Merge branch 'dev' into feature/awg-net-fix-macos-wakeup

# Conflicts: # client/mozilla/localsocketcontroller.cpp # client/vpnconnection.cpp # ipc/ipcserver.cpp # service/server/localserver.cpp
2026-06-23 02:00:20 +07:00 · 2025-09-11 21:20:10 +07:00
parent 511b8fa6cc a77842c9e3
commit 23b530a0f8
275 changed files with 28523 additions and 15154 deletions
@@ -10,7 +10,7 @@ env:
 jobs:
  Build-Linux-Ubuntu:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    env:
      QT_VERSION: 6.6.2
@@ -20,6 +20,8 @@ jobs:
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
      FREE_V2_ENDPOINT: ${{ secrets.FREE_V2_ENDPOINT }}
      PREM_V1_ENDPOINT: ${{ secrets.PREM_V1_ENDPOINT }}
    steps:
    - name: 'Install Qt'
@@ -90,6 +92,8 @@ jobs:
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
      FREE_V2_ENDPOINT: ${{ secrets.FREE_V2_ENDPOINT }}
      PREM_V1_ENDPOINT: ${{ secrets.PREM_V1_ENDPOINT }}
    steps:
    - name: 'Get sources'
@@ -156,6 +160,8 @@ jobs:
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
      FREE_V2_ENDPOINT: ${{ secrets.FREE_V2_ENDPOINT }}
      PREM_V1_ENDPOINT: ${{ secrets.PREM_V1_ENDPOINT }}
    steps:
    - name: 'Setup xcode'
@@ -243,18 +249,33 @@ jobs:
 # ------------------------------------------------------
-  Build-MacOS:
+  Build-MacOS-old:
    runs-on: macos-latest
    env:
      # Keep compat with MacOS 10.15 aka Catalina by Qt 6.4
      QT_VERSION: 6.4.3
-      QIF_VERSION: 4.6
+
      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
      MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
      MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
      MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
      APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
      APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
      FREE_V2_ENDPOINT: ${{ secrets.FREE_V2_ENDPOINT }}
      PREM_V1_ENDPOINT: ${{ secrets.PREM_V1_ENDPOINT }}
    steps:
    - name: 'Setup xcode'
@@ -275,11 +296,6 @@ jobs:
        set-env: 'true'
        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
    - name: 'Install Qt Installer Framework ${{ env.QIF_VERSION }}'
      run: |
        mkdir -pv ${{ runner.temp }}/Qt/Tools/QtInstallerFramework
        wget https://qt.amzsvc.com/tools/ifw/${{ env.QIF_VERSION }}.zip
        unzip ${{ env.QIF_VERSION }}.zip -d ${{ runner.temp }}/Qt/Tools/QtInstallerFramework/
    - name: 'Get sources'
      uses: actions/checkout@v4
@@ -293,14 +309,90 @@ jobs:
    - name: 'Build project'
      run: |
        export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
-        export QIF_BIN_DIR="${{ runner.temp }}/Qt/Tools/QtInstallerFramework/${{ env.QIF_VERSION }}/bin"
+        bash deploy/build_macos.sh -n
-        bash deploy/build_macos.sh
+
    - name: 'Upload installer artifact'
      uses: actions/upload-artifact@v4
      with:
        name: AmneziaVPN_MacOS_old_installer
        path: deploy/build/pkg/AmneziaVPN.pkg
        retention-days: 7
    - name: 'Upload unpacked artifact'
      uses: actions/upload-artifact@v4
      with:
        name: AmneziaVPN_MacOS_old_unpacked
        path: deploy/build/client/AmneziaVPN.app
        retention-days: 7
 # ------------------------------------------------------
  Build-MacOS:
    runs-on: macos-latest
    env:
      QT_VERSION: 6.8.0
      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
      MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
      MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
      MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
      APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
      APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
      FREE_V2_ENDPOINT: ${{ secrets.FREE_V2_ENDPOINT }}
      PREM_V1_ENDPOINT: ${{ secrets.PREM_V1_ENDPOINT }}
    steps:
    - name: 'Setup xcode'
      uses: maxim-lobanov/setup-xcode@v1
      with:
        xcode-version: '16.2.0'
    - name: 'Install Qt'
      uses: jurplel/install-qt-action@v3
      with:
        version: ${{ env.QT_VERSION }}
        host: 'mac'
        target: 'desktop'
        arch: 'clang_64'
        modules: 'qtremoteobjects qt5compat qtshadertools'
        dir: ${{ runner.temp }}
        setup-python: 'true'
        set-env: 'true'
        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
    - name: 'Get sources'
      uses: actions/checkout@v4
      with:
        submodules: 'true'
        fetch-depth: 10
    - name: 'Setup ccache'
      uses: hendrikmuhs/ccache-action@v1.2
    - name: 'Build project'
      run: |
        export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
        bash deploy/build_macos.sh -n
    - name: 'Upload installer artifact'
      uses: actions/upload-artifact@v4
      with:
        name: AmneziaVPN_MacOS_installer
-        path: AmneziaVPN.dmg
+        path: deploy/build/pkg/AmneziaVPN.pkg
        retention-days: 7
    - name: 'Upload unpacked artifact'
@@ -310,6 +402,67 @@ jobs:
        path: deploy/build/client/AmneziaVPN.app
        retention-days: 7
  Build-MacOS-NE:
    runs-on: macos-latest
    env:
      QT_VERSION: 6.8.3
      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
      FREE_V2_ENDPOINT: ${{ secrets.FREE_V2_ENDPOINT }}
      PREM_V1_ENDPOINT: ${{ secrets.PREM_V1_ENDPOINT }}
    steps:
    - name: 'Setup xcode'
      uses: maxim-lobanov/setup-xcode@v1
      with:
        xcode-version: '16.2.0'
    - name: 'Install Qt'
      uses: jurplel/install-qt-action@v3
      with:
        version: ${{ env.QT_VERSION }}
        host: 'mac'
        target: 'desktop'
        arch: 'clang_64'
        modules: 'qtremoteobjects qt5compat qtshadertools'
        dir: ${{ runner.temp }}
        setup-python: 'true'
        set-env: 'true'
        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
    - name: 'Get sources'
      uses: actions/checkout@v4
      with:
        submodules: 'true'
        fetch-depth: 10
    - name: 'Setup ccache'
      uses: hendrikmuhs/ccache-action@v1.2
    - name: 'Build project'
      run: |
        export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
        bash deploy/build_macos_ne.sh
    - name: 'Upload unpacked artifact'
      uses: actions/upload-artifact@v4
      with:
        name: AmneziaVPN_MacOS_unpacked
        path: deploy/build/client/AmneziaVPN.app
        retention-days: 7
 # ------------------------------------------------------
  Build-Android:
@@ -324,6 +477,8 @@ jobs:
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
      FREE_V2_ENDPOINT: ${{ secrets.FREE_V2_ENDPOINT }}
      PREM_V1_ENDPOINT: ${{ secrets.PREM_V1_ENDPOINT }}
    steps:
    - name: 'Install desktop Qt'
@@ -20,6 +20,8 @@ jobs:
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
      FREE_V2_ENDPOINT: ${{ secrets.FREE_V2_ENDPOINT }}
      PREM_V1_ENDPOINT: ${{ secrets.PREM_V1_ENDPOINT }}
    steps:
    - name: 'Install desktop Qt'
@@ -1,64 +1,41 @@
 name: 'Upload a new version'
 on:
-  push:
+  workflow_dispatch:
-    tags:
+    inputs:
-    - '[0-9]+.[0-9]+.[0-9]+.[0-9]+'
+      RELEASE_VERSION:
        description: 'Release version (e.g. 1.2.3.4)'
        required: true
        type: string
 jobs:
-  upload:
+  Upload-S3:
    runs-on: ubuntu-latest
    name: upload
    steps:
-      - name: Checkout CMakeLists.txt
+      - name: Checkout
        uses: actions/checkout@v4
        with:
-          ref: ${{ github.ref_name }}
+          ref: ${{ inputs.RELEASE_VERSION }}
          sparse-checkout: |
            CMakeLists.txt
            deploy/deploy_s3.sh
          sparse-checkout-cone-mode: false
      - name: Verify git tag
        run: |
-          GIT_TAG=${{ github.ref_name }}
+          TAG_NAME=${{ inputs.RELEASE_VERSION }}
          CMAKE_TAG=$(grep 'project.*VERSION' CMakeLists.txt | sed -E 's/.* ([0-9]+.[0-9]+.[0-9]+.[0-9]+)$/\1/')
-
+          if [[ "$TAG_NAME" == "$CMAKE_TAG" ]]; then
-          if [[ "$GIT_TAG" == "$CMAKE_TAG" ]]; then
+            echo "Git tag ($TAG_NAME) matches CMakeLists.txt version ($CMAKE_TAG)."
            echo "Git tag ($GIT_TAG) and version in CMakeLists.txt ($CMAKE_TAG) are the same. Continuing..."
          else
-            echo "Git tag ($GIT_TAG) and version in CMakeLists.txt ($CMAKE_TAG) are not the same! Cancelling..."
+            echo "::error::Mismatch: Git tag ($TAG_NAME) != CMakeLists.txt version ($CMAKE_TAG). Exiting with error..."
            exit 1
          fi
-      - name: Download artifacts from the "${{ github.ref_name }}" tag
+      - name: Setup Rclone
-        uses: robinraju/release-downloader@v1.8
+        uses: AnimMouse/setup-rclone@v1
        with:
-          tag: ${{ github.ref_name }}
+          rclone_config: ${{ secrets.RCLONE_CONFIG }}
          fileName: "AmneziaVPN_(Linux_|)${{ github.ref_name }}*"
          out-file-path: ${{ github.ref_name }}
-      - name: Upload beta version
+      - name: Send dist to S3
-        uses: jakejarvis/s3-sync-action@master
+        run: bash deploy/deploy_s3.sh ${{ inputs.RELEASE_VERSION }}
        if: contains(github.event.base_ref, 'dev')
        with:
          args: --include "AmneziaVPN*" --delete
        env:
          AWS_S3_BUCKET: updates
          AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_SECRET_ACCESS_KEY }}
          AWS_S3_ENDPOINT: https://${{ vars.CF_ACCOUNT_ID }}.r2.cloudflarestorage.com
          SOURCE_DIR: ${{ github.ref_name }}
          DEST_DIR: beta/${{ github.ref_name }}
      - name: Upload stable version
        uses: jakejarvis/s3-sync-action@master
        if: contains(github.event.base_ref, 'master')
        with:
          args: --include "AmneziaVPN*" --delete
        env:
          AWS_S3_BUCKET: updates
          AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_SECRET_ACCESS_KEY }}
          AWS_S3_ENDPOINT: https://${{ vars.CF_ACCOUNT_ID }}.r2.cloudflarestorage.com
          SOURCE_DIR: ${{ github.ref_name }}
          DEST_DIR: stable/${{ github.ref_name }}
@@ -134,3 +134,8 @@ out/
 # CMake files
 CMakeFiles/
 ios-ne-build.sh
 macos-ne-build.sh
 macos-signed-build.sh
 macos-with-sign-build.sh
@@ -7,6 +7,7 @@
 [submodule "client/3rd-prebuilt"]
 	path = client/3rd-prebuilt
 	url = https://github.com/amnezia-vpn/3rd-prebuilt
 	branch = feature/special-handshake
 [submodule "client/3rd/amneziawg-apple"]
 	path = client/3rd/amneziawg-apple
 	url = https://github.com/amnezia-vpn/amneziawg-apple
@@ -1,8 +1,9 @@
 cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)
 set(PROJECT AmneziaVPN)
 set(AMNEZIAVPN_VERSION 4.8.10.0)
-project(${PROJECT} VERSION 4.8.5.0
+project(${PROJECT} VERSION ${AMNEZIAVPN_VERSION}
        DESCRIPTION "AmneziaVPN"
        HOMEPAGE_URL "https://amnezia.org/"
 )
@@ -11,7 +12,7 @@ string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")
 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2082)
+set(APP_ANDROID_VERSION_CODE 2093)
 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
    set(MZ_PLATFORM_NAME "linux")
@@ -31,13 +32,19 @@ set(QT_BUILD_TOOLS_WHEN_CROSS_COMPILING ON)
 set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
-if(APPLE AND NOT IOS)
+if(APPLE)
-    set(CMAKE_OSX_ARCHITECTURES "x86_64")
+    if(IOS)
        set(CMAKE_OSX_ARCHITECTURES "arm64")
    elseif(MACOS_NE)
        set(CMAKE_OSX_ARCHITECTURES "arm64;x86_64")
    else()
        set(CMAKE_OSX_ARCHITECTURES "x86_64")
    endif()
 endif()
 add_subdirectory(client)
-if(NOT IOS AND NOT ANDROID)
+if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
    add_subdirectory(service)
    include(${CMAKE_SOURCE_DIR}/deploy/installer/config.cmake)
@@ -9,17 +9,17 @@
 ### [English]([https://github.com/amnezia-vpn/amnezia-client/blob/dev/README_RU.md](https://github.com/amnezia-vpn/amnezia-client/tree/dev?tab=readme-ov-file#)) | [Русский](https://github.com/amnezia-vpn/amnezia-client/blob/dev/README_RU.md)
-[Amnezia](https://amnezia.org) is an open-source VPN client, with a key feature that enables you to deploy your own VPN server on your server.
+[Amnezia](https://amnezia.org?utm_source=github&utm_campaign=amnezia_website-readme-en) is an open-source VPN client, with a key feature that enables you to deploy your own VPN server on your server.
 [![Image](https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/uipic4.png)](https://amnezia.org)
-### [Website](https://amnezia.org) | [Alt website link](https://storage.googleapis.com/amnezia/amnezia.org) | [Documentation](https://docs.amnezia.org) | [Troubleshooting](https://docs.amnezia.org/troubleshooting)
+### [Website](https://amnezia.org?utm_source=github&utm_campaign=amnezia_website-readme-en) | [Alt website link](https://storage.googleapis.com/amnezia/amnezia.org?utm_source=github&utm_campaign=amnezia_website-readme-en-mirror) | [Documentation](https://docs.amnezia.org) | [Troubleshooting](https://docs.amnezia.org/troubleshooting)
 > [!TIP]
-> If the [Amnezia website](https://amnezia.org) is blocked in your region, you can use an [Alternative website link](https://storage.googleapis.com/amnezia/amnezia.org ).
+> If the [Amnezia website](https://amnezia.org?utm_source=github&utm_campaign=amnezia_website-readme-en) is blocked in your region, you can use an [Alternative website link](https://storage.googleapis.com/amnezia/amnezia.org?utm_source=github&utm_campaign=amnezia_website-readme-en-mirror).
-<a href="https://amnezia.org/downloads"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/download-website.svg" width="150" style="max-width: 100%; margin-right: 10px"></a>
+<a href="https://amnezia.org/en/downloads?utm_source=github&utm_campaign=amnezia_button-readme-en"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/download-website.svg" width="150" style="max-width: 100%; margin-right: 10px"></a>
-<a href="https://storage.googleapis.com/amnezia/q9p19109"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/download-alt.svg" width="150" style="max-width: 100%;"></a>
+<a href="https://storage.googleapis.com/amnezia/amnezia.org?m-path=/en/downloads&utm_source=github&utm_campaign=amnezia_button-readme-en-mirrow"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/download-alt.svg" width="150" style="max-width: 100%;"></a>
 [All releases](https://github.com/amnezia-vpn/amnezia-client/releases)
@@ -6,16 +6,16 @@
 [![Gitpod ready-to-code](https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/amnezia-vpn/amnezia-client)
 ### [English](https://github.com/amnezia-vpn/amnezia-client/blob/dev/README.md) | Русский
-[AmneziaVPN](https://amnezia.org) — это open source VPN-клиент, ключевая особенность которого заключается в возможности развернуть собственный VPN на вашем сервере.
+[AmneziaVPN](https://amnezia.org?utm_source=github&utm_campaign=amnezia_website-readme-ru) — это open source VPN-клиент, ключевая особенность которого заключается в возможности развернуть собственный VPN на вашем сервере.
 [![Image](https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/uipic4.png)](https://amnezia.org)
-### [Сайт](https://amnezia.org) | [Зеркало сайта](https://storage.googleapis.com/amnezia/amnezia.org) | [Документация](https://docs.amnezia.org) | [Решение проблем](https://docs.amnezia.org/troubleshooting)
+### [Сайт](https://amnezia.org?utm_source=github&utm_campaign=amnezia_website-readme-ru) | [Зеркало сайта](https://storage.googleapis.com/amnezia/amnezia.org?utm_source=github&utm_campaign=amnezia_website-readme-ru-mirror) | [Документация](https://docs.amnezia.org) | [Решение проблем](https://docs.amnezia.org/troubleshooting)
 > [!TIP]
-> Если [сайт Amnezia](https://amnezia.org) заблокирован в вашем регионе, вы можете воспользоваться [ссылкой на зеркало](https://storage.googleapis.com/amnezia/amnezia.org).
+> Если [сайт Amnezia](https://amnezia.org?utm_source=github&utm_campaign=amnezia_website-readme-ru) заблокирован в вашем регионе, вы можете воспользоваться [ссылкой на зеркало](https://storage.googleapis.com/amnezia/amnezia.org?utm_source=github&utm_campaign=amnezia_website-readme-ru-mirror).
-<a href="https://storage.googleapis.com/amnezia/q9p19109"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/download-website-ru.svg" width="150" style="max-width: 100%; margin-right: 10px"></a>
+<a href="https://storage.googleapis.com/amnezia/amnezia.org?m-path=/ru/downloads&utm_source=github&utm_campaign=amnezia_button-readme-ru-mirror"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/download-website-ru.svg" width="150" style="max-width: 100%; margin-right: 10px"></a>
 [Все релизы](https://github.com/amnezia-vpn/amnezia-client/releases)
@@ -3,7 +3,6 @@ cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)
 set(PROJECT AmneziaVPN)
 project(${PROJECT})
 set_property(GLOBAL PROPERTY USE_FOLDERS ON)
 set_property(GLOBAL PROPERTY AUTOGEN_TARGETS_FOLDER "Autogen")
 set_property(GLOBAL PROPERTY AUTOMOC_TARGETS_FOLDER "Autogen")
@@ -31,6 +30,9 @@ add_definitions(-DDEV_AGW_PUBLIC_KEY="$ENV{DEV_AGW_PUBLIC_KEY}")
 add_definitions(-DDEV_AGW_ENDPOINT="$ENV{DEV_AGW_ENDPOINT}")
 add_definitions(-DDEV_S3_ENDPOINT="$ENV{DEV_S3_ENDPOINT}")
 add_definitions(-DFREE_V2_ENDPOINT="$ENV{FREE_V2_ENDPOINT}")
 add_definitions(-DPREM_V1_ENDPOINT="$ENV{PREM_V1_ENDPOINT}")
 if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
    set(PACKAGES ${PACKAGES} Widgets)
 endif()
@@ -50,6 +52,9 @@ endif()
 qt_standard_project_setup()
 qt_add_executable(${PROJECT} MANUAL_FINALIZATION)
 target_include_directories(${PROJECT} PUBLIC
    $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>
 )
 if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
    qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_interface.rep)
@@ -107,6 +112,15 @@ include_directories(
    ${CMAKE_CURRENT_BINARY_DIR}
 )
 if(MACOS_NE)
    message("MACOS_NE is ON")
    add_definitions(-DQ_OS_MAC)
    add_definitions(-DMACOS_NE)
    message("Add macros for MacOS Network Extension")
 else()
    message("MACOS_NE is OFF")
 endif()
 include_directories(mozilla)
 include_directories(mozilla/shared)
 include_directories(mozilla/models)
@@ -136,7 +150,7 @@ if(WIN32)
 endif()
 if(APPLE)
-    cmake_policy(SET CMP0099 OLD)
+    cmake_policy(SET CMP0099 NEW)
    cmake_policy(SET CMP0114 NEW)
    if(NOT BUILD_OSX_APP_IDENTIFIER)
@@ -155,7 +169,6 @@ if(APPLE)
    set(CMAKE_XCODE_GENERATE_SCHEME FALSE)
    set(CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM ${BUILD_VPN_DEVELOPMENT_TEAM})
    set(CMAKE_XCODE_ATTRIBUTE_GROUP_ID_IOS ${BUILD_IOS_GROUP_IDENTIFIER})
 endif()
 if(LINUX AND NOT ANDROID)
@@ -163,8 +176,7 @@ if(LINUX AND NOT ANDROID)
    link_directories(${CMAKE_CURRENT_LIST_DIR}/platforms/linux)
 endif()
-if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
    message("Client desktop build")
    add_compile_definitions(AMNEZIA_DESKTOP)
 endif()
@@ -175,7 +187,9 @@ endif()
 if(IOS)
    include(cmake/ios.cmake)
    include(cmake/ios-arch-fixup.cmake)
-elseif(APPLE AND NOT IOS)
+elseif(APPLE AND MACOS_NE)
    include(cmake/macos_ne.cmake)
 elseif(APPLE)
    include(cmake/osxtools.cmake)
    include(cmake/macos.cmake)
 endif()
@@ -196,7 +210,7 @@ elseif(APPLE AND NOT IOS)
    set(DEPLOY_PLATFORM_PATH "macos")
 endif()
-if(NOT IOS AND NOT ANDROID)
+if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
    add_custom_command(
        TARGET ${PROJECT} POST_BUILD
        COMMAND ${CMAKE_COMMAND} -E $<IF:$<CONFIG:Debug>,copy_directory,true>
@@ -211,7 +225,6 @@ if(NOT IOS AND NOT ANDROID)
        $<TARGET_FILE_DIR:${PROJECT}>
        COMMAND_EXPAND_LISTS
    )
 endif()
 target_sources(${PROJECT} PRIVATE ${SOURCES} ${HEADERS} ${RESOURCES} ${QRC} ${I18NQRC})
@@ -12,6 +12,7 @@
 #include <QTextDocument>
 #include <QTimer>
 #include <QTranslator>
 #include <QEvent>
 #include "logger.h"
 #include "ui/controllers/pageController.h"
@@ -21,8 +22,12 @@
 #include "platforms/ios/QRCodeReaderBase.h"
 #include "protocols/qml_register_protocols.h"
 #include <QtQuick/QQuickWindow>  // for QQuickWindow
 #include <QWindow>              // for qobject_cast<QWindow*>
-AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_CLASS(argc, argv)
+AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_CLASS(argc, argv),
      m_optAutostart({QStringLiteral("a"), QStringLiteral("autostart")}, QStringLiteral("System autostart")),
      m_optCleanup  ({QStringLiteral("c"), QStringLiteral("cleanup")}, QStringLiteral("Cleanup logs"))
 {
    setQuitOnLastWindowClosed(false);
@@ -48,8 +53,17 @@ AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_C
 AmneziaApplication::~AmneziaApplication()
 {
    if (m_vpnConnection) {
        QMetaObject::invokeMethod(m_vpnConnection.get(), "disconnectFromVpn", Qt::QueuedConnection);
        QMetaObject::invokeMethod(m_vpnConnection.get(), "deleteLater", Qt::QueuedConnection);
    }
    m_vpnConnectionThread.quit();
-    m_vpnConnectionThread.wait(3000);
+
    if (!m_vpnConnectionThread.wait(5000)) {
        m_vpnConnectionThread.terminate();
        m_vpnConnectionThread.wait();
    }
    if (m_engine) {
        QObject::disconnect(m_engine, 0, 0, 0);
@@ -63,15 +77,28 @@ void AmneziaApplication::init()
    const QUrl url(QStringLiteral("qrc:/ui/qml/main2.qml"));
    QObject::connect(
-            m_engine, &QQmlApplicationEngine::objectCreated, this,
+        m_engine, &QQmlApplicationEngine::objectCreated, this,
-            [url](QObject *obj, const QUrl &objUrl) {
+        [this, url](QObject *obj, const QUrl &objUrl) {
-                if (!obj && url == objUrl)
+            if (!obj && url == objUrl) {
-                    QCoreApplication::exit(-1);
+                QCoreApplication::exit(-1);
-            },
+                return;
-            Qt::QueuedConnection);
+            }
            // install filter on main window
            if (auto win = qobject_cast<QQuickWindow*>(obj)) {
                win->installEventFilter(this);
                win->show();
            }
        },
        Qt::QueuedConnection);
    m_engine->rootContext()->setContextProperty("Debug", &Logger::Instance());
 #ifdef MACOS_NE
    m_engine->rootContext()->setContextProperty("IsMacOsNeBuild", true);
 #else
    m_engine->rootContext()->setContextProperty("IsMacOsNeBuild", false);
 #endif
    m_vpnConnection.reset(new VpnConnection(m_settings));
    m_vpnConnection->moveToThread(&m_vpnConnectionThread);
    m_vpnConnectionThread.start();
@@ -94,7 +121,7 @@ void AmneziaApplication::init()
    Logger::setServiceLogsEnabled(enabled);
 #ifdef Q_OS_WIN //TODO
-    if (m_parser.isSet("a"))
+    if (m_parser.isSet(m_optAutostart))
        m_coreController->pageController()->showOnStartup();
    else
        emit m_coreController->pageController()->raiseMainWindow();
@@ -162,15 +189,12 @@ bool AmneziaApplication::parseCommands()
    m_parser.addHelpOption();
    m_parser.addVersionOption();
-    QCommandLineOption c_autostart { { "a", "autostart" }, "System autostart" };
+    m_parser.addOption(m_optAutostart);
-    m_parser.addOption(c_autostart);
+    m_parser.addOption(m_optCleanup);
    QCommandLineOption c_cleanup { { "c", "cleanup" }, "Cleanup logs" };
    m_parser.addOption(c_cleanup);
    m_parser.process(*this);
-    if (m_parser.isSet(c_cleanup)) {
+    if (m_parser.isSet(m_optCleanup)) {
        Logger::cleanUp();
        QTimer::singleShot(100, this, [this] { quit(); });
        exec();
@@ -179,9 +203,8 @@ bool AmneziaApplication::parseCommands()
    return true;
 }
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
-void AmneziaApplication::startLocalServer()
+void AmneziaApplication::startLocalServer() {
 {
    const QString serverName("AmneziaVPNInstance");
    QLocalServer::removeServer(serverName);
@@ -198,6 +221,22 @@ void AmneziaApplication::startLocalServer()
 }
 #endif
 bool AmneziaApplication::eventFilter(QObject *watched, QEvent *event)
 {
    if (event->type() == QEvent::Close) {
 #if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
        quit();
 #else
        if (m_coreController && m_coreController->pageController()) {
            m_coreController->pageController()->hideMainWindow();
        }
 #endif
        return true; // eat the close
    }
    // call base QObject::eventFilter
    return QObject::eventFilter(watched, event);
 }
 QQmlApplicationEngine *AmneziaApplication::qmlEngine() const
 {
    return m_engine;
@@ -7,9 +7,9 @@
 #include <QQmlContext>
 #include <QThread>
 #if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
-    #include <QGuiApplication>
+  #include <QGuiApplication>
 #else
-    #include <QApplication>
+  #include <QApplication>
 #endif
 #include <QClipboard>
@@ -20,9 +20,9 @@
 #define amnApp (static_cast<AmneziaApplication *>(QCoreApplication::instance()))
 #if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
-    #define AMNEZIA_BASE_CLASS QGuiApplication
+  #define AMNEZIA_BASE_CLASS QGuiApplication
 #else
-    #define AMNEZIA_BASE_CLASS QApplication
+  #define AMNEZIA_BASE_CLASS QApplication
 #endif
 class AmneziaApplication : public AMNEZIA_BASE_CLASS
@@ -37,7 +37,7 @@ public:
    void loadFonts();
    bool parseCommands();
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
    void startLocalServer();
 #endif
@@ -56,10 +56,15 @@ private:
    QCommandLineParser m_parser;
    QCommandLineOption m_optAutostart;
    QCommandLineOption m_optCleanup;
    QSharedPointer<VpnConnection> m_vpnConnection;
    QThread m_vpnConnectionThread;
    QNetworkAccessManager *m_nam;
 protected:
    bool eventFilter(QObject *watched, QEvent *event) override;
 };
 #endif // AMNEZIA_APPLICATION_H
@@ -10,6 +10,8 @@ import java.nio.channels.FileChannel
 import java.nio.channels.FileLock
 import java.time.LocalDateTime
 import java.time.format.DateTimeFormatter
 import java.time.ZonedDateTime
 import java.time.ZoneOffset
 import java.util.concurrent.locks.ReentrantLock
 import org.amnezia.vpn.util.Log.Priority.D
 import org.amnezia.vpn.util.Log.Priority.E
@@ -135,8 +137,8 @@ object Log {
    }
    private fun formatLogMsg(tag: String, msg: String, priority: Priority): String {
-        val date = LocalDateTime.now().format(dateTimeFormat)
+        val utcDate = ZonedDateTime.now(ZoneOffset.UTC).format(dateTimeFormat)
-        return "$date ${Process.myPid()} ${Process.myTid()} $priority [${Thread.currentThread().name}] " +
+        return "${utcDate}Z ${Process.myPid()} ${Process.myTid()} $priority [${Thread.currentThread().name}] " +
            "$tag: $msg\n"
    }
@@ -120,10 +120,21 @@ open class Wireguard : Protocol() {
        configData.optStringOrNull("Jmax")?.let { setJmax(it.toInt()) }
        configData.optStringOrNull("S1")?.let { setS1(it.toInt()) }
        configData.optStringOrNull("S2")?.let { setS2(it.toInt()) }
        configData.optStringOrNull("S3")?.let { setS3(it.toInt()) }
        configData.optStringOrNull("S4")?.let { setS4(it.toInt()) }
        configData.optStringOrNull("H1")?.let { setH1(it.toLong()) }
        configData.optStringOrNull("H2")?.let { setH2(it.toLong()) }
        configData.optStringOrNull("H3")?.let { setH3(it.toLong()) }
        configData.optStringOrNull("H4")?.let { setH4(it.toLong()) }
        configData.optStringOrNull("I1")?.let { setI1(it) }
        configData.optStringOrNull("I2")?.let { setI2(it) }
        configData.optStringOrNull("I3")?.let { setI3(it) }
        configData.optStringOrNull("I4")?.let { setI4(it) }
        configData.optStringOrNull("I5")?.let { setI5(it) }
        configData.optStringOrNull("J1")?.let { setJ1(it) }
        configData.optStringOrNull("J2")?.let { setJ2(it) }
        configData.optStringOrNull("J3")?.let { setJ3(it) }
        configData.optStringOrNull("Itime")?.let { setItime(it.toInt()) }
    }
    private fun start(config: WireguardConfig, vpnBuilder: Builder, protect: (Int) -> Boolean) {
@@ -20,10 +20,21 @@ open class WireguardConfig protected constructor(
    val jmax: Int?,
    val s1: Int?,
    val s2: Int?,
    val s3: Int?,
    val s4: Int?,
    val h1: Long?,
    val h2: Long?,
    val h3: Long?,
-    val h4: Long?
+    val h4: Long?,
    var i1: String?,
    var i2: String?,
    var i3: String?,
    var i4: String?,
    var i5: String?,
    var j1: String?,
    var j2: String?,
    var j3: String?,
    var itime: Int?
 ) : ProtocolConfig(protocolConfigBuilder) {
    protected constructor(builder: Builder) : this(
@@ -39,10 +50,21 @@ open class WireguardConfig protected constructor(
        builder.jmax,
        builder.s1,
        builder.s2,
        builder.s3,
        builder.s4,
        builder.h1,
        builder.h2,
        builder.h3,
-        builder.h4
+        builder.h4,
        builder.i1,
        builder.i2,
        builder.i3,
        builder.i4,
        builder.i5,
        builder.j1,
        builder.j2,
        builder.j3,
        builder.itime
    )
    fun toWgUserspaceString(): String = with(StringBuilder()) {
@@ -61,10 +83,21 @@ open class WireguardConfig protected constructor(
            appendLine("jmax=$jmax")
            appendLine("s1=$s1")
            appendLine("s2=$s2")
            s3?.let { appendLine("s3=$it") }
            s4?.let { appendLine("s4=$it") }
            appendLine("h1=$h1")
            appendLine("h2=$h2")
            appendLine("h3=$h3")
            appendLine("h4=$h4")
            i1?.let { appendLine("i1=$it") }
            i2?.let { appendLine("i2=$it") }
            i3?.let { appendLine("i3=$it") }
            i4?.let { appendLine("i4=$it") }
            i5?.let { appendLine("i5=$it") }
            j1?.let { appendLine("j1=$it") }
            j2?.let { appendLine("j2=$it") }
            j3?.let { appendLine("j3=$it") }
            itime?.let { appendLine("itime=$it") }
        }
    }
@@ -117,10 +150,21 @@ open class WireguardConfig protected constructor(
        internal var jmax: Int? = null
        internal var s1: Int? = null
        internal var s2: Int? = null
        internal var s3: Int? = null
        internal var s4: Int? = null
        internal var h1: Long? = null
        internal var h2: Long? = null
        internal var h3: Long? = null
        internal var h4: Long? = null
        internal var i1: String? = null
        internal var i2: String? = null
        internal var i3: String? = null
        internal var i4: String? = null
        internal var i5: String? = null
        internal var j1: String? = null
        internal var j2: String? = null
        internal var j3: String? = null
        internal var itime: Int? = null
        fun setEndpoint(endpoint: InetEndpoint) = apply { this.endpoint = endpoint }
@@ -139,10 +183,21 @@ open class WireguardConfig protected constructor(
        fun setJmax(jmax: Int) = apply { this.jmax = jmax }
        fun setS1(s1: Int) = apply { this.s1 = s1 }
        fun setS2(s2: Int) = apply { this.s2 = s2 }
        fun setS3(s3: Int) = apply { this.s3 = s3 }
        fun setS4(s4: Int) = apply { this.s4 = s4 }
        fun setH1(h1: Long) = apply { this.h1 = h1 }
        fun setH2(h2: Long) = apply { this.h2 = h2 }
        fun setH3(h3: Long) = apply { this.h3 = h3 }
        fun setH4(h4: Long) = apply { this.h4 = h4 }
        fun setI1(i1: String) = apply { this.i1 = i1 }
        fun setI2(i2: String) = apply { this.i2 = i2 }
        fun setI3(i3: String) = apply { this.i3 = i3 }
        fun setI4(i4: String) = apply { this.i4 = i4 }
        fun setI5(i5: String) = apply { this.i5 = i5 }
        fun setJ1(j1: String) = apply { this.j1 = j1 }
        fun setJ2(j2: String) = apply { this.j2 = j2 }
        fun setJ3(j3: String) = apply { this.j3 = j3 }
        fun setItime(itime: Int) = apply { this.itime = itime }
        override fun build(): WireguardConfig = configBuild().run { WireguardConfig(this@Builder) }
    }
@@ -27,9 +27,15 @@ if(WIN32)
        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libcrypto.lib")
    endif()
 elseif(APPLE AND NOT IOS)
-    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libssh.a")
+    if(MACOS_NE)
-    set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libz.a")
+        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libssh.a")
-    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/x86_64")
+        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libz.a")
        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/universal2")
    else()
        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libssh.a")
        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libz.a")
        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/x86_64")
    endif()
    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/macos/include")
    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libssl.a")
    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libcrypto.a")
@@ -76,8 +76,22 @@ set_target_properties(${PROJECT} PROPERTIES
    XCODE_LINK_BUILD_PHASE_MODE KNOWN_LOCATION
    XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/Frameworks"
    XCODE_EMBED_APP_EXTENSIONS networkextension
    XCODE_ATTRIBUTE_CODE_SIGN_STYLE Automatic
 )
 if(DEFINED DEPLOY)
    set_target_properties(${PROJECT} PROPERTIES
        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Distribution"
        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY[variant=Debug] "Apple Development"
        XCODE_ATTRIBUTE_CODE_SIGN_STYLE Manual
        XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER "distr ios.org.amnezia.AmneziaVPN"
        XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER[variant=Debug] "dev ios.org.amnezia.AmneziaVPN"
    )
 else()
    set_target_properties(${PROJECT} PROPERTIES
        XCODE_ATTRIBUTE_CODE_SIGN_STYLE Automatic
    )
 endif()
 set_target_properties(${PROJECT} PROPERTIES
    XCODE_ATTRIBUTE_SWIFT_VERSION "5.0"
    XCODE_ATTRIBUTE_CLANG_ENABLE_MODULES "YES"
@@ -14,11 +14,15 @@ set(LIBS ${LIBS}
    ${FW_SECURITY}
    ${FW_COREWLAN}
    ${FW_NETWORK}
-    ${FW_USERNOTIFICATIONS}
+    ${FW_USER_NOTIFICATIONS}
    ${FW_NETWORK_EXTENSION}
 )
-set_target_properties(${PROJECT} PROPERTIES MACOSX_BUNDLE TRUE)
+set_target_properties(${PROJECT} PROPERTIES 
    MACOSX_BUNDLE TRUE
    MACOSX_BUNDLE_SHORT_VERSION_STRING "${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH}"
    MACOSX_BUNDLE_BUNDLE_VERSION "${CMAKE_PROJECT_VERSION_TWEAK}"
 )
 set(CMAKE_OSX_ARCHITECTURES "x86_64" CACHE INTERNAL "" FORCE)
 set(CMAKE_OSX_DEPLOYMENT_TARGET 10.15)
@@ -31,6 +35,8 @@ set(SOURCES ${SOURCES}
    ${CMAKE_CURRENT_SOURCE_DIR}/ui/macos_util.mm
 )
 set(ICON_FILE ${CMAKE_CURRENT_SOURCE_DIR}/images/app.icns)
 set(MACOSX_BUNDLE_ICON_FILE app.icns)
 set_source_files_properties(${ICON_FILE} PROPERTIES MACOSX_PACKAGE_LOCATION Resources)
@@ -49,4 +55,3 @@ execute_process(
 )
 message("OSX_SDK_PATH is: ${OSX_SDK_PATH}")
@@ -0,0 +1,168 @@
 message("Client ==> MacOS NE build")
 set_target_properties(${PROJECT} PROPERTIES MACOSX_BUNDLE TRUE)
 set(CMAKE_OSX_DEPLOYMENT_TARGET 10.15)
 set(APPLE_PROJECT_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
 enable_language(OBJC)
 enable_language(Swift)
 find_package(Qt6 REQUIRED COMPONENTS ShaderTools Widgets)
 # Link Qt Widgets for QWidget, QMenu, QAction etc.
 set(LIBS ${LIBS} Qt6::ShaderTools Qt6::Widgets)
 find_library(FW_AUTHENTICATIONSERVICES AuthenticationServices)
 find_library(FW_AVFOUNDATION AVFoundation)
 find_library(FW_FOUNDATION Foundation)
 find_library(FW_STOREKIT StoreKit)
 find_library(FW_SERVICEMGMT ServiceManagement)
 find_library(FW_USERNOTIFICATIONS UserNotifications)
 find_library(FW_NETWORKEXTENSION NetworkExtension)
 set(LIBS ${LIBS}
    ${FW_AUTHENTICATIONSERVICES}
    ${FW_AVFOUNDATION}
    ${FW_FOUNDATION}
    ${FW_STOREKIT}
    ${FW_SERVICEMGMT}
    ${FW_USERNOTIFICATIONS}
    ${FW_NETWORKEXTENSION}
 )
 set(HEADERS ${HEADERS}
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate-C-Interface.h
 )
 set_source_files_properties(${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h PROPERTIES OBJECTIVE_CPP_HEADER TRUE)
 set(SOURCES ${SOURCES}
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosglue.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QRCodeReaderBase.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.mm
 )
 set(ICON_FILE ${CMAKE_CURRENT_SOURCE_DIR}/images/app.icns)
 set(MACOSX_BUNDLE_ICON_FILE app.icns)
 set_source_files_properties(${ICON_FILE} PROPERTIES MACOSX_PACKAGE_LOCATION Resources)
 set(SOURCES ${SOURCES} ${ICON_FILE})
 target_include_directories(${PROJECT} PRIVATE
    ${Qt6Gui_PRIVATE_INCLUDE_DIRS}
    ${Qt6Widgets_PRIVATE_INCLUDE_DIRS}
 )
 set_target_properties(${PROJECT} PROPERTIES
    XCODE_LINK_BUILD_PHASE_MODE KNOWN_LOCATION
    MACOSX_BUNDLE_INFO_PLIST ${CMAKE_CURRENT_SOURCE_DIR}/macos/app/Info.plist.in
    MACOSX_BUNDLE_ICON_FILE "AppIcon"
    MACOSX_BUNDLE_INFO_STRING "AmneziaVPN"
    MACOSX_BUNDLE_BUNDLE_NAME "AmneziaVPN"
    MACOSX_BUNDLE_BUNDLE_VERSION "${CMAKE_PROJECT_VERSION_TWEAK}"
    MACOSX_BUNDLE_LONG_VERSION_STRING "${APPLE_PROJECT_VERSION}-${CMAKE_PROJECT_VERSION_TWEAK}"
    MACOSX_BUNDLE_SHORT_VERSION_STRING "${APPLE_PROJECT_VERSION}"
    XCODE_ATTRIBUTE_PRODUCT_BUNDLE_IDENTIFIER "${BUILD_IOS_APP_IDENTIFIER}"
    XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "${CMAKE_CURRENT_SOURCE_DIR}/macos/app/app.entitlements"
    XCODE_ATTRIBUTE_MARKETING_VERSION "${APPLE_PROJECT_VERSION}"
    XCODE_ATTRIBUTE_CURRENT_PROJECT_VERSION "${CMAKE_PROJECT_VERSION_TWEAK}"
    XCODE_ATTRIBUTE_PRODUCT_NAME "AmneziaVPN"
    XCODE_ATTRIBUTE_BUNDLE_INFO_STRING "AmneziaVPN"
    XCODE_GENERATE_SCHEME TRUE
    XCODE_ATTRIBUTE_ENABLE_BITCODE "NO"
    XCODE_ATTRIBUTE_ASSETCATALOG_COMPILER_APPICON_NAME "AppIcon"
    XCODE_ATTRIBUTE_TARGETED_DEVICE_FAMILY "1,2"
    XCODE_EMBED_FRAMEWORKS_CODE_SIGN_ON_COPY "NO"
    XCODE_EMBED_FRAMEWORKS_REMOVE_HEADERS_ON_COPY "YES"
    XCODE_ATTRIBUTE_MACOSX_DEPLOYMENT_TARGET "11.0"
    XCODE_LINK_BUILD_PHASE_MODE KNOWN_LOCATION
    XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/../Frameworks"
    XCODE_EMBED_APP_EXTENSIONS AmneziaVPNNetworkExtension
 )
 if(DEPLOY)
    set_target_properties(${PROJECT} PROPERTIES
        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Distribution"
        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY[variant=Debug] "Apple Development"
        XCODE_ATTRIBUTE_CODE_SIGN_STYLE Manual
        XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER "distr macos.org.amnezia.AmneziaVPN"
        XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER[variant=Debug] "dev macos.org.amnezia.AmneziaVPN"
    )
 else()
    set_target_properties(${PROJECT} PROPERTIES
        XCODE_ATTRIBUTE_CODE_SIGN_STYLE Automatic
    )
 endif()
 set_target_properties(${PROJECT} PROPERTIES
    XCODE_ATTRIBUTE_SWIFT_VERSION "5.0"
    XCODE_ATTRIBUTE_CLANG_ENABLE_MODULES "YES"
    XCODE_ATTRIBUTE_SWIFT_PRECOMPILE_BRIDGING_HEADER "NO"
    XCODE_ATTRIBUTE_SWIFT_OBJC_INTERFACE_HEADER_NAME "AmneziaVPN-Swift.h"
    XCODE_ATTRIBUTE_SWIFT_OBJC_INTEROP_MODE "objcxx"
 )
 set_target_properties(${PROJECT} PROPERTIES
    XCODE_ATTRIBUTE_DEVELOPMENT_TEAM "X7UJ388FXK"
 )
 target_include_directories(${PROJECT} PRIVATE ${CMAKE_CURRENT_LIST_DIR})
 target_compile_options(${PROJECT} PRIVATE
    -DGROUP_ID=\"${BUILD_IOS_GROUP_IDENTIFIER}\"
    -DVPN_NE_BUNDLEID=\"${BUILD_IOS_APP_IDENTIFIER}.network-extension\"
 )
 set(WG_APPLE_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/3rd/amneziawg-apple/Sources)
 target_sources(${PROJECT} PRIVATE
    ${WG_APPLE_SOURCE_DIR}/WireGuardKitC/x25519.c
    ${CLIENT_ROOT_DIR}/platforms/ios/LogController.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/Log.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/ScreenProtection.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
 )
 target_sources(${PROJECT} PRIVATE
    ${CMAKE_CURRENT_SOURCE_DIR}/macos/app/Images.xcassets
    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
 )
 set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
    ${CMAKE_CURRENT_SOURCE_DIR}/macos/app/Images.xcassets
    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
 )
 add_subdirectory(macos/networkextension)
 add_dependencies(${PROJECT} AmneziaVPNNetworkExtension)
 get_target_property(QtCore_location Qt6::Core LOCATION)
 message("QtCore_location")
 message(${QtCore_location})
 get_filename_component(QT_BIN_DIR_DETECTED "${QtCore_location}/../../../../../bin" ABSOLUTE)
 set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
    "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos/OpenVPNAdapter.framework"
 )
 set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos)
 target_link_libraries("AmneziaVPNNetworkExtension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos/OpenVPNAdapter.framework")
 add_custom_command(TARGET ${PROJECT} POST_BUILD
    COMMAND ${CMAKE_COMMAND} -E make_directory
            $<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks
    COMMAND /usr/bin/find "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework" -name "*.sha256" -delete
    COMMAND /usr/bin/codesign --force --sign "Apple Distribution"
            "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework/Versions/Current/OpenVPNAdapter"
    COMMAND ${QT_BIN_DIR_DETECTED}/macdeployqt $<TARGET_BUNDLE_DIR:AmneziaVPN> -appstore-compliant -qmldir=${CMAKE_CURRENT_SOURCE_DIR}
    COMMENT "Signing OpenVPNAdapter framework"
 )
@@ -38,7 +38,7 @@ set(HEADERS ${HEADERS}
    ${CLIENT_ROOT_DIR}/mozilla/controllerimpl.h
 )
-if(NOT IOS)
+if(NOT IOS AND NOT MACOS_NE)
    set(HEADERS ${HEADERS}
        ${CLIENT_ROOT_DIR}/platforms/ios/QRCodeReaderBase.h
    )
@@ -87,12 +87,26 @@ set(SOURCES ${SOURCES}
    ${CLIENT_ROOT_DIR}/mozilla/shared/leakdetector.cpp
 )
-if(NOT IOS)
+if(NOT IOS AND NOT MACOS_NE)
    set(SOURCES ${SOURCES}
        ${CLIENT_ROOT_DIR}/platforms/ios/QRCodeReaderBase.cpp
    )
 endif()
 # Include native macOS platform helpers (dock/status-item)
 if(APPLE AND NOT IOS)
    list(APPEND HEADERS
        ${CLIENT_ROOT_DIR}/platforms/macos/macosutils.h
        ${CLIENT_ROOT_DIR}/platforms/macos/macosstatusicon.h
        ${CLIENT_ROOT_DIR}/ui/macos_util.h
    )
    list(APPEND SOURCES
        ${CLIENT_ROOT_DIR}/platforms/macos/macosutils.mm
        ${CLIENT_ROOT_DIR}/platforms/macos/macosstatusicon.mm
        ${CLIENT_ROOT_DIR}/ui/macos_util.mm
    )
 endif()
 if(NOT ANDROID)
    set(SOURCES ${SOURCES}
        ${CLIENT_ROOT_DIR}/ui/notificationhandler.cpp
@@ -1,4 +1,5 @@
 #include "awg_configurator.h"
 #include "protocols/protocols_defs.h"
 #include <QJsonDocument>
 #include <QJsonObject>
@@ -39,6 +40,20 @@ QString AwgConfigurator::createConfig(const ServerCredentials &credentials, Dock
    jsonConfig[config_key::responsePacketMagicHeader] = configMap.value(config_key::responsePacketMagicHeader);
    jsonConfig[config_key::underloadPacketMagicHeader] = configMap.value(config_key::underloadPacketMagicHeader);
    jsonConfig[config_key::transportPacketMagicHeader] = configMap.value(config_key::transportPacketMagicHeader);
    // jsonConfig[config_key::cookieReplyPacketJunkSize] = configMap.value(config_key::cookieReplyPacketJunkSize);
    // jsonConfig[config_key::transportPacketJunkSize] = configMap.value(config_key::transportPacketJunkSize);
    // jsonConfig[config_key::specialJunk1] = configMap.value(amnezia::config_key::specialJunk1);
    // jsonConfig[config_key::specialJunk2] = configMap.value(amnezia::config_key::specialJunk2);
    // jsonConfig[config_key::specialJunk3] = configMap.value(amnezia::config_key::specialJunk3);
    // jsonConfig[config_key::specialJunk4] = configMap.value(amnezia::config_key::specialJunk4);
    // jsonConfig[config_key::specialJunk5] = configMap.value(amnezia::config_key::specialJunk5);
    // jsonConfig[config_key::controlledJunk1] = configMap.value(amnezia::config_key::controlledJunk1);
    // jsonConfig[config_key::controlledJunk2] = configMap.value(amnezia::config_key::controlledJunk2);
    // jsonConfig[config_key::controlledJunk3] = configMap.value(amnezia::config_key::controlledJunk3);
    // jsonConfig[config_key::specialHandshakeTimeout] = configMap.value(amnezia::config_key::specialHandshakeTimeout);
    jsonConfig[config_key::mtu] =
            containerConfig.value(ProtocolProps::protoToString(Proto::Awg)).toObject().value(config_key::mtu).toString(protocols::awg::defaultMtu);
@@ -13,10 +13,10 @@
    #include <QApplication>
 #endif
 #include "core/networkUtilities.h"
 #include "containers/containers_defs.h"
 #include "core/controllers/serverController.h"
 #include "core/scripts_registry.h"
 #include "core/server_defs.h"
 #include "settings.h"
 #include "utilities.h"
@@ -24,6 +24,7 @@
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 OpenVpnConfigurator::OpenVpnConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
                                         QObject *parent)
    : ConfiguratorBase(settings, serverController, parent)
@@ -117,22 +118,22 @@ QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString,
        QRegularExpression regex("redirect-gateway.*");
        config.replace(regex, "");
        // We don't use secondary DNS if primary DNS is AmneziaDNS
        if (dns.first.contains(protocols::dns::amneziaDnsIp)) {
            QRegularExpression dnsRegex("dhcp-option DNS " + dns.second);
            config.replace(dnsRegex, "");
        }
        if (!m_settings->isSitesSplitTunnelingEnabled()) {
            config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
            // Prevent ipv6 leak
            config.append("ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1\n");
 #endif
            config.append("block-ipv6\n");
        } else if (m_settings->routeMode() == Settings::VpnOnlyForwardSites) {
-            // no redirect-gateway
+               // no redirect-gateway
        } else if (m_settings->routeMode() == Settings::VpnAllExceptSites) {
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
            config.append("\nredirect-gateway ipv6 !ipv4 bypass-dhcp\n");
            // Prevent ipv6 leak
            config.append("ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1\n");
 #endif
            config.append("block-ipv6\n");
        }
@@ -166,10 +167,15 @@ QString OpenVpnConfigurator::processConfigWithExportSettings(const QPair<QString
    QRegularExpression regex("redirect-gateway.*");
    config.replace(regex, "");
    // We don't use secondary DNS if primary DNS is AmneziaDNS
    if (dns.first.contains(protocols::dns::amneziaDnsIp)) {
        QRegularExpression dnsRegex("dhcp-option DNS " + dns.second);
        config.replace(dnsRegex, "");
    }
    config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");
    // Prevent ipv6 leak
    config.append("ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1\n");
    config.append("block-ipv6\n");
    // remove block-outside-dns for all exported configs
@@ -8,7 +8,7 @@
 #include <QTemporaryFile>
 #include <QThread>
 #include <qtimer.h>
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
    #include <QGuiApplication>
 #else
    #include <QApplication>
@@ -24,7 +24,7 @@ SshConfigurator::SshConfigurator(std::shared_ptr<Settings> settings, const QShar
 QString SshConfigurator::convertOpenSShKey(const QString &key)
 {
-#ifndef Q_OS_IOS
+#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
    QProcess p;
    p.setProcessChannelMode(QProcess::MergedChannels);
@@ -67,9 +67,10 @@ QString SshConfigurator::convertOpenSShKey(const QString &key)
 #endif
 }
 // DEAD CODE.
 void SshConfigurator::openSshTerminal(const ServerCredentials &credentials)
 {
-#ifndef Q_OS_IOS
+#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
    QProcess *p = new QProcess();
    p->setProcessChannelMode(QProcess::SeparateChannels);
@@ -101,7 +102,7 @@ QProcessEnvironment SshConfigurator::prepareEnv()
    pathEnvVar.clear();
    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\cygwin;");
    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\openvpn;");
-#elif defined(Q_OS_MACX)
+#elif defined(Q_OS_MACX) && !defined(MACOS_NE)
    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "/Contents/MacOS");
 #endif
@@ -140,98 +140,83 @@ QMap<DockerContainer, QString> ContainerProps::containerDetailedDescriptions()
 {
    return {
        { DockerContainer::OpenVpn,
-          QObject::tr(
+          QObject::tr("OpenVPN is one of the most popular and reliable VPN protocols. "
-                  "OpenVPN stands as one of the most popular and time-tested VPN protocols available.\n"
+                      "It uses SSL/TLS encryption, supports a wide variety of devices and operating systems, "
-                  "It employs its unique security protocol, "
+                      "and is continuously improved by the community due to its open-source nature. "
-                  "leveraging the strength of SSL/TLS for encryption and key exchange. "
+                      "It provides a good balance between speed and security but is easily recognized by DPI systems, "
-                  "Furthermore, OpenVPN's support for a multitude of authentication methods makes it versatile and adaptable, "
+                      "making it susceptible to blocking.\n"
-                  "catering to a wide range of devices and operating systems. "
+                      "\nFeatures:\n"
-                  "Due to its open-source nature, OpenVPN benefits from extensive scrutiny by the global community, "
+                      "* Available on all AmneziaVPN platforms\n"
-                  "which continually reinforces its security. "
+                      "* Normal battery consumption on mobile devices\n"
-                  "With a strong balance of performance, security, and compatibility, "
+                      "* Flexible customization for various devices and OS\n"
-                  "OpenVPN remains a top choice for privacy-conscious individuals and businesses alike.\n\n"
+                      "* Operates over both TCP and UDP protocols") },
                  "* Available in the AmneziaVPN across all platforms\n"
                  "* Normal power consumption on mobile devices\n"
                  "* Flexible customisation to suit user needs to work with different operating systems and devices\n"
                  "* Recognised by DPI systems and therefore susceptible to blocking\n"
                  "* Can operate over both TCP and UDP network protocols.") },
        { DockerContainer::ShadowSocks,
-          QObject::tr("Shadowsocks, inspired by the SOCKS5 protocol, safeguards the connection using the AEAD cipher. "
+          QObject::tr("Shadowsocks is based on the SOCKS5 protocol and encrypts connections using AEAD cipher. "
-                      "Although Shadowsocks is designed to be discreet and challenging to identify, it isn't identical to a standard HTTPS connection."
+                      "Although designed to be discreet, it doesn't mimic a standard HTTPS connection and can be detected by some DPI systems. "
-                      "However, certain traffic analysis systems might still detect a Shadowsocks connection. "
+                      "Due to limited support in Amnezia, we recommend using the AmneziaWG protocol.\n"
-                      "Due to limited support in Amnezia, it's recommended to use AmneziaWG protocol.\n\n"
+                      "\nFeatures:\n"
-                      "* Available in the AmneziaVPN only on desktop platforms\n"
+                      "* Available in AmneziaVPN only on desktop platforms\n"
-                      "* Configurable encryption protocol\n"
+                      "* Customizable encryption protocol\n"
                      "* Detectable by some DPI systems\n"
-                      "* Works over TCP network protocol.") },
+                      "* Operates over TCP protocol\n") },
        { DockerContainer::Cloak,
-          QObject::tr("This is a combination of the OpenVPN protocol and the Cloak plugin designed specifically for "
+          QObject::tr("This combination includes the OpenVPN protocol and the Cloak plugin, specifically designed to protect against blocking.\n"
-                      "protecting against detection.\n\n"
+                      "\nOpenVPN securely encrypts all internet traffic between your device and the server.\n"
-                      "OpenVPN provides a secure VPN connection by encrypting all internet traffic between the client "
+                      "\nThe Cloak plugin further protects the connection from DPI detection. "
-                      "and the server.\n\n"
+                      "It modifies traffic metadata to disguise VPN traffic as regular web traffic and prevents detection through active probing. "
-                      "Cloak protects OpenVPN from detection. \n\n"
+                      "If an incoming connection fails authentication, Cloak serves a fake website, making your VPN invisible to traffic analysis systems.\n"
-                      "Cloak can modify packet metadata so that it completely masks VPN traffic as normal web traffic, "
+                      "\nIn regions with heavy internet censorship, we strongly recommend using OpenVPN with Cloak from your first connection.\n"
-                      "and also protects the VPN from detection by Active Probing. This makes it very resistant to "
+                      "\nFeatures:\n"
-                      "being detected\n\n"
+                      "* Available on all AmneziaVPN platforms\n"
                      "Immediately after receiving the first data packet, Cloak authenticates the incoming connection. "
                      "If authentication fails, the plugin masks the server as a fake website and your VPN becomes "
                      "invisible to analysis systems.\n\n"
                      "* Available in the AmneziaVPN across all platforms\n"
                      "* High power consumption on mobile devices\n"
-                      "* Flexible settings\n"
+                      "* Flexible configuration options\n"
-                      "* Not recognised by detection systems\n"
+                      "* Undetectable by DPI systems\n"
-                      "* Works over TCP network protocol, 443 port.\n") },
+                      "* Operates over TCP protocol on port 443") },
        { DockerContainer::WireGuard,
-          QObject::tr("A relatively new popular VPN protocol with a simplified architecture.\n"
+          QObject::tr("WireGuard is a modern, streamlined VPN protocol offering stable connectivity and excellent performance across all devices. "
-                      "WireGuard provides stable VPN connection and high performance on all devices. It uses hard-coded encryption "
+                      "It uses fixed encryption settings, delivering lower latency and higher data transfer speeds compared to OpenVPN. "
-                      "settings. WireGuard compared to OpenVPN has lower latency and better data transfer throughput.\n"
+                      "However, WireGuard is easily identifiable by DPI systems due to its distinctive packet signatures, making it susceptible to blocking.\n"
-                      "WireGuard is very susceptible to detection and blocking due to its distinct packet signatures. "
+                      "\nFeatures:\n"
-                      "Unlike some other VPN protocols that employ obfuscation techniques, "
+                      "* Available on all AmneziaVPN platforms\n"
-                      "the consistent signature patterns of WireGuard packets can be more easily identified and "
+                      "* Low power consumption on mobile devices\n"
-                      "thus blocked by advanced Deep Packet Inspection (DPI) systems and other network monitoring tools.\n\n"
+                      "* Minimal configuration required\n"
-                      "* Available in the AmneziaVPN across all platforms\n"
+                      "* Easily detected by DPI systems (susceptible to blocking)\n"
-                      "* Low power consumption\n"
+                      "* Operates over UDP protocol") },
                      "* Minimum number of settings\n"
                      "* Easily recognised by DPI analysis systems, susceptible to blocking\n"
                      "* Works over UDP network protocol.") },
        { DockerContainer::Awg,
-          QObject::tr("A modern iteration of the popular VPN protocol, "
+          QObject::tr("AmneziaWG is a modern VPN protocol based on WireGuard, "
-                      "AmneziaWG builds upon the foundation set by WireGuard, "
+                      "combining simplified architecture with high performance across all devices. "
-                      "retaining its simplified architecture and high-performance capabilities across devices.\n"
+                      "It addresses WireGuard's main vulnerability (easy detection by DPI systems) through advanced obfuscation techniques, "
-                      "While WireGuard is known for its efficiency, "
+                      "making VPN traffic indistinguishable from regular internet traffic.\n"
-                      "it had issues with being easily detected due to its distinct packet signatures. "
+                      "\nAmneziaWG is an excellent choice for those seeking a fast, stealthy VPN connection.\n"
-                      "AmneziaWG solves this problem by using better obfuscation methods, "
+                      "\nFeatures:\n"
-                      "making its traffic blend in with regular internet traffic.\n"
+                      "* Available on all AmneziaVPN platforms\n"
-                      "This means that AmneziaWG keeps the fast performance of the original "
+                      "* Low battery consumption on mobile devices\n"
-                      "while adding an extra layer of stealth, "
+                      "* Minimal settings required\n"
-                      "making it a great choice for those wanting a fast and discreet VPN connection.\n\n"
+                      "* Undetectable by traffic analysis systems (DPI)\n"
-                      "* Available in the AmneziaVPN across all platforms\n"
+                      "* Operates over UDP protocol") },
                      "* Low power consumption\n"
                      "* Minimum number of settings\n"
                      "* Not recognised by traffic analysis systems\n"
                      "* Works over UDP network protocol.") },
        { DockerContainer::Xray,
-                QObject::tr("The REALITY protocol, a pioneering development by the creators of XRay, "
+          QObject::tr("REALITY is an innovative protocol developed by the creators of XRay, designed specifically to combat high levels of internet censorship. "
-                            "is designed to provide the highest level of protection against detection through its innovative approach to security and privacy.\n"
+                      "REALITY identifies censorship systems during the TLS handshake, "
-                            "It uniquely identifies attackers during the TLS handshake phase, seamlessly operating as a proxy for legitimate clients while diverting attackers to genuine websites, "
+                      "redirecting suspicious traffic seamlessly to legitimate websites like google.com while providing genuine TLS certificates. "
-                            "thus presenting an authentic TLS certificate and data. \n"
+                      "This allows VPN traffic to blend indistinguishably with regular web traffic without special configuration."
-                            "This advanced capability differentiates REALITY from similar technologies by its ability to disguise web traffic as coming from random, "
+                      "\nUnlike older protocols such as VMess, VLESS, and XTLS-Vision, REALITY incorporates an advanced built-in \"friend-or-foe\" detection mechanism, "
-                            "legitimate sites without the need for specific configurations. \n"
+                      "effectively protecting against DPI and other traffic analysis methods.\n"
-                            "Unlike older protocols such as VMess, VLESS, and the XTLS-Vision transport, "
+                      "\nFeatures:\n"
-                            "REALITY's innovative \"friend or foe\" recognition at the TLS handshake enhances security. "
+                      "* Resistant to active probing and DPI detection\n"
-                            "This makes REALITY a robust solution for maintaining internet freedom.")
+                      "* No special configuration required to disguise traffic\n"
-        },
+                      "* Highly effective in heavily censored regions\n"
                      "* Minimal battery consumption on devices\n"
                      "* Operates over TCP protocol") },
        { DockerContainer::Ipsec,
-          QObject::tr("IKEv2, paired with the IPSec encryption layer, stands as a modern and stable VPN protocol.\n"
+          QObject::tr("IKEv2, combined with IPSec encryption, is a modern and reliable VPN protocol. "
-                      "One of its distinguishing features is its ability to swiftly switch between networks and devices, "
+                      "It reconnects quickly when switching networks or devices, making it ideal for dynamic network environments. "
-                      "making it particularly adaptive in dynamic network environments. \n"
+                      "While it provides good security and speed, it's easily recognized by DPI systems and susceptible to blocking.\n"
-                      "While it offers a blend of security, stability, and speed, "
+                      "\nFeatures:\n"
-                      "it's essential to note that IKEv2 can be easily detected and is susceptible to blocking.\n\n"
+                      "* Available in AmneziaVPN only on Windows\n"
-                      "* Available in the AmneziaVPN only on Windows\n"
+                      "* Low battery consumption on mobile devices\n"
-                      "* Low power consumption, on mobile devices\n"
+                      "* Minimal configuration required\n"
-                      "* Minimal configuration\n"
+                      "* Detectable by DPI analysis systems(easily blocked)\n"
-                      "* Recognised by DPI analysis systems\n"
+                      "* Operates over UDP protocol(ports 500 and 4500)") },
                      "* Works over UDP network protocol, ports 500 and 4500.") },
        { DockerContainer::TorWebSite, QObject::tr("Website in Tor network") },
        { DockerContainer::Dns, QObject::tr("DNS Service") },
@@ -276,6 +261,7 @@ bool ContainerProps::isSupportedByCurrentPlatform(DockerContainer c)
    return true;
 #elif defined(Q_OS_IOS)
    // Standard iOS build (without Network Extension limitations)
    switch (c) {
    case DockerContainer::WireGuard: return true;
    case DockerContainer::OpenVpn: return true;
@@ -284,7 +270,23 @@ bool ContainerProps::isSupportedByCurrentPlatform(DockerContainer c)
    case DockerContainer::Cloak: return true;
    case DockerContainer::SSXray: return true;
        //    case DockerContainer::ShadowSocks: return true;
-    default: return false;
+    default:
        return false;
    }
 #elif defined(MACOS_NE)
    // macOS build using Network Extension – hide OpenVPN-based containers
    switch (c) {
    case DockerContainer::WireGuard: return true;
    case DockerContainer::Awg: return true;
    case DockerContainer::Xray: return true;
    case DockerContainer::SSXray: return true;
    case DockerContainer::OpenVpn:
    case DockerContainer::Cloak:
    case DockerContainer::ShadowSocks:
        return false;
    default:
        return false;
    }
 #elif defined(Q_OS_MAC)
    switch (c) {
@@ -10,7 +10,8 @@ namespace apiDefs
        AmneziaFreeV3,
        AmneziaPremiumV1,
        AmneziaPremiumV2,
-        SelfHosted
+        SelfHosted,
        ExternalPremium
    };
    enum ConfigSource {
@@ -21,12 +22,21 @@ namespace apiDefs
    namespace key
    {
        constexpr QLatin1String configVersion("config_version");
        constexpr QLatin1String apiEndpoint("api_endpoint");
        constexpr QLatin1String apiKey("api_key");
        constexpr QLatin1String description("description");
        constexpr QLatin1String name("name");
        constexpr QLatin1String protocol("protocol");
        constexpr QLatin1String apiConfig("api_config");
        constexpr QLatin1String stackType("stack_type");
        constexpr QLatin1String serviceType("service_type");
        constexpr QLatin1String cliVersion("cli_version");
        constexpr QLatin1String supportedProtocols("supported_protocols");
        constexpr QLatin1String vpnKey("vpn_key");
        constexpr QLatin1String config("config");
        constexpr QLatin1String configs("configs");
        constexpr QLatin1String installationUuid("installation_uuid");
        constexpr QLatin1String workerLastUpdated("worker_last_updated");
@@ -43,6 +53,17 @@ namespace apiDefs
        constexpr QLatin1String maxDeviceCount("max_device_count");
        constexpr QLatin1String subscriptionEndDate("subscription_end_date");
        constexpr QLatin1String issuedConfigs("issued_configs");
        constexpr QLatin1String supportInfo("support_info");
        constexpr QLatin1String email("email");
        constexpr QLatin1String billingEmail("billing_email");
        constexpr QLatin1String website("website");
        constexpr QLatin1String websiteName("website_name");
        constexpr QLatin1String telegram("telegram");
        constexpr QLatin1String id("id");
        constexpr QLatin1String orderId("order_id");
        constexpr QLatin1String migrationCode("migration_code");
    }
    const int requestTimeoutMsecs = 12 * 1000; // 12 secs
@@ -3,9 +3,27 @@
 #include <QDateTime>
 #include <QJsonObject>
 namespace
 {
    const QByteArray AMNEZIA_CONFIG_SIGNATURE = QByteArray::fromHex("000000ff");
    QString escapeUnicode(const QString &input)
    {
        QString output;
        for (QChar c : input) {
            if (c.unicode() < 0x20 || c.unicode() > 0x7E) {
                output += QString("\\u%1").arg(QString::number(c.unicode(), 16).rightJustified(4, '0'));
            } else {
                output += c;
            }
        }
        return output;
    }
 }
 bool apiUtils::isSubscriptionExpired(const QString &subscriptionEndDate)
 {
-    QDateTime now = QDateTime::currentDateTime();
+    QDateTime now = QDateTime::currentDateTimeUtc();
    QDateTime endDate = QDateTime::fromString(subscriptionEndDate, Qt::ISODateWithMs);
    return endDate < now;
 }
@@ -23,24 +41,34 @@ bool apiUtils::isServerFromApi(const QJsonObject &serverConfigObject)
 apiDefs::ConfigType apiUtils::getConfigType(const QJsonObject &serverConfigObject)
 {
    auto configVersion = serverConfigObject.value(apiDefs::key::configVersion).toInt();
    switch (configVersion) {
    case apiDefs::ConfigSource::Telegram: {
        constexpr QLatin1String freeV2Endpoint(FREE_V2_ENDPOINT);
        constexpr QLatin1String premiumV1Endpoint(PREM_V1_ENDPOINT);
        auto apiEndpoint = serverConfigObject.value(apiDefs::key::apiEndpoint).toString();
        if (apiEndpoint.contains(premiumV1Endpoint)) {
            return apiDefs::ConfigType::AmneziaPremiumV1;
        } else if (apiEndpoint.contains(freeV2Endpoint)) {
            return apiDefs::ConfigType::AmneziaFreeV2;
        }
    };
    case apiDefs::ConfigSource::AmneziaGateway: {
        constexpr QLatin1String stackPremium("prem");
        constexpr QLatin1String stackFree("free");
        constexpr QLatin1String servicePremium("amnezia-premium");
        constexpr QLatin1String serviceFree("amnezia-free");
        constexpr QLatin1String serviceExternalPremium("external-premium");
        auto apiConfigObject = serverConfigObject.value(apiDefs::key::apiConfig).toObject();
        auto stackType = apiConfigObject.value(apiDefs::key::stackType).toString();
        auto serviceType = apiConfigObject.value(apiDefs::key::serviceType).toString();
-        if (serviceType == servicePremium || stackType == stackPremium) {
+        if (serviceType == servicePremium) {
            return apiDefs::ConfigType::AmneziaPremiumV2;
-        } else if (serviceType == serviceFree || stackType == stackFree) {
+        } else if (serviceType == serviceFree) {
            return apiDefs::ConfigType::AmneziaFreeV3;
        } else if (serviceType == serviceExternalPremium) {
            return apiDefs::ConfigType::ExternalPremium;
        }
    }
    default: {
@@ -66,7 +94,11 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
        return amnezia::ErrorCode::NoError;
    } else if (reply->error() == QNetworkReply::NetworkError::OperationCanceledError
               || reply->error() == QNetworkReply::NetworkError::TimeoutError) {
        qDebug() << reply->error();
        return amnezia::ErrorCode::ApiConfigTimeoutError;
    } else if (reply->error() == QNetworkReply::NetworkError::OperationNotImplementedError) {
        qDebug() << reply->error();
        return amnezia::ErrorCode::ApiUpdateRequestError;
    } else {
        QString err = reply->errorString();
        int httpStatusCode = reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
@@ -85,3 +117,48 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
    qDebug() << "something went wrong";
    return amnezia::ErrorCode::InternalError;
 }
 bool apiUtils::isPremiumServer(const QJsonObject &serverConfigObject)
 {
    static const QSet<apiDefs::ConfigType> premiumTypes = { apiDefs::ConfigType::AmneziaPremiumV1, apiDefs::ConfigType::AmneziaPremiumV2,
                                                            apiDefs::ConfigType::ExternalPremium };
    return premiumTypes.contains(getConfigType(serverConfigObject));
 }
 QString apiUtils::getPremiumV1VpnKey(const QJsonObject &serverConfigObject)
 {
    if (apiUtils::getConfigType(serverConfigObject) != apiDefs::ConfigType::AmneziaPremiumV1) {
        return {};
    }
    QList<QPair<QString, QVariant>> orderedFields;
    orderedFields.append(qMakePair(apiDefs::key::name, serverConfigObject[apiDefs::key::name].toString()));
    orderedFields.append(qMakePair(apiDefs::key::description, serverConfigObject[apiDefs::key::description].toString()));
    orderedFields.append(qMakePair(apiDefs::key::configVersion, serverConfigObject[apiDefs::key::configVersion].toDouble()));
    orderedFields.append(qMakePair(apiDefs::key::protocol, serverConfigObject[apiDefs::key::protocol].toString()));
    orderedFields.append(qMakePair(apiDefs::key::apiEndpoint, serverConfigObject[apiDefs::key::apiEndpoint].toString()));
    orderedFields.append(qMakePair(apiDefs::key::apiKey, serverConfigObject[apiDefs::key::apiKey].toString()));
    QString vpnKeyStr = "{";
    for (int i = 0; i < orderedFields.size(); ++i) {
        const auto &pair = orderedFields[i];
        if (pair.second.typeId() == QMetaType::Type::QString) {
            vpnKeyStr += "\"" + pair.first + "\": \"" + pair.second.toString() + "\"";
        } else if (pair.second.typeId() == QMetaType::Type::Double || pair.second.typeId() == QMetaType::Type::Int) {
            vpnKeyStr += "\"" + pair.first + "\": " + QString::number(pair.second.toDouble(), 'f', 1);
        }
        if (i < orderedFields.size() - 1) {
            vpnKeyStr += ", ";
        }
    }
    vpnKeyStr += "}";
    QByteArray vpnKeyCompressed = escapeUnicode(vpnKeyStr).toUtf8();
    vpnKeyCompressed = qCompress(vpnKeyCompressed, 6);
    vpnKeyCompressed = vpnKeyCompressed.mid(4);
    QByteArray signedData = AMNEZIA_CONFIG_SIGNATURE + vpnKeyCompressed;
    return QString("vpn://%1").arg(QString(signedData.toBase64(QByteArray::Base64UrlEncoding)));
 }
@@ -13,10 +13,14 @@ namespace apiUtils
    bool isSubscriptionExpired(const QString &subscriptionEndDate);
    bool isPremiumServer(const QJsonObject &serverConfigObject);
    apiDefs::ConfigType getConfigType(const QJsonObject &serverConfigObject);
    apiDefs::ConfigSource getConfigSource(const QJsonObject &serverConfigObject);
    amnezia::ErrorCode checkNetworkReplyErrors(const QList<QSslError> &sslErrors, QNetworkReply *reply);
    QString getPremiumV1VpnKey(const QJsonObject &serverConfigObject);
 }
 #endif // APIUTILS_H
@@ -48,6 +48,9 @@ void CoreController::initModels()
    m_sitesModel.reset(new SitesModel(m_settings, this));
    m_engine->rootContext()->setContextProperty("SitesModel", m_sitesModel.get());
    m_allowedDnsModel.reset(new AllowedDnsModel(m_settings, this));
    m_engine->rootContext()->setContextProperty("AllowedDnsModel", m_allowedDnsModel.get());
    m_appSplitTunnelingModel.reset(new AppSplitTunnelingModel(m_settings, this));
    m_engine->rootContext()->setContextProperty("AppSplitTunnelingModel", m_appSplitTunnelingModel.get());
@@ -117,6 +120,9 @@ void CoreController::initControllers()
    connect(m_installController.get(), &InstallController::currentContainerUpdated, m_connectionController.get(),
            &ConnectionController::onCurrentContainerUpdated); // TODO remove this
    connect(m_installController.get(), &InstallController::profileCleared,
            m_protocolsModel.get(), &ProtocolsModel::updateModel);
    m_importController.reset(new ImportController(m_serversModel, m_containersModel, m_settings));
    m_engine->rootContext()->setContextProperty("ImportController", m_importController.get());
@@ -130,6 +136,9 @@ void CoreController::initControllers()
    m_sitesController.reset(new SitesController(m_settings, m_vpnConnection, m_sitesModel));
    m_engine->rootContext()->setContextProperty("SitesController", m_sitesController.get());
    m_allowedDnsController.reset(new AllowedDnsController(m_settings, m_allowedDnsModel));
    m_engine->rootContext()->setContextProperty("AllowedDnsController", m_allowedDnsController.get());
    m_appSplitTunnelingController.reset(new AppSplitTunnelingController(m_settings, m_appSplitTunnelingModel));
    m_engine->rootContext()->setContextProperty("AppSplitTunnelingController", m_appSplitTunnelingController.get());
@@ -142,6 +151,9 @@ void CoreController::initControllers()
    m_apiConfigsController.reset(new ApiConfigsController(m_serversModel, m_apiServicesModel, m_settings));
    m_engine->rootContext()->setContextProperty("ApiConfigsController", m_apiConfigsController.get());
    m_apiPremV1MigrationController.reset(new ApiPremV1MigrationController(m_serversModel, m_settings, this));
    m_engine->rootContext()->setContextProperty("ApiPremV1MigrationController", m_apiPremV1MigrationController.get());
 }
 void CoreController::initAndroidController()
@@ -214,11 +226,14 @@ void CoreController::initSignalHandlers()
    initAutoConnectHandler();
    initAmneziaDnsToggledHandler();
    initPrepareConfigHandler();
    initImportPremiumV2VpnKeyHandler();
    initShowMigrationDrawerHandler();
    initStrictKillSwitchHandler();
 }
 void CoreController::initNotificationHandler()
 {
-#ifndef Q_OS_ANDROID
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
    m_notificationHandler.reset(NotificationHandler::create(nullptr));
    connect(m_vpnConnection.get(), &VpnConnection::connectionStateChanged, m_notificationHandler.get(),
@@ -230,6 +245,9 @@ void CoreController::initNotificationHandler()
    connect(m_notificationHandler.get(), &NotificationHandler::disconnectRequested, m_connectionController.get(),
            &ConnectionController::closeConnection);
    connect(this, &CoreController::translationsUpdated, m_notificationHandler.get(), &NotificationHandler::onTranslationsUpdated);
    auto* trayHandler = qobject_cast<SystemTrayNotificationHandler*>(m_notificationHandler.get());
    connect(this, &CoreController::websiteUrlChanged, trayHandler, &SystemTrayNotificationHandler::updateWebsiteUrl);
 #endif    
 }
@@ -267,6 +285,7 @@ void CoreController::updateTranslator(const QLocale &locale)
    m_engine->retranslate();
    emit translationsUpdated();
    emit websiteUrlChanged(m_languageModel->getCurrentSiteUrl());
 }
 void CoreController::initErrorMessagesHandler()
@@ -287,13 +306,10 @@ void CoreController::setQmlRoot()
 void CoreController::initApiCountryModelUpdateHandler()
 {
    // TODO
    connect(m_serversModel.get(), &ServersModel::updateApiCountryModel, this, [this]() {
        m_apiCountryModel->updateModel(m_serversModel->getProcessedServerData("apiAvailableCountries").toJsonArray(),
                                       m_serversModel->getProcessedServerData("apiServerCountryCode").toString());
    });
    connect(m_serversModel.get(), &ServersModel::updateApiServicesModel, this,
            [this]() { m_apiServicesModel->updateModel(m_serversModel->getProcessedServerData("apiConfig").toJsonObject()); });
 }
 void CoreController::initContainerModelUpdateHandler()
@@ -356,6 +372,31 @@ void CoreController::initPrepareConfigHandler()
    });
 }
 void CoreController::initImportPremiumV2VpnKeyHandler()
 {
    connect(m_apiPremV1MigrationController.get(), &ApiPremV1MigrationController::importPremiumV2VpnKey, this, [this](const QString &vpnKey) {
        m_importController->extractConfigFromData(vpnKey);
        m_importController->importConfig();
        emit m_apiPremV1MigrationController->migrationFinished();
    });
 }
 void CoreController::initShowMigrationDrawerHandler()
 {
    QTimer::singleShot(1000, this, [this]() {
        if (m_apiPremV1MigrationController->isPremV1MigrationReminderActive() && m_apiPremV1MigrationController->hasConfigsToMigration()) {
            m_apiPremV1MigrationController->showMigrationDrawer();
        }
    });
 }
 void CoreController::initStrictKillSwitchHandler()
 {
    connect(m_settingsController.get(), &SettingsController::strictKillSwitchEnabledChanged, m_vpnConnection.get(),
            &VpnConnection::onKillSwitchModeChanged);
 }
 QSharedPointer<PageController> CoreController::pageController() const
 {
    return m_pageController;
@@ -5,9 +5,15 @@
 #include <QQmlContext>
 #include <QThread>
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
    #include "ui/systemtray_notificationhandler.h"
 #endif
 #include "ui/controllers/api/apiConfigsController.h"
 #include "ui/controllers/api/apiSettingsController.h"
 #include "ui/controllers/api/apiPremV1MigrationController.h"
 #include "ui/controllers/appSplitTunnelingController.h"
 #include "ui/controllers/allowedDnsController.h"
 #include "ui/controllers/connectionController.h"
 #include "ui/controllers/exportController.h"
 #include "ui/controllers/focusController.h"
@@ -18,6 +24,7 @@
 #include "ui/controllers/sitesController.h"
 #include "ui/controllers/systemController.h"
 #include "ui/models/allowed_dns_model.h"
 #include "ui/models/containers_model.h"
 #include "ui/models/languageModel.h"
 #include "ui/models/protocols/cloakConfigModel.h"
@@ -41,7 +48,7 @@
 #include "ui/models/services/socks5ProxyConfigModel.h"
 #include "ui/models/sites_model.h"
-#ifndef Q_OS_ANDROID
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
    #include "ui/notificationhandler.h"
 #endif
@@ -58,6 +65,7 @@ public:
 signals:
    void translationsUpdated();
    void websiteUrlChanged(const QString &newUrl);
 private:
    void initModels();
@@ -80,13 +88,16 @@ private:
    void initAutoConnectHandler();
    void initAmneziaDnsToggledHandler();
    void initPrepareConfigHandler();
    void initImportPremiumV2VpnKeyHandler();
    void initShowMigrationDrawerHandler();
    void initStrictKillSwitchHandler();
    QQmlApplicationEngine *m_engine {}; // TODO use parent child system here?
    std::shared_ptr<Settings> m_settings;
    QSharedPointer<VpnConnection> m_vpnConnection;
    QSharedPointer<QTranslator> m_translator;
-#ifndef Q_OS_ANDROID
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
    QScopedPointer<NotificationHandler> m_notificationHandler;
 #endif
@@ -102,9 +113,11 @@ private:
    QScopedPointer<SitesController> m_sitesController;
    QScopedPointer<SystemController> m_systemController;
    QScopedPointer<AppSplitTunnelingController> m_appSplitTunnelingController;
    QScopedPointer<AllowedDnsController> m_allowedDnsController;
    QScopedPointer<ApiSettingsController> m_apiSettingsController;
    QScopedPointer<ApiConfigsController> m_apiConfigsController;
    QScopedPointer<ApiPremV1MigrationController> m_apiPremV1MigrationController;
    QSharedPointer<ContainersModel> m_containersModel;
    QSharedPointer<ContainersModel> m_defaultServerContainersModel;
@@ -112,6 +125,7 @@ private:
    QSharedPointer<LanguageModel> m_languageModel;
    QSharedPointer<ProtocolsModel> m_protocolsModel;
    QSharedPointer<SitesModel> m_sitesModel;
    QSharedPointer<AllowedDnsModel> m_allowedDnsModel;
    QSharedPointer<AppSplitTunnelingModel> m_appSplitTunnelingModel;
    QSharedPointer<ClientManagementModel> m_clientManagementModel;
@@ -7,14 +7,20 @@
 #include <QJsonDocument>
 #include <QJsonObject>
 #include <QNetworkReply>
 #include <QUrl>
 #include "QBlockCipher.h"
 #include "QRsa.h"
 #include "amnezia_application.h"
 #include "core/api/apiUtils.h"
 #include "core/networkUtilities.h"
 #include "utilities.h"
 #ifdef AMNEZIA_DESKTOP
    #include "core/ipcclient.h"
 #endif
 namespace
 {
    namespace configKey
@@ -30,10 +36,17 @@ namespace
    constexpr QLatin1String errorResponsePattern1("No active configuration found for");
    constexpr QLatin1String errorResponsePattern2("No non-revoked public key found for");
    constexpr QLatin1String errorResponsePattern3("Account not found.");
    constexpr QLatin1String updateRequestResponsePattern("client version update is required");
 }
-GatewayController::GatewayController(const QString &gatewayEndpoint, bool isDevEnvironment, int requestTimeoutMsecs, QObject *parent)
+GatewayController::GatewayController(const QString &gatewayEndpoint, const bool isDevEnvironment, const int requestTimeoutMsecs,
-    : QObject(parent), m_gatewayEndpoint(gatewayEndpoint), m_isDevEnvironment(isDevEnvironment), m_requestTimeoutMsecs(requestTimeoutMsecs)
+                                     const bool isStrictKillSwitchEnabled, QObject *parent)
    : QObject(parent),
      m_gatewayEndpoint(gatewayEndpoint),
      m_isDevEnvironment(isDevEnvironment),
      m_requestTimeoutMsecs(requestTimeoutMsecs),
      m_isStrictKillSwitchEnabled(isStrictKillSwitchEnabled)
 {
 }
@@ -47,8 +60,20 @@ ErrorCode GatewayController::get(const QString &endpoint, QByteArray &responseBo
    QNetworkRequest request;
    request.setTransferTimeout(m_requestTimeoutMsecs);
    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
    request.setRawHeader(QString("X-Client-Request-ID").toUtf8(), QUuid::createUuid().toString(QUuid::WithoutBraces).toUtf8());
-    request.setUrl(QString(endpoint).arg(m_gatewayEndpoint));
+    request.setUrl(QString(endpoint).arg(m_proxyUrl.isEmpty() ? m_gatewayEndpoint : m_proxyUrl));
    // bypass killSwitch exceptions for API-gateway
 #ifdef AMNEZIA_DESKTOP
    if (m_isStrictKillSwitchEnabled) {
        QString host = QUrl(request.url()).host();
        QString ip = NetworkUtilities::getIPAddress(host);
        if (!ip.isEmpty()) {
            IpcClient::Interface()->addKillSwitchAllowedRange(QStringList { ip });
        }
    }
 #endif
    QNetworkReply *reply;
    reply = amnApp->networkManager()->get(request);
@@ -98,8 +123,20 @@ ErrorCode GatewayController::post(const QString &endpoint, const QJsonObject api
    QNetworkRequest request;
    request.setTransferTimeout(m_requestTimeoutMsecs);
    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
    request.setRawHeader(QString("X-Client-Request-ID").toUtf8(), QUuid::createUuid().toString(QUuid::WithoutBraces).toUtf8());
-    request.setUrl(endpoint.arg(m_gatewayEndpoint));
+    request.setUrl(endpoint.arg(m_proxyUrl.isEmpty() ? m_gatewayEndpoint : m_proxyUrl));
    // bypass killSwitch exceptions for API-gateway
 #ifdef AMNEZIA_DESKTOP
    if (m_isStrictKillSwitchEnabled) {
        QString host = QUrl(request.url()).host();
        QString ip = NetworkUtilities::getIPAddress(host);
        if (!ip.isEmpty()) {
            IpcClient::Interface()->addKillSwitchAllowedRange(QStringList { ip });
        }
    }
 #endif
    QSimpleCrypto::QBlockCipher blockCipher;
    QByteArray key = blockCipher.generatePrivateSalt(32);
@@ -251,6 +288,9 @@ QStringList GatewayController::getProxyUrls()
            }
            return endpoints;
        } else {
            apiUtils::checkNetworkReplyErrors(sslErrors, reply);
            qDebug() << "go to the next storage endpoint";
            reply->deleteLater();
        }
    }
@@ -261,26 +301,36 @@ bool GatewayController::shouldBypassProxy(QNetworkReply *reply, const QByteArray
                                          const QByteArray &iv, const QByteArray &salt)
 {
    if (reply->error() == QNetworkReply::NetworkError::OperationCanceledError || reply->error() == QNetworkReply::NetworkError::TimeoutError) {
-        qDebug() << "Timeout occurred";
+        qDebug() << "timeout occurred";
        qDebug() << reply->error();
        return true;
    } else if (responseBody.contains("html")) {
-        qDebug() << "The response contains an html tag";
+        qDebug() << "the response contains an html tag";
        return true;
    } else if (reply->error() == QNetworkReply::NetworkError::ContentNotFoundError) {
        if (responseBody.contains(errorResponsePattern1) || responseBody.contains(errorResponsePattern2)
            || responseBody.contains(errorResponsePattern3)) {
            return false;
        } else {
            qDebug() << reply->error();
            return true;
        }
    } else if (reply->error() == QNetworkReply::NetworkError::OperationNotImplementedError) {
        if (responseBody.contains(updateRequestResponsePattern)) {
            return false;
        } else {
            qDebug() << reply->error();
            return true;
        }
    } else if (reply->error() != QNetworkReply::NetworkError::NoError) {
        qDebug() << reply->error();
        return true;
    } else if (checkEncryption) {
        try {
            QSimpleCrypto::QBlockCipher blockCipher;
            static_cast<void>(blockCipher.decryptAesBlockCipher(responseBody, key, iv, "", salt));
        } catch (...) {
-            qDebug() << "Failed to decrypt the data";
+            qDebug() << "failed to decrypt the data";
            return true;
        }
    }
@@ -296,12 +346,15 @@ void GatewayController::bypassProxy(const QString &endpoint, QNetworkReply *repl
    std::mt19937 generator(randomDevice());
    std::shuffle(proxyUrls.begin(), proxyUrls.end(), generator);
    QEventLoop wait;
    QList<QSslError> sslErrors;
    QByteArray responseBody;
-    for (const QString &proxyUrl : proxyUrls) {
+    auto bypassFunction = [this](const QString &endpoint, const QString &proxyUrl, QNetworkReply *reply,
-        qDebug() << "Go to the next endpoint";
+                                 std::function<QNetworkReply *(const QString &url)> requestFunction,
                                 std::function<bool(QNetworkReply * reply, const QList<QSslError> &sslErrors)> replyProcessingFunction) {
        QEventLoop wait;
        QList<QSslError> sslErrors;
        qDebug() << "go to the next proxy endpoint";
        reply->deleteLater(); // delete the previous reply
        reply = requestFunction(endpoint.arg(proxyUrl));
@@ -310,6 +363,50 @@ void GatewayController::bypassProxy(const QString &endpoint, QNetworkReply *repl
        wait.exec();
        if (replyProcessingFunction(reply, sslErrors)) {
            return true;
        }
        return false;
    };
    if (m_proxyUrl.isEmpty()) {
        QNetworkRequest request;
        request.setTransferTimeout(1000);
        request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
        QEventLoop wait;
        QList<QSslError> sslErrors;
        QNetworkReply *reply;
        for (const QString &proxyUrl : proxyUrls) {
            request.setUrl(proxyUrl + "lmbd-health");
            reply = amnApp->networkManager()->get(request);
            connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
            connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
            wait.exec();
            if (reply->error() == QNetworkReply::NetworkError::NoError) {
                reply->deleteLater();
                m_proxyUrl = proxyUrl;
                if (!m_proxyUrl.isEmpty()) {
                    break;
                }
            } else {
                reply->deleteLater();
            }
        }
    }
    if (!m_proxyUrl.isEmpty()) {
        if (bypassFunction(endpoint, m_proxyUrl, reply, requestFunction, replyProcessingFunction)) {
            return;
        }
    }
    for (const QString &proxyUrl : proxyUrls) {
        if (bypassFunction(endpoint, proxyUrl, reply, requestFunction, replyProcessingFunction)) {
            m_proxyUrl = proxyUrl;
            break;
        }
    }
@@ -15,7 +15,8 @@ class GatewayController : public QObject
    Q_OBJECT
 public:
-    explicit GatewayController(const QString &gatewayEndpoint, bool isDevEnvironment, int requestTimeoutMsecs, QObject *parent = nullptr);
+    explicit GatewayController(const QString &gatewayEndpoint, const bool isDevEnvironment, const int requestTimeoutMsecs,
                               const bool isStrictKillSwitchEnabled, QObject *parent = nullptr);
    amnezia::ErrorCode get(const QString &endpoint, QByteArray &responseBody);
    amnezia::ErrorCode post(const QString &endpoint, const QJsonObject apiPayload, QByteArray &responseBody);
@@ -30,6 +31,9 @@ private:
    int m_requestTimeoutMsecs;
    QString m_gatewayEndpoint;
    bool m_isDevEnvironment = false;
    bool m_isStrictKillSwitchEnabled = false;
    inline static QString m_proxyUrl;
 };
 #endif // GATEWAYCONTROLLER_H
@@ -138,7 +138,7 @@ ErrorCode ServerController::uploadTextFileToContainer(DockerContainer container,
    if (overwriteMode == libssh::ScpOverwriteMode::ScpOverwriteExisting) {
        e = runScript(credentials,
-                      replaceVars(QString("sudo docker cp %1 $CONTAINER_NAME:/%2").arg(tmpFileName).arg(path),
+                      replaceVars(QStringLiteral("sudo docker cp %1 $CONTAINER_NAME:/%2").arg(tmpFileName, path),
                                  genVarsForScript(credentials, container)),
                      cbReadStd, cbReadStd);
@@ -146,7 +146,7 @@ ErrorCode ServerController::uploadTextFileToContainer(DockerContainer container,
            return e;
    } else if (overwriteMode == libssh::ScpOverwriteMode::ScpAppendToExisting) {
        e = runScript(credentials,
-                      replaceVars(QString("sudo docker cp %1 $CONTAINER_NAME:/%2").arg(tmpFileName).arg(tmpFileName),
+                      replaceVars(QStringLiteral("sudo docker cp %1 $CONTAINER_NAME:/%2").arg(tmpFileName, tmpFileName),
                                  genVarsForScript(credentials, container)),
                      cbReadStd, cbReadStd);
@@ -154,7 +154,7 @@ ErrorCode ServerController::uploadTextFileToContainer(DockerContainer container,
            return e;
        e = runScript(credentials,
-                      replaceVars(QString("sudo docker exec -i $CONTAINER_NAME sh -c \"cat %1 >> %2\"").arg(tmpFileName).arg(path),
+                      replaceVars(QStringLiteral("sudo docker exec -i $CONTAINER_NAME sh -c \"cat %1 >> %2\"").arg(tmpFileName, path),
                                  genVarsForScript(credentials, container)),
                      cbReadStd, cbReadStd);
@@ -177,7 +177,7 @@ QByteArray ServerController::getTextFileFromContainer(DockerContainer container,
    errorCode = ErrorCode::NoError;
-    QString script = QString("sudo docker exec -i %1 sh -c \"xxd -p \'%2\'\"").arg(ContainerProps::containerToString(container)).arg(path);
+    QString script = QStringLiteral("sudo docker exec -i %1 sh -c \"xxd -p '%2'\"").arg(ContainerProps::containerToString(container), path);
    QString stdOut;
    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
@@ -349,7 +349,7 @@ bool ServerController::isReinstallContainerRequired(DockerContainer container, c
        if ((oldProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress)
             != newProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress))
            || (oldProtoConfig.value(config_key::port).toString(protocols::awg::defaultPort)
-             != newProtoConfig.value(config_key::port).toString(protocols::awg::defaultPort))
+                != newProtoConfig.value(config_key::port).toString(protocols::awg::defaultPort))
            || (oldProtoConfig.value(config_key::junkPacketCount).toString(protocols::awg::defaultJunkPacketCount)
                != newProtoConfig.value(config_key::junkPacketCount).toString(protocols::awg::defaultJunkPacketCount))
            || (oldProtoConfig.value(config_key::junkPacketMinSize).toString(protocols::awg::defaultJunkPacketMinSize)
@@ -366,8 +366,13 @@ bool ServerController::isReinstallContainerRequired(DockerContainer container, c
                != newProtoConfig.value(config_key::responsePacketMagicHeader).toString(protocols::awg::defaultResponsePacketMagicHeader))
            || (oldProtoConfig.value(config_key::underloadPacketMagicHeader).toString(protocols::awg::defaultUnderloadPacketMagicHeader)
                != newProtoConfig.value(config_key::underloadPacketMagicHeader).toString(protocols::awg::defaultUnderloadPacketMagicHeader))
-            || (oldProtoConfig.value(config_key::transportPacketMagicHeader).toString(protocols::awg::defaultTransportPacketMagicHeader)
+            || (oldProtoConfig.value(config_key::transportPacketMagicHeader).toString(protocols::awg::defaultTransportPacketMagicHeader))
-                != newProtoConfig.value(config_key::transportPacketMagicHeader).toString(protocols::awg::defaultTransportPacketMagicHeader)))
+                    != newProtoConfig.value(config_key::transportPacketMagicHeader).toString(protocols::awg::defaultTransportPacketMagicHeader))
            // || (oldProtoConfig.value(config_key::cookieReplyPacketJunkSize).toString(protocols::awg::defaultCookieReplyPacketJunkSize)
            //     != newProtoConfig.value(config_key::cookieReplyPacketJunkSize).toString(protocols::awg::defaultCookieReplyPacketJunkSize))
            // || (oldProtoConfig.value(config_key::transportPacketJunkSize).toString(protocols::awg::defaultTransportPacketJunkSize)
            //     != newProtoConfig.value(config_key::transportPacketJunkSize).toString(protocols::awg::defaultTransportPacketJunkSize))
            return true;
    }
@@ -375,7 +380,7 @@ bool ServerController::isReinstallContainerRequired(DockerContainer container, c
        if ((oldProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress)
             != newProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress))
            || (oldProtoConfig.value(config_key::port).toString(protocols::wireguard::defaultPort)
-            != newProtoConfig.value(config_key::port).toString(protocols::wireguard::defaultPort)))
+                != newProtoConfig.value(config_key::port).toString(protocols::wireguard::defaultPort)))
            return true;
    }
@@ -383,6 +388,13 @@ bool ServerController::isReinstallContainerRequired(DockerContainer container, c
        return true;
    }
    if (container == DockerContainer::Xray) {
        if (oldProtoConfig.value(config_key::port).toString(protocols::xray::defaultPort)
            != newProtoConfig.value(config_key::port).toString(protocols::xray::defaultPort)) {
            return true;
        }
    }
    return false;
 }
@@ -439,15 +451,24 @@ ErrorCode ServerController::buildContainerWorker(const ServerCredentials &creden
        stdOut += data + "\n";
        return ErrorCode::NoError;
    };
    auto cbReadStdErr = [&](const QString &data, libssh::Client &) {
        stdOut += data + "\n";
        return ErrorCode::NoError;
    };
-    errorCode =
+    ErrorCode error =
            runScript(credentials,
                      replaceVars(amnezia::scriptData(SharedScriptType::build_container), genVarsForScript(credentials, container, config)),
-                      cbReadStdOut);
+                      cbReadStdOut, cbReadStdErr);
    if (errorCode)
        return errorCode;
-    return errorCode;
+    if (stdOut.contains("doesn't work on cgroups v2"))
        return ErrorCode::ServerDockerOnCgroupsV2;
    if (stdOut.contains("cgroup mountpoint does not exist"))
        return ErrorCode::ServerCgroupMountpoint;
    if (stdOut.contains("have reached") && stdOut.contains("pull rate limit"))
        return ErrorCode::DockerPullRateLimit;
    return error;
 }
 ErrorCode ServerController::runContainerWorker(const ServerCredentials &credentials, DockerContainer container, QJsonObject &config)
@@ -625,6 +646,9 @@ ServerController::Vars ServerController::genVarsForScript(const ServerCredential
    vars.append({ { "$UNDERLOAD_PACKET_MAGIC_HEADER", amneziaWireguarConfig.value(config_key::underloadPacketMagicHeader).toString() } });
    vars.append({ { "$TRANSPORT_PACKET_MAGIC_HEADER", amneziaWireguarConfig.value(config_key::transportPacketMagicHeader).toString() } });
    vars.append({ { "$COOKIE_REPLY_PACKET_JUNK_SIZE", amneziaWireguarConfig.value(config_key::cookieReplyPacketJunkSize).toString() } });
    vars.append({ { "$TRANSPORT_PACKET_JUNK_SIZE", amneziaWireguarConfig.value(config_key::transportPacketJunkSize).toString() } });
    // Socks5 proxy vars
    vars.append({ { "$SOCKS5_PROXY_PORT", socks5ProxyConfig.value(config_key::port).toString(protocols::socks5Proxy::defaultPort) } });
    auto username = socks5ProxyConfig.value(config_key::userName).toString();
@@ -811,7 +835,7 @@ ErrorCode ServerController::isServerDpkgBusy(const ServerCredentials &credential
            if (stdOut.contains("Packet manager not found"))
                return ErrorCode::ServerPacketManagerError;
-            if (stdOut.contains("fuser not installed"))
+            if (stdOut.contains("fuser not installed") || stdOut.contains("cat not installed"))
                return ErrorCode::NoError;
            if (stdOut.isEmpty()) {
@@ -58,6 +58,9 @@ namespace amnezia
        ServerUserDirectoryNotAccessible = 208,
        ServerUserNotAllowedInSudoers = 209,
        ServerUserPasswordRequired = 210,
        ServerDockerOnCgroupsV2 = 211,
        ServerCgroupMountpoint = 212,
        DockerPullRateLimit = 213,
        // Ssh connection errors
        SshRequestDeniedError = 300,
@@ -115,6 +118,9 @@ namespace amnezia
        ApiServicesMissingError = 1107,
        ApiConfigLimitError = 1108,
        ApiNotFoundError = 1109,
        ApiMigrationError = 1110,
        ApiUpdateRequestError = 1111,
        ApiSubscriptionExpiredError = 1112,
        // QFile errors
        OpenError = 1200,
@@ -26,6 +26,9 @@ QString errorString(ErrorCode code) {
    case(ErrorCode::ServerUserDirectoryNotAccessible): errorMessage = QObject::tr("The server user's home directory is not accessible"); break;
    case(ErrorCode::ServerUserNotAllowedInSudoers): errorMessage = QObject::tr("Action not allowed in sudoers"); break;
    case(ErrorCode::ServerUserPasswordRequired): errorMessage = QObject::tr("The user's password is required"); break;
    case(ErrorCode::ServerDockerOnCgroupsV2): errorMessage = QObject::tr("Docker error: runc doesn't work on cgroups v2"); break;
    case(ErrorCode::ServerCgroupMountpoint): errorMessage = QObject::tr("Server error: cgroup mountpoint does not exist"); break;
    case(ErrorCode::DockerPullRateLimit): errorMessage = QObject::tr("Docker error: The pull rate limit has been reached"); break;
    // Libssh errors
    case(ErrorCode::SshRequestDeniedError): errorMessage = QObject::tr("SSH request was denied"); break;
@@ -72,6 +75,9 @@ QString errorString(ErrorCode code) {
    case (ErrorCode::ApiServicesMissingError): errorMessage = QObject::tr("Missing list of available services"); break;
    case (ErrorCode::ApiConfigLimitError): errorMessage = QObject::tr("The limit of allowed configurations per subscription has been exceeded"); break;
    case (ErrorCode::ApiNotFoundError): errorMessage = QObject::tr("Error when retrieving configuration from API"); break;
    case (ErrorCode::ApiMigrationError): errorMessage = QObject::tr("A migration error has occurred. Please contact our technical support"); break;
    case (ErrorCode::ApiUpdateRequestError): errorMessage = QObject::tr("Please update the application to use this feature"); break;
    case (ErrorCode::ApiSubscriptionExpiredError): errorMessage = QObject::tr("Your Amnezia Premium subscription has expired.\n Please check your email for renewal instructions.\n If you haven't received an email, please contact our support."); break;
    // QFile errors
    case(ErrorCode::OpenError): errorMessage = QObject::tr("QFile error: The file could not be opened"); break;
@@ -12,6 +12,7 @@
    #include <winsock.h>
    #include <QNetworkInterface>
    #include "qendian.h"
    #include <QSettings>
 #endif
 #ifdef Q_OS_LINUX
    #include <arpa/inet.h>
@@ -22,7 +23,7 @@
    #include <sys/socket.h>
    #include <unistd.h>
 #endif
-#if defined(Q_OS_MAC) && !defined(Q_OS_IOS)
+#if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
    #include <sys/param.h>
    #include <sys/sysctl.h>
    #include <sys/socket.h>
@@ -185,6 +186,17 @@ int NetworkUtilities::AdapterIndexTo(const QHostAddress& dst) {
    return 0;
 }
 bool NetworkUtilities::checkIpv6Enabled() {
 #ifdef Q_OS_WIN
    QSettings RegHLM("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters",
                     QSettings::NativeFormat);
    int ret = RegHLM.value("DisabledComponents", 0).toInt();
    qDebug() << "Check for Windows disabled IPv6 return " << ret;
    return (ret != 255);
 #endif
    return true;
 }
 #ifdef Q_OS_WIN
 DWORD GetAdaptersAddressesWrapper(const ULONG Family,
                                  const ULONG Flags,
@@ -378,7 +390,7 @@ QString NetworkUtilities::getGatewayAndIface()
    close(sock);
    return gateway_address;
 #endif
-#if defined(Q_OS_MAC) && !defined(Q_OS_IOS)
+#if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
    QString gateway;
    int mib[] = {CTL_NET, PF_ROUTE, 0, 0, NET_RT_FLAGS, RTF_GATEWAY};
    int afinet_type[] = {AF_INET, AF_INET6};
@@ -16,6 +16,7 @@ public:
    static QString getStringBetween(const QString &s, const QString &a, const QString &b);
    static bool checkIPv4Format(const QString &ip);
    static bool checkIpSubnetFormat(const QString &ip);
    static bool checkIpv6Enabled();
    static QString getGatewayAndIface();
    // Returns the Interface Index that could Route to dst
    static int AdapterIndexTo(const QHostAddress& dst);
@@ -29,7 +30,6 @@ public:
    static QString netMaskFromIpWithSubnet(const QString ip);
    static QString ipAddressFromIpWithSubnet(const QString ip);
    static QStringList summarizeRoutes(const QStringList &ips, const QString cidr);
 };
@@ -149,8 +149,7 @@ bool Daemon::activate(const InterfaceConfig& config) {
  // set routing
  for (const IPAddress& ip : config.m_allowedIPAddressRanges) {
    if (!wgutils()->updateRoutePrefix(ip)) {
-      logger.debug() << "Routing configuration failed for"
+      logger.debug() << "Routing configuration failed for" << ip.toString();
                     << logger.sensitive(ip.toString());
      return false;
    }
  }
@@ -170,11 +169,14 @@ bool Daemon::maybeUpdateResolvers(const InterfaceConfig& config) {
  if ((config.m_hopType == InterfaceConfig::MultiHopExit) ||
      (config.m_hopType == InterfaceConfig::SingleHop)) {
    QList<QHostAddress> resolvers;
-    resolvers.append(QHostAddress(config.m_dnsServer));
+    resolvers.append(QHostAddress(config.m_primaryDnsServer));
    if (!config.m_secondaryDnsServer.isEmpty()) {
        resolvers.append(QHostAddress(config.m_secondaryDnsServer));
    }
    // If the DNS is not the Gateway, it's a user defined DNS
    // thus, not add any other :)
-    if (config.m_dnsServer == config.m_serverIpv4Gateway) {
+    if (config.m_primaryDnsServer == config.m_serverIpv4Gateway) {
      resolvers.append(QHostAddress(config.m_serverIpv6Gateway));
    }
@@ -280,15 +282,26 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {
  config.m_serverIpv4Gateway = obj.value("serverIpv4Gateway").toString();
  config.m_serverIpv6Gateway = obj.value("serverIpv6Gateway").toString();
-  if (!obj.contains("dnsServer")) {
+  if (!obj.contains("primaryDnsServer")) {
-    config.m_dnsServer = QString();
+    config.m_primaryDnsServer = QString();
  } else {
-    QJsonValue value = obj.value("dnsServer");
+    QJsonValue value = obj.value("primaryDnsServer");
    if (!value.isString()) {
      logger.error() << "dnsServer is not a string";
      return false;
    }
-    config.m_dnsServer = value.toString();
+    config.m_primaryDnsServer = value.toString();
  }
  if (!obj.contains("secondaryDnsServer")) {
    config.m_secondaryDnsServer = QString();
  } else {
    QJsonValue value = obj.value("secondaryDnsServer");
    if (!value.isString()) {
      logger.error() << "dnsServer is not a string";
      return false;
    }
    config.m_secondaryDnsServer = value.toString();
  }
  if (!obj.contains("hopType")) {
@@ -371,6 +384,9 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {
  if (!parseStringList(obj, "vpnDisabledApps", config.m_vpnDisabledApps)) {
    return false;
  }
  if (!parseStringList(obj, "allowedDnsServers", config.m_allowedDnsServers)) {
    return false;
  }
  config.m_killSwitchEnabled = QVariant(obj.value("killSwitchOption").toString()).toBool();
@@ -389,6 +405,13 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {
  if (!obj.value("S2").isNull()) {
    config.m_responsePacketJunkSize = obj.value("S2").toString();
  }
  if (!obj.value("S3").isNull()) {
    config.m_cookieReplyPacketJunkSize = obj.value("S3").toString();
  }
  if (!obj.value("S4").isNull()) {
    config.m_transportPacketJunkSize = obj.value("S4").toString();
  }
  if (!obj.value("H1").isNull()) {
    config.m_initPacketMagicHeader = obj.value("H1").toString();
  }
@@ -402,6 +425,34 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {
    config.m_transportPacketMagicHeader = obj.value("H4").toString();
  }
  if (!obj.value("I1").isNull()) {
    config.m_specialJunk["I1"] = obj.value("I1").toString();
  }
  if (!obj.value("I2").isNull()) {
    config.m_specialJunk["I2"] = obj.value("I2").toString();
  }
  if (!obj.value("I3").isNull()) {
    config.m_specialJunk["I3"] = obj.value("I3").toString();
  }
  if (!obj.value("I4").isNull()) {
    config.m_specialJunk["I4"] = obj.value("I4").toString();
  }
  if (!obj.value("I5").isNull()) {
    config.m_specialJunk["I5"] = obj.value("I5").toString();
  }
  if (!obj.value("J1").isNull()) {
    config.m_controlledJunk["J1"] = obj.value("J1").toString();
  }
  if (!obj.value("J2").isNull()) {
    config.m_controlledJunk["J2"] = obj.value("J2").toString();
  }
  if (!obj.value("J3").isNull()) {
    config.m_controlledJunk["J3"] = obj.value("J3").toString();
  }
  if (!obj.value("Itime").isNull()) {
    config.m_specialHandshakeTimeout = obj.value("Itime").toString();
  }
  return true;
 }
@@ -28,7 +28,8 @@ QJsonObject InterfaceConfig::toJson() const {
      (m_hopType == InterfaceConfig::SingleHop)) {
    json.insert("serverIpv4Gateway", QJsonValue(m_serverIpv4Gateway));
    json.insert("serverIpv6Gateway", QJsonValue(m_serverIpv6Gateway));
-    json.insert("dnsServer", QJsonValue(m_dnsServer));
+    json.insert("primaryDnsServer", QJsonValue(m_primaryDnsServer));
    json.insert("secondaryDnsServer", QJsonValue(m_secondaryDnsServer));
  }
  QJsonArray allowedIPAddesses;
@@ -48,6 +49,13 @@ QJsonObject InterfaceConfig::toJson() const {
  }
  json.insert("excludedAddresses", jsExcludedAddresses);
  QJsonArray jsAllowedDnsServers;
  for (const QString& i : m_allowedDnsServers) {
    jsAllowedDnsServers.append(QJsonValue(i));
  }
  json.insert("allowedDnsServers", jsAllowedDnsServers);
  QJsonArray disabledApps;
  for (const QString& i : m_vpnDisabledApps) {
    disabledApps.append(QJsonValue(i));
@@ -93,11 +101,15 @@ QString InterfaceConfig::toWgConf(const QMap<QString, QString>& extra) const {
    out << "MTU = " << m_deviceMTU << "\n";
  }
-  if (!m_dnsServer.isNull()) {
+  if (!m_primaryDnsServer.isEmpty()) {
-    QStringList dnsServers(m_dnsServer);
+    QStringList dnsServers;
    dnsServers.append(m_primaryDnsServer);
    if (!m_secondaryDnsServer.isEmpty()) {
        dnsServers.append(m_secondaryDnsServer);
    }
    // If the DNS is not the Gateway, it's a user defined DNS
    // thus, not add any other :)
-    if (m_dnsServer == m_serverIpv4Gateway) {
+    if (m_primaryDnsServer == m_serverIpv4Gateway) {
      dnsServers.append(m_serverIpv6Gateway);
    }
    out << "DNS = " << dnsServers.join(", ") << "\n";
@@ -118,6 +130,12 @@ QString InterfaceConfig::toWgConf(const QMap<QString, QString>& extra) const {
  if (!m_responsePacketJunkSize.isNull()) {
    out << "S2 = " << m_responsePacketJunkSize << "\n";
  }
  if (!m_cookieReplyPacketJunkSize.isNull()) {
    out << "S3 = " << m_cookieReplyPacketJunkSize << "\n";
  }
  if (!m_transportPacketJunkSize.isNull()) {
    out << "S4 = " << m_transportPacketJunkSize << "\n";
  }
  if (!m_initPacketMagicHeader.isNull()) {
    out << "H1 = " << m_initPacketMagicHeader << "\n";
  }
@@ -131,6 +149,16 @@ QString InterfaceConfig::toWgConf(const QMap<QString, QString>& extra) const {
    out << "H4 = " << m_transportPacketMagicHeader << "\n";
  }
  for (const QString& key : m_specialJunk.keys()) {
    out << key << " = " << m_specialJunk[key] << "\n";
  }
  for (const QString& key : m_controlledJunk.keys()) {
    out << key << " = " << m_controlledJunk[key] << "\n";
  }
  if (!m_specialHandshakeTimeout.isNull()) {
    out << "Itime = " << m_specialHandshakeTimeout << "\n";
  }
  // If any extra config was provided, append it now.
  for (const QString& key : extra.keys()) {
    out << key << " = " << extra[key] << "\n";
@@ -6,6 +6,7 @@
 #define INTERFACECONFIG_H
 #include <QList>
 #include <QMap>
 #include <QString>
 #include <QMap>
 #include "ipaddress.h"
@@ -31,12 +32,14 @@ class InterfaceConfig {
  QString m_serverIpv4AddrIn;
  QString m_serverPskKey;
  QString m_serverIpv6AddrIn;
-  QString m_dnsServer;
+  QString m_primaryDnsServer;
  QString m_secondaryDnsServer;
  int m_serverPort = 0;
  int m_deviceMTU = 1420;
  QList<IPAddress> m_allowedIPAddressRanges;
  QStringList m_excludedAddresses;
  QStringList m_vpnDisabledApps;
  QStringList m_allowedDnsServers;
  bool m_killSwitchEnabled;
 #if defined(MZ_ANDROID) || defined(MZ_IOS)
  QString m_installationId;
@@ -47,10 +50,15 @@ class InterfaceConfig {
  QString m_junkPacketMaxSize;
  QString m_initPacketJunkSize;
  QString m_responsePacketJunkSize;
  QString m_cookieReplyPacketJunkSize;
  QString m_transportPacketJunkSize;
  QString m_initPacketMagicHeader;
  QString m_responsePacketMagicHeader;
  QString m_underloadPacketMagicHeader;
  QString m_transportPacketMagicHeader;
  QMap<QString, QString> m_specialJunk;
  QMap<QString, QString> m_controlledJunk;
  QString m_specialHandshakeTimeout;
  QJsonObject toJson() const;
  QString toWgConf(
@@ -26,10 +26,22 @@ set_target_properties(networkextension PROPERTIES
    XCODE_ATTRIBUTE_TARGETED_DEVICE_FAMILY "1,2"
    XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/../../Frameworks"
    XCODE_ATTRIBUTE_CODE_SIGN_STYLE Automatic
 )
 if(DEPLOY)
    set_target_properties(networkextension PROPERTIES
        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Distribution"
        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY[variant=Debug] "Apple Development"
        XCODE_ATTRIBUTE_CODE_SIGN_STYLE Manual
        XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER "distr ios.org.amnezia.AmneziaVPN"
        XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER[variant=Debug] "dev ios.org.amnezia.AmneziaVPN"
    )
 else()
    set_target_properties(networkextension PROPERTIES
        XCODE_ATTRIBUTE_CODE_SIGN_STYLE Automatic
    )
 endif()
 set_target_properties(networkextension PROPERTIES
    XCODE_ATTRIBUTE_SWIFT_VERSION "5.0"
    XCODE_ATTRIBUTE_CLANG_ENABLE_MODULES "YES"
@@ -1,6 +1,68 @@
 {
-  "info" : {
+  "images": [
-    "author" : "xcode",
+    {
-    "version" : 1
+      "idiom": "mac",
      "size": "16x16",
      "scale": "1x",
      "filename": "16.png"
    },
    {
      "idiom": "mac",
      "size": "16x16",
      "scale": "2x",
      "filename": "16@2x.png"
    },
    {
      "idiom": "mac",
      "size": "32x32",
      "scale": "1x",
      "filename": "32.png"
    },
    {
      "idiom": "mac",
      "size": "32x32",
      "scale": "2x",
      "filename": "32@2x.png"
    },
    {
      "idiom": "mac",
      "size": "128x128",
      "scale": "1x",
      "filename": "128.png"
    },
    {
      "idiom": "mac",
      "size": "128x128",
      "scale": "2x",
      "filename": "128@2x.png"
    },
    {
      "idiom": "mac",
      "size": "256x256",
      "scale": "1x",
      "filename": "256.png"
    },
    {
      "idiom": "mac",
      "size": "256x256",
      "scale": "2x",
      "filename": "256@2x.png"
    },
    {
      "idiom": "mac",
      "size": "512x512",
      "scale": "1x",
      "filename": "512.png"
    },
    {
      "idiom": "mac",
      "size": "512x512",
      "scale": "2x",
      "filename": "512@2x.png"
    }
  ],
  "info": {
    "version": 1,
    "author": "xcode"
  }
 }
@@ -1,50 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>$(DEVELOPMENT_LANGUAGE)</string>
 	<key>CFBundleAllowMixedLocalizations</key>
 	<true/>
 	<key>CFBundleExecutable</key>
 	<string>${EXECUTABLE_NAME}</string>
 	<key>CFBundleIdentifier</key>
 	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
 	<key>CFBundleName</key>
 	<string>$(PRODUCT_NAME)</string>
 	<key>CFBundlePackageType</key>
 	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
 	<key>CFBundleShortVersionString</key>
 	<string>$(MARKETING_VERSION)</string>
 	<key>CFBundleVersion</key>
 	<string>$(CURRENT_PROJECT_VERSION)</string>
 	<key>ITSAppUsesNonExemptEncryption</key>
 	<false/>
 	<key>LSApplicationCategoryType</key>
 	<string>public.app-category.utilities</string>
 	<key>LSMinimumSystemVersion</key>
 	<string>${MACOSX_DEPLOYMENT_TARGET}</string>
 	<key>LSMultipleInstancesProhibited</key>
 	<true/>
 	<key>NSPrincipalClass</key>
 	<string>NSApplication</string>
 	<key>NSSupportsAutomaticGraphicsSwitching</key>
 	<true/>
 </dict>
 </plist>
@@ -0,0 +1,172 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>CFBundleAllowMixedLocalizations</key>
 	<true/>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>en</string>
 	<key>CFBundleDisplayName</key>
 	<string>${QT_INTERNAL_DOLLAR_VAR}{PRODUCT_NAME}</string>
 	<key>CFBundleExecutable</key>
 	<string>${MACOSX_BUNDLE_EXECUTABLE_NAME}</string>
 	<key>CFBundleIdentifier</key>
 	<string>${MACOSX_BUNDLE_GUI_IDENTIFIER}</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
 	<key>CFBundleName</key>
 	<string>${MACOSX_BUNDLE_BUNDLE_NAME}</string>
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
 	<string>${MACOSX_BUNDLE_SHORT_VERSION_STRING}</string>
 	<key>CFBundleVersion</key>
 	<string>${MACOSX_BUNDLE_BUNDLE_VERSION}</string>
 	<key>NSHumanReadableCopyright</key>
 	<string>${MACOSX_BUNDLE_COPYRIGHT}</string>
 	<key>ITSAppUsesNonExemptEncryption</key>
 	<false/>
        <key>LSApplicationCategoryType</key>
 	<string>public.app-category.utilities</string>
 	<key>LSMinimumSystemVersion</key>
 	<string>${MACOSX_DEPLOYMENT_TARGET}</string>
 	<key>LSSupportsOpeningDocumentsInPlace</key>
 	<true/>
 	<key>com.wireguard.ios.app_group_id</key>
 	<string>group.org.amnezia.AmneziaVPN</string>
 	<key>NSCameraUsageDescription</key>
 	<string>Amnezia VPN needs access to the camera for reading QR-codes.</string>
 	<key>NSAppTransportSecurity</key>
 	<dict>
 		<key>NSAllowsArbitraryLoads</key>
 		<false/>
 		<key>NSAllowsLocalNetworking</key>
 		<true/>
 	</dict>
 	<key>CFBundleIcons</key>
        <dict/>
 	<key>UTImportedTypeDeclarations</key>
 	<array>
 		<dict>
 			<key>UTTypeConformsTo</key>
 			<array>
 				<string>public.data</string>
 			</array>
 			<key>UTTypeDescription</key>
 			<string>Amnezia VPN config</string>
 			<key>UTTypeIconFiles</key>
 			<array/>
 			<key>UTTypeIdentifier</key>
 			<string>org.amnezia.AmneziaVPN.amnezia-config</string>
 			<key>UTTypeTagSpecification</key>
 			<dict>
 				<key>public.filename-extension</key>
 				<array>
 					<string>vpn</string>
 				</array>
 				<key>public.mime-type</key>
 				<array>
 					<string>text/plain</string>
 				</array>
 			</dict>
 		</dict>
                <dict>
                        <key>UTTypeConformsTo</key>
                        <array>
                                <string>public.data</string>
                        </array>
                        <key>UTTypeDescription</key>
                        <string>WireGuard config</string>
                        <key>UTTypeIconFiles</key>
                        <array/>
                        <key>UTTypeIdentifier</key>
                        <string>org.amnezia.AmneziaVPN.wireguard-config</string>
                        <key>UTTypeTagSpecification</key>
                        <dict>
                                <key>public.filename-extension</key>
                                <array>
                                        <string>conf</string>
                                        <string>cfg</string>
                                </array>
                                <key>public.mime-type</key>
                                <array>
                                        <string>text/plain</string>
                                </array>
                        </dict>
                </dict>
                <dict>
                        <key>UTTypeConformsTo</key>
                        <array>
                                <string>public.data</string>
                        </array>
                        <key>UTTypeDescription</key>
                        <string>OpenVPN config</string>
                        <key>UTTypeIconFiles</key>
                        <array/>
                        <key>UTTypeIdentifier</key>
                        <string>org.amnezia.AmneziaVPN.openvpn-config</string>
                        <key>UTTypeTagSpecification</key>
                        <dict>
                                <key>public.filename-extension</key>
                                <array>
                                        <string>ovpn</string>
                                </array>
                                <key>public.mime-type</key>
                                <array>
                                        <string>text/plain</string>
                                </array>
                        </dict>
                </dict>
                <dict>
                        <key>UTTypeConformsTo</key>
                        <array>
                                <string>public.data</string>
                        </array>
                        <key>UTTypeDescription</key>
                        <string>AmneziaVPN backup file</string>
                        <key>UTTypeIconFiles</key>
                        <array/>
                        <key>UTTypeIdentifier</key>
                        <string>org.amnezia.AmneziaVPN.backup-config</string>
                        <key>UTTypeTagSpecification</key>
                        <dict>
                                <key>public.filename-extension</key>
                                <array>
                                        <string>backup</string>
                                </array>
                                <key>public.mime-type</key>
                                <array>
                                        <string>text/plain</string>
                                </array>
                        </dict>
                </dict>
 	</array>
        <key>CFBundleDocumentTypes</key>
        <array>
                <dict>
                        <key>CFBundleTypeName</key>
                        <string>Amnezia VPN config</string>
                        <key>LSHandlerRank</key>
                        <string>Alternate</string>
                        <key>LSItemContentTypes</key>
                        <array>
                                <string>org.amnezia.AmneziaVPN.amnezia-config</string>
                                <string>org.amnezia.AmneziaVPN.wireguard-config</string>
                                <string>org.amnezia.AmneziaVPN.openvpn-config</string>
                                <string>org.amnezia.AmneziaVPN.backup-config</string>
                        </array>
                </dict>
        </array>
        <key>NSExtensions</key>
        <array>
        <dict>
                <key>NSExtensionPointIdentifier</key>
                <string>com.apple.networkextension.packet-tunnel</string>
                <key>NSExtensionPrincipalClass</key>
                <string>$(PRODUCT_MODULE_NAME).PacketTunnelProvider</string>
        </dict>
        </array>
 </dict>
 </plist>
@@ -2,34 +2,40 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>com.apple.application-identifier</key>
+	<key>com.apple.developer.networking.custom-protocol</key>
-	<string>$(DEVELOPMENT_TEAM).$(APP_ID_MACOS)</string>
+	<true/>
 	<key>com.apple.developer.networking.networkextension</key>
 	<array>
 		<string>app-proxy-provider</string>
 		<string>packet-tunnel-provider</string>
 		<string>dns-settings</string>
 		<string>relay</string>
 		<string>content-filter-provider</string>
 		<string>dns-proxy</string>
 	</array>
-
+	<key>com.apple.developer.system-extension.install</key>
 	<true/>
 	<key>com.apple.developer.networking.vpn.api</key>
 	<array>
 		<string>allow-vpn</string>
 	</array>
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
 	<key>com.apple.security.application-groups</key>
 	<array>
 		<string>group.org.amnezia.AmneziaVPN</string>
 	</array>
 	<key>com.apple.security.files.user-selected.read-only</key>
 	<true/>
 	<key>com.apple.security.files.user-selected.read-write</key>
 	<true/>
 	<key>com.apple.security.network.client</key>
 	<true/>
 	<key>com.apple.security.network.server</key>
 	<true/>
 	<key>keychain-access-groups</key>
 	<array>
 		<string>$(DEVELOPMENT_TEAM).*</string>
 	</array>
 	<key>com.apple.developer.team-identifier</key>
 	<string>$(DEVELOPMENT_TEAM)</string>
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
 	<key>com.apple.security.application-groups</key>
 	<array>
 		<string>$(DEVELOPMENT_TEAM).$(GROUP_ID_MACOS)</string>
 	</array>
 	<key>com.apple.security.network.client</key>
 	<true/>
 	<key>com.apple.security.network.server</key>
 	<true/>
 </dict>
 </plist>
@@ -2,41 +2,30 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>com.apple.application-identifier</key>
+	<key>com.apple.developer.networking.custom-protocol</key>
-	<string>$(DEVELOPMENT_TEAM).$(NETEXT_ID_MACOS)</string>
+	<true/>
 	<key>com.apple.developer.networking.networkextension</key>
 	<array>
 		<string>dns-settings</string>
 		<string>relay</string>
 		<string>packet-tunnel-provider</string>
 		<string>content-filter-provider</string>
 		<string>dns-proxy</string>
 		<string>app-proxy-provider</string>
 	</array>
-
+	<key>com.apple.developer.networking.vpn.api</key>
 	<key>keychain-access-groups</key>
 	<array>
-		<string>$(DEVELOPMENT_TEAM).*</string>
+		<string>allow-vpn</string>
 	</array>
 	<key>com.apple.developer.team-identifier</key>
 	<string>$(DEVELOPMENT_TEAM)</string>
 	<key>com.apple.developer.system-extension.install</key>
 	<true/>
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
 	<key>com.apple.security.application-groups</key>
 	<array>
-		<string>$(DEVELOPMENT_TEAM).$(GROUP_ID_MACOS)</string>
+		<string>group.org.amnezia.AmneziaVPN</string>
 	</array>
 	<key>com.apple.security.network.client</key>
 	<true/>
 	<key>com.apple.security.network.server</key>
 	<true/>
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
 	<key>com.apple.private.network.socket-delegate</key>
 	<true/>
 </dict>
 </plist>
@@ -0,0 +1,138 @@
 enable_language(Swift)
 message("Client message >> macos build >> AmneziaVPNNetworkExtension")
 set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/../..)
 add_executable(AmneziaVPNNetworkExtension)
 message("executable_path is: @executable_path/../../Frameworks")
 set_target_properties(AmneziaVPNNetworkExtension PROPERTIES
    XCODE_PRODUCT_TYPE com.apple.product-type.app-extension
    # MACOSX_BUNDLE YES
    BUNDLE_EXTENSION appex
    MACOSX_BUNDLE_SHORT_VERSION_STRING "${APPLE_PROJECT_VERSION}"
    MACOSX_BUNDLE_INFO_STRING "AmneziaVPNNetworkExtension"
    MACOSX_BUNDLE_BUNDLE_NAME "AmneziaVPNNetworkExtension"
    XCODE_ATTRIBUTE_PRODUCT_BUNDLE_IDENTIFIER "${BUILD_IOS_APP_IDENTIFIER}.network-extension"
    XCODE_ATTRIBUTE_PRODUCT_BUNDLE_NAME "${BUILD_IOS_APP_IDENTIFIER}.network-extension"
    XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS ${CMAKE_CURRENT_SOURCE_DIR}/AmneziaVPNNetworkExtension.entitlements
    XCODE_ATTRIBUTE_MARKETING_VERSION "${APP_MAJOR_VERSION}"
    XCODE_ATTRIBUTE_CURRENT_PROJECT_VERSION "${BUILD_ID}"
    XCODE_ATTRIBUTE_PRODUCT_NAME "AmneziaVPNNetworkExtension"
    XCODE_ATTRIBUTE_APPLICATION_EXTENSION_API_ONLY "YES"
    XCODE_ATTRIBUTE_ENABLE_BITCODE "NO"
    XCODE_ATTRIBUTE_MACOSX_DEPLOYMENT_TARGET "11.0"
    XCODE_ATTRIBUTE_INFOPLIST_FILE ${CMAKE_CURRENT_SOURCE_DIR}/Info.plist.in
    XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/../../../../Frameworks @loader_path/../../../../Frameworks"
 )
 if(DEPLOY)
    message("DEPLOY is ON")
    set_target_properties(AmneziaVPNNetworkExtension PROPERTIES
        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Distribution"
        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY[variant=Debug] "Apple Development"
        XCODE_ATTRIBUTE_CODE_SIGN_STYLE Manual
        XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER "distr macos.org.amnezia.amneziaVPN.NE"
        XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER[variant=Debug] "dev macos.org.amnezia.amneziaVPN.NE"
    )
 else()
    set_target_properties(AmneziaVPNNetworkExtension PROPERTIES
        XCODE_ATTRIBUTE_CODE_SIGN_STYLE Automatic
    )
 endif()
 set_target_properties(AmneziaVPNNetworkExtension PROPERTIES
    XCODE_ATTRIBUTE_SWIFT_VERSION "5.0"
    XCODE_ATTRIBUTE_CLANG_ENABLE_MODULES "YES"
    XCODE_ATTRIBUTE_SWIFT_OBJC_BRIDGING_HEADER "${CMAKE_CURRENT_SOURCE_DIR}/WireGuardNetworkExtension-Bridging-Header.h"
    XCODE_ATTRIBUTE_SWIFT_OPTIMIZATION_LEVEL "-Onone"
    XCODE_ATTRIBUTE_SWIFT_PRECOMPILE_BRIDGING_HEADER "NO"
 )
 set_target_properties("AmneziaVPNNetworkExtension" PROPERTIES
    XCODE_ATTRIBUTE_DEVELOPMENT_TEAM "X7UJ388FXK"
 )
 find_library(FW_ASSETS_LIBRARY AssetsLibrary)
 find_library(FW_MOBILE_CORE MobileCoreServices)
 find_library(FW_UI_KIT UIKit)
 find_library(FW_LIBRESOLV libresolv.9.tbd)
 # Set the root directory
 set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/../..)
 target_link_libraries(AmneziaVPNNetworkExtension PRIVATE ${FW_LIBRESOLV})
 target_compile_options(AmneziaVPNNetworkExtension PRIVATE -DGROUP_ID=\"${BUILD_IOS_GROUP_IDENTIFIER}\")
 target_compile_options(AmneziaVPNNetworkExtension PRIVATE -DNETWORK_EXTENSION=1)
 set(WG_APPLE_SOURCE_DIR ${CLIENT_ROOT_DIR}/3rd/amneziawg-apple/Sources)
 message("WG_APPLE_SOURCE_DIR is: ${WG_APPLE_SOURCE_DIR}")
 message("CLIENT_ROOT_DIR is: ${CLIENT_ROOT_DIR}")
 target_sources(AmneziaVPNNetworkExtension PRIVATE
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/WireGuardAdapter.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/PacketTunnelSettingsGenerator.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/DNSResolver.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardNetworkExtension/ErrorNotifier.swift
    ${WG_APPLE_SOURCE_DIR}/Shared/Keychain.swift
    ${WG_APPLE_SOURCE_DIR}/Shared/Model/TunnelConfiguration+WgQuickConfig.swift
    ${WG_APPLE_SOURCE_DIR}/Shared/Model/NETunnelProviderProtocol+Extension.swift
    ${WG_APPLE_SOURCE_DIR}/Shared/Model/String+ArrayConversion.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/TunnelConfiguration.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/IPAddressRange.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/Endpoint.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/DNSServer.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/InterfaceConfiguration.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/PeerConfiguration.swift
    ${WG_APPLE_SOURCE_DIR}/Shared/FileManager+Extension.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKitC/x25519.c
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/Array+ConcurrentMap.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/IPAddress+AddrInfo.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/PrivateKey.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/HevSocksTunnel.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/NELogController.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/Log.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+WireGuard.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+OpenVPN.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+Xray.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/WGConfig.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/iosglue.mm
    ${CLIENT_ROOT_DIR}/platforms/ios/XrayConfig.swift
 )
 target_sources(AmneziaVPNNetworkExtension PRIVATE
    ${CMAKE_CURRENT_SOURCE_DIR}/PrivacyInfo.xcprivacy
 )
 set_property(TARGET AmneziaVPNNetworkExtension APPEND PROPERTY RESOURCE
    ${CMAKE_CURRENT_SOURCE_DIR}/PrivacyInfo.xcprivacy
 )
 ## Build wireguard-go-version.h
 execute_process(
    COMMAND go list -m golang.zx2c4.com/wireguard
    WORKING_DIRECTORY ${CLIENT_ROOT_DIR}/3rd/wireguard-apple/Sources/WireGuardKitGo
    OUTPUT_VARIABLE WG_VERSION_FULL
 )
 string(REGEX REPLACE ".*v\([0-9.]*\).*" "\\1" WG_VERSION_STRING 1.1.1)
 configure_file(${CMAKE_CURRENT_SOURCE_DIR}/wireguard-go-version.h.in
               ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go-version.h)
 target_sources(AmneziaVPNNetworkExtension PRIVATE
    ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go-version.h)
 target_include_directories(AmneziaVPNNetworkExtension PRIVATE ${CLIENT_ROOT_DIR})
 target_include_directories(AmneziaVPNNetworkExtension PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 target_link_libraries(AmneziaVPNNetworkExtension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/wireguard/macos/universal2/libwg-go.a)
 message(${CLIENT_ROOT_DIR})
 message(${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/xray/HevSocks5Tunnel.xcframework/macos-arm64_x86_64/libhev-socks5-tunnel.a)
 target_link_libraries(AmneziaVPNNetworkExtension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/xray/HevSocks5Tunnel.xcframework/macos-arm64_x86_64/libhev-socks5-tunnel.a)
 target_include_directories(AmneziaVPNNetworkExtension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/xray/HevSocks5Tunnel.xcframework/macos-arm64_x86_64/Headers)
@@ -3,27 +3,32 @@
 <plist version="1.0">
 <dict>
 	<key>CFBundleDevelopmentRegion</key>
-	<string>$(DEVELOPMENT_LANGUAGE)</string>
+	<string>en</string>
 	<key>CFBundleDisplayName</key>
 	<string>AmneziaVPNNetworkExtension</string>
 	<key>CFBundleExecutable</key>
-	<string>$(EXECUTABLE_NAME)</string>
+	<string>AmneziaVPNNetworkExtension</string>
 	<key>CFBundleIdentifier</key>
-	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+	<string>org.amnezia.AmneziaVPN.network-extension</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
 	<key>CFBundleName</key>
-	<string>$(PRODUCT_NAME)</string>
+	<string>AmneziaVPNNetworkExtension</string>
 	<key>CFBundlePackageType</key>
 	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
 	<key>CFBundleShortVersionString</key>
-	<string>$(MARKETING_VERSION)</string>
+	<string>${APPLE_PROJECT_VERSION}</string>
 	<key>CFBundleVersion</key>
-	<string>$(CURRENT_PROJECT_VERSION)</string>
+	<string>${CMAKE_PROJECT_VERSION_TWEAK}</string>
 	<key>ITSAppUsesNonExemptEncryption</key>
 	<false/>
 	<key>LSMinimumSystemVersion</key>
-	<string>$(MACOSX_DEPLOYMENT_TARGET)</string>
+	<string>${CMAKE_OSX_DEPLOYMENT_TARGET}</string>
 	<key>CFBundleDisplayName</key>
 	<string>AmneziaVPNNetworkExtension</string>
 	<key>NSExtension</key>
 	<dict>
 		<key>NSExtensionPointIdentifier</key>
@@ -31,5 +36,11 @@
 		<key>NSExtensionPrincipalClass</key>
 		<string>$(PRODUCT_MODULE_NAME).PacketTunnelProvider</string>
 	</dict>
 	<key>com.wireguard.ios.app_group_id</key>
 	<string>group.org.amnezia.AmneziaVPN</string>
 	<key>com.wireguard.macos.app_group_id</key>
 	<string>${BUILD_VPN_DEVELOPMENT_TEAM}.group.org.amnezia.AmneziaVPN</string>
 </dict>
 </plist>
@@ -0,0 +1,25 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>NSPrivacyAccessedAPITypes</key>
 	<array>
 		<dict>
 			<key>NSPrivacyAccessedAPIType</key>
 			<string>NSPrivacyAccessedAPICategoryUserDefaults</string>
 			<key>NSPrivacyAccessedAPITypeReasons</key>
 			<array>
 				<string>1C8F.1</string>
 			</array>
 		</dict>
 		<dict>
 			<key>NSPrivacyAccessedAPIType</key>
 			<string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
 			<key>NSPrivacyAccessedAPITypeReasons</key>
 			<array>
 				<string>C617.1</string>
 			</array>
 		</dict>
 	</array>
 </dict>
 </plist>
@@ -2,9 +2,9 @@
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "macos/gobridge/wireguard.h"
 #include "wireguard-go-version.h"
-#include "3rd/awg-apple/Sources/WireGuardKitC/WireGuardKitC.h"
+#include "3rd/amneziawg-apple/Sources/WireGuardKitGo/wireguard.h"
 #include "3rd/amneziawg-apple/Sources/WireGuardKitC/WireGuardKitC.h"
 #include <stdbool.h>
 #include <stdint.h>
@@ -23,3 +23,8 @@ bool key_from_hex(uint8_t key[WG_KEY_LEN], const char* hex);
 bool key_eq(const uint8_t key1[WG_KEY_LEN], const uint8_t key2[WG_KEY_LEN]);
 void write_msg_to_log(const char* tag, const char* msg);
 // init function definition in C 
 void hev_socks5_tunnel_quit(void);
 // Updated function definition in C
 int hev_socks5_tunnel_main(const char* configFile, int fd);
@@ -0,0 +1,3 @@
 #ifndef WIREGUARD_GO_VERSION
 #define WIREGUARD_GO_VERSION "@WG_VERSION_STRING@"
 #endif // WIREGUARD_GO_VERSION
@@ -15,7 +15,7 @@
    #include "platforms/ios/QtAppDelegate-C-Interface.h"
 #endif
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
 bool isAnotherInstanceRunning()
 {
    QLocalSocket socket;
@@ -45,7 +45,7 @@ int main(int argc, char *argv[])
    AmneziaApplication app(argc, argv);
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
    if (isAnotherInstanceRunning()) {
        QTimer::singleShot(1000, &app, [&]() { app.quit(); });
        return app.exec();
@@ -5,6 +5,9 @@
 #include <stdint.h>
 #include <QCoreApplication>
 #include <QDateTime>
 #include <QDebug>
 #include <QDir>
 #include <QFileInfo>
 #include <QHostAddress>
@@ -12,7 +15,10 @@
 #include <QJsonDocument>
 #include <QJsonObject>
 #include <QJsonValue>
 #include <QLocalSocket>
 #include <QObject>
 #include <QStandardPaths>
 #include <QTimer>
 #include "leakdetector.h"
 #include "logger.h"
@@ -120,6 +126,7 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) {
  int appSplitTunnelType = rawConfig.value(amnezia::config_key::appSplitTunnelType).toInt();
  QJsonArray splitTunnelApps = rawConfig.value(amnezia::config_key::splitTunnelApps).toArray();
  QJsonArray allowedDns = rawConfig.value(amnezia::config_key::allowedDnsServers).toArray();
  QJsonObject wgConfig = rawConfig.value(protocolName + "_config_data").toObject();
@@ -131,8 +138,7 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) {
  m_deviceIpv4 = wgConfig.value(amnezia::config_key::client_ip).toString();
  // set up IPv6 unique-local-address, ULA, with "fd00::/8" prefix, not globally routable.
-  // this will be default IPv6 gateway, OS recognizes that IPv6 link
+  // this will be default IPv6 gateway, OS recognizes that IPv6 link is local and switches to IPv4.
  // is local and switches to IPv4.
  // Otherwise some OSes (Linux) try IPv6 forever and hang.
  // https://en.wikipedia.org/wiki/Unique_local_address (RFC 4193)
  // https://man7.org/linux/man-pages/man5/gai.conf.5.html
@@ -149,7 +155,14 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) {
  json.insert("serverPort", wgConfig.value(amnezia::config_key::port).toInt());
  json.insert("serverIpv4Gateway", wgConfig.value(amnezia::config_key::hostName));
  //  json.insert("serverIpv6Gateway", QJsonValue(hop.m_server.ipv6Gateway()));
-  json.insert("dnsServer", rawConfig.value(amnezia::config_key::dns1));
+
  json.insert("primaryDnsServer", rawConfig.value(amnezia::config_key::dns1));
  // We don't use secondary DNS if primary DNS is AmneziaDNS
  if (!rawConfig.value(amnezia::config_key::dns1).toString().
    contains(amnezia::protocols::dns::amneziaDnsIp)) {
    json.insert("secondaryDnsServer", rawConfig.value(amnezia::config_key::dns2));
  }
  QJsonArray jsAllowedIPAddesses;
@@ -226,6 +239,8 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) {
  json.insert("vpnDisabledApps", splitTunnelApps);
  json.insert("allowedDnsServers", allowedDns);
  json.insert(amnezia::config_key::killSwitchOption, rawConfig.value(amnezia::config_key::killSwitchOption));
  if (protocolName == amnezia::config_key::awg) {
@@ -234,28 +249,61 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) {
    json.insert(amnezia::config_key::junkPacketMaxSize, wgConfig.value(amnezia::config_key::junkPacketMaxSize));
    json.insert(amnezia::config_key::initPacketJunkSize, wgConfig.value(amnezia::config_key::initPacketJunkSize));
    json.insert(amnezia::config_key::responsePacketJunkSize, wgConfig.value(amnezia::config_key::responsePacketJunkSize));
    json.insert(amnezia::config_key::cookieReplyPacketJunkSize, wgConfig.value(amnezia::config_key::cookieReplyPacketJunkSize));
    json.insert(amnezia::config_key::transportPacketJunkSize, wgConfig.value(amnezia::config_key::transportPacketJunkSize));
    json.insert(amnezia::config_key::initPacketMagicHeader, wgConfig.value(amnezia::config_key::initPacketMagicHeader));
    json.insert(amnezia::config_key::responsePacketMagicHeader, wgConfig.value(amnezia::config_key::responsePacketMagicHeader));
    json.insert(amnezia::config_key::underloadPacketMagicHeader, wgConfig.value(amnezia::config_key::underloadPacketMagicHeader));
    json.insert(amnezia::config_key::transportPacketMagicHeader, wgConfig.value(amnezia::config_key::transportPacketMagicHeader));
    json.insert(amnezia::config_key::specialJunk1, wgConfig.value(amnezia::config_key::specialJunk1));
    json.insert(amnezia::config_key::specialJunk2, wgConfig.value(amnezia::config_key::specialJunk2));
    json.insert(amnezia::config_key::specialJunk3, wgConfig.value(amnezia::config_key::specialJunk3));
    json.insert(amnezia::config_key::specialJunk4, wgConfig.value(amnezia::config_key::specialJunk4));
    json.insert(amnezia::config_key::specialJunk5, wgConfig.value(amnezia::config_key::specialJunk5));
    json.insert(amnezia::config_key::controlledJunk1, wgConfig.value(amnezia::config_key::controlledJunk1));
    json.insert(amnezia::config_key::controlledJunk2, wgConfig.value(amnezia::config_key::controlledJunk2));
    json.insert(amnezia::config_key::controlledJunk3, wgConfig.value(amnezia::config_key::controlledJunk3));
    json.insert(amnezia::config_key::specialHandshakeTimeout, wgConfig.value(amnezia::config_key::specialHandshakeTimeout));
  } else if (!wgConfig.value(amnezia::config_key::junkPacketCount).isUndefined()
             && !wgConfig.value(amnezia::config_key::junkPacketMinSize).isUndefined()
             && !wgConfig.value(amnezia::config_key::junkPacketMaxSize).isUndefined()
             && !wgConfig.value(amnezia::config_key::initPacketJunkSize).isUndefined()
             && !wgConfig.value(amnezia::config_key::responsePacketJunkSize).isUndefined()
             && !wgConfig.value(amnezia::config_key::cookieReplyPacketJunkSize).isUndefined()
             && !wgConfig.value(amnezia::config_key::transportPacketJunkSize).isUndefined()
             && !wgConfig.value(amnezia::config_key::initPacketMagicHeader).isUndefined()
             && !wgConfig.value(amnezia::config_key::responsePacketMagicHeader).isUndefined()
             && !wgConfig.value(amnezia::config_key::underloadPacketMagicHeader).isUndefined()
-             && !wgConfig.value(amnezia::config_key::transportPacketMagicHeader).isUndefined()) {
+             && !wgConfig.value(amnezia::config_key::transportPacketMagicHeader).isUndefined()
             && !wgConfig.value(amnezia::config_key::specialJunk1).isUndefined()
             && !wgConfig.value(amnezia::config_key::specialJunk2).isUndefined()
             && !wgConfig.value(amnezia::config_key::specialJunk3).isUndefined()
             && !wgConfig.value(amnezia::config_key::specialJunk4).isUndefined()
             && !wgConfig.value(amnezia::config_key::specialJunk5).isUndefined()
             && !wgConfig.value(amnezia::config_key::controlledJunk1).isUndefined()
             && !wgConfig.value(amnezia::config_key::controlledJunk2).isUndefined()
             && !wgConfig.value(amnezia::config_key::controlledJunk3).isUndefined()
             && !wgConfig.value(amnezia::config_key::specialHandshakeTimeout).isUndefined()) {
    json.insert(amnezia::config_key::junkPacketCount, wgConfig.value(amnezia::config_key::junkPacketCount));
    json.insert(amnezia::config_key::junkPacketMinSize, wgConfig.value(amnezia::config_key::junkPacketMinSize));
    json.insert(amnezia::config_key::junkPacketMaxSize, wgConfig.value(amnezia::config_key::junkPacketMaxSize));
    json.insert(amnezia::config_key::initPacketJunkSize, wgConfig.value(amnezia::config_key::initPacketJunkSize));
    json.insert(amnezia::config_key::responsePacketJunkSize, wgConfig.value(amnezia::config_key::responsePacketJunkSize));
    json.insert(amnezia::config_key::cookieReplyPacketJunkSize, wgConfig.value(amnezia::config_key::cookieReplyPacketJunkSize));
    json.insert(amnezia::config_key::transportPacketJunkSize, wgConfig.value(amnezia::config_key::transportPacketJunkSize));
    json.insert(amnezia::config_key::initPacketMagicHeader, wgConfig.value(amnezia::config_key::initPacketMagicHeader));
    json.insert(amnezia::config_key::responsePacketMagicHeader, wgConfig.value(amnezia::config_key::responsePacketMagicHeader));
    json.insert(amnezia::config_key::underloadPacketMagicHeader, wgConfig.value(amnezia::config_key::underloadPacketMagicHeader));
    json.insert(amnezia::config_key::transportPacketMagicHeader, wgConfig.value(amnezia::config_key::transportPacketMagicHeader));
    json.insert(amnezia::config_key::specialJunk1, wgConfig.value(amnezia::config_key::specialJunk1));
    json.insert(amnezia::config_key::specialJunk2, wgConfig.value(amnezia::config_key::specialJunk2));
    json.insert(amnezia::config_key::specialJunk3, wgConfig.value(amnezia::config_key::specialJunk3));
    json.insert(amnezia::config_key::specialJunk4, wgConfig.value(amnezia::config_key::specialJunk4));
    json.insert(amnezia::config_key::specialJunk5, wgConfig.value(amnezia::config_key::specialJunk5));
    json.insert(amnezia::config_key::controlledJunk1, wgConfig.value(amnezia::config_key::controlledJunk1));
    json.insert(amnezia::config_key::controlledJunk2, wgConfig.value(amnezia::config_key::controlledJunk2));
    json.insert(amnezia::config_key::controlledJunk3, wgConfig.value(amnezia::config_key::controlledJunk3));
    json.insert(amnezia::config_key::specialHandshakeTimeout, wgConfig.value(amnezia::config_key::specialHandshakeTimeout));
  }
  write(json);
@@ -112,9 +112,19 @@ extension PacketTunnelProvider {
                }
            }
            let lastHandshakeString = settingsDictionary["last_handshake_time_sec"]
            let lastHandshake: Int64
            if let lastHandshakeValue = lastHandshakeString, let handshakeValue = Int64(lastHandshakeValue) {
                lastHandshake = handshakeValue
            } else {
                lastHandshake = -2  // Return an error if there is no value for `last_handshake_time_sec`
            }
            let response: [String: Any] = [
                "rx_bytes": settingsDictionary["rx_bytes"] ?? "0",
-                "tx_bytes": settingsDictionary["tx_bytes"] ?? "0"
+                "tx_bytes": settingsDictionary["tx_bytes"] ?? "0",
                "last_handshake_time_sec": lastHandshake
            ]
            completionHandler(try? JSONSerialization.data(withJSONObject: response, options: []))
@@ -1,3 +1,4 @@
 #if !MACOS_NE
 #include "QRCodeReaderBase.h"
 #import <UIKit/UIKit.h>
@@ -108,3 +109,19 @@ void QRCodeReader::startReading() {
 void QRCodeReader::stopReading() {
    [m_qrCodeReader stopReading];
 }
 #else
 #include "QRCodeReaderBase.h"
 QRCodeReader::QRCodeReader()
 {
 }
 QRect QRCodeReader::cameraSize() {
    return QRect();
 }
 void QRCodeReader::startReading() {}
 void QRCodeReader::stopReading() {}
 void QRCodeReader::setCameraSize(QRect) {}
 #endif
@@ -1,5 +1,6 @@
 #if !MACOS_NE
 #import <UIKit/UIKit.h>
-
+#endif
@interface QIOSApplicationDelegate
@end
@@ -5,7 +5,7 @@
@implementation QIOSApplicationDelegate (AmneziaVPNDelegate)
-
+#if !MACOS_NE
 - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions
 {
    [application setMinimumBackgroundFetchInterval: UIApplicationBackgroundFetchIntervalMinimum];
@@ -57,5 +57,5 @@
    }
    return NO;
 }
-
+#endif
@end
@@ -1,3 +1,13 @@
 #if MACOS_NE
 public func toggleScreenshots(_ isEnabled: Bool) {
 }
 class ScreenProtection {
 }
 #else
 import UIKit
 public func toggleScreenshots(_ isEnabled: Bool) {
@@ -90,3 +100,4 @@ struct ProtectionPair {
    textField.removeFromSuperview()
  }
 }
 #endif
@@ -4,7 +4,10 @@ struct WGConfig: Decodable {
  let initPacketMagicHeader, responsePacketMagicHeader: String?
  let underloadPacketMagicHeader, transportPacketMagicHeader: String?
  let junkPacketCount, junkPacketMinSize, junkPacketMaxSize: String?
-  let initPacketJunkSize, responsePacketJunkSize: String?
+  let initPacketJunkSize, responsePacketJunkSize, cookieReplyPacketJunkSize, transportPacketJunkSize: String?
  let specialJunk1, specialJunk2, specialJunk3, specialJunk4, specialJunk5: String?
  let controlledJunk1, controlledJunk2, controlledJunk3: String?
  let specialHandshakeTimeout: String?
  let dns1: String
  let dns2: String
  let mtu: String
@@ -23,7 +26,10 @@ struct WGConfig: Decodable {
    case initPacketMagicHeader = "H1", responsePacketMagicHeader = "H2"
    case underloadPacketMagicHeader = "H3", transportPacketMagicHeader = "H4"
    case junkPacketCount = "Jc", junkPacketMinSize = "Jmin", junkPacketMaxSize = "Jmax"
-    case initPacketJunkSize = "S1", responsePacketJunkSize = "S2"
+    case initPacketJunkSize = "S1", responsePacketJunkSize = "S2", cookieReplyPacketJunkSize = "S3", transportPacketJunkSize = "S4"
    case specialJunk1 = "I1", specialJunk2 = "I2", specialJunk3 = "I3", specialJunk4 = "I4", specialJunk5 = "I5"
    case controlledJunk1 = "J1", controlledJunk2 = "J2", controlledJunk3 = "J3"
    case specialHandshakeTimeout = "Itime"
    case dns1
    case dns2
    case mtu
@@ -40,19 +46,59 @@ struct WGConfig: Decodable {
  }
  var settings: String {
-    junkPacketCount == nil ? "" :
+    guard junkPacketCount != nil else { return "" }
    """
    Jc = \(junkPacketCount!)
    Jmin = \(junkPacketMinSize!)
    Jmax = \(junkPacketMaxSize!)
    S1 = \(initPacketJunkSize!)
    S2 = \(responsePacketJunkSize!)
    H1 = \(initPacketMagicHeader!)
    H2 = \(responsePacketMagicHeader!)
    H3 = \(underloadPacketMagicHeader!)
    H4 = \(transportPacketMagicHeader!)
-    """
+    var settingsLines: [String] = []
    // Required parameters when junkPacketCount is present
    settingsLines.append("Jc = \(junkPacketCount!)")
    settingsLines.append("Jmin = \(junkPacketMinSize!)")
    settingsLines.append("Jmax = \(junkPacketMaxSize!)")
    settingsLines.append("S1 = \(initPacketJunkSize!)")
    settingsLines.append("S2 = \(responsePacketJunkSize!)")
    settingsLines.append("H1 = \(initPacketMagicHeader!)")
    settingsLines.append("H2 = \(responsePacketMagicHeader!)")
    settingsLines.append("H3 = \(underloadPacketMagicHeader!)")
    settingsLines.append("H4 = \(transportPacketMagicHeader!)")
    // Optional parameters - only add if not nil and not empty
    if let s3 = cookieReplyPacketJunkSize, !s3.isEmpty {
      settingsLines.append("S3 = \(s3)")
    }
    if let s4 = transportPacketJunkSize, !s4.isEmpty {
      settingsLines.append("S4 = \(s4)")
    }
    if let i1 = specialJunk1, !i1.isEmpty {
      settingsLines.append("I1 = \(i1)")
    }
    if let i2 = specialJunk2, !i2.isEmpty {
      settingsLines.append("I2 = \(i2)")
    }
    if let i3 = specialJunk3, !i3.isEmpty {
      settingsLines.append("I3 = \(i3)")
    }
    if let i4 = specialJunk4, !i4.isEmpty {
      settingsLines.append("I4 = \(i4)")
    }
    if let i5 = specialJunk5, !i5.isEmpty {
      settingsLines.append("I5 = \(i5)")
    }
    if let j1 = controlledJunk1, !j1.isEmpty {
      settingsLines.append("J1 = \(j1)")
    }
    if let j2 = controlledJunk2, !j2.isEmpty {
      settingsLines.append("J2 = \(j2)")
    }
    if let j3 = controlledJunk3, !j3.isEmpty {
      settingsLines.append("J3 = \(j3)")
    }
    if let itime = specialHandshakeTimeout, !itime.isEmpty {
      settingsLines.append("Itime = \(itime)")
    }
    return settingsLines.joined(separator: "\n")
  }
  var str: String {
@@ -46,6 +46,7 @@ public:
    void disconnectVpn();
    void vpnStatusDidChange(void *pNotification);
    void vpnConfigurationDidChange(void *pNotification);
    void getBackendLogs(std::function<void(const QString &)> &&callback);
@@ -27,6 +27,7 @@ const char* MessageKey::isOnDemand = "is-on-demand";
 const char* MessageKey::SplitTunnelType = "SplitTunnelType";
 const char* MessageKey::SplitTunnelSites = "SplitTunnelSites";
 #if !MACOS_NE
 static UIViewController* getViewController() {
    NSArray *windows = [[UIApplication sharedApplication]windows];
    for (UIWindow *window in windows) {
@@ -36,6 +37,7 @@ static UIViewController* getViewController() {
    }
    return nil;
 }
 #endif
 Vpn::ConnectionState iosStatusToState(NEVPNStatus status) {
  switch (status) {
@@ -249,6 +251,21 @@ void IosController::checkStatus()
    sendVpnExtensionMessage(message, [&](NSDictionary* response){
        uint64_t txBytes = [response[@"tx_bytes"] intValue];
        uint64_t rxBytes = [response[@"rx_bytes"] intValue];
        uint64_t last_handshake_time_sec = 0;
 #if !MACOS_NE
        if (response[@"last_handshake_time_sec"] && ![response[@"last_handshake_time_sec"] isKindOfClass:[NSNull class]]) {
            last_handshake_time_sec = [response[@"last_handshake_time_sec"] intValue];
        } else {
            qDebug() << "Key last_handshake_time_sec is missing or null";
        }
        if (last_handshake_time_sec < 0) {
            disconnectVpn();
            qDebug() << "Invalid handshake time, disconnecting VPN.";
        }
 #endif
        emit bytesChanged(rxBytes - m_rxBytes, txBytes - m_txBytes);
        m_rxBytes = rxBytes;
        m_txBytes = txBytes;
@@ -507,6 +524,8 @@ bool IosController::setupWireGuard()
        wgConfig.insert(config_key::initPacketJunkSize, config[config_key::initPacketJunkSize]);
        wgConfig.insert(config_key::responsePacketJunkSize, config[config_key::responsePacketJunkSize]);
        wgConfig.insert(config_key::cookieReplyPacketJunkSize, config[config_key::cookieReplyPacketJunkSize]);
        wgConfig.insert(config_key::transportPacketJunkSize, config[config_key::transportPacketJunkSize]);
        wgConfig.insert(config_key::junkPacketCount, config[config_key::junkPacketCount]);
        wgConfig.insert(config_key::junkPacketMinSize, config[config_key::junkPacketMinSize]);
@@ -605,11 +624,23 @@ bool IosController::setupAwg()
    wgConfig.insert(config_key::initPacketJunkSize, config[config_key::initPacketJunkSize]);
    wgConfig.insert(config_key::responsePacketJunkSize, config[config_key::responsePacketJunkSize]);
    wgConfig.insert(config_key::cookieReplyPacketJunkSize, config[config_key::cookieReplyPacketJunkSize]);
    wgConfig.insert(config_key::transportPacketJunkSize, config[config_key::transportPacketJunkSize]);
    wgConfig.insert(config_key::junkPacketCount, config[config_key::junkPacketCount]);
    wgConfig.insert(config_key::junkPacketMinSize, config[config_key::junkPacketMinSize]);
    wgConfig.insert(config_key::junkPacketMaxSize, config[config_key::junkPacketMaxSize]);
    wgConfig.insert(config_key::specialJunk1, config[config_key::specialJunk1]);
    wgConfig.insert(config_key::specialJunk2, config[config_key::specialJunk2]);
    wgConfig.insert(config_key::specialJunk3, config[config_key::specialJunk3]);
    wgConfig.insert(config_key::specialJunk4, config[config_key::specialJunk4]);
    wgConfig.insert(config_key::specialJunk5, config[config_key::specialJunk5]);
    wgConfig.insert(config_key::controlledJunk1, config[config_key::controlledJunk1]);
    wgConfig.insert(config_key::controlledJunk2, config[config_key::controlledJunk2]);
    wgConfig.insert(config_key::controlledJunk3, config[config_key::controlledJunk3]);
    wgConfig.insert(config_key::specialHandshakeTimeout, config[config_key::specialHandshakeTimeout]);
    QJsonDocument wgConfigDoc(wgConfig);
    QString wgConfigDocStr(wgConfigDoc.toJson(QJsonDocument::Compact));
@@ -789,14 +820,14 @@ bool IosController::shareText(const QStringList& filesToSend) {
        NSURL *logFileUrl = [[NSURL alloc] initFileURLWithPath:filesToSend[i].toNSString()];
        [sharingItems addObject:logFileUrl];
    }
-
+#if !MACOS_NE
    UIViewController *qtController = getViewController();
    if (!qtController) return;
    UIActivityViewController *activityController = [[UIActivityViewController alloc] initWithActivityItems:sharingItems applicationActivities:nil];
-    
+#endif
    __block bool isAccepted = false;
-    
+#if !MACOS_NE
    [activityController setCompletionWithItemsHandler:^(NSString *activityType, BOOL completed, NSArray *returnedItems, NSError *activityError) {
        isAccepted = completed;
        emit finished();
@@ -809,6 +840,7 @@ bool IosController::shareText(const QStringList& filesToSend) {
        popController.sourceRect = CGRectMake(100, 100, 100, 100);
    }
 #endif
    QEventLoop wait;
    QObject::connect(this, &IosController::finished, &wait, &QEventLoop::quit);
    wait.exec();
@@ -817,6 +849,7 @@ bool IosController::shareText(const QStringList& filesToSend) {
 }
 QString IosController::openFile() {
 #if !MACOS_NE
    UIDocumentPickerViewController *documentPicker = [[UIDocumentPickerViewController alloc] initWithDocumentTypes:@[@"public.item"] inMode:UIDocumentPickerModeOpen];
    DocumentPickerDelegate *documentPickerDelegate = [[DocumentPickerDelegate alloc] init];
@@ -827,8 +860,9 @@ QString IosController::openFile() {
    [qtController presentViewController:documentPicker animated:YES completion:nil];
 #endif
    __block QString filePath;
-
+#if !MACOS_NE
    documentPickerDelegate.documentPickerClosedCallback = ^(NSString *path) {
        if (path) {
            filePath = QString::fromUtf8(path.UTF8String);
@@ -837,7 +871,7 @@ QString IosController::openFile() {
        }
        emit finished();
    };
-
+#endif
    QEventLoop wait;
    QObject::connect(this, &IosController::finished, &wait, &QEventLoop::quit);
    wait.exec();
@@ -1,7 +1,11 @@
 #import <NetworkExtension/NetworkExtension.h>
 #import <NetworkExtension/NETunnelProviderSession.h>
 #import <Foundation/Foundation.h>
 #if !MACOS_NE
 #include <UIKit/UIKit.h>
 #endif
 #include <Security/Security.h>
 class IosController;
@@ -17,9 +21,10 @@ class IosController;
@end
 typedef void (^DocumentPickerClosedCallback)(NSString *path);
-
+#if !MACOS_NE
@interface DocumentPickerDelegate : NSObject <UIDocumentPickerDelegate>
@property (nonatomic, copy) DocumentPickerClosedCallback documentPickerClosedCallback;
@end
 #endif
@@ -26,6 +26,7 @@
@end
 #if !MACOS_NE
@implementation DocumentPickerDelegate
 - (void)documentPicker:(UIDocumentPickerViewController *)controller didPickDocumentsAtURLs:(NSArray<NSURL *> *)urls {
@@ -43,3 +44,4 @@
 }
@end
 #endif
@@ -6,6 +6,8 @@
 #import <UserNotifications/UserNotifications.h>
 #import <Foundation/Foundation.h>
 #if !MACOS_NE
 #import <UIKit/UIKit.h>
@interface IOSNotificationDelegate
@@ -87,3 +89,86 @@ void IOSNotificationHandler::notify(NotificationHandler::Message type, const QSt
             }
           }];
 }
 #else
 // Removed the UIResponder and UIApplicationDelegate references as these are not available in macOS
@interface IOSNotificationDelegate
    : NSObject <UNUserNotificationCenterDelegate> {
  IOSNotificationHandler* m_iosNotificationHandler;
 }
@end
@implementation IOSNotificationDelegate
 - (id)initWithObject:(IOSNotificationHandler*)notification {
  self = [super init];  // Removed `super init` as it refers to UIResponder, which is iOS specific
  if (self) {
    m_iosNotificationHandler = notification;
  }
  return self;
 }
 - (void)userNotificationCenter:(UNUserNotificationCenter*)center
       willPresentNotification:(UNNotification*)notification
         withCompletionHandler:
             (void (^)(UNNotificationPresentationOptions options))completionHandler {
  Q_UNUSED(center)
  completionHandler(UNNotificationPresentationOptionList | UNNotificationPresentationOptionBanner);
 }
 - (void)userNotificationCenter:(UNUserNotificationCenter*)center
    didReceiveNotificationResponse:(UNNotificationResponse*)response
             withCompletionHandler:(void (^)())completionHandler {
  Q_UNUSED(center)
  Q_UNUSED(response)
  completionHandler();
 }
@end
 IOSNotificationHandler::IOSNotificationHandler(QObject* parent) : NotificationHandler(parent) {
  UNUserNotificationCenter* center = [UNUserNotificationCenter currentNotificationCenter];
  [center requestAuthorizationWithOptions:(UNAuthorizationOptionSound | UNAuthorizationOptionAlert |
                                           UNAuthorizationOptionBadge)
                        completionHandler:^(BOOL granted, NSError* _Nullable error) {
                          Q_UNUSED(granted);
                          if (!error) {
                            m_delegate = [[IOSNotificationDelegate alloc] initWithObject:this];
                          }
                        }];
 }
 IOSNotificationHandler::~IOSNotificationHandler() { }
 void IOSNotificationHandler::notify(NotificationHandler::Message type, const QString& title,
                                    const QString& message, int timerMsec) {
  Q_UNUSED(type);
  if (!m_delegate) {
    return;
  }
  UNMutableNotificationContent* content = [[UNMutableNotificationContent alloc] init];
  content.title = title.toNSString();
  content.body = message.toNSString();
  content.sound = [UNNotificationSound defaultSound];
  int timerSec = timerMsec / 1000;
  UNTimeIntervalNotificationTrigger* trigger =
      [UNTimeIntervalNotificationTrigger triggerWithTimeInterval:timerSec repeats:NO];
  UNNotificationRequest* request = [UNNotificationRequest requestWithIdentifier:@"amneziavpn"
                                                                        content:content
                                                                        trigger:trigger];
  UNUserNotificationCenter* center = [UNUserNotificationCenter currentNotificationCenter];
  center.delegate = (id<UNUserNotificationCenterDelegate>)m_delegate;
  [center addNotificationRequest:request
           withCompletionHandler:^(NSError* _Nullable error) {
             if (error) {
               NSLog(@"Local Notification failed");
             }
           }];
 }
 #endif
@@ -31,7 +31,9 @@ IPUtilsLinux::~IPUtilsLinux() {
 }
 bool IPUtilsLinux::addInterfaceIPs(const InterfaceConfig& config) {
-  return addIP4AddressToDevice(config) && addIP6AddressToDevice(config);
+  bool ret = addIP4AddressToDevice(config);
  addIP6AddressToDevice(config);
  return ret;
 }
 bool IPUtilsLinux::setMTUAndUp(const InterfaceConfig& config) {
@@ -95,7 +97,7 @@ bool IPUtilsLinux::addIP4AddressToDevice(const InterfaceConfig& config) {
  // Set ifr to interface
  int ret = ioctl(sockfd, SIOCSIFADDR, &ifr);
  if (ret) {
-    logger.error() << "Failed to set IPv4: " << logger.sensitive(deviceAddr)
+    logger.error() << "Failed to set IPv4: " << deviceAddr
                   << "error:" << strerror(errno);
    return false;
  }
@@ -136,7 +138,7 @@ bool IPUtilsLinux::addIP6AddressToDevice(const InterfaceConfig& config) {
  // Set ifr6 to the interface
  ret = ioctl(sockfd, SIOCSIFADDR, &ifr6);
  if (ret && (errno != EEXIST)) {
-    logger.error() << "Failed to set IPv6: " << logger.sensitive(deviceAddr)
+    logger.error() << "Failed to set IPv6: " << deviceAddr
                   << "error:" << strerror(errno);
    return false;
  }
@@ -455,9 +455,6 @@ void LinuxFirewall::updateDNSServers(const QStringList& servers)
 void LinuxFirewall::updateAllowNets(const QStringList& servers)
 {
    static QStringList existingServers {};
    existingServers = servers;
    execute(QStringLiteral("iptables -F %1.110.allowNets").arg(kAnchorName));
    for (const QString& rule : getAllowRule(servers))
        execute(QStringLiteral("iptables -A %1.110.allowNets %2").arg(kAnchorName, rule));
@@ -17,6 +17,8 @@
 #include "leakdetector.h"
 #include "logger.h"
 #include "killswitch.h"
 constexpr const int WG_TUN_PROC_TIMEOUT = 5000;
 constexpr const char* WG_RUNTIME_DIR = "/var/run/amneziawg";
@@ -119,6 +121,12 @@ bool WireguardUtilsLinux::addInterface(const InterfaceConfig& config) {
    if (!config.m_responsePacketJunkSize.isEmpty()) {
        out << "s2=" << config.m_responsePacketJunkSize << "\n";
    }
    if (!config.m_cookieReplyPacketJunkSize.isEmpty()) {
        out << "s3=" << config.m_cookieReplyPacketJunkSize << "\n";
    }
    if (!config.m_transportPacketJunkSize.isEmpty()) {
        out << "s4=" << config.m_transportPacketJunkSize << "\n";
    }
    if (!config.m_initPacketMagicHeader.isEmpty()) {
        out << "h1=" << config.m_initPacketMagicHeader << "\n";
    }
@@ -132,13 +140,26 @@ bool WireguardUtilsLinux::addInterface(const InterfaceConfig& config) {
        out << "h4=" << config.m_transportPacketMagicHeader << "\n";
    }
    for (const QString& key : config.m_specialJunk.keys()) {
        out << key.toLower() << "=" << config.m_specialJunk.value(key) << "\n";
    }
    for (const QString& key : config.m_controlledJunk.keys()) {
        out << key.toLower() << "=" << config.m_controlledJunk.value(key) << "\n";
    }
    if (!config.m_specialHandshakeTimeout.isEmpty()) {
        out << "itime=" << config.m_specialHandshakeTimeout << "\n";
    }
    int err = uapiErrno(uapiCommand(message));
    if (err != 0) {
        logger.error() << "Interface configuration failed:" << strerror(err);
    } else {
        if (config.m_killSwitchEnabled) {
            FirewallParams params { };
-            params.dnsServers.append(config.m_dnsServer);
+            params.dnsServers.append(config.m_primaryDnsServer);
            if (!config.m_secondaryDnsServer.isEmpty()) {
                params.dnsServers.append(config.m_secondaryDnsServer);
            }
            if (config.m_allowedIPAddressRanges.contains(IPAddress("0.0.0.0/0"))) {
                params.blockAll = true;
                if (config.m_excludedAddresses.size()) {
@@ -182,7 +203,7 @@ bool WireguardUtilsLinux::deleteInterface() {
    QFile::remove(wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name"));
    // double-check + ensure our firewall is installed and enabled
-    LinuxFirewall::uninstall();
+    KillSwitch::instance()->disableKillSwitch();
    return true;
 }
@@ -122,7 +122,7 @@ bool IPUtilsMacos::addIP4AddressToDevice(const InterfaceConfig& config) {
  // Set ifr to interface
  int ret = ioctl(sockfd, SIOCAIFADDR, &ifr);
  if (ret) {
-    logger.error() << "Failed to set IPv4: " << logger.sensitive(deviceAddr)
+    logger.error() << "Failed to set IPv4: " << deviceAddr
                   << "error:" << strerror(errno);
    return false;
  }
@@ -162,7 +162,7 @@ bool IPUtilsMacos::addIP6AddressToDevice(const InterfaceConfig& config) {
  // Set ifr to interface
  int ret = ioctl(sockfd, SIOCAIFADDR_IN6, &ifr6);
  if (ret) {
-    logger.error() << "Failed to set IPv6: " << logger.sensitive(deviceAddr)
+    logger.error() << "Failed to set IPv6: " << deviceAddr
                   << "error:" << strerror(errno);
    return false;
  }
@@ -43,8 +43,16 @@ namespace {
 #include "macosfirewall.h"
-#define ResourceDir qApp->applicationDirPath() + "/pf"
+#include <QDir>
-#define DaemonDataDir qApp->applicationDirPath() + "/pf"
+#include <QStandardPaths>
 // Read-only rules bundled with the application.
 #define ResourceDir (qApp->applicationDirPath() + "/pf")
 // Writable location that does NOT live inside the signed bundle.  Using a
 // constant path under /Library/Application Support keeps the signature intact
 // and is accessible to the root helper.
 #define DaemonDataDir QStringLiteral("/Library/Application Support/AmneziaVPN/pf")
 #include <QProcess>
@@ -121,6 +129,8 @@ void MacOSFirewall::install()
    logger.info() << "Installing PF root anchor";
    installRootAnchors();
    // Ensure writable directory exists, then store the token there.
    QDir().mkpath(DaemonDataDir);
    execute(QStringLiteral("pfctl -E 2>&1 | grep -F 'Token : ' | cut -c9- > '%1/pf.token'").arg(DaemonDataDir));
 }
@@ -144,7 +144,7 @@ void MacosRouteMonitor::handleRtmDelete(const struct rt_msghdr* rtm,
  for (const IPAddress& prefix : m_exclusionRoutes) {
    if (prefix.address().protocol() == protocol) {
      logger.debug() << "Removing exclusion route to"
-                     << logger.sensitive(prefix.toString());
+                     << prefix.toString();
      rtmSendRoute(RTM_DELETE, prefix, rtm->rtm_index, nullptr);
    }
  }
@@ -259,7 +259,7 @@ void MacosRouteMonitor::handleRtmUpdate(const struct rt_msghdr* rtm,
  for (const IPAddress& prefix : m_exclusionRoutes) {
    if (prefix.address().protocol() == protocol) {
      logger.debug() << "Updating exclusion route to"
-                     << logger.sensitive(prefix.toString());
+                     << prefix.toString();
      rtmSendRoute(rtm_type, prefix, ifindex, addrlist[1].constData());
    }
  }
@@ -510,8 +510,7 @@ bool MacosRouteMonitor::deleteRoute(const IPAddress& prefix, int flags) {
 }
 bool MacosRouteMonitor::addExclusionRoute(const IPAddress& prefix) {
-  logger.debug() << "Adding exclusion route for"
+  logger.debug() << "Adding exclusion route for" << prefix.toString();
                 << logger.sensitive(prefix.toString());
  if (m_exclusionRoutes.contains(prefix)) {
    logger.warning() << "Exclusion route already exists";
@@ -536,8 +535,7 @@ bool MacosRouteMonitor::addExclusionRoute(const IPAddress& prefix) {
 }
 bool MacosRouteMonitor::deleteExclusionRoute(const IPAddress& prefix) {
-  logger.debug() << "Deleting exclusion route for"
+  logger.debug() << "Deleting exclusion route for" << prefix.toString();
                 << logger.sensitive(prefix.toString());
  m_exclusionRoutes.removeAll(prefix);
  if (prefix.address().protocol() == QAbstractSocket::IPv4Protocol) {
@@ -16,6 +16,8 @@
 #include "leakdetector.h"
 #include "logger.h"
 #include "killswitch.h"
 constexpr const int WG_TUN_PROC_TIMEOUT = 5000;
 constexpr const char* WG_RUNTIME_DIR = "/var/run/amneziawg";
@@ -117,6 +119,12 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
  if (!config.m_responsePacketJunkSize.isEmpty()) {
    out << "s2=" << config.m_responsePacketJunkSize << "\n";
  }
  if (!config.m_cookieReplyPacketJunkSize.isEmpty()) {
    out << "s3=" << config.m_cookieReplyPacketJunkSize << "\n";
  }
  if (!config.m_transportPacketJunkSize.isEmpty()) {
    out << "s4=" << config.m_transportPacketJunkSize << "\n";
  }
  if (!config.m_initPacketMagicHeader.isEmpty()) {
    out << "h1=" << config.m_initPacketMagicHeader << "\n";
  }
@@ -130,30 +138,43 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
    out << "h4=" << config.m_transportPacketMagicHeader << "\n";
  }
  for (const QString& key : config.m_specialJunk.keys()) {
      out << key.toLower() << "=" << config.m_specialJunk.value(key) << "\n";
  }
  for (const QString& key : config.m_controlledJunk.keys()) {
      out << key.toLower() << "=" << config.m_controlledJunk.value(key) << "\n";
  }
  if (!config.m_specialHandshakeTimeout.isEmpty()) {
      out << "itime=" << config.m_specialHandshakeTimeout << "\n";
  }
  int err = uapiErrno(uapiCommand(message));
  if (err != 0) {
    logger.error() << "Interface configuration failed:" << strerror(err);
  } else {
-      if (config.m_killSwitchEnabled) {
+    if (config.m_killSwitchEnabled) {
-        FirewallParams params { };
+      FirewallParams params { };
-        params.dnsServers.append(config.m_dnsServer);
+      params.dnsServers.append(config.m_primaryDnsServer);
      if (!config.m_secondaryDnsServer.isEmpty()) {
          params.dnsServers.append(config.m_secondaryDnsServer);
      }
-        if (config.m_allowedIPAddressRanges.contains(IPAddress("0.0.0.0/0"))) {
+      if (config.m_allowedIPAddressRanges.contains(IPAddress("0.0.0.0/0"))) {
          params.blockAll = true;
          if (config.m_excludedAddresses.size()) {
-            params.allowNets = true;
+              params.allowNets = true;
-            foreach (auto net, config.m_excludedAddresses) {
+              foreach (auto net, config.m_excludedAddresses) {
-              params.allowAddrs.append(net.toUtf8());
+                  params.allowAddrs.append(net.toUtf8());
-            }
+              }
          }
-        } else {
+      } else {
          params.blockNets = true;
          foreach (auto net, config.m_allowedIPAddressRanges) {
-            params.blockAddrs.append(net.toString());
+              params.blockAddrs.append(net.toString());
          }
        }
        applyFirewallRules(params);
      }
      applyFirewallRules(params);
    }
  }
  return (err == 0);
 }
@@ -180,7 +201,7 @@ bool WireguardUtilsMacos::deleteInterface() {
  QFile::remove(wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name"));
  // double-check + ensure our firewall is installed and enabled
-  MacOSFirewall::uninstall();
+  KillSwitch::instance()->disableKillSwitch();
  return true;
 }
@@ -29,6 +29,8 @@
 #include "logger.h"
 #include "platforms/windows/windowsutils.h"
 #include "killswitch.h"
 #define IPV6_ADDRESS_SIZE 16
 // ID for the Firewall Sublayer
@@ -180,16 +182,29 @@ bool WindowsFirewall::enableInterface(int vpnAdapterIndex) {
    }                                                                     \
  }
-  logger.info() << "Enabling firewall Using Adapter:" << vpnAdapterIndex;
+  logger.info() << "Enabling Killswitch Using Adapter:" << vpnAdapterIndex;
  if (vpnAdapterIndex < 0)
  {
    IPAddress allv4("0.0.0.0/0");
    if (!blockTrafficTo(allv4, MED_WEIGHT,
                        "Block Internet", "killswitch")) {
        return false;
    }
    IPAddress allv6("::/0");
    if (!blockTrafficTo(allv6, MED_WEIGHT,
                        "Block Internet", "killswitch")) {
      return false;
    }
  } else
  FW_OK(allowTrafficOfAdapter(vpnAdapterIndex, MED_WEIGHT,
-                              "Allow usage of VPN Adapter"));
+                                  "Allow usage of VPN Adapter"));
  FW_OK(allowDHCPTraffic(MED_WEIGHT, "Allow DHCP Traffic"));
-  FW_OK(allowHyperVTraffic(MED_WEIGHT, "Allow Hyper-V Traffic"));
+  FW_OK(allowHyperVTraffic(MAX_WEIGHT, "Allow Hyper-V Traffic"));
  FW_OK(allowTrafficForAppOnAll(getCurrentPath(), MAX_WEIGHT,
                                "Allow all for AmneziaVPN.exe"));
  FW_OK(blockTrafficOnPort(53, MED_WEIGHT, "Block all DNS"));
-  FW_OK(
+  FW_OK(allowLoopbackTraffic(MED_WEIGHT,
-      allowLoopbackTraffic(MED_WEIGHT, "Allow Loopback traffic on device %1"));
+                             "Allow Loopback traffic on device %1"));
  logger.debug() << "Killswitch on! Rules:" << m_activeRules.length();
  return true;
@@ -226,6 +241,37 @@ bool WindowsFirewall::enableLanBypass(const QList<IPAddress>& ranges) {
  return true;
 }
 // Allow unprotected traffic sent to the following address ranges.
 bool WindowsFirewall::allowTrafficRange(const QStringList& ranges) {
  // Start the firewall transaction
  auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
  if (result != ERROR_SUCCESS) {
    disableKillSwitch();
    return false;
  }
  auto cleanup = qScopeGuard([&] {
      FwpmTransactionAbort0(m_sessionHandle);
      disableKillSwitch();
  });
  for (const QString& addr : ranges) {
    logger.debug() << "Allow killswitch exclude: " << addr;
    if (!allowTrafficTo(QHostAddress(addr), HIGH_WEIGHT, "Allow killswitch bypass traffic")) {
      return false;
    }
  }
  result = FwpmTransactionCommit0(m_sessionHandle);
  if (result != ERROR_SUCCESS) {
    logger.error() << "FwpmTransactionCommit0 failed with error:" << result;
    return false;
  }
  cleanup.dismiss();
  return true;
 }
 bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
  // Start the firewall transaction
  auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
@@ -245,15 +291,15 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
                      "Block Internet", config.m_serverPublicKey)) {
    return false;
  }
-  if (!config.m_dnsServer.isEmpty()) {
+  if (!config.m_primaryDnsServer.isEmpty()) {
-    if (!allowTrafficTo(QHostAddress(config.m_dnsServer), 53, HIGH_WEIGHT,
+    if (!allowTrafficTo(QHostAddress(config.m_primaryDnsServer), 53, HIGH_WEIGHT,
                        "Allow DNS-Server", config.m_serverPublicKey)) {
      return false;
    }
    // In some cases, we might configure a 2nd DNS server for IPv6, however
    // this should probably be cleaned up by converting m_dnsServer into
    // a QStringList instead.
-    if (config.m_dnsServer == config.m_serverIpv4Gateway) {
+    if (config.m_primaryDnsServer == config.m_serverIpv4Gateway) {
      if (!allowTrafficTo(QHostAddress(config.m_serverIpv6Gateway), 53,
                          HIGH_WEIGHT, "Allow extra IPv6 DNS-Server",
                          config.m_serverPublicKey)) {
@@ -262,12 +308,37 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
    }
  }
  if (!config.m_secondaryDnsServer.isEmpty()) {
    if (!allowTrafficTo(QHostAddress(config.m_secondaryDnsServer), 53, HIGH_WEIGHT,
                        "Allow DNS-Server", config.m_serverPublicKey)) {
      return false;
    }
    // In some cases, we might configure a 2nd DNS server for IPv6, however
    // this should probably be cleaned up by converting m_dnsServer into
    // a QStringList instead.
    if (config.m_secondaryDnsServer == config.m_serverIpv4Gateway) {
      if (!allowTrafficTo(QHostAddress(config.m_serverIpv6Gateway), 53,
                          HIGH_WEIGHT, "Allow extra IPv6 DNS-Server",
                          config.m_serverPublicKey)) {
        return false;
      }
    }
  }
  for (const QString& dns : config.m_allowedDnsServers) {
    logger.debug() << "Allow DNS: " << dns;
    if (!allowTrafficTo(QHostAddress(dns), 53, HIGH_WEIGHT,
                        "Allow DNS-Server", config.m_serverPublicKey)) {
      return false;
    }
  }
  if (!config.m_excludedAddresses.empty()) {
    for (const QString& i : config.m_excludedAddresses) {
      logger.debug() << "excludedAddresses range: " << i;
      if (!allowTrafficTo(i, HIGH_WEIGHT,
-                               "Allow Ecxlude route", config.m_serverPublicKey)) {
+                          "Allow Ecxlude route", config.m_serverPublicKey)) {
        return false;
      }
    }
@@ -313,37 +384,41 @@ bool WindowsFirewall::disablePeerTraffic(const QString& pubkey) {
 }
 bool WindowsFirewall::disableKillSwitch() {
-  auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
+  return KillSwitch::instance()->disableKillSwitch();
-  auto cleanup = qScopeGuard([&] {
+}
 bool WindowsFirewall::allowAllTraffic() {
    auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
    auto cleanup = qScopeGuard([&] {
        if (result != ERROR_SUCCESS) {
            FwpmTransactionAbort0(m_sessionHandle);
        }
    });
    if (result != ERROR_SUCCESS) {
-      FwpmTransactionAbort0(m_sessionHandle);
+      logger.error() << "FwpmTransactionBegin0 failed. Return value:.\n"
                     << result;
      return false;
    }
  });
  if (result != ERROR_SUCCESS) {
    logger.error() << "FwpmTransactionBegin0 failed. Return value:.\n"
                   << result;
    return false;
  }
-  for (const auto& filterID : m_peerRules.values()) {
+    for (const auto& filterID : m_peerRules.values()) {
-    FwpmFilterDeleteById0(m_sessionHandle, filterID);
+      FwpmFilterDeleteById0(m_sessionHandle, filterID);
-  }
+    }
-  for (const auto& filterID : qAsConst(m_activeRules)) {
+    for (const auto& filterID : qAsConst(m_activeRules)) {
-    FwpmFilterDeleteById0(m_sessionHandle, filterID);
+      FwpmFilterDeleteById0(m_sessionHandle, filterID);
-  }
+    }
-  // Commit!
+           // Commit!
-  result = FwpmTransactionCommit0(m_sessionHandle);
+    result = FwpmTransactionCommit0(m_sessionHandle);
-  if (result != ERROR_SUCCESS) {
+    if (result != ERROR_SUCCESS) {
-    logger.error() << "FwpmTransactionCommit0 failed. Return value:.\n"
+      logger.error() << "FwpmTransactionCommit0 failed. Return value:.\n"
-                   << result;
+                     << result;
-    return false;
+      return false;
-  }
+    }
-  m_peerRules.clear();
+    m_peerRules.clear();
-  m_activeRules.clear();
+    m_activeRules.clear();
-  logger.debug() << "Firewall Disabled!";
+    logger.debug() << "Firewall Disabled!";
-  return true;
+    return true;
 }
 bool WindowsFirewall::allowTrafficForAppOnAll(const QString& exePath,
@@ -43,6 +43,8 @@ class WindowsFirewall final : public QObject {
  bool enablePeerTraffic(const InterfaceConfig& config);
  bool disablePeerTraffic(const QString& pubkey);
  bool disableKillSwitch();
  bool allowAllTraffic();
  bool allowTrafficRange(const QStringList& ranges);
 private:
  static bool initSublayer();
@@ -303,8 +303,7 @@ void WindowsRouteMonitor::updateCapturedRoutes(int family, void* ptable) {
      data->Age++;
      continue;
    }
-    logger.debug() << "Capturing route to"
+    logger.debug() << "Capturing route to" << prefix.toString();
                   << logger.sensitive(prefix.toString());
    // Clone the route and direct it into the VPN tunnel.
    data = new MIB_IPFORWARD_ROW2;
@@ -354,8 +353,7 @@ void WindowsRouteMonitor::updateCapturedRoutes(int family, void* ptable) {
      continue;
    }
-    logger.debug() << "Removing route capture for"
+    logger.debug() << "Removing route capture for" << i.key().toString();
                   << logger.sensitive(i.key().toString());
    // Otherwise, this route is no longer in use.
    DWORD result = DeleteIpForwardEntry2(data);
@@ -368,8 +366,7 @@ void WindowsRouteMonitor::updateCapturedRoutes(int family, void* ptable) {
 }
 bool WindowsRouteMonitor::addExclusionRoute(const IPAddress& prefix) {
-  logger.debug() << "Adding exclusion route for"
+  logger.debug() << "Adding exclusion route for" << prefix.toString();
                 << logger.sensitive(prefix.toString());
  // Silently ignore non-routeable addresses.
  QHostAddress addr = prefix.address();
@@ -437,7 +434,7 @@ bool WindowsRouteMonitor::addExclusionRoute(const IPAddress& prefix) {
 bool WindowsRouteMonitor::deleteExclusionRoute(const IPAddress& prefix) {
  logger.debug() << "Deleting exclusion route for"
-                 << logger.sensitive(prefix.address().toString());
+                 << prefix.address().toString();
  MIB_IPFORWARD_ROW2* data = m_exclusionRoutes.take(prefix);
  if (data == nullptr) {
@@ -447,7 +444,7 @@ bool WindowsRouteMonitor::deleteExclusionRoute(const IPAddress& prefix) {
  DWORD result = DeleteIpForwardEntry2(data);
  if ((result != ERROR_NOT_FOUND) && (result != NO_ERROR)) {
    logger.error() << "Failed to delete route to"
-                   << logger.sensitive(prefix.toString())
+                   << prefix.toString()
                   << "result:" << result;
  }
@@ -465,7 +462,7 @@ void WindowsRouteMonitor::flushRouteTable(
    DWORD result = DeleteIpForwardEntry2(data);
    if ((result != ERROR_NOT_FOUND) && (result != NO_ERROR)) {
      logger.error() << "Failed to delete route to"
-                     << logger.sensitive(i.key().toString())
+                     << i.key().toString()
                     << "result:" << result;
    }
    delete data;
@@ -14,8 +14,6 @@
 #include "leakdetector.h"
 #include "logger.h"
 #include "platforms/windows/windowscommons.h"
 #include "windowsdaemon.h"
 #include "windowsfirewall.h"
 #pragma comment(lib, "iphlpapi.lib")
@@ -132,6 +130,7 @@ bool WireguardUtilsWindows::addInterface(const InterfaceConfig& config) {
    // Enable the windows firewall
    NET_IFINDEX ifindex;
    ConvertInterfaceLuidToIndex(&luid, &ifindex);
    m_firewall->allowAllTraffic();
    m_firewall->enableInterface(ifindex);
  }
@@ -269,6 +268,13 @@ bool WireguardUtilsWindows::updateRoutePrefix(const IPAddress& prefix) {
  if (result == ERROR_OBJECT_ALREADY_EXISTS) {
    return true;
  }
  // Case for ipv6 route with disabled ipv6
  if (prefix.address().protocol() == QAbstractSocket::IPv6Protocol
      && result == ERROR_NOT_FOUND) {
    return true;
  }
  if (result != NO_ERROR) {
    logger.error() << "Failed to create route to"
                   << prefix.toString()
@@ -30,7 +30,6 @@ Ikev2Protocol::Ikev2Protocol(const QJsonObject &configuration, QObject* parent)
 Ikev2Protocol::~Ikev2Protocol()
 {
    qDebug() << "IpsecProtocol::~IpsecProtocol()";
    disconnect_vpn();
    Ikev2Protocol::stop();
 }
@@ -38,7 +37,7 @@ void Ikev2Protocol::stop()
 {
    setConnectionState(Vpn::ConnectionState::Disconnecting);
    {
-        if (! disconnect_vpn() ){
+        if (!disconnect_vpn()){
            qDebug()<<"We don't disconnect";
            setConnectionState(Vpn::ConnectionState::Error);
        }
@@ -311,7 +310,9 @@ bool Ikev2Protocol::connect_to_vpn(const QString & vpn_name){
 //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 bool Ikev2Protocol::disconnect_vpn(){
    if ( hRasConn != nullptr ){
-        if ( RasHangUp(hRasConn) != ERROR_SUCCESS)
+        auto ret = RasHangUp(hRasConn);
        qDebug() << "RasHangUp " << ret;
        if (ret != ERROR_SUCCESS)
            return false;
    }
    QThread::msleep(3000);
@@ -171,6 +171,11 @@ ErrorCode OpenVpnProtocol::start()
        return lastError();
    }
 #ifdef AMNEZIA_DESKTOP
    IpcClient::Interface()->addKillSwitchAllowedRange(QStringList(NetworkUtilities::getIPAddress(
            m_configData.value(amnezia::config_key::hostName).toString())));
 #endif
    // Detect default gateway
 #ifdef Q_OS_MAC
    QProcess p;
@@ -338,7 +343,7 @@ void OpenVpnProtocol::updateVpnGateway(const QString &line)
                        // killSwitch toggle
                        if (m_vpnLocalAddress == netInterfaces.at(i).addressEntries().at(j).ip().toString()) {
                            if (QVariant(m_configData.value(config_key::killSwitchOption).toString()).toBool()) {
-                                IpcClient::Interface()->enableKillSwitch(QJsonObject(), netInterfaces.at(i).index());
+                                IpcClient::Interface()->enableKillSwitch(m_configData, netInterfaces.at(i).index());
                            }
                            m_configData.insert("vpnAdapterIndex", netInterfaces.at(i).index());
                            m_configData.insert("vpnGateway", m_vpnGateway);
@@ -72,10 +72,21 @@ namespace amnezia
        constexpr char junkPacketMaxSize[] = "Jmax";
        constexpr char initPacketJunkSize[] = "S1";
        constexpr char responsePacketJunkSize[] = "S2";
        constexpr char cookieReplyPacketJunkSize[] = "S3";
        constexpr char transportPacketJunkSize[] = "S4";
        constexpr char initPacketMagicHeader[] = "H1";
        constexpr char responsePacketMagicHeader[] = "H2";
        constexpr char underloadPacketMagicHeader[] = "H3";
        constexpr char transportPacketMagicHeader[] = "H4";
        constexpr char specialJunk1[] = "I1";
        constexpr char specialJunk2[] = "I2";
        constexpr char specialJunk3[] = "I3";
        constexpr char specialJunk4[] = "I4";
        constexpr char specialJunk5[] = "I5";
        constexpr char controlledJunk1[] = "J1";
        constexpr char controlledJunk2[] = "J2";
        constexpr char controlledJunk3[] = "J3";
        constexpr char specialHandshakeTimeout[] = "Itime";
        constexpr char openvpn[] = "openvpn";
        constexpr char wireguard[] = "wireguard";
@@ -95,12 +106,16 @@ namespace amnezia
        constexpr char splitTunnelApps[] = "splitTunnelApps";
        constexpr char appSplitTunnelType[] = "appSplitTunnelType";
        constexpr char allowedDnsServers[] = "allowedDnsServers";
        constexpr char killSwitchOption[] = "killSwitchOption";
        constexpr char crc[] = "crc";
        constexpr char clientId[] = "clientId";
        constexpr char nameOverriddenByUser[] = "nameOverriddenByUser";
    }
    namespace protocols
@@ -177,7 +192,7 @@ namespace amnezia
            constexpr char defaultPort[] = "51820";
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
            constexpr char defaultMtu[] = "1280";
 #else
            constexpr char defaultMtu[] = "1376";
@@ -197,7 +212,7 @@ namespace amnezia
        namespace awg
        {
            constexpr char defaultPort[] = "55424";
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
            constexpr char defaultMtu[] = "1280";
 #else
            constexpr char defaultMtu[] = "1376";
@@ -212,10 +227,22 @@ namespace amnezia
            constexpr char defaultJunkPacketMaxSize[] = "30";
            constexpr char defaultInitPacketJunkSize[] = "15";
            constexpr char defaultResponsePacketJunkSize[] = "18";
            constexpr char defaultCookieReplyPacketJunkSize[] = "20";
            constexpr char defaultTransportPacketJunkSize[] = "23";
            constexpr char defaultInitPacketMagicHeader[] = "1020325451";
            constexpr char defaultResponsePacketMagicHeader[] = "3288052141";
            constexpr char defaultTransportPacketMagicHeader[] = "2528465083";
            constexpr char defaultUnderloadPacketMagicHeader[] = "1766607858";
            constexpr char defaultSpecialJunk1[] = "";
            constexpr char defaultSpecialJunk2[] = "";
            constexpr char defaultSpecialJunk3[] = "";
            constexpr char defaultSpecialJunk4[] = "";
            constexpr char defaultSpecialJunk5[] = "";
            constexpr char defaultControlledJunk1[] = "";
            constexpr char defaultControlledJunk2[] = "";
            constexpr char defaultControlledJunk3[] = "";
            constexpr char defaultSpecialHandshakeTimeout[] = "";
        }
        namespace socks5Proxy
@@ -4,7 +4,7 @@
 #include "core/errorstrings.h"
 #include "vpnprotocol.h"
-#if defined(Q_OS_WINDOWS) || defined(Q_OS_MACX) || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
+#if defined(Q_OS_WINDOWS) || defined(Q_OS_MACX) and !defined MACOS_NE || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
    #include "openvpnovercloakprotocol.h"
    #include "openvpnprotocol.h"
    #include "shadowsocksvpnprotocol.h"
@@ -114,7 +114,7 @@ VpnProtocol *VpnProtocol::factory(DockerContainer container, const QJsonObject &
 #if defined(Q_OS_WINDOWS)
    case DockerContainer::Ipsec: return new Ikev2Protocol(configuration);
 #endif
-#if defined(Q_OS_WINDOWS) || defined(Q_OS_MACX) || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
+#if defined(Q_OS_WINDOWS) || defined(Q_OS_MACX) and !defined MACOS_NE || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
    case DockerContainer::OpenVpn: return new OpenVpnProtocol(configuration);
    case DockerContainer::Cloak: return new OpenVpnOverCloakProtocol(configuration);
    case DockerContainer::ShadowSocks: return new ShadowSocksVpnProtocol(configuration);
@@ -98,8 +98,13 @@ ErrorCode XrayProtocol::startTun2Sock()
        if (vpnState == Vpn::ConnectionState::Connected) {
            setConnectionState(Vpn::ConnectionState::Connecting);
            QList<QHostAddress> dnsAddr;
            dnsAddr.push_back(QHostAddress(m_configData.value(config_key::dns1).toString()));
-            dnsAddr.push_back(QHostAddress(m_configData.value(config_key::dns2).toString()));
+            // We don't use secondary DNS if primary DNS is AmneziaDNS
            if (!m_configData.value(amnezia::config_key::dns1).toString().
                 contains(amnezia::protocols::dns::amneziaDnsIp)) {
                dnsAddr.push_back(QHostAddress(m_configData.value(config_key::dns2).toString()));
            }
 #ifdef Q_OS_WIN
            QThread::msleep(8000);
 #endif
@@ -134,7 +139,7 @@ ErrorCode XrayProtocol::startTun2Sock()
                    // killSwitch toggle
                    if (m_vpnLocalAddress == netInterfaces.at(i).addressEntries().at(j).ip().toString()) {
                        if (QVariant(m_configData.value(config_key::killSwitchOption).toString()).toBool()) {
-                            IpcClient::Interface()->enableKillSwitch(QJsonObject(), netInterfaces.at(i).index());
+                            IpcClient::Interface()->enableKillSwitch(m_configData, netInterfaces.at(i).index());
                        }
                        m_configData.insert("vpnAdapterIndex", netInterfaces.at(i).index());
                        m_configData.insert("vpnGateway", m_vpnGateway);
@@ -127,8 +127,9 @@
        <file>ui/qml/Components/SelectLanguageDrawer.qml</file>
        <file>ui/qml/Components/ServersListView.qml</file>
        <file>ui/qml/Components/SettingsContainersListView.qml</file>
-        <file>ui/qml/Components/ShareConnectionDrawer.qml</file>
+
        <file>ui/qml/Components/TransportProtoSelector.qml</file>
        <file>ui/qml/Components/AddSitePanel.qml</file>
        <file>ui/qml/Config/GlobalConfig.qml</file>
        <file>ui/qml/Config/qmldir</file>
        <file>ui/qml/Controls2/BackButtonType.qml</file>
@@ -143,7 +144,9 @@
        <file>ui/qml/Controls2/DropDownType.qml</file>
        <file>ui/qml/Controls2/FlickableType.qml</file>
        <file>ui/qml/Controls2/Header2Type.qml</file>
-        <file>ui/qml/Controls2/HeaderType.qml</file>
+        <file>ui/qml/Controls2/BaseHeaderType.qml</file>
        <file>ui/qml/Controls2/HeaderTypeWithButton.qml</file>
        <file>ui/qml/Controls2/HeaderTypeWithSwitcher.qml</file>
        <file>ui/qml/Controls2/HorizontalRadioButton.qml</file>
        <file>ui/qml/Controls2/ImageButtonType.qml</file>
        <file>ui/qml/Controls2/LabelWithButtonType.qml</file>
@@ -199,6 +202,8 @@
        <file>ui/qml/Pages2/PageSettingsBackup.qml</file>
        <file>ui/qml/Pages2/PageSettingsConnection.qml</file>
        <file>ui/qml/Pages2/PageSettingsDns.qml</file>
        <file>ui/qml/Pages2/PageSettingsKillSwitch.qml</file>
        <file>ui/qml/Pages2/PageSettingsKillSwitchExceptions.qml</file>
        <file>ui/qml/Pages2/PageSettingsLogging.qml</file>
        <file>ui/qml/Pages2/PageSettingsServerData.qml</file>
        <file>ui/qml/Pages2/PageSettingsServerInfo.qml</file>
@@ -223,6 +228,7 @@
        <file>ui/qml/Pages2/PageSetupWizardViewConfig.qml</file>
        <file>ui/qml/Pages2/PageShare.qml</file>
        <file>ui/qml/Pages2/PageShareFullAccess.qml</file>
        <file>ui/qml/Pages2/PageShareConnection.qml</file>
        <file>ui/qml/Pages2/PageStart.qml</file>
        <file>ui/qml/Components/RenameServerDrawer.qml</file>
        <file>ui/qml/Controls2/ListViewType.qml</file>
@@ -231,6 +237,11 @@
        <file>ui/qml/Pages2/PageSettingsApiNativeConfigs.qml</file>
        <file>ui/qml/Pages2/PageSettingsApiDevices.qml</file>
        <file>images/controls/monitor.svg</file>
        <file>ui/qml/Components/ApiPremV1MigrationDrawer.qml</file>
        <file>ui/qml/Components/ApiPremV1SubListDrawer.qml</file>
        <file>ui/qml/Components/OtpCodeDrawer.qml</file>
        <file>ui/qml/Components/AwgTextField.qml</file>
        <file>ui/qml/Pages2/PageSettingsApiSubscriptionKey.qml</file>
    </qresource>
    <qresource prefix="/countriesFlags">
        <file>images/flagKit/ZW.svg</file>
@@ -1,7 +1,7 @@
 #include "secure_qsettings.h"
-#include "QAead.h"
+#include "../client/3rd/QSimpleCrypto/src/include/QAead.h"
-#include "QBlockCipher.h"
+#include "../client/3rd/QSimpleCrypto/src/include/QBlockCipher.h"
 #include "utilities.h"
 #include <QDataStream>
 #include <QDebug>
@@ -6,7 +6,7 @@
 #include <QObject>
 #include <QSettings>
-#include "keychain.h"
+#include "../client/3rd/qtkeychain/qtkeychain/keychain.h"
 class SecureQSettings : public QObject
 {
@@ -44,3 +44,4 @@ RUN echo -e " \n\
 ENTRYPOINT [ "dumb-init", "/opt/amnezia/start.sh" ]
 CMD [ "" ]
@@ -23,4 +23,5 @@ H1 = $INIT_PACKET_MAGIC_HEADER
 H2 = $RESPONSE_PACKET_MAGIC_HEADER
 H3 = $UNDERLOAD_PACKET_MAGIC_HEADER
 H4 = $TRANSPORT_PACKET_MAGIC_HEADER
 EOF
@@ -0,0 +1,519 @@
 #!/bin/sh
 LOG_DATE=$(date -u +'%Y%m%d-%H%M%S')
 SCRIPT_DIR=$(dirname "$0")
 LOG_FILE="${SCRIPT_DIR}/server-diagnostics-${LOG_DATE}.log"
 # Logging function (sh compatible)
 log_and_display() {
    if [ "$1" = "-n" ]; then
        shift
        printf "%s" "$*" | tee -a "$LOG_FILE"
    else
        echo "$1" | tee -a "$LOG_FILE"
    fi
 }
 # Redirect stderr to stdout for logging
 exec 2>&1
 header() {
    log_and_display ""
    log_and_display "=== $1 ==="
 }
 # Pause for cancellation
 log_and_display ""
 log_and_display "VPN Server Diagnostics will start in 9s. Press Ctrl+C to cancel."
 sleep 9
 log_and_display ""
 header "STARTING VPN SERVER DIAGNOSTICS"
 log_and_display ""
 # ------------------------------------------------------------------------------
 # 1. Basic system information
 # ------------------------------------------------------------------------------
 header "System Information"
 # Uptime
 UPTIME_STR=$(awk '{printf "%d:%02d:%02d", int($1/3600), int(($1%3600)/60), int($1%60)}' /proc/uptime 2>/dev/null || echo "unknown")
    log_and_display "Uptime (H:M:S): $UPTIME_STR"
 # Date/time UTC
 DATE_UTC=$(date -u +'%d %b %Y|%T' 2>/dev/null || echo "unknown")
    log_and_display "Date|Time (UTC): $DATE_UTC"
 # Init system (PID 1)
 INIT_NAME=$(cat /proc/1/status 2>/dev/null | head -1 | awk '{print $2}' 2>/dev/null || echo "unknown")
    log_and_display "Init system (PID 1): $INIT_NAME"
 # Locale
 if echo "$LANG" | grep -E '^(en_US.UTF-8|C.UTF-8|C)$' >/dev/null 2>&1; then
  log_and_display "Locale: $LANG"
 else
  log_and_display "Locale: $LANG (not en_US.UTF-8, C.UTF-8 or C)"
 fi
 # ------------------------------------------------------------------------------
 # 2. Package manager detection
 # ------------------------------------------------------------------------------
 header "Package Manager Information"
 if command -v apt-get >/dev/null 2>&1; then
  log_and_display "Package Manager: APT"
  PM="apt-get"
  PM_VER_OPT="--version"
  DOCKER_PKG="docker.io"
 elif command -v dnf >/dev/null 2>&1; then
  log_and_display "Package Manager: DNF"
  PM="dnf"
  PM_VER_OPT="--version"
  DOCKER_PKG="docker"
 elif command -v yum >/dev/null 2>&1; then
  log_and_display "Package Manager: YUM"
  PM="yum"
  PM_VER_OPT="--version"
  DOCKER_PKG="docker"
 elif command -v zypper >/dev/null 2>&1; then
  log_and_display "Package Manager: ZYPPER"
  PM="zypper"
  PM_VER_OPT="--version"
  DOCKER_PKG="docker"
 elif command -v pacman >/dev/null 2>&1; then
  log_and_display "Package Manager: PACMAN"
  PM="pacman"
  PM_VER_OPT="--version"
  DOCKER_PKG="docker"
 elif command -v opkg >/dev/null 2>&1; then
  log_and_display "Package Manager: OPKG - Not supported on this platform"
  PM="opkg"
  PM_VER_OPT="--version"
  DOCKER_PKG="docker"
 else
  log_and_display "Package Manager: Unknown"
  # fallback
  PM="uname"
  PM_VER_OPT="-a"
  DOCKER_PKG="docker"
 fi
 # Check package versions
 log_and_display ""
 log_and_display "Package versions:"
 # Check sudo
 if [ "$PM" = "apt-get" ]; then
  sudo_version=$(dpkg -s "sudo" 2>/dev/null | grep '^Version:' | awk '{print $2}' || echo "not installed")
 elif [ "$PM" = "dnf" ] || [ "$PM" = "yum" ] || [ "$PM" = "zypper" ]; then
  sudo_version=$(rpm -q "sudo" 2>/dev/null || echo "not installed")
 elif [ "$PM" = "pacman" ]; then
  sudo_version=$(pacman -Q "sudo" 2>/dev/null || echo "not installed")
 elif [ "$PM" = "opkg" ]; then
  sudo_version=$(opkg info "sudo" 2>/dev/null | grep '^Version:' | awk '{print $2}' || echo "not installed")
 else
  sudo_version="unknown"
 fi
 log_and_display "  sudo: $sudo_version"
 # Check Docker package
 if [ "$PM" = "apt-get" ]; then
  docker_pkg_version=$(dpkg -s "$DOCKER_PKG" 2>/dev/null | grep '^Version:' | awk '{print $2}' || echo "not installed")
 elif [ "$PM" = "dnf" ] || [ "$PM" = "yum" ] || [ "$PM" = "zypper" ]; then
  docker_pkg_version=$(rpm -q "$DOCKER_PKG" 2>/dev/null || echo "not installed")
 elif [ "$PM" = "pacman" ]; then
  docker_pkg_version=$(pacman -Q "$DOCKER_PKG" 2>/dev/null || echo "not installed")
 elif [ "$PM" = "opkg" ]; then
  docker_pkg_version=$(opkg info "$DOCKER_PKG" 2>/dev/null | grep '^Version:' | awk '{print $2}' || echo "not installed")
 else
  docker_pkg_version="unknown"
 fi
 log_and_display "  $DOCKER_PKG: $docker_pkg_version"
 # Check lsof
 if [ "$PM" = "apt-get" ]; then
  lsof_version=$(dpkg -s "lsof" 2>/dev/null | grep '^Version:' | awk '{print $2}' || echo "not installed")
 elif [ "$PM" = "dnf" ] || [ "$PM" = "yum" ] || [ "$PM" = "zypper" ]; then
  lsof_version=$(rpm -q "lsof" 2>/dev/null || echo "not installed")
 elif [ "$PM" = "pacman" ]; then
  lsof_version=$(pacman -Q "lsof" 2>/dev/null || echo "not installed")
 elif [ "$PM" = "opkg" ]; then
  lsof_version=$(opkg info "lsof" 2>/dev/null | grep '^Version:' | awk '{print $2}' || echo "not installed")
 else
  lsof_version="unknown"
 fi
 log_and_display "  lsof: $lsof_version"
 # ------------------------------------------------------------------------------
 # 3. Additional system information (hostnamectl / /proc/version)
 # ------------------------------------------------------------------------------
 header "OS / Kernel Information"
 if command -v hostnamectl >/dev/null 2>&1; then
  hostnamectl 2>/dev/null | grep -E 'Operating System:|Virtualization:|Kernel:|Architecture:' | sed 's/^[ \t]*//;s/:/: /' | while read line; do
    log_and_display "  $line"
  done
 else
  log_and_display "Operating System: $(cat /proc/version 2>/dev/null || echo 'unknown')"
 fi
 # CPU threads
 CPU_THREADS=$(nproc 2>/dev/null || grep -c "^processor" /proc/cpuinfo 2>/dev/null || echo "unknown")
 log_and_display "  CPU threads: $CPU_THREADS"
 # ------------------------------------------------------------------------------
 # 4. Memory (RAM) check
 # ------------------------------------------------------------------------------
 header "Memory Information"
 if command -v free >/dev/null 2>&1; then
  # Remove extra spaces in header
  free -h 2>/dev/null | tee -a "$LOG_FILE" || log_and_display "  Error getting memory info"
 elif command -v vmstat >/dev/null 2>&1; then
  vmstat -S M -s 2>/dev/null | grep -iE 'total memory|total swap' | sed 's/ *//' | tee -a "$LOG_FILE" || log_and_display "  Error getting memory info"
 else
  grep -iE 'MemTotal|SwapTotal' /proc/meminfo 2>/dev/null | sed 's/ \+/ /' | tee -a "$LOG_FILE" || log_and_display "  Error getting memory info"
 fi
 if command -v free >/dev/null 2>&1; then
  log_and_display ""
  log_and_display "Detailed Memory Info:"
  free -h 2>/dev/null | awk 'NR==2{printf "  Used: %s / %s (%.1f%%)\n", $3, $2, $3/$2*100}' 2>/dev/null | tee -a "$LOG_FILE" || log_and_display "  Error calculating memory usage"
 free -h 2>/dev/null | awk 'NR==3{printf "  Swap: %s / %s (%.1f%%)\n", $3, $2, $2>0 ? $3/$2*100 : 0}' 2>/dev/null | tee -a "$LOG_FILE" || log_and_display "  Error calculating swap usage"
 fi
 # Disk usage
 header "Disk Usage"
 df -h 2>/dev/null | awk '
 BEGIN {print "  Filesystem   Size  Used Avail Use% Mounted"}
 NR>1 {printf "  %-10s %5s %5s %5s %4s %s\n", $1, $2, $3, $4, $5, $6}' | tee -a "$LOG_FILE" || log_and_display "  Error getting disk usage"
 # ------------------------------------------------------------------------------
 # 5. Current user and sudo check
 # ------------------------------------------------------------------------------
 header "User Check"
 CUR_USER=$(whoami 2>/dev/null || echo ~ | sed 's/.*\///')
 USER_GROUP=$(groups "$CUR_USER" 2>/dev/null || echo "")
 USER_GOOD=0
 log_and_display -n "Current user: $CUR_USER => "
 if [ "$CUR_USER" = "root" ]; then
  log_and_display "passed.. (is root)"
  USER_GOOD="r" # root
 else
  if echo "$USER_GROUP" | grep -qE '(^|[[:space:]])sudo($|[[:space:]])'; then
    log_and_display "passed.. (in sudo group)"
    USER_GOOD=1
  elif echo "$USER_GROUP" | grep -qE '(^|[[:space:]])wheel($|[[:space:]])'; then
    log_and_display "passed.. (in wheel group)"
    USER_GOOD=1
  elif echo "$USER_GROUP" | grep -qE '(^|[[:space:]])docker($|[[:space:]])'; then
    log_and_display "failed.. (only in docker group)"
    USER_GOOD="d"
  else
    log_and_display "failed.. (not a member of the sudo or wheel groups)"
    USER_GOOD=0
  fi
 fi
 # Check if password is required for sudo
 if [ "$USER_GOOD" = "0" ] || [ "$USER_GOOD" = "d" ]; then
  log_and_display -n "Passwd request: "
  log_and_display "check skipped (not sudoer)"
 else
  if command -v sudo >/dev/null 2>&1; then
    # Try sudo without password - more thorough check
    PASSWD_REQUEST=$(sudo -K 2>&1 && sudo -nu $CUR_USER $PM $PM_VER_OPT 2>&1 >/dev/null && sudo -n $PM $PM_VER_OPT 2>&1 >/dev/null)
    if [ -n "$PASSWD_REQUEST" ]; then
      USER_GOOD=0
      log_and_display -n "Passwd request: "
      log_and_display "failed.. ($PASSWD_REQUEST)" \
        | sed "s/$CUR_USER/User/g;s/$(hostname 2>/dev/null || echo 'Server')/Server/g;s/ user / /g"
    else
      log_and_display -n "Passwd request: "
      log_and_display "passed.. (not required)"
    fi
  else
    if [ "$USER_GOOD" = "r" ]; then
      log_and_display -n "Passwd request: "
      log_and_display "check skipped (sudo not installed, but root user)"
    else
      log_and_display "Warning! The sudo package must be pre-installed!"
      USER_GOOD=0
    fi
  fi
 fi
 # Home directory check
 log_and_display -n "Home dir: "
 if cd ~ 2>/dev/null; then
  log_and_display "passed.. (accessible)"
 else
  log_and_display "failed.. (not accessible)"
 fi
 log_and_display "Default shell: $SHELL"
 # ------------------------------------------------------------------------------
 # 6. Important components check (sudo, lsof, fuser, apparmor)
 # ------------------------------------------------------------------------------
 header "Component Checks"
 log_and_display -n "    sudo: "
 if command -v sudo >/dev/null 2>&1; then
  log_and_display "passed.. (installed)"
 else
  log_and_display "not installed"
 fi
 log_and_display -n "    lsof: "
 if command -v lsof >/dev/null 2>&1; then
  log_and_display "passed.. (installed)"
 else
  log_and_display "not installed"
 fi
 log_and_display -n "   fuser: "
 if command -v fuser >/dev/null 2>&1; then
  log_and_display "passed.. (installed)"
 else
  log_and_display "psmisc not installed"
 fi
 log_and_display -n "apparmor: "
 AA_ENABLED=$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo "N")
 if [ "$AA_ENABLED" = "Y" ]; then
  if command -v apparmor_parser >/dev/null 2>&1; then
    log_and_display "passed.. (used)"
  else
    log_and_display "failed.. (installation required)"
  fi
 else
  if command -v apparmor_parser >/dev/null 2>&1; then
    log_and_display "passed.. (not used)"
  else
    log_and_display "passed.. (not required)"
  fi
 fi
 # ------------------------------------------------------------------------------
 # 7. SELinux check
 # ------------------------------------------------------------------------------
 header "SELinux Check"
 if command -v getenforce >/dev/null 2>&1; then
  SELINUX_STATUS=$(getenforce 2>/dev/null || echo "unknown")
  if [ "$SELINUX_STATUS" = "Enforcing" ]; then
    log_and_display "SELinux status: $SELINUX_STATUS (strict mode)"
  elif [ "$SELINUX_STATUS" = "Permissive" ]; then
    log_and_display "SELinux status: $SELINUX_STATUS (permissive mode)"
  else
    log_and_display "SELinux status: $SELINUX_STATUS (disabled)"
  fi
 else
  log_and_display "SELinux: not found (or not applicable)"
 fi
 # ------------------------------------------------------------------------------
 # 8. Docker + Docker/Podman service check
 # ------------------------------------------------------------------------------
 header "Docker / Podman Status"
 CHECK_CONTAINERS=0
 if ! command -v docker >/dev/null 2>&1; then
  log_and_display "Docker: $DOCKER_PKG not installed"
 else
  # If user is in sudoers, use sudo without password
  if [ "$USER_GOOD" = "1" ]; then
    SUD="sudo -n"
  elif [ "$USER_GOOD" = "r" ]; then
    SUD="" # root
  else
    SUD=""
  fi
  DOCKER_VERSION=$($SUD docker -v 2>/dev/null || echo 'docker -v error')
  log_and_display "Installed: $DOCKER_VERSION"
  # Check for podman
  if echo "$DOCKER_VERSION" | grep -qi "podman"; then
    log_and_display "  WARNING: Podman detected - not supported at the moment!"
    log_and_display "  Podman (podman-docker) is not supported and is installed by mistake"
    docker_service="podman.socket"
  else
    docker_service="docker.service"
  fi
  log_and_display "  service: $docker_service"
  # Check status
  if command -v systemctl >/dev/null 2>&1; then
    docker_status=$(systemctl is-active "$docker_service" 2>/dev/null || echo "unknown")
    docker_loading=$(systemctl is-enabled "$docker_service" 2>/dev/null || echo "unknown")
  else
    docker_status="unknown (systemctl not found)"
    docker_loading="unknown"
  fi
  if [ "$docker_status" = "active" ]; then
    log_and_display "   status: passed.. ($docker_status)"
    CHECK_CONTAINERS=1
  else
    log_and_display "   status: incorrect.. ($docker_status)"
    CHECK_CONTAINERS=0
  fi
  if [ "$docker_loading" = "enabled" ]; then
    log_and_display "  loading: good (startup $docker_loading)"
  else
    log_and_display "  loading: bad (startup $docker_loading)"
  fi
 fi
 # ------------------------------------------------------------------------------
 # 9. Docker pull test + container check with improved Docker Hub verification
 # ------------------------------------------------------------------------------
 header "Docker Hub: pull hello-world test"
 if [ "$CHECK_CONTAINERS" = "1" ] && [ "$USER_GOOD" != "0" ]; then
  # First check Docker Hub availability
  log_and_display "Checking Docker Hub connectivity..."
  # Try to execute docker pull with timeout
  if timeout 30 $SUD docker pull docker.io/library/hello-world >/dev/null 2>&1; then
    log_and_display "Docker Hub: available"
    # Start container for testing
    if $SUD docker run --rm docker.io/library/hello-world >/dev/null 2>&1; then
      log_and_display "Hello-world container: successfully started and completed"
    else
      log_and_display "Hello-world container: startup error"
    fi
  else
    log_and_display "Docker Hub: unavailable or blocked (possibly exceeded download limit)"
    log_and_display "Docker Hub has download limits, try again later"
  fi
  log_and_display ""
  total_cont=$($SUD docker ps -aq 2>/dev/null | wc -l || echo "0")
  active_cont=$($SUD docker ps -q 2>/dev/null | wc -l || echo "0")
  amnezia_cont=$($SUD docker ps -a 2>/dev/null | grep -c amnezia || echo "0")
  log_and_display "Containers check: Total $total_cont / Active $active_cont / Amnezia $amnezia_cont"
  $SUD docker ps -a --format "{{.Names}} ({{.Image}}) ({{.Status}}) ({{.Ports}})" 2>/dev/null | grep amnezia || true
  # Peers check
  if $SUD docker ps 2>/dev/null | grep -qE '\<(amnezia-awg|amnezia-wireguard)\>'; then
    log_and_display ""
    log_and_display "Peers check (beta):"
    if $SUD docker ps 2>/dev/null | grep -q amnezia-awg; then
      AMNEZIA_WG_CONTAINER=$($SUD docker ps 2>/dev/null | grep amnezia-awg | awk '{print $1}' | head -1)
      if [ -n "$AMNEZIA_WG_CONTAINER" ]; then
        WG_PEERS=$($SUD docker exec -it "$AMNEZIA_WG_CONTAINER" wg show 2>/dev/null | grep -c 'peer' || echo "0")
        log_and_display "AmneziaWG peers: $WG_PEERS"
      fi
    fi
    if $SUD docker ps 2>/dev/null | grep -q amnezia-wireguard; then
      WIREGUARD_CONTAINER=$($SUD docker ps 2>/dev/null | grep amnezia-wireguard | awk '{print $1}' | head -1)
      if [ -n "$WIREGUARD_CONTAINER" ]; then
        WG_PEERS=$($SUD docker exec -it "$WIREGUARD_CONTAINER" wg show 2>/dev/null | grep -c 'peer' || echo "0")
        log_and_display "WireGuard peers: $WG_PEERS"
      fi
    fi
  fi
 else
  log_and_display "skipped.."
 fi
 # ------------------------------------------------------------------------------
 # 10. Additional improvements
 # ------------------------------------------------------------------------------
 #
 # 10.1. CPU and memory load check (Load average, top processes)
 #
 header "CPU & Memory usage (top)"
 # Load average (last 1,5,15 minutes)
 LOAD_AVG=$(uptime 2>/dev/null | awk -F'load average:' '{print $2}' || echo "unknown")
 log_and_display "Load average: $LOAD_AVG"
 log_and_display ""
 log_and_display "Top 5 processes by CPU:"
 ps aux 2>/dev/null | sort -k3 -nr | head -n 6 | awk '{printf "%s %s %s %s %s\n", $1,$2,$3"%",$4"%",$11}' | column -t 2>/dev/null | tee -a "$LOG_FILE" || log_and_display "  Error getting CPU processes"
 log_and_display ""
 log_and_display "Top 5 processes by MEM:"
 ps aux 2>/dev/null | sort -k4 -nr | head -n 6 | awk '{printf "%s %s %s %s %s\n", $1,$2,$3"%",$4"%",$11}' | column -t 2>/dev/null | tee -a "$LOG_FILE" || log_and_display "  Error getting MEM processes"
 # 10.2. System logs check (latest critical messages)
 header "Last 10 critical/error messages (journalctl)"
 if command -v journalctl >/dev/null 2>&1; then
  journalctl -p 3 -n 10 --no-pager 2>/dev/null | tee -a "$LOG_FILE" || log_and_display "  Error getting system logs"
 else
  log_and_display "journalctl not found (non-systemd system?)"
 fi
 # 10.3. System package versions check (examples)
 # Open ports check
 header "Network Ports Check"
 if command -v netstat >/dev/null 2>&1; then
  log_and_display "Listening ports:"
  netstat -tlnp 2>/dev/null | grep LISTEN | head -10 | while read line; do
    log_and_display "  $line"
  done
 elif command -v ss >/dev/null 2>&1; then
  log_and_display "Listening ports:"
  ss -tlnp 2>/dev/null | head -10 | while read line; do
    log_and_display "  $line"
  done
 else
  log_and_display "netstat/ss not found"
 fi
 # SSH check
 header "SSH Service Check"
 if command -v systemctl >/dev/null 2>&1; then
  ssh_status=$(systemctl is-active ssh 2>/dev/null || systemctl is-active sshd 2>/dev/null || echo "not found")
  if [ "$ssh_status" = "active" ]; then
    log_and_display "SSH service: $ssh_status"
  else
    log_and_display "SSH service: $ssh_status"
  fi
 else
  log_and_display "systemctl not found"
 fi
 # Time check
 header "Time Synchronization"
 if command -v timedatectl >/dev/null 2>&1; then
  timedatectl status 2>/dev/null | grep -E "System clock|NTP service" | while read line; do
    log_and_display "  $line"
  done
 else
  log_and_display "  System time: $(date 2>/dev/null || echo 'unknown')"
 fi
 # Kernel check
 header "Kernel Information"
 log_and_display "Kernel version: $(uname -r 2>/dev/null || echo 'unknown')"
 log_and_display "Kernel architecture: $(uname -m 2>/dev/null || echo 'unknown')"
 if [ -f /proc/cmdline ]; then
  log_and_display "Kernel parameters:"
  cat /proc/cmdline 2>/dev/null | tr ' ' '\n' | head -5 | while read param; do
    log_and_display "  $param"
  done
 fi
 # ------------------------------------------------------------------------------
 # Completion
 # ------------------------------------------------------------------------------
 log_and_display ""
 header "FINISH"
 log_and_display ""
 log_and_display "Diagnostics completed. Log saved to: $LOG_FILE"
 log_and_display ""
 # Variable cleanup
 pm="" && opt="" && docker_pkg="" && CUR_USER="" && USER_GOOD="" && USER_GROUP="" && PASSWD_REQUEST="" && CHECK_CONTAINERS="" && SUD="" && docker_service="" && docker_status="" && docker_loading="" 
@@ -1,6 +1,7 @@
-if which apt-get > /dev/null 2>&1; then LOCK_FILE="/var/lib/dpkg/lock-frontend";\
+if which apt-get > /dev/null 2>&1; then LOCK_CMD="fuser"; LOCK_FILE="/var/lib/dpkg/lock-frontend";\
-elif which dnf > /dev/null 2>&1; then LOCK_FILE="/var/run/dnf.pid";\
+elif which dnf > /dev/null 2>&1; then LOCK_CMD="fuser"; LOCK_FILE="/var/cache/dnf/* /var/run/dnf/* /var/lib/dnf/* /var/lib/rpm/*";\
-elif which yum > /dev/null 2>&1; then LOCK_FILE="/var/run/yum.pid";\
+elif which yum > /dev/null 2>&1; then LOCK_CMD="cat"; LOCK_FILE="/var/run/yum.pid";\
-elif which pacman > /dev/null 2>&1; then LOCK_FILE="/var/lib/pacman/db.lck";\
+elif which zypper > /dev/null 2>&1; then LOCK_CMD="cat"; LOCK_FILE="/var/run/zypp.pid";\
 elif which pacman > /dev/null 2>&1; then LOCK_CMD="fuser"; LOCK_FILE="/var/lib/pacman/db.lck";\
 else echo "Packet manager not found"; echo "Internal error"; exit 1; fi;\
-if command -v fuser > /dev/null 2>&1; then sudo fuser $LOCK_FILE 2>/dev/null; else echo "fuser not installed"; fi
+if command -v $LOCK_CMD > /dev/null 2>&1; then sudo $LOCK_CMD $LOCK_FILE 2>/dev/null; else echo "$LOCK_CMD not installed"; fi
@@ -1,6 +1,7 @@
 if which apt-get > /dev/null 2>&1; then pm=$(which apt-get); opt="--version";\
 elif which dnf > /dev/null 2>&1; then pm=$(which dnf); opt="--version";\
 elif which yum > /dev/null 2>&1; then pm=$(which yum); opt="--version";\
 elif which zypper > /dev/null 2>&1; then pm=$(which zypper); opt="--version";\
 elif which pacman > /dev/null 2>&1; then pm=$(which pacman); opt="--version";\
 else pm="uname"; opt="-a";\
 fi;\
@@ -1,6 +1,7 @@
 if which apt-get > /dev/null 2>&1; then pm=$(which apt-get); silent_inst="-yq install"; check_pkgs="-yq update"; docker_pkg="docker.io"; dist="debian";\
 elif which dnf > /dev/null 2>&1; then pm=$(which dnf); silent_inst="-yq install"; check_pkgs="-yq check-update"; docker_pkg="docker"; dist="fedora";\
 elif which yum > /dev/null 2>&1; then pm=$(which yum); silent_inst="-y -q install"; check_pkgs="-y -q check-update"; docker_pkg="docker"; dist="centos";\
 elif which zypper > /dev/null 2>&1; then pm=$(which zypper); silent_inst="-nq install"; check_pkgs="-nq refresh"; docker_pkg="docker"; dist="opensuse";\
 elif which pacman > /dev/null 2>&1; then pm=$(which pacman); silent_inst="-S --noconfirm --noprogressbar --quiet"; check_pkgs="-Sup"; docker_pkg="docker"; dist="archlinux";\
 else echo "Packet manager not found"; exit 1; fi;\
 echo "Dist: $dist, Packet manager: $pm, Install command: $silent_inst, Check pkgs command: $check_pkgs, Docker pkg: $docker_pkg";\
@@ -1,7 +1,7 @@
 FROM alpine:3.15
 LABEL maintainer="AmneziaVPN"
-ARG XRAY_RELEASE="v1.8.6"
+ARG XRAY_RELEASE="v25.8.3"
 RUN apk add --no-cache curl unzip bash openssl netcat-openbsd dumb-init rng-tools xz
 RUN apk --update upgrade --no-cache
--- a/Show More
+++ b/Show More
`@@ -44,3 +44,4 @@ RUN echo -e " \n\`

	`ENTRYPOINT [ "dumb-init", "/opt/amnezia/start.sh" ]`	`ENTRYPOINT [ "dumb-init", "/opt/amnezia/start.sh" ]`
	`CMD [ "" ]`	`CMD [ "" ]`