Remove unused wait group

Add parallel processing
Fix Linux implementation
2026-04-03 16:13:53 -04:00 · 2023-04-18 18:59:11 +02:00 · 2023-04-17 16:44:45 +02:00 · 2023-04-17 14:46:14 +02:00 · 2023-04-17 14:37:51 +02:00 · 2023-04-17 14:37:51 +02:00
222 changed files with 14583 additions and 4169 deletions
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -6,6 +6,10 @@ on:
      - main
  pull_request:

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
 jobs:
  test:
    runs-on: macos-latest
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -6,6 +6,10 @@ on:
      - main
  pull_request:

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
 jobs:
  test:
    strategy:
@@ -66,13 +70,13 @@ jobs:
        run: go mod tidy

      - name: Generate Iface Test bin
-        run: go test -c -o iface-testing.bin ./iface/...
+        run: go test -c -o iface-testing.bin ./iface/

      - name: Generate RouteManager Test bin
        run: go test -c -o routemanager-testing.bin ./client/internal/routemanager/...

      - name: Generate Engine Test bin
-        run: go test -c -o engine-testing.bin ./client/internal/*.go
+        run: go test -c -o engine-testing.bin ./client/internal

      - name: Generate Peer Test bin
        run: go test -c -o peer-testing.bin ./client/internal/peer/...
@@ -89,4 +93,4 @@ jobs:
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1

      - name: Run Peer tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -6,47 +6,45 @@ on:
      - main
  pull_request:

+env:
+  downloadPath: '${{ github.workspace }}\temp'
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
 jobs:
-  pre:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - run: bash -x wireguard_nt.sh
-        working-directory: client
-
-      - uses: actions/upload-artifact@v2
-        with:
-          name: syso
-          path: client/*.syso
-          retention-days: 1
-
  test:
-    needs: pre
    runs-on: windows-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3

      - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
+        id: go
        with:
          go-version: 1.19.x

-      - uses: actions/cache@v2
+      - name: Download wintun
+        uses: carlosperate/download-file-action@v2
+        id: download-wintun
        with:
-          path: |
-            %LocalAppData%\go-build
-            ~\go\pkg\mod
-            ~\AppData\Local\go-build
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+          file-url: https://www.wintun.net/builds/wintun-0.14.1.zip
+          file-name: wintun.zip
+          location: ${{ env.downloadPath }}
+          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'

-      - uses: actions/download-artifact@v2
-        with:
-          name: syso
-          path: iface\
+      - name: Decompressing wintun files
+        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}

-      - name: Test
-        run: go test -tags=load_wgnt_from_rsrc -timeout 5m -p 1 ./...
+      - run: mv ${{ env.downloadPath }}/wintun/bin/amd64/wintun.dll 'C:\Windows\System32\'
+
+      - run: choco install -y sysinternals
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=C:\Users\runneradmin\go\pkg\mod
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=C:\Users\runneradmin\AppData\Local\go-build
+
+      - name: test
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 5m -p 1 ./... > test-out.txt 2>&1"
+      - name: test output
+        if: ${{ always() }}
+        run: Get-Content test-out.txt
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -1,5 +1,8 @@
 name: golangci-lint
 on: [pull_request]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
 jobs:
  golangci:
    name: lint
--- a/.github/workflows/install-test-darwin.yml
+++ b/.github/workflows/install-test-darwin.yml
@@ -0,0 +1,60 @@
+name: Test installation Darwin
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - "release_files/install.sh"
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+jobs:
+  install-cli-only:
+    runs-on: macos-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Rename brew package
+        if: ${{ matrix.check_bin_install }}
+        run: mv /opt/homebrew/bin/brew /opt/homebrew/bin/brew.bak
+
+      - name: Run install script
+        run: |
+          sh ./release_files/install.sh
+        env:
+          SKIP_UI_APP: true
+
+      - name: Run tests
+        run: |
+          if ! command -v netbird &> /dev/null; then
+            echo "Error: netbird is not installed"
+            exit 1
+          fi
+  install-all:
+    runs-on: macos-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Rename brew package
+        if: ${{ matrix.check_bin_install }}
+        run: mv /opt/homebrew/bin/brew /opt/homebrew/bin/brew.bak
+
+      - name: Run install script
+        run: |
+          sh ./release_files/install.sh
+
+      - name: Run tests
+        run: |
+          if ! command -v netbird &> /dev/null; then
+              echo "Error: netbird is not installed"
+              exit 1
+          fi
+
+          if [[ $(mdfind "kMDItemContentType == 'com.apple.application-bundle' && kMDItemFSName == '*NetBird UI.app'") ]]; then
+            echo "Error: NetBird UI is not installed"
+            exit 1
+          fi
--- a/.github/workflows/install-test-linux.yml
+++ b/.github/workflows/install-test-linux.yml
@@ -0,0 +1,38 @@
+name: Test installation Linux
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - "release_files/install.sh"
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+jobs:
+  install-cli-only:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        check_bin_install: [true, false]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Rename apt package
+        if: ${{ matrix.check_bin_install }}
+        run: |
+          sudo mv /usr/bin/apt /usr/bin/apt.bak
+          sudo mv /usr/bin/apt-get /usr/bin/apt-get.bak
+
+      - name: Run install script
+        run: |
+          sh ./release_files/install.sh
+
+      - name: Run tests
+        run: |
+          if ! command -v netbird &> /dev/null; then
+            echo "Error: netbird is not installed"
+            exit 1
+          fi
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,9 +9,13 @@ on:
  pull_request:

 env:
-  SIGN_PIPE_VER: "v0.0.5"
+  SIGN_PIPE_VER: "v0.0.6"
  GORELEASER_VER: "v1.14.1"

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
 jobs:
  release:
    runs-on: ubuntu-latest
@@ -21,10 +25,6 @@ jobs:
        uses: actions/checkout@v2
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
-
-      - name: Generate syso with DLL
-        run: bash -x wireguard_nt.sh
-        working-directory: client
      -
        name: Set up Go
        uses: actions/setup-go@v2
@@ -59,6 +59,17 @@ jobs:
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Install OS build dependencies
        run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
+
+      - name: Install rsrc
+        run: go install github.com/akavel/rsrc@v0.10.2
+      - name: Generate windows rsrc amd64
+        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_amd64.syso
+      - name: Generate windows rsrc arm64
+        run: rsrc -arch arm64 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_arm64.syso
+      - name: Generate windows rsrc arm
+        run: rsrc -arch arm -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_arm.syso
+      - name: Generate windows rsrc 386
+        run: rsrc -arch 386 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_386.syso
      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v2
--- a/.github/workflows/test-docker-compose-linux.yml
+++ b/.github/workflows/test-docker-compose-linux.yml
@@ -6,6 +6,10 @@ on:
      - main
  pull_request:

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -59,6 +63,11 @@ jobs:
          CI_NETBIRD_AUTH_TOKEN_ENDPOINT: https://example.eu.auth0.com/oauth/token
          CI_NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT: https://example.eu.auth0.com/oauth/device/code
          CI_NETBIRD_AUTH_REDIRECT_URI: "/peers"
+          CI_NETBIRD_TOKEN_SOURCE: "idToken"
+          CI_NETBIRD_AUTH_USER_ID_CLAIM: "email"
+          CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE: "super"
+          CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE: "openid email"
+
        run: |
          grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
          grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
@@ -68,6 +77,12 @@ jobs:
          grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "$CI_NETBIRD_DOMAIN:33073"
          grep AUTH_REDIRECT_URI docker-compose.yml | grep $CI_NETBIRD_AUTH_REDIRECT_URI
          grep AUTH_SILENT_REDIRECT_URI docker-compose.yml | egrep 'AUTH_SILENT_REDIRECT_URI=$'
+          grep LETSENCRYPT_DOMAIN docker-compose.yml | egrep 'LETSENCRYPT_DOMAIN=$'
+          grep NETBIRD_TOKEN_SOURCE docker-compose.yml | grep $CI_NETBIRD_TOKEN_SOURCE
+          grep AuthUserIDClaim management.json | grep $CI_NETBIRD_AUTH_USER_ID_CLAIM
+          grep -A 1 ProviderConfig management.json | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
+          grep Scope management.json | grep "$CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE"
+          grep UseIDToken management.json | grep false

      - name: run docker compose up
        working-directory: infrastructure_files
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -25,7 +25,7 @@ builds:
      - goos: windows
        goarch: 386
    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: '{{ .CommitTimestamp }}'
    tags:
      - load_wgnt_from_rsrc
@@ -47,7 +47,7 @@ builds:
      - arm64
      - arm
    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: '{{ .CommitTimestamp }}'

  - id: netbird-signal
@@ -61,7 +61,7 @@ builds:
      - arm64
      - arm
    ldflags:
-      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: '{{ .CommitTimestamp }}'

 archives:
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -10,7 +10,7 @@ builds:
    goarch:
      - amd64
    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: '{{ .CommitTimestamp }}'

  - id: netbird-ui-windows
@@ -24,7 +24,7 @@ builds:
    goarch:
      - amd64
    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
      - -H windowsgui
    mod_timestamp: '{{ .CommitTimestamp }}'

--- a/.goreleaser_ui_darwin.yaml
+++ b/.goreleaser_ui_darwin.yaml
@@ -14,7 +14,7 @@ builds:
      - hardfloat
      - softfloat
    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: '{{ .CommitTimestamp }}'
    tags:
      - load_wgnt_from_rsrc
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 <p align="center">
- <strong>:hatching_chick: New Release! DNS support.</strong>
+ <strong>:hatching_chick: New Release! Peer expiration.</strong>
  <a href="https://github.com/netbirdio/netbird/releases">
       Learn more
     </a>   
--- a/client/android/client.go
+++ b/client/android/client.go
@@ -0,0 +1,129 @@
+package android
+
+import (
+	"context"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+	"github.com/netbirdio/netbird/client/system"
+	"github.com/netbirdio/netbird/formatter"
+	"github.com/netbirdio/netbird/iface"
+)
+
+// ConnectionListener export internal Listener for mobile
+type ConnectionListener interface {
+	peer.Listener
+}
+
+// TunAdapter export internal TunAdapter for mobile
+type TunAdapter interface {
+	iface.TunAdapter
+}
+
+// IFaceDiscover export internal IFaceDiscover for mobile
+type IFaceDiscover interface {
+	stdnet.ExternalIFaceDiscover
+}
+
+func init() {
+	formatter.SetLogcatFormatter(log.StandardLogger())
+}
+
+// Client struct manage the life circle of background service
+type Client struct {
+	cfgFile       string
+	tunAdapter    iface.TunAdapter
+	iFaceDiscover IFaceDiscover
+	recorder      *peer.Status
+	ctxCancel     context.CancelFunc
+	ctxCancelLock *sync.Mutex
+	deviceName    string
+}
+
+// NewClient instantiate a new Client
+func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover) *Client {
+	lvl, _ := log.ParseLevel("trace")
+	log.SetLevel(lvl)
+
+	return &Client{
+		cfgFile:       cfgFile,
+		deviceName:    deviceName,
+		tunAdapter:    tunAdapter,
+		iFaceDiscover: iFaceDiscover,
+		recorder:      peer.NewRecorder(""),
+		ctxCancelLock: &sync.Mutex{},
+	}
+}
+
+// Run start the internal client. It is a blocker function
+func (c *Client) Run(urlOpener URLOpener) error {
+	cfg, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
+		ConfigPath: c.cfgFile,
+	})
+	if err != nil {
+		return err
+	}
+	c.recorder.UpdateManagementAddress(cfg.ManagementURL.String())
+
+	var ctx context.Context
+	//nolint
+	ctxWithValues := context.WithValue(context.Background(), system.DeviceNameCtxKey, c.deviceName)
+	c.ctxCancelLock.Lock()
+	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
+	defer c.ctxCancel()
+	c.ctxCancelLock.Unlock()
+
+	auth := NewAuthWithConfig(ctx, cfg)
+	err = auth.login(urlOpener)
+	if err != nil {
+		return err
+	}
+
+	// todo do not throw error in case of cancelled context
+	ctx = internal.CtxInitState(ctx)
+	return internal.RunClient(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover)
+}
+
+// Stop the internal client and free the resources
+func (c *Client) Stop() {
+	c.ctxCancelLock.Lock()
+	defer c.ctxCancelLock.Unlock()
+	if c.ctxCancel == nil {
+		return
+	}
+
+	c.ctxCancel()
+}
+
+// PeersList return with the list of the PeerInfos
+func (c *Client) PeersList() *PeerInfoArray {
+
+	fullStatus := c.recorder.GetFullStatus()
+
+	peerInfos := make([]PeerInfo, len(fullStatus.Peers))
+	for n, p := range fullStatus.Peers {
+		pi := PeerInfo{
+			p.IP,
+			p.FQDN,
+			p.ConnStatus.String(),
+			p.Direct,
+		}
+		peerInfos[n] = pi
+	}
+
+	return &PeerInfoArray{items: peerInfos}
+}
+
+// SetConnectionListener set the network connection listener
+func (c *Client) SetConnectionListener(listener ConnectionListener) {
+	c.recorder.SetConnectionListener(listener)
+}
+
+// RemoveConnectionListener remove connection listener
+func (c *Client) RemoveConnectionListener() {
+	c.recorder.RemoveConnectionListener()
+}
--- a/client/android/login.go
+++ b/client/android/login.go
@@ -0,0 +1,229 @@
+package android
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	gstatus "google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/cmd"
+	"github.com/netbirdio/netbird/client/system"
+
+	"github.com/netbirdio/netbird/client/internal"
+)
+
+// SSOListener is async listener for mobile framework
+type SSOListener interface {
+	OnSuccess(bool)
+	OnError(error)
+}
+
+// ErrListener is async listener for mobile framework
+type ErrListener interface {
+	OnSuccess()
+	OnError(error)
+}
+
+// URLOpener it is a callback interface. The Open function will be triggered if
+// the backend want to show an url for the user
+type URLOpener interface {
+	Open(string)
+}
+
+// Auth can register or login new client
+type Auth struct {
+	ctx     context.Context
+	config  *internal.Config
+	cfgPath string
+}
+
+// NewAuth instantiate Auth struct and validate the management URL
+func NewAuth(cfgPath string, mgmURL string) (*Auth, error) {
+	inputCfg := internal.ConfigInput{
+		ManagementURL: mgmURL,
+	}
+
+	cfg, err := internal.CreateInMemoryConfig(inputCfg)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Auth{
+		ctx:     context.Background(),
+		config:  cfg,
+		cfgPath: cfgPath,
+	}, nil
+}
+
+// NewAuthWithConfig instantiate Auth based on existing config
+func NewAuthWithConfig(ctx context.Context, config *internal.Config) *Auth {
+	return &Auth{
+		ctx:    ctx,
+		config: config,
+	}
+}
+
+// SaveConfigIfSSOSupported test the connectivity with the management server by retrieving the server device flow info.
+// If it returns a flow info than save the configuration and return true. If it gets a codes.NotFound, it means that SSO
+// is not supported and returns false without saving the configuration. For other errors return false.
+func (a *Auth) SaveConfigIfSSOSupported(listener SSOListener) {
+	go func() {
+		sso, err := a.saveConfigIfSSOSupported()
+		if err != nil {
+			listener.OnError(err)
+		} else {
+			listener.OnSuccess(sso)
+		}
+	}()
+}
+
+func (a *Auth) saveConfigIfSSOSupported() (bool, error) {
+	supportsSSO := true
+	err := a.withBackOff(a.ctx, func() (err error) {
+		_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
+		if s, ok := gstatus.FromError(err); ok && s.Code() == codes.NotFound {
+			supportsSSO = false
+			err = nil
+		}
+		return err
+	})
+
+	if !supportsSSO {
+		return false, nil
+	}
+
+	if err != nil {
+		return false, fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
+	err = internal.WriteOutConfig(a.cfgPath, a.config)
+	return true, err
+}
+
+// LoginWithSetupKeyAndSaveConfig test the connectivity with the management server with the setup key.
+func (a *Auth) LoginWithSetupKeyAndSaveConfig(resultListener ErrListener, setupKey string, deviceName string) {
+	go func() {
+		err := a.loginWithSetupKeyAndSaveConfig(setupKey, deviceName)
+		if err != nil {
+			resultListener.OnError(err)
+		} else {
+			resultListener.OnSuccess()
+		}
+	}()
+}
+
+func (a *Auth) loginWithSetupKeyAndSaveConfig(setupKey string, deviceName string) error {
+	//nolint
+	ctxWithValues := context.WithValue(a.ctx, system.DeviceNameCtxKey, deviceName)
+
+	err := a.withBackOff(a.ctx, func() error {
+		backoffErr := internal.Login(ctxWithValues, a.config, setupKey, "")
+		if s, ok := gstatus.FromError(backoffErr); ok && (s.Code() == codes.PermissionDenied) {
+			// we got an answer from management, exit backoff earlier
+			return backoff.Permanent(backoffErr)
+		}
+		return backoffErr
+	})
+	if err != nil {
+		return fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
+	return internal.WriteOutConfig(a.cfgPath, a.config)
+}
+
+// Login try register the client on the server
+func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener) {
+	go func() {
+		err := a.login(urlOpener)
+		if err != nil {
+			resultListener.OnError(err)
+		} else {
+			resultListener.OnSuccess()
+		}
+	}()
+}
+
+func (a *Auth) login(urlOpener URLOpener) error {
+	var needsLogin bool
+
+	// check if we need to generate JWT token
+	err := a.withBackOff(a.ctx, func() (err error) {
+		needsLogin, err = internal.IsLoginRequired(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config.SSHKey)
+		return
+	})
+	if err != nil {
+		return fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
+	jwtToken := ""
+	if needsLogin {
+		tokenInfo, err := a.foregroundGetTokenInfo(urlOpener)
+		if err != nil {
+			return fmt.Errorf("interactive sso login failed: %v", err)
+		}
+		jwtToken = tokenInfo.GetTokenToUse()
+	}
+
+	err = a.withBackOff(a.ctx, func() error {
+		err := internal.Login(a.ctx, a.config, "", jwtToken)
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			return nil
+		}
+		return err
+	})
+	if err != nil {
+		return fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
+	return nil
+}
+
+func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener) (*internal.TokenInfo, error) {
+	providerConfig, err := internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
+	if err != nil {
+		s, ok := gstatus.FromError(err)
+		if ok && s.Code() == codes.NotFound {
+			return nil, fmt.Errorf("no SSO provider returned from management. " +
+				"If you are using hosting Netbird see documentation at " +
+				"https://github.com/netbirdio/netbird/tree/main/management for details")
+		} else if ok && s.Code() == codes.Unimplemented {
+			return nil, fmt.Errorf("the management server, %s, does not support SSO providers, "+
+				"please update your servver or use Setup Keys to login", a.config.ManagementURL)
+		} else {
+			return nil, fmt.Errorf("getting device authorization flow info failed with error: %v", err)
+		}
+	}
+
+	hostedClient := internal.NewHostedDeviceFlow(providerConfig.ProviderConfig)
+
+	flowInfo, err := hostedClient.RequestDeviceCode(context.TODO())
+	if err != nil {
+		return nil, fmt.Errorf("getting a request device code failed: %v", err)
+	}
+
+	go urlOpener.Open(flowInfo.VerificationURIComplete)
+
+	waitTimeout := time.Duration(flowInfo.ExpiresIn)
+	waitCTX, cancel := context.WithTimeout(a.ctx, waitTimeout*time.Second)
+	defer cancel()
+	tokenInfo, err := hostedClient.WaitToken(waitCTX, flowInfo)
+	if err != nil {
+		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
+	}
+
+	return &tokenInfo, nil
+}
+
+func (a *Auth) withBackOff(ctx context.Context, bf func() error) error {
+	return backoff.RetryNotify(
+		bf,
+		backoff.WithContext(cmd.CLIBackOffSettings, ctx),
+		func(err error, duration time.Duration) {
+			log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
+		})
+}
--- a/client/android/peer_notifier.go
+++ b/client/android/peer_notifier.go
@@ -0,0 +1,37 @@
+package android
+
+// PeerInfo describe information about the peers. It designed for the UI usage
+type PeerInfo struct {
+	IP         string
+	FQDN       string
+	ConnStatus string // Todo replace to enum
+	Direct     bool
+}
+
+// PeerInfoCollection made for Java layer to get non default types as collection
+type PeerInfoCollection interface {
+	Add(s string) PeerInfoCollection
+	Get(i int) string
+	Size() int
+}
+
+// PeerInfoArray is the implementation of the PeerInfoCollection
+type PeerInfoArray struct {
+	items []PeerInfo
+}
+
+// Add new PeerInfo to the collection
+func (array PeerInfoArray) Add(s PeerInfo) PeerInfoArray {
+	array.items = append(array.items, s)
+	return array
+}
+
+// Get return an element of the collection
+func (array PeerInfoArray) Get(i int) *PeerInfo {
+	return &array.items[i]
+}
+
+// Size return with the size of the collection
+func (array PeerInfoArray) Size() int {
+	return len(array.items)
+}
--- a/client/android/preferences.go
+++ b/client/android/preferences.go
@@ -0,0 +1,78 @@
+package android
+
+import (
+	"github.com/netbirdio/netbird/client/internal"
+)
+
+// Preferences export a subset of the internal config for gomobile
+type Preferences struct {
+	configInput internal.ConfigInput
+}
+
+// NewPreferences create new Preferences instance
+func NewPreferences(configPath string) *Preferences {
+	ci := internal.ConfigInput{
+		ConfigPath: configPath,
+	}
+	return &Preferences{ci}
+}
+
+// GetManagementURL read url from config file
+func (p *Preferences) GetManagementURL() (string, error) {
+	if p.configInput.ManagementURL != "" {
+		return p.configInput.ManagementURL, nil
+	}
+
+	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return "", err
+	}
+	return cfg.ManagementURL.String(), err
+}
+
+// SetManagementURL store the given url and wait for commit
+func (p *Preferences) SetManagementURL(url string) {
+	p.configInput.ManagementURL = url
+}
+
+// GetAdminURL read url from config file
+func (p *Preferences) GetAdminURL() (string, error) {
+	if p.configInput.AdminURL != "" {
+		return p.configInput.AdminURL, nil
+	}
+
+	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return "", err
+	}
+	return cfg.AdminURL.String(), err
+}
+
+// SetAdminURL store the given url and wait for commit
+func (p *Preferences) SetAdminURL(url string) {
+	p.configInput.AdminURL = url
+}
+
+// GetPreSharedKey read preshared key from config file
+func (p *Preferences) GetPreSharedKey() (string, error) {
+	if p.configInput.PreSharedKey != nil {
+		return *p.configInput.PreSharedKey, nil
+	}
+
+	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return "", err
+	}
+	return cfg.PreSharedKey, err
+}
+
+// SetPreSharedKey store the given key and wait for commit
+func (p *Preferences) SetPreSharedKey(key string) {
+	p.configInput.PreSharedKey = &key
+}
+
+// Commit write out the changes into config file
+func (p *Preferences) Commit() error {
+	_, err := internal.UpdateOrCreateConfig(p.configInput)
+	return err
+}
--- a/client/android/preferences_test.go
+++ b/client/android/preferences_test.go
@@ -0,0 +1,120 @@
+package android
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/netbirdio/netbird/client/internal"
+)
+
+func TestPreferences_DefaultValues(t *testing.T) {
+	cfgFile := filepath.Join(t.TempDir(), "netbird.json")
+	p := NewPreferences(cfgFile)
+	defaultVar, err := p.GetAdminURL()
+	if err != nil {
+		t.Fatalf("failed to read default value: %s", err)
+	}
+
+	if defaultVar != internal.DefaultAdminURL {
+		t.Errorf("invalid default admin url: %s", defaultVar)
+	}
+
+	defaultVar, err = p.GetManagementURL()
+	if err != nil {
+		t.Fatalf("failed to read default management URL: %s", err)
+	}
+
+	if defaultVar != internal.DefaultManagementURL {
+		t.Errorf("invalid default management url: %s", defaultVar)
+	}
+
+	var preSharedKey string
+	preSharedKey, err = p.GetPreSharedKey()
+	if err != nil {
+		t.Fatalf("failed to read default preshared key: %s", err)
+	}
+
+	if preSharedKey != "" {
+		t.Errorf("invalid preshared key: %s", preSharedKey)
+	}
+}
+
+func TestPreferences_ReadUncommitedValues(t *testing.T) {
+	exampleString := "exampleString"
+	cfgFile := filepath.Join(t.TempDir(), "netbird.json")
+	p := NewPreferences(cfgFile)
+
+	p.SetAdminURL(exampleString)
+	resp, err := p.GetAdminURL()
+	if err != nil {
+		t.Fatalf("failed to read admin url: %s", err)
+	}
+
+	if resp != exampleString {
+		t.Errorf("unexpected admin url: %s", resp)
+	}
+
+	p.SetManagementURL(exampleString)
+	resp, err = p.GetManagementURL()
+	if err != nil {
+		t.Fatalf("failed to read managmenet url: %s", err)
+	}
+
+	if resp != exampleString {
+		t.Errorf("unexpected managemenet url: %s", resp)
+	}
+
+	p.SetPreSharedKey(exampleString)
+	resp, err = p.GetPreSharedKey()
+	if err != nil {
+		t.Fatalf("failed to read preshared key: %s", err)
+	}
+
+	if resp != exampleString {
+		t.Errorf("unexpected preshared key: %s", resp)
+	}
+}
+
+func TestPreferences_Commit(t *testing.T) {
+	exampleURL := "https://myurl.com:443"
+	examplePresharedKey := "topsecret"
+	cfgFile := filepath.Join(t.TempDir(), "netbird.json")
+	p := NewPreferences(cfgFile)
+
+	p.SetAdminURL(exampleURL)
+	p.SetManagementURL(exampleURL)
+	p.SetPreSharedKey(examplePresharedKey)
+
+	err := p.Commit()
+	if err != nil {
+		t.Fatalf("failed to save changes: %s", err)
+	}
+
+	p = NewPreferences(cfgFile)
+	resp, err := p.GetAdminURL()
+	if err != nil {
+		t.Fatalf("failed to read admin url: %s", err)
+	}
+
+	if resp != exampleURL {
+		t.Errorf("unexpected admin url: %s", resp)
+	}
+
+	resp, err = p.GetManagementURL()
+	if err != nil {
+		t.Fatalf("failed to read managmenet url: %s", err)
+	}
+
+	if resp != exampleURL {
+		t.Errorf("unexpected managemenet url: %s", resp)
+	}
+
+	resp, err = p.GetPreSharedKey()
+	if err != nil {
+		t.Fatalf("failed to read preshared key: %s", err)
+	}
+
+	if resp != examplePresharedKey {
+		t.Errorf("unexpected preshared key: %s", resp)
+	}
+}
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -135,7 +135,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *internal.C
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
-		jwtToken = tokenInfo.AccessToken
+		jwtToken = tokenInfo.GetTokenToUse()
 	}

 	err = WithBackOff(func() error {
@@ -172,12 +172,7 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 		}
 	}

-	hostedClient := internal.NewHostedDeviceFlow(
-		providerConfig.ProviderConfig.Audience,
-		providerConfig.ProviderConfig.ClientID,
-		providerConfig.ProviderConfig.TokenEndpoint,
-		providerConfig.ProviderConfig.DeviceAuthEndpoint,
-	)
+	hostedClient := internal.NewHostedDeviceFlow(providerConfig.ProviderConfig)

 	flowInfo, err := hostedClient.RequestDeviceCode(context.TODO())
 	if err != nil {
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -17,8 +17,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/version"
 )

 type peerStateDetailOutput struct {
@@ -209,7 +209,7 @@ func convertToStatusOutputOverview(resp *proto.StatusResponse) statusOutputOverv

 	overview := statusOutputOverview{
 		Peers:           peersOverview,
-		CliVersion:      system.NetbirdVersion(),
+		CliVersion:      version.NetbirdVersion(),
 		DaemonVersion:   resp.GetDaemonVersion(),
 		ManagementState: managementOverview,
 		SignalState:     signalOverview,
@@ -345,7 +345,7 @@ func parseGeneralSummary(overview statusOutputOverview, showURL bool) string {
 			"Interface type: %s\n"+
 			"Peers count: %s\n",
 		overview.DaemonVersion,
-		system.NetbirdVersion(),
+		version.NetbirdVersion(),
 		managementConnString,
 		signalConnString,
 		overview.FQDN,
--- a/client/cmd/status_test.go
+++ b/client/cmd/status_test.go
@@ -8,7 +8,7 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/client/system"
+	"github.com/netbirdio/netbird/version"
 )

 var resp = &proto.StatusResponse{
@@ -89,7 +89,7 @@ var overview = statusOutputOverview{
 			},
 		},
 	},
-	CliVersion:    system.NetbirdVersion(),
+	CliVersion:    version.NetbirdVersion(),
 	DaemonVersion: "0.14.1",
 	ManagementState: managementStateOutput{
 		URL:       "my-awesome-management.com:443",
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -13,8 +13,8 @@ import (
 	gstatus "google.golang.org/grpc/status"

 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
-	nbStatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/util"
 )

@@ -94,7 +94,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	var cancel context.CancelFunc
 	ctx, cancel = context.WithCancel(ctx)
 	SetupCloseHandler(ctx, cancel)
-	return internal.RunClient(ctx, config, nbStatus.NewRecorder())
+	return internal.RunClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()), nil, nil)
 }

 func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
--- a/client/cmd/version.go
+++ b/client/cmd/version.go
@@ -1,8 +1,9 @@
 package cmd

 import (
-	"github.com/netbirdio/netbird/client/system"
 	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/version"
 )

 var (
@@ -11,7 +12,7 @@ var (
 		Short: "prints Netbird version",
 		Run: func(cmd *cobra.Command, args []string) {
 			cmd.SetOut(cmd.OutOrStdout())
-			cmd.Println(system.NetbirdVersion())
+			cmd.Println(version.NetbirdVersion())
 		},
 	}
 )
--- a/client/firewall/firewall.go
+++ b/client/firewall/firewall.go
@@ -0,0 +1,57 @@
+package firewall
+
+import (
+	"net"
+)
+
+// Rule abstraction should be implemented by each firewall manager
+//
+// Each firewall type for different OS can use different type
+// of the properties to hold data of the created rule
+type Rule interface {
+	// GetRuleID returns the rule id
+	GetRuleID() string
+}
+
+// Direction is the direction of the traffic
+type Direction int
+
+const (
+	// DirectionSrc is the direction of the traffic from the source
+	DirectionSrc Direction = iota
+	// DirectionDst is the direction of the traffic from the destination
+	DirectionDst
+)
+
+// Action is the action to be taken on a rule
+type Action int
+
+const (
+	// ActionAccept is the action to accept a packet
+	ActionAccept Action = iota
+	// ActionDrop is the action to drop a packet
+	ActionDrop
+)
+
+// Manager is the high level abstraction of a firewall manager
+//
+// It declares methods which handle actions required by the
+// Netbird client for ACL and routing functionality
+type Manager interface {
+	// AddFiltering rule to the firewall
+	AddFiltering(
+		ip net.IP,
+		port *Port,
+		direction Direction,
+		action Action,
+		comment string,
+	) (Rule, error)
+
+	// DeleteRule from the firewall by rule definition
+	DeleteRule(rule Rule) error
+
+	// Reset firewall to the default state
+	Reset() error
+
+	// TODO: migrate routemanager firewal actions to this interface
+}
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -0,0 +1,160 @@
+package iptables
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+	"sync"
+
+	"github.com/coreos/go-iptables/iptables"
+	"github.com/google/uuid"
+
+	fw "github.com/netbirdio/netbird/client/firewall"
+)
+
+const (
+	// ChainFilterName is the name of the chain that is used for filtering by the Netbird client
+	ChainFilterName = "NETBIRD-ACL"
+)
+
+// Manager of iptables firewall
+type Manager struct {
+	mutex sync.Mutex
+
+	ipv4Client *iptables.IPTables
+	ipv6Client *iptables.IPTables
+}
+
+// Create iptables firewall manager
+func Create() (*Manager, error) {
+	m := &Manager{}
+
+	// init clients for booth ipv4 and ipv6
+	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	if err != nil {
+		return nil, fmt.Errorf("iptables is not installed in the system or not supported")
+	}
+	m.ipv4Client = ipv4Client
+
+	ipv6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+	if err != nil {
+		return nil, fmt.Errorf("ip6tables is not installed in the system or not supported")
+	}
+	m.ipv6Client = ipv6Client
+
+	if err := m.Reset(); err != nil {
+		return nil, fmt.Errorf("failed to reset firewall: %s", err)
+	}
+
+	return m, nil
+}
+
+// AddFiltering rule to the firewall
+func (m *Manager) AddFiltering(
+	ip net.IP,
+	port *fw.Port,
+	direction fw.Direction,
+	action fw.Action,
+	comment string,
+) (fw.Rule, error) {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+	client := m.client(ip)
+	ok, err := client.ChainExists("filter", ChainFilterName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if chain exists: %s", err)
+	}
+	if !ok {
+		if err := client.NewChain("filter", ChainFilterName); err != nil {
+			return nil, fmt.Errorf("failed to create chain: %s", err)
+		}
+	}
+	if port == nil || port.Values == nil || (port.IsRange && len(port.Values) != 2) {
+		return nil, fmt.Errorf("invalid port definition")
+	}
+	pv := strconv.Itoa(port.Values[0])
+	if port.IsRange {
+		pv += ":" + strconv.Itoa(port.Values[1])
+	}
+	specs := m.filterRuleSpecs("filter", ChainFilterName, ip, pv, direction, action, comment)
+	if err := client.AppendUnique("filter", ChainFilterName, specs...); err != nil {
+		return nil, err
+	}
+	rule := &Rule{
+		id:    uuid.New().String(),
+		specs: specs,
+		v6:    ip.To4() == nil,
+	}
+	return rule, nil
+}
+
+// DeleteRule from the firewall by rule definition
+func (m *Manager) DeleteRule(rule fw.Rule) error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+	r, ok := rule.(*Rule)
+	if !ok {
+		return fmt.Errorf("invalid rule type")
+	}
+	client := m.ipv4Client
+	if r.v6 {
+		client = m.ipv6Client
+	}
+	return client.Delete("filter", ChainFilterName, r.specs...)
+}
+
+// Reset firewall to the default state
+func (m *Manager) Reset() error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+	if err := m.reset(m.ipv4Client, "filter", ChainFilterName); err != nil {
+		return fmt.Errorf("clean ipv4 firewall ACL chain: %w", err)
+	}
+	if err := m.reset(m.ipv6Client, "filter", ChainFilterName); err != nil {
+		return fmt.Errorf("clean ipv6 firewall ACL chain: %w", err)
+	}
+	return nil
+}
+
+// reset firewall chain, clear it and drop it
+func (m *Manager) reset(client *iptables.IPTables, table, chain string) error {
+	ok, err := client.ChainExists(table, chain)
+	if err != nil {
+		return fmt.Errorf("failed to check if chain exists: %w", err)
+	}
+	if !ok {
+		return nil
+	}
+	if err := client.ClearChain(table, ChainFilterName); err != nil {
+		return fmt.Errorf("failed to clear chain: %w", err)
+	}
+	return client.DeleteChain(table, ChainFilterName)
+}
+
+// filterRuleSpecs returns the specs of a filtering rule
+func (m *Manager) filterRuleSpecs(
+	table string, chain string, ip net.IP, port string,
+	direction fw.Direction, action fw.Action, comment string,
+) (specs []string) {
+	if direction == fw.DirectionSrc {
+		specs = append(specs, "-s", ip.String())
+	}
+	specs = append(specs, "-p", "tcp", "--dport", port)
+	specs = append(specs, "-j", m.actionToStr(action))
+	return append(specs, "-m", "comment", "--comment", comment)
+}
+
+// client returns corresponding iptables client for the given ip
+func (m *Manager) client(ip net.IP) *iptables.IPTables {
+	if ip.To4() != nil {
+		return m.ipv4Client
+	}
+	return m.ipv6Client
+}
+
+func (m *Manager) actionToStr(action fw.Action) string {
+	if action == fw.ActionAccept {
+		return "ACCEPT"
+	}
+	return "DROP"
+}
--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -0,0 +1,105 @@
+package iptables
+
+import (
+	"net"
+	"testing"
+
+	"github.com/coreos/go-iptables/iptables"
+	fw "github.com/netbirdio/netbird/client/firewall"
+)
+
+func TestNewManager(t *testing.T) {
+	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	manager, err := Create()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var rule1 fw.Rule
+	t.Run("add first rule", func(t *testing.T) {
+		ip := net.ParseIP("10.20.0.2")
+		port := &fw.Port{Proto: fw.PortProtocolTCP, Values: []int{8080}}
+		rule1, err = manager.AddFiltering(ip, port, fw.DirectionDst, fw.ActionAccept, "accept HTTP traffic")
+		if err != nil {
+			t.Errorf("failed to add rule: %v", err)
+		}
+
+		checkRuleSpecs(t, ipv4Client, true, rule1.(*Rule).specs...)
+	})
+
+	var rule2 fw.Rule
+	t.Run("add second rule", func(t *testing.T) {
+		ip := net.ParseIP("10.20.0.3")
+		port := &fw.Port{
+			Proto:  fw.PortProtocolTCP,
+			Values: []int{8043: 8046},
+		}
+		rule2, err = manager.AddFiltering(
+			ip, port, fw.DirectionDst, fw.ActionAccept, "accept HTTPS traffic from ports range")
+		if err != nil {
+			t.Errorf("failed to add rule: %v", err)
+		}
+
+		checkRuleSpecs(t, ipv4Client, true, rule2.(*Rule).specs...)
+	})
+
+	t.Run("delete first rule", func(t *testing.T) {
+		if err := manager.DeleteRule(rule1); err != nil {
+			t.Errorf("failed to delete rule: %v", err)
+		}
+
+		checkRuleSpecs(t, ipv4Client, false, rule1.(*Rule).specs...)
+	})
+
+	t.Run("delete second rule", func(t *testing.T) {
+		if err := manager.DeleteRule(rule2); err != nil {
+			t.Errorf("failed to delete rule: %v", err)
+		}
+
+		checkRuleSpecs(t, ipv4Client, false, rule2.(*Rule).specs...)
+	})
+
+	t.Run("reset check", func(t *testing.T) {
+		// add second rule
+		ip := net.ParseIP("10.20.0.3")
+		port := &fw.Port{Proto: fw.PortProtocolUDP, Values: []int{5353}}
+		_, err = manager.AddFiltering(ip, port, fw.DirectionDst, fw.ActionAccept, "accept Fake DNS traffic")
+		if err != nil {
+			t.Errorf("failed to add rule: %v", err)
+		}
+
+		if err := manager.Reset(); err != nil {
+			t.Errorf("failed to reset: %v", err)
+		}
+
+		ok, err := ipv4Client.ChainExists("filter", ChainFilterName)
+		if err != nil {
+			t.Errorf("failed to drop chain: %v", err)
+		}
+
+		if ok {
+			t.Errorf("chain '%v' still exists after Reset", ChainFilterName)
+		}
+	})
+}
+
+func checkRuleSpecs(t *testing.T, ipv4Client *iptables.IPTables, mustExists bool, rulespec ...string) {
+	exists, err := ipv4Client.Exists("filter", ChainFilterName, rulespec...)
+	if err != nil {
+		t.Errorf("failed to check rule: %v", err)
+		return
+	}
+
+	if !exists && mustExists {
+		t.Errorf("rule '%v' does not exist", rulespec)
+		return
+	}
+	if exists && !mustExists {
+		t.Errorf("rule '%v' exist", rulespec)
+		return
+	}
+}
--- a/client/firewall/iptables/rule.go
+++ b/client/firewall/iptables/rule.go
@@ -0,0 +1,13 @@
+package iptables
+
+// Rule to handle management of rules
+type Rule struct {
+	id    string
+	specs []string
+	v6    bool
+}
+
+// GetRuleID returns the rule id
+func (r *Rule) GetRuleID() string {
+	return r.id
+}
--- a/client/firewall/port.go
+++ b/client/firewall/port.go
@@ -0,0 +1,24 @@
+package firewall
+
+// PortProtocol is the protocol of the port
+type PortProtocol string
+
+const (
+	// PortProtocolTCP is the TCP protocol
+	PortProtocolTCP PortProtocol = "tcp"
+
+	// PortProtocolUDP is the UDP protocol
+	PortProtocolUDP PortProtocol = "udp"
+)
+
+// Port of the address for firewall rule
+type Port struct {
+	// IsRange is true Values contains two values, the first is the start port, the second is the end port
+	IsRange bool
+
+	// Values contains one value for single port, multiple values for the list of ports, or two values for the range of ports
+	Values []int
+
+	// Proto is the protocol of the port
+	Proto PortProtocol
+}
--- a/client/installer.nsis
+++ b/client/installer.nsis
@@ -193,6 +193,7 @@ ExecWait `taskkill /im ${UI_APP_EXE}.exe`
 Sleep 3000
 Delete "$INSTDIR\${UI_APP_EXE}"
 Delete "$INSTDIR\${MAIN_APP_EXE}"
+Delete "$INSTDIR\wintun.dll"
 RmDir /r "$INSTDIR"

 SetShellVarContext current
--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -27,7 +27,7 @@ const (
 )

 var defaultInterfaceBlacklist = []string{iface.WgInterfaceDefault, "wt", "utun", "tun0", "zt", "ZeroTier", "wg", "ts",
-	"Tailscale", "tailscale", "docker", "veth", "br-"}
+	"Tailscale", "tailscale", "docker", "veth", "br-", "lo"}

 // ConfigInput carries configuration changes to the client
 type ConfigInput struct {
@@ -73,6 +73,25 @@ type Config struct {
 	CustomDNSAddress string
 }

+// ReadConfig read config file and return with Config. If it is not exists create a new with default values
+func ReadConfig(configPath string) (*Config, error) {
+	if configFileIsExists(configPath) {
+		config := &Config{}
+		if _, err := util.ReadJson(configPath, config); err != nil {
+			return nil, err
+		}
+		return config, nil
+	}
+
+	cfg, err := createNewConfig(ConfigInput{ConfigPath: configPath})
+	if err != nil {
+		return nil, err
+	}
+
+	err = WriteOutConfig(configPath, cfg)
+	return cfg, err
+}
+
 // UpdateConfig update existing configuration according to input configuration and return with the configuration
 func UpdateConfig(input ConfigInput) (*Config, error) {
 	if !configFileIsExists(input.ConfigPath) {
@@ -86,7 +105,12 @@ func UpdateConfig(input ConfigInput) (*Config, error) {
 func UpdateOrCreateConfig(input ConfigInput) (*Config, error) {
 	if !configFileIsExists(input.ConfigPath) {
 		log.Infof("generating new config %s", input.ConfigPath)
-		return createNewConfig(input)
+		cfg, err := createNewConfig(input)
+		if err != nil {
+			return nil, err
+		}
+		err = WriteOutConfig(input.ConfigPath, cfg)
+		return cfg, err
 	}

 	if isPreSharedKeyHidden(input.PreSharedKey) {
@@ -95,6 +119,16 @@ func UpdateOrCreateConfig(input ConfigInput) (*Config, error) {
 	return update(input)
 }

+// CreateInMemoryConfig generate a new config but do not write out it to the store
+func CreateInMemoryConfig(input ConfigInput) (*Config, error) {
+	return createNewConfig(input)
+}
+
+// WriteOutConfig write put the prepared config to the given path
+func WriteOutConfig(path string, config *Config) error {
+	return util.WriteJson(path, config)
+}
+
 // createNewConfig creates a new config generating a new Wireguard key and saving to file
 func createNewConfig(input ConfigInput) (*Config, error) {
 	wgKey := generateKey()
@@ -146,12 +180,6 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 	}

 	config.IFaceBlackList = defaultInterfaceBlacklist
-
-	err = util.WriteJson(input.ConfigPath, config)
-	if err != nil {
-		return nil, err
-	}
-
 	return config, nil
 }

--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -12,8 +12,9 @@ import (
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"

+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/ssh"
-	nbStatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/iface"
 	mgm "github.com/netbirdio/netbird/management/client"
@@ -22,7 +23,7 @@ import (
 )

 // RunClient with main logic.
-func RunClient(ctx context.Context, config *Config, statusRecorder *nbStatus.Status) error {
+func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status, tunAdapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) error {
 	backOff := &backoff.ExponentialBackOff{
 		InitialInterval:     time.Second,
 		RandomizationFactor: 1,
@@ -58,9 +59,7 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *nbStatus.Sta
 		return err
 	}

-	managementURL := config.ManagementURL.String()
-	statusRecorder.MarkManagementDisconnected(managementURL)
-
+	defer statusRecorder.ClientStop()
 	operation := func() error {
 		// if context cancelled we not start new backoff cycle
 		select {
@@ -73,7 +72,7 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *nbStatus.Sta

 		engineCtx, cancel := context.WithCancel(ctx)
 		defer func() {
-			statusRecorder.MarkManagementDisconnected(managementURL)
+			statusRecorder.MarkManagementDisconnected()
 			statusRecorder.CleanLocalPeerState()
 			cancel()
 		}()
@@ -83,6 +82,9 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *nbStatus.Sta
 		if err != nil {
 			return wrapErr(gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err))
 		}
+		mgmNotifier := statusRecorderToMgmConnStateNotifier(statusRecorder)
+		mgmClient.SetConnStateListener(mgmNotifier)
+
 		log.Debugf("connected to the Management service %s", config.ManagementURL.Host)
 		defer func() {
 			err = mgmClient.Close()
@@ -101,12 +103,12 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *nbStatus.Sta
 			}
 			return wrapErr(err)
 		}
-		statusRecorder.MarkManagementConnected(managementURL)
+		statusRecorder.MarkManagementConnected()

-		localPeerState := nbStatus.LocalPeerState{
+		localPeerState := peer.LocalPeerState{
 			IP:              loginResp.GetPeerConfig().GetAddress(),
 			PubKey:          myPrivateKey.PublicKey().String(),
-			KernelInterface: iface.WireguardModuleIsLoaded(),
+			KernelInterface: iface.WireGuardModuleIsLoaded(),
 			FQDN:            loginResp.GetPeerConfig().GetFqdn(),
 		}

@@ -117,8 +119,10 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *nbStatus.Sta
 			loginResp.GetWiretrusteeConfig().GetSignal().GetUri(),
 		)

-		statusRecorder.MarkSignalDisconnected(signalURL)
-		defer statusRecorder.MarkSignalDisconnected(signalURL)
+		statusRecorder.UpdateSignalAddress(signalURL)
+
+		statusRecorder.MarkSignalDisconnected()
+		defer statusRecorder.MarkSignalDisconnected()

 		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
 		signalClient, err := connectToSignal(engineCtx, loginResp.GetWiretrusteeConfig(), myPrivateKey)
@@ -133,7 +137,10 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *nbStatus.Sta
 			}
 		}()

-		statusRecorder.MarkSignalConnected(signalURL)
+		signalNotifier := statusRecorderToSignalConnStateNotifier(statusRecorder)
+		signalClient.SetConnStateListener(signalNotifier)
+
+		statusRecorder.MarkSignalConnected()

 		peerConfig := loginResp.GetPeerConfig()

@@ -143,7 +150,13 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *nbStatus.Sta
 			return wrapErr(err)
 		}

-		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, engineConfig, statusRecorder)
+		md, err := newMobileDependency(tunAdapter, iFaceDiscover, mgmClient)
+		if err != nil {
+			log.Error(err)
+			return wrapErr(err)
+		}
+
+		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, engineConfig, md, statusRecorder)
 		err = engine.Start()
 		if err != nil {
 			log.Errorf("error while starting Netbird Connection Engine: %s", err)
@@ -153,7 +166,10 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *nbStatus.Sta
 		log.Print("Netbird engine started, my IP is: ", peerConfig.Address)
 		state.Set(StatusConnected)

+		statusRecorder.ClientStart()
+
 		<-engineCtx.Done()
+		statusRecorder.ClientTeardown()

 		backOff.Reset()

@@ -185,7 +201,6 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *nbStatus.Sta

 // createEngineConfig converts configuration received from Management Service to EngineConfig
 func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
-
 	engineConf := &EngineConfig{
 		WgIfaceName:          config.WgIface,
 		WgAddr:               peerConfig.Address,
@@ -320,3 +335,15 @@ func UpdateOldManagementPort(ctx context.Context, config *Config, configPath str

 	return config, nil
 }
+
+func statusRecorderToMgmConnStateNotifier(statusRecorder *peer.Status) mgm.ConnStateNotifier {
+	var sri interface{} = statusRecorder
+	mgmNotifier, _ := sri.(mgm.ConnStateNotifier)
+	return mgmNotifier
+}
+
+func statusRecorderToSignalConnStateNotifier(statusRecorder *peer.Status) signal.ConnStateNotifier {
+	var sri interface{} = statusRecorder
+	notifier, _ := sri.(signal.ConnStateNotifier)
+	return notifier
+}
--- a/client/internal/device_auth.go
+++ b/client/internal/device_auth.go
@@ -34,6 +34,10 @@ type ProviderConfig struct {
 	TokenEndpoint string
 	// DeviceAuthEndpoint is the endpoint of an IDP manager where clients can obtain device authorization code
 	DeviceAuthEndpoint string
+	// Scopes provides the scopes to be included in the token request
+	Scope string
+	// UseIDToken indicates if the id token should be used for authentication
+	UseIDToken bool
 }

 // GetDeviceAuthorizationFlowInfo initialize a DeviceAuthorizationFlow instance and return with it
@@ -57,6 +61,7 @@ func GetDeviceAuthorizationFlowInfo(ctx context.Context, privateKey string, mgmU
 		return DeviceAuthorizationFlow{}, err
 	}
 	log.Debugf("connected to the Management service %s", mgmURL.String())
+
 	defer func() {
 		err = mgmClient.Close()
 		if err != nil {
@@ -90,9 +95,16 @@ func GetDeviceAuthorizationFlowInfo(ctx context.Context, privateKey string, mgmU
 			Domain:             protoDeviceAuthorizationFlow.GetProviderConfig().Domain,
 			TokenEndpoint:      protoDeviceAuthorizationFlow.GetProviderConfig().GetTokenEndpoint(),
 			DeviceAuthEndpoint: protoDeviceAuthorizationFlow.GetProviderConfig().GetDeviceAuthEndpoint(),
+			Scope:              protoDeviceAuthorizationFlow.GetProviderConfig().GetScope(),
+			UseIDToken:         protoDeviceAuthorizationFlow.GetProviderConfig().GetUseIDToken(),
 		},
 	}

+	// keep compatibility with older management versions
+	if deviceAuthorizationFlow.ProviderConfig.Scope == "" {
+		deviceAuthorizationFlow.ProviderConfig.Scope = "openid"
+	}
+
 	err = isProviderConfigValid(deviceAuthorizationFlow.ProviderConfig)
 	if err != nil {
 		return DeviceAuthorizationFlow{}, err
@@ -115,5 +127,8 @@ func isProviderConfigValid(config ProviderConfig) error {
 	if config.DeviceAuthEndpoint == "" {
 		return fmt.Errorf(errorMSGFormat, "Device Auth Endpoint")
 	}
+	if config.Scope == "" {
+		return fmt.Errorf(errorMSGFormat, "Device Auth Scopes")
+	}
 	return nil
 }
--- a/client/internal/dns/local.go
+++ b/client/internal/dns/local.go
@@ -8,6 +8,8 @@ import (
 	"sync"
 )

+type registrationMap map[string]struct{}
+
 type localResolver struct {
 	registeredMap registrationMap
 	records       sync.Map
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -1,27 +1,6 @@
 package dns

-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"runtime"
-	"sync"
-	"time"
-
-	"github.com/miekg/dns"
-	"github.com/mitchellh/hashstructure/v2"
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/iface"
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	defaultPort = 53
-	customPort  = 5053
-	defaultIP   = "127.0.0.1"
-	customIP    = "127.0.0.153"
-)
+import nbdns "github.com/netbirdio/netbird/dns"

 // Server is a dns server interface
 type Server interface {
@@ -29,444 +8,3 @@ type Server interface {
 	Stop()
 	UpdateDNSServer(serial uint64, update nbdns.Config) error
 }
-
-// DefaultServer dns server object
-type DefaultServer struct {
-	ctx                context.Context
-	ctxCancel          context.CancelFunc
-	upstreamCtxCancel  context.CancelFunc
-	mux                sync.Mutex
-	server             *dns.Server
-	dnsMux             *dns.ServeMux
-	dnsMuxMap          registrationMap
-	localResolver      *localResolver
-	wgInterface        *iface.WGIface
-	hostManager        hostManager
-	updateSerial       uint64
-	listenerIsRunning  bool
-	runtimePort        int
-	runtimeIP          string
-	previousConfigHash uint64
-	currentConfig      hostDNSConfig
-	customAddress      *netip.AddrPort
-}
-
-type registrationMap map[string]struct{}
-
-type muxUpdate struct {
-	domain  string
-	handler dns.Handler
-}
-
-// NewDefaultServer returns a new dns server
-func NewDefaultServer(ctx context.Context, wgInterface *iface.WGIface, customAddress string) (*DefaultServer, error) {
-	mux := dns.NewServeMux()
-
-	dnsServer := &dns.Server{
-		Net:     "udp",
-		Handler: mux,
-		UDPSize: 65535,
-	}
-
-	ctx, stop := context.WithCancel(ctx)
-
-	var addrPort *netip.AddrPort
-	if customAddress != "" {
-		parsedAddrPort, err := netip.ParseAddrPort(customAddress)
-		if err != nil {
-			stop()
-			return nil, fmt.Errorf("unable to parse the custom dns address, got error: %s", err)
-		}
-		addrPort = &parsedAddrPort
-	}
-
-	defaultServer := &DefaultServer{
-		ctx:       ctx,
-		ctxCancel: stop,
-		server:    dnsServer,
-		dnsMux:    mux,
-		dnsMuxMap: make(registrationMap),
-		localResolver: &localResolver{
-			registeredMap: make(registrationMap),
-		},
-		wgInterface:   wgInterface,
-		runtimePort:   defaultPort,
-		customAddress: addrPort,
-	}
-
-	hostmanager, err := newHostManager(wgInterface)
-	if err != nil {
-		stop()
-		return nil, err
-	}
-	defaultServer.hostManager = hostmanager
-	return defaultServer, err
-}
-
-// Start runs the listener in a go routine
-func (s *DefaultServer) Start() {
-	if s.customAddress != nil {
-		s.runtimeIP = s.customAddress.Addr().String()
-		s.runtimePort = int(s.customAddress.Port())
-	} else {
-		ip, port, err := s.getFirstListenerAvailable()
-		if err != nil {
-			log.Error(err)
-			return
-		}
-		s.runtimeIP = ip
-		s.runtimePort = port
-	}
-
-	s.server.Addr = fmt.Sprintf("%s:%d", s.runtimeIP, s.runtimePort)
-
-	log.Debugf("starting dns on %s", s.server.Addr)
-
-	go func() {
-		s.setListenerStatus(true)
-		defer s.setListenerStatus(false)
-
-		err := s.server.ListenAndServe()
-		if err != nil {
-			log.Errorf("dns server running with %d port returned an error: %v. Will not retry", s.runtimePort, err)
-		}
-	}()
-}
-
-func (s *DefaultServer) getFirstListenerAvailable() (string, int, error) {
-	ips := []string{defaultIP, customIP}
-	if runtime.GOOS != "darwin" && s.wgInterface != nil {
-		ips = append([]string{s.wgInterface.Address().IP.String()}, ips...)
-	}
-	ports := []int{defaultPort, customPort}
-	for _, port := range ports {
-		for _, ip := range ips {
-			addrString := fmt.Sprintf("%s:%d", ip, port)
-			udpAddr := net.UDPAddrFromAddrPort(netip.MustParseAddrPort(addrString))
-			probeListener, err := net.ListenUDP("udp", udpAddr)
-			if err == nil {
-				err = probeListener.Close()
-				if err != nil {
-					log.Errorf("got an error closing the probe listener, error: %s", err)
-				}
-				return ip, port, nil
-			}
-			log.Warnf("binding dns on %s is not available, error: %s", addrString, err)
-		}
-	}
-	return "", 0, fmt.Errorf("unable to find an unused ip and port combination. IPs tested: %v and ports %v", ips, ports)
-}
-
-func (s *DefaultServer) setListenerStatus(running bool) {
-	s.listenerIsRunning = running
-}
-
-// Stop stops the server
-func (s *DefaultServer) Stop() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	s.ctxCancel()
-
-	err := s.hostManager.restoreHostDNS()
-	if err != nil {
-		log.Error(err)
-	}
-
-	err = s.stopListener()
-	if err != nil {
-		log.Error(err)
-	}
-}
-
-func (s *DefaultServer) stopListener() error {
-	if !s.listenerIsRunning {
-		return nil
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	err := s.server.ShutdownContext(ctx)
-	if err != nil {
-		return fmt.Errorf("stopping dns server listener returned an error: %v", err)
-	}
-	return nil
-}
-
-// UpdateDNSServer processes an update received from the management service
-func (s *DefaultServer) UpdateDNSServer(serial uint64, update nbdns.Config) error {
-	select {
-	case <-s.ctx.Done():
-		log.Infof("not updating DNS server as context is closed")
-		return s.ctx.Err()
-	default:
-		if serial < s.updateSerial {
-			return fmt.Errorf("not applying dns update, error: "+
-				"network update is %d behind the last applied update", s.updateSerial-serial)
-		}
-		s.mux.Lock()
-		defer s.mux.Unlock()
-
-		hash, err := hashstructure.Hash(update, hashstructure.FormatV2, &hashstructure.HashOptions{
-			ZeroNil:         true,
-			IgnoreZeroValue: true,
-			SlicesAsSets:    true,
-			UseStringer:     true,
-		})
-		if err != nil {
-			log.Errorf("unable to hash the dns configuration update, got error: %s", err)
-		}
-
-		if s.previousConfigHash == hash {
-			log.Debugf("not applying the dns configuration update as there is nothing new")
-			s.updateSerial = serial
-			return nil
-		}
-
-		if err := s.applyConfiguration(update); err != nil {
-			return err
-		}
-
-		s.updateSerial = serial
-		s.previousConfigHash = hash
-
-		return nil
-	}
-}
-
-func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
-	// is the service should be disabled, we stop the listener
-	// and proceed with a regular update to clean up the handlers and records
-	if !update.ServiceEnable {
-		err := s.stopListener()
-		if err != nil {
-			log.Error(err)
-		}
-	} else if !s.listenerIsRunning {
-		s.Start()
-	}
-
-	localMuxUpdates, localRecords, err := s.buildLocalHandlerUpdate(update.CustomZones)
-	if err != nil {
-		return fmt.Errorf("not applying dns update, error: %v", err)
-	}
-	upstreamMuxUpdates, err := s.buildUpstreamHandlerUpdate(update.NameServerGroups)
-	if err != nil {
-		return fmt.Errorf("not applying dns update, error: %v", err)
-	}
-
-	muxUpdates := append(localMuxUpdates, upstreamMuxUpdates...)
-
-	s.updateMux(muxUpdates)
-	s.updateLocalResolver(localRecords)
-	s.currentConfig = dnsConfigToHostDNSConfig(update, s.runtimeIP, s.runtimePort)
-
-	if err = s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
-		log.Error(err)
-	}
-
-	return nil
-}
-
-func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone) ([]muxUpdate, map[string]nbdns.SimpleRecord, error) {
-	var muxUpdates []muxUpdate
-	localRecords := make(map[string]nbdns.SimpleRecord, 0)
-
-	for _, customZone := range customZones {
-
-		if len(customZone.Records) == 0 {
-			return nil, nil, fmt.Errorf("received an empty list of records")
-		}
-
-		muxUpdates = append(muxUpdates, muxUpdate{
-			domain:  customZone.Domain,
-			handler: s.localResolver,
-		})
-
-		for _, record := range customZone.Records {
-			var class uint16 = dns.ClassINET
-			if record.Class != nbdns.DefaultClass {
-				return nil, nil, fmt.Errorf("received an invalid class type: %s", record.Class)
-			}
-			key := buildRecordKey(record.Name, class, uint16(record.Type))
-			localRecords[key] = record
-		}
-	}
-	return muxUpdates, localRecords, nil
-}
-
-func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.NameServerGroup) ([]muxUpdate, error) {
-	// clean up the previous upstream resolver
-	if s.upstreamCtxCancel != nil {
-		s.upstreamCtxCancel()
-	}
-
-	var muxUpdates []muxUpdate
-	for _, nsGroup := range nameServerGroups {
-		if len(nsGroup.NameServers) == 0 {
-			log.Warn("received a nameserver group with empty nameserver list")
-			continue
-		}
-
-		var ctx context.Context
-		ctx, s.upstreamCtxCancel = context.WithCancel(s.ctx)
-
-		handler := newUpstreamResolver(ctx)
-		for _, ns := range nsGroup.NameServers {
-			if ns.NSType != nbdns.UDPNameServerType {
-				log.Warnf("skiping nameserver %s with type %s, this peer supports only %s",
-					ns.IP.String(), ns.NSType.String(), nbdns.UDPNameServerType.String())
-				continue
-			}
-			handler.upstreamServers = append(handler.upstreamServers, getNSHostPort(ns))
-		}
-
-		if len(handler.upstreamServers) == 0 {
-			log.Errorf("received a nameserver group with an invalid nameserver list")
-			continue
-		}
-
-		// when upstream fails to resolve domain several times over all it servers
-		// it will calls this hook to exclude self from the configuration and
-		// reapply DNS settings, but it not touch the original configuration and serial number
-		// because it is temporal deactivation until next try
-		//
-		// after some period defined by upstream it trys to reactivate self by calling this hook
-		// everything we need here is just to re-apply current configuration because it already
-		// contains this upstream settings (temporal deactivation not removed it)
-		handler.deactivate, handler.reactivate = s.upstreamCallbacks(nsGroup, handler)
-
-		if nsGroup.Primary {
-			muxUpdates = append(muxUpdates, muxUpdate{
-				domain:  nbdns.RootZone,
-				handler: handler,
-			})
-			continue
-		}
-
-		if len(nsGroup.Domains) == 0 {
-			return nil, fmt.Errorf("received a non primary nameserver group with an empty domain list")
-		}
-
-		for _, domain := range nsGroup.Domains {
-			if domain == "" {
-				return nil, fmt.Errorf("received a nameserver group with an empty domain element")
-			}
-			muxUpdates = append(muxUpdates, muxUpdate{
-				domain:  domain,
-				handler: handler,
-			})
-		}
-	}
-	return muxUpdates, nil
-}
-
-func (s *DefaultServer) updateMux(muxUpdates []muxUpdate) {
-	muxUpdateMap := make(registrationMap)
-
-	for _, update := range muxUpdates {
-		s.registerMux(update.domain, update.handler)
-		muxUpdateMap[update.domain] = struct{}{}
-	}
-
-	for key := range s.dnsMuxMap {
-		_, found := muxUpdateMap[key]
-		if !found {
-			s.deregisterMux(key)
-		}
-	}
-
-	s.dnsMuxMap = muxUpdateMap
-}
-
-func (s *DefaultServer) updateLocalResolver(update map[string]nbdns.SimpleRecord) {
-	for key := range s.localResolver.registeredMap {
-		_, found := update[key]
-		if !found {
-			s.localResolver.deleteRecord(key)
-		}
-	}
-
-	updatedMap := make(registrationMap)
-	for key, record := range update {
-		err := s.localResolver.registerRecord(record)
-		if err != nil {
-			log.Warnf("got an error while registering the record (%s), error: %v", record.String(), err)
-		}
-		updatedMap[key] = struct{}{}
-	}
-
-	s.localResolver.registeredMap = updatedMap
-}
-
-func getNSHostPort(ns nbdns.NameServer) string {
-	return fmt.Sprintf("%s:%d", ns.IP.String(), ns.Port)
-}
-
-func (s *DefaultServer) registerMux(pattern string, handler dns.Handler) {
-	s.dnsMux.Handle(pattern, handler)
-}
-
-func (s *DefaultServer) deregisterMux(pattern string) {
-	s.dnsMux.HandleRemove(pattern)
-}
-
-// upstreamCallbacks returns two functions, the first one is used to deactivate
-// the upstream resolver from the configuration, the second one is used to
-// reactivate it. Not allowed to call reactivate before deactivate.
-func (s *DefaultServer) upstreamCallbacks(
-	nsGroup *nbdns.NameServerGroup,
-	handler dns.Handler,
-) (deactivate func(), reactivate func()) {
-	var removeIndex map[string]int
-	deactivate = func() {
-		s.mux.Lock()
-		defer s.mux.Unlock()
-
-		l := log.WithField("nameservers", nsGroup.NameServers)
-		l.Info("temporary deactivate nameservers group due timeout")
-
-		removeIndex = make(map[string]int)
-		for _, domain := range nsGroup.Domains {
-			removeIndex[domain] = -1
-		}
-		if nsGroup.Primary {
-			removeIndex[nbdns.RootZone] = -1
-			s.currentConfig.routeAll = false
-		}
-
-		for i, item := range s.currentConfig.domains {
-			if _, found := removeIndex[item.domain]; found {
-				s.currentConfig.domains[i].disabled = true
-				s.deregisterMux(item.domain)
-				removeIndex[item.domain] = i
-			}
-		}
-		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
-			l.WithError(err).Error("fail to apply nameserver deactivation on the host")
-		}
-	}
-	reactivate = func() {
-		s.mux.Lock()
-		defer s.mux.Unlock()
-
-		for domain, i := range removeIndex {
-			if i == -1 || i >= len(s.currentConfig.domains) || s.currentConfig.domains[i].domain != domain {
-				continue
-			}
-			s.currentConfig.domains[i].disabled = false
-			s.registerMux(domain, handler)
-		}
-
-		l := log.WithField("nameservers", nsGroup.NameServers)
-		l.Debug("reactivate temporary disabled nameserver group")
-
-		if nsGroup.Primary {
-			s.currentConfig.routeAll = true
-		}
-		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
-			l.WithError(err).Error("reactivate temporary disabled nameserver group, DNS update apply")
-		}
-	}
-	return
-}
--- a/client/internal/dns/server_android.go
+++ b/client/internal/dns/server_android.go
@@ -0,0 +1,32 @@
+package dns
+
+import (
+	"context"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/iface"
+)
+
+// DefaultServer dummy dns server
+type DefaultServer struct {
+}
+
+// NewDefaultServer On Android the DNS feature is not supported yet
+func NewDefaultServer(ctx context.Context, wgInterface *iface.WGIface, customAddress string) (*DefaultServer, error) {
+	return &DefaultServer{}, nil
+}
+
+// Start dummy implementation
+func (s DefaultServer) Start() {
+
+}
+
+// Stop dummy implementation
+func (s DefaultServer) Stop() {
+
+}
+
+// UpdateDNSServer dummy implementation
+func (s DefaultServer) UpdateDNSServer(serial uint64, update nbdns.Config) error {
+	return nil
+}
--- a/client/internal/dns/server_nonandroid.go
+++ b/client/internal/dns/server_nonandroid.go
@@ -0,0 +1,465 @@
+//go:build !android
+
+package dns
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"runtime"
+	"sync"
+	"time"
+
+	"github.com/miekg/dns"
+	"github.com/mitchellh/hashstructure/v2"
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/iface"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	defaultPort = 53
+	customPort  = 5053
+	defaultIP   = "127.0.0.1"
+	customIP    = "127.0.0.153"
+)
+
+// DefaultServer dns server object
+type DefaultServer struct {
+	ctx                context.Context
+	ctxCancel          context.CancelFunc
+	upstreamCtxCancel  context.CancelFunc
+	mux                sync.Mutex
+	server             *dns.Server
+	dnsMux             *dns.ServeMux
+	dnsMuxMap          registrationMap
+	localResolver      *localResolver
+	wgInterface        *iface.WGIface
+	hostManager        hostManager
+	updateSerial       uint64
+	listenerIsRunning  bool
+	runtimePort        int
+	runtimeIP          string
+	previousConfigHash uint64
+	currentConfig      hostDNSConfig
+	customAddress      *netip.AddrPort
+}
+
+type muxUpdate struct {
+	domain  string
+	handler dns.Handler
+}
+
+// NewDefaultServer returns a new dns server
+func NewDefaultServer(ctx context.Context, wgInterface *iface.WGIface, customAddress string) (*DefaultServer, error) {
+	mux := dns.NewServeMux()
+
+	dnsServer := &dns.Server{
+		Net:     "udp",
+		Handler: mux,
+		UDPSize: 65535,
+	}
+
+	ctx, stop := context.WithCancel(ctx)
+
+	var addrPort *netip.AddrPort
+	if customAddress != "" {
+		parsedAddrPort, err := netip.ParseAddrPort(customAddress)
+		if err != nil {
+			stop()
+			return nil, fmt.Errorf("unable to parse the custom dns address, got error: %s", err)
+		}
+		addrPort = &parsedAddrPort
+	}
+
+	defaultServer := &DefaultServer{
+		ctx:       ctx,
+		ctxCancel: stop,
+		server:    dnsServer,
+		dnsMux:    mux,
+		dnsMuxMap: make(registrationMap),
+		localResolver: &localResolver{
+			registeredMap: make(registrationMap),
+		},
+		wgInterface:   wgInterface,
+		runtimePort:   defaultPort,
+		customAddress: addrPort,
+	}
+
+	hostmanager, err := newHostManager(wgInterface)
+	if err != nil {
+		stop()
+		return nil, err
+	}
+	defaultServer.hostManager = hostmanager
+	return defaultServer, err
+}
+
+// Start runs the listener in a go routine
+func (s *DefaultServer) Start() {
+	if s.customAddress != nil {
+		s.runtimeIP = s.customAddress.Addr().String()
+		s.runtimePort = int(s.customAddress.Port())
+	} else {
+		ip, port, err := s.getFirstListenerAvailable()
+		if err != nil {
+			log.Error(err)
+			return
+		}
+		s.runtimeIP = ip
+		s.runtimePort = port
+	}
+
+	s.server.Addr = fmt.Sprintf("%s:%d", s.runtimeIP, s.runtimePort)
+
+	log.Debugf("starting dns on %s", s.server.Addr)
+
+	go func() {
+		s.setListenerStatus(true)
+		defer s.setListenerStatus(false)
+
+		err := s.server.ListenAndServe()
+		if err != nil {
+			log.Errorf("dns server running with %d port returned an error: %v. Will not retry", s.runtimePort, err)
+		}
+	}()
+}
+
+func (s *DefaultServer) getFirstListenerAvailable() (string, int, error) {
+	ips := []string{defaultIP, customIP}
+	if runtime.GOOS != "darwin" && s.wgInterface != nil {
+		ips = append([]string{s.wgInterface.Address().IP.String()}, ips...)
+	}
+	ports := []int{defaultPort, customPort}
+	for _, port := range ports {
+		for _, ip := range ips {
+			addrString := fmt.Sprintf("%s:%d", ip, port)
+			udpAddr := net.UDPAddrFromAddrPort(netip.MustParseAddrPort(addrString))
+			probeListener, err := net.ListenUDP("udp", udpAddr)
+			if err == nil {
+				err = probeListener.Close()
+				if err != nil {
+					log.Errorf("got an error closing the probe listener, error: %s", err)
+				}
+				return ip, port, nil
+			}
+			log.Warnf("binding dns on %s is not available, error: %s", addrString, err)
+		}
+	}
+	return "", 0, fmt.Errorf("unable to find an unused ip and port combination. IPs tested: %v and ports %v", ips, ports)
+}
+
+func (s *DefaultServer) setListenerStatus(running bool) {
+	s.listenerIsRunning = running
+}
+
+// Stop stops the server
+func (s *DefaultServer) Stop() {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+	s.ctxCancel()
+
+	err := s.hostManager.restoreHostDNS()
+	if err != nil {
+		log.Error(err)
+	}
+
+	err = s.stopListener()
+	if err != nil {
+		log.Error(err)
+	}
+}
+
+func (s *DefaultServer) stopListener() error {
+	if !s.listenerIsRunning {
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	err := s.server.ShutdownContext(ctx)
+	if err != nil {
+		return fmt.Errorf("stopping dns server listener returned an error: %v", err)
+	}
+	return nil
+}
+
+// UpdateDNSServer processes an update received from the management service
+func (s *DefaultServer) UpdateDNSServer(serial uint64, update nbdns.Config) error {
+	select {
+	case <-s.ctx.Done():
+		log.Infof("not updating DNS server as context is closed")
+		return s.ctx.Err()
+	default:
+		if serial < s.updateSerial {
+			return fmt.Errorf("not applying dns update, error: "+
+				"network update is %d behind the last applied update", s.updateSerial-serial)
+		}
+		s.mux.Lock()
+		defer s.mux.Unlock()
+
+		hash, err := hashstructure.Hash(update, hashstructure.FormatV2, &hashstructure.HashOptions{
+			ZeroNil:         true,
+			IgnoreZeroValue: true,
+			SlicesAsSets:    true,
+			UseStringer:     true,
+		})
+		if err != nil {
+			log.Errorf("unable to hash the dns configuration update, got error: %s", err)
+		}
+
+		if s.previousConfigHash == hash {
+			log.Debugf("not applying the dns configuration update as there is nothing new")
+			s.updateSerial = serial
+			return nil
+		}
+
+		if err := s.applyConfiguration(update); err != nil {
+			return err
+		}
+
+		s.updateSerial = serial
+		s.previousConfigHash = hash
+
+		return nil
+	}
+}
+
+func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
+	// is the service should be disabled, we stop the listener
+	// and proceed with a regular update to clean up the handlers and records
+	if !update.ServiceEnable {
+		err := s.stopListener()
+		if err != nil {
+			log.Error(err)
+		}
+	} else if !s.listenerIsRunning {
+		s.Start()
+	}
+
+	localMuxUpdates, localRecords, err := s.buildLocalHandlerUpdate(update.CustomZones)
+	if err != nil {
+		return fmt.Errorf("not applying dns update, error: %v", err)
+	}
+	upstreamMuxUpdates, err := s.buildUpstreamHandlerUpdate(update.NameServerGroups)
+	if err != nil {
+		return fmt.Errorf("not applying dns update, error: %v", err)
+	}
+
+	muxUpdates := append(localMuxUpdates, upstreamMuxUpdates...)
+
+	s.updateMux(muxUpdates)
+	s.updateLocalResolver(localRecords)
+	s.currentConfig = dnsConfigToHostDNSConfig(update, s.runtimeIP, s.runtimePort)
+
+	if err = s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
+		log.Error(err)
+	}
+
+	return nil
+}
+
+func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone) ([]muxUpdate, map[string]nbdns.SimpleRecord, error) {
+	var muxUpdates []muxUpdate
+	localRecords := make(map[string]nbdns.SimpleRecord, 0)
+
+	for _, customZone := range customZones {
+
+		if len(customZone.Records) == 0 {
+			return nil, nil, fmt.Errorf("received an empty list of records")
+		}
+
+		muxUpdates = append(muxUpdates, muxUpdate{
+			domain:  customZone.Domain,
+			handler: s.localResolver,
+		})
+
+		for _, record := range customZone.Records {
+			var class uint16 = dns.ClassINET
+			if record.Class != nbdns.DefaultClass {
+				return nil, nil, fmt.Errorf("received an invalid class type: %s", record.Class)
+			}
+			key := buildRecordKey(record.Name, class, uint16(record.Type))
+			localRecords[key] = record
+		}
+	}
+	return muxUpdates, localRecords, nil
+}
+
+func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.NameServerGroup) ([]muxUpdate, error) {
+	// clean up the previous upstream resolver
+	if s.upstreamCtxCancel != nil {
+		s.upstreamCtxCancel()
+	}
+
+	var muxUpdates []muxUpdate
+	for _, nsGroup := range nameServerGroups {
+		if len(nsGroup.NameServers) == 0 {
+			log.Warn("received a nameserver group with empty nameserver list")
+			continue
+		}
+
+		var ctx context.Context
+		ctx, s.upstreamCtxCancel = context.WithCancel(s.ctx)
+
+		handler := newUpstreamResolver(ctx)
+		for _, ns := range nsGroup.NameServers {
+			if ns.NSType != nbdns.UDPNameServerType {
+				log.Warnf("skiping nameserver %s with type %s, this peer supports only %s",
+					ns.IP.String(), ns.NSType.String(), nbdns.UDPNameServerType.String())
+				continue
+			}
+			handler.upstreamServers = append(handler.upstreamServers, getNSHostPort(ns))
+		}
+
+		if len(handler.upstreamServers) == 0 {
+			log.Errorf("received a nameserver group with an invalid nameserver list")
+			continue
+		}
+
+		// when upstream fails to resolve domain several times over all it servers
+		// it will calls this hook to exclude self from the configuration and
+		// reapply DNS settings, but it not touch the original configuration and serial number
+		// because it is temporal deactivation until next try
+		//
+		// after some period defined by upstream it trys to reactivate self by calling this hook
+		// everything we need here is just to re-apply current configuration because it already
+		// contains this upstream settings (temporal deactivation not removed it)
+		handler.deactivate, handler.reactivate = s.upstreamCallbacks(nsGroup, handler)
+
+		if nsGroup.Primary {
+			muxUpdates = append(muxUpdates, muxUpdate{
+				domain:  nbdns.RootZone,
+				handler: handler,
+			})
+			continue
+		}
+
+		if len(nsGroup.Domains) == 0 {
+			return nil, fmt.Errorf("received a non primary nameserver group with an empty domain list")
+		}
+
+		for _, domain := range nsGroup.Domains {
+			if domain == "" {
+				return nil, fmt.Errorf("received a nameserver group with an empty domain element")
+			}
+			muxUpdates = append(muxUpdates, muxUpdate{
+				domain:  domain,
+				handler: handler,
+			})
+		}
+	}
+	return muxUpdates, nil
+}
+
+func (s *DefaultServer) updateMux(muxUpdates []muxUpdate) {
+	muxUpdateMap := make(registrationMap)
+
+	for _, update := range muxUpdates {
+		s.registerMux(update.domain, update.handler)
+		muxUpdateMap[update.domain] = struct{}{}
+	}
+
+	for key := range s.dnsMuxMap {
+		_, found := muxUpdateMap[key]
+		if !found {
+			s.deregisterMux(key)
+		}
+	}
+
+	s.dnsMuxMap = muxUpdateMap
+}
+
+func (s *DefaultServer) updateLocalResolver(update map[string]nbdns.SimpleRecord) {
+	for key := range s.localResolver.registeredMap {
+		_, found := update[key]
+		if !found {
+			s.localResolver.deleteRecord(key)
+		}
+	}
+
+	updatedMap := make(registrationMap)
+	for key, record := range update {
+		err := s.localResolver.registerRecord(record)
+		if err != nil {
+			log.Warnf("got an error while registering the record (%s), error: %v", record.String(), err)
+		}
+		updatedMap[key] = struct{}{}
+	}
+
+	s.localResolver.registeredMap = updatedMap
+}
+
+func getNSHostPort(ns nbdns.NameServer) string {
+	return fmt.Sprintf("%s:%d", ns.IP.String(), ns.Port)
+}
+
+func (s *DefaultServer) registerMux(pattern string, handler dns.Handler) {
+	s.dnsMux.Handle(pattern, handler)
+}
+
+func (s *DefaultServer) deregisterMux(pattern string) {
+	s.dnsMux.HandleRemove(pattern)
+}
+
+// upstreamCallbacks returns two functions, the first one is used to deactivate
+// the upstream resolver from the configuration, the second one is used to
+// reactivate it. Not allowed to call reactivate before deactivate.
+func (s *DefaultServer) upstreamCallbacks(
+	nsGroup *nbdns.NameServerGroup,
+	handler dns.Handler,
+) (deactivate func(), reactivate func()) {
+	var removeIndex map[string]int
+	deactivate = func() {
+		s.mux.Lock()
+		defer s.mux.Unlock()
+
+		l := log.WithField("nameservers", nsGroup.NameServers)
+		l.Info("temporary deactivate nameservers group due timeout")
+
+		removeIndex = make(map[string]int)
+		for _, domain := range nsGroup.Domains {
+			removeIndex[domain] = -1
+		}
+		if nsGroup.Primary {
+			removeIndex[nbdns.RootZone] = -1
+			s.currentConfig.routeAll = false
+		}
+
+		for i, item := range s.currentConfig.domains {
+			if _, found := removeIndex[item.domain]; found {
+				s.currentConfig.domains[i].disabled = true
+				s.deregisterMux(item.domain)
+				removeIndex[item.domain] = i
+			}
+		}
+		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
+			l.WithError(err).Error("fail to apply nameserver deactivation on the host")
+		}
+	}
+	reactivate = func() {
+		s.mux.Lock()
+		defer s.mux.Unlock()
+
+		for domain, i := range removeIndex {
+			if i == -1 || i >= len(s.currentConfig.domains) || s.currentConfig.domains[i].domain != domain {
+				continue
+			}
+			s.currentConfig.domains[i].disabled = false
+			s.registerMux(domain, handler)
+		}
+
+		l := log.WithField("nameservers", nsGroup.NameServers)
+		l.Debug("reactivate temporary disabled nameserver group")
+
+		if nsGroup.Primary {
+			s.currentConfig.routeAll = true
+		}
+		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
+			l.WithError(err).Error("reactivate temporary disabled nameserver group, DNS update apply")
+		}
+	}
+	return
+}
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -9,7 +9,10 @@ import (
 	"testing"
 	"time"

+	"github.com/netbirdio/netbird/client/internal/stdnet"
+
 	"github.com/miekg/dns"
+
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
 )
@@ -199,7 +202,11 @@ func TestUpdateDNSServer(t *testing.T) {

 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), iface.DefaultMTU)
+			newNet, err := stdnet.NewNet(nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), iface.DefaultMTU, nil, nil, newNet)
 			if err != nil {
 				t.Fatal(err)
 			}
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -12,24 +12,23 @@ import (
 	"sync"
 	"time"

-	"github.com/netbirdio/netbird/client/internal/dns"
-	"github.com/netbirdio/netbird/client/internal/routemanager"
-	nbssh "github.com/netbirdio/netbird/client/ssh"
-	nbstatus "github.com/netbirdio/netbird/client/status"
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/route"
-
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/proxy"
-	"github.com/netbirdio/netbird/iface"
-	mgm "github.com/netbirdio/netbird/management/client"
-	mgmProto "github.com/netbirdio/netbird/management/proto"
-	signal "github.com/netbirdio/netbird/signal/client"
-	sProto "github.com/netbirdio/netbird/signal/proto"
-	"github.com/netbirdio/netbird/util"
 	"github.com/pion/ice/v2"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
+	"github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/proxy"
+	"github.com/netbirdio/netbird/client/internal/routemanager"
+	nbssh "github.com/netbirdio/netbird/client/ssh"
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/iface"
+	mgm "github.com/netbirdio/netbird/management/client"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+	"github.com/netbirdio/netbird/route"
+	signal "github.com/netbirdio/netbird/signal/client"
+	sProto "github.com/netbirdio/netbird/signal/proto"
+	"github.com/netbirdio/netbird/util"
 )

 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
@@ -86,7 +85,9 @@ type Engine struct {
 	// syncMsgMux is used to guarantee sequential Management Service message processing
 	syncMsgMux *sync.Mutex

-	config *EngineConfig
+	config    *EngineConfig
+	mobileDep MobileDependency
+
 	// STUNs is a list of STUN servers used by ICE
 	STUNs []*ice.URL
 	// TURNs is a list of STUN servers used by ICE
@@ -109,7 +110,7 @@ type Engine struct {
 	sshServerFunc func(hostKeyPEM []byte, addr string) (nbssh.Server, error)
 	sshServer     nbssh.Server

-	statusRecorder *nbstatus.Status
+	statusRecorder *peer.Status

 	routeManager routemanager.Manager

@@ -126,16 +127,17 @@ type Peer struct {
 func NewEngine(
 	ctx context.Context, cancel context.CancelFunc,
 	signalClient signal.Client, mgmClient mgm.Client,
-	config *EngineConfig, statusRecorder *nbstatus.Status,
+	config *EngineConfig, mobileDep MobileDependency, statusRecorder *peer.Status,
 ) *Engine {
 	return &Engine{
 		ctx:            ctx,
 		cancel:         cancel,
 		signal:         signalClient,
 		mgmClient:      mgmClient,
-		peerConns:      map[string]*peer.Conn{},
+		peerConns:      make(map[string]*peer.Conn),
 		syncMsgMux:     &sync.Mutex{},
 		config:         config,
+		mobileDep:      mobileDep,
 		STUNs:          []*ice.URL{},
 		TURNs:          []*ice.URL{},
 		networkSerial:  0,
@@ -162,60 +164,77 @@ func (e *Engine) Stop() error {
 	return nil
 }

-// Start creates a new Wireguard tunnel interface and listens to events from Signal and Management services
+// Start creates a new WireGuard tunnel interface and listens to events from Signal and Management services
 // Connections to remote peers are not established here.
 // However, they will be established once an event with a list of peers to connect to will be received from Management Service
 func (e *Engine) Start() error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

-	wgIfaceName := e.config.WgIfaceName
+	wgIFaceName := e.config.WgIfaceName
 	wgAddr := e.config.WgAddr
 	myPrivateKey := e.config.WgPrivateKey
 	var err error
-
-	e.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU)
+	transportNet, err := e.newStdNet()
 	if err != nil {
-		log.Errorf("failed creating wireguard interface instance %s: [%s]", wgIfaceName, err.Error())
+		log.Errorf("failed to create pion's stdnet: %s", err)
+	}
+	e.wgInterface, err = iface.NewWGIFace(wgIFaceName, wgAddr, iface.DefaultMTU, e.mobileDep.Routes, e.mobileDep.TunAdapter, transportNet)
+	if err != nil {
+		log.Errorf("failed creating wireguard interface instance %s: [%s]", wgIFaceName, err.Error())
 		return err
 	}

-	networkName := "udp"
-	if e.config.DisableIPv6Discovery {
-		networkName = "udp4"
-	}
-
-	e.udpMuxConn, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxPort})
-	if err != nil {
-		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxPort, err.Error())
-		e.close()
-		return err
-	}
-
-	e.udpMuxConnSrflx, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxSrflxPort})
-	if err != nil {
-		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxSrflxPort, err.Error())
-		e.close()
-		return err
-	}
-
-	e.udpMux = ice.NewUDPMuxDefault(ice.UDPMuxParams{UDPConn: e.udpMuxConn})
-	e.udpMuxSrflx = ice.NewUniversalUDPMuxDefault(ice.UniversalUDPMuxParams{UDPConn: e.udpMuxConnSrflx})
-
 	err = e.wgInterface.Create()
 	if err != nil {
-		log.Errorf("failed creating tunnel interface %s: [%s]", wgIfaceName, err.Error())
+		log.Errorf("failed creating tunnel interface %s: [%s]", wgIFaceName, err.Error())
 		e.close()
 		return err
 	}

 	err = e.wgInterface.Configure(myPrivateKey.String(), e.config.WgPort)
 	if err != nil {
-		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIfaceName, err.Error())
+		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIFaceName, err.Error())
 		e.close()
 		return err
 	}

+	if e.wgInterface.IsUserspaceBind() {
+		iceBind := e.wgInterface.GetBind()
+		udpMux, err := iceBind.GetICEMux()
+		if err != nil {
+			e.close()
+			return err
+		}
+		e.udpMux = udpMux.UDPMuxDefault
+		e.udpMuxSrflx = udpMux
+		log.Infof("using userspace bind mode %s", udpMux.LocalAddr().String())
+	} else {
+		networkName := "udp"
+		if e.config.DisableIPv6Discovery {
+			networkName = "udp4"
+		}
+		e.udpMuxConn, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxPort})
+		if err != nil {
+			log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxPort, err.Error())
+			e.close()
+			return err
+		}
+		udpMuxParams := ice.UDPMuxParams{
+			UDPConn: e.udpMuxConn,
+			Net:     transportNet,
+		}
+		e.udpMux = ice.NewUDPMuxDefault(udpMuxParams)
+
+		e.udpMuxConnSrflx, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxSrflxPort})
+		if err != nil {
+			log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxSrflxPort, err.Error())
+			e.close()
+			return err
+		}
+		e.udpMuxSrflx = ice.NewUniversalUDPMuxDefault(ice.UniversalUDPMuxParams{UDPConn: e.udpMuxConnSrflx, Net: transportNet})
+	}
+
 	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder)

 	if e.dnsServer == nil {
@@ -338,42 +357,6 @@ func (e *Engine) removePeer(peerKey string) error {
 	return nil
 }

-// GetPeerConnectionStatus returns a connection Status or nil if peer connection wasn't found
-func (e *Engine) GetPeerConnectionStatus(peerKey string) peer.ConnStatus {
-	conn, exists := e.peerConns[peerKey]
-	if exists && conn != nil {
-		return conn.Status()
-	}
-
-	return -1
-}
-
-func (e *Engine) GetPeers() []string {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-
-	peers := []string{}
-	for s := range e.peerConns {
-		peers = append(peers, s)
-	}
-	return peers
-}
-
-// GetConnectedPeers returns a connection Status or nil if peer connection wasn't found
-func (e *Engine) GetConnectedPeers() []string {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-
-	peers := []string{}
-	for s, conn := range e.peerConns {
-		if conn.Status() == peer.StatusConnected {
-			peers = append(peers, s)
-		}
-	}
-
-	return peers
-}
-
 func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client) error {
 	err := s.Send(&sProto.Message{
 		Key:       myKey.PublicKey().String(),
@@ -390,6 +373,10 @@ func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtyp
 	return nil
 }

+func sendSignal(message *sProto.Message, s signal.Client) error {
+	return s.Send(message)
+}
+
 // SignalOfferAnswer signals either an offer or an answer to remote peer
 func SignalOfferAnswer(offerAnswer peer.OfferAnswer, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client, isAnswer bool) error {
 	var t sProto.Body_Type
@@ -406,6 +393,10 @@ func SignalOfferAnswer(offerAnswer peer.OfferAnswer, myKey wgtypes.Key, remoteKe
 	if err != nil {
 		return err
 	}
+
+	// indicates message support in gRPC
+	msg.Body.FeaturesSupported = []uint32{signal.DirectCheck}
+
 	err = s.Send(msg)
 	if err != nil {
 		return err
@@ -509,10 +500,10 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 		}
 	}

-	e.statusRecorder.UpdateLocalPeerState(nbstatus.LocalPeerState{
+	e.statusRecorder.UpdateLocalPeerState(peer.LocalPeerState{
 		IP:              e.config.WgAddr,
 		PubKey:          e.config.WgPrivateKey.PublicKey().String(),
-		KernelInterface: iface.WireguardModuleIsLoaded(),
+		KernelInterface: iface.WireGuardModuleIsLoaded(),
 		FQDN:            conf.GetFqdn(),
 	})

@@ -594,6 +585,8 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {

 	log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(networkMap.GetRemotePeers()))

+	e.updateOfflinePeers(networkMap.GetOfflinePeers())
+
 	// cleanup request, most likely our peer has been deleted
 	if networkMap.GetRemotePeersIsEmpty() {
 		err := e.removeAllPeers()
@@ -641,6 +634,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	if protoDNSConfig == nil {
 		protoDNSConfig = &mgmProto.DNSConfig{}
 	}
+
 	err = e.dnsServer.UpdateDNSServer(serial, toDNSConfig(protoDNSConfig))
 	if err != nil {
 		log.Errorf("failed to update dns server, err: %v", err)
@@ -710,6 +704,21 @@ func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig) nbdns.Config {
 	return dnsUpdate
 }

+func (e *Engine) updateOfflinePeers(offlinePeers []*mgmProto.RemotePeerConfig) {
+	replacement := make([]peer.State, len(offlinePeers))
+	for i, offlinePeer := range offlinePeers {
+		log.Debugf("added offline peer %s", offlinePeer.Fqdn)
+		replacement[i] = peer.State{
+			IP:               strings.Join(offlinePeer.GetAllowedIps(), ","),
+			PubKey:           offlinePeer.GetWgPubKey(),
+			FQDN:             offlinePeer.GetFqdn(),
+			ConnStatus:       peer.StatusDisconnected,
+			ConnStatusUpdate: time.Now(),
+		}
+	}
+	e.statusRecorder.ReplaceOfflinePeers(replacement)
+}
+
 // addNewPeers adds peers that were not know before but arrived from the Management service with the update
 func (e *Engine) addNewPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 	for _, p := range peersUpdate {
@@ -820,9 +829,10 @@ func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, er
 		ProxyConfig:          proxyConfig,
 		LocalWgPort:          e.config.WgPort,
 		NATExternalIPs:       e.parseNATExternalIPMappings(),
+		UserspaceBind:        e.wgInterface.IsUserspaceBind(),
 	}

-	peerConn, err := peer.NewConn(config, e.statusRecorder)
+	peerConn, err := peer.NewConn(config, e.statusRecorder, e.mobileDep.TunAdapter, e.mobileDep.IFaceDiscover)
 	if err != nil {
 		return nil, err
 	}
@@ -847,6 +857,9 @@ func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, er
 	peerConn.SetSignalCandidate(signalCandidate)
 	peerConn.SetSignalOffer(signalOffer)
 	peerConn.SetSignalAnswer(signalAnswer)
+	peerConn.SetSendSignalMessage(func(message *sProto.Message) error {
+		return sendSignal(message, e.signal)
+	})

 	return peerConn, nil
 }
@@ -870,6 +883,9 @@ func (e *Engine) receiveSignalEvents() {
 				if err != nil {
 					return err
 				}
+
+				conn.RegisterProtoSupportMeta(msg.Body.GetFeaturesSupported())
+
 				conn.OnRemoteOffer(peer.OfferAnswer{
 					IceCredentials: peer.IceCredentials{
 						UFrag: remoteCred.UFrag,
@@ -883,6 +899,9 @@ func (e *Engine) receiveSignalEvents() {
 				if err != nil {
 					return err
 				}
+
+				conn.RegisterProtoSupportMeta(msg.Body.GetFeaturesSupported())
+
 				conn.OnRemoteAnswer(peer.OfferAnswer{
 					IceCredentials: peer.IceCredentials{
 						UFrag: remoteCred.UFrag,
@@ -898,6 +917,19 @@ func (e *Engine) receiveSignalEvents() {
 					return err
 				}
 				conn.OnRemoteCandidate(candidate)
+			case sProto.Body_MODE:
+				protoMode := msg.GetBody().GetMode()
+				if protoMode == nil {
+					return fmt.Errorf("received an empty mode message")
+				}
+
+				err := conn.OnModeMessage(peer.ModeMessage{
+					Direct: protoMode.GetDirect(),
+				})
+				if err != nil {
+					log.Errorf("failed processing a mode message -> %s", err)
+					return err
+				}
 			}

 			return nil
@@ -982,12 +1014,6 @@ func (e *Engine) close() {
 		}
 	}

-	if e.udpMuxSrflx != nil {
-		if err := e.udpMuxSrflx.Close(); err != nil {
-			log.Debugf("close server reflexive udp mux: %v", err)
-		}
-	}
-
 	if e.udpMuxConn != nil {
 		if err := e.udpMuxConn.Close(); err != nil {
 			log.Debugf("close udp mux connection: %v", err)
--- a/client/internal/engine_stdnet.go
+++ b/client/internal/engine_stdnet.go
@@ -0,0 +1,11 @@
+//go:build !android
+
+package internal
+
+import (
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+)
+
+func (e *Engine) newStdNet() (*stdnet.Net, error) {
+	return stdnet.NewNet(e.config.IFaceBlackList)
+}
--- a/client/internal/engine_stdnet_android.go
+++ b/client/internal/engine_stdnet_android.go
@@ -0,0 +1,7 @@
+package internal
+
+import "github.com/netbirdio/netbird/client/internal/stdnet"
+
+func (e *Engine) newStdNet() (*stdnet.Net, error) {
+	return stdnet.NewNetWithDiscover(e.mobileDep.IFaceDiscover, e.config.IFaceBlackList)
+}
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -3,16 +3,8 @@ package internal
 import (
 	"context"
 	"fmt"
-	"github.com/netbirdio/netbird/client/internal/dns"
-	"github.com/netbirdio/netbird/client/internal/routemanager"
-	"github.com/netbirdio/netbird/client/ssh"
-	nbstatus "github.com/netbirdio/netbird/client/status"
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/iface"
-	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/route"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
+	"github.com/netbirdio/netbird/iface/bind"
+	"github.com/pion/transport/v2/stdnet"
 	"net"
 	"net/netip"
 	"os"
@@ -23,18 +15,29 @@ import (
 	"testing"
 	"time"

+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/keepalive"
+
+	"github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/routemanager"
+	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/iface"
 	mgmt "github.com/netbirdio/netbird/management/client"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/route"
 	signal "github.com/netbirdio/netbird/signal/client"
 	"github.com/netbirdio/netbird/signal/proto"
 	signalServer "github.com/netbirdio/netbird/signal/server"
 	"github.com/netbirdio/netbird/util"
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/keepalive"
 )

 var (
@@ -71,7 +74,7 @@ func TestEngine_SSH(t *testing.T) {
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	}, nbstatus.NewRecorder())
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"))

 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
@@ -205,12 +208,24 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	}, nbstatus.NewRecorder())
-	engine.wgInterface, err = iface.NewWGIFace("utun102", "100.64.0.1/24", iface.DefaultMTU)
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+	newNet, err := stdnet.NewNet()
+	if err != nil {
+		t.Fatal(err)
+	}
+	engine.wgInterface, err = iface.NewWGIFace("utun102", "100.64.0.1/24", iface.DefaultMTU, nil, nil, newNet)
+	if err != nil {
+		t.Fatal(err)
+	}
 	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), engine.wgInterface, engine.statusRecorder)
 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
 	}
+	conn, err := net.ListenUDP("udp4", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	engine.udpMux = bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: conn})

 	type testCase struct {
 		name       string
@@ -389,7 +404,7 @@ func TestEngine_Sync(t *testing.T) {
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	}, nbstatus.NewRecorder())
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"))

 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
@@ -439,7 +454,7 @@ func TestEngine_Sync(t *testing.T) {
 		default:
 		}

-		if len(engine.GetPeers()) == 3 && engine.networkSerial == 10 {
+		if getPeers(engine) == 3 && engine.networkSerial == 10 {
 			break
 		}
 	}
@@ -547,8 +562,12 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
-			}, nbstatus.NewRecorder())
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU)
+			}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+			newNet, err := stdnet.NewNet()
+			if err != nil {
+				t.Fatal(err)
+			}
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, nil, nil, newNet)
 			assert.NoError(t, err, "shouldn't return error")
 			input := struct {
 				inputSerial uint64
@@ -712,8 +731,12 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
-			}, nbstatus.NewRecorder())
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU)
+			}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+			newNet, err := stdnet.NewNet()
+			if err != nil {
+				t.Fatal(err)
+			}
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, nil, nil, newNet)
 			assert.NoError(t, err, "shouldn't return error")

 			mockRouteManager := &routemanager.MockManager{
@@ -846,7 +869,7 @@ loop:
 		case <-ticker.C:
 			totalConnected := 0
 			for _, engine := range engines {
-				totalConnected = totalConnected + len(engine.GetConnectedPeers())
+				totalConnected = totalConnected + getConnectedPeers(engine)
 			}
 			if totalConnected == expectedConnected {
 				log.Infof("total connected=%d", totalConnected)
@@ -977,7 +1000,7 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		WgPort:       wgPort,
 	}

-	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf, nbstatus.NewRecorder()), nil
+	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf, MobileDependency{}, peer.NewRecorder("https://mgm")), nil
 }

 func startSignal() (*grpc.Server, string, error) {
@@ -1044,3 +1067,23 @@ func startManagement(dataDir string) (*grpc.Server, string, error) {

 	return s, lis.Addr().String(), nil
 }
+
+// getConnectedPeers returns a connection Status or nil if peer connection wasn't found
+func getConnectedPeers(e *Engine) int {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+	i := 0
+	for _, conn := range e.peerConns {
+		if conn.Status() == peer.StatusConnected {
+			i++
+		}
+	}
+	return i
+}
+
+func getPeers(e *Engine) int {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	return len(e.peerConns)
+}
--- a/client/internal/login.go
+++ b/client/internal/login.go
@@ -2,37 +2,26 @@ package internal

 import (
 	"context"
+	"net/url"
+
 	"github.com/google/uuid"
-	"github.com/netbirdio/netbird/client/ssh"
-	"github.com/netbirdio/netbird/client/system"
-	mgm "github.com/netbirdio/netbird/management/client"
-	mgmProto "github.com/netbirdio/netbird/management/proto"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/ssh"
+	"github.com/netbirdio/netbird/client/system"
+	mgm "github.com/netbirdio/netbird/management/client"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
 )

-func Login(ctx context.Context, config *Config, setupKey string, jwtToken string) error {
-	// validate our peer's Wireguard PRIVATE key
-	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+// IsLoginRequired check that the server is support SSO or not
+func IsLoginRequired(ctx context.Context, privateKey string, mgmURL *url.URL, sshKey string) (bool, error) {
+	mgmClient, err := getMgmClient(ctx, privateKey, mgmURL)
 	if err != nil {
-		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
-		return err
+		return false, err
 	}
-
-	var mgmTlsEnabled bool
-	if config.ManagementURL.Scheme == "https" {
-		mgmTlsEnabled = true
-	}
-
-	log.Debugf("connecting to the Management service %s", config.ManagementURL.String())
-	mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
-	if err != nil {
-		log.Errorf("failed connecting to the Management service %s %v", config.ManagementURL.String(), err)
-		return err
-	}
-	log.Debugf("connected to the Management service %s", config.ManagementURL.String())
 	defer func() {
 		err = mgmClient.Close()
 		if err != nil {
@@ -42,47 +31,84 @@ func Login(ctx context.Context, config *Config, setupKey string, jwtToken string
 			}
 		}
 	}()
+	log.Debugf("connected to the Management service %s", mgmURL.String())

-	serverKey, err := mgmClient.GetServerPublicKey()
+	pubSSHKey, err := ssh.GeneratePublicKey([]byte(sshKey))
+	if err != nil {
+		return false, err
+	}
+
+	_, err = doMgmLogin(ctx, mgmClient, pubSSHKey)
+	if isLoginNeeded(err) {
+		return true, nil
+	}
+	return false, err
+}
+
+// Login or register the client
+func Login(ctx context.Context, config *Config, setupKey string, jwtToken string) error {
+	mgmClient, err := getMgmClient(ctx, config.PrivateKey, config.ManagementURL)
 	if err != nil {
-		log.Errorf("failed while getting Management Service public key: %v", err)
 		return err
 	}
+	defer func() {
+		err = mgmClient.Close()
+		if err != nil {
+			cStatus, ok := status.FromError(err)
+			if !ok || ok && cStatus.Code() != codes.Canceled {
+				log.Warnf("failed to close the Management service client, err: %v", err)
+			}
+		}
+	}()
+	log.Debugf("connected to the Management service %s", config.ManagementURL.String())

 	pubSSHKey, err := ssh.GeneratePublicKey([]byte(config.SSHKey))
 	if err != nil {
 		return err
 	}
-	_, err = loginPeer(ctx, *serverKey, mgmClient, setupKey, jwtToken, pubSSHKey)
-	if err != nil {
-		log.Errorf("failed logging-in peer on Management Service : %v", err)
-		return err
-	}
-	log.Infof("peer has successfully logged-in to the Management service %s", config.ManagementURL.String())

-	err = mgmClient.Close()
-	if err != nil {
-		log.Errorf("failed to close the Management service client: %v", err)
+	serverKey, err := doMgmLogin(ctx, mgmClient, pubSSHKey)
+	if isRegistrationNeeded(err) {
+		log.Debugf("peer registration required")
+		_, err = registerPeer(ctx, *serverKey, mgmClient, setupKey, jwtToken, pubSSHKey)
 		return err
 	}

-	return nil
+	return err
 }

-// loginPeer attempts to login to Management Service. If peer wasn't registered, tries the registration flow.
-func loginPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string, jwtToken string, pubSSHKey []byte) (*mgmProto.LoginResponse, error) {
-	sysInfo := system.GetInfo(ctx)
-	loginResp, err := client.Login(serverPublicKey, sysInfo, pubSSHKey)
+func getMgmClient(ctx context.Context, privateKey string, mgmURL *url.URL) (*mgm.GrpcClient, error) {
+	// validate our peer's Wireguard PRIVATE key
+	myPrivateKey, err := wgtypes.ParseKey(privateKey)
 	if err != nil {
-		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
-			log.Debugf("peer registration required")
-			return registerPeer(ctx, serverPublicKey, client, setupKey, jwtToken, pubSSHKey)
-		} else {
-			return nil, err
-		}
+		log.Errorf("failed parsing Wireguard key %s: [%s]", privateKey, err.Error())
+		return nil, err
 	}

-	return loginResp, nil
+	var mgmTlsEnabled bool
+	if mgmURL.Scheme == "https" {
+		mgmTlsEnabled = true
+	}
+
+	log.Debugf("connecting to the Management service %s", mgmURL.String())
+	mgmClient, err := mgm.NewClient(ctx, mgmURL.Host, myPrivateKey, mgmTlsEnabled)
+	if err != nil {
+		log.Errorf("failed connecting to the Management service %s %v", mgmURL.String(), err)
+		return nil, err
+	}
+	return mgmClient, err
+}
+
+func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte) (*wgtypes.Key, error) {
+	serverKey, err := mgmClient.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return nil, err
+	}
+
+	sysInfo := system.GetInfo(ctx)
+	_, err = mgmClient.Login(*serverKey, sysInfo, pubSSHKey)
+	return serverKey, err
 }

 // registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
@@ -105,3 +131,31 @@ func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.

 	return loginResp, nil
 }
+
+func isLoginNeeded(err error) bool {
+	if err == nil {
+		return false
+	}
+	s, ok := status.FromError(err)
+	if !ok {
+		return false
+	}
+	if s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied {
+		return true
+	}
+	return false
+}
+
+func isRegistrationNeeded(err error) bool {
+	if err == nil {
+		return false
+	}
+	s, ok := status.FromError(err)
+	if !ok {
+		return false
+	}
+	if s.Code() == codes.PermissionDenied {
+		return true
+	}
+	return false
+}
--- a/client/internal/mobile_dependency.go
+++ b/client/internal/mobile_dependency.go
@@ -0,0 +1,13 @@
+package internal
+
+import (
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+	"github.com/netbirdio/netbird/iface"
+)
+
+// MobileDependency collect all dependencies for mobile platform
+type MobileDependency struct {
+	TunAdapter    iface.TunAdapter
+	IFaceDiscover stdnet.ExternalIFaceDiscover
+	Routes        []string
+}
--- a/client/internal/mobile_dependency_android.go
+++ b/client/internal/mobile_dependency_android.go
@@ -0,0 +1,29 @@
+package internal
+
+import (
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+	"github.com/netbirdio/netbird/iface"
+	mgm "github.com/netbirdio/netbird/management/client"
+)
+
+func newMobileDependency(tunAdapter iface.TunAdapter, ifaceDiscover stdnet.ExternalIFaceDiscover, mgmClient *mgm.GrpcClient) (MobileDependency, error) {
+	md := MobileDependency{
+		TunAdapter:    tunAdapter,
+		IFaceDiscover: ifaceDiscover,
+	}
+	err := md.readMap(mgmClient)
+	return md, err
+}
+
+func (d *MobileDependency) readMap(mgmClient *mgm.GrpcClient) error {
+	routes, err := mgmClient.GetRoutes()
+	if err != nil {
+		return err
+	}
+
+	d.Routes = make([]string, len(routes))
+	for i, r := range routes {
+		d.Routes[i] = r.GetNetwork()
+	}
+	return nil
+}
--- a/client/internal/mobile_dependency_nonandroid.go
+++ b/client/internal/mobile_dependency_nonandroid.go
@@ -0,0 +1,13 @@
+//go:build !android
+
+package internal
+
+import (
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+	"github.com/netbirdio/netbird/iface"
+	mgm "github.com/netbirdio/netbird/management/client"
+)
+
+func newMobileDependency(tunAdapter iface.TunAdapter, ifaceDiscover stdnet.ExternalIFaceDiscover, mgmClient *mgm.GrpcClient) (MobileDependency, error) {
+	return MobileDependency{}, nil
+}
--- a/client/internal/oauth.go
+++ b/client/internal/oauth.go
@@ -35,15 +35,6 @@ type DeviceAuthInfo struct {
 	Interval                int    `json:"interval"`
 }

-// TokenInfo holds information of issued access token
-type TokenInfo struct {
-	AccessToken  string `json:"access_token"`
-	RefreshToken string `json:"refresh_token"`
-	IDToken      string `json:"id_token"`
-	TokenType    string `json:"token_type"`
-	ExpiresIn    int    `json:"expires_in"`
-}
-
 // HostedGrantType grant type for device flow on Hosted
 const (
 	HostedGrantType    = "urn:ietf:params:oauth:grant-type:device_code"
@@ -52,16 +43,7 @@ const (

 // Hosted client
 type Hosted struct {
-	// Hosted API Audience for validation
-	Audience string
-	// Hosted Native application client id
-	ClientID string
-	// Hosted Native application request scope
-	Scope string
-	// TokenEndpoint to request access token
-	TokenEndpoint string
-	// DeviceAuthEndpoint to request device authorization code
-	DeviceAuthEndpoint string
+	providerConfig ProviderConfig

 	HTTPClient HTTPClient
 }
@@ -70,7 +52,7 @@ type Hosted struct {
 type RequestDeviceCodePayload struct {
 	Audience string `json:"audience"`
 	ClientID string `json:"client_id"`
-	Scope 	 string `json:"scope"`
+	Scope    string `json:"scope"`
 }

 // TokenRequestPayload used for requesting the auth0 token
@@ -93,8 +75,26 @@ type Claims struct {
 	Audience interface{} `json:"aud"`
 }

+// TokenInfo holds information of issued access token
+type TokenInfo struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	IDToken      string `json:"id_token"`
+	TokenType    string `json:"token_type"`
+	ExpiresIn    int    `json:"expires_in"`
+	UseIDToken   bool   `json:"-"`
+}
+
+// GetTokenToUse returns either the access or id token based on UseIDToken field
+func (t TokenInfo) GetTokenToUse() string {
+	if t.UseIDToken {
+		return t.IDToken
+	}
+	return t.AccessToken
+}
+
 // NewHostedDeviceFlow returns an Hosted OAuth client
-func NewHostedDeviceFlow(audience string, clientID string, tokenEndpoint string, deviceAuthEndpoint string) *Hosted {
+func NewHostedDeviceFlow(config ProviderConfig) *Hosted {
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
 	httpTransport.MaxIdleConns = 5

@@ -104,27 +104,23 @@ func NewHostedDeviceFlow(audience string, clientID string, tokenEndpoint string,
 	}

 	return &Hosted{
-		Audience:           audience,
-		ClientID:           clientID,
-		Scope:              "openid",
-		TokenEndpoint:      tokenEndpoint,
-		HTTPClient:         httpClient,
-		DeviceAuthEndpoint: deviceAuthEndpoint,
+		providerConfig: config,
+		HTTPClient:     httpClient,
 	}
 }

 // GetClientID returns the provider client id
 func (h *Hosted) GetClientID(ctx context.Context) string {
-	return h.ClientID
+	return h.providerConfig.ClientID
 }

 // RequestDeviceCode requests a device code login flow information from Hosted
 func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error) {
 	form := url.Values{}
-	form.Add("client_id", h.ClientID)
-	form.Add("audience", h.Audience)
-	form.Add("scope", h.Scope)
-	req, err := http.NewRequest("POST", h.DeviceAuthEndpoint,
+	form.Add("client_id", h.providerConfig.ClientID)
+	form.Add("audience", h.providerConfig.Audience)
+	form.Add("scope", h.providerConfig.Scope)
+	req, err := http.NewRequest("POST", h.providerConfig.DeviceAuthEndpoint,
 		strings.NewReader(form.Encode()))
 	if err != nil {
 		return DeviceAuthInfo{}, fmt.Errorf("creating request failed with error: %v", err)
@@ -157,10 +153,10 @@ func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error)

 func (h *Hosted) requestToken(info DeviceAuthInfo) (TokenRequestResponse, error) {
 	form := url.Values{}
-	form.Add("client_id", h.ClientID)
+	form.Add("client_id", h.providerConfig.ClientID)
 	form.Add("grant_type", HostedGrantType)
 	form.Add("device_code", info.DeviceCode)
-	req, err := http.NewRequest("POST", h.TokenEndpoint, strings.NewReader(form.Encode()))
+	req, err := http.NewRequest("POST", h.providerConfig.TokenEndpoint, strings.NewReader(form.Encode()))
 	if err != nil {
 		return TokenRequestResponse{}, fmt.Errorf("failed to create request access token: %v", err)
 	}
@@ -225,18 +221,20 @@ func (h *Hosted) WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo,
 				return TokenInfo{}, fmt.Errorf(tokenResponse.ErrorDescription)
 			}

-			err = isValidAccessToken(tokenResponse.AccessToken, h.Audience)
-			if err != nil {
-				return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
-			}
-
 			tokenInfo := TokenInfo{
 				AccessToken:  tokenResponse.AccessToken,
 				TokenType:    tokenResponse.TokenType,
 				RefreshToken: tokenResponse.RefreshToken,
 				IDToken:      tokenResponse.IDToken,
 				ExpiresIn:    tokenResponse.ExpiresIn,
+				UseIDToken:   h.providerConfig.UseIDToken,
 			}
+
+			err = isValidAccessToken(tokenInfo.GetTokenToUse(), h.providerConfig.Audience)
+			if err != nil {
+				return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
+			}
+
 			return tokenInfo, err
 		}
 	}
--- a/client/internal/oauth_test.go
+++ b/client/internal/oauth_test.go
@@ -3,14 +3,15 @@ package internal
 import (
 	"context"
 	"fmt"
-	"github.com/golang-jwt/jwt"
-	"github.com/stretchr/testify/require"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/golang-jwt/jwt"
+	"github.com/stretchr/testify/require"
 )

 type mockHTTPClient struct {
@@ -113,12 +114,15 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 			}

 			hosted := Hosted{
-				Audience:           expectedAudience,
-				ClientID:           expectedClientID,
-				Scope:              expectedScope,
-				TokenEndpoint:      "test.hosted.com/token",
-				DeviceAuthEndpoint: "test.hosted.com/device/auth",
-				HTTPClient:         &httpClient,
+				providerConfig: ProviderConfig{
+					Audience:           expectedAudience,
+					ClientID:           expectedClientID,
+					Scope:              expectedScope,
+					TokenEndpoint:      "test.hosted.com/token",
+					DeviceAuthEndpoint: "test.hosted.com/device/auth",
+					UseIDToken:         false,
+				},
+				HTTPClient: &httpClient,
 			}

 			authInfo, err := hosted.RequestDeviceCode(context.TODO())
@@ -275,12 +279,15 @@ func TestHosted_WaitToken(t *testing.T) {
 			}

 			hosted := Hosted{
-				Audience:           testCase.inputAudience,
-				ClientID:           clientID,
-				TokenEndpoint:      "test.hosted.com/token",
-				DeviceAuthEndpoint: "test.hosted.com/device/auth",
-				HTTPClient:         &httpClient,
-			}
+				providerConfig: ProviderConfig{
+					Audience:           testCase.inputAudience,
+					ClientID:           clientID,
+					TokenEndpoint:      "test.hosted.com/token",
+					DeviceAuthEndpoint: "test.hosted.com/device/auth",
+					Scope:              "openid",
+					UseIDToken:         false,
+				},
+				HTTPClient: &httpClient}

 			ctx, cancel := context.WithTimeout(context.TODO(), testCase.inputTimeout)
 			defer cancel()
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -2,18 +2,21 @@ package peer

 import (
 	"context"
+	"fmt"
 	"net"
 	"strings"
 	"sync"
 	"time"

-	"github.com/netbirdio/netbird/client/internal/proxy"
-	nbStatus "github.com/netbirdio/netbird/client/status"
-	"github.com/netbirdio/netbird/client/system"
-	"github.com/netbirdio/netbird/iface"
 	"github.com/pion/ice/v2"
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/wgctrl"
+
+	"github.com/netbirdio/netbird/client/internal/proxy"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+	"github.com/netbirdio/netbird/iface"
+	signal "github.com/netbirdio/netbird/signal/client"
+	sProto "github.com/netbirdio/netbird/signal/proto"
+	"github.com/netbirdio/netbird/version"
 )

 // ConnConfig is a peer Connection configuration
@@ -42,6 +45,9 @@ type ConnConfig struct {
 	LocalWgPort int

 	NATExternalIPs []string
+
+	// UsesBind indicates whether the WireGuard interface is userspace and uses bind.ICEBind
+	UserspaceBind bool
 }

 // OfferAnswer represents a session establishment offer or answer
@@ -69,8 +75,9 @@ type Conn struct {
 	// signalCandidate is a handler function to signal remote peer about local connection candidate
 	signalCandidate func(candidate ice.Candidate) error
 	// signalOffer is a handler function to signal remote peer our connection offer (credentials)
-	signalOffer  func(OfferAnswer) error
-	signalAnswer func(OfferAnswer) error
+	signalOffer       func(OfferAnswer) error
+	signalAnswer      func(OfferAnswer) error
+	sendSignalMessage func(message *sProto.Message) error

 	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
 	remoteOffersCh chan OfferAnswer
@@ -83,9 +90,25 @@ type Conn struct {
 	agent  *ice.Agent
 	status ConnStatus

-	statusRecorder *nbStatus.Status
+	statusRecorder *Status

-	proxy proxy.Proxy
+	proxy        proxy.Proxy
+	remoteModeCh chan ModeMessage
+	meta         meta
+
+	adapter       iface.TunAdapter
+	iFaceDiscover stdnet.ExternalIFaceDiscover
+}
+
+// meta holds meta information about a connection
+type meta struct {
+	protoSupport signal.FeaturesSupport
+}
+
+// ModeMessage represents a connection mode chosen by the peer
+type ModeMessage struct {
+	// Direct indicates that it decided to use a direct connection
+	Direct bool
 }

 // GetConf returns the connection config
@@ -100,7 +123,7 @@ func (conn *Conn) UpdateConf(conf ConnConfig) {

 // NewConn creates a new not opened Conn to the remote peer.
 // To establish a connection run Conn.Open
-func NewConn(config ConnConfig, statusRecorder *nbStatus.Status) (*Conn, error) {
+func NewConn(config ConnConfig, statusRecorder *Status, adapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) (*Conn, error) {
 	return &Conn{
 		config:         config,
 		mu:             sync.Mutex{},
@@ -109,51 +132,34 @@ func NewConn(config ConnConfig, statusRecorder *nbStatus.Status) (*Conn, error)
 		remoteOffersCh: make(chan OfferAnswer),
 		remoteAnswerCh: make(chan OfferAnswer),
 		statusRecorder: statusRecorder,
+		remoteModeCh:   make(chan ModeMessage, 1),
+		adapter:        adapter,
+		iFaceDiscover:  iFaceDiscover,
 	}, nil
 }

-// interfaceFilter is a function passed to ICE Agent to filter out not allowed interfaces
-// to avoid building tunnel over them
-func interfaceFilter(blackList []string) func(string) bool {
-
-	return func(iFace string) bool {
-		for _, s := range blackList {
-			if strings.HasPrefix(iFace, s) {
-				log.Debugf("ignoring interface %s - it is not allowed", iFace)
-				return false
-			}
-		}
-		// look for unlisted WireGuard interfaces
-		wg, err := wgctrl.New()
-		if err != nil {
-			log.Debugf("trying to create a wgctrl client failed with: %v", err)
-			return true
-		}
-		defer func() {
-			_ = wg.Close()
-		}()
-
-		_, err = wg.Device(iFace)
-		return err != nil
-	}
-}
-
 func (conn *Conn) reCreateAgent() error {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

 	failedTimeout := 6 * time.Second
+
 	var err error
+	transportNet, err := conn.newStdNet()
+	if err != nil {
+		log.Errorf("failed to create pion's stdnet: %s", err)
+	}
 	agentConfig := &ice.AgentConfig{
 		MulticastDNSMode: ice.MulticastDNSModeDisabled,
 		NetworkTypes:     []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
 		Urls:             conn.config.StunTurn,
 		CandidateTypes:   []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
 		FailedTimeout:    &failedTimeout,
-		InterfaceFilter:  interfaceFilter(conn.config.InterfaceBlackList),
+		InterfaceFilter:  stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
 		UDPMux:           conn.config.UDPMux,
 		UDPMuxSrflx:      conn.config.UDPMuxSrflx,
 		NAT1To1IPs:       conn.config.NATExternalIPs,
+		Net:              transportNet,
 	}

 	if conn.config.DisableIPv6Discovery {
@@ -190,11 +196,11 @@ func (conn *Conn) reCreateAgent() error {
 func (conn *Conn) Open() error {
 	log.Debugf("trying to connect to peer %s", conn.config.Key)

-	peerState := nbStatus.PeerState{PubKey: conn.config.Key}
+	peerState := State{PubKey: conn.config.Key}

 	peerState.IP = strings.Split(conn.config.ProxyConfig.AllowedIps, "/")[0]
 	peerState.ConnStatusUpdate = time.Now()
-	peerState.ConnStatus = conn.status.String()
+	peerState.ConnStatus = conn.status

 	err := conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
@@ -250,9 +256,9 @@ func (conn *Conn) Open() error {
 	defer conn.notifyDisconnected()
 	conn.mu.Unlock()

-	peerState = nbStatus.PeerState{PubKey: conn.config.Key}
+	peerState = State{PubKey: conn.config.Key}

-	peerState.ConnStatus = conn.status.String()
+	peerState.ConnStatus = conn.status
 	peerState.ConnStatusUpdate = time.Now()
 	err = conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
@@ -289,7 +295,7 @@ func (conn *Conn) Open() error {
 		return err
 	}

-	if conn.proxy.Type() == proxy.TypeNoProxy {
+	if conn.proxy.Type() == proxy.TypeDirectNoProxy {
 		host, _, _ := net.SplitHostPort(remoteConn.LocalAddr().String())
 		rhost, _, _ := net.SplitHostPort(remoteConn.RemoteAddr().String())
 		// direct Wireguard connection
@@ -310,39 +316,82 @@ func (conn *Conn) Open() error {
 }

 // useProxy determines whether a direct connection (without a go proxy) is possible
-// There are 3 cases: one of the peers has a public IP or both peers are in the same private network
+//
+// There are 3 cases:
+//
+// * When neither candidate is from hard nat and one of the peers has a public IP
+//
+// * both peers are in the same private network
+//
+// * Local peer uses userspace interface with bind.ICEBind and is not relayed
+//
 // Please note, that this check happens when peers were already able to ping each other using ICE layer.
-func shouldUseProxy(pair *ice.CandidatePair) bool {
-	remoteIP := net.ParseIP(pair.Remote.Address())
-	myIp := net.ParseIP(pair.Local.Address())
-	remoteIsPublic := IsPublicIP(remoteIP)
-	myIsPublic := IsPublicIP(myIp)
+func shouldUseProxy(pair *ice.CandidatePair, userspaceBind bool) bool {

-	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
-		return true
-	}
-
-	//one of the hosts has a public IP
-	if remoteIsPublic && pair.Remote.Type() == ice.CandidateTypeHost {
-		return false
-	}
-	if myIsPublic && pair.Local.Type() == ice.CandidateTypeHost {
+	if !isRelayCandidate(pair.Local) && userspaceBind {
+		log.Debugf("shouldn't use proxy because using Bind and the connection is not relayed")
 		return false
 	}

-	if pair.Local.Type() == ice.CandidateTypeHost && pair.Remote.Type() == ice.CandidateTypeHost {
-		if !remoteIsPublic && !myIsPublic {
-			//both hosts are in the same private network
-			return false
-		}
+	if !isHardNATCandidate(pair.Local) && isHostCandidateWithPublicIP(pair.Remote) {
+		log.Debugf("shouldn't use proxy because the local peer is not behind a hard NAT and the remote one has a public IP")
+		return false
+	}
+
+	if !isHardNATCandidate(pair.Remote) && isHostCandidateWithPublicIP(pair.Local) {
+		log.Debugf("shouldn't use proxy because the remote peer is not behind a hard NAT and the local one has a public IP")
+		return false
+	}
+
+	if isHostCandidateWithPrivateIP(pair.Local) && isHostCandidateWithPrivateIP(pair.Remote) && isSameNetworkPrefix(pair) {
+		log.Debugf("shouldn't use proxy because peers are in the same private /16 network")
+		return false
+	}
+
+	if (isPeerReflexiveCandidateWithPrivateIP(pair.Local) && isHostCandidateWithPrivateIP(pair.Remote) ||
+		isHostCandidateWithPrivateIP(pair.Local) && isPeerReflexiveCandidateWithPrivateIP(pair.Remote)) && isSameNetworkPrefix(pair) {
+		log.Debugf("shouldn't use proxy because peers are in the same private /16 network and one peer is peer reflexive")
+		return false
 	}

 	return true
 }

-// IsPublicIP indicates whether IP is public or not.
-func IsPublicIP(ip net.IP) bool {
-	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsPrivate() {
+func isSameNetworkPrefix(pair *ice.CandidatePair) bool {
+
+	localIP := net.ParseIP(pair.Local.Address())
+	remoteIP := net.ParseIP(pair.Remote.Address())
+	if localIP == nil || remoteIP == nil {
+		return false
+	}
+	// only consider /16 networks
+	mask := net.IPMask{255, 255, 0, 0}
+	return localIP.Mask(mask).Equal(remoteIP.Mask(mask))
+}
+
+func isRelayCandidate(candidate ice.Candidate) bool {
+	return candidate.Type() == ice.CandidateTypeRelay
+}
+
+func isHardNATCandidate(candidate ice.Candidate) bool {
+	return candidate.Type() == ice.CandidateTypeRelay || candidate.Type() == ice.CandidateTypePeerReflexive
+}
+
+func isHostCandidateWithPublicIP(candidate ice.Candidate) bool {
+	return candidate.Type() == ice.CandidateTypeHost && isPublicIP(candidate.Address())
+}
+
+func isHostCandidateWithPrivateIP(candidate ice.Candidate) bool {
+	return candidate.Type() == ice.CandidateTypeHost && !isPublicIP(candidate.Address())
+}
+
+func isPeerReflexiveCandidateWithPrivateIP(candidate ice.Candidate) bool {
+	return candidate.Type() == ice.CandidateTypePeerReflexive && !isPublicIP(candidate.Address())
+}
+
+func isPublicIP(address string) bool {
+	ip := net.ParseIP(address)
+	if ip == nil || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsPrivate() {
 		return false
 	}
 	return true
@@ -359,16 +408,8 @@ func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {
 		return err
 	}

-	peerState := nbStatus.PeerState{PubKey: conn.config.Key}
-	useProxy := shouldUseProxy(pair)
-	var p proxy.Proxy
-	if useProxy {
-		p = proxy.NewWireguardProxy(conn.config.ProxyConfig)
-		peerState.Direct = false
-	} else {
-		p = proxy.NewNoProxy(conn.config.ProxyConfig, remoteWgPort)
-		peerState.Direct = true
-	}
+	peerState := State{PubKey: conn.config.Key}
+	p := conn.getProxyWithMessageExchange(pair, remoteWgPort)
 	conn.proxy = p
 	err = p.Start(remoteConn)
 	if err != nil {
@@ -377,13 +418,14 @@ func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {

 	conn.status = StatusConnected

-	peerState.ConnStatus = conn.status.String()
+	peerState.ConnStatus = conn.status
 	peerState.ConnStatusUpdate = time.Now()
 	peerState.LocalIceCandidateType = pair.Local.Type().String()
 	peerState.RemoteIceCandidateType = pair.Remote.Type().String()
 	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
 		peerState.Relayed = true
 	}
+	peerState.Direct = p.Type() == proxy.TypeDirectNoProxy || p.Type() == proxy.TypeNoProxy

 	err = conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
@@ -393,6 +435,65 @@ func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {
 	return nil
 }

+func (conn *Conn) getProxyWithMessageExchange(pair *ice.CandidatePair, remoteWgPort int) proxy.Proxy {
+	useProxy := shouldUseProxy(pair, conn.config.UserspaceBind)
+	localDirectMode := !useProxy
+	remoteDirectMode := localDirectMode
+
+	if conn.meta.protoSupport.DirectCheck {
+		go conn.sendLocalDirectMode(localDirectMode)
+		// will block until message received or timeout
+		remoteDirectMode = conn.receiveRemoteDirectMode()
+	}
+
+	if conn.config.UserspaceBind && localDirectMode {
+		return proxy.NewNoProxy(conn.config.ProxyConfig)
+	}
+
+	if localDirectMode && remoteDirectMode {
+		return proxy.NewDirectNoProxy(conn.config.ProxyConfig, remoteWgPort)
+	}
+
+	log.Debugf("falling back to local proxy mode with peer %s", conn.config.Key)
+	return proxy.NewWireGuardProxy(conn.config.ProxyConfig)
+}
+
+func (conn *Conn) sendLocalDirectMode(localMode bool) {
+	// todo what happens when we couldn't deliver this message?
+	// we could retry, etc but there is no guarantee
+
+	err := conn.sendSignalMessage(&sProto.Message{
+		Key:       conn.config.LocalKey,
+		RemoteKey: conn.config.Key,
+		Body: &sProto.Body{
+			Type: sProto.Body_MODE,
+			Mode: &sProto.Mode{
+				Direct: &localMode,
+			},
+			NetBirdVersion: version.NetbirdVersion(),
+		},
+	})
+	if err != nil {
+		log.Errorf("failed to send local proxy mode to remote peer %s, error: %s", conn.config.Key, err)
+	}
+}
+
+func (conn *Conn) receiveRemoteDirectMode() bool {
+	timeout := time.Second
+	timer := time.NewTimer(timeout)
+	defer timer.Stop()
+
+	select {
+	case receivedMSG := <-conn.remoteModeCh:
+		return receivedMSG.Direct
+	case <-timer.C:
+		// we didn't receive a message from remote so we assume that it supports the direct mode to keep the old behaviour
+		log.Debugf("timeout after %s while waiting for remote direct mode message from remote peer %s",
+			timeout, conn.config.Key)
+		return true
+	}
+}
+
 // cleanup closes all open resources and sets status to StatusDisconnected
 func (conn *Conn) cleanup() error {
 	log.Debugf("trying to cleanup %s", conn.config.Key)
@@ -422,8 +523,8 @@ func (conn *Conn) cleanup() error {

 	conn.status = StatusDisconnected

-	peerState := nbStatus.PeerState{PubKey: conn.config.Key}
-	peerState.ConnStatus = conn.status.String()
+	peerState := State{PubKey: conn.config.Key}
+	peerState.ConnStatus = conn.status
 	peerState.ConnStatusUpdate = time.Now()

 	err := conn.statusRecorder.UpdatePeerState(peerState)
@@ -453,6 +554,11 @@ func (conn *Conn) SetSignalCandidate(handler func(candidate ice.Candidate) error
 	conn.signalCandidate = handler
 }

+// SetSendSignalMessage sets a handler function to be triggered by Conn when there is new message to send via signal
+func (conn *Conn) SetSendSignalMessage(handler func(message *sProto.Message) error) {
+	conn.sendSignalMessage = handler
+}
+
 // onICECandidate is a callback attached to an ICE Agent to receive new local connection candidates
 // and then signals them to the remote peer
 func (conn *Conn) onICECandidate(candidate ice.Candidate) {
@@ -494,7 +600,7 @@ func (conn *Conn) sendAnswer() error {
 	err = conn.signalAnswer(OfferAnswer{
 		IceCredentials: IceCredentials{localUFrag, localPwd},
 		WgListenPort:   conn.config.LocalWgPort,
-		Version:        system.NetbirdVersion(),
+		Version:        version.NetbirdVersion(),
 	})
 	if err != nil {
 		return err
@@ -515,7 +621,7 @@ func (conn *Conn) sendOffer() error {
 	err = conn.signalOffer(OfferAnswer{
 		IceCredentials: IceCredentials{localUFrag, localPwd},
 		WgListenPort:   conn.config.LocalWgPort,
-		Version:        system.NetbirdVersion(),
+		Version:        version.NetbirdVersion(),
 	})
 	if err != nil {
 		return err
@@ -607,3 +713,19 @@ func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate) {
 func (conn *Conn) GetKey() string {
 	return conn.config.Key
 }
+
+// OnModeMessage unmarshall the payload message and send it to the mode message channel
+func (conn *Conn) OnModeMessage(message ModeMessage) error {
+	select {
+	case conn.remoteModeCh <- message:
+		return nil
+	default:
+		return fmt.Errorf("unable to process mode message: channel busy")
+	}
+}
+
+// RegisterProtoSupportMeta register supported proto message in the connection metadata
+func (conn *Conn) RegisterProtoSupportMeta(support []uint32) {
+	protoSupport := signal.ParseFeaturesSupported(support)
+	conn.meta.protoSupport = protoSupport
+}
--- a/client/internal/peer/conn_status.go
+++ b/client/internal/peer/conn_status.go
@@ -0,0 +1,29 @@
+package peer
+
+import log "github.com/sirupsen/logrus"
+
+const (
+	// StatusConnected indicate the peer is in connected state
+	StatusConnected ConnStatus = iota
+	// StatusConnecting indicate the peer is in connecting state
+	StatusConnecting
+	// StatusDisconnected indicate the peer is in disconnected state
+	StatusDisconnected
+)
+
+// ConnStatus describe the status of a peer's connection
+type ConnStatus int
+
+func (s ConnStatus) String() string {
+	switch s {
+	case StatusConnecting:
+		return "Connecting"
+	case StatusConnected:
+		return "Connected"
+	case StatusDisconnected:
+		return "Disconnected"
+	default:
+		log.Errorf("unknown status: %d", s)
+		return "INVALID_PEER_CONNECTION_STATUS"
+	}
+}
--- a/client/internal/peer/conn_status_test.go
+++ b/client/internal/peer/conn_status_test.go
@@ -0,0 +1,27 @@
+package peer
+
+import (
+	"github.com/magiconair/properties/assert"
+	"testing"
+)
+
+func TestConnStatus_String(t *testing.T) {
+
+	tables := []struct {
+		name   string
+		status ConnStatus
+		want   string
+	}{
+		{"StatusConnected", StatusConnected, "Connected"},
+		{"StatusDisconnected", StatusDisconnected, "Disconnected"},
+		{"StatusConnecting", StatusConnecting, "Connecting"},
+	}
+
+	for _, table := range tables {
+		t.Run(table.name, func(t *testing.T) {
+			got := table.status.String()
+			assert.Equal(t, got, table.want, "they should be equal")
+		})
+	}
+
+}
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -1,14 +1,19 @@
 package peer

 import (
-	"github.com/magiconair/properties/assert"
-	"github.com/netbirdio/netbird/client/internal/proxy"
-	nbstatus "github.com/netbirdio/netbird/client/status"
-	"github.com/netbirdio/netbird/iface"
-	"github.com/pion/ice/v2"
 	"sync"
 	"testing"
 	"time"
+
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+
+	"github.com/magiconair/properties/assert"
+	"github.com/pion/ice/v2"
+	"golang.org/x/sync/errgroup"
+
+	"github.com/netbirdio/netbird/client/internal/proxy"
+	"github.com/netbirdio/netbird/iface"
+	sproto "github.com/netbirdio/netbird/signal/proto"
 )

 var connConf = ConnConfig{
@@ -25,7 +30,7 @@ func TestNewConn_interfaceFilter(t *testing.T) {
 	ignore := []string{iface.WgInterfaceDefault, "tun0", "zt", "ZeroTier", "utun", "wg", "ts",
 		"Tailscale", "tailscale"}

-	filter := interfaceFilter(ignore)
+	filter := stdnet.InterfaceFilter(ignore)

 	for _, s := range ignore {
 		assert.Equal(t, filter(s), false)
@@ -34,7 +39,7 @@ func TestNewConn_interfaceFilter(t *testing.T) {
 }

 func TestConn_GetKey(t *testing.T) {
-	conn, err := NewConn(connConf, nil)
+	conn, err := NewConn(connConf, nil, nil, nil)
 	if err != nil {
 		return
 	}
@@ -46,7 +51,7 @@ func TestConn_GetKey(t *testing.T) {

 func TestConn_OnRemoteOffer(t *testing.T) {

-	conn, err := NewConn(connConf, nbstatus.NewRecorder())
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
 	if err != nil {
 		return
 	}
@@ -80,7 +85,7 @@ func TestConn_OnRemoteOffer(t *testing.T) {

 func TestConn_OnRemoteAnswer(t *testing.T) {

-	conn, err := NewConn(connConf, nbstatus.NewRecorder())
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
 	if err != nil {
 		return
 	}
@@ -113,7 +118,7 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 }
 func TestConn_Status(t *testing.T) {

-	conn, err := NewConn(connConf, nbstatus.NewRecorder())
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
 	if err != nil {
 		return
 	}
@@ -140,7 +145,7 @@ func TestConn_Status(t *testing.T) {

 func TestConn_Close(t *testing.T) {

-	conn, err := NewConn(connConf, nbstatus.NewRecorder())
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
 	if err != nil {
 		return
 	}
@@ -165,3 +170,310 @@ func TestConn_Close(t *testing.T) {

 	wg.Wait()
 }
+
+type mockICECandidate struct {
+	ice.Candidate
+	AddressFunc func() string
+	TypeFunc    func() ice.CandidateType
+}
+
+// Address mocks and overwrite ice.Candidate Address method
+func (m *mockICECandidate) Address() string {
+	if m.AddressFunc != nil {
+		return m.AddressFunc()
+	}
+	return ""
+}
+
+// Type mocks and overwrite ice.Candidate Type method
+func (m *mockICECandidate) Type() ice.CandidateType {
+	if m.TypeFunc != nil {
+		return m.TypeFunc()
+	}
+	return ice.CandidateTypeUnspecified
+}
+
+func TestConn_ShouldUseProxy(t *testing.T) {
+	publicHostCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "8.8.8.8"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypeHost
+		},
+	}
+	privateHostCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "10.0.0.1"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypeHost
+		},
+	}
+
+	srflxCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "1.1.1.1"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypeServerReflexive
+		},
+	}
+
+	prflxCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "1.1.1.1"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypePeerReflexive
+		},
+	}
+
+	relayCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "1.1.1.1"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypeRelay
+		},
+	}
+
+	testCases := []struct {
+		name        string
+		candatePair *ice.CandidatePair
+		expected    bool
+	}{
+		{
+			name: "Use Proxy When Local Candidate Is Relay",
+			candatePair: &ice.CandidatePair{
+				Local:  relayCandidate,
+				Remote: privateHostCandidate,
+			},
+			expected: true,
+		},
+		{
+			name: "Use Proxy When Remote Candidate Is Relay",
+			candatePair: &ice.CandidatePair{
+				Local:  privateHostCandidate,
+				Remote: relayCandidate,
+			},
+			expected: true,
+		},
+		{
+			name: "Use Proxy When Local Candidate Is Peer Reflexive",
+			candatePair: &ice.CandidatePair{
+				Local:  prflxCandidate,
+				Remote: privateHostCandidate,
+			},
+			expected: true,
+		},
+		{
+			name: "Use Proxy When Remote Candidate Is Peer Reflexive",
+			candatePair: &ice.CandidatePair{
+				Local:  privateHostCandidate,
+				Remote: prflxCandidate,
+			},
+			expected: true,
+		},
+		{
+			name: "Don't Use Proxy When Local Candidate Is Public And Remote Is Private",
+			candatePair: &ice.CandidatePair{
+				Local:  publicHostCandidate,
+				Remote: privateHostCandidate,
+			},
+			expected: false,
+		},
+		{
+			name: "Don't Use Proxy When Remote Candidate Is Public And Local Is Private",
+			candatePair: &ice.CandidatePair{
+				Local:  privateHostCandidate,
+				Remote: publicHostCandidate,
+			},
+			expected: false,
+		},
+		{
+			name: "Don't Use Proxy When Local Candidate is Public And Remote Is Server Reflexive",
+			candatePair: &ice.CandidatePair{
+				Local:  publicHostCandidate,
+				Remote: srflxCandidate,
+			},
+			expected: false,
+		},
+		{
+			name: "Don't Use Proxy When Remote Candidate is Public And Local Is Server Reflexive",
+			candatePair: &ice.CandidatePair{
+				Local:  srflxCandidate,
+				Remote: publicHostCandidate,
+			},
+			expected: false,
+		},
+		{
+			name: "Don't Use Proxy When Both Candidates Are Public",
+			candatePair: &ice.CandidatePair{
+				Local:  publicHostCandidate,
+				Remote: publicHostCandidate,
+			},
+			expected: false,
+		},
+		{
+			name: "Don't Use Proxy When Both Candidates Are Private",
+			candatePair: &ice.CandidatePair{
+				Local:  privateHostCandidate,
+				Remote: privateHostCandidate,
+			},
+			expected: false,
+		},
+		{
+			name: "Don't Use Proxy When Both Candidates are in private network and one is peer reflexive",
+			candatePair: &ice.CandidatePair{
+				Local: &mockICECandidate{AddressFunc: func() string {
+					return "10.16.102.168"
+				},
+					TypeFunc: func() ice.CandidateType {
+						return ice.CandidateTypeHost
+					}},
+				Remote: &mockICECandidate{AddressFunc: func() string {
+					return "10.16.101.96"
+				},
+					TypeFunc: func() ice.CandidateType {
+						return ice.CandidateTypePeerReflexive
+					}},
+			},
+			expected: false,
+		},
+		{
+			name: "Should Use Proxy When Both Candidates are in private network and both are peer reflexive",
+			candatePair: &ice.CandidatePair{
+				Local: &mockICECandidate{AddressFunc: func() string {
+					return "10.16.102.168"
+				},
+					TypeFunc: func() ice.CandidateType {
+						return ice.CandidateTypePeerReflexive
+					}},
+				Remote: &mockICECandidate{AddressFunc: func() string {
+					return "10.16.101.96"
+				},
+					TypeFunc: func() ice.CandidateType {
+						return ice.CandidateTypePeerReflexive
+					}},
+			},
+			expected: true,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			result := shouldUseProxy(testCase.candatePair, false)
+			if result != testCase.expected {
+				t.Errorf("got a different result. Expected %t Got %t", testCase.expected, result)
+			}
+		})
+	}
+}
+
+func TestGetProxyWithMessageExchange(t *testing.T) {
+	publicHostCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "8.8.8.8"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypeHost
+		},
+	}
+	relayCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "1.1.1.1"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypeRelay
+		},
+	}
+
+	testCases := []struct {
+		name                   string
+		candatePair            *ice.CandidatePair
+		inputDirectModeSupport bool
+		inputRemoteModeMessage bool
+		expected               proxy.Type
+	}{
+		{
+			name: "Should Result In Using Wireguard Proxy When Local Eval Is Use Proxy",
+			candatePair: &ice.CandidatePair{
+				Local:  relayCandidate,
+				Remote: publicHostCandidate,
+			},
+			inputDirectModeSupport: true,
+			inputRemoteModeMessage: true,
+			expected:               proxy.TypeWireGuard,
+		},
+		{
+			name: "Should Result In Using Wireguard Proxy When Remote Eval Is Use Proxy",
+			candatePair: &ice.CandidatePair{
+				Local:  publicHostCandidate,
+				Remote: publicHostCandidate,
+			},
+			inputDirectModeSupport: true,
+			inputRemoteModeMessage: false,
+			expected:               proxy.TypeWireGuard,
+		},
+		{
+			name: "Should Result In Using Wireguard Proxy When Remote Direct Mode Support Is False And Local Eval Is Use Proxy",
+			candatePair: &ice.CandidatePair{
+				Local:  relayCandidate,
+				Remote: publicHostCandidate,
+			},
+			inputDirectModeSupport: false,
+			inputRemoteModeMessage: false,
+			expected:               proxy.TypeWireGuard,
+		},
+		{
+			name: "Should Result In Using Direct When Remote Direct Mode Support Is False And Local Eval Is No Use Proxy",
+			candatePair: &ice.CandidatePair{
+				Local:  publicHostCandidate,
+				Remote: publicHostCandidate,
+			},
+			inputDirectModeSupport: false,
+			inputRemoteModeMessage: false,
+			expected:               proxy.TypeDirectNoProxy,
+		},
+		{
+			name: "Should Result In Using Direct When Local And Remote Eval Is No Proxy",
+			candatePair: &ice.CandidatePair{
+				Local:  publicHostCandidate,
+				Remote: publicHostCandidate,
+			},
+			inputDirectModeSupport: true,
+			inputRemoteModeMessage: true,
+			expected:               proxy.TypeDirectNoProxy,
+		},
+	}
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			g := errgroup.Group{}
+			conn, err := NewConn(connConf, nil, nil, nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+			conn.meta.protoSupport.DirectCheck = testCase.inputDirectModeSupport
+			conn.SetSendSignalMessage(func(message *sproto.Message) error {
+				return nil
+			})
+
+			g.Go(func() error {
+				return conn.OnModeMessage(ModeMessage{
+					Direct: testCase.inputRemoteModeMessage,
+				})
+			})
+
+			resultProxy := conn.getProxyWithMessageExchange(testCase.candatePair, 1000)
+
+			err = g.Wait()
+			if err != nil {
+				t.Error(err)
+			}
+			if resultProxy.Type() != testCase.expected {
+				t.Errorf("result didn't match expected value: Expected: %s, Got: %s", testCase.expected, resultProxy.Type())
+			}
+		})
+	}
+}
--- a/client/internal/peer/listener.go
+++ b/client/internal/peer/listener.go
@@ -0,0 +1,11 @@
+package peer
+
+// Listener is a callback type about the NetBird network connection state
+type Listener interface {
+	OnConnected()
+	OnDisconnected()
+	OnConnecting()
+	OnDisconnecting()
+	OnAddressChanged(string, string)
+	OnPeersListChanged(int)
+}
--- a/client/internal/peer/notifier.go
+++ b/client/internal/peer/notifier.go
@@ -0,0 +1,142 @@
+package peer
+
+import (
+	"sync"
+)
+
+const (
+	stateDisconnected = iota
+	stateConnected
+	stateConnecting
+	stateDisconnecting
+)
+
+type notifier struct {
+	serverStateLock    sync.Mutex
+	listenersLock      sync.Mutex
+	listener           Listener
+	currentClientState bool
+	lastNotification   int
+}
+
+func newNotifier() *notifier {
+	return &notifier{}
+}
+
+func (n *notifier) setListener(listener Listener) {
+	n.listenersLock.Lock()
+	defer n.listenersLock.Unlock()
+
+	n.serverStateLock.Lock()
+	n.notifyListener(listener, n.lastNotification)
+	n.serverStateLock.Unlock()
+
+	n.listener = listener
+}
+
+func (n *notifier) removeListener() {
+	n.listenersLock.Lock()
+	defer n.listenersLock.Unlock()
+	n.listener = nil
+}
+
+func (n *notifier) updateServerStates(mgmState bool, signalState bool) {
+	n.serverStateLock.Lock()
+	defer n.serverStateLock.Unlock()
+
+	calculatedState := n.calculateState(mgmState, signalState)
+
+	if !n.isServerStateChanged(calculatedState) {
+		return
+	}
+
+	n.lastNotification = calculatedState
+
+	n.notify(n.lastNotification)
+}
+
+func (n *notifier) clientStart() {
+	n.serverStateLock.Lock()
+	defer n.serverStateLock.Unlock()
+	n.currentClientState = true
+	n.lastNotification = stateConnected
+	n.notify(n.lastNotification)
+}
+
+func (n *notifier) clientStop() {
+	n.serverStateLock.Lock()
+	defer n.serverStateLock.Unlock()
+	n.currentClientState = false
+	n.lastNotification = stateDisconnected
+	n.notify(n.lastNotification)
+}
+
+func (n *notifier) clientTearDown() {
+	n.serverStateLock.Lock()
+	defer n.serverStateLock.Unlock()
+	n.currentClientState = false
+	n.lastNotification = stateDisconnecting
+	n.notify(n.lastNotification)
+}
+
+func (n *notifier) isServerStateChanged(newState int) bool {
+	return n.lastNotification != newState
+}
+
+func (n *notifier) notify(state int) {
+	n.listenersLock.Lock()
+	defer n.listenersLock.Unlock()
+	if n.listener == nil {
+		return
+	}
+	n.notifyListener(n.listener, state)
+}
+
+func (n *notifier) notifyListener(l Listener, state int) {
+	go func() {
+		switch state {
+		case stateDisconnected:
+			l.OnDisconnected()
+		case stateConnected:
+			l.OnConnected()
+		case stateConnecting:
+			l.OnConnecting()
+		case stateDisconnecting:
+			l.OnDisconnecting()
+		}
+	}()
+}
+
+func (n *notifier) calculateState(managementConn, signalConn bool) int {
+	if managementConn && signalConn {
+		return stateConnected
+	}
+
+	if !managementConn && !signalConn {
+		return stateDisconnected
+	}
+
+	if n.lastNotification == stateDisconnecting {
+		return stateDisconnecting
+	}
+
+	return stateConnecting
+}
+
+func (n *notifier) peerListChanged(numOfPeers int) {
+	n.listenersLock.Lock()
+	defer n.listenersLock.Unlock()
+	if n.listener == nil {
+		return
+	}
+	n.listener.OnPeersListChanged(numOfPeers)
+}
+
+func (n *notifier) localAddressChanged(fqdn, address string) {
+	n.listenersLock.Lock()
+	defer n.listenersLock.Unlock()
+	if n.listener == nil {
+		return
+	}
+	n.listener.OnAddressChanged(fqdn, address)
+}
--- a/client/internal/peer/notifier_test.go
+++ b/client/internal/peer/notifier_test.go
@@ -0,0 +1,97 @@
+package peer
+
+import (
+	"sync"
+	"testing"
+)
+
+type mocListener struct {
+	lastState int
+	wg        sync.WaitGroup
+	peers     int
+}
+
+func (l *mocListener) OnConnected() {
+	l.lastState = stateConnected
+	l.wg.Done()
+}
+func (l *mocListener) OnDisconnected() {
+	l.lastState = stateDisconnected
+	l.wg.Done()
+}
+func (l *mocListener) OnConnecting() {
+	l.lastState = stateConnecting
+	l.wg.Done()
+}
+func (l *mocListener) OnDisconnecting() {
+	l.lastState = stateDisconnecting
+	l.wg.Done()
+}
+
+func (l *mocListener) OnAddressChanged(host, addr string) {
+
+}
+func (l *mocListener) OnPeersListChanged(size int) {
+	l.peers = size
+}
+
+func (l *mocListener) setWaiter() {
+	l.wg.Add(1)
+}
+
+func (l *mocListener) wait() {
+	l.wg.Wait()
+}
+
+func Test_notifier_serverState(t *testing.T) {
+
+	type scenario struct {
+		name        string
+		expected    int
+		mgmState    bool
+		signalState bool
+	}
+	scenarios := []scenario{
+		{"connected", stateConnected, true, true},
+		{"mgm down", stateConnecting, false, true},
+		{"signal down", stateConnecting, true, false},
+		{"disconnected", stateDisconnected, false, false},
+	}
+
+	for _, tt := range scenarios {
+		t.Run(tt.name, func(t *testing.T) {
+			n := newNotifier()
+			n.updateServerStates(tt.mgmState, tt.signalState)
+			if n.lastNotification != tt.expected {
+				t.Errorf("invalid serverstate: %d, expected: %d", n.lastNotification, tt.expected)
+			}
+		})
+	}
+}
+
+func Test_notifier_SetListener(t *testing.T) {
+	listener := &mocListener{}
+	listener.setWaiter()
+
+	n := newNotifier()
+	n.lastNotification = stateConnecting
+	n.setListener(listener)
+	listener.wait()
+	if listener.lastState != n.lastNotification {
+		t.Errorf("invalid state: %d, expected: %d", listener.lastState, n.lastNotification)
+	}
+}
+
+func Test_notifier_RemoveListener(t *testing.T) {
+	listener := &mocListener{}
+	listener.setWaiter()
+	n := newNotifier()
+	n.lastNotification = stateConnecting
+	n.setListener(listener)
+	n.removeListener()
+	n.peerListChanged(1)
+
+	if listener.peers != 0 {
+		t.Errorf("invalid state: %d", listener.peers)
+	}
+}
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -1,25 +1,316 @@
 package peer

-import log "github.com/sirupsen/logrus"
+import (
+	"errors"
+	"sync"
+	"time"
+)

-type ConnStatus int
+// State contains the latest state of a peer
+type State struct {
+	IP                     string
+	PubKey                 string
+	FQDN                   string
+	ConnStatus             ConnStatus
+	ConnStatusUpdate       time.Time
+	Relayed                bool
+	Direct                 bool
+	LocalIceCandidateType  string
+	RemoteIceCandidateType string
+}

-func (s ConnStatus) String() string {
-	switch s {
-	case StatusConnecting:
-		return "Connecting"
-	case StatusConnected:
-		return "Connected"
-	case StatusDisconnected:
-		return "Disconnected"
-	default:
-		log.Errorf("unknown status: %d", s)
-		return "INVALID_PEER_CONNECTION_STATUS"
+// LocalPeerState contains the latest state of the local peer
+type LocalPeerState struct {
+	IP              string
+	PubKey          string
+	KernelInterface bool
+	FQDN            string
+}
+
+// SignalState contains the latest state of a signal connection
+type SignalState struct {
+	URL       string
+	Connected bool
+}
+
+// ManagementState contains the latest state of a management connection
+type ManagementState struct {
+	URL       string
+	Connected bool
+}
+
+// FullStatus contains the full state held by the Status instance
+type FullStatus struct {
+	Peers           []State
+	ManagementState ManagementState
+	SignalState     SignalState
+	LocalPeerState  LocalPeerState
+}
+
+// Status holds a state of peers, signal and management connections
+type Status struct {
+	mux             sync.Mutex
+	peers           map[string]State
+	changeNotify    map[string]chan struct{}
+	signalState     bool
+	managementState bool
+	localPeer       LocalPeerState
+	offlinePeers    []State
+	mgmAddress      string
+	signalAddress   string
+	notifier        *notifier
+}
+
+// NewRecorder returns a new Status instance
+func NewRecorder(mgmAddress string) *Status {
+	return &Status{
+		peers:        make(map[string]State),
+		changeNotify: make(map[string]chan struct{}),
+		offlinePeers: make([]State, 0),
+		notifier:     newNotifier(),
+		mgmAddress:   mgmAddress,
 	}
 }

-const (
-	StatusConnected ConnStatus = iota
-	StatusConnecting
-	StatusDisconnected
-)
+// ReplaceOfflinePeers replaces
+func (d *Status) ReplaceOfflinePeers(replacement []State) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.offlinePeers = make([]State, len(replacement))
+	copy(d.offlinePeers, replacement)
+}
+
+// AddPeer adds peer to Daemon status map
+func (d *Status) AddPeer(peerPubKey string) error {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	_, ok := d.peers[peerPubKey]
+	if ok {
+		return errors.New("peer already exist")
+	}
+	d.peers[peerPubKey] = State{PubKey: peerPubKey, ConnStatus: StatusDisconnected}
+	return nil
+}
+
+// GetPeer adds peer to Daemon status map
+func (d *Status) GetPeer(peerPubKey string) (State, error) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	state, ok := d.peers[peerPubKey]
+	if !ok {
+		return State{}, errors.New("peer not found")
+	}
+	return state, nil
+}
+
+// RemovePeer removes peer from Daemon status map
+func (d *Status) RemovePeer(peerPubKey string) error {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	_, ok := d.peers[peerPubKey]
+	if ok {
+		delete(d.peers, peerPubKey)
+		return nil
+	}
+
+	d.notifyPeerListChanged()
+	return errors.New("no peer with to remove")
+}
+
+// UpdatePeerState updates peer status
+func (d *Status) UpdatePeerState(receivedState State) error {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	peerState, ok := d.peers[receivedState.PubKey]
+	if !ok {
+		return errors.New("peer doesn't exist")
+	}
+
+	if receivedState.IP != "" {
+		peerState.IP = receivedState.IP
+	}
+
+	if receivedState.ConnStatus != peerState.ConnStatus {
+		peerState.ConnStatus = receivedState.ConnStatus
+		peerState.ConnStatusUpdate = receivedState.ConnStatusUpdate
+		peerState.Direct = receivedState.Direct
+		peerState.Relayed = receivedState.Relayed
+		peerState.LocalIceCandidateType = receivedState.LocalIceCandidateType
+		peerState.RemoteIceCandidateType = receivedState.RemoteIceCandidateType
+	}
+
+	d.peers[receivedState.PubKey] = peerState
+
+	ch, found := d.changeNotify[receivedState.PubKey]
+	if found && ch != nil {
+		close(ch)
+		d.changeNotify[receivedState.PubKey] = nil
+	}
+
+	d.notifyPeerListChanged()
+	return nil
+}
+
+// UpdatePeerFQDN update peer's state fqdn only
+func (d *Status) UpdatePeerFQDN(peerPubKey, fqdn string) error {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	peerState, ok := d.peers[peerPubKey]
+	if !ok {
+		return errors.New("peer doesn't exist")
+	}
+
+	peerState.FQDN = fqdn
+	d.peers[peerPubKey] = peerState
+
+	d.notifyPeerListChanged()
+	return nil
+}
+
+// GetPeerStateChangeNotifier returns a change notifier channel for a peer
+func (d *Status) GetPeerStateChangeNotifier(peer string) <-chan struct{} {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	ch, found := d.changeNotify[peer]
+	if !found || ch == nil {
+		ch = make(chan struct{})
+		d.changeNotify[peer] = ch
+	}
+	return ch
+}
+
+// UpdateLocalPeerState updates local peer status
+func (d *Status) UpdateLocalPeerState(localPeerState LocalPeerState) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	d.localPeer = localPeerState
+	d.notifyAddressChanged()
+}
+
+// CleanLocalPeerState cleans local peer status
+func (d *Status) CleanLocalPeerState() {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	d.localPeer = LocalPeerState{}
+	d.notifyAddressChanged()
+}
+
+// MarkManagementDisconnected sets ManagementState to disconnected
+func (d *Status) MarkManagementDisconnected() {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	defer d.onConnectionChanged()
+
+	d.managementState = false
+}
+
+// MarkManagementConnected sets ManagementState to connected
+func (d *Status) MarkManagementConnected() {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	defer d.onConnectionChanged()
+
+	d.managementState = true
+}
+
+// UpdateSignalAddress update the address of the signal server
+func (d *Status) UpdateSignalAddress(signalURL string) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.signalAddress = signalURL
+}
+
+// UpdateManagementAddress update the address of the management server
+func (d *Status) UpdateManagementAddress(mgmAddress string) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.mgmAddress = mgmAddress
+}
+
+// MarkSignalDisconnected sets SignalState to disconnected
+func (d *Status) MarkSignalDisconnected() {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	defer d.onConnectionChanged()
+
+	d.signalState = false
+}
+
+// MarkSignalConnected sets SignalState to connected
+func (d *Status) MarkSignalConnected() {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	defer d.onConnectionChanged()
+
+	d.signalState = true
+}
+
+// GetFullStatus gets full status
+func (d *Status) GetFullStatus() FullStatus {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	fullStatus := FullStatus{
+		ManagementState: ManagementState{
+			d.mgmAddress,
+			d.managementState,
+		},
+		SignalState: SignalState{
+			d.signalAddress,
+			d.signalState,
+		},
+		LocalPeerState: d.localPeer,
+	}
+
+	for _, status := range d.peers {
+		fullStatus.Peers = append(fullStatus.Peers, status)
+	}
+
+	fullStatus.Peers = append(fullStatus.Peers, d.offlinePeers...)
+
+	return fullStatus
+}
+
+// ClientStart will notify all listeners about the new service state
+func (d *Status) ClientStart() {
+	d.notifier.clientStart()
+}
+
+// ClientStop will notify all listeners about the new service state
+func (d *Status) ClientStop() {
+	d.notifier.clientStop()
+}
+
+// ClientTeardown will notify all listeners about the service is under teardown
+func (d *Status) ClientTeardown() {
+	d.notifier.clientTearDown()
+}
+
+// SetConnectionListener set a listener to the notifier
+func (d *Status) SetConnectionListener(listener Listener) {
+	d.notifier.setListener(listener)
+}
+
+// RemoveConnectionListener remove the listener from the notifier
+func (d *Status) RemoveConnectionListener() {
+	d.notifier.removeListener()
+}
+
+func (d *Status) onConnectionChanged() {
+	d.notifier.updateServerStates(d.managementState, d.signalState)
+}
+
+func (d *Status) notifyPeerListChanged() {
+	d.notifier.peerListChanged(len(d.peers))
+}
+
+func (d *Status) notifyAddressChanged() {
+	d.notifier.localAddressChanged(d.localPeer.FQDN, d.localPeer.IP)
+}
--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -1,27 +1,233 @@
 package peer

 import (
-	"github.com/magiconair/properties/assert"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )

-func TestConnStatus_String(t *testing.T) {
+func TestAddPeer(t *testing.T) {
+	key := "abc"
+	status := NewRecorder("https://mgm")
+	err := status.AddPeer(key)
+	assert.NoError(t, err, "shouldn't return error")

-	tables := []struct {
-		name   string
-		status ConnStatus
-		want   string
-	}{
-		{"StatusConnected", StatusConnected, "Connected"},
-		{"StatusDisconnected", StatusDisconnected, "Disconnected"},
-		{"StatusConnecting", StatusConnecting, "Connecting"},
+	_, exists := status.peers[key]
+	assert.True(t, exists, "value was found")
+
+	err = status.AddPeer(key)
+
+	assert.Error(t, err, "should return error on duplicate")
+}
+
+func TestGetPeer(t *testing.T) {
+	key := "abc"
+	status := NewRecorder("https://mgm")
+	err := status.AddPeer(key)
+	assert.NoError(t, err, "shouldn't return error")
+
+	peerStatus, err := status.GetPeer(key)
+	assert.NoError(t, err, "shouldn't return error on getting peer")
+
+	assert.Equal(t, key, peerStatus.PubKey, "retrieved public key should match")
+
+	_, err = status.GetPeer("non_existing_key")
+	assert.Error(t, err, "should return error when peer doesn't exist")
+}
+
+func TestUpdatePeerState(t *testing.T) {
+	key := "abc"
+	ip := "10.10.10.10"
+	status := NewRecorder("https://mgm")
+	peerState := State{
+		PubKey: key,
 	}

-	for _, table := range tables {
-		t.Run(table.name, func(t *testing.T) {
-			got := table.status.String()
-			assert.Equal(t, got, table.want, "they should be equal")
+	status.peers[key] = peerState
+
+	peerState.IP = ip
+
+	err := status.UpdatePeerState(peerState)
+	assert.NoError(t, err, "shouldn't return error")
+
+	state, exists := status.peers[key]
+	assert.True(t, exists, "state should be found")
+	assert.Equal(t, ip, state.IP, "ip should be equal")
+}
+
+func TestStatus_UpdatePeerFQDN(t *testing.T) {
+	key := "abc"
+	fqdn := "peer-a.netbird.local"
+	status := NewRecorder("https://mgm")
+	peerState := State{
+		PubKey: key,
+	}
+
+	status.peers[key] = peerState
+
+	err := status.UpdatePeerFQDN(key, fqdn)
+	assert.NoError(t, err, "shouldn't return error")
+
+	state, exists := status.peers[key]
+	assert.True(t, exists, "state should be found")
+	assert.Equal(t, fqdn, state.FQDN, "fqdn should be equal")
+}
+
+func TestGetPeerStateChangeNotifierLogic(t *testing.T) {
+	key := "abc"
+	ip := "10.10.10.10"
+	status := NewRecorder("https://mgm")
+	peerState := State{
+		PubKey: key,
+	}
+
+	status.peers[key] = peerState
+
+	ch := status.GetPeerStateChangeNotifier(key)
+	assert.NotNil(t, ch, "channel shouldn't be nil")
+
+	peerState.IP = ip
+
+	err := status.UpdatePeerState(peerState)
+	assert.NoError(t, err, "shouldn't return error")
+
+	select {
+	case <-ch:
+	default:
+		t.Errorf("channel wasn't closed after update")
+	}
+}
+
+func TestRemovePeer(t *testing.T) {
+	key := "abc"
+	status := NewRecorder("https://mgm")
+	peerState := State{
+		PubKey: key,
+	}
+
+	status.peers[key] = peerState
+
+	err := status.RemovePeer(key)
+	assert.NoError(t, err, "shouldn't return error")
+
+	_, exists := status.peers[key]
+	assert.False(t, exists, "state value shouldn't be found")
+
+	err = status.RemovePeer("not existing")
+	assert.Error(t, err, "should return error when peer doesn't exist")
+}
+
+func TestUpdateLocalPeerState(t *testing.T) {
+	localPeerState := LocalPeerState{
+		IP:              "10.10.10.10",
+		PubKey:          "abc",
+		KernelInterface: false,
+	}
+	status := NewRecorder("https://mgm")
+
+	status.UpdateLocalPeerState(localPeerState)
+
+	assert.Equal(t, localPeerState, status.localPeer, "local peer status should be equal")
+}
+
+func TestCleanLocalPeerState(t *testing.T) {
+	emptyLocalPeerState := LocalPeerState{}
+	localPeerState := LocalPeerState{
+		IP:              "10.10.10.10",
+		PubKey:          "abc",
+		KernelInterface: false,
+	}
+	status := NewRecorder("https://mgm")
+
+	status.localPeer = localPeerState
+
+	status.CleanLocalPeerState()
+
+	assert.Equal(t, emptyLocalPeerState, status.localPeer, "local peer status should be empty")
+}
+
+func TestUpdateSignalState(t *testing.T) {
+	url := "https://signal"
+	var tests = []struct {
+		name      string
+		connected bool
+		want      bool
+	}{
+		{"should mark as connected", true, true},
+		{"should mark as disconnected", false, false},
+	}
+
+	status := NewRecorder("https://mgm")
+	status.UpdateSignalAddress(url)
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if test.connected {
+				status.MarkSignalConnected()
+			} else {
+				status.MarkSignalDisconnected()
+			}
+			assert.Equal(t, test.want, status.signalState, "signal status should be equal")
 		})
 	}
-
+}
+
+func TestUpdateManagementState(t *testing.T) {
+	url := "https://management"
+	var tests = []struct {
+		name      string
+		connected bool
+		want      bool
+	}{
+		{"should mark as connected", true, true},
+		{"should mark as disconnected", false, false},
+	}
+
+	status := NewRecorder(url)
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if test.connected {
+				status.MarkManagementConnected()
+			} else {
+				status.MarkManagementDisconnected()
+			}
+			assert.Equal(t, test.want, status.managementState, "signalState status should be equal")
+		})
+	}
+}
+
+func TestGetFullStatus(t *testing.T) {
+	key1 := "abc"
+	key2 := "def"
+	signalAddr := "https://signal"
+	managementState := ManagementState{
+		URL:       "https://mgm",
+		Connected: true,
+	}
+	signalState := SignalState{
+		URL:       signalAddr,
+		Connected: true,
+	}
+	peerState1 := State{
+		PubKey: key1,
+	}
+
+	peerState2 := State{
+		PubKey: key2,
+	}
+
+	status := NewRecorder("https://mgm")
+	status.UpdateSignalAddress(signalAddr)
+
+	status.managementState = managementState.Connected
+	status.signalState = signalState.Connected
+	status.peers[key1] = peerState1
+	status.peers[key2] = peerState2
+
+	fullStatus := status.GetFullStatus()
+
+	assert.Equal(t, managementState, fullStatus.ManagementState, "management status should be equal")
+	assert.Equal(t, signalState, fullStatus.SignalState, "signal status should be equal")
+	assert.ElementsMatch(t, []State{peerState1, peerState2}, fullStatus.Peers, "peers states should match")
 }
--- a/client/internal/peer/stdnet.go
+++ b/client/internal/peer/stdnet.go
@@ -0,0 +1,11 @@
+//go:build !android
+
+package peer
+
+import (
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+)
+
+func (conn *Conn) newStdNet() (*stdnet.Net, error) {
+	return stdnet.NewNet(conn.config.InterfaceBlackList)
+}
--- a/client/internal/peer/stdnet_android.go
+++ b/client/internal/peer/stdnet_android.go
@@ -0,0 +1,7 @@
+package peer
+
+import "github.com/netbirdio/netbird/client/internal/stdnet"
+
+func (conn *Conn) newStdNet() (*stdnet.Net, error) {
+	return stdnet.NewNetWithDiscover(conn.iFaceDiscover, conn.config.InterfaceBlackList)
+}
--- a/client/internal/proxy/direct.go
+++ b/client/internal/proxy/direct.go
@@ -0,0 +1,57 @@
+package proxy
+
+import (
+	log "github.com/sirupsen/logrus"
+	"net"
+)
+
+// DirectNoProxy is used when there is no need for a proxy between ICE and WireGuard.
+// This is possible in either of these cases:
+// - peers are in the same local network
+// - one of the peers has a public static IP (host)
+// DirectNoProxy will just update remote peer with a remote host and fixed WireGuard port (r.g. 51820).
+// In order DirectNoProxy to work, WireGuard port has to be fixed for the time being.
+type DirectNoProxy struct {
+	config Config
+	// RemoteWgListenPort is a WireGuard port of a remote peer.
+	// It is used instead of the hardcoded 51820 port.
+	RemoteWgListenPort int
+}
+
+// NewDirectNoProxy creates a new DirectNoProxy with a provided config and remote peer's WireGuard listen port
+func NewDirectNoProxy(config Config, remoteWgPort int) *DirectNoProxy {
+	return &DirectNoProxy{config: config, RemoteWgListenPort: remoteWgPort}
+}
+
+// Close removes peer from the WireGuard interface
+func (p *DirectNoProxy) Close() error {
+	err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// Start just updates WireGuard peer with the remote IP and default WireGuard port
+func (p *DirectNoProxy) Start(remoteConn net.Conn) error {
+
+	log.Debugf("using DirectNoProxy while connecting to peer %s", p.config.RemoteKey)
+	addr, err := net.ResolveUDPAddr("udp", remoteConn.RemoteAddr().String())
+	if err != nil {
+		return err
+	}
+	addr.Port = p.RemoteWgListenPort
+	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
+		addr, p.config.PreSharedKey)
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Type returns the type of this proxy
+func (p *DirectNoProxy) Type() Type {
+	return TypeDirectNoProxy
+}
--- a/client/internal/proxy/noproxy.go
+++ b/client/internal/proxy/noproxy.go
@@ -5,24 +5,18 @@ import (
 	"net"
 )

-// NoProxy is used when there is no need for a proxy between ICE and Wireguard.
-// This is possible in either of these cases:
-// - peers are in the same local network
-// - one of the peers has a public static IP (host)
-// NoProxy will just update remote peer with a remote host and fixed Wireguard port (r.g. 51820).
-// In order NoProxy to work, Wireguard port has to be fixed for the time being.
+// NoProxy is used just to configure WireGuard without any local proxy in between.
+// Used when the WireGuard interface is userspace and uses bind.ICEBind
 type NoProxy struct {
 	config Config
-	// RemoteWgListenPort is a WireGuard port of a remote peer.
-	// It is used instead of the hardcoded 51820 port.
-	RemoteWgListenPort int
 }

-// NewNoProxy creates a new NoProxy with a provided config and remote peer's WireGuard listen port
-func NewNoProxy(config Config, remoteWgPort int) *NoProxy {
-	return &NoProxy{config: config, RemoteWgListenPort: remoteWgPort}
+// NewNoProxy creates a new NoProxy with a provided config
+func NewNoProxy(config Config) *NoProxy {
+	return &NoProxy{config: config}
 }

+// Close removes peer from the WireGuard interface
 func (p *NoProxy) Close() error {
 	err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
 	if err != nil {
@@ -31,23 +25,16 @@ func (p *NoProxy) Close() error {
 	return nil
 }

-// Start just updates Wireguard peer with the remote IP and default Wireguard port
+// Start just updates WireGuard peer with the remote address
 func (p *NoProxy) Start(remoteConn net.Conn) error {

-	log.Debugf("using NoProxy while connecting to peer %s", p.config.RemoteKey)
+	log.Debugf("using NoProxy to connect to peer %s at %s", p.config.RemoteKey, remoteConn.RemoteAddr().String())
 	addr, err := net.ResolveUDPAddr("udp", remoteConn.RemoteAddr().String())
 	if err != nil {
 		return err
 	}
-	addr.Port = p.RemoteWgListenPort
-	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
+	return p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
 		addr, p.config.PreSharedKey)
-
-	if err != nil {
-		return err
-	}
-
-	return nil
 }

 func (p *NoProxy) Type() Type {
--- a/client/internal/proxy/proxy.go
+++ b/client/internal/proxy/proxy.go
@@ -13,9 +13,10 @@ const DefaultWgKeepAlive = 25 * time.Second
 type Type string

 const (
-	TypeNoProxy   Type = "NoProxy"
-	TypeWireguard Type = "Wireguard"
-	TypeDummy     Type = "Dummy"
+	TypeDirectNoProxy Type = "DirectNoProxy"
+	TypeWireGuard     Type = "WireGuard"
+	TypeDummy         Type = "Dummy"
+	TypeNoProxy       Type = "NoProxy"
 )

 type Config struct {
--- a/client/internal/proxy/wireguard.go
+++ b/client/internal/proxy/wireguard.go
@@ -6,8 +6,8 @@ import (
 	"net"
 )

-// WireguardProxy proxies
-type WireguardProxy struct {
+// WireGuardProxy proxies
+type WireGuardProxy struct {
 	ctx    context.Context
 	cancel context.CancelFunc

@@ -17,13 +17,13 @@ type WireguardProxy struct {
 	localConn  net.Conn
 }

-func NewWireguardProxy(config Config) *WireguardProxy {
-	p := &WireguardProxy{config: config}
+func NewWireGuardProxy(config Config) *WireGuardProxy {
+	p := &WireGuardProxy{config: config}
 	p.ctx, p.cancel = context.WithCancel(context.Background())
 	return p
 }

-func (p *WireguardProxy) updateEndpoint() error {
+func (p *WireGuardProxy) updateEndpoint() error {
 	udpAddr, err := net.ResolveUDPAddr(p.localConn.LocalAddr().Network(), p.localConn.LocalAddr().String())
 	if err != nil {
 		return err
@@ -38,7 +38,7 @@ func (p *WireguardProxy) updateEndpoint() error {
 	return nil
 }

-func (p *WireguardProxy) Start(remoteConn net.Conn) error {
+func (p *WireGuardProxy) Start(remoteConn net.Conn) error {
 	p.remoteConn = remoteConn

 	var err error
@@ -60,7 +60,7 @@ func (p *WireguardProxy) Start(remoteConn net.Conn) error {
 	return nil
 }

-func (p *WireguardProxy) Close() error {
+func (p *WireGuardProxy) Close() error {
 	p.cancel()
 	if c := p.localConn; c != nil {
 		err := p.localConn.Close()
@@ -77,7 +77,7 @@ func (p *WireguardProxy) Close() error {

 // proxyToRemote proxies everything from Wireguard to the RemoteKey peer
 // blocks
-func (p *WireguardProxy) proxyToRemote() {
+func (p *WireGuardProxy) proxyToRemote() {

 	buf := make([]byte, 1500)
 	for {
@@ -101,7 +101,7 @@ func (p *WireguardProxy) proxyToRemote() {

 // proxyToLocal proxies everything from the RemoteKey peer to local Wireguard
 // blocks
-func (p *WireguardProxy) proxyToLocal() {
+func (p *WireGuardProxy) proxyToLocal() {

 	buf := make([]byte, 1500)
 	for {
@@ -123,6 +123,6 @@ func (p *WireguardProxy) proxyToLocal() {
 	}
 }

-func (p *WireguardProxy) Type() Type {
-	return TypeWireguard
+func (p *WireGuardProxy) Type() Type {
+	return TypeWireGuard
 }
--- a/client/internal/routemanager/client.go
+++ b/client/internal/routemanager/client.go
@@ -5,11 +5,11 @@ import (
 	"fmt"
 	"net/netip"

+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
-	log "github.com/sirupsen/logrus"
 )

 type routerPeerStatus struct {
@@ -26,7 +26,7 @@ type routesUpdate struct {
 type clientNetwork struct {
 	ctx                 context.Context
 	stop                context.CancelFunc
-	statusRecorder      *status.Status
+	statusRecorder      *peer.Status
 	wgInterface         *iface.WGIface
 	routes              map[string]*route.Route
 	routeUpdate         chan routesUpdate
@@ -37,7 +37,7 @@ type clientNetwork struct {
 	updateSerial        uint64
 }

-func newClientNetworkWatcher(ctx context.Context, wgInterface *iface.WGIface, statusRecorder *status.Status, network netip.Prefix) *clientNetwork {
+func newClientNetworkWatcher(ctx context.Context, wgInterface *iface.WGIface, statusRecorder *peer.Status, network netip.Prefix) *clientNetwork {
 	ctx, cancel := context.WithCancel(ctx)
 	client := &clientNetwork{
 		ctx:                 ctx,
@@ -62,7 +62,7 @@ func (c *clientNetwork) getRouterPeerStatuses() map[string]routerPeerStatus {
 			continue
 		}
 		routePeerStatuses[r.ID] = routerPeerStatus{
-			connected: peerStatus.ConnStatus == peer.StatusConnected.String(),
+			connected: peerStatus.ConnStatus == peer.StatusConnected,
 			relayed:   peerStatus.Relayed,
 			direct:    peerStatus.Direct,
 		}
@@ -123,7 +123,7 @@ func (c *clientNetwork) watchPeerStatusChanges(ctx context.Context, peerKey stri
 			return
 		case <-c.statusRecorder.GetPeerStateChangeNotifier(peerKey):
 			state, err := c.statusRecorder.GetPeer(peerKey)
-			if err != nil || state.ConnStatus == peer.StatusConnecting.String() {
+			if err != nil || state.ConnStatus == peer.StatusConnecting {
 				continue
 			}
 			peerStateUpdate <- struct{}{}
@@ -144,7 +144,7 @@ func (c *clientNetwork) startPeersStatusChangeWatcher() {

 func (c *clientNetwork) removeRouteFromWireguardPeer(peerKey string) error {
 	state, err := c.statusRecorder.GetPeer(peerKey)
-	if err != nil || state.ConnStatus != peer.StatusConnected.String() {
+	if err != nil || state.ConnStatus != peer.StatusConnected {
 		return nil
 	}

--- a/client/internal/routemanager/firewall_linux.go
+++ b/client/internal/routemanager/firewall_linux.go
@@ -1,12 +1,15 @@
+//go:build !android
+
 package routemanager

 import (
 	"context"
 	"fmt"
+
 	"github.com/coreos/go-iptables/iptables"
+	"github.com/google/nftables"
 	log "github.com/sirupsen/logrus"
 )
-import "github.com/google/nftables"

 const (
 	ipv6Forwarding     = "netbird-rt-ipv6-forwarding"
--- a/client/internal/routemanager/iptables_linux.go
+++ b/client/internal/routemanager/iptables_linux.go
@@ -1,14 +1,17 @@
+//go:build !android
+
 package routemanager

 import (
 	"context"
 	"fmt"
-	"github.com/coreos/go-iptables/iptables"
-	log "github.com/sirupsen/logrus"
 	"net/netip"
 	"os/exec"
 	"strings"
 	"sync"
+
+	"github.com/coreos/go-iptables/iptables"
+	log "github.com/sirupsen/logrus"
 )

 func isIptablesSupported() bool {
--- a/client/internal/routemanager/iptables_linux_test.go
+++ b/client/internal/routemanager/iptables_linux_test.go
@@ -1,10 +1,13 @@
+//go:build !android
+
 package routemanager

 import (
 	"context"
+	"testing"
+
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/stretchr/testify/require"
-	"testing"
 )

 func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -2,15 +2,15 @@ package routemanager

 import (
 	"context"
-	"fmt"
 	"runtime"
 	"sync"

-	"github.com/netbirdio/netbird/client/status"
-	"github.com/netbirdio/netbird/client/system"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
-	log "github.com/sirupsen/logrus"
+	"github.com/netbirdio/netbird/version"
 )

 // Manager is a route manager interface
@@ -25,26 +25,20 @@ type DefaultManager struct {
 	stop           context.CancelFunc
 	mux            sync.Mutex
 	clientNetworks map[string]*clientNetwork
-	serverRoutes   map[string]*route.Route
 	serverRouter   *serverRouter
-	statusRecorder *status.Status
+	statusRecorder *peer.Status
 	wgInterface    *iface.WGIface
 	pubKey         string
 }

 // NewManager returns a new route manager
-func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface, statusRecorder *status.Status) *DefaultManager {
+func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface, statusRecorder *peer.Status) *DefaultManager {
 	mCTX, cancel := context.WithCancel(ctx)
 	return &DefaultManager{
 		ctx:            mCTX,
 		stop:           cancel,
 		clientNetworks: make(map[string]*clientNetwork),
-		serverRoutes:   make(map[string]*route.Route),
-		serverRouter: &serverRouter{
-			routes:                   make(map[string]*route.Route),
-			netForwardHistoryEnabled: isNetForwardHistoryEnabled(),
-			firewall:                 NewFirewall(ctx),
-		},
+		serverRouter:   newServerRouter(ctx, wgInterface),
 		statusRecorder: statusRecorder,
 		wgInterface:    wgInterface,
 		pubKey:         pubKey,
@@ -54,86 +48,7 @@ func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface,
 // Stop stops the manager watchers and clean firewall rules
 func (m *DefaultManager) Stop() {
 	m.stop()
-	m.serverRouter.firewall.CleanRoutingRules()
-}
-
-func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks map[string][]*route.Route) {
-	// removing routes that do not exist as per the update from the Management service.
-	for id, client := range m.clientNetworks {
-		_, found := networks[id]
-		if !found {
-			log.Debugf("stopping client network watcher, %s", id)
-			client.stop()
-			delete(m.clientNetworks, id)
-		}
-	}
-
-	for id, routes := range networks {
-		clientNetworkWatcher, found := m.clientNetworks[id]
-		if !found {
-			clientNetworkWatcher = newClientNetworkWatcher(m.ctx, m.wgInterface, m.statusRecorder, routes[0].Network)
-			m.clientNetworks[id] = clientNetworkWatcher
-			go clientNetworkWatcher.peersStateAndUpdateWatcher()
-		}
-		update := routesUpdate{
-			updateSerial: updateSerial,
-			routes:       routes,
-		}
-
-		clientNetworkWatcher.sendUpdateToClientNetworkWatcher(update)
-	}
-}
-
-func (m *DefaultManager) updateServerRoutes(routesMap map[string]*route.Route) error {
-	serverRoutesToRemove := make([]string, 0)
-
-	if len(routesMap) > 0 {
-		err := m.serverRouter.firewall.RestoreOrCreateContainers()
-		if err != nil {
-			return fmt.Errorf("couldn't initialize firewall containers, got err: %v", err)
-		}
-	}
-
-	for routeID := range m.serverRoutes {
-		update, found := routesMap[routeID]
-		if !found || !update.IsEqual(m.serverRoutes[routeID]) {
-			serverRoutesToRemove = append(serverRoutesToRemove, routeID)
-			continue
-		}
-	}
-
-	for _, routeID := range serverRoutesToRemove {
-		oldRoute := m.serverRoutes[routeID]
-		err := m.removeFromServerNetwork(oldRoute)
-		if err != nil {
-			log.Errorf("unable to remove route id: %s, network %s, from server, got: %v",
-				oldRoute.ID, oldRoute.Network, err)
-		}
-		delete(m.serverRoutes, routeID)
-	}
-
-	for id, newRoute := range routesMap {
-		_, found := m.serverRoutes[id]
-		if found {
-			continue
-		}
-
-		err := m.addToServerNetwork(newRoute)
-		if err != nil {
-			log.Errorf("unable to add route %s from server, got: %v", newRoute.ID, err)
-			continue
-		}
-		m.serverRoutes[id] = newRoute
-	}
-
-	if len(m.serverRoutes) > 0 {
-		err := enableIPForwarding()
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
+	m.serverRouter.cleanUp()
 }

 // UpdateRoutes compares received routes with existing routes and remove, update or add them to the client and server maps
@@ -170,7 +85,7 @@ func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Ro
 				// we skip this route management
 				if newRoute.Network.Bits() < 7 {
 					log.Errorf("this agent version: %s, doesn't support default routes, received %s, skiping this route",
-						system.NetbirdVersion(), newRoute.Network)
+						version.NetbirdVersion(), newRoute.Network)
 					continue
 				}
 				newClientRoutesIDMap[networkID] = append(newClientRoutesIDMap[networkID], newRoute)
@@ -179,7 +94,7 @@ func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Ro

 		m.updateClientNetworks(updateSerial, newClientRoutesIDMap)

-		err := m.updateServerRoutes(newServerRoutesMap)
+		err := m.serverRouter.updateRoutes(newServerRoutesMap)
 		if err != nil {
 			return err
 		}
@@ -187,3 +102,29 @@ func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Ro
 		return nil
 	}
 }
+
+func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks map[string][]*route.Route) {
+	// removing routes that do not exist as per the update from the Management service.
+	for id, client := range m.clientNetworks {
+		_, found := networks[id]
+		if !found {
+			log.Debugf("stopping client network watcher, %s", id)
+			client.stop()
+			delete(m.clientNetworks, id)
+		}
+	}
+
+	for id, routes := range networks {
+		clientNetworkWatcher, found := m.clientNetworks[id]
+		if !found {
+			clientNetworkWatcher = newClientNetworkWatcher(m.ctx, m.wgInterface, m.statusRecorder, routes[0].Network)
+			m.clientNetworks[id] = clientNetworkWatcher
+			go clientNetworkWatcher.peersStateAndUpdateWatcher()
+		}
+		update := routesUpdate{
+			updateSerial: updateSerial,
+			routes:       routes,
+		}
+		clientNetworkWatcher.sendUpdateToClientNetworkWatcher(update)
+	}
+}
--- a/client/internal/routemanager/manager_test.go
+++ b/client/internal/routemanager/manager_test.go
@@ -3,14 +3,16 @@ package routemanager
 import (
 	"context"
 	"fmt"
+	"github.com/pion/transport/v2/stdnet"
 	"net/netip"
 	"runtime"
 	"testing"

-	"github.com/netbirdio/netbird/client/status"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
-	"github.com/stretchr/testify/require"
 )

 // send 5 routes, one for server and 4 for clients, one normal and 2 HA and one small
@@ -390,14 +392,19 @@ func TestManagerUpdateRoutes(t *testing.T) {

 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", iface.DefaultMTU)
+
+			newNet, err := stdnet.NewNet()
+			if err != nil {
+				t.Fatal(err)
+			}
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", iface.DefaultMTU, nil, nil, newNet)
 			require.NoError(t, err, "should create testing WGIface interface")
 			defer wgInterface.Close()

 			err = wgInterface.Create()
 			require.NoError(t, err, "should create testing wireguard interface")

-			statusRecorder := status.NewRecorder()
+			statusRecorder := peer.NewRecorder("https://mgm")
 			ctx := context.TODO()
 			routeManager := NewManager(ctx, localPeerKey, wgInterface, statusRecorder)
 			defer routeManager.Stop()
@@ -413,7 +420,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			require.Len(t, routeManager.clientNetworks, testCase.clientNetworkWatchersExpected, "client networks size should match")

 			if testCase.shouldCheckServerRoutes {
-				require.Len(t, routeManager.serverRoutes, testCase.serverRoutesExpected, "server networks size should match")
+				require.Len(t, routeManager.serverRouter.routes, testCase.serverRoutesExpected, "server networks size should match")
 			}
 		})
 	}
--- a/client/internal/routemanager/nftables_linux.go
+++ b/client/internal/routemanager/nftables_linux.go
@@ -1,16 +1,19 @@
+//go:build !android
+
 package routemanager

 import (
 	"context"
 	"fmt"
-	"github.com/google/nftables/binaryutil"
-	"github.com/google/nftables/expr"
-	log "github.com/sirupsen/logrus"
 	"net"
 	"net/netip"
 	"sync"
+
+	"github.com/google/nftables"
+	"github.com/google/nftables/binaryutil"
+	"github.com/google/nftables/expr"
+	log "github.com/sirupsen/logrus"
 )
-import "github.com/google/nftables"

 const (
 	nftablesTable                  = "netbird-rt"
--- a/client/internal/routemanager/nftables_linux_test.go
+++ b/client/internal/routemanager/nftables_linux_test.go
@@ -1,12 +1,15 @@
+//go:build !android
+
 package routemanager

 import (
 	"context"
+	"testing"
+
 	"github.com/google/nftables"
 	"github.com/google/nftables/expr"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"testing"
 )

 func TestNftablesManager_RestoreOrCreateContainers(t *testing.T) {
--- a/client/internal/routemanager/router_pair.go
+++ b/client/internal/routemanager/router_pair.go
@@ -0,0 +1,24 @@
+package routemanager
+
+import (
+	"net/netip"
+
+	"github.com/netbirdio/netbird/route"
+)
+
+type routerPair struct {
+	ID          string
+	source      string
+	destination string
+	masquerade  bool
+}
+
+func routeToRouterPair(source string, route *route.Route) routerPair {
+	parsed := netip.MustParsePrefix(source).Masked()
+	return routerPair{
+		ID:          route.ID,
+		source:      parsed.String(),
+		destination: route.Network.Masked().String(),
+		masquerade:  route.Masquerade,
+	}
+}
--- a/client/internal/routemanager/server.go
+++ b/client/internal/routemanager/server.go
@@ -1,67 +0,0 @@
-package routemanager
-
-import (
-	"github.com/netbirdio/netbird/route"
-	log "github.com/sirupsen/logrus"
-	"net/netip"
-	"sync"
-)
-
-type serverRouter struct {
-	routes map[string]*route.Route
-	// best effort to keep net forward configuration as it was
-	netForwardHistoryEnabled bool
-	mux                      sync.Mutex
-	firewall                 firewallManager
-}
-
-type routerPair struct {
-	ID          string
-	source      string
-	destination string
-	masquerade  bool
-}
-
-func routeToRouterPair(source string, route *route.Route) routerPair {
-	parsed := netip.MustParsePrefix(source).Masked()
-	return routerPair{
-		ID:          route.ID,
-		source:      parsed.String(),
-		destination: route.Network.Masked().String(),
-		masquerade:  route.Masquerade,
-	}
-}
-
-func (m *DefaultManager) removeFromServerNetwork(route *route.Route) error {
-	select {
-	case <-m.ctx.Done():
-		log.Infof("not removing from server network because context is done")
-		return m.ctx.Err()
-	default:
-		m.serverRouter.mux.Lock()
-		defer m.serverRouter.mux.Unlock()
-		err := m.serverRouter.firewall.RemoveRoutingRules(routeToRouterPair(m.wgInterface.Address().String(), route))
-		if err != nil {
-			return err
-		}
-		delete(m.serverRouter.routes, route.ID)
-		return nil
-	}
-}
-
-func (m *DefaultManager) addToServerNetwork(route *route.Route) error {
-	select {
-	case <-m.ctx.Done():
-		log.Infof("not adding to server network because context is done")
-		return m.ctx.Err()
-	default:
-		m.serverRouter.mux.Lock()
-		defer m.serverRouter.mux.Unlock()
-		err := m.serverRouter.firewall.InsertRoutingRules(routeToRouterPair(m.wgInterface.Address().String(), route))
-		if err != nil {
-			return err
-		}
-		m.serverRouter.routes[route.ID] = route
-		return nil
-	}
-}
--- a/client/internal/routemanager/server_android.go
+++ b/client/internal/routemanager/server_android.go
@@ -0,0 +1,21 @@
+package routemanager
+
+import (
+	"context"
+
+	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/route"
+)
+
+type serverRouter struct {
+}
+
+func newServerRouter(ctx context.Context, wgInterface *iface.WGIface) *serverRouter {
+	return &serverRouter{}
+}
+
+func (r *serverRouter) updateRoutes(routesMap map[string]*route.Route) error {
+	return nil
+}
+
+func (r *serverRouter) cleanUp() {}
--- a/client/internal/routemanager/server_nonandroid.go
+++ b/client/internal/routemanager/server_nonandroid.go
@@ -0,0 +1,120 @@
+//go:build !android
+
+package routemanager
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/route"
+)
+
+type serverRouter struct {
+	mux         sync.Mutex
+	ctx         context.Context
+	routes      map[string]*route.Route
+	firewall    firewallManager
+	wgInterface *iface.WGIface
+}
+
+func newServerRouter(ctx context.Context, wgInterface *iface.WGIface) *serverRouter {
+	return &serverRouter{
+		ctx:         ctx,
+		routes:      make(map[string]*route.Route),
+		firewall:    NewFirewall(ctx),
+		wgInterface: wgInterface,
+	}
+}
+
+func (m *serverRouter) updateRoutes(routesMap map[string]*route.Route) error {
+	serverRoutesToRemove := make([]string, 0)
+
+	if len(routesMap) > 0 {
+		err := m.firewall.RestoreOrCreateContainers()
+		if err != nil {
+			return fmt.Errorf("couldn't initialize firewall containers, got err: %v", err)
+		}
+	}
+
+	for routeID := range m.routes {
+		update, found := routesMap[routeID]
+		if !found || !update.IsEqual(m.routes[routeID]) {
+			serverRoutesToRemove = append(serverRoutesToRemove, routeID)
+		}
+	}
+
+	for _, routeID := range serverRoutesToRemove {
+		oldRoute := m.routes[routeID]
+		err := m.removeFromServerNetwork(oldRoute)
+		if err != nil {
+			log.Errorf("unable to remove route id: %s, network %s, from server, got: %v",
+				oldRoute.ID, oldRoute.Network, err)
+		}
+		delete(m.routes, routeID)
+	}
+
+	for id, newRoute := range routesMap {
+		_, found := m.routes[id]
+		if found {
+			continue
+		}
+
+		err := m.addToServerNetwork(newRoute)
+		if err != nil {
+			log.Errorf("unable to add route %s from server, got: %v", newRoute.ID, err)
+			continue
+		}
+		m.routes[id] = newRoute
+	}
+
+	if len(m.routes) > 0 {
+		err := enableIPForwarding()
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *serverRouter) removeFromServerNetwork(route *route.Route) error {
+	select {
+	case <-m.ctx.Done():
+		log.Infof("not removing from server network because context is done")
+		return m.ctx.Err()
+	default:
+		m.mux.Lock()
+		defer m.mux.Unlock()
+		err := m.firewall.RemoveRoutingRules(routeToRouterPair(m.wgInterface.Address().String(), route))
+		if err != nil {
+			return err
+		}
+		delete(m.routes, route.ID)
+		return nil
+	}
+}
+
+func (m *serverRouter) addToServerNetwork(route *route.Route) error {
+	select {
+	case <-m.ctx.Done():
+		log.Infof("not adding to server network because context is done")
+		return m.ctx.Err()
+	default:
+		m.mux.Lock()
+		defer m.mux.Unlock()
+		err := m.firewall.InsertRoutingRules(routeToRouterPair(m.wgInterface.Address().String(), route))
+		if err != nil {
+			return err
+		}
+		m.routes[route.ID] = route
+		return nil
+	}
+}
+
+func (m *serverRouter) cleanUp() {
+	m.firewall.CleanRoutingRules()
+}
--- a/client/internal/routemanager/systemops_android.go
+++ b/client/internal/routemanager/systemops_android.go
@@ -0,0 +1,13 @@
+package routemanager
+
+import (
+	"net/netip"
+)
+
+func addToRouteTableIfNoExists(prefix netip.Prefix, addr string) error {
+	return nil
+}
+
+func removeFromRouteTableIfNonSystem(prefix netip.Prefix, addr string) error {
+	return nil
+}
--- a/client/internal/routemanager/systemops_linux.go
+++ b/client/internal/routemanager/systemops_linux.go
@@ -1,10 +1,13 @@
+//go:build !android
+
 package routemanager

 import (
-	"github.com/vishvananda/netlink"
 	"net"
 	"net/netip"
 	"os"
+
+	"github.com/vishvananda/netlink"
 )

 const ipv4ForwardingPath = "/proc/sys/net/ipv4/ip_forward"
@@ -62,12 +65,3 @@ func enableIPForwarding() error {
 	err := os.WriteFile(ipv4ForwardingPath, []byte("1"), 0644)
 	return err
 }
-
-func isNetForwardHistoryEnabled() bool {
-	out, err := os.ReadFile(ipv4ForwardingPath)
-	if err != nil {
-		// todo
-		panic(err)
-	}
-	return string(out) == "1"
-}
--- a/client/internal/routemanager/systemops_nonandroid.go
+++ b/client/internal/routemanager/systemops_nonandroid.go
@@ -1,11 +1,14 @@
+//go:build !android
+
 package routemanager

 import (
 	"fmt"
-	"github.com/libp2p/go-netroute"
-	log "github.com/sirupsen/logrus"
 	"net"
 	"net/netip"
+
+	"github.com/libp2p/go-netroute"
+	log "github.com/sirupsen/logrus"
 )

 var errRouteNotFound = fmt.Errorf("route not found")
--- a/client/internal/routemanager/systemops_nonandroid_test.go
+++ b/client/internal/routemanager/systemops_nonandroid_test.go
@@ -3,6 +3,7 @@ package routemanager
 import (
 	"fmt"
 	"github.com/netbirdio/netbird/iface"
+	"github.com/pion/transport/v2/stdnet"
 	"github.com/stretchr/testify/require"
 	"net"
 	"net/netip"
@@ -32,7 +33,11 @@ func TestAddRemoveRoutes(t *testing.T) {

 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun53%d", n), "100.65.75.2/24", iface.DefaultMTU)
+			newNet, err := stdnet.NewNet()
+			if err != nil {
+				t.Fatal(err)
+			}
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun53%d", n), "100.65.75.2/24", iface.DefaultMTU, nil, nil, newNet)
 			require.NoError(t, err, "should create testing WGIface interface")
 			defer wgInterface.Close()

--- a/client/internal/routemanager/systemops_nonlinux.go
+++ b/client/internal/routemanager/systemops_nonlinux.go
@@ -4,10 +4,11 @@
 package routemanager

 import (
-	log "github.com/sirupsen/logrus"
 	"net/netip"
 	"os/exec"
 	"runtime"
+
+	log "github.com/sirupsen/logrus"
 )

 func addToRouteTable(prefix netip.Prefix, addr string) error {
@@ -34,8 +35,3 @@ func enableIPForwarding() error {
 	log.Infof("enable IP forwarding is not implemented on %s", runtime.GOOS)
 	return nil
 }
-
-func isNetForwardHistoryEnabled() bool {
-	log.Infof("check netforward history is not implemented on %s", runtime.GOOS)
-	return false
-}
--- a/client/internal/stdnet/discover.go
+++ b/client/internal/stdnet/discover.go
@@ -0,0 +1,14 @@
+package stdnet
+
+import "github.com/pion/transport/v2"
+
+// ExternalIFaceDiscover provide an option for external services (mobile)
+// to collect network interface information
+type ExternalIFaceDiscover interface {
+	// IFaces return with the description of the interfaces
+	IFaces() (string, error)
+}
+
+type iFaceDiscover interface {
+	iFaces() ([]*transport.Interface, error)
+}
--- a/client/internal/stdnet/discover_mobile.go
+++ b/client/internal/stdnet/discover_mobile.go
@@ -0,0 +1,98 @@
+package stdnet
+
+import (
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/pion/transport/v2"
+	log "github.com/sirupsen/logrus"
+)
+
+type mobileIFaceDiscover struct {
+	externalDiscover ExternalIFaceDiscover
+}
+
+func newMobileIFaceDiscover(externalDiscover ExternalIFaceDiscover) *mobileIFaceDiscover {
+	return &mobileIFaceDiscover{
+		externalDiscover: externalDiscover,
+	}
+}
+
+func (m *mobileIFaceDiscover) iFaces() ([]*transport.Interface, error) {
+	ifacesString, err := m.externalDiscover.IFaces()
+	if err != nil {
+		return nil, err
+	}
+	interfaces := m.parseInterfacesString(ifacesString)
+	return interfaces, nil
+}
+
+func (m *mobileIFaceDiscover) parseInterfacesString(interfaces string) []*transport.Interface {
+	ifs := []*transport.Interface{}
+
+	for _, iface := range strings.Split(interfaces, "\n") {
+		if strings.TrimSpace(iface) == "" {
+			continue
+		}
+
+		fields := strings.Split(iface, "|")
+		if len(fields) != 2 {
+			log.Warnf("parseInterfacesString: unable to split %q", iface)
+			continue
+		}
+
+		var name string
+		var index, mtu int
+		var up, broadcast, loopback, pointToPoint, multicast bool
+		_, err := fmt.Sscanf(fields[0], "%s %d %d %t %t %t %t %t",
+			&name, &index, &mtu, &up, &broadcast, &loopback, &pointToPoint, &multicast)
+		if err != nil {
+			log.Warnf("parseInterfacesString: unable to parse %q: %v", iface, err)
+			continue
+		}
+
+		newIf := net.Interface{
+			Name:  name,
+			Index: index,
+			MTU:   mtu,
+		}
+		if up {
+			newIf.Flags |= net.FlagUp
+		}
+		if broadcast {
+			newIf.Flags |= net.FlagBroadcast
+		}
+		if loopback {
+			newIf.Flags |= net.FlagLoopback
+		}
+		if pointToPoint {
+			newIf.Flags |= net.FlagPointToPoint
+		}
+		if multicast {
+			newIf.Flags |= net.FlagMulticast
+		}
+
+		ifc := transport.NewInterface(newIf)
+
+		addrs := strings.Trim(fields[1], " \n")
+		foundAddress := false
+		for _, addr := range strings.Split(addrs, " ") {
+			if strings.Contains(addr, "%") {
+				continue
+			}
+			ip, ipNet, err := net.ParseCIDR(addr)
+			if err != nil {
+				log.Warnf("%s", err)
+				continue
+			}
+			ipNet.IP = ip
+			ifc.AddAddress(ipNet)
+			foundAddress = true
+		}
+		if foundAddress {
+			ifs = append(ifs, ifc)
+		}
+	}
+	return ifs
+}
--- a/client/internal/stdnet/discover_mobile_test.go
+++ b/client/internal/stdnet/discover_mobile_test.go
@@ -0,0 +1,71 @@
+package stdnet
+
+import (
+	"fmt"
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+)
+
+func Test_parseInterfacesString(t *testing.T) {
+	testData := []struct {
+		name         string
+		index        int
+		mtu          int
+		up           bool
+		broadcast    bool
+		loopBack     bool
+		pointToPoint bool
+		multicast    bool
+		addr         string
+	}{
+		{"wlan0", 30, 1500, true, true, false, false, true, "10.1.10.131/24"},
+		{"rmnet0", 30, 1500, true, true, false, false, true, "192.168.0.56/24"},
+		{"rmnet_data1", 30, 1500, true, true, false, false, true, "fec0::118c:faf7:8d97:3cb2/64"},
+		{"rmnet_data2", 30, 1500, true, true, false, false, true, "fec0::118c:faf7:8d97:3cb2%rmnet2/64"},
+	}
+
+	var exampleString string
+	for _, d := range testData {
+		exampleString = fmt.Sprintf("%s\n%s %d %d %t %t %t %t %t | %s", exampleString,
+			d.name,
+			d.index,
+			d.mtu,
+			d.up,
+			d.broadcast,
+			d.loopBack,
+			d.pointToPoint,
+			d.multicast,
+			d.addr)
+	}
+	d := mobileIFaceDiscover{}
+	nets := d.parseInterfacesString(exampleString)
+	if len(nets) == 0 {
+		t.Fatalf("failed to parse interfaces")
+	}
+
+	log.Printf("%d", len(nets))
+	for i, net := range nets {
+		if net.MTU != testData[i].mtu {
+			t.Errorf("invalid mtu: %d, expected: %d", net.MTU, testData[0].mtu)
+
+		}
+
+		if net.Interface.Name != testData[i].name {
+			t.Errorf("invalid interface name: %s, expected: %s", net.Interface.Name, testData[i].name)
+		}
+
+		addr, err := net.Addrs()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if len(addr) == 0 {
+			t.Errorf("invalid address parsing")
+		}
+		log.Printf("%v", addr)
+		if addr[0].String() != testData[i].addr {
+			t.Errorf("invalid address: %s, expected: %s", addr[0].String(), testData[i].addr)
+		}
+	}
+}
--- a/client/internal/stdnet/discover_pion.go
+++ b/client/internal/stdnet/discover_pion.go
@@ -0,0 +1,36 @@
+package stdnet
+
+import (
+	"net"
+
+	"github.com/pion/transport/v2"
+)
+
+type pionDiscover struct {
+}
+
+func (d pionDiscover) iFaces() ([]*transport.Interface, error) {
+	ifs := []*transport.Interface{}
+
+	oifs, err := net.Interfaces()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, oif := range oifs {
+		ifc := transport.NewInterface(oif)
+
+		addrs, err := oif.Addrs()
+		if err != nil {
+			return nil, err
+		}
+
+		for _, addr := range addrs {
+			ifc.AddAddress(addr)
+		}
+
+		ifs = append(ifs, ifc)
+	}
+
+	return ifs, nil
+}
--- a/client/internal/stdnet/filter.go
+++ b/client/internal/stdnet/filter.go
@@ -0,0 +1,40 @@
+package stdnet
+
+import (
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl"
+)
+
+// InterfaceFilter is a function passed to ICE Agent to filter out not allowed interfaces
+// to avoid building tunnel over them.
+func InterfaceFilter(disallowList []string) func(string) bool {
+
+	return func(iFace string) bool {
+
+		if strings.HasPrefix(iFace, "lo") {
+			// hardcoded loopback check to support already installed agents
+			return false
+		}
+
+		for _, s := range disallowList {
+			if strings.HasPrefix(iFace, s) {
+				log.Debugf("ignoring interface %s - it is not allowed", iFace)
+				return false
+			}
+		}
+		// look for unlisted WireGuard interfaces
+		wg, err := wgctrl.New()
+		if err != nil {
+			log.Debugf("trying to create a wgctrl client failed with: %v", err)
+			return true
+		}
+		defer func() {
+			_ = wg.Close()
+		}()
+
+		_, err = wg.Device(iFace)
+		return err != nil
+	}
+}
--- a/client/internal/stdnet/stdnet.go
+++ b/client/internal/stdnet/stdnet.go
@@ -0,0 +1,97 @@
+// Package stdnet is an extension of the pion's stdnet.
+// With it the list of the interface can come from external source.
+// More info: https://github.com/golang/go/issues/40569
+package stdnet
+
+import (
+	"fmt"
+
+	"github.com/pion/transport/v2"
+	"github.com/pion/transport/v2/stdnet"
+)
+
+// Net is an implementation of the net.Net interface
+// based on functions of the standard net package.
+type Net struct {
+	stdnet.Net
+	interfaces    []*transport.Interface
+	iFaceDiscover iFaceDiscover
+	// interfaceFilter should return true if the given interfaceName is allowed
+	interfaceFilter func(interfaceName string) bool
+}
+
+// NewNetWithDiscover creates a new StdNet instance.
+func NewNetWithDiscover(iFaceDiscover ExternalIFaceDiscover, disallowList []string) (*Net, error) {
+	n := &Net{
+		iFaceDiscover:   newMobileIFaceDiscover(iFaceDiscover),
+		interfaceFilter: InterfaceFilter(disallowList),
+	}
+	return n, n.UpdateInterfaces()
+}
+
+// NewNet creates a new StdNet instance.
+func NewNet(disallowList []string) (*Net, error) {
+	n := &Net{
+		iFaceDiscover:   pionDiscover{},
+		interfaceFilter: InterfaceFilter(disallowList),
+	}
+	return n, n.UpdateInterfaces()
+}
+
+// UpdateInterfaces updates the internal list of network interfaces
+// and associated addresses filtering them by name.
+// The interfaces are discovered by an external iFaceDiscover function or by a default discoverer if the external one
+// wasn't specified.
+func (n *Net) UpdateInterfaces() (err error) {
+	allIfaces, err := n.iFaceDiscover.iFaces()
+	if err != nil {
+		return err
+	}
+	n.interfaces = n.filterInterfaces(allIfaces)
+	return nil
+}
+
+// Interfaces returns a slice of interfaces which are available on the
+// system
+func (n *Net) Interfaces() ([]*transport.Interface, error) {
+	return n.interfaces, nil
+}
+
+// InterfaceByIndex returns the interface specified by index.
+//
+// On Solaris, it returns one of the logical network interfaces
+// sharing the logical data link; for more precision use
+// InterfaceByName.
+func (n *Net) InterfaceByIndex(index int) (*transport.Interface, error) {
+	for _, ifc := range n.interfaces {
+		if ifc.Index == index {
+			return ifc, nil
+		}
+	}
+
+	return nil, fmt.Errorf("%w: index=%d", transport.ErrInterfaceNotFound, index)
+}
+
+// InterfaceByName returns the interface specified by name.
+func (n *Net) InterfaceByName(name string) (*transport.Interface, error) {
+	for _, ifc := range n.interfaces {
+		if ifc.Name == name {
+			return ifc, nil
+		}
+	}
+
+	return nil, fmt.Errorf("%w: %s", transport.ErrInterfaceNotFound, name)
+}
+
+func (n *Net) filterInterfaces(interfaces []*transport.Interface) []*transport.Interface {
+	if n.interfaceFilter == nil {
+		return interfaces
+	}
+	result := []*transport.Interface{}
+	for _, iface := range interfaces {
+		if n.interfaceFilter(iface.Name) {
+			result = append(result, iface)
+		}
+	}
+	return result
+}
--- a/client/resources.rc
+++ b/client/resources.rc
@@ -6,4 +6,4 @@
 #define EXPAND(x) STRINGIZE(x)
 CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST manifest.xml
 7 ICON ui/netbird.ico
-wireguard.dll RCDATA wireguard.dll
+wintun.dll RCDATA wintun.dll
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -13,9 +13,9 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
-	nbStatus "github.com/netbirdio/netbird/client/status"
-	"github.com/netbirdio/netbird/client/system"
+	"github.com/netbirdio/netbird/version"
 )

 // Server for service control.
@@ -33,7 +33,7 @@ type Server struct {
 	config *internal.Config
 	proto.UnimplementedDaemonServiceServer

-	statusRecorder *nbStatus.Status
+	statusRecorder *peer.Status
 }

 type oauthAuthFlow struct {
@@ -78,7 +78,7 @@ func (s *Server) Start() error {
 	// on failure we return error to retry
 	config, err := internal.UpdateConfig(s.latestConfigInput)
 	if errorStatus, ok := gstatus.FromError(err); ok && errorStatus.Code() == codes.NotFound {
-		config, err = internal.UpdateOrCreateConfig(s.latestConfigInput)
+		s.config, err = internal.UpdateOrCreateConfig(s.latestConfigInput)
 		if err != nil {
 			log.Warnf("unable to create configuration file: %v", err)
 			return err
@@ -96,11 +96,13 @@ func (s *Server) Start() error {
 	s.config = config

 	if s.statusRecorder == nil {
-		s.statusRecorder = nbStatus.NewRecorder()
+		s.statusRecorder = peer.NewRecorder(config.ManagementURL.String())
+	} else {
+		s.statusRecorder.UpdateManagementAddress(config.ManagementURL.String())
 	}

 	go func() {
-		if err := internal.RunClient(ctx, config, s.statusRecorder); err != nil {
+		if err := internal.RunClient(ctx, config, s.statusRecorder, nil, nil); err != nil {
 			log.Errorf("init connections: %v", err)
 		}
 	}()
@@ -221,12 +223,7 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 			}
 		}

-		hostedClient := internal.NewHostedDeviceFlow(
-			providerConfig.ProviderConfig.Audience,
-			providerConfig.ProviderConfig.ClientID,
-			providerConfig.ProviderConfig.TokenEndpoint,
-			providerConfig.ProviderConfig.DeviceAuthEndpoint,
-		)
+		hostedClient := internal.NewHostedDeviceFlow(providerConfig.ProviderConfig)

 		if s.oauthAuthFlow.client != nil && s.oauthAuthFlow.client.GetClientID(ctx) == hostedClient.GetClientID(context.TODO()) {
 			if s.oauthAuthFlow.expiresAt.After(time.Now().Add(90 * time.Second)) {
@@ -342,7 +339,7 @@ func (s *Server) WaitSSOLogin(callerCtx context.Context, msg *proto.WaitSSOLogin
 	s.oauthAuthFlow.expiresAt = time.Now()
 	s.mutex.Unlock()

-	if loginStatus, err := s.loginAttempt(ctx, "", tokenInfo.AccessToken); err != nil {
+	if loginStatus, err := s.loginAttempt(ctx, "", tokenInfo.GetTokenToUse()); err != nil {
 		state.Set(loginStatus)
 		return nil, err
 	}
@@ -386,11 +383,13 @@ func (s *Server) Up(callerCtx context.Context, _ *proto.UpRequest) (*proto.UpRes
 	}

 	if s.statusRecorder == nil {
-		s.statusRecorder = nbStatus.NewRecorder()
+		s.statusRecorder = peer.NewRecorder(s.config.ManagementURL.String())
+	} else {
+		s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
 	}

 	go func() {
-		if err := internal.RunClient(ctx, s.config, s.statusRecorder); err != nil {
+		if err := internal.RunClient(ctx, s.config, s.statusRecorder, nil, nil); err != nil {
 			log.Errorf("run client connection: %v", err)
 			return
 		}
@@ -427,10 +426,12 @@ func (s *Server) Status(
 		return nil, err
 	}

-	statusResponse := proto.StatusResponse{Status: string(status), DaemonVersion: system.NetbirdVersion()}
+	statusResponse := proto.StatusResponse{Status: string(status), DaemonVersion: version.NetbirdVersion()}

 	if s.statusRecorder == nil {
-		s.statusRecorder = nbStatus.NewRecorder()
+		s.statusRecorder = peer.NewRecorder(s.config.ManagementURL.String())
+	} else {
+		s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
 	}

 	if msg.GetFullPeerStatus {
@@ -476,7 +477,7 @@ func (s *Server) GetConfig(_ context.Context, _ *proto.GetConfigRequest) (*proto
 	}, nil
 }

-func toProtoFullStatus(fullStatus nbStatus.FullStatus) *proto.FullStatus {
+func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
 	pbFullStatus := proto.FullStatus{
 		ManagementState: &proto.ManagementState{},
 		SignalState:     &proto.SignalState{},
@@ -499,7 +500,7 @@ func toProtoFullStatus(fullStatus nbStatus.FullStatus) *proto.FullStatus {
 		pbPeerState := &proto.PeerState{
 			IP:                     peerState.IP,
 			PubKey:                 peerState.PubKey,
-			ConnStatus:             peerState.ConnStatus,
+			ConnStatus:             peerState.ConnStatus.String(),
 			ConnStatusUpdate:       timestamppb.New(peerState.ConnStatusUpdate),
 			Relayed:                peerState.Relayed,
 			Direct:                 peerState.Direct,
--- a/client/status/status.go
+++ b/client/status/status.go
@@ -1,241 +0,0 @@
-package status
-
-import (
-	"errors"
-	"sync"
-	"time"
-)
-
-// PeerState contains the latest state of a peer
-type PeerState struct {
-	IP                     string
-	PubKey                 string
-	FQDN                   string
-	ConnStatus             string
-	ConnStatusUpdate       time.Time
-	Relayed                bool
-	Direct                 bool
-	LocalIceCandidateType  string
-	RemoteIceCandidateType string
-}
-
-// LocalPeerState contains the latest state of the local peer
-type LocalPeerState struct {
-	IP              string
-	PubKey          string
-	KernelInterface bool
-	FQDN            string
-}
-
-// SignalState contains the latest state of a signal connection
-type SignalState struct {
-	URL       string
-	Connected bool
-}
-
-// ManagementState contains the latest state of a management connection
-type ManagementState struct {
-	URL       string
-	Connected bool
-}
-
-// FullStatus contains the full state held by the Status instance
-type FullStatus struct {
-	Peers           []PeerState
-	ManagementState ManagementState
-	SignalState     SignalState
-	LocalPeerState  LocalPeerState
-}
-
-// Status holds a state of peers, signal and management connections
-type Status struct {
-	mux          sync.Mutex
-	peers        map[string]PeerState
-	changeNotify map[string]chan struct{}
-	signal       SignalState
-	management   ManagementState
-	localPeer    LocalPeerState
-}
-
-// NewRecorder returns a new Status instance
-func NewRecorder() *Status {
-	return &Status{
-		peers:        make(map[string]PeerState),
-		changeNotify: make(map[string]chan struct{}),
-	}
-}
-
-// AddPeer adds peer to Daemon status map
-func (d *Status) AddPeer(peerPubKey string) error {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	_, ok := d.peers[peerPubKey]
-	if ok {
-		return errors.New("peer already exist")
-	}
-	d.peers[peerPubKey] = PeerState{PubKey: peerPubKey}
-	return nil
-}
-
-// GetPeer adds peer to Daemon status map
-func (d *Status) GetPeer(peerPubKey string) (PeerState, error) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	state, ok := d.peers[peerPubKey]
-	if !ok {
-		return PeerState{}, errors.New("peer not found")
-	}
-	return state, nil
-}
-
-// RemovePeer removes peer from Daemon status map
-func (d *Status) RemovePeer(peerPubKey string) error {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	_, ok := d.peers[peerPubKey]
-	if ok {
-		delete(d.peers, peerPubKey)
-		return nil
-	}
-
-	return errors.New("no peer with to remove")
-}
-
-// UpdatePeerState updates peer status
-func (d *Status) UpdatePeerState(receivedState PeerState) error {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	peerState, ok := d.peers[receivedState.PubKey]
-	if !ok {
-		return errors.New("peer doesn't exist")
-	}
-
-	if receivedState.IP != "" {
-		peerState.IP = receivedState.IP
-	}
-
-	if receivedState.ConnStatus != peerState.ConnStatus {
-		peerState.ConnStatus = receivedState.ConnStatus
-		peerState.ConnStatusUpdate = receivedState.ConnStatusUpdate
-		peerState.Direct = receivedState.Direct
-		peerState.Relayed = receivedState.Relayed
-		peerState.LocalIceCandidateType = receivedState.LocalIceCandidateType
-		peerState.RemoteIceCandidateType = receivedState.RemoteIceCandidateType
-	}
-
-	d.peers[receivedState.PubKey] = peerState
-
-	ch, found := d.changeNotify[receivedState.PubKey]
-	if found && ch != nil {
-		close(ch)
-		d.changeNotify[receivedState.PubKey] = nil
-	}
-
-	return nil
-}
-
-// UpdatePeerFQDN update peer's state fqdn only
-func (d *Status) UpdatePeerFQDN(peerPubKey, fqdn string) error {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	peerState, ok := d.peers[peerPubKey]
-	if !ok {
-		return errors.New("peer doesn't exist")
-	}
-
-	peerState.FQDN = fqdn
-	d.peers[peerPubKey] = peerState
-
-	return nil
-}
-
-// GetPeerStateChangeNotifier returns a change notifier channel for a peer
-func (d *Status) GetPeerStateChangeNotifier(peer string) <-chan struct{} {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-	ch, found := d.changeNotify[peer]
-	if !found || ch == nil {
-		ch = make(chan struct{})
-		d.changeNotify[peer] = ch
-	}
-	return ch
-}
-
-// UpdateLocalPeerState updates local peer status
-func (d *Status) UpdateLocalPeerState(localPeerState LocalPeerState) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	d.localPeer = localPeerState
-}
-
-// CleanLocalPeerState cleans local peer status
-func (d *Status) CleanLocalPeerState() {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	d.localPeer = LocalPeerState{}
-}
-
-// MarkManagementDisconnected sets ManagementState to disconnected
-func (d *Status) MarkManagementDisconnected(managementURL string) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-	d.management = ManagementState{
-		URL:       managementURL,
-		Connected: false,
-	}
-}
-
-// MarkManagementConnected sets ManagementState to connected
-func (d *Status) MarkManagementConnected(managementURL string) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-	d.management = ManagementState{
-		URL:       managementURL,
-		Connected: true,
-	}
-}
-
-// MarkSignalDisconnected sets SignalState to disconnected
-func (d *Status) MarkSignalDisconnected(signalURL string) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-	d.signal = SignalState{
-		signalURL,
-		false,
-	}
-}
-
-// MarkSignalConnected sets SignalState to connected
-func (d *Status) MarkSignalConnected(signalURL string) {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-	d.signal = SignalState{
-		signalURL,
-		true,
-	}
-}
-
-// GetFullStatus gets full status
-func (d *Status) GetFullStatus() FullStatus {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	fullStatus := FullStatus{
-		ManagementState: d.management,
-		SignalState:     d.signal,
-		LocalPeerState:  d.localPeer,
-	}
-
-	for _, status := range d.peers {
-		fullStatus.Peers = append(fullStatus.Peers, status)
-	}
-
-	return fullStatus
-}
--- a/client/status/status_test.go
+++ b/client/status/status_test.go
@@ -1,243 +0,0 @@
-package status
-
-import (
-	"github.com/stretchr/testify/assert"
-	"testing"
-)
-
-func TestAddPeer(t *testing.T) {
-	key := "abc"
-	status := NewRecorder()
-	err := status.AddPeer(key)
-	assert.NoError(t, err, "shouldn't return error")
-
-	_, exists := status.peers[key]
-	assert.True(t, exists, "value was found")
-
-	err = status.AddPeer(key)
-
-	assert.Error(t, err, "should return error on duplicate")
-}
-
-func TestGetPeer(t *testing.T) {
-	key := "abc"
-	status := NewRecorder()
-	err := status.AddPeer(key)
-	assert.NoError(t, err, "shouldn't return error")
-
-	peerStatus, err := status.GetPeer(key)
-	assert.NoError(t, err, "shouldn't return error on getting peer")
-
-	assert.Equal(t, key, peerStatus.PubKey, "retrieved public key should match")
-
-	_, err = status.GetPeer("non_existing_key")
-	assert.Error(t, err, "should return error when peer doesn't exist")
-}
-
-func TestUpdatePeerState(t *testing.T) {
-	key := "abc"
-	ip := "10.10.10.10"
-	status := NewRecorder()
-	peerState := PeerState{
-		PubKey: key,
-	}
-
-	status.peers[key] = peerState
-
-	peerState.IP = ip
-
-	err := status.UpdatePeerState(peerState)
-	assert.NoError(t, err, "shouldn't return error")
-
-	state, exists := status.peers[key]
-	assert.True(t, exists, "state should be found")
-	assert.Equal(t, ip, state.IP, "ip should be equal")
-}
-
-func TestStatus_UpdatePeerFQDN(t *testing.T) {
-	key := "abc"
-	fqdn := "peer-a.netbird.local"
-	status := NewRecorder()
-	peerState := PeerState{
-		PubKey: key,
-	}
-
-	status.peers[key] = peerState
-
-	err := status.UpdatePeerFQDN(key, fqdn)
-	assert.NoError(t, err, "shouldn't return error")
-
-	state, exists := status.peers[key]
-	assert.True(t, exists, "state should be found")
-	assert.Equal(t, fqdn, state.FQDN, "fqdn should be equal")
-}
-
-func TestGetPeerStateChangeNotifierLogic(t *testing.T) {
-	key := "abc"
-	ip := "10.10.10.10"
-	status := NewRecorder()
-	peerState := PeerState{
-		PubKey: key,
-	}
-
-	status.peers[key] = peerState
-
-	ch := status.GetPeerStateChangeNotifier(key)
-	assert.NotNil(t, ch, "channel shouldn't be nil")
-
-	peerState.IP = ip
-
-	err := status.UpdatePeerState(peerState)
-	assert.NoError(t, err, "shouldn't return error")
-
-	select {
-	case <-ch:
-	default:
-		t.Errorf("channel wasn't closed after update")
-	}
-}
-
-func TestRemovePeer(t *testing.T) {
-	key := "abc"
-	status := NewRecorder()
-	peerState := PeerState{
-		PubKey: key,
-	}
-
-	status.peers[key] = peerState
-
-	err := status.RemovePeer(key)
-	assert.NoError(t, err, "shouldn't return error")
-
-	_, exists := status.peers[key]
-	assert.False(t, exists, "state value shouldn't be found")
-
-	err = status.RemovePeer("not existing")
-	assert.Error(t, err, "should return error when peer doesn't exist")
-}
-
-func TestUpdateLocalPeerState(t *testing.T) {
-	localPeerState := LocalPeerState{
-		IP:              "10.10.10.10",
-		PubKey:          "abc",
-		KernelInterface: false,
-	}
-	status := NewRecorder()
-
-	status.UpdateLocalPeerState(localPeerState)
-
-	assert.Equal(t, localPeerState, status.localPeer, "local peer status should be equal")
-}
-
-func TestCleanLocalPeerState(t *testing.T) {
-	emptyLocalPeerState := LocalPeerState{}
-	localPeerState := LocalPeerState{
-		IP:              "10.10.10.10",
-		PubKey:          "abc",
-		KernelInterface: false,
-	}
-	status := NewRecorder()
-
-	status.localPeer = localPeerState
-
-	status.CleanLocalPeerState()
-
-	assert.Equal(t, emptyLocalPeerState, status.localPeer, "local peer status should be empty")
-}
-
-func TestUpdateSignalState(t *testing.T) {
-	url := "https://signal"
-	var tests = []struct {
-		name      string
-		connected bool
-		want      SignalState
-	}{
-		{"should mark as connected", true, SignalState{
-
-			URL:       url,
-			Connected: true,
-		}},
-		{"should mark as disconnected", false, SignalState{
-			URL:       url,
-			Connected: false,
-		}},
-	}
-
-	status := NewRecorder()
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			if test.connected {
-				status.MarkSignalConnected(url)
-			} else {
-				status.MarkSignalDisconnected(url)
-			}
-			assert.Equal(t, test.want, status.signal, "signal status should be equal")
-		})
-	}
-}
-
-func TestUpdateManagementState(t *testing.T) {
-	url := "https://management"
-	var tests = []struct {
-		name      string
-		connected bool
-		want      ManagementState
-	}{
-		{"should mark as connected", true, ManagementState{
-
-			URL:       url,
-			Connected: true,
-		}},
-		{"should mark as disconnected", false, ManagementState{
-			URL:       url,
-			Connected: false,
-		}},
-	}
-
-	status := NewRecorder()
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			if test.connected {
-				status.MarkManagementConnected(url)
-			} else {
-				status.MarkManagementDisconnected(url)
-			}
-			assert.Equal(t, test.want, status.management, "signal status should be equal")
-		})
-	}
-}
-
-func TestGetFullStatus(t *testing.T) {
-	key1 := "abc"
-	key2 := "def"
-	managementState := ManagementState{
-		URL:       "https://signal",
-		Connected: true,
-	}
-	signalState := SignalState{
-		URL:       "https://signal",
-		Connected: true,
-	}
-	peerState1 := PeerState{
-		PubKey: key1,
-	}
-
-	peerState2 := PeerState{
-		PubKey: key2,
-	}
-
-	status := NewRecorder()
-
-	status.management = managementState
-	status.signal = signalState
-	status.peers[key1] = peerState1
-	status.peers[key2] = peerState2
-
-	fullStatus := status.GetFullStatus()
-
-	assert.Equal(t, managementState, fullStatus.ManagementState, "management status should be equal")
-	assert.Equal(t, signalState, fullStatus.SignalState, "signal status should be equal")
-	assert.ElementsMatch(t, []PeerState{peerState1, peerState2}, fullStatus.Peers, "peers states should match")
-}
--- a/client/system/info.go
+++ b/client/system/info.go
@@ -2,15 +2,17 @@ package system

 import (
 	"context"
-	"google.golang.org/grpc/metadata"
 	"strings"
+
+	"google.golang.org/grpc/metadata"
+
+	"github.com/netbirdio/netbird/version"
 )

-// this is the wiretrustee version
-// will be replaced with the release version when using goreleaser
-var version = "development"
+// DeviceNameCtxKey context key for device name
+const DeviceNameCtxKey = "deviceName"

-//Info is an object that contains machine information
+// Info is an object that contains machine information
 // Most of the code is taken from https://github.com/matishsiao/goInfo
 type Info struct {
 	GoOS               string
@@ -25,11 +27,6 @@ type Info struct {
 	UIVersion          string
 }

-// NetbirdVersion returns the Netbird version
-func NetbirdVersion() string {
-	return version
-}
-
 // extractUserAgent extracts Netbird's agent (client) name and version from the outgoing context
 func extractUserAgent(ctx context.Context) string {
 	md, hasMeta := metadata.FromOutgoingContext(ctx)
@@ -48,5 +45,5 @@ func extractUserAgent(ctx context.Context) string {

 // GetDesktopUIUserAgent returns the Desktop ui user agent
 func GetDesktopUIUserAgent() string {
-	return "netbird-desktop-ui/" + NetbirdVersion()
+	return "netbird-desktop-ui/" + version.NetbirdVersion()
 }
--- a/client/system/info_android.go
+++ b/client/system/info_android.go
@@ -0,0 +1,63 @@
+//go:build android
+// +build android
+
+package system
+
+import (
+	"bytes"
+	"context"
+	"os/exec"
+	"runtime"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/version"
+)
+
+// GetInfo retrieves and parses the system information
+func GetInfo(ctx context.Context) *Info {
+	kernel := "android"
+	osInfo := uname()
+	if len(osInfo) == 2 {
+		kernel = osInfo[1]
+	}
+
+	gio := &Info{Kernel: kernel, Core: osVersion(), Platform: "unknown", OS: "android", OSVersion: osVersion(), GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname = extractDeviceName(ctx)
+	gio.WiretrusteeVersion = version.NetbirdVersion()
+	gio.UIVersion = extractUserAgent(ctx)
+
+	return gio
+}
+
+func extractDeviceName(ctx context.Context) string {
+	v, ok := ctx.Value(DeviceNameCtxKey).(string)
+	if !ok {
+		return "android"
+	}
+	return v
+}
+
+func uname() []string {
+	res := run("/system/bin/uname", "-a")
+	return strings.Split(res, " ")
+}
+
+func osVersion() string {
+	return run("/system/bin/getprop", "ro.build.version.release")
+}
+
+func run(name string, arg ...string) string {
+	cmd := exec.Command(name, arg...)
+	cmd.Stdin = strings.NewReader("some")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		log.Errorf("getInfo: %s", err)
+	}
+	return out.String()
+}
--- a/client/system/info_darwin.go
+++ b/client/system/info_darwin.go
@@ -4,12 +4,16 @@ import (
 	"bytes"
 	"context"
 	"fmt"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
 	"os"
 	"os/exec"
 	"runtime"
 	"strings"
+
+	"golang.org/x/sys/unix"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/version"
 )

 // GetInfo retrieves and parses the system information
@@ -22,14 +26,14 @@ func GetInfo(ctx context.Context) *Info {
 	sysName := string(bytes.Split(utsname.Sysname[:], []byte{0})[0])
 	machine := string(bytes.Split(utsname.Machine[:], []byte{0})[0])
 	release := string(bytes.Split(utsname.Release[:], []byte{0})[0])
-	version, err := exec.Command("sw_vers", "-productVersion").Output()
+	swVersion, err := exec.Command("sw_vers", "-productVersion").Output()
 	if err != nil {
 		log.Warnf("got an error while retrieving macOS version with sw_vers, error: %s. Using darwin version instead.\n", err)
-		version = []byte(release)
+		swVersion = []byte(release)
 	}
-	gio := &Info{Kernel: sysName, OSVersion: strings.TrimSpace(string(version)), Core: release, Platform: machine, OS: sysName, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio := &Info{Kernel: sysName, OSVersion: strings.TrimSpace(string(swVersion)), Core: release, Platform: machine, OS: sysName, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
-	gio.WiretrusteeVersion = NetbirdVersion()
+	gio.WiretrusteeVersion = version.NetbirdVersion()
 	gio.UIVersion = extractUserAgent(ctx)

 	return gio
--- a/client/system/info_freebsd.go
+++ b/client/system/info_freebsd.go
@@ -9,6 +9,8 @@ import (
 	"runtime"
 	"strings"
 	"time"
+
+	"github.com/netbirdio/netbird/version"
 )

 // GetInfo retrieves and parses the system information
@@ -23,7 +25,7 @@ func GetInfo(ctx context.Context) *Info {
 	osInfo := strings.Split(osStr, " ")
 	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: runtime.GOARCH, OS: osInfo[2], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
-	gio.WiretrusteeVersion = NetbirdVersion()
+	gio.WiretrusteeVersion = version.NetbirdVersion()
 	gio.UIVersion = extractUserAgent(ctx)

 	return gio
--- a/client/system/info_linux.go
+++ b/client/system/info_linux.go
@@ -1,3 +1,6 @@
+//go:build !android
+// +build !android
+
 package system

 import (
@@ -9,6 +12,8 @@ import (
 	"runtime"
 	"strings"
 	"time"
+
+	"github.com/netbirdio/netbird/version"
 )

 // GetInfo retrieves and parses the system information
@@ -46,7 +51,7 @@ func GetInfo(ctx context.Context) *Info {
 	}
 	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: osInfo[2], OS: osName, OSVersion: osVer, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
-	gio.WiretrusteeVersion = NetbirdVersion()
+	gio.WiretrusteeVersion = version.NetbirdVersion()
 	gio.UIVersion = extractUserAgent(ctx)

 	return gio
--- a/client/system/info_windows.go
+++ b/client/system/info_windows.go
@@ -3,10 +3,13 @@ package system
 import (
 	"context"
 	"fmt"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/windows/registry"
 	"os"
 	"runtime"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows/registry"
+
+	"github.com/netbirdio/netbird/version"
 )

 // GetInfo retrieves and parses the system information
@@ -14,7 +17,7 @@ func GetInfo(ctx context.Context) *Info {
 	ver := getOSVersion()
 	gio := &Info{Kernel: "windows", OSVersion: ver, Core: ver, Platform: "unknown", OS: "windows", GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
-	gio.WiretrusteeVersion = NetbirdVersion()
+	gio.WiretrusteeVersion = version.NetbirdVersion()
 	gio.UIVersion = extractUserAgent(ctx)

 	return gio
@@ -32,7 +35,7 @@ func getOSVersion() string {
 			log.Error(deferErr)
 		}
 	}()
-	
+
 	major, _, err := k.GetIntegerValue("CurrentMajorVersionNumber")
 	if err != nil {
 		log.Error(err)
--- a/client/ui/client_ui.go
+++ b/client/ui/client_ui.go
@@ -6,6 +6,7 @@ package main

 import (
 	"context"
+	_ "embed"
 	"flag"
 	"fmt"
 	"os"
@@ -17,25 +18,22 @@ import (
 	"syscall"
 	"time"

-	"github.com/netbirdio/netbird/client/system"
-
+	"fyne.io/fyne/v2"
+	"fyne.io/fyne/v2/app"
+	"fyne.io/fyne/v2/dialog"
+	"fyne.io/fyne/v2/widget"
 	"github.com/cenkalti/backoff/v4"
-
-	_ "embed"
-
 	"github.com/getlantern/systray"
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/proto"
 	log "github.com/sirupsen/logrus"
 	"github.com/skratchdot/open-golang/open"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"

-	"fyne.io/fyne/v2"
-	"fyne.io/fyne/v2/app"
-	"fyne.io/fyne/v2/dialog"
-	"fyne.io/fyne/v2/widget"
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/client/system"
+	"github.com/netbirdio/netbird/version"
 )

 const (
@@ -373,7 +371,7 @@ func (s *serviceClient) onTrayReady() {
 	systray.AddSeparator()
 	s.mSettings = systray.AddMenuItem("Settings", "Settings of the application")
 	systray.AddSeparator()
-	v := systray.AddMenuItem("v"+system.NetbirdVersion(), "Client Version: "+system.NetbirdVersion())
+	v := systray.AddMenuItem("v"+version.NetbirdVersion(), "Client Version: "+version.NetbirdVersion())
 	v.Disable()
 	systray.AddSeparator()
 	s.mQuit = systray.AddMenuItem("Quit", "Quit the client app")
--- a/client/wireguard_nt.sh
+++ b/client/wireguard_nt.sh
@@ -1,27 +0,0 @@
-#!/bin/bash
-
-ldir=$PWD
-tmp_dir_path=$ldir/.distfiles
-winnt=wireguard-nt.zip
-download_file_path=$tmp_dir_path/$winnt
-download_url=https://download.wireguard.com/wireguard-nt/wireguard-nt-0.10.1.zip
-download_sha=772c0b1463d8d2212716f43f06f4594d880dea4f735165bd68e388fc41b81605
-
-function resources_windows(){
-  cmd=$1
-  arch=$2
-  out=$3
-  docker run -i --rm -v $PWD:$PWD -w $PWD mstorsjo/llvm-mingw:latest $cmd -O coff -c 65001 -I $tmp_dir_path/wireguard-nt/bin/$arch -i resources.rc -o $out
-}
-
-mkdir -p $tmp_dir_path
-curl -L#o $download_file_path.unverified $download_url
-echo "$download_sha  $download_file_path.unverified" | sha256sum -c
-mv $download_file_path.unverified $download_file_path
-
-mkdir -p .deps
-unzip $download_file_path -d $tmp_dir_path
-
-resources_windows i686-w64-mingw32-windres x86 resources_windows_386.syso
-resources_windows aarch64-w64-mingw32-windres arm64 resources_windows_arm64.syso
-resources_windows x86_64-w64-mingw32-windres amd64 resources_windows_amd64.syso
--- a/encryption/encryption.go
+++ b/encryption/encryption.go
@@ -3,10 +3,13 @@ package encryption
 import (
 	"crypto/rand"
 	"fmt"
+
 	"golang.org/x/crypto/nacl/box"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )

+const nonceSize = 24
+
 // A set of tools to encrypt/decrypt messages being sent through the Signal Exchange Service or Management Service
 // These tools use Golang crypto package (Curve25519, XSalsa20 and Poly1305 to encrypt and authenticate)
 // Wireguard keys are used for encryption
@@ -26,8 +29,11 @@ func Decrypt(encryptedMsg []byte, peerPublicKey wgtypes.Key, privateKey wgtypes.
 	if err != nil {
 		return nil, err
 	}
-	copy(nonce[:], encryptedMsg[:24])
-	opened, ok := box.Open(nil, encryptedMsg[24:], nonce, toByte32(peerPublicKey), toByte32(privateKey))
+	if len(encryptedMsg) < nonceSize {
+		return nil, fmt.Errorf("invalid encrypted message lenght")
+	}
+	copy(nonce[:], encryptedMsg[:nonceSize])
+	opened, ok := box.Open(nil, encryptedMsg[nonceSize:], nonce, toByte32(peerPublicKey), toByte32(privateKey))
 	if !ok {
 		return nil, fmt.Errorf("failed to decrypt message from peer %s", peerPublicKey.String())
 	}
@@ -36,8 +42,8 @@ func Decrypt(encryptedMsg []byte, peerPublicKey wgtypes.Key, privateKey wgtypes.
 }

 // Generates nonce of size 24
-func genNonce() (*[24]byte, error) {
-	var nonce [24]byte
+func genNonce() (*[nonceSize]byte, error) {
+	var nonce [nonceSize]byte
 	if _, err := rand.Read(nonce[:]); err != nil {
 		return nil, err
 	}
--- a/formatter/formatter.go
+++ b/formatter/formatter.go
@@ -10,15 +10,15 @@ import (

 // TextFormatter formats logs into text with included source code's path
 type TextFormatter struct {
-	TimestampFormat string
-	LevelDesc       []string
+	timestampFormat string
+	levelDesc       []string
 }

 // NewTextFormatter create new MyTextFormatter instance
 func NewTextFormatter() *TextFormatter {
 	return &TextFormatter{
-		LevelDesc:       []string{"PANC", "FATL", "ERRO", "WARN", "INFO", "DEBG", "TRAC"},
-		TimestampFormat: time.RFC3339, // or RFC3339
+		levelDesc:       []string{"PANC", "FATL", "ERRO", "WARN", "INFO", "DEBG", "TRAC"},
+		timestampFormat: time.RFC3339, // or RFC3339
 	}
 }

@@ -39,13 +39,13 @@ func (f *TextFormatter) Format(entry *logrus.Entry) ([]byte, error) {

 	level := f.parseLevel(entry.Level)

-	return []byte(fmt.Sprintf("%s %s %s%s: %s\n", entry.Time.Format(f.TimestampFormat), level, fields, entry.Data["source"], entry.Message)), nil
+	return []byte(fmt.Sprintf("%s %s %s%s: %s\n", entry.Time.Format(f.timestampFormat), level, fields, entry.Data["source"], entry.Message)), nil
 }

 func (f *TextFormatter) parseLevel(level logrus.Level) string {
-	if len(f.LevelDesc) < int(level) {
+	if len(f.levelDesc) < int(level) {
 		return ""
 	}

-	return f.LevelDesc[level]
+	return f.levelDesc[level]
 }
--- a/formatter/logcat.go
+++ b/formatter/logcat.go
@@ -0,0 +1,48 @@
+package formatter
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+)
+
+// LogcatFormatter formats logs into text what is fit for logcat
+type LogcatFormatter struct {
+	levelDesc []string
+}
+
+// NewLogcatFormatter create new LogcatFormatter instance
+func NewLogcatFormatter() *LogcatFormatter {
+	return &LogcatFormatter{
+		levelDesc: []string{"PANC", "FATL", "ERRO", "WARN", "INFO", "DEBG", "TRAC"},
+	}
+}
+
+// Format renders a single log entry
+func (f *LogcatFormatter) Format(entry *logrus.Entry) ([]byte, error) {
+	var fields string
+	keys := make([]string, 0, len(entry.Data))
+	for k, v := range entry.Data {
+		if k == "source" {
+			continue
+		}
+		keys = append(keys, fmt.Sprintf("%s: %v", k, v))
+	}
+
+	if len(keys) > 0 {
+		fields = fmt.Sprintf("[%s] ", strings.Join(keys, ", "))
+	}
+
+	level := f.parseLevel(entry.Level)
+
+	return []byte(fmt.Sprintf("[%s] %s%s %s\n", level, fields, entry.Data["source"], entry.Message)), nil
+}
+
+func (f *LogcatFormatter) parseLevel(level logrus.Level) string {
+	if len(f.levelDesc) < int(level) {
+		return ""
+	}
+
+	return f.levelDesc[level]
+}
--- a/formatter/logcat_test.go
+++ b/formatter/logcat_test.go
@@ -0,0 +1,28 @@
+package formatter
+
+import (
+	"testing"
+	"time"
+
+	"github.com/sirupsen/logrus"
+)
+
+func TestLogcatMessageFormat(t *testing.T) {
+
+	someEntry := &logrus.Entry{
+		Data:    logrus.Fields{"att1": 1, "att2": 2, "source": "some/fancy/path.go:46"},
+		Time:    time.Date(2021, time.Month(2), 21, 1, 10, 30, 0, time.UTC),
+		Level:   3,
+		Message: "Some Message",
+	}
+
+	formatter := NewLogcatFormatter()
+	result, _ := formatter.Format(someEntry)
+
+	expectedString := "[WARN] [att1: 1, att2: 2] some/fancy/path.go:46 Some Message\n"
+	expectedStringVariant := "[WARN] [att2: 2, att1: 1] some/fancy/path.go:46 Some Message\n"
+	parsedString := string(result)
+	if parsedString != expectedString && parsedString != expectedStringVariant {
+		t.Errorf("The log messages don't match. Expected: '%s', got: '%s'", expectedString, parsedString)
+	}
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Zoltan Papp	940367e1c6	Remove unused wait group	2023-04-18 18:59:11 +02:00
Zoltan Papp	c80cb22cc0	Add parallel processing	2023-04-17 16:44:45 +02:00
Zoltan Papp	d0e51dfc11	Fix Linux implementation	2023-04-17 14:46:14 +02:00
Zoltan Papp	7e11842a5e	Fix unix implementation	2023-04-17 14:37:51 +02:00
pzoli	1bf3e6feec	Better pkg destroyer	2023-04-17 14:37:51 +02:00
pzoli	c392fe44e4	Handle STUN msg	2023-04-17 14:37:51 +02:00
pzoli	fef24b4a4d	Update ICEBind to the latest Bind version	2023-04-17 14:37:48 +02:00
Zoltan Papp	bb1efe68aa	Update wireguard version to 9e2f38602202	2023-04-17 14:37:28 +02:00
Zoltan Papp	bb147c2a7c	Remove unnecessary uapi open (#807 ) Remove unnecessary uapi open from Android implementation	2023-04-17 11:50:12 +02:00
Zoltan Papp	4616bc5258	Add route management for Android interface (#801 ) Support client route management feature on Android	2023-04-17 11:15:37 +02:00
Zoltan Papp	1803cf3678	Fix error handling in case of the port is in used (#810 )	2023-04-14 16:18:00 +02:00
Zoltan Papp	9f35a7fb8d	Ignore ipv6 labeled address (#809 ) Ignore ipv6 labeled address	2023-04-14 15:40:27 +02:00
Misha Bragin	2eeed55c18	Bind implementation (#779 ) This PR adds supports for the WireGuard userspace implementation using Bind interface from wireguard-go. The newly introduced ICEBind struct implements Bind with UDPMux-based structs from pion/ice to handle hole punching using ICE. The core implementation was taken from StdBind of wireguard-go. The result is a single WireGuard port that is used for host and server reflexive candidates. Relay candidates are still handled separately and will be integrated in the following PRs. ICEBind checks the incoming packets for being STUN or WireGuard ones and routes them to UDPMux (to handle hole punching) or to WireGuard respectively.	2023-04-13 17:00:01 +02:00
Givi Khojanashvili	0343c5f239	Rollback simple ACL rules processing. (#803 )	2023-04-12 09:39:17 +02:00
Misha Bragin	251f2d7bc2	Pass newly generated ID to network map when adding peer (#800 )	2023-04-11 14:28:22 +02:00
Maycon Santos	306e02d32b	Update calculate server state (#796 ) Refactored updateServerStates and calculateState added some checks to ensure we are not sending connecting on context canceled removed some state updates from the RunClient function	2023-04-10 18:22:25 +02:00
pascal-fischer	8375491708	Merge pull request #778 from netbirdio/fix/consistent_time_format_for_pat fix/use_utc_for_time_operations	2023-04-10 18:11:41 +02:00
Pascal Fischer	e197b89ac3	remove UTC from some not store related operations	2023-04-10 11:09:27 +02:00
Pascal Fischer	6aba28ccb7	remove UTC from some not store related operations	2023-04-10 10:54:23 +02:00
Maycon Santos	8f9826b207	Fix export path for certificate files (#794 ) assign the value for NETBIRD_LETSENCRYPT_DOMAIN in the base.setup.env file	2023-04-07 10:34:17 +02:00
Zoltan Papp	0aad9169e9	Fix nil pointer exception (#790 ) Nil pointer exception fix. The error handling was in wrong order.	2023-04-06 18:15:55 +02:00
Maycon Santos	1057cd211d	Add scope and id token environment variables (#785 )	2023-04-05 21:57:47 +02:00
Maycon Santos	32b345991a	Support remote scope and use id token configuration (#784 ) Some IDP requires different scope requests and issue access tokens for different purposes This change allow for remote configurable scopes and the use of ID token	2023-04-05 17:46:34 +02:00
Maycon Santos	e903522f8c	Configurable port defaults from setup.env (#783 ) Allow configuring management and signal ports from setup.env Allow configuring Coturn range from setup.env	2023-04-05 15:22:06 +02:00
Maycon Santos	ea88ec6d27	Roolback configurable port defaults from setup.env	2023-04-05 11:42:14 +02:00
Maycon Santos	2be1a82f4a	Configurable port defaults from setup.env Allow configuring management and signal ports from setup.env Allow configuring Coturn range from setup.env	2023-04-05 11:39:22 +02:00
Maycon Santos	fe1ea4a2d0	Check multiple audience values (#781 ) Some IDP use different audience for different clients. This update checks HTTP and Device authorization flow audience values. --------- Co-authored-by: Givi Khojanashvili <gigovich@gmail.com>	2023-04-04 16:40:56 +02:00
Maycon Santos	f14f34cf2b	Add token source and device flow audience variables (#780 ) Supporting new dashboard option to configure a source token. Adding configuration support for setting a different audience for device authorization flow. fix custom id claim variable	2023-04-04 15:56:02 +02:00
Bethuel	109481e26d	Use first available package manager (#782 )	2023-04-04 14:26:17 +02:00
Bethuel	18098e7a7d	Add single line installer (#775 ) detect OS package manager If a supported package manager is not available, use binary installation Check if desktop environment is available Skip installing the UI client if SKIP_UI_APP is set to true added tests for Ubuntu and macOS tests	2023-04-04 00:35:54 +02:00
Ruakij	5993982cca	Add disable letsencrypt (#747 ) Add NETBIRD_DISABLE_LETSENCRYPT support to explicit disable let's encrypt Organize the setup.env.example variables into sections Add traefik example	2023-04-04 00:21:40 +02:00
Zoltan Papp	86f9051a30	Fix/connection listener (#777 ) Fix add/remove connection listener In case we call the RemoveConnListener from Java then we lose the reference from the original instance	2023-04-03 16:59:13 +02:00
Pascal Fischer	489892553a	use UTC everywhere in server	2023-04-03 15:09:35 +02:00
Pascal Fischer	b05e30ac5a	do not use UTC for time to stay consistent	2023-04-03 12:44:55 +02:00
pascal-fischer	769388cd21	Merge pull request #776 from netbirdio/feature/activity_events_for_pat feature/activity_events_for_pat	2023-04-03 12:27:51 +02:00
pascal-fischer	c54fb9643c	Merge pull request #774 from netbirdio/feature/add_pat_middleware Feature/add pat middleware	2023-04-03 12:09:11 +02:00
Givi Khojanashvili	5dc0ff42a5	Fix broken auto-generated Rego rule (#769 ) Default Rego policy generated from the rules in some cases is broken. This change fixes the Rego template for rules to generate policies. Also, file store load constantly regenerates policy objects from rules. It allows updating/fixing of the default Rego template during releases.	2023-04-01 12:02:08 +02:00
Pascal Fischer	45badd2c39	add event store to user tests	2023-04-01 11:11:30 +02:00
Pascal Fischer	d3de035961	error responses always lower case + duplicate error response fix	2023-04-01 11:04:21 +02:00
Pascal Fischer	b2da0ae70f	add activity events on PAT creation and deletion	2023-03-31 17:41:22 +02:00
Pascal Fischer	931c20c8fe	fix test name	2023-03-31 12:45:10 +02:00
Pascal Fischer	2eaf4aa8d7	add test for auth middleware	2023-03-31 12:44:22 +02:00
Pascal Fischer	110067c00f	change order for access control checks and aquire account lock after global lock	2023-03-31 12:03:53 +02:00
Pascal Fischer	32c96c15b8	disable linter errors by comment	2023-03-31 10:30:05 +02:00
Pascal Fischer	ca1dc5ac88	disable access control for token endpoint	2023-03-30 19:03:44 +02:00
Pascal Fischer	ce775d59ae	revert codacy	2023-03-30 18:59:35 +02:00
Pascal Fischer	f273fe9f51	revert codacy	2023-03-30 18:54:55 +02:00
Pascal Fischer	e08af7fcdf	codacy	2023-03-30 17:46:21 +02:00
Pascal Fischer	454240ca05	comments for codacy	2023-03-30 17:32:44 +02:00
Pascal Fischer	1343a3f00e	add test + codacy	2023-03-30 16:43:39 +02:00
Pascal Fischer	2a79995706	fix linter	2023-03-30 16:22:15 +02:00
Pascal Fischer	e869882da1	fix merge	2023-03-30 16:14:51 +02:00
Pascal Fischer	6c8bb60632	fix merge	2023-03-30 16:06:46 +02:00
Pascal Fischer	4d7029d80c	Merge branch 'main' into feature/add_pat_middleware # Conflicts: # management/server/grpcserver.go # management/server/http/middleware/jwt.go	2023-03-30 16:06:21 +02:00
pascal-fischer	909f305728	Merge pull request #766 from netbirdio/feature/add_rest_endpoints_for_pat Feature/add rest endpoints for pat	2023-03-30 15:55:48 +02:00
Pascal Fischer	5e2f66d591	fix codacy	2023-03-30 15:23:24 +02:00
Pascal Fischer	a7519859bc	fix test	2023-03-30 14:15:44 +02:00
Pascal Fischer	9b000b89d5	Merge branch 'feature/add_rest_endpoints_for_pat' into feature/add_pat_middleware # Conflicts: # management/server/mock_server/account_mock.go	2023-03-30 14:02:58 +02:00
Pascal Fischer	5c1acdbf2f	move validation into account manager + func for get requests	2023-03-30 13:58:44 +02:00
Pascal Fischer	db3a9f0aa2	refactor jwt token validation and add PAT to middleware auth	2023-03-30 10:54:09 +02:00
Pascal Fischer	ecc4f8a10d	fix Pat handler test	2023-03-29 19:13:01 +02:00
Pascal Fischer	03abdfa112	return empty object on all handlers instead of empty string	2023-03-29 18:46:40 +02:00
Pascal Fischer	9746a7f61a	remove debug logs	2023-03-29 18:27:01 +02:00
Pascal Fischer	4ec6d5d20b	remove debug logs	2023-03-29 18:23:10 +02:00
Pascal Fischer	3bab745142	last_used can be nil	2023-03-29 17:46:09 +02:00
Pascal Fischer	0ca3d27a80	update account mock	2023-03-29 15:25:44 +02:00
Pascal Fischer	c5942e6b33	store hashed token base64 encoded	2023-03-29 15:21:53 +02:00
Pascal Fischer	726ffb5740	add comments for exported functions	2023-03-29 15:06:54 +02:00
Maycon Santos	dfb7960cd4	Fix pre-shared key query name for android configuration (#773 )	2023-03-29 10:41:14 +02:00
Zoltan Papp	ab0cf1b8aa	Fix slice bounds out of range in msg decryption (#768 )	2023-03-29 10:40:31 +02:00
Zoltan Papp	8ebd6ce963	Add OnDisconnecting service callback (#767 ) Add OnDisconnecting service callback for mobile	2023-03-29 10:39:54 +02:00
Pascal Fischer	42ba0765c8	fix linter	2023-03-28 14:54:06 +02:00
Pascal Fischer	514403db37	use object instead of plain token for create response + handler test	2023-03-28 14:47:15 +02:00
Zoltan Papp	488d338ce8	Refactor the authentication part of mobile exports (#759 ) Refactor the auth code into async calls for mobile framework --------- Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>	2023-03-28 09:57:23 +02:00
Pascal Fischer	6a75ec4ab7	fix http error codes	2023-03-27 17:42:05 +02:00
Pascal Fischer	b66e984ddd	set limits for expiration	2023-03-27 17:28:24 +02:00
Pascal Fischer	c65a934107	refactor to use name instead of description	2023-03-27 16:28:49 +02:00
Zoltan Papp	55ebf93815	Fix nil pointer exception when create config (#765 ) The config stored in a wrong variable when has been generated a new config	2023-03-27 15:37:58 +02:00
Pascal Fischer	9e74f30d2f	fix delete token parameter lookup	2023-03-27 15:19:19 +02:00
Zoltan Papp	71d24e59e6	Add fqdn and address for notification listener (#757 ) Extend the status notification listeners with FQDN and address changes. It is required for mobile services.	2023-03-24 18:51:35 +01:00
Zoltan Papp	992cfe64e1	Add ipv6 test for stdnet pkg (#761 )	2023-03-24 10:46:40 +01:00
Zoltan Papp	d1703479ff	Add custom ice stdnet implementation (#754 ) On Android, because of the hard SELinux policies can not list the interfaces of the ICE package. Without it can not generate a host type candidate. In this pull request, the list of interfaces comes via the Java interface.	2023-03-24 08:40:39 +01:00
Maycon Santos	a27fe4326c	Add JWT middleware validation failure log (#760 ) We will log the middleware log now, but in the next releases we should provide a generic error that can be parsed by the dashboard.	2023-03-23 18:26:41 +01:00
Misha Bragin	e6292e3124	Disable peer expiration of peers added with setup keys (#758 )	2023-03-23 17:47:53 +01:00
Maycon Santos	628b497e81	Adjustments for the change server flow (#756 ) Check SSO support by calling the internal.GetDeviceAuthorizationFlowInfo Rename LoginSaveConfigIfSSOSupported to SaveConfigIfSSOSupported Receive device name as input for setup-key login have a default android name when no context value is provided log non parsed errors from management registration calls	2023-03-23 16:35:06 +01:00
Bethuel	8f66dea11c	Add Keycloak Idp Manager (#746 ) Added intergration with keycloak user API.	2023-03-23 14:54:31 +01:00
Pascal Fischer	de8608f99f	add rest endpoints and update openapi doc	2023-03-21 16:02:19 +01:00
pascal-fischer	9c5adfea2b	Merge pull request #745 from netbirdio/feature/pat_persistence PAT persistence	2023-03-21 14:38:24 +01:00
Pascal Fischer	8e4710763e	use single line return for SaveAccount	2023-03-21 14:02:34 +01:00
Pascal Fischer	82af60838e	use "ok" convention for check variables throughout files_store	2023-03-21 14:00:59 +01:00
Pascal Fischer	311b67fe5a	change error messages	2023-03-21 13:56:31 +01:00
Pascal Fischer	94d39ab48c	improve style for tests	2023-03-21 13:34:48 +01:00
Pascal Fischer	41a47be379	add function comments, implement account mock functions and added error handling in tests	2023-03-20 16:38:17 +01:00
Pascal Fischer	e30def175b	switch PATs to map and add deletion	2023-03-20 16:14:55 +01:00
Pascal Fischer	e1ef091d45	remove unnecessary string conversion	2023-03-20 12:08:01 +01:00
pascal-fischer	511ba6d51f	Delete pat_handler.go	2023-03-20 11:47:54 +01:00
Pascal Fischer	b852198f67	codacy and lint hints	2023-03-20 11:44:12 +01:00
Zoltan Papp	891ba277b1	Mobile (#735 ) Initial modification to support mobile client Export necessary interfaces for Android framework	2023-03-17 10:37:27 +01:00
Zoltan Papp	747797271e	Fix connstate indication (#732 ) Fix the status indication in the client service. The status of the management server and the signal server was incorrect if the network connection was broken. Basically the status update was not used by the management and signal library.	2023-03-16 17:22:36 +01:00
Pascal Fischer	628a201e31	fix PAT array split	2023-03-16 16:59:32 +01:00
Maycon Santos	731d3ae464	Exchange proxy mode via signal (#727 ) Before defining if we will use direct or proxy connection we will exchange a message with the other peer if the modes match we keep the decision from the shouldUseProxy function otherwise we skip using direct connection. Added a feature support message to the signal protocol	2023-03-16 16:46:17 +01:00
Pascal Fischer	453643683d	add method to account mock	2023-03-16 16:44:05 +01:00
Pascal Fischer	b8cab2882b	storing and retrieving PATs	2023-03-16 15:57:44 +01:00
pascal-fischer	6143b819c5	Merge pull request #725 from netbirdio/feature/add_PAT_generation Adding Personal Access Token generation	2023-03-16 15:50:40 +01:00
Pascal Fischer	3b42d5e48a	fix imports after merge	2023-03-16 11:59:12 +01:00
Pascal Fischer	1d4dfa41d2	clean dependencies	2023-03-16 11:46:53 +01:00
pascal-fischer	f8db5742b5	Merge branch 'main' into feature/add_PAT_generation	2023-03-16 11:36:43 +01:00
Pascal Fischer	bc3cec23ec	use slice copy	2023-03-16 11:32:55 +01:00
Givi Khojanashvili	f03aadf064	Feat firewall controller interface (#740 ) Add a standard interface for the client firewall to support ACL.	2023-03-16 13:00:08 +04:00
Zoltan Papp	292ee260ad	Add version info command to signal server (#739 ) Add version command to signal and management servers. The version information will be filled during build time.	2023-03-15 07:54:51 +01:00
Givi Khojanashvili	2a1efbd0fd	Don't drop Rules from file storage after migration to Policies (#741 ) Rego policy migration clears the rules property of the file storage, but it does not allow rollback management upgrade, so this changes pre-saves rules in the file store and updates it from the policies.	2023-03-15 09:42:40 +04:00
Givi Khojanashvili	3bfa26b13b	Feat rego default policy (#700 ) Converts rules to Rego policies and allow users to write raw policies to set up connectivity and firewall on the clients.	2023-03-13 18:14:18 +04:00
Misha Bragin	221934447e	Send remote agents updates when peer re-authenticates (#737 ) When peer login expires, all remote peers are updated to exclude the peer from connecting. Once a peer re-authenticates, the remote peers are not updated. This peer fixes the behavior.	2023-03-10 17:39:29 +01:00
Misha Bragin	9ce8056b17	Use global login expiration setting when sending network map (#731 ) Peers were considered expired and not sent to remote peers when global expiration was disabled.	2023-03-09 11:24:42 +01:00
Misha Bragin	c65a5acab9	Update release banner	2023-03-09 08:24:25 +01:00
Pascal Fischer	62de082961	fix account test	2023-03-08 12:21:44 +01:00
Pascal Fischer	c4d9b76634	add comment for exported const	2023-03-08 12:09:22 +01:00
Pascal Fischer	b4bb5c6bb8	use const and do array copy	2023-03-08 11:54:10 +01:00
Pascal Fischer	2b1965c941	switch secret generation to use lib	2023-03-08 11:36:03 +01:00
Pascal Fischer	83e7e30218	store hashedToken as string	2023-03-08 11:30:09 +01:00
Zoltan Papp	24310c63e2	Remove mgm close steps, in defer doing it already (#729 ) Simple code cleaning. Remove duplicated steps in login. In the defer already close the management connection.	2023-03-07 15:01:47 +01:00
Misha Bragin	ed4f90b6aa	Report offline peers to agents (#728 ) The peer login expiration ACL check introduced in #714 filters out peers that are expired and agents receive a network map without that expired peers. However, the agents should see those peers in status "Disconnected". This PR extends the Agent <-> Management protocol by introducing a new field OfflinePeers that contain expired peers. Agents keep track of those and display then just in the Status response.	2023-03-07 10:17:25 +01:00
Maycon Santos	0e9610c5b2	Refactor/clean shouldUseProxy (#722 ) make code more readable by split code into smaller functions add CandidateTypePeerReflexive check Add shouldUseProxy tests	2023-03-06 17:33:54 +01:00
Pascal Fischer	ed470d7dbe	add comments for exported functions	2023-03-06 14:46:04 +01:00
Pascal Fischer	cb8abacadd	extend User Copy function	2023-03-06 14:01:18 +01:00
Pascal Fischer	bcac5f7b32	fixed some namings	2023-03-06 13:51:32 +01:00
Pascal Fischer	95d87384ab	fixed some namings	2023-03-06 13:49:07 +01:00
Maycon Santos	ea3899e6d6	Update ICE to version 2.3.1 (#720 ) It resolves a TLS relay issue with servername fixes #719	2023-03-05 16:42:49 +01:00
Zoltan Papp	337d3edcc4	Use the conn state of peer on proper way (#717 ) The ConnStatus is a custom type based on iota like an enum. The problem was nowhere used to the benefits of this implementation. All ConnStatus instances has been compared with strings. I suppose the reason to do it to avoid a circle dependency. In this commit the separated status package has been moved to peer package. Remove unused, exported functions from engine	2023-03-03 19:49:18 +01:00
Misha Bragin	e914adb5cd	Move Login business logic from gRPC API to Accountmanager (#713 ) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.	2023-03-03 18:35:38 +01:00
Pascal Fischer	2f2d45de9e	updated PAT struct to only use user id instead of user	2023-03-03 16:37:39 +01:00
Pascal Fischer	b3f339c753	improved code for token checksum calc	2023-03-03 14:51:33 +01:00
Pascal Fischer	e0fc779f58	add id to the PAT	2023-03-02 16:19:31 +01:00
Pascal Fischer	69be2a8071	add generating token (only frame for now, actual token is only dummy)	2023-03-01 20:12:04 +01:00