Add Tauri UI

White mac native + notification test
Wails UI
2026-04-06 09:34:05 -04:00 · 2026-03-05 08:53:24 +01:00 · 2026-03-04 11:12:43 +01:00 · 2026-03-02 15:59:09 +01:00 · 2026-02-24 22:47:41 +03:00 · 2026-02-24 21:19:43 +03:00
541 changed files with 85276 additions and 2421 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,6 @@
+.env
+.env.*
+*.pem
+*.key
+*.crt
+*.p12
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -23,7 +23,7 @@ jobs:

      - name: Check for problematic license dependencies
        run: |
-          echo "Checking for dependencies on management/, signal/, and relay/ packages..."
+          echo "Checking for dependencies on management/, signal/, relay/, and proxy/ packages..."
          echo ""

          # Find all directories except the problematic ones and system dirs
@@ -31,7 +31,7 @@ jobs:
          while IFS= read -r dir; do
            echo "=== Checking $dir ==="
            # Search for problematic imports, excluding test files
-            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
+            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
            if [ -n "$RESULTS" ]; then
              echo "❌ Found problematic dependencies:"
              echo "$RESULTS"
@@ -39,11 +39,11 @@ jobs:
            else
              echo "✓ No problematic dependencies found"
            fi
-          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort)
+          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name "combined" -not -name ".git*" | sort)

          echo ""
          if [ $FOUND_ISSUES -eq 1 ]; then
-            echo "❌ Found dependencies on management/, signal/, or relay/ packages"
+            echo "❌ Found dependencies on management/, signal/, relay/, or proxy/ packages"
            echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
            exit 1
          else
@@ -88,7 +88,7 @@ jobs:
              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")

              # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\)" | head -1)

              if [ -n "$BSD_IMPORTER" ]; then
                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -43,5 +43,5 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v /management)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)

--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -46,6 +46,5 @@ jobs:
            time go test -timeout 1m -failfast ./client/iface/...
            time go test -timeout 1m -failfast ./route/...
            time go test -timeout 1m -failfast ./sharedsock/...
-            time go test -timeout 1m -failfast ./signal/...
            time go test -timeout 1m -failfast ./util/...
            time go test -timeout 1m -failfast ./version/...
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -97,6 +97,16 @@ jobs:
        working-directory: relay
        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .

+      - name: Build combined
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: combined
+        run: CGO_ENABLED=1 go build .
+
+      - name: Build combined 386
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: combined
+        run: CGO_ENABLED=1 GOARCH=386 go build -o combined-386 .
+
  test:
    name: "Client / Unit"
    needs: [build-cache]
@@ -144,7 +154,7 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)

  test_client_on_docker:
    name: "Client (Docker) / Unit"
@@ -204,7 +214,7 @@ jobs:
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
            '

  test_relay:
@@ -261,6 +271,53 @@ jobs:
            -exec 'sudo' \
            -timeout 10m -p 1 ./relay/... ./shared/relay/...

+  test_proxy:
+    name: "Proxy / Unit"
+    needs: [build-cache]
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [ '386','amd64' ]
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: false
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Test
+        run: |
+          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
+          go test -timeout 10m -p 1 ./proxy/...
+
  test_signal:
    name: "Signal / Unit"
    needs: [build-cache]
@@ -352,12 +409,19 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
-        uses: docker/login-action@v1
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

+      - name: docker login for root user
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+        env:
+          DOCKER_USER: ${{ secrets.DOCKER_USER }}
+          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
+
      - name: download mysql image
        if: matrix.store == 'mysql'
        run: docker pull mlsmaycon/warmed-mysql:8
@@ -440,15 +504,18 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
-        uses: docker/login-action@v1
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: download mysql image
-        if: matrix.store == 'mysql'
-        run: docker pull mlsmaycon/warmed-mysql:8
+      - name: docker login for root user
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+        env:
+          DOCKER_USER: ${{ secrets.DOCKER_USER }}
+          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin

      - name: Test
        run: |
@@ -529,15 +596,18 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
-        uses: docker/login-action@v1
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: download mysql image
-        if: matrix.store == 'mysql'
-        run: docker pull mlsmaycon/warmed-mysql:8
+      - name: docker login for root user
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+        env:
+          DOCKER_USER: ${{ secrets.DOCKER_USER }}
+          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin

      - name: Test
        run: |
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -63,7 +63,7 @@ jobs:
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' })" >> $env:GITHUB_ENV
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' })" >> $env:GITHUB_ENV

      - name: test
        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,8 +19,8 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans
-          skip: go.mod,go.sum
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver
+          skip: go.mod,go.sum,**/proxy/web/**
  golangci:
    strategy:
      fail-fast: false
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on:
  pull_request:

 env:
-  SIGN_PIPE_VER: "v0.1.0"
+  SIGN_PIPE_VER: "v0.1.1"
  GORELEASER_VER: "v2.3.2"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"
@@ -160,7 +160,7 @@ jobs:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
-        if: github.event_name != 'pull_request'
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@@ -176,6 +176,7 @@ jobs:
      - name: Generate windows syso arm64
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
+        id: goreleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
@@ -185,6 +186,19 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+      - name: Tag and push PR images (amd64 only)
+        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
+        run: |
+          PR_TAG="pr-${{ github.event.pull_request.number }}"
+          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
+            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
+            grep '^ghcr.io/' | while read -r SRC; do
+              IMG_NAME="${SRC%%:*}"
+              DST="${IMG_NAME}:${PR_TAG}"
+              echo "Tagging ${SRC} -> ${DST}"
+              docker tag "$SRC" "$DST"
+              docker push "$DST"
+            done
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 .run
 *.iml
 dist/
+!proxy/web/dist/
 bin/
 .env
 conf.json
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -106,6 +106,26 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"

+  - id: netbird-server
+    dir: combined
+    env:
+      - CGO_ENABLED=1
+      - >-
+        {{- if eq .Runtime.Goos "linux" }}
+          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
+          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
+        {{- end }}
+    binary: netbird-server
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
  - id: netbird-upload
    dir: upload-server
    env: [CGO_ENABLED=0]
@@ -120,6 +140,20 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"

+  - id: netbird-proxy
+    dir: proxy/cmd/proxy
+    env: [CGO_ENABLED=0]
+    binary: netbird-proxy
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    ldflags:
+      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
 universal_binaries:
  - id: netbird

@@ -520,6 +554,104 @@ dockers:
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
+    ids:
+      - netbird-server
+    goarch: amd64
+    use: buildx
+    dockerfile: combined/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
+    ids:
+      - netbird-server
+    goarch: arm64
+    use: buildx
+    dockerfile: combined/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
+    ids:
+      - netbird-server
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: combined/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
+    ids:
+      - netbird-proxy
+    goarch: amd64
+    use: buildx
+    dockerfile: proxy/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+    ids:
+      - netbird-proxy
+    goarch: arm64
+    use: buildx
+    dockerfile: proxy/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-arm
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
+    ids:
+      - netbird-proxy
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: proxy/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
  - name_template: netbirdio/netbird:{{ .Version }}
    image_templates:
@@ -598,6 +730,18 @@ docker_manifests:
      - netbirdio/upload:{{ .Version }}-arm
      - netbirdio/upload:{{ .Version }}-amd64

+  - name_template: netbirdio/netbird-server:{{ .Version }}
+    image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - netbirdio/netbird-server:{{ .Version }}-arm
+      - netbirdio/netbird-server:{{ .Version }}-amd64
+
+  - name_template: netbirdio/netbird-server:latest
+    image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - netbirdio/netbird-server:{{ .Version }}-arm
+      - netbirdio/netbird-server:{{ .Version }}-amd64
+
  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
@@ -675,6 +819,43 @@ docker_manifests:
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird-server:latest
+    image_templates:
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
+
+  - name_template: netbirdio/reverse-proxy:{{ .Version }}
+    image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - netbirdio/reverse-proxy:{{ .Version }}-arm
+      - netbirdio/reverse-proxy:{{ .Version }}-amd64
+
+  - name_template: netbirdio/reverse-proxy:latest
+    image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - netbirdio/reverse-proxy:{{ .Version }}-arm
+      - netbirdio/reverse-proxy:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
+    image_templates:
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
+
 brews:
  - ids:
      - default
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/ and relay/.
+This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/, relay/ and combined/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.

 BSD 3-Clause License
--- a/README.md
+++ b/README.md
@@ -60,8 +60,8 @@

 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2

-### NetBird on Lawrence Systems (Video)
-[![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)
+### Self-Host NetBird (Video)
+[![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)

 ### Key features

--- a/client/android/env_list.go
+++ b/client/android/env_list.go
@@ -1,10 +1,19 @@
 package android

-import "github.com/netbirdio/netbird/client/internal/peer"
+import (
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+	"github.com/netbirdio/netbird/client/internal/peer"
+)

 var (
-	// EnvKeyNBForceRelay Exported for Android java client
+	// EnvKeyNBForceRelay Exported for Android java client to force relay connections
 	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
+
+	// EnvKeyNBLazyConn Exported for Android java client to configure lazy connection
+	EnvKeyNBLazyConn = lazyconn.EnvEnableLazyConn
+
+	// EnvKeyNBInactivityThreshold Exported for Android java client to configure connection inactivity threshold
+	EnvKeyNBInactivityThreshold = lazyconn.EnvInactivityThreshold
 )

 // EnvList wraps a Go map for export to Java
--- a/client/cmd/expose.go
+++ b/client/cmd/expose.go
@@ -0,0 +1,194 @@
+package cmd
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"os/signal"
+	"regexp"
+	"strconv"
+	"strings"
+	"syscall"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/util"
+)
+
+var pinRegexp = regexp.MustCompile(`^\d{6}$`)
+
+var (
+	exposePin        string
+	exposePassword   string
+	exposeUserGroups []string
+	exposeDomain     string
+	exposeNamePrefix string
+	exposeProtocol   string
+)
+
+var exposeCmd = &cobra.Command{
+	Use:     "expose <port>",
+	Short:   "Expose a local port via the NetBird reverse proxy",
+	Args:    cobra.ExactArgs(1),
+	Example: "netbird expose --with-password safe-pass 8080",
+	RunE:    exposeFn,
+}
+
+func init() {
+	exposeCmd.Flags().StringVar(&exposePin, "with-pin", "", "Protect the exposed service with a 6-digit PIN (e.g. --with-pin 123456)")
+	exposeCmd.Flags().StringVar(&exposePassword, "with-password", "", "Protect the exposed service with a password (e.g. --with-password my-secret)")
+	exposeCmd.Flags().StringSliceVar(&exposeUserGroups, "with-user-groups", nil, "Restrict access to specific user groups with SSO (e.g. --with-user-groups devops,Backend)")
+	exposeCmd.Flags().StringVar(&exposeDomain, "with-custom-domain", "", "Custom domain for the exposed service, must be configured to your account (e.g. --with-custom-domain myapp.example.com)")
+	exposeCmd.Flags().StringVar(&exposeNamePrefix, "with-name-prefix", "", "Prefix for the generated service name (e.g. --with-name-prefix my-app)")
+	exposeCmd.Flags().StringVar(&exposeProtocol, "protocol", "http", "Protocol to use, http/https is supported (e.g. --protocol http)")
+}
+
+func validateExposeFlags(cmd *cobra.Command, portStr string) (uint64, error) {
+	port, err := strconv.ParseUint(portStr, 10, 32)
+	if err != nil {
+		return 0, fmt.Errorf("invalid port number: %s", portStr)
+	}
+	if port == 0 || port > 65535 {
+		return 0, fmt.Errorf("invalid port number: must be between 1 and 65535")
+	}
+
+	if !isProtocolValid(exposeProtocol) {
+		return 0, fmt.Errorf("unsupported protocol %q: only 'http' or 'https' are supported", exposeProtocol)
+	}
+
+	if exposePin != "" && !pinRegexp.MatchString(exposePin) {
+		return 0, fmt.Errorf("invalid pin: must be exactly 6 digits")
+	}
+
+	if cmd.Flags().Changed("with-password") && exposePassword == "" {
+		return 0, fmt.Errorf("password cannot be empty")
+	}
+
+	if cmd.Flags().Changed("with-user-groups") && len(exposeUserGroups) == 0 {
+		return 0, fmt.Errorf("user groups cannot be empty")
+	}
+
+	return port, nil
+}
+
+func isProtocolValid(exposeProtocol string) bool {
+	return strings.ToLower(exposeProtocol) == "http" || strings.ToLower(exposeProtocol) == "https"
+}
+
+func exposeFn(cmd *cobra.Command, args []string) error {
+	SetFlagsFromEnvVars(rootCmd)
+
+	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
+		log.Errorf("failed initializing log %v", err)
+		return err
+	}
+
+	cmd.Root().SilenceUsage = false
+
+	port, err := validateExposeFlags(cmd, args[0])
+	if err != nil {
+		return err
+	}
+
+	cmd.Root().SilenceUsage = true
+
+	ctx, cancel := context.WithCancel(cmd.Context())
+	defer cancel()
+
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		<-sigCh
+		cancel()
+	}()
+
+	conn, err := DialClientGRPCServer(ctx, daemonAddr)
+	if err != nil {
+		return fmt.Errorf("connect to daemon: %w", err)
+	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Debugf("failed to close daemon connection: %v", err)
+		}
+	}()
+
+	client := proto.NewDaemonServiceClient(conn)
+
+	protocol, err := toExposeProtocol(exposeProtocol)
+	if err != nil {
+		return err
+	}
+
+	stream, err := client.ExposeService(ctx, &proto.ExposeServiceRequest{
+		Port:       uint32(port),
+		Protocol:   protocol,
+		Pin:        exposePin,
+		Password:   exposePassword,
+		UserGroups: exposeUserGroups,
+		Domain:     exposeDomain,
+		NamePrefix: exposeNamePrefix,
+	})
+	if err != nil {
+		return fmt.Errorf("expose service: %w", err)
+	}
+
+	if err := handleExposeReady(cmd, stream, port); err != nil {
+		return err
+	}
+
+	return waitForExposeEvents(cmd, ctx, stream)
+}
+
+func toExposeProtocol(exposeProtocol string) (proto.ExposeProtocol, error) {
+	switch strings.ToLower(exposeProtocol) {
+	case "http":
+		return proto.ExposeProtocol_EXPOSE_HTTP, nil
+	case "https":
+		return proto.ExposeProtocol_EXPOSE_HTTPS, nil
+	default:
+		return 0, fmt.Errorf("unsupported protocol %q: only 'http' or 'https' are supported", exposeProtocol)
+	}
+}
+
+func handleExposeReady(cmd *cobra.Command, stream proto.DaemonService_ExposeServiceClient, port uint64) error {
+	event, err := stream.Recv()
+	if err != nil {
+		return fmt.Errorf("receive expose event: %w", err)
+	}
+
+	switch e := event.Event.(type) {
+	case *proto.ExposeServiceEvent_Ready:
+		cmd.Println("Service exposed successfully!")
+		cmd.Printf("  Name:     %s\n", e.Ready.ServiceName)
+		cmd.Printf("  URL:      %s\n", e.Ready.ServiceUrl)
+		cmd.Printf("  Domain:   %s\n", e.Ready.Domain)
+		cmd.Printf("  Protocol: %s\n", exposeProtocol)
+		cmd.Printf("  Port:     %d\n", port)
+		cmd.Println()
+		cmd.Println("Press Ctrl+C to stop exposing.")
+		return nil
+	default:
+		return fmt.Errorf("unexpected expose event: %T", event.Event)
+	}
+}
+
+func waitForExposeEvents(cmd *cobra.Command, ctx context.Context, stream proto.DaemonService_ExposeServiceClient) error {
+	for {
+		_, err := stream.Recv()
+		if err != nil {
+			if ctx.Err() != nil {
+				cmd.Println("\nService stopped.")
+				//nolint:nilerr
+				return nil
+			}
+			if errors.Is(err, io.EOF) {
+				return fmt.Errorf("connection to daemon closed unexpectedly")
+			}
+			return fmt.Errorf("stream error: %w", err)
+		}
+	}
+}
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -282,13 +282,9 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 	}
 	defer authClient.Close()

-	needsLogin := false
-
-	err, isAuthError := authClient.Login(ctx, "", "")
-	if isAuthError {
-		needsLogin = true
-	} else if err != nil {
-		return fmt.Errorf("login check failed: %v", err)
+	needsLogin, err := authClient.IsLoginRequired(ctx)
+	if err != nil {
+		return fmt.Errorf("check login required: %v", err)
 	}

 	jwtToken := ""
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -22,6 +22,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"

+	daddr "github.com/netbirdio/netbird/client/internal/daemonaddr"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )

@@ -80,6 +81,15 @@ var (
 		Short:        "",
 		Long:         "",
 		SilenceUsage: true,
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			SetFlagsFromEnvVars(cmd.Root())
+
+			// Don't resolve for service commands — they create the socket, not connect to it.
+			if !isServiceCmd(cmd) {
+				daemonAddr = daddr.ResolveUnixDaemonAddr(daemonAddr)
+			}
+			return nil
+		},
 	}
 )

@@ -144,6 +154,7 @@ func init() {
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
 	rootCmd.AddCommand(profileCmd)
+	rootCmd.AddCommand(exposeCmd)

 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
@@ -385,7 +396,6 @@ func migrateToNetbird(oldPath, newPath string) bool {
 }

 func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
-	SetFlagsFromEnvVars(rootCmd)
 	cmd.SetOut(cmd.OutOrStdout())

 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
@@ -398,3 +408,13 @@ func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {

 	return conn, nil
 }
+
+// isServiceCmd returns true if cmd is the "service" command or a child of it.
+func isServiceCmd(cmd *cobra.Command) bool {
+	for c := cmd; c != nil; c = c.Parent() {
+		if c.Name() == "service" {
+			return true
+		}
+	}
+	return false
+}
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -31,6 +31,14 @@ var (
 	ErrConfigNotInitialized = errors.New("config not initialized")
 )

+// PeerConnStatus is a peer's connection status.
+type PeerConnStatus = peer.ConnStatus
+
+const (
+	// PeerStatusConnected indicates the peer is in connected state.
+	PeerStatusConnected = peer.StatusConnected
+)
+
 // Client manages a netbird embedded client instance.
 type Client struct {
 	deviceName string
@@ -71,6 +79,8 @@ type Options struct {
 	DisableClientRoutes bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
+	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
+	WireguardPort *int
 }

 // validateCredentials checks that exactly one credential type is provided
@@ -140,6 +150,7 @@ func New(opts Options) (*Client, error) {
 		DisableServerRoutes: &t,
 		DisableClientRoutes: &opts.DisableClientRoutes,
 		BlockInbound:        &opts.BlockInbound,
+		WireguardPort:       opts.WireguardPort,
 	}
 	if opts.ConfigPath != "" {
 		config, err = profilemanager.UpdateOrCreateConfig(input)
@@ -159,6 +170,7 @@ func New(opts Options) (*Client, error) {
 		setupKey:   opts.SetupKey,
 		jwtToken:   opts.JWTToken,
 		config:     config,
+		recorder:   peer.NewRecorder(config.ManagementURL.String()),
 	}, nil
 }

@@ -180,6 +192,7 @@ func (c *Client) Start(startCtx context.Context) error {

 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
+
 	authClient, err := auth.NewAuth(ctx, c.config.PrivateKey, c.config.ManagementURL, c.config)
 	if err != nil {
 		return fmt.Errorf("create auth client: %w", err)
@@ -189,10 +202,7 @@ func (c *Client) Start(startCtx context.Context) error {
 	if err, _ := authClient.Login(ctx, c.setupKey, c.jwtToken); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}
-
-	recorder := peer.NewRecorder(c.config.ManagementURL.String())
-	c.recorder = recorder
-	client := internal.NewConnectClient(ctx, c.config, recorder, false)
+	client := internal.NewConnectClient(ctx, c.config, c.recorder, false)
 	client.SetSyncResponsePersistence(true)

 	// either startup error (permanent backoff err) or nil err (successful engine up)
@@ -345,14 +355,9 @@ func (c *Client) NewHTTPClient() *http.Client {
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
-	recorder := c.recorder
 	connect := c.connect
 	c.mu.Unlock()

-	if recorder == nil {
-		return peer.FullStatus{}, errors.New("client not started")
-	}
-
 	if connect != nil {
 		engine := connect.Engine()
 		if engine != nil {
@@ -360,7 +365,7 @@ func (c *Client) Status() (peer.FullStatus, error) {
 		}
 	}

-	return recorder.GetFullStatus(), nil
+	return c.recorder.GetFullStatus(), nil
 }

 // GetLatestSyncResponse returns the latest sync response from the management server.
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -483,7 +483,12 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	}

 	if nftRule.Handle == 0 {
-		return fmt.Errorf("route rule %s has no handle", ruleKey)
+		log.Warnf("route rule %s has no handle, removing stale entry", ruleKey)
+		if err := r.decrementSetCounter(nftRule); err != nil {
+			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
+		}
+		delete(r.rules, ruleKey)
+		return nil
 	}

 	if err := r.deleteNftRule(nftRule, ruleKey); err != nil {
@@ -660,13 +665,32 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 	}

 	if err := r.conn.Flush(); err != nil {
-		// TODO: rollback ipset counter
-		return fmt.Errorf("insert rules for %s: %v", pair.Destination, err)
+		r.rollbackRules(pair)
+		return fmt.Errorf("insert rules for %s: %w", pair.Destination, err)
 	}

 	return nil
 }

+// rollbackRules cleans up unflushed rules and their set counters after a flush failure.
+func (r *router) rollbackRules(pair firewall.RouterPair) {
+	keys := []string{
+		firewall.GenKey(firewall.ForwardingFormat, pair),
+		firewall.GenKey(firewall.PreroutingFormat, pair),
+		firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair)),
+	}
+	for _, key := range keys {
+		rule, ok := r.rules[key]
+		if !ok {
+			continue
+		}
+		if err := r.decrementSetCounter(rule); err != nil {
+			log.Warnf("rollback set counter for %s: %v", key, err)
+		}
+		delete(r.rules, key)
+	}
+}
+
 // addNatRule inserts a nftables rule to the conn client flush queue
 func (r *router) addNatRule(pair firewall.RouterPair) error {
 	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
@@ -928,18 +952,30 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)

-	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.conn.DelRule(rule); err != nil {
-			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
-		}
-
-		log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
-
-		delete(r.rules, ruleKey)
+	rule, exists := r.rules[ruleKey]
+	if !exists {
+		return nil
+	}

+	if rule.Handle == 0 {
+		log.Warnf("legacy forwarding rule %s has no handle, removing stale entry", ruleKey)
 		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement set counter: %w", err)
+			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
 		}
+		delete(r.rules, ruleKey)
+		return nil
+	}
+
+	if err := r.conn.DelRule(rule); err != nil {
+		return fmt.Errorf("remove legacy forwarding rule %s -> %s: %w", pair.Source, pair.Destination, err)
+	}
+
+	log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
+
+	delete(r.rules, ruleKey)
+
+	if err := r.decrementSetCounter(rule); err != nil {
+		return fmt.Errorf("decrement set counter: %w", err)
 	}

 	return nil
@@ -1329,65 +1365,89 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}

+	var merr *multierror.Error
+
 	if pair.Masquerade {
 		if err := r.removeNatRule(pair); err != nil {
-			return fmt.Errorf("remove prerouting rule: %w", err)
+			merr = multierror.Append(merr, fmt.Errorf("remove prerouting rule: %w", err))
 		}

 		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-			return fmt.Errorf("remove inverse prerouting rule: %w", err)
+			merr = multierror.Append(merr, fmt.Errorf("remove inverse prerouting rule: %w", err))
 		}
 	}

 	if err := r.removeLegacyRouteRule(pair); err != nil {
-		return fmt.Errorf("remove legacy routing rule: %w", err)
+		merr = multierror.Append(merr, fmt.Errorf("remove legacy routing rule: %w", err))
 	}

+	// Set counters are decremented in the sub-methods above before flush. If flush fails,
+	// counters will be off until the next successful removal or refresh cycle.
 	if err := r.conn.Flush(); err != nil {
-		// TODO: rollback set counter
-		return fmt.Errorf("remove nat rules rule %s: %v", pair.Destination, err)
+		merr = multierror.Append(merr, fmt.Errorf("flush remove nat rules %s: %w", pair.Destination, err))
 	}

-	return nil
+	return nberrors.FormatErrorOrNil(merr)
 }

 func (r *router) removeNatRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)

-	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.conn.DelRule(rule); err != nil {
-			return fmt.Errorf("remove prerouting rule %s -> %s: %v", pair.Source, pair.Destination, err)
-		}
-
-		log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
-
-		delete(r.rules, ruleKey)
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement set counter: %w", err)
-		}
-	} else {
+	rule, exists := r.rules[ruleKey]
+	if !exists {
 		log.Debugf("prerouting rule %s not found", ruleKey)
+		return nil
+	}
+
+	if rule.Handle == 0 {
+		log.Warnf("prerouting rule %s has no handle, removing stale entry", ruleKey)
+		if err := r.decrementSetCounter(rule); err != nil {
+			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
+		}
+		delete(r.rules, ruleKey)
+		return nil
+	}
+
+	if err := r.conn.DelRule(rule); err != nil {
+		return fmt.Errorf("remove prerouting rule %s -> %s: %w", pair.Source, pair.Destination, err)
+	}
+
+	log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
+
+	delete(r.rules, ruleKey)
+
+	if err := r.decrementSetCounter(rule); err != nil {
+		return fmt.Errorf("decrement set counter: %w", err)
 	}

 	return nil
 }

-// refreshRulesMap refreshes the rule map with the latest rules. this is useful to avoid
-// duplicates and to get missing attributes that we don't have when adding new rules
+// refreshRulesMap rebuilds the rule map from the kernel. This removes stale entries
+// (e.g. from failed flushes) and updates handles for all existing rules.
 func (r *router) refreshRulesMap() error {
+	var merr *multierror.Error
+	newRules := make(map[string]*nftables.Rule)
 	for _, chain := range r.chains {
 		rules, err := r.conn.GetRules(chain.Table, chain)
 		if err != nil {
-			return fmt.Errorf("list rules: %w", err)
+			merr = multierror.Append(merr, fmt.Errorf("list rules for chain %s: %w", chain.Name, err))
+			// preserve existing entries for this chain since we can't verify their state
+			for k, v := range r.rules {
+				if v.Chain != nil && v.Chain.Name == chain.Name {
+					newRules[k] = v
+				}
+			}
+			continue
 		}
 		for _, rule := range rules {
 			if len(rule.UserData) > 0 {
-				r.rules[string(rule.UserData)] = rule
+				newRules[string(rule.UserData)] = rule
 			}
 		}
 	}
-	return nil
+	r.rules = newRules
+	return nberrors.FormatErrorOrNil(merr)
 }

 func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
@@ -1629,20 +1689,34 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	}

 	var merr *multierror.Error
+	var needsFlush bool
+
 	if dnatRule, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		if err := r.conn.DelRule(dnatRule); err != nil {
+		if dnatRule.Handle == 0 {
+			log.Warnf("dnat rule %s has no handle, removing stale entry", ruleKey+dnatSuffix)
+			delete(r.rules, ruleKey+dnatSuffix)
+		} else if err := r.conn.DelRule(dnatRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete dnat rule: %w", err))
+		} else {
+			needsFlush = true
 		}
 	}

 	if masqRule, exists := r.rules[ruleKey+snatSuffix]; exists {
-		if err := r.conn.DelRule(masqRule); err != nil {
+		if masqRule.Handle == 0 {
+			log.Warnf("snat rule %s has no handle, removing stale entry", ruleKey+snatSuffix)
+			delete(r.rules, ruleKey+snatSuffix)
+		} else if err := r.conn.DelRule(masqRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete snat rule: %w", err))
+		} else {
+			needsFlush = true
 		}
 	}

-	if err := r.conn.Flush(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
+	if needsFlush {
+		if err := r.conn.Flush(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf(flushError, err))
+		}
 	}

 	if merr == nil {
@@ -1757,16 +1831,25 @@ func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Proto

 	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)

-	if rule, exists := r.rules[ruleID]; exists {
-		if err := r.conn.DelRule(rule); err != nil {
-			return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
-		}
-		if err := r.conn.Flush(); err != nil {
-			return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
-		}
-		delete(r.rules, ruleID)
+	rule, exists := r.rules[ruleID]
+	if !exists {
+		return nil
 	}

+	if rule.Handle == 0 {
+		log.Warnf("inbound DNAT rule %s has no handle, removing stale entry", ruleID)
+		delete(r.rules, ruleID)
+		return nil
+	}
+
+	if err := r.conn.DelRule(rule); err != nil {
+		return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
+	}
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
+	}
+	delete(r.rules, ruleID)
+
 	return nil
 }

--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -18,6 +18,7 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
 	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/internal/acl/id"
 )

 const (
@@ -719,3 +720,137 @@ func deleteWorkTable() {
 		}
 	}
 }
+
+func TestRouter_RefreshRulesMap_RemovesStaleEntries(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	workTable, err := createWorkTable()
+	require.NoError(t, err)
+	defer deleteWorkTable()
+
+	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err)
+	require.NoError(t, r.init(workTable))
+	defer func() { require.NoError(t, r.Reset()) }()
+
+	// Add a real rule to the kernel
+	ruleKey, err := r.AddRouteFiltering(
+		nil,
+		[]netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
+		firewall.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
+		firewall.ProtocolTCP,
+		nil,
+		&firewall.Port{Values: []uint16{80}},
+		firewall.ActionAccept,
+	)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, r.DeleteRouteRule(ruleKey))
+	})
+
+	// Inject a stale entry with Handle=0 (simulates store-before-flush failure)
+	staleKey := "stale-rule-that-does-not-exist"
+	r.rules[staleKey] = &nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chains[chainNameRoutingFw],
+		Handle:   0,
+		UserData: []byte(staleKey),
+	}
+
+	require.Contains(t, r.rules, staleKey, "stale entry should be in map before refresh")
+
+	err = r.refreshRulesMap()
+	require.NoError(t, err)
+
+	assert.NotContains(t, r.rules, staleKey, "stale entry should be removed after refresh")
+
+	realRule, ok := r.rules[ruleKey.ID()]
+	assert.True(t, ok, "real rule should still exist after refresh")
+	assert.NotZero(t, realRule.Handle, "real rule should have a valid handle")
+}
+
+func TestRouter_DeleteRouteRule_StaleHandle(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	workTable, err := createWorkTable()
+	require.NoError(t, err)
+	defer deleteWorkTable()
+
+	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err)
+	require.NoError(t, r.init(workTable))
+	defer func() { require.NoError(t, r.Reset()) }()
+
+	// Inject a stale entry with Handle=0
+	staleKey := "stale-route-rule"
+	r.rules[staleKey] = &nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chains[chainNameRoutingFw],
+		Handle:   0,
+		UserData: []byte(staleKey),
+	}
+
+	// DeleteRouteRule should not return an error for stale handles
+	err = r.DeleteRouteRule(id.RuleID(staleKey))
+	assert.NoError(t, err, "deleting a stale rule should not error")
+	assert.NotContains(t, r.rules, staleKey, "stale entry should be cleaned up")
+}
+
+func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err)
+	require.NoError(t, manager.Init(nil))
+	t.Cleanup(func() {
+		require.NoError(t, manager.Close(nil))
+	})
+
+	pair := firewall.RouterPair{
+		ID:          "staletest",
+		Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
+		Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
+		Masquerade:  true,
+	}
+
+	rtr := manager.router
+
+	// First add succeeds
+	err = rtr.AddNatRule(pair)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, rtr.RemoveNatRule(pair))
+	})
+
+	// Corrupt the handle to simulate stale state
+	natRuleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
+	if rule, exists := rtr.rules[natRuleKey]; exists {
+		rule.Handle = 0
+	}
+	inverseKey := firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair))
+	if rule, exists := rtr.rules[inverseKey]; exists {
+		rule.Handle = 0
+	}
+
+	// Adding the same rule again should succeed despite stale handles
+	err = rtr.AddNatRule(pair)
+	assert.NoError(t, err, "AddNatRule should succeed even with stale entries")
+
+	// Verify rules exist in kernel
+	rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
+	require.NoError(t, err)
+
+	found := 0
+	for _, rule := range rules {
+		if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
+			found++
+		}
+	}
+	assert.Equal(t, 1, found, "NAT rule should exist in kernel")
+}
--- a/client/firewall/uspfilter/allow_netbird.go
+++ b/client/firewall/uspfilter/allow_netbird.go
@@ -3,12 +3,6 @@
 package uspfilter

 import (
-	"context"
-	"net/netip"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

@@ -17,33 +11,7 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	m.outgoingRules = make(map[netip.Addr]RuleSet)
-	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
-	m.incomingRules = make(map[netip.Addr]RuleSet)
-
-	if m.udpTracker != nil {
-		m.udpTracker.Close()
-	}
-
-	if m.icmpTracker != nil {
-		m.icmpTracker.Close()
-	}
-
-	if m.tcpTracker != nil {
-		m.tcpTracker.Close()
-	}
-
-	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.Stop()
-	}
-
-	if m.logger != nil {
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-		defer cancel()
-		if err := m.logger.Stop(ctx); err != nil {
-			log.Errorf("failed to shutdown logger: %v", err)
-		}
-	}
+	m.resetState()

 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.Close(stateManager)
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -1,12 +1,9 @@
 package uspfilter

 import (
-	"context"
 	"fmt"
-	"net/netip"
 	"os/exec"
 	"syscall"
-	"time"

 	log "github.com/sirupsen/logrus"

@@ -26,33 +23,7 @@ func (m *Manager) Close(*statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	m.outgoingRules = make(map[netip.Addr]RuleSet)
-	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
-	m.incomingRules = make(map[netip.Addr]RuleSet)
-
-	if m.udpTracker != nil {
-		m.udpTracker.Close()
-	}
-
-	if m.icmpTracker != nil {
-		m.icmpTracker.Close()
-	}
-
-	if m.tcpTracker != nil {
-		m.tcpTracker.Close()
-	}
-
-	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.Stop()
-	}
-
-	if m.logger != nil {
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-		defer cancel()
-		if err := m.logger.Stop(ctx); err != nil {
-			log.Errorf("failed to shutdown logger: %v", err)
-		}
-	}
+	m.resetState()

 	if !isWindowsFirewallReachable() {
 		return nil
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -115,6 +115,17 @@ func (t *TCPConnTrack) IsTombstone() bool {
 	return t.tombstone.Load()
 }

+// IsSupersededBy returns true if this connection should be replaced by a new one
+// carrying the given flags. Tombstoned connections are always superseded; TIME-WAIT
+// connections are superseded by a pure SYN (a new connection attempt for the same
+// four-tuple, as contemplated by RFC 1122 §4.2.2.13 and RFC 6191).
+func (t *TCPConnTrack) IsSupersededBy(flags uint8) bool {
+	if t.tombstone.Load() {
+		return true
+	}
+	return flags&TCPSyn != 0 && flags&TCPAck == 0 && TCPState(t.state.Load()) == TCPStateTimeWait
+}
+
 // SetTombstone safely marks the connection for deletion
 func (t *TCPConnTrack) SetTombstone() {
 	t.tombstone.Store(true)
@@ -169,7 +180,7 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()

-	if exists {
+	if exists && !conn.IsSupersededBy(flags) {
 		t.updateState(key, conn, flags, direction, size)
 		return key, uint16(conn.DNATOrigPort.Load()), true
 	}
@@ -241,7 +252,7 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()

-	if !exists || conn.IsTombstone() {
+	if !exists || conn.IsSupersededBy(flags) {
 		return false
 	}

--- a/client/firewall/uspfilter/conntrack/tcp_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_test.go
@@ -485,6 +485,261 @@ func TestTCPAbnormalSequences(t *testing.T) {
 	})
 }

+// TestTCPPortReuseTombstone verifies that a new connection on a port with a
+// tombstoned (closed) conntrack entry is properly tracked. Without the fix,
+// updateIfExists treats tombstoned entries as live, causing track() to skip
+// creating a new connection. The subsequent SYN-ACK then fails IsValidInbound
+// because the entry is tombstoned, and the response packet gets dropped by ACL.
+func TestTCPPortReuseTombstone(t *testing.T) {
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+
+	t.Run("Outbound port reuse after graceful close", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+		// Establish and gracefully close a connection (server-initiated close)
+		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+		// Server sends FIN
+		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+		require.True(t, valid)
+
+		// Client sends FIN-ACK
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+
+		// Server sends final ACK
+		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+		require.True(t, valid)
+
+		// Connection should be tombstoned
+		conn := tracker.connections[key]
+		require.NotNil(t, conn, "old connection should still be in map")
+		require.True(t, conn.IsTombstone(), "old connection should be tombstoned")
+
+		// Now reuse the same port for a new connection
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
+
+		// The old tombstoned entry should be replaced with a new one
+		newConn := tracker.connections[key]
+		require.NotNil(t, newConn, "new connection should exist")
+		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
+		require.Equal(t, TCPStateSynSent, newConn.GetState())
+
+		// SYN-ACK for the new connection should be valid
+		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
+		require.True(t, valid, "SYN-ACK for new connection on reused port should be accepted")
+		require.Equal(t, TCPStateEstablished, newConn.GetState())
+
+		// Data transfer should work
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 100)
+		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 500)
+		require.True(t, valid, "data should be allowed on new connection")
+	})
+
+	t.Run("Outbound port reuse after RST", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+		// Establish and RST a connection
+		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst|TCPAck, 0)
+		require.True(t, valid)
+
+		conn := tracker.connections[key]
+		require.True(t, conn.IsTombstone(), "RST connection should be tombstoned")
+
+		// Reuse the same port
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
+
+		newConn := tracker.connections[key]
+		require.NotNil(t, newConn)
+		require.False(t, newConn.IsTombstone())
+		require.Equal(t, TCPStateSynSent, newConn.GetState())
+
+		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
+		require.True(t, valid, "SYN-ACK should be accepted after RST tombstone")
+	})
+
+	t.Run("Inbound port reuse after close", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		clientIP := srcIP
+		serverIP := dstIP
+		clientPort := srcPort
+		serverPort := dstPort
+		key := ConnKey{SrcIP: clientIP, DstIP: serverIP, SrcPort: clientPort, DstPort: serverPort}
+
+		// Inbound connection: client SYN → server SYN-ACK → client ACK
+		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
+		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
+		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
+
+		conn := tracker.connections[key]
+		require.Equal(t, TCPStateEstablished, conn.GetState())
+
+		// Server-initiated close to reach Closed/tombstoned:
+		// Server FIN (opposite dir) → CloseWait
+		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPFin|TCPAck, 100)
+		require.Equal(t, TCPStateCloseWait, conn.GetState())
+		// Client FIN-ACK (same dir as conn) → LastAck
+		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPFin|TCPAck, nil, 100, 0)
+		require.Equal(t, TCPStateLastAck, conn.GetState())
+		// Server final ACK (opposite dir) → Closed → tombstoned
+		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
+
+		require.True(t, conn.IsTombstone())
+
+		// New inbound connection on same ports
+		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
+
+		newConn := tracker.connections[key]
+		require.NotNil(t, newConn)
+		require.False(t, newConn.IsTombstone())
+		require.Equal(t, TCPStateSynReceived, newConn.GetState())
+
+		// Complete handshake: server SYN-ACK, then client ACK
+		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
+		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
+		require.Equal(t, TCPStateEstablished, newConn.GetState())
+	})
+
+	t.Run("Late ACK on tombstoned connection is harmless", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+		// Establish and close via passive close (server-initiated FIN → Closed → tombstoned)
+		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0) // CloseWait
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)  // LastAck
+		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)        // Closed
+
+		conn := tracker.connections[key]
+		require.True(t, conn.IsTombstone())
+
+		// Late ACK should be rejected (tombstoned)
+		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+		require.False(t, valid, "late ACK on tombstoned connection should be rejected")
+
+		// Late outbound ACK should not create a new connection (not a SYN)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+		require.True(t, tracker.connections[key].IsTombstone(), "late outbound ACK should not replace tombstoned entry")
+	})
+}
+
+func TestTCPPortReuseTimeWait(t *testing.T) {
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+
+	t.Run("Outbound port reuse during TIME-WAIT (active close)", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+		// Establish connection
+		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+		// Active close: client (outbound initiator) sends FIN first
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+		conn := tracker.connections[key]
+		require.Equal(t, TCPStateFinWait1, conn.GetState())
+
+		// Server ACKs the FIN
+		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+		require.True(t, valid)
+		require.Equal(t, TCPStateFinWait2, conn.GetState())
+
+		// Server sends its own FIN
+		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+		require.True(t, valid)
+		require.Equal(t, TCPStateTimeWait, conn.GetState())
+
+		// Client sends final ACK (TIME-WAIT stays, not tombstoned)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+		require.False(t, conn.IsTombstone(), "TIME-WAIT should not be tombstoned")
+
+		// New outbound SYN on the same port (port reuse during TIME-WAIT)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
+
+		// Per RFC 1122/6191, new SYN during TIME-WAIT should start a new connection
+		newConn := tracker.connections[key]
+		require.NotNil(t, newConn, "new connection should exist")
+		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
+		require.Equal(t, TCPStateSynSent, newConn.GetState(), "new connection should be in SYN-SENT")
+
+		// SYN-ACK for new connection should be valid
+		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
+		require.True(t, valid, "SYN-ACK for new connection should be accepted")
+		require.Equal(t, TCPStateEstablished, newConn.GetState())
+	})
+
+	t.Run("Inbound SYN during TIME-WAIT falls through to normal tracking", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+		// Establish outbound connection and close via active close → TIME-WAIT
+		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+
+		conn := tracker.connections[key]
+		require.Equal(t, TCPStateTimeWait, conn.GetState())
+
+		// Inbound SYN on same ports during TIME-WAIT: IsValidInbound returns false
+		// so the filter falls through to ACL check + TrackInbound (which creates
+		// a new connection via track() → updateIfExists skips TIME-WAIT for SYN)
+		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, 0)
+		require.False(t, valid, "inbound SYN during TIME-WAIT should fail conntrack validation")
+
+		// Simulate what the filter does next: TrackInbound via the normal path
+		tracker.TrackInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, nil, 100, 0)
+
+		// The new inbound connection uses the inverted key (dst→src becomes src→dst in track)
+		invertedKey := ConnKey{SrcIP: dstIP, DstIP: srcIP, SrcPort: dstPort, DstPort: srcPort}
+		newConn := tracker.connections[invertedKey]
+		require.NotNil(t, newConn, "new inbound connection should be tracked")
+		require.Equal(t, TCPStateSynReceived, newConn.GetState())
+		require.False(t, newConn.IsTombstone())
+	})
+
+	t.Run("Late retransmit during TIME-WAIT still allowed", func(t *testing.T) {
+		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+		defer tracker.Close()
+
+		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+		// Establish and active close → TIME-WAIT
+		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+
+		conn := tracker.connections[key]
+		require.Equal(t, TCPStateTimeWait, conn.GetState())
+
+		// Late ACK retransmits during TIME-WAIT should still be accepted
+		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+		require.True(t, valid, "retransmitted ACK during TIME-WAIT should be accepted")
+	})
+}
+
 func TestTCPTimeoutHandling(t *testing.T) {
 	// Create tracker with a very short timeout for testing
 	shortTimeout := 100 * time.Millisecond
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -1,6 +1,7 @@
 package uspfilter

 import (
+	"context"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -12,11 +13,13 @@ import (
 	"strings"
 	"sync"
 	"sync/atomic"
+	"time"

 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/exp/maps"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
@@ -24,6 +27,7 @@ import (
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	"github.com/netbirdio/netbird/client/iface/netstack"
+	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -89,6 +93,7 @@ type Manager struct {
 	incomingDenyRules map[netip.Addr]RuleSet
 	incomingRules     map[netip.Addr]RuleSet
 	routeRules        RouteRules
+	routeRulesMap     map[nbid.RuleID]*RouteRule
 	decoders          sync.Pool
 	wgIface           common.IFaceMapper
 	nativeFirewall    firewall.Manager
@@ -229,6 +234,7 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		flowLogger:          flowLogger,
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
+		routeRulesMap:       make(map[nbid.RuleID]*RouteRule),
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
 		portDNATRules:       []portDNATRule{},
 		netstackServices:    make(map[serviceKey]struct{}),
@@ -480,11 +486,15 @@ func (m *Manager) addRouteFiltering(
 		return m.nativeFirewall.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 	}

-	ruleID := uuid.New().String()
+	ruleKey := nbid.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
+
+	if existingRule, ok := m.routeRulesMap[ruleKey]; ok {
+		return existingRule, nil
+	}

 	rule := RouteRule{
 		// TODO: consolidate these IDs
-		id:         ruleID,
+		id:         string(ruleKey),
 		mgmtId:     id,
 		sources:    sources,
 		dstSet:     destination.Set,
@@ -499,6 +509,7 @@ func (m *Manager) addRouteFiltering(

 	m.routeRules = append(m.routeRules, &rule)
 	m.routeRules.Sort()
+	m.routeRulesMap[ruleKey] = &rule

 	return &rule, nil
 }
@@ -515,15 +526,20 @@ func (m *Manager) deleteRouteRule(rule firewall.Rule) error {
 		return m.nativeFirewall.DeleteRouteRule(rule)
 	}

-	ruleID := rule.ID()
+	ruleKey := nbid.RuleID(rule.ID())
+	if _, ok := m.routeRulesMap[ruleKey]; !ok {
+		return fmt.Errorf("route rule not found: %s", ruleKey)
+	}
+
 	idx := slices.IndexFunc(m.routeRules, func(r *RouteRule) bool {
-		return r.id == ruleID
+		return r.id == string(ruleKey)
 	})
 	if idx < 0 {
-		return fmt.Errorf("route rule not found: %s", ruleID)
+		return fmt.Errorf("route rule not found in slice: %s", ruleKey)
 	}

 	m.routeRules = slices.Delete(m.routeRules, idx, idx+1)
+	delete(m.routeRulesMap, ruleKey)
 	return nil
 }

@@ -570,6 +586,40 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }

+// resetState clears all firewall rules and closes connection trackers.
+// Must be called with m.mutex held.
+func (m *Manager) resetState() {
+	maps.Clear(m.outgoingRules)
+	maps.Clear(m.incomingDenyRules)
+	maps.Clear(m.incomingRules)
+	maps.Clear(m.routeRulesMap)
+	m.routeRules = m.routeRules[:0]
+
+	if m.udpTracker != nil {
+		m.udpTracker.Close()
+	}
+
+	if m.icmpTracker != nil {
+		m.icmpTracker.Close()
+	}
+
+	if m.tcpTracker != nil {
+		m.tcpTracker.Close()
+	}
+
+	if fwder := m.forwarder.Load(); fwder != nil {
+		fwder.Stop()
+	}
+
+	if m.logger != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if err := m.logger.Stop(ctx); err != nil {
+			log.Errorf("failed to shutdown logger: %v", err)
+		}
+	}
+}
+
 // SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
 func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	if m.nativeFirewall == nil {
--- a/client/firewall/uspfilter/filter_routeacl_test.go
+++ b/client/firewall/uspfilter/filter_routeacl_test.go
@@ -0,0 +1,376 @@
+package uspfilter
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/google/gopacket/layers"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	wgdevice "golang.zx2c4.com/wireguard/device"
+
+	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/mocks"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+)
+
+// TestAddRouteFilteringReturnsExistingRule verifies that adding the same route
+// filtering rule twice returns the same rule ID (idempotent behavior).
+func TestAddRouteFilteringReturnsExistingRule(t *testing.T) {
+	manager := setupTestManager(t)
+
+	sources := []netip.Prefix{
+		netip.MustParsePrefix("100.64.1.0/24"),
+		netip.MustParsePrefix("100.64.2.0/24"),
+	}
+	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
+
+	// Add rule first time
+	rule1, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		destination,
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+	require.NotNil(t, rule1)
+
+	// Add the same rule again
+	rule2, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		destination,
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+	require.NotNil(t, rule2)
+
+	// These should be the same (idempotent) like nftables/iptables implementations
+	assert.Equal(t, rule1.ID(), rule2.ID(),
+		"Adding the same rule twice should return the same rule ID (idempotent)")
+
+	manager.mutex.RLock()
+	ruleCount := len(manager.routeRules)
+	manager.mutex.RUnlock()
+
+	assert.Equal(t, 2, ruleCount,
+		"Should have exactly 2 rules (1 user rule + 1 block rule)")
+}
+
+// TestAddRouteFilteringDifferentRulesGetDifferentIDs verifies that rules with
+// different parameters get distinct IDs.
+func TestAddRouteFilteringDifferentRulesGetDifferentIDs(t *testing.T) {
+	manager := setupTestManager(t)
+
+	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
+
+	// Add first rule
+	rule1, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	// Add different rule (different destination)
+	rule2, err := manager.AddRouteFiltering(
+		[]byte("policy-2"),
+		sources,
+		fw.Network{Prefix: netip.MustParsePrefix("192.168.2.0/24")}, // Different!
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	assert.NotEqual(t, rule1.ID(), rule2.ID(),
+		"Different rules should have different IDs")
+
+	manager.mutex.RLock()
+	ruleCount := len(manager.routeRules)
+	manager.mutex.RUnlock()
+
+	assert.Equal(t, 3, ruleCount, "Should have 3 rules (2 user rules + 1 block rule)")
+}
+
+// TestRouteRuleUpdateDoesNotCauseGap verifies that re-adding the same route
+// rule during a network map update does not disrupt existing traffic.
+func TestRouteRuleUpdateDoesNotCauseGap(t *testing.T) {
+	manager := setupTestManager(t)
+
+	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
+	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
+
+	rule1, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		destination,
+		fw.ProtocolTCP,
+		nil,
+		nil,
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	srcIP := netip.MustParseAddr("100.64.1.5")
+	dstIP := netip.MustParseAddr("192.168.1.10")
+	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
+	require.True(t, pass, "Traffic should pass with rule in place")
+
+	// Re-add same rule (simulates network map update)
+	rule2, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		destination,
+		fw.ProtocolTCP,
+		nil,
+		nil,
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	// Idempotent IDs mean rule1.ID() == rule2.ID(), so the ACL manager
+	// won't delete rule1 during cleanup. If IDs differed, deleting rule1
+	// would remove the only matching rule and cause a traffic gap.
+	if rule1.ID() != rule2.ID() {
+		err = manager.DeleteRouteRule(rule1)
+		require.NoError(t, err)
+	}
+
+	_, passAfter := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
+	assert.True(t, passAfter,
+		"Traffic should still pass after rule update - no gap should occur")
+}
+
+// TestBlockInvalidRoutedIdempotent verifies that blockInvalidRouted creates
+// exactly one drop rule for the WireGuard network prefix, and calling it again
+// returns the same rule without duplicating.
+func TestBlockInvalidRoutedIdempotent(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	dev := mocks.NewMockDevice(ctrl)
+	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
+
+	wgNet := netip.MustParsePrefix("100.64.0.1/16")
+
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      wgNet.Addr(),
+				Network: wgNet,
+			}
+		},
+		GetDeviceFunc: func() *device.FilteredDevice {
+			return &device.FilteredDevice{Device: dev}
+		},
+		GetWGDeviceFunc: func() *wgdevice.Device {
+			return &wgdevice.Device{}
+		},
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, manager.Close(nil))
+	})
+
+	// Call blockInvalidRouted directly multiple times
+	rule1, err := manager.blockInvalidRouted(ifaceMock)
+	require.NoError(t, err)
+	require.NotNil(t, rule1)
+
+	rule2, err := manager.blockInvalidRouted(ifaceMock)
+	require.NoError(t, err)
+	require.NotNil(t, rule2)
+
+	rule3, err := manager.blockInvalidRouted(ifaceMock)
+	require.NoError(t, err)
+	require.NotNil(t, rule3)
+
+	// All should return the same rule
+	assert.Equal(t, rule1.ID(), rule2.ID(), "Second call should return same rule")
+	assert.Equal(t, rule2.ID(), rule3.ID(), "Third call should return same rule")
+
+	// Should have exactly 1 route rule
+	manager.mutex.RLock()
+	ruleCount := len(manager.routeRules)
+	manager.mutex.RUnlock()
+
+	assert.Equal(t, 1, ruleCount, "Should have exactly 1 block rule after 3 calls")
+
+	// Verify the rule blocks traffic to the WG network
+	srcIP := netip.MustParseAddr("10.0.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.50")
+	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 80)
+	assert.False(t, pass, "Block rule should deny traffic to WG prefix")
+}
+
+// TestBlockRuleNotAccumulatedOnRepeatedEnableRouting verifies that calling
+// EnableRouting multiple times (as happens on each route update) does not
+// accumulate duplicate block rules in the routeRules slice.
+func TestBlockRuleNotAccumulatedOnRepeatedEnableRouting(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	dev := mocks.NewMockDevice(ctrl)
+	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
+
+	wgNet := netip.MustParsePrefix("100.64.0.1/16")
+
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      wgNet.Addr(),
+				Network: wgNet,
+			}
+		},
+		GetDeviceFunc: func() *device.FilteredDevice {
+			return &device.FilteredDevice{Device: dev}
+		},
+		GetWGDeviceFunc: func() *wgdevice.Device {
+			return &wgdevice.Device{}
+		},
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, manager.Close(nil))
+	})
+
+	// Call EnableRouting multiple times (simulating repeated route updates)
+	for i := 0; i < 5; i++ {
+		require.NoError(t, manager.EnableRouting())
+	}
+
+	manager.mutex.RLock()
+	ruleCount := len(manager.routeRules)
+	manager.mutex.RUnlock()
+
+	assert.Equal(t, 1, ruleCount,
+		"Repeated EnableRouting should not accumulate block rules")
+}
+
+// TestRouteRuleCountStableAcrossUpdates verifies that adding the same route
+// rule multiple times does not create duplicate entries.
+func TestRouteRuleCountStableAcrossUpdates(t *testing.T) {
+	manager := setupTestManager(t)
+
+	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
+	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
+
+	// Simulate 5 network map updates with the same route rule
+	for i := 0; i < 5; i++ {
+		rule, err := manager.AddRouteFiltering(
+			[]byte("policy-1"),
+			sources,
+			destination,
+			fw.ProtocolTCP,
+			nil,
+			&fw.Port{Values: []uint16{443}},
+			fw.ActionAccept,
+		)
+		require.NoError(t, err)
+		require.NotNil(t, rule)
+	}
+
+	manager.mutex.RLock()
+	ruleCount := len(manager.routeRules)
+	manager.mutex.RUnlock()
+
+	assert.Equal(t, 2, ruleCount,
+		"Should have exactly 2 rules (1 user rule + 1 block rule) after 5 updates")
+}
+
+// TestDeleteRouteRuleAfterIdempotentAdd verifies that deleting a route rule
+// after adding it multiple times works correctly.
+func TestDeleteRouteRuleAfterIdempotentAdd(t *testing.T) {
+	manager := setupTestManager(t)
+
+	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
+	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
+
+	// Add same rule twice
+	rule1, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		destination,
+		fw.ProtocolTCP,
+		nil,
+		nil,
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	rule2, err := manager.AddRouteFiltering(
+		[]byte("policy-1"),
+		sources,
+		destination,
+		fw.ProtocolTCP,
+		nil,
+		nil,
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	require.Equal(t, rule1.ID(), rule2.ID(), "Should return same rule ID")
+
+	// Delete using first reference
+	err = manager.DeleteRouteRule(rule1)
+	require.NoError(t, err)
+
+	// Verify traffic no longer passes
+	srcIP := netip.MustParseAddr("100.64.1.5")
+	dstIP := netip.MustParseAddr("192.168.1.10")
+	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
+	assert.False(t, pass, "Traffic should not pass after rule deletion")
+}
+
+func setupTestManager(t *testing.T) *Manager {
+	t.Helper()
+
+	ctrl := gomock.NewController(t)
+	dev := mocks.NewMockDevice(ctrl)
+	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
+
+	wgNet := netip.MustParsePrefix("100.64.0.1/16")
+
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      wgNet.Addr(),
+				Network: wgNet,
+			}
+		},
+		GetDeviceFunc: func() *device.FilteredDevice {
+			return &device.FilteredDevice{Device: dev}
+		},
+		GetWGDeviceFunc: func() *wgdevice.Device {
+			return &wgdevice.Device{}
+		},
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	require.NoError(t, manager.EnableRouting())
+
+	t.Cleanup(func() {
+		require.NoError(t, manager.Close(nil))
+	})
+
+	return manager
+}
--- a/client/firewall/uspfilter/filter_test.go
+++ b/client/firewall/uspfilter/filter_test.go
@@ -263,6 +263,158 @@ func TestAddUDPPacketHook(t *testing.T) {
 	}
 }

+// TestPeerRuleLifecycleDenyRules verifies that deny rules are correctly added
+// to the deny map and can be cleanly deleted without leaving orphans.
+func TestPeerRuleLifecycleDenyRules(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}
+
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, m.Close(nil))
+	}()
+
+	ip := net.ParseIP("192.168.1.1")
+	addr := netip.MustParseAddr("192.168.1.1")
+
+	// Add multiple deny rules for different ports
+	rule1, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
+	require.NoError(t, err)
+
+	rule2, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+		&fw.Port{Values: []uint16{80}}, fw.ActionDrop, "")
+	require.NoError(t, err)
+
+	m.mutex.RLock()
+	denyCount := len(m.incomingDenyRules[addr])
+	m.mutex.RUnlock()
+	require.Equal(t, 2, denyCount, "Should have exactly 2 deny rules")
+
+	// Delete the first deny rule
+	err = m.DeletePeerRule(rule1[0])
+	require.NoError(t, err)
+
+	m.mutex.RLock()
+	denyCount = len(m.incomingDenyRules[addr])
+	m.mutex.RUnlock()
+	require.Equal(t, 1, denyCount, "Should have 1 deny rule after deleting first")
+
+	// Delete the second deny rule
+	err = m.DeletePeerRule(rule2[0])
+	require.NoError(t, err)
+
+	m.mutex.RLock()
+	_, exists := m.incomingDenyRules[addr]
+	m.mutex.RUnlock()
+	require.False(t, exists, "Deny rules IP entry should be cleaned up when empty")
+}
+
+// TestPeerRuleAddAndDeleteDontLeak verifies that repeatedly adding and deleting
+// peer rules (simulating network map updates) does not leak rules in the maps.
+func TestPeerRuleAddAndDeleteDontLeak(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}
+
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, m.Close(nil))
+	}()
+
+	ip := net.ParseIP("192.168.1.1")
+	addr := netip.MustParseAddr("192.168.1.1")
+
+	// Simulate 10 network map updates: add rule, delete old, add new
+	for i := 0; i < 10; i++ {
+		// Add a deny rule
+		rules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+			&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
+		require.NoError(t, err)
+
+		// Add an allow rule
+		allowRules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+			&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+		require.NoError(t, err)
+
+		// Delete them (simulating ACL manager cleanup)
+		for _, r := range rules {
+			require.NoError(t, m.DeletePeerRule(r))
+		}
+		for _, r := range allowRules {
+			require.NoError(t, m.DeletePeerRule(r))
+		}
+	}
+
+	m.mutex.RLock()
+	denyCount := len(m.incomingDenyRules[addr])
+	allowCount := len(m.incomingRules[addr])
+	m.mutex.RUnlock()
+
+	require.Equal(t, 0, denyCount, "No deny rules should remain after cleanup")
+	require.Equal(t, 0, allowCount, "No allow rules should remain after cleanup")
+}
+
+// TestMixedAllowDenyRulesSameIP verifies that allow and deny rules for the same
+// IP are stored in separate maps and don't interfere with each other.
+func TestMixedAllowDenyRulesSameIP(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}
+
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, m.Close(nil))
+	}()
+
+	ip := net.ParseIP("192.168.1.1")
+
+	// Add allow rule for port 80
+	allowRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+		&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+	require.NoError(t, err)
+
+	// Add deny rule for port 22
+	denyRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
+	require.NoError(t, err)
+
+	addr := netip.MustParseAddr("192.168.1.1")
+	m.mutex.RLock()
+	allowCount := len(m.incomingRules[addr])
+	denyCount := len(m.incomingDenyRules[addr])
+	m.mutex.RUnlock()
+
+	require.Equal(t, 1, allowCount, "Should have 1 allow rule")
+	require.Equal(t, 1, denyCount, "Should have 1 deny rule")
+
+	// Delete allow rule should not affect deny rule
+	err = m.DeletePeerRule(allowRule[0])
+	require.NoError(t, err)
+
+	m.mutex.RLock()
+	denyCountAfter := len(m.incomingDenyRules[addr])
+	m.mutex.RUnlock()
+
+	require.Equal(t, 1, denyCountAfter, "Deny rule should still exist after deleting allow rule")
+
+	// Delete deny rule
+	err = m.DeletePeerRule(denyRule[0])
+	require.NoError(t, err)
+
+	m.mutex.RLock()
+	_, denyExists := m.incomingDenyRules[addr]
+	_, allowExists := m.incomingRules[addr]
+	m.mutex.RUnlock()
+
+	require.False(t, denyExists, "Deny rules should be empty")
+	require.False(t, allowExists, "Allow rules should be empty")
+}
+
 func TestManagerReset(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
--- a/client/firewall/uspfilter/log/log.go
+++ b/client/firewall/uspfilter/log/log.go
@@ -5,6 +5,8 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"os"
+	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -16,9 +18,18 @@ const (
 	maxBatchSize         = 1024 * 16
 	maxMessageSize       = 1024 * 2
 	defaultFlushInterval = 2 * time.Second
-	logChannelSize       = 1000
+	defaultLogChanSize   = 1000
 )

+func getLogChannelSize() int {
+	if v := os.Getenv("NB_USPFILTER_LOG_BUFFER"); v != "" {
+		if n, err := strconv.Atoi(v); err == nil && n > 0 {
+			return n
+		}
+	}
+	return defaultLogChanSize
+}
+
 type Level uint32

 const (
@@ -69,7 +80,7 @@ type Logger struct {
 func NewFromLogrus(logrusLogger *log.Logger) *Logger {
 	l := &Logger{
 		output:     logrusLogger.Out,
-		msgChannel: make(chan logMessage, logChannelSize),
+		msgChannel: make(chan logMessage, getLogChannelSize()),
 		shutdown:   make(chan struct{}),
 		bufPool: sync.Pool{
 			New: func() any {
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -358,9 +358,9 @@ func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	// Fast path for IPv4 addresses (4 bytes) - most common case
 	if len(oldBytes) == 4 && len(newBytes) == 4 {
 		sum += uint32(^binary.BigEndian.Uint16(oldBytes[0:2]))
-		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4]))
+		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4])) //nolint:gosec // length checked above
 		sum += uint32(binary.BigEndian.Uint16(newBytes[0:2]))
-		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4]))
+		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4])) //nolint:gosec // length checked above
 	} else {
 		// Fallback for other lengths
 		for i := 0; i < len(oldBytes)-1; i += 2 {
--- a/client/iface/configurer/uapi.go
+++ b/client/iface/configurer/uapi.go
@@ -5,20 +5,18 @@ package configurer
 import (
 	"net"

-	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/ipc"
 )

 func openUAPI(deviceName string) (net.Listener, error) {
 	uapiSock, err := ipc.UAPIOpen(deviceName)
 	if err != nil {
-		log.Errorf("failed to open uapi socket: %v", err)
 		return nil, err
 	}

 	listener, err := ipc.UAPIListen(deviceName, uapiSock)
 	if err != nil {
-		log.Errorf("failed to listen on uapi socket: %v", err)
+		_ = uapiSock.Close()
 		return nil, err
 	}

--- a/client/iface/configurer/usp.go
+++ b/client/iface/configurer/usp.go
@@ -54,6 +54,14 @@ func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder
 	return wgCfg
 }

+func NewUSPConfigurerNoUAPI(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder) *WGUSPConfigurer {
+	return &WGUSPConfigurer{
+		device:           device,
+		deviceName:       deviceName,
+		activityRecorder: activityRecorder,
+	}
+}
+
 func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error {
 	log.Debugf("adding Wireguard private key")
 	key, err := wgtypes.ParseKey(privateKey)
--- a/client/iface/device/device_filter.go
+++ b/client/iface/device/device_filter.go
@@ -29,8 +29,9 @@ type PacketFilter interface {
 type FilteredDevice struct {
 	tun.Device

-	filter PacketFilter
-	mutex  sync.RWMutex
+	filter    PacketFilter
+	mutex     sync.RWMutex
+	closeOnce sync.Once
 }

 // newDeviceFilter constructor function
@@ -40,6 +41,20 @@ func newDeviceFilter(device tun.Device) *FilteredDevice {
 	}
 }

+// Close closes the underlying tun device exactly once.
+// wireguard-go's netTun.Close() panics on double-close due to a bare close(channel),
+// and multiple code paths can trigger Close on the same device.
+func (d *FilteredDevice) Close() error {
+	var err error
+	d.closeOnce.Do(func() {
+		err = d.Device.Close()
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // Read wraps read method with filtering feature
 func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, err error) {
 	if n, err = d.Device.Read(bufs, sizes, offset); err != nil {
--- a/client/iface/device/device_netstack.go
+++ b/client/iface/device/device_netstack.go
@@ -79,10 +79,12 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)

-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurerNoUAPI(t.device, t.name, t.bind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
-		_ = tunIface.Close()
+		if cErr := tunIface.Close(); cErr != nil {
+			log.Debugf("failed to close tun device: %v", cErr)
+		}
 		return nil, fmt.Errorf("error configuring interface: %s", err)
 	}

--- a/client/iface/iface.go
+++ b/client/iface/iface.go
@@ -18,6 +18,7 @@ import (
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/device"
+	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
@@ -228,6 +229,10 @@ func (w *WGIface) Close() error {
 		result = multierror.Append(result, fmt.Errorf("failed to close wireguard interface %s: %w", w.Name(), err))
 	}

+	if nbnetstack.IsEnabled() {
+		return errors.FormatErrorOrNil(result)
+	}
+
 	if err := w.waitUntilRemoved(); err != nil {
 		log.Warnf("failed to remove WireGuard interface %s: %v", w.Name(), err)
 		if err := w.Destroy(); err != nil {
--- a/client/iface/netstack/tun.go
+++ b/client/iface/netstack/tun.go
@@ -66,7 +66,7 @@ func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
 		}
 	}()

-	return nsTunDev, tunNet, nil
+	return t.tundev, tunNet, nil
 }

 func (t *NetStackTun) Close() error {
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -189,6 +189,212 @@ func TestDefaultManagerStateless(t *testing.T) {
 	})
 }

+// TestDenyRulesNotAccumulatedOnRepeatedApply verifies that applying the same
+// deny rules repeatedly does not accumulate duplicate rules in the uspfilter.
+// This tests the full ACL manager -> uspfilter integration.
+func TestDenyRulesNotAccumulatedOnRepeatedApply(t *testing.T) {
+	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+
+	networkMap := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_DROP,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "22",
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_DROP,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "80",
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "443",
+			},
+		},
+		FirewallRulesIsEmpty: false,
+	}
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
+	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
+	ifaceMock.EXPECT().SetFilter(gomock.Any())
+	network := netip.MustParsePrefix("172.0.0.1/32")
+	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
+	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
+		IP:      network.Addr(),
+		Network: network,
+	}).AnyTimes()
+	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
+
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, fw.Close(nil))
+	}()
+
+	acl := NewDefaultManager(fw)
+
+	// Apply the same rules 5 times (simulating repeated network map updates)
+	for i := 0; i < 5; i++ {
+		acl.ApplyFiltering(networkMap, false)
+	}
+
+	// The ACL manager should track exactly 3 rule pairs (2 deny + 1 accept inbound)
+	assert.Equal(t, 3, len(acl.peerRulesPairs),
+		"Should have exactly 3 rule pairs after 5 identical updates")
+}
+
+// TestDenyRulesCleanedUpOnRemoval verifies that deny rules are properly cleaned
+// up when they're removed from the network map in a subsequent update.
+func TestDenyRulesCleanedUpOnRemoval(t *testing.T) {
+	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
+	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
+	ifaceMock.EXPECT().SetFilter(gomock.Any())
+	network := netip.MustParsePrefix("172.0.0.1/32")
+	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
+	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
+		IP:      network.Addr(),
+		Network: network,
+	}).AnyTimes()
+	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
+
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, fw.Close(nil))
+	}()
+
+	acl := NewDefaultManager(fw)
+
+	// First update: add deny and accept rules
+	networkMap1 := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_DROP,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "22",
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "443",
+			},
+		},
+		FirewallRulesIsEmpty: false,
+	}
+
+	acl.ApplyFiltering(networkMap1, false)
+	assert.Equal(t, 2, len(acl.peerRulesPairs), "Should have 2 rules after first update")
+
+	// Second update: remove the deny rule, keep only accept
+	networkMap2 := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "443",
+			},
+		},
+		FirewallRulesIsEmpty: false,
+	}
+
+	acl.ApplyFiltering(networkMap2, false)
+	assert.Equal(t, 1, len(acl.peerRulesPairs),
+		"Should have 1 rule after removing deny rule")
+
+	// Third update: remove all rules
+	networkMap3 := &mgmProto.NetworkMap{
+		FirewallRules:        []*mgmProto.FirewallRule{},
+		FirewallRulesIsEmpty: true,
+	}
+
+	acl.ApplyFiltering(networkMap3, false)
+	assert.Equal(t, 0, len(acl.peerRulesPairs),
+		"Should have 0 rules after removing all rules")
+}
+
+// TestRuleUpdateChangingAction verifies that when a rule's action changes from
+// accept to deny (or vice versa), the old rule is properly removed and the new
+// one added without leaking.
+func TestRuleUpdateChangingAction(t *testing.T) {
+	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
+	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
+	ifaceMock.EXPECT().SetFilter(gomock.Any())
+	network := netip.MustParsePrefix("172.0.0.1/32")
+	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
+	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
+		IP:      network.Addr(),
+		Network: network,
+	}).AnyTimes()
+	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
+
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, fw.Close(nil))
+	}()
+
+	acl := NewDefaultManager(fw)
+
+	// First update: accept rule
+	networkMap := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "22",
+			},
+		},
+		FirewallRulesIsEmpty: false,
+	}
+	acl.ApplyFiltering(networkMap, false)
+	assert.Equal(t, 1, len(acl.peerRulesPairs))
+
+	// Second update: change to deny (same IP/port/proto, different action)
+	networkMap.FirewallRules = []*mgmProto.FirewallRule{
+		{
+			PeerIP:    "10.93.0.1",
+			Direction: mgmProto.RuleDirection_IN,
+			Action:    mgmProto.RuleAction_DROP,
+			Protocol:  mgmProto.RuleProtocol_TCP,
+			Port:      "22",
+		},
+	}
+	acl.ApplyFiltering(networkMap, false)
+
+	// Should still have exactly 1 rule (the old accept removed, new deny added)
+	assert.Equal(t, 1, len(acl.peerRulesPairs),
+		"Changing action should result in exactly 1 rule, not 2")
+}
+
 func TestPortInfoEmpty(t *testing.T) {
 	tests := []struct {
 		name     string
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -20,6 +20,7 @@ import (

 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -244,7 +245,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		localPeerState := peer.LocalPeerState{
 			IP:              loginResp.GetPeerConfig().GetAddress(),
 			PubKey:          myPrivateKey.PublicKey().String(),
-			KernelInterface: device.WireGuardModuleIsLoaded(),
+			KernelInterface: device.WireGuardModuleIsLoaded() && !netstack.IsEnabled(),
 			FQDN:            loginResp.GetPeerConfig().GetFqdn(),
 		}
 		c.statusRecorder.UpdateLocalPeerState(localPeerState)
--- a/client/internal/daemonaddr/resolve.go
+++ b/client/internal/daemonaddr/resolve.go
@@ -0,0 +1,60 @@
+//go:build !windows && !ios && !android
+
+package daemonaddr
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+var scanDir = "/var/run/netbird"
+
+// setScanDir overrides the scan directory (used by tests).
+func setScanDir(dir string) {
+	scanDir = dir
+}
+
+// ResolveUnixDaemonAddr checks whether the default Unix socket exists and, if not,
+// scans /var/run/netbird/ for a single .sock file to use instead. This handles the
+// mismatch between the netbird@.service template (which places the socket under
+// /var/run/netbird/<instance>.sock) and the CLI default (/var/run/netbird.sock).
+func ResolveUnixDaemonAddr(addr string) string {
+	if !strings.HasPrefix(addr, "unix://") {
+		return addr
+	}
+
+	sockPath := strings.TrimPrefix(addr, "unix://")
+	if _, err := os.Stat(sockPath); err == nil {
+		return addr
+	}
+
+	entries, err := os.ReadDir(scanDir)
+	if err != nil {
+		return addr
+	}
+
+	var found []string
+	for _, e := range entries {
+		if e.IsDir() {
+			continue
+		}
+		if strings.HasSuffix(e.Name(), ".sock") {
+			found = append(found, filepath.Join(scanDir, e.Name()))
+		}
+	}
+
+	switch len(found) {
+	case 1:
+		resolved := "unix://" + found[0]
+		log.Infof("Default daemon socket not found, using discovered socket: %s", resolved)
+		return resolved
+	case 0:
+		return addr
+	default:
+		log.Warnf("Default daemon socket not found and multiple sockets discovered in %s; pass --daemon-addr explicitly", scanDir)
+		return addr
+	}
+}
--- a/client/internal/daemonaddr/resolve_stub.go
+++ b/client/internal/daemonaddr/resolve_stub.go
@@ -0,0 +1,8 @@
+//go:build windows || ios || android
+
+package daemonaddr
+
+// ResolveUnixDaemonAddr is a no-op on platforms that don't use Unix sockets.
+func ResolveUnixDaemonAddr(addr string) string {
+	return addr
+}
--- a/client/internal/daemonaddr/resolve_test.go
+++ b/client/internal/daemonaddr/resolve_test.go
@@ -0,0 +1,121 @@
+//go:build !windows && !ios && !android
+
+package daemonaddr
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// createSockFile creates a regular file with a .sock extension.
+// ResolveUnixDaemonAddr uses os.Stat (not net.Dial), so a regular file is
+// sufficient and avoids Unix socket path-length limits on macOS.
+func createSockFile(t *testing.T, path string) {
+	t.Helper()
+	if err := os.WriteFile(path, nil, 0o600); err != nil {
+		t.Fatalf("failed to create test sock file at %s: %v", path, err)
+	}
+}
+
+func TestResolveUnixDaemonAddr_DefaultExists(t *testing.T) {
+	tmp := t.TempDir()
+	sock := filepath.Join(tmp, "netbird.sock")
+	createSockFile(t, sock)
+
+	addr := "unix://" + sock
+	got := ResolveUnixDaemonAddr(addr)
+	if got != addr {
+		t.Errorf("expected %s, got %s", addr, got)
+	}
+}
+
+func TestResolveUnixDaemonAddr_SingleDiscovered(t *testing.T) {
+	tmp := t.TempDir()
+
+	// Default socket does not exist
+	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
+
+	// Create a scan dir with one socket
+	sd := filepath.Join(tmp, "netbird")
+	if err := os.MkdirAll(sd, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	instanceSock := filepath.Join(sd, "main.sock")
+	createSockFile(t, instanceSock)
+
+	origScanDir := scanDir
+	setScanDir(sd)
+	t.Cleanup(func() { setScanDir(origScanDir) })
+
+	got := ResolveUnixDaemonAddr(defaultAddr)
+	expected := "unix://" + instanceSock
+	if got != expected {
+		t.Errorf("expected %s, got %s", expected, got)
+	}
+}
+
+func TestResolveUnixDaemonAddr_MultipleDiscovered(t *testing.T) {
+	tmp := t.TempDir()
+
+	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
+
+	sd := filepath.Join(tmp, "netbird")
+	if err := os.MkdirAll(sd, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	createSockFile(t, filepath.Join(sd, "main.sock"))
+	createSockFile(t, filepath.Join(sd, "other.sock"))
+
+	origScanDir := scanDir
+	setScanDir(sd)
+	t.Cleanup(func() { setScanDir(origScanDir) })
+
+	got := ResolveUnixDaemonAddr(defaultAddr)
+	if got != defaultAddr {
+		t.Errorf("expected original %s, got %s", defaultAddr, got)
+	}
+}
+
+func TestResolveUnixDaemonAddr_NoSocketsFound(t *testing.T) {
+	tmp := t.TempDir()
+
+	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
+
+	sd := filepath.Join(tmp, "netbird")
+	if err := os.MkdirAll(sd, 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	origScanDir := scanDir
+	setScanDir(sd)
+	t.Cleanup(func() { setScanDir(origScanDir) })
+
+	got := ResolveUnixDaemonAddr(defaultAddr)
+	if got != defaultAddr {
+		t.Errorf("expected original %s, got %s", defaultAddr, got)
+	}
+}
+
+func TestResolveUnixDaemonAddr_NonUnixAddr(t *testing.T) {
+	addr := "tcp://127.0.0.1:41731"
+	got := ResolveUnixDaemonAddr(addr)
+	if got != addr {
+		t.Errorf("expected %s, got %s", addr, got)
+	}
+}
+
+func TestResolveUnixDaemonAddr_ScanDirMissing(t *testing.T) {
+	tmp := t.TempDir()
+
+	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
+
+	origScanDir := scanDir
+	setScanDir(filepath.Join(tmp, "nonexistent"))
+	t.Cleanup(func() { setScanDir(origScanDir) })
+
+	got := ResolveUnixDaemonAddr(defaultAddr)
+	if got != defaultAddr {
+		t.Errorf("expected original %s, got %s", defaultAddr, got)
+	}
+}
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -14,6 +14,8 @@ import (
 	"strings"
 	"sync"

+	"github.com/hashicorp/go-multierror"
+	nberrors "github.com/netbirdio/netbird/client/errors"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"

@@ -22,6 +24,7 @@ import (

 const (
 	netbirdDNSStateKeyFormat            = "State:/Network/Service/NetBird-%s/DNS"
+	netbirdDNSStateKeyIndexedFormat     = "State:/Network/Service/NetBird-%s-%d/DNS"
 	globalIPv4State                     = "State:/Network/Global/IPv4"
 	primaryServiceStateKeyFormat        = "State:/Network/Service/%s/DNS"
 	keySupplementalMatchDomains         = "SupplementalMatchDomains"
@@ -35,6 +38,14 @@ const (
 	searchSuffix                        = "Search"
 	matchSuffix                         = "Match"
 	localSuffix                         = "Local"
+
+	// maxDomainsPerResolverEntry is the max number of domains per scutil resolver key.
+	// scutil's d.add has maxArgs=101 (key + * + 99 values), so 99 is the hard cap.
+	maxDomainsPerResolverEntry = 50
+
+	// maxDomainBytesPerResolverEntry is the max total bytes of domain strings per key.
+	// scutil has an undocumented ~2048 byte value buffer; we stay well under it.
+	maxDomainBytesPerResolverEntry = 1500
 )

 type systemConfigurator struct {
@@ -84,28 +95,23 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 		searchDomains = append(searchDomains, strings.TrimSuffix(""+dConf.Domain, "."))
 	}

-	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
-	var err error
-	if len(matchDomains) != 0 {
-		err = s.addMatchDomains(matchKey, strings.Join(matchDomains, " "), config.ServerIP, config.ServerPort)
-	} else {
-		log.Infof("removing match domains from the system")
-		err = s.removeKeyFromSystemConfig(matchKey)
+	if err := s.removeKeysContaining(matchSuffix); err != nil {
+		log.Warnf("failed to remove old match keys: %v", err)
 	}
-	if err != nil {
-		return fmt.Errorf("add match domains: %w", err)
+	if len(matchDomains) != 0 {
+		if err := s.addBatchedDomains(matchSuffix, matchDomains, config.ServerIP, config.ServerPort, false); err != nil {
+			return fmt.Errorf("add match domains: %w", err)
+		}
 	}
 	s.updateState(stateManager)

-	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
-	if len(searchDomains) != 0 {
-		err = s.addSearchDomains(searchKey, strings.Join(searchDomains, " "), config.ServerIP, config.ServerPort)
-	} else {
-		log.Infof("removing search domains from the system")
-		err = s.removeKeyFromSystemConfig(searchKey)
+	if err := s.removeKeysContaining(searchSuffix); err != nil {
+		log.Warnf("failed to remove old search keys: %v", err)
 	}
-	if err != nil {
-		return fmt.Errorf("add search domains: %w", err)
+	if len(searchDomains) != 0 {
+		if err := s.addBatchedDomains(searchSuffix, searchDomains, config.ServerIP, config.ServerPort, true); err != nil {
+			return fmt.Errorf("add search domains: %w", err)
+		}
 	}
 	s.updateState(stateManager)

@@ -149,8 +155,7 @@ func (s *systemConfigurator) restoreHostDNS() error {

 func (s *systemConfigurator) getRemovableKeysWithDefaults() []string {
 	if len(s.createdKeys) == 0 {
-		// return defaults for startup calls
-		return []string{getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix), getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)}
+		return s.discoverExistingKeys()
 	}

 	keys := make([]string, 0, len(s.createdKeys))
@@ -160,6 +165,47 @@ func (s *systemConfigurator) getRemovableKeysWithDefaults() []string {
 	return keys
 }

+// discoverExistingKeys probes scutil for all NetBird DNS keys that may exist.
+// This handles the case where createdKeys is empty (e.g., state file lost after unclean shutdown).
+func (s *systemConfigurator) discoverExistingKeys() []string {
+	dnsKeys, err := getSystemDNSKeys()
+	if err != nil {
+		log.Errorf("failed to get system DNS keys: %v", err)
+		return nil
+	}
+
+	var keys []string
+
+	for _, suffix := range []string{searchSuffix, matchSuffix, localSuffix} {
+		key := getKeyWithInput(netbirdDNSStateKeyFormat, suffix)
+		if strings.Contains(dnsKeys, key) {
+			keys = append(keys, key)
+		}
+	}
+
+	for _, suffix := range []string{searchSuffix, matchSuffix} {
+		for i := 0; ; i++ {
+			key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, suffix, i)
+			if !strings.Contains(dnsKeys, key) {
+				break
+			}
+			keys = append(keys, key)
+		}
+	}
+
+	return keys
+}
+
+// getSystemDNSKeys gets all DNS keys
+func getSystemDNSKeys() (string, error) {
+	command := "list .*DNS\nquit\n"
+	out, err := runSystemConfigCommand(command)
+	if err != nil {
+		return "", err
+	}
+	return string(out), nil
+}
+
 func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
 	line := buildRemoveKeyOperation(key)
 	_, err := runSystemConfigCommand(wrapCommand(line))
@@ -184,12 +230,11 @@ func (s *systemConfigurator) addLocalDNS() error {
 		return nil
 	}

-	if err := s.addSearchDomains(
-		localKey,
-		strings.Join(s.systemDNSSettings.Domains, " "), s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort,
-	); err != nil {
-		return fmt.Errorf("add search domains: %w", err)
+	domainsStr := strings.Join(s.systemDNSSettings.Domains, " ")
+	if err := s.addDNSState(localKey, domainsStr, s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort, true); err != nil {
+		return fmt.Errorf("add local dns state: %w", err)
 	}
+	s.createdKeys[localKey] = struct{}{}

 	return nil
 }
@@ -280,28 +325,77 @@ func (s *systemConfigurator) getOriginalNameservers() []netip.Addr {
 	return slices.Clone(s.origNameservers)
 }

-func (s *systemConfigurator) addSearchDomains(key, domains string, ip netip.Addr, port int) error {
-	err := s.addDNSState(key, domains, ip, port, true)
-	if err != nil {
-		return fmt.Errorf("add dns state: %w", err)
+// splitDomainsIntoBatches splits domains into batches respecting both element count and byte size limits.
+func splitDomainsIntoBatches(domains []string) [][]string {
+	if len(domains) == 0 {
+		return nil
 	}

-	log.Infof("added %d search domains to the state. Domain list: %s", len(strings.Split(domains, " ")), domains)
+	var batches [][]string
+	var current []string
+	currentBytes := 0

-	s.createdKeys[key] = struct{}{}
+	for _, d := range domains {
+		domainLen := len(d)
+		newBytes := currentBytes + domainLen
+		if currentBytes > 0 {
+			newBytes++ // space separator
+		}

-	return nil
+		if len(current) > 0 && (len(current) >= maxDomainsPerResolverEntry || newBytes > maxDomainBytesPerResolverEntry) {
+			batches = append(batches, current)
+			current = nil
+			currentBytes = 0
+		}
+
+		current = append(current, d)
+		if currentBytes > 0 {
+			currentBytes += 1 + domainLen
+		} else {
+			currentBytes = domainLen
+		}
+	}
+
+	if len(current) > 0 {
+		batches = append(batches, current)
+	}
+
+	return batches
 }

-func (s *systemConfigurator) addMatchDomains(key, domains string, dnsServer netip.Addr, port int) error {
-	err := s.addDNSState(key, domains, dnsServer, port, false)
-	if err != nil {
-		return fmt.Errorf("add dns state: %w", err)
+// removeKeysContaining removes all created keys that contain the given substring.
+func (s *systemConfigurator) removeKeysContaining(suffix string) error {
+	var toRemove []string
+	for key := range s.createdKeys {
+		if strings.Contains(key, suffix) {
+			toRemove = append(toRemove, key)
+		}
+	}
+	var multiErr *multierror.Error
+	for _, key := range toRemove {
+		if err := s.removeKeyFromSystemConfig(key); err != nil {
+			multiErr = multierror.Append(multiErr, fmt.Errorf("couldn't remove key %s: %w", key, err))
+		}
+	}
+	return nberrors.FormatErrorOrNil(multiErr)
+}
+
+// addBatchedDomains splits domains into batches and creates indexed scutil keys for each batch.
+func (s *systemConfigurator) addBatchedDomains(suffix string, domains []string, ip netip.Addr, port int, enableSearch bool) error {
+	batches := splitDomainsIntoBatches(domains)
+
+	for i, batch := range batches {
+		key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, suffix, i)
+		domainsStr := strings.Join(batch, " ")
+
+		if err := s.addDNSState(key, domainsStr, ip, port, enableSearch); err != nil {
+			return fmt.Errorf("add dns state for batch %d: %w", i, err)
+		}
+
+		s.createdKeys[key] = struct{}{}
 	}

-	log.Infof("added %d match domains to the state. Domain list: %s", len(strings.Split(domains, " ")), domains)
-
-	s.createdKeys[key] = struct{}{}
+	log.Infof("added %d %s domains across %d resolver entries", len(domains), suffix, len(batches))

 	return nil
 }
@@ -364,7 +458,6 @@ func (s *systemConfigurator) flushDNSCache() error {
 	if out, err := cmd.CombinedOutput(); err != nil {
 		return fmt.Errorf("restart mDNSResponder: %w, output: %s", err, out)
 	}
-
 	log.Info("flushed DNS cache")
 	return nil
 }
--- a/client/internal/dns/host_darwin_test.go
+++ b/client/internal/dns/host_darwin_test.go
@@ -3,7 +3,10 @@
 package dns

 import (
+	"bufio"
+	"bytes"
 	"context"
+	"fmt"
 	"net/netip"
 	"os/exec"
 	"path/filepath"
@@ -49,17 +52,22 @@ func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {

 	require.NoError(t, sm.PersistState(context.Background()))

-	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
-	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
 	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)

+	// Collect all created keys for cleanup verification
+	createdKeys := make([]string, 0, len(configurator.createdKeys))
+	for key := range configurator.createdKeys {
+		createdKeys = append(createdKeys, key)
+	}
+
 	defer func() {
-		for _, key := range []string{searchKey, matchKey, localKey} {
+		for _, key := range createdKeys {
 			_ = removeTestDNSKey(key)
 		}
+		_ = removeTestDNSKey(localKey)
 	}()

-	for _, key := range []string{searchKey, matchKey, localKey} {
+	for _, key := range createdKeys {
 		exists, err := checkDNSKeyExists(key)
 		require.NoError(t, err)
 		if exists {
@@ -83,13 +91,223 @@ func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {
 	err = shutdownState.Cleanup()
 	require.NoError(t, err)

-	for _, key := range []string{searchKey, matchKey, localKey} {
+	for _, key := range createdKeys {
 		exists, err := checkDNSKeyExists(key)
 		require.NoError(t, err)
 		assert.False(t, exists, "Key %s should NOT exist after cleanup", key)
 	}
 }

+// generateShortDomains generates domains like a.com, b.com, ..., aa.com, ab.com, etc.
+func generateShortDomains(count int) []string {
+	domains := make([]string, 0, count)
+	for i := range count {
+		label := ""
+		n := i
+		for {
+			label = string(rune('a'+n%26)) + label
+			n = n/26 - 1
+			if n < 0 {
+				break
+			}
+		}
+		domains = append(domains, label+".com")
+	}
+	return domains
+}
+
+// generateLongDomains generates domains like subdomain-000.department.organization-name.example.com
+func generateLongDomains(count int) []string {
+	domains := make([]string, 0, count)
+	for i := range count {
+		domains = append(domains, fmt.Sprintf("subdomain-%03d.department.organization-name.example.com", i))
+	}
+	return domains
+}
+
+// readDomainsFromKey reads the SupplementalMatchDomains array back from scutil for a given key.
+func readDomainsFromKey(t *testing.T, key string) []string {
+	t.Helper()
+
+	cmd := exec.Command(scutilPath)
+	cmd.Stdin = strings.NewReader(fmt.Sprintf("open\nshow %s\nquit\n", key))
+	out, err := cmd.Output()
+	require.NoError(t, err, "scutil show should succeed")
+
+	var domains []string
+	inArray := false
+	scanner := bufio.NewScanner(bytes.NewReader(out))
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if strings.HasPrefix(line, "SupplementalMatchDomains") && strings.Contains(line, "<array>") {
+			inArray = true
+			continue
+		}
+		if inArray {
+			if line == "}" {
+				break
+			}
+			// lines look like: "0 : a.com"
+			parts := strings.SplitN(line, " : ", 2)
+			if len(parts) == 2 {
+				domains = append(domains, parts[1])
+			}
+		}
+	}
+	require.NoError(t, scanner.Err())
+	return domains
+}
+
+func TestSplitDomainsIntoBatches(t *testing.T) {
+	tests := []struct {
+		name            string
+		domains         []string
+		expectedCount   int
+		checkAllPresent bool
+	}{
+		{
+			name:          "empty",
+			domains:       nil,
+			expectedCount: 0,
+		},
+		{
+			name:            "under_limit",
+			domains:         generateShortDomains(10),
+			expectedCount:   1,
+			checkAllPresent: true,
+		},
+		{
+			name:            "at_element_limit",
+			domains:         generateShortDomains(50),
+			expectedCount:   1,
+			checkAllPresent: true,
+		},
+		{
+			name:            "over_element_limit",
+			domains:         generateShortDomains(51),
+			expectedCount:   2,
+			checkAllPresent: true,
+		},
+		{
+			name:            "triple_element_limit",
+			domains:         generateShortDomains(150),
+			expectedCount:   3,
+			checkAllPresent: true,
+		},
+		{
+			name:            "long_domains_hit_byte_limit",
+			domains:         generateLongDomains(50),
+			checkAllPresent: true,
+		},
+		{
+			name:            "500_short_domains",
+			domains:         generateShortDomains(500),
+			expectedCount:   10,
+			checkAllPresent: true,
+		},
+		{
+			name:            "500_long_domains",
+			domains:         generateLongDomains(500),
+			checkAllPresent: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			batches := splitDomainsIntoBatches(tc.domains)
+
+			if tc.expectedCount > 0 {
+				assert.Len(t, batches, tc.expectedCount, "expected %d batches", tc.expectedCount)
+			}
+
+			// Verify each batch respects limits
+			for i, batch := range batches {
+				assert.LessOrEqual(t, len(batch), maxDomainsPerResolverEntry,
+					"batch %d exceeds element limit", i)
+
+				totalBytes := 0
+				for j, d := range batch {
+					if j > 0 {
+						totalBytes++
+					}
+					totalBytes += len(d)
+				}
+				assert.LessOrEqual(t, totalBytes, maxDomainBytesPerResolverEntry,
+					"batch %d exceeds byte limit (%d bytes)", i, totalBytes)
+			}
+
+			if tc.checkAllPresent {
+				var all []string
+				for _, batch := range batches {
+					all = append(all, batch...)
+				}
+				assert.Equal(t, tc.domains, all, "all domains should be present in order")
+			}
+		})
+	}
+}
+
+// TestMatchDomainBatching writes increasing numbers of domains via the batching mechanism
+// and verifies all domains are readable across multiple scutil keys.
+func TestMatchDomainBatching(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping scutil integration test in short mode")
+	}
+
+	testCases := []struct {
+		name      string
+		count     int
+		generator func(int) []string
+	}{
+		{"short_10", 10, generateShortDomains},
+		{"short_50", 50, generateShortDomains},
+		{"short_100", 100, generateShortDomains},
+		{"short_200", 200, generateShortDomains},
+		{"short_500", 500, generateShortDomains},
+		{"long_10", 10, generateLongDomains},
+		{"long_50", 50, generateLongDomains},
+		{"long_100", 100, generateLongDomains},
+		{"long_200", 200, generateLongDomains},
+		{"long_500", 500, generateLongDomains},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			configurator := &systemConfigurator{
+				createdKeys: make(map[string]struct{}),
+			}
+
+			defer func() {
+				for key := range configurator.createdKeys {
+					_ = removeTestDNSKey(key)
+				}
+			}()
+
+			domains := tc.generator(tc.count)
+			err := configurator.addBatchedDomains(matchSuffix, domains, netip.MustParseAddr("100.64.0.1"), 53, false)
+			require.NoError(t, err)
+
+			batches := splitDomainsIntoBatches(domains)
+			t.Logf("wrote %d domains across %d batched keys", tc.count, len(batches))
+
+			// Read back all domains from all batched keys
+			var got []string
+			for i := range batches {
+				key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, matchSuffix, i)
+				exists, err := checkDNSKeyExists(key)
+				require.NoError(t, err)
+				require.True(t, exists, "key %s should exist", key)
+
+				got = append(got, readDomainsFromKey(t, key)...)
+			}
+
+			t.Logf("read back %d/%d domains from %d keys", len(got), tc.count, len(batches))
+			assert.Equal(t, tc.count, len(got), "all domains should be readable")
+			assert.Equal(t, domains, got, "domains should match in order")
+		})
+	}
+}
+
 func checkDNSKeyExists(key string) (bool, error) {
 	cmd := exec.Command(scutilPath)
 	cmd.Stdin = strings.NewReader("show " + key + "\nquit\n")
@@ -158,15 +376,15 @@ func setupTestConfigurator(t *testing.T) (*systemConfigurator, *statemanager.Man
 		createdKeys: make(map[string]struct{}),
 	}

-	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
-	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
-	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
-
 	cleanup := func() {
 		_ = sm.Stop(context.Background())
-		for _, key := range []string{searchKey, matchKey, localKey} {
+		for key := range configurator.createdKeys {
 			_ = removeTestDNSKey(key)
 		}
+		// Also clean up old-format keys and local key in case they exist
+		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix))
+		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix))
+		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix))
 	}

 	return configurator, sm, cleanup
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -42,6 +42,8 @@ const (
 	dnsPolicyConfigConfigOptionsKey     = "ConfigOptions"
 	dnsPolicyConfigConfigOptionsValue   = 0x8

+	nrptMaxDomainsPerRule = 50
+
 	interfaceConfigPath          = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
 	interfaceConfigNameServerKey = "NameServer"
 	interfaceConfigSearchListKey = "SearchList"
@@ -198,10 +200,11 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager

 	if len(matchDomains) != 0 {
 		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
+		// Update count even on error to ensure cleanup covers partially created rules
+		r.nrptEntryCount = count
 		if err != nil {
 			return fmt.Errorf("add dns match policy: %w", err)
 		}
-		r.nrptEntryCount = count
 	} else {
 		r.nrptEntryCount = 0
 	}
@@ -239,23 +242,33 @@ func (r *registryConfigurator) addDNSSetupForAll(ip netip.Addr) error {
 func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr) (int, error) {
 	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
 	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
-	for i, domain := range domains {
-		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
-		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)

-		singleDomain := []string{domain}
+	// We need to batch domains into chunks and create one NRPT rule per batch.
+	ruleIndex := 0
+	for i := 0; i < len(domains); i += nrptMaxDomainsPerRule {
+		end := i + nrptMaxDomainsPerRule
+		if end > len(domains) {
+			end = len(domains)
+		}
+		batchDomains := domains[i:end]

-		if err := r.configureDNSPolicy(localPath, singleDomain, ip); err != nil {
-			return i, fmt.Errorf("configure DNS Local policy for domain %s: %w", domain, err)
+		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, ruleIndex)
+		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, ruleIndex)
+
+		if err := r.configureDNSPolicy(localPath, batchDomains, ip); err != nil {
+			return ruleIndex, fmt.Errorf("configure DNS Local policy for rule %d: %w", ruleIndex, err)
 		}

+		// Increment immediately so the caller's cleanup path knows about this rule
+		ruleIndex++
+
 		if r.gpo {
-			if err := r.configureDNSPolicy(gpoPath, singleDomain, ip); err != nil {
-				return i, fmt.Errorf("configure gpo DNS policy: %w", err)
+			if err := r.configureDNSPolicy(gpoPath, batchDomains, ip); err != nil {
+				return ruleIndex, fmt.Errorf("configure gpo DNS policy for rule %d: %w", ruleIndex-1, err)
 			}
 		}

-		log.Debugf("added NRPT entry for domain: %s", domain)
+		log.Debugf("added NRPT rule %d with %d domains", ruleIndex-1, len(batchDomains))
 	}

 	if r.gpo {
@@ -264,8 +277,8 @@ func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr
 		}
 	}

-	log.Infof("added %d separate NRPT entries. Domain list: %s", len(domains), domains)
-	return len(domains), nil
+	log.Infof("added %d NRPT rules for %d domains", ruleIndex, len(domains))
+	return ruleIndex, nil
 }

 func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []string, ip netip.Addr) error {
--- a/client/internal/dns/host_windows_test.go
+++ b/client/internal/dns/host_windows_test.go
@@ -12,6 +12,7 @@ import (

 // TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
 // when the number of match domains decreases between configuration changes.
+// With batching enabled (50 domains per rule), we need enough domains to create multiple rules.
 func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping registry integration test in short mode")
@@ -37,51 +38,60 @@ func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 		gpo:  false,
 	}

-	config5 := HostDNSConfig{
-		ServerIP: testIP,
-		Domains: []DomainConfig{
-			{Domain: "domain1.com", MatchOnly: true},
-			{Domain: "domain2.com", MatchOnly: true},
-			{Domain: "domain3.com", MatchOnly: true},
-			{Domain: "domain4.com", MatchOnly: true},
-			{Domain: "domain5.com", MatchOnly: true},
-		},
+	// Create 125 domains which will result in 3 NRPT rules (50+50+25)
+	domains125 := make([]DomainConfig, 125)
+	for i := 0; i < 125; i++ {
+		domains125[i] = DomainConfig{
+			Domain:    fmt.Sprintf("domain%d.com", i+1),
+			MatchOnly: true,
+		}
 	}

-	err = cfg.applyDNSConfig(config5, nil)
+	config125 := HostDNSConfig{
+		ServerIP: testIP,
+		Domains:  domains125,
+	}
+
+	err = cfg.applyDNSConfig(config125, nil)
 	require.NoError(t, err)

-	// Verify all 5 entries exist
-	for i := 0; i < 5; i++ {
+	// Verify 3 NRPT rules exist
+	assert.Equal(t, 3, cfg.nrptEntryCount, "Should create 3 NRPT rules for 125 domains")
+	for i := 0; i < 3; i++ {
 		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
 		require.NoError(t, err)
-		assert.True(t, exists, "Entry %d should exist after first config", i)
+		assert.True(t, exists, "NRPT rule %d should exist after first config", i)
 	}

-	config2 := HostDNSConfig{
+	// Reduce to 75 domains which will result in 2 NRPT rules (50+25)
+	domains75 := make([]DomainConfig, 75)
+	for i := 0; i < 75; i++ {
+		domains75[i] = DomainConfig{
+			Domain:    fmt.Sprintf("domain%d.com", i+1),
+			MatchOnly: true,
+		}
+	}
+
+	config75 := HostDNSConfig{
 		ServerIP: testIP,
-		Domains: []DomainConfig{
-			{Domain: "domain1.com", MatchOnly: true},
-			{Domain: "domain2.com", MatchOnly: true},
-		},
+		Domains:  domains75,
 	}

-	err = cfg.applyDNSConfig(config2, nil)
+	err = cfg.applyDNSConfig(config75, nil)
 	require.NoError(t, err)

-	// Verify first 2 entries exist
+	// Verify first 2 NRPT rules exist
+	assert.Equal(t, 2, cfg.nrptEntryCount, "Should create 2 NRPT rules for 75 domains")
 	for i := 0; i < 2; i++ {
 		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
 		require.NoError(t, err)
-		assert.True(t, exists, "Entry %d should exist after second config", i)
+		assert.True(t, exists, "NRPT rule %d should exist after second config", i)
 	}

-	// Verify entries 2-4 are cleaned up
-	for i := 2; i < 5; i++ {
-		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-		require.NoError(t, err)
-		assert.False(t, exists, "Entry %d should NOT exist after reducing to 2 domains", i)
-	}
+	// Verify rule 2 is cleaned up
+	exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, 2))
+	require.NoError(t, err)
+	assert.False(t, exists, "NRPT rule 2 should NOT exist after reducing to 75 domains")
 }

 func registryKeyExists(path string) (bool, error) {
@@ -97,6 +107,106 @@ func registryKeyExists(path string) (bool, error) {
 }

 func cleanupRegistryKeys(*testing.T) {
-	cfg := &registryConfigurator{nrptEntryCount: 10}
+	// Clean up more entries to account for batching tests with many domains
+	cfg := &registryConfigurator{nrptEntryCount: 20}
 	_ = cfg.removeDNSMatchPolicies()
 }
+
+// TestNRPTDomainBatching verifies that domains are correctly batched into NRPT rules.
+func TestNRPTDomainBatching(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping registry integration test in short mode")
+	}
+
+	defer cleanupRegistryKeys(t)
+	cleanupRegistryKeys(t)
+
+	testIP := netip.MustParseAddr("100.64.0.1")
+
+	// Create a test interface registry key so updateSearchDomains doesn't fail
+	testGUID := "{12345678-1234-1234-1234-123456789ABC}"
+	interfacePath := `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` + testGUID
+	testKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, interfacePath, registry.SET_VALUE)
+	require.NoError(t, err, "Should create test interface registry key")
+	testKey.Close()
+	defer func() {
+		_ = registry.DeleteKey(registry.LOCAL_MACHINE, interfacePath)
+	}()
+
+	cfg := &registryConfigurator{
+		guid: testGUID,
+		gpo:  false,
+	}
+
+	testCases := []struct {
+		name              string
+		domainCount       int
+		expectedRuleCount int
+	}{
+		{
+			name:              "Less than 50 domains (single rule)",
+			domainCount:       30,
+			expectedRuleCount: 1,
+		},
+		{
+			name:              "Exactly 50 domains (single rule)",
+			domainCount:       50,
+			expectedRuleCount: 1,
+		},
+		{
+			name:              "51 domains (two rules)",
+			domainCount:       51,
+			expectedRuleCount: 2,
+		},
+		{
+			name:              "100 domains (two rules)",
+			domainCount:       100,
+			expectedRuleCount: 2,
+		},
+		{
+			name:              "125 domains (three rules: 50+50+25)",
+			domainCount:       125,
+			expectedRuleCount: 3,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Clean up before each subtest
+			cleanupRegistryKeys(t)
+
+			// Generate domains
+			domains := make([]DomainConfig, tc.domainCount)
+			for i := 0; i < tc.domainCount; i++ {
+				domains[i] = DomainConfig{
+					Domain:    fmt.Sprintf("domain%d.com", i+1),
+					MatchOnly: true,
+				}
+			}
+
+			config := HostDNSConfig{
+				ServerIP: testIP,
+				Domains:  domains,
+			}
+
+			err := cfg.applyDNSConfig(config, nil)
+			require.NoError(t, err)
+
+			// Verify that exactly expectedRuleCount rules were created
+			assert.Equal(t, tc.expectedRuleCount, cfg.nrptEntryCount,
+				"Should create %d NRPT rules for %d domains", tc.expectedRuleCount, tc.domainCount)
+
+			// Verify all expected rules exist
+			for i := 0; i < tc.expectedRuleCount; i++ {
+				exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
+				require.NoError(t, err)
+				assert.True(t, exists, "NRPT rule %d should exist", i)
+			}
+
+			// Verify no extra rules were created
+			exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, tc.expectedRuleCount))
+			require.NoError(t, err)
+			assert.False(t, exists, "No NRPT rule should exist at index %d", tc.expectedRuleCount)
+		})
+	}
+}
--- a/client/internal/dns/mgmt/mgmt.go
+++ b/client/internal/dns/mgmt/mgmt.go
@@ -376,9 +376,9 @@ func (m *Resolver) extractDomainsFromServerDomains(serverDomains dnsconfig.Serve
 		}
 	}

-	if serverDomains.Flow != "" {
-		domains = append(domains, serverDomains.Flow)
-	}
+	// Flow receiver domain is intentionally excluded from caching.
+	// Cloud providers may rotate the IP behind this domain; a stale cached record
+	// causes TLS certificate verification failures on reconnect.

 	for _, stun := range serverDomains.Stuns {
 		if stun != "" {
--- a/client/internal/dns/mgmt/mgmt_test.go
+++ b/client/internal/dns/mgmt/mgmt_test.go
@@ -391,7 +391,8 @@ func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
 	}
 	assert.Len(t, resolver.GetCachedDomains(), 3)

-	// Update with partial ServerDomains (only flow domain - new type, should preserve all existing)
+	// Update with partial ServerDomains (only flow domain - flow is intentionally excluded from
+	// caching to prevent TLS failures from stale records, so all existing domains are preserved)
 	partialDomains := dnsconfig.ServerDomains{
 		Flow: "github.com",
 	}
@@ -400,10 +401,10 @@ func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
 		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
 	}

-	assert.Len(t, removedDomains, 0, "Should not remove any domains when adding new type")
+	assert.Len(t, removedDomains, 0, "Should not remove any domains when only flow domain is provided")

 	finalDomains := resolver.GetCachedDomains()
-	assert.Len(t, finalDomains, 4, "Should have all original domains plus new flow domain")
+	assert.Len(t, finalDomains, 3, "Flow domain is not cached; all original domains should be preserved")

 	domainStrings := make([]string, len(finalDomains))
 	for i, d := range finalDomains {
@@ -412,5 +413,5 @@ func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
 	assert.Contains(t, domainStrings, "example.org")
 	assert.Contains(t, domainStrings, "google.com")
 	assert.Contains(t, domainStrings, "cloudflare.com")
-	assert.Contains(t, domainStrings, "github.com")
+	assert.NotContains(t, domainStrings, "github.com")
 }
--- a/client/internal/dns/mock_server.go
+++ b/client/internal/dns/mock_server.go
@@ -84,3 +84,18 @@ func (m *MockServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
 func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	return nil
 }
+
+// BeginBatch mock implementation of BeginBatch from Server interface
+func (m *MockServer) BeginBatch() {
+	// Mock implementation - no-op
+}
+
+// EndBatch mock implementation of EndBatch from Server interface
+func (m *MockServer) EndBatch() {
+	// Mock implementation - no-op
+}
+
+// CancelBatch mock implementation of CancelBatch from Server interface
+func (m *MockServer) CancelBatch() {
+	// Mock implementation - no-op
+}
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -6,7 +6,9 @@ import (
 	"fmt"
 	"net/netip"
 	"net/url"
+	"os"
 	"runtime"
+	"strconv"
 	"strings"
 	"sync"

@@ -27,6 +29,8 @@ import (
 	"github.com/netbirdio/netbird/shared/management/domain"
 )

+const envSkipDNSProbe = "NB_SKIP_DNS_PROBE"
+
 // ReadyListener is a notification mechanism what indicate the server is ready to handle host dns address changes
 type ReadyListener interface {
 	OnReady()
@@ -41,6 +45,9 @@ type IosDnsManager interface {
 type Server interface {
 	RegisterHandler(domains domain.List, handler dns.Handler, priority int)
 	DeregisterHandler(domains domain.List, priority int)
+	BeginBatch()
+	EndBatch()
+	CancelBatch()
 	Initialize() error
 	Stop()
 	DnsIP() netip.Addr
@@ -83,6 +90,7 @@ type DefaultServer struct {
 	currentConfigHash  uint64
 	handlerChain       *HandlerChain
 	extraDomains       map[domain.Domain]int
+	batchMode          bool

 	mgmtCacheResolver *mgmt.Resolver

@@ -230,7 +238,9 @@ func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler
 		// convert to zone with simple ref counter
 		s.extraDomains[toZone(domain)]++
 	}
-	s.applyHostConfig()
+	if !s.batchMode {
+		s.applyHostConfig()
+	}
 }

 func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, priority int) {
@@ -259,9 +269,41 @@ func (s *DefaultServer) DeregisterHandler(domains domain.List, priority int) {
 			delete(s.extraDomains, zone)
 		}
 	}
+	if !s.batchMode {
+		s.applyHostConfig()
+	}
+}
+
+// BeginBatch starts batch mode for DNS handler registration/deregistration.
+// In batch mode, applyHostConfig() is not called after each handler operation,
+// allowing multiple handlers to be registered/deregistered efficiently.
+// Must be followed by EndBatch() to apply the accumulated changes.
+func (s *DefaultServer) BeginBatch() {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+	log.Debugf("DNS batch mode enabled")
+	s.batchMode = true
+}
+
+// EndBatch ends batch mode and applies all accumulated DNS configuration changes.
+func (s *DefaultServer) EndBatch() {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+	log.Debugf("DNS batch mode disabled, applying accumulated changes")
+	s.batchMode = false
 	s.applyHostConfig()
 }

+// CancelBatch cancels batch mode without applying accumulated changes.
+// This is useful when operations fail partway through and you want to
+// discard partial state rather than applying it.
+func (s *DefaultServer) CancelBatch() {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+	log.Debugf("DNS batch mode cancelled, discarding accumulated changes")
+	s.batchMode = false
+}
+
 func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
 	log.Debugf("deregistering handler with priority %d for %v", priority, domains)

@@ -439,6 +481,17 @@ func (s *DefaultServer) SearchDomains() []string {
 // ProbeAvailability tests each upstream group's servers for availability
 // and deactivates the group if no server responds
 func (s *DefaultServer) ProbeAvailability() {
+	if val := os.Getenv(envSkipDNSProbe); val != "" {
+		skipProbe, err := strconv.ParseBool(val)
+		if err != nil {
+			log.Warnf("failed to parse %s: %v", envSkipDNSProbe, err)
+		}
+		if skipProbe {
+			log.Infof("skipping DNS probe due to %s", envSkipDNSProbe)
+			return
+		}
+	}
+
 	var wg sync.WaitGroup
 	for _, mux := range s.dnsMuxMap {
 		wg.Add(1)
@@ -508,6 +561,7 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 		s.currentConfig.RouteAll = false
 	}

+	// Always apply host config for management updates, regardless of batch mode
 	s.applyHostConfig()

 	s.shutdownWg.Add(1)
@@ -872,6 +926,7 @@ func (s *DefaultServer) upstreamCallbacks(
 			}
 		}

+		// Always apply host config when nameserver goes down, regardless of batch mode
 		s.applyHostConfig()

 		go func() {
@@ -907,6 +962,7 @@ func (s *DefaultServer) upstreamCallbacks(
 			s.registerHandler([]string{nbdns.RootZone}, handler, priority)
 		}

+		// Always apply host config when nameserver reactivates, regardless of batch mode
 		s.applyHostConfig()

 		s.updateNSState(nsGroup, nil, true)
--- a/client/internal/dns/server_export_test.go
+++ b/client/internal/dns/server_export_test.go
@@ -18,7 +18,12 @@ func TestGetServerDns(t *testing.T) {
 		t.Errorf("invalid dns server instance: %s", err)
 	}

-	if srvB != srv {
+	mockSrvB, ok := srvB.(*MockServer)
+	if !ok {
+		t.Errorf("returned server is not a MockServer")
+	}
+
+	if mockSrvB != srv {
 		t.Errorf("mismatch dns instances")
 	}
 }
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -351,9 +351,13 @@ func (u *upstreamResolverBase) waitUntilResponse() {
 		return fmt.Errorf("upstream check call error")
 	}

-	err := backoff.Retry(operation, exponentialBackOff)
+	err := backoff.Retry(operation, backoff.WithContext(exponentialBackOff, u.ctx))
 	if err != nil {
-		log.Warn(err)
+		if errors.Is(err, context.Canceled) {
+			log.Debugf("upstream retry loop exited for upstreams %s", u.upstreamServersString())
+		} else {
+			log.Warnf("upstream retry loop exited for upstreams %s: %v", u.upstreamServersString(), err)
+		}
 		return
 	}

--- a/client/internal/dnsfwd/forwarder.go
+++ b/client/internal/dnsfwd/forwarder.go
@@ -190,50 +190,75 @@ func (f *DNSForwarder) Close(ctx context.Context) error {
 	return nberrors.FormatErrorOrNil(result)
 }

-func (f *DNSForwarder) handleDNSQuery(logger *log.Entry, w dns.ResponseWriter, query *dns.Msg) *dns.Msg {
+func (f *DNSForwarder) handleDNSQuery(logger *log.Entry, w dns.ResponseWriter, query *dns.Msg, startTime time.Time) {
 	if len(query.Question) == 0 {
-		return nil
+		return
 	}
 	question := query.Question[0]
-	logger.Tracef("received DNS request for DNS forwarder: domain=%s type=%s class=%s",
-		question.Name, dns.TypeToString[question.Qtype], dns.ClassToString[question.Qclass])
+	qname := strings.ToLower(question.Name)

-	domain := strings.ToLower(question.Name)
+	logger.Tracef("question: domain=%s type=%s class=%s",
+		qname, dns.TypeToString[question.Qtype], dns.ClassToString[question.Qclass])

 	resp := query.SetReply(query)
 	network := resutil.NetworkForQtype(question.Qtype)
 	if network == "" {
 		resp.Rcode = dns.RcodeNotImplemented
-		if err := w.WriteMsg(resp); err != nil {
-			logger.Errorf("failed to write DNS response: %v", err)
-		}
-		return nil
+		f.writeResponse(logger, w, resp, qname, startTime)
+		return
 	}

-	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(domain, "."))
-	// query doesn't match any configured domain
+	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(qname, "."))
 	if mostSpecificResId == "" {
 		resp.Rcode = dns.RcodeRefused
-		if err := w.WriteMsg(resp); err != nil {
-			logger.Errorf("failed to write DNS response: %v", err)
-		}
-		return nil
+		f.writeResponse(logger, w, resp, qname, startTime)
+		return
 	}

 	ctx, cancel := context.WithTimeout(context.Background(), upstreamTimeout)
 	defer cancel()

-	result := resutil.LookupIP(ctx, f.resolver, network, domain, question.Qtype)
+	result := resutil.LookupIP(ctx, f.resolver, network, qname, question.Qtype)
 	if result.Err != nil {
-		f.handleDNSError(ctx, logger, w, question, resp, domain, result)
-		return nil
+		f.handleDNSError(ctx, logger, w, question, resp, qname, result, startTime)
+		return
 	}

 	f.updateInternalState(result.IPs, mostSpecificResId, matchingEntries)
-	resp.Answer = append(resp.Answer, resutil.IPsToRRs(domain, result.IPs, f.ttl)...)
-	f.cache.set(domain, question.Qtype, result.IPs)
+	resp.Answer = append(resp.Answer, resutil.IPsToRRs(qname, result.IPs, f.ttl)...)
+	f.cache.set(qname, question.Qtype, result.IPs)

-	return resp
+	f.writeResponse(logger, w, resp, qname, startTime)
+}
+
+func (f *DNSForwarder) writeResponse(logger *log.Entry, w dns.ResponseWriter, resp *dns.Msg, qname string, startTime time.Time) {
+	if err := w.WriteMsg(resp); err != nil {
+		logger.Errorf("failed to write DNS response: %v", err)
+		return
+	}
+
+	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
+		qname, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
+}
+
+// udpResponseWriter wraps a dns.ResponseWriter to handle UDP-specific truncation.
+type udpResponseWriter struct {
+	dns.ResponseWriter
+	query *dns.Msg
+}
+
+func (u *udpResponseWriter) WriteMsg(resp *dns.Msg) error {
+	opt := u.query.IsEdns0()
+	maxSize := dns.MinMsgSize
+	if opt != nil {
+		maxSize = int(opt.UDPSize())
+	}
+
+	if resp.Len() > maxSize {
+		resp.Truncate(maxSize)
+	}
+
+	return u.ResponseWriter.WriteMsg(resp)
 }

 func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
@@ -243,30 +268,7 @@ func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
 		"dns_id":     fmt.Sprintf("%04x", query.Id),
 	})

-	resp := f.handleDNSQuery(logger, w, query)
-	if resp == nil {
-		return
-	}
-
-	opt := query.IsEdns0()
-	maxSize := dns.MinMsgSize
-	if opt != nil {
-		// client advertised a larger EDNS0 buffer
-		maxSize = int(opt.UDPSize())
-	}
-
-	// if our response is too big, truncate and set the TC bit
-	if resp.Len() > maxSize {
-		resp.Truncate(maxSize)
-	}
-
-	if err := w.WriteMsg(resp); err != nil {
-		logger.Errorf("failed to write DNS response: %v", err)
-		return
-	}
-
-	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
-		query.Question[0].Name, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
+	f.handleDNSQuery(logger, &udpResponseWriter{ResponseWriter: w, query: query}, query, startTime)
 }

 func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
@@ -276,18 +278,7 @@ func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
 		"dns_id":     fmt.Sprintf("%04x", query.Id),
 	})

-	resp := f.handleDNSQuery(logger, w, query)
-	if resp == nil {
-		return
-	}
-
-	if err := w.WriteMsg(resp); err != nil {
-		logger.Errorf("failed to write DNS response: %v", err)
-		return
-	}
-
-	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
-		query.Question[0].Name, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
+	f.handleDNSQuery(logger, w, query, startTime)
 }

 func (f *DNSForwarder) updateInternalState(ips []netip.Addr, mostSpecificResId route.ResID, matchingEntries []*ForwarderEntry) {
@@ -334,6 +325,7 @@ func (f *DNSForwarder) handleDNSError(
 	resp *dns.Msg,
 	domain string,
 	result resutil.LookupResult,
+	startTime time.Time,
 ) {
 	qType := question.Qtype
 	qTypeName := dns.TypeToString[qType]
@@ -343,9 +335,7 @@ func (f *DNSForwarder) handleDNSError(
 	// NotFound: cache negative result and respond
 	if result.Rcode == dns.RcodeNameError || result.Rcode == dns.RcodeSuccess {
 		f.cache.set(domain, question.Qtype, nil)
-		if writeErr := w.WriteMsg(resp); writeErr != nil {
-			logger.Errorf("failed to write failure DNS response: %v", writeErr)
-		}
+		f.writeResponse(logger, w, resp, domain, startTime)
 		return
 	}

@@ -355,9 +345,7 @@ func (f *DNSForwarder) handleDNSError(
 			logger.Debugf("serving cached DNS response after upstream failure: domain=%s type=%s", domain, qTypeName)
 			resp.Answer = append(resp.Answer, resutil.IPsToRRs(domain, ips, f.ttl)...)
 			resp.Rcode = dns.RcodeSuccess
-			if writeErr := w.WriteMsg(resp); writeErr != nil {
-				logger.Errorf("failed to write cached DNS response: %v", writeErr)
-			}
+			f.writeResponse(logger, w, resp, domain, startTime)
 			return
 		}

@@ -365,9 +353,7 @@ func (f *DNSForwarder) handleDNSError(
 		verifyResult := resutil.LookupIP(ctx, f.resolver, resutil.NetworkForQtype(qType), domain, qType)
 		if verifyResult.Rcode == dns.RcodeNameError || verifyResult.Rcode == dns.RcodeSuccess {
 			resp.Rcode = verifyResult.Rcode
-			if writeErr := w.WriteMsg(resp); writeErr != nil {
-				logger.Errorf("failed to write failure DNS response: %v", writeErr)
-			}
+			f.writeResponse(logger, w, resp, domain, startTime)
 			return
 		}
 	}
@@ -375,15 +361,12 @@ func (f *DNSForwarder) handleDNSError(
 	// No cache or verification failed. Log with or without the server field for more context.
 	var dnsErr *net.DNSError
 	if errors.As(result.Err, &dnsErr) && dnsErr.Server != "" {
-		logger.Warnf("failed to resolve: type=%s domain=%s server=%s: %v", qTypeName, domain, dnsErr.Server, result.Err)
+		logger.Warnf("upstream failure: type=%s domain=%s server=%s: %v", qTypeName, domain, dnsErr.Server, result.Err)
 	} else {
 		logger.Warnf(errResolveFailed, domain, result.Err)
 	}

-	// Write final failure response.
-	if writeErr := w.WriteMsg(resp); writeErr != nil {
-		logger.Errorf("failed to write failure DNS response: %v", writeErr)
-	}
+	f.writeResponse(logger, w, resp, domain, startTime)
 }

 // getMatchingEntries retrieves the resource IDs for a given domain.
--- a/client/internal/dnsfwd/forwarder_test.go
+++ b/client/internal/dnsfwd/forwarder_test.go
@@ -318,8 +318,9 @@ func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
 			query.SetQuestion(dns.Fqdn(tt.queryDomain), dns.TypeA)

 			mockWriter := &test.MockResponseWriter{}
-			resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
+			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())

+			resp := mockWriter.GetLastResponse()
 			if tt.shouldResolve {
 				require.NotNil(t, resp, "Expected response for authorized domain")
 				require.Equal(t, dns.RcodeSuccess, resp.Rcode, "Expected successful response")
@@ -329,10 +330,9 @@ func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
 				mockFirewall.AssertExpectations(t)
 				mockResolver.AssertExpectations(t)
 			} else {
-				if resp != nil {
-					assert.True(t, len(resp.Answer) == 0 || resp.Rcode != dns.RcodeSuccess,
-						"Unauthorized domain should not return successful answers")
-				}
+				require.NotNil(t, resp, "Expected response")
+				assert.True(t, len(resp.Answer) == 0 || resp.Rcode != dns.RcodeSuccess,
+					"Unauthorized domain should not return successful answers")
 				mockFirewall.AssertNotCalled(t, "UpdateSet")
 				mockResolver.AssertNotCalled(t, "LookupNetIP")
 			}
@@ -466,14 +466,16 @@ func TestDNSForwarder_FirewallSetUpdates(t *testing.T) {
 			dnsQuery.SetQuestion(dns.Fqdn(tt.query), dns.TypeA)

 			mockWriter := &test.MockResponseWriter{}
-			resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, dnsQuery)
+			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, dnsQuery, time.Now())

 			// Verify response
+			resp := mockWriter.GetLastResponse()
 			if tt.shouldResolve {
 				require.NotNil(t, resp, "Expected response for authorized domain")
 				require.Equal(t, dns.RcodeSuccess, resp.Rcode)
 				require.NotEmpty(t, resp.Answer)
-			} else if resp != nil {
+			} else {
+				require.NotNil(t, resp, "Expected response")
 				assert.True(t, resp.Rcode == dns.RcodeRefused || len(resp.Answer) == 0,
 					"Unauthorized domain should be refused or have no answers")
 			}
@@ -528,9 +530,10 @@ func TestDNSForwarder_MultipleIPsInSingleUpdate(t *testing.T) {
 	query.SetQuestion("example.com.", dns.TypeA)

 	mockWriter := &test.MockResponseWriter{}
-	resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())

 	// Verify response contains all IPs
+	resp := mockWriter.GetLastResponse()
 	require.NotNil(t, resp)
 	require.Equal(t, dns.RcodeSuccess, resp.Rcode)
 	require.Len(t, resp.Answer, 3, "Should have 3 answer records")
@@ -605,7 +608,7 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 				},
 			}

-			_ = forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
+			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())

 			// Check the response written to the writer
 			require.NotNil(t, writtenResp, "Expected response to be written")
@@ -675,7 +678,8 @@ func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 	q1 := &dns.Msg{}
 	q1.SetQuestion(dns.Fqdn("example.com"), dns.TypeA)
 	w1 := &test.MockResponseWriter{}
-	resp1 := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1)
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1, time.Now())
+	resp1 := w1.GetLastResponse()
 	require.NotNil(t, resp1)
 	require.Equal(t, dns.RcodeSuccess, resp1.Rcode)
 	require.Len(t, resp1.Answer, 1)
@@ -683,13 +687,13 @@ func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 	// Second query: serve from cache after upstream failure
 	q2 := &dns.Msg{}
 	q2.SetQuestion(dns.Fqdn("example.com"), dns.TypeA)
-	var writtenResp *dns.Msg
-	w2 := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { writtenResp = m; return nil }}
-	_ = forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2)
+	w2 := &test.MockResponseWriter{}
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2, time.Now())

-	require.NotNil(t, writtenResp, "expected response to be written")
-	require.Equal(t, dns.RcodeSuccess, writtenResp.Rcode)
-	require.Len(t, writtenResp.Answer, 1)
+	resp2 := w2.GetLastResponse()
+	require.NotNil(t, resp2, "expected response to be written")
+	require.Equal(t, dns.RcodeSuccess, resp2.Rcode)
+	require.Len(t, resp2.Answer, 1)

 	mockResolver.AssertExpectations(t)
 }
@@ -715,7 +719,8 @@ func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {
 	q1 := &dns.Msg{}
 	q1.SetQuestion(mixedQuery+".", dns.TypeA)
 	w1 := &test.MockResponseWriter{}
-	resp1 := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1)
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1, time.Now())
+	resp1 := w1.GetLastResponse()
 	require.NotNil(t, resp1)
 	require.Equal(t, dns.RcodeSuccess, resp1.Rcode)
 	require.Len(t, resp1.Answer, 1)
@@ -727,13 +732,13 @@ func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {

 	q2 := &dns.Msg{}
 	q2.SetQuestion("EXAMPLE.COM", dns.TypeA)
-	var writtenResp *dns.Msg
-	w2 := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { writtenResp = m; return nil }}
-	_ = forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2)
+	w2 := &test.MockResponseWriter{}
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2, time.Now())

-	require.NotNil(t, writtenResp)
-	require.Equal(t, dns.RcodeSuccess, writtenResp.Rcode)
-	require.Len(t, writtenResp.Answer, 1)
+	resp2 := w2.GetLastResponse()
+	require.NotNil(t, resp2)
+	require.Equal(t, dns.RcodeSuccess, resp2.Rcode)
+	require.Len(t, resp2.Answer, 1)

 	mockResolver.AssertExpectations(t)
 }
@@ -784,8 +789,9 @@ func TestDNSForwarder_MultipleOverlappingPatterns(t *testing.T) {
 	query.SetQuestion("smtp.mail.example.com.", dns.TypeA)

 	mockWriter := &test.MockResponseWriter{}
-	resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())

+	resp := mockWriter.GetLastResponse()
 	require.NotNil(t, resp)
 	assert.Equal(t, dns.RcodeSuccess, resp.Rcode)

@@ -897,26 +903,15 @@ func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {
 			query := &dns.Msg{}
 			query.SetQuestion(dns.Fqdn("example.com"), tt.queryType)

-			var writtenResp *dns.Msg
-			mockWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					writtenResp = m
-					return nil
-				},
-			}
+			mockWriter := &test.MockResponseWriter{}
+			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())

-			resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
-
-			// If a response was returned, it means it should be written (happens in wrapper functions)
-			if resp != nil && writtenResp == nil {
-				writtenResp = resp
-			}
-
-			require.NotNil(t, writtenResp, "Expected response to be written")
-			assert.Equal(t, tt.expectedCode, writtenResp.Rcode, tt.description)
+			resp := mockWriter.GetLastResponse()
+			require.NotNil(t, resp, "Expected response to be written")
+			assert.Equal(t, tt.expectedCode, resp.Rcode, tt.description)

 			if tt.expectNoAnswer {
-				assert.Empty(t, writtenResp.Answer, "Response should have no answer records")
+				assert.Empty(t, resp.Answer, "Response should have no answer records")
 			}

 			mockResolver.AssertExpectations(t)
@@ -931,15 +926,8 @@ func TestDNSForwarder_EmptyQuery(t *testing.T) {
 	query := &dns.Msg{}
 	// Don't set any question

-	writeCalled := false
-	mockWriter := &test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error {
-			writeCalled = true
-			return nil
-		},
-	}
-	resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
+	mockWriter := &test.MockResponseWriter{}
+	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())

-	assert.Nil(t, resp, "Should return nil for empty query")
-	assert.False(t, writeCalled, "Should not write response for empty query")
+	assert.Nil(t, mockWriter.GetLastResponse(), "Should not write response for empty query")
 }
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -29,12 +29,14 @@ import (
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
+	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
+	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
 	"github.com/netbirdio/netbird/client/internal/netflow"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
@@ -52,13 +54,11 @@ import (
 	"github.com/netbirdio/netbird/client/internal/updatemanager"
 	"github.com/netbirdio/netbird/client/jobexec"
 	cProto "github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/shared/management/domain"
-	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
-
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
+	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	auth "github.com/netbirdio/netbird/shared/relay/auth/hmac"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
@@ -74,7 +74,6 @@ import (
 const (
 	PeerConnectionTimeoutMax = 45000 // ms
 	PeerConnectionTimeoutMin = 30000 // ms
-	connInitLimit            = 200
 	disableAutoUpdate        = "disabled"
 )

@@ -207,7 +206,6 @@ type Engine struct {
 	syncRespMux         sync.RWMutex
 	persistSyncResponse bool
 	latestSyncResponse  *mgmProto.SyncResponse
-	connSemaphore       *semaphoregroup.SemaphoreGroup
 	flowManager         nftypes.FlowManager

 	// auto-update
@@ -223,6 +221,8 @@ type Engine struct {

 	jobExecutor   *jobexec.Executor
 	jobExecutorWG sync.WaitGroup
+
+	exposeManager *expose.Manager
 }

 // Peer is an instance of the Connection Peer
@@ -265,7 +265,6 @@ func NewEngine(
 		statusRecorder: statusRecorder,
 		stateManager:   stateManager,
 		checks:         checks,
-		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
 		probeStunTurn:  relay.NewStunTurnProbe(relay.DefaultCacheTTL),
 		jobExecutor:    jobexec.NewExecutor(),
 	}
@@ -418,6 +417,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 		e.cancel()
 	}
 	e.ctx, e.cancel = context.WithCancel(e.clientCtx)
+	e.exposeManager = expose.NewManager(e.ctx, e.mgmClient)

 	wgIface, err := e.newWgIface()
 	if err != nil {
@@ -543,11 +543,12 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	// monitor WireGuard interface lifecycle and restart engine on changes
 	e.wgIfaceMonitor = NewWGIfaceMonitor()
 	e.shutdownWg.Add(1)
+	wgIfaceName := e.wgInterface.Name()

 	go func() {
 		defer e.shutdownWg.Done()

-		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, e.wgInterface.Name()); shouldRestart {
+		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, wgIfaceName); shouldRestart {
 			log.Infof("WireGuard interface monitor: %s, restarting engine", err)
 			e.triggerClientRestart()
 		} else if err != nil {
@@ -799,7 +800,7 @@ func (e *Engine) handleAutoUpdateVersion(autoUpdateSettings *mgmProto.AutoUpdate

 	disabled := autoUpdateSettings.Version == disableAutoUpdate

-	// Stop and cleanup if disabled
+	// stop and cleanup if disabled
 	if e.updateManager != nil && disabled {
 		log.Infof("auto-update is disabled, stopping update manager")
 		e.updateManager.Stop()
@@ -828,6 +829,10 @@ func (e *Engine) handleAutoUpdateVersion(autoUpdateSettings *mgmProto.AutoUpdate
 }

 func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
+	started := time.Now()
+	defer func() {
+		log.Infof("sync finished in %s", time.Since(started))
+	}()
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

@@ -1017,7 +1022,7 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 	state := e.statusRecorder.GetLocalPeerState()
 	state.IP = e.wgInterface.Address().String()
 	state.PubKey = e.config.WgPrivateKey.PublicKey().String()
-	state.KernelInterface = device.WireGuardModuleIsLoaded()
+	state.KernelInterface = !e.wgInterface.IsUserspaceBind()
 	state.FQDN = conf.GetFqdn()

 	e.statusRecorder.UpdateLocalPeerState(state)
@@ -1533,7 +1538,6 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 		IFaceDiscover:  e.mobileDep.IFaceDiscover,
 		RelayManager:   e.relayManager,
 		SrWatcher:      e.srWatcher,
-		Semaphore:      e.connSemaphore,
 	}
 	peerConn, err := peer.NewConn(config, serviceDependencies)
 	if err != nil {
@@ -1556,8 +1560,10 @@ func (e *Engine) receiveSignalEvents() {
 		defer e.shutdownWg.Done()
 		// connect to a stream of messages coming from the signal server
 		err := e.signal.Receive(e.ctx, func(msg *sProto.Message) error {
+			start := time.Now()
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()
+			gotLock := time.Since(start)

 			// Check context INSIDE lock to ensure atomicity with shutdown
 			if e.ctx.Err() != nil {
@@ -1581,6 +1587,8 @@ func (e *Engine) receiveSignalEvents() {
 					return err
 				}

+				log.Debugf("receiveMSG: took %s to get lock for peer %s with session id %s", gotLock, msg.Key, offerAnswer.SessionID)
+
 				if msg.Body.Type == sProto.Body_OFFER {
 					conn.OnRemoteOffer(*offerAnswer)
 				} else {
@@ -1814,11 +1822,18 @@ func (e *Engine) GetRouteManager() routemanager.Manager {
 	return e.routeManager
 }

-// GetFirewallManager returns the firewall manager
+// GetFirewallManager returns the firewall manager.
 func (e *Engine) GetFirewallManager() firewallManager.Manager {
 	return e.firewall
 }

+// GetExposeManager returns the expose session manager.
+func (e *Engine) GetExposeManager() *expose.Manager {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+	return e.exposeManager
+}
+
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {
@@ -1918,7 +1933,7 @@ func (e *Engine) triggerClientRestart() {
 }

 func (e *Engine) startNetworkMonitor() {
-	if !e.config.NetworkMonitor {
+	if !e.config.NetworkMonitor || nbnetstack.IsEnabled() {
 		log.Infof("Network monitor is disabled, not starting")
 		return
 	}
--- a/client/internal/engine_ssh.go
+++ b/client/internal/engine_ssh.go
@@ -10,6 +10,7 @@ import (
 	log "github.com/sirupsen/logrus"

 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
 	sshconfig "github.com/netbirdio/netbird/client/ssh/config"
@@ -94,6 +95,10 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {

 // updateSSHClientConfig updates the SSH client configuration with peer information
 func (e *Engine) updateSSHClientConfig(remotePeers []*mgmProto.RemotePeerConfig) error {
+	if netstack.IsEnabled() {
+		return nil
+	}
+
 	peerInfo := e.extractPeerSSHInfo(remotePeers)
 	if len(peerInfo) == 0 {
 		log.Debug("no SSH-enabled peers found, skipping SSH config update")
@@ -216,6 +221,10 @@ func (e *Engine) GetPeerSSHKey(peerAddress string) ([]byte, bool) {

 // cleanupSSHConfig removes NetBird SSH client configuration on shutdown
 func (e *Engine) cleanupSSHConfig() {
+	if netstack.IsEnabled() {
+		return
+	}
+
 	configMgr := sshconfig.New()

 	if err := configMgr.RemoveSSHClientConfig(); err != nil {
--- a/client/internal/expose/manager.go
+++ b/client/internal/expose/manager.go
@@ -0,0 +1,95 @@
+package expose
+
+import (
+	"context"
+	"time"
+
+	mgm "github.com/netbirdio/netbird/shared/management/client"
+	log "github.com/sirupsen/logrus"
+)
+
+const renewTimeout = 10 * time.Second
+
+// Response holds the response from exposing a service.
+type Response struct {
+	ServiceName string
+	ServiceURL  string
+	Domain      string
+}
+
+type Request struct {
+	NamePrefix string
+	Domain     string
+	Port       uint16
+	Protocol   int
+	Pin        string
+	Password   string
+	UserGroups []string
+}
+
+type ManagementClient interface {
+	CreateExpose(ctx context.Context, req mgm.ExposeRequest) (*mgm.ExposeResponse, error)
+	RenewExpose(ctx context.Context, domain string) error
+	StopExpose(ctx context.Context, domain string) error
+}
+
+// Manager handles expose session lifecycle via the management client.
+type Manager struct {
+	mgmClient ManagementClient
+	ctx       context.Context
+}
+
+// NewManager creates a new expose Manager using the given management client.
+func NewManager(ctx context.Context, mgmClient ManagementClient) *Manager {
+	return &Manager{mgmClient: mgmClient, ctx: ctx}
+}
+
+// Expose creates a new expose session via the management server.
+func (m *Manager) Expose(ctx context.Context, req Request) (*Response, error) {
+	log.Infof("exposing service on port %d", req.Port)
+	resp, err := m.mgmClient.CreateExpose(ctx, toClientExposeRequest(req))
+	if err != nil {
+		return nil, err
+	}
+
+	log.Infof("expose session created for %s", resp.Domain)
+
+	return fromClientExposeResponse(resp), nil
+}
+
+func (m *Manager) KeepAlive(ctx context.Context, domain string) error {
+	ticker := time.NewTicker(30 * time.Second)
+	defer ticker.Stop()
+	defer m.stop(domain)
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Infof("context canceled, stopping keep alive for %s", domain)
+
+			return nil
+		case <-ticker.C:
+			if err := m.renew(ctx, domain); err != nil {
+				log.Errorf("renewing expose session for %s: %v", domain, err)
+				return err
+			}
+		}
+	}
+}
+
+// renew extends the TTL of an active expose session.
+func (m *Manager) renew(ctx context.Context, domain string) error {
+	renewCtx, cancel := context.WithTimeout(ctx, renewTimeout)
+	defer cancel()
+	return m.mgmClient.RenewExpose(renewCtx, domain)
+}
+
+// stop terminates an active expose session.
+func (m *Manager) stop(domain string) {
+	stopCtx, cancel := context.WithTimeout(m.ctx, renewTimeout)
+	defer cancel()
+	err := m.mgmClient.StopExpose(stopCtx, domain)
+	if err != nil {
+		log.Warnf("Failed stopping expose session for %s: %v", domain, err)
+	}
+}
--- a/client/internal/expose/manager_test.go
+++ b/client/internal/expose/manager_test.go
@@ -0,0 +1,95 @@
+package expose
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	daemonProto "github.com/netbirdio/netbird/client/proto"
+	mgm "github.com/netbirdio/netbird/shared/management/client"
+)
+
+func TestManager_Expose_Success(t *testing.T) {
+	mock := &mgm.MockClient{
+		CreateExposeFunc: func(ctx context.Context, req mgm.ExposeRequest) (*mgm.ExposeResponse, error) {
+			return &mgm.ExposeResponse{
+				ServiceName: "my-service",
+				ServiceURL:  "https://my-service.example.com",
+				Domain:      "my-service.example.com",
+			}, nil
+		},
+	}
+
+	m := NewManager(context.Background(), mock)
+	result, err := m.Expose(context.Background(), Request{Port: 8080})
+	require.NoError(t, err)
+	assert.Equal(t, "my-service", result.ServiceName, "service name should match")
+	assert.Equal(t, "https://my-service.example.com", result.ServiceURL, "service URL should match")
+	assert.Equal(t, "my-service.example.com", result.Domain, "domain should match")
+}
+
+func TestManager_Expose_Error(t *testing.T) {
+	mock := &mgm.MockClient{
+		CreateExposeFunc: func(ctx context.Context, req mgm.ExposeRequest) (*mgm.ExposeResponse, error) {
+			return nil, errors.New("permission denied")
+		},
+	}
+
+	m := NewManager(context.Background(), mock)
+	_, err := m.Expose(context.Background(), Request{Port: 8080})
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "permission denied", "error should propagate")
+}
+
+func TestManager_Renew_Success(t *testing.T) {
+	mock := &mgm.MockClient{
+		RenewExposeFunc: func(ctx context.Context, domain string) error {
+			assert.Equal(t, "my-service.example.com", domain, "domain should be passed through")
+			return nil
+		},
+	}
+
+	m := NewManager(context.Background(), mock)
+	err := m.renew(context.Background(), "my-service.example.com")
+	require.NoError(t, err)
+}
+
+func TestManager_Renew_Timeout(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	mock := &mgm.MockClient{
+		RenewExposeFunc: func(ctx context.Context, domain string) error {
+			return ctx.Err()
+		},
+	}
+
+	m := NewManager(ctx, mock)
+	err := m.renew(ctx, "my-service.example.com")
+	require.Error(t, err)
+}
+
+func TestNewRequest(t *testing.T) {
+	req := &daemonProto.ExposeServiceRequest{
+		Port:       8080,
+		Protocol:   daemonProto.ExposeProtocol_EXPOSE_HTTPS,
+		Pin:        "123456",
+		Password:   "secret",
+		UserGroups: []string{"group1", "group2"},
+		Domain:     "custom.example.com",
+		NamePrefix: "my-prefix",
+	}
+
+	exposeReq := NewRequest(req)
+
+	assert.Equal(t, uint16(8080), exposeReq.Port, "port should match")
+	assert.Equal(t, int(daemonProto.ExposeProtocol_EXPOSE_HTTPS), exposeReq.Protocol, "protocol should match")
+	assert.Equal(t, "123456", exposeReq.Pin, "pin should match")
+	assert.Equal(t, "secret", exposeReq.Password, "password should match")
+	assert.Equal(t, []string{"group1", "group2"}, exposeReq.UserGroups, "user groups should match")
+	assert.Equal(t, "custom.example.com", exposeReq.Domain, "domain should match")
+	assert.Equal(t, "my-prefix", exposeReq.NamePrefix, "name prefix should match")
+}
--- a/client/internal/expose/request.go
+++ b/client/internal/expose/request.go
@@ -0,0 +1,39 @@
+package expose
+
+import (
+	daemonProto "github.com/netbirdio/netbird/client/proto"
+	mgm "github.com/netbirdio/netbird/shared/management/client"
+)
+
+// NewRequest converts a daemon ExposeServiceRequest to a management ExposeServiceRequest.
+func NewRequest(req *daemonProto.ExposeServiceRequest) *Request {
+	return &Request{
+		Port:       uint16(req.Port),
+		Protocol:   int(req.Protocol),
+		Pin:        req.Pin,
+		Password:   req.Password,
+		UserGroups: req.UserGroups,
+		Domain:     req.Domain,
+		NamePrefix: req.NamePrefix,
+	}
+}
+
+func toClientExposeRequest(req Request) mgm.ExposeRequest {
+	return mgm.ExposeRequest{
+		NamePrefix: req.NamePrefix,
+		Domain:     req.Domain,
+		Port:       req.Port,
+		Protocol:   req.Protocol,
+		Pin:        req.Pin,
+		Password:   req.Password,
+		UserGroups: req.UserGroups,
+	}
+}
+
+func fromClientExposeResponse(response *mgm.ExposeResponse) *Response {
+	return &Response{
+		ServiceName: response.ServiceName,
+		Domain:      response.Domain,
+		ServiceURL:  response.ServiceURL,
+	}
+}
--- a/client/internal/lazyconn/activity/manager.go
+++ b/client/internal/lazyconn/activity/manager.go
@@ -11,6 +11,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
@@ -74,12 +75,13 @@ func (m *Manager) createListener(peerCfg lazyconn.PeerConfig) (listener, error)
 		return NewUDPListener(m.wgIface, peerCfg)
 	}

-	// BindListener is only used on Windows and JS platforms:
+	// BindListener is used on Windows, JS, and netstack platforms:
 	// - JS: Cannot listen to UDP sockets
 	// - Windows: IP_UNICAST_IF socket option forces packets out the interface the default
 	//   gateway points to, preventing them from reaching the loopback interface.
-	//   BindListener bypasses this by passing data directly through the bind.
-	if runtime.GOOS != "windows" && runtime.GOOS != "js" {
+	// - Netstack: Allows multiple instances on the same host without port conflicts.
+	// BindListener bypasses these issues by passing data directly through the bind.
+	if runtime.GOOS != "windows" && runtime.GOOS != "js" && !netstack.IsEnabled() {
 		return NewUDPListener(m.wgIface, peerCfg)
 	}

--- a/client/internal/networkmonitor/check_change_common.go
+++ b/client/internal/networkmonitor/check_change_common.go
@@ -22,51 +22,56 @@ func prepareFd() (int, error) {

 func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Nexthop) error {
 	for {
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		default:
-			buf := make([]byte, 2048)
-			n, err := unix.Read(fd, buf)
+		// Wait until fd is readable or context is cancelled, to avoid a busy-loop
+		// when the routing socket returns EAGAIN (e.g. immediately after wakeup).
+		if err := waitReadable(ctx, fd); err != nil {
+			return err
+		}
+
+		buf := make([]byte, 2048)
+		n, err := unix.Read(fd, buf)
+		if err != nil {
+			if errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EINTR) {
+				continue
+			}
+			if errors.Is(err, unix.EBADF) || errors.Is(err, unix.EINVAL) {
+				return fmt.Errorf("routing socket closed: %w", err)
+			}
+			return fmt.Errorf("read routing socket: %w", err)
+		}
+
+		if n < unix.SizeofRtMsghdr {
+			log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
+			continue
+		}
+
+		msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
+
+		switch msg.Type {
+		// handle route changes
+		case unix.RTM_ADD, syscall.RTM_DELETE:
+			route, err := parseRouteMessage(buf[:n])
 			if err != nil {
-				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
-					log.Warnf("Network monitor: failed to read from routing socket: %v", err)
-				}
-				continue
-			}
-			if n < unix.SizeofRtMsghdr {
-				log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
+				log.Debugf("Network monitor: error parsing routing message: %v", err)
 				continue
 			}

-			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
+			if route.Dst.Bits() != 0 {
+				continue
+			}

+			intf := "<nil>"
+			if route.Interface != nil {
+				intf = route.Interface.Name
+			}
 			switch msg.Type {
-			// handle route changes
-			case unix.RTM_ADD, syscall.RTM_DELETE:
-				route, err := parseRouteMessage(buf[:n])
-				if err != nil {
-					log.Debugf("Network monitor: error parsing routing message: %v", err)
-					continue
-				}
-
-				if route.Dst.Bits() != 0 {
-					continue
-				}
-
-				intf := "<nil>"
-				if route.Interface != nil {
-					intf = route.Interface.Name
-				}
-				switch msg.Type {
-				case unix.RTM_ADD:
-					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
+			case unix.RTM_ADD:
+				log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
+				return nil
+			case unix.RTM_DELETE:
+				if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
+					log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
 					return nil
-				case unix.RTM_DELETE:
-					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
-						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
-						return nil
-					}
 				}
 			}
 		}
@@ -90,3 +95,33 @@ func parseRouteMessage(buf []byte) (*systemops.Route, error) {

 	return systemops.MsgToRoute(msg)
 }
+
+// waitReadable blocks until fd has data to read, or ctx is cancelled.
+func waitReadable(ctx context.Context, fd int) error {
+	var fdset unix.FdSet
+	if fd < 0 || fd/unix.NFDBITS >= len(fdset.Bits) {
+		return fmt.Errorf("fd %d out of range for FdSet", fd)
+	}
+
+	for {
+		if err := ctx.Err(); err != nil {
+			return err
+		}
+
+		fdset = unix.FdSet{}
+		fdset.Set(fd)
+		// Use a 1-second timeout so we can re-check ctx periodically.
+		tv := unix.Timeval{Sec: 1}
+		n, err := unix.Select(fd+1, &fdset, nil, nil, &tv)
+		if err != nil {
+			if errors.Is(err, unix.EINTR) {
+				continue
+			}
+			return fmt.Errorf("select on routing socket: %w", err)
+		}
+		if n > 0 {
+			return nil
+		}
+		// timeout — loop back and re-check ctx
+	}
+}
--- a/client/internal/networkmonitor/monitor.go
+++ b/client/internal/networkmonitor/monitor.go
@@ -14,7 +14,6 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )

@@ -38,11 +37,6 @@ func New() *NetworkMonitor {

 // Listen begins monitoring network changes. When a change is detected, this function will return without error.
 func (nw *NetworkMonitor) Listen(ctx context.Context) (err error) {
-	if netstack.IsEnabled() {
-		log.Debugf("Network monitor: skipping in netstack mode")
-		return nil
-	}
-
 	nw.mu.Lock()
 	if nw.cancel != nil {
 		nw.mu.Unlock()
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -3,7 +3,6 @@ package peer
 import (
 	"context"
 	"fmt"
-	"math/rand"
 	"net"
 	"net/netip"
 	"runtime"
@@ -25,7 +24,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
-	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 )

 type ServiceDependencies struct {
@@ -34,7 +32,6 @@ type ServiceDependencies struct {
 	IFaceDiscover      stdnet.ExternalIFaceDiscover
 	RelayManager       *relayClient.Manager
 	SrWatcher          *guard.SRWatcher
-	Semaphore          *semaphoregroup.SemaphoreGroup
 	PeerConnDispatcher *dispatcher.ConnectionDispatcher
 }

@@ -111,9 +108,8 @@ type Conn struct {
 	wgProxyRelay wgproxy.Proxy
 	handshaker   *Handshaker

-	guard     *guard.Guard
-	semaphore *semaphoregroup.SemaphoreGroup
-	wg        sync.WaitGroup
+	guard *guard.Guard
+	wg    sync.WaitGroup

 	// debug purpose
 	dumpState *stateDump
@@ -139,7 +135,6 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 		iFaceDiscover:   services.IFaceDiscover,
 		relayManager:    services.RelayManager,
 		srWatcher:       services.SrWatcher,
-		semaphore:       services.Semaphore,
 		statusRelay:     worker.NewAtomicStatus(),
 		statusICE:       worker.NewAtomicStatus(),
 		dumpState:       dumpState,
@@ -154,15 +149,10 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 // It will try to establish a connection using ICE and in parallel with relay. The higher priority connection type will
 // be used.
 func (conn *Conn) Open(engineCtx context.Context) error {
-	if err := conn.semaphore.Add(engineCtx); err != nil {
-		return err
-	}
-
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

 	if conn.opened {
-		conn.semaphore.Done()
 		return nil
 	}

@@ -173,7 +163,6 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 	relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
 	workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
 	if err != nil {
-		conn.semaphore.Done()
 		return err
 	}
 	conn.workerICE = workerICE
@@ -207,10 +196,6 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 	conn.wg.Add(1)
 	go func() {
 		defer conn.wg.Done()
-
-		conn.waitInitialRandomSleepTime(conn.ctx)
-		conn.semaphore.Done()
-
 		conn.guard.Start(conn.ctx, conn.onGuardEvent)
 	}()
 	conn.opened = true
@@ -410,7 +395,7 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 	conn.doOnConnected(iceConnInfo.RosenpassPubKey, iceConnInfo.RosenpassAddr)
 }

-func (conn *Conn) onICEStateDisconnected() {
+func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

@@ -430,14 +415,18 @@ func (conn *Conn) onICEStateDisconnected() {
 	if conn.isReadyToUpgrade() {
 		conn.Log.Infof("ICE disconnected, set Relay to active connection")
 		conn.dumpState.SwitchToRelay()
+		if sessionChanged {
+			conn.resetEndpoint()
+		}
+
+		// todo consider to move after the ConfigureWGEndpoint
 		conn.wgProxyRelay.Work()

 		presharedKey := conn.presharedKey(conn.rosenpassRemoteKey)
-		if err := conn.endpointUpdater.ConfigureWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
+		if err := conn.endpointUpdater.SwitchWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
 			conn.Log.Errorf("failed to switch to relay conn: %v", err)
 		}

-		conn.wgProxyRelay.Work()
 		conn.currentConnPriority = conntype.Relay
 	} else {
 		conn.Log.Infof("ICE disconnected, do not switch to Relay. Reset priority to: %s", conntype.None.String())
@@ -499,20 +488,22 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 		return
 	}

-	wgProxy.Work()
-	presharedKey := conn.presharedKey(rci.rosenpassPubKey)
+	controller := isController(conn.config)

+	if controller {
+		wgProxy.Work()
+	}
 	conn.enableWgWatcherIfNeeded()
-
-	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), presharedKey); err != nil {
+	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), conn.presharedKey(rci.rosenpassPubKey)); err != nil {
 		if err := wgProxy.CloseConn(); err != nil {
 			conn.Log.Warnf("Failed to close relay connection: %v", err)
 		}
 		conn.Log.Errorf("Failed to update WireGuard peer configuration: %v", err)
 		return
 	}
-
-	wgConfigWorkaround()
+	if !controller {
+		wgProxy.Work()
+	}
 	conn.rosenpassRemoteKey = rci.rosenpassPubKey
 	conn.currentConnPriority = conntype.Relay
 	conn.statusRelay.SetConnected()
@@ -664,19 +655,6 @@ func (conn *Conn) doOnConnected(remoteRosenpassPubKey []byte, remoteRosenpassAdd
 	}
 }

-func (conn *Conn) waitInitialRandomSleepTime(ctx context.Context) {
-	maxWait := 300
-	duration := time.Duration(rand.Intn(maxWait)) * time.Millisecond
-
-	timeout := time.NewTimer(duration)
-	defer timeout.Stop()
-
-	select {
-	case <-ctx.Done():
-	case <-timeout.C:
-	}
-}
-
 func (conn *Conn) isRelayed() bool {
 	switch conn.currentConnPriority {
 	case conntype.Relay, conntype.ICETurn:
@@ -757,6 +735,17 @@ func (conn *Conn) newProxy(remoteConn net.Conn) (wgproxy.Proxy, error) {
 	return wgProxy, nil
 }

+func (conn *Conn) resetEndpoint() {
+	if !isController(conn.config) {
+		return
+	}
+	conn.Log.Infof("reset wg endpoint")
+	conn.wgWatcher.Reset()
+	if err := conn.endpointUpdater.RemoveEndpointAddress(); err != nil {
+		conn.Log.Warnf("failed to remove endpoint address before update: %v", err)
+	}
+}
+
 func (conn *Conn) isReadyToUpgrade() bool {
 	return conn.wgProxyRelay != nil && conn.currentConnPriority != conntype.Relay
 }
@@ -862,9 +851,3 @@ func isController(config ConnConfig) bool {
 func isRosenpassEnabled(remoteRosenpassPubKey []byte) bool {
 	return remoteRosenpassPubKey != nil
 }
-
-// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
-// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
-func wgConfigWorkaround() {
-	time.Sleep(100 * time.Millisecond)
-}
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -15,7 +15,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/util"
-	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 )

 var testDispatcher = dispatcher.NewConnectionDispatcher()
@@ -53,7 +52,6 @@ func TestConn_GetKey(t *testing.T) {

 	sd := ServiceDependencies{
 		SrWatcher:          swWatcher,
-		Semaphore:          semaphoregroup.NewSemaphoreGroup(1),
 		PeerConnDispatcher: testDispatcher,
 	}
 	conn, err := NewConn(connConf, sd)
@@ -71,7 +69,6 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 	sd := ServiceDependencies{
 		StatusRecorder:     NewRecorder("https://mgm"),
 		SrWatcher:          swWatcher,
-		Semaphore:          semaphoregroup.NewSemaphoreGroup(1),
 		PeerConnDispatcher: testDispatcher,
 	}
 	conn, err := NewConn(connConf, sd)
@@ -110,7 +107,6 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 	sd := ServiceDependencies{
 		StatusRecorder:     NewRecorder("https://mgm"),
 		SrWatcher:          swWatcher,
-		Semaphore:          semaphoregroup.NewSemaphoreGroup(1),
 		PeerConnDispatcher: testDispatcher,
 	}
 	conn, err := NewConn(connConf, sd)
--- a/client/internal/peer/endpoint.go
+++ b/client/internal/peer/endpoint.go
@@ -34,28 +34,27 @@ func NewEndpointUpdater(log *logrus.Entry, wgConfig WgConfig, initiator bool) *E
 	}
 }

-// ConfigureWGEndpoint sets up the WireGuard endpoint configuration.
-// The initiator immediately configures the endpoint, while the non-initiator
-// waits for a fallback period before configuring to avoid handshake congestion.
 func (e *EndpointUpdater) ConfigureWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
 	e.mu.Lock()
 	defer e.mu.Unlock()

 	if e.initiator {
-		e.log.Debugf("configure up WireGuard as initiatr")
-		return e.updateWireGuardPeer(addr, presharedKey)
+		e.log.Debugf("configure up WireGuard as initiator")
+		return e.configureAsInitiator(addr, presharedKey)
 	}

+	e.log.Debugf("configure up WireGuard as responder")
+	return e.configureAsResponder(addr, presharedKey)
+}
+
+func (e *EndpointUpdater) SwitchWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
+	e.mu.Lock()
+	defer e.mu.Unlock()
+
 	// prevent to run new update while cancel the previous update
 	e.waitForCloseTheDelayedUpdate()

-	var ctx context.Context
-	ctx, e.cancelFunc = context.WithCancel(context.Background())
-	e.updateWg.Add(1)
-	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
-
-	e.log.Debugf("configure up WireGuard and wait for handshake")
-	return e.updateWireGuardPeer(nil, presharedKey)
+	return e.updateWireGuardPeer(addr, presharedKey)
 }

 func (e *EndpointUpdater) RemoveWgPeer() error {
@@ -66,6 +65,38 @@ func (e *EndpointUpdater) RemoveWgPeer() error {
 	return e.wgConfig.WgInterface.RemovePeer(e.wgConfig.RemoteKey)
 }

+func (e *EndpointUpdater) RemoveEndpointAddress() error {
+	e.mu.Lock()
+	defer e.mu.Unlock()
+
+	e.waitForCloseTheDelayedUpdate()
+	return e.wgConfig.WgInterface.RemoveEndpointAddress(e.wgConfig.RemoteKey)
+}
+
+func (e *EndpointUpdater) configureAsInitiator(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
+	if err := e.updateWireGuardPeer(addr, presharedKey); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (e *EndpointUpdater) configureAsResponder(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
+	// prevent to run new update while cancel the previous update
+	e.waitForCloseTheDelayedUpdate()
+
+	e.log.Debugf("configure up WireGuard and wait for handshake")
+	var ctx context.Context
+	ctx, e.cancelFunc = context.WithCancel(context.Background())
+	e.updateWg.Add(1)
+	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
+
+	if err := e.updateWireGuardPeer(nil, presharedKey); err != nil {
+		e.waitForCloseTheDelayedUpdate()
+		return err
+	}
+	return nil
+}
+
 func (e *EndpointUpdater) waitForCloseTheDelayedUpdate() {
 	if e.cancelFunc == nil {
 		return
@@ -101,3 +132,9 @@ func (e *EndpointUpdater) updateWireGuardPeer(endpoint *net.UDPAddr, presharedKe
 		presharedKey,
 	)
 }
+
+// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
+// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
+func wgConfigWorkaround() {
+	time.Sleep(100 * time.Millisecond)
+}
--- a/client/internal/peer/ice/agent.go
+++ b/client/internal/peer/ice/agent.go
@@ -2,6 +2,7 @@ package ice

 import (
 	"context"
+	"fmt"
 	"sync"
 	"time"

@@ -32,24 +33,6 @@ type ThreadSafeAgent struct {
 	once sync.Once
 }

-func (a *ThreadSafeAgent) Close() error {
-	var err error
-	a.once.Do(func() {
-		done := make(chan error, 1)
-		go func() {
-			done <- a.Agent.Close()
-		}()
-
-		select {
-		case err = <-done:
-		case <-time.After(iceAgentCloseTimeout):
-			log.Warnf("ICE agent close timed out after %v, proceeding with cleanup", iceAgentCloseTimeout)
-			err = nil
-		}
-	})
-	return err
-}
-
 func NewAgent(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
@@ -93,9 +76,41 @@ func NewAgent(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, c
 		return nil, err
 	}

+	if agent == nil {
+		return nil, fmt.Errorf("ice.NewAgent returned nil agent without error")
+	}
+
 	return &ThreadSafeAgent{Agent: agent}, nil
 }

+func (a *ThreadSafeAgent) Close() error {
+	var err error
+	a.once.Do(func() {
+		// Defensive check to prevent nil pointer dereference
+		// This can happen during sleep/wake transitions or memory corruption scenarios
+		// github.com/netbirdio/netbird/client/internal/peer/ice.(*ThreadSafeAgent).Close(0x40006883f0?)
+		//  [signal 0xc0000005 code=0x0 addr=0x0 pc=0x7ff7e73af83c]
+		agent := a.Agent
+		if agent == nil {
+			log.Warnf("ICE agent is nil during close, skipping")
+			return
+		}
+
+		done := make(chan error, 1)
+		go func() {
+			done <- agent.Close()
+		}()
+
+		select {
+		case err = <-done:
+		case <-time.After(iceAgentCloseTimeout):
+			log.Warnf("ICE agent close timed out after %v, proceeding with cleanup", iceAgentCloseTimeout)
+			err = nil
+		}
+	})
+	return err
+}
+
 func GenerateICECredentials() (string, string, error) {
 	ufrag, err := randutil.GenerateCryptoRandomString(lenUFrag, runesAlpha)
 	if err != nil {
--- a/client/internal/peer/wg_watcher.go
+++ b/client/internal/peer/wg_watcher.go
@@ -32,6 +32,8 @@ type WGWatcher struct {

 	enabled   bool
 	muEnabled sync.RWMutex
+
+	resetCh chan struct{}
 }

 func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey string, stateDump *stateDump) *WGWatcher {
@@ -40,6 +42,7 @@ func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey strin
 		wgIfaceStater: wgIfaceStater,
 		peerKey:       peerKey,
 		stateDump:     stateDump,
+		resetCh:       make(chan struct{}, 1),
 	}
 }

@@ -76,6 +79,15 @@ func (w *WGWatcher) IsEnabled() bool {
 	return w.enabled
 }

+// Reset signals the watcher that the WireGuard peer has been reset and a new
+// handshake is expected. This restarts the handshake timeout from scratch.
+func (w *WGWatcher) Reset() {
+	select {
+	case w.resetCh <- struct{}{}:
+	default:
+	}
+}
+
 // wgStateCheck help to check the state of the WireGuard handshake and relay connection
 func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn func(), enabledTime time.Time, initialHandshake time.Time) {
 	w.log.Infof("WireGuard watcher started")
@@ -105,6 +117,12 @@ func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn
 			w.stateDump.WGcheckSuccess()

 			w.log.Debugf("WireGuard watcher reset timer: %v", resetTime)
+		case <-w.resetCh:
+			w.log.Infof("WireGuard watcher received peer reset, restarting handshake timeout")
+			lastHandshake = time.Time{}
+			enabledTime = time.Now()
+			timer.Stop()
+			timer.Reset(wgHandshakeOvertime)
 		case <-ctx.Done():
 			w.log.Infof("WireGuard watcher stopped")
 			return
--- a/client/internal/peer/worker_ice.go
+++ b/client/internal/peer/worker_ice.go
@@ -52,8 +52,9 @@ type WorkerICE struct {
 	// increase by one when disconnecting the agent
 	// with it the remote peer can discard the already deprecated offer/answer
 	// Without it the remote peer may recreate a workable ICE connection
-	sessionID ICESessionID
-	muxAgent  sync.Mutex
+	sessionID            ICESessionID
+	remoteSessionChanged bool
+	muxAgent             sync.Mutex

 	localUfrag string
 	localPwd   string
@@ -106,9 +107,12 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 			return
 		}
 		w.log.Debugf("agent already exists, recreate the connection")
+		w.remoteSessionChanged = true
 		w.agentDialerCancel()
-		if err := w.agent.Close(); err != nil {
-			w.log.Warnf("failed to close ICE agent: %s", err)
+		if w.agent != nil {
+			if err := w.agent.Close(); err != nil {
+				w.log.Warnf("failed to close ICE agent: %s", err)
+			}
 		}

 		sessionID, err := NewICESessionID()
@@ -304,13 +308,17 @@ func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent
 	w.conn.onICEConnectionIsReady(selectedPriority(pair), ci)
 }

-func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) {
+func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) bool {
 	cancel()
 	if err := agent.Close(); err != nil {
 		w.log.Warnf("failed to close ICE agent: %s", err)
 	}

 	w.muxAgent.Lock()
+	defer w.muxAgent.Unlock()
+
+	sessionChanged := w.remoteSessionChanged
+	w.remoteSessionChanged = false

 	if w.agent == agent {
 		// consider to remove from here and move to the OnNewOffer
@@ -323,7 +331,7 @@ func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.C
 		w.agentConnecting = false
 		w.remoteSessionID = ""
 	}
-	w.muxAgent.Unlock()
+	return sessionChanged
 }

 func (w *WorkerICE) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
@@ -424,11 +432,11 @@ func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dia
 			// ice.ConnectionStateClosed happens when we recreate the agent. For the P2P to TURN switch important to
 			// notify the conn.onICEStateDisconnected changes to update the current used priority

-			w.closeAgent(agent, dialerCancel)
+			sessionChanged := w.closeAgent(agent, dialerCancel)

 			if w.lastKnownState == ice.ConnectionStateConnected {
 				w.lastKnownState = ice.ConnectionStateDisconnected
-				w.conn.onICEStateDisconnected()
+				w.conn.onICEStateDisconnected(sessionChanged)
 			}
 		default:
 			return
--- a/client/internal/profilemanager/config.go
+++ b/client/internal/profilemanager/config.go
@@ -252,7 +252,7 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 	}

 	if config.AdminURL == nil {
-		log.Infof("using default Admin URL %s", DefaultManagementURL)
+		log.Infof("using default Admin URL %s", DefaultAdminURL)
 		config.AdminURL, err = parseURL("Admin URL", DefaultAdminURL)
 		if err != nil {
 			return false, err
--- a/client/internal/routemanager/dnsinterceptor/handler.go
+++ b/client/internal/routemanager/dnsinterceptor/handler.go
@@ -351,6 +351,11 @@ func (d *DnsInterceptor) writeMsg(w dns.ResponseWriter, r *dns.Msg, logger *log.
 				logger.Errorf("failed to update domain prefixes: %v", err)
 			}

+			// Allow time for route changes to be applied before sending
+			// the DNS response (relevant on iOS where setTunnelNetworkSettings
+			// is asynchronous).
+			waitForRouteSettlement(logger)
+
 			d.replaceIPsInDNSResponse(r, newPrefixes, logger)
 		}
 	}
--- a/client/internal/routemanager/dnsinterceptor/handler_ios.go
+++ b/client/internal/routemanager/dnsinterceptor/handler_ios.go
@@ -0,0 +1,20 @@
+//go:build ios
+
+package dnsinterceptor
+
+import (
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const routeSettleDelay = 500 * time.Millisecond
+
+// waitForRouteSettlement introduces a short delay on iOS to allow
+// setTunnelNetworkSettings to apply route changes before the DNS
+// response reaches the application. Without this, the first request
+// to a newly resolved domain may bypass the tunnel.
+func waitForRouteSettlement(logger *log.Entry) {
+	logger.Tracef("waiting %v for iOS route settlement", routeSettleDelay)
+	time.Sleep(routeSettleDelay)
+}
--- a/client/internal/routemanager/dnsinterceptor/handler_nonios.go
+++ b/client/internal/routemanager/dnsinterceptor/handler_nonios.go
@@ -0,0 +1,12 @@
+//go:build !ios
+
+package dnsinterceptor
+
+import log "github.com/sirupsen/logrus"
+
+func waitForRouteSettlement(_ *log.Entry) {
+	// No-op on non-iOS platforms: route changes are applied synchronously by
+	// the kernel, so no settlement delay is needed before the DNS response
+	// reaches the application. The delay is only required on iOS where
+	// setTunnelNetworkSettings applies routes asynchronously.
+}
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -173,12 +173,21 @@ func (m *DefaultManager) setupAndroidRoutes(config ManagerConfig) {
 }

 func (m *DefaultManager) setupRefCounters(useNoop bool) {
+	var once sync.Once
+	var wgIface *net.Interface
+	toInterface := func() *net.Interface {
+		once.Do(func() {
+			wgIface = m.wgInterface.ToInterface()
+		})
+		return wgIface
+	}
+
 	m.routeRefCounter = refcounter.New(
 		func(prefix netip.Prefix, _ struct{}) (struct{}, error) {
-			return struct{}{}, m.sysOps.AddVPNRoute(prefix, m.wgInterface.ToInterface())
+			return struct{}{}, m.sysOps.AddVPNRoute(prefix, toInterface())
 		},
 		func(prefix netip.Prefix, _ struct{}) error {
-			return m.sysOps.RemoveVPNRoute(prefix, m.wgInterface.ToInterface())
+			return m.sysOps.RemoveVPNRoute(prefix, toInterface())
 		},
 	)

@@ -337,6 +346,23 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 	}

 	var merr *multierror.Error
+
+	// Begin batch mode to avoid calling applyHostConfig() after each DNS handler operation
+	batchStarted := false
+	if m.dnsServer != nil {
+		m.dnsServer.BeginBatch()
+		batchStarted = true
+		defer func() {
+			if merr != nil {
+				// On error, cancel batch to discard partial DNS state
+				m.dnsServer.CancelBatch()
+			} else {
+				// On success, apply accumulated DNS changes
+				m.dnsServer.EndBatch()
+			}
+		}()
+	}
+
 	for id, handler := range toRemove {
 		if err := handler.RemoveRoute(); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("remove route %s: %w", handler.String(), err))
@@ -367,6 +393,7 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 		m.activeRoutes[id] = handler
 	}

+	_ = batchStarted // Mark as used
 	return nberrors.FormatErrorOrNil(merr)
 }

--- a/client/internal/routemanager/systemops/routeflags_bsd.go
+++ b/client/internal/routemanager/systemops/routeflags_bsd.go
@@ -4,16 +4,17 @@ package systemops

 import (
 	"strings"
-	"syscall"
+
+	"golang.org/x/sys/unix"
 )

 // filterRoutesByFlags returns true if the route message should be ignored based on its flags.
 func filterRoutesByFlags(routeMessageFlags int) bool {
-	if routeMessageFlags&syscall.RTF_UP == 0 {
+	if routeMessageFlags&unix.RTF_UP == 0 {
 		return true
 	}

-	if routeMessageFlags&(syscall.RTF_REJECT|syscall.RTF_BLACKHOLE|syscall.RTF_WASCLONED) != 0 {
+	if routeMessageFlags&(unix.RTF_REJECT|unix.RTF_BLACKHOLE|unix.RTF_WASCLONED) != 0 {
 		return true
 	}

@@ -24,42 +25,51 @@ func filterRoutesByFlags(routeMessageFlags int) bool {
 func formatBSDFlags(flags int) string {
 	var flagStrs []string

-	if flags&syscall.RTF_UP != 0 {
+	if flags&unix.RTF_UP != 0 {
 		flagStrs = append(flagStrs, "U")
 	}
-	if flags&syscall.RTF_GATEWAY != 0 {
+	if flags&unix.RTF_GATEWAY != 0 {
 		flagStrs = append(flagStrs, "G")
 	}
-	if flags&syscall.RTF_HOST != 0 {
+	if flags&unix.RTF_HOST != 0 {
 		flagStrs = append(flagStrs, "H")
 	}
-	if flags&syscall.RTF_REJECT != 0 {
+	if flags&unix.RTF_REJECT != 0 {
 		flagStrs = append(flagStrs, "R")
 	}
-	if flags&syscall.RTF_DYNAMIC != 0 {
+	if flags&unix.RTF_DYNAMIC != 0 {
 		flagStrs = append(flagStrs, "D")
 	}
-	if flags&syscall.RTF_MODIFIED != 0 {
+	if flags&unix.RTF_MODIFIED != 0 {
 		flagStrs = append(flagStrs, "M")
 	}
-	if flags&syscall.RTF_STATIC != 0 {
+	if flags&unix.RTF_STATIC != 0 {
 		flagStrs = append(flagStrs, "S")
 	}
-	if flags&syscall.RTF_LLINFO != 0 {
+	if flags&unix.RTF_LLINFO != 0 {
 		flagStrs = append(flagStrs, "L")
 	}
-	if flags&syscall.RTF_LOCAL != 0 {
+	if flags&unix.RTF_LOCAL != 0 {
 		flagStrs = append(flagStrs, "l")
 	}
-	if flags&syscall.RTF_BLACKHOLE != 0 {
+	if flags&unix.RTF_BLACKHOLE != 0 {
 		flagStrs = append(flagStrs, "B")
 	}
-	if flags&syscall.RTF_CLONING != 0 {
+	if flags&unix.RTF_CLONING != 0 {
 		flagStrs = append(flagStrs, "C")
 	}
-	if flags&syscall.RTF_WASCLONED != 0 {
+	if flags&unix.RTF_WASCLONED != 0 {
 		flagStrs = append(flagStrs, "W")
 	}
+	if flags&unix.RTF_PROTO1 != 0 {
+		flagStrs = append(flagStrs, "1")
+	}
+	if flags&unix.RTF_PROTO2 != 0 {
+		flagStrs = append(flagStrs, "2")
+	}
+	if flags&unix.RTF_PROTO3 != 0 {
+		flagStrs = append(flagStrs, "3")
+	}

 	if len(flagStrs) == 0 {
 		return "-"
--- a/client/internal/routemanager/systemops/routeflags_freebsd.go
+++ b/client/internal/routemanager/systemops/routeflags_freebsd.go
@@ -4,17 +4,18 @@ package systemops

 import (
 	"strings"
-	"syscall"
+
+	"golang.org/x/sys/unix"
 )

 // filterRoutesByFlags returns true if the route message should be ignored based on its flags.
 func filterRoutesByFlags(routeMessageFlags int) bool {
-	if routeMessageFlags&syscall.RTF_UP == 0 {
+	if routeMessageFlags&unix.RTF_UP == 0 {
 		return true
 	}

-	// NOTE: syscall.RTF_WASCLONED deprecated in FreeBSD 8.0
-	if routeMessageFlags&(syscall.RTF_REJECT|syscall.RTF_BLACKHOLE) != 0 {
+	// NOTE: RTF_WASCLONED deprecated in FreeBSD 8.0
+	if routeMessageFlags&(unix.RTF_REJECT|unix.RTF_BLACKHOLE) != 0 {
 		return true
 	}

@@ -25,37 +26,46 @@ func filterRoutesByFlags(routeMessageFlags int) bool {
 func formatBSDFlags(flags int) string {
 	var flagStrs []string

-	if flags&syscall.RTF_UP != 0 {
+	if flags&unix.RTF_UP != 0 {
 		flagStrs = append(flagStrs, "U")
 	}
-	if flags&syscall.RTF_GATEWAY != 0 {
+	if flags&unix.RTF_GATEWAY != 0 {
 		flagStrs = append(flagStrs, "G")
 	}
-	if flags&syscall.RTF_HOST != 0 {
+	if flags&unix.RTF_HOST != 0 {
 		flagStrs = append(flagStrs, "H")
 	}
-	if flags&syscall.RTF_REJECT != 0 {
+	if flags&unix.RTF_REJECT != 0 {
 		flagStrs = append(flagStrs, "R")
 	}
-	if flags&syscall.RTF_DYNAMIC != 0 {
+	if flags&unix.RTF_DYNAMIC != 0 {
 		flagStrs = append(flagStrs, "D")
 	}
-	if flags&syscall.RTF_MODIFIED != 0 {
+	if flags&unix.RTF_MODIFIED != 0 {
 		flagStrs = append(flagStrs, "M")
 	}
-	if flags&syscall.RTF_STATIC != 0 {
+	if flags&unix.RTF_STATIC != 0 {
 		flagStrs = append(flagStrs, "S")
 	}
-	if flags&syscall.RTF_LLINFO != 0 {
+	if flags&unix.RTF_LLINFO != 0 {
 		flagStrs = append(flagStrs, "L")
 	}
-	if flags&syscall.RTF_LOCAL != 0 {
+	if flags&unix.RTF_LOCAL != 0 {
 		flagStrs = append(flagStrs, "l")
 	}
-	if flags&syscall.RTF_BLACKHOLE != 0 {
+	if flags&unix.RTF_BLACKHOLE != 0 {
 		flagStrs = append(flagStrs, "B")
 	}
 	// Note: RTF_CLONING and RTF_WASCLONED deprecated in FreeBSD 8.0
+	if flags&unix.RTF_PROTO1 != 0 {
+		flagStrs = append(flagStrs, "1")
+	}
+	if flags&unix.RTF_PROTO2 != 0 {
+		flagStrs = append(flagStrs, "2")
+	}
+	if flags&unix.RTF_PROTO3 != 0 {
+		flagStrs = append(flagStrs, "3")
+	}

 	if len(flagStrs) == 0 {
 		return "-"
--- a/client/internal/sleep/handler/handler.go
+++ b/client/internal/sleep/handler/handler.go
@@ -0,0 +1,80 @@
+package handler
+
+import (
+	"context"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal"
+)
+
+type Agent interface {
+	Up(ctx context.Context) error
+	Down(ctx context.Context) error
+	Status() (internal.StatusType, error)
+}
+
+type SleepHandler struct {
+	agent Agent
+
+	mu sync.Mutex
+	// sleepTriggeredDown indicates whether the sleep handler triggered the last client down, to avoid unnecessary up on wake
+	sleepTriggeredDown bool
+}
+
+func New(agent Agent) *SleepHandler {
+	return &SleepHandler{
+		agent: agent,
+	}
+}
+
+func (s *SleepHandler) HandleWakeUp(ctx context.Context) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if !s.sleepTriggeredDown {
+		log.Info("skipping up because wasn't sleep down")
+		return nil
+	}
+
+	// avoid other wakeup runs if sleep didn't make the computer sleep
+	s.sleepTriggeredDown = false
+
+	log.Info("running up after wake up")
+	err := s.agent.Up(ctx)
+	if err != nil {
+		log.Errorf("running up failed: %v", err)
+		return err
+	}
+
+	log.Info("running up command executed successfully")
+	return nil
+}
+
+func (s *SleepHandler) HandleSleep(ctx context.Context) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	status, err := s.agent.Status()
+	if err != nil {
+		return err
+	}
+
+	if status != internal.StatusConnecting && status != internal.StatusConnected {
+		log.Infof("skipping setting the agent down because status is %s", status)
+		return nil
+	}
+
+	log.Info("running down after system started sleeping")
+
+	if err = s.agent.Down(ctx); err != nil {
+		log.Errorf("running down failed: %v", err)
+		return err
+	}
+
+	s.sleepTriggeredDown = true
+
+	log.Info("running down executed successfully")
+	return nil
+}
--- a/client/internal/sleep/handler/handler_test.go
+++ b/client/internal/sleep/handler/handler_test.go
@@ -0,0 +1,153 @@
+package handler
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal"
+)
+
+type mockAgent struct {
+	upErr     error
+	downErr   error
+	statusErr error
+	status    internal.StatusType
+	upCalls   int
+}
+
+func (m *mockAgent) Up(_ context.Context) error {
+	m.upCalls++
+	return m.upErr
+}
+
+func (m *mockAgent) Down(_ context.Context) error {
+	return m.downErr
+}
+
+func (m *mockAgent) Status() (internal.StatusType, error) {
+	return m.status, m.statusErr
+}
+
+func newHandler(status internal.StatusType) (*SleepHandler, *mockAgent) {
+	agent := &mockAgent{status: status}
+	return New(agent), agent
+}
+
+func TestHandleWakeUp_SkipsWhenFlagFalse(t *testing.T) {
+	h, agent := newHandler(internal.StatusIdle)
+
+	err := h.HandleWakeUp(context.Background())
+
+	require.NoError(t, err)
+	assert.Equal(t, 0, agent.upCalls, "Up should not be called when flag is false")
+}
+
+func TestHandleWakeUp_ResetsFlagBeforeUp(t *testing.T) {
+	h, _ := newHandler(internal.StatusIdle)
+	h.sleepTriggeredDown = true
+
+	// Even if Up fails, flag should be reset
+	_ = h.HandleWakeUp(context.Background())
+
+	assert.False(t, h.sleepTriggeredDown, "flag must be reset before calling Up")
+}
+
+func TestHandleWakeUp_CallsUpWhenFlagSet(t *testing.T) {
+	h, agent := newHandler(internal.StatusIdle)
+	h.sleepTriggeredDown = true
+
+	err := h.HandleWakeUp(context.Background())
+
+	require.NoError(t, err)
+	assert.Equal(t, 1, agent.upCalls)
+	assert.False(t, h.sleepTriggeredDown)
+}
+
+func TestHandleWakeUp_ReturnsErrorFromUp(t *testing.T) {
+	h, agent := newHandler(internal.StatusIdle)
+	h.sleepTriggeredDown = true
+	agent.upErr = errors.New("up failed")
+
+	err := h.HandleWakeUp(context.Background())
+
+	assert.ErrorIs(t, err, agent.upErr)
+	assert.False(t, h.sleepTriggeredDown, "flag should still be reset even when Up fails")
+}
+
+func TestHandleWakeUp_SecondCallIsNoOp(t *testing.T) {
+	h, agent := newHandler(internal.StatusIdle)
+	h.sleepTriggeredDown = true
+
+	_ = h.HandleWakeUp(context.Background())
+	err := h.HandleWakeUp(context.Background())
+
+	require.NoError(t, err)
+	assert.Equal(t, 1, agent.upCalls, "second wakeup should be no-op")
+}
+
+func TestHandleSleep_SkipsForNonActiveStates(t *testing.T) {
+	tests := []struct {
+		name   string
+		status internal.StatusType
+	}{
+		{"Idle", internal.StatusIdle},
+		{"NeedsLogin", internal.StatusNeedsLogin},
+		{"LoginFailed", internal.StatusLoginFailed},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			h, _ := newHandler(tt.status)
+
+			err := h.HandleSleep(context.Background())
+
+			require.NoError(t, err)
+			assert.False(t, h.sleepTriggeredDown)
+		})
+	}
+}
+
+func TestHandleSleep_ProceedsForActiveStates(t *testing.T) {
+	tests := []struct {
+		name   string
+		status internal.StatusType
+	}{
+		{"Connecting", internal.StatusConnecting},
+		{"Connected", internal.StatusConnected},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			h, _ := newHandler(tt.status)
+
+			err := h.HandleSleep(context.Background())
+
+			require.NoError(t, err)
+			assert.True(t, h.sleepTriggeredDown)
+		})
+	}
+}
+
+func TestHandleSleep_ReturnsErrorFromStatus(t *testing.T) {
+	agent := &mockAgent{statusErr: errors.New("status error")}
+	h := New(agent)
+
+	err := h.HandleSleep(context.Background())
+
+	assert.ErrorIs(t, err, agent.statusErr)
+	assert.False(t, h.sleepTriggeredDown)
+}
+
+func TestHandleSleep_ReturnsErrorFromDown(t *testing.T) {
+	agent := &mockAgent{status: internal.StatusConnected, downErr: errors.New("down failed")}
+	h := New(agent)
+
+	err := h.HandleSleep(context.Background())
+
+	assert.ErrorIs(t, err, agent.downErr)
+	assert.False(t, h.sleepTriggeredDown, "flag should not be set when Down fails")
+}
--- a/client/ios/NetBirdSDK/env_list.go
+++ b/client/ios/NetBirdSDK/env_list.go
@@ -2,7 +2,10 @@

 package NetBirdSDK

-import "github.com/netbirdio/netbird/client/internal/peer"
+import (
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+	"github.com/netbirdio/netbird/client/internal/peer"
+)

 // EnvList is an exported struct to be bound by gomobile
 type EnvList struct {
@@ -32,3 +35,13 @@ func (el *EnvList) AllItems() map[string]string {
 func GetEnvKeyNBForceRelay() string {
 	return peer.EnvKeyNBForceRelay
 }
+
+// GetEnvKeyNBLazyConn Exports the environment variable for the iOS client
+func GetEnvKeyNBLazyConn() string {
+	return lazyconn.EnvEnableLazyConn
+}
+
+// GetEnvKeyNBInactivityThreshold Exports the environment variable for the iOS client
+func GetEnvKeyNBInactivityThreshold() string {
+	return lazyconn.EnvInactivityThreshold
+}
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.6
-// 	protoc        v6.32.1
+// 	protoc        v6.33.3
 // source: daemon.proto

 package proto
@@ -88,6 +88,58 @@ func (LogLevel) EnumDescriptor() ([]byte, []int) {
 	return file_daemon_proto_rawDescGZIP(), []int{0}
 }

+type ExposeProtocol int32
+
+const (
+	ExposeProtocol_EXPOSE_HTTP  ExposeProtocol = 0
+	ExposeProtocol_EXPOSE_HTTPS ExposeProtocol = 1
+	ExposeProtocol_EXPOSE_TCP   ExposeProtocol = 2
+	ExposeProtocol_EXPOSE_UDP   ExposeProtocol = 3
+)
+
+// Enum value maps for ExposeProtocol.
+var (
+	ExposeProtocol_name = map[int32]string{
+		0: "EXPOSE_HTTP",
+		1: "EXPOSE_HTTPS",
+		2: "EXPOSE_TCP",
+		3: "EXPOSE_UDP",
+	}
+	ExposeProtocol_value = map[string]int32{
+		"EXPOSE_HTTP":  0,
+		"EXPOSE_HTTPS": 1,
+		"EXPOSE_TCP":   2,
+		"EXPOSE_UDP":   3,
+	}
+)
+
+func (x ExposeProtocol) Enum() *ExposeProtocol {
+	p := new(ExposeProtocol)
+	*p = x
+	return p
+}
+
+func (x ExposeProtocol) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (ExposeProtocol) Descriptor() protoreflect.EnumDescriptor {
+	return file_daemon_proto_enumTypes[1].Descriptor()
+}
+
+func (ExposeProtocol) Type() protoreflect.EnumType {
+	return &file_daemon_proto_enumTypes[1]
+}
+
+func (x ExposeProtocol) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use ExposeProtocol.Descriptor instead.
+func (ExposeProtocol) EnumDescriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{1}
+}
+
 // avoid collision with loglevel enum
 type OSLifecycleRequest_CycleType int32

@@ -122,11 +174,11 @@ func (x OSLifecycleRequest_CycleType) String() string {
 }

 func (OSLifecycleRequest_CycleType) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_proto_enumTypes[1].Descriptor()
+	return file_daemon_proto_enumTypes[2].Descriptor()
 }

 func (OSLifecycleRequest_CycleType) Type() protoreflect.EnumType {
-	return &file_daemon_proto_enumTypes[1]
+	return &file_daemon_proto_enumTypes[2]
 }

 func (x OSLifecycleRequest_CycleType) Number() protoreflect.EnumNumber {
@@ -174,11 +226,11 @@ func (x SystemEvent_Severity) String() string {
 }

 func (SystemEvent_Severity) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_proto_enumTypes[2].Descriptor()
+	return file_daemon_proto_enumTypes[3].Descriptor()
 }

 func (SystemEvent_Severity) Type() protoreflect.EnumType {
-	return &file_daemon_proto_enumTypes[2]
+	return &file_daemon_proto_enumTypes[3]
 }

 func (x SystemEvent_Severity) Number() protoreflect.EnumNumber {
@@ -229,11 +281,11 @@ func (x SystemEvent_Category) String() string {
 }

 func (SystemEvent_Category) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_proto_enumTypes[3].Descriptor()
+	return file_daemon_proto_enumTypes[4].Descriptor()
 }

 func (SystemEvent_Category) Type() protoreflect.EnumType {
-	return &file_daemon_proto_enumTypes[3]
+	return &file_daemon_proto_enumTypes[4]
 }

 func (x SystemEvent_Category) Number() protoreflect.EnumNumber {
@@ -5600,6 +5652,224 @@ func (x *InstallerResultResponse) GetErrorMsg() string {
 	return ""
 }

+type ExposeServiceRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Port          uint32                 `protobuf:"varint,1,opt,name=port,proto3" json:"port,omitempty"`
+	Protocol      ExposeProtocol         `protobuf:"varint,2,opt,name=protocol,proto3,enum=daemon.ExposeProtocol" json:"protocol,omitempty"`
+	Pin           string                 `protobuf:"bytes,3,opt,name=pin,proto3" json:"pin,omitempty"`
+	Password      string                 `protobuf:"bytes,4,opt,name=password,proto3" json:"password,omitempty"`
+	UserGroups    []string               `protobuf:"bytes,5,rep,name=user_groups,json=userGroups,proto3" json:"user_groups,omitempty"`
+	Domain        string                 `protobuf:"bytes,6,opt,name=domain,proto3" json:"domain,omitempty"`
+	NamePrefix    string                 `protobuf:"bytes,7,opt,name=name_prefix,json=namePrefix,proto3" json:"name_prefix,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ExposeServiceRequest) Reset() {
+	*x = ExposeServiceRequest{}
+	mi := &file_daemon_proto_msgTypes[85]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ExposeServiceRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ExposeServiceRequest) ProtoMessage() {}
+
+func (x *ExposeServiceRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[85]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ExposeServiceRequest.ProtoReflect.Descriptor instead.
+func (*ExposeServiceRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{85}
+}
+
+func (x *ExposeServiceRequest) GetPort() uint32 {
+	if x != nil {
+		return x.Port
+	}
+	return 0
+}
+
+func (x *ExposeServiceRequest) GetProtocol() ExposeProtocol {
+	if x != nil {
+		return x.Protocol
+	}
+	return ExposeProtocol_EXPOSE_HTTP
+}
+
+func (x *ExposeServiceRequest) GetPin() string {
+	if x != nil {
+		return x.Pin
+	}
+	return ""
+}
+
+func (x *ExposeServiceRequest) GetPassword() string {
+	if x != nil {
+		return x.Password
+	}
+	return ""
+}
+
+func (x *ExposeServiceRequest) GetUserGroups() []string {
+	if x != nil {
+		return x.UserGroups
+	}
+	return nil
+}
+
+func (x *ExposeServiceRequest) GetDomain() string {
+	if x != nil {
+		return x.Domain
+	}
+	return ""
+}
+
+func (x *ExposeServiceRequest) GetNamePrefix() string {
+	if x != nil {
+		return x.NamePrefix
+	}
+	return ""
+}
+
+type ExposeServiceEvent struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Types that are valid to be assigned to Event:
+	//
+	//	*ExposeServiceEvent_Ready
+	Event         isExposeServiceEvent_Event `protobuf_oneof:"event"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ExposeServiceEvent) Reset() {
+	*x = ExposeServiceEvent{}
+	mi := &file_daemon_proto_msgTypes[86]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ExposeServiceEvent) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ExposeServiceEvent) ProtoMessage() {}
+
+func (x *ExposeServiceEvent) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[86]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ExposeServiceEvent.ProtoReflect.Descriptor instead.
+func (*ExposeServiceEvent) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{86}
+}
+
+func (x *ExposeServiceEvent) GetEvent() isExposeServiceEvent_Event {
+	if x != nil {
+		return x.Event
+	}
+	return nil
+}
+
+func (x *ExposeServiceEvent) GetReady() *ExposeServiceReady {
+	if x != nil {
+		if x, ok := x.Event.(*ExposeServiceEvent_Ready); ok {
+			return x.Ready
+		}
+	}
+	return nil
+}
+
+type isExposeServiceEvent_Event interface {
+	isExposeServiceEvent_Event()
+}
+
+type ExposeServiceEvent_Ready struct {
+	Ready *ExposeServiceReady `protobuf:"bytes,1,opt,name=ready,proto3,oneof"`
+}
+
+func (*ExposeServiceEvent_Ready) isExposeServiceEvent_Event() {}
+
+type ExposeServiceReady struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	ServiceName   string                 `protobuf:"bytes,1,opt,name=service_name,json=serviceName,proto3" json:"service_name,omitempty"`
+	ServiceUrl    string                 `protobuf:"bytes,2,opt,name=service_url,json=serviceUrl,proto3" json:"service_url,omitempty"`
+	Domain        string                 `protobuf:"bytes,3,opt,name=domain,proto3" json:"domain,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ExposeServiceReady) Reset() {
+	*x = ExposeServiceReady{}
+	mi := &file_daemon_proto_msgTypes[87]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ExposeServiceReady) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ExposeServiceReady) ProtoMessage() {}
+
+func (x *ExposeServiceReady) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[87]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ExposeServiceReady.ProtoReflect.Descriptor instead.
+func (*ExposeServiceReady) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{87}
+}
+
+func (x *ExposeServiceReady) GetServiceName() string {
+	if x != nil {
+		return x.ServiceName
+	}
+	return ""
+}
+
+func (x *ExposeServiceReady) GetServiceUrl() string {
+	if x != nil {
+		return x.ServiceUrl
+	}
+	return ""
+}
+
+func (x *ExposeServiceReady) GetDomain() string {
+	if x != nil {
+		return x.Domain
+	}
+	return ""
+}
+
 type PortInfo_Range struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Start         uint32                 `protobuf:"varint,1,opt,name=start,proto3" json:"start,omitempty"`
@@ -5610,7 +5880,7 @@ type PortInfo_Range struct {

 func (x *PortInfo_Range) Reset() {
 	*x = PortInfo_Range{}
-	mi := &file_daemon_proto_msgTypes[86]
+	mi := &file_daemon_proto_msgTypes[89]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -5622,7 +5892,7 @@ func (x *PortInfo_Range) String() string {
 func (*PortInfo_Range) ProtoMessage() {}

 func (x *PortInfo_Range) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[86]
+	mi := &file_daemon_proto_msgTypes[89]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -6149,7 +6419,25 @@ const file_daemon_proto_rawDesc = "" +
 	"\x16InstallerResultRequest\"O\n" +
 	"\x17InstallerResultResponse\x12\x18\n" +
 	"\asuccess\x18\x01 \x01(\bR\asuccess\x12\x1a\n" +
-	"\berrorMsg\x18\x02 \x01(\tR\berrorMsg*b\n" +
+	"\berrorMsg\x18\x02 \x01(\tR\berrorMsg\"\xe6\x01\n" +
+	"\x14ExposeServiceRequest\x12\x12\n" +
+	"\x04port\x18\x01 \x01(\rR\x04port\x122\n" +
+	"\bprotocol\x18\x02 \x01(\x0e2\x16.daemon.ExposeProtocolR\bprotocol\x12\x10\n" +
+	"\x03pin\x18\x03 \x01(\tR\x03pin\x12\x1a\n" +
+	"\bpassword\x18\x04 \x01(\tR\bpassword\x12\x1f\n" +
+	"\vuser_groups\x18\x05 \x03(\tR\n" +
+	"userGroups\x12\x16\n" +
+	"\x06domain\x18\x06 \x01(\tR\x06domain\x12\x1f\n" +
+	"\vname_prefix\x18\a \x01(\tR\n" +
+	"namePrefix\"Q\n" +
+	"\x12ExposeServiceEvent\x122\n" +
+	"\x05ready\x18\x01 \x01(\v2\x1a.daemon.ExposeServiceReadyH\x00R\x05readyB\a\n" +
+	"\x05event\"p\n" +
+	"\x12ExposeServiceReady\x12!\n" +
+	"\fservice_name\x18\x01 \x01(\tR\vserviceName\x12\x1f\n" +
+	"\vservice_url\x18\x02 \x01(\tR\n" +
+	"serviceUrl\x12\x16\n" +
+	"\x06domain\x18\x03 \x01(\tR\x06domain*b\n" +
 	"\bLogLevel\x12\v\n" +
 	"\aUNKNOWN\x10\x00\x12\t\n" +
 	"\x05PANIC\x10\x01\x12\t\n" +
@@ -6158,7 +6446,14 @@ const file_daemon_proto_rawDesc = "" +
 	"\x04WARN\x10\x04\x12\b\n" +
 	"\x04INFO\x10\x05\x12\t\n" +
 	"\x05DEBUG\x10\x06\x12\t\n" +
-	"\x05TRACE\x10\a2\xdd\x14\n" +
+	"\x05TRACE\x10\a*S\n" +
+	"\x0eExposeProtocol\x12\x0f\n" +
+	"\vEXPOSE_HTTP\x10\x00\x12\x10\n" +
+	"\fEXPOSE_HTTPS\x10\x01\x12\x0e\n" +
+	"\n" +
+	"EXPOSE_TCP\x10\x02\x12\x0e\n" +
+	"\n" +
+	"EXPOSE_UDP\x10\x032\xac\x15\n" +
 	"\rDaemonService\x126\n" +
 	"\x05Login\x12\x14.daemon.LoginRequest\x1a\x15.daemon.LoginResponse\"\x00\x12K\n" +
 	"\fWaitSSOLogin\x12\x1b.daemon.WaitSSOLoginRequest\x1a\x1c.daemon.WaitSSOLoginResponse\"\x00\x12-\n" +
@@ -6197,7 +6492,8 @@ const file_daemon_proto_rawDesc = "" +
 	"\x0fStartCPUProfile\x12\x1e.daemon.StartCPUProfileRequest\x1a\x1f.daemon.StartCPUProfileResponse\"\x00\x12Q\n" +
 	"\x0eStopCPUProfile\x12\x1d.daemon.StopCPUProfileRequest\x1a\x1e.daemon.StopCPUProfileResponse\"\x00\x12N\n" +
 	"\x11NotifyOSLifecycle\x12\x1a.daemon.OSLifecycleRequest\x1a\x1b.daemon.OSLifecycleResponse\"\x00\x12W\n" +
-	"\x12GetInstallerResult\x12\x1e.daemon.InstallerResultRequest\x1a\x1f.daemon.InstallerResultResponse\"\x00B\bZ\x06/protob\x06proto3"
+	"\x12GetInstallerResult\x12\x1e.daemon.InstallerResultRequest\x1a\x1f.daemon.InstallerResultResponse\"\x00\x12M\n" +
+	"\rExposeService\x12\x1c.daemon.ExposeServiceRequest\x1a\x1a.daemon.ExposeServiceEvent\"\x000\x01B\bZ\x06/protob\x06proto3"

 var (
 	file_daemon_proto_rawDescOnce sync.Once
@@ -6211,214 +6507,222 @@ func file_daemon_proto_rawDescGZIP() []byte {
 	return file_daemon_proto_rawDescData
 }

-var file_daemon_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
-var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 88)
+var file_daemon_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
+var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 91)
 var file_daemon_proto_goTypes = []any{
 	(LogLevel)(0),                              // 0: daemon.LogLevel
-	(OSLifecycleRequest_CycleType)(0),          // 1: daemon.OSLifecycleRequest.CycleType
-	(SystemEvent_Severity)(0),                  // 2: daemon.SystemEvent.Severity
-	(SystemEvent_Category)(0),                  // 3: daemon.SystemEvent.Category
-	(*EmptyRequest)(nil),                       // 4: daemon.EmptyRequest
-	(*OSLifecycleRequest)(nil),                 // 5: daemon.OSLifecycleRequest
-	(*OSLifecycleResponse)(nil),                // 6: daemon.OSLifecycleResponse
-	(*LoginRequest)(nil),                       // 7: daemon.LoginRequest
-	(*LoginResponse)(nil),                      // 8: daemon.LoginResponse
-	(*WaitSSOLoginRequest)(nil),                // 9: daemon.WaitSSOLoginRequest
-	(*WaitSSOLoginResponse)(nil),               // 10: daemon.WaitSSOLoginResponse
-	(*UpRequest)(nil),                          // 11: daemon.UpRequest
-	(*UpResponse)(nil),                         // 12: daemon.UpResponse
-	(*StatusRequest)(nil),                      // 13: daemon.StatusRequest
-	(*StatusResponse)(nil),                     // 14: daemon.StatusResponse
-	(*DownRequest)(nil),                        // 15: daemon.DownRequest
-	(*DownResponse)(nil),                       // 16: daemon.DownResponse
-	(*GetConfigRequest)(nil),                   // 17: daemon.GetConfigRequest
-	(*GetConfigResponse)(nil),                  // 18: daemon.GetConfigResponse
-	(*PeerState)(nil),                          // 19: daemon.PeerState
-	(*LocalPeerState)(nil),                     // 20: daemon.LocalPeerState
-	(*SignalState)(nil),                        // 21: daemon.SignalState
-	(*ManagementState)(nil),                    // 22: daemon.ManagementState
-	(*RelayState)(nil),                         // 23: daemon.RelayState
-	(*NSGroupState)(nil),                       // 24: daemon.NSGroupState
-	(*SSHSessionInfo)(nil),                     // 25: daemon.SSHSessionInfo
-	(*SSHServerState)(nil),                     // 26: daemon.SSHServerState
-	(*FullStatus)(nil),                         // 27: daemon.FullStatus
-	(*ListNetworksRequest)(nil),                // 28: daemon.ListNetworksRequest
-	(*ListNetworksResponse)(nil),               // 29: daemon.ListNetworksResponse
-	(*SelectNetworksRequest)(nil),              // 30: daemon.SelectNetworksRequest
-	(*SelectNetworksResponse)(nil),             // 31: daemon.SelectNetworksResponse
-	(*IPList)(nil),                             // 32: daemon.IPList
-	(*Network)(nil),                            // 33: daemon.Network
-	(*PortInfo)(nil),                           // 34: daemon.PortInfo
-	(*ForwardingRule)(nil),                     // 35: daemon.ForwardingRule
-	(*ForwardingRulesResponse)(nil),            // 36: daemon.ForwardingRulesResponse
-	(*DebugBundleRequest)(nil),                 // 37: daemon.DebugBundleRequest
-	(*DebugBundleResponse)(nil),                // 38: daemon.DebugBundleResponse
-	(*GetLogLevelRequest)(nil),                 // 39: daemon.GetLogLevelRequest
-	(*GetLogLevelResponse)(nil),                // 40: daemon.GetLogLevelResponse
-	(*SetLogLevelRequest)(nil),                 // 41: daemon.SetLogLevelRequest
-	(*SetLogLevelResponse)(nil),                // 42: daemon.SetLogLevelResponse
-	(*State)(nil),                              // 43: daemon.State
-	(*ListStatesRequest)(nil),                  // 44: daemon.ListStatesRequest
-	(*ListStatesResponse)(nil),                 // 45: daemon.ListStatesResponse
-	(*CleanStateRequest)(nil),                  // 46: daemon.CleanStateRequest
-	(*CleanStateResponse)(nil),                 // 47: daemon.CleanStateResponse
-	(*DeleteStateRequest)(nil),                 // 48: daemon.DeleteStateRequest
-	(*DeleteStateResponse)(nil),                // 49: daemon.DeleteStateResponse
-	(*SetSyncResponsePersistenceRequest)(nil),  // 50: daemon.SetSyncResponsePersistenceRequest
-	(*SetSyncResponsePersistenceResponse)(nil), // 51: daemon.SetSyncResponsePersistenceResponse
-	(*TCPFlags)(nil),                           // 52: daemon.TCPFlags
-	(*TracePacketRequest)(nil),                 // 53: daemon.TracePacketRequest
-	(*TraceStage)(nil),                         // 54: daemon.TraceStage
-	(*TracePacketResponse)(nil),                // 55: daemon.TracePacketResponse
-	(*SubscribeRequest)(nil),                   // 56: daemon.SubscribeRequest
-	(*SystemEvent)(nil),                        // 57: daemon.SystemEvent
-	(*GetEventsRequest)(nil),                   // 58: daemon.GetEventsRequest
-	(*GetEventsResponse)(nil),                  // 59: daemon.GetEventsResponse
-	(*SwitchProfileRequest)(nil),               // 60: daemon.SwitchProfileRequest
-	(*SwitchProfileResponse)(nil),              // 61: daemon.SwitchProfileResponse
-	(*SetConfigRequest)(nil),                   // 62: daemon.SetConfigRequest
-	(*SetConfigResponse)(nil),                  // 63: daemon.SetConfigResponse
-	(*AddProfileRequest)(nil),                  // 64: daemon.AddProfileRequest
-	(*AddProfileResponse)(nil),                 // 65: daemon.AddProfileResponse
-	(*RemoveProfileRequest)(nil),               // 66: daemon.RemoveProfileRequest
-	(*RemoveProfileResponse)(nil),              // 67: daemon.RemoveProfileResponse
-	(*ListProfilesRequest)(nil),                // 68: daemon.ListProfilesRequest
-	(*ListProfilesResponse)(nil),               // 69: daemon.ListProfilesResponse
-	(*Profile)(nil),                            // 70: daemon.Profile
-	(*GetActiveProfileRequest)(nil),            // 71: daemon.GetActiveProfileRequest
-	(*GetActiveProfileResponse)(nil),           // 72: daemon.GetActiveProfileResponse
-	(*LogoutRequest)(nil),                      // 73: daemon.LogoutRequest
-	(*LogoutResponse)(nil),                     // 74: daemon.LogoutResponse
-	(*GetFeaturesRequest)(nil),                 // 75: daemon.GetFeaturesRequest
-	(*GetFeaturesResponse)(nil),                // 76: daemon.GetFeaturesResponse
-	(*GetPeerSSHHostKeyRequest)(nil),           // 77: daemon.GetPeerSSHHostKeyRequest
-	(*GetPeerSSHHostKeyResponse)(nil),          // 78: daemon.GetPeerSSHHostKeyResponse
-	(*RequestJWTAuthRequest)(nil),              // 79: daemon.RequestJWTAuthRequest
-	(*RequestJWTAuthResponse)(nil),             // 80: daemon.RequestJWTAuthResponse
-	(*WaitJWTTokenRequest)(nil),                // 81: daemon.WaitJWTTokenRequest
-	(*WaitJWTTokenResponse)(nil),               // 82: daemon.WaitJWTTokenResponse
-	(*StartCPUProfileRequest)(nil),             // 83: daemon.StartCPUProfileRequest
-	(*StartCPUProfileResponse)(nil),            // 84: daemon.StartCPUProfileResponse
-	(*StopCPUProfileRequest)(nil),              // 85: daemon.StopCPUProfileRequest
-	(*StopCPUProfileResponse)(nil),             // 86: daemon.StopCPUProfileResponse
-	(*InstallerResultRequest)(nil),             // 87: daemon.InstallerResultRequest
-	(*InstallerResultResponse)(nil),            // 88: daemon.InstallerResultResponse
-	nil,                                        // 89: daemon.Network.ResolvedIPsEntry
-	(*PortInfo_Range)(nil),                     // 90: daemon.PortInfo.Range
-	nil,                                        // 91: daemon.SystemEvent.MetadataEntry
-	(*durationpb.Duration)(nil),                // 92: google.protobuf.Duration
-	(*timestamppb.Timestamp)(nil),              // 93: google.protobuf.Timestamp
+	(ExposeProtocol)(0),                        // 1: daemon.ExposeProtocol
+	(OSLifecycleRequest_CycleType)(0),          // 2: daemon.OSLifecycleRequest.CycleType
+	(SystemEvent_Severity)(0),                  // 3: daemon.SystemEvent.Severity
+	(SystemEvent_Category)(0),                  // 4: daemon.SystemEvent.Category
+	(*EmptyRequest)(nil),                       // 5: daemon.EmptyRequest
+	(*OSLifecycleRequest)(nil),                 // 6: daemon.OSLifecycleRequest
+	(*OSLifecycleResponse)(nil),                // 7: daemon.OSLifecycleResponse
+	(*LoginRequest)(nil),                       // 8: daemon.LoginRequest
+	(*LoginResponse)(nil),                      // 9: daemon.LoginResponse
+	(*WaitSSOLoginRequest)(nil),                // 10: daemon.WaitSSOLoginRequest
+	(*WaitSSOLoginResponse)(nil),               // 11: daemon.WaitSSOLoginResponse
+	(*UpRequest)(nil),                          // 12: daemon.UpRequest
+	(*UpResponse)(nil),                         // 13: daemon.UpResponse
+	(*StatusRequest)(nil),                      // 14: daemon.StatusRequest
+	(*StatusResponse)(nil),                     // 15: daemon.StatusResponse
+	(*DownRequest)(nil),                        // 16: daemon.DownRequest
+	(*DownResponse)(nil),                       // 17: daemon.DownResponse
+	(*GetConfigRequest)(nil),                   // 18: daemon.GetConfigRequest
+	(*GetConfigResponse)(nil),                  // 19: daemon.GetConfigResponse
+	(*PeerState)(nil),                          // 20: daemon.PeerState
+	(*LocalPeerState)(nil),                     // 21: daemon.LocalPeerState
+	(*SignalState)(nil),                        // 22: daemon.SignalState
+	(*ManagementState)(nil),                    // 23: daemon.ManagementState
+	(*RelayState)(nil),                         // 24: daemon.RelayState
+	(*NSGroupState)(nil),                       // 25: daemon.NSGroupState
+	(*SSHSessionInfo)(nil),                     // 26: daemon.SSHSessionInfo
+	(*SSHServerState)(nil),                     // 27: daemon.SSHServerState
+	(*FullStatus)(nil),                         // 28: daemon.FullStatus
+	(*ListNetworksRequest)(nil),                // 29: daemon.ListNetworksRequest
+	(*ListNetworksResponse)(nil),               // 30: daemon.ListNetworksResponse
+	(*SelectNetworksRequest)(nil),              // 31: daemon.SelectNetworksRequest
+	(*SelectNetworksResponse)(nil),             // 32: daemon.SelectNetworksResponse
+	(*IPList)(nil),                             // 33: daemon.IPList
+	(*Network)(nil),                            // 34: daemon.Network
+	(*PortInfo)(nil),                           // 35: daemon.PortInfo
+	(*ForwardingRule)(nil),                     // 36: daemon.ForwardingRule
+	(*ForwardingRulesResponse)(nil),            // 37: daemon.ForwardingRulesResponse
+	(*DebugBundleRequest)(nil),                 // 38: daemon.DebugBundleRequest
+	(*DebugBundleResponse)(nil),                // 39: daemon.DebugBundleResponse
+	(*GetLogLevelRequest)(nil),                 // 40: daemon.GetLogLevelRequest
+	(*GetLogLevelResponse)(nil),                // 41: daemon.GetLogLevelResponse
+	(*SetLogLevelRequest)(nil),                 // 42: daemon.SetLogLevelRequest
+	(*SetLogLevelResponse)(nil),                // 43: daemon.SetLogLevelResponse
+	(*State)(nil),                              // 44: daemon.State
+	(*ListStatesRequest)(nil),                  // 45: daemon.ListStatesRequest
+	(*ListStatesResponse)(nil),                 // 46: daemon.ListStatesResponse
+	(*CleanStateRequest)(nil),                  // 47: daemon.CleanStateRequest
+	(*CleanStateResponse)(nil),                 // 48: daemon.CleanStateResponse
+	(*DeleteStateRequest)(nil),                 // 49: daemon.DeleteStateRequest
+	(*DeleteStateResponse)(nil),                // 50: daemon.DeleteStateResponse
+	(*SetSyncResponsePersistenceRequest)(nil),  // 51: daemon.SetSyncResponsePersistenceRequest
+	(*SetSyncResponsePersistenceResponse)(nil), // 52: daemon.SetSyncResponsePersistenceResponse
+	(*TCPFlags)(nil),                           // 53: daemon.TCPFlags
+	(*TracePacketRequest)(nil),                 // 54: daemon.TracePacketRequest
+	(*TraceStage)(nil),                         // 55: daemon.TraceStage
+	(*TracePacketResponse)(nil),                // 56: daemon.TracePacketResponse
+	(*SubscribeRequest)(nil),                   // 57: daemon.SubscribeRequest
+	(*SystemEvent)(nil),                        // 58: daemon.SystemEvent
+	(*GetEventsRequest)(nil),                   // 59: daemon.GetEventsRequest
+	(*GetEventsResponse)(nil),                  // 60: daemon.GetEventsResponse
+	(*SwitchProfileRequest)(nil),               // 61: daemon.SwitchProfileRequest
+	(*SwitchProfileResponse)(nil),              // 62: daemon.SwitchProfileResponse
+	(*SetConfigRequest)(nil),                   // 63: daemon.SetConfigRequest
+	(*SetConfigResponse)(nil),                  // 64: daemon.SetConfigResponse
+	(*AddProfileRequest)(nil),                  // 65: daemon.AddProfileRequest
+	(*AddProfileResponse)(nil),                 // 66: daemon.AddProfileResponse
+	(*RemoveProfileRequest)(nil),               // 67: daemon.RemoveProfileRequest
+	(*RemoveProfileResponse)(nil),              // 68: daemon.RemoveProfileResponse
+	(*ListProfilesRequest)(nil),                // 69: daemon.ListProfilesRequest
+	(*ListProfilesResponse)(nil),               // 70: daemon.ListProfilesResponse
+	(*Profile)(nil),                            // 71: daemon.Profile
+	(*GetActiveProfileRequest)(nil),            // 72: daemon.GetActiveProfileRequest
+	(*GetActiveProfileResponse)(nil),           // 73: daemon.GetActiveProfileResponse
+	(*LogoutRequest)(nil),                      // 74: daemon.LogoutRequest
+	(*LogoutResponse)(nil),                     // 75: daemon.LogoutResponse
+	(*GetFeaturesRequest)(nil),                 // 76: daemon.GetFeaturesRequest
+	(*GetFeaturesResponse)(nil),                // 77: daemon.GetFeaturesResponse
+	(*GetPeerSSHHostKeyRequest)(nil),           // 78: daemon.GetPeerSSHHostKeyRequest
+	(*GetPeerSSHHostKeyResponse)(nil),          // 79: daemon.GetPeerSSHHostKeyResponse
+	(*RequestJWTAuthRequest)(nil),              // 80: daemon.RequestJWTAuthRequest
+	(*RequestJWTAuthResponse)(nil),             // 81: daemon.RequestJWTAuthResponse
+	(*WaitJWTTokenRequest)(nil),                // 82: daemon.WaitJWTTokenRequest
+	(*WaitJWTTokenResponse)(nil),               // 83: daemon.WaitJWTTokenResponse
+	(*StartCPUProfileRequest)(nil),             // 84: daemon.StartCPUProfileRequest
+	(*StartCPUProfileResponse)(nil),            // 85: daemon.StartCPUProfileResponse
+	(*StopCPUProfileRequest)(nil),              // 86: daemon.StopCPUProfileRequest
+	(*StopCPUProfileResponse)(nil),             // 87: daemon.StopCPUProfileResponse
+	(*InstallerResultRequest)(nil),             // 88: daemon.InstallerResultRequest
+	(*InstallerResultResponse)(nil),            // 89: daemon.InstallerResultResponse
+	(*ExposeServiceRequest)(nil),               // 90: daemon.ExposeServiceRequest
+	(*ExposeServiceEvent)(nil),                 // 91: daemon.ExposeServiceEvent
+	(*ExposeServiceReady)(nil),                 // 92: daemon.ExposeServiceReady
+	nil,                                        // 93: daemon.Network.ResolvedIPsEntry
+	(*PortInfo_Range)(nil),                     // 94: daemon.PortInfo.Range
+	nil,                                        // 95: daemon.SystemEvent.MetadataEntry
+	(*durationpb.Duration)(nil),                // 96: google.protobuf.Duration
+	(*timestamppb.Timestamp)(nil),              // 97: google.protobuf.Timestamp
 }
 var file_daemon_proto_depIdxs = []int32{
-	1,  // 0: daemon.OSLifecycleRequest.type:type_name -> daemon.OSLifecycleRequest.CycleType
-	92, // 1: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
-	27, // 2: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
-	93, // 3: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
-	93, // 4: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
-	92, // 5: daemon.PeerState.latency:type_name -> google.protobuf.Duration
-	25, // 6: daemon.SSHServerState.sessions:type_name -> daemon.SSHSessionInfo
-	22, // 7: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
-	21, // 8: daemon.FullStatus.signalState:type_name -> daemon.SignalState
-	20, // 9: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
-	19, // 10: daemon.FullStatus.peers:type_name -> daemon.PeerState
-	23, // 11: daemon.FullStatus.relays:type_name -> daemon.RelayState
-	24, // 12: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
-	57, // 13: daemon.FullStatus.events:type_name -> daemon.SystemEvent
-	26, // 14: daemon.FullStatus.sshServerState:type_name -> daemon.SSHServerState
-	33, // 15: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
-	89, // 16: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
-	90, // 17: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
-	34, // 18: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
-	34, // 19: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
-	35, // 20: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
+	2,  // 0: daemon.OSLifecycleRequest.type:type_name -> daemon.OSLifecycleRequest.CycleType
+	96, // 1: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	28, // 2: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
+	97, // 3: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
+	97, // 4: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
+	96, // 5: daemon.PeerState.latency:type_name -> google.protobuf.Duration
+	26, // 6: daemon.SSHServerState.sessions:type_name -> daemon.SSHSessionInfo
+	23, // 7: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
+	22, // 8: daemon.FullStatus.signalState:type_name -> daemon.SignalState
+	21, // 9: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
+	20, // 10: daemon.FullStatus.peers:type_name -> daemon.PeerState
+	24, // 11: daemon.FullStatus.relays:type_name -> daemon.RelayState
+	25, // 12: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
+	58, // 13: daemon.FullStatus.events:type_name -> daemon.SystemEvent
+	27, // 14: daemon.FullStatus.sshServerState:type_name -> daemon.SSHServerState
+	34, // 15: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
+	93, // 16: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
+	94, // 17: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
+	35, // 18: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
+	35, // 19: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
+	36, // 20: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
 	0,  // 21: daemon.GetLogLevelResponse.level:type_name -> daemon.LogLevel
 	0,  // 22: daemon.SetLogLevelRequest.level:type_name -> daemon.LogLevel
-	43, // 23: daemon.ListStatesResponse.states:type_name -> daemon.State
-	52, // 24: daemon.TracePacketRequest.tcp_flags:type_name -> daemon.TCPFlags
-	54, // 25: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
-	2,  // 26: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
-	3,  // 27: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
-	93, // 28: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
-	91, // 29: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
-	57, // 30: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
-	92, // 31: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
-	70, // 32: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
-	32, // 33: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
-	7,  // 34: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
-	9,  // 35: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
-	11, // 36: daemon.DaemonService.Up:input_type -> daemon.UpRequest
-	13, // 37: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
-	15, // 38: daemon.DaemonService.Down:input_type -> daemon.DownRequest
-	17, // 39: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
-	28, // 40: daemon.DaemonService.ListNetworks:input_type -> daemon.ListNetworksRequest
-	30, // 41: daemon.DaemonService.SelectNetworks:input_type -> daemon.SelectNetworksRequest
-	30, // 42: daemon.DaemonService.DeselectNetworks:input_type -> daemon.SelectNetworksRequest
-	4,  // 43: daemon.DaemonService.ForwardingRules:input_type -> daemon.EmptyRequest
-	37, // 44: daemon.DaemonService.DebugBundle:input_type -> daemon.DebugBundleRequest
-	39, // 45: daemon.DaemonService.GetLogLevel:input_type -> daemon.GetLogLevelRequest
-	41, // 46: daemon.DaemonService.SetLogLevel:input_type -> daemon.SetLogLevelRequest
-	44, // 47: daemon.DaemonService.ListStates:input_type -> daemon.ListStatesRequest
-	46, // 48: daemon.DaemonService.CleanState:input_type -> daemon.CleanStateRequest
-	48, // 49: daemon.DaemonService.DeleteState:input_type -> daemon.DeleteStateRequest
-	50, // 50: daemon.DaemonService.SetSyncResponsePersistence:input_type -> daemon.SetSyncResponsePersistenceRequest
-	53, // 51: daemon.DaemonService.TracePacket:input_type -> daemon.TracePacketRequest
-	56, // 52: daemon.DaemonService.SubscribeEvents:input_type -> daemon.SubscribeRequest
-	58, // 53: daemon.DaemonService.GetEvents:input_type -> daemon.GetEventsRequest
-	60, // 54: daemon.DaemonService.SwitchProfile:input_type -> daemon.SwitchProfileRequest
-	62, // 55: daemon.DaemonService.SetConfig:input_type -> daemon.SetConfigRequest
-	64, // 56: daemon.DaemonService.AddProfile:input_type -> daemon.AddProfileRequest
-	66, // 57: daemon.DaemonService.RemoveProfile:input_type -> daemon.RemoveProfileRequest
-	68, // 58: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
-	71, // 59: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
-	73, // 60: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
-	75, // 61: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
-	77, // 62: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
-	79, // 63: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
-	81, // 64: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
-	83, // 65: daemon.DaemonService.StartCPUProfile:input_type -> daemon.StartCPUProfileRequest
-	85, // 66: daemon.DaemonService.StopCPUProfile:input_type -> daemon.StopCPUProfileRequest
-	5,  // 67: daemon.DaemonService.NotifyOSLifecycle:input_type -> daemon.OSLifecycleRequest
-	87, // 68: daemon.DaemonService.GetInstallerResult:input_type -> daemon.InstallerResultRequest
-	8,  // 69: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
-	10, // 70: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
-	12, // 71: daemon.DaemonService.Up:output_type -> daemon.UpResponse
-	14, // 72: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
-	16, // 73: daemon.DaemonService.Down:output_type -> daemon.DownResponse
-	18, // 74: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
-	29, // 75: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
-	31, // 76: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
-	31, // 77: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
-	36, // 78: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
-	38, // 79: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
-	40, // 80: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
-	42, // 81: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
-	45, // 82: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
-	47, // 83: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
-	49, // 84: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
-	51, // 85: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
-	55, // 86: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
-	57, // 87: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
-	59, // 88: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
-	61, // 89: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
-	63, // 90: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
-	65, // 91: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
-	67, // 92: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
-	69, // 93: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
-	72, // 94: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
-	74, // 95: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
-	76, // 96: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
-	78, // 97: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
-	80, // 98: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
-	82, // 99: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
-	84, // 100: daemon.DaemonService.StartCPUProfile:output_type -> daemon.StartCPUProfileResponse
-	86, // 101: daemon.DaemonService.StopCPUProfile:output_type -> daemon.StopCPUProfileResponse
-	6,  // 102: daemon.DaemonService.NotifyOSLifecycle:output_type -> daemon.OSLifecycleResponse
-	88, // 103: daemon.DaemonService.GetInstallerResult:output_type -> daemon.InstallerResultResponse
-	69, // [69:104] is the sub-list for method output_type
-	34, // [34:69] is the sub-list for method input_type
-	34, // [34:34] is the sub-list for extension type_name
-	34, // [34:34] is the sub-list for extension extendee
-	0,  // [0:34] is the sub-list for field type_name
+	44, // 23: daemon.ListStatesResponse.states:type_name -> daemon.State
+	53, // 24: daemon.TracePacketRequest.tcp_flags:type_name -> daemon.TCPFlags
+	55, // 25: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
+	3,  // 26: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
+	4,  // 27: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
+	97, // 28: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
+	95, // 29: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
+	58, // 30: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
+	96, // 31: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	71, // 32: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
+	1,  // 33: daemon.ExposeServiceRequest.protocol:type_name -> daemon.ExposeProtocol
+	92, // 34: daemon.ExposeServiceEvent.ready:type_name -> daemon.ExposeServiceReady
+	33, // 35: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
+	8,  // 36: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
+	10, // 37: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
+	12, // 38: daemon.DaemonService.Up:input_type -> daemon.UpRequest
+	14, // 39: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
+	16, // 40: daemon.DaemonService.Down:input_type -> daemon.DownRequest
+	18, // 41: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
+	29, // 42: daemon.DaemonService.ListNetworks:input_type -> daemon.ListNetworksRequest
+	31, // 43: daemon.DaemonService.SelectNetworks:input_type -> daemon.SelectNetworksRequest
+	31, // 44: daemon.DaemonService.DeselectNetworks:input_type -> daemon.SelectNetworksRequest
+	5,  // 45: daemon.DaemonService.ForwardingRules:input_type -> daemon.EmptyRequest
+	38, // 46: daemon.DaemonService.DebugBundle:input_type -> daemon.DebugBundleRequest
+	40, // 47: daemon.DaemonService.GetLogLevel:input_type -> daemon.GetLogLevelRequest
+	42, // 48: daemon.DaemonService.SetLogLevel:input_type -> daemon.SetLogLevelRequest
+	45, // 49: daemon.DaemonService.ListStates:input_type -> daemon.ListStatesRequest
+	47, // 50: daemon.DaemonService.CleanState:input_type -> daemon.CleanStateRequest
+	49, // 51: daemon.DaemonService.DeleteState:input_type -> daemon.DeleteStateRequest
+	51, // 52: daemon.DaemonService.SetSyncResponsePersistence:input_type -> daemon.SetSyncResponsePersistenceRequest
+	54, // 53: daemon.DaemonService.TracePacket:input_type -> daemon.TracePacketRequest
+	57, // 54: daemon.DaemonService.SubscribeEvents:input_type -> daemon.SubscribeRequest
+	59, // 55: daemon.DaemonService.GetEvents:input_type -> daemon.GetEventsRequest
+	61, // 56: daemon.DaemonService.SwitchProfile:input_type -> daemon.SwitchProfileRequest
+	63, // 57: daemon.DaemonService.SetConfig:input_type -> daemon.SetConfigRequest
+	65, // 58: daemon.DaemonService.AddProfile:input_type -> daemon.AddProfileRequest
+	67, // 59: daemon.DaemonService.RemoveProfile:input_type -> daemon.RemoveProfileRequest
+	69, // 60: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
+	72, // 61: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
+	74, // 62: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
+	76, // 63: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
+	78, // 64: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
+	80, // 65: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
+	82, // 66: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
+	84, // 67: daemon.DaemonService.StartCPUProfile:input_type -> daemon.StartCPUProfileRequest
+	86, // 68: daemon.DaemonService.StopCPUProfile:input_type -> daemon.StopCPUProfileRequest
+	6,  // 69: daemon.DaemonService.NotifyOSLifecycle:input_type -> daemon.OSLifecycleRequest
+	88, // 70: daemon.DaemonService.GetInstallerResult:input_type -> daemon.InstallerResultRequest
+	90, // 71: daemon.DaemonService.ExposeService:input_type -> daemon.ExposeServiceRequest
+	9,  // 72: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	11, // 73: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	13, // 74: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	15, // 75: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	17, // 76: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	19, // 77: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	30, // 78: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
+	32, // 79: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
+	32, // 80: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
+	37, // 81: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
+	39, // 82: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
+	41, // 83: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
+	43, // 84: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
+	46, // 85: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
+	48, // 86: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
+	50, // 87: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
+	52, // 88: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
+	56, // 89: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
+	58, // 90: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
+	60, // 91: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
+	62, // 92: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
+	64, // 93: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
+	66, // 94: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
+	68, // 95: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
+	70, // 96: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
+	73, // 97: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
+	75, // 98: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
+	77, // 99: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
+	79, // 100: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
+	81, // 101: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
+	83, // 102: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
+	85, // 103: daemon.DaemonService.StartCPUProfile:output_type -> daemon.StartCPUProfileResponse
+	87, // 104: daemon.DaemonService.StopCPUProfile:output_type -> daemon.StopCPUProfileResponse
+	7,  // 105: daemon.DaemonService.NotifyOSLifecycle:output_type -> daemon.OSLifecycleResponse
+	89, // 106: daemon.DaemonService.GetInstallerResult:output_type -> daemon.InstallerResultResponse
+	91, // 107: daemon.DaemonService.ExposeService:output_type -> daemon.ExposeServiceEvent
+	72, // [72:108] is the sub-list for method output_type
+	36, // [36:72] is the sub-list for method input_type
+	36, // [36:36] is the sub-list for extension type_name
+	36, // [36:36] is the sub-list for extension extendee
+	0,  // [0:36] is the sub-list for field type_name
 }

 func init() { file_daemon_proto_init() }
@@ -6439,13 +6743,16 @@ func file_daemon_proto_init() {
 	file_daemon_proto_msgTypes[58].OneofWrappers = []any{}
 	file_daemon_proto_msgTypes[69].OneofWrappers = []any{}
 	file_daemon_proto_msgTypes[75].OneofWrappers = []any{}
+	file_daemon_proto_msgTypes[86].OneofWrappers = []any{
+		(*ExposeServiceEvent_Ready)(nil),
+	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_proto_rawDesc), len(file_daemon_proto_rawDesc)),
-			NumEnums:      4,
-			NumMessages:   88,
+			NumEnums:      5,
+			NumMessages:   91,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -103,6 +103,9 @@ service DaemonService {
  rpc NotifyOSLifecycle(OSLifecycleRequest) returns(OSLifecycleResponse) {}

  rpc GetInstallerResult(InstallerResultRequest) returns (InstallerResultResponse) {}
+
+  // ExposeService exposes a local port via the NetBird reverse proxy
+  rpc ExposeService(ExposeServiceRequest) returns (stream ExposeServiceEvent) {}
 }


@@ -801,3 +804,32 @@ message InstallerResultResponse {
  bool success = 1;
  string errorMsg = 2;
 }
+
+enum ExposeProtocol {
+  EXPOSE_HTTP = 0;
+  EXPOSE_HTTPS = 1;
+  EXPOSE_TCP = 2;
+  EXPOSE_UDP = 3;
+}
+
+message ExposeServiceRequest {
+  uint32 port = 1;
+  ExposeProtocol protocol = 2;
+  string pin = 3;
+  string password = 4;
+  repeated string user_groups = 5;
+  string domain = 6;
+  string name_prefix = 7;
+}
+
+message ExposeServiceEvent {
+  oneof event {
+    ExposeServiceReady ready = 1;
+  }
+}
+
+message ExposeServiceReady {
+  string service_name = 1;
+  string service_url = 2;
+  string domain = 3;
+}
--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
@@ -76,6 +76,8 @@ type DaemonServiceClient interface {
 	StopCPUProfile(ctx context.Context, in *StopCPUProfileRequest, opts ...grpc.CallOption) (*StopCPUProfileResponse, error)
 	NotifyOSLifecycle(ctx context.Context, in *OSLifecycleRequest, opts ...grpc.CallOption) (*OSLifecycleResponse, error)
 	GetInstallerResult(ctx context.Context, in *InstallerResultRequest, opts ...grpc.CallOption) (*InstallerResultResponse, error)
+	// ExposeService exposes a local port via the NetBird reverse proxy
+	ExposeService(ctx context.Context, in *ExposeServiceRequest, opts ...grpc.CallOption) (DaemonService_ExposeServiceClient, error)
 }

 type daemonServiceClient struct {
@@ -424,6 +426,38 @@ func (c *daemonServiceClient) GetInstallerResult(ctx context.Context, in *Instal
 	return out, nil
 }

+func (c *daemonServiceClient) ExposeService(ctx context.Context, in *ExposeServiceRequest, opts ...grpc.CallOption) (DaemonService_ExposeServiceClient, error) {
+	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[1], "/daemon.DaemonService/ExposeService", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &daemonServiceExposeServiceClient{stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+type DaemonService_ExposeServiceClient interface {
+	Recv() (*ExposeServiceEvent, error)
+	grpc.ClientStream
+}
+
+type daemonServiceExposeServiceClient struct {
+	grpc.ClientStream
+}
+
+func (x *daemonServiceExposeServiceClient) Recv() (*ExposeServiceEvent, error) {
+	m := new(ExposeServiceEvent)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
 // DaemonServiceServer is the server API for DaemonService service.
 // All implementations must embed UnimplementedDaemonServiceServer
 // for forward compatibility
@@ -486,6 +520,8 @@ type DaemonServiceServer interface {
 	StopCPUProfile(context.Context, *StopCPUProfileRequest) (*StopCPUProfileResponse, error)
 	NotifyOSLifecycle(context.Context, *OSLifecycleRequest) (*OSLifecycleResponse, error)
 	GetInstallerResult(context.Context, *InstallerResultRequest) (*InstallerResultResponse, error)
+	// ExposeService exposes a local port via the NetBird reverse proxy
+	ExposeService(*ExposeServiceRequest, DaemonService_ExposeServiceServer) error
 	mustEmbedUnimplementedDaemonServiceServer()
 }

@@ -598,6 +634,9 @@ func (UnimplementedDaemonServiceServer) NotifyOSLifecycle(context.Context, *OSLi
 func (UnimplementedDaemonServiceServer) GetInstallerResult(context.Context, *InstallerResultRequest) (*InstallerResultResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetInstallerResult not implemented")
 }
+func (UnimplementedDaemonServiceServer) ExposeService(*ExposeServiceRequest, DaemonService_ExposeServiceServer) error {
+	return status.Errorf(codes.Unimplemented, "method ExposeService not implemented")
+}
 func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}

 // UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
@@ -1244,6 +1283,27 @@ func _DaemonService_GetInstallerResult_Handler(srv interface{}, ctx context.Cont
 	return interceptor(ctx, in, info, handler)
 }

+func _DaemonService_ExposeService_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(ExposeServiceRequest)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(DaemonServiceServer).ExposeService(m, &daemonServiceExposeServiceServer{stream})
+}
+
+type DaemonService_ExposeServiceServer interface {
+	Send(*ExposeServiceEvent) error
+	grpc.ServerStream
+}
+
+type daemonServiceExposeServiceServer struct {
+	grpc.ServerStream
+}
+
+func (x *daemonServiceExposeServiceServer) Send(m *ExposeServiceEvent) error {
+	return x.ServerStream.SendMsg(m)
+}
+
 // DaemonService_ServiceDesc is the grpc.ServiceDesc for DaemonService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -1394,6 +1454,11 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			Handler:       _DaemonService_SubscribeEvents_Handler,
 			ServerStreams: true,
 		},
+		{
+			StreamName:    "ExposeService",
+			Handler:       _DaemonService_ExposeService_Handler,
+			ServerStreams: true,
+		},
 	},
 	Metadata: "daemon.proto",
 }
--- a/client/server/lifecycle.go
+++ b/client/server/lifecycle.go
@@ -1,77 +0,0 @@
-package server
-
-import (
-	"context"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-// NotifyOSLifecycle handles operating system lifecycle events by executing appropriate logic based on the request type.
-func (s *Server) NotifyOSLifecycle(callerCtx context.Context, req *proto.OSLifecycleRequest) (*proto.OSLifecycleResponse, error) {
-	switch req.GetType() {
-	case proto.OSLifecycleRequest_WAKEUP:
-		return s.handleWakeUp(callerCtx)
-	case proto.OSLifecycleRequest_SLEEP:
-		return s.handleSleep(callerCtx)
-	default:
-		log.Errorf("unknown OSLifecycleRequest type: %v", req.GetType())
-	}
-	return &proto.OSLifecycleResponse{}, nil
-}
-
-// handleWakeUp processes a wake-up event by triggering the Up command if the system was previously put to sleep.
-// It resets the sleep state and logs the process. Returns a response or an error if the Up command fails.
-func (s *Server) handleWakeUp(callerCtx context.Context) (*proto.OSLifecycleResponse, error) {
-	if !s.sleepTriggeredDown.Load() {
-		log.Info("skipping up because wasn't sleep down")
-		return &proto.OSLifecycleResponse{}, nil
-	}
-
-	// avoid other wakeup runs if sleep didn't make the computer sleep
-	s.sleepTriggeredDown.Store(false)
-
-	log.Info("running up after wake up")
-	_, err := s.Up(callerCtx, &proto.UpRequest{})
-	if err != nil {
-		log.Errorf("running up failed: %v", err)
-		return &proto.OSLifecycleResponse{}, err
-	}
-
-	log.Info("running up command executed successfully")
-	return &proto.OSLifecycleResponse{}, nil
-}
-
-// handleSleep handles the sleep event by initiating a "down" sequence if the system is in a connected or connecting state.
-func (s *Server) handleSleep(callerCtx context.Context) (*proto.OSLifecycleResponse, error) {
-	s.mutex.Lock()
-
-	state := internal.CtxGetState(s.rootCtx)
-	status, err := state.Status()
-	if err != nil {
-		s.mutex.Unlock()
-		return &proto.OSLifecycleResponse{}, err
-	}
-
-	if status != internal.StatusConnecting && status != internal.StatusConnected {
-		log.Infof("skipping setting the agent down because status is %s", status)
-		s.mutex.Unlock()
-		return &proto.OSLifecycleResponse{}, nil
-	}
-	s.mutex.Unlock()
-
-	log.Info("running down after system started sleeping")
-
-	_, err = s.Down(callerCtx, &proto.DownRequest{})
-	if err != nil {
-		log.Errorf("running down failed: %v", err)
-		return &proto.OSLifecycleResponse{}, err
-	}
-
-	s.sleepTriggeredDown.Store(true)
-
-	log.Info("running down executed successfully")
-	return &proto.OSLifecycleResponse{}, nil
-}
--- a/client/server/lifecycle_test.go
+++ b/client/server/lifecycle_test.go
@@ -1,219 +0,0 @@
-package server
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-func newTestServer() *Server {
-	ctx := internal.CtxInitState(context.Background())
-	return &Server{
-		rootCtx:        ctx,
-		statusRecorder: peer.NewRecorder(""),
-	}
-}
-
-func TestNotifyOSLifecycle_WakeUp_SkipsWhenNotSleepTriggered(t *testing.T) {
-	s := newTestServer()
-
-	// sleepTriggeredDown is false by default
-	assert.False(t, s.sleepTriggeredDown.Load())
-
-	resp, err := s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
-		Type: proto.OSLifecycleRequest_WAKEUP,
-	})
-
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	assert.False(t, s.sleepTriggeredDown.Load(), "flag should remain false")
-}
-
-func TestNotifyOSLifecycle_Sleep_SkipsWhenStatusIdle(t *testing.T) {
-	s := newTestServer()
-
-	state := internal.CtxGetState(s.rootCtx)
-	state.Set(internal.StatusIdle)
-
-	resp, err := s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
-		Type: proto.OSLifecycleRequest_SLEEP,
-	})
-
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	assert.False(t, s.sleepTriggeredDown.Load(), "flag should remain false when status is Idle")
-}
-
-func TestNotifyOSLifecycle_Sleep_SkipsWhenStatusNeedsLogin(t *testing.T) {
-	s := newTestServer()
-
-	state := internal.CtxGetState(s.rootCtx)
-	state.Set(internal.StatusNeedsLogin)
-
-	resp, err := s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
-		Type: proto.OSLifecycleRequest_SLEEP,
-	})
-
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	assert.False(t, s.sleepTriggeredDown.Load(), "flag should remain false when status is NeedsLogin")
-}
-
-func TestNotifyOSLifecycle_Sleep_SetsFlag_WhenConnecting(t *testing.T) {
-	s := newTestServer()
-
-	state := internal.CtxGetState(s.rootCtx)
-	state.Set(internal.StatusConnecting)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	s.actCancel = cancel
-
-	resp, err := s.NotifyOSLifecycle(ctx, &proto.OSLifecycleRequest{
-		Type: proto.OSLifecycleRequest_SLEEP,
-	})
-
-	require.NoError(t, err)
-	assert.NotNil(t, resp, "handleSleep returns not nil response on success")
-	assert.True(t, s.sleepTriggeredDown.Load(), "flag should be set after sleep when connecting")
-}
-
-func TestNotifyOSLifecycle_Sleep_SetsFlag_WhenConnected(t *testing.T) {
-	s := newTestServer()
-
-	state := internal.CtxGetState(s.rootCtx)
-	state.Set(internal.StatusConnected)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	s.actCancel = cancel
-
-	resp, err := s.NotifyOSLifecycle(ctx, &proto.OSLifecycleRequest{
-		Type: proto.OSLifecycleRequest_SLEEP,
-	})
-
-	require.NoError(t, err)
-	assert.NotNil(t, resp, "handleSleep returns not nil response on success")
-	assert.True(t, s.sleepTriggeredDown.Load(), "flag should be set after sleep when connected")
-}
-
-func TestNotifyOSLifecycle_WakeUp_ResetsFlag(t *testing.T) {
-	s := newTestServer()
-
-	// Manually set the flag to simulate prior sleep down
-	s.sleepTriggeredDown.Store(true)
-
-	// WakeUp will try to call Up which fails without proper setup, but flag should reset first
-	_, _ = s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
-		Type: proto.OSLifecycleRequest_WAKEUP,
-	})
-
-	assert.False(t, s.sleepTriggeredDown.Load(), "flag should be reset after WakeUp attempt")
-}
-
-func TestNotifyOSLifecycle_MultipleWakeUpCalls(t *testing.T) {
-	s := newTestServer()
-
-	// First wakeup without prior sleep - should be no-op
-	resp, err := s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
-		Type: proto.OSLifecycleRequest_WAKEUP,
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	assert.False(t, s.sleepTriggeredDown.Load())
-
-	// Simulate prior sleep
-	s.sleepTriggeredDown.Store(true)
-
-	// First wakeup after sleep - should reset flag
-	_, _ = s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
-		Type: proto.OSLifecycleRequest_WAKEUP,
-	})
-	assert.False(t, s.sleepTriggeredDown.Load())
-
-	// Second wakeup - should be no-op
-	resp, err = s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
-		Type: proto.OSLifecycleRequest_WAKEUP,
-	})
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-	assert.False(t, s.sleepTriggeredDown.Load())
-}
-
-func TestHandleWakeUp_SkipsWhenFlagFalse(t *testing.T) {
-	s := newTestServer()
-
-	resp, err := s.handleWakeUp(context.Background())
-
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-}
-
-func TestHandleWakeUp_ResetsFlagBeforeUp(t *testing.T) {
-	s := newTestServer()
-	s.sleepTriggeredDown.Store(true)
-
-	// Even if Up fails, flag should be reset
-	_, _ = s.handleWakeUp(context.Background())
-
-	assert.False(t, s.sleepTriggeredDown.Load(), "flag must be reset before calling Up")
-}
-
-func TestHandleSleep_SkipsForNonActiveStates(t *testing.T) {
-	tests := []struct {
-		name   string
-		status internal.StatusType
-	}{
-		{"Idle", internal.StatusIdle},
-		{"NeedsLogin", internal.StatusNeedsLogin},
-		{"LoginFailed", internal.StatusLoginFailed},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			s := newTestServer()
-			state := internal.CtxGetState(s.rootCtx)
-			state.Set(tt.status)
-
-			resp, err := s.handleSleep(context.Background())
-
-			require.NoError(t, err)
-			require.NotNil(t, resp)
-			assert.False(t, s.sleepTriggeredDown.Load())
-		})
-	}
-}
-
-func TestHandleSleep_ProceedsForActiveStates(t *testing.T) {
-	tests := []struct {
-		name   string
-		status internal.StatusType
-	}{
-		{"Connecting", internal.StatusConnecting},
-		{"Connected", internal.StatusConnected},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			s := newTestServer()
-			state := internal.CtxGetState(s.rootCtx)
-			state.Set(tt.status)
-
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-			s.actCancel = cancel
-
-			resp, err := s.handleSleep(ctx)
-
-			require.NoError(t, err)
-			assert.NotNil(t, resp)
-			assert.True(t, s.sleepTriggeredDown.Load())
-		})
-	}
-}
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -21,7 +21,9 @@ import (
 	gstatus "google.golang.org/grpc/status"

 	"github.com/netbirdio/netbird/client/internal/auth"
+	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	sleephandler "github.com/netbirdio/netbird/client/internal/sleep/handler"
 	"github.com/netbirdio/netbird/client/system"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -85,8 +87,7 @@ type Server struct {
 	profilesDisabled       bool
 	updateSettingsDisabled bool

-	// sleepTriggeredDown holds a state indicated if the sleep handler triggered the last client down
-	sleepTriggeredDown atomic.Bool
+	sleepHandler *sleephandler.SleepHandler

 	jwtCache *jwtCache
 }
@@ -100,7 +101,7 @@ type oauthAuthFlow struct {

 // New server instance constructor.
 func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool, updateSettingsDisabled bool) *Server {
-	return &Server{
+	s := &Server{
 		rootCtx:                ctx,
 		logFile:                logFile,
 		persistSyncResponse:    true,
@@ -110,6 +111,10 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 		updateSettingsDisabled: updateSettingsDisabled,
 		jwtCache:               newJWTCache(),
 	}
+	agent := &serverAgent{s}
+	s.sleepHandler = sleephandler.New(agent)
+
+	return s
 }

 func (s *Server) Start() error {
@@ -1312,6 +1317,60 @@ func (s *Server) WaitJWTToken(
 	}, nil
 }

+// ExposeService exposes a local port via the NetBird reverse proxy.
+func (s *Server) ExposeService(req *proto.ExposeServiceRequest, srv proto.DaemonService_ExposeServiceServer) error {
+	s.mutex.Lock()
+	if !s.clientRunning {
+		s.mutex.Unlock()
+		return gstatus.Errorf(codes.FailedPrecondition, "client is not running, run 'netbird up' first")
+	}
+	connectClient := s.connectClient
+	s.mutex.Unlock()
+
+	if connectClient == nil {
+		return gstatus.Errorf(codes.FailedPrecondition, "client not initialized")
+	}
+
+	engine := connectClient.Engine()
+	if engine == nil {
+		return gstatus.Errorf(codes.FailedPrecondition, "engine not initialized")
+	}
+
+	mgr := engine.GetExposeManager()
+	if mgr == nil {
+		return gstatus.Errorf(codes.Internal, "expose manager not available")
+	}
+
+	ctx := srv.Context()
+
+	exposeCtx, exposeCancel := context.WithTimeout(ctx, 30*time.Second)
+	defer exposeCancel()
+
+	mgmReq := expose.NewRequest(req)
+	result, err := mgr.Expose(exposeCtx, *mgmReq)
+	if err != nil {
+		return err
+	}
+
+	if err := srv.Send(&proto.ExposeServiceEvent{
+		Event: &proto.ExposeServiceEvent_Ready{
+			Ready: &proto.ExposeServiceReady{
+				ServiceName: result.ServiceName,
+				ServiceUrl:  result.ServiceURL,
+				Domain:      result.Domain,
+			},
+		},
+	}); err != nil {
+		return err
+	}
+
+	err = mgr.KeepAlive(ctx, result.Domain)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func isUnixRunningDesktop() bool {
 	if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" {
 		return false
--- a/client/server/sleep.go
+++ b/client/server/sleep.go
@@ -0,0 +1,46 @@
+package server
+
+import (
+	"context"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// serverAgent adapts Server to the handler.Agent and handler.StatusChecker interfaces
+type serverAgent struct {
+	s *Server
+}
+
+func (a *serverAgent) Up(ctx context.Context) error {
+	_, err := a.s.Up(ctx, &proto.UpRequest{})
+	return err
+}
+
+func (a *serverAgent) Down(ctx context.Context) error {
+	_, err := a.s.Down(ctx, &proto.DownRequest{})
+	return err
+}
+
+func (a *serverAgent) Status() (internal.StatusType, error) {
+	return internal.CtxGetState(a.s.rootCtx).Status()
+}
+
+// NotifyOSLifecycle handles operating system lifecycle events by executing appropriate logic based on the request type.
+func (s *Server) NotifyOSLifecycle(callerCtx context.Context, req *proto.OSLifecycleRequest) (*proto.OSLifecycleResponse, error) {
+	switch req.GetType() {
+	case proto.OSLifecycleRequest_WAKEUP:
+		if err := s.sleepHandler.HandleWakeUp(callerCtx); err != nil {
+			return &proto.OSLifecycleResponse{}, err
+		}
+	case proto.OSLifecycleRequest_SLEEP:
+		if err := s.sleepHandler.HandleSleep(callerCtx); err != nil {
+			return &proto.OSLifecycleResponse{}, err
+		}
+	default:
+		log.Errorf("unknown OSLifecycleRequest type: %v", req.GetType())
+	}
+	return &proto.OSLifecycleResponse{}, nil
+}
--- a/client/ssh/client/client.go
+++ b/client/ssh/client/client.go
@@ -19,6 +19,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"

+	"github.com/netbirdio/netbird/client/internal/daemonaddr"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
@@ -268,7 +269,7 @@ func getDefaultDaemonAddr() string {
 	if runtime.GOOS == "windows" {
 		return DefaultDaemonAddrWindows
 	}
-	return DefaultDaemonAddr
+	return daemonaddr.ResolveUnixDaemonAddr(DefaultDaemonAddr)
 }

 // DialOptions contains options for SSH connections
--- a/client/uitauri/.gitignore
+++ b/client/uitauri/.gitignore
@@ -0,0 +1,3 @@
+frontend/node_modules/
+frontend/dist/
+src-tauri/target/
--- a/client/uitauri/README.md
+++ b/client/uitauri/README.md
@@ -0,0 +1,26 @@
+# NetBird Tauri UI
+
+## Prerequisites
+
+- Rust (https://rustup.rs)
+- Node.js 18+
+- Linux: `sudo apt install libwebkit2gtk-4.1-dev libgtk-3-dev libappindicator3-dev librsvg2-dev patchelf protobuf-compiler`
+
+## Build & Run
+
+```bash
+# Frontend
+cd frontend && npm install && npm run build && cd ..
+
+# Backend (debug)
+cd src-tauri && cargo build
+
+# Run
+RUST_LOG=info ./src-tauri/target/debug/netbird-ui
+
+# Release build
+cd src-tauri && cargo build --release
+./src-tauri/target/release/netbird-ui
+```
+
+The NetBird daemon must be running (`netbird service start`).
--- a/client/uitauri/frontend/index.html
+++ b/client/uitauri/frontend/index.html
@@ -0,0 +1,13 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="color-scheme" content="light dark" />
+    <title>NetBird</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.tsx"></script>
+  </body>
+</html>
--- a/client/uitauri/frontend/package-lock.json
+++ b/client/uitauri/frontend/package-lock.json
--- a/client/uitauri/frontend/package.json
+++ b/client/uitauri/frontend/package.json
@@ -0,0 +1,27 @@
+{
+  "name": "netbird-ui",
+  "private": true,
+  "version": "0.0.0",
+  "type": "module",
+  "scripts": {
+    "dev": "vite",
+    "build": "tsc && vite build",
+    "preview": "vite preview"
+  },
+  "dependencies": {
+    "@tauri-apps/api": "^2",
+    "@tauri-apps/plugin-notification": "^2",
+    "react": "^18.3.1",
+    "react-dom": "^18.3.1",
+    "react-router-dom": "^6.28.0"
+  },
+  "devDependencies": {
+    "@tailwindcss/vite": "^4.0.6",
+    "@types/react": "^18.3.12",
+    "@types/react-dom": "^18.3.1",
+    "@vitejs/plugin-react": "^4.3.4",
+    "tailwindcss": "^4.0.6",
+    "typescript": "^5.6.3",
+    "vite": "^6.0.5"
+  }
+}
--- a/client/uitauri/frontend/src/App.tsx
+++ b/client/uitauri/frontend/src/App.tsx
@@ -0,0 +1,59 @@
+import { HashRouter, Routes, Route, useNavigate } from 'react-router-dom'
+import { useEffect } from 'react'
+import { listen } from '@tauri-apps/api/event'
+import Status from './pages/Status'
+import Settings from './pages/Settings'
+import Networks from './pages/Networks'
+import Profiles from './pages/Profiles'
+import Peers from './pages/Peers'
+import Debug from './pages/Debug'
+import Update from './pages/Update'
+import NavBar from './components/NavBar'
+
+/**
+ * Navigator listens for the "navigate" event emitted by the Rust backend
+ * and programmatically navigates the React router.
+ */
+function Navigator() {
+  const navigate = useNavigate()
+
+  useEffect(() => {
+    const unlisten = listen<string>('navigate', (event) => {
+      const path = event.payload
+      if (path) navigate(path)
+    })
+    return () => {
+      unlisten.then(fn => fn())
+    }
+  }, [navigate])
+
+  return null
+}
+
+export default function App() {
+  return (
+    <HashRouter>
+      <Navigator />
+      <div
+        className="min-h-screen flex"
+        style={{
+          backgroundColor: 'var(--color-bg-primary)',
+          color: 'var(--color-text-primary)',
+        }}
+      >
+        <NavBar />
+        <main className="flex-1 px-10 py-8 overflow-y-auto h-screen">
+          <Routes>
+            <Route path="/" element={<Status />} />
+            <Route path="/settings" element={<Settings />} />
+            <Route path="/peers" element={<Peers />} />
+            <Route path="/networks" element={<Networks />} />
+            <Route path="/profiles" element={<Profiles />} />
+            <Route path="/debug" element={<Debug />} />
+            <Route path="/update" element={<Update />} />
+          </Routes>
+        </main>
+      </div>
+    </HashRouter>
+  )
+}
--- a/client/uitauri/frontend/src/bindings.ts
+++ b/client/uitauri/frontend/src/bindings.ts
@@ -0,0 +1,100 @@
+/**
+ * Type definitions for Tauri command responses.
+ * These mirror the Rust serde-serialized DTOs.
+ */
+
+// ---- Connection service ----
+
+export interface StatusInfo {
+  status: string
+  ip: string
+  publicKey: string
+  fqdn: string
+  connectedPeers: number
+}
+
+// ---- Settings service ----
+
+export interface ConfigInfo {
+  managementUrl: string
+  adminUrl: string
+  preSharedKey: string
+  interfaceName: string
+  wireguardPort: number
+  disableAutoConnect: boolean
+  serverSshAllowed: boolean
+  rosenpassEnabled: boolean
+  rosenpassPermissive: boolean
+  lazyConnectionEnabled: boolean
+  blockInbound: boolean
+  disableNotifications: boolean
+}
+
+// ---- Network service ----
+
+export interface NetworkInfo {
+  id: string
+  range: string
+  domains: string[]
+  selected: boolean
+  resolvedIPs: Record<string, string[]>
+}
+
+// ---- Profile service ----
+
+export interface ProfileInfo {
+  name: string
+  isActive: boolean
+}
+
+export interface ActiveProfileInfo {
+  profileName: string
+  username: string
+  email: string
+}
+
+// ---- Debug service ----
+
+export interface DebugBundleParams {
+  anonymize: boolean
+  systemInfo: boolean
+  upload: boolean
+  uploadUrl: string
+  runDurationMins: number
+  enablePersistence: boolean
+}
+
+export interface DebugBundleResult {
+  localPath: string
+  uploadedKey: string
+  uploadFailureReason: string
+}
+
+// ---- Peers service ----
+
+export interface PeerInfo {
+  ip: string
+  pubKey: string
+  fqdn: string
+  connStatus: string
+  connStatusUpdate: string
+  relayed: boolean
+  relayAddress: string
+  latencyMs: number
+  bytesRx: number
+  bytesTx: number
+  rosenpassEnabled: boolean
+  networks: string[]
+  lastHandshake: string
+  localIceType: string
+  remoteIceType: string
+  localEndpoint: string
+  remoteEndpoint: string
+}
+
+// ---- Update service ----
+
+export interface InstallerResult {
+  success: boolean
+  errorMsg: string
+}
--- a/client/uitauri/frontend/src/components/NavBar.tsx
+++ b/client/uitauri/frontend/src/components/NavBar.tsx
@@ -0,0 +1,162 @@
+import { NavLink } from 'react-router-dom'
+import NetBirdLogo from './NetBirdLogo'
+
+const mainItems = [
+  { to: '/', label: 'Status', icon: StatusIcon },
+  { to: '/peers', label: 'Peers', icon: PeersIcon },
+  { to: '/networks', label: 'Networks', icon: NetworksIcon },
+  { to: '/profiles', label: 'Profiles', icon: ProfilesIcon },
+]
+
+const systemItems = [
+  { to: '/settings', label: 'Settings', icon: SettingsIcon },
+  { to: '/debug', label: 'Debug', icon: DebugIcon },
+  { to: '/update', label: 'Update', icon: UpdateIcon },
+]
+
+function NavGroup({ items }: { items: typeof mainItems }) {
+  return (
+    <div className="space-y-0.5">
+      {items.map((item) => (
+        <NavLink
+          key={item.to}
+          to={item.to}
+          end={item.to === '/'}
+          className="block"
+        >
+          {({ isActive }) => (
+            <div
+              className="flex items-center gap-2.5 px-2.5 py-[5px] rounded-[var(--radius-sidebar-item)] text-[13px] transition-colors"
+              style={{
+                backgroundColor: isActive ? 'var(--color-sidebar-selected)' : 'transparent',
+                fontWeight: isActive ? 500 : 400,
+                color: isActive ? 'var(--color-text-primary)' : 'var(--color-text-secondary)',
+              }}
+              onMouseEnter={e => {
+                if (!isActive) e.currentTarget.style.backgroundColor = 'var(--color-sidebar-hover)'
+              }}
+              onMouseLeave={e => {
+                if (!isActive) e.currentTarget.style.backgroundColor = 'transparent'
+              }}
+            >
+              <item.icon active={isActive} />
+              <span>{item.label}</span>
+            </div>
+          )}
+        </NavLink>
+      ))}
+    </div>
+  )
+}
+
+export default function NavBar() {
+  return (
+    <nav
+      className="w-[216px] min-w-[216px] flex flex-col h-screen"
+      style={{
+        backgroundColor: 'var(--color-bg-sidebar)',
+        backdropFilter: 'blur(20px)',
+        WebkitBackdropFilter: 'blur(20px)',
+        borderRight: '0.5px solid var(--color-separator)',
+      }}
+    >
+      {/* Logo */}
+      <div className="px-4 py-4" style={{ borderBottom: '0.5px solid var(--color-separator)' }}>
+        <NetBirdLogo full />
+      </div>
+
+      {/* Nav items */}
+      <div className="flex-1 px-2.5 py-3 overflow-y-auto">
+        <NavGroup items={mainItems} />
+        <div className="my-2 mx-2.5" style={{ borderTop: '0.5px solid var(--color-separator)' }} />
+        <NavGroup items={systemItems} />
+      </div>
+
+      {/* Version footer */}
+      <div className="px-4 py-2.5 text-[11px]" style={{ color: 'var(--color-text-quaternary)', borderTop: '0.5px solid var(--color-separator)' }}>
+        NetBird Client
+      </div>
+    </nav>
+  )
+}
+
+/* ── Icons (18px, stroke) ──────────────────────────────────────── */
+
+function StatusIcon({ active }: { active: boolean }) {
+  return (
+    <svg className="w-[18px] h-[18px] shrink-0" style={{ color: active ? 'var(--color-accent)' : 'var(--color-text-secondary)' }} viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
+      <path d="M22 12h-4l-3 9L9 3l-3 9H2" />
+    </svg>
+  )
+}
+
+function PeersIcon({ active }: { active: boolean }) {
+  return (
+    <svg className="w-[18px] h-[18px] shrink-0" style={{ color: active ? 'var(--color-accent)' : 'var(--color-text-secondary)' }} viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
+      <rect x="2" y="3" width="20" height="14" rx="2" />
+      <line x1="8" y1="21" x2="16" y2="21" />
+      <line x1="12" y1="17" x2="12" y2="21" />
+    </svg>
+  )
+}
+
+function NetworksIcon({ active }: { active: boolean }) {
+  return (
+    <svg className="w-[18px] h-[18px] shrink-0" style={{ color: active ? 'var(--color-accent)' : 'var(--color-text-secondary)' }} viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
+      <circle cx="12" cy="5" r="2" />
+      <circle cx="5" cy="19" r="2" />
+      <circle cx="19" cy="19" r="2" />
+      <line x1="12" y1="7" x2="5" y2="17" />
+      <line x1="12" y1="7" x2="19" y2="17" />
+    </svg>
+  )
+}
+
+function ProfilesIcon({ active }: { active: boolean }) {
+  return (
+    <svg className="w-[18px] h-[18px] shrink-0" style={{ color: active ? 'var(--color-accent)' : 'var(--color-text-secondary)' }} viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
+      <path d="M16 21v-2a4 4 0 0 0-4-4H6a4 4 0 0 0-4 4v2" />
+      <circle cx="9" cy="7" r="4" />
+      <path d="M22 21v-2a4 4 0 0 0-3-3.87" />
+      <path d="M16 3.13a4 4 0 0 1 0 7.75" />
+    </svg>
+  )
+}
+
+function SettingsIcon({ active }: { active: boolean }) {
+  return (
+    <svg className="w-[18px] h-[18px] shrink-0" style={{ color: active ? 'var(--color-accent)' : 'var(--color-text-secondary)' }} viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
+      <path d="M12.22 2h-.44a2 2 0 0 0-2 2v.18a2 2 0 0 1-1 1.73l-.43.25a2 2 0 0 1-2 0l-.15-.08a2 2 0 0 0-2.73.73l-.22.38a2 2 0 0 0 .73 2.73l.15.1a2 2 0 0 1 1 1.72v.51a2 2 0 0 1-1 1.74l-.15.09a2 2 0 0 0-.73 2.73l.22.38a2 2 0 0 0 2.73.73l.15-.08a2 2 0 0 1 2 0l.43.25a2 2 0 0 1 1 1.73V20a2 2 0 0 0 2 2h.44a2 2 0 0 0 2-2v-.18a2 2 0 0 1 1-1.73l.43-.25a2 2 0 0 1 2 0l.15.08a2 2 0 0 0 2.73-.73l.22-.39a2 2 0 0 0-.73-2.73l-.15-.08a2 2 0 0 1-1-1.74v-.5a2 2 0 0 1 1-1.74l.15-.09a2 2 0 0 0 .73-2.73l-.22-.38a2 2 0 0 0-2.73-.73l-.15.08a2 2 0 0 1-2 0l-.43-.25a2 2 0 0 1-1-1.73V4a2 2 0 0 0-2-2z" />
+      <circle cx="12" cy="12" r="3" />
+    </svg>
+  )
+}
+
+function DebugIcon({ active }: { active: boolean }) {
+  return (
+    <svg className="w-[18px] h-[18px] shrink-0" style={{ color: active ? 'var(--color-accent)' : 'var(--color-text-secondary)' }} viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
+      <path d="m8 2 1.88 1.88" />
+      <path d="M14.12 3.88 16 2" />
+      <path d="M9 7.13v-1a3.003 3.003 0 1 1 6 0v1" />
+      <path d="M12 20c-3.3 0-6-2.7-6-6v-3a4 4 0 0 1 4-4h4a4 4 0 0 1 4 4v3c0 3.3-2.7 6-6 6" />
+      <path d="M12 20v-9" />
+      <path d="M6.53 9C4.6 8.8 3 7.1 3 5" />
+      <path d="M6 13H2" />
+      <path d="M3 21c0-2.1 1.7-3.9 3.8-4" />
+      <path d="M20.97 5c0 2.1-1.6 3.8-3.5 4" />
+      <path d="M22 13h-4" />
+      <path d="M17.2 17c2.1.1 3.8 1.9 3.8 4" />
+    </svg>
+  )
+}
+
+function UpdateIcon({ active }: { active: boolean }) {
+  return (
+    <svg className="w-[18px] h-[18px] shrink-0" style={{ color: active ? 'var(--color-accent)' : 'var(--color-text-secondary)' }} viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
+      <path d="M21 12a9 9 0 0 0-9-9 9.75 9.75 0 0 0-6.74 2.74L3 8" />
+      <path d="M3 3v5h5" />
+      <path d="M3 12a9 9 0 0 0 9 9 9.75 9.75 0 0 0 6.74-2.74L21 16" />
+      <path d="M16 16h5v5" />
+    </svg>
+  )
+}
--- a/client/uitauri/frontend/src/components/NetBirdLogo.tsx
+++ b/client/uitauri/frontend/src/components/NetBirdLogo.tsx
@@ -0,0 +1,20 @@
+function BirdMark({ className }: { className?: string }) {
+  return (
+    <svg className={className} width="31" height="23" viewBox="0 0 31 23" fill="none" xmlns="http://www.w3.org/2000/svg">
+      <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z" fill="#F68330"/>
+      <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z" fill="#F68330"/>
+      <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727" fill="#F05252"/>
+    </svg>
+  )
+}
+
+export default function NetBirdLogo({ full = false, className }: { full?: boolean; className?: string }) {
+  if (!full) return <BirdMark className={className} />
+
+  return (
+    <div className={`flex items-center gap-2 ${className ?? ''}`}>
+      <BirdMark />
+      <span className="text-lg font-bold tracking-wide" style={{ color: 'var(--color-text-primary)' }}>NETBIRD</span>
+    </div>
+  )
+}
--- a/client/uitauri/frontend/src/components/ui/Button.tsx
+++ b/client/uitauri/frontend/src/components/ui/Button.tsx
@@ -0,0 +1,35 @@
+interface ButtonProps extends React.ButtonHTMLAttributes<HTMLButtonElement> {
+  variant?: 'primary' | 'secondary' | 'destructive'
+  size?: 'sm' | 'md'
+}
+
+const styles: Record<string, React.CSSProperties> = {
+  primary: {
+    backgroundColor: 'var(--color-accent)',
+    color: '#ffffff',
+  },
+  secondary: {
+    backgroundColor: 'var(--color-control-bg)',
+    color: 'var(--color-text-primary)',
+  },
+  destructive: {
+    backgroundColor: 'var(--color-status-red-bg)',
+    color: 'var(--color-status-red)',
+  },
+}
+
+export default function Button({ variant = 'primary', size = 'md', className, style, children, ...props }: ButtonProps) {
+  const variantStyle = styles[variant]
+  const pad = size === 'sm' ? '4px 12px' : '6px 20px'
+  const fontSize = size === 'sm' ? 12 : 13
+
+  return (
+    <button
+      className={`inline-flex items-center justify-center gap-1.5 font-medium rounded-[8px] transition-opacity hover:opacity-85 active:opacity-75 disabled:opacity-50 disabled:cursor-not-allowed ${className ?? ''}`}
+      style={{ padding: pad, fontSize, ...variantStyle, ...style }}
+      {...props}
+    >
+      {children}
+    </button>
+  )
+}
--- a/client/uitauri/frontend/src/components/ui/Card.tsx
+++ b/client/uitauri/frontend/src/components/ui/Card.tsx
@@ -0,0 +1,26 @@
+interface CardProps {
+  label?: string
+  children: React.ReactNode
+  className?: string
+}
+
+export default function Card({ label, children, className }: CardProps) {
+  return (
+    <div className={className}>
+      {label && (
+        <h3 className="text-[11px] font-semibold uppercase tracking-wide px-4 mb-1.5" style={{ color: 'var(--color-text-tertiary)' }}>
+          {label}
+        </h3>
+      )}
+      <div
+        className="rounded-[var(--radius-card)] overflow-hidden"
+        style={{
+          backgroundColor: 'var(--color-bg-secondary)',
+          boxShadow: 'var(--shadow-card)',
+        }}
+      >
+        {children}
+      </div>
+    </div>
+  )
+}
--- a/client/uitauri/frontend/src/components/ui/CardRow.tsx
+++ b/client/uitauri/frontend/src/components/ui/CardRow.tsx
@@ -0,0 +1,31 @@
+interface CardRowProps {
+  label?: string
+  description?: string
+  children?: React.ReactNode
+  className?: string
+  onClick?: () => void
+}
+
+export default function CardRow({ label, description, children, className, onClick }: CardRowProps) {
+  return (
+    <div
+      className={`flex items-center justify-between gap-4 px-4 py-3 min-h-[44px] ${onClick ? 'cursor-pointer' : ''} ${className ?? ''}`}
+      style={{ borderBottom: '0.5px solid var(--color-separator)' }}
+      onClick={onClick}
+    >
+      <div className="flex flex-col min-w-0 flex-1">
+        {label && (
+          <span className="text-[13px]" style={{ color: 'var(--color-text-primary)' }}>
+            {label}
+          </span>
+        )}
+        {description && (
+          <span className="text-[11px] mt-0.5" style={{ color: 'var(--color-text-tertiary)' }}>
+            {description}
+          </span>
+        )}
+      </div>
+      {children && <div className="shrink-0 flex items-center">{children}</div>}
+    </div>
+  )
+}
--- a/client/uitauri/frontend/src/components/ui/Input.tsx
+++ b/client/uitauri/frontend/src/components/ui/Input.tsx
@@ -0,0 +1,40 @@
+interface InputProps extends React.InputHTMLAttributes<HTMLInputElement> {
+  label?: string
+}
+
+export default function Input({ label, className, style, ...props }: InputProps) {
+  const input = (
+    <input
+      className={`w-full rounded-[var(--radius-control)] text-[13px] outline-none transition-shadow ${className ?? ''}`}
+      style={{
+        height: 28,
+        padding: '0 8px',
+        backgroundColor: 'var(--color-input-bg)',
+        border: '0.5px solid var(--color-input-border)',
+        color: 'var(--color-text-primary)',
+        boxShadow: 'none',
+        ...style,
+      }}
+      onFocus={e => {
+        e.currentTarget.style.boxShadow = '0 0 0 3px rgba(246,131,48,0.3)'
+        e.currentTarget.style.borderColor = 'var(--color-accent)'
+      }}
+      onBlur={e => {
+        e.currentTarget.style.boxShadow = 'none'
+        e.currentTarget.style.borderColor = 'var(--color-input-border)'
+      }}
+      {...props}
+    />
+  )
+
+  if (!label) return input
+
+  return (
+    <div>
+      <label className="block text-[11px] font-medium mb-1" style={{ color: 'var(--color-text-secondary)' }}>
+        {label}
+      </label>
+      {input}
+    </div>
+  )
+}
--- a/client/uitauri/frontend/src/components/ui/Modal.tsx
+++ b/client/uitauri/frontend/src/components/ui/Modal.tsx
@@ -0,0 +1,46 @@
+import Button from './Button'
+
+interface ModalProps {
+  title: string
+  message: string
+  confirmLabel?: string
+  cancelLabel?: string
+  destructive?: boolean
+  loading?: boolean
+  onConfirm: () => void
+  onCancel: () => void
+}
+
+export default function Modal({ title, message, confirmLabel = 'Confirm', cancelLabel = 'Cancel', destructive, loading, onConfirm, onCancel }: ModalProps) {
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center" style={{ backgroundColor: 'rgba(0,0,0,0.4)' }}>
+      <div
+        className="max-w-sm w-full mx-4 p-5 rounded-[12px]"
+        style={{
+          backgroundColor: 'var(--color-bg-elevated)',
+          boxShadow: 'var(--shadow-elevated)',
+        }}
+      >
+        <h2 className="text-[15px] font-semibold mb-1" style={{ color: 'var(--color-text-primary)' }}>
+          {title}
+        </h2>
+        <p className="text-[13px] mb-5" style={{ color: 'var(--color-text-secondary)' }}>
+          {message}
+        </p>
+        <div className="flex gap-2 justify-end">
+          <Button variant="secondary" size="sm" onClick={onCancel}>
+            {cancelLabel}
+          </Button>
+          <Button
+            variant={destructive ? 'destructive' : 'primary'}
+            size="sm"
+            onClick={onConfirm}
+            disabled={loading}
+          >
+            {confirmLabel}
+          </Button>
+        </div>
+      </div>
+    </div>
+  )
+}
--- a/client/uitauri/frontend/src/components/ui/SearchInput.tsx
+++ b/client/uitauri/frontend/src/components/ui/SearchInput.tsx
@@ -0,0 +1,47 @@
+interface SearchInputProps {
+  value: string
+  onChange: (value: string) => void
+  placeholder?: string
+  className?: string
+}
+
+export default function SearchInput({ value, onChange, placeholder = 'Search...', className }: SearchInputProps) {
+  return (
+    <div className={`relative ${className ?? ''}`}>
+      <svg
+        className="absolute left-2.5 top-1/2 -translate-y-1/2 w-3.5 h-3.5"
+        style={{ color: 'var(--color-text-tertiary)' }}
+        fill="none"
+        viewBox="0 0 24 24"
+        stroke="currentColor"
+        strokeWidth={2}
+      >
+        <circle cx={11} cy={11} r={8} />
+        <path d="m21 21-4.3-4.3" />
+      </svg>
+      <input
+        className="w-full text-[13px] outline-none transition-shadow"
+        style={{
+          height: 28,
+          paddingLeft: 28,
+          paddingRight: 8,
+          backgroundColor: 'var(--color-control-bg)',
+          border: '0.5px solid transparent',
+          borderRadius: 999,
+          color: 'var(--color-text-primary)',
+        }}
+        placeholder={placeholder}
+        value={value}
+        onChange={e => onChange(e.target.value)}
+        onFocus={e => {
+          e.currentTarget.style.boxShadow = '0 0 0 3px rgba(246,131,48,0.3)'
+          e.currentTarget.style.borderColor = 'var(--color-accent)'
+        }}
+        onBlur={e => {
+          e.currentTarget.style.boxShadow = 'none'
+          e.currentTarget.style.borderColor = 'transparent'
+        }}
+      />
+    </div>
+  )
+}
--- a/client/uitauri/frontend/src/components/ui/SegmentedControl.tsx
+++ b/client/uitauri/frontend/src/components/ui/SegmentedControl.tsx
@@ -0,0 +1,34 @@
+interface SegmentedControlProps<T extends string> {
+  options: { value: T; label: string }[]
+  value: T
+  onChange: (value: T) => void
+  className?: string
+}
+
+export default function SegmentedControl<T extends string>({ options, value, onChange, className }: SegmentedControlProps<T>) {
+  return (
+    <div
+      className={`inline-flex rounded-[8px] p-[3px] ${className ?? ''}`}
+      style={{ backgroundColor: 'var(--color-control-bg)' }}
+    >
+      {options.map(opt => {
+        const active = opt.value === value
+        return (
+          <button
+            key={opt.value}
+            onClick={() => onChange(opt.value)}
+            className="relative px-3 py-1 text-[12px] font-medium rounded-[6px] transition-all duration-200"
+            style={{
+              backgroundColor: active ? 'var(--color-bg-elevated)' : 'transparent',
+              color: active ? 'var(--color-text-primary)' : 'var(--color-text-secondary)',
+              boxShadow: active ? 'var(--shadow-segment)' : 'none',
+              minWidth: 64,
+            }}
+          >
+            {opt.label}
+          </button>
+        )
+      })}
+    </div>
+  )
+}
--- a/client/uitauri/frontend/src/components/ui/StatusBadge.tsx
+++ b/client/uitauri/frontend/src/components/ui/StatusBadge.tsx
@@ -0,0 +1,34 @@
+interface StatusBadgeProps {
+  status: 'connected' | 'disconnected' | 'connecting' | string
+  label?: string
+}
+
+function getStatusColors(status: string): { dot: string; text: string; bg: string } {
+  switch (status.toLowerCase()) {
+    case 'connected':
+      return { dot: 'var(--color-status-green)', text: 'var(--color-status-green)', bg: 'var(--color-status-green-bg)' }
+    case 'connecting':
+      return { dot: 'var(--color-status-yellow)', text: 'var(--color-status-yellow)', bg: 'var(--color-status-yellow-bg)' }
+    case 'disconnected':
+      return { dot: 'var(--color-status-gray)', text: 'var(--color-text-secondary)', bg: 'var(--color-status-gray-bg)' }
+    default:
+      return { dot: 'var(--color-status-red)', text: 'var(--color-status-red)', bg: 'var(--color-status-red-bg)' }
+  }
+}
+
+export default function StatusBadge({ status, label }: StatusBadgeProps) {
+  const colors = getStatusColors(status)
+
+  return (
+    <span
+      className="inline-flex items-center gap-1.5 px-2 py-0.5 rounded-full text-[11px] font-medium"
+      style={{ backgroundColor: colors.bg, color: colors.text }}
+    >
+      <span
+        className={`w-1.5 h-1.5 rounded-full ${status.toLowerCase() === 'connecting' ? 'animate-pulse' : ''}`}
+        style={{ backgroundColor: colors.dot }}
+      />
+      {label ?? status}
+    </span>
+  )
+}
--- a/Show More
+++ b/Show More