Fix(auth0) caching Users by accountId

* Update links in Start using NetBird

* Update internals overview and co structure

* Netbird to NetBird

.github/workflows/golang-test-darwin.yml

@@ -0,0 +1,29 @@
+name: Test Code Darwin
+on: [push,pull_request]
+jobs:
+  test:
+    strategy:
+      matrix:
+        go-version: [1.18.x]
+    runs-on: macos-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: macos-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            macos-go-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: Test
+        run: go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...

.github/workflows/golang-test-linux.yml

@@ -0,0 +1,34 @@
+name: Test Code Linux
+on: [push,pull_request]
+jobs:
+  test:
+    strategy:
+      matrix:
+        go-version: [1.18.x]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: Test
+        run: go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...

.github/workflows/golang-test-windows.yml

@@ -0,0 +1,57 @@
+name: Test Code Windows
+on: [push,pull_request]
+jobs:
+  pre:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - run: bash -x wireguard_nt.sh
+        working-directory: client
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: syso
+          path: client/*.syso
+          retention-days: 1
+
+  test:
+    needs: pre
+    strategy:
+      matrix:
+        go-version: [1.18.x]
+    runs-on: windows-latest
+    steps:
+      - name: disable defender
+        run: Set-MpPreference -DisableRealtimeMonitoring $true
+
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - uses: actions/cache@v2
+        with:
+          path: |
+            %LocalAppData%\go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: enable defender
+        run: Set-MpPreference -DisableRealtimeMonitoring $false
+
+      - uses: actions/download-artifact@v2
+        with:
+          name: syso
+          path: iface\
+
+#      - name: Install modules
+#        run: go mod tidy
+
+      - name: Test
+        run: go test -tags=load_wgnt_from_rsrc -timeout 5m -p 1 ./...

.github/workflows/golangci-lint.yml

@@ -0,0 +1,17 @@
+name: golangci-lint
+on: [pull_request]
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v2
+        with:
+          args: --timeout=6m
+
+

.github/workflows/release.yml

@@ -4,6 +4,12 @@ on:
   push:
     tags:
       - 'v*'
+    branches:
+      - main
+  pull_request:
+
+env:
+  SIGN_PIPE_VER: "v0.0.3"
 
 jobs:
   release:
@@ -14,11 +20,15 @@ jobs:
         uses: actions/checkout@v2
         with:
           fetch-depth: 0 # It is required for GoReleaser to work properly
+
+      - name: Generate syso with DLL
+        run: bash -x wireguard_nt.sh
+        working-directory: client
       -
         name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16
+          go-version: 1.18
       -
         name: Cache Go modules
         uses: actions/cache@v1
@@ -38,15 +48,99 @@ jobs:
         uses: docker/setup-buildx-action@v1
       -
         name: Login to Docker hub
+        if: github.event_name != 'pull_request'
         uses: docker/login-action@v1
         with:
-          username: ${{ secrets.DOCKER_USER }}
+          username: netbirdio
           password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-mingw-w64-x86-64
+
+      - name: Install rsrc
+        run: go install github.com/akavel/rsrc@v0.10.2
+
+      - name: Generate windows rsrc
+        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/ui/manifest.xml -o client/ui/resources_windows_amd64.syso
+
       -
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: latest
+          version: v1.6.3
           args: release --rm-dist
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+      -
+        name: Trigger Windows binaries sign pipeline
+        uses: benc-uk/workflow-dispatch@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          workflow: Sign windows bin and installer
+          repo: netbirdio/sign-pipelines
+          ref: ${{ env.SIGN_PIPE_VER }}
+          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref }}" }'
+      -
+        name: upload non tags for debug purposes
+        uses: actions/upload-artifact@v2
+        with:
+          name: build
+          path: dist/
+          retention-days: 3
+          
+  release_ui:
+    runs-on: macos-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
+      -
+        name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.18
+      -
+        name: Cache Go modules
+        uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      -
+        name: Install modules
+        run: go mod tidy
+      -
+        name: Run GoReleaser
+        id: goreleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          version: v1.6.3
+          args: release --config .goreleaser_ui_darwin.yaml --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      -
+        name: Trigger Darwin App binaries sign pipeline
+        uses: benc-uk/workflow-dispatch@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          workflow: Sign darwin ui app with dispatch
+          repo: netbirdio/sign-pipelines
+          ref: ${{ env.SIGN_PIPE_VER }}
+          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref }}" }'
+
+      -
+        name: upload non tags for debug purposes
+        uses: actions/upload-artifact@v2
+        with:
+          name: build-ui-darwin
+          path: dist/
+          retention-days: 3

.gitignore

@@ -1,2 +1,11 @@
 .idea
-*.iml
+*.iml
+dist/
+bin/
+.env
+conf.json
+http-cmds.sh
+infrastructure_files/management.json
+infrastructure_files/docker-compose.yml
+*.syso
+client/.distfiles/

.goreleaser.yaml

@@ -1,39 +1,188 @@
-project_name: wiretrustee
+project_name: netbird
 builds:
-  - env: [CGO_ENABLED=0]
+  - id: netbird
+    dir: client
+    binary: netbird
+    env: [CGO_ENABLED=0]
     goos:
       - linux
       - darwin
+      - windows
     goarch:
       - arm
       - amd64
       - arm64
+      - mips
+    gomips:
+      - hardfloat
+      - softfloat
     ignore:
-      - goos: darwin
+      - goos: windows
         goarch: arm64
+      - goos: windows
+        goarch: arm
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    tags:
+      - load_wgnt_from_rsrc
+
+  - id: netbird-mgmt
+    dir: management
+    env: [CGO_ENABLED=0]
+    binary: netbird-mgmt
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
+  - id: netbird-signal
+    dir: signal
+    env: [CGO_ENABLED=0]
+    binary: netbird-signal
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
+  - id: netbird-ui
+    dir: client/ui
+    binary: netbird-ui
+    env:
+      - CGO_ENABLED=1
+    goos:
+      - linux
+    goarch:
+      - amd64
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
+  - id: netbird-ui-windows
+    dir: client/ui
+    binary: netbird-ui
+    env:
+      - CGO_ENABLED=1
+      - CC=x86_64-w64-mingw32-gcc
+    goos:
+      - windows
+    goarch:
+      - amd64
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -H windowsgui
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
+archives:
+  - builds:
+      - netbird
+  - id: linux-arch
+    name_template: "{{ .ProjectName }}-ui-linux_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    builds:
+      - netbird-ui
+  - id: windows-arch
+    name_template: "{{ .ProjectName }}-ui-windows_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    builds:
+      - netbird-ui-windows
+
 nfpms:
-  - maintainer: Wiretrustee <wiretrustee@wiretrustee.com>
-    description: Wiretrustee project.
-    homepage: https://wiretrustee.com/
+
+  - maintainer: Netbird <dev@netbird.io>
+    description: Netbird client UI.
+    homepage: https://netbird.io/
+    id: netbird-ui-deb
+    package_name: netbird-ui
+    builds:
+      - netbird-ui
     formats:
       - deb
+    contents:
+      - src: client/ui/netbird.desktop
+        dst: /usr/share/applications/netbird.desktop
+      - src: client/ui/disconnected.png
+        dst: /usr/share/pixmaps/netbird.png
+    dependencies:
+      - libayatana-appindicator3-1
+      - libgtk-3-dev
+      - libappindicator3-dev
+      - netbird
+
+  - maintainer: Netbird <dev@netbird.io>
+    description: Netbird client UI.
+    homepage: https://netbird.io/
+    id: netbird-ui-rpm
+    package_name: netbird-ui
+    builds:
+      - netbird-ui
+    formats:
       - rpm
     contents:
-      - src: release_files/wiretrustee.service
-        dst: /lib/systemd/system/wiretrustee.service
+      - src: client/ui/netbird.desktop
+        dst: /usr/share/applications/netbird.desktop
+      - src: client/ui/disconnected.png
+        dst: /usr/share/pixmaps/netbird.png
+    dependencies:
+      - libayatana-appindicator3-1
+      - libgtk-3-dev
+      - libappindicator3-dev
+      - netbird
 
-      - src: release_files/wiretrustee.json
-        dst: /etc/wiretrustee/wiretrustee.json
-        type: "config|noreplace"
+  - maintainer: Netbird <dev@netbird.io>
+    description: Netbird client.
+    homepage: https://netbird.io/
+    id: netbird-deb
+    bindir: /usr/bin
+    builds:
+      - netbird
+    formats:
+      - deb
+
+    replaces:
+      - wiretrustee
+    conflicts:
+      - wiretrustee
 
     scripts:
       postinstall: "release_files/post_install.sh"
+      preremove: "release_files/pre_remove.sh"
+
+  - maintainer: Netbird <dev@netbird.io>
+    description: Netbird client.
+    homepage: https://netbird.io/
+    id: netbird-rpm
+    bindir: /usr/bin
+    builds:
+      - netbird
+    formats:
+      - rpm
+
+    replaces:
+      - wiretrustee
+
+    conflicts:
+      - wiretrustee
+
+    scripts:
+      postinstall: "release_files/post_install.sh"
+      preremove: "release_files/pre_remove.sh"
 dockers:
   - image_templates:
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-amd64
+      - netbirdio/netbird:{{ .Version }}-amd64
+    ids:
+      - netbird
     goarch: amd64
-    use_buildx: true
-    dockerfile: Dockerfile
+    use: buildx
+    dockerfile: client/Dockerfile
     build_flag_templates:
       - "--platform=linux/amd64"
       - "--label=org.opencontainers.image.created={{.Date}}"
@@ -41,12 +190,14 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
   - image_templates:
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-arm64v8
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+    ids:
+      - netbird
     goarch: arm64
-    use_buildx: true
-    dockerfile: Dockerfile
+    use: buildx
+    dockerfile: client/Dockerfile
     build_flag_templates:
       - "--platform=linux/arm64"
       - "--label=org.opencontainers.image.created={{.Date}}"
@@ -54,15 +205,240 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm
+    ids:
+      - netbird
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: client/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/signal:{{ .Version }}-amd64
+    ids:
+      - netbird-signal
+    goarch: amd64
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/signal:{{ .Version }}-arm64v8
+    ids:
+      - netbird-signal
+    goarch: arm64
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/signal:{{ .Version }}-arm
+    ids:
+      - netbird-signal
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-amd64
+    ids:
+      - netbird-mgmt
+    goarch: amd64
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-arm64v8
+    ids:
+      - netbird-mgmt
+    goarch: arm64
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-arm
+    ids:
+      - netbird-mgmt
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-debug-amd64
+    ids:
+      - netbird-mgmt
+    goarch: amd64
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-debug-arm64v8
+    ids:
+      - netbird-mgmt
+    goarch: arm64
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
 
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-debug-arm
+    ids:
+      - netbird-mgmt
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
-  - name_template: wiretrustee/wiretrustee:signal-{{ .Version }}
+  - name_template: netbirdio/netbird:{{ .Version }}
     image_templates:
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-arm64v8
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-amd64
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+      - netbirdio/netbird:{{ .Version }}-arm
+      - netbirdio/netbird:{{ .Version }}-amd64
 
-  - name_template: wiretrustee/wiretrustee:signal-latest
+  - name_template: netbirdio/netbird:latest
     image_templates:
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-arm64v8
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-amd64
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+      - netbirdio/netbird:{{ .Version }}-arm
+      - netbirdio/netbird:{{ .Version }}-amd64
+
+  - name_template: netbirdio/signal:{{ .Version }}
+    image_templates:
+      - netbirdio/signal:{{ .Version }}-arm64v8
+      - netbirdio/signal:{{ .Version }}-arm
+      - netbirdio/signal:{{ .Version }}-amd64
+
+  - name_template: netbirdio/signal:latest
+    image_templates:
+      - netbirdio/signal:{{ .Version }}-arm64v8
+      - netbirdio/signal:{{ .Version }}-arm
+      - netbirdio/signal:{{ .Version }}-amd64
+
+  - name_template: netbirdio/management:{{ .Version }}
+    image_templates:
+      - netbirdio/management:{{ .Version }}-arm64v8
+      - netbirdio/management:{{ .Version }}-arm
+      - netbirdio/management:{{ .Version }}-amd64
+
+  - name_template: netbirdio/management:latest
+    image_templates:
+      - netbirdio/management:{{ .Version }}-arm64v8
+      - netbirdio/management:{{ .Version }}-arm
+      - netbirdio/management:{{ .Version }}-amd64
+
+  - name_template: netbirdio/management:debug-latest
+    image_templates:
+      - netbirdio/management:{{ .Version }}-debug-arm64v8
+      - netbirdio/management:{{ .Version }}-debug-arm
+      - netbirdio/management:{{ .Version }}-debug-amd64
+
+brews:
+  -
+    ids:
+      - default
+    tap:
+      owner: netbirdio
+      name: homebrew-tap
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    commit_author:
+      name: Netbird
+      email: dev@netbird.io
+    description: Netbird project.
+    download_strategy: CurlDownloadStrategy
+    homepage: https://netbird.io/
+    license: "BSD3"
+    test: |
+      system "#{bin}/{{ .ProjectName	}} version"
+    conflicts:
+      - wiretrustee
+
+uploads:
+  - name: debian
+    ids:
+    - netbird-deb
+    - netbird-ui-deb
+    mode: archive
+    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
+    username: dev@wiretrustee.com
+    method: PUT
+
+  - name: yum
+    ids:
+      - netbird-rpm
+      - netbird-ui-rpm
+    mode: archive
+    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
+    username: dev@wiretrustee.com
+    method: PUT

.goreleaser_ui_darwin.yaml

@@ -0,0 +1,27 @@
+project_name: netbird-ui
+builds:
+  - id: netbird-ui-darwin
+    dir: client/ui
+    binary: netbird-ui
+    env: [CGO_ENABLED=1]
+
+    goos:
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    gomips:
+      - hardfloat
+      - softfloat
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/client/ui/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    tags:
+      - load_wgnt_from_rsrc
+
+archives:
+  - builds:
+      - netbird-ui-darwin
+
+changelog:
+  skip: true

AUTHORS

@@ -1,2 +1,3 @@
 Mikhail Bragin (https://github.com/braginini)
 Maycon Santos (https://github.com/mlsmaycon)
+Wiretrustee UG (haftungsbeschränkt)

CODE_OF_CONDUCT.md

@@ -0,0 +1,132 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+dev@wiretrustee.com.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

Dockerfile

@@ -1,5 +0,0 @@
-FROM gcr.io/distroless/base:debug
-EXPOSE 10000
-ENTRYPOINT [ "/go/bin/wiretrustee","signal" ]
-CMD ["--log-level","DEBUG"]
-COPY wiretrustee /go/bin/wiretrustee

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2021 Wiretrustee AUTHORS
+Copyright (c) 2022 Wiretrustee UG (haftungsbeschränkt) & AUTHORS
 
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 

README.md

@@ -1,83 +1,115 @@
-# Wiretrustee
+<p align="center">
+ <strong>:hatching_chick: New release! Beta Update May 2022</strong>.
+  <a href="https://github.com/netbirdio/netbird/releases/tag/v0.6.0">
+       Learn more
+     </a>   
+</p>
 
-A WireGuard®-based mesh network that connects your devices into a single private network.
+<br/>
+<div align="center">
 
-### Why using Wiretrustee?
+<p align="center">
+  <img width="234" src="docs/media/logo-full.png"/>
+</p>
 
-* Connect multiple devices to each other via a secure peer-to-peer Wireguard VPN tunnel. At home, the office, or anywhere else.
-* No need to open ports and expose public IPs on the device.
-* Automatically reconnects in case of network failures or switches.
-* Automatic NAT traversal.
-* Relay server fallback in case of an unsuccessful peer-to-peer connection.
-* Private key never leaves your device.
-* Works on ARM devices (e.g. Raspberry Pi).
+  <p>
+     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
+       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
+     </a> 
+     <a href="https://hub.docker.com/r/wiretrustee/wiretrustee/tags">
+        <img src="https://img.shields.io/docker/pulls/wiretrustee/wiretrustee" />
+     </a> 
+    <br>
+    <a href="https://www.codacy.com/gh/wiretrustee/wiretrustee/dashboard?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=wiretrustee/wiretrustee&amp;utm_campaign=Badge_Grade"><img src="https://app.codacy.com/project/badge/Grade/d366de2c9d8b4cf982da27f8f5831809"/></a>
+     <a href="https://goreportcard.com/report/wiretrustee/wiretrustee">
+        <img src="https://goreportcard.com/badge/github.com/wiretrustee/wiretrustee?style=flat-square" />
+     </a>
+    <br>
+    <a href="https://join.slack.com/t/wiretrustee/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">
+        <img src="https://img.shields.io/badge/slack-@wiretrustee-red.svg?logo=slack"/>
+     </a>    
+  </p>
+</div>
 
-### A bit on Wiretrustee internals
-* Wiretrustee uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between devices.
-* A connection session negotiation between peers is achieved with the Wiretrustee Signalling server [signal](signal/)
-* Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them.
-  The routing of the messages on a Signalling server is based on public Wireguard keys. 
-* Occasionally, the NAT-traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT).
-  For that matter, there is support for a relay server fallback (TURN) and a secure Wireguard tunnel is established via TURN server.
-  [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in Wiretrustee setups.
 
-### What Wiretrustee is not doing:
-* Wireguard key management. In consequence, you need to generate peer keys and specify them on Wiretrustee initialization step.
-* Peer address management. You have to specify a unique peer local address (e.g. 10.30.30.1/24) when configuring Wiretrustee
-
-### Client Installation
-1. Checkout Wiretrustee [releases](https://github.com/wiretrustee/wiretrustee/releases)   
-2. Download the latest release:
-```shell
-wget https://github.com/wiretrustee/wiretrustee/releases/download/v0.0.4/wiretrustee_0.0.4_linux_amd64.rpm
-```
-3. Install the package
-```shell
-sudo dpkg -i wiretrustee_0.0.4_linux_amd64.deb
-```
-### Client Configuration
-1. Initialize Wiretrustee:
-```shell
-sudo wiretrustee init \
- --stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 \
- --turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468  \
- --signalAddr signal.wiretrustee.com:10000  \
- --wgLocalAddr 10.30.30.1/24  \
- --log-level info
-```
-It is important to mention that the ```wgLocalAddr``` parameter has to be unique across your network.
-E.g. if you have Peer A with ```wgLocalAddr=10.30.30.1/24``` then another Peer B can have ```wgLocalAddr=10.30.30.2/24```
-
-If for some reason, you already have a generated Wireguard key, you can specify it with the ```--wgKey``` parameter. 
-If not specified, then a new one will be generated, and its corresponding public key will be output to the log.
-A new config will be generated and stored under ```/etc/wiretrustee/config.json```
-
-2. Add a peer to connect to. 
-```shell
-sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREUARD PUBLIC KEY>'
-```
-
-3. Restart Wiretrustee to reload changes
-```shell
-sudo systemctl restart wiretrustee.service
-sudo systemctl status wiretrustee.service 
-```
-### Running the Signal service
-After installing the application, you can run the signal using the command below:
-````shell
-/usr/local/bin/wiretrustee signal --log-level INFO
-````
-This will launch the signal service on port 10000, in case you want to change the port, use the flag --port.
-#### Docker image
-We have packed the signal into docker images. You can pull the images from the Docker Hub and execute it with the following commands:
-````shell
-docker pull wiretrustee/wiretrustee:signal-latest
-docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest
-````
-The default log-level is set to INFO, if you need you can change it using by updating the docker cmd as followed:
-````shell
-docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest --log-level DEBUG
-````
-### Roadmap
-* Android app
+<p align="center">
+<strong>
+  Start using NetBird at <a href="https://app.netbird.io/">app.netbird.io</a>
+  <br/>
+  See <a href="https://netbird.io/docs/">Documentation</a>
+  <br/>
+   Join our <a href="https://join.slack.com/t/wiretrustee/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">Slack channel</a>
+  <br/>
  
+</strong>
+</p>
+
+<br>
+
+**NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.**
+
+It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
+
+NetBird creates an overlay peer-to-peer network connecting machines automatically regardless of their location (home, office, datacenter, container, cloud or edge environments) unifying virtual private network management experience.
+
+**Key features:**
+* Automatic IP allocation and management.
+* Automatic WireGuard peer (machine) discovery and configuration.
+* Encrypted peer-to-peer connections without a central VPN gateway.
+* Connection relay fallback in case a peer-to-peer connection is not possible.
+* Network management layer with a neat Web UI panel ([separate repo](https://github.com/netbirdio/dashboard))
+* Desktop client applications for Linux, MacOS, and Windows.
+* Multiuser support - sharing network between multiple users.
+* SSO and MFA support. 
+* Multicloud and hybrid-cloud support.
+* Kernel WireGuard usage when possible.
+* Access Controls - groups & rules (coming soon).
+* Private DNS (coming soon).
+* Mobile clients (coming soon).
+* Network Activity Monitoring (coming soon).
+
+### Secure peer-to-peer VPN with SSO and MFA in minutes
+<p float="left" align="middle">
+  <img src="docs/media/peerA.gif" width="400"/> 
+  <img src="docs/media/peerB.gif" width="400"/>
+</p>
+
+**Note**: The `main` branch may be in an *unstable or even broken state* during development. 
+For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
+
+### Start using NetBird
+* Hosted version: [https://app.netbird.io/](https://app.netbird.io/).
+* See our documentation for [Quickstart Guide](https://netbird.io/docs/getting-started/quickstart).
+* If you are looking to self-host NetBird, check our [Self-Hosting Guide](https://netbird.io/docs/getting-started/self-hosting).
+* Step-by-step [Installation Guide](https://netbird.io/docs/getting-started/installation) for different platforms.
+* Web UI [repository](https://github.com/netbirdio/dashboard).
+* 5 min [demo video](https://youtu.be/Tu9tPsUWaY0) on YouTube.
+
+
+### A bit on NetBird internals
+* Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
+* NetBird features [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to peers.
+* Every agent is connected to Management Service.
+* NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
+* Connection candidates are discovered with a help of [STUN](https://en.wikipedia.org/wiki/STUN) server. 
+* Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages.
+* Signal Service uses public WireGuard keys to route messages between peers.
+* Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
+ 
+[Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.
+
+<p float="left" align="middle">
+  <img src="https://netbird.io/docs/img/architecture/high-level-dia.png" width="700"/>
+</p>
+
+See a complete [architecture overview](https://netbird.io/docs/overview/architecture) for details.
+
+### Roadmap
+- [Public Roadmap](https://github.com/netbirdio/netbird/projects/2)
+
+### Testimonials
+We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), and [Coturn](https://github.com/coturn/coturn). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g. giving a star or a contribution).
+
+### Legal
+ [WireGuard](https://wireguard.com/) is a registered trademark of Jason A. Donenfeld.
+

client/Dockerfile

@@ -0,0 +1,4 @@
+FROM gcr.io/distroless/base:debug
+ENV WT_LOG_FILE=console
+ENTRYPOINT [ "/go/bin/netbird","up"]
+COPY netbird /go/bin/netbird

client/cmd/down.go

@@ -0,0 +1,46 @@
+package cmd
+
+import (
+	"context"
+	"github.com/netbirdio/netbird/util"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var downCmd = &cobra.Command{
+	Use:   "down",
+	Short: "down netbird connections",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := util.InitLog(logLevel, "console")
+		if err != nil {
+			log.Errorf("failed initializing log %v", err)
+			return err
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*3)
+		defer cancel()
+
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			log.Errorf("failed to connect to service CLI interface %v", err)
+			return err
+		}
+		defer conn.Close()
+
+		daemonClient := proto.NewDaemonServiceClient(conn)
+
+		if _, err := daemonClient.Down(ctx, &proto.DownRequest{}); err != nil {
+			log.Errorf("call service down method: %v", err)
+			return err
+		}
+		return nil
+	},
+}

client/cmd/login.go

@@ -0,0 +1,200 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"github.com/skratchdot/open-golang/open"
+	"google.golang.org/grpc/codes"
+	gstatus "google.golang.org/grpc/status"
+	"time"
+
+	"github.com/netbirdio/netbird/util"
+
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var loginCmd = &cobra.Command{
+	Use:   "login",
+	Short: "login to the Netbird Management Service (first run)",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := util.InitLog(logLevel, "console")
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}
+
+		ctx := internal.CtxInitState(context.Background())
+
+		// workaround to run without service
+		if logFile == "console" {
+			err = handleRebrand(cmd)
+			if err != nil {
+				return err
+			}
+
+			config, err := internal.GetConfig(managementURL, adminURL, configPath, preSharedKey)
+			if err != nil {
+				return fmt.Errorf("get config file: %v", err)
+			}
+
+			err = foregroundLogin(ctx, cmd, config, setupKey)
+			if err != nil {
+				return fmt.Errorf("foreground login failed: %v", err)
+			}
+			cmd.Println("Logging successfully")
+			return nil
+		}
+
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			return fmt.Errorf("failed to connect to daemon error: %v\n"+
+				"If the daemon is not running please run: "+
+				"\nnetbird service install \nnetbird service start\n", err)
+		}
+		defer conn.Close()
+
+		client := proto.NewDaemonServiceClient(conn)
+
+		loginRequest := proto.LoginRequest{
+			SetupKey:      setupKey,
+			PreSharedKey:  preSharedKey,
+			ManagementUrl: managementURL,
+		}
+
+		var loginErr error
+
+		var loginResp *proto.LoginResponse
+
+		err = WithBackOff(func() error {
+			var backOffErr error
+			loginResp, backOffErr = client.Login(ctx, &loginRequest)
+			if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
+				s.Code() == codes.PermissionDenied ||
+				s.Code() == codes.NotFound ||
+				s.Code() == codes.Unimplemented) {
+				loginErr = backOffErr
+				return nil
+			}
+			return backOffErr
+		})
+		if err != nil {
+			return fmt.Errorf("login backoff cycle failed: %v", err)
+		}
+
+		if loginErr != nil {
+			return fmt.Errorf("login failed: %v", loginErr)
+		}
+
+		if loginResp.NeedsSSOLogin {
+			openURL(cmd, loginResp.VerificationURIComplete)
+
+			_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
+			if err != nil {
+				return fmt.Errorf("waiting sso login failed with: %v", err)
+			}
+		}
+
+		cmd.Println("Logging successfully")
+
+		return nil
+	},
+}
+
+func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *internal.Config, setupKey string) error {
+	needsLogin := false
+
+	err := WithBackOff(func() error {
+		err := internal.Login(ctx, config, "", "")
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			needsLogin = true
+			return nil
+		}
+		return err
+	})
+	if err != nil {
+		return fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
+	jwtToken := ""
+	if setupKey == "" && needsLogin {
+		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config)
+		if err != nil {
+			return fmt.Errorf("interactive sso login failed: %v", err)
+		}
+		jwtToken = tokenInfo.AccessToken
+	}
+
+	err = WithBackOff(func() error {
+		err := internal.Login(ctx, config, setupKey, jwtToken)
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			return nil
+		}
+		return err
+	})
+	if err != nil {
+		return fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
+	return nil
+}
+
+func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *internal.Config) (*internal.TokenInfo, error) {
+	providerConfig, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config)
+	if err != nil {
+		s, ok := gstatus.FromError(err)
+		if ok && s.Code() == codes.NotFound {
+			return nil, fmt.Errorf("no SSO provider returned from management. " +
+				"If you are using hosting Netbird see documentation at " +
+				"https://github.com/netbirdio/netbird/tree/main/management for details")
+		} else if ok && s.Code() == codes.Unimplemented {
+			mgmtURL := managementURL
+			if mgmtURL == "" {
+				mgmtURL = internal.ManagementURLDefault().String()
+			}
+			return nil, fmt.Errorf("the management server, %s, does not support SSO providers, "+
+				"please update your servver or use Setup Keys to login", mgmtURL)
+		} else {
+			return nil, fmt.Errorf("getting device authorization flow info failed with error: %v", err)
+		}
+	}
+
+	hostedClient := internal.NewHostedDeviceFlow(
+		providerConfig.ProviderConfig.Audience,
+		providerConfig.ProviderConfig.ClientID,
+		providerConfig.ProviderConfig.Domain,
+	)
+
+	flowInfo, err := hostedClient.RequestDeviceCode(context.TODO())
+	if err != nil {
+		return nil, fmt.Errorf("getting a request device code failed: %v", err)
+	}
+
+	openURL(cmd, flowInfo.VerificationURIComplete)
+
+	waitTimeout := time.Duration(flowInfo.ExpiresIn)
+	waitCTX, c := context.WithTimeout(context.TODO(), waitTimeout*time.Second)
+	defer c()
+
+	tokenInfo, err := hostedClient.WaitToken(waitCTX, flowInfo)
+	if err != nil {
+		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
+	}
+
+	return &tokenInfo, nil
+}
+
+func openURL(cmd *cobra.Command, verificationURIComplete string) {
+	err := open.Run(verificationURIComplete)
+	cmd.Printf("Please do the SSO login in your browser. \n" +
+		"If your browser didn't open automatically, use this URL to log in:\n\n" +
+		" " + verificationURIComplete + " \n\n")
+	if err != nil {
+		cmd.Printf("Alternatively, you may want to use a setup key, see:\n\n https://www.netbird.io/docs/overview/setup-keys\n")
+	}
+}

client/cmd/login_test.go

@@ -0,0 +1,53 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/util"
+)
+
+func TestLogin(t *testing.T) {
+	mgmAddr := startTestingServices(t)
+
+	tempDir := t.TempDir()
+	confPath := tempDir + "/config.json"
+	mgmtURL := fmt.Sprintf("http://%s", mgmAddr)
+	rootCmd.SetArgs([]string{
+		"login",
+		"--config",
+		confPath,
+		"--log-file",
+		"console",
+		"--setup-key",
+		strings.ToUpper("a2c8e62b-38f5-4553-b31e-dd66c696cebb"),
+		"--management-url",
+		mgmtURL,
+	})
+	err := rootCmd.Execute()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// validate generated config
+	actualConf := &internal.Config{}
+	_, err = util.ReadJson(confPath, actualConf)
+	if err != nil {
+		t.Errorf("expected proper config file written, got broken %v", err)
+	}
+
+	if actualConf.ManagementURL.String() != mgmtURL {
+		t.Errorf("expected management URL %s got %s", mgmtURL, actualConf.ManagementURL.String())
+	}
+
+	if actualConf.WgIface != iface.WgInterfaceDefault {
+		t.Errorf("expected WgIfaceName %s got %s", iface.WgInterfaceDefault, actualConf.WgIface)
+	}
+
+	if len(actualConf.PrivateKey) == 0 {
+		t.Errorf("expected non empty Private key, got empty")
+	}
+}

client/cmd/root.go

@@ -0,0 +1,288 @@
+package cmd
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"io/ioutil"
+	"os"
+	"os/signal"
+	"path"
+	"runtime"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/netbirdio/netbird/client/internal"
+)
+
+var (
+	configPath              string
+	defaultConfigPathDir    string
+	defaultConfigPath       string
+	oldDefaultConfigPathDir string
+	oldDefaultConfigPath    string
+	logLevel                string
+	defaultLogFileDir       string
+	defaultLogFile          string
+	oldDefaultLogFileDir    string
+	oldDefaultLogFile       string
+	logFile                 string
+	daemonAddr              string
+	managementURL           string
+	adminURL                string
+	setupKey                string
+	preSharedKey            string
+	rootCmd                 = &cobra.Command{
+		Use:          "netbird",
+		Short:        "",
+		Long:         "",
+		SilenceUsage: true,
+	}
+)
+
+// Execute executes the root command.
+func Execute() error {
+	return rootCmd.Execute()
+}
+
+func init() {
+	defaultConfigPathDir = "/etc/netbird/"
+	defaultLogFileDir = "/var/log/netbird/"
+
+	oldDefaultConfigPathDir = "/etc/wiretrustee/"
+	oldDefaultLogFileDir = "/var/log/wiretrustee/"
+
+	if runtime.GOOS == "windows" {
+		defaultConfigPathDir = os.Getenv("PROGRAMDATA") + "\\Netbird\\"
+		defaultLogFileDir = os.Getenv("PROGRAMDATA") + "\\Netbird\\"
+
+		oldDefaultConfigPathDir = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\"
+		oldDefaultLogFileDir = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\"
+	}
+
+	defaultConfigPath = defaultConfigPathDir + "config.json"
+	defaultLogFile = defaultLogFileDir + "client.log"
+
+	oldDefaultConfigPath = oldDefaultConfigPathDir + "config.json"
+	oldDefaultLogFile = oldDefaultLogFileDir + "client.log"
+
+	defaultDaemonAddr := "unix:///var/run/netbird.sock"
+	if runtime.GOOS == "windows" {
+		defaultDaemonAddr = "tcp://127.0.0.1:41731"
+	}
+	rootCmd.PersistentFlags().StringVar(&daemonAddr, "daemon-addr", defaultDaemonAddr, "Daemon service address to serve CLI requests [unix|tcp]://[path|host:port]")
+	rootCmd.PersistentFlags().StringVar(&managementURL, "management-url", "", fmt.Sprintf("Management Service URL [http|https]://[host]:[port] (default \"%s\")", internal.ManagementURLDefault().String()))
+	rootCmd.PersistentFlags().StringVar(&adminURL, "admin-url", "https://app.netbird.io", "Admin Panel URL [http|https]://[host]:[port]")
+	rootCmd.PersistentFlags().StringVar(&configPath, "config", defaultConfigPath, "Netbird config file location")
+	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "sets Netbird log level")
+	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Netbird log path. If console is specified the the log will be output to stdout")
+	rootCmd.PersistentFlags().StringVar(&setupKey, "setup-key", "", "Setup key obtained from the Management Service Dashboard (used to register peer)")
+	rootCmd.PersistentFlags().StringVar(&preSharedKey, "preshared-key", "", "Sets Wireguard PreSharedKey property. If set, then only peers that have the same key can communicate.")
+	rootCmd.AddCommand(serviceCmd)
+	rootCmd.AddCommand(upCmd)
+	rootCmd.AddCommand(downCmd)
+	rootCmd.AddCommand(statusCmd)
+	rootCmd.AddCommand(loginCmd)
+	rootCmd.AddCommand(versionCmd)
+	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
+	serviceCmd.AddCommand(installCmd, uninstallCmd)              // service installer commands are subcommands of service
+}
+
+// SetupCloseHandler handles SIGTERM signal and exits with success
+func SetupCloseHandler(ctx context.Context, cancel context.CancelFunc) {
+	termCh := make(chan os.Signal, 1)
+	signal.Notify(termCh, os.Interrupt, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		done := ctx.Done()
+		select {
+		case <-done:
+		case <-termCh:
+		}
+
+		log.Info("shutdown signal received")
+		cancel()
+	}()
+}
+
+// SetFlagsFromEnvVars reads and updates flag values from environment variables with prefix WT_
+func SetFlagsFromEnvVars() {
+	flags := rootCmd.PersistentFlags()
+	flags.VisitAll(func(f *pflag.Flag) {
+		oldEnvVar := FlagNameToEnvVar(f.Name, "WT_")
+
+		if value, present := os.LookupEnv(oldEnvVar); present {
+			err := flags.Set(f.Name, value)
+			if err != nil {
+				log.Infof("unable to configure flag %s using variable %s, err: %v", f.Name, oldEnvVar, err)
+			}
+		}
+
+		newEnvVar := FlagNameToEnvVar(f.Name, "NB_")
+
+		if value, present := os.LookupEnv(newEnvVar); present {
+			err := flags.Set(f.Name, value)
+			if err != nil {
+				log.Infof("unable to configure flag %s using variable %s, err: %v", f.Name, newEnvVar, err)
+			}
+		}
+	})
+}
+
+// FlagNameToEnvVar converts flag name to environment var name adding a prefix,
+// replacing dashes and making all uppercase (e.g. setup-keys is converted to NB_SETUP_KEYS according to the input prefix)
+func FlagNameToEnvVar(cmdFlag string, prefix string) string {
+	parsed := strings.ReplaceAll(cmdFlag, "-", "_")
+	upper := strings.ToUpper(parsed)
+	return prefix + upper
+}
+
+// DialClientGRPCServer returns client connection to the dameno server.
+func DialClientGRPCServer(ctx context.Context, addr string) (*grpc.ClientConn, error) {
+	ctx, cancel := context.WithTimeout(ctx, time.Second*3)
+	defer cancel()
+
+	return grpc.DialContext(
+		ctx,
+		strings.TrimPrefix(addr, "tcp://"),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithBlock(),
+	)
+}
+
+// WithBackOff execute function in backoff cycle.
+func WithBackOff(bf func() error) error {
+	return backoff.RetryNotify(bf, CLIBackOffSettings, func(err error, duration time.Duration) {
+		log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
+	})
+}
+
+// CLIBackOffSettings is default backoff settings for CLI commands.
+var CLIBackOffSettings = &backoff.ExponentialBackOff{
+	InitialInterval:     time.Second,
+	RandomizationFactor: backoff.DefaultRandomizationFactor,
+	Multiplier:          backoff.DefaultMultiplier,
+	MaxInterval:         10 * time.Second,
+	MaxElapsedTime:      30 * time.Second,
+	Stop:                backoff.Stop,
+	Clock:               backoff.SystemClock,
+}
+
+func handleRebrand(cmd *cobra.Command) error {
+	var err error
+	if logFile == defaultLogFile {
+		if migrateToNetbird(oldDefaultLogFile, defaultLogFile) {
+			cmd.Printf("will copy Log dir %s and its content to %s\n", oldDefaultLogFileDir, defaultLogFileDir)
+			err = cpDir(oldDefaultLogFileDir, defaultLogFileDir)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	if configPath == defaultConfigPath {
+		if migrateToNetbird(oldDefaultConfigPath, defaultConfigPath) {
+			cmd.Printf("will copy Config dir %s and its content to %s\n", oldDefaultConfigPathDir, defaultConfigPathDir)
+			err = cpDir(oldDefaultConfigPathDir, defaultConfigPathDir)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func cpFile(src, dst string) error {
+	var err error
+	var srcfd *os.File
+	var dstfd *os.File
+	var srcinfo os.FileInfo
+
+	if srcfd, err = os.Open(src); err != nil {
+		return err
+	}
+	defer srcfd.Close()
+
+	if dstfd, err = os.Create(dst); err != nil {
+		return err
+	}
+	defer dstfd.Close()
+
+	if _, err = io.Copy(dstfd, srcfd); err != nil {
+		return err
+	}
+	if srcinfo, err = os.Stat(src); err != nil {
+		return err
+	}
+	return os.Chmod(dst, srcinfo.Mode())
+}
+
+func copySymLink(source, dest string) error {
+	link, err := os.Readlink(source)
+	if err != nil {
+		return err
+	}
+	return os.Symlink(link, dest)
+}
+
+func cpDir(src string, dst string) error {
+	var err error
+	var fds []os.FileInfo
+	var srcinfo os.FileInfo
+
+	if srcinfo, err = os.Stat(src); err != nil {
+		return err
+	}
+
+	if err = os.MkdirAll(dst, srcinfo.Mode()); err != nil {
+		return err
+	}
+
+	if fds, err = ioutil.ReadDir(src); err != nil {
+		return err
+	}
+	for _, fd := range fds {
+		srcfp := path.Join(src, fd.Name())
+		dstfp := path.Join(dst, fd.Name())
+
+		fileInfo, err := os.Stat(srcfp)
+		if err != nil {
+			return fmt.Errorf("fouldn't get fileInfo; %v", err)
+		}
+
+		switch fileInfo.Mode() & os.ModeType {
+		case os.ModeSymlink:
+			if err = copySymLink(srcfp, dstfp); err != nil {
+				return fmt.Errorf("failed to copy from %s to %s; %v", srcfp, dstfp, err)
+			}
+		case os.ModeDir:
+			if err = cpDir(srcfp, dstfp); err != nil {
+				return fmt.Errorf("failed to copy from %s to %s; %v", srcfp, dstfp, err)
+			}
+		default:
+			if err = cpFile(srcfp, dstfp); err != nil {
+				return fmt.Errorf("failed to copy from %s to %s; %v", srcfp, dstfp, err)
+			}
+		}
+	}
+	return nil
+}
+
+func migrateToNetbird(oldPath, newPath string) bool {
+	_, errOld := os.Stat(oldPath)
+	_, errNew := os.Stat(newPath)
+
+	if errors.Is(errOld, fs.ErrNotExist) || errNew == nil {
+		return false
+	}
+
+	return true
+}

client/cmd/service.go

@@ -0,0 +1,50 @@
+package cmd
+
+import (
+	"context"
+	"runtime"
+
+	"github.com/kardianos/service"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+
+	"github.com/netbirdio/netbird/client/internal"
+)
+
+type program struct {
+	ctx    context.Context
+	cancel context.CancelFunc
+	serv   *grpc.Server
+}
+
+func newProgram(ctx context.Context, cancel context.CancelFunc) *program {
+	ctx = internal.CtxInitState(ctx)
+	return &program{ctx: ctx, cancel: cancel}
+}
+
+func newSVCConfig() *service.Config {
+	name := "netbird"
+	if runtime.GOOS == "windows" {
+		name = "Netbird"
+	}
+	return &service.Config{
+		Name:        name,
+		DisplayName: "Netbird",
+		Description: "A WireGuard-based mesh network that connects your devices into a single private network.",
+	}
+}
+
+func newSVC(prg *program, conf *service.Config) (service.Service, error) {
+	s, err := service.New(prg, conf)
+	if err != nil {
+		log.Fatal(err)
+		return nil, err
+	}
+	return s, nil
+}
+
+var serviceCmd = &cobra.Command{
+	Use:   "service",
+	Short: "manages Netbird service",
+}

client/cmd/service_controller.go

@@ -0,0 +1,216 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/kardianos/service"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/client/server"
+	"github.com/netbirdio/netbird/util"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+)
+
+func (p *program) Start(svc service.Service) error {
+	// Start should not block. Do the actual work async.
+	log.Info("starting Netbird service") //nolint
+	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
+	p.serv = grpc.NewServer()
+
+	split := strings.Split(daemonAddr, "://")
+	switch split[0] {
+	case "unix":
+		// cleanup failed close
+		stat, err := os.Stat(split[1])
+		if err == nil && !stat.IsDir() {
+			if err := os.Remove(split[1]); err != nil {
+				log.Debugf("remove socket file: %v", err)
+			}
+		}
+	case "tcp":
+	default:
+		return fmt.Errorf("unsupported daemon address protocol: %v", split[0])
+	}
+
+	listen, err := net.Listen(split[0], split[1])
+	if err != nil {
+		return fmt.Errorf("failed to listen daemon interface: %w", err)
+	}
+	go func() {
+		defer listen.Close()
+
+		if split[0] == "unix" {
+			err = os.Chmod(split[1], 0666)
+			if err != nil {
+				log.Errorf("failed setting daemon permissions: %v", split[1])
+				return
+			}
+		}
+
+		serverInstance := server.New(p.ctx, managementURL, adminURL, configPath, logFile)
+		if err := serverInstance.Start(); err != nil {
+			log.Fatalf("failed to start daemon: %v", err)
+		}
+		proto.RegisterDaemonServiceServer(p.serv, serverInstance)
+
+		log.Printf("started daemon server: %v", split[1])
+		if err := p.serv.Serve(listen); err != nil {
+			log.Errorf("failed to serve daemon requests: %v", err)
+		}
+	}()
+	return nil
+}
+
+func (p *program) Stop(srv service.Service) error {
+	p.cancel()
+
+	if p.serv != nil {
+		p.serv.Stop()
+	}
+
+	time.Sleep(time.Second * 2)
+	log.Info("stopped Netbird service") //nolint
+	return nil
+}
+
+var runCmd = &cobra.Command{
+	Use:   "run",
+	Short: "runs Netbird as service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := handleRebrand(cmd)
+		if err != nil {
+			return err
+		}
+
+		err = util.InitLog(logLevel, logFile)
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}
+
+		ctx, cancel := context.WithCancel(cmd.Context())
+		SetupCloseHandler(ctx, cancel)
+
+		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
+		if err != nil {
+			return err
+		}
+		err = s.Run()
+		if err != nil {
+			return err
+		}
+		cmd.Printf("Netbird service is running")
+		return nil
+	},
+}
+
+var startCmd = &cobra.Command{
+	Use:   "start",
+	Short: "starts Netbird service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := handleRebrand(cmd)
+		if err != nil {
+			return err
+		}
+
+		err = util.InitLog(logLevel, logFile)
+		if err != nil {
+			return err
+		}
+
+		ctx, cancel := context.WithCancel(cmd.Context())
+
+		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
+		if err != nil {
+			cmd.PrintErrln(err)
+			return err
+		}
+		err = s.Start()
+		if err != nil {
+			cmd.PrintErrln(err)
+			return err
+		}
+		cmd.Println("Netbird service has been started")
+		return nil
+	},
+}
+
+var stopCmd = &cobra.Command{
+	Use:   "stop",
+	Short: "stops Netbird service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := handleRebrand(cmd)
+		if err != nil {
+			return err
+		}
+
+		err = util.InitLog(logLevel, logFile)
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}
+
+		ctx, cancel := context.WithCancel(cmd.Context())
+
+		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
+		if err != nil {
+			return err
+		}
+		err = s.Stop()
+		if err != nil {
+			return err
+		}
+		cmd.Println("Netbird service has been stopped")
+		return nil
+	},
+}
+
+var restartCmd = &cobra.Command{
+	Use:   "restart",
+	Short: "restarts Netbird service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := handleRebrand(cmd)
+		if err != nil {
+			return err
+		}
+
+		err = util.InitLog(logLevel, logFile)
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}
+
+		ctx, cancel := context.WithCancel(cmd.Context())
+
+		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
+		if err != nil {
+			return err
+		}
+		err = s.Restart()
+		if err != nil {
+			return err
+		}
+		cmd.Println("Netbird service has been restarted")
+		return nil
+	},
+}

client/cmd/service_installer.go

@@ -0,0 +1,89 @@
+package cmd
+
+import (
+	"context"
+	"runtime"
+
+	"github.com/spf13/cobra"
+)
+
+var installCmd = &cobra.Command{
+	Use:   "install",
+	Short: "installs Netbird service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := handleRebrand(cmd)
+		if err != nil {
+			return err
+		}
+
+		svcConfig := newSVCConfig()
+
+		svcConfig.Arguments = []string{
+			"service",
+			"run",
+			"--config",
+			configPath,
+			"--log-level",
+			logLevel,
+		}
+
+		if managementURL != "" {
+			svcConfig.Arguments = append(svcConfig.Arguments, "--management-url")
+			svcConfig.Arguments = append(svcConfig.Arguments, managementURL)
+		}
+
+		if runtime.GOOS == "linux" {
+			// Respected only by systemd systems
+			svcConfig.Dependencies = []string{"After=network.target syslog.target"}
+		}
+
+		ctx, cancel := context.WithCancel(cmd.Context())
+
+		s, err := newSVC(newProgram(ctx, cancel), svcConfig)
+		if err != nil {
+			cmd.PrintErrln(err)
+			return err
+		}
+
+		err = s.Install()
+		if err != nil {
+			cmd.PrintErrln(err)
+			return err
+		}
+		cmd.Println("Netbird service has been installed")
+		return nil
+	},
+}
+
+var uninstallCmd = &cobra.Command{
+	Use:   "uninstall",
+	Short: "uninstalls Netbird service from system",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := handleRebrand(cmd)
+		if err != nil {
+			return err
+		}
+
+		ctx, cancel := context.WithCancel(cmd.Context())
+
+		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
+		if err != nil {
+			return err
+		}
+
+		err = s.Uninstall()
+		if err != nil {
+			return err
+		}
+		cmd.Println("Netbird has been uninstalled")
+		return nil
+	},
+}

client/cmd/status.go

@@ -0,0 +1,55 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"github.com/netbirdio/netbird/util"
+
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var statusCmd = &cobra.Command{
+	Use:   "status",
+	Short: "status of the Netbird Service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := util.InitLog(logLevel, "console")
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}
+
+		ctx := internal.CtxInitState(context.Background())
+
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			return fmt.Errorf("failed to connect to daemon error: %v\n"+
+				"If the daemon is not running please run: "+
+				"\nnetbird service install \nnetbird service start\n", err)
+		}
+		defer conn.Close()
+
+		resp, err := proto.NewDaemonServiceClient(conn).Status(cmd.Context(), &proto.StatusRequest{})
+		if err != nil {
+			return fmt.Errorf("status failed: %v", status.Convert(err).Message())
+		}
+
+		cmd.Printf("Status: %s\n\n", resp.GetStatus())
+		if resp.GetStatus() == string(internal.StatusNeedsLogin) || resp.GetStatus() == string(internal.StatusLoginFailed) {
+
+			cmd.Printf("Run UP command to log in with SSO (interactive login):\n\n" +
+				" netbird up \n\n" +
+				"If you are running a self-hosted version and no SSO provider has been configured in your Management Server,\n" +
+				"you can use a setup-key:\n\n netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY>\n\n" +
+				"More info: https://www.netbird.io/docs/overview/setup-keys\n\n")
+		}
+
+		return nil
+	},
+}

client/cmd/testutil.go

@@ -0,0 +1,113 @@
+package cmd
+
+import (
+	"context"
+	"net"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/netbirdio/netbird/util"
+
+	clientProto "github.com/netbirdio/netbird/client/proto"
+	client "github.com/netbirdio/netbird/client/server"
+	mgmtProto "github.com/netbirdio/netbird/management/proto"
+	mgmt "github.com/netbirdio/netbird/management/server"
+	sigProto "github.com/netbirdio/netbird/signal/proto"
+	sig "github.com/netbirdio/netbird/signal/server"
+	"google.golang.org/grpc"
+)
+
+func startTestingServices(t *testing.T) string {
+	config := &mgmt.Config{}
+	_, err := util.ReadJson("../testdata/management.json", config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testDir := t.TempDir()
+	config.Datadir = testDir
+	err = util.CopyFileContents("../testdata/store.json", filepath.Join(testDir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, signalLis := startSignal(t)
+	signalAddr := signalLis.Addr().String()
+	config.Signal.URI = signalAddr
+
+	_, mgmLis := startManagement(t, config)
+	mgmAddr := mgmLis.Addr().String()
+	return mgmAddr
+}
+
+func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
+	lis, err := net.Listen("tcp", ":0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	s := grpc.NewServer()
+	sigProto.RegisterSignalExchangeServer(s, sig.NewServer())
+	go func() {
+		if err := s.Serve(lis); err != nil {
+			panic(err)
+		}
+	}()
+
+	return s, lis
+}
+
+func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Listener) {
+	lis, err := net.Listen("tcp", ":0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	s := grpc.NewServer()
+	store, err := mgmt.NewStore(config.Datadir)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	peersUpdateManager := mgmt.NewPeersUpdateManager()
+	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
+	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager)
+	if err != nil {
+		t.Fatal(err)
+	}
+	mgmtProto.RegisterManagementServiceServer(s, mgmtServer)
+	go func() {
+		if err := s.Serve(lis); err != nil {
+			t.Error(err)
+		}
+	}()
+
+	return s, lis
+}
+
+func startClientDaemon(
+	t *testing.T, ctx context.Context, managementURL, configPath string,
+) (*grpc.Server, net.Listener) {
+	lis, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	s := grpc.NewServer()
+
+	server := client.New(ctx, managementURL, adminURL, configPath, "")
+	if err := server.Start(); err != nil {
+		t.Fatal(err)
+	}
+	clientProto.RegisterDaemonServiceServer(s, server)
+	go func() {
+		if err := s.Serve(lis); err != nil {
+			t.Error(err)
+		}
+	}()
+
+	time.Sleep(time.Second)
+
+	return s, lis
+}

client/cmd/up.go

@@ -0,0 +1,125 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/util"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/codes"
+	gstatus "google.golang.org/grpc/status"
+)
+
+var upCmd = &cobra.Command{
+	Use:   "up",
+	Short: "install, login and start Netbird client",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := util.InitLog(logLevel, "console")
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}
+
+		ctx := internal.CtxInitState(cmd.Context())
+
+		// workaround to run without service
+		if logFile == "console" {
+			err = handleRebrand(cmd)
+			if err != nil {
+				return err
+			}
+
+			config, err := internal.GetConfig(managementURL, adminURL, configPath, preSharedKey)
+			if err != nil {
+				return fmt.Errorf("get config file: %v", err)
+			}
+
+			err = foregroundLogin(ctx, cmd, config, setupKey)
+			if err != nil {
+				return fmt.Errorf("foreground login failed: %v", err)
+			}
+
+			var cancel context.CancelFunc
+			ctx, cancel = context.WithCancel(ctx)
+			SetupCloseHandler(ctx, cancel)
+			return internal.RunClient(ctx, config)
+		}
+
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			return fmt.Errorf("failed to connect to daemon error: %v\n"+
+				"If the daemon is not running please run: "+
+				"\nnetbird service install \nnetbird service start\n", err)
+		}
+		defer func() {
+			err := conn.Close()
+			if err != nil {
+				log.Warnf("failed closing dameon gRPC client connection %v", err)
+				return
+			}
+		}()
+
+		client := proto.NewDaemonServiceClient(conn)
+
+		status, err := client.Status(ctx, &proto.StatusRequest{})
+		if err != nil {
+			return fmt.Errorf("unable to get daemon status: %v", err)
+		}
+
+		if status.Status == string(internal.StatusConnected) {
+			cmd.Println("Already connected")
+			return nil
+		}
+
+		loginRequest := proto.LoginRequest{
+			SetupKey:      setupKey,
+			PreSharedKey:  preSharedKey,
+			ManagementUrl: managementURL,
+		}
+
+		var loginErr error
+
+		var loginResp *proto.LoginResponse
+
+		err = WithBackOff(func() error {
+			var backOffErr error
+			loginResp, backOffErr = client.Login(ctx, &loginRequest)
+			if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
+				s.Code() == codes.PermissionDenied ||
+				s.Code() == codes.NotFound ||
+				s.Code() == codes.Unimplemented) {
+				loginErr = backOffErr
+				return nil
+			}
+			return backOffErr
+		})
+		if err != nil {
+			return fmt.Errorf("login backoff cycle failed: %v", err)
+		}
+
+		if loginErr != nil {
+			return fmt.Errorf("login failed: %v", loginErr)
+		}
+
+		if loginResp.NeedsSSOLogin {
+
+			openURL(cmd, loginResp.VerificationURIComplete)
+
+			_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
+			if err != nil {
+				return fmt.Errorf("waiting sso login failed with: %v", err)
+			}
+		}
+
+		if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
+			return fmt.Errorf("call service up method: %v", err)
+		}
+		cmd.Println("Connected")
+		return nil
+	},
+}

client/cmd/up_daemon_test.go

@@ -0,0 +1,75 @@
+package cmd
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/netbirdio/netbird/client/internal"
+)
+
+var cliAddr string
+
+func TestUpDaemon(t *testing.T) {
+	mgmAddr := startTestingServices(t)
+
+	tempDir := t.TempDir()
+	confPath := tempDir + "/config.json"
+
+	ctx := internal.CtxInitState(context.Background())
+	state := internal.CtxGetState(ctx)
+
+	_, cliLis := startClientDaemon(t, ctx, "http://"+mgmAddr, confPath)
+
+	cliAddr = cliLis.Addr().String()
+
+	daemonAddr = "tcp://" + cliAddr
+	rootCmd.SetArgs([]string{
+		"login",
+		"--daemon-addr", "tcp://" + cliAddr,
+		"--setup-key", "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
+		"--log-file", "",
+	})
+	if err := rootCmd.Execute(); err != nil {
+		t.Errorf("expected no error while running up command, got %v", err)
+		return
+	}
+	time.Sleep(time.Second * 3)
+	if status, err := state.Status(); err != nil && status != internal.StatusIdle {
+		t.Errorf("wrong status after login: %s, %v", internal.StatusIdle, err)
+		return
+	}
+
+	rootCmd.SetArgs([]string{
+		"up",
+		"--daemon-addr", "tcp://" + cliAddr,
+		"--log-file", "",
+	})
+	if err := rootCmd.Execute(); err != nil {
+		t.Errorf("expected no error while running up command, got %v", err)
+		return
+	}
+	time.Sleep(time.Second * 3)
+	if status, err := state.Status(); err != nil && status != internal.StatusConnected {
+		t.Errorf("wrong status after connect: %s, %v", status, err)
+		return
+	}
+
+	rootCmd.SetArgs([]string{
+		"status",
+		"--daemon-addr", "tcp://" + cliAddr,
+	})
+	if err := rootCmd.Execute(); err != nil {
+		t.Errorf("expected no error while running up command, got %v", err)
+		return
+	}
+	time.Sleep(time.Second * 3)
+
+	rootCmd.SetErr(nil)
+	rootCmd.SetArgs([]string{"down", "--daemon-addr", "tcp://" + cliAddr})
+	if err := rootCmd.Execute(); err != nil {
+		t.Errorf("expected no error while running up command, got %v", err)
+		return
+	}
+	// we can't check status here, because context already canceled
+}

client/cmd/version.go

@@ -0,0 +1,17 @@
+package cmd
+
+import (
+	"github.com/netbirdio/netbird/client/system"
+	"github.com/spf13/cobra"
+)
+
+var (
+	versionCmd = &cobra.Command{
+		Use:   "version",
+		Short: "prints Netbird version",
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.SetOut(cmd.OutOrStdout())
+			cmd.Println(system.NetbirdVersion())
+		},
+	}
+)

client/installer.nsis

@@ -0,0 +1,212 @@
+!define APP_NAME "Netbird"
+!define COMP_NAME "Netbird"
+!define WEB_SITE "Netbird.io"
+!define VERSION $%APPVER%
+!define COPYRIGHT "Netbird Authors, 2022"
+!define DESCRIPTION "A WireGuard®-based mesh network that connects your devices into a single private network"
+!define INSTALLER_NAME "netbird-installer.exe"
+!define MAIN_APP_EXE "Netbird"
+!define ICON "ui\\netbird.ico"
+!define BANNER "ui\\banner.bmp"
+!define LICENSE_DATA "..\\LICENSE"
+
+!define INSTALL_DIR "$PROGRAMFILES64\${APP_NAME}"
+!define INSTALL_TYPE "SetShellVarContext all"
+!define REG_ROOT "HKLM"
+!define REG_APP_PATH "Software\Microsoft\Windows\CurrentVersion\App Paths\${MAIN_APP_EXE}"
+!define UNINSTALL_PATH "Software\Microsoft\Windows\CurrentVersion\Uninstall\${APP_NAME}"
+
+!define UI_APP_NAME "Netbird UI"
+!define UI_APP_EXE "Netbird-ui"
+
+!define UI_REG_APP_PATH "Software\Microsoft\Windows\CurrentVersion\App Paths\${UI_APP_EXE}"
+!define UI_UNINSTALL_PATH "Software\Microsoft\Windows\CurrentVersion\Uninstall\${UI_APP_NAME}"
+
+Unicode True
+
+######################################################################
+
+VIProductVersion  "${VERSION}"
+VIAddVersionKey "ProductName"  "${APP_NAME}"
+VIAddVersionKey "CompanyName"  "${COMP_NAME}"
+VIAddVersionKey "LegalCopyright"  "${COPYRIGHT}"
+VIAddVersionKey "FileDescription"  "${DESCRIPTION}"
+VIAddVersionKey "FileVersion"  "${VERSION}"
+
+######################################################################
+
+SetCompressor /SOLID Lzma
+Name "${APP_NAME}"
+Caption "${APP_NAME}"
+OutFile "..\\${INSTALLER_NAME}"
+BrandingText "${APP_NAME}"
+InstallDirRegKey "${REG_ROOT}" "${REG_APP_PATH}" ""
+InstallDir "${INSTALL_DIR}"
+LicenseData "${LICENSE_DATA}"
+ShowInstDetails Show
+
+######################################################################
+
+!define MUI_ICON "${ICON}"
+!define MUI_UNICON "${ICON}"
+!define MUI_WELCOMEFINISHPAGE_BITMAP "${BANNER}"
+!define MUI_UNWELCOMEFINISHPAGE_BITMAP "${BANNER}"
+!define MUI_FINISHPAGE_RUN
+!define MUI_FINISHPAGE_RUN_TEXT "Start ${UI_APP_NAME}"
+!define MUI_FINISHPAGE_RUN_FUNCTION "LaunchLink"
+######################################################################
+
+!include "MUI2.nsh"
+!include LogicLib.nsh
+
+!define MUI_ABORTWARNING
+!define MUI_UNABORTWARNING
+
+!insertmacro MUI_PAGE_WELCOME
+
+!insertmacro MUI_PAGE_LICENSE "${LICENSE_DATA}"
+
+!insertmacro MUI_PAGE_DIRECTORY
+
+!insertmacro MUI_PAGE_INSTFILES
+
+!insertmacro MUI_PAGE_FINISH
+
+!insertmacro MUI_UNPAGE_CONFIRM
+
+!insertmacro MUI_UNPAGE_INSTFILES
+
+!insertmacro MUI_UNPAGE_FINISH
+
+!insertmacro MUI_LANGUAGE "English"
+
+######################################################################
+
+Function GetAppFromCommand
+Exch $1
+Push $2
+StrCpy $2 $1 1 0
+StrCmp $2 '"' 0 done
+Push $3
+StrCpy $3 ""
+loop:
+    IntOp $3 $3 + 1
+    StrCpy $2 $1 1 $3
+    StrCmp $2 '' +2
+    StrCmp $2 '"' 0 loop
+    StrCpy $1 $1 $3
+    StrCpy $1 $1 "" 1 ; Remove starting quote
+Pop $3
+done:
+Pop $2
+Exch $1
+FunctionEnd
+!macro GetAppFromCommand in out
+Push "${in}"
+Call GetAppFromCommand
+Pop ${out}
+!macroend
+
+!macro UninstallPreviousNSIS UninstCommand CustomParameters
+Push $0
+Push $1
+Push $2
+Push '${CustomParameters}'
+Push '${UninstCommand}'
+Call GetAppFromCommand ; Remove quotes and parameters from UninstCommand
+Pop $0
+Pop $1
+GetFullPathName $2 "$0\.."
+ExecWait '"$0" $1 _?=$2'
+Delete "$0" ; Extra cleanup because we used _?=
+RMDir "$2"
+Pop $2
+Pop $1
+Pop $0
+!macroend
+
+Function .onInit
+
+ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wiretrustee" "UninstallString"
+${If} $R0 != ""
+    MessageBox MB_YESNO|MB_ICONQUESTION "Wiretrustee is installed. We must remove it before installing Netbird. Procced?" IDNO noWTUninstOld
+    !insertmacro UninstallPreviousNSIS $R0 "/NoMsgBox"
+    noWTUninstOld:
+${EndIf}
+
+ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
+${If} $R0 != ""
+    MessageBox MB_YESNO|MB_ICONQUESTION "$(^NAME) is already installed. Do you want to remove the previous version?" IDNO noUninstOld
+    !insertmacro UninstallPreviousNSIS $R0 "/NoMsgBox"
+    noUninstOld:
+${EndIf}
+FunctionEnd
+######################################################################
+Section -MainProgram
+	${INSTALL_TYPE}
+	SetOverwrite ifnewer
+	SetOutPath "$INSTDIR"
+	File /r "..\\dist\\netbird_windows_amd64\\"
+
+SectionEnd
+
+######################################################################
+
+Section -Icons_Reg
+SetOutPath "$INSTDIR"
+WriteUninstaller "$INSTDIR\netbird_uninstall.exe"
+
+WriteRegStr ${REG_ROOT} "${REG_APP_PATH}" "" "$INSTDIR\${MAIN_APP_EXE}"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "DisplayName" "${APP_NAME}"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "UninstallString" "$INSTDIR\netbird_uninstall.exe"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "DisplayIcon" "$INSTDIR\${MAIN_APP_EXE}"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "DisplayVersion" "${VERSION}"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "Publisher" "${COMP_NAME}"
+
+WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"
+
+EnVar::SetHKLM
+EnVar::AddValueEx "path" "$INSTDIR"
+
+SetShellVarContext current
+CreateShortCut "$SMPROGRAMS\${APP_NAME}.lnk" "$INSTDIR\${UI_APP_EXE}"
+CreateShortCut "$DESKTOP\${APP_NAME}.lnk" "$INSTDIR\${UI_APP_EXE}"
+SetShellVarContext all
+
+ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service install'
+Exec '"$INSTDIR\${MAIN_APP_EXE}" service start'
+# sleep a bit for visibility
+Sleep 1000
+SectionEnd
+
+######################################################################
+
+Section Uninstall
+${INSTALL_TYPE}
+
+ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service stop'
+Exec '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
+# kill ui client
+ExecWait `taskkill /im ${UI_APP_EXE}.exe`
+# wait the service uninstall take unblock the executable
+Sleep 3000
+RmDir /r "$INSTDIR"
+
+SetShellVarContext current
+Delete "$DESKTOP\${APP_NAME}.lnk"
+Delete "$SMPROGRAMS\${APP_NAME}.lnk"
+SetShellVarContext all
+
+DeleteRegKey ${REG_ROOT} "${REG_APP_PATH}"
+DeleteRegKey ${REG_ROOT} "${UNINSTALL_PATH}"
+EnVar::SetHKLM
+EnVar::DeleteValue "path" "$INSTDIR"
+SectionEnd
+
+
+Function LaunchLink
+SetShellVarContext current
+   SetOutPath $INSTDIR
+   ShellExecAsUser::ShellExecAsUser "" "$DESKTOP\${APP_NAME}.lnk"
+SetShellVarContext all
+FunctionEnd

client/internal/config.go

@@ -0,0 +1,235 @@
+package internal
+
+import (
+	"context"
+	"fmt"
+	mgm "github.com/netbirdio/netbird/management/client"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"net/url"
+	"os"
+
+	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/util"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+var managementURLDefault *url.URL
+
+func ManagementURLDefault() *url.URL {
+	return managementURLDefault
+}
+
+func init() {
+	managementURL, err := parseURL("Management URL", "https://api.wiretrustee.com:33073")
+	if err != nil {
+		panic(err)
+	}
+	managementURLDefault = managementURL
+}
+
+// Config Configuration type
+type Config struct {
+	// Wireguard private key of local peer
+	PrivateKey     string
+	PreSharedKey   string
+	ManagementURL  *url.URL
+	AdminURL       *url.URL
+	WgIface        string
+	IFaceBlackList []string
+}
+
+// createNewConfig creates a new config generating a new Wireguard key and saving to file
+func createNewConfig(managementURL, adminURL, configPath, preSharedKey string) (*Config, error) {
+	wgKey := generateKey()
+	config := &Config{PrivateKey: wgKey, WgIface: iface.WgInterfaceDefault, IFaceBlackList: []string{}}
+	if managementURL != "" {
+		URL, err := parseURL("Management URL", managementURL)
+		if err != nil {
+			return nil, err
+		}
+		config.ManagementURL = URL
+	} else {
+		config.ManagementURL = managementURLDefault
+	}
+
+	if preSharedKey != "" {
+		config.PreSharedKey = preSharedKey
+	}
+
+	config.IFaceBlackList = []string{iface.WgInterfaceDefault, "tun0"}
+
+	err := util.WriteJson(configPath, config)
+	if err != nil {
+		return nil, err
+	}
+
+	return config, nil
+}
+
+func parseURL(serviceName, managementURL string) (*url.URL, error) {
+	parsedMgmtURL, err := url.ParseRequestURI(managementURL)
+	if err != nil {
+		log.Errorf("failed parsing management URL %s: [%s]", managementURL, err.Error())
+		return nil, err
+	}
+
+	if parsedMgmtURL.Scheme != "https" && parsedMgmtURL.Scheme != "http" {
+		return nil, fmt.Errorf(
+			"invalid %s URL provided %s. Supported format [http|https]://[host]:[port]",
+			serviceName, managementURL)
+	}
+
+	return parsedMgmtURL, err
+}
+
+// ReadConfig reads existing config. In case provided managementURL is not empty overrides the read property
+func ReadConfig(managementURL, adminURL, configPath string, preSharedKey *string) (*Config, error) {
+	config := &Config{}
+	if _, err := os.Stat(configPath); os.IsNotExist(err) {
+		return nil, status.Errorf(codes.NotFound, "config file doesn't exist")
+	}
+
+	if _, err := util.ReadJson(configPath, config); err != nil {
+		return nil, err
+	}
+
+	refresh := false
+
+	if managementURL != "" && config.ManagementURL.String() != managementURL {
+		log.Infof("new Management URL provided, updated to %s (old value %s)",
+			managementURL, config.ManagementURL)
+		newURL, err := parseURL("Management URL", managementURL)
+		if err != nil {
+			return nil, err
+		}
+		config.ManagementURL = newURL
+		refresh = true
+	}
+
+	if adminURL != "" && (config.AdminURL == nil || config.AdminURL.String() != adminURL) {
+		log.Infof("new Admin Panel URL provided, updated to %s (old value %s)",
+			adminURL, config.AdminURL)
+		newURL, err := parseURL("Admin Panel URL", adminURL)
+		if err != nil {
+			return nil, err
+		}
+		config.AdminURL = newURL
+		refresh = true
+	}
+
+	if preSharedKey != nil && config.PreSharedKey != *preSharedKey {
+		log.Infof("new pre-shared key provided, updated to %s (old value %s)",
+			*preSharedKey, config.PreSharedKey)
+		config.PreSharedKey = *preSharedKey
+		refresh = true
+	}
+
+	if refresh {
+		// since we have new management URL, we need to update config file
+		if err := util.WriteJson(configPath, config); err != nil {
+			return nil, err
+		}
+	}
+
+	return config, nil
+}
+
+// GetConfig reads existing config or generates a new one
+func GetConfig(managementURL, adminURL, configPath, preSharedKey string) (*Config, error) {
+	if _, err := os.Stat(configPath); os.IsNotExist(err) {
+		log.Infof("generating new config %s", configPath)
+		return createNewConfig(managementURL, adminURL, configPath, preSharedKey)
+	} else {
+		// don't overwrite pre-shared key if we receive asterisks from UI
+		pk := &preSharedKey
+		if preSharedKey == "**********" {
+			pk = nil
+		}
+		return ReadConfig(managementURL, adminURL, configPath, pk)
+	}
+}
+
+// generateKey generates a new Wireguard private key
+func generateKey() string {
+	key, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		panic(err)
+	}
+	return key.String()
+}
+
+// DeviceAuthorizationFlow represents Device Authorization Flow information
+type DeviceAuthorizationFlow struct {
+	Provider       string
+	ProviderConfig ProviderConfig
+}
+
+// ProviderConfig has all attributes needed to initiate a device authorization flow
+type ProviderConfig struct {
+	// ClientID An IDP application client id
+	ClientID string
+	// ClientSecret An IDP application client secret
+	ClientSecret string
+	// Domain An IDP API domain
+	Domain string
+	// Audience An Audience for to authorization validation
+	Audience string
+}
+
+func GetDeviceAuthorizationFlowInfo(ctx context.Context, config *Config) (DeviceAuthorizationFlow, error) {
+	// validate our peer's Wireguard PRIVATE key
+	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+	if err != nil {
+		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+		return DeviceAuthorizationFlow{}, err
+	}
+
+	var mgmTlsEnabled bool
+	if config.ManagementURL.Scheme == "https" {
+		mgmTlsEnabled = true
+	}
+
+	log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
+	mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+	if err != nil {
+		log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
+		return DeviceAuthorizationFlow{}, err
+	}
+	log.Debugf("connected to management Service %s", config.ManagementURL.String())
+
+	serverKey, err := mgmClient.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return DeviceAuthorizationFlow{}, err
+	}
+
+	protoDeviceAuthorizationFlow, err := mgmClient.GetDeviceAuthorizationFlow(*serverKey)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
+			log.Warnf("server couldn't find device flow, contact admin: %v", err)
+			return DeviceAuthorizationFlow{}, err
+		} else {
+			log.Errorf("failed to retrieve device flow: %v", err)
+			return DeviceAuthorizationFlow{}, err
+		}
+	}
+
+	err = mgmClient.Close()
+	if err != nil {
+		log.Errorf("failed closing Management Service client: %v", err)
+		return DeviceAuthorizationFlow{}, err
+	}
+
+	return DeviceAuthorizationFlow{
+		Provider: protoDeviceAuthorizationFlow.Provider.String(),
+
+		ProviderConfig: ProviderConfig{
+			Audience:     protoDeviceAuthorizationFlow.ProviderConfig.Audience,
+			ClientID:     protoDeviceAuthorizationFlow.ProviderConfig.ClientID,
+			ClientSecret: protoDeviceAuthorizationFlow.ProviderConfig.ClientSecret,
+			Domain:       protoDeviceAuthorizationFlow.ProviderConfig.Domain,
+		},
+	}, nil
+}

client/internal/config_test.go

@@ -0,0 +1,60 @@
+package internal
+
+import (
+	"errors"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/netbirdio/netbird/util"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestReadConfig(t *testing.T) {
+}
+
+func TestGetConfig(t *testing.T) {
+	managementURL := "https://test.management.url:33071"
+	adminURL := "https://app.admin.url"
+	path := filepath.Join(t.TempDir(), "config.json")
+	preSharedKey := "preSharedKey"
+
+	// case 1: new config has to be generated
+	config, err := GetConfig(managementURL, adminURL, path, preSharedKey)
+	if err != nil {
+		return
+	}
+
+	assert.Equal(t, config.ManagementURL.String(), managementURL)
+	assert.Equal(t, config.PreSharedKey, preSharedKey)
+
+	if _, err := os.Stat(path); errors.Is(err, os.ErrNotExist) {
+		t.Errorf("config file was expected to be created under path %s", path)
+	}
+
+	// case 2: existing config -> fetch it
+	config, err = GetConfig(managementURL, adminURL, path, preSharedKey)
+	if err != nil {
+		return
+	}
+
+	assert.Equal(t, config.ManagementURL.String(), managementURL)
+	assert.Equal(t, config.PreSharedKey, preSharedKey)
+
+	// case 3: existing config, but new managementURL has been provided -> update config
+	newManagementURL := "https://test.newManagement.url:33071"
+	config, err = GetConfig(newManagementURL, adminURL, path, preSharedKey)
+	if err != nil {
+		return
+	}
+
+	assert.Equal(t, config.ManagementURL.String(), newManagementURL)
+	assert.Equal(t, config.PreSharedKey, preSharedKey)
+
+	// read once more to make sure that config file has been updated with the new management URL
+	readConf, err := util.ReadJson(path, config)
+	if err != nil {
+		return
+	}
+	assert.Equal(t, readConf.(*Config).ManagementURL.String(), newManagementURL)
+}

client/internal/connect.go

@@ -0,0 +1,208 @@
+package internal
+
+import (
+	"context"
+	"time"
+
+	"github.com/netbirdio/netbird/client/system"
+
+	"github.com/netbirdio/netbird/iface"
+	mgm "github.com/netbirdio/netbird/management/client"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+	signal "github.com/netbirdio/netbird/signal/client"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/cenkalti/backoff/v4"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// RunClient with main logic.
+func RunClient(ctx context.Context, config *Config) error {
+	backOff := &backoff.ExponentialBackOff{
+		InitialInterval:     time.Second,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         10 * time.Second,
+		MaxElapsedTime:      24 * 3 * time.Hour, // stop the client after 3 days trying (must be a huge problem, e.g permission denied)
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}
+
+	state := CtxGetState(ctx)
+	defer func() {
+		s, err := state.Status()
+		if err != nil || s != StatusNeedsLogin {
+			state.Set(StatusIdle)
+		}
+	}()
+
+	wrapErr := state.Wrap
+	operation := func() error {
+		// if context cancelled we not start new backoff cycle
+		select {
+		case <-ctx.Done():
+			return nil
+		default:
+		}
+
+		state.Set(StatusConnecting)
+		// validate our peer's Wireguard PRIVATE key
+		myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+		if err != nil {
+			log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+			return wrapErr(err)
+		}
+
+		var mgmTlsEnabled bool
+		if config.ManagementURL.Scheme == "https" {
+			mgmTlsEnabled = true
+		}
+
+		engineCtx, cancel := context.WithCancel(ctx)
+		defer cancel()
+
+		// connect (just a connection, no stream yet) and login to Management Service to get an initial global Wiretrustee config
+		mgmClient, loginResp, err := connectToManagement(engineCtx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+		if err != nil {
+			log.Debug(err)
+			if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+				log.Info("peer registration required. Please run `netbird status` for details")
+				state.Set(StatusNeedsLogin)
+				return nil
+			}
+			return wrapErr(err)
+		}
+
+		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
+		signalClient, err := connectToSignal(engineCtx, loginResp.GetWiretrusteeConfig(), myPrivateKey)
+		if err != nil {
+			log.Error(err)
+			return wrapErr(err)
+		}
+
+		peerConfig := loginResp.GetPeerConfig()
+
+		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig)
+		if err != nil {
+			log.Error(err)
+			return wrapErr(err)
+		}
+
+		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, engineConfig)
+		err = engine.Start()
+		if err != nil {
+			log.Errorf("error while starting Netbird Connection Engine: %s", err)
+			return wrapErr(err)
+		}
+
+		log.Print("Netbird engine started, my IP is: ", peerConfig.Address)
+		state.Set(StatusConnected)
+
+		<-engineCtx.Done()
+
+		backOff.Reset()
+
+		err = mgmClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Management Service client %v", err)
+			return wrapErr(err)
+		}
+		err = signalClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Signal Service client %v", err)
+			return wrapErr(err)
+		}
+
+		err = engine.Stop()
+		if err != nil {
+			log.Errorf("failed stopping engine %v", err)
+			return wrapErr(err)
+		}
+
+		log.Info("stopped Netbird client")
+
+		if _, err := state.Status(); err == ErrResetConnection {
+			return err
+		}
+
+		return nil
+	}
+
+	err := backoff.Retry(operation, backOff)
+	if err != nil {
+		log.Errorf("exiting client retry loop due to unrecoverable error: %s", err)
+		return err
+	}
+	return nil
+}
+
+// createEngineConfig converts configuration received from Management Service to EngineConfig
+func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
+	iFaceBlackList := make(map[string]struct{})
+	for i := 0; i < len(config.IFaceBlackList); i += 2 {
+		iFaceBlackList[config.IFaceBlackList[i]] = struct{}{}
+	}
+
+	engineConf := &EngineConfig{
+		WgIfaceName:    config.WgIface,
+		WgAddr:         peerConfig.Address,
+		IFaceBlackList: iFaceBlackList,
+		WgPrivateKey:   key,
+		WgPort:         iface.DefaultWgPort,
+	}
+
+	if config.PreSharedKey != "" {
+		preSharedKey, err := wgtypes.ParseKey(config.PreSharedKey)
+		if err != nil {
+			return nil, err
+		}
+		engineConf.PreSharedKey = &preSharedKey
+	}
+
+	return engineConf, nil
+}
+
+// connectToSignal creates Signal Service client and established a connection
+func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig, ourPrivateKey wgtypes.Key) (*signal.GrpcClient, error) {
+	var sigTLSEnabled bool
+	if wtConfig.Signal.Protocol == mgmProto.HostConfig_HTTPS {
+		sigTLSEnabled = true
+	} else {
+		sigTLSEnabled = false
+	}
+
+	signalClient, err := signal.NewClient(ctx, wtConfig.Signal.Uri, ourPrivateKey, sigTLSEnabled)
+	if err != nil {
+		log.Errorf("error while connecting to the Signal Exchange Service %s: %s", wtConfig.Signal.Uri, err)
+		return nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Signal Service : %s", err)
+	}
+
+	return signalClient, nil
+}
+
+// connectToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
+func connectToManagement(ctx context.Context, managementAddr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*mgm.GrpcClient, *mgmProto.LoginResponse, error) {
+	log.Debugf("connecting to Management Service %s", managementAddr)
+	client, err := mgm.NewClient(ctx, managementAddr, ourPrivateKey, tlsEnabled)
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err)
+	}
+	log.Debugf("connected to management server %s", managementAddr)
+
+	serverPublicKey, err := client.GetServerPublicKey()
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
+	}
+
+	sysInfo := system.GetInfo(ctx)
+	loginResp, err := client.Login(*serverPublicKey, sysInfo)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	log.Debugf("peer logged in to Management Service %s", managementAddr)
+
+	return client, loginResp, nil
+}

client/internal/engine.go

@@ -0,0 +1,632 @@
+package internal
+
+import (
+	"context"
+	"fmt"
+	"math/rand"
+	"net"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/proxy"
+	"github.com/netbirdio/netbird/iface"
+	mgm "github.com/netbirdio/netbird/management/client"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+	signal "github.com/netbirdio/netbird/signal/client"
+	sProto "github.com/netbirdio/netbird/signal/proto"
+	"github.com/netbirdio/netbird/util"
+	"github.com/pion/ice/v2"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+// PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
+// E.g. this peer will wait PeerConnectionTimeoutMax for the remote peer to respond,
+// if not successful then it will retry the connection attempt.
+// Todo pass timeout at EnginConfig
+const (
+	PeerConnectionTimeoutMax = 45000 // ms
+	PeerConnectionTimeoutMin = 30000 // ms
+)
+
+var ErrResetConnection = fmt.Errorf("reset connection")
+
+// EngineConfig is a config for the Engine
+type EngineConfig struct {
+	WgPort      int
+	WgIfaceName string
+
+	// WgAddr is a Wireguard local address (Netbird Network IP)
+	WgAddr string
+
+	// WgPrivateKey is a Wireguard private key of our peer (it MUST never leave the machine)
+	WgPrivateKey wgtypes.Key
+
+	// IFaceBlackList is a list of network interfaces to ignore when discovering connection candidates (ICE related)
+	IFaceBlackList map[string]struct{}
+
+	PreSharedKey *wgtypes.Key
+
+	// UDPMuxPort default value 0 - the system will pick an available port
+	UDPMuxPort int
+
+	// UDPMuxSrflxPort default value 0 - the system will pick an available port
+	UDPMuxSrflxPort int
+}
+
+// Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
+type Engine struct {
+	// signal is a Signal Service client
+	signal signal.Client
+	// mgmClient is a Management Service client
+	mgmClient mgm.Client
+	// peerConns is a map that holds all the peers that are known to this peer
+	peerConns map[string]*peer.Conn
+
+	// syncMsgMux is used to guarantee sequential Management Service message processing
+	syncMsgMux *sync.Mutex
+
+	config *EngineConfig
+	// STUNs is a list of STUN servers used by ICE
+	STUNs []*ice.URL
+	// TURNs is a list of STUN servers used by ICE
+	TURNs []*ice.URL
+
+	cancel context.CancelFunc
+
+	ctx context.Context
+
+	wgInterface iface.WGIface
+
+	udpMux          ice.UDPMux
+	udpMuxSrflx     ice.UniversalUDPMux
+	udpMuxConn      *net.UDPConn
+	udpMuxConnSrflx *net.UDPConn
+
+	// networkSerial is the latest CurrentSerial (state ID) of the network sent by the Management service
+	networkSerial uint64
+}
+
+// Peer is an instance of the Connection Peer
+type Peer struct {
+	WgPubKey     string
+	WgAllowedIps string
+}
+
+// NewEngine creates a new Connection Engine
+func NewEngine(
+	ctx context.Context, cancel context.CancelFunc,
+	signalClient signal.Client, mgmClient mgm.Client, config *EngineConfig,
+) *Engine {
+	return &Engine{
+		ctx:           ctx,
+		cancel:        cancel,
+		signal:        signalClient,
+		mgmClient:     mgmClient,
+		peerConns:     map[string]*peer.Conn{},
+		syncMsgMux:    &sync.Mutex{},
+		config:        config,
+		STUNs:         []*ice.URL{},
+		TURNs:         []*ice.URL{},
+		networkSerial: 0,
+	}
+}
+
+func (e *Engine) Stop() error {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	err := e.removeAllPeers()
+	if err != nil {
+		return err
+	}
+
+	// very ugly but we want to remove peers from the WireGuard interface first before removing interface.
+	// Removing peers happens in the conn.CLose() asynchronously
+	time.Sleep(500 * time.Millisecond)
+
+	log.Debugf("removing Netbird interface %s", e.config.WgIfaceName)
+	if e.wgInterface.Interface != nil {
+		err = e.wgInterface.Close()
+		if err != nil {
+			log.Errorf("failed closing Netbird interface %s %v", e.config.WgIfaceName, err)
+			return err
+		}
+	}
+
+	if e.udpMux != nil {
+		if err := e.udpMux.Close(); err != nil {
+			log.Debugf("close udp mux: %v", err)
+		}
+	}
+
+	if e.udpMuxSrflx != nil {
+		if err := e.udpMuxSrflx.Close(); err != nil {
+			log.Debugf("close server reflexive udp mux: %v", err)
+		}
+	}
+
+	if e.udpMuxConn != nil {
+		if err := e.udpMuxConn.Close(); err != nil {
+			log.Debugf("close udp mux connection: %v", err)
+		}
+	}
+
+	if e.udpMuxConnSrflx != nil {
+		if err := e.udpMuxConnSrflx.Close(); err != nil {
+			log.Debugf("close server reflexive udp mux connection: %v", err)
+		}
+	}
+
+	log.Infof("stopped Netbird Engine")
+
+	return nil
+}
+
+// Start creates a new Wireguard tunnel interface and listens to events from Signal and Management services
+// Connections to remote peers are not established here.
+// However, they will be established once an event with a list of peers to connect to will be received from Management Service
+func (e *Engine) Start() error {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	wgIfaceName := e.config.WgIfaceName
+	wgAddr := e.config.WgAddr
+	myPrivateKey := e.config.WgPrivateKey
+	var err error
+
+	e.wgInterface, err = iface.NewWGIface(wgIfaceName, wgAddr, iface.DefaultMTU)
+	if err != nil {
+		log.Errorf("failed creating wireguard interface instance %s: [%s]", wgIfaceName, err.Error())
+		return err
+	}
+
+	e.udpMuxConn, err = net.ListenUDP("udp4", &net.UDPAddr{Port: e.config.UDPMuxPort})
+	if err != nil {
+		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxPort, err.Error())
+		return err
+	}
+
+	e.udpMuxConnSrflx, err = net.ListenUDP("udp4", &net.UDPAddr{Port: e.config.UDPMuxSrflxPort})
+	if err != nil {
+		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxSrflxPort, err.Error())
+		return err
+	}
+
+	e.udpMux = ice.NewUDPMuxDefault(ice.UDPMuxParams{UDPConn: e.udpMuxConn})
+	e.udpMuxSrflx = ice.NewUniversalUDPMuxDefault(ice.UniversalUDPMuxParams{UDPConn: e.udpMuxConnSrflx})
+
+	err = e.wgInterface.Create()
+	if err != nil {
+		log.Errorf("failed creating tunnel interface %s: [%s]", wgIfaceName, err.Error())
+		return err
+	}
+
+	err = e.wgInterface.Configure(myPrivateKey.String(), e.config.WgPort)
+	if err != nil {
+		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIfaceName, err.Error())
+		return err
+	}
+
+	e.receiveSignalEvents()
+	e.receiveManagementEvents()
+
+	return nil
+}
+
+// removePeers finds and removes peers that do not exist anymore in the network map received from the Management Service
+func (e *Engine) removePeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
+	currentPeers := make([]string, 0, len(e.peerConns))
+	for p := range e.peerConns {
+		currentPeers = append(currentPeers, p)
+	}
+
+	newPeers := make([]string, 0, len(peersUpdate))
+	for _, p := range peersUpdate {
+		newPeers = append(newPeers, p.GetWgPubKey())
+	}
+
+	toRemove := util.SliceDiff(currentPeers, newPeers)
+
+	for _, p := range toRemove {
+		err := e.removePeer(p)
+		if err != nil {
+			return err
+		}
+		log.Infof("removed peer %s", p)
+	}
+	return nil
+}
+
+func (e *Engine) removeAllPeers() error {
+	log.Debugf("removing all peer connections")
+	for p := range e.peerConns {
+		err := e.removePeer(p)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// removePeer closes an existing peer connection and removes a peer
+func (e *Engine) removePeer(peerKey string) error {
+	log.Debugf("removing peer from engine %s", peerKey)
+	conn, exists := e.peerConns[peerKey]
+	if exists {
+		delete(e.peerConns, peerKey)
+		err := conn.Close()
+		if err != nil {
+			switch err.(type) {
+			case *peer.ConnectionAlreadyClosedError:
+				return nil
+			default:
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// GetPeerConnectionStatus returns a connection Status or nil if peer connection wasn't found
+func (e *Engine) GetPeerConnectionStatus(peerKey string) peer.ConnStatus {
+	conn, exists := e.peerConns[peerKey]
+	if exists && conn != nil {
+		return conn.Status()
+	}
+
+	return -1
+}
+
+func (e *Engine) GetPeers() []string {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	peers := []string{}
+	for s := range e.peerConns {
+		peers = append(peers, s)
+	}
+	return peers
+}
+
+// GetConnectedPeers returns a connection Status or nil if peer connection wasn't found
+func (e *Engine) GetConnectedPeers() []string {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	peers := []string{}
+	for s, conn := range e.peerConns {
+		if conn.Status() == peer.StatusConnected {
+			peers = append(peers, s)
+		}
+	}
+
+	return peers
+}
+
+func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client) error {
+	err := s.Send(&sProto.Message{
+		Key:       myKey.PublicKey().String(),
+		RemoteKey: remoteKey.String(),
+		Body: &sProto.Body{
+			Type:    sProto.Body_CANDIDATE,
+			Payload: candidate.Marshal(),
+		},
+	})
+	if err != nil {
+		log.Errorf("failed signaling candidate to the remote peer %s %s", remoteKey.String(), err)
+		// todo ??
+		return err
+	}
+
+	return nil
+}
+
+func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client, isAnswer bool) error {
+	var t sProto.Body_Type
+	if isAnswer {
+		t = sProto.Body_ANSWER
+	} else {
+		t = sProto.Body_OFFER
+	}
+
+	msg, err := signal.MarshalCredential(myKey, remoteKey, &signal.Credential{
+		UFrag: uFrag,
+		Pwd:   pwd,
+	}, t)
+	if err != nil {
+		return err
+	}
+	err = s.Send(msg)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	if update.GetWiretrusteeConfig() != nil {
+		err := e.updateTURNs(update.GetWiretrusteeConfig().GetTurns())
+		if err != nil {
+			return err
+		}
+
+		err = e.updateSTUNs(update.GetWiretrusteeConfig().GetStuns())
+		if err != nil {
+			return err
+		}
+
+		// todo update signal
+	}
+
+	if update.GetNetworkMap() != nil {
+		// only apply new changes and ignore old ones
+		err := e.updateNetworkMap(update.GetNetworkMap())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
+// E.g. when a new peer has been registered and we are allowed to connect to it.
+func (e *Engine) receiveManagementEvents() {
+	go func() {
+		err := e.mgmClient.Sync(func(update *mgmProto.SyncResponse) error {
+			return e.handleSync(update)
+		})
+		if err != nil {
+			// happens if management is unavailable for a long time.
+			// We want to cancel the operation of the whole client
+			_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
+			e.cancel()
+			return
+		}
+		log.Debugf("stopped receiving updates from Management Service")
+	}()
+	log.Debugf("connecting to Management Service updates stream")
+}
+
+func (e *Engine) updateSTUNs(stuns []*mgmProto.HostConfig) error {
+	if len(stuns) == 0 {
+		return nil
+	}
+	var newSTUNs []*ice.URL
+	log.Debugf("got STUNs update from Management Service, updating")
+	for _, stun := range stuns {
+		url, err := ice.ParseURL(stun.Uri)
+		if err != nil {
+			return err
+		}
+		newSTUNs = append(newSTUNs, url)
+	}
+	e.STUNs = newSTUNs
+
+	return nil
+}
+
+func (e *Engine) updateTURNs(turns []*mgmProto.ProtectedHostConfig) error {
+	if len(turns) == 0 {
+		return nil
+	}
+	var newTURNs []*ice.URL
+	log.Debugf("got TURNs update from Management Service, updating")
+	for _, turn := range turns {
+		url, err := ice.ParseURL(turn.HostConfig.Uri)
+		if err != nil {
+			return err
+		}
+		url.Username = turn.User
+		url.Password = turn.Password
+		newTURNs = append(newTURNs, url)
+	}
+	e.TURNs = newTURNs
+
+	return nil
+}
+
+func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
+	serial := networkMap.GetSerial()
+	if e.networkSerial > serial {
+		log.Debugf("received outdated NetworkMap with serial %d, ignoring", serial)
+		return nil
+	}
+
+	log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(networkMap.GetRemotePeers()))
+
+	// cleanup request, most likely our peer has been deleted
+	if networkMap.GetRemotePeersIsEmpty() {
+		err := e.removeAllPeers()
+		if err != nil {
+			return err
+		}
+	} else {
+		err := e.removePeers(networkMap.GetRemotePeers())
+		if err != nil {
+			return err
+		}
+
+		err = e.addNewPeers(networkMap.GetRemotePeers())
+		if err != nil {
+			return err
+		}
+	}
+
+	e.networkSerial = serial
+	return nil
+}
+
+// addNewPeers finds and adds peers that were not know before but arrived from the Management service with the update
+func (e *Engine) addNewPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
+	for _, p := range peersUpdate {
+		peerKey := p.GetWgPubKey()
+		peerIPs := p.GetAllowedIps()
+		if _, ok := e.peerConns[peerKey]; !ok {
+			conn, err := e.createPeerConn(peerKey, strings.Join(peerIPs, ","))
+			if err != nil {
+				return err
+			}
+			e.peerConns[peerKey] = conn
+
+			go e.connWorker(conn, peerKey)
+		}
+
+	}
+	return nil
+}
+
+func (e Engine) connWorker(conn *peer.Conn, peerKey string) {
+	for {
+
+		// randomize starting time a bit
+		min := 500
+		max := 2000
+		time.Sleep(time.Duration(rand.Intn(max-min)+min) * time.Millisecond)
+
+		// if peer has been removed -> give up
+		if !e.peerExists(peerKey) {
+			log.Debugf("peer %s doesn't exist anymore, won't retry connection", peerKey)
+			return
+		}
+
+		if !e.signal.Ready() {
+			log.Infof("signal client isn't ready, skipping connection attempt %s", peerKey)
+			continue
+		}
+
+		err := conn.Open()
+		if err != nil {
+			log.Debugf("connection to peer %s failed: %v", peerKey, err)
+		}
+	}
+}
+
+func (e Engine) peerExists(peerKey string) bool {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+	_, ok := e.peerConns[peerKey]
+	return ok
+}
+
+func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, error) {
+	var stunTurn []*ice.URL
+	stunTurn = append(stunTurn, e.STUNs...)
+	stunTurn = append(stunTurn, e.TURNs...)
+
+	interfaceBlacklist := make([]string, 0, len(e.config.IFaceBlackList))
+	for k := range e.config.IFaceBlackList {
+		interfaceBlacklist = append(interfaceBlacklist, k)
+	}
+
+	proxyConfig := proxy.Config{
+		RemoteKey:    pubKey,
+		WgListenAddr: fmt.Sprintf("127.0.0.1:%d", e.config.WgPort),
+		WgInterface:  e.wgInterface,
+		AllowedIps:   allowedIPs,
+		PreSharedKey: e.config.PreSharedKey,
+	}
+
+	// randomize connection timeout
+	timeout := time.Duration(rand.Intn(PeerConnectionTimeoutMax-PeerConnectionTimeoutMin)+PeerConnectionTimeoutMin) * time.Millisecond
+	config := peer.ConnConfig{
+		Key:                pubKey,
+		LocalKey:           e.config.WgPrivateKey.PublicKey().String(),
+		StunTurn:           stunTurn,
+		InterfaceBlackList: interfaceBlacklist,
+		Timeout:            timeout,
+		UDPMux:             e.udpMux,
+		UDPMuxSrflx:        e.udpMuxSrflx,
+		ProxyConfig:        proxyConfig,
+	}
+
+	peerConn, err := peer.NewConn(config)
+	if err != nil {
+		return nil, err
+	}
+
+	wgPubKey, err := wgtypes.ParseKey(pubKey)
+	if err != nil {
+		return nil, err
+	}
+
+	signalOffer := func(uFrag string, pwd string) error {
+		return signalAuth(uFrag, pwd, e.config.WgPrivateKey, wgPubKey, e.signal, false)
+	}
+
+	signalCandidate := func(candidate ice.Candidate) error {
+		return signalCandidate(candidate, e.config.WgPrivateKey, wgPubKey, e.signal)
+	}
+
+	signalAnswer := func(uFrag string, pwd string) error {
+		return signalAuth(uFrag, pwd, e.config.WgPrivateKey, wgPubKey, e.signal, true)
+	}
+
+	peerConn.SetSignalCandidate(signalCandidate)
+	peerConn.SetSignalOffer(signalOffer)
+	peerConn.SetSignalAnswer(signalAnswer)
+
+	return peerConn, nil
+}
+
+// receiveSignalEvents connects to the Signal Service event stream to negotiate connection with remote peers
+func (e *Engine) receiveSignalEvents() {
+	go func() {
+		// connect to a stream of messages coming from the signal server
+		err := e.signal.Receive(func(msg *sProto.Message) error {
+			e.syncMsgMux.Lock()
+			defer e.syncMsgMux.Unlock()
+
+			conn := e.peerConns[msg.Key]
+			if conn == nil {
+				return fmt.Errorf("wrongly addressed message %s", msg.Key)
+			}
+
+			switch msg.GetBody().Type {
+			case sProto.Body_OFFER:
+				remoteCred, err := signal.UnMarshalCredential(msg)
+				if err != nil {
+					return err
+				}
+				conn.OnRemoteOffer(peer.IceCredentials{
+					UFrag: remoteCred.UFrag,
+					Pwd:   remoteCred.Pwd,
+				})
+			case sProto.Body_ANSWER:
+				remoteCred, err := signal.UnMarshalCredential(msg)
+				if err != nil {
+					return err
+				}
+				conn.OnRemoteAnswer(peer.IceCredentials{
+					UFrag: remoteCred.UFrag,
+					Pwd:   remoteCred.Pwd,
+				})
+			case sProto.Body_CANDIDATE:
+				candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
+				if err != nil {
+					log.Errorf("failed on parsing remote candidate %s -> %s", candidate, err)
+					return err
+				}
+				conn.OnRemoteCandidate(candidate)
+			}
+
+			return nil
+		})
+		if err != nil {
+			// happens if signal is unavailable for a long time.
+			// We want to cancel the operation of the whole client
+			_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
+			e.cancel()
+			return
+		}
+	}()
+
+	e.signal.WaitStreamConnected()
+}

client/internal/engine_test.go

@@ -0,0 +1,475 @@
+package internal
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/netbirdio/netbird/client/system"
+	mgmt "github.com/netbirdio/netbird/management/client"
+	mgmtProto "github.com/netbirdio/netbird/management/proto"
+	"github.com/netbirdio/netbird/management/server"
+	signal "github.com/netbirdio/netbird/signal/client"
+	"github.com/netbirdio/netbird/signal/proto"
+	signalServer "github.com/netbirdio/netbird/signal/server"
+	"github.com/netbirdio/netbird/util"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/keepalive"
+)
+
+var (
+	kaep = keepalive.EnforcementPolicy{
+		MinTime:             15 * time.Second,
+		PermitWithoutStream: true,
+	}
+
+	kasp = keepalive.ServerParameters{
+		MaxConnectionIdle:     15 * time.Second,
+		MaxConnectionAgeGrace: 5 * time.Second,
+		Time:                  5 * time.Second,
+		Timeout:               2 * time.Second,
+	}
+)
+
+func TestEngine_UpdateNetworkMap(t *testing.T) {
+	// test setup
+	key, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
+		WgIfaceName:  "utun100",
+		WgAddr:       "100.64.0.1/24",
+		WgPrivateKey: key,
+		WgPort:       33100,
+	})
+
+	type testCase struct {
+		name       string
+		networkMap *mgmtProto.NetworkMap
+
+		expectedLen    int
+		expectedPeers  []string
+		expectedSerial uint64
+	}
+
+	peer1 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.10/24"},
+	}
+
+	peer2 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.11/24"},
+	}
+
+	peer3 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "GGHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.12/24"},
+	}
+
+	case1 := testCase{
+		name: "input with a new peer to add",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     1,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				peer1,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    1,
+		expectedPeers:  []string{peer1.GetWgPubKey()},
+		expectedSerial: 1,
+	}
+
+	// 2nd case - one extra peer added and network map has CurrentSerial grater than local => apply the update
+	case2 := testCase{
+		name: "input with an old peer and a new peer to add",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     2,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				peer1, peer2,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    2,
+		expectedPeers:  []string{peer1.GetWgPubKey(), peer2.GetWgPubKey()},
+		expectedSerial: 2,
+	}
+
+	case3 := testCase{
+		name: "input with outdated (old) update to ignore",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     0,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				peer1, peer2, peer3,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    2,
+		expectedPeers:  []string{peer1.GetWgPubKey(), peer2.GetWgPubKey()},
+		expectedSerial: 2,
+	}
+
+	case4 := testCase{
+		name: "input with one peer to remove and one new to add",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     4,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				peer2, peer3,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    2,
+		expectedPeers:  []string{peer2.GetWgPubKey(), peer3.GetWgPubKey()},
+		expectedSerial: 4,
+	}
+
+	case5 := testCase{
+		name: "input with all peers to remove",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:             5,
+			PeerConfig:         nil,
+			RemotePeers:        []*mgmtProto.RemotePeerConfig{},
+			RemotePeersIsEmpty: true,
+		},
+		expectedLen:    0,
+		expectedPeers:  nil,
+		expectedSerial: 5,
+	}
+
+	for _, c := range []testCase{case1, case2, case3, case4, case5} {
+		t.Run(c.name, func(t *testing.T) {
+			err = engine.updateNetworkMap(c.networkMap)
+			if err != nil {
+				t.Fatal(err)
+				return
+			}
+
+			if len(engine.peerConns) != c.expectedLen {
+				t.Errorf("expecting Engine.peerConns to be of size %d, got %d", c.expectedLen, len(engine.peerConns))
+			}
+
+			if engine.networkSerial != c.expectedSerial {
+				t.Errorf("expecting Engine.networkSerial to be equal to %d, actual %d", c.expectedSerial, engine.networkSerial)
+			}
+
+			for _, p := range c.expectedPeers {
+				if _, ok := engine.peerConns[p]; !ok {
+					t.Errorf("expecting Engine.peerConns to contain peer %s", p)
+				}
+			}
+		})
+	}
+}
+
+func TestEngine_Sync(t *testing.T) {
+	key, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// feed updates to Engine via mocked Management client
+	updates := make(chan *mgmtProto.SyncResponse)
+	defer close(updates)
+	syncFunc := func(msgHandler func(msg *mgmtProto.SyncResponse) error) error {
+		for msg := range updates {
+			err := msgHandler(msg)
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+		return nil
+	}
+
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{SyncFunc: syncFunc}, &EngineConfig{
+		WgIfaceName:  "utun100",
+		WgAddr:       "100.64.0.1/24",
+		WgPrivateKey: key,
+		WgPort:       33100,
+	})
+
+	defer func() {
+		err := engine.Stop()
+		if err != nil {
+			return
+		}
+	}()
+
+	err = engine.Start()
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	peer1 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.10/24"},
+	}
+	peer2 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "LLHf3Ma6z6mdLbriAJbqhX9+nM/B71lgw2+91q3LlhU=",
+		AllowedIps: []string{"100.64.0.11/24"},
+	}
+	peer3 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "GGHf3Ma6z6mdLbriAJbqhX9+nM/B71lgw2+91q3LlhU=",
+		AllowedIps: []string{"100.64.0.12/24"},
+	}
+	// 1st update with just 1 peer and serial larger than the current serial of the engine => apply update
+	updates <- &mgmtProto.SyncResponse{
+		NetworkMap: &mgmtProto.NetworkMap{
+			Serial:             10,
+			PeerConfig:         nil,
+			RemotePeers:        []*mgmtProto.RemotePeerConfig{peer1, peer2, peer3},
+			RemotePeersIsEmpty: false,
+		},
+	}
+
+	timeout := time.After(time.Second * 2)
+	for {
+		select {
+		case <-timeout:
+			t.Fatalf("timeout while waiting for test to finish")
+			return
+		default:
+		}
+
+		if len(engine.GetPeers()) == 3 && engine.networkSerial == 10 {
+			break
+		}
+	}
+}
+
+func TestEngine_MultiplePeers(t *testing.T) {
+	// log.SetLevel(log.DebugLevel)
+
+	dir := t.TempDir()
+
+	err := util.CopyFileContents("../testdata/store.json", filepath.Join(dir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = os.Remove(filepath.Join(dir, "store.json")) //nolint
+		if err != nil {
+			t.Fatal(err)
+			return
+		}
+	}()
+
+	ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
+	defer cancel()
+
+	sport := 10010
+	sigServer, err := startSignal(sport)
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+	defer sigServer.Stop()
+	mport := 33081
+	mgmtServer, err := startManagement(mport, dir)
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+	defer mgmtServer.GracefulStop()
+
+	setupKey := "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
+
+	mu := sync.Mutex{}
+	engines := []*Engine{}
+	numPeers := 10
+	wg := sync.WaitGroup{}
+	wg.Add(numPeers)
+	// create and start peers
+	for i := 0; i < numPeers; i++ {
+		j := i
+		go func() {
+			engine, err := createEngine(ctx, cancel, setupKey, j, mport, sport)
+			if err != nil {
+				wg.Done()
+				t.Errorf("unable to create the engine for peer %d with error %v", j, err)
+				return
+			}
+			mu.Lock()
+			defer mu.Unlock()
+			err = engine.Start()
+			if err != nil {
+				t.Errorf("unable to start engine for peer %d with error %v", j, err)
+				wg.Done()
+				return
+			}
+			engines = append(engines, engine)
+			wg.Done()
+		}()
+	}
+
+	// wait until all have been created and started
+	wg.Wait()
+	if len(engines) != numPeers {
+		t.Fatal("not all peers was started")
+	}
+	// check whether all the peer have expected peers connected
+
+	expectedConnected := numPeers * (numPeers - 1)
+
+	// adjust according to timeouts
+	timeout := 50 * time.Second
+	timeoutChan := time.After(timeout)
+	ticker := time.NewTicker(time.Second)
+	defer ticker.Stop()
+loop:
+	for {
+		select {
+		case <-timeoutChan:
+			t.Fatalf("waiting for expected connections timeout after %s", timeout.String())
+			break loop
+		case <-ticker.C:
+			totalConnected := 0
+			for _, engine := range engines {
+				totalConnected = totalConnected + len(engine.GetConnectedPeers())
+			}
+			if totalConnected == expectedConnected {
+				log.Infof("total connected=%d", totalConnected)
+				break loop
+			}
+			log.Infof("total connected=%d", totalConnected)
+		}
+	}
+	// cleanup test
+	for n, peerEngine := range engines {
+		t.Logf("stopping peer with interface %s from multipeer test, loopIndex %d", peerEngine.wgInterface.Name, n)
+		errStop := peerEngine.mgmClient.Close()
+		if errStop != nil {
+			log.Infoln("got error trying to close management clients from engine: ", errStop)
+		}
+		errStop = peerEngine.Stop()
+		if errStop != nil {
+			log.Infoln("got error trying to close testing peers engine: ", errStop)
+		}
+	}
+}
+
+func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey string, i int, mport int, sport int) (*Engine, error) {
+	key, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return nil, err
+	}
+	mgmtClient, err := mgmt.NewClient(ctx, fmt.Sprintf("localhost:%d", mport), key, false)
+	if err != nil {
+		return nil, err
+	}
+	signalClient, err := signal.NewClient(ctx, fmt.Sprintf("localhost:%d", sport), key, false)
+	if err != nil {
+		return nil, err
+	}
+
+	publicKey, err := mgmtClient.GetServerPublicKey()
+	if err != nil {
+		return nil, err
+	}
+
+	info := system.GetInfo(ctx)
+	resp, err := mgmtClient.Register(*publicKey, setupKey, "", info)
+	if err != nil {
+		return nil, err
+	}
+
+	var ifaceName string
+	if runtime.GOOS == "darwin" {
+		ifaceName = fmt.Sprintf("utun1%d", i)
+	} else {
+		ifaceName = fmt.Sprintf("wt%d", i)
+	}
+
+	wgPort := 33100 + i
+	conf := &EngineConfig{
+		WgIfaceName:  ifaceName,
+		WgAddr:       resp.PeerConfig.Address,
+		WgPrivateKey: key,
+		WgPort:       wgPort,
+	}
+
+	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf), nil
+}
+
+func startSignal(port int) (*grpc.Server, error) {
+	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
+
+	lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+	if err != nil {
+		log.Fatalf("failed to listen: %v", err)
+	}
+
+	proto.RegisterSignalExchangeServer(s, signalServer.NewServer())
+
+	go func() {
+		if err = s.Serve(lis); err != nil {
+			log.Fatalf("failed to serve: %v", err)
+		}
+	}()
+
+	return s, nil
+}
+
+func startManagement(port int, dataDir string) (*grpc.Server, error) {
+	config := &server.Config{
+		Stuns:      []*server.Host{},
+		TURNConfig: &server.TURNConfig{},
+		Signal: &server.Host{
+			Proto: "http",
+			URI:   "localhost:10000",
+		},
+		Datadir:    dataDir,
+		HttpConfig: nil,
+	}
+
+	lis, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", port))
+	if err != nil {
+		return nil, err
+	}
+	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
+	store, err := server.NewStore(config.Datadir)
+	if err != nil {
+		log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
+	}
+	peersUpdateManager := server.NewPeersUpdateManager()
+	accountManager, err := server.BuildManager(store, peersUpdateManager, nil)
+	if err != nil {
+		return nil, err
+	}
+	turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
+	mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager)
+	if err != nil {
+		return nil, err
+	}
+	mgmtProto.RegisterManagementServiceServer(s, mgmtServer)
+	go func() {
+		if err = s.Serve(lis); err != nil {
+			log.Fatalf("failed to serve: %v", err)
+		}
+	}()
+
+	return s, nil
+}

client/internal/login.go

@@ -0,0 +1,95 @@
+package internal
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/netbirdio/netbird/client/system"
+	mgm "github.com/netbirdio/netbird/management/client"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+func Login(ctx context.Context, config *Config, setupKey string, jwtToken string) error {
+	// validate our peer's Wireguard PRIVATE key
+	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+	if err != nil {
+		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+		return err
+	}
+
+	var mgmTlsEnabled bool
+	if config.ManagementURL.Scheme == "https" {
+		mgmTlsEnabled = true
+	}
+
+	log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
+	mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+	if err != nil {
+		log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
+		return err
+	}
+	log.Debugf("connected to management Service %s", config.ManagementURL.String())
+
+	serverKey, err := mgmClient.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return err
+	}
+
+	_, err = loginPeer(ctx, *serverKey, mgmClient, setupKey, jwtToken)
+	if err != nil {
+		log.Errorf("failed logging-in peer on Management Service : %v", err)
+		return err
+	}
+
+	err = mgmClient.Close()
+	if err != nil {
+		log.Errorf("failed closing Management Service client: %v", err)
+		return err
+	}
+
+	return nil
+}
+
+// loginPeer attempts to login to Management Service. If peer wasn't registered, tries the registration flow.
+func loginPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string, jwtToken string) (*mgmProto.LoginResponse, error) {
+	sysInfo := system.GetInfo(ctx)
+	loginResp, err := client.Login(serverPublicKey, sysInfo)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+			log.Debugf("peer registration required")
+			return registerPeer(ctx, serverPublicKey, client, setupKey, jwtToken)
+		} else {
+			return nil, err
+		}
+	}
+
+	log.Info("peer has successfully logged-in to Management Service")
+
+	return loginResp, nil
+}
+
+// registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
+// Otherwise tries to register with the provided setupKey via command line.
+func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string, jwtToken string) (*mgmProto.LoginResponse, error) {
+	validSetupKey, err := uuid.Parse(setupKey)
+	if err != nil && jwtToken == "" {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid setup-key or no sso information provided, err: %v", err)
+	}
+
+	log.Debugf("sending peer registration request to Management Service")
+	info := system.GetInfo(ctx)
+	loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), jwtToken, info)
+	if err != nil {
+		log.Errorf("failed registering peer %v,%s", err, validSetupKey.String())
+		return nil, err
+	}
+
+	log.Infof("peer has been successfully registered on Management Service")
+
+	return loginResp, nil
+}

client/internal/oauth.go

@@ -0,0 +1,305 @@
+package internal
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// OAuthClient is a OAuth client interface for various idp providers
+type OAuthClient interface {
+	RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error)
+	RotateAccessToken(ctx context.Context, refreshToken string) (TokenInfo, error)
+	WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo, error)
+	GetClientID(ctx context.Context) string
+}
+
+// HTTPClient http client interface for API calls
+type HTTPClient interface {
+	Do(req *http.Request) (*http.Response, error)
+}
+
+// DeviceAuthInfo holds information for the OAuth device login flow
+type DeviceAuthInfo struct {
+	DeviceCode              string `json:"device_code"`
+	UserCode                string `json:"user_code"`
+	VerificationURI         string `json:"verification_uri"`
+	VerificationURIComplete string `json:"verification_uri_complete"`
+	ExpiresIn               int    `json:"expires_in"`
+	Interval                int    `json:"interval"`
+}
+
+// TokenInfo holds information of issued access token
+type TokenInfo struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	IDToken      string `json:"id_token"`
+	TokenType    string `json:"token_type"`
+	ExpiresIn    int    `json:"expires_in"`
+}
+
+// HostedGrantType grant type for device flow on Hosted
+const (
+	HostedGrantType    = "urn:ietf:params:oauth:grant-type:device_code"
+	HostedRefreshGrant = "refresh_token"
+)
+
+// Hosted client
+type Hosted struct {
+	// Hosted API Audience for validation
+	Audience string
+	// Hosted Native application client id
+	ClientID string
+	// Hosted domain
+	Domain string
+
+	HTTPClient HTTPClient
+}
+
+// RequestDeviceCodePayload used for request device code payload for auth0
+type RequestDeviceCodePayload struct {
+	Audience string `json:"audience"`
+	ClientID string `json:"client_id"`
+}
+
+// TokenRequestPayload used for requesting the auth0 token
+type TokenRequestPayload struct {
+	GrantType    string `json:"grant_type"`
+	DeviceCode   string `json:"device_code,omitempty"`
+	ClientID     string `json:"client_id"`
+	RefreshToken string `json:"refresh_token,omitempty"`
+}
+
+// TokenRequestResponse used for parsing Hosted token's response
+type TokenRequestResponse struct {
+	Error            string `json:"error"`
+	ErrorDescription string `json:"error_description"`
+	TokenInfo
+}
+
+// Claims used when validating the access token
+type Claims struct {
+	Audience string `json:"aud"`
+}
+
+// NewHostedDeviceFlow returns an Hosted OAuth client
+func NewHostedDeviceFlow(audience string, clientID string, domain string) *Hosted {
+	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
+	httpTransport.MaxIdleConns = 5
+
+	httpClient := &http.Client{
+		Timeout:   10 * time.Second,
+		Transport: httpTransport,
+	}
+
+	return &Hosted{
+		Audience:   audience,
+		ClientID:   clientID,
+		Domain:     domain,
+		HTTPClient: httpClient,
+	}
+}
+
+// GetClientID returns the provider client id
+func (h *Hosted) GetClientID(ctx context.Context) string {
+	return h.ClientID
+}
+
+// RequestDeviceCode requests a device code login flow information from Hosted
+func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error) {
+	url := "https://" + h.Domain + "/oauth/device/code"
+	codePayload := RequestDeviceCodePayload{
+		Audience: h.Audience,
+		ClientID: h.ClientID,
+	}
+	p, err := json.Marshal(codePayload)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("parsing payload failed with error: %v", err)
+	}
+	payload := strings.NewReader(string(p))
+	req, err := http.NewRequest("POST", url, payload)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("creating request failed with error: %v", err)
+	}
+
+	req.Header.Add("content-type", "application/json")
+
+	res, err := h.HTTPClient.Do(req)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("doing request failed with error: %v", err)
+	}
+
+	defer res.Body.Close()
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("reading body failed with error: %v", err)
+	}
+
+	if res.StatusCode != 200 {
+		return DeviceAuthInfo{}, fmt.Errorf("request device code returned status %d error: %s", res.StatusCode, string(body))
+	}
+
+	deviceCode := DeviceAuthInfo{}
+	err = json.Unmarshal(body, &deviceCode)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("unmarshaling response failed with error: %v", err)
+	}
+
+	return deviceCode, err
+}
+
+// WaitToken waits user's login and authorize the app. Once the user's authorize
+// it retrieves the access token from Hosted's endpoint and validates it before returning
+func (h *Hosted) WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo, error) {
+	interval := time.Duration(info.Interval) * time.Second
+	ticker := time.NewTicker(interval)
+	for {
+		select {
+		case <-ctx.Done():
+			return TokenInfo{}, ctx.Err()
+		case <-ticker.C:
+			url := "https://" + h.Domain + "/oauth/token"
+			tokenReqPayload := TokenRequestPayload{
+				GrantType:  HostedGrantType,
+				DeviceCode: info.DeviceCode,
+				ClientID:   h.ClientID,
+			}
+
+			body, statusCode, err := requestToken(h.HTTPClient, url, tokenReqPayload)
+			if err != nil {
+				return TokenInfo{}, fmt.Errorf("wait for token: %v", err)
+			}
+
+			if statusCode > 499 {
+				return TokenInfo{}, fmt.Errorf("wait token code returned error: %s", string(body))
+			}
+
+			tokenResponse := TokenRequestResponse{}
+			err = json.Unmarshal(body, &tokenResponse)
+			if err != nil {
+				return TokenInfo{}, fmt.Errorf("parsing token response failed with error: %v", err)
+			}
+
+			if tokenResponse.Error != "" {
+				if tokenResponse.Error == "authorization_pending" {
+					continue
+				} else if tokenResponse.Error == "slow_down" {
+					interval = interval + (3 * time.Second)
+					ticker.Reset(interval)
+					continue
+				}
+
+				return TokenInfo{}, fmt.Errorf(tokenResponse.ErrorDescription)
+			}
+
+			err = isValidAccessToken(tokenResponse.AccessToken, h.Audience)
+			if err != nil {
+				return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
+			}
+
+			tokenInfo := TokenInfo{
+				AccessToken:  tokenResponse.AccessToken,
+				TokenType:    tokenResponse.TokenType,
+				RefreshToken: tokenResponse.RefreshToken,
+				IDToken:      tokenResponse.IDToken,
+				ExpiresIn:    tokenResponse.ExpiresIn,
+			}
+			return tokenInfo, err
+		}
+	}
+}
+
+// RotateAccessToken requests a new token using an existing refresh token
+func (h *Hosted) RotateAccessToken(ctx context.Context, refreshToken string) (TokenInfo, error) {
+	url := "https://" + h.Domain + "/oauth/token"
+	tokenReqPayload := TokenRequestPayload{
+		GrantType:    HostedRefreshGrant,
+		ClientID:     h.ClientID,
+		RefreshToken: refreshToken,
+	}
+
+	body, statusCode, err := requestToken(h.HTTPClient, url, tokenReqPayload)
+	if err != nil {
+		return TokenInfo{}, fmt.Errorf("rotate access token: %v", err)
+	}
+
+	if statusCode != 200 {
+		return TokenInfo{}, fmt.Errorf("rotating token returned error: %s", string(body))
+	}
+
+	tokenResponse := TokenRequestResponse{}
+	err = json.Unmarshal(body, &tokenResponse)
+	if err != nil {
+		return TokenInfo{}, fmt.Errorf("parsing token response failed with error: %v", err)
+	}
+
+	err = isValidAccessToken(tokenResponse.AccessToken, h.Audience)
+	if err != nil {
+		return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
+	}
+
+	tokenInfo := TokenInfo{
+		AccessToken:  tokenResponse.AccessToken,
+		TokenType:    tokenResponse.TokenType,
+		RefreshToken: tokenResponse.RefreshToken,
+		IDToken:      tokenResponse.IDToken,
+		ExpiresIn:    tokenResponse.ExpiresIn,
+	}
+	return tokenInfo, err
+}
+
+func requestToken(client HTTPClient, url string, tokenReqPayload TokenRequestPayload) ([]byte, int, error) {
+	p, err := json.Marshal(tokenReqPayload)
+	if err != nil {
+		return nil, 0, fmt.Errorf("parsing token payload failed with error: %v", err)
+	}
+	payload := strings.NewReader(string(p))
+	req, err := http.NewRequest("POST", url, payload)
+	if err != nil {
+		return nil, 0, fmt.Errorf("creating token request failed with error: %v", err)
+	}
+
+	req.Header.Add("content-type", "application/json")
+
+	res, err := client.Do(req)
+	if err != nil {
+		return nil, 0, fmt.Errorf("doing token request failed with error: %v", err)
+	}
+
+	defer res.Body.Close()
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, 0, fmt.Errorf("reading token body failed with error: %v", err)
+	}
+	return body, res.StatusCode, nil
+}
+
+// isValidAccessToken is a simple validation of the access token
+func isValidAccessToken(token string, audience string) error {
+	if token == "" {
+		return fmt.Errorf("token received is empty")
+	}
+
+	encodedClaims := strings.Split(token, ".")[1]
+	claimsString, err := base64.RawURLEncoding.DecodeString(encodedClaims)
+	if err != nil {
+		return err
+	}
+
+	claims := Claims{}
+	err = json.Unmarshal(claimsString, &claims)
+	if err != nil {
+		return err
+	}
+
+	if claims.Audience != audience {
+		return fmt.Errorf("invalid audience")
+	}
+
+	return nil
+}

client/internal/oauth_test.go

@@ -0,0 +1,415 @@
+package internal
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/golang-jwt/jwt"
+	"github.com/stretchr/testify/require"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+)
+
+type mockHTTPClient struct {
+	code         int
+	resBody      string
+	reqBody      string
+	MaxReqs      int
+	count        int
+	countResBody string
+	err          error
+}
+
+func (c *mockHTTPClient) Do(req *http.Request) (*http.Response, error) {
+	body, err := ioutil.ReadAll(req.Body)
+	if err == nil {
+		c.reqBody = string(body)
+	}
+
+	if c.MaxReqs > c.count {
+		c.count++
+		return &http.Response{
+			StatusCode: c.code,
+			Body:       ioutil.NopCloser(strings.NewReader(c.countResBody)),
+		}, c.err
+	}
+
+	return &http.Response{
+		StatusCode: c.code,
+		Body:       ioutil.NopCloser(strings.NewReader(c.resBody)),
+	}, c.err
+}
+
+func TestHosted_RequestDeviceCode(t *testing.T) {
+	type test struct {
+		name             string
+		inputResBody     string
+		inputReqCode     int
+		inputReqError    error
+		testingErrFunc   require.ErrorAssertionFunc
+		expectedErrorMSG string
+		testingFunc      require.ComparisonAssertionFunc
+		expectedOut      DeviceAuthInfo
+		expectedMSG      string
+		expectPayload    RequestDeviceCodePayload
+	}
+
+	testCase1 := test{
+		name: "Payload Is Valid",
+		expectPayload: RequestDeviceCodePayload{
+			Audience: "ok",
+			ClientID: "bla",
+		},
+		inputReqCode:   200,
+		testingErrFunc: require.Error,
+		testingFunc:    require.EqualValues,
+	}
+
+	testCase2 := test{
+		name:             "Exit On Network Error",
+		inputReqError:    fmt.Errorf("error"),
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	testCase3 := test{
+		name:             "Exit On Exit Code",
+		inputReqCode:     400,
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+	testCase4Out := DeviceAuthInfo{ExpiresIn: 10}
+	testCase4 := test{
+		name:         "Got Device Code",
+		inputResBody: fmt.Sprintf("{\"expires_in\":%d}", testCase4Out.ExpiresIn),
+		expectPayload: RequestDeviceCodePayload{
+			Audience: "ok",
+			ClientID: "bla",
+		},
+		inputReqCode:   200,
+		testingErrFunc: require.NoError,
+		testingFunc:    require.EqualValues,
+		expectedOut:    testCase4Out,
+		expectedMSG:    "out should match",
+	}
+
+	for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4} {
+		t.Run(testCase.name, func(t *testing.T) {
+
+			httpClient := mockHTTPClient{
+				resBody: testCase.inputResBody,
+				code:    testCase.inputReqCode,
+				err:     testCase.inputReqError,
+			}
+
+			hosted := Hosted{
+				Audience:   testCase.expectPayload.Audience,
+				ClientID:   testCase.expectPayload.ClientID,
+				Domain:     "test.hosted.com",
+				HTTPClient: &httpClient,
+			}
+
+			authInfo, err := hosted.RequestDeviceCode(context.TODO())
+			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)
+
+			payload, _ := json.Marshal(testCase.expectPayload)
+
+			require.EqualValues(t, string(payload), httpClient.reqBody, "payload should match")
+
+			testCase.testingFunc(t, testCase.expectedOut, authInfo, testCase.expectedMSG)
+
+		})
+	}
+}
+
+func TestHosted_WaitToken(t *testing.T) {
+	type test struct {
+		name              string
+		inputResBody      string
+		inputReqCode      int
+		inputReqError     error
+		inputMaxReqs      int
+		inputCountResBody string
+		inputTimeout      time.Duration
+		inputInfo         DeviceAuthInfo
+		inputAudience     string
+		testingErrFunc    require.ErrorAssertionFunc
+		expectedErrorMSG  string
+		testingFunc       require.ComparisonAssertionFunc
+		expectedOut       TokenInfo
+		expectedMSG       string
+		expectPayload     TokenRequestPayload
+	}
+
+	defaultInfo := DeviceAuthInfo{
+		DeviceCode: "test",
+		ExpiresIn:  10,
+		Interval:   1,
+	}
+
+	tokenReqPayload := TokenRequestPayload{
+		GrantType:  HostedGrantType,
+		DeviceCode: defaultInfo.DeviceCode,
+		ClientID:   "test",
+	}
+
+	testCase1 := test{
+		name:           "Payload Is Valid",
+		inputInfo:      defaultInfo,
+		inputTimeout:   time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		inputReqCode:   200,
+		testingErrFunc: require.Error,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+	}
+
+	testCase2 := test{
+		name:             "Exit On Network Error",
+		inputInfo:        defaultInfo,
+		inputTimeout:     time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		expectPayload:    tokenReqPayload,
+		inputReqError:    fmt.Errorf("error"),
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	testCase3 := test{
+		name:             "Exit On 4XX When Not Pending",
+		inputInfo:        defaultInfo,
+		inputTimeout:     time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		inputReqCode:     400,
+		expectPayload:    tokenReqPayload,
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	testCase4 := test{
+		name:             "Exit On Exit Code 5XX",
+		inputInfo:        defaultInfo,
+		inputTimeout:     time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		inputReqCode:     500,
+		expectPayload:    tokenReqPayload,
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	testCase5 := test{
+		name:             "Exit On Content Timeout",
+		inputInfo:        defaultInfo,
+		inputTimeout:     0 * time.Second,
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	audience := "test"
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{"aud": audience})
+	var hmacSampleSecret []byte
+	tokenString, _ := token.SignedString(hmacSampleSecret)
+
+	testCase6 := test{
+		name:           "Exit On Invalid Audience",
+		inputInfo:      defaultInfo,
+		inputResBody:   fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
+		inputTimeout:   time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		inputReqCode:   200,
+		inputAudience:  "super test",
+		testingErrFunc: require.Error,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+	}
+
+	testCase7 := test{
+		name:           "Received Token Info",
+		inputInfo:      defaultInfo,
+		inputResBody:   fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
+		inputTimeout:   time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		inputReqCode:   200,
+		inputAudience:  audience,
+		testingErrFunc: require.NoError,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+		expectedOut:    TokenInfo{AccessToken: tokenString},
+	}
+
+	testCase8 := test{
+		name:              "Received Token Info after Multiple tries",
+		inputInfo:         defaultInfo,
+		inputResBody:      fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
+		inputTimeout:      time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		inputMaxReqs:      2,
+		inputCountResBody: "{\"error\":\"authorization_pending\"}",
+		inputReqCode:      200,
+		inputAudience:     audience,
+		testingErrFunc:    require.NoError,
+		testingFunc:       require.EqualValues,
+		expectPayload:     tokenReqPayload,
+		expectedOut:       TokenInfo{AccessToken: tokenString},
+	}
+
+	for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4, testCase5, testCase6, testCase7, testCase8} {
+		t.Run(testCase.name, func(t *testing.T) {
+
+			httpClient := mockHTTPClient{
+				resBody:      testCase.inputResBody,
+				code:         testCase.inputReqCode,
+				err:          testCase.inputReqError,
+				MaxReqs:      testCase.inputMaxReqs,
+				countResBody: testCase.inputCountResBody,
+			}
+
+			hosted := Hosted{
+				Audience:   testCase.inputAudience,
+				ClientID:   testCase.expectPayload.ClientID,
+				Domain:     "test.hosted.com",
+				HTTPClient: &httpClient,
+			}
+
+			ctx, cancel := context.WithTimeout(context.TODO(), testCase.inputTimeout)
+			defer cancel()
+			tokenInfo, err := hosted.WaitToken(ctx, testCase.inputInfo)
+			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)
+
+			var payload []byte
+			var emptyPayload TokenRequestPayload
+			if testCase.expectPayload != emptyPayload {
+				payload, _ = json.Marshal(testCase.expectPayload)
+			}
+			require.EqualValues(t, string(payload), httpClient.reqBody, "payload should match")
+
+			testCase.testingFunc(t, testCase.expectedOut, tokenInfo, testCase.expectedMSG)
+
+			require.GreaterOrEqualf(t, testCase.inputMaxReqs, httpClient.count, "should run %d times", testCase.inputMaxReqs)
+
+		})
+	}
+}
+
+func TestHosted_RotateAccessToken(t *testing.T) {
+	type test struct {
+		name             string
+		inputResBody     string
+		inputReqCode     int
+		inputReqError    error
+		inputMaxReqs     int
+		inputInfo        DeviceAuthInfo
+		inputAudience    string
+		testingErrFunc   require.ErrorAssertionFunc
+		expectedErrorMSG string
+		testingFunc      require.ComparisonAssertionFunc
+		expectedOut      TokenInfo
+		expectedMSG      string
+		expectPayload    TokenRequestPayload
+	}
+
+	defaultInfo := DeviceAuthInfo{
+		DeviceCode: "test",
+		ExpiresIn:  10,
+		Interval:   1,
+	}
+
+	tokenReqPayload := TokenRequestPayload{
+		GrantType:    HostedRefreshGrant,
+		ClientID:     "test",
+		RefreshToken: "refresh_test",
+	}
+
+	testCase1 := test{
+		name:           "Payload Is Valid",
+		inputInfo:      defaultInfo,
+		inputReqCode:   200,
+		testingErrFunc: require.Error,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+	}
+
+	testCase2 := test{
+		name:             "Exit On Network Error",
+		inputInfo:        defaultInfo,
+		expectPayload:    tokenReqPayload,
+		inputReqError:    fmt.Errorf("error"),
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	testCase3 := test{
+		name:             "Exit On Non 200 Status Code",
+		inputInfo:        defaultInfo,
+		inputReqCode:     401,
+		expectPayload:    tokenReqPayload,
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	audience := "test"
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{"aud": audience})
+	var hmacSampleSecret []byte
+	tokenString, _ := token.SignedString(hmacSampleSecret)
+
+	testCase4 := test{
+		name:           "Exit On Invalid Audience",
+		inputInfo:      defaultInfo,
+		inputResBody:   fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
+		inputReqCode:   200,
+		inputAudience:  "super test",
+		testingErrFunc: require.Error,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+	}
+
+	testCase5 := test{
+		name:           "Received Token Info",
+		inputInfo:      defaultInfo,
+		inputResBody:   fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
+		inputReqCode:   200,
+		inputAudience:  audience,
+		testingErrFunc: require.NoError,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+		expectedOut:    TokenInfo{AccessToken: tokenString},
+	}
+
+	for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4, testCase5} {
+		t.Run(testCase.name, func(t *testing.T) {
+
+			httpClient := mockHTTPClient{
+				resBody: testCase.inputResBody,
+				code:    testCase.inputReqCode,
+				err:     testCase.inputReqError,
+				MaxReqs: testCase.inputMaxReqs,
+			}
+
+			hosted := Hosted{
+				Audience:   testCase.inputAudience,
+				ClientID:   testCase.expectPayload.ClientID,
+				Domain:     "test.hosted.com",
+				HTTPClient: &httpClient,
+			}
+
+			tokenInfo, err := hosted.RotateAccessToken(context.TODO(), testCase.expectPayload.RefreshToken)
+			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)
+
+			var payload []byte
+			var emptyPayload TokenRequestPayload
+			if testCase.expectPayload != emptyPayload {
+				payload, _ = json.Marshal(testCase.expectPayload)
+			}
+			require.EqualValues(t, string(payload), httpClient.reqBody, "payload should match")
+
+			testCase.testingFunc(t, testCase.expectedOut, tokenInfo, testCase.expectedMSG)
+
+		})
+	}
+}

client/internal/peer/conn.go

@@ -0,0 +1,503 @@
+package peer
+
+import (
+	"context"
+	"github.com/netbirdio/netbird/iface"
+	"golang.zx2c4.com/wireguard/wgctrl"
+	"net"
+	"sync"
+	"time"
+
+	"github.com/netbirdio/netbird/client/internal/proxy"
+	"github.com/pion/ice/v2"
+	log "github.com/sirupsen/logrus"
+)
+
+// ConnConfig is a peer Connection configuration
+type ConnConfig struct {
+
+	// Key is a public key of a remote peer
+	Key string
+	// LocalKey is a public key of a local peer
+	LocalKey string
+
+	// StunTurn is a list of STUN and TURN URLs
+	StunTurn []*ice.URL
+
+	// InterfaceBlackList is a list of machine interfaces that should be filtered out by ICE Candidate gathering
+	// (e.g. if eth0 is in the list, host candidate of this interface won't be used)
+	InterfaceBlackList []string
+
+	Timeout time.Duration
+
+	ProxyConfig proxy.Config
+
+	UDPMux      ice.UDPMux
+	UDPMuxSrflx ice.UniversalUDPMux
+}
+
+// IceCredentials ICE protocol credentials struct
+type IceCredentials struct {
+	UFrag string
+	Pwd   string
+}
+
+type Conn struct {
+	config ConnConfig
+	mu     sync.Mutex
+
+	// signalCandidate is a handler function to signal remote peer about local connection candidate
+	signalCandidate func(candidate ice.Candidate) error
+	// signalOffer is a handler function to signal remote peer our connection offer (credentials)
+	signalOffer  func(uFrag string, pwd string) error
+	signalAnswer func(uFrag string, pwd string) error
+
+	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
+	remoteOffersCh chan IceCredentials
+	// remoteAnswerCh is a channel used to wait for remote credentials answer (confirmation of our offer) to proceed with the connection
+	remoteAnswerCh     chan IceCredentials
+	closeCh            chan struct{}
+	ctx                context.Context
+	notifyDisconnected context.CancelFunc
+
+	agent  *ice.Agent
+	status ConnStatus
+
+	proxy proxy.Proxy
+}
+
+// NewConn creates a new not opened Conn to the remote peer.
+// To establish a connection run Conn.Open
+func NewConn(config ConnConfig) (*Conn, error) {
+	return &Conn{
+		config:         config,
+		mu:             sync.Mutex{},
+		status:         StatusDisconnected,
+		closeCh:        make(chan struct{}),
+		remoteOffersCh: make(chan IceCredentials),
+		remoteAnswerCh: make(chan IceCredentials),
+	}, nil
+}
+
+// interfaceFilter is a function passed to ICE Agent to filter out blacklisted interfaces
+func interfaceFilter(blackList []string) func(string) bool {
+	var blackListMap map[string]struct{}
+	if blackList != nil {
+		blackListMap = make(map[string]struct{})
+		for _, s := range blackList {
+			blackListMap[s] = struct{}{}
+		}
+	}
+	return func(iFace string) bool {
+
+		_, ok := blackListMap[iFace]
+		if ok {
+			return false
+		}
+		// look for unlisted Wireguard interfaces
+		wg, err := wgctrl.New()
+		if err != nil {
+			log.Debugf("trying to create a wgctrl client failed with: %v", err)
+		}
+		defer wg.Close()
+
+		_, err = wg.Device(iFace)
+		return err != nil
+	}
+}
+
+func (conn *Conn) reCreateAgent() error {
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+
+	failedTimeout := 6 * time.Second
+	var err error
+	conn.agent, err = ice.NewAgent(&ice.AgentConfig{
+		MulticastDNSMode: ice.MulticastDNSModeDisabled,
+		NetworkTypes:     []ice.NetworkType{ice.NetworkTypeUDP4},
+		Urls:             conn.config.StunTurn,
+		CandidateTypes:   []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
+		FailedTimeout:    &failedTimeout,
+		InterfaceFilter:  interfaceFilter(conn.config.InterfaceBlackList),
+		UDPMux:           conn.config.UDPMux,
+		UDPMuxSrflx:      conn.config.UDPMuxSrflx,
+	})
+	if err != nil {
+		return err
+	}
+
+	err = conn.agent.OnCandidate(conn.onICECandidate)
+	if err != nil {
+		return err
+	}
+
+	err = conn.agent.OnConnectionStateChange(conn.onICEConnectionStateChange)
+	if err != nil {
+		return err
+	}
+
+	err = conn.agent.OnSelectedCandidatePairChange(conn.onICESelectedCandidatePair)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Open opens connection to the remote peer starting ICE candidate gathering process.
+// Blocks until connection has been closed or connection timeout.
+// ConnStatus will be set accordingly
+func (conn *Conn) Open() error {
+	log.Debugf("trying to connect to peer %s", conn.config.Key)
+
+	defer func() {
+		err := conn.cleanup()
+		if err != nil {
+			log.Warnf("error while cleaning up peer connection %s: %v", conn.config.Key, err)
+			return
+		}
+	}()
+
+	err := conn.reCreateAgent()
+	if err != nil {
+		return err
+	}
+
+	err = conn.sendOffer()
+	if err != nil {
+		return err
+	}
+
+	log.Debugf("connection offer sent to peer %s, waiting for the confirmation", conn.config.Key)
+
+	// Only continue once we got a connection confirmation from the remote peer.
+	// The connection timeout could have happened before a confirmation received from the remote.
+	// The connection could have also been closed externally (e.g. when we received an update from the management that peer shouldn't be connected)
+	var remoteCredentials IceCredentials
+	select {
+	case remoteCredentials = <-conn.remoteOffersCh:
+		// received confirmation from the remote peer -> ready to proceed
+		err = conn.sendAnswer()
+		if err != nil {
+			return err
+		}
+	case remoteCredentials = <-conn.remoteAnswerCh:
+	case <-time.After(conn.config.Timeout):
+		return NewConnectionTimeoutError(conn.config.Key, conn.config.Timeout)
+	case <-conn.closeCh:
+		// closed externally
+		return NewConnectionClosedError(conn.config.Key)
+	}
+
+	log.Debugf("received connection confirmation from peer %s", conn.config.Key)
+
+	// at this point we received offer/answer and we are ready to gather candidates
+	conn.mu.Lock()
+	conn.status = StatusConnecting
+	conn.ctx, conn.notifyDisconnected = context.WithCancel(context.Background())
+	defer conn.notifyDisconnected()
+	conn.mu.Unlock()
+
+	err = conn.agent.GatherCandidates()
+	if err != nil {
+		return err
+	}
+
+	// will block until connection succeeded
+	// but it won't release if ICE Agent went into Disconnected or Failed state,
+	// so we have to cancel it with the provided context once agent detected a broken connection
+	isControlling := conn.config.LocalKey > conn.config.Key
+	var remoteConn *ice.Conn
+	if isControlling {
+		remoteConn, err = conn.agent.Dial(conn.ctx, remoteCredentials.UFrag, remoteCredentials.Pwd)
+	} else {
+		remoteConn, err = conn.agent.Accept(conn.ctx, remoteCredentials.UFrag, remoteCredentials.Pwd)
+	}
+	if err != nil {
+		return err
+	}
+
+	// the connection has been established successfully so we are ready to start the proxy
+	err = conn.startProxy(remoteConn)
+	if err != nil {
+		return err
+	}
+
+	if conn.proxy.Type() == proxy.TypeNoProxy {
+		host, _, _ := net.SplitHostPort(remoteConn.LocalAddr().String())
+		rhost, _, _ := net.SplitHostPort(remoteConn.RemoteAddr().String())
+		// direct Wireguard connection
+		log.Infof("directly connected to peer %s [laddr <-> raddr] [%s:%d <-> %s:%d]", conn.config.Key, host, iface.DefaultWgPort, rhost, iface.DefaultWgPort)
+	} else {
+		log.Infof("connected to peer %s [laddr <-> raddr] [%s <-> %s]", conn.config.Key, remoteConn.LocalAddr().String(), remoteConn.RemoteAddr().String())
+	}
+
+	// wait until connection disconnected or has been closed externally (upper layer, e.g. engine)
+	select {
+	case <-conn.closeCh:
+		// closed externally
+		return NewConnectionClosedError(conn.config.Key)
+	case <-conn.ctx.Done():
+		// disconnected from the remote peer
+		return NewConnectionDisconnectedError(conn.config.Key)
+	}
+}
+
+// useProxy determines whether a direct connection (without a go proxy) is possible
+// There are 3 cases: one of the peers has a public IP or both peers are in the same private network
+// Please note, that this check happens when peers were already able to ping each other using ICE layer.
+func shouldUseProxy(pair *ice.CandidatePair) bool {
+	remoteIP := net.ParseIP(pair.Remote.Address())
+	myIp := net.ParseIP(pair.Local.Address())
+	remoteIsPublic := IsPublicIP(remoteIP)
+	myIsPublic := IsPublicIP(myIp)
+
+	//one of the hosts has a public IP
+	if remoteIsPublic && pair.Remote.Type() == ice.CandidateTypeHost {
+		return false
+	}
+	if myIsPublic && pair.Local.Type() == ice.CandidateTypeHost {
+		return false
+	}
+
+	if pair.Local.Type() == ice.CandidateTypeHost && pair.Remote.Type() == ice.CandidateTypeHost {
+		if !remoteIsPublic && !myIsPublic {
+			//both hosts are in the same private network
+			return false
+		}
+	}
+
+	return true
+}
+
+// IsPublicIP indicates whether IP is public or not.
+func IsPublicIP(ip net.IP) bool {
+	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsPrivate() {
+		return false
+	}
+	return true
+}
+
+// startProxy starts proxying traffic from/to local Wireguard and sets connection status to StatusConnected
+func (conn *Conn) startProxy(remoteConn net.Conn) error {
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+
+	var pair *ice.CandidatePair
+	pair, err := conn.agent.GetSelectedCandidatePair()
+	if err != nil {
+		return err
+	}
+
+	useProxy := shouldUseProxy(pair)
+	var p proxy.Proxy
+	if useProxy {
+		p = proxy.NewWireguardProxy(conn.config.ProxyConfig)
+	} else {
+		p = proxy.NewNoProxy(conn.config.ProxyConfig)
+	}
+	conn.proxy = p
+	err = p.Start(remoteConn)
+	if err != nil {
+		return err
+	}
+
+	conn.status = StatusConnected
+
+	return nil
+}
+
+// cleanup closes all open resources and sets status to StatusDisconnected
+func (conn *Conn) cleanup() error {
+	log.Debugf("trying to cleanup %s", conn.config.Key)
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+
+	if conn.agent != nil {
+		err := conn.agent.Close()
+		if err != nil {
+			return err
+		}
+		conn.agent = nil
+	}
+
+	if conn.proxy != nil {
+		err := conn.proxy.Close()
+		if err != nil {
+			return err
+		}
+		conn.proxy = nil
+	}
+
+	if conn.notifyDisconnected != nil {
+		conn.notifyDisconnected()
+		conn.notifyDisconnected = nil
+	}
+
+	conn.status = StatusDisconnected
+
+	log.Debugf("cleaned up connection to peer %s", conn.config.Key)
+
+	return nil
+}
+
+// SetSignalOffer sets a handler function to be triggered by Conn when a new connection offer has to be signalled to the remote peer
+func (conn *Conn) SetSignalOffer(handler func(uFrag string, pwd string) error) {
+	conn.signalOffer = handler
+}
+
+// SetSignalAnswer sets a handler function to be triggered by Conn when a new connection answer has to be signalled to the remote peer
+func (conn *Conn) SetSignalAnswer(handler func(uFrag string, pwd string) error) {
+	conn.signalAnswer = handler
+}
+
+// SetSignalCandidate sets a handler function to be triggered by Conn when a new ICE local connection candidate has to be signalled to the remote peer
+func (conn *Conn) SetSignalCandidate(handler func(candidate ice.Candidate) error) {
+	conn.signalCandidate = handler
+}
+
+// onICECandidate is a callback attached to an ICE Agent to receive new local connection candidates
+// and then signals them to the remote peer
+func (conn *Conn) onICECandidate(candidate ice.Candidate) {
+	if candidate != nil {
+		// log.Debugf("discovered local candidate %s", candidate.String())
+		go func() {
+			err := conn.signalCandidate(candidate)
+			if err != nil {
+				log.Errorf("failed signaling candidate to the remote peer %s %s", conn.config.Key, err)
+			}
+		}()
+	}
+}
+
+func (conn *Conn) onICESelectedCandidatePair(c1 ice.Candidate, c2 ice.Candidate) {
+	log.Debugf("selected candidate pair [local <-> remote] -> [%s <-> %s], peer %s", c1.String(), c2.String(),
+		conn.config.Key)
+}
+
+// onICEConnectionStateChange registers callback of an ICE Agent to track connection state
+func (conn *Conn) onICEConnectionStateChange(state ice.ConnectionState) {
+	log.Debugf("peer %s ICE ConnectionState has changed to %s", conn.config.Key, state.String())
+	if state == ice.ConnectionStateFailed || state == ice.ConnectionStateDisconnected {
+		conn.notifyDisconnected()
+	}
+}
+
+func (conn *Conn) sendAnswer() error {
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+
+	localUFrag, localPwd, err := conn.agent.GetLocalUserCredentials()
+	if err != nil {
+		return err
+	}
+
+	log.Debugf("sending asnwer to %s", conn.config.Key)
+	err = conn.signalAnswer(localUFrag, localPwd)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// sendOffer prepares local user credentials and signals them to the remote peer
+func (conn *Conn) sendOffer() error {
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+
+	localUFrag, localPwd, err := conn.agent.GetLocalUserCredentials()
+	if err != nil {
+		return err
+	}
+	err = conn.signalOffer(localUFrag, localPwd)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// Close closes this peer Conn issuing a close event to the Conn closeCh
+func (conn *Conn) Close() error {
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+	select {
+	case conn.closeCh <- struct{}{}:
+		return nil
+	default:
+		// probably could happen when peer has been added and removed right after not even starting to connect
+		// todo further investigate
+		// this really happens due to unordered messages coming from management
+		// more importantly it causes inconsistency -> 2 Conn objects for the same peer
+		// e.g. this flow:
+		// update from management has peers: [1,2,3,4]
+		// engine creates a Conn for peers:  [1,2,3,4] and schedules Open in ~1sec
+		// before conn.Open() another update from management arrives with peers: [1,2,3]
+		// engine removes peer 4 and calls conn.Close() which does nothing (this default clause)
+		// before conn.Open() another update from management arrives with peers: [1,2,3,4,5]
+		// engine adds a new Conn for 4 and 5
+		// therefore peer 4 has 2 Conn objects
+		log.Warnf("closing not started coonection %s", conn.config.Key)
+		return NewConnectionAlreadyClosed(conn.config.Key)
+	}
+}
+
+// Status returns current status of the Conn
+func (conn *Conn) Status() ConnStatus {
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+	return conn.status
+}
+
+// OnRemoteOffer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
+// doesn't block, discards the message if connection wasn't ready
+func (conn *Conn) OnRemoteOffer(remoteAuth IceCredentials) bool {
+	log.Debugf("OnRemoteOffer from peer %s on status %s", conn.config.Key, conn.status.String())
+
+	select {
+	case conn.remoteOffersCh <- remoteAuth:
+		return true
+	default:
+		log.Debugf("OnRemoteOffer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String())
+		// connection might not be ready yet to receive so we ignore the message
+		return false
+	}
+}
+
+// OnRemoteAnswer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
+// doesn't block, discards the message if connection wasn't ready
+func (conn *Conn) OnRemoteAnswer(remoteAuth IceCredentials) bool {
+	log.Debugf("OnRemoteAnswer from peer %s on status %s", conn.config.Key, conn.status.String())
+
+	select {
+	case conn.remoteAnswerCh <- remoteAuth:
+		return true
+	default:
+		// connection might not be ready yet to receive so we ignore the message
+		log.Debugf("OnRemoteAnswer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String())
+		return false
+	}
+}
+
+// OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
+func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate) {
+	log.Debugf("OnRemoteCandidate from peer %s -> %s", conn.config.Key, candidate.String())
+	go func() {
+		conn.mu.Lock()
+		defer conn.mu.Unlock()
+
+		if conn.agent == nil {
+			return
+		}
+
+		err := conn.agent.AddRemoteCandidate(candidate)
+		if err != nil {
+			log.Errorf("error while handling remote candidate from peer %s", conn.config.Key)
+			return
+		}
+	}()
+}
+
+func (conn *Conn) GetKey() string {
+	return conn.config.Key
+}

client/internal/peer/conn_test.go

@@ -0,0 +1,144 @@
+package peer
+
+import (
+	"github.com/magiconair/properties/assert"
+	"github.com/netbirdio/netbird/client/internal/proxy"
+	"github.com/pion/ice/v2"
+	"sync"
+	"testing"
+	"time"
+)
+
+var connConf = ConnConfig{
+	Key:                "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+	LocalKey:           "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+	StunTurn:           []*ice.URL{},
+	InterfaceBlackList: nil,
+	Timeout:            time.Second,
+	ProxyConfig:        proxy.Config{},
+}
+
+func TestConn_GetKey(t *testing.T) {
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	got := conn.GetKey()
+
+	assert.Equal(t, got, connConf.Key, "they should be equal")
+}
+
+func TestConn_OnRemoteOffer(t *testing.T) {
+
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	wg := sync.WaitGroup{}
+	wg.Add(2)
+	go func() {
+		<-conn.remoteOffersCh
+		wg.Done()
+	}()
+
+	go func() {
+		for {
+			accepted := conn.OnRemoteOffer(IceCredentials{
+				UFrag: "test",
+				Pwd:   "test",
+			})
+			if accepted {
+				wg.Done()
+				return
+			}
+		}
+	}()
+
+	wg.Wait()
+}
+
+func TestConn_OnRemoteAnswer(t *testing.T) {
+
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	wg := sync.WaitGroup{}
+	wg.Add(2)
+	go func() {
+		<-conn.remoteAnswerCh
+		wg.Done()
+	}()
+
+	go func() {
+		for {
+			accepted := conn.OnRemoteAnswer(IceCredentials{
+				UFrag: "test",
+				Pwd:   "test",
+			})
+			if accepted {
+				wg.Done()
+				return
+			}
+		}
+	}()
+
+	wg.Wait()
+}
+func TestConn_Status(t *testing.T) {
+
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	tables := []struct {
+		name   string
+		status ConnStatus
+		want   ConnStatus
+	}{
+		{"StatusConnected", StatusConnected, StatusConnected},
+		{"StatusDisconnected", StatusDisconnected, StatusDisconnected},
+		{"StatusConnecting", StatusConnecting, StatusConnecting},
+	}
+
+	for _, table := range tables {
+		t.Run(table.name, func(t *testing.T) {
+			conn.status = table.status
+
+			got := conn.Status()
+			assert.Equal(t, got, table.want, "they should be equal")
+		})
+	}
+}
+
+func TestConn_Close(t *testing.T) {
+
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	wg := sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		<-conn.closeCh
+		wg.Done()
+	}()
+
+	go func() {
+		for {
+			err := conn.Close()
+			if err != nil {
+				continue
+			} else {
+				return
+			}
+		}
+	}()
+
+	wg.Wait()
+}

client/internal/peer/error.go

@@ -0,0 +1,72 @@
+package peer
+
+import (
+	"fmt"
+	"time"
+)
+
+// ConnectionTimeoutError is an error indicating that a peer Conn has been timed out
+type ConnectionTimeoutError struct {
+	peer    string
+	timeout time.Duration
+}
+
+func (e *ConnectionTimeoutError) Error() string {
+	return fmt.Sprintf("connection to peer %s timed out after %s", e.peer, e.timeout.String())
+}
+
+// NewConnectionTimeoutError creates a new ConnectionTimeoutError error
+func NewConnectionTimeoutError(peer string, timeout time.Duration) error {
+	return &ConnectionTimeoutError{
+		peer:    peer,
+		timeout: timeout,
+	}
+}
+
+// ConnectionClosedError is an error indicating that a peer Conn has been forcefully closed
+type ConnectionClosedError struct {
+	peer string
+}
+
+func (e *ConnectionClosedError) Error() string {
+	return fmt.Sprintf("connection to peer %s has been closed", e.peer)
+}
+
+// NewConnectionClosedError creates a new ConnectionClosedError error
+func NewConnectionClosedError(peer string) error {
+	return &ConnectionClosedError{
+		peer: peer,
+	}
+}
+
+// ConnectionDisconnectedError is an error indicating that a peer Conn has ctx from the remote
+type ConnectionDisconnectedError struct {
+	peer string
+}
+
+func (e *ConnectionDisconnectedError) Error() string {
+	return fmt.Sprintf("disconnected from peer %s", e.peer)
+}
+
+// NewConnectionDisconnectedError creates a new ConnectionDisconnectedError error
+func NewConnectionDisconnectedError(peer string) error {
+	return &ConnectionDisconnectedError{
+		peer: peer,
+	}
+}
+
+// ConnectionAlreadyClosedError is an error indicating that a peer Conn has been already closed and the invocation of the Close() method has been performed over a closed connection
+type ConnectionAlreadyClosedError struct {
+	peer string
+}
+
+func (e *ConnectionAlreadyClosedError) Error() string {
+	return fmt.Sprintf("connection to peer %s has been already closed", e.peer)
+}
+
+// NewConnectionAlreadyClosed creates a new ConnectionAlreadyClosedError error
+func NewConnectionAlreadyClosed(peer string) error {
+	return &ConnectionAlreadyClosedError{
+		peer: peer,
+	}
+}

client/internal/peer/error_test.go

@@ -0,0 +1,27 @@
+package peer
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+	"time"
+)
+
+func TestNewConnectionClosedError(t *testing.T) {
+	err := NewConnectionClosedError("X")
+	assert.Equal(t, &ConnectionClosedError{peer: "X"}, err)
+}
+
+func TestNewConnectionDisconnectedError(t *testing.T) {
+	err := NewConnectionDisconnectedError("X")
+	assert.Equal(t, &ConnectionDisconnectedError{peer: "X"}, err)
+}
+
+func TestNewConnectionTimeoutErrorC(t *testing.T) {
+	err := NewConnectionTimeoutError("X", time.Second)
+	assert.Equal(t, &ConnectionTimeoutError{peer: "X", timeout: time.Second}, err)
+}
+
+func TestNewConnectionAlreadyClosed(t *testing.T) {
+	err := NewConnectionAlreadyClosed("X")
+	assert.Equal(t, &ConnectionAlreadyClosedError{peer: "X"}, err)
+}

client/internal/peer/status.go

@@ -0,0 +1,25 @@
+package peer
+
+import log "github.com/sirupsen/logrus"
+
+type ConnStatus int
+
+func (s ConnStatus) String() string {
+	switch s {
+	case StatusConnecting:
+		return "StatusConnecting"
+	case StatusConnected:
+		return "StatusConnected"
+	case StatusDisconnected:
+		return "StatusDisconnected"
+	default:
+		log.Errorf("unknown status: %d", s)
+		return "INVALID_PEER_CONNECTION_STATUS"
+	}
+}
+
+const (
+	StatusConnected = iota
+	StatusConnecting
+	StatusDisconnected
+)

client/internal/peer/status_test.go

@@ -0,0 +1,27 @@
+package peer
+
+import (
+	"github.com/magiconair/properties/assert"
+	"testing"
+)
+
+func TestConnStatus_String(t *testing.T) {
+
+	tables := []struct {
+		name   string
+		status ConnStatus
+		want   string
+	}{
+		{"StatusConnected", StatusConnected, "StatusConnected"},
+		{"StatusDisconnected", StatusDisconnected, "StatusDisconnected"},
+		{"StatusConnecting", StatusConnecting, "StatusConnecting"},
+	}
+
+	for _, table := range tables {
+		t.Run(table.name, func(t *testing.T) {
+			got := table.status.String()
+			assert.Equal(t, got, table.want, "they should be equal")
+		})
+	}
+
+}

client/internal/proxy/dummy.go

@@ -0,0 +1,72 @@
+package proxy
+
+import (
+	"context"
+	log "github.com/sirupsen/logrus"
+	"net"
+	"time"
+)
+
+// DummyProxy just sends pings to the RemoteKey peer and reads responses
+type DummyProxy struct {
+	conn   net.Conn
+	remote string
+	ctx    context.Context
+	cancel context.CancelFunc
+}
+
+func NewDummyProxy(remote string) *DummyProxy {
+	p := &DummyProxy{remote: remote}
+	p.ctx, p.cancel = context.WithCancel(context.Background())
+	return p
+}
+
+func (p *DummyProxy) Close() error {
+	p.cancel()
+	return nil
+}
+
+func (p *DummyProxy) Start(remoteConn net.Conn) error {
+	p.conn = remoteConn
+	go func() {
+		buf := make([]byte, 1500)
+		for {
+			select {
+			case <-p.ctx.Done():
+				return
+			default:
+				_, err := p.conn.Read(buf)
+				if err != nil {
+					log.Errorf("error while reading RemoteKey %s proxy %v", p.remote, err)
+					return
+				}
+				//log.Debugf("received %s from %s", string(buf[:n]), p.remote)
+			}
+
+		}
+	}()
+
+	go func() {
+		for {
+			select {
+			case <-p.ctx.Done():
+				return
+			default:
+				_, err := p.conn.Write([]byte("hello"))
+				//log.Debugf("sent ping to %s", p.remote)
+				if err != nil {
+					log.Errorf("error while writing to RemoteKey %s proxy %v", p.remote, err)
+					return
+				}
+				time.Sleep(5 * time.Second)
+			}
+		}
+
+	}()
+
+	return nil
+}
+
+func (p *DummyProxy) Type() Type {
+	return TypeDummy
+}

client/internal/proxy/noproxy.go

@@ -0,0 +1,52 @@
+package proxy
+
+import (
+	"github.com/netbirdio/netbird/iface"
+	log "github.com/sirupsen/logrus"
+	"net"
+)
+
+// NoProxy is used when there is no need for a proxy between ICE and Wireguard.
+// This is possible in either of these cases:
+// - peers are in the same local network
+// - one of the peers has a public static IP (host)
+// NoProxy will just update remote peer with a remote host and fixed Wireguard port (r.g. 51820).
+// In order NoProxy to work, Wireguard port has to be fixed for the time being.
+type NoProxy struct {
+	config Config
+}
+
+func NewNoProxy(config Config) *NoProxy {
+	return &NoProxy{config: config}
+}
+
+func (p *NoProxy) Close() error {
+	err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// Start just updates Wireguard peer with the remote IP and default Wireguard port
+func (p *NoProxy) Start(remoteConn net.Conn) error {
+
+	log.Debugf("using NoProxy while connecting to peer %s", p.config.RemoteKey)
+	addr, err := net.ResolveUDPAddr("udp", remoteConn.RemoteAddr().String())
+	if err != nil {
+		return err
+	}
+	addr.Port = iface.DefaultWgPort
+	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
+		addr, p.config.PreSharedKey)
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (p *NoProxy) Type() Type {
+	return TypeNoProxy
+}

client/internal/proxy/proxy.go

@@ -0,0 +1,34 @@
+package proxy
+
+import (
+	"github.com/netbirdio/netbird/iface"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"io"
+	"net"
+	"time"
+)
+
+const DefaultWgKeepAlive = 25 * time.Second
+
+type Type string
+
+const (
+	TypeNoProxy   Type = "NoProxy"
+	TypeWireguard Type = "Wireguard"
+	TypeDummy     Type = "Dummy"
+)
+
+type Config struct {
+	WgListenAddr string
+	RemoteKey    string
+	WgInterface  iface.WGIface
+	AllowedIps   string
+	PreSharedKey *wgtypes.Key
+}
+
+type Proxy interface {
+	io.Closer
+	// Start creates a local remoteConn and starts proxying data from/to remoteConn
+	Start(remoteConn net.Conn) error
+	Type() Type
+}

client/internal/proxy/wireguard.go

@@ -0,0 +1,128 @@
+package proxy
+
+import (
+	"context"
+	log "github.com/sirupsen/logrus"
+	"net"
+)
+
+// WireguardProxy proxies
+type WireguardProxy struct {
+	ctx    context.Context
+	cancel context.CancelFunc
+
+	config Config
+
+	remoteConn net.Conn
+	localConn  net.Conn
+}
+
+func NewWireguardProxy(config Config) *WireguardProxy {
+	p := &WireguardProxy{config: config}
+	p.ctx, p.cancel = context.WithCancel(context.Background())
+	return p
+}
+
+func (p *WireguardProxy) updateEndpoint() error {
+	udpAddr, err := net.ResolveUDPAddr(p.localConn.LocalAddr().Network(), p.localConn.LocalAddr().String())
+	if err != nil {
+		return err
+	}
+	// add local proxy connection as a Wireguard peer
+	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
+		udpAddr, p.config.PreSharedKey)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (p *WireguardProxy) Start(remoteConn net.Conn) error {
+	p.remoteConn = remoteConn
+
+	var err error
+	p.localConn, err = net.Dial("udp", p.config.WgListenAddr)
+	if err != nil {
+		log.Errorf("failed dialing to local Wireguard port %s", err)
+		return err
+	}
+
+	err = p.updateEndpoint()
+	if err != nil {
+		log.Errorf("error while updating Wireguard peer endpoint [%s] %v", p.config.RemoteKey, err)
+		return err
+	}
+
+	go p.proxyToRemote()
+	go p.proxyToLocal()
+
+	return nil
+}
+
+func (p *WireguardProxy) Close() error {
+	p.cancel()
+	if c := p.localConn; c != nil {
+		err := p.localConn.Close()
+		if err != nil {
+			return err
+		}
+	}
+	err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// proxyToRemote proxies everything from Wireguard to the RemoteKey peer
+// blocks
+func (p *WireguardProxy) proxyToRemote() {
+
+	buf := make([]byte, 1500)
+	for {
+		select {
+		case <-p.ctx.Done():
+			log.Debugf("stopped proxying to remote peer %s due to closed connection", p.config.RemoteKey)
+			return
+		default:
+			n, err := p.localConn.Read(buf)
+			if err != nil {
+				continue
+			}
+
+			_, err = p.remoteConn.Write(buf[:n])
+			if err != nil {
+				continue
+			}
+		}
+	}
+}
+
+// proxyToLocal proxies everything from the RemoteKey peer to local Wireguard
+// blocks
+func (p *WireguardProxy) proxyToLocal() {
+
+	buf := make([]byte, 1500)
+	for {
+		select {
+		case <-p.ctx.Done():
+			log.Debugf("stopped proxying from remote peer %s due to closed connection", p.config.RemoteKey)
+			return
+		default:
+			n, err := p.remoteConn.Read(buf)
+			if err != nil {
+				continue
+			}
+
+			_, err = p.localConn.Write(buf[:n])
+			if err != nil {
+				continue
+			}
+		}
+	}
+}
+
+func (p *WireguardProxy) Type() Type {
+	return TypeWireguard
+}

client/internal/state.go

@@ -0,0 +1,69 @@
+package internal
+
+import (
+	"context"
+	"sync"
+)
+
+type StatusType string
+
+const (
+	StatusIdle StatusType = "Idle"
+
+	StatusConnecting  StatusType = "Connecting"
+	StatusConnected   StatusType = "Connected"
+	StatusNeedsLogin  StatusType = "NeedsLogin"
+	StatusLoginFailed StatusType = "LoginFailed"
+)
+
+// CtxInitState setup context state into the context tree.
+//
+// This function should be used to initialize context before
+// CtxGetState will be executed.
+func CtxInitState(ctx context.Context) context.Context {
+	return context.WithValue(ctx, stateCtx, &contextState{
+		status: StatusIdle,
+	})
+}
+
+// CtxGetState object to get/update state/errors of process.
+func CtxGetState(ctx context.Context) *contextState {
+	return ctx.Value(stateCtx).(*contextState)
+}
+
+type contextState struct {
+	err    error
+	status StatusType
+	mutex  sync.Mutex
+}
+
+func (c *contextState) Set(update StatusType) {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	c.status = update
+	c.err = nil
+}
+
+func (c *contextState) Status() (StatusType, error) {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	if c.err != nil {
+		return "", c.err
+	}
+
+	return c.status, nil
+}
+
+func (c *contextState) Wrap(err error) error {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	c.err = err
+	return err
+}
+
+type stateKey int
+
+var stateCtx stateKey

client/main.go

@@ -0,0 +1,13 @@
+package main
+
+import (
+	"os"
+
+	"github.com/netbirdio/netbird/client/cmd"
+)
+
+func main() {
+	if err := cmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}

client/manifest.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+    <assemblyIdentity
+            version="0.0.0.1"
+            processorArchitecture="*"
+            name="netbird.exe"
+            type="win32"
+    />
+    <description>Netbird application</description>
+    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
+        <security>
+            <requestedPrivileges>
+                <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
+            </requestedPrivileges>
+        </security>
+    </trustInfo>
+</assembly>

client/proto/daemon.pb.go

@@ -0,0 +1,910 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.26.0
+// 	protoc        v3.19.4
+// source: daemon.proto
+
+package proto
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	_ "google.golang.org/protobuf/types/descriptorpb"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type LoginRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// setupKey wiretrustee setup key.
+	SetupKey string `protobuf:"bytes,1,opt,name=setupKey,proto3" json:"setupKey,omitempty"`
+	// preSharedKey for wireguard setup.
+	PreSharedKey string `protobuf:"bytes,2,opt,name=preSharedKey,proto3" json:"preSharedKey,omitempty"`
+	// managementUrl to authenticate.
+	ManagementUrl string `protobuf:"bytes,3,opt,name=managementUrl,proto3" json:"managementUrl,omitempty"`
+	// adminUrl to manage keys.
+	AdminURL string `protobuf:"bytes,4,opt,name=adminURL,proto3" json:"adminURL,omitempty"`
+}
+
+func (x *LoginRequest) Reset() {
+	*x = LoginRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *LoginRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*LoginRequest) ProtoMessage() {}
+
+func (x *LoginRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use LoginRequest.ProtoReflect.Descriptor instead.
+func (*LoginRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *LoginRequest) GetSetupKey() string {
+	if x != nil {
+		return x.SetupKey
+	}
+	return ""
+}
+
+func (x *LoginRequest) GetPreSharedKey() string {
+	if x != nil {
+		return x.PreSharedKey
+	}
+	return ""
+}
+
+func (x *LoginRequest) GetManagementUrl() string {
+	if x != nil {
+		return x.ManagementUrl
+	}
+	return ""
+}
+
+func (x *LoginRequest) GetAdminURL() string {
+	if x != nil {
+		return x.AdminURL
+	}
+	return ""
+}
+
+type LoginResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	NeedsSSOLogin           bool   `protobuf:"varint,1,opt,name=needsSSOLogin,proto3" json:"needsSSOLogin,omitempty"`
+	UserCode                string `protobuf:"bytes,2,opt,name=userCode,proto3" json:"userCode,omitempty"`
+	VerificationURI         string `protobuf:"bytes,3,opt,name=verificationURI,proto3" json:"verificationURI,omitempty"`
+	VerificationURIComplete string `protobuf:"bytes,4,opt,name=verificationURIComplete,proto3" json:"verificationURIComplete,omitempty"`
+}
+
+func (x *LoginResponse) Reset() {
+	*x = LoginResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *LoginResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*LoginResponse) ProtoMessage() {}
+
+func (x *LoginResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use LoginResponse.ProtoReflect.Descriptor instead.
+func (*LoginResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *LoginResponse) GetNeedsSSOLogin() bool {
+	if x != nil {
+		return x.NeedsSSOLogin
+	}
+	return false
+}
+
+func (x *LoginResponse) GetUserCode() string {
+	if x != nil {
+		return x.UserCode
+	}
+	return ""
+}
+
+func (x *LoginResponse) GetVerificationURI() string {
+	if x != nil {
+		return x.VerificationURI
+	}
+	return ""
+}
+
+func (x *LoginResponse) GetVerificationURIComplete() string {
+	if x != nil {
+		return x.VerificationURIComplete
+	}
+	return ""
+}
+
+type WaitSSOLoginRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	UserCode string `protobuf:"bytes,1,opt,name=userCode,proto3" json:"userCode,omitempty"`
+}
+
+func (x *WaitSSOLoginRequest) Reset() {
+	*x = WaitSSOLoginRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *WaitSSOLoginRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*WaitSSOLoginRequest) ProtoMessage() {}
+
+func (x *WaitSSOLoginRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use WaitSSOLoginRequest.ProtoReflect.Descriptor instead.
+func (*WaitSSOLoginRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *WaitSSOLoginRequest) GetUserCode() string {
+	if x != nil {
+		return x.UserCode
+	}
+	return ""
+}
+
+type WaitSSOLoginResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *WaitSSOLoginResponse) Reset() {
+	*x = WaitSSOLoginResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *WaitSSOLoginResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*WaitSSOLoginResponse) ProtoMessage() {}
+
+func (x *WaitSSOLoginResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use WaitSSOLoginResponse.ProtoReflect.Descriptor instead.
+func (*WaitSSOLoginResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{3}
+}
+
+type UpRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *UpRequest) Reset() {
+	*x = UpRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *UpRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UpRequest) ProtoMessage() {}
+
+func (x *UpRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UpRequest.ProtoReflect.Descriptor instead.
+func (*UpRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{4}
+}
+
+type UpResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *UpResponse) Reset() {
+	*x = UpResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *UpResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UpResponse) ProtoMessage() {}
+
+func (x *UpResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UpResponse.ProtoReflect.Descriptor instead.
+func (*UpResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{5}
+}
+
+type StatusRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *StatusRequest) Reset() {
+	*x = StatusRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *StatusRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StatusRequest) ProtoMessage() {}
+
+func (x *StatusRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StatusRequest.ProtoReflect.Descriptor instead.
+func (*StatusRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{6}
+}
+
+type StatusResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// status of the server.
+	Status string `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
+}
+
+func (x *StatusResponse) Reset() {
+	*x = StatusResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[7]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *StatusResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StatusResponse) ProtoMessage() {}
+
+func (x *StatusResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[7]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StatusResponse.ProtoReflect.Descriptor instead.
+func (*StatusResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *StatusResponse) GetStatus() string {
+	if x != nil {
+		return x.Status
+	}
+	return ""
+}
+
+type DownRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *DownRequest) Reset() {
+	*x = DownRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[8]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DownRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DownRequest) ProtoMessage() {}
+
+func (x *DownRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[8]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DownRequest.ProtoReflect.Descriptor instead.
+func (*DownRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{8}
+}
+
+type DownResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *DownResponse) Reset() {
+	*x = DownResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[9]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DownResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DownResponse) ProtoMessage() {}
+
+func (x *DownResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[9]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DownResponse.ProtoReflect.Descriptor instead.
+func (*DownResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{9}
+}
+
+type GetConfigRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *GetConfigRequest) Reset() {
+	*x = GetConfigRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[10]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetConfigRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetConfigRequest) ProtoMessage() {}
+
+func (x *GetConfigRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[10]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetConfigRequest.ProtoReflect.Descriptor instead.
+func (*GetConfigRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{10}
+}
+
+type GetConfigResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// managementUrl settings value.
+	ManagementUrl string `protobuf:"bytes,1,opt,name=managementUrl,proto3" json:"managementUrl,omitempty"`
+	// configFile settings value.
+	ConfigFile string `protobuf:"bytes,2,opt,name=configFile,proto3" json:"configFile,omitempty"`
+	// logFile settings value.
+	LogFile string `protobuf:"bytes,3,opt,name=logFile,proto3" json:"logFile,omitempty"`
+	// preSharedKey settings value.
+	PreSharedKey string `protobuf:"bytes,4,opt,name=preSharedKey,proto3" json:"preSharedKey,omitempty"`
+	// adminURL settings value.
+	AdminURL string `protobuf:"bytes,5,opt,name=adminURL,proto3" json:"adminURL,omitempty"`
+}
+
+func (x *GetConfigResponse) Reset() {
+	*x = GetConfigResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[11]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetConfigResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetConfigResponse) ProtoMessage() {}
+
+func (x *GetConfigResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[11]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetConfigResponse.ProtoReflect.Descriptor instead.
+func (*GetConfigResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{11}
+}
+
+func (x *GetConfigResponse) GetManagementUrl() string {
+	if x != nil {
+		return x.ManagementUrl
+	}
+	return ""
+}
+
+func (x *GetConfigResponse) GetConfigFile() string {
+	if x != nil {
+		return x.ConfigFile
+	}
+	return ""
+}
+
+func (x *GetConfigResponse) GetLogFile() string {
+	if x != nil {
+		return x.LogFile
+	}
+	return ""
+}
+
+func (x *GetConfigResponse) GetPreSharedKey() string {
+	if x != nil {
+		return x.PreSharedKey
+	}
+	return ""
+}
+
+func (x *GetConfigResponse) GetAdminURL() string {
+	if x != nil {
+		return x.AdminURL
+	}
+	return ""
+}
+
+var File_daemon_proto protoreflect.FileDescriptor
+
+var file_daemon_proto_rawDesc = []byte{
+	0x0a, 0x0c, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06,
+	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x1a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74,
+	0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x90, 0x01, 0x0a, 0x0c, 0x4c, 0x6f, 0x67,
+	0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x65, 0x74,
+	0x75, 0x70, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x65, 0x74,
+	0x75, 0x70, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72,
+	0x65, 0x64, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x72, 0x65,
+	0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x0a, 0x0d, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x12,
+	0x1a, 0x0a, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x22, 0xb5, 0x01, 0x0a, 0x0d,
+	0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a,
+	0x0d, 0x6e, 0x65, 0x65, 0x64, 0x73, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x6e, 0x65, 0x65, 0x64, 0x73, 0x53, 0x53, 0x4f, 0x4c, 0x6f,
+	0x67, 0x69, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x12,
+	0x28, 0x0a, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55,
+	0x52, 0x49, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69,
+	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x12, 0x38, 0x0a, 0x17, 0x76, 0x65, 0x72,
+	0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x43, 0x6f, 0x6d, 0x70,
+	0x6c, 0x65, 0x74, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x17, 0x76, 0x65, 0x72, 0x69,
+	0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x43, 0x6f, 0x6d, 0x70, 0x6c,
+	0x65, 0x74, 0x65, 0x22, 0x31, 0x0a, 0x13, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f,
+	0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73,
+	0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73,
+	0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x22, 0x16, 0x0a, 0x14, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53,
+	0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x0b,
+	0x0a, 0x09, 0x55, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x0c, 0x0a, 0x0a, 0x55,
+	0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x0f, 0x0a, 0x0d, 0x53, 0x74, 0x61,
+	0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x28, 0x0a, 0x0e, 0x53, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06,
+	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x22, 0x0d, 0x0a, 0x0b, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x22, 0x0e, 0x0a, 0x0c, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x22, 0x12, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xb3, 0x01, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x43,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a,
+	0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+	0x55, 0x72, 0x6c, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x46, 0x69, 0x6c,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x46,
+	0x69, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6c, 0x6f, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x18, 0x03,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6c, 0x6f, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x22, 0x0a,
+	0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x18, 0x04, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65,
+	0x79, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x18, 0x05, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x32, 0xf7, 0x02,
+	0x0a, 0x0d, 0x44, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12,
+	0x36, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x14, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f,
+	0x6e, 0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15,
+	0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x4b, 0x0a, 0x0c, 0x57, 0x61, 0x69, 0x74, 0x53,
+	0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1b, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e,
+	0x2e, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x57, 0x61,
+	0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x22, 0x00, 0x12, 0x2d, 0x0a, 0x02, 0x55, 0x70, 0x12, 0x11, 0x2e, 0x64, 0x61, 0x65,
+	0x6d, 0x6f, 0x6e, 0x2e, 0x55, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e,
+	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x55, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x00, 0x12, 0x39, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x15, 0x2e,
+	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33,
+	0x0a, 0x04, 0x44, 0x6f, 0x77, 0x6e, 0x12, 0x13, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e,
+	0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x64, 0x61,
+	0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x00, 0x12, 0x42, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x12, 0x18, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e,
+	0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x64, 0x61, 0x65,
+	0x6d, 0x6f, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_daemon_proto_rawDescOnce sync.Once
+	file_daemon_proto_rawDescData = file_daemon_proto_rawDesc
+)
+
+func file_daemon_proto_rawDescGZIP() []byte {
+	file_daemon_proto_rawDescOnce.Do(func() {
+		file_daemon_proto_rawDescData = protoimpl.X.CompressGZIP(file_daemon_proto_rawDescData)
+	})
+	return file_daemon_proto_rawDescData
+}
+
+var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
+var file_daemon_proto_goTypes = []interface{}{
+	(*LoginRequest)(nil),         // 0: daemon.LoginRequest
+	(*LoginResponse)(nil),        // 1: daemon.LoginResponse
+	(*WaitSSOLoginRequest)(nil),  // 2: daemon.WaitSSOLoginRequest
+	(*WaitSSOLoginResponse)(nil), // 3: daemon.WaitSSOLoginResponse
+	(*UpRequest)(nil),            // 4: daemon.UpRequest
+	(*UpResponse)(nil),           // 5: daemon.UpResponse
+	(*StatusRequest)(nil),        // 6: daemon.StatusRequest
+	(*StatusResponse)(nil),       // 7: daemon.StatusResponse
+	(*DownRequest)(nil),          // 8: daemon.DownRequest
+	(*DownResponse)(nil),         // 9: daemon.DownResponse
+	(*GetConfigRequest)(nil),     // 10: daemon.GetConfigRequest
+	(*GetConfigResponse)(nil),    // 11: daemon.GetConfigResponse
+}
+var file_daemon_proto_depIdxs = []int32{
+	0,  // 0: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
+	2,  // 1: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
+	4,  // 2: daemon.DaemonService.Up:input_type -> daemon.UpRequest
+	6,  // 3: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
+	8,  // 4: daemon.DaemonService.Down:input_type -> daemon.DownRequest
+	10, // 5: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
+	1,  // 6: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	3,  // 7: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	5,  // 8: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	7,  // 9: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	9,  // 10: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	11, // 11: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	6,  // [6:12] is the sub-list for method output_type
+	0,  // [0:6] is the sub-list for method input_type
+	0,  // [0:0] is the sub-list for extension type_name
+	0,  // [0:0] is the sub-list for extension extendee
+	0,  // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_daemon_proto_init() }
+func file_daemon_proto_init() {
+	if File_daemon_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_daemon_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*LoginRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*LoginResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*WaitSSOLoginRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*WaitSSOLoginResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UpRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UpResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*StatusRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*StatusResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DownRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DownResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetConfigRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetConfigResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_daemon_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   12,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_daemon_proto_goTypes,
+		DependencyIndexes: file_daemon_proto_depIdxs,
+		MessageInfos:      file_daemon_proto_msgTypes,
+	}.Build()
+	File_daemon_proto = out.File
+	file_daemon_proto_rawDesc = nil
+	file_daemon_proto_goTypes = nil
+	file_daemon_proto_depIdxs = nil
+}

client/proto/daemon.proto

@@ -0,0 +1,90 @@
+syntax = "proto3";
+
+import "google/protobuf/descriptor.proto";
+
+option go_package = "/proto";
+
+package daemon;
+
+service DaemonService {
+  // Login uses setup key to prepare configuration for the daemon.
+  rpc Login(LoginRequest) returns (LoginResponse) {}
+
+  // WaitSSOLogin uses the userCode to validate the TokenInfo and
+  // waits for the user to continue with the login on a browser
+  rpc WaitSSOLogin(WaitSSOLoginRequest) returns (WaitSSOLoginResponse) {}
+
+  // Up starts engine work in the daemon.
+  rpc Up(UpRequest) returns (UpResponse) {}
+
+  // Status of the service.
+  rpc Status(StatusRequest) returns (StatusResponse) {}
+
+  // Down engine work in the daemon.
+  rpc Down(DownRequest) returns (DownResponse) {}
+
+  // GetConfig of the daemon.
+  rpc GetConfig(GetConfigRequest) returns (GetConfigResponse) {}
+};
+
+message LoginRequest {
+  // setupKey wiretrustee setup key.
+  string setupKey = 1;
+
+  // preSharedKey for wireguard setup.
+  string preSharedKey = 2;
+
+  // managementUrl to authenticate.
+  string managementUrl = 3;
+
+  // adminUrl to manage keys.
+  string adminURL = 4;
+
+}
+
+message LoginResponse {
+  bool   needsSSOLogin = 1;
+  string userCode = 2;
+  string verificationURI = 3;
+  string verificationURIComplete = 4;
+}
+
+message WaitSSOLoginRequest {
+  string userCode = 1;
+}
+
+message WaitSSOLoginResponse {}
+
+message UpRequest {}
+
+message UpResponse {}
+
+message StatusRequest{}
+
+message StatusResponse{
+  // status of the server.
+  string status = 1;
+}
+
+message DownRequest {}
+
+message DownResponse {}
+
+message GetConfigRequest {}
+
+message GetConfigResponse {
+  // managementUrl settings value.
+  string managementUrl = 1;
+
+  // configFile settings value.
+  string configFile = 2;
+
+  // logFile settings value.
+  string logFile = 3;
+
+  // preSharedKey settings value.
+  string preSharedKey = 4;
+
+  // adminURL settings value.
+  string adminURL = 5;
+}

client/proto/daemon_grpc.pb.go

@@ -0,0 +1,295 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+
+package proto
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// DaemonServiceClient is the client API for DaemonService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type DaemonServiceClient interface {
+	// Login uses setup key to prepare configuration for the daemon.
+	Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error)
+	// WaitSSOLogin uses the userCode to validate the TokenInfo and
+	// waits for the user to continue with the login on a browser
+	WaitSSOLogin(ctx context.Context, in *WaitSSOLoginRequest, opts ...grpc.CallOption) (*WaitSSOLoginResponse, error)
+	// Up starts engine work in the daemon.
+	Up(ctx context.Context, in *UpRequest, opts ...grpc.CallOption) (*UpResponse, error)
+	// Status of the service.
+	Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error)
+	// Down engine work in the daemon.
+	Down(ctx context.Context, in *DownRequest, opts ...grpc.CallOption) (*DownResponse, error)
+	// GetConfig of the daemon.
+	GetConfig(ctx context.Context, in *GetConfigRequest, opts ...grpc.CallOption) (*GetConfigResponse, error)
+}
+
+type daemonServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewDaemonServiceClient(cc grpc.ClientConnInterface) DaemonServiceClient {
+	return &daemonServiceClient{cc}
+}
+
+func (c *daemonServiceClient) Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error) {
+	out := new(LoginResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Login", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) WaitSSOLogin(ctx context.Context, in *WaitSSOLoginRequest, opts ...grpc.CallOption) (*WaitSSOLoginResponse, error) {
+	out := new(WaitSSOLoginResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/WaitSSOLogin", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) Up(ctx context.Context, in *UpRequest, opts ...grpc.CallOption) (*UpResponse, error) {
+	out := new(UpResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Up", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) {
+	out := new(StatusResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Status", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) Down(ctx context.Context, in *DownRequest, opts ...grpc.CallOption) (*DownResponse, error) {
+	out := new(DownResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Down", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) GetConfig(ctx context.Context, in *GetConfigRequest, opts ...grpc.CallOption) (*GetConfigResponse, error) {
+	out := new(GetConfigResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/GetConfig", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// DaemonServiceServer is the server API for DaemonService service.
+// All implementations must embed UnimplementedDaemonServiceServer
+// for forward compatibility
+type DaemonServiceServer interface {
+	// Login uses setup key to prepare configuration for the daemon.
+	Login(context.Context, *LoginRequest) (*LoginResponse, error)
+	// WaitSSOLogin uses the userCode to validate the TokenInfo and
+	// waits for the user to continue with the login on a browser
+	WaitSSOLogin(context.Context, *WaitSSOLoginRequest) (*WaitSSOLoginResponse, error)
+	// Up starts engine work in the daemon.
+	Up(context.Context, *UpRequest) (*UpResponse, error)
+	// Status of the service.
+	Status(context.Context, *StatusRequest) (*StatusResponse, error)
+	// Down engine work in the daemon.
+	Down(context.Context, *DownRequest) (*DownResponse, error)
+	// GetConfig of the daemon.
+	GetConfig(context.Context, *GetConfigRequest) (*GetConfigResponse, error)
+	mustEmbedUnimplementedDaemonServiceServer()
+}
+
+// UnimplementedDaemonServiceServer must be embedded to have forward compatible implementations.
+type UnimplementedDaemonServiceServer struct {
+}
+
+func (UnimplementedDaemonServiceServer) Login(context.Context, *LoginRequest) (*LoginResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Login not implemented")
+}
+func (UnimplementedDaemonServiceServer) WaitSSOLogin(context.Context, *WaitSSOLoginRequest) (*WaitSSOLoginResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method WaitSSOLogin not implemented")
+}
+func (UnimplementedDaemonServiceServer) Up(context.Context, *UpRequest) (*UpResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Up not implemented")
+}
+func (UnimplementedDaemonServiceServer) Status(context.Context, *StatusRequest) (*StatusResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Status not implemented")
+}
+func (UnimplementedDaemonServiceServer) Down(context.Context, *DownRequest) (*DownResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Down not implemented")
+}
+func (UnimplementedDaemonServiceServer) GetConfig(context.Context, *GetConfigRequest) (*GetConfigResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetConfig not implemented")
+}
+func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}
+
+// UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to DaemonServiceServer will
+// result in compilation errors.
+type UnsafeDaemonServiceServer interface {
+	mustEmbedUnimplementedDaemonServiceServer()
+}
+
+func RegisterDaemonServiceServer(s grpc.ServiceRegistrar, srv DaemonServiceServer) {
+	s.RegisterService(&DaemonService_ServiceDesc, srv)
+}
+
+func _DaemonService_Login_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(LoginRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).Login(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/Login",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).Login(ctx, req.(*LoginRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_WaitSSOLogin_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(WaitSSOLoginRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).WaitSSOLogin(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/WaitSSOLogin",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).WaitSSOLogin(ctx, req.(*WaitSSOLoginRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_Up_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).Up(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/Up",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).Up(ctx, req.(*UpRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_Status_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(StatusRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).Status(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/Status",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).Status(ctx, req.(*StatusRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_Down_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DownRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).Down(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/Down",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).Down(ctx, req.(*DownRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_GetConfig_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetConfigRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).GetConfig(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/GetConfig",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).GetConfig(ctx, req.(*GetConfigRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// DaemonService_ServiceDesc is the grpc.ServiceDesc for DaemonService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var DaemonService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "daemon.DaemonService",
+	HandlerType: (*DaemonServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Login",
+			Handler:    _DaemonService_Login_Handler,
+		},
+		{
+			MethodName: "WaitSSOLogin",
+			Handler:    _DaemonService_WaitSSOLogin_Handler,
+		},
+		{
+			MethodName: "Up",
+			Handler:    _DaemonService_Up_Handler,
+		},
+		{
+			MethodName: "Status",
+			Handler:    _DaemonService_Status_Handler,
+		},
+		{
+			MethodName: "Down",
+			Handler:    _DaemonService_Down_Handler,
+		},
+		{
+			MethodName: "GetConfig",
+			Handler:    _DaemonService_GetConfig_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "daemon.proto",
+}

client/proto/generate.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
+go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1
+protoc -I proto/ proto/daemon.proto --go_out=. --go-grpc_out=.

client/resources.rc

@@ -0,0 +1,9 @@
+#include <windows.h>
+
+#pragma code_page(65001) // UTF-8
+
+#define STRINGIZE(x) #x
+#define EXPAND(x) STRINGIZE(x)
+CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST manifest.xml
+7 ICON ui/netbird.ico
+wireguard.dll RCDATA wireguard.dll

client/server/server.go

@@ -0,0 +1,420 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	gstatus "google.golang.org/grpc/status"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// Server for service control.
+type Server struct {
+	rootCtx   context.Context
+	actCancel context.CancelFunc
+
+	managementURL string
+	adminURL      string
+	configPath    string
+	logFile       string
+
+	oauthAuthFlow oauthAuthFlow
+
+	mutex  sync.Mutex
+	config *internal.Config
+	proto.UnimplementedDaemonServiceServer
+}
+
+type oauthAuthFlow struct {
+	expiresAt  time.Time
+	client     internal.OAuthClient
+	info       internal.DeviceAuthInfo
+	waitCancel context.CancelFunc
+}
+
+// New server instance constructor.
+func New(ctx context.Context, managementURL, adminURL, configPath, logFile string) *Server {
+	return &Server{
+		rootCtx:       ctx,
+		managementURL: managementURL,
+		adminURL:      adminURL,
+		configPath:    configPath,
+		logFile:       logFile,
+	}
+}
+
+func (s *Server) Start() error {
+	state := internal.CtxGetState(s.rootCtx)
+
+	// if current state contains any error, return it
+	// in all other cases we can continue execution only if status is idle and up command was
+	// not in the progress or already successfully established connection.
+	status, err := state.Status()
+	if err != nil {
+		return err
+	}
+
+	if status != internal.StatusIdle {
+		return nil
+	}
+
+	ctx, cancel := context.WithCancel(s.rootCtx)
+	s.actCancel = cancel
+
+	// if configuration exists, we just start connections. if is new config we skip and set status NeedsLogin
+	// on failure we return error to retry
+	config, err := internal.ReadConfig(s.managementURL, s.adminURL, s.configPath, nil)
+	if errorStatus, ok := gstatus.FromError(err); ok && errorStatus.Code() == codes.NotFound {
+		config, err = internal.GetConfig(s.managementURL, s.adminURL, s.configPath, "")
+		if err != nil {
+			log.Warnf("unable to create configuration file: %v", err)
+			return err
+		}
+		state.Set(internal.StatusNeedsLogin)
+		return nil
+	} else if err != nil {
+		log.Warnf("unable to create configuration file: %v", err)
+		return err
+	}
+
+	// if configuration exists, we just start connections.
+
+	s.config = config
+
+	go func() {
+		if err := internal.RunClient(ctx, config); err != nil {
+			log.Errorf("init connections: %v", err)
+		}
+	}()
+
+	return nil
+}
+
+// loginAttempt attempts to login using the provided information. it returns a status in case something fails
+func (s *Server) loginAttempt(ctx context.Context, setupKey, jwtToken string) (internal.StatusType, error) {
+	var status internal.StatusType
+	err := internal.Login(ctx, s.config, setupKey, jwtToken)
+	if err != nil {
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			log.Warnf("failed login: %v", err)
+			status = internal.StatusNeedsLogin
+		} else {
+			log.Errorf("failed login: %v", err)
+			status = internal.StatusLoginFailed
+		}
+		return status, err
+	}
+	return "", nil
+}
+
+// Login uses setup key to prepare configuration for the daemon.
+func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*proto.LoginResponse, error) {
+	s.mutex.Lock()
+	if s.actCancel != nil {
+		s.actCancel()
+	}
+	ctx, cancel := context.WithCancel(s.rootCtx)
+
+	md, ok := metadata.FromIncomingContext(callerCtx)
+	if ok {
+		ctx = metadata.NewOutgoingContext(ctx, md)
+	}
+
+	s.actCancel = cancel
+	s.mutex.Unlock()
+
+	state := internal.CtxGetState(ctx)
+	defer func() {
+		status, err := state.Status()
+		if err != nil || (status != internal.StatusNeedsLogin && status != internal.StatusLoginFailed) {
+			state.Set(internal.StatusIdle)
+		}
+	}()
+
+	s.mutex.Lock()
+	managementURL := s.managementURL
+	if msg.ManagementUrl != "" {
+		managementURL = msg.ManagementUrl
+		s.managementURL = msg.ManagementUrl
+	}
+
+	adminURL := s.adminURL
+	if msg.AdminURL != "" {
+		adminURL = msg.AdminURL
+		s.adminURL = msg.AdminURL
+	}
+	s.mutex.Unlock()
+
+	config, err := internal.GetConfig(managementURL, adminURL, s.configPath, msg.PreSharedKey)
+	if err != nil {
+		return nil, err
+	}
+
+	s.mutex.Lock()
+	s.config = config
+	s.mutex.Unlock()
+
+	if _, err := s.loginAttempt(ctx, "", ""); err == nil {
+		state.Set(internal.StatusIdle)
+		return &proto.LoginResponse{}, nil
+	}
+
+	state.Set(internal.StatusConnecting)
+
+	if msg.SetupKey == "" {
+		providerConfig, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config)
+		if err != nil {
+			state.Set(internal.StatusLoginFailed)
+			s, ok := gstatus.FromError(err)
+			if ok && s.Code() == codes.NotFound {
+				return nil, gstatus.Errorf(codes.NotFound, "no SSO provider returned from management. "+
+					"If you are using hosting Netbird see documentation at "+
+					"https://github.com/netbirdio/netbird/tree/main/management for details")
+			} else if ok && s.Code() == codes.Unimplemented {
+				return nil, gstatus.Errorf(codes.Unimplemented, "the management server, %s, does not support SSO providers, "+
+					"please update your server or use Setup Keys to login", config.ManagementURL)
+			} else {
+				log.Errorf("getting device authorization flow info failed with error: %v", err)
+				return nil, err
+			}
+		}
+
+		hostedClient := internal.NewHostedDeviceFlow(
+			providerConfig.ProviderConfig.Audience,
+			providerConfig.ProviderConfig.ClientID,
+			providerConfig.ProviderConfig.Domain,
+		)
+
+		if s.oauthAuthFlow.client != nil && s.oauthAuthFlow.client.GetClientID(ctx) == hostedClient.GetClientID(context.TODO()) {
+			if s.oauthAuthFlow.expiresAt.After(time.Now().Add(90 * time.Second)) {
+				log.Debugf("using previous device flow info")
+				return &proto.LoginResponse{
+					NeedsSSOLogin:           true,
+					VerificationURI:         s.oauthAuthFlow.info.VerificationURI,
+					VerificationURIComplete: s.oauthAuthFlow.info.VerificationURIComplete,
+					UserCode:                s.oauthAuthFlow.info.UserCode,
+				}, nil
+			} else {
+				log.Warnf("canceling previous waiting execution")
+				s.oauthAuthFlow.waitCancel()
+			}
+		}
+
+		deviceAuthInfo, err := hostedClient.RequestDeviceCode(context.TODO())
+		if err != nil {
+			log.Errorf("getting a request device code failed: %v", err)
+			return nil, err
+		}
+
+		s.mutex.Lock()
+		s.oauthAuthFlow.client = hostedClient
+		s.oauthAuthFlow.info = deviceAuthInfo
+		s.oauthAuthFlow.expiresAt = time.Now().Add(time.Duration(deviceAuthInfo.ExpiresIn) * time.Second)
+		s.mutex.Unlock()
+
+		state.Set(internal.StatusNeedsLogin)
+
+		return &proto.LoginResponse{
+			NeedsSSOLogin:           true,
+			VerificationURI:         deviceAuthInfo.VerificationURI,
+			VerificationURIComplete: deviceAuthInfo.VerificationURIComplete,
+			UserCode:                deviceAuthInfo.UserCode,
+		}, nil
+	}
+
+	if loginStatus, err := s.loginAttempt(ctx, msg.SetupKey, ""); err != nil {
+		state.Set(loginStatus)
+		return nil, err
+	}
+
+	return &proto.LoginResponse{}, nil
+}
+
+// WaitSSOLogin uses the userCode to validate the TokenInfo and
+// waits for the user to continue with the login on a browser
+func (s *Server) WaitSSOLogin(callerCtx context.Context, msg *proto.WaitSSOLoginRequest) (*proto.WaitSSOLoginResponse, error) {
+	s.mutex.Lock()
+	if s.actCancel != nil {
+		s.actCancel()
+	}
+	ctx, cancel := context.WithCancel(s.rootCtx)
+
+	md, ok := metadata.FromIncomingContext(callerCtx)
+	if ok {
+		ctx = metadata.NewOutgoingContext(ctx, md)
+	}
+
+	s.actCancel = cancel
+	s.mutex.Unlock()
+
+	if s.oauthAuthFlow.client == nil {
+		return nil, gstatus.Errorf(codes.Internal, "oauth client is not initialized")
+	}
+
+	state := internal.CtxGetState(ctx)
+	defer func() {
+		s, err := state.Status()
+		if err != nil || (s != internal.StatusNeedsLogin && s != internal.StatusLoginFailed) {
+			state.Set(internal.StatusIdle)
+		}
+	}()
+
+	state.Set(internal.StatusConnecting)
+
+	s.mutex.Lock()
+	deviceAuthInfo := s.oauthAuthFlow.info
+	s.mutex.Unlock()
+
+	if deviceAuthInfo.UserCode != msg.UserCode {
+		state.Set(internal.StatusLoginFailed)
+		return nil, gstatus.Errorf(codes.InvalidArgument, "sso user code is invalid")
+	}
+
+	if s.oauthAuthFlow.waitCancel != nil {
+		s.oauthAuthFlow.waitCancel()
+	}
+
+	waitTimeout := time.Until(s.oauthAuthFlow.expiresAt)
+	waitCTX, cancel := context.WithTimeout(ctx, waitTimeout)
+	defer cancel()
+
+	s.mutex.Lock()
+	s.oauthAuthFlow.waitCancel = cancel
+	s.mutex.Unlock()
+
+	tokenInfo, err := s.oauthAuthFlow.client.WaitToken(waitCTX, deviceAuthInfo)
+	if err != nil {
+		if err == context.Canceled {
+			return nil, nil
+		}
+		s.mutex.Lock()
+		s.oauthAuthFlow.expiresAt = time.Now()
+		s.mutex.Unlock()
+		state.Set(internal.StatusLoginFailed)
+		log.Errorf("waiting for browser login failed: %v", err)
+		return nil, err
+	}
+
+	if loginStatus, err := s.loginAttempt(ctx, "", tokenInfo.AccessToken); err != nil {
+		state.Set(loginStatus)
+		return nil, err
+	}
+
+	return &proto.WaitSSOLoginResponse{}, nil
+}
+
+// Up starts engine work in the daemon.
+func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	state := internal.CtxGetState(s.rootCtx)
+
+	// if current state contains any error, return it
+	// in all other cases we can continue execution only if status is idle and up command was
+	// not in the progress or already successfully established connection.
+	status, err := state.Status()
+	if err != nil {
+		return nil, err
+	}
+	if status != internal.StatusIdle {
+		return nil, fmt.Errorf("up already in progress: current status %s", status)
+	}
+
+	// it should be nil here, but .
+	if s.actCancel != nil {
+		s.actCancel()
+	}
+	ctx, cancel := context.WithCancel(s.rootCtx)
+
+	md, ok := metadata.FromIncomingContext(callerCtx)
+	if ok {
+		ctx = metadata.NewOutgoingContext(ctx, md)
+	}
+
+	s.actCancel = cancel
+
+	if s.config == nil {
+		return nil, fmt.Errorf("config is not defined, please call login command first")
+	}
+
+	go func() {
+		if err := internal.RunClient(ctx, s.config); err != nil {
+			log.Errorf("run client connection: %v", state.Wrap(err))
+			return
+		}
+	}()
+
+	return &proto.UpResponse{}, nil
+}
+
+// Down engine work in the daemon.
+func (s *Server) Down(ctx context.Context, msg *proto.DownRequest) (*proto.DownResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	if s.actCancel == nil {
+		return nil, fmt.Errorf("service is not up")
+	}
+	s.actCancel()
+
+	return &proto.DownResponse{}, nil
+}
+
+// Status starts engine work in the daemon.
+func (s *Server) Status(
+	ctx context.Context,
+	msg *proto.StatusRequest,
+) (*proto.StatusResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	status, err := internal.CtxGetState(s.rootCtx).Status()
+	if err != nil {
+		return nil, err
+	}
+
+	return &proto.StatusResponse{Status: string(status)}, nil
+}
+
+// GetConfig of the daemon.
+func (s *Server) GetConfig(ctx context.Context, msg *proto.GetConfigRequest) (*proto.GetConfigResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	managementURL := s.managementURL
+	adminURL := s.adminURL
+	preSharedKey := ""
+
+	if s.config != nil {
+		if managementURL == "" && s.config.ManagementURL != nil {
+			managementURL = s.config.ManagementURL.String()
+		}
+
+		if s.config.AdminURL != nil {
+			adminURL = s.config.AdminURL.String()
+		}
+
+		preSharedKey = s.config.PreSharedKey
+		if preSharedKey != "" {
+			preSharedKey = "**********"
+		}
+
+	}
+
+	return &proto.GetConfigResponse{
+		ManagementUrl: managementURL,
+		AdminURL:      adminURL,
+		ConfigFile:    s.configPath,
+		LogFile:       s.logFile,
+		PreSharedKey:  preSharedKey,
+	}, nil
+}

client/system/info.go

@@ -0,0 +1,52 @@
+package system
+
+import (
+	"context"
+	"google.golang.org/grpc/metadata"
+	"strings"
+)
+
+// this is the wiretrustee version
+// will be replaced with the release version when using goreleaser
+var version = "development"
+
+//Info is an object that contains machine information
+// Most of the code is taken from https://github.com/matishsiao/goInfo
+type Info struct {
+	GoOS               string
+	Kernel             string
+	Core               string
+	Platform           string
+	OS                 string
+	OSVersion          string
+	Hostname           string
+	CPUs               int
+	WiretrusteeVersion string
+	UIVersion          string
+}
+
+// NetbirdVersion returns the Netbird version
+func NetbirdVersion() string {
+	return version
+}
+
+// extractUserAgent extracts Netbird's agent (client) name and version from the outgoing context
+func extractUserAgent(ctx context.Context) string {
+	md, hasMeta := metadata.FromOutgoingContext(ctx)
+	if hasMeta {
+		agent, ok := md["user-agent"]
+		if ok {
+			nbAgent := strings.Split(agent[0], " ")[0]
+			if strings.HasPrefix(nbAgent, "netbird") {
+				return nbAgent
+			}
+			return ""
+		}
+	}
+	return ""
+}
+
+// GetDesktopUIUserAgent returns the Desktop ui user agent
+func GetDesktopUIUserAgent() string {
+	return "netbird-desktop-ui/" + NetbirdVersion()
+}

client/system/info_darwin.go

@@ -0,0 +1,44 @@
+package system
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+	"time"
+)
+
+// GetInfo retrieves and parses the system information
+func GetInfo(ctx context.Context) *Info {
+	out := _getInfo()
+	for strings.Contains(out, "broken pipe") {
+		out = _getInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+	osStr := strings.Replace(out, "\n", "", -1)
+	osStr = strings.Replace(osStr, "\r\n", "", -1)
+	osInfo := strings.Split(osStr, " ")
+	gio := &Info{Kernel: osInfo[0], OSVersion: osInfo[1], Core: osInfo[1], Platform: osInfo[2], OS: osInfo[0], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname, _ = os.Hostname()
+	gio.WiretrusteeVersion = NetbirdVersion()
+	gio.UIVersion = extractUserAgent(ctx)
+
+	return gio
+}
+
+func _getInfo() string {
+	cmd := exec.Command("uname", "-srm")
+	cmd.Stdin = strings.NewReader("some input")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		fmt.Println("getInfo:", err)
+	}
+	return out.String()
+}

client/system/info_freebsd.go

@@ -0,0 +1,44 @@
+package system
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+	"time"
+)
+
+// GetInfo retrieves and parses the system information
+func GetInfo(ctx context.Context) *Info {
+	out := _getInfo()
+	for strings.Contains(out, "broken pipe") {
+		out = _getInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+	osStr := strings.Replace(out, "\n", "", -1)
+	osStr = strings.Replace(osStr, "\r\n", "", -1)
+	osInfo := strings.Split(osStr, " ")
+	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: runtime.GOARCH, OS: osInfo[2], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname, _ = os.Hostname()
+	gio.WiretrusteeVersion = NetbirdVersion()
+	gio.UIVersion = extractUserAgent(ctx)
+
+	return gio
+}
+
+func _getInfo() string {
+	cmd := exec.Command("uname", "-sri")
+	cmd.Stdin = strings.NewReader("some input")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		fmt.Println("getInfo:", err)
+	}
+	return out.String()
+}

client/system/info_linux.go

@@ -0,0 +1,81 @@
+package system
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+	"time"
+)
+
+// GetInfo retrieves and parses the system information
+func GetInfo(ctx context.Context) *Info {
+	info := _getInfo()
+	for strings.Contains(info, "broken pipe") {
+		info = _getInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+
+	releaseInfo := _getReleaseInfo()
+	for strings.Contains(info, "broken pipe") {
+		releaseInfo = _getReleaseInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+
+	osRelease := strings.Split(releaseInfo, "\n")
+	var osName string
+	var osVer string
+	for _, s := range osRelease {
+		if strings.HasPrefix(s, "NAME=") {
+			osName = strings.Split(s, "=")[1]
+			osName = strings.ReplaceAll(osName, "\"", "")
+		} else if strings.HasPrefix(s, "VERSION_ID=") {
+			osVer = strings.Split(s, "=")[1]
+			osVer = strings.ReplaceAll(osVer, "\"", "")
+		}
+	}
+
+	osStr := strings.Replace(info, "\n", "", -1)
+	osStr = strings.Replace(osStr, "\r\n", "", -1)
+	osInfo := strings.Split(osStr, " ")
+	if osName == "" {
+		osName = osInfo[3]
+	}
+	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: osInfo[2], OS: osName, OSVersion: osVer, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname, _ = os.Hostname()
+	gio.WiretrusteeVersion = NetbirdVersion()
+	gio.UIVersion = extractUserAgent(ctx)
+
+	return gio
+}
+
+func _getInfo() string {
+	cmd := exec.Command("uname", "-srio")
+	cmd.Stdin = strings.NewReader("some")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		fmt.Println("getInfo:", err)
+	}
+	return out.String()
+}
+
+func _getReleaseInfo() string {
+	cmd := exec.Command("cat", "/etc/os-release")
+	cmd.Stdin = strings.NewReader("some")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		fmt.Println("getReleaseInfo:", err)
+	}
+	return out.String()
+}

client/system/info_test.go

@@ -0,0 +1,26 @@
+package system
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/grpc/metadata"
+)
+
+func Test_LocalWTVersion(t *testing.T) {
+	got := GetInfo(context.TODO())
+	want := "development"
+	assert.Equal(t, want, got.WiretrusteeVersion)
+}
+
+func Test_UIVersion(t *testing.T) {
+	ctx := context.Background()
+	want := "netbird-desktop-ui/development"
+	ctx = metadata.NewOutgoingContext(ctx, map[string][]string{
+		"user-agent": {want},
+	})
+
+	got := GetInfo(ctx)
+	assert.Equal(t, want, got.UIVersion)
+}

client/system/info_windows.go

@@ -0,0 +1,40 @@
+package system
+
+import (
+	"bytes"
+	"context"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+)
+
+// GetInfo retrieves and parses the system information
+func GetInfo(ctx context.Context) *Info {
+	cmd := exec.Command("cmd", "ver")
+	cmd.Stdin = strings.NewReader("some")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		panic(err)
+	}
+	osStr := strings.Replace(out.String(), "\n", "", -1)
+	osStr = strings.Replace(osStr, "\r\n", "", -1)
+	tmp1 := strings.Index(osStr, "[Version")
+	tmp2 := strings.Index(osStr, "]")
+	var ver string
+	if tmp1 == -1 || tmp2 == -1 {
+		ver = "unknown"
+	} else {
+		ver = osStr[tmp1+9 : tmp2]
+	}
+	gio := &Info{Kernel: "windows", OSVersion: ver, Core: ver, Platform: "unknown", OS: "windows", GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname, _ = os.Hostname()
+	gio.WiretrusteeVersion = NetbirdVersion()
+	gio.UIVersion = extractUserAgent(ctx)
+
+	return gio
+}

client/testdata/management.json

@@ -0,0 +1,37 @@
+{
+  "Stuns": [
+    {
+      "Proto": "udp",
+      "URI": "stun:stun.wiretrustee.com:3468",
+      "Username": "",
+      "Password": null
+    }
+  ],
+  "TURNConfig": {
+    "Turns": [
+      {
+        "Proto": "udp",
+        "URI": "turn:stun.wiretrustee.com:3468",
+        "Username": "some_user",
+        "Password": "c29tZV9wYXNzd29yZA=="
+      }
+    ],
+    "CredentialsTTL": "1h",
+    "Secret": "c29tZV9wYXNzd29yZA==",
+    "TimeBasedCredentials": true
+  },
+  "Signal": {
+    "Proto": "http",
+    "URI": "signal.wiretrustee.com:10000",
+    "Username": "",
+    "Password": null
+  },
+  "DataDir": "",
+  "HttpConfig": {
+    "LetsEncryptDomain": "<PASTE YOUR LET'S ENCRYPT DOMAIN HERE>",
+    "Address": "0.0.0.0:33071",
+    "AuthIssuer": "<PASTE YOUR AUTH0 ISSUER HERE>,",
+    "AuthAudience": "<PASTE YOUR AUTH0 AUDIENCE HERE>",
+    "AuthKeysLocation": "<PASTE YOUR AUTH0 PUBLIC JWT KEYS LOCATION HERE>"
+  }
+}

client/testdata/store.json

@@ -0,0 +1,38 @@
+{
+    "Accounts": {
+        "bf1c8084-ba50-4ce7-9439-34653001fc3b": {
+            "Id": "bf1c8084-ba50-4ce7-9439-34653001fc3b",
+            "SetupKeys": {
+                "A2C8E62B-38F5-4553-B31E-DD66C696CEBB": {
+                    "Key": "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
+                    "Name": "Default key",
+                    "Type": "reusable",
+                    "CreatedAt": "2021-08-19T20:46:20.005936822+02:00",
+                    "ExpiresAt": "2321-09-18T20:46:20.005936822+02:00",
+                    "Revoked": false,
+                    "UsedTimes": 0
+
+                }
+            },
+            "Network": {
+                "Id": "af1c8024-ha40-4ce2-9418-34653101fc3c",
+                "Net": {
+                    "IP": "100.64.0.0",
+                    "Mask": "//8AAA=="
+                },
+                "Dns": null
+            },
+            "Peers": {},
+            "Users": {
+                "edafee4e-63fb-11ec-90d6-0242ac120003": {
+                    "Id": "edafee4e-63fb-11ec-90d6-0242ac120003",
+                    "Role": "admin"
+                },
+                "f4f6d672-63fb-11ec-90d6-0242ac120003": {
+                    "Id": "f4f6d672-63fb-11ec-90d6-0242ac120003",
+                    "Role": "user"
+                }
+            }
+        }
+    }
+}

client/ui/Info.plist

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>CFBundleExecutable</key>
+  <string>netbird-ui</string>
+  <key>CFBundleIconFile</key>
+  <string>Netbird</string>
+  <key>LSUIElement</key>
+  <string>1</string>
+</dict>
+</plist>

client/ui/client_ui.go

@@ -0,0 +1,511 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"github.com/netbirdio/netbird/client/system"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"runtime"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+
+	_ "embed"
+
+	"github.com/getlantern/systray"
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+	log "github.com/sirupsen/logrus"
+	"github.com/skratchdot/open-golang/open"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"fyne.io/fyne/v2"
+	"fyne.io/fyne/v2/app"
+	"fyne.io/fyne/v2/dialog"
+	"fyne.io/fyne/v2/widget"
+)
+
+const (
+	defaultFailTimeout = 3 * time.Second
+	failFastTimeout    = time.Second
+)
+
+func main() {
+	var daemonAddr string
+
+	defaultDaemonAddr := "unix:///var/run/netbird.sock"
+	if runtime.GOOS == "windows" {
+		defaultDaemonAddr = "tcp://127.0.0.1:41731"
+	}
+
+	flag.StringVar(
+		&daemonAddr, "daemon-addr",
+		defaultDaemonAddr,
+		"Daemon service address to serve CLI requests [unix|tcp]://[path|host:port]")
+
+	var showSettings bool
+	flag.BoolVar(&showSettings, "settings", false, "run settings windows")
+
+	flag.Parse()
+
+	a := app.New()
+	client := newServiceClient(daemonAddr, a, showSettings)
+	if showSettings {
+		a.Run()
+	} else {
+		if err := checkPIDFile(); err != nil {
+			fmt.Println(err)
+			return
+		}
+		systray.Run(client.onTrayReady, client.onTrayExit)
+	}
+}
+
+//go:embed connected.ico
+var iconConnectedICO []byte
+
+//go:embed connected.png
+var iconConnectedPNG []byte
+
+//go:embed disconnected.ico
+var iconDisconnectedICO []byte
+
+//go:embed disconnected.png
+var iconDisconnectedPNG []byte
+
+type serviceClient struct {
+	ctx  context.Context
+	addr string
+	conn proto.DaemonServiceClient
+
+	icConnected    []byte
+	icDisconnected []byte
+
+	// systray menu items
+	mStatus     *systray.MenuItem
+	mUp         *systray.MenuItem
+	mDown       *systray.MenuItem
+	mAdminPanel *systray.MenuItem
+	mSettings   *systray.MenuItem
+	mQuit       *systray.MenuItem
+
+	// application with main windows.
+	app          fyne.App
+	wSettings    fyne.Window
+	showSettings bool
+
+	// input elements for settings form
+	iMngURL       *widget.Entry
+	iAdminURL     *widget.Entry
+	iConfigFile   *widget.Entry
+	iLogFile      *widget.Entry
+	iPreSharedKey *widget.Entry
+
+	// observable settings over correspondign iMngURL and iPreSharedKey values.
+	managementURL string
+	preSharedKey  string
+	adminURL      string
+}
+
+// newServiceClient instance constructor
+//
+// This constructor olso build UI elements for settings window.
+func newServiceClient(addr string, a fyne.App, showSettings bool) *serviceClient {
+	s := &serviceClient{
+		ctx:  context.Background(),
+		addr: addr,
+		app:  a,
+
+		showSettings: showSettings,
+	}
+
+	if runtime.GOOS == "windows" {
+		s.icConnected = iconConnectedICO
+		s.icDisconnected = iconDisconnectedICO
+	} else {
+		s.icConnected = iconConnectedPNG
+		s.icDisconnected = iconDisconnectedPNG
+	}
+
+	if showSettings {
+		s.showUIElements()
+		return s
+	}
+
+	return s
+}
+
+func (s *serviceClient) showUIElements() {
+	// add settings window UI elements.
+	s.wSettings = s.app.NewWindow("Settings")
+	s.iMngURL = widget.NewEntry()
+	s.iAdminURL = widget.NewEntry()
+	s.iConfigFile = widget.NewEntry()
+	s.iConfigFile.Disable()
+	s.iLogFile = widget.NewEntry()
+	s.iLogFile.Disable()
+	s.iPreSharedKey = widget.NewPasswordEntry()
+	s.wSettings.SetContent(s.getSettingsForm())
+	s.wSettings.Resize(fyne.NewSize(600, 100))
+
+	s.getSrvConfig()
+
+	s.wSettings.Show()
+}
+
+// getSettingsForm to embed it into settings window.
+func (s *serviceClient) getSettingsForm() *widget.Form {
+	return &widget.Form{
+		Items: []*widget.FormItem{
+			{Text: "Management URL", Widget: s.iMngURL},
+			{Text: "Admin URL", Widget: s.iAdminURL},
+			{Text: "Pre-shared Key", Widget: s.iPreSharedKey},
+			{Text: "Config File", Widget: s.iConfigFile},
+			{Text: "Log File", Widget: s.iLogFile},
+		},
+		SubmitText: "Save",
+		OnSubmit: func() {
+			if s.iPreSharedKey.Text != "" && s.iPreSharedKey.Text != "**********" {
+				// validate preSharedKey if it added
+				if _, err := wgtypes.ParseKey(s.iPreSharedKey.Text); err != nil {
+					dialog.ShowError(fmt.Errorf("Invalid Pre-shared Key Value"), s.wSettings)
+					return
+				}
+			}
+
+			defer s.wSettings.Close()
+			// if management URL or Pre-shared key changed, we try to re-login with new settings.
+			if s.managementURL != s.iMngURL.Text || s.preSharedKey != s.iPreSharedKey.Text ||
+				s.adminURL != s.iAdminURL.Text {
+
+				s.managementURL = s.iMngURL.Text
+				s.preSharedKey = s.iPreSharedKey.Text
+				s.adminURL = s.iAdminURL.Text
+
+				client, err := s.getSrvClient(failFastTimeout)
+				if err != nil {
+					log.Errorf("get daemon client: %v", err)
+					return
+				}
+
+				_, err = client.Login(s.ctx, &proto.LoginRequest{
+					ManagementUrl: s.iMngURL.Text,
+					AdminURL:      s.iAdminURL.Text,
+					PreSharedKey:  s.iPreSharedKey.Text,
+				})
+				if err != nil {
+					log.Errorf("login to management URL: %v", err)
+					return
+				}
+
+				_, err = client.Up(s.ctx, &proto.UpRequest{})
+				if err != nil {
+					log.Errorf("login to management URL: %v", err)
+					return
+				}
+
+			}
+			s.wSettings.Close()
+		},
+		OnCancel: func() {
+			s.wSettings.Close()
+		},
+	}
+}
+
+func (s *serviceClient) login() error {
+	conn, err := s.getSrvClient(defaultFailTimeout)
+	if err != nil {
+		log.Errorf("get client: %v", err)
+		return err
+	}
+
+	loginResp, err := conn.Login(s.ctx, &proto.LoginRequest{})
+	if err != nil {
+		log.Errorf("login to management URL with: %v", err)
+		return err
+	}
+
+	if loginResp.NeedsSSOLogin {
+		err = open.Run(loginResp.VerificationURIComplete)
+		if err != nil {
+			log.Errorf("opening the verification uri in the browser failed: %v", err)
+			return err
+		}
+
+		_, err = conn.WaitSSOLogin(s.ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
+		if err != nil {
+			log.Errorf("waiting sso login failed with: %v", err)
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *serviceClient) menuUpClick() error {
+	conn, err := s.getSrvClient(defaultFailTimeout)
+	if err != nil {
+		log.Errorf("get client: %v", err)
+		return err
+	}
+
+	err = s.login()
+	if err != nil {
+		log.Errorf("login failed with: %v", err)
+		return err
+	}
+
+	status, err := conn.Status(s.ctx, &proto.StatusRequest{})
+	if err != nil {
+		log.Errorf("get service status: %v", err)
+		return err
+	}
+
+	if status.Status == string(internal.StatusConnected) {
+		log.Warnf("already connected")
+		return err
+	}
+
+	if _, err := s.conn.Up(s.ctx, &proto.UpRequest{}); err != nil {
+		log.Errorf("up service: %v", err)
+		return err
+	}
+	return nil
+}
+
+func (s *serviceClient) menuDownClick() error {
+	conn, err := s.getSrvClient(defaultFailTimeout)
+	if err != nil {
+		log.Errorf("get client: %v", err)
+		return err
+	}
+
+	status, err := conn.Status(s.ctx, &proto.StatusRequest{})
+	if err != nil {
+		log.Errorf("get service status: %v", err)
+		return err
+	}
+
+	if status.Status != string(internal.StatusConnected) {
+		log.Warnf("already down")
+		return nil
+	}
+
+	if _, err := s.conn.Down(s.ctx, &proto.DownRequest{}); err != nil {
+		log.Errorf("down service: %v", err)
+		return err
+	}
+
+	return nil
+}
+
+func (s *serviceClient) updateStatus() error {
+	conn, err := s.getSrvClient(defaultFailTimeout)
+	if err != nil {
+		return err
+	}
+	err = backoff.Retry(func() error {
+		status, err := conn.Status(s.ctx, &proto.StatusRequest{})
+		if err != nil {
+			log.Errorf("get service status: %v", err)
+			return err
+		}
+
+		if status.Status == string(internal.StatusConnected) {
+			systray.SetIcon(s.icConnected)
+			s.mStatus.SetTitle("Connected")
+			s.mUp.Disable()
+			s.mDown.Enable()
+		} else {
+			systray.SetIcon(s.icDisconnected)
+			s.mStatus.SetTitle("Disconnected")
+			s.mDown.Disable()
+			s.mUp.Enable()
+		}
+		return nil
+	}, &backoff.ExponentialBackOff{
+		InitialInterval:     time.Second,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         300 * time.Millisecond,
+		MaxElapsedTime:      2 * time.Second,
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	})
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (s *serviceClient) onTrayReady() {
+	systray.SetIcon(s.icDisconnected)
+
+	// setup systray menu items
+	s.mStatus = systray.AddMenuItem("Disconnected", "Disconnected")
+	s.mStatus.Disable()
+	systray.AddSeparator()
+	s.mUp = systray.AddMenuItem("Connect", "Connect")
+	s.mDown = systray.AddMenuItem("Disconnect", "Disconnect")
+	s.mDown.Disable()
+	s.mAdminPanel = systray.AddMenuItem("Admin Panel", "Wiretrustee Admin Panel")
+	systray.AddSeparator()
+	s.mSettings = systray.AddMenuItem("Settings", "Settings of the application")
+	systray.AddSeparator()
+	v := systray.AddMenuItem("v"+system.NetbirdVersion(), "Client Version: "+system.NetbirdVersion())
+	v.Disable()
+	systray.AddSeparator()
+	s.mQuit = systray.AddMenuItem("Quit", "Quit the client app")
+
+	go func() {
+		s.getSrvConfig()
+		for {
+			err := s.updateStatus()
+			if err != nil {
+				log.Errorf("error while updating status: %v", err)
+			}
+			time.Sleep(2 * time.Second)
+		}
+	}()
+
+	go func() {
+		var err error
+		for {
+			select {
+			case <-s.mAdminPanel.ClickedCh:
+				err = open.Run(s.adminURL)
+			case <-s.mUp.ClickedCh:
+				go func() {
+					err := s.menuUpClick()
+					if err != nil {
+						return
+					}
+				}()
+			case <-s.mDown.ClickedCh:
+				go func() {
+					err := s.menuDownClick()
+					if err != nil {
+						return
+					}
+				}()
+			case <-s.mSettings.ClickedCh:
+				s.mSettings.Disable()
+				go func() {
+					defer s.mSettings.Enable()
+					proc, err := os.Executable()
+					if err != nil {
+						log.Errorf("show settings: %v", err)
+						return
+					}
+
+					cmd := exec.Command(proc, "--settings=true")
+					out, err := cmd.CombinedOutput()
+					if exitErr, ok := err.(*exec.ExitError); ok && exitErr.ExitCode() == 1 {
+						log.Errorf("start settings UI: %v, %s", err, string(out))
+						return
+					}
+					if len(out) != 0 {
+						log.Info("settings change:", string(out))
+					}
+
+					// update config in systray when settings windows closed
+					s.getSrvConfig()
+				}()
+			case <-s.mQuit.ClickedCh:
+				systray.Quit()
+				return
+			}
+			if err != nil {
+				log.Errorf("process connection: %v", err)
+			}
+		}
+	}()
+}
+
+func (s *serviceClient) onTrayExit() {}
+
+// getSrvClient connection to the service.
+func (s *serviceClient) getSrvClient(timeout time.Duration) (proto.DaemonServiceClient, error) {
+	if s.conn != nil {
+		return s.conn, nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	conn, err := grpc.DialContext(
+		ctx,
+		strings.TrimPrefix(s.addr, "tcp://"),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithBlock(),
+		grpc.WithUserAgent(system.GetDesktopUIUserAgent()),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("dial service: %w", err)
+	}
+
+	s.conn = proto.NewDaemonServiceClient(conn)
+	return s.conn, nil
+}
+
+// getSrvConfig from the service to show it in the settings window.
+func (s *serviceClient) getSrvConfig() {
+	s.managementURL = "https://api.wiretrustee.com:33073"
+	s.adminURL = "https://app.netbird.io"
+
+	conn, err := s.getSrvClient(failFastTimeout)
+	if err != nil {
+		log.Errorf("get client: %v", err)
+		return
+	}
+
+	cfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{})
+	if err != nil {
+		log.Errorf("get config settings from server: %v", err)
+		return
+	}
+
+	if cfg.ManagementUrl != "" {
+		s.managementURL = cfg.ManagementUrl
+	}
+	if cfg.AdminURL != "" {
+		s.adminURL = cfg.AdminURL
+	}
+	s.preSharedKey = cfg.PreSharedKey
+
+	if s.showSettings {
+		s.iMngURL.SetText(s.managementURL)
+		s.iAdminURL.SetText(s.adminURL)
+		s.iConfigFile.SetText(cfg.ConfigFile)
+		s.iLogFile.SetText(cfg.LogFile)
+		s.iPreSharedKey.SetText(cfg.PreSharedKey)
+	}
+}
+
+// checkPIDFile exists and return error, or write new.
+func checkPIDFile() error {
+	pidFile := path.Join(os.TempDir(), "wiretrustee-ui.pid")
+	if piddata, err := ioutil.ReadFile(pidFile); err == nil {
+		if pid, err := strconv.Atoi(string(piddata)); err == nil {
+			if process, err := os.FindProcess(pid); err == nil {
+				if err := process.Signal(syscall.Signal(0)); err == nil {
+					return fmt.Errorf("process already exists: %d", pid)
+				}
+			}
+		}
+	}
+
+	return ioutil.WriteFile(pidFile, []byte(fmt.Sprintf("%d", os.Getpid())), 0o664)
+}

client/ui/config/config.go

@@ -0,0 +1,46 @@
+package config
+
+import (
+	"os"
+	"runtime"
+)
+
+// ClientConfig basic settings for the UI application.
+type ClientConfig struct {
+	configPath string
+	logFile    string
+	daemonAddr string
+}
+
+// Config object with default settings.
+//
+// We are creating this package to extract utility functions from the cmd package
+// reading and parsing the configurations for the client should be done here
+func Config() *ClientConfig {
+	defaultConfigPath := "/etc/wiretrustee/config.json"
+	defaultLogFile := "/var/log/wiretrustee/client.log"
+	if runtime.GOOS == "windows" {
+		defaultConfigPath = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "config.json"
+		defaultLogFile = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "client.log"
+	}
+
+	defaultDaemonAddr := "unix:///var/run/wiretrustee.sock"
+	if runtime.GOOS == "windows" {
+		defaultDaemonAddr = "tcp://127.0.0.1:41731"
+	}
+	return &ClientConfig{
+		configPath: defaultConfigPath,
+		logFile:    defaultLogFile,
+		daemonAddr: defaultDaemonAddr,
+	}
+}
+
+// DaemonAddr of the gRPC API.
+func (c *ClientConfig) DaemonAddr() string {
+	return c.daemonAddr
+}
+
+// LogFile path.
+func (c *ClientConfig) LogFile() string {
+	return c.logFile
+}

client/ui/manifest.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+    <assemblyIdentity
+            version="0.0.0.1"
+            processorArchitecture="*"
+            name="netbird-ui.exe"
+            type="win32"
+    />
+    <description>Netbird UI application</description>
+    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
+        <security>
+            <requestedPrivileges>
+                <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
+            </requestedPrivileges>
+        </security>
+    </trustInfo>
+</assembly>

client/ui/netbird-ui.rb.tmpl

@@ -0,0 +1,39 @@
+{{ $projectName := env.Getenv "PROJECT" }}{{ $amdFilePath := env.Getenv "AMD" }}{{ $armFilePath := env.Getenv "ARM" }}
+{{ $amdURL := env.Getenv "AMD_URL" }}{{ $armURL := env.Getenv "ARM_URL" }}
+{{ $amdFile := filepath.Base $amdFilePath }}{{ $armFile := filepath.Base $armFilePath }}{{ $amdFileBytes := file.Read $amdFilePath }}
+{{ $armFileBytes := file.Read $armFilePath }}# Netbird's UI Client Cask Formula
+cask "{{ $projectName }}" do
+  version "{{ env.Getenv "VERSION" }}"
+
+  if Hardware::CPU.intel?
+      url "{{ $amdURL }}"
+      sha256 "{{ crypto.SHA256 $amdFileBytes }}"
+      app "netbird_ui_darwin_amd64", target: "Netbird UI.app"
+  else
+      url "{{ $armURL }}"
+      sha256 "{{ crypto.SHA256 $armFileBytes }}"
+      app "netbird_ui_darwin_arm64", target: "Netbird UI.app"
+  end
+
+  depends_on formula: "netbird"
+
+  postflight do
+    set_permissions "/Applications/Netbird UI.app/installer.sh", '0755'
+    set_permissions "/Applications/Netbird UI.app/uninstaller.sh", '0755'
+  end
+
+  postflight do
+    system_command "#{appdir}/Netbird UI.app/installer.sh",
+                   args: ["#{version}"],
+                   sudo: true
+  end
+
+  uninstall_preflight do
+    system_command "#{appdir}/Netbird UI.app/uninstaller.sh",
+                   sudo: false
+  end
+
+  name "Netbird UI"
+  desc "Netbird UI Client"
+  homepage "https://www.netbird.io/"
+end

client/ui/netbird.desktop

@@ -0,0 +1,8 @@
+[Desktop Entry]
+Name=Netbird
+Exec=/usr/bin/netbird-ui
+Icon=netbird
+Type=Application
+Terminal=false
+Categories=Utility;
+Keywords=netbird;

client/wireguard_nt.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+ldir=$PWD
+tmp_dir_path=$ldir/.distfiles
+winnt=wireguard-nt.zip
+download_file_path=$tmp_dir_path/$winnt
+download_url=https://download.wireguard.com/wireguard-nt/wireguard-nt-0.10.1.zip
+download_sha=772c0b1463d8d2212716f43f06f4594d880dea4f735165bd68e388fc41b81605
+
+function resources_windows(){
+  cmd=$1
+  arch=$2
+  out=$3
+  docker run -i --rm -v $PWD:$PWD -w $PWD mstorsjo/llvm-mingw:latest $cmd -O coff -c 65001 -I $tmp_dir_path/wireguard-nt/bin/$arch -i resources.rc -o $out
+}
+
+mkdir -p $tmp_dir_path
+curl -L#o $download_file_path.unverified $download_url
+echo "$download_sha  $download_file_path.unverified" | sha256sum -c
+mv $download_file_path.unverified $download_file_path
+
+mkdir -p .deps
+unzip $download_file_path -d $tmp_dir_path
+
+resources_windows i686-w64-mingw32-windres x86 resources_windows_386.syso
+resources_windows aarch64-w64-mingw32-windres arm64 resources_windows_arm64.syso
+resources_windows x86_64-w64-mingw32-windres amd64 resources_windows_amd64.syso

cmd/addpeer.go

@@ -1,45 +0,0 @@
-package cmd
-
-import (
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"github.com/wiretrustee/wiretrustee/connection"
-	"os"
-)
-
-var (
-	key        string
-	allowedIPs string
-
-	addPeerCmd = &cobra.Command{
-		Use:   "add-peer",
-		Short: "add remote peer",
-		Run: func(cmd *cobra.Command, args []string) {
-			InitLog(logLevel)
-
-			if _, err := os.Stat(configPath); os.IsNotExist(err) {
-				log.Error("config doesn't exist, please run 'wiretrustee init' first")
-				os.Exit(ExitSetupFailed)
-			}
-
-			config, _ := Read(configPath)
-			config.Peers = append(config.Peers, connection.Peer{
-				WgPubKey:     key,
-				WgAllowedIps: allowedIPs,
-			})
-
-			err := config.Write(configPath)
-			if err != nil {
-				log.Errorf("failed writing config to %s: %s", config, err.Error())
-				os.Exit(ExitSetupFailed)
-			}
-		},
-	}
-)
-
-func init() {
-	addPeerCmd.PersistentFlags().StringVar(&key, "key", "", "Wireguard public key of the remote peer")
-	addPeerCmd.PersistentFlags().StringVar(&allowedIPs, "allowedIPs", "", "Wireguard Allowed IPs for the remote peer, e.g 10.30.30.2/32")
-	addPeerCmd.MarkPersistentFlagRequired("key")
-	addPeerCmd.MarkPersistentFlagRequired("allowedIPs")
-}

cmd/config.go

@@ -1,58 +0,0 @@
-package cmd
-
-import (
-	"encoding/json"
-	"github.com/pion/ice/v2"
-	"github.com/wiretrustee/wiretrustee/connection"
-	"io/ioutil"
-	"os"
-)
-
-type Config struct {
-	// Wireguard private key of local peer
-	PrivateKey   string
-	Peers        []connection.Peer
-	StunTurnURLs []*ice.URL
-	// host:port of the signal server
-	SignalAddr     string
-	WgAddr         string
-	WgIface        string
-	IFaceBlackList []string
-}
-
-//Write writes configPath to a file
-func (cfg *Config) Write(path string) error {
-	bs, err := json.Marshal(cfg)
-	if err != nil {
-		return err
-	}
-
-	err = ioutil.WriteFile(path, bs, 0600)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-//Read reads configPath from a file
-func Read(path string) (*Config, error) {
-	f, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	bs, err := ioutil.ReadAll(f)
-	if err != nil {
-		return nil, err
-	}
-
-	var cfg Config
-	err = json.Unmarshal(bs, &cfg)
-	if err != nil {
-		return nil, err
-	}
-
-	return &cfg, nil
-}

cmd/init.go

@@ -1,125 +0,0 @@
-package cmd
-
-import (
-	"github.com/pion/ice/v2"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"os"
-	"strings"
-)
-
-var (
-	wgKey       string
-	wgInterface string
-	wgLocalAddr string
-	signalAddr  string
-	stunURLs    string
-	turnURLs    string
-
-	initCmd = &cobra.Command{
-		Use:   "init",
-		Short: "init wiretrustee",
-		Run: func(cmd *cobra.Command, args []string) {
-			InitLog(logLevel)
-
-			if _, err := os.Stat(configPath); !os.IsNotExist(err) {
-				log.Warnf("config already exists under path %s", configPath)
-				os.Exit(ExitSetupFailed)
-			}
-
-			if wgKey == "" {
-				wgKey = generateKey()
-				log.Warnf("there was no Wireguard private key specified, a new Wireguard key has been generated")
-			}
-
-			parsedKey, err := wgtypes.ParseKey(wgKey)
-			if err != nil {
-				log.Errorf("invalid Wireguard private key %s", wgKey)
-				os.Exit(ExitSetupFailed)
-			}
-
-			log.Infof("my public Wireguard key is %s", parsedKey.PublicKey().String())
-
-			var stunTurnURLs []*ice.URL
-			stuns := strings.Split(stunURLs, ",")
-			for _, url := range stuns {
-
-				parsedURL, err := ice.ParseURL(url)
-				if err != nil {
-					log.Errorf("failed parsing STUN URL %s: %s", url, err.Error())
-					os.Exit(ExitSetupFailed)
-				}
-				stunTurnURLs = append(stunTurnURLs, parsedURL)
-			}
-
-			turns := strings.Split(turnURLs, ",")
-			for _, url := range turns {
-
-				var urlToParse string
-				var user string
-				var pwd string
-				//extract user:password from user:password@proto:host:port
-				urlSplit := strings.Split(url, "@")
-				if len(urlSplit) == 2 {
-					urlToParse = urlSplit[1]
-					credential := strings.Split(urlSplit[0], ":")
-					user = credential[0]
-					pwd = credential[1]
-				} else {
-					urlToParse = url
-				}
-
-				parsedURL, err := ice.ParseURL(urlToParse)
-				if err != nil {
-					log.Errorf("failed parsing TURN URL %s: %s", url, err.Error())
-					os.Exit(ExitSetupFailed)
-				}
-				parsedURL.Username = user
-				parsedURL.Password = pwd
-				stunTurnURLs = append(stunTurnURLs, parsedURL)
-			}
-
-			config := &Config{
-				PrivateKey:   wgKey,
-				Peers:        nil,
-				StunTurnURLs: stunTurnURLs,
-				SignalAddr:   signalAddr,
-				WgAddr:       wgLocalAddr,
-				WgIface:      wgInterface,
-			}
-
-			err = config.Write(configPath)
-			if err != nil {
-				log.Errorf("failed writing config to %s: %s", config, err.Error())
-				os.Exit(ExitSetupFailed)
-			}
-
-			log.Infof("a new config has been generated and written to %s", configPath)
-		},
-	}
-)
-
-func init() {
-	initCmd.PersistentFlags().StringVar(&wgKey, "wgKey", "", "Wireguard private key, if not specified a new one will be generated")
-	initCmd.PersistentFlags().StringVar(&wgInterface, "wgInterface", "wiretrustee0", "Wireguard interface name, e.g. wiretreustee0 or wg0")
-	initCmd.PersistentFlags().StringVar(&wgLocalAddr, "wgLocalAddr", "", "Wireguard local address, e.g. 10.30.30.1/24")
-	initCmd.PersistentFlags().StringVar(&signalAddr, "signalAddr", "", "Signal server address, e.g. signal.wiretrustee.com:10000")
-	initCmd.PersistentFlags().StringVar(&stunURLs, "stunURLs", "", "Comma separated STUN server URLs: protocol:host:port, e.g. stun:stun.l.google.com:19302,stun:stun1.l.google.com:19302")
-	//todo user:password@protocol:host:port not the best way to pass TURN credentials, do it according to https://tools.ietf.org/html/rfc7065 E.g. use oauth
-	initCmd.PersistentFlags().StringVar(&turnURLs, "turnURLs", "", "Comma separated TURN server URLs: user:password@protocol:host:port, e.g. user:password@turn:stun.wiretrustee.com:3468")
-	//initCmd.MarkPersistentFlagRequired("configPath")
-	initCmd.MarkPersistentFlagRequired("wgLocalAddr")
-	initCmd.MarkPersistentFlagRequired("signalAddr")
-	initCmd.MarkPersistentFlagRequired("stunURLs")
-	initCmd.MarkPersistentFlagRequired("turnURLs")
-}
-
-// generateKey generates a new Wireguard private key
-func generateKey() string {
-	key, err := wgtypes.GenerateKey()
-	if err != nil {
-		panic(err)
-	}
-	return key.String()
-}

cmd/root.go

@@ -1,56 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"os"
-	"os/signal"
-	"syscall"
-)
-
-const (
-	ExitSetupFailed = 1
-)
-
-var (
-	configPath string
-	logLevel   string
-
-	rootCmd = &cobra.Command{
-		Use:   "wiretrustee",
-		Short: "",
-		Long:  "",
-	}
-)
-
-// Execute executes the root command.
-func Execute() error {
-	return rootCmd.Execute()
-}
-
-func init() {
-	rootCmd.PersistentFlags().StringVar(&configPath, "config", "/etc/wiretrustee/config.json", "Wiretrustee config file location to write new config to")
-	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "")
-	rootCmd.AddCommand(initCmd)
-	rootCmd.AddCommand(addPeerCmd)
-	rootCmd.AddCommand(upCmd)
-	rootCmd.AddCommand(signalCmd)
-}
-
-func SetupCloseHandler() {
-	c := make(chan os.Signal)
-	signal.Notify(c, os.Interrupt, syscall.SIGTERM)
-	<-c
-	fmt.Println("\r- Ctrl+C pressed in Terminal")
-	os.Exit(0)
-}
-
-func InitLog(logLevel string) {
-	level, err := log.ParseLevel(logLevel)
-	if err != nil {
-		log.Errorf("efailed parsing log-level %s: %s", logLevel, err)
-		os.Exit(ExitSetupFailed)
-	}
-	log.SetLevel(level)
-}

cmd/signal.go

@@ -1,46 +0,0 @@
-package cmd
-
-import (
-	"flag"
-	"fmt"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	sig "github.com/wiretrustee/wiretrustee/signal"
-	sProto "github.com/wiretrustee/wiretrustee/signal/proto"
-	"google.golang.org/grpc"
-	"net"
-)
-
-var (
-	port int
-
-	signalCmd = &cobra.Command{
-		Use:   "signal",
-		Short: "start Wiretrustee Signal Server",
-		Run: func(cmd *cobra.Command, args []string) {
-			flag.Parse()
-
-			lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
-			if err != nil {
-				log.Fatalf("failed to listen: %v", err)
-			}
-
-			if err != nil {
-				log.Fatalf("failed to listen: %v", err)
-			}
-			var opts []grpc.ServerOption
-			grpcServer := grpc.NewServer(opts...)
-			sProto.RegisterSignalExchangeServer(grpcServer, sig.NewServer())
-			log.Printf("started server: localhost:%v", port)
-			if err := grpcServer.Serve(lis); err != nil {
-				log.Fatalf("failed to serve: %v", err)
-			}
-
-			SetupCloseHandler()
-		},
-	}
-)
-
-func init() {
-	signalCmd.PersistentFlags().IntVar(&port, "port", 10000, "Server port to listen on (e.g. 10000)")
-}

cmd/up.go

@@ -1,57 +0,0 @@
-package cmd
-
-import (
-	"context"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"github.com/wiretrustee/wiretrustee/connection"
-	sig "github.com/wiretrustee/wiretrustee/signal"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"os"
-)
-
-func toByte32(key wgtypes.Key) *[32]byte {
-	return (*[32]byte)(&key)
-}
-
-var (
-	upCmd = &cobra.Command{
-		Use:   "up",
-		Short: "start wiretrustee",
-		Run: func(cmd *cobra.Command, args []string) {
-			InitLog(logLevel)
-
-			config, _ := Read(configPath)
-
-			myKey, err := wgtypes.ParseKey(config.PrivateKey)
-			if err != nil {
-				log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
-				os.Exit(ExitSetupFailed)
-			}
-
-			ctx := context.Background()
-			signalClient, err := sig.NewClient(config.SignalAddr, myKey, ctx)
-			if err != nil {
-				log.Errorf("error while connecting to the Signal Exchange Service %s: %s", config.SignalAddr, err)
-				os.Exit(ExitSetupFailed)
-			}
-			//todo proper close handling
-			defer func() { signalClient.Close() }()
-
-			iFaceBlackList := make(map[string]struct{})
-			for i := 0; i < len(config.IFaceBlackList); i += 2 {
-				iFaceBlackList[config.IFaceBlackList[i]] = struct{}{}
-			}
-			engine := connection.NewEngine(signalClient, config.StunTurnURLs, config.WgIface, config.WgAddr, iFaceBlackList)
-
-			err = engine.Start(myKey, config.Peers)
-
-			//signalClient.WaitConnected()
-
-			SetupCloseHandler()
-		},
-	}
-)
-
-func init() {
-}

connection/cond.go

@@ -1,32 +0,0 @@
-package connection
-
-import "sync"
-
-// A Cond is a condition variable like sync.Cond, but using a channel so we can use select.
-type Cond struct {
-	once sync.Once
-	C    chan struct{}
-}
-
-// NewCond creates a new condition variable.
-func NewCond() *Cond {
-	return &Cond{C: make(chan struct{})}
-}
-
-// Do runs f if the condition hasn't been signaled yet. Afterwards it will be signaled.
-func (c *Cond) Do(f func()) {
-	c.once.Do(func() {
-		f()
-		close(c.C)
-	})
-}
-
-// Signal closes the condition variable channel.
-func (c *Cond) Signal() {
-	c.Do(func() {})
-}
-
-// Wait waits for the condition variable channel to close.
-func (c *Cond) Wait() {
-	<-c.C
-}

connection/connection.go

@@ -1,307 +0,0 @@
-package connection
-
-import (
-	"context"
-	"fmt"
-	"github.com/pion/ice/v2"
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"sync"
-	"time"
-)
-
-var (
-	DefaultWgKeepAlive = 20 * time.Second
-)
-
-type ConnConfig struct {
-	// Local Wireguard listening address  e.g. 127.0.0.1:51820
-	WgListenAddr string
-	// A Local Wireguard Peer IP address in CIDR notation e.g. 10.30.30.1/24
-	WgPeerIp string
-	// Local Wireguard Interface name (e.g. wg0)
-	WgIface string
-	// Wireguard allowed IPs (e.g. 10.30.30.2/32)
-	WgAllowedIPs string
-	// Local Wireguard private key
-	WgKey wgtypes.Key
-	// Remote Wireguard public key
-	RemoteWgKey wgtypes.Key
-
-	StunTurnURLS []*ice.URL
-
-	iFaceBlackList map[string]struct{}
-}
-
-type IceCredentials struct {
-	uFrag string
-	pwd   string
-}
-
-type Connection struct {
-	Config ConnConfig
-	// signalCandidate is a handler function to signal remote peer about local connection candidate
-	signalCandidate func(candidate ice.Candidate) error
-
-	// signalOffer is a handler function to signal remote peer our connection offer (credentials)
-	signalOffer func(uFrag string, pwd string) error
-
-	// signalOffer is a handler function to signal remote peer our connection answer (credentials)
-	signalAnswer func(uFrag string, pwd string) error
-
-	// remoteAuthChannel is a channel used to wait for remote credentials to proceed with the connection
-	remoteAuthChannel chan IceCredentials
-
-	// agent is an actual ice.Agent that is used to negotiate and maintain a connection to a remote peer
-	agent *ice.Agent
-
-	wgProxy *WgProxy
-
-	connected *Cond
-	closeCond *Cond
-
-	remoteAuthCond sync.Once
-}
-
-func NewConnection(config ConnConfig,
-	signalCandidate func(candidate ice.Candidate) error,
-	signalOffer func(uFrag string, pwd string) error,
-	signalAnswer func(uFrag string, pwd string) error,
-) *Connection {
-
-	return &Connection{
-		Config:            config,
-		signalCandidate:   signalCandidate,
-		signalOffer:       signalOffer,
-		signalAnswer:      signalAnswer,
-		remoteAuthChannel: make(chan IceCredentials, 1),
-		closeCond:         NewCond(),
-		connected:         NewCond(),
-		agent:             nil,
-		wgProxy:           NewWgProxy(config.WgIface, config.RemoteWgKey.String(), config.WgAllowedIPs, config.WgListenAddr),
-	}
-}
-
-// Open opens connection to a remote peer.
-// Will block until the connection has successfully established
-func (conn *Connection) Open(timeout time.Duration) error {
-
-	// create an ice.Agent that will be responsible for negotiating and establishing actual peer-to-peer connection
-	a, err := ice.NewAgent(&ice.AgentConfig{
-		NetworkTypes: []ice.NetworkType{ice.NetworkTypeUDP4},
-		Urls:         conn.Config.StunTurnURLS,
-		InterfaceFilter: func(s string) bool {
-			if conn.Config.iFaceBlackList == nil {
-				return true
-			}
-			_, ok := conn.Config.iFaceBlackList[s]
-			return !ok
-		},
-	})
-	conn.agent = a
-
-	if err != nil {
-		return err
-	}
-
-	err = conn.listenOnLocalCandidates()
-	if err != nil {
-		return err
-	}
-
-	err = conn.listenOnConnectionStateChanges()
-	if err != nil {
-		return err
-	}
-
-	err = conn.signalCredentials()
-	if err != nil {
-		return err
-	}
-
-	log.Infof("trying to connect to peer %s", conn.Config.RemoteWgKey.String())
-
-	// wait until credentials have been sent from the remote peer (will arrive via a signal server)
-	select {
-	case remoteAuth := <-conn.remoteAuthChannel:
-
-		log.Infof("got a connection confirmation from peer %s", conn.Config.RemoteWgKey.String())
-
-		err = conn.agent.GatherCandidates()
-		if err != nil {
-			return err
-		}
-
-		isControlling := conn.Config.WgKey.PublicKey().String() > conn.Config.RemoteWgKey.String()
-		remoteConn, err := conn.openConnectionToRemote(isControlling, remoteAuth)
-		if err != nil {
-			log.Errorf("failed establishing connection with the remote peer %s %s", conn.Config.RemoteWgKey.String(), err)
-			return err
-		}
-
-		err = conn.wgProxy.Start(remoteConn)
-		if err != nil {
-			return err
-		}
-
-		log.Infof("opened connection to peer %s", conn.Config.RemoteWgKey.String())
-	case <-time.After(timeout):
-		err := conn.Close()
-		if err != nil {
-			log.Warnf("error while closing connection to peer %s -> %s", conn.Config.RemoteWgKey.String(), err.Error())
-		}
-		return fmt.Errorf("timeout of %vs exceeded while waiting for the remote peer %s", timeout.Seconds(), conn.Config.RemoteWgKey.String())
-	}
-
-	// wait until connection has been closed
-	select {
-	case <-conn.closeCond.C:
-		return fmt.Errorf("connection to peer %s has been closed", conn.Config.RemoteWgKey.String())
-	}
-}
-
-func (conn *Connection) Close() error {
-	var err error
-	conn.closeCond.Do(func() {
-
-		log.Warnf("closing connection to peer %s", conn.Config.RemoteWgKey.String())
-
-		if a := conn.agent; a != nil {
-			e := a.Close()
-			if e != nil {
-				log.Warnf("error while closing ICE agent of peer connection %s", conn.Config.RemoteWgKey.String())
-				err = e
-			}
-		}
-
-		if c := conn.wgProxy; c != nil {
-			e := c.Close()
-			if e != nil {
-				log.Warnf("error while closingWireguard proxy connection of peer connection %s", conn.Config.RemoteWgKey.String())
-				err = e
-			}
-		}
-	})
-	return err
-}
-
-func (conn *Connection) OnAnswer(remoteAuth IceCredentials) error {
-
-	conn.remoteAuthCond.Do(func() {
-		log.Debugf("OnAnswer from peer %s", conn.Config.RemoteWgKey.String())
-		conn.remoteAuthChannel <- remoteAuth
-	})
-	return nil
-}
-
-func (conn *Connection) OnOffer(remoteAuth IceCredentials) error {
-
-	conn.remoteAuthCond.Do(func() {
-		log.Debugf("OnOffer from peer %s", conn.Config.RemoteWgKey.String())
-		conn.remoteAuthChannel <- remoteAuth
-		uFrag, pwd, err := conn.agent.GetLocalUserCredentials()
-		if err != nil {
-		}
-
-		err = conn.signalAnswer(uFrag, pwd)
-		if err != nil {
-		}
-	})
-
-	return nil
-}
-
-func (conn *Connection) OnRemoteCandidate(candidate ice.Candidate) error {
-
-	log.Debugf("onRemoteCandidate from peer %s -> %s", conn.Config.RemoteWgKey.String(), candidate.String())
-
-	err := conn.agent.AddRemoteCandidate(candidate)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// openConnectionToRemote opens an ice.Conn to the remote peer. This is a real peer-to-peer connection
-// blocks until connection has been established
-func (conn *Connection) openConnectionToRemote(isControlling bool, credentials IceCredentials) (*ice.Conn, error) {
-	var realConn *ice.Conn
-	var err error
-
-	if isControlling {
-		realConn, err = conn.agent.Dial(context.TODO(), credentials.uFrag, credentials.pwd)
-	} else {
-		realConn, err = conn.agent.Accept(context.TODO(), credentials.uFrag, credentials.pwd)
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	return realConn, err
-}
-
-// signalCredentials prepares local user credentials and signals them to the remote peer
-func (conn *Connection) signalCredentials() error {
-	localUFrag, localPwd, err := conn.agent.GetLocalUserCredentials()
-	if err != nil {
-		return err
-	}
-
-	err = conn.signalOffer(localUFrag, localPwd)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// listenOnLocalCandidates registers callback of an ICE Agent to receive new local connection candidates and then
-// signals them to the remote peer
-func (conn *Connection) listenOnLocalCandidates() error {
-	err := conn.agent.OnCandidate(func(candidate ice.Candidate) {
-		if candidate != nil {
-			log.Debugf("discovered local candidate %s", candidate.String())
-			err := conn.signalCandidate(candidate)
-			if err != nil {
-				log.Errorf("failed signaling candidate to the remote peer %s %s", conn.Config.RemoteWgKey.String(), err)
-				//todo ??
-				return
-			}
-		}
-	})
-
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// listenOnConnectionStateChanges registers callback of an ICE Agent to track connection state
-func (conn *Connection) listenOnConnectionStateChanges() error {
-	err := conn.agent.OnConnectionStateChange(func(state ice.ConnectionState) {
-		log.Debugf("ICE Connection State has changed for peer %s -> %s", conn.Config.RemoteWgKey.String(), state.String())
-		if state == ice.ConnectionStateConnected {
-			// closed the connection has been established we can check the selected candidate pair
-			pair, err := conn.agent.GetSelectedCandidatePair()
-			if err != nil {
-				log.Errorf("failed selecting active ICE candidate pair %s", err)
-				return
-			}
-			log.Infof("will connect to peer %s via a selected connnection candidate pair %s", conn.Config.RemoteWgKey.String(), pair)
-		} else if state == ice.ConnectionStateDisconnected || state == ice.ConnectionStateFailed {
-			// todo do we really wanna have a connection restart within connection itself? Think of moving it outside
-			err := conn.Close()
-			if err != nil {
-				log.Warnf("error while closing connection to peer %s -> %s", conn.Config.RemoteWgKey.String(), err.Error())
-			}
-		}
-	})
-
-	if err != nil {
-		return err
-	}
-
-	return nil
-}

connection/engine.go

@@ -1,240 +0,0 @@
-package connection
-
-import (
-	"fmt"
-	"github.com/cenkalti/backoff/v4"
-	"github.com/pion/ice/v2"
-	log "github.com/sirupsen/logrus"
-	"github.com/wiretrustee/wiretrustee/iface"
-	"github.com/wiretrustee/wiretrustee/signal"
-	sProto "github.com/wiretrustee/wiretrustee/signal/proto"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"time"
-)
-
-type Engine struct {
-	// a list of STUN and TURN servers
-	stunsTurns []*ice.URL
-	// signal server client
-	signal *signal.Client
-	// peer agents indexed by local public key of the remote peers
-	conns map[string]*Connection
-	// Wireguard interface
-	wgIface string
-	// Wireguard local address
-	wgIp string
-
-	iFaceBlackList map[string]struct{}
-}
-
-type Peer struct {
-	WgPubKey     string
-	WgAllowedIps string
-}
-
-func NewEngine(signal *signal.Client, stunsTurns []*ice.URL, wgIface string, wgAddr string,
-	iFaceBlackList map[string]struct{}) *Engine {
-	return &Engine{
-		stunsTurns:     stunsTurns,
-		signal:         signal,
-		wgIface:        wgIface,
-		wgIp:           wgAddr,
-		conns:          map[string]*Connection{},
-		iFaceBlackList: iFaceBlackList,
-	}
-}
-
-func (e *Engine) Start(myKey wgtypes.Key, peers []Peer) error {
-
-	err := iface.Create(e.wgIface, e.wgIp)
-	if err != nil {
-		log.Errorf("error while creating interface %s: [%s]", e.wgIface, err.Error())
-		return err
-	}
-
-	err = iface.Configure(e.wgIface, myKey.String())
-	if err != nil {
-		log.Errorf("error while configuring Wireguard interface [%s]: %s", e.wgIface, err.Error())
-		return err
-	}
-
-	wgPort, err := iface.GetListenPort(e.wgIface)
-	if err != nil {
-		log.Errorf("error while getting Wireguard interface port [%s]: %s", e.wgIface, err.Error())
-		return err
-	}
-
-	e.receiveSignal()
-
-	// initialize peer agents
-	for _, peer := range peers {
-
-		peer := peer
-		go func() {
-			var backOff = &backoff.ExponentialBackOff{
-				InitialInterval:     backoff.DefaultInitialInterval,
-				RandomizationFactor: backoff.DefaultRandomizationFactor,
-				Multiplier:          backoff.DefaultMultiplier,
-				MaxInterval:         5 * time.Second,
-				MaxElapsedTime:      time.Duration(0), //never stop
-				Stop:                backoff.Stop,
-				Clock:               backoff.SystemClock,
-			}
-			operation := func() error {
-				_, err := e.openPeerConnection(*wgPort, myKey, peer)
-				if err != nil {
-					log.Warnln("retrying connection because of error: ", err.Error())
-					e.conns[peer.WgPubKey] = nil
-					return err
-				}
-				backOff.Reset()
-				return nil
-			}
-
-			err = backoff.Retry(operation, backOff)
-			if err != nil {
-				// should actually never happen
-				panic(err)
-			}
-		}()
-	}
-	return nil
-}
-
-func (e *Engine) openPeerConnection(wgPort int, myKey wgtypes.Key, peer Peer) (*Connection, error) {
-
-	remoteKey, _ := wgtypes.ParseKey(peer.WgPubKey)
-	connConfig := &ConnConfig{
-		WgListenAddr:   fmt.Sprintf("127.0.0.1:%d", wgPort),
-		WgPeerIp:       e.wgIp,
-		WgIface:        e.wgIface,
-		WgAllowedIPs:   peer.WgAllowedIps,
-		WgKey:          myKey,
-		RemoteWgKey:    remoteKey,
-		StunTurnURLS:   e.stunsTurns,
-		iFaceBlackList: e.iFaceBlackList,
-	}
-
-	signalOffer := func(uFrag string, pwd string) error {
-		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, false)
-	}
-
-	signalAnswer := func(uFrag string, pwd string) error {
-		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, true)
-	}
-	signalCandidate := func(candidate ice.Candidate) error {
-		return signalCandidate(candidate, myKey, remoteKey, e.signal)
-	}
-
-	conn := NewConnection(*connConfig, signalCandidate, signalOffer, signalAnswer)
-	e.conns[remoteKey.String()] = conn
-	// blocks until the connection is open (or timeout)
-	err := conn.Open(60 * time.Second)
-	if err != nil {
-		return nil, err
-	}
-	return conn, nil
-}
-
-func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client) error {
-	err := s.Send(&sProto.Message{
-		Key:       myKey.PublicKey().String(),
-		RemoteKey: remoteKey.String(),
-		Body: &sProto.Body{
-			Type:    sProto.Body_CANDIDATE,
-			Payload: candidate.Marshal(),
-		},
-	})
-	if err != nil {
-		log.Errorf("failed signaling candidate to the remote peer %s %s", remoteKey.String(), err)
-		//todo ??
-		return err
-	}
-
-	return nil
-}
-
-func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client, isAnswer bool) error {
-
-	var t sProto.Body_Type
-	if isAnswer {
-		t = sProto.Body_ANSWER
-	} else {
-		t = sProto.Body_OFFER
-	}
-
-	msg, err := signal.MarshalCredential(myKey, remoteKey, &signal.Credential{
-		UFrag: uFrag,
-		Pwd:   pwd}, t)
-
-	err = s.Send(msg)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (e *Engine) receiveSignal() {
-	// connect to a stream of messages coming from the signal server
-	e.signal.Receive(func(msg *sProto.Message) error {
-
-		conn := e.conns[msg.Key]
-		if conn == nil {
-			return fmt.Errorf("wrongly addressed message %s", msg.Key)
-		}
-
-		if conn.Config.RemoteWgKey.String() != msg.Key {
-			return fmt.Errorf("unknown peer %s", msg.Key)
-		}
-
-		switch msg.GetBody().Type {
-		case sProto.Body_OFFER:
-			remoteCred, err := signal.UnMarshalCredential(msg)
-			if err != nil {
-				return err
-			}
-			err = conn.OnOffer(IceCredentials{
-				uFrag: remoteCred.UFrag,
-				pwd:   remoteCred.Pwd,
-			})
-
-			if err != nil {
-				return err
-			}
-
-			return nil
-		case sProto.Body_ANSWER:
-			remoteCred, err := signal.UnMarshalCredential(msg)
-			if err != nil {
-				return err
-			}
-			err = conn.OnAnswer(IceCredentials{
-				uFrag: remoteCred.UFrag,
-				pwd:   remoteCred.Pwd,
-			})
-
-			if err != nil {
-				return err
-			}
-
-		case sProto.Body_CANDIDATE:
-
-			candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
-			if err != nil {
-				log.Errorf("failed on parsing remote candidate %s -> %s", candidate, err)
-				return err
-			}
-
-			err = conn.OnRemoteCandidate(candidate)
-			if err != nil {
-				log.Errorf("error handling CANDIATE from %s", msg.Key)
-				return err
-			}
-		}
-
-		return nil
-	})
-
-	e.signal.WaitConnected()
-}

connection/wgproxy.go

@@ -1,111 +0,0 @@
-package connection
-
-import (
-	"github.com/pion/ice/v2"
-	log "github.com/sirupsen/logrus"
-	"github.com/wiretrustee/wiretrustee/iface"
-	"net"
-)
-
-type WgProxy struct {
-	iface      string
-	remoteKey  string
-	allowedIps string
-	wgAddr     string
-	close      chan struct{}
-	wgConn     net.Conn
-}
-
-func NewWgProxy(iface string, remoteKey string, allowedIps string, wgAddr string) *WgProxy {
-	return &WgProxy{
-		iface:      iface,
-		remoteKey:  remoteKey,
-		allowedIps: allowedIps,
-		wgAddr:     wgAddr,
-		close:      make(chan struct{}),
-	}
-}
-
-func (p *WgProxy) Close() error {
-
-	close(p.close)
-	if c := p.wgConn; c != nil {
-		err := p.wgConn.Close()
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (p *WgProxy) Start(remoteConn *ice.Conn) error {
-
-	wgConn, err := net.Dial("udp", p.wgAddr)
-	if err != nil {
-		log.Fatalf("failed dialing to local Wireguard port %s", err)
-		return err
-	}
-	p.wgConn = wgConn
-	// add local proxy connection as a Wireguard peer
-	err = iface.UpdatePeer(p.iface, p.remoteKey, p.allowedIps, DefaultWgKeepAlive,
-		wgConn.LocalAddr().String())
-	if err != nil {
-		log.Errorf("error while configuring Wireguard peer [%s] %s", p.remoteKey, err.Error())
-		return err
-	}
-
-	go func() { p.proxyToRemotePeer(remoteConn) }()
-	go func() { p.proxyToLocalWireguard(remoteConn) }()
-
-	return err
-}
-
-// proxyToRemotePeer proxies everything from Wireguard to the remote peer
-// blocks
-func (p *WgProxy) proxyToRemotePeer(remoteConn *ice.Conn) {
-
-	buf := make([]byte, 1500)
-	for {
-		select {
-		case <-p.close:
-			log.Infof("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
-			return
-		default:
-			n, err := p.wgConn.Read(buf)
-			if err != nil {
-				//log.Warnln("failed reading from peer: ", err.Error())
-				continue
-			}
-
-			n, err = remoteConn.Write(buf[:n])
-			if err != nil {
-				//log.Warnln("failed writing to remote peer: ", err.Error())
-			}
-		}
-	}
-}
-
-// proxyToLocalWireguard proxies everything from the remote peer to local Wireguard
-// blocks
-func (p *WgProxy) proxyToLocalWireguard(remoteConn *ice.Conn) {
-
-	buf := make([]byte, 1500)
-	for {
-		select {
-		case <-p.close:
-			log.Infof("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
-			return
-		default:
-			n, err := remoteConn.Read(buf)
-			if err != nil {
-				//log.Errorf("failed reading from remote connection %s", err)
-			}
-
-			n, err = p.wgConn.Write(buf[:n])
-			if err != nil {
-				//log.Errorf("failed writing to local Wireguard instance %s", err)
-			}
-		}
-	}
-}

docs/README.md

@@ -0,0 +1,104 @@
+### Table of contents
+
+* [About Netbird](#about-netbird)
+* [Why Wireguard with Netbird?](#why-wireguard-with-netbird)
+* [Netbird vs. Traditional VPN](#netbird-vs-traditional-vpn)
+* [High-level technology overview](#high-level-technology-overview)
+* [Getting started](#getting-started)
+
+### About Netbird
+
+Netbird is an open-source VPN platform built on top of [WireGuard®](https://www.wireguard.com/) making it easy to create secure private networks for your organization or home.
+
+It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, vpn gateways, and so forth.
+
+There is no centralized VPN server with Netbird - your computers, devices, machines, and servers connect to each other directly over a fast encrypted tunnel.
+
+It literally takes less than 5 minutes to provision a secure peer-to-peer VPN with Netbird. Check our [Quickstart Guide Video](https://www.youtube.com/watch?v=cWTsGUJAUaU) to see the setup in action.
+
+### Why Wireguard with Netbird?
+
+WireGuard is a modern and extremely fast VPN tunnel utilizing state-of-the-art [cryptography](https://www.wireguard.com/protocol/)
+and Netbird uses Wireguard to establish a secure tunnel between machines.
+
+Built with simplicity in mind, Wireguard ensures that traffic between two machines is encrypted and flowing, however, it requires a few things to be done beforehand.
+
+First, in order to connect, the machines have to be configured.
+On each machine, you need to generate private and public keys and prepare a WireGuard configuration file.
+The configuration also includes a private IP address that should be unique per machine.
+
+Secondly, to accept the incoming traffic, the machines have to trust each other.
+The generated public keys have to be pre-shared on the machines.
+This works similarly to SSH with its authorised_keys file.
+
+Lastly, the connectivity between the machines has to be ensured.
+To make machines reach one another, you are required to set a WireGuard endpoint property which indicates the IP address and port of the remote machine to connect to.
+On many occasions, machines are hidden behind firewalls and NAT devices,
+meaning that you may need to configure a port forwarding or open holes in your firewall to ensure the machines are reachable.
+
+The undertakings mentioned above might not be complicated if you have just a few machines, but the complexity grows as the number of machines increases.
+
+Netbird simplifies the setup by automatically generating private and public keys, assigning unique private IP addresses, and takes care of sharing public keys between the machines.
+It is worth mentioning that the private key never leaves the machine.
+So only the machine that owns the key can decrypt traffic addressed to it.
+The same applies also to the relayed traffic mentioned below.
+
+Furthermore, Netbird ensures connectivity by leveraging advanced [NAT traversal techniques](https://en.wikipedia.org/wiki/NAT_traversal)
+and removing the necessity of port forwarding, opening holes in the firewall, and having a public static IP address.  
+In cases when a direct peer-to-peer connection isn't possible, all traffic is relayed securely between peers.
+Netbird also monitors the connection health and restarts broken connections.
+
+There are a few more things that we are working on to make secure private networks simple. A few examples are ACLs, MFA and activity monitoring.
+
+Check out the WireGuard [Quick Start](https://www.wireguard.com/quickstart/) guide to learn more about configuring "plain" WireGuard without Netbird.
+
+### Netbird vs. Traditional VPN
+
+In the traditional VPN model, everything converges on a centralized, protected network where all the clients are connecting to a central VPN server.
+
+An increasing amount of connections can easily overload the VPN server.
+Even a short downtime of a server can cause expensive system disruptions, and a remote team's inability to work.
+
+Centralized VPNs imply all the traffic going through the central server causing network delays and increased traffic usage.
+
+Such systems require an experienced team to set up and maintain.
+Configuring firewalls, setting up NATs, SSO integration, and managing access control lists can be a nightmare.
+
+Traditional centralized VPNs are often compared to a [castle-and-moat](https://en.wikipedia.org/wiki/Moat) model
+in which once accessed, user is trusted and can access critical infrastructure and resources without any restrictions.
+
+Netbird decentralizes networks using direct point-to-point connections, as opposed to traditional models.
+Consequently, network performance is increased since traffic flows directly between the machines bypassing VPN servers or gateways.
+To achieve this, Netbird client applications employ signalling servers to find other machines and negotiate connections.
+These are similar to the signaling servers used in [WebRTC](https://developer.mozilla.org/en-US/docs/Web/API/WebRTC_API/Signaling_and_video_calling#the_signaling_server)
+
+Thanks to [NAT traversal techniques](https://en.wikipedia.org/wiki/NAT_traversal),
+outlined in the [Why not just Wireguard?](#why-wireguard-with-netbird) section above,
+Netbird installation doesn't require complex network and firewall configuration.
+It just works, minimising the maintenance effort.
+
+Finally, each machine or device in the Netbird network verifies incoming connections accepting only the trusted ones.
+This is ensured by Wireguard's [Crypto Routing concept](https://www.wireguard.com/#cryptokey-routing).
+
+### High-level technology overview
+In essence, Netbird is an open source platform consisting of a collection of systems, responsible for handling peer-to-peer connections, tunneling and network management (IP, keys, ACLs, etc).
+
+<p align="center">
+    <img src="media/high-level-dia.png" alt="high-level-dia" width="781"/>
+</p>
+
+Netbird uses open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn),
+and [software](https://github.com/netbirdio/netbird) developed by Netbird authors to make it all work together.
+
+To learn more about Netbird architecture, please refer to the [architecture section](../docs/architecture.md).
+
+### Getting Started
+
+There are 2 ways of getting started with Netbird:
+- use Cloud Managed version
+- self-hosting
+
+We recommend starting with the cloud managed version hosted at [app.netbird.io](https://app.netbird.io) - the quickest way to get familiar with the system.
+See [Quickstart Guide](../docs/quickstart.md) for instructions.
+
+If you don't want to use the managed version, check out our [Self-hosting Guide](../docs/self-hosting.md).

docs/architecture.md

@@ -0,0 +1,2 @@
+### Architecture
+TODO

docs/quickstart.md

@@ -0,0 +1,41 @@
+## Quickstart guide (Cloud Managed version)
+Step-by-step video guide on YouTube:
+
+[![IMAGE ALT TEXT](https://img.youtube.com/vi/cWTsGUJAUaU/0.jpg)](https://youtu.be/cWTsGUJAUaU "Netbird - secure private network in less than 5 minutes")
+
+This guide describes how to create secure VPN and connect 2 machines peer-to-peer.
+
+One machine is a Raspberry Pi Compute Module 4 hosted at home (Peer A), and the other one is a regular Ubuntu server running in the Data Center (Peer B).
+Both machines are running Linux (Raspbian and Ubuntu respectively), but you could also use Mac or Windows operating systems.
+
+1. Sign-up at [https://app.netbird.io/](https://app.netbird.io/)
+
+    You can use your email and password to sign-up or any available social login option (e.g., GitHub account)
+    
+    <img src="media/auth.png" alt="auth" width="350"/>
+
+2. After a successful login you will be redirected to the ```Peers``` screen which is empty because you don't have any peers yet.
+   
+    Click ```Add peer``` to add a new machine.
+    
+    <img src="media/empty-peers.png" alt="empty-peers" width="700"/>
+    
+3.  Choose a setup key which will be used to associate your new machine with your account (in our case it is ```Default key```).
+
+    Choose your machine operating system (in our case it is ```Linux```) and proceed with the installation steps on the machine.
+
+    <img src="media/add-peer.png" alt="add-peer" width="700"/>    
+
+4. Repeat #3 for the 2nd machine.
+5. Return to ```Peers``` and you should notice 2 new machines with status ```Connected```
+   
+    <img src="media/peers.png" alt="peers" width="700"/>
+
+6. To test the connection you could try pinging devices:
+   
+    On Peer A:
+    ```ping 100.64.0.2```
+    
+    On Peer B:
+    ```ping 100.64.0.1```
+7. Done! You now have a secure peer-to-peer VPN configured.

docs/self-hosting.md

@@ -0,0 +1,106 @@
+### Self-hosting
+Netbird is an open-source platform that can be self-hosted on your servers.
+
+It relies on components developed by Netbird Authors [Management Service](https://github.com/netbirdio/netbird/tree/main/management), [Management UI Dashboard](https://github.com/netbirdio/dashboard), [Signal Service](https://github.com/netbirdio/netbird/tree/main/signal), 
+a 3rd party open-source STUN/TURN service [Coturn](https://github.com/coturn/coturn) and a 3rd party service [Auth0](https://auth0.com/).
+
+All the components can be self-hosted except for the Auth0 service.
+We chose Auth0 to "outsource" the user management part of the platform because we believe that implementing a proper user auth requires significant amount of time to make it right. 
+We focused on connectivity instead. It also offers an always free plan that should be ok for most users as its limits are high enough for most teams.
+
+If you would like to learn more about the architecture please refer to the [Netbird Architecture section](architecture.md).
+
+### Step-by-step video guide on YouTube:
+
+[![IMAGE ALT TEXT](https://img.youtube.com/vi/Ofpgx5WhT0k/0.jpg)](https://youtu.be/Ofpgx5WhT0k "Netbird Self-Hosting Guide")
+
+### Requirements
+
+- Virtual machine offered by any cloud provider (e.g., AWS, DigitalOcean, Hetzner, Google Cloud, Azure ...). 
+- Any Unix OS.
+- Docker Compose installed (see [Install Docker Compose](https://docs.docker.com/compose/install/)).
+- Domain name pointing to the public IP address of your server.
+- Netbird Open ports ```443, 33071, 33073, 10000``` (Dashboard, Management HTTP API, Management gRpc API, Signal gRpc) on your server. 
+- Coturn is used for relay using the STUN/TURN protocols. It requires a listening port, ```UDP 3478```,  and range of ports,```UDP 49152-65535```, for dynamic relay connections. These are set as defaults in [setup file](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/setup.env#L34), but can be configured to your requirements. 
+- Maybe a cup of coffee or tea :)
+
+### Step-by-step guide
+
+For this tutorial we will be using domain ```test.netbird.io``` which points to our Ubuntu 20.04 machine hosted at Hetzner.
+
+1. Create Auth0 account at [auth0.com](https://auth0.com/).
+2. Login to your server, clone Netbird repository:
+   
+   ```bash 
+   git clone https://github.com/netbirdio/netbird.git netbird/
+   ```
+   
+   and switch to the ```netbird/infrastructure_files/``` folder that contains docker compose file:
+   
+   ```bash 
+   cd netbird/infrastructure_files/
+   ```
+3. Prepare configuration files.
+   
+   To simplify the setup we have prepared a script to substitute required properties in the [turnserver.conf.tmpl](../infrastructure_files/turnserver.conf.tmpl),[docker-compose.yml.tmpl](../infrastructure_files/docker-compose.yml.tmpl) and [management.json.tmpl](../infrastructure_files/management.json.tmpl) files.
+   
+   The [setup.env](../infrastructure_files/setup.env) file contains the following properties that have to be filled:
+   
+   ```bash
+   # Dashboard domain. e.g. app.mydomain.com
+   NETBIRD_DOMAIN=""
+   # e.g. dev-24vkclam.us.auth0.com
+   NETBIRD_AUTH0_DOMAIN=""
+   # e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
+   NETBIRD_AUTH0_CLIENT_ID=""
+   # e.g. https://app.mydomain.com/ or https://app.mydomain.com,
+   # Make sure you used the exact same value for Identifier
+   # you used when creating your Auth0 API
+   NETBIRD_AUTH0_AUDIENCE=""
+   # e.g. hello@mydomain.com
+   NETBIRD_LETSENCRYPT_EMAIL=""
+   ```
+   > Other options are available, but they are automatically updated.
+   
+   Please follow the steps to get the values. 
+
+4. Configure ```NETBIRD_AUTH0_DOMAIN``` ```NETBIRD_AUTH0_CLIENT_ID``` ```NETBIRD_AUTH0_AUDIENCE``` properties.          
+   
+   * To obtain these, please use [Auth0 React SDK Guide](https://auth0.com/docs/quickstart/spa/react/01-login#configure-auth0) up until "Install the Auth0 React SDK".
+   
+      :grey_exclamation: Use ```https://YOUR DOMAIN``` as ````Allowed Callback URLs````, ```Allowed Logout URLs```, ```Allowed Web Origins``` and ```Allowed Origins (CORS)```
+   * set the variables in the ```setup.env```
+5. Configure ```NETBIRD_AUTH0_AUDIENCE``` property. 
+   
+   * Check [Auth0 Golang API Guide](https://auth0.com/docs/quickstart/backend/golang) to obtain AuthAudience.
+   * set the property in the ```setup.env``` file.
+6. Configure ```NETBIRD_LETSENCRYPT_EMAIL``` property.
+   
+   This can be any email address. [Let's Encrypt](https://letsencrypt.org/) will create an account while generating a new certificate.    
+
+7. Make sure all the properties set in the ```setup.env``` file and run: 
+   
+    ```bash
+    ./configure.sh
+    ```
+   
+   This will export all the properties as environment variables and generate ```docker-compose.yml``` and ```management.json``` files substituting required variables.
+
+8. Run docker compose:
+
+   ```bash
+   docker-compose up -d
+   ```
+9. Optionally check the logs by running: 
+        
+    ```bash
+    docker-compose logs signal
+    docker-compose logs management
+    docker-compose logs coturn
+    docker-compose logs dashboard
+
+10. Once the server is running, you can access the dashboard by https://$NETBIRD_DOMAIN
+11. Adding a peer will require you to enter the management URL by following the steps in the page https://$NETBIRD_DOMAIN/add-peer and in the 3rd step:
+```shell
+sudo netbird up --setup-key <PASTE-SETUP-KEY> --management-url https://$NETBIRD_DOMAIN:33073
+```