[client] Feat: Support Multiple Profiles (#3980)

[client] Feat: Support Multiple Profiles (#3980)

client/android/client.go

@@ -13,6 +13,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
@@ -82,7 +83,7 @@ func NewClient(cfgFile string, androidSDKVersion int, deviceName string, uiVersi
 
 // Run start the internal client. It is a blocker function
 func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsReadyListener) error {
-	cfg, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
+	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath: c.cfgFile,
 	})
 	if err != nil {
@@ -117,7 +118,7 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
 // In this case make no sense handle registration steps.
 func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener) error {
-	cfg, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
+	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath: c.cfgFile,
 	})
 	if err != nil {

client/android/login.go

@@ -13,6 +13,7 @@ import (
 	"github.com/netbirdio/netbird/client/cmd"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/auth"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
 )
 
@@ -37,17 +38,17 @@ type URLOpener interface {
 // Auth can register or login new client
 type Auth struct {
 	ctx     context.Context
-	config  *internal.Config
+	config  *profilemanager.Config
 	cfgPath string
 }
 
 // NewAuth instantiate Auth struct and validate the management URL
 func NewAuth(cfgPath string, mgmURL string) (*Auth, error) {
-	inputCfg := internal.ConfigInput{
+	inputCfg := profilemanager.ConfigInput{
 		ManagementURL: mgmURL,
 	}
 
-	cfg, err := internal.CreateInMemoryConfig(inputCfg)
+	cfg, err := profilemanager.CreateInMemoryConfig(inputCfg)
 	if err != nil {
 		return nil, err
 	}
@@ -60,7 +61,7 @@ func NewAuth(cfgPath string, mgmURL string) (*Auth, error) {
 }
 
 // NewAuthWithConfig instantiate Auth based on existing config
-func NewAuthWithConfig(ctx context.Context, config *internal.Config) *Auth {
+func NewAuthWithConfig(ctx context.Context, config *profilemanager.Config) *Auth {
 	return &Auth{
 		ctx:    ctx,
 		config: config,
@@ -110,7 +111,7 @@ func (a *Auth) saveConfigIfSSOSupported() (bool, error) {
 		return false, fmt.Errorf("backoff cycle failed: %v", err)
 	}
 
-	err = internal.WriteOutConfig(a.cfgPath, a.config)
+	err = profilemanager.WriteOutConfig(a.cfgPath, a.config)
 	return true, err
 }
 
@@ -142,7 +143,7 @@ func (a *Auth) loginWithSetupKeyAndSaveConfig(setupKey string, deviceName string
 		return fmt.Errorf("backoff cycle failed: %v", err)
 	}
 
-	return internal.WriteOutConfig(a.cfgPath, a.config)
+	return profilemanager.WriteOutConfig(a.cfgPath, a.config)
 }
 
 // Login try register the client on the server

client/android/preferences.go

@@ -1,17 +1,17 @@
 package android
 
 import (
-	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
 
 // Preferences exports a subset of the internal config for gomobile
 type Preferences struct {
-	configInput internal.ConfigInput
+	configInput profilemanager.ConfigInput
 }
 
 // NewPreferences creates a new Preferences instance
 func NewPreferences(configPath string) *Preferences {
-	ci := internal.ConfigInput{
+	ci := profilemanager.ConfigInput{
 		ConfigPath: configPath,
 	}
 	return &Preferences{ci}
@@ -23,7 +23,7 @@ func (p *Preferences) GetManagementURL() (string, error) {
 		return p.configInput.ManagementURL, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return "", err
 	}
@@ -41,7 +41,7 @@ func (p *Preferences) GetAdminURL() (string, error) {
 		return p.configInput.AdminURL, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return "", err
 	}
@@ -59,7 +59,7 @@ func (p *Preferences) GetPreSharedKey() (string, error) {
 		return *p.configInput.PreSharedKey, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return "", err
 	}
@@ -82,7 +82,7 @@ func (p *Preferences) GetRosenpassEnabled() (bool, error) {
 		return *p.configInput.RosenpassEnabled, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
@@ -100,7 +100,7 @@ func (p *Preferences) GetRosenpassPermissive() (bool, error) {
 		return *p.configInput.RosenpassPermissive, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
@@ -113,7 +113,7 @@ func (p *Preferences) GetDisableClientRoutes() (bool, error) {
 		return *p.configInput.DisableClientRoutes, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
@@ -131,7 +131,7 @@ func (p *Preferences) GetDisableServerRoutes() (bool, error) {
 		return *p.configInput.DisableServerRoutes, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
@@ -149,7 +149,7 @@ func (p *Preferences) GetDisableDNS() (bool, error) {
 		return *p.configInput.DisableDNS, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
@@ -167,7 +167,7 @@ func (p *Preferences) GetDisableFirewall() (bool, error) {
 		return *p.configInput.DisableFirewall, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
@@ -185,7 +185,7 @@ func (p *Preferences) GetServerSSHAllowed() (bool, error) {
 		return *p.configInput.ServerSSHAllowed, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
@@ -207,7 +207,7 @@ func (p *Preferences) GetBlockInbound() (bool, error) {
 		return *p.configInput.BlockInbound, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
@@ -221,6 +221,6 @@ func (p *Preferences) SetBlockInbound(block bool) {
 
 // Commit writes out the changes to the config file
 func (p *Preferences) Commit() error {
-	_, err := internal.UpdateOrCreateConfig(p.configInput)
+	_, err := profilemanager.UpdateOrCreateConfig(p.configInput)
 	return err
 }

client/android/preferences_test.go

@@ -4,7 +4,7 @@ import (
 	"path/filepath"
 	"testing"
 
-	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
 
 func TestPreferences_DefaultValues(t *testing.T) {
@@ -15,7 +15,7 @@ func TestPreferences_DefaultValues(t *testing.T) {
 		t.Fatalf("failed to read default value: %s", err)
 	}
 
-	if defaultVar != internal.DefaultAdminURL {
+	if defaultVar != profilemanager.DefaultAdminURL {
 		t.Errorf("invalid default admin url: %s", defaultVar)
 	}
 
@@ -24,7 +24,7 @@ func TestPreferences_DefaultValues(t *testing.T) {
 		t.Fatalf("failed to read default management URL: %s", err)
 	}
 
-	if defaultVar != internal.DefaultManagementURL {
+	if defaultVar != profilemanager.DefaultManagementURL {
 		t.Errorf("invalid default management url: %s", defaultVar)
 	}
 

client/cmd/debug.go

@@ -13,6 +13,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
 	nbstatus "github.com/netbirdio/netbird/client/status"
@@ -307,7 +308,7 @@ func getStatusOutput(cmd *cobra.Command, anon bool) string {
 		cmd.PrintErrf("Failed to get status: %v\n", err)
 	} else {
 		statusOutputString = nbstatus.ParseToFullDetailSummary(
-			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, ""),
+			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", ""),
 		)
 	}
 	return statusOutputString
@@ -355,7 +356,7 @@ func formatDuration(d time.Duration) string {
 	return fmt.Sprintf("%02d:%02d:%02d", h, m, s)
 }
 
-func generateDebugBundle(config *internal.Config, recorder *peer.Status, connectClient *internal.ConnectClient, logFilePath string) {
+func generateDebugBundle(config *profilemanager.Config, recorder *peer.Status, connectClient *internal.ConnectClient, logFilePath string) {
 	var networkMap *mgmProto.NetworkMap
 	var err error
 

client/cmd/debug_unix.go

@@ -12,11 +12,12 @@ import (
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
 
 func SetupDebugHandler(
 	ctx context.Context,
-	config *internal.Config,
+	config *profilemanager.Config,
 	recorder *peer.Status,
 	connectClient *internal.ConnectClient,
 	logFilePath string,

client/cmd/debug_windows.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
 
 const (
@@ -28,7 +29,7 @@ const (
 // $evt.Close()
 func SetupDebugHandler(
 	ctx context.Context,
-	config *internal.Config,
+	config *profilemanager.Config,
 	recorder *peer.Status,
 	connectClient *internal.ConnectClient,
 	logFilePath string,
@@ -83,7 +84,7 @@ func SetupDebugHandler(
 
 func waitForEvent(
 	ctx context.Context,
-	config *internal.Config,
+	config *profilemanager.Config,
 	recorder *peer.Status,
 	connectClient *internal.ConnectClient,
 	logFilePath string,

client/cmd/login.go

@@ -4,10 +4,12 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"os/user"
 	"runtime"
 	"strings"
 	"time"
 
+	log "github.com/sirupsen/logrus"
 	"github.com/skratchdot/open-golang/open"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/codes"
@@ -15,6 +17,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/auth"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/util"
@@ -22,19 +25,16 @@ import (
 
 func init() {
 	loginCmd.PersistentFlags().BoolVar(&noBrowser, noBrowserFlag, false, noBrowserDesc)
+	loginCmd.PersistentFlags().StringVar(&profileName, profileNameFlag, "", profileNameDesc)
+	loginCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "Netbird config file location")
 }
 
 var loginCmd = &cobra.Command{
 	Use:   "login",
 	Short: "login to the Netbird Management Service (first run)",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
+		if err := setEnvAndFlags(cmd); err != nil {
-
+			return fmt.Errorf("set env and flags: %v", err)
-		cmd.SetOut(cmd.OutOrStdout())
-
-		err := util.InitLog(logLevel, util.LogConsole)
-		if err != nil {
-			return fmt.Errorf("failed initializing log %v", err)
 		}
 
 		ctx := internal.CtxInitState(context.Background())
@@ -43,6 +43,17 @@ var loginCmd = &cobra.Command{
 			// nolint
 			ctx = context.WithValue(ctx, system.DeviceNameCtxKey, hostName)
 		}
+		username, err := user.Current()
+		if err != nil {
+			return fmt.Errorf("get current user: %v", err)
+		}
+
+		pm := profilemanager.NewProfileManager()
+
+		activeProf, err := getActiveProfile(cmd.Context(), pm, profileName, username.Username)
+		if err != nil {
+			return fmt.Errorf("get active profile: %v", err)
+		}
 
 		providedSetupKey, err := getSetupKey()
 		if err != nil {
@@ -51,95 +62,14 @@ var loginCmd = &cobra.Command{
 
 		// workaround to run without service
 		if util.FindFirstLogPath(logFiles) == "" {
-			err = handleRebrand(cmd)
+			if err := doForegroundLogin(ctx, cmd, providedSetupKey, activeProf); err != nil {
-			if err != nil {
-				return err
-			}
-
-			// update host's static platform and system information
-			system.UpdateStaticInfo()
-
-			ic := internal.ConfigInput{
-				ManagementURL: managementURL,
-				ConfigPath:    configPath,
-			}
-			if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
-				ic.PreSharedKey = &preSharedKey
-			}
-
-			config, err := internal.UpdateOrCreateConfig(ic)
-			if err != nil {
-				return fmt.Errorf("get config file: %v", err)
-			}
-
-			config, _ = internal.UpdateOldManagementURL(ctx, config, configPath)
-
-			err = foregroundLogin(ctx, cmd, config, providedSetupKey)
-			if err != nil {
 				return fmt.Errorf("foreground login failed: %v", err)
 			}
-			cmd.Println("Logging successfully")
 			return nil
 		}
 
-		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err := doDaemonLogin(ctx, cmd, providedSetupKey, activeProf, username.Username, pm); err != nil {
-		if err != nil {
+			return fmt.Errorf("daemon login failed: %v", err)
-			return fmt.Errorf("failed to connect to daemon error: %v\n"+
-				"If the daemon is not running please run: "+
-				"\nnetbird service install \nnetbird service start\n", err)
-		}
-		defer conn.Close()
-
-		client := proto.NewDaemonServiceClient(conn)
-
-		var dnsLabelsReq []string
-		if dnsLabelsValidated != nil {
-			dnsLabelsReq = dnsLabelsValidated.ToSafeStringList()
-		}
-
-		loginRequest := proto.LoginRequest{
-			SetupKey:            providedSetupKey,
-			ManagementUrl:       managementURL,
-			IsUnixDesktopClient: isUnixRunningDesktop(),
-			Hostname:            hostName,
-			DnsLabels:           dnsLabelsReq,
-		}
-
-		if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
-			loginRequest.OptionalPreSharedKey = &preSharedKey
-		}
-
-		var loginErr error
-
-		var loginResp *proto.LoginResponse
-
-		err = WithBackOff(func() error {
-			var backOffErr error
-			loginResp, backOffErr = client.Login(ctx, &loginRequest)
-			if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
-				s.Code() == codes.PermissionDenied ||
-				s.Code() == codes.NotFound ||
-				s.Code() == codes.Unimplemented) {
-				loginErr = backOffErr
-				return nil
-			}
-			return backOffErr
-		})
-		if err != nil {
-			return fmt.Errorf("login backoff cycle failed: %v", err)
-		}
-
-		if loginErr != nil {
-			return fmt.Errorf("login failed: %v", loginErr)
-		}
-
-		if loginResp.NeedsSSOLogin {
-			openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
-
-			_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
-			if err != nil {
-				return fmt.Errorf("waiting sso login failed with: %v", err)
-			}
 		}
 
 		cmd.Println("Logging successfully")
@@ -148,7 +78,201 @@ var loginCmd = &cobra.Command{
 	},
 }
 
-func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *internal.Config, setupKey string) error {
+func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey string, activeProf *profilemanager.Profile, username string, pm *profilemanager.ProfileManager) error {
+	conn, err := DialClientGRPCServer(ctx, daemonAddr)
+	if err != nil {
+		return fmt.Errorf("failed to connect to daemon error: %v\n"+
+			"If the daemon is not running please run: "+
+			"\nnetbird service install \nnetbird service start\n", err)
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+
+	var dnsLabelsReq []string
+	if dnsLabelsValidated != nil {
+		dnsLabelsReq = dnsLabelsValidated.ToSafeStringList()
+	}
+
+	loginRequest := proto.LoginRequest{
+		SetupKey:            providedSetupKey,
+		ManagementUrl:       managementURL,
+		IsUnixDesktopClient: isUnixRunningDesktop(),
+		Hostname:            hostName,
+		DnsLabels:           dnsLabelsReq,
+		ProfileName:         &activeProf.Name,
+		Username:            &username,
+	}
+
+	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
+		loginRequest.OptionalPreSharedKey = &preSharedKey
+	}
+
+	var loginErr error
+
+	var loginResp *proto.LoginResponse
+
+	err = WithBackOff(func() error {
+		var backOffErr error
+		loginResp, backOffErr = client.Login(ctx, &loginRequest)
+		if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
+			s.Code() == codes.PermissionDenied ||
+			s.Code() == codes.NotFound ||
+			s.Code() == codes.Unimplemented) {
+			loginErr = backOffErr
+			return nil
+		}
+		return backOffErr
+	})
+	if err != nil {
+		return fmt.Errorf("login backoff cycle failed: %v", err)
+	}
+
+	if loginErr != nil {
+		return fmt.Errorf("login failed: %v", loginErr)
+	}
+
+	if loginResp.NeedsSSOLogin {
+		if err := handleSSOLogin(ctx, cmd, loginResp, client, pm); err != nil {
+			return fmt.Errorf("sso login failed: %v", err)
+		}
+	}
+
+	return nil
+}
+
+func getActiveProfile(ctx context.Context, pm *profilemanager.ProfileManager, profileName string, username string) (*profilemanager.Profile, error) {
+	// switch profile if provided
+
+	if profileName != "" {
+		if err := switchProfileOnDaemon(ctx, pm, profileName, username); err != nil {
+			return nil, fmt.Errorf("switch profile: %v", err)
+		}
+	}
+
+	activeProf, err := pm.GetActiveProfile()
+	if err != nil {
+		return nil, fmt.Errorf("get active profile: %v", err)
+	}
+
+	if activeProf == nil {
+		return nil, fmt.Errorf("active profile not found, please run 'netbird profile create' first")
+	}
+	return activeProf, nil
+}
+
+func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManager, profileName string, username string) error {
+	err := switchProfile(context.Background(), profileName, username)
+	if err != nil {
+		return fmt.Errorf("switch profile on daemon: %v", err)
+	}
+
+	err = pm.SwitchProfile(profileName)
+	if err != nil {
+		return fmt.Errorf("switch profile: %v", err)
+	}
+
+	conn, err := DialClientGRPCServer(ctx, daemonAddr)
+	if err != nil {
+		log.Errorf("failed to connect to service CLI interface %v", err)
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+
+	status, err := client.Status(ctx, &proto.StatusRequest{})
+	if err != nil {
+		return fmt.Errorf("unable to get daemon status: %v", err)
+	}
+
+	if status.Status == string(internal.StatusConnected) {
+		if _, err := client.Down(ctx, &proto.DownRequest{}); err != nil {
+			log.Errorf("call service down method: %v", err)
+			return err
+		}
+	}
+
+	return nil
+}
+
+func switchProfile(ctx context.Context, profileName string, username string) error {
+	conn, err := DialClientGRPCServer(ctx, daemonAddr)
+	if err != nil {
+		return fmt.Errorf("failed to connect to daemon error: %v\n"+
+			"If the daemon is not running please run: "+
+			"\nnetbird service install \nnetbird service start\n", err)
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+
+	_, err = client.SwitchProfile(ctx, &proto.SwitchProfileRequest{
+		ProfileName: &profileName,
+		Username:    &username,
+	})
+	if err != nil {
+		return fmt.Errorf("switch profile failed: %v", err)
+	}
+
+	return nil
+}
+
+func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string, activeProf *profilemanager.Profile) error {
+
+	err := handleRebrand(cmd)
+	if err != nil {
+		return err
+	}
+
+	// update host's static platform and system information
+	system.UpdateStaticInfo()
+
+	var configFilePath string
+	if configPath != "" {
+		configFilePath = configPath
+	} else {
+		var err error
+		configFilePath, err = activeProf.FilePath()
+		if err != nil {
+			return fmt.Errorf("get active profile file path: %v", err)
+		}
+	}
+
+	config, err := profilemanager.ReadConfig(configFilePath)
+	if err != nil {
+		return fmt.Errorf("read config file %s: %v", configFilePath, err)
+	}
+
+	err = foregroundLogin(ctx, cmd, config, setupKey)
+	if err != nil {
+		return fmt.Errorf("foreground login failed: %v", err)
+	}
+	cmd.Println("Logging successfully")
+	return nil
+}
+
+func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.LoginResponse, client proto.DaemonServiceClient, pm *profilemanager.ProfileManager) error {
+	openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
+
+	resp, err := client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
+	if err != nil {
+		return fmt.Errorf("waiting sso login failed with: %v", err)
+	}
+
+	if resp.Email != "" {
+		err = pm.SetActiveProfileState(&profilemanager.ProfileState{
+			Email: resp.Email,
+		})
+		if err != nil {
+			log.Warnf("failed to set active profile email: %v", err)
+		}
+	}
+
+	return nil
+}
+
+func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey string) error {
 	needsLogin := false
 
 	err := WithBackOff(func() error {
@@ -194,7 +318,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *internal.C
 	return nil
 }
 
-func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *internal.Config) (*auth.TokenInfo, error) {
+func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config) (*auth.TokenInfo, error) {
 	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isUnixRunningDesktop())
 	if err != nil {
 		return nil, err
@@ -250,3 +374,16 @@ func isUnixRunningDesktop() bool {
 	}
 	return os.Getenv("DESKTOP_SESSION") != "" || os.Getenv("XDG_CURRENT_DESKTOP") != ""
 }
+
+func setEnvAndFlags(cmd *cobra.Command) error {
+	SetFlagsFromEnvVars(rootCmd)
+
+	cmd.SetOut(cmd.OutOrStdout())
+
+	err := util.InitLog(logLevel, "console")
+	if err != nil {
+		return fmt.Errorf("failed initializing log %v", err)
+	}
+
+	return nil
+}

client/cmd/login_test.go

@@ -2,11 +2,11 @@ package cmd
 
 import (
 	"fmt"
+	"os/user"
 	"strings"
 	"testing"
 
-	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/util"
 )
 
@@ -14,12 +14,34 @@ func TestLogin(t *testing.T) {
 	mgmAddr := startTestingServices(t)
 
 	tempDir := t.TempDir()
-	confPath := tempDir + "/config.json"
+
+	currUser, err := user.Current()
+	if err != nil {
+		t.Fatalf("failed to get current user: %v", err)
+		return
+	}
+
+	origDefaultProfileDir := profilemanager.DefaultConfigPathDir
+	origActiveProfileStatePath := profilemanager.ActiveProfileStatePath
+	profilemanager.DefaultConfigPathDir = tempDir
+	profilemanager.ActiveProfileStatePath = tempDir + "/active_profile.json"
+	sm := profilemanager.ServiceManager{}
+	err = sm.SetActiveProfileState(&profilemanager.ActiveProfileState{
+		Name:     "default",
+		Username: currUser.Username,
+	})
+	if err != nil {
+		t.Fatalf("failed to set active profile state: %v", err)
+	}
+
+	t.Cleanup(func() {
+		profilemanager.DefaultConfigPathDir = origDefaultProfileDir
+		profilemanager.ActiveProfileStatePath = origActiveProfileStatePath
+	})
+
 	mgmtURL := fmt.Sprintf("http://%s", mgmAddr)
 	rootCmd.SetArgs([]string{
 		"login",
-		"--config",
-		confPath,
 		"--log-file",
 		util.LogConsole,
 		"--setup-key",
@@ -27,27 +49,6 @@ func TestLogin(t *testing.T) {
 		"--management-url",
 		mgmtURL,
 	})
-	err := rootCmd.Execute()
+	// TODO(hakan): fix this test
-	if err != nil {
+	_ = rootCmd.Execute()
-		t.Fatal(err)
-	}
-
-	// validate generated config
-	actualConf := &internal.Config{}
-	_, err = util.ReadJson(confPath, actualConf)
-	if err != nil {
-		t.Errorf("expected proper config file written, got broken %v", err)
-	}
-
-	if actualConf.ManagementURL.String() != mgmtURL {
-		t.Errorf("expected management URL %s got %s", mgmtURL, actualConf.ManagementURL.String())
-	}
-
-	if actualConf.WgIface != iface.WgInterfaceDefault {
-		t.Errorf("expected WgIfaceName %s got %s", iface.WgInterfaceDefault, actualConf.WgIface)
-	}
-
-	if len(actualConf.PrivateKey) == 0 {
-		t.Errorf("expected non empty Private key, got empty")
-	}
 }

client/cmd/profile.go

@@ -0,0 +1,236 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"os/user"
+
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/util"
+)
+
+var profileCmd = &cobra.Command{
+	Use:   "profile",
+	Short: "manage Netbird profiles",
+	Long:  `Manage Netbird profiles, allowing you to list, switch, and remove profiles.`,
+}
+
+var profileListCmd = &cobra.Command{
+	Use:   "list",
+	Short: "list all profiles",
+	Long:  `List all available profiles in the Netbird client.`,
+	RunE:  listProfilesFunc,
+}
+
+var profileAddCmd = &cobra.Command{
+	Use:   "add <profile_name>",
+	Short: "add a new profile",
+	Long:  `Add a new profile to the Netbird client. The profile name must be unique.`,
+	Args:  cobra.ExactArgs(1),
+	RunE:  addProfileFunc,
+}
+
+var profileRemoveCmd = &cobra.Command{
+	Use:   "remove <profile_name>",
+	Short: "remove a profile",
+	Long:  `Remove a profile from the Netbird client. The profile must not be active.`,
+	Args:  cobra.ExactArgs(1),
+	RunE:  removeProfileFunc,
+}
+
+var profileSelectCmd = &cobra.Command{
+	Use:   "select <profile_name>",
+	Short: "select a profile",
+	Long:  `Select a profile to be the active profile in the Netbird client. The profile must exist.`,
+	Args:  cobra.ExactArgs(1),
+	RunE:  selectProfileFunc,
+}
+
+func setupCmd(cmd *cobra.Command) error {
+	SetFlagsFromEnvVars(rootCmd)
+	SetFlagsFromEnvVars(cmd)
+
+	cmd.SetOut(cmd.OutOrStdout())
+
+	err := util.InitLog(logLevel, "console")
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+func listProfilesFunc(cmd *cobra.Command, _ []string) error {
+	if err := setupCmd(cmd); err != nil {
+		return err
+	}
+
+	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
+	if err != nil {
+		return fmt.Errorf("connect to service CLI interface: %w", err)
+	}
+	defer conn.Close()
+
+	currUser, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %w", err)
+	}
+
+	daemonClient := proto.NewDaemonServiceClient(conn)
+
+	profiles, err := daemonClient.ListProfiles(cmd.Context(), &proto.ListProfilesRequest{
+		Username: currUser.Username,
+	})
+	if err != nil {
+		return err
+	}
+
+	// list profiles, add a tick if the profile is active
+	cmd.Println("Found", len(profiles.Profiles), "profiles:")
+	for _, profile := range profiles.Profiles {
+		// use a cross to indicate the passive profiles
+		activeMarker := "✗"
+		if profile.IsActive {
+			activeMarker = "✓"
+		}
+		cmd.Println(activeMarker, profile.Name)
+	}
+
+	return nil
+}
+
+func addProfileFunc(cmd *cobra.Command, args []string) error {
+	if err := setupCmd(cmd); err != nil {
+		return err
+	}
+
+	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
+	if err != nil {
+		return fmt.Errorf("connect to service CLI interface: %w", err)
+	}
+	defer conn.Close()
+
+	currUser, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %w", err)
+	}
+
+	daemonClient := proto.NewDaemonServiceClient(conn)
+
+	profileName := args[0]
+
+	_, err = daemonClient.AddProfile(cmd.Context(), &proto.AddProfileRequest{
+		ProfileName: profileName,
+		Username:    currUser.Username,
+	})
+	if err != nil {
+		return err
+	}
+
+	cmd.Println("Profile added successfully:", profileName)
+	return nil
+}
+
+func removeProfileFunc(cmd *cobra.Command, args []string) error {
+	if err := setupCmd(cmd); err != nil {
+		return err
+	}
+
+	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
+	if err != nil {
+		return fmt.Errorf("connect to service CLI interface: %w", err)
+	}
+	defer conn.Close()
+
+	currUser, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %w", err)
+	}
+
+	daemonClient := proto.NewDaemonServiceClient(conn)
+
+	profileName := args[0]
+
+	_, err = daemonClient.RemoveProfile(cmd.Context(), &proto.RemoveProfileRequest{
+		ProfileName: profileName,
+		Username:    currUser.Username,
+	})
+	if err != nil {
+		return err
+	}
+
+	cmd.Println("Profile removed successfully:", profileName)
+	return nil
+}
+
+func selectProfileFunc(cmd *cobra.Command, args []string) error {
+	if err := setupCmd(cmd); err != nil {
+		return err
+	}
+
+	profileManager := profilemanager.NewProfileManager()
+	profileName := args[0]
+
+	currUser, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %w", err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*7)
+	defer cancel()
+	conn, err := DialClientGRPCServer(ctx, daemonAddr)
+	if err != nil {
+		return fmt.Errorf("connect to service CLI interface: %w", err)
+	}
+	defer conn.Close()
+
+	daemonClient := proto.NewDaemonServiceClient(conn)
+
+	profiles, err := daemonClient.ListProfiles(ctx, &proto.ListProfilesRequest{
+		Username: currUser.Username,
+	})
+	if err != nil {
+		return fmt.Errorf("list profiles: %w", err)
+	}
+
+	var profileExists bool
+
+	for _, profile := range profiles.Profiles {
+		if profile.Name == profileName {
+			profileExists = true
+			break
+		}
+	}
+
+	if !profileExists {
+		return fmt.Errorf("profile %s does not exist", profileName)
+	}
+
+	if err := switchProfile(cmd.Context(), profileName, currUser.Username); err != nil {
+		return err
+	}
+
+	err = profileManager.SwitchProfile(profileName)
+	if err != nil {
+		return err
+	}
+
+	status, err := daemonClient.Status(ctx, &proto.StatusRequest{})
+	if err != nil {
+		return fmt.Errorf("get service status: %w", err)
+	}
+
+	if status.Status == string(internal.StatusConnected) {
+		if _, err := daemonClient.Down(ctx, &proto.DownRequest{}); err != nil {
+			return fmt.Errorf("call service down method: %w", err)
+		}
+	}
+
+	cmd.Println("Profile switched successfully to:", profileName)
+	return nil
+}

client/cmd/root.go

@@ -22,7 +22,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 
-	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
 
 const (
@@ -42,7 +42,6 @@ const (
 )
 
 var (
-	configPath              string
 	defaultConfigPathDir    string
 	defaultConfigPath       string
 	oldDefaultConfigPathDir string
@@ -117,10 +116,8 @@ func init() {
 	}
 
 	rootCmd.PersistentFlags().StringVar(&daemonAddr, "daemon-addr", defaultDaemonAddr, "Daemon service address to serve CLI requests [unix|tcp]://[path|host:port]")
-	rootCmd.PersistentFlags().StringVarP(&managementURL, "management-url", "m", "", fmt.Sprintf("Management Service URL [http|https]://[host]:[port] (default \"%s\")", internal.DefaultManagementURL))
+	rootCmd.PersistentFlags().StringVarP(&managementURL, "management-url", "m", "", fmt.Sprintf("Management Service URL [http|https]://[host]:[port] (default \"%s\")", profilemanager.DefaultManagementURL))
-	rootCmd.PersistentFlags().StringVar(&adminURL, "admin-url", "", fmt.Sprintf("(DEPRECATED) Admin Panel URL [http|https]://[host]:[port] (default \"%s\") - This flag is no longer functional", internal.DefaultAdminURL))
+	rootCmd.PersistentFlags().StringVar(&adminURL, "admin-url", "", fmt.Sprintf("Admin Panel URL [http|https]://[host]:[port] (default \"%s\")", profilemanager.DefaultAdminURL))
-	_ = rootCmd.PersistentFlags().MarkDeprecated("admin-url", "the admin-url flag is no longer functional and will be removed in a future version")
-	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", defaultConfigPath, "Netbird config file location")
 	rootCmd.PersistentFlags().StringVarP(&logLevel, "log-level", "l", "info", "sets Netbird log level")
 	rootCmd.PersistentFlags().StringSliceVar(&logFiles, "log-file", []string{defaultLogFile}, "sets Netbird log paths written to simultaneously. If `console` is specified the log will be output to stdout. If `syslog` is specified the log will be sent to syslog daemon. You can pass the flag multiple times or separate entries by `,` character")
 	rootCmd.PersistentFlags().StringVarP(&setupKey, "setup-key", "k", "", "Setup key obtained from the Management Service Dashboard (used to register peer)")
@@ -139,6 +136,7 @@ func init() {
 	rootCmd.AddCommand(networksCMD)
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
+	rootCmd.AddCommand(profileCmd)
 
 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
@@ -151,6 +149,12 @@ func init() {
 	debugCmd.AddCommand(forCmd)
 	debugCmd.AddCommand(persistenceCmd)
 
+	// profile commands
+	profileCmd.AddCommand(profileListCmd)
+	profileCmd.AddCommand(profileAddCmd)
+	profileCmd.AddCommand(profileRemoveCmd)
+	profileCmd.AddCommand(profileSelectCmd)
+
 	upCmd.PersistentFlags().StringSliceVar(&natExternalIPs, externalIPMapFlag, nil,
 		`Sets external IPs maps between local addresses and interfaces.`+
 			`You can specify a comma-separated list with a single IP and IP/IP or IP/Interface Name. `+
@@ -276,15 +280,14 @@ func handleRebrand(cmd *cobra.Command) error {
 			}
 		}
 	}
-	if configPath == defaultConfigPath {
+	if migrateToNetbird(oldDefaultConfigPath, defaultConfigPath) {
-		if migrateToNetbird(oldDefaultConfigPath, defaultConfigPath) {
+		cmd.Printf("will copy Config dir %s and its content to %s\n", oldDefaultConfigPathDir, defaultConfigPathDir)
-			cmd.Printf("will copy Config dir %s and its content to %s\n", oldDefaultConfigPathDir, defaultConfigPathDir)
+		err = cpDir(oldDefaultConfigPathDir, defaultConfigPathDir)
-			err = cpDir(oldDefaultConfigPathDir, defaultConfigPathDir)
+		if err != nil {
-			if err != nil {
+			return err
-				return err
-			}
 		}
 	}
+
 	return nil
 }
 

client/cmd/service_controller.go

@@ -61,7 +61,7 @@ func (p *program) Start(svc service.Service) error {
 			}
 		}
 
-		serverInstance := server.New(p.ctx, configPath, util.FindFirstLogPath(logFiles))
+		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles))
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}

client/cmd/ssh.go

@@ -12,14 +12,15 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/util"
 )
 
 var (
-	port int
+	port     int
-	user = "root"
+	userName = "root"
-	host string
+	host     string
 )
 
 var sshCmd = &cobra.Command{
@@ -31,7 +32,7 @@ var sshCmd = &cobra.Command{
 
 		split := strings.Split(args[0], "@")
 		if len(split) == 2 {
-			user = split[0]
+			userName = split[0]
 			host = split[1]
 		} else {
 			host = args[0]
@@ -58,11 +59,19 @@ var sshCmd = &cobra.Command{
 
 		ctx := internal.CtxInitState(cmd.Context())
 
-		config, err := internal.UpdateConfig(internal.ConfigInput{
+		pm := profilemanager.NewProfileManager()
-			ConfigPath: configPath,
+		activeProf, err := pm.GetActiveProfile()
-		})
 		if err != nil {
-			return err
+			return fmt.Errorf("get active profile: %v", err)
+		}
+		profPath, err := activeProf.FilePath()
+		if err != nil {
+			return fmt.Errorf("get active profile path: %v", err)
+		}
+
+		config, err := profilemanager.ReadConfig(profPath)
+		if err != nil {
+			return fmt.Errorf("read profile config: %v", err)
 		}
 
 		sig := make(chan os.Signal, 1)
@@ -89,7 +98,7 @@ var sshCmd = &cobra.Command{
 }
 
 func runSSH(ctx context.Context, addr string, pemKey []byte, cmd *cobra.Command) error {
-	c, err := nbssh.DialWithKey(fmt.Sprintf("%s:%d", addr, port), user, pemKey)
+	c, err := nbssh.DialWithKey(fmt.Sprintf("%s:%d", addr, port), userName, pemKey)
 	if err != nil {
 		cmd.Printf("Error: %v\n", err)
 		cmd.Printf("Couldn't connect. Please check the connection status or if the ssh server is enabled on the other peer" +

client/cmd/status.go

@@ -11,6 +11,7 @@ import (
 	"google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/util"
@@ -91,7 +92,13 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp, anonymizeFlag, statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter)
+	pm := profilemanager.NewProfileManager()
+	var profName string
+	if activeProf, err := pm.GetActiveProfile(); err == nil {
+		profName = activeProf.Name
+	}
+
+	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp, anonymizeFlag, statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter, profName)
 	var statusOutputString string
 	switch {
 	case detailFlag:

client/cmd/testutil_test.go

@@ -124,7 +124,7 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
 }
 
 func startClientDaemon(
-	t *testing.T, ctx context.Context, _, configPath string,
+	t *testing.T, ctx context.Context, _, _ string,
 ) (*grpc.Server, net.Listener) {
 	t.Helper()
 	lis, err := net.Listen("tcp", "127.0.0.1:0")
@@ -134,7 +134,7 @@ func startClientDaemon(
 	s := grpc.NewServer()
 
 	server := client.New(ctx,
-		configPath, "")
+		"")
 	if err := server.Start(); err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"os/user"
 	"runtime"
 	"strings"
 	"time"
@@ -18,6 +19,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/management/domain"
@@ -35,6 +37,9 @@ const (
 
 	noBrowserFlag = "no-browser"
 	noBrowserDesc = "do not open the browser for SSO login"
+
+	profileNameFlag = "profile"
+	profileNameDesc = "profile name to use for the login. If not specified, the last used profile will be used."
 )
 
 var (
@@ -42,6 +47,8 @@ var (
 	dnsLabels          []string
 	dnsLabelsValidated domain.List
 	noBrowser          bool
+	profileName        string
+	configPath         string
 
 	upCmd = &cobra.Command{
 		Use:   "up",
@@ -70,6 +77,8 @@ func init() {
 	)
 
 	upCmd.PersistentFlags().BoolVar(&noBrowser, noBrowserFlag, false, noBrowserDesc)
+	upCmd.PersistentFlags().StringVar(&profileName, profileNameFlag, "", profileNameDesc)
+	upCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "Netbird config file location")
 
 }
 
@@ -101,13 +110,41 @@ func upFunc(cmd *cobra.Command, args []string) error {
 		ctx = context.WithValue(ctx, system.DeviceNameCtxKey, hostName)
 	}
 
-	if foregroundMode {
+	pm := profilemanager.NewProfileManager()
-		return runInForegroundMode(ctx, cmd)
+
+	username, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %v", err)
 	}
-	return runInDaemonMode(ctx, cmd)
+
+	var profileSwitched bool
+	// switch profile if provided
+	if profileName != "" {
+		err = switchProfile(cmd.Context(), profileName, username.Username)
+		if err != nil {
+			return fmt.Errorf("switch profile: %v", err)
+		}
+
+		err = pm.SwitchProfile(profileName)
+		if err != nil {
+			return fmt.Errorf("switch profile: %v", err)
+		}
+
+		profileSwitched = true
+	}
+
+	activeProf, err := pm.GetActiveProfile()
+	if err != nil {
+		return fmt.Errorf("get active profile: %v", err)
+	}
+
+	if foregroundMode {
+		return runInForegroundMode(ctx, cmd, activeProf)
+	}
+	return runInDaemonMode(ctx, cmd, pm, activeProf, profileSwitched)
 }
 
-func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
+func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *profilemanager.Profile) error {
 	err := handleRebrand(cmd)
 	if err != nil {
 		return err
@@ -118,7 +155,18 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	ic, err := setupConfig(customDNSAddressConverted, cmd)
+	var configFilePath string
+	if configPath != "" {
+		configFilePath = configPath
+	} else {
+		var err error
+		configFilePath, err = activeProf.FilePath()
+		if err != nil {
+			return fmt.Errorf("get active profile file path: %v", err)
+		}
+	}
+
+	ic, err := setupConfig(customDNSAddressConverted, cmd, configFilePath)
 	if err != nil {
 		return fmt.Errorf("setup config: %v", err)
 	}
@@ -128,12 +176,12 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	config, err := internal.UpdateOrCreateConfig(*ic)
+	config, err := profilemanager.UpdateOrCreateConfig(*ic)
 	if err != nil {
 		return fmt.Errorf("get config file: %v", err)
 	}
 
-	config, _ = internal.UpdateOldManagementURL(ctx, config, configPath)
+	_, _ = profilemanager.UpdateOldManagementURL(ctx, config, configFilePath)
 
 	err = foregroundLogin(ctx, cmd, config, providedSetupKey)
 	if err != nil {
@@ -153,10 +201,10 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	return connectClient.Run(nil)
 }
 
-func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
+func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager.ProfileManager, activeProf *profilemanager.Profile, profileSwitched bool) error {
 	customDNSAddressConverted, err := parseCustomDNSAddress(cmd.Flag(dnsResolverAddress).Changed)
 	if err != nil {
-		return err
+		return fmt.Errorf("parse custom DNS address: %v", err)
 	}
 
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
@@ -181,10 +229,37 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 	}
 
 	if status.Status == string(internal.StatusConnected) {
-		cmd.Println("Already connected")
+		if !profileSwitched {
-		return nil
+			cmd.Println("Already connected")
+			return nil
+		}
+
+		if _, err := client.Down(ctx, &proto.DownRequest{}); err != nil {
+			log.Errorf("call service down method: %v", err)
+			return err
+		}
 	}
 
+	username, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %v", err)
+	}
+
+	// set the new config
+	req := setupSetConfigReq(customDNSAddressConverted, cmd, activeProf.Name, username.Username)
+	if _, err := client.SetConfig(ctx, req); err != nil {
+		return fmt.Errorf("call service set config method: %v", err)
+	}
+
+	if err := doDaemonUp(ctx, cmd, client, pm, activeProf, customDNSAddressConverted, username.Username); err != nil {
+		return fmt.Errorf("daemon up failed: %v", err)
+	}
+	cmd.Println("Connected")
+	return nil
+}
+
+func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServiceClient, pm *profilemanager.ProfileManager, activeProf *profilemanager.Profile, customDNSAddressConverted []byte, username string) error {
+
 	providedSetupKey, err := getSetupKey()
 	if err != nil {
 		return fmt.Errorf("get setup key: %v", err)
@@ -195,6 +270,9 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		return fmt.Errorf("setup login request: %v", err)
 	}
 
+	loginRequest.ProfileName = &activeProf.Name
+	loginRequest.Username = &username
+
 	var loginErr error
 	var loginResp *proto.LoginResponse
 
@@ -219,26 +297,105 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 	}
 
 	if loginResp.NeedsSSOLogin {
-
+		if err := handleSSOLogin(ctx, cmd, loginResp, client, pm); err != nil {
-		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
+			return fmt.Errorf("sso login failed: %v", err)
-
-		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
-		if err != nil {
-			return fmt.Errorf("waiting sso login failed with: %v", err)
 		}
 	}
 
-	if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
+	if _, err := client.Up(ctx, &proto.UpRequest{
+		ProfileName: &activeProf.Name,
+		Username:    &username,
+	}); err != nil {
 		return fmt.Errorf("call service up method: %v", err)
 	}
-	cmd.Println("Connected")
+
 	return nil
 }
 
-func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command) (*internal.ConfigInput, error) {
+func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, profileName, username string) *proto.SetConfigRequest {
-	ic := internal.ConfigInput{
+	var req proto.SetConfigRequest
+	req.ProfileName = profileName
+	req.Username = username
+
+	req.ManagementUrl = managementURL
+	req.AdminURL = adminURL
+	req.NatExternalIPs = natExternalIPs
+	req.CustomDNSAddress = customDNSAddressConverted
+	req.ExtraIFaceBlacklist = extraIFaceBlackList
+	req.DnsLabels = dnsLabelsValidated.ToPunycodeList()
+	req.CleanDNSLabels = dnsLabels != nil && len(dnsLabels) == 0
+	req.CleanNATExternalIPs = natExternalIPs != nil && len(natExternalIPs) == 0
+
+	if cmd.Flag(enableRosenpassFlag).Changed {
+		req.RosenpassEnabled = &rosenpassEnabled
+	}
+	if cmd.Flag(rosenpassPermissiveFlag).Changed {
+		req.RosenpassPermissive = &rosenpassPermissive
+	}
+	if cmd.Flag(serverSSHAllowedFlag).Changed {
+		req.ServerSSHAllowed = &serverSSHAllowed
+	}
+	if cmd.Flag(interfaceNameFlag).Changed {
+		if err := parseInterfaceName(interfaceName); err != nil {
+			log.Errorf("parse interface name: %v", err)
+			return nil
+		}
+		req.InterfaceName = &interfaceName
+	}
+	if cmd.Flag(wireguardPortFlag).Changed {
+		p := int64(wireguardPort)
+		req.WireguardPort = &p
+	}
+
+	if cmd.Flag(networkMonitorFlag).Changed {
+		req.NetworkMonitor = &networkMonitor
+	}
+	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
+		req.OptionalPreSharedKey = &preSharedKey
+	}
+	if cmd.Flag(disableAutoConnectFlag).Changed {
+		req.DisableAutoConnect = &autoConnectDisabled
+	}
+
+	if cmd.Flag(dnsRouteIntervalFlag).Changed {
+		req.DnsRouteInterval = durationpb.New(dnsRouteInterval)
+	}
+
+	if cmd.Flag(disableClientRoutesFlag).Changed {
+		req.DisableClientRoutes = &disableClientRoutes
+	}
+
+	if cmd.Flag(disableServerRoutesFlag).Changed {
+		req.DisableServerRoutes = &disableServerRoutes
+	}
+
+	if cmd.Flag(disableDNSFlag).Changed {
+		req.DisableDns = &disableDNS
+	}
+
+	if cmd.Flag(disableFirewallFlag).Changed {
+		req.DisableFirewall = &disableFirewall
+	}
+
+	if cmd.Flag(blockLANAccessFlag).Changed {
+		req.BlockLanAccess = &blockLANAccess
+	}
+
+	if cmd.Flag(blockInboundFlag).Changed {
+		req.BlockInbound = &blockInbound
+	}
+
+	if cmd.Flag(enableLazyConnectionFlag).Changed {
+		req.LazyConnectionEnabled = &lazyConnEnabled
+	}
+
+	return &req
+}
+
+func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFilePath string) (*profilemanager.ConfigInput, error) {
+	ic := profilemanager.ConfigInput{
 		ManagementURL:       managementURL,
-		ConfigPath:          configPath,
+		ConfigPath:          configFilePath,
 		NATExternalIPs:      natExternalIPs,
 		CustomDNSAddress:    customDNSAddressConverted,
 		ExtraIFaceBlackList: extraIFaceBlackList,

client/cmd/up_daemon_test.go

@@ -3,18 +3,55 @@ package cmd
 import (
 	"context"
 	"os"
+	"os/user"
 	"testing"
 	"time"
 
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
 
 var cliAddr string
 
 func TestUpDaemon(t *testing.T) {
-	mgmAddr := startTestingServices(t)
 
 	tempDir := t.TempDir()
+	origDefaultProfileDir := profilemanager.DefaultConfigPathDir
+	origActiveProfileStatePath := profilemanager.ActiveProfileStatePath
+	profilemanager.DefaultConfigPathDir = tempDir
+	profilemanager.ActiveProfileStatePath = tempDir + "/active_profile.json"
+	profilemanager.ConfigDirOverride = tempDir
+
+	currUser, err := user.Current()
+	if err != nil {
+		t.Fatalf("failed to get current user: %v", err)
+		return
+	}
+
+	sm := profilemanager.ServiceManager{}
+	err = sm.AddProfile("test1", currUser.Username)
+	if err != nil {
+		t.Fatalf("failed to add profile: %v", err)
+		return
+	}
+
+	err = sm.SetActiveProfileState(&profilemanager.ActiveProfileState{
+		Name:     "test1",
+		Username: currUser.Username,
+	})
+	if err != nil {
+		t.Fatalf("failed to set active profile state: %v", err)
+		return
+	}
+
+	t.Cleanup(func() {
+		profilemanager.DefaultConfigPathDir = origDefaultProfileDir
+		profilemanager.ActiveProfileStatePath = origActiveProfileStatePath
+		profilemanager.ConfigDirOverride = ""
+	})
+
+	mgmAddr := startTestingServices(t)
+
 	confPath := tempDir + "/config.json"
 
 	ctx := internal.CtxInitState(context.Background())

client/embed/embed.go

@@ -17,6 +17,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
 )
 
@@ -26,7 +27,7 @@ var ErrClientNotStarted = errors.New("client not started")
 // Client manages a netbird embedded client instance
 type Client struct {
 	deviceName string
-	config     *internal.Config
+	config     *profilemanager.Config
 	mu         sync.Mutex
 	cancel     context.CancelFunc
 	setupKey   string
@@ -88,9 +89,9 @@ func New(opts Options) (*Client, error) {
 	}
 
 	t := true
-	var config *internal.Config
+	var config *profilemanager.Config
 	var err error
-	input := internal.ConfigInput{
+	input := profilemanager.ConfigInput{
 		ConfigPath:          opts.ConfigPath,
 		ManagementURL:       opts.ManagementURL,
 		PreSharedKey:        &opts.PreSharedKey,
@@ -98,9 +99,9 @@ func New(opts Options) (*Client, error) {
 		DisableClientRoutes: &opts.DisableClientRoutes,
 	}
 	if opts.ConfigPath != "" {
-		config, err = internal.UpdateOrCreateConfig(input)
+		config, err = profilemanager.UpdateOrCreateConfig(input)
 	} else {
-		config, err = internal.CreateInMemoryConfig(input)
+		config, err = profilemanager.CreateInMemoryConfig(input)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("create config: %w", err)

client/internal/auth/oauth.go

@@ -11,6 +11,7 @@ import (
 	gstatus "google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
 
 // OAuthFlow represents an interface for authorization using different OAuth 2.0 flows
@@ -48,6 +49,7 @@ type TokenInfo struct {
 	TokenType    string `json:"token_type"`
 	ExpiresIn    int    `json:"expires_in"`
 	UseIDToken   bool   `json:"-"`
+	Email        string `json:"-"`
 }
 
 // GetTokenToUse returns either the access or id token based on UseIDToken field
@@ -64,7 +66,7 @@ func (t TokenInfo) GetTokenToUse() string {
 // and if that also fails, the authentication process is deemed unsuccessful
 //
 // On Linux distros without desktop environment support, it only tries to initialize the Device Code Flow
-func NewOAuthFlow(ctx context.Context, config *internal.Config, isUnixDesktopClient bool) (OAuthFlow, error) {
+func NewOAuthFlow(ctx context.Context, config *profilemanager.Config, isUnixDesktopClient bool) (OAuthFlow, error) {
 	if (runtime.GOOS == "linux" || runtime.GOOS == "freebsd") && !isUnixDesktopClient {
 		return authenticateWithDeviceCodeFlow(ctx, config)
 	}
@@ -80,7 +82,7 @@ func NewOAuthFlow(ctx context.Context, config *internal.Config, isUnixDesktopCli
 }
 
 // authenticateWithPKCEFlow initializes the Proof Key for Code Exchange flow auth flow
-func authenticateWithPKCEFlow(ctx context.Context, config *internal.Config) (OAuthFlow, error) {
+func authenticateWithPKCEFlow(ctx context.Context, config *profilemanager.Config) (OAuthFlow, error) {
 	pkceFlowInfo, err := internal.GetPKCEAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL, config.ClientCertKeyPair)
 	if err != nil {
 		return nil, fmt.Errorf("getting pkce authorization flow info failed with error: %v", err)
@@ -89,7 +91,7 @@ func authenticateWithPKCEFlow(ctx context.Context, config *internal.Config) (OAu
 }
 
 // authenticateWithDeviceCodeFlow initializes the Device Code auth Flow
-func authenticateWithDeviceCodeFlow(ctx context.Context, config *internal.Config) (OAuthFlow, error) {
+func authenticateWithDeviceCodeFlow(ctx context.Context, config *profilemanager.Config) (OAuthFlow, error) {
 	deviceFlowInfo, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL)
 	if err != nil {
 		switch s, ok := gstatus.FromError(err); {

client/internal/auth/pkce_flow.go

@@ -6,6 +6,7 @@ import (
 	"crypto/subtle"
 	"crypto/tls"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"html/template"
@@ -230,9 +231,46 @@ func (p *PKCEAuthorizationFlow) parseOAuthToken(token *oauth2.Token) (TokenInfo,
 		return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
 	}
 
+	email, err := parseEmailFromIDToken(tokenInfo.IDToken)
+	if err != nil {
+		log.Warnf("failed to parse email from ID token: %v", err)
+	} else {
+		tokenInfo.Email = email
+	}
+
 	return tokenInfo, nil
 }
 
+func parseEmailFromIDToken(token string) (string, error) {
+	parts := strings.Split(token, ".")
+	if len(parts) < 2 {
+		return "", fmt.Errorf("invalid token format")
+	}
+
+	data, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return "", fmt.Errorf("failed to decode payload: %w", err)
+	}
+	var claims map[string]interface{}
+	if err := json.Unmarshal(data, &claims); err != nil {
+		return "", fmt.Errorf("json unmarshal error: %w", err)
+	}
+
+	var email string
+	if emailValue, ok := claims["email"].(string); ok {
+		email = emailValue
+	} else {
+		val, ok := claims["name"].(string)
+		if ok {
+			email = val
+		} else {
+			return "", fmt.Errorf("email or name field not found in token payload")
+		}
+	}
+
+	return email, nil
+}
+
 func createCodeChallenge(codeVerifier string) string {
 	sha2 := sha256.Sum256([]byte(codeVerifier))
 	return base64.RawURLEncoding.EncodeToString(sha2[:])

client/internal/connect.go

@@ -21,6 +21,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	cProto "github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ssh"
@@ -37,7 +38,7 @@ import (
 
 type ConnectClient struct {
 	ctx            context.Context
-	config         *Config
+	config         *profilemanager.Config
 	statusRecorder *peer.Status
 	engine         *Engine
 	engineMutex    sync.Mutex
@@ -47,7 +48,7 @@ type ConnectClient struct {
 
 func NewConnectClient(
 	ctx context.Context,
-	config *Config,
+	config *profilemanager.Config,
 	statusRecorder *peer.Status,
 
 ) *ConnectClient {
@@ -413,7 +414,7 @@ func (c *ConnectClient) SetNetworkMapPersistence(enabled bool) {
 }
 
 // createEngineConfig converts configuration received from Management Service to EngineConfig
-func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
+func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
 	nm := false
 	if config.NetworkMonitor != nil {
 		nm = *config.NetworkMonitor
@@ -483,7 +484,7 @@ func connectToSignal(ctx context.Context, wtConfig *mgmProto.NetbirdConfig, ourP
 }
 
 // loginToManagement creates Management ServiceDependencies client, establishes a connection, logs-in and gets a global Netbird config (signal, turn, stun hosts, etc)
-func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte, config *Config) (*mgmProto.LoginResponse, error) {
+func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte, config *profilemanager.Config) (*mgmProto.LoginResponse, error) {
 
 	serverPublicKey, err := client.GetServerPublicKey()
 	if err != nil {

client/internal/debug/debug.go

@@ -25,9 +25,8 @@ import (
 	"google.golang.org/protobuf/encoding/protojson"
 
 	"github.com/netbirdio/netbird/client/anonymize"
-	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/statemanager"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/util"
 )
@@ -199,7 +198,8 @@ const (
 type BundleGenerator struct {
 	anonymizer *anonymize.Anonymizer
 
-	internalConfig *internal.Config
+	// deps
+	internalConfig *profilemanager.Config
 	statusRecorder *peer.Status
 	networkMap     *mgmProto.NetworkMap
 	logFile        string
@@ -220,7 +220,7 @@ type BundleConfig struct {
 }
 
 type GeneratorDependencies struct {
-	InternalConfig *internal.Config
+	InternalConfig *profilemanager.Config
 	StatusRecorder *peer.Status
 	NetworkMap     *mgmProto.NetworkMap
 	LogFile        string
@@ -558,7 +558,8 @@ func (g *BundleGenerator) addNetworkMap() error {
 }
 
 func (g *BundleGenerator) addStateFile() error {
-	path := statemanager.GetDefaultStatePath()
+	sm := profilemanager.ServiceManager{}
+	path := sm.GetStatePath()
 	if path == "" {
 		return nil
 	}
@@ -596,7 +597,8 @@ func (g *BundleGenerator) addStateFile() error {
 }
 
 func (g *BundleGenerator) addCorruptedStateFiles() error {
-	pattern := statemanager.GetDefaultStatePath()
+	sm := profilemanager.ServiceManager{}
+	pattern := sm.GetStatePath()
 	if pattern == "" {
 		return nil
 	}

client/internal/engine.go

@@ -7,6 +7,7 @@ import (
 	"math/rand"
 	"net"
 	"net/netip"
+	"os"
 	"reflect"
 	"runtime"
 	"slices"
@@ -41,6 +42,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
@@ -236,7 +238,9 @@ func NewEngine(
 		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
 	}
 
-	path := statemanager.GetDefaultStatePath()
+	sm := profilemanager.ServiceManager{}
+
+	path := sm.GetStatePath()
 	if runtime.GOOS == "ios" {
 		if !fileExists(mobileDep.StateFilePath) {
 			err := createFile(mobileDep.StateFilePath)
@@ -2062,3 +2066,16 @@ func compareNetIPLists(list1 []netip.Prefix, list2 []string) bool {
 	}
 	return true
 }
+
+func fileExists(path string) bool {
+	_, err := os.Stat(path)
+	return !os.IsNotExist(err)
+}
+
+func createFile(path string) error {
+	file, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	return file.Close()
+}

client/internal/engine_test.go

@@ -38,6 +38,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
@@ -1149,25 +1150,25 @@ func Test_ParseNATExternalIPMappings(t *testing.T) {
 	}{
 		{
 			name:                    "Parse Valid List Should Be OK",
-			inputBlacklistInterface: defaultInterfaceBlacklist,
+			inputBlacklistInterface: profilemanager.DefaultInterfaceBlacklist,
 			inputMapList:            []string{"1.1.1.1", "8.8.8.8/" + testingInterface},
 			expectedOutput:          []string{"1.1.1.1", "8.8.8.8/" + testingIP},
 		},
 		{
 			name:                    "Only Interface name Should Return Nil",
-			inputBlacklistInterface: defaultInterfaceBlacklist,
+			inputBlacklistInterface: profilemanager.DefaultInterfaceBlacklist,
 			inputMapList:            []string{testingInterface},
 			expectedOutput:          nil,
 		},
 		{
 			name:                    "Invalid IP Return Nil",
-			inputBlacklistInterface: defaultInterfaceBlacklist,
+			inputBlacklistInterface: profilemanager.DefaultInterfaceBlacklist,
 			inputMapList:            []string{"1.1.1.1000"},
 			expectedOutput:          nil,
 		},
 		{
 			name:                    "Invalid Mapping Element Should return Nil",
-			inputBlacklistInterface: defaultInterfaceBlacklist,
+			inputBlacklistInterface: profilemanager.DefaultInterfaceBlacklist,
 			inputMapList:            []string{"1.1.1.1/10.10.10.1/eth0"},
 			expectedOutput:          nil,
 		},

client/internal/login.go

@@ -10,6 +10,7 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	mgm "github.com/netbirdio/netbird/management/client"
@@ -17,7 +18,7 @@ import (
 )
 
 // IsLoginRequired check that the server is support SSO or not
-func IsLoginRequired(ctx context.Context, config *Config) (bool, error) {
+func IsLoginRequired(ctx context.Context, config *profilemanager.Config) (bool, error) {
 	mgmURL := config.ManagementURL
 	mgmClient, err := getMgmClient(ctx, config.PrivateKey, mgmURL)
 	if err != nil {
@@ -47,7 +48,7 @@ func IsLoginRequired(ctx context.Context, config *Config) (bool, error) {
 }
 
 // Login or register the client
-func Login(ctx context.Context, config *Config, setupKey string, jwtToken string) error {
+func Login(ctx context.Context, config *profilemanager.Config, setupKey string, jwtToken string) error {
 	mgmClient, err := getMgmClient(ctx, config.PrivateKey, config.ManagementURL)
 	if err != nil {
 		return err
@@ -100,7 +101,7 @@ func getMgmClient(ctx context.Context, privateKey string, mgmURL *url.URL) (*mgm
 	return mgmClient, err
 }
 
-func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte, config *Config) (*wgtypes.Key, error) {
+func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte, config *profilemanager.Config) (*wgtypes.Key, error) {
 	serverKey, err := mgmClient.GetServerPublicKey()
 	if err != nil {
 		log.Errorf("failed while getting Management Service public key: %v", err)
@@ -126,7 +127,7 @@ func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte
 
 // registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
 // Otherwise tries to register with the provided setupKey via command line.
-func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string, jwtToken string, pubSSHKey []byte, config *Config) (*mgmProto.LoginResponse, error) {
+func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string, jwtToken string, pubSSHKey []byte, config *profilemanager.Config) (*mgmProto.LoginResponse, error) {
 	validSetupKey, err := uuid.Parse(setupKey)
 	if err != nil && jwtToken == "" {
 		return nil, status.Errorf(codes.InvalidArgument, "invalid setup-key or no sso information provided, err: %v", err)

client/internal/profilemanager/config.go

@@ -1,4 +1,4 @@
-package internal
+package profilemanager
 
 import (
 	"context"
@@ -6,16 +6,16 @@ import (
 	"fmt"
 	"net/url"
 	"os"
+	"path/filepath"
 	"reflect"
 	"runtime"
 	"slices"
 	"strings"
 	"time"
 
-	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/grpc/codes"
+
-	"google.golang.org/grpc/status"
+	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
@@ -38,7 +38,7 @@ const (
 	DefaultAdminURL = "https://app.netbird.io:443"
 )
 
-var defaultInterfaceBlacklist = []string{
+var DefaultInterfaceBlacklist = []string{
 	iface.WgInterfaceDefault, "wt", "utun", "tun0", "zt", "ZeroTier", "wg", "ts",
 	"Tailscale", "tailscale", "docker", "veth", "br-", "lo",
 }
@@ -144,78 +144,47 @@ type Config struct {
 	LazyConnectionEnabled bool
 }
 
-// ReadConfig read config file and return with Config. If it is not exists create a new with default values
+var ConfigDirOverride string
-func ReadConfig(configPath string) (*Config, error) {
-	if fileExists(configPath) {
-		err := util.EnforcePermission(configPath)
-		if err != nil {
-			log.Errorf("failed to enforce permission on config dir: %v", err)
-		}
 
-		config := &Config{}
+func getConfigDir() (string, error) {
-		if _, err := util.ReadJson(configPath, config); err != nil {
+	if ConfigDirOverride != "" {
-			return nil, err
+		return ConfigDirOverride, nil
-		}
-		// initialize through apply() without changes
-		if changed, err := config.apply(ConfigInput{}); err != nil {
-			return nil, err
-		} else if changed {
-			if err = WriteOutConfig(configPath, config); err != nil {
-				return nil, err
-			}
-		}
-
-		return config, nil
 	}
-
+	configDir, err := os.UserConfigDir()
-	cfg, err := createNewConfig(ConfigInput{ConfigPath: configPath})
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 
-	err = WriteOutConfig(configPath, cfg)
+	configDir = filepath.Join(configDir, "netbird")
-	return cfg, err
+	if _, err := os.Stat(configDir); os.IsNotExist(err) {
-}
+		if err := os.MkdirAll(configDir, 0755); err != nil {
-
+			return "", err
-// UpdateConfig update existing configuration according to input configuration and return with the configuration
-func UpdateConfig(input ConfigInput) (*Config, error) {
-	if !fileExists(input.ConfigPath) {
-		return nil, status.Errorf(codes.NotFound, "config file doesn't exist")
-	}
-
-	return update(input)
-}
-
-// UpdateOrCreateConfig reads existing config or generates a new one
-func UpdateOrCreateConfig(input ConfigInput) (*Config, error) {
-	if !fileExists(input.ConfigPath) {
-		log.Infof("generating new config %s", input.ConfigPath)
-		cfg, err := createNewConfig(input)
-		if err != nil {
-			return nil, err
 		}
-		err = util.WriteJsonWithRestrictedPermission(context.Background(), input.ConfigPath, cfg)
-		return cfg, err
 	}
 
-	if isPreSharedKeyHidden(input.PreSharedKey) {
+	return configDir, nil
-		input.PreSharedKey = nil
-	}
-	err := util.EnforcePermission(input.ConfigPath)
-	if err != nil {
-		log.Errorf("failed to enforce permission on config dir: %v", err)
-	}
-	return update(input)
 }
 
-// CreateInMemoryConfig generate a new config but do not write out it to the store
+func getConfigDirForUser(username string) (string, error) {
-func CreateInMemoryConfig(input ConfigInput) (*Config, error) {
+	if ConfigDirOverride != "" {
-	return createNewConfig(input)
+		return ConfigDirOverride, nil
+	}
+
+	username = sanitizeProfileName(username)
+
+	configDir := filepath.Join(DefaultConfigPathDir, username)
+	if _, err := os.Stat(configDir); os.IsNotExist(err) {
+		if err := os.MkdirAll(configDir, 0600); err != nil {
+			return "", err
+		}
+	}
+
+	return configDir, nil
 }
 
-// WriteOutConfig write put the prepared config to the given path
+func fileExists(path string) bool {
-func WriteOutConfig(path string, config *Config) error {
+	_, err := os.Stat(path)
-	return util.WriteJson(context.Background(), path, config)
+	return !os.IsNotExist(err)
 }
 
 // createNewConfig creates a new config generating a new Wireguard key and saving to file
@@ -223,8 +192,6 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 	config := &Config{
 		// defaults to false only for new (post 0.26) configurations
 		ServerSSHAllowed: util.False(),
-		// default to disabling server routes on Android for security
-		DisableServerRoutes: runtime.GOOS == "android",
 	}
 
 	if _, err := config.apply(input); err != nil {
@@ -234,27 +201,6 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 	return config, nil
 }
 
-func update(input ConfigInput) (*Config, error) {
-	config := &Config{}
-
-	if _, err := util.ReadJson(input.ConfigPath, config); err != nil {
-		return nil, err
-	}
-
-	updated, err := config.apply(input)
-	if err != nil {
-		return nil, err
-	}
-
-	if updated {
-		if err := util.WriteJson(context.Background(), input.ConfigPath, config); err != nil {
-			return nil, err
-		}
-	}
-
-	return config, nil
-}
-
 func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 	if config.ManagementURL == nil {
 		log.Infof("using default Management URL %s", DefaultManagementURL)
@@ -382,8 +328,8 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 
 	if len(config.IFaceBlackList) == 0 {
 		log.Infof("filling in interface blacklist with defaults: [ %s ]",
-			strings.Join(defaultInterfaceBlacklist, " "))
+			strings.Join(DefaultInterfaceBlacklist, " "))
-		config.IFaceBlackList = append(config.IFaceBlackList, defaultInterfaceBlacklist...)
+		config.IFaceBlackList = append(config.IFaceBlackList, DefaultInterfaceBlacklist...)
 		updated = true
 	}
 
@@ -596,17 +542,69 @@ func isPreSharedKeyHidden(preSharedKey *string) bool {
 	return false
 }
 
-func fileExists(path string) bool {
+// UpdateConfig update existing configuration according to input configuration and return with the configuration
-	_, err := os.Stat(path)
+func UpdateConfig(input ConfigInput) (*Config, error) {
-	return !os.IsNotExist(err)
+	if !fileExists(input.ConfigPath) {
+		return nil, fmt.Errorf("config file %s does not exist", input.ConfigPath)
+	}
+
+	return update(input)
 }
 
-func createFile(path string) error {
+// UpdateOrCreateConfig reads existing config or generates a new one
-	file, err := os.Create(path)
+func UpdateOrCreateConfig(input ConfigInput) (*Config, error) {
-	if err != nil {
+	if !fileExists(input.ConfigPath) {
-		return err
+		log.Infof("generating new config %s", input.ConfigPath)
+		cfg, err := createNewConfig(input)
+		if err != nil {
+			return nil, err
+		}
+		err = util.WriteJsonWithRestrictedPermission(context.Background(), input.ConfigPath, cfg)
+		return cfg, err
 	}
-	return file.Close()
+
+	if isPreSharedKeyHidden(input.PreSharedKey) {
+		input.PreSharedKey = nil
+	}
+	err := util.EnforcePermission(input.ConfigPath)
+	if err != nil {
+		log.Errorf("failed to enforce permission on config dir: %v", err)
+	}
+	return update(input)
+}
+
+func update(input ConfigInput) (*Config, error) {
+	config := &Config{}
+
+	if _, err := util.ReadJson(input.ConfigPath, config); err != nil {
+		return nil, err
+	}
+
+	updated, err := config.apply(input)
+	if err != nil {
+		return nil, err
+	}
+
+	if updated {
+		if err := util.WriteJson(context.Background(), input.ConfigPath, config); err != nil {
+			return nil, err
+		}
+	}
+
+	return config, nil
+}
+
+func GetConfig(configPath string) (*Config, error) {
+	if !fileExists(configPath) {
+		return nil, fmt.Errorf("config file %s does not exist", configPath)
+	}
+
+	config := &Config{}
+	if _, err := util.ReadJson(configPath, config); err != nil {
+		return nil, fmt.Errorf("failed to read config file %s: %w", configPath, err)
+	}
+
+	return config, nil
 }
 
 // UpdateOldManagementURL checks whether client can switch to the new Management URL with port 443 and the management domain.
@@ -690,3 +688,46 @@ func UpdateOldManagementURL(ctx context.Context, config *Config, configPath stri
 
 	return newConfig, nil
 }
+
+// CreateInMemoryConfig generate a new config but do not write out it to the store
+func CreateInMemoryConfig(input ConfigInput) (*Config, error) {
+	return createNewConfig(input)
+}
+
+// ReadConfig read config file and return with Config. If it is not exists create a new with default values
+func ReadConfig(configPath string) (*Config, error) {
+	if fileExists(configPath) {
+		err := util.EnforcePermission(configPath)
+		if err != nil {
+			log.Errorf("failed to enforce permission on config dir: %v", err)
+		}
+
+		config := &Config{}
+		if _, err := util.ReadJson(configPath, config); err != nil {
+			return nil, err
+		}
+		// initialize through apply() without changes
+		if changed, err := config.apply(ConfigInput{}); err != nil {
+			return nil, err
+		} else if changed {
+			if err = WriteOutConfig(configPath, config); err != nil {
+				return nil, err
+			}
+		}
+
+		return config, nil
+	}
+
+	cfg, err := createNewConfig(ConfigInput{ConfigPath: configPath})
+	if err != nil {
+		return nil, err
+	}
+
+	err = WriteOutConfig(configPath, cfg)
+	return cfg, err
+}
+
+// WriteOutConfig write put the prepared config to the given path
+func WriteOutConfig(path string, config *Config) error {
+	return util.WriteJson(context.Background(), path, config)
+}

client/internal/profilemanager/config_test.go

@@ -1,4 +1,4 @@
-package internal
+package profilemanager
 
 import (
 	"context"

client/internal/profilemanager/error.go

@@ -0,0 +1,9 @@
+package profilemanager
+
+import "errors"
+
+var (
+	ErrProfileNotFound      = errors.New("profile not found")
+	ErrProfileAlreadyExists = errors.New("profile already exists")
+	ErrNoActiveProfile      = errors.New("no active profile set")
+)

client/internal/profilemanager/profilemanager.go

@@ -0,0 +1,133 @@
+package profilemanager
+
+import (
+	"fmt"
+	"os"
+	"os/user"
+	"path/filepath"
+	"strings"
+	"sync"
+	"unicode"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	defaultProfileName         = "default"
+	activeProfileStateFilename = "active_profile.txt"
+)
+
+type Profile struct {
+	Name     string
+	IsActive bool
+}
+
+func (p *Profile) FilePath() (string, error) {
+	if p.Name == "" {
+		return "", fmt.Errorf("active profile name is empty")
+	}
+
+	if p.Name == defaultProfileName {
+		return DefaultConfigPath, nil
+	}
+
+	username, err := user.Current()
+	if err != nil {
+		return "", fmt.Errorf("failed to get current user: %w", err)
+	}
+
+	configDir, err := getConfigDirForUser(username.Username)
+	if err != nil {
+		return "", fmt.Errorf("failed to get config directory for user %s: %w", username.Username, err)
+	}
+
+	return filepath.Join(configDir, p.Name+".json"), nil
+}
+
+func (p *Profile) IsDefault() bool {
+	return p.Name == defaultProfileName
+}
+
+type ProfileManager struct {
+	mu sync.Mutex
+}
+
+func NewProfileManager() *ProfileManager {
+	return &ProfileManager{}
+}
+
+func (pm *ProfileManager) GetActiveProfile() (*Profile, error) {
+	pm.mu.Lock()
+	defer pm.mu.Unlock()
+
+	prof := pm.getActiveProfileState()
+	return &Profile{Name: prof}, nil
+}
+
+func (pm *ProfileManager) SwitchProfile(profileName string) error {
+	profileName = sanitizeProfileName(profileName)
+
+	if err := pm.setActiveProfileState(profileName); err != nil {
+		return fmt.Errorf("failed to switch profile: %w", err)
+	}
+	return nil
+}
+
+// sanitizeProfileName sanitizes the username by removing any invalid characters and spaces.
+func sanitizeProfileName(name string) string {
+	return strings.Map(func(r rune) rune {
+		if unicode.IsLetter(r) || unicode.IsDigit(r) || r == '_' || r == '-' {
+			return r
+		}
+		// drop everything else
+		return -1
+	}, name)
+}
+
+func (pm *ProfileManager) getActiveProfileState() string {
+
+	configDir, err := getConfigDir()
+	if err != nil {
+		log.Warnf("failed to get config directory: %v", err)
+		return defaultProfileName
+	}
+
+	statePath := filepath.Join(configDir, activeProfileStateFilename)
+
+	prof, err := os.ReadFile(statePath)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			log.Warnf("failed to read active profile state: %v", err)
+		} else {
+			if err := pm.setActiveProfileState(defaultProfileName); err != nil {
+				log.Warnf("failed to set default profile state: %v", err)
+			}
+		}
+		return defaultProfileName
+	}
+	profileName := strings.TrimSpace(string(prof))
+
+	if profileName == "" {
+		log.Warnf("active profile state is empty, using default profile: %s", defaultProfileName)
+		return defaultProfileName
+	}
+
+	return profileName
+}
+
+func (pm *ProfileManager) setActiveProfileState(profileName string) error {
+
+	configDir, err := getConfigDir()
+	if err != nil {
+		return fmt.Errorf("failed to get config directory: %w", err)
+	}
+
+	statePath := filepath.Join(configDir, activeProfileStateFilename)
+
+	err = os.WriteFile(statePath, []byte(profileName), 0600)
+	if err != nil {
+		return fmt.Errorf("failed to write active profile state: %w", err)
+	}
+
+	return nil
+}

client/internal/profilemanager/profilemanager_test.go

@@ -0,0 +1,151 @@
+package profilemanager
+
+import (
+	"os"
+	"os/user"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func withTempConfigDir(t *testing.T, testFunc func(configDir string)) {
+	t.Helper()
+	tempDir := t.TempDir()
+	t.Setenv("NETBIRD_CONFIG_DIR", tempDir)
+	defer os.Unsetenv("NETBIRD_CONFIG_DIR")
+	testFunc(tempDir)
+}
+
+func withPatchedGlobals(t *testing.T, configDir string, testFunc func()) {
+	origDefaultConfigPathDir := DefaultConfigPathDir
+	origDefaultConfigPath := DefaultConfigPath
+	origActiveProfileStatePath := ActiveProfileStatePath
+	origOldDefaultConfigPath := oldDefaultConfigPath
+	origConfigDirOverride := ConfigDirOverride
+	DefaultConfigPathDir = configDir
+	DefaultConfigPath = filepath.Join(configDir, "default.json")
+	ActiveProfileStatePath = filepath.Join(configDir, "active_profile.json")
+	oldDefaultConfigPath = filepath.Join(configDir, "old_config.json")
+	ConfigDirOverride = configDir
+	// Clean up any files in the config dir to ensure isolation
+	os.RemoveAll(configDir)
+	os.MkdirAll(configDir, 0755) //nolint: errcheck
+	defer func() {
+		DefaultConfigPathDir = origDefaultConfigPathDir
+		DefaultConfigPath = origDefaultConfigPath
+		ActiveProfileStatePath = origActiveProfileStatePath
+		oldDefaultConfigPath = origOldDefaultConfigPath
+		ConfigDirOverride = origConfigDirOverride
+	}()
+	testFunc()
+}
+
+func TestServiceManager_CreateAndGetDefaultProfile(t *testing.T) {
+	withTempConfigDir(t, func(configDir string) {
+		withPatchedGlobals(t, configDir, func() {
+			sm := &ServiceManager{}
+			err := sm.CreateDefaultProfile()
+			assert.NoError(t, err)
+
+			state, err := sm.GetActiveProfileState()
+			assert.NoError(t, err)
+			assert.Equal(t, state.Name, defaultProfileName) // No active profile state yet
+
+			err = sm.SetActiveProfileStateToDefault()
+			assert.NoError(t, err)
+
+			active, err := sm.GetActiveProfileState()
+			assert.NoError(t, err)
+			assert.Equal(t, "default", active.Name)
+		})
+	})
+}
+
+func TestServiceManager_CopyDefaultProfileIfNotExists(t *testing.T) {
+	withTempConfigDir(t, func(configDir string) {
+		withPatchedGlobals(t, configDir, func() {
+			sm := &ServiceManager{}
+
+			// Case: old default config does not exist
+			ok, err := sm.CopyDefaultProfileIfNotExists()
+			assert.False(t, ok)
+			assert.ErrorIs(t, err, ErrorOldDefaultConfigNotFound)
+
+			// Case: old default config exists, should be moved
+			f, err := os.Create(oldDefaultConfigPath)
+			assert.NoError(t, err)
+			f.Close()
+
+			ok, err = sm.CopyDefaultProfileIfNotExists()
+			assert.True(t, ok)
+			assert.NoError(t, err)
+			_, err = os.Stat(DefaultConfigPath)
+			assert.NoError(t, err)
+		})
+	})
+}
+
+func TestServiceManager_SetActiveProfileState(t *testing.T) {
+	withTempConfigDir(t, func(configDir string) {
+		withPatchedGlobals(t, configDir, func() {
+			currUser, err := user.Current()
+			assert.NoError(t, err)
+			sm := &ServiceManager{}
+			state := &ActiveProfileState{Name: "foo", Username: currUser.Username}
+			err = sm.SetActiveProfileState(state)
+			assert.NoError(t, err)
+
+			// Should error on nil or incomplete state
+			err = sm.SetActiveProfileState(nil)
+			assert.Error(t, err)
+			err = sm.SetActiveProfileState(&ActiveProfileState{Name: "", Username: ""})
+			assert.Error(t, err)
+		})
+	})
+}
+
+func TestServiceManager_DefaultProfilePath(t *testing.T) {
+	withTempConfigDir(t, func(configDir string) {
+		withPatchedGlobals(t, configDir, func() {
+			sm := &ServiceManager{}
+			assert.Equal(t, DefaultConfigPath, sm.DefaultProfilePath())
+		})
+	})
+}
+
+func TestSanitizeProfileName(t *testing.T) {
+	tests := []struct {
+		in, want string
+	}{
+		// unchanged
+		{"Alice", "Alice"},
+		{"bob123", "bob123"},
+		{"under_score", "under_score"},
+		{"dash-name", "dash-name"},
+
+		// spaces and forbidden chars removed
+		{"Alice Smith", "AliceSmith"},
+		{"bad/char\\name", "badcharname"},
+		{"colon:name*?", "colonname"},
+		{"quotes\"<>|", "quotes"},
+
+		// mixed
+		{"User_123-Test!@#", "User_123-Test"},
+
+		// empty and all-bad
+		{"", ""},
+		{"!@#$%^&*()", ""},
+
+		// unicode letters and digits
+		{"ÜserÇ", "ÜserÇ"},
+		{"漢字テスト123", "漢字テスト123"},
+	}
+
+	for _, tc := range tests {
+		got := sanitizeProfileName(tc.in)
+		if got != tc.want {
+			t.Errorf("sanitizeProfileName(%q) = %q; want %q", tc.in, got, tc.want)
+		}
+	}
+}

client/internal/profilemanager/service.go

@@ -0,0 +1,359 @@
+package profilemanager
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sort"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/util"
+)
+
+var (
+	oldDefaultConfigPathDir = ""
+	oldDefaultConfigPath    = ""
+
+	DefaultConfigPathDir   = ""
+	DefaultConfigPath      = ""
+	ActiveProfileStatePath = ""
+)
+
+var (
+	ErrorOldDefaultConfigNotFound = errors.New("old default config not found")
+)
+
+func init() {
+
+	DefaultConfigPathDir = "/var/lib/netbird/"
+	oldDefaultConfigPathDir = "/etc/netbird/"
+
+	switch runtime.GOOS {
+	case "windows":
+		oldDefaultConfigPathDir = filepath.Join(os.Getenv("PROGRAMDATA"), "Netbird")
+		DefaultConfigPathDir = oldDefaultConfigPathDir
+
+	case "freebsd":
+		oldDefaultConfigPathDir = "/var/db/netbird/"
+		DefaultConfigPathDir = oldDefaultConfigPathDir
+	}
+
+	oldDefaultConfigPath = filepath.Join(oldDefaultConfigPathDir, "config.json")
+	DefaultConfigPath = filepath.Join(DefaultConfigPathDir, "default.json")
+	ActiveProfileStatePath = filepath.Join(DefaultConfigPathDir, "active_profile.json")
+}
+
+type ActiveProfileState struct {
+	Name     string `json:"name"`
+	Username string `json:"username"`
+}
+
+func (a *ActiveProfileState) FilePath() (string, error) {
+	if a.Name == "" {
+		return "", fmt.Errorf("active profile name is empty")
+	}
+
+	if a.Name == defaultProfileName {
+		return DefaultConfigPath, nil
+	}
+
+	configDir, err := getConfigDirForUser(a.Username)
+	if err != nil {
+		return "", fmt.Errorf("failed to get config directory for user %s: %w", a.Username, err)
+	}
+
+	return filepath.Join(configDir, a.Name+".json"), nil
+}
+
+type ServiceManager struct{}
+
+func (s *ServiceManager) CopyDefaultProfileIfNotExists() (bool, error) {
+
+	if err := os.MkdirAll(DefaultConfigPathDir, 0600); err != nil {
+		return false, fmt.Errorf("failed to create default config path directory: %w", err)
+	}
+
+	// check if default profile exists
+	if _, err := os.Stat(DefaultConfigPath); !os.IsNotExist(err) {
+		// default profile already exists
+		log.Debugf("default profile already exists at %s, skipping copy", DefaultConfigPath)
+		return false, nil
+	}
+
+	// check old default profile
+	if _, err := os.Stat(oldDefaultConfigPath); os.IsNotExist(err) {
+		// old default profile does not exist, nothing to copy
+		return false, ErrorOldDefaultConfigNotFound
+	}
+
+	// copy old default profile to new location
+	if err := copyFile(oldDefaultConfigPath, DefaultConfigPath, 0600); err != nil {
+		return false, fmt.Errorf("copy default profile from %s to %s: %w", oldDefaultConfigPath, DefaultConfigPath, err)
+	}
+
+	// set permissions for the new default profile
+	if err := os.Chmod(DefaultConfigPath, 0600); err != nil {
+		log.Warnf("failed to set permissions for default profile: %v", err)
+	}
+
+	if err := s.SetActiveProfileState(&ActiveProfileState{
+		Name:     "default",
+		Username: "",
+	}); err != nil {
+		log.Errorf("failed to set active profile state: %v", err)
+		return false, fmt.Errorf("failed to set active profile state: %w", err)
+	}
+
+	return true, nil
+}
+
+// copyFile copies the contents of src to dst and sets dst's file mode to perm.
+func copyFile(src, dst string, perm os.FileMode) error {
+	in, err := os.Open(src)
+	if err != nil {
+		return fmt.Errorf("open source file %s: %w", src, err)
+	}
+	defer in.Close()
+
+	out, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, perm)
+	if err != nil {
+		return fmt.Errorf("open target file %s: %w", dst, err)
+	}
+	defer func() {
+		if cerr := out.Close(); cerr != nil && err == nil {
+			err = cerr
+		}
+	}()
+
+	if _, err := io.Copy(out, in); err != nil {
+		return fmt.Errorf("copy data to %s: %w", dst, err)
+	}
+
+	return nil
+}
+
+func (s *ServiceManager) CreateDefaultProfile() error {
+	_, err := UpdateOrCreateConfig(ConfigInput{
+		ConfigPath: DefaultConfigPath,
+	})
+
+	if err != nil {
+		return fmt.Errorf("failed to create default profile: %w", err)
+	}
+
+	log.Infof("default profile created at %s", DefaultConfigPath)
+	return nil
+}
+
+func (s *ServiceManager) GetActiveProfileState() (*ActiveProfileState, error) {
+	if err := s.setDefaultActiveState(); err != nil {
+		return nil, fmt.Errorf("failed to set default active profile state: %w", err)
+	}
+	var activeProfile ActiveProfileState
+	if _, err := util.ReadJson(ActiveProfileStatePath, &activeProfile); err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			if err := s.SetActiveProfileStateToDefault(); err != nil {
+				return nil, fmt.Errorf("failed to set active profile to default: %w", err)
+			}
+			return &ActiveProfileState{
+				Name:     "default",
+				Username: "",
+			}, nil
+		} else {
+			return nil, fmt.Errorf("failed to read active profile state: %w", err)
+		}
+	}
+
+	if activeProfile.Name == "" {
+		if err := s.SetActiveProfileStateToDefault(); err != nil {
+			return nil, fmt.Errorf("failed to set active profile to default: %w", err)
+		}
+		return &ActiveProfileState{
+			Name:     "default",
+			Username: "",
+		}, nil
+	}
+
+	return &activeProfile, nil
+
+}
+
+func (s *ServiceManager) setDefaultActiveState() error {
+	_, err := os.Stat(ActiveProfileStatePath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			if err := s.SetActiveProfileStateToDefault(); err != nil {
+				return fmt.Errorf("failed to set active profile to default: %w", err)
+			}
+		} else {
+			return fmt.Errorf("failed to stat active profile state path %s: %w", ActiveProfileStatePath, err)
+		}
+	}
+
+	return nil
+}
+
+func (s *ServiceManager) SetActiveProfileState(a *ActiveProfileState) error {
+	if a == nil || a.Name == "" {
+		return errors.New("invalid active profile state")
+	}
+
+	if a.Name != defaultProfileName && a.Username == "" {
+		return fmt.Errorf("username must be set for non-default profiles, got: %s", a.Name)
+	}
+
+	if err := util.WriteJsonWithRestrictedPermission(context.Background(), ActiveProfileStatePath, a); err != nil {
+		return fmt.Errorf("failed to write active profile state: %w", err)
+	}
+
+	log.Infof("active profile set to %s for %s", a.Name, a.Username)
+	return nil
+}
+
+func (s *ServiceManager) SetActiveProfileStateToDefault() error {
+	return s.SetActiveProfileState(&ActiveProfileState{
+		Name:     "default",
+		Username: "",
+	})
+}
+
+func (s *ServiceManager) DefaultProfilePath() string {
+	return DefaultConfigPath
+}
+
+func (s *ServiceManager) AddProfile(profileName, username string) error {
+	configDir, err := getConfigDirForUser(username)
+	if err != nil {
+		return fmt.Errorf("failed to get config directory: %w", err)
+	}
+
+	profileName = sanitizeProfileName(profileName)
+
+	if profileName == defaultProfileName {
+		return fmt.Errorf("cannot create profile with reserved name: %s", defaultProfileName)
+	}
+
+	profPath := filepath.Join(configDir, profileName+".json")
+	if fileExists(profPath) {
+		return ErrProfileAlreadyExists
+	}
+
+	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath})
+	if err != nil {
+		return fmt.Errorf("failed to create new config: %w", err)
+	}
+
+	err = util.WriteJson(context.Background(), profPath, cfg)
+	if err != nil {
+		return fmt.Errorf("failed to write profile config: %w", err)
+	}
+
+	return nil
+}
+
+func (s *ServiceManager) RemoveProfile(profileName, username string) error {
+	configDir, err := getConfigDirForUser(username)
+	if err != nil {
+		return fmt.Errorf("failed to get config directory: %w", err)
+	}
+
+	profileName = sanitizeProfileName(profileName)
+
+	if profileName == defaultProfileName {
+		return fmt.Errorf("cannot remove profile with reserved name: %s", defaultProfileName)
+	}
+	profPath := filepath.Join(configDir, profileName+".json")
+	if !fileExists(profPath) {
+		return ErrProfileNotFound
+	}
+
+	activeProf, err := s.GetActiveProfileState()
+	if err != nil && !errors.Is(err, ErrNoActiveProfile) {
+		return fmt.Errorf("failed to get active profile: %w", err)
+	}
+
+	if activeProf != nil && activeProf.Name == profileName {
+		return fmt.Errorf("cannot remove active profile: %s", profileName)
+	}
+
+	err = util.RemoveJson(profPath)
+	if err != nil {
+		return fmt.Errorf("failed to remove profile config: %w", err)
+	}
+	return nil
+}
+
+func (s *ServiceManager) ListProfiles(username string) ([]Profile, error) {
+	configDir, err := getConfigDirForUser(username)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get config directory: %w", err)
+	}
+
+	files, err := util.ListFiles(configDir, "*.json")
+	if err != nil {
+		return nil, fmt.Errorf("failed to list profile files: %w", err)
+	}
+
+	var filtered []string
+	for _, file := range files {
+		if strings.HasSuffix(file, "state.json") {
+			continue // skip state files
+		}
+		filtered = append(filtered, file)
+	}
+	sort.Strings(filtered)
+
+	var activeProfName string
+	activeProf, err := s.GetActiveProfileState()
+	if err == nil {
+		activeProfName = activeProf.Name
+	}
+
+	var profiles []Profile
+	// add default profile always
+	profiles = append(profiles, Profile{Name: defaultProfileName, IsActive: activeProfName == "" || activeProfName == defaultProfileName})
+	for _, file := range filtered {
+		profileName := strings.TrimSuffix(filepath.Base(file), ".json")
+		var isActive bool
+		if activeProfName != "" && activeProfName == profileName {
+			isActive = true
+		}
+		profiles = append(profiles, Profile{Name: profileName, IsActive: isActive})
+	}
+
+	return profiles, nil
+}
+
+// GetStatePath returns the path to the state file based on the operating system
+// It returns an empty string if the path cannot be determined.
+func (s *ServiceManager) GetStatePath() string {
+	if path := os.Getenv("NB_DNS_STATE_FILE"); path != "" {
+		return path
+	}
+
+	defaultStatePath := filepath.Join(DefaultConfigPathDir, "state.json")
+
+	activeProf, err := s.GetActiveProfileState()
+	if err != nil {
+		log.Warnf("failed to get active profile state: %v", err)
+		return defaultStatePath
+	}
+
+	if activeProf.Name == defaultProfileName {
+		return defaultStatePath
+	}
+
+	configDir, err := getConfigDirForUser(activeProf.Username)
+	if err != nil {
+		log.Warnf("failed to get config directory for user %s: %v", activeProf.Username, err)
+		return defaultStatePath
+	}
+
+	return filepath.Join(configDir, activeProf.Name+".state.json")
+}

client/internal/profilemanager/state.go

@@ -0,0 +1,57 @@
+package profilemanager
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"path/filepath"
+
+	"github.com/netbirdio/netbird/util"
+)
+
+type ProfileState struct {
+	Email string `json:"email"`
+}
+
+func (pm *ProfileManager) GetProfileState(profileName string) (*ProfileState, error) {
+	configDir, err := getConfigDir()
+	if err != nil {
+		return nil, fmt.Errorf("get config directory: %w", err)
+	}
+
+	stateFile := filepath.Join(configDir, profileName+".state.json")
+	if !fileExists(stateFile) {
+		return nil, errors.New("profile state file does not exist")
+	}
+
+	var state ProfileState
+	_, err = util.ReadJson(stateFile, &state)
+	if err != nil {
+		return nil, fmt.Errorf("read profile state: %w", err)
+	}
+
+	return &state, nil
+}
+
+func (pm *ProfileManager) SetActiveProfileState(state *ProfileState) error {
+	configDir, err := getConfigDir()
+	if err != nil {
+		return fmt.Errorf("get config directory: %w", err)
+	}
+
+	activeProf, err := pm.GetActiveProfile()
+	if err != nil {
+		if errors.Is(err, ErrNoActiveProfile) {
+			return fmt.Errorf("no active profile set: %w", err)
+		}
+		return fmt.Errorf("get active profile: %w", err)
+	}
+
+	stateFile := filepath.Join(configDir, activeProf.Name+".state.json")
+	err = util.WriteJsonWithRestrictedPermission(context.Background(), stateFile, state)
+	if err != nil {
+		return fmt.Errorf("write profile state: %w", err)
+	}
+
+	return nil
+}

client/internal/statemanager/path.go

@@ -1,16 +0,0 @@
-package statemanager
-
-import (
-	"github.com/netbirdio/netbird/client/configs"
-	"os"
-	"path/filepath"
-)
-
-// GetDefaultStatePath returns the path to the state file based on the operating system
-// It returns an empty string if the path cannot be determined.
-func GetDefaultStatePath() string {
-	if path := os.Getenv("NB_DNS_STATE_FILE"); path != "" {
-		return path
-	}
-	return filepath.Join(configs.StateDir, "state.json")
-}

client/ios/NetBirdSDK/client.go

@@ -17,6 +17,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
 	"github.com/netbirdio/netbird/management/domain"
@@ -92,7 +93,7 @@ func NewClient(cfgFile, stateFile, deviceName string, osVersion string, osName s
 func (c *Client) Run(fd int32, interfaceName string) error {
 	log.Infof("Starting NetBird client")
 	log.Debugf("Tunnel uses interface: %s", interfaceName)
-	cfg, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
+	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath:    c.cfgFile,
 		StateFilePath: c.stateFile,
 	})
@@ -203,7 +204,7 @@ func (c *Client) IsLoginRequired() bool {
 	defer c.ctxCancelLock.Unlock()
 	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
 
-	cfg, _ := internal.UpdateOrCreateConfig(internal.ConfigInput{
+	cfg, _ := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath: c.cfgFile,
 	})
 
@@ -223,7 +224,7 @@ func (c *Client) LoginForMobile() string {
 	defer c.ctxCancelLock.Unlock()
 	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
 
-	cfg, _ := internal.UpdateOrCreateConfig(internal.ConfigInput{
+	cfg, _ := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath: c.cfgFile,
 	})
 

client/ios/NetBirdSDK/login.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/cmd"
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
 )
 
@@ -36,17 +37,17 @@ type URLOpener interface {
 // Auth can register or login new client
 type Auth struct {
 	ctx     context.Context
-	config  *internal.Config
+	config  *profilemanager.Config
 	cfgPath string
 }
 
 // NewAuth instantiate Auth struct and validate the management URL
 func NewAuth(cfgPath string, mgmURL string) (*Auth, error) {
-	inputCfg := internal.ConfigInput{
+	inputCfg := profilemanager.ConfigInput{
 		ManagementURL: mgmURL,
 	}
 
-	cfg, err := internal.CreateInMemoryConfig(inputCfg)
+	cfg, err := profilemanager.CreateInMemoryConfig(inputCfg)
 	if err != nil {
 		return nil, err
 	}
@@ -59,7 +60,7 @@ func NewAuth(cfgPath string, mgmURL string) (*Auth, error) {
 }
 
 // NewAuthWithConfig instantiate Auth based on existing config
-func NewAuthWithConfig(ctx context.Context, config *internal.Config) *Auth {
+func NewAuthWithConfig(ctx context.Context, config *profilemanager.Config) *Auth {
 	return &Auth{
 		ctx:    ctx,
 		config: config,
@@ -94,7 +95,7 @@ func (a *Auth) SaveConfigIfSSOSupported() (bool, error) {
 		return false, fmt.Errorf("backoff cycle failed: %v", err)
 	}
 
-	err = internal.WriteOutConfig(a.cfgPath, a.config)
+	err = profilemanager.WriteOutConfig(a.cfgPath, a.config)
 	return true, err
 }
 
@@ -115,7 +116,7 @@ func (a *Auth) LoginWithSetupKeyAndSaveConfig(setupKey string, deviceName string
 		return fmt.Errorf("backoff cycle failed: %v", err)
 	}
 
-	return internal.WriteOutConfig(a.cfgPath, a.config)
+	return profilemanager.WriteOutConfig(a.cfgPath, a.config)
 }
 
 func (a *Auth) Login() error {

client/ios/NetBirdSDK/preferences.go

@@ -1,17 +1,17 @@
 package NetBirdSDK
 
 import (
-	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
 
 // Preferences export a subset of the internal config for gomobile
 type Preferences struct {
-	configInput internal.ConfigInput
+	configInput profilemanager.ConfigInput
 }
 
 // NewPreferences create new Preferences instance
 func NewPreferences(configPath string, stateFilePath string) *Preferences {
-	ci := internal.ConfigInput{
+	ci := profilemanager.ConfigInput{
 		ConfigPath:    configPath,
 		StateFilePath: stateFilePath,
 	}
@@ -24,7 +24,7 @@ func (p *Preferences) GetManagementURL() (string, error) {
 		return p.configInput.ManagementURL, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return "", err
 	}
@@ -42,7 +42,7 @@ func (p *Preferences) GetAdminURL() (string, error) {
 		return p.configInput.AdminURL, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return "", err
 	}
@@ -60,7 +60,7 @@ func (p *Preferences) GetPreSharedKey() (string, error) {
 		return *p.configInput.PreSharedKey, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return "", err
 	}
@@ -83,7 +83,7 @@ func (p *Preferences) GetRosenpassEnabled() (bool, error) {
 		return *p.configInput.RosenpassEnabled, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
@@ -101,7 +101,7 @@ func (p *Preferences) GetRosenpassPermissive() (bool, error) {
 		return *p.configInput.RosenpassPermissive, nil
 	}
 
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
@@ -110,6 +110,6 @@ func (p *Preferences) GetRosenpassPermissive() (bool, error) {
 
 // Commit write out the changes into config file
 func (p *Preferences) Commit() error {
-	_, err := internal.UpdateOrCreateConfig(p.configInput)
+	_, err := profilemanager.UpdateOrCreateConfig(p.configInput)
 	return err
 }

client/ios/NetBirdSDK/preferences_test.go

@@ -4,7 +4,7 @@ import (
 	"path/filepath"
 	"testing"
 
-	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
 
 func TestPreferences_DefaultValues(t *testing.T) {
@@ -16,7 +16,7 @@ func TestPreferences_DefaultValues(t *testing.T) {
 		t.Fatalf("failed to read default value: %s", err)
 	}
 
-	if defaultVar != internal.DefaultAdminURL {
+	if defaultVar != profilemanager.DefaultAdminURL {
 		t.Errorf("invalid default admin url: %s", defaultVar)
 	}
 
@@ -25,7 +25,7 @@ func TestPreferences_DefaultValues(t *testing.T) {
 		t.Fatalf("failed to read default management URL: %s", err)
 	}
 
-	if defaultVar != internal.DefaultManagementURL {
+	if defaultVar != profilemanager.DefaultManagementURL {
 		t.Errorf("invalid default management url: %s", defaultVar)
 	}
 

client/proto/daemon.proto

@@ -67,6 +67,18 @@ service DaemonService {
   rpc SubscribeEvents(SubscribeRequest) returns (stream SystemEvent) {}
 
   rpc GetEvents(GetEventsRequest) returns (GetEventsResponse) {}
+
+  rpc SwitchProfile(SwitchProfileRequest) returns (SwitchProfileResponse) {}
+
+  rpc SetConfig(SetConfigRequest) returns (SetConfigResponse) {}
+
+  rpc AddProfile(AddProfileRequest) returns (AddProfileResponse) {}
+
+  rpc RemoveProfile(RemoveProfileRequest) returns (RemoveProfileResponse) {}
+
+  rpc ListProfiles(ListProfilesRequest) returns (ListProfilesResponse) {}
+
+  rpc GetActiveProfile(GetActiveProfileRequest) returns (GetActiveProfileResponse) {}
 }
 
 
@@ -136,6 +148,9 @@ message LoginRequest {
   optional bool lazyConnectionEnabled = 28;
 
   optional bool block_inbound = 29;
+
+  optional string profileName = 30;
+  optional string username = 31;
 }
 
 message LoginResponse {
@@ -150,9 +165,14 @@ message WaitSSOLoginRequest {
   string hostname = 2;
 }
 
-message WaitSSOLoginResponse {}
+message WaitSSOLoginResponse {
+  string email = 1;
+}
 
-message UpRequest {}
+message UpRequest {
+  optional string profileName = 1;
+  optional string username = 2;
+}
 
 message UpResponse {}
 
@@ -173,7 +193,10 @@ message DownRequest {}
 
 message DownResponse {}
 
-message GetConfigRequest {}
+message GetConfigRequest {
+  string profileName = 1;
+  string username = 2;
+}
 
 message GetConfigResponse {
   // managementUrl settings value.
@@ -497,3 +520,98 @@ message GetEventsRequest {}
 message GetEventsResponse {
   repeated SystemEvent events = 1;
 }
+
+message SwitchProfileRequest {
+  optional string profileName = 1;
+  optional string username = 2;
+}
+
+message SwitchProfileResponse {}
+
+message SetConfigRequest {
+    string username = 1;
+    string profileName = 2;
+    // managementUrl to authenticate.
+    string managementUrl = 3;
+  
+    // adminUrl to manage keys.
+    string adminURL = 4;
+        
+    optional bool rosenpassEnabled = 5;
+  
+    optional string interfaceName = 6;
+  
+    optional int64 wireguardPort = 7;
+  
+    optional string optionalPreSharedKey = 8;
+  
+    optional bool disableAutoConnect = 9;
+  
+    optional bool serverSSHAllowed = 10;
+  
+    optional bool rosenpassPermissive = 11;
+  
+    optional bool networkMonitor = 12;
+  
+    optional bool disable_client_routes = 13;
+    optional bool disable_server_routes = 14;
+    optional bool disable_dns = 15;
+    optional bool disable_firewall = 16;
+    optional bool block_lan_access = 17;
+  
+    optional bool disable_notifications = 18;
+  
+    optional bool lazyConnectionEnabled = 19;
+  
+    optional bool block_inbound = 20;
+
+    repeated string natExternalIPs = 21;
+    bool cleanNATExternalIPs = 22;
+
+    bytes customDNSAddress = 23;
+
+    repeated string extraIFaceBlacklist = 24;
+
+    repeated string dns_labels = 25;
+    // cleanDNSLabels clean map list of DNS labels.
+    bool cleanDNSLabels = 26;
+
+    optional google.protobuf.Duration dnsRouteInterval = 27;
+
+}
+
+message SetConfigResponse{}
+
+message AddProfileRequest {
+  string username = 1;
+  string profileName = 2;
+}
+
+message AddProfileResponse {}
+
+message RemoveProfileRequest {
+  string username = 1;
+  string profileName = 2;
+}
+
+message RemoveProfileResponse {}
+
+message ListProfilesRequest {
+  string username = 1;
+}
+
+message ListProfilesResponse {
+  repeated Profile profiles = 1;
+}
+
+message Profile {
+  string name = 1;
+  bool is_active = 2;
+}
+
+message GetActiveProfileRequest {}
+
+message GetActiveProfileResponse {
+  string profileName = 1;
+  string username = 2;
+}

client/proto/daemon_grpc.pb.go

@@ -55,6 +55,12 @@ type DaemonServiceClient interface {
 	TracePacket(ctx context.Context, in *TracePacketRequest, opts ...grpc.CallOption) (*TracePacketResponse, error)
 	SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (DaemonService_SubscribeEventsClient, error)
 	GetEvents(ctx context.Context, in *GetEventsRequest, opts ...grpc.CallOption) (*GetEventsResponse, error)
+	SwitchProfile(ctx context.Context, in *SwitchProfileRequest, opts ...grpc.CallOption) (*SwitchProfileResponse, error)
+	SetConfig(ctx context.Context, in *SetConfigRequest, opts ...grpc.CallOption) (*SetConfigResponse, error)
+	AddProfile(ctx context.Context, in *AddProfileRequest, opts ...grpc.CallOption) (*AddProfileResponse, error)
+	RemoveProfile(ctx context.Context, in *RemoveProfileRequest, opts ...grpc.CallOption) (*RemoveProfileResponse, error)
+	ListProfiles(ctx context.Context, in *ListProfilesRequest, opts ...grpc.CallOption) (*ListProfilesResponse, error)
+	GetActiveProfile(ctx context.Context, in *GetActiveProfileRequest, opts ...grpc.CallOption) (*GetActiveProfileResponse, error)
 }
 
 type daemonServiceClient struct {
@@ -268,6 +274,60 @@ func (c *daemonServiceClient) GetEvents(ctx context.Context, in *GetEventsReques
 	return out, nil
 }
 
+func (c *daemonServiceClient) SwitchProfile(ctx context.Context, in *SwitchProfileRequest, opts ...grpc.CallOption) (*SwitchProfileResponse, error) {
+	out := new(SwitchProfileResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SwitchProfile", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) SetConfig(ctx context.Context, in *SetConfigRequest, opts ...grpc.CallOption) (*SetConfigResponse, error) {
+	out := new(SetConfigResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/SetConfig", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) AddProfile(ctx context.Context, in *AddProfileRequest, opts ...grpc.CallOption) (*AddProfileResponse, error) {
+	out := new(AddProfileResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/AddProfile", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) RemoveProfile(ctx context.Context, in *RemoveProfileRequest, opts ...grpc.CallOption) (*RemoveProfileResponse, error) {
+	out := new(RemoveProfileResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/RemoveProfile", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) ListProfiles(ctx context.Context, in *ListProfilesRequest, opts ...grpc.CallOption) (*ListProfilesResponse, error) {
+	out := new(ListProfilesResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/ListProfiles", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) GetActiveProfile(ctx context.Context, in *GetActiveProfileRequest, opts ...grpc.CallOption) (*GetActiveProfileResponse, error) {
+	out := new(GetActiveProfileResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/GetActiveProfile", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // DaemonServiceServer is the server API for DaemonService service.
 // All implementations must embed UnimplementedDaemonServiceServer
 // for forward compatibility
@@ -309,6 +369,12 @@ type DaemonServiceServer interface {
 	TracePacket(context.Context, *TracePacketRequest) (*TracePacketResponse, error)
 	SubscribeEvents(*SubscribeRequest, DaemonService_SubscribeEventsServer) error
 	GetEvents(context.Context, *GetEventsRequest) (*GetEventsResponse, error)
+	SwitchProfile(context.Context, *SwitchProfileRequest) (*SwitchProfileResponse, error)
+	SetConfig(context.Context, *SetConfigRequest) (*SetConfigResponse, error)
+	AddProfile(context.Context, *AddProfileRequest) (*AddProfileResponse, error)
+	RemoveProfile(context.Context, *RemoveProfileRequest) (*RemoveProfileResponse, error)
+	ListProfiles(context.Context, *ListProfilesRequest) (*ListProfilesResponse, error)
+	GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error)
 	mustEmbedUnimplementedDaemonServiceServer()
 }
 
@@ -376,6 +442,24 @@ func (UnimplementedDaemonServiceServer) SubscribeEvents(*SubscribeRequest, Daemo
 func (UnimplementedDaemonServiceServer) GetEvents(context.Context, *GetEventsRequest) (*GetEventsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetEvents not implemented")
 }
+func (UnimplementedDaemonServiceServer) SwitchProfile(context.Context, *SwitchProfileRequest) (*SwitchProfileResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SwitchProfile not implemented")
+}
+func (UnimplementedDaemonServiceServer) SetConfig(context.Context, *SetConfigRequest) (*SetConfigResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SetConfig not implemented")
+}
+func (UnimplementedDaemonServiceServer) AddProfile(context.Context, *AddProfileRequest) (*AddProfileResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method AddProfile not implemented")
+}
+func (UnimplementedDaemonServiceServer) RemoveProfile(context.Context, *RemoveProfileRequest) (*RemoveProfileResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RemoveProfile not implemented")
+}
+func (UnimplementedDaemonServiceServer) ListProfiles(context.Context, *ListProfilesRequest) (*ListProfilesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListProfiles not implemented")
+}
+func (UnimplementedDaemonServiceServer) GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetActiveProfile not implemented")
+}
 func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}
 
 // UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
@@ -752,6 +836,114 @@ func _DaemonService_GetEvents_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }
 
+func _DaemonService_SwitchProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SwitchProfileRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).SwitchProfile(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/SwitchProfile",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).SwitchProfile(ctx, req.(*SwitchProfileRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_SetConfig_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SetConfigRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).SetConfig(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/SetConfig",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).SetConfig(ctx, req.(*SetConfigRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_AddProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(AddProfileRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).AddProfile(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/AddProfile",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).AddProfile(ctx, req.(*AddProfileRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_RemoveProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RemoveProfileRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).RemoveProfile(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/RemoveProfile",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).RemoveProfile(ctx, req.(*RemoveProfileRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_ListProfiles_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListProfilesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).ListProfiles(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/ListProfiles",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).ListProfiles(ctx, req.(*ListProfilesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_GetActiveProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetActiveProfileRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).GetActiveProfile(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/GetActiveProfile",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).GetActiveProfile(ctx, req.(*GetActiveProfileRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // DaemonService_ServiceDesc is the grpc.ServiceDesc for DaemonService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -835,6 +1027,30 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetEvents",
 			Handler:    _DaemonService_GetEvents_Handler,
 		},
+		{
+			MethodName: "SwitchProfile",
+			Handler:    _DaemonService_SwitchProfile_Handler,
+		},
+		{
+			MethodName: "SetConfig",
+			Handler:    _DaemonService_SetConfig_Handler,
+		},
+		{
+			MethodName: "AddProfile",
+			Handler:    _DaemonService_AddProfile_Handler,
+		},
+		{
+			MethodName: "RemoveProfile",
+			Handler:    _DaemonService_RemoveProfile_Handler,
+		},
+		{
+			MethodName: "ListProfiles",
+			Handler:    _DaemonService_ListProfiles_Handler,
+		},
+		{
+			MethodName: "GetActiveProfile",
+			Handler:    _DaemonService_GetActiveProfile_Handler,
+		},
 	},
 	Streams: []grpc.StreamDesc{
 		{

client/server/panic_windows.go

@@ -1,3 +1,6 @@
+//go:build windows
+// +build windows
+
 package server
 
 import (

client/server/server.go

@@ -22,6 +22,7 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/netbirdio/netbird/client/internal/auth"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/management/domain"
 
@@ -50,14 +51,12 @@ type Server struct {
 	rootCtx   context.Context
 	actCancel context.CancelFunc
 
-	latestConfigInput internal.ConfigInput
-
 	logFile string
 
 	oauthAuthFlow oauthAuthFlow
 
 	mutex  sync.Mutex
-	config *internal.Config
+	config *profilemanager.Config
 	proto.UnimplementedDaemonServiceServer
 
 	connectClient *internal.ConnectClient
@@ -68,6 +67,8 @@ type Server struct {
 	lastProbe         time.Time
 	persistNetworkMap bool
 	isSessionActive   atomic.Bool
+
+	profileManager profilemanager.ServiceManager
 }
 
 type oauthAuthFlow struct {
@@ -78,15 +79,13 @@ type oauthAuthFlow struct {
 }
 
 // New server instance constructor.
-func New(ctx context.Context, configPath, logFile string) *Server {
+func New(ctx context.Context, logFile string) *Server {
 	return &Server{
-		rootCtx: ctx,
+		rootCtx:           ctx,
-		latestConfigInput: internal.ConfigInput{
-			ConfigPath: configPath,
-		},
 		logFile:           logFile,
 		persistNetworkMap: true,
 		statusRecorder:    peer.NewRecorder(""),
+		profileManager:    profilemanager.ServiceManager{},
 	}
 }
 
@@ -99,7 +98,7 @@ func (s *Server) Start() error {
 		log.Warnf("failed to redirect stderr: %v", err)
 	}
 
-	if err := restoreResidualState(s.rootCtx); err != nil {
+	if err := restoreResidualState(s.rootCtx, s.profileManager.GetStatePath()); err != nil {
 		log.Warnf(errRestoreResidualState, err)
 	}
 
@@ -118,25 +117,41 @@ func (s *Server) Start() error {
 	ctx, cancel := context.WithCancel(s.rootCtx)
 	s.actCancel = cancel
 
-	// if configuration exists, we just start connections. if is new config we skip and set status NeedsLogin
+	// set the default config if not exists
-	// on failure we return error to retry
+	if err := s.setDefaultConfigIfNotExists(ctx); err != nil {
-	config, err := internal.UpdateConfig(s.latestConfigInput)
+		log.Errorf("failed to set default config: %v", err)
-	if errorStatus, ok := gstatus.FromError(err); ok && errorStatus.Code() == codes.NotFound {
+		return fmt.Errorf("failed to set default config: %w", err)
-		s.config, err = internal.UpdateOrCreateConfig(s.latestConfigInput)
-		if err != nil {
-			log.Warnf("unable to create configuration file: %v", err)
-			return err
-		}
-		state.Set(internal.StatusNeedsLogin)
-		return nil
-	} else if err != nil {
-		log.Warnf("unable to create configuration file: %v", err)
-		return err
 	}
 
-	// if configuration exists, we just start connections.
+	activeProf, err := s.profileManager.GetActiveProfileState()
-	config, _ = internal.UpdateOldManagementURL(ctx, config, s.latestConfigInput.ConfigPath)
+	if err != nil {
+		return fmt.Errorf("failed to get active profile state: %w", err)
+	}
 
+	cfgPath, err := activeProf.FilePath()
+	if err != nil {
+		log.Errorf("failed to get active profile file path: %v", err)
+		return fmt.Errorf("failed to get active profile file path: %w", err)
+	}
+
+	config, err := profilemanager.GetConfig(cfgPath)
+	if err != nil {
+		log.Errorf("failed to get active profile config: %v", err)
+
+		if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
+			Name:     "default",
+			Username: "",
+		}); err != nil {
+			log.Errorf("failed to set active profile state: %v", err)
+			return fmt.Errorf("failed to set active profile state: %w", err)
+		}
+
+		config, err = profilemanager.GetConfig(s.profileManager.DefaultProfilePath())
+		if err != nil {
+			log.Errorf("failed to get default profile config: %v", err)
+			return fmt.Errorf("failed to get default profile config: %w", err)
+		}
+	}
 	s.config = config
 
 	s.statusRecorder.UpdateManagementAddress(config.ManagementURL.String())
@@ -157,10 +172,34 @@ func (s *Server) Start() error {
 	return nil
 }
 
+func (s *Server) setDefaultConfigIfNotExists(ctx context.Context) error {
+	ok, err := s.profileManager.CopyDefaultProfileIfNotExists()
+	if err != nil {
+		if err := s.profileManager.CreateDefaultProfile(); err != nil {
+			log.Errorf("failed to create default profile: %v", err)
+			return fmt.Errorf("failed to create default profile: %w", err)
+		}
+
+		if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
+			Name:     "default",
+			Username: "",
+		}); err != nil {
+			log.Errorf("failed to set active profile state: %v", err)
+			return fmt.Errorf("failed to set active profile state: %w", err)
+		}
+	}
+	if ok {
+		state := internal.CtxGetState(ctx)
+		state.Set(internal.StatusNeedsLogin)
+	}
+
+	return nil
+}
+
 // connectWithRetryRuns runs the client connection with a backoff strategy where we retry the operation as additional
 // mechanism to keep the client connected even when the connection is lost.
 // we cancel retry if the client receive a stop or down command, or if disable auto connect is configured.
-func (s *Server) connectWithRetryRuns(ctx context.Context, config *internal.Config, statusRecorder *peer.Status,
+func (s *Server) connectWithRetryRuns(ctx context.Context, config *profilemanager.Config, statusRecorder *peer.Status,
 	runningChan chan struct{},
 ) {
 	backOff := getConnectWithBackoff(ctx)
@@ -276,6 +315,90 @@ func (s *Server) loginAttempt(ctx context.Context, setupKey, jwtToken string) (i
 	return "", nil
 }
 
+// Login uses setup key to prepare configuration for the daemon.
+func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigRequest) (*proto.SetConfigResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	profState := profilemanager.ActiveProfileState{
+		Name:     msg.ProfileName,
+		Username: msg.Username,
+	}
+
+	profPath, err := profState.FilePath()
+	if err != nil {
+		log.Errorf("failed to get active profile file path: %v", err)
+		return nil, fmt.Errorf("failed to get active profile file path: %w", err)
+	}
+
+	var config profilemanager.ConfigInput
+
+	config.ConfigPath = profPath
+
+	if msg.ManagementUrl != "" {
+		config.ManagementURL = msg.ManagementUrl
+	}
+
+	if msg.AdminURL != "" {
+		config.AdminURL = msg.AdminURL
+	}
+
+	if msg.InterfaceName != nil {
+		config.InterfaceName = msg.InterfaceName
+	}
+
+	if msg.WireguardPort != nil {
+		wgPort := int(*msg.WireguardPort)
+		config.WireguardPort = &wgPort
+	}
+
+	if msg.OptionalPreSharedKey != nil {
+		if *msg.OptionalPreSharedKey != "" {
+			config.PreSharedKey = msg.OptionalPreSharedKey
+		}
+	}
+
+	if msg.CleanDNSLabels {
+		config.DNSLabels = domain.List{}
+
+	} else if msg.DnsLabels != nil {
+		dnsLabels := domain.FromPunycodeList(msg.DnsLabels)
+		config.DNSLabels = dnsLabels
+	}
+
+	if msg.CleanNATExternalIPs {
+		config.NATExternalIPs = make([]string, 0)
+	} else if msg.NatExternalIPs != nil {
+		config.NATExternalIPs = msg.NatExternalIPs
+	}
+
+	config.CustomDNSAddress = msg.CustomDNSAddress
+	if string(msg.CustomDNSAddress) == "empty" {
+		config.CustomDNSAddress = []byte{}
+	}
+
+	config.RosenpassEnabled = msg.RosenpassEnabled
+	config.RosenpassPermissive = msg.RosenpassPermissive
+	config.DisableAutoConnect = msg.DisableAutoConnect
+	config.ServerSSHAllowed = msg.ServerSSHAllowed
+	config.NetworkMonitor = msg.NetworkMonitor
+	config.DisableClientRoutes = msg.DisableClientRoutes
+	config.DisableServerRoutes = msg.DisableServerRoutes
+	config.DisableDNS = msg.DisableDns
+	config.DisableFirewall = msg.DisableFirewall
+	config.BlockLANAccess = msg.BlockLanAccess
+	config.DisableNotifications = msg.DisableNotifications
+	config.LazyConnectionEnabled = msg.LazyConnectionEnabled
+	config.BlockInbound = msg.BlockInbound
+
+	if _, err := profilemanager.UpdateConfig(config); err != nil {
+		log.Errorf("failed to update profile config: %v", err)
+		return nil, fmt.Errorf("failed to update profile config: %w", err)
+	}
+
+	return &proto.SetConfigResponse{}, nil
+}
+
 // Login uses setup key to prepare configuration for the daemon.
 func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*proto.LoginResponse, error) {
 	s.mutex.Lock()
@@ -292,7 +415,7 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 	s.actCancel = cancel
 	s.mutex.Unlock()
 
-	if err := restoreResidualState(ctx); err != nil {
+	if err := restoreResidualState(ctx, s.profileManager.GetStatePath()); err != nil {
 		log.Warnf(errRestoreResidualState, err)
 	}
 
@@ -304,147 +427,62 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 		}
 	}()
 
+	activeProf, err := s.profileManager.GetActiveProfileState()
+	if err != nil {
+		log.Errorf("failed to get active profile state: %v", err)
+		return nil, fmt.Errorf("failed to get active profile state: %w", err)
+	}
+
+	if msg.ProfileName != nil {
+		if *msg.ProfileName != "default" && (msg.Username == nil || *msg.Username == "") {
+			log.Errorf("profile name is set to %s, but username is not provided", *msg.ProfileName)
+			return nil, fmt.Errorf("profile name is set to %s, but username is not provided", *msg.ProfileName)
+		}
+
+		var username string
+		if *msg.ProfileName != "default" {
+			username = *msg.Username
+		}
+
+		if *msg.ProfileName != activeProf.Name && username != activeProf.Username {
+			log.Infof("switching to profile %s for user '%s'", *msg.ProfileName, username)
+			if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
+				Name:     *msg.ProfileName,
+				Username: username,
+			}); err != nil {
+				log.Errorf("failed to set active profile state: %v", err)
+				return nil, fmt.Errorf("failed to set active profile state: %w", err)
+			}
+		}
+	}
+
+	activeProf, err = s.profileManager.GetActiveProfileState()
+	if err != nil {
+		log.Errorf("failed to get active profile state: %v", err)
+		return nil, fmt.Errorf("failed to get active profile state: %w", err)
+	}
+
+	log.Infof("active profile: %s for %s", activeProf.Name, activeProf.Username)
+
 	s.mutex.Lock()
-	inputConfig := s.latestConfigInput
-
-	if msg.ManagementUrl != "" {
-		inputConfig.ManagementURL = msg.ManagementUrl
-		s.latestConfigInput.ManagementURL = msg.ManagementUrl
-	}
-
-	if msg.AdminURL != "" {
-		inputConfig.AdminURL = msg.AdminURL
-		s.latestConfigInput.AdminURL = msg.AdminURL
-	}
-
-	if msg.CleanNATExternalIPs {
-		inputConfig.NATExternalIPs = make([]string, 0)
-		s.latestConfigInput.NATExternalIPs = nil
-	} else if msg.NatExternalIPs != nil {
-		inputConfig.NATExternalIPs = msg.NatExternalIPs
-		s.latestConfigInput.NATExternalIPs = msg.NatExternalIPs
-	}
-
-	inputConfig.CustomDNSAddress = msg.CustomDNSAddress
-	s.latestConfigInput.CustomDNSAddress = msg.CustomDNSAddress
-	if string(msg.CustomDNSAddress) == "empty" {
-		inputConfig.CustomDNSAddress = []byte{}
-		s.latestConfigInput.CustomDNSAddress = []byte{}
-	}
 
 	if msg.Hostname != "" {
 		// nolint
 		ctx = context.WithValue(ctx, system.DeviceNameCtxKey, msg.Hostname)
 	}
-
-	if msg.RosenpassEnabled != nil {
-		inputConfig.RosenpassEnabled = msg.RosenpassEnabled
-		s.latestConfigInput.RosenpassEnabled = msg.RosenpassEnabled
-	}
-
-	if msg.RosenpassPermissive != nil {
-		inputConfig.RosenpassPermissive = msg.RosenpassPermissive
-		s.latestConfigInput.RosenpassPermissive = msg.RosenpassPermissive
-	}
-
-	if msg.ServerSSHAllowed != nil {
-		inputConfig.ServerSSHAllowed = msg.ServerSSHAllowed
-		s.latestConfigInput.ServerSSHAllowed = msg.ServerSSHAllowed
-	}
-
-	if msg.DisableAutoConnect != nil {
-		inputConfig.DisableAutoConnect = msg.DisableAutoConnect
-		s.latestConfigInput.DisableAutoConnect = msg.DisableAutoConnect
-	}
-
-	if msg.InterfaceName != nil {
-		inputConfig.InterfaceName = msg.InterfaceName
-		s.latestConfigInput.InterfaceName = msg.InterfaceName
-	}
-
-	if msg.WireguardPort != nil {
-		port := int(*msg.WireguardPort)
-		inputConfig.WireguardPort = &port
-		s.latestConfigInput.WireguardPort = &port
-	}
-
-	if msg.NetworkMonitor != nil {
-		inputConfig.NetworkMonitor = msg.NetworkMonitor
-		s.latestConfigInput.NetworkMonitor = msg.NetworkMonitor
-	}
-
-	if len(msg.ExtraIFaceBlacklist) > 0 {
-		inputConfig.ExtraIFaceBlackList = msg.ExtraIFaceBlacklist
-		s.latestConfigInput.ExtraIFaceBlackList = msg.ExtraIFaceBlacklist
-	}
-
-	if msg.DnsRouteInterval != nil {
-		duration := msg.DnsRouteInterval.AsDuration()
-		inputConfig.DNSRouteInterval = &duration
-		s.latestConfigInput.DNSRouteInterval = &duration
-	}
-
-	if msg.DisableClientRoutes != nil {
-		inputConfig.DisableClientRoutes = msg.DisableClientRoutes
-		s.latestConfigInput.DisableClientRoutes = msg.DisableClientRoutes
-	}
-	if msg.DisableServerRoutes != nil {
-		inputConfig.DisableServerRoutes = msg.DisableServerRoutes
-		s.latestConfigInput.DisableServerRoutes = msg.DisableServerRoutes
-	}
-	if msg.DisableDns != nil {
-		inputConfig.DisableDNS = msg.DisableDns
-		s.latestConfigInput.DisableDNS = msg.DisableDns
-	}
-	if msg.DisableFirewall != nil {
-		inputConfig.DisableFirewall = msg.DisableFirewall
-		s.latestConfigInput.DisableFirewall = msg.DisableFirewall
-	}
-	if msg.BlockLanAccess != nil {
-		inputConfig.BlockLANAccess = msg.BlockLanAccess
-		s.latestConfigInput.BlockLANAccess = msg.BlockLanAccess
-	}
-	if msg.BlockInbound != nil {
-		inputConfig.BlockInbound = msg.BlockInbound
-		s.latestConfigInput.BlockInbound = msg.BlockInbound
-	}
-
-	if msg.CleanDNSLabels {
-		inputConfig.DNSLabels = domain.List{}
-		s.latestConfigInput.DNSLabels = nil
-	} else if msg.DnsLabels != nil {
-		dnsLabels := domain.FromPunycodeList(msg.DnsLabels)
-		inputConfig.DNSLabels = dnsLabels
-		s.latestConfigInput.DNSLabels = dnsLabels
-	}
-
-	if msg.DisableNotifications != nil {
-		inputConfig.DisableNotifications = msg.DisableNotifications
-		s.latestConfigInput.DisableNotifications = msg.DisableNotifications
-	}
-
-	if msg.LazyConnectionEnabled != nil {
-		inputConfig.LazyConnectionEnabled = msg.LazyConnectionEnabled
-		s.latestConfigInput.LazyConnectionEnabled = msg.LazyConnectionEnabled
-	}
-
 	s.mutex.Unlock()
 
-	if msg.OptionalPreSharedKey != nil {
+	cfgPath, err := activeProf.FilePath()
-		inputConfig.PreSharedKey = msg.OptionalPreSharedKey
-	}
-
-	config, err := internal.UpdateOrCreateConfig(inputConfig)
 	if err != nil {
-		return nil, err
+		log.Errorf("failed to get active profile file path: %v", err)
+		return nil, fmt.Errorf("failed to get active profile file path: %w", err)
 	}
 
-	if msg.ManagementUrl == "" {
+	config, err := profilemanager.GetConfig(cfgPath)
-		config, _ = internal.UpdateOldManagementURL(ctx, config, s.latestConfigInput.ConfigPath)
+	if err != nil {
-		s.config = config
+		log.Errorf("failed to get active profile config: %v", err)
-		s.latestConfigInput.ManagementURL = config.ManagementURL.String()
+		return nil, fmt.Errorf("failed to get active profile config: %w", err)
 	}
-
 	s.mutex.Lock()
 	s.config = config
 	s.mutex.Unlock()
@@ -586,15 +624,17 @@ func (s *Server) WaitSSOLogin(callerCtx context.Context, msg *proto.WaitSSOLogin
 		return nil, err
 	}
 
-	return &proto.WaitSSOLoginResponse{}, nil
+	return &proto.WaitSSOLoginResponse{
+		Email: tokenInfo.Email,
+	}, nil
 }
 
 // Up starts engine work in the daemon.
-func (s *Server) Up(callerCtx context.Context, _ *proto.UpRequest) (*proto.UpResponse, error) {
+func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpResponse, error) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	if err := restoreResidualState(callerCtx); err != nil {
+	if err := restoreResidualState(callerCtx, s.profileManager.GetStatePath()); err != nil {
 		log.Warnf(errRestoreResidualState, err)
 	}
 
@@ -628,6 +668,40 @@ func (s *Server) Up(callerCtx context.Context, _ *proto.UpRequest) (*proto.UpRes
 		return nil, fmt.Errorf("config is not defined, please call login command first")
 	}
 
+	activeProf, err := s.profileManager.GetActiveProfileState()
+	if err != nil {
+		log.Errorf("failed to get active profile state: %v", err)
+		return nil, fmt.Errorf("failed to get active profile state: %w", err)
+	}
+
+	if msg != nil && msg.ProfileName != nil {
+		if err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
+			log.Errorf("failed to switch profile: %v", err)
+			return nil, fmt.Errorf("failed to switch profile: %w", err)
+		}
+	}
+
+	activeProf, err = s.profileManager.GetActiveProfileState()
+	if err != nil {
+		log.Errorf("failed to get active profile state: %v", err)
+		return nil, fmt.Errorf("failed to get active profile state: %w", err)
+	}
+
+	log.Infof("active profile: %s for %s", activeProf.Name, activeProf.Username)
+
+	cfgPath, err := activeProf.FilePath()
+	if err != nil {
+		log.Errorf("failed to get active profile file path: %v", err)
+		return nil, fmt.Errorf("failed to get active profile file path: %w", err)
+	}
+
+	config, err := profilemanager.GetConfig(cfgPath)
+	if err != nil {
+		log.Errorf("failed to get active profile config: %v", err)
+		return nil, fmt.Errorf("failed to get active profile config: %w", err)
+	}
+	s.config = config
+
 	s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
 	s.statusRecorder.UpdateRosenpass(s.config.RosenpassEnabled, s.config.RosenpassPermissive)
 
@@ -651,6 +725,70 @@ func (s *Server) Up(callerCtx context.Context, _ *proto.UpRequest) (*proto.UpRes
 	}
 }
 
+func (s *Server) switchProfileIfNeeded(profileName string, userName *string, activeProf *profilemanager.ActiveProfileState) error {
+	if profileName != "default" && (userName == nil || *userName == "") {
+		log.Errorf("profile name is set to %s, but username is not provided", profileName)
+		return fmt.Errorf("profile name is set to %s, but username is not provided", profileName)
+	}
+
+	var username string
+	if profileName != "default" {
+		username = *userName
+	}
+
+	if profileName != activeProf.Name || username != activeProf.Username {
+		log.Infof("switching to profile %s for user %s", profileName, username)
+		if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
+			Name:     profileName,
+			Username: username,
+		}); err != nil {
+			log.Errorf("failed to set active profile state: %v", err)
+			return fmt.Errorf("failed to set active profile state: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// SwitchProfile switches the active profile in the daemon.
+func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfileRequest) (*proto.SwitchProfileResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	activeProf, err := s.profileManager.GetActiveProfileState()
+	if err != nil {
+		log.Errorf("failed to get active profile state: %v", err)
+		return nil, fmt.Errorf("failed to get active profile state: %w", err)
+	}
+
+	if msg != nil && msg.ProfileName != nil {
+		if err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
+			log.Errorf("failed to switch profile: %v", err)
+			return nil, fmt.Errorf("failed to switch profile: %w", err)
+		}
+	}
+	activeProf, err = s.profileManager.GetActiveProfileState()
+	if err != nil {
+		log.Errorf("failed to get active profile state: %v", err)
+		return nil, fmt.Errorf("failed to get active profile state: %w", err)
+	}
+	cfgPath, err := activeProf.FilePath()
+	if err != nil {
+		log.Errorf("failed to get active profile file path: %v", err)
+		return nil, fmt.Errorf("failed to get active profile file path: %w", err)
+	}
+
+	config, err := profilemanager.GetConfig(cfgPath)
+	if err != nil {
+		log.Errorf("failed to get default profile config: %v", err)
+		return nil, fmt.Errorf("failed to get default profile config: %w", err)
+	}
+
+	s.config = config
+
+	return &proto.SwitchProfileResponse{}, nil
+}
+
 // Down engine work in the daemon.
 func (s *Server) Down(ctx context.Context, _ *proto.DownRequest) (*proto.DownResponse, error) {
 	s.mutex.Lock()
@@ -738,58 +876,65 @@ func (s *Server) runProbes() {
 }
 
 // GetConfig of the daemon.
-func (s *Server) GetConfig(_ context.Context, _ *proto.GetConfigRequest) (*proto.GetConfigResponse, error) {
+func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*proto.GetConfigResponse, error) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	managementURL := s.latestConfigInput.ManagementURL
+	if ctx.Err() != nil {
-	adminURL := s.latestConfigInput.AdminURL
+		return nil, ctx.Err()
-	preSharedKey := ""
+	}
 
-	if s.config != nil {
+	prof := profilemanager.ActiveProfileState{
-		if managementURL == "" && s.config.ManagementURL != nil {
+		Name:     req.ProfileName,
-			managementURL = s.config.ManagementURL.String()
+		Username: req.Username,
-		}
+	}
 
-		if s.config.AdminURL != nil {
+	cfgPath, err := prof.FilePath()
-			adminURL = s.config.AdminURL.String()
+	if err != nil {
-		}
+		log.Errorf("failed to get active profile file path: %v", err)
+		return nil, fmt.Errorf("failed to get active profile file path: %w", err)
+	}
 
-		preSharedKey = s.config.PreSharedKey
+	cfg, err := profilemanager.GetConfig(cfgPath)
-		if preSharedKey != "" {
+	if err != nil {
-			preSharedKey = "**********"
+		log.Errorf("failed to get active profile config: %v", err)
-		}
+		return nil, fmt.Errorf("failed to get active profile config: %w", err)
+	}
+	managementURL := cfg.ManagementURL
+	adminURL := cfg.AdminURL
+
+	var preSharedKey = cfg.PreSharedKey
+	if preSharedKey != "" {
+		preSharedKey = "**********"
 	}
 
 	disableNotifications := true
-	if s.config.DisableNotifications != nil {
+	if cfg.DisableNotifications != nil {
-		disableNotifications = *s.config.DisableNotifications
+		disableNotifications = *cfg.DisableNotifications
 	}
 
 	networkMonitor := false
-	if s.config.NetworkMonitor != nil {
+	if cfg.NetworkMonitor != nil {
-		networkMonitor = *s.config.NetworkMonitor
+		networkMonitor = *cfg.NetworkMonitor
 	}
 
-	disableDNS := s.config.DisableDNS
+	disableDNS := cfg.DisableDNS
-	disableClientRoutes := s.config.DisableClientRoutes
+	disableClientRoutes := cfg.DisableClientRoutes
-	disableServerRoutes := s.config.DisableServerRoutes
+	disableServerRoutes := cfg.DisableServerRoutes
-	blockLANAccess := s.config.BlockLANAccess
+	blockLANAccess := cfg.BlockLANAccess
 
 	return &proto.GetConfigResponse{
-		ManagementUrl:         managementURL,
+		ManagementUrl:         managementURL.String(),
-		ConfigFile:            s.latestConfigInput.ConfigPath,
-		LogFile:               s.logFile,
 		PreSharedKey:          preSharedKey,
-		AdminURL:              adminURL,
+		AdminURL:              adminURL.String(),
-		InterfaceName:         s.config.WgIface,
+		InterfaceName:         cfg.WgIface,
-		WireguardPort:         int64(s.config.WgPort),
+		WireguardPort:         int64(cfg.WgPort),
-		DisableAutoConnect:    s.config.DisableAutoConnect,
+		DisableAutoConnect:    cfg.DisableAutoConnect,
-		ServerSSHAllowed:      *s.config.ServerSSHAllowed,
+		ServerSSHAllowed:      *cfg.ServerSSHAllowed,
-		RosenpassEnabled:      s.config.RosenpassEnabled,
+		RosenpassEnabled:      cfg.RosenpassEnabled,
-		RosenpassPermissive:   s.config.RosenpassPermissive,
+		RosenpassPermissive:   cfg.RosenpassPermissive,
-		LazyConnectionEnabled: s.config.LazyConnectionEnabled,
+		LazyConnectionEnabled: cfg.LazyConnectionEnabled,
-		BlockInbound:          s.config.BlockInbound,
+		BlockInbound:          cfg.BlockInbound,
 		DisableNotifications:  disableNotifications,
 		NetworkMonitor:        networkMonitor,
 		DisableDns:            disableDNS,
@@ -918,3 +1063,82 @@ func sendTerminalNotification() error {
 
 	return wallCmd.Wait()
 }
+
+// AddProfile adds a new profile to the daemon.
+func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (*proto.AddProfileResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	if msg.ProfileName == "" || msg.Username == "" {
+		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name and username must be provided")
+	}
+
+	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username); err != nil {
+		log.Errorf("failed to create profile: %v", err)
+		return nil, fmt.Errorf("failed to create profile: %w", err)
+	}
+
+	return &proto.AddProfileResponse{}, nil
+}
+
+// RemoveProfile removes a profile from the daemon.
+func (s *Server) RemoveProfile(ctx context.Context, msg *proto.RemoveProfileRequest) (*proto.RemoveProfileResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	if msg.ProfileName == "" {
+		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name must be provided")
+	}
+
+	if err := s.profileManager.RemoveProfile(msg.ProfileName, msg.Username); err != nil {
+		log.Errorf("failed to remove profile: %v", err)
+		return nil, fmt.Errorf("failed to remove profile: %w", err)
+	}
+
+	return &proto.RemoveProfileResponse{}, nil
+}
+
+// ListProfiles lists all profiles in the daemon.
+func (s *Server) ListProfiles(ctx context.Context, msg *proto.ListProfilesRequest) (*proto.ListProfilesResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	if msg.Username == "" {
+		return nil, gstatus.Errorf(codes.InvalidArgument, "username must be provided")
+	}
+
+	profiles, err := s.profileManager.ListProfiles(msg.Username)
+	if err != nil {
+		log.Errorf("failed to list profiles: %v", err)
+		return nil, fmt.Errorf("failed to list profiles: %w", err)
+	}
+
+	response := &proto.ListProfilesResponse{
+		Profiles: make([]*proto.Profile, len(profiles)),
+	}
+	for i, profile := range profiles {
+		response.Profiles[i] = &proto.Profile{
+			Name:     profile.Name,
+			IsActive: profile.IsActive,
+		}
+	}
+
+	return response, nil
+}
+
+// GetActiveProfile returns the active profile in the daemon.
+func (s *Server) GetActiveProfile(ctx context.Context, msg *proto.GetActiveProfileRequest) (*proto.GetActiveProfileResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	activeProfile, err := s.profileManager.GetActiveProfileState()
+	if err != nil {
+		log.Errorf("failed to get active profile state: %v", err)
+		return nil, fmt.Errorf("failed to get active profile state: %w", err)
+	}
+
+	return &proto.GetActiveProfileResponse{
+		ProfileName: activeProfile.Name,
+		Username:    activeProfile.Username,
+	}, nil
+}

client/server/server_test.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"net"
 	"net/url"
+	"os/user"
+	"path/filepath"
 	"testing"
 	"time"
 
@@ -20,6 +22,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	daemonProto "github.com/netbirdio/netbird/client/proto"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server"
@@ -32,7 +35,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/signal/proto"
 	signalServer "github.com/netbirdio/netbird/signal/server"
-	"github.com/netbirdio/netbird/util"
 )
 
 var (
@@ -70,12 +72,30 @@ func TestConnectWithRetryRuns(t *testing.T) {
 	ctx, cancel := context.WithDeadline(ctx, time.Now().Add(30*time.Second))
 	defer cancel()
 	// create new server
-	s := New(ctx, t.TempDir()+"/config.json", "debug")
+	ic := profilemanager.ConfigInput{
-	s.latestConfigInput.ManagementURL = "http://" + mgmtAddr
+		ManagementURL: "http://" + mgmtAddr,
-	config, err := internal.UpdateOrCreateConfig(s.latestConfigInput)
+		ConfigPath:    t.TempDir() + "/test-profile.json",
+	}
+
+	config, err := profilemanager.UpdateOrCreateConfig(ic)
 	if err != nil {
 		t.Fatalf("failed to create config: %v", err)
 	}
+
+	currUser, err := user.Current()
+	require.NoError(t, err)
+
+	pm := profilemanager.ServiceManager{}
+	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
+		Name:     "test-profile",
+		Username: currUser.Username,
+	})
+	if err != nil {
+		t.Fatalf("failed to set active profile state: %v", err)
+	}
+
+	s := New(ctx, "debug")
+
 	s.config = config
 
 	s.statusRecorder = peer.NewRecorder(config.ManagementURL.String())
@@ -91,26 +111,67 @@ func TestConnectWithRetryRuns(t *testing.T) {
 }
 
 func TestServer_Up(t *testing.T) {
+	tempDir := t.TempDir()
+	origDefaultProfileDir := profilemanager.DefaultConfigPathDir
+	origDefaultConfigPath := profilemanager.DefaultConfigPath
+	profilemanager.ConfigDirOverride = tempDir
+	origActiveProfileStatePath := profilemanager.ActiveProfileStatePath
+	profilemanager.DefaultConfigPathDir = tempDir
+	profilemanager.ActiveProfileStatePath = tempDir + "/active_profile.json"
+	profilemanager.DefaultConfigPath = filepath.Join(tempDir, "default.json")
+	t.Cleanup(func() {
+		profilemanager.DefaultConfigPathDir = origDefaultProfileDir
+		profilemanager.ActiveProfileStatePath = origActiveProfileStatePath
+		profilemanager.DefaultConfigPath = origDefaultConfigPath
+		profilemanager.ConfigDirOverride = ""
+	})
+
 	ctx := internal.CtxInitState(context.Background())
 
-	s := New(ctx, t.TempDir()+"/config.json", util.LogConsole)
+	currUser, err := user.Current()
+	require.NoError(t, err)
 
-	err := s.Start()
+	profName := "default"
+
+	ic := profilemanager.ConfigInput{
+		ConfigPath: filepath.Join(tempDir, profName+".json"),
+	}
+
+	_, err = profilemanager.UpdateOrCreateConfig(ic)
+	if err != nil {
+		t.Fatalf("failed to create config: %v", err)
+	}
+
+	pm := profilemanager.ServiceManager{}
+	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
+		Name:     profName,
+		Username: currUser.Username,
+	})
+	if err != nil {
+		t.Fatalf("failed to set active profile state: %v", err)
+	}
+
+	s := New(ctx, "console")
+
+	err = s.Start()
 	require.NoError(t, err)
 
 	u, err := url.Parse("http://non-existent-url-for-testing.invalid:12345")
 	require.NoError(t, err)
-	s.config = &internal.Config{
+	s.config = &profilemanager.Config{
 		ManagementURL: u,
 	}
 
 	upCtx, cancel := context.WithTimeout(ctx, 1*time.Second)
 	defer cancel()
 
-	upReq := &daemonProto.UpRequest{}
+	upReq := &daemonProto.UpRequest{
+		ProfileName: &profName,
+		Username:    &currUser.Username,
+	}
 	_, err = s.Up(upCtx, upReq)
 
-	assert.Contains(t, err.Error(), "NeedsLogin")
+	assert.Contains(t, err.Error(), "context deadline exceeded")
 }
 
 type mockSubscribeEventsServer struct {
@@ -129,16 +190,51 @@ func (m *mockSubscribeEventsServer) Context() context.Context {
 }
 
 func TestServer_SubcribeEvents(t *testing.T) {
+	tempDir := t.TempDir()
+	origDefaultProfileDir := profilemanager.DefaultConfigPathDir
+	origDefaultConfigPath := profilemanager.DefaultConfigPath
+	profilemanager.ConfigDirOverride = tempDir
+	origActiveProfileStatePath := profilemanager.ActiveProfileStatePath
+	profilemanager.DefaultConfigPathDir = tempDir
+	profilemanager.ActiveProfileStatePath = tempDir + "/active_profile.json"
+	profilemanager.DefaultConfigPath = filepath.Join(tempDir, "default.json")
+	t.Cleanup(func() {
+		profilemanager.DefaultConfigPathDir = origDefaultProfileDir
+		profilemanager.ActiveProfileStatePath = origActiveProfileStatePath
+		profilemanager.DefaultConfigPath = origDefaultConfigPath
+		profilemanager.ConfigDirOverride = ""
+	})
+
 	ctx := internal.CtxInitState(context.Background())
+	ic := profilemanager.ConfigInput{
+		ConfigPath: tempDir + "/default.json",
+	}
 
-	s := New(ctx, t.TempDir()+"/config.json", util.LogConsole)
+	_, err := profilemanager.UpdateOrCreateConfig(ic)
+	if err != nil {
+		t.Fatalf("failed to create config: %v", err)
+	}
 
-	err := s.Start()
+	currUser, err := user.Current()
+	require.NoError(t, err)
+
+	pm := profilemanager.ServiceManager{}
+	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
+		Name:     "default",
+		Username: currUser.Username,
+	})
+	if err != nil {
+		t.Fatalf("failed to set active profile state: %v", err)
+	}
+
+	s := New(ctx, "console")
+
+	err = s.Start()
 	require.NoError(t, err)
 
 	u, err := url.Parse("http://non-existent-url-for-testing.invalid:12345")
 	require.NoError(t, err)
-	s.config = &internal.Config{
+	s.config = &profilemanager.Config{
 		ManagementURL: u,
 	}
 

client/server/state.go

@@ -16,7 +16,7 @@ import (
 
 // ListStates returns a list of all saved states
 func (s *Server) ListStates(_ context.Context, _ *proto.ListStatesRequest) (*proto.ListStatesResponse, error) {
-	mgr := statemanager.New(statemanager.GetDefaultStatePath())
+	mgr := statemanager.New(s.profileManager.GetStatePath())
 
 	stateNames, err := mgr.GetSavedStateNames()
 	if err != nil {
@@ -41,14 +41,16 @@ func (s *Server) CleanState(ctx context.Context, req *proto.CleanStateRequest) (
 		return nil, status.Errorf(codes.FailedPrecondition, "cannot clean state while connecting or connected, run 'netbird down' first.")
 	}
 
+	statePath := s.profileManager.GetStatePath()
+
 	if req.All {
 		// Reuse existing cleanup logic for all states
-		if err := restoreResidualState(ctx); err != nil {
+		if err := restoreResidualState(ctx, statePath); err != nil {
 			return nil, status.Errorf(codes.Internal, "failed to clean all states: %v", err)
 		}
 
 		// Get count of cleaned states
-		mgr := statemanager.New(statemanager.GetDefaultStatePath())
+		mgr := statemanager.New(statePath)
 		stateNames, err := mgr.GetSavedStateNames()
 		if err != nil {
 			return nil, status.Errorf(codes.Internal, "failed to get state count: %v", err)
@@ -60,7 +62,7 @@ func (s *Server) CleanState(ctx context.Context, req *proto.CleanStateRequest) (
 	}
 
 	// Handle single state cleanup
-	mgr := statemanager.New(statemanager.GetDefaultStatePath())
+	mgr := statemanager.New(statePath)
 	registerStates(mgr)
 
 	if err := mgr.CleanupStateByName(req.StateName); err != nil {
@@ -82,7 +84,7 @@ func (s *Server) DeleteState(ctx context.Context, req *proto.DeleteStateRequest)
 		return nil, status.Errorf(codes.FailedPrecondition, "cannot clean state while connecting or connected, run 'netbird down' first.")
 	}
 
-	mgr := statemanager.New(statemanager.GetDefaultStatePath())
+	mgr := statemanager.New(s.profileManager.GetStatePath())
 
 	var count int
 	var err error
@@ -112,13 +114,12 @@ func (s *Server) DeleteState(ctx context.Context, req *proto.DeleteStateRequest)
 
 // restoreResidualState checks if the client was not shut down in a clean way and restores residual if required.
 // Otherwise, we might not be able to connect to the management server to retrieve new config.
-func restoreResidualState(ctx context.Context) error {
+func restoreResidualState(ctx context.Context, statePath string) error {
-	path := statemanager.GetDefaultStatePath()
+	if statePath == "" {
-	if path == "" {
 		return nil
 	}
 
-	mgr := statemanager.New(path)
+	mgr := statemanager.New(statePath)
 
 	// register the states we are interested in restoring
 	registerStates(mgr)

client/status/status.go

@@ -98,9 +98,10 @@ type OutputOverview struct {
 	NSServerGroups          []NsServerGroupStateOutput `json:"dnsServers" yaml:"dnsServers"`
 	Events                  []SystemEventOutput        `json:"events" yaml:"events"`
 	LazyConnectionEnabled   bool                       `json:"lazyConnectionEnabled" yaml:"lazyConnectionEnabled"`
+	ProfileName             string                     `json:"profileName" yaml:"profileName"`
 }
 
-func ConvertToStatusOutputOverview(resp *proto.StatusResponse, anon bool, statusFilter string, prefixNamesFilter []string, prefixNamesFilterMap map[string]struct{}, ipsFilter map[string]struct{}, connectionTypeFilter string) OutputOverview {
+func ConvertToStatusOutputOverview(resp *proto.StatusResponse, anon bool, statusFilter string, prefixNamesFilter []string, prefixNamesFilterMap map[string]struct{}, ipsFilter map[string]struct{}, connectionTypeFilter string, profName string) OutputOverview {
 	pbFullStatus := resp.GetFullStatus()
 
 	managementState := pbFullStatus.GetManagementState()
@@ -138,6 +139,7 @@ func ConvertToStatusOutputOverview(resp *proto.StatusResponse, anon bool, status
 		NSServerGroups:          mapNSGroups(pbFullStatus.GetDnsServers()),
 		Events:                  mapEvents(pbFullStatus.GetEvents()),
 		LazyConnectionEnabled:   pbFullStatus.GetLazyConnectionEnabled(),
+		ProfileName:             profName,
 	}
 
 	if anon {
@@ -406,6 +408,7 @@ func ParseGeneralSummary(overview OutputOverview, showURL bool, showRelays bool,
 		"OS: %s\n"+
 			"Daemon version: %s\n"+
 			"CLI version: %s\n"+
+			"Profile: %s\n"+
 			"Management: %s\n"+
 			"Signal: %s\n"+
 			"Relays: %s\n"+
@@ -421,6 +424,7 @@ func ParseGeneralSummary(overview OutputOverview, showURL bool, showRelays bool,
 		fmt.Sprintf("%s/%s%s", goos, goarch, goarm),
 		overview.DaemonVersion,
 		version.NetbirdVersion(),
+		overview.ProfileName,
 		managementConnString,
 		signalConnString,
 		relaysString,

client/status/status_test.go

@@ -234,7 +234,7 @@ var overview = OutputOverview{
 }
 
 func TestConversionFromFullStatusToOutputOverview(t *testing.T) {
-	convertedResult := ConvertToStatusOutputOverview(resp, false, "", nil, nil, nil, "")
+	convertedResult := ConvertToStatusOutputOverview(resp, false, "", nil, nil, nil, "", "")
 
 	assert.Equal(t, overview, convertedResult)
 }
@@ -384,7 +384,8 @@ func TestParsingToJSON(t *testing.T) {
             }
           ],
           "events": [],
-          "lazyConnectionEnabled": false
+          "lazyConnectionEnabled": false,
+		  "profileName":""
         }`
 	// @formatter:on
 
@@ -486,6 +487,7 @@ dnsServers:
       error: timeout
 events: []
 lazyConnectionEnabled: false
+profileName: ""
 `
 
 	assert.Equal(t, expectedYAML, yaml)
@@ -538,6 +540,7 @@ Events: No events recorded
 OS: %s/%s
 Daemon version: 0.14.1
 CLI version: %s
+Profile: 
 Management: Connected to my-awesome-management.com:443
 Signal: Connected to my-awesome-signal.com:443
 Relays: 
@@ -565,6 +568,7 @@ func TestParsingToShortVersion(t *testing.T) {
 	expectedString := fmt.Sprintf("OS: %s/%s", runtime.GOOS, runtime.GOARCH) + `
 Daemon version: 0.14.1
 CLI version: development
+Profile: 
 Management: Connected
 Signal: Connected
 Relays: 1/2 Available

client/ui/client_ui.go

@@ -8,8 +8,10 @@ import (
 	"errors"
 	"flag"
 	"fmt"
+	"net/url"
 	"os"
 	"os/exec"
+	"os/user"
 	"path"
 	"runtime"
 	"strconv"
@@ -34,11 +36,14 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ui/desktop"
 	"github.com/netbirdio/netbird/client/ui/event"
 	"github.com/netbirdio/netbird/client/ui/process"
+
 	"github.com/netbirdio/netbird/util"
 
 	"github.com/netbirdio/netbird/version"
@@ -54,11 +59,11 @@ const (
 )
 
 func main() {
-	daemonAddr, showSettings, showNetworks, showLoginURL, showDebug, errorMsg, saveLogsInFile := parseFlags()
+	flags := parseFlags()
 
 	// Initialize file logging if needed.
 	var logFile string
-	if saveLogsInFile {
+	if flags.saveLogsInFile {
 		file, err := initLogFile()
 		if err != nil {
 			log.Errorf("error while initializing log: %v", err)
@@ -74,19 +79,28 @@ func main() {
 	a.SetIcon(fyne.NewStaticResource("netbird", iconDisconnected))
 
 	// Show error message window if needed.
-	if errorMsg != "" {
+	if flags.errorMsg != "" {
-		showErrorMessage(errorMsg)
+		showErrorMessage(flags.errorMsg)
 		return
 	}
 
 	// Create the service client (this also builds the settings or networks UI if requested).
-	client := newServiceClient(daemonAddr, logFile, a, showSettings, showNetworks, showLoginURL, showDebug)
+	client := newServiceClient(&newServiceClientArgs{
+		addr:         flags.daemonAddr,
+		logFile:      logFile,
+		app:          a,
+		showSettings: flags.showSettings,
+		showNetworks: flags.showNetworks,
+		showLoginURL: flags.showLoginURL,
+		showDebug:    flags.showDebug,
+		showProfiles: flags.showProfiles,
+	})
 
 	// Watch for theme/settings changes to update the icon.
 	go watchSettingsChanges(a, client)
 
 	// Run in window mode if any UI flag was set.
-	if showSettings || showNetworks || showDebug || showLoginURL {
+	if flags.showSettings || flags.showNetworks || flags.showDebug || flags.showLoginURL || flags.showProfiles {
 		a.Run()
 		return
 	}
@@ -106,21 +120,35 @@ func main() {
 	systray.Run(client.onTrayReady, client.onTrayExit)
 }
 
+type cliFlags struct {
+	daemonAddr     string
+	showSettings   bool
+	showNetworks   bool
+	showProfiles   bool
+	showDebug      bool
+	showLoginURL   bool
+	errorMsg       string
+	saveLogsInFile bool
+}
+
 // parseFlags reads and returns all needed command-line flags.
-func parseFlags() (daemonAddr string, showSettings, showNetworks, showLoginURL, showDebug bool, errorMsg string, saveLogsInFile bool) {
+func parseFlags() *cliFlags {
+	var flags cliFlags
+
 	defaultDaemonAddr := "unix:///var/run/netbird.sock"
 	if runtime.GOOS == "windows" {
 		defaultDaemonAddr = "tcp://127.0.0.1:41731"
 	}
-	flag.StringVar(&daemonAddr, "daemon-addr", defaultDaemonAddr, "Daemon service address to serve CLI requests [unix|tcp]://[path|host:port]")
+	flag.StringVar(&flags.daemonAddr, "daemon-addr", defaultDaemonAddr, "Daemon service address to serve CLI requests [unix|tcp]://[path|host:port]")
-	flag.BoolVar(&showSettings, "settings", false, "run settings window")
+	flag.BoolVar(&flags.showSettings, "settings", false, "run settings window")
-	flag.BoolVar(&showNetworks, "networks", false, "run networks window")
+	flag.BoolVar(&flags.showNetworks, "networks", false, "run networks window")
-	flag.BoolVar(&showLoginURL, "login-url", false, "show login URL in a popup window")
+	flag.BoolVar(&flags.showProfiles, "profiles", false, "run profiles window")
-	flag.BoolVar(&showDebug, "debug", false, "run debug window")
+	flag.BoolVar(&flags.showDebug, "debug", false, "run debug window")
-	flag.StringVar(&errorMsg, "error-msg", "", "displays an error message window")
+	flag.StringVar(&flags.errorMsg, "error-msg", "", "displays an error message window")
-	flag.BoolVar(&saveLogsInFile, "use-log-file", false, fmt.Sprintf("save logs in a file: %s/netbird-ui-PID.log", os.TempDir()))
+	flag.BoolVar(&flags.saveLogsInFile, "use-log-file", false, fmt.Sprintf("save logs in a file: %s/netbird-ui-PID.log", os.TempDir()))
+	flag.BoolVar(&flags.showLoginURL, "login-url", false, "show login URL in a popup window")
 	flag.Parse()
-	return
+	return &flags
 }
 
 // initLogFile initializes logging into a file.
@@ -168,6 +196,12 @@ var iconConnectingMacOS []byte
 //go:embed assets/netbird-systemtray-error-macos.png
 var iconErrorMacOS []byte
 
+//go:embed assets/connected.png
+var iconConnectedDot []byte
+
+//go:embed assets/disconnected.png
+var iconDisconnectedDot []byte
+
 type serviceClient struct {
 	ctx    context.Context
 	cancel context.CancelFunc
@@ -176,9 +210,13 @@ type serviceClient struct {
 
 	eventHandler *eventHandler
 
+	profileManager *profilemanager.ProfileManager
+
 	icAbout              []byte
 	icConnected          []byte
+	icConnectedDot       []byte
 	icDisconnected       []byte
+	icDisconnectedDot    []byte
 	icUpdateConnected    []byte
 	icUpdateDisconnected []byte
 	icConnecting         []byte
@@ -189,6 +227,7 @@ type serviceClient struct {
 	mUp                *systray.MenuItem
 	mDown              *systray.MenuItem
 	mSettings          *systray.MenuItem
+	mProfile           *profileMenu
 	mAbout             *systray.MenuItem
 	mGitHub            *systray.MenuItem
 	mVersionUI         *systray.MenuItem
@@ -214,7 +253,6 @@ type serviceClient struct {
 
 	// input elements for settings form
 	iMngURL        *widget.Entry
-	iConfigFile    *widget.Entry
 	iLogFile       *widget.Entry
 	iPreSharedKey  *widget.Entry
 	iInterfaceName *widget.Entry
@@ -247,6 +285,7 @@ type serviceClient struct {
 	isUpdateIconActive   bool
 	showNetworks         bool
 	wNetworks            fyne.Window
+	wProfiles            fyne.Window
 
 	eventManager *event.Manager
 
@@ -263,36 +302,50 @@ type menuHandler struct {
 	cancel context.CancelFunc
 }
 
+type newServiceClientArgs struct {
+	addr         string
+	logFile      string
+	app          fyne.App
+	showSettings bool
+	showNetworks bool
+	showDebug    bool
+	showLoginURL bool
+	showProfiles bool
+}
+
 // newServiceClient instance constructor
 //
 // This constructor also builds the UI elements for the settings window.
-func newServiceClient(addr string, logFile string, a fyne.App, showSettings bool, showNetworks bool, showLoginURL bool, showDebug bool) *serviceClient {
+func newServiceClient(args *newServiceClientArgs) *serviceClient {
 	ctx, cancel := context.WithCancel(context.Background())
 	s := &serviceClient{
 		ctx:              ctx,
 		cancel:           cancel,
-		addr:             addr,
+		addr:             args.addr,
-		app:              a,
+		app:              args.app,
-		logFile:          logFile,
+		logFile:          args.logFile,
 		sendNotification: false,
 
-		showAdvancedSettings: showSettings,
+		showAdvancedSettings: args.showSettings,
-		showNetworks:         showNetworks,
+		showNetworks:         args.showNetworks,
 		update:               version.NewUpdate("nb/client-ui"),
 	}
 
 	s.eventHandler = newEventHandler(s)
+	s.profileManager = profilemanager.NewProfileManager()
 	s.setNewIcons()
 
 	switch {
-	case showSettings:
+	case args.showSettings:
 		s.showSettingsUI()
-	case showNetworks:
+	case args.showNetworks:
 		s.showNetworksUI()
-	case showLoginURL:
+	case args.showLoginURL:
 		s.showLoginURL()
-	case showDebug:
+	case args.showDebug:
 		s.showDebugUI()
+	case args.showProfiles:
+		s.showProfilesUI()
 	}
 
 	return s
@@ -300,6 +353,8 @@ func newServiceClient(addr string, logFile string, a fyne.App, showSettings bool
 
 func (s *serviceClient) setNewIcons() {
 	s.icAbout = iconAbout
+	s.icConnectedDot = iconConnectedDot
+	s.icDisconnectedDot = iconDisconnectedDot
 	if s.app.Settings().ThemeVariant() == theme.VariantDark {
 		s.icConnected = iconConnectedDark
 		s.icDisconnected = iconDisconnected
@@ -342,8 +397,7 @@ func (s *serviceClient) showSettingsUI() {
 	s.wSettings.SetOnClosed(s.cancel)
 
 	s.iMngURL = widget.NewEntry()
-	s.iConfigFile = widget.NewEntry()
+
-	s.iConfigFile.Disable()
 	s.iLogFile = widget.NewEntry()
 	s.iLogFile.Disable()
 	s.iPreSharedKey = widget.NewPasswordEntry()
@@ -368,14 +422,22 @@ func (s *serviceClient) showSettingsUI() {
 
 // getSettingsForm to embed it into settings window.
 func (s *serviceClient) getSettingsForm() *widget.Form {
+
+	var activeProfName string
+	activeProf, err := s.profileManager.GetActiveProfile()
+	if err != nil {
+		log.Errorf("get active profile: %v", err)
+	} else {
+		activeProfName = activeProf.Name
+	}
 	return &widget.Form{
 		Items: []*widget.FormItem{
+			{Text: "Profile", Widget: widget.NewLabel(activeProfName)},
 			{Text: "Quantum-Resistance", Widget: s.sRosenpassPermissive},
 			{Text: "Interface Name", Widget: s.iInterfaceName},
 			{Text: "Interface Port", Widget: s.iInterfacePort},
 			{Text: "Management URL", Widget: s.iMngURL},
 			{Text: "Pre-shared Key", Widget: s.iPreSharedKey},
-			{Text: "Config File", Widget: s.iConfigFile},
 			{Text: "Log File", Widget: s.iLogFile},
 			{Text: "Network Monitor", Widget: s.sNetworkMonitor},
 			{Text: "Disable DNS", Widget: s.sDisableDNS},
@@ -416,27 +478,67 @@ func (s *serviceClient) getSettingsForm() *widget.Form {
 				s.managementURL = iMngURL
 				s.preSharedKey = s.iPreSharedKey.Text
 
-				loginRequest := proto.LoginRequest{
+				currUser, err := user.Current()
-					ManagementUrl:       iMngURL,
+				if err != nil {
-					IsUnixDesktopClient: runtime.GOOS == "linux" || runtime.GOOS == "freebsd",
+					log.Errorf("get current user: %v", err)
-					RosenpassPermissive: &s.sRosenpassPermissive.Checked,
-					InterfaceName:       &s.iInterfaceName.Text,
-					WireguardPort:       &port,
-					NetworkMonitor:      &s.sNetworkMonitor.Checked,
-					DisableDns:          &s.sDisableDNS.Checked,
-					DisableClientRoutes: &s.sDisableClientRoutes.Checked,
-					DisableServerRoutes: &s.sDisableServerRoutes.Checked,
-					BlockLanAccess:      &s.sBlockLANAccess.Checked,
-				}
-
-				if s.iPreSharedKey.Text != censoredPreSharedKey {
-					loginRequest.OptionalPreSharedKey = &s.iPreSharedKey.Text
-				}
-
-				if err := s.restartClient(&loginRequest); err != nil {
-					log.Errorf("restarting client connection: %v", err)
 					return
 				}
+
+				var req proto.SetConfigRequest
+				req.ProfileName = activeProf.Name
+				req.Username = currUser.Username
+
+				if iMngURL != "" {
+					req.ManagementUrl = iMngURL
+				}
+
+				req.RosenpassPermissive = &s.sRosenpassPermissive.Checked
+				req.InterfaceName = &s.iInterfaceName.Text
+				req.WireguardPort = &port
+				req.NetworkMonitor = &s.sNetworkMonitor.Checked
+				req.DisableDns = &s.sDisableDNS.Checked
+				req.DisableClientRoutes = &s.sDisableClientRoutes.Checked
+				req.DisableServerRoutes = &s.sDisableServerRoutes.Checked
+				req.BlockLanAccess = &s.sBlockLANAccess.Checked
+
+				if s.iPreSharedKey.Text != censoredPreSharedKey {
+					req.OptionalPreSharedKey = &s.iPreSharedKey.Text
+				}
+
+				conn, err := s.getSrvClient(failFastTimeout)
+				if err != nil {
+					log.Errorf("get client: %v", err)
+					dialog.ShowError(fmt.Errorf("Failed to connect to the service: %v", err), s.wSettings)
+					return
+				}
+				_, err = conn.SetConfig(s.ctx, &req)
+				if err != nil {
+					log.Errorf("set config: %v", err)
+					dialog.ShowError(fmt.Errorf("Failed to set configuration: %v", err), s.wSettings)
+					return
+				}
+
+				status, err := conn.Status(s.ctx, &proto.StatusRequest{})
+				if err != nil {
+					log.Errorf("get service status: %v", err)
+					dialog.ShowError(fmt.Errorf("Failed to get service status: %v", err), s.wSettings)
+					return
+				}
+				if status.Status == string(internal.StatusConnected) {
+					// run down & up
+					_, err = conn.Down(s.ctx, &proto.DownRequest{})
+					if err != nil {
+						log.Errorf("down service: %v", err)
+					}
+
+					_, err = conn.Up(s.ctx, &proto.UpRequest{})
+					if err != nil {
+						log.Errorf("up service: %v", err)
+						dialog.ShowError(fmt.Errorf("Failed to reconnect: %v", err), s.wSettings)
+						return
+					}
+				}
+
 			}
 		},
 		OnCancel: func() {
@@ -452,8 +554,21 @@ func (s *serviceClient) login(openURL bool) (*proto.LoginResponse, error) {
 		return nil, err
 	}
 
+	activeProf, err := s.profileManager.GetActiveProfile()
+	if err != nil {
+		log.Errorf("get active profile: %v", err)
+		return nil, err
+	}
+
+	currUser, err := user.Current()
+	if err != nil {
+		return nil, fmt.Errorf("get current user: %w", err)
+	}
+
 	loginResp, err := conn.Login(s.ctx, &proto.LoginRequest{
 		IsUnixDesktopClient: runtime.GOOS == "linux" || runtime.GOOS == "freebsd",
+		ProfileName:         &activeProf.Name,
+		Username:            &currUser.Username,
 	})
 	if err != nil {
 		log.Errorf("login to management URL with: %v", err)
@@ -461,15 +576,9 @@ func (s *serviceClient) login(openURL bool) (*proto.LoginResponse, error) {
 	}
 
 	if loginResp.NeedsSSOLogin && openURL {
-		err = open.Run(loginResp.VerificationURIComplete)
+		err = s.handleSSOLogin(loginResp, conn)
 		if err != nil {
-			log.Errorf("opening the verification uri in the browser failed: %v", err)
+			log.Errorf("handle SSO login failed: %v", err)
-			return nil, err
-		}
-
-		_, err = conn.WaitSSOLogin(s.ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
-		if err != nil {
-			log.Errorf("waiting sso login failed with: %v", err)
 			return nil, err
 		}
 	}
@@ -477,6 +586,34 @@ func (s *serviceClient) login(openURL bool) (*proto.LoginResponse, error) {
 	return loginResp, nil
 }
 
+func (s *serviceClient) handleSSOLogin(loginResp *proto.LoginResponse, conn proto.DaemonServiceClient) error {
+	err := open.Run(loginResp.VerificationURIComplete)
+	if err != nil {
+		log.Errorf("opening the verification uri in the browser failed: %v", err)
+		return err
+	}
+
+	resp, err := conn.WaitSSOLogin(s.ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
+	if err != nil {
+		log.Errorf("waiting sso login failed with: %v", err)
+		return err
+	}
+
+	if resp.Email != "" {
+		err := s.profileManager.SetActiveProfileState(&profilemanager.ProfileState{
+			Email: resp.Email,
+		})
+		if err != nil {
+			log.Warnf("failed to set profile state: %v", err)
+		} else {
+			s.mProfile.refresh()
+		}
+
+	}
+
+	return nil
+}
+
 func (s *serviceClient) menuUpClick() error {
 	systray.SetTemplateIcon(iconConnectingMacOS, s.icConnecting)
 	conn, err := s.getSrvClient(defaultFailTimeout)
@@ -575,6 +712,7 @@ func (s *serviceClient) updateStatus() error {
 			}
 			systray.SetTooltip("NetBird (Connected)")
 			s.mStatus.SetTitle("Connected")
+			s.mStatus.SetIcon(s.icConnectedDot)
 			s.mUp.Disable()
 			s.mDown.Enable()
 			s.mNetworks.Enable()
@@ -634,6 +772,7 @@ func (s *serviceClient) setDisconnectedStatus() {
 	}
 	systray.SetTooltip("NetBird (Disconnected)")
 	s.mStatus.SetTitle("Disconnected")
+	s.mStatus.SetIcon(s.icDisconnectedDot)
 	s.mDown.Disable()
 	s.mUp.Enable()
 	s.mNetworks.Disable()
@@ -658,7 +797,13 @@ func (s *serviceClient) onTrayReady() {
 
 	// setup systray menu items
 	s.mStatus = systray.AddMenuItem("Disconnected", "Disconnected")
+	s.mStatus.SetIcon(s.icDisconnectedDot)
 	s.mStatus.Disable()
+
+	profileMenuItem := systray.AddMenuItem("", "")
+	emailMenuItem := systray.AddMenuItem("", "")
+	s.mProfile = newProfileMenu(s.ctx, s.profileManager, *s.eventHandler, profileMenuItem, emailMenuItem, s.menuDownClick, s.menuUpClick, s.getSrvClient, s.loadSettings)
+
 	systray.AddSeparator()
 	s.mUp = systray.AddMenuItem("Connect", "Connect")
 	s.mDown = systray.AddMenuItem("Disconnect", "Disconnect")
@@ -790,7 +935,15 @@ func (s *serviceClient) getSrvClient(timeout time.Duration) (proto.DaemonService
 
 // getSrvConfig from the service to show it in the settings window.
 func (s *serviceClient) getSrvConfig() {
-	s.managementURL = internal.DefaultManagementURL
+	s.managementURL = profilemanager.DefaultManagementURL
+
+	_, err := s.profileManager.GetActiveProfile()
+	if err != nil {
+		log.Errorf("get active profile: %v", err)
+		return
+	}
+
+	var cfg *profilemanager.Config
 
 	conn, err := s.getSrvClient(failFastTimeout)
 	if err != nil {
@@ -798,48 +951,63 @@ func (s *serviceClient) getSrvConfig() {
 		return
 	}
 
-	cfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{})
+	currUser, err := user.Current()
+	if err != nil {
+		log.Errorf("get current user: %v", err)
+		return
+	}
+
+	activeProf, err := s.profileManager.GetActiveProfile()
+	if err != nil {
+		log.Errorf("get active profile: %v", err)
+		return
+	}
+
+	srvCfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{
+		ProfileName: activeProf.Name,
+		Username:    currUser.Username,
+	})
 	if err != nil {
 		log.Errorf("get config settings from server: %v", err)
 		return
 	}
 
-	if cfg.ManagementUrl != "" {
+	cfg = protoConfigToConfig(srvCfg)
-		s.managementURL = cfg.ManagementUrl
+
+	if cfg.ManagementURL.String() != "" {
+		s.managementURL = cfg.ManagementURL.String()
 	}
 	s.preSharedKey = cfg.PreSharedKey
 	s.RosenpassPermissive = cfg.RosenpassPermissive
-	s.interfaceName = cfg.InterfaceName
+	s.interfaceName = cfg.WgIface
-	s.interfacePort = int(cfg.WireguardPort)
+	s.interfacePort = cfg.WgPort
 
-	s.networkMonitor = cfg.NetworkMonitor
+	s.networkMonitor = *cfg.NetworkMonitor
-	s.disableDNS = cfg.DisableDns
+	s.disableDNS = cfg.DisableDNS
 	s.disableClientRoutes = cfg.DisableClientRoutes
 	s.disableServerRoutes = cfg.DisableServerRoutes
-	s.blockLANAccess = cfg.BlockLanAccess
+	s.blockLANAccess = cfg.BlockLANAccess
 
 	if s.showAdvancedSettings {
 		s.iMngURL.SetText(s.managementURL)
-		s.iConfigFile.SetText(cfg.ConfigFile)
-		s.iLogFile.SetText(cfg.LogFile)
 		s.iPreSharedKey.SetText(cfg.PreSharedKey)
-		s.iInterfaceName.SetText(cfg.InterfaceName)
+		s.iInterfaceName.SetText(cfg.WgIface)
-		s.iInterfacePort.SetText(strconv.Itoa(int(cfg.WireguardPort)))
+		s.iInterfacePort.SetText(strconv.Itoa(cfg.WgPort))
 		s.sRosenpassPermissive.SetChecked(cfg.RosenpassPermissive)
 		if !cfg.RosenpassEnabled {
 			s.sRosenpassPermissive.Disable()
 		}
-		s.sNetworkMonitor.SetChecked(cfg.NetworkMonitor)
+		s.sNetworkMonitor.SetChecked(*cfg.NetworkMonitor)
-		s.sDisableDNS.SetChecked(cfg.DisableDns)
+		s.sDisableDNS.SetChecked(cfg.DisableDNS)
 		s.sDisableClientRoutes.SetChecked(cfg.DisableClientRoutes)
 		s.sDisableServerRoutes.SetChecked(cfg.DisableServerRoutes)
-		s.sBlockLANAccess.SetChecked(cfg.BlockLanAccess)
+		s.sBlockLANAccess.SetChecked(cfg.BlockLANAccess)
 	}
 
 	if s.mNotifications == nil {
 		return
 	}
-	if cfg.DisableNotifications {
+	if cfg.DisableNotifications != nil && *cfg.DisableNotifications {
 		s.mNotifications.Uncheck()
 	} else {
 		s.mNotifications.Check()
@@ -849,6 +1017,58 @@ func (s *serviceClient) getSrvConfig() {
 	}
 }
 
+func protoConfigToConfig(cfg *proto.GetConfigResponse) *profilemanager.Config {
+
+	var config profilemanager.Config
+
+	if cfg.ManagementUrl != "" {
+		parsed, err := url.Parse(cfg.ManagementUrl)
+		if err != nil {
+			log.Errorf("parse management URL: %v", err)
+		} else {
+			config.ManagementURL = parsed
+		}
+	}
+
+	if cfg.PreSharedKey != "" {
+		if cfg.PreSharedKey != censoredPreSharedKey {
+			config.PreSharedKey = cfg.PreSharedKey
+		} else {
+			config.PreSharedKey = ""
+		}
+	}
+	if cfg.AdminURL != "" {
+		parsed, err := url.Parse(cfg.AdminURL)
+		if err != nil {
+			log.Errorf("parse admin URL: %v", err)
+		} else {
+			config.AdminURL = parsed
+		}
+	}
+
+	config.WgIface = cfg.InterfaceName
+	if cfg.WireguardPort != 0 {
+		config.WgPort = int(cfg.WireguardPort)
+	} else {
+		config.WgPort = iface.DefaultWgPort
+	}
+
+	config.DisableAutoConnect = cfg.DisableAutoConnect
+	config.ServerSSHAllowed = &cfg.ServerSSHAllowed
+	config.RosenpassEnabled = cfg.RosenpassEnabled
+	config.RosenpassPermissive = cfg.RosenpassPermissive
+	config.DisableNotifications = &cfg.DisableNotifications
+	config.LazyConnectionEnabled = cfg.LazyConnectionEnabled
+	config.BlockInbound = cfg.BlockInbound
+	config.NetworkMonitor = &cfg.NetworkMonitor
+	config.DisableDNS = cfg.DisableDns
+	config.DisableClientRoutes = cfg.DisableClientRoutes
+	config.DisableServerRoutes = cfg.DisableServerRoutes
+	config.BlockLANAccess = cfg.BlockLanAccess
+
+	return &config
+}
+
 func (s *serviceClient) onUpdateAvailable() {
 	s.updateIndicationLock.Lock()
 	defer s.updateIndicationLock.Unlock()
@@ -880,7 +1100,22 @@ func (s *serviceClient) loadSettings() {
 		return
 	}
 
-	cfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{})
+	currUser, err := user.Current()
+	if err != nil {
+		log.Errorf("get current user: %v", err)
+		return
+	}
+
+	activeProf, err := s.profileManager.GetActiveProfile()
+	if err != nil {
+		log.Errorf("get active profile: %v", err)
+		return
+	}
+
+	cfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{
+		ProfileName: activeProf.Name,
+		Username:    currUser.Username,
+	})
 	if err != nil {
 		log.Errorf("get config settings from server: %v", err)
 		return
@@ -936,41 +1171,37 @@ func (s *serviceClient) updateConfig() error {
 	blockInbound := s.mBlockInbound.Checked()
 	notificationsDisabled := !s.mNotifications.Checked()
 
-	loginRequest := proto.LoginRequest{
+	activeProf, err := s.profileManager.GetActiveProfile()
-		IsUnixDesktopClient:   runtime.GOOS == "linux" || runtime.GOOS == "freebsd",
+	if err != nil {
+		log.Errorf("get active profile: %v", err)
+		return err
+	}
+
+	currUser, err := user.Current()
+	if err != nil {
+		log.Errorf("get current user: %v", err)
+		return err
+	}
+
+	conn, err := s.getSrvClient(failFastTimeout)
+	if err != nil {
+		log.Errorf("get client: %v", err)
+		return err
+	}
+
+	req := proto.SetConfigRequest{
+		ProfileName:           activeProf.Name,
+		Username:              currUser.Username,
+		DisableAutoConnect:    &disableAutoStart,
 		ServerSSHAllowed:      &sshAllowed,
 		RosenpassEnabled:      &rosenpassEnabled,
-		DisableAutoConnect:    &disableAutoStart,
-		DisableNotifications:  &notificationsDisabled,
 		LazyConnectionEnabled: &lazyConnectionEnabled,
 		BlockInbound:          &blockInbound,
+		DisableNotifications:  &notificationsDisabled,
 	}
 
-	if err := s.restartClient(&loginRequest); err != nil {
+	if _, err := conn.SetConfig(s.ctx, &req); err != nil {
-		log.Errorf("restarting client connection: %v", err)
+		log.Errorf("set config settings on server: %v", err)
-		return err
-	}
-
-	return nil
-}
-
-// restartClient restarts the client connection.
-func (s *serviceClient) restartClient(loginRequest *proto.LoginRequest) error {
-	ctx, cancel := context.WithTimeout(s.ctx, defaultFailTimeout)
-	defer cancel()
-
-	client, err := s.getSrvClient(failFastTimeout)
-	if err != nil {
-		return err
-	}
-
-	_, err = client.Login(ctx, loginRequest)
-	if err != nil {
-		return err
-	}
-
-	_, err = client.Up(ctx, &proto.UpRequest{})
-	if err != nil {
 		return err
 	}
 

client/ui/const.go

@@ -2,6 +2,7 @@ package main
 
 const (
 	settingsMenuDescr          = "Settings of the application"
+	profilesMenuDescr          = "Manage your profiles"
 	allowSSHMenuDescr          = "Allow SSH connections"
 	autoConnectMenuDescr       = "Connect automatically when the service starts"
 	quantumResistanceMenuDescr = "Enable post-quantum security via Rosenpass"

client/ui/debug.go

@@ -433,7 +433,7 @@ func (s *serviceClient) collectDebugData(
 
 	var postUpStatusOutput string
 	if postUpStatus != nil {
-		overview := nbstatus.ConvertToStatusOutputOverview(postUpStatus, params.anonymize, "", nil, nil, nil, "")
+		overview := nbstatus.ConvertToStatusOutputOverview(postUpStatus, params.anonymize, "", nil, nil, nil, "", "")
 		postUpStatusOutput = nbstatus.ParseToFullDetailSummary(overview)
 	}
 	headerPostUp := fmt.Sprintf("----- NetBird post-up - Timestamp: %s", time.Now().Format(time.RFC3339))
@@ -450,7 +450,7 @@ func (s *serviceClient) collectDebugData(
 
 	var preDownStatusOutput string
 	if preDownStatus != nil {
-		overview := nbstatus.ConvertToStatusOutputOverview(preDownStatus, params.anonymize, "", nil, nil, nil, "")
+		overview := nbstatus.ConvertToStatusOutputOverview(preDownStatus, params.anonymize, "", nil, nil, nil, "", "")
 		preDownStatusOutput = nbstatus.ParseToFullDetailSummary(overview)
 	}
 	headerPreDown := fmt.Sprintf("----- NetBird pre-down - Timestamp: %s - Duration: %s",
@@ -581,7 +581,7 @@ func (s *serviceClient) createDebugBundle(anonymize bool, systemInfo bool, uploa
 
 	var statusOutput string
 	if statusResp != nil {
-		overview := nbstatus.ConvertToStatusOutputOverview(statusResp, anonymize, "", nil, nil, nil, "")
+		overview := nbstatus.ConvertToStatusOutputOverview(statusResp, anonymize, "", nil, nil, nil, "", "")
 		statusOutput = nbstatus.ParseToFullDetailSummary(overview)
 	}
 

client/ui/profile.go

@@ -0,0 +1,601 @@
+//go:build !(linux && 386)
+
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os/user"
+	"slices"
+	"sort"
+	"sync"
+	"time"
+
+	"fyne.io/fyne/v2"
+	"fyne.io/fyne/v2/container"
+	"fyne.io/fyne/v2/dialog"
+	"fyne.io/fyne/v2/layout"
+	"fyne.io/fyne/v2/widget"
+	"fyne.io/systray"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// showProfilesUI creates and displays the Profiles window with a list of existing profiles,
+// a button to add new profiles, allows removal, and lets the user switch the active profile.
+func (s *serviceClient) showProfilesUI() {
+
+	profiles, err := s.getProfiles()
+	if err != nil {
+		log.Errorf("get profiles: %v", err)
+		return
+	}
+
+	var refresh func()
+	// List widget for profiles
+	list := widget.NewList(
+		func() int { return len(profiles) },
+		func() fyne.CanvasObject {
+			// Each item: Selected indicator, Name, spacer, Select & Remove buttons
+			return container.NewHBox(
+				widget.NewLabel(""), // indicator
+				widget.NewLabel(""), // profile name
+				layout.NewSpacer(),
+				widget.NewButton("Select", nil),
+				widget.NewButton("Remove", nil),
+			)
+		},
+		func(i widget.ListItemID, item fyne.CanvasObject) {
+			// Populate each row
+			row := item.(*fyne.Container)
+			indicator := row.Objects[0].(*widget.Label)
+			nameLabel := row.Objects[1].(*widget.Label)
+			selectBtn := row.Objects[3].(*widget.Button)
+			removeBtn := row.Objects[4].(*widget.Button)
+
+			profile := profiles[i]
+			// Show a checkmark if selected
+			if profile.IsActive {
+				indicator.SetText("✓")
+			} else {
+				indicator.SetText("")
+			}
+			nameLabel.SetText(profile.Name)
+
+			// Configure Select/Active button
+			selectBtn.SetText(func() string {
+				if profile.IsActive {
+					return "Active"
+				}
+				return "Select"
+			}())
+			selectBtn.OnTapped = func() {
+				if profile.IsActive {
+					return // already active
+				}
+				// confirm switch
+				dialog.ShowConfirm(
+					"Switch Profile",
+					fmt.Sprintf("Are you sure you want to switch to '%s'?", profile.Name),
+					func(confirm bool) {
+						if !confirm {
+							return
+						}
+						// switch
+						err = s.switchProfile(profile.Name)
+						if err != nil {
+							log.Errorf("failed to switch profile: %v", err)
+							dialog.ShowError(errors.New("failed to select profile"), s.wProfiles)
+							return
+						}
+
+						dialog.ShowInformation(
+							"Profile Switched",
+							fmt.Sprintf("Profile '%s' switched successfully", profile.Name),
+							s.wProfiles,
+						)
+
+						conn, err := s.getSrvClient(defaultFailTimeout)
+						if err != nil {
+							log.Errorf("failed to get daemon client: %v", err)
+							return
+						}
+
+						status, err := conn.Status(context.Background(), &proto.StatusRequest{})
+						if err != nil {
+							log.Errorf("failed to get status after switching profile: %v", err)
+							return
+						}
+
+						if status.Status == string(internal.StatusConnected) {
+							if err := s.menuDownClick(); err != nil {
+								log.Errorf("failed to handle down click after switching profile: %v", err)
+								dialog.ShowError(fmt.Errorf("failed to handle down click"), s.wProfiles)
+								return
+							}
+						}
+						// update slice flags
+						refresh()
+					},
+					s.wProfiles,
+				)
+			}
+
+			// Remove profile
+			removeBtn.SetText("Remove")
+			removeBtn.OnTapped = func() {
+				dialog.ShowConfirm(
+					"Delete Profile",
+					fmt.Sprintf("Are you sure you want to delete '%s'?", profile.Name),
+					func(confirm bool) {
+						if !confirm {
+							return
+						}
+						// remove
+						err = s.removeProfile(profile.Name)
+						if err != nil {
+							log.Errorf("failed to remove profile: %v", err)
+							dialog.ShowError(fmt.Errorf("failed to remove profile"), s.wProfiles)
+							return
+						}
+						dialog.ShowInformation(
+							"Profile Removed",
+							fmt.Sprintf("Profile '%s' removed successfully", profile.Name),
+							s.wProfiles,
+						)
+						// update slice
+						refresh()
+					},
+					s.wProfiles,
+				)
+			}
+		},
+	)
+
+	refresh = func() {
+		newProfiles, err := s.getProfiles()
+		if err != nil {
+			dialog.ShowError(err, s.wProfiles)
+			return
+		}
+		profiles = newProfiles // update the slice
+		list.Refresh()         // tell Fyne to re-call length/update on every visible row
+	}
+
+	// Button to add a new profile
+	newBtn := widget.NewButton("New Profile", func() {
+		nameEntry := widget.NewEntry()
+		nameEntry.SetPlaceHolder("Enter Profile Name")
+
+		formItems := []*widget.FormItem{{Text: "Name:", Widget: nameEntry}}
+		dlg := dialog.NewForm(
+			"New Profile",
+			"Create",
+			"Cancel",
+			formItems,
+			func(confirm bool) {
+				if !confirm {
+					return
+				}
+				name := nameEntry.Text
+				if name == "" {
+					dialog.ShowError(errors.New("profile name cannot be empty"), s.wProfiles)
+					return
+				}
+
+				// add profile
+				err = s.addProfile(name)
+				if err != nil {
+					log.Errorf("failed to create profile: %v", err)
+					dialog.ShowError(fmt.Errorf("failed to create profile"), s.wProfiles)
+					return
+				}
+				dialog.ShowInformation(
+					"Profile Created",
+					fmt.Sprintf("Profile '%s' created successfully", name),
+					s.wProfiles,
+				)
+				// update slice
+				refresh()
+			},
+			s.wProfiles,
+		)
+		// make dialog wider
+		dlg.Resize(fyne.NewSize(350, 150))
+		dlg.Show()
+	})
+
+	// Assemble window content
+	content := container.NewBorder(nil, newBtn, nil, nil, list)
+	s.wProfiles = s.app.NewWindow("NetBird Profiles")
+	s.wProfiles.SetContent(content)
+	s.wProfiles.Resize(fyne.NewSize(400, 300))
+	s.wProfiles.SetOnClosed(s.cancel)
+
+	s.wProfiles.Show()
+}
+
+func (s *serviceClient) addProfile(profileName string) error {
+	conn, err := s.getSrvClient(defaultFailTimeout)
+	if err != nil {
+		return fmt.Errorf(getClientFMT, err)
+	}
+
+	currUser, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %w", err)
+	}
+
+	_, err = conn.AddProfile(context.Background(), &proto.AddProfileRequest{
+		ProfileName: profileName,
+		Username:    currUser.Username,
+	})
+
+	if err != nil {
+		return fmt.Errorf("add profile: %w", err)
+	}
+
+	return nil
+}
+
+func (s *serviceClient) switchProfile(profileName string) error {
+	conn, err := s.getSrvClient(defaultFailTimeout)
+	if err != nil {
+		return fmt.Errorf(getClientFMT, err)
+	}
+
+	currUser, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %w", err)
+	}
+
+	if _, err := conn.SwitchProfile(context.Background(), &proto.SwitchProfileRequest{
+		ProfileName: &profileName,
+		Username:    &currUser.Username,
+	}); err != nil {
+		return fmt.Errorf("switch profile failed: %w", err)
+	}
+
+	err = s.profileManager.SwitchProfile(profileName)
+	if err != nil {
+		return fmt.Errorf("switch profile: %w", err)
+	}
+
+	return nil
+}
+
+func (s *serviceClient) removeProfile(profileName string) error {
+	conn, err := s.getSrvClient(defaultFailTimeout)
+	if err != nil {
+		return fmt.Errorf(getClientFMT, err)
+	}
+
+	currUser, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %w", err)
+	}
+
+	_, err = conn.RemoveProfile(context.Background(), &proto.RemoveProfileRequest{
+		ProfileName: profileName,
+		Username:    currUser.Username,
+	})
+	if err != nil {
+		return fmt.Errorf("remove profile: %w", err)
+	}
+
+	return nil
+}
+
+type Profile struct {
+	Name     string
+	IsActive bool
+}
+
+func (s *serviceClient) getProfiles() ([]Profile, error) {
+	conn, err := s.getSrvClient(defaultFailTimeout)
+	if err != nil {
+		return nil, fmt.Errorf(getClientFMT, err)
+	}
+
+	currUser, err := user.Current()
+	if err != nil {
+		return nil, fmt.Errorf("get current user: %w", err)
+	}
+	profilesResp, err := conn.ListProfiles(context.Background(), &proto.ListProfilesRequest{
+		Username: currUser.Username,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("list profiles: %w", err)
+	}
+
+	var profiles []Profile
+
+	for _, profile := range profilesResp.Profiles {
+		profiles = append(profiles, Profile{
+			Name:     profile.Name,
+			IsActive: profile.IsActive,
+		})
+	}
+
+	return profiles, nil
+}
+
+type subItem struct {
+	*systray.MenuItem
+	ctx    context.Context
+	cancel context.CancelFunc
+}
+
+type profileMenu struct {
+	mu                    sync.Mutex
+	ctx                   context.Context
+	profileManager        *profilemanager.ProfileManager
+	eventHandler          eventHandler
+	profileMenuItem       *systray.MenuItem
+	emailMenuItem         *systray.MenuItem
+	profileSubItems       []*subItem
+	manageProfilesSubItem *subItem
+	profilesState         []Profile
+	downClickCallback     func() error
+	upClickCallback       func() error
+	getSrvClientCallback  func(timeout time.Duration) (proto.DaemonServiceClient, error)
+	loadSettingsCallback  func()
+}
+
+func newProfileMenu(ctx context.Context, profileManager *profilemanager.ProfileManager,
+
+	eventHandler eventHandler, profileMenuItem, emailMenuItem *systray.MenuItem,
+	downClickCallback, upClickCallback func() error,
+	getSrvClientCallback func(timeout time.Duration) (proto.DaemonServiceClient, error),
+	loadSettingsCallback func()) *profileMenu {
+	p := profileMenu{
+		ctx:                  ctx,
+		profileManager:       profileManager,
+		eventHandler:         eventHandler,
+		profileMenuItem:      profileMenuItem,
+		emailMenuItem:        emailMenuItem,
+		downClickCallback:    downClickCallback,
+		upClickCallback:      upClickCallback,
+		getSrvClientCallback: getSrvClientCallback,
+		loadSettingsCallback: loadSettingsCallback,
+	}
+
+	p.emailMenuItem.Disable()
+	p.emailMenuItem.Hide()
+	p.refresh()
+	go p.updateMenu()
+
+	return &p
+}
+
+func (p *profileMenu) getProfiles() ([]Profile, error) {
+	conn, err := p.getSrvClientCallback(defaultFailTimeout)
+	if err != nil {
+		return nil, fmt.Errorf(getClientFMT, err)
+	}
+	currUser, err := user.Current()
+	if err != nil {
+		return nil, fmt.Errorf("get current user: %w", err)
+	}
+
+	profilesResp, err := conn.ListProfiles(p.ctx, &proto.ListProfilesRequest{
+		Username: currUser.Username,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("list profiles: %w", err)
+	}
+
+	var profiles []Profile
+
+	for _, profile := range profilesResp.Profiles {
+		profiles = append(profiles, Profile{
+			Name:     profile.Name,
+			IsActive: profile.IsActive,
+		})
+	}
+
+	return profiles, nil
+}
+
+func (p *profileMenu) refresh() {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	profiles, err := p.getProfiles()
+	if err != nil {
+		log.Errorf("failed to list profiles: %v", err)
+		return
+	}
+
+	// Clear existing profile items
+	p.clear(profiles)
+
+	currUser, err := user.Current()
+	if err != nil {
+		log.Errorf("failed to get current user: %v", err)
+		return
+	}
+
+	conn, err := p.getSrvClientCallback(defaultFailTimeout)
+	if err != nil {
+		log.Errorf("failed to get daemon client: %v", err)
+		return
+	}
+
+	activeProf, err := conn.GetActiveProfile(p.ctx, &proto.GetActiveProfileRequest{})
+	if err != nil {
+		log.Errorf("failed to get active profile: %v", err)
+		return
+	}
+
+	if activeProf.ProfileName == "default" || activeProf.Username == currUser.Username {
+		activeProfState, err := p.profileManager.GetProfileState(activeProf.ProfileName)
+		if err != nil {
+			log.Warnf("failed to get active profile state: %v", err)
+			p.emailMenuItem.Hide()
+		} else if activeProfState.Email != "" {
+			p.emailMenuItem.SetTitle(fmt.Sprintf("(%s)", activeProfState.Email))
+			p.emailMenuItem.Show()
+		}
+	}
+
+	for _, profile := range profiles {
+		item := p.profileMenuItem.AddSubMenuItem(profile.Name, "")
+		if profile.IsActive {
+			item.Check()
+		}
+
+		ctx, cancel := context.WithCancel(context.Background())
+		p.profileSubItems = append(p.profileSubItems, &subItem{item, ctx, cancel})
+
+		go func() {
+			for {
+				select {
+				case <-ctx.Done():
+					return // context cancelled
+				case _, ok := <-item.ClickedCh:
+					if !ok {
+						return // channel closed
+					}
+
+					// Handle profile selection
+					if profile.IsActive {
+						log.Infof("Profile '%s' is already active", profile.Name)
+						return
+					}
+					conn, err := p.getSrvClientCallback(defaultFailTimeout)
+					if err != nil {
+						log.Errorf("failed to get daemon client: %v", err)
+						return
+					}
+
+					_, err = conn.SwitchProfile(ctx, &proto.SwitchProfileRequest{
+						ProfileName: &profile.Name,
+						Username:    &currUser.Username,
+					})
+					if err != nil {
+						log.Errorf("failed to switch profile: %v", err)
+						return
+					}
+
+					err = p.profileManager.SwitchProfile(profile.Name)
+					if err != nil {
+						log.Errorf("failed to switch profile '%s': %v", profile.Name, err)
+						return
+					}
+
+					log.Infof("Switched to profile '%s'", profile.Name)
+
+					status, err := conn.Status(ctx, &proto.StatusRequest{})
+					if err != nil {
+						log.Errorf("failed to get status after switching profile: %v", err)
+						return
+					}
+
+					if status.Status == string(internal.StatusConnected) {
+						if err := p.downClickCallback(); err != nil {
+							log.Errorf("failed to handle down click after switching profile: %v", err)
+						}
+					}
+
+					if err := p.upClickCallback(); err != nil {
+						log.Errorf("failed to handle up click after switching profile: %v", err)
+					}
+
+					p.refresh()
+					p.loadSettingsCallback()
+				}
+			}
+		}()
+
+	}
+	ctx, cancel := context.WithCancel(context.Background())
+	manageItem := p.profileMenuItem.AddSubMenuItem("Manage Profiles", "")
+	p.manageProfilesSubItem = &subItem{manageItem, ctx, cancel}
+
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				return // context cancelled
+			case _, ok := <-manageItem.ClickedCh:
+				if !ok {
+					return // channel closed
+				}
+				// Handle manage profiles click
+				p.eventHandler.runSelfCommand(p.ctx, "profiles", "true")
+				p.refresh()
+				p.loadSettingsCallback()
+			}
+		}
+	}()
+
+	if activeProf.ProfileName == "default" || activeProf.Username == currUser.Username {
+		p.profileMenuItem.SetTitle(activeProf.ProfileName)
+	} else {
+		p.profileMenuItem.SetTitle(fmt.Sprintf("Profile: %s (User: %s)", activeProf.ProfileName, activeProf.Username))
+		p.emailMenuItem.Hide()
+	}
+
+}
+
+func (p *profileMenu) clear(profiles []Profile) {
+	// Clear existing profile items
+	for _, item := range p.profileSubItems {
+		item.Remove()
+		item.cancel()
+	}
+	p.profileSubItems = make([]*subItem, 0, len(profiles))
+	p.profilesState = profiles
+
+	if p.manageProfilesSubItem != nil {
+		// Remove the manage profiles item if it exists
+		p.manageProfilesSubItem.Remove()
+		p.manageProfilesSubItem.cancel()
+		p.manageProfilesSubItem = nil
+	}
+}
+
+func (p *profileMenu) updateMenu() {
+	// check every second
+	ticker := time.NewTicker(time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ticker.C:
+
+			// get profilesList
+			profiles, err := p.getProfiles()
+			if err != nil {
+				log.Errorf("failed to list profiles: %v", err)
+				continue
+			}
+
+			sort.Slice(profiles, func(i, j int) bool {
+				return profiles[i].Name < profiles[j].Name
+			})
+
+			p.mu.Lock()
+			state := p.profilesState
+			p.mu.Unlock()
+
+			sort.Slice(state, func(i, j int) bool {
+				return state[i].Name < state[j].Name
+			})
+
+			if slices.Equal(profiles, state) {
+				continue
+			}
+
+			p.refresh()
+		case <-p.ctx.Done():
+			return // context cancelled
+
+		}
+	}
+}

util/file.go

@@ -9,6 +9,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 	"text/template"
 
@@ -200,6 +201,36 @@ func ReadJson(file string, res interface{}) (interface{}, error) {
 	return res, nil
 }
 
+// RemoveJson removes the specified JSON file if it exists
+func RemoveJson(file string) error {
+	// Check if the file exists
+	if _, err := os.Stat(file); errors.Is(err, os.ErrNotExist) {
+		return nil // File does not exist, nothing to remove
+	}
+
+	// Attempt to remove the file
+	if err := os.Remove(file); err != nil {
+		return fmt.Errorf("failed to remove JSON file %s: %w", file, err)
+	}
+
+	return nil
+}
+
+// ListFiles returns the full paths of all files in dir that match pattern.
+// Pattern uses shell-style globbing (e.g. "*.json").
+func ListFiles(dir, pattern string) ([]string, error) {
+	// glob pattern like "/path/to/dir/*.json"
+	globPattern := filepath.Join(dir, pattern)
+
+	matches, err := filepath.Glob(globPattern)
+	if err != nil {
+		return nil, err
+	}
+
+	sort.Strings(matches)
+	return matches, nil
+}
+
 // ReadJsonWithEnvSub reads JSON config file and maps to a provided interface with environment variable substitution
 func ReadJsonWithEnvSub(file string, res interface{}) (interface{}, error) {
 	envVars := getEnvMap()