Merge remote-tracking branch 'origin/main' into ssh

# Conflicts:
#	go.sum

.github/workflows/golang-test-darwin.yml

@@ -0,0 +1,29 @@
+name: Test Code Darwin
+on: [push,pull_request]
+jobs:
+  test:
+    strategy:
+      matrix:
+        go-version: [1.18.x]
+    runs-on: macos-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: macos-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            macos-go-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: Test
+        run: go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...

.github/workflows/golang-test-linux.yml

@@ -0,0 +1,34 @@
+name: Test Code Linux
+on: [push,pull_request]
+jobs:
+  test:
+    strategy:
+      matrix:
+        go-version: [1.18.x]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: Test
+        run: go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...

.github/workflows/golang-test-windows.yml

@@ -0,0 +1,57 @@
+name: Test Code Windows
+on: [push,pull_request]
+jobs:
+  pre:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - run: bash -x wireguard_nt.sh
+        working-directory: client
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: syso
+          path: client/*.syso
+          retention-days: 1
+
+  test:
+    needs: pre
+    strategy:
+      matrix:
+        go-version: [1.18.x]
+    runs-on: windows-latest
+    steps:
+      - name: disable defender
+        run: Set-MpPreference -DisableRealtimeMonitoring $true
+
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - uses: actions/cache@v2
+        with:
+          path: |
+            %LocalAppData%\go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: enable defender
+        run: Set-MpPreference -DisableRealtimeMonitoring $false
+
+      - uses: actions/download-artifact@v2
+        with:
+          name: syso
+          path: iface\
+
+#      - name: Install modules
+#        run: go mod tidy
+
+      - name: Test
+        run: go test -tags=load_wgnt_from_rsrc -timeout 5m -p 1 ./...

.github/workflows/golang-test.yml

@@ -1,59 +0,0 @@
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-name: Test
-jobs:
-  test:
-    strategy:
-      matrix:
-        go-version: [1.16.x]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ matrix.go-version }}
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Test
-        run: GOBIN=$(which go) && sudo --preserve-env=GOROOT $GOBIN test -p 1 ./...
-
-  test_build:
-    strategy:
-      matrix:
-        os: [ windows, linux, darwin ]
-        go-version: [1.16.x]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Install Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ matrix.go-version }}
-
-      - name: Cache Go modules
-        uses: actions/cache@v1
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: run build client
-        run: GOOS=${{ matrix.os }} go build .
-        working-directory: client
-
-      - name: run build management
-        run: GOOS=${{ matrix.os }} go build .
-        working-directory: management
-
-      - name: run build signal
-        run: GOOS=${{ matrix.os }} go build .
-        working-directory: signal

.github/workflows/golangci-lint.yml

@@ -1,16 +1,17 @@
 name: golangci-lint
-on:
-  push:
-    branches:
-      - main
-  pull_request:
+on: [pull_request]
 jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v2
+        with:
+          args: --timeout=6m
 
 

.github/workflows/release.yml

@@ -4,6 +4,12 @@ on:
   push:
     tags:
       - 'v*'
+    branches:
+      - main
+  pull_request:
+
+env:
+  SIGN_PIPE_VER: "v0.0.3"
 
 jobs:
   release:
@@ -14,11 +20,15 @@ jobs:
         uses: actions/checkout@v2
         with:
           fetch-depth: 0 # It is required for GoReleaser to work properly
+
+      - name: Generate syso with DLL
+        run: bash -x wireguard_nt.sh
+        working-directory: client
       -
         name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16
+          go-version: 1.18
       -
         name: Cache Go modules
         uses: actions/cache@v1
@@ -38,28 +48,99 @@ jobs:
         uses: docker/setup-buildx-action@v1
       -
         name: Login to Docker hub
+        if: github.event_name != 'pull_request'
         uses: docker/login-action@v1
         with:
-          username: ${{ secrets.DOCKER_USER }}
+          username: netbirdio
           password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-mingw-w64-x86-64
+
+      - name: Install rsrc
+        run: go install github.com/akavel/rsrc@v0.10.2
+
+      - name: Generate windows rsrc
+        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/ui/manifest.xml -o client/ui/resources_windows_amd64.syso
+
       -
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: latest
+          version: v1.6.3
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
           UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
           UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-
       -
         name: Trigger Windows binaries sign pipeline
         uses: benc-uk/workflow-dispatch@v1
+        if: startsWith(github.ref, 'refs/tags/')
         with:
           workflow: Sign windows bin and installer
-          repo: wiretrustee/windows-sign-pipeline
-          ref: v0.0.1
+          repo: netbirdio/sign-pipelines
+          ref: ${{ env.SIGN_PIPE_VER }}
           token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
+          inputs: '{ "tag": "${{ github.ref }}" }'
+      -
+        name: upload non tags for debug purposes
+        uses: actions/upload-artifact@v2
+        with:
+          name: build
+          path: dist/
+          retention-days: 3
+          
+  release_ui:
+    runs-on: macos-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
+      -
+        name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.18
+      -
+        name: Cache Go modules
+        uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      -
+        name: Install modules
+        run: go mod tidy
+      -
+        name: Run GoReleaser
+        id: goreleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          version: v1.6.3
+          args: release --config .goreleaser_ui_darwin.yaml --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      -
+        name: Trigger Darwin App binaries sign pipeline
+        uses: benc-uk/workflow-dispatch@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          workflow: Sign darwin ui app with dispatch
+          repo: netbirdio/sign-pipelines
+          ref: ${{ env.SIGN_PIPE_VER }}
+          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref }}" }'
+
+      -
+        name: upload non tags for debug purposes
+        uses: actions/upload-artifact@v2
+        with:
+          name: build-ui-darwin
+          path: dist/
+          retention-days: 3

.gitignore

@@ -1,8 +1,11 @@
 .idea
 *.iml
 dist/
+bin/
 .env
 conf.json
 http-cmds.sh
 infrastructure_files/management.json
-infrastructure_files/docker-compose.yml
+infrastructure_files/docker-compose.yml
+*.syso
+client/.distfiles/

.goreleaser.yaml

@@ -1,10 +1,9 @@
-project_name: wiretrustee
+project_name: netbird
 builds:
-  - id: wiretrustee
+  - id: netbird
     dir: client
-    binary: wiretrustee
+    binary: netbird
     env: [CGO_ENABLED=0]
-
     goos:
       - linux
       - darwin
@@ -23,15 +22,15 @@ builds:
       - goos: windows
         goarch: arm
     ldflags:
-      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: '{{ .CommitTimestamp }}'
     tags:
-      - load_wintun_from_rsrc
+      - load_wgnt_from_rsrc
 
-  - id: wiretrustee-mgmt
+  - id: netbird-mgmt
     dir: management
     env: [CGO_ENABLED=0]
-    binary: wiretrustee-mgmt
+    binary: netbird-mgmt
     goos:
       - linux
     goarch:
@@ -42,10 +41,10 @@ builds:
       - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: '{{ .CommitTimestamp }}'
 
-  - id: wiretrustee-signal
+  - id: netbird-signal
     dir: signal
     env: [CGO_ENABLED=0]
-    binary: wiretrustee-signal
+    binary: netbird-signal
     goos:
       - linux
     goarch:
@@ -55,40 +54,132 @@ builds:
     ldflags:
       - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: '{{ .CommitTimestamp }}'
+
+  - id: netbird-ui
+    dir: client/ui
+    binary: netbird-ui
+    env:
+      - CGO_ENABLED=1
+    goos:
+      - linux
+    goarch:
+      - amd64
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
+  - id: netbird-ui-windows
+    dir: client/ui
+    binary: netbird-ui
+    env:
+      - CGO_ENABLED=1
+      - CC=x86_64-w64-mingw32-gcc
+    goos:
+      - windows
+    goarch:
+      - amd64
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -H windowsgui
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
 archives:
   - builds:
-      - wiretrustee
-nfpms:
-  - maintainer: Wiretrustee <dev@wiretrustee.com>
-    description: Wiretrustee client.
-    homepage: https://wiretrustee.com/
-    id: deb
+      - netbird
+  - id: linux-arch
+    name_template: "{{ .ProjectName }}-ui-linux_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
     builds:
-      - wiretrustee
+      - netbird-ui
+  - id: windows-arch
+    name_template: "{{ .ProjectName }}-ui-windows_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    builds:
+      - netbird-ui-windows
+
+nfpms:
+
+  - maintainer: Netbird <dev@netbird.io>
+    description: Netbird client UI.
+    homepage: https://netbird.io/
+    id: netbird-ui-deb
+    package_name: netbird-ui
+    builds:
+      - netbird-ui
     formats:
       - deb
+    contents:
+      - src: client/ui/netbird.desktop
+        dst: /usr/share/applications/netbird.desktop
+      - src: client/ui/disconnected.png
+        dst: /usr/share/pixmaps/netbird.png
+    dependencies:
+      - libayatana-appindicator3-1
+      - libgtk-3-dev
+      - libappindicator3-dev
+      - netbird
+
+  - maintainer: Netbird <dev@netbird.io>
+    description: Netbird client UI.
+    homepage: https://netbird.io/
+    id: netbird-ui-rpm
+    package_name: netbird-ui
+    builds:
+      - netbird-ui
+    formats:
+      - rpm
+    contents:
+      - src: client/ui/netbird.desktop
+        dst: /usr/share/applications/netbird.desktop
+      - src: client/ui/disconnected.png
+        dst: /usr/share/pixmaps/netbird.png
+    dependencies:
+      - libayatana-appindicator3-1
+      - libgtk-3-dev
+      - libappindicator3-dev
+      - netbird
+
+  - maintainer: Netbird <dev@netbird.io>
+    description: Netbird client.
+    homepage: https://netbird.io/
+    id: netbird-deb
+    bindir: /usr/bin
+    builds:
+      - netbird
+    formats:
+      - deb
+
+    replaces:
+      - wiretrustee
+    conflicts:
+      - wiretrustee
 
     scripts:
       postinstall: "release_files/post_install.sh"
       preremove: "release_files/pre_remove.sh"
 
-  - maintainer: Wiretrustee <dev@wiretrustee.com>
-    description: Wiretrustee client.
-    homepage: https://wiretrustee.com/
-    id: rpm
+  - maintainer: Netbird <dev@netbird.io>
+    description: Netbird client.
+    homepage: https://netbird.io/
+    id: netbird-rpm
+    bindir: /usr/bin
     builds:
-      - wiretrustee
+      - netbird
     formats:
       - rpm
 
+    replaces:
+      - wiretrustee
+
+    conflicts:
+      - wiretrustee
+
     scripts:
       postinstall: "release_files/post_install.sh"
       preremove: "release_files/pre_remove.sh"
 dockers:
   - image_templates:
-      - wiretrustee/wiretrustee:{{ .Version }}-amd64
+      - netbirdio/netbird:{{ .Version }}-amd64
     ids:
-      - wiretrustee
+      - netbird
     goarch: amd64
     use: buildx
     dockerfile: client/Dockerfile
@@ -99,11 +190,11 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
   - image_templates:
-      - wiretrustee/wiretrustee:{{ .Version }}-arm64v8
+      - netbirdio/netbird:{{ .Version }}-arm64v8
     ids:
-      - wiretrustee
+      - netbird
     goarch: arm64
     use: buildx
     dockerfile: client/Dockerfile
@@ -114,11 +205,11 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
   - image_templates:
-      - wiretrustee/wiretrustee:{{ .Version }}-arm
+      - netbirdio/netbird:{{ .Version }}-arm
     ids:
-      - wiretrustee
+      - netbird
     goarch: arm
     goarm: 6
     use: buildx
@@ -130,11 +221,11 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
   - image_templates:
-      - wiretrustee/signal:{{ .Version }}-amd64
+      - netbirdio/signal:{{ .Version }}-amd64
     ids:
-      - wiretrustee-signal
+      - netbird-signal
     goarch: amd64
     use: buildx
     dockerfile: signal/Dockerfile
@@ -145,11 +236,11 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
   - image_templates:
-      - wiretrustee/signal:{{ .Version }}-arm64v8
+      - netbirdio/signal:{{ .Version }}-arm64v8
     ids:
-      - wiretrustee-signal
+      - netbird-signal
     goarch: arm64
     use: buildx
     dockerfile: signal/Dockerfile
@@ -160,11 +251,11 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
   - image_templates:
-      - wiretrustee/signal:{{ .Version }}-arm
+      - netbirdio/signal:{{ .Version }}-arm
     ids:
-      - wiretrustee-signal
+      - netbird-signal
     goarch: arm
     goarm: 6
     use: buildx
@@ -176,11 +267,11 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
   - image_templates:
-      - wiretrustee/management:{{ .Version }}-amd64
+      - netbirdio/management:{{ .Version }}-amd64
     ids:
-      - wiretrustee-mgmt
+      - netbird-mgmt
     goarch: amd64
     use: buildx
     dockerfile: management/Dockerfile
@@ -191,11 +282,11 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
   - image_templates:
-      - wiretrustee/management:{{ .Version }}-arm64v8
+      - netbirdio/management:{{ .Version }}-arm64v8
     ids:
-      - wiretrustee-mgmt
+      - netbird-mgmt
     goarch: arm64
     use: buildx
     dockerfile: management/Dockerfile
@@ -206,11 +297,11 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
   - image_templates:
-      - wiretrustee/management:{{ .Version }}-arm
+      - netbirdio/management:{{ .Version }}-arm
     ids:
-      - wiretrustee-mgmt
+      - netbird-mgmt
     goarch: arm
     goarm: 6
     use: buildx
@@ -222,11 +313,11 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
   - image_templates:
-      - wiretrustee/management:{{ .Version }}-debug-amd64
+      - netbirdio/management:{{ .Version }}-debug-amd64
     ids:
-      - wiretrustee-mgmt
+      - netbird-mgmt
     goarch: amd64
     use: buildx
     dockerfile: management/Dockerfile.debug
@@ -237,11 +328,11 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
   - image_templates:
-      - wiretrustee/management:{{ .Version }}-debug-arm64v8
+      - netbirdio/management:{{ .Version }}-debug-arm64v8
     ids:
-      - wiretrustee-mgmt
+      - netbird-mgmt
     goarch: arm64
     use: buildx
     dockerfile: management/Dockerfile.debug
@@ -252,12 +343,12 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
 
   - image_templates:
-      - wiretrustee/management:{{ .Version }}-debug-arm
+      - netbirdio/management:{{ .Version }}-debug-arm
     ids:
-      - wiretrustee-mgmt
+      - netbird-mgmt
     goarch: arm
     goarm: 6
     use: buildx
@@ -269,78 +360,85 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=wiretrustee@wiretrustee.com"
+      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
-  - name_template: wiretrustee/wiretrustee:{{ .Version }}
+  - name_template: netbirdio/netbird:{{ .Version }}
     image_templates:
-      - wiretrustee/wiretrustee:{{ .Version }}-arm64v8
-      - wiretrustee/wiretrustee:{{ .Version }}-arm
-      - wiretrustee/wiretrustee:{{ .Version }}-amd64
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+      - netbirdio/netbird:{{ .Version }}-arm
+      - netbirdio/netbird:{{ .Version }}-amd64
 
-  - name_template: wiretrustee/wiretrustee:latest
+  - name_template: netbirdio/netbird:latest
     image_templates:
-      - wiretrustee/wiretrustee:{{ .Version }}-arm64v8
-      - wiretrustee/wiretrustee:{{ .Version }}-arm
-      - wiretrustee/wiretrustee:{{ .Version }}-amd64
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+      - netbirdio/netbird:{{ .Version }}-arm
+      - netbirdio/netbird:{{ .Version }}-amd64
 
-  - name_template: wiretrustee/signal:{{ .Version }}
+  - name_template: netbirdio/signal:{{ .Version }}
     image_templates:
-      - wiretrustee/signal:{{ .Version }}-arm64v8
-      - wiretrustee/signal:{{ .Version }}-arm
-      - wiretrustee/signal:{{ .Version }}-amd64
+      - netbirdio/signal:{{ .Version }}-arm64v8
+      - netbirdio/signal:{{ .Version }}-arm
+      - netbirdio/signal:{{ .Version }}-amd64
 
-  - name_template: wiretrustee/signal:latest
+  - name_template: netbirdio/signal:latest
     image_templates:
-      - wiretrustee/signal:{{ .Version }}-arm64v8
-      - wiretrustee/signal:{{ .Version }}-arm
-      - wiretrustee/signal:{{ .Version }}-amd64
+      - netbirdio/signal:{{ .Version }}-arm64v8
+      - netbirdio/signal:{{ .Version }}-arm
+      - netbirdio/signal:{{ .Version }}-amd64
 
-  - name_template: wiretrustee/management:{{ .Version }}
+  - name_template: netbirdio/management:{{ .Version }}
     image_templates:
-      - wiretrustee/management:{{ .Version }}-arm64v8
-      - wiretrustee/management:{{ .Version }}-arm
-      - wiretrustee/management:{{ .Version }}-amd64
+      - netbirdio/management:{{ .Version }}-arm64v8
+      - netbirdio/management:{{ .Version }}-arm
+      - netbirdio/management:{{ .Version }}-amd64
 
-  - name_template: wiretrustee/management:latest
+  - name_template: netbirdio/management:latest
     image_templates:
-      - wiretrustee/management:{{ .Version }}-arm64v8
-      - wiretrustee/management:{{ .Version }}-arm
-      - wiretrustee/management:{{ .Version }}-amd64
+      - netbirdio/management:{{ .Version }}-arm64v8
+      - netbirdio/management:{{ .Version }}-arm
+      - netbirdio/management:{{ .Version }}-amd64
 
-  - name_template: wiretrustee/management:debug-latest
+  - name_template: netbirdio/management:debug-latest
     image_templates:
-      - wiretrustee/management:{{ .Version }}-debug-arm64v8
-      - wiretrustee/management:{{ .Version }}-debug-arm
-      - wiretrustee/management:{{ .Version }}-debug-amd64
+      - netbirdio/management:{{ .Version }}-debug-arm64v8
+      - netbirdio/management:{{ .Version }}-debug-arm
+      - netbirdio/management:{{ .Version }}-debug-amd64
 
 brews:
   -
+    ids:
+      - default
     tap:
-      owner: wiretrustee
-      name: homebrew-client
+      owner: netbirdio
+      name: homebrew-tap
       token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
     commit_author:
-      name: Wiretrustee
-      email: wiretrustee@wiretrustee.com
-    description: Wiretrustee project.
+      name: Netbird
+      email: dev@netbird.io
+    description: Netbird project.
     download_strategy: CurlDownloadStrategy
-    homepage: https://wiretrustee.com/
+    homepage: https://netbird.io/
     license: "BSD3"
     test: |
-      system "#{bin}/{{ .ProjectName	}} -h"
+      system "#{bin}/{{ .ProjectName	}} version"
+    conflicts:
+      - wiretrustee
 
 uploads:
   - name: debian
     ids:
-    - deb
+    - netbird-deb
+    - netbird-ui-deb
     mode: archive
     target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
     username: dev@wiretrustee.com
     method: PUT
+
   - name: yum
     ids:
-      - rpm
+      - netbird-rpm
+      - netbird-ui-rpm
     mode: archive
     target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
     username: dev@wiretrustee.com
-    method: PUT
+    method: PUT

.goreleaser_ui_darwin.yaml

@@ -0,0 +1,27 @@
+project_name: netbird-ui
+builds:
+  - id: netbird-ui-darwin
+    dir: client/ui
+    binary: netbird-ui
+    env: [CGO_ENABLED=1]
+
+    goos:
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    gomips:
+      - hardfloat
+      - softfloat
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/client/ui/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    tags:
+      - load_wgnt_from_rsrc
+
+archives:
+  - builds:
+      - netbird-ui-darwin
+
+changelog:
+  skip: true

AUTHORS

@@ -1,2 +1,3 @@
 Mikhail Bragin (https://github.com/braginini)
 Maycon Santos (https://github.com/mlsmaycon)
+Wiretrustee UG (haftungsbeschränkt)

CODE_OF_CONDUCT.md

@@ -0,0 +1,132 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+dev@wiretrustee.com.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2021 Wiretrustee AUTHORS
+Copyright (c) 2022 Wiretrustee UG (haftungsbeschränkt) & AUTHORS
 
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 

README.md

@@ -1,21 +1,42 @@
+<p align="center">
+ <strong>:hatching_chick: New release! Beta Update May 2022</strong>.
+  <a href="https://github.com/netbirdio/netbird/releases/tag/v0.6.0">
+       Learn more
+     </a>   
+</p>
+
+<br/>
 <div align="center">
 
 <p align="center">
-  <img width="250" src="docs/media/logo-full.png"/>
+  <img width="234" src="docs/media/logo-full.png"/>
 </p>
 
   <p>
-    <img src="https://img.shields.io/badge/license-BSD--3-blue" />
-    <img src="https://img.shields.io/docker/pulls/wiretrustee/management" />
-    <img src="https://badgen.net/badge/Open%20Source%3F/Yes%21/blue?icon=github" />
+     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
+       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
+     </a> 
+     <a href="https://hub.docker.com/r/wiretrustee/wiretrustee/tags">
+        <img src="https://img.shields.io/docker/pulls/wiretrustee/wiretrustee" />
+     </a> 
+    <br>
+    <a href="https://www.codacy.com/gh/wiretrustee/wiretrustee/dashboard?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=wiretrustee/wiretrustee&amp;utm_campaign=Badge_Grade"><img src="https://app.codacy.com/project/badge/Grade/d366de2c9d8b4cf982da27f8f5831809"/></a>
+     <a href="https://goreportcard.com/report/wiretrustee/wiretrustee">
+        <img src="https://goreportcard.com/badge/github.com/wiretrustee/wiretrustee?style=flat-square" />
+     </a>
+    <br>
+    <a href="https://join.slack.com/t/wiretrustee/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">
+        <img src="https://img.shields.io/badge/slack-@wiretrustee-red.svg?logo=slack"/>
+     </a>    
   </p>
 </div>
 
+
 <p align="center">
 <strong>
-  Start using Wiretrustee at <a href="https://app.wiretrustee.com/">app.wiretrustee.com</a>
+  Start using NetBird at <a href="https://app.netbird.io/">app.netbird.io</a>
   <br/>
-  See <a href="docs/README.md">Documentation</a>
+  See <a href="https://netbird.io/docs/">Documentation</a>
   <br/>
    Join our <a href="https://join.slack.com/t/wiretrustee/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">Slack channel</a>
   <br/>
@@ -25,198 +46,69 @@
 
 <br>
 
-**Wiretrustee is an open-source VPN platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.**
+**NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.**
 
-It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, vpn gateways, and so forth.
+It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
 
-There is no centralized VPN server with Wiretrustee - your computers, devices, machines, and servers connect to each other directly over a fast encrypted tunnel.
+NetBird creates an overlay peer-to-peer network connecting machines automatically regardless of their location (home, office, datacenter, container, cloud or edge environments) unifying virtual private network management experience.
 
-**Wiretrustee automates Wireguard-based networks, offering a management layer with:**
-* Centralized Peer IP management with a neat UI dashboard.
-* Automatic Peer discovery and configuration.
-* UDP hole punching to establish peer-to-peer connections behind NAT, firewall, and without a public static IP.
+**Key features:**
+* Automatic IP allocation and management.
+* Automatic WireGuard peer (machine) discovery and configuration.
+* Encrypted peer-to-peer connections without a central VPN gateway.
 * Connection relay fallback in case a peer-to-peer connection is not possible.
-* Multitenancy (coming soon).
-* Client application SSO with MFA (coming soon).
-* Access Controls (coming soon).
-* Activity Monitoring (coming soon).
+* Network management layer with a neat Web UI panel ([separate repo](https://github.com/netbirdio/dashboard))
+* Desktop client applications for Linux, MacOS, and Windows.
+* Multiuser support - sharing network between multiple users.
+* SSO and MFA support. 
+* Multicloud and hybrid-cloud support.
+* Kernel WireGuard usage when possible.
+* Access Controls - groups & rules (coming soon).
+* Private DNS (coming soon).
+* Mobile clients (coming soon).
+* Network Activity Monitoring (coming soon).
 
-### Secure peer-to-peer VPN in minutes
+### Secure peer-to-peer VPN with SSO and MFA in minutes
 <p float="left" align="middle">
   <img src="docs/media/peerA.gif" width="400"/> 
   <img src="docs/media/peerB.gif" width="400"/>
 </p>
 
-**Note**: The `main` branch may be in an *unstable or even broken state* during development. For stable versions, see [releases](https://github.com/wiretrustee/wiretrustee/releases).
+**Note**: The `main` branch may be in an *unstable or even broken state* during development. 
+For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
 
-Hosted demo version: 
-[https://app.wiretrustee.com/](https://app.wiretrustee.com/peers). 
-
-[UI Dashboard Repo](https://github.com/wiretrustee/wiretrustee-dashboard)
+### Start using NetBird
+* Hosted version: [https://app.netbird.io/](https://app.netbird.io/).
+* See our documentation for [Quickstart Guide](https://netbird.io/docs/getting-started/quickstart).
+* If you are looking to self-host NetBird, check our [Self-Hosting Guide](https://netbird.io/docs/getting-started/self-hosting).
+* Step-by-step [Installation Guide](https://netbird.io/docs/getting-started/installation) for different platforms.
+* Web UI [repository](https://github.com/netbirdio/dashboard).
+* 5 min [demo video](https://youtu.be/Tu9tPsUWaY0) on YouTube.
 
 
-### A bit on Wiretrustee internals
-* Wiretrustee features a Management Service that offers peer IP management and network updates distribution (e.g. when new peer joins the network).
-* Wiretrustee uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between devices.
-* Peers negotiate connection through [Signal Service](signal/).
-* Signal Service uses public Wireguard keys to route messages between peers.
-  Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them.
-* Occasionally, the NAT-traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT).
-  When this occurs the system falls back to relay server (TURN), and a secure Wireguard tunnel is established via TURN server.
-  [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in Wiretrustee setups.
+### A bit on NetBird internals
+* Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
+* NetBird features [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to peers.
+* Every agent is connected to Management Service.
+* NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
+* Connection candidates are discovered with a help of [STUN](https://en.wikipedia.org/wiki/STUN) server. 
+* Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages.
+* Signal Service uses public WireGuard keys to route messages between peers.
+* Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
+ 
+[Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.
 
-### Product Roadmap
-- [Public Roadmap](https://github.com/wiretrustee/wiretrustee/projects/2)
-- [Public Roadmap Progress Tracking](https://github.com/wiretrustee/wiretrustee/projects/1)
+<p float="left" align="middle">
+  <img src="https://netbird.io/docs/img/architecture/high-level-dia.png" width="700"/>
+</p>
 
-### Client Installation
-#### Linux
+See a complete [architecture overview](https://netbird.io/docs/overview/architecture) for details.
 
-**APT/Debian**
-1. Add the repository:
-    ```shell
-    sudo apt-get update
-    sudo apt-get install ca-certificates curl gnupg -y
-    curl -L https://pkgs.wiretrustee.com/debian/public.key | sudo apt-key add -
-    echo 'deb https://pkgs.wiretrustee.com/debian stable main' | sudo tee /etc/apt/sources.list.d/wiretrustee.list
-    ```
-2. Install the package
-    ```shell
-    sudo apt-get update
-    sudo apt-get install wiretrustee
-    ```
-**RPM/Red hat**
-1. Add the repository:
-    ```shell
-    cat <<EOF | sudo tee /etc/yum.repos.d/wiretrustee.repo
-    [Wiretrustee]
-    name=Wiretrustee
-    baseurl=https://pkgs.wiretrustee.com/yum/
-    enabled=1
-    gpgcheck=0
-    gpgkey=https://pkgs.wiretrustee.com/yum/repodata/repomd.xml.key
-    repo_gpgcheck=1
-    EOF
-    ```
-2. Install the package
-    ```shell
-    sudo yum install wiretrustee
-    ```
-#### MACOS
-**Brew install**
-1. Download and install Brew at https://brew.sh/
-2. Install the client
-  ```shell
-  brew install wiretrustee/client/wiretrustee
-  ```
-**Installation from binary**
-1. Checkout Wiretrustee [releases](https://github.com/wiretrustee/wiretrustee/releases/latest)
-2. Download the latest release (**Switch VERSION to the latest**):
-  ```shell
-  curl -o ./wiretrustee_<VERSION>_darwin_amd64.tar.gz https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_darwin_amd64.tar.gz
-  ```
-3. Decompress
-  ```shell
-  tar xcf ./wiretrustee_<VERSION>_darwin_amd64.tar.gz
-  sudo mv wiretrusee /usr/local/bin/wiretrustee
-  chmod +x /usr/local/bin/wiretrustee
-  ```
-After that you may need to add /usr/local/bin in your MAC's PATH environment variable:
-  ````shell
-  export PATH=$PATH:/usr/local/bin
-  ````
-
-#### Windows
-1. Checkout Wiretrustee [releases](https://github.com/wiretrustee/wiretrustee/releases/latest)
-2. Download the latest Windows release installer ```wiretrustee_installer_<VERSION>_windows_amd64.exe``` (**Switch VERSION to the latest**):
-3. Proceed with installation steps
-4. This will install the client in the C:\\Program Files\\Wiretrustee and add the client service
-5. After installing, you can follow the [Client Configuration](#Client-Configuration) steps.
-> To uninstall the client and service, you can use Add/Remove programs
-
-### Client Configuration
-1. Login to the Management Service. You need to have a `setup key` in hand (see ).
-
-For **Unix** systems:
-  ```shell
-  sudo wiretrustee up --setup-key <SETUP KEY>
-  ```
-For  **Windows** systems, start powershell as administrator and:
-  ```shell
-  wiretrustee up --setup-key <SETUP KEY>
-   ```
-For **Docker**, you can run with the following command:
-```shell
-docker run --network host --privileged --rm -d -e WT_SETUP_KEY=<SETUP KEY> -v wiretrustee-client:/etc/wiretrustee wiretrustee/wiretrustee:<TAG>
-```
-> TAG > 0.3.0 version
-
-Alternatively, if you are hosting your own Management Service provide `--management-url` property pointing to your Management Service:
-  ```shell
-  sudo wiretrustee up --setup-key <SETUP KEY> --management-url https://localhost:33073
-  ```
-
-> You could also omit `--setup-key` property. In this case the tool will prompt it the key.
-
-
-2. Check your IP:
-  For **MACOS** you will just start the service:
-  ````shell
-  sudo ipconfig getifaddr utun100
-  ````   
-For **Linux** systems:
-  ```shell
-  ip addr show wt0
-  ```
-For **Windows** systems:
-  ```shell
-  netsh interface ip show config name="wt0"
-  ```
-
-3. Repeat on other machines.  
-
-### Running Dashboard, Management, Signal and Coturn
-Wiretrustee uses [Auth0](https://auth0.com) for user authentication and authorization, therefore you will need to create a free account 
-and configure Auth0 variables in the compose file (dashboard) and in the management config file.
-We chose Auth0 to "outsource" the user management part of our platform because we believe that implementing a proper user auth is not a trivial task and requires significant amount of time to make it right. We focused on connectivity instead.
-It is worth mentioning that dependency to Auth0 is the only one that cannot be self-hosted.
-
-Configuring Wiretrustee Auth0 integration:
-- check [How to run](https://github.com/wiretrustee/wiretrustee-dashboard#how-to-run) to obtain Auth0 environment variables for UI Dashboard
-- set these variables in the [environment section of the docker-compose file](https://github.com/wiretrustee/wiretrustee/blob/main/infrastructure_files/docker-compose.yml)
-- check [Auth0 Golang API Guide](https://auth0.com/docs/quickstart/backend/golang) to obtain ```AuthIssuer```, ```AuthAudience```, and ```AuthKeysLocation```
-- set these properties in the [management config files](https://github.com/wiretrustee/wiretrustee/blob/main/infrastructure_files/management.json#L33)
-
-
-Under infrastructure_files we have a docker-compose example to run Dashboard, Wiretrustee Management and Signal services, plus an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration. 
-You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to **proper credentials**.
-
-The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#running-the-signal-service), the management in [Management](./management/README.md), and the Coturn official documentation [here](https://hub.docker.com/r/coturn/coturn).
-
-> Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges.
-
-Also, if you have an SSL certificate for Coturn, you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow [Certbot's](https://certbot.eff.org/docs/intro.html) official documentation
-to generate one from [Let’s Encrypt](https://letsencrypt.org/), or, we found that the example provided by [BigBlueButton](https://docs.bigbluebutton.org/2.2/setup-turn-server.html#generating-tls-certificates) covers the basics to configure Coturn with Let's Encrypt certs. 
-> The Wiretrustee Management service can generate and maintain the certificates automatically, all you need to do is run the servicein a host  with a public IP, configure a valid DNS record pointing to that IP and uncomment the 443 ports and command lines in the docker-compose.yml file.
-
-Simple docker-composer execution:
-````shell
-cd infrastructure_files
-docker-compose up -d
-````
-You can check logs by running:
-````shell
-cd infrastructure_files
-docker-compose logs signal
-docker-compose logs management
-docker-compose logs coturn
-````
-If you need to stop the services, run the following:
-````shell
-cd infrastructure_files
-docker-compose down
-````
+### Roadmap
+- [Public Roadmap](https://github.com/netbirdio/netbird/projects/2)
 
+### Testimonials
+We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), and [Coturn](https://github.com/coturn/coturn). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g. giving a star or a contribution).
 
 ### Legal
  [WireGuard](https://wireguard.com/) is a registered trademark of Jason A. Donenfeld.

client/Dockerfile

@@ -1,4 +1,4 @@
 FROM gcr.io/distroless/base:debug
 ENV WT_LOG_FILE=console
-ENTRYPOINT [ "/go/bin/wiretrustee","up"]
-COPY wiretrustee /go/bin/wiretrustee
+ENTRYPOINT [ "/go/bin/netbird","up"]
+COPY netbird /go/bin/netbird

client/cmd/down.go

@@ -0,0 +1,46 @@
+package cmd
+
+import (
+	"context"
+	"github.com/netbirdio/netbird/util"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var downCmd = &cobra.Command{
+	Use:   "down",
+	Short: "down netbird connections",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := util.InitLog(logLevel, "console")
+		if err != nil {
+			log.Errorf("failed initializing log %v", err)
+			return err
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*3)
+		defer cancel()
+
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			log.Errorf("failed to connect to service CLI interface %v", err)
+			return err
+		}
+		defer conn.Close()
+
+		daemonClient := proto.NewDaemonServiceClient(conn)
+
+		if _, err := daemonClient.Down(ctx, &proto.DownRequest{}); err != nil {
+			log.Errorf("call service down method: %v", err)
+			return err
+		}
+		return nil
+	},
+}

client/cmd/login.go

@@ -1,153 +1,200 @@
 package cmd
 
 import (
-	"bufio"
 	"context"
 	"fmt"
-	"github.com/google/uuid"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"github.com/wiretrustee/wiretrustee/client/internal"
-	mgm "github.com/wiretrustee/wiretrustee/management/client"
-	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
-	"github.com/wiretrustee/wiretrustee/util"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"github.com/skratchdot/open-golang/open"
 	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-	"os"
+	gstatus "google.golang.org/grpc/status"
+	"time"
+
+	"github.com/netbirdio/netbird/util"
+
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
 )
 
-var (
-	loginCmd = &cobra.Command{
-		Use:   "login",
-		Short: "login to the Wiretrustee Management Service (first run)",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars()
+var loginCmd = &cobra.Command{
+	Use:   "login",
+	Short: "login to the Netbird Management Service (first run)",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
 
-			err := util.InitLog(logLevel, logFile)
-			if err != nil {
-				log.Errorf("failed initializing log %v", err)
-				return err
-			}
+		cmd.SetOut(cmd.OutOrStdout())
 
-			config, err := internal.GetConfig(managementURL, configPath)
-			if err != nil {
-				log.Errorf("failed getting config %s %v", configPath, err)
-				//os.Exit(ExitSetupFailed)
-				return err
-			}
-
-			//validate our peer's Wireguard PRIVATE key
-			myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
-			if err != nil {
-				log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
-				//os.Exit(ExitSetupFailed)
-				return err
-			}
-
-			ctx := context.Background()
-
-			mgmTlsEnabled := false
-			if config.ManagementURL.Scheme == "https" {
-				mgmTlsEnabled = true
-			}
-
-			log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
-			mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
-			if err != nil {
-				log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
-				//os.Exit(ExitSetupFailed)
-				return err
-			}
-			log.Debugf("connected to anagement Service %s", config.ManagementURL.String())
-
-			serverKey, err := mgmClient.GetServerPublicKey()
-			if err != nil {
-				log.Errorf("failed while getting Management Service public key: %v", err)
-				//os.Exit(ExitSetupFailed)
-				return err
-			}
-
-			_, err = loginPeer(*serverKey, mgmClient, setupKey)
-			if err != nil {
-				log.Errorf("failed logging-in peer on Management Service : %v", err)
-				//os.Exit(ExitSetupFailed)
-				return err
-			}
-
-			err = mgmClient.Close()
-			if err != nil {
-				log.Errorf("failed closing Management Service client: %v", err)
-				//os.Exit(ExitSetupFailed)
-				return err
-			}
-
-			return nil
-		},
-	}
-)
-
-// loginPeer attempts to login to Management Service. If peer wasn't registered, tries the registration flow.
-func loginPeer(serverPublicKey wgtypes.Key, client *mgm.Client, setupKey string) (*mgmProto.LoginResponse, error) {
-
-	loginResp, err := client.Login(serverPublicKey)
-	if err != nil {
-		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
-			log.Debugf("peer registration required")
-			return registerPeer(serverPublicKey, client, setupKey)
-		} else {
-			return nil, err
-		}
-	}
-
-	log.Info("peer has successfully logged-in to Management Service")
-
-	return loginResp, nil
-}
-
-// registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
-// Otherwise tries to register with the provided setupKey via command line.
-func registerPeer(serverPublicKey wgtypes.Key, client *mgm.Client, setupKey string) (*mgmProto.LoginResponse, error) {
-
-	var err error
-	if setupKey == "" {
-		setupKey, err = promptPeerSetupKey()
+		err := util.InitLog(logLevel, "console")
 		if err != nil {
-			log.Errorf("failed getting setup key from user: %s", err)
-			return nil, err
+			return fmt.Errorf("failed initializing log %v", err)
+		}
+
+		ctx := internal.CtxInitState(context.Background())
+
+		// workaround to run without service
+		if logFile == "console" {
+			err = handleRebrand(cmd)
+			if err != nil {
+				return err
+			}
+
+			config, err := internal.GetConfig(managementURL, adminURL, configPath, preSharedKey)
+			if err != nil {
+				return fmt.Errorf("get config file: %v", err)
+			}
+
+			err = foregroundLogin(ctx, cmd, config, setupKey)
+			if err != nil {
+				return fmt.Errorf("foreground login failed: %v", err)
+			}
+			cmd.Println("Logging successfully")
+			return nil
+		}
+
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			return fmt.Errorf("failed to connect to daemon error: %v\n"+
+				"If the daemon is not running please run: "+
+				"\nnetbird service install \nnetbird service start\n", err)
+		}
+		defer conn.Close()
+
+		client := proto.NewDaemonServiceClient(conn)
+
+		loginRequest := proto.LoginRequest{
+			SetupKey:      setupKey,
+			PreSharedKey:  preSharedKey,
+			ManagementUrl: managementURL,
+		}
+
+		var loginErr error
+
+		var loginResp *proto.LoginResponse
+
+		err = WithBackOff(func() error {
+			var backOffErr error
+			loginResp, backOffErr = client.Login(ctx, &loginRequest)
+			if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
+				s.Code() == codes.PermissionDenied ||
+				s.Code() == codes.NotFound ||
+				s.Code() == codes.Unimplemented) {
+				loginErr = backOffErr
+				return nil
+			}
+			return backOffErr
+		})
+		if err != nil {
+			return fmt.Errorf("login backoff cycle failed: %v", err)
+		}
+
+		if loginErr != nil {
+			return fmt.Errorf("login failed: %v", loginErr)
+		}
+
+		if loginResp.NeedsSSOLogin {
+			openURL(cmd, loginResp.VerificationURIComplete)
+
+			_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
+			if err != nil {
+				return fmt.Errorf("waiting sso login failed with: %v", err)
+			}
+		}
+
+		cmd.Println("Logging successfully")
+
+		return nil
+	},
+}
+
+func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *internal.Config, setupKey string) error {
+	needsLogin := false
+
+	err := WithBackOff(func() error {
+		err := internal.Login(ctx, config, "", "")
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			needsLogin = true
+			return nil
+		}
+		return err
+	})
+	if err != nil {
+		return fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
+	jwtToken := ""
+	if setupKey == "" && needsLogin {
+		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config)
+		if err != nil {
+			return fmt.Errorf("interactive sso login failed: %v", err)
+		}
+		jwtToken = tokenInfo.AccessToken
+	}
+
+	err = WithBackOff(func() error {
+		err := internal.Login(ctx, config, setupKey, jwtToken)
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			return nil
+		}
+		return err
+	})
+	if err != nil {
+		return fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
+	return nil
+}
+
+func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *internal.Config) (*internal.TokenInfo, error) {
+	providerConfig, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config)
+	if err != nil {
+		s, ok := gstatus.FromError(err)
+		if ok && s.Code() == codes.NotFound {
+			return nil, fmt.Errorf("no SSO provider returned from management. " +
+				"If you are using hosting Netbird see documentation at " +
+				"https://github.com/netbirdio/netbird/tree/main/management for details")
+		} else if ok && s.Code() == codes.Unimplemented {
+			mgmtURL := managementURL
+			if mgmtURL == "" {
+				mgmtURL = internal.ManagementURLDefault().String()
+			}
+			return nil, fmt.Errorf("the management server, %s, does not support SSO providers, "+
+				"please update your servver or use Setup Keys to login", mgmtURL)
+		} else {
+			return nil, fmt.Errorf("getting device authorization flow info failed with error: %v", err)
 		}
 	}
 
-	validSetupKey, err := uuid.Parse(setupKey)
+	hostedClient := internal.NewHostedDeviceFlow(
+		providerConfig.ProviderConfig.Audience,
+		providerConfig.ProviderConfig.ClientID,
+		providerConfig.ProviderConfig.Domain,
+	)
+
+	flowInfo, err := hostedClient.RequestDeviceCode(context.TODO())
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("getting a request device code failed: %v", err)
 	}
 
-	log.Debugf("sending peer registration request to Management Service")
-	loginResp, err := client.Register(serverPublicKey, validSetupKey.String())
+	openURL(cmd, flowInfo.VerificationURIComplete)
+
+	waitTimeout := time.Duration(flowInfo.ExpiresIn)
+	waitCTX, c := context.WithTimeout(context.TODO(), waitTimeout*time.Second)
+	defer c()
+
+	tokenInfo, err := hostedClient.WaitToken(waitCTX, flowInfo)
 	if err != nil {
-		log.Errorf("failed registering peer %v", err)
-		return nil, err
+		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
 	}
 
-	log.Infof("peer has been successfully registered on Management Service")
-
-	return loginResp, nil
+	return &tokenInfo, nil
 }
 
-// promptPeerSetupKey prompts user to enter Setup Key
-func promptPeerSetupKey() (string, error) {
-	fmt.Print("Enter setup key: ")
-
-	s := bufio.NewScanner(os.Stdin)
-	for s.Scan() {
-		input := s.Text()
-		if input != "" {
-			return input, nil
-		}
-		fmt.Println("Specified key is empty, try again:")
-
+func openURL(cmd *cobra.Command, verificationURIComplete string) {
+	err := open.Run(verificationURIComplete)
+	cmd.Printf("Please do the SSO login in your browser. \n" +
+		"If your browser didn't open automatically, use this URL to log in:\n\n" +
+		" " + verificationURIComplete + " \n\n")
+	if err != nil {
+		cmd.Printf("Alternatively, you may want to use a setup key, see:\n\n https://www.netbird.io/docs/overview/setup-keys\n")
 	}
-
-	return "", s.Err()
 }

client/cmd/login_test.go

@@ -2,34 +2,16 @@ package cmd
 
 import (
 	"fmt"
-	"github.com/wiretrustee/wiretrustee/client/internal"
-	"github.com/wiretrustee/wiretrustee/iface"
-	mgmt "github.com/wiretrustee/wiretrustee/management/server"
-	"github.com/wiretrustee/wiretrustee/util"
-	"path/filepath"
 	"strings"
 	"testing"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/util"
 )
 
-var mgmAddr string
-
-func TestLogin_Start(t *testing.T) {
-	config := &mgmt.Config{}
-	_, err := util.ReadJson("../testdata/management.json", config)
-	if err != nil {
-		t.Fatal(err)
-	}
-	testDir := t.TempDir()
-	config.Datadir = testDir
-	err = util.CopyFileContents("../testdata/store.json", filepath.Join(testDir, "store.json"))
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, listener := startManagement(config, t)
-	mgmAddr = listener.Addr().String()
-}
-
 func TestLogin(t *testing.T) {
+	mgmAddr := startTestingServices(t)
 
 	tempDir := t.TempDir()
 	confPath := tempDir + "/config.json"
@@ -38,6 +20,8 @@ func TestLogin(t *testing.T) {
 		"login",
 		"--config",
 		confPath,
+		"--log-file",
+		"console",
 		"--setup-key",
 		strings.ToUpper("a2c8e62b-38f5-4553-b31e-dd66c696cebb"),
 		"--management-url",
@@ -60,7 +44,7 @@ func TestLogin(t *testing.T) {
 	}
 
 	if actualConf.WgIface != iface.WgInterfaceDefault {
-		t.Errorf("expected WgIface %s got %s", iface.WgInterfaceDefault, actualConf.WgIface)
+		t.Errorf("expected WgIfaceName %s got %s", iface.WgInterfaceDefault, actualConf.WgIface)
 	}
 
 	if len(actualConf.PrivateKey) == 0 {

client/cmd/root.go

@@ -1,60 +1,97 @@
 package cmd
 
 import (
+	"context"
+	"errors"
 	"fmt"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-	"github.com/wiretrustee/wiretrustee/client/internal"
+	"io"
+	"io/fs"
+	"io/ioutil"
 	"os"
 	"os/signal"
+	"path"
 	"runtime"
 	"strings"
 	"syscall"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/netbirdio/netbird/client/internal"
 )
 
 var (
-	configPath        string
-	defaultConfigPath string
-	logLevel          string
-	defaultLogFile    string
-	logFile           string
-	managementURL     string
-	setupKey          string
-	rootCmd           = &cobra.Command{
-		Use:   "wiretrustee",
-		Short: "",
-		Long:  "",
+	configPath              string
+	defaultConfigPathDir    string
+	defaultConfigPath       string
+	oldDefaultConfigPathDir string
+	oldDefaultConfigPath    string
+	logLevel                string
+	defaultLogFileDir       string
+	defaultLogFile          string
+	oldDefaultLogFileDir    string
+	oldDefaultLogFile       string
+	logFile                 string
+	daemonAddr              string
+	managementURL           string
+	adminURL                string
+	setupKey                string
+	preSharedKey            string
+	rootCmd                 = &cobra.Command{
+		Use:          "netbird",
+		Short:        "",
+		Long:         "",
+		SilenceUsage: true,
 	}
-
-	// Execution control channel for stopCh signal
-	stopCh    chan int
-	cleanupCh chan struct{}
 )
 
 // Execute executes the root command.
 func Execute() error {
 	return rootCmd.Execute()
 }
+
 func init() {
+	defaultConfigPathDir = "/etc/netbird/"
+	defaultLogFileDir = "/var/log/netbird/"
 
-	stopCh = make(chan int)
-	cleanupCh = make(chan struct{})
+	oldDefaultConfigPathDir = "/etc/wiretrustee/"
+	oldDefaultLogFileDir = "/var/log/wiretrustee/"
 
-	defaultConfigPath = "/etc/wiretrustee/config.json"
-	defaultLogFile = "/var/log/wiretrustee/client.log"
 	if runtime.GOOS == "windows" {
-		defaultConfigPath = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "config.json"
-		defaultLogFile = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "client.log"
+		defaultConfigPathDir = os.Getenv("PROGRAMDATA") + "\\Netbird\\"
+		defaultLogFileDir = os.Getenv("PROGRAMDATA") + "\\Netbird\\"
+
+		oldDefaultConfigPathDir = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\"
+		oldDefaultLogFileDir = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\"
 	}
 
+	defaultConfigPath = defaultConfigPathDir + "config.json"
+	defaultLogFile = defaultLogFileDir + "client.log"
+
+	oldDefaultConfigPath = oldDefaultConfigPathDir + "config.json"
+	oldDefaultLogFile = oldDefaultLogFileDir + "client.log"
+
+	defaultDaemonAddr := "unix:///var/run/netbird.sock"
+	if runtime.GOOS == "windows" {
+		defaultDaemonAddr = "tcp://127.0.0.1:41731"
+	}
+	rootCmd.PersistentFlags().StringVar(&daemonAddr, "daemon-addr", defaultDaemonAddr, "Daemon service address to serve CLI requests [unix|tcp]://[path|host:port]")
 	rootCmd.PersistentFlags().StringVar(&managementURL, "management-url", "", fmt.Sprintf("Management Service URL [http|https]://[host]:[port] (default \"%s\")", internal.ManagementURLDefault().String()))
-	rootCmd.PersistentFlags().StringVar(&configPath, "config", defaultConfigPath, "Wiretrustee config file location")
-	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "sets Wiretrustee log level")
-	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Wiretrustee log path. If console is specified the the log will be output to stdout")
+	rootCmd.PersistentFlags().StringVar(&adminURL, "admin-url", "https://app.netbird.io", "Admin Panel URL [http|https]://[host]:[port]")
+	rootCmd.PersistentFlags().StringVar(&configPath, "config", defaultConfigPath, "Netbird config file location")
+	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "sets Netbird log level")
+	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Netbird log path. If console is specified the the log will be output to stdout")
 	rootCmd.PersistentFlags().StringVar(&setupKey, "setup-key", "", "Setup key obtained from the Management Service Dashboard (used to register peer)")
+	rootCmd.PersistentFlags().StringVar(&preSharedKey, "preshared-key", "", "Sets Wireguard PreSharedKey property. If set, then only peers that have the same key can communicate.")
 	rootCmd.AddCommand(serviceCmd)
 	rootCmd.AddCommand(upCmd)
+	rootCmd.AddCommand(downCmd)
+	rootCmd.AddCommand(statusCmd)
 	rootCmd.AddCommand(loginCmd)
 	rootCmd.AddCommand(versionCmd)
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
@@ -62,14 +99,18 @@ func init() {
 }
 
 // SetupCloseHandler handles SIGTERM signal and exits with success
-func SetupCloseHandler() {
-	c := make(chan os.Signal, 1)
-	signal.Notify(c, os.Interrupt, syscall.SIGINT, syscall.SIGTERM)
+func SetupCloseHandler(ctx context.Context, cancel context.CancelFunc) {
+	termCh := make(chan os.Signal, 1)
+	signal.Notify(termCh, os.Interrupt, syscall.SIGINT, syscall.SIGTERM)
 	go func() {
-		for range c {
-			log.Info("shutdown signal received")
-			stopCh <- 0
+		done := ctx.Done()
+		select {
+		case <-done:
+		case <-termCh:
 		}
+
+		log.Info("shutdown signal received")
+		cancel()
 	}()
 }
 
@@ -77,23 +118,171 @@ func SetupCloseHandler() {
 func SetFlagsFromEnvVars() {
 	flags := rootCmd.PersistentFlags()
 	flags.VisitAll(func(f *pflag.Flag) {
+		oldEnvVar := FlagNameToEnvVar(f.Name, "WT_")
 
-		envVar := FlagNameToEnvVar(f.Name)
-
-		if value, present := os.LookupEnv(envVar); present {
+		if value, present := os.LookupEnv(oldEnvVar); present {
 			err := flags.Set(f.Name, value)
 			if err != nil {
-				log.Infof("unable to configure flag %s using variable %s, err: %v", f.Name, envVar, err)
+				log.Infof("unable to configure flag %s using variable %s, err: %v", f.Name, oldEnvVar, err)
+			}
+		}
+
+		newEnvVar := FlagNameToEnvVar(f.Name, "NB_")
+
+		if value, present := os.LookupEnv(newEnvVar); present {
+			err := flags.Set(f.Name, value)
+			if err != nil {
+				log.Infof("unable to configure flag %s using variable %s, err: %v", f.Name, newEnvVar, err)
 			}
 		}
 	})
 }
 
 // FlagNameToEnvVar converts flag name to environment var name adding a prefix,
-// replacing dashes and making all uppercase (e.g. setup-keys is converted to WT_SETUP_KEYS)
-func FlagNameToEnvVar(f string) string {
-	prefix := "WT_"
-	parsed := strings.ReplaceAll(f, "-", "_")
+// replacing dashes and making all uppercase (e.g. setup-keys is converted to NB_SETUP_KEYS according to the input prefix)
+func FlagNameToEnvVar(cmdFlag string, prefix string) string {
+	parsed := strings.ReplaceAll(cmdFlag, "-", "_")
 	upper := strings.ToUpper(parsed)
 	return prefix + upper
 }
+
+// DialClientGRPCServer returns client connection to the dameno server.
+func DialClientGRPCServer(ctx context.Context, addr string) (*grpc.ClientConn, error) {
+	ctx, cancel := context.WithTimeout(ctx, time.Second*3)
+	defer cancel()
+
+	return grpc.DialContext(
+		ctx,
+		strings.TrimPrefix(addr, "tcp://"),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithBlock(),
+	)
+}
+
+// WithBackOff execute function in backoff cycle.
+func WithBackOff(bf func() error) error {
+	return backoff.RetryNotify(bf, CLIBackOffSettings, func(err error, duration time.Duration) {
+		log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
+	})
+}
+
+// CLIBackOffSettings is default backoff settings for CLI commands.
+var CLIBackOffSettings = &backoff.ExponentialBackOff{
+	InitialInterval:     time.Second,
+	RandomizationFactor: backoff.DefaultRandomizationFactor,
+	Multiplier:          backoff.DefaultMultiplier,
+	MaxInterval:         10 * time.Second,
+	MaxElapsedTime:      30 * time.Second,
+	Stop:                backoff.Stop,
+	Clock:               backoff.SystemClock,
+}
+
+func handleRebrand(cmd *cobra.Command) error {
+	var err error
+	if logFile == defaultLogFile {
+		if migrateToNetbird(oldDefaultLogFile, defaultLogFile) {
+			cmd.Printf("will copy Log dir %s and its content to %s\n", oldDefaultLogFileDir, defaultLogFileDir)
+			err = cpDir(oldDefaultLogFileDir, defaultLogFileDir)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	if configPath == defaultConfigPath {
+		if migrateToNetbird(oldDefaultConfigPath, defaultConfigPath) {
+			cmd.Printf("will copy Config dir %s and its content to %s\n", oldDefaultConfigPathDir, defaultConfigPathDir)
+			err = cpDir(oldDefaultConfigPathDir, defaultConfigPathDir)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func cpFile(src, dst string) error {
+	var err error
+	var srcfd *os.File
+	var dstfd *os.File
+	var srcinfo os.FileInfo
+
+	if srcfd, err = os.Open(src); err != nil {
+		return err
+	}
+	defer srcfd.Close()
+
+	if dstfd, err = os.Create(dst); err != nil {
+		return err
+	}
+	defer dstfd.Close()
+
+	if _, err = io.Copy(dstfd, srcfd); err != nil {
+		return err
+	}
+	if srcinfo, err = os.Stat(src); err != nil {
+		return err
+	}
+	return os.Chmod(dst, srcinfo.Mode())
+}
+
+func copySymLink(source, dest string) error {
+	link, err := os.Readlink(source)
+	if err != nil {
+		return err
+	}
+	return os.Symlink(link, dest)
+}
+
+func cpDir(src string, dst string) error {
+	var err error
+	var fds []os.FileInfo
+	var srcinfo os.FileInfo
+
+	if srcinfo, err = os.Stat(src); err != nil {
+		return err
+	}
+
+	if err = os.MkdirAll(dst, srcinfo.Mode()); err != nil {
+		return err
+	}
+
+	if fds, err = ioutil.ReadDir(src); err != nil {
+		return err
+	}
+	for _, fd := range fds {
+		srcfp := path.Join(src, fd.Name())
+		dstfp := path.Join(dst, fd.Name())
+
+		fileInfo, err := os.Stat(srcfp)
+		if err != nil {
+			return fmt.Errorf("fouldn't get fileInfo; %v", err)
+		}
+
+		switch fileInfo.Mode() & os.ModeType {
+		case os.ModeSymlink:
+			if err = copySymLink(srcfp, dstfp); err != nil {
+				return fmt.Errorf("failed to copy from %s to %s; %v", srcfp, dstfp, err)
+			}
+		case os.ModeDir:
+			if err = cpDir(srcfp, dstfp); err != nil {
+				return fmt.Errorf("failed to copy from %s to %s; %v", srcfp, dstfp, err)
+			}
+		default:
+			if err = cpFile(srcfp, dstfp); err != nil {
+				return fmt.Errorf("failed to copy from %s to %s; %v", srcfp, dstfp, err)
+			}
+		}
+	}
+	return nil
+}
+
+func migrateToNetbird(oldPath, newPath string) bool {
+	_, errOld := os.Stat(oldPath)
+	_, errNew := os.Stat(newPath)
+
+	if errors.Is(errOld, fs.ErrNotExist) || errNew == nil {
+		return false
+	}
+
+	return true
+}

client/cmd/service.go

@@ -1,20 +1,36 @@
 package cmd
 
 import (
+	"context"
+	"runtime"
+
 	"github.com/kardianos/service"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+
+	"github.com/netbirdio/netbird/client/internal"
 )
 
 type program struct {
-	cmd  *cobra.Command
-	args []string
+	ctx    context.Context
+	cancel context.CancelFunc
+	serv   *grpc.Server
+}
+
+func newProgram(ctx context.Context, cancel context.CancelFunc) *program {
+	ctx = internal.CtxInitState(ctx)
+	return &program{ctx: ctx, cancel: cancel}
 }
 
 func newSVCConfig() *service.Config {
+	name := "netbird"
+	if runtime.GOOS == "windows" {
+		name = "Netbird"
+	}
 	return &service.Config{
-		Name:        "wiretrustee",
-		DisplayName: "Wiretrustee",
+		Name:        name,
+		DisplayName: "Netbird",
 		Description: "A WireGuard-based mesh network that connects your devices into a single private network.",
 	}
 }
@@ -28,9 +44,7 @@ func newSVC(prg *program, conf *service.Config) (service.Service, error) {
 	return s, nil
 }
 
-var (
-	serviceCmd = &cobra.Command{
-		Use:   "service",
-		Short: "manages wiretrustee service",
-	}
-)
+var serviceCmd = &cobra.Command{
+	Use:   "service",
+	Short: "manages Netbird service",
+}

client/cmd/service_controller.go

@@ -1,152 +1,216 @@
 package cmd
 
 import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"strings"
+	"time"
+
 	"github.com/kardianos/service"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/client/server"
+	"github.com/netbirdio/netbird/util"
 	"github.com/spf13/cobra"
-	"github.com/wiretrustee/wiretrustee/util"
-	"time"
+	"google.golang.org/grpc"
 )
 
-func (p *program) Start(service.Service) error {
-
+func (p *program) Start(svc service.Service) error {
 	// Start should not block. Do the actual work async.
-	log.Info("starting service") //nolint
+	log.Info("starting Netbird service") //nolint
+	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
+	p.serv = grpc.NewServer()
+
+	split := strings.Split(daemonAddr, "://")
+	switch split[0] {
+	case "unix":
+		// cleanup failed close
+		stat, err := os.Stat(split[1])
+		if err == nil && !stat.IsDir() {
+			if err := os.Remove(split[1]); err != nil {
+				log.Debugf("remove socket file: %v", err)
+			}
+		}
+	case "tcp":
+	default:
+		return fmt.Errorf("unsupported daemon address protocol: %v", split[0])
+	}
+
+	listen, err := net.Listen(split[0], split[1])
+	if err != nil {
+		return fmt.Errorf("failed to listen daemon interface: %w", err)
+	}
 	go func() {
-		err := runClient()
-		if err != nil {
-			log.Errorf("stopped Wiretrustee client app due to error: %v", err)
-			return
+		defer listen.Close()
+
+		if split[0] == "unix" {
+			err = os.Chmod(split[1], 0666)
+			if err != nil {
+				log.Errorf("failed setting daemon permissions: %v", split[1])
+				return
+			}
+		}
+
+		serverInstance := server.New(p.ctx, managementURL, adminURL, configPath, logFile)
+		if err := serverInstance.Start(); err != nil {
+			log.Fatalf("failed to start daemon: %v", err)
+		}
+		proto.RegisterDaemonServiceServer(p.serv, serverInstance)
+
+		log.Printf("started daemon server: %v", split[1])
+		if err := p.serv.Serve(listen); err != nil {
+			log.Errorf("failed to serve daemon requests: %v", err)
 		}
 	}()
 	return nil
 }
 
-func (p *program) Stop(service.Service) error {
-	go func() {
-		stopCh <- 1
-	}()
+func (p *program) Stop(srv service.Service) error {
+	p.cancel()
 
-	select {
-	case <-cleanupCh:
-	case <-time.After(time.Second * 10):
-		log.Warnf("failed waiting for service cleanup, terminating")
+	if p.serv != nil {
+		p.serv.Stop()
 	}
-	log.Info("stopped Wiretrustee service") //nolint
+
+	time.Sleep(time.Second * 2)
+	log.Info("stopped Netbird service") //nolint
 	return nil
 }
 
-var (
-	runCmd = &cobra.Command{
-		Use:   "run",
-		Short: "runs wiretrustee as service",
-		Run: func(cmd *cobra.Command, args []string) {
-			SetFlagsFromEnvVars()
+var runCmd = &cobra.Command{
+	Use:   "run",
+	Short: "runs Netbird as service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
 
-			err := util.InitLog(logLevel, logFile)
-			if err != nil {
-				log.Errorf("failed initializing log %v", err)
-				return
-			}
+		cmd.SetOut(cmd.OutOrStdout())
 
-			SetupCloseHandler()
+		err := handleRebrand(cmd)
+		if err != nil {
+			return err
+		}
 
-			prg := &program{
-				cmd:  cmd,
-				args: args,
-			}
+		err = util.InitLog(logLevel, logFile)
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}
 
-			s, err := newSVC(prg, newSVCConfig())
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			err = s.Run()
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			cmd.Printf("Wiretrustee service is running")
-		},
-	}
-)
+		ctx, cancel := context.WithCancel(cmd.Context())
+		SetupCloseHandler(ctx, cancel)
 
-var (
-	startCmd = &cobra.Command{
-		Use:   "start",
-		Short: "starts wiretrustee service",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars()
+		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
+		if err != nil {
+			return err
+		}
+		err = s.Run()
+		if err != nil {
+			return err
+		}
+		cmd.Printf("Netbird service is running")
+		return nil
+	},
+}
 
-			err := util.InitLog(logLevel, logFile)
-			if err != nil {
-				log.Errorf("failed initializing log %v", err)
-				return err
-			}
-			s, err := newSVC(&program{}, newSVCConfig())
-			if err != nil {
-				cmd.PrintErrln(err)
-				return err
-			}
-			err = s.Start()
-			if err != nil {
-				cmd.PrintErrln(err)
-				return err
-			}
-			cmd.Println("Wiretrustee service has been started")
-			return nil
-		},
-	}
-)
+var startCmd = &cobra.Command{
+	Use:   "start",
+	Short: "starts Netbird service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
 
-var (
-	stopCmd = &cobra.Command{
-		Use:   "stop",
-		Short: "stops wiretrustee service",
-		Run: func(cmd *cobra.Command, args []string) {
-			SetFlagsFromEnvVars()
+		cmd.SetOut(cmd.OutOrStdout())
 
-			err := util.InitLog(logLevel, logFile)
-			if err != nil {
-				log.Errorf("failed initializing log %v", err)
-			}
-			s, err := newSVC(&program{}, newSVCConfig())
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			err = s.Stop()
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			cmd.Println("Wiretrustee service has been stopped")
-		},
-	}
-)
+		err := handleRebrand(cmd)
+		if err != nil {
+			return err
+		}
 
-var (
-	restartCmd = &cobra.Command{
-		Use:   "restart",
-		Short: "restarts wiretrustee service",
-		Run: func(cmd *cobra.Command, args []string) {
-			SetFlagsFromEnvVars()
+		err = util.InitLog(logLevel, logFile)
+		if err != nil {
+			return err
+		}
 
-			err := util.InitLog(logLevel, logFile)
-			if err != nil {
-				log.Errorf("failed initializing log %v", err)
-			}
-			s, err := newSVC(&program{}, newSVCConfig())
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			err = s.Restart()
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			cmd.Println("Wiretrustee service has been restarted")
-		},
-	}
-)
+		ctx, cancel := context.WithCancel(cmd.Context())
+
+		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
+		if err != nil {
+			cmd.PrintErrln(err)
+			return err
+		}
+		err = s.Start()
+		if err != nil {
+			cmd.PrintErrln(err)
+			return err
+		}
+		cmd.Println("Netbird service has been started")
+		return nil
+	},
+}
+
+var stopCmd = &cobra.Command{
+	Use:   "stop",
+	Short: "stops Netbird service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := handleRebrand(cmd)
+		if err != nil {
+			return err
+		}
+
+		err = util.InitLog(logLevel, logFile)
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}
+
+		ctx, cancel := context.WithCancel(cmd.Context())
+
+		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
+		if err != nil {
+			return err
+		}
+		err = s.Stop()
+		if err != nil {
+			return err
+		}
+		cmd.Println("Netbird service has been stopped")
+		return nil
+	},
+}
+
+var restartCmd = &cobra.Command{
+	Use:   "restart",
+	Short: "restarts Netbird service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := handleRebrand(cmd)
+		if err != nil {
+			return err
+		}
+
+		err = util.InitLog(logLevel, logFile)
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}
+
+		ctx, cancel := context.WithCancel(cmd.Context())
+
+		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
+		if err != nil {
+			return err
+		}
+		err = s.Restart()
+		if err != nil {
+			return err
+		}
+		cmd.Println("Netbird service has been restarted")
+		return nil
+	},
+}

client/cmd/service_installer.go

@@ -1,69 +1,89 @@
 package cmd
 
 import (
-	"github.com/spf13/cobra"
+	"context"
 	"runtime"
+
+	"github.com/spf13/cobra"
 )
 
-var (
-	installCmd = &cobra.Command{
-		Use:   "install",
-		Short: "installs wiretrustee service",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars()
+var installCmd = &cobra.Command{
+	Use:   "install",
+	Short: "installs Netbird service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
 
-			svcConfig := newSVCConfig()
+		cmd.SetOut(cmd.OutOrStdout())
 
-			svcConfig.Arguments = []string{
-				"service",
-				"run",
-				"--config",
-				configPath,
-				"--log-level",
-				logLevel,
-			}
+		err := handleRebrand(cmd)
+		if err != nil {
+			return err
+		}
 
-			if runtime.GOOS == "linux" {
-				// Respected only by systemd systems
-				svcConfig.Dependencies = []string{"After=network.target syslog.target"}
-			}
+		svcConfig := newSVCConfig()
 
-			s, err := newSVC(&program{}, svcConfig)
-			if err != nil {
-				cmd.PrintErrln(err)
-				return err
-			}
+		svcConfig.Arguments = []string{
+			"service",
+			"run",
+			"--config",
+			configPath,
+			"--log-level",
+			logLevel,
+		}
 
-			err = s.Install()
-			if err != nil {
-				cmd.PrintErrln(err)
-				return err
-			}
-			cmd.Println("Wiretrustee service has been installed")
-			return nil
-		},
-	}
-)
+		if managementURL != "" {
+			svcConfig.Arguments = append(svcConfig.Arguments, "--management-url")
+			svcConfig.Arguments = append(svcConfig.Arguments, managementURL)
+		}
 
-var (
-	uninstallCmd = &cobra.Command{
-		Use:   "uninstall",
-		Short: "uninstalls wiretrustee service from system",
-		Run: func(cmd *cobra.Command, args []string) {
-			SetFlagsFromEnvVars()
+		if runtime.GOOS == "linux" {
+			// Respected only by systemd systems
+			svcConfig.Dependencies = []string{"After=network.target syslog.target"}
+		}
 
-			s, err := newSVC(&program{}, newSVCConfig())
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
+		ctx, cancel := context.WithCancel(cmd.Context())
 
-			err = s.Uninstall()
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			cmd.Println("Wiretrustee has been uninstalled")
-		},
-	}
-)
+		s, err := newSVC(newProgram(ctx, cancel), svcConfig)
+		if err != nil {
+			cmd.PrintErrln(err)
+			return err
+		}
+
+		err = s.Install()
+		if err != nil {
+			cmd.PrintErrln(err)
+			return err
+		}
+		cmd.Println("Netbird service has been installed")
+		return nil
+	},
+}
+
+var uninstallCmd = &cobra.Command{
+	Use:   "uninstall",
+	Short: "uninstalls Netbird service from system",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := handleRebrand(cmd)
+		if err != nil {
+			return err
+		}
+
+		ctx, cancel := context.WithCancel(cmd.Context())
+
+		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
+		if err != nil {
+			return err
+		}
+
+		err = s.Uninstall()
+		if err != nil {
+			return err
+		}
+		cmd.Println("Netbird has been uninstalled")
+		return nil
+	},
+}

client/cmd/status.go

@@ -0,0 +1,55 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"github.com/netbirdio/netbird/util"
+
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var statusCmd = &cobra.Command{
+	Use:   "status",
+	Short: "status of the Netbird Service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := util.InitLog(logLevel, "console")
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}
+
+		ctx := internal.CtxInitState(context.Background())
+
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			return fmt.Errorf("failed to connect to daemon error: %v\n"+
+				"If the daemon is not running please run: "+
+				"\nnetbird service install \nnetbird service start\n", err)
+		}
+		defer conn.Close()
+
+		resp, err := proto.NewDaemonServiceClient(conn).Status(cmd.Context(), &proto.StatusRequest{})
+		if err != nil {
+			return fmt.Errorf("status failed: %v", status.Convert(err).Message())
+		}
+
+		cmd.Printf("Status: %s\n\n", resp.GetStatus())
+		if resp.GetStatus() == string(internal.StatusNeedsLogin) || resp.GetStatus() == string(internal.StatusLoginFailed) {
+
+			cmd.Printf("Run UP command to log in with SSO (interactive login):\n\n" +
+				" netbird up \n\n" +
+				"If you are running a self-hosted version and no SSO provider has been configured in your Management Server,\n" +
+				"you can use a setup-key:\n\n netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY>\n\n" +
+				"More info: https://www.netbird.io/docs/overview/setup-keys\n\n")
+		}
+
+		return nil
+	},
+}

client/cmd/testutil.go

@@ -1,15 +1,45 @@
 package cmd
 
 import (
-	mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
-	mgmt "github.com/wiretrustee/wiretrustee/management/server"
-	sigProto "github.com/wiretrustee/wiretrustee/signal/proto"
-	sig "github.com/wiretrustee/wiretrustee/signal/server"
-	"google.golang.org/grpc"
+	"context"
 	"net"
+	"path/filepath"
 	"testing"
+	"time"
+
+	"github.com/netbirdio/netbird/util"
+
+	clientProto "github.com/netbirdio/netbird/client/proto"
+	client "github.com/netbirdio/netbird/client/server"
+	mgmtProto "github.com/netbirdio/netbird/management/proto"
+	mgmt "github.com/netbirdio/netbird/management/server"
+	sigProto "github.com/netbirdio/netbird/signal/proto"
+	sig "github.com/netbirdio/netbird/signal/server"
+	"google.golang.org/grpc"
 )
 
+func startTestingServices(t *testing.T) string {
+	config := &mgmt.Config{}
+	_, err := util.ReadJson("../testdata/management.json", config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testDir := t.TempDir()
+	config.Datadir = testDir
+	err = util.CopyFileContents("../testdata/store.json", filepath.Join(testDir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, signalLis := startSignal(t)
+	signalAddr := signalLis.Addr().String()
+	config.Signal.URI = signalAddr
+
+	_, mgmLis := startManagement(t, config)
+	mgmAddr := mgmLis.Addr().String()
+	return mgmAddr
+}
+
 func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
 	lis, err := net.Listen("tcp", ":0")
 	if err != nil {
@@ -26,7 +56,7 @@ func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
 	return s, lis
 }
 
-func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Listener) {
+func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Listener) {
 	lis, err := net.Listen("tcp", ":0")
 	if err != nil {
 		t.Fatal(err)
@@ -38,7 +68,10 @@ func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Liste
 	}
 
 	peersUpdateManager := mgmt.NewPeersUpdateManager()
-	accountManager := mgmt.NewManager(store, peersUpdateManager)
+	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
 	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
 	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager)
 	if err != nil {
@@ -48,9 +81,33 @@ func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Liste
 	go func() {
 		if err := s.Serve(lis); err != nil {
 			t.Error(err)
-			return
 		}
 	}()
 
 	return s, lis
 }
+
+func startClientDaemon(
+	t *testing.T, ctx context.Context, managementURL, configPath string,
+) (*grpc.Server, net.Listener) {
+	lis, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	s := grpc.NewServer()
+
+	server := client.New(ctx, managementURL, adminURL, configPath, "")
+	if err := server.Start(); err != nil {
+		t.Fatal(err)
+	}
+	clientProto.RegisterDaemonServiceServer(s, server)
+	go func() {
+		if err := s.Serve(lis); err != nil {
+			t.Error(err)
+		}
+	}()
+
+	time.Sleep(time.Second)
+
+	return s, lis
+}

client/cmd/up.go

@@ -2,224 +2,124 @@ package cmd
 
 import (
 	"context"
-	"github.com/cenkalti/backoff/v4"
-	"github.com/kardianos/service"
+	"fmt"
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/util"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"github.com/wiretrustee/wiretrustee/client/internal"
-	mgm "github.com/wiretrustee/wiretrustee/management/client"
-	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
-	signal "github.com/wiretrustee/wiretrustee/signal/client"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-	"time"
+	gstatus "google.golang.org/grpc/status"
 )
 
-var (
-	upCmd = &cobra.Command{
-		Use:   "up",
-		Short: "install, login and start wiretrustee client",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars()
-			err := loginCmd.RunE(cmd, args)
+var upCmd = &cobra.Command{
+	Use:   "up",
+	Short: "install, login and start Netbird client",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := util.InitLog(logLevel, "console")
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}
+
+		ctx := internal.CtxInitState(cmd.Context())
+
+		// workaround to run without service
+		if logFile == "console" {
+			err = handleRebrand(cmd)
 			if err != nil {
 				return err
 			}
-			if logFile == "console" {
-				return runClient()
-			}
 
-			s, err := newSVC(&program{}, newSVCConfig())
+			config, err := internal.GetConfig(managementURL, adminURL, configPath, preSharedKey)
 			if err != nil {
-				cmd.PrintErrln(err)
-				return err
+				return fmt.Errorf("get config file: %v", err)
 			}
 
-			srvStatus, err := s.Status()
+			err = foregroundLogin(ctx, cmd, config, setupKey)
 			if err != nil {
-				if err == service.ErrNotInstalled {
-					log.Infof("%s. Installing it now", err.Error())
-					e := installCmd.RunE(cmd, args)
-					if e != nil {
-						return e
-					}
-				} else {
-					log.Warnf("failed retrieving service status: %v", err)
-				}
+				return fmt.Errorf("foreground login failed: %v", err)
 			}
-			if srvStatus == service.StatusRunning {
-				stopCmd.Run(cmd, args)
+
+			var cancel context.CancelFunc
+			ctx, cancel = context.WithCancel(ctx)
+			SetupCloseHandler(ctx, cancel)
+			return internal.RunClient(ctx, config)
+		}
+
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			return fmt.Errorf("failed to connect to daemon error: %v\n"+
+				"If the daemon is not running please run: "+
+				"\nnetbird service install \nnetbird service start\n", err)
+		}
+		defer func() {
+			err := conn.Close()
+			if err != nil {
+				log.Warnf("failed closing dameon gRPC client connection %v", err)
+				return
 			}
-			return startCmd.RunE(cmd, args)
-		},
-	}
-)
-
-// createEngineConfig converts configuration received from Management Service to EngineConfig
-func createEngineConfig(key wgtypes.Key, config *internal.Config, peerConfig *mgmProto.PeerConfig) (*internal.EngineConfig, error) {
-	iFaceBlackList := make(map[string]struct{})
-	for i := 0; i < len(config.IFaceBlackList); i += 2 {
-		iFaceBlackList[config.IFaceBlackList[i]] = struct{}{}
-	}
-
-	return &internal.EngineConfig{
-		WgIface:        config.WgIface,
-		WgAddr:         peerConfig.Address,
-		IFaceBlackList: iFaceBlackList,
-		WgPrivateKey:   key,
-	}, nil
-}
-
-// connectToSignal creates Signal Service client and established a connection
-func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig, ourPrivateKey wgtypes.Key) (*signal.Client, error) {
-	var sigTLSEnabled bool
-	if wtConfig.Signal.Protocol == mgmProto.HostConfig_HTTPS {
-		sigTLSEnabled = true
-	} else {
-		sigTLSEnabled = false
-	}
-
-	signalClient, err := signal.NewClient(ctx, wtConfig.Signal.Uri, ourPrivateKey, sigTLSEnabled)
-	if err != nil {
-		log.Errorf("error while connecting to the Signal Exchange Service %s: %s", wtConfig.Signal.Uri, err)
-		return nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Signal Service : %s", err)
-	}
-
-	return signalClient, nil
-}
-
-// connectToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
-func connectToManagement(ctx context.Context, managementAddr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*mgm.Client, *mgmProto.LoginResponse, error) {
-	log.Debugf("connecting to management server %s", managementAddr)
-	client, err := mgm.NewClient(ctx, managementAddr, ourPrivateKey, tlsEnabled)
-	if err != nil {
-		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err)
-	}
-	log.Debugf("connected to management server %s", managementAddr)
-
-	serverPublicKey, err := client.GetServerPublicKey()
-	if err != nil {
-		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
-	}
-
-	loginResp, err := client.Login(*serverPublicKey)
-	if err != nil {
-		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
-			log.Error("peer registration required. Please run wiretrustee login command first")
-			return nil, nil, err
-		} else {
-			return nil, nil, err
-		}
-	}
-
-	log.Debugf("peer logged in to Management Service %s", managementAddr)
-
-	return client, loginResp, nil
-}
-
-func runClient() error {
-	var backOff = &backoff.ExponentialBackOff{
-		InitialInterval:     time.Second,
-		RandomizationFactor: backoff.DefaultRandomizationFactor,
-		Multiplier:          backoff.DefaultMultiplier,
-		MaxInterval:         10 * time.Second,
-		MaxElapsedTime:      24 * 3 * time.Hour, //stop the client after 3 days trying (must be a huge problem, e.g permission denied)
-		Stop:                backoff.Stop,
-		Clock:               backoff.SystemClock,
-	}
-
-	operation := func() error {
-
-		config, err := internal.ReadConfig(managementURL, configPath)
-		if err != nil {
-			log.Errorf("failed reading config %s %v", configPath, err)
-			return err
-		}
-
-		//validate our peer's Wireguard PRIVATE key
-		myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
-		if err != nil {
-			log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
-			return err
-		}
-		ctx, cancel := context.WithCancel(context.Background())
-		defer cancel()
-
-		mgmTlsEnabled := false
-		if config.ManagementURL.Scheme == "https" {
-			mgmTlsEnabled = true
-		}
-
-		// connect (just a connection, no stream yet) and login to Management Service to get an initial global Wiretrustee config
-		mgmClient, loginResp, err := connectToManagement(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
-		if err != nil {
-			log.Warn(err)
-			return err
-		}
-
-		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
-		signalClient, err := connectToSignal(ctx, loginResp.GetWiretrusteeConfig(), myPrivateKey)
-		if err != nil {
-			log.Error(err)
-			return err
-		}
-
-		peerConfig := loginResp.GetPeerConfig()
-
-		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig)
-		if err != nil {
-			log.Error(err)
-			return err
-		}
-
-		// create start the Wiretrustee Engine that will connect to the Signal and Management streams and manage connections to remote peers.
-		engine := internal.NewEngine(signalClient, mgmClient, engineConfig, cancel, ctx)
-		err = engine.Start()
-		if err != nil {
-			log.Errorf("error while starting Wiretrustee Connection Engine: %s", err)
-			return err
-		}
-
-		log.Print("Wiretrustee engine started, my IP is: ", peerConfig.Address)
-
-		select {
-		case <-stopCh:
-		case <-ctx.Done():
-		}
-
-		backOff.Reset()
-
-		err = mgmClient.Close()
-		if err != nil {
-			log.Errorf("failed closing Management Service client %v", err)
-			return err
-		}
-		err = signalClient.Close()
-		if err != nil {
-			log.Errorf("failed closing Signal Service client %v", err)
-			return err
-		}
-
-		err = engine.Stop()
-		if err != nil {
-			log.Errorf("failed stopping engine %v", err)
-			return err
-		}
-
-		go func() {
-			cleanupCh <- struct{}{}
 		}()
 
-		log.Info("stopped Wiretrustee client")
+		client := proto.NewDaemonServiceClient(conn)
 
-		return ctx.Err()
-	}
+		status, err := client.Status(ctx, &proto.StatusRequest{})
+		if err != nil {
+			return fmt.Errorf("unable to get daemon status: %v", err)
+		}
 
-	err := backoff.Retry(operation, backOff)
-	if err != nil {
-		log.Errorf("exiting client retry loop due to unrecoverable error: %s", err)
-		return err
-	}
-	return nil
+		if status.Status == string(internal.StatusConnected) {
+			cmd.Println("Already connected")
+			return nil
+		}
+
+		loginRequest := proto.LoginRequest{
+			SetupKey:      setupKey,
+			PreSharedKey:  preSharedKey,
+			ManagementUrl: managementURL,
+		}
+
+		var loginErr error
+
+		var loginResp *proto.LoginResponse
+
+		err = WithBackOff(func() error {
+			var backOffErr error
+			loginResp, backOffErr = client.Login(ctx, &loginRequest)
+			if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
+				s.Code() == codes.PermissionDenied ||
+				s.Code() == codes.NotFound ||
+				s.Code() == codes.Unimplemented) {
+				loginErr = backOffErr
+				return nil
+			}
+			return backOffErr
+		})
+		if err != nil {
+			return fmt.Errorf("login backoff cycle failed: %v", err)
+		}
+
+		if loginErr != nil {
+			return fmt.Errorf("login failed: %v", loginErr)
+		}
+
+		if loginResp.NeedsSSOLogin {
+
+			openURL(cmd, loginResp.VerificationURIComplete)
+
+			_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
+			if err != nil {
+				return fmt.Errorf("waiting sso login failed with: %v", err)
+			}
+		}
+
+		if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
+			return fmt.Errorf("call service up method: %v", err)
+		}
+		cmd.Println("Connected")
+		return nil
+	},
 }

client/cmd/up_daemon_test.go

@@ -0,0 +1,75 @@
+package cmd
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/netbirdio/netbird/client/internal"
+)
+
+var cliAddr string
+
+func TestUpDaemon(t *testing.T) {
+	mgmAddr := startTestingServices(t)
+
+	tempDir := t.TempDir()
+	confPath := tempDir + "/config.json"
+
+	ctx := internal.CtxInitState(context.Background())
+	state := internal.CtxGetState(ctx)
+
+	_, cliLis := startClientDaemon(t, ctx, "http://"+mgmAddr, confPath)
+
+	cliAddr = cliLis.Addr().String()
+
+	daemonAddr = "tcp://" + cliAddr
+	rootCmd.SetArgs([]string{
+		"login",
+		"--daemon-addr", "tcp://" + cliAddr,
+		"--setup-key", "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
+		"--log-file", "",
+	})
+	if err := rootCmd.Execute(); err != nil {
+		t.Errorf("expected no error while running up command, got %v", err)
+		return
+	}
+	time.Sleep(time.Second * 3)
+	if status, err := state.Status(); err != nil && status != internal.StatusIdle {
+		t.Errorf("wrong status after login: %s, %v", internal.StatusIdle, err)
+		return
+	}
+
+	rootCmd.SetArgs([]string{
+		"up",
+		"--daemon-addr", "tcp://" + cliAddr,
+		"--log-file", "",
+	})
+	if err := rootCmd.Execute(); err != nil {
+		t.Errorf("expected no error while running up command, got %v", err)
+		return
+	}
+	time.Sleep(time.Second * 3)
+	if status, err := state.Status(); err != nil && status != internal.StatusConnected {
+		t.Errorf("wrong status after connect: %s, %v", status, err)
+		return
+	}
+
+	rootCmd.SetArgs([]string{
+		"status",
+		"--daemon-addr", "tcp://" + cliAddr,
+	})
+	if err := rootCmd.Execute(); err != nil {
+		t.Errorf("expected no error while running up command, got %v", err)
+		return
+	}
+	time.Sleep(time.Second * 3)
+
+	rootCmd.SetErr(nil)
+	rootCmd.SetArgs([]string{"down", "--daemon-addr", "tcp://" + cliAddr})
+	if err := rootCmd.Execute(); err != nil {
+		t.Errorf("expected no error while running up command, got %v", err)
+		return
+	}
+	// we can't check status here, because context already canceled
+}

client/cmd/up_test.go

@@ -1,82 +0,0 @@
-package cmd
-
-import (
-	"github.com/wiretrustee/wiretrustee/iface"
-	mgmt "github.com/wiretrustee/wiretrustee/management/server"
-	"github.com/wiretrustee/wiretrustee/util"
-	"net/url"
-	"path/filepath"
-	"testing"
-	"time"
-)
-
-var signalAddr string
-
-func TestUp_Start(t *testing.T) {
-	config := &mgmt.Config{}
-	_, err := util.ReadJson("../testdata/management.json", config)
-	if err != nil {
-		t.Fatal(err)
-	}
-	testDir := t.TempDir()
-	config.Datadir = testDir
-	err = util.CopyFileContents("../testdata/store.json", filepath.Join(testDir, "store.json"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	_, signalLis := startSignal(t)
-	signalAddr = signalLis.Addr().String()
-	config.Signal.URI = signalAddr
-
-	_, mgmLis := startManagement(config, t)
-	mgmAddr = mgmLis.Addr().String()
-
-}
-
-func TestUp(t *testing.T) {
-
-	defer iface.Close()
-
-	tempDir := t.TempDir()
-	confPath := tempDir + "/config.json"
-	mgmtURL, err := url.Parse("http://" + mgmAddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	rootCmd.SetArgs([]string{
-		"up",
-		"--config",
-		confPath,
-		"--setup-key",
-		"A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
-		"--management-url",
-		mgmtURL.String(),
-		"--log-file",
-		"console",
-	})
-	go func() {
-		err = rootCmd.Execute()
-		if err != nil {
-			t.Errorf("expected no error while running up command, got %v", err)
-		}
-	}()
-
-	exists := false
-	for start := time.Now(); time.Since(start) < 15*time.Second; {
-		e, err := iface.Exists(iface.WgInterfaceDefault)
-		if err != nil {
-			continue
-		}
-		if *e {
-			exists = true
-			break
-		}
-
-	}
-
-	if !exists {
-		t.Errorf("expected wireguard interface %s to be created", iface.WgInterfaceDefault)
-	}
-}

client/cmd/version.go

@@ -1,14 +1,17 @@
 package cmd
 
-import "github.com/spf13/cobra"
+import (
+	"github.com/netbirdio/netbird/client/system"
+	"github.com/spf13/cobra"
+)
 
 var (
-	Version    string
 	versionCmd = &cobra.Command{
 		Use:   "version",
-		Short: "prints wiretrustee version",
+		Short: "prints Netbird version",
 		Run: func(cmd *cobra.Command, args []string) {
-			cmd.Println(Version)
+			cmd.SetOut(cmd.OutOrStdout())
+			cmd.Println(system.NetbirdVersion())
 		},
 	}
 )

client/installer.nsis

@@ -1,12 +1,12 @@
-!define APP_NAME "Wiretrustee"
-!define COMP_NAME "Wiretrustee"
-!define WEB_SITE "wiretrustee.com"
+!define APP_NAME "Netbird"
+!define COMP_NAME "Netbird"
+!define WEB_SITE "Netbird.io"
 !define VERSION $%APPVER%
-!define COPYRIGHT "Wiretrustee Authors, 2021"
+!define COPYRIGHT "Netbird Authors, 2022"
 !define DESCRIPTION "A WireGuard®-based mesh network that connects your devices into a single private network"
-!define INSTALLER_NAME "wiretrustee-installer.exe"
-!define MAIN_APP_EXE "Wiretrustee"
-!define ICON "ui\\wiretrustee.ico"
+!define INSTALLER_NAME "netbird-installer.exe"
+!define MAIN_APP_EXE "Netbird"
+!define ICON "ui\\netbird.ico"
 !define BANNER "ui\\banner.bmp"
 !define LICENSE_DATA "..\\LICENSE"
 
@@ -15,6 +15,13 @@
 !define REG_ROOT "HKLM"
 !define REG_APP_PATH "Software\Microsoft\Windows\CurrentVersion\App Paths\${MAIN_APP_EXE}"
 !define UNINSTALL_PATH "Software\Microsoft\Windows\CurrentVersion\Uninstall\${APP_NAME}"
+
+!define UI_APP_NAME "Netbird UI"
+!define UI_APP_EXE "Netbird-ui"
+
+!define UI_REG_APP_PATH "Software\Microsoft\Windows\CurrentVersion\App Paths\${UI_APP_EXE}"
+!define UI_UNINSTALL_PATH "Software\Microsoft\Windows\CurrentVersion\Uninstall\${UI_APP_NAME}"
+
 Unicode True
 
 ######################################################################
@@ -44,10 +51,13 @@ ShowInstDetails Show
 !define MUI_UNICON "${ICON}"
 !define MUI_WELCOMEFINISHPAGE_BITMAP "${BANNER}"
 !define MUI_UNWELCOMEFINISHPAGE_BITMAP "${BANNER}"
-
+!define MUI_FINISHPAGE_RUN
+!define MUI_FINISHPAGE_RUN_TEXT "Start ${UI_APP_NAME}"
+!define MUI_FINISHPAGE_RUN_FUNCTION "LaunchLink"
 ######################################################################
 
 !include "MUI2.nsh"
+!include LogicLib.nsh
 
 !define MUI_ABORTWARNING
 !define MUI_UNABORTWARNING
@@ -72,11 +82,71 @@ ShowInstDetails Show
 
 ######################################################################
 
+Function GetAppFromCommand
+Exch $1
+Push $2
+StrCpy $2 $1 1 0
+StrCmp $2 '"' 0 done
+Push $3
+StrCpy $3 ""
+loop:
+    IntOp $3 $3 + 1
+    StrCpy $2 $1 1 $3
+    StrCmp $2 '' +2
+    StrCmp $2 '"' 0 loop
+    StrCpy $1 $1 $3
+    StrCpy $1 $1 "" 1 ; Remove starting quote
+Pop $3
+done:
+Pop $2
+Exch $1
+FunctionEnd
+!macro GetAppFromCommand in out
+Push "${in}"
+Call GetAppFromCommand
+Pop ${out}
+!macroend
+
+!macro UninstallPreviousNSIS UninstCommand CustomParameters
+Push $0
+Push $1
+Push $2
+Push '${CustomParameters}'
+Push '${UninstCommand}'
+Call GetAppFromCommand ; Remove quotes and parameters from UninstCommand
+Pop $0
+Pop $1
+GetFullPathName $2 "$0\.."
+ExecWait '"$0" $1 _?=$2'
+Delete "$0" ; Extra cleanup because we used _?=
+RMDir "$2"
+Pop $2
+Pop $1
+Pop $0
+!macroend
+
+Function .onInit
+
+ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wiretrustee" "UninstallString"
+${If} $R0 != ""
+    MessageBox MB_YESNO|MB_ICONQUESTION "Wiretrustee is installed. We must remove it before installing Netbird. Procced?" IDNO noWTUninstOld
+    !insertmacro UninstallPreviousNSIS $R0 "/NoMsgBox"
+    noWTUninstOld:
+${EndIf}
+
+ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
+${If} $R0 != ""
+    MessageBox MB_YESNO|MB_ICONQUESTION "$(^NAME) is already installed. Do you want to remove the previous version?" IDNO noUninstOld
+    !insertmacro UninstallPreviousNSIS $R0 "/NoMsgBox"
+    noUninstOld:
+${EndIf}
+FunctionEnd
+######################################################################
 Section -MainProgram
 	${INSTALL_TYPE}
 	SetOverwrite ifnewer
 	SetOutPath "$INSTDIR"
-	File /r "..\\dist\\wiretrustee_windows_amd64\\"
+	File /r "..\\dist\\netbird_windows_amd64\\"
 
 SectionEnd
 
@@ -84,19 +154,27 @@ SectionEnd
 
 Section -Icons_Reg
 SetOutPath "$INSTDIR"
-WriteUninstaller "$INSTDIR\wiretrustee_uninstall.exe"
+WriteUninstaller "$INSTDIR\netbird_uninstall.exe"
 
 WriteRegStr ${REG_ROOT} "${REG_APP_PATH}" "" "$INSTDIR\${MAIN_APP_EXE}"
 WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "DisplayName" "${APP_NAME}"
-WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "UninstallString" "$INSTDIR\wiretrustee_uninstall.exe"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "UninstallString" "$INSTDIR\netbird_uninstall.exe"
 WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "DisplayIcon" "$INSTDIR\${MAIN_APP_EXE}"
 WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "DisplayVersion" "${VERSION}"
 WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "Publisher" "${COMP_NAME}"
 
+WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"
+
 EnVar::SetHKLM
 EnVar::AddValueEx "path" "$INSTDIR"
 
-Exec '"$INSTDIR\${MAIN_APP_EXE}" service install'
+SetShellVarContext current
+CreateShortCut "$SMPROGRAMS\${APP_NAME}.lnk" "$INSTDIR\${UI_APP_EXE}"
+CreateShortCut "$DESKTOP\${APP_NAME}.lnk" "$INSTDIR\${UI_APP_EXE}"
+SetShellVarContext all
+
+ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service install'
+Exec '"$INSTDIR\${MAIN_APP_EXE}" service start'
 # sleep a bit for visibility
 Sleep 1000
 SectionEnd
@@ -106,14 +184,29 @@ SectionEnd
 Section Uninstall
 ${INSTALL_TYPE}
 
-Exec '"$INSTDIR\${MAIN_APP_EXE}" service stop'
+ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service stop'
 Exec '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
+# kill ui client
+ExecWait `taskkill /im ${UI_APP_EXE}.exe`
 # wait the service uninstall take unblock the executable
 Sleep 3000
 RmDir /r "$INSTDIR"
 
+SetShellVarContext current
+Delete "$DESKTOP\${APP_NAME}.lnk"
+Delete "$SMPROGRAMS\${APP_NAME}.lnk"
+SetShellVarContext all
+
 DeleteRegKey ${REG_ROOT} "${REG_APP_PATH}"
 DeleteRegKey ${REG_ROOT} "${UNINSTALL_PATH}"
 EnVar::SetHKLM
 EnVar::DeleteValue "path" "$INSTDIR"
-SectionEnd
+SectionEnd
+
+
+Function LaunchLink
+SetShellVarContext current
+   SetOutPath $INSTDIR
+   ShellExecAsUser::ShellExecAsUser "" "$DESKTOP\${APP_NAME}.lnk"
+SetShellVarContext all
+FunctionEnd

client/internal/cond.go

@@ -1,32 +0,0 @@
-package internal
-
-import "sync"
-
-// A Cond is a condition variable like sync.Cond, but using a channel so we can use select.
-type Cond struct {
-	once sync.Once
-	C    chan struct{}
-}
-
-// NewCond creates a new condition variable.
-func NewCond() *Cond {
-	return &Cond{C: make(chan struct{})}
-}
-
-// Do runs f if the condition hasn't been signaled yet. Afterwards it will be signaled.
-func (c *Cond) Do(f func()) {
-	c.once.Do(func() {
-		f()
-		close(c.C)
-	})
-}
-
-// Signal closes the condition variable channel.
-func (c *Cond) Signal() {
-	c.Do(func() {})
-}
-
-// Wait waits for the condition variable channel to close.
-func (c *Cond) Wait() {
-	<-c.C
-}

client/internal/config.go

@@ -1,13 +1,18 @@
 package internal
 
 import (
+	"context"
 	"fmt"
-	log "github.com/sirupsen/logrus"
-	"github.com/wiretrustee/wiretrustee/iface"
-	"github.com/wiretrustee/wiretrustee/util"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	mgm "github.com/netbirdio/netbird/management/client"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 	"net/url"
 	"os"
+
+	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/util"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
 var managementURLDefault *url.URL
@@ -17,7 +22,7 @@ func ManagementURLDefault() *url.URL {
 }
 
 func init() {
-	managementURL, err := parseManagementURL("https://api.wiretrustee.com:33073")
+	managementURL, err := parseURL("Management URL", "https://api.wiretrustee.com:33073")
 	if err != nil {
 		panic(err)
 	}
@@ -28,17 +33,19 @@ func init() {
 type Config struct {
 	// Wireguard private key of local peer
 	PrivateKey     string
+	PreSharedKey   string
 	ManagementURL  *url.URL
+	AdminURL       *url.URL
 	WgIface        string
 	IFaceBlackList []string
 }
 
-//createNewConfig creates a new config generating a new Wireguard key and saving to file
-func createNewConfig(managementURL string, configPath string) (*Config, error) {
+// createNewConfig creates a new config generating a new Wireguard key and saving to file
+func createNewConfig(managementURL, adminURL, configPath, preSharedKey string) (*Config, error) {
 	wgKey := generateKey()
 	config := &Config{PrivateKey: wgKey, WgIface: iface.WgInterfaceDefault, IFaceBlackList: []string{}}
 	if managementURL != "" {
-		URL, err := parseManagementURL(managementURL)
+		URL, err := parseURL("Management URL", managementURL)
 		if err != nil {
 			return nil, err
 		}
@@ -47,7 +54,12 @@ func createNewConfig(managementURL string, configPath string) (*Config, error) {
 		config.ManagementURL = managementURLDefault
 	}
 
-	config.IFaceBlackList = []string{iface.WgInterfaceDefault, "tun0"}
+	if preSharedKey != "" {
+		config.PreSharedKey = preSharedKey
+	}
+
+	config.IFaceBlackList = []string{iface.WgInterfaceDefault, "tun0", "zt", "ZeroTier", "utun", "wg", "ts",
+		"Tailscale", "tailscale"}
 
 	err := util.WriteJson(configPath, config)
 	if err != nil {
@@ -57,57 +69,168 @@ func createNewConfig(managementURL string, configPath string) (*Config, error) {
 	return config, nil
 }
 
-func parseManagementURL(managementURL string) (*url.URL, error) {
-
+func parseURL(serviceName, managementURL string) (*url.URL, error) {
 	parsedMgmtURL, err := url.ParseRequestURI(managementURL)
 	if err != nil {
 		log.Errorf("failed parsing management URL %s: [%s]", managementURL, err.Error())
 		return nil, err
 	}
 
-	if !(parsedMgmtURL.Scheme == "https" || parsedMgmtURL.Scheme == "http") {
-		return nil, fmt.Errorf("invalid Management Service URL provided %s. Supported format [http|https]://[host]:[port]", managementURL)
+	if parsedMgmtURL.Scheme != "https" && parsedMgmtURL.Scheme != "http" {
+		return nil, fmt.Errorf(
+			"invalid %s URL provided %s. Supported format [http|https]://[host]:[port]",
+			serviceName, managementURL)
 	}
 
 	return parsedMgmtURL, err
-
 }
 
 // ReadConfig reads existing config. In case provided managementURL is not empty overrides the read property
-func ReadConfig(managementURL string, configPath string) (*Config, error) {
+func ReadConfig(managementURL, adminURL, configPath string, preSharedKey *string) (*Config, error) {
 	config := &Config{}
-	_, err := util.ReadJson(configPath, config)
-	if err != nil {
+	if _, err := os.Stat(configPath); os.IsNotExist(err) {
+		return nil, status.Errorf(codes.NotFound, "config file doesn't exist")
+	}
+
+	if _, err := util.ReadJson(configPath, config); err != nil {
 		return nil, err
 	}
 
-	if managementURL != "" {
-		URL, err := parseManagementURL(managementURL)
+	refresh := false
+
+	if managementURL != "" && config.ManagementURL.String() != managementURL {
+		log.Infof("new Management URL provided, updated to %s (old value %s)",
+			managementURL, config.ManagementURL)
+		newURL, err := parseURL("Management URL", managementURL)
 		if err != nil {
 			return nil, err
 		}
-		config.ManagementURL = URL
+		config.ManagementURL = newURL
+		refresh = true
 	}
 
-	return config, err
+	if adminURL != "" && (config.AdminURL == nil || config.AdminURL.String() != adminURL) {
+		log.Infof("new Admin Panel URL provided, updated to %s (old value %s)",
+			adminURL, config.AdminURL)
+		newURL, err := parseURL("Admin Panel URL", adminURL)
+		if err != nil {
+			return nil, err
+		}
+		config.AdminURL = newURL
+		refresh = true
+	}
+
+	if preSharedKey != nil && config.PreSharedKey != *preSharedKey {
+		log.Infof("new pre-shared key provided, updated to %s (old value %s)",
+			*preSharedKey, config.PreSharedKey)
+		config.PreSharedKey = *preSharedKey
+		refresh = true
+	}
+
+	if refresh {
+		// since we have new management URL, we need to update config file
+		if err := util.WriteJson(configPath, config); err != nil {
+			return nil, err
+		}
+	}
+
+	return config, nil
 }
 
 // GetConfig reads existing config or generates a new one
-func GetConfig(managementURL string, configPath string) (*Config, error) {
-
+func GetConfig(managementURL, adminURL, configPath, preSharedKey string) (*Config, error) {
 	if _, err := os.Stat(configPath); os.IsNotExist(err) {
 		log.Infof("generating new config %s", configPath)
-		return createNewConfig(managementURL, configPath)
+		return createNewConfig(managementURL, adminURL, configPath, preSharedKey)
 	} else {
-		return ReadConfig(managementURL, configPath)
+		// don't overwrite pre-shared key if we receive asterisks from UI
+		pk := &preSharedKey
+		if preSharedKey == "**********" {
+			pk = nil
+		}
+		return ReadConfig(managementURL, adminURL, configPath, pk)
 	}
 }
 
 // generateKey generates a new Wireguard private key
 func generateKey() string {
-	key, err := wgtypes.GenerateKey()
+	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		panic(err)
 	}
 	return key.String()
 }
+
+// DeviceAuthorizationFlow represents Device Authorization Flow information
+type DeviceAuthorizationFlow struct {
+	Provider       string
+	ProviderConfig ProviderConfig
+}
+
+// ProviderConfig has all attributes needed to initiate a device authorization flow
+type ProviderConfig struct {
+	// ClientID An IDP application client id
+	ClientID string
+	// ClientSecret An IDP application client secret
+	ClientSecret string
+	// Domain An IDP API domain
+	Domain string
+	// Audience An Audience for to authorization validation
+	Audience string
+}
+
+func GetDeviceAuthorizationFlowInfo(ctx context.Context, config *Config) (DeviceAuthorizationFlow, error) {
+	// validate our peer's Wireguard PRIVATE key
+	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+	if err != nil {
+		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+		return DeviceAuthorizationFlow{}, err
+	}
+
+	var mgmTlsEnabled bool
+	if config.ManagementURL.Scheme == "https" {
+		mgmTlsEnabled = true
+	}
+
+	log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
+	mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+	if err != nil {
+		log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
+		return DeviceAuthorizationFlow{}, err
+	}
+	log.Debugf("connected to management Service %s", config.ManagementURL.String())
+
+	serverKey, err := mgmClient.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return DeviceAuthorizationFlow{}, err
+	}
+
+	protoDeviceAuthorizationFlow, err := mgmClient.GetDeviceAuthorizationFlow(*serverKey)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
+			log.Warnf("server couldn't find device flow, contact admin: %v", err)
+			return DeviceAuthorizationFlow{}, err
+		} else {
+			log.Errorf("failed to retrieve device flow: %v", err)
+			return DeviceAuthorizationFlow{}, err
+		}
+	}
+
+	err = mgmClient.Close()
+	if err != nil {
+		log.Errorf("failed closing Management Service client: %v", err)
+		return DeviceAuthorizationFlow{}, err
+	}
+
+	return DeviceAuthorizationFlow{
+		Provider: protoDeviceAuthorizationFlow.Provider.String(),
+
+		ProviderConfig: ProviderConfig{
+			Audience:     protoDeviceAuthorizationFlow.ProviderConfig.Audience,
+			ClientID:     protoDeviceAuthorizationFlow.ProviderConfig.ClientID,
+			ClientSecret: protoDeviceAuthorizationFlow.ProviderConfig.ClientSecret,
+			Domain:       protoDeviceAuthorizationFlow.ProviderConfig.Domain,
+		},
+	}, nil
+}

client/internal/config_test.go

@@ -0,0 +1,60 @@
+package internal
+
+import (
+	"errors"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/netbirdio/netbird/util"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestReadConfig(t *testing.T) {
+}
+
+func TestGetConfig(t *testing.T) {
+	managementURL := "https://test.management.url:33071"
+	adminURL := "https://app.admin.url"
+	path := filepath.Join(t.TempDir(), "config.json")
+	preSharedKey := "preSharedKey"
+
+	// case 1: new config has to be generated
+	config, err := GetConfig(managementURL, adminURL, path, preSharedKey)
+	if err != nil {
+		return
+	}
+
+	assert.Equal(t, config.ManagementURL.String(), managementURL)
+	assert.Equal(t, config.PreSharedKey, preSharedKey)
+
+	if _, err := os.Stat(path); errors.Is(err, os.ErrNotExist) {
+		t.Errorf("config file was expected to be created under path %s", path)
+	}
+
+	// case 2: existing config -> fetch it
+	config, err = GetConfig(managementURL, adminURL, path, preSharedKey)
+	if err != nil {
+		return
+	}
+
+	assert.Equal(t, config.ManagementURL.String(), managementURL)
+	assert.Equal(t, config.PreSharedKey, preSharedKey)
+
+	// case 3: existing config, but new managementURL has been provided -> update config
+	newManagementURL := "https://test.newManagement.url:33071"
+	config, err = GetConfig(newManagementURL, adminURL, path, preSharedKey)
+	if err != nil {
+		return
+	}
+
+	assert.Equal(t, config.ManagementURL.String(), newManagementURL)
+	assert.Equal(t, config.PreSharedKey, preSharedKey)
+
+	// read once more to make sure that config file has been updated with the new management URL
+	readConf, err := util.ReadJson(path, config)
+	if err != nil {
+		return
+	}
+	assert.Equal(t, readConf.(*Config).ManagementURL.String(), newManagementURL)
+}

client/internal/connect.go

@@ -0,0 +1,204 @@
+package internal
+
+import (
+	"context"
+	"time"
+
+	"github.com/netbirdio/netbird/client/system"
+
+	"github.com/netbirdio/netbird/iface"
+	mgm "github.com/netbirdio/netbird/management/client"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+	signal "github.com/netbirdio/netbird/signal/client"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/cenkalti/backoff/v4"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// RunClient with main logic.
+func RunClient(ctx context.Context, config *Config) error {
+	backOff := &backoff.ExponentialBackOff{
+		InitialInterval:     time.Second,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         10 * time.Second,
+		MaxElapsedTime:      24 * 3 * time.Hour, // stop the client after 3 days trying (must be a huge problem, e.g permission denied)
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}
+
+	state := CtxGetState(ctx)
+	defer func() {
+		s, err := state.Status()
+		if err != nil || s != StatusNeedsLogin {
+			state.Set(StatusIdle)
+		}
+	}()
+
+	wrapErr := state.Wrap
+	operation := func() error {
+		// if context cancelled we not start new backoff cycle
+		select {
+		case <-ctx.Done():
+			return nil
+		default:
+		}
+
+		state.Set(StatusConnecting)
+		// validate our peer's Wireguard PRIVATE key
+		myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+		if err != nil {
+			log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+			return wrapErr(err)
+		}
+
+		var mgmTlsEnabled bool
+		if config.ManagementURL.Scheme == "https" {
+			mgmTlsEnabled = true
+		}
+
+		engineCtx, cancel := context.WithCancel(ctx)
+		defer cancel()
+
+		// connect (just a connection, no stream yet) and login to Management Service to get an initial global Wiretrustee config
+		mgmClient, loginResp, err := connectToManagement(engineCtx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+		if err != nil {
+			log.Debug(err)
+			if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+				log.Info("peer registration required. Please run `netbird status` for details")
+				state.Set(StatusNeedsLogin)
+				return nil
+			}
+			return wrapErr(err)
+		}
+
+		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
+		signalClient, err := connectToSignal(engineCtx, loginResp.GetWiretrusteeConfig(), myPrivateKey)
+		if err != nil {
+			log.Error(err)
+			return wrapErr(err)
+		}
+
+		peerConfig := loginResp.GetPeerConfig()
+
+		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig)
+		if err != nil {
+			log.Error(err)
+			return wrapErr(err)
+		}
+
+		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, engineConfig)
+		err = engine.Start()
+		if err != nil {
+			log.Errorf("error while starting Netbird Connection Engine: %s", err)
+			return wrapErr(err)
+		}
+
+		log.Print("Netbird engine started, my IP is: ", peerConfig.Address)
+		state.Set(StatusConnected)
+
+		<-engineCtx.Done()
+
+		backOff.Reset()
+
+		err = mgmClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Management Service client %v", err)
+			return wrapErr(err)
+		}
+		err = signalClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Signal Service client %v", err)
+			return wrapErr(err)
+		}
+
+		err = engine.Stop()
+		if err != nil {
+			log.Errorf("failed stopping engine %v", err)
+			return wrapErr(err)
+		}
+
+		log.Info("stopped Netbird client")
+
+		if _, err := state.Status(); err == ErrResetConnection {
+			return err
+		}
+
+		return nil
+	}
+
+	err := backoff.Retry(operation, backOff)
+	if err != nil {
+		log.Errorf("exiting client retry loop due to unrecoverable error: %s", err)
+		return err
+	}
+	return nil
+}
+
+// createEngineConfig converts configuration received from Management Service to EngineConfig
+func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
+
+	engineConf := &EngineConfig{
+		WgIfaceName:    config.WgIface,
+		WgAddr:         peerConfig.Address,
+		IFaceBlackList: config.IFaceBlackList,
+		WgPrivateKey:   key,
+		WgPort:         iface.DefaultWgPort,
+	}
+
+	if config.PreSharedKey != "" {
+		preSharedKey, err := wgtypes.ParseKey(config.PreSharedKey)
+		if err != nil {
+			return nil, err
+		}
+		engineConf.PreSharedKey = &preSharedKey
+	}
+
+	return engineConf, nil
+}
+
+// connectToSignal creates Signal Service client and established a connection
+func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig, ourPrivateKey wgtypes.Key) (*signal.GrpcClient, error) {
+	var sigTLSEnabled bool
+	if wtConfig.Signal.Protocol == mgmProto.HostConfig_HTTPS {
+		sigTLSEnabled = true
+	} else {
+		sigTLSEnabled = false
+	}
+
+	signalClient, err := signal.NewClient(ctx, wtConfig.Signal.Uri, ourPrivateKey, sigTLSEnabled)
+	if err != nil {
+		log.Errorf("error while connecting to the Signal Exchange Service %s: %s", wtConfig.Signal.Uri, err)
+		return nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Signal Service : %s", err)
+	}
+
+	return signalClient, nil
+}
+
+// connectToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
+func connectToManagement(ctx context.Context, managementAddr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*mgm.GrpcClient, *mgmProto.LoginResponse, error) {
+	log.Debugf("connecting to Management Service %s", managementAddr)
+	client, err := mgm.NewClient(ctx, managementAddr, ourPrivateKey, tlsEnabled)
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err)
+	}
+	log.Debugf("connected to management server %s", managementAddr)
+
+	serverPublicKey, err := client.GetServerPublicKey()
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
+	}
+
+	sysInfo := system.GetInfo(ctx)
+	loginResp, err := client.Login(*serverPublicKey, sysInfo)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	log.Debugf("peer logged in to Management Service %s", managementAddr)
+
+	return client, loginResp, nil
+}

client/internal/connection.go

@@ -1,423 +0,0 @@
-package internal
-
-import (
-	"context"
-	"fmt"
-	ice "github.com/pion/ice/v2"
-	log "github.com/sirupsen/logrus"
-	"github.com/wiretrustee/wiretrustee/iface"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"net"
-	"sync"
-	"time"
-)
-
-var (
-	// DefaultWgKeepAlive default Wireguard keep alive constant
-	DefaultWgKeepAlive = 20 * time.Second
-	privateIPBlocks    []*net.IPNet
-)
-
-type Status string
-
-const (
-	StatusConnected    Status = "Connected"
-	StatusConnecting   Status = "Connecting"
-	StatusDisconnected Status = "Disconnected"
-)
-
-func init() {
-	for _, cidr := range []string{
-		"127.0.0.0/8",    // IPv4 loopback
-		"10.0.0.0/8",     // RFC1918
-		"172.16.0.0/12",  // RFC1918
-		"192.168.0.0/16", // RFC1918
-		"169.254.0.0/16", // RFC3927 link-local
-		"::1/128",        // IPv6 loopback
-		"fe80::/10",      // IPv6 link-local
-		"fc00::/7",       // IPv6 unique local addr
-	} {
-		_, block, err := net.ParseCIDR(cidr)
-		if err != nil {
-			panic(fmt.Errorf("parse error on %q: %v", cidr, err))
-		}
-		privateIPBlocks = append(privateIPBlocks, block)
-	}
-}
-
-// ConnConfig Connection configuration struct
-type ConnConfig struct {
-	// Local Wireguard listening address  e.g. 127.0.0.1:51820
-	WgListenAddr string
-	// A Local Wireguard Peer IP address in CIDR notation e.g. 10.30.30.1/24
-	WgPeerIP string
-	// Local Wireguard Interface name (e.g. wg0)
-	WgIface string
-	// Wireguard allowed IPs (e.g. 10.30.30.2/32)
-	WgAllowedIPs string
-	// Local Wireguard private key
-	WgKey wgtypes.Key
-	// Remote Wireguard public key
-	RemoteWgKey wgtypes.Key
-
-	StunTurnURLS []*ice.URL
-
-	iFaceBlackList map[string]struct{}
-}
-
-// IceCredentials ICE protocol credentials struct
-type IceCredentials struct {
-	uFrag string
-	pwd   string
-}
-
-// Connection Holds information about a connection and handles signal protocol
-type Connection struct {
-	Config ConnConfig
-	// signalCandidate is a handler function to signal remote peer about local connection candidate
-	signalCandidate func(candidate ice.Candidate) error
-
-	// signalOffer is a handler function to signal remote peer our connection offer (credentials)
-	signalOffer func(uFrag string, pwd string) error
-
-	// signalOffer is a handler function to signal remote peer our connection answer (credentials)
-	signalAnswer func(uFrag string, pwd string) error
-
-	// remoteAuthChannel is a channel used to wait for remote credentials to proceed with the connection
-	remoteAuthChannel chan IceCredentials
-
-	// agent is an actual ice.Agent that is used to negotiate and maintain a connection to a remote peer
-	agent *ice.Agent
-
-	wgProxy *WgProxy
-
-	connected *Cond
-	closeCond *Cond
-
-	remoteAuthCond sync.Once
-
-	Status Status
-}
-
-// NewConnection Creates a new connection and sets handling functions for signal protocol
-func NewConnection(config ConnConfig,
-	signalCandidate func(candidate ice.Candidate) error,
-	signalOffer func(uFrag string, pwd string) error,
-	signalAnswer func(uFrag string, pwd string) error,
-) *Connection {
-
-	return &Connection{
-		Config:            config,
-		signalCandidate:   signalCandidate,
-		signalOffer:       signalOffer,
-		signalAnswer:      signalAnswer,
-		remoteAuthChannel: make(chan IceCredentials, 1),
-		closeCond:         NewCond(),
-		connected:         NewCond(),
-		agent:             nil,
-		wgProxy:           NewWgProxy(config.WgIface, config.RemoteWgKey.String(), config.WgAllowedIPs, config.WgListenAddr),
-		Status:            StatusDisconnected,
-	}
-}
-
-// Open opens connection to a remote peer.
-// Will block until the connection has successfully established
-func (conn *Connection) Open(timeout time.Duration) error {
-
-	// create an ice.Agent that will be responsible for negotiating and establishing actual peer-to-peer connection
-	a, err := ice.NewAgent(&ice.AgentConfig{
-		// MulticastDNSMode: ice.MulticastDNSModeQueryAndGather,
-		NetworkTypes:   []ice.NetworkType{ice.NetworkTypeUDP4},
-		Urls:           conn.Config.StunTurnURLS,
-		CandidateTypes: []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
-		InterfaceFilter: func(s string) bool {
-			if conn.Config.iFaceBlackList == nil {
-				return true
-			}
-			_, ok := conn.Config.iFaceBlackList[s]
-			return !ok
-		},
-	})
-	if err != nil {
-		return err
-	}
-
-	conn.agent = a
-	defer func() {
-		err := conn.agent.Close()
-		if err != nil {
-			return
-		}
-	}()
-
-	err = conn.listenOnLocalCandidates()
-	if err != nil {
-		return err
-	}
-
-	err = conn.listenOnConnectionStateChanges()
-	if err != nil {
-		return err
-	}
-
-	err = conn.signalCredentials()
-	if err != nil {
-		return err
-	}
-
-	conn.Status = StatusConnecting
-	log.Debugf("trying to connect to peer %s", conn.Config.RemoteWgKey.String())
-
-	// wait until credentials have been sent from the remote peer (will arrive via a signal server)
-	select {
-	case remoteAuth := <-conn.remoteAuthChannel:
-
-		log.Debugf("got a connection confirmation from peer %s", conn.Config.RemoteWgKey.String())
-
-		err = conn.agent.GatherCandidates()
-		if err != nil {
-			return err
-		}
-
-		isControlling := conn.Config.WgKey.PublicKey().String() > conn.Config.RemoteWgKey.String()
-		var remoteConn *ice.Conn
-		remoteConn, err = conn.openConnectionToRemote(isControlling, remoteAuth)
-		if err != nil {
-			log.Errorf("failed establishing connection with the remote peer %s %s", conn.Config.RemoteWgKey.String(), err)
-			return err
-		}
-
-		var pair *ice.CandidatePair
-		pair, err = conn.agent.GetSelectedCandidatePair()
-		if err != nil {
-			return err
-		}
-
-		useProxy := useProxy(pair)
-
-		// in case the remote peer is in the local network or one of the peers has public static IP -> no need for a Wireguard proxy, direct communication is possible.
-		if !useProxy {
-			log.Debugf("it is possible to establish a direct connection (without proxy) to peer %s - my addr: %s, remote addr: %s", conn.Config.RemoteWgKey.String(), pair.Local, pair.Remote)
-			err = conn.wgProxy.StartLocal(fmt.Sprintf("%s:%d", pair.Remote.Address(), iface.WgPort))
-			if err != nil {
-				return err
-			}
-
-		} else {
-			log.Debugf("establishing secure tunnel to peer %s via selected candidate pair %s", conn.Config.RemoteWgKey.String(), pair)
-			err = conn.wgProxy.Start(remoteConn)
-			if err != nil {
-				return err
-			}
-		}
-
-		relayed := pair.Remote.Type() == ice.CandidateTypeRelay || pair.Local.Type() == ice.CandidateTypeRelay
-
-		conn.Status = StatusConnected
-		log.Infof("opened connection to peer %s [localProxy=%v, relayed=%v]", conn.Config.RemoteWgKey.String(), useProxy, relayed)
-	case <-conn.closeCond.C:
-		conn.Status = StatusDisconnected
-		return fmt.Errorf("connection to peer %s has been closed", conn.Config.RemoteWgKey.String())
-	case <-time.After(timeout):
-		err = conn.Close()
-		if err != nil {
-			log.Warnf("error while closing connection to peer %s -> %s", conn.Config.RemoteWgKey.String(), err.Error())
-		}
-		conn.Status = StatusDisconnected
-		return fmt.Errorf("timeout of %vs exceeded while waiting for the remote peer %s", timeout.Seconds(), conn.Config.RemoteWgKey.String())
-	}
-
-	// wait until connection has been closed
-	<-conn.closeCond.C
-	conn.Status = StatusDisconnected
-	return fmt.Errorf("connection to peer %s has been closed", conn.Config.RemoteWgKey.String())
-}
-
-func isPublicIP(ip net.IP) bool {
-	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
-		return false
-	}
-
-	for _, block := range privateIPBlocks {
-		if block.Contains(ip) {
-			return false
-		}
-	}
-	return true
-}
-
-//useProxy determines whether a direct connection (without a go proxy) is possible
-//There are 3 cases: one of the peers has a public IP or both peers are in the same private network
-//Please note, that this check happens when peers were already able to ping each other with ICE layer.
-func useProxy(pair *ice.CandidatePair) bool {
-	remoteIP := net.ParseIP(pair.Remote.Address())
-	myIp := net.ParseIP(pair.Local.Address())
-	remoteIsPublic := isPublicIP(remoteIP)
-	myIsPublic := isPublicIP(myIp)
-
-	//one of the hosts has a public IP
-	if remoteIsPublic && pair.Remote.Type() == ice.CandidateTypeHost {
-		return false
-	}
-	if myIsPublic && pair.Local.Type() == ice.CandidateTypeHost {
-		return false
-	}
-
-	if pair.Local.Type() == ice.CandidateTypeHost && pair.Remote.Type() == ice.CandidateTypeHost {
-		if !remoteIsPublic && !myIsPublic {
-			//both hosts are in the same private network
-			return false
-		}
-	}
-
-	return true
-}
-
-// Close Closes a peer connection
-func (conn *Connection) Close() error {
-	var err error
-	conn.closeCond.Do(func() {
-
-		log.Debugf("closing connection to peer %s", conn.Config.RemoteWgKey.String())
-
-		if a := conn.agent; a != nil {
-			e := a.Close()
-			if e != nil {
-				log.Warnf("error while closing ICE agent of peer connection %s", conn.Config.RemoteWgKey.String())
-				err = e
-			}
-		}
-
-		if c := conn.wgProxy; c != nil {
-			e := c.Close()
-			if e != nil {
-				log.Warnf("error while closingWireguard proxy connection of peer connection %s", conn.Config.RemoteWgKey.String())
-				err = e
-			}
-		}
-	})
-	return err
-}
-
-// OnAnswer Handles the answer from the other peer
-func (conn *Connection) OnAnswer(remoteAuth IceCredentials) error {
-
-	conn.remoteAuthCond.Do(func() {
-		log.Debugf("OnAnswer from peer %s", conn.Config.RemoteWgKey.String())
-		conn.remoteAuthChannel <- remoteAuth
-	})
-	return nil
-}
-
-// OnOffer Handles the offer from the other peer
-func (conn *Connection) OnOffer(remoteAuth IceCredentials) error {
-
-	conn.remoteAuthCond.Do(func() {
-		log.Debugf("OnOffer from peer %s", conn.Config.RemoteWgKey.String())
-		conn.remoteAuthChannel <- remoteAuth
-		uFrag, pwd, err := conn.agent.GetLocalUserCredentials()
-		if err != nil { //nolint
-		}
-
-		err = conn.signalAnswer(uFrag, pwd)
-		if err != nil { //nolint
-		}
-	})
-
-	return nil
-}
-
-// OnRemoteCandidate Handles remote candidate provided by the peer.
-func (conn *Connection) OnRemoteCandidate(candidate ice.Candidate) error {
-
-	log.Debugf("onRemoteCandidate from peer %s -> %s", conn.Config.RemoteWgKey.String(), candidate.String())
-
-	err := conn.agent.AddRemoteCandidate(candidate)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// openConnectionToRemote opens an ice.Conn to the remote peer. This is a real peer-to-peer connection
-// blocks until connection has been established
-func (conn *Connection) openConnectionToRemote(isControlling bool, credentials IceCredentials) (*ice.Conn, error) {
-	var realConn *ice.Conn
-	var err error
-
-	if isControlling {
-		realConn, err = conn.agent.Dial(context.TODO(), credentials.uFrag, credentials.pwd)
-	} else {
-		realConn, err = conn.agent.Accept(context.TODO(), credentials.uFrag, credentials.pwd)
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	return realConn, err
-}
-
-// signalCredentials prepares local user credentials and signals them to the remote peer
-func (conn *Connection) signalCredentials() error {
-	localUFrag, localPwd, err := conn.agent.GetLocalUserCredentials()
-	if err != nil {
-		return err
-	}
-
-	err = conn.signalOffer(localUFrag, localPwd)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// listenOnLocalCandidates registers callback of an ICE Agent to receive new local connection candidates and then
-// signals them to the remote peer
-func (conn *Connection) listenOnLocalCandidates() error {
-	err := conn.agent.OnCandidate(func(candidate ice.Candidate) {
-		if candidate != nil {
-			log.Debugf("discovered local candidate %s", candidate.String())
-			err := conn.signalCandidate(candidate)
-			if err != nil {
-				log.Errorf("failed signaling candidate to the remote peer %s %s", conn.Config.RemoteWgKey.String(), err)
-				//todo ??
-				return
-			}
-		}
-	})
-
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// listenOnConnectionStateChanges registers callback of an ICE Agent to track connection state
-func (conn *Connection) listenOnConnectionStateChanges() error {
-	err := conn.agent.OnConnectionStateChange(func(state ice.ConnectionState) {
-		log.Debugf("ICE Connection State has changed for peer %s -> %s", conn.Config.RemoteWgKey.String(), state.String())
-		if state == ice.ConnectionStateConnected {
-			// closed the connection has been established we can check the selected candidate pair
-			pair, err := conn.agent.GetSelectedCandidatePair()
-			if err != nil {
-				log.Errorf("failed selecting active ICE candidate pair %s", err)
-				return
-			}
-			log.Debugf("ICE connected to peer %s via a selected connnection candidate pair %s", conn.Config.RemoteWgKey.String(), pair)
-		} else if state == ice.ConnectionStateDisconnected || state == ice.ConnectionStateFailed {
-			err := conn.Close()
-			if err != nil {
-				log.Warnf("error while closing connection to peer %s -> %s", conn.Config.RemoteWgKey.String(), err.Error())
-			}
-		}
-	})
-
-	if err != nil {
-		return err
-	}
-
-	return nil
-}

client/internal/engine.go

@@ -3,54 +3,72 @@ package internal
 import (
 	"context"
 	"fmt"
-	"github.com/cenkalti/backoff/v4"
-	"github.com/pion/ice/v2"
-	log "github.com/sirupsen/logrus"
-	"github.com/wiretrustee/wiretrustee/iface"
-	mgm "github.com/wiretrustee/wiretrustee/management/client"
-	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
-	signal "github.com/wiretrustee/wiretrustee/signal/client"
-	sProto "github.com/wiretrustee/wiretrustee/signal/proto"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"math/rand"
+	"net"
 	"strings"
 	"sync"
 	"time"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/proxy"
+	"github.com/netbirdio/netbird/iface"
+	mgm "github.com/netbirdio/netbird/management/client"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+	signal "github.com/netbirdio/netbird/signal/client"
+	sProto "github.com/netbirdio/netbird/signal/proto"
+	"github.com/netbirdio/netbird/util"
+	"github.com/pion/ice/v2"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
-// PeerConnectionTimeout is a timeout of an initial connection attempt to a remote peer.
-// E.g. this peer will wait PeerConnectionTimeout for the remote peer to respond, if not successful then it will retry the connection attempt.
-const PeerConnectionTimeout = 40 * time.Second
+// PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
+// E.g. this peer will wait PeerConnectionTimeoutMax for the remote peer to respond,
+// if not successful then it will retry the connection attempt.
+// Todo pass timeout at EnginConfig
+const (
+	PeerConnectionTimeoutMax = 45000 // ms
+	PeerConnectionTimeoutMin = 30000 // ms
+)
+
+var ErrResetConnection = fmt.Errorf("reset connection")
 
 // EngineConfig is a config for the Engine
 type EngineConfig struct {
-	WgIface string
-	// WgAddr is a Wireguard local address (Wiretrustee Network IP)
+	WgPort      int
+	WgIfaceName string
+
+	// WgAddr is a Wireguard local address (Netbird Network IP)
 	WgAddr string
+
 	// WgPrivateKey is a Wireguard private key of our peer (it MUST never leave the machine)
 	WgPrivateKey wgtypes.Key
+
 	// IFaceBlackList is a list of network interfaces to ignore when discovering connection candidates (ICE related)
-	IFaceBlackList map[string]struct{}
+	IFaceBlackList []string
+
+	PreSharedKey *wgtypes.Key
+
+	// UDPMuxPort default value 0 - the system will pick an available port
+	UDPMuxPort int
+
+	// UDPMuxSrflxPort default value 0 - the system will pick an available port
+	UDPMuxSrflxPort int
 }
 
 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
 type Engine struct {
 	// signal is a Signal Service client
-	signal *signal.Client
+	signal signal.Client
 	// mgmClient is a Management Service client
-	mgmClient *mgm.Client
-	// conns is a collection of remote peer connections indexed by local public key of the remote peers
-	conns map[string]*Connection
+	mgmClient mgm.Client
+	// peerConns is a map that holds all the peers that are known to this peer
+	peerConns map[string]*peer.Conn
 
-	// peerMux is used to sync peer operations (e.g. open connection, peer removal)
-	peerMux *sync.Mutex
 	// syncMsgMux is used to guarantee sequential Management Service message processing
 	syncMsgMux *sync.Mutex
 
 	config *EngineConfig
-
-	// wgPort is a Wireguard local listen port
-	wgPort int
-
 	// STUNs is a list of STUN servers used by ICE
 	STUNs []*ice.URL
 	// TURNs is a list of STUN servers used by ICE
@@ -59,6 +77,16 @@ type Engine struct {
 	cancel context.CancelFunc
 
 	ctx context.Context
+
+	wgInterface *iface.WGIface
+
+	udpMux          ice.UDPMux
+	udpMuxSrflx     ice.UniversalUDPMux
+	udpMuxConn      *net.UDPConn
+	udpMuxConnSrflx *net.UDPConn
+
+	// networkSerial is the latest CurrentSerial (state ID) of the network sent by the Management service
+	networkSerial uint64
 }
 
 // Peer is an instance of the Connection Peer
@@ -68,35 +96,71 @@ type Peer struct {
 }
 
 // NewEngine creates a new Connection Engine
-func NewEngine(signalClient *signal.Client, mgmClient *mgm.Client, config *EngineConfig, cancel context.CancelFunc, ctx context.Context) *Engine {
+func NewEngine(
+	ctx context.Context, cancel context.CancelFunc,
+	signalClient signal.Client, mgmClient mgm.Client, config *EngineConfig,
+) *Engine {
 	return &Engine{
-		signal:     signalClient,
-		mgmClient:  mgmClient,
-		conns:      map[string]*Connection{},
-		peerMux:    &sync.Mutex{},
-		syncMsgMux: &sync.Mutex{},
-		config:     config,
-		STUNs:      []*ice.URL{},
-		TURNs:      []*ice.URL{},
-		cancel:     cancel,
-		ctx:        ctx,
+		ctx:           ctx,
+		cancel:        cancel,
+		signal:        signalClient,
+		mgmClient:     mgmClient,
+		peerConns:     map[string]*peer.Conn{},
+		syncMsgMux:    &sync.Mutex{},
+		config:        config,
+		STUNs:         []*ice.URL{},
+		TURNs:         []*ice.URL{},
+		networkSerial: 0,
 	}
 }
 
 func (e *Engine) Stop() error {
-	err := e.removeAllPeerConnections()
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	err := e.removeAllPeers()
 	if err != nil {
 		return err
 	}
 
-	log.Debugf("removing Wiretrustee interface %s", e.config.WgIface)
-	err = iface.Close()
-	if err != nil {
-		log.Errorf("failed closing Wiretrustee interface %s %v", e.config.WgIface, err)
-		return err
+	// very ugly but we want to remove peers from the WireGuard interface first before removing interface.
+	// Removing peers happens in the conn.CLose() asynchronously
+	time.Sleep(500 * time.Millisecond)
+
+	log.Debugf("removing Netbird interface %s", e.config.WgIfaceName)
+	if e.wgInterface.Interface != nil {
+		err = e.wgInterface.Close()
+		if err != nil {
+			log.Errorf("failed closing Netbird interface %s %v", e.config.WgIfaceName, err)
+			return err
+		}
 	}
 
-	log.Infof("stopped Wiretrustee Engine")
+	if e.udpMux != nil {
+		if err := e.udpMux.Close(); err != nil {
+			log.Debugf("close udp mux: %v", err)
+		}
+	}
+
+	if e.udpMuxSrflx != nil {
+		if err := e.udpMuxSrflx.Close(); err != nil {
+			log.Debugf("close server reflexive udp mux: %v", err)
+		}
+	}
+
+	if e.udpMuxConn != nil {
+		if err := e.udpMuxConn.Close(); err != nil {
+			log.Debugf("close udp mux connection: %v", err)
+		}
+	}
+
+	if e.udpMuxConnSrflx != nil {
+		if err := e.udpMuxConnSrflx.Close(); err != nil {
+			log.Debugf("close server reflexive udp mux connection: %v", err)
+		}
+	}
+
+	log.Infof("stopped Netbird Engine")
 
 	return nil
 }
@@ -105,29 +169,46 @@ func (e *Engine) Stop() error {
 // Connections to remote peers are not established here.
 // However, they will be established once an event with a list of peers to connect to will be received from Management Service
 func (e *Engine) Start() error {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
 
-	wgIface := e.config.WgIface
+	wgIfaceName := e.config.WgIfaceName
 	wgAddr := e.config.WgAddr
 	myPrivateKey := e.config.WgPrivateKey
+	var err error
 
-	err := iface.Create(wgIface, wgAddr)
+	e.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU)
 	if err != nil {
-		log.Errorf("failed creating interface %s: [%s]", wgIface, err.Error())
+		log.Errorf("failed creating wireguard interface instance %s: [%s]", wgIfaceName, err.Error())
 		return err
 	}
 
-	err = iface.Configure(wgIface, myPrivateKey.String())
+	e.udpMuxConn, err = net.ListenUDP("udp4", &net.UDPAddr{Port: e.config.UDPMuxPort})
 	if err != nil {
-		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIface, err.Error())
+		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxPort, err.Error())
 		return err
 	}
 
-	port, err := iface.GetListenPort(wgIface)
+	e.udpMuxConnSrflx, err = net.ListenUDP("udp4", &net.UDPAddr{Port: e.config.UDPMuxSrflxPort})
 	if err != nil {
-		log.Errorf("failed getting Wireguard listen port [%s]: %s", wgIface, err.Error())
+		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxSrflxPort, err.Error())
+		return err
+	}
+
+	e.udpMux = ice.NewUDPMuxDefault(ice.UDPMuxParams{UDPConn: e.udpMuxConn})
+	e.udpMuxSrflx = ice.NewUniversalUDPMuxDefault(ice.UniversalUDPMuxParams{UDPConn: e.udpMuxConnSrflx})
+
+	err = e.wgInterface.Create()
+	if err != nil {
+		log.Errorf("failed creating tunnel interface %s: [%s]", wgIfaceName, err.Error())
+		return err
+	}
+
+	err = e.wgInterface.Configure(myPrivateKey.String(), e.config.WgPort)
+	if err != nil {
+		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIfaceName, err.Error())
 		return err
 	}
-	e.wgPort = *port
 
 	e.receiveSignalEvents()
 	e.receiveManagementEvents()
@@ -135,51 +216,30 @@ func (e *Engine) Start() error {
 	return nil
 }
 
-// initializePeer peer agent attempt to open connection
-func (e *Engine) initializePeer(peer Peer) {
-	var backOff = backoff.WithContext(&backoff.ExponentialBackOff{
-		InitialInterval:     backoff.DefaultInitialInterval,
-		RandomizationFactor: backoff.DefaultRandomizationFactor,
-		Multiplier:          backoff.DefaultMultiplier,
-		MaxInterval:         5 * time.Second,
-		MaxElapsedTime:      0, //never stop
-		Stop:                backoff.Stop,
-		Clock:               backoff.SystemClock,
-	}, e.ctx)
+// modifyPeers updates peers that have been modified (e.g. IP address has been changed).
+// It closes the existing connection, removes it from the peerConns map, and creates a new one.
+func (e *Engine) modifyPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 
-	operation := func() error {
-
-		if e.signal.GetStatus() != signal.StreamConnected {
-			return fmt.Errorf("not opening connection to peer because Signal is unavailable")
-		}
-
-		_, err := e.openPeerConnection(e.wgPort, e.config.WgPrivateKey, peer)
-		e.peerMux.Lock()
-		defer e.peerMux.Unlock()
-		if _, ok := e.conns[peer.WgPubKey]; !ok {
-			log.Debugf("removed connection attempt to peer: %v, not retrying", peer.WgPubKey)
-			return nil
+	// first, check if peers have been modified
+	var modified []*mgmProto.RemotePeerConfig
+	for _, p := range peersUpdate {
+		if peerConn, ok := e.peerConns[p.GetWgPubKey()]; ok {
+			if peerConn.GetConf().ProxyConfig.AllowedIps != strings.Join(p.AllowedIps, ",") {
+				modified = append(modified, p)
+			}
 		}
+	}
 
+	// second, close all modified connections and remove them from the state map
+	for _, p := range modified {
+		err := e.removePeer(p.GetWgPubKey())
 		if err != nil {
-			log.Debugf("retrying connection because of error: %s", err.Error())
 			return err
 		}
-		return nil
 	}
-
-	err := backoff.Retry(operation, backOff)
-	if err != nil {
-		// should actually never happen
-		panic(err)
-	}
-}
-
-func (e *Engine) removePeerConnections(peers []string) error {
-	e.peerMux.Lock()
-	defer e.peerMux.Unlock()
-	for _, peer := range peers {
-		err := e.removePeerConnection(peer)
+	// third, add the peer connections again
+	for _, p := range modified {
+		err := e.addNewPeer(p)
 		if err != nil {
 			return err
 		}
@@ -187,12 +247,35 @@ func (e *Engine) removePeerConnections(peers []string) error {
 	return nil
 }
 
-func (e *Engine) removeAllPeerConnections() error {
+// removePeers finds and removes peers that do not exist anymore in the network map received from the Management Service.
+// It also removes peers that have been modified (e.g. change of IP address). They will be added again in addPeers method.
+func (e *Engine) removePeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
+	currentPeers := make([]string, 0, len(e.peerConns))
+	for p := range e.peerConns {
+		currentPeers = append(currentPeers, p)
+	}
+
+	newPeers := make([]string, 0, len(peersUpdate))
+	for _, p := range peersUpdate {
+		newPeers = append(newPeers, p.GetWgPubKey())
+	}
+
+	toRemove := util.SliceDiff(currentPeers, newPeers)
+
+	for _, p := range toRemove {
+		err := e.removePeer(p)
+		if err != nil {
+			return err
+		}
+		log.Infof("removed peer %s", p)
+	}
+	return nil
+}
+
+func (e *Engine) removeAllPeers() error {
 	log.Debugf("removing all peer connections")
-	e.peerMux.Lock()
-	defer e.peerMux.Unlock()
-	for peer := range e.conns {
-		err := e.removePeerConnection(peer)
+	for p := range e.peerConns {
+		err := e.removePeer(p)
 		if err != nil {
 			return err
 		}
@@ -200,69 +283,62 @@ func (e *Engine) removeAllPeerConnections() error {
 	return nil
 }
 
-// removePeerConnection closes existing peer connection and removes peer
-func (e *Engine) removePeerConnection(peerKey string) error {
-	conn, exists := e.conns[peerKey]
-	if exists && conn != nil {
-		delete(e.conns, peerKey)
-		return conn.Close()
+// removePeer closes an existing peer connection and removes a peer
+func (e *Engine) removePeer(peerKey string) error {
+	log.Debugf("removing peer from engine %s", peerKey)
+	conn, exists := e.peerConns[peerKey]
+	if exists {
+		delete(e.peerConns, peerKey)
+		err := conn.Close()
+		if err != nil {
+			switch err.(type) {
+			case *peer.ConnectionAlreadyClosedError:
+				return nil
+			default:
+				return err
+			}
+		}
 	}
-	log.Infof("removed connection to peer %s", peerKey)
 	return nil
 }
 
 // GetPeerConnectionStatus returns a connection Status or nil if peer connection wasn't found
-func (e *Engine) GetPeerConnectionStatus(peerKey string) *Status {
-	e.peerMux.Lock()
-	defer e.peerMux.Unlock()
-
-	conn, exists := e.conns[peerKey]
+func (e *Engine) GetPeerConnectionStatus(peerKey string) peer.ConnStatus {
+	conn, exists := e.peerConns[peerKey]
 	if exists && conn != nil {
-		return &conn.Status
+		return conn.Status()
 	}
 
-	return nil
+	return -1
 }
 
-// openPeerConnection opens a new remote peer connection
-func (e *Engine) openPeerConnection(wgPort int, myKey wgtypes.Key, peer Peer) (*Connection, error) {
-	e.peerMux.Lock()
+func (e *Engine) GetPeers() []string {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
 
-	remoteKey, _ := wgtypes.ParseKey(peer.WgPubKey)
-	connConfig := &ConnConfig{
-		WgListenAddr:   fmt.Sprintf("127.0.0.1:%d", wgPort),
-		WgPeerIP:       e.config.WgAddr,
-		WgIface:        e.config.WgIface,
-		WgAllowedIPs:   peer.WgAllowedIps,
-		WgKey:          myKey,
-		RemoteWgKey:    remoteKey,
-		StunTurnURLS:   append(e.STUNs, e.TURNs...),
-		iFaceBlackList: e.config.IFaceBlackList,
+	peers := []string{}
+	for s := range e.peerConns {
+		peers = append(peers, s)
 	}
-
-	signalOffer := func(uFrag string, pwd string) error {
-		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, false)
-	}
-
-	signalAnswer := func(uFrag string, pwd string) error {
-		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, true)
-	}
-	signalCandidate := func(candidate ice.Candidate) error {
-		return signalCandidate(candidate, myKey, remoteKey, e.signal)
-	}
-	conn := NewConnection(*connConfig, signalCandidate, signalOffer, signalAnswer)
-	e.conns[remoteKey.String()] = conn
-	e.peerMux.Unlock()
-
-	// blocks until the connection is open (or timeout)
-	err := conn.Open(PeerConnectionTimeout)
-	if err != nil {
-		return nil, err
-	}
-	return conn, nil
+	return peers
 }
 
-func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client) error {
+// GetConnectedPeers returns a connection Status or nil if peer connection wasn't found
+func (e *Engine) GetConnectedPeers() []string {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	peers := []string{}
+	for s, conn := range e.peerConns {
+		if conn.Status() == peer.StatusConnected {
+			peers = append(peers, s)
+		}
+	}
+
+	return peers
+}
+
+func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client) error {
 	err := s.Send(&sProto.Message{
 		Key:       myKey.PublicKey().String(),
 		RemoteKey: remoteKey.String(),
@@ -273,15 +349,14 @@ func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtyp
 	})
 	if err != nil {
 		log.Errorf("failed signaling candidate to the remote peer %s %s", remoteKey.String(), err)
-		//todo ??
+		// todo ??
 		return err
 	}
 
 	return nil
 }
 
-func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client, isAnswer bool) error {
-
+func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client, isAnswer bool) error {
 	var t sProto.Body_Type
 	if isAnswer {
 		t = sProto.Body_ANSWER
@@ -291,7 +366,8 @@ func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.K
 
 	msg, err := signal.MarshalCredential(myKey, remoteKey, &signal.Credential{
 		UFrag: uFrag,
-		Pwd:   pwd}, t)
+		Pwd:   pwd,
+	}, t)
 	if err != nil {
 		return err
 	}
@@ -303,41 +379,66 @@ func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.K
 	return nil
 }
 
+func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	if update.GetWiretrusteeConfig() != nil {
+		err := e.updateTURNs(update.GetWiretrusteeConfig().GetTurns())
+		if err != nil {
+			return err
+		}
+
+		err = e.updateSTUNs(update.GetWiretrusteeConfig().GetStuns())
+		if err != nil {
+			return err
+		}
+
+		// todo update signal
+	}
+
+	if update.GetNetworkMap() != nil {
+		if update.GetNetworkMap().GetPeerConfig() != nil {
+			err := e.updateConfig(update.GetNetworkMap().GetPeerConfig())
+			if err != nil {
+				return err
+			}
+		}
+		// only apply new changes and ignore old ones
+		err := e.updateNetworkMap(update.GetNetworkMap())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
+	if e.wgInterface.Address.String() != conf.Address {
+		oldAddr := e.wgInterface.Address.String()
+		log.Debugf("updating peer address from %s to %s", oldAddr, conf.Address)
+		err := e.wgInterface.UpdateAddr(conf.Address)
+		if err != nil {
+			return err
+		}
+		log.Infof("updated peer address from %s to %s", oldAddr, conf.Address)
+	}
+
+	return nil
+}
+
 // receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
 // E.g. when a new peer has been registered and we are allowed to connect to it.
 func (e *Engine) receiveManagementEvents() {
 	go func() {
 		err := e.mgmClient.Sync(func(update *mgmProto.SyncResponse) error {
-			e.syncMsgMux.Lock()
-			defer e.syncMsgMux.Unlock()
-
-			if update.GetWiretrusteeConfig() != nil {
-				err := e.updateTURNs(update.GetWiretrusteeConfig().GetTurns())
-				if err != nil {
-					return err
-				}
-
-				err = e.updateSTUNs(update.GetWiretrusteeConfig().GetStuns())
-				if err != nil {
-					return err
-				}
-
-				//todo update signal
-			}
-
-			if update.GetRemotePeers() != nil || update.GetRemotePeersIsEmpty() {
-				// empty arrays are serialized by protobuf to null, but for our case empty array is a valid state.
-				err := e.updatePeers(update.GetRemotePeers())
-				if err != nil {
-					return err
-				}
-			}
-
-			return nil
+			return e.handleSync(update)
 		})
 		if err != nil {
 			// happens if management is unavailable for a long time.
 			// We want to cancel the operation of the whole client
+			_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
 			e.cancel()
 			return
 		}
@@ -384,102 +485,202 @@ func (e *Engine) updateTURNs(turns []*mgmProto.ProtectedHostConfig) error {
 	return nil
 }
 
-func (e *Engine) updatePeers(remotePeers []*mgmProto.RemotePeerConfig) error {
-	log.Debugf("got peers update from Management Service, updating")
-	remotePeerMap := make(map[string]struct{})
-	for _, peer := range remotePeers {
-		remotePeerMap[peer.GetWgPubKey()] = struct{}{}
+func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
+	serial := networkMap.GetSerial()
+	if e.networkSerial > serial {
+		log.Debugf("received outdated NetworkMap with serial %d, ignoring", serial)
+		return nil
 	}
 
-	//remove peers that are no longer available for us
-	toRemove := []string{}
-	for p := range e.conns {
-		if _, ok := remotePeerMap[p]; !ok {
-			toRemove = append(toRemove, p)
+	log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(networkMap.GetRemotePeers()))
+
+	// cleanup request, most likely our peer has been deleted
+	if networkMap.GetRemotePeersIsEmpty() {
+		err := e.removeAllPeers()
+		if err != nil {
+			return err
 		}
-	}
-	err := e.removePeerConnections(toRemove)
-	if err != nil {
-		return err
-	}
-
-	// add new peers
-	for _, peer := range remotePeers {
-		peerKey := peer.GetWgPubKey()
-		peerIPs := peer.GetAllowedIps()
-		if _, ok := e.conns[peerKey]; !ok {
-			go e.initializePeer(Peer{
-				WgPubKey:     peerKey,
-				WgAllowedIps: strings.Join(peerIPs, ","),
-			})
+	} else {
+		err := e.removePeers(networkMap.GetRemotePeers())
+		if err != nil {
+			return err
 		}
 
+		err = e.modifyPeers(networkMap.GetRemotePeers())
+		if err != nil {
+			return err
+		}
+
+		err = e.addNewPeers(networkMap.GetRemotePeers())
+		if err != nil {
+			return err
+		}
+	}
+
+	e.networkSerial = serial
+	return nil
+}
+
+// addNewPeers adds peers that were not know before but arrived from the Management service with the update
+func (e *Engine) addNewPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
+	for _, p := range peersUpdate {
+		err := e.addNewPeer(p)
+		if err != nil {
+			return err
+		}
 	}
 	return nil
 }
 
+// addNewPeer add peer if connection doesn't exist
+func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
+	peerKey := peerConfig.GetWgPubKey()
+	peerIPs := peerConfig.GetAllowedIps()
+	if _, ok := e.peerConns[peerKey]; !ok {
+		conn, err := e.createPeerConn(peerKey, strings.Join(peerIPs, ","))
+		if err != nil {
+			return err
+		}
+		e.peerConns[peerKey] = conn
+
+		go e.connWorker(conn, peerKey)
+	}
+	return nil
+}
+
+func (e Engine) connWorker(conn *peer.Conn, peerKey string) {
+	for {
+
+		// randomize starting time a bit
+		min := 500
+		max := 2000
+		time.Sleep(time.Duration(rand.Intn(max-min)+min) * time.Millisecond)
+
+		// if peer has been removed -> give up
+		if !e.peerExists(peerKey) {
+			log.Debugf("peer %s doesn't exist anymore, won't retry connection", peerKey)
+			return
+		}
+
+		if !e.signal.Ready() {
+			log.Infof("signal client isn't ready, skipping connection attempt %s", peerKey)
+			continue
+		}
+
+		err := conn.Open()
+		if err != nil {
+			log.Debugf("connection to peer %s failed: %v", peerKey, err)
+			switch err.(type) {
+			case *peer.ConnectionClosedError:
+				// conn has been forced to close, so we exit the loop
+				return
+			default:
+			}
+		}
+	}
+}
+
+func (e Engine) peerExists(peerKey string) bool {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+	_, ok := e.peerConns[peerKey]
+	return ok
+}
+
+func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, error) {
+	var stunTurn []*ice.URL
+	stunTurn = append(stunTurn, e.STUNs...)
+	stunTurn = append(stunTurn, e.TURNs...)
+
+	proxyConfig := proxy.Config{
+		RemoteKey:    pubKey,
+		WgListenAddr: fmt.Sprintf("127.0.0.1:%d", e.config.WgPort),
+		WgInterface:  e.wgInterface,
+		AllowedIps:   allowedIPs,
+		PreSharedKey: e.config.PreSharedKey,
+	}
+
+	// randomize connection timeout
+	timeout := time.Duration(rand.Intn(PeerConnectionTimeoutMax-PeerConnectionTimeoutMin)+PeerConnectionTimeoutMin) * time.Millisecond
+	config := peer.ConnConfig{
+		Key:                pubKey,
+		LocalKey:           e.config.WgPrivateKey.PublicKey().String(),
+		StunTurn:           stunTurn,
+		InterfaceBlackList: e.config.IFaceBlackList,
+		Timeout:            timeout,
+		UDPMux:             e.udpMux,
+		UDPMuxSrflx:        e.udpMuxSrflx,
+		ProxyConfig:        proxyConfig,
+	}
+
+	peerConn, err := peer.NewConn(config)
+	if err != nil {
+		return nil, err
+	}
+
+	wgPubKey, err := wgtypes.ParseKey(pubKey)
+	if err != nil {
+		return nil, err
+	}
+
+	signalOffer := func(uFrag string, pwd string) error {
+		return signalAuth(uFrag, pwd, e.config.WgPrivateKey, wgPubKey, e.signal, false)
+	}
+
+	signalCandidate := func(candidate ice.Candidate) error {
+		return signalCandidate(candidate, e.config.WgPrivateKey, wgPubKey, e.signal)
+	}
+
+	signalAnswer := func(uFrag string, pwd string) error {
+		return signalAuth(uFrag, pwd, e.config.WgPrivateKey, wgPubKey, e.signal, true)
+	}
+
+	peerConn.SetSignalCandidate(signalCandidate)
+	peerConn.SetSignalOffer(signalOffer)
+	peerConn.SetSignalAnswer(signalAnswer)
+
+	return peerConn, nil
+}
+
 // receiveSignalEvents connects to the Signal Service event stream to negotiate connection with remote peers
 func (e *Engine) receiveSignalEvents() {
-
 	go func() {
 		// connect to a stream of messages coming from the signal server
 		err := e.signal.Receive(func(msg *sProto.Message) error {
-
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()
 
-			conn := e.conns[msg.Key]
+			conn := e.peerConns[msg.Key]
 			if conn == nil {
 				return fmt.Errorf("wrongly addressed message %s", msg.Key)
 			}
 
-			if conn.Config.RemoteWgKey.String() != msg.Key {
-				return fmt.Errorf("unknown peer %s", msg.Key)
-			}
-
 			switch msg.GetBody().Type {
 			case sProto.Body_OFFER:
 				remoteCred, err := signal.UnMarshalCredential(msg)
 				if err != nil {
 					return err
 				}
-				err = conn.OnOffer(IceCredentials{
-					uFrag: remoteCred.UFrag,
-					pwd:   remoteCred.Pwd,
+				conn.OnRemoteOffer(peer.IceCredentials{
+					UFrag: remoteCred.UFrag,
+					Pwd:   remoteCred.Pwd,
 				})
-
-				if err != nil {
-					return err
-				}
-
-				return nil
 			case sProto.Body_ANSWER:
 				remoteCred, err := signal.UnMarshalCredential(msg)
 				if err != nil {
 					return err
 				}
-				err = conn.OnAnswer(IceCredentials{
-					uFrag: remoteCred.UFrag,
-					pwd:   remoteCred.Pwd,
+				conn.OnRemoteAnswer(peer.IceCredentials{
+					UFrag: remoteCred.UFrag,
+					Pwd:   remoteCred.Pwd,
 				})
-
-				if err != nil {
-					return err
-				}
-
 			case sProto.Body_CANDIDATE:
-
 				candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
 				if err != nil {
 					log.Errorf("failed on parsing remote candidate %s -> %s", candidate, err)
 					return err
 				}
-
-				err = conn.OnRemoteCandidate(candidate)
-				if err != nil {
-					log.Errorf("error handling CANDIATE from %s", msg.Key)
-					return err
-				}
+				conn.OnRemoteCandidate(candidate)
 			}
 
 			return nil
@@ -487,6 +688,7 @@ func (e *Engine) receiveSignalEvents() {
 		if err != nil {
 			// happens if signal is unavailable for a long time.
 			// We want to cancel the operation of the whole client
+			_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
 			e.cancel()
 			return
 		}

client/internal/engine_test.go

@@ -0,0 +1,502 @@
+package internal
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/netbirdio/netbird/client/system"
+	mgmt "github.com/netbirdio/netbird/management/client"
+	mgmtProto "github.com/netbirdio/netbird/management/proto"
+	"github.com/netbirdio/netbird/management/server"
+	signal "github.com/netbirdio/netbird/signal/client"
+	"github.com/netbirdio/netbird/signal/proto"
+	signalServer "github.com/netbirdio/netbird/signal/server"
+	"github.com/netbirdio/netbird/util"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/keepalive"
+)
+
+var (
+	kaep = keepalive.EnforcementPolicy{
+		MinTime:             15 * time.Second,
+		PermitWithoutStream: true,
+	}
+
+	kasp = keepalive.ServerParameters{
+		MaxConnectionIdle:     15 * time.Second,
+		MaxConnectionAgeGrace: 5 * time.Second,
+		Time:                  5 * time.Second,
+		Timeout:               2 * time.Second,
+	}
+)
+
+func TestEngine_UpdateNetworkMap(t *testing.T) {
+	// test setup
+	key, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
+		WgIfaceName:  "utun100",
+		WgAddr:       "100.64.0.1/24",
+		WgPrivateKey: key,
+		WgPort:       33100,
+	})
+
+	type testCase struct {
+		name       string
+		networkMap *mgmtProto.NetworkMap
+
+		expectedLen    int
+		expectedPeers  []*mgmtProto.RemotePeerConfig
+		expectedSerial uint64
+	}
+
+	peer1 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.10/24"},
+	}
+
+	peer2 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.11/24"},
+	}
+
+	peer3 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "GGHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.12/24"},
+	}
+
+	modifiedPeer3 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "GGHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.20/24"},
+	}
+
+	case1 := testCase{
+		name: "input with a new peer to add",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     1,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				peer1,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    1,
+		expectedPeers:  []*mgmtProto.RemotePeerConfig{peer1},
+		expectedSerial: 1,
+	}
+
+	// 2nd case - one extra peer added and network map has CurrentSerial grater than local => apply the update
+	case2 := testCase{
+		name: "input with an old peer and a new peer to add",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     2,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				peer1, peer2,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    2,
+		expectedPeers:  []*mgmtProto.RemotePeerConfig{peer1, peer2},
+		expectedSerial: 2,
+	}
+
+	case3 := testCase{
+		name: "input with outdated (old) update to ignore",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     0,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				peer1, peer2, peer3,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    2,
+		expectedPeers:  []*mgmtProto.RemotePeerConfig{peer1, peer2},
+		expectedSerial: 2,
+	}
+
+	case4 := testCase{
+		name: "input with one peer to remove and one new to add",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     4,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				peer2, peer3,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    2,
+		expectedPeers:  []*mgmtProto.RemotePeerConfig{peer2, peer3},
+		expectedSerial: 4,
+	}
+
+	case5 := testCase{
+		name: "input with one peer to modify",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     4,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				modifiedPeer3, peer2,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    2,
+		expectedPeers:  []*mgmtProto.RemotePeerConfig{peer2, modifiedPeer3},
+		expectedSerial: 4,
+	}
+
+	case6 := testCase{
+		name: "input with all peers to remove",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:             5,
+			PeerConfig:         nil,
+			RemotePeers:        []*mgmtProto.RemotePeerConfig{},
+			RemotePeersIsEmpty: true,
+		},
+		expectedLen:    0,
+		expectedPeers:  nil,
+		expectedSerial: 5,
+	}
+
+	for _, c := range []testCase{case1, case2, case3, case4, case5, case6} {
+		t.Run(c.name, func(t *testing.T) {
+			err = engine.updateNetworkMap(c.networkMap)
+			if err != nil {
+				t.Fatal(err)
+				return
+			}
+
+			if len(engine.peerConns) != c.expectedLen {
+				t.Errorf("expecting Engine.peerConns to be of size %d, got %d", c.expectedLen, len(engine.peerConns))
+			}
+
+			if engine.networkSerial != c.expectedSerial {
+				t.Errorf("expecting Engine.networkSerial to be equal to %d, actual %d", c.expectedSerial, engine.networkSerial)
+			}
+
+			for _, p := range c.expectedPeers {
+				conn, ok := engine.peerConns[p.GetWgPubKey()]
+				if !ok {
+					t.Errorf("expecting Engine.peerConns to contain peer %s", p)
+				}
+				expectedAllowedIPs := strings.Join(p.AllowedIps, ",")
+				if conn.GetConf().ProxyConfig.AllowedIps != expectedAllowedIPs {
+					t.Errorf("expecting peer %s to have AllowedIPs= %s, got %s", p.GetWgPubKey(),
+						expectedAllowedIPs, conn.GetConf().ProxyConfig.AllowedIps)
+				}
+			}
+		})
+	}
+}
+
+func TestEngine_Sync(t *testing.T) {
+	key, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// feed updates to Engine via mocked Management client
+	updates := make(chan *mgmtProto.SyncResponse)
+	defer close(updates)
+	syncFunc := func(msgHandler func(msg *mgmtProto.SyncResponse) error) error {
+		for msg := range updates {
+			err := msgHandler(msg)
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+		return nil
+	}
+
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{SyncFunc: syncFunc}, &EngineConfig{
+		WgIfaceName:  "utun100",
+		WgAddr:       "100.64.0.1/24",
+		WgPrivateKey: key,
+		WgPort:       33100,
+	})
+
+	defer func() {
+		err := engine.Stop()
+		if err != nil {
+			return
+		}
+	}()
+
+	err = engine.Start()
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	peer1 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.10/24"},
+	}
+	peer2 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "LLHf3Ma6z6mdLbriAJbqhX9+nM/B71lgw2+91q3LlhU=",
+		AllowedIps: []string{"100.64.0.11/24"},
+	}
+	peer3 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "GGHf3Ma6z6mdLbriAJbqhX9+nM/B71lgw2+91q3LlhU=",
+		AllowedIps: []string{"100.64.0.12/24"},
+	}
+	// 1st update with just 1 peer and serial larger than the current serial of the engine => apply update
+	updates <- &mgmtProto.SyncResponse{
+		NetworkMap: &mgmtProto.NetworkMap{
+			Serial:             10,
+			PeerConfig:         nil,
+			RemotePeers:        []*mgmtProto.RemotePeerConfig{peer1, peer2, peer3},
+			RemotePeersIsEmpty: false,
+		},
+	}
+
+	timeout := time.After(time.Second * 2)
+	for {
+		select {
+		case <-timeout:
+			t.Fatalf("timeout while waiting for test to finish")
+			return
+		default:
+		}
+
+		if len(engine.GetPeers()) == 3 && engine.networkSerial == 10 {
+			break
+		}
+	}
+}
+
+func TestEngine_MultiplePeers(t *testing.T) {
+	// log.SetLevel(log.DebugLevel)
+
+	dir := t.TempDir()
+
+	err := util.CopyFileContents("../testdata/store.json", filepath.Join(dir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = os.Remove(filepath.Join(dir, "store.json")) //nolint
+		if err != nil {
+			t.Fatal(err)
+			return
+		}
+	}()
+
+	ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
+	defer cancel()
+
+	sport := 10010
+	sigServer, err := startSignal(sport)
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+	defer sigServer.Stop()
+	mport := 33081
+	mgmtServer, err := startManagement(mport, dir)
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+	defer mgmtServer.GracefulStop()
+
+	setupKey := "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
+
+	mu := sync.Mutex{}
+	engines := []*Engine{}
+	numPeers := 10
+	wg := sync.WaitGroup{}
+	wg.Add(numPeers)
+	// create and start peers
+	for i := 0; i < numPeers; i++ {
+		j := i
+		go func() {
+			engine, err := createEngine(ctx, cancel, setupKey, j, mport, sport)
+			if err != nil {
+				wg.Done()
+				t.Errorf("unable to create the engine for peer %d with error %v", j, err)
+				return
+			}
+			mu.Lock()
+			defer mu.Unlock()
+			err = engine.Start()
+			if err != nil {
+				t.Errorf("unable to start engine for peer %d with error %v", j, err)
+				wg.Done()
+				return
+			}
+			engines = append(engines, engine)
+			wg.Done()
+		}()
+	}
+
+	// wait until all have been created and started
+	wg.Wait()
+	if len(engines) != numPeers {
+		t.Fatal("not all peers was started")
+	}
+	// check whether all the peer have expected peers connected
+
+	expectedConnected := numPeers * (numPeers - 1)
+
+	// adjust according to timeouts
+	timeout := 50 * time.Second
+	timeoutChan := time.After(timeout)
+	ticker := time.NewTicker(time.Second)
+	defer ticker.Stop()
+loop:
+	for {
+		select {
+		case <-timeoutChan:
+			t.Fatalf("waiting for expected connections timeout after %s", timeout.String())
+			break loop
+		case <-ticker.C:
+			totalConnected := 0
+			for _, engine := range engines {
+				totalConnected = totalConnected + len(engine.GetConnectedPeers())
+			}
+			if totalConnected == expectedConnected {
+				log.Infof("total connected=%d", totalConnected)
+				break loop
+			}
+			log.Infof("total connected=%d", totalConnected)
+		}
+	}
+	// cleanup test
+	for n, peerEngine := range engines {
+		t.Logf("stopping peer with interface %s from multipeer test, loopIndex %d", peerEngine.wgInterface.Name, n)
+		errStop := peerEngine.mgmClient.Close()
+		if errStop != nil {
+			log.Infoln("got error trying to close management clients from engine: ", errStop)
+		}
+		errStop = peerEngine.Stop()
+		if errStop != nil {
+			log.Infoln("got error trying to close testing peers engine: ", errStop)
+		}
+	}
+}
+
+func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey string, i int, mport int, sport int) (*Engine, error) {
+	key, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		return nil, err
+	}
+	mgmtClient, err := mgmt.NewClient(ctx, fmt.Sprintf("localhost:%d", mport), key, false)
+	if err != nil {
+		return nil, err
+	}
+	signalClient, err := signal.NewClient(ctx, fmt.Sprintf("localhost:%d", sport), key, false)
+	if err != nil {
+		return nil, err
+	}
+
+	publicKey, err := mgmtClient.GetServerPublicKey()
+	if err != nil {
+		return nil, err
+	}
+
+	info := system.GetInfo(ctx)
+	resp, err := mgmtClient.Register(*publicKey, setupKey, "", info)
+	if err != nil {
+		return nil, err
+	}
+
+	var ifaceName string
+	if runtime.GOOS == "darwin" {
+		ifaceName = fmt.Sprintf("utun1%d", i)
+	} else {
+		ifaceName = fmt.Sprintf("wt%d", i)
+	}
+
+	wgPort := 33100 + i
+	conf := &EngineConfig{
+		WgIfaceName:  ifaceName,
+		WgAddr:       resp.PeerConfig.Address,
+		WgPrivateKey: key,
+		WgPort:       wgPort,
+	}
+
+	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf), nil
+}
+
+func startSignal(port int) (*grpc.Server, error) {
+	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
+
+	lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+	if err != nil {
+		log.Fatalf("failed to listen: %v", err)
+	}
+
+	proto.RegisterSignalExchangeServer(s, signalServer.NewServer())
+
+	go func() {
+		if err = s.Serve(lis); err != nil {
+			log.Fatalf("failed to serve: %v", err)
+		}
+	}()
+
+	return s, nil
+}
+
+func startManagement(port int, dataDir string) (*grpc.Server, error) {
+	config := &server.Config{
+		Stuns:      []*server.Host{},
+		TURNConfig: &server.TURNConfig{},
+		Signal: &server.Host{
+			Proto: "http",
+			URI:   "localhost:10000",
+		},
+		Datadir:    dataDir,
+		HttpConfig: nil,
+	}
+
+	lis, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", port))
+	if err != nil {
+		return nil, err
+	}
+	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
+	store, err := server.NewStore(config.Datadir)
+	if err != nil {
+		log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
+	}
+	peersUpdateManager := server.NewPeersUpdateManager()
+	accountManager, err := server.BuildManager(store, peersUpdateManager, nil)
+	if err != nil {
+		return nil, err
+	}
+	turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
+	mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager)
+	if err != nil {
+		return nil, err
+	}
+	mgmtProto.RegisterManagementServiceServer(s, mgmtServer)
+	go func() {
+		if err = s.Serve(lis); err != nil {
+			log.Fatalf("failed to serve: %v", err)
+		}
+	}()
+
+	return s, nil
+}

client/internal/login.go

@@ -0,0 +1,95 @@
+package internal
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/netbirdio/netbird/client/system"
+	mgm "github.com/netbirdio/netbird/management/client"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+func Login(ctx context.Context, config *Config, setupKey string, jwtToken string) error {
+	// validate our peer's Wireguard PRIVATE key
+	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+	if err != nil {
+		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+		return err
+	}
+
+	var mgmTlsEnabled bool
+	if config.ManagementURL.Scheme == "https" {
+		mgmTlsEnabled = true
+	}
+
+	log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
+	mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+	if err != nil {
+		log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
+		return err
+	}
+	log.Debugf("connected to management Service %s", config.ManagementURL.String())
+
+	serverKey, err := mgmClient.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return err
+	}
+
+	_, err = loginPeer(ctx, *serverKey, mgmClient, setupKey, jwtToken)
+	if err != nil {
+		log.Errorf("failed logging-in peer on Management Service : %v", err)
+		return err
+	}
+
+	err = mgmClient.Close()
+	if err != nil {
+		log.Errorf("failed closing Management Service client: %v", err)
+		return err
+	}
+
+	return nil
+}
+
+// loginPeer attempts to login to Management Service. If peer wasn't registered, tries the registration flow.
+func loginPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string, jwtToken string) (*mgmProto.LoginResponse, error) {
+	sysInfo := system.GetInfo(ctx)
+	loginResp, err := client.Login(serverPublicKey, sysInfo)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+			log.Debugf("peer registration required")
+			return registerPeer(ctx, serverPublicKey, client, setupKey, jwtToken)
+		} else {
+			return nil, err
+		}
+	}
+
+	log.Info("peer has successfully logged-in to Management Service")
+
+	return loginResp, nil
+}
+
+// registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
+// Otherwise tries to register with the provided setupKey via command line.
+func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string, jwtToken string) (*mgmProto.LoginResponse, error) {
+	validSetupKey, err := uuid.Parse(setupKey)
+	if err != nil && jwtToken == "" {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid setup-key or no sso information provided, err: %v", err)
+	}
+
+	log.Debugf("sending peer registration request to Management Service")
+	info := system.GetInfo(ctx)
+	loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), jwtToken, info)
+	if err != nil {
+		log.Errorf("failed registering peer %v,%s", err, validSetupKey.String())
+		return nil, err
+	}
+
+	log.Infof("peer has been successfully registered on Management Service")
+
+	return loginResp, nil
+}

client/internal/oauth.go

@@ -0,0 +1,305 @@
+package internal
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// OAuthClient is a OAuth client interface for various idp providers
+type OAuthClient interface {
+	RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error)
+	RotateAccessToken(ctx context.Context, refreshToken string) (TokenInfo, error)
+	WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo, error)
+	GetClientID(ctx context.Context) string
+}
+
+// HTTPClient http client interface for API calls
+type HTTPClient interface {
+	Do(req *http.Request) (*http.Response, error)
+}
+
+// DeviceAuthInfo holds information for the OAuth device login flow
+type DeviceAuthInfo struct {
+	DeviceCode              string `json:"device_code"`
+	UserCode                string `json:"user_code"`
+	VerificationURI         string `json:"verification_uri"`
+	VerificationURIComplete string `json:"verification_uri_complete"`
+	ExpiresIn               int    `json:"expires_in"`
+	Interval                int    `json:"interval"`
+}
+
+// TokenInfo holds information of issued access token
+type TokenInfo struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	IDToken      string `json:"id_token"`
+	TokenType    string `json:"token_type"`
+	ExpiresIn    int    `json:"expires_in"`
+}
+
+// HostedGrantType grant type for device flow on Hosted
+const (
+	HostedGrantType    = "urn:ietf:params:oauth:grant-type:device_code"
+	HostedRefreshGrant = "refresh_token"
+)
+
+// Hosted client
+type Hosted struct {
+	// Hosted API Audience for validation
+	Audience string
+	// Hosted Native application client id
+	ClientID string
+	// Hosted domain
+	Domain string
+
+	HTTPClient HTTPClient
+}
+
+// RequestDeviceCodePayload used for request device code payload for auth0
+type RequestDeviceCodePayload struct {
+	Audience string `json:"audience"`
+	ClientID string `json:"client_id"`
+}
+
+// TokenRequestPayload used for requesting the auth0 token
+type TokenRequestPayload struct {
+	GrantType    string `json:"grant_type"`
+	DeviceCode   string `json:"device_code,omitempty"`
+	ClientID     string `json:"client_id"`
+	RefreshToken string `json:"refresh_token,omitempty"`
+}
+
+// TokenRequestResponse used for parsing Hosted token's response
+type TokenRequestResponse struct {
+	Error            string `json:"error"`
+	ErrorDescription string `json:"error_description"`
+	TokenInfo
+}
+
+// Claims used when validating the access token
+type Claims struct {
+	Audience string `json:"aud"`
+}
+
+// NewHostedDeviceFlow returns an Hosted OAuth client
+func NewHostedDeviceFlow(audience string, clientID string, domain string) *Hosted {
+	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
+	httpTransport.MaxIdleConns = 5
+
+	httpClient := &http.Client{
+		Timeout:   10 * time.Second,
+		Transport: httpTransport,
+	}
+
+	return &Hosted{
+		Audience:   audience,
+		ClientID:   clientID,
+		Domain:     domain,
+		HTTPClient: httpClient,
+	}
+}
+
+// GetClientID returns the provider client id
+func (h *Hosted) GetClientID(ctx context.Context) string {
+	return h.ClientID
+}
+
+// RequestDeviceCode requests a device code login flow information from Hosted
+func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error) {
+	url := "https://" + h.Domain + "/oauth/device/code"
+	codePayload := RequestDeviceCodePayload{
+		Audience: h.Audience,
+		ClientID: h.ClientID,
+	}
+	p, err := json.Marshal(codePayload)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("parsing payload failed with error: %v", err)
+	}
+	payload := strings.NewReader(string(p))
+	req, err := http.NewRequest("POST", url, payload)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("creating request failed with error: %v", err)
+	}
+
+	req.Header.Add("content-type", "application/json")
+
+	res, err := h.HTTPClient.Do(req)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("doing request failed with error: %v", err)
+	}
+
+	defer res.Body.Close()
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("reading body failed with error: %v", err)
+	}
+
+	if res.StatusCode != 200 {
+		return DeviceAuthInfo{}, fmt.Errorf("request device code returned status %d error: %s", res.StatusCode, string(body))
+	}
+
+	deviceCode := DeviceAuthInfo{}
+	err = json.Unmarshal(body, &deviceCode)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("unmarshaling response failed with error: %v", err)
+	}
+
+	return deviceCode, err
+}
+
+// WaitToken waits user's login and authorize the app. Once the user's authorize
+// it retrieves the access token from Hosted's endpoint and validates it before returning
+func (h *Hosted) WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo, error) {
+	interval := time.Duration(info.Interval) * time.Second
+	ticker := time.NewTicker(interval)
+	for {
+		select {
+		case <-ctx.Done():
+			return TokenInfo{}, ctx.Err()
+		case <-ticker.C:
+			url := "https://" + h.Domain + "/oauth/token"
+			tokenReqPayload := TokenRequestPayload{
+				GrantType:  HostedGrantType,
+				DeviceCode: info.DeviceCode,
+				ClientID:   h.ClientID,
+			}
+
+			body, statusCode, err := requestToken(h.HTTPClient, url, tokenReqPayload)
+			if err != nil {
+				return TokenInfo{}, fmt.Errorf("wait for token: %v", err)
+			}
+
+			if statusCode > 499 {
+				return TokenInfo{}, fmt.Errorf("wait token code returned error: %s", string(body))
+			}
+
+			tokenResponse := TokenRequestResponse{}
+			err = json.Unmarshal(body, &tokenResponse)
+			if err != nil {
+				return TokenInfo{}, fmt.Errorf("parsing token response failed with error: %v", err)
+			}
+
+			if tokenResponse.Error != "" {
+				if tokenResponse.Error == "authorization_pending" {
+					continue
+				} else if tokenResponse.Error == "slow_down" {
+					interval = interval + (3 * time.Second)
+					ticker.Reset(interval)
+					continue
+				}
+
+				return TokenInfo{}, fmt.Errorf(tokenResponse.ErrorDescription)
+			}
+
+			err = isValidAccessToken(tokenResponse.AccessToken, h.Audience)
+			if err != nil {
+				return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
+			}
+
+			tokenInfo := TokenInfo{
+				AccessToken:  tokenResponse.AccessToken,
+				TokenType:    tokenResponse.TokenType,
+				RefreshToken: tokenResponse.RefreshToken,
+				IDToken:      tokenResponse.IDToken,
+				ExpiresIn:    tokenResponse.ExpiresIn,
+			}
+			return tokenInfo, err
+		}
+	}
+}
+
+// RotateAccessToken requests a new token using an existing refresh token
+func (h *Hosted) RotateAccessToken(ctx context.Context, refreshToken string) (TokenInfo, error) {
+	url := "https://" + h.Domain + "/oauth/token"
+	tokenReqPayload := TokenRequestPayload{
+		GrantType:    HostedRefreshGrant,
+		ClientID:     h.ClientID,
+		RefreshToken: refreshToken,
+	}
+
+	body, statusCode, err := requestToken(h.HTTPClient, url, tokenReqPayload)
+	if err != nil {
+		return TokenInfo{}, fmt.Errorf("rotate access token: %v", err)
+	}
+
+	if statusCode != 200 {
+		return TokenInfo{}, fmt.Errorf("rotating token returned error: %s", string(body))
+	}
+
+	tokenResponse := TokenRequestResponse{}
+	err = json.Unmarshal(body, &tokenResponse)
+	if err != nil {
+		return TokenInfo{}, fmt.Errorf("parsing token response failed with error: %v", err)
+	}
+
+	err = isValidAccessToken(tokenResponse.AccessToken, h.Audience)
+	if err != nil {
+		return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
+	}
+
+	tokenInfo := TokenInfo{
+		AccessToken:  tokenResponse.AccessToken,
+		TokenType:    tokenResponse.TokenType,
+		RefreshToken: tokenResponse.RefreshToken,
+		IDToken:      tokenResponse.IDToken,
+		ExpiresIn:    tokenResponse.ExpiresIn,
+	}
+	return tokenInfo, err
+}
+
+func requestToken(client HTTPClient, url string, tokenReqPayload TokenRequestPayload) ([]byte, int, error) {
+	p, err := json.Marshal(tokenReqPayload)
+	if err != nil {
+		return nil, 0, fmt.Errorf("parsing token payload failed with error: %v", err)
+	}
+	payload := strings.NewReader(string(p))
+	req, err := http.NewRequest("POST", url, payload)
+	if err != nil {
+		return nil, 0, fmt.Errorf("creating token request failed with error: %v", err)
+	}
+
+	req.Header.Add("content-type", "application/json")
+
+	res, err := client.Do(req)
+	if err != nil {
+		return nil, 0, fmt.Errorf("doing token request failed with error: %v", err)
+	}
+
+	defer res.Body.Close()
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, 0, fmt.Errorf("reading token body failed with error: %v", err)
+	}
+	return body, res.StatusCode, nil
+}
+
+// isValidAccessToken is a simple validation of the access token
+func isValidAccessToken(token string, audience string) error {
+	if token == "" {
+		return fmt.Errorf("token received is empty")
+	}
+
+	encodedClaims := strings.Split(token, ".")[1]
+	claimsString, err := base64.RawURLEncoding.DecodeString(encodedClaims)
+	if err != nil {
+		return err
+	}
+
+	claims := Claims{}
+	err = json.Unmarshal(claimsString, &claims)
+	if err != nil {
+		return err
+	}
+
+	if claims.Audience != audience {
+		return fmt.Errorf("invalid audience")
+	}
+
+	return nil
+}

client/internal/oauth_test.go

@@ -0,0 +1,415 @@
+package internal
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/golang-jwt/jwt"
+	"github.com/stretchr/testify/require"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+)
+
+type mockHTTPClient struct {
+	code         int
+	resBody      string
+	reqBody      string
+	MaxReqs      int
+	count        int
+	countResBody string
+	err          error
+}
+
+func (c *mockHTTPClient) Do(req *http.Request) (*http.Response, error) {
+	body, err := ioutil.ReadAll(req.Body)
+	if err == nil {
+		c.reqBody = string(body)
+	}
+
+	if c.MaxReqs > c.count {
+		c.count++
+		return &http.Response{
+			StatusCode: c.code,
+			Body:       ioutil.NopCloser(strings.NewReader(c.countResBody)),
+		}, c.err
+	}
+
+	return &http.Response{
+		StatusCode: c.code,
+		Body:       ioutil.NopCloser(strings.NewReader(c.resBody)),
+	}, c.err
+}
+
+func TestHosted_RequestDeviceCode(t *testing.T) {
+	type test struct {
+		name             string
+		inputResBody     string
+		inputReqCode     int
+		inputReqError    error
+		testingErrFunc   require.ErrorAssertionFunc
+		expectedErrorMSG string
+		testingFunc      require.ComparisonAssertionFunc
+		expectedOut      DeviceAuthInfo
+		expectedMSG      string
+		expectPayload    RequestDeviceCodePayload
+	}
+
+	testCase1 := test{
+		name: "Payload Is Valid",
+		expectPayload: RequestDeviceCodePayload{
+			Audience: "ok",
+			ClientID: "bla",
+		},
+		inputReqCode:   200,
+		testingErrFunc: require.Error,
+		testingFunc:    require.EqualValues,
+	}
+
+	testCase2 := test{
+		name:             "Exit On Network Error",
+		inputReqError:    fmt.Errorf("error"),
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	testCase3 := test{
+		name:             "Exit On Exit Code",
+		inputReqCode:     400,
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+	testCase4Out := DeviceAuthInfo{ExpiresIn: 10}
+	testCase4 := test{
+		name:         "Got Device Code",
+		inputResBody: fmt.Sprintf("{\"expires_in\":%d}", testCase4Out.ExpiresIn),
+		expectPayload: RequestDeviceCodePayload{
+			Audience: "ok",
+			ClientID: "bla",
+		},
+		inputReqCode:   200,
+		testingErrFunc: require.NoError,
+		testingFunc:    require.EqualValues,
+		expectedOut:    testCase4Out,
+		expectedMSG:    "out should match",
+	}
+
+	for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4} {
+		t.Run(testCase.name, func(t *testing.T) {
+
+			httpClient := mockHTTPClient{
+				resBody: testCase.inputResBody,
+				code:    testCase.inputReqCode,
+				err:     testCase.inputReqError,
+			}
+
+			hosted := Hosted{
+				Audience:   testCase.expectPayload.Audience,
+				ClientID:   testCase.expectPayload.ClientID,
+				Domain:     "test.hosted.com",
+				HTTPClient: &httpClient,
+			}
+
+			authInfo, err := hosted.RequestDeviceCode(context.TODO())
+			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)
+
+			payload, _ := json.Marshal(testCase.expectPayload)
+
+			require.EqualValues(t, string(payload), httpClient.reqBody, "payload should match")
+
+			testCase.testingFunc(t, testCase.expectedOut, authInfo, testCase.expectedMSG)
+
+		})
+	}
+}
+
+func TestHosted_WaitToken(t *testing.T) {
+	type test struct {
+		name              string
+		inputResBody      string
+		inputReqCode      int
+		inputReqError     error
+		inputMaxReqs      int
+		inputCountResBody string
+		inputTimeout      time.Duration
+		inputInfo         DeviceAuthInfo
+		inputAudience     string
+		testingErrFunc    require.ErrorAssertionFunc
+		expectedErrorMSG  string
+		testingFunc       require.ComparisonAssertionFunc
+		expectedOut       TokenInfo
+		expectedMSG       string
+		expectPayload     TokenRequestPayload
+	}
+
+	defaultInfo := DeviceAuthInfo{
+		DeviceCode: "test",
+		ExpiresIn:  10,
+		Interval:   1,
+	}
+
+	tokenReqPayload := TokenRequestPayload{
+		GrantType:  HostedGrantType,
+		DeviceCode: defaultInfo.DeviceCode,
+		ClientID:   "test",
+	}
+
+	testCase1 := test{
+		name:           "Payload Is Valid",
+		inputInfo:      defaultInfo,
+		inputTimeout:   time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		inputReqCode:   200,
+		testingErrFunc: require.Error,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+	}
+
+	testCase2 := test{
+		name:             "Exit On Network Error",
+		inputInfo:        defaultInfo,
+		inputTimeout:     time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		expectPayload:    tokenReqPayload,
+		inputReqError:    fmt.Errorf("error"),
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	testCase3 := test{
+		name:             "Exit On 4XX When Not Pending",
+		inputInfo:        defaultInfo,
+		inputTimeout:     time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		inputReqCode:     400,
+		expectPayload:    tokenReqPayload,
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	testCase4 := test{
+		name:             "Exit On Exit Code 5XX",
+		inputInfo:        defaultInfo,
+		inputTimeout:     time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		inputReqCode:     500,
+		expectPayload:    tokenReqPayload,
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	testCase5 := test{
+		name:             "Exit On Content Timeout",
+		inputInfo:        defaultInfo,
+		inputTimeout:     0 * time.Second,
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	audience := "test"
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{"aud": audience})
+	var hmacSampleSecret []byte
+	tokenString, _ := token.SignedString(hmacSampleSecret)
+
+	testCase6 := test{
+		name:           "Exit On Invalid Audience",
+		inputInfo:      defaultInfo,
+		inputResBody:   fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
+		inputTimeout:   time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		inputReqCode:   200,
+		inputAudience:  "super test",
+		testingErrFunc: require.Error,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+	}
+
+	testCase7 := test{
+		name:           "Received Token Info",
+		inputInfo:      defaultInfo,
+		inputResBody:   fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
+		inputTimeout:   time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		inputReqCode:   200,
+		inputAudience:  audience,
+		testingErrFunc: require.NoError,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+		expectedOut:    TokenInfo{AccessToken: tokenString},
+	}
+
+	testCase8 := test{
+		name:              "Received Token Info after Multiple tries",
+		inputInfo:         defaultInfo,
+		inputResBody:      fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
+		inputTimeout:      time.Duration(defaultInfo.ExpiresIn) * time.Second,
+		inputMaxReqs:      2,
+		inputCountResBody: "{\"error\":\"authorization_pending\"}",
+		inputReqCode:      200,
+		inputAudience:     audience,
+		testingErrFunc:    require.NoError,
+		testingFunc:       require.EqualValues,
+		expectPayload:     tokenReqPayload,
+		expectedOut:       TokenInfo{AccessToken: tokenString},
+	}
+
+	for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4, testCase5, testCase6, testCase7, testCase8} {
+		t.Run(testCase.name, func(t *testing.T) {
+
+			httpClient := mockHTTPClient{
+				resBody:      testCase.inputResBody,
+				code:         testCase.inputReqCode,
+				err:          testCase.inputReqError,
+				MaxReqs:      testCase.inputMaxReqs,
+				countResBody: testCase.inputCountResBody,
+			}
+
+			hosted := Hosted{
+				Audience:   testCase.inputAudience,
+				ClientID:   testCase.expectPayload.ClientID,
+				Domain:     "test.hosted.com",
+				HTTPClient: &httpClient,
+			}
+
+			ctx, cancel := context.WithTimeout(context.TODO(), testCase.inputTimeout)
+			defer cancel()
+			tokenInfo, err := hosted.WaitToken(ctx, testCase.inputInfo)
+			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)
+
+			var payload []byte
+			var emptyPayload TokenRequestPayload
+			if testCase.expectPayload != emptyPayload {
+				payload, _ = json.Marshal(testCase.expectPayload)
+			}
+			require.EqualValues(t, string(payload), httpClient.reqBody, "payload should match")
+
+			testCase.testingFunc(t, testCase.expectedOut, tokenInfo, testCase.expectedMSG)
+
+			require.GreaterOrEqualf(t, testCase.inputMaxReqs, httpClient.count, "should run %d times", testCase.inputMaxReqs)
+
+		})
+	}
+}
+
+func TestHosted_RotateAccessToken(t *testing.T) {
+	type test struct {
+		name             string
+		inputResBody     string
+		inputReqCode     int
+		inputReqError    error
+		inputMaxReqs     int
+		inputInfo        DeviceAuthInfo
+		inputAudience    string
+		testingErrFunc   require.ErrorAssertionFunc
+		expectedErrorMSG string
+		testingFunc      require.ComparisonAssertionFunc
+		expectedOut      TokenInfo
+		expectedMSG      string
+		expectPayload    TokenRequestPayload
+	}
+
+	defaultInfo := DeviceAuthInfo{
+		DeviceCode: "test",
+		ExpiresIn:  10,
+		Interval:   1,
+	}
+
+	tokenReqPayload := TokenRequestPayload{
+		GrantType:    HostedRefreshGrant,
+		ClientID:     "test",
+		RefreshToken: "refresh_test",
+	}
+
+	testCase1 := test{
+		name:           "Payload Is Valid",
+		inputInfo:      defaultInfo,
+		inputReqCode:   200,
+		testingErrFunc: require.Error,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+	}
+
+	testCase2 := test{
+		name:             "Exit On Network Error",
+		inputInfo:        defaultInfo,
+		expectPayload:    tokenReqPayload,
+		inputReqError:    fmt.Errorf("error"),
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	testCase3 := test{
+		name:             "Exit On Non 200 Status Code",
+		inputInfo:        defaultInfo,
+		inputReqCode:     401,
+		expectPayload:    tokenReqPayload,
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	audience := "test"
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{"aud": audience})
+	var hmacSampleSecret []byte
+	tokenString, _ := token.SignedString(hmacSampleSecret)
+
+	testCase4 := test{
+		name:           "Exit On Invalid Audience",
+		inputInfo:      defaultInfo,
+		inputResBody:   fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
+		inputReqCode:   200,
+		inputAudience:  "super test",
+		testingErrFunc: require.Error,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+	}
+
+	testCase5 := test{
+		name:           "Received Token Info",
+		inputInfo:      defaultInfo,
+		inputResBody:   fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
+		inputReqCode:   200,
+		inputAudience:  audience,
+		testingErrFunc: require.NoError,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+		expectedOut:    TokenInfo{AccessToken: tokenString},
+	}
+
+	for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4, testCase5} {
+		t.Run(testCase.name, func(t *testing.T) {
+
+			httpClient := mockHTTPClient{
+				resBody: testCase.inputResBody,
+				code:    testCase.inputReqCode,
+				err:     testCase.inputReqError,
+				MaxReqs: testCase.inputMaxReqs,
+			}
+
+			hosted := Hosted{
+				Audience:   testCase.inputAudience,
+				ClientID:   testCase.expectPayload.ClientID,
+				Domain:     "test.hosted.com",
+				HTTPClient: &httpClient,
+			}
+
+			tokenInfo, err := hosted.RotateAccessToken(context.TODO(), testCase.expectPayload.RefreshToken)
+			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)
+
+			var payload []byte
+			var emptyPayload TokenRequestPayload
+			if testCase.expectPayload != emptyPayload {
+				payload, _ = json.Marshal(testCase.expectPayload)
+			}
+			require.EqualValues(t, string(payload), httpClient.reqBody, "payload should match")
+
+			testCase.testingFunc(t, testCase.expectedOut, tokenInfo, testCase.expectedMSG)
+
+		})
+	}
+}

client/internal/peer/conn.go

@@ -0,0 +1,510 @@
+package peer
+
+import (
+	"context"
+	"github.com/netbirdio/netbird/iface"
+	"golang.zx2c4.com/wireguard/wgctrl"
+	"net"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/netbirdio/netbird/client/internal/proxy"
+	"github.com/pion/ice/v2"
+	log "github.com/sirupsen/logrus"
+)
+
+// ConnConfig is a peer Connection configuration
+type ConnConfig struct {
+
+	// Key is a public key of a remote peer
+	Key string
+	// LocalKey is a public key of a local peer
+	LocalKey string
+
+	// StunTurn is a list of STUN and TURN URLs
+	StunTurn []*ice.URL
+
+	// InterfaceBlackList is a list of machine interfaces that should be filtered out by ICE Candidate gathering
+	// (e.g. if eth0 is in the list, host candidate of this interface won't be used)
+	InterfaceBlackList []string
+
+	Timeout time.Duration
+
+	ProxyConfig proxy.Config
+
+	UDPMux      ice.UDPMux
+	UDPMuxSrflx ice.UniversalUDPMux
+}
+
+// IceCredentials ICE protocol credentials struct
+type IceCredentials struct {
+	UFrag string
+	Pwd   string
+}
+
+type Conn struct {
+	config ConnConfig
+	mu     sync.Mutex
+
+	// signalCandidate is a handler function to signal remote peer about local connection candidate
+	signalCandidate func(candidate ice.Candidate) error
+	// signalOffer is a handler function to signal remote peer our connection offer (credentials)
+	signalOffer  func(uFrag string, pwd string) error
+	signalAnswer func(uFrag string, pwd string) error
+
+	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
+	remoteOffersCh chan IceCredentials
+	// remoteAnswerCh is a channel used to wait for remote credentials answer (confirmation of our offer) to proceed with the connection
+	remoteAnswerCh     chan IceCredentials
+	closeCh            chan struct{}
+	ctx                context.Context
+	notifyDisconnected context.CancelFunc
+
+	agent  *ice.Agent
+	status ConnStatus
+
+	proxy proxy.Proxy
+}
+
+// GetConf returns the connection config
+func (conn *Conn) GetConf() ConnConfig {
+	return conn.config
+}
+
+// NewConn creates a new not opened Conn to the remote peer.
+// To establish a connection run Conn.Open
+func NewConn(config ConnConfig) (*Conn, error) {
+	return &Conn{
+		config:         config,
+		mu:             sync.Mutex{},
+		status:         StatusDisconnected,
+		closeCh:        make(chan struct{}),
+		remoteOffersCh: make(chan IceCredentials),
+		remoteAnswerCh: make(chan IceCredentials),
+	}, nil
+}
+
+// interfaceFilter is a function passed to ICE Agent to filter out not allowed interfaces
+// to avoid building tunnel over them
+func interfaceFilter(blackList []string) func(string) bool {
+
+	return func(iFace string) bool {
+		for _, s := range blackList {
+			if strings.HasPrefix(iFace, s) {
+				log.Debugf("ignoring interface %s - it is not allowed", iFace)
+				return false
+			}
+		}
+		// look for unlisted WireGuard interfaces
+		wg, err := wgctrl.New()
+		if err != nil {
+			log.Debugf("trying to create a wgctrl client failed with: %v", err)
+		}
+		defer func() {
+			err := wg.Close()
+			if err != nil {
+				return
+			}
+		}()
+
+		_, err = wg.Device(iFace)
+		return err != nil
+	}
+}
+
+func (conn *Conn) reCreateAgent() error {
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+
+	failedTimeout := 6 * time.Second
+	var err error
+	conn.agent, err = ice.NewAgent(&ice.AgentConfig{
+		MulticastDNSMode: ice.MulticastDNSModeDisabled,
+		NetworkTypes:     []ice.NetworkType{ice.NetworkTypeUDP4},
+		Urls:             conn.config.StunTurn,
+		CandidateTypes:   []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
+		FailedTimeout:    &failedTimeout,
+		InterfaceFilter:  interfaceFilter(conn.config.InterfaceBlackList),
+		UDPMux:           conn.config.UDPMux,
+		UDPMuxSrflx:      conn.config.UDPMuxSrflx,
+	})
+	if err != nil {
+		return err
+	}
+
+	err = conn.agent.OnCandidate(conn.onICECandidate)
+	if err != nil {
+		return err
+	}
+
+	err = conn.agent.OnConnectionStateChange(conn.onICEConnectionStateChange)
+	if err != nil {
+		return err
+	}
+
+	err = conn.agent.OnSelectedCandidatePairChange(conn.onICESelectedCandidatePair)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Open opens connection to the remote peer starting ICE candidate gathering process.
+// Blocks until connection has been closed or connection timeout.
+// ConnStatus will be set accordingly
+func (conn *Conn) Open() error {
+	log.Debugf("trying to connect to peer %s", conn.config.Key)
+
+	defer func() {
+		err := conn.cleanup()
+		if err != nil {
+			log.Warnf("error while cleaning up peer connection %s: %v", conn.config.Key, err)
+			return
+		}
+	}()
+
+	err := conn.reCreateAgent()
+	if err != nil {
+		return err
+	}
+
+	err = conn.sendOffer()
+	if err != nil {
+		return err
+	}
+
+	log.Debugf("connection offer sent to peer %s, waiting for the confirmation", conn.config.Key)
+
+	// Only continue once we got a connection confirmation from the remote peer.
+	// The connection timeout could have happened before a confirmation received from the remote.
+	// The connection could have also been closed externally (e.g. when we received an update from the management that peer shouldn't be connected)
+	var remoteCredentials IceCredentials
+	select {
+	case remoteCredentials = <-conn.remoteOffersCh:
+		// received confirmation from the remote peer -> ready to proceed
+		err = conn.sendAnswer()
+		if err != nil {
+			return err
+		}
+	case remoteCredentials = <-conn.remoteAnswerCh:
+	case <-time.After(conn.config.Timeout):
+		return NewConnectionTimeoutError(conn.config.Key, conn.config.Timeout)
+	case <-conn.closeCh:
+		// closed externally
+		return NewConnectionClosedError(conn.config.Key)
+	}
+
+	log.Debugf("received connection confirmation from peer %s", conn.config.Key)
+
+	// at this point we received offer/answer and we are ready to gather candidates
+	conn.mu.Lock()
+	conn.status = StatusConnecting
+	conn.ctx, conn.notifyDisconnected = context.WithCancel(context.Background())
+	defer conn.notifyDisconnected()
+	conn.mu.Unlock()
+
+	err = conn.agent.GatherCandidates()
+	if err != nil {
+		return err
+	}
+
+	// will block until connection succeeded
+	// but it won't release if ICE Agent went into Disconnected or Failed state,
+	// so we have to cancel it with the provided context once agent detected a broken connection
+	isControlling := conn.config.LocalKey > conn.config.Key
+	var remoteConn *ice.Conn
+	if isControlling {
+		remoteConn, err = conn.agent.Dial(conn.ctx, remoteCredentials.UFrag, remoteCredentials.Pwd)
+	} else {
+		remoteConn, err = conn.agent.Accept(conn.ctx, remoteCredentials.UFrag, remoteCredentials.Pwd)
+	}
+	if err != nil {
+		return err
+	}
+
+	// the connection has been established successfully so we are ready to start the proxy
+	err = conn.startProxy(remoteConn)
+	if err != nil {
+		return err
+	}
+
+	if conn.proxy.Type() == proxy.TypeNoProxy {
+		host, _, _ := net.SplitHostPort(remoteConn.LocalAddr().String())
+		rhost, _, _ := net.SplitHostPort(remoteConn.RemoteAddr().String())
+		// direct Wireguard connection
+		log.Infof("directly connected to peer %s [laddr <-> raddr] [%s:%d <-> %s:%d]", conn.config.Key, host, iface.DefaultWgPort, rhost, iface.DefaultWgPort)
+	} else {
+		log.Infof("connected to peer %s [laddr <-> raddr] [%s <-> %s]", conn.config.Key, remoteConn.LocalAddr().String(), remoteConn.RemoteAddr().String())
+	}
+
+	// wait until connection disconnected or has been closed externally (upper layer, e.g. engine)
+	select {
+	case <-conn.closeCh:
+		// closed externally
+		return NewConnectionClosedError(conn.config.Key)
+	case <-conn.ctx.Done():
+		// disconnected from the remote peer
+		return NewConnectionDisconnectedError(conn.config.Key)
+	}
+}
+
+// useProxy determines whether a direct connection (without a go proxy) is possible
+// There are 3 cases: one of the peers has a public IP or both peers are in the same private network
+// Please note, that this check happens when peers were already able to ping each other using ICE layer.
+func shouldUseProxy(pair *ice.CandidatePair) bool {
+	remoteIP := net.ParseIP(pair.Remote.Address())
+	myIp := net.ParseIP(pair.Local.Address())
+	remoteIsPublic := IsPublicIP(remoteIP)
+	myIsPublic := IsPublicIP(myIp)
+
+	//one of the hosts has a public IP
+	if remoteIsPublic && pair.Remote.Type() == ice.CandidateTypeHost {
+		return false
+	}
+	if myIsPublic && pair.Local.Type() == ice.CandidateTypeHost {
+		return false
+	}
+
+	if pair.Local.Type() == ice.CandidateTypeHost && pair.Remote.Type() == ice.CandidateTypeHost {
+		if !remoteIsPublic && !myIsPublic {
+			//both hosts are in the same private network
+			return false
+		}
+	}
+
+	return true
+}
+
+// IsPublicIP indicates whether IP is public or not.
+func IsPublicIP(ip net.IP) bool {
+	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsPrivate() {
+		return false
+	}
+	return true
+}
+
+// startProxy starts proxying traffic from/to local Wireguard and sets connection status to StatusConnected
+func (conn *Conn) startProxy(remoteConn net.Conn) error {
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+
+	var pair *ice.CandidatePair
+	pair, err := conn.agent.GetSelectedCandidatePair()
+	if err != nil {
+		return err
+	}
+
+	useProxy := shouldUseProxy(pair)
+	var p proxy.Proxy
+	if useProxy {
+		p = proxy.NewWireguardProxy(conn.config.ProxyConfig)
+	} else {
+		p = proxy.NewNoProxy(conn.config.ProxyConfig)
+	}
+	conn.proxy = p
+	err = p.Start(remoteConn)
+	if err != nil {
+		return err
+	}
+
+	conn.status = StatusConnected
+
+	return nil
+}
+
+// cleanup closes all open resources and sets status to StatusDisconnected
+func (conn *Conn) cleanup() error {
+	log.Debugf("trying to cleanup %s", conn.config.Key)
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+
+	if conn.agent != nil {
+		err := conn.agent.Close()
+		if err != nil {
+			return err
+		}
+		conn.agent = nil
+	}
+
+	if conn.proxy != nil {
+		err := conn.proxy.Close()
+		if err != nil {
+			return err
+		}
+		conn.proxy = nil
+	}
+
+	if conn.notifyDisconnected != nil {
+		conn.notifyDisconnected()
+		conn.notifyDisconnected = nil
+	}
+
+	conn.status = StatusDisconnected
+
+	log.Debugf("cleaned up connection to peer %s", conn.config.Key)
+
+	return nil
+}
+
+// SetSignalOffer sets a handler function to be triggered by Conn when a new connection offer has to be signalled to the remote peer
+func (conn *Conn) SetSignalOffer(handler func(uFrag string, pwd string) error) {
+	conn.signalOffer = handler
+}
+
+// SetSignalAnswer sets a handler function to be triggered by Conn when a new connection answer has to be signalled to the remote peer
+func (conn *Conn) SetSignalAnswer(handler func(uFrag string, pwd string) error) {
+	conn.signalAnswer = handler
+}
+
+// SetSignalCandidate sets a handler function to be triggered by Conn when a new ICE local connection candidate has to be signalled to the remote peer
+func (conn *Conn) SetSignalCandidate(handler func(candidate ice.Candidate) error) {
+	conn.signalCandidate = handler
+}
+
+// onICECandidate is a callback attached to an ICE Agent to receive new local connection candidates
+// and then signals them to the remote peer
+func (conn *Conn) onICECandidate(candidate ice.Candidate) {
+	if candidate != nil {
+		// log.Debugf("discovered local candidate %s", candidate.String())
+		go func() {
+			err := conn.signalCandidate(candidate)
+			if err != nil {
+				log.Errorf("failed signaling candidate to the remote peer %s %s", conn.config.Key, err)
+			}
+		}()
+	}
+}
+
+func (conn *Conn) onICESelectedCandidatePair(c1 ice.Candidate, c2 ice.Candidate) {
+	log.Debugf("selected candidate pair [local <-> remote] -> [%s <-> %s], peer %s", c1.String(), c2.String(),
+		conn.config.Key)
+}
+
+// onICEConnectionStateChange registers callback of an ICE Agent to track connection state
+func (conn *Conn) onICEConnectionStateChange(state ice.ConnectionState) {
+	log.Debugf("peer %s ICE ConnectionState has changed to %s", conn.config.Key, state.String())
+	if state == ice.ConnectionStateFailed || state == ice.ConnectionStateDisconnected {
+		conn.notifyDisconnected()
+	}
+}
+
+func (conn *Conn) sendAnswer() error {
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+
+	localUFrag, localPwd, err := conn.agent.GetLocalUserCredentials()
+	if err != nil {
+		return err
+	}
+
+	log.Debugf("sending asnwer to %s", conn.config.Key)
+	err = conn.signalAnswer(localUFrag, localPwd)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// sendOffer prepares local user credentials and signals them to the remote peer
+func (conn *Conn) sendOffer() error {
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+
+	localUFrag, localPwd, err := conn.agent.GetLocalUserCredentials()
+	if err != nil {
+		return err
+	}
+	err = conn.signalOffer(localUFrag, localPwd)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// Close closes this peer Conn issuing a close event to the Conn closeCh
+func (conn *Conn) Close() error {
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+	select {
+	case conn.closeCh <- struct{}{}:
+		return nil
+	default:
+		// probably could happen when peer has been added and removed right after not even starting to connect
+		// todo further investigate
+		// this really happens due to unordered messages coming from management
+		// more importantly it causes inconsistency -> 2 Conn objects for the same peer
+		// e.g. this flow:
+		// update from management has peers: [1,2,3,4]
+		// engine creates a Conn for peers:  [1,2,3,4] and schedules Open in ~1sec
+		// before conn.Open() another update from management arrives with peers: [1,2,3]
+		// engine removes peer 4 and calls conn.Close() which does nothing (this default clause)
+		// before conn.Open() another update from management arrives with peers: [1,2,3,4,5]
+		// engine adds a new Conn for 4 and 5
+		// therefore peer 4 has 2 Conn objects
+		log.Warnf("connection has been already closed or attempted closing not started coonection %s", conn.config.Key)
+		return NewConnectionAlreadyClosed(conn.config.Key)
+	}
+}
+
+// Status returns current status of the Conn
+func (conn *Conn) Status() ConnStatus {
+	conn.mu.Lock()
+	defer conn.mu.Unlock()
+	return conn.status
+}
+
+// OnRemoteOffer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
+// doesn't block, discards the message if connection wasn't ready
+func (conn *Conn) OnRemoteOffer(remoteAuth IceCredentials) bool {
+	log.Debugf("OnRemoteOffer from peer %s on status %s", conn.config.Key, conn.status.String())
+
+	select {
+	case conn.remoteOffersCh <- remoteAuth:
+		return true
+	default:
+		log.Debugf("OnRemoteOffer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String())
+		// connection might not be ready yet to receive so we ignore the message
+		return false
+	}
+}
+
+// OnRemoteAnswer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
+// doesn't block, discards the message if connection wasn't ready
+func (conn *Conn) OnRemoteAnswer(remoteAuth IceCredentials) bool {
+	log.Debugf("OnRemoteAnswer from peer %s on status %s", conn.config.Key, conn.status.String())
+
+	select {
+	case conn.remoteAnswerCh <- remoteAuth:
+		return true
+	default:
+		// connection might not be ready yet to receive so we ignore the message
+		log.Debugf("OnRemoteAnswer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String())
+		return false
+	}
+}
+
+// OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
+func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate) {
+	log.Debugf("OnRemoteCandidate from peer %s -> %s", conn.config.Key, candidate.String())
+	go func() {
+		conn.mu.Lock()
+		defer conn.mu.Unlock()
+
+		if conn.agent == nil {
+			return
+		}
+
+		err := conn.agent.AddRemoteCandidate(candidate)
+		if err != nil {
+			log.Errorf("error while handling remote candidate from peer %s", conn.config.Key)
+			return
+		}
+	}()
+}
+
+func (conn *Conn) GetKey() string {
+	return conn.config.Key
+}

client/internal/peer/conn_test.go

@@ -0,0 +1,157 @@
+package peer
+
+import (
+	"github.com/magiconair/properties/assert"
+	"github.com/netbirdio/netbird/client/internal/proxy"
+	"github.com/netbirdio/netbird/iface"
+	"github.com/pion/ice/v2"
+	"sync"
+	"testing"
+	"time"
+)
+
+var connConf = ConnConfig{
+	Key:                "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+	LocalKey:           "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+	StunTurn:           []*ice.URL{},
+	InterfaceBlackList: nil,
+	Timeout:            time.Second,
+	ProxyConfig:        proxy.Config{},
+}
+
+func TestNewConn_interfaceFilter(t *testing.T) {
+	ignore := []string{iface.WgInterfaceDefault, "tun0", "zt", "ZeroTier", "utun", "wg", "ts",
+		"Tailscale", "tailscale"}
+
+	filter := interfaceFilter(ignore)
+
+	for _, s := range ignore {
+		assert.Equal(t, filter(s), false)
+	}
+
+}
+
+func TestConn_GetKey(t *testing.T) {
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	got := conn.GetKey()
+
+	assert.Equal(t, got, connConf.Key, "they should be equal")
+}
+
+func TestConn_OnRemoteOffer(t *testing.T) {
+
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	wg := sync.WaitGroup{}
+	wg.Add(2)
+	go func() {
+		<-conn.remoteOffersCh
+		wg.Done()
+	}()
+
+	go func() {
+		for {
+			accepted := conn.OnRemoteOffer(IceCredentials{
+				UFrag: "test",
+				Pwd:   "test",
+			})
+			if accepted {
+				wg.Done()
+				return
+			}
+		}
+	}()
+
+	wg.Wait()
+}
+
+func TestConn_OnRemoteAnswer(t *testing.T) {
+
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	wg := sync.WaitGroup{}
+	wg.Add(2)
+	go func() {
+		<-conn.remoteAnswerCh
+		wg.Done()
+	}()
+
+	go func() {
+		for {
+			accepted := conn.OnRemoteAnswer(IceCredentials{
+				UFrag: "test",
+				Pwd:   "test",
+			})
+			if accepted {
+				wg.Done()
+				return
+			}
+		}
+	}()
+
+	wg.Wait()
+}
+func TestConn_Status(t *testing.T) {
+
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	tables := []struct {
+		name   string
+		status ConnStatus
+		want   ConnStatus
+	}{
+		{"StatusConnected", StatusConnected, StatusConnected},
+		{"StatusDisconnected", StatusDisconnected, StatusDisconnected},
+		{"StatusConnecting", StatusConnecting, StatusConnecting},
+	}
+
+	for _, table := range tables {
+		t.Run(table.name, func(t *testing.T) {
+			conn.status = table.status
+
+			got := conn.Status()
+			assert.Equal(t, got, table.want, "they should be equal")
+		})
+	}
+}
+
+func TestConn_Close(t *testing.T) {
+
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	wg := sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		<-conn.closeCh
+		wg.Done()
+	}()
+
+	go func() {
+		for {
+			err := conn.Close()
+			if err != nil {
+				continue
+			} else {
+				return
+			}
+		}
+	}()
+
+	wg.Wait()
+}

client/internal/peer/error.go

@@ -0,0 +1,72 @@
+package peer
+
+import (
+	"fmt"
+	"time"
+)
+
+// ConnectionTimeoutError is an error indicating that a peer Conn has been timed out
+type ConnectionTimeoutError struct {
+	peer    string
+	timeout time.Duration
+}
+
+func (e *ConnectionTimeoutError) Error() string {
+	return fmt.Sprintf("connection to peer %s timed out after %s", e.peer, e.timeout.String())
+}
+
+// NewConnectionTimeoutError creates a new ConnectionTimeoutError error
+func NewConnectionTimeoutError(peer string, timeout time.Duration) error {
+	return &ConnectionTimeoutError{
+		peer:    peer,
+		timeout: timeout,
+	}
+}
+
+// ConnectionClosedError is an error indicating that a peer Conn has been forcefully closed
+type ConnectionClosedError struct {
+	peer string
+}
+
+func (e *ConnectionClosedError) Error() string {
+	return fmt.Sprintf("connection to peer %s has been closed", e.peer)
+}
+
+// NewConnectionClosedError creates a new ConnectionClosedError error
+func NewConnectionClosedError(peer string) error {
+	return &ConnectionClosedError{
+		peer: peer,
+	}
+}
+
+// ConnectionDisconnectedError is an error indicating that a peer Conn has ctx from the remote
+type ConnectionDisconnectedError struct {
+	peer string
+}
+
+func (e *ConnectionDisconnectedError) Error() string {
+	return fmt.Sprintf("disconnected from peer %s", e.peer)
+}
+
+// NewConnectionDisconnectedError creates a new ConnectionDisconnectedError error
+func NewConnectionDisconnectedError(peer string) error {
+	return &ConnectionDisconnectedError{
+		peer: peer,
+	}
+}
+
+// ConnectionAlreadyClosedError is an error indicating that a peer Conn has been already closed and the invocation of the Close() method has been performed over a closed connection
+type ConnectionAlreadyClosedError struct {
+	peer string
+}
+
+func (e *ConnectionAlreadyClosedError) Error() string {
+	return fmt.Sprintf("connection to peer %s has been already closed", e.peer)
+}
+
+// NewConnectionAlreadyClosed creates a new ConnectionAlreadyClosedError error
+func NewConnectionAlreadyClosed(peer string) error {
+	return &ConnectionAlreadyClosedError{
+		peer: peer,
+	}
+}

client/internal/peer/error_test.go

@@ -0,0 +1,27 @@
+package peer
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+	"time"
+)
+
+func TestNewConnectionClosedError(t *testing.T) {
+	err := NewConnectionClosedError("X")
+	assert.Equal(t, &ConnectionClosedError{peer: "X"}, err)
+}
+
+func TestNewConnectionDisconnectedError(t *testing.T) {
+	err := NewConnectionDisconnectedError("X")
+	assert.Equal(t, &ConnectionDisconnectedError{peer: "X"}, err)
+}
+
+func TestNewConnectionTimeoutErrorC(t *testing.T) {
+	err := NewConnectionTimeoutError("X", time.Second)
+	assert.Equal(t, &ConnectionTimeoutError{peer: "X", timeout: time.Second}, err)
+}
+
+func TestNewConnectionAlreadyClosed(t *testing.T) {
+	err := NewConnectionAlreadyClosed("X")
+	assert.Equal(t, &ConnectionAlreadyClosedError{peer: "X"}, err)
+}

client/internal/peer/status.go

@@ -0,0 +1,25 @@
+package peer
+
+import log "github.com/sirupsen/logrus"
+
+type ConnStatus int
+
+func (s ConnStatus) String() string {
+	switch s {
+	case StatusConnecting:
+		return "StatusConnecting"
+	case StatusConnected:
+		return "StatusConnected"
+	case StatusDisconnected:
+		return "StatusDisconnected"
+	default:
+		log.Errorf("unknown status: %d", s)
+		return "INVALID_PEER_CONNECTION_STATUS"
+	}
+}
+
+const (
+	StatusConnected = iota
+	StatusConnecting
+	StatusDisconnected
+)

client/internal/peer/status_test.go

@@ -0,0 +1,27 @@
+package peer
+
+import (
+	"github.com/magiconair/properties/assert"
+	"testing"
+)
+
+func TestConnStatus_String(t *testing.T) {
+
+	tables := []struct {
+		name   string
+		status ConnStatus
+		want   string
+	}{
+		{"StatusConnected", StatusConnected, "StatusConnected"},
+		{"StatusDisconnected", StatusDisconnected, "StatusDisconnected"},
+		{"StatusConnecting", StatusConnecting, "StatusConnecting"},
+	}
+
+	for _, table := range tables {
+		t.Run(table.name, func(t *testing.T) {
+			got := table.status.String()
+			assert.Equal(t, got, table.want, "they should be equal")
+		})
+	}
+
+}

client/internal/proxy/dummy.go

@@ -0,0 +1,72 @@
+package proxy
+
+import (
+	"context"
+	log "github.com/sirupsen/logrus"
+	"net"
+	"time"
+)
+
+// DummyProxy just sends pings to the RemoteKey peer and reads responses
+type DummyProxy struct {
+	conn   net.Conn
+	remote string
+	ctx    context.Context
+	cancel context.CancelFunc
+}
+
+func NewDummyProxy(remote string) *DummyProxy {
+	p := &DummyProxy{remote: remote}
+	p.ctx, p.cancel = context.WithCancel(context.Background())
+	return p
+}
+
+func (p *DummyProxy) Close() error {
+	p.cancel()
+	return nil
+}
+
+func (p *DummyProxy) Start(remoteConn net.Conn) error {
+	p.conn = remoteConn
+	go func() {
+		buf := make([]byte, 1500)
+		for {
+			select {
+			case <-p.ctx.Done():
+				return
+			default:
+				_, err := p.conn.Read(buf)
+				if err != nil {
+					log.Errorf("error while reading RemoteKey %s proxy %v", p.remote, err)
+					return
+				}
+				//log.Debugf("received %s from %s", string(buf[:n]), p.remote)
+			}
+
+		}
+	}()
+
+	go func() {
+		for {
+			select {
+			case <-p.ctx.Done():
+				return
+			default:
+				_, err := p.conn.Write([]byte("hello"))
+				//log.Debugf("sent ping to %s", p.remote)
+				if err != nil {
+					log.Errorf("error while writing to RemoteKey %s proxy %v", p.remote, err)
+					return
+				}
+				time.Sleep(5 * time.Second)
+			}
+		}
+
+	}()
+
+	return nil
+}
+
+func (p *DummyProxy) Type() Type {
+	return TypeDummy
+}

client/internal/proxy/noproxy.go

@@ -0,0 +1,52 @@
+package proxy
+
+import (
+	"github.com/netbirdio/netbird/iface"
+	log "github.com/sirupsen/logrus"
+	"net"
+)
+
+// NoProxy is used when there is no need for a proxy between ICE and Wireguard.
+// This is possible in either of these cases:
+// - peers are in the same local network
+// - one of the peers has a public static IP (host)
+// NoProxy will just update remote peer with a remote host and fixed Wireguard port (r.g. 51820).
+// In order NoProxy to work, Wireguard port has to be fixed for the time being.
+type NoProxy struct {
+	config Config
+}
+
+func NewNoProxy(config Config) *NoProxy {
+	return &NoProxy{config: config}
+}
+
+func (p *NoProxy) Close() error {
+	err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// Start just updates Wireguard peer with the remote IP and default Wireguard port
+func (p *NoProxy) Start(remoteConn net.Conn) error {
+
+	log.Debugf("using NoProxy while connecting to peer %s", p.config.RemoteKey)
+	addr, err := net.ResolveUDPAddr("udp", remoteConn.RemoteAddr().String())
+	if err != nil {
+		return err
+	}
+	addr.Port = iface.DefaultWgPort
+	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
+		addr, p.config.PreSharedKey)
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (p *NoProxy) Type() Type {
+	return TypeNoProxy
+}

client/internal/proxy/proxy.go

@@ -0,0 +1,34 @@
+package proxy
+
+import (
+	"github.com/netbirdio/netbird/iface"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"io"
+	"net"
+	"time"
+)
+
+const DefaultWgKeepAlive = 25 * time.Second
+
+type Type string
+
+const (
+	TypeNoProxy   Type = "NoProxy"
+	TypeWireguard Type = "Wireguard"
+	TypeDummy     Type = "Dummy"
+)
+
+type Config struct {
+	WgListenAddr string
+	RemoteKey    string
+	WgInterface  *iface.WGIface
+	AllowedIps   string
+	PreSharedKey *wgtypes.Key
+}
+
+type Proxy interface {
+	io.Closer
+	// Start creates a local remoteConn and starts proxying data from/to remoteConn
+	Start(remoteConn net.Conn) error
+	Type() Type
+}

client/internal/proxy/wireguard.go

@@ -0,0 +1,128 @@
+package proxy
+
+import (
+	"context"
+	log "github.com/sirupsen/logrus"
+	"net"
+)
+
+// WireguardProxy proxies
+type WireguardProxy struct {
+	ctx    context.Context
+	cancel context.CancelFunc
+
+	config Config
+
+	remoteConn net.Conn
+	localConn  net.Conn
+}
+
+func NewWireguardProxy(config Config) *WireguardProxy {
+	p := &WireguardProxy{config: config}
+	p.ctx, p.cancel = context.WithCancel(context.Background())
+	return p
+}
+
+func (p *WireguardProxy) updateEndpoint() error {
+	udpAddr, err := net.ResolveUDPAddr(p.localConn.LocalAddr().Network(), p.localConn.LocalAddr().String())
+	if err != nil {
+		return err
+	}
+	// add local proxy connection as a Wireguard peer
+	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
+		udpAddr, p.config.PreSharedKey)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (p *WireguardProxy) Start(remoteConn net.Conn) error {
+	p.remoteConn = remoteConn
+
+	var err error
+	p.localConn, err = net.Dial("udp", p.config.WgListenAddr)
+	if err != nil {
+		log.Errorf("failed dialing to local Wireguard port %s", err)
+		return err
+	}
+
+	err = p.updateEndpoint()
+	if err != nil {
+		log.Errorf("error while updating Wireguard peer endpoint [%s] %v", p.config.RemoteKey, err)
+		return err
+	}
+
+	go p.proxyToRemote()
+	go p.proxyToLocal()
+
+	return nil
+}
+
+func (p *WireguardProxy) Close() error {
+	p.cancel()
+	if c := p.localConn; c != nil {
+		err := p.localConn.Close()
+		if err != nil {
+			return err
+		}
+	}
+	err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// proxyToRemote proxies everything from Wireguard to the RemoteKey peer
+// blocks
+func (p *WireguardProxy) proxyToRemote() {
+
+	buf := make([]byte, 1500)
+	for {
+		select {
+		case <-p.ctx.Done():
+			log.Debugf("stopped proxying to remote peer %s due to closed connection", p.config.RemoteKey)
+			return
+		default:
+			n, err := p.localConn.Read(buf)
+			if err != nil {
+				continue
+			}
+
+			_, err = p.remoteConn.Write(buf[:n])
+			if err != nil {
+				continue
+			}
+		}
+	}
+}
+
+// proxyToLocal proxies everything from the RemoteKey peer to local Wireguard
+// blocks
+func (p *WireguardProxy) proxyToLocal() {
+
+	buf := make([]byte, 1500)
+	for {
+		select {
+		case <-p.ctx.Done():
+			log.Debugf("stopped proxying from remote peer %s due to closed connection", p.config.RemoteKey)
+			return
+		default:
+			n, err := p.remoteConn.Read(buf)
+			if err != nil {
+				continue
+			}
+
+			_, err = p.localConn.Write(buf[:n])
+			if err != nil {
+				continue
+			}
+		}
+	}
+}
+
+func (p *WireguardProxy) Type() Type {
+	return TypeWireguard
+}

client/internal/state.go

@@ -0,0 +1,69 @@
+package internal
+
+import (
+	"context"
+	"sync"
+)
+
+type StatusType string
+
+const (
+	StatusIdle StatusType = "Idle"
+
+	StatusConnecting  StatusType = "Connecting"
+	StatusConnected   StatusType = "Connected"
+	StatusNeedsLogin  StatusType = "NeedsLogin"
+	StatusLoginFailed StatusType = "LoginFailed"
+)
+
+// CtxInitState setup context state into the context tree.
+//
+// This function should be used to initialize context before
+// CtxGetState will be executed.
+func CtxInitState(ctx context.Context) context.Context {
+	return context.WithValue(ctx, stateCtx, &contextState{
+		status: StatusIdle,
+	})
+}
+
+// CtxGetState object to get/update state/errors of process.
+func CtxGetState(ctx context.Context) *contextState {
+	return ctx.Value(stateCtx).(*contextState)
+}
+
+type contextState struct {
+	err    error
+	status StatusType
+	mutex  sync.Mutex
+}
+
+func (c *contextState) Set(update StatusType) {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	c.status = update
+	c.err = nil
+}
+
+func (c *contextState) Status() (StatusType, error) {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	if c.err != nil {
+		return "", c.err
+	}
+
+	return c.status, nil
+}
+
+func (c *contextState) Wrap(err error) error {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	c.err = err
+	return err
+}
+
+type stateKey int
+
+var stateCtx stateKey

client/internal/wgproxy.go

@@ -1,132 +0,0 @@
-package internal
-
-import (
-	ice "github.com/pion/ice/v2"
-	log "github.com/sirupsen/logrus"
-	"github.com/wiretrustee/wiretrustee/iface"
-	"net"
-)
-
-// WgProxy an instance of an instance of the Connection Wireguard Proxy
-type WgProxy struct {
-	iface      string
-	remoteKey  string
-	allowedIps string
-	wgAddr     string
-	close      chan struct{}
-	wgConn     net.Conn
-}
-
-// NewWgProxy creates a new Connection Wireguard Proxy
-func NewWgProxy(iface string, remoteKey string, allowedIps string, wgAddr string) *WgProxy {
-	return &WgProxy{
-		iface:      iface,
-		remoteKey:  remoteKey,
-		allowedIps: allowedIps,
-		wgAddr:     wgAddr,
-		close:      make(chan struct{}),
-	}
-}
-
-// Close closes the proxy
-func (p *WgProxy) Close() error {
-
-	close(p.close)
-	if c := p.wgConn; c != nil {
-		err := p.wgConn.Close()
-		if err != nil {
-			return err
-		}
-	}
-	err := iface.RemovePeer(p.iface, p.remoteKey)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// StartLocal configure the interface with a peer using a direct IP:Port endpoint to the remote host
-func (p *WgProxy) StartLocal(host string) error {
-	err := iface.UpdatePeer(p.iface, p.remoteKey, p.allowedIps, DefaultWgKeepAlive, host)
-	if err != nil {
-		log.Errorf("error while configuring Wireguard peer [%s] %s", p.remoteKey, err.Error())
-		return err
-	}
-	return nil
-}
-
-// Start starts a new proxy using the ICE connection
-func (p *WgProxy) Start(remoteConn *ice.Conn) error {
-
-	wgConn, err := net.Dial("udp", p.wgAddr)
-	if err != nil {
-		log.Fatalf("failed dialing to local Wireguard port %s", err)
-		return err
-	}
-	p.wgConn = wgConn
-	// add local proxy connection as a Wireguard peer
-	err = iface.UpdatePeer(p.iface, p.remoteKey, p.allowedIps, DefaultWgKeepAlive,
-		wgConn.LocalAddr().String())
-	if err != nil {
-		log.Errorf("error while configuring Wireguard peer [%s] %s", p.remoteKey, err.Error())
-		return err
-	}
-
-	go func() { p.proxyToRemotePeer(remoteConn) }()
-	go func() { p.proxyToLocalWireguard(remoteConn) }()
-
-	return err
-}
-
-// proxyToRemotePeer proxies everything from Wireguard to the remote peer
-// blocks
-func (p *WgProxy) proxyToRemotePeer(remoteConn *ice.Conn) {
-
-	buf := make([]byte, 1500)
-	for {
-		select {
-		case <-p.close:
-			log.Debugf("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
-			return
-		default:
-			n, err := p.wgConn.Read(buf)
-			if err != nil {
-				//log.Warnln("failed reading from peer: ", err.Error())
-				continue
-			}
-
-			_, err = remoteConn.Write(buf[:n])
-			if err != nil {
-				//log.Warnln("failed writing to remote peer: ", err.Error())
-				continue
-			}
-		}
-	}
-}
-
-// proxyToLocalWireguard proxies everything from the remote peer to local Wireguard
-// blocks
-func (p *WgProxy) proxyToLocalWireguard(remoteConn *ice.Conn) {
-
-	buf := make([]byte, 1500)
-	for {
-		select {
-		case <-p.close:
-			log.Debugf("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
-			return
-		default:
-			n, err := remoteConn.Read(buf)
-			if err != nil {
-				//log.Errorf("failed reading from remote connection %s", err)
-				continue
-			}
-
-			_, err = p.wgConn.Write(buf[:n])
-			if err != nil {
-				//log.Errorf("failed writing to local Wireguard instance %s", err)
-				continue
-			}
-		}
-	}
-}

client/main.go

@@ -1,15 +1,12 @@
 package main
 
 import (
-	"github.com/wiretrustee/wiretrustee/client/cmd"
 	"os"
+
+	"github.com/netbirdio/netbird/client/cmd"
 )
 
-var version = "development"
-
 func main() {
-
-	cmd.Version = version
 	if err := cmd.Execute(); err != nil {
 		os.Exit(1)
 	}

client/manifest.xml

@@ -3,10 +3,10 @@
     <assemblyIdentity
             version="0.0.0.1"
             processorArchitecture="*"
-            name="wiretrustee.exe"
+            name="netbird.exe"
             type="win32"
     />
-    <description>Wiretrustee application</description>
+    <description>Netbird application</description>
     <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
         <security>
             <requestedPrivileges>

client/proto/daemon.pb.go

@@ -0,0 +1,910 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.26.0
+// 	protoc        v3.19.4
+// source: daemon.proto
+
+package proto
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	_ "google.golang.org/protobuf/types/descriptorpb"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type LoginRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// setupKey wiretrustee setup key.
+	SetupKey string `protobuf:"bytes,1,opt,name=setupKey,proto3" json:"setupKey,omitempty"`
+	// preSharedKey for wireguard setup.
+	PreSharedKey string `protobuf:"bytes,2,opt,name=preSharedKey,proto3" json:"preSharedKey,omitempty"`
+	// managementUrl to authenticate.
+	ManagementUrl string `protobuf:"bytes,3,opt,name=managementUrl,proto3" json:"managementUrl,omitempty"`
+	// adminUrl to manage keys.
+	AdminURL string `protobuf:"bytes,4,opt,name=adminURL,proto3" json:"adminURL,omitempty"`
+}
+
+func (x *LoginRequest) Reset() {
+	*x = LoginRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *LoginRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*LoginRequest) ProtoMessage() {}
+
+func (x *LoginRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use LoginRequest.ProtoReflect.Descriptor instead.
+func (*LoginRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *LoginRequest) GetSetupKey() string {
+	if x != nil {
+		return x.SetupKey
+	}
+	return ""
+}
+
+func (x *LoginRequest) GetPreSharedKey() string {
+	if x != nil {
+		return x.PreSharedKey
+	}
+	return ""
+}
+
+func (x *LoginRequest) GetManagementUrl() string {
+	if x != nil {
+		return x.ManagementUrl
+	}
+	return ""
+}
+
+func (x *LoginRequest) GetAdminURL() string {
+	if x != nil {
+		return x.AdminURL
+	}
+	return ""
+}
+
+type LoginResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	NeedsSSOLogin           bool   `protobuf:"varint,1,opt,name=needsSSOLogin,proto3" json:"needsSSOLogin,omitempty"`
+	UserCode                string `protobuf:"bytes,2,opt,name=userCode,proto3" json:"userCode,omitempty"`
+	VerificationURI         string `protobuf:"bytes,3,opt,name=verificationURI,proto3" json:"verificationURI,omitempty"`
+	VerificationURIComplete string `protobuf:"bytes,4,opt,name=verificationURIComplete,proto3" json:"verificationURIComplete,omitempty"`
+}
+
+func (x *LoginResponse) Reset() {
+	*x = LoginResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *LoginResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*LoginResponse) ProtoMessage() {}
+
+func (x *LoginResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use LoginResponse.ProtoReflect.Descriptor instead.
+func (*LoginResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *LoginResponse) GetNeedsSSOLogin() bool {
+	if x != nil {
+		return x.NeedsSSOLogin
+	}
+	return false
+}
+
+func (x *LoginResponse) GetUserCode() string {
+	if x != nil {
+		return x.UserCode
+	}
+	return ""
+}
+
+func (x *LoginResponse) GetVerificationURI() string {
+	if x != nil {
+		return x.VerificationURI
+	}
+	return ""
+}
+
+func (x *LoginResponse) GetVerificationURIComplete() string {
+	if x != nil {
+		return x.VerificationURIComplete
+	}
+	return ""
+}
+
+type WaitSSOLoginRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	UserCode string `protobuf:"bytes,1,opt,name=userCode,proto3" json:"userCode,omitempty"`
+}
+
+func (x *WaitSSOLoginRequest) Reset() {
+	*x = WaitSSOLoginRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *WaitSSOLoginRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*WaitSSOLoginRequest) ProtoMessage() {}
+
+func (x *WaitSSOLoginRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use WaitSSOLoginRequest.ProtoReflect.Descriptor instead.
+func (*WaitSSOLoginRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *WaitSSOLoginRequest) GetUserCode() string {
+	if x != nil {
+		return x.UserCode
+	}
+	return ""
+}
+
+type WaitSSOLoginResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *WaitSSOLoginResponse) Reset() {
+	*x = WaitSSOLoginResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *WaitSSOLoginResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*WaitSSOLoginResponse) ProtoMessage() {}
+
+func (x *WaitSSOLoginResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use WaitSSOLoginResponse.ProtoReflect.Descriptor instead.
+func (*WaitSSOLoginResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{3}
+}
+
+type UpRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *UpRequest) Reset() {
+	*x = UpRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *UpRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UpRequest) ProtoMessage() {}
+
+func (x *UpRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UpRequest.ProtoReflect.Descriptor instead.
+func (*UpRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{4}
+}
+
+type UpResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *UpResponse) Reset() {
+	*x = UpResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *UpResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UpResponse) ProtoMessage() {}
+
+func (x *UpResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UpResponse.ProtoReflect.Descriptor instead.
+func (*UpResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{5}
+}
+
+type StatusRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *StatusRequest) Reset() {
+	*x = StatusRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *StatusRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StatusRequest) ProtoMessage() {}
+
+func (x *StatusRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StatusRequest.ProtoReflect.Descriptor instead.
+func (*StatusRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{6}
+}
+
+type StatusResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// status of the server.
+	Status string `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
+}
+
+func (x *StatusResponse) Reset() {
+	*x = StatusResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[7]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *StatusResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StatusResponse) ProtoMessage() {}
+
+func (x *StatusResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[7]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StatusResponse.ProtoReflect.Descriptor instead.
+func (*StatusResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *StatusResponse) GetStatus() string {
+	if x != nil {
+		return x.Status
+	}
+	return ""
+}
+
+type DownRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *DownRequest) Reset() {
+	*x = DownRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[8]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DownRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DownRequest) ProtoMessage() {}
+
+func (x *DownRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[8]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DownRequest.ProtoReflect.Descriptor instead.
+func (*DownRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{8}
+}
+
+type DownResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *DownResponse) Reset() {
+	*x = DownResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[9]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DownResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DownResponse) ProtoMessage() {}
+
+func (x *DownResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[9]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DownResponse.ProtoReflect.Descriptor instead.
+func (*DownResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{9}
+}
+
+type GetConfigRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *GetConfigRequest) Reset() {
+	*x = GetConfigRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[10]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetConfigRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetConfigRequest) ProtoMessage() {}
+
+func (x *GetConfigRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[10]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetConfigRequest.ProtoReflect.Descriptor instead.
+func (*GetConfigRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{10}
+}
+
+type GetConfigResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// managementUrl settings value.
+	ManagementUrl string `protobuf:"bytes,1,opt,name=managementUrl,proto3" json:"managementUrl,omitempty"`
+	// configFile settings value.
+	ConfigFile string `protobuf:"bytes,2,opt,name=configFile,proto3" json:"configFile,omitempty"`
+	// logFile settings value.
+	LogFile string `protobuf:"bytes,3,opt,name=logFile,proto3" json:"logFile,omitempty"`
+	// preSharedKey settings value.
+	PreSharedKey string `protobuf:"bytes,4,opt,name=preSharedKey,proto3" json:"preSharedKey,omitempty"`
+	// adminURL settings value.
+	AdminURL string `protobuf:"bytes,5,opt,name=adminURL,proto3" json:"adminURL,omitempty"`
+}
+
+func (x *GetConfigResponse) Reset() {
+	*x = GetConfigResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[11]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetConfigResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetConfigResponse) ProtoMessage() {}
+
+func (x *GetConfigResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[11]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetConfigResponse.ProtoReflect.Descriptor instead.
+func (*GetConfigResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{11}
+}
+
+func (x *GetConfigResponse) GetManagementUrl() string {
+	if x != nil {
+		return x.ManagementUrl
+	}
+	return ""
+}
+
+func (x *GetConfigResponse) GetConfigFile() string {
+	if x != nil {
+		return x.ConfigFile
+	}
+	return ""
+}
+
+func (x *GetConfigResponse) GetLogFile() string {
+	if x != nil {
+		return x.LogFile
+	}
+	return ""
+}
+
+func (x *GetConfigResponse) GetPreSharedKey() string {
+	if x != nil {
+		return x.PreSharedKey
+	}
+	return ""
+}
+
+func (x *GetConfigResponse) GetAdminURL() string {
+	if x != nil {
+		return x.AdminURL
+	}
+	return ""
+}
+
+var File_daemon_proto protoreflect.FileDescriptor
+
+var file_daemon_proto_rawDesc = []byte{
+	0x0a, 0x0c, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06,
+	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x1a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74,
+	0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x90, 0x01, 0x0a, 0x0c, 0x4c, 0x6f, 0x67,
+	0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x65, 0x74,
+	0x75, 0x70, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x65, 0x74,
+	0x75, 0x70, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72,
+	0x65, 0x64, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x72, 0x65,
+	0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x0a, 0x0d, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x12,
+	0x1a, 0x0a, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x22, 0xb5, 0x01, 0x0a, 0x0d,
+	0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a,
+	0x0d, 0x6e, 0x65, 0x65, 0x64, 0x73, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x6e, 0x65, 0x65, 0x64, 0x73, 0x53, 0x53, 0x4f, 0x4c, 0x6f,
+	0x67, 0x69, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x12,
+	0x28, 0x0a, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55,
+	0x52, 0x49, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69,
+	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x12, 0x38, 0x0a, 0x17, 0x76, 0x65, 0x72,
+	0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x43, 0x6f, 0x6d, 0x70,
+	0x6c, 0x65, 0x74, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x17, 0x76, 0x65, 0x72, 0x69,
+	0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x43, 0x6f, 0x6d, 0x70, 0x6c,
+	0x65, 0x74, 0x65, 0x22, 0x31, 0x0a, 0x13, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f,
+	0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73,
+	0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73,
+	0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x22, 0x16, 0x0a, 0x14, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53,
+	0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x0b,
+	0x0a, 0x09, 0x55, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x0c, 0x0a, 0x0a, 0x55,
+	0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x0f, 0x0a, 0x0d, 0x53, 0x74, 0x61,
+	0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x28, 0x0a, 0x0e, 0x53, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06,
+	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x22, 0x0d, 0x0a, 0x0b, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x22, 0x0e, 0x0a, 0x0c, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x22, 0x12, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xb3, 0x01, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x43,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a,
+	0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+	0x55, 0x72, 0x6c, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x46, 0x69, 0x6c,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x46,
+	0x69, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6c, 0x6f, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x18, 0x03,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6c, 0x6f, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x22, 0x0a,
+	0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x18, 0x04, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65,
+	0x79, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x18, 0x05, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x32, 0xf7, 0x02,
+	0x0a, 0x0d, 0x44, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12,
+	0x36, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x14, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f,
+	0x6e, 0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15,
+	0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x4b, 0x0a, 0x0c, 0x57, 0x61, 0x69, 0x74, 0x53,
+	0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1b, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e,
+	0x2e, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x57, 0x61,
+	0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x22, 0x00, 0x12, 0x2d, 0x0a, 0x02, 0x55, 0x70, 0x12, 0x11, 0x2e, 0x64, 0x61, 0x65,
+	0x6d, 0x6f, 0x6e, 0x2e, 0x55, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e,
+	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x55, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x00, 0x12, 0x39, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x15, 0x2e,
+	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33,
+	0x0a, 0x04, 0x44, 0x6f, 0x77, 0x6e, 0x12, 0x13, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e,
+	0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x64, 0x61,
+	0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x00, 0x12, 0x42, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x12, 0x18, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e,
+	0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x64, 0x61, 0x65,
+	0x6d, 0x6f, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_daemon_proto_rawDescOnce sync.Once
+	file_daemon_proto_rawDescData = file_daemon_proto_rawDesc
+)
+
+func file_daemon_proto_rawDescGZIP() []byte {
+	file_daemon_proto_rawDescOnce.Do(func() {
+		file_daemon_proto_rawDescData = protoimpl.X.CompressGZIP(file_daemon_proto_rawDescData)
+	})
+	return file_daemon_proto_rawDescData
+}
+
+var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
+var file_daemon_proto_goTypes = []interface{}{
+	(*LoginRequest)(nil),         // 0: daemon.LoginRequest
+	(*LoginResponse)(nil),        // 1: daemon.LoginResponse
+	(*WaitSSOLoginRequest)(nil),  // 2: daemon.WaitSSOLoginRequest
+	(*WaitSSOLoginResponse)(nil), // 3: daemon.WaitSSOLoginResponse
+	(*UpRequest)(nil),            // 4: daemon.UpRequest
+	(*UpResponse)(nil),           // 5: daemon.UpResponse
+	(*StatusRequest)(nil),        // 6: daemon.StatusRequest
+	(*StatusResponse)(nil),       // 7: daemon.StatusResponse
+	(*DownRequest)(nil),          // 8: daemon.DownRequest
+	(*DownResponse)(nil),         // 9: daemon.DownResponse
+	(*GetConfigRequest)(nil),     // 10: daemon.GetConfigRequest
+	(*GetConfigResponse)(nil),    // 11: daemon.GetConfigResponse
+}
+var file_daemon_proto_depIdxs = []int32{
+	0,  // 0: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
+	2,  // 1: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
+	4,  // 2: daemon.DaemonService.Up:input_type -> daemon.UpRequest
+	6,  // 3: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
+	8,  // 4: daemon.DaemonService.Down:input_type -> daemon.DownRequest
+	10, // 5: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
+	1,  // 6: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	3,  // 7: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	5,  // 8: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	7,  // 9: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	9,  // 10: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	11, // 11: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	6,  // [6:12] is the sub-list for method output_type
+	0,  // [0:6] is the sub-list for method input_type
+	0,  // [0:0] is the sub-list for extension type_name
+	0,  // [0:0] is the sub-list for extension extendee
+	0,  // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_daemon_proto_init() }
+func file_daemon_proto_init() {
+	if File_daemon_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_daemon_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*LoginRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*LoginResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*WaitSSOLoginRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*WaitSSOLoginResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UpRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UpResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*StatusRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*StatusResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DownRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DownResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetConfigRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetConfigResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_daemon_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   12,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_daemon_proto_goTypes,
+		DependencyIndexes: file_daemon_proto_depIdxs,
+		MessageInfos:      file_daemon_proto_msgTypes,
+	}.Build()
+	File_daemon_proto = out.File
+	file_daemon_proto_rawDesc = nil
+	file_daemon_proto_goTypes = nil
+	file_daemon_proto_depIdxs = nil
+}

client/proto/daemon.proto

@@ -0,0 +1,90 @@
+syntax = "proto3";
+
+import "google/protobuf/descriptor.proto";
+
+option go_package = "/proto";
+
+package daemon;
+
+service DaemonService {
+  // Login uses setup key to prepare configuration for the daemon.
+  rpc Login(LoginRequest) returns (LoginResponse) {}
+
+  // WaitSSOLogin uses the userCode to validate the TokenInfo and
+  // waits for the user to continue with the login on a browser
+  rpc WaitSSOLogin(WaitSSOLoginRequest) returns (WaitSSOLoginResponse) {}
+
+  // Up starts engine work in the daemon.
+  rpc Up(UpRequest) returns (UpResponse) {}
+
+  // Status of the service.
+  rpc Status(StatusRequest) returns (StatusResponse) {}
+
+  // Down engine work in the daemon.
+  rpc Down(DownRequest) returns (DownResponse) {}
+
+  // GetConfig of the daemon.
+  rpc GetConfig(GetConfigRequest) returns (GetConfigResponse) {}
+};
+
+message LoginRequest {
+  // setupKey wiretrustee setup key.
+  string setupKey = 1;
+
+  // preSharedKey for wireguard setup.
+  string preSharedKey = 2;
+
+  // managementUrl to authenticate.
+  string managementUrl = 3;
+
+  // adminUrl to manage keys.
+  string adminURL = 4;
+
+}
+
+message LoginResponse {
+  bool   needsSSOLogin = 1;
+  string userCode = 2;
+  string verificationURI = 3;
+  string verificationURIComplete = 4;
+}
+
+message WaitSSOLoginRequest {
+  string userCode = 1;
+}
+
+message WaitSSOLoginResponse {}
+
+message UpRequest {}
+
+message UpResponse {}
+
+message StatusRequest{}
+
+message StatusResponse{
+  // status of the server.
+  string status = 1;
+}
+
+message DownRequest {}
+
+message DownResponse {}
+
+message GetConfigRequest {}
+
+message GetConfigResponse {
+  // managementUrl settings value.
+  string managementUrl = 1;
+
+  // configFile settings value.
+  string configFile = 2;
+
+  // logFile settings value.
+  string logFile = 3;
+
+  // preSharedKey settings value.
+  string preSharedKey = 4;
+
+  // adminURL settings value.
+  string adminURL = 5;
+}

client/proto/daemon_grpc.pb.go

@@ -0,0 +1,295 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+
+package proto
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// DaemonServiceClient is the client API for DaemonService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type DaemonServiceClient interface {
+	// Login uses setup key to prepare configuration for the daemon.
+	Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error)
+	// WaitSSOLogin uses the userCode to validate the TokenInfo and
+	// waits for the user to continue with the login on a browser
+	WaitSSOLogin(ctx context.Context, in *WaitSSOLoginRequest, opts ...grpc.CallOption) (*WaitSSOLoginResponse, error)
+	// Up starts engine work in the daemon.
+	Up(ctx context.Context, in *UpRequest, opts ...grpc.CallOption) (*UpResponse, error)
+	// Status of the service.
+	Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error)
+	// Down engine work in the daemon.
+	Down(ctx context.Context, in *DownRequest, opts ...grpc.CallOption) (*DownResponse, error)
+	// GetConfig of the daemon.
+	GetConfig(ctx context.Context, in *GetConfigRequest, opts ...grpc.CallOption) (*GetConfigResponse, error)
+}
+
+type daemonServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewDaemonServiceClient(cc grpc.ClientConnInterface) DaemonServiceClient {
+	return &daemonServiceClient{cc}
+}
+
+func (c *daemonServiceClient) Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error) {
+	out := new(LoginResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Login", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) WaitSSOLogin(ctx context.Context, in *WaitSSOLoginRequest, opts ...grpc.CallOption) (*WaitSSOLoginResponse, error) {
+	out := new(WaitSSOLoginResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/WaitSSOLogin", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) Up(ctx context.Context, in *UpRequest, opts ...grpc.CallOption) (*UpResponse, error) {
+	out := new(UpResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Up", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) {
+	out := new(StatusResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Status", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) Down(ctx context.Context, in *DownRequest, opts ...grpc.CallOption) (*DownResponse, error) {
+	out := new(DownResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Down", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) GetConfig(ctx context.Context, in *GetConfigRequest, opts ...grpc.CallOption) (*GetConfigResponse, error) {
+	out := new(GetConfigResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/GetConfig", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// DaemonServiceServer is the server API for DaemonService service.
+// All implementations must embed UnimplementedDaemonServiceServer
+// for forward compatibility
+type DaemonServiceServer interface {
+	// Login uses setup key to prepare configuration for the daemon.
+	Login(context.Context, *LoginRequest) (*LoginResponse, error)
+	// WaitSSOLogin uses the userCode to validate the TokenInfo and
+	// waits for the user to continue with the login on a browser
+	WaitSSOLogin(context.Context, *WaitSSOLoginRequest) (*WaitSSOLoginResponse, error)
+	// Up starts engine work in the daemon.
+	Up(context.Context, *UpRequest) (*UpResponse, error)
+	// Status of the service.
+	Status(context.Context, *StatusRequest) (*StatusResponse, error)
+	// Down engine work in the daemon.
+	Down(context.Context, *DownRequest) (*DownResponse, error)
+	// GetConfig of the daemon.
+	GetConfig(context.Context, *GetConfigRequest) (*GetConfigResponse, error)
+	mustEmbedUnimplementedDaemonServiceServer()
+}
+
+// UnimplementedDaemonServiceServer must be embedded to have forward compatible implementations.
+type UnimplementedDaemonServiceServer struct {
+}
+
+func (UnimplementedDaemonServiceServer) Login(context.Context, *LoginRequest) (*LoginResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Login not implemented")
+}
+func (UnimplementedDaemonServiceServer) WaitSSOLogin(context.Context, *WaitSSOLoginRequest) (*WaitSSOLoginResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method WaitSSOLogin not implemented")
+}
+func (UnimplementedDaemonServiceServer) Up(context.Context, *UpRequest) (*UpResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Up not implemented")
+}
+func (UnimplementedDaemonServiceServer) Status(context.Context, *StatusRequest) (*StatusResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Status not implemented")
+}
+func (UnimplementedDaemonServiceServer) Down(context.Context, *DownRequest) (*DownResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Down not implemented")
+}
+func (UnimplementedDaemonServiceServer) GetConfig(context.Context, *GetConfigRequest) (*GetConfigResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetConfig not implemented")
+}
+func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}
+
+// UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to DaemonServiceServer will
+// result in compilation errors.
+type UnsafeDaemonServiceServer interface {
+	mustEmbedUnimplementedDaemonServiceServer()
+}
+
+func RegisterDaemonServiceServer(s grpc.ServiceRegistrar, srv DaemonServiceServer) {
+	s.RegisterService(&DaemonService_ServiceDesc, srv)
+}
+
+func _DaemonService_Login_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(LoginRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).Login(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/Login",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).Login(ctx, req.(*LoginRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_WaitSSOLogin_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(WaitSSOLoginRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).WaitSSOLogin(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/WaitSSOLogin",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).WaitSSOLogin(ctx, req.(*WaitSSOLoginRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_Up_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).Up(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/Up",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).Up(ctx, req.(*UpRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_Status_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(StatusRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).Status(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/Status",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).Status(ctx, req.(*StatusRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_Down_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DownRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).Down(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/Down",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).Down(ctx, req.(*DownRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_GetConfig_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetConfigRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).GetConfig(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/GetConfig",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).GetConfig(ctx, req.(*GetConfigRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// DaemonService_ServiceDesc is the grpc.ServiceDesc for DaemonService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var DaemonService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "daemon.DaemonService",
+	HandlerType: (*DaemonServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Login",
+			Handler:    _DaemonService_Login_Handler,
+		},
+		{
+			MethodName: "WaitSSOLogin",
+			Handler:    _DaemonService_WaitSSOLogin_Handler,
+		},
+		{
+			MethodName: "Up",
+			Handler:    _DaemonService_Up_Handler,
+		},
+		{
+			MethodName: "Status",
+			Handler:    _DaemonService_Status_Handler,
+		},
+		{
+			MethodName: "Down",
+			Handler:    _DaemonService_Down_Handler,
+		},
+		{
+			MethodName: "GetConfig",
+			Handler:    _DaemonService_GetConfig_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "daemon.proto",
+}

client/proto/generate.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
+go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1
+protoc -I proto/ proto/daemon.proto --go_out=. --go-grpc_out=.

client/resources.rc

@@ -5,5 +5,5 @@
 #define STRINGIZE(x) #x
 #define EXPAND(x) STRINGIZE(x)
 CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST manifest.xml
-wintun.dll RCDATA wintun.dll
-
+7 ICON ui/netbird.ico
+wireguard.dll RCDATA wireguard.dll

client/server/server.go

@@ -0,0 +1,420 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	gstatus "google.golang.org/grpc/status"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// Server for service control.
+type Server struct {
+	rootCtx   context.Context
+	actCancel context.CancelFunc
+
+	managementURL string
+	adminURL      string
+	configPath    string
+	logFile       string
+
+	oauthAuthFlow oauthAuthFlow
+
+	mutex  sync.Mutex
+	config *internal.Config
+	proto.UnimplementedDaemonServiceServer
+}
+
+type oauthAuthFlow struct {
+	expiresAt  time.Time
+	client     internal.OAuthClient
+	info       internal.DeviceAuthInfo
+	waitCancel context.CancelFunc
+}
+
+// New server instance constructor.
+func New(ctx context.Context, managementURL, adminURL, configPath, logFile string) *Server {
+	return &Server{
+		rootCtx:       ctx,
+		managementURL: managementURL,
+		adminURL:      adminURL,
+		configPath:    configPath,
+		logFile:       logFile,
+	}
+}
+
+func (s *Server) Start() error {
+	state := internal.CtxGetState(s.rootCtx)
+
+	// if current state contains any error, return it
+	// in all other cases we can continue execution only if status is idle and up command was
+	// not in the progress or already successfully established connection.
+	status, err := state.Status()
+	if err != nil {
+		return err
+	}
+
+	if status != internal.StatusIdle {
+		return nil
+	}
+
+	ctx, cancel := context.WithCancel(s.rootCtx)
+	s.actCancel = cancel
+
+	// if configuration exists, we just start connections. if is new config we skip and set status NeedsLogin
+	// on failure we return error to retry
+	config, err := internal.ReadConfig(s.managementURL, s.adminURL, s.configPath, nil)
+	if errorStatus, ok := gstatus.FromError(err); ok && errorStatus.Code() == codes.NotFound {
+		config, err = internal.GetConfig(s.managementURL, s.adminURL, s.configPath, "")
+		if err != nil {
+			log.Warnf("unable to create configuration file: %v", err)
+			return err
+		}
+		state.Set(internal.StatusNeedsLogin)
+		return nil
+	} else if err != nil {
+		log.Warnf("unable to create configuration file: %v", err)
+		return err
+	}
+
+	// if configuration exists, we just start connections.
+
+	s.config = config
+
+	go func() {
+		if err := internal.RunClient(ctx, config); err != nil {
+			log.Errorf("init connections: %v", err)
+		}
+	}()
+
+	return nil
+}
+
+// loginAttempt attempts to login using the provided information. it returns a status in case something fails
+func (s *Server) loginAttempt(ctx context.Context, setupKey, jwtToken string) (internal.StatusType, error) {
+	var status internal.StatusType
+	err := internal.Login(ctx, s.config, setupKey, jwtToken)
+	if err != nil {
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			log.Warnf("failed login: %v", err)
+			status = internal.StatusNeedsLogin
+		} else {
+			log.Errorf("failed login: %v", err)
+			status = internal.StatusLoginFailed
+		}
+		return status, err
+	}
+	return "", nil
+}
+
+// Login uses setup key to prepare configuration for the daemon.
+func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*proto.LoginResponse, error) {
+	s.mutex.Lock()
+	if s.actCancel != nil {
+		s.actCancel()
+	}
+	ctx, cancel := context.WithCancel(s.rootCtx)
+
+	md, ok := metadata.FromIncomingContext(callerCtx)
+	if ok {
+		ctx = metadata.NewOutgoingContext(ctx, md)
+	}
+
+	s.actCancel = cancel
+	s.mutex.Unlock()
+
+	state := internal.CtxGetState(ctx)
+	defer func() {
+		status, err := state.Status()
+		if err != nil || (status != internal.StatusNeedsLogin && status != internal.StatusLoginFailed) {
+			state.Set(internal.StatusIdle)
+		}
+	}()
+
+	s.mutex.Lock()
+	managementURL := s.managementURL
+	if msg.ManagementUrl != "" {
+		managementURL = msg.ManagementUrl
+		s.managementURL = msg.ManagementUrl
+	}
+
+	adminURL := s.adminURL
+	if msg.AdminURL != "" {
+		adminURL = msg.AdminURL
+		s.adminURL = msg.AdminURL
+	}
+	s.mutex.Unlock()
+
+	config, err := internal.GetConfig(managementURL, adminURL, s.configPath, msg.PreSharedKey)
+	if err != nil {
+		return nil, err
+	}
+
+	s.mutex.Lock()
+	s.config = config
+	s.mutex.Unlock()
+
+	if _, err := s.loginAttempt(ctx, "", ""); err == nil {
+		state.Set(internal.StatusIdle)
+		return &proto.LoginResponse{}, nil
+	}
+
+	state.Set(internal.StatusConnecting)
+
+	if msg.SetupKey == "" {
+		providerConfig, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config)
+		if err != nil {
+			state.Set(internal.StatusLoginFailed)
+			s, ok := gstatus.FromError(err)
+			if ok && s.Code() == codes.NotFound {
+				return nil, gstatus.Errorf(codes.NotFound, "no SSO provider returned from management. "+
+					"If you are using hosting Netbird see documentation at "+
+					"https://github.com/netbirdio/netbird/tree/main/management for details")
+			} else if ok && s.Code() == codes.Unimplemented {
+				return nil, gstatus.Errorf(codes.Unimplemented, "the management server, %s, does not support SSO providers, "+
+					"please update your server or use Setup Keys to login", config.ManagementURL)
+			} else {
+				log.Errorf("getting device authorization flow info failed with error: %v", err)
+				return nil, err
+			}
+		}
+
+		hostedClient := internal.NewHostedDeviceFlow(
+			providerConfig.ProviderConfig.Audience,
+			providerConfig.ProviderConfig.ClientID,
+			providerConfig.ProviderConfig.Domain,
+		)
+
+		if s.oauthAuthFlow.client != nil && s.oauthAuthFlow.client.GetClientID(ctx) == hostedClient.GetClientID(context.TODO()) {
+			if s.oauthAuthFlow.expiresAt.After(time.Now().Add(90 * time.Second)) {
+				log.Debugf("using previous device flow info")
+				return &proto.LoginResponse{
+					NeedsSSOLogin:           true,
+					VerificationURI:         s.oauthAuthFlow.info.VerificationURI,
+					VerificationURIComplete: s.oauthAuthFlow.info.VerificationURIComplete,
+					UserCode:                s.oauthAuthFlow.info.UserCode,
+				}, nil
+			} else {
+				log.Warnf("canceling previous waiting execution")
+				s.oauthAuthFlow.waitCancel()
+			}
+		}
+
+		deviceAuthInfo, err := hostedClient.RequestDeviceCode(context.TODO())
+		if err != nil {
+			log.Errorf("getting a request device code failed: %v", err)
+			return nil, err
+		}
+
+		s.mutex.Lock()
+		s.oauthAuthFlow.client = hostedClient
+		s.oauthAuthFlow.info = deviceAuthInfo
+		s.oauthAuthFlow.expiresAt = time.Now().Add(time.Duration(deviceAuthInfo.ExpiresIn) * time.Second)
+		s.mutex.Unlock()
+
+		state.Set(internal.StatusNeedsLogin)
+
+		return &proto.LoginResponse{
+			NeedsSSOLogin:           true,
+			VerificationURI:         deviceAuthInfo.VerificationURI,
+			VerificationURIComplete: deviceAuthInfo.VerificationURIComplete,
+			UserCode:                deviceAuthInfo.UserCode,
+		}, nil
+	}
+
+	if loginStatus, err := s.loginAttempt(ctx, msg.SetupKey, ""); err != nil {
+		state.Set(loginStatus)
+		return nil, err
+	}
+
+	return &proto.LoginResponse{}, nil
+}
+
+// WaitSSOLogin uses the userCode to validate the TokenInfo and
+// waits for the user to continue with the login on a browser
+func (s *Server) WaitSSOLogin(callerCtx context.Context, msg *proto.WaitSSOLoginRequest) (*proto.WaitSSOLoginResponse, error) {
+	s.mutex.Lock()
+	if s.actCancel != nil {
+		s.actCancel()
+	}
+	ctx, cancel := context.WithCancel(s.rootCtx)
+
+	md, ok := metadata.FromIncomingContext(callerCtx)
+	if ok {
+		ctx = metadata.NewOutgoingContext(ctx, md)
+	}
+
+	s.actCancel = cancel
+	s.mutex.Unlock()
+
+	if s.oauthAuthFlow.client == nil {
+		return nil, gstatus.Errorf(codes.Internal, "oauth client is not initialized")
+	}
+
+	state := internal.CtxGetState(ctx)
+	defer func() {
+		s, err := state.Status()
+		if err != nil || (s != internal.StatusNeedsLogin && s != internal.StatusLoginFailed) {
+			state.Set(internal.StatusIdle)
+		}
+	}()
+
+	state.Set(internal.StatusConnecting)
+
+	s.mutex.Lock()
+	deviceAuthInfo := s.oauthAuthFlow.info
+	s.mutex.Unlock()
+
+	if deviceAuthInfo.UserCode != msg.UserCode {
+		state.Set(internal.StatusLoginFailed)
+		return nil, gstatus.Errorf(codes.InvalidArgument, "sso user code is invalid")
+	}
+
+	if s.oauthAuthFlow.waitCancel != nil {
+		s.oauthAuthFlow.waitCancel()
+	}
+
+	waitTimeout := time.Until(s.oauthAuthFlow.expiresAt)
+	waitCTX, cancel := context.WithTimeout(ctx, waitTimeout)
+	defer cancel()
+
+	s.mutex.Lock()
+	s.oauthAuthFlow.waitCancel = cancel
+	s.mutex.Unlock()
+
+	tokenInfo, err := s.oauthAuthFlow.client.WaitToken(waitCTX, deviceAuthInfo)
+	if err != nil {
+		if err == context.Canceled {
+			return nil, nil
+		}
+		s.mutex.Lock()
+		s.oauthAuthFlow.expiresAt = time.Now()
+		s.mutex.Unlock()
+		state.Set(internal.StatusLoginFailed)
+		log.Errorf("waiting for browser login failed: %v", err)
+		return nil, err
+	}
+
+	if loginStatus, err := s.loginAttempt(ctx, "", tokenInfo.AccessToken); err != nil {
+		state.Set(loginStatus)
+		return nil, err
+	}
+
+	return &proto.WaitSSOLoginResponse{}, nil
+}
+
+// Up starts engine work in the daemon.
+func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	state := internal.CtxGetState(s.rootCtx)
+
+	// if current state contains any error, return it
+	// in all other cases we can continue execution only if status is idle and up command was
+	// not in the progress or already successfully established connection.
+	status, err := state.Status()
+	if err != nil {
+		return nil, err
+	}
+	if status != internal.StatusIdle {
+		return nil, fmt.Errorf("up already in progress: current status %s", status)
+	}
+
+	// it should be nil here, but .
+	if s.actCancel != nil {
+		s.actCancel()
+	}
+	ctx, cancel := context.WithCancel(s.rootCtx)
+
+	md, ok := metadata.FromIncomingContext(callerCtx)
+	if ok {
+		ctx = metadata.NewOutgoingContext(ctx, md)
+	}
+
+	s.actCancel = cancel
+
+	if s.config == nil {
+		return nil, fmt.Errorf("config is not defined, please call login command first")
+	}
+
+	go func() {
+		if err := internal.RunClient(ctx, s.config); err != nil {
+			log.Errorf("run client connection: %v", state.Wrap(err))
+			return
+		}
+	}()
+
+	return &proto.UpResponse{}, nil
+}
+
+// Down engine work in the daemon.
+func (s *Server) Down(ctx context.Context, msg *proto.DownRequest) (*proto.DownResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	if s.actCancel == nil {
+		return nil, fmt.Errorf("service is not up")
+	}
+	s.actCancel()
+
+	return &proto.DownResponse{}, nil
+}
+
+// Status starts engine work in the daemon.
+func (s *Server) Status(
+	ctx context.Context,
+	msg *proto.StatusRequest,
+) (*proto.StatusResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	status, err := internal.CtxGetState(s.rootCtx).Status()
+	if err != nil {
+		return nil, err
+	}
+
+	return &proto.StatusResponse{Status: string(status)}, nil
+}
+
+// GetConfig of the daemon.
+func (s *Server) GetConfig(ctx context.Context, msg *proto.GetConfigRequest) (*proto.GetConfigResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	managementURL := s.managementURL
+	adminURL := s.adminURL
+	preSharedKey := ""
+
+	if s.config != nil {
+		if managementURL == "" && s.config.ManagementURL != nil {
+			managementURL = s.config.ManagementURL.String()
+		}
+
+		if s.config.AdminURL != nil {
+			adminURL = s.config.AdminURL.String()
+		}
+
+		preSharedKey = s.config.PreSharedKey
+		if preSharedKey != "" {
+			preSharedKey = "**********"
+		}
+
+	}
+
+	return &proto.GetConfigResponse{
+		ManagementUrl: managementURL,
+		AdminURL:      adminURL,
+		ConfigFile:    s.configPath,
+		LogFile:       s.logFile,
+		PreSharedKey:  preSharedKey,
+	}, nil
+}

client/ssh/server.go

@@ -0,0 +1,84 @@
+package ssh
+
+import (
+	"fmt"
+	"github.com/gliderlabs/ssh"
+	gossh "golang.org/x/crypto/ssh"
+	"io"
+	"net"
+	"strings"
+	"sync"
+)
+
+type Server struct {
+	listener    net.Listener
+	allowedKeys map[string]ssh.PublicKey
+	mu          sync.Mutex
+	hostKeyPEM  []byte
+}
+
+// NewSSHServer creates new server with provided host key
+func NewSSHServer(hostKeyPEM []byte) (*Server, error) {
+	ln, err := net.Listen("tcp", ":2222")
+	if err != nil {
+		return nil, err
+	}
+	return &Server{listener: ln, mu: sync.Mutex{}, hostKeyPEM: hostKeyPEM}, nil
+}
+
+func (srv *Server) UpdateKeys(newKeys []string) error {
+	srv.mu.Lock()
+	defer srv.mu.Unlock()
+
+	srv.allowedKeys = make(map[string]ssh.PublicKey, len(newKeys))
+	for _, strKey := range newKeys {
+		parsedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(strKey))
+		if err != nil {
+			return err
+		}
+		srv.allowedKeys[strKey] = parsedKey
+	}
+
+	return nil
+}
+
+// Stop stops SSH server. Blocking
+func (srv *Server) Stop() error {
+	err := srv.listener.Close()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// Start starts SSH server. Blocking
+func (srv *Server) Start() error {
+	handler := func(s ssh.Session) {
+		authorizedKey := gossh.MarshalAuthorizedKey(s.PublicKey())
+		io.WriteString(s, fmt.Sprintf("public key used by %s:\n", s.User()))
+		s.Write(authorizedKey)
+	}
+
+	publicKeyOption := ssh.PublicKeyAuth(func(ctx ssh.Context, key ssh.PublicKey) bool {
+		srv.mu.Lock()
+		defer srv.mu.Unlock()
+
+		k := strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key)))
+		if allowed, ok := srv.allowedKeys[k]; ok {
+			if ssh.KeysEqual(allowed, key) {
+				return true
+			}
+		}
+
+		return false
+	})
+
+	hostKeyPEM := ssh.HostKeyPEM(srv.hostKeyPEM)
+
+	err := ssh.Serve(srv.listener, handler, publicKeyOption, hostKeyPEM)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

client/ssh/ssh.go

@@ -0,0 +1,52 @@
+package ssh
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	gossh "golang.org/x/crypto/ssh"
+)
+
+// GeneratePrivateKey creates RSA Private Key of specified byte size
+func GeneratePrivateKey(bitSize int) (*rsa.PrivateKey, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, bitSize)
+	if err != nil {
+		return nil, err
+	}
+
+	err = privateKey.Validate()
+	if err != nil {
+		return nil, err
+	}
+
+	return privateKey, nil
+}
+
+// GeneratePublicKey takes a rsa.PublicKey and return bytes suitable for writing to .pub file
+// returns the key in format format "ssh-rsa ..."
+func GeneratePublicKey(privateKey *rsa.PublicKey) ([]byte, error) {
+	publicRsaKey, err := gossh.NewPublicKey(privateKey)
+	if err != nil {
+		return nil, err
+	}
+	return gossh.MarshalAuthorizedKey(publicRsaKey), nil
+}
+
+// EncodePrivateKeyToPEM encodes Private Key from RSA to PEM format
+func EncodePrivateKeyToPEM(privateKey *rsa.PrivateKey) []byte {
+	// Get ASN.1 DER format
+	privDER := x509.MarshalPKCS1PrivateKey(privateKey)
+
+	// pem.Block
+	privBlock := pem.Block{
+		Type:    "RSA PRIVATE KEY",
+		Headers: nil,
+		Bytes:   privDER,
+	}
+
+	// Private key in PEM format
+	privatePEM := pem.EncodeToMemory(&privBlock)
+
+	return privatePEM
+}

client/system/info.go

@@ -1,14 +1,52 @@
 package system
 
+import (
+	"context"
+	"google.golang.org/grpc/metadata"
+	"strings"
+)
+
+// this is the wiretrustee version
+// will be replaced with the release version when using goreleaser
+var version = "development"
+
 //Info is an object that contains machine information
 // Most of the code is taken from https://github.com/matishsiao/goInfo
 type Info struct {
-	GoOS      string
-	Kernel    string
-	Core      string
-	Platform  string
-	OS        string
-	OSVersion string
-	Hostname  string
-	CPUs      int
+	GoOS               string
+	Kernel             string
+	Core               string
+	Platform           string
+	OS                 string
+	OSVersion          string
+	Hostname           string
+	CPUs               int
+	WiretrusteeVersion string
+	UIVersion          string
+}
+
+// NetbirdVersion returns the Netbird version
+func NetbirdVersion() string {
+	return version
+}
+
+// extractUserAgent extracts Netbird's agent (client) name and version from the outgoing context
+func extractUserAgent(ctx context.Context) string {
+	md, hasMeta := metadata.FromOutgoingContext(ctx)
+	if hasMeta {
+		agent, ok := md["user-agent"]
+		if ok {
+			nbAgent := strings.Split(agent[0], " ")[0]
+			if strings.HasPrefix(nbAgent, "netbird") {
+				return nbAgent
+			}
+			return ""
+		}
+	}
+	return ""
+}
+
+// GetDesktopUIUserAgent returns the Desktop ui user agent
+func GetDesktopUIUserAgent() string {
+	return "netbird-desktop-ui/" + NetbirdVersion()
 }

client/system/info_darwin.go

@@ -2,6 +2,7 @@ package system
 
 import (
 	"bytes"
+	"context"
 	"fmt"
 	"os"
 	"os/exec"
@@ -10,7 +11,8 @@ import (
 	"time"
 )
 
-func GetInfo() *Info {
+// GetInfo retrieves and parses the system information
+func GetInfo(ctx context.Context) *Info {
 	out := _getInfo()
 	for strings.Contains(out, "broken pipe") {
 		out = _getInfo()
@@ -21,6 +23,9 @@ func GetInfo() *Info {
 	osInfo := strings.Split(osStr, " ")
 	gio := &Info{Kernel: osInfo[0], OSVersion: osInfo[1], Core: osInfo[1], Platform: osInfo[2], OS: osInfo[0], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
+	gio.WiretrusteeVersion = NetbirdVersion()
+	gio.UIVersion = extractUserAgent(ctx)
+
 	return gio
 }
 

client/system/info_freebsd.go

@@ -2,6 +2,7 @@ package system
 
 import (
 	"bytes"
+	"context"
 	"fmt"
 	"os"
 	"os/exec"
@@ -10,7 +11,8 @@ import (
 	"time"
 )
 
-func GetInfo() *Info {
+// GetInfo retrieves and parses the system information
+func GetInfo(ctx context.Context) *Info {
 	out := _getInfo()
 	for strings.Contains(out, "broken pipe") {
 		out = _getInfo()
@@ -21,6 +23,9 @@ func GetInfo() *Info {
 	osInfo := strings.Split(osStr, " ")
 	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: runtime.GOARCH, OS: osInfo[2], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
+	gio.WiretrusteeVersion = NetbirdVersion()
+	gio.UIVersion = extractUserAgent(ctx)
+
 	return gio
 }
 

client/system/info_linux.go

@@ -2,6 +2,7 @@ package system
 
 import (
 	"bytes"
+	"context"
 	"fmt"
 	"os"
 	"os/exec"
@@ -10,7 +11,8 @@ import (
 	"time"
 )
 
-func GetInfo() *Info {
+// GetInfo retrieves and parses the system information
+func GetInfo(ctx context.Context) *Info {
 	info := _getInfo()
 	for strings.Contains(info, "broken pipe") {
 		info = _getInfo()
@@ -44,6 +46,9 @@ func GetInfo() *Info {
 	}
 	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: osInfo[2], OS: osName, OSVersion: osVer, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
+	gio.WiretrusteeVersion = NetbirdVersion()
+	gio.UIVersion = extractUserAgent(ctx)
+
 	return gio
 }
 

client/system/info_test.go

@@ -0,0 +1,26 @@
+package system
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/grpc/metadata"
+)
+
+func Test_LocalWTVersion(t *testing.T) {
+	got := GetInfo(context.TODO())
+	want := "development"
+	assert.Equal(t, want, got.WiretrusteeVersion)
+}
+
+func Test_UIVersion(t *testing.T) {
+	ctx := context.Background()
+	want := "netbird-desktop-ui/development"
+	ctx = metadata.NewOutgoingContext(ctx, map[string][]string{
+		"user-agent": {want},
+	})
+
+	got := GetInfo(ctx)
+	assert.Equal(t, want, got.UIVersion)
+}

client/system/info_windows.go

@@ -2,13 +2,15 @@ package system
 
 import (
 	"bytes"
+	"context"
 	"os"
 	"os/exec"
 	"runtime"
 	"strings"
 )
 
-func GetInfo() *Info {
+// GetInfo retrieves and parses the system information
+func GetInfo(ctx context.Context) *Info {
 	cmd := exec.Command("cmd", "ver")
 	cmd.Stdin = strings.NewReader("some")
 	var out bytes.Buffer
@@ -31,5 +33,8 @@ func GetInfo() *Info {
 	}
 	gio := &Info{Kernel: "windows", OSVersion: ver, Core: ver, Platform: "unknown", OS: "windows", GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
+	gio.WiretrusteeVersion = NetbirdVersion()
+	gio.UIVersion = extractUserAgent(ctx)
+
 	return gio
 }

client/testdata/management.json

@@ -1,37 +1,37 @@
 {
-    "Stuns": [
-        {
-            "Proto": "udp",
-            "URI": "stun:stun.wiretrustee.com:3468",
-            "Username": "",
-            "Password": null
-        }
-    ],
-    "TURNConfig": {
-        "Turns": [
-            {
-                "Proto": "udp",
-                "URI": "turn:stun.wiretrustee.com:3468",
-                "Username": "some_user",
-                "Password": "c29tZV9wYXNzd29yZA=="
-            }
-        ],
-        "CredentialsTTL": "1h",
-        "Secret": "c29tZV9wYXNzd29yZA==",
-        "TimeBasedCredentials": true
-    },
-    "Signal": {
-        "Proto": "http",
-        "URI": "signal.wiretrustee.com:10000",
-        "Username": "",
-        "Password": null
-    },
-    "DataDir": "",
-    "HttpConfig": {
-        "LetsEncryptDomain": "<PASTE YOUR LET'S ENCRYPT DOMAIN HERE>",
-        "Address": "0.0.0.0:33071",
-        "AuthIssuer": "<PASTE YOUR AUTH0 ISSUER HERE>,",
-        "AuthAudience": "<PASTE YOUR AUTH0 AUDIENCE HERE>",
-        "AuthKeysLocation": "<PASTE YOUR AUTH0 PUBLIC JWT KEYS LOCATION HERE>"
+  "Stuns": [
+    {
+      "Proto": "udp",
+      "URI": "stun:stun.wiretrustee.com:3468",
+      "Username": "",
+      "Password": null
     }
+  ],
+  "TURNConfig": {
+    "Turns": [
+      {
+        "Proto": "udp",
+        "URI": "turn:stun.wiretrustee.com:3468",
+        "Username": "some_user",
+        "Password": "c29tZV9wYXNzd29yZA=="
+      }
+    ],
+    "CredentialsTTL": "1h",
+    "Secret": "c29tZV9wYXNzd29yZA==",
+    "TimeBasedCredentials": true
+  },
+  "Signal": {
+    "Proto": "http",
+    "URI": "signal.wiretrustee.com:10000",
+    "Username": "",
+    "Password": null
+  },
+  "DataDir": "",
+  "HttpConfig": {
+    "LetsEncryptDomain": "<PASTE YOUR LET'S ENCRYPT DOMAIN HERE>",
+    "Address": "0.0.0.0:33071",
+    "AuthIssuer": "<PASTE YOUR AUTH0 ISSUER HERE>,",
+    "AuthAudience": "<PASTE YOUR AUTH0 AUDIENCE HERE>",
+    "AuthKeysLocation": "<PASTE YOUR AUTH0 PUBLIC JWT KEYS LOCATION HERE>"
+  }
 }

client/testdata/store.json

@@ -11,17 +11,28 @@
                     "ExpiresAt": "2321-09-18T20:46:20.005936822+02:00",
                     "Revoked": false,
                     "UsedTimes": 0
+
                 }
             },
             "Network": {
                 "Id": "af1c8024-ha40-4ce2-9418-34653101fc3c",
                 "Net": {
                     "IP": "100.64.0.0",
-                    "Mask": "/8AAAA=="
+                    "Mask": "//8AAA=="
                 },
                 "Dns": null
             },
-            "Peers": {}
+            "Peers": {},
+            "Users": {
+                "edafee4e-63fb-11ec-90d6-0242ac120003": {
+                    "Id": "edafee4e-63fb-11ec-90d6-0242ac120003",
+                    "Role": "admin"
+                },
+                "f4f6d672-63fb-11ec-90d6-0242ac120003": {
+                    "Id": "f4f6d672-63fb-11ec-90d6-0242ac120003",
+                    "Role": "user"
+                }
+            }
         }
     }
 }

client/ui/Info.plist

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>CFBundleExecutable</key>
+  <string>netbird-ui</string>
+  <key>CFBundleIconFile</key>
+  <string>Netbird</string>
+  <key>LSUIElement</key>
+  <string>1</string>
+</dict>
+</plist>

client/ui/client_ui.go

@@ -0,0 +1,511 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"github.com/netbirdio/netbird/client/system"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"runtime"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+
+	_ "embed"
+
+	"github.com/getlantern/systray"
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+	log "github.com/sirupsen/logrus"
+	"github.com/skratchdot/open-golang/open"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"fyne.io/fyne/v2"
+	"fyne.io/fyne/v2/app"
+	"fyne.io/fyne/v2/dialog"
+	"fyne.io/fyne/v2/widget"
+)
+
+const (
+	defaultFailTimeout = 3 * time.Second
+	failFastTimeout    = time.Second
+)
+
+func main() {
+	var daemonAddr string
+
+	defaultDaemonAddr := "unix:///var/run/netbird.sock"
+	if runtime.GOOS == "windows" {
+		defaultDaemonAddr = "tcp://127.0.0.1:41731"
+	}
+
+	flag.StringVar(
+		&daemonAddr, "daemon-addr",
+		defaultDaemonAddr,
+		"Daemon service address to serve CLI requests [unix|tcp]://[path|host:port]")
+
+	var showSettings bool
+	flag.BoolVar(&showSettings, "settings", false, "run settings windows")
+
+	flag.Parse()
+
+	a := app.New()
+	client := newServiceClient(daemonAddr, a, showSettings)
+	if showSettings {
+		a.Run()
+	} else {
+		if err := checkPIDFile(); err != nil {
+			fmt.Println(err)
+			return
+		}
+		systray.Run(client.onTrayReady, client.onTrayExit)
+	}
+}
+
+//go:embed connected.ico
+var iconConnectedICO []byte
+
+//go:embed connected.png
+var iconConnectedPNG []byte
+
+//go:embed disconnected.ico
+var iconDisconnectedICO []byte
+
+//go:embed disconnected.png
+var iconDisconnectedPNG []byte
+
+type serviceClient struct {
+	ctx  context.Context
+	addr string
+	conn proto.DaemonServiceClient
+
+	icConnected    []byte
+	icDisconnected []byte
+
+	// systray menu items
+	mStatus     *systray.MenuItem
+	mUp         *systray.MenuItem
+	mDown       *systray.MenuItem
+	mAdminPanel *systray.MenuItem
+	mSettings   *systray.MenuItem
+	mQuit       *systray.MenuItem
+
+	// application with main windows.
+	app          fyne.App
+	wSettings    fyne.Window
+	showSettings bool
+
+	// input elements for settings form
+	iMngURL       *widget.Entry
+	iAdminURL     *widget.Entry
+	iConfigFile   *widget.Entry
+	iLogFile      *widget.Entry
+	iPreSharedKey *widget.Entry
+
+	// observable settings over correspondign iMngURL and iPreSharedKey values.
+	managementURL string
+	preSharedKey  string
+	adminURL      string
+}
+
+// newServiceClient instance constructor
+//
+// This constructor olso build UI elements for settings window.
+func newServiceClient(addr string, a fyne.App, showSettings bool) *serviceClient {
+	s := &serviceClient{
+		ctx:  context.Background(),
+		addr: addr,
+		app:  a,
+
+		showSettings: showSettings,
+	}
+
+	if runtime.GOOS == "windows" {
+		s.icConnected = iconConnectedICO
+		s.icDisconnected = iconDisconnectedICO
+	} else {
+		s.icConnected = iconConnectedPNG
+		s.icDisconnected = iconDisconnectedPNG
+	}
+
+	if showSettings {
+		s.showUIElements()
+		return s
+	}
+
+	return s
+}
+
+func (s *serviceClient) showUIElements() {
+	// add settings window UI elements.
+	s.wSettings = s.app.NewWindow("Settings")
+	s.iMngURL = widget.NewEntry()
+	s.iAdminURL = widget.NewEntry()
+	s.iConfigFile = widget.NewEntry()
+	s.iConfigFile.Disable()
+	s.iLogFile = widget.NewEntry()
+	s.iLogFile.Disable()
+	s.iPreSharedKey = widget.NewPasswordEntry()
+	s.wSettings.SetContent(s.getSettingsForm())
+	s.wSettings.Resize(fyne.NewSize(600, 100))
+
+	s.getSrvConfig()
+
+	s.wSettings.Show()
+}
+
+// getSettingsForm to embed it into settings window.
+func (s *serviceClient) getSettingsForm() *widget.Form {
+	return &widget.Form{
+		Items: []*widget.FormItem{
+			{Text: "Management URL", Widget: s.iMngURL},
+			{Text: "Admin URL", Widget: s.iAdminURL},
+			{Text: "Pre-shared Key", Widget: s.iPreSharedKey},
+			{Text: "Config File", Widget: s.iConfigFile},
+			{Text: "Log File", Widget: s.iLogFile},
+		},
+		SubmitText: "Save",
+		OnSubmit: func() {
+			if s.iPreSharedKey.Text != "" && s.iPreSharedKey.Text != "**********" {
+				// validate preSharedKey if it added
+				if _, err := wgtypes.ParseKey(s.iPreSharedKey.Text); err != nil {
+					dialog.ShowError(fmt.Errorf("Invalid Pre-shared Key Value"), s.wSettings)
+					return
+				}
+			}
+
+			defer s.wSettings.Close()
+			// if management URL or Pre-shared key changed, we try to re-login with new settings.
+			if s.managementURL != s.iMngURL.Text || s.preSharedKey != s.iPreSharedKey.Text ||
+				s.adminURL != s.iAdminURL.Text {
+
+				s.managementURL = s.iMngURL.Text
+				s.preSharedKey = s.iPreSharedKey.Text
+				s.adminURL = s.iAdminURL.Text
+
+				client, err := s.getSrvClient(failFastTimeout)
+				if err != nil {
+					log.Errorf("get daemon client: %v", err)
+					return
+				}
+
+				_, err = client.Login(s.ctx, &proto.LoginRequest{
+					ManagementUrl: s.iMngURL.Text,
+					AdminURL:      s.iAdminURL.Text,
+					PreSharedKey:  s.iPreSharedKey.Text,
+				})
+				if err != nil {
+					log.Errorf("login to management URL: %v", err)
+					return
+				}
+
+				_, err = client.Up(s.ctx, &proto.UpRequest{})
+				if err != nil {
+					log.Errorf("login to management URL: %v", err)
+					return
+				}
+
+			}
+			s.wSettings.Close()
+		},
+		OnCancel: func() {
+			s.wSettings.Close()
+		},
+	}
+}
+
+func (s *serviceClient) login() error {
+	conn, err := s.getSrvClient(defaultFailTimeout)
+	if err != nil {
+		log.Errorf("get client: %v", err)
+		return err
+	}
+
+	loginResp, err := conn.Login(s.ctx, &proto.LoginRequest{})
+	if err != nil {
+		log.Errorf("login to management URL with: %v", err)
+		return err
+	}
+
+	if loginResp.NeedsSSOLogin {
+		err = open.Run(loginResp.VerificationURIComplete)
+		if err != nil {
+			log.Errorf("opening the verification uri in the browser failed: %v", err)
+			return err
+		}
+
+		_, err = conn.WaitSSOLogin(s.ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
+		if err != nil {
+			log.Errorf("waiting sso login failed with: %v", err)
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *serviceClient) menuUpClick() error {
+	conn, err := s.getSrvClient(defaultFailTimeout)
+	if err != nil {
+		log.Errorf("get client: %v", err)
+		return err
+	}
+
+	err = s.login()
+	if err != nil {
+		log.Errorf("login failed with: %v", err)
+		return err
+	}
+
+	status, err := conn.Status(s.ctx, &proto.StatusRequest{})
+	if err != nil {
+		log.Errorf("get service status: %v", err)
+		return err
+	}
+
+	if status.Status == string(internal.StatusConnected) {
+		log.Warnf("already connected")
+		return err
+	}
+
+	if _, err := s.conn.Up(s.ctx, &proto.UpRequest{}); err != nil {
+		log.Errorf("up service: %v", err)
+		return err
+	}
+	return nil
+}
+
+func (s *serviceClient) menuDownClick() error {
+	conn, err := s.getSrvClient(defaultFailTimeout)
+	if err != nil {
+		log.Errorf("get client: %v", err)
+		return err
+	}
+
+	status, err := conn.Status(s.ctx, &proto.StatusRequest{})
+	if err != nil {
+		log.Errorf("get service status: %v", err)
+		return err
+	}
+
+	if status.Status != string(internal.StatusConnected) {
+		log.Warnf("already down")
+		return nil
+	}
+
+	if _, err := s.conn.Down(s.ctx, &proto.DownRequest{}); err != nil {
+		log.Errorf("down service: %v", err)
+		return err
+	}
+
+	return nil
+}
+
+func (s *serviceClient) updateStatus() error {
+	conn, err := s.getSrvClient(defaultFailTimeout)
+	if err != nil {
+		return err
+	}
+	err = backoff.Retry(func() error {
+		status, err := conn.Status(s.ctx, &proto.StatusRequest{})
+		if err != nil {
+			log.Errorf("get service status: %v", err)
+			return err
+		}
+
+		if status.Status == string(internal.StatusConnected) {
+			systray.SetIcon(s.icConnected)
+			s.mStatus.SetTitle("Connected")
+			s.mUp.Disable()
+			s.mDown.Enable()
+		} else {
+			systray.SetIcon(s.icDisconnected)
+			s.mStatus.SetTitle("Disconnected")
+			s.mDown.Disable()
+			s.mUp.Enable()
+		}
+		return nil
+	}, &backoff.ExponentialBackOff{
+		InitialInterval:     time.Second,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         300 * time.Millisecond,
+		MaxElapsedTime:      2 * time.Second,
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	})
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (s *serviceClient) onTrayReady() {
+	systray.SetIcon(s.icDisconnected)
+
+	// setup systray menu items
+	s.mStatus = systray.AddMenuItem("Disconnected", "Disconnected")
+	s.mStatus.Disable()
+	systray.AddSeparator()
+	s.mUp = systray.AddMenuItem("Connect", "Connect")
+	s.mDown = systray.AddMenuItem("Disconnect", "Disconnect")
+	s.mDown.Disable()
+	s.mAdminPanel = systray.AddMenuItem("Admin Panel", "Wiretrustee Admin Panel")
+	systray.AddSeparator()
+	s.mSettings = systray.AddMenuItem("Settings", "Settings of the application")
+	systray.AddSeparator()
+	v := systray.AddMenuItem("v"+system.NetbirdVersion(), "Client Version: "+system.NetbirdVersion())
+	v.Disable()
+	systray.AddSeparator()
+	s.mQuit = systray.AddMenuItem("Quit", "Quit the client app")
+
+	go func() {
+		s.getSrvConfig()
+		for {
+			err := s.updateStatus()
+			if err != nil {
+				log.Errorf("error while updating status: %v", err)
+			}
+			time.Sleep(2 * time.Second)
+		}
+	}()
+
+	go func() {
+		var err error
+		for {
+			select {
+			case <-s.mAdminPanel.ClickedCh:
+				err = open.Run(s.adminURL)
+			case <-s.mUp.ClickedCh:
+				go func() {
+					err := s.menuUpClick()
+					if err != nil {
+						return
+					}
+				}()
+			case <-s.mDown.ClickedCh:
+				go func() {
+					err := s.menuDownClick()
+					if err != nil {
+						return
+					}
+				}()
+			case <-s.mSettings.ClickedCh:
+				s.mSettings.Disable()
+				go func() {
+					defer s.mSettings.Enable()
+					proc, err := os.Executable()
+					if err != nil {
+						log.Errorf("show settings: %v", err)
+						return
+					}
+
+					cmd := exec.Command(proc, "--settings=true")
+					out, err := cmd.CombinedOutput()
+					if exitErr, ok := err.(*exec.ExitError); ok && exitErr.ExitCode() == 1 {
+						log.Errorf("start settings UI: %v, %s", err, string(out))
+						return
+					}
+					if len(out) != 0 {
+						log.Info("settings change:", string(out))
+					}
+
+					// update config in systray when settings windows closed
+					s.getSrvConfig()
+				}()
+			case <-s.mQuit.ClickedCh:
+				systray.Quit()
+				return
+			}
+			if err != nil {
+				log.Errorf("process connection: %v", err)
+			}
+		}
+	}()
+}
+
+func (s *serviceClient) onTrayExit() {}
+
+// getSrvClient connection to the service.
+func (s *serviceClient) getSrvClient(timeout time.Duration) (proto.DaemonServiceClient, error) {
+	if s.conn != nil {
+		return s.conn, nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	conn, err := grpc.DialContext(
+		ctx,
+		strings.TrimPrefix(s.addr, "tcp://"),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithBlock(),
+		grpc.WithUserAgent(system.GetDesktopUIUserAgent()),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("dial service: %w", err)
+	}
+
+	s.conn = proto.NewDaemonServiceClient(conn)
+	return s.conn, nil
+}
+
+// getSrvConfig from the service to show it in the settings window.
+func (s *serviceClient) getSrvConfig() {
+	s.managementURL = "https://api.wiretrustee.com:33073"
+	s.adminURL = "https://app.netbird.io"
+
+	conn, err := s.getSrvClient(failFastTimeout)
+	if err != nil {
+		log.Errorf("get client: %v", err)
+		return
+	}
+
+	cfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{})
+	if err != nil {
+		log.Errorf("get config settings from server: %v", err)
+		return
+	}
+
+	if cfg.ManagementUrl != "" {
+		s.managementURL = cfg.ManagementUrl
+	}
+	if cfg.AdminURL != "" {
+		s.adminURL = cfg.AdminURL
+	}
+	s.preSharedKey = cfg.PreSharedKey
+
+	if s.showSettings {
+		s.iMngURL.SetText(s.managementURL)
+		s.iAdminURL.SetText(s.adminURL)
+		s.iConfigFile.SetText(cfg.ConfigFile)
+		s.iLogFile.SetText(cfg.LogFile)
+		s.iPreSharedKey.SetText(cfg.PreSharedKey)
+	}
+}
+
+// checkPIDFile exists and return error, or write new.
+func checkPIDFile() error {
+	pidFile := path.Join(os.TempDir(), "wiretrustee-ui.pid")
+	if piddata, err := ioutil.ReadFile(pidFile); err == nil {
+		if pid, err := strconv.Atoi(string(piddata)); err == nil {
+			if process, err := os.FindProcess(pid); err == nil {
+				if err := process.Signal(syscall.Signal(0)); err == nil {
+					return fmt.Errorf("process already exists: %d", pid)
+				}
+			}
+		}
+	}
+
+	return ioutil.WriteFile(pidFile, []byte(fmt.Sprintf("%d", os.Getpid())), 0o664)
+}

client/ui/config/config.go

@@ -0,0 +1,46 @@
+package config
+
+import (
+	"os"
+	"runtime"
+)
+
+// ClientConfig basic settings for the UI application.
+type ClientConfig struct {
+	configPath string
+	logFile    string
+	daemonAddr string
+}
+
+// Config object with default settings.
+//
+// We are creating this package to extract utility functions from the cmd package
+// reading and parsing the configurations for the client should be done here
+func Config() *ClientConfig {
+	defaultConfigPath := "/etc/wiretrustee/config.json"
+	defaultLogFile := "/var/log/wiretrustee/client.log"
+	if runtime.GOOS == "windows" {
+		defaultConfigPath = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "config.json"
+		defaultLogFile = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "client.log"
+	}
+
+	defaultDaemonAddr := "unix:///var/run/wiretrustee.sock"
+	if runtime.GOOS == "windows" {
+		defaultDaemonAddr = "tcp://127.0.0.1:41731"
+	}
+	return &ClientConfig{
+		configPath: defaultConfigPath,
+		logFile:    defaultLogFile,
+		daemonAddr: defaultDaemonAddr,
+	}
+}
+
+// DaemonAddr of the gRPC API.
+func (c *ClientConfig) DaemonAddr() string {
+	return c.daemonAddr
+}
+
+// LogFile path.
+func (c *ClientConfig) LogFile() string {
+	return c.logFile
+}

client/ui/manifest.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+    <assemblyIdentity
+            version="0.0.0.1"
+            processorArchitecture="*"
+            name="netbird-ui.exe"
+            type="win32"
+    />
+    <description>Netbird UI application</description>
+    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
+        <security>
+            <requestedPrivileges>
+                <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
+            </requestedPrivileges>
+        </security>
+    </trustInfo>
+</assembly>

client/ui/netbird-ui.rb.tmpl

@@ -0,0 +1,39 @@
+{{ $projectName := env.Getenv "PROJECT" }}{{ $amdFilePath := env.Getenv "AMD" }}{{ $armFilePath := env.Getenv "ARM" }}
+{{ $amdURL := env.Getenv "AMD_URL" }}{{ $armURL := env.Getenv "ARM_URL" }}
+{{ $amdFile := filepath.Base $amdFilePath }}{{ $armFile := filepath.Base $armFilePath }}{{ $amdFileBytes := file.Read $amdFilePath }}
+{{ $armFileBytes := file.Read $armFilePath }}# Netbird's UI Client Cask Formula
+cask "{{ $projectName }}" do
+  version "{{ env.Getenv "VERSION" }}"
+
+  if Hardware::CPU.intel?
+      url "{{ $amdURL }}"
+      sha256 "{{ crypto.SHA256 $amdFileBytes }}"
+      app "netbird_ui_darwin_amd64", target: "Netbird UI.app"
+  else
+      url "{{ $armURL }}"
+      sha256 "{{ crypto.SHA256 $armFileBytes }}"
+      app "netbird_ui_darwin_arm64", target: "Netbird UI.app"
+  end
+
+  depends_on formula: "netbird"
+
+  postflight do
+    set_permissions "/Applications/Netbird UI.app/installer.sh", '0755'
+    set_permissions "/Applications/Netbird UI.app/uninstaller.sh", '0755'
+  end
+
+  postflight do
+    system_command "#{appdir}/Netbird UI.app/installer.sh",
+                   args: ["#{version}"],
+                   sudo: true
+  end
+
+  uninstall_preflight do
+    system_command "#{appdir}/Netbird UI.app/uninstaller.sh",
+                   sudo: false
+  end
+
+  name "Netbird UI"
+  desc "Netbird UI Client"
+  homepage "https://www.netbird.io/"
+end

client/ui/netbird.desktop

@@ -0,0 +1,8 @@
+[Desktop Entry]
+Name=Netbird
+Exec=/usr/bin/netbird-ui
+Icon=netbird
+Type=Application
+Terminal=false
+Categories=Utility;
+Keywords=netbird;

client/wireguard_nt.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+ldir=$PWD
+tmp_dir_path=$ldir/.distfiles
+winnt=wireguard-nt.zip
+download_file_path=$tmp_dir_path/$winnt
+download_url=https://download.wireguard.com/wireguard-nt/wireguard-nt-0.10.1.zip
+download_sha=772c0b1463d8d2212716f43f06f4594d880dea4f735165bd68e388fc41b81605
+
+function resources_windows(){
+  cmd=$1
+  arch=$2
+  out=$3
+  docker run -i --rm -v $PWD:$PWD -w $PWD mstorsjo/llvm-mingw:latest $cmd -O coff -c 65001 -I $tmp_dir_path/wireguard-nt/bin/$arch -i resources.rc -o $out
+}
+
+mkdir -p $tmp_dir_path
+curl -L#o $download_file_path.unverified $download_url
+echo "$download_sha  $download_file_path.unverified" | sha256sum -c
+mv $download_file_path.unverified $download_file_path
+
+mkdir -p .deps
+unzip $download_file_path -d $tmp_dir_path
+
+resources_windows i686-w64-mingw32-windres x86 resources_windows_386.syso
+resources_windows aarch64-w64-mingw32-windres arm64 resources_windows_arm64.syso
+resources_windows x86_64-w64-mingw32-windres amd64 resources_windows_amd64.syso

docs/README.md

@@ -1,25 +1,25 @@
 ### Table of contents
 
-* [About Wiretrustee](#about-wiretrustee)
-* [Why Wireguard with Wiretrustee?](#why-wireguard-with-wiretrustee)
-* [Wiretrustee vs. Traditional VPN](#wiretrustee-vs-traditional-vpn)
+* [About Netbird](#about-netbird)
+* [Why Wireguard with Netbird?](#why-wireguard-with-netbird)
+* [Netbird vs. Traditional VPN](#netbird-vs-traditional-vpn)
 * [High-level technology overview](#high-level-technology-overview)
 * [Getting started](#getting-started)
 
-### About Wiretrustee
+### About Netbird
 
-Wiretrustee is an open-source VPN platform built on top of [WireGuard®](https://www.wireguard.com/) making it easy to create secure private networks for your organization or home.
+Netbird is an open-source VPN platform built on top of [WireGuard®](https://www.wireguard.com/) making it easy to create secure private networks for your organization or home.
 
 It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, vpn gateways, and so forth.
 
-There is no centralized VPN server with Wiretrustee - your computers, devices, machines, and servers connect to each other directly over a fast encrypted tunnel.
+There is no centralized VPN server with Netbird - your computers, devices, machines, and servers connect to each other directly over a fast encrypted tunnel.
 
-It literally takes less than 5 minutes to provision a secure peer-to-peer VPN with Wiretrustee. Check our [Quickstart Guide Video](https://www.youtube.com/watch?v=cWTsGUJAUaU) to see the setup in action.
+It literally takes less than 5 minutes to provision a secure peer-to-peer VPN with Netbird. Check our [Quickstart Guide Video](https://www.youtube.com/watch?v=cWTsGUJAUaU) to see the setup in action.
 
-### Why Wireguard with Wiretrustee?
+### Why Wireguard with Netbird?
 
 WireGuard is a modern and extremely fast VPN tunnel utilizing state-of-the-art [cryptography](https://www.wireguard.com/protocol/)
-and Wiretrustee uses Wireguard to establish a secure tunnel between machines.
+and Netbird uses Wireguard to establish a secure tunnel between machines.
 
 Built with simplicity in mind, Wireguard ensures that traffic between two machines is encrypted and flowing, however, it requires a few things to be done beforehand.
 
@@ -38,21 +38,21 @@ meaning that you may need to configure a port forwarding or open holes in your f
 
 The undertakings mentioned above might not be complicated if you have just a few machines, but the complexity grows as the number of machines increases.
 
-Wiretrustee simplifies the setup by automatically generating private and public keys, assigning unique private IP addresses, and takes care of sharing public keys between the machines.
+Netbird simplifies the setup by automatically generating private and public keys, assigning unique private IP addresses, and takes care of sharing public keys between the machines.
 It is worth mentioning that the private key never leaves the machine.
 So only the machine that owns the key can decrypt traffic addressed to it.
 The same applies also to the relayed traffic mentioned below.
 
-Furthermore, Wiretrustee ensures connectivity by leveraging advanced [NAT traversal techniques](https://en.wikipedia.org/wiki/NAT_traversal)
+Furthermore, Netbird ensures connectivity by leveraging advanced [NAT traversal techniques](https://en.wikipedia.org/wiki/NAT_traversal)
 and removing the necessity of port forwarding, opening holes in the firewall, and having a public static IP address.  
 In cases when a direct peer-to-peer connection isn't possible, all traffic is relayed securely between peers.
-Wiretrustee also monitors the connection health and restarts broken connections.
+Netbird also monitors the connection health and restarts broken connections.
 
 There are a few more things that we are working on to make secure private networks simple. A few examples are ACLs, MFA and activity monitoring.
 
-Check out the WireGuard [Quick Start](https://www.wireguard.com/quickstart/) guide to learn more about configuring "plain" WireGuard without Wiretrustee.
+Check out the WireGuard [Quick Start](https://www.wireguard.com/quickstart/) guide to learn more about configuring "plain" WireGuard without Netbird.
 
-### Wiretrustee vs. Traditional VPN
+### Netbird vs. Traditional VPN
 
 In the traditional VPN model, everything converges on a centralized, protected network where all the clients are connecting to a central VPN server.
 
@@ -67,38 +67,38 @@ Configuring firewalls, setting up NATs, SSO integration, and managing access con
 Traditional centralized VPNs are often compared to a [castle-and-moat](https://en.wikipedia.org/wiki/Moat) model
 in which once accessed, user is trusted and can access critical infrastructure and resources without any restrictions.
 
-Wiretrustee decentralizes networks using direct point-to-point connections, as opposed to traditional models.
+Netbird decentralizes networks using direct point-to-point connections, as opposed to traditional models.
 Consequently, network performance is increased since traffic flows directly between the machines bypassing VPN servers or gateways.
-To achieve this, Wiretrustee client applications employ signalling servers to find other machines and negotiate connections.
+To achieve this, Netbird client applications employ signalling servers to find other machines and negotiate connections.
 These are similar to the signaling servers used in [WebRTC](https://developer.mozilla.org/en-US/docs/Web/API/WebRTC_API/Signaling_and_video_calling#the_signaling_server)
 
 Thanks to [NAT traversal techniques](https://en.wikipedia.org/wiki/NAT_traversal),
-outlined in the [Why not just Wireguard?](#why-wireguard-with-wiretrustee) section above,
-Wiretrustee installation doesn't require complex network and firewall configuration.
+outlined in the [Why not just Wireguard?](#why-wireguard-with-netbird) section above,
+Netbird installation doesn't require complex network and firewall configuration.
 It just works, minimising the maintenance effort.
 
-Finally, each machine or device in the Wiretrustee network verifies incoming connections accepting only the trusted ones.
+Finally, each machine or device in the Netbird network verifies incoming connections accepting only the trusted ones.
 This is ensured by Wireguard's [Crypto Routing concept](https://www.wireguard.com/#cryptokey-routing).
 
 ### High-level technology overview
-In essence, Wiretrustee is an open source platform consisting of a collection of systems, responsible for handling peer-to-peer connections, tunneling and network management (IP, keys, ACLs, etc).
+In essence, Netbird is an open source platform consisting of a collection of systems, responsible for handling peer-to-peer connections, tunneling and network management (IP, keys, ACLs, etc).
 
 <p align="center">
     <img src="media/high-level-dia.png" alt="high-level-dia" width="781"/>
 </p>
 
-Wiretrustee uses open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn),
-and [software](https://github.com/wiretrustee/wiretrustee) developed by Wiretrustee authors to make it all work together.
+Netbird uses open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn),
+and [software](https://github.com/netbirdio/netbird) developed by Netbird authors to make it all work together.
 
-To learn more about Wiretrustee architecture, please refer to the [architecture section](../docs/architecture.md).
+To learn more about Netbird architecture, please refer to the [architecture section](../docs/architecture.md).
 
 ### Getting Started
 
-There are 2 ways of getting started with Wiretrustee:
+There are 2 ways of getting started with Netbird:
 - use Cloud Managed version
 - self-hosting
 
-We recommend starting with the cloud managed version hosted at [app.wiretrustee.com](https://app.wiretrustee.com) - the quickest way to get familiar with the system.
+We recommend starting with the cloud managed version hosted at [app.netbird.io](https://app.netbird.io) - the quickest way to get familiar with the system.
 See [Quickstart Guide](../docs/quickstart.md) for instructions.
 
 If you don't want to use the managed version, check out our [Self-hosting Guide](../docs/self-hosting.md).

docs/quickstart.md

@@ -1,14 +1,14 @@
 ## Quickstart guide (Cloud Managed version)
 Step-by-step video guide on YouTube:
 
-[![IMAGE ALT TEXT](https://img.youtube.com/vi/cWTsGUJAUaU/0.jpg)](https://youtu.be/cWTsGUJAUaU "Wiretrustee - secure private network in less than 5 minutes")
+[![IMAGE ALT TEXT](https://img.youtube.com/vi/cWTsGUJAUaU/0.jpg)](https://youtu.be/cWTsGUJAUaU "Netbird - secure private network in less than 5 minutes")
 
 This guide describes how to create secure VPN and connect 2 machines peer-to-peer.
 
 One machine is a Raspberry Pi Compute Module 4 hosted at home (Peer A), and the other one is a regular Ubuntu server running in the Data Center (Peer B).
 Both machines are running Linux (Raspbian and Ubuntu respectively), but you could also use Mac or Windows operating systems.
 
-1. Sign-up at [https://app.wiretrustee.com/](https://app.wiretrustee.com/peers)
+1. Sign-up at [https://app.netbird.io/](https://app.netbird.io/)
 
     You can use your email and password to sign-up or any available social login option (e.g., GitHub account)
     

docs/self-hosting.md

@@ -1,76 +1,80 @@
 ### Self-hosting
-Wiretrustee is an open-source platform that can be self-hosted on your servers.
+Netbird is an open-source platform that can be self-hosted on your servers.
 
-It relies on components developed by Wiretrustee Authors [Management Service](https://github.com/wiretrustee/wiretrustee/tree/main/management), [Management UI Dashboard](https://github.com/wiretrustee/wiretrustee-dashboard), [Signal Service](https://github.com/wiretrustee/wiretrustee/tree/main/signal), 
+It relies on components developed by Netbird Authors [Management Service](https://github.com/netbirdio/netbird/tree/main/management), [Management UI Dashboard](https://github.com/netbirdio/dashboard), [Signal Service](https://github.com/netbirdio/netbird/tree/main/signal), 
 a 3rd party open-source STUN/TURN service [Coturn](https://github.com/coturn/coturn) and a 3rd party service [Auth0](https://auth0.com/).
 
 All the components can be self-hosted except for the Auth0 service.
 We chose Auth0 to "outsource" the user management part of the platform because we believe that implementing a proper user auth requires significant amount of time to make it right. 
-We focused on connectivity instead.
+We focused on connectivity instead. It also offers an always free plan that should be ok for most users as its limits are high enough for most teams.
 
-If you would like to learn more about the architecture please refer to the [Wiretrustee Architecture section](architecture.md).
+If you would like to learn more about the architecture please refer to the [Netbird Architecture section](architecture.md).
 
 ### Step-by-step video guide on YouTube:
 
-[![IMAGE ALT TEXT](https://img.youtube.com/vi/Ofpgx5WhT0k/0.jpg)](https://youtu.be/Ofpgx5WhT0k "Wiretrustee Self-Hosting Guide")
+[![IMAGE ALT TEXT](https://img.youtube.com/vi/Ofpgx5WhT0k/0.jpg)](https://youtu.be/Ofpgx5WhT0k "Netbird Self-Hosting Guide")
 
 ### Requirements
 
 - Virtual machine offered by any cloud provider (e.g., AWS, DigitalOcean, Hetzner, Google Cloud, Azure ...). 
-- Any Linux OS.
+- Any Unix OS.
 - Docker Compose installed (see [Install Docker Compose](https://docs.docker.com/compose/install/)).
 - Domain name pointing to the public IP address of your server.
-- Open ports ```443, 33071, 33073, 10000, 3478``` (Dashboard, Management HTTP API, Management gRpc API, Signal gRpc, Coturn STUN/TURN respectively) on your server.
+- Netbird Open ports ```443, 33071, 33073, 10000``` (Dashboard, Management HTTP API, Management gRpc API, Signal gRpc) on your server. 
+- Coturn is used for relay using the STUN/TURN protocols. It requires a listening port, ```UDP 3478```,  and range of ports,```UDP 49152-65535```, for dynamic relay connections. These are set as defaults in [setup file](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/setup.env#L34), but can be configured to your requirements. 
 - Maybe a cup of coffee or tea :)
 
 ### Step-by-step guide
 
-For this tutorial we will be using domain ```test.wiretrustee.com``` which points to our Ubuntu 20.04 machine hosted at Hetzner.
+For this tutorial we will be using domain ```test.netbird.io``` which points to our Ubuntu 20.04 machine hosted at Hetzner.
 
 1. Create Auth0 account at [auth0.com](https://auth0.com/).
-2. Login to your server, clone Wiretrustee repository:
+2. Login to your server, clone Netbird repository:
    
    ```bash 
-   git clone https://github.com/wiretrustee/wiretrustee.git wiretrustee/
+   git clone https://github.com/netbirdio/netbird.git netbird/
    ```
    
-   and switch to the ```wiretrustee/infrastructure_files/``` folder that contains docker compose file:
+   and switch to the ```netbird/infrastructure_files/``` folder that contains docker compose file:
    
    ```bash 
-   cd wiretrustee/infrastructure_files/
+   cd netbird/infrastructure_files/
    ```
 3. Prepare configuration files.
    
-   To simplify the setup we have prepared a script to substitute required properties in the [docker-compose.yml.tmpl](../infrastructure_files/docker-compose.yml.tmpl) and [management.json.tmpl](../infrastructure_files/management.json.tmpl) files.
+   To simplify the setup we have prepared a script to substitute required properties in the [turnserver.conf.tmpl](../infrastructure_files/turnserver.conf.tmpl),[docker-compose.yml.tmpl](../infrastructure_files/docker-compose.yml.tmpl) and [management.json.tmpl](../infrastructure_files/management.json.tmpl) files.
    
    The [setup.env](../infrastructure_files/setup.env) file contains the following properties that have to be filled:
    
    ```bash
-   # e.g. app.mydomain.com
-   WIRETRUSTEE_DOMAIN=""
+   # Dashboard domain. e.g. app.mydomain.com
+   NETBIRD_DOMAIN=""
    # e.g. dev-24vkclam.us.auth0.com
-   WIRETRUSTEE_AUTH0_DOMAIN=""
+   NETBIRD_AUTH0_DOMAIN=""
    # e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
-   WIRETRUSTEE_AUTH0_CLIENT_ID=""
-   # e.g. https://app.mydomain.com/
-   WIRETRUSTEE_AUTH0_AUDIENCE=""
+   NETBIRD_AUTH0_CLIENT_ID=""
+   # e.g. https://app.mydomain.com/ or https://app.mydomain.com,
+   # Make sure you used the exact same value for Identifier
+   # you used when creating your Auth0 API
+   NETBIRD_AUTH0_AUDIENCE=""
    # e.g. hello@mydomain.com
-   WIRETRUSTEE_LETSENCRYPT_EMAIL=""
+   NETBIRD_LETSENCRYPT_EMAIL=""
    ```
+   > Other options are available, but they are automatically updated.
    
-   Please follow the steps to get the values.
+   Please follow the steps to get the values. 
 
-4. Configure ```WIRETRUSTEE_AUTH0_DOMAIN``` ```WIRETRUSTEE_AUTH0_CLIENT_ID``` ```WIRETRUSTEE_AUTH0_AUDIENCE``` properties.          
+4. Configure ```NETBIRD_AUTH0_DOMAIN``` ```NETBIRD_AUTH0_CLIENT_ID``` ```NETBIRD_AUTH0_AUDIENCE``` properties.          
    
    * To obtain these, please use [Auth0 React SDK Guide](https://auth0.com/docs/quickstart/spa/react/01-login#configure-auth0) up until "Install the Auth0 React SDK".
    
       :grey_exclamation: Use ```https://YOUR DOMAIN``` as ````Allowed Callback URLs````, ```Allowed Logout URLs```, ```Allowed Web Origins``` and ```Allowed Origins (CORS)```
    * set the variables in the ```setup.env```
-5. Configure ```WIRETRUSTEE_AUTH0_AUDIENCE``` property. 
+5. Configure ```NETBIRD_AUTH0_AUDIENCE``` property. 
    
    * Check [Auth0 Golang API Guide](https://auth0.com/docs/quickstart/backend/golang) to obtain AuthAudience.
    * set the property in the ```setup.env``` file.
-6. Configure ```WIRETRUSTEE_LETSENCRYPT_EMAIL``` property.
+6. Configure ```NETBIRD_LETSENCRYPT_EMAIL``` property.
    
    This can be any email address. [Let's Encrypt](https://letsencrypt.org/) will create an account while generating a new certificate.    
 
@@ -94,3 +98,9 @@ For this tutorial we will be using domain ```test.wiretrustee.com``` which point
     docker-compose logs management
     docker-compose logs coturn
     docker-compose logs dashboard
+
+10. Once the server is running, you can access the dashboard by https://$NETBIRD_DOMAIN
+11. Adding a peer will require you to enter the management URL by following the steps in the page https://$NETBIRD_DOMAIN/add-peer and in the 3rd step:
+```shell
+sudo netbird up --setup-key <PASTE-SETUP-KEY> --management-url https://$NETBIRD_DOMAIN:33073
+```

encryption/encryption_test.go

@@ -1,10 +1,10 @@
 package encryption_test
 
 import (
+	"github.com/netbirdio/netbird/encryption"
+	"github.com/netbirdio/netbird/encryption/testprotos"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
-	"github.com/wiretrustee/wiretrustee/encryption"
-	"github.com/wiretrustee/wiretrustee/encryption/testprotos"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 

go.mod

@@ -1,28 +1,114 @@
-module github.com/wiretrustee/wiretrustee
+module github.com/netbirdio/netbird
 
-go 1.16
+go 1.18
 
 require (
-	github.com/cenkalti/backoff/v4 v4.1.0
+	github.com/cenkalti/backoff/v4 v4.1.3
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.2
-	github.com/google/uuid v1.2.0
+	github.com/google/uuid v1.3.0
 	github.com/gorilla/mux v1.8.0
-	github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7
-	github.com/onsi/ginkgo v1.16.4
-	github.com/onsi/gomega v1.13.0
-	github.com/pion/ice/v2 v2.1.7
+	github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7 //keep this version otherwise wiretrustee up command breaks
+	github.com/onsi/ginkgo v1.16.5
+	github.com/onsi/gomega v1.18.1
+	github.com/pion/ice/v2 v2.1.17
 	github.com/rs/cors v1.8.0
-	github.com/sirupsen/logrus v1.7.0
-	github.com/spf13/cobra v1.1.3
+	github.com/sirupsen/logrus v1.8.1
+	github.com/spf13/cobra v1.3.0
 	github.com/spf13/pflag v1.0.5
 	github.com/vishvananda/netlink v1.1.0
-	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
-	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c
-	golang.zx2c4.com/wireguard v0.0.0-20210805125648-3957e9b9dd19
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210803171230-4253848d036c
-	golang.zx2c4.com/wireguard/windows v0.4.5
-	google.golang.org/grpc v1.32.0
-	google.golang.org/protobuf v1.26.0
+	golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838
+	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
+	golang.zx2c4.com/wireguard v0.0.0-20211209221555-9c9e7e272434
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de
+	golang.zx2c4.com/wireguard/windows v0.5.1
+	google.golang.org/grpc v1.43.0
+	google.golang.org/protobuf v1.28.0
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )
+
+require (
+	fyne.io/fyne/v2 v2.1.4
+	github.com/c-robinson/iplib v1.0.3
+	github.com/eko/gocache/v2 v2.3.1
+	github.com/getlantern/systray v1.2.1
+	github.com/magiconair/properties v1.8.5
+	github.com/patrickmn/go-cache v2.1.0+incompatible
+	github.com/rs/xid v1.3.0
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
+	github.com/stretchr/testify v1.7.1
+)
+
+require (
+	github.com/BurntSushi/toml v0.4.1 // indirect
+	github.com/XiaoMi/pegasus-go-client v0.0.0-20210427083443-f3b6b08bc4c2 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/fredbi/uri v0.0.0-20181227131451-3dcfdacbaaf3 // indirect
+	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/getlantern/context v0.0.0-20190109183933-c447772a6520 // indirect
+	github.com/getlantern/errors v0.0.0-20190325191628-abdb3e3e36f7 // indirect
+	github.com/getlantern/golog v0.0.0-20190830074920-4ef2e798c2d7 // indirect
+	github.com/getlantern/hex v0.0.0-20190417191902-c6586a6fe0b7 // indirect
+	github.com/getlantern/hidden v0.0.0-20190325191715-f02dbb02be55 // indirect
+	github.com/getlantern/ops v0.0.0-20190325191751-d70cb0d6f85f // indirect
+	github.com/go-gl/gl v0.0.0-20210813123233-e4099ee2221f // indirect
+	github.com/go-gl/glfw/v3.3/glfw v0.0.0-20211024062804-40e447a793be // indirect
+	github.com/go-redis/redis/v8 v8.11.5 // indirect
+	github.com/go-stack/stack v1.8.0 // indirect
+	github.com/godbus/dbus/v5 v5.0.4 // indirect
+	github.com/goki/freetype v0.0.0-20181231101311-fa8a33aabaff // indirect
+	github.com/google/go-cmp v0.5.7 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/josharian/native v0.0.0-20200817173448-b6b71def0850 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/mdlayher/genetlink v1.1.0 // indirect
+	github.com/mdlayher/netlink v1.4.2 // indirect
+	github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb // indirect
+	github.com/nxadm/tail v1.4.8 // indirect
+	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
+	github.com/pegasus-kv/thrift v0.13.0 // indirect
+	github.com/pion/dtls/v2 v2.1.2 // indirect
+	github.com/pion/logging v0.2.2 // indirect
+	github.com/pion/mdns v0.0.5 // indirect
+	github.com/pion/randutil v0.1.0 // indirect
+	github.com/pion/stun v0.3.5 // indirect
+	github.com/pion/transport v0.13.0 // indirect
+	github.com/pion/turn/v2 v2.0.7 // indirect
+	github.com/pion/udp v0.1.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_golang v1.12.2 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.33.0 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/srwiley/oksvg v0.0.0-20200311192757-870daf9aa564 // indirect
+	github.com/srwiley/rasterx v0.0.0-20200120212402-85cb7272f5e9 // indirect
+	github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect
+	github.com/yuin/goldmark v1.4.1 // indirect
+	golang.org/x/exp v0.0.0-20220518171630-0b5c67f07fdf // indirect
+	golang.org/x/image v0.0.0-20200430140353-33d19683fad8 // indirect
+	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
+	golang.org/x/net v0.0.0-20220412020605-290c469a71a5 // indirect
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+	golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 // indirect
+	golang.org/x/tools v0.1.10 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d // indirect
+	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
+	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
+	gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b // indirect
+	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
+	gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	honnef.co/go/tools v0.2.2 // indirect
+	k8s.io/apimachinery v0.23.5 // indirect
+)
+
+replace github.com/pion/ice/v2 => github.com/wiretrustee/ice/v2 v2.1.21-0.20220218121004-dc81faead4bb
+
+//replace github.com/eko/gocache/v3 => /home/braginini/Documents/projects/my/wiretrustee/gocache

iface/configuration.go

@@ -0,0 +1,140 @@
+package iface
+
+import (
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"net"
+	"time"
+)
+
+// configureDevice configures the wireguard device
+func (w *WGIface) configureDevice(config wgtypes.Config) error {
+	wg, err := wgctrl.New()
+	if err != nil {
+		return err
+	}
+	defer wg.Close()
+
+	// validate if device with name exists
+	_, err = wg.Device(w.Name)
+	if err != nil {
+		return err
+	}
+	log.Debugf("got Wireguard device %s", w.Name)
+
+	return wg.ConfigureDevice(w.Name, config)
+}
+
+// Configure configures a Wireguard interface
+// The interface must exist before calling this method (e.g. call interface.Create() before)
+func (w *WGIface) Configure(privateKey string, port int) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	log.Debugf("configuring Wireguard interface %s", w.Name)
+
+	log.Debugf("adding Wireguard private key")
+	key, err := wgtypes.ParseKey(privateKey)
+	if err != nil {
+		return err
+	}
+	fwmark := 0
+	config := wgtypes.Config{
+		PrivateKey:   &key,
+		ReplacePeers: true,
+		FirewallMark: &fwmark,
+		ListenPort:   &port,
+	}
+
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf("received error \"%v\" while configuring interface %s with port %d", err, w.Name, port)
+	}
+	return nil
+}
+
+// GetListenPort returns the listening port of the Wireguard endpoint
+func (w *WGIface) GetListenPort() (*int, error) {
+	log.Debugf("getting Wireguard listen port of interface %s", w.Name)
+
+	//discover Wireguard current configuration
+	wg, err := wgctrl.New()
+	if err != nil {
+		return nil, err
+	}
+	defer wg.Close()
+
+	d, err := wg.Device(w.Name)
+	if err != nil {
+		return nil, err
+	}
+	log.Debugf("got Wireguard device listen port %s, %d", w.Name, d.ListenPort)
+
+	return &d.ListenPort, nil
+}
+
+// UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
+// Endpoint is optional
+func (w *WGIface) UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	log.Debugf("updating interface %s peer %s: endpoint %s ", w.Name, peerKey, endpoint)
+
+	//parse allowed ips
+	_, ipNet, err := net.ParseCIDR(allowedIps)
+	if err != nil {
+		return err
+	}
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+	peer := wgtypes.PeerConfig{
+		PublicKey:                   peerKeyParsed,
+		ReplaceAllowedIPs:           true,
+		AllowedIPs:                  []net.IPNet{*ipNet},
+		PersistentKeepaliveInterval: &keepAlive,
+		PresharedKey:                preSharedKey,
+		Endpoint:                    endpoint,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf("received error \"%v\" while updating peer on interface %s with settings: allowed ips %s, endpoint %s", err, w.Name, allowedIps, endpoint.String())
+	}
+	return nil
+}
+
+// RemovePeer removes a Wireguard Peer from the interface iface
+func (w *WGIface) RemovePeer(peerKey string) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	log.Debugf("Removing peer %s from interface %s ", peerKey, w.Name)
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+
+	peer := wgtypes.PeerConfig{
+		PublicKey: peerKeyParsed,
+		Remove:    true,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf("received error \"%v\" while removing peer %s from interface %s", err, peerKey, w.Name)
+	}
+	return nil
+}

iface/iface.go

@@ -1,240 +1,93 @@
 package iface
 
 import (
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
-	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun"
-	"golang.zx2c4.com/wireguard/wgctrl"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"fmt"
 	"net"
-	"time"
+	"os"
+	"runtime"
+	"sync"
 )
 
 const (
-	defaultMTU = 1280
+	DefaultMTU    = 1280
+	DefaultWgPort = 51820
 )
 
-var (
-	tunIface tun.Device
-	// todo check after move the WgPort constant to the client
-	WgPort = 51820
-)
+// WGIface represents a interface instance
+type WGIface struct {
+	Name      string
+	Port      int
+	MTU       int
+	Address   WGAddress
+	Interface NetInterface
+	mu        sync.Mutex
+}
 
-// CreateWithUserspace Creates a new Wireguard interface, using wireguard-go userspace implementation
-func CreateWithUserspace(iface string, address string) error {
-	var err error
-	tunIface, err = tun.CreateTUN(iface, defaultMTU)
+// WGAddress Wireguard parsed address
+type WGAddress struct {
+	IP      net.IP
+	Network *net.IPNet
+}
+
+func (addr *WGAddress) String() string {
+	maskSize, _ := addr.Network.Mask.Size()
+	return fmt.Sprintf("%s/%d", addr.IP.String(), maskSize)
+}
+
+// NetInterface represents a generic network tunnel interface
+type NetInterface interface {
+	Close() error
+}
+
+// NewWGIFace Creates a new Wireguard interface instance
+func NewWGIFace(iface string, address string, mtu int) (*WGIface, error) {
+	wgIface := &WGIface{
+		Name: iface,
+		MTU:  mtu,
+		mu:   sync.Mutex{},
+	}
+
+	wgAddress, err := parseAddress(address)
+	if err != nil {
+		return wgIface, err
+	}
+
+	wgIface.Address = wgAddress
+
+	return wgIface, nil
+}
+
+// parseAddress parse a string ("1.2.3.4/24") address to WG Address
+func parseAddress(address string) (WGAddress, error) {
+	ip, network, err := net.ParseCIDR(address)
+	if err != nil {
+		return WGAddress{}, err
+	}
+	return WGAddress{
+		IP:      ip,
+		Network: network,
+	}, nil
+}
+
+// Close closes the tunnel interface
+func (w *WGIface) Close() error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	err := w.Interface.Close()
 	if err != nil {
 		return err
 	}
 
-	// We need to create a wireguard-go device and listen to configuration requests
-	tunDevice := device.NewDevice(tunIface, conn.NewDefaultBind(), device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
-	err = tunDevice.Up()
-	if err != nil {
-		return err
-	}
-	uapi, err := getUAPI(iface)
-	if err != nil {
-		return err
-	}
-
-	go func() {
-		for {
-			uapiConn, err := uapi.Accept()
-			if err != nil {
-				log.Debugln("uapi Accept failed with error: ", err)
-				continue
+	if runtime.GOOS == "darwin" {
+		sockPath := "/var/run/wireguard/" + w.Name + ".sock"
+		if _, statErr := os.Stat(sockPath); statErr == nil {
+			statErr = os.Remove(sockPath)
+			if statErr != nil {
+				return statErr
 			}
-			go tunDevice.IpcHandle(uapiConn)
 		}
-	}()
-
-	log.Debugln("UAPI listener started")
-
-	err = assignAddr(address, iface)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// configure peer for the wireguard device
-func configureDevice(iface string, config wgtypes.Config) error {
-	wg, err := wgctrl.New()
-	if err != nil {
-		return err
-	}
-	defer wg.Close()
-
-	_, err = wg.Device(iface)
-	if err != nil {
-		return err
-	}
-	log.Debugf("got Wireguard device %s", iface)
-
-	return wg.ConfigureDevice(iface, config)
-}
-
-// Exists checks whether specified Wireguard device exists or not
-func Exists(iface string) (*bool, error) {
-	wg, err := wgctrl.New()
-	if err != nil {
-		return nil, err
-	}
-	defer wg.Close()
-
-	devices, err := wg.Devices()
-	if err != nil {
-		return nil, err
-	}
-
-	var exists bool
-	for _, d := range devices {
-		if d.Name == iface {
-			exists = true
-			return &exists, nil
-		}
-	}
-	exists = false
-	return &exists, nil
-}
-
-// Configure configures a Wireguard interface
-// The interface must exist before calling this method (e.g. call interface.Create() before)
-func Configure(iface string, privateKey string) error {
-
-	log.Debugf("configuring Wireguard interface %s", iface)
-
-	log.Debugf("adding Wireguard private key")
-	key, err := wgtypes.ParseKey(privateKey)
-	if err != nil {
-		return err
-	}
-	fwmark := 0
-	p := WgPort
-	config := wgtypes.Config{
-		PrivateKey:   &key,
-		ReplacePeers: false,
-		FirewallMark: &fwmark,
-		ListenPort:   &p,
-	}
-
-	return configureDevice(iface, config)
-}
-
-// GetListenPort returns the listening port of the Wireguard endpoint
-func GetListenPort(iface string) (*int, error) {
-	log.Debugf("getting Wireguard listen port of interface %s", iface)
-
-	//discover Wireguard current configuration
-	wg, err := wgctrl.New()
-	if err != nil {
-		return nil, err
-	}
-	defer wg.Close()
-
-	d, err := wg.Device(iface)
-	if err != nil {
-		return nil, err
-	}
-	log.Debugf("got Wireguard device listen port %s, %d", iface, d.ListenPort)
-
-	return &d.ListenPort, nil
-}
-
-// UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
-// Endpoint is optional
-func UpdatePeer(iface string, peerKey string, allowedIps string, keepAlive time.Duration, endpoint string) error {
-
-	log.Debugf("updating interface %s peer %s: endpoint %s ", iface, peerKey, endpoint)
-
-	//parse allowed ips
-	_, ipNet, err := net.ParseCIDR(allowedIps)
-	if err != nil {
-		return err
-	}
-
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-	peer := wgtypes.PeerConfig{
-		PublicKey:                   peerKeyParsed,
-		ReplaceAllowedIPs:           true,
-		AllowedIPs:                  []net.IPNet{*ipNet},
-		PersistentKeepaliveInterval: &keepAlive,
-	}
-
-	config := wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-
-	err = configureDevice(iface, config)
-	if err != nil {
-		return err
-	}
-
-	if endpoint != "" {
-		return UpdatePeerEndpoint(iface, peerKey, endpoint)
 	}
 
 	return nil
 }
-
-// UpdatePeerEndpoint updates a Wireguard interface Peer with the new endpoint
-// Used when NAT hole punching was successful and an update of the remote peer endpoint is required
-func UpdatePeerEndpoint(iface string, peerKey string, newEndpoint string) error {
-
-	log.Debugf("updating peer %s endpoint %s ", peerKey, newEndpoint)
-
-	peerAddr, err := net.ResolveUDPAddr("udp4", newEndpoint)
-	if err != nil {
-		return err
-	}
-
-	log.Debugf("parsed peer endpoint [%s]", peerAddr.String())
-
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-
-	peer := wgtypes.PeerConfig{
-		PublicKey:         peerKeyParsed,
-		ReplaceAllowedIPs: false,
-		UpdateOnly:        true,
-		Endpoint:          peerAddr,
-	}
-	config := wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-	return configureDevice(iface, config)
-}
-
-// RemovePeer removes a Wireguard Peer from the interface iface
-func RemovePeer(iface string, peerKey string) error {
-	log.Debugf("Removing peer %s from interface %s ", peerKey, iface)
-
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-
-	peer := wgtypes.PeerConfig{
-		PublicKey: peerKeyParsed,
-		Remove:    true,
-	}
-
-	config := wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-
-	return configureDevice(iface, config)
-}
-
-// Closes the User Space tunnel interface
-func CloseWithUserspace() error {
-	return tunIface.Close()
-}

iface/iface_darwin.go

@@ -2,62 +2,34 @@ package iface
 
 import (
 	log "github.com/sirupsen/logrus"
-	"net"
-	"os"
 	"os/exec"
-	"strings"
 )
 
 // Create Creates a new Wireguard interface, sets a given IP and brings it up.
-func Create(iface string, address string) error {
-	return CreateWithUserspace(iface, address)
+func (w *WGIface) Create() error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	return w.createWithUserspace()
 }
 
 // assignAddr Adds IP address to the tunnel interface and network route based on the range provided
-func assignAddr(address string, ifaceName string) error {
-	ip := strings.Split(address, "/")
-	cmd := exec.Command("ifconfig", ifaceName, "inet", address, ip[0])
+func (w *WGIface) assignAddr() error {
+	//mask,_ := w.Address.Network.Mask.Size()
+	//
+	//address := fmt.Sprintf("%s/%d",w.Address.IP.String() , mask)
+
+	cmd := exec.Command("ifconfig", w.Name, "inet", w.Address.IP.String(), w.Address.IP.String())
 	if out, err := cmd.CombinedOutput(); err != nil {
-		log.Infof("Command: %v failed with output %s and error: ", cmd.String(), out)
+		log.Infof("adding addreess command \"%v\" failed with output %s and error: ", cmd.String(), out)
 		return err
 	}
-	_, resolvedNet, err := net.ParseCIDR(address)
-	err = addRoute(ifaceName, resolvedNet)
-	if err != nil {
-		log.Infoln("Adding route failed with error:", err)
-	}
-	return nil
-}
-
-// addRoute Adds network route based on the range provided
-func addRoute(iface string, ipNet *net.IPNet) error {
-	cmd := exec.Command("route", "add", "-net", ipNet.String(), "-interface", iface)
-	if out, err := cmd.CombinedOutput(); err != nil {
-		log.Printf("Command: %v failed with output %s and error: ", cmd.String(), out)
-		return err
-	}
-	return nil
-}
-
-// Closes the tunnel interface
-func Close() error {
-	name, err := tunIface.Name()
-	if err != nil {
-		return err
-	}
-
-	sockPath := "/var/run/wireguard/" + name + ".sock"
-
-	err = CloseWithUserspace()
-	if err != nil {
-		return err
-	}
-
-	if _, err := os.Stat(sockPath); err == nil {
-		err = os.Remove(sockPath)
-		if err != nil {
-			return err
-		}
+
+	routeCmd := exec.Command("route", "add", "-net", w.Address.Network.String(), "-interface", w.Name)
+	if out, err := routeCmd.CombinedOutput(); err != nil {
+		log.Printf("adding route command \"%v\" failed with output %s and error: ", routeCmd.String(), out)
+		return err
 	}
+
 	return nil
 }

iface/iface_linux.go

@@ -1,37 +1,60 @@
 package iface
 
 import (
-	"fmt"
+	"errors"
+	"math"
+	"os"
+	"syscall"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
-	"golang.zx2c4.com/wireguard/wgctrl"
-	"os"
 )
 
-// Create Creates a new Wireguard interface, sets a given IP and brings it up.
+type NativeLink struct {
+	Link *netlink.Link
+}
+
+func WireguardModExists() bool {
+	link := newWGLink("mustnotexist")
+
+	// We willingly try to create a device with an invalid
+	// MTU here as the validation of the MTU will be performed after
+	// the validation of the link kind and hence allows us to check
+	// for the existance of the wireguard module without actually
+	// creating a link.
+	//
+	// As a side-effect, this will also let the kernel lazy-load
+	// the wireguard module.
+	link.attrs.MTU = math.MaxInt
+
+	err := netlink.LinkAdd(link)
+
+	return errors.Is(err, syscall.EINVAL)
+}
+
+// Create creates a new Wireguard interface, sets a given IP and brings it up.
 // Will reuse an existing one.
-func Create(iface string, address string) error {
+func (w *WGIface) Create() error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
 
 	if WireguardModExists() {
-		log.Debug("using kernel Wireguard module")
-		return CreateWithKernel(iface, address)
+		log.Info("using kernel WireGuard")
+		return w.createWithKernel()
 	} else {
-		return CreateWithUserspace(iface, address)
+		log.Info("using userspace WireGuard")
+		return w.createWithUserspace()
 	}
 }
 
-// CreateWithKernel Creates a new Wireguard interface using kernel Wireguard module.
+// createWithKernel Creates a new Wireguard interface using kernel Wireguard module.
 // Works for Linux and offers much better network performance
-func CreateWithKernel(iface string, address string) error {
-	attrs := netlink.NewLinkAttrs()
-	attrs.Name = iface
+func (w *WGIface) createWithKernel() error {
 
-	link := wgLink{
-		attrs: &attrs,
-	}
+	link := newWGLink(w.Name)
 
 	// check if interface exists
-	l, err := netlink.LinkByName(iface)
+	l, err := netlink.LinkByName(w.Name)
 	if err != nil {
 		switch err.(type) {
 		case netlink.LinkNotFoundError:
@@ -43,37 +66,39 @@ func CreateWithKernel(iface string, address string) error {
 
 	// remove if interface exists
 	if l != nil {
-		err = netlink.LinkDel(&link)
+		err = netlink.LinkDel(link)
 		if err != nil {
 			return err
 		}
 	}
 
-	log.Debugf("adding device: %s", iface)
-	err = netlink.LinkAdd(&link)
+	log.Debugf("adding device: %s", w.Name)
+	err = netlink.LinkAdd(link)
 	if os.IsExist(err) {
-		log.Infof("interface %s already exists. Will reuse.", iface)
+		log.Infof("interface %s already exists. Will reuse.", w.Name)
 	} else if err != nil {
 		return err
 	}
 
-	err = assignAddr(address, iface)
+	w.Interface = link
+
+	err = w.assignAddr()
 	if err != nil {
 		return err
 	}
 
 	// todo do a discovery
-	log.Debugf("setting MTU: %d interface: %s", defaultMTU, iface)
-	err = netlink.LinkSetMTU(&link, defaultMTU)
+	log.Debugf("setting MTU: %d interface: %s", w.MTU, w.Name)
+	err = netlink.LinkSetMTU(link, w.MTU)
 	if err != nil {
-		log.Errorf("error setting MTU on interface: %s", iface)
+		log.Errorf("error setting MTU on interface: %s", w.Name)
 		return err
 	}
 
-	log.Debugf("bringing up interface: %s", iface)
-	err = netlink.LinkSetUp(&link)
+	log.Debugf("bringing up interface: %s", w.Name)
+	err = netlink.LinkSetUp(link)
 	if err != nil {
-		log.Errorf("error bringing up interface: %s", iface)
+		log.Errorf("error bringing up interface: %s", w.Name)
 		return err
 	}
 
@@ -81,39 +106,33 @@ func CreateWithKernel(iface string, address string) error {
 }
 
 // assignAddr Adds IP address to the tunnel interface
-func assignAddr(address, name string) error {
-	var err error
-	attrs := netlink.NewLinkAttrs()
-	attrs.Name = name
-
-	link := wgLink{
-		attrs: &attrs,
-	}
+func (w *WGIface) assignAddr() error {
+	link := newWGLink(w.Name)
 
 	//delete existing addresses
-	list, err := netlink.AddrList(&link, 0)
+	list, err := netlink.AddrList(link, 0)
 	if err != nil {
 		return err
 	}
 	if len(list) > 0 {
 		for _, a := range list {
-			err = netlink.AddrDel(&link, &a)
+			err = netlink.AddrDel(link, &a)
 			if err != nil {
 				return err
 			}
 		}
 	}
 
-	log.Debugf("adding address %s to interface: %s", address, attrs.Name)
-	addr, _ := netlink.ParseAddr(address)
-	err = netlink.AddrAdd(&link, addr)
+	log.Debugf("adding address %s to interface: %s", w.Address.String(), w.Name)
+	addr, _ := netlink.ParseAddr(w.Address.String())
+	err = netlink.AddrAdd(link, addr)
 	if os.IsExist(err) {
-		log.Infof("interface %s already has the address: %s", attrs.Name, address)
+		log.Infof("interface %s already has the address: %s", w.Name, w.Address.String())
 	} else if err != nil {
 		return err
 	}
 	// On linux, the link must be brought up
-	err = netlink.LinkSetUp(&link)
+	err = netlink.LinkSetUp(link)
 	return err
 }
 
@@ -121,48 +140,26 @@ type wgLink struct {
 	attrs *netlink.LinkAttrs
 }
 
+func newWGLink(name string) *wgLink {
+	attrs := netlink.NewLinkAttrs()
+	attrs.Name = name
+
+	return &wgLink{
+		attrs: &attrs,
+	}
+}
+
 // Attrs returns the Wireguard's default attributes
-func (w *wgLink) Attrs() *netlink.LinkAttrs {
-	return w.attrs
+func (l *wgLink) Attrs() *netlink.LinkAttrs {
+	return l.attrs
 }
 
 // Type returns the interface type
-func (w *wgLink) Type() string {
+func (l *wgLink) Type() string {
 	return "wireguard"
 }
 
-// Closes the tunnel interface
-func Close() error {
-
-	if tunIface != nil {
-		return CloseWithUserspace()
-	} else {
-		var iface = ""
-		wg, err := wgctrl.New()
-		if err != nil {
-			return err
-		}
-		defer wg.Close()
-		devList, err := wg.Devices()
-		if err != nil {
-			return err
-		}
-		for _, wgDev := range devList {
-			// todo check after move the WgPort constant to the client
-			if wgDev.ListenPort == WgPort {
-				iface = wgDev.Name
-				break
-			}
-		}
-		if iface == "" {
-			return fmt.Errorf("Wireguard Interface not found")
-		}
-		attrs := netlink.NewLinkAttrs()
-		attrs.Name = iface
-
-		link := wgLink{
-			attrs: &attrs,
-		}
-		return netlink.LinkDel(&link)
-	}
+// Close deletes the link interface
+func (l *wgLink) Close() error {
+	return netlink.LinkDel(l)
 }

iface/iface_test.go

@@ -3,6 +3,7 @@ package iface
 import (
 	"fmt"
 	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"net"
@@ -12,24 +13,96 @@ import (
 
 // keep darwin compability
 const (
-	key        = "0PMI6OkB5JmB+Jj/iWWHekuQRx+bipZirWCWKFXexHc="
-	peerPubKey = "Ok0mC0qlJyXEPKh2UFIpsI2jG0L7LRpC3sLAusSJ5CQ="
+	WgIntNumber = 2000
+)
+
+var (
+	key        string
+	peerPubKey string
 )
 
 func init() {
 	log.SetLevel(log.DebugLevel)
+	privateKey, _ := wgtypes.GeneratePrivateKey()
+	key = privateKey.String()
+	peerPrivateKey, _ := wgtypes.GeneratePrivateKey()
+	peerPubKey = peerPrivateKey.PublicKey().String()
 }
 
-//
-func Test_CreateInterface(t *testing.T) {
-	ifaceName := "utun999"
-	wgIP := "10.99.99.1/24"
-	err := Create(ifaceName, wgIP)
+func TestWGIface_UpdateAddr(t *testing.T) {
+	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
+	addr := "100.64.0.1/8"
+	iface, err := NewWGIFace(ifaceName, addr, DefaultMTU)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Create()
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer func() {
-		err = Close()
+		err = iface.Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+	port, err := iface.GetListenPort()
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Configure(key, *port)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	addrs, err := getIfaceAddrs(ifaceName)
+	if err != nil {
+		t.Error(err)
+	}
+	assert.Equal(t, addr, addrs[0].String())
+
+	//update WireGuard address
+	addr = "100.64.0.2/8"
+	err = iface.UpdateAddr(addr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	addrs, err = getIfaceAddrs(ifaceName)
+	if err != nil {
+		t.Error(err)
+	}
+
+	assert.Equal(t, addr, addrs[0].String())
+
+}
+
+func getIfaceAddrs(ifaceName string) ([]net.Addr, error) {
+	ief, err := net.InterfaceByName(ifaceName)
+	if err != nil {
+		return nil, err
+	}
+	addrs, err := ief.Addrs()
+	if err != nil {
+		return nil, err
+	}
+	return addrs, nil
+}
+
+//
+func Test_CreateInterface(t *testing.T) {
+	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+1)
+	wgIP := "10.99.99.1/32"
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Create()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = iface.Close()
 		if err != nil {
 			t.Error(err)
 		}
@@ -44,29 +117,59 @@ func Test_CreateInterface(t *testing.T) {
 			t.Error(err)
 		}
 	}()
+}
 
-	d, err := wg.Device(ifaceName)
+func Test_Close(t *testing.T) {
+	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+2)
+	wgIP := "10.99.99.2/32"
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU)
 	if err != nil {
 		t.Fatal(err)
 	}
-	// todo move the WgPort constant to the client
-	WgPort = d.ListenPort
-}
-func Test_ConfigureInterface(t *testing.T) {
-	ifaceName := "utun1000"
-	wgIP := "10.99.99.10/24"
-	err := Create(ifaceName, wgIP)
+	err = iface.Create()
+	if err != nil {
+		t.Fatal(err)
+	}
+	wg, err := wgctrl.New()
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer func() {
-		err = Close()
+		err = wg.Close()
 		if err != nil {
 			t.Error(err)
 		}
 	}()
 
-	err = Configure(ifaceName, key)
+	err = iface.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func Test_ConfigureInterface(t *testing.T) {
+	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+3)
+	wgIP := "10.99.99.5/30"
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Create()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = iface.Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+
+	port, err := iface.GetListenPort()
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Configure(key, *port)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -92,30 +195,41 @@ func Test_ConfigureInterface(t *testing.T) {
 }
 
 func Test_UpdatePeer(t *testing.T) {
-	ifaceName := "utun1001"
-	wgIP := "10.99.99.20/24"
-	err := Create(ifaceName, wgIP)
+	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
+	wgIP := "10.99.99.9/30"
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Create()
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer func() {
-		err = Close()
+		err = iface.Close()
 		if err != nil {
 			t.Error(err)
 		}
 	}()
-	err = Configure(ifaceName, key)
+	port, err := iface.GetListenPort()
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Configure(key, *port)
 	if err != nil {
 		t.Fatal(err)
 	}
 	keepAlive := 15 * time.Second
-	allowedIP := "10.99.99.2/32"
-	endpoint := "127.0.0.1:9900"
-	err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint)
+	allowedIP := "10.99.99.10/32"
+	endpoint, err := net.ResolveUDPAddr("udp", "127.0.0.1:9900")
 	if err != nil {
 		t.Fatal(err)
 	}
-	peer, err := getPeer(ifaceName, t)
+	err = iface.UpdatePeer(peerPubKey, allowedIP, keepAlive, endpoint, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	peer, err := getPeer(ifaceName, peerPubKey, t)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -123,11 +237,7 @@ func Test_UpdatePeer(t *testing.T) {
 		t.Fatal("configured peer with mismatched keepalive interval value")
 	}
 
-	resolvedEndpoint, err := net.ResolveUDPAddr("udp", endpoint)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if peer.Endpoint.String() != resolvedEndpoint.String() {
+	if peer.Endpoint.String() != endpoint.String() {
 		t.Fatal("configured peer with mismatched endpoint")
 	}
 
@@ -143,110 +253,144 @@ func Test_UpdatePeer(t *testing.T) {
 	}
 }
 
-func Test_UpdatePeerEndpoint(t *testing.T) {
-	ifaceName := "utun1002"
-	wgIP := "10.99.99.30/24"
-	err := Create(ifaceName, wgIP)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer func() {
-		err = Close()
-		if err != nil {
-			t.Error(err)
-		}
-	}()
-	err = Configure(ifaceName, key)
-	if err != nil {
-		t.Fatal(err)
-	}
-	keepAlive := 15 * time.Second
-	allowedIP := "10.99.99.2/32"
-	endpoint := "127.0.0.1:9900"
-	err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	newEndpoint := "127.0.0.1:9999"
-	err = UpdatePeerEndpoint(ifaceName, peerPubKey, newEndpoint)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	peer, err := getPeer(ifaceName, t)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if peer.Endpoint.String() != newEndpoint {
-		t.Fatal("configured peer with mismatched endpoint")
-	}
-}
-
 func Test_RemovePeer(t *testing.T) {
-	ifaceName := "utun1003"
-	wgIP := "10.99.99.40/24"
-	err := Create(ifaceName, wgIP)
+	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
+	wgIP := "10.99.99.13/30"
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Create()
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer func() {
-		err = Close()
+		err = iface.Close()
 		if err != nil {
 			t.Error(err)
 		}
 	}()
-	err = Configure(ifaceName, key)
+	port, err := iface.GetListenPort()
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Configure(key, *port)
 	if err != nil {
 		t.Fatal(err)
 	}
 	keepAlive := 15 * time.Second
-	allowedIP := "10.99.99.2/32"
-	endpoint := "127.0.0.1:9900"
-	err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint)
+	allowedIP := "10.99.99.14/32"
+
+	err = iface.UpdatePeer(peerPubKey, allowedIP, keepAlive, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = RemovePeer(ifaceName, peerPubKey)
+	err = iface.RemovePeer(peerPubKey)
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, err = getPeer(ifaceName, t)
+	_, err = getPeer(ifaceName, peerPubKey, t)
 	if err.Error() != "peer not found" {
 		t.Fatal(err)
 	}
 }
-func Test_Close(t *testing.T) {
-	ifaceName := "utun1004"
-	wgIP := "10.99.99.50/24"
-	err := Create(ifaceName, wgIP)
+
+func Test_ConnectPeers(t *testing.T) {
+	peer1ifaceName := fmt.Sprintf("utun%d", WgIntNumber+400)
+	peer1wgIP := "10.99.99.17/30"
+	peer1Key, _ := wgtypes.GeneratePrivateKey()
+	//peer1Port := WgPort + 4
+
+	peer2ifaceName := fmt.Sprintf("utun%d", 500)
+	peer2wgIP := "10.99.99.18/30"
+	peer2Key, _ := wgtypes.GeneratePrivateKey()
+	//peer2Port := WgPort + 5
+
+	keepAlive := 1 * time.Second
+
+	iface1, err := NewWGIFace(peer1ifaceName, peer1wgIP, DefaultMTU)
 	if err != nil {
 		t.Fatal(err)
 	}
-	wg, err := wgctrl.New()
+	err = iface1.Create()
+	if err != nil {
+		t.Fatal(err)
+	}
+	peer1Port, err := iface1.GetListenPort()
+	if err != nil {
+		t.Fatal(err)
+	}
+	peer1endpoint, err := net.ResolveUDPAddr("udp", fmt.Sprintf("127.0.0.1:%d", *peer1Port))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	iface2, err := NewWGIFace(peer2ifaceName, peer2wgIP, DefaultMTU)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface2.Create()
+	if err != nil {
+		t.Fatal(err)
+	}
+	peer2Port, err := iface2.GetListenPort()
+	if err != nil {
+		t.Fatal(err)
+	}
+	peer2endpoint, err := net.ResolveUDPAddr("udp", fmt.Sprintf("127.0.0.1:%d", *peer2Port))
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer func() {
-		err = wg.Close()
+		err = iface1.Close()
+		if err != nil {
+			t.Error(err)
+		}
+		err = iface2.Close()
 		if err != nil {
 			t.Error(err)
 		}
 	}()
 
-	d, err := wg.Device(ifaceName)
+	err = iface1.Configure(peer1Key.String(), *peer1Port)
 	if err != nil {
 		t.Fatal(err)
 	}
-	// todo move the WgPort constant to the client
-	WgPort = d.ListenPort
-	err = Close()
+	err = iface2.Configure(peer2Key.String(), *peer2Port)
 	if err != nil {
 		t.Fatal(err)
 	}
+
+	err = iface1.UpdatePeer(peer2Key.PublicKey().String(), peer2wgIP, keepAlive, peer2endpoint, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface2.UpdatePeer(peer1Key.PublicKey().String(), peer1wgIP, keepAlive, peer1endpoint, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	timeout := 10 * time.Second
+	timeoutChannel := time.After(timeout)
+	for {
+		select {
+		case <-timeoutChannel:
+			t.Fatalf("waiting for peer handshake timeout after %s", timeout.String())
+		default:
+		}
+		peer, gpErr := getPeer(peer1ifaceName, peer2Key.PublicKey().String(), t)
+		if gpErr != nil {
+			t.Fatal(gpErr)
+		}
+		if !peer.LastHandshakeTime.IsZero() {
+			t.Log("peers successfully handshake")
+			break
+		}
+	}
+
 }
-func getPeer(ifaceName string, t *testing.T) (wgtypes.Peer, error) {
+
+func getPeer(ifaceName, peerPubKey string, t *testing.T) (wgtypes.Peer, error) {
 	emptyPeer := wgtypes.Peer{}
 	wg, err := wgctrl.New()
 	if err != nil {

iface/iface_unix.go

@@ -1,12 +1,58 @@
+//go:build linux || darwin
 // +build linux darwin
 
 package iface
 
 import (
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/ipc"
+	"golang.zx2c4.com/wireguard/tun"
 	"net"
 )
 
+// createWithUserspace Creates a new Wireguard interface, using wireguard-go userspace implementation
+func (w *WGIface) createWithUserspace() error {
+
+	tunIface, err := tun.CreateTUN(w.Name, w.MTU)
+	if err != nil {
+		return err
+	}
+
+	w.Interface = tunIface
+
+	// We need to create a wireguard-go device and listen to configuration requests
+	tunDevice := device.NewDevice(tunIface, conn.NewDefaultBind(), device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
+	err = tunDevice.Up()
+	if err != nil {
+		return err
+	}
+	uapi, err := getUAPI(w.Name)
+	if err != nil {
+		return err
+	}
+
+	go func() {
+		for {
+			uapiConn, uapiErr := uapi.Accept()
+			if uapiErr != nil {
+				log.Traceln("uapi Accept failed with error: ", uapiErr)
+				continue
+			}
+			go tunDevice.IpcHandle(uapiConn)
+		}
+	}()
+
+	log.Debugln("UAPI listener started")
+
+	err = w.assignAddr()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // getUAPI returns a Listener
 func getUAPI(iface string) (net.Listener, error) {
 	tunSock, err := ipc.UAPIOpen(iface)
@@ -15,3 +61,17 @@ func getUAPI(iface string) (net.Listener, error) {
 	}
 	return ipc.UAPIListen(iface, tunSock)
 }
+
+// UpdateAddr updates address of the interface
+func (w *WGIface) UpdateAddr(newAddr string) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	addr, err := parseAddress(newAddr)
+	if err != nil {
+		return err
+	}
+
+	w.Address = addr
+	return w.assignAddr()
+}

iface/iface_windows.go

@@ -1,46 +1,59 @@
 package iface
 
 import (
+	"fmt"
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/ipc"
-	"golang.zx2c4.com/wireguard/tun"
+	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/windows/driver"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"net"
 )
 
 // Create Creates a new Wireguard interface, sets a given IP and brings it up.
-func Create(iface string, address string) error {
-	return CreateWithUserspace(iface, address)
+func (w *WGIface) Create() error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	WintunStaticRequestedGUID, _ := windows.GenerateGUID()
+	adapter, err := driver.CreateAdapter(w.Name, "WireGuard", &WintunStaticRequestedGUID)
+	if err != nil {
+		err = fmt.Errorf("error creating adapter: %w", err)
+		return err
+	}
+	w.Interface = adapter
+	luid := adapter.LUID()
+	err = adapter.SetAdapterState(driver.AdapterStateUp)
+	if err != nil {
+		return err
+	}
+	state, _ := luid.GUID()
+	log.Debugln("device guid: ", state.String())
+	return w.assignAddr(luid)
 }
 
 // assignAddr Adds IP address to the tunnel interface and network route based on the range provided
-func assignAddr(address string, ifaceName string) error {
+func (w *WGIface) assignAddr(luid winipcfg.LUID) error {
 
-	nativeTunDevice := tunIface.(*tun.NativeTun)
-	luid := winipcfg.LUID(nativeTunDevice.LUID())
-
-	ip, ipnet, _ := net.ParseCIDR(address)
-
-	log.Debugf("adding address %s to interface: %s", address, ifaceName)
-	err := luid.SetIPAddresses([]net.IPNet{{ip, ipnet.Mask}})
+	log.Debugf("adding address %s to interface: %s", w.Address.IP, w.Name)
+	err := luid.SetIPAddresses([]net.IPNet{{w.Address.IP, w.Address.Network.Mask}})
 	if err != nil {
 		return err
 	}
 
-	log.Debugf("adding Routes to interface: %s", ifaceName)
-	err = luid.SetRoutes([]*winipcfg.RouteData{{*ipnet, ipnet.IP, 0}})
-	if err != nil {
-		return err
-	}
 	return nil
 }
 
-// getUAPI returns a Listener
-func getUAPI(iface string) (net.Listener, error) {
-	return ipc.UAPIListen(iface)
-}
+// UpdateAddr updates address of the interface
+func (w *WGIface) UpdateAddr(newAddr string) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
 
-// Closes the tunnel interface
-func Close() error {
-	return CloseWithUserspace()
+	luid := w.Interface.(*driver.Adapter).LUID()
+	addr, err := parseAddress(newAddr)
+	if err != nil {
+		return err
+	}
+
+	w.Address = addr
+	return w.assignAddr(luid)
 }

iface/ifacename.go

@@ -1,3 +1,4 @@
+//go:build linux || windows
 // +build linux windows
 
 package iface