Trigger

2026-04-12 12:36:15 -04:00 · 2026-01-20 17:47:51 +01:00
851 changed files with 7889 additions and 138121 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +0,0 @@
-.env
-.env.*
-*.pem
-*.key
-*.crt
-*.p12
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,14 +0,0 @@
-blank_issues_enabled: true
-contact_links:
-  - name: Community Support
-    url: https://forum.netbird.io/
-    about: Community support forum
-  - name: Cloud Support
-    url: https://docs.netbird.io/help/report-bug-issues
-    about: Contact us for support
-  - name: Client/Connection Troubleshooting
-    url: https://docs.netbird.io/help/troubleshooting-client
-    about: See our client troubleshooting guide for help addressing common issues
-  - name: Self-host Troubleshooting
-    url: https://docs.netbird.io/selfhosted/troubleshooting
-    about: See our self-host troubleshooting guide for help addressing common issues
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -23,7 +23,7 @@ jobs:

      - name: Check for problematic license dependencies
        run: |
-          echo "Checking for dependencies on management/, signal/, relay/, and proxy/ packages..."
+          echo "Checking for dependencies on management/, signal/, and relay/ packages..."
          echo ""

          # Find all directories except the problematic ones and system dirs
@@ -31,7 +31,7 @@ jobs:
          while IFS= read -r dir; do
            echo "=== Checking $dir ==="
            # Search for problematic imports, excluding test files
-            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" | grep -v "tools/idp-migrate/" || true)
+            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
            if [ -n "$RESULTS" ]; then
              echo "❌ Found problematic dependencies:"
              echo "$RESULTS"
@@ -39,11 +39,11 @@ jobs:
            else
              echo "✓ No problematic dependencies found"
            fi
-          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name "combined" -not -name ".git*" | sort)
+          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort)

          echo ""
          if [ $FOUND_ISSUES -eq 1 ]; then
-            echo "❌ Found dependencies on management/, signal/, relay/, or proxy/ packages"
+            echo "❌ Found dependencies on management/, signal/, or relay/ packages"
            echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
            exit 1
          else
@@ -88,7 +88,7 @@ jobs:
              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")

              # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\)" | head -1)

              if [ -n "$BSD_IMPORTER" ]; then
                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -43,5 +43,5 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v /management)

--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -46,5 +46,6 @@ jobs:
            time go test -timeout 1m -failfast ./client/iface/...
            time go test -timeout 1m -failfast ./route/...
            time go test -timeout 1m -failfast ./sharedsock/...
+            time go test -timeout 1m -failfast ./signal/...
            time go test -timeout 1m -failfast ./util/...
            time go test -timeout 1m -failfast ./version/...
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -97,16 +97,6 @@ jobs:
        working-directory: relay
        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .

-      - name: Build combined
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build combined 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 GOARCH=386 go build -o combined-386 .
-
  test:
    name: "Client / Unit"
    needs: [build-cache]
@@ -154,7 +144,7 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)

  test_client_on_docker:
    name: "Client (Docker) / Unit"
@@ -214,7 +204,7 @@ jobs:
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
            '

  test_relay:
@@ -271,53 +261,6 @@ jobs:
            -exec 'sudo' \
            -timeout 10m -p 1 ./relay/... ./shared/relay/...

-  test_proxy:
-    name: "Proxy / Unit"
-    needs: [build-cache]
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ '386','amd64' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: "go.mod"
-          cache: false
-
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: check git status
-        run: git --no-pager diff --exit-code
-
-      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          go test -timeout 10m -p 1 ./proxy/...
-
  test_signal:
    name: "Signal / Unit"
    needs: [build-cache]
@@ -409,19 +352,12 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
-
      - name: download mysql image
        if: matrix.store == 'mysql'
        run: docker pull mlsmaycon/warmed-mysql:8
@@ -504,18 +440,15 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
        run: |
@@ -596,18 +529,15 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
        run: |
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -63,15 +63,10 @@ jobs:
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - name: Generate test script
-        run: |
-          $packages = go list ./... | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' }
-          $goExe = "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe"
-          $cmd = "$goExe test -tags=devcert -timeout 10m -p 1 $($packages -join ' ') > test-out.txt 2>&1"
-          Set-Content -Path "${{ github.workspace }}\run-tests.cmd" -Value $cmd
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' })" >> $env:GITHUB_ENV

      - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "${{ github.workspace }}\run-tests.cmd"
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
      - name: test output
        if: ${{ always() }}
        run: Get-Content test-out.txt
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,8 +19,8 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA
-          skip: go.mod,go.sum,**/proxy/web/**
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros
+          skip: go.mod,go.sum
  golangci:
    strategy:
      fail-fast: false
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -1,51 +0,0 @@
-name: PR Title Check
-
-on:
-  pull_request:
-    types: [opened, edited, synchronize, reopened]
-
-jobs:
-  check-title:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Validate PR title prefix
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const title = context.payload.pull_request.title;
-            const allowedTags = [
-              'management',
-              'client',
-              'signal',
-              'proxy',
-              'relay',
-              'misc',
-              'infrastructure',
-              'self-hosted',
-              'doc',
-            ];
-
-            const pattern = /^\[([^\]]+)\]\s+.+/;
-            const match = title.match(pattern);
-
-            if (!match) {
-              core.setFailed(
-                `PR title must start with a tag in brackets.\n` +
-                `Example: [client] fix something\n` +
-                `Allowed tags: ${allowedTags.join(', ')}`
-              );
-              return;
-            }
-
-            const tags = match[1].split(',').map(t => t.trim().toLowerCase());
-
-            const invalid = tags.filter(t => !allowedTags.includes(t));
-            if (invalid.length > 0) {
-              core.setFailed(
-                `Invalid tag(s): ${invalid.join(', ')}\n` +
-                `Allowed tags: ${allowedTags.join(', ')}`
-              );
-              return;
-            }
-
-            console.log(`Valid PR title tags: [${tags.join(', ')}]`);
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,8 +9,8 @@ on:
  pull_request:

 env:
-  SIGN_PIPE_VER: "v0.1.1"
-  GORELEASER_VER: "v2.14.3"
+  SIGN_PIPE_VER: "v0.1.0"
+  GORELEASER_VER: "v2.3.2"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"

@@ -160,7 +160,7 @@ jobs:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@@ -169,14 +169,6 @@ jobs:
      - name: Install OS build dependencies
        run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu

-      - name: Decode GPG signing key
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        env:
-          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
-        run: |
-          echo "$GPG_RPM_PRIVATE_KEY" | base64 -d > /tmp/gpg-rpm-signing-key.asc
-          echo "GPG_RPM_KEY_FILE=/tmp/gpg-rpm-signing-key.asc" >> $GITHUB_ENV
-
      - name: Install goversioninfo
        run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
      - name: Generate windows syso amd64
@@ -184,7 +176,6 @@ jobs:
      - name: Generate windows syso arm64
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
-        id: goreleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
@@ -194,55 +185,6 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
-          NFPM_NETBIRD_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
-      - name: Verify RPM signatures
-        run: |
-          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
-            dnf install -y -q rpm-sign curl >/dev/null 2>&1
-            curl -sSL https://pkgs.netbird.io/yum/repodata/repomd.xml.key -o /tmp/rpm-pub.key
-            rpm --import /tmp/rpm-pub.key
-            echo "=== Verifying RPM signatures ==="
-            for rpm_file in /dist/*amd64*.rpm; do
-              [ -f "$rpm_file" ] || continue
-              echo "--- $(basename $rpm_file) ---"
-              rpm -K "$rpm_file"
-            done
-          '
-      - name: Clean up GPG key
-        if: always()
-        run: rm -f /tmp/gpg-rpm-signing-key.asc
-      - name: Tag and push images (amd64 only)
-        if: |
-          (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
-          (github.event_name == 'push' && github.ref == 'refs/heads/main')
-        run: |
-          resolve_tags() {
-            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              echo "pr-${{ github.event.pull_request.number }}"
-            else
-              echo "main sha-$(git rev-parse --short HEAD)"
-            fi
-          }
-
-          tag_and_push() {
-            local src="$1" img_name tag dst
-            img_name="${src%%:*}"
-            for tag in $(resolve_tags); do
-              dst="${img_name}:${tag}"
-              echo "Tagging ${src} -> ${dst}"
-              docker tag "$src" "$dst"
-              docker push "$dst"
-            done
-          }
-
-          export -f tag_and_push resolve_tags
-
-          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
-            grep '^ghcr.io/' | while read -r SRC; do
-              tag_and_push "$SRC"
-            done
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
@@ -309,14 +251,6 @@ jobs:
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64

-      - name: Decode GPG signing key
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        env:
-          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
-        run: |
-          echo "$GPG_RPM_PRIVATE_KEY" | base64 -d > /tmp/gpg-rpm-signing-key.asc
-          echo "GPG_RPM_KEY_FILE=/tmp/gpg-rpm-signing-key.asc" >> $GITHUB_ENV
-
      - name: Install LLVM-MinGW for ARM64 cross-compilation
        run: |
          cd /tmp
@@ -341,24 +275,6 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
-          NFPM_NETBIRD_UI_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
-      - name: Verify RPM signatures
-        run: |
-          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
-            dnf install -y -q rpm-sign curl >/dev/null 2>&1
-            curl -sSL https://pkgs.netbird.io/yum/repodata/repomd.xml.key -o /tmp/rpm-pub.key
-            rpm --import /tmp/rpm-pub.key
-            echo "=== Verifying RPM signatures ==="
-            for rpm_file in /dist/*.rpm; do
-              [ -f "$rpm_file" ] || continue
-              echo "--- $(basename $rpm_file) ---"
-              rpm -K "$rpm_file"
-            done
-          '
-      - name: Clean up GPG key
-        if: always()
-        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -61,8 +61,8 @@ jobs:

          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"

-          if [ ${SIZE} -gt 58720256 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
+          if [ ${SIZE} -gt 57671680 ]; then
+            echo "Wasm binary size (${SIZE_MB}MB) exceeds 55MB limit!"
            exit 1
          fi

--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,6 @@
 .run
 *.iml
 dist/
-!proxy/web/dist/
 bin/
 .env
 conf.json
@@ -33,5 +32,3 @@ infrastructure_files/setup-*.env
 vendor/
 /netbird
 client/netbird-electron/
-management/server/types/testdata/comparison/
-management/server/types/testdata/*.json
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -106,26 +106,6 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"

-  - id: netbird-server
-    dir: combined
-    env:
-      - CGO_ENABLED=1
-      - >-
-        {{- if eq .Runtime.Goos "linux" }}
-          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
-          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
-        {{- end }}
-    binary: netbird-server
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
  - id: netbird-upload
    dir: upload-server
    env: [CGO_ENABLED=0]
@@ -140,40 +120,6 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"

-  - id: netbird-proxy
-    dir: proxy/cmd/proxy
-    env: [CGO_ENABLED=0]
-    binary: netbird-proxy
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
-  - id: netbird-idp-migrate
-    dir: tools/idp-migrate
-    env:
-      - CGO_ENABLED=1
-      - >-
-        {{- if eq .Runtime.Goos "linux" }}
-          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
-          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
-        {{- end }}
-    binary: netbird-idp-migrate
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
 universal_binaries:
  - id: netbird

@@ -186,22 +132,18 @@ archives:
      - netbird-wasm
    name_template: "{{ .ProjectName }}_{{ .Version }}"
    format: binary
-  - id: netbird-idp-migrate
-    builds:
-      - netbird-idp-migrate
-    name_template: "netbird-idp-migrate_{{ .Version }}_{{ .Os }}_{{ .Arch }}"

 nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
-    license: BSD-3-Clause
-    id: netbird_deb
+    id: netbird-deb
    bindir: /usr/bin
    builds:
      - netbird
    formats:
      - deb
+
    scripts:
      postinstall: "release_files/post_install.sh"
      preremove: "release_files/pre_remove.sh"
@@ -209,19 +151,16 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
-    license: BSD-3-Clause
-    id: netbird_rpm
+    id: netbird-rpm
    bindir: /usr/bin
    builds:
      - netbird
    formats:
      - rpm
+
    scripts:
      postinstall: "release_files/post_install.sh"
      preremove: "release_files/pre_remove.sh"
-    rpm:
-      signature:
-        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
 dockers:
  - image_templates:
      - netbirdio/netbird:{{ .Version }}-amd64
@@ -581,104 +520,6 @@ dockers:
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-    ids:
-      - netbird-server
-    goarch: amd64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-    ids:
-      - netbird-server
-    goarch: arm64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-    ids:
-      - netbird-server
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-    ids:
-      - netbird-proxy
-    goarch: amd64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-    ids:
-      - netbird-proxy
-    goarch: arm64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-    ids:
-      - netbird-proxy
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
  - name_template: netbirdio/netbird:{{ .Version }}
    image_templates:
@@ -757,18 +598,6 @@ docker_manifests:
      - netbirdio/upload:{{ .Version }}-arm
      - netbirdio/upload:{{ .Version }}-amd64

-  - name_template: netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/netbird-server:latest
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
@@ -846,43 +675,6 @@ docker_manifests:
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:latest
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
 brews:
  - ids:
      - default
@@ -903,7 +695,7 @@ brews:
 uploads:
  - name: debian
    ids:
-      - netbird_deb
+      - netbird-deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -911,7 +703,7 @@ uploads:

  - name: yum
    ids:
-      - netbird_rpm
+      - netbird-rpm
    mode: archive
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -61,7 +61,7 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
    homepage: https://netbird.io/
-    id: netbird_ui_deb
+    id: netbird-ui-deb
    package_name: netbird-ui
    builds:
      - netbird-ui
@@ -80,7 +80,7 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
    homepage: https://netbird.io/
-    id: netbird_ui_rpm
+    id: netbird-ui-rpm
    package_name: netbird-ui
    builds:
      - netbird-ui
@@ -95,14 +95,11 @@ nfpms:
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
-    rpm:
-      signature:
-        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'

 uploads:
  - name: debian
    ids:
-      - netbird_ui_deb
+      - netbird-ui-deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -110,7 +107,7 @@ uploads:

  - name: yum
    ids:
-      - netbird_ui_rpm
+      - netbird-ui-rpm
    mode: archive
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
--- a/CONTRIBUTOR_LICENSE_AGREEMENT.md
+++ b/CONTRIBUTOR_LICENSE_AGREEMENT.md
@@ -1,7 +1,7 @@
 ##  Contributor License Agreement

 This Contributor License Agreement (referred to as the "Agreement") is entered into by the individual 
-submitting this Agreement and NetBird GmbH, Brunnenstraße 196, 10119 Berlin, Germany, 
+submitting this Agreement and NetBird GmbH, c/o Max-Beer-Straße 2-4 Münzstraße 12 10178 Berlin, Germany, 
 referred to as "NetBird" (collectively, the "Parties"). The Agreement outlines the terms and conditions 
 under which NetBird may utilize software contributions provided by the Contributor for inclusion in 
 its software development projects. By submitting this Agreement, the Contributor confirms their acceptance 
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/, relay/ and combined/.
+This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.

 BSD 3-Clause License
--- a/README.md
+++ b/README.md
@@ -60,8 +60,8 @@

 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2

-### Self-Host NetBird (Video)
-[![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)
+### NetBird on Lawrence Systems (Video)
+[![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)

 ### Key features

@@ -126,7 +126,6 @@ See a complete [architecture overview](https://docs.netbird.io/about-netbird/how
 ### Community projects
 -  [NetBird installer script](https://github.com/physk/netbird-installer)
 -  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
-  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings

 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest

-FROM alpine:3.23.3
+FROM alpine:3.22.2
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
    bash \
@@ -17,7 +17,8 @@ ENV \
    NETBIRD_BIN="/usr/local/bin/netbird" \
    NB_LOG_FILE="console,/var/log/netbird/client.log" \
    NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
-    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
+    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
+    NB_ENTRYPOINT_LOGIN_TIMEOUT="5"

 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

--- a/client/Dockerfile-rootless
+++ b/client/Dockerfile-rootless
@@ -23,7 +23,8 @@ ENV \
    NB_DAEMON_ADDR="unix:///var/lib/netbird/netbird.sock" \
    NB_LOG_FILE="console,/var/lib/netbird/client.log" \
    NB_DISABLE_DNS="true" \
-    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
+    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
+    NB_ENTRYPOINT_LOGIN_TIMEOUT="1"

 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

--- a/client/android/client.go
+++ b/client/android/client.go
@@ -124,7 +124,7 @@ func (c *Client) Run(platformFiles PlatformFiles, urlOpener URLOpener, isAndroid

 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, false)
 	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile)
 }

@@ -157,7 +157,7 @@ func (c *Client) RunWithoutLogin(platformFiles PlatformFiles, dns *DNSList, dnsR

 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, false)
 	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile)
 }

@@ -205,7 +205,7 @@ func (c *Client) PeersList() *PeerInfoArray {
 		pi := PeerInfo{
 			p.IP,
 			p.FQDN,
-			int(p.ConnStatus),
+			p.ConnStatus.String(),
 			PeerRoutes{routes: maps.Keys(p.GetRoutes())},
 		}
 		peerInfos[n] = pi
--- a/client/android/env_list.go
+++ b/client/android/env_list.go
@@ -1,19 +1,10 @@
 package android

-import (
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
+import "github.com/netbirdio/netbird/client/internal/peer"

 var (
-	// EnvKeyNBForceRelay Exported for Android java client to force relay connections
+	// EnvKeyNBForceRelay Exported for Android java client
 	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
-
-	// EnvKeyNBLazyConn Exported for Android java client to configure lazy connection
-	EnvKeyNBLazyConn = lazyconn.EnvEnableLazyConn
-
-	// EnvKeyNBInactivityThreshold Exported for Android java client to configure connection inactivity threshold
-	EnvKeyNBInactivityThreshold = lazyconn.EnvInactivityThreshold
 )

 // EnvList wraps a Go map for export to Java
--- a/client/android/login.go
+++ b/client/android/login.go
@@ -3,7 +3,15 @@ package android
 import (
 	"context"
 	"fmt"
+	"time"

+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	gstatus "google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/cmd"
+	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
@@ -76,21 +84,34 @@ func (a *Auth) SaveConfigIfSSOSupported(listener SSOListener) {
 }

 func (a *Auth) saveConfigIfSSOSupported() (bool, error) {
-	authClient, err := auth.NewAuth(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config)
-	if err != nil {
-		return false, fmt.Errorf("failed to create auth client: %v", err)
-	}
-	defer authClient.Close()
+	supportsSSO := true
+	err := a.withBackOff(a.ctx, func() (err error) {
+		_, err = internal.GetPKCEAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL, nil)
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.NotFound || s.Code() == codes.Unimplemented) {
+			_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
+			s, ok := gstatus.FromError(err)
+			if !ok {
+				return err
+			}
+			if s.Code() == codes.NotFound || s.Code() == codes.Unimplemented {
+				supportsSSO = false
+				err = nil
+			}

-	supportsSSO, err := authClient.IsSSOSupported(a.ctx)
-	if err != nil {
-		return false, fmt.Errorf("failed to check SSO support: %v", err)
-	}
+			return err
+		}
+
+		return err
+	})

 	if !supportsSSO {
 		return false, nil
 	}

+	if err != nil {
+		return false, fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
 	err = profilemanager.WriteOutConfig(a.cfgPath, a.config)
 	return true, err
 }
@@ -108,17 +129,19 @@ func (a *Auth) LoginWithSetupKeyAndSaveConfig(resultListener ErrListener, setupK
 }

 func (a *Auth) loginWithSetupKeyAndSaveConfig(setupKey string, deviceName string) error {
-	authClient, err := auth.NewAuth(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config)
-	if err != nil {
-		return fmt.Errorf("failed to create auth client: %v", err)
-	}
-	defer authClient.Close()
-
 	//nolint
 	ctxWithValues := context.WithValue(a.ctx, system.DeviceNameCtxKey, deviceName)
-	err, _ = authClient.Login(ctxWithValues, setupKey, "")
+
+	err := a.withBackOff(a.ctx, func() error {
+		backoffErr := internal.Login(ctxWithValues, a.config, setupKey, "")
+		if s, ok := gstatus.FromError(backoffErr); ok && (s.Code() == codes.PermissionDenied) {
+			// we got an answer from management, exit backoff earlier
+			return backoff.Permanent(backoffErr)
+		}
+		return backoffErr
+	})
 	if err != nil {
-		return fmt.Errorf("login failed: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}

 	return profilemanager.WriteOutConfig(a.cfgPath, a.config)
@@ -137,41 +160,49 @@ func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener, isAndroidT
 }

 func (a *Auth) login(urlOpener URLOpener, isAndroidTV bool) error {
-	authClient, err := auth.NewAuth(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config)
-	if err != nil {
-		return fmt.Errorf("failed to create auth client: %v", err)
-	}
-	defer authClient.Close()
+	var needsLogin bool

 	// check if we need to generate JWT token
-	needsLogin, err := authClient.IsLoginRequired(a.ctx)
+	err := a.withBackOff(a.ctx, func() (err error) {
+		needsLogin, err = internal.IsLoginRequired(a.ctx, a.config)
+		return
+	})
 	if err != nil {
-		return fmt.Errorf("failed to check login requirement: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}

 	jwtToken := ""
 	if needsLogin {
-		tokenInfo, err := a.foregroundGetTokenInfo(authClient, urlOpener, isAndroidTV)
+		tokenInfo, err := a.foregroundGetTokenInfo(urlOpener, isAndroidTV)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
 		jwtToken = tokenInfo.GetTokenToUse()
 	}

-	err, _ = authClient.Login(a.ctx, "", jwtToken)
-	if err != nil {
-		return fmt.Errorf("login failed: %v", err)
-	}
+	err = a.withBackOff(a.ctx, func() error {
+		err := internal.Login(a.ctx, a.config, "", jwtToken)

-	go urlOpener.OnLoginSuccess()
+		if err == nil {
+			go urlOpener.OnLoginSuccess()
+		}
+
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			return nil
+		}
+		return err
+	})
+	if err != nil {
+		return fmt.Errorf("backoff cycle failed: %v", err)
+	}

 	return nil
 }

-func (a *Auth) foregroundGetTokenInfo(authClient *auth.Auth, urlOpener URLOpener, isAndroidTV bool) (*auth.TokenInfo, error) {
-	oAuthFlow, err := authClient.GetOAuthFlow(a.ctx, isAndroidTV)
+func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener, isAndroidTV bool) (*auth.TokenInfo, error) {
+	oAuthFlow, err := auth.NewOAuthFlow(a.ctx, a.config, false, isAndroidTV, "")
 	if err != nil {
-		return nil, fmt.Errorf("failed to get OAuth flow: %v", err)
+		return nil, err
 	}

 	flowInfo, err := oAuthFlow.RequestAuthInfo(context.TODO())
@@ -181,10 +212,22 @@ func (a *Auth) foregroundGetTokenInfo(authClient *auth.Auth, urlOpener URLOpener

 	go urlOpener.Open(flowInfo.VerificationURIComplete, flowInfo.UserCode)

-	tokenInfo, err := oAuthFlow.WaitToken(a.ctx, flowInfo)
+	waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
+	waitCTX, cancel := context.WithTimeout(a.ctx, waitTimeout)
+	defer cancel()
+	tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
 	if err != nil {
 		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
 	}

 	return &tokenInfo, nil
 }
+
+func (a *Auth) withBackOff(ctx context.Context, bf func() error) error {
+	return backoff.RetryNotify(
+		bf,
+		backoff.WithContext(cmd.CLIBackOffSettings, ctx),
+		func(err error, duration time.Duration) {
+			log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
+		})
+}
--- a/client/android/peer_notifier.go
+++ b/client/android/peer_notifier.go
@@ -2,20 +2,11 @@

 package android

-import "github.com/netbirdio/netbird/client/internal/peer"
-
-// Connection status constants exported via gomobile.
-const (
-	ConnStatusIdle       = int(peer.StatusIdle)
-	ConnStatusConnecting = int(peer.StatusConnecting)
-	ConnStatusConnected  = int(peer.StatusConnected)
-)
-
 // PeerInfo describe information about the peers. It designed for the UI usage
 type PeerInfo struct {
 	IP         string
 	FQDN       string
-	ConnStatus int
+	ConnStatus string // Todo replace to enum
 	Routes     PeerRoutes
 }

--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -16,6 +16,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
+	nbstatus "github.com/netbirdio/netbird/client/status"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/upload-server/types"
 )
@@ -97,6 +98,7 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 	client := proto.NewDaemonServiceClient(conn)
 	request := &proto.DebugBundleRequest{
 		Anonymize:    anonymizeFlag,
+		Status:       getStatusOutput(cmd, anonymizeFlag),
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
 	}
@@ -181,11 +183,10 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	if stateWasDown {
 		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("netbird up")
-			time.Sleep(time.Second * 10)
+			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 		}
+		cmd.Println("netbird up")
+		time.Sleep(time.Second * 10)
 	}

 	initialLevelTrace := initialLogLevel.GetLevel() >= proto.LogLevel_TRACE
@@ -199,13 +200,10 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		cmd.Println("Log level set to trace.")
 	}

-	needsRestoreUp := false
 	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-		cmd.PrintErrf("Failed to bring service down: %v\n", status.Convert(err).Message())
-	} else {
-		needsRestoreUp = !stateWasDown
-		cmd.Println("netbird down")
+		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 	}
+	cmd.Println("netbird down")

 	time.Sleep(1 * time.Second)

@@ -213,49 +211,31 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	if _, err := client.SetSyncResponsePersistence(cmd.Context(), &proto.SetSyncResponsePersistenceRequest{
 		Enabled: true,
 	}); err != nil {
-		cmd.PrintErrf("Failed to enable sync response persistence: %v\n", status.Convert(err).Message())
+		return fmt.Errorf("failed to enable sync response persistence: %v", status.Convert(err).Message())
 	}

 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-		cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
-	} else {
-		needsRestoreUp = false
-		cmd.Println("netbird up")
+		return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 	}
+	cmd.Println("netbird up")

 	time.Sleep(3 * time.Second)

-	cpuProfilingStarted := false
-	if _, err := client.StartCPUProfile(cmd.Context(), &proto.StartCPUProfileRequest{}); err != nil {
-		cmd.PrintErrf("Failed to start CPU profiling: %v\n", err)
-	} else {
-		cpuProfilingStarted = true
-		defer func() {
-			if cpuProfilingStarted {
-				if _, err := client.StopCPUProfile(cmd.Context(), &proto.StopCPUProfileRequest{}); err != nil {
-					cmd.PrintErrf("Failed to stop CPU profiling: %v\n", err)
-				}
-			}
-		}()
-	}
+	headerPostUp := fmt.Sprintf("----- NetBird post-up - Timestamp: %s", time.Now().Format(time.RFC3339))
+	statusOutput := fmt.Sprintf("%s\n%s", headerPostUp, getStatusOutput(cmd, anonymizeFlag))

 	if waitErr := waitForDurationOrCancel(cmd.Context(), duration, cmd); waitErr != nil {
 		return waitErr
 	}
 	cmd.Println("\nDuration completed")

-	if cpuProfilingStarted {
-		if _, err := client.StopCPUProfile(cmd.Context(), &proto.StopCPUProfileRequest{}); err != nil {
-			cmd.PrintErrf("Failed to stop CPU profiling: %v\n", err)
-		} else {
-			cpuProfilingStarted = false
-		}
-	}
-
 	cmd.Println("Creating debug bundle...")

+	headerPreDown := fmt.Sprintf("----- NetBird pre-down - Timestamp: %s - Duration: %s", time.Now().Format(time.RFC3339), duration)
+	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd, anonymizeFlag))
 	request := &proto.DebugBundleRequest{
 		Anonymize:    anonymizeFlag,
+		Status:       statusOutput,
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
 	}
@@ -267,28 +247,18 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}

-	if needsRestoreUp {
-		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			cmd.PrintErrf("Failed to restore service up state: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("netbird up (restored)")
-		}
-	}
-
 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-			cmd.PrintErrf("Failed to restore service down state: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("netbird down")
+			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 		}
+		cmd.Println("netbird down")
 	}

 	if !initialLevelTrace {
 		if _, err := client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{Level: initialLogLevel.GetLevel()}); err != nil {
-			cmd.PrintErrf("Failed to restore log level: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("Log level restored to", initialLogLevel.GetLevel())
+			return fmt.Errorf("failed to restore log level: %v", status.Convert(err).Message())
 		}
+		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}

 	cmd.Printf("Local file:\n%s\n", resp.GetPath())
@@ -332,6 +302,25 @@ func setSyncResponsePersistence(cmd *cobra.Command, args []string) error {
 	return nil
 }

+func getStatusOutput(cmd *cobra.Command, anon bool) string {
+	var statusOutputString string
+	statusResp, err := getStatus(cmd.Context(), true)
+	if err != nil {
+		cmd.PrintErrf("Failed to get status: %v\n", err)
+	} else {
+		pm := profilemanager.NewProfileManager()
+		var profName string
+		if activeProf, err := pm.GetActiveProfile(); err == nil {
+			profName = activeProf.Name
+		}
+
+		statusOutputString = nbstatus.ParseToFullDetailSummary(
+			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", profName),
+		)
+	}
+	return statusOutputString
+}
+
 func waitForDurationOrCancel(ctx context.Context, duration time.Duration, cmd *cobra.Command) error {
 	ticker := time.NewTicker(1 * time.Second)
 	defer ticker.Stop()
@@ -390,8 +379,7 @@ func generateDebugBundle(config *profilemanager.Config, recorder *peer.Status, c
 			InternalConfig: config,
 			StatusRecorder: recorder,
 			SyncResponse:   syncResponse,
-			LogPath:        logFilePath,
-			CPUProfile:     nil,
+			LogFile:        logFilePath,
 		},
 		debug.BundleConfig{
 			IncludeSystemInfo: true,
--- a/client/cmd/expose.go
+++ b/client/cmd/expose.go
@@ -1,287 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"os/signal"
-	"regexp"
-	"strconv"
-	"strings"
-	"syscall"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/internal/expose"
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util"
-)
-
-var pinRegexp = regexp.MustCompile(`^\d{6}$`)
-
-var (
-	exposePin          string
-	exposePassword     string
-	exposeUserGroups   []string
-	exposeDomain       string
-	exposeNamePrefix   string
-	exposeProtocol     string
-	exposeExternalPort uint16
-)
-
-var exposeCmd = &cobra.Command{
-	Use:   "expose <port>",
-	Short: "Expose a local port via the NetBird reverse proxy",
-	Args:  cobra.ExactArgs(1),
-	Example: `  netbird expose --with-password safe-pass 8080
-  netbird expose --protocol tcp 5432
-  netbird expose --protocol tcp --with-external-port 5433 5432
-  netbird expose --protocol tls --with-custom-domain tls.example.com 4443`,
-	RunE: exposeFn,
-}
-
-func init() {
-	exposeCmd.Flags().StringVar(&exposePin, "with-pin", "", "Protect the exposed service with a 6-digit PIN (e.g. --with-pin 123456)")
-	exposeCmd.Flags().StringVar(&exposePassword, "with-password", "", "Protect the exposed service with a password (e.g. --with-password my-secret)")
-	exposeCmd.Flags().StringSliceVar(&exposeUserGroups, "with-user-groups", nil, "Restrict access to specific user groups with SSO (e.g. --with-user-groups devops,Backend)")
-	exposeCmd.Flags().StringVar(&exposeDomain, "with-custom-domain", "", "Custom domain for the exposed service, must be configured to your account (e.g. --with-custom-domain myapp.example.com)")
-	exposeCmd.Flags().StringVar(&exposeNamePrefix, "with-name-prefix", "", "Prefix for the generated service name (e.g. --with-name-prefix my-app)")
-	exposeCmd.Flags().StringVar(&exposeProtocol, "protocol", "http", "Protocol to use: http, https, tcp, udp, or tls (e.g. --protocol tcp)")
-	exposeCmd.Flags().Uint16Var(&exposeExternalPort, "with-external-port", 0, "Public-facing external port on the proxy cluster (defaults to the target port for L4)")
-}
-
-// isClusterProtocol returns true for L4/TLS protocols that reject HTTP-style auth flags.
-func isClusterProtocol(protocol string) bool {
-	switch strings.ToLower(protocol) {
-	case "tcp", "udp", "tls":
-		return true
-	default:
-		return false
-	}
-}
-
-// isPortBasedProtocol returns true for pure port-based protocols (TCP/UDP)
-// where domain display doesn't apply. TLS uses SNI so it has a domain.
-func isPortBasedProtocol(protocol string) bool {
-	switch strings.ToLower(protocol) {
-	case "tcp", "udp":
-		return true
-	default:
-		return false
-	}
-}
-
-// extractPort returns the port portion of a URL like "tcp://host:12345", or
-// falls back to the given default formatted as a string.
-func extractPort(serviceURL string, fallback uint16) string {
-	u := serviceURL
-	if idx := strings.Index(u, "://"); idx != -1 {
-		u = u[idx+3:]
-	}
-	if i := strings.LastIndex(u, ":"); i != -1 {
-		if p := u[i+1:]; p != "" {
-			return p
-		}
-	}
-	return strconv.FormatUint(uint64(fallback), 10)
-}
-
-// resolveExternalPort returns the effective external port, defaulting to the target port.
-func resolveExternalPort(targetPort uint64) uint16 {
-	if exposeExternalPort != 0 {
-		return exposeExternalPort
-	}
-	return uint16(targetPort)
-}
-
-func validateExposeFlags(cmd *cobra.Command, portStr string) (uint64, error) {
-	port, err := strconv.ParseUint(portStr, 10, 32)
-	if err != nil {
-		return 0, fmt.Errorf("invalid port number: %s", portStr)
-	}
-	if port == 0 || port > 65535 {
-		return 0, fmt.Errorf("invalid port number: must be between 1 and 65535")
-	}
-
-	if !isProtocolValid(exposeProtocol) {
-		return 0, fmt.Errorf("unsupported protocol %q: must be http, https, tcp, udp, or tls", exposeProtocol)
-	}
-
-	if isClusterProtocol(exposeProtocol) {
-		if exposePin != "" || exposePassword != "" || len(exposeUserGroups) > 0 {
-			return 0, fmt.Errorf("auth flags (--with-pin, --with-password, --with-user-groups) are not supported for %s protocol", exposeProtocol)
-		}
-	} else if cmd.Flags().Changed("with-external-port") {
-		return 0, fmt.Errorf("--with-external-port is not supported for %s protocol", exposeProtocol)
-	}
-
-	if exposePin != "" && !pinRegexp.MatchString(exposePin) {
-		return 0, fmt.Errorf("invalid pin: must be exactly 6 digits")
-	}
-
-	if cmd.Flags().Changed("with-password") && exposePassword == "" {
-		return 0, fmt.Errorf("password cannot be empty")
-	}
-
-	if cmd.Flags().Changed("with-user-groups") && len(exposeUserGroups) == 0 {
-		return 0, fmt.Errorf("user groups cannot be empty")
-	}
-
-	return port, nil
-}
-
-func isProtocolValid(exposeProtocol string) bool {
-	switch strings.ToLower(exposeProtocol) {
-	case "http", "https", "tcp", "udp", "tls":
-		return true
-	default:
-		return false
-	}
-}
-
-func exposeFn(cmd *cobra.Command, args []string) error {
-	SetFlagsFromEnvVars(rootCmd)
-
-	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
-		log.Errorf("failed initializing log %v", err)
-		return err
-	}
-
-	cmd.Root().SilenceUsage = false
-
-	port, err := validateExposeFlags(cmd, args[0])
-	if err != nil {
-		return err
-	}
-
-	cmd.Root().SilenceUsage = true
-
-	ctx, cancel := context.WithCancel(cmd.Context())
-	defer cancel()
-
-	sigCh := make(chan os.Signal, 1)
-	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		<-sigCh
-		cancel()
-	}()
-
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		return fmt.Errorf("connect to daemon: %w", err)
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Debugf("failed to close daemon connection: %v", err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-
-	protocol, err := toExposeProtocol(exposeProtocol)
-	if err != nil {
-		return err
-	}
-
-	req := &proto.ExposeServiceRequest{
-		Port:       uint32(port),
-		Protocol:   protocol,
-		Pin:        exposePin,
-		Password:   exposePassword,
-		UserGroups: exposeUserGroups,
-		Domain:     exposeDomain,
-		NamePrefix: exposeNamePrefix,
-	}
-	if isClusterProtocol(exposeProtocol) {
-		req.ListenPort = uint32(resolveExternalPort(port))
-	}
-
-	stream, err := client.ExposeService(ctx, req)
-	if err != nil {
-		return fmt.Errorf("expose service: %v", status.Convert(err).Message())
-	}
-
-	if err := handleExposeReady(cmd, stream, port); err != nil {
-		return err
-	}
-
-	return waitForExposeEvents(cmd, ctx, stream)
-}
-
-func toExposeProtocol(exposeProtocol string) (proto.ExposeProtocol, error) {
-	p, err := expose.ParseProtocolType(exposeProtocol)
-	if err != nil {
-		return 0, fmt.Errorf("invalid protocol: %w", err)
-	}
-
-	switch p {
-	case expose.ProtocolHTTP:
-		return proto.ExposeProtocol_EXPOSE_HTTP, nil
-	case expose.ProtocolHTTPS:
-		return proto.ExposeProtocol_EXPOSE_HTTPS, nil
-	case expose.ProtocolTCP:
-		return proto.ExposeProtocol_EXPOSE_TCP, nil
-	case expose.ProtocolUDP:
-		return proto.ExposeProtocol_EXPOSE_UDP, nil
-	case expose.ProtocolTLS:
-		return proto.ExposeProtocol_EXPOSE_TLS, nil
-	default:
-		return 0, fmt.Errorf("unhandled protocol type: %d", p)
-	}
-}
-
-func handleExposeReady(cmd *cobra.Command, stream proto.DaemonService_ExposeServiceClient, port uint64) error {
-	event, err := stream.Recv()
-	if err != nil {
-		return fmt.Errorf("receive expose event: %v", status.Convert(err).Message())
-	}
-
-	ready, ok := event.Event.(*proto.ExposeServiceEvent_Ready)
-	if !ok {
-		return fmt.Errorf("unexpected expose event: %T", event.Event)
-	}
-	printExposeReady(cmd, ready.Ready, port)
-	return nil
-}
-
-func printExposeReady(cmd *cobra.Command, r *proto.ExposeServiceReady, port uint64) {
-	cmd.Println("Service exposed successfully!")
-	cmd.Printf("  Name:     %s\n", r.ServiceName)
-	if r.ServiceUrl != "" {
-		cmd.Printf("  URL:      %s\n", r.ServiceUrl)
-	}
-	if r.Domain != "" && !isPortBasedProtocol(exposeProtocol) {
-		cmd.Printf("  Domain:   %s\n", r.Domain)
-	}
-	cmd.Printf("  Protocol: %s\n", exposeProtocol)
-	cmd.Printf("  Internal: %d\n", port)
-	if isClusterProtocol(exposeProtocol) {
-		cmd.Printf("  External: %s\n", extractPort(r.ServiceUrl, resolveExternalPort(port)))
-	}
-	if r.PortAutoAssigned && exposeExternalPort != 0 {
-		cmd.Printf("\n  Note: requested port %d was reassigned\n", exposeExternalPort)
-	}
-	cmd.Println()
-	cmd.Println("Press Ctrl+C to stop exposing.")
-}
-
-func waitForExposeEvents(cmd *cobra.Command, ctx context.Context, stream proto.DaemonService_ExposeServiceClient) error {
-	for {
-		_, err := stream.Recv()
-		if err != nil {
-			if ctx.Err() != nil {
-				cmd.Println("\nService stopped.")
-				//nolint:nilerr
-				return nil
-			}
-			if errors.Is(err, io.EOF) {
-				return fmt.Errorf("connection to daemon closed unexpectedly")
-			}
-			return fmt.Errorf("stream error: %w", err)
-		}
-	}
-}
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -7,6 +7,7 @@ import (
 	"os/user"
 	"runtime"
 	"strings"
+	"time"

 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -276,15 +277,18 @@ func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.Lo
 }

 func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey, profileName string) error {
-	authClient, err := auth.NewAuth(ctx, config.PrivateKey, config.ManagementURL, config)
-	if err != nil {
-		return fmt.Errorf("failed to create auth client: %v", err)
-	}
-	defer authClient.Close()
+	needsLogin := false

-	needsLogin, err := authClient.IsLoginRequired(ctx)
+	err := WithBackOff(func() error {
+		err := internal.Login(ctx, config, "", "")
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			needsLogin = true
+			return nil
+		}
+		return err
+	})
 	if err != nil {
-		return fmt.Errorf("check login required: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}

 	jwtToken := ""
@@ -296,9 +300,23 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 		jwtToken = tokenInfo.GetTokenToUse()
 	}

-	err, _ = authClient.Login(ctx, setupKey, jwtToken)
+	var lastError error
+
+	err = WithBackOff(func() error {
+		err := internal.Login(ctx, config, setupKey, jwtToken)
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			lastError = err
+			return nil
+		}
+		return err
+	})
+
+	if lastError != nil {
+		return fmt.Errorf("login failed: %v", lastError)
+	}
+
 	if err != nil {
-		return fmt.Errorf("login failed: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}

 	return nil
@@ -326,7 +344,11 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *pro

 	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode, noBrowser)

-	tokenInfo, err := oAuthFlow.WaitToken(context.TODO(), flowInfo)
+	waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
+	waitCTX, c := context.WithTimeout(context.TODO(), waitTimeout)
+	defer c()
+
+	tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
 	if err != nil {
 		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
 	}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -22,7 +22,6 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"

-	daddr "github.com/netbirdio/netbird/client/internal/daemonaddr"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )

@@ -81,15 +80,6 @@ var (
 		Short:        "",
 		Long:         "",
 		SilenceUsage: true,
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars(cmd.Root())
-
-			// Don't resolve for service commands — they create the socket, not connect to it.
-			if !isServiceCmd(cmd) {
-				daemonAddr = daddr.ResolveUnixDaemonAddr(daemonAddr)
-			}
-			return nil
-		},
 	}
 )

@@ -154,7 +144,6 @@ func init() {
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
 	rootCmd.AddCommand(profileCmd)
-	rootCmd.AddCommand(exposeCmd)

 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
@@ -396,6 +385,7 @@ func migrateToNetbird(oldPath, newPath string) bool {
 }

 func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
+	SetFlagsFromEnvVars(rootCmd)
 	cmd.SetOut(cmd.OutOrStdout())

 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
@@ -408,13 +398,3 @@ func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {

 	return conn, nil
 }
-
-// isServiceCmd returns true if cmd is the "service" command or a child of it.
-func isServiceCmd(cmd *cobra.Command) bool {
-	for c := cmd; c != nil; c = c.Parent() {
-		if c.Name() == "service" {
-			return true
-		}
-	}
-	return false
-}
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -41,7 +41,7 @@ func init() {
 		defaultServiceName = "Netbird"
 	}

-	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
+	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")

--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -103,7 +103,7 @@ func (p *program) Stop(srv service.Service) error {

 // Common setup for service control commands
 func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc) (service.Service, error) {
-	// rootCmd env vars are already applied by PersistentPreRunE.
+	SetFlagsFromEnvVars(rootCmd)
 	SetFlagsFromEnvVars(serviceCmd)

 	cmd.SetOut(cmd.OutOrStdout())
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -119,10 +119,6 @@ var installCmd = &cobra.Command{
 			return err
 		}

-		if err := loadAndApplyServiceParams(cmd); err != nil {
-			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
-		}
-
 		svcConfig, err := createServiceConfigForInstall()
 		if err != nil {
 			return err
@@ -140,10 +136,6 @@ var installCmd = &cobra.Command{
 			return fmt.Errorf("install service: %w", err)
 		}

-		if err := saveServiceParams(currentServiceParams()); err != nil {
-			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
-		}
-
 		cmd.Println("NetBird service has been installed")
 		return nil
 	},
@@ -195,10 +187,6 @@ This command will temporarily stop the service, update its configuration, and re
 			return err
 		}

-		if err := loadAndApplyServiceParams(cmd); err != nil {
-			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
-		}
-
 		wasRunning, err := isServiceRunning()
 		if err != nil && !errors.Is(err, ErrGetServiceStatus) {
 			return fmt.Errorf("check service status: %w", err)
@@ -234,10 +222,6 @@ This command will temporarily stop the service, update its configuration, and re
 			return fmt.Errorf("install service with new config: %w", err)
 		}

-		if err := saveServiceParams(currentServiceParams()); err != nil {
-			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
-		}
-
 		if wasRunning {
 			cmd.Println("Starting NetBird service...")
 			if err := s.Start(); err != nil {
--- a/client/cmd/service_params.go
+++ b/client/cmd/service_params.go
@@ -1,201 +0,0 @@
-//go:build !ios && !android
-
-package cmd
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"maps"
-	"os"
-	"path/filepath"
-
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/client/configs"
-	"github.com/netbirdio/netbird/util"
-)
-
-const serviceParamsFile = "service.json"
-
-// serviceParams holds install-time service parameters that persist across
-// uninstall/reinstall cycles. Saved to <stateDir>/service.json.
-type serviceParams struct {
-	LogLevel              string            `json:"log_level"`
-	DaemonAddr            string            `json:"daemon_addr"`
-	ManagementURL         string            `json:"management_url,omitempty"`
-	ConfigPath            string            `json:"config_path,omitempty"`
-	LogFiles              []string          `json:"log_files,omitempty"`
-	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
-	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
-	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
-}
-
-// serviceParamsPath returns the path to the service params file.
-func serviceParamsPath() string {
-	return filepath.Join(configs.StateDir, serviceParamsFile)
-}
-
-// loadServiceParams reads saved service parameters from disk.
-// Returns nil with no error if the file does not exist.
-func loadServiceParams() (*serviceParams, error) {
-	path := serviceParamsPath()
-
-	data, err := os.ReadFile(path)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil, nil //nolint:nilnil
-		}
-		return nil, fmt.Errorf("read service params %s: %w", path, err)
-	}
-
-	var params serviceParams
-	if err := json.Unmarshal(data, &params); err != nil {
-		return nil, fmt.Errorf("parse service params %s: %w", path, err)
-	}
-
-	return &params, nil
-}
-
-// saveServiceParams writes current service parameters to disk atomically
-// with restricted permissions.
-func saveServiceParams(params *serviceParams) error {
-	path := serviceParamsPath()
-	if err := util.WriteJsonWithRestrictedPermission(context.Background(), path, params); err != nil {
-		return fmt.Errorf("save service params: %w", err)
-	}
-	return nil
-}
-
-// currentServiceParams captures the current state of all package-level
-// variables into a serviceParams struct.
-func currentServiceParams() *serviceParams {
-	params := &serviceParams{
-		LogLevel:              logLevel,
-		DaemonAddr:            daemonAddr,
-		ManagementURL:         managementURL,
-		ConfigPath:            configPath,
-		LogFiles:              logFiles,
-		DisableProfiles:       profilesDisabled,
-		DisableUpdateSettings: updateSettingsDisabled,
-	}
-
-	if len(serviceEnvVars) > 0 {
-		parsed, err := parseServiceEnvVars(serviceEnvVars)
-		if err == nil && len(parsed) > 0 {
-			params.ServiceEnvVars = parsed
-		}
-	}
-
-	return params
-}
-
-// loadAndApplyServiceParams loads saved params from disk and applies them
-// to any flags that were not explicitly set.
-func loadAndApplyServiceParams(cmd *cobra.Command) error {
-	params, err := loadServiceParams()
-	if err != nil {
-		return err
-	}
-	applyServiceParams(cmd, params)
-	return nil
-}
-
-// applyServiceParams merges saved parameters into package-level variables
-// for any flag that was not explicitly set by the user (via CLI or env var).
-// Flags that were Changed() are left untouched.
-func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
-	if params == nil {
-		return
-	}
-
-	// For fields with non-empty defaults (log-level, daemon-addr), keep the
-	// != "" guard so that an older service.json missing the field doesn't
-	// clobber the default with an empty string.
-	if !rootCmd.PersistentFlags().Changed("log-level") && params.LogLevel != "" {
-		logLevel = params.LogLevel
-	}
-
-	if !rootCmd.PersistentFlags().Changed("daemon-addr") && params.DaemonAddr != "" {
-		daemonAddr = params.DaemonAddr
-	}
-
-	// For optional fields where empty means "use default", always apply so
-	// that an explicit clear (--management-url "") persists across reinstalls.
-	if !rootCmd.PersistentFlags().Changed("management-url") {
-		managementURL = params.ManagementURL
-	}
-
-	if !rootCmd.PersistentFlags().Changed("config") {
-		configPath = params.ConfigPath
-	}
-
-	if !rootCmd.PersistentFlags().Changed("log-file") {
-		logFiles = params.LogFiles
-	}
-
-	if !serviceCmd.PersistentFlags().Changed("disable-profiles") {
-		profilesDisabled = params.DisableProfiles
-	}
-
-	if !serviceCmd.PersistentFlags().Changed("disable-update-settings") {
-		updateSettingsDisabled = params.DisableUpdateSettings
-	}
-
-	applyServiceEnvParams(cmd, params)
-}
-
-// applyServiceEnvParams merges saved service environment variables.
-// If --service-env was explicitly set, explicit values win on key conflict
-// but saved keys not in the explicit set are carried over.
-// If --service-env was not set, saved env vars are used entirely.
-func applyServiceEnvParams(cmd *cobra.Command, params *serviceParams) {
-	if len(params.ServiceEnvVars) == 0 {
-		return
-	}
-
-	if !cmd.Flags().Changed("service-env") {
-		// No explicit env vars: rebuild serviceEnvVars from saved params.
-		serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
-		return
-	}
-
-	// Explicit env vars were provided: merge saved values underneath.
-	explicit, err := parseServiceEnvVars(serviceEnvVars)
-	if err != nil {
-		cmd.PrintErrf("Warning: parse explicit service env vars for merge: %v\n", err)
-		return
-	}
-
-	merged := make(map[string]string, len(params.ServiceEnvVars)+len(explicit))
-	maps.Copy(merged, params.ServiceEnvVars)
-	maps.Copy(merged, explicit) // explicit wins on conflict
-	serviceEnvVars = envMapToSlice(merged)
-}
-
-var resetParamsCmd = &cobra.Command{
-	Use:   "reset-params",
-	Short: "Remove saved service install parameters",
-	Long:  "Removes the saved service.json file so the next install uses default parameters.",
-	RunE: func(cmd *cobra.Command, args []string) error {
-		path := serviceParamsPath()
-		if err := os.Remove(path); err != nil {
-			if os.IsNotExist(err) {
-				cmd.Println("No saved service parameters found")
-				return nil
-			}
-			return fmt.Errorf("remove service params: %w", err)
-		}
-		cmd.Printf("Removed saved service parameters (%s)\n", path)
-		return nil
-	},
-}
-
-// envMapToSlice converts a map of env vars to a KEY=VALUE slice.
-func envMapToSlice(m map[string]string) []string {
-	s := make([]string, 0, len(m))
-	for k, v := range m {
-		s = append(s, k+"="+v)
-	}
-	return s
-}
--- a/client/cmd/service_params_test.go
+++ b/client/cmd/service_params_test.go
@@ -1,523 +0,0 @@
-//go:build !ios && !android
-
-package cmd
-
-import (
-	"encoding/json"
-	"go/ast"
-	"go/parser"
-	"go/token"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/configs"
-)
-
-func TestServiceParamsPath(t *testing.T) {
-	original := configs.StateDir
-	t.Cleanup(func() { configs.StateDir = original })
-
-	configs.StateDir = "/var/lib/netbird"
-	assert.Equal(t, filepath.Join("/var/lib/netbird", "service.json"), serviceParamsPath())
-
-	configs.StateDir = "/custom/state"
-	assert.Equal(t, filepath.Join("/custom/state", "service.json"), serviceParamsPath())
-}
-
-func TestSaveAndLoadServiceParams(t *testing.T) {
-	tmpDir := t.TempDir()
-
-	original := configs.StateDir
-	t.Cleanup(func() { configs.StateDir = original })
-	configs.StateDir = tmpDir
-
-	params := &serviceParams{
-		LogLevel:              "debug",
-		DaemonAddr:            "unix:///var/run/netbird.sock",
-		ManagementURL:         "https://my.server.com",
-		ConfigPath:            "/etc/netbird/config.json",
-		LogFiles:              []string{"/var/log/netbird/client.log", "console"},
-		DisableProfiles:       true,
-		DisableUpdateSettings: false,
-		ServiceEnvVars:        map[string]string{"NB_LOG_FORMAT": "json", "CUSTOM": "val"},
-	}
-
-	err := saveServiceParams(params)
-	require.NoError(t, err)
-
-	// Verify the file exists and is valid JSON.
-	data, err := os.ReadFile(filepath.Join(tmpDir, "service.json"))
-	require.NoError(t, err)
-	assert.True(t, json.Valid(data))
-
-	loaded, err := loadServiceParams()
-	require.NoError(t, err)
-	require.NotNil(t, loaded)
-
-	assert.Equal(t, params.LogLevel, loaded.LogLevel)
-	assert.Equal(t, params.DaemonAddr, loaded.DaemonAddr)
-	assert.Equal(t, params.ManagementURL, loaded.ManagementURL)
-	assert.Equal(t, params.ConfigPath, loaded.ConfigPath)
-	assert.Equal(t, params.LogFiles, loaded.LogFiles)
-	assert.Equal(t, params.DisableProfiles, loaded.DisableProfiles)
-	assert.Equal(t, params.DisableUpdateSettings, loaded.DisableUpdateSettings)
-	assert.Equal(t, params.ServiceEnvVars, loaded.ServiceEnvVars)
-}
-
-func TestLoadServiceParams_FileNotExists(t *testing.T) {
-	tmpDir := t.TempDir()
-
-	original := configs.StateDir
-	t.Cleanup(func() { configs.StateDir = original })
-	configs.StateDir = tmpDir
-
-	params, err := loadServiceParams()
-	assert.NoError(t, err)
-	assert.Nil(t, params)
-}
-
-func TestLoadServiceParams_InvalidJSON(t *testing.T) {
-	tmpDir := t.TempDir()
-
-	original := configs.StateDir
-	t.Cleanup(func() { configs.StateDir = original })
-	configs.StateDir = tmpDir
-
-	err := os.WriteFile(filepath.Join(tmpDir, "service.json"), []byte("not json"), 0600)
-	require.NoError(t, err)
-
-	params, err := loadServiceParams()
-	assert.Error(t, err)
-	assert.Nil(t, params)
-}
-
-func TestCurrentServiceParams(t *testing.T) {
-	origLogLevel := logLevel
-	origDaemonAddr := daemonAddr
-	origManagementURL := managementURL
-	origConfigPath := configPath
-	origLogFiles := logFiles
-	origProfilesDisabled := profilesDisabled
-	origUpdateSettingsDisabled := updateSettingsDisabled
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() {
-		logLevel = origLogLevel
-		daemonAddr = origDaemonAddr
-		managementURL = origManagementURL
-		configPath = origConfigPath
-		logFiles = origLogFiles
-		profilesDisabled = origProfilesDisabled
-		updateSettingsDisabled = origUpdateSettingsDisabled
-		serviceEnvVars = origServiceEnvVars
-	})
-
-	logLevel = "trace"
-	daemonAddr = "tcp://127.0.0.1:9999"
-	managementURL = "https://mgmt.example.com"
-	configPath = "/tmp/test-config.json"
-	logFiles = []string{"/tmp/test.log"}
-	profilesDisabled = true
-	updateSettingsDisabled = true
-	serviceEnvVars = []string{"FOO=bar", "BAZ=qux"}
-
-	params := currentServiceParams()
-
-	assert.Equal(t, "trace", params.LogLevel)
-	assert.Equal(t, "tcp://127.0.0.1:9999", params.DaemonAddr)
-	assert.Equal(t, "https://mgmt.example.com", params.ManagementURL)
-	assert.Equal(t, "/tmp/test-config.json", params.ConfigPath)
-	assert.Equal(t, []string{"/tmp/test.log"}, params.LogFiles)
-	assert.True(t, params.DisableProfiles)
-	assert.True(t, params.DisableUpdateSettings)
-	assert.Equal(t, map[string]string{"FOO": "bar", "BAZ": "qux"}, params.ServiceEnvVars)
-}
-
-func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
-	origLogLevel := logLevel
-	origDaemonAddr := daemonAddr
-	origManagementURL := managementURL
-	origConfigPath := configPath
-	origLogFiles := logFiles
-	origProfilesDisabled := profilesDisabled
-	origUpdateSettingsDisabled := updateSettingsDisabled
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() {
-		logLevel = origLogLevel
-		daemonAddr = origDaemonAddr
-		managementURL = origManagementURL
-		configPath = origConfigPath
-		logFiles = origLogFiles
-		profilesDisabled = origProfilesDisabled
-		updateSettingsDisabled = origUpdateSettingsDisabled
-		serviceEnvVars = origServiceEnvVars
-	})
-
-	// Reset all flags to defaults.
-	logLevel = "info"
-	daemonAddr = "unix:///var/run/netbird.sock"
-	managementURL = ""
-	configPath = "/etc/netbird/config.json"
-	logFiles = []string{"/var/log/netbird/client.log"}
-	profilesDisabled = false
-	updateSettingsDisabled = false
-	serviceEnvVars = nil
-
-	// Reset Changed state on all relevant flags.
-	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		f.Changed = false
-	})
-	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		f.Changed = false
-	})
-
-	// Simulate user explicitly setting --log-level via CLI.
-	logLevel = "warn"
-	require.NoError(t, rootCmd.PersistentFlags().Set("log-level", "warn"))
-
-	saved := &serviceParams{
-		LogLevel:              "debug",
-		DaemonAddr:            "tcp://127.0.0.1:5555",
-		ManagementURL:         "https://saved.example.com",
-		ConfigPath:            "/saved/config.json",
-		LogFiles:              []string{"/saved/client.log"},
-		DisableProfiles:       true,
-		DisableUpdateSettings: true,
-		ServiceEnvVars:        map[string]string{"SAVED_KEY": "saved_val"},
-	}
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	applyServiceParams(cmd, saved)
-
-	// log-level was Changed, so it should keep "warn", not use saved "debug".
-	assert.Equal(t, "warn", logLevel)
-
-	// All other fields were not Changed, so they should use saved values.
-	assert.Equal(t, "tcp://127.0.0.1:5555", daemonAddr)
-	assert.Equal(t, "https://saved.example.com", managementURL)
-	assert.Equal(t, "/saved/config.json", configPath)
-	assert.Equal(t, []string{"/saved/client.log"}, logFiles)
-	assert.True(t, profilesDisabled)
-	assert.True(t, updateSettingsDisabled)
-	assert.Equal(t, []string{"SAVED_KEY=saved_val"}, serviceEnvVars)
-}
-
-func TestApplyServiceParams_BooleanRevertToFalse(t *testing.T) {
-	origProfilesDisabled := profilesDisabled
-	origUpdateSettingsDisabled := updateSettingsDisabled
-	t.Cleanup(func() {
-		profilesDisabled = origProfilesDisabled
-		updateSettingsDisabled = origUpdateSettingsDisabled
-	})
-
-	// Simulate current state where booleans are true (e.g. set by previous install).
-	profilesDisabled = true
-	updateSettingsDisabled = true
-
-	// Reset Changed state so flags appear unset.
-	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		f.Changed = false
-	})
-
-	// Saved params have both as false.
-	saved := &serviceParams{
-		DisableProfiles:       false,
-		DisableUpdateSettings: false,
-	}
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	applyServiceParams(cmd, saved)
-
-	assert.False(t, profilesDisabled, "saved false should override current true")
-	assert.False(t, updateSettingsDisabled, "saved false should override current true")
-}
-
-func TestApplyServiceParams_ClearManagementURL(t *testing.T) {
-	origManagementURL := managementURL
-	t.Cleanup(func() { managementURL = origManagementURL })
-
-	managementURL = "https://leftover.example.com"
-
-	// Simulate saved params where management URL was explicitly cleared.
-	saved := &serviceParams{
-		LogLevel:   "info",
-		DaemonAddr: "unix:///var/run/netbird.sock",
-		// ManagementURL intentionally empty: was cleared with --management-url "".
-	}
-
-	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		f.Changed = false
-	})
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	applyServiceParams(cmd, saved)
-
-	assert.Equal(t, "", managementURL, "saved empty management URL should clear the current value")
-}
-
-func TestApplyServiceParams_NilParams(t *testing.T) {
-	origLogLevel := logLevel
-	t.Cleanup(func() { logLevel = origLogLevel })
-
-	logLevel = "info"
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-
-	// Should be a no-op.
-	applyServiceParams(cmd, nil)
-	assert.Equal(t, "info", logLevel)
-}
-
-func TestApplyServiceEnvParams_MergeExplicitAndSaved(t *testing.T) {
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
-
-	// Set up a command with --service-env marked as Changed.
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-	require.NoError(t, cmd.Flags().Set("service-env", "EXPLICIT=yes,OVERLAP=explicit"))
-
-	serviceEnvVars = []string{"EXPLICIT=yes", "OVERLAP=explicit"}
-
-	saved := &serviceParams{
-		ServiceEnvVars: map[string]string{
-			"SAVED":   "val",
-			"OVERLAP": "saved",
-		},
-	}
-
-	applyServiceEnvParams(cmd, saved)
-
-	// Parse result for easier assertion.
-	result, err := parseServiceEnvVars(serviceEnvVars)
-	require.NoError(t, err)
-
-	assert.Equal(t, "yes", result["EXPLICIT"])
-	assert.Equal(t, "val", result["SAVED"])
-	// Explicit wins on conflict.
-	assert.Equal(t, "explicit", result["OVERLAP"])
-}
-
-func TestApplyServiceEnvParams_NotChanged(t *testing.T) {
-	origServiceEnvVars := serviceEnvVars
-	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
-
-	serviceEnvVars = nil
-
-	cmd := &cobra.Command{}
-	cmd.Flags().StringSlice("service-env", nil, "")
-
-	saved := &serviceParams{
-		ServiceEnvVars: map[string]string{"FROM_SAVED": "val"},
-	}
-
-	applyServiceEnvParams(cmd, saved)
-
-	result, err := parseServiceEnvVars(serviceEnvVars)
-	require.NoError(t, err)
-	assert.Equal(t, map[string]string{"FROM_SAVED": "val"}, result)
-}
-
-// TestServiceParams_FieldsCoveredInFunctions ensures that all serviceParams fields are
-// referenced in both currentServiceParams() and applyServiceParams(). If a new field is
-// added to serviceParams but not wired into these functions, this test fails.
-func TestServiceParams_FieldsCoveredInFunctions(t *testing.T) {
-	fset := token.NewFileSet()
-	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
-	require.NoError(t, err)
-
-	// Collect all JSON field names from the serviceParams struct.
-	structFields := extractStructJSONFields(t, file, "serviceParams")
-	require.NotEmpty(t, structFields, "failed to find serviceParams struct fields")
-
-	// Collect field names referenced in currentServiceParams and applyServiceParams.
-	currentFields := extractFuncFieldRefs(t, file, "currentServiceParams", structFields)
-	applyFields := extractFuncFieldRefs(t, file, "applyServiceParams", structFields)
-	// applyServiceEnvParams handles ServiceEnvVars indirectly.
-	applyEnvFields := extractFuncFieldRefs(t, file, "applyServiceEnvParams", structFields)
-	for k, v := range applyEnvFields {
-		applyFields[k] = v
-	}
-
-	for _, field := range structFields {
-		assert.Contains(t, currentFields, field,
-			"serviceParams field %q is not captured in currentServiceParams()", field)
-		assert.Contains(t, applyFields, field,
-			"serviceParams field %q is not restored in applyServiceParams()/applyServiceEnvParams()", field)
-	}
-}
-
-// TestServiceParams_BuildArgsCoversAllFlags ensures that buildServiceArguments references
-// all serviceParams fields that should become CLI args. ServiceEnvVars is excluded because
-// it flows through newSVCConfig() EnvVars, not CLI args.
-func TestServiceParams_BuildArgsCoversAllFlags(t *testing.T) {
-	fset := token.NewFileSet()
-	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
-	require.NoError(t, err)
-
-	structFields := extractStructJSONFields(t, file, "serviceParams")
-	require.NotEmpty(t, structFields)
-
-	installerFile, err := parser.ParseFile(fset, "service_installer.go", nil, 0)
-	require.NoError(t, err)
-
-	// Fields that are handled outside of buildServiceArguments (env vars go through newSVCConfig).
-	fieldsNotInArgs := map[string]bool{
-		"ServiceEnvVars": true,
-	}
-
-	buildFields := extractFuncGlobalRefs(t, installerFile, "buildServiceArguments")
-
-	// Forward: every struct field must appear in buildServiceArguments.
-	for _, field := range structFields {
-		if fieldsNotInArgs[field] {
-			continue
-		}
-		globalVar := fieldToGlobalVar(field)
-		assert.Contains(t, buildFields, globalVar,
-			"serviceParams field %q (global %q) is not referenced in buildServiceArguments()", field, globalVar)
-	}
-
-	// Reverse: every service-related global used in buildServiceArguments must
-	// have a corresponding serviceParams field. This catches a developer adding
-	// a new flag to buildServiceArguments without adding it to the struct.
-	globalToField := make(map[string]string, len(structFields))
-	for _, field := range structFields {
-		globalToField[fieldToGlobalVar(field)] = field
-	}
-	// Identifiers in buildServiceArguments that are not service params
-	// (builtins, boilerplate, loop variables).
-	nonParamGlobals := map[string]bool{
-		"args": true, "append": true, "string": true, "_": true,
-		"logFile": true, // range variable over logFiles
-	}
-	for ref := range buildFields {
-		if nonParamGlobals[ref] {
-			continue
-		}
-		_, inStruct := globalToField[ref]
-		assert.True(t, inStruct,
-			"buildServiceArguments() references global %q which has no corresponding serviceParams field", ref)
-	}
-}
-
-// extractStructJSONFields returns field names from a named struct type.
-func extractStructJSONFields(t *testing.T, file *ast.File, structName string) []string {
-	t.Helper()
-	var fields []string
-	ast.Inspect(file, func(n ast.Node) bool {
-		ts, ok := n.(*ast.TypeSpec)
-		if !ok || ts.Name.Name != structName {
-			return true
-		}
-		st, ok := ts.Type.(*ast.StructType)
-		if !ok {
-			return false
-		}
-		for _, f := range st.Fields.List {
-			if len(f.Names) > 0 {
-				fields = append(fields, f.Names[0].Name)
-			}
-		}
-		return false
-	})
-	return fields
-}
-
-// extractFuncFieldRefs returns which of the given field names appear inside the
-// named function, either as selector expressions (params.FieldName) or as
-// composite literal keys (&serviceParams{FieldName: ...}).
-func extractFuncFieldRefs(t *testing.T, file *ast.File, funcName string, fields []string) map[string]bool {
-	t.Helper()
-	fieldSet := make(map[string]bool, len(fields))
-	for _, f := range fields {
-		fieldSet[f] = true
-	}
-
-	found := make(map[string]bool)
-	fn := findFuncDecl(file, funcName)
-	require.NotNil(t, fn, "function %s not found", funcName)
-
-	ast.Inspect(fn.Body, func(n ast.Node) bool {
-		switch v := n.(type) {
-		case *ast.SelectorExpr:
-			if fieldSet[v.Sel.Name] {
-				found[v.Sel.Name] = true
-			}
-		case *ast.KeyValueExpr:
-			if ident, ok := v.Key.(*ast.Ident); ok && fieldSet[ident.Name] {
-				found[ident.Name] = true
-			}
-		}
-		return true
-	})
-	return found
-}
-
-// extractFuncGlobalRefs returns all identifier names referenced in the named function body.
-func extractFuncGlobalRefs(t *testing.T, file *ast.File, funcName string) map[string]bool {
-	t.Helper()
-	fn := findFuncDecl(file, funcName)
-	require.NotNil(t, fn, "function %s not found", funcName)
-
-	refs := make(map[string]bool)
-	ast.Inspect(fn.Body, func(n ast.Node) bool {
-		if ident, ok := n.(*ast.Ident); ok {
-			refs[ident.Name] = true
-		}
-		return true
-	})
-	return refs
-}
-
-func findFuncDecl(file *ast.File, name string) *ast.FuncDecl {
-	for _, decl := range file.Decls {
-		fn, ok := decl.(*ast.FuncDecl)
-		if ok && fn.Name.Name == name {
-			return fn
-		}
-	}
-	return nil
-}
-
-// fieldToGlobalVar maps serviceParams field names to the package-level variable
-// names used in buildServiceArguments and applyServiceParams.
-func fieldToGlobalVar(field string) string {
-	m := map[string]string{
-		"LogLevel":              "logLevel",
-		"DaemonAddr":            "daemonAddr",
-		"ManagementURL":         "managementURL",
-		"ConfigPath":            "configPath",
-		"LogFiles":              "logFiles",
-		"DisableProfiles":       "profilesDisabled",
-		"DisableUpdateSettings": "updateSettingsDisabled",
-		"ServiceEnvVars":        "serviceEnvVars",
-	}
-	if v, ok := m[field]; ok {
-		return v
-	}
-	// Default: lowercase first letter.
-	return strings.ToLower(field[:1]) + field[1:]
-}
-
-func TestEnvMapToSlice(t *testing.T) {
-	m := map[string]string{"A": "1", "B": "2"}
-	s := envMapToSlice(m)
-	assert.Len(t, s, 2)
-	assert.Contains(t, s, "A=1")
-	assert.Contains(t, s, "B=2")
-}
-
-func TestEnvMapToSlice_Empty(t *testing.T) {
-	s := envMapToSlice(map[string]string{})
-	assert.Empty(t, s)
-}
--- a/client/cmd/service_test.go
+++ b/client/cmd/service_test.go
@@ -4,9 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"os/signal"
 	"runtime"
-	"syscall"
 	"testing"
 	"time"

@@ -15,22 +13,6 @@ import (
 	"github.com/stretchr/testify/require"
 )

-// TestMain intercepts when this test binary is run as a daemon subprocess.
-// On FreeBSD, the rc.d service script runs the binary via daemon(8) -r with
-// "service run ..." arguments. Since the test binary can't handle cobra CLI
-// args, it exits immediately, causing daemon -r to respawn rapidly until
-// hitting the rate limit and exiting. This makes service restart unreliable.
-// Blocking here keeps the subprocess alive until the init system sends SIGTERM.
-func TestMain(m *testing.M) {
-	if len(os.Args) > 2 && os.Args[1] == "service" && os.Args[2] == "run" {
-		sig := make(chan os.Signal, 1)
-		signal.Notify(sig, syscall.SIGTERM, os.Interrupt)
-		<-sig
-		return
-	}
-	os.Exit(m.Run())
-}
-
 const (
 	serviceStartTimeout = 10 * time.Second
 	serviceStopTimeout  = 5 * time.Second
@@ -97,34 +79,6 @@ func TestServiceLifecycle(t *testing.T) {
 	logLevel = "info"
 	daemonAddr = fmt.Sprintf("unix://%s/netbird-test.sock", tempDir)

-	// Ensure cleanup even if a subtest fails and Stop/Uninstall subtests don't run.
-	t.Cleanup(func() {
-		cfg, err := newSVCConfig()
-		if err != nil {
-			t.Errorf("cleanup: create service config: %v", err)
-			return
-		}
-		ctxSvc, cancel := context.WithCancel(context.Background())
-		defer cancel()
-		s, err := newSVC(newProgram(ctxSvc, cancel), cfg)
-		if err != nil {
-			t.Errorf("cleanup: create service: %v", err)
-			return
-		}
-
-		// If the subtests already cleaned up, there's nothing to do.
-		if _, err := s.Status(); err != nil {
-			return
-		}
-
-		if err := s.Stop(); err != nil {
-			t.Errorf("cleanup: stop service: %v", err)
-		}
-		if err := s.Uninstall(); err != nil {
-			t.Errorf("cleanup: uninstall service: %v", err)
-		}
-	})
-
 	ctx := context.Background()

 	t.Run("Install", func(t *testing.T) {
--- a/client/cmd/signer/artifactkey.go
+++ b/client/cmd/signer/artifactkey.go
@@ -7,7 +7,7 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/reposign"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )

 var (
--- a/client/cmd/signer/artifactsign.go
+++ b/client/cmd/signer/artifactsign.go
@@ -6,7 +6,7 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/reposign"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )

 const (
--- a/client/cmd/signer/revocation.go
+++ b/client/cmd/signer/revocation.go
@@ -7,7 +7,7 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/reposign"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )

 const (
--- a/client/cmd/signer/rootkey.go
+++ b/client/cmd/signer/rootkey.go
@@ -7,7 +7,7 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/reposign"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
 )

 var (
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -28,7 +28,6 @@ var (
 	ipsFilterMap         map[string]struct{}
 	prefixNamesFilterMap map[string]struct{}
 	connectionTypeFilter string
-	checkFlag            string
 )

 var statusCmd = &cobra.Command{
@@ -50,7 +49,6 @@ func init() {
 	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
 	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
 	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
-	statusCmd.PersistentFlags().StringVar(&checkFlag, "check", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
 }

 func statusFunc(cmd *cobra.Command, args []string) error {
@@ -58,10 +56,6 @@ func statusFunc(cmd *cobra.Command, args []string) error {

 	cmd.SetOut(cmd.OutOrStdout())

-	if checkFlag != "" {
-		return runHealthCheck(cmd)
-	}
-
 	err := parseFilters()
 	if err != nil {
 		return err
@@ -74,17 +68,15 @@ func statusFunc(cmd *cobra.Command, args []string) error {

 	ctx := internal.CtxInitState(cmd.Context())

-	resp, err := getStatus(ctx, true, false)
+	resp, err := getStatus(ctx, false)
 	if err != nil {
 		return err
 	}

 	status := resp.GetStatus()

-	needsAuth := status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
-		status == string(internal.StatusSessionExpired)
-
-	if needsAuth && !jsonFlag && !yamlFlag {
+	if status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
+		status == string(internal.StatusSessionExpired) {
 		cmd.Printf("Daemon status: %s\n\n"+
 			"Run UP command to log in with SSO (interactive login):\n\n"+
 			" netbird up \n\n"+
@@ -107,27 +99,17 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		profName = activeProf.Name
 	}

-	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), nbstatus.ConvertOptions{
-		Anonymize:            anonymizeFlag,
-		DaemonVersion:        resp.GetDaemonVersion(),
-		DaemonStatus:         nbstatus.ParseDaemonStatus(status),
-		StatusFilter:         statusFilter,
-		PrefixNamesFilter:    prefixNamesFilter,
-		PrefixNamesFilterMap: prefixNamesFilterMap,
-		IPsFilter:            ipsFilterMap,
-		ConnectionTypeFilter: connectionTypeFilter,
-		ProfileName:          profName,
-	})
+	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp, anonymizeFlag, statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter, profName)
 	var statusOutputString string
 	switch {
 	case detailFlag:
-		statusOutputString = outputInformationHolder.FullDetailSummary()
+		statusOutputString = nbstatus.ParseToFullDetailSummary(outputInformationHolder)
 	case jsonFlag:
-		statusOutputString, err = outputInformationHolder.JSON()
+		statusOutputString, err = nbstatus.ParseToJSON(outputInformationHolder)
 	case yamlFlag:
-		statusOutputString, err = outputInformationHolder.YAML()
+		statusOutputString, err = nbstatus.ParseToYAML(outputInformationHolder)
 	default:
-		statusOutputString = outputInformationHolder.GeneralSummary(false, false, false, false)
+		statusOutputString = nbstatus.ParseGeneralSummary(outputInformationHolder, false, false, false, false)
 	}

 	if err != nil {
@@ -139,7 +121,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	return nil
 }

-func getStatus(ctx context.Context, fullPeerStatus bool, shouldRunProbes bool) (*proto.StatusResponse, error) {
+func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
@@ -149,7 +131,7 @@ func getStatus(ctx context.Context, fullPeerStatus bool, shouldRunProbes bool) (
 	}
 	defer conn.Close()

-	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: fullPeerStatus, ShouldRunProbes: shouldRunProbes})
+	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: shouldRunProbes})
 	if err != nil {
 		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
 	}
@@ -203,83 +185,6 @@ func enableDetailFlagWhenFilterFlag() {
 	}
 }

-func runHealthCheck(cmd *cobra.Command) error {
-	check := strings.ToLower(checkFlag)
-	switch check {
-	case "live", "ready", "startup":
-	default:
-		return fmt.Errorf("unknown check %q, must be one of: live, ready, startup", checkFlag)
-	}
-
-	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
-		return fmt.Errorf("init log: %w", err)
-	}
-
-	ctx := internal.CtxInitState(cmd.Context())
-
-	isStartup := check == "startup"
-	resp, err := getStatus(ctx, isStartup, false)
-	if err != nil {
-		return err
-	}
-
-	switch check {
-	case "live":
-		return nil
-	case "ready":
-		return checkReadiness(resp)
-	case "startup":
-		return checkStartup(resp)
-	default:
-		return nil
-	}
-}
-
-func checkReadiness(resp *proto.StatusResponse) error {
-	daemonStatus := internal.StatusType(resp.GetStatus())
-	switch daemonStatus {
-	case internal.StatusIdle, internal.StatusConnecting, internal.StatusConnected:
-		return nil
-	case internal.StatusNeedsLogin, internal.StatusLoginFailed, internal.StatusSessionExpired:
-		return fmt.Errorf("readiness check: daemon status is %s", daemonStatus)
-	default:
-		return fmt.Errorf("readiness check: unexpected daemon status %q", daemonStatus)
-	}
-}
-
-func checkStartup(resp *proto.StatusResponse) error {
-	fullStatus := resp.GetFullStatus()
-	if fullStatus == nil {
-		return fmt.Errorf("startup check: no full status available")
-	}
-
-	if !fullStatus.GetManagementState().GetConnected() {
-		return fmt.Errorf("startup check: management not connected")
-	}
-
-	if !fullStatus.GetSignalState().GetConnected() {
-		return fmt.Errorf("startup check: signal not connected")
-	}
-
-	var relayCount, relaysConnected int
-	for _, r := range fullStatus.GetRelays() {
-		uri := r.GetURI()
-		if !strings.HasPrefix(uri, "rel://") && !strings.HasPrefix(uri, "rels://") {
-			continue
-		}
-		relayCount++
-		if r.GetAvailable() {
-			relaysConnected++
-		}
-	}
-
-	if relayCount > 0 && relaysConnected == 0 {
-		return fmt.Errorf("startup check: no relay servers available (0/%d connected)", relayCount)
-	}
-
-	return nil
-}
-
 func parseInterfaceIP(interfaceIP string) string {
 	ip, _, err := net.ParseCIDR(interfaceIP)
 	if err != nil {
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -18,7 +18,6 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
-	"github.com/netbirdio/netbird/management/server/job"

 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
@@ -98,8 +97,6 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	peersmanager := peers.NewManager(store, permissionsManagerMock)
 	settingsManagerMock := settings.NewMockManager(ctrl)

-	jobManager := job.NewJobManager(nil, store, peersmanager)
-
 	iv, _ := integrations.NewIntegratedValidator(context.Background(), peersmanager, settingsManagerMock, eventStore)

 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
@@ -118,7 +115,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	requestBuffer := mgmt.NewAccountRequestBuffer(ctx, store)
 	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersmanager), config)

-	accountManager, err := mgmt.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	accountManager, err := mgmt.BuildManager(context.Background(), config, store, networkMapController, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -127,7 +124,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -197,10 +197,10 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 	r := peer.NewRecorder(config.ManagementURL.String())
 	r.GetFullStatus()

-	connectClient := internal.NewConnectClient(ctx, config, r)
+	connectClient := internal.NewConnectClient(ctx, config, r, false)
 	SetupDebugHandler(ctx, config, r, connectClient, "")

-	return connectClient.Run(nil, util.FindFirstLogPath(logFiles))
+	return connectClient.Run(nil)
 }

 func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager.ProfileManager, activeProf *profilemanager.Profile, profileSwitched bool) error {
--- a/client/cmd/update_supported.go
+++ b/client/cmd/update_supported.go
@@ -11,7 +11,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/client/internal/updater/installer"
+	"github.com/netbirdio/netbird/client/internal/updatemanager/installer"
 	"github.com/netbirdio/netbird/util"
 )

--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -14,16 +14,12 @@ import (
 	"github.com/sirupsen/logrus"
 	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"

-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	sshcommon "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
-	"github.com/netbirdio/netbird/shared/management/domain"
-	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )

 var (
@@ -33,14 +29,6 @@ var (
 	ErrConfigNotInitialized = errors.New("config not initialized")
 )

-const (
-	// PeerStatusConnected indicates the peer is in connected state.
-	PeerStatusConnected = peer.StatusConnected
-)
-
-// PeerConnStatus is a peer's connection status.
-type PeerConnStatus = peer.ConnStatus
-
 // Client manages a netbird embedded client instance.
 type Client struct {
 	deviceName string
@@ -50,7 +38,6 @@ type Client struct {
 	setupKey   string
 	jwtToken   string
 	connect    *internal.ConnectClient
-	recorder   *peer.Status
 }

 // Options configures a new Client.
@@ -79,18 +66,6 @@ type Options struct {
 	StatePath string
 	// DisableClientRoutes disables the client routes
 	DisableClientRoutes bool
-	// BlockInbound blocks all inbound connections from peers
-	BlockInbound bool
-	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
-	WireguardPort *int
-	// MTU is the MTU for the WireGuard interface.
-	// Valid values are in the range 576..8192 bytes.
-	// If non-nil, this value overrides any value stored in the config file.
-	// If nil, the existing config MTU (if non-zero) is preserved; otherwise it defaults to 1280.
-	// Set to a higher value (e.g. 1400) if carrying QUIC or other protocols that require larger datagrams.
-	MTU *uint16
-	// DNSLabels defines additional DNS labels configured in the peer.
-	DNSLabels []string
 }

 // validateCredentials checks that exactly one credential type is provided
@@ -122,12 +97,6 @@ func New(opts Options) (*Client, error) {
 		return nil, err
 	}

-	if opts.MTU != nil {
-		if err := iface.ValidateMTU(*opts.MTU); err != nil {
-			return nil, fmt.Errorf("invalid MTU: %w", err)
-		}
-	}
-
 	if opts.LogOutput != nil {
 		logrus.SetOutput(opts.LogOutput)
 	}
@@ -156,24 +125,15 @@ func New(opts Options) (*Client, error) {
 		}
 	}

-	var err error
-	var parsedLabels domain.List
-	if parsedLabels, err = domain.FromStringList(opts.DNSLabels); err != nil {
-		return nil, fmt.Errorf("invalid dns labels: %w", err)
-	}
-
 	t := true
 	var config *profilemanager.Config
+	var err error
 	input := profilemanager.ConfigInput{
 		ConfigPath:          opts.ConfigPath,
 		ManagementURL:       opts.ManagementURL,
 		PreSharedKey:        &opts.PreSharedKey,
 		DisableServerRoutes: &t,
 		DisableClientRoutes: &opts.DisableClientRoutes,
-		BlockInbound:        &opts.BlockInbound,
-		WireguardPort:       opts.WireguardPort,
-		MTU:                 opts.MTU,
-		DNSLabels:           parsedLabels,
 	}
 	if opts.ConfigPath != "" {
 		config, err = profilemanager.UpdateOrCreateConfig(input)
@@ -193,7 +153,6 @@ func New(opts Options) (*Client, error) {
 		setupKey:   opts.SetupKey,
 		jwtToken:   opts.JWTToken,
 		config:     config,
-		recorder:   peer.NewRecorder(config.ManagementURL.String()),
 	}, nil
 }

@@ -202,38 +161,26 @@ func New(opts Options) (*Client, error) {
 func (c *Client) Start(startCtx context.Context) error {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	if c.connect != nil {
+	if c.cancel != nil {
 		return ErrClientAlreadyStarted
 	}

-	ctx, cancel := context.WithCancel(internal.CtxInitState(context.Background()))
-	defer func() {
-		if c.connect == nil {
-			cancel()
-		}
-	}()
-
+	ctx := internal.CtxInitState(context.Background())
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
-
-	authClient, err := auth.NewAuth(ctx, c.config.PrivateKey, c.config.ManagementURL, c.config)
-	if err != nil {
-		return fmt.Errorf("create auth client: %w", err)
-	}
-	defer authClient.Close()
-
-	if err, _ := authClient.Login(ctx, c.setupKey, c.jwtToken); err != nil {
+	if err := internal.Login(ctx, c.config, c.setupKey, c.jwtToken); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}
-	client := internal.NewConnectClient(ctx, c.config, c.recorder)
-	client.SetSyncResponsePersistence(true)
+
+	recorder := peer.NewRecorder(c.config.ManagementURL.String())
+	client := internal.NewConnectClient(ctx, c.config, recorder, false)

 	// either startup error (permanent backoff err) or nil err (successful engine up)
 	// TODO: make after-startup backoff err available
 	run := make(chan struct{})
 	clientErr := make(chan error, 1)
 	go func() {
-		if err := client.Run(run, ""); err != nil {
+		if err := client.Run(run); err != nil {
 			clientErr <- err
 		}
 	}()
@@ -250,7 +197,6 @@ func (c *Client) Start(startCtx context.Context) error {
 	}

 	c.connect = client
-	c.cancel = cancel

 	return nil
 }
@@ -265,23 +211,17 @@ func (c *Client) Stop(ctx context.Context) error {
 		return ErrClientNotStarted
 	}

-	if c.cancel != nil {
-		c.cancel()
-		c.cancel = nil
-	}
-
 	done := make(chan error, 1)
-	connect := c.connect
 	go func() {
-		done <- connect.Stop()
+		done <- c.connect.Stop()
 	}()

 	select {
 	case <-ctx.Done():
-		c.connect = nil
+		c.cancel = nil
 		return ctx.Err()
 	case err := <-done:
-		c.connect = nil
+		c.cancel = nil
 		if err != nil {
 			return fmt.Errorf("stop: %w", err)
 		}
@@ -375,83 +315,6 @@ func (c *Client) NewHTTPClient() *http.Client {
 	}
 }

-// Expose exposes a local service via the NetBird reverse proxy, making it accessible through a public URL.
-// It returns an ExposeSession. Call Wait on the session to keep it alive.
-func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession, error) {
-	engine, err := c.getEngine()
-	if err != nil {
-		return nil, err
-	}
-
-	mgr := engine.GetExposeManager()
-	if mgr == nil {
-		return nil, fmt.Errorf("expose manager not available")
-	}
-
-	resp, err := mgr.Expose(ctx, req)
-	if err != nil {
-		return nil, fmt.Errorf("expose: %w", err)
-	}
-
-	return &ExposeSession{
-		Domain:      resp.Domain,
-		ServiceName: resp.ServiceName,
-		ServiceURL:  resp.ServiceURL,
-		mgr:         mgr,
-	}, nil
-}
-
-// Status returns the current status of the client.
-func (c *Client) Status() (peer.FullStatus, error) {
-	c.mu.Lock()
-	connect := c.connect
-	c.mu.Unlock()
-
-	if connect != nil {
-		engine := connect.Engine()
-		if engine != nil {
-			_ = engine.RunHealthProbes(false)
-		}
-	}
-
-	return c.recorder.GetFullStatus(), nil
-}
-
-// GetLatestSyncResponse returns the latest sync response from the management server.
-func (c *Client) GetLatestSyncResponse() (*mgmProto.SyncResponse, error) {
-	engine, err := c.getEngine()
-	if err != nil {
-		return nil, err
-	}
-
-	syncResp, err := engine.GetLatestSyncResponse()
-	if err != nil {
-		return nil, fmt.Errorf("get sync response: %w", err)
-	}
-
-	return syncResp, nil
-}
-
-// SetLogLevel sets the logging level for the client and its components.
-func (c *Client) SetLogLevel(levelStr string) error {
-	level, err := logrus.ParseLevel(levelStr)
-	if err != nil {
-		return fmt.Errorf("parse log level: %w", err)
-	}
-
-	logrus.SetLevel(level)
-
-	c.mu.Lock()
-	connect := c.connect
-	c.mu.Unlock()
-
-	if connect != nil {
-		connect.SetLogLevel(level)
-	}
-
-	return nil
-}
-
 // VerifySSHHostKey verifies an SSH host key against stored peer keys.
 // Returns nil if the key matches, ErrPeerNotFound if peer is not in network,
 // ErrNoStoredKey if peer has no stored key, or an error for verification failures.
--- a/client/embed/expose.go
+++ b/client/embed/expose.go
@@ -1,45 +0,0 @@
-package embed
-
-import (
-	"context"
-	"errors"
-
-	"github.com/netbirdio/netbird/client/internal/expose"
-)
-
-const (
-	// ExposeProtocolHTTP exposes the service as HTTP.
-	ExposeProtocolHTTP = expose.ProtocolHTTP
-	// ExposeProtocolHTTPS exposes the service as HTTPS.
-	ExposeProtocolHTTPS = expose.ProtocolHTTPS
-	// ExposeProtocolTCP exposes the service as TCP.
-	ExposeProtocolTCP = expose.ProtocolTCP
-	// ExposeProtocolUDP exposes the service as UDP.
-	ExposeProtocolUDP = expose.ProtocolUDP
-	// ExposeProtocolTLS exposes the service as TLS.
-	ExposeProtocolTLS = expose.ProtocolTLS
-)
-
-// ExposeRequest is a request to expose a local service via the NetBird reverse proxy.
-type ExposeRequest = expose.Request
-
-// ExposeProtocolType represents the protocol used for exposing a service.
-type ExposeProtocolType = expose.ProtocolType
-
-// ExposeSession represents an active expose session. Use Wait to block until the session ends.
-type ExposeSession struct {
-	Domain      string
-	ServiceName string
-	ServiceURL  string
-
-	mgr *expose.Manager
-}
-
-// Wait blocks while keeping the expose session alive.
-// It returns when ctx is cancelled or a keep-alive error occurs, then terminates the session.
-func (s *ExposeSession) Wait(ctx context.Context) error {
-	if s == nil || s.mgr == nil {
-		return errors.New("expose session is not initialized")
-	}
-	return s.mgr.KeepAlive(ctx, s.Domain)
-}
--- a/client/firewall/create_linux.go
+++ b/client/firewall/create_linux.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"strconv"

 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/nftables"
@@ -36,27 +35,20 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 type FWType int

 func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
-	// We run in userspace mode and force userspace firewall was requested. We don't attempt native firewall.
-	if iface.IsUserspaceBind() && forceUserspaceFirewall() {
-		log.Info("forcing userspace firewall")
-		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
-	}
-
-	// Use native firewall for either kernel or userspace, the interface appears identical to netfilter
+	// on the linux system we try to user nftables or iptables
+	// in any case, because we need to allow netbird interface traffic
+	// so we use AllowNetbird traffic from these firewall managers
+	// for the userspace packet filtering firewall
 	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes, mtu)

-	// Kernel cannot fall back to anything else, need to return error
 	if !iface.IsUserspaceBind() {
 		return fm, err
 	}

-	// Fall back to the userspace packet filter if native is unavailable
 	if err != nil {
 		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
-		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
 	}
-
-	return fm, nil
+	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
 }

 func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool, mtu uint16) (firewall.Manager, error) {
@@ -168,17 +160,3 @@ func isIptablesClientAvailable(client *iptables.IPTables) bool {
 	_, err := client.ListChains("filter")
 	return err == nil
 }
-
-func forceUserspaceFirewall() bool {
-	val := os.Getenv(EnvForceUserspaceFirewall)
-	if val == "" {
-		return false
-	}
-
-	force, err := strconv.ParseBool(val)
-	if err != nil {
-		log.Warnf("failed to parse %s: %v", EnvForceUserspaceFirewall, err)
-		return false
-	}
-	return force
-}
--- a/client/firewall/iface.go
+++ b/client/firewall/iface.go
@@ -7,12 +7,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )

-// EnvForceUserspaceFirewall forces the use of the userspace packet filter even when
-// native iptables/nftables is available. This only applies when the WireGuard interface
-// runs in userspace mode. When set, peer ACLs are handled by USPFilter instead of
-// kernel netfilter rules.
-const EnvForceUserspaceFirewall = "NB_FORCE_USERSPACE_FIREWALL"
-
 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
 	Name() string
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -23,16 +23,16 @@ type Manager struct {

 	wgIface iFaceMapper

-	ipv4Client   *iptables.IPTables
-	aclMgr       *aclManager
-	router       *router
-	rawSupported bool
+	ipv4Client *iptables.IPTables
+	aclMgr     *aclManager
+	router     *router
 }

 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMapper interface {
 	Name() string
 	Address() wgaddr.Address
+	IsUserspaceBind() bool
 }

 // Create iptables firewall manager
@@ -63,9 +63,10 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	state := &ShutdownState{
 		InterfaceState: &InterfaceState{
-			NameStr:   m.wgIface.Name(),
-			WGAddress: m.wgIface.Address(),
-			MTU:       m.router.mtu,
+			NameStr:       m.wgIface.Name(),
+			WGAddress:     m.wgIface.Address(),
+			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:           m.router.mtu,
 		},
 	}
 	stateManager.RegisterState(state)
@@ -82,10 +83,6 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		return fmt.Errorf("acl manager init: %w", err)
 	}

-	if err := m.initNoTrackChain(); err != nil {
-		log.Warnf("raw table not available, notrack rules will be disabled: %v", err)
-	}
-
 	// persist early to ensure cleanup of chains
 	go func() {
 		if err := stateManager.PersistState(context.Background()); err != nil {
@@ -180,10 +177,6 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {

 	var merr *multierror.Error

-	if err := m.cleanupNoTrackChain(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("cleanup notrack chain: %w", err))
-	}
-
 	if err := m.aclMgr.Reset(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("reset acl manager: %w", err))
 	}
@@ -201,10 +194,12 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	return nberrors.FormatErrorOrNil(merr)
 }

-// AllowNetbird allows netbird interface traffic.
-// This is called when USPFilter wraps the native firewall, adding blanket accept
-// rules so that packet filtering is handled in userspace instead of by netfilter.
+// AllowNetbird allows netbird interface traffic
 func (m *Manager) AllowNetbird() error {
+	if !m.wgIface.IsUserspaceBind() {
+		return nil
+	}
+
 	_, err := m.AddPeerFiltering(
 		nil,
 		net.IP{0, 0, 0, 0},
@@ -282,172 +277,6 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }

-// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-const (
-	chainNameRaw = "NETBIRD-RAW"
-	chainOUTPUT  = "OUTPUT"
-	tableRaw     = "raw"
-)
-
-// SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
-// This prevents conntrack from tracking WireGuard proxy traffic on loopback, which
-// can interfere with MASQUERADE rules (e.g., from container runtimes like Podman/netavark).
-//
-// Traffic flows that need NOTRACK:
-//
-//  1. Egress: WireGuard -> fake endpoint (before eBPF rewrite)
-//     src=127.0.0.1:wgPort -> dst=127.0.0.1:fakePort
-//     Matched by: sport=wgPort
-//
-//  2. Egress: Proxy -> WireGuard (via raw socket)
-//     src=127.0.0.1:fakePort -> dst=127.0.0.1:wgPort
-//     Matched by: dport=wgPort
-//
-//  3. Ingress: Packets to WireGuard
-//     dst=127.0.0.1:wgPort
-//     Matched by: dport=wgPort
-//
-//  4. Ingress: Packets to proxy (after eBPF rewrite)
-//     dst=127.0.0.1:proxyPort
-//     Matched by: dport=proxyPort
-//
-// Rules are cleaned up when the firewall manager is closed.
-func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	if !m.rawSupported {
-		return fmt.Errorf("raw table not available")
-	}
-
-	wgPortStr := fmt.Sprintf("%d", wgPort)
-	proxyPortStr := fmt.Sprintf("%d", proxyPort)
-
-	// Egress rules: match outgoing loopback UDP packets
-	outputRuleSport := []string{"-o", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--sport", wgPortStr, "-j", "NOTRACK"}
-	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, outputRuleSport...); err != nil {
-		return fmt.Errorf("add output sport notrack rule: %w", err)
-	}
-
-	outputRuleDport := []string{"-o", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--dport", wgPortStr, "-j", "NOTRACK"}
-	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, outputRuleDport...); err != nil {
-		return fmt.Errorf("add output dport notrack rule: %w", err)
-	}
-
-	// Ingress rules: match incoming loopback UDP packets
-	preroutingRuleWg := []string{"-i", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--dport", wgPortStr, "-j", "NOTRACK"}
-	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, preroutingRuleWg...); err != nil {
-		return fmt.Errorf("add prerouting wg notrack rule: %w", err)
-	}
-
-	preroutingRuleProxy := []string{"-i", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--dport", proxyPortStr, "-j", "NOTRACK"}
-	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, preroutingRuleProxy...); err != nil {
-		return fmt.Errorf("add prerouting proxy notrack rule: %w", err)
-	}
-
-	log.Debugf("set up ebpf proxy notrack rules for ports %d,%d", proxyPort, wgPort)
-	return nil
-}
-
-// AddTProxyRule adds TPROXY redirect rules for the transparent proxy.
-func (m *Manager) AddTProxyRule(ruleID string, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddTProxyRule(ruleID, sources, dstPorts, redirectPort)
-}
-
-// RemoveTProxyRule removes TPROXY redirect rules by ID.
-func (m *Manager) RemoveTProxyRule(ruleID string) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveTProxyRule(ruleID)
-}
-
-// AddUDPInspectionHook is a no-op for iptables (kernel-mode firewall has no userspace packet hooks).
-func (m *Manager) AddUDPInspectionHook(_ uint16, _ func([]byte) bool) string { return "" }
-
-// RemoveUDPInspectionHook is a no-op for iptables.
-func (m *Manager) RemoveUDPInspectionHook(_ string) {}
-
-func (m *Manager) initNoTrackChain() error {
-	if err := m.cleanupNoTrackChain(); err != nil {
-		log.Debugf("cleanup notrack chain: %v", err)
-	}
-
-	if err := m.ipv4Client.NewChain(tableRaw, chainNameRaw); err != nil {
-		return fmt.Errorf("create chain: %w", err)
-	}
-
-	jumpRule := []string{"-j", chainNameRaw}
-
-	if err := m.ipv4Client.InsertUnique(tableRaw, chainOUTPUT, 1, jumpRule...); err != nil {
-		if delErr := m.ipv4Client.DeleteChain(tableRaw, chainNameRaw); delErr != nil {
-			log.Debugf("delete orphan chain: %v", delErr)
-		}
-		return fmt.Errorf("add output jump rule: %w", err)
-	}
-
-	if err := m.ipv4Client.InsertUnique(tableRaw, chainPREROUTING, 1, jumpRule...); err != nil {
-		if delErr := m.ipv4Client.DeleteIfExists(tableRaw, chainOUTPUT, jumpRule...); delErr != nil {
-			log.Debugf("delete output jump rule: %v", delErr)
-		}
-		if delErr := m.ipv4Client.DeleteChain(tableRaw, chainNameRaw); delErr != nil {
-			log.Debugf("delete orphan chain: %v", delErr)
-		}
-		return fmt.Errorf("add prerouting jump rule: %w", err)
-	}
-
-	m.rawSupported = true
-	return nil
-}
-
-func (m *Manager) cleanupNoTrackChain() error {
-	exists, err := m.ipv4Client.ChainExists(tableRaw, chainNameRaw)
-	if err != nil {
-		if !m.rawSupported {
-			return nil
-		}
-		return fmt.Errorf("check chain exists: %w", err)
-	}
-	if !exists {
-		return nil
-	}
-
-	jumpRule := []string{"-j", chainNameRaw}
-
-	if err := m.ipv4Client.DeleteIfExists(tableRaw, chainOUTPUT, jumpRule...); err != nil {
-		return fmt.Errorf("remove output jump rule: %w", err)
-	}
-
-	if err := m.ipv4Client.DeleteIfExists(tableRaw, chainPREROUTING, jumpRule...); err != nil {
-		return fmt.Errorf("remove prerouting jump rule: %w", err)
-	}
-
-	if err := m.ipv4Client.ClearAndDeleteChain(tableRaw, chainNameRaw); err != nil {
-		return fmt.Errorf("clear and delete chain: %w", err)
-	}
-
-	m.rawSupported = false
-	return nil
-}
-
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }
--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -47,6 +47,8 @@ func (i *iFaceMock) Address() wgaddr.Address {
 	panic("AddressFunc is not set")
 }

+func (i *iFaceMock) IsUserspaceBind() bool { return false }
+
 func TestIptablesManager(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -36,7 +36,6 @@ const (
 	chainRTFWDOUT           = "NETBIRD-RT-FWD-OUT"
 	chainRTPRE              = "NETBIRD-RT-PRE"
 	chainRTRDR              = "NETBIRD-RT-RDR"
-	chainNATOutput          = "NETBIRD-NAT-OUTPUT"
 	chainRTMSSCLAMP         = "NETBIRD-RT-MSSCLAMP"
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"
@@ -44,7 +43,6 @@ const (
 	jumpManglePre  = "jump-mangle-pre"
 	jumpNatPre     = "jump-nat-pre"
 	jumpNatPost    = "jump-nat-post"
-	jumpNatOutput  = "jump-nat-output"
 	jumpMSSClamp   = "jump-mss-clamp"
 	markManglePre  = "mark-mangle-pre"
 	markManglePost = "mark-mangle-post"
@@ -89,8 +87,6 @@ type router struct {

 	stateManager *statemanager.Manager
 	ipFwdState   *ipfwdstate.IPForwardingState
-
-	tproxyRules []tproxyRuleEntry
 }

 func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint16) (*router, error) {
@@ -391,14 +387,6 @@ func (r *router) cleanUpDefaultForwardRules() error {
 	}

 	log.Debug("flushing routing related tables")
-
-	// Remove jump rules from built-in chains before deleting custom chains,
-	// otherwise the chain deletion fails with "device or resource busy".
-	jumpRule := []string{"-j", chainNATOutput}
-	if err := r.iptablesClient.Delete(tableNat, "OUTPUT", jumpRule...); err != nil {
-		log.Debugf("clean OUTPUT jump rule: %v", err)
-	}
-
 	for _, chainInfo := range []struct {
 		chain string
 		table string
@@ -408,7 +396,6 @@ func (r *router) cleanUpDefaultForwardRules() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
-		{chainNATOutput, tableNat},
 		{chainRTMSSCLAMP, tableMangle},
 	} {
 		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
@@ -983,81 +970,6 @@ func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Proto
 	return nil
 }

-// ensureNATOutputChain lazily creates the OUTPUT NAT chain and jump rule on first use.
-func (r *router) ensureNATOutputChain() error {
-	if _, exists := r.rules[jumpNatOutput]; exists {
-		return nil
-	}
-
-	chainExists, err := r.iptablesClient.ChainExists(tableNat, chainNATOutput)
-	if err != nil {
-		return fmt.Errorf("check chain %s: %w", chainNATOutput, err)
-	}
-	if !chainExists {
-		if err := r.iptablesClient.NewChain(tableNat, chainNATOutput); err != nil {
-			return fmt.Errorf("create chain %s: %w", chainNATOutput, err)
-		}
-	}
-
-	jumpRule := []string{"-j", chainNATOutput}
-	if err := r.iptablesClient.Insert(tableNat, "OUTPUT", 1, jumpRule...); err != nil {
-		if !chainExists {
-			if delErr := r.iptablesClient.ClearAndDeleteChain(tableNat, chainNATOutput); delErr != nil {
-				log.Warnf("failed to rollback chain %s: %v", chainNATOutput, delErr)
-			}
-		}
-		return fmt.Errorf("add OUTPUT jump rule: %w", err)
-	}
-	r.rules[jumpNatOutput] = jumpRule
-
-	r.updateState()
-	return nil
-}
-
-// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if _, exists := r.rules[ruleID]; exists {
-		return nil
-	}
-
-	if err := r.ensureNATOutputChain(); err != nil {
-		return err
-	}
-
-	dnatRule := []string{
-		"-p", strings.ToLower(string(protocol)),
-		"--dport", strconv.Itoa(int(sourcePort)),
-		"-d", localAddr.String(),
-		"-j", "DNAT",
-		"--to-destination", ":" + strconv.Itoa(int(targetPort)),
-	}
-
-	if err := r.iptablesClient.Append(tableNat, chainNATOutput, dnatRule...); err != nil {
-		return fmt.Errorf("add output DNAT rule: %w", err)
-	}
-	r.rules[ruleID] = dnatRule
-
-	r.updateState()
-	return nil
-}
-
-// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if dnatRule, exists := r.rules[ruleID]; exists {
-		if err := r.iptablesClient.Delete(tableNat, chainNATOutput, dnatRule...); err != nil {
-			return fmt.Errorf("delete output DNAT rule: %w", err)
-		}
-		delete(r.rules, ruleID)
-	}
-
-	r.updateState()
-	return nil
-}
-
 func applyPort(flag string, port *firewall.Port) []string {
 	if port == nil {
 		return nil
@@ -1111,92 +1023,3 @@ func (r *router) addPrefixToIPSet(name string, prefix netip.Prefix) error {
 func (r *router) destroyIPSet(name string) error {
 	return ipset.Destroy(name)
 }
-
-// AddTProxyRule adds iptables nat PREROUTING REDIRECT rules for transparent proxy interception.
-// Traffic from sources on dstPorts arriving on the WG interface is redirected
-// to the transparent proxy listener on redirectPort.
-func (r *router) AddTProxyRule(ruleID string, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) error {
-	portStr := fmt.Sprintf("%d", redirectPort)
-
-	for _, proto := range []string{"tcp", "udp"} {
-		srcSpecs := r.buildSourceSpecs(sources)
-
-		for _, srcSpec := range srcSpecs {
-			if len(dstPorts) == 0 {
-				rule := append(srcSpec,
-					"-i", r.wgIface.Name(),
-					"-p", proto,
-					"-j", "REDIRECT",
-					"--to-ports", portStr,
-				)
-				if err := r.iptablesClient.AppendUnique(tableNat, chainRTRDR, rule...); err != nil {
-					return fmt.Errorf("add redirect rule %s/%s: %w", ruleID, proto, err)
-				}
-				r.tproxyRules = append(r.tproxyRules, tproxyRuleEntry{
-					ruleID: ruleID,
-					table:  tableNat,
-					chain:  chainRTRDR,
-					spec:   rule,
-				})
-			} else {
-				for _, port := range dstPorts {
-					rule := append(srcSpec,
-						"-i", r.wgIface.Name(),
-						"-p", proto,
-						"--dport", fmt.Sprintf("%d", port),
-						"-j", "REDIRECT",
-						"--to-ports", portStr,
-					)
-					if err := r.iptablesClient.AppendUnique(tableNat, chainRTRDR, rule...); err != nil {
-						return fmt.Errorf("add redirect rule %s/%s/%d: %w", ruleID, proto, port, err)
-					}
-					r.tproxyRules = append(r.tproxyRules, tproxyRuleEntry{
-						ruleID: ruleID,
-						table:  tableNat,
-						chain:  chainRTRDR,
-						spec:   rule,
-					})
-				}
-			}
-		}
-	}
-
-	return nil
-}
-
-// RemoveTProxyRule removes all iptables REDIRECT rules for the given ruleID.
-func (r *router) RemoveTProxyRule(ruleID string) error {
-	var remaining []tproxyRuleEntry
-	for _, entry := range r.tproxyRules {
-		if entry.ruleID != ruleID {
-			remaining = append(remaining, entry)
-			continue
-		}
-		if err := r.iptablesClient.DeleteIfExists(entry.table, entry.chain, entry.spec...); err != nil {
-			log.Debugf("remove tproxy rule %s: %v", ruleID, err)
-		}
-	}
-	r.tproxyRules = remaining
-
-	return nil
-}
-
-type tproxyRuleEntry struct {
-	ruleID string
-	table  string
-	chain  string
-	spec   []string
-}
-
-func (r *router) buildSourceSpecs(sources []netip.Prefix) [][]string {
-	if len(sources) == 0 {
-		return [][]string{{}} // empty spec = match any source
-	}
-
-	specs := make([][]string, 0, len(sources))
-	for _, src := range sources {
-		specs = append(specs, []string{"-s", src.String()})
-	}
-	return specs
-}
-
--- a/client/firewall/iptables/state_linux.go
+++ b/client/firewall/iptables/state_linux.go
@@ -9,9 +9,10 @@ import (
 )

 type InterfaceState struct {
-	NameStr   string         `json:"name"`
-	WGAddress wgaddr.Address `json:"wg_address"`
-	MTU       uint16         `json:"mtu"`
+	NameStr       string         `json:"name"`
+	WGAddress     wgaddr.Address `json:"wg_address"`
+	UserspaceBind bool           `json:"userspace_bind"`
+	MTU           uint16         `json:"mtu"`
 }

 func (i *InterfaceState) Name() string {
@@ -22,6 +23,10 @@ func (i *InterfaceState) Address() wgaddr.Address {
 	return i.WGAddress
 }

+func (i *InterfaceState) IsUserspaceBind() bool {
+	return i.UserspaceBind
+}
+
 type ShutdownState struct {
 	sync.Mutex

--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -168,34 +168,6 @@ type Manager interface {

 	// RemoveInboundDNAT removes inbound DNAT rule
 	RemoveInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
-
-	// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
-	AddOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
-
-	// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
-	RemoveOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
-
-	// SetupEBPFProxyNoTrack creates static notrack rules for eBPF proxy loopback traffic.
-	// This prevents conntrack from interfering with WireGuard proxy communication.
-	SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error
-
-	// AddTProxyRule adds TPROXY redirect rules for specific source CIDRs and destination ports.
-	// Traffic from sources on dstPorts is redirected to the transparent proxy on redirectPort.
-	// Empty dstPorts means redirect all ports.
-	AddTProxyRule(ruleID string, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) error
-
-	// RemoveTProxyRule removes TPROXY redirect rules by ID.
-	RemoveTProxyRule(ruleID string) error
-
-	// AddUDPInspectionHook registers a hook that inspects UDP packets before forwarding.
-	// The hook receives the raw packet and returns true to drop it.
-	// Used for QUIC SNI-based blocking. Returns a hook ID for removal.
-	AddUDPInspectionHook(dstPort uint16, hook func(packet []byte) bool) string
-
-	// RemoveUDPInspectionHook removes a previously registered inspection hook.
-	RemoveUDPInspectionHook(hookID string)
 }

 func GenKey(format string, pair RouterPair) string {
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -12,7 +12,6 @@ import (
 	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
@@ -40,6 +39,7 @@ func getTableName() string {
 type iFaceMapper interface {
 	Name() string
 	Address() wgaddr.Address
+	IsUserspaceBind() bool
 }

 // Manager of iptables firewall
@@ -48,10 +48,8 @@ type Manager struct {
 	rConn   *nftables.Conn
 	wgIface iFaceMapper

-	router                 *router
-	aclManager             *AclManager
-	notrackOutputChain     *nftables.Chain
-	notrackPreroutingChain *nftables.Chain
+	router     *router
+	aclManager *AclManager
 }

 // Create nftables firewall manager
@@ -93,10 +91,6 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		return fmt.Errorf("acl manager init: %w", err)
 	}

-	if err := m.initNoTrackChains(workTable); err != nil {
-		log.Warnf("raw priority chains not available, notrack rules will be disabled: %v", err)
-	}
-
 	stateManager.RegisterState(&ShutdownState{})

 	// We only need to record minimal interface state for potential recreation.
@@ -105,9 +99,10 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	// cleanup using Close() without needing to store specific rules.
 	if err := stateManager.UpdateState(&ShutdownState{
 		InterfaceState: &InterfaceState{
-			NameStr:   m.wgIface.Name(),
-			WGAddress: m.wgIface.Address(),
-			MTU:       m.router.mtu,
+			NameStr:       m.wgIface.Name(),
+			WGAddress:     m.wgIface.Address(),
+			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:           m.router.mtu,
 		},
 	}); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -203,10 +198,12 @@ func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	return m.router.RemoveNatRule(pair)
 }

-// AllowNetbird allows netbird interface traffic.
-// This is called when USPFilter wraps the native firewall, adding blanket accept
-// rules so that packet filtering is handled in userspace instead of by netfilter.
+// AllowNetbird allows netbird interface traffic
 func (m *Manager) AllowNetbird() error {
+	if !m.wgIface.IsUserspaceBind() {
+		return nil
+	}
+
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

@@ -291,15 +288,7 @@ func (m *Manager) Flush() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if err := m.aclManager.Flush(); err != nil {
-		return err
-	}
-
-	if err := m.refreshNoTrackChains(); err != nil {
-		log.Errorf("failed to refresh notrack chains: %v", err)
-	}
-
-	return nil
+	return m.aclManager.Flush()
 }

 // AddDNATRule adds a DNAT rule
@@ -342,214 +331,6 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }

-// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-const (
-	chainNameRawOutput     = "netbird-raw-out"
-	chainNameRawPrerouting = "netbird-raw-pre"
-)
-
-// SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
-// This prevents conntrack from tracking WireGuard proxy traffic on loopback, which
-// can interfere with MASQUERADE rules (e.g., from container runtimes like Podman/netavark).
-//
-// Traffic flows that need NOTRACK:
-//
-//  1. Egress: WireGuard -> fake endpoint (before eBPF rewrite)
-//     src=127.0.0.1:wgPort -> dst=127.0.0.1:fakePort
-//     Matched by: sport=wgPort
-//
-//  2. Egress: Proxy -> WireGuard (via raw socket)
-//     src=127.0.0.1:fakePort -> dst=127.0.0.1:wgPort
-//     Matched by: dport=wgPort
-//
-//  3. Ingress: Packets to WireGuard
-//     dst=127.0.0.1:wgPort
-//     Matched by: dport=wgPort
-//
-//  4. Ingress: Packets to proxy (after eBPF rewrite)
-//     dst=127.0.0.1:proxyPort
-//     Matched by: dport=proxyPort
-//
-// Rules are cleaned up when the firewall manager is closed.
-func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	if m.notrackOutputChain == nil || m.notrackPreroutingChain == nil {
-		return fmt.Errorf("notrack chains not initialized")
-	}
-
-	proxyPortBytes := binaryutil.BigEndian.PutUint16(proxyPort)
-	wgPortBytes := binaryutil.BigEndian.PutUint16(wgPort)
-	loopback := []byte{127, 0, 0, 1}
-
-	// Egress rules: match outgoing loopback UDP packets
-	m.rConn.AddRule(&nftables.Rule{
-		Table: m.notrackOutputChain.Table,
-		Chain: m.notrackOutputChain,
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 0, Len: 2},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: wgPortBytes}, // sport=wgPort
-			&expr.Counter{},
-			&expr.Notrack{},
-		},
-	})
-	m.rConn.AddRule(&nftables.Rule{
-		Table: m.notrackOutputChain.Table,
-		Chain: m.notrackOutputChain,
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: wgPortBytes}, // dport=wgPort
-			&expr.Counter{},
-			&expr.Notrack{},
-		},
-	})
-
-	// Ingress rules: match incoming loopback UDP packets
-	m.rConn.AddRule(&nftables.Rule{
-		Table: m.notrackPreroutingChain.Table,
-		Chain: m.notrackPreroutingChain,
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: wgPortBytes}, // dport=wgPort
-			&expr.Counter{},
-			&expr.Notrack{},
-		},
-	})
-	m.rConn.AddRule(&nftables.Rule{
-		Table: m.notrackPreroutingChain.Table,
-		Chain: m.notrackPreroutingChain,
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
-			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: proxyPortBytes}, // dport=proxyPort
-			&expr.Counter{},
-			&expr.Notrack{},
-		},
-	})
-
-	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf("flush notrack rules: %w", err)
-	}
-
-	log.Debugf("set up ebpf proxy notrack rules for ports %d,%d", proxyPort, wgPort)
-	return nil
-}
-
-// AddTProxyRule adds TPROXY redirect rules for the transparent proxy.
-func (m *Manager) AddTProxyRule(ruleID string, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddTProxyRule(ruleID, sources, dstPorts, redirectPort)
-}
-
-// RemoveTProxyRule removes TPROXY redirect rules by ID.
-func (m *Manager) RemoveTProxyRule(ruleID string) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveTProxyRule(ruleID)
-}
-
-// AddUDPInspectionHook is a no-op for nftables (kernel-mode firewall has no userspace packet hooks).
-func (m *Manager) AddUDPInspectionHook(_ uint16, _ func([]byte) bool) string { return "" }
-
-// RemoveUDPInspectionHook is a no-op for nftables.
-func (m *Manager) RemoveUDPInspectionHook(_ string) {}
-
-func (m *Manager) initNoTrackChains(table *nftables.Table) error {
-	m.notrackOutputChain = m.rConn.AddChain(&nftables.Chain{
-		Name:     chainNameRawOutput,
-		Table:    table,
-		Type:     nftables.ChainTypeFilter,
-		Hooknum:  nftables.ChainHookOutput,
-		Priority: nftables.ChainPriorityRaw,
-	})
-
-	m.notrackPreroutingChain = m.rConn.AddChain(&nftables.Chain{
-		Name:     chainNameRawPrerouting,
-		Table:    table,
-		Type:     nftables.ChainTypeFilter,
-		Hooknum:  nftables.ChainHookPrerouting,
-		Priority: nftables.ChainPriorityRaw,
-	})
-
-	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf("flush chain creation: %w", err)
-	}
-
-	return nil
-}
-
-func (m *Manager) refreshNoTrackChains() error {
-	chains, err := m.rConn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
-	if err != nil {
-		return fmt.Errorf("list chains: %w", err)
-	}
-
-	tableName := getTableName()
-	for _, c := range chains {
-		if c.Table.Name != tableName {
-			continue
-		}
-		switch c.Name {
-		case chainNameRawOutput:
-			m.notrackOutputChain = c
-		case chainNameRawPrerouting:
-			m.notrackPreroutingChain = c
-		}
-	}
-
-	return nil
-}
-
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -52,6 +52,8 @@ func (i *iFaceMock) Address() wgaddr.Address {
 	panic("AddressFunc is not set")
 }

+func (i *iFaceMock) IsUserspaceBind() bool { return false }
+
 func TestNftablesManager(t *testing.T) {

 	// just check on the local interface
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -36,7 +36,6 @@ const (
 	chainNameRoutingFw     = "netbird-rt-fwd"
 	chainNameRoutingNat    = "netbird-rt-postrouting"
 	chainNameRoutingRdr    = "netbird-rt-redirect"
-	chainNameNATOutput     = "netbird-nat-output"
 	chainNameForward       = "FORWARD"
 	chainNameMangleForward = "netbird-mangle-forward"

@@ -77,7 +76,6 @@ type router struct {
 	ipFwdState       *ipfwdstate.IPForwardingState
 	legacyManagement bool
 	mtu              uint16
-
 }

 func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*router, error) {
@@ -485,12 +483,7 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	}

 	if nftRule.Handle == 0 {
-		log.Warnf("route rule %s has no handle, removing stale entry", ruleKey)
-		if err := r.decrementSetCounter(nftRule); err != nil {
-			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
-		}
-		delete(r.rules, ruleKey)
-		return nil
+		return fmt.Errorf("route rule %s has no handle", ruleKey)
 	}

 	if err := r.deleteNftRule(nftRule, ruleKey); err != nil {
@@ -667,32 +660,13 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 	}

 	if err := r.conn.Flush(); err != nil {
-		r.rollbackRules(pair)
-		return fmt.Errorf("insert rules for %s: %w", pair.Destination, err)
+		// TODO: rollback ipset counter
+		return fmt.Errorf("insert rules for %s: %v", pair.Destination, err)
 	}

 	return nil
 }

-// rollbackRules cleans up unflushed rules and their set counters after a flush failure.
-func (r *router) rollbackRules(pair firewall.RouterPair) {
-	keys := []string{
-		firewall.GenKey(firewall.ForwardingFormat, pair),
-		firewall.GenKey(firewall.PreroutingFormat, pair),
-		firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair)),
-	}
-	for _, key := range keys {
-		rule, ok := r.rules[key]
-		if !ok {
-			continue
-		}
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Warnf("rollback set counter for %s: %v", key, err)
-		}
-		delete(r.rules, key)
-	}
-}
-
 // addNatRule inserts a nftables rule to the conn client flush queue
 func (r *router) addNatRule(pair firewall.RouterPair) error {
 	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
@@ -954,30 +928,18 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)

-	rule, exists := r.rules[ruleKey]
-	if !exists {
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("legacy forwarding rule %s has no handle, removing stale entry", ruleKey)
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
+	if rule, exists := r.rules[ruleKey]; exists {
+		if err := r.conn.DelRule(rule); err != nil {
+			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
+
+		log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
+
 		delete(r.rules, ruleKey)
-		return nil
-	}

-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("remove legacy forwarding rule %s -> %s: %w", pair.Source, pair.Destination, err)
-	}
-
-	log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
-
-	delete(r.rules, ruleKey)
-
-	if err := r.decrementSetCounter(rule); err != nil {
-		return fmt.Errorf("decrement set counter: %w", err)
+		if err := r.decrementSetCounter(rule); err != nil {
+			return fmt.Errorf("decrement set counter: %w", err)
+		}
 	}

 	return nil
@@ -1367,89 +1329,65 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}

-	var merr *multierror.Error
-
 	if pair.Masquerade {
 		if err := r.removeNatRule(pair); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove prerouting rule: %w", err))
+			return fmt.Errorf("remove prerouting rule: %w", err)
 		}

 		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove inverse prerouting rule: %w", err))
+			return fmt.Errorf("remove inverse prerouting rule: %w", err)
 		}
 	}

 	if err := r.removeLegacyRouteRule(pair); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove legacy routing rule: %w", err))
+		return fmt.Errorf("remove legacy routing rule: %w", err)
 	}

-	// Set counters are decremented in the sub-methods above before flush. If flush fails,
-	// counters will be off until the next successful removal or refresh cycle.
 	if err := r.conn.Flush(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("flush remove nat rules %s: %w", pair.Destination, err))
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) removeNatRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
-
-	rule, exists := r.rules[ruleKey]
-	if !exists {
-		log.Debugf("prerouting rule %s not found", ruleKey)
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("prerouting rule %s has no handle, removing stale entry", ruleKey)
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
-		}
-		delete(r.rules, ruleKey)
-		return nil
-	}
-
-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("remove prerouting rule %s -> %s: %w", pair.Source, pair.Destination, err)
-	}
-
-	log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
-
-	delete(r.rules, ruleKey)
-
-	if err := r.decrementSetCounter(rule); err != nil {
-		return fmt.Errorf("decrement set counter: %w", err)
+		// TODO: rollback set counter
+		return fmt.Errorf("remove nat rules rule %s: %v", pair.Destination, err)
 	}

 	return nil
 }

-// refreshRulesMap rebuilds the rule map from the kernel. This removes stale entries
-// (e.g. from failed flushes) and updates handles for all existing rules.
+func (r *router) removeNatRule(pair firewall.RouterPair) error {
+	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
+
+	if rule, exists := r.rules[ruleKey]; exists {
+		if err := r.conn.DelRule(rule); err != nil {
+			return fmt.Errorf("remove prerouting rule %s -> %s: %v", pair.Source, pair.Destination, err)
+		}
+
+		log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
+
+		delete(r.rules, ruleKey)
+
+		if err := r.decrementSetCounter(rule); err != nil {
+			return fmt.Errorf("decrement set counter: %w", err)
+		}
+	} else {
+		log.Debugf("prerouting rule %s not found", ruleKey)
+	}
+
+	return nil
+}
+
+// refreshRulesMap refreshes the rule map with the latest rules. this is useful to avoid
+// duplicates and to get missing attributes that we don't have when adding new rules
 func (r *router) refreshRulesMap() error {
-	var merr *multierror.Error
-	newRules := make(map[string]*nftables.Rule)
 	for _, chain := range r.chains {
 		rules, err := r.conn.GetRules(chain.Table, chain)
 		if err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("list rules for chain %s: %w", chain.Name, err))
-			// preserve existing entries for this chain since we can't verify their state
-			for k, v := range r.rules {
-				if v.Chain != nil && v.Chain.Name == chain.Name {
-					newRules[k] = v
-				}
-			}
-			continue
+			return fmt.Errorf("list rules: %w", err)
 		}
 		for _, rule := range rules {
 			if len(rule.UserData) > 0 {
-				newRules[string(rule.UserData)] = rule
+				r.rules[string(rule.UserData)] = rule
 			}
 		}
 	}
-	r.rules = newRules
-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }

 func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
@@ -1691,34 +1629,20 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	}

 	var merr *multierror.Error
-	var needsFlush bool
-
 	if dnatRule, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		if dnatRule.Handle == 0 {
-			log.Warnf("dnat rule %s has no handle, removing stale entry", ruleKey+dnatSuffix)
-			delete(r.rules, ruleKey+dnatSuffix)
-		} else if err := r.conn.DelRule(dnatRule); err != nil {
+		if err := r.conn.DelRule(dnatRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete dnat rule: %w", err))
-		} else {
-			needsFlush = true
 		}
 	}

 	if masqRule, exists := r.rules[ruleKey+snatSuffix]; exists {
-		if masqRule.Handle == 0 {
-			log.Warnf("snat rule %s has no handle, removing stale entry", ruleKey+snatSuffix)
-			delete(r.rules, ruleKey+snatSuffix)
-		} else if err := r.conn.DelRule(masqRule); err != nil {
+		if err := r.conn.DelRule(masqRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete snat rule: %w", err))
-		} else {
-			needsFlush = true
 		}
 	}

-	if needsFlush {
-		if err := r.conn.Flush(); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf(flushError, err))
-		}
+	if err := r.conn.Flush(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
 	}

 	if merr == nil {
@@ -1833,149 +1757,16 @@ func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Proto

 	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)

-	rule, exists := r.rules[ruleID]
-	if !exists {
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("inbound DNAT rule %s has no handle, removing stale entry", ruleID)
+	if rule, exists := r.rules[ruleID]; exists {
+		if err := r.conn.DelRule(rule); err != nil {
+			return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
+		}
+		if err := r.conn.Flush(); err != nil {
+			return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
+		}
 		delete(r.rules, ruleID)
-		return nil
 	}

-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
-	}
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
-	}
-	delete(r.rules, ruleID)
-
-	return nil
-}
-
-// ensureNATOutputChain lazily creates the OUTPUT NAT chain on first use.
-func (r *router) ensureNATOutputChain() error {
-	if _, exists := r.chains[chainNameNATOutput]; exists {
-		return nil
-	}
-
-	r.chains[chainNameNATOutput] = r.conn.AddChain(&nftables.Chain{
-		Name:     chainNameNATOutput,
-		Table:    r.workTable,
-		Hooknum:  nftables.ChainHookOutput,
-		Priority: nftables.ChainPriorityNATDest,
-		Type:     nftables.ChainTypeNAT,
-	})
-
-	if err := r.conn.Flush(); err != nil {
-		delete(r.chains, chainNameNATOutput)
-		return fmt.Errorf("create NAT output chain: %w", err)
-	}
-	return nil
-}
-
-// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if _, exists := r.rules[ruleID]; exists {
-		return nil
-	}
-
-	if err := r.ensureNATOutputChain(); err != nil {
-		return err
-	}
-
-	protoNum, err := protoToInt(protocol)
-	if err != nil {
-		return fmt.Errorf("convert protocol to number: %w", err)
-	}
-
-	exprs := []expr.Any{
-		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     []byte{protoNum},
-		},
-		&expr.Payload{
-			DestRegister: 2,
-			Base:         expr.PayloadBaseTransportHeader,
-			Offset:       2,
-			Len:          2,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(sourcePort),
-		},
-	}
-
-	exprs = append(exprs, applyPrefix(netip.PrefixFrom(localAddr, 32), false)...)
-
-	exprs = append(exprs,
-		&expr.Immediate{
-			Register: 1,
-			Data:     localAddr.AsSlice(),
-		},
-		&expr.Immediate{
-			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(targetPort),
-		},
-		&expr.NAT{
-			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(nftables.TableFamilyIPv4),
-			RegAddrMin:  1,
-			RegProtoMin: 2,
-		},
-	)
-
-	dnatRule := &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameNATOutput],
-		Exprs:    exprs,
-		UserData: []byte(ruleID),
-	}
-	r.conn.AddRule(dnatRule)
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("add output DNAT rule: %w", err)
-	}
-
-	r.rules[ruleID] = dnatRule
-
-	return nil
-}
-
-// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	rule, exists := r.rules[ruleID]
-	if !exists {
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("output DNAT rule %s has no handle, removing stale entry", ruleID)
-		delete(r.rules, ruleID)
-		return nil
-	}
-
-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("delete output DNAT rule %s: %w", ruleID, err)
-	}
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("flush delete output DNAT rule: %w", err)
-	}
-	delete(r.rules, ruleID)
-
 	return nil
 }

@@ -2138,227 +1929,3 @@ func getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any
 		},
 	}, nil
 }
-
-// AddTProxyRule adds nftables TPROXY redirect rules in the mangle prerouting chain.
-// Traffic from sources on dstPorts arriving on the WG interface is redirected to
-// the transparent proxy listener on redirectPort.
-// Separate rules are created for TCP and UDP protocols.
-func (r *router) AddTProxyRule(ruleID string, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	// Use the nat redirect chain for DNAT rules.
-	// TPROXY doesn't work on WG kernel interfaces (socket assignment silently fails),
-	// so we use DNAT to 127.0.0.1:proxy_port instead. The proxy reads the original
-	// destination via SO_ORIGINAL_DST (conntrack).
-	chain := r.chains[chainNameRoutingRdr]
-	if chain == nil {
-		return fmt.Errorf("nat redirect chain not initialized")
-	}
-
-	for _, proto := range []uint8{unix.IPPROTO_TCP, unix.IPPROTO_UDP} {
-		protoName := "tcp"
-		if proto == unix.IPPROTO_UDP {
-			protoName = "udp"
-		}
-
-		ruleKey := fmt.Sprintf("tproxy-%s-%s", ruleID, protoName)
-
-		if existing, ok := r.rules[ruleKey]; ok && existing.Handle != 0 {
-			if err := r.decrementSetCounter(existing); err != nil {
-				log.Debugf("decrement set counter for %s: %v", ruleKey, err)
-			}
-			if err := r.conn.DelRule(existing); err != nil {
-				log.Debugf("remove existing tproxy rule %s: %v", ruleKey, err)
-			}
-			delete(r.rules, ruleKey)
-		}
-
-		exprs, err := r.buildRedirectExprs(proto, sources, dstPorts, redirectPort)
-		if err != nil {
-			return fmt.Errorf("build redirect exprs for %s: %w", protoName, err)
-		}
-
-		r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
-			Table:    r.workTable,
-			Chain:    chain,
-			Exprs:    exprs,
-			UserData: []byte(ruleKey),
-		})
-	}
-
-	// Accept redirected packets in the ACL input chain. After REDIRECT, the
-	// destination port becomes the proxy port. Without this rule, the ACL filter
-	// drops the packet. We match on ct state dnat so only REDIRECT'd connections
-	// are accepted: direct connections to the proxy port are blocked.
-	inputAcceptKey := fmt.Sprintf("tproxy-%s-input", ruleID)
-	if _, ok := r.rules[inputAcceptKey]; !ok {
-		inputChain := &nftables.Chain{
-			Name:  "netbird-acl-input-rules",
-			Table: r.workTable,
-		}
-		r.rules[inputAcceptKey] = r.conn.InsertRule(&nftables.Rule{
-			Table: r.workTable,
-			Chain: inputChain,
-			Exprs: []expr.Any{
-				// Only accept connections that were REDIRECT'd (ct status dnat)
-				&expr.Ct{Register: 1, Key: expr.CtKeySTATUS},
-				&expr.Bitwise{
-					SourceRegister: 1,
-					DestRegister:   1,
-					Len:            4,
-					Mask:           binaryutil.NativeEndian.PutUint32(0x20), // IPS_DST_NAT
-					Xor:            binaryutil.NativeEndian.PutUint32(0),
-				},
-				&expr.Cmp{
-					Op:       expr.CmpOpNeq,
-					Register: 1,
-					Data:     binaryutil.NativeEndian.PutUint32(0),
-				},
-				// Accept both TCP and UDP redirected to the proxy port.
-				&expr.Payload{
-					DestRegister: 1,
-					Base:         expr.PayloadBaseTransportHeader,
-					Offset:       2,
-					Len:          2,
-				},
-				&expr.Cmp{
-					Op:       expr.CmpOpEq,
-					Register: 1,
-					Data:     binaryutil.BigEndian.PutUint16(redirectPort),
-				},
-				&expr.Verdict{Kind: expr.VerdictAccept},
-			},
-			UserData: []byte(inputAcceptKey),
-		})
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("flush tproxy rules for %s: %w", ruleID, err)
-	}
-
-	return nil
-}
-
-// RemoveTProxyRule removes TPROXY redirect rules by ID (both TCP and UDP variants).
-func (r *router) RemoveTProxyRule(ruleID string) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	var removed int
-	for _, suffix := range []string{"tcp", "udp", "input"} {
-		ruleKey := fmt.Sprintf("tproxy-%s-%s", ruleID, suffix)
-
-		rule, ok := r.rules[ruleKey]
-		if !ok {
-			continue
-		}
-
-		if rule.Handle == 0 {
-			delete(r.rules, ruleKey)
-			continue
-		}
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Debugf("decrement set counter for %s: %v", ruleKey, err)
-		}
-		if err := r.conn.DelRule(rule); err != nil {
-			log.Debugf("delete tproxy rule %s: %v", ruleKey, err)
-		}
-		delete(r.rules, ruleKey)
-		removed++
-	}
-
-	if removed > 0 {
-		if err := r.conn.Flush(); err != nil {
-			return fmt.Errorf("flush tproxy rule removal for %s: %w", ruleID, err)
-		}
-	}
-
-	return nil
-}
-
-// buildRedirectExprs builds nftables expressions for a REDIRECT rule.
-// Matches WG interface ingress, source CIDRs, destination ports, then REDIRECTs to the proxy port.
-func (r *router) buildRedirectExprs(proto uint8, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) ([]expr.Any, error) {
-	var exprs []expr.Any
-
-	exprs = append(exprs,
-		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-		&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname(r.wgIface.Name())},
-	)
-
-	exprs = append(exprs,
-		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-		&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{proto}},
-	)
-
-	// Source CIDRs use the named ipset shared with route rules.
-	if len(sources) > 0 {
-		srcSet := firewall.NewPrefixSet(sources)
-		srcExprs, err := r.getIpSet(srcSet, sources, true)
-		if err != nil {
-			return nil, fmt.Errorf("get source ipset: %w", err)
-		}
-		exprs = append(exprs, srcExprs...)
-	}
-
-	if len(dstPorts) == 1 {
-		exprs = append(exprs,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseTransportHeader,
-				Offset:       2,
-				Len:          2,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     binaryutil.BigEndian.PutUint16(dstPorts[0]),
-			},
-		)
-	} else if len(dstPorts) > 1 {
-		setElements := make([]nftables.SetElement, len(dstPorts))
-		for i, p := range dstPorts {
-			setElements[i] = nftables.SetElement{Key: binaryutil.BigEndian.PutUint16(p)}
-		}
-		portSet := &nftables.Set{
-			Table:     r.workTable,
-			Anonymous: true,
-			Constant:  true,
-			KeyType:   nftables.TypeInetService,
-		}
-		if err := r.conn.AddSet(portSet, setElements); err != nil {
-			return nil, fmt.Errorf("create port set: %w", err)
-		}
-		exprs = append(exprs,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseTransportHeader,
-				Offset:       2,
-				Len:          2,
-			},
-			&expr.Lookup{
-				SourceRegister: 1,
-				SetName:        portSet.Name,
-				SetID:          portSet.ID,
-			},
-		)
-	}
-
-	// REDIRECT to local proxy port. Changes the destination to the interface's
-	// primary address + specified port. Conntrack tracks the original destination,
-	// readable via SO_ORIGINAL_DST.
-	exprs = append(exprs,
-		&expr.Immediate{Register: 1, Data: binaryutil.BigEndian.PutUint16(redirectPort)},
-		&expr.Redir{
-			RegisterProtoMin: 1,
-		},
-	)
-
-	return exprs, nil
-}
-
-
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -18,7 +18,6 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
 	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/internal/acl/id"
 )

 const (
@@ -720,137 +719,3 @@ func deleteWorkTable() {
 		}
 	}
 }
-
-func TestRouter_RefreshRulesMap_RemovesStaleEntries(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	workTable, err := createWorkTable()
-	require.NoError(t, err)
-	defer deleteWorkTable()
-
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, r.init(workTable))
-	defer func() { require.NoError(t, r.Reset()) }()
-
-	// Add a real rule to the kernel
-	ruleKey, err := r.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
-		firewall.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
-		firewall.ProtocolTCP,
-		nil,
-		&firewall.Port{Values: []uint16{80}},
-		firewall.ActionAccept,
-	)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, r.DeleteRouteRule(ruleKey))
-	})
-
-	// Inject a stale entry with Handle=0 (simulates store-before-flush failure)
-	staleKey := "stale-rule-that-does-not-exist"
-	r.rules[staleKey] = &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingFw],
-		Handle:   0,
-		UserData: []byte(staleKey),
-	}
-
-	require.Contains(t, r.rules, staleKey, "stale entry should be in map before refresh")
-
-	err = r.refreshRulesMap()
-	require.NoError(t, err)
-
-	assert.NotContains(t, r.rules, staleKey, "stale entry should be removed after refresh")
-
-	realRule, ok := r.rules[ruleKey.ID()]
-	assert.True(t, ok, "real rule should still exist after refresh")
-	assert.NotZero(t, realRule.Handle, "real rule should have a valid handle")
-}
-
-func TestRouter_DeleteRouteRule_StaleHandle(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	workTable, err := createWorkTable()
-	require.NoError(t, err)
-	defer deleteWorkTable()
-
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, r.init(workTable))
-	defer func() { require.NoError(t, r.Reset()) }()
-
-	// Inject a stale entry with Handle=0
-	staleKey := "stale-route-rule"
-	r.rules[staleKey] = &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingFw],
-		Handle:   0,
-		UserData: []byte(staleKey),
-	}
-
-	// DeleteRouteRule should not return an error for stale handles
-	err = r.DeleteRouteRule(id.RuleID(staleKey))
-	assert.NoError(t, err, "deleting a stale rule should not error")
-	assert.NotContains(t, r.rules, staleKey, "stale entry should be cleaned up")
-}
-
-func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, manager.Init(nil))
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	pair := firewall.RouterPair{
-		ID:          "staletest",
-		Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-		Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
-		Masquerade:  true,
-	}
-
-	rtr := manager.router
-
-	// First add succeeds
-	err = rtr.AddNatRule(pair)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, rtr.RemoveNatRule(pair))
-	})
-
-	// Corrupt the handle to simulate stale state
-	natRuleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
-	if rule, exists := rtr.rules[natRuleKey]; exists {
-		rule.Handle = 0
-	}
-	inverseKey := firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair))
-	if rule, exists := rtr.rules[inverseKey]; exists {
-		rule.Handle = 0
-	}
-
-	// Adding the same rule again should succeed despite stale handles
-	err = rtr.AddNatRule(pair)
-	assert.NoError(t, err, "AddNatRule should succeed even with stale entries")
-
-	// Verify rules exist in kernel
-	rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
-	require.NoError(t, err)
-
-	found := 0
-	for _, rule := range rules {
-		if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
-			found++
-		}
-	}
-	assert.Equal(t, 1, found, "NAT rule should exist in kernel")
-}
--- a/client/firewall/nftables/state_linux.go
+++ b/client/firewall/nftables/state_linux.go
@@ -8,9 +8,10 @@ import (
 )

 type InterfaceState struct {
-	NameStr   string         `json:"name"`
-	WGAddress wgaddr.Address `json:"wg_address"`
-	MTU       uint16         `json:"mtu"`
+	NameStr       string         `json:"name"`
+	WGAddress     wgaddr.Address `json:"wg_address"`
+	UserspaceBind bool           `json:"userspace_bind"`
+	MTU           uint16         `json:"mtu"`
 }

 func (i *InterfaceState) Name() string {
@@ -21,6 +22,10 @@ func (i *InterfaceState) Address() wgaddr.Address {
 	return i.WGAddress
 }

+func (i *InterfaceState) IsUserspaceBind() bool {
+	return i.UserspaceBind
+}
+
 type ShutdownState struct {
 	InterfaceState *InterfaceState `json:"interface_state,omitempty"`
 }
--- a/client/firewall/uspfilter/allow_netbird.go
+++ b/client/firewall/uspfilter/allow_netbird.go
@@ -3,6 +3,12 @@
 package uspfilter

 import (
+	"context"
+	"net/netip"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

@@ -11,7 +17,33 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	m.resetState()
+	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
+	m.incomingRules = make(map[netip.Addr]RuleSet)
+
+	if m.udpTracker != nil {
+		m.udpTracker.Close()
+	}
+
+	if m.icmpTracker != nil {
+		m.icmpTracker.Close()
+	}
+
+	if m.tcpTracker != nil {
+		m.tcpTracker.Close()
+	}
+
+	if fwder := m.forwarder.Load(); fwder != nil {
+		fwder.Stop()
+	}
+
+	if m.logger != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if err := m.logger.Stop(ctx); err != nil {
+			log.Errorf("failed to shutdown logger: %v", err)
+		}
+	}

 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.Close(stateManager)
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -1,9 +1,12 @@
 package uspfilter

 import (
+	"context"
 	"fmt"
+	"net/netip"
 	"os/exec"
 	"syscall"
+	"time"

 	log "github.com/sirupsen/logrus"

@@ -23,7 +26,33 @@ func (m *Manager) Close(*statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	m.resetState()
+	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
+	m.incomingRules = make(map[netip.Addr]RuleSet)
+
+	if m.udpTracker != nil {
+		m.udpTracker.Close()
+	}
+
+	if m.icmpTracker != nil {
+		m.icmpTracker.Close()
+	}
+
+	if m.tcpTracker != nil {
+		m.tcpTracker.Close()
+	}
+
+	if fwder := m.forwarder.Load(); fwder != nil {
+		fwder.Stop()
+	}
+
+	if m.logger != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if err := m.logger.Stop(ctx); err != nil {
+			log.Errorf("failed to shutdown logger: %v", err)
+		}
+	}

 	if !isWindowsFirewallReachable() {
 		return nil
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -115,17 +115,6 @@ func (t *TCPConnTrack) IsTombstone() bool {
 	return t.tombstone.Load()
 }

-// IsSupersededBy returns true if this connection should be replaced by a new one
-// carrying the given flags. Tombstoned connections are always superseded; TIME-WAIT
-// connections are superseded by a pure SYN (a new connection attempt for the same
-// four-tuple, as contemplated by RFC 1122 §4.2.2.13 and RFC 6191).
-func (t *TCPConnTrack) IsSupersededBy(flags uint8) bool {
-	if t.tombstone.Load() {
-		return true
-	}
-	return flags&TCPSyn != 0 && flags&TCPAck == 0 && TCPState(t.state.Load()) == TCPStateTimeWait
-}
-
 // SetTombstone safely marks the connection for deletion
 func (t *TCPConnTrack) SetTombstone() {
 	t.tombstone.Store(true)
@@ -180,7 +169,7 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()

-	if exists && !conn.IsSupersededBy(flags) {
+	if exists {
 		t.updateState(key, conn, flags, direction, size)
 		return key, uint16(conn.DNATOrigPort.Load()), true
 	}
@@ -252,7 +241,7 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()

-	if !exists || conn.IsSupersededBy(flags) {
+	if !exists || conn.IsTombstone() {
 		return false
 	}

--- a/client/firewall/uspfilter/conntrack/tcp_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_test.go
@@ -485,261 +485,6 @@ func TestTCPAbnormalSequences(t *testing.T) {
 	})
 }

-// TestTCPPortReuseTombstone verifies that a new connection on a port with a
-// tombstoned (closed) conntrack entry is properly tracked. Without the fix,
-// updateIfExists treats tombstoned entries as live, causing track() to skip
-// creating a new connection. The subsequent SYN-ACK then fails IsValidInbound
-// because the entry is tombstoned, and the response packet gets dropped by ACL.
-func TestTCPPortReuseTombstone(t *testing.T) {
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Outbound port reuse after graceful close", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and gracefully close a connection (server-initiated close)
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Server sends FIN
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		require.True(t, valid)
-
-		// Client sends FIN-ACK
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-
-		// Server sends final ACK
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-
-		// Connection should be tombstoned
-		conn := tracker.connections[key]
-		require.NotNil(t, conn, "old connection should still be in map")
-		require.True(t, conn.IsTombstone(), "old connection should be tombstoned")
-
-		// Now reuse the same port for a new connection
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-		// The old tombstoned entry should be replaced with a new one
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn, "new connection should exist")
-		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
-		require.Equal(t, TCPStateSynSent, newConn.GetState())
-
-		// SYN-ACK for the new connection should be valid
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-		require.True(t, valid, "SYN-ACK for new connection on reused port should be accepted")
-		require.Equal(t, TCPStateEstablished, newConn.GetState())
-
-		// Data transfer should work
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 100)
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 500)
-		require.True(t, valid, "data should be allowed on new connection")
-	})
-
-	t.Run("Outbound port reuse after RST", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and RST a connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst|TCPAck, 0)
-		require.True(t, valid)
-
-		conn := tracker.connections[key]
-		require.True(t, conn.IsTombstone(), "RST connection should be tombstoned")
-
-		// Reuse the same port
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn)
-		require.False(t, newConn.IsTombstone())
-		require.Equal(t, TCPStateSynSent, newConn.GetState())
-
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-		require.True(t, valid, "SYN-ACK should be accepted after RST tombstone")
-	})
-
-	t.Run("Inbound port reuse after close", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		clientIP := srcIP
-		serverIP := dstIP
-		clientPort := srcPort
-		serverPort := dstPort
-		key := ConnKey{SrcIP: clientIP, DstIP: serverIP, SrcPort: clientPort, DstPort: serverPort}
-
-		// Inbound connection: client SYN → server SYN-ACK → client ACK
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
-
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-
-		// Server-initiated close to reach Closed/tombstoned:
-		// Server FIN (opposite dir) → CloseWait
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPFin|TCPAck, 100)
-		require.Equal(t, TCPStateCloseWait, conn.GetState())
-		// Client FIN-ACK (same dir as conn) → LastAck
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPFin|TCPAck, nil, 100, 0)
-		require.Equal(t, TCPStateLastAck, conn.GetState())
-		// Server final ACK (opposite dir) → Closed → tombstoned
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
-
-		require.True(t, conn.IsTombstone())
-
-		// New inbound connection on same ports
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
-
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn)
-		require.False(t, newConn.IsTombstone())
-		require.Equal(t, TCPStateSynReceived, newConn.GetState())
-
-		// Complete handshake: server SYN-ACK, then client ACK
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
-		require.Equal(t, TCPStateEstablished, newConn.GetState())
-	})
-
-	t.Run("Late ACK on tombstoned connection is harmless", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and close via passive close (server-initiated FIN → Closed → tombstoned)
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0) // CloseWait
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)  // LastAck
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)        // Closed
-
-		conn := tracker.connections[key]
-		require.True(t, conn.IsTombstone())
-
-		// Late ACK should be rejected (tombstoned)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.False(t, valid, "late ACK on tombstoned connection should be rejected")
-
-		// Late outbound ACK should not create a new connection (not a SYN)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-		require.True(t, tracker.connections[key].IsTombstone(), "late outbound ACK should not replace tombstoned entry")
-	})
-}
-
-func TestTCPPortReuseTimeWait(t *testing.T) {
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Outbound port reuse during TIME-WAIT (active close)", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Active close: client (outbound initiator) sends FIN first
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateFinWait1, conn.GetState())
-
-		// Server ACKs the FIN
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateFinWait2, conn.GetState())
-
-		// Server sends its own FIN
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Client sends final ACK (TIME-WAIT stays, not tombstoned)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-		require.False(t, conn.IsTombstone(), "TIME-WAIT should not be tombstoned")
-
-		// New outbound SYN on the same port (port reuse during TIME-WAIT)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-		// Per RFC 1122/6191, new SYN during TIME-WAIT should start a new connection
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn, "new connection should exist")
-		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
-		require.Equal(t, TCPStateSynSent, newConn.GetState(), "new connection should be in SYN-SENT")
-
-		// SYN-ACK for new connection should be valid
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-		require.True(t, valid, "SYN-ACK for new connection should be accepted")
-		require.Equal(t, TCPStateEstablished, newConn.GetState())
-	})
-
-	t.Run("Inbound SYN during TIME-WAIT falls through to normal tracking", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish outbound connection and close via active close → TIME-WAIT
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Inbound SYN on same ports during TIME-WAIT: IsValidInbound returns false
-		// so the filter falls through to ACL check + TrackInbound (which creates
-		// a new connection via track() → updateIfExists skips TIME-WAIT for SYN)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, 0)
-		require.False(t, valid, "inbound SYN during TIME-WAIT should fail conntrack validation")
-
-		// Simulate what the filter does next: TrackInbound via the normal path
-		tracker.TrackInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, nil, 100, 0)
-
-		// The new inbound connection uses the inverted key (dst→src becomes src→dst in track)
-		invertedKey := ConnKey{SrcIP: dstIP, DstIP: srcIP, SrcPort: dstPort, DstPort: srcPort}
-		newConn := tracker.connections[invertedKey]
-		require.NotNil(t, newConn, "new inbound connection should be tracked")
-		require.Equal(t, TCPStateSynReceived, newConn.GetState())
-		require.False(t, newConn.IsTombstone())
-	})
-
-	t.Run("Late retransmit during TIME-WAIT still allowed", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and active close → TIME-WAIT
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Late ACK retransmits during TIME-WAIT should still be accepted
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid, "retransmitted ACK during TIME-WAIT should be accepted")
-	})
-}
-
 func TestTCPTimeoutHandling(t *testing.T) {
 	// Create tracker with a very short timeout for testing
 	shortTimeout := 100 * time.Millisecond
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -1,7 +1,6 @@
 package uspfilter

 import (
-	"context"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -13,13 +12,11 @@ import (
 	"strings"
 	"sync"
 	"sync/atomic"
-	"time"

 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
@@ -27,7 +24,6 @@ import (
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -93,7 +89,6 @@ type Manager struct {
 	incomingDenyRules map[netip.Addr]RuleSet
 	incomingRules     map[netip.Addr]RuleSet
 	routeRules        RouteRules
-	routeRulesMap     map[nbid.RuleID]*RouteRule
 	decoders          sync.Pool
 	wgIface           common.IFaceMapper
 	nativeFirewall    firewall.Manager
@@ -140,17 +135,6 @@ type Manager struct {
 	mtu             uint16
 	mssClampValue   uint16
 	mssClampEnabled bool
-
-	// Only one hook per protocol is supported. Outbound direction only.
-	udpHookOut atomic.Pointer[packetHook]
-	tcpHookOut atomic.Pointer[packetHook]
-}
-
-// packetHook stores a registered hook for a specific IP:port.
-type packetHook struct {
-	ip   netip.Addr
-	port uint16
-	fn   func([]byte) bool
 }

 // decoder for packages
@@ -245,7 +229,6 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		flowLogger:          flowLogger,
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
-		routeRulesMap:       make(map[nbid.RuleID]*RouteRule),
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
 		portDNATRules:       []portDNATRule{},
 		netstackServices:    make(map[serviceKey]struct{}),
@@ -497,15 +480,11 @@ func (m *Manager) addRouteFiltering(
 		return m.nativeFirewall.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 	}

-	ruleKey := nbid.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
-
-	if existingRule, ok := m.routeRulesMap[ruleKey]; ok {
-		return existingRule, nil
-	}
+	ruleID := uuid.New().String()

 	rule := RouteRule{
 		// TODO: consolidate these IDs
-		id:         string(ruleKey),
+		id:         ruleID,
 		mgmtId:     id,
 		sources:    sources,
 		dstSet:     destination.Set,
@@ -520,7 +499,6 @@ func (m *Manager) addRouteFiltering(

 	m.routeRules = append(m.routeRules, &rule)
 	m.routeRules.Sort()
-	m.routeRulesMap[ruleKey] = &rule

 	return &rule, nil
 }
@@ -537,20 +515,15 @@ func (m *Manager) deleteRouteRule(rule firewall.Rule) error {
 		return m.nativeFirewall.DeleteRouteRule(rule)
 	}

-	ruleKey := nbid.RuleID(rule.ID())
-	if _, ok := m.routeRulesMap[ruleKey]; !ok {
-		return fmt.Errorf("route rule not found: %s", ruleKey)
-	}
-
+	ruleID := rule.ID()
 	idx := slices.IndexFunc(m.routeRules, func(r *RouteRule) bool {
-		return r.id == string(ruleKey)
+		return r.id == ruleID
 	})
 	if idx < 0 {
-		return fmt.Errorf("route rule not found in slice: %s", ruleKey)
+		return fmt.Errorf("route rule not found: %s", ruleID)
 	}

 	m.routeRules = slices.Delete(m.routeRules, idx, idx+1)
-	delete(m.routeRulesMap, ruleKey)
 	return nil
 }

@@ -597,89 +570,6 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }

-// resetState clears all firewall rules and closes connection trackers.
-// Must be called with m.mutex held.
-func (m *Manager) resetState() {
-	maps.Clear(m.outgoingRules)
-	maps.Clear(m.incomingDenyRules)
-	maps.Clear(m.incomingRules)
-	maps.Clear(m.routeRulesMap)
-	m.routeRules = m.routeRules[:0]
-	m.udpHookOut.Store(nil)
-	m.tcpHookOut.Store(nil)
-
-	if m.udpTracker != nil {
-		m.udpTracker.Close()
-	}
-
-	if m.icmpTracker != nil {
-		m.icmpTracker.Close()
-	}
-
-	if m.tcpTracker != nil {
-		m.tcpTracker.Close()
-	}
-
-	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.Stop()
-	}
-
-	if m.logger != nil {
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-		defer cancel()
-		if err := m.logger.Stop(ctx); err != nil {
-			log.Errorf("failed to shutdown logger: %v", err)
-		}
-	}
-}
-
-// SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
-func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
-	if m.nativeFirewall == nil {
-		return nil
-	}
-	return m.nativeFirewall.SetupEBPFProxyNoTrack(proxyPort, wgPort)
-}
-
-// AddTProxyRule delegates to the native firewall for TPROXY rules.
-// In userspace mode (no native firewall), this is a no-op since the
-// forwarder intercepts traffic directly.
-func (m *Manager) AddTProxyRule(ruleID string, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) error {
-	if m.nativeFirewall == nil {
-		return nil
-	}
-	return m.nativeFirewall.AddTProxyRule(ruleID, sources, dstPorts, redirectPort)
-}
-
-// AddUDPInspectionHook registers a hook for QUIC/UDP inspection via the packet filter.
-func (m *Manager) AddUDPInspectionHook(dstPort uint16, hook func(packet []byte) bool) string {
-	m.SetUDPPacketHook(netip.Addr{}, dstPort, hook)
-	return "udp-inspection"
-}
-
-// RemoveUDPInspectionHook removes a previously registered inspection hook.
-func (m *Manager) RemoveUDPInspectionHook(_ string) {
-	m.SetUDPPacketHook(netip.Addr{}, 0, nil)
-}
-
-// RemoveTProxyRule delegates to the native firewall for TPROXY rules.
-func (m *Manager) RemoveTProxyRule(ruleID string) error {
-	if m.nativeFirewall == nil {
-		return nil
-	}
-	return m.nativeFirewall.RemoveTProxyRule(ruleID)
-}
-
-// IsLocalIP reports whether the given IP belongs to the local machine.
-func (m *Manager) IsLocalIP(ip netip.Addr) bool {
-	return m.localipmanager.IsLocalIP(ip)
-}
-
-// GetForwarder returns the userspace packet forwarder, or nil if not initialized.
-func (m *Manager) GetForwarder() *forwarder.Forwarder {
-	return m.forwarder.Load()
-}
-
 // UpdateSet updates the rule destinations associated with the given set
 // by merging the existing prefixes with the new ones, then deduplicating.
 func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
@@ -765,9 +655,6 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 			return true
 		}
 	case layers.LayerTypeTCP:
-		if m.tcpHooksDrop(uint16(d.tcp.DstPort), dstIP, packetData) {
-			return true
-		}
 		// Clamp MSS on all TCP SYN packets, including those from local IPs.
 		// SNATed routed traffic may appear as local IP but still requires clamping.
 		if m.mssClampEnabled {
@@ -950,21 +837,38 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 	d.dnatOrigPort = 0
 }

+// udpHooksDrop checks if any UDP hooks should drop the packet
 func (m *Manager) udpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	return hookMatches(m.udpHookOut.Load(), dstIP, dport, packetData)
-}
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()

-func (m *Manager) tcpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	return hookMatches(m.tcpHookOut.Load(), dstIP, dport, packetData)
-}
+	// Check specific destination IP first
+	if rules, exists := m.outgoingRules[dstIP]; exists {
+		for _, rule := range rules {
+			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
+				return rule.udpHook(packetData)
+			}
+		}
+	}

-func hookMatches(h *packetHook, dstIP netip.Addr, dport uint16, packetData []byte) bool {
-	if h == nil {
-		return false
+	// Check IPv4 unspecified address
+	if rules, exists := m.outgoingRules[netip.IPv4Unspecified()]; exists {
+		for _, rule := range rules {
+			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
+				return rule.udpHook(packetData)
+			}
+		}
 	}
-	if h.ip == dstIP && h.port == dport {
-		return h.fn(packetData)
+
+	// Check IPv6 unspecified address
+	if rules, exists := m.outgoingRules[netip.IPv6Unspecified()]; exists {
+		for _, rule := range rules {
+			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
+				return rule.udpHook(packetData)
+			}
+		}
 	}
+
 	return false
 }

@@ -1316,6 +1220,12 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 				return rule.mgmtId, rule.drop, true
 			}
 		case layers.LayerTypeUDP:
+			// if rule has UDP hook (and if we are here we match this rule)
+			// we ignore rule.drop and call this hook
+			if rule.udpHook != nil {
+				return rule.mgmtId, rule.udpHook(packetData), true
+			}
+
 			if portsMatch(rule.sPort, uint16(d.udp.SrcPort)) && portsMatch(rule.dPort, uint16(d.udp.DstPort)) {
 				return rule.mgmtId, rule.drop, true
 			}
@@ -1374,30 +1284,65 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 	return sourceMatched
 }

-// SetUDPPacketHook sets the outbound UDP packet hook. Pass nil hook to remove.
-func (m *Manager) SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
-	if hook == nil {
-		m.udpHookOut.Store(nil)
-		return
+// AddUDPPacketHook calls hook when UDP packet from given direction matched
+//
+// Hook function returns flag which indicates should be the matched package dropped or not
+func (m *Manager) AddUDPPacketHook(in bool, ip netip.Addr, dPort uint16, hook func(packet []byte) bool) string {
+	r := PeerRule{
+		id:         uuid.New().String(),
+		ip:         ip,
+		protoLayer: layers.LayerTypeUDP,
+		dPort:      &firewall.Port{Values: []uint16{dPort}},
+		ipLayer:    layers.LayerTypeIPv6,
+		udpHook:    hook,
 	}
-	m.udpHookOut.Store(&packetHook{
-		ip:   ip,
-		port: dPort,
-		fn:   hook,
-	})
+
+	if ip.Is4() {
+		r.ipLayer = layers.LayerTypeIPv4
+	}
+
+	m.mutex.Lock()
+	if in {
+		// Incoming UDP hooks are stored in allow rules map
+		if _, ok := m.incomingRules[r.ip]; !ok {
+			m.incomingRules[r.ip] = make(map[string]PeerRule)
+		}
+		m.incomingRules[r.ip][r.id] = r
+	} else {
+		if _, ok := m.outgoingRules[r.ip]; !ok {
+			m.outgoingRules[r.ip] = make(map[string]PeerRule)
+		}
+		m.outgoingRules[r.ip][r.id] = r
+	}
+	m.mutex.Unlock()
+
+	return r.id
 }

-// SetTCPPacketHook sets the outbound TCP packet hook. Pass nil hook to remove.
-func (m *Manager) SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
-	if hook == nil {
-		m.tcpHookOut.Store(nil)
-		return
+// RemovePacketHook removes packet hook by given ID
+func (m *Manager) RemovePacketHook(hookID string) error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	// Check incoming hooks (stored in allow rules)
+	for _, arr := range m.incomingRules {
+		for _, r := range arr {
+			if r.id == hookID {
+				delete(arr, r.id)
+				return nil
+			}
+		}
 	}
-	m.tcpHookOut.Store(&packetHook{
-		ip:   ip,
-		port: dPort,
-		fn:   hook,
-	})
+	// Check outgoing hooks
+	for _, arr := range m.outgoingRules {
+		for _, r := range arr {
+			if r.id == hookID {
+				delete(arr, r.id)
+				return nil
+			}
+		}
+	}
+	return fmt.Errorf("hook with given id not found")
 }

 // SetLogLevel sets the log level for the firewall manager
--- a/client/firewall/uspfilter/filter_routeacl_test.go
+++ b/client/firewall/uspfilter/filter_routeacl_test.go
@@ -1,376 +0,0 @@
-package uspfilter
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/google/gopacket/layers"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	wgdevice "golang.zx2c4.com/wireguard/device"
-
-	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/mocks"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-// TestAddRouteFilteringReturnsExistingRule verifies that adding the same route
-// filtering rule twice returns the same rule ID (idempotent behavior).
-func TestAddRouteFilteringReturnsExistingRule(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{
-		netip.MustParsePrefix("100.64.1.0/24"),
-		netip.MustParsePrefix("100.64.2.0/24"),
-	}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	// Add rule first time
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule1)
-
-	// Add the same rule again
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule2)
-
-	// These should be the same (idempotent) like nftables/iptables implementations
-	assert.Equal(t, rule1.ID(), rule2.ID(),
-		"Adding the same rule twice should return the same rule ID (idempotent)")
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 2, ruleCount,
-		"Should have exactly 2 rules (1 user rule + 1 block rule)")
-}
-
-// TestAddRouteFilteringDifferentRulesGetDifferentIDs verifies that rules with
-// different parameters get distinct IDs.
-func TestAddRouteFilteringDifferentRulesGetDifferentIDs(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-
-	// Add first rule
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	// Add different rule (different destination)
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-2"),
-		sources,
-		fw.Network{Prefix: netip.MustParsePrefix("192.168.2.0/24")}, // Different!
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	assert.NotEqual(t, rule1.ID(), rule2.ID(),
-		"Different rules should have different IDs")
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 3, ruleCount, "Should have 3 rules (2 user rules + 1 block rule)")
-}
-
-// TestRouteRuleUpdateDoesNotCauseGap verifies that re-adding the same route
-// rule during a network map update does not disrupt existing traffic.
-func TestRouteRuleUpdateDoesNotCauseGap(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	srcIP := netip.MustParseAddr("100.64.1.5")
-	dstIP := netip.MustParseAddr("192.168.1.10")
-	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
-	require.True(t, pass, "Traffic should pass with rule in place")
-
-	// Re-add same rule (simulates network map update)
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	// Idempotent IDs mean rule1.ID() == rule2.ID(), so the ACL manager
-	// won't delete rule1 during cleanup. If IDs differed, deleting rule1
-	// would remove the only matching rule and cause a traffic gap.
-	if rule1.ID() != rule2.ID() {
-		err = manager.DeleteRouteRule(rule1)
-		require.NoError(t, err)
-	}
-
-	_, passAfter := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
-	assert.True(t, passAfter,
-		"Traffic should still pass after rule update - no gap should occur")
-}
-
-// TestBlockInvalidRoutedIdempotent verifies that blockInvalidRouted creates
-// exactly one drop rule for the WireGuard network prefix, and calling it again
-// returns the same rule without duplicating.
-func TestBlockInvalidRoutedIdempotent(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	dev := mocks.NewMockDevice(ctrl)
-	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
-
-	wgNet := netip.MustParsePrefix("100.64.0.1/16")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      wgNet.Addr(),
-				Network: wgNet,
-			}
-		},
-		GetDeviceFunc: func() *device.FilteredDevice {
-			return &device.FilteredDevice{Device: dev}
-		},
-		GetWGDeviceFunc: func() *wgdevice.Device {
-			return &wgdevice.Device{}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	// Call blockInvalidRouted directly multiple times
-	rule1, err := manager.blockInvalidRouted(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, rule1)
-
-	rule2, err := manager.blockInvalidRouted(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, rule2)
-
-	rule3, err := manager.blockInvalidRouted(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, rule3)
-
-	// All should return the same rule
-	assert.Equal(t, rule1.ID(), rule2.ID(), "Second call should return same rule")
-	assert.Equal(t, rule2.ID(), rule3.ID(), "Third call should return same rule")
-
-	// Should have exactly 1 route rule
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 1, ruleCount, "Should have exactly 1 block rule after 3 calls")
-
-	// Verify the rule blocks traffic to the WG network
-	srcIP := netip.MustParseAddr("10.0.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.50")
-	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 80)
-	assert.False(t, pass, "Block rule should deny traffic to WG prefix")
-}
-
-// TestBlockRuleNotAccumulatedOnRepeatedEnableRouting verifies that calling
-// EnableRouting multiple times (as happens on each route update) does not
-// accumulate duplicate block rules in the routeRules slice.
-func TestBlockRuleNotAccumulatedOnRepeatedEnableRouting(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	dev := mocks.NewMockDevice(ctrl)
-	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
-
-	wgNet := netip.MustParsePrefix("100.64.0.1/16")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      wgNet.Addr(),
-				Network: wgNet,
-			}
-		},
-		GetDeviceFunc: func() *device.FilteredDevice {
-			return &device.FilteredDevice{Device: dev}
-		},
-		GetWGDeviceFunc: func() *wgdevice.Device {
-			return &wgdevice.Device{}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	// Call EnableRouting multiple times (simulating repeated route updates)
-	for i := 0; i < 5; i++ {
-		require.NoError(t, manager.EnableRouting())
-	}
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 1, ruleCount,
-		"Repeated EnableRouting should not accumulate block rules")
-}
-
-// TestRouteRuleCountStableAcrossUpdates verifies that adding the same route
-// rule multiple times does not create duplicate entries.
-func TestRouteRuleCountStableAcrossUpdates(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	// Simulate 5 network map updates with the same route rule
-	for i := 0; i < 5; i++ {
-		rule, err := manager.AddRouteFiltering(
-			[]byte("policy-1"),
-			sources,
-			destination,
-			fw.ProtocolTCP,
-			nil,
-			&fw.Port{Values: []uint16{443}},
-			fw.ActionAccept,
-		)
-		require.NoError(t, err)
-		require.NotNil(t, rule)
-	}
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 2, ruleCount,
-		"Should have exactly 2 rules (1 user rule + 1 block rule) after 5 updates")
-}
-
-// TestDeleteRouteRuleAfterIdempotentAdd verifies that deleting a route rule
-// after adding it multiple times works correctly.
-func TestDeleteRouteRuleAfterIdempotentAdd(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	// Add same rule twice
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	require.Equal(t, rule1.ID(), rule2.ID(), "Should return same rule ID")
-
-	// Delete using first reference
-	err = manager.DeleteRouteRule(rule1)
-	require.NoError(t, err)
-
-	// Verify traffic no longer passes
-	srcIP := netip.MustParseAddr("100.64.1.5")
-	dstIP := netip.MustParseAddr("192.168.1.10")
-	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
-	assert.False(t, pass, "Traffic should not pass after rule deletion")
-}
-
-func setupTestManager(t *testing.T) *Manager {
-	t.Helper()
-
-	ctrl := gomock.NewController(t)
-	dev := mocks.NewMockDevice(ctrl)
-	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
-
-	wgNet := netip.MustParsePrefix("100.64.0.1/16")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      wgNet.Addr(),
-				Network: wgNet,
-			}
-		},
-		GetDeviceFunc: func() *device.FilteredDevice {
-			return &device.FilteredDevice{Device: dev}
-		},
-		GetWGDeviceFunc: func() *wgdevice.Device {
-			return &wgdevice.Device{}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, manager.EnableRouting())
-
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	return manager
-}
--- a/client/firewall/uspfilter/filter_test.go
+++ b/client/firewall/uspfilter/filter_test.go
@@ -12,7 +12,6 @@ import (
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	wgdevice "golang.zx2c4.com/wireguard/device"

@@ -187,204 +186,81 @@ func TestManagerDeleteRule(t *testing.T) {
 	}
 }

-func TestSetUDPPacketHook(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
-
-	var called bool
-	manager.SetUDPPacketHook(netip.MustParseAddr("10.168.0.1"), 8000, func([]byte) bool {
-		called = true
-		return true
-	})
-
-	h := manager.udpHookOut.Load()
-	require.NotNil(t, h)
-	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.ip)
-	assert.Equal(t, uint16(8000), h.port)
-	assert.True(t, h.fn(nil))
-	assert.True(t, called)
-
-	manager.SetUDPPacketHook(netip.MustParseAddr("10.168.0.1"), 8000, nil)
-	assert.Nil(t, manager.udpHookOut.Load())
-}
-
-func TestSetTCPPacketHook(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
-
-	var called bool
-	manager.SetTCPPacketHook(netip.MustParseAddr("10.168.0.1"), 53, func([]byte) bool {
-		called = true
-		return true
-	})
-
-	h := manager.tcpHookOut.Load()
-	require.NotNil(t, h)
-	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.ip)
-	assert.Equal(t, uint16(53), h.port)
-	assert.True(t, h.fn(nil))
-	assert.True(t, called)
-
-	manager.SetTCPPacketHook(netip.MustParseAddr("10.168.0.1"), 53, nil)
-	assert.Nil(t, manager.tcpHookOut.Load())
-}
-
-// TestPeerRuleLifecycleDenyRules verifies that deny rules are correctly added
-// to the deny map and can be cleanly deleted without leaving orphans.
-func TestPeerRuleLifecycleDenyRules(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
+func TestAddUDPPacketHook(t *testing.T) {
+	tests := []struct {
+		name       string
+		in         bool
+		expDir     fw.RuleDirection
+		ip         netip.Addr
+		dPort      uint16
+		hook       func([]byte) bool
+		expectedID string
+	}{
+		{
+			name:   "Test Outgoing UDP Packet Hook",
+			in:     false,
+			expDir: fw.RuleDirectionOUT,
+			ip:     netip.MustParseAddr("10.168.0.1"),
+			dPort:  8000,
+			hook:   func([]byte) bool { return true },
+		},
+		{
+			name:   "Test Incoming UDP Packet Hook",
+			in:     true,
+			expDir: fw.RuleDirectionIN,
+			ip:     netip.MustParseAddr("::1"),
+			dPort:  9000,
+			hook:   func([]byte) bool { return false },
+		},
 	}

-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, m.Close(nil))
-	}()
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger, nbiface.DefaultMTU)
+			require.NoError(t, err)

-	ip := net.ParseIP("192.168.1.1")
-	addr := netip.MustParseAddr("192.168.1.1")
+			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)

-	// Add multiple deny rules for different ports
-	rule1, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-	require.NoError(t, err)
+			var addedRule PeerRule
+			if tt.in {
+				// Incoming UDP hooks are stored in allow rules map
+				if len(manager.incomingRules[tt.ip]) != 1 {
+					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules[tt.ip]))
+					return
+				}
+				for _, rule := range manager.incomingRules[tt.ip] {
+					addedRule = rule
+				}
+			} else {
+				if len(manager.outgoingRules[tt.ip]) != 1 {
+					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules[tt.ip]))
+					return
+				}
+				for _, rule := range manager.outgoingRules[tt.ip] {
+					addedRule = rule
+				}
+			}

-	rule2, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{80}}, fw.ActionDrop, "")
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	denyCount := len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-	require.Equal(t, 2, denyCount, "Should have exactly 2 deny rules")
-
-	// Delete the first deny rule
-	err = m.DeletePeerRule(rule1[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	denyCount = len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-	require.Equal(t, 1, denyCount, "Should have 1 deny rule after deleting first")
-
-	// Delete the second deny rule
-	err = m.DeletePeerRule(rule2[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	_, exists := m.incomingDenyRules[addr]
-	m.mutex.RUnlock()
-	require.False(t, exists, "Deny rules IP entry should be cleaned up when empty")
-}
-
-// TestPeerRuleAddAndDeleteDontLeak verifies that repeatedly adding and deleting
-// peer rules (simulating network map updates) does not leak rules in the maps.
-func TestPeerRuleAddAndDeleteDontLeak(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
+			if tt.ip.Compare(addedRule.ip) != 0 {
+				t.Errorf("expected ip %s, got %s", tt.ip, addedRule.ip)
+				return
+			}
+			if tt.dPort != addedRule.dPort.Values[0] {
+				t.Errorf("expected dPort %d, got %d", tt.dPort, addedRule.dPort.Values[0])
+				return
+			}
+			if layers.LayerTypeUDP != addedRule.protoLayer {
+				t.Errorf("expected protoLayer %s, got %s", layers.LayerTypeUDP, addedRule.protoLayer)
+				return
+			}
+			if addedRule.udpHook == nil {
+				t.Errorf("expected udpHook to be set")
+				return
+			}
+		})
 	}
-
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, m.Close(nil))
-	}()
-
-	ip := net.ParseIP("192.168.1.1")
-	addr := netip.MustParseAddr("192.168.1.1")
-
-	// Simulate 10 network map updates: add rule, delete old, add new
-	for i := 0; i < 10; i++ {
-		// Add a deny rule
-		rules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-			&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-		require.NoError(t, err)
-
-		// Add an allow rule
-		allowRules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-			&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
-		require.NoError(t, err)
-
-		// Delete them (simulating ACL manager cleanup)
-		for _, r := range rules {
-			require.NoError(t, m.DeletePeerRule(r))
-		}
-		for _, r := range allowRules {
-			require.NoError(t, m.DeletePeerRule(r))
-		}
-	}
-
-	m.mutex.RLock()
-	denyCount := len(m.incomingDenyRules[addr])
-	allowCount := len(m.incomingRules[addr])
-	m.mutex.RUnlock()
-
-	require.Equal(t, 0, denyCount, "No deny rules should remain after cleanup")
-	require.Equal(t, 0, allowCount, "No allow rules should remain after cleanup")
-}
-
-// TestMixedAllowDenyRulesSameIP verifies that allow and deny rules for the same
-// IP are stored in separate maps and don't interfere with each other.
-func TestMixedAllowDenyRulesSameIP(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, m.Close(nil))
-	}()
-
-	ip := net.ParseIP("192.168.1.1")
-
-	// Add allow rule for port 80
-	allowRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
-	require.NoError(t, err)
-
-	// Add deny rule for port 22
-	denyRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-	require.NoError(t, err)
-
-	addr := netip.MustParseAddr("192.168.1.1")
-	m.mutex.RLock()
-	allowCount := len(m.incomingRules[addr])
-	denyCount := len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-
-	require.Equal(t, 1, allowCount, "Should have 1 allow rule")
-	require.Equal(t, 1, denyCount, "Should have 1 deny rule")
-
-	// Delete allow rule should not affect deny rule
-	err = m.DeletePeerRule(allowRule[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	denyCountAfter := len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-
-	require.Equal(t, 1, denyCountAfter, "Deny rule should still exist after deleting allow rule")
-
-	// Delete deny rule
-	err = m.DeletePeerRule(denyRule[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	_, denyExists := m.incomingDenyRules[addr]
-	_, allowExists := m.incomingRules[addr]
-	m.mutex.RUnlock()
-
-	require.False(t, denyExists, "Deny rules should be empty")
-	require.False(t, allowExists, "Allow rules should be empty")
 }

 func TestManagerReset(t *testing.T) {
@@ -502,12 +378,39 @@ func TestRemovePacketHook(t *testing.T) {
 		require.NoError(t, manager.Close(nil))
 	}()

-	manager.SetUDPPacketHook(netip.MustParseAddr("192.168.0.1"), 8080, func([]byte) bool { return true })
+	// Add a UDP packet hook
+	hookFunc := func(data []byte) bool { return true }
+	hookID := manager.AddUDPPacketHook(false, netip.MustParseAddr("192.168.0.1"), 8080, hookFunc)

-	require.NotNil(t, manager.udpHookOut.Load(), "hook should be registered")
+	// Assert the hook is added by finding it in the manager's outgoing rules
+	found := false
+	for _, arr := range manager.outgoingRules {
+		for _, rule := range arr {
+			if rule.id == hookID {
+				found = true
+				break
+			}
+		}
+	}

-	manager.SetUDPPacketHook(netip.MustParseAddr("192.168.0.1"), 8080, nil)
-	assert.Nil(t, manager.udpHookOut.Load(), "hook should be removed")
+	if !found {
+		t.Fatalf("The hook was not added properly.")
+	}
+
+	// Now remove the packet hook
+	err = manager.RemovePacketHook(hookID)
+	if err != nil {
+		t.Fatalf("Failed to remove hook: %s", err)
+	}
+
+	// Assert the hook is removed by checking it in the manager's outgoing rules
+	for _, arr := range manager.outgoingRules {
+		for _, rule := range arr {
+			if rule.id == hookID {
+				t.Fatalf("The hook was not removed properly.")
+			}
+		}
+	}
 }

 func TestProcessOutgoingHooks(t *testing.T) {
@@ -537,7 +440,8 @@ func TestProcessOutgoingHooks(t *testing.T) {
 	}

 	hookCalled := false
-	manager.SetUDPPacketHook(
+	hookID := manager.AddUDPPacketHook(
+		false,
 		netip.MustParseAddr("100.10.0.100"),
 		53,
 		func([]byte) bool {
@@ -545,6 +449,7 @@ func TestProcessOutgoingHooks(t *testing.T) {
 			return true
 		},
 	)
+	require.NotEmpty(t, hookID)

 	// Create test UDP packet
 	ipv4 := &layers.IPv4{
--- a/client/firewall/uspfilter/forwarder/forwarder.go
+++ b/client/firewall/uspfilter/forwarder/forwarder.go
@@ -7,7 +7,6 @@ import (
 	"net/netip"
 	"runtime"
 	"sync"
-	"sync/atomic"
 	"time"

 	log "github.com/sirupsen/logrus"
@@ -22,7 +21,6 @@ import (

 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
-	"github.com/netbirdio/netbird/client/inspect"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )
@@ -48,10 +46,6 @@ type Forwarder struct {
 	netstack         bool
 	hasRawICMPAccess bool
 	pingSemaphore    chan struct{}
-	// proxy is the optional inspection engine.
-	// When set, TCP connections are handed to the engine for protocol detection
-	// and rule evaluation. Swapped atomically for lock-free hot-path access.
-	proxy atomic.Pointer[inspect.Proxy]
 }

 func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
@@ -85,7 +79,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	}

 	if err := s.AddProtocolAddress(nicID, protoAddr, stack.AddressProperties{}); err != nil {
-		return nil, fmt.Errorf("add protocol address: %s", err)
+		return nil, fmt.Errorf("failed to add protocol address: %s", err)
 	}

 	defaultSubnet, err := tcpip.NewSubnet(
@@ -161,13 +155,6 @@ func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
 	return nil
 }

-// SetProxy sets the inspection engine. When set, TCP connections are handed
-// to it for protocol detection and rule evaluation instead of direct relay.
-// Pass nil to disable inspection.
-func (f *Forwarder) SetProxy(p *inspect.Proxy) {
-	f.proxy.Store(p)
-}
-
 // Stop gracefully shuts down the forwarder
 func (f *Forwarder) Stop() {
 	f.cancel()
@@ -180,25 +167,6 @@ func (f *Forwarder) Stop() {
 	f.stack.Wait()
 }

-// CheckUDPPacket inspects a UDP payload against proxy rules before injection.
-// This is called by the filter for QUIC SNI-based blocking.
-// Returns true if the packet should be allowed, false if it should be dropped.
-func (f *Forwarder) CheckUDPPacket(payload []byte, srcIP, dstIP netip.Addr, srcPort, dstPort uint16, ruleID []byte) bool {
-	p := f.proxy.Load()
-	if p == nil {
-		return true
-	}
-
-	dst := netip.AddrPortFrom(dstIP, dstPort)
-	src := inspect.SourceInfo{
-		IP:       srcIP,
-		PolicyID: inspect.PolicyID(ruleID),
-	}
-
-	action := p.HandleUDPPacket(payload, dst, src)
-	return action != inspect.ActionBlock
-}
-
 func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
 	if f.netstack && f.ip.Equal(addr) {
 		return net.IPv4(127, 0, 0, 1)
--- a/client/firewall/uspfilter/forwarder/tcp.go
+++ b/client/firewall/uspfilter/forwarder/tcp.go
@@ -16,7 +16,6 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
 	"gvisor.dev/gvisor/pkg/waiter"

-	"github.com/netbirdio/netbird/client/inspect"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )

@@ -24,86 +23,6 @@ import (
 func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 	id := r.ID()

-	// If the inspection engine is configured, accept the connection first and hand it off.
-	if p := f.proxy.Load(); p != nil {
-		f.handleTCPWithInspection(r, id, p)
-		return
-	}
-
-	f.handleTCPDirect(r, id)
-}
-
-// handleTCPWithInspection accepts the connection and hands it to the inspection
-// engine. For allow decisions, the forwarder does its own relay (passthrough).
-// For block/inspect, the engine handles everything internally.
-func (f *Forwarder) handleTCPWithInspection(r *tcp.ForwarderRequest, id stack.TransportEndpointID, p *inspect.Proxy) {
-	flowID := uuid.New()
-	f.sendTCPEvent(nftypes.TypeStart, flowID, id, 0, 0, 0, 0)
-
-	wq := waiter.Queue{}
-	ep, epErr := r.CreateEndpoint(&wq)
-	if epErr != nil {
-		f.logger.Error1("forwarder: create TCP endpoint for inspection: %v", epErr)
-		r.Complete(true)
-		f.sendTCPEvent(nftypes.TypeEnd, flowID, id, 0, 0, 0, 0)
-		return
-	}
-	r.Complete(false)
-
-	inConn := gonet.NewTCPConn(&wq, ep)
-
-	srcIP := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIP := netip.AddrFrom4(id.LocalAddress.As4())
-	dst := netip.AddrPortFrom(dstIP, id.LocalPort)
-
-	var policyID []byte
-	if ruleID, ok := f.getRuleID(srcIP, dstIP, id.RemotePort, id.LocalPort); ok {
-		policyID = ruleID
-	}
-
-	src := inspect.SourceInfo{
-		IP:       srcIP,
-		PolicyID: inspect.PolicyID(policyID),
-	}
-
-	f.logger.Trace1("forwarder: handing TCP %v to inspection engine", epID(id))
-
-	go func() {
-		result, err := p.InspectTCP(f.ctx, inConn, dst, src)
-		if err != nil && err != inspect.ErrBlocked {
-			f.logger.Debug2("forwarder: inspection error for %v: %v", epID(id), err)
-		}
-
-		// Passthrough: engine returned allow, forwarder does the relay.
-		if result.PassthroughConn != nil {
-			dialAddr := fmt.Sprintf("%s:%d", f.determineDialAddr(id.LocalAddress), id.LocalPort)
-			outConn, dialErr := (&net.Dialer{}).DialContext(f.ctx, "tcp", dialAddr)
-			if dialErr != nil {
-				f.logger.Trace2("forwarder: passthrough dial error for %v: %v", epID(id), dialErr)
-				if closeErr := result.PassthroughConn.Close(); closeErr != nil {
-					f.logger.Debug1("forwarder: close passthrough conn: %v", closeErr)
-				}
-				ep.Close()
-				f.sendTCPEvent(nftypes.TypeEnd, flowID, id, 0, 0, 0, 0)
-				return
-			}
-			f.proxyTCPPassthrough(id, result.PassthroughConn, outConn, ep, flowID)
-			return
-		}
-
-		// Engine handled it (block/inspect/HTTP). Capture stats and clean up.
-		var rxPackets, txPackets uint64
-		if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
-			rxPackets = tcpStats.SegmentsSent.Value()
-			txPackets = tcpStats.SegmentsReceived.Value()
-		}
-		ep.Close()
-		f.sendTCPEvent(nftypes.TypeEnd, flowID, id, 0, 0, rxPackets, txPackets)
-	}()
-}
-
-// handleTCPDirect handles TCP connections with direct relay (no proxy).
-func (f *Forwarder) handleTCPDirect(r *tcp.ForwarderRequest, id stack.TransportEndpointID) {
 	flowID := uuid.New()

 	f.sendTCPEvent(nftypes.TypeStart, flowID, id, 0, 0, 0, 0)
@@ -123,6 +42,7 @@ func (f *Forwarder) handleTCPDirect(r *tcp.ForwarderRequest, id stack.TransportE
 		return
 	}

+	// Create wait queue for blocking syscalls
 	wq := waiter.Queue{}

 	ep, epErr := r.CreateEndpoint(&wq)
@@ -135,6 +55,7 @@ func (f *Forwarder) handleTCPDirect(r *tcp.ForwarderRequest, id stack.TransportE
 		return
 	}

+	// Complete the handshake
 	r.Complete(false)

 	inConn := gonet.NewTCPConn(&wq, ep)
@@ -152,6 +73,7 @@ func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn

 	go func() {
 		<-ctx.Done()
+		// Close connections and endpoint.
 		if err := inConn.Close(); err != nil && !isClosedError(err) {
 			f.logger.Debug1("forwarder: inConn close error: %v", err)
 		}
@@ -210,66 +132,6 @@ func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn
 	f.sendTCPEvent(nftypes.TypeEnd, flowID, id, uint64(bytesFromOutToIn), uint64(bytesFromInToOut), rxPackets, txPackets)
 }

-// proxyTCPPassthrough relays traffic between a peeked inbound connection
-// (from the inspection engine passthrough) and the outbound connection.
-// It accepts net.Conn for inConn since the inspection engine wraps it in a peekConn.
-func (f *Forwarder) proxyTCPPassthrough(id stack.TransportEndpointID, inConn net.Conn, outConn net.Conn, ep tcpip.Endpoint, flowID uuid.UUID) {
-	ctx, cancel := context.WithCancel(f.ctx)
-	defer cancel()
-
-	go func() {
-		<-ctx.Done()
-		if err := inConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug1("forwarder: passthrough inConn close: %v", err)
-		}
-		if err := outConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug1("forwarder: passthrough outConn close: %v", err)
-		}
-		ep.Close()
-	}()
-
-	var wg sync.WaitGroup
-	wg.Add(2)
-
-	var (
-		bytesIn  int64
-		bytesOut int64
-		errIn    error
-		errOut   error
-	)
-
-	go func() {
-		bytesIn, errIn = io.Copy(outConn, inConn)
-		cancel()
-		wg.Done()
-	}()
-
-	go func() {
-		bytesOut, errOut = io.Copy(inConn, outConn)
-		cancel()
-		wg.Done()
-	}()
-
-	wg.Wait()
-
-	if errIn != nil && !isClosedError(errIn) {
-		f.logger.Error2("proxyTCPPassthrough: copy error (in→out) for %s: %v", epID(id), errIn)
-	}
-	if errOut != nil && !isClosedError(errOut) {
-		f.logger.Error2("proxyTCPPassthrough: copy error (out→in) for %s: %v", epID(id), errOut)
-	}
-
-	var rxPackets, txPackets uint64
-	if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
-		rxPackets = tcpStats.SegmentsSent.Value()
-		txPackets = tcpStats.SegmentsReceived.Value()
-	}
-
-	f.logger.Trace5("forwarder: passthrough TCP %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, bytesOut, txPackets, bytesIn)
-
-	f.sendTCPEvent(nftypes.TypeEnd, flowID, id, uint64(bytesOut), uint64(bytesIn), rxPackets, txPackets)
-}
-
 func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
 	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
 	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
--- a/client/firewall/uspfilter/localip.go
+++ b/client/firewall/uspfilter/localip.go
@@ -144,8 +144,6 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	if err != nil {
 		log.Warnf("failed to get interfaces: %v", err)
 	} else {
-		// TODO: filter out down interfaces (net.FlagUp). Also handle the reverse
-		// case where an interface comes up between refreshes.
 		for _, intf := range interfaces {
 			m.processInterface(intf, &newIPv4Bitmap, ipv4Set, &ipv4Addresses)
 		}
--- a/client/firewall/uspfilter/log/log.go
+++ b/client/firewall/uspfilter/log/log.go
@@ -5,8 +5,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"os"
-	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -18,18 +16,9 @@ const (
 	maxBatchSize         = 1024 * 16
 	maxMessageSize       = 1024 * 2
 	defaultFlushInterval = 2 * time.Second
-	defaultLogChanSize   = 1000
+	logChannelSize       = 1000
 )

-func getLogChannelSize() int {
-	if v := os.Getenv("NB_USPFILTER_LOG_BUFFER"); v != "" {
-		if n, err := strconv.Atoi(v); err == nil && n > 0 {
-			return n
-		}
-	}
-	return defaultLogChanSize
-}
-
 type Level uint32

 const (
@@ -80,7 +69,7 @@ type Logger struct {
 func NewFromLogrus(logrusLogger *log.Logger) *Logger {
 	l := &Logger{
 		output:     logrusLogger.Out,
-		msgChannel: make(chan logMessage, getLogChannelSize()),
+		msgChannel: make(chan logMessage, logChannelSize),
 		shutdown:   make(chan struct{}),
 		bufPool: sync.Pool{
 			New: func() any {
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -358,9 +358,9 @@ func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	// Fast path for IPv4 addresses (4 bytes) - most common case
 	if len(oldBytes) == 4 && len(newBytes) == 4 {
 		sum += uint32(^binary.BigEndian.Uint16(oldBytes[0:2]))
-		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4]))
 		sum += uint32(binary.BigEndian.Uint16(newBytes[0:2]))
-		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4]))
 	} else {
 		// Fallback for other lengths
 		for i := 0; i < len(oldBytes)-1; i += 2 {
@@ -421,7 +421,6 @@ func (m *Manager) addPortRedirection(targetIP netip.Addr, protocol gopacket.Laye
 }

 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-// TODO: also delegate to nativeFirewall when available for kernel WG mode
 func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	var layerType gopacket.LayerType
 	switch protocol {
@@ -467,22 +466,6 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	return m.removePortRedirection(localAddr, layerType, sourcePort, targetPort)
 }

-// AddOutputDNAT delegates to the native firewall if available.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	if m.nativeFirewall == nil {
-		return fmt.Errorf("output DNAT not supported without native firewall")
-	}
-	return m.nativeFirewall.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveOutputDNAT delegates to the native firewall if available.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	if m.nativeFirewall == nil {
-		return nil
-	}
-	return m.nativeFirewall.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
 // translateInboundPortDNAT applies port-specific DNAT translation to inbound packets.
 func (m *Manager) translateInboundPortDNAT(packetData []byte, d *decoder, srcIP, dstIP netip.Addr) bool {
 	if !m.portDNATEnabled.Load() {
--- a/client/firewall/uspfilter/rule.go
+++ b/client/firewall/uspfilter/rule.go
@@ -18,7 +18,9 @@ type PeerRule struct {
 	protoLayer gopacket.LayerType
 	sPort      *firewall.Port
 	dPort      *firewall.Port
-	drop bool
+	drop       bool
+
+	udpHook func([]byte) bool
 }

 // ID returns the rule id
--- a/client/firewall/uspfilter/tracer_test.go
+++ b/client/firewall/uspfilter/tracer_test.go
@@ -399,17 +399,21 @@ func TestTracePacket(t *testing.T) {
 		{
 			name: "UDPTraffic_WithHook",
 			setup: func(m *Manager) {
-				m.SetUDPPacketHook(netip.MustParseAddr("100.10.255.254"), 53, func([]byte) bool {
-					return true // drop (intercepted by hook)
-				})
+				hookFunc := func([]byte) bool {
+					return true
+				}
+				m.AddUDPPacketHook(true, netip.MustParseAddr("1.1.1.1"), 53, hookFunc)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("100.10.0.100", "100.10.255.254", "udp", 12345, 53, fw.RuleDirectionOUT)
+				return createPacketBuilder("1.1.1.1", "100.10.0.100", "udp", 12345, 53, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageOutbound1to1NAT,
-				StageOutboundPortReverse,
+				StageInboundPortDNAT,
+				StageInbound1to1NAT,
+				StageConntrack,
+				StageRouting,
+				StagePeerACL,
 				StageCompleted,
 			},
 			expectedAllow: false,
--- a/client/grpc/dialer.go
+++ b/client/grpc/dialer.go
@@ -28,7 +28,7 @@ func Backoff(ctx context.Context) backoff.BackOff {

 // CreateConnection creates a gRPC client connection with the appropriate transport options.
 // The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
-func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string, extraOpts ...grpc.DialOption) (*grpc.ClientConn, error) {
+func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string) (*grpc.ClientConn, error) {
 	transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
 	// for js, the outer websocket layer takes care of tls
 	if tlsEnabled && runtime.GOOS != "js" {
@@ -46,7 +46,9 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 	connCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()

-	opts := []grpc.DialOption{
+	conn, err := grpc.DialContext(
+		connCtx,
+		addr,
 		transportOption,
 		WithCustomDialer(tlsEnabled, component),
 		grpc.WithBlock(),
@@ -54,10 +56,7 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 			Time:    30 * time.Second,
 			Timeout: 10 * time.Second,
 		}),
-	}
-	opts = append(opts, extraOpts...)
-
-	conn, err := grpc.DialContext(connCtx, addr, opts...)
+	)
 	if err != nil {
 		return nil, fmt.Errorf("dial context: %w", err)
 	}
--- a/client/iface/bind/dual_stack_conn.go
+++ b/client/iface/bind/dual_stack_conn.go
@@ -1,169 +0,0 @@
-package bind
-
-import (
-	"errors"
-	"net"
-	"sync"
-	"time"
-
-	"github.com/hashicorp/go-multierror"
-	log "github.com/sirupsen/logrus"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-)
-
-var (
-	errNoIPv4Conn  = errors.New("no IPv4 connection available")
-	errNoIPv6Conn  = errors.New("no IPv6 connection available")
-	errInvalidAddr = errors.New("invalid address type")
-)
-
-// DualStackPacketConn wraps IPv4 and IPv6 UDP connections and routes writes
-// to the appropriate connection based on the destination address.
-// ReadFrom is not used in the hot path - ICEBind receives packets via
-// BatchReader.ReadBatch() directly. This is only used by udpMux for sending.
-type DualStackPacketConn struct {
-	ipv4Conn net.PacketConn
-	ipv6Conn net.PacketConn
-
-	readFromWarn sync.Once
-}
-
-// NewDualStackPacketConn creates a new dual-stack packet connection.
-func NewDualStackPacketConn(ipv4Conn, ipv6Conn net.PacketConn) *DualStackPacketConn {
-	return &DualStackPacketConn{
-		ipv4Conn: ipv4Conn,
-		ipv6Conn: ipv6Conn,
-	}
-}
-
-// ReadFrom reads from the available connection (preferring IPv4).
-// NOTE: This method is NOT used in the data path. ICEBind receives packets via
-// BatchReader.ReadBatch() directly for both IPv4 and IPv6, which is much more efficient.
-// This implementation exists only to satisfy the net.PacketConn interface for the udpMux,
-// but the udpMux only uses WriteTo() for sending STUN responses - it never calls ReadFrom()
-// because STUN packets are filtered and forwarded via HandleSTUNMessage() from the receive path.
-func (d *DualStackPacketConn) ReadFrom(b []byte) (n int, addr net.Addr, err error) {
-	d.readFromWarn.Do(func() {
-		log.Warn("DualStackPacketConn.ReadFrom called - this is unexpected and may indicate an inefficient code path")
-	})
-
-	if d.ipv4Conn != nil {
-		return d.ipv4Conn.ReadFrom(b)
-	}
-	if d.ipv6Conn != nil {
-		return d.ipv6Conn.ReadFrom(b)
-	}
-	return 0, nil, net.ErrClosed
-}
-
-// WriteTo writes to the appropriate connection based on the address type.
-func (d *DualStackPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
-	udpAddr, ok := addr.(*net.UDPAddr)
-	if !ok {
-		return 0, &net.OpError{
-			Op:   "write",
-			Net:  "udp",
-			Addr: addr,
-			Err:  errInvalidAddr,
-		}
-	}
-
-	if udpAddr.IP.To4() == nil {
-		if d.ipv6Conn != nil {
-			return d.ipv6Conn.WriteTo(b, addr)
-		}
-		return 0, &net.OpError{
-			Op:   "write",
-			Net:  "udp6",
-			Addr: addr,
-			Err:  errNoIPv6Conn,
-		}
-	}
-
-	if d.ipv4Conn != nil {
-		return d.ipv4Conn.WriteTo(b, addr)
-	}
-	return 0, &net.OpError{
-		Op:   "write",
-		Net:  "udp4",
-		Addr: addr,
-		Err:  errNoIPv4Conn,
-	}
-}
-
-// Close closes both connections.
-func (d *DualStackPacketConn) Close() error {
-	var result *multierror.Error
-	if d.ipv4Conn != nil {
-		if err := d.ipv4Conn.Close(); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	if d.ipv6Conn != nil {
-		if err := d.ipv6Conn.Close(); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	return nberrors.FormatErrorOrNil(result)
-}
-
-// LocalAddr returns the local address of the IPv4 connection if available,
-// otherwise the IPv6 connection.
-func (d *DualStackPacketConn) LocalAddr() net.Addr {
-	if d.ipv4Conn != nil {
-		return d.ipv4Conn.LocalAddr()
-	}
-	if d.ipv6Conn != nil {
-		return d.ipv6Conn.LocalAddr()
-	}
-	return nil
-}
-
-// SetDeadline sets the deadline for both connections.
-func (d *DualStackPacketConn) SetDeadline(t time.Time) error {
-	var result *multierror.Error
-	if d.ipv4Conn != nil {
-		if err := d.ipv4Conn.SetDeadline(t); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	if d.ipv6Conn != nil {
-		if err := d.ipv6Conn.SetDeadline(t); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	return nberrors.FormatErrorOrNil(result)
-}
-
-// SetReadDeadline sets the read deadline for both connections.
-func (d *DualStackPacketConn) SetReadDeadline(t time.Time) error {
-	var result *multierror.Error
-	if d.ipv4Conn != nil {
-		if err := d.ipv4Conn.SetReadDeadline(t); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	if d.ipv6Conn != nil {
-		if err := d.ipv6Conn.SetReadDeadline(t); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	return nberrors.FormatErrorOrNil(result)
-}
-
-// SetWriteDeadline sets the write deadline for both connections.
-func (d *DualStackPacketConn) SetWriteDeadline(t time.Time) error {
-	var result *multierror.Error
-	if d.ipv4Conn != nil {
-		if err := d.ipv4Conn.SetWriteDeadline(t); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	if d.ipv6Conn != nil {
-		if err := d.ipv6Conn.SetWriteDeadline(t); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-	return nberrors.FormatErrorOrNil(result)
-}
--- a/client/iface/bind/dual_stack_conn_bench_test.go
+++ b/client/iface/bind/dual_stack_conn_bench_test.go
@@ -1,119 +0,0 @@
-package bind
-
-import (
-	"net"
-	"testing"
-)
-
-var (
-	ipv4Addr = &net.UDPAddr{IP: net.ParseIP("127.0.0.1"), Port: 12345}
-	ipv6Addr = &net.UDPAddr{IP: net.ParseIP("::1"), Port: 12345}
-	payload  = make([]byte, 1200)
-)
-
-func BenchmarkWriteTo_DirectUDPConn(b *testing.B) {
-	conn, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer conn.Close()
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_, _ = conn.WriteTo(payload, ipv4Addr)
-	}
-}
-
-func BenchmarkWriteTo_DualStack_IPv4Only(b *testing.B) {
-	conn, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer conn.Close()
-
-	ds := NewDualStackPacketConn(conn, nil)
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_, _ = ds.WriteTo(payload, ipv4Addr)
-	}
-}
-
-func BenchmarkWriteTo_DualStack_IPv6Only(b *testing.B) {
-	conn, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6zero, Port: 0})
-	if err != nil {
-		b.Skipf("IPv6 not available: %v", err)
-	}
-	defer conn.Close()
-
-	ds := NewDualStackPacketConn(nil, conn)
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_, _ = ds.WriteTo(payload, ipv6Addr)
-	}
-}
-
-func BenchmarkWriteTo_DualStack_Both_IPv4Traffic(b *testing.B) {
-	conn4, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer conn4.Close()
-
-	conn6, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6zero, Port: 0})
-	if err != nil {
-		b.Skipf("IPv6 not available: %v", err)
-	}
-	defer conn6.Close()
-
-	ds := NewDualStackPacketConn(conn4, conn6)
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_, _ = ds.WriteTo(payload, ipv4Addr)
-	}
-}
-
-func BenchmarkWriteTo_DualStack_Both_IPv6Traffic(b *testing.B) {
-	conn4, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer conn4.Close()
-
-	conn6, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6zero, Port: 0})
-	if err != nil {
-		b.Skipf("IPv6 not available: %v", err)
-	}
-	defer conn6.Close()
-
-	ds := NewDualStackPacketConn(conn4, conn6)
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_, _ = ds.WriteTo(payload, ipv6Addr)
-	}
-}
-
-func BenchmarkWriteTo_DualStack_Both_MixedTraffic(b *testing.B) {
-	conn4, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer conn4.Close()
-
-	conn6, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6zero, Port: 0})
-	if err != nil {
-		b.Skipf("IPv6 not available: %v", err)
-	}
-	defer conn6.Close()
-
-	ds := NewDualStackPacketConn(conn4, conn6)
-	addrs := []net.Addr{ipv4Addr, ipv6Addr}
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_, _ = ds.WriteTo(payload, addrs[i&1])
-	}
-}
--- a/client/iface/bind/dual_stack_conn_test.go
+++ b/client/iface/bind/dual_stack_conn_test.go
@@ -1,191 +0,0 @@
-package bind
-
-import (
-	"net"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestDualStackPacketConn_RoutesWritesToCorrectSocket(t *testing.T) {
-	ipv4Conn := &mockPacketConn{network: "udp4"}
-	ipv6Conn := &mockPacketConn{network: "udp6"}
-	dualStack := NewDualStackPacketConn(ipv4Conn, ipv6Conn)
-
-	tests := []struct {
-		name       string
-		addr       *net.UDPAddr
-		wantSocket string
-	}{
-		{
-			name:       "IPv4 address",
-			addr:       &net.UDPAddr{IP: net.ParseIP("192.168.1.1"), Port: 1234},
-			wantSocket: "udp4",
-		},
-		{
-			name:       "IPv6 address",
-			addr:       &net.UDPAddr{IP: net.ParseIP("2001:db8::1"), Port: 1234},
-			wantSocket: "udp6",
-		},
-		{
-			name:       "IPv4-mapped IPv6 goes to IPv4",
-			addr:       &net.UDPAddr{IP: net.ParseIP("::ffff:192.168.1.1"), Port: 1234},
-			wantSocket: "udp4",
-		},
-		{
-			name:       "IPv4 loopback",
-			addr:       &net.UDPAddr{IP: net.ParseIP("127.0.0.1"), Port: 1234},
-			wantSocket: "udp4",
-		},
-		{
-			name:       "IPv6 loopback",
-			addr:       &net.UDPAddr{IP: net.ParseIP("::1"), Port: 1234},
-			wantSocket: "udp6",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ipv4Conn.writeCount = 0
-			ipv6Conn.writeCount = 0
-
-			n, err := dualStack.WriteTo([]byte("test"), tt.addr)
-			require.NoError(t, err)
-			assert.Equal(t, 4, n)
-
-			if tt.wantSocket == "udp4" {
-				assert.Equal(t, 1, ipv4Conn.writeCount, "expected write to IPv4")
-				assert.Equal(t, 0, ipv6Conn.writeCount, "expected no write to IPv6")
-			} else {
-				assert.Equal(t, 0, ipv4Conn.writeCount, "expected no write to IPv4")
-				assert.Equal(t, 1, ipv6Conn.writeCount, "expected write to IPv6")
-			}
-		})
-	}
-}
-
-func TestDualStackPacketConn_IPv4OnlyRejectsIPv6(t *testing.T) {
-	dualStack := NewDualStackPacketConn(&mockPacketConn{network: "udp4"}, nil)
-
-	// IPv4 works
-	_, err := dualStack.WriteTo([]byte("test"), &net.UDPAddr{IP: net.ParseIP("192.168.1.1"), Port: 1234})
-	require.NoError(t, err)
-
-	// IPv6 fails
-	_, err = dualStack.WriteTo([]byte("test"), &net.UDPAddr{IP: net.ParseIP("2001:db8::1"), Port: 1234})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "no IPv6 connection")
-}
-
-func TestDualStackPacketConn_IPv6OnlyRejectsIPv4(t *testing.T) {
-	dualStack := NewDualStackPacketConn(nil, &mockPacketConn{network: "udp6"})
-
-	// IPv6 works
-	_, err := dualStack.WriteTo([]byte("test"), &net.UDPAddr{IP: net.ParseIP("2001:db8::1"), Port: 1234})
-	require.NoError(t, err)
-
-	// IPv4 fails
-	_, err = dualStack.WriteTo([]byte("test"), &net.UDPAddr{IP: net.ParseIP("192.168.1.1"), Port: 1234})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "no IPv4 connection")
-}
-
-// TestDualStackPacketConn_ReadFromIsNotUsedInHotPath documents that ReadFrom
-// only reads from one socket (IPv4 preferred). This is fine because the actual
-// receive path uses wireguard-go's BatchReader directly, not ReadFrom.
-func TestDualStackPacketConn_ReadFromIsNotUsedInHotPath(t *testing.T) {
-	ipv4Conn := &mockPacketConn{
-		network:  "udp4",
-		readData: []byte("from ipv4"),
-		readAddr: &net.UDPAddr{IP: net.ParseIP("192.168.1.1"), Port: 1234},
-	}
-	ipv6Conn := &mockPacketConn{
-		network:  "udp6",
-		readData: []byte("from ipv6"),
-		readAddr: &net.UDPAddr{IP: net.ParseIP("2001:db8::1"), Port: 1234},
-	}
-
-	dualStack := NewDualStackPacketConn(ipv4Conn, ipv6Conn)
-
-	buf := make([]byte, 100)
-	n, addr, err := dualStack.ReadFrom(buf)
-
-	require.NoError(t, err)
-	// reads from IPv4 (preferred) - this is expected behavior
-	assert.Equal(t, "from ipv4", string(buf[:n]))
-	assert.Equal(t, "192.168.1.1", addr.(*net.UDPAddr).IP.String())
-}
-
-func TestDualStackPacketConn_LocalAddrPrefersIPv4(t *testing.T) {
-	ipv4Addr := &net.UDPAddr{IP: net.ParseIP("0.0.0.0"), Port: 51820}
-	ipv6Addr := &net.UDPAddr{IP: net.ParseIP("::"), Port: 51820}
-
-	tests := []struct {
-		name     string
-		ipv4     net.PacketConn
-		ipv6     net.PacketConn
-		wantAddr net.Addr
-	}{
-		{
-			name:     "both available returns IPv4",
-			ipv4:     &mockPacketConn{localAddr: ipv4Addr},
-			ipv6:     &mockPacketConn{localAddr: ipv6Addr},
-			wantAddr: ipv4Addr,
-		},
-		{
-			name:     "IPv4 only",
-			ipv4:     &mockPacketConn{localAddr: ipv4Addr},
-			ipv6:     nil,
-			wantAddr: ipv4Addr,
-		},
-		{
-			name:     "IPv6 only",
-			ipv4:     nil,
-			ipv6:     &mockPacketConn{localAddr: ipv6Addr},
-			wantAddr: ipv6Addr,
-		},
-		{
-			name:     "neither returns nil",
-			ipv4:     nil,
-			ipv6:     nil,
-			wantAddr: nil,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			dualStack := NewDualStackPacketConn(tt.ipv4, tt.ipv6)
-			assert.Equal(t, tt.wantAddr, dualStack.LocalAddr())
-		})
-	}
-}
-
-// mock
-
-type mockPacketConn struct {
-	network    string
-	writeCount int
-	readData   []byte
-	readAddr   net.Addr
-	localAddr  net.Addr
-}
-
-func (m *mockPacketConn) ReadFrom(b []byte) (n int, addr net.Addr, err error) {
-	if m.readData != nil {
-		return copy(b, m.readData), m.readAddr, nil
-	}
-	return 0, nil, nil
-}
-
-func (m *mockPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
-	m.writeCount++
-	return len(b), nil
-}
-
-func (m *mockPacketConn) Close() error                       { return nil }
-func (m *mockPacketConn) LocalAddr() net.Addr                { return m.localAddr }
-func (m *mockPacketConn) SetDeadline(t time.Time) error      { return nil }
-func (m *mockPacketConn) SetReadDeadline(t time.Time) error  { return nil }
-func (m *mockPacketConn) SetWriteDeadline(t time.Time) error { return nil }
--- a/client/iface/bind/ice_bind.go
+++ b/client/iface/bind/ice_bind.go
@@ -14,6 +14,7 @@ import (
 	"github.com/pion/stun/v3"
 	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/net/ipv4"
 	"golang.org/x/net/ipv6"
 	wgConn "golang.zx2c4.com/wireguard/conn"

@@ -27,7 +28,22 @@ type receiverCreator struct {
 }

 func (rc receiverCreator) CreateReceiverFn(pc wgConn.BatchReader, conn *net.UDPConn, rxOffload bool, msgPool *sync.Pool) wgConn.ReceiveFunc {
-	return rc.iceBind.createReceiverFn(pc, conn, rxOffload, msgPool)
+	if ipv4PC, ok := pc.(*ipv4.PacketConn); ok {
+		return rc.iceBind.createIPv4ReceiverFn(ipv4PC, conn, rxOffload, msgPool)
+	}
+	// IPv6 is currently not supported in the udpmux, this is a stub for compatibility with the
+	// wireguard-go ReceiverCreator interface which is called for both IPv4 and IPv6.
+	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
+		buf := bufs[0]
+		size, ep, err := conn.ReadFromUDPAddrPort(buf)
+		if err != nil {
+			return 0, err
+		}
+		sizes[0] = size
+		stdEp := &wgConn.StdNetEndpoint{AddrPort: ep}
+		eps[0] = stdEp
+		return 1, nil
+	}
 }

 // ICEBind is a bind implementation with two main features:
@@ -57,8 +73,6 @@ type ICEBind struct {

 	muUDPMux sync.Mutex
 	udpMux   *udpmux.UniversalUDPMuxDefault
-	ipv4Conn *net.UDPConn
-	ipv6Conn *net.UDPConn
 }

 func NewICEBind(transportNet transport.Net, filterFn udpmux.FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
@@ -104,12 +118,6 @@ func (s *ICEBind) Close() error {

 	close(s.closedChan)

-	s.muUDPMux.Lock()
-	s.ipv4Conn = nil
-	s.ipv6Conn = nil
-	s.udpMux = nil
-	s.muUDPMux.Unlock()
-
 	return s.StdNetBind.Close()
 }

@@ -167,18 +175,19 @@ func (b *ICEBind) Send(bufs [][]byte, ep wgConn.Endpoint) error {
 	return nil
 }

-func (s *ICEBind) createReceiverFn(pc wgConn.BatchReader, conn *net.UDPConn, rxOffload bool, msgsPool *sync.Pool) wgConn.ReceiveFunc {
+func (s *ICEBind) createIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, rxOffload bool, msgsPool *sync.Pool) wgConn.ReceiveFunc {
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()

-	// Detect IPv4 vs IPv6 from connection's local address
-	if localAddr := conn.LocalAddr().(*net.UDPAddr); localAddr.IP.To4() != nil {
-		s.ipv4Conn = conn
-	} else {
-		s.ipv6Conn = conn
-	}
-	s.createOrUpdateMux()
-
+	s.udpMux = udpmux.NewUniversalUDPMuxDefault(
+		udpmux.UniversalUDPMuxParams{
+			UDPConn:   nbnet.WrapPacketConn(conn),
+			Net:       s.transportNet,
+			FilterFn:  s.filterFn,
+			WGAddress: s.address,
+			MTU:       s.mtu,
+		},
+	)
 	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
 		msgs := getMessages(msgsPool)
 		for i := range bufs {
@@ -186,13 +195,12 @@ func (s *ICEBind) createReceiverFn(pc wgConn.BatchReader, conn *net.UDPConn, rxO
 			(*msgs)[i].OOB = (*msgs)[i].OOB[:cap((*msgs)[i].OOB)]
 		}
 		defer putMessages(msgs, msgsPool)
-
 		var numMsgs int
 		if runtime.GOOS == "linux" || runtime.GOOS == "android" {
 			if rxOffload {
 				readAt := len(*msgs) - (wgConn.IdealBatchSize / wgConn.UdpSegmentMaxDatagrams)
-				//nolint:staticcheck
-				_, err = pc.ReadBatch((*msgs)[readAt:], 0)
+				//nolint
+				numMsgs, err = pc.ReadBatch((*msgs)[readAt:], 0)
 				if err != nil {
 					return 0, err
 				}
@@ -214,12 +222,12 @@ func (s *ICEBind) createReceiverFn(pc wgConn.BatchReader, conn *net.UDPConn, rxO
 			}
 			numMsgs = 1
 		}
-
 		for i := 0; i < numMsgs; i++ {
 			msg := &(*msgs)[i]

 			// todo: handle err
-			if ok, _ := s.filterOutStunMessages(msg.Buffers, msg.N, msg.Addr); ok {
+			ok, _ := s.filterOutStunMessages(msg.Buffers, msg.N, msg.Addr)
+			if ok {
 				continue
 			}
 			sizes[i] = msg.N
@@ -240,38 +248,6 @@ func (s *ICEBind) createReceiverFn(pc wgConn.BatchReader, conn *net.UDPConn, rxO
 	}
 }

-// createOrUpdateMux creates or updates the UDP mux with the available connections.
-// Must be called with muUDPMux held.
-func (s *ICEBind) createOrUpdateMux() {
-	var muxConn net.PacketConn
-
-	switch {
-	case s.ipv4Conn != nil && s.ipv6Conn != nil:
-		muxConn = NewDualStackPacketConn(
-			nbnet.WrapPacketConn(s.ipv4Conn),
-			nbnet.WrapPacketConn(s.ipv6Conn),
-		)
-	case s.ipv4Conn != nil:
-		muxConn = nbnet.WrapPacketConn(s.ipv4Conn)
-	case s.ipv6Conn != nil:
-		muxConn = nbnet.WrapPacketConn(s.ipv6Conn)
-	default:
-		return
-	}
-
-	// Don't close the old mux - it doesn't own the underlying connections.
-	// The sockets are managed by WireGuard's StdNetBind, not by us.
-	s.udpMux = udpmux.NewUniversalUDPMuxDefault(
-		udpmux.UniversalUDPMuxParams{
-			UDPConn:   muxConn,
-			Net:       s.transportNet,
-			FilterFn:  s.filterFn,
-			WGAddress: s.address,
-			MTU:       s.mtu,
-		},
-	)
-}
-
 func (s *ICEBind) filterOutStunMessages(buffers [][]byte, n int, addr net.Addr) (bool, error) {
 	for i := range buffers {
 		if !stun.IsMessage(buffers[i]) {
@@ -284,14 +260,9 @@ func (s *ICEBind) filterOutStunMessages(buffers [][]byte, n int, addr net.Addr)
 			return true, err
 		}

-		s.muUDPMux.Lock()
-		mux := s.udpMux
-		s.muUDPMux.Unlock()
-
-		if mux != nil {
-			if muxErr := mux.HandleSTUNMessage(msg, addr); muxErr != nil {
-				log.Warnf("failed to handle STUN packet: %v", muxErr)
-			}
+		muxErr := s.udpMux.HandleSTUNMessage(msg, addr)
+		if muxErr != nil {
+			log.Warnf("failed to handle STUN packet")
 		}

 		buffers[i] = []byte{}
--- a/client/iface/bind/ice_bind_test.go
+++ b/client/iface/bind/ice_bind_test.go
@@ -1,324 +0,0 @@
-package bind
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/pion/transport/v3/stdnet"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/net/ipv4"
-	"golang.org/x/net/ipv6"
-
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-func TestICEBind_CreatesReceiverForBothIPv4AndIPv6(t *testing.T) {
-	iceBind := setupICEBind(t)
-
-	ipv4Conn, ipv6Conn := createDualStackConns(t)
-	defer ipv4Conn.Close()
-	defer ipv6Conn.Close()
-
-	rc := receiverCreator{iceBind}
-	pool := createMsgPool()
-
-	// Simulate wireguard-go calling CreateReceiverFn for IPv4
-	ipv4RecvFn := rc.CreateReceiverFn(ipv4.NewPacketConn(ipv4Conn), ipv4Conn, false, pool)
-	require.NotNil(t, ipv4RecvFn)
-
-	iceBind.muUDPMux.Lock()
-	assert.NotNil(t, iceBind.ipv4Conn, "should store IPv4 connection")
-	assert.Nil(t, iceBind.ipv6Conn, "IPv6 not added yet")
-	assert.NotNil(t, iceBind.udpMux, "mux should be created after first connection")
-	iceBind.muUDPMux.Unlock()
-
-	// Simulate wireguard-go calling CreateReceiverFn for IPv6
-	ipv6RecvFn := rc.CreateReceiverFn(ipv6.NewPacketConn(ipv6Conn), ipv6Conn, false, pool)
-	require.NotNil(t, ipv6RecvFn)
-
-	iceBind.muUDPMux.Lock()
-	assert.NotNil(t, iceBind.ipv4Conn, "should still have IPv4 connection")
-	assert.NotNil(t, iceBind.ipv6Conn, "should now have IPv6 connection")
-	assert.NotNil(t, iceBind.udpMux, "mux should still exist")
-	iceBind.muUDPMux.Unlock()
-
-	mux, err := iceBind.GetICEMux()
-	require.NoError(t, err)
-	require.NotNil(t, mux)
-}
-
-func TestICEBind_WorksWithIPv4Only(t *testing.T) {
-	iceBind := setupICEBind(t)
-
-	ipv4Conn, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	require.NoError(t, err)
-	defer ipv4Conn.Close()
-
-	rc := receiverCreator{iceBind}
-	recvFn := rc.CreateReceiverFn(ipv4.NewPacketConn(ipv4Conn), ipv4Conn, false, createMsgPool())
-	require.NotNil(t, recvFn)
-
-	iceBind.muUDPMux.Lock()
-	assert.NotNil(t, iceBind.ipv4Conn)
-	assert.Nil(t, iceBind.ipv6Conn)
-	assert.NotNil(t, iceBind.udpMux)
-	iceBind.muUDPMux.Unlock()
-
-	mux, err := iceBind.GetICEMux()
-	require.NoError(t, err)
-	require.NotNil(t, mux)
-}
-
-func TestICEBind_WorksWithIPv6Only(t *testing.T) {
-	iceBind := setupICEBind(t)
-
-	ipv6Conn, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6zero, Port: 0})
-	if err != nil {
-		t.Skipf("IPv6 not available: %v", err)
-	}
-	defer ipv6Conn.Close()
-
-	rc := receiverCreator{iceBind}
-	recvFn := rc.CreateReceiverFn(ipv6.NewPacketConn(ipv6Conn), ipv6Conn, false, createMsgPool())
-	require.NotNil(t, recvFn)
-
-	iceBind.muUDPMux.Lock()
-	assert.Nil(t, iceBind.ipv4Conn)
-	assert.NotNil(t, iceBind.ipv6Conn)
-	assert.NotNil(t, iceBind.udpMux)
-	iceBind.muUDPMux.Unlock()
-
-	mux, err := iceBind.GetICEMux()
-	require.NoError(t, err)
-	require.NotNil(t, mux)
-}
-
-// TestICEBind_SendsToIPv4AndIPv6PeersSimultaneously verifies that we can communicate
-// with peers on different address families through the same DualStackPacketConn.
-func TestICEBind_SendsToIPv4AndIPv6PeersSimultaneously(t *testing.T) {
-	// two "remote peers" listening on different address families
-	ipv4Peer := listenUDP(t, "udp4", "127.0.0.1:0")
-	defer ipv4Peer.Close()
-
-	ipv6Peer, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6loopback, Port: 0})
-	if err != nil {
-		t.Skipf("IPv6 not available: %v", err)
-	}
-	defer ipv6Peer.Close()
-
-	// our local dual-stack connection
-	ipv4Local := listenUDP(t, "udp4", "127.0.0.1:0")
-	defer ipv4Local.Close()
-
-	ipv6Local := listenUDP(t, "udp6", "[::1]:0")
-	defer ipv6Local.Close()
-
-	dualStack := NewDualStackPacketConn(ipv4Local, ipv6Local)
-
-	// send to both peers
-	_, err = dualStack.WriteTo([]byte("to-ipv4"), ipv4Peer.LocalAddr())
-	require.NoError(t, err)
-
-	_, err = dualStack.WriteTo([]byte("to-ipv6"), ipv6Peer.LocalAddr())
-	require.NoError(t, err)
-
-	// verify IPv4 peer got its packet from the IPv4 socket
-	buf := make([]byte, 100)
-	_ = ipv4Peer.SetReadDeadline(time.Now().Add(time.Second))
-	n, addr, err := ipv4Peer.ReadFrom(buf)
-	require.NoError(t, err)
-	assert.Equal(t, "to-ipv4", string(buf[:n]))
-	assert.Equal(t, ipv4Local.LocalAddr().(*net.UDPAddr).Port, addr.(*net.UDPAddr).Port)
-
-	// verify IPv6 peer got its packet from the IPv6 socket
-	_ = ipv6Peer.SetReadDeadline(time.Now().Add(time.Second))
-	n, addr, err = ipv6Peer.ReadFrom(buf)
-	require.NoError(t, err)
-	assert.Equal(t, "to-ipv6", string(buf[:n]))
-	assert.Equal(t, ipv6Local.LocalAddr().(*net.UDPAddr).Port, addr.(*net.UDPAddr).Port)
-}
-
-// TestICEBind_HandlesConcurrentMixedTraffic sends packets concurrently to both IPv4
-// and IPv6 peers. Verifies no packets get misrouted (IPv4 peer only gets v4- packets,
-// IPv6 peer only gets v6- packets). Some packet loss is acceptable for UDP.
-func TestICEBind_HandlesConcurrentMixedTraffic(t *testing.T) {
-	ipv4Peer := listenUDP(t, "udp4", "127.0.0.1:0")
-	defer ipv4Peer.Close()
-
-	ipv6Peer, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6loopback, Port: 0})
-	if err != nil {
-		t.Skipf("IPv6 not available: %v", err)
-	}
-	defer ipv6Peer.Close()
-
-	ipv4Local := listenUDP(t, "udp4", "127.0.0.1:0")
-	defer ipv4Local.Close()
-
-	ipv6Local := listenUDP(t, "udp6", "[::1]:0")
-	defer ipv6Local.Close()
-
-	dualStack := NewDualStackPacketConn(ipv4Local, ipv6Local)
-
-	const packetsPerFamily = 500
-
-	ipv4Received := make(chan string, packetsPerFamily)
-	ipv6Received := make(chan string, packetsPerFamily)
-
-	startGate := make(chan struct{})
-	var wg sync.WaitGroup
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		buf := make([]byte, 100)
-		for i := 0; i < packetsPerFamily; i++ {
-			n, _, err := ipv4Peer.ReadFrom(buf)
-			if err != nil {
-				return
-			}
-			ipv4Received <- string(buf[:n])
-		}
-	}()
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		buf := make([]byte, 100)
-		for i := 0; i < packetsPerFamily; i++ {
-			n, _, err := ipv6Peer.ReadFrom(buf)
-			if err != nil {
-				return
-			}
-			ipv6Received <- string(buf[:n])
-		}
-	}()
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		<-startGate
-		for i := 0; i < packetsPerFamily; i++ {
-			_, _ = dualStack.WriteTo([]byte(fmt.Sprintf("v4-%04d", i)), ipv4Peer.LocalAddr())
-		}
-	}()
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		<-startGate
-		for i := 0; i < packetsPerFamily; i++ {
-			_, _ = dualStack.WriteTo([]byte(fmt.Sprintf("v6-%04d", i)), ipv6Peer.LocalAddr())
-		}
-	}()
-
-	close(startGate)
-
-	time.AfterFunc(5*time.Second, func() {
-		_ = ipv4Peer.SetReadDeadline(time.Now())
-		_ = ipv6Peer.SetReadDeadline(time.Now())
-	})
-
-	wg.Wait()
-	close(ipv4Received)
-	close(ipv6Received)
-
-	ipv4Count := 0
-	for pkt := range ipv4Received {
-		require.True(t, len(pkt) >= 3 && pkt[:3] == "v4-", "IPv4 peer got misrouted packet: %s", pkt)
-		ipv4Count++
-	}
-
-	ipv6Count := 0
-	for pkt := range ipv6Received {
-		require.True(t, len(pkt) >= 3 && pkt[:3] == "v6-", "IPv6 peer got misrouted packet: %s", pkt)
-		ipv6Count++
-	}
-
-	assert.Equal(t, packetsPerFamily, ipv4Count)
-	assert.Equal(t, packetsPerFamily, ipv6Count)
-}
-
-func TestICEBind_DetectsAddressFamilyFromConnection(t *testing.T) {
-	tests := []struct {
-		name     string
-		network  string
-		addr     string
-		wantIPv4 bool
-	}{
-		{"IPv4 any", "udp4", "0.0.0.0:0", true},
-		{"IPv4 loopback", "udp4", "127.0.0.1:0", true},
-		{"IPv6 any", "udp6", "[::]:0", false},
-		{"IPv6 loopback", "udp6", "[::1]:0", false},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			addr, err := net.ResolveUDPAddr(tt.network, tt.addr)
-			require.NoError(t, err)
-
-			conn, err := net.ListenUDP(tt.network, addr)
-			if err != nil {
-				t.Skipf("%s not available: %v", tt.network, err)
-			}
-			defer conn.Close()
-
-			localAddr := conn.LocalAddr().(*net.UDPAddr)
-			isIPv4 := localAddr.IP.To4() != nil
-			assert.Equal(t, tt.wantIPv4, isIPv4)
-		})
-	}
-}
-
-// helpers
-
-func setupICEBind(t *testing.T) *ICEBind {
-	t.Helper()
-	transportNet, err := stdnet.NewNet()
-	require.NoError(t, err)
-
-	address := wgaddr.Address{
-		IP:      netip.MustParseAddr("100.64.0.1"),
-		Network: netip.MustParsePrefix("100.64.0.0/10"),
-	}
-	return NewICEBind(transportNet, nil, address, 1280)
-}
-
-func createDualStackConns(t *testing.T) (*net.UDPConn, *net.UDPConn) {
-	t.Helper()
-	ipv4Conn, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
-	require.NoError(t, err)
-
-	ipv6Conn, err := net.ListenUDP("udp6", &net.UDPAddr{IP: net.IPv6zero, Port: 0})
-	if err != nil {
-		ipv4Conn.Close()
-		t.Skipf("IPv6 not available: %v", err)
-	}
-	return ipv4Conn, ipv6Conn
-}
-
-func createMsgPool() *sync.Pool {
-	return &sync.Pool{
-		New: func() any {
-			msgs := make([]ipv6.Message, 1)
-			for i := range msgs {
-				msgs[i].Buffers = make(net.Buffers, 1)
-				msgs[i].OOB = make([]byte, 0, 40)
-			}
-			return &msgs
-		},
-	}
-}
-
-func listenUDP(t *testing.T, network, addr string) *net.UDPConn {
-	t.Helper()
-	udpAddr, err := net.ResolveUDPAddr(network, addr)
-	require.NoError(t, err)
-	conn, err := net.ListenUDP(network, udpAddr)
-	require.NoError(t, err)
-	return conn
-}
--- a/client/iface/configurer/common.go
+++ b/client/iface/configurer/common.go
@@ -3,22 +3,8 @@ package configurer
 import (
 	"net"
 	"net/netip"
-
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )

-// buildPresharedKeyConfig creates a wgtypes.Config for setting a preshared key on a peer.
-// This is a shared helper used by both kernel and userspace configurers.
-func buildPresharedKeyConfig(peerKey wgtypes.Key, psk wgtypes.Key, updateOnly bool) wgtypes.Config {
-	return wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{{
-			PublicKey:    peerKey,
-			PresharedKey: &psk,
-			UpdateOnly:   updateOnly,
-		}},
-	}
-}
-
 func prefixesToIPNets(prefixes []netip.Prefix) []net.IPNet {
 	ipNets := make([]net.IPNet, len(prefixes))
 	for i, prefix := range prefixes {
--- a/client/iface/configurer/kernel_unix.go
+++ b/client/iface/configurer/kernel_unix.go
@@ -15,6 +15,8 @@ import (
 	"github.com/netbirdio/netbird/monotime"
 )

+var zeroKey wgtypes.Key
+
 type KernelConfigurer struct {
 	deviceName string
 }
@@ -46,18 +48,6 @@ func (c *KernelConfigurer) ConfigureInterface(privateKey string, port int) error
 	return nil
 }

-// SetPresharedKey sets the preshared key for a peer.
-// If updateOnly is true, only updates the existing peer; if false, creates or updates.
-func (c *KernelConfigurer) SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error {
-	parsedPeerKey, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-
-	cfg := buildPresharedKeyConfig(parsedPeerKey, psk, updateOnly)
-	return c.configure(cfg)
-}
-
 func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
@@ -289,7 +279,7 @@ func (c *KernelConfigurer) FullStats() (*Stats, error) {
 			TxBytes:       p.TransmitBytes,
 			RxBytes:       p.ReceiveBytes,
 			LastHandshake: p.LastHandshakeTime,
-			PresharedKey:  [32]byte(p.PresharedKey),
+			PresharedKey:  p.PresharedKey != zeroKey,
 		}
 		if p.Endpoint != nil {
 			peer.Endpoint = *p.Endpoint
--- a/client/iface/configurer/uapi.go
+++ b/client/iface/configurer/uapi.go
@@ -5,18 +5,20 @@ package configurer
 import (
 	"net"

+	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/ipc"
 )

 func openUAPI(deviceName string) (net.Listener, error) {
 	uapiSock, err := ipc.UAPIOpen(deviceName)
 	if err != nil {
+		log.Errorf("failed to open uapi socket: %v", err)
 		return nil, err
 	}

 	listener, err := ipc.UAPIListen(deviceName, uapiSock)
 	if err != nil {
-		_ = uapiSock.Close()
+		log.Errorf("failed to listen on uapi socket: %v", err)
 		return nil, err
 	}

--- a/client/iface/configurer/usp.go
+++ b/client/iface/configurer/usp.go
@@ -22,16 +22,17 @@ import (
 )

 const (
-	privateKey                 = "private_key"
-	ipcKeyLastHandshakeTimeSec = "last_handshake_time_sec"
-	ipcKeyTxBytes              = "tx_bytes"
-	ipcKeyRxBytes              = "rx_bytes"
-	allowedIP                  = "allowed_ip"
-	endpoint                   = "endpoint"
-	fwmark                     = "fwmark"
-	listenPort                 = "listen_port"
-	publicKey                  = "public_key"
-	presharedKey               = "preshared_key"
+	privateKey                  = "private_key"
+	ipcKeyLastHandshakeTimeSec  = "last_handshake_time_sec"
+	ipcKeyLastHandshakeTimeNsec = "last_handshake_time_nsec"
+	ipcKeyTxBytes               = "tx_bytes"
+	ipcKeyRxBytes               = "rx_bytes"
+	allowedIP                   = "allowed_ip"
+	endpoint                    = "endpoint"
+	fwmark                      = "fwmark"
+	listenPort                  = "listen_port"
+	publicKey                   = "public_key"
+	presharedKey                = "preshared_key"
 )

 var ErrAllowedIPNotFound = fmt.Errorf("allowed IP not found")
@@ -54,14 +55,6 @@ func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder
 	return wgCfg
 }

-func NewUSPConfigurerNoUAPI(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder) *WGUSPConfigurer {
-	return &WGUSPConfigurer{
-		device:           device,
-		deviceName:       deviceName,
-		activityRecorder: activityRecorder,
-	}
-}
-
 func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error {
 	log.Debugf("adding Wireguard private key")
 	key, err := wgtypes.ParseKey(privateKey)
@@ -79,18 +72,6 @@ func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error
 	return c.device.IpcSet(toWgUserspaceString(config))
 }

-// SetPresharedKey sets the preshared key for a peer.
-// If updateOnly is true, only updates the existing peer; if false, creates or updates.
-func (c *WGUSPConfigurer) SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error {
-	parsedPeerKey, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-
-	cfg := buildPresharedKeyConfig(parsedPeerKey, psk, updateOnly)
-	return c.device.IpcSet(toWgUserspaceString(cfg))
-}
-
 func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
@@ -441,25 +422,13 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {
 		hexKey := hex.EncodeToString(p.PublicKey[:])
 		sb.WriteString(fmt.Sprintf("public_key=%s\n", hexKey))

-		if p.Remove {
-			sb.WriteString("remove=true\n")
-		}
-
-		if p.UpdateOnly {
-			sb.WriteString("update_only=true\n")
-		}
-
 		if p.PresharedKey != nil {
 			preSharedHexKey := hex.EncodeToString(p.PresharedKey[:])
 			sb.WriteString(fmt.Sprintf("preshared_key=%s\n", preSharedHexKey))
 		}

-		if p.Endpoint != nil {
-			sb.WriteString(fmt.Sprintf("endpoint=%s\n", p.Endpoint.String()))
-		}
-
-		if p.PersistentKeepaliveInterval != nil {
-			sb.WriteString(fmt.Sprintf("persistent_keepalive_interval=%d\n", int(p.PersistentKeepaliveInterval.Seconds())))
+		if p.Remove {
+			sb.WriteString("remove=true")
 		}

 		if p.ReplaceAllowedIPs {
@@ -469,6 +438,14 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {
 		for _, aip := range p.AllowedIPs {
 			sb.WriteString(fmt.Sprintf("allowed_ip=%s\n", aip.String()))
 		}
+
+		if p.Endpoint != nil {
+			sb.WriteString(fmt.Sprintf("endpoint=%s\n", p.Endpoint.String()))
+		}
+
+		if p.PersistentKeepaliveInterval != nil {
+			sb.WriteString(fmt.Sprintf("persistent_keepalive_interval=%d\n", int(p.PersistentKeepaliveInterval.Seconds())))
+		}
 	}
 	return sb.String()
 }
@@ -566,7 +543,7 @@ func parseStatus(deviceName, ipcStr string) (*Stats, error) {
 				continue
 			}

-			host, portStr, err := net.SplitHostPort(val)
+			host, portStr, err := net.SplitHostPort(strings.Trim(val, "[]"))
 			if err != nil {
 				log.Errorf("failed to parse endpoint: %v", err)
 				continue
@@ -622,9 +599,7 @@ func parseStatus(deviceName, ipcStr string) (*Stats, error) {
 				continue
 			}
 			if val != "" && val != "0000000000000000000000000000000000000000000000000000000000000000" {
-				if pskKey, err := hexToWireguardKey(val); err == nil {
-					currentPeer.PresharedKey = [32]byte(pskKey)
-				}
+				currentPeer.PresharedKey = true
 			}
 		}
 	}
--- a/client/iface/configurer/wgshow.go
+++ b/client/iface/configurer/wgshow.go
@@ -12,7 +12,7 @@ type Peer struct {
 	TxBytes       int64
 	RxBytes       int64
 	LastHandshake time.Time
-	PresharedKey  [32]byte
+	PresharedKey  bool
 }

 type Stats struct {
--- a/client/iface/device/device_filter.go
+++ b/client/iface/device/device_filter.go
@@ -15,26 +15,22 @@ type PacketFilter interface {
 	// FilterInbound filter incoming packets from external sources to host
 	FilterInbound(packetData []byte, size int) bool

-	// SetUDPPacketHook registers a hook for outbound UDP packets matching the given IP and port.
-	// Hook function returns true if the packet should be dropped.
-	// Only one UDP hook is supported; calling again replaces the previous hook.
-	// Pass nil hook to remove.
-	SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool)
+	// AddUDPPacketHook calls hook when UDP packet from given direction matched
+	//
+	// Hook function returns flag which indicates should be the matched package dropped or not.
+	// Hook function receives raw network packet data as argument.
+	AddUDPPacketHook(in bool, ip netip.Addr, dPort uint16, hook func(packet []byte) bool) string

-	// SetTCPPacketHook registers a hook for outbound TCP packets matching the given IP and port.
-	// Hook function returns true if the packet should be dropped.
-	// Only one TCP hook is supported; calling again replaces the previous hook.
-	// Pass nil hook to remove.
-	SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool)
+	// RemovePacketHook removes hook by ID
+	RemovePacketHook(hookID string) error
 }

 // FilteredDevice to override Read or Write of packets
 type FilteredDevice struct {
 	tun.Device

-	filter    PacketFilter
-	mutex     sync.RWMutex
-	closeOnce sync.Once
+	filter PacketFilter
+	mutex  sync.RWMutex
 }

 // newDeviceFilter constructor function
@@ -44,20 +40,6 @@ func newDeviceFilter(device tun.Device) *FilteredDevice {
 	}
 }

-// Close closes the underlying tun device exactly once.
-// wireguard-go's netTun.Close() panics on double-close due to a bare close(channel),
-// and multiple code paths can trigger Close on the same device.
-func (d *FilteredDevice) Close() error {
-	var err error
-	d.closeOnce.Do(func() {
-		err = d.Device.Close()
-	})
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
 // Read wraps read method with filtering feature
 func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, err error) {
 	if n, err = d.Device.Read(bufs, sizes, offset); err != nil {
--- a/client/iface/device/device_netstack.go
+++ b/client/iface/device/device_netstack.go
@@ -79,12 +79,10 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)

-	t.configurer = configurer.NewUSPConfigurerNoUAPI(t.device, t.name, t.bind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
-		if cErr := tunIface.Close(); cErr != nil {
-			log.Debugf("failed to close tun device: %v", cErr)
-		}
+		_ = tunIface.Close()
 		return nil, fmt.Errorf("error configuring interface: %s", err)
 	}

--- a/client/iface/device/interface.go
+++ b/client/iface/device/interface.go
@@ -17,7 +17,6 @@ type WGConfigurer interface {
 	RemovePeer(peerKey string) error
 	AddAllowedIP(peerKey string, allowedIP netip.Prefix) error
 	RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error
-	SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error
 	Close()
 	GetStats() (map[string]configurer.WGStats, error)
 	FullStats() (*configurer.Stats, error)
--- a/client/iface/iface.go
+++ b/client/iface/iface.go
@@ -18,7 +18,6 @@ import (
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/device"
-	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
@@ -51,7 +50,6 @@ func ValidateMTU(mtu uint16) error {

 type wgProxyFactory interface {
 	GetProxy() wgproxy.Proxy
-	GetProxyPort() uint16
 	Free() error
 }

@@ -82,12 +80,6 @@ func (w *WGIface) GetProxy() wgproxy.Proxy {
 	return w.wgProxyFactory.GetProxy()
 }

-// GetProxyPort returns the proxy port used by the WireGuard proxy.
-// Returns 0 if no proxy port is used (e.g., for userspace WireGuard).
-func (w *WGIface) GetProxyPort() uint16 {
-	return w.wgProxyFactory.GetProxyPort()
-}
-
 // GetBind returns the EndpointManager userspace bind mode.
 func (w *WGIface) GetBind() device.EndpointManager {
 	w.mu.Lock()
@@ -229,10 +221,6 @@ func (w *WGIface) Close() error {
 		result = multierror.Append(result, fmt.Errorf("failed to close wireguard interface %s: %w", w.Name(), err))
 	}

-	if nbnetstack.IsEnabled() {
-		return errors.FormatErrorOrNil(result)
-	}
-
 	if err := w.waitUntilRemoved(); err != nil {
 		log.Warnf("failed to remove WireGuard interface %s: %v", w.Name(), err)
 		if err := w.Destroy(); err != nil {
@@ -309,19 +297,6 @@ func (w *WGIface) FullStats() (*configurer.Stats, error) {
 	return w.configurer.FullStats()
 }

-// SetPresharedKey sets or updates the preshared key for a peer.
-// If updateOnly is true, only updates existing peer; if false, creates or updates.
-func (w *WGIface) SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	if w.configurer == nil {
-		return ErrIfaceNotFound
-	}
-
-	return w.configurer.SetPresharedKey(peerKey, psk, updateOnly)
-}
-
 func (w *WGIface) waitUntilRemoved() error {
 	maxWaitTime := 5 * time.Second
 	timeout := time.NewTimer(maxWaitTime)
--- a/client/iface/mocks/filter.go
+++ b/client/iface/mocks/filter.go
@@ -34,28 +34,18 @@ func (m *MockPacketFilter) EXPECT() *MockPacketFilterMockRecorder {
 	return m.recorder
 }

-// SetUDPPacketHook mocks base method.
-func (m *MockPacketFilter) SetUDPPacketHook(arg0 netip.Addr, arg1 uint16, arg2 func([]byte) bool) {
+// AddUDPPacketHook mocks base method.
+func (m *MockPacketFilter) AddUDPPacketHook(arg0 bool, arg1 netip.Addr, arg2 uint16, arg3 func([]byte) bool) string {
 	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "SetUDPPacketHook", arg0, arg1, arg2)
+	ret := m.ctrl.Call(m, "AddUDPPacketHook", arg0, arg1, arg2, arg3)
+	ret0, _ := ret[0].(string)
+	return ret0
 }

-// SetUDPPacketHook indicates an expected call of SetUDPPacketHook.
-func (mr *MockPacketFilterMockRecorder) SetUDPPacketHook(arg0, arg1, arg2 interface{}) *gomock.Call {
+// AddUDPPacketHook indicates an expected call of AddUDPPacketHook.
+func (mr *MockPacketFilterMockRecorder) AddUDPPacketHook(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).SetUDPPacketHook), arg0, arg1, arg2)
-}
-
-// SetTCPPacketHook mocks base method.
-func (m *MockPacketFilter) SetTCPPacketHook(arg0 netip.Addr, arg1 uint16, arg2 func([]byte) bool) {
-	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "SetTCPPacketHook", arg0, arg1, arg2)
-}
-
-// SetTCPPacketHook indicates an expected call of SetTCPPacketHook.
-func (mr *MockPacketFilterMockRecorder) SetTCPPacketHook(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetTCPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).SetTCPPacketHook), arg0, arg1, arg2)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).AddUDPPacketHook), arg0, arg1, arg2, arg3)
 }

 // FilterInbound mocks base method.
@@ -85,3 +75,17 @@ func (mr *MockPacketFilterMockRecorder) FilterOutbound(arg0 interface{}, arg1 an
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterOutbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterOutbound), arg0, arg1)
 }
+
+// RemovePacketHook mocks base method.
+func (m *MockPacketFilter) RemovePacketHook(arg0 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "RemovePacketHook", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// RemovePacketHook indicates an expected call of RemovePacketHook.
+func (mr *MockPacketFilterMockRecorder) RemovePacketHook(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePacketHook", reflect.TypeOf((*MockPacketFilter)(nil).RemovePacketHook), arg0)
+}
--- a/client/iface/mocks/iface/mocks/filter.go
+++ b/client/iface/mocks/iface/mocks/filter.go
@@ -0,0 +1,87 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/netbirdio/netbird/client/iface (interfaces: PacketFilter)
+
+// Package mocks is a generated GoMock package.
+package mocks
+
+import (
+	net "net"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockPacketFilter is a mock of PacketFilter interface.
+type MockPacketFilter struct {
+	ctrl     *gomock.Controller
+	recorder *MockPacketFilterMockRecorder
+}
+
+// MockPacketFilterMockRecorder is the mock recorder for MockPacketFilter.
+type MockPacketFilterMockRecorder struct {
+	mock *MockPacketFilter
+}
+
+// NewMockPacketFilter creates a new mock instance.
+func NewMockPacketFilter(ctrl *gomock.Controller) *MockPacketFilter {
+	mock := &MockPacketFilter{ctrl: ctrl}
+	mock.recorder = &MockPacketFilterMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockPacketFilter) EXPECT() *MockPacketFilterMockRecorder {
+	return m.recorder
+}
+
+// AddUDPPacketHook mocks base method.
+func (m *MockPacketFilter) AddUDPPacketHook(arg0 bool, arg1 net.IP, arg2 uint16, arg3 func(*net.UDPAddr, []byte) bool) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "AddUDPPacketHook", arg0, arg1, arg2, arg3)
+}
+
+// AddUDPPacketHook indicates an expected call of AddUDPPacketHook.
+func (mr *MockPacketFilterMockRecorder) AddUDPPacketHook(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).AddUDPPacketHook), arg0, arg1, arg2, arg3)
+}
+
+// FilterInbound mocks base method.
+func (m *MockPacketFilter) FilterInbound(arg0 []byte) bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "FilterInbound", arg0)
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// FilterInbound indicates an expected call of FilterInbound.
+func (mr *MockPacketFilterMockRecorder) FilterInbound(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterInbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterInbound), arg0)
+}
+
+// FilterOutbound mocks base method.
+func (m *MockPacketFilter) FilterOutbound(arg0 []byte) bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "FilterOutbound", arg0)
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// FilterOutbound indicates an expected call of FilterOutbound.
+func (mr *MockPacketFilterMockRecorder) FilterOutbound(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterOutbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterOutbound), arg0)
+}
+
+// SetNetwork mocks base method.
+func (m *MockPacketFilter) SetNetwork(arg0 *net.IPNet) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "SetNetwork", arg0)
+}
+
+// SetNetwork indicates an expected call of SetNetwork.
+func (mr *MockPacketFilterMockRecorder) SetNetwork(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNetwork", reflect.TypeOf((*MockPacketFilter)(nil).SetNetwork), arg0)
+}
--- a/client/iface/netstack/tun.go
+++ b/client/iface/netstack/tun.go
@@ -66,7 +66,7 @@ func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
 		}
 	}()

-	return t.tundev, tunNet, nil
+	return nsTunDev, tunNet, nil
 }

 func (t *NetStackTun) Close() error {
--- a/client/iface/wgproxy/bind/proxy.go
+++ b/client/iface/wgproxy/bind/proxy.go
@@ -114,21 +114,21 @@ func (p *ProxyBind) Pause() {
 }

 func (p *ProxyBind) RedirectAs(endpoint *net.UDPAddr) {
-	ep, err := addrToEndpoint(endpoint)
-	if err != nil {
-		log.Errorf("failed to start package redirection: %v", err)
-		return
-	}
-
 	p.pausedCond.L.Lock()
 	p.paused = false

-	p.wgCurrentUsed = ep
+	p.wgCurrentUsed = addrToEndpoint(endpoint)

 	p.pausedCond.Signal()
 	p.pausedCond.L.Unlock()
 }

+func addrToEndpoint(addr *net.UDPAddr) *bind.Endpoint {
+	ip, _ := netip.AddrFromSlice(addr.IP.To4())
+	addrPort := netip.AddrPortFrom(ip, uint16(addr.Port))
+	return &bind.Endpoint{AddrPort: addrPort}
+}
+
 func (p *ProxyBind) CloseConn() error {
 	if p.cancel == nil {
 		return fmt.Errorf("proxy not started")
@@ -212,16 +212,3 @@ func fakeAddress(peerAddress *net.UDPAddr) (*netip.AddrPort, error) {
 	netipAddr := netip.AddrPortFrom(fakeIP, uint16(peerAddress.Port))
 	return &netipAddr, nil
 }
-
-func addrToEndpoint(addr *net.UDPAddr) (*bind.Endpoint, error) {
-	if addr == nil {
-		return nil, fmt.Errorf("invalid address")
-	}
-	ip, ok := netip.AddrFromSlice(addr.IP)
-	if !ok {
-		return nil, fmt.Errorf("convert %s to netip.Addr", addr)
-	}
-
-	addrPort := netip.AddrPortFrom(ip.Unmap(), uint16(addr.Port))
-	return &bind.Endpoint{AddrPort: addrPort}, nil
-}
--- a/client/iface/wgproxy/ebpf/proxy.go
+++ b/client/iface/wgproxy/ebpf/proxy.go
@@ -8,6 +8,8 @@ import (
 	"net"
 	"sync"

+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
 	"github.com/hashicorp/go-multierror"
 	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"
@@ -24,10 +26,13 @@ const (
 	loopbackAddr = "127.0.0.1"
 )

+var (
+	localHostNetIP = net.ParseIP("127.0.0.1")
+)
+
 // WGEBPFProxy definition for proxy with EBPF support
 type WGEBPFProxy struct {
 	localWGListenPort int
-	proxyPort         int
 	mtu               uint16

 	ebpfManager   ebpfMgr.Manager
@@ -35,8 +40,7 @@ type WGEBPFProxy struct {
 	turnConnMutex sync.Mutex

 	lastUsedPort uint16
-	rawConnIPv4  net.PacketConn
-	rawConnIPv6  net.PacketConn
+	rawConn      net.PacketConn
 	conn         transport.UDPConn

 	ctx       context.Context
@@ -58,39 +62,23 @@ func NewWGEBPFProxy(wgPort int, mtu uint16) *WGEBPFProxy {
 // Listen load ebpf program and listen the proxy
 func (p *WGEBPFProxy) Listen() error {
 	pl := portLookup{}
-	proxyPort, err := pl.searchFreePort()
-	if err != nil {
-		return err
-	}
-	p.proxyPort = proxyPort
-
-	// Prepare IPv4 raw socket (required)
-	p.rawConnIPv4, err = rawsocket.PrepareSenderRawSocketIPv4()
+	wgPorxyPort, err := pl.searchFreePort()
 	if err != nil {
 		return err
 	}

-	// Prepare IPv6 raw socket (optional)
-	p.rawConnIPv6, err = rawsocket.PrepareSenderRawSocketIPv6()
+	p.rawConn, err = rawsocket.PrepareSenderRawSocket()
 	if err != nil {
-		log.Warnf("failed to prepare IPv6 raw socket, continuing with IPv4 only: %v", err)
+		return err
 	}

-	err = p.ebpfManager.LoadWgProxy(proxyPort, p.localWGListenPort)
+	err = p.ebpfManager.LoadWgProxy(wgPorxyPort, p.localWGListenPort)
 	if err != nil {
-		if closeErr := p.rawConnIPv4.Close(); closeErr != nil {
-			log.Warnf("failed to close IPv4 raw socket: %v", closeErr)
-		}
-		if p.rawConnIPv6 != nil {
-			if closeErr := p.rawConnIPv6.Close(); closeErr != nil {
-				log.Warnf("failed to close IPv6 raw socket: %v", closeErr)
-			}
-		}
 		return err
 	}

 	addr := net.UDPAddr{
-		Port: proxyPort,
+		Port: wgPorxyPort,
 		IP:   net.ParseIP(loopbackAddr),
 	}

@@ -106,7 +94,7 @@ func (p *WGEBPFProxy) Listen() error {
 	p.conn = conn

 	go p.proxyToRemote()
-	log.Infof("local wg proxy listening on: %d", proxyPort)
+	log.Infof("local wg proxy listening on: %d", wgPorxyPort)
 	return nil
 }

@@ -147,25 +135,12 @@ func (p *WGEBPFProxy) Free() error {
 		result = multierror.Append(result, err)
 	}

-	if p.rawConnIPv4 != nil {
-		if err := p.rawConnIPv4.Close(); err != nil {
-			result = multierror.Append(result, err)
-		}
-	}
-
-	if p.rawConnIPv6 != nil {
-		if err := p.rawConnIPv6.Close(); err != nil {
-			result = multierror.Append(result, err)
-		}
+	if err := p.rawConn.Close(); err != nil {
+		result = multierror.Append(result, err)
 	}
 	return nberrors.FormatErrorOrNil(result)
 }

-// GetProxyPort returns the proxy listening port.
-func (p *WGEBPFProxy) GetProxyPort() uint16 {
-	return uint16(p.proxyPort)
-}
-
 // proxyToRemote read messages from local WireGuard interface and forward it to remote conn
 // From this go routine has only one instance.
 func (p *WGEBPFProxy) proxyToRemote() {
@@ -241,3 +216,34 @@ generatePort:
 	}
 	return p.lastUsedPort, nil
 }
+
+func (p *WGEBPFProxy) sendPkg(data []byte, endpointAddr *net.UDPAddr) error {
+	payload := gopacket.Payload(data)
+	ipH := &layers.IPv4{
+		DstIP:    localHostNetIP,
+		SrcIP:    endpointAddr.IP,
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolUDP,
+	}
+	udpH := &layers.UDP{
+		SrcPort: layers.UDPPort(endpointAddr.Port),
+		DstPort: layers.UDPPort(p.localWGListenPort),
+	}
+
+	err := udpH.SetNetworkLayerForChecksum(ipH)
+	if err != nil {
+		return fmt.Errorf("set network layer for checksum: %w", err)
+	}
+
+	layerBuffer := gopacket.NewSerializeBuffer()
+
+	err = gopacket.SerializeLayers(layerBuffer, gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}, ipH, udpH, payload)
+	if err != nil {
+		return fmt.Errorf("serialize layers: %w", err)
+	}
+	if _, err = p.rawConn.WriteTo(layerBuffer.Bytes(), &net.IPAddr{IP: localHostNetIP}); err != nil {
+		return fmt.Errorf("write to raw conn: %w", err)
+	}
+	return nil
+}
--- a/client/iface/wgproxy/ebpf/wrapper.go
+++ b/client/iface/wgproxy/ebpf/wrapper.go
@@ -10,89 +10,12 @@ import (
 	"net"
 	"sync"

-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )

-var (
-	errIPv6ConnNotAvailable = errors.New("IPv6 endpoint but rawConnIPv6 is not available")
-	errIPv4ConnNotAvailable = errors.New("IPv4 endpoint but rawConnIPv4 is not available")
-
-	localHostNetIPv4 = net.ParseIP("127.0.0.1")
-	localHostNetIPv6 = net.ParseIP("::1")
-
-	serializeOpts = gopacket.SerializeOptions{
-		ComputeChecksums: true,
-		FixLengths:       true,
-	}
-)
-
-// PacketHeaders holds pre-created headers and buffers for efficient packet sending
-type PacketHeaders struct {
-	ipH           gopacket.SerializableLayer
-	udpH          *layers.UDP
-	layerBuffer   gopacket.SerializeBuffer
-	localHostAddr net.IP
-	isIPv4        bool
-}
-
-func NewPacketHeaders(localWGListenPort int, endpoint *net.UDPAddr) (*PacketHeaders, error) {
-	var ipH gopacket.SerializableLayer
-	var networkLayer gopacket.NetworkLayer
-	var localHostAddr net.IP
-	var isIPv4 bool
-
-	// Check if source address is IPv4 or IPv6
-	if endpoint.IP.To4() != nil {
-		// IPv4 path
-		ipv4 := &layers.IPv4{
-			DstIP:    localHostNetIPv4,
-			SrcIP:    endpoint.IP,
-			Version:  4,
-			TTL:      64,
-			Protocol: layers.IPProtocolUDP,
-		}
-		ipH = ipv4
-		networkLayer = ipv4
-		localHostAddr = localHostNetIPv4
-		isIPv4 = true
-	} else {
-		// IPv6 path
-		ipv6 := &layers.IPv6{
-			DstIP:      localHostNetIPv6,
-			SrcIP:      endpoint.IP,
-			Version:    6,
-			HopLimit:   64,
-			NextHeader: layers.IPProtocolUDP,
-		}
-		ipH = ipv6
-		networkLayer = ipv6
-		localHostAddr = localHostNetIPv6
-		isIPv4 = false
-	}
-
-	udpH := &layers.UDP{
-		SrcPort: layers.UDPPort(endpoint.Port),
-		DstPort: layers.UDPPort(localWGListenPort),
-	}
-
-	if err := udpH.SetNetworkLayerForChecksum(networkLayer); err != nil {
-		return nil, fmt.Errorf("set network layer for checksum: %w", err)
-	}
-
-	return &PacketHeaders{
-		ipH:           ipH,
-		udpH:          udpH,
-		layerBuffer:   gopacket.NewSerializeBuffer(),
-		localHostAddr: localHostAddr,
-		isIPv4:        isIPv4,
-	}, nil
-}
-
 // ProxyWrapper help to keep the remoteConn instance for net.Conn.Close function call
 type ProxyWrapper struct {
 	wgeBPFProxy *WGEBPFProxy
@@ -101,10 +24,8 @@ type ProxyWrapper struct {
 	ctx        context.Context
 	cancel     context.CancelFunc

-	wgRelayedEndpointAddr *net.UDPAddr
-	headers               *PacketHeaders
-	headerCurrentUsed     *PacketHeaders
-	rawConn               net.PacketConn
+	wgRelayedEndpointAddr     *net.UDPAddr
+	wgEndpointCurrentUsedAddr *net.UDPAddr

 	paused     bool
 	pausedCond *sync.Cond
@@ -120,32 +41,15 @@ func NewProxyWrapper(proxy *WGEBPFProxy) *ProxyWrapper {
 		closeListener: listener.NewCloseListener(),
 	}
 }
-
-func (p *ProxyWrapper) AddTurnConn(ctx context.Context, _ *net.UDPAddr, remoteConn net.Conn) error {
+func (p *ProxyWrapper) AddTurnConn(ctx context.Context, endpoint *net.UDPAddr, remoteConn net.Conn) error {
 	addr, err := p.wgeBPFProxy.AddTurnConn(remoteConn)
 	if err != nil {
 		return fmt.Errorf("add turn conn: %w", err)
 	}
-
-	headers, err := NewPacketHeaders(p.wgeBPFProxy.localWGListenPort, addr)
-	if err != nil {
-		return fmt.Errorf("create packet sender: %w", err)
-	}
-
-	// Check if required raw connection is available
-	if !headers.isIPv4 && p.wgeBPFProxy.rawConnIPv6 == nil {
-		return errIPv6ConnNotAvailable
-	}
-	if headers.isIPv4 && p.wgeBPFProxy.rawConnIPv4 == nil {
-		return errIPv4ConnNotAvailable
-	}
-
 	p.remoteConn = remoteConn
 	p.ctx, p.cancel = context.WithCancel(ctx)
 	p.wgRelayedEndpointAddr = addr
-	p.headers = headers
-	p.rawConn = p.selectRawConn(headers)
-	return nil
+	return err
 }

 func (p *ProxyWrapper) EndpointAddr() *net.UDPAddr {
@@ -164,8 +68,7 @@ func (p *ProxyWrapper) Work() {
 	p.pausedCond.L.Lock()
 	p.paused = false

-	p.headerCurrentUsed = p.headers
-	p.rawConn = p.selectRawConn(p.headerCurrentUsed)
+	p.wgEndpointCurrentUsedAddr = p.wgRelayedEndpointAddr

 	if !p.isStarted {
 		p.isStarted = true
@@ -188,32 +91,10 @@ func (p *ProxyWrapper) Pause() {
 }

 func (p *ProxyWrapper) RedirectAs(endpoint *net.UDPAddr) {
-	if endpoint == nil || endpoint.IP == nil {
-		log.Errorf("failed to start package redirection, endpoint is nil")
-		return
-	}
-
-	header, err := NewPacketHeaders(p.wgeBPFProxy.localWGListenPort, endpoint)
-	if err != nil {
-		log.Errorf("failed to create packet headers: %s", err)
-		return
-	}
-
-	// Check if required raw connection is available
-	if !header.isIPv4 && p.wgeBPFProxy.rawConnIPv6 == nil {
-		log.Error(errIPv6ConnNotAvailable)
-		return
-	}
-	if header.isIPv4 && p.wgeBPFProxy.rawConnIPv4 == nil {
-		log.Error(errIPv4ConnNotAvailable)
-		return
-	}
-
 	p.pausedCond.L.Lock()
 	p.paused = false

-	p.headerCurrentUsed = header
-	p.rawConn = p.selectRawConn(header)
+	p.wgEndpointCurrentUsedAddr = endpoint

 	p.pausedCond.Signal()
 	p.pausedCond.L.Unlock()
@@ -255,7 +136,7 @@ func (p *ProxyWrapper) proxyToLocal(ctx context.Context) {
 			p.pausedCond.Wait()
 		}

-		err = p.sendPkg(buf[:n], p.headerCurrentUsed)
+		err = p.wgeBPFProxy.sendPkg(buf[:n], p.wgEndpointCurrentUsedAddr)
 		p.pausedCond.L.Unlock()

 		if err != nil {
@@ -281,29 +162,3 @@ func (p *ProxyWrapper) readFromRemote(ctx context.Context, buf []byte) (int, err
 	}
 	return n, nil
 }
-
-func (p *ProxyWrapper) sendPkg(data []byte, header *PacketHeaders) error {
-	defer func() {
-		if err := header.layerBuffer.Clear(); err != nil {
-			log.Errorf("failed to clear layer buffer: %s", err)
-		}
-	}()
-
-	payload := gopacket.Payload(data)
-
-	if err := gopacket.SerializeLayers(header.layerBuffer, serializeOpts, header.ipH, header.udpH, payload); err != nil {
-		return fmt.Errorf("serialize layers: %w", err)
-	}
-
-	if _, err := p.rawConn.WriteTo(header.layerBuffer.Bytes(), &net.IPAddr{IP: header.localHostAddr}); err != nil {
-		return fmt.Errorf("write to raw conn: %w", err)
-	}
-	return nil
-}
-
-func (p *ProxyWrapper) selectRawConn(header *PacketHeaders) net.PacketConn {
-	if header.isIPv4 {
-		return p.wgeBPFProxy.rawConnIPv4
-	}
-	return p.wgeBPFProxy.rawConnIPv6
-}
--- a/client/iface/wgproxy/factory_kernel.go
+++ b/client/iface/wgproxy/factory_kernel.go
@@ -54,14 +54,6 @@ func (w *KernelFactory) GetProxy() Proxy {
 	return ebpf.NewProxyWrapper(w.ebpfProxy)
 }

-// GetProxyPort returns the eBPF proxy port, or 0 if eBPF is not active.
-func (w *KernelFactory) GetProxyPort() uint16 {
-	if w.ebpfProxy == nil {
-		return 0
-	}
-	return w.ebpfProxy.GetProxyPort()
-}
-
 func (w *KernelFactory) Free() error {
 	if w.ebpfProxy == nil {
 		return nil
--- a/client/iface/wgproxy/factory_usp.go
+++ b/client/iface/wgproxy/factory_usp.go
@@ -24,11 +24,6 @@ func (w *USPFactory) GetProxy() Proxy {
 	return proxyBind.NewProxyBind(w.bind, w.mtu)
 }

-// GetProxyPort returns 0 as userspace WireGuard doesn't use a separate proxy port.
-func (w *USPFactory) GetProxyPort() uint16 {
-	return 0
-}
-
 func (w *USPFactory) Free() error {
 	return nil
 }
--- a/client/iface/wgproxy/rawsocket/rawsocket.go
+++ b/client/iface/wgproxy/rawsocket/rawsocket.go
@@ -8,87 +8,43 @@ import (
 	"os"
 	"syscall"

-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
-
 	nbnet "github.com/netbirdio/netbird/client/net"
 )

-// PrepareSenderRawSocketIPv4 creates and configures a raw socket for sending IPv4 packets
-func PrepareSenderRawSocketIPv4() (net.PacketConn, error) {
-	return prepareSenderRawSocket(syscall.AF_INET, true)
-}
-
-// PrepareSenderRawSocketIPv6 creates and configures a raw socket for sending IPv6 packets
-func PrepareSenderRawSocketIPv6() (net.PacketConn, error) {
-	return prepareSenderRawSocket(syscall.AF_INET6, false)
-}
-
-func prepareSenderRawSocket(family int, isIPv4 bool) (net.PacketConn, error) {
+func PrepareSenderRawSocket() (net.PacketConn, error) {
 	// Create a raw socket.
-	fd, err := syscall.Socket(family, syscall.SOCK_RAW, syscall.IPPROTO_RAW)
+	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_RAW)
 	if err != nil {
 		return nil, fmt.Errorf("creating raw socket failed: %w", err)
 	}

-	// Set the header include option on the socket to tell the kernel that headers are included in the packet.
-	// For IPv4, we need to set IP_HDRINCL. For IPv6, we need to set IPV6_HDRINCL to accept application-provided IPv6 headers.
-	if isIPv4 {
-		err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, unix.IP_HDRINCL, 1)
-		if err != nil {
-			if closeErr := syscall.Close(fd); closeErr != nil {
-				log.Warnf("failed to close raw socket fd: %v", closeErr)
-			}
-			return nil, fmt.Errorf("setting IP_HDRINCL failed: %w", err)
-		}
-	} else {
-		err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IPV6, unix.IPV6_HDRINCL, 1)
-		if err != nil {
-			if closeErr := syscall.Close(fd); closeErr != nil {
-				log.Warnf("failed to close raw socket fd: %v", closeErr)
-			}
-			return nil, fmt.Errorf("setting IPV6_HDRINCL failed: %w", err)
-		}
+	// Set the IP_HDRINCL option on the socket to tell the kernel that headers are included in the packet.
+	err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_HDRINCL, 1)
+	if err != nil {
+		return nil, fmt.Errorf("setting IP_HDRINCL failed: %w", err)
 	}

 	// Bind the socket to the "lo" interface.
 	err = syscall.SetsockoptString(fd, syscall.SOL_SOCKET, syscall.SO_BINDTODEVICE, "lo")
 	if err != nil {
-		if closeErr := syscall.Close(fd); closeErr != nil {
-			log.Warnf("failed to close raw socket fd: %v", closeErr)
-		}
 		return nil, fmt.Errorf("binding to lo interface failed: %w", err)
 	}

 	// Set the fwmark on the socket.
 	err = nbnet.SetSocketOpt(fd)
 	if err != nil {
-		if closeErr := syscall.Close(fd); closeErr != nil {
-			log.Warnf("failed to close raw socket fd: %v", closeErr)
-		}
 		return nil, fmt.Errorf("setting fwmark failed: %w", err)
 	}

 	// Convert the file descriptor to a PacketConn.
 	file := os.NewFile(uintptr(fd), fmt.Sprintf("fd %d", fd))
 	if file == nil {
-		if closeErr := syscall.Close(fd); closeErr != nil {
-			log.Warnf("failed to close raw socket fd: %v", closeErr)
-		}
 		return nil, fmt.Errorf("converting fd to file failed")
 	}
 	packetConn, err := net.FilePacketConn(file)
 	if err != nil {
-		if closeErr := file.Close(); closeErr != nil {
-			log.Warnf("failed to close file: %v", closeErr)
-		}
 		return nil, fmt.Errorf("converting file to packet conn failed: %w", err)
 	}

-	// Close the original file to release the FD (net.FilePacketConn duplicates it)
-	if closeErr := file.Close(); closeErr != nil {
-		log.Warnf("failed to close file after creating packet conn: %v", closeErr)
-	}
-
 	return packetConn, nil
 }
--- a/client/iface/wgproxy/redirect_test.go
+++ b/client/iface/wgproxy/redirect_test.go
@@ -1,353 +0,0 @@
-//go:build linux && !android
-
-package wgproxy
-
-import (
-	"context"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/netbirdio/netbird/client/iface/wgproxy/ebpf"
-	"github.com/netbirdio/netbird/client/iface/wgproxy/udp"
-)
-
-// compareUDPAddr compares two UDP addresses, ignoring IPv6 zone IDs
-// IPv6 link-local addresses include zone IDs (e.g., fe80::1%lo) which we should ignore
-func compareUDPAddr(addr1, addr2 net.Addr) bool {
-	udpAddr1, ok1 := addr1.(*net.UDPAddr)
-	udpAddr2, ok2 := addr2.(*net.UDPAddr)
-
-	if !ok1 || !ok2 {
-		return addr1.String() == addr2.String()
-	}
-
-	// Compare IP and Port, ignoring zone
-	return udpAddr1.IP.Equal(udpAddr2.IP) && udpAddr1.Port == udpAddr2.Port
-}
-
-// TestRedirectAs_eBPF_IPv4 tests RedirectAs with eBPF proxy using IPv4 addresses
-func TestRedirectAs_eBPF_IPv4(t *testing.T) {
-	wgPort := 51850
-	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, 1280)
-	if err := ebpfProxy.Listen(); err != nil {
-		t.Fatalf("failed to initialize ebpf proxy: %v", err)
-	}
-	defer func() {
-		if err := ebpfProxy.Free(); err != nil {
-			t.Errorf("failed to free ebpf proxy: %v", err)
-		}
-	}()
-
-	proxy := ebpf.NewProxyWrapper(ebpfProxy)
-
-	// NetBird UDP address of the remote peer
-	nbAddr := &net.UDPAddr{
-		IP:   net.ParseIP("100.108.111.177"),
-		Port: 38746,
-	}
-
-	p2pEndpoint := &net.UDPAddr{
-		IP:   net.ParseIP("192.168.0.56"),
-		Port: 51820,
-	}
-
-	testRedirectAs(t, proxy, wgPort, nbAddr, p2pEndpoint)
-}
-
-// TestRedirectAs_eBPF_IPv6 tests RedirectAs with eBPF proxy using IPv6 addresses
-func TestRedirectAs_eBPF_IPv6(t *testing.T) {
-	wgPort := 51851
-	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, 1280)
-	if err := ebpfProxy.Listen(); err != nil {
-		t.Fatalf("failed to initialize ebpf proxy: %v", err)
-	}
-	defer func() {
-		if err := ebpfProxy.Free(); err != nil {
-			t.Errorf("failed to free ebpf proxy: %v", err)
-		}
-	}()
-
-	proxy := ebpf.NewProxyWrapper(ebpfProxy)
-
-	// NetBird UDP address of the remote peer
-	nbAddr := &net.UDPAddr{
-		IP:   net.ParseIP("100.108.111.177"),
-		Port: 38746,
-	}
-
-	p2pEndpoint := &net.UDPAddr{
-		IP:   net.ParseIP("fe80::56"),
-		Port: 51820,
-	}
-
-	testRedirectAs(t, proxy, wgPort, nbAddr, p2pEndpoint)
-}
-
-// TestRedirectAs_UDP_IPv4 tests RedirectAs with UDP proxy using IPv4 addresses
-func TestRedirectAs_UDP_IPv4(t *testing.T) {
-	wgPort := 51852
-	proxy := udp.NewWGUDPProxy(wgPort, 1280)
-
-	// NetBird UDP address of the remote peer
-	nbAddr := &net.UDPAddr{
-		IP:   net.ParseIP("100.108.111.177"),
-		Port: 38746,
-	}
-
-	p2pEndpoint := &net.UDPAddr{
-		IP:   net.ParseIP("192.168.0.56"),
-		Port: 51820,
-	}
-
-	testRedirectAs(t, proxy, wgPort, nbAddr, p2pEndpoint)
-}
-
-// TestRedirectAs_UDP_IPv6 tests RedirectAs with UDP proxy using IPv6 addresses
-func TestRedirectAs_UDP_IPv6(t *testing.T) {
-	wgPort := 51853
-	proxy := udp.NewWGUDPProxy(wgPort, 1280)
-
-	// NetBird UDP address of the remote peer
-	nbAddr := &net.UDPAddr{
-		IP:   net.ParseIP("100.108.111.177"),
-		Port: 38746,
-	}
-
-	p2pEndpoint := &net.UDPAddr{
-		IP:   net.ParseIP("fe80::56"),
-		Port: 51820,
-	}
-
-	testRedirectAs(t, proxy, wgPort, nbAddr, p2pEndpoint)
-}
-
-// testRedirectAs is a helper function that tests the RedirectAs functionality
-// It verifies that:
-// 1. Initial traffic from relay connection works
-// 2. After calling RedirectAs, packets appear to come from the p2p endpoint
-// 3. Multiple packets are correctly redirected with the new source address
-func testRedirectAs(t *testing.T, proxy Proxy, wgPort int, nbAddr, p2pEndpoint *net.UDPAddr) {
-	t.Helper()
-
-	ctx := context.Background()
-
-	// Create WireGuard listeners on both IPv4 and IPv6 to support both P2P connection types
-	// In reality, WireGuard binds to a port and receives from both IPv4 and IPv6
-	wgListener4, err := net.ListenUDP("udp4", &net.UDPAddr{
-		IP:   net.ParseIP("127.0.0.1"),
-		Port: wgPort,
-	})
-	if err != nil {
-		t.Fatalf("failed to create IPv4 WireGuard listener: %v", err)
-	}
-	defer wgListener4.Close()
-
-	wgListener6, err := net.ListenUDP("udp6", &net.UDPAddr{
-		IP:   net.ParseIP("::1"),
-		Port: wgPort,
-	})
-	if err != nil {
-		t.Fatalf("failed to create IPv6 WireGuard listener: %v", err)
-	}
-	defer wgListener6.Close()
-
-	// Determine which listener to use based on the NetBird address IP version
-	// (this is where initial traffic will come from before RedirectAs is called)
-	var wgListener *net.UDPConn
-	if p2pEndpoint.IP.To4() == nil {
-		wgListener = wgListener6
-	} else {
-		wgListener = wgListener4
-	}
-
-	// Create relay server and connection
-	relayServer, err := net.ListenUDP("udp", &net.UDPAddr{
-		IP:   net.ParseIP("127.0.0.1"),
-		Port: 0, // Random port
-	})
-	if err != nil {
-		t.Fatalf("failed to create relay server: %v", err)
-	}
-	defer relayServer.Close()
-
-	relayConn, err := net.Dial("udp", relayServer.LocalAddr().String())
-	if err != nil {
-		t.Fatalf("failed to create relay connection: %v", err)
-	}
-	defer relayConn.Close()
-
-	// Add TURN connection to proxy
-	if err := proxy.AddTurnConn(ctx, nbAddr, relayConn); err != nil {
-		t.Fatalf("failed to add TURN connection: %v", err)
-	}
-	defer func() {
-		if err := proxy.CloseConn(); err != nil {
-			t.Errorf("failed to close proxy connection: %v", err)
-		}
-	}()
-
-	// Start the proxy
-	proxy.Work()
-
-	// Phase 1: Test initial relay traffic
-	msgFromRelay := []byte("hello from relay")
-	if _, err := relayServer.WriteTo(msgFromRelay, relayConn.LocalAddr()); err != nil {
-		t.Fatalf("failed to write to relay server: %v", err)
-	}
-
-	// Set read deadline to avoid hanging
-	if err := wgListener4.SetReadDeadline(time.Now().Add(2 * time.Second)); err != nil {
-		t.Fatalf("failed to set read deadline: %v", err)
-	}
-
-	buf := make([]byte, 1024)
-	n, _, err := wgListener4.ReadFrom(buf)
-	if err != nil {
-		t.Fatalf("failed to read from WireGuard listener: %v", err)
-	}
-
-	if n != len(msgFromRelay) {
-		t.Errorf("expected %d bytes, got %d", len(msgFromRelay), n)
-	}
-
-	if string(buf[:n]) != string(msgFromRelay) {
-		t.Errorf("expected message %q, got %q", msgFromRelay, buf[:n])
-	}
-
-	// Phase 2: Redirect to p2p endpoint
-	proxy.RedirectAs(p2pEndpoint)
-
-	// Give the proxy a moment to process the redirect
-	time.Sleep(100 * time.Millisecond)
-
-	// Phase 3: Test redirected traffic
-	redirectedMessages := [][]byte{
-		[]byte("redirected message 1"),
-		[]byte("redirected message 2"),
-		[]byte("redirected message 3"),
-	}
-
-	for i, msg := range redirectedMessages {
-		if _, err := relayServer.WriteTo(msg, relayConn.LocalAddr()); err != nil {
-			t.Fatalf("failed to write redirected message %d: %v", i+1, err)
-		}
-
-		if err := wgListener.SetReadDeadline(time.Now().Add(2 * time.Second)); err != nil {
-			t.Fatalf("failed to set read deadline: %v", err)
-		}
-
-		n, srcAddr, err := wgListener.ReadFrom(buf)
-		if err != nil {
-			t.Fatalf("failed to read redirected message %d: %v", i+1, err)
-		}
-
-		// Verify message content
-		if string(buf[:n]) != string(msg) {
-			t.Errorf("message %d: expected %q, got %q", i+1, msg, buf[:n])
-		}
-
-		// Verify source address matches p2p endpoint (this is the key test)
-		// Use compareUDPAddr to ignore IPv6 zone IDs
-		if !compareUDPAddr(srcAddr, p2pEndpoint) {
-			t.Errorf("message %d: expected source address %s, got %s",
-				i+1, p2pEndpoint.String(), srcAddr.String())
-		}
-	}
-}
-
-// TestRedirectAs_Multiple_Switches tests switching between multiple endpoints
-func TestRedirectAs_Multiple_Switches(t *testing.T) {
-	wgPort := 51856
-	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, 1280)
-	if err := ebpfProxy.Listen(); err != nil {
-		t.Fatalf("failed to initialize ebpf proxy: %v", err)
-	}
-	defer func() {
-		if err := ebpfProxy.Free(); err != nil {
-			t.Errorf("failed to free ebpf proxy: %v", err)
-		}
-	}()
-
-	proxy := ebpf.NewProxyWrapper(ebpfProxy)
-
-	ctx := context.Background()
-
-	// Create WireGuard listener
-	wgListener, err := net.ListenUDP("udp4", &net.UDPAddr{
-		IP:   net.ParseIP("127.0.0.1"),
-		Port: wgPort,
-	})
-	if err != nil {
-		t.Fatalf("failed to create WireGuard listener: %v", err)
-	}
-	defer wgListener.Close()
-
-	// Create relay server and connection
-	relayServer, err := net.ListenUDP("udp", &net.UDPAddr{
-		IP:   net.ParseIP("127.0.0.1"),
-		Port: 0,
-	})
-	if err != nil {
-		t.Fatalf("failed to create relay server: %v", err)
-	}
-	defer relayServer.Close()
-
-	relayConn, err := net.Dial("udp", relayServer.LocalAddr().String())
-	if err != nil {
-		t.Fatalf("failed to create relay connection: %v", err)
-	}
-	defer relayConn.Close()
-
-	nbAddr := &net.UDPAddr{
-		IP:   net.ParseIP("100.108.111.177"),
-		Port: 38746,
-	}
-
-	if err := proxy.AddTurnConn(ctx, nbAddr, relayConn); err != nil {
-		t.Fatalf("failed to add TURN connection: %v", err)
-	}
-	defer func() {
-		if err := proxy.CloseConn(); err != nil {
-			t.Errorf("failed to close proxy connection: %v", err)
-		}
-	}()
-
-	proxy.Work()
-
-	// Test switching between multiple endpoints - using addresses in local subnet
-	endpoints := []*net.UDPAddr{
-		{IP: net.ParseIP("192.168.0.100"), Port: 51820},
-		{IP: net.ParseIP("192.168.0.101"), Port: 51821},
-		{IP: net.ParseIP("192.168.0.102"), Port: 51822},
-	}
-
-	for i, endpoint := range endpoints {
-		proxy.RedirectAs(endpoint)
-		time.Sleep(100 * time.Millisecond)
-
-		msg := []byte("test message")
-		if _, err := relayServer.WriteTo(msg, relayConn.LocalAddr()); err != nil {
-			t.Fatalf("failed to write message for endpoint %d: %v", i, err)
-		}
-
-		buf := make([]byte, 1024)
-		if err := wgListener.SetReadDeadline(time.Now().Add(2 * time.Second)); err != nil {
-			t.Fatalf("failed to set read deadline: %v", err)
-		}
-
-		n, srcAddr, err := wgListener.ReadFrom(buf)
-		if err != nil {
-			t.Fatalf("failed to read message for endpoint %d: %v", i, err)
-		}
-
-		if string(buf[:n]) != string(msg) {
-			t.Errorf("endpoint %d: expected message %q, got %q", i, msg, buf[:n])
-		}
-
-		if !compareUDPAddr(srcAddr, endpoint) {
-			t.Errorf("endpoint %d: expected source %s, got %s",
-				i, endpoint.String(), srcAddr.String())
-		}
-	}
-}
--- a/client/iface/wgproxy/udp/proxy.go
+++ b/client/iface/wgproxy/udp/proxy.go
@@ -56,7 +56,7 @@ func NewWGUDPProxy(wgPort int, mtu uint16) *WGUDPProxy {
 // the connection is complete, an error is returned. Once successfully
 // connected, any expiration of the context will not affect the
 // connection.
-func (p *WGUDPProxy) AddTurnConn(ctx context.Context, _ *net.UDPAddr, remoteConn net.Conn) error {
+func (p *WGUDPProxy) AddTurnConn(ctx context.Context, endpoint *net.UDPAddr, remoteConn net.Conn) error {
 	dialer := net.Dialer{}
 	localConn, err := dialer.DialContext(ctx, "udp", fmt.Sprintf(":%d", p.localWGListenPort))
 	if err != nil {
--- a/client/iface/wgproxy/udp/rawsocket.go
+++ b/client/iface/wgproxy/udp/rawsocket.go
@@ -19,56 +19,37 @@ var (
 		FixLengths:       true,
 	}

-	localHostNetIPAddrV4 = &net.IPAddr{
+	localHostNetIPAddr = &net.IPAddr{
 		IP: net.ParseIP("127.0.0.1"),
 	}
-	localHostNetIPAddrV6 = &net.IPAddr{
-		IP: net.ParseIP("::1"),
-	}
 )

 type SrcFaker struct {
 	srcAddr *net.UDPAddr

-	rawSocket     net.PacketConn
-	ipH           gopacket.SerializableLayer
-	udpH          gopacket.SerializableLayer
-	layerBuffer   gopacket.SerializeBuffer
-	localHostAddr *net.IPAddr
+	rawSocket   net.PacketConn
+	ipH         gopacket.SerializableLayer
+	udpH        gopacket.SerializableLayer
+	layerBuffer gopacket.SerializeBuffer
 }

 func NewSrcFaker(dstPort int, srcAddr *net.UDPAddr) (*SrcFaker, error) {
-	// Create only the raw socket for the address family we need
-	var rawSocket net.PacketConn
-	var err error
-	var localHostAddr *net.IPAddr
-
-	if srcAddr.IP.To4() != nil {
-		rawSocket, err = rawsocket.PrepareSenderRawSocketIPv4()
-		localHostAddr = localHostNetIPAddrV4
-	} else {
-		rawSocket, err = rawsocket.PrepareSenderRawSocketIPv6()
-		localHostAddr = localHostNetIPAddrV6
-	}
+	rawSocket, err := rawsocket.PrepareSenderRawSocket()
 	if err != nil {
 		return nil, err
 	}

 	ipH, udpH, err := prepareHeaders(dstPort, srcAddr)
 	if err != nil {
-		if closeErr := rawSocket.Close(); closeErr != nil {
-			log.Warnf("failed to close raw socket: %v", closeErr)
-		}
 		return nil, err
 	}

 	f := &SrcFaker{
-		srcAddr:       srcAddr,
-		rawSocket:     rawSocket,
-		ipH:           ipH,
-		udpH:          udpH,
-		layerBuffer:   gopacket.NewSerializeBuffer(),
-		localHostAddr: localHostAddr,
+		srcAddr:     srcAddr,
+		rawSocket:   rawSocket,
+		ipH:         ipH,
+		udpH:        udpH,
+		layerBuffer: gopacket.NewSerializeBuffer(),
 	}

 	return f, nil
@@ -91,7 +72,7 @@ func (f *SrcFaker) SendPkg(data []byte) (int, error) {
 	if err != nil {
 		return 0, fmt.Errorf("serialize layers: %w", err)
 	}
-	n, err := f.rawSocket.WriteTo(f.layerBuffer.Bytes(), f.localHostAddr)
+	n, err := f.rawSocket.WriteTo(f.layerBuffer.Bytes(), localHostNetIPAddr)
 	if err != nil {
 		return 0, fmt.Errorf("write to raw conn: %w", err)
 	}
@@ -99,40 +80,19 @@ func (f *SrcFaker) SendPkg(data []byte) (int, error) {
 }

 func prepareHeaders(dstPort int, srcAddr *net.UDPAddr) (gopacket.SerializableLayer, gopacket.SerializableLayer, error) {
-	var ipH gopacket.SerializableLayer
-	var networkLayer gopacket.NetworkLayer
-
-	// Check if source IP is IPv4 or IPv6
-	if srcAddr.IP.To4() != nil {
-		// IPv4
-		ipv4 := &layers.IPv4{
-			DstIP:    localHostNetIPAddrV4.IP,
-			SrcIP:    srcAddr.IP,
-			Version:  4,
-			TTL:      64,
-			Protocol: layers.IPProtocolUDP,
-		}
-		ipH = ipv4
-		networkLayer = ipv4
-	} else {
-		// IPv6
-		ipv6 := &layers.IPv6{
-			DstIP:      localHostNetIPAddrV6.IP,
-			SrcIP:      srcAddr.IP,
-			Version:    6,
-			HopLimit:   64,
-			NextHeader: layers.IPProtocolUDP,
-		}
-		ipH = ipv6
-		networkLayer = ipv6
+	ipH := &layers.IPv4{
+		DstIP:    net.ParseIP("127.0.0.1"),
+		SrcIP:    srcAddr.IP,
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolUDP,
 	}
-
 	udpH := &layers.UDP{
 		SrcPort: layers.UDPPort(srcAddr.Port),
 		DstPort: layers.UDPPort(dstPort), // dst is the localhost WireGuard port
 	}

-	err := udpH.SetNetworkLayerForChecksum(networkLayer)
+	err := udpH.SetNetworkLayerForChecksum(ipH)
 	if err != nil {
 		return nil, nil, fmt.Errorf("set network layer for checksum: %w", err)
 	}
--- a/client/inspect/config.go
+++ b/client/inspect/config.go
@@ -1,212 +0,0 @@
-package inspect
-
-import (
-	"crypto"
-	"crypto/x509"
-	"net"
-	"net/netip"
-	"net/url"
-	"strings"
-
-	"github.com/netbirdio/netbird/client/internal/acl/id"
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-// InspectResult holds the outcome of connection inspection.
-type InspectResult struct {
-	// Action is the rule evaluation result.
-	Action Action
-	// PassthroughConn is the client connection with buffered peeked bytes.
-	// Non-nil only when Action is ActionAllow and the caller should relay
-	// (TLS passthrough or non-HTTP/TLS protocol). The caller takes ownership
-	// and is responsible for closing this connection.
-	PassthroughConn net.Conn
-}
-
-const (
-	// DefaultTProxyPort is the default TPROXY listener port for kernel mode.
-	// Override with NB_TPROXY_PORT environment variable.
-	DefaultTProxyPort = 22080
-)
-
-// Action determines how the proxy handles a matched connection.
-type Action string
-
-const (
-	// ActionAllow passes the connection through without decryption.
-	ActionAllow Action = "allow"
-	// ActionBlock denies the connection.
-	ActionBlock Action = "block"
-	// ActionInspect decrypts (MITM) and inspects the connection.
-	ActionInspect Action = "inspect"
-)
-
-// ProxyMode determines the proxy operating mode.
-type ProxyMode string
-
-const (
-	// ModeBuiltin uses the built-in proxy with rules and optional ICAP.
-	ModeBuiltin ProxyMode = "builtin"
-	// ModeEnvoy runs a local envoy sidecar for L7 processing.
-	// Go manages envoy lifecycle, config generation, and rule evaluation.
-	// USP path forwards via PROXY protocol v2; kernel path uses nftables redirect.
-	ModeEnvoy ProxyMode = "envoy"
-	// ModeExternal forwards all traffic to an external proxy.
-	ModeExternal ProxyMode = "external"
-)
-
-// PolicyID is the management policy identifier associated with a connection.
-type PolicyID []byte
-
-// MatchDomain reports whether target matches the pattern.
-// If pattern starts with "*.", it matches any subdomain (but not the base itself).
-// Otherwise it requires an exact match.
-func MatchDomain(pattern, target domain.Domain) bool {
-	p := pattern.PunycodeString()
-	t := target.PunycodeString()
-
-	if strings.HasPrefix(p, "*.") {
-		base := p[2:]
-		return strings.HasSuffix(t, "."+base)
-	}
-
-	return p == t
-}
-
-// SourceInfo carries source identity context for rule evaluation.
-// The source may be a direct WireGuard peer or a host behind
-// a site-to-site gateway.
-type SourceInfo struct {
-	// IP is the original source address from the packet.
-	IP netip.Addr
-	// PolicyID is the management policy that allowed this traffic
-	// through route ACLs.
-	PolicyID PolicyID
-}
-
-// ProtoType identifies a protocol handled by the proxy.
-type ProtoType string
-
-const (
-	ProtoHTTP      ProtoType = "http"
-	ProtoHTTPS     ProtoType = "https"
-	ProtoH2        ProtoType = "h2"
-	ProtoH3        ProtoType = "h3"
-	ProtoWebSocket ProtoType = "websocket"
-	ProtoOther     ProtoType = "other"
-)
-
-// Rule defines a proxy inspection/filtering rule.
-type Rule struct {
-	// ID uniquely identifies this rule.
-	ID id.RuleID
-	// Sources are the source CIDRs this rule applies to.
-	// Includes both direct peer IPs and routed networks behind gateways.
-	Sources []netip.Prefix
-	// Domains are the destination domain patterns to match (via SNI or Host header).
-	// Supports exact match ("example.com") and wildcard ("*.example.com").
-	Domains []domain.Domain
-	// Networks are the destination CIDRs to match.
-	Networks []netip.Prefix
-	// Ports are the destination ports to match. Empty means all ports.
-	Ports []uint16
-	// Protocols restricts which protocols this rule applies to.
-	// Empty means all protocols.
-	Protocols []ProtoType
-	// Paths are URL path patterns to match (HTTP only, requires inspect for HTTPS).
-	// Supports prefix ("/api/"), exact ("/login"), and wildcard ("/admin/*").
-	// Empty means all paths.
-	Paths []string
-	// Action determines what to do with matched connections.
-	Action Action
-	// Priority controls evaluation order. Lower values are evaluated first.
-	Priority int
-}
-
-// ICAPConfig holds ICAP service configuration.
-type ICAPConfig struct {
-	// ReqModURL is the ICAP REQMOD service URL (e.g., icap://server:1344/reqmod).
-	ReqModURL *url.URL
-	// RespModURL is the ICAP RESPMOD service URL (e.g., icap://server:1344/respmod).
-	RespModURL *url.URL
-	// MaxConnections is the connection pool size. Zero uses a default.
-	MaxConnections int
-}
-
-// TLSConfig holds the MITM CA configuration for TLS inspection.
-type TLSConfig struct {
-	// CA is the certificate authority used to sign dynamic certificates.
-	CA *x509.Certificate
-	// CAKey is the CA's private key.
-	CAKey crypto.PrivateKey
-}
-
-// Config holds the transparent proxy configuration.
-type Config struct {
-	// Enabled controls whether the proxy is active.
-	Enabled bool
-	// Mode selects built-in or external proxy operation.
-	Mode ProxyMode
-	// ExternalURL is the upstream proxy URL for ModeExternal.
-	// Supports http:// and socks5:// schemes.
-	ExternalURL *url.URL
-
-	// DefaultAction applies when no rule matches a connection.
-	DefaultAction Action
-
-	// RedirectSources are the source CIDRs whose traffic should be intercepted.
-	// Admin decides: "activate for these users/subnets."
-	// Used for both kernel TPROXY rules and userspace forwarder source filtering.
-	RedirectSources []netip.Prefix
-	// RedirectPorts are the destination ports to intercept. Empty means all ports.
-	RedirectPorts []uint16
-
-	// Rules are the proxy inspection/filtering rules, evaluated in Priority order.
-	Rules []Rule
-
-	// ICAP holds ICAP service configuration. Nil disables ICAP.
-	ICAP *ICAPConfig
-	// TLS holds the MITM CA. Nil means no MITM capability (ActionInspect rules ignored).
-	TLS *TLSConfig
-
-	// Envoy configuration (ModeEnvoy only)
-	Envoy *EnvoyConfig
-
-	// ListenAddr is the TPROXY listen address for kernel mode.
-	// Zero value disables the TPROXY listener.
-	ListenAddr netip.AddrPort
-	// WGNetwork is the WireGuard overlay network prefix.
-	// The proxy blocks dialing destinations inside this network.
-	WGNetwork netip.Prefix
-	// LocalIPChecker reports whether an IP belongs to the routing peer.
-	// Used to prevent SSRF to local services. May be nil.
-	LocalIPChecker LocalIPChecker
-}
-
-// EnvoyConfig holds configuration for the envoy sidecar mode.
-type EnvoyConfig struct {
-	// BinaryPath is the path to the envoy binary.
-	// Empty means search $PATH for "envoy".
-	BinaryPath string
-	// AdminPort is the port for envoy's admin API (health checks, stats).
-	// Zero means auto-assign.
-	AdminPort uint16
-	// Snippets are user-provided config fragments merged into the generated bootstrap.
-	Snippets *EnvoySnippets
-}
-
-// EnvoySnippets holds user-provided YAML fragments for envoy config customization.
-// Only safe snippet types are allowed: filters (HTTP and network) and clusters
-// needed as dependencies for filter services. Listeners and bootstrap overrides
-// are not exposed since we manage the listener and bootstrap.
-type EnvoySnippets struct {
-	// HTTPFilters is YAML injected into the HCM filter chain before the router filter.
-	// Used for ext_authz, rate limiting, Lua, Wasm, RBAC, JWT auth, etc.
-	HTTPFilters string
-	// NetworkFilters is YAML injected into the TLS filter chain before tcp_proxy.
-	// Used for network-level RBAC, rate limiting, ext_authz on raw TCP.
-	NetworkFilters string
-	// Clusters is YAML for additional upstream clusters referenced by filters.
-	// Needed when filters call external services (ext_authz backend, rate limit service).
-	Clusters string
-}
--- a/client/inspect/config_test.go
+++ b/client/inspect/config_test.go
@@ -1,93 +0,0 @@
-package inspect
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-func TestMatchDomain(t *testing.T) {
-	tests := []struct {
-		name    string
-		pattern string
-		target  string
-		want    bool
-	}{
-		{
-			name:    "exact match",
-			pattern: "example.com",
-			target:  "example.com",
-			want:    true,
-		},
-		{
-			name:    "exact no match",
-			pattern: "example.com",
-			target:  "other.com",
-			want:    false,
-		},
-		{
-			name:    "wildcard matches subdomain",
-			pattern: "*.example.com",
-			target:  "foo.example.com",
-			want:    true,
-		},
-		{
-			name:    "wildcard matches deep subdomain",
-			pattern: "*.example.com",
-			target:  "a.b.c.example.com",
-			want:    true,
-		},
-		{
-			name:    "wildcard does not match base",
-			pattern: "*.example.com",
-			target:  "example.com",
-			want:    false,
-		},
-		{
-			name:    "wildcard does not match unrelated",
-			pattern: "*.example.com",
-			target:  "foo.other.com",
-			want:    false,
-		},
-		{
-			name:    "case insensitive exact match",
-			pattern: "Example.COM",
-			target:  "example.com",
-			want:    true,
-		},
-		{
-			name:    "case insensitive wildcard match",
-			pattern: "*.Example.COM",
-			target:  "FOO.example.com",
-			want:    true,
-		},
-		{
-			name:    "wildcard does not match partial suffix",
-			pattern: "*.example.com",
-			target:  "notexample.com",
-			want:    false,
-		},
-		{
-			name:    "unicode domain punycode match",
-			pattern: "*.münchen.de",
-			target:  "sub.xn--mnchen-3ya.de",
-			want:    true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			pattern, err := domain.FromString(tt.pattern)
-			require.NoError(t, err)
-
-			target, err := domain.FromString(tt.target)
-			require.NoError(t, err)
-
-			got := MatchDomain(pattern, target)
-			assert.Equal(t, tt.want, got)
-		})
-	}
-}
--- a/client/inspect/dialer_linux.go
+++ b/client/inspect/dialer_linux.go
@@ -1,25 +0,0 @@
-package inspect
-
-import (
-	"net"
-	"syscall"
-)
-
-// newOutboundDialer creates a net.Dialer that clears the socket fwmark.
-// In kernel TPROXY mode, accepted connections inherit the TPROXY fwmark.
-// Without clearing it, outbound connections from the proxy would match
-// the ip rule (fwmark -> local loopback) and loop back to the proxy
-// instead of reaching the real destination.
-func newOutboundDialer() net.Dialer {
-	return net.Dialer{
-		Control: func(_, _ string, c syscall.RawConn) error {
-			var sockErr error
-			if err := c.Control(func(fd uintptr) {
-				sockErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, 0)
-			}); err != nil {
-				return err
-			}
-			return sockErr
-		},
-	}
-}
--- a/client/inspect/dialer_other.go
+++ b/client/inspect/dialer_other.go
@@ -1,11 +0,0 @@
-//go:build !linux
-
-package inspect
-
-import "net"
-
-// newOutboundDialer returns a plain dialer on non-Linux platforms.
-// TPROXY is Linux-only, so no fwmark clearing is needed.
-func newOutboundDialer() net.Dialer {
-	return net.Dialer{}
-}
--- a/Show More
+++ b/Show More