Fix RemoveConnByUfrag

Fix some iface issues
Remove unused code
2026-03-31 14:44:34 -04:00 · 2022-09-08 19:39:05 +02:00 · 2022-09-07 21:59:01 +02:00 · 2022-09-07 21:40:45 +02:00 · 2022-09-07 19:40:34 +02:00 · 2022-09-07 19:02:17 +02:00
123 changed files with 10394 additions and 1389 deletions
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -3,15 +3,12 @@ on: [push,pull_request]

 jobs:
  test:
-    strategy:
-      matrix:
-        go-version: [1.18.x]
    runs-on: macos-latest
    steps:
      - name: Install Go
        uses: actions/setup-go@v2
        with:
-          go-version: ${{ matrix.go-version }}
+          go-version: 1.18.x
      - name: Checkout code
        uses: actions/checkout@v2

--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -5,13 +5,13 @@ jobs:
  test:
    strategy:
      matrix:
-        go-version: [1.18.x]
+        arch: ['386','amd64']
    runs-on: ubuntu-latest
    steps:
      - name: Install Go
        uses: actions/setup-go@v2
        with:
-          go-version: ${{ matrix.go-version }}
+          go-version: 1.18.x


      - name: Cache Go modules
@@ -32,4 +32,4 @@ jobs:
        run: go mod tidy

      - name: Test
-        run: go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...
+        run: GOARCH=${{ matrix.arch }} go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -18,13 +18,8 @@ jobs:

  test:
    needs: pre
-    strategy:
-      matrix:
-        go-version: [1.18.x]
    runs-on: windows-latest
    steps:
-      - name: disable defender
-        run: Set-MpPreference -DisableRealtimeMonitoring $true

      - name: Checkout code
        uses: actions/checkout@v2
@@ -32,27 +27,22 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v2
        with:
-          go-version: ${{ matrix.go-version }}
+          go-version: 1.18.x

      - uses: actions/cache@v2
        with:
          path: |
            %LocalAppData%\go-build
-            ~/go/pkg/mod
+            ~\go\pkg\mod
+            ~\AppData\Local\go-build
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-

-      - name: enable defender
-        run: Set-MpPreference -DisableRealtimeMonitoring $false
-
      - uses: actions/download-artifact@v2
        with:
          name: syso
          path: iface\

-#      - name: Install modules
-#        run: go mod tidy
-
      - name: Test
-        run: go test -tags=load_wgnt_from_rsrc -timeout 5m -p 1 ./...
+        run: go test -tags=load_wgnt_from_rsrc -timeout 5m -p 1 ./...
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -6,12 +6,16 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
-
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.18.x
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v2
        with:
-          args: --timeout=6m
+          #  SA1019: "io/ioutil" has been deprecated since Go 1.16
+          args: --timeout=6m -e SA1019


--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,7 @@ on:

 env:
  SIGN_PIPE_VER: "v0.0.3"
+  GORELEASER_VER: "v1.6.3"

 jobs:
  release:
@@ -40,6 +41,9 @@ jobs:
      -
        name: Install modules
        run: go mod tidy
+      -
+        name: check git status
+        run: git --no-pager diff --exit-code
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v1
@@ -54,45 +58,75 @@ jobs:
          username: netbirdio
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-mingw-w64-x86-64
-
-      - name: Install rsrc
-        run: go install github.com/akavel/rsrc@v0.10.2
-
-      - name: Generate windows rsrc
-        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/ui/manifest.xml -o client/ui/resources_windows_amd64.syso
-
      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v2
        with:
-          version: v1.6.3
+          version: ${{ env.GORELEASER_VER }}
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-      -
-        name: Trigger Windows binaries sign pipeline
-        uses: benc-uk/workflow-dispatch@v1
-        if: startsWith(github.ref, 'refs/tags/')
-        with:
-          workflow: Sign windows bin and installer
-          repo: netbirdio/sign-pipelines
-          ref: ${{ env.SIGN_PIPE_VER }}
-          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
      -
        name: upload non tags for debug purposes
        uses: actions/upload-artifact@v2
        with:
-          name: build
+          name: release
          path: dist/
          retention-days: 3
-          
+
  release_ui:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
+
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.18
+      - name: Cache Go modules
+        uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-ui-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-ui-go-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-mingw-w64-x86-64
+      - name: Install rsrc
+        run: go install github.com/akavel/rsrc@v0.10.2
+      - name: Generate windows rsrc
+        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/ui/manifest.xml -o client/ui/resources_windows_amd64.syso
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          version: ${{ env.GORELEASER_VER }}
+          args: release --config .goreleaser_ui.yaml --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+      - name: upload non tags for debug purposes
+        uses: actions/upload-artifact@v2
+        with:
+          name: release-ui
+          path: dist/
+          retention-days: 3
+
+  release_ui_darwin:
    runs-on: macos-latest
    steps:
      -
@@ -110,9 +144,9 @@ jobs:
        uses: actions/cache@v1
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-ui-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go-
+            ${{ runner.os }}-ui-go-
      -
        name: Install modules
        run: go mod tidy
@@ -121,26 +155,42 @@ jobs:
        id: goreleaser
        uses: goreleaser/goreleaser-action@v2
        with:
-          version: v1.6.3
+          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui_darwin.yaml --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
      -
-        name: Trigger Darwin App binaries sign pipeline
-        uses: benc-uk/workflow-dispatch@v1
-        if: startsWith(github.ref, 'refs/tags/')
+        name: upload non tags for debug purposes
+        uses: actions/upload-artifact@v2
        with:
-          workflow: Sign darwin ui app with dispatch
+          name: release-ui-darwin
+          path: dist/
+          retention-days: 3
+
+  trigger_windows_signer:
+    runs-on: ubuntu-latest
+    needs: [release,release_ui]
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Trigger Windows binaries sign pipeline
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: Sign windows bin and installer
          repo: netbirdio/sign-pipelines
          ref: ${{ env.SIGN_PIPE_VER }}
          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
          inputs: '{ "tag": "${{ github.ref }}" }'

-      -
-        name: upload non tags for debug purposes
-        uses: actions/upload-artifact@v2
+  trigger_darwin_signer:
+    runs-on: ubuntu-latest
+    needs: release_ui_darwin
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Trigger Darwin App binaries sign pipeline
+        uses: benc-uk/workflow-dispatch@v1
        with:
-          name: build-ui-darwin
-          path: dist/
-          retention-days: 3
+          workflow: Sign darwin ui app with dispatch
+          repo: netbirdio/sign-pipelines
+          ref: ${{ env.SIGN_PIPE_VER }}
+          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.github/workflows/test-docker-compose-linux.yml
+++ b/.github/workflows/test-docker-compose-linux.yml
@@ -5,6 +5,12 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
+      - name: Install jq
+        run: sudo apt-get install -y jq
+
+      - name: Install curl
+        run: sudo apt-get install -y curl
+
      - name: Install Go
        uses: actions/setup-go@v2
        with:
@@ -28,22 +34,30 @@ jobs:
        working-directory: infrastructure_files
        run: bash -x configure.sh
        env:
-          CI_NETBIRD_AUTH0_DOMAIN: ${{ secrets.CI_NETBIRD_AUTH0_DOMAIN }}
-          CI_NETBIRD_AUTH0_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH0_CLIENT_ID }}
-          CI_NETBIRD_AUTH0_AUDIENCE: testing.ci
+          CI_NETBIRD_AUTH_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH_CLIENT_ID }}
+          CI_NETBIRD_AUTH_AUDIENCE: testing.ci
+          CI_NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT: https://example.eu.auth0.com/.well-known/openid-configuration
+          CI_NETBIRD_USE_AUTH0: true

      - name: check values
        working-directory: infrastructure_files
        env:
-          CI_NETBIRD_AUTH0_DOMAIN: ${{ secrets.CI_NETBIRD_AUTH0_DOMAIN }}
-          CI_NETBIRD_AUTH0_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH0_CLIENT_ID }}
-          CI_NETBIRD_AUTH0_AUDIENCE: testing.ci
+          CI_NETBIRD_AUTH_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH_CLIENT_ID }}
+          CI_NETBIRD_AUTH_AUDIENCE: testing.ci
+          CI_NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT: https://example.eu.auth0.com/.well-known/openid-configuration
+          CI_NETBIRD_USE_AUTH0: true
+          CI_NETBIRD_AUTH_SUPPORTED_SCOPES: "openid profile email offline_access api email_verified"
+          CI_NETBIRD_AUTH_AUTHORITY: https://example.eu.auth0.com/
+          CI_NETBIRD_AUTH_JWT_CERTS: https://example.eu.auth0.com/.well-known/jwks.json
+          CI_NETBIRD_AUTH_TOKEN_ENDPOINT: https://example.eu.auth0.com/oauth/token
+          CI_NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT: https://example.eu.auth0.com/oauth/device/code
        run: |
-          grep AUTH0_DOMAIN docker-compose.yml | grep $CI_NETBIRD_AUTH0_DOMAIN
-          grep AUTH0_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH0_CLIENT_ID
-          grep AUTH0_AUDIENCE docker-compose.yml | grep $CI_NETBIRD_AUTH0_AUDIENCE
-          grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "http://localhost:33071"  
-          grep NETBIRD_MGMT_GRPC_API_ENDPOINT docker-compose.yml | grep "http://localhost:33073"
+          grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
+          grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
+          grep AUTH_AUDIENCE docker-compose.yml | grep $CI_NETBIRD_AUTH_AUDIENCE
+          grep AUTH_SUPPORTED_SCOPES docker-compose.yml | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
+          grep USE_AUTH0 docker-compose.yml | grep $CI_NETBIRD_USE_AUTH0
+          grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "http://localhost:33073"  

      - name: run docker compose up
        working-directory: infrastructure_files
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -13,6 +13,7 @@ builds:
      - amd64
      - arm64
      - mips
+      - 386
    gomips:
      - hardfloat
      - softfloat
@@ -21,6 +22,8 @@ builds:
        goarch: arm64
      - goos: windows
        goarch: arm
+      - goos: windows
+        goarch: 386
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: '{{ .CommitTimestamp }}'
@@ -55,88 +58,12 @@ builds:
      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: '{{ .CommitTimestamp }}'

-  - id: netbird-ui
-    dir: client/ui
-    binary: netbird-ui
-    env:
-      - CGO_ENABLED=1
-    goos:
-      - linux
-    goarch:
-      - amd64
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: '{{ .CommitTimestamp }}'
-
-  - id: netbird-ui-windows
-    dir: client/ui
-    binary: netbird-ui
-    env:
-      - CGO_ENABLED=1
-      - CC=x86_64-w64-mingw32-gcc
-    goos:
-      - windows
-    goarch:
-      - amd64
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-      - -H windowsgui
-    mod_timestamp: '{{ .CommitTimestamp }}'
-
 archives:
  - builds:
      - netbird
-  - id: linux-arch
-    name_template: "{{ .ProjectName }}-ui-linux_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
-    builds:
-      - netbird-ui
-  - id: windows-arch
-    name_template: "{{ .ProjectName }}-ui-windows_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
-    builds:
-      - netbird-ui-windows

 nfpms:

-  - maintainer: Netbird <dev@netbird.io>
-    description: Netbird client UI.
-    homepage: https://netbird.io/
-    id: netbird-ui-deb
-    package_name: netbird-ui
-    builds:
-      - netbird-ui
-    formats:
-      - deb
-    contents:
-      - src: client/ui/netbird.desktop
-        dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/disconnected.png
-        dst: /usr/share/pixmaps/netbird.png
-    dependencies:
-      - libayatana-appindicator3-1
-      - libgtk-3-dev
-      - libappindicator3-dev
-      - netbird
-
-  - maintainer: Netbird <dev@netbird.io>
-    description: Netbird client UI.
-    homepage: https://netbird.io/
-    id: netbird-ui-rpm
-    package_name: netbird-ui
-    builds:
-      - netbird-ui
-    formats:
-      - rpm
-    contents:
-      - src: client/ui/netbird.desktop
-        dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/disconnected.png
-        dst: /usr/share/pixmaps/netbird.png
-    dependencies:
-      - libayatana-appindicator3-1
-      - libgtk-3-dev
-      - libappindicator3-dev
-      - netbird
-
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
@@ -428,7 +355,6 @@ uploads:
  - name: debian
    ids:
    - netbird-deb
-    - netbird-ui-deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -437,7 +363,6 @@ uploads:
  - name: yum
    ids:
      - netbird-rpm
-      - netbird-ui-rpm
    mode: archive
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -0,0 +1,98 @@
+project_name: netbird-ui
+builds:
+  - id: netbird-ui
+    dir: client/ui
+    binary: netbird-ui
+    env:
+      - CGO_ENABLED=1
+    goos:
+      - linux
+    goarch:
+      - amd64
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
+  - id: netbird-ui-windows
+    dir: client/ui
+    binary: netbird-ui
+    env:
+      - CGO_ENABLED=1
+      - CC=x86_64-w64-mingw32-gcc
+    goos:
+      - windows
+    goarch:
+      - amd64
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -H windowsgui
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
+archives:
+  - id: linux-arch
+    name_template: "{{ .ProjectName }}-linux_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    builds:
+      - netbird-ui
+  - id: windows-arch
+    name_template: "{{ .ProjectName }}-windows_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    builds:
+      - netbird-ui-windows
+
+nfpms:
+
+  - maintainer: Netbird <dev@netbird.io>
+    description: Netbird client UI.
+    homepage: https://netbird.io/
+    id: netbird-ui-deb
+    package_name: netbird-ui
+    builds:
+      - netbird-ui
+    formats:
+      - deb
+    contents:
+      - src: client/ui/netbird.desktop
+        dst: /usr/share/applications/netbird.desktop
+      - src: client/ui/disconnected.png
+        dst: /usr/share/pixmaps/netbird.png
+    dependencies:
+      - libayatana-appindicator3-1
+      - libgtk-3-dev
+      - libappindicator3-dev
+      - netbird
+
+  - maintainer: Netbird <dev@netbird.io>
+    description: Netbird client UI.
+    homepage: https://netbird.io/
+    id: netbird-ui-rpm
+    package_name: netbird-ui
+    builds:
+      - netbird-ui
+    formats:
+      - rpm
+    contents:
+      - src: client/ui/netbird.desktop
+        dst: /usr/share/applications/netbird.desktop
+      - src: client/ui/disconnected.png
+        dst: /usr/share/pixmaps/netbird.png
+    dependencies:
+      - libayatana-appindicator3-1
+      - libgtk-3-dev
+      - libappindicator3-dev
+      - netbird
+
+uploads:
+  - name: debian
+    ids:
+    - netbird-ui-deb
+    mode: archive
+    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
+    username: dev@wiretrustee.com
+    method: PUT
+
+  - name: yum
+    ids:
+      - netbird-ui-rpm
+    mode: archive
+    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
+    username: dev@wiretrustee.com
+    method: PUT
--- a/.goreleaser_ui_darwin.yaml
+++ b/.goreleaser_ui_darwin.yaml
@@ -14,7 +14,7 @@ builds:
      - hardfloat
      - softfloat
    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/client/ui/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: '{{ .CommitTimestamp }}'
    tags:
      - load_wgnt_from_rsrc
@@ -23,5 +23,7 @@ archives:
  - builds:
      - netbird-ui-darwin

+checksum:
+  name_template: "{{ .ProjectName }}_darwin_checksums.txt"
 changelog:
  skip: true
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 <p align="center">
- <strong>:hatching_chick: New release! Seamless Access Controls</strong>.
-  <a href="https://github.com/netbirdio/netbird/releases/tag/v0.7.0">
+ <strong>:hatching_chick: New release! NetBird Easy SSH</strong>.
+  <a href="https://github.com/netbirdio/netbird/releases/tag/v0.8.0">
       Learn more
     </a>   
 </p>
@@ -53,8 +53,10 @@ NetBird creates an overlay peer-to-peer network connecting machines automaticall
 -  \[x] Multicloud and hybrid-cloud support.
 -  \[x] Kernel WireGuard usage when possible.
 -  \[x] Access Controls - groups & rules.
+-  \[x] Remote SSH access without managing SSH keys.
  
 **Coming soon:**
+-  \[ ] Network Routes.
 -  \[ ] Private DNS.
 -  \[ ] Mobile clients.
 -  \[ ] Network Activity Monitoring.
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -1,4 +1,7 @@
 FROM gcr.io/distroless/base:debug
 ENV WT_LOG_FILE=console
+ENV PATH=/sbin:/usr/sbin:/bin:/usr/bin:/busybox
+SHELL ["/busybox/sh","-c"]
+RUN sed -i -E 's/(^root:.+)\/sbin\/nologin/\1\/busybox\/sh/g' /etc/passwd
 ENTRYPOINT [ "/go/bin/netbird","up"]
 COPY netbird /go/bin/netbird
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -43,6 +43,8 @@ var loginCmd = &cobra.Command{
 				return fmt.Errorf("get config file: %v", err)
 			}

+			config, _ = internal.UpdateOldManagementPort(ctx, config, configPath)
+
 			err = foregroundLogin(ctx, cmd, config, setupKey)
 			if err != nil {
 				return fmt.Errorf("foreground login failed: %v", err)
@@ -167,7 +169,8 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 	hostedClient := internal.NewHostedDeviceFlow(
 		providerConfig.ProviderConfig.Audience,
 		providerConfig.ProviderConfig.ClientID,
-		providerConfig.ProviderConfig.Domain,
+		providerConfig.ProviderConfig.TokenEndpoint,
+		providerConfig.ProviderConfig.DeviceAuthEndpoint,
 	)

 	flowInfo, err := hostedClient.RequestDeviceCode(context.TODO())
--- a/client/cmd/ssh.go
+++ b/client/cmd/ssh.go
@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/proto"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/util"
 	log "github.com/sirupsen/logrus"
@@ -18,7 +17,7 @@ import (

 var (
 	port int
-	user = "netbird"
+	user = "root"
 	host string
 )

@@ -57,34 +56,6 @@ var sshCmd = &cobra.Command{

 		ctx := internal.CtxInitState(cmd.Context())

-		conn, err := DialClientGRPCServer(ctx, daemonAddr)
-		if err != nil {
-			return fmt.Errorf("failed to connect to daemon error: %v\n"+
-				"If the daemon is not running please run: "+
-				"\nnetbird service install \nnetbird service start\n", err)
-		}
-
-		defer func() {
-			err := conn.Close()
-			if err != nil {
-				log.Warnf("failed closing dameon gRPC client connection %v", err)
-				return
-			}
-		}()
-		client := proto.NewDaemonServiceClient(conn)
-
-		status, err := client.Status(ctx, &proto.StatusRequest{})
-		if err != nil {
-			return fmt.Errorf("unable to get daemon status: %v", err)
-		}
-
-		if status.Status != string(internal.StatusConnected) {
-			// todo maybe automatically start it?
-			cmd.Printf("You are disconnected from the NetBird network. Please run the UP command first to connect: \n\n" +
-				" netbird up \n\n")
-			return nil
-		}
-
 		config, err := internal.ReadConfig("", "", configPath, nil)
 		if err != nil {
 			return err
@@ -95,7 +66,8 @@ var sshCmd = &cobra.Command{
 		sshctx, cancel := context.WithCancel(ctx)

 		go func() {
-			if err := runSSH(sshctx, host, []byte(config.SSHKey)); err != nil {
+			// blocking
+			if err := runSSH(sshctx, host, []byte(config.SSHKey), cmd); err != nil {
 				log.Print(err)
 			}
 			cancel()
@@ -111,10 +83,16 @@ var sshCmd = &cobra.Command{
 	},
 }

-func runSSH(ctx context.Context, addr string, pemKey []byte) error {
+func runSSH(ctx context.Context, addr string, pemKey []byte, cmd *cobra.Command) error {
 	c, err := nbssh.DialWithKey(fmt.Sprintf("%s:%d", addr, port), user, pemKey)
 	if err != nil {
-		return err
+		cmd.Printf("Error: %v\n", err)
+		cmd.Printf("Couldn't connect. " +
+			"You might be disconnected from the NetBird network, or the NetBird agent isn't running.\n" +
+			"Run the status command: \n\n" +
+			" netbird status\n\n" +
+			"It might also be that the SSH server is disabled on the agent you are trying to connect to.\n")
+		return nil
 	}
 	go func() {
 		<-ctx.Done()
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -3,13 +3,24 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/proto"
+	nbStatus "github.com/netbirdio/netbird/client/status"
+	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/util"
-
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
+	"net/netip"
+	"sort"
+	"strings"
+)

-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/proto"
+var (
+	detailFlag   bool
+	ipsFilter    []string
+	statusFilter string
+	ipsFilterMap map[string]struct{}
 )

 var statusCmd = &cobra.Command{
@@ -20,7 +31,12 @@ var statusCmd = &cobra.Command{

 		cmd.SetOut(cmd.OutOrStdout())

-		err := util.InitLog(logLevel, "console")
+		err := parseFilters()
+		if err != nil {
+			return err
+		}
+
+		err = util.InitLog(logLevel, "console")
 		if err != nil {
 			return fmt.Errorf("failed initializing log %v", err)
 		}
@@ -35,21 +51,251 @@ var statusCmd = &cobra.Command{
 		}
 		defer conn.Close()

-		resp, err := proto.NewDaemonServiceClient(conn).Status(cmd.Context(), &proto.StatusRequest{})
+		resp, err := proto.NewDaemonServiceClient(conn).Status(cmd.Context(), &proto.StatusRequest{GetFullPeerStatus: true})
 		if err != nil {
 			return fmt.Errorf("status failed: %v", status.Convert(err).Message())
 		}

-		cmd.Printf("Status: %s\n\n", resp.GetStatus())
+		daemonStatus := fmt.Sprintf("Daemon status: %s\n", resp.GetStatus())
 		if resp.GetStatus() == string(internal.StatusNeedsLogin) || resp.GetStatus() == string(internal.StatusLoginFailed) {

-			cmd.Printf("Run UP command to log in with SSO (interactive login):\n\n" +
-				" netbird up \n\n" +
-				"If you are running a self-hosted version and no SSO provider has been configured in your Management Server,\n" +
-				"you can use a setup-key:\n\n netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY>\n\n" +
-				"More info: https://www.netbird.io/docs/overview/setup-keys\n\n")
+			cmd.Printf("%s\n"+
+				"Run UP command to log in with SSO (interactive login):\n\n"+
+				" netbird up \n\n"+
+				"If you are running a self-hosted version and no SSO provider has been configured in your Management Server,\n"+
+				"you can use a setup-key:\n\n netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY>\n\n"+
+				"More info: https://www.netbird.io/docs/overview/setup-keys\n\n",
+				daemonStatus,
+			)
+			return nil
 		}

+		pbFullStatus := resp.GetFullStatus()
+		fullStatus := fromProtoFullStatus(pbFullStatus)
+
+		cmd.Print(parseFullStatus(fullStatus, detailFlag, daemonStatus, resp.GetDaemonVersion()))
+
 		return nil
 	},
 }
+
+func init() {
+	ipsFilterMap = make(map[string]struct{})
+	statusCmd.PersistentFlags().BoolVarP(&detailFlag, "detail", "d", false, "display detailed status information")
+	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs, e.g. --filter-by-ips 100.64.0.100,100.64.0.200")
+	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(connected|disconnected), e.g. --filter-by-status connected")
+}
+
+func parseFilters() error {
+	switch strings.ToLower(statusFilter) {
+	case "", "disconnected", "connected":
+	default:
+		return fmt.Errorf("wrong status filter, should be one of connected|disconnected, got: %s", statusFilter)
+	}
+
+	if len(ipsFilter) > 0 {
+		for _, addr := range ipsFilter {
+			_, err := netip.ParseAddr(addr)
+			if err != nil {
+				return fmt.Errorf("got an invalid IP address in the filter: address %s, error %s", addr, err)
+			}
+			ipsFilterMap[addr] = struct{}{}
+		}
+	}
+	return nil
+}
+
+func fromProtoFullStatus(pbFullStatus *proto.FullStatus) nbStatus.FullStatus {
+	var fullStatus nbStatus.FullStatus
+	managementState := pbFullStatus.GetManagementState()
+	fullStatus.ManagementState.URL = managementState.GetURL()
+	fullStatus.ManagementState.Connected = managementState.GetConnected()
+
+	signalState := pbFullStatus.GetSignalState()
+	fullStatus.SignalState.URL = signalState.GetURL()
+	fullStatus.SignalState.Connected = signalState.GetConnected()
+
+	localPeerState := pbFullStatus.GetLocalPeerState()
+	fullStatus.LocalPeerState.IP = localPeerState.GetIP()
+	fullStatus.LocalPeerState.PubKey = localPeerState.GetPubKey()
+	fullStatus.LocalPeerState.KernelInterface = localPeerState.GetKernelInterface()
+
+	var peersState []nbStatus.PeerState
+
+	for _, pbPeerState := range pbFullStatus.GetPeers() {
+		timeLocal := pbPeerState.GetConnStatusUpdate().AsTime().Local()
+		peerState := nbStatus.PeerState{
+			IP:                     pbPeerState.GetIP(),
+			PubKey:                 pbPeerState.GetPubKey(),
+			ConnStatus:             pbPeerState.GetConnStatus(),
+			ConnStatusUpdate:       timeLocal,
+			Relayed:                pbPeerState.GetRelayed(),
+			Direct:                 pbPeerState.GetDirect(),
+			LocalIceCandidateType:  pbPeerState.GetLocalIceCandidateType(),
+			RemoteIceCandidateType: pbPeerState.GetRemoteIceCandidateType(),
+		}
+		peersState = append(peersState, peerState)
+	}
+
+	fullStatus.Peers = peersState
+
+	return fullStatus
+}
+
+func parseFullStatus(fullStatus nbStatus.FullStatus, printDetail bool, daemonStatus string, daemonVersion string) string {
+	var (
+		managementStatusURL  = ""
+		signalStatusURL      = ""
+		managementConnString = "Disconnected"
+		signalConnString     = "Disconnected"
+		interfaceTypeString  = "Userspace"
+	)
+
+	if printDetail {
+		managementStatusURL = fmt.Sprintf(" to %s", fullStatus.ManagementState.URL)
+		signalStatusURL = fmt.Sprintf(" to %s", fullStatus.SignalState.URL)
+	}
+
+	if fullStatus.ManagementState.Connected {
+		managementConnString = "Connected"
+	}
+
+	if fullStatus.SignalState.Connected {
+		signalConnString = "Connected"
+	}
+
+	interfaceIP := fullStatus.LocalPeerState.IP
+
+	if fullStatus.LocalPeerState.KernelInterface {
+		interfaceTypeString = "Kernel"
+	} else if fullStatus.LocalPeerState.IP == "" {
+		interfaceTypeString = "N/A"
+		interfaceIP = "N/A"
+	}
+
+	parsedPeersString, peersConnected := parsePeers(fullStatus.Peers, printDetail)
+
+	peersCountString := fmt.Sprintf("%d/%d Connected", peersConnected, len(fullStatus.Peers))
+
+	summary := fmt.Sprintf(
+		"Daemon version: %s\n"+
+			"CLI version: %s\n"+
+			"%s"+ // daemon status
+			"Management: %s%s\n"+
+			"Signal:  %s%s\n"+
+			"NetBird IP: %s\n"+
+			"Interface type: %s\n"+
+			"Peers count: %s\n",
+		daemonVersion,
+		system.NetbirdVersion(),
+		daemonStatus,
+		managementConnString,
+		managementStatusURL,
+		signalConnString,
+		signalStatusURL,
+		interfaceIP,
+		interfaceTypeString,
+		peersCountString,
+	)
+
+	if printDetail {
+		return fmt.Sprintf(
+			"Peers detail:"+
+				"%s\n"+
+				"%s",
+			parsedPeersString,
+			summary,
+		)
+	}
+	return summary
+}
+
+func parsePeers(peers []nbStatus.PeerState, printDetail bool) (string, int) {
+	var (
+		peersString    = ""
+		peersConnected = 0
+	)
+
+	if len(peers) > 0 {
+		sort.SliceStable(peers, func(i, j int) bool {
+			iAddr, _ := netip.ParseAddr(peers[i].IP)
+			jAddr, _ := netip.ParseAddr(peers[j].IP)
+			return iAddr.Compare(jAddr) == -1
+		})
+	}
+
+	connectedStatusString := peer.StatusConnected.String()
+
+	for _, peerState := range peers {
+		peerConnectionStatus := false
+		if peerState.ConnStatus == connectedStatusString {
+			peersConnected = peersConnected + 1
+			peerConnectionStatus = true
+		}
+
+		if printDetail {
+
+			if skipDetailByFilters(peerState, peerConnectionStatus) {
+				continue
+			}
+
+			localICE := "-"
+			remoteICE := "-"
+			connType := "-"
+
+			if peerConnectionStatus {
+				localICE = peerState.LocalIceCandidateType
+				remoteICE = peerState.RemoteIceCandidateType
+				connType = "P2P"
+				if peerState.Relayed {
+					connType = "Relayed"
+				}
+			}
+
+			peerString := fmt.Sprintf(
+				"\n Peer:\n"+
+					"  NetBird IP: %s\n"+
+					"  Public key: %s\n"+
+					"  Status: %s\n"+
+					"  -- detail --\n"+
+					"  Connection type: %s\n"+
+					"  Direct: %t\n"+
+					"  ICE candidate (Local/Remote): %s/%s\n"+
+					"  Last connection update: %s\n",
+				peerState.IP,
+				peerState.PubKey,
+				peerState.ConnStatus,
+				connType,
+				peerState.Direct,
+				localICE,
+				remoteICE,
+				peerState.ConnStatusUpdate.Format("2006-01-02 15:04:05"),
+			)
+
+			peersString = peersString + peerString
+		}
+	}
+	return peersString, peersConnected
+}
+
+func skipDetailByFilters(peerState nbStatus.PeerState, isConnected bool) bool {
+	statusEval := false
+	ipEval := false
+
+	if statusFilter != "" {
+		lowerStatusFilter := strings.ToLower(statusFilter)
+		if lowerStatusFilter == "disconnected" && isConnected {
+			statusEval = true
+		} else if lowerStatusFilter == "connected" && !isConnected {
+			statusEval = true
+		}
+	}
+
+	if len(ipsFilter) > 0 {
+		_, ok := ipsFilterMap[peerState.IP]
+		if !ok {
+			ipEval = true
+		}
+	}
+	return statusEval || ipEval
+}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/proto"
+	nbStatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/util"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -39,6 +40,8 @@ var upCmd = &cobra.Command{
 				return fmt.Errorf("get config file: %v", err)
 			}

+			config, _ = internal.UpdateOldManagementPort(ctx, config, configPath)
+
 			err = foregroundLogin(ctx, cmd, config, setupKey)
 			if err != nil {
 				return fmt.Errorf("foreground login failed: %v", err)
@@ -47,7 +50,7 @@ var upCmd = &cobra.Command{
 			var cancel context.CancelFunc
 			ctx, cancel = context.WithCancel(ctx)
 			SetupCloseHandler(ctx, cancel)
-			return internal.RunClient(ctx, config)
+			return internal.RunClient(ctx, config, nbStatus.NewRecorder())
 		}

 		conn, err := DialClientGRPCServer(ctx, daemonAddr)
--- a/client/hhhh.go
+++ b/client/hhhh.go
@@ -0,0 +1,98 @@
+package main
+
+/*
+import (
+	"flag"
+	"github.com/netbirdio/netbird/iface"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"net"
+	"net/http"
+	_ "net/http/pprof"
+	"time"
+)
+
+var name = flag.String("name", "wg0", "WireGuard interface name")
+var addr = flag.String("addr", "100.64.0.1/24", "interface WireGuard IP addr")
+var key = flag.String("key", "100.64.0.1/24", "WireGuard private key")
+var port = flag.Int("port", 51820, "WireGuard port")
+
+var remoteKey = flag.String("remote-key", "", "remote WireGuard public key")
+var remoteAddr = flag.String("remote-addr", "100.64.0.2/32", "remote WireGuard IP addr")
+var remoteEndpoint = flag.String("remote-endpoint", "127.0.0.1:51820", "remote WireGuard endpoint")
+
+func fff() {
+
+	flag.Parse()
+
+	go func() {
+		log.Println(http.ListenAndServe("localhost:6060", nil))
+	}()
+
+	myKey, err := wgtypes.ParseKey(*key)
+	if err != nil {
+		log.Error(err)
+		return
+	}
+
+	log.Infof("public key and addr [%s] [%s] ", myKey.PublicKey().String(), *addr)
+
+	wgIFace, err := iface.NewWGIFace(*name, *addr, 1280)
+	if err != nil {
+		log.Error(err)
+		return
+	}
+	defer wgIFace.Close()
+
+	// todo wrap into UDPMux
+	sharedSock, _, err := listenNet("udp4", *port)
+	if err != nil {
+		log.Error(err)
+		return
+	}
+	defer sharedSock.Close()
+
+	//	err = wgIFace.Create()
+	err = wgIFace.CreateNew(sharedSock)
+	if err != nil {
+		log.Errorf("failed to create interface %s %v", *name, err)
+		return
+	}
+
+	err = wgIFace.Configure(*key, *port)
+	if err != nil {
+		log.Errorf("failed to configure interface %s %v", *name, err)
+		return
+	}
+
+	ip, err := net.ResolveUDPAddr("udp4", *remoteEndpoint)
+	if err != nil {
+		// handle error
+	}
+
+	err = wgIFace.UpdatePeer(*remoteKey, *remoteAddr, 20*time.Second, ip, nil)
+	if err != nil {
+		log.Errorf("failed to configure remote peer %s %v", *remoteKey, err)
+		return
+	}
+
+	select {}
+
+}
+
+func listenNet(network string, port int) (*net.UDPConn, int, error) {
+	conn, err := net.ListenUDP(network, &net.UDPAddr{Port: port})
+	if err != nil {
+		return nil, 0, err
+	}
+
+	// Retrieve port.
+	laddr := conn.LocalAddr()
+	uaddr, err := net.ResolveUDPAddr(
+		laddr.Network(),
+		laddr.String(),
+	)
+	if err != nil {
+		return nil, 0, err
+	}
+	return conn, uaddr.Port, nil
+}*/
--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -22,7 +22,7 @@ func ManagementURLDefault() *url.URL {
 }

 func init() {
-	managementURL, err := parseURL("Management URL", "https://api.wiretrustee.com:33073")
+	managementURL, err := ParseURL("Management URL", "https://api.wiretrustee.com:443")
 	if err != nil {
 		panic(err)
 	}
@@ -37,6 +37,7 @@ type Config struct {
 	ManagementURL  *url.URL
 	AdminURL       *url.URL
 	WgIface        string
+	WgPort         int
 	IFaceBlackList []string
 	// SSHKey is a private SSH key in a PEM format
 	SSHKey string
@@ -49,9 +50,15 @@ func createNewConfig(managementURL, adminURL, configPath, preSharedKey string) (
 	if err != nil {
 		return nil, err
 	}
-	config := &Config{SSHKey: string(pem), PrivateKey: wgKey, WgIface: iface.WgInterfaceDefault, IFaceBlackList: []string{}}
+	config := &Config{
+		SSHKey:         string(pem),
+		PrivateKey:     wgKey,
+		WgIface:        iface.WgInterfaceDefault,
+		WgPort:         iface.DefaultWgPort,
+		IFaceBlackList: []string{},
+	}
 	if managementURL != "" {
-		URL, err := parseURL("Management URL", managementURL)
+		URL, err := ParseURL("Management URL", managementURL)
 		if err != nil {
 			return nil, err
 		}
@@ -64,8 +71,16 @@ func createNewConfig(managementURL, adminURL, configPath, preSharedKey string) (
 		config.PreSharedKey = preSharedKey
 	}

-	config.IFaceBlackList = []string{iface.WgInterfaceDefault, "tun0", "zt", "ZeroTier", "utun", "wg", "ts",
-		"Tailscale", "tailscale"}
+	if adminURL != "" {
+		newURL, err := ParseURL("Admin Panel URL", adminURL)
+		if err != nil {
+			return nil, err
+		}
+		config.AdminURL = newURL
+	}
+
+	config.IFaceBlackList = []string{iface.WgInterfaceDefault, "wt", "utun", "tun0", "zt", "ZeroTier", "utun", "wg", "ts",
+		"Tailscale", "tailscale", "docker", "vet"}

 	err = util.WriteJson(configPath, config)
 	if err != nil {
@@ -75,7 +90,8 @@ func createNewConfig(managementURL, adminURL, configPath, preSharedKey string) (
 	return config, nil
 }

-func parseURL(serviceName, managementURL string) (*url.URL, error) {
+// ParseURL parses and validates management URL
+func ParseURL(serviceName, managementURL string) (*url.URL, error) {
 	parsedMgmtURL, err := url.ParseRequestURI(managementURL)
 	if err != nil {
 		log.Errorf("failed parsing management URL %s: [%s]", managementURL, err.Error())
@@ -107,7 +123,7 @@ func ReadConfig(managementURL, adminURL, configPath string, preSharedKey *string
 	if managementURL != "" && config.ManagementURL.String() != managementURL {
 		log.Infof("new Management URL provided, updated to %s (old value %s)",
 			managementURL, config.ManagementURL)
-		newURL, err := parseURL("Management URL", managementURL)
+		newURL, err := ParseURL("Management URL", managementURL)
 		if err != nil {
 			return nil, err
 		}
@@ -118,7 +134,7 @@ func ReadConfig(managementURL, adminURL, configPath string, preSharedKey *string
 	if adminURL != "" && (config.AdminURL == nil || config.AdminURL.String() != adminURL) {
 		log.Infof("new Admin Panel URL provided, updated to %s (old value %s)",
 			adminURL, config.AdminURL)
-		newURL, err := parseURL("Admin Panel URL", adminURL)
+		newURL, err := ParseURL("Admin Panel URL", adminURL)
 		if err != nil {
 			return nil, err
 		}
@@ -141,6 +157,11 @@ func ReadConfig(managementURL, adminURL, configPath string, preSharedKey *string
 		refresh = true
 	}

+	if config.WgPort == 0 {
+		config.WgPort = iface.DefaultWgPort
+		refresh = true
+	}
+
 	if refresh {
 		// since we have new management URL, we need to update config file
 		if err := util.WriteJson(configPath, config); err != nil {
@@ -188,9 +209,14 @@ type ProviderConfig struct {
 	// ClientSecret An IDP application client secret
 	ClientSecret string
 	// Domain An IDP API domain
+	// Deprecated. Use OIDCConfigEndpoint instead
 	Domain string
 	// Audience An Audience for to authorization validation
 	Audience string
+	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain access token
+	TokenEndpoint string
+	// DeviceAuthEndpoint is the endpoint of an IDP manager where clients can obtain device authorization code
+	DeviceAuthEndpoint string
 }

 func GetDeviceAuthorizationFlowInfo(ctx context.Context, config *Config) (DeviceAuthorizationFlow, error) {
@@ -212,7 +238,13 @@ func GetDeviceAuthorizationFlowInfo(ctx context.Context, config *Config) (Device
 		log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
 		return DeviceAuthorizationFlow{}, err
 	}
-	log.Debugf("connected to management Service %s", config.ManagementURL.String())
+	log.Debugf("connected to the Management service %s", config.ManagementURL.String())
+	defer func() {
+		err = mgmClient.Close()
+		if err != nil {
+			log.Warnf("failed to close the Management service client %v", err)
+		}
+	}()

 	serverKey, err := mgmClient.GetServerPublicKey()
 	if err != nil {
@@ -231,20 +263,16 @@ func GetDeviceAuthorizationFlowInfo(ctx context.Context, config *Config) (Device
 		}
 	}

-	err = mgmClient.Close()
-	if err != nil {
-		log.Errorf("failed closing Management Service client: %v", err)
-		return DeviceAuthorizationFlow{}, err
-	}
-
 	return DeviceAuthorizationFlow{
 		Provider: protoDeviceAuthorizationFlow.Provider.String(),

 		ProviderConfig: ProviderConfig{
-			Audience:     protoDeviceAuthorizationFlow.ProviderConfig.Audience,
-			ClientID:     protoDeviceAuthorizationFlow.ProviderConfig.ClientID,
-			ClientSecret: protoDeviceAuthorizationFlow.ProviderConfig.ClientSecret,
-			Domain:       protoDeviceAuthorizationFlow.ProviderConfig.Domain,
+			Audience:           protoDeviceAuthorizationFlow.GetProviderConfig().GetAudience(),
+			ClientID:           protoDeviceAuthorizationFlow.GetProviderConfig().GetClientID(),
+			ClientSecret:       protoDeviceAuthorizationFlow.GetProviderConfig().GetClientSecret(),
+			Domain:             protoDeviceAuthorizationFlow.GetProviderConfig().Domain,
+			TokenEndpoint:      protoDeviceAuthorizationFlow.GetProviderConfig().GetTokenEndpoint(),
+			DeviceAuthEndpoint: protoDeviceAuthorizationFlow.GetProviderConfig().GetDeviceAuthEndpoint(),
 		},
 	}, nil
 }
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -2,7 +2,10 @@ package internal

 import (
 	"context"
+	"fmt"
 	"github.com/netbirdio/netbird/client/ssh"
+	nbStatus "github.com/netbirdio/netbird/client/status"
+	"strings"
 	"time"

 	"github.com/netbirdio/netbird/client/system"
@@ -16,17 +19,17 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
+	gstatus "google.golang.org/grpc/status"
 )

 // RunClient with main logic.
-func RunClient(ctx context.Context, config *Config) error {
+func RunClient(ctx context.Context, config *Config, statusRecorder *nbStatus.Status) error {
 	backOff := &backoff.ExponentialBackOff{
 		InitialInterval:     time.Second,
-		RandomizationFactor: backoff.DefaultRandomizationFactor,
-		Multiplier:          backoff.DefaultMultiplier,
-		MaxInterval:         10 * time.Second,
-		MaxElapsedTime:      24 * 3 * time.Hour, // stop the client after 3 days trying (must be a huge problem, e.g permission denied)
+		RandomizationFactor: 1,
+		Multiplier:          1.7,
+		MaxInterval:         15 * time.Second,
+		MaxElapsedTime:      3 * 30 * 24 * time.Hour, // 3 months
 		Stop:                backoff.Stop,
 		Clock:               backoff.SystemClock,
 	}
@@ -40,6 +43,25 @@ func RunClient(ctx context.Context, config *Config) error {
 	}()

 	wrapErr := state.Wrap
+	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+	if err != nil {
+		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+		return wrapErr(err)
+	}
+
+	var mgmTlsEnabled bool
+	if config.ManagementURL.Scheme == "https" {
+		mgmTlsEnabled = true
+	}
+
+	publicSSHKey, err := ssh.GeneratePublicKey([]byte(config.SSHKey))
+	if err != nil {
+		return err
+	}
+
+	managementURL := config.ManagementURL.String()
+	statusRecorder.MarkManagementDisconnected(managementURL)
+
 	operation := func() error {
 		// if context cancelled we not start new backoff cycle
 		select {
@@ -49,37 +71,54 @@ func RunClient(ctx context.Context, config *Config) error {
 		}

 		state.Set(StatusConnecting)
-		// validate our peer's Wireguard PRIVATE key
-		myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
-		if err != nil {
-			log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
-			return wrapErr(err)
-		}
-
-		var mgmTlsEnabled bool
-		if config.ManagementURL.Scheme == "https" {
-			mgmTlsEnabled = true
-		}

 		engineCtx, cancel := context.WithCancel(ctx)
-		defer cancel()
+		defer func() {
+			statusRecorder.MarkManagementDisconnected(managementURL)
+			statusRecorder.CleanLocalPeerState()
+			cancel()
+		}()

-		publicSSHKey, err := ssh.GeneratePublicKey([]byte(config.SSHKey))
+		log.Debugf("conecting to the Management service %s", config.ManagementURL.Host)
+		mgmClient, err := mgm.NewClient(engineCtx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
 		if err != nil {
-			return err
+			return wrapErr(gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err))
 		}
+		log.Debugf("connected to the Management service %s", config.ManagementURL.Host)
+		defer func() {
+			err = mgmClient.Close()
+			if err != nil {
+				log.Warnf("failed to close the Management service client %v", err)
+			}
+		}()
+
 		// connect (just a connection, no stream yet) and login to Management Service to get an initial global Wiretrustee config
-		mgmClient, loginResp, err := connectToManagement(engineCtx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled,
-			publicSSHKey)
+		loginResp, err := loginToManagement(engineCtx, mgmClient, publicSSHKey)
 		if err != nil {
 			log.Debug(err)
-			if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
-				log.Info("peer registration required. Please run `netbird status` for details")
+			if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
 				state.Set(StatusNeedsLogin)
-				return nil
+				return backoff.Permanent(wrapErr(err)) // unrecoverable error
 			}
 			return wrapErr(err)
 		}
+		statusRecorder.MarkManagementConnected(managementURL)
+
+		localPeerState := nbStatus.LocalPeerState{
+			IP:              loginResp.GetPeerConfig().GetAddress(),
+			PubKey:          myPrivateKey.PublicKey().String(),
+			KernelInterface: iface.WireguardModExists(),
+		}
+
+		statusRecorder.UpdateLocalPeerState(localPeerState)
+
+		signalURL := fmt.Sprintf("%s://%s",
+			strings.ToLower(loginResp.GetWiretrusteeConfig().GetSignal().GetProtocol().String()),
+			loginResp.GetWiretrusteeConfig().GetSignal().GetUri(),
+		)
+
+		statusRecorder.MarkSignalDisconnected(signalURL)
+		defer statusRecorder.MarkSignalDisconnected(signalURL)

 		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
 		signalClient, err := connectToSignal(engineCtx, loginResp.GetWiretrusteeConfig(), myPrivateKey)
@@ -87,6 +126,14 @@ func RunClient(ctx context.Context, config *Config) error {
 			log.Error(err)
 			return wrapErr(err)
 		}
+		defer func() {
+			err = signalClient.Close()
+			if err != nil {
+				log.Warnf("failed closing Signal service client %v", err)
+			}
+		}()
+
+		statusRecorder.MarkSignalConnected(signalURL)

 		peerConfig := loginResp.GetPeerConfig()

@@ -96,7 +143,7 @@ func RunClient(ctx context.Context, config *Config) error {
 			return wrapErr(err)
 		}

-		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, engineConfig)
+		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, engineConfig, statusRecorder)
 		err = engine.Start()
 		if err != nil {
 			log.Errorf("error while starting Netbird Connection Engine: %s", err)
@@ -110,24 +157,13 @@ func RunClient(ctx context.Context, config *Config) error {

 		backOff.Reset()

-		err = mgmClient.Close()
-		if err != nil {
-			log.Errorf("failed closing Management Service client %v", err)
-			return wrapErr(err)
-		}
-		err = signalClient.Close()
-		if err != nil {
-			log.Errorf("failed closing Signal Service client %v", err)
-			return wrapErr(err)
-		}
-
 		err = engine.Stop()
 		if err != nil {
 			log.Errorf("failed stopping engine %v", err)
 			return wrapErr(err)
 		}

-		log.Info("stopped Netbird client")
+		log.Info("stopped NetBird client")

 		if _, err := state.Status(); err == ErrResetConnection {
 			return err
@@ -136,9 +172,9 @@ func RunClient(ctx context.Context, config *Config) error {
 		return nil
 	}

-	err := backoff.Retry(operation, backOff)
+	err = backoff.Retry(operation, backOff)
 	if err != nil {
-		log.Errorf("exiting client retry loop due to unrecoverable error: %s", err)
+		log.Debugf("exiting client retry loop due to unrecoverable error: %s", err)
 		return err
 	}
 	return nil
@@ -152,7 +188,7 @@ func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.Pe
 		WgAddr:         peerConfig.Address,
 		IFaceBlackList: config.IFaceBlackList,
 		WgPrivateKey:   key,
-		WgPort:         iface.DefaultWgPort,
+		WgPort:         config.WgPort,
 		SSHKey:         []byte(config.SSHKey),
 	}

@@ -179,33 +215,99 @@ func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig,
 	signalClient, err := signal.NewClient(ctx, wtConfig.Signal.Uri, ourPrivateKey, sigTLSEnabled)
 	if err != nil {
 		log.Errorf("error while connecting to the Signal Exchange Service %s: %s", wtConfig.Signal.Uri, err)
-		return nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Signal Service : %s", err)
+		return nil, gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Signal Service : %s", err)
 	}

 	return signalClient, nil
 }

-// connectToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
-func connectToManagement(ctx context.Context, managementAddr string, ourPrivateKey wgtypes.Key, tlsEnabled bool, pubSSHKey []byte) (*mgm.GrpcClient, *mgmProto.LoginResponse, error) {
-	log.Debugf("connecting to Management Service %s", managementAddr)
-	client, err := mgm.NewClient(ctx, managementAddr, ourPrivateKey, tlsEnabled)
-	if err != nil {
-		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err)
-	}
-	log.Debugf("connected to management server %s", managementAddr)
+// loginToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
+func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte) (*mgmProto.LoginResponse, error) {

 	serverPublicKey, err := client.GetServerPublicKey()
 	if err != nil {
-		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
+		return nil, gstatus.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
 	}

 	sysInfo := system.GetInfo(ctx)
 	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}

-	log.Debugf("peer logged in to Management Service %s", managementAddr)
-
-	return client, loginResp, nil
+	return loginResp, nil
+}
+
+// ManagementLegacyPort is the port that was used before by the Management gRPC server.
+// It is used for backward compatibility now.
+// NB: hardcoded from github.com/netbirdio/netbird/management/cmd to avoid import
+const ManagementLegacyPort = 33073
+
+// UpdateOldManagementPort checks whether client can switch to the new Management port 443.
+// If it can switch, then it updates the config and returns a new one. Otherwise, it returns the provided config.
+// The check is performed only for the NetBird's managed version.
+func UpdateOldManagementPort(ctx context.Context, config *Config, configPath string) (*Config, error) {
+
+	if config.ManagementURL.Hostname() != ManagementURLDefault().Hostname() {
+		// only do the check for the NetBird's managed version
+		return config, nil
+	}
+
+	var mgmTlsEnabled bool
+	if config.ManagementURL.Scheme == "https" {
+		mgmTlsEnabled = true
+	}
+
+	if !mgmTlsEnabled {
+		// only do the check for HTTPs scheme (the hosted version of the Management service is always HTTPs)
+		return config, nil
+	}
+
+	if mgmTlsEnabled && config.ManagementURL.Port() == fmt.Sprintf("%d", ManagementLegacyPort) {
+
+		newURL, err := ParseURL("Management URL", fmt.Sprintf("%s://%s:%d",
+			config.ManagementURL.Scheme, config.ManagementURL.Hostname(), 443))
+		if err != nil {
+			return nil, err
+		}
+		// here we check whether we could switch from the legacy 33073 port to the new 443
+		log.Infof("attempting to switch from the legacy Management URL %s to the new one %s",
+			config.ManagementURL.String(), newURL.String())
+		key, err := wgtypes.ParseKey(config.PrivateKey)
+		if err != nil {
+			log.Infof("couldn't switch to the new Management %s", newURL.String())
+			return config, err
+		}
+
+		client, err := mgm.NewClient(ctx, newURL.Host, key, mgmTlsEnabled)
+		if err != nil {
+			log.Infof("couldn't switch to the new Management %s", newURL.String())
+			return config, err
+		}
+		defer func() {
+			err = client.Close()
+			if err != nil {
+				log.Warnf("failed to close the Management service client %v", err)
+			}
+		}()
+
+		// gRPC check
+		_, err = client.GetServerPublicKey()
+		if err != nil {
+			log.Infof("couldn't switch to the new Management %s", newURL.String())
+			return nil, err
+		}
+
+		// everything is alright => update the config
+		newConfig, err := ReadConfig(newURL.String(), "", configPath, nil)
+		if err != nil {
+			log.Infof("couldn't switch to the new Management %s", newURL.String())
+			return config, fmt.Errorf("failed updating config file: %v", err)
+		}
+		log.Infof("successfully switched to the new Management URL: %s", newURL.String())
+
+		return newConfig, nil
+	}
+
+	return config, nil
 }
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -3,9 +3,12 @@ package internal
 import (
 	"context"
 	"fmt"
+	"github.com/netbirdio/netbird/client/internal/routemanager"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
+	nbstatus "github.com/netbirdio/netbird/client/status"
+	"github.com/netbirdio/netbird/route"
 	"math/rand"
-	"net"
+	"reflect"
 	"runtime"
 	"strings"
 	"sync"
@@ -85,16 +88,17 @@ type Engine struct {

 	wgInterface *iface.WGIface

-	udpMux          ice.UDPMux
-	udpMuxSrflx     ice.UniversalUDPMux
-	udpMuxConn      *net.UDPConn
-	udpMuxConnSrflx *net.UDPConn
+	iceMux ice.UniversalUDPMux

 	// networkSerial is the latest CurrentSerial (state ID) of the network sent by the Management service
 	networkSerial uint64

 	sshServerFunc func(hostKeyPEM []byte, addr string) (nbssh.Server, error)
 	sshServer     nbssh.Server
+
+	statusRecorder *nbstatus.Status
+
+	routeManager routemanager.Manager
 }

 // Peer is an instance of the Connection Peer
@@ -106,20 +110,22 @@ type Peer struct {
 // NewEngine creates a new Connection Engine
 func NewEngine(
 	ctx context.Context, cancel context.CancelFunc,
-	signalClient signal.Client, mgmClient mgm.Client, config *EngineConfig,
+	signalClient signal.Client, mgmClient mgm.Client,
+	config *EngineConfig, statusRecorder *nbstatus.Status,
 ) *Engine {
 	return &Engine{
-		ctx:           ctx,
-		cancel:        cancel,
-		signal:        signalClient,
-		mgmClient:     mgmClient,
-		peerConns:     map[string]*peer.Conn{},
-		syncMsgMux:    &sync.Mutex{},
-		config:        config,
-		STUNs:         []*ice.URL{},
-		TURNs:         []*ice.URL{},
-		networkSerial: 0,
-		sshServerFunc: nbssh.DefaultSSHServer,
+		ctx:            ctx,
+		cancel:         cancel,
+		signal:         signalClient,
+		mgmClient:      mgmClient,
+		peerConns:      map[string]*peer.Conn{},
+		syncMsgMux:     &sync.Mutex{},
+		config:         config,
+		STUNs:          []*ice.URL{},
+		TURNs:          []*ice.URL{},
+		networkSerial:  0,
+		sshServerFunc:  nbssh.DefaultSSHServer,
+		statusRecorder: statusRecorder,
 	}
 }

@@ -145,28 +151,15 @@ func (e *Engine) Stop() error {
 		}
 	}

-	if e.udpMux != nil {
-		if err := e.udpMux.Close(); err != nil {
-			log.Debugf("close udp mux: %v", err)
+	if !isNil(e.sshServer) {
+		err := e.sshServer.Stop()
+		if err != nil {
+			log.Warnf("failed stopping the SSH server: %v", err)
 		}
 	}

-	if e.udpMuxSrflx != nil {
-		if err := e.udpMuxSrflx.Close(); err != nil {
-			log.Debugf("close server reflexive udp mux: %v", err)
-		}
-	}
-
-	if e.udpMuxConn != nil {
-		if err := e.udpMuxConn.Close(); err != nil {
-			log.Debugf("close udp mux connection: %v", err)
-		}
-	}
-
-	if e.udpMuxConnSrflx != nil {
-		if err := e.udpMuxConnSrflx.Close(); err != nil {
-			log.Debugf("close server reflexive udp mux connection: %v", err)
-		}
+	if e.routeManager != nil {
+		e.routeManager.Stop()
 	}

 	log.Infof("stopped Netbird Engine")
@@ -192,33 +185,35 @@ func (e *Engine) Start() error {
 		return err
 	}

-	e.udpMuxConn, err = net.ListenUDP("udp4", &net.UDPAddr{Port: e.config.UDPMuxPort})
-	if err != nil {
-		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxPort, err.Error())
-		return err
-	}
-
-	e.udpMuxConnSrflx, err = net.ListenUDP("udp4", &net.UDPAddr{Port: e.config.UDPMuxSrflxPort})
-	if err != nil {
-		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxSrflxPort, err.Error())
-		return err
-	}
-
-	e.udpMux = ice.NewUDPMuxDefault(ice.UDPMuxParams{UDPConn: e.udpMuxConn})
-	e.udpMuxSrflx = ice.NewUniversalUDPMuxDefault(ice.UniversalUDPMuxParams{UDPConn: e.udpMuxConnSrflx})
-
-	err = e.wgInterface.Create()
+	bind := &iface.ICEBind{}
+	err = e.wgInterface.CreateNew(bind)
 	if err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", wgIfaceName, err.Error())
 		return err
 	}

-	err = e.wgInterface.Configure(myPrivateKey.String(), e.config.WgPort)
+	port, err := e.wgInterface.GetListenPort()
+	if err != nil {
+		return err
+	}
+
+	err = e.wgInterface.Configure(myPrivateKey.String(), *port)
 	if err != nil {
 		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIfaceName, err.Error())
 		return err
 	}

+	iceMux, err := bind.GetICEMux()
+	if err != nil {
+		return err
+	}
+	e.iceMux = iceMux
+
+	log.Infof("NetBird Engine started listening on WireGuard port %d", *port)
+
+	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder)
+	e.config.WgPort = *port
+
 	e.receiveSignalEvents()
 	e.receiveManagementEvents()

@@ -296,10 +291,17 @@ func (e *Engine) removeAllPeers() error {
 func (e *Engine) removePeer(peerKey string) error {
 	log.Debugf("removing peer from engine %s", peerKey)

-	if e.sshServer != nil {
+	if !isNil(e.sshServer) {
 		e.sshServer.RemoveAuthorizedKey(peerKey)
 	}

+	defer func() {
+		err := e.statusRecorder.RemovePeer(peerKey)
+		if err != nil {
+			log.Warnf("received error when removing peer %s from status recorder: %v", peerKey, err)
+		}
+	}()
+
 	conn, exists := e.peerConns[peerKey]
 	if exists {
 		delete(e.peerConns, peerKey)
@@ -362,15 +364,14 @@ func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtyp
 		},
 	})
 	if err != nil {
-		log.Errorf("failed signaling candidate to the remote peer %s %s", remoteKey.String(), err)
-		// todo ??
 		return err
 	}

 	return nil
 }

-func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client, isAnswer bool) error {
+// SignalOfferAnswer signals either an offer or an answer to remote peer
+func SignalOfferAnswer(offerAnswer peer.OfferAnswer, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client, isAnswer bool) error {
 	var t sProto.Body_Type
 	if isAnswer {
 		t = sProto.Body_ANSWER
@@ -378,9 +379,9 @@ func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.K
 		t = sProto.Body_OFFER
 	}

-	msg, err := signal.MarshalCredential(myKey, remoteKey, &signal.Credential{
-		UFrag: uFrag,
-		Pwd:   pwd,
+	msg, err := signal.MarshalCredential(myKey, offerAnswer.WgListenPort, remoteKey, &signal.Credential{
+		UFrag: offerAnswer.IceCredentials.UFrag,
+		Pwd:   offerAnswer.IceCredentials.Pwd,
 	}, t)
 	if err != nil {
 		return err
@@ -422,6 +423,10 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	return nil
 }

+func isNil(server nbssh.Server) bool {
+	return server == nil || reflect.ValueOf(server).IsNil()
+}
+
 func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 	if sshConf.GetSshEnabled() {
 		if runtime.GOOS == "windows" {
@@ -429,7 +434,7 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 			return nil
 		}
 		// start SSH server if it wasn't running
-		if e.sshServer == nil {
+		if isNil(e.sshServer) {
 			//nil sshServer means it has not yet been started
 			var err error
 			e.sshServer, err = e.sshServerFunc(e.config.SSHKey,
@@ -454,7 +459,7 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 		}
 	} else {
 		// Disable SSH server request, so stop it if it was running
-		if e.sshServer != nil {
+		if !isNil(e.sshServer) {
 			err := e.sshServer.Stop()
 			if err != nil {
 				log.Warnf("failed to stop SSH server %v", err)
@@ -585,7 +590,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		}

 		// update SSHServer by adding remote peer SSH keys
-		if e.sshServer != nil {
+		if !isNil(e.sshServer) {
 			for _, config := range networkMap.GetRemotePeers() {
 				if config.GetSshConfig() != nil && config.GetSshConfig().GetSshPubKey() != nil {
 					err := e.sshServer.AddAuthorizedKey(config.WgPubKey, string(config.GetSshConfig().GetSshPubKey()))
@@ -596,11 +601,37 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 			}
 		}
 	}
+	protoRoutes := networkMap.GetRoutes()
+	if protoRoutes == nil {
+		protoRoutes = []*mgmProto.Route{}
+	}
+	err := e.routeManager.UpdateRoutes(serial, toRoutes(protoRoutes))
+	if err != nil {
+		log.Errorf("failed to update routes, err: %v", err)
+	}

 	e.networkSerial = serial
 	return nil
 }

+func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
+	routes := make([]*route.Route, 0)
+	for _, protoRoute := range protoRoutes {
+		_, prefix, _ := route.ParseNetwork(protoRoute.Network)
+		convertedRoute := &route.Route{
+			ID:          protoRoute.ID,
+			Network:     prefix,
+			NetID:       protoRoute.NetID,
+			NetworkType: route.NetworkType(protoRoute.NetworkType),
+			Peer:        protoRoute.Peer,
+			Metric:      int(protoRoute.Metric),
+			Masquerade:  protoRoute.Masquerade,
+		}
+		routes = append(routes, convertedRoute)
+	}
+	return routes
+}
+
 // addNewPeers adds peers that were not know before but arrived from the Management service with the update
 func (e *Engine) addNewPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 	for _, p := range peersUpdate {
@@ -623,12 +654,17 @@ func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
 		}
 		e.peerConns[peerKey] = conn

+		err = e.statusRecorder.AddPeer(peerKey)
+		if err != nil {
+			log.Warnf("error adding peer %s to status recorder, got error: %v", peerKey, err)
+		}
+
 		go e.connWorker(conn, peerKey)
 	}
 	return nil
 }

-func (e Engine) connWorker(conn *peer.Conn, peerKey string) {
+func (e *Engine) connWorker(conn *peer.Conn, peerKey string) {
 	for {

 		// randomize starting time a bit
@@ -647,6 +683,13 @@ func (e Engine) connWorker(conn *peer.Conn, peerKey string) {
 			continue
 		}

+		// we might have received new STUN and TURN servers meanwhile, so update them
+		e.syncMsgMux.Lock()
+		conf := conn.GetConf()
+		conf.StunTurn = append(e.STUNs, e.TURNs...)
+		conn.UpdateConf(conf)
+		e.syncMsgMux.Unlock()
+
 		err := conn.Open()
 		if err != nil {
 			log.Debugf("connection to peer %s failed: %v", peerKey, err)
@@ -668,6 +711,7 @@ func (e Engine) peerExists(peerKey string) bool {
 }

 func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, error) {
+	log.Debugf("creating peer connection %s", pubKey)
 	var stunTurn []*ice.URL
 	stunTurn = append(stunTurn, e.STUNs...)
 	stunTurn = append(stunTurn, e.TURNs...)
@@ -688,12 +732,13 @@ func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, er
 		StunTurn:           stunTurn,
 		InterfaceBlackList: e.config.IFaceBlackList,
 		Timeout:            timeout,
-		UDPMux:             e.udpMux,
-		UDPMuxSrflx:        e.udpMuxSrflx,
+		UDPMux:             e.iceMux,
+		UDPMuxSrflx:        e.iceMux,
 		ProxyConfig:        proxyConfig,
+		LocalWgPort:        e.config.WgPort,
 	}

-	peerConn, err := peer.NewConn(config)
+	peerConn, err := peer.NewConn(config, e.statusRecorder)
 	if err != nil {
 		return nil, err
 	}
@@ -703,16 +748,16 @@ func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, er
 		return nil, err
 	}

-	signalOffer := func(uFrag string, pwd string) error {
-		return signalAuth(uFrag, pwd, e.config.WgPrivateKey, wgPubKey, e.signal, false)
+	signalOffer := func(offerAnswer peer.OfferAnswer) error {
+		return SignalOfferAnswer(offerAnswer, e.config.WgPrivateKey, wgPubKey, e.signal, false)
 	}

 	signalCandidate := func(candidate ice.Candidate) error {
 		return signalCandidate(candidate, e.config.WgPrivateKey, wgPubKey, e.signal)
 	}

-	signalAnswer := func(uFrag string, pwd string) error {
-		return signalAuth(uFrag, pwd, e.config.WgPrivateKey, wgPubKey, e.signal, true)
+	signalAnswer := func(offerAnswer peer.OfferAnswer) error {
+		return SignalOfferAnswer(offerAnswer, e.config.WgPrivateKey, wgPubKey, e.signal, true)
 	}

 	peerConn.SetSignalCandidate(signalCandidate)
@@ -741,18 +786,26 @@ func (e *Engine) receiveSignalEvents() {
 				if err != nil {
 					return err
 				}
-				conn.OnRemoteOffer(peer.IceCredentials{
-					UFrag: remoteCred.UFrag,
-					Pwd:   remoteCred.Pwd,
+				conn.OnRemoteOffer(peer.OfferAnswer{
+					IceCredentials: peer.IceCredentials{
+						UFrag: remoteCred.UFrag,
+						Pwd:   remoteCred.Pwd,
+					},
+					WgListenPort: int(msg.GetBody().GetWgListenPort()),
+					Version:      msg.GetBody().GetNetBirdVersion(),
 				})
 			case sProto.Body_ANSWER:
 				remoteCred, err := signal.UnMarshalCredential(msg)
 				if err != nil {
 					return err
 				}
-				conn.OnRemoteAnswer(peer.IceCredentials{
-					UFrag: remoteCred.UFrag,
-					Pwd:   remoteCred.Pwd,
+				conn.OnRemoteAnswer(peer.OfferAnswer{
+					IceCredentials: peer.IceCredentials{
+						UFrag: remoteCred.UFrag,
+						Pwd:   remoteCred.Pwd,
+					},
+					WgListenPort: int(msg.GetBody().GetWgListenPort()),
+					Version:      msg.GetBody().GetNetBirdVersion(),
 				})
 			case sProto.Body_CANDIDATE:
 				candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -3,10 +3,14 @@ package internal
 import (
 	"context"
 	"fmt"
+	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/ssh"
+	nbstatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/route"
 	"github.com/stretchr/testify/assert"
 	"net"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -63,7 +67,7 @@ func TestEngine_SSH(t *testing.T) {
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	})
+	}, nbstatus.NewRecorder())

 	var sshKeysAdded []string
 	var sshPeersRemoved []string
@@ -193,8 +197,9 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	})
+	}, nbstatus.NewRecorder())
 	engine.wgInterface, err = iface.NewWGIFace("utun102", "100.64.0.1/24", iface.DefaultMTU)
+	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), engine.wgInterface, engine.statusRecorder)

 	type testCase struct {
 		name       string
@@ -373,7 +378,7 @@ func TestEngine_Sync(t *testing.T) {
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	})
+	}, nbstatus.NewRecorder())

 	defer func() {
 		err := engine.Stop()
@@ -425,6 +430,142 @@ func TestEngine_Sync(t *testing.T) {
 	}
 }

+func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
+	testCases := []struct {
+		name           string
+		inputErr       error
+		networkMap     *mgmtProto.NetworkMap
+		expectedLen    int
+		expectedRoutes []*route.Route
+		expectedSerial uint64
+	}{
+		{
+			name: "Routes Update Should Be Passed To Manager",
+			networkMap: &mgmtProto.NetworkMap{
+				Serial:             1,
+				PeerConfig:         nil,
+				RemotePeersIsEmpty: false,
+				Routes: []*mgmtProto.Route{
+					{
+						ID:          "a",
+						Network:     "192.168.0.0/24",
+						NetID:       "n1",
+						Peer:        "p1",
+						NetworkType: 1,
+						Masquerade:  false,
+					},
+					{
+						ID:          "b",
+						Network:     "192.168.1.0/24",
+						NetID:       "n2",
+						Peer:        "p1",
+						NetworkType: 1,
+						Masquerade:  false,
+					},
+				},
+			},
+			expectedLen: 2,
+			expectedRoutes: []*route.Route{
+				{
+					ID:          "a",
+					Network:     netip.MustParsePrefix("192.168.0.0/24"),
+					NetID:       "n1",
+					Peer:        "p1",
+					NetworkType: 1,
+					Masquerade:  false,
+				},
+				{
+					ID:          "b",
+					Network:     netip.MustParsePrefix("192.168.1.0/24"),
+					NetID:       "n2",
+					Peer:        "p1",
+					NetworkType: 1,
+					Masquerade:  false,
+				},
+			},
+			expectedSerial: 1,
+		},
+		{
+			name: "Empty Routes Update Should Be Passed",
+			networkMap: &mgmtProto.NetworkMap{
+				Serial:             1,
+				PeerConfig:         nil,
+				RemotePeersIsEmpty: false,
+				Routes:             nil,
+			},
+			expectedLen:    0,
+			expectedRoutes: []*route.Route{},
+			expectedSerial: 1,
+		},
+		{
+			name:     "Error Shouldn't Break Engine",
+			inputErr: fmt.Errorf("mocking error"),
+			networkMap: &mgmtProto.NetworkMap{
+				Serial:             1,
+				PeerConfig:         nil,
+				RemotePeersIsEmpty: false,
+				Routes:             nil,
+			},
+			expectedLen:    0,
+			expectedRoutes: []*route.Route{},
+			expectedSerial: 1,
+		},
+	}
+
+	for n, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			// test setup
+			key, err := wgtypes.GeneratePrivateKey()
+			if err != nil {
+				t.Fatal(err)
+				return
+			}
+
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
+			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
+			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)
+
+			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
+				WgIfaceName:  wgIfaceName,
+				WgAddr:       wgAddr,
+				WgPrivateKey: key,
+				WgPort:       33100,
+			}, nbstatus.NewRecorder())
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU)
+			assert.NoError(t, err, "shouldn't return error")
+			input := struct {
+				inputSerial uint64
+				inputRoutes []*route.Route
+			}{}
+
+			mockRouteManager := &routemanager.MockManager{
+				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) error {
+					input.inputSerial = updateSerial
+					input.inputRoutes = newRoutes
+					return testCase.inputErr
+				},
+			}
+
+			engine.routeManager = mockRouteManager
+
+			defer func() {
+				exitErr := engine.Stop()
+				if exitErr != nil {
+					return
+				}
+			}()
+
+			err = engine.updateNetworkMap(testCase.networkMap)
+			assert.NoError(t, err, "shouldn't return error")
+			assert.Equal(t, testCase.expectedSerial, input.inputSerial, "serial should match")
+			assert.Len(t, input.inputRoutes, testCase.expectedLen, "routes len should match")
+			assert.Equal(t, testCase.expectedRoutes, input.inputRoutes, "routes should match")
+		})
+	}
+}
+
 func TestEngine_MultiplePeers(t *testing.T) {
 	// log.SetLevel(log.DebugLevel)

@@ -576,7 +717,7 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		WgPort:       wgPort,
 	}

-	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf), nil
+	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf, nbstatus.NewRecorder()), nil
 }

 func startSignal(port int) (*grpc.Server, error) {
--- a/client/internal/login.go
+++ b/client/internal/login.go
@@ -26,13 +26,19 @@ func Login(ctx context.Context, config *Config, setupKey string, jwtToken string
 		mgmTlsEnabled = true
 	}

-	log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
+	log.Debugf("connecting to the Management service %s", config.ManagementURL.String())
 	mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
 	if err != nil {
-		log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
+		log.Errorf("failed connecting to the Management service %s %v", config.ManagementURL.String(), err)
 		return err
 	}
-	log.Debugf("connected to management Service %s", config.ManagementURL.String())
+	log.Debugf("connected to the Management service %s", config.ManagementURL.String())
+	defer func() {
+		err = mgmClient.Close()
+		if err != nil {
+			log.Warnf("failed to close the Management service client %v", err)
+		}
+	}()

 	serverKey, err := mgmClient.GetServerPublicKey()
 	if err != nil {
@@ -49,10 +55,11 @@ func Login(ctx context.Context, config *Config, setupKey string, jwtToken string
 		log.Errorf("failed logging-in peer on Management Service : %v", err)
 		return err
 	}
+	log.Infof("peer has successfully logged-in to the Management service %s", config.ManagementURL.String())

 	err = mgmClient.Close()
 	if err != nil {
-		log.Errorf("failed closing Management Service client: %v", err)
+		log.Errorf("failed to close the Management service client: %v", err)
 		return err
 	}

@@ -72,8 +79,6 @@ func loginPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.Grp
 		}
 	}

-	log.Info("peer has successfully logged-in to Management Service")
-
 	return loginResp, nil
 }

--- a/client/internal/oauth.go
+++ b/client/internal/oauth.go
@@ -5,8 +5,10 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
+	"net/url"
+	"reflect"
 	"strings"
 	"time"
 )
@@ -14,7 +16,6 @@ import (
 // OAuthClient is a OAuth client interface for various idp providers
 type OAuthClient interface {
 	RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error)
-	RotateAccessToken(ctx context.Context, refreshToken string) (TokenInfo, error)
 	WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo, error)
 	GetClientID(ctx context.Context) string
 }
@@ -55,8 +56,10 @@ type Hosted struct {
 	Audience string
 	// Hosted Native application client id
 	ClientID string
-	// Hosted domain
-	Domain string
+	// TokenEndpoint to request access token
+	TokenEndpoint string
+	// DeviceAuthEndpoint to request device authorization code
+	DeviceAuthEndpoint string

 	HTTPClient HTTPClient
 }
@@ -84,11 +87,11 @@ type TokenRequestResponse struct {

 // Claims used when validating the access token
 type Claims struct {
-	Audience string `json:"aud"`
+	Audience interface{} `json:"aud"`
 }

 // NewHostedDeviceFlow returns an Hosted OAuth client
-func NewHostedDeviceFlow(audience string, clientID string, domain string) *Hosted {
+func NewHostedDeviceFlow(audience string, clientID string, tokenEndpoint string, deviceAuthEndpoint string) *Hosted {
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
 	httpTransport.MaxIdleConns = 5

@@ -98,10 +101,11 @@ func NewHostedDeviceFlow(audience string, clientID string, domain string) *Hoste
 	}

 	return &Hosted{
-		Audience:   audience,
-		ClientID:   clientID,
-		Domain:     domain,
-		HTTPClient: httpClient,
+		Audience:           audience,
+		ClientID:           clientID,
+		TokenEndpoint:      tokenEndpoint,
+		HTTPClient:         httpClient,
+		DeviceAuthEndpoint: deviceAuthEndpoint,
 	}
 }

@@ -112,22 +116,15 @@ func (h *Hosted) GetClientID(ctx context.Context) string {

 // RequestDeviceCode requests a device code login flow information from Hosted
 func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error) {
-	url := "https://" + h.Domain + "/oauth/device/code"
-	codePayload := RequestDeviceCodePayload{
-		Audience: h.Audience,
-		ClientID: h.ClientID,
-	}
-	p, err := json.Marshal(codePayload)
-	if err != nil {
-		return DeviceAuthInfo{}, fmt.Errorf("parsing payload failed with error: %v", err)
-	}
-	payload := strings.NewReader(string(p))
-	req, err := http.NewRequest("POST", url, payload)
+	form := url.Values{}
+	form.Add("client_id", h.ClientID)
+	form.Add("audience", h.Audience)
+	req, err := http.NewRequest("POST", h.DeviceAuthEndpoint,
+		strings.NewReader(form.Encode()))
 	if err != nil {
 		return DeviceAuthInfo{}, fmt.Errorf("creating request failed with error: %v", err)
 	}
-
-	req.Header.Add("content-type", "application/json")
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")

 	res, err := h.HTTPClient.Do(req)
 	if err != nil {
@@ -135,7 +132,7 @@ func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error)
 	}

 	defer res.Body.Close()
-	body, err := ioutil.ReadAll(res.Body)
+	body, err := io.ReadAll(res.Body)
 	if err != nil {
 		return DeviceAuthInfo{}, fmt.Errorf("reading body failed with error: %v", err)
 	}
@@ -153,6 +150,48 @@ func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error)
 	return deviceCode, err
 }

+func (h *Hosted) requestToken(info DeviceAuthInfo) (TokenRequestResponse, error) {
+	form := url.Values{}
+	form.Add("client_id", h.ClientID)
+	form.Add("grant_type", HostedGrantType)
+	form.Add("device_code", info.DeviceCode)
+	req, err := http.NewRequest("POST", h.TokenEndpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return TokenRequestResponse{}, fmt.Errorf("failed to create request access token: %v", err)
+	}
+
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+	res, err := h.HTTPClient.Do(req)
+	if err != nil {
+		return TokenRequestResponse{}, fmt.Errorf("failed to request access token with error: %v", err)
+	}
+
+	defer func() {
+		err := res.Body.Close()
+		if err != nil {
+			return
+		}
+	}()
+
+	body, err := io.ReadAll(res.Body)
+	if err != nil {
+		return TokenRequestResponse{}, fmt.Errorf("failed reading access token response body with error: %v", err)
+	}
+
+	if res.StatusCode > 499 {
+		return TokenRequestResponse{}, fmt.Errorf("access token response returned code: %s", string(body))
+	}
+
+	tokenResponse := TokenRequestResponse{}
+	err = json.Unmarshal(body, &tokenResponse)
+	if err != nil {
+		return TokenRequestResponse{}, fmt.Errorf("parsing token response failed with error: %v", err)
+	}
+
+	return tokenResponse, nil
+}
+
 // WaitToken waits user's login and authorize the app. Once the user's authorize
 // it retrieves the access token from Hosted's endpoint and validates it before returning
 func (h *Hosted) WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo, error) {
@@ -163,24 +202,8 @@ func (h *Hosted) WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo,
 		case <-ctx.Done():
 			return TokenInfo{}, ctx.Err()
 		case <-ticker.C:
-			url := "https://" + h.Domain + "/oauth/token"
-			tokenReqPayload := TokenRequestPayload{
-				GrantType:  HostedGrantType,
-				DeviceCode: info.DeviceCode,
-				ClientID:   h.ClientID,
-			}

-			body, statusCode, err := requestToken(h.HTTPClient, url, tokenReqPayload)
-			if err != nil {
-				return TokenInfo{}, fmt.Errorf("wait for token: %v", err)
-			}
-
-			if statusCode > 499 {
-				return TokenInfo{}, fmt.Errorf("wait token code returned error: %s", string(body))
-			}
-
-			tokenResponse := TokenRequestResponse{}
-			err = json.Unmarshal(body, &tokenResponse)
+			tokenResponse, err := h.requestToken(info)
 			if err != nil {
 				return TokenInfo{}, fmt.Errorf("parsing token response failed with error: %v", err)
 			}
@@ -214,71 +237,6 @@ func (h *Hosted) WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo,
 	}
 }

-// RotateAccessToken requests a new token using an existing refresh token
-func (h *Hosted) RotateAccessToken(ctx context.Context, refreshToken string) (TokenInfo, error) {
-	url := "https://" + h.Domain + "/oauth/token"
-	tokenReqPayload := TokenRequestPayload{
-		GrantType:    HostedRefreshGrant,
-		ClientID:     h.ClientID,
-		RefreshToken: refreshToken,
-	}
-
-	body, statusCode, err := requestToken(h.HTTPClient, url, tokenReqPayload)
-	if err != nil {
-		return TokenInfo{}, fmt.Errorf("rotate access token: %v", err)
-	}
-
-	if statusCode != 200 {
-		return TokenInfo{}, fmt.Errorf("rotating token returned error: %s", string(body))
-	}
-
-	tokenResponse := TokenRequestResponse{}
-	err = json.Unmarshal(body, &tokenResponse)
-	if err != nil {
-		return TokenInfo{}, fmt.Errorf("parsing token response failed with error: %v", err)
-	}
-
-	err = isValidAccessToken(tokenResponse.AccessToken, h.Audience)
-	if err != nil {
-		return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
-	}
-
-	tokenInfo := TokenInfo{
-		AccessToken:  tokenResponse.AccessToken,
-		TokenType:    tokenResponse.TokenType,
-		RefreshToken: tokenResponse.RefreshToken,
-		IDToken:      tokenResponse.IDToken,
-		ExpiresIn:    tokenResponse.ExpiresIn,
-	}
-	return tokenInfo, err
-}
-
-func requestToken(client HTTPClient, url string, tokenReqPayload TokenRequestPayload) ([]byte, int, error) {
-	p, err := json.Marshal(tokenReqPayload)
-	if err != nil {
-		return nil, 0, fmt.Errorf("parsing token payload failed with error: %v", err)
-	}
-	payload := strings.NewReader(string(p))
-	req, err := http.NewRequest("POST", url, payload)
-	if err != nil {
-		return nil, 0, fmt.Errorf("creating token request failed with error: %v", err)
-	}
-
-	req.Header.Add("content-type", "application/json")
-
-	res, err := client.Do(req)
-	if err != nil {
-		return nil, 0, fmt.Errorf("doing token request failed with error: %v", err)
-	}
-
-	defer res.Body.Close()
-	body, err := ioutil.ReadAll(res.Body)
-	if err != nil {
-		return nil, 0, fmt.Errorf("reading token body failed with error: %v", err)
-	}
-	return body, res.StatusCode, nil
-}
-
 // isValidAccessToken is a simple validation of the access token
 func isValidAccessToken(token string, audience string) error {
 	if token == "" {
@@ -297,9 +255,24 @@ func isValidAccessToken(token string, audience string) error {
 		return err
 	}

-	if claims.Audience != audience {
-		return fmt.Errorf("invalid audience")
+	if claims.Audience == nil {
+		return fmt.Errorf("required token field audience is absent")
 	}

-	return nil
+	// Audience claim of JWT can be a string or an array of strings
+	typ := reflect.TypeOf(claims.Audience)
+	switch typ.Kind() {
+	case reflect.String:
+		if claims.Audience == audience {
+			return nil
+		}
+	case reflect.Slice:
+		for _, aud := range claims.Audience.([]interface{}) {
+			if audience == aud {
+				return nil
+			}
+		}
+	}
+
+	return fmt.Errorf("invalid JWT token audience field")
 }
--- a/client/internal/oauth_test.go
+++ b/client/internal/oauth_test.go
@@ -2,12 +2,12 @@ package internal

 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"github.com/golang-jwt/jwt"
 	"github.com/stretchr/testify/require"
-	"io/ioutil"
+	"io"
 	"net/http"
+	"net/url"
 	"strings"
 	"testing"
 	"time"
@@ -24,7 +24,7 @@ type mockHTTPClient struct {
 }

 func (c *mockHTTPClient) Do(req *http.Request) (*http.Response, error) {
-	body, err := ioutil.ReadAll(req.Body)
+	body, err := io.ReadAll(req.Body)
 	if err == nil {
 		c.reqBody = string(body)
 	}
@@ -33,13 +33,13 @@ func (c *mockHTTPClient) Do(req *http.Request) (*http.Response, error) {
 		c.count++
 		return &http.Response{
 			StatusCode: c.code,
-			Body:       ioutil.NopCloser(strings.NewReader(c.countResBody)),
+			Body:       io.NopCloser(strings.NewReader(c.countResBody)),
 		}, c.err
 	}

 	return &http.Response{
 		StatusCode: c.code,
-		Body:       ioutil.NopCloser(strings.NewReader(c.resBody)),
+		Body:       io.NopCloser(strings.NewReader(c.resBody)),
 	}, c.err
 }

@@ -54,15 +54,19 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 		testingFunc      require.ComparisonAssertionFunc
 		expectedOut      DeviceAuthInfo
 		expectedMSG      string
-		expectPayload    RequestDeviceCodePayload
+		expectPayload    string
 	}

+	expectedAudience := "ok"
+	expectedClientID := "bla"
+	form := url.Values{}
+	form.Add("audience", expectedAudience)
+	form.Add("client_id", expectedClientID)
+	expectPayload := form.Encode()
+
 	testCase1 := test{
-		name: "Payload Is Valid",
-		expectPayload: RequestDeviceCodePayload{
-			Audience: "ok",
-			ClientID: "bla",
-		},
+		name:           "Payload Is Valid",
+		expectPayload:  expectPayload,
 		inputReqCode:   200,
 		testingErrFunc: require.Error,
 		testingFunc:    require.EqualValues,
@@ -74,6 +78,7 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 		testingErrFunc:   require.Error,
 		expectedErrorMSG: "should return error",
 		testingFunc:      require.EqualValues,
+		expectPayload:    expectPayload,
 	}

 	testCase3 := test{
@@ -82,15 +87,13 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 		testingErrFunc:   require.Error,
 		expectedErrorMSG: "should return error",
 		testingFunc:      require.EqualValues,
+		expectPayload:    expectPayload,
 	}
 	testCase4Out := DeviceAuthInfo{ExpiresIn: 10}
 	testCase4 := test{
-		name:         "Got Device Code",
-		inputResBody: fmt.Sprintf("{\"expires_in\":%d}", testCase4Out.ExpiresIn),
-		expectPayload: RequestDeviceCodePayload{
-			Audience: "ok",
-			ClientID: "bla",
-		},
+		name:           "Got Device Code",
+		inputResBody:   fmt.Sprintf("{\"expires_in\":%d}", testCase4Out.ExpiresIn),
+		expectPayload:  expectPayload,
 		inputReqCode:   200,
 		testingErrFunc: require.NoError,
 		testingFunc:    require.EqualValues,
@@ -108,18 +111,17 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 			}

 			hosted := Hosted{
-				Audience:   testCase.expectPayload.Audience,
-				ClientID:   testCase.expectPayload.ClientID,
-				Domain:     "test.hosted.com",
-				HTTPClient: &httpClient,
+				Audience:           expectedAudience,
+				ClientID:           expectedClientID,
+				TokenEndpoint:      "test.hosted.com/token",
+				DeviceAuthEndpoint: "test.hosted.com/device/auth",
+				HTTPClient:         &httpClient,
 			}

 			authInfo, err := hosted.RequestDeviceCode(context.TODO())
 			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)

-			payload, _ := json.Marshal(testCase.expectPayload)
-
-			require.EqualValues(t, string(payload), httpClient.reqBody, "payload should match")
+			require.EqualValues(t, expectPayload, httpClient.reqBody, "payload should match")

 			testCase.testingFunc(t, testCase.expectedOut, authInfo, testCase.expectedMSG)

@@ -143,7 +145,7 @@ func TestHosted_WaitToken(t *testing.T) {
 		testingFunc       require.ComparisonAssertionFunc
 		expectedOut       TokenInfo
 		expectedMSG       string
-		expectPayload     TokenRequestPayload
+		expectPayload     string
 	}

 	defaultInfo := DeviceAuthInfo{
@@ -152,11 +154,13 @@ func TestHosted_WaitToken(t *testing.T) {
 		Interval:   1,
 	}

-	tokenReqPayload := TokenRequestPayload{
-		GrantType:  HostedGrantType,
-		DeviceCode: defaultInfo.DeviceCode,
-		ClientID:   "test",
-	}
+	clientID := "test"
+
+	form := url.Values{}
+	form.Add("grant_type", HostedGrantType)
+	form.Add("device_code", defaultInfo.DeviceCode)
+	form.Add("client_id", clientID)
+	tokenReqPayload := form.Encode()

 	testCase1 := test{
 		name:           "Payload Is Valid",
@@ -268,10 +272,11 @@ func TestHosted_WaitToken(t *testing.T) {
 			}

 			hosted := Hosted{
-				Audience:   testCase.inputAudience,
-				ClientID:   testCase.expectPayload.ClientID,
-				Domain:     "test.hosted.com",
-				HTTPClient: &httpClient,
+				Audience:           testCase.inputAudience,
+				ClientID:           clientID,
+				TokenEndpoint:      "test.hosted.com/token",
+				DeviceAuthEndpoint: "test.hosted.com/device/auth",
+				HTTPClient:         &httpClient,
 			}

 			ctx, cancel := context.WithTimeout(context.TODO(), testCase.inputTimeout)
@@ -279,12 +284,7 @@ func TestHosted_WaitToken(t *testing.T) {
 			tokenInfo, err := hosted.WaitToken(ctx, testCase.inputInfo)
 			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)

-			var payload []byte
-			var emptyPayload TokenRequestPayload
-			if testCase.expectPayload != emptyPayload {
-				payload, _ = json.Marshal(testCase.expectPayload)
-			}
-			require.EqualValues(t, string(payload), httpClient.reqBody, "payload should match")
+			require.EqualValues(t, testCase.expectPayload, httpClient.reqBody, "payload should match")

 			testCase.testingFunc(t, testCase.expectedOut, tokenInfo, testCase.expectedMSG)

@@ -293,123 +293,3 @@ func TestHosted_WaitToken(t *testing.T) {
 		})
 	}
 }
-
-func TestHosted_RotateAccessToken(t *testing.T) {
-	type test struct {
-		name             string
-		inputResBody     string
-		inputReqCode     int
-		inputReqError    error
-		inputMaxReqs     int
-		inputInfo        DeviceAuthInfo
-		inputAudience    string
-		testingErrFunc   require.ErrorAssertionFunc
-		expectedErrorMSG string
-		testingFunc      require.ComparisonAssertionFunc
-		expectedOut      TokenInfo
-		expectedMSG      string
-		expectPayload    TokenRequestPayload
-	}
-
-	defaultInfo := DeviceAuthInfo{
-		DeviceCode: "test",
-		ExpiresIn:  10,
-		Interval:   1,
-	}
-
-	tokenReqPayload := TokenRequestPayload{
-		GrantType:    HostedRefreshGrant,
-		ClientID:     "test",
-		RefreshToken: "refresh_test",
-	}
-
-	testCase1 := test{
-		name:           "Payload Is Valid",
-		inputInfo:      defaultInfo,
-		inputReqCode:   200,
-		testingErrFunc: require.Error,
-		testingFunc:    require.EqualValues,
-		expectPayload:  tokenReqPayload,
-	}
-
-	testCase2 := test{
-		name:             "Exit On Network Error",
-		inputInfo:        defaultInfo,
-		expectPayload:    tokenReqPayload,
-		inputReqError:    fmt.Errorf("error"),
-		testingErrFunc:   require.Error,
-		expectedErrorMSG: "should return error",
-		testingFunc:      require.EqualValues,
-	}
-
-	testCase3 := test{
-		name:             "Exit On Non 200 Status Code",
-		inputInfo:        defaultInfo,
-		inputReqCode:     401,
-		expectPayload:    tokenReqPayload,
-		testingErrFunc:   require.Error,
-		expectedErrorMSG: "should return error",
-		testingFunc:      require.EqualValues,
-	}
-
-	audience := "test"
-
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{"aud": audience})
-	var hmacSampleSecret []byte
-	tokenString, _ := token.SignedString(hmacSampleSecret)
-
-	testCase4 := test{
-		name:           "Exit On Invalid Audience",
-		inputInfo:      defaultInfo,
-		inputResBody:   fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
-		inputReqCode:   200,
-		inputAudience:  "super test",
-		testingErrFunc: require.Error,
-		testingFunc:    require.EqualValues,
-		expectPayload:  tokenReqPayload,
-	}
-
-	testCase5 := test{
-		name:           "Received Token Info",
-		inputInfo:      defaultInfo,
-		inputResBody:   fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
-		inputReqCode:   200,
-		inputAudience:  audience,
-		testingErrFunc: require.NoError,
-		testingFunc:    require.EqualValues,
-		expectPayload:  tokenReqPayload,
-		expectedOut:    TokenInfo{AccessToken: tokenString},
-	}
-
-	for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4, testCase5} {
-		t.Run(testCase.name, func(t *testing.T) {
-
-			httpClient := mockHTTPClient{
-				resBody: testCase.inputResBody,
-				code:    testCase.inputReqCode,
-				err:     testCase.inputReqError,
-				MaxReqs: testCase.inputMaxReqs,
-			}
-
-			hosted := Hosted{
-				Audience:   testCase.inputAudience,
-				ClientID:   testCase.expectPayload.ClientID,
-				Domain:     "test.hosted.com",
-				HTTPClient: &httpClient,
-			}
-
-			tokenInfo, err := hosted.RotateAccessToken(context.TODO(), testCase.expectPayload.RefreshToken)
-			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)
-
-			var payload []byte
-			var emptyPayload TokenRequestPayload
-			if testCase.expectPayload != emptyPayload {
-				payload, _ = json.Marshal(testCase.expectPayload)
-			}
-			require.EqualValues(t, string(payload), httpClient.reqBody, "payload should match")
-
-			testCase.testingFunc(t, testCase.expectedOut, tokenInfo, testCase.expectedMSG)
-
-		})
-	}
-}
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -2,6 +2,8 @@ package peer

 import (
 	"context"
+	nbStatus "github.com/netbirdio/netbird/client/status"
+	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/iface"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"net"
@@ -35,6 +37,20 @@ type ConnConfig struct {

 	UDPMux      ice.UDPMux
 	UDPMuxSrflx ice.UniversalUDPMux
+
+	LocalWgPort int
+}
+
+// OfferAnswer represents a session establishment offer or answer
+type OfferAnswer struct {
+	IceCredentials IceCredentials
+	// WgListenPort is a remote WireGuard listen port.
+	// This field is used when establishing a direct WireGuard connection without any proxy.
+	// We can set the remote peer's endpoint with this port.
+	WgListenPort int
+
+	// Version of NetBird Agent
+	Version string
 }

 // IceCredentials ICE protocol credentials struct
@@ -50,13 +66,13 @@ type Conn struct {
 	// signalCandidate is a handler function to signal remote peer about local connection candidate
 	signalCandidate func(candidate ice.Candidate) error
 	// signalOffer is a handler function to signal remote peer our connection offer (credentials)
-	signalOffer  func(uFrag string, pwd string) error
-	signalAnswer func(uFrag string, pwd string) error
+	signalOffer  func(OfferAnswer) error
+	signalAnswer func(OfferAnswer) error

 	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
-	remoteOffersCh chan IceCredentials
+	remoteOffersCh chan OfferAnswer
 	// remoteAnswerCh is a channel used to wait for remote credentials answer (confirmation of our offer) to proceed with the connection
-	remoteAnswerCh     chan IceCredentials
+	remoteAnswerCh     chan OfferAnswer
 	closeCh            chan struct{}
 	ctx                context.Context
 	notifyDisconnected context.CancelFunc
@@ -64,6 +80,8 @@ type Conn struct {
 	agent  *ice.Agent
 	status ConnStatus

+	statusRecorder *nbStatus.Status
+
 	proxy proxy.Proxy
 }

@@ -72,16 +90,22 @@ func (conn *Conn) GetConf() ConnConfig {
 	return conn.config
 }

+// UpdateConf updates the connection config
+func (conn *Conn) UpdateConf(conf ConnConfig) {
+	conn.config = conf
+}
+
 // NewConn creates a new not opened Conn to the remote peer.
 // To establish a connection run Conn.Open
-func NewConn(config ConnConfig) (*Conn, error) {
+func NewConn(config ConnConfig, statusRecorder *nbStatus.Status) (*Conn, error) {
 	return &Conn{
 		config:         config,
 		mu:             sync.Mutex{},
 		status:         StatusDisconnected,
 		closeCh:        make(chan struct{}),
-		remoteOffersCh: make(chan IceCredentials),
-		remoteAnswerCh: make(chan IceCredentials),
+		remoteOffersCh: make(chan OfferAnswer),
+		remoteAnswerCh: make(chan OfferAnswer),
+		statusRecorder: statusRecorder,
 	}, nil
 }

@@ -123,7 +147,7 @@ func (conn *Conn) reCreateAgent() error {
 		MulticastDNSMode: ice.MulticastDNSModeDisabled,
 		NetworkTypes:     []ice.NetworkType{ice.NetworkTypeUDP4},
 		Urls:             conn.config.StunTurn,
-		CandidateTypes:   []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
+		CandidateTypes:   []ice.CandidateType{ice.CandidateTypeServerReflexive, ice.CandidateTypeHost, ice.CandidateTypeRelay},
 		FailedTimeout:    &failedTimeout,
 		InterfaceFilter:  interfaceFilter(conn.config.InterfaceBlackList),
 		UDPMux:           conn.config.UDPMux,
@@ -157,6 +181,17 @@ func (conn *Conn) reCreateAgent() error {
 func (conn *Conn) Open() error {
 	log.Debugf("trying to connect to peer %s", conn.config.Key)

+	peerState := nbStatus.PeerState{PubKey: conn.config.Key}
+
+	peerState.IP = strings.Split(conn.config.ProxyConfig.AllowedIps, "/")[0]
+	peerState.ConnStatusUpdate = time.Now()
+	peerState.ConnStatus = conn.status.String()
+
+	err := conn.statusRecorder.UpdatePeerState(peerState)
+	if err != nil {
+		log.Warnf("erro while updating the state of peer %s,err: %v", conn.config.Key, err)
+	}
+
 	defer func() {
 		err := conn.cleanup()
 		if err != nil {
@@ -165,7 +200,7 @@ func (conn *Conn) Open() error {
 		}
 	}()

-	err := conn.reCreateAgent()
+	err = conn.reCreateAgent()
 	if err != nil {
 		return err
 	}
@@ -180,15 +215,15 @@ func (conn *Conn) Open() error {
 	// Only continue once we got a connection confirmation from the remote peer.
 	// The connection timeout could have happened before a confirmation received from the remote.
 	// The connection could have also been closed externally (e.g. when we received an update from the management that peer shouldn't be connected)
-	var remoteCredentials IceCredentials
+	var remoteOfferAnswer OfferAnswer
 	select {
-	case remoteCredentials = <-conn.remoteOffersCh:
+	case remoteOfferAnswer = <-conn.remoteOffersCh:
 		// received confirmation from the remote peer -> ready to proceed
 		err = conn.sendAnswer()
 		if err != nil {
 			return err
 		}
-	case remoteCredentials = <-conn.remoteAnswerCh:
+	case remoteOfferAnswer = <-conn.remoteAnswerCh:
 	case <-time.After(conn.config.Timeout):
 		return NewConnectionTimeoutError(conn.config.Key, conn.config.Timeout)
 	case <-conn.closeCh:
@@ -196,7 +231,8 @@ func (conn *Conn) Open() error {
 		return NewConnectionClosedError(conn.config.Key)
 	}

-	log.Debugf("received connection confirmation from peer %s", conn.config.Key)
+	log.Debugf("received connection confirmation from peer %s running version %s and with remote WireGuard listen port %d",
+		conn.config.Key, remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort)

 	// at this point we received offer/answer and we are ready to gather candidates
 	conn.mu.Lock()
@@ -205,6 +241,15 @@ func (conn *Conn) Open() error {
 	defer conn.notifyDisconnected()
 	conn.mu.Unlock()

+	peerState = nbStatus.PeerState{PubKey: conn.config.Key}
+
+	peerState.ConnStatus = conn.status.String()
+	peerState.ConnStatusUpdate = time.Now()
+	err = conn.statusRecorder.UpdatePeerState(peerState)
+	if err != nil {
+		log.Warnf("erro while updating the state of peer %s,err: %v", conn.config.Key, err)
+	}
+
 	err = conn.agent.GatherCandidates()
 	if err != nil {
 		return err
@@ -216,28 +261,26 @@ func (conn *Conn) Open() error {
 	isControlling := conn.config.LocalKey > conn.config.Key
 	var remoteConn *ice.Conn
 	if isControlling {
-		remoteConn, err = conn.agent.Dial(conn.ctx, remoteCredentials.UFrag, remoteCredentials.Pwd)
+		remoteConn, err = conn.agent.Dial(conn.ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	} else {
-		remoteConn, err = conn.agent.Accept(conn.ctx, remoteCredentials.UFrag, remoteCredentials.Pwd)
+		remoteConn, err = conn.agent.Accept(conn.ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	}
 	if err != nil {
 		return err
 	}

-	// the connection has been established successfully so we are ready to start the proxy
-	err = conn.startProxy(remoteConn)
+	// dynamically set remote WireGuard port is other side specified a different one from the default one
+	remoteWgPort := iface.DefaultWgPort
+	if remoteOfferAnswer.WgListenPort != 0 {
+		remoteWgPort = remoteOfferAnswer.WgListenPort
+	}
+	// the ice connection has been established successfully so we are ready to start the proxy
+	err = conn.startProxy(remoteConn, remoteWgPort)
 	if err != nil {
 		return err
 	}

-	if conn.proxy.Type() == proxy.TypeNoProxy {
-		host, _, _ := net.SplitHostPort(remoteConn.LocalAddr().String())
-		rhost, _, _ := net.SplitHostPort(remoteConn.RemoteAddr().String())
-		// direct Wireguard connection
-		log.Infof("directly connected to peer %s [laddr <-> raddr] [%s:%d <-> %s:%d]", conn.config.Key, host, iface.DefaultWgPort, rhost, iface.DefaultWgPort)
-	} else {
-		log.Infof("connected to peer %s [laddr <-> raddr] [%s <-> %s]", conn.config.Key, remoteConn.LocalAddr().String(), remoteConn.RemoteAddr().String())
-	}
+	log.Infof("connected to peer %s [laddr <-> raddr] [%s <-> %s]", conn.config.Key, remoteConn.LocalAddr().String(), remoteConn.RemoteAddr().String())

 	// wait until connection disconnected or has been closed externally (upper layer, e.g. engine)
 	select {
@@ -259,6 +302,10 @@ func shouldUseProxy(pair *ice.CandidatePair) bool {
 	remoteIsPublic := IsPublicIP(remoteIP)
 	myIsPublic := IsPublicIP(myIp)

+	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
+		return true
+	}
+
 	//one of the hosts has a public IP
 	if remoteIsPublic && pair.Remote.Type() == ice.CandidateTypeHost {
 		return false
@@ -286,7 +333,7 @@ func IsPublicIP(ip net.IP) bool {
 }

 // startProxy starts proxying traffic from/to local Wireguard and sets connection status to StatusConnected
-func (conn *Conn) startProxy(remoteConn net.Conn) error {
+func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

@@ -296,13 +343,17 @@ func (conn *Conn) startProxy(remoteConn net.Conn) error {
 		return err
 	}

-	useProxy := shouldUseProxy(pair)
+	peerState := nbStatus.PeerState{PubKey: conn.config.Key}
+
 	var p proxy.Proxy
-	if useProxy {
+	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
 		p = proxy.NewWireguardProxy(conn.config.ProxyConfig)
+		peerState.Direct = false
 	} else {
-		p = proxy.NewNoProxy(conn.config.ProxyConfig)
+		p = proxy.NewNoProxy(conn.config.ProxyConfig, remoteWgPort)
+		peerState.Direct = true
 	}
+
 	conn.proxy = p
 	err = p.Start(remoteConn)
 	if err != nil {
@@ -311,6 +362,19 @@ func (conn *Conn) startProxy(remoteConn net.Conn) error {

 	conn.status = StatusConnected

+	peerState.ConnStatus = conn.status.String()
+	peerState.ConnStatusUpdate = time.Now()
+	peerState.LocalIceCandidateType = pair.Local.Type().String()
+	peerState.RemoteIceCandidateType = pair.Remote.Type().String()
+	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
+		peerState.Relayed = true
+	}
+
+	err = conn.statusRecorder.UpdatePeerState(peerState)
+	if err != nil {
+		log.Warnf("unable to save peer's state, got error: %v", err)
+	}
+
 	return nil
 }

@@ -343,18 +407,29 @@ func (conn *Conn) cleanup() error {

 	conn.status = StatusDisconnected

+	peerState := nbStatus.PeerState{PubKey: conn.config.Key}
+	peerState.ConnStatus = conn.status.String()
+	peerState.ConnStatusUpdate = time.Now()
+
+	err := conn.statusRecorder.UpdatePeerState(peerState)
+	if err != nil {
+		// pretty common error because by that time Engine can already remove the peer and status won't be available.
+		//todo rethink status updates
+		log.Debugf("error while updating peer's %s state, err: %v", conn.config.Key, err)
+	}
+
 	log.Debugf("cleaned up connection to peer %s", conn.config.Key)

 	return nil
 }

 // SetSignalOffer sets a handler function to be triggered by Conn when a new connection offer has to be signalled to the remote peer
-func (conn *Conn) SetSignalOffer(handler func(uFrag string, pwd string) error) {
+func (conn *Conn) SetSignalOffer(handler func(offer OfferAnswer) error) {
 	conn.signalOffer = handler
 }

 // SetSignalAnswer sets a handler function to be triggered by Conn when a new connection answer has to be signalled to the remote peer
-func (conn *Conn) SetSignalAnswer(handler func(uFrag string, pwd string) error) {
+func (conn *Conn) SetSignalAnswer(handler func(answer OfferAnswer) error) {
 	conn.signalAnswer = handler
 }

@@ -367,7 +442,7 @@ func (conn *Conn) SetSignalCandidate(handler func(candidate ice.Candidate) error
 // and then signals them to the remote peer
 func (conn *Conn) onICECandidate(candidate ice.Candidate) {
 	if candidate != nil {
-		// log.Debugf("discovered local candidate %s", candidate.String())
+		log.Debugf("discovered local candidate %s", candidate.String())
 		go func() {
 			err := conn.signalCandidate(candidate)
 			if err != nil {
@@ -399,8 +474,12 @@ func (conn *Conn) sendAnswer() error {
 		return err
 	}

-	log.Debugf("sending asnwer to %s", conn.config.Key)
-	err = conn.signalAnswer(localUFrag, localPwd)
+	log.Debugf("sending answer to %s", conn.config.Key)
+	err = conn.signalAnswer(OfferAnswer{
+		IceCredentials: IceCredentials{localUFrag, localPwd},
+		WgListenPort:   conn.config.LocalWgPort,
+		Version:        system.NetbirdVersion(),
+	})
 	if err != nil {
 		return err
 	}
@@ -417,7 +496,11 @@ func (conn *Conn) sendOffer() error {
 	if err != nil {
 		return err
 	}
-	err = conn.signalOffer(localUFrag, localPwd)
+	err = conn.signalOffer(OfferAnswer{
+		IceCredentials: IceCredentials{localUFrag, localPwd},
+		WgListenPort:   conn.config.LocalWgPort,
+		Version:        system.NetbirdVersion(),
+	})
 	if err != nil {
 		return err
 	}
@@ -458,11 +541,11 @@ func (conn *Conn) Status() ConnStatus {

 // OnRemoteOffer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
 // doesn't block, discards the message if connection wasn't ready
-func (conn *Conn) OnRemoteOffer(remoteAuth IceCredentials) bool {
+func (conn *Conn) OnRemoteOffer(offer OfferAnswer) bool {
 	log.Debugf("OnRemoteOffer from peer %s on status %s", conn.config.Key, conn.status.String())

 	select {
-	case conn.remoteOffersCh <- remoteAuth:
+	case conn.remoteOffersCh <- offer:
 		return true
 	default:
 		log.Debugf("OnRemoteOffer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String())
@@ -473,11 +556,11 @@ func (conn *Conn) OnRemoteOffer(remoteAuth IceCredentials) bool {

 // OnRemoteAnswer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
 // doesn't block, discards the message if connection wasn't ready
-func (conn *Conn) OnRemoteAnswer(remoteAuth IceCredentials) bool {
+func (conn *Conn) OnRemoteAnswer(answer OfferAnswer) bool {
 	log.Debugf("OnRemoteAnswer from peer %s on status %s", conn.config.Key, conn.status.String())

 	select {
-	case conn.remoteAnswerCh <- remoteAuth:
+	case conn.remoteAnswerCh <- answer:
 		return true
 	default:
 		// connection might not be ready yet to receive so we ignore the message
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -3,6 +3,7 @@ package peer
 import (
 	"github.com/magiconair/properties/assert"
 	"github.com/netbirdio/netbird/client/internal/proxy"
+	nbstatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/pion/ice/v2"
 	"sync"
@@ -17,6 +18,7 @@ var connConf = ConnConfig{
 	InterfaceBlackList: nil,
 	Timeout:            time.Second,
 	ProxyConfig:        proxy.Config{},
+	LocalWgPort:        51820,
 }

 func TestNewConn_interfaceFilter(t *testing.T) {
@@ -32,7 +34,7 @@ func TestNewConn_interfaceFilter(t *testing.T) {
 }

 func TestConn_GetKey(t *testing.T) {
-	conn, err := NewConn(connConf)
+	conn, err := NewConn(connConf, nil)
 	if err != nil {
 		return
 	}
@@ -44,7 +46,7 @@ func TestConn_GetKey(t *testing.T) {

 func TestConn_OnRemoteOffer(t *testing.T) {

-	conn, err := NewConn(connConf)
+	conn, err := NewConn(connConf, nbstatus.NewRecorder())
 	if err != nil {
 		return
 	}
@@ -58,9 +60,13 @@ func TestConn_OnRemoteOffer(t *testing.T) {

 	go func() {
 		for {
-			accepted := conn.OnRemoteOffer(IceCredentials{
-				UFrag: "test",
-				Pwd:   "test",
+			accepted := conn.OnRemoteOffer(OfferAnswer{
+				IceCredentials: IceCredentials{
+					UFrag: "test",
+					Pwd:   "test",
+				},
+				WgListenPort: 0,
+				Version:      "",
 			})
 			if accepted {
 				wg.Done()
@@ -74,7 +80,7 @@ func TestConn_OnRemoteOffer(t *testing.T) {

 func TestConn_OnRemoteAnswer(t *testing.T) {

-	conn, err := NewConn(connConf)
+	conn, err := NewConn(connConf, nbstatus.NewRecorder())
 	if err != nil {
 		return
 	}
@@ -88,9 +94,13 @@ func TestConn_OnRemoteAnswer(t *testing.T) {

 	go func() {
 		for {
-			accepted := conn.OnRemoteAnswer(IceCredentials{
-				UFrag: "test",
-				Pwd:   "test",
+			accepted := conn.OnRemoteAnswer(OfferAnswer{
+				IceCredentials: IceCredentials{
+					UFrag: "test",
+					Pwd:   "test",
+				},
+				WgListenPort: 0,
+				Version:      "",
 			})
 			if accepted {
 				wg.Done()
@@ -103,7 +113,7 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 }
 func TestConn_Status(t *testing.T) {

-	conn, err := NewConn(connConf)
+	conn, err := NewConn(connConf, nbstatus.NewRecorder())
 	if err != nil {
 		return
 	}
@@ -130,7 +140,7 @@ func TestConn_Status(t *testing.T) {

 func TestConn_Close(t *testing.T) {

-	conn, err := NewConn(connConf)
+	conn, err := NewConn(connConf, nbstatus.NewRecorder())
 	if err != nil {
 		return
 	}
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -7,11 +7,11 @@ type ConnStatus int
 func (s ConnStatus) String() string {
 	switch s {
 	case StatusConnecting:
-		return "StatusConnecting"
+		return "Connecting"
 	case StatusConnected:
-		return "StatusConnected"
+		return "Connected"
 	case StatusDisconnected:
-		return "StatusDisconnected"
+		return "Disconnected"
 	default:
 		log.Errorf("unknown status: %d", s)
 		return "INVALID_PEER_CONNECTION_STATUS"
@@ -19,7 +19,7 @@ func (s ConnStatus) String() string {
 }

 const (
-	StatusConnected = iota
+	StatusConnected ConnStatus = iota
 	StatusConnecting
 	StatusDisconnected
 )
--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -12,9 +12,9 @@ func TestConnStatus_String(t *testing.T) {
 		status ConnStatus
 		want   string
 	}{
-		{"StatusConnected", StatusConnected, "StatusConnected"},
-		{"StatusDisconnected", StatusDisconnected, "StatusDisconnected"},
-		{"StatusConnecting", StatusConnecting, "StatusConnecting"},
+		{"StatusConnected", StatusConnected, "Connected"},
+		{"StatusDisconnected", StatusDisconnected, "Disconnected"},
+		{"StatusConnecting", StatusConnecting, "Connecting"},
 	}

 	for _, table := range tables {
--- a/client/internal/proxy/noproxy.go
+++ b/client/internal/proxy/noproxy.go
@@ -1,7 +1,6 @@
 package proxy

 import (
-	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
 	"net"
 )
@@ -14,10 +13,14 @@ import (
 // In order NoProxy to work, Wireguard port has to be fixed for the time being.
 type NoProxy struct {
 	config Config
+	// RemoteWgListenPort is a WireGuard port of a remote peer.
+	// It is used instead of the hardcoded 51820 port.
+	RemoteWgListenPort int
 }

-func NewNoProxy(config Config) *NoProxy {
-	return &NoProxy{config: config}
+// NewNoProxy creates a new NoProxy with a provided config and remote peer's WireGuard listen port
+func NewNoProxy(config Config, remoteWgPort int) *NoProxy {
+	return &NoProxy{config: config, RemoteWgListenPort: remoteWgPort}
 }

 func (p *NoProxy) Close() error {
@@ -36,7 +39,6 @@ func (p *NoProxy) Start(remoteConn net.Conn) error {
 	if err != nil {
 		return err
 	}
-	addr.Port = iface.DefaultWgPort
 	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
 		addr, p.config.PreSharedKey)

--- a/client/internal/routemanager/client.go
+++ b/client/internal/routemanager/client.go
@@ -0,0 +1,285 @@
+package routemanager
+
+import (
+	"context"
+	"fmt"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/status"
+	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/route"
+	log "github.com/sirupsen/logrus"
+	"net/netip"
+)
+
+type routerPeerStatus struct {
+	connected bool
+	relayed   bool
+	direct    bool
+}
+
+type routesUpdate struct {
+	updateSerial uint64
+	routes       []*route.Route
+}
+
+type clientNetwork struct {
+	ctx                 context.Context
+	stop                context.CancelFunc
+	statusRecorder      *status.Status
+	wgInterface         *iface.WGIface
+	routes              map[string]*route.Route
+	routeUpdate         chan routesUpdate
+	peerStateUpdate     chan struct{}
+	routePeersNotifiers map[string]chan struct{}
+	chosenRoute         *route.Route
+	network             netip.Prefix
+	updateSerial        uint64
+}
+
+func newClientNetworkWatcher(ctx context.Context, wgInterface *iface.WGIface, statusRecorder *status.Status, network netip.Prefix) *clientNetwork {
+	ctx, cancel := context.WithCancel(ctx)
+	client := &clientNetwork{
+		ctx:                 ctx,
+		stop:                cancel,
+		statusRecorder:      statusRecorder,
+		wgInterface:         wgInterface,
+		routes:              make(map[string]*route.Route),
+		routePeersNotifiers: make(map[string]chan struct{}),
+		routeUpdate:         make(chan routesUpdate),
+		peerStateUpdate:     make(chan struct{}),
+		network:             network,
+	}
+	return client
+}
+
+func getClientNetworkID(input *route.Route) string {
+	return input.NetID + "-" + input.Network.String()
+}
+
+func (c *clientNetwork) getRouterPeerStatuses() map[string]routerPeerStatus {
+	routePeerStatuses := make(map[string]routerPeerStatus)
+	for _, r := range c.routes {
+		peerStatus, err := c.statusRecorder.GetPeer(r.Peer)
+		if err != nil {
+			log.Debugf("couldn't fetch peer state: %v", err)
+			continue
+		}
+		routePeerStatuses[r.ID] = routerPeerStatus{
+			connected: peerStatus.ConnStatus == peer.StatusConnected.String(),
+			relayed:   peerStatus.Relayed,
+			direct:    peerStatus.Direct,
+		}
+	}
+	return routePeerStatuses
+}
+
+func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]routerPeerStatus) string {
+	var chosen string
+	chosenScore := 0
+
+	currID := ""
+	if c.chosenRoute != nil {
+		currID = c.chosenRoute.ID
+	}
+
+	for _, r := range c.routes {
+		tempScore := 0
+		peerStatus, found := routePeerStatuses[r.ID]
+		if !found || !peerStatus.connected {
+			continue
+		}
+		if r.Metric < route.MaxMetric {
+			metricDiff := route.MaxMetric - r.Metric
+			tempScore = metricDiff * 10
+		}
+		if !peerStatus.relayed {
+			tempScore++
+		}
+		if !peerStatus.direct {
+			tempScore++
+		}
+		if tempScore > chosenScore || (tempScore == chosenScore && currID == r.ID) {
+			chosen = r.ID
+			chosenScore = tempScore
+		}
+	}
+
+	if chosen == "" {
+		var peers []string
+		for _, r := range c.routes {
+			peers = append(peers, r.Peer)
+		}
+		log.Warnf("no route was chosen for network %s because no peers from list %s were connected", c.network, peers)
+	} else if chosen != currID {
+		log.Infof("new chosen route is %s with peer %s with score %d", chosen, c.routes[chosen].Peer, chosenScore)
+	}
+
+	return chosen
+}
+
+func (c *clientNetwork) watchPeerStatusChanges(ctx context.Context, peerKey string, peerStateUpdate chan struct{}, closer chan struct{}) {
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-closer:
+			return
+		case <-c.statusRecorder.GetPeerStateChangeNotifier(peerKey):
+			state, err := c.statusRecorder.GetPeer(peerKey)
+			if err != nil || state.ConnStatus == peer.StatusConnecting.String() {
+				continue
+			}
+			peerStateUpdate <- struct{}{}
+			log.Debugf("triggered route state update for Peer %s, state: %s", peerKey, state.ConnStatus)
+		}
+	}
+}
+
+func (c *clientNetwork) startPeersStatusChangeWatcher() {
+	for _, r := range c.routes {
+		_, found := c.routePeersNotifiers[r.Peer]
+		if !found {
+			c.routePeersNotifiers[r.Peer] = make(chan struct{})
+			go c.watchPeerStatusChanges(c.ctx, r.Peer, c.peerStateUpdate, c.routePeersNotifiers[r.Peer])
+		}
+	}
+}
+
+func (c *clientNetwork) removeRouteFromWireguardPeer(peerKey string) error {
+	state, err := c.statusRecorder.GetPeer(peerKey)
+	if err != nil || state.ConnStatus != peer.StatusConnected.String() {
+		return nil
+	}
+
+	err = c.wgInterface.RemoveAllowedIP(peerKey, c.network.String())
+	if err != nil {
+		return fmt.Errorf("couldn't remove allowed IP %s removed for peer %s, err: %v",
+			c.network, c.chosenRoute.Peer, err)
+	}
+	return nil
+}
+
+func (c *clientNetwork) removeRouteFromPeerAndSystem() error {
+	if c.chosenRoute != nil {
+		err := c.removeRouteFromWireguardPeer(c.chosenRoute.Peer)
+		if err != nil {
+			return err
+		}
+		err = removeFromRouteTableIfNonSystem(c.network, c.wgInterface.GetAddress().IP.String())
+		if err != nil {
+			return fmt.Errorf("couldn't remove route %s from system, err: %v",
+				c.network, err)
+		}
+	}
+	return nil
+}
+
+func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
+
+	var err error
+
+	routerPeerStatuses := c.getRouterPeerStatuses()
+
+	chosen := c.getBestRouteFromStatuses(routerPeerStatuses)
+	if chosen == "" {
+		err = c.removeRouteFromPeerAndSystem()
+		if err != nil {
+			return err
+		}
+
+		c.chosenRoute = nil
+
+		return nil
+	}
+
+	if c.chosenRoute != nil && c.chosenRoute.ID == chosen {
+		if c.chosenRoute.IsEqual(c.routes[chosen]) {
+			return nil
+		}
+	}
+
+	if c.chosenRoute != nil {
+		err = c.removeRouteFromWireguardPeer(c.chosenRoute.Peer)
+		if err != nil {
+			return err
+		}
+	} else {
+		err = addToRouteTableIfNoExists(c.network, c.wgInterface.GetAddress().IP.String())
+		if err != nil {
+			return fmt.Errorf("route %s couldn't be added for peer %s, err: %v",
+				c.chosenRoute.Network.String(), c.wgInterface.GetAddress().IP.String(), err)
+		}
+	}
+
+	c.chosenRoute = c.routes[chosen]
+	err = c.wgInterface.AddAllowedIP(c.chosenRoute.Peer, c.network.String())
+	if err != nil {
+		log.Errorf("couldn't add allowed IP %s added for peer %s, err: %v",
+			c.network, c.chosenRoute.Peer, err)
+	}
+
+	return nil
+}
+
+func (c *clientNetwork) sendUpdateToClientNetworkWatcher(update routesUpdate) {
+	go func() {
+		c.routeUpdate <- update
+	}()
+}
+
+func (c *clientNetwork) handleUpdate(update routesUpdate) {
+	updateMap := make(map[string]*route.Route)
+
+	for _, r := range update.routes {
+		updateMap[r.ID] = r
+	}
+
+	for id, r := range c.routes {
+		_, found := updateMap[id]
+		if !found {
+			close(c.routePeersNotifiers[r.Peer])
+			delete(c.routePeersNotifiers, r.Peer)
+		}
+	}
+
+	c.routes = updateMap
+}
+
+// peersStateAndUpdateWatcher is the main point of reacting on client network routing events.
+// All the processing related to the client network should be done here. Thread-safe.
+func (c *clientNetwork) peersStateAndUpdateWatcher() {
+	for {
+		select {
+		case <-c.ctx.Done():
+			log.Debugf("stopping watcher for network %s", c.network)
+			err := c.removeRouteFromPeerAndSystem()
+			if err != nil {
+				log.Error(err)
+			}
+			return
+		case <-c.peerStateUpdate:
+			err := c.recalculateRouteAndUpdatePeerAndSystem()
+			if err != nil {
+				log.Error(err)
+			}
+		case update := <-c.routeUpdate:
+			if update.updateSerial < c.updateSerial {
+				log.Warnf("received a routes update with smaller serial number, ignoring it")
+				continue
+			}
+
+			log.Debugf("received a new client network route update for %s", c.network)
+
+			c.handleUpdate(update)
+
+			c.updateSerial = update.updateSerial
+
+			err := c.recalculateRouteAndUpdatePeerAndSystem()
+			if err != nil {
+				log.Error(err)
+			}
+
+			c.startPeersStatusChangeWatcher()
+		}
+	}
+}
--- a/client/internal/routemanager/common_linux_test.go
+++ b/client/internal/routemanager/common_linux_test.go
@@ -0,0 +1,75 @@
+package routemanager
+
+var insertRuleTestCases = []struct {
+	name      string
+	inputPair routerPair
+	ipVersion string
+}{
+	{
+		name: "Insert Forwarding IPV4 Rule",
+		inputPair: routerPair{
+			ID:          "zxa",
+			source:      "100.100.100.1/32",
+			destination: "100.100.200.0/24",
+			masquerade:  false,
+		},
+		ipVersion: ipv4,
+	},
+	{
+		name: "Insert Forwarding And Nat IPV4 Rules",
+		inputPair: routerPair{
+			ID:          "zxa",
+			source:      "100.100.100.1/32",
+			destination: "100.100.200.0/24",
+			masquerade:  true,
+		},
+		ipVersion: ipv4,
+	},
+	{
+		name: "Insert Forwarding IPV6 Rule",
+		inputPair: routerPair{
+			ID:          "zxa",
+			source:      "fc00::1/128",
+			destination: "fc12::/64",
+			masquerade:  false,
+		},
+		ipVersion: ipv6,
+	},
+	{
+		name: "Insert Forwarding And Nat IPV6 Rules",
+		inputPair: routerPair{
+			ID:          "zxa",
+			source:      "fc00::1/128",
+			destination: "fc12::/64",
+			masquerade:  true,
+		},
+		ipVersion: ipv6,
+	},
+}
+
+var removeRuleTestCases = []struct {
+	name      string
+	inputPair routerPair
+	ipVersion string
+}{
+	{
+		name: "Remove Forwarding And Nat IPV4 Rules",
+		inputPair: routerPair{
+			ID:          "zxa",
+			source:      "100.100.100.1/32",
+			destination: "100.100.200.0/24",
+			masquerade:  true,
+		},
+		ipVersion: ipv4,
+	},
+	{
+		name: "Remove Forwarding And Nat IPV6 Rules",
+		inputPair: routerPair{
+			ID:          "zxa",
+			source:      "fc00::1/128",
+			destination: "fc12::/64",
+			masquerade:  true,
+		},
+		ipVersion: ipv6,
+	},
+}
--- a/client/internal/routemanager/firewall.go
+++ b/client/internal/routemanager/firewall.go
@@ -0,0 +1,12 @@
+package routemanager
+
+type firewallManager interface {
+	// RestoreOrCreateContainers restores or creates a firewall container set of rules, tables and default rules
+	RestoreOrCreateContainers() error
+	// InsertRoutingRules inserts a routing firewall rule
+	InsertRoutingRules(pair routerPair) error
+	// RemoveRoutingRules removes a routing firewall rule
+	RemoveRoutingRules(pair routerPair) error
+	// CleanRoutingRules cleans a firewall set of containers
+	CleanRoutingRules()
+}
--- a/client/internal/routemanager/firewall_linux.go
+++ b/client/internal/routemanager/firewall_linux.go
@@ -0,0 +1,55 @@
+package routemanager
+
+import (
+	"context"
+	"fmt"
+	"github.com/coreos/go-iptables/iptables"
+	log "github.com/sirupsen/logrus"
+)
+import "github.com/google/nftables"
+
+const (
+	ipv6Forwarding   = "netbird-rt-ipv6-forwarding"
+	ipv4Forwarding   = "netbird-rt-ipv4-forwarding"
+	ipv6Nat          = "netbird-rt-ipv6-nat"
+	ipv4Nat          = "netbird-rt-ipv4-nat"
+	natFormat        = "netbird-nat-%s"
+	forwardingFormat = "netbird-fwd-%s"
+	ipv6             = "ipv6"
+	ipv4             = "ipv4"
+)
+
+func genKey(format string, input string) string {
+	return fmt.Sprintf(format, input)
+}
+
+// NewFirewall if supported, returns an iptables manager, otherwise returns a nftables manager
+func NewFirewall(parentCTX context.Context) firewallManager {
+	ctx, cancel := context.WithCancel(parentCTX)
+
+	if isIptablesSupported() {
+		log.Debugf("iptables is supported")
+		ipv4Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+		ipv6Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+
+		return &iptablesManager{
+			ctx:        ctx,
+			stop:       cancel,
+			ipv4Client: ipv4Client,
+			ipv6Client: ipv6Client,
+			rules:      make(map[string]map[string][]string),
+		}
+	}
+
+	log.Debugf("iptables is not supported, using nftables")
+
+	manager := &nftablesManager{
+		ctx:    ctx,
+		stop:   cancel,
+		conn:   &nftables.Conn{},
+		chains: make(map[string]map[string]*nftables.Chain),
+		rules:  make(map[string]*nftables.Rule),
+	}
+
+	return manager
+}
--- a/client/internal/routemanager/firewall_nonlinux.go
+++ b/client/internal/routemanager/firewall_nonlinux.go
@@ -0,0 +1,27 @@
+//go:build !linux
+// +build !linux
+
+package routemanager
+
+import "context"
+
+type unimplementedFirewall struct{}
+
+func (unimplementedFirewall) RestoreOrCreateContainers() error {
+	return nil
+}
+func (unimplementedFirewall) InsertRoutingRules(pair routerPair) error {
+	return nil
+}
+func (unimplementedFirewall) RemoveRoutingRules(pair routerPair) error {
+	return nil
+}
+
+func (unimplementedFirewall) CleanRoutingRules() {
+	return
+}
+
+// NewFirewall returns an unimplemented Firewall manager
+func NewFirewall(parentCtx context.Context) firewallManager {
+	return unimplementedFirewall{}
+}
--- a/client/internal/routemanager/iptables_linux.go
+++ b/client/internal/routemanager/iptables_linux.go
@@ -0,0 +1,403 @@
+package routemanager
+
+import (
+	"context"
+	"fmt"
+	"github.com/coreos/go-iptables/iptables"
+	log "github.com/sirupsen/logrus"
+	"net/netip"
+	"os/exec"
+	"strings"
+	"sync"
+)
+
+func isIptablesSupported() bool {
+	_, err4 := exec.LookPath("iptables")
+	_, err6 := exec.LookPath("ip6tables")
+	return err4 == nil && err6 == nil
+}
+
+// constants needed to manage and create iptable rules
+const (
+	iptablesFilterTable            = "filter"
+	iptablesNatTable               = "nat"
+	iptablesForwardChain           = "FORWARD"
+	iptablesPostRoutingChain       = "POSTROUTING"
+	iptablesRoutingNatChain        = "NETBIRD-RT-NAT"
+	iptablesRoutingForwardingChain = "NETBIRD-RT-FWD"
+	routingFinalForwardJump        = "ACCEPT"
+	routingFinalNatJump            = "MASQUERADE"
+)
+
+// some presets for building nftable rules
+var (
+	iptablesDefaultForwardingRule        = []string{"-j", iptablesRoutingForwardingChain, "-m", "comment", "--comment"}
+	iptablesDefaultNetbirdForwardingRule = []string{"-j", "RETURN"}
+	iptablesDefaultNatRule               = []string{"-j", iptablesRoutingNatChain, "-m", "comment", "--comment"}
+	iptablesDefaultNetbirdNatRule        = []string{"-j", "RETURN"}
+)
+
+type iptablesManager struct {
+	ctx        context.Context
+	stop       context.CancelFunc
+	ipv4Client *iptables.IPTables
+	ipv6Client *iptables.IPTables
+	rules      map[string]map[string][]string
+	mux        sync.Mutex
+}
+
+// CleanRoutingRules cleans existing iptables resources that we created by the agent
+func (i *iptablesManager) CleanRoutingRules() {
+	i.mux.Lock()
+	defer i.mux.Unlock()
+
+	err := i.cleanJumpRules()
+	if err != nil {
+		log.Error(err)
+	}
+
+	log.Debug("flushing tables")
+	errMSGFormat := "iptables: failed cleaning %s chain %s,error: %v"
+	err = i.ipv4Client.ClearAndDeleteChain(iptablesFilterTable, iptablesRoutingForwardingChain)
+	if err != nil {
+		log.Errorf(errMSGFormat, ipv4, iptablesRoutingForwardingChain, err)
+	}
+
+	err = i.ipv4Client.ClearAndDeleteChain(iptablesNatTable, iptablesRoutingNatChain)
+	if err != nil {
+		log.Errorf(errMSGFormat, ipv4, iptablesRoutingNatChain, err)
+	}
+
+	err = i.ipv6Client.ClearAndDeleteChain(iptablesFilterTable, iptablesRoutingForwardingChain)
+	if err != nil {
+		log.Errorf(errMSGFormat, ipv6, iptablesRoutingForwardingChain, err)
+	}
+
+	err = i.ipv6Client.ClearAndDeleteChain(iptablesNatTable, iptablesRoutingNatChain)
+	if err != nil {
+		log.Errorf(errMSGFormat, ipv6, iptablesRoutingNatChain, err)
+	}
+
+	log.Info("done cleaning up iptables rules")
+}
+
+// RestoreOrCreateContainers restores existing iptables containers (chains and rules)
+// if they don't exist, we create them
+func (i *iptablesManager) RestoreOrCreateContainers() error {
+	i.mux.Lock()
+	defer i.mux.Unlock()
+
+	if i.rules[ipv4][ipv4Forwarding] != nil && i.rules[ipv6][ipv6Forwarding] != nil {
+		return nil
+	}
+
+	errMSGFormat := "iptables: failed creating %s chain %s,error: %v"
+
+	err := createChain(i.ipv4Client, iptablesFilterTable, iptablesRoutingForwardingChain)
+	if err != nil {
+		return fmt.Errorf(errMSGFormat, ipv4, iptablesRoutingForwardingChain, err)
+	}
+
+	err = createChain(i.ipv4Client, iptablesNatTable, iptablesRoutingNatChain)
+	if err != nil {
+		return fmt.Errorf(errMSGFormat, ipv4, iptablesRoutingNatChain, err)
+	}
+
+	err = createChain(i.ipv6Client, iptablesFilterTable, iptablesRoutingForwardingChain)
+	if err != nil {
+		return fmt.Errorf(errMSGFormat, ipv6, iptablesRoutingForwardingChain, err)
+	}
+
+	err = createChain(i.ipv6Client, iptablesNatTable, iptablesRoutingNatChain)
+	if err != nil {
+		return fmt.Errorf(errMSGFormat, ipv6, iptablesRoutingNatChain, err)
+	}
+
+	err = i.restoreRules(i.ipv4Client)
+	if err != nil {
+		return fmt.Errorf("iptables: error while restoring ipv4 rules: %v", err)
+	}
+
+	err = i.restoreRules(i.ipv6Client)
+	if err != nil {
+		return fmt.Errorf("iptables: error while restoring ipv6 rules: %v", err)
+	}
+
+	err = i.addJumpRules()
+	if err != nil {
+		return fmt.Errorf("iptables: error while creating jump rules: %v", err)
+	}
+
+	return nil
+}
+
+// addJumpRules create jump rules to send packets to NetBird chains
+func (i *iptablesManager) addJumpRules() error {
+	err := i.cleanJumpRules()
+	if err != nil {
+		return err
+	}
+	rule := append(iptablesDefaultForwardingRule, ipv4Forwarding)
+	err = i.ipv4Client.Insert(iptablesFilterTable, iptablesForwardChain, 1, rule...)
+	if err != nil {
+		return err
+	}
+
+	i.rules[ipv4][ipv4Forwarding] = rule
+
+	rule = append(iptablesDefaultNatRule, ipv4Nat)
+	err = i.ipv4Client.Insert(iptablesNatTable, iptablesPostRoutingChain, 1, rule...)
+	if err != nil {
+		return err
+	}
+	i.rules[ipv4][ipv4Nat] = rule
+
+	rule = append(iptablesDefaultForwardingRule, ipv6Forwarding)
+	err = i.ipv6Client.Insert(iptablesFilterTable, iptablesForwardChain, 1, rule...)
+	if err != nil {
+		return err
+	}
+	i.rules[ipv6][ipv6Forwarding] = rule
+
+	rule = append(iptablesDefaultNatRule, ipv6Nat)
+	err = i.ipv6Client.Insert(iptablesNatTable, iptablesPostRoutingChain, 1, rule...)
+	if err != nil {
+		return err
+	}
+	i.rules[ipv6][ipv6Nat] = rule
+
+	return nil
+}
+
+// cleanJumpRules cleans jump rules that was sending packets to NetBird chains
+func (i *iptablesManager) cleanJumpRules() error {
+	var err error
+	errMSGFormat := "iptables: failed cleaning rule from %s chain %s,err: %v"
+	rule, found := i.rules[ipv4][ipv4Forwarding]
+	if found {
+		log.Debugf("iptables: removing %s rule: %s ", ipv4, ipv4Forwarding)
+		err = i.ipv4Client.DeleteIfExists(iptablesFilterTable, iptablesForwardChain, rule...)
+		if err != nil {
+			return fmt.Errorf(errMSGFormat, ipv4, iptablesForwardChain, err)
+		}
+	}
+	rule, found = i.rules[ipv4][ipv4Nat]
+	if found {
+		log.Debugf("iptables: removing %s rule: %s ", ipv4, ipv4Nat)
+		err = i.ipv4Client.DeleteIfExists(iptablesNatTable, iptablesPostRoutingChain, rule...)
+		if err != nil {
+			return fmt.Errorf(errMSGFormat, ipv4, iptablesPostRoutingChain, err)
+		}
+	}
+	rule, found = i.rules[ipv6][ipv6Forwarding]
+	if found {
+		log.Debugf("iptables: removing %s rule: %s ", ipv6, ipv6Forwarding)
+		err = i.ipv6Client.DeleteIfExists(iptablesFilterTable, iptablesForwardChain, rule...)
+		if err != nil {
+			return fmt.Errorf(errMSGFormat, ipv6, iptablesForwardChain, err)
+		}
+	}
+	rule, found = i.rules[ipv6][ipv6Nat]
+	if found {
+		log.Debugf("iptables: removing %s rule: %s ", ipv6, ipv6Nat)
+		err = i.ipv6Client.DeleteIfExists(iptablesNatTable, iptablesPostRoutingChain, rule...)
+		if err != nil {
+			return fmt.Errorf(errMSGFormat, ipv6, iptablesPostRoutingChain, err)
+		}
+	}
+	return nil
+}
+
+func iptablesProtoToString(proto iptables.Protocol) string {
+	if proto == iptables.ProtocolIPv6 {
+		return ipv6
+	}
+	return ipv4
+}
+
+// restoreRules restores existing NetBird rules
+func (i *iptablesManager) restoreRules(iptablesClient *iptables.IPTables) error {
+	ipVersion := iptablesProtoToString(iptablesClient.Proto())
+
+	if i.rules[ipVersion] == nil {
+		i.rules[ipVersion] = make(map[string][]string)
+	}
+	table := iptablesFilterTable
+	for _, chain := range []string{iptablesForwardChain, iptablesRoutingForwardingChain} {
+		rules, err := iptablesClient.List(table, chain)
+		if err != nil {
+			return err
+		}
+		for _, ruleString := range rules {
+			rule := strings.Fields(ruleString)
+			id := getRuleRouteID(rule)
+			if id != "" {
+				i.rules[ipVersion][id] = rule[2:]
+			}
+		}
+	}
+
+	table = iptablesNatTable
+	for _, chain := range []string{iptablesPostRoutingChain, iptablesRoutingNatChain} {
+		rules, err := iptablesClient.List(table, chain)
+		if err != nil {
+			return err
+		}
+		for _, ruleString := range rules {
+			rule := strings.Fields(ruleString)
+			id := getRuleRouteID(rule)
+			if id != "" {
+				i.rules[ipVersion][id] = rule[2:]
+			}
+		}
+	}
+
+	return nil
+}
+
+// createChain create NetBird chains
+func createChain(iptables *iptables.IPTables, table, newChain string) error {
+	chains, err := iptables.ListChains(table)
+	if err != nil {
+		return fmt.Errorf("couldn't get %s %s table chains, error: %v", iptablesProtoToString(iptables.Proto()), table, err)
+	}
+
+	shouldCreateChain := true
+	for _, chain := range chains {
+		if chain == newChain {
+			shouldCreateChain = false
+		}
+	}
+
+	if shouldCreateChain {
+		err = iptables.NewChain(table, newChain)
+		if err != nil {
+			return fmt.Errorf("couldn't create %s chain %s in %s table, error: %v", iptablesProtoToString(iptables.Proto()), newChain, table, err)
+		}
+
+		if table == iptablesNatTable {
+			err = iptables.Append(table, newChain, iptablesDefaultNetbirdNatRule...)
+		} else {
+			err = iptables.Append(table, newChain, iptablesDefaultNetbirdForwardingRule...)
+		}
+		if err != nil {
+			return fmt.Errorf("couldn't create %s chain %s default rule, error: %v", iptablesProtoToString(iptables.Proto()), newChain, err)
+		}
+
+	}
+	return nil
+}
+
+// genRuleSpec generates rule specification with comment identifier
+func genRuleSpec(jump, id, source, destination string) []string {
+	return []string{"-s", source, "-d", destination, "-j", jump, "-m", "comment", "--comment", id}
+}
+
+// getRuleRouteID returns the rule ID if matches our prefix
+func getRuleRouteID(rule []string) string {
+	for i, flag := range rule {
+		if flag == "--comment" {
+			id := rule[i+1]
+			if strings.HasPrefix(id, "netbird-") {
+				return id
+			}
+		}
+	}
+	return ""
+}
+
+// InsertRoutingRules inserts an iptables rule pair to the forwarding chain and if enabled, to the nat chain
+func (i *iptablesManager) InsertRoutingRules(pair routerPair) error {
+	i.mux.Lock()
+	defer i.mux.Unlock()
+
+	var err error
+	prefix := netip.MustParsePrefix(pair.source)
+	ipVersion := ipv4
+	iptablesClient := i.ipv4Client
+	if prefix.Addr().Unmap().Is6() {
+		iptablesClient = i.ipv6Client
+		ipVersion = ipv6
+	}
+
+	forwardRuleKey := genKey(forwardingFormat, pair.ID)
+	forwardRule := genRuleSpec(routingFinalForwardJump, forwardRuleKey, pair.source, pair.destination)
+	existingRule, found := i.rules[ipVersion][forwardRuleKey]
+	if found {
+		err = iptablesClient.DeleteIfExists(iptablesFilterTable, iptablesRoutingForwardingChain, existingRule...)
+		if err != nil {
+			return fmt.Errorf("iptables: error while removing existing forwarding rule for %s: %v", pair.destination, err)
+		}
+		delete(i.rules[ipVersion], forwardRuleKey)
+	}
+	err = iptablesClient.Insert(iptablesFilterTable, iptablesRoutingForwardingChain, 1, forwardRule...)
+	if err != nil {
+		return fmt.Errorf("iptables: error while adding new forwarding rule for %s: %v", pair.destination, err)
+	}
+
+	i.rules[ipVersion][forwardRuleKey] = forwardRule
+
+	if !pair.masquerade {
+		return nil
+	}
+
+	natRuleKey := genKey(natFormat, pair.ID)
+	natRule := genRuleSpec(routingFinalNatJump, natRuleKey, pair.source, pair.destination)
+	existingRule, found = i.rules[ipVersion][natRuleKey]
+	if found {
+		err = iptablesClient.DeleteIfExists(iptablesNatTable, iptablesRoutingNatChain, existingRule...)
+		if err != nil {
+			return fmt.Errorf("iptables: error while removing existing nat rulefor %s: %v", pair.destination, err)
+		}
+		delete(i.rules[ipVersion], natRuleKey)
+	}
+	err = iptablesClient.Insert(iptablesNatTable, iptablesRoutingNatChain, 1, natRule...)
+	if err != nil {
+		return fmt.Errorf("iptables: error while adding new nat rulefor %s: %v", pair.destination, err)
+	}
+
+	i.rules[ipVersion][natRuleKey] = natRule
+
+	return nil
+}
+
+// RemoveRoutingRules removes an iptables rule pair from forwarding and nat chains
+func (i *iptablesManager) RemoveRoutingRules(pair routerPair) error {
+	i.mux.Lock()
+	defer i.mux.Unlock()
+
+	var err error
+	prefix := netip.MustParsePrefix(pair.source)
+	ipVersion := ipv4
+	iptablesClient := i.ipv4Client
+	if prefix.Addr().Unmap().Is6() {
+		iptablesClient = i.ipv6Client
+		ipVersion = ipv6
+	}
+
+	forwardRuleKey := genKey(forwardingFormat, pair.ID)
+	existingRule, found := i.rules[ipVersion][forwardRuleKey]
+	if found {
+		err = iptablesClient.DeleteIfExists(iptablesFilterTable, iptablesRoutingForwardingChain, existingRule...)
+		if err != nil {
+			return fmt.Errorf("iptables: error while removing existing forwarding rule for %s: %v", pair.destination, err)
+		}
+	}
+	delete(i.rules[ipVersion], forwardRuleKey)
+
+	if !pair.masquerade {
+		return nil
+	}
+
+	natRuleKey := genKey(natFormat, pair.ID)
+	existingRule, found = i.rules[ipVersion][natRuleKey]
+	if found {
+		err = iptablesClient.DeleteIfExists(iptablesNatTable, iptablesRoutingNatChain, existingRule...)
+		if err != nil {
+			return fmt.Errorf("iptables: error while removing existing nat rule for %s: %v", pair.destination, err)
+		}
+	}
+	delete(i.rules[ipVersion], natRuleKey)
+
+	return nil
+}
--- a/client/internal/routemanager/iptables_linux_test.go
+++ b/client/internal/routemanager/iptables_linux_test.go
@@ -0,0 +1,247 @@
+package routemanager
+
+import (
+	"context"
+	"github.com/coreos/go-iptables/iptables"
+	"github.com/stretchr/testify/require"
+	"testing"
+)
+
+func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
+
+	if !isIptablesSupported() {
+		t.SkipNow()
+	}
+
+	ctx, cancel := context.WithCancel(context.TODO())
+	ipv4Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	ipv6Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+
+	manager := &iptablesManager{
+		ctx:        ctx,
+		stop:       cancel,
+		ipv4Client: ipv4Client,
+		ipv6Client: ipv6Client,
+		rules:      make(map[string]map[string][]string),
+	}
+
+	defer manager.CleanRoutingRules()
+
+	err := manager.RestoreOrCreateContainers()
+	require.NoError(t, err, "shouldn't return error")
+
+	require.Len(t, manager.rules, 2, "should have created maps for ipv4 and ipv6")
+
+	require.Len(t, manager.rules[ipv4], 2, "should have created minimal rules for ipv4")
+
+	exists, err := ipv4Client.Exists(iptablesFilterTable, iptablesForwardChain, manager.rules[ipv4][ipv4Forwarding]...)
+	require.NoError(t, err, "should be able to query the iptables %s %s table and %s chain", ipv4, iptablesFilterTable, iptablesForwardChain)
+	require.True(t, exists, "forwarding rule should exist")
+
+	exists, err = ipv4Client.Exists(iptablesNatTable, iptablesPostRoutingChain, manager.rules[ipv4][ipv4Nat]...)
+	require.NoError(t, err, "should be able to query the iptables %s %s table and %s chain", ipv4, iptablesNatTable, iptablesPostRoutingChain)
+	require.True(t, exists, "postrouting rule should exist")
+
+	require.Len(t, manager.rules[ipv6], 2, "should have created minimal rules for ipv6")
+
+	exists, err = ipv6Client.Exists(iptablesFilterTable, iptablesForwardChain, manager.rules[ipv6][ipv6Forwarding]...)
+	require.NoError(t, err, "should be able to query the iptables %s %s table and %s chain", ipv6, iptablesFilterTable, iptablesForwardChain)
+	require.True(t, exists, "forwarding rule should exist")
+
+	exists, err = ipv6Client.Exists(iptablesNatTable, iptablesPostRoutingChain, manager.rules[ipv6][ipv6Nat]...)
+	require.NoError(t, err, "should be able to query the iptables %s %s table and %s chain", ipv6, iptablesNatTable, iptablesPostRoutingChain)
+	require.True(t, exists, "postrouting rule should exist")
+
+	pair := routerPair{
+		ID:          "abc",
+		source:      "100.100.100.1/32",
+		destination: "100.100.100.0/24",
+		masquerade:  true,
+	}
+	forward4RuleKey := genKey(forwardingFormat, pair.ID)
+	forward4Rule := genRuleSpec(routingFinalForwardJump, forward4RuleKey, pair.source, pair.destination)
+
+	err = ipv4Client.Insert(iptablesFilterTable, iptablesRoutingForwardingChain, 1, forward4Rule...)
+	require.NoError(t, err, "inserting rule should not return error")
+
+	nat4RuleKey := genKey(natFormat, pair.ID)
+	nat4Rule := genRuleSpec(routingFinalNatJump, nat4RuleKey, pair.source, pair.destination)
+
+	err = ipv4Client.Insert(iptablesNatTable, iptablesRoutingNatChain, 1, nat4Rule...)
+	require.NoError(t, err, "inserting rule should not return error")
+
+	pair = routerPair{
+		ID:          "abc",
+		source:      "fc00::1/128",
+		destination: "fc11::/64",
+		masquerade:  true,
+	}
+
+	forward6RuleKey := genKey(forwardingFormat, pair.ID)
+	forward6Rule := genRuleSpec(routingFinalForwardJump, forward6RuleKey, pair.source, pair.destination)
+
+	err = ipv6Client.Insert(iptablesFilterTable, iptablesRoutingForwardingChain, 1, forward6Rule...)
+	require.NoError(t, err, "inserting rule should not return error")
+
+	nat6RuleKey := genKey(natFormat, pair.ID)
+	nat6Rule := genRuleSpec(routingFinalNatJump, nat6RuleKey, pair.source, pair.destination)
+
+	err = ipv6Client.Insert(iptablesNatTable, iptablesRoutingNatChain, 1, nat6Rule...)
+	require.NoError(t, err, "inserting rule should not return error")
+
+	delete(manager.rules, ipv4)
+	delete(manager.rules, ipv6)
+
+	err = manager.RestoreOrCreateContainers()
+	require.NoError(t, err, "shouldn't return error")
+
+	require.Len(t, manager.rules[ipv4], 4, "should have restored all rules for ipv4")
+
+	foundRule, found := manager.rules[ipv4][forward4RuleKey]
+	require.True(t, found, "forwarding rule should exist in the map")
+	require.Equal(t, forward4Rule[:4], foundRule[:4], "stored forwarding rule should match")
+
+	foundRule, found = manager.rules[ipv4][nat4RuleKey]
+	require.True(t, found, "nat rule should exist in the map")
+	require.Equal(t, nat4Rule[:4], foundRule[:4], "stored nat rule should match")
+
+	require.Len(t, manager.rules[ipv6], 4, "should have restored all rules for ipv6")
+
+	foundRule, found = manager.rules[ipv6][forward6RuleKey]
+	require.True(t, found, "forwarding rule should exist in the map")
+	require.Equal(t, forward6Rule[:4], foundRule[:4], "stored forward rule should match")
+
+	foundRule, found = manager.rules[ipv6][nat6RuleKey]
+	require.True(t, found, "nat rule should exist in the map")
+	require.Equal(t, nat6Rule[:4], foundRule[:4], "stored nat rule should match")
+}
+
+func TestIptablesManager_InsertRoutingRules(t *testing.T) {
+
+	if !isIptablesSupported() {
+		t.SkipNow()
+	}
+
+	for _, testCase := range insertRuleTestCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.TODO())
+			ipv4Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+			ipv6Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+			iptablesClient := ipv4Client
+			if testCase.ipVersion == ipv6 {
+				iptablesClient = ipv6Client
+			}
+
+			manager := &iptablesManager{
+				ctx:        ctx,
+				stop:       cancel,
+				ipv4Client: ipv4Client,
+				ipv6Client: ipv6Client,
+				rules:      make(map[string]map[string][]string),
+			}
+
+			defer manager.CleanRoutingRules()
+
+			err := manager.RestoreOrCreateContainers()
+			require.NoError(t, err, "shouldn't return error")
+
+			err = manager.InsertRoutingRules(testCase.inputPair)
+			require.NoError(t, err, "forwarding pair should be inserted")
+
+			forwardRuleKey := genKey(forwardingFormat, testCase.inputPair.ID)
+			forwardRule := genRuleSpec(routingFinalForwardJump, forwardRuleKey, testCase.inputPair.source, testCase.inputPair.destination)
+
+			exists, err := iptablesClient.Exists(iptablesFilterTable, iptablesRoutingForwardingChain, forwardRule...)
+			require.NoError(t, err, "should be able to query the iptables %s %s table and %s chain", testCase.ipVersion, iptablesFilterTable, iptablesRoutingForwardingChain)
+			require.True(t, exists, "forwarding rule should exist")
+
+			foundRule, found := manager.rules[testCase.ipVersion][forwardRuleKey]
+			require.True(t, found, "forwarding rule should exist in the manager map")
+			require.Equal(t, forwardRule[:4], foundRule[:4], "stored forwarding rule should match")
+
+			natRuleKey := genKey(natFormat, testCase.inputPair.ID)
+			natRule := genRuleSpec(routingFinalNatJump, natRuleKey, testCase.inputPair.source, testCase.inputPair.destination)
+
+			exists, err = iptablesClient.Exists(iptablesNatTable, iptablesRoutingNatChain, natRule...)
+			require.NoError(t, err, "should be able to query the iptables %s %s table and %s chain", testCase.ipVersion, iptablesNatTable, iptablesRoutingNatChain)
+			if testCase.inputPair.masquerade {
+				require.True(t, exists, "nat rule should be created")
+				foundNatRule, foundNat := manager.rules[testCase.ipVersion][natRuleKey]
+				require.True(t, foundNat, "nat rule should exist in the map")
+				require.Equal(t, natRule[:4], foundNatRule[:4], "stored nat rule should match")
+			} else {
+				require.False(t, exists, "nat rule should not be created")
+				_, foundNat := manager.rules[testCase.ipVersion][natRuleKey]
+				require.False(t, foundNat, "nat rule should exist in the map")
+			}
+		})
+	}
+}
+
+func TestIptablesManager_RemoveRoutingRules(t *testing.T) {
+
+	if !isIptablesSupported() {
+		t.SkipNow()
+	}
+
+	for _, testCase := range removeRuleTestCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.TODO())
+			ipv4Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+			ipv6Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+			iptablesClient := ipv4Client
+			if testCase.ipVersion == ipv6 {
+				iptablesClient = ipv6Client
+			}
+
+			manager := &iptablesManager{
+				ctx:        ctx,
+				stop:       cancel,
+				ipv4Client: ipv4Client,
+				ipv6Client: ipv6Client,
+				rules:      make(map[string]map[string][]string),
+			}
+
+			defer manager.CleanRoutingRules()
+
+			err := manager.RestoreOrCreateContainers()
+			require.NoError(t, err, "shouldn't return error")
+
+			forwardRuleKey := genKey(forwardingFormat, testCase.inputPair.ID)
+			forwardRule := genRuleSpec(routingFinalForwardJump, forwardRuleKey, testCase.inputPair.source, testCase.inputPair.destination)
+
+			err = iptablesClient.Insert(iptablesFilterTable, iptablesRoutingForwardingChain, 1, forwardRule...)
+			require.NoError(t, err, "inserting rule should not return error")
+
+			natRuleKey := genKey(natFormat, testCase.inputPair.ID)
+			natRule := genRuleSpec(routingFinalNatJump, natRuleKey, testCase.inputPair.source, testCase.inputPair.destination)
+
+			err = iptablesClient.Insert(iptablesNatTable, iptablesRoutingNatChain, 1, natRule...)
+			require.NoError(t, err, "inserting rule should not return error")
+
+			delete(manager.rules, ipv4)
+			delete(manager.rules, ipv6)
+
+			err = manager.RestoreOrCreateContainers()
+			require.NoError(t, err, "shouldn't return error")
+
+			err = manager.RemoveRoutingRules(testCase.inputPair)
+			require.NoError(t, err, "shouldn't return error")
+
+			exists, err := iptablesClient.Exists(iptablesFilterTable, iptablesRoutingForwardingChain, forwardRule...)
+			require.NoError(t, err, "should be able to query the iptables %s %s table and %s chain", testCase.ipVersion, iptablesFilterTable, iptablesRoutingForwardingChain)
+			require.False(t, exists, "forwarding rule should not exist")
+
+			_, found := manager.rules[testCase.ipVersion][forwardRuleKey]
+			require.False(t, found, "forwarding rule should exist in the manager map")
+
+			exists, err = iptablesClient.Exists(iptablesNatTable, iptablesRoutingNatChain, natRule...)
+			require.NoError(t, err, "should be able to query the iptables %s %s table and %s chain", testCase.ipVersion, iptablesNatTable, iptablesRoutingNatChain)
+			require.False(t, exists, "nat rule should not exist")
+
+			_, found = manager.rules[testCase.ipVersion][natRuleKey]
+			require.False(t, found, "forwarding rule should exist in the manager map")
+
+		})
+	}
+}
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -0,0 +1,181 @@
+package routemanager
+
+import (
+	"context"
+	"fmt"
+	"github.com/netbirdio/netbird/client/status"
+	"github.com/netbirdio/netbird/client/system"
+	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/route"
+	log "github.com/sirupsen/logrus"
+	"runtime"
+	"sync"
+)
+
+// Manager is a route manager interface
+type Manager interface {
+	UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) error
+	Stop()
+}
+
+// DefaultManager is the default instance of a route manager
+type DefaultManager struct {
+	ctx            context.Context
+	stop           context.CancelFunc
+	mux            sync.Mutex
+	clientNetworks map[string]*clientNetwork
+	serverRoutes   map[string]*route.Route
+	serverRouter   *serverRouter
+	statusRecorder *status.Status
+	wgInterface    *iface.WGIface
+	pubKey         string
+}
+
+// NewManager returns a new route manager
+func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface, statusRecorder *status.Status) *DefaultManager {
+	mCTX, cancel := context.WithCancel(ctx)
+	return &DefaultManager{
+		ctx:            mCTX,
+		stop:           cancel,
+		clientNetworks: make(map[string]*clientNetwork),
+		serverRoutes:   make(map[string]*route.Route),
+		serverRouter: &serverRouter{
+			routes:                   make(map[string]*route.Route),
+			netForwardHistoryEnabled: isNetForwardHistoryEnabled(),
+			firewall:                 NewFirewall(ctx),
+		},
+		statusRecorder: statusRecorder,
+		wgInterface:    wgInterface,
+		pubKey:         pubKey,
+	}
+}
+
+// Stop stops the manager watchers and clean firewall rules
+func (m *DefaultManager) Stop() {
+	m.stop()
+	m.serverRouter.firewall.CleanRoutingRules()
+}
+
+func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks map[string][]*route.Route) {
+	// removing routes that do not exist as per the update from the Management service.
+	for id, client := range m.clientNetworks {
+		_, found := networks[id]
+		if !found {
+			log.Debugf("stopping client network watcher, %s", id)
+			client.stop()
+			delete(m.clientNetworks, id)
+		}
+	}
+
+	for id, routes := range networks {
+		clientNetworkWatcher, found := m.clientNetworks[id]
+		if !found {
+			clientNetworkWatcher = newClientNetworkWatcher(m.ctx, m.wgInterface, m.statusRecorder, routes[0].Network)
+			m.clientNetworks[id] = clientNetworkWatcher
+			go clientNetworkWatcher.peersStateAndUpdateWatcher()
+		}
+		update := routesUpdate{
+			updateSerial: updateSerial,
+			routes:       routes,
+		}
+
+		clientNetworkWatcher.sendUpdateToClientNetworkWatcher(update)
+	}
+}
+
+func (m *DefaultManager) updateServerRoutes(routesMap map[string]*route.Route) error {
+	serverRoutesToRemove := make([]string, 0)
+
+	if len(routesMap) > 0 {
+		err := m.serverRouter.firewall.RestoreOrCreateContainers()
+		if err != nil {
+			return fmt.Errorf("couldn't initialize firewall containers, got err: %v", err)
+		}
+	}
+
+	for routeID := range m.serverRoutes {
+		update, found := routesMap[routeID]
+		if !found || !update.IsEqual(m.serverRoutes[routeID]) {
+			serverRoutesToRemove = append(serverRoutesToRemove, routeID)
+			continue
+		}
+	}
+
+	for _, routeID := range serverRoutesToRemove {
+		oldRoute := m.serverRoutes[routeID]
+		err := m.removeFromServerNetwork(oldRoute)
+		if err != nil {
+			log.Errorf("unable to remove route id: %s, network %s, from server, got: %v",
+				oldRoute.ID, oldRoute.Network, err)
+		}
+		delete(m.serverRoutes, routeID)
+	}
+
+	for id, newRoute := range routesMap {
+		_, found := m.serverRoutes[id]
+		if found {
+			continue
+		}
+
+		err := m.addToServerNetwork(newRoute)
+		if err != nil {
+			log.Errorf("unable to add route %s from server, got: %v", newRoute.ID, err)
+			continue
+		}
+		m.serverRoutes[id] = newRoute
+	}
+
+	if len(m.serverRoutes) > 0 {
+		err := enableIPForwarding()
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// UpdateRoutes compares received routes with existing routes and remove, update or add them to the client and server maps
+func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) error {
+	select {
+	case <-m.ctx.Done():
+		log.Infof("not updating routes as context is closed")
+		return m.ctx.Err()
+	default:
+		m.mux.Lock()
+		defer m.mux.Unlock()
+
+		newClientRoutesIDMap := make(map[string][]*route.Route)
+		newServerRoutesMap := make(map[string]*route.Route)
+
+		for _, newRoute := range newRoutes {
+			// only linux is supported for now
+			if newRoute.Peer == m.pubKey {
+				if runtime.GOOS != "linux" {
+					log.Warnf("received a route to manage, but agent doesn't support router mode on %s OS", runtime.GOOS)
+					continue
+				}
+				newServerRoutesMap[newRoute.ID] = newRoute
+			} else {
+				// if prefix is too small, lets assume is a possible default route which is not yet supported
+				// we skip this route management
+				if newRoute.Network.Bits() < 7 {
+					log.Errorf("this agent version: %s, doesn't support default routes, received %s, skiping this route",
+						system.NetbirdVersion(), newRoute.Network)
+					continue
+				}
+				clientNetworkID := getClientNetworkID(newRoute)
+				newClientRoutesIDMap[clientNetworkID] = append(newClientRoutesIDMap[clientNetworkID], newRoute)
+			}
+		}
+
+		m.updateClientNetworks(updateSerial, newClientRoutesIDMap)
+
+		err := m.updateServerRoutes(newServerRoutesMap)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
--- a/client/internal/routemanager/manager_test.go
+++ b/client/internal/routemanager/manager_test.go
@@ -0,0 +1,370 @@
+package routemanager
+
+import (
+	"context"
+	"fmt"
+	"github.com/netbirdio/netbird/client/status"
+	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/route"
+	"github.com/stretchr/testify/require"
+	"net/netip"
+	"runtime"
+	"testing"
+)
+
+// send 5 routes, one for server and 4 for clients, one normal and 2 HA and one small
+// if linux host, should have one for server in map
+// we should have 2 client manager
+// 2 ranges in our routing table
+
+const localPeerKey = "local"
+const remotePeerKey1 = "remote1"
+const remotePeerKey2 = "remote1"
+
+func TestManagerUpdateRoutes(t *testing.T) {
+	testCases := []struct {
+		name                          string
+		inputInitRoutes               []*route.Route
+		inputRoutes                   []*route.Route
+		inputSerial                   uint64
+		shouldCheckServerRoutes       bool
+		serverRoutesExpected          int
+		clientNetworkWatchersExpected int
+	}{
+		{
+			name:            "Should create 2 client networks",
+			inputInitRoutes: []*route.Route{},
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("100.64.251.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("8.8.8.8/32"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			clientNetworkWatchersExpected: 2,
+		},
+		{
+			name: "Should Create 2 Server Routes",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("100.64.252.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("8.8.8.9/32"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			shouldCheckServerRoutes:       runtime.GOOS == "linux",
+			serverRoutesExpected:          2,
+			clientNetworkWatchersExpected: 0,
+		},
+		{
+			name: "Should Create 1 Route For Client And Server",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("100.64.30.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("8.8.9.9/32"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			shouldCheckServerRoutes:       runtime.GOOS == "linux",
+			serverRoutesExpected:          1,
+			clientNetworkWatchersExpected: 1,
+		},
+		{
+			name: "Should Create 1 HA Route and 1 Standalone",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("8.8.20.0/24"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeA",
+					Peer:        remotePeerKey2,
+					Network:     netip.MustParsePrefix("8.8.20.0/24"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "c",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("8.8.9.9/32"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			clientNetworkWatchersExpected: 2,
+		},
+		{
+			name: "No Small Client Route Should Be Added",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("0.0.0.0/0"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			clientNetworkWatchersExpected: 0,
+		},
+		{
+			name: "No Server Routes Should Be Added To Non Linux",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("1.2.3.4/32"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			shouldCheckServerRoutes:       runtime.GOOS != "linux",
+			serverRoutesExpected:          0,
+			clientNetworkWatchersExpected: 0,
+		},
+		{
+			name: "Remove 1 Client Route",
+			inputInitRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("100.64.251.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("8.8.8.8/32"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("100.64.251.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			clientNetworkWatchersExpected: 1,
+		},
+		{
+			name: "Update Route to HA",
+			inputInitRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("100.64.251.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("8.8.8.8/32"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("100.64.251.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeA",
+					Peer:        remotePeerKey2,
+					Network:     netip.MustParsePrefix("100.64.251.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			clientNetworkWatchersExpected: 1,
+		},
+		{
+			name: "Remove Client Routes",
+			inputInitRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("100.64.251.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("8.8.8.8/32"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputRoutes:                   []*route.Route{},
+			inputSerial:                   1,
+			clientNetworkWatchersExpected: 0,
+		},
+		{
+			name: "Remove All Routes",
+			inputInitRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("100.64.251.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("8.8.8.8/32"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputRoutes:                   []*route.Route{},
+			inputSerial:                   1,
+			shouldCheckServerRoutes:       true,
+			serverRoutesExpected:          0,
+			clientNetworkWatchersExpected: 0,
+		},
+	}
+
+	for n, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", iface.DefaultMTU)
+			require.NoError(t, err, "should create testing WGIface interface")
+			defer wgInterface.Close()
+
+			err = wgInterface.Create()
+			require.NoError(t, err, "should create testing wireguard interface")
+
+			statusRecorder := status.NewRecorder()
+			ctx := context.TODO()
+			routeManager := NewManager(ctx, localPeerKey, wgInterface, statusRecorder)
+			defer routeManager.Stop()
+
+			if len(testCase.inputInitRoutes) > 0 {
+				err = routeManager.UpdateRoutes(testCase.inputSerial, testCase.inputRoutes)
+				require.NoError(t, err, "should update routes with init routes")
+			}
+
+			err = routeManager.UpdateRoutes(testCase.inputSerial+uint64(len(testCase.inputInitRoutes)), testCase.inputRoutes)
+			require.NoError(t, err, "should update routes")
+
+			require.Len(t, routeManager.clientNetworks, testCase.clientNetworkWatchersExpected, "client networks size should match")
+
+			if testCase.shouldCheckServerRoutes {
+				require.Len(t, routeManager.serverRoutes, testCase.serverRoutesExpected, "server networks size should match")
+			}
+		})
+	}
+}
--- a/client/internal/routemanager/mock.go
+++ b/client/internal/routemanager/mock.go
@@ -0,0 +1,27 @@
+package routemanager
+
+import (
+	"fmt"
+	"github.com/netbirdio/netbird/route"
+)
+
+// MockManager is the mock instance of a route manager
+type MockManager struct {
+	UpdateRoutesFunc func(updateSerial uint64, newRoutes []*route.Route) error
+	StopFunc         func()
+}
+
+// UpdateRoutes mock implementation of UpdateRoutes from Manager interface
+func (m *MockManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) error {
+	if m.UpdateRoutesFunc != nil {
+		return m.UpdateRoutesFunc(updateSerial, newRoutes)
+	}
+	return fmt.Errorf("method UpdateRoutes is not implemented")
+}
+
+// Stop mock implementation of Stop from Manager interface
+func (m *MockManager) Stop() {
+	if m.StopFunc != nil {
+		m.StopFunc()
+	}
+}
--- a/client/internal/routemanager/nftables_linux.go
+++ b/client/internal/routemanager/nftables_linux.go
@@ -0,0 +1,384 @@
+package routemanager
+
+import (
+	"context"
+	"fmt"
+	"github.com/google/nftables/binaryutil"
+	"github.com/google/nftables/expr"
+	log "github.com/sirupsen/logrus"
+	"net"
+	"net/netip"
+	"sync"
+)
+import "github.com/google/nftables"
+
+//
+const (
+	nftablesTable                  = "netbird-rt"
+	nftablesRoutingForwardingChain = "netbird-rt-fwd"
+	nftablesRoutingNatChain        = "netbird-rt-nat"
+)
+
+// constants needed to create nftable rules
+const (
+	ipv4Len                  = 4
+	ipv4SrcOffset            = 12
+	ipv4DestOffset           = 16
+	ipv6Len                  = 16
+	ipv6SrcOffset            = 8
+	ipv6DestOffset           = 24
+	exprDirectionSource      = "source"
+	exprDirectionDestination = "destination"
+)
+
+// some presets for building nftable rules
+var (
+	zeroXor = binaryutil.NativeEndian.PutUint32(0)
+
+	zeroXor6 = append(binaryutil.NativeEndian.PutUint64(0), binaryutil.NativeEndian.PutUint64(0)...)
+
+	exprAllowRelatedEstablished = []expr.Any{
+		&expr.Ct{
+			Register:       1,
+			SourceRegister: false,
+			Key:            0,
+		},
+		&expr.Bitwise{
+			DestRegister:   1,
+			SourceRegister: 1,
+			Len:            4,
+			Mask:           []uint8{0x6, 0x0, 0x0, 0x0},
+			Xor:            zeroXor,
+		},
+		&expr.Cmp{
+			Register: 1,
+			Data:     binaryutil.NativeEndian.PutUint32(0),
+		},
+		&expr.Counter{},
+		&expr.Verdict{
+			Kind: expr.VerdictAccept,
+		},
+	}
+
+	exprCounterAccept = []expr.Any{
+		&expr.Counter{},
+		&expr.Verdict{
+			Kind: expr.VerdictAccept,
+		},
+	}
+)
+
+type nftablesManager struct {
+	ctx       context.Context
+	stop      context.CancelFunc
+	conn      *nftables.Conn
+	tableIPv4 *nftables.Table
+	tableIPv6 *nftables.Table
+	chains    map[string]map[string]*nftables.Chain
+	rules     map[string]*nftables.Rule
+	mux       sync.Mutex
+}
+
+// CleanRoutingRules cleans existing nftables rules from the system
+func (n *nftablesManager) CleanRoutingRules() {
+	n.mux.Lock()
+	defer n.mux.Unlock()
+	log.Debug("flushing tables")
+	n.conn.FlushTable(n.tableIPv6)
+	n.conn.FlushTable(n.tableIPv4)
+	log.Debugf("flushing tables result in: %v error", n.conn.Flush())
+}
+
+// RestoreOrCreateContainers restores existing nftables containers (tables and chains)
+// if they don't exist, we create them
+func (n *nftablesManager) RestoreOrCreateContainers() error {
+	n.mux.Lock()
+	defer n.mux.Unlock()
+
+	if n.tableIPv6 != nil && n.tableIPv4 != nil {
+		log.Debugf("nftables: containers already restored, skipping")
+		return nil
+	}
+
+	tables, err := n.conn.ListTables()
+	if err != nil {
+		return fmt.Errorf("nftables: unable to list tables: %v", err)
+	}
+
+	for _, table := range tables {
+		if table.Name == nftablesTable {
+			if table.Family == nftables.TableFamilyIPv4 {
+				n.tableIPv4 = table
+				continue
+			}
+			n.tableIPv6 = table
+		}
+	}
+
+	if n.tableIPv4 == nil {
+		n.tableIPv4 = n.conn.AddTable(&nftables.Table{
+			Name:   nftablesTable,
+			Family: nftables.TableFamilyIPv4,
+		})
+	}
+
+	if n.tableIPv6 == nil {
+		n.tableIPv6 = n.conn.AddTable(&nftables.Table{
+			Name:   nftablesTable,
+			Family: nftables.TableFamilyIPv6,
+		})
+	}
+
+	chains, err := n.conn.ListChains()
+	if err != nil {
+		return fmt.Errorf("nftables: unable to list chains: %v", err)
+	}
+
+	n.chains[ipv4] = make(map[string]*nftables.Chain)
+	n.chains[ipv6] = make(map[string]*nftables.Chain)
+
+	for _, chain := range chains {
+		switch {
+		case chain.Table.Name == nftablesTable && chain.Table.Family == nftables.TableFamilyIPv4:
+			n.chains[ipv4][chain.Name] = chain
+		case chain.Table.Name == nftablesTable && chain.Table.Family == nftables.TableFamilyIPv6:
+			n.chains[ipv6][chain.Name] = chain
+		}
+	}
+
+	if _, found := n.chains[ipv4][nftablesRoutingForwardingChain]; !found {
+		n.chains[ipv4][nftablesRoutingForwardingChain] = n.conn.AddChain(&nftables.Chain{
+			Name:     nftablesRoutingForwardingChain,
+			Table:    n.tableIPv4,
+			Hooknum:  nftables.ChainHookForward,
+			Priority: nftables.ChainPriorityNATDest + 1,
+			Type:     nftables.ChainTypeFilter,
+		})
+	}
+
+	if _, found := n.chains[ipv4][nftablesRoutingNatChain]; !found {
+		n.chains[ipv4][nftablesRoutingNatChain] = n.conn.AddChain(&nftables.Chain{
+			Name:     nftablesRoutingNatChain,
+			Table:    n.tableIPv4,
+			Hooknum:  nftables.ChainHookPostrouting,
+			Priority: nftables.ChainPriorityNATSource - 1,
+			Type:     nftables.ChainTypeNAT,
+		})
+	}
+
+	if _, found := n.chains[ipv6][nftablesRoutingForwardingChain]; !found {
+		n.chains[ipv6][nftablesRoutingForwardingChain] = n.conn.AddChain(&nftables.Chain{
+			Name:     nftablesRoutingForwardingChain,
+			Table:    n.tableIPv6,
+			Hooknum:  nftables.ChainHookForward,
+			Priority: nftables.ChainPriorityNATDest + 1,
+			Type:     nftables.ChainTypeFilter,
+		})
+	}
+
+	if _, found := n.chains[ipv6][nftablesRoutingNatChain]; !found {
+		n.chains[ipv6][nftablesRoutingNatChain] = n.conn.AddChain(&nftables.Chain{
+			Name:     nftablesRoutingNatChain,
+			Table:    n.tableIPv6,
+			Hooknum:  nftables.ChainHookPostrouting,
+			Priority: nftables.ChainPriorityNATSource - 1,
+			Type:     nftables.ChainTypeNAT,
+		})
+	}
+
+	err = n.refreshRulesMap()
+	if err != nil {
+		return err
+	}
+
+	n.checkOrCreateDefaultForwardingRules()
+	err = n.conn.Flush()
+	if err != nil {
+		return fmt.Errorf("nftables: unable to initialize table: %v", err)
+	}
+	return nil
+}
+
+// refreshRulesMap refreshes the rule map with the latest rules. this is useful to avoid
+// duplicates and to get missing attributes that we don't have when adding new rules
+func (n *nftablesManager) refreshRulesMap() error {
+	for _, registeredChains := range n.chains {
+		for _, chain := range registeredChains {
+			rules, err := n.conn.GetRules(chain.Table, chain)
+			if err != nil {
+				return fmt.Errorf("nftables: unable to list rules: %v", err)
+			}
+			for _, rule := range rules {
+				if len(rule.UserData) > 0 {
+					n.rules[string(rule.UserData)] = rule
+				}
+			}
+		}
+	}
+	return nil
+}
+
+// checkOrCreateDefaultForwardingRules checks if the default forwarding rules are enabled
+func (n *nftablesManager) checkOrCreateDefaultForwardingRules() {
+	_, foundIPv4 := n.rules[ipv4Forwarding]
+	if !foundIPv4 {
+		n.rules[ipv4Forwarding] = n.conn.AddRule(&nftables.Rule{
+			Table:    n.tableIPv4,
+			Chain:    n.chains[ipv4][nftablesRoutingForwardingChain],
+			Exprs:    exprAllowRelatedEstablished,
+			UserData: []byte(ipv4Forwarding),
+		})
+	}
+
+	_, foundIPv6 := n.rules[ipv6Forwarding]
+	if !foundIPv6 {
+		n.rules[ipv6Forwarding] = n.conn.AddRule(&nftables.Rule{
+			Table:    n.tableIPv6,
+			Chain:    n.chains[ipv6][nftablesRoutingForwardingChain],
+			Exprs:    exprAllowRelatedEstablished,
+			UserData: []byte(ipv6Forwarding),
+		})
+	}
+}
+
+// InsertRoutingRules inserts a nftable rule pair to the forwarding chain and if enabled, to the nat chain
+func (n *nftablesManager) InsertRoutingRules(pair routerPair) error {
+	n.mux.Lock()
+	defer n.mux.Unlock()
+
+	prefix := netip.MustParsePrefix(pair.source)
+
+	sourceExp := generateCIDRMatcherExpressions("source", pair.source)
+	destExp := generateCIDRMatcherExpressions("destination", pair.destination)
+
+	forwardExp := append(sourceExp, append(destExp, exprCounterAccept...)...)
+	fwdKey := genKey(forwardingFormat, pair.ID)
+	if prefix.Addr().Unmap().Is4() {
+		n.rules[fwdKey] = n.conn.InsertRule(&nftables.Rule{
+			Table:    n.tableIPv4,
+			Chain:    n.chains[ipv4][nftablesRoutingForwardingChain],
+			Exprs:    forwardExp,
+			UserData: []byte(fwdKey),
+		})
+	} else {
+		n.rules[fwdKey] = n.conn.InsertRule(&nftables.Rule{
+			Table:    n.tableIPv6,
+			Chain:    n.chains[ipv6][nftablesRoutingForwardingChain],
+			Exprs:    forwardExp,
+			UserData: []byte(fwdKey),
+		})
+	}
+
+	if pair.masquerade {
+		natExp := append(sourceExp, append(destExp, &expr.Counter{}, &expr.Masq{})...)
+		natKey := genKey(natFormat, pair.ID)
+
+		if prefix.Addr().Unmap().Is4() {
+			n.rules[natKey] = n.conn.InsertRule(&nftables.Rule{
+				Table:    n.tableIPv4,
+				Chain:    n.chains[ipv4][nftablesRoutingNatChain],
+				Exprs:    natExp,
+				UserData: []byte(natKey),
+			})
+		} else {
+			n.rules[natKey] = n.conn.InsertRule(&nftables.Rule{
+				Table:    n.tableIPv6,
+				Chain:    n.chains[ipv6][nftablesRoutingNatChain],
+				Exprs:    natExp,
+				UserData: []byte(natKey),
+			})
+		}
+	}
+
+	err := n.conn.Flush()
+	if err != nil {
+		return fmt.Errorf("nftables: unable to insert rules for %s: %v", pair.destination, err)
+	}
+	return nil
+}
+
+// RemoveRoutingRules removes a nftable rule pair from forwarding and nat chains
+func (n *nftablesManager) RemoveRoutingRules(pair routerPair) error {
+	n.mux.Lock()
+	defer n.mux.Unlock()
+
+	err := n.refreshRulesMap()
+	if err != nil {
+		return err
+	}
+
+	fwdKey := genKey(forwardingFormat, pair.ID)
+	natKey := genKey(natFormat, pair.ID)
+	fwdRule, found := n.rules[fwdKey]
+	if found {
+		err = n.conn.DelRule(fwdRule)
+		if err != nil {
+			return fmt.Errorf("nftables: unable to remove forwarding rule for %s: %v", pair.destination, err)
+		}
+		log.Debugf("nftables: removing forwarding rule for %s", pair.destination)
+		delete(n.rules, fwdKey)
+	}
+	natRule, found := n.rules[natKey]
+	if found {
+		err = n.conn.DelRule(natRule)
+		if err != nil {
+			return fmt.Errorf("nftables: unable to remove nat rule for %s: %v", pair.destination, err)
+		}
+		log.Debugf("nftables: removing nat rule for %s", pair.destination)
+		delete(n.rules, natKey)
+	}
+	err = n.conn.Flush()
+	if err != nil {
+		return fmt.Errorf("nftables: received error while applying rule removal for %s: %v", pair.destination, err)
+	}
+	log.Debugf("nftables: removed rules for %s", pair.destination)
+	return nil
+}
+
+// getPayloadDirectives get expression directives based on ip version and direction
+func getPayloadDirectives(direction string, isIPv4 bool, isIPv6 bool) (uint32, uint32, []byte) {
+	switch {
+	case direction == exprDirectionSource && isIPv4:
+		return ipv4SrcOffset, ipv4Len, zeroXor
+	case direction == exprDirectionDestination && isIPv4:
+		return ipv4DestOffset, ipv4Len, zeroXor
+	case direction == exprDirectionSource && isIPv6:
+		return ipv6SrcOffset, ipv6Len, zeroXor6
+	case direction == exprDirectionDestination && isIPv6:
+		return ipv6DestOffset, ipv6Len, zeroXor6
+	default:
+		panic("no matched payload directive")
+	}
+}
+
+// generateCIDRMatcherExpressions generates nftables expressions that matches a CIDR
+func generateCIDRMatcherExpressions(direction string, cidr string) []expr.Any {
+	ip, network, _ := net.ParseCIDR(cidr)
+	ipToAdd, _ := netip.AddrFromSlice(ip)
+	add := ipToAdd.Unmap()
+
+	offSet, packetLen, zeroXor := getPayloadDirectives(direction, add.Is4(), add.Is6())
+
+	return []expr.Any{
+		// fetch src add
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       offSet,
+			Len:          packetLen,
+		},
+		// net mask
+		&expr.Bitwise{
+			DestRegister:   1,
+			SourceRegister: 1,
+			Len:            packetLen,
+			Mask:           network.Mask,
+			Xor:            zeroXor,
+		},
+		// net address
+		&expr.Cmp{
+			Register: 1,
+			Data:     add.AsSlice(),
+		},
+	}
+}
--- a/client/internal/routemanager/nftables_linux_test.go
+++ b/client/internal/routemanager/nftables_linux_test.go
@@ -0,0 +1,270 @@
+package routemanager
+
+import (
+	"context"
+	"github.com/google/nftables"
+	"github.com/google/nftables/expr"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"testing"
+)
+
+func TestNftablesManager_RestoreOrCreateContainers(t *testing.T) {
+
+	ctx, cancel := context.WithCancel(context.TODO())
+
+	manager := &nftablesManager{
+		ctx:    ctx,
+		stop:   cancel,
+		conn:   &nftables.Conn{},
+		chains: make(map[string]map[string]*nftables.Chain),
+		rules:  make(map[string]*nftables.Rule),
+	}
+
+	nftablesTestingClient := &nftables.Conn{}
+
+	defer manager.CleanRoutingRules()
+
+	err := manager.RestoreOrCreateContainers()
+	require.NoError(t, err, "shouldn't return error")
+
+	require.Len(t, manager.chains, 2, "should have created chains for ipv4 and ipv6")
+	require.Len(t, manager.chains[ipv4], 2, "should have created chains for ipv4")
+	require.Len(t, manager.chains[ipv4], 2, "should have created chains for ipv6")
+	require.Len(t, manager.rules, 2, "should have created rules for ipv4 and ipv6")
+
+	pair := routerPair{
+		ID:          "abc",
+		source:      "100.100.100.1/32",
+		destination: "100.100.100.0/24",
+		masquerade:  true,
+	}
+
+	sourceExp := generateCIDRMatcherExpressions("source", pair.source)
+	destExp := generateCIDRMatcherExpressions("destination", pair.destination)
+
+	forward4Exp := append(sourceExp, append(destExp, exprCounterAccept...)...)
+	forward4RuleKey := genKey(forwardingFormat, pair.ID)
+	inserted4Forwarding := nftablesTestingClient.InsertRule(&nftables.Rule{
+		Table:    manager.tableIPv4,
+		Chain:    manager.chains[ipv4][nftablesRoutingForwardingChain],
+		Exprs:    forward4Exp,
+		UserData: []byte(forward4RuleKey),
+	})
+
+	nat4Exp := append(sourceExp, append(destExp, &expr.Counter{}, &expr.Masq{})...)
+	nat4RuleKey := genKey(natFormat, pair.ID)
+
+	inserted4Nat := nftablesTestingClient.InsertRule(&nftables.Rule{
+		Table:    manager.tableIPv4,
+		Chain:    manager.chains[ipv4][nftablesRoutingNatChain],
+		Exprs:    nat4Exp,
+		UserData: []byte(nat4RuleKey),
+	})
+
+	err = nftablesTestingClient.Flush()
+	require.NoError(t, err, "shouldn't return error")
+
+	pair = routerPair{
+		ID:          "xyz",
+		source:      "fc00::1/128",
+		destination: "fc11::/64",
+		masquerade:  true,
+	}
+
+	sourceExp = generateCIDRMatcherExpressions("source", pair.source)
+	destExp = generateCIDRMatcherExpressions("destination", pair.destination)
+
+	forward6Exp := append(sourceExp, append(destExp, exprCounterAccept...)...)
+	forward6RuleKey := genKey(forwardingFormat, pair.ID)
+	inserted6Forwarding := nftablesTestingClient.InsertRule(&nftables.Rule{
+		Table:    manager.tableIPv6,
+		Chain:    manager.chains[ipv6][nftablesRoutingForwardingChain],
+		Exprs:    forward6Exp,
+		UserData: []byte(forward6RuleKey),
+	})
+
+	nat6Exp := append(sourceExp, append(destExp, &expr.Counter{}, &expr.Masq{})...)
+	nat6RuleKey := genKey(natFormat, pair.ID)
+
+	inserted6Nat := nftablesTestingClient.InsertRule(&nftables.Rule{
+		Table:    manager.tableIPv6,
+		Chain:    manager.chains[ipv6][nftablesRoutingNatChain],
+		Exprs:    nat6Exp,
+		UserData: []byte(nat6RuleKey),
+	})
+
+	err = nftablesTestingClient.Flush()
+	require.NoError(t, err, "shouldn't return error")
+
+	manager.tableIPv4 = nil
+	manager.tableIPv6 = nil
+
+	err = manager.RestoreOrCreateContainers()
+	require.NoError(t, err, "shouldn't return error")
+
+	require.Len(t, manager.chains, 2, "should have created chains for ipv4 and ipv6")
+	require.Len(t, manager.chains[ipv4], 2, "should have created chains for ipv4")
+	require.Len(t, manager.chains[ipv4], 2, "should have created chains for ipv6")
+	require.Len(t, manager.rules, 6, "should have restored all rules for ipv4 and ipv6")
+
+	foundRule, found := manager.rules[forward4RuleKey]
+	require.True(t, found, "forwarding rule should exist in the map")
+	assert.Equal(t, inserted4Forwarding.Exprs, foundRule.Exprs, "stored forwarding rule expressions should match")
+
+	foundRule, found = manager.rules[nat4RuleKey]
+	require.True(t, found, "nat rule should exist in the map")
+	// match len of output as nftables client doesn't return expressions with masquerade expression
+	assert.ElementsMatch(t, inserted4Nat.Exprs[:len(foundRule.Exprs)], foundRule.Exprs, "stored nat rule expressions should match")
+
+	foundRule, found = manager.rules[forward6RuleKey]
+	require.True(t, found, "forwarding rule should exist in the map")
+	assert.Equal(t, inserted6Forwarding.Exprs, foundRule.Exprs, "stored forward rule should match")
+
+	foundRule, found = manager.rules[nat6RuleKey]
+	require.True(t, found, "nat rule should exist in the map")
+	// match len of output as nftables client doesn't return expressions with masquerade expression
+	assert.ElementsMatch(t, inserted6Nat.Exprs[:len(foundRule.Exprs)], foundRule.Exprs, "stored nat rule should match")
+}
+
+func TestNftablesManager_InsertRoutingRules(t *testing.T) {
+
+	for _, testCase := range insertRuleTestCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.TODO())
+
+			manager := &nftablesManager{
+				ctx:    ctx,
+				stop:   cancel,
+				conn:   &nftables.Conn{},
+				chains: make(map[string]map[string]*nftables.Chain),
+				rules:  make(map[string]*nftables.Rule),
+			}
+
+			nftablesTestingClient := &nftables.Conn{}
+
+			defer manager.CleanRoutingRules()
+
+			err := manager.RestoreOrCreateContainers()
+			require.NoError(t, err, "shouldn't return error")
+
+			err = manager.InsertRoutingRules(testCase.inputPair)
+			require.NoError(t, err, "forwarding pair should be inserted")
+
+			sourceExp := generateCIDRMatcherExpressions("source", testCase.inputPair.source)
+			destExp := generateCIDRMatcherExpressions("destination", testCase.inputPair.destination)
+			testingExpression := append(sourceExp, destExp...)
+			fwdRuleKey := genKey(forwardingFormat, testCase.inputPair.ID)
+
+			found := 0
+			for _, registeredChains := range manager.chains {
+				for _, chain := range registeredChains {
+					rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
+					require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
+					for _, rule := range rules {
+						if len(rule.UserData) > 0 && string(rule.UserData) == fwdRuleKey {
+							require.ElementsMatchf(t, rule.Exprs[:len(testingExpression)], testingExpression, "forwarding rule elements should match")
+							found = 1
+						}
+					}
+				}
+			}
+
+			require.Equal(t, 1, found, "should find at least 1 rule to test")
+
+			if testCase.inputPair.masquerade {
+				natRuleKey := genKey(natFormat, testCase.inputPair.ID)
+				found := 0
+				for _, registeredChains := range manager.chains {
+					for _, chain := range registeredChains {
+						rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
+						require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
+						for _, rule := range rules {
+							if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
+								require.ElementsMatchf(t, rule.Exprs[:len(testingExpression)], testingExpression, "nat rule elements should match")
+								found = 1
+							}
+						}
+					}
+				}
+				require.Equal(t, 1, found, "should find at least 1 rule to test")
+			}
+		})
+	}
+}
+
+func TestNftablesManager_RemoveRoutingRules(t *testing.T) {
+
+	for _, testCase := range removeRuleTestCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.TODO())
+
+			manager := &nftablesManager{
+				ctx:    ctx,
+				stop:   cancel,
+				conn:   &nftables.Conn{},
+				chains: make(map[string]map[string]*nftables.Chain),
+				rules:  make(map[string]*nftables.Rule),
+			}
+
+			nftablesTestingClient := &nftables.Conn{}
+
+			defer manager.CleanRoutingRules()
+
+			err := manager.RestoreOrCreateContainers()
+			require.NoError(t, err, "shouldn't return error")
+
+			table := manager.tableIPv4
+			if testCase.ipVersion == ipv6 {
+				table = manager.tableIPv6
+			}
+
+			sourceExp := generateCIDRMatcherExpressions("source", testCase.inputPair.source)
+			destExp := generateCIDRMatcherExpressions("destination", testCase.inputPair.destination)
+
+			forwardExp := append(sourceExp, append(destExp, exprCounterAccept...)...)
+			forwardRuleKey := genKey(forwardingFormat, testCase.inputPair.ID)
+			insertedForwarding := nftablesTestingClient.InsertRule(&nftables.Rule{
+				Table:    table,
+				Chain:    manager.chains[testCase.ipVersion][nftablesRoutingForwardingChain],
+				Exprs:    forwardExp,
+				UserData: []byte(forwardRuleKey),
+			})
+
+			natExp := append(sourceExp, append(destExp, &expr.Counter{}, &expr.Masq{})...)
+			natRuleKey := genKey(natFormat, testCase.inputPair.ID)
+
+			insertedNat := nftablesTestingClient.InsertRule(&nftables.Rule{
+				Table:    table,
+				Chain:    manager.chains[testCase.ipVersion][nftablesRoutingNatChain],
+				Exprs:    natExp,
+				UserData: []byte(natRuleKey),
+			})
+
+			err = nftablesTestingClient.Flush()
+			require.NoError(t, err, "shouldn't return error")
+
+			manager.tableIPv4 = nil
+			manager.tableIPv6 = nil
+
+			err = manager.RestoreOrCreateContainers()
+			require.NoError(t, err, "shouldn't return error")
+
+			err = manager.RemoveRoutingRules(testCase.inputPair)
+			require.NoError(t, err, "shouldn't return error")
+
+			for _, registeredChains := range manager.chains {
+				for _, chain := range registeredChains {
+					rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
+					require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
+					for _, rule := range rules {
+						if len(rule.UserData) > 0 {
+							require.NotEqual(t, insertedForwarding.UserData, rule.UserData, "forwarding rule should exist")
+							require.NotEqual(t, insertedNat.UserData, rule.UserData, "nat rule should exist")
+						}
+					}
+				}
+			}
+		})
+	}
+}
--- a/client/internal/routemanager/server.go
+++ b/client/internal/routemanager/server.go
@@ -0,0 +1,67 @@
+package routemanager
+
+import (
+	"github.com/netbirdio/netbird/route"
+	log "github.com/sirupsen/logrus"
+	"net/netip"
+	"sync"
+)
+
+type serverRouter struct {
+	routes map[string]*route.Route
+	// best effort to keep net forward configuration as it was
+	netForwardHistoryEnabled bool
+	mux                      sync.Mutex
+	firewall                 firewallManager
+}
+
+type routerPair struct {
+	ID          string
+	source      string
+	destination string
+	masquerade  bool
+}
+
+func routeToRouterPair(source string, route *route.Route) routerPair {
+	parsed := netip.MustParsePrefix(source).Masked()
+	return routerPair{
+		ID:          route.ID,
+		source:      parsed.String(),
+		destination: route.Network.Masked().String(),
+		masquerade:  route.Masquerade,
+	}
+}
+
+func (m *DefaultManager) removeFromServerNetwork(route *route.Route) error {
+	select {
+	case <-m.ctx.Done():
+		log.Infof("not removing from server network because context is done")
+		return m.ctx.Err()
+	default:
+		m.serverRouter.mux.Lock()
+		defer m.serverRouter.mux.Unlock()
+		err := m.serverRouter.firewall.RemoveRoutingRules(routeToRouterPair(m.wgInterface.Address.String(), route))
+		if err != nil {
+			return err
+		}
+		delete(m.serverRouter.routes, route.ID)
+		return nil
+	}
+}
+
+func (m *DefaultManager) addToServerNetwork(route *route.Route) error {
+	select {
+	case <-m.ctx.Done():
+		log.Infof("not adding to server network because context is done")
+		return m.ctx.Err()
+	default:
+		m.serverRouter.mux.Lock()
+		defer m.serverRouter.mux.Unlock()
+		err := m.serverRouter.firewall.InsertRoutingRules(routeToRouterPair(m.wgInterface.Address.String(), route))
+		if err != nil {
+			return err
+		}
+		m.serverRouter.routes[route.ID] = route
+		return nil
+	}
+}
--- a/client/internal/routemanager/systemops.go
+++ b/client/internal/routemanager/systemops.go
@@ -0,0 +1,55 @@
+package routemanager
+
+import (
+	"fmt"
+	"github.com/libp2p/go-netroute"
+	log "github.com/sirupsen/logrus"
+	"net"
+	"net/netip"
+)
+
+var errRouteNotFound = fmt.Errorf("route not found")
+
+func addToRouteTableIfNoExists(prefix netip.Prefix, addr string) error {
+	gateway, err := getExistingRIBRouteGateway(netip.MustParsePrefix("0.0.0.0/0"))
+	if err != nil && err != errRouteNotFound {
+		return err
+	}
+	prefixGateway, err := getExistingRIBRouteGateway(prefix)
+	if err != nil && err != errRouteNotFound {
+		return err
+	}
+
+	if prefixGateway != nil && !prefixGateway.Equal(gateway) {
+		log.Warnf("route for network %s already exist and is pointing to the gateway: %s, won't add another one", prefix, prefixGateway)
+		return nil
+	}
+	return addToRouteTable(prefix, addr)
+}
+
+func removeFromRouteTableIfNonSystem(prefix netip.Prefix, addr string) error {
+	addrIP := net.ParseIP(addr)
+	prefixGateway, err := getExistingRIBRouteGateway(prefix)
+	if err != nil {
+		return err
+	}
+	if prefixGateway != nil && !prefixGateway.Equal(addrIP) {
+		log.Warnf("route for network %s is pointing to a different gateway: %s, should be pointing to: %s, not removing", prefix, prefixGateway, addrIP)
+		return nil
+	}
+	return removeFromRouteTable(prefix)
+}
+
+func getExistingRIBRouteGateway(prefix netip.Prefix) (net.IP, error) {
+	r, err := netroute.New()
+	if err != nil {
+		return nil, err
+	}
+	_, _, localGatewayAddress, err := r.Route(prefix.Addr().AsSlice())
+	if err != nil {
+		log.Errorf("getting routes returned an error: %v", err)
+		return nil, errRouteNotFound
+	}
+
+	return localGatewayAddress, nil
+}
--- a/client/internal/routemanager/systemops_linux.go
+++ b/client/internal/routemanager/systemops_linux.go
@@ -0,0 +1,73 @@
+package routemanager
+
+import (
+	"github.com/vishvananda/netlink"
+	"io/ioutil"
+	"net"
+	"net/netip"
+)
+
+const ipv4ForwardingPath = "/proc/sys/net/ipv4/ip_forward"
+
+func addToRouteTable(prefix netip.Prefix, addr string) error {
+	_, ipNet, err := net.ParseCIDR(prefix.String())
+	if err != nil {
+		return err
+	}
+
+	addrMask := "/32"
+	if prefix.Addr().Unmap().Is6() {
+		addrMask = "/128"
+	}
+
+	ip, _, err := net.ParseCIDR(addr + addrMask)
+	if err != nil {
+		return err
+	}
+
+	route := &netlink.Route{
+		Scope: netlink.SCOPE_UNIVERSE,
+		Dst:   ipNet,
+		Gw:    ip,
+	}
+
+	err = netlink.RouteAdd(route)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func removeFromRouteTable(prefix netip.Prefix) error {
+	_, ipNet, err := net.ParseCIDR(prefix.String())
+	if err != nil {
+		return err
+	}
+
+	route := &netlink.Route{
+		Scope: netlink.SCOPE_UNIVERSE,
+		Dst:   ipNet,
+	}
+
+	err = netlink.RouteDel(route)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func enableIPForwarding() error {
+	err := ioutil.WriteFile(ipv4ForwardingPath, []byte("1"), 0644)
+	return err
+}
+
+func isNetForwardHistoryEnabled() bool {
+	out, err := ioutil.ReadFile(ipv4ForwardingPath)
+	if err != nil {
+		// todo
+		panic(err)
+	}
+	return string(out) == "1"
+}
--- a/client/internal/routemanager/systemops_nonlinux.go
+++ b/client/internal/routemanager/systemops_nonlinux.go
@@ -0,0 +1,41 @@
+//go:build !linux
+// +build !linux
+
+package routemanager
+
+import (
+	log "github.com/sirupsen/logrus"
+	"net/netip"
+	"os/exec"
+	"runtime"
+)
+
+func addToRouteTable(prefix netip.Prefix, addr string) error {
+	cmd := exec.Command("route", "add", prefix.String(), addr)
+	out, err := cmd.Output()
+	if err != nil {
+		return err
+	}
+	log.Debugf(string(out))
+	return nil
+}
+
+func removeFromRouteTable(prefix netip.Prefix) error {
+	cmd := exec.Command("route", "delete", prefix.String())
+	out, err := cmd.Output()
+	if err != nil {
+		return err
+	}
+	log.Debugf(string(out))
+	return nil
+}
+
+func enableIPForwarding() error {
+	log.Infof("enable IP forwarding is not implemented on %s", runtime.GOOS)
+	return nil
+}
+
+func isNetForwardHistoryEnabled() bool {
+	log.Infof("check netforwad history is not implemented on %s", runtime.GOOS)
+	return false
+}
--- a/client/internal/routemanager/systemops_test.go
+++ b/client/internal/routemanager/systemops_test.go
@@ -0,0 +1,68 @@
+package routemanager
+
+import (
+	"fmt"
+	"github.com/netbirdio/netbird/iface"
+	"github.com/stretchr/testify/require"
+	"net/netip"
+	"testing"
+)
+
+func TestAddRemoveRoutes(t *testing.T) {
+	testCases := []struct {
+		name                   string
+		prefix                 netip.Prefix
+		shouldRouteToWireguard bool
+		shouldBeRemoved        bool
+	}{
+		{
+			name:                   "Should Add And Remove Route",
+			prefix:                 netip.MustParsePrefix("100.66.120.0/24"),
+			shouldRouteToWireguard: true,
+			shouldBeRemoved:        true,
+		},
+		{
+			name:                   "Should Not Add Or Remove Route",
+			prefix:                 netip.MustParsePrefix("127.0.0.1/32"),
+			shouldRouteToWireguard: false,
+			shouldBeRemoved:        false,
+		},
+	}
+
+	for n, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun53%d", n), "100.65.75.2/24", iface.DefaultMTU)
+			require.NoError(t, err, "should create testing WGIface interface")
+			defer wgInterface.Close()
+
+			err = wgInterface.Create()
+			require.NoError(t, err, "should create testing wireguard interface")
+
+			err = addToRouteTableIfNoExists(testCase.prefix, wgInterface.GetAddress().IP.String())
+			require.NoError(t, err, "should not return err")
+
+			prefixGateway, err := getExistingRIBRouteGateway(testCase.prefix)
+			require.NoError(t, err, "should not return err")
+			if testCase.shouldRouteToWireguard {
+				require.Equal(t, wgInterface.GetAddress().IP.String(), prefixGateway.String(), "route should point to wireguard interface IP")
+			} else {
+				require.NotEqual(t, wgInterface.GetAddress().IP.String(), prefixGateway.String(), "route should point to a different interface")
+			}
+
+			err = removeFromRouteTableIfNonSystem(testCase.prefix, wgInterface.GetAddress().IP.String())
+			require.NoError(t, err, "should not return err")
+
+			prefixGateway, err = getExistingRIBRouteGateway(testCase.prefix)
+			require.NoError(t, err, "should not return err")
+
+			internetGateway, err := getExistingRIBRouteGateway(netip.MustParsePrefix("0.0.0.0/0"))
+			require.NoError(t, err)
+
+			if testCase.shouldBeRemoved {
+				require.Equal(t, internetGateway, prefixGateway, "route should be pointing to default internet gateway")
+			} else {
+				require.NotEqual(t, internetGateway, prefixGateway, "route should be pointing to a different gateway than the internet gateway")
+			}
+		})
+	}
+}
--- a/client/main.go
+++ b/client/main.go
@@ -1,9 +1,8 @@
 package main

 import (
-	"os"
-
 	"github.com/netbirdio/netbird/client/cmd"
+	"os"
 )

 func main() {
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
@@ -1,15 +1,16 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.26.0
-// 	protoc        v3.19.4
+// 	protoc        v3.12.4
 // source: daemon.proto

 package proto

 import (
+	_ "github.com/golang/protobuf/protoc-gen-go/descriptor"
+	timestamp "github.com/golang/protobuf/ptypes/timestamp"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
-	_ "google.golang.org/protobuf/types/descriptorpb"
 	reflect "reflect"
 	sync "sync"
 )
@@ -332,6 +333,8 @@ type StatusRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
+
+	GetFullPeerStatus bool `protobuf:"varint,1,opt,name=getFullPeerStatus,proto3" json:"getFullPeerStatus,omitempty"`
 }

 func (x *StatusRequest) Reset() {
@@ -366,13 +369,23 @@ func (*StatusRequest) Descriptor() ([]byte, []int) {
 	return file_daemon_proto_rawDescGZIP(), []int{6}
 }

+func (x *StatusRequest) GetGetFullPeerStatus() bool {
+	if x != nil {
+		return x.GetFullPeerStatus
+	}
+	return false
+}
+
 type StatusResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

 	// status of the server.
-	Status string `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
+	Status     string      `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
+	FullStatus *FullStatus `protobuf:"bytes,2,opt,name=fullStatus,proto3" json:"fullStatus,omitempty"`
+	// NetBird daemon version
+	DaemonVersion string `protobuf:"bytes,3,opt,name=daemonVersion,proto3" json:"daemonVersion,omitempty"`
 }

 func (x *StatusResponse) Reset() {
@@ -414,6 +427,20 @@ func (x *StatusResponse) GetStatus() string {
 	return ""
 }

+func (x *StatusResponse) GetFullStatus() *FullStatus {
+	if x != nil {
+		return x.FullStatus
+	}
+	return nil
+}
+
+func (x *StatusResponse) GetDaemonVersion() string {
+	if x != nil {
+		return x.DaemonVersion
+	}
+	return ""
+}
+
 type DownRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -612,58 +639,470 @@ func (x *GetConfigResponse) GetAdminURL() string {
 	return ""
 }

+// PeerState contains the latest state of a peer
+type PeerState struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	IP                     string               `protobuf:"bytes,1,opt,name=IP,proto3" json:"IP,omitempty"`
+	PubKey                 string               `protobuf:"bytes,2,opt,name=pubKey,proto3" json:"pubKey,omitempty"`
+	ConnStatus             string               `protobuf:"bytes,3,opt,name=connStatus,proto3" json:"connStatus,omitempty"`
+	ConnStatusUpdate       *timestamp.Timestamp `protobuf:"bytes,4,opt,name=connStatusUpdate,proto3" json:"connStatusUpdate,omitempty"`
+	Relayed                bool                 `protobuf:"varint,5,opt,name=relayed,proto3" json:"relayed,omitempty"`
+	Direct                 bool                 `protobuf:"varint,6,opt,name=direct,proto3" json:"direct,omitempty"`
+	LocalIceCandidateType  string               `protobuf:"bytes,7,opt,name=localIceCandidateType,proto3" json:"localIceCandidateType,omitempty"`
+	RemoteIceCandidateType string               `protobuf:"bytes,8,opt,name=remoteIceCandidateType,proto3" json:"remoteIceCandidateType,omitempty"`
+}
+
+func (x *PeerState) Reset() {
+	*x = PeerState{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[12]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *PeerState) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PeerState) ProtoMessage() {}
+
+func (x *PeerState) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[12]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PeerState.ProtoReflect.Descriptor instead.
+func (*PeerState) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{12}
+}
+
+func (x *PeerState) GetIP() string {
+	if x != nil {
+		return x.IP
+	}
+	return ""
+}
+
+func (x *PeerState) GetPubKey() string {
+	if x != nil {
+		return x.PubKey
+	}
+	return ""
+}
+
+func (x *PeerState) GetConnStatus() string {
+	if x != nil {
+		return x.ConnStatus
+	}
+	return ""
+}
+
+func (x *PeerState) GetConnStatusUpdate() *timestamp.Timestamp {
+	if x != nil {
+		return x.ConnStatusUpdate
+	}
+	return nil
+}
+
+func (x *PeerState) GetRelayed() bool {
+	if x != nil {
+		return x.Relayed
+	}
+	return false
+}
+
+func (x *PeerState) GetDirect() bool {
+	if x != nil {
+		return x.Direct
+	}
+	return false
+}
+
+func (x *PeerState) GetLocalIceCandidateType() string {
+	if x != nil {
+		return x.LocalIceCandidateType
+	}
+	return ""
+}
+
+func (x *PeerState) GetRemoteIceCandidateType() string {
+	if x != nil {
+		return x.RemoteIceCandidateType
+	}
+	return ""
+}
+
+// LocalPeerState contains the latest state of the local peer
+type LocalPeerState struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	IP              string `protobuf:"bytes,1,opt,name=IP,proto3" json:"IP,omitempty"`
+	PubKey          string `protobuf:"bytes,2,opt,name=pubKey,proto3" json:"pubKey,omitempty"`
+	KernelInterface bool   `protobuf:"varint,3,opt,name=kernelInterface,proto3" json:"kernelInterface,omitempty"`
+}
+
+func (x *LocalPeerState) Reset() {
+	*x = LocalPeerState{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[13]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *LocalPeerState) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*LocalPeerState) ProtoMessage() {}
+
+func (x *LocalPeerState) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[13]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use LocalPeerState.ProtoReflect.Descriptor instead.
+func (*LocalPeerState) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{13}
+}
+
+func (x *LocalPeerState) GetIP() string {
+	if x != nil {
+		return x.IP
+	}
+	return ""
+}
+
+func (x *LocalPeerState) GetPubKey() string {
+	if x != nil {
+		return x.PubKey
+	}
+	return ""
+}
+
+func (x *LocalPeerState) GetKernelInterface() bool {
+	if x != nil {
+		return x.KernelInterface
+	}
+	return false
+}
+
+// SignalState contains the latest state of a signal connection
+type SignalState struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	URL       string `protobuf:"bytes,1,opt,name=URL,proto3" json:"URL,omitempty"`
+	Connected bool   `protobuf:"varint,2,opt,name=connected,proto3" json:"connected,omitempty"`
+}
+
+func (x *SignalState) Reset() {
+	*x = SignalState{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[14]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignalState) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignalState) ProtoMessage() {}
+
+func (x *SignalState) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[14]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignalState.ProtoReflect.Descriptor instead.
+func (*SignalState) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{14}
+}
+
+func (x *SignalState) GetURL() string {
+	if x != nil {
+		return x.URL
+	}
+	return ""
+}
+
+func (x *SignalState) GetConnected() bool {
+	if x != nil {
+		return x.Connected
+	}
+	return false
+}
+
+// ManagementState contains the latest state of a management connection
+type ManagementState struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	URL       string `protobuf:"bytes,1,opt,name=URL,proto3" json:"URL,omitempty"`
+	Connected bool   `protobuf:"varint,2,opt,name=connected,proto3" json:"connected,omitempty"`
+}
+
+func (x *ManagementState) Reset() {
+	*x = ManagementState{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[15]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *ManagementState) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ManagementState) ProtoMessage() {}
+
+func (x *ManagementState) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[15]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ManagementState.ProtoReflect.Descriptor instead.
+func (*ManagementState) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{15}
+}
+
+func (x *ManagementState) GetURL() string {
+	if x != nil {
+		return x.URL
+	}
+	return ""
+}
+
+func (x *ManagementState) GetConnected() bool {
+	if x != nil {
+		return x.Connected
+	}
+	return false
+}
+
+// FullStatus contains the full state held by the Status instance
+type FullStatus struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	ManagementState *ManagementState `protobuf:"bytes,1,opt,name=managementState,proto3" json:"managementState,omitempty"`
+	SignalState     *SignalState     `protobuf:"bytes,2,opt,name=signalState,proto3" json:"signalState,omitempty"`
+	LocalPeerState  *LocalPeerState  `protobuf:"bytes,3,opt,name=localPeerState,proto3" json:"localPeerState,omitempty"`
+	Peers           []*PeerState     `protobuf:"bytes,4,rep,name=peers,proto3" json:"peers,omitempty"`
+}
+
+func (x *FullStatus) Reset() {
+	*x = FullStatus{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[16]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *FullStatus) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*FullStatus) ProtoMessage() {}
+
+func (x *FullStatus) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[16]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use FullStatus.ProtoReflect.Descriptor instead.
+func (*FullStatus) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{16}
+}
+
+func (x *FullStatus) GetManagementState() *ManagementState {
+	if x != nil {
+		return x.ManagementState
+	}
+	return nil
+}
+
+func (x *FullStatus) GetSignalState() *SignalState {
+	if x != nil {
+		return x.SignalState
+	}
+	return nil
+}
+
+func (x *FullStatus) GetLocalPeerState() *LocalPeerState {
+	if x != nil {
+		return x.LocalPeerState
+	}
+	return nil
+}
+
+func (x *FullStatus) GetPeers() []*PeerState {
+	if x != nil {
+		return x.Peers
+	}
+	return nil
+}
+
 var File_daemon_proto protoreflect.FileDescriptor

 var file_daemon_proto_rawDesc = []byte{
 	0x0a, 0x0c, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06,
 	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x1a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74,
-	0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x90, 0x01, 0x0a, 0x0c, 0x4c, 0x6f, 0x67,
-	0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x65, 0x74,
-	0x75, 0x70, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x65, 0x74,
-	0x75, 0x70, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72,
-	0x65, 0x64, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x72, 0x65,
-	0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x0a, 0x0d, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x12,
-	0x1a, 0x0a, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x18, 0x04, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x22, 0xb5, 0x01, 0x0a, 0x0d,
-	0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a,
-	0x0d, 0x6e, 0x65, 0x65, 0x64, 0x73, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x6e, 0x65, 0x65, 0x64, 0x73, 0x53, 0x53, 0x4f, 0x4c, 0x6f,
-	0x67, 0x69, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x12,
-	0x28, 0x0a, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55,
-	0x52, 0x49, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69,
-	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x12, 0x38, 0x0a, 0x17, 0x76, 0x65, 0x72,
+	0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
+	0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74,
+	0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x90, 0x01, 0x0a, 0x0c, 0x4c, 0x6f,
+	0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x65,
+	0x74, 0x75, 0x70, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x65,
+	0x74, 0x75, 0x70, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61,
+	0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x72,
+	0x65, 0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x0a, 0x0d, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c,
+	0x12, 0x1a, 0x0a, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x18, 0x04, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x22, 0xb5, 0x01, 0x0a,
+	0x0d, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24,
+	0x0a, 0x0d, 0x6e, 0x65, 0x65, 0x64, 0x73, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x6e, 0x65, 0x65, 0x64, 0x73, 0x53, 0x53, 0x4f, 0x4c,
+	0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65,
+	0x12, 0x28, 0x0a, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x55, 0x52, 0x49, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66,
+	0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x12, 0x38, 0x0a, 0x17, 0x76, 0x65,
+	0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x43, 0x6f, 0x6d,
+	0x70, 0x6c, 0x65, 0x74, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x17, 0x76, 0x65, 0x72,
 	0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x43, 0x6f, 0x6d, 0x70,
-	0x6c, 0x65, 0x74, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x17, 0x76, 0x65, 0x72, 0x69,
-	0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x43, 0x6f, 0x6d, 0x70, 0x6c,
-	0x65, 0x74, 0x65, 0x22, 0x31, 0x0a, 0x13, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f,
-	0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73,
-	0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73,
-	0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x22, 0x16, 0x0a, 0x14, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53,
-	0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x0b,
-	0x0a, 0x09, 0x55, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x0c, 0x0a, 0x0a, 0x55,
-	0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x0f, 0x0a, 0x0d, 0x53, 0x74, 0x61,
-	0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x28, 0x0a, 0x0e, 0x53, 0x74,
+	0x6c, 0x65, 0x74, 0x65, 0x22, 0x31, 0x0a, 0x13, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c,
+	0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75,
+	0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75,
+	0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x22, 0x16, 0x0a, 0x14, 0x57, 0x61, 0x69, 0x74, 0x53,
+	0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x0b, 0x0a, 0x09, 0x55, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x0c, 0x0a, 0x0a,
+	0x55, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x3d, 0x0a, 0x0d, 0x53, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2c, 0x0a, 0x11, 0x67,
+	0x65, 0x74, 0x46, 0x75, 0x6c, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x11, 0x67, 0x65, 0x74, 0x46, 0x75, 0x6c, 0x6c, 0x50,
+	0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x82, 0x01, 0x0a, 0x0e, 0x53, 0x74,
 	0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06,
 	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74,
-	0x61, 0x74, 0x75, 0x73, 0x22, 0x0d, 0x0a, 0x0b, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x22, 0x0e, 0x0a, 0x0c, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x22, 0x12, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xb3, 0x01, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x43,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a,
-	0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
-	0x55, 0x72, 0x6c, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x46, 0x69, 0x6c,
-	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x46,
-	0x69, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6c, 0x6f, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x18, 0x03,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6c, 0x6f, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x22, 0x0a,
-	0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x18, 0x04, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65,
-	0x79, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x18, 0x05, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x32, 0xf7, 0x02,
+	0x61, 0x74, 0x75, 0x73, 0x12, 0x32, 0x0a, 0x0a, 0x66, 0x75, 0x6c, 0x6c, 0x53, 0x74, 0x61, 0x74,
+	0x75, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f,
+	0x6e, 0x2e, 0x46, 0x75, 0x6c, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x0a, 0x66, 0x75,
+	0x6c, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x24, 0x0a, 0x0d, 0x64, 0x61, 0x65, 0x6d,
+	0x6f, 0x6e, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0d, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x0d,
+	0x0a, 0x0b, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x0e, 0x0a,
+	0x0c, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x12, 0x0a,
+	0x10, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x22, 0xb3, 0x01, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x12, 0x1e, 0x0a,
+	0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x18, 0x0a,
+	0x07, 0x6c, 0x6f, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07,
+	0x6c, 0x6f, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68,
+	0x61, 0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70,
+	0x72, 0x65, 0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x61,
+	0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x61,
+	0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c, 0x22, 0xbb, 0x02, 0x0a, 0x09, 0x50, 0x65, 0x65, 0x72,
+	0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x1e, 0x0a,
+	0x0a, 0x63, 0x6f, 0x6e, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x46, 0x0a,
+	0x10, 0x63, 0x6f, 0x6e, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74,
+	0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74,
+	0x61, 0x6d, 0x70, 0x52, 0x10, 0x63, 0x6f, 0x6e, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x55,
+	0x70, 0x64, 0x61, 0x74, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x65, 0x64,
+	0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x65, 0x64, 0x12,
+	0x16, 0x0a, 0x06, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52,
+	0x06, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x12, 0x34, 0x0a, 0x15, 0x6c, 0x6f, 0x63, 0x61, 0x6c,
+	0x49, 0x63, 0x65, 0x43, 0x61, 0x6e, 0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65,
+	0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x15, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x63, 0x65,
+	0x43, 0x61, 0x6e, 0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x36, 0x0a,
+	0x16, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x49, 0x63, 0x65, 0x43, 0x61, 0x6e, 0x64, 0x69, 0x64,
+	0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x16, 0x72,
+	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x49, 0x63, 0x65, 0x43, 0x61, 0x6e, 0x64, 0x69, 0x64, 0x61, 0x74,
+	0x65, 0x54, 0x79, 0x70, 0x65, 0x22, 0x62, 0x0a, 0x0e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65,
+	0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x50, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65,
+	0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12,
+	0x28, 0x0a, 0x0f, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x66, 0x61,
+	0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c,
+	0x49, 0x6e, 0x74, 0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x22, 0x3d, 0x0a, 0x0b, 0x53, 0x69, 0x67,
+	0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x55, 0x52, 0x4c, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x55, 0x52, 0x4c, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x6f,
+	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x63,
+	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64, 0x22, 0x41, 0x0a, 0x0f, 0x4d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x55,
+	0x52, 0x4c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x55, 0x52, 0x4c, 0x12, 0x1c, 0x0a,
+	0x09, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08,
+	0x52, 0x09, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64, 0x22, 0xef, 0x01, 0x0a, 0x0a,
+	0x46, 0x75, 0x6c, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x41, 0x0a, 0x0f, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x0f, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x35, 0x0a,
+	0x0b, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x13, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x69, 0x67, 0x6e,
+	0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x0b, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53,
+	0x74, 0x61, 0x74, 0x65, 0x12, 0x3e, 0x0a, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65, 0x65,
+	0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x64,
+	0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53,
+	0x74, 0x61, 0x74, 0x65, 0x52, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53,
+	0x74, 0x61, 0x74, 0x65, 0x12, 0x27, 0x0a, 0x05, 0x70, 0x65, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20,
+	0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x65, 0x65,
+	0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x70, 0x65, 0x65, 0x72, 0x73, 0x32, 0xf7, 0x02,
 	0x0a, 0x0d, 0x44, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12,
 	0x36, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x14, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f,
 	0x6e, 0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15,
@@ -703,7 +1142,7 @@ func file_daemon_proto_rawDescGZIP() []byte {
 	return file_daemon_proto_rawDescData
 }

-var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
+var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 17)
 var file_daemon_proto_goTypes = []interface{}{
 	(*LoginRequest)(nil),         // 0: daemon.LoginRequest
 	(*LoginResponse)(nil),        // 1: daemon.LoginResponse
@@ -717,25 +1156,37 @@ var file_daemon_proto_goTypes = []interface{}{
 	(*DownResponse)(nil),         // 9: daemon.DownResponse
 	(*GetConfigRequest)(nil),     // 10: daemon.GetConfigRequest
 	(*GetConfigResponse)(nil),    // 11: daemon.GetConfigResponse
+	(*PeerState)(nil),            // 12: daemon.PeerState
+	(*LocalPeerState)(nil),       // 13: daemon.LocalPeerState
+	(*SignalState)(nil),          // 14: daemon.SignalState
+	(*ManagementState)(nil),      // 15: daemon.ManagementState
+	(*FullStatus)(nil),           // 16: daemon.FullStatus
+	(*timestamp.Timestamp)(nil),  // 17: google.protobuf.Timestamp
 }
 var file_daemon_proto_depIdxs = []int32{
-	0,  // 0: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
-	2,  // 1: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
-	4,  // 2: daemon.DaemonService.Up:input_type -> daemon.UpRequest
-	6,  // 3: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
-	8,  // 4: daemon.DaemonService.Down:input_type -> daemon.DownRequest
-	10, // 5: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
-	1,  // 6: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
-	3,  // 7: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
-	5,  // 8: daemon.DaemonService.Up:output_type -> daemon.UpResponse
-	7,  // 9: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
-	9,  // 10: daemon.DaemonService.Down:output_type -> daemon.DownResponse
-	11, // 11: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
-	6,  // [6:12] is the sub-list for method output_type
-	0,  // [0:6] is the sub-list for method input_type
-	0,  // [0:0] is the sub-list for extension type_name
-	0,  // [0:0] is the sub-list for extension extendee
-	0,  // [0:0] is the sub-list for field type_name
+	16, // 0: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
+	17, // 1: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
+	15, // 2: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
+	14, // 3: daemon.FullStatus.signalState:type_name -> daemon.SignalState
+	13, // 4: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
+	12, // 5: daemon.FullStatus.peers:type_name -> daemon.PeerState
+	0,  // 6: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
+	2,  // 7: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
+	4,  // 8: daemon.DaemonService.Up:input_type -> daemon.UpRequest
+	6,  // 9: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
+	8,  // 10: daemon.DaemonService.Down:input_type -> daemon.DownRequest
+	10, // 11: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
+	1,  // 12: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	3,  // 13: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	5,  // 14: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	7,  // 15: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	9,  // 16: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	11, // 17: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	12, // [12:18] is the sub-list for method output_type
+	6,  // [6:12] is the sub-list for method input_type
+	6,  // [6:6] is the sub-list for extension type_name
+	6,  // [6:6] is the sub-list for extension extendee
+	0,  // [0:6] is the sub-list for field type_name
 }

 func init() { file_daemon_proto_init() }
@@ -888,6 +1339,66 @@ func file_daemon_proto_init() {
 				return nil
 			}
 		}
+		file_daemon_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*PeerState); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*LocalPeerState); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignalState); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*ManagementState); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[16].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*FullStatus); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@@ -895,7 +1406,7 @@ func file_daemon_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_daemon_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   12,
+			NumMessages:   17,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -1,6 +1,7 @@
 syntax = "proto3";

 import "google/protobuf/descriptor.proto";
+import "google/protobuf/timestamp.proto";

 option go_package = "/proto";

@@ -59,11 +60,16 @@ message UpRequest {}

 message UpResponse {}

-message StatusRequest{}
+message StatusRequest{
+  bool getFullPeerStatus = 1;
+}

 message StatusResponse{
  // status of the server.
  string status = 1;
+  FullStatus fullStatus = 2;
+  // NetBird daemon version
+  string daemonVersion = 3;
 }

 message DownRequest {}
@@ -88,3 +94,41 @@ message GetConfigResponse {
  // adminURL settings value.
  string adminURL = 5;
 }
+
+// PeerState contains the latest state of a peer
+message PeerState {
+  string IP = 1;
+  string pubKey = 2;
+  string connStatus = 3;
+  google.protobuf.Timestamp connStatusUpdate = 4;
+  bool relayed = 5;
+  bool direct = 6;
+  string localIceCandidateType = 7;
+  string remoteIceCandidateType =8;
+}
+
+// LocalPeerState contains the latest state of the local peer
+message LocalPeerState {
+  string IP = 1;
+  string pubKey = 2;
+  bool  kernelInterface =3;
+}
+
+// SignalState contains the latest state of a signal connection
+message SignalState {
+  string URL = 1;
+  bool connected = 2;
+}
+
+// ManagementState contains the latest state of a management connection
+message ManagementState {
+  string URL = 1;
+  bool connected = 2;
+}
+// FullStatus contains the full state held by the Status instance
+message FullStatus {
+    ManagementState managementState = 1;
+    SignalState     signalState = 2;
+    LocalPeerState  localPeerState = 3;
+    repeated PeerState peers = 4;
+}
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -3,6 +3,9 @@ package server
 import (
 	"context"
 	"fmt"
+	nbStatus "github.com/netbirdio/netbird/client/status"
+	"github.com/netbirdio/netbird/client/system"
+	"google.golang.org/protobuf/types/known/timestamppb"
 	"sync"
 	"time"

@@ -31,6 +34,8 @@ type Server struct {
 	mutex  sync.Mutex
 	config *internal.Config
 	proto.UnimplementedDaemonServiceServer
+
+	statusRecorder *nbStatus.Status
 }

 type oauthAuthFlow struct {
@@ -52,6 +57,8 @@ func New(ctx context.Context, managementURL, adminURL, configPath, logFile strin
 }

 func (s *Server) Start() error {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
 	state := internal.CtxGetState(s.rootCtx)

 	// if current state contains any error, return it
@@ -86,11 +93,16 @@ func (s *Server) Start() error {
 	}

 	// if configuration exists, we just start connections.
+	config, _ = internal.UpdateOldManagementPort(ctx, config, s.configPath)

 	s.config = config

+	if s.statusRecorder == nil {
+		s.statusRecorder = nbStatus.NewRecorder()
+	}
+
 	go func() {
-		if err := internal.RunClient(ctx, config); err != nil {
+		if err := internal.RunClient(ctx, config, s.statusRecorder); err != nil {
 			log.Errorf("init connections: %v", err)
 		}
 	}()
@@ -158,6 +170,12 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 		return nil, err
 	}

+	if msg.ManagementUrl == "" {
+		config, _ = internal.UpdateOldManagementPort(ctx, config, s.configPath)
+		s.config = config
+		s.managementURL = config.ManagementURL.String()
+	}
+
 	s.mutex.Lock()
 	s.config = config
 	s.mutex.Unlock()
@@ -190,7 +208,8 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 		hostedClient := internal.NewHostedDeviceFlow(
 			providerConfig.ProviderConfig.Audience,
 			providerConfig.ProviderConfig.ClientID,
-			providerConfig.ProviderConfig.Domain,
+			providerConfig.ProviderConfig.TokenEndpoint,
+			providerConfig.ProviderConfig.DeviceAuthEndpoint,
 		)

 		if s.oauthAuthFlow.client != nil && s.oauthAuthFlow.client.GetClientID(ctx) == hostedClient.GetClientID(context.TODO()) {
@@ -350,8 +369,12 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 		return nil, fmt.Errorf("config is not defined, please call login command first")
 	}

+	if s.statusRecorder == nil {
+		s.statusRecorder = nbStatus.NewRecorder()
+	}
+
 	go func() {
-		if err := internal.RunClient(ctx, s.config); err != nil {
+		if err := internal.RunClient(ctx, s.config, s.statusRecorder); err != nil {
 			log.Errorf("run client connection: %v", state.Wrap(err))
 			return
 		}
@@ -375,7 +398,7 @@ func (s *Server) Down(ctx context.Context, msg *proto.DownRequest) (*proto.DownR

 // Status starts engine work in the daemon.
 func (s *Server) Status(
-	ctx context.Context,
+	_ context.Context,
 	msg *proto.StatusRequest,
 ) (*proto.StatusResponse, error) {
 	s.mutex.Lock()
@@ -386,7 +409,19 @@ func (s *Server) Status(
 		return nil, err
 	}

-	return &proto.StatusResponse{Status: string(status)}, nil
+	statusResponse := proto.StatusResponse{Status: string(status), DaemonVersion: system.NetbirdVersion()}
+
+	if s.statusRecorder == nil {
+		s.statusRecorder = nbStatus.NewRecorder()
+	}
+
+	if msg.GetFullPeerStatus {
+		fullStatus := s.statusRecorder.GetFullStatus()
+		pbFullStatus := toProtoFullStatus(fullStatus)
+		statusResponse.FullStatus = pbFullStatus
+	}
+
+	return &statusResponse, nil
 }

 // GetConfig of the daemon.
@@ -422,3 +457,37 @@ func (s *Server) GetConfig(ctx context.Context, msg *proto.GetConfigRequest) (*p
 		PreSharedKey:  preSharedKey,
 	}, nil
 }
+
+func toProtoFullStatus(fullStatus nbStatus.FullStatus) *proto.FullStatus {
+	pbFullStatus := proto.FullStatus{
+		ManagementState: &proto.ManagementState{},
+		SignalState:     &proto.SignalState{},
+		LocalPeerState:  &proto.LocalPeerState{},
+		Peers:           []*proto.PeerState{},
+	}
+
+	pbFullStatus.ManagementState.URL = fullStatus.ManagementState.URL
+	pbFullStatus.ManagementState.Connected = fullStatus.ManagementState.Connected
+
+	pbFullStatus.SignalState.URL = fullStatus.SignalState.URL
+	pbFullStatus.SignalState.Connected = fullStatus.SignalState.Connected
+
+	pbFullStatus.LocalPeerState.IP = fullStatus.LocalPeerState.IP
+	pbFullStatus.LocalPeerState.PubKey = fullStatus.LocalPeerState.PubKey
+	pbFullStatus.LocalPeerState.KernelInterface = fullStatus.LocalPeerState.KernelInterface
+
+	for _, peerState := range fullStatus.Peers {
+		pbPeerState := &proto.PeerState{
+			IP:                     peerState.IP,
+			PubKey:                 peerState.PubKey,
+			ConnStatus:             peerState.ConnStatus,
+			ConnStatusUpdate:       timestamppb.New(peerState.ConnStatusUpdate),
+			Relayed:                peerState.Relayed,
+			Direct:                 peerState.Direct,
+			LocalIceCandidateType:  peerState.LocalIceCandidateType,
+			RemoteIceCandidateType: peerState.RemoteIceCandidateType,
+		}
+		pbFullStatus.Peers = append(pbFullStatus.Peers, pbPeerState)
+	}
+	return &pbFullStatus
+}
--- a/client/ssh/client.go
+++ b/client/ssh/client.go
@@ -6,6 +6,7 @@ import (
 	"golang.org/x/term"
 	"net"
 	"os"
+	"time"
 )

 // Client wraps crypto/ssh Client to simplify usage
@@ -92,7 +93,8 @@ func DialWithKey(addr, user string, privateKey []byte) (*Client, error) {
 	}

 	config := &ssh.ClientConfig{
-		User: user,
+		User:    user,
+		Timeout: 5 * time.Second,
 		Auth: []ssh.AuthMethod{
 			ssh.PublicKeys(signer),
 		},
--- a/client/ssh/login.go
+++ b/client/ssh/login.go
@@ -0,0 +1,36 @@
+package ssh
+
+import (
+	"fmt"
+	"github.com/netbirdio/netbird/util"
+	"net"
+	"net/netip"
+	"os/exec"
+	"runtime"
+)
+
+func getLoginCmd(user string, remoteAddr net.Addr) (loginPath string, args []string, err error) {
+	loginPath, err = exec.LookPath("login")
+	if err != nil {
+		return "", nil, err
+	}
+
+	addrPort, err := netip.ParseAddrPort(remoteAddr.String())
+	if err != nil {
+		return "", nil, err
+	}
+
+	if runtime.GOOS == "linux" {
+
+		if util.FileExists("/etc/arch-release") && !util.FileExists("/etc/pam.d/remote") {
+			// detect if Arch Linux
+			return loginPath, []string{"-f", user, "-p"}, nil
+		}
+
+		return loginPath, []string{"-f", user, "-h", addrPort.Addr().String(), "-p"}, nil
+	} else if runtime.GOOS == "darwin" {
+		return loginPath, []string{"-fp", "-h", addrPort.Addr().String(), user}, nil
+	}
+
+	return "", nil, fmt.Errorf("unsupported platform")
+}
--- a/client/ssh/lookup.go
+++ b/client/ssh/lookup.go
@@ -0,0 +1,10 @@
+//go:build !darwin
+// +build !darwin
+
+package ssh
+
+import "os/user"
+
+func userNameLookup(username string) (*user.User, error) {
+	return user.Lookup(username)
+}
--- a/client/ssh/lookup_darwin.go
+++ b/client/ssh/lookup_darwin.go
@@ -0,0 +1,47 @@
+//go:build darwin
+// +build darwin
+
+package ssh
+
+import (
+	"bytes"
+	"fmt"
+	"os/exec"
+	"os/user"
+	"strings"
+)
+
+func userNameLookup(username string) (*user.User, error) {
+	var userObject *user.User
+	userObject, err := user.Lookup(username)
+	if err != nil && err.Error() == user.UnknownUserError(username).Error() {
+		return idUserNameLookup(username)
+	} else if err != nil {
+		return nil, err
+	}
+
+	return userObject, nil
+}
+
+func idUserNameLookup(username string) (*user.User, error) {
+	cmd := exec.Command("id", "-P", username)
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return nil, fmt.Errorf("error while retrieving user with id -P command, error: %v", err)
+	}
+	colon := ":"
+
+	if !bytes.Contains(out, []byte(username+colon)) {
+		return nil, fmt.Errorf("unable to find user in returned string")
+	}
+	// netbird:********:501:20::0:0:netbird:/Users/netbird:/bin/zsh
+	parts := strings.SplitN(string(out), colon, 10)
+	userObject := &user.User{
+		Username: parts[0],
+		Uid:      parts[2],
+		Gid:      parts[3],
+		Name:     parts[7],
+		HomeDir:  parts[8],
+	}
+	return userObject, nil
+}
--- a/client/ssh/server.go
+++ b/client/ssh/server.go
@@ -9,6 +9,9 @@ import (
 	"net"
 	"os"
 	"os/exec"
+	"os/user"
+	"runtime"
+	"strings"
 	"sync"
 )

@@ -105,12 +108,20 @@ func (srv *DefaultServer) publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) b
 	return false
 }

-func getShellType() string {
-	shell := os.Getenv("SHELL")
-	if shell == "" {
-		shell = "sh"
+func prepareUserEnv(user *user.User, shell string) []string {
+	return []string{
+		fmt.Sprintf("SHELL=" + shell),
+		fmt.Sprintf("USER=" + user.Username),
+		fmt.Sprintf("HOME=" + user.HomeDir),
 	}
-	return shell
+}
+
+func acceptEnv(s string) bool {
+	split := strings.Split(s, "=")
+	if len(split) != 2 {
+		return false
+	}
+	return split[0] == "TERM" || split[0] == "LANG" || strings.HasPrefix(split[0], "LC_")
 }

 // sessionHandler handles SSH session post auth
@@ -118,14 +129,54 @@ func (srv *DefaultServer) sessionHandler(session ssh.Session) {
 	srv.mu.Lock()
 	srv.sessions = append(srv.sessions, session)
 	srv.mu.Unlock()
+
+	defer func() {
+		err := session.Close()
+		if err != nil {
+			return
+		}
+	}()
+
+	localUser, err := userNameLookup(session.User())
+	if err != nil {
+		_, err = fmt.Fprintf(session, "remote SSH server couldn't find local user %s\n", session.User()) //nolint
+		err = session.Exit(1)
+		if err != nil {
+			return
+		}
+		log.Warnf("failed SSH session from %v, user %s", session.RemoteAddr(), session.User())
+		return
+	}
+
 	ptyReq, winCh, isPty := session.Pty()
 	if isPty {
-		cmd := exec.Command(getShellType())
-		cmd.Env = append(cmd.Env, fmt.Sprintf("TERM=%session", ptyReq.Term))
+		loginCmd, loginArgs, err := getLoginCmd(localUser.Username, session.RemoteAddr())
+		if err != nil {
+			log.Warnf("failed logging-in user %s from remote IP %s", localUser.Username, session.RemoteAddr().String())
+			return
+		}
+		cmd := exec.Command(loginCmd, loginArgs...)
+		go func() {
+			<-session.Context().Done()
+			err := cmd.Process.Kill()
+			if err != nil {
+				return
+			}
+		}()
+		cmd.Dir = localUser.HomeDir
+		cmd.Env = append(cmd.Env, fmt.Sprintf("TERM=%s", ptyReq.Term))
+		cmd.Env = append(cmd.Env, prepareUserEnv(localUser, getUserShell(localUser.Uid))...)
+		for _, v := range session.Environ() {
+			if acceptEnv(v) {
+				cmd.Env = append(cmd.Env, v)
+			}
+		}
+
 		file, err := pty.Start(cmd)
 		if err != nil {
 			log.Errorf("failed starting SSH server %v", err)
 		}
+
 		go func() {
 			for win := range winCh {
 				setWinSize(file, win.Width, win.Height)
@@ -181,3 +232,19 @@ func (srv *DefaultServer) Start() error {

 	return nil
 }
+
+func getUserShell(userID string) string {
+	if runtime.GOOS == "linux" {
+		output, _ := exec.Command("getent", "passwd", userID).Output()
+		line := strings.SplitN(string(output), ":", 10)
+		if len(line) > 6 {
+			return strings.TrimSpace(line[6])
+		}
+	}
+
+	shell := os.Getenv("SHELL")
+	if shell == "" {
+		shell = "/bin/sh"
+	}
+	return shell
+}
--- a/client/status/status.go
+++ b/client/status/status.go
@@ -0,0 +1,223 @@
+package status
+
+import (
+	"errors"
+	"sync"
+	"time"
+)
+
+// PeerState contains the latest state of a peer
+type PeerState struct {
+	IP                     string
+	PubKey                 string
+	ConnStatus             string
+	ConnStatusUpdate       time.Time
+	Relayed                bool
+	Direct                 bool
+	LocalIceCandidateType  string
+	RemoteIceCandidateType string
+}
+
+// LocalPeerState contains the latest state of the local peer
+type LocalPeerState struct {
+	IP              string
+	PubKey          string
+	KernelInterface bool
+}
+
+// SignalState contains the latest state of a signal connection
+type SignalState struct {
+	URL       string
+	Connected bool
+}
+
+// ManagementState contains the latest state of a management connection
+type ManagementState struct {
+	URL       string
+	Connected bool
+}
+
+// FullStatus contains the full state held by the Status instance
+type FullStatus struct {
+	Peers           []PeerState
+	ManagementState ManagementState
+	SignalState     SignalState
+	LocalPeerState  LocalPeerState
+}
+
+// Status holds a state of peers, signal and management connections
+type Status struct {
+	mux          sync.Mutex
+	peers        map[string]PeerState
+	changeNotify map[string]chan struct{}
+	signal       SignalState
+	management   ManagementState
+	localPeer    LocalPeerState
+}
+
+// NewRecorder returns a new Status instance
+func NewRecorder() *Status {
+	return &Status{
+		peers:        make(map[string]PeerState),
+		changeNotify: make(map[string]chan struct{}),
+	}
+}
+
+// AddPeer adds peer to Daemon status map
+func (d *Status) AddPeer(peerPubKey string) error {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	_, ok := d.peers[peerPubKey]
+	if ok {
+		return errors.New("peer already exist")
+	}
+	d.peers[peerPubKey] = PeerState{PubKey: peerPubKey}
+	return nil
+}
+
+// GetPeer adds peer to Daemon status map
+func (d *Status) GetPeer(peerPubKey string) (PeerState, error) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	state, ok := d.peers[peerPubKey]
+	if !ok {
+		return PeerState{}, errors.New("peer not found")
+	}
+	return state, nil
+}
+
+// RemovePeer removes peer from Daemon status map
+func (d *Status) RemovePeer(peerPubKey string) error {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	_, ok := d.peers[peerPubKey]
+	if ok {
+		delete(d.peers, peerPubKey)
+		return nil
+	}
+
+	return errors.New("no peer with to remove")
+}
+
+// UpdatePeerState updates peer status
+func (d *Status) UpdatePeerState(receivedState PeerState) error {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	peerState, ok := d.peers[receivedState.PubKey]
+	if !ok {
+		return errors.New("peer doesn't exist")
+	}
+
+	if receivedState.IP != "" {
+		peerState.IP = receivedState.IP
+	}
+
+	if receivedState.ConnStatus != peerState.ConnStatus {
+		peerState.ConnStatus = receivedState.ConnStatus
+		peerState.ConnStatusUpdate = receivedState.ConnStatusUpdate
+		peerState.Direct = receivedState.Direct
+		peerState.Relayed = receivedState.Relayed
+		peerState.LocalIceCandidateType = receivedState.LocalIceCandidateType
+		peerState.RemoteIceCandidateType = receivedState.RemoteIceCandidateType
+	}
+
+	d.peers[receivedState.PubKey] = peerState
+
+	ch, found := d.changeNotify[receivedState.PubKey]
+	if found && ch != nil {
+		close(ch)
+		d.changeNotify[receivedState.PubKey] = nil
+	}
+
+	return nil
+}
+
+// GetPeerStateChangeNotifier returns a change notifier channel for a peer
+func (d *Status) GetPeerStateChangeNotifier(peer string) <-chan struct{} {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	ch, found := d.changeNotify[peer]
+	if !found || ch == nil {
+		ch = make(chan struct{})
+		d.changeNotify[peer] = ch
+	}
+	return ch
+}
+
+// UpdateLocalPeerState updates local peer status
+func (d *Status) UpdateLocalPeerState(localPeerState LocalPeerState) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	d.localPeer = localPeerState
+}
+
+// CleanLocalPeerState cleans local peer status
+func (d *Status) CleanLocalPeerState() {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	d.localPeer = LocalPeerState{}
+}
+
+// MarkManagementDisconnected sets ManagementState to disconnected
+func (d *Status) MarkManagementDisconnected(managementURL string) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.management = ManagementState{
+		URL:       managementURL,
+		Connected: false,
+	}
+}
+
+// MarkManagementConnected sets ManagementState to connected
+func (d *Status) MarkManagementConnected(managementURL string) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.management = ManagementState{
+		URL:       managementURL,
+		Connected: true,
+	}
+}
+
+// MarkSignalDisconnected sets SignalState to disconnected
+func (d *Status) MarkSignalDisconnected(signalURL string) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.signal = SignalState{
+		signalURL,
+		false,
+	}
+}
+
+// MarkSignalConnected sets SignalState to connected
+func (d *Status) MarkSignalConnected(signalURL string) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.signal = SignalState{
+		signalURL,
+		true,
+	}
+}
+
+// GetFullStatus gets full status
+func (d *Status) GetFullStatus() FullStatus {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	fullStatus := FullStatus{
+		ManagementState: d.management,
+		SignalState:     d.signal,
+		LocalPeerState:  d.localPeer,
+	}
+
+	for _, status := range d.peers {
+		fullStatus.Peers = append(fullStatus.Peers, status)
+	}
+
+	return fullStatus
+}
--- a/client/status/status_test.go
+++ b/client/status/status_test.go
@@ -0,0 +1,225 @@
+package status
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestAddPeer(t *testing.T) {
+	key := "abc"
+	status := NewRecorder()
+	err := status.AddPeer(key)
+	assert.NoError(t, err, "shouldn't return error")
+
+	_, exists := status.peers[key]
+	assert.True(t, exists, "value was found")
+
+	err = status.AddPeer(key)
+
+	assert.Error(t, err, "should return error on duplicate")
+}
+
+func TestGetPeer(t *testing.T) {
+	key := "abc"
+	status := NewRecorder()
+	err := status.AddPeer(key)
+	assert.NoError(t, err, "shouldn't return error")
+
+	peerStatus, err := status.GetPeer(key)
+	assert.NoError(t, err, "shouldn't return error on getting peer")
+
+	assert.Equal(t, key, peerStatus.PubKey, "retrieved public key should match")
+
+	_, err = status.GetPeer("non_existing_key")
+	assert.Error(t, err, "should return error when peer doesn't exist")
+}
+
+func TestUpdatePeerState(t *testing.T) {
+	key := "abc"
+	ip := "10.10.10.10"
+	status := NewRecorder()
+	peerState := PeerState{
+		PubKey: key,
+	}
+
+	status.peers[key] = peerState
+
+	peerState.IP = ip
+
+	err := status.UpdatePeerState(peerState)
+	assert.NoError(t, err, "shouldn't return error")
+
+	state, exists := status.peers[key]
+	assert.True(t, exists, "state should be found")
+	assert.Equal(t, ip, state.IP, "ip should be equal")
+}
+
+func TestGetPeerStateChangeNotifierLogic(t *testing.T) {
+	key := "abc"
+	ip := "10.10.10.10"
+	status := NewRecorder()
+	peerState := PeerState{
+		PubKey: key,
+	}
+
+	status.peers[key] = peerState
+
+	ch := status.GetPeerStateChangeNotifier(key)
+	assert.NotNil(t, ch, "channel shouldn't be nil")
+
+	peerState.IP = ip
+
+	err := status.UpdatePeerState(peerState)
+	assert.NoError(t, err, "shouldn't return error")
+
+	select {
+	case <-ch:
+	default:
+		t.Errorf("channel wasn't closed after update")
+	}
+}
+
+func TestRemovePeer(t *testing.T) {
+	key := "abc"
+	status := NewRecorder()
+	peerState := PeerState{
+		PubKey: key,
+	}
+
+	status.peers[key] = peerState
+
+	err := status.RemovePeer(key)
+	assert.NoError(t, err, "shouldn't return error")
+
+	_, exists := status.peers[key]
+	assert.False(t, exists, "state value shouldn't be found")
+
+	err = status.RemovePeer("not existing")
+	assert.Error(t, err, "should return error when peer doesn't exist")
+}
+
+func TestUpdateLocalPeerState(t *testing.T) {
+	localPeerState := LocalPeerState{
+		IP:              "10.10.10.10",
+		PubKey:          "abc",
+		KernelInterface: false,
+	}
+	status := NewRecorder()
+
+	status.UpdateLocalPeerState(localPeerState)
+
+	assert.Equal(t, localPeerState, status.localPeer, "local peer status should be equal")
+}
+
+func TestCleanLocalPeerState(t *testing.T) {
+	emptyLocalPeerState := LocalPeerState{}
+	localPeerState := LocalPeerState{
+		IP:              "10.10.10.10",
+		PubKey:          "abc",
+		KernelInterface: false,
+	}
+	status := NewRecorder()
+
+	status.localPeer = localPeerState
+
+	status.CleanLocalPeerState()
+
+	assert.Equal(t, emptyLocalPeerState, status.localPeer, "local peer status should be empty")
+}
+
+func TestUpdateSignalState(t *testing.T) {
+	url := "https://signal"
+	var tests = []struct {
+		name      string
+		connected bool
+		want      SignalState
+	}{
+		{"should mark as connected", true, SignalState{
+
+			URL:       url,
+			Connected: true,
+		}},
+		{"should mark as disconnected", false, SignalState{
+			URL:       url,
+			Connected: false,
+		}},
+	}
+
+	status := NewRecorder()
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if test.connected {
+				status.MarkSignalConnected(url)
+			} else {
+				status.MarkSignalDisconnected(url)
+			}
+			assert.Equal(t, test.want, status.signal, "signal status should be equal")
+		})
+	}
+}
+
+func TestUpdateManagementState(t *testing.T) {
+	url := "https://management"
+	var tests = []struct {
+		name      string
+		connected bool
+		want      ManagementState
+	}{
+		{"should mark as connected", true, ManagementState{
+
+			URL:       url,
+			Connected: true,
+		}},
+		{"should mark as disconnected", false, ManagementState{
+			URL:       url,
+			Connected: false,
+		}},
+	}
+
+	status := NewRecorder()
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if test.connected {
+				status.MarkManagementConnected(url)
+			} else {
+				status.MarkManagementDisconnected(url)
+			}
+			assert.Equal(t, test.want, status.management, "signal status should be equal")
+		})
+	}
+}
+
+func TestGetFullStatus(t *testing.T) {
+	key1 := "abc"
+	key2 := "def"
+	managementState := ManagementState{
+		URL:       "https://signal",
+		Connected: true,
+	}
+	signalState := SignalState{
+		URL:       "https://signal",
+		Connected: true,
+	}
+	peerState1 := PeerState{
+		PubKey: key1,
+	}
+
+	peerState2 := PeerState{
+		PubKey: key2,
+	}
+
+	status := NewRecorder()
+
+	status.management = managementState
+	status.signal = signalState
+	status.peers[key1] = peerState1
+	status.peers[key2] = peerState2
+
+	fullStatus := status.GetFullStatus()
+
+	assert.Equal(t, managementState, fullStatus.ManagementState, "management status should be equal")
+	assert.Equal(t, signalState, fullStatus.SignalState, "signal status should be equal")
+	assert.ElementsMatch(t, []PeerState{peerState1, peerState2}, fullStatus.Peers, "peers states should match")
+}
--- a/client/system/info_darwin.go
+++ b/client/system/info_darwin.go
@@ -4,41 +4,25 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"golang.org/x/sys/unix"
 	"os"
-	"os/exec"
 	"runtime"
-	"strings"
-	"time"
 )

 // GetInfo retrieves and parses the system information
 func GetInfo(ctx context.Context) *Info {
-	out := _getInfo()
-	for strings.Contains(out, "broken pipe") {
-		out = _getInfo()
-		time.Sleep(500 * time.Millisecond)
+	utsname := unix.Utsname{}
+	err := unix.Uname(&utsname)
+	if err != nil {
+		fmt.Println("getInfo:", err)
 	}
-	osStr := strings.Replace(out, "\n", "", -1)
-	osStr = strings.Replace(osStr, "\r\n", "", -1)
-	osInfo := strings.Split(osStr, " ")
-	gio := &Info{Kernel: osInfo[0], OSVersion: osInfo[1], Core: osInfo[1], Platform: osInfo[2], OS: osInfo[0], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	sysName := string(bytes.Split(utsname.Sysname[:], []byte{0})[0])
+	machine := string(bytes.Split(utsname.Machine[:], []byte{0})[0])
+	release := string(bytes.Split(utsname.Release[:], []byte{0})[0])
+	gio := &Info{Kernel: sysName, OSVersion: release, Core: release, Platform: machine, OS: sysName, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
 	gio.WiretrusteeVersion = NetbirdVersion()
 	gio.UIVersion = extractUserAgent(ctx)

 	return gio
 }
-
-func _getInfo() string {
-	cmd := exec.Command("uname", "-srm")
-	cmd.Stdin = strings.NewReader("some input")
-	var out bytes.Buffer
-	var stderr bytes.Buffer
-	cmd.Stdout = &out
-	cmd.Stderr = &stderr
-	err := cmd.Run()
-	if err != nil {
-		fmt.Println("getInfo:", err)
-	}
-	return out.String()
-}
--- a/client/ui/client_ui.go
+++ b/client/ui/client_ui.go
@@ -1,3 +1,7 @@
+//go:build !(linux && 386)
+// +build !linux !386
+
+// skipping linux 32 bits build and tests
 package main

 import (
@@ -5,7 +9,6 @@ import (
 	"flag"
 	"fmt"
 	"github.com/netbirdio/netbird/client/system"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path"
@@ -497,7 +500,7 @@ func (s *serviceClient) getSrvConfig() {
 // checkPIDFile exists and return error, or write new.
 func checkPIDFile() error {
 	pidFile := path.Join(os.TempDir(), "wiretrustee-ui.pid")
-	if piddata, err := ioutil.ReadFile(pidFile); err == nil {
+	if piddata, err := os.ReadFile(pidFile); err == nil {
 		if pid, err := strconv.Atoi(string(piddata)); err == nil {
 			if process, err := os.FindProcess(pid); err == nil {
 				if err := process.Signal(syscall.Signal(0)); err == nil {
@@ -507,5 +510,5 @@ func checkPIDFile() error {
 		}
 	}

-	return ioutil.WriteFile(pidFile, []byte(fmt.Sprintf("%d", os.Getpid())), 0o664)
+	return os.WriteFile(pidFile, []byte(fmt.Sprintf("%d", os.Getpid())), 0o664)
 }
--- a/encryption/letsencrypt.go
+++ b/encryption/letsencrypt.go
@@ -8,17 +8,17 @@ import (
 )

 // CreateCertManager wraps common logic of generating Let's encrypt certificate.
-func CreateCertManager(datadir string, letsencryptDomain string) *autocert.Manager {
+func CreateCertManager(datadir string, letsencryptDomain string) (*autocert.Manager, error) {
 	certDir := filepath.Join(datadir, "letsencrypt")

 	if _, err := os.Stat(certDir); os.IsNotExist(err) {
 		err = os.MkdirAll(certDir, os.ModeDir)
 		if err != nil {
-			log.Fatalf("failed creating Let's encrypt certdir: %s: %v", certDir, err)
+			return nil, err
 		}
 	}

-	log.Infof("running with Let's encrypt with domain %s. Cert will be stored in %s", letsencryptDomain, certDir)
+	log.Infof("running with LetsEncrypt (%s). Cert will be stored in %s", letsencryptDomain, certDir)

 	certManager := &autocert.Manager{
 		Prompt:     autocert.AcceptTOS,
@@ -26,5 +26,5 @@ func CreateCertManager(datadir string, letsencryptDomain string) *autocert.Manag
 		HostPolicy: autocert.HostWhitelist(letsencryptDomain),
 	}

-	return certManager
+	return certManager, nil
 }
--- a/go.mod
+++ b/go.mod
@@ -30,15 +30,23 @@ require (
 require (
 	fyne.io/fyne/v2 v2.1.4
 	github.com/c-robinson/iplib v1.0.3
+	github.com/coreos/go-iptables v0.6.0
 	github.com/creack/pty v1.1.18
 	github.com/eko/gocache/v2 v2.3.1
 	github.com/getlantern/systray v1.2.1
 	github.com/gliderlabs/ssh v0.3.4
+	github.com/google/nftables v0.0.0-20220808154552-2eca00135732
+	github.com/libp2p/go-netroute v0.2.0
 	github.com/magiconair/properties v1.8.5
 	github.com/patrickmn/go-cache v2.1.0+incompatible
+	github.com/pion/logging v0.2.2
+	github.com/pion/stun v0.3.5
+	github.com/pion/transport v0.13.0
 	github.com/rs/xid v1.3.0
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	github.com/stretchr/testify v1.7.1
+	go.uber.org/zap v1.17.0
+	golang.org/x/net v0.0.0-20220513224357-95641704303c
 	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
 )

@@ -66,6 +74,7 @@ require (
 	github.com/godbus/dbus/v5 v5.0.4 // indirect
 	github.com/goki/freetype v0.0.0-20181231101311-fa8a33aabaff // indirect
 	github.com/google/go-cmp v0.5.7 // indirect
+	github.com/google/gopacket v1.1.19 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/josharian/native v0.0.0-20200817173448-b6b71def0850 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
@@ -76,11 +85,8 @@ require (
 	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
 	github.com/pegasus-kv/thrift v0.13.0 // indirect
 	github.com/pion/dtls/v2 v2.1.2 // indirect
-	github.com/pion/logging v0.2.2 // indirect
 	github.com/pion/mdns v0.0.5 // indirect
 	github.com/pion/randutil v0.1.0 // indirect
-	github.com/pion/stun v0.3.5 // indirect
-	github.com/pion/transport v0.13.0 // indirect
 	github.com/pion/turn/v2 v2.0.7 // indirect
 	github.com/pion/udp v0.1.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -94,9 +100,10 @@ require (
 	github.com/srwiley/rasterx v0.0.0-20200120212402-85cb7272f5e9 // indirect
 	github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect
 	github.com/yuin/goldmark v1.4.1 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
 	golang.org/x/image v0.0.0-20200430140353-33d19683fad8 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
-	golang.org/x/net v0.0.0-20220513224357-95641704303c // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 	golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 // indirect
 	golang.org/x/tools v0.1.10 // indirect
@@ -114,3 +121,5 @@ require (
 )

 replace github.com/pion/ice/v2 => github.com/wiretrustee/ice/v2 v2.1.21-0.20220218121004-dc81faead4bb
+
+replace github.com/kardianos/service => github.com/netbirdio/service v0.0.0-20220905002524-6ac14ad5ea84
--- a/go.sum
+++ b/go.sum
@@ -115,6 +115,8 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/coocood/freecache v1.2.1 h1:/v1CqMq45NFH9mp/Pt142reundeBM0dVUD3osQBeu/U=
+github.com/coreos/go-iptables v0.6.0 h1:is9qnZMPYjLd8LYqmm/qlE+wwEgJIkTYdhV3rfZo4jk=
+github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
@@ -283,10 +285,14 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
+github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
+github.com/google/nftables v0.0.0-20220808154552-2eca00135732 h1:csc7dT82JiSLvq4aMyQMIQDL7986NH6Wxf/QrvOj55A=
+github.com/google/nftables v0.0.0-20220808154552-2eca00135732/go.mod h1:b97ulCCFipUC+kSin+zygkvUVpx0vyIAwxXFdY3PlNc=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
@@ -383,8 +389,6 @@ github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/X
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7 h1:oohm9Rk9JAxxmp2NLZa7Kebgz9h4+AJDcc64txg3dQ0=
-github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
@@ -401,6 +405,8 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw=
+github.com/libp2p/go-netroute v0.2.0 h1:0FpsbsvuSnAhXFnCY0VLFbJOzaK0VnP0r1QT/o4nWRE=
+github.com/libp2p/go-netroute v0.2.0/go.mod h1:Vio7LTzZ+6hoT4CMZi5/6CpY3Snzh2vgZhWgxMNwlQI=
 github.com/lucor/goinfo v0.0.0-20210802170112-c078a2b0f08b/go.mod h1:PRq09yoB+Q2OJReAmwzKivcYyremnibWGbK7WfftHzc=
 github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w=
 github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls=
@@ -466,6 +472,8 @@ github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8m
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/netbirdio/service v0.0.0-20220905002524-6ac14ad5ea84 h1:u8kpzR9ld1uAeH/BAXsS0SfcnhooLWeO7UgHSBVPD9I=
+github.com/netbirdio/service v0.0.0-20220905002524-6ac14ad5ea84/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
@@ -638,8 +646,11 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/zap v1.17.0 h1:MTjgFu6ZLKvY6Pvaqk97GlxNBuMpV4Hy/3P6tRGlI2U=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -748,6 +759,7 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
+golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -870,6 +882,7 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210426080607-c94f62235c83/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
--- a/iface/bind.go
+++ b/iface/bind.go
@@ -0,0 +1,185 @@
+package iface
+
+import (
+	"errors"
+	"fmt"
+	"github.com/pion/stun"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/conn"
+	"net"
+	"net/netip"
+	"sync"
+	"syscall"
+)
+
+type ICEBind struct {
+	sharedConn net.PacketConn
+	udpMux     *UniversalUDPMuxDefault
+	iceHostMux *UDPMuxDefault
+
+	mu sync.Mutex // protects following fields
+}
+
+func (b *ICEBind) GetICEMux() (UniversalUDPMux, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.udpMux == nil {
+		return nil, fmt.Errorf("ICEBind has not been initialized yet")
+	}
+
+	return b.udpMux, nil
+}
+
+func (b *ICEBind) GetICEHostMux() (UDPMux, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.iceHostMux == nil {
+		return nil, fmt.Errorf("ICEBind has not been initialized yet")
+	}
+
+	return b.iceHostMux, nil
+}
+
+func (b *ICEBind) Open(uport uint16) ([]conn.ReceiveFunc, uint16, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	if b.sharedConn != nil {
+		return nil, 0, conn.ErrBindAlreadyOpen
+	}
+
+	port := int(uport)
+	ipv4Conn, port, err := listenNet("udp4", port)
+	if err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return nil, 0, err
+	}
+	b.sharedConn = ipv4Conn
+	b.udpMux = NewUniversalUDPMuxDefault(UniversalUDPMuxParams{UDPConn: b.sharedConn})
+
+	portAddr1, err := netip.ParseAddrPort(ipv4Conn.LocalAddr().String())
+	if err != nil {
+		return nil, 0, err
+	}
+
+	log.Infof("opened ICEBind on %s", ipv4Conn.LocalAddr().String())
+
+	return []conn.ReceiveFunc{
+			b.makeReceiveIPv4(b.sharedConn),
+		},
+		portAddr1.Port(), nil
+}
+
+func listenNet(network string, port int) (*net.UDPConn, int, error) {
+	conn, err := net.ListenUDP(network, &net.UDPAddr{Port: port})
+	if err != nil {
+		return nil, 0, err
+	}
+
+	// Retrieve port.
+	laddr := conn.LocalAddr()
+	uaddr, err := net.ResolveUDPAddr(
+		laddr.Network(),
+		laddr.String(),
+	)
+	if err != nil {
+		return nil, 0, err
+	}
+	return conn, uaddr.Port, nil
+}
+
+func parseSTUNMessage(raw []byte) (*stun.Message, error) {
+	msg := &stun.Message{
+		Raw: append([]byte{}, raw...),
+	}
+	if err := msg.Decode(); err != nil {
+		return nil, err
+	}
+
+	return msg, nil
+}
+
+func (b *ICEBind) makeReceiveIPv4(c net.PacketConn) conn.ReceiveFunc {
+	return func(buff []byte) (int, conn.Endpoint, error) {
+		n, endpoint, err := c.ReadFrom(buff)
+		if err != nil {
+			return 0, nil, err
+		}
+		e, err := netip.ParseAddrPort(endpoint.String())
+		if err != nil {
+			return 0, nil, err
+		}
+		if !stun.IsMessage(buff[:20]) {
+			// WireGuard traffic
+			return n, (*conn.StdNetEndpoint)(&net.UDPAddr{
+				IP:   e.Addr().AsSlice(),
+				Port: int(e.Port()),
+				Zone: e.Addr().Zone(),
+			}), nil
+		}
+
+		msg, err := parseSTUNMessage(buff[:n])
+		if err != nil {
+			return 0, nil, err
+		}
+
+		err = b.udpMux.HandleSTUNMessage(msg, endpoint)
+		if err != nil {
+			return 0, nil, err
+		}
+		if err != nil {
+			log.Warnf("failed to handle packet")
+		}
+
+		// discard packets because they are STUN related
+		return 0, nil, nil //todo proper return
+	}
+}
+
+func (b *ICEBind) Close() error {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	var err1, err2 error
+	if b.sharedConn != nil {
+		c := b.sharedConn
+		b.sharedConn = nil
+		err1 = c.Close()
+	}
+
+	if b.udpMux != nil {
+		m := b.udpMux
+		b.udpMux = nil
+		err2 = m.Close()
+	}
+
+	if err1 != nil {
+		return err1
+	}
+
+	return err2
+}
+
+// SetMark sets the mark for each packet sent through this Bind.
+// This mark is passed to the kernel as the socket option SO_MARK.
+func (b *ICEBind) SetMark(mark uint32) error {
+	return nil
+}
+
+func (b *ICEBind) Send(buff []byte, endpoint conn.Endpoint) error {
+	nend, ok := endpoint.(*conn.StdNetEndpoint)
+	if !ok {
+		return conn.ErrWrongEndpointType
+	}
+	_, err := b.sharedConn.WriteTo(buff, (*net.UDPAddr)(nend))
+	return err
+}
+
+// ParseEndpoint creates a new endpoint from a string.
+func (b *ICEBind) ParseEndpoint(s string) (ep conn.Endpoint, err error) {
+	e, err := netip.ParseAddrPort(s)
+	return (*conn.StdNetEndpoint)(&net.UDPAddr{
+		IP:   e.Addr().AsSlice(),
+		Port: int(e.Port()),
+		Zone: e.Addr().Zone(),
+	}), err
+}
--- a/iface/configuration.go
+++ b/iface/configuration.go
@@ -9,6 +9,16 @@ import (
 	"time"
 )

+// GetName returns the interface name
+func (w *WGIface) GetName() string {
+	return w.Name
+}
+
+// GetAddress returns the interface address
+func (w *WGIface) GetAddress() WGAddress {
+	return w.Address
+}
+
 // configureDevice configures the wireguard device
 func (w *WGIface) configureDevice(config wgtypes.Config) error {
 	wg, err := wgctrl.New()
@@ -45,7 +55,6 @@ func (w *WGIface) Configure(privateKey string, port int) error {
 		PrivateKey:   &key,
 		ReplacePeers: true,
 		FirewallMark: &fwmark,
-		ListenPort:   &port,
 	}

 	err = w.configureDevice(config)
@@ -112,6 +121,114 @@ func (w *WGIface) UpdatePeer(peerKey string, allowedIps string, keepAlive time.D
 	return nil
 }

+// AddAllowedIP adds a prefix to the allowed IPs list of peer
+func (w *WGIface) AddAllowedIP(peerKey string, allowedIP string) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	log.Debugf("adding allowed IP to interface %s and peer %s: allowed IP %s ", w.Name, peerKey, allowedIP)
+
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return err
+	}
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+	peer := wgtypes.PeerConfig{
+		PublicKey:         peerKeyParsed,
+		UpdateOnly:        true,
+		ReplaceAllowedIPs: false,
+		AllowedIPs:        []net.IPNet{*ipNet},
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf("received error \"%v\" while adding allowed Ip to peer on interface %s with settings: allowed ips %s", err, w.Name, allowedIP)
+	}
+	return nil
+}
+
+// RemoveAllowedIP removes a prefix from the allowed IPs list of peer
+func (w *WGIface) RemoveAllowedIP(peerKey string, allowedIP string) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	log.Debugf("removing allowed IP from interface %s and peer %s: allowed IP %s ", w.Name, peerKey, allowedIP)
+
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return err
+	}
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+
+	existingPeer, err := getPeer(w.Name, peerKey)
+	if err != nil {
+		return err
+	}
+
+	newAllowedIPs := existingPeer.AllowedIPs
+
+	for i, existingAllowedIP := range existingPeer.AllowedIPs {
+		if existingAllowedIP.String() == ipNet.String() {
+			newAllowedIPs = append(existingPeer.AllowedIPs[:i], existingPeer.AllowedIPs[i+1:]...)
+			break
+		}
+	}
+
+	if err != nil {
+		return err
+	}
+	peer := wgtypes.PeerConfig{
+		PublicKey:         peerKeyParsed,
+		UpdateOnly:        true,
+		ReplaceAllowedIPs: true,
+		AllowedIPs:        newAllowedIPs,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf("received error \"%v\" while removing allowed IP from peer on interface %s with settings: allowed ips %s", err, w.Name, allowedIP)
+	}
+	return nil
+}
+
+func getPeer(ifaceName, peerPubKey string) (wgtypes.Peer, error) {
+	wg, err := wgctrl.New()
+	if err != nil {
+		return wgtypes.Peer{}, err
+	}
+	defer func() {
+		err = wg.Close()
+		if err != nil {
+			log.Errorf("got error while closing wgctl: %v", err)
+		}
+	}()
+
+	wgDevice, err := wg.Device(ifaceName)
+	if err != nil {
+		return wgtypes.Peer{}, err
+	}
+	for _, peer := range wgDevice.Peers {
+		if peer.PublicKey.String() == peerPubKey {
+			return peer, nil
+		}
+	}
+	return wgtypes.Peer{}, fmt.Errorf("peer not found")
+}
+
 // RemovePeer removes a Wireguard Peer from the interface iface
 func (w *WGIface) RemovePeer(peerKey string) error {
 	w.mu.Lock()
--- a/iface/iface.go
+++ b/iface/iface.go
@@ -2,6 +2,10 @@ package iface

 import (
 	"fmt"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
 	"net"
 	"os"
 	"runtime"
@@ -21,6 +25,7 @@ type WGIface struct {
 	Address   WGAddress
 	Interface NetInterface
 	mu        sync.Mutex
+	Bind      *ICEBind
 }

 // WGAddress Wireguard parsed address
@@ -91,3 +96,49 @@ func (w *WGIface) Close() error {

 	return nil
 }
+
+func (w *WGIface) CreateNew(bind conn.Bind) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	return w.createWithUserspaceNew(bind)
+}
+
+func (w *WGIface) createWithUserspaceNew(bind conn.Bind) error {
+	tunIface, err := tun.CreateTUN(w.Name, w.MTU)
+	if err != nil {
+		return err
+	}
+
+	w.Interface = tunIface
+
+	// We need to create a wireguard-go device and listen to configuration requests
+	tunDevice := device.NewDevice(tunIface, bind, device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
+	err = tunDevice.Up()
+	if err != nil {
+		return err
+	}
+	uapi, err := getUAPI(w.Name)
+	if err != nil {
+		return err
+	}
+
+	go func() {
+		for {
+			uapiConn, uapiErr := uapi.Accept()
+			if uapiErr != nil {
+				log.Traceln("uapi Accept failed with error: ", uapiErr)
+				continue
+			}
+			go tunDevice.IpcHandle(uapiConn)
+		}
+	}()
+
+	log.Debugln("UAPI listener started")
+
+	err = w.assignAddr()
+	if err != nil {
+		return err
+	}
+	return nil
+}
--- a/iface/iface_darwin.go
+++ b/iface/iface_darwin.go
@@ -33,3 +33,8 @@ func (w *WGIface) assignAddr() error {

 	return nil
 }
+
+// WireguardModExists check if we can load wireguard mod (linux only)
+func WireguardModExists() bool {
+	return false
+}
--- a/iface/iface_linux.go
+++ b/iface/iface_linux.go
@@ -14,6 +14,7 @@ type NativeLink struct {
 	Link *netlink.Link
 }

+// WireguardModExists check if we can load wireguard mod (linux only)
 func WireguardModExists() bool {
 	link := newWGLink("mustnotexist")

@@ -38,13 +39,7 @@ func (w *WGIface) Create() error {
 	w.mu.Lock()
 	defer w.mu.Unlock()

-	if WireguardModExists() {
-		log.Info("using kernel WireGuard")
-		return w.createWithKernel()
-	} else {
-		log.Info("using userspace WireGuard")
-		return w.createWithUserspace()
-	}
+	return w.createWithUserspace()
 }

 // createWithKernel Creates a new Wireguard interface using kernel Wireguard module.
--- a/iface/iface_test.go
+++ b/iface/iface_test.go
@@ -229,7 +229,7 @@ func Test_UpdatePeer(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	peer, err := getPeer(ifaceName, peerPubKey, t)
+	peer, err := getPeer(ifaceName, peerPubKey)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -289,7 +289,7 @@ func Test_RemovePeer(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, err = getPeer(ifaceName, peerPubKey, t)
+	_, err = getPeer(ifaceName, peerPubKey)
 	if err.Error() != "peer not found" {
 		t.Fatal(err)
 	}
@@ -378,7 +378,7 @@ func Test_ConnectPeers(t *testing.T) {
 			t.Fatalf("waiting for peer handshake timeout after %s", timeout.String())
 		default:
 		}
-		peer, gpErr := getPeer(peer1ifaceName, peer2Key.PublicKey().String(), t)
+		peer, gpErr := getPeer(peer1ifaceName, peer2Key.PublicKey().String())
 		if gpErr != nil {
 			t.Fatal(gpErr)
 		}
@@ -389,28 +389,3 @@ func Test_ConnectPeers(t *testing.T) {
 	}

 }
-
-func getPeer(ifaceName, peerPubKey string, t *testing.T) (wgtypes.Peer, error) {
-	emptyPeer := wgtypes.Peer{}
-	wg, err := wgctrl.New()
-	if err != nil {
-		return emptyPeer, err
-	}
-	defer func() {
-		err = wg.Close()
-		if err != nil {
-			t.Error(err)
-		}
-	}()
-
-	wgDevice, err := wg.Device(ifaceName)
-	if err != nil {
-		return emptyPeer, err
-	}
-	for _, peer := range wgDevice.Peers {
-		if peer.PublicKey.String() == peerPubKey {
-			return peer, nil
-		}
-	}
-	return emptyPeer, fmt.Errorf("peer not found")
-}
--- a/iface/iface_windows.go
+++ b/iface/iface_windows.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/ipc"
 	"golang.zx2c4.com/wireguard/windows/driver"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"net"
@@ -57,3 +58,13 @@ func (w *WGIface) UpdateAddr(newAddr string) error {
 	w.Address = addr
 	return w.assignAddr(luid)
 }
+
+// WireguardModExists check if we can load wireguard mod (linux only)
+func WireguardModExists() bool {
+	return false
+}
+
+// getUAPI returns a Listener
+func getUAPI(iface string) (net.Listener, error) {
+	return ipc.UAPIListen(iface)
+}
--- a/iface/udp_mux.go
+++ b/iface/udp_mux.go
@@ -0,0 +1,288 @@
+package iface
+
+import (
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"io"
+	"net"
+	"strings"
+	"sync"
+
+	"github.com/pion/logging"
+	"github.com/pion/stun"
+)
+
+const receiveMTU = 8192
+
+// UDPMux allows multiple connections to go over a single UDP port
+type UDPMux interface {
+	io.Closer
+	GetConn(ufrag string) (net.PacketConn, error)
+	RemoveConnByUfrag(ufrag string)
+}
+
+// UDPMuxDefault is an implementation of the interface
+type UDPMuxDefault struct {
+	params UDPMuxParams
+
+	closedChan chan struct{}
+	closeOnce  sync.Once
+
+	// conns is a map of all udpMuxedConn indexed by ufrag|network|candidateType
+	conns map[string]*udpMuxedConn
+
+	addressMapMu sync.RWMutex
+	addressMap   map[string][]*udpMuxedConn
+
+	// buffer pool to recycle buffers for net.UDPAddr encodes/decodes
+	pool *sync.Pool
+
+	mu sync.Mutex
+}
+
+const maxAddrSize = 512
+
+// UDPMuxParams are parameters for UDPMux.
+type UDPMuxParams struct {
+	Logger  logging.LeveledLogger
+	UDPConn net.PacketConn
+}
+
+// NewUDPMuxDefault creates an implementation of UDPMux
+func NewUDPMuxDefault(params UDPMuxParams) *UDPMuxDefault {
+	if params.Logger == nil {
+		params.Logger = logging.NewDefaultLoggerFactory().NewLogger("ice")
+	}
+
+	return &UDPMuxDefault{
+		addressMap: map[string][]*udpMuxedConn{},
+		params:     params,
+		conns:      make(map[string]*udpMuxedConn),
+		closedChan: make(chan struct{}, 1),
+		pool: &sync.Pool{
+			New: func() interface{} {
+				// big enough buffer to fit both packet and address
+				return newBufferHolder(receiveMTU + maxAddrSize)
+			},
+		},
+	}
+}
+
+func (m *UDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.Addr) error {
+
+	remoteAddr, ok := addr.(*net.UDPAddr)
+	if !ok {
+		return fmt.Errorf("underlying PacketConn did not return a UDPAddr")
+	}
+
+	// If we have already seen this address dispatch to the appropriate destination
+	// If you are using the same socket for the Host and SRFLX candidates, it might be that there are more than one
+	// muxed connection - one for the SRFLX candidate and the other one for the HOST one.
+	// We will then forward STUN packets to each of these connections.
+	m.addressMapMu.Lock()
+	var destinationConnList []*udpMuxedConn
+	if storedConns, ok := m.addressMap[addr.String()]; ok {
+		for _, conn := range storedConns {
+			destinationConnList = append(destinationConnList, conn)
+		}
+	}
+	m.addressMapMu.Unlock()
+
+	// This block is needed to discover Peer Reflexive Candidates for which we don't know the Endpoint upfront.
+	// However, we can take a username attribute from the STUN message which contains ufrag.
+	// We can use ufrag to identify the destination conn to route packet to.
+	attr, stunAttrErr := msg.Get(stun.AttrUsername)
+	if stunAttrErr == nil {
+		ufrag := strings.Split(string(attr), ":")[0]
+
+		m.mu.Lock()
+		if destinationConn, ok := m.conns[ufrag]; ok {
+			exists := false
+			for _, conn := range destinationConnList {
+				if conn.params.Key == destinationConn.params.Key {
+					exists = true
+					break
+				}
+			}
+			if !exists {
+				destinationConnList = append(destinationConnList, destinationConn)
+			}
+		}
+		m.mu.Unlock()
+	}
+
+	// Forward STUN packets to each destination connections even thought the STUN packet might not belong there.
+	// It will be discarded by the further ICE candidate logic if so.
+	for _, conn := range destinationConnList {
+		if err := conn.writePacket(msg.Raw, remoteAddr); err != nil {
+			log.Errorf("could not write packet: %v", err)
+		}
+	}
+
+	return nil
+}
+
+// LocalAddr returns the listening address of this UDPMuxDefault
+func (m *UDPMuxDefault) LocalAddr() net.Addr {
+	return m.params.UDPConn.LocalAddr()
+}
+
+// GetConn returns a PacketConn given the connection's ufrag and network
+// creates the connection if an existing one can't be found
+func (m *UDPMuxDefault) GetConn(ufrag string) (net.PacketConn, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	log.Debugf("ICE: getting muxed connection for %s", ufrag)
+
+	if m.IsClosed() {
+		return nil, io.ErrClosedPipe
+	}
+
+	if c, ok := m.conns[ufrag]; ok {
+		return c, nil
+	}
+
+	c := m.createMuxedConn(ufrag)
+	go func() {
+		<-c.CloseChannel()
+		m.removeConn(ufrag)
+	}()
+	m.conns[ufrag] = c
+	return c, nil
+}
+
+// RemoveConnByUfrag stops and removes the muxed packet connection
+func (m *UDPMuxDefault) RemoveConnByUfrag(ufrag string) {
+	m.mu.Lock()
+	removedConns := make([]*udpMuxedConn, 0)
+	for key := range m.conns {
+		if key != ufrag {
+			continue
+		}
+
+		c := m.conns[key]
+		delete(m.conns, key)
+		if c != nil {
+			removedConns = append(removedConns, c)
+		}
+	}
+	// keep lock section small to avoid deadlock with conn lock
+	m.mu.Unlock()
+
+	m.addressMapMu.Lock()
+	defer m.addressMapMu.Unlock()
+
+	for _, c := range removedConns {
+		addresses := c.getAddresses()
+		for _, addr := range addresses {
+			if connList, ok := m.addressMap[addr]; ok {
+				var newList []*udpMuxedConn
+				for _, conn := range connList {
+					if conn.params.Key != ufrag {
+						newList = append(newList, conn)
+					}
+				}
+				m.addressMap[addr] = newList
+			}
+		}
+	}
+}
+
+// IsClosed returns true if the mux had been closed
+func (m *UDPMuxDefault) IsClosed() bool {
+	select {
+	case <-m.closedChan:
+		return true
+	default:
+		return false
+	}
+}
+
+// Close the mux, no further connections could be created
+func (m *UDPMuxDefault) Close() error {
+	var err error
+	m.closeOnce.Do(func() {
+		m.mu.Lock()
+		defer m.mu.Unlock()
+
+		for _, c := range m.conns {
+			_ = c.Close()
+		}
+		m.conns = make(map[string]*udpMuxedConn)
+		close(m.closedChan)
+	})
+	return err
+}
+
+func (m *UDPMuxDefault) removeConn(key string) {
+	m.mu.Lock()
+	c := m.conns[key]
+	delete(m.conns, key)
+	// keep lock section small to avoid deadlock with conn lock
+	m.mu.Unlock()
+
+	if c == nil {
+		return
+	}
+
+	m.addressMapMu.Lock()
+	defer m.addressMapMu.Unlock()
+
+	addresses := c.getAddresses()
+	for _, addr := range addresses {
+		if connList, ok := m.addressMap[addr]; ok {
+			var newList []*udpMuxedConn
+			for _, conn := range connList {
+				if conn.params.Key != key {
+					newList = append(newList, conn)
+				}
+			}
+			m.addressMap[addr] = newList
+		}
+	}
+}
+
+func (m *UDPMuxDefault) writeTo(buf []byte, raddr net.Addr) (n int, err error) {
+	return m.params.UDPConn.WriteTo(buf, raddr)
+}
+
+func (m *UDPMuxDefault) registerConnForAddress(conn *udpMuxedConn, addr string) {
+	if m.IsClosed() {
+		return
+	}
+
+	m.addressMapMu.Lock()
+	defer m.addressMapMu.Unlock()
+
+	existing, ok := m.addressMap[addr]
+	if !ok {
+		existing = []*udpMuxedConn{}
+	}
+	existing = append(existing, conn)
+	m.addressMap[addr] = existing
+
+	log.Debugf("ICE: registered %s for %s", addr, conn.params.Key)
+}
+
+func (m *UDPMuxDefault) createMuxedConn(key string) *udpMuxedConn {
+	c := newUDPMuxedConn(&udpMuxedConnParams{
+		Mux:       m,
+		Key:       key,
+		AddrPool:  m.pool,
+		LocalAddr: m.LocalAddr(),
+		Logger:    m.params.Logger,
+	})
+	log.Debugf("ICE: created muxed connection %s for %s", c.LocalAddr().String(), key)
+	return c
+}
+
+type bufferHolder struct {
+	buffer []byte
+}
+
+func newBufferHolder(size int) *bufferHolder {
+	return &bufferHolder{
+		buffer: make([]byte, size),
+	}
+}
--- a/iface/udp_mux_universal.go
+++ b/iface/udp_mux_universal.go
@@ -0,0 +1,235 @@
+package iface
+
+import (
+	"errors"
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"net"
+	"time"
+
+	"github.com/pion/logging"
+	"github.com/pion/stun"
+)
+
+// UniversalUDPMux allows multiple connections to go over a single UDP port for
+// host, server reflexive and relayed candidates.
+// Actual connection muxing is happening in the UDPMux.
+type UniversalUDPMux interface {
+	UDPMux
+	GetXORMappedAddr(stunAddr net.Addr, deadline time.Duration) (*stun.XORMappedAddress, error)
+	GetRelayedAddr(turnAddr net.Addr, deadline time.Duration) (*net.Addr, error)
+	GetConnForURL(ufrag string, url string) (net.PacketConn, error)
+}
+
+// UniversalUDPMuxDefault handles STUN and TURN servers packets by wrapping the original UDPConn overriding ReadFrom.
+// It the passes packets to the UDPMux that does the actual connection muxing.
+type UniversalUDPMuxDefault struct {
+	*UDPMuxDefault
+	params UniversalUDPMuxParams
+
+	// since we have a shared socket, for srflx candidates it makes sense to have a shared mapped address across all the agents
+	// stun.XORMappedAddress indexed by the STUN server addr
+	xorMappedMap map[string]*xorMapped
+}
+
+// UniversalUDPMuxParams are parameters for UniversalUDPMux server reflexive.
+type UniversalUDPMuxParams struct {
+	Logger                logging.LeveledLogger
+	UDPConn               net.PacketConn
+	XORMappedAddrCacheTTL time.Duration
+}
+
+// NewUniversalUDPMuxDefault creates an implementation of UniversalUDPMux embedding UDPMux
+func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDefault {
+	if params.Logger == nil {
+		params.Logger = logging.NewDefaultLoggerFactory().NewLogger("ice")
+	}
+	if params.XORMappedAddrCacheTTL == 0 {
+		params.XORMappedAddrCacheTTL = time.Second * 25
+	}
+
+	m := &UniversalUDPMuxDefault{
+		params:       params,
+		xorMappedMap: make(map[string]*xorMapped),
+	}
+
+	// embed UDPMux
+	udpMuxParams := UDPMuxParams{
+		Logger:  params.Logger,
+		UDPConn: m.params.UDPConn,
+	}
+	m.UDPMuxDefault = NewUDPMuxDefault(udpMuxParams)
+
+	return m
+}
+
+// GetRelayedAddr creates relayed connection to the given TURN service and returns the relayed addr.
+// Not implemented yet.
+func (m *UniversalUDPMuxDefault) GetRelayedAddr(turnAddr net.Addr, deadline time.Duration) (*net.Addr, error) {
+	return nil, errors.New("not implemented yet")
+}
+
+// GetConnForURL add uniques to the muxed connection by concatenating ufrag and URL (e.g. STUN URL) to be able to support multiple STUN/TURN servers
+// and return a unique connection per server.
+func (m *UniversalUDPMuxDefault) GetConnForURL(ufrag string, url string) (net.PacketConn, error) {
+	return m.UDPMuxDefault.GetConn(fmt.Sprintf("%s%s", ufrag, url))
+}
+
+func (m *UniversalUDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.Addr) error {
+
+	udpAddr, ok := addr.(*net.UDPAddr)
+	if !ok {
+		// message about this err will be logged in the UDPMux
+		return nil
+	}
+
+	if m.isXORMappedResponse(msg, udpAddr.String()) {
+		err := m.handleXORMappedResponse(udpAddr, msg)
+		if err != nil {
+			log.Debugf("%w: %v", errors.New("failed to get XOR-MAPPED-ADDRESS response"), err)
+			return nil
+		}
+		return nil
+	}
+	return m.UDPMuxDefault.HandleSTUNMessage(msg, addr)
+}
+
+// isXORMappedResponse indicates whether the message is a XORMappedAddress and is coming from the known STUN server.
+func (m *UniversalUDPMuxDefault) isXORMappedResponse(msg *stun.Message, stunAddr string) bool {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	// check first if it is a STUN server address because remote peer can also send similar messages but as a BindingSuccess
+	_, ok := m.xorMappedMap[stunAddr]
+	_, err := msg.Get(stun.AttrXORMappedAddress)
+	return err == nil && ok
+}
+
+// handleXORMappedResponse parses response from the STUN server, extracts XORMappedAddress attribute
+// and set the mapped address for the server
+func (m *UniversalUDPMuxDefault) handleXORMappedResponse(stunAddr *net.UDPAddr, msg *stun.Message) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	mappedAddr, ok := m.xorMappedMap[stunAddr.String()]
+	if !ok {
+		return errors.New("no address mapping")
+	}
+
+	var addr stun.XORMappedAddress
+	if err := addr.GetFrom(msg); err != nil {
+		return err
+	}
+
+	m.xorMappedMap[stunAddr.String()] = mappedAddr
+	mappedAddr.SetAddr(&addr)
+
+	return nil
+}
+
+// GetXORMappedAddr returns *stun.XORMappedAddress if already present for a given STUN server.
+// Makes a STUN binding request to discover mapped address otherwise.
+// Blocks until the stun.XORMappedAddress has been discovered or deadline.
+// Method is safe for concurrent use.
+func (m *UniversalUDPMuxDefault) GetXORMappedAddr(serverAddr net.Addr, deadline time.Duration) (*stun.XORMappedAddress, error) {
+	m.mu.Lock()
+	mappedAddr, ok := m.xorMappedMap[serverAddr.String()]
+	// if we already have a mapping for this STUN server (address already received)
+	// and if it is not too old we return it without making a new request to STUN server
+	if ok {
+		if mappedAddr.expired() {
+			mappedAddr.closeWaiters()
+			delete(m.xorMappedMap, serverAddr.String())
+			ok = false
+		} else if mappedAddr.pending() {
+			ok = false
+		}
+	}
+	m.mu.Unlock()
+	if ok {
+		return mappedAddr.addr, nil
+	}
+
+	// otherwise, make a STUN request to discover the address
+	// or wait for already sent request to complete
+	waitAddrReceived, err := m.sendStun(serverAddr)
+	if err != nil {
+		return nil, errors.New("failed to send STUN packet")
+	}
+
+	// block until response was handled by the connWorker routine and XORMappedAddress was updated
+	select {
+	case <-waitAddrReceived:
+		// when channel closed, addr was obtained
+		m.mu.Lock()
+		mappedAddr := *m.xorMappedMap[serverAddr.String()]
+		m.mu.Unlock()
+		if mappedAddr.addr == nil {
+			return nil, errors.New("no address mapping")
+		}
+		return mappedAddr.addr, nil
+	case <-time.After(deadline):
+		return nil, errors.New("timeout while waiting for XORMappedAddr")
+	}
+}
+
+// sendStun sends a STUN request via UDP conn.
+//
+// The returned channel is closed when the STUN response has been received.
+// Method is safe for concurrent use.
+func (m *UniversalUDPMuxDefault) sendStun(serverAddr net.Addr) (chan struct{}, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	// if record present in the map, we already sent a STUN request,
+	// just wait when waitAddrReceived will be closed
+	addrMap, ok := m.xorMappedMap[serverAddr.String()]
+	if !ok {
+		addrMap = &xorMapped{
+			expiresAt:        time.Now().Add(m.params.XORMappedAddrCacheTTL),
+			waitAddrReceived: make(chan struct{}),
+		}
+		m.xorMappedMap[serverAddr.String()] = addrMap
+	}
+
+	req, err := stun.Build(stun.BindingRequest, stun.TransactionID)
+	if err != nil {
+		return nil, err
+	}
+
+	if _, err = m.params.UDPConn.WriteTo(req.Raw, serverAddr); err != nil {
+		return nil, err
+	}
+
+	return addrMap.waitAddrReceived, nil
+}
+
+type xorMapped struct {
+	addr             *stun.XORMappedAddress
+	waitAddrReceived chan struct{}
+	expiresAt        time.Time
+}
+
+func (a *xorMapped) closeWaiters() {
+	select {
+	case <-a.waitAddrReceived:
+		// notify was close, ok, that means we received duplicate response
+		// just exit
+		break
+	default:
+		// notify tha twe have a new addr
+		close(a.waitAddrReceived)
+	}
+}
+
+func (a *xorMapped) pending() bool {
+	return a.addr == nil
+}
+
+func (a *xorMapped) expired() bool {
+	return a.expiresAt.Before(time.Now())
+}
+
+func (a *xorMapped) SetAddr(addr *stun.XORMappedAddress) {
+	a.addr = addr
+	a.closeWaiters()
+}
--- a/iface/udp_muxed_conn.go
+++ b/iface/udp_muxed_conn.go
@@ -0,0 +1,246 @@
+package iface
+
+import (
+	"encoding/binary"
+	"io"
+	"net"
+	"sync"
+	"time"
+
+	"github.com/pion/logging"
+	"github.com/pion/transport/packetio"
+)
+
+type udpMuxedConnParams struct {
+	Mux       *UDPMuxDefault
+	AddrPool  *sync.Pool
+	Key       string
+	LocalAddr net.Addr
+	Logger    logging.LeveledLogger
+}
+
+// udpMuxedConn represents a logical packet conn for a single remote as identified by ufrag
+type udpMuxedConn struct {
+	params *udpMuxedConnParams
+	// remote addresses that we have sent to on this conn
+	addresses []string
+
+	// channel holding incoming packets
+	buffer     *packetio.Buffer
+	closedChan chan struct{}
+	closeOnce  sync.Once
+	mu         sync.Mutex
+}
+
+func newUDPMuxedConn(params *udpMuxedConnParams) *udpMuxedConn {
+	p := &udpMuxedConn{
+		params:     params,
+		buffer:     packetio.NewBuffer(),
+		closedChan: make(chan struct{}),
+	}
+
+	return p
+}
+
+func (c *udpMuxedConn) ReadFrom(b []byte) (n int, raddr net.Addr, err error) {
+	buf := c.params.AddrPool.Get().(*bufferHolder)
+	defer c.params.AddrPool.Put(buf)
+
+	// read address
+	total, err := c.buffer.Read(buf.buffer)
+	if err != nil {
+		return 0, nil, err
+	}
+
+	dataLen := int(binary.LittleEndian.Uint16(buf.buffer[:2]))
+	if dataLen > total || dataLen > len(b) {
+		return 0, nil, io.ErrShortBuffer
+	}
+
+	// read data and then address
+	offset := 2
+	copy(b, buf.buffer[offset:offset+dataLen])
+	offset += dataLen
+
+	// read address len & decode address
+	addrLen := int(binary.LittleEndian.Uint16(buf.buffer[offset : offset+2]))
+	offset += 2
+
+	if raddr, err = decodeUDPAddr(buf.buffer[offset : offset+addrLen]); err != nil {
+		return 0, nil, err
+	}
+
+	return dataLen, raddr, nil
+}
+
+func (c *udpMuxedConn) WriteTo(buf []byte, raddr net.Addr) (n int, err error) {
+	if c.isClosed() {
+		return 0, io.ErrClosedPipe
+	}
+	// each time we write to a new address, we'll register it with the mux
+	addr := raddr.String()
+	if !c.containsAddress(addr) {
+		c.addAddress(addr)
+	}
+
+	return c.params.Mux.writeTo(buf, raddr)
+}
+
+func (c *udpMuxedConn) LocalAddr() net.Addr {
+	return c.params.LocalAddr
+}
+
+func (c *udpMuxedConn) SetDeadline(tm time.Time) error {
+	return nil
+}
+
+func (c *udpMuxedConn) SetReadDeadline(tm time.Time) error {
+	return nil
+}
+
+func (c *udpMuxedConn) SetWriteDeadline(tm time.Time) error {
+	return nil
+}
+
+func (c *udpMuxedConn) CloseChannel() <-chan struct{} {
+	return c.closedChan
+}
+
+func (c *udpMuxedConn) Close() error {
+	var err error
+	c.closeOnce.Do(func() {
+		err = c.buffer.Close()
+		close(c.closedChan)
+	})
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.addresses = nil
+	return err
+}
+
+func (c *udpMuxedConn) isClosed() bool {
+	select {
+	case <-c.closedChan:
+		return true
+	default:
+		return false
+	}
+}
+
+func (c *udpMuxedConn) getAddresses() []string {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	addresses := make([]string, len(c.addresses))
+	copy(addresses, c.addresses)
+	return addresses
+}
+
+func (c *udpMuxedConn) addAddress(addr string) {
+	c.mu.Lock()
+	c.addresses = append(c.addresses, addr)
+	c.mu.Unlock()
+
+	// map it on mux
+	c.params.Mux.registerConnForAddress(c, addr)
+}
+
+func (c *udpMuxedConn) removeAddress(addr string) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	newAddresses := make([]string, 0, len(c.addresses))
+	for _, a := range c.addresses {
+		if a != addr {
+			newAddresses = append(newAddresses, a)
+		}
+	}
+
+	c.addresses = newAddresses
+}
+
+func (c *udpMuxedConn) containsAddress(addr string) bool {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	for _, a := range c.addresses {
+		if addr == a {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *udpMuxedConn) writePacket(data []byte, addr *net.UDPAddr) error {
+	// write two packets, address and data
+	buf := c.params.AddrPool.Get().(*bufferHolder)
+	defer c.params.AddrPool.Put(buf)
+
+	// format of buffer | data len | data bytes | addr len | addr bytes |
+	if len(buf.buffer) < len(data)+maxAddrSize {
+		return io.ErrShortBuffer
+	}
+	// data len
+	binary.LittleEndian.PutUint16(buf.buffer, uint16(len(data)))
+	offset := 2
+
+	// data
+	copy(buf.buffer[offset:], data)
+	offset += len(data)
+
+	// write address first, leaving room for its length
+	n, err := encodeUDPAddr(addr, buf.buffer[offset+2:])
+	if err != nil {
+		return nil
+	}
+	total := offset + n + 2
+
+	// address len
+	binary.LittleEndian.PutUint16(buf.buffer[offset:], uint16(n))
+
+	if _, err := c.buffer.Write(buf.buffer[:total]); err != nil {
+		return err
+	}
+	return nil
+}
+
+func encodeUDPAddr(addr *net.UDPAddr, buf []byte) (int, error) {
+	ipdata, err := addr.IP.MarshalText()
+	if err != nil {
+		return 0, err
+	}
+	total := 2 + len(ipdata) + 2 + len(addr.Zone)
+	if total > len(buf) {
+		return 0, io.ErrShortBuffer
+	}
+
+	binary.LittleEndian.PutUint16(buf, uint16(len(ipdata)))
+	offset := 2
+	n := copy(buf[offset:], ipdata)
+	offset += n
+	binary.LittleEndian.PutUint16(buf[offset:], uint16(addr.Port))
+	offset += 2
+	copy(buf[offset:], addr.Zone)
+	return total, nil
+}
+
+func decodeUDPAddr(buf []byte) (*net.UDPAddr, error) {
+	addr := net.UDPAddr{}
+
+	offset := 0
+	ipLen := int(binary.LittleEndian.Uint16(buf[:2]))
+	offset += 2
+	// basic bounds checking
+	if ipLen+offset > len(buf) {
+		return nil, io.ErrShortBuffer
+	}
+	if err := addr.IP.UnmarshalText(buf[offset : offset+ipLen]); err != nil {
+		return nil, err
+	}
+	offset += ipLen
+	addr.Port = int(binary.LittleEndian.Uint16(buf[offset : offset+2]))
+	offset += 2
+	zone := make([]byte, len(buf[offset:]))
+	copy(zone, buf[offset:])
+	addr.Zone = string(zone)
+
+	return &addr, nil
+}
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@@ -3,13 +3,9 @@
 # Management API

 # Management API port
-NETBIRD_MGMT_API_PORT=33071
-# Management GRPC API port
-NETBIRD_MGMT_GRPC_API_PORT=33073
+NETBIRD_MGMT_API_PORT=33073
 # Management API endpoint address, used by the Dashboard
 NETBIRD_MGMT_API_ENDPOINT=https://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
-# Management GRPC API endpoint address, used by the hosts to register
-NETBIRD_MGMT_GRPC_API_ENDPOINT=https://$NETBIRD_DOMAIN:$NETBIRD_MGMT_GRPC_API_PORT
 # Management Certficate file path. These are generated by the Dashboard container
 NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_DOMAIN/fullchain.pem"
 # Management Certficate key file path.
@@ -31,18 +27,24 @@ MGMT_VOLUMESUFFIX="mgmt"
 SIGNAL_VOLUMESUFFIX="signal"
 LETSENCRYPT_VOLUMESUFFIX="letsencrypt"

+NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
+
 # exports
 export NETBIRD_DOMAIN
-export NETBIRD_AUTH0_DOMAIN
-export NETBIRD_AUTH0_CLIENT_ID
-export NETBIRD_AUTH0_AUDIENCE
+export NETBIRD_AUTH_CLIENT_ID
+export NETBIRD_AUTH_AUDIENCE
+export NETBIRD_AUTH_AUTHORITY
+export NETBIRD_USE_AUTH0
+export NETBIRD_AUTH_SUPPORTED_SCOPES
+export NETBIRD_AUTH_JWT_CERTS
 export NETBIRD_LETSENCRYPT_EMAIL
 export NETBIRD_MGMT_API_PORT
 export NETBIRD_MGMT_API_ENDPOINT
-export NETBIRD_MGMT_GRPC_API_PORT
-export NETBIRD_MGMT_GRPC_API_ENDPOINT
 export NETBIRD_MGMT_API_CERT_FILE
 export NETBIRD_MGMT_API_CERT_KEY_FILE
+export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER
+export NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID
+export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT
 export TURN_USER
 export TURN_PASSWORD
 export TURN_MIN_PORT
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@@ -1,5 +1,21 @@
 #!/bin/bash

+if ! which curl > /dev/null 2>&1
+then
+    echo "This script uses curl fetch OpenID configuration from IDP."
+    echo "Please install curl and re-run the script https://curl.se/"
+    echo ""
+    exit 1
+fi
+
+if ! which jq > /dev/null 2>&1
+then
+    echo "This script uses jq to load OpenID configuration from IDP."
+    echo "Please install jq and re-run the script https://stedolan.github.io/jq/"
+    echo ""
+    exit 1
+fi
+
 source setup.env
 source base.setup.env

@@ -34,7 +50,6 @@ fi
 if [[ $NETBIRD_DOMAIN == "localhost" || $NETBIRD_DOMAIN == "127.0.0.1" ]]
 then
  export NETBIRD_MGMT_API_ENDPOINT=http://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
-  export NETBIRD_MGMT_GRPC_API_ENDPOINT=http://$NETBIRD_DOMAIN:$NETBIRD_MGMT_GRPC_API_PORT
  unset NETBIRD_MGMT_API_CERT_FILE
  unset NETBIRD_MGMT_API_CERT_KEY_FILE
 fi
@@ -64,6 +79,49 @@ export MGMT_VOLUMENAME
 export SIGNAL_VOLUMENAME
 export LETSENCRYPT_VOLUMENAME

+#backwards compatibility after migrating to generic OIDC with Auth0
+if [[ -z "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" ]]; then
+
+    if [[ -z "${NETBIRD_AUTH0_DOMAIN}" ]]; then
+       # not a backward compatible state
+       echo "NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT property must be set in the setup.env file"
+       exit 1
+    fi
+
+    echo "It seems like you provided an old setup.env file."
+    echo "Since the release of v0.8.10, we introduced a new set of properties."
+    echo "The script is backward compatible and will continue automatically."
+    echo "In the future versions it will be deprecated. Please refer to the documentation to learn about the changes http://netbird.io/docs/getting-started/self-hosting"
+
+    export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://${NETBIRD_AUTH0_DOMAIN}/.well-known/openid-configuration"
+    export NETBIRD_USE_AUTH0="true"
+    export NETBIRD_AUTH_AUDIENCE=${NETBIRD_AUTH0_AUDIENCE}
+    export NETBIRD_AUTH_CLIENT_ID=${NETBIRD_AUTH0_CLIENT_ID}
+fi
+
+echo "loading OpenID configuration from ${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT} to the openid-configuration.json file"
+curl "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" -q -o openid-configuration.json
+
+export NETBIRD_AUTH_AUTHORITY=$( jq -r  '.issuer' openid-configuration.json )
+export NETBIRD_AUTH_JWT_CERTS=$( jq -r  '.jwks_uri' openid-configuration.json )
+export NETBIRD_AUTH_SUPPORTED_SCOPES=$( jq -r '.scopes_supported | join(" ")' openid-configuration.json )
+export NETBIRD_AUTH_TOKEN_ENDPOINT=$( jq -r  '.token_endpoint' openid-configuration.json )
+export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$( jq -r  '.device_authorization_endpoint' openid-configuration.json )
+
+if [ $NETBIRD_USE_AUTH0 == "true" ]
+then
+    export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api email_verified"
+else
+    export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
+fi
+
+if [[ ! -z "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}" ]]; then
+    # user enabled Device Authorization Grant feature
+    export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
+fi
+
+env | grep NETBIRD
+
 envsubst < docker-compose.yml.tmpl > docker-compose.yml
 envsubst < management.json.tmpl > management.json
 envsubst < turnserver.conf.tmpl > turnserver.conf
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@@ -8,11 +8,13 @@ services:
      - 80:80
      - 443:443
    environment:
-      - AUTH0_DOMAIN=$NETBIRD_AUTH0_DOMAIN
-      - AUTH0_CLIENT_ID=$NETBIRD_AUTH0_CLIENT_ID
-      - AUTH0_AUDIENCE=$NETBIRD_AUTH0_AUDIENCE
+      - AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
+      - AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
+      - AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY
+      - USE_AUTH0=$NETBIRD_USE_AUTH0
+      - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES
      - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
-      - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_GRPC_API_ENDPOINT
+      - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
      - NGINX_SSL_PORT=443
      - LETSENCRYPT_DOMAIN=$NETBIRD_DOMAIN
      - LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL
@@ -25,7 +27,7 @@ services:
    volumes:
      - $SIGNAL_VOLUMENAME:/var/lib/netbird
    ports:
-      - 10000:10000
+      - 10000:80
  #     # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "$NETBIRD_DOMAIN", "--log-file", "console"]
@@ -40,11 +42,11 @@ services:
      - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
-      - $NETBIRD_MGMT_GRPC_API_PORT:33073 #gRPC port
-      - $NETBIRD_MGMT_API_PORT:33071 #API port
+      - $NETBIRD_MGMT_API_PORT:443 #API port
  #     # port and command for Let's Encrypt validation without dashboard container
  #   - 443:443
  #    command: ["--letsencrypt-domain", "$NETBIRD_DOMAIN", "--log-file", "console"]
+    command: ["--port", "443", "--log-file", "console"]
  # Coturn
  coturn:
    image: coturn/coturn
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@@ -29,13 +29,24 @@
    "Datadir": "",
    "HttpConfig": {
        "Address": "0.0.0.0:$NETBIRD_MGMT_API_PORT",
-        "AuthIssuer": "https://$NETBIRD_AUTH0_DOMAIN/",
-        "AuthAudience": "$NETBIRD_AUTH0_AUDIENCE",
-        "AuthKeysLocation": "https://$NETBIRD_AUTH0_DOMAIN/.well-known/jwks.json",
+        "AuthIssuer": "$NETBIRD_AUTH_AUTHORITY",
+        "AuthAudience": "$NETBIRD_AUTH_AUDIENCE",
+        "AuthKeysLocation": "$NETBIRD_AUTH_JWT_CERTS",
        "CertFile":"$NETBIRD_MGMT_API_CERT_FILE",
-        "CertKey":"$NETBIRD_MGMT_API_CERT_KEY_FILE"
+        "CertKey":"$NETBIRD_MGMT_API_CERT_KEY_FILE",
+        "OIDCConfigEndpoint":"$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT"
    },
    "IdpManagerConfig": {
        "Manager": "none"
-     }
+     },
+    "DeviceAuthorizationFlow": {
+        "Provider": "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER",
+        "ProviderConfig": {
+          "Audience": "$NETBIRD_AUTH_AUDIENCE",
+          "Domain": "$NETBIRD_AUTH0_DOMAIN",
+          "ClientID": "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID",
+          "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
+          "DeviceAuthEndpoint": "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT"
+         }
+    }
 }
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
@@ -1,16 +1,15 @@
 ## example file, you can copy this file to setup.env and update its values
 ##
-# Dashboard domain and auth0 configuration
-
 # Dashboard domain. e.g. app.mydomain.com
 NETBIRD_DOMAIN=""
-# e.g. dev-24vkclam.us.auth0.com
-NETBIRD_AUTH0_DOMAIN=""
-# e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
-NETBIRD_AUTH0_CLIENT_ID=""
-# e.g. https://app.mydomain.com/ or https://app.mydomain.com,
-# Make sure you used the exact same value for Identifier
-# you used when creating your Auth0 API
-NETBIRD_AUTH0_AUDIENCE=""
+# OIDC configuration e.g., https://example.eu.auth0.com/.well-known/openid-configuration
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=""
+NETBIRD_AUTH_AUDIENCE=""
+# e.g. netbird-client
+NETBIRD_AUTH_CLIENT_ID=""
+# indicates whether to use Auth0 or not: true or false
+NETBIRD_USE_AUTH0="false"
+NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
+NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""
--- a/infrastructure_files/tests/setup.env
+++ b/infrastructure_files/tests/setup.env
@@ -1,16 +1,13 @@
 ## example file, you can copy this file to setup.env and update its values
 ##
-# Dashboard domain and auth0 configuration
-
 # Dashboard domain. e.g. app.mydomain.com
 NETBIRD_DOMAIN="localhost"
-# e.g. dev-24vkclam.us.auth0.com
-NETBIRD_AUTH0_DOMAIN=$CI_NETBIRD_AUTH0_DOMAIN
-# e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
-NETBIRD_AUTH0_CLIENT_ID=$CI_NETBIRD_AUTH0_CLIENT_ID
-# e.g. https://app.mydomain.com/ or https://app.mydomain.com,
-# Make sure you used the exact same value for Identifier
-# you used when creating your Auth0 API
-NETBIRD_AUTH0_AUDIENCE=$CI_NETBIRD_AUTH0_AUDIENCE
+# e.g. https://dev-24vkclam.us.auth0.com/ or https://YOUR-KEYCLOAK-HOST:8080/realms/netbird
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://example.eu.auth0.com/.well-known/openid-configuration"
+# e.g. netbird-client
+NETBIRD_AUTH_CLIENT_ID=$CI_NETBIRD_AUTH_CLIENT_ID
+# indicates whether to use Auth0 or not: true or false
+NETBIRD_USE_AUTH0=$CI_NETBIRD_USE_AUTH0
+NETBIRD_AUTH_AUDIENCE=$CI_NETBIRD_AUTH_AUDIENCE
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""
--- a/management/client/grpc.go
+++ b/management/client/grpc.go
@@ -37,7 +37,7 @@ func NewClient(ctx context.Context, addr string, ourPrivateKey wgtypes.Key, tlsE
 		transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
 	}

-	mgmCtx, cancel := context.WithTimeout(ctx, time.Second*3)
+	mgmCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
 	conn, err := grpc.DialContext(
 		mgmCtx,
@@ -72,10 +72,10 @@ func (c *GrpcClient) Close() error {
 func defaultBackoff(ctx context.Context) backoff.BackOff {
 	return backoff.WithContext(&backoff.ExponentialBackOff{
 		InitialInterval:     800 * time.Millisecond,
-		RandomizationFactor: backoff.DefaultRandomizationFactor,
-		Multiplier:          backoff.DefaultMultiplier,
+		RandomizationFactor: 1,
+		Multiplier:          1.7,
 		MaxInterval:         10 * time.Second,
-		MaxElapsedTime:      12 * time.Hour, // stop after 12 hours of trying, the error will be propagated to the general retry of the client
+		MaxElapsedTime:      3 * 30 * 24 * time.Hour, // 3 months
 		Stop:                backoff.Stop,
 		Clock:               backoff.SystemClock,
 	}, ctx)
@@ -95,32 +95,42 @@ func (c *GrpcClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error
 	operation := func() error {
 		log.Debugf("management connection state %v", c.conn.GetState())

-		if !c.ready() {
-			return fmt.Errorf("no connection to management")
+		connState := c.conn.GetState()
+		if connState == connectivity.Shutdown {
+			return backoff.Permanent(fmt.Errorf("connection to management has been shut down"))
+		} else if !(connState == connectivity.Ready || connState == connectivity.Idle) {
+			c.conn.WaitForStateChange(c.ctx, connState)
+			return fmt.Errorf("connection to management is not ready and in %s state", connState)
 		}

-		// todo we already have it since we did the Login, maybe cache it locally?
 		serverPubKey, err := c.GetServerPublicKey()
 		if err != nil {
-			log.Errorf("failed getting Management Service public key: %s", err)
+			log.Debugf("failed getting Management Service public key: %s", err)
 			return err
 		}

-		stream, err := c.connectToStream(*serverPubKey)
+		cancel, stream, err := c.connectToStream(*serverPubKey)
 		if err != nil {
-			log.Errorf("failed to open Management Service stream: %s", err)
+			log.Debugf("failed to open Management Service stream: %s", err)
+			if s, ok := gstatus.FromError(err); ok && s.Code() == codes.PermissionDenied {
+				return backoff.Permanent(err) // unrecoverable error, propagate to the upper layer
+			}
 			return err
 		}
+		defer cancel()

 		log.Infof("connected to the Management Service stream")

 		// blocking until error
 		err = c.receiveEvents(stream, *serverPubKey, msgHandler)
 		if err != nil {
-			if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
-				return backoff.Permanent(err)
+			if s, ok := gstatus.FromError(err); ok && s.Code() == codes.PermissionDenied {
+				return backoff.Permanent(err) // unrecoverable error, propagate to the upper layer
 			}
+			// we need this reset because after a successful connection and a consequent error, backoff lib doesn't
+			// reset times and next try will start with a long delay
 			backOff.Reset()
+			log.Warnf("disconnected from the Management service but will retry silently. Reason: %v", err)
 			return err
 		}

@@ -129,14 +139,14 @@ func (c *GrpcClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error

 	err := backoff.Retry(operation, backOff)
 	if err != nil {
-		log.Warnf("exiting Management Service connection retry loop due to Permanent error: %s", err)
+		log.Warnf("exiting the Management service connection retry loop due to the unrecoverable error: %s", err)
 		return err
 	}

 	return nil
 }

-func (c *GrpcClient) connectToStream(serverPubKey wgtypes.Key) (proto.ManagementService_SyncClient, error) {
+func (c *GrpcClient) connectToStream(serverPubKey wgtypes.Key) (context.CancelFunc, proto.ManagementService_SyncClient, error) {
 	req := &proto.SyncRequest{}

 	myPrivateKey := c.key
@@ -145,22 +155,27 @@ func (c *GrpcClient) connectToStream(serverPubKey wgtypes.Key) (proto.Management
 	encryptedReq, err := encryption.EncryptMessage(serverPubKey, myPrivateKey, req)
 	if err != nil {
 		log.Errorf("failed encrypting message: %s", err)
-		return nil, err
+		return nil, nil, err
 	}
-
+	ctx, cancel := context.WithCancel(c.ctx)
 	syncReq := &proto.EncryptedMessage{WgPubKey: myPublicKey.String(), Body: encryptedReq}
-	return c.realClient.Sync(c.ctx, syncReq)
+	sync, err := c.realClient.Sync(ctx, syncReq)
+	if err != nil {
+		cancel()
+		return nil, nil, err
+	}
+	return cancel, sync, nil
 }

 func (c *GrpcClient) receiveEvents(stream proto.ManagementService_SyncClient, serverPubKey wgtypes.Key, msgHandler func(msg *proto.SyncResponse) error) error {
 	for {
 		update, err := stream.Recv()
 		if err == io.EOF {
-			log.Errorf("Management stream has been closed by server: %s", err)
+			log.Debugf("Management stream has been closed by server: %s", err)
 			return err
 		}
 		if err != nil {
-			log.Warnf("disconnected from Management Service sync stream: %v", err)
+			log.Debugf("disconnected from Management Service sync stream: %v", err)
 			return err
 		}

@@ -180,13 +195,13 @@ func (c *GrpcClient) receiveEvents(stream proto.ManagementService_SyncClient, se
 	}
 }

-// GetServerPublicKey returns server Wireguard public key (used later for encrypting messages sent to the server)
+// GetServerPublicKey returns server's WireGuard public key (used later for encrypting messages sent to the server)
 func (c *GrpcClient) GetServerPublicKey() (*wgtypes.Key, error) {
 	if !c.ready() {
 		return nil, fmt.Errorf("no connection to management")
 	}

-	mgmCtx, cancel := context.WithTimeout(c.ctx, time.Second*2)
+	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second)
 	defer cancel()
 	resp, err := c.realClient.GetServerKey(mgmCtx, &proto.Empty{})
 	if err != nil {
@@ -210,7 +225,7 @@ func (c *GrpcClient) login(serverKey wgtypes.Key, req *proto.LoginRequest) (*pro
 		log.Errorf("failed to encrypt message: %s", err)
 		return nil, err
 	}
-	mgmCtx, cancel := context.WithTimeout(c.ctx, time.Second*2)
+	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second)
 	defer cancel()
 	resp, err := c.realClient.Login(mgmCtx, &proto.EncryptedMessage{
 		WgPubKey: c.key.PublicKey().String(),
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -1,21 +1,26 @@
 package cmd

 import (
-	"context"
 	"crypto/tls"
+	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
+	httpapi "github.com/netbirdio/netbird/management/server/http"
+	"golang.org/x/crypto/acme/autocert"
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
 	"io"
 	"io/fs"
-	"io/ioutil"
 	"net"
+	"net/http"
+	"net/url"
 	"os"
 	"path"
+	"strings"
 	"time"

 	"github.com/netbirdio/netbird/management/server"
-	"github.com/netbirdio/netbird/management/server/http"
 	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/util"

@@ -28,11 +33,16 @@ import (
 	"google.golang.org/grpc/keepalive"
 )

+// ManagementLegacyPort is the port that was used before by the Management gRPC server.
+// It is used for backward compatibility now.
+const ManagementLegacyPort = 33073
+
 var (
 	mgmtPort              int
 	mgmtLetsencryptDomain string
 	certFile              string
 	certKey               string
+	config                *server.Config

 	kaep = keepalive.EnforcementPolicy{
 		MinTime:             15 * time.Second,
@@ -48,34 +58,55 @@ var (

 	mgmtCmd = &cobra.Command{
 		Use:   "management",
-		Short: "start Netbird Management Server",
-		Run: func(cmd *cobra.Command, args []string) {
+		Short: "start NetBird Management Server",
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			// detect whether user specified a port
+			userPort := cmd.Flag("port").Changed
+
+			var err error
+			config, err = loadMgmtConfig(mgmtConfig)
+			if err != nil {
+				return fmt.Errorf("failed reading provided config file: %s: %v", mgmtConfig, err)
+			}
+
+			tlsEnabled := false
+			if mgmtLetsencryptDomain != "" || (config.HttpConfig.CertFile != "" && config.HttpConfig.CertKey != "") {
+				tlsEnabled = true
+			}
+
+			if !userPort {
+				// different defaults for port when tls enabled/disabled
+				if tlsEnabled {
+					mgmtPort = 443
+				} else {
+					mgmtPort = 80
+				}
+			}
+
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
 			flag.Parse()
 			err := util.InitLog(logLevel, logFile)
 			if err != nil {
-				log.Fatalf("failed initializing log %v", err)
+				return fmt.Errorf("failed initializing log %v", err)
 			}

 			err = handleRebrand(cmd)
 			if err != nil {
-				log.Fatalf("failed to migrate files %v", err)
-			}
-
-			config, err := loadMgmtConfig(mgmtConfig)
-			if err != nil {
-				log.Fatalf("failed reading provided config file: %s: %v", mgmtConfig, err)
+				return fmt.Errorf("failed to migrate files %v", err)
 			}

 			if _, err = os.Stat(config.Datadir); os.IsNotExist(err) {
 				err = os.MkdirAll(config.Datadir, os.ModeDir)
 				if err != nil {
-					log.Fatalf("failed creating datadir: %s: %v", config.Datadir, err)
+					return fmt.Errorf("failed creating datadir: %s: %v", config.Datadir, err)
 				}
 			}

 			store, err := server.NewStore(config.Datadir)
 			if err != nil {
-				log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
+				return fmt.Errorf("failed creating Store: %s: %v", config.Datadir, err)
 			}
 			peersUpdateManager := server.NewPeersUpdateManager()

@@ -83,82 +114,180 @@ var (
 			if config.IdpManagerConfig != nil {
 				idpManager, err = idp.NewManager(*config.IdpManagerConfig)
 				if err != nil {
-					log.Fatalln("failed retrieving a new idp manager with err: ", err)
+					return fmt.Errorf("failed retrieving a new idp manager with err: %v", err)
 				}
 			}

 			accountManager, err := server.BuildManager(store, peersUpdateManager, idpManager)
 			if err != nil {
-				log.Fatalln("failed build default manager: ", err)
+				return fmt.Errorf("failed to build default manager: %v", err)
 			}

-			var opts []grpc.ServerOption
+			turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)

-			var httpServer *http.Server
+			gRPCOpts := []grpc.ServerOption{grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp)}
+			var certManager *autocert.Manager
+			var tlsConfig *tls.Config
+			tlsEnabled := false
 			if config.HttpConfig.LetsEncryptDomain != "" {
-				// automatically generate a new certificate with Let's Encrypt
-				certManager := encryption.CreateCertManager(config.Datadir, config.HttpConfig.LetsEncryptDomain)
-				transportCredentials := credentials.NewTLS(certManager.TLSConfig())
-				opts = append(opts, grpc.Creds(transportCredentials))
-
-				httpServer = http.NewHttpsServer(config.HttpConfig, certManager, accountManager)
-			} else if config.HttpConfig.CertFile != "" && config.HttpConfig.CertKey != "" {
-				// use provided certificate
-				tlsConfig, err := loadTLSConfig(config.HttpConfig.CertFile, config.HttpConfig.CertKey)
+				certManager, err = encryption.CreateCertManager(config.Datadir, config.HttpConfig.LetsEncryptDomain)
 				if err != nil {
-					log.Fatal("cannot load TLS credentials: ", err)
+					return fmt.Errorf("failed creating LetsEncrypt cert manager: %v", err)
+				}
+				transportCredentials := credentials.NewTLS(certManager.TLSConfig())
+				gRPCOpts = append(gRPCOpts, grpc.Creds(transportCredentials))
+				tlsEnabled = true
+			} else if config.HttpConfig.CertFile != "" && config.HttpConfig.CertKey != "" {
+				tlsConfig, err = loadTLSConfig(config.HttpConfig.CertFile, config.HttpConfig.CertKey)
+				if err != nil {
+					log.Errorf("cannot load TLS credentials: %v", err)
+					return err
 				}
 				transportCredentials := credentials.NewTLS(tlsConfig)
-				opts = append(opts, grpc.Creds(transportCredentials))
-				httpServer = http.NewHttpsServerWithTLSConfig(config.HttpConfig, tlsConfig, accountManager)
-			} else {
-				// start server without SSL
-				httpServer = http.NewHttpServer(config.HttpConfig, accountManager)
+				gRPCOpts = append(gRPCOpts, grpc.Creds(transportCredentials))
+				tlsEnabled = true
 			}

-			opts = append(opts, grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
-			grpcServer := grpc.NewServer(opts...)
-			turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
-			server, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager)
+			httpAPIHandler, err := httpapi.APIHandler(accountManager,
+				config.HttpConfig.AuthIssuer, config.HttpConfig.AuthAudience, config.HttpConfig.AuthKeysLocation)
 			if err != nil {
-				log.Fatalf("failed creating new server: %v", err)
+				return fmt.Errorf("failed creating HTTP API handler: %v", err)
 			}
-			mgmtProto.RegisterManagementServiceServer(grpcServer, server)
-			log.Printf("started server: localhost:%v", mgmtPort)

-			lis, err := net.Listen("tcp", fmt.Sprintf(":%d", mgmtPort))
+			gRPCAPIHandler := grpc.NewServer(gRPCOpts...)
+			srv, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager)
 			if err != nil {
-				log.Fatalf("failed to listen: %v", err)
+				return fmt.Errorf("failed creating gRPC API handler: %v", err)
 			}
+			mgmtProto.RegisterManagementServiceServer(gRPCAPIHandler, srv)

-			go func() {
-				if err = grpcServer.Serve(lis); err != nil {
-					log.Fatalf("failed to serve gRpc server: %v", err)
-				}
-			}()
-
-			go func() {
-				err = httpServer.Start()
+			var compatListener net.Listener
+			if mgmtPort != ManagementLegacyPort {
+				// The Management gRPC server was running on port 33073 previously. Old agents that are already connected to it
+				// are using port 33073. For compatibility purposes we keep running a 2nd gRPC server on port 33073.
+				compatListener, err = serveGRPC(gRPCAPIHandler, ManagementLegacyPort)
 				if err != nil {
-					log.Fatalf("failed to serve http server: %v", err)
+					return err
 				}
-			}()
+				log.Infof("running gRPC backward compatibility server: %s", compatListener.Addr().String())
+			}
+
+			rootHandler := handlerFunc(gRPCAPIHandler, httpAPIHandler)
+			var listener net.Listener
+			if certManager != nil {
+				// a call to certManager.Listener() always creates a new listener so we do it once
+				cml := certManager.Listener()
+				if mgmtPort == 443 {
+					// CertManager, HTTP and gRPC API all on the same port
+					rootHandler = certManager.HTTPHandler(rootHandler)
+					listener = cml
+				} else {
+					listener, err = tls.Listen("tcp", fmt.Sprintf(":%d", mgmtPort), certManager.TLSConfig())
+					if err != nil {
+						return fmt.Errorf("failed creating TLS listener on port %d: %v", mgmtPort, err)
+					}
+					log.Infof("running HTTP server (LetsEncrypt challenge handler): %s", cml.Addr().String())
+					serveHTTP(cml, certManager.HTTPHandler(nil))
+				}
+			} else if tlsConfig != nil {
+				listener, err = tls.Listen("tcp", fmt.Sprintf(":%d", mgmtPort), tlsConfig)
+				if err != nil {
+					return fmt.Errorf("failed creating TLS listener on port %d: %v", mgmtPort, err)
+				}
+			} else {
+				listener, err = net.Listen("tcp", fmt.Sprintf(":%d", mgmtPort))
+				if err != nil {
+					return fmt.Errorf("failed creating TCP listener on port %d: %v", mgmtPort, err)
+				}
+			}
+
+			log.Infof("running HTTP server and gRPC server on the same port: %s", listener.Addr().String())
+			serveGRPCWithHTTP(listener, rootHandler, tlsEnabled)

 			SetupCloseHandler()
-			<-stopCh
-			log.Println("Receive signal to stop running Management server")
-			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-			defer cancel()
-			err = httpServer.Stop(ctx)
-			if err != nil {
-				log.Fatalf("failed stopping the http server %v", err)
-			}

-			grpcServer.Stop()
+			<-stopCh
+			_ = listener.Close()
+			if certManager != nil {
+				_ = certManager.Listener().Close()
+			}
+			gRPCAPIHandler.Stop()
+			log.Infof("stopped Management Service")
+
+			return nil
 		},
 	}
 )

+func notifyStop(msg string) {
+	select {
+	case stopCh <- 1:
+		log.Error(msg)
+	default:
+		// stop has been already called, nothing to report
+	}
+}
+
+func serveGRPC(grpcServer *grpc.Server, port int) (net.Listener, error) {
+	listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+	if err != nil {
+		return nil, err
+	}
+	go func() {
+		err := grpcServer.Serve(listener)
+		if err != nil {
+			notifyStop(fmt.Sprintf("failed running gRPC server on port %d: %v", port, err))
+		}
+	}()
+	return listener, nil
+}
+
+func serveHTTP(httpListener net.Listener, handler http.Handler) {
+	go func() {
+		err := http.Serve(httpListener, handler)
+		if err != nil {
+			notifyStop(fmt.Sprintf("failed running HTTP server: %v", err))
+		}
+	}()
+}
+
+func serveGRPCWithHTTP(listener net.Listener, handler http.Handler, tlsEnabled bool) {
+	go func() {
+		var err error
+		if tlsEnabled {
+			err = http.Serve(listener, handler)
+		} else {
+			// the following magic is needed to support HTTP2 without TLS
+			// and still share a single port between gRPC and HTTP APIs
+			h1s := &http.Server{
+				Handler: h2c.NewHandler(handler, &http2.Server{}),
+			}
+			err = h1s.Serve(listener)
+		}
+
+		if err != nil {
+			select {
+			case stopCh <- 1:
+				log.Errorf("failed to serve HTTP and gRPC server: %v", err)
+			default:
+				// stop has been already called, nothing to report
+			}
+		}
+	}()
+}
+
+func handlerFunc(gRPCHandler *grpc.Server, httpHandler http.Handler) http.Handler {
+	return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
+		grpcHeader := strings.HasPrefix(request.Header.Get("Content-Type"), "application/grpc") ||
+			strings.HasPrefix(request.Header.Get("Content-Type"), "application/grpc+proto")
+		if request.ProtoMajor == 2 && grpcHeader {
+			gRPCHandler.ServeHTTP(writer, request)
+		} else {
+			httpHandler.ServeHTTP(writer, request)
+		}
+	})
+}
+
 func loadMgmtConfig(mgmtConfigPath string) (*server.Config, error) {
 	config := &server.Config{}
 	_, err := util.ReadJson(mgmtConfigPath, config)
@@ -177,9 +306,88 @@ func loadMgmtConfig(mgmtConfigPath string) (*server.Config, error) {
 		config.HttpConfig.CertKey = certKey
 	}

+	oidcEndpoint := config.HttpConfig.OIDCConfigEndpoint
+	if oidcEndpoint != "" {
+		// if OIDCConfigEndpoint is specified, we can load DeviceAuthEndpoint and TokenEndpoint automatically
+		log.Infof("loading OIDC configuration from the provided IDP configuration endpoint %s", oidcEndpoint)
+		oidcConfig, err := fetchOIDCConfig(oidcEndpoint)
+		if err != nil {
+			return nil, err
+		}
+		log.Infof("loaded OIDC configuration from the provided IDP configuration endpoint: %s", oidcEndpoint)
+
+		log.Infof("overriding HttpConfig.AuthIssuer with a new value %s, previously configured value: %s",
+			oidcConfig.Issuer, config.HttpConfig.AuthIssuer)
+		config.HttpConfig.AuthIssuer = oidcConfig.Issuer
+
+		log.Infof("overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value %s, previously configured value: %s",
+			oidcConfig.JwksURI, config.HttpConfig.AuthKeysLocation)
+		config.HttpConfig.AuthKeysLocation = oidcConfig.JwksURI
+
+		if !(config.DeviceAuthorizationFlow == nil || strings.ToLower(config.DeviceAuthorizationFlow.Provider) == string(server.NONE)) {
+			log.Infof("overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: %s, previously configured value: %s",
+				oidcConfig.TokenEndpoint, config.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint)
+			config.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
+			log.Infof("overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: %s, previously configured value: %s",
+				oidcConfig.DeviceAuthEndpoint, config.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint)
+			config.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint = oidcConfig.DeviceAuthEndpoint
+
+			u, err := url.Parse(oidcEndpoint)
+			if err != nil {
+				return nil, err
+			}
+			log.Infof("overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: %s, previously configured value: %s",
+				u.Host, config.DeviceAuthorizationFlow.ProviderConfig.Domain)
+			config.DeviceAuthorizationFlow.ProviderConfig.Domain = u.Host
+		}
+	}
+
 	return config, err
 }

+// OIDCConfigResponse used for parsing OIDC config response
+type OIDCConfigResponse struct {
+	Issuer             string `json:"issuer"`
+	TokenEndpoint      string `json:"token_endpoint"`
+	DeviceAuthEndpoint string `json:"device_authorization_endpoint"`
+	JwksURI            string `json:"jwks_uri"`
+}
+
+// fetchOIDCConfig fetches OIDC configuration from the IDP
+func fetchOIDCConfig(oidcEndpoint string) (OIDCConfigResponse, error) {
+
+	res, err := http.Get(oidcEndpoint)
+	if err != nil {
+		return OIDCConfigResponse{}, fmt.Errorf("failed fetching OIDC configuration fro mendpoint %s %v", oidcEndpoint, err)
+	}
+
+	defer func() {
+		err := res.Body.Close()
+		if err != nil {
+			log.Debugf("failed closing response body %v", err)
+		}
+	}()
+
+	body, err := io.ReadAll(res.Body)
+	if err != nil {
+		return OIDCConfigResponse{}, fmt.Errorf("failed reading OIDC configuration response body: %v", err)
+	}
+
+	if res.StatusCode != 200 {
+		return OIDCConfigResponse{}, fmt.Errorf("OIDC configuration request returned status %d with response: %s",
+			res.StatusCode, string(body))
+	}
+
+	config := OIDCConfigResponse{}
+	err = json.Unmarshal(body, &config)
+	if err != nil {
+		return OIDCConfigResponse{}, fmt.Errorf("failed unmarshaling OIDC configuration response: %v", err)
+	}
+
+	return config, nil
+
+}
+
 func loadTLSConfig(certFile string, certKey string) (*tls.Config, error) {
 	// Load server's certificate and private key
 	serverCert, err := tls.LoadX509KeyPair(certFile, certKey)
@@ -191,6 +399,9 @@ func loadTLSConfig(certFile string, certKey string) (*tls.Config, error) {
 	config := &tls.Config{
 		Certificates: []tls.Certificate{serverCert},
 		ClientAuth:   tls.NoClientCert,
+		NextProtos: []string{
+			"h2", "http/1.1", // enable HTTP/2
+		},
 	}

 	return config, nil
@@ -263,7 +474,7 @@ func copySymLink(source, dest string) error {

 func cpDir(src string, dst string) error {
 	var err error
-	var fds []os.FileInfo
+	var fds []os.DirEntry
 	var srcinfo os.FileInfo

 	if srcinfo, err = os.Stat(src); err != nil {
@@ -274,7 +485,7 @@ func cpDir(src string, dst string) error {
 		return err
 	}

-	if fds, err = ioutil.ReadDir(src); err != nil {
+	if fds, err = os.ReadDir(src); err != nil {
 		return err
 	}
 	for _, fd := range fds {
--- a/management/cmd/root.go
+++ b/management/cmd/root.go
@@ -60,7 +60,7 @@ func init() {
 	oldDefaultMgmtConfig = oldDefaultMgmtConfigDir + "/management.json"
 	oldDefaultLogFile = oldDefaultLogDir + "/management.log"

-	mgmtCmd.Flags().IntVar(&mgmtPort, "port", 33073, "server port to listen on")
+	mgmtCmd.Flags().IntVar(&mgmtPort, "port", 80, "server port to listen on (defaults to 443 if TLS is enabled, 80 otherwise")
 	mgmtCmd.Flags().StringVar(&mgmtDataDir, "datadir", defaultMgmtDataDir, "server data directory location")
 	mgmtCmd.Flags().StringVar(&mgmtConfig, "config", defaultMgmtConfig, "Netbird config file location. Config params specified via command line (e.g. datadir) have a precedence over configuration from this file")
 	mgmtCmd.Flags().StringVar(&mgmtLetsencryptDomain, "letsencrypt-domain", "", "a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS")
--- a/management/proto/management.pb.go
+++ b/management/proto/management.pb.go
@@ -980,6 +980,8 @@ type NetworkMap struct {
 	RemotePeers []*RemotePeerConfig `protobuf:"bytes,3,rep,name=remotePeers,proto3" json:"remotePeers,omitempty"`
 	// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
 	RemotePeersIsEmpty bool `protobuf:"varint,4,opt,name=remotePeersIsEmpty,proto3" json:"remotePeersIsEmpty,omitempty"`
+	// List of routes to be applied
+	Routes []*Route `protobuf:"bytes,5,rep,name=Routes,proto3" json:"Routes,omitempty"`
 }

 func (x *NetworkMap) Reset() {
@@ -1042,6 +1044,13 @@ func (x *NetworkMap) GetRemotePeersIsEmpty() bool {
 	return false
 }

+func (x *NetworkMap) GetRoutes() []*Route {
+	if x != nil {
+		return x.Routes
+	}
+	return nil
+}
+
 // RemotePeerConfig represents a configuration of a remote peer.
 // The properties are used to configure Wireguard Peers sections
 type RemotePeerConfig struct {
@@ -1278,9 +1287,14 @@ type ProviderConfig struct {
 	// An IDP application client secret
 	ClientSecret string `protobuf:"bytes,2,opt,name=ClientSecret,proto3" json:"ClientSecret,omitempty"`
 	// An IDP API domain
+	// Deprecated. Use a DeviceAuthEndpoint and TokenEndpoint
 	Domain string `protobuf:"bytes,3,opt,name=Domain,proto3" json:"Domain,omitempty"`
 	// An Audience for validation
 	Audience string `protobuf:"bytes,4,opt,name=Audience,proto3" json:"Audience,omitempty"`
+	// DeviceAuthEndpoint is an endpoint to request device authentication code.
+	DeviceAuthEndpoint string `protobuf:"bytes,5,opt,name=DeviceAuthEndpoint,proto3" json:"DeviceAuthEndpoint,omitempty"`
+	// TokenEndpoint is an endpoint to request auth token.
+	TokenEndpoint string `protobuf:"bytes,6,opt,name=TokenEndpoint,proto3" json:"TokenEndpoint,omitempty"`
 }

 func (x *ProviderConfig) Reset() {
@@ -1343,6 +1357,116 @@ func (x *ProviderConfig) GetAudience() string {
 	return ""
 }

+func (x *ProviderConfig) GetDeviceAuthEndpoint() string {
+	if x != nil {
+		return x.DeviceAuthEndpoint
+	}
+	return ""
+}
+
+func (x *ProviderConfig) GetTokenEndpoint() string {
+	if x != nil {
+		return x.TokenEndpoint
+	}
+	return ""
+}
+
+// Route represents a route.Route object
+type Route struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	ID          string `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+	Network     string `protobuf:"bytes,2,opt,name=Network,proto3" json:"Network,omitempty"`
+	NetworkType int64  `protobuf:"varint,3,opt,name=NetworkType,proto3" json:"NetworkType,omitempty"`
+	Peer        string `protobuf:"bytes,4,opt,name=Peer,proto3" json:"Peer,omitempty"`
+	Metric      int64  `protobuf:"varint,5,opt,name=Metric,proto3" json:"Metric,omitempty"`
+	Masquerade  bool   `protobuf:"varint,6,opt,name=Masquerade,proto3" json:"Masquerade,omitempty"`
+	NetID       string `protobuf:"bytes,7,opt,name=NetID,proto3" json:"NetID,omitempty"`
+}
+
+func (x *Route) Reset() {
+	*x = Route{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_management_proto_msgTypes[19]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Route) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Route) ProtoMessage() {}
+
+func (x *Route) ProtoReflect() protoreflect.Message {
+	mi := &file_management_proto_msgTypes[19]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Route.ProtoReflect.Descriptor instead.
+func (*Route) Descriptor() ([]byte, []int) {
+	return file_management_proto_rawDescGZIP(), []int{19}
+}
+
+func (x *Route) GetID() string {
+	if x != nil {
+		return x.ID
+	}
+	return ""
+}
+
+func (x *Route) GetNetwork() string {
+	if x != nil {
+		return x.Network
+	}
+	return ""
+}
+
+func (x *Route) GetNetworkType() int64 {
+	if x != nil {
+		return x.NetworkType
+	}
+	return 0
+}
+
+func (x *Route) GetPeer() string {
+	if x != nil {
+		return x.Peer
+	}
+	return ""
+}
+
+func (x *Route) GetMetric() int64 {
+	if x != nil {
+		return x.Metric
+	}
+	return 0
+}
+
+func (x *Route) GetMasquerade() bool {
+	if x != nil {
+		return x.Masquerade
+	}
+	return false
+}
+
+func (x *Route) GetNetID() string {
+	if x != nil {
+		return x.NetID
+	}
+	return ""
+}
+
 var File_management_proto protoreflect.FileDescriptor

 var file_management_proto_rawDesc = []byte{
@@ -1459,7 +1583,7 @@ var file_management_proto_rawDesc = []byte{
 	0x0a, 0x09, 0x73, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28,
 	0x0b, 0x32, 0x15, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53,
 	0x53, 0x48, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x73, 0x73, 0x68, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x22, 0xcc, 0x01, 0x0a, 0x0a, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d,
+	0x66, 0x69, 0x67, 0x22, 0xf7, 0x01, 0x0a, 0x0a, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d,
 	0x61, 0x70, 0x12, 0x16, 0x0a, 0x06, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01,
 	0x28, 0x04, 0x52, 0x06, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x36, 0x0a, 0x0a, 0x70, 0x65,
 	0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16,
@@ -1472,67 +1596,87 @@ var file_management_proto_rawDesc = []byte{
 	0x72, 0x73, 0x12, 0x2e, 0x0a, 0x12, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72,
 	0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12,
 	0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70,
-	0x74, 0x79, 0x22, 0x83, 0x01, 0x0a, 0x10, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65,
-	0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62,
-	0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62,
-	0x4b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70,
-	0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64,
-	0x49, 0x70, 0x73, 0x12, 0x33, 0x0a, 0x09, 0x73, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x2e, 0x53, 0x53, 0x48, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x73,
-	0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x49, 0x0a, 0x09, 0x53, 0x53, 0x48, 0x43,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1e, 0x0a, 0x0a, 0x73, 0x73, 0x68, 0x45, 0x6e, 0x61, 0x62,
-	0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x73, 0x73, 0x68, 0x45, 0x6e,
-	0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x73, 0x68, 0x50, 0x75, 0x62, 0x4b,
-	0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x73, 0x73, 0x68, 0x50, 0x75, 0x62,
-	0x4b, 0x65, 0x79, 0x22, 0x20, 0x0a, 0x1e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74,
-	0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xbf, 0x01, 0x0a, 0x17, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65,
-	0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f,
-	0x77, 0x12, 0x48, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x0e, 0x32, 0x2c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
-	0x2e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x2e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65,
-	0x72, 0x52, 0x08, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x42, 0x0a, 0x0e, 0x50,
-	0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
-	0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52,
-	0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22,
-	0x16, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x0a, 0x0a, 0x06, 0x48,
-	0x4f, 0x53, 0x54, 0x45, 0x44, 0x10, 0x00, 0x22, 0x84, 0x01, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76,
-	0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x43, 0x6c,
-	0x69, 0x65, 0x6e, 0x74, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x43, 0x6c,
-	0x69, 0x65, 0x6e, 0x74, 0x49, 0x44, 0x12, 0x22, 0x0a, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74,
-	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x43, 0x6c,
-	0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f,
-	0x6d, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61,
-	0x69, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x04,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x32, 0xf7,
-	0x02, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x72,
-	0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1c, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79,
-	0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
-	0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x04, 0x53,
-	0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+	0x74, 0x79, 0x12, 0x29, 0x0a, 0x06, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03,
+	0x28, 0x0b, 0x32, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x06, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x83, 0x01,
+	0x0a, 0x10, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x1e,
+	0x0a, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03,
+	0x28, 0x09, 0x52, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x12, 0x33,
+	0x0a, 0x09, 0x73, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x15, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53,
+	0x53, 0x48, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x73, 0x73, 0x68, 0x43, 0x6f, 0x6e,
+	0x66, 0x69, 0x67, 0x22, 0x49, 0x0a, 0x09, 0x53, 0x53, 0x48, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x12, 0x1e, 0x0a, 0x0a, 0x73, 0x73, 0x68, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x73, 0x73, 0x68, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64,
+	0x12, 0x1c, 0x0a, 0x09, 0x73, 0x73, 0x68, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x0c, 0x52, 0x09, 0x73, 0x73, 0x68, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x22, 0x20,
+	0x0a, 0x1e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x22, 0xbf, 0x01, 0x0a, 0x17, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f,
+	0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x48, 0x0a, 0x08,
+	0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2c,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x44, 0x65, 0x76, 0x69,
+	0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46,
+	0x6c, 0x6f, 0x77, 0x2e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x52, 0x08, 0x50, 0x72,
+	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x42, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64,
+	0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x76,
+	0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x50, 0x72, 0x6f, 0x76,
+	0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x16, 0x0a, 0x08, 0x70, 0x72,
+	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x0a, 0x0a, 0x06, 0x48, 0x4f, 0x53, 0x54, 0x45, 0x44,
+	0x10, 0x00, 0x22, 0xda, 0x01, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49,
+	0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49,
+	0x44, 0x12, 0x22, 0x0a, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53,
+	0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x1a, 0x0a,
+	0x08, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x08, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x2e, 0x0a, 0x12, 0x44, 0x65, 0x76,
+	0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18,
+	0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74,
+	0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x24, 0x0a, 0x0d, 0x54, 0x6f, 0x6b,
+	0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0d, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x22,
+	0xb5, 0x01, 0x0a, 0x05, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x44, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x4e, 0x65, 0x74,
+	0x77, 0x6f, 0x72, 0x6b, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x4e, 0x65, 0x74, 0x77,
+	0x6f, 0x72, 0x6b, 0x12, 0x20, 0x0a, 0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x54, 0x79,
+	0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+	0x6b, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x65, 0x65, 0x72, 0x18, 0x04, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x04, 0x50, 0x65, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x4d, 0x65, 0x74,
+	0x72, 0x69, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4d, 0x65, 0x74, 0x72, 0x69,
+	0x63, 0x12, 0x1e, 0x0a, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64, 0x65, 0x18,
+	0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64,
+	0x65, 0x12, 0x14, 0x0a, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x32, 0xf7, 0x02, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a,
+	0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73,
+	0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
+	0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61,
+	0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x04, 0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70,
+	0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
+	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c,
+	0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a,
+	0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72,
+	0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
+	0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79,
+	0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d,
+	0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x1a, 0x47, 0x65, 0x74, 0x44, 0x65, 0x76, 0x69,
+	0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46,
+	0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
 	0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
 	0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45,
 	0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22,
-	0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
-	0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
-	0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48, 0x65, 0x61,
-	0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
-	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x1a,
-	0x47, 0x65, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
-	0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
-	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x33,
 }

 var (
@@ -1548,7 +1692,7 @@ func file_management_proto_rawDescGZIP() []byte {
 }

 var file_management_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
-var file_management_proto_msgTypes = make([]protoimpl.MessageInfo, 19)
+var file_management_proto_msgTypes = make([]protoimpl.MessageInfo, 20)
 var file_management_proto_goTypes = []interface{}{
 	(HostConfig_Protocol)(0),               // 0: management.HostConfig.Protocol
 	(DeviceAuthorizationFlowProvider)(0),   // 1: management.DeviceAuthorizationFlow.provider
@@ -1571,7 +1715,8 @@ var file_management_proto_goTypes = []interface{}{
 	(*DeviceAuthorizationFlowRequest)(nil), // 18: management.DeviceAuthorizationFlowRequest
 	(*DeviceAuthorizationFlow)(nil),        // 19: management.DeviceAuthorizationFlow
 	(*ProviderConfig)(nil),                 // 20: management.ProviderConfig
-	(*timestamp.Timestamp)(nil),            // 21: google.protobuf.Timestamp
+	(*Route)(nil),                          // 21: management.Route
+	(*timestamp.Timestamp)(nil),            // 22: google.protobuf.Timestamp
 }
 var file_management_proto_depIdxs = []int32{
 	11, // 0: management.SyncResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig
@@ -1582,7 +1727,7 @@ var file_management_proto_depIdxs = []int32{
 	6,  // 5: management.LoginRequest.peerKeys:type_name -> management.PeerKeys
 	11, // 6: management.LoginResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig
 	14, // 7: management.LoginResponse.peerConfig:type_name -> management.PeerConfig
-	21, // 8: management.ServerKeyResponse.expiresAt:type_name -> google.protobuf.Timestamp
+	22, // 8: management.ServerKeyResponse.expiresAt:type_name -> google.protobuf.Timestamp
 	12, // 9: management.WiretrusteeConfig.stuns:type_name -> management.HostConfig
 	13, // 10: management.WiretrusteeConfig.turns:type_name -> management.ProtectedHostConfig
 	12, // 11: management.WiretrusteeConfig.signal:type_name -> management.HostConfig
@@ -1591,24 +1736,25 @@ var file_management_proto_depIdxs = []int32{
 	17, // 14: management.PeerConfig.sshConfig:type_name -> management.SSHConfig
 	14, // 15: management.NetworkMap.peerConfig:type_name -> management.PeerConfig
 	16, // 16: management.NetworkMap.remotePeers:type_name -> management.RemotePeerConfig
-	17, // 17: management.RemotePeerConfig.sshConfig:type_name -> management.SSHConfig
-	1,  // 18: management.DeviceAuthorizationFlow.Provider:type_name -> management.DeviceAuthorizationFlow.provider
-	20, // 19: management.DeviceAuthorizationFlow.ProviderConfig:type_name -> management.ProviderConfig
-	2,  // 20: management.ManagementService.Login:input_type -> management.EncryptedMessage
-	2,  // 21: management.ManagementService.Sync:input_type -> management.EncryptedMessage
-	10, // 22: management.ManagementService.GetServerKey:input_type -> management.Empty
-	10, // 23: management.ManagementService.isHealthy:input_type -> management.Empty
-	2,  // 24: management.ManagementService.GetDeviceAuthorizationFlow:input_type -> management.EncryptedMessage
-	2,  // 25: management.ManagementService.Login:output_type -> management.EncryptedMessage
-	2,  // 26: management.ManagementService.Sync:output_type -> management.EncryptedMessage
-	9,  // 27: management.ManagementService.GetServerKey:output_type -> management.ServerKeyResponse
-	10, // 28: management.ManagementService.isHealthy:output_type -> management.Empty
-	2,  // 29: management.ManagementService.GetDeviceAuthorizationFlow:output_type -> management.EncryptedMessage
-	25, // [25:30] is the sub-list for method output_type
-	20, // [20:25] is the sub-list for method input_type
-	20, // [20:20] is the sub-list for extension type_name
-	20, // [20:20] is the sub-list for extension extendee
-	0,  // [0:20] is the sub-list for field type_name
+	21, // 17: management.NetworkMap.Routes:type_name -> management.Route
+	17, // 18: management.RemotePeerConfig.sshConfig:type_name -> management.SSHConfig
+	1,  // 19: management.DeviceAuthorizationFlow.Provider:type_name -> management.DeviceAuthorizationFlow.provider
+	20, // 20: management.DeviceAuthorizationFlow.ProviderConfig:type_name -> management.ProviderConfig
+	2,  // 21: management.ManagementService.Login:input_type -> management.EncryptedMessage
+	2,  // 22: management.ManagementService.Sync:input_type -> management.EncryptedMessage
+	10, // 23: management.ManagementService.GetServerKey:input_type -> management.Empty
+	10, // 24: management.ManagementService.isHealthy:input_type -> management.Empty
+	2,  // 25: management.ManagementService.GetDeviceAuthorizationFlow:input_type -> management.EncryptedMessage
+	2,  // 26: management.ManagementService.Login:output_type -> management.EncryptedMessage
+	2,  // 27: management.ManagementService.Sync:output_type -> management.EncryptedMessage
+	9,  // 28: management.ManagementService.GetServerKey:output_type -> management.ServerKeyResponse
+	10, // 29: management.ManagementService.isHealthy:output_type -> management.Empty
+	2,  // 30: management.ManagementService.GetDeviceAuthorizationFlow:output_type -> management.EncryptedMessage
+	26, // [26:31] is the sub-list for method output_type
+	21, // [21:26] is the sub-list for method input_type
+	21, // [21:21] is the sub-list for extension type_name
+	21, // [21:21] is the sub-list for extension extendee
+	0,  // [0:21] is the sub-list for field type_name
 }

 func init() { file_management_proto_init() }
@@ -1845,6 +1991,18 @@ func file_management_proto_init() {
 				return nil
 			}
 		}
+		file_management_proto_msgTypes[19].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Route); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@@ -1852,7 +2010,7 @@ func file_management_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_management_proto_rawDesc,
 			NumEnums:      2,
-			NumMessages:   19,
+			NumMessages:   20,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/management/proto/management.proto
+++ b/management/proto/management.proto
@@ -176,6 +176,8 @@ message NetworkMap {
  // Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
  bool remotePeersIsEmpty = 4;

+  // List of routes to be applied
+  repeated Route Routes = 5;
 }

 // RemotePeerConfig represents a configuration of a remote peer.
@@ -225,7 +227,23 @@ message ProviderConfig {
  // An IDP application client secret
  string ClientSecret = 2;
  // An IDP API domain
-  string Domain =3;
+  // Deprecated. Use a DeviceAuthEndpoint and TokenEndpoint
+  string Domain = 3;
  // An Audience for validation
  string Audience = 4;
+  // DeviceAuthEndpoint is an endpoint to request device authentication code.
+  string DeviceAuthEndpoint = 5;
+  // TokenEndpoint is an endpoint to request auth token.
+  string TokenEndpoint = 6;
 }
+
+// Route represents a route.Route object
+message Route {
+  string ID = 1;
+  string Network = 2;
+  int64  NetworkType = 3;
+  string Peer = 4;
+  int64  Metric = 5;
+  bool   Masquerade = 6;
+  string NetID = 7;
+}
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -7,6 +7,7 @@ import (
 	cacheStore "github.com/eko/gocache/v2/store"
 	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	"github.com/netbirdio/netbird/route"
 	gocache "github.com/patrickmn/go-cache"
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
@@ -48,6 +49,7 @@ type AccountManager interface {
 	RenamePeer(accountId string, peerKey string, newName string) (*Peer, error)
 	DeletePeer(accountId string, peerKey string) (*Peer, error)
 	GetPeerByIP(accountId string, peerIP string) (*Peer, error)
+	UpdatePeer(accountID string, peer *Peer) (*Peer, error)
 	GetNetworkMap(peerKey string) (*NetworkMap, error)
 	GetPeerNetwork(peerKey string) (*Network, error)
 	AddPeer(setupKey string, userId string, peer *Peer) (*Peer, error)
@@ -67,7 +69,12 @@ type AccountManager interface {
 	UpdateRule(accountID string, ruleID string, operations []RuleUpdateOperation) (*Rule, error)
 	DeleteRule(accountId, ruleID string) error
 	ListRules(accountId string) ([]*Rule, error)
-	UpdatePeer(accountID string, peer *Peer) (*Peer, error)
+	GetRoute(accountID, routeID string) (*route.Route, error)
+	CreateRoute(accountID string, prefix, peer, description, netID string, masquerade bool, metric int, enabled bool) (*route.Route, error)
+	SaveRoute(accountID string, route *route.Route) error
+	UpdateRoute(accountID string, routeID string, operations []RouteUpdateOperation) (*route.Route, error)
+	DeleteRoute(accountID, routeID string) error
+	ListRoutes(accountID string) ([]*route.Route, error)
 }

 type DefaultAccountManager struct {
@@ -94,6 +101,7 @@ type Account struct {
 	Users                  map[string]*User
 	Groups                 map[string]*Group
 	Rules                  map[string]*Rule
+	Routes                 map[string]*route.Route
 }

 type UserInfo struct {
@@ -686,6 +694,7 @@ func newAccountWithId(accountId, userId, domain string) *Account {
 	network := NewNetwork()
 	peers := make(map[string]*Peer)
 	users := make(map[string]*User)
+	routes := make(map[string]*route.Route)
 	users[userId] = NewAdminUser(userId)
 	log.Debugf("created new account %s with setup key %s", accountId, defaultKey.Key)

@@ -697,6 +706,7 @@ func newAccountWithId(accountId, userId, domain string) *Account {
 		Users:     users,
 		CreatedBy: userId,
 		Domain:    domain,
+		Routes:    routes,
 	}

 	addAllGroup(acc)
--- a/management/server/config.go
+++ b/management/server/config.go
@@ -16,7 +16,7 @@ const (
 	TCP   Protocol = "tcp"
 	HTTP  Protocol = "http"
 	HTTPS Protocol = "https"
-	AUTH0 Provider = "auth0"
+	NONE  Provider = "none"
 )

 // Config of the Management service
@@ -49,13 +49,14 @@ type HttpServerConfig struct {
 	CertFile string
 	//CertKey is the location of the certificate private key
 	CertKey string
-	Address string
 	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)
 	AuthAudience string
 	// AuthIssuer identifies principal that issued the JWT.
 	AuthIssuer string
 	// AuthKeysLocation is a location of JWT key set containing the public keys used to verify JWT
 	AuthKeysLocation string
+	// OIDCConfigEndpoint is the endpoint of an IDP manager to get OIDC configuration
+	OIDCConfigEndpoint string
 }

 // Host represents a Wiretrustee host (e.g. STUN, TURN, Signal)
@@ -82,9 +83,14 @@ type ProviderConfig struct {
 	// ClientSecret An IDP application client secret
 	ClientSecret string
 	// Domain An IDP API domain
+	// Deprecated. Use TokenEndpoint and DeviceAuthEndpoint
 	Domain string
 	// Audience An Audience for to authorization validation
 	Audience string
+	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain access token
+	TokenEndpoint string
+	// DeviceAuthEndpoint is the endpoint of an IDP manager where clients can obtain device authorization code
+	DeviceAuthEndpoint string
 }

 // validateURL validates input http url
--- a/management/server/file_store.go
+++ b/management/server/file_store.go
@@ -2,6 +2,8 @@ package server

 import (
 	"fmt"
+	"github.com/netbirdio/netbird/route"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"strings"
@@ -25,6 +27,8 @@ type FileStore struct {
 	PrivateDomain2AccountId map[string]string              `json:"-"`
 	PeerKeyId2SrcRulesId    map[string]map[string]struct{} `json:"-"`
 	PeerKeyId2DstRulesId    map[string]map[string]struct{} `json:"-"`
+	PeerKeyID2RouteIDs      map[string]map[string]struct{} `json:"-"`
+	AccountPrefix2RouteIDs  map[string]map[string][]string `json:"-"`

 	// mutex to synchronise Store read/write operations
 	mux       sync.Mutex `json:"-"`
@@ -51,7 +55,9 @@ func restore(file string) (*FileStore, error) {
 			UserId2AccountId:        make(map[string]string),
 			PrivateDomain2AccountId: make(map[string]string),
 			PeerKeyId2SrcRulesId:    make(map[string]map[string]struct{}),
+			PeerKeyID2RouteIDs:      make(map[string]map[string]struct{}),
 			PeerKeyId2DstRulesId:    make(map[string]map[string]struct{}),
+			AccountPrefix2RouteIDs:  make(map[string]map[string][]string),
 			storeFile:               file,
 		}

@@ -74,8 +80,10 @@ func restore(file string) (*FileStore, error) {
 	store.PeerKeyId2AccountId = make(map[string]string)
 	store.UserId2AccountId = make(map[string]string)
 	store.PrivateDomain2AccountId = make(map[string]string)
-	store.PeerKeyId2SrcRulesId = map[string]map[string]struct{}{}
-	store.PeerKeyId2DstRulesId = map[string]map[string]struct{}{}
+	store.PeerKeyId2SrcRulesId = make(map[string]map[string]struct{})
+	store.PeerKeyId2DstRulesId = make(map[string]map[string]struct{})
+	store.PeerKeyID2RouteIDs = make(map[string]map[string]struct{})
+	store.AccountPrefix2RouteIDs = make(map[string]map[string][]string)

 	for accountId, account := range store.Accounts {
 		for setupKeyId := range account.SetupKeys {
@@ -116,6 +124,25 @@ func restore(file string) (*FileStore, error) {
 		for _, user := range account.Users {
 			store.UserId2AccountId[user.Id] = accountId
 		}
+		for _, route := range account.Routes {
+			if route.Peer == "" {
+				continue
+			}
+			if store.PeerKeyID2RouteIDs[route.Peer] == nil {
+				store.PeerKeyID2RouteIDs[route.Peer] = make(map[string]struct{})
+			}
+			store.PeerKeyID2RouteIDs[route.Peer][route.ID] = struct{}{}
+			if store.AccountPrefix2RouteIDs[account.Id] == nil {
+				store.AccountPrefix2RouteIDs[account.Id] = make(map[string][]string)
+			}
+			if _, ok := store.AccountPrefix2RouteIDs[account.Id][route.Network.String()]; !ok {
+				store.AccountPrefix2RouteIDs[account.Id][route.Network.String()] = make([]string, 0)
+			}
+			store.AccountPrefix2RouteIDs[account.Id][route.Network.String()] = append(
+				store.AccountPrefix2RouteIDs[account.Id][route.Network.String()],
+				route.ID,
+			)
+		}
 		if account.Domain != "" && account.DomainCategory == PrivateCategory &&
 			account.IsDomainPrimaryAccount {
 			store.PrivateDomain2AccountId[account.Domain] = accountId
@@ -177,11 +204,12 @@ func (s *FileStore) DeletePeer(accountId string, peerKey string) (*Peer, error)
 	if peer == nil {
 		return nil, status.Errorf(codes.NotFound, "peer not found")
 	}
-
+	peerRoutes := s.PeerKeyID2RouteIDs[peerKey]
 	delete(account.Peers, peerKey)
 	delete(s.PeerKeyId2AccountId, peerKey)
 	delete(s.PeerKeyId2DstRulesId, peerKey)
 	delete(s.PeerKeyId2SrcRulesId, peerKey)
+	delete(s.PeerKeyID2RouteIDs, peerKey)

 	// cleanup groups
 	for _, g := range account.Groups {
@@ -194,6 +222,11 @@ func (s *FileStore) DeletePeer(accountId string, peerKey string) (*Peer, error)
 		g.Peers = peers
 	}

+	for routeID := range peerRoutes {
+		account.Routes[routeID].Enabled = false
+		account.Routes[routeID].Peer = ""
+	}
+
 	err = s.persist(s.storeFile)
 	if err != nil {
 		return nil, err
@@ -238,10 +271,14 @@ func (s *FileStore) SaveAccount(account *Account) error {
 		s.SetupKeyId2AccountId[strings.ToUpper(keyId)] = account.Id
 	}

+	// enforce peer to account index and delete peer to route indexes for rebuild
 	for _, peer := range account.Peers {
 		s.PeerKeyId2AccountId[peer.Key] = account.Id
+		delete(s.PeerKeyID2RouteIDs, peer.Key)
 	}

+	delete(s.AccountPrefix2RouteIDs, account.Id)
+
 	// remove all peers related to account from rules indexes
 	cleanIDs := make([]string, 0)
 	for key := range s.PeerKeyId2SrcRulesId {
@@ -294,6 +331,26 @@ func (s *FileStore) SaveAccount(account *Account) error {
 		}
 	}

+	for _, route := range account.Routes {
+		if route.Peer == "" {
+			continue
+		}
+		if s.PeerKeyID2RouteIDs[route.Peer] == nil {
+			s.PeerKeyID2RouteIDs[route.Peer] = make(map[string]struct{})
+		}
+		s.PeerKeyID2RouteIDs[route.Peer][route.ID] = struct{}{}
+		if s.AccountPrefix2RouteIDs[account.Id] == nil {
+			s.AccountPrefix2RouteIDs[account.Id] = make(map[string][]string)
+		}
+		if _, ok := s.AccountPrefix2RouteIDs[account.Id][route.Network.String()]; !ok {
+			s.AccountPrefix2RouteIDs[account.Id][route.Network.String()] = make([]string, 0)
+		}
+		s.AccountPrefix2RouteIDs[account.Id][route.Network.String()] = append(
+			s.AccountPrefix2RouteIDs[account.Id][route.Network.String()],
+			route.ID,
+		)
+	}
+
 	for _, user := range account.Users {
 		s.UserId2AccountId[user.Id] = account.Id
 	}
@@ -305,6 +362,7 @@ func (s *FileStore) SaveAccount(account *Account) error {
 	return s.persist(s.storeFile)
 }

+// GetAccountByPrivateDomain returns account by private domain
 func (s *FileStore) GetAccountByPrivateDomain(domain string) (*Account, error) {
 	accountId, accountIdFound := s.PrivateDomain2AccountId[strings.ToLower(domain)]
 	if !accountIdFound {
@@ -322,6 +380,7 @@ func (s *FileStore) GetAccountByPrivateDomain(domain string) (*Account, error) {
 	return account, nil
 }

+// GetAccountBySetupKey returns account by setup key id
 func (s *FileStore) GetAccountBySetupKey(setupKey string) (*Account, error) {
 	accountId, accountIdFound := s.SetupKeyId2AccountId[strings.ToUpper(setupKey)]
 	if !accountIdFound {
@@ -336,6 +395,7 @@ func (s *FileStore) GetAccountBySetupKey(setupKey string) (*Account, error) {
 	return account, nil
 }

+// GetAccountPeers returns account peers
 func (s *FileStore) GetAccountPeers(accountId string) ([]*Peer, error) {
 	s.mux.Lock()
 	defer s.mux.Unlock()
@@ -353,6 +413,7 @@ func (s *FileStore) GetAccountPeers(accountId string) ([]*Peer, error) {
 	return peers, nil
 }

+// GetAllAccounts returns all accounts
 func (s *FileStore) GetAllAccounts() (all []*Account) {
 	for _, a := range s.Accounts {
 		all = append(all, a)
@@ -361,6 +422,7 @@ func (s *FileStore) GetAllAccounts() (all []*Account) {
 	return all
 }

+// GetAccount returns an account for id
 func (s *FileStore) GetAccount(accountId string) (*Account, error) {
 	account, accountFound := s.Accounts[accountId]
 	if !accountFound {
@@ -370,6 +432,7 @@ func (s *FileStore) GetAccount(accountId string) (*Account, error) {
 	return account, nil
 }

+// GetUserAccount returns a user account
 func (s *FileStore) GetUserAccount(userId string) (*Account, error) {
 	s.mux.Lock()
 	defer s.mux.Unlock()
@@ -382,10 +445,7 @@ func (s *FileStore) GetUserAccount(userId string) (*Account, error) {
 	return s.GetAccount(accountId)
 }

-func (s *FileStore) GetPeerAccount(peerKey string) (*Account, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
+func (s *FileStore) getPeerAccount(peerKey string) (*Account, error) {
 	accountId, accountIdFound := s.PeerKeyId2AccountId[peerKey]
 	if !accountIdFound {
 		return nil, status.Errorf(codes.NotFound, "Provided peer key doesn't exists %s", peerKey)
@@ -394,6 +454,15 @@ func (s *FileStore) GetPeerAccount(peerKey string) (*Account, error) {
 	return s.GetAccount(accountId)
 }

+// GetPeerAccount returns user account if exists
+func (s *FileStore) GetPeerAccount(peerKey string) (*Account, error) {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+
+	return s.getPeerAccount(peerKey)
+}
+
+// GetPeerSrcRules return list of source rules for peer
 func (s *FileStore) GetPeerSrcRules(accountId, peerKey string) ([]*Rule, error) {
 	s.mux.Lock()
 	defer s.mux.Unlock()
@@ -419,6 +488,7 @@ func (s *FileStore) GetPeerSrcRules(accountId, peerKey string) ([]*Rule, error)
 	return rules, nil
 }

+// GetPeerDstRules return list of destination rules for peer
 func (s *FileStore) GetPeerDstRules(accountId, peerKey string) ([]*Rule, error) {
 	s.mux.Lock()
 	defer s.mux.Unlock()
@@ -443,3 +513,56 @@ func (s *FileStore) GetPeerDstRules(accountId, peerKey string) ([]*Rule, error)

 	return rules, nil
 }
+
+// GetPeerRoutes return list of routes for peer
+func (s *FileStore) GetPeerRoutes(peerKey string) ([]*route.Route, error) {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+
+	account, err := s.getPeerAccount(peerKey)
+	if err != nil {
+		return nil, err
+	}
+
+	var routes []*route.Route
+
+	routeIDs, ok := s.PeerKeyID2RouteIDs[peerKey]
+	if !ok {
+		return routes, nil
+	}
+
+	for id := range routeIDs {
+		route, found := account.Routes[id]
+		if found {
+			routes = append(routes, route)
+		}
+	}
+
+	return routes, nil
+}
+
+// GetRoutesByPrefix return list of routes by account and route prefix
+func (s *FileStore) GetRoutesByPrefix(accountID string, prefix netip.Prefix) ([]*route.Route, error) {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+
+	account, err := s.GetAccount(accountID)
+	if err != nil {
+		return nil, err
+	}
+
+	routeIDs, ok := s.AccountPrefix2RouteIDs[accountID][prefix.String()]
+	if !ok {
+		return nil, status.Errorf(codes.NotFound, "no routes for prefix: %v", prefix.String())
+	}
+
+	var routes []*route.Route
+	for _, id := range routeIDs {
+		route, found := account.Routes[id]
+		if found {
+			routes = append(routes, route)
+		}
+	}
+
+	return routes, nil
+}
--- a/management/server/grpcserver.go
+++ b/management/server/grpcserver.go
@@ -3,6 +3,8 @@ package server
 import (
 	"context"
 	"fmt"
+	"github.com/netbirdio/netbird/route"
+	gPeer "google.golang.org/grpc/peer"
 	"strings"
 	"time"

@@ -18,8 +20,8 @@ import (
 	"google.golang.org/grpc/status"
 )

-// Server an instance of a Management server
-type Server struct {
+// GRPCServer an instance of a Management gRPC API server
+type GRPCServer struct {
 	accountManager AccountManager
 	wgKey          wgtypes.Key
 	proto.UnimplementedManagementServiceServer
@@ -30,7 +32,7 @@ type Server struct {
 }

 // NewServer creates a new Management server
-func NewServer(config *Config, accountManager AccountManager, peersUpdateManager *PeersUpdateManager, turnCredentialsManager TURNCredentialsManager) (*Server, error) {
+func NewServer(config *Config, accountManager AccountManager, peersUpdateManager *PeersUpdateManager, turnCredentialsManager TURNCredentialsManager) (*GRPCServer, error) {
 	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		return nil, err
@@ -50,7 +52,7 @@ func NewServer(config *Config, accountManager AccountManager, peersUpdateManager
 		log.Debug("unable to use http config to create new jwt middleware")
 	}

-	return &Server{
+	return &GRPCServer{
 		wgKey: key,
 		// peerKey -> event channel
 		peersUpdateManager:     peersUpdateManager,
@@ -61,7 +63,7 @@ func NewServer(config *Config, accountManager AccountManager, peersUpdateManager
 	}, nil
 }

-func (s *Server) GetServerKey(ctx context.Context, req *proto.Empty) (*proto.ServerKeyResponse, error) {
+func (s *GRPCServer) GetServerKey(ctx context.Context, req *proto.Empty) (*proto.ServerKeyResponse, error) {
 	// todo introduce something more meaningful with the key expiration/rotation
 	now := time.Now().Add(24 * time.Hour)
 	secs := int64(now.Second())
@@ -76,7 +78,7 @@ func (s *Server) GetServerKey(ctx context.Context, req *proto.Empty) (*proto.Ser

 // Sync validates the existence of a connecting peer, sends an initial state (all available for the connecting peers) and
 // notifies the connected peer of any updates (e.g. new peers under the same account)
-func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_SyncServer) error {
+func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_SyncServer) error {
 	log.Debugf("Sync request from peer %s", req.WgPubKey)

 	peerKey, err := wgtypes.ParseKey(req.GetWgPubKey())
@@ -87,17 +89,24 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S

 	peer, err := s.accountManager.GetPeer(peerKey.String())
 	if err != nil {
-		return status.Errorf(codes.PermissionDenied, "provided peer with the key wgPubKey %s is not registered", peerKey.String())
+		p, _ := gPeer.FromContext(srv.Context())
+		msg := status.Errorf(codes.PermissionDenied, "provided peer with the key wgPubKey %s is not registered, remote addr is %s", peerKey.String(), p.Addr.String())
+		log.Debug(msg)
+		return msg
 	}

 	syncReq := &proto.SyncRequest{}
 	err = encryption.DecryptMessage(peerKey, s.wgKey, req.Body, syncReq)
 	if err != nil {
-		return status.Errorf(codes.InvalidArgument, "invalid request message")
+		p, _ := gPeer.FromContext(srv.Context())
+		msg := status.Errorf(codes.InvalidArgument, "invalid request message from %s,remote addr is %s", peerKey.String(), p.Addr.String())
+		log.Debug(msg)
+		return msg
 	}

 	err = s.sendInitialSync(peerKey, peer, srv)
 	if err != nil {
+		log.Debugf("error while sending initial sync for %s: %v", peerKey.String(), err)
 		return err
 	}

@@ -116,7 +125,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 		// condition when there are some updates
 		case update, open := <-updates:
 			if !open {
-				// updates channel has been closed
+				log.Debugf("updates channel for peer %s was closed", peerKey.String())
 				return nil
 			}
 			log.Debugf("recevied an update for peer %s", peerKey.String())
@@ -150,7 +159,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 	}
 }

-func (s *Server) registerPeer(peerKey wgtypes.Key, req *proto.LoginRequest) (*Peer, error) {
+func (s *GRPCServer) registerPeer(peerKey wgtypes.Key, req *proto.LoginRequest) (*Peer, error) {
 	var (
 		reqSetupKey string
 		userId      string
@@ -230,7 +239,7 @@ func (s *Server) registerPeer(peerKey wgtypes.Key, req *proto.LoginRequest) (*Pe
 				peersToSend = append(peersToSend, p)
 			}
 		}
-		update := toSyncResponse(s.config, remotePeer, peersToSend, nil, networkMap.Network.CurrentSerial(), networkMap.Network)
+		update := toSyncResponse(s.config, remotePeer, peersToSend, networkMap.Routes, nil, networkMap.Network.CurrentSerial(), networkMap.Network)
 		err = s.peersUpdateManager.SendUpdate(remotePeer.Key, &UpdateMessage{Update: update})
 		if err != nil {
 			// todo rethink if we should keep this return
@@ -245,7 +254,7 @@ func (s *Server) registerPeer(peerKey wgtypes.Key, req *proto.LoginRequest) (*Pe
 // In case it is, the login is successful
 // In case it isn't, the endpoint checks whether setup key is provided within the request and tries to register a peer.
 // In case of the successful registration login is also successful
-func (s *Server) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error) {
+func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error) {
 	log.Debugf("Login request from peer %s", req.WgPubKey)

 	peerKey, err := wgtypes.ParseKey(req.GetWgPubKey())
@@ -265,8 +274,13 @@ func (s *Server) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto
 		if errStatus, ok := status.FromError(err); ok && errStatus.Code() == codes.NotFound {
 			// peer doesn't exist -> check if setup key was provided
 			if loginReq.GetJwtToken() == "" && loginReq.GetSetupKey() == "" {
-				// absent setup key -> permission denied
-				return nil, status.Errorf(codes.PermissionDenied, "provided peer with the key wgPubKey %s is not registered and no setup key or jwt was provided", peerKey.String())
+				// absent setup key or jwt -> permission denied
+				p, _ := gPeer.FromContext(ctx)
+				msg := status.Errorf(codes.PermissionDenied,
+					"provided peer with the key wgPubKey %s is not registered and no setup key or jwt was provided,"+
+						" remote addr is %s", peerKey.String(), p.Addr.String())
+				log.Debug(msg)
+				return nil, msg
 			}

 			// setup key or jwt is present -> try normal registration flow
@@ -407,13 +421,15 @@ func toRemotePeerConfig(peers []*Peer) []*proto.RemotePeerConfig {
 	return remotePeers
 }

-func toSyncResponse(config *Config, peer *Peer, peers []*Peer, turnCredentials *TURNCredentials, serial uint64, network *Network) *proto.SyncResponse {
+func toSyncResponse(config *Config, peer *Peer, peers []*Peer, routes []*route.Route, turnCredentials *TURNCredentials, serial uint64, network *Network) *proto.SyncResponse {
 	wtConfig := toWiretrusteeConfig(config, turnCredentials)

 	pConfig := toPeerConfig(peer, network)

 	remotePeers := toRemotePeerConfig(peers)

+	routesUpdate := toProtocolRoutes(routes)
+
 	return &proto.SyncResponse{
 		WiretrusteeConfig:  wtConfig,
 		PeerConfig:         pConfig,
@@ -424,17 +440,18 @@ func toSyncResponse(config *Config, peer *Peer, peers []*Peer, turnCredentials *
 			PeerConfig:         pConfig,
 			RemotePeers:        remotePeers,
 			RemotePeersIsEmpty: len(remotePeers) == 0,
+			Routes:             routesUpdate,
 		},
 	}
 }

 // IsHealthy indicates whether the service is healthy
-func (s *Server) IsHealthy(ctx context.Context, req *proto.Empty) (*proto.Empty, error) {
+func (s *GRPCServer) IsHealthy(ctx context.Context, req *proto.Empty) (*proto.Empty, error) {
 	return &proto.Empty{}, nil
 }

 // sendInitialSync sends initial proto.SyncResponse to the peer requesting synchronization
-func (s *Server) sendInitialSync(peerKey wgtypes.Key, peer *Peer, srv proto.ManagementService_SyncServer) error {
+func (s *GRPCServer) sendInitialSync(peerKey wgtypes.Key, peer *Peer, srv proto.ManagementService_SyncServer) error {
 	networkMap, err := s.accountManager.GetNetworkMap(peer.Key)
 	if err != nil {
 		log.Warnf("error getting a list of peers for a peer %s", peer.Key)
@@ -449,7 +466,7 @@ func (s *Server) sendInitialSync(peerKey wgtypes.Key, peer *Peer, srv proto.Mana
 	} else {
 		turnCredentials = nil
 	}
-	plainResp := toSyncResponse(s.config, peer, networkMap.Peers, turnCredentials, networkMap.Network.CurrentSerial(), networkMap.Network)
+	plainResp := toSyncResponse(s.config, peer, networkMap.Peers, networkMap.Routes, turnCredentials, networkMap.Network.CurrentSerial(), networkMap.Network)

 	encryptedResp, err := encryption.EncryptMessage(peerKey, s.wgKey, plainResp)
 	if err != nil {
@@ -472,7 +489,7 @@ func (s *Server) sendInitialSync(peerKey wgtypes.Key, peer *Peer, srv proto.Mana
 // GetDeviceAuthorizationFlow returns a device authorization flow information
 // This is used for initiating an Oauth 2 device authorization grant flow
 // which will be used by our clients to Login
-func (s *Server) GetDeviceAuthorizationFlow(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error) {
+func (s *GRPCServer) GetDeviceAuthorizationFlow(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error) {
 	peerKey, err := wgtypes.ParseKey(req.GetWgPubKey())
 	if err != nil {
 		errMSG := fmt.Sprintf("error while parsing peer's Wireguard public key %s on GetDeviceAuthorizationFlow request.", req.WgPubKey)
@@ -487,7 +504,7 @@ func (s *Server) GetDeviceAuthorizationFlow(ctx context.Context, req *proto.Encr
 		return nil, status.Error(codes.InvalidArgument, errMSG)
 	}

-	if s.config.DeviceAuthorizationFlow == nil {
+	if s.config.DeviceAuthorizationFlow == nil || s.config.DeviceAuthorizationFlow.Provider == string(NONE) {
 		return nil, status.Error(codes.NotFound, "no device authorization flow information available")
 	}

@@ -499,10 +516,12 @@ func (s *Server) GetDeviceAuthorizationFlow(ctx context.Context, req *proto.Encr
 	flowInfoResp := &proto.DeviceAuthorizationFlow{
 		Provider: proto.DeviceAuthorizationFlowProvider(provider),
 		ProviderConfig: &proto.ProviderConfig{
-			ClientID:     s.config.DeviceAuthorizationFlow.ProviderConfig.ClientID,
-			ClientSecret: s.config.DeviceAuthorizationFlow.ProviderConfig.ClientSecret,
-			Domain:       s.config.DeviceAuthorizationFlow.ProviderConfig.Domain,
-			Audience:     s.config.DeviceAuthorizationFlow.ProviderConfig.Audience,
+			ClientID:           s.config.DeviceAuthorizationFlow.ProviderConfig.ClientID,
+			ClientSecret:       s.config.DeviceAuthorizationFlow.ProviderConfig.ClientSecret,
+			Domain:             s.config.DeviceAuthorizationFlow.ProviderConfig.Domain,
+			Audience:           s.config.DeviceAuthorizationFlow.ProviderConfig.Audience,
+			DeviceAuthEndpoint: s.config.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint,
+			TokenEndpoint:      s.config.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint,
 		},
 	}

--- a/management/server/http/api/openapi.yml
+++ b/management/server/http/api/openapi.yml
@@ -14,6 +14,8 @@ tags:
    description: Interact with and view information about groups.
  - name: Rules
    description: Interact with and view information about rules.
+  - name: Routes
+    description: Interact with and view information about routes.
 components:
  schemas:
    User:
@@ -191,17 +193,13 @@ components:
                $ref: '#/components/schemas/PeerMinimum'
          required:
          - peers
-    GroupPatchOperation:
+    PatchMinimum:
      type: object
      properties:
        op:
          description: Patch operation type
          type: string
          enum: [ "replace","add","remove" ]
-        path:
-          description: Group field to update in form /<field>
-          type: string
-          enum: [ "name","peers" ]
        value:
          description: Values to be applied
          type: array
@@ -209,8 +207,19 @@ components:
            type: string
      required:
        - op
-        - path
        - value
+    GroupPatchOperation:
+      allOf:
+        - $ref: '#/components/schemas/PatchMinimum'
+        - type: object
+          properties:
+            path:
+              description: Group field to update in form /<field>
+              type: string
+              enum: [ "name","peers" ]
+          required:
+            - path
+
    RuleMinimum:
      type: object
      properties:
@@ -257,25 +266,79 @@ components:
          - sources
          - destinations
    RulePatchOperation:
+      allOf:
+        - $ref: '#/components/schemas/PatchMinimum'
+        - type: object
+          properties:
+            path:
+              description: Rule field to update in form /<field>
+              type: string
+              enum: [ "name","description","disabled","flow","sources","destinations" ]
+          required:
+            - path
+    RouteRequest:
      type: object
      properties:
-        op:
-          description: Patch operation type
+        description:
+          description: Route description
          type: string
-          enum: [ "replace","add","remove" ]
-        path:
-          description: Rule field to update in form /<field>
+        network_id:
+          description: Route network identifier, to group HA routes
          type: string
-          enum: [ "name","description","disabled","flow","sources","destinations" ]
-        value:
-          description: Values to be applied
-          type: array
-          items:
-            type: string
+          maxLength: 40
+          minLength: 1
+        enabled:
+          description: Route status
+          type: boolean
+        peer:
+          description: Peer Identifier associated with route
+          type: string
+        network:
+          description: Network range in CIDR format
+          type: string
+        metric:
+          description: Route metric number. Lowest number has higher priority
+          type: integer
+          maximum: 9999
+          minimum: 1
+        masquerade:
+          description: Indicate if peer should masquerade traffic to this route's prefix
+          type: boolean
      required:
-        - op
-        - path
-        - value
+        - id
+        - description
+        - network_id
+        - enabled
+        - peer
+        - network
+        - metric
+        - masquerade
+    Route:
+      allOf:
+        - type: object
+          properties:
+            id:
+              description: Route Id
+              type: string
+            network_type:
+              description: Network type indicating if it is IPv4 or IPv6
+              type: string
+          required:
+            - id
+            - network_type
+        - $ref: '#/components/schemas/RouteRequest'
+    RoutePatchOperation:
+      allOf:
+        - $ref: '#/components/schemas/PatchMinimum'
+        - type: object
+          properties:
+            path:
+              description: Route field to update in form /<field>
+              type: string
+              enum: [ "network","network_id","description","enabled","peer","metric","masquerade" ]
+          required:
+            - path
+
  responses:
    not_found:
      description: Resource not found
@@ -945,5 +1008,176 @@ paths:
          "$ref": "#/components/responses/requires_authentication"
        '403':
          "$ref": "#/components/responses/forbidden"
+        '500':
+          "$ref": "#/components/responses/internal_error"
+
+  /api/routes:
+    get:
+      summary: Returns a list of all routes
+      tags: [ Routes ]
+      security:
+        - BearerAuth: [ ]
+      responses:
+        '200':
+          description: A JSON Array of Routes
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/Route'
+        '400':
+          "$ref": "#/components/responses/bad_request"
+        '401':
+          "$ref": "#/components/responses/requires_authentication"
+        '403':
+          "$ref": "#/components/responses/forbidden"
+        '500':
+          "$ref": "#/components/responses/internal_error"
+    post:
+      summary: Creates a Route
+      tags: [ Routes ]
+      security:
+        - BearerAuth: [ ]
+      requestBody:
+        description: New Routes request
+        content:
+          'application/json':
+            schema:
+              $ref: '#/components/schemas/RouteRequest'
+      responses:
+        '200':
+          description: A Route Object
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Route'
+        '400':
+          "$ref": "#/components/responses/bad_request"
+        '401':
+          "$ref": "#/components/responses/requires_authentication"
+        '403':
+          "$ref": "#/components/responses/forbidden"
+        '500':
+          "$ref": "#/components/responses/internal_error"
+
+  /api/routes/{id}:
+    get:
+      summary: Get information about a Routes
+      tags: [ Routes ]
+      security:
+        - BearerAuth: [ ]
+      parameters:
+        - in: path
+          name: id
+          required: true
+          schema:
+            type: string
+          description: The Route ID
+      responses:
+        '200':
+          description: A Route object
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Route'
+        '400':
+          "$ref": "#/components/responses/bad_request"
+        '401':
+          "$ref": "#/components/responses/requires_authentication"
+        '403':
+          "$ref": "#/components/responses/forbidden"
+        '500':
+          "$ref": "#/components/responses/internal_error"
+    put:
+      summary: Update/Replace a Route
+      tags: [ Routes ]
+      security:
+        - BearerAuth: [ ]
+      parameters:
+        - in: path
+          name: id
+          required: true
+          schema:
+            type: string
+          description: The Route ID
+      requestBody:
+        description: Update Route request
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RouteRequest'
+      responses:
+        '200':
+          description: A Route object
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Route'
+        '400':
+          "$ref": "#/components/responses/bad_request"
+        '401':
+          "$ref": "#/components/responses/requires_authentication"
+        '403':
+          "$ref": "#/components/responses/forbidden"
+        '500':
+          "$ref": "#/components/responses/internal_error"
+    patch:
+      summary: Update information about a Route
+      tags: [ Routes ]
+      security:
+        - BearerAuth: [ ]
+      parameters:
+        - in: path
+          name: id
+          required: true
+          schema:
+            type: string
+          description: The Route ID
+      requestBody:
+        description: Update Route request using a list of json patch objects
+        content:
+          'application/json':
+            schema:
+              type: array
+              items:
+                $ref: '#/components/schemas/RoutePatchOperation'
+      responses:
+        '200':
+          description: A Route object
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Route'
+        '400':
+          "$ref": "#/components/responses/bad_request"
+        '401':
+          "$ref": "#/components/responses/requires_authentication"
+        '403':
+          "$ref": "#/components/responses/forbidden"
+        '500':
+          "$ref": "#/components/responses/internal_error"
+    delete:
+      summary: Delete a Route
+      tags: [ Routes ]
+      security:
+        - BearerAuth: [ ]
+      parameters:
+        - in: path
+          name: id
+          required: true
+          schema:
+            type: string
+          description: The Route ID
+      responses:
+        '200':
+          description: Delete status code
+          content: { }
+        '400':
+          "$ref": "#/components/responses/bad_request"
+        '401':
+          "$ref": "#/components/responses/requires_authentication"
+        '403':
+          "$ref": "#/components/responses/forbidden"
        '500':
          "$ref": "#/components/responses/internal_error"
--- a/management/server/http/api/types.gen.go
+++ b/management/server/http/api/types.gen.go
@@ -24,6 +24,31 @@ const (
 	GroupPatchOperationPathPeers GroupPatchOperationPath = "peers"
 )

+// Defines values for PatchMinimumOp.
+const (
+	PatchMinimumOpAdd     PatchMinimumOp = "add"
+	PatchMinimumOpRemove  PatchMinimumOp = "remove"
+	PatchMinimumOpReplace PatchMinimumOp = "replace"
+)
+
+// Defines values for RoutePatchOperationOp.
+const (
+	RoutePatchOperationOpAdd     RoutePatchOperationOp = "add"
+	RoutePatchOperationOpRemove  RoutePatchOperationOp = "remove"
+	RoutePatchOperationOpReplace RoutePatchOperationOp = "replace"
+)
+
+// Defines values for RoutePatchOperationPath.
+const (
+	RoutePatchOperationPathDescription RoutePatchOperationPath = "description"
+	RoutePatchOperationPathEnabled     RoutePatchOperationPath = "enabled"
+	RoutePatchOperationPathMasquerade  RoutePatchOperationPath = "masquerade"
+	RoutePatchOperationPathMetric      RoutePatchOperationPath = "metric"
+	RoutePatchOperationPathNetwork     RoutePatchOperationPath = "network"
+	RoutePatchOperationPathNetworkId   RoutePatchOperationPath = "network_id"
+	RoutePatchOperationPathPeer        RoutePatchOperationPath = "peer"
+)
+
 // Defines values for RulePatchOperationOp.
 const (
 	RulePatchOperationOpAdd     RulePatchOperationOp = "add"
@@ -86,6 +111,18 @@ type GroupPatchOperationOp string
 // Group field to update in form /<field>
 type GroupPatchOperationPath string

+// PatchMinimum defines model for PatchMinimum.
+type PatchMinimum struct {
+	// Patch operation type
+	Op PatchMinimumOp `json:"op"`
+
+	// Values to be applied
+	Value []string `json:"value"`
+}
+
+// Patch operation type
+type PatchMinimumOp string
+
 // Peer defines model for Peer.
 type Peer struct {
 	// Provides information of who activated the Peer. User or Setup Key
@@ -131,6 +168,78 @@ type PeerMinimum struct {
 	Name string `json:"name"`
 }

+// Route defines model for Route.
+type Route struct {
+	// Route description
+	Description string `json:"description"`
+
+	// Route status
+	Enabled bool `json:"enabled"`
+
+	// Route Id
+	Id string `json:"id"`
+
+	// Indicate if peer should masquerade traffic to this route's prefix
+	Masquerade bool `json:"masquerade"`
+
+	// Route metric number. Lowest number has higher priority
+	Metric int `json:"metric"`
+
+	// Network range in CIDR format
+	Network string `json:"network"`
+
+	// Route network identifier, to group HA routes
+	NetworkId string `json:"network_id"`
+
+	// Network type indicating if it is IPv4 or IPv6
+	NetworkType string `json:"network_type"`
+
+	// Peer Identifier associated with route
+	Peer string `json:"peer"`
+}
+
+// RoutePatchOperation defines model for RoutePatchOperation.
+type RoutePatchOperation struct {
+	// Patch operation type
+	Op RoutePatchOperationOp `json:"op"`
+
+	// Route field to update in form /<field>
+	Path RoutePatchOperationPath `json:"path"`
+
+	// Values to be applied
+	Value []string `json:"value"`
+}
+
+// Patch operation type
+type RoutePatchOperationOp string
+
+// Route field to update in form /<field>
+type RoutePatchOperationPath string
+
+// RouteRequest defines model for RouteRequest.
+type RouteRequest struct {
+	// Route description
+	Description string `json:"description"`
+
+	// Route status
+	Enabled bool `json:"enabled"`
+
+	// Indicate if peer should masquerade traffic to this route's prefix
+	Masquerade bool `json:"masquerade"`
+
+	// Route metric number. Lowest number has higher priority
+	Metric int `json:"metric"`
+
+	// Network range in CIDR format
+	Network string `json:"network"`
+
+	// Route network identifier, to group HA routes
+	NetworkId string `json:"network_id"`
+
+	// Peer Identifier associated with route
+	Peer string `json:"peer"`
+}
+
 // Rule defines model for Rule.
 type Rule struct {
 	// Rule friendly description
@@ -272,6 +381,15 @@ type PutApiPeersIdJSONBody struct {
 	SshEnabled bool   `json:"ssh_enabled"`
 }

+// PostApiRoutesJSONBody defines parameters for PostApiRoutes.
+type PostApiRoutesJSONBody = RouteRequest
+
+// PatchApiRoutesIdJSONBody defines parameters for PatchApiRoutesId.
+type PatchApiRoutesIdJSONBody = []RoutePatchOperation
+
+// PutApiRoutesIdJSONBody defines parameters for PutApiRoutesId.
+type PutApiRoutesIdJSONBody = RouteRequest
+
 // PostApiRulesJSONBody defines parameters for PostApiRules.
 type PostApiRulesJSONBody struct {
 	// Rule friendly description
@@ -327,6 +445,15 @@ type PutApiGroupsIdJSONRequestBody PutApiGroupsIdJSONBody
 // PutApiPeersIdJSONRequestBody defines body for PutApiPeersId for application/json ContentType.
 type PutApiPeersIdJSONRequestBody PutApiPeersIdJSONBody

+// PostApiRoutesJSONRequestBody defines body for PostApiRoutes for application/json ContentType.
+type PostApiRoutesJSONRequestBody = PostApiRoutesJSONBody
+
+// PatchApiRoutesIdJSONRequestBody defines body for PatchApiRoutesId for application/json ContentType.
+type PatchApiRoutesIdJSONRequestBody = PatchApiRoutesIdJSONBody
+
+// PutApiRoutesIdJSONRequestBody defines body for PutApiRoutesId for application/json ContentType.
+type PutApiRoutesIdJSONRequestBody = PutApiRoutesIdJSONBody
+
 // PostApiRulesJSONRequestBody defines body for PostApiRules for application/json ContentType.
 type PostApiRulesJSONRequestBody PostApiRulesJSONBody

--- a/management/server/http/handler/groups.go
+++ b/management/server/http/handler/groups.go
@@ -1,4 +1,4 @@
-package handler
+package http

 import (
 	"encoding/json"
--- a/management/server/http/handler/groups_test.go
+++ b/management/server/http/handler/groups_test.go
@@ -1,4 +1,4 @@
-package handler
+package http

 import (
 	"bytes"
--- a/management/server/http/handler.go
+++ b/management/server/http/handler.go
@@ -0,0 +1,72 @@
+package http
+
+import (
+	"github.com/gorilla/mux"
+	s "github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/http/middleware"
+	"github.com/rs/cors"
+	"net/http"
+)
+
+// APIHandler creates the Management service HTTP API handler registering all the available endpoints.
+func APIHandler(accountManager s.AccountManager, authIssuer string, authAudience string, authKeysLocation string) (http.Handler, error) {
+	jwtMiddleware, err := middleware.NewJwtMiddleware(
+		authIssuer,
+		authAudience,
+		authKeysLocation,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	corsMiddleware := cors.AllowAll()
+
+	acMiddleware := middleware.NewAccessControll(
+		authAudience,
+		accountManager.IsUserAdmin)
+
+	apiHandler := mux.NewRouter()
+	apiHandler.Use(corsMiddleware.Handler, jwtMiddleware.Handler, acMiddleware.Handler)
+
+	groupsHandler := NewGroups(accountManager, authAudience)
+	rulesHandler := NewRules(accountManager, authAudience)
+	peersHandler := NewPeers(accountManager, authAudience)
+	keysHandler := NewSetupKeysHandler(accountManager, authAudience)
+	userHandler := NewUserHandler(accountManager, authAudience)
+	routesHandler := NewRoutes(accountManager, authAudience)
+
+	apiHandler.HandleFunc("/api/peers", peersHandler.GetPeers).Methods("GET", "OPTIONS")
+	apiHandler.HandleFunc("/api/peers/{id}", peersHandler.HandlePeer).
+		Methods("GET", "PUT", "DELETE", "OPTIONS")
+	apiHandler.HandleFunc("/api/users", userHandler.GetUsers).Methods("GET", "OPTIONS")
+	apiHandler.HandleFunc("/api/setup-keys", keysHandler.GetKeys).Methods("GET", "POST", "OPTIONS")
+	apiHandler.HandleFunc("/api/setup-keys/{id}", keysHandler.HandleKey).Methods("GET", "PUT", "OPTIONS")
+
+	apiHandler.HandleFunc("/api/setup-keys", keysHandler.GetKeys).Methods("POST", "OPTIONS")
+	apiHandler.HandleFunc("/api/setup-keys/{id}", keysHandler.HandleKey).
+		Methods("GET", "PUT", "DELETE", "OPTIONS")
+
+	apiHandler.HandleFunc("/api/rules", rulesHandler.GetAllRulesHandler).Methods("GET", "OPTIONS")
+	apiHandler.HandleFunc("/api/rules", rulesHandler.CreateRuleHandler).Methods("POST", "OPTIONS")
+	apiHandler.HandleFunc("/api/rules/{id}", rulesHandler.UpdateRuleHandler).Methods("PUT", "OPTIONS")
+	apiHandler.HandleFunc("/api/rules/{id}", rulesHandler.PatchRuleHandler).Methods("PATCH", "OPTIONS")
+	apiHandler.HandleFunc("/api/rules/{id}", rulesHandler.GetRuleHandler).Methods("GET", "OPTIONS")
+	apiHandler.HandleFunc("/api/rules/{id}", rulesHandler.DeleteRuleHandler).Methods("DELETE", "OPTIONS")
+
+	apiHandler.HandleFunc("/api/groups", groupsHandler.GetAllGroupsHandler).Methods("GET", "OPTIONS")
+	apiHandler.HandleFunc("/api/groups", groupsHandler.CreateGroupHandler).Methods("POST", "OPTIONS")
+	apiHandler.HandleFunc("/api/groups/{id}", groupsHandler.UpdateGroupHandler).Methods("PUT", "OPTIONS")
+	apiHandler.HandleFunc("/api/groups/{id}", groupsHandler.PatchGroupHandler).Methods("PATCH", "OPTIONS")
+	apiHandler.HandleFunc("/api/groups/{id}", groupsHandler.GetGroupHandler).Methods("GET", "OPTIONS")
+	apiHandler.HandleFunc("/api/groups/{id}", groupsHandler.DeleteGroupHandler).Methods("DELETE", "OPTIONS")
+
+	apiHandler.HandleFunc("/api/routes", routesHandler.GetAllRoutesHandler).Methods("GET", "OPTIONS")
+	apiHandler.HandleFunc("/api/routes", routesHandler.CreateRouteHandler).Methods("POST", "OPTIONS")
+	apiHandler.HandleFunc("/api/routes/{id}", routesHandler.UpdateRouteHandler).Methods("PUT", "OPTIONS")
+	apiHandler.HandleFunc("/api/routes/{id}", routesHandler.PatchRouteHandler).Methods("PATCH", "OPTIONS")
+	apiHandler.HandleFunc("/api/routes/{id}", routesHandler.GetRouteHandler).Methods("GET", "OPTIONS")
+	apiHandler.HandleFunc("/api/routes/{id}", routesHandler.DeleteRouteHandler).Methods("DELETE", "OPTIONS")
+
+	return apiHandler, nil
+
+}
--- a/management/server/http/handler/peers.go
+++ b/management/server/http/handler/peers.go
@@ -1,4 +1,4 @@
-package handler
+package http

 import (
 	"encoding/json"
--- a/management/server/http/handler/peers_test.go
+++ b/management/server/http/handler/peers_test.go
@@ -1,4 +1,4 @@
-package handler
+package http

 import (
 	"encoding/json"
--- a/management/server/http/routes.go
+++ b/management/server/http/routes.go
@@ -0,0 +1,403 @@
+package http
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/gorilla/mux"
+	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/http/api"
+	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	"github.com/netbirdio/netbird/route"
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"net/http"
+	"unicode/utf8"
+)
+
+// Routes is the routes handler of the account
+type Routes struct {
+	jwtExtractor   jwtclaims.ClaimsExtractor
+	accountManager server.AccountManager
+	authAudience   string
+}
+
+// NewRoutes returns a new instance of Routes handler
+func NewRoutes(accountManager server.AccountManager, authAudience string) *Routes {
+	return &Routes{
+		accountManager: accountManager,
+		authAudience:   authAudience,
+		jwtExtractor:   *jwtclaims.NewClaimsExtractor(nil),
+	}
+}
+
+// GetAllRoutesHandler returns the list of routes for the account
+func (h *Routes) GetAllRoutesHandler(w http.ResponseWriter, r *http.Request) {
+	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
+	if err != nil {
+		log.Error(err)
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	routes, err := h.accountManager.ListRoutes(account.Id)
+	if err != nil {
+		log.Error(err)
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+	apiRoutes := make([]*api.Route, 0)
+	for _, r := range routes {
+		apiRoutes = append(apiRoutes, toRouteResponse(account, r))
+	}
+
+	writeJSONObject(w, apiRoutes)
+}
+
+// CreateRouteHandler handles route creation request
+func (h *Routes) CreateRouteHandler(w http.ResponseWriter, r *http.Request) {
+	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
+	if err != nil {
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	var req api.PostApiRoutesJSONRequestBody
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	peerKey := req.Peer
+	if req.Peer != "" {
+		peer, err := h.accountManager.GetPeerByIP(account.Id, req.Peer)
+		if err != nil {
+			log.Error(err)
+			http.Redirect(w, r, "/", http.StatusUnprocessableEntity)
+			return
+		}
+		peerKey = peer.Key
+	}
+
+	_, newPrefix, err := route.ParseNetwork(req.Network)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("couldn't parse update prefix %s", req.Network), http.StatusBadRequest)
+		return
+	}
+
+	if utf8.RuneCountInString(req.NetworkId) > route.MaxNetIDChar || req.NetworkId == "" {
+		http.Error(w, fmt.Sprintf("identifier should be between 1 and %d", route.MaxNetIDChar), http.StatusBadRequest)
+		return
+	}
+
+	newRoute, err := h.accountManager.CreateRoute(account.Id, newPrefix.String(), peerKey, req.Description, req.NetworkId, req.Masquerade, req.Metric, req.Enabled)
+	if err != nil {
+		log.Error(err)
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	resp := toRouteResponse(account, newRoute)
+
+	writeJSONObject(w, &resp)
+}
+
+// UpdateRouteHandler handles update to a route identified by a given ID
+func (h *Routes) UpdateRouteHandler(w http.ResponseWriter, r *http.Request) {
+	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
+	if err != nil {
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	vars := mux.Vars(r)
+	routeID := vars["id"]
+	if len(routeID) == 0 {
+		http.Error(w, "invalid route Id", http.StatusBadRequest)
+		return
+	}
+
+	_, err = h.accountManager.GetRoute(account.Id, routeID)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("couldn't find route for ID %s", routeID), http.StatusNotFound)
+		return
+	}
+
+	var req api.PutApiRoutesIdJSONBody
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	prefixType, newPrefix, err := route.ParseNetwork(req.Network)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("couldn't parse update prefix %s for route ID %s", req.Network, routeID), http.StatusBadRequest)
+		return
+	}
+
+	peerKey := req.Peer
+	if req.Peer != "" {
+		peer, err := h.accountManager.GetPeerByIP(account.Id, req.Peer)
+		if err != nil {
+			log.Error(err)
+			http.Redirect(w, r, "/", http.StatusUnprocessableEntity)
+			return
+		}
+		peerKey = peer.Key
+	}
+
+	if utf8.RuneCountInString(req.NetworkId) > route.MaxNetIDChar || req.NetworkId == "" {
+		http.Error(w, fmt.Sprintf("identifier should be between 1 and %d", route.MaxNetIDChar), http.StatusBadRequest)
+		return
+	}
+
+	newRoute := &route.Route{
+		ID:          routeID,
+		Network:     newPrefix,
+		NetID:       req.NetworkId,
+		NetworkType: prefixType,
+		Masquerade:  req.Masquerade,
+		Peer:        peerKey,
+		Metric:      req.Metric,
+		Description: req.Description,
+		Enabled:     req.Enabled,
+	}
+
+	err = h.accountManager.SaveRoute(account.Id, newRoute)
+	if err != nil {
+		log.Errorf("failed updating route \"%s\" under account %s %v", routeID, account.Id, err)
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	resp := toRouteResponse(account, newRoute)
+
+	writeJSONObject(w, &resp)
+}
+
+// PatchRouteHandler handles patch updates to a route identified by a given ID
+func (h *Routes) PatchRouteHandler(w http.ResponseWriter, r *http.Request) {
+	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
+	if err != nil {
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	vars := mux.Vars(r)
+	routeID := vars["id"]
+	if len(routeID) == 0 {
+		http.Error(w, "invalid route ID", http.StatusBadRequest)
+		return
+	}
+
+	_, err = h.accountManager.GetRoute(account.Id, routeID)
+	if err != nil {
+		log.Error(err)
+		http.Error(w, fmt.Sprintf("couldn't find route ID %s", routeID), http.StatusNotFound)
+		return
+	}
+
+	var req api.PatchApiRoutesIdJSONRequestBody
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	if len(req) == 0 {
+		http.Error(w, "no patch instruction received", http.StatusBadRequest)
+		return
+	}
+
+	var operations []server.RouteUpdateOperation
+
+	for _, patch := range req {
+		switch patch.Path {
+		case api.RoutePatchOperationPathNetwork:
+			if patch.Op != api.RoutePatchOperationOpReplace {
+				http.Error(w, fmt.Sprintf("Network field only accepts replace operation, got %s", patch.Op),
+					http.StatusBadRequest)
+				return
+			}
+			operations = append(operations, server.RouteUpdateOperation{
+				Type:   server.UpdateRouteNetwork,
+				Values: patch.Value,
+			})
+		case api.RoutePatchOperationPathDescription:
+			if patch.Op != api.RoutePatchOperationOpReplace {
+				http.Error(w, fmt.Sprintf("Description field only accepts replace operation, got %s", patch.Op),
+					http.StatusBadRequest)
+				return
+			}
+			operations = append(operations, server.RouteUpdateOperation{
+				Type:   server.UpdateRouteDescription,
+				Values: patch.Value,
+			})
+		case api.RoutePatchOperationPathNetworkId:
+			if patch.Op != api.RoutePatchOperationOpReplace {
+				http.Error(w, fmt.Sprintf("Network Identifier field only accepts replace operation, got %s", patch.Op),
+					http.StatusBadRequest)
+				return
+			}
+			operations = append(operations, server.RouteUpdateOperation{
+				Type:   server.UpdateRouteNetworkIdentifier,
+				Values: patch.Value,
+			})
+		case api.RoutePatchOperationPathPeer:
+			if patch.Op != api.RoutePatchOperationOpReplace {
+				http.Error(w, fmt.Sprintf("Peer field only accepts replace operation, got %s", patch.Op),
+					http.StatusBadRequest)
+				return
+			}
+			if len(patch.Value) > 1 {
+				http.Error(w, fmt.Sprintf("Value field only accepts 1 value, got %d", len(patch.Value)),
+					http.StatusBadRequest)
+				return
+			}
+			peerValue := patch.Value
+			if patch.Value[0] != "" {
+				peer, err := h.accountManager.GetPeerByIP(account.Id, patch.Value[0])
+				if err != nil {
+					log.Error(err)
+					http.Redirect(w, r, "/", http.StatusUnprocessableEntity)
+					return
+				}
+				peerValue = []string{peer.Key}
+			}
+			operations = append(operations, server.RouteUpdateOperation{
+				Type:   server.UpdateRoutePeer,
+				Values: peerValue,
+			})
+		case api.RoutePatchOperationPathMetric:
+			if patch.Op != api.RoutePatchOperationOpReplace {
+				http.Error(w, fmt.Sprintf("Metric field only accepts replace operation, got %s", patch.Op),
+					http.StatusBadRequest)
+				return
+			}
+			operations = append(operations, server.RouteUpdateOperation{
+				Type:   server.UpdateRouteMetric,
+				Values: patch.Value,
+			})
+		case api.RoutePatchOperationPathMasquerade:
+			if patch.Op != api.RoutePatchOperationOpReplace {
+				http.Error(w, fmt.Sprintf("Masquerade field only accepts replace operation, got %s", patch.Op),
+					http.StatusBadRequest)
+				return
+			}
+			operations = append(operations, server.RouteUpdateOperation{
+				Type:   server.UpdateRouteMasquerade,
+				Values: patch.Value,
+			})
+		case api.RoutePatchOperationPathEnabled:
+			if patch.Op != api.RoutePatchOperationOpReplace {
+				http.Error(w, fmt.Sprintf("Enabled field only accepts replace operation, got %s", patch.Op),
+					http.StatusBadRequest)
+				return
+			}
+			operations = append(operations, server.RouteUpdateOperation{
+				Type:   server.UpdateRouteEnabled,
+				Values: patch.Value,
+			})
+		default:
+			http.Error(w, "invalid patch path", http.StatusBadRequest)
+			return
+		}
+	}
+
+	route, err := h.accountManager.UpdateRoute(account.Id, routeID, operations)
+
+	if err != nil {
+		errStatus, ok := status.FromError(err)
+		if ok && errStatus.Code() == codes.Internal {
+			http.Error(w, errStatus.String(), http.StatusInternalServerError)
+			return
+		}
+
+		if ok && errStatus.Code() == codes.NotFound {
+			http.Error(w, errStatus.String(), http.StatusNotFound)
+			return
+		}
+
+		if ok && errStatus.Code() == codes.InvalidArgument {
+			http.Error(w, errStatus.String(), http.StatusBadRequest)
+			return
+		}
+
+		log.Errorf("failed updating route %s under account %s %v", routeID, account.Id, err)
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	resp := toRouteResponse(account, route)
+
+	writeJSONObject(w, &resp)
+}
+
+// DeleteRouteHandler handles route deletion request
+func (h *Routes) DeleteRouteHandler(w http.ResponseWriter, r *http.Request) {
+	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
+	if err != nil {
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	routeID := mux.Vars(r)["id"]
+	if len(routeID) == 0 {
+		http.Error(w, "invalid route ID", http.StatusBadRequest)
+		return
+	}
+
+	err = h.accountManager.DeleteRoute(account.Id, routeID)
+	if err != nil {
+		log.Errorf("failed delete route %s under account %s %v", routeID, account.Id, err)
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	writeJSONObject(w, "")
+}
+
+// GetRouteHandler handles a route Get request identified by ID
+func (h *Routes) GetRouteHandler(w http.ResponseWriter, r *http.Request) {
+	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
+	if err != nil {
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	routeID := mux.Vars(r)["id"]
+	if len(routeID) == 0 {
+		http.Error(w, "invalid route ID", http.StatusBadRequest)
+		return
+	}
+
+	foundRoute, err := h.accountManager.GetRoute(account.Id, routeID)
+	if err != nil {
+		http.Error(w, "route not found", http.StatusNotFound)
+		return
+	}
+
+	writeJSONObject(w, toRouteResponse(account, foundRoute))
+}
+
+func toRouteResponse(account *server.Account, serverRoute *route.Route) *api.Route {
+	var peerIP string
+	if serverRoute.Peer != "" {
+		peer, found := account.Peers[serverRoute.Peer]
+		if !found {
+			panic("peer ID not found")
+		}
+		peerIP = peer.IP.String()
+	}
+
+	return &api.Route{
+		Id:          serverRoute.ID,
+		Description: serverRoute.Description,
+		NetworkId:   serverRoute.NetID,
+		Enabled:     serverRoute.Enabled,
+		Peer:        peerIP,
+		Network:     serverRoute.Network.String(),
+		NetworkType: serverRoute.NetworkType.String(),
+		Masquerade:  serverRoute.Masquerade,
+		Metric:      serverRoute.Metric,
+	}
+}
--- a/management/server/http/routes_test.go
+++ b/management/server/http/routes_test.go
@@ -0,0 +1,362 @@
+package http
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"github.com/netbirdio/netbird/management/server/http/api"
+	"github.com/netbirdio/netbird/route"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/netip"
+	"strconv"
+	"testing"
+
+	"github.com/gorilla/mux"
+	"github.com/magiconair/properties/assert"
+	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	"github.com/netbirdio/netbird/management/server/mock_server"
+)
+
+const (
+	existingRouteID = "existingRouteID"
+	notFoundRouteID = "notFoundRouteID"
+	existingPeerID  = "100.64.0.100"
+	notFoundPeerID  = "100.64.0.200"
+	existingPeerKey = "existingPeerKey"
+	testAccountID   = "test_id"
+)
+
+var baseExistingRoute = &route.Route{
+	ID:          existingRouteID,
+	Description: "base route",
+	NetID:       "awesomeNet",
+	Network:     netip.MustParsePrefix("192.168.0.0/24"),
+	NetworkType: route.IPv4Network,
+	Metric:      9999,
+	Masquerade:  false,
+	Enabled:     true,
+}
+
+var testingAccount = &server.Account{
+	Id:     testAccountID,
+	Domain: "hotmail.com",
+	Peers: map[string]*server.Peer{
+		existingPeerKey: {
+			Key: existingPeerID,
+			IP:  netip.MustParseAddr(existingPeerID).AsSlice(),
+		},
+	},
+}
+
+func initRoutesTestData() *Routes {
+	return &Routes{
+		accountManager: &mock_server.MockAccountManager{
+			GetRouteFunc: func(_, routeID string) (*route.Route, error) {
+				if routeID == existingRouteID {
+					return baseExistingRoute, nil
+				}
+				return nil, status.Errorf(codes.NotFound, "route with ID %s not found", routeID)
+			},
+			CreateRouteFunc: func(accountID string, network, peer, description, netID string, masquerade bool, metric int, enabled bool) (*route.Route, error) {
+				networkType, p, _ := route.ParseNetwork(network)
+				return &route.Route{
+					ID:          existingRouteID,
+					NetID:       netID,
+					Peer:        peer,
+					Network:     p,
+					NetworkType: networkType,
+					Description: description,
+					Masquerade:  masquerade,
+					Enabled:     enabled,
+				}, nil
+			},
+			SaveRouteFunc: func(_ string, _ *route.Route) error {
+				return nil
+			},
+			DeleteRouteFunc: func(_ string, _ string) error {
+				return nil
+			},
+			GetPeerByIPFunc: func(_ string, peerIP string) (*server.Peer, error) {
+				if peerIP != existingPeerID {
+					return nil, status.Errorf(codes.NotFound, "Peer with ID %s not found", peerIP)
+				}
+				return &server.Peer{
+					Key: existingPeerKey,
+					IP:  netip.MustParseAddr(existingPeerID).AsSlice(),
+				}, nil
+			},
+			UpdateRouteFunc: func(_ string, routeID string, operations []server.RouteUpdateOperation) (*route.Route, error) {
+				routeToUpdate := baseExistingRoute
+				if routeID != routeToUpdate.ID {
+					return nil, status.Errorf(codes.NotFound, "route %s no longer exists", routeID)
+				}
+				for _, operation := range operations {
+					switch operation.Type {
+					case server.UpdateRouteNetwork:
+						routeToUpdate.NetworkType, routeToUpdate.Network, _ = route.ParseNetwork(operation.Values[0])
+					case server.UpdateRouteDescription:
+						routeToUpdate.Description = operation.Values[0]
+					case server.UpdateRouteNetworkIdentifier:
+						routeToUpdate.NetID = operation.Values[0]
+					case server.UpdateRoutePeer:
+						routeToUpdate.Peer = operation.Values[0]
+					case server.UpdateRouteMetric:
+						routeToUpdate.Metric, _ = strconv.Atoi(operation.Values[0])
+					case server.UpdateRouteMasquerade:
+						routeToUpdate.Masquerade, _ = strconv.ParseBool(operation.Values[0])
+					case server.UpdateRouteEnabled:
+						routeToUpdate.Enabled, _ = strconv.ParseBool(operation.Values[0])
+					default:
+						return nil, fmt.Errorf("no operation")
+					}
+				}
+				return routeToUpdate, nil
+			},
+			GetAccountWithAuthorizationClaimsFunc: func(_ jwtclaims.AuthorizationClaims) (*server.Account, error) {
+				return testingAccount, nil
+			},
+		},
+		authAudience: "",
+		jwtExtractor: jwtclaims.ClaimsExtractor{
+			ExtractClaimsFromRequestContext: func(r *http.Request, authAudiance string) jwtclaims.AuthorizationClaims {
+				return jwtclaims.AuthorizationClaims{
+					UserId:    "test_user",
+					Domain:    "hotmail.com",
+					AccountId: testAccountID,
+				}
+			},
+		},
+	}
+}
+
+func TestRoutesHandlers(t *testing.T) {
+	tt := []struct {
+		name           string
+		expectedStatus int
+		expectedBody   bool
+		expectedRoute  *api.Route
+		requestType    string
+		requestPath    string
+		requestBody    io.Reader
+	}{
+		{
+			name:           "Get Existing Route",
+			requestType:    http.MethodGet,
+			requestPath:    "/api/routes/" + existingRouteID,
+			expectedStatus: http.StatusOK,
+			expectedBody:   true,
+			expectedRoute:  toRouteResponse(testingAccount, baseExistingRoute),
+		},
+		{
+			name:           "Get Not Existing Route",
+			requestType:    http.MethodGet,
+			requestPath:    "/api/rules/" + notFoundRouteID,
+			expectedStatus: http.StatusNotFound,
+		},
+		{
+			name:           "Delete Existing Route",
+			requestType:    http.MethodDelete,
+			requestPath:    "/api/routes/" + existingRouteID,
+			expectedStatus: http.StatusOK,
+			expectedBody:   false,
+		},
+		{
+			name:           "Delete Not Existing Route",
+			requestType:    http.MethodDelete,
+			requestPath:    "/api/rules/" + notFoundRouteID,
+			expectedStatus: http.StatusNotFound,
+		},
+		{
+			name:        "POST OK",
+			requestType: http.MethodPost,
+			requestPath: "/api/routes",
+			requestBody: bytes.NewBuffer(
+				[]byte(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"awesomeNet\",\"Peer\":\"%s\"}", existingPeerID))),
+			expectedStatus: http.StatusOK,
+			expectedBody:   true,
+			expectedRoute: &api.Route{
+				Id:          existingRouteID,
+				Description: "Post",
+				NetworkId:   "awesomeNet",
+				Network:     "192.168.0.0/16",
+				Peer:        existingPeerID,
+				NetworkType: route.IPv4NetworkString,
+				Masquerade:  false,
+				Enabled:     false,
+			},
+		},
+		{
+			name:           "POST Not Found Peer",
+			requestType:    http.MethodPost,
+			requestPath:    "/api/routes",
+			requestBody:    bytes.NewBufferString(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"awesomeNet\",\"Peer\":\"%s\"}", notFoundPeerID)),
+			expectedStatus: http.StatusUnprocessableEntity,
+			expectedBody:   false,
+		},
+		{
+			name:           "POST Not Invalid Network Identifier",
+			requestType:    http.MethodPost,
+			requestPath:    "/api/routes",
+			requestBody:    bytes.NewBufferString(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"12345678901234567890qwertyuiopqwertyuiop1\",\"Peer\":\"%s\"}", existingPeerID)),
+			expectedStatus: http.StatusBadRequest,
+			expectedBody:   false,
+		},
+		{
+			name:           "POST Invalid Network",
+			requestType:    http.MethodPost,
+			requestPath:    "/api/routes",
+			requestBody:    bytes.NewBufferString(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/34\",\"network_id\":\"awesomeNet\",\"Peer\":\"%s\"}", existingPeerID)),
+			expectedStatus: http.StatusBadRequest,
+			expectedBody:   false,
+		},
+		{
+			name:           "PUT OK",
+			requestType:    http.MethodPut,
+			requestPath:    "/api/routes/" + existingRouteID,
+			requestBody:    bytes.NewBufferString(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"awesomeNet\",\"Peer\":\"%s\"}", existingPeerID)),
+			expectedStatus: http.StatusOK,
+			expectedBody:   true,
+			expectedRoute: &api.Route{
+				Id:          existingRouteID,
+				Description: "Post",
+				NetworkId:   "awesomeNet",
+				Network:     "192.168.0.0/16",
+				Peer:        existingPeerID,
+				NetworkType: route.IPv4NetworkString,
+				Masquerade:  false,
+				Enabled:     false,
+			},
+		},
+		{
+			name:           "PUT Not Found Route",
+			requestType:    http.MethodPut,
+			requestPath:    "/api/routes/" + notFoundRouteID,
+			requestBody:    bytes.NewBufferString(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"awesomeNet\",\"Peer\":\"%s\"}", existingPeerID)),
+			expectedStatus: http.StatusNotFound,
+			expectedBody:   false,
+		},
+		{
+			name:           "PUT Not Found Peer",
+			requestType:    http.MethodPut,
+			requestPath:    "/api/routes/" + existingRouteID,
+			requestBody:    bytes.NewBufferString(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"awesomeNet\",\"Peer\":\"%s\"}", notFoundPeerID)),
+			expectedStatus: http.StatusUnprocessableEntity,
+			expectedBody:   false,
+		},
+		{
+			name:           "PUT Invalid Network Identifier",
+			requestType:    http.MethodPut,
+			requestPath:    "/api/routes/" + existingRouteID,
+			requestBody:    bytes.NewBufferString(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/16\",\"network_id\":\"12345678901234567890qwertyuiopqwertyuiop1\",\"Peer\":\"%s\"}", existingPeerID)),
+			expectedStatus: http.StatusBadRequest,
+			expectedBody:   false,
+		},
+		{
+			name:           "PUT Invalid Network",
+			requestType:    http.MethodPut,
+			requestPath:    "/api/routes/" + existingRouteID,
+			requestBody:    bytes.NewBufferString(fmt.Sprintf("{\"Description\":\"Post\",\"Network\":\"192.168.0.0/34\",\"network_id\":\"awesomeNet\",\"Peer\":\"%s\"}", existingPeerID)),
+			expectedStatus: http.StatusBadRequest,
+			expectedBody:   false,
+		},
+		{
+			name:           "PATCH Description OK",
+			requestType:    http.MethodPatch,
+			requestPath:    "/api/routes/" + existingRouteID,
+			requestBody:    bytes.NewBufferString("[{\"op\":\"replace\",\"path\":\"description\",\"value\":[\"NewDesc\"]}]"),
+			expectedStatus: http.StatusOK,
+			expectedBody:   true,
+			expectedRoute: &api.Route{
+				Id:          existingRouteID,
+				Description: "NewDesc",
+				NetworkId:   "awesomeNet",
+				Network:     baseExistingRoute.Network.String(),
+				NetworkType: route.IPv4NetworkString,
+				Masquerade:  baseExistingRoute.Masquerade,
+				Enabled:     baseExistingRoute.Enabled,
+				Metric:      baseExistingRoute.Metric,
+			},
+		},
+		{
+			name:           "PATCH Peer OK",
+			requestType:    http.MethodPatch,
+			requestPath:    "/api/routes/" + existingRouteID,
+			requestBody:    bytes.NewBufferString(fmt.Sprintf("[{\"op\":\"replace\",\"path\":\"peer\",\"value\":[\"%s\"]}]", existingPeerID)),
+			expectedStatus: http.StatusOK,
+			expectedBody:   true,
+			expectedRoute: &api.Route{
+				Id:          existingRouteID,
+				Description: "NewDesc",
+				NetworkId:   "awesomeNet",
+				Network:     baseExistingRoute.Network.String(),
+				NetworkType: route.IPv4NetworkString,
+				Peer:        existingPeerID,
+				Masquerade:  baseExistingRoute.Masquerade,
+				Enabled:     baseExistingRoute.Enabled,
+				Metric:      baseExistingRoute.Metric,
+			},
+		},
+		{
+			name:           "PATCH Not Found Peer",
+			requestType:    http.MethodPatch,
+			requestPath:    "/api/routes/" + existingRouteID,
+			requestBody:    bytes.NewBufferString(fmt.Sprintf("[{\"op\":\"replace\",\"path\":\"peer\",\"value\":[\"%s\"]}]", notFoundPeerID)),
+			expectedStatus: http.StatusUnprocessableEntity,
+			expectedBody:   false,
+		},
+		{
+			name:           "PATCH Not Found Route",
+			requestType:    http.MethodPatch,
+			requestPath:    "/api/routes/" + notFoundRouteID,
+			requestBody:    bytes.NewBufferString("[{\"op\":\"replace\",\"path\":\"network\",\"value\":[\"192.168.0.0/34\"]}]"),
+			expectedStatus: http.StatusNotFound,
+			expectedBody:   false,
+		},
+	}
+
+	p := initRoutesTestData()
+
+	for _, tc := range tt {
+		t.Run(tc.name, func(t *testing.T) {
+			recorder := httptest.NewRecorder()
+			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
+
+			router := mux.NewRouter()
+			router.HandleFunc("/api/routes/{id}", p.GetRouteHandler).Methods("GET")
+			router.HandleFunc("/api/routes/{id}", p.DeleteRouteHandler).Methods("DELETE")
+			router.HandleFunc("/api/routes", p.CreateRouteHandler).Methods("POST")
+			router.HandleFunc("/api/routes/{id}", p.UpdateRouteHandler).Methods("PUT")
+			router.HandleFunc("/api/routes/{id}", p.PatchRouteHandler).Methods("PATCH")
+			router.ServeHTTP(recorder, req)
+
+			res := recorder.Result()
+			defer res.Body.Close()
+
+			content, err := io.ReadAll(res.Body)
+			if err != nil {
+				t.Fatalf("I don't know what I expected; %v", err)
+			}
+
+			if status := recorder.Code; status != tc.expectedStatus {
+				t.Errorf("handler returned wrong status code: got %v want %v, content: %s",
+					status, tc.expectedStatus, string(content))
+				return
+			}
+
+			if !tc.expectedBody {
+				return
+			}
+
+			got := &api.Route{}
+			if err = json.Unmarshal(content, &got); err != nil {
+				t.Fatalf("Sent content is not in correct json format; %v", err)
+			}
+			assert.Equal(t, got, tc.expectedRoute)
+		})
+	}
+}
--- a/management/server/http/handler/rules.go
+++ b/management/server/http/handler/rules.go
@@ -1,4 +1,4 @@
-package handler
+package http

 import (
 	"encoding/json"
--- a/management/server/http/handler/rules_test.go
+++ b/management/server/http/handler/rules_test.go
@@ -1,4 +1,4 @@
-package handler
+package http

 import (
 	"bytes"
--- a/management/server/http/server.go
+++ b/management/server/http/server.go
@@ -1,167 +0,0 @@
-package http
-
-import (
-	"context"
-	"crypto/tls"
-	"net/http"
-	"time"
-
-	"github.com/gorilla/mux"
-	s "github.com/netbirdio/netbird/management/server"
-	"github.com/netbirdio/netbird/management/server/http/handler"
-	"github.com/netbirdio/netbird/management/server/http/middleware"
-	"github.com/rs/cors"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/crypto/acme/autocert"
-)
-
-type Server struct {
-	server         *http.Server
-	config         *s.HttpServerConfig
-	certManager    *autocert.Manager
-	tlsConfig      *tls.Config
-	accountManager s.AccountManager
-}
-
-// NewHttpsServer creates a new HTTPs server (with HTTPS support) and a certManager that is responsible for generating and renewing Let's Encrypt certificate
-// The listening address will be :443 no matter what was specified in s.HttpServerConfig.Address
-func NewHttpsServer(
-	config *s.HttpServerConfig,
-	certManager *autocert.Manager,
-	accountManager s.AccountManager,
-) *Server {
-	server := &http.Server{
-		Addr:         config.Address,
-		WriteTimeout: time.Second * 15,
-		ReadTimeout:  time.Second * 15,
-		IdleTimeout:  time.Second * 60,
-	}
-	return &Server{
-		server:         server,
-		config:         config,
-		certManager:    certManager,
-		accountManager: accountManager,
-	}
-}
-
-// NewHttpsServerWithTLSConfig creates a new HTTPs server with a provided tls.Config.
-// Usually used when you already have a certificate
-func NewHttpsServerWithTLSConfig(
-	config *s.HttpServerConfig,
-	tlsConfig *tls.Config,
-	accountManager s.AccountManager,
-) *Server {
-	server := &http.Server{
-		Addr:         config.Address,
-		WriteTimeout: time.Second * 15,
-		ReadTimeout:  time.Second * 15,
-		IdleTimeout:  time.Second * 60,
-	}
-	return &Server{
-		server:         server,
-		config:         config,
-		tlsConfig:      tlsConfig,
-		accountManager: accountManager,
-	}
-}
-
-// NewHttpServer creates a new HTTP server (without HTTPS)
-func NewHttpServer(config *s.HttpServerConfig, accountManager s.AccountManager) *Server {
-	return NewHttpsServer(config, nil, accountManager)
-}
-
-// Stop stops the http server
-func (s *Server) Stop(ctx context.Context) error {
-	err := s.server.Shutdown(ctx)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// Start defines http handlers and starts the http server. Blocks until server is shutdown.
-func (s *Server) Start() error {
-	jwtMiddleware, err := middleware.NewJwtMiddleware(
-		s.config.AuthIssuer,
-		s.config.AuthAudience,
-		s.config.AuthKeysLocation,
-	)
-	if err != nil {
-		return err
-	}
-
-	corsMiddleware := cors.AllowAll()
-
-	acMiddleware := middleware.NewAccessControll(
-		s.config.AuthAudience,
-		s.accountManager.IsUserAdmin)
-
-	r := mux.NewRouter()
-	r.Use(jwtMiddleware.Handler, corsMiddleware.Handler, acMiddleware.Handler)
-
-	groupsHandler := handler.NewGroups(s.accountManager, s.config.AuthAudience)
-	rulesHandler := handler.NewRules(s.accountManager, s.config.AuthAudience)
-	peersHandler := handler.NewPeers(s.accountManager, s.config.AuthAudience)
-	keysHandler := handler.NewSetupKeysHandler(s.accountManager, s.config.AuthAudience)
-	userHandler := handler.NewUserHandler(s.accountManager, s.config.AuthAudience)
-
-	r.HandleFunc("/api/peers", peersHandler.GetPeers).Methods("GET", "OPTIONS")
-	r.HandleFunc("/api/peers/{id}", peersHandler.HandlePeer).
-		Methods("GET", "PUT", "DELETE", "OPTIONS")
-	r.HandleFunc("/api/users", userHandler.GetUsers).Methods("GET", "OPTIONS")
-	r.HandleFunc("/api/setup-keys", keysHandler.GetKeys).Methods("GET", "POST", "OPTIONS")
-	r.HandleFunc("/api/setup-keys/{id}", keysHandler.HandleKey).Methods("GET", "PUT", "OPTIONS")
-
-	r.HandleFunc("/api/setup-keys", keysHandler.GetKeys).Methods("POST", "OPTIONS")
-	r.HandleFunc("/api/setup-keys/{id}", keysHandler.HandleKey).
-		Methods("GET", "PUT", "DELETE", "OPTIONS")
-
-	r.HandleFunc("/api/rules", rulesHandler.GetAllRulesHandler).Methods("GET", "OPTIONS")
-	r.HandleFunc("/api/rules", rulesHandler.CreateRuleHandler).Methods("POST", "OPTIONS")
-	r.HandleFunc("/api/rules/{id}", rulesHandler.UpdateRuleHandler).Methods("PUT", "OPTIONS")
-	r.HandleFunc("/api/rules/{id}", rulesHandler.PatchRuleHandler).Methods("PATCH", "OPTIONS")
-	r.HandleFunc("/api/rules/{id}", rulesHandler.GetRuleHandler).Methods("GET", "OPTIONS")
-	r.HandleFunc("/api/rules/{id}", rulesHandler.DeleteRuleHandler).Methods("DELETE", "OPTIONS")
-
-	r.HandleFunc("/api/groups", groupsHandler.GetAllGroupsHandler).Methods("GET", "OPTIONS")
-	r.HandleFunc("/api/groups", groupsHandler.CreateGroupHandler).Methods("POST", "OPTIONS")
-	r.HandleFunc("/api/groups/{id}", groupsHandler.UpdateGroupHandler).Methods("PUT", "OPTIONS")
-	r.HandleFunc("/api/groups/{id}", groupsHandler.PatchGroupHandler).Methods("PATCH", "OPTIONS")
-	r.HandleFunc("/api/groups/{id}", groupsHandler.GetGroupHandler).Methods("GET", "OPTIONS")
-	r.HandleFunc("/api/groups/{id}", groupsHandler.DeleteGroupHandler).Methods("DELETE", "OPTIONS")
-	http.Handle("/", r)
-
-	if s.certManager != nil {
-		// if HTTPS is enabled we reuse the listener from the cert manager
-		listener := s.certManager.Listener()
-		log.Infof(
-			"HTTPs server listening on %s with Let's Encrypt autocert configured",
-			listener.Addr(),
-		)
-		if err = http.Serve(listener, s.certManager.HTTPHandler(r)); err != nil {
-			log.Errorf("failed to serve https server: %v", err)
-			return err
-		}
-	} else if s.tlsConfig != nil {
-		listener, err := tls.Listen("tcp", s.config.Address, s.tlsConfig)
-		if err != nil {
-			log.Errorf("failed to serve https server: %v", err)
-			return err
-		}
-		log.Infof("HTTPs server listening on %s", listener.Addr())
-
-		if err = http.Serve(listener, r); err != nil {
-			log.Errorf("failed to serve https server: %v", err)
-			return err
-		}
-
-	} else {
-		log.Infof("HTTP server listening on %s", s.server.Addr)
-		if err = s.server.ListenAndServe(); err != nil {
-			log.Errorf("failed to serve http server: %v", err)
-			return err
-		}
-	}
-
-	return nil
-}
--- a/management/server/http/handler/setupkeys.go
+++ b/management/server/http/handler/setupkeys.go
@@ -1,4 +1,4 @@
-package handler
+package http

 import (
 	"encoding/json"
--- a/management/server/http/handler/users.go
+++ b/management/server/http/handler/users.go
@@ -1,4 +1,4 @@
-package handler
+package http

 import (
 	"github.com/netbirdio/netbird/management/server/http/api"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
braginini	f07671cf49	Fix RemoveConnByUfrag	2022-09-08 19:39:05 +02:00
braginini	5a504ee6be	Fix some iface issues	2022-09-07 21:59:01 +02:00
braginini	660b2542d2	Remove unused code	2022-09-07 21:40:45 +02:00
braginini	d0ad53b247	Remove unnecessary endpoint map	2022-09-07 19:40:34 +02:00
braginini	2cffe6526a	Add more logging	2022-09-07 19:02:17 +02:00
braginini	dded91235e	Refactor UDP mux to handle STUN only messages	2022-09-07 18:49:15 +02:00
braginini	314f34f916	Single Mux	2022-09-07 18:40:42 +02:00
braginini	eaf985624d	Single Mux	2022-09-07 18:39:58 +02:00
braginini	48b7c6ec3c	Fix TURN issue	2022-09-07 11:17:54 +02:00
braginini	acf271bf25	Merge remote-tracking branch 'origin/main' into feature/interface-bind	2022-09-07 11:09:45 +02:00
braginini	f49c299d77	Check for stun packet with a fixed size	2022-09-06 21:07:21 +02:00
braginini	73b5f8d63b	Proper endpoint log	2022-09-06 20:59:19 +02:00
braginini	6653894691	Remove unused code	2022-09-06 20:55:51 +02:00
braginini	a7facc2d72	Split UDPMux and UniversalUDPMux	2022-09-06 20:54:40 +02:00
braginini	0721b87c56	Split UDPMux and UniversalUDPMux	2022-09-06 20:44:49 +02:00
braginini	2829cce644	Implement ICEBind	2022-09-06 20:06:51 +02:00
braginini	9350c5f8d8	bind	2022-09-05 15:56:36 +02:00
Maycon Santos	1012172f04	Add routing peer support (#441 ) Handle routes updates from management Manage routing firewall rules Manage peer RIB table Add get peer and get notification channel from the status recorder Update interface peers allowed IPs	2022-09-05 09:06:35 +02:00
Maycon Santos	788bb00ef1	Fix service install when sysV service bin exists (#450 )	2022-09-05 08:56:07 +02:00
braginini	2ae4c204af	Working single channel bind	2022-09-05 02:03:16 +02:00
braginini	f5e974c04c	Bind test	2022-09-04 22:52:52 +02:00
Maycon Santos	4e5ee70b3d	Load WgPort from config file and exchange via signal (#449 ) Added additional common blacklisted interfaces Updated the signal protocol to pass the peer port and netbird version Co-authored-by: braginini <bangvalo@gmail.com>	2022-09-02 19:33:35 +02:00
Maycon Santos	f1c00ae543	Update service library with rcS init system support (#447 )	2022-09-02 14:03:02 +02:00
Misha Bragin	553a13588b	Free up gRPC client resources on errors (#448 )	2022-09-01 18:28:45 +02:00
Maycon Santos	586c0f5c3d	Log remote address when not registered (#445 )	2022-08-27 17:55:05 +02:00
Maycon Santos	c13f0b9f07	Use select for turn credentials and peers update (#443 ) Also, prevent peer update when SSH is the same	2022-08-27 12:57:03 +02:00
Misha Bragin	dd4ff61b51	Do not autoload authissuer for the IDPManager config (#442 )	2022-08-25 09:24:24 +02:00
szakharchenko	e3657610bc	Avoid pulling in management code in client (#437 ) Avoid management code import for the legacy port value, hardcoding it instead (it's literally spelled out in a comment below as well).	2022-08-24 16:30:40 +02:00
Misha Bragin	e8733a37af	Update scripts for the self-hosted Oauth 2.0 Device Auth Grant support (#439 ) Support Oauth 2.0 Device Auth Grant in the self-hosted scripts.	2022-08-24 14:37:18 +02:00
Misha Bragin	3def84b111	Support Generic OAuth 2.0 Device Authorization Grant (#433 ) Support Generic OAuth 2.0 Device Authorization Grant as per RFC specification https://www.rfc-editor.org/rfc/rfc8628. The previous version supported only Auth0 as an IDP backend. This implementation enables the Interactive SSO Login feature for any IDP compatible with the specification, e.g., Keycloak.	2022-08-23 15:46:12 +02:00
Maycon Santos	47add9a9c3	Don't create index if peer is empty (#435 ) When checking for existing prefix routes Return nil if peer is empty	2022-08-23 11:09:56 +02:00
Maycon Santos	09312b3e6d	Add Network ID and rename Prefix to Network (#432 ) Adding network ID will allow us to group Renaming Prefix with Network will keep things more clear and Consistent	2022-08-22 14:10:24 +02:00
Misha Bragin	762a26dcea	Fix Register/Deregister race on Signal (#431 ) This PR fixes a race condition that happens when agents connect to a Signal stream, multiple times within a short amount of time. Common on slow and unstable internet connections. Every time an agent establishes a new connection to Signal, Signal creates a Stream and writes an entry to the registry of connected peers storing the stream. Every time an agent disconnects, Signal removes the stream from the registry. Due to unstable connections, the agent could detect a broken connection, and attempt to reconnect to Signal. Signal will override the stream, but it might detect the old broken connection later, causing peer deregistration. It will deregister the peer leaving the client thinking it is still connected, rejecting any messages.	2022-08-22 12:21:19 +02:00
Maycon Santos	000ea72aec	Add routing Rest API support (#428 ) Routing API will allow us to list, create, update, and delete routes.	2022-08-20 19:11:54 +02:00
Maycon Santos	4b34a6d6df	Add routing support to management service (#424 ) Management will receive and store routes that are associated with a peer ID. The routes are distributed to peers according to their ACLs.	2022-08-18 18:22:15 +02:00
Misha Bragin	c39cd2f7b0	Support new properties for OIDC auth (#426 ) This PR updates infrastructure_scripts to support self-hosted setup with a generic OIDC provider.	2022-08-17 21:44:20 +02:00
Misha Bragin	6dc3e8ca90	Enable HTTP/2 when loading TLS config from file (#423 ) When creating TLSConfig from provided certificate file, the HTTP/2 support is not enabled. It works with Certmanager because it adds h2 support. We enable it the same way when creating TLSConfig from files.	2022-08-15 19:36:00 +02:00
Misha Bragin	245863cd51	Update docker-compose to reflect new ports (#411 )	2022-08-05 22:41:57 +02:00
Maycon Santos	14e322d3f7	Handle CORS requests before authentication (#413 ) This helps our FE to get proper request responses	2022-08-05 22:41:04 +02:00
Misha Bragin	1be8c16e34	Decrease log level on peer status remove (#410 )	2022-08-01 17:52:22 +02:00
Misha Bragin	851de3fd4e	Output NetBird daemon and CLI versions on status command (#408 )	2022-08-01 12:42:45 +02:00
Maycon Santos	c13288781f	Fix checksum conflict and version injection (#409 ) custom name_template for darwin ui release checksum file fix darwin ui version injection to correct path	2022-08-01 12:20:30 +02:00
Misha Bragin	e34e0ccd12	Check and update Agent's Management URL if is legacy (#406 ) All the existing agents by default connect to port 33073 of the Management service. This value is also stored in the local config. All the agents won't switch to the new port 443 unless explicitly specified in the config. We want the transition to be smooth for our users, therefore this PR adds logic to check whether the old port 33073 can be changed to 443 and updates the config automatically.	2022-07-30 19:17:18 +02:00
Maycon Santos	95dc9cc16c	Split goreleaser for UI and parallelized workflow (#405 ) decouple goreleaser ui might help us parallelize workflow and run local tests dividing the release workflow for each goreleaser and making trigger sign a different job them when small issues with sign happen	2022-07-30 14:44:01 +02:00
Maycon Santos	d1c2b3d703	Use unix.Uname to get Darwin system info (#404 ) This prevents the client from needing to use command line tools	2022-07-30 11:31:27 +02:00
Misha Bragin	966661fe91	Serve Management gRPC and HTTP on a single 80/443 port (#400 ) This PR is a part of an effort to use standard ports (443 or 80) that are usually allowed by default in most of the environments. Right now Management Service runs the Let'sEncrypt manager on port 443, HTTP API server on port 33071, and a gRPC server on port 33073. There are three separate listeners. This PR combines these listeners into one. With this change, the HTTP and gRPC server runs on either 443 with TLS or 80 without TLS by default (no --port specified). Let's Encrypt manager always runs on port 443 if enabled. The backward compatibility server runs on port 33073 (with TLS or without). HTTP port 33071 is obsolete and not used anymore. Newly installed agents will connect to port 443 by default instead of port 33073 if not specified otherwise.	2022-07-29 20:37:09 +02:00
Misha Bragin	67ddaade58	Go mod tidy (#401 ) Check git status after go mod tidy	2022-07-27 20:19:55 +02:00
Maycon Santos	138cf35e00	Sync go mod (#399 )	2022-07-27 18:57:18 +02:00
Maycon Santos	2555a6c3e8	Use proxy when any candidate is relay (#398 ) We should use relayed port when remote or local candidate is of the relay type	2022-07-27 18:12:39 +02:00
Misha Bragin	86a66c6202	Make Signal Service listen on a standard 443/80 port instead of 10000 (#396 ) Right now Signal Service runs the Let'sEncrypt manager on port 80 and a gRPC server on port 10000. There are two separate listeners. This PR combines these listeners into one with a cmux lib. The gRPC server runs on either 443 with TLS or 80 without TLS. Let's Encrypt manager always runs on port 80.	2022-07-25 19:55:38 +02:00
Misha Bragin	275d364df6	Fix TURN credentials renewal (#394 ) Update conn config with new TURN credentials Updated Signal connection timeout to 5s	2022-07-21 22:07:38 +02:00
Maycon Santos	a3c5fa1307	Add PATH to client Dockerfile (#389 ) Useful when SSH to client containers	2022-07-12 15:35:51 +02:00
Maycon Santos	75a69ca26b	Write the Admin URL when creating new config (#388 )	2022-07-12 15:02:51 +02:00
Misha Bragin	ae8e3ad6fe	Enable SSH Login for docker (#385 )	2022-07-07 16:33:16 +02:00
Maycon Santos	ff729f6755	Use id command for user lookup on MacOS (#384 ) When building client without CGO, user.Lookup attempts to get user from /etc/passwd Which doesn't have the user as MacOS uses opendirectoryd as user directory	2022-07-07 16:13:46 +02:00
Maycon Santos	7e1b20da5d	Always initialize status recorder (#383 ) Always initialize the status recorder Utilize proto methods to get pbFullStatus values.	2022-07-07 13:54:47 +02:00
Misha Bragin	d4a3ee9d87	Load user profile when SSH (#380 ) This PR fixes issues with the terminal when running netbird ssh to a remote agent. Every session looks up a user and loads its profile. If no user is found, the connection is rejected. The default user is root.	2022-07-07 11:24:38 +02:00
Maycon Santos	49e9113e0f	Enhance status command (#382 ) Print peer status from the package Added --detail flag for detailed status output	2022-07-05 19:47:50 +02:00
Misha Bragin	3bdfa3cc8e	Introduce larger retries for the agent (#379 ) The Management client will try reconnecting in case. of network issues or non-permanent errors. If the device was off-boarded, then the client will stop retrying.	2022-07-02 20:38:16 +02:00
Maycon Santos	8c953c5a2c	Add client status collection (#368 )	2022-07-02 12:02:17 +02:00
Maycon Santos	e95f0f7acb	Support 32 bit (#374 ) Add build for 32 bits linux improved windows test time	2022-07-01 10:42:38 +02:00
Misha Bragin	fa7b413fe7	Fix SSH command on Docker (#377 )	2022-06-29 14:03:30 +02:00
Misha Bragin	295f0c755a	Add Router nodes feature to the coming soon list	2022-06-27 08:57:06 +03:00
Misha Bragin	a98f6f840a	Add Easy SSH to the features list	2022-06-27 08:55:32 +03:00
Misha Bragin	faad5a1e98	Add Easy SSH banner	2022-06-27 08:50:34 +03:00