Merge branch 'master' into stable

2026-04-03 05:56:23 +00:00 · 2026-03-22 22:34:48 +01:00
parent 95394628d3 31ad35809c
commit cc472216b4
28 changed files with 466 additions and 79 deletions
--- a/.github/workflows/chart.yml
+++ b/.github/workflows/chart.yml
@@ -44,7 +44,7 @@ jobs:
      - name: Run chart-testing (lint)
        run: ct lint --config ct.yaml
-      - uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96 # v1.0.9
+      - uses: nolar/setup-k3d-k3s@8bf8d22160e8b1d184dcb780e390d6952a7eec65 # v1.0.10
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -62,7 +62,7 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -21,10 +21,10 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Get Version
        shell: bash
@@ -32,14 +32,14 @@ jobs:
      - name: Login to Docker Hub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -47,7 +47,7 @@ jobs:
      - name: Extract metadata (tags, labels) for Docker
        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: |
            wgportal/wg-portal
@@ -68,7 +68,7 @@ jobs:
            type=semver,pattern=v{{major}}
      - name: Build and push Docker image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
@@ -80,7 +80,7 @@ jobs:
            BUILD_VERSION=${{ env.BUILD_VERSION }}
      - name: Export binaries from images
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/arm/v7
@@ -110,12 +110,12 @@ jobs:
      contents: write
    steps:
      - name: Download binaries
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: binaries
      - name: Create GitHub Release
-        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          files: 'wg-portal_linux*'
          generate_release_notes: true
--- a/cmd/wg-portal/main.go
+++ b/cmd/wg-portal/main.go
@@ -80,7 +80,7 @@ func main() {
 	internal.AssertNoError(err)
 	auditRecorder.StartBackgroundJobs(ctx)
-	userManager, err := users.NewUserManager(cfg, eventBus, database, database)
+	userManager, err := users.NewUserManager(cfg, eventBus, database, database, database)
 	internal.AssertNoError(err)
 	userManager.StartBackgroundJobs(ctx)
--- a/docs/documentation/configuration/examples.md
+++ b/docs/documentation/configuration/examples.md
@@ -86,6 +86,9 @@ auth:
        memberof: memberOf
      admin_group: CN=WireGuardAdmins,OU=Some-OU,DC=COMPANY,DC=LOCAL
      registration_enabled: true
      # Restrict interface access based on LDAP filters
      interface_filter:
        wg0: "(memberOf=CN=VPNUsers,OU=Groups,DC=COMPANY,DC=LOCAL)"
      log_user_info: true
 ```
--- a/docs/documentation/configuration/overview.md
+++ b/docs/documentation/configuration/overview.md
@@ -28,6 +28,7 @@ core:
 backend:
  default: local
  rekey_timeout_interval: 125s
  local_resolvconf_prefix: tun.
 advanced:
@@ -203,6 +204,13 @@ The current MikroTik backend is in **BETA** and may not support all features.
 - **Description:** The default backend to use for managing WireGuard interfaces. 
  Valid options are: `local`, or other backend id's configured in the `mikrotik` section.
 ### `rekey_timeout_interval`
 - **Default:** `180s`
 - **Environment Variable:** `WG_PORTAL_BACKEND_REKEY_TIMEOUT_INTERVAL`
 - **Description:** The interval after which a WireGuard peer is considered disconnected if no handshake updates are received. 
  This corresponds to the WireGuard rekey timeout setting of 120 seconds plus a 60-second buffer to account for latency or retry handling.
  Uses Go duration format (e.g., `10s`, `1m`). If omitted, a default of 180 seconds is used.
 ### `local_resolvconf_prefix`
 - **Default:** `tun.`
 - **Environment Variable:** `WG_PORTAL_BACKEND_LOCAL_RESOLVCONF_PREFIX`
@@ -734,6 +742,16 @@ Below are the properties for each LDAP provider entry inside `auth.ldap`:
 - **Important**: The `login_filter` must always be a valid LDAP filter. It should at most return one user. 
  If the filter returns multiple or no users, the login will fail.
 #### `interface_filter`
 - **Default:** *(empty)*
 - **Description:** A map of LDAP filters to restrict access to specific WireGuard interfaces. The map keys are the interface identifiers (e.g., `wg0`), and the values are LDAP filters. Only users matching the filter will be allowed to provision peers for the respective interface.
  For example:
  ```yaml
  interface_filter:
    wg0: "(memberOf=CN=VPNUsers,OU=Groups,DC=COMPANY,DC=LOCAL)"
    wg1: "(description=special-access)"
  ```
 #### `admin_group`
 - **Default:** *(empty)*
 - **Description:** A specific LDAP group whose members are considered administrators in WireGuard Portal.
--- a/docs/documentation/getting-started/docker.md
+++ b/docs/documentation/getting-started/docker.md
@@ -35,6 +35,14 @@ WireGuard Portal supports managing WireGuard interfaces through three distinct d
   > :warning: If host networking is used, the WireGuard Portal UI will be accessible on all the host's IP addresses if the listening address is set to `:8888` in the configuration file.
   To avoid this, you can bind the listening address to a specific IP address, for example, the loopback address (`127.0.0.1:8888`). It is also possible to deploy firewall rules to restrict access to the WireGuard Portal UI.
   > :warning: If the host is running **systemd-networkd**, routes managed by WireGuard Portal may be removed whenever systemd-networkd restarts, as it will clean up routes it considers "foreign". To prevent this, add the following to your host's network configuration (e.g. `/etc/systemd/networkd.conf` or a drop-in file):
   > ```ini
   > [Network]
   > ManageForeignRoutingPolicyRules=no
   > ManageForeignRoutes=no
   > ```
   > After editing, reload the configuration with `sudo systemctl restart systemd-networkd`. For more information refer to the [systemd-networkd documentation](https://www.freedesktop.org/software/systemd/man/latest/networkd.conf.html#ManageForeignRoutes=).
 - **Within the WireGuard Portal Docker container**: 
   WireGuard interfaces can be managed directly from within the WireGuard Portal container itself.
   This is the recommended approach when running WireGuard Portal via Docker, as it encapsulates all functionality in a single, portable container without requiring a separate WireGuard host or image.
--- a/docs/documentation/usage/authentication.md
+++ b/docs/documentation/usage/authentication.md
@@ -147,6 +147,26 @@ You can map users to admin roles based on their group membership in the LDAP ser
 The `admin_group` property defines the distinguished name of the group that is allowed to log in as admin.
 All groups that are listed in the `memberof` attribute of the user will be checked against this group. If one of the groups matches, the user is granted admin access.
 ### Interface-specific Provisioning Filters
 You can restrict which users are allowed to provision peers for specific WireGuard interfaces by setting the `interface_filter` property.
 This property is a map where each key corresponds to a WireGuard interface identifier, and the value is an LDAP filter.
 A user will only be able to see and provision peers for an interface if they match the specified LDAP filter for that interface.
 Example:
 ```yaml
 auth:
  ldap:
    - provider_name: "ldap1"
      # ... other settings
      interface_filter:
        wg0: "(memberOf=CN=VPNUsers,OU=Groups,DC=COMPANY,DC=LOCAL)"
        wg1: "(department=IT)"
 ```
 This feature works by materializing the list of authorized users for each interface during the periodic LDAP synchronization.
 Even if a user bypasses the UI, the backend will enforce these restrictions at the service layer.
 ## User Synchronization
--- a/docs/documentation/usage/user-sync.md
+++ b/docs/documentation/usage/user-sync.md
@@ -44,3 +44,11 @@ All peers associated with that user will also be disabled.
 If you want a user and its peers to be automatically re-enabled once they are found in LDAP again, set the `auto_re_enable` property to `true`.
 This will only re-enable the user if they were disabled by the synchronization process. Manually disabled users will not be re-enabled.
 ##### Interface-specific Access Materialization
 If `interface_filter` is configured in the LDAP provider, the synchronization process will evaluate these filters for each enabled user.
 The results are materialized in the `interfaces` table of the database in a hidden field. 
 This materialized list is used by the backend to quickly determine if a user has permission to provision peers for a specific interface, without having to query the LDAP server for every request.
 The list is refreshed every time the LDAP synchronization runs.
 For more details on how to configure these filters, see the [Authentication](./authentication.md#interface-specific-provisioning-filters) section.
--- a/frontend/src/stores/profile.js
+++ b/frontend/src/stores/profile.js
@@ -74,6 +74,7 @@ export const profileStore = defineStore('profile', {
    },
    hasStatistics: (state) => state.statsEnabled,
    CountInterfaces: (state) => state.interfaces.length,
    HasInterface: (state) => (id) => state.interfaces.some((i) => i.Identifier === id),
  },
  actions: {
    afterPageSizeChange() {
--- a/frontend/src/views/ProfileView.vue
+++ b/frontend/src/views/ProfileView.vue
@@ -80,6 +80,8 @@ onMounted(async () => {
    <div class="col-12 col-lg-5">
      <h2 class="mt-2">{{ $t('profile.headline') }}</h2>
    </div>
    <div class="col-12 col-lg-3 text-lg-end" v-if="!settings.Setting('SelfProvisioning') || profile.CountInterfaces===0">
    </div>
    <div class="col-12 col-lg-4 text-lg-end">
      <div class="form-group d-inline">
        <div class="input-group mb-3">
@@ -90,8 +92,8 @@ onMounted(async () => {
        </div>
      </div>
    </div>
-    <div class="col-12 col-lg-3 text-lg-end">
+    <div class="col-12 col-lg-3 text-lg-end" v-if="settings.Setting('SelfProvisioning') && profile.CountInterfaces>0">
-      <div class="form-group" v-if="settings.Setting('SelfProvisioning')">
+      <div class="form-group">
        <div class="input-group mb-3">
          <button class="btn btn-primary" :title="$t('interfaces.button-add-peer')" @click.prevent="editPeerId = '#NEW#'">
            <i class="fa fa-plus me-1"></i><i class="fa fa-user"></i>
@@ -160,8 +162,7 @@ onMounted(async () => {
          </td>
          <td v-if="profile.hasStatistics">
            <div v-if="profile.Statistics(peer.Identifier).IsConnected">
-              <span class="badge rounded-pill bg-success"><i class="fa-solid fa-link"></i></span>
+              <span class="badge rounded-pill bg-success" :title="$t('profile.peer-connected')"><i class="fa-solid fa-link"></i></span> <small class="text-muted" :title="$t('interfaces.peer-handshake') + ' ' + profile.Statistics(peer.Identifier).LastHandshake"><i class="fa-solid fa-circle-info"></i></small>
              <span :title="profile.Statistics(peer.Identifier).LastHandshake">{{ $t('profile.peer-connected') }}</span>
            </div>
            <div v-else>
              <span class="badge rounded-pill bg-light"><i class="fa-solid fa-link-slash"></i></span>
@@ -174,7 +175,7 @@ onMounted(async () => {
          <td class="text-center">
            <a href="#" :title="$t('profile.button-show-peer')" @click.prevent="viewedPeerId = peer.Identifier"><i
                class="fas fa-eye me-2"></i></a>
-            <a href="#" :title="$t('profile.button-edit-peer')" @click.prevent="editPeerId = peer.Identifier"><i
+            <a href="#" :title="$t('profile.button-edit-peer')" @click.prevent="editPeerId = peer.Identifier" v-if="settings.Setting('SelfProvisioning') && profile.HasInterface(peer.InterfaceIdentifier)"><i
                class="fas fa-cog"></i></a>
          </td>
        </tr>
--- a/go.mod
+++ b/go.mod
@@ -7,10 +7,10 @@ require (
 	github.com/alexedwards/scs/v2 v2.9.0
 	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/glebarez/sqlite v1.11.0
-	github.com/go-ldap/ldap/v3 v3.4.12
+	github.com/go-ldap/ldap/v3 v3.4.13
 	github.com/go-pkgz/routegroup v1.6.0
 	github.com/go-playground/validator/v10 v10.30.1
-	github.com/go-webauthn/webauthn v0.16.0
+	github.com/go-webauthn/webauthn v0.16.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.3
 	github.com/prometheus-community/pro-bing v0.8.0
@@ -22,9 +22,9 @@ require (
 	github.com/xhit/go-simple-mail/v2 v2.16.0
 	github.com/yeqown/go-qrcode/v2 v2.2.5
 	github.com/yeqown/go-qrcode/writer/compressed v1.0.1
-	golang.org/x/crypto v0.48.0
+	golang.org/x/crypto v0.49.0
-	golang.org/x/oauth2 v0.35.0
+	golang.org/x/oauth2 v0.36.0
-	golang.org/x/sys v0.41.0
+	golang.org/x/sys v0.42.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.6.0
@@ -61,7 +61,7 @@ require (
 	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/go-test/deep v1.1.1 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
-	github.com/go-webauthn/x v0.2.1 // indirect
+	github.com/go-webauthn/x v0.2.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
@@ -95,9 +95,9 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa // indirect
 	golang.org/x/mod v0.33.0 // indirect
-	golang.org/x/net v0.50.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
 	golang.org/x/tools v0.42.0 // indirect
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
--- a/go.sum
+++ b/go.sum
@@ -60,8 +60,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
 github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
-github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
+github.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=
-github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
+github.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=
 github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4=
 github.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80=
 github.com/go-openapi/jsonreference v0.21.4 h1:24qaE2y9bx/q3uRK/qN+TDwbok1NhbSmGjjySRCHtC8=
@@ -105,10 +105,10 @@ github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
 github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/go-webauthn/webauthn v0.16.0 h1:A9BkfYIwWAMPSQCbM2HoWqo6JO5LFI8aqYAzo6nW7AY=
+github.com/go-webauthn/webauthn v0.16.1 h1:x5/SSki5/aIfogaRukqvbg/RXa3Sgxy/9vU7UfFPHKU=
-github.com/go-webauthn/webauthn v0.16.0/go.mod h1:hm9RS/JNYeUu3KqGbzqlnHClhDGCZzTZlABjathwnN0=
+github.com/go-webauthn/webauthn v0.16.1/go.mod h1:RBS+rtQJMkE5VfMQ4diDA2VNrEL8OeUhp4Srz37FHbQ=
-github.com/go-webauthn/x v0.2.1 h1:/oB8i0FhSANuoN+YJF5XHMtppa7zGEYaQrrf6ytotjc=
+github.com/go-webauthn/x v0.2.2 h1:zIiipvMbr48CXi5RG0XdBJR94kd8I5LfzHPb/q+YYmk=
-github.com/go-webauthn/x v0.2.1/go.mod h1:Wm0X0zXkzznit4gHj4m82GiBZRMEm+TDUIoJWIQLsE4=
+github.com/go-webauthn/x v0.2.2/go.mod h1:IpJ5qyWB9NRhLX3C7gIfjTU7RZLXEP6kzFkoVSE7Fz4=
 github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
@@ -274,8 +274,8 @@ golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOM
 golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa h1:Zt3DZoOFFYkKhDT3v7Lm9FDMEV06GpzjG2jrqW+QTE0=
 golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa/go.mod h1:K79w1Vqn7PoiZn+TkNpx3BUWUQksGO3JcVX6qIjytmA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -303,10 +303,10 @@ golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
-golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
-golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -314,8 +314,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -336,8 +336,8 @@ golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -366,8 +366,8 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
--- a/internal/adapters/metrics.go
+++ b/internal/adapters/metrics.go
@@ -30,7 +30,7 @@ type MetricsServer struct {
 // Wireguard metrics labels
 var (
 	ifaceLabels = []string{"interface"}
-	peerLabels  = []string{"interface", "addresses", "id", "name"}
+	peerLabels  = []string{"interface", "addresses", "id", "name", "user"}
 )
 // NewMetricsServer returns a new prometheus server
@@ -126,6 +126,7 @@ func (m *MetricsServer) UpdatePeerMetrics(peer *domain.Peer, status domain.PeerS
 		peer.Interface.AddressStr(),
 		string(status.PeerId),
 		peer.DisplayName,
 		string(peer.UserIdentifier),
 	}
 	if status.LastHandshake != nil {
--- a/internal/app/users/ldap_sync.go
+++ b/internal/app/users/ldap_sync.go
@@ -90,6 +90,12 @@ func (m Manager) synchronizeLdapUsers(ctx context.Context, provider *config.Ldap
 		}
 	}
 	// Update interface allowed users based on LDAP filters
 	err = m.updateInterfaceLdapFilters(ctx, conn, provider)
 	if err != nil {
 		return err
 	}
 	return nil
 }
@@ -237,3 +243,59 @@ func (m Manager) disableMissingLdapUsers(
 	return nil
 }
 func (m Manager) updateInterfaceLdapFilters(
 	ctx context.Context,
 	conn *ldap.Conn,
 	provider *config.LdapProvider,
 ) error {
 	if len(provider.InterfaceFilter) == 0 {
 		return nil // nothing to do if no interfaces are configured for this provider
 	}
 	for ifaceName, groupFilter := range provider.InterfaceFilter {
 		ifaceId := domain.InterfaceIdentifier(ifaceName)
 		// Combined filter: user must match the provider's base SyncFilter AND the interface's LdapGroupFilter
 		combinedFilter := fmt.Sprintf("(&(%s)(%s))", provider.SyncFilter, groupFilter)
 		rawUsers, err := internal.LdapFindAllUsers(conn, provider.BaseDN, combinedFilter, &provider.FieldMap)
 		if err != nil {
 			slog.Error("failed to find users for interface filter", 
 				"interface", ifaceId, 
 				"provider", provider.ProviderName, 
 				"error", err)
 			continue
 		}
 		matchedUserIds := make([]domain.UserIdentifier, 0, len(rawUsers))
 		for _, rawUser := range rawUsers {
 			userId := domain.UserIdentifier(internal.MapDefaultString(rawUser, provider.FieldMap.UserIdentifier, ""))
 			if userId != "" {
 				matchedUserIds = append(matchedUserIds, userId)
 			}
 		}
 		// Save the interface
 		err = m.interfaces.SaveInterface(ctx, ifaceId, func(i *domain.Interface) (*domain.Interface, error) {
 			if i.LdapAllowedUsers == nil {
 				i.LdapAllowedUsers = make(map[string][]domain.UserIdentifier)
 			}
 			i.LdapAllowedUsers[provider.ProviderName] = matchedUserIds
 			return i, nil
 		})
 		if err != nil {
 			slog.Error("failed to save interface ldap allowed users", 
 				"interface", ifaceId, 
 				"provider", provider.ProviderName, 
 				"error", err)
 		} else {
 			slog.Debug("updated interface ldap allowed users", 
 				"interface", ifaceId, 
 				"provider", provider.ProviderName, 
 				"matched_count", len(matchedUserIds))
 		}
 	}
 	return nil
 }
--- a/internal/app/users/user_manager.go
+++ b/internal/app/users/user_manager.go
@@ -39,6 +39,11 @@ type PeerDatabaseRepo interface {
 	GetUserPeers(ctx context.Context, id domain.UserIdentifier) ([]domain.Peer, error)
 }
 type InterfaceDatabaseRepo interface {
 	// SaveInterface saves the interface with the given identifier.
 	SaveInterface(ctx context.Context, id domain.InterfaceIdentifier, updateFunc func(i *domain.Interface) (*domain.Interface, error)) error
 }
 type EventBus interface {
 	// Publish sends a message to the message bus.
 	Publish(topic string, args ...any)
@@ -53,19 +58,24 @@ type Manager struct {
 	bus        EventBus
 	users      UserDatabaseRepo
 	peers      PeerDatabaseRepo
 	interfaces InterfaceDatabaseRepo
 }
 // NewUserManager creates a new user manager instance.
-func NewUserManager(cfg *config.Config, bus EventBus, users UserDatabaseRepo, peers PeerDatabaseRepo) (
+func NewUserManager(
-	*Manager,
+	cfg *config.Config,
-	error,
+	bus EventBus,
-) {
+	users UserDatabaseRepo,
 	peers PeerDatabaseRepo,
 	interfaces InterfaceDatabaseRepo,
 ) (*Manager, error) {
 	m := &Manager{
 		cfg: cfg,
 		bus: bus,
 		users:      users,
 		peers:      peers,
 		interfaces: interfaces,
 	}
 	return m, nil
 }
--- a/internal/app/wireguard/statistics.go
+++ b/internal/app/wireguard/statistics.go
@@ -204,13 +204,13 @@ func (c *StatisticsCollector) collectPeerData(ctx context.Context) {
 							// calculate if session was restarted
 							p.UpdatedAt = now
-							p.LastSessionStart = getSessionStartTime(*p, peer.BytesUpload, peer.BytesDownload,
+							p.LastSessionStart = c.getSessionStartTime(*p, peer.BytesUpload, peer.BytesDownload,
 								lastHandshake)
 							p.BytesReceived = peer.BytesUpload      // store bytes that where uploaded from the peer and received by the server
 							p.BytesTransmitted = peer.BytesDownload // store bytes that where received from the peer and sent by the server
 							p.Endpoint = peer.Endpoint
 							p.LastHandshake = lastHandshake
-							p.CalcConnected()
+							p.CalcConnected(c.cfg.Backend.ReKeyTimeoutInterval)
 							if wasConnected != p.IsConnected {
 								slog.Debug("peer connection state changed",
@@ -249,7 +249,7 @@ func (c *StatisticsCollector) collectPeerData(ctx context.Context) {
 	}
 }
-func getSessionStartTime(
+func (c *StatisticsCollector) getSessionStartTime(
 	oldStats domain.PeerStatus,
 	newReceived, newTransmitted uint64,
 	latestHandshake *time.Time,
@@ -258,7 +258,7 @@ func getSessionStartTime(
 		return nil // currently not connected
 	}
-	oldestHandshakeTime := time.Now().Add(-2 * time.Minute) // if a handshake is older than 2 minutes, the peer is no longer connected
+	oldestHandshakeTime := time.Now().Add(-1 * c.cfg.Backend.ReKeyTimeoutInterval) // if a handshake is older than the rekey interval + grace-period, the peer is no longer connected
 	switch {
 	// old session was never initiated
 	case oldStats.BytesReceived == 0 && oldStats.BytesTransmitted == 0 && (newReceived > 0 || newTransmitted > 0):
@@ -369,7 +369,7 @@ func (c *StatisticsCollector) pingWorker(ctx context.Context) {
 					p.LastPing = nil
 				}
 				p.UpdatedAt = time.Now()
-				p.CalcConnected()
+				p.CalcConnected(c.cfg.Backend.ReKeyTimeoutInterval)
 				if wasConnected != p.IsConnected {
 					connectionStateChanged = true
--- a/internal/app/wireguard/statistics_test.go
+++ b/internal/app/wireguard/statistics_test.go
@@ -5,10 +5,11 @@ import (
 	"testing"
 	"time"
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
 )
-func Test_getSessionStartTime(t *testing.T) {
+func TestStatisticsCollector_getSessionStartTime(t *testing.T) {
 	now := time.Now()
 	nowMinus1 := now.Add(-1 * time.Minute)
 	nowMinus3 := now.Add(-3 * time.Minute)
@@ -133,7 +134,14 @@ func Test_getSessionStartTime(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := getSessionStartTime(tt.args.oldStats, tt.args.newReceived, tt.args.newTransmitted,
+			c := &StatisticsCollector{
 				cfg: &config.Config{
 					Backend: config.Backend{
 						ReKeyTimeoutInterval: 180 * time.Second,
 					},
 				},
 			}
 			if got := c.getSessionStartTime(tt.args.oldStats, tt.args.newReceived, tt.args.newTransmitted,
 				tt.args.lastHandshake); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("getSessionStartTime() = %v, want %v", got, tt.want)
 			}
--- a/internal/app/wireguard/wireguard.go
+++ b/internal/app/wireguard/wireguard.go
@@ -35,6 +35,7 @@ type InterfaceAndPeerDatabaseRepo interface {
 	DeletePeer(ctx context.Context, id domain.PeerIdentifier) error
 	GetPeer(ctx context.Context, id domain.PeerIdentifier) (*domain.Peer, error)
 	GetUsedIpsPerSubnet(ctx context.Context, subnets []domain.Cidr) (map[domain.Cidr][]domain.Cidr, error)
 	GetUser(ctx context.Context, id domain.UserIdentifier) (*domain.User, error)
 }
 type WgQuickController interface {
--- a/internal/app/wireguard/wireguard_interfaces.go
+++ b/internal/app/wireguard/wireguard_interfaces.go
@@ -16,6 +16,11 @@ import (
 	"github.com/h44z/wg-portal/internal/domain"
 )
 // GetInterface returns the interface for the given interface identifier.
 func (m Manager) GetInterface(ctx context.Context, id domain.InterfaceIdentifier) (*domain.Interface, error) {
 	return m.db.GetInterface(ctx, id)
 }
 // GetInterfaceAndPeers returns the interface and all peers for the given interface identifier.
 func (m Manager) GetInterfaceAndPeers(ctx context.Context, id domain.InterfaceIdentifier) (
 	*domain.Interface,
@@ -63,12 +68,17 @@ func (m Manager) GetAllInterfacesAndPeers(ctx context.Context) ([]domain.Interfa
 // GetUserInterfaces returns all interfaces that are available for users to create new peers.
 // If self-provisioning is disabled, this function will return an empty list.
-// At the moment, there are no interfaces specific to single users, thus the user id is not used.
+func (m Manager) GetUserInterfaces(ctx context.Context, userId domain.UserIdentifier) ([]domain.Interface, error) {
 func (m Manager) GetUserInterfaces(ctx context.Context, _ domain.UserIdentifier) ([]domain.Interface, error) {
 	if !m.cfg.Core.SelfProvisioningAllowed {
 		return nil, nil // self-provisioning is disabled - no interfaces for users
 	}
 	user, err := m.db.GetUser(ctx, userId)
 	if err != nil {
 		slog.Error("failed to load user for interface group verification", "user", userId, "error", err)
 		return nil, nil // fail closed
 	}
 	interfaces, err := m.db.GetAllInterfaces(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("unable to load all interfaces: %w", err)
@@ -83,6 +93,9 @@ func (m Manager) GetUserInterfaces(ctx context.Context, _ domain.UserIdentifier)
 		if iface.Type != domain.InterfaceTypeServer {
 			continue // skip client interfaces
 		}
 		if !user.IsAdmin && !iface.IsUserAllowed(userId, m.cfg) {
 			continue // user not allowed due to LDAP group filter
 		}
 		userInterfaces = append(userInterfaces, iface.PublicInfo())
 	}
--- a/internal/app/wireguard/wireguard_interfaces_test.go
+++ b/internal/app/wireguard/wireguard_interfaces_test.go
@@ -6,6 +6,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
 )
@@ -92,3 +93,126 @@ func TestImportPeer_AddressMapping(t *testing.T) {
 		})
 	}
 }
 func (f *mockDB) GetUser(ctx context.Context, id domain.UserIdentifier) (*domain.User, error) {
 	return &domain.User{
 		Identifier: id,
 		IsAdmin:    false,
 	}, nil
 }
 func TestInterface_IsUserAllowed(t *testing.T) {
 	cfg := &config.Config{
 		Auth: config.Auth{
 			Ldap: []config.LdapProvider{
 				{
 					ProviderName: "ldap1",
 					InterfaceFilter: map[string]string{
 						"wg0": "(memberOf=CN=VPNUsers,...)",
 					},
 				},
 			},
 		},
 	}
 	tests := []struct {
 		name   string
 		iface  domain.Interface
 		userId domain.UserIdentifier
 		expect bool
 	}{
 		{
 			name: "Unrestricted interface",
 			iface: domain.Interface{
 				Identifier: "wg1",
 			},
 			userId: "user1",
 			expect: true,
 		},
 		{
 			name: "Restricted interface - user allowed",
 			iface: domain.Interface{
 				Identifier: "wg0",
 				LdapAllowedUsers: map[string][]domain.UserIdentifier{
 					"ldap1": {"user1"},
 				},
 			},
 			userId: "user1",
 			expect: true,
 		},
 		{
 			name: "Restricted interface - user allowed (at least one match)",
 			iface: domain.Interface{
 				Identifier: "wg0",
 				LdapAllowedUsers: map[string][]domain.UserIdentifier{
 					"ldap1": {"user2"},
 					"ldap2": {"user1"},
 				},
 			},
 			userId: "user1",
 			expect: true,
 		},
 		{
 			name: "Restricted interface - user NOT allowed",
 			iface: domain.Interface{
 				Identifier: "wg0",
 				LdapAllowedUsers: map[string][]domain.UserIdentifier{
 					"ldap1": {"user2"},
 				},
 			},
 			userId: "user1",
 			expect: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			assert.Equal(t, tt.expect, tt.iface.IsUserAllowed(tt.userId, cfg))
 		})
 	}
 }
 func TestManager_GetUserInterfaces_Filtering(t *testing.T) {
 	cfg := &config.Config{}
 	cfg.Core.SelfProvisioningAllowed = true
 	cfg.Auth.Ldap = []config.LdapProvider{
 		{
 			ProviderName: "ldap1",
 			InterfaceFilter: map[string]string{
 				"wg_restricted": "(some-filter)",
 			},
 		},
 	}
 	db := &mockDB{
 		interfaces: []domain.Interface{
 			{Identifier: "wg_public", Type: domain.InterfaceTypeServer},
 			{
 				Identifier: "wg_restricted",
 				Type:       domain.InterfaceTypeServer,
 				LdapAllowedUsers: map[string][]domain.UserIdentifier{
 					"ldap1": {"allowed_user"},
 				},
 			},
 		},
 	}
 	m := Manager{
 		cfg: cfg,
 		db:  db,
 	}
 	t.Run("Allowed user sees both", func(t *testing.T) {
 		ifaces, err := m.GetUserInterfaces(context.Background(), "allowed_user")
 		assert.NoError(t, err)
 		assert.Equal(t, 2, len(ifaces))
 	})
 	t.Run("Unallowed user sees only public", func(t *testing.T) {
 		ifaces, err := m.GetUserInterfaces(context.Background(), "other_user")
 		assert.NoError(t, err)
 		assert.Equal(t, 1, len(ifaces))
 		if len(ifaces) > 0 {
 			assert.Equal(t, domain.InterfaceIdentifier("wg_public"), ifaces[0].Identifier)
 		}
 	})
 }
--- a/internal/app/wireguard/wireguard_peers.go
+++ b/internal/app/wireguard/wireguard_peers.go
@@ -93,6 +93,10 @@ func (m Manager) PreparePeer(ctx context.Context, id domain.InterfaceIdentifier)
 	currentUser := domain.GetUserInfo(ctx)
 	if err := m.checkInterfaceAccess(ctx, id); err != nil {
 		return nil, err
 	}
 	iface, err := m.db.GetInterface(ctx, id)
 	if err != nil {
 		return nil, fmt.Errorf("unable to find interface %s: %w", id, err)
@@ -188,6 +192,9 @@ func (m Manager) CreatePeer(ctx context.Context, peer *domain.Peer) (*domain.Pee
 		if err := domain.ValidateUserAccessRights(ctx, peer.UserIdentifier); err != nil {
 			return nil, err
 		}
 		if err := m.checkInterfaceAccess(ctx, peer.InterfaceIdentifier); err != nil {
 			return nil, err
 		}
 	}
 	sessionUser := domain.GetUserInfo(ctx)
@@ -304,6 +311,10 @@ func (m Manager) UpdatePeer(ctx context.Context, peer *domain.Peer) (*domain.Pee
 		return nil, err
 	}
 	if err := m.checkInterfaceAccess(ctx, existingPeer.InterfaceIdentifier); err != nil {
 		return nil, err
 	}
 	if err := m.validatePeerModifications(ctx, existingPeer, peer); err != nil {
 		return nil, fmt.Errorf("update not allowed: %w", err)
 	}
@@ -373,6 +384,10 @@ func (m Manager) DeletePeer(ctx context.Context, id domain.PeerIdentifier) error
 		return err
 	}
 	if err := m.checkInterfaceAccess(ctx, peer.InterfaceIdentifier); err != nil {
 		return err
 	}
 	if err := m.validatePeerDeletion(ctx, peer); err != nil {
 		return fmt.Errorf("delete not allowed: %w", err)
 	}
@@ -606,4 +621,22 @@ func (m Manager) validatePeerDeletion(ctx context.Context, _ *domain.Peer) error
 	return nil
 }
 func (m Manager) checkInterfaceAccess(ctx context.Context, id domain.InterfaceIdentifier) error {
 	user := domain.GetUserInfo(ctx)
 	if user.IsAdmin {
 		return nil
 	}
 	iface, err := m.db.GetInterface(ctx, id)
 	if err != nil {
 		return fmt.Errorf("failed to get interface %s: %w", id, err)
 	}
 	if !iface.IsUserAllowed(user.Id, m.cfg) {
 		return fmt.Errorf("user %s is not allowed to access interface %s: %w", user.Id, id, domain.ErrNoPermission)
 	}
 	return nil
 }
 // endregion helper-functions
--- a/internal/app/wireguard/wireguard_peers_test.go
+++ b/internal/app/wireguard/wireguard_peers_test.go
@@ -60,6 +60,7 @@ func (f *mockController) PingAddresses(_ context.Context, _ string) (*domain.Pin
 type mockDB struct {
 	savedPeers map[domain.PeerIdentifier]*domain.Peer
 	iface      *domain.Interface
 	interfaces []domain.Interface
 }
 func (f *mockDB) GetInterface(ctx context.Context, id domain.InterfaceIdentifier) (*domain.Interface, error) {
@@ -79,6 +80,9 @@ func (f *mockDB) GetPeersStats(ctx context.Context, ids ...domain.PeerIdentifier
 	return nil, nil
 }
 func (f *mockDB) GetAllInterfaces(ctx context.Context) ([]domain.Interface, error) {
 	if f.interfaces != nil {
 		return f.interfaces, nil
 	}
 	if f.iface != nil {
 		return []domain.Interface{*f.iface}, nil
 	}
--- a/internal/config/auth.go
+++ b/internal/config/auth.go
@@ -214,6 +214,10 @@ type LdapProvider struct {
 	// If RegistrationEnabled is set to true, wg-portal will create new users that do not exist in the database.
 	RegistrationEnabled bool `yaml:"registration_enabled"`
 	// InterfaceFilter allows restricting interfaces using an LDAP filter.
 	// Map key is the interface identifier (e.g., "wg0"), value is the filter string.
 	InterfaceFilter map[string]string `yaml:"interface_filter"`
 	// If LogUserInfo is set to true, the user info retrieved from the LDAP provider will be logged in trace level.
 	LogUserInfo bool `yaml:"log_user_info"`
 }
--- a/internal/config/backend.go
+++ b/internal/config/backend.go
@@ -10,6 +10,8 @@ const LocalBackendName = "local"
 type Backend struct {
 	Default string `yaml:"default"` // The default backend to use (defaults to the internal backend)
 	ReKeyTimeoutInterval time.Duration `yaml:"rekey_timeout_interval"` // Interval after which a connection is assumed dead
 	// Local Backend-specific configuration
 	IgnoredLocalInterfaces []string `yaml:"ignored_local_interfaces"` // A list of interface names that should be ignored by this backend (e.g., "wg0")
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -139,6 +139,7 @@ func defaultConfig() *Config {
 	cfg.Backend = Backend{
 		Default:                LocalBackendName, // local backend is the default (using wgcrtl)
 		ReKeyTimeoutInterval:   getEnvDuration("WG_PORTAL_BACKEND_REKEY_TIMEOUT_INTERVAL", 180*time.Second),
 		IgnoredLocalInterfaces: getEnvStrSlice("WG_PORTAL_BACKEND_IGNORED_LOCAL_INTERFACES", nil),
 		// Most resolconf implementations use "tun." as a prefix for interface names.
 		// But systemd's implementation uses no prefix, for example.
--- a/internal/domain/interface.go
+++ b/internal/domain/interface.go
@@ -78,6 +78,33 @@ type Interface struct {
 	PeerDefPostUp   string // default action that is executed after the device is up
 	PeerDefPreDown  string // default action that is executed before the device is down
 	PeerDefPostDown string // default action that is executed after the device is down
 	// Self-provisioning access control
 	LdapAllowedUsers map[string][]UserIdentifier `gorm:"serializer:json"` // Materialised during LDAP sync, keyed by ProviderName
 }
 // IsUserAllowed returns true if the interface has no filter, or if the user is in the allowed list.
 func (i *Interface) IsUserAllowed(userId UserIdentifier, cfg *config.Config) bool {
 	isRestricted := false
 	for _, provider := range cfg.Auth.Ldap {
 		if _, exists := provider.InterfaceFilter[string(i.Identifier)]; exists {
 			isRestricted = true
 			break
 		}
 	}
 	if !isRestricted {
 		return true // The interface is completely unrestricted by LDAP config
 	}
 	for _, allowedUsers := range i.LdapAllowedUsers {
 		for _, uid := range allowedUsers {
 			if uid == userId {
 				return true
 			}
 		}
 	}
 	return false
 }
 // PublicInfo returns a copy of the interface with only the public information.
--- a/internal/domain/statistics.go
+++ b/internal/domain/statistics.go
@@ -21,8 +21,8 @@ type PeerStatus struct {
 	LastSessionStart *time.Time `gorm:"column:last_session_start" json:"LastSessionStart"`
 }
-func (s *PeerStatus) CalcConnected() {
+func (s *PeerStatus) CalcConnected(timeout time.Duration) {
-	oldestHandshakeTime := time.Now().Add(-2 * time.Minute) // if a handshake is older than 2 minutes, the peer is no longer connected
+	oldestHandshakeTime := time.Now().Add(-1 * timeout) // if a handshake is older than the rekey-interval + grace-period, the peer is no longer connected
 	handshakeValid := false
 	if s.LastHandshake != nil {
--- a/internal/domain/statistics_test.go
+++ b/internal/domain/statistics_test.go
@@ -9,10 +9,15 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 	now := time.Now()
 	past := now.Add(-3 * time.Minute)
 	recent := now.Add(-1 * time.Minute)
 	defaultTimeout := 125 * time.Second // rekey interval of 120s + 5 seconds grace period
 	past126 := now.Add(-1*defaultTimeout - 1*time.Second)
 	past125 := now.Add(-1 * defaultTimeout)
 	past124 := now.Add(-1*defaultTimeout + 1*time.Second)
 	tests := []struct {
 		name    string
 		status  PeerStatus
 		timeout time.Duration
 		want    bool
 	}{
 		{
@@ -21,6 +26,7 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    true,
 				LastHandshake: &recent,
 			},
 			timeout: defaultTimeout,
 			want:    true,
 		},
 		{
@@ -29,6 +35,7 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    false,
 				LastHandshake: &recent,
 			},
 			timeout: defaultTimeout,
 			want:    true,
 		},
 		{
@@ -37,14 +44,43 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    true,
 				LastHandshake: &past,
 			},
 			timeout: defaultTimeout,
 			want:    true,
 		},
 		{
-			name: "Not pingable and old handshake",
+			name: "Not pingable and ok handshake (-124s)",
 			status: PeerStatus{
 				IsPingable:    false,
 				LastHandshake: &past124,
 			},
 			timeout: defaultTimeout,
 			want:    true,
 		},
 		{
 			name: "Not pingable and old handshake (-125s)",
 			status: PeerStatus{
 				IsPingable:    false,
 				LastHandshake: &past125,
 			},
 			timeout: defaultTimeout,
 			want:    false,
 		},
 		{
 			name: "Not pingable and old handshake (-126s)",
 			status: PeerStatus{
 				IsPingable:    false,
 				LastHandshake: &past126,
 			},
 			timeout: defaultTimeout,
 			want:    false,
 		},
 		{
 			name: "Not pingable and old handshake (very old)",
 			status: PeerStatus{
 				IsPingable:    false,
 				LastHandshake: &past,
 			},
 			timeout: defaultTimeout,
 			want:    false,
 		},
 		{
@@ -53,6 +89,7 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    true,
 				LastHandshake: nil,
 			},
 			timeout: defaultTimeout,
 			want:    true,
 		},
 		{
@@ -61,12 +98,13 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    false,
 				LastHandshake: nil,
 			},
 			timeout: defaultTimeout,
 			want:    false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			tt.status.CalcConnected()
+			tt.status.CalcConnected(tt.timeout)
 			if got := tt.status.IsConnected; got != tt.want {
 				t.Errorf("IsConnected = %v, want %v", got, tt.want)
 			}