"fmt"
-	"reflect"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	nbdns "github.com/netbirdio/netbird/client/internal/dns"
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/peerstore"
-	"github.com/netbirdio/netbird/client/internal/routemanager/dnsinterceptor"
-	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
-	"github.com/netbirdio/netbird/client/internal/routemanager/iface"
-	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
-	"github.com/netbirdio/netbird/client/internal/routemanager/static"
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/route"
-)
-
-const (
-	handlerTypeDynamic = iota
-	handlerTypeDnsInterceptor
-	handlerTypeStatic
-)
-
-type reason int
-
-const (
-	reasonUnknown reason = iota
-	reasonRouteUpdate
-	reasonPeerUpdate
-	reasonShutdown
-	reasonHA
-)
-
-type routerPeerStatus struct {
-	status  peer.ConnStatus
-	relayed bool
-	latency time.Duration
-}
-
-type RoutesUpdate struct {
-	UpdateSerial uint64
-	Routes       []*route.Route
-}
-
-// RouteHandler defines the interface for handling routes
-type RouteHandler interface {
-	String() string
-	AddRoute(ctx context.Context) error
-	RemoveRoute() error
-	AddAllowedIPs(peerKey string) error
-	RemoveAllowedIPs() error
-}
-
-type WatcherConfig struct {
-	Context          context.Context
-	DNSRouteInterval time.Duration
-	WGInterface      iface.WGIface
-	StatusRecorder   *peer.Status
-	Route            *route.Route
-	Handler          RouteHandler
-}
-
-// Watcher watches route and peer changes and updates allowed IPs accordingly.
-// Once stopped, it cannot be reused.
-// The methods are not thread-safe and should be synchronized externally.
-type Watcher struct {
-	ctx                 context.Context
-	cancel              context.CancelFunc
-	statusRecorder      *peer.Status
-	wgInterface         iface.WGIface
-	routes              map[route.ID]*route.Route
-	routeUpdate         chan RoutesUpdate
-	peerStateUpdate     chan map[string]peer.RouterState
-	routePeersNotifiers map[string]chan struct{} // map of peer key to channel for peer state changes
-	currentChosen       *route.Route
-	currentChosenStatus *routerPeerStatus
-	handler             RouteHandler
-	updateSerial        uint64
-}
-
-func NewWatcher(config WatcherConfig) *Watcher {
-	ctx, cancel := context.WithCancel(config.Context)
-
-	client := &Watcher{
-		ctx:                 ctx,
-		cancel:              cancel,
-		statusRecorder:      config.StatusRecorder,
-		wgInterface:         config.WGInterface,
-		routes:              make(map[route.ID]*route.Route),
-		routePeersNotifiers: make(map[string]chan struct{}),
-		routeUpdate:         make(chan RoutesUpdate),
-		peerStateUpdate:     make(chan map[string]peer.RouterState),
-		handler:             config.Handler,
-		currentChosenStatus: nil,
-	}
-	return client
-}
-
-func (w *Watcher) getRouterPeerStatuses() map[route.ID]routerPeerStatus {
-	routePeerStatuses := make(map[route.ID]routerPeerStatus)
-	for _, r := range w.routes {
-		peerStatus, err := w.statusRecorder.GetPeer(r.Peer)
-		if err != nil {
-			log.Debugf("couldn't fetch peer state %v: %v", r.Peer, err)
-			continue
-		}
-		routePeerStatuses[r.ID] = routerPeerStatus{
-			status:  peerStatus.ConnStatus,
-			relayed: peerStatus.Relayed,
-			latency: peerStatus.Latency,
-		}
-	}
-	return routePeerStatuses
-}
-
-func (w *Watcher) convertRouterPeerStatuses(states map[string]peer.RouterState) map[route.ID]routerPeerStatus {
-	routePeerStatuses := make(map[route.ID]routerPeerStatus)
-	for _, r := range w.routes {
-		peerStatus, ok := states[r.Peer]
-		if !ok {
-			log.Warnf("couldn't fetch peer state: %v", r.Peer)
-			continue
-		}
-		routePeerStatuses[r.ID] = routerPeerStatus{
-			status:  peerStatus.Status,
-			relayed: peerStatus.Relayed,
-			latency: peerStatus.Latency,
-		}
-	}
-	return routePeerStatuses
-}
-
-// getBestRouteFromStatuses determines the most optimal route from the available routes
-// within a Watcher, taking into account peer connection status, route metrics, and
-// preference for non-relayed and direct connections.
-//
-// It follows these prioritization rules:
-// * Connection status: Both connected and idle peers are considered, but connected peers always take precedence.
-// * Idle peer penalty: Idle peers receive a significant score penalty to ensure any connected peer is preferred.
-// * Metric: Routes with lower metrics (better) are prioritized.
-// * Non-relayed: Routes without relays are preferred.
-// * Latency: Routes with lower latency are prioritized.
-// * Allowed IPs: Idle peers can still receive allowed IPs to enable lazy connection triggering.
-// * we compare the current score + 10ms to the chosen score to avoid flapping between routes
-// * Stability: In case of equal scores, the currently active route (if any) is maintained.
-//
-// It returns the ID of the selected optimal route.
-func (w *Watcher) getBestRouteFromStatuses(routePeerStatuses map[route.ID]routerPeerStatus) (route.ID, routerPeerStatus) {
-	var chosen route.ID
-	chosenScore := float64(0)
-	currScore := float64(0)
-
-	var currID route.ID
-	if w.currentChosen != nil {
-		currID = w.currentChosen.ID
-	}
-
-	var chosenStatus routerPeerStatus
-
-	for _, r := range w.routes {
-		tempScore := float64(0)
-		peerStatus, found := routePeerStatuses[r.ID]
-		// connecting status equals disconnected: no wireguard endpoint to assign allowed IPs to
-		if !found || peerStatus.status == peer.StatusConnecting {
-			continue
-		}
-
-		if r.Metric < route.MaxMetric {
-			metricDiff := route.MaxMetric - r.Metric
-			tempScore = float64(metricDiff) * 10
-		}
-
-		// in some temporal cases, latency can be 0, so we set it to 999ms to not block but try to avoid this route
-		latency := 999 * time.Millisecond
-		if peerStatus.latency != 0 {
-			latency = peerStatus.latency
-		} else if !peerStatus.relayed && peerStatus.status != peer.StatusIdle {
-			log.Tracef("peer %s has 0 latency: [%v]", r.Peer, w.handler)
-		}
-
-		// avoid negative tempScore on the higher latency calculation
-		if latency > 1*time.Second {
-			latency = 999 * time.Millisecond
-		}
-
-		// higher latency is worse score
-		tempScore += 1 - latency.Seconds()
-
-		// apply significant penalty for idle peers to ensure connected peers always take precedence
-		if peerStatus.status == peer.StatusConnected {
-			tempScore += 100_000
-		}
-
-		if !peerStatus.relayed {
-			tempScore++
-		}
-
-		if tempScore > chosenScore || (tempScore == chosenScore && chosen == "") {
-			chosen = r.ID
-			chosenStatus = peerStatus
-			chosenScore = tempScore
-		}
-
-		if chosen == "" && currID == "" {
-			chosen = r.ID
-			chosenStatus = peerStatus
-			chosenScore = tempScore
-		}
-
-		if r.ID == currID {
-			currScore = tempScore
-		}
-	}
-
-	chosenID := chosen
-	if chosen == "" {
-		chosenID = "<none>"
-	}
-	currentID := currID
-	if currID == "" {
-		currentID = "<none>"
-	}
-
-	log.Debugf("chosen route: %s, chosen score: %f, current route: %s, current score: %f", chosenID, chosenScore, currentID, currScore)
-
-	switch {
-	case chosen == "":
-		var peers []string
-		for _, r := range w.routes {
-			peers = append(peers, r.Peer)
-		}
-
-		log.Infof("network [%v] has not been assigned a routing peer as no peers from the list %s are currently available", w.handler, peers)
-	case chosen != currID:
-		// we compare the current score + 10ms to the chosen score to avoid flapping between routes
-		if currScore != 0 && currScore+0.01 > chosenScore {
-			log.Debugf("keeping current routing peer %s for [%v]: the score difference with latency is less than 0.01(10ms): current: %f, new: %f",
-				w.currentChosen.Peer, w.handler, currScore, chosenScore)
-			return currID, chosenStatus
-		}
-		var p string
-		if rt := w.routes[chosen]; rt != nil {
-			p = rt.Peer
-		}
-		log.Infof("New chosen route is %s with peer %s with score %f for network [%v]", chosen, p, chosenScore, w.handler)
-	}
-
-	return chosen, chosenStatus
-}
-
-func (w *Watcher) watchPeerStatusChanges(ctx context.Context, peerKey string, peerStateUpdate chan map[string]peer.RouterState, closer chan struct{}) {
-	subscription := w.statusRecorder.SubscribeToPeerStateChanges(ctx, peerKey)
-	defer w.statusRecorder.UnsubscribePeerStateChanges(subscription)
-
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-closer:
-			return
-		case routerStates := <-subscription.Events():
-			peerStateUpdate <- routerStates
-			log.Debugf("triggered route state update for Peer: %s", peerKey)
-		}
-	}
-}
-
-func (w *Watcher) startNewPeerStatusWatchers() {
-	for _, r := range w.routes {
-		if _, found := w.routePeersNotifiers[r.Peer]; found {
-			continue
-		}
-
-		closerChan := make(chan struct{})
-		w.routePeersNotifiers[r.Peer] = closerChan
-		go w.watchPeerStatusChanges(w.ctx, r.Peer, w.peerStateUpdate, closerChan)
-	}
-}
-
-// addAllowedIPs adds the allowed IPs for the current chosen route to the handler.
-func (w *Watcher) addAllowedIPs(route *route.Route) error {
-	if err := w.handler.AddAllowedIPs(route.Peer); err != nil {
-		return fmt.Errorf("add allowed IPs for peer %s: %w", route.Peer, err)
-	}
-
-	if err := w.statusRecorder.AddPeerStateRoute(route.Peer, w.handler.String(), route.GetResourceID()); err != nil {
-		log.Warnf("Failed to update peer state: %v", err)
-	}
-
-	w.connectEvent(route)
-	return nil
-}
-
-func (w *Watcher) removeAllowedIPs(route *route.Route, rsn reason) error {
-	if err := w.statusRecorder.RemovePeerStateRoute(route.Peer, w.handler.String()); err != nil {
-		log.Warnf("Failed to update peer state: %v", err)
-	}
-
-	if err := w.handler.RemoveAllowedIPs(); err != nil {
-		return fmt.Errorf("remove allowed IPs: %w", err)
-	}
-
-	w.disconnectEvent(route, rsn)
-
-	return nil
-}
-
-// shouldSkipRecalculation checks if we can skip route recalculation for the same route without status changes
-func (w *Watcher) shouldSkipRecalculation(newChosenID route.ID, newStatus routerPeerStatus) bool {
-	if w.currentChosen == nil {
-		return false
-	}
-
-	isSameRoute := w.currentChosen.ID == newChosenID && w.currentChosen.Equal(w.routes[newChosenID])
-	if !isSameRoute {
-		return false
-	}
-
-	if w.currentChosenStatus != nil {
-		return w.currentChosenStatus.status == newStatus.status
-	}
-
-	return true
-}
-
-func (w *Watcher) recalculateRoutes(rsn reason, routerPeerStatuses map[route.ID]routerPeerStatus) error {
-	newChosenID, newStatus := w.getBestRouteFromStatuses(routerPeerStatuses)
-
-	// If no route is chosen, remove the route from the peer
-	if newChosenID == "" {
-		if w.currentChosen == nil {
-			return nil
-		}
-
-		if err := w.removeAllowedIPs(w.currentChosen, rsn); err != nil {
-			return fmt.Errorf("remove obsolete: %w", err)
-		}
-
-		w.currentChosen = nil
-		w.currentChosenStatus = nil
-
-		return nil
-	}
-
-	// If we can skip recalculation for the same route without changes, do nothing
-	if w.shouldSkipRecalculation(newChosenID, newStatus) {
-		return nil
-	}
-
-	// If the chosen route was assigned to a different peer, remove the allowed IPs first
-	if isNew := w.currentChosen == nil; !isNew {
-		if err := w.removeAllowedIPs(w.currentChosen, reasonHA); err != nil {
-			return fmt.Errorf("remove old: %w", err)
-		}
-	}
-
-	newChosenRoute := w.routes[newChosenID]
-	if err := w.addAllowedIPs(newChosenRoute); err != nil {
-		return fmt.Errorf("add new: %w", err)
-	}
-	if newStatus.status != peer.StatusIdle {
-		w.connectEvent(newChosenRoute)
-	}
-
-	w.currentChosen = newChosenRoute
-	w.currentChosenStatus = &newStatus
-
-	return nil
-}
-
-func (w *Watcher) connectEvent(route *route.Route) {
-	var defaultRoute bool
-	for _, r := range w.routes {
-		if r.Network.Bits() == 0 {
-			defaultRoute = true
-			break
-		}
-	}
-
-	if !defaultRoute {
-		return
-	}
-
-	meta := map[string]string{
-		"network": w.handler.String(),
-	}
-	if route != nil {
-		meta["id"] = string(route.NetID)
-		meta["peer"] = route.Peer
-	}
-	w.statusRecorder.PublishEvent(
-		proto.SystemEvent_INFO,
-		proto.SystemEvent_NETWORK,
-		"Default route added",
-		"Exit node connected.",
-		meta,
-	)
-}
-
-func (w *Watcher) disconnectEvent(route *route.Route, rsn reason) {
-	var defaultRoute bool
-	for _, r := range w.routes {
-		if r.Network.Bits() == 0 {
-			defaultRoute = true
-			break
-		}
-	}
-
-	if !defaultRoute {
-		return
-	}
-
-	var severity proto.SystemEvent_Severity
-	var message string
-	var userMessage string
-	meta := make(map[string]string)
-
-	if route != nil {
-		meta["id"] = string(route.NetID)
-		meta["peer"] = route.Peer
-	}
-	meta["network"] = w.handler.String()
-	switch rsn {
-	case reasonShutdown:
-		severity = proto.SystemEvent_INFO
-		message = "Default route removed"
-		userMessage = "Exit node disconnected."
-	case reasonRouteUpdate:
-		severity = proto.SystemEvent_INFO
-		message = "Default route updated due to configuration change"
-	case reasonPeerUpdate:
-		severity = proto.SystemEvent_WARNING
-		message = "Default route disconnected due to peer unreachability"
-		userMessage = "Exit node connection lost. Your internet access might be affected."
-	case reasonHA:
-		severity = proto.SystemEvent_INFO
-		message = "Default route disconnected due to high availability change"
-		userMessage = "Exit node disconnected due to high availability change."
-	default:
-		severity = proto.SystemEvent_ERROR
-		message = "Default route disconnected for unknown reasons"
-		userMessage = "Exit node disconnected for unknown reasons."
-	}
-
-	w.statusRecorder.PublishEvent(
-		severity,
-		proto.SystemEvent_NETWORK,
-		message,
-		userMessage,
-		meta,
-	)
-}
-
-func (w *Watcher) SendUpdate(update RoutesUpdate) {
-	go func() {
-		select {
-		case w.routeUpdate <- update:
-		case <-w.ctx.Done():
-		}
-	}()
-}
-
-func (w *Watcher) classifyUpdate(update RoutesUpdate) bool {
-	isUpdateMapDifferent := false
-	updateMap := make(map[route.ID]*route.Route)
-
-	for _, r := range update.Routes {
-		updateMap[r.ID] = r
-	}
-
-	if len(w.routes) != len(updateMap) {
-		isUpdateMapDifferent = true
-	}
-
-	for id, r := range w.routes {
-		_, found := updateMap[id]
-		if !found {
-			close(w.routePeersNotifiers[r.Peer])
-			delete(w.routePeersNotifiers, r.Peer)
-			isUpdateMapDifferent = true
-			continue
-		}
-		if !reflect.DeepEqual(w.routes[id], updateMap[id]) {
-			isUpdateMapDifferent = true
-		}
-	}
-
-	w.routes = updateMap
-	return isUpdateMapDifferent
-}
-
-// Start is the main point of reacting on client network routing events.
-// All the processing related to the client network should be done here. Thread-safe.
-func (w *Watcher) Start() {
-	for {
-		select {
-		case <-w.ctx.Done():
-			return
-		case routersStates := <-w.peerStateUpdate:
-			routerPeerStatuses := w.convertRouterPeerStatuses(routersStates)
-			if err := w.recalculateRoutes(reasonPeerUpdate, routerPeerStatuses); err != nil {
-				log.Errorf("Failed to recalculate routes for network [%v]: %v", w.handler, err)
-			}
-		case update := <-w.routeUpdate:
-			if update.UpdateSerial < w.updateSerial {
-				log.Warnf("Received a routes update with smaller serial number (%d -> %d), ignoring it", w.updateSerial, update.UpdateSerial)
-				continue
-			}
-
-			w.handleRouteUpdate(update)
-		}
-	}
-}
-
-func (w *Watcher) handleRouteUpdate(update RoutesUpdate) {
-	log.Debugf("Received a new client network route update for [%v]", w.handler)
-
-	// hash update somehow
-	isTrueRouteUpdate := w.classifyUpdate(update)
-
-	w.updateSerial = update.UpdateSerial
-
-	if isTrueRouteUpdate {
-		log.Debugf("client network update %v for [%v] contains different routes, recalculating routes", update.UpdateSerial, w.handler)
-		routePeerStatuses := w.getRouterPeerStatuses()
-		if err := w.recalculateRoutes(reasonRouteUpdate, routePeerStatuses); err != nil {
-			log.Errorf("failed to recalculate routes for network [%v]: %v", w.handler, err)
-		}
-	} else {
-		log.Debugf("route update %v for [%v] is not different, skipping route recalculation", update.UpdateSerial, w.handler)
-	}
-
-	w.startNewPeerStatusWatchers()
-}
-
-// Stop stops the watcher and cleans up resources.
-func (w *Watcher) Stop() {
-	log.Debugf("Stopping watcher for network [%v]", w.handler)
-
-	w.cancel()
-
-	if w.currentChosen == nil {
-		return
-	}
-	if err := w.removeAllowedIPs(w.currentChosen, reasonShutdown); err != nil {
-		log.Errorf("Failed to remove routes for [%v]: %v", w.handler, err)
-	}
-	w.currentChosenStatus = nil
-}
-
-func HandlerFromRoute(
-	rt *route.Route,
-	routeRefCounter *refcounter.RouteRefCounter,
-	allowedIPsRefCounter *refcounter.AllowedIPsRefCounter,
-	dnsRouterInteval time.Duration,
-	statusRecorder *peer.Status,
-	wgInterface iface.WGIface,
-	dnsServer nbdns.Server,
-	peerStore *peerstore.Store,
-	useNewDNSRoute bool,
-) RouteHandler {
-	switch handlerType(rt, useNewDNSRoute) {
-	case handlerTypeDnsInterceptor:
-		return dnsinterceptor.New(
-			rt,
-			routeRefCounter,
-			allowedIPsRefCounter,
-			statusRecorder,
-			dnsServer,
-			wgInterface,
-			peerStore,
-		)
-	case handlerTypeDynamic:
-		dns := nbdns.NewServiceViaMemory(wgInterface)
-		return dynamic.NewRoute(
-			rt,
-			routeRefCounter,
-			allowedIPsRefCounter,
-			dnsRouterInteval,
-			statusRecorder,
-			wgInterface,
-			fmt.Sprintf("%s:%d", dns.RuntimeIP(), dns.RuntimePort()),
-		)
-	default:
-		return static.NewRoute(rt, routeRefCounter, allowedIPsRefCounter)
-	}
-}
-
-func handlerType(rt *route.Route, useNewDNSRoute bool) int {
-	if !rt.IsDynamic() {
-		return handlerTypeStatic
-	}
-
-	if useNewDNSRoute {
-		return handlerTypeDnsInterceptor
-	}
-	return handlerTypeDynamic
-}

client/internal/routemanager/client/client_bench_test.go

@@ -1,156 +0,0 @@
-package client
-
-import (
-	"context"
-	"fmt"
-	"net/netip"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/route"
-)
-
-type benchmarkTier struct {
-	name            string
-	peers           int
-	routes          int
-	haPeersPerGroup int
-}
-
-var benchmarkTiers = []benchmarkTier{
-	{"Small", 100, 50, 4},
-	{"Medium", 1000, 200, 16},
-	{"Large", 5000, 500, 32},
-}
-
-type mockRouteHandler struct {
-	network string
-}
-
-func (m *mockRouteHandler) String() string                 { return m.network }
-func (m *mockRouteHandler) AddRoute(context.Context) error { return nil }
-func (m *mockRouteHandler) RemoveRoute() error             { return nil }
-func (m *mockRouteHandler) AddAllowedIPs(string) error     { return nil }
-func (m *mockRouteHandler) RemoveAllowedIPs() error        { return nil }
-
-func generateBenchmarkData(tier benchmarkTier) (*peer.Status, map[route.ID]*route.Route) {
-	statusRecorder := peer.NewRecorder("test-mgm")
-	routes := make(map[route.ID]*route.Route)
-
-	peerKeys := make([]string, tier.peers)
-	for i := 0; i < tier.peers; i++ {
-		peerKey := fmt.Sprintf("peer-%d", i)
-		peerKeys[i] = peerKey
-		fqdn := fmt.Sprintf("peer-%d.example.com", i)
-		ip := fmt.Sprintf("10.0.%d.%d", i/256, i%256)
-
-		err := statusRecorder.AddPeer(peerKey, fqdn, ip)
-		if err != nil {
-			panic(fmt.Sprintf("failed to add peer: %v", err))
-		}
-
-		var status peer.ConnStatus
-		var latency time.Duration
-		relayed := false
-
-		switch i % 10 {
-		case 0, 1: // 20% disconnected
-			status = peer.StatusConnecting
-			latency = 0
-		case 2: // 10% idle
-			status = peer.StatusIdle
-			latency = 50 * time.Millisecond
-		case 3, 4: // 20% relayed
-			status = peer.StatusConnected
-			relayed = true
-			latency = time.Duration(50+i%100) * time.Millisecond
-		default: // 50% direct connection
-			status = peer.StatusConnected
-			latency = time.Duration(10+i%40) * time.Millisecond
-		}
-
-		// Update peer state
-		state := peer.State{
-			PubKey:           peerKey,
-			IP:               ip,
-			FQDN:             fqdn,
-			ConnStatus:       status,
-			ConnStatusUpdate: time.Now(),
-			Relayed:          relayed,
-			Latency:          latency,
-			Mux:              &sync.RWMutex{},
-		}
-
-		err = statusRecorder.UpdatePeerState(state)
-		if err != nil {
-			panic(fmt.Sprintf("failed to update peer state: %v", err))
-		}
-	}
-
-	routeID := 0
-	for i := 0; i < tier.routes; i++ {
-		network := fmt.Sprintf("192.168.%d.0/24", i%256)
-		prefix := netip.MustParsePrefix(network)
-
-		haGroupSize := 1
-		if i%4 == 0 { // 25% of routes have HA
-			haGroupSize = tier.haPeersPerGroup
-		}
-
-		for j := 0; j < haGroupSize; j++ {
-			peerIndex := (i*tier.haPeersPerGroup + j) % tier.peers
-			peerKey := peerKeys[peerIndex]
-
-			rID := route.ID(fmt.Sprintf("route-%d-%d", i, j))
-
-			metric := 100 + j*10
-
-			routes[rID] = &route.Route{
-				ID:      rID,
-				Network: prefix,
-				Peer:    peerKey,
-				Metric:  metric,
-				NetID:   route.NetID(fmt.Sprintf("net-%d", i)),
-			}
-			routeID++
-		}
-	}
-
-	return statusRecorder, routes
-}
-
-// Benchmark the optimized recalculate routes
-func BenchmarkRecalculateRoutes(b *testing.B) {
-	for _, tier := range benchmarkTiers {
-		b.Run(tier.name, func(b *testing.B) {
-			statusRecorder, routes := generateBenchmarkData(tier)
-
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			watcher := &Watcher{
-				ctx:                 ctx,
-				statusRecorder:      statusRecorder,
-				routes:              routes,
-				routePeersNotifiers: make(map[string]chan struct{}),
-				routeUpdate:         make(chan RoutesUpdate),
-				peerStateUpdate:     make(chan map[string]peer.RouterState),
-				handler:             &mockRouteHandler{network: "benchmark"},
-				currentChosenStatus: nil,
-			}
-
-			b.ResetTimer()
-			b.ReportAllocs()
-
-			routePeerStatuses := watcher.getRouterPeerStatuses()
-			for i := 0; i < b.N; i++ {
-				err := watcher.recalculateRoutes(reasonPeerUpdate, routePeerStatuses)
-				if err != nil {
-					b.Fatalf("recalculateRoutes failed: %v", err)
-				}
-			}
-		})
-	}
-}

client/internal/routemanager/client/client_test.go

@@ -1,827 +0,0 @@
-package client
-
-import (
-	"fmt"
-	"net/netip"
-	"testing"
-	"time"
-
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/routemanager/static"
-	"github.com/netbirdio/netbird/route"
-)
-
-func TestGetBestrouteFromStatuses(t *testing.T) {
-
-	testCases := []struct {
-		name            string
-		statuses        map[route.ID]routerPeerStatus
-		expectedRouteID route.ID
-		currentRoute    route.ID
-		existingRoutes  map[route.ID]*route.Route
-	}{
-		{
-			name: "one route",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnected,
-					relayed: false,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "one connected routes with relayed and direct",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnected,
-					relayed: true,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "one connected routes with relayed and no direct",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnected,
-					relayed: true,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "no connected peers",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnecting,
-					relayed: false,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "",
-		},
-		{
-			name: "multiple connected peers with different metrics",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnected,
-					relayed: false,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					relayed: false,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: 9000,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "multiple connected peers with one relayed",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnected,
-					relayed: false,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					relayed: true,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "multiple connected peers with different latencies",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnected,
-					latency: 300 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					latency: 10 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route2",
-		},
-		{
-			name: "should ignore routes with latency 0",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnected,
-					latency: 0 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					latency: 10 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route2",
-		},
-		{
-			name: "current route with similar score and similar but slightly worse latency should not change",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnected,
-					relayed: false,
-					latency: 15 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "route1",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "relayed routes with latency 0 should maintain previous choice",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnected,
-					relayed: true,
-					latency: 0 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					relayed: true,
-					latency: 0 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "route1",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "p2p routes with latency 0 should maintain previous choice",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnected,
-					relayed: false,
-					latency: 0 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					relayed: false,
-					latency: 0 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "route1",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "current route with bad score should be changed to route with better score",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnected,
-					relayed: false,
-					latency: 200 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "route1",
-			expectedRouteID: "route2",
-		},
-		{
-			name: "current chosen route doesn't exist anymore",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnected,
-					relayed: false,
-					latency: 20 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "routeDoesntExistAnymore",
-			expectedRouteID: "route2",
-		},
-		{
-			name: "connected peer should be preferred over idle peer",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					relayed: false,
-					latency: 100 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route2",
-		},
-		{
-			name: "idle peer should be selected when no connected peers",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnecting,
-					relayed: false,
-					latency: 5 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "best idle peer should be selected among multiple idle peers",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 100 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route2",
-		},
-		{
-			name: "connecting peers should not be considered for routing",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnecting,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnecting,
-					relayed: false,
-					latency: 5 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "",
-		},
-		{
-			name: "mixed statuses - connected wins over idle and connecting",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusConnecting,
-					relayed: false,
-					latency: 5 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-				"route3": {
-					status:  peer.StatusConnected,
-					relayed: true,
-					latency: 200 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-				"route3": {
-					ID:     "route3",
-					Metric: route.MaxMetric,
-					Peer:   "peer3",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route3",
-		},
-		{
-			name: "idle peer with better metric should win over idle peer with worse metric",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 50 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 50 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: 5000,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "current idle route should be maintained for similar scores",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 20 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 15 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "route1",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "idle peer with zero latency should still be considered",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 0 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnecting,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "direct idle peer preferred over relayed idle peer",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusIdle,
-					relayed: true,
-					latency: 10 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 50 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route2",
-		},
-		{
-			name: "connected peer with worse metric still beats idle peer with better metric",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					relayed: false,
-					latency: 50 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: 1000,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route2",
-		},
-		{
-			name: "connected peer wins even when idle peer has all advantages",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 1 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					relayed: true,
-					latency: 30 * time.Minute,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: 1,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route2",
-		},
-		{
-			name: "connected peer should be preferred over idle peer",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnected,
-					relayed: false,
-					latency: 100 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route2",
-		},
-		{
-			name: "idle peer should be selected when no connected peers",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusConnecting,
-					relayed: false,
-					latency: 5 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route1",
-		},
-		{
-			name: "best idle peer should be selected among multiple idle peers",
-			statuses: map[route.ID]routerPeerStatus{
-				"route1": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 100 * time.Millisecond,
-				},
-				"route2": {
-					status:  peer.StatusIdle,
-					relayed: false,
-					latency: 10 * time.Millisecond,
-				},
-			},
-			existingRoutes: map[route.ID]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    "",
-			expectedRouteID: "route2",
-		},
-	}
-
-	// fill the test data with random routes
-	for _, tc := range testCases {
-		for i := 0; i < 50; i++ {
-			dummyRoute := &route.Route{
-				ID:     route.ID(fmt.Sprintf("dummy_p1_%d", i)),
-				Metric: route.MinMetric,
-				Peer:   fmt.Sprintf("dummy_p1_%d", i),
-			}
-			tc.existingRoutes[dummyRoute.ID] = dummyRoute
-		}
-		for i := 0; i < 50; i++ {
-			dummyRoute := &route.Route{
-				ID:     route.ID(fmt.Sprintf("dummy_p2_%d", i)),
-				Metric: route.MinMetric,
-				Peer:   fmt.Sprintf("dummy_p1_%d", i),
-			}
-			tc.existingRoutes[dummyRoute.ID] = dummyRoute
-		}
-
-		for i := 0; i < 50; i++ {
-			id := route.ID(fmt.Sprintf("dummy_p1_%d", i))
-			dummyStatus := routerPeerStatus{
-				status:  peer.StatusConnecting,
-				relayed: true,
-				latency: 0,
-			}
-			tc.statuses[id] = dummyStatus
-		}
-		for i := 0; i < 50; i++ {
-			id := route.ID(fmt.Sprintf("dummy_p2_%d", i))
-			dummyStatus := routerPeerStatus{
-				status:  peer.StatusConnecting,
-				relayed: true,
-				latency: 0,
-			}
-			tc.statuses[id] = dummyStatus
-		}
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			currentRoute := &route.Route{
-				ID: "routeDoesntExistAnymore",
-			}
-			if tc.currentRoute != "" {
-				currentRoute = tc.existingRoutes[tc.currentRoute]
-			}
-
-			// create new clientNetwork
-			client := &Watcher{
-				handler:       static.NewRoute(&route.Route{Network: netip.MustParsePrefix("192.168.0.0/24")}, nil, nil),
-				routes:        tc.existingRoutes,
-				currentChosen: currentRoute,
-			}
-
-			chosenRoute, _ := client.getBestRouteFromStatuses(tc.statuses)
-			if chosenRoute != tc.expectedRouteID {
-				t.Errorf("expected routeID %s, got %s", tc.expectedRouteID, chosenRoute)
-			}
-		})
-	}
-}

client/internal/routemanager/client_test.go

@@ -0,0 +1,410 @@
+package routemanager
+
+import (
+	"fmt"
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager/static"
+	"github.com/netbirdio/netbird/route"
+)
+
+func TestGetBestrouteFromStatuses(t *testing.T) {
+
+	testCases := []struct {
+		name            string
+		statuses        map[route.ID]routerPeerStatus
+		expectedRouteID route.ID
+		currentRoute    route.ID
+		existingRoutes  map[route.ID]*route.Route
+	}{
+		{
+			name: "one route",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "one connected routes with relayed and direct",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   true,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "one connected routes with relayed and no direct",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   true,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "no connected peers",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: false,
+					relayed:   false,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "",
+		},
+		{
+			name: "multiple connected peers with different metrics",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: 9000,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "multiple connected peers with one relayed",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+				},
+				"route2": {
+					connected: true,
+					relayed:   true,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "multiple connected peers with different latencies",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					latency:   300 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route2",
+		},
+		{
+			name: "should ignore routes with latency 0",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					latency:   0 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route2",
+		},
+		{
+			name: "current route with similar score and similar but slightly worse latency should not change",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					latency:   15 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "route1",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "relayed routes with latency 0 should maintain previous choice",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   true,
+					latency:   0 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   true,
+					latency:   0 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "route1",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "p2p routes with latency 0 should maintain previous choice",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					latency:   0 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					latency:   0 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "route1",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "current route with bad score should be changed to route with better score",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					latency:   200 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "route1",
+			expectedRouteID: "route2",
+		},
+		{
+			name: "current chosen route doesn't exist anymore",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					latency:   20 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "routeDoesntExistAnymore",
+			expectedRouteID: "route2",
+		},
+	}
+
+	// fill the test data with random routes
+	for _, tc := range testCases {
+		for i := 0; i < 50; i++ {
+			dummyRoute := &route.Route{
+				ID:     route.ID(fmt.Sprintf("dummy_p1_%d", i)),
+				Metric: route.MinMetric,
+				Peer:   fmt.Sprintf("dummy_p1_%d", i),
+			}
+			tc.existingRoutes[dummyRoute.ID] = dummyRoute
+		}
+		for i := 0; i < 50; i++ {
+			dummyRoute := &route.Route{
+				ID:     route.ID(fmt.Sprintf("dummy_p2_%d", i)),
+				Metric: route.MinMetric,
+				Peer:   fmt.Sprintf("dummy_p1_%d", i),
+			}
+			tc.existingRoutes[dummyRoute.ID] = dummyRoute
+		}
+
+		for i := 0; i < 50; i++ {
+			id := route.ID(fmt.Sprintf("dummy_p1_%d", i))
+			dummyStatus := routerPeerStatus{
+				connected: false,
+				relayed:   true,
+				latency:   0,
+			}
+			tc.statuses[id] = dummyStatus
+		}
+		for i := 0; i < 50; i++ {
+			id := route.ID(fmt.Sprintf("dummy_p2_%d", i))
+			dummyStatus := routerPeerStatus{
+				connected: false,
+				relayed:   true,
+				latency:   0,
+			}
+			tc.statuses[id] = dummyStatus
+		}
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			currentRoute := &route.Route{
+				ID: "routeDoesntExistAnymore",
+			}
+			if tc.currentRoute != "" {
+				currentRoute = tc.existingRoutes[tc.currentRoute]
+			}
+
+			// create new clientNetwork
+			client := &clientNetwork{
+				handler:       static.NewRoute(&route.Route{Network: netip.MustParsePrefix("192.168.0.0/24")}, nil, nil),
+				routes:        tc.existingRoutes,
+				currentChosen: currentRoute,
+			}
+
+			chosenRoute := client.getBestRouteFromStatuses(tc.statuses)
+			if chosenRoute != tc.expectedRouteID {
+				t.Errorf("expected routeID %s, got %s", tc.expectedRouteID, chosenRoute)
+			}
+		})
+	}
+}