feat: add support for tvOS platform

refactor: separate network extension sources for different protocols and platforms
feat: add Apple TV support for network extension and refactor ios cmake scripts
2026-06-21 02:01:03 +07:00 · 2026-04-14 16:34:04 +03:00 · 2026-02-16 15:15:52 +02:00 · 2026-02-13 16:51:44 +02:00 · 2026-02-13 00:17:19 +02:00
191 changed files with 2982 additions and 6755 deletions
@@ -10,14 +10,13 @@ env:

 jobs:
  Build-Linux-Ubuntu:
-    runs-on: android-runner
+    runs-on: 4-core

    env:
-      QT_VERSION: 6.10.1
+      QT_VERSION: 6.8.3
      QIF_VERSION: 4.7
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
-      FALLBACK_S3_ENDPOINT: ${{ secrets.FALLBACK_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
@@ -59,7 +58,7 @@ jobs:

    - name: 'Build project'
      run: |
-        sudo apt-get install libxkbcommon-x11-0 libsecret-1-dev
+        sudo apt-get install libxkbcommon-x11-0
        export QT_BIN_DIR=${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/gcc_64/bin
        export QIF_BIN_DIR=${{ runner.temp }}/Qt/Tools/QtInstallerFramework/${{ env.QIF_VERSION }}/bin
        bash deploy/build_linux.sh
@@ -99,7 +98,6 @@ jobs:
      BUILD_ARCH: 64
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
-      FALLBACK_S3_ENDPOINT: ${{ secrets.FALLBACK_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
@@ -206,7 +204,6 @@ jobs:
      CXX: c++
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
-      FALLBACK_S3_ENDPOINT: ${{ secrets.FALLBACK_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
@@ -321,7 +318,6 @@ jobs:

      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
-      FALLBACK_S3_ENDPOINT: ${{ secrets.FALLBACK_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
@@ -399,7 +395,6 @@ jobs:

      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
-      FALLBACK_S3_ENDPOINT: ${{ secrets.FALLBACK_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
@@ -482,7 +477,6 @@ jobs:

      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
-      FALLBACK_S3_ENDPOINT: ${{ secrets.FALLBACK_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
@@ -543,15 +537,14 @@ jobs:
 # ------------------------------------------------------

  Build-Android:
-    runs-on: android-runner
+    runs-on: 4-core

    env:
      ANDROID_BUILD_PLATFORM: android-36
-      QT_VERSION: 6.11.1
+      QT_VERSION: 6.10.1
      QT_MODULES: 'qtremoteobjects qt5compat qtimageformats qtshadertools'
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
-      FALLBACK_S3_ENDPOINT: ${{ secrets.FALLBACK_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
@@ -17,7 +17,6 @@ jobs:
      QIF_VERSION: 4.5
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
-      FALLBACK_S3_ENDPOINT: ${{ secrets.FALLBACK_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
@@ -24,7 +24,7 @@ jobs:
      - name: Verify git tag
        run: |
          TAG_NAME=${{ inputs.RELEASE_VERSION }}
-          CMAKE_TAG=$(grep 'set(AMNEZIAVPN_VERSION' CMakeLists.txt | sed -E 's/.*AMNEZIAVPN_VERSION ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/')
+          CMAKE_TAG=$(grep 'project.*VERSION' CMakeLists.txt | sed -E 's/.* ([0-9]+.[0-9]+.[0-9]+.[0-9]+)$/\1/')
          if [[ "$TAG_NAME" == "$CMAKE_TAG" ]]; then
            echo "Git tag ($TAG_NAME) matches CMakeLists.txt version ($CMAKE_TAG)."
          else
@@ -140,6 +140,3 @@ ios-ne-build.sh
 macos-ne-build.sh
 macos-signed-build.sh
 macos-with-sign-build.sh
-DeveloperIdApplicationCertificate.p12
-DeveloperIdInstallerCertificate.p12
-
@@ -14,7 +14,3 @@
 [submodule "client/3rd/QSimpleCrypto"]
 	path = client/3rd/QSimpleCrypto
 	url = https://github.com/amnezia-vpn/QSimpleCrypto.git
-[submodule "client/3rd/qtgamepad"]
-	path = client/3rd/qtgamepad
-	url = https://github.com/amnezia-vpn/qtgamepad.git
-	branch = 6.6
@@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)

 set(PROJECT AmneziaVPN)
-set(AMNEZIAVPN_VERSION 4.8.19.0)
+set(AMNEZIAVPN_VERSION 4.8.12.8)

 project(${PROJECT} VERSION ${AMNEZIAVPN_VERSION}
        DESCRIPTION "AmneziaVPN"
@@ -12,7 +12,7 @@ string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")

 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2129)
+set(APP_ANDROID_VERSION_CODE 2104)

 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
    set(MZ_PLATFORM_NAME "linux")
@@ -24,6 +24,8 @@ elseif(${CMAKE_SYSTEM_NAME} STREQUAL "Android")
    set(MZ_PLATFORM_NAME "android")
 elseif(${CMAKE_SYSTEM_NAME} STREQUAL "iOS")
    set(MZ_PLATFORM_NAME "ios")
+elseif(${CMAKE_SYSTEM_NAME} STREQUAL "tvOS")
+    set(MZ_PLATFORM_NAME "ios")
 elseif(${CMAKE_SYSTEM_NAME} STREQUAL "Emscripten")
    set(MZ_PLATFORM_NAME "wasm")
 endif()
@@ -33,7 +35,7 @@ set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)

 if(APPLE)
-    if(IOS)
+    if(IOS OR CMAKE_SYSTEM_NAME STREQUAL "tvOS")
        set(CMAKE_OSX_ARCHITECTURES "arm64")
    elseif(MACOS_NE)
        set(CMAKE_OSX_ARCHITECTURES "arm64;x86_64")
@@ -44,7 +46,7 @@ endif()

 add_subdirectory(client)

-if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
+if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
    add_subdirectory(service)

    include(${CMAKE_SOURCE_DIR}/deploy/installer/config.cmake)
@@ -52,7 +54,7 @@ endif()

 set(AMNEZIA_STAGE_DIR "${CMAKE_BINARY_DIR}/stage")

-if(WIN32 AND NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
+if(WIN32 AND NOT IOS AND NOT ANDROID AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
    file(TO_CMAKE_PATH "${AMNEZIA_STAGE_DIR}" AMNEZIA_STAGE_DIR_CMAKE)

    set(CPACK_GENERATOR "WIX")
@@ -61,9 +63,6 @@ if(WIN32 AND NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
    set(CPACK_PACKAGE_VENDOR "AmneziaVPN")
    set(CPACK_PACKAGE_VERSION ${AMNEZIAVPN_VERSION})
    set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "AmneziaVPN client")
-    set(AMNEZIA_LICENSE_TXT "${CMAKE_BINARY_DIR}/LICENSE.txt")
-    configure_file("${CMAKE_SOURCE_DIR}/LICENSE" "${AMNEZIA_LICENSE_TXT}" COPYONLY)
-    set(CPACK_RESOURCE_FILE_LICENSE "${AMNEZIA_LICENSE_TXT}")
    set(CPACK_PACKAGE_INSTALL_DIRECTORY "AmneziaVPN")
    set(CPACK_PACKAGE_DIRECTORY "${CMAKE_BINARY_DIR}")
    set(CPACK_PACKAGE_EXECUTABLES "AmneziaVPN" "AmneziaVPN")
@@ -179,7 +179,7 @@ You may face compiling issues in QT Creator after you've worked in Android Studi

 ## License

-This project is licensed under the GNU General Public License v3.0 (see LICENSE) and also includes third-party components distributed under their own terms (see THIRD_PARTY_LICENSES.md).
+GPL v3.0

 ## Donate

@@ -1,149 +0,0 @@
-# Third-Party Licenses
-
-This project is licensed under the GNU General Public License v3.0.
-This file lists third-party software components used by this repository.
-Each component is distributed under its own license as linked below.
-
---
-
-## QtKeychain
-
- Source: https://github.com/frankosterfeld/qtkeychain
- License: BSD License
- License Text: https://www.gnu.org/licenses/license-list.html#ModifiedBSD
-
---
-
-## QSimpleCrypto
-
- Source: https://github.com/n1flh31mur/QSimpleCrypto
- License: Apache License 2.0
- License Text: https://github.com/n1flh31mur/QSimpleCrypto/blob/master/LICENSE
-
---
-
-## SortFilterProxyModel
-
- Source: https://github.com/oKcerG/SortFilterProxyModel
- License: MIT License
- License Text: https://github.com/oKcerG/SortFilterProxyModel/blob/master/LICENSE
-
---
-
-## QJsonStruct
-
- Source: https://github.com/Qv2ray/QJsonStruct
- License: MIT License
- License Text: https://github.com/Qv2ray/QJsonStruct/blob/master/LICENSE
-
---
-
-## QR Code Generator (qrcodegen)
-
- Source: https://github.com/nayuki/QR-Code-generator
- License: MIT License
- License Text: https://www.nayuki.io/page/qr-code-generator-library
-
---
-
-## Qt Gamepad
-
- Source: https://github.com/qt/qtgamepad
- License: GNU General Public License v3.0 (GPL-3.0)
- License Text: https://www.gnu.org/licenses/gpl-3.0.en.html
-
---
-
-## AmneziaWG Apple (WireGuard)
-
- Source: https://github.com/amnezia-vpn/amneziawg-apple
- License: MIT License
- License Text: https://github.com/amnezia-vpn/amneziawg-apple/blob/master/COPYING
-
---
-
-## AmneziaWG Android
-
- Source: https://github.com/amnezia-vpn/amneziawg-go
- License: MIT License
- License Text: https://github.com/amnezia-vpn/amneziawg-go/blob/master/LICENSE
-
---
-
-## Xray Core
-
- Source: https://github.com/XTLS/Xray-core
- License: Mozilla Public License 2.0 (MPL-2.0)
- License Text: https://github.com/XTLS/Xray-core/blob/main/LICENSE
-
---
-
-## Cloak
-
- Source: https://github.com/cbeuw/Cloak
- License: GNU General Public License v3.0 (GPL-3.0)
- License Text: https://github.com/cbeuw/Cloak/blob/master/LICENSE
-
---
-
-## Shadowsocks
-
- Source: https://github.com/shadowsocks/shadowsocks-libev
- License: GPL-3.0-or-later
- License Text: http://www.gnu.org/licenses/
-
---
-
-## OpenSSL
-
- Source: https://github.com/openssl/openssl
- License: Apache License 2.0
- License Text: https://www.openssl.org/source/license.html
-
---
-
-## libssh
-
- Source: https://www.libssh.org/
- License: GNU Lesser General Public License (LGPL)
- License Text: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
-
---
-
-## OpenVPNAdapter
-
- Source: https://github.com/ss-abramchuk/OpenVPNAdapter
- License: GNU Affero General Public License v3.0 (AGPL-3.0)
- License Text: https://github.com/ss-abramchuk/OpenVPNAdapter/blob/master/LICENSE
-
---
-
-## Wintun
-
- Source: https://www.wintun.net/
- License: Prebuilt Binaries License
- License Text: https://github.com/WireGuard/wintun/blob/master/prebuilt-binaries-license.txt
-
---
-
-## Mullvad Split Tunnel Driver
-
- Source: https://github.com/mullvad/win-split-tunnel
- License: GNU General Public License v3.0 (GPL-3.0) and Mozilla Public License Version 2.0
- License Text: https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-GPL.md https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-MPL.txt
-
---
-
-## tun2socks
-
- Source: https://github.com/eycorsican/go-tun2socks
- License: MIT License
- License Text: https://github.com/eycorsican/go-tun2socks/blob/master/LICENSE
-
---
-
-## TAP-Windows Driver
-
- Source: https://github.com/OpenVPN/tap-windows6
- License: tap-windows6 license
- License Text: https://github.com/OpenVPN/tap-windows6/blob/master/COPYING
@@ -25,7 +25,6 @@ add_definitions(-DGIT_COMMIT_HASH="${GIT_COMMIT_HASH}")

 add_definitions(-DPROD_AGW_PUBLIC_KEY="$ENV{PROD_AGW_PUBLIC_KEY}")
 add_definitions(-DPROD_S3_ENDPOINT="$ENV{PROD_S3_ENDPOINT}")
-add_definitions(-DFALLBACK_S3_ENDPOINT="$ENV{FALLBACK_S3_ENDPOINT}")

 add_definitions(-DDEV_AGW_PUBLIC_KEY="$ENV{DEV_AGW_PUBLIC_KEY}")
 add_definitions(-DDEV_AGW_ENDPOINT="$ENV{DEV_AGW_ENDPOINT}")
@@ -34,7 +33,7 @@ add_definitions(-DDEV_S3_ENDPOINT="$ENV{DEV_S3_ENDPOINT}")
 add_definitions(-DFREE_V2_ENDPOINT="$ENV{FREE_V2_ENDPOINT}")
 add_definitions(-DPREM_V1_ENDPOINT="$ENV{PREM_V1_ENDPOINT}")

-if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS") OR (LINUX AND NOT ANDROID))
    set(PACKAGES ${PACKAGES} Widgets)
 endif()

@@ -47,7 +46,7 @@ set(LIBS ${LIBS}
    Qt6::Core5Compat Qt6::Concurrent
 )

-if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS") OR (LINUX AND NOT ANDROID))
    set(LIBS ${LIBS} Qt6::Widgets)
 endif()

@@ -57,9 +56,10 @@ target_include_directories(${PROJECT} PUBLIC
    $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>
 )

-if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS") OR (LINUX AND NOT ANDROID))
    qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_interface.rep)
    qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_process_interface.rep)
+    qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_process_tun2socks.rep)
 endif()

 qt6_add_resources(QRC ${QRC} ${CMAKE_CURRENT_LIST_DIR}/resources.qrc)
@@ -79,7 +79,6 @@ set(AMNEZIAVPN_TS_FILES
 )

 file(GLOB_RECURSE AMNEZIAVPN_TS_SOURCES *.qrc *.cpp *.h *.ui)
-list(FILTER AMNEZIAVPN_TS_SOURCES EXCLUDE REGEX "qtgamepad/examples")

 qt_create_translation(AMNEZIAVPN_QM_FILES ${AMNEZIAVPN_TS_SOURCES} ${AMNEZIAVPN_TS_FILES})

@@ -177,7 +176,7 @@ if(LINUX AND NOT ANDROID)
    link_directories(${CMAKE_CURRENT_LIST_DIR}/platforms/linux)
 endif()

-if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS") OR (LINUX AND NOT ANDROID))
    add_compile_definitions(AMNEZIA_DESKTOP)
 endif()

@@ -185,7 +184,8 @@ if(ANDROID)
    include(cmake/android.cmake)
 endif()

-if(IOS)
+if(IOS OR CMAKE_SYSTEM_NAME STREQUAL "tvOS")
+    option(AMNEZIA_IOS_ENABLE_APPLETV_TARGET "Enable Apple TV target settings for iOS/Xcode projects" OFF)
    include(cmake/ios.cmake)
    include(cmake/ios-arch-fixup.cmake)
 elseif(APPLE AND MACOS_NE)
@@ -207,11 +207,11 @@ if(WIN32)
    endif()
 elseif(LINUX)
    set(DEPLOY_PLATFORM_PATH "linux/client")
-elseif(APPLE AND NOT IOS)
+elseif(APPLE AND NOT IOS AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
    set(DEPLOY_PLATFORM_PATH "macos")
 endif()

-if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
+if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
    add_custom_command(
        TARGET ${PROJECT} POST_BUILD
        COMMAND ${CMAKE_COMMAND} -E $<IF:$<CONFIG:Debug>,copy_directory,true>
@@ -229,13 +229,4 @@ if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
 endif()

 target_sources(${PROJECT} PRIVATE ${SOURCES} ${HEADERS} ${RESOURCES} ${QRC} ${I18NQRC})
-
-# Finalize the executable so Qt can gather/deploy QML modules and plugins correctly (Android needs this).
-if(COMMAND qt_import_qml_plugins)
-    qt_import_qml_plugins(${PROJECT})
-endif()
-if(COMMAND qt_finalize_executable)
-    qt_finalize_executable(${PROJECT})
-else()
-    qt_finalize_target(${PROJECT})
-endif()
+qt_finalize_target(${PROJECT})
@@ -109,16 +109,6 @@ void AmneziaApplication::init()
            // install filter on main window
            if (auto win = qobject_cast<QQuickWindow*>(obj)) {
                win->installEventFilter(this);
-#ifdef Q_OS_ANDROID
-                QObject::connect(win, &QQuickWindow::sceneGraphError,
-                    [](QQuickWindow::SceneGraphError, const QString &msg) {
-                        qWarning() << "Scene graph error (suppressed):" << msg;
-                    });
-                // Keep graphics context alive across hide/show cycles to avoid
-                // eglSwapBuffers/makeCurrent being called on a context Android has reclaimed.
-                win->setPersistentSceneGraph(true);
-                win->setPersistentGraphics(true);
-#endif
                win->show();
            }
        },
@@ -260,7 +250,7 @@ bool AmneziaApplication::parseCommands()
    return true;
 }

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
 void AmneziaApplication::startLocalServer() {
    const QString serverName("AmneziaVPNInstance");
    QLocalServer::removeServer(serverName);
@@ -281,7 +271,7 @@ void AmneziaApplication::startLocalServer() {
 bool AmneziaApplication::eventFilter(QObject *watched, QEvent *event)
 {
    if (event->type() == QEvent::Close) {
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS)
        quit();
 #else
        if (m_forceQuit) {
@@ -6,7 +6,7 @@
 #include <QQmlApplicationEngine>
 #include <QQmlContext>
 #include <QThread>
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS)
  #include <QGuiApplication>
 #else
  #include <QApplication>
@@ -19,7 +19,7 @@

 #define amnApp (static_cast<AmneziaApplication *>(QCoreApplication::instance()))

-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS)
  #define AMNEZIA_BASE_CLASS QGuiApplication
 #else
  #define AMNEZIA_BASE_CLASS QApplication
@@ -37,7 +37,7 @@ public:
    void loadFonts();
    bool parseCommands();

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
    void startLocalServer();
 #endif

@@ -26,8 +26,6 @@ import android.os.ParcelFileDescriptor
 import android.os.SystemClock
 import android.provider.OpenableColumns
 import android.provider.Settings
-import android.view.InputDevice
-import android.view.KeyEvent
 import android.view.MotionEvent
 import android.view.View
 import android.view.ViewGroup
@@ -75,8 +73,6 @@ private const val OPEN_FILE_ACTION_CODE = 3
 private const val CHECK_NOTIFICATION_PERMISSION_ACTION_CODE = 4

 private const val PREFS_NOTIFICATION_PERMISSION_ASKED = "NOTIFICATION_PERMISSION_ASKED"
-private const val OPEN_FILE_AFTER_RESUME_DELAY_MS = 400L
-private const val KEY_PENDING_OPEN_FILE_URI = "pending_open_file_uri"

 class AmneziaActivity : QtActivity() {

@@ -93,12 +89,6 @@ class AmneziaActivity : QtActivity() {
    private val actionResultHandlers = mutableMapOf<Int, ActivityResultHandler>()
    private val permissionRequestHandlers = mutableMapOf<Int, PermissionRequestHandler>()

-    private var isActivityResumed = false
-    private var hasWindowFocus = false
-    private val resumeHandler = Handler(Looper.getMainLooper())
-    private var pendingOpenFileUri: String? = null
-    private var openFileDeliveryScheduled = false
-
    private val vpnServiceEventHandler: Handler by lazy(NONE) {
        object : Handler(Looper.getMainLooper()) {
            override fun handleMessage(msg: Message) {
@@ -200,18 +190,11 @@ class AmneziaActivity : QtActivity() {
                doBindService()
            }
        )
-        pendingOpenFileUri = savedInstanceState?.getString(KEY_PENDING_OPEN_FILE_URI)
-        openFileDeliveryScheduled = false
        registerBroadcastReceivers()
        intent?.let(::processIntent)
        runBlocking { vpnProto = proto.await() }
    }

-    override fun onSaveInstanceState(outState: Bundle) {
-        super.onSaveInstanceState(outState)
-        pendingOpenFileUri?.let { outState.putString(KEY_PENDING_OPEN_FILE_URI, it) }
-    }
-
    private fun loadLibs() {
        listOf(
            "rsapss",
@@ -277,11 +260,6 @@ class AmneziaActivity : QtActivity() {
    }

    override fun onStop() {
-        isActivityResumed = false
-        hasWindowFocus = false
-        // Cancel all pending operations when activity stops
-        resumeHandler.removeCallbacksAndMessages(null)
-        openFileDeliveryScheduled = false
        Log.d(TAG, "Stop Amnezia activity")
        doUnbindService()
        mainScope.launch {
@@ -293,129 +271,35 @@ class AmneziaActivity : QtActivity() {

    override fun onWindowFocusChanged(hasFocus: Boolean) {
        super.onWindowFocusChanged(hasFocus)
-        hasWindowFocus = hasFocus
        Log.d(TAG, "Window focus changed: hasFocus=$hasFocus")
-
-        if (!hasFocus) {
-            // Cancel pending operations if window loses focus
-            resumeHandler.removeCallbacksAndMessages(null)
-        } else if (isActivityResumed && Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
-            window.decorView.apply {
-                invalidate()
-                resumeHandler.postDelayed({
-                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
-                        sendTouch(1f, 1f)
-                    }
-                }, 50)
-                resumeHandler.postDelayed({
-                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
-                        sendTouch(2f, 2f)
-                        requestLayout()
-                        invalidate()
-                    }
-                }, 150)
-            }
-        }
    }

-    override fun dispatchKeyEvent(event: KeyEvent): Boolean {
-        val keyCode = event.keyCode
-        val pressed = event.action == KeyEvent.ACTION_DOWN
-
-        when (keyCode) {
-            KeyEvent.KEYCODE_BUTTON_A,
-            KeyEvent.KEYCODE_BUTTON_B,
-            KeyEvent.KEYCODE_BUTTON_X,
-            KeyEvent.KEYCODE_BUTTON_Y,
-            KeyEvent.KEYCODE_BUTTON_START,
-            KeyEvent.KEYCODE_BUTTON_SELECT -> {
-                    nativeGamepadKeyEvent(0, keyCode, pressed)
-                    return true
-            }
-            KeyEvent.KEYCODE_DPAD_CENTER,
-            KeyEvent.KEYCODE_DPAD_UP,
-            KeyEvent.KEYCODE_DPAD_DOWN,
-            KeyEvent.KEYCODE_DPAD_LEFT,
-            KeyEvent.KEYCODE_DPAD_RIGHT -> {
-                    val syntheticKeyCode = if (keyCode == KeyEvent.KEYCODE_DPAD_CENTER) KeyEvent.KEYCODE_ENTER else keyCode
-                    val synthetic = KeyEvent(
-                        event.downTime, event.eventTime, event.action, syntheticKeyCode,
-                        event.repeatCount, event.metaState, -1, event.scanCode,
-                        event.flags, InputDevice.SOURCE_KEYBOARD
-                    )
-                    return super.dispatchKeyEvent(synthetic)
-            }
-        }
-
-        return super.dispatchKeyEvent(event)
-    }
-
-    private external fun nativeGamepadKeyEvent(deviceId: Int, keyCode: Int, pressed: Boolean)
-
    override fun onPause() {
-        // Notify Qt to stop rendering BEFORE super.onPause() destroys the EGL surface.
-        // Using a coroutine here would be too late — the surface is gone by the time
-        // the coroutine runs. A direct synchronous call gives Qt's render thread the
-        // best chance to process visible=false before surface destruction.
-        if (qtInitialized.isCompleted) {
-            QtAndroidController.onActivityPaused()
-        }
        super.onPause()
-        isActivityResumed = false
-        // Cancel all pending operations when activity pauses
-        resumeHandler.removeCallbacksAndMessages(null)
-        openFileDeliveryScheduled = false
        Log.d(TAG, "Pause Amnezia activity")
    }

    override fun onResume() {
        super.onResume()
-        isActivityResumed = true
-        Log.d(TAG, "Resume Amnezia activity")
-        if (qtInitialized.isCompleted) {
-            QtAndroidController.onActivityResumed()
-        }
-
-        if (pendingOpenFileUri != null && !openFileDeliveryScheduled) {
-            val uri = pendingOpenFileUri!!
-            openFileDeliveryScheduled = true
-            resumeHandler.postDelayed({
-                if (!isFinishing && !isDestroyed) {
-                    pendingOpenFileUri = null
-                    openFileDeliveryScheduled = false
-                    mainScope.launch {
-                        qtInitialized.await()
-                        QtAndroidController.onFileOpened(uri)
-                    }
-                }
-            }, OPEN_FILE_AFTER_RESUME_DELAY_MS)
-        }
-
-        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+       /* if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            window.decorView.apply {
                invalidate()

-                resumeHandler.postDelayed({
-                    // Check if activity is still resumed and has focus before executing
-                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
-                        sendTouch(1f, 1f)
-                    }
+                postDelayed({
+                    sendTouch(1f, 1f)
                }, 100)
-
-                resumeHandler.postDelayed({
-                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
-                        sendTouch(2f, 2f)
-                    }
+                
+                postDelayed({
+                    sendTouch(2f, 2f)
                }, 200)
-
-                resumeHandler.postDelayed({
-                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
-                        requestLayout()
-                        invalidate()
-                    }
+                
+                postDelayed({
+                    requestLayout()
+                    invalidate()
                }, 250)
            }
-        }
+        }  */      
+        Log.d(TAG, "Resume Amnezia activity")
    }

    private fun configureWindowForEdgeToEdge() {
@@ -453,35 +337,31 @@ class AmneziaActivity : QtActivity() {
        ViewCompat.setOnApplyWindowInsetsListener(window.decorView) { view, windowInsets ->
            val imeInsets = windowInsets.getInsets(WindowInsetsCompat.Type.ime())
            val imeVisible = windowInsets.isVisible(WindowInsetsCompat.Type.ime())
-
+            
            val imeHeight = if (imeVisible) imeInsets.bottom else 0

            val density = resources.displayMetrics.density
            val imeHeightDp = (imeHeight / density).toInt()
-
+            
            // Also track system bars (navigation bar, status bar) changes
            val systemBarsInsets = windowInsets.getInsets(WindowInsetsCompat.Type.systemBars())
            val navBarHeight = systemBarsInsets.bottom
            val navBarHeightDp = (navBarHeight / density).toInt()
            val statusBarHeight = systemBarsInsets.top
            val statusBarHeightDp = (statusBarHeight / density).toInt()
-
+            
            mainScope.launch {
                qtInitialized.await()
                QtAndroidController.onImeInsetsChanged(imeHeightDp)
                QtAndroidController.onSystemBarsInsetsChanged(navBarHeightDp, statusBarHeightDp)
            }
-
+            
            // Return windowInsets instead of CONSUMED to allow proper handling
            windowInsets
        }
    }

    override fun onDestroy() {
-        isActivityResumed = false
-        hasWindowFocus = false
-        // Cancel all pending operations when activity is destroyed
-        resumeHandler.removeCallbacksAndMessages(null)
        Log.d(TAG, "Destroy Amnezia activity")
        unregisterBroadcastReceiver(notificationStateReceiver)
        notificationStateReceiver = null
@@ -792,16 +672,6 @@ class AmneziaActivity : QtActivity() {
                            else -> type = "*/*"
                        }
                    }
-                    // Force system document picker to avoid third-party file managers
-                    // that may lack storage permissions (common on Android TV devices)
-                    val systemPickerPackage = listOf("com.google.android.documentsui", "com.android.documentsui")
-                        .firstOrNull { pkg ->
-                            try { packageManager.getPackageInfo(pkg, 0); true }
-                            catch (_: PackageManager.NameNotFoundException) { false }
-                        }
-                    if (systemPickerPackage != null) {
-                        `package` = systemPickerPackage
-                    }
                }
            } else {
                Intent(this@AmneziaActivity, TvFilePicker::class.java)
@@ -817,13 +687,9 @@ class AmneziaActivity : QtActivity() {
                            grantUriPermission(packageName, this, Intent.FLAG_GRANT_READ_URI_PERMISSION)
                        }?.toString() ?: ""
                        Log.v(TAG, "Open file: $uri")
-                        if (uri.isNotEmpty()) {
-                            pendingOpenFileUri = uri
-                        } else {
-                            mainScope.launch {
-                                qtInitialized.await()
-                                QtAndroidController.onFileOpened(uri)
-                            }
+                        mainScope.launch {
+                            qtInitialized.await()
+                            QtAndroidController.onFileOpened(uri)
                        }
                    }
                ))
@@ -852,7 +718,7 @@ class AmneziaActivity : QtActivity() {
    @Suppress("unused")
    fun getFd(fileName: String): Int {
        Log.v(TAG, "Get fd for $fileName")
-        return blockingCall(Dispatchers.IO) {
+        return blockingCall {
            try {
                pfd = contentResolver.openFileDescriptor(Uri.parse(fileName), "r")
                pfd?.fd ?: -1
@@ -1074,11 +940,13 @@ class AmneziaActivity : QtActivity() {
    @Suppress("unused")
    fun sendTouch(x: Float, y: Float) {
        Log.v(TAG, "Send touch: $x, $y")
+        blockingCall {
            findQtWindow(window.decorView)?.let {
                Log.v(TAG, "Send touch to $it")
                it.dispatchTouchEvent(createEvent(x, y, SystemClock.uptimeMillis(), MotionEvent.ACTION_DOWN))
                it.dispatchTouchEvent(createEvent(x, y, SystemClock.uptimeMillis(), MotionEvent.ACTION_UP))
            }
+        }
    }

    private fun findQtWindow(view: View): View? {
@@ -1,10 +1,7 @@
 package org.amnezia.vpn

 import android.content.ActivityNotFoundException
-import android.content.Context
 import android.content.Intent
-import android.content.pm.PackageManager
-import android.os.Build
 import android.os.Bundle
 import androidx.activity.ComponentActivity
 import androidx.activity.result.contract.ActivityResultContracts
@@ -14,29 +11,8 @@ private const val TAG = "TvFilePicker"

 class TvFilePicker : ComponentActivity() {

-    private val fileChooseResultLauncher = registerForActivityResult(object : ActivityResultContracts.OpenDocument() {
-        override fun createIntent(context: Context, input: Array<String>): Intent {
-            val intent = super.createIntent(context, input)
-
-            val activitiesToResolveIntent = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
-                context.packageManager.queryIntentActivities(intent, PackageManager.ResolveInfoFlags.of(PackageManager.MATCH_DEFAULT_ONLY.toLong()))
-            } else {
-                @Suppress("DEPRECATION")
-                context.packageManager.queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY)
-            }
-            if (activitiesToResolveIntent.all {
-                    val name = it.activityInfo.packageName
-                    name.startsWith("com.google.android.tv.frameworkpackagestubs") || name.startsWith("com.android.tv.frameworkpackagestubs")
-                }) {
-                throw ActivityNotFoundException()
-            }
-            return intent
-        }
-    }) {
-        setResult(RESULT_OK, Intent().apply {
-            data = it
-            addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
-        })
+    private val fileChooseResultLauncher = registerForActivityResult(ActivityResultContracts.GetContent()) {
+        setResult(RESULT_OK, Intent().apply { data = it })
        finish()
    }

@@ -55,7 +31,7 @@ class TvFilePicker : ComponentActivity() {
    private fun getFile() {
        try {
            Log.v(TAG, "getFile")
-            fileChooseResultLauncher.launch(arrayOf("*/*"))
+            fileChooseResultLauncher.launch("*/*")
        } catch (_: ActivityNotFoundException) {
            Log.w(TAG, "Activity not found")
            setResult(RESULT_CANCELED, Intent().apply { putExtra("activityNotFound", true) })
@@ -31,7 +31,4 @@ object QtAndroidController {

    external fun onImeInsetsChanged(heightDp: Int)
    external fun onSystemBarsInsetsChanged(navBarHeightDp: Int, statusBarHeightDp: Int)
-
-    external fun onActivityPaused()
-    external fun onActivityResumed()
 }
@@ -4,9 +4,6 @@ import android.content.Context
 import android.net.VpnService.Builder
 import java.io.File
 import java.io.IOException
-import java.net.InetAddress
-import java.net.ServerSocket
-import java.util.UUID
 import go.Seq
 import org.amnezia.vpn.protocol.BadConfigException
 import org.amnezia.vpn.protocol.Protocol
@@ -22,32 +19,11 @@ import org.amnezia.vpn.util.Log
 import org.amnezia.vpn.util.net.InetNetwork
 import org.amnezia.vpn.util.net.ip
 import org.amnezia.vpn.util.net.parseInetAddress
-import org.json.JSONArray
 import org.json.JSONObject

 private const val TAG = "Xray"
 private const val LIBXRAY_TAG = "libXray"

-private fun findSocksInboundIndex(inbounds: JSONArray): Int {
-    for (i in 0 until inbounds.length()) {
-        val o = inbounds.optJSONObject(i) ?: continue
-        if (o.optString("protocol").equals("socks", ignoreCase = true)) {
-            return i
-        }
-    }
-    return -1
-}
-
-private fun acquireFreeLocalPort(): Int {
-    try {
-        ServerSocket(0, 1, InetAddress.getByName("127.0.0.1")).use { return it.localPort }
-    } catch (e: Exception) {
-        throw VpnStartException(
-            "Failed to acquire free TCP port on 127.0.0.1 for SOCKS inbound: ${e.message}"
-        )
-    }
-}
-
 class Xray : Protocol() {

    private var isRunning: Boolean = false
@@ -80,10 +56,6 @@ class Xray : Protocol() {
        val xrayJsonConfig = config.optJSONObject("xray_config_data")
            ?: config.optJSONObject("ssxray_config_data")
            ?: throw BadConfigException("config_data not found")
-
-        // Inject SOCKS5 auth before starting xray. Re-uses existing credentials if present.
-        ensureInboundAuth(xrayJsonConfig)
-
        val xrayConfig = parseConfig(config, xrayJsonConfig)

        (xrayJsonConfig.optJSONObject("log") ?: JSONObject().also { xrayJsonConfig.put("log", it) })
@@ -125,22 +97,9 @@ class Xray : Protocol() {
                if (it.isNotBlank()) setMtu(it.toInt())
            }

-            val inbounds = xrayJsonConfig.getJSONArray("inbounds")
-            val socksIdx = findSocksInboundIndex(inbounds)
-            if (socksIdx < 0) {
-                throw BadConfigException("socks inbound not found")
-            }
-            val socksConfig = inbounds.getJSONObject(socksIdx)
+            val socksConfig = xrayJsonConfig.getJSONArray("inbounds")[0] as JSONObject
            socksConfig.getInt("port").let { setSocksPort(it) }

-            val socksSettings = socksConfig.optJSONObject("settings")
-            val accounts = socksSettings?.optJSONArray("accounts")
-            if (accounts != null && accounts.length() > 0) {
-                val account = accounts.getJSONObject(0)
-                setSocksUser(account.optString("user"))
-                setSocksPass(account.optString("pass"))
-            }
-
            configSplitTunneling(config)
            configAppSplitTunneling(config)
        }
@@ -203,10 +162,9 @@ class Xray : Protocol() {
    }

    private fun runTun2Socks(config: XrayConfig, fd: Int) {
-        val proxyUrl = "socks5://${config.socksUser}:${config.socksPass}@127.0.0.1:${config.socksPort}"
        val tun2SocksConfig = Tun2SocksConfig().apply {
            mtu = config.mtu.toLong()
-            proxy = proxyUrl
+            proxy = "socks5://127.0.0.1:${config.socksPort}"
            device = "fd://$fd"
            logLevel = "warn"
        }
@@ -215,37 +173,6 @@ class Xray : Protocol() {
        }
    }

-    // Ensures SOCKS5 auth is present on the socks inbound settings.
-    // Re-uses existing credentials if already configured; otherwise generates random ones.
-    private fun ensureInboundAuth(xrayConfig: JSONObject) {
-        val inbounds = xrayConfig.optJSONArray("inbounds") ?: return
-        val socksIdx = findSocksInboundIndex(inbounds)
-        if (socksIdx < 0) return
-
-        val inbound = inbounds.getJSONObject(socksIdx)
-        inbound.put("port", acquireFreeLocalPort())
-        val settings = inbound.optJSONObject("settings") ?: JSONObject().also { inbound.put("settings", it) }
-        val accounts = settings.optJSONArray("accounts")
-        if (accounts != null && accounts.length() > 0) {
-            val account = accounts.getJSONObject(0)
-            if (account.optString("user").isNotEmpty() && account.optString("pass").isNotEmpty()) {
-                // Ensure auth mode is enforced even for imported configs that had accounts
-                // but auth: "noauth" (or no auth field).
-                settings.put("auth", "password")
-                inbound.put("settings", settings)
-                inbounds.put(socksIdx, inbound)
-                return
-            }
-        }
-
-        val user = UUID.randomUUID().toString().replace("-", "").substring(0, 16)
-        val pass = UUID.randomUUID().toString().replace("-", "")
-        settings.put("auth", "password")
-        settings.put("accounts", JSONArray().put(JSONObject().put("user", user).put("pass", pass)))
-        inbound.put("settings", settings)
-        inbounds.put(socksIdx, inbound)
-    }
-
    companion object {
        val instance: Xray by lazy { Xray() }
    }
@@ -9,16 +9,12 @@ private const val XRAY_DEFAULT_MAX_MEMORY: Long = 50 shl 20 // 50 MB
 class XrayConfig protected constructor(
    protocolConfigBuilder: ProtocolConfig.Builder,
    val socksPort: Int,
-    val socksUser: String,
-    val socksPass: String,
    val maxMemory: Long,
 ) : ProtocolConfig(protocolConfigBuilder) {

    protected constructor(builder: Builder) : this(
        builder,
        builder.socksPort,
-        builder.socksUser,
-        builder.socksPass,
        builder.maxMemory
    )

@@ -26,12 +22,6 @@ class XrayConfig protected constructor(
        internal var socksPort: Int = 0
            private set

-        internal var socksUser: String = ""
-            private set
-
-        internal var socksPass: String = ""
-            private set
-
        internal var maxMemory: Long = XRAY_DEFAULT_MAX_MEMORY
            private set

@@ -39,10 +29,6 @@ class XrayConfig protected constructor(

        fun setSocksPort(port: Int) = apply { socksPort = port }

-        fun setSocksUser(user: String) = apply { socksUser = user }
-
-        fun setSocksPass(pass: String) = apply { socksPass = pass }
-
        fun setMaxMemory(maxMemory: Long) = apply { this.maxMemory = maxMemory }

        override fun build(): XrayConfig = configBuild().run { XrayConfig(this@Builder) }
@@ -26,7 +26,7 @@ if(WIN32)
        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libssl.lib")
        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libcrypto.lib")
    endif()
-elseif(APPLE AND NOT IOS)
+elseif(APPLE AND NOT IOS AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
    if(MACOS_NE)
        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libssh.a")
        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libz.a")
@@ -39,6 +39,24 @@ elseif(APPLE AND NOT IOS)
    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/macos/include")
    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libssl.a")
    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libcrypto.a")    
+elseif(CMAKE_SYSTEM_NAME STREQUAL "tvOS")
+    set(TVOS_3RD_ROOT "$ENV{HOME}/Qt_tv/3rd-tvos")
+    execute_process(
+        COMMAND xcrun --sdk appletvos --show-sdk-path
+        OUTPUT_VARIABLE TVOS_SDK_PATH
+        OUTPUT_STRIP_TRAILING_WHITESPACE
+    )
+
+    set(LIBSSH_ROOT_DIR "${TVOS_3RD_ROOT}/libssh/0.10.6/appletvos-arm64")
+    set(OPENSSL_ROOT_DIR "${TVOS_3RD_ROOT}/openssl/3.0.13/appletvos-arm64")
+    set(OPENSSL_LIBRARIES_DIR "${OPENSSL_ROOT_DIR}/lib")
+
+    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}")
+    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/lib/libssh.a")
+    set(ZLIB_LIB_PATH "${TVOS_SDK_PATH}/usr/lib/libz.tbd")
+    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include")
+    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/lib/libssl.a")
+    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/lib/libcrypto.a")
 elseif(IOS)
    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/ios/arm64")
    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/ios/arm64/libssh.a")
@@ -63,8 +81,10 @@ elseif(LINUX)
    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/linux/x86_64/libcrypto.a")
 endif()

-file(COPY ${OPENSSL_LIB_SSL_PATH} ${OPENSSL_LIB_CRYPTO_PATH}
-        DESTINATION ${OPENSSL_LIBRARIES_DIR})
+if(NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
+    file(COPY ${OPENSSL_LIB_SSL_PATH} ${OPENSSL_LIB_CRYPTO_PATH}
+            DESTINATION ${OPENSSL_LIBRARIES_DIR})
+endif()

 set(OPENSSL_USE_STATIC_LIBS TRUE)
  
@@ -83,26 +103,6 @@ add_compile_definitions(_WINSOCKAPI_)
 set(BUILD_SHARED_LIBS OFF CACHE BOOL "" FORCE)
 set(BUILD_WITH_QT6 ON)
 add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtkeychain)
-
-if(ANDROID)
-    # Use qtgamepad from amnezia-vpn/qtgamepad repository
-    # Only if Qt6CorePrivate is available (required by qtgamepad)
-    find_package(Qt6CorePrivate CONFIG QUIET)
-    if(Qt6CorePrivate_FOUND)
-        add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtgamepad)
-        # Link both the C++ module and QML plugin
-        if(TARGET GamepadLegacy)
-            target_link_libraries(${PROJECT} PRIVATE GamepadLegacy)
-        endif()
-        if(TARGET GamepadLegacyQuickPrivate)
-            target_link_libraries(${PROJECT} PRIVATE GamepadLegacyQuickPrivate)
-        endif()
-        message(STATUS "Gamepad support enabled for Android")
-    else()
-        message(STATUS "Qt6CorePrivate not found. Gamepad support disabled for Android.")
-    endif()
-endif()
-
 set(LIBS ${LIBS} qt6keychain)

 include_directories(
@@ -39,5 +39,7 @@ while(IOS_TARGETS)
    set_target_properties(${TARGET_NAME} PROPERTIES
        XCODE_ATTRIBUTE_ARCHS[sdk=iphoneos*] "arm64"
        XCODE_ATTRIBUTE_ARCHS[sdk=iphonesimulator*] "x86_64"
+        XCODE_ATTRIBUTE_ARCHS[sdk=appletvos*] "arm64"
+        XCODE_ATTRIBUTE_ARCHS[sdk=appletvsimulator*] "arm64"
    )
-endwhile()
+endwhile()
@@ -1,6 +1,20 @@
 message("Client iOS build")
 set(CMAKE_OSX_DEPLOYMENT_TARGET 13.0)
 set(APPLE_PROJECT_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
+set(AMNEZIA_IOS_APPLETV ${AMNEZIA_IOS_ENABLE_APPLETV_TARGET})
+
+if(AMNEZIA_IOS_APPLETV)
+    message("Apple TV target mode is ON")
+    set(CMAKE_OSX_DEPLOYMENT_TARGET 17.0)
+    set(QT_NO_SET_DEFAULT_IOS_LAUNCH_SCREEN TRUE)
+    set(QT_NO_ADD_IOS_LAUNCH_SCREEN_TO_BUNDLE TRUE)
+    set(IOS_INFO_PLIST ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Info-tvOS.plist.in)
+    set(IOS_LAUNCHSCREEN_STORYBOARD ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/tvOS/AmneziaVPNLaunchScreen.storyboard)
+else()
+    message("Apple TV target mode is OFF")
+    set(IOS_INFO_PLIST ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Info.plist.in)
+    set(IOS_LAUNCHSCREEN_STORYBOARD ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/AmneziaVPNLaunchScreen.storyboard)
+endif()


 enable_language(OBJC)
@@ -10,13 +24,23 @@ enable_language(Swift)
 find_package(Qt6 REQUIRED COMPONENTS ShaderTools)
 set(LIBS ${LIBS} Qt6::ShaderTools)

-find_library(FW_AUTHENTICATIONSERVICES AuthenticationServices)
-find_library(FW_UIKIT UIKit)
-find_library(FW_AVFOUNDATION AVFoundation)
-find_library(FW_FOUNDATION Foundation)
-find_library(FW_STOREKIT StoreKit)
-find_library(FW_USERNOTIFICATIONS UserNotifications)
-find_library(FW_NETWORKEXTENSION NetworkExtension)
+if(AMNEZIA_IOS_APPLETV)
+    # Use framework linker flags directly for tvOS to avoid iPhoneOS SDK absolute paths.
+    set(FW_AUTHENTICATIONSERVICES "-framework AuthenticationServices")
+    set(FW_UIKIT "-framework UIKit")
+    set(FW_AVFOUNDATION "-framework AVFoundation")
+    set(FW_FOUNDATION "-framework Foundation")
+    set(FW_STOREKIT "-framework StoreKit")
+    set(FW_USERNOTIFICATIONS "-framework UserNotifications")
+else()
+    find_library(FW_AUTHENTICATIONSERVICES AuthenticationServices)
+    find_library(FW_UIKIT UIKit)
+    find_library(FW_AVFOUNDATION AVFoundation)
+    find_library(FW_FOUNDATION Foundation)
+    find_library(FW_STOREKIT StoreKit)
+    find_library(FW_USERNOTIFICATIONS UserNotifications)
+    find_library(FW_NETWORKEXTENSION NetworkExtension)
+endif()

 set(LIBS ${LIBS}
    ${FW_AUTHENTICATIONSERVICES}
@@ -25,9 +49,12 @@ set(LIBS ${LIBS}
    ${FW_FOUNDATION}
    ${FW_STOREKIT}
    ${FW_USERNOTIFICATIONS}
-    ${FW_NETWORKEXTENSION}
 )

+if(NOT AMNEZIA_IOS_APPLETV)
+    set(LIBS ${LIBS} ${FW_NETWORKEXTENSION})
+endif()
+

 set(HEADERS ${HEADERS}
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h
@@ -57,7 +84,7 @@ target_include_directories(${PROJECT} PRIVATE ${Qt6Gui_PRIVATE_INCLUDE_DIRS})

 set_target_properties(${PROJECT} PROPERTIES
    XCODE_LINK_BUILD_PHASE_MODE KNOWN_LOCATION
-    MACOSX_BUNDLE_INFO_PLIST ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Info.plist.in
+    MACOSX_BUNDLE_INFO_PLIST ${IOS_INFO_PLIST}
    MACOSX_BUNDLE_ICON_FILE "AppIcon"
    MACOSX_BUNDLE_INFO_STRING "AmneziaVPN"
    MACOSX_BUNDLE_BUNDLE_NAME "AmneziaVPN"
@@ -66,7 +93,6 @@ set_target_properties(${PROJECT} PROPERTIES
    MACOSX_BUNDLE_LONG_VERSION_STRING "${APPLE_PROJECT_VERSION}-${CMAKE_PROJECT_VERSION_TWEAK}"
    MACOSX_BUNDLE_SHORT_VERSION_STRING "${APPLE_PROJECT_VERSION}"
    XCODE_ATTRIBUTE_PRODUCT_BUNDLE_IDENTIFIER "${BUILD_IOS_APP_IDENTIFIER}"
-    XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "${CMAKE_CURRENT_SOURCE_DIR}/ios/app/main.entitlements"
    XCODE_ATTRIBUTE_MARKETING_VERSION "${APPLE_PROJECT_VERSION}"
    XCODE_ATTRIBUTE_CURRENT_PROJECT_VERSION "${CMAKE_PROJECT_VERSION_TWEAK}"
    XCODE_ATTRIBUTE_PRODUCT_NAME "AmneziaVPN"
@@ -74,13 +100,36 @@ set_target_properties(${PROJECT} PROPERTIES
    XCODE_GENERATE_SCHEME TRUE
    XCODE_ATTRIBUTE_ENABLE_BITCODE "NO"
    XCODE_ATTRIBUTE_ASSETCATALOG_COMPILER_APPICON_NAME "AppIcon"
-    XCODE_ATTRIBUTE_TARGETED_DEVICE_FAMILY "1,2"
    XCODE_EMBED_FRAMEWORKS_CODE_SIGN_ON_COPY ON
    XCODE_LINK_BUILD_PHASE_MODE KNOWN_LOCATION
    XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/Frameworks"
    XCODE_EMBED_APP_EXTENSIONS networkextension
 )

+if(AMNEZIA_IOS_APPLETV)
+    set_target_properties(${PROJECT} PROPERTIES
+        XCODE_ATTRIBUTE_SUPPORTED_PLATFORMS "appletvos appletvsimulator"
+        XCODE_ATTRIBUTE_TARGETED_DEVICE_FAMILY "3"
+        XCODE_ATTRIBUTE_TVOS_DEPLOYMENT_TARGET "${CMAKE_OSX_DEPLOYMENT_TARGET}"
+        XCODE_ATTRIBUTE_SDKROOT "appletvos"
+        XCODE_ATTRIBUTE_SDKROOT[sdk=appletvos*] "appletvos"
+        XCODE_ATTRIBUTE_SDKROOT[sdk=appletvsimulator*] "appletvsimulator"
+        XCODE_ATTRIBUTE_LIBRARY_SEARCH_PATHS "$(inherited) $(SDKROOT)/usr/lib/swift $(TOOLCHAIN_DIR)/usr/lib/swift/$(PLATFORM_NAME)"
+        XCODE_ATTRIBUTE_LIBRARY_SEARCH_PATHS[sdk=appletvos*] "$(inherited) $(SDKROOT)/usr/lib/swift $(TOOLCHAIN_DIR)/usr/lib/swift/$(PLATFORM_NAME)"
+        XCODE_ATTRIBUTE_LIBRARY_SEARCH_PATHS[sdk=appletvsimulator*] "$(inherited) $(SDKROOT)/usr/lib/swift $(TOOLCHAIN_DIR)/usr/lib/swift/$(PLATFORM_NAME)"
+        XCODE_ATTRIBUTE_EXCLUDED_LIBRARY_SEARCH_PATHS "/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS*.sdk/usr/lib/swift"
+        XCODE_ATTRIBUTE_EXCLUDED_FRAMEWORK_SEARCH_PATHS "/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS*.sdk/System/Library/Frameworks"
+    )
+    set_target_properties(${PROJECT} PROPERTIES
+        QT_IOS_PERMISSIONS ""
+    )
+else()
+    set_target_properties(${PROJECT} PROPERTIES
+        XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "${CMAKE_CURRENT_SOURCE_DIR}/ios/app/main.entitlements"
+        XCODE_ATTRIBUTE_TARGETED_DEVICE_FAMILY "1,2"
+    )
+endif()
+
 if(DEFINED DEPLOY)
    set_target_properties(${PROJECT} PROPERTIES
        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Distribution"
@@ -111,6 +160,59 @@ target_compile_options(${PROJECT} PRIVATE
    -DVPN_NE_BUNDLEID=\"${BUILD_IOS_APP_IDENTIFIER}.network-extension\"
 )

+if(AMNEZIA_IOS_APPLETV)
+    # qscnetworkreachability plugin links IOKit, which is unavailable on tvOS.
+    qt_import_plugins(${PROJECT}
+        NO_DEFAULT
+        INCLUDE
+            QIOSIntegrationPlugin
+            QJpegPlugin
+            QSvgPlugin
+            QGifPlugin
+            QICOPlugin
+            QSvgIconPlugin
+            QSecureTransportBackendPlugin
+        EXCLUDE
+            QSCNetworkReachabilityNetworkInformationPlugin
+            QDarwinCameraPermissionPlugin
+    )
+
+    # Static tvOS Qt build doesn't auto-link these plugin archives into the
+    # Xcode target, but the app entry point lives in QIOSIntegrationPlugin.
+    set(_amnezia_tvos_static_plugins
+        Qt6::QIOSIntegrationPlugin
+        Qt6::QIOSIntegrationPlugin_init
+        Qt6::QJpegPlugin
+        Qt6::QJpegPlugin_init
+        Qt6::QSvgPlugin
+        Qt6::QSvgPlugin_init
+        Qt6::QGifPlugin
+        Qt6::QGifPlugin_init
+        Qt6::QICOPlugin
+        Qt6::QICOPlugin_init
+        Qt6::QSvgIconPlugin
+        Qt6::QSvgIconPlugin_init
+        Qt6::QSecureTransportBackendPlugin
+        Qt6::QSecureTransportBackendPlugin_init
+    )
+    foreach(_amnezia_tvos_static_plugin IN LISTS _amnezia_tvos_static_plugins)
+        if(TARGET ${_amnezia_tvos_static_plugin})
+            target_link_libraries(${PROJECT} PRIVATE ${_amnezia_tvos_static_plugin})
+        endif()
+    endforeach()
+    unset(_amnezia_tvos_static_plugin)
+    unset(_amnezia_tvos_static_plugins)
+
+    # Qt 6.9.2 iOS package links IOKit via Qt6::Core interface, but tvOS SDK
+    # does not provide IOKit. Strip this single framework for Apple TV builds.
+    get_target_property(_qtcore_iface_libs Qt6::Core INTERFACE_LINK_LIBRARIES)
+    if(_qtcore_iface_libs)
+        string(REPLACE "-framework IOKit;" "" _qtcore_iface_libs "${_qtcore_iface_libs}")
+        string(REPLACE ";-framework IOKit" "" _qtcore_iface_libs "${_qtcore_iface_libs}")
+        set_property(TARGET Qt6::Core PROPERTY INTERFACE_LINK_LIBRARIES "${_qtcore_iface_libs}")
+    endif()
+endif()
+
 set(WG_APPLE_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/3rd/amneziawg-apple/Sources)

 target_sources(${PROJECT} PRIVATE
@@ -121,28 +223,40 @@ target_sources(${PROJECT} PRIVATE
    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/ScreenProtection.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/StoreKit2Helper.swift
 )

-target_sources(${PROJECT} PRIVATE
-    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/AmneziaVPNLaunchScreen.storyboard
-    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
-    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
-)
+if(IOS_LAUNCHSCREEN_STORYBOARD)
+    target_sources(${PROJECT} PRIVATE
+        ${IOS_LAUNCHSCREEN_STORYBOARD}
+        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
+        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
+    )

-set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
-    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/AmneziaVPNLaunchScreen.storyboard
-    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
-    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
-)
+    set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
+        ${IOS_LAUNCHSCREEN_STORYBOARD}
+        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
+        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
+    )
+else()
+    target_sources(${PROJECT} PRIVATE
+        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
+        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
+    )
+
+    set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
+        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
+        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
+    )
+endif()

 add_subdirectory(ios/networkextension)
 add_dependencies(${PROJECT} networkextension)

-set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
-    "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework"
-)
-
-set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/)
-target_link_libraries("networkextension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework")
+if(NOT AMNEZIA_IOS_APPLETV)
+    set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
+        "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework"
+    )

+    set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/)
+    target_link_libraries("networkextension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework")
+endif()
@@ -131,7 +131,6 @@ target_sources(${PROJECT} PRIVATE
    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/ScreenProtection.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/StoreKit2Helper.swift
 )

 target_sources(${PROJECT} PRIVATE
@@ -164,7 +163,7 @@ add_custom_command(TARGET ${PROJECT} POST_BUILD
    COMMAND ${CMAKE_COMMAND} -E make_directory
            $<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks
    COMMAND /usr/bin/find "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework" -name "*.sha256" -delete
-    COMMAND /usr/bin/codesign --force --sign "Apple Distribution: Privacy Technologies OU"
+    COMMAND /usr/bin/codesign --force --sign "Apple Distribution"
            "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework/Versions/Current/OpenVPNAdapter"
    COMMAND ${QT_BIN_DIR_DETECTED}/macdeployqt $<TARGET_BUNDLE_DIR:AmneziaVPN> -appstore-compliant -qmldir=${CMAKE_CURRENT_SOURCE_DIR}
    COMMENT "Signing OpenVPNAdapter framework"
@@ -39,7 +39,7 @@ set(HEADERS ${HEADERS}
    ${CLIENT_ROOT_DIR}/mozilla/controllerimpl.h
 )

-if(NOT IOS AND NOT MACOS_NE)
+if(NOT IOS AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
    set(HEADERS ${HEADERS}
        ${CLIENT_ROOT_DIR}/platforms/ios/QRCodeReaderBase.h
    )
@@ -89,14 +89,14 @@ set(SOURCES ${SOURCES}
    ${CLIENT_ROOT_DIR}/mozilla/shared/leakdetector.cpp
 )

-if(NOT IOS AND NOT MACOS_NE)
+if(NOT IOS AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
    set(SOURCES ${SOURCES}
        ${CLIENT_ROOT_DIR}/platforms/ios/QRCodeReaderBase.cpp
    )
 endif()

 # Include native macOS platform helpers (dock/status-item)
-if(APPLE AND NOT IOS)
+if(APPLE AND NOT IOS AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
    list(APPEND HEADERS
        ${CLIENT_ROOT_DIR}/platforms/macos/macosutils.h
        ${CLIENT_ROOT_DIR}/platforms/macos/macosstatusicon.h
@@ -175,12 +175,13 @@ if(WIN32)
    )
 endif()

-if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS") OR (LINUX AND NOT ANDROID))
    message("Client desktop build")
    add_compile_definitions(AMNEZIA_DESKTOP)

    set(HEADERS ${HEADERS}
        ${CLIENT_ROOT_DIR}/core/ipcclient.h
+        ${CLIENT_ROOT_DIR}/core/privileged_process.h
        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.h
        ${CLIENT_ROOT_DIR}/protocols/openvpnprotocol.h
        ${CLIENT_ROOT_DIR}/protocols/openvpnovercloakprotocol.h
@@ -193,6 +194,7 @@ if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))

    set(SOURCES ${SOURCES}
        ${CLIENT_ROOT_DIR}/core/ipcclient.cpp
+        ${CLIENT_ROOT_DIR}/core/privileged_process.cpp
        ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.cpp
        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.cpp
        ${CLIENT_ROOT_DIR}/protocols/openvpnprotocol.cpp
@@ -1,17 +1,13 @@
 #include "openvpn_configurator.h"

 #include <QDebug>
+#include <QCoreApplication>
 #include <QJsonDocument>
 #include <QJsonObject>
 #include <QProcess>
 #include <QString>
 #include <QTemporaryDir>
 #include <QTemporaryFile>
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
-    #include <QGuiApplication>
-#else
-    #include <QApplication>
-#endif

 #include "core/networkUtilities.h"
 #include "containers/containers_defs.h"
@@ -165,7 +161,7 @@ QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString,
    QString dnsConf = QString("\nscript-security 2\n"
                              "up %1/update-resolv-conf.sh\n"
                              "down %1/update-resolv-conf.sh\n")
-                              .arg(qApp->applicationDirPath());
+                              .arg(QCoreApplication::applicationDirPath());

    config.append(dnsConf);
 #endif
@@ -1,6 +1,7 @@
 #include "ssh_configurator.h"

 #include <QDebug>
+#include <QCoreApplication>
 #include <QObject>
 #include <QProcess>
 #include <QString>
@@ -8,11 +9,6 @@
 #include <QTemporaryFile>
 #include <QThread>
 #include <qtimer.h>
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
-    #include <QGuiApplication>
-#else
-    #include <QApplication>
-#endif

 #include "core/server_defs.h"
 #include "utilities.h"
@@ -24,7 +20,7 @@ SshConfigurator::SshConfigurator(std::shared_ptr<Settings> settings, const QShar

 QString SshConfigurator::convertOpenSShKey(const QString &key)
 {
-#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
    QProcess p;
    p.setProcessChannelMode(QProcess::MergedChannels);

@@ -70,13 +66,13 @@ QString SshConfigurator::convertOpenSShKey(const QString &key)
 // DEAD CODE.
 void SshConfigurator::openSshTerminal(const ServerCredentials &credentials)
 {
-#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
    QProcess *p = new QProcess();
    p->setProcessChannelMode(QProcess::SeparateChannels);

    #ifdef Q_OS_WIN
    p->setProcessEnvironment(prepareEnv());
-    p->setProgram(qApp->applicationDirPath() + "\\cygwin\\putty.exe");
+    p->setProgram(QCoreApplication::applicationDirPath() + "\\cygwin\\putty.exe");

    if (credentials.secretData.contains("PRIVATE KEY")) {
        // todo: connect by key
@@ -100,10 +96,10 @@ QProcessEnvironment SshConfigurator::prepareEnv()

 #ifdef Q_OS_WIN
    pathEnvVar.clear();
-    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\cygwin;");
-    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\openvpn;");
+    pathEnvVar.prepend(QDir::toNativeSeparators(QCoreApplication::applicationDirPath()) + "\\cygwin;");
+    pathEnvVar.prepend(QDir::toNativeSeparators(QCoreApplication::applicationDirPath()) + "\\openvpn;");
 #elif defined(Q_OS_MACX) && !defined(MACOS_NE)
-    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "/Contents/MacOS");
+    pathEnvVar.prepend(QDir::toNativeSeparators(QCoreApplication::applicationDirPath()) + "/Contents/MacOS");
 #endif

    env.insert("PATH", pathEnvVar);
@@ -298,14 +298,14 @@ bool ContainerProps::isSupportedByCurrentPlatform(DockerContainer c)
    }

 #elif defined(MACOS_NE)
-    // macOS build using Network Extension – allow OpenVPN for parity with iOS.
+    // macOS build using Network Extension – hide OpenVPN-based containers
    switch (c) {
-    case DockerContainer::OpenVpn: return true;
    case DockerContainer::WireGuard: return true;
    case DockerContainer::Awg2: return true;
    case DockerContainer::Awg: return true;
    case DockerContainer::Xray: return true;
    case DockerContainer::SSXray: return true;
+    case DockerContainer::OpenVpn:
    case DockerContainer::Cloak:
    case DockerContainer::ShadowSocks:
        return false;
@@ -11,8 +11,7 @@ namespace apiDefs
        AmneziaPremiumV1,
        AmneziaPremiumV2,
        SelfHosted,
-        ExternalPremium,
-        ExternalTrial
+        ExternalPremium
    };

    enum ConfigSource {
@@ -33,7 +32,6 @@ namespace apiDefs
        constexpr QLatin1String stackType("stack_type");
        constexpr QLatin1String serviceType("service_type");
        constexpr QLatin1String cliVersion("cli_version");
-        constexpr QLatin1String cliName("cli_name");
        constexpr QLatin1String supportedProtocols("supported_protocols");

        constexpr QLatin1String vpnKey("vpn_key");
@@ -55,14 +53,8 @@ namespace apiDefs
        constexpr QLatin1String activeDeviceCount("active_device_count");
        constexpr QLatin1String maxDeviceCount("max_device_count");
        constexpr QLatin1String subscriptionEndDate("subscription_end_date");
-        constexpr QLatin1String subscriptionExpiredByServer("subscription_expired_by_server");
-        constexpr QLatin1String subscriptionStatus("subscription_status");
-        constexpr QLatin1String subscription("subscription");
-        constexpr QLatin1String endDate("end_date");
        constexpr QLatin1String issuedConfigs("issued_configs");
        constexpr QLatin1String subscriptionDescription("subscription_description");
-        constexpr QLatin1String termsOfUseUrl("terms_of_use_url");
-        constexpr QLatin1String privacyPolicyUrl("privacy_policy_url");

        constexpr QLatin1String supportInfo("support_info");
        constexpr QLatin1String email("email");
@@ -77,13 +69,11 @@ namespace apiDefs

        constexpr QLatin1String transactionId("transaction_id");
        constexpr QLatin1String isTestPurchase("is_test_purchase");
-        constexpr QLatin1String isInAppPurchase("is_in_app_purchase");

        constexpr QLatin1String userCountryCode("user_country_code");

        constexpr QLatin1String serviceInfo("service_info");
        constexpr QLatin1String isAdVisible("is_ad_visible");
-        constexpr QLatin1String isRenewalAvailable("is_renewal_available");
        constexpr QLatin1String adHeader("ad_header");
        constexpr QLatin1String adDescription("ad_description");
        constexpr QLatin1String adEndpoint("ad_endpoint");
@@ -3,33 +3,11 @@
 #include <QDateTime>
 #include <QJsonDocument>
 #include <QJsonObject>
-#include <QJsonValue>

 namespace
 {
    const QByteArray AMNEZIA_CONFIG_SIGNATURE = QByteArray::fromHex("000000ff");

-    constexpr QLatin1String unprocessableSubscriptionMessage("Failed to retrieve subscription information. Is it activated?");
-    constexpr QLatin1String trialAlreadyUsedMessage("trial subscription already used");
-
-    QDateTime subscriptionEndUtcFromString(const QString &subscriptionEndDate)
-    {
-        if (subscriptionEndDate.isEmpty()) {
-            return {};
-        }
-        QDateTime endDate = QDateTime::fromString(subscriptionEndDate, Qt::ISODateWithMs).toUTC();
-        if (!endDate.isValid()) {
-            endDate = QDateTime::fromString(subscriptionEndDate, Qt::ISODate).toUTC();
-        }
-        return endDate;
-    }
-
-    QString apiErrorMessageFromJson(const QJsonObject &jsonObj)
-    {
-        const QJsonValue value = jsonObj.value(QStringLiteral("message"));
-        return value.isString() ? value.toString().trimmed() : QString();
-    }
-
    QString escapeUnicode(const QString &input)
    {
        QString output;
@@ -46,30 +24,9 @@ namespace

 bool apiUtils::isSubscriptionExpired(const QString &subscriptionEndDate)
 {
-    if (subscriptionEndDate.isEmpty()) {
-        return false;
-    }
-    const QDateTime endDate = subscriptionEndUtcFromString(subscriptionEndDate);
-    if (!endDate.isValid()) {
-        return false;
-    }
-    return endDate <= QDateTime::currentDateTimeUtc();
-}
-
-bool apiUtils::isSubscriptionExpiringSoon(const QString &subscriptionEndDate, int withinDays)
-{
-    if (subscriptionEndDate.isEmpty()) {
-        return false;
-    }
-    const QDateTime endDate = subscriptionEndUtcFromString(subscriptionEndDate);
-    if (!endDate.isValid()) {
-        return false;
-    }
-    const QDateTime nowUtc = QDateTime::currentDateTimeUtc();
-    if (endDate <= nowUtc) {
-        return false;
-    }
-    return endDate <= nowUtc.addDays(withinDays);
+    QDateTime now = QDateTime::currentDateTimeUtc();
+    QDateTime endDate = QDateTime::fromString(subscriptionEndDate, Qt::ISODateWithMs);
+    return endDate < now;
 }

 bool apiUtils::isServerFromApi(const QJsonObject &serverConfigObject)
@@ -103,7 +60,6 @@ apiDefs::ConfigType apiUtils::getConfigType(const QJsonObject &serverConfigObjec
        constexpr QLatin1String servicePremium("amnezia-premium");
        constexpr QLatin1String serviceFree("amnezia-free");
        constexpr QLatin1String serviceExternalPremium("external-premium");
-        constexpr QLatin1String serviceExternalTrial("external-trial");

        auto apiConfigObject = serverConfigObject.value(apiDefs::key::apiConfig).toObject();
        auto serviceType = apiConfigObject.value(apiDefs::key::serviceType).toString();
@@ -114,8 +70,6 @@ apiDefs::ConfigType apiUtils::getConfigType(const QJsonObject &serverConfigObjec
            return apiDefs::ConfigType::AmneziaFreeV3;
        } else if (serviceType == serviceExternalPremium) {
            return apiDefs::ConfigType::ExternalPremium;
-        } else if (serviceType == serviceExternalTrial) {
-            return apiDefs::ConfigType::ExternalTrial;
        }
    }
    default: {
@@ -136,66 +90,50 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
    const int httpStatusCodeConflict = 409;
    const int httpStatusCodeNotFound = 404;
    const int httpStatusCodeNotImplemented = 501;
-    const int httpStatusCodePaymentRequired = 402;
-    const int httpStatusCodeUnprocessableEntity = 422;

    if (!sslErrors.empty()) {
        qDebug().noquote() << sslErrors;
        return amnezia::ErrorCode::ApiConfigSslError;
-    }
-    if (replyError == QNetworkReply::NoError) {
+    } else if (replyError == QNetworkReply::NoError) {
        return amnezia::ErrorCode::NoError;
-    }
-    if (replyError == QNetworkReply::NetworkError::OperationCanceledError
-        || replyError == QNetworkReply::NetworkError::TimeoutError) {
+    } else if (replyError == QNetworkReply::NetworkError::OperationCanceledError
+               || replyError == QNetworkReply::NetworkError::TimeoutError) {
        qDebug() << replyError;
        return amnezia::ErrorCode::ApiConfigTimeoutError;
-    }
-    if (replyError == QNetworkReply::NetworkError::OperationNotImplementedError) {
+    } else if (replyError == QNetworkReply::NetworkError::OperationNotImplementedError) {
        qDebug() << replyError;
        return amnezia::ErrorCode::ApiUpdateRequestError;
-    }
+    } else {
+        qDebug() << QString::fromUtf8(responseBody);
+        qDebug() << replyError;
+        qDebug() << replyErrorString;
+        qDebug() << httpStatusCode;

-    qDebug() << QString::fromUtf8(responseBody);
-    qDebug() << replyError;
-    qDebug() << httpStatusCode;
+        int httpStatusFromBody = -1;
+        QJsonDocument jsonDoc = QJsonDocument::fromJson(responseBody);
+        if (jsonDoc.isObject()) {
+            QJsonObject jsonObj = jsonDoc.object();
+            httpStatusFromBody = jsonObj.value("http_status").toInt(-1);
+        }

-    QJsonDocument jsonDoc = QJsonDocument::fromJson(responseBody);
-    if (jsonDoc.isObject()) {
-        QJsonObject jsonObj = jsonDoc.object();
-        const int httpStatusFromBody = jsonObj.value(QStringLiteral("http_status")).toInt(-1);
        if (httpStatusFromBody == httpStatusCodeConflict) {
-            if (apiErrorMessageFromJson(jsonObj).contains(trialAlreadyUsedMessage, Qt::CaseInsensitive)) {
-                return amnezia::ErrorCode::ApiTrialAlreadyUsedError;
-            }
            return amnezia::ErrorCode::ApiConfigLimitError;
-        }
-        if (httpStatusFromBody == httpStatusCodeNotFound) {
+        } else if (httpStatusFromBody == httpStatusCodeNotFound) {
            return amnezia::ErrorCode::ApiNotFoundError;
-        }
-        if (httpStatusFromBody == httpStatusCodeNotImplemented) {
+        } else if (httpStatusFromBody == httpStatusCodeNotImplemented) {
            return amnezia::ErrorCode::ApiUpdateRequestError;
        }
-        if (httpStatusFromBody == httpStatusCodeUnprocessableEntity) {
-            if (apiErrorMessageFromJson(jsonObj) == unprocessableSubscriptionMessage) {
-                return amnezia::ErrorCode::ApiSubscriptionExpiredError;
-            }
-            return amnezia::ErrorCode::ApiConfigDownloadError;
-        }
-        if (httpStatusFromBody == httpStatusCodePaymentRequired) {
-            return amnezia::ErrorCode::ApiSubscriptionNotActiveError;
-        }
        return amnezia::ErrorCode::ApiConfigDownloadError;
    }

    qDebug() << "something went wrong";
-    return amnezia::ErrorCode::ApiConfigDownloadError;
+    return amnezia::ErrorCode::InternalError;
 }

 bool apiUtils::isPremiumServer(const QJsonObject &serverConfigObject)
 {
    static const QSet<apiDefs::ConfigType> premiumTypes = { apiDefs::ConfigType::AmneziaPremiumV1, apiDefs::ConfigType::AmneziaPremiumV2,
-                                                            apiDefs::ConfigType::ExternalPremium, apiDefs::ConfigType::ExternalTrial };
+                                                            apiDefs::ConfigType::ExternalPremium };
    return premiumTypes.contains(getConfigType(serverConfigObject));
 }

@@ -239,9 +177,7 @@ QString apiUtils::getPremiumV1VpnKey(const QJsonObject &serverConfigObject)

 QString apiUtils::getPremiumV2VpnKey(const QJsonObject &serverConfigObject)
 {
-    auto configType = apiUtils::getConfigType(serverConfigObject);
-    if (configType != apiDefs::ConfigType::AmneziaPremiumV2 && configType != apiDefs::ConfigType::ExternalPremium
-        && configType != apiDefs::ConfigType::ExternalTrial) {
+    if (apiUtils::getConfigType(serverConfigObject) != apiDefs::ConfigType::AmneziaPremiumV2) {
        return {};
    }

@@ -13,8 +13,6 @@ namespace apiUtils

    bool isSubscriptionExpired(const QString &subscriptionEndDate);

-    bool isSubscriptionExpiringSoon(const QString &subscriptionEndDate, int withinDays = 30);
-
    bool isPremiumServer(const QJsonObject &serverConfigObject);

    apiDefs::ConfigType getConfigType(const QJsonObject &serverConfigObject);
@@ -8,7 +8,7 @@
    #include "platforms/android/android_controller.h"
 #endif

-#if defined(Q_OS_IOS)
+#if defined(Q_OS_IOS) || defined(Q_OS_TVOS)
    #include "platforms/ios/ios_controller.h"
    #include <AmneziaVPN-Swift.h>
 #endif
@@ -91,12 +91,6 @@ void CoreController::initModels()
    m_apiServicesModel.reset(new ApiServicesModel(this));
    m_engine->rootContext()->setContextProperty("ApiServicesModel", m_apiServicesModel.get());

-    m_apiSubscriptionPlansModel.reset(new ApiSubscriptionPlansModel(this));
-    m_engine->rootContext()->setContextProperty("ApiSubscriptionPlansModel", m_apiSubscriptionPlansModel.get());
-
-    m_apiBenefitsModel.reset(new ApiBenefitsModel(this));
-    m_engine->rootContext()->setContextProperty("ApiBenefitsModel", m_apiBenefitsModel.get());
-
    m_apiCountryModel.reset(new ApiCountryModel(this));
    m_engine->rootContext()->setContextProperty("ApiCountryModel", m_apiCountryModel.get());

@@ -141,7 +135,7 @@ void CoreController::initControllers()
            new SettingsController(m_serversModel, m_containersModel, m_languageModel, m_sitesModel, m_appSplitTunnelingModel, m_settings));
    m_engine->rootContext()->setContextProperty("SettingsController", m_settingsController.get());

-    m_sitesController.reset(new SitesController(m_settings, m_sitesModel));
+    m_sitesController.reset(new SitesController(m_settings, m_vpnConnection, m_sitesModel));
    m_engine->rootContext()->setContextProperty("SitesController", m_sitesController.get());

    m_allowedDnsController.reset(new AllowedDnsController(m_settings, m_allowedDnsModel));
@@ -157,11 +151,8 @@ void CoreController::initControllers()
            new ApiSettingsController(m_serversModel, m_apiAccountInfoModel, m_apiCountryModel, m_apiDevicesModel, m_settings));
    m_engine->rootContext()->setContextProperty("ApiSettingsController", m_apiSettingsController.get());

-    m_apiConfigsController.reset(
-            new ApiConfigsController(m_serversModel, m_apiServicesModel, m_apiSubscriptionPlansModel, m_apiBenefitsModel, m_settings));
+    m_apiConfigsController.reset(new ApiConfigsController(m_serversModel, m_apiServicesModel, m_settings));
    m_engine->rootContext()->setContextProperty("ApiConfigsController", m_apiConfigsController.get());
-    connect(m_apiConfigsController.get(), &ApiConfigsController::subscriptionRefreshNeeded,
-            this, [this]() { m_apiSettingsController->getAccountInfo(false); });

    m_apiNewsController.reset(new ApiNewsController(m_newsModel, m_settings, m_serversModel, this));
    m_engine->rootContext()->setContextProperty("ApiNewsController", m_apiNewsController.get());
@@ -205,7 +196,7 @@ void CoreController::initAndroidController()

 void CoreController::initAppleController()
 {
-#ifdef Q_OS_IOS
+#if defined(Q_OS_IOS) || defined(Q_OS_TVOS)
    IosController::Instance()->initialize();
    connect(IosController::Instance(), &IosController::importConfigFromOutside, this, [this](QString data) {
        emit m_pageController->goToPageHome();
@@ -242,7 +233,7 @@ void CoreController::initSignalHandlers()

 void CoreController::initNotificationHandler()
 {
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS)
    m_notificationHandler.reset(NotificationHandler::create(nullptr));

    connect(m_vpnConnection.get(), &VpnConnection::connectionStateChanged, m_notificationHandler.get(),
@@ -257,7 +248,7 @@ void CoreController::initNotificationHandler()

    auto* trayHandler = qobject_cast<SystemTrayNotificationHandler*>(m_notificationHandler.get());
    connect(this, &CoreController::websiteUrlChanged, trayHandler, &SystemTrayNotificationHandler::updateWebsiteUrl);
-#endif    
+#endif
 }

 void CoreController::updateTranslator(const QLocale &locale)
@@ -377,11 +368,7 @@ void CoreController::initPrepareConfigHandler()
            return;
        }

-        m_installController->validateConfig();
-    });
-
-    connect(m_installController.get(), &InstallController::configValidated, this, [this](bool isValid) {
-        if (!isValid) {
+        if (!m_installController->isConfigValid()) {
            emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
            return;
        }
@@ -5,7 +5,7 @@
 #include <QQmlContext>
 #include <QThread>

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS)
    #include "ui/systemtray_notificationhandler.h"
 #endif

@@ -32,11 +32,9 @@
    #include "ui/models/protocols/ikev2ConfigModel.h"
 #endif
 #include "ui/models/api/apiAccountInfoModel.h"
-#include "ui/models/api/apiBenefitsModel.h"
 #include "ui/models/api/apiCountryModel.h"
 #include "ui/models/api/apiDevicesModel.h"
 #include "ui/models/api/apiServicesModel.h"
-#include "ui/models/api/apiSubscriptionPlansModel.h"
 #include "ui/models/appSplitTunnelingModel.h"
 #include "ui/models/clientManagementModel.h"
 #include "ui/models/protocols/awgConfigModel.h"
@@ -51,7 +49,7 @@
 #include "ui/models/sites_model.h"
 #include "ui/models/newsModel.h"

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS)
    #include "ui/notificationhandler.h"
 #endif

@@ -101,7 +99,7 @@ private:
    QSharedPointer<VpnConnection> m_vpnConnection;
    QSharedPointer<QTranslator> m_translator;

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS)
    QScopedPointer<NotificationHandler> m_notificationHandler;
 #endif

@@ -135,8 +133,6 @@ private:
    QSharedPointer<ClientManagementModel> m_clientManagementModel;

    QSharedPointer<ApiServicesModel> m_apiServicesModel;
-    QSharedPointer<ApiSubscriptionPlansModel> m_apiSubscriptionPlansModel;
-    QSharedPointer<ApiBenefitsModel> m_apiBenefitsModel;
    QSharedPointer<ApiCountryModel> m_apiCountryModel;
    QSharedPointer<ApiAccountInfoModel> m_apiAccountInfoModel;
    QSharedPointer<ApiDevicesModel> m_apiDevicesModel;
@@ -18,7 +18,6 @@
 #include "amnezia_application.h"
 #include "core/api/apiUtils.h"
 #include "core/networkUtilities.h"
-#include "settings.h"
 #include "utilities.h"

 #ifdef AMNEZIA_DESKTOP
@@ -45,85 +44,17 @@ namespace

    constexpr int httpStatusCodeNotFound = 404;
    constexpr int httpStatusCodeConflict = 409;
+
    constexpr int httpStatusCodeNotImplemented = 501;
-    constexpr int httpStatusCodePaymentRequired = 402;
-    constexpr int httpStatusCodeUnprocessableEntity = 422;
-
-    constexpr QLatin1String unprocessableSubscriptionMessage("Failed to retrieve subscription information. Is it activated?");
-
-    constexpr int proxyStorageRequestTimeoutMsecs = 3000;
-
-    QStringList shuffledProxyUrls(const QStringList &proxyUrls)
-    {
-        QStringList shuffled = proxyUrls;
-        std::random_device randomDevice;
-        std::mt19937 generator(randomDevice());
-        std::shuffle(shuffled.begin(), shuffled.end(), generator);
-        return shuffled;
-    }
-
-    QString getProxyUrlsCacheKey(const QString &serviceType, const QString &userCountryCode)
-    {
-        return QStringLiteral("service_%1_country_%2").arg(serviceType, userCountryCode);
-    }
-
-    bool decryptProxyUrlsPayload(const QByteArray &encryptedPayload, bool isDevEnvironment, QByteArray &decryptedPayload)
-    {
-        try {
-            QByteArray key = isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
-            if (!isDevEnvironment) {
-                QCryptographicHash hash(QCryptographicHash::Sha512);
-                hash.addData(key);
-                QByteArray h = hash.result().toHex();
-
-                QByteArray decKey = QByteArray::fromHex(h.left(64));
-                QByteArray iv = QByteArray::fromHex(h.mid(64, 32));
-                QByteArray ba = QByteArray::fromBase64(encryptedPayload);
-
-                QSimpleCrypto::QBlockCipher cipher;
-                decryptedPayload = cipher.decryptAesBlockCipher(ba, decKey, iv);
-            } else {
-                decryptedPayload = encryptedPayload;
-            }
-            return true;
-        } catch (...) {
-            Utils::logException();
-            return false;
-        }
-    }
-
-    QStringList readCachedProxyUrls(const QByteArray &cachedProxyUrlsEncrypted, bool isDevEnvironment)
-    {
-        if (cachedProxyUrlsEncrypted.isEmpty()) {
-            return {};
-        }
-
-        QByteArray cachedProxyUrlsDecrypted;
-        if (!decryptProxyUrlsPayload(cachedProxyUrlsEncrypted, isDevEnvironment, cachedProxyUrlsDecrypted)) {
-            qCritical() << "error decrypting cached proxy urls payload";
-            return {};
-        }
-
-        QJsonArray endpointsArray = QJsonDocument::fromJson(cachedProxyUrlsDecrypted).array();
-        QStringList endpoints;
-        endpoints.reserve(endpointsArray.size());
-        for (const QJsonValue &endpoint : endpointsArray) {
-            endpoints.push_back(endpoint.toString());
-        }
-
-        return endpoints;
-    }
 }

 GatewayController::GatewayController(const QString &gatewayEndpoint, const bool isDevEnvironment, const int requestTimeoutMsecs,
-                                     const bool isStrictKillSwitchEnabled, const std::shared_ptr<Settings> &settings,
-                                     QObject *parent)
+                                     const bool isStrictKillSwitchEnabled, QObject *parent)
    : QObject(parent),
      m_gatewayEndpoint(gatewayEndpoint),
      m_isDevEnvironment(isDevEnvironment),
      m_requestTimeoutMsecs(requestTimeoutMsecs),
-      m_isStrictKillSwitchEnabled(isStrictKillSwitchEnabled),
-      m_settings(settings)
+      m_isStrictKillSwitchEnabled(isStrictKillSwitchEnabled)
 {
 }

@@ -350,33 +281,25 @@ QFuture<QPair<ErrorCode, QByteArray>> GatewayController::postAsync(const QString
            auto serviceType = apiPayload.value(apiDefs::key::serviceType).toString("");
            auto userCountryCode = apiPayload.value(apiDefs::key::userCountryCode).toString("");

-            QStringList primaryBaseUrls;
-            QStringList fallbackBaseUrls;
+            QStringList baseUrls;
            if (m_isDevEnvironment) {
-                primaryBaseUrls = QString(DEV_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
+                baseUrls = QString(DEV_S3_ENDPOINT).split(", ");
            } else {
-                primaryBaseUrls = QString(PROD_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
-                fallbackBaseUrls = QString(FALLBACK_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
+                baseUrls = QString(PROD_S3_ENDPOINT).split(", ");
            }

-            auto appendStorageUrls = [&serviceType, &userCountryCode](const QStringList &baseUrls, QStringList &target) {
-                if (!serviceType.isEmpty()) {
-                    for (const auto &baseUrl : baseUrls) {
-                        QByteArray path = ("endpoints-" + serviceType + "-" + userCountryCode).toUtf8();
-                        target.push_back(baseUrl + path.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals) + ".json");
-                    }
-                }
-                for (const auto &baseUrl : baseUrls) {
-                    target.push_back(baseUrl + "endpoints.json");
-                }
-            };
-
            QStringList proxyStorageUrls;
-            appendStorageUrls(primaryBaseUrls, proxyStorageUrls);
-            appendStorageUrls(fallbackBaseUrls, proxyStorageUrls);
-            const QString proxyUrlsCacheKey = getProxyUrlsCacheKey(serviceType, userCountryCode);
+            if (!serviceType.isEmpty()) {
+                for (const auto &baseUrl : baseUrls) {
+                    QByteArray path = ("endpoints-" + serviceType + "-" + userCountryCode).toUtf8();
+                    proxyStorageUrls.push_back(baseUrl + path.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals)
+                                               + ".json");
+                }
+            }
+            for (const auto &baseUrl : baseUrls)
+                proxyStorageUrls.push_back(baseUrl + "endpoints.json");

-            getProxyUrlsAsync(proxyStorageUrls, 0, proxyUrlsCacheKey, [this, encRequestData, endpoint, processResponse](const QStringList &proxyUrls) {
+            getProxyUrlsAsync(proxyStorageUrls, 0, [this, encRequestData, endpoint, processResponse](const QStringList &proxyUrls) {
                getProxyUrlAsync(proxyUrls, 0, [this, encRequestData, endpoint, processResponse](const QString &proxyUrl) {
                    bypassProxyAsync(endpoint, proxyUrl, encRequestData,
                                     [processResponse, this](const QByteArray &decryptedBody, bool isDecryptionSuccessful,
@@ -401,48 +324,31 @@ QFuture<QPair<ErrorCode, QByteArray>> GatewayController::postAsync(const QString
 QStringList GatewayController::getProxyUrls(const QString &serviceType, const QString &userCountryCode)
 {
    QNetworkRequest request;
-    request.setTransferTimeout(proxyStorageRequestTimeoutMsecs);
+    request.setTransferTimeout(m_requestTimeoutMsecs);
    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");

    QEventLoop wait;
    QList<QSslError> sslErrors;
    QNetworkReply *reply;

-    QStringList primaryBaseUrls;
-    QStringList fallbackBaseUrls;
+    QStringList baseUrls;
    if (m_isDevEnvironment) {
-        primaryBaseUrls = QString(DEV_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
+        baseUrls = QString(DEV_S3_ENDPOINT).split(", ");
    } else {
-        primaryBaseUrls = QString(PROD_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
-        fallbackBaseUrls = QString(FALLBACK_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
+        baseUrls = QString(PROD_S3_ENDPOINT).split(", ");
    }

-    std::random_device randomDevice;
-    std::mt19937 generator(randomDevice());
-    std::shuffle(primaryBaseUrls.begin(), primaryBaseUrls.end(), generator);
-    std::shuffle(fallbackBaseUrls.begin(), fallbackBaseUrls.end(), generator);
-
-    auto appendStorageUrls = [&serviceType, &userCountryCode](const QStringList &baseUrls, QStringList &target) {
-        if (!serviceType.isEmpty()) {
-            for (const auto &baseUrl : baseUrls) {
-                QByteArray path = ("endpoints-" + serviceType + "-" + userCountryCode).toUtf8();
-                target.push_back(baseUrl + path.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals) + ".json");
-            }
-        }
-        for (const auto &baseUrl : baseUrls) {
-            target.push_back(baseUrl + "endpoints.json");
-        }
-    };
+    QByteArray key = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;

    QStringList proxyStorageUrls;
-    appendStorageUrls(primaryBaseUrls, proxyStorageUrls);
-    appendStorageUrls(fallbackBaseUrls, proxyStorageUrls);
-    const QString proxyUrlsCacheKey = getProxyUrlsCacheKey(serviceType, userCountryCode);
-    const QByteArray cachedProxyUrlsEncrypted = m_settings->readGatewayProxyUrls(proxyUrlsCacheKey);
-
-    if (proxyStorageUrls.empty()) {
-        qDebug() << "empty storage endpoint list";
-        return readCachedProxyUrls(cachedProxyUrlsEncrypted, m_isDevEnvironment);
+    if (!serviceType.isEmpty()) {
+        for (const auto &baseUrl : baseUrls) {
+            QByteArray path = ("endpoints-" + serviceType + "-" + userCountryCode).toUtf8();
+            proxyStorageUrls.push_back(baseUrl + path.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals) + ".json");
+        }
+    }
+    for (const auto &baseUrl : baseUrls) {
+        proxyStorageUrls.push_back(baseUrl + "endpoints.json");
    }

    for (const auto &proxyStorageUrl : proxyStorageUrls) {
@@ -457,8 +363,26 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
            auto encryptedResponseBody = reply->readAll();
            reply->deleteLater();

+            EVP_PKEY *privateKey = nullptr;
            QByteArray responseBody;
-            if (!decryptProxyUrlsPayload(encryptedResponseBody, m_isDevEnvironment, responseBody)) {
+            try {
+                if (!m_isDevEnvironment) {
+                    QCryptographicHash hash(QCryptographicHash::Sha512);
+                    hash.addData(key);
+                    QByteArray hashResult = hash.result().toHex();
+
+                    QByteArray key = QByteArray::fromHex(hashResult.left(64));
+                    QByteArray iv = QByteArray::fromHex(hashResult.mid(64, 32));
+
+                    QByteArray ba = QByteArray::fromBase64(encryptedResponseBody);
+
+                    QSimpleCrypto::QBlockCipher blockCipher;
+                    responseBody = blockCipher.decryptAesBlockCipher(ba, key, iv);
+                } else {
+                    responseBody = encryptedResponseBody;
+                }
+            } catch (...) {
+                Utils::logException();
                qCritical() << "error loading private key from environment variables or decrypting payload" << encryptedResponseBody;
                continue;
            }
@@ -469,8 +393,6 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
            for (const auto &endpoint : endpointsArray) {
                endpoints.push_back(endpoint.toString());
            }
-            m_settings->writeGatewayProxyUrls(proxyUrlsCacheKey, encryptedResponseBody);
-
            return endpoints;
        } else {
            auto replyError = reply->error();
@@ -482,7 +404,7 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
            reply->deleteLater();
        }
    }
-    return readCachedProxyUrls(cachedProxyUrlsEncrypted, m_isDevEnvironment);
+    return {};
 }

 bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &replyError, const QByteArray &decryptedResponseBody,
@@ -490,14 +412,12 @@ bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &rep
 {
    const QByteArray &responseBody = decryptedResponseBody;

-    int apiHttpStatus = -1;
-    QString apiErrorMessage;
+    int httpStatus = -1;
    if (isDecryptionSuccessful) {
        QJsonDocument jsonDoc = QJsonDocument::fromJson(responseBody);
        if (jsonDoc.isObject()) {
            QJsonObject jsonObj = jsonDoc.object();
-            apiHttpStatus = jsonObj.value("http_status").toInt(-1);
-            apiErrorMessage = jsonObj.value(QStringLiteral("message")).toString().trimmed();
+            httpStatus = jsonObj.value("http_status").toInt(-1);
        }
    } else {
        qDebug() << "failed to decrypt the data";
@@ -508,12 +428,10 @@ bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &rep
        qDebug() << "timeout occurred";
        qDebug() << replyError;
        return true;
-    } 
-    if (responseBody.contains("html")) {
+    } else if (responseBody.contains("html")) {
        qDebug() << "the response contains an html tag";
        return true;
-    } 
-    if (apiHttpStatus == httpStatusCodeNotFound) {
+    } else if (httpStatus == httpStatusCodeNotFound) {
        if (responseBody.contains(errorResponsePattern1) || responseBody.contains(errorResponsePattern2)
            || responseBody.contains(errorResponsePattern3)) {
            return false;
@@ -521,25 +439,16 @@ bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &rep
            qDebug() << replyError;
            return true;
        }
-    } 
-    if (apiHttpStatus == httpStatusCodeNotImplemented) {
+    } else if (httpStatus == httpStatusCodeNotImplemented) {
        if (responseBody.contains(updateRequestResponsePattern)) {
            return false;
        } else {
            qDebug() << replyError;
            return true;
        }
-    } 
-    if (apiHttpStatus == httpStatusCodeConflict) {
+    } else if (httpStatus == httpStatusCodeConflict) {
        return false;
-    } 
-    if (apiHttpStatus == httpStatusCodePaymentRequired) {
-        return false;
-    } 
-    if (apiHttpStatus == httpStatusCodeUnprocessableEntity) {
-        return apiErrorMessage != unprocessableSubscriptionMessage;
-    } 
-    if (replyError != QNetworkReply::NetworkError::NoError) {
+    } else if (replyError != QNetworkReply::NetworkError::NoError) {
        qDebug() << replyError;
        return true;
    }
@@ -620,17 +529,15 @@ void GatewayController::bypassProxy(const QString &endpoint, const QString &serv
 }

 void GatewayController::getProxyUrlsAsync(const QStringList proxyStorageUrls, const int currentProxyStorageIndex,
-                                          const QString &proxyUrlsCacheKey, std::function<void(const QStringList &)> onComplete)
+                                          std::function<void(const QStringList &)> onComplete)
 {
-    const QByteArray cachedProxyUrlsEncrypted = m_settings->readGatewayProxyUrls(proxyUrlsCacheKey);
-
    if (currentProxyStorageIndex >= proxyStorageUrls.size()) {
-        onComplete(shuffledProxyUrls(readCachedProxyUrls(cachedProxyUrlsEncrypted, m_isDevEnvironment)));
+        onComplete({});
        return;
    }

    QNetworkRequest request;
-    request.setTransferTimeout(proxyStorageRequestTimeoutMsecs);
+    request.setTransferTimeout(m_requestTimeoutMsecs);
    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
    request.setUrl(proxyStorageUrls[currentProxyStorageIndex]);

@@ -638,17 +545,33 @@ void GatewayController::getProxyUrlsAsync(const QStringList proxyStorageUrls, co

    // connect(reply, &QNetworkReply::sslErrors, this, [state](const QList<QSslError> &e) { *(state->sslErrors) = e; });

-    connect(reply, &QNetworkReply::finished, this,
-            [this, proxyStorageUrls, currentProxyStorageIndex, proxyUrlsCacheKey, onComplete, reply]() {
+    connect(reply, &QNetworkReply::finished, this, [this, proxyStorageUrls, currentProxyStorageIndex, onComplete, reply]() {
        if (reply->error() == QNetworkReply::NoError) {
            QByteArray encrypted = reply->readAll();
            reply->deleteLater();

            QByteArray responseBody;
-            if (!decryptProxyUrlsPayload(encrypted, m_isDevEnvironment, responseBody)) {
+            try {
+                QByteArray key = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
+                if (!m_isDevEnvironment) {
+                    QCryptographicHash hash(QCryptographicHash::Sha512);
+                    hash.addData(key);
+                    QByteArray h = hash.result().toHex();
+
+                    QByteArray decKey = QByteArray::fromHex(h.left(64));
+                    QByteArray iv = QByteArray::fromHex(h.mid(64, 32));
+                    QByteArray ba = QByteArray::fromBase64(encrypted);
+
+                    QSimpleCrypto::QBlockCipher cipher;
+                    responseBody = cipher.decryptAesBlockCipher(ba, decKey, iv);
+                } else {
+                    responseBody = encrypted;
+                }
+            } catch (...) {
+                Utils::logException();
                qCritical() << "error decrypting payload";
                QMetaObject::invokeMethod(
-                        this, [=]() { getProxyUrlsAsync(proxyStorageUrls, currentProxyStorageIndex + 1, proxyUrlsCacheKey, onComplete); }, Qt::QueuedConnection);
+                        this, [=]() { getProxyUrlsAsync(proxyStorageUrls, currentProxyStorageIndex + 1, onComplete); }, Qt::QueuedConnection);
                return;
            }

@@ -656,9 +579,13 @@ void GatewayController::getProxyUrlsAsync(const QStringList proxyStorageUrls, co
            QStringList endpoints;
            for (const QJsonValue &endpoint : endpointsArray)
                endpoints.push_back(endpoint.toString());
-            m_settings->writeGatewayProxyUrls(proxyUrlsCacheKey, encrypted);

-            onComplete(shuffledProxyUrls(endpoints));
+            QStringList shuffled = endpoints;
+            std::random_device randomDevice;
+            std::mt19937 generator(randomDevice());
+            std::shuffle(shuffled.begin(), shuffled.end(), generator);
+
+            onComplete(shuffled);
            return;
        }

@@ -667,7 +594,7 @@ void GatewayController::getProxyUrlsAsync(const QStringList proxyStorageUrls, co
        qDebug() << "go to the next storage endpoint";
        reply->deleteLater();
        QMetaObject::invokeMethod(
-                this, [=]() { getProxyUrlsAsync(proxyStorageUrls, currentProxyStorageIndex + 1, proxyUrlsCacheKey, onComplete); }, Qt::QueuedConnection);
+                this, [=]() { getProxyUrlsAsync(proxyStorageUrls, currentProxyStorageIndex + 1, onComplete); }, Qt::QueuedConnection);
    });
 }

@@ -7,9 +7,6 @@
 #include <QPair>
 #include <QPromise>
 #include <QSharedPointer>
-#include <QString>
-#include <QStringList>
-#include <memory>

 #include "core/defs.h"

@@ -17,16 +14,13 @@
    #include "platforms/ios/ios_controller.h"
 #endif

-class Settings;
-
 class GatewayController : public QObject
 {
    Q_OBJECT

 public:
    explicit GatewayController(const QString &gatewayEndpoint, const bool isDevEnvironment, const int requestTimeoutMsecs,
-                               const bool isStrictKillSwitchEnabled, const std::shared_ptr<Settings> &settings,
-                               QObject *parent = nullptr);
+                               const bool isStrictKillSwitchEnabled, QObject *parent = nullptr);

    amnezia::ErrorCode post(const QString &endpoint, const QJsonObject apiPayload, QByteArray &responseBody);
    QFuture<QPair<amnezia::ErrorCode, QByteArray>> postAsync(const QString &endpoint, const QJsonObject apiPayload);
@@ -59,7 +53,7 @@ private:
                     std::function<bool(QNetworkReply *reply, const QList<QSslError> &sslErrors)> replyProcessingFunction);

    void getProxyUrlsAsync(const QStringList proxyStorageUrls, const int currentProxyStorageIndex,
-                           const QString &proxyUrlsCacheKey, std::function<void(const QStringList &)> onComplete);
+                           std::function<void(const QStringList &)> onComplete);
    void getProxyUrlAsync(const QStringList proxyUrls, const int currentProxyIndex, std::function<void(const QString &)> onComplete);
    void bypassProxyAsync(
            const QString &endpoint, const QString &proxyUrl, EncryptedRequestData encRequestData,
@@ -69,7 +63,6 @@ private:
    QString m_gatewayEndpoint;
    bool m_isDevEnvironment = false;
    bool m_isStrictKillSwitchEnabled = false;
-    std::shared_ptr<Settings> m_settings;

    inline static QString m_proxyUrl;
 };
@@ -419,18 +419,6 @@ ErrorCode ServerController::installDockerWorker(const ServerCredentials &credent
                      cbReadStdOut, cbReadStdErr);

    qDebug().noquote() << "ServerController::installDockerWorker" << stdOut;
-    if (container == DockerContainer::Awg2) {
-        QRegularExpression regex(R"(Linux\s+(\d+)\.(\d+)[^\d]*)");
-        QRegularExpressionMatch match = regex.match(stdOut);
-        if (match.hasMatch()) {
-            int majorVersion = match.captured(1).toInt();
-            int minorVersion = match.captured(2).toInt();
-
-            if (majorVersion < 4 || (majorVersion == 4 && minorVersion < 14)) {
-                return ErrorCode::ServerLinuxKernelTooOld;
-            }
-        }
-    }
    if (stdOut.contains("lock"))
        return ErrorCode::ServerPacketManagerError;
    if (stdOut.contains("command not found"))
@@ -61,7 +61,6 @@ namespace amnezia
        ServerDockerOnCgroupsV2 = 211,
        ServerCgroupMountpoint = 212,
        DockerPullRateLimit = 213,
-        ServerLinuxKernelTooOld = 214,

        // Ssh connection errors
        SshRequestDeniedError = 300,
@@ -123,9 +122,6 @@ namespace amnezia
        ApiUpdateRequestError = 1111,
        ApiSubscriptionExpiredError = 1112,
        ApiPurchaseError = 1113,
-        ApiSubscriptionNotActiveError = 1114,
-        ApiNoPurchasedSubscriptionsError = 1115,
-        ApiTrialAlreadyUsedError = 1116,

        // QFile errors
        OpenError = 1200,
@@ -29,7 +29,6 @@ QString errorString(ErrorCode code) {
    case(ErrorCode::ServerDockerOnCgroupsV2): errorMessage = QObject::tr("Docker error: runc doesn't work on cgroups v2"); break;
    case(ErrorCode::ServerCgroupMountpoint): errorMessage = QObject::tr("Server error: cgroup mountpoint does not exist"); break;
    case(ErrorCode::DockerPullRateLimit): errorMessage = QObject::tr("Docker error: The pull rate limit has been reached"); break;
-    case(ErrorCode::ServerLinuxKernelTooOld): errorMessage = QObject::tr("Server error: Linux kernel is too old"); break;

    // Libssh errors
    case(ErrorCode::SshRequestDeniedError): errorMessage = QObject::tr("SSH request was denied"); break;
@@ -80,9 +79,6 @@ QString errorString(ErrorCode code) {
    case (ErrorCode::ApiUpdateRequestError): errorMessage = QObject::tr("Please update the application to use this feature"); break;
    case (ErrorCode::ApiSubscriptionExpiredError): errorMessage = QObject::tr("Your Amnezia Premium subscription has expired.\n Please check your email for renewal instructions.\n If you haven't received an email, please contact our support."); break;
    case (ErrorCode::ApiPurchaseError): errorMessage = QObject::tr("Unable to process purchase"); break;
-    case (ErrorCode::ApiSubscriptionNotActiveError): errorMessage = QObject::tr("No active subscription found"); break;
-    case (ErrorCode::ApiNoPurchasedSubscriptionsError): errorMessage = QObject::tr("No purchased subscriptions found. Please purchase a subscription first"); break;
-    case (ErrorCode::ApiTrialAlreadyUsedError): errorMessage = QObject::tr("This email address has already been used to activate a trial"); break;

    // QFile errors
    case(ErrorCode::OpenError): errorMessage = QObject::tr("QFile error: The file could not be opened"); break;
@@ -7,6 +7,7 @@ IpcClient::IpcClient(QObject *parent) : QObject(parent)
 {
    m_node.connectToNode(QUrl("local:" + amnezia::getIpcServiceUrl()));
    m_interface.reset(m_node.acquire<IpcInterfaceReplica>());
+    m_tun2socks.reset(m_node.acquire<IpcProcessTun2SocksReplica>());
 }

 IpcClient& IpcClient::Instance()
@@ -32,43 +33,68 @@ QSharedPointer<IpcInterfaceReplica> IpcClient::Interface()
    return rep;
 }

-QSharedPointer<IpcProcessInterfaceReplica> IpcClient::CreatePrivilegedProcess()
+QSharedPointer<IpcProcessTun2SocksReplica> IpcClient::InterfaceTun2Socks()
 {
-    return withInterface([](QSharedPointer<IpcInterfaceReplica> &iface) -> QSharedPointer<IpcProcessInterfaceReplica> {
-        auto createPrivilegedProcess = iface->createPrivilegedProcess();
-        if (!createPrivilegedProcess.waitForFinished()) {
-            qCritical() << "Failed to create privileged process";
-            return nullptr;
-        }
-
-        const int pid = createPrivilegedProcess.returnValue();
-
-        auto* node = new QRemoteObjectNode();
-        node->connectToNode(QUrl(QString("local:%1").arg(amnezia::getIpcProcessUrl(pid))));
-
-        QSharedPointer<IpcProcessInterfaceReplica> rep(
-            node->acquire<IpcProcessInterfaceReplica>(),
-            [node] (IpcProcessInterfaceReplica *ptr) {
-                delete ptr;
-                node->deleteLater();
-            }
-        );
-        if (rep.isNull()) {
-            qCritical() << "IpcClient::CreatePrivilegedProcess(): Failed to acquire replica";
-            return nullptr;
-        }
-        if (!rep->waitForSource()) {
-            qCritical() << "IpcClient::CreatePrivilegedProcess(): Failed to initialize replica";
-            return nullptr;
-        }
-        if (!rep->isReplicaValid()) {
-            qCritical() << "IpcClient::CreatePrivilegedProcess(): Replica is invalid";
-            return nullptr;
-        }
-
-        return rep;
-    },
-    []() -> QSharedPointer<IpcProcessInterfaceReplica> {
+    QSharedPointer<IpcProcessTun2SocksReplica> rep = Instance().m_tun2socks;
+    if (rep.isNull()) {
+        qCritical() << "IpcClient::InterfaceTun2Socks: Replica is undefined";
        return nullptr;
-    });
+    }
+    if (!rep->waitForSource(1000)) {
+        qCritical() << "IpcClient::InterfaceTun2Socks: Failed to initialize replica";
+        return nullptr;
+    }
+    if (!rep->isReplicaValid()) {
+        qWarning() << "IpcClient::InterfaceTun2Socks(): Replica is invalid";
+    }
+    return rep;
+}
+
+QSharedPointer<PrivilegedProcess> IpcClient::CreatePrivilegedProcess()
+{
+    QSharedPointer<IpcInterfaceReplica> rep = Interface();
+    if (!rep) {
+        qCritical() << "IpcClient::createPrivilegedProcess: Replica is invalid";
+        return nullptr;
+    }
+
+    QRemoteObjectPendingReply<int> pidReply = rep->createPrivilegedProcess();
+    if (!pidReply.waitForFinished(5000)){
+        qCritical() << "IpcClient::createPrivilegedProcess: Failed to execute RO createPrivilegedProcess call";
+        return nullptr;
+    }
+
+    int pid = pidReply.returnValue();
+    QSharedPointer<ProcessDescriptor> pd(new ProcessDescriptor());
+
+    pd->localSocket.reset(new QLocalSocket(pd->replicaNode.data()));
+
+    connect(pd->localSocket.data(), &QLocalSocket::connected, pd->replicaNode.data(), [pd]() {
+        pd->replicaNode->addClientSideConnection(pd->localSocket.data());
+
+        IpcProcessInterfaceReplica *repl = pd->replicaNode->acquire<IpcProcessInterfaceReplica>();
+        // TODO: rework the unsafe cast below
+        PrivilegedProcess *priv = static_cast<PrivilegedProcess *>(repl);
+        pd->ipcProcess.reset(priv);
+        if (!pd->ipcProcess) {
+            qWarning() << "Acquire PrivilegedProcess failed";
+        } else {
+            pd->ipcProcess->waitForSource(1000);
+            if (!pd->ipcProcess->isReplicaValid()) {
+                qWarning() << "PrivilegedProcess replica is not connected!";
+            }
+
+            QObject::connect(pd->ipcProcess.data(), &PrivilegedProcess::destroyed, pd->ipcProcess.data(),
+                             [pd]() { pd->replicaNode->deleteLater(); });
+        }
+    });
+
+    pd->localSocket->connectToServer(amnezia::getIpcProcessUrl(pid));
+    if (!pd->localSocket->waitForConnected()) {
+        qCritical() << "IpcClient::createPrivilegedProcess: Failed to connect to process' socket";
+        return nullptr;
+    }
+
+    auto processReplica = QSharedPointer<PrivilegedProcess>(pd->ipcProcess);
+    return processReplica;
 }
@@ -5,7 +5,9 @@
 #include <QObject>

 #include "rep_ipc_interface_replica.h"
-#include "rep_ipc_process_interface_replica.h"
+#include "rep_ipc_process_tun2socks_replica.h"
+
+#include "privileged_process.h"

 class IpcClient : public QObject
 {
@@ -16,7 +18,8 @@ public:
    static IpcClient& Instance();

    static QSharedPointer<IpcInterfaceReplica> Interface();
-    static QSharedPointer<IpcProcessInterfaceReplica> CreatePrivilegedProcess();
+    static QSharedPointer<IpcProcessTun2SocksReplica> InterfaceTun2Socks();
+    static QSharedPointer<PrivilegedProcess> CreatePrivilegedProcess();

    template <typename Func>
    static auto withInterface(Func func)
@@ -51,6 +54,18 @@ signals:
 private:
    QRemoteObjectNode m_node;
    QSharedPointer<IpcInterfaceReplica> m_interface;
+    QSharedPointer<IpcProcessTun2SocksReplica> m_tun2socks;
+
+    struct ProcessDescriptor {
+        ProcessDescriptor () {
+            replicaNode = QSharedPointer<QRemoteObjectNode>(new QRemoteObjectNode());
+            ipcProcess = QSharedPointer<PrivilegedProcess>();
+            localSocket = QSharedPointer<QLocalSocket>();
+        }
+        QSharedPointer<PrivilegedProcess> ipcProcess;
+        QSharedPointer<QRemoteObjectNode> replicaNode;
+        QSharedPointer<QLocalSocket> localSocket;
+    };
 };

 #endif // IPCCLIENT_H
@@ -24,7 +24,7 @@
    #include <sys/socket.h>
    #include <unistd.h>
 #endif
-#if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
+#if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
    #include <sys/param.h>
    #include <sys/sysctl.h>
    #include <sys/socket.h>
@@ -404,7 +404,7 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
    close(sock);
    return { gateway_address, QNetworkInterface::interfaceFromName(interface) };
 #endif
-#if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
+#if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
    QString gateway;
    int index = -1;

@@ -0,0 +1,27 @@
+#include "privileged_process.h"
+
+PrivilegedProcess::PrivilegedProcess() :
+    IpcProcessInterfaceReplica()
+{
+}
+
+PrivilegedProcess::~PrivilegedProcess()
+{
+    qDebug() << "PrivilegedProcess::~PrivilegedProcess()";
+}
+
+void PrivilegedProcess::waitForFinished(int msecs)
+{
+    QSharedPointer<QEventLoop> loop(new QEventLoop);
+    connect(this, &PrivilegedProcess::finished, this, [this, loop](int exitCode, QProcess::ExitStatus exitStatus) mutable{
+        loop->quit();
+        loop.clear();
+    });
+
+    QTimer::singleShot(msecs, this, [this, loop]() mutable {
+        loop->quit();
+        loop.clear();
+    });
+
+    loop->exec();
+}
@@ -0,0 +1,24 @@
+#ifndef PRIVILEGED_PROCESS_H
+#define PRIVILEGED_PROCESS_H
+
+#include <QObject>
+
+#include "rep_ipc_process_interface_replica.h"
+// This class is dangerous - instance of this class casted from base class,
+// so it support only functions
+// Do not add any members into it
+//
+class PrivilegedProcess : public IpcProcessInterfaceReplica
+{
+    Q_OBJECT
+public:
+    PrivilegedProcess();
+    ~PrivilegedProcess() override;
+
+    void waitForFinished(int msecs);
+
+};
+
+#endif // PRIVILEGED_PROCESS_H
+
+
@@ -1,11 +1,6 @@
 #include <QString>
-#include <QJsonArray>
 #include <QJsonObject>
 #include <QList>
-#include <QHostAddress>
-#include <QRandomGenerator>
-#include <QTcpServer>
-#include <stdexcept>
 #include "3rd/QJsonStruct/QJsonIO.hpp"
 #include "transfer.h"
 #include "serialization.h"
@@ -19,125 +14,25 @@ namespace amnezia::serialization::inbounds
 //                     "port": 10808,
 //                     "protocol": "socks",
 //                     "settings": {
-//                         "auth": "password",
-//                         "accounts": [{"user": "...", "pass": "..."}],
 //                         "udp": true
 //                     }
 //                 }
 //],

 const static QString listen = "127.0.0.1";
-const static int defaultPort = 10808;
+const static int port = 10808;
 const static QString protocol = "socks";

-static int indexOfSocksInbound(const QJsonArray &inbounds)
-{
-    for (int i = 0; i < inbounds.size(); ++i) {
-        const QString p = inbounds.at(i).toObject().value(QLatin1String("protocol")).toString();
-        if (p.compare(QLatin1String("socks"), Qt::CaseInsensitive) == 0)
-            return i;
-    }
-    return -1;
-}
-
-// Ask the OS for a free TCP port on loopback (same stack as inbound "listen": "127.0.0.1").
-static int acquireFreeLocalPort()
-{
-    QTcpServer probe;
-    if (!probe.listen(QHostAddress(QStringLiteral("127.0.0.1")), 0)) {
-        throw std::runtime_error(
-            "Failed to bind a local TCP port on 127.0.0.1 for SOCKS inbound "
-            "(QTcpServer::listen failed; possible permission or OS network error).");
-    }
-    return static_cast<int>(probe.serverPort());
-}
-
-// Generates a hex string of `byteCount` random bytes (URL-safe, no special chars).
-static QString generateRandomHex(int byteCount)
-{
-    if (byteCount <= 0)
-        return {};
-    // fillRange writes full quint32 words; size the buffer to a multiple of 4 bytes to avoid
-    // overrunning a short buffer when byteCount is not divisible by 4.
-    const int numUint32 = (byteCount + int(sizeof(quint32)) - 1) / int(sizeof(quint32));
-    QByteArray buf(numUint32 * int(sizeof(quint32)), '\0');
-    QRandomGenerator::system()->fillRange(reinterpret_cast<quint32 *>(buf.data()), numUint32);
-    return QString::fromLatin1(buf.left(byteCount).toHex());
-}
-
 QJsonObject GenerateInboundEntry()
 {
    QJsonObject root;
    QJsonIO::SetValue(root, listen, "listen");
-    QJsonIO::SetValue(root, defaultPort, "port");
+    QJsonIO::SetValue(root, port, "port");
    QJsonIO::SetValue(root, protocol, "protocol");
    QJsonIO::SetValue(root, true, "settings", "udp");
    return root;
 }

-InboundCredentials GetInboundCredentials(const QJsonObject &xrayConfig)
-{
-    InboundCredentials creds;
-    creds.port = defaultPort;
-
-    const QJsonArray inbounds = xrayConfig.value("inbounds").toArray();
-    const int socksIdx = indexOfSocksInbound(inbounds);
-    if (socksIdx < 0)
-        return creds;
-
-    const QJsonObject inbound = inbounds.at(socksIdx).toObject();
-    creds.port = inbound.value("port").toInt(defaultPort);
-
-    const QJsonObject settings = inbound.value("settings").toObject();
-    const QJsonArray accounts = settings.value("accounts").toArray();
-    if (accounts.isEmpty())
-        return creds;
-
-    const QJsonObject account = accounts.first().toObject();
-    creds.username = account.value("user").toString();
-    creds.password = account.value("pass").toString();
-    return creds;
-}
-
-InboundCredentials EnsureInboundAuth(QJsonObject &xrayConfig)
-{
-    QJsonArray inbounds = xrayConfig.value("inbounds").toArray();
-    const int socksIdx = indexOfSocksInbound(inbounds);
-    if (socksIdx < 0)
-        return GetInboundCredentials(xrayConfig); // no SOCKS inbound to patch
-
-    QJsonObject inbound = inbounds.at(socksIdx).toObject();
-    InboundCredentials creds;
-    creds.port = acquireFreeLocalPort();
-    inbound["port"] = creds.port;
-
-    QJsonObject settings = inbound.value("settings").toObject();
-    const QJsonArray accounts = settings.value("accounts").toArray();
-    if (!accounts.isEmpty()) {
-        const QJsonObject account = accounts.first().toObject();
-        creds.username = account.value("user").toString();
-        creds.password = account.value("pass").toString();
-    }
-
-    if (creds.username.isEmpty() || creds.password.isEmpty()) {
-        // Generate fresh credentials for this session (never persisted)
-        creds.username = generateRandomHex(8);  // 16 hex chars
-        creds.password = generateRandomHex(16); // 32 hex chars
-        QJsonObject account;
-        account["user"] = creds.username;
-        account["pass"] = creds.password;
-        settings["accounts"] = QJsonArray{ account };
-    }
-
-    // Always ensure auth mode is enforced, even for imported configs that had
-    // accounts but auth: "noauth" (or no auth field at all).
-    settings["auth"] = QStringLiteral("password");
-    inbound["settings"] = settings;
-    inbounds[socksIdx] = inbound;
-    xrayConfig["inbounds"] = inbounds;
-
-    return creds;
-}

 } // namespace amnezia::serialization::inbounds

@@ -60,24 +60,7 @@ namespace amnezia::serialization

    namespace inbounds
    {
-        struct InboundCredentials {
-            QString username;
-            QString password;
-            int port;
-        };
-
        QJsonObject GenerateInboundEntry();
-
-        // Reads existing SOCKS5 auth from the first inbound with protocol "socks"
-        // (.settings.accounts[0]). Returns empty username/password if none.
-        InboundCredentials GetInboundCredentials(const QJsonObject &xrayConfig);
-
-        // Ensures SOCKS5 auth is present on the inbound whose protocol is "socks".
-        // Re-uses existing credentials if already set; otherwise generates random ones
-        // and writes them into the config. Assigns a free loopback TCP port each session
-        // (OS-assigned). Throws std::runtime_error if a SOCKS inbound exists but binding
-        // a local port on 127.0.0.1 fails (e.g. permissions or OS error).
-        InboundCredentials EnsureInboundAuth(QJsonObject &xrayConfig);
    }
 }

@@ -390,55 +390,55 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {

  config.m_killSwitchEnabled = QVariant(obj.value("killSwitchOption").toString()).toBool();

-  if (const auto jc = obj.value("Jc"); !jc.isUndefined()) {
-    config.m_junkPacketCount = jc.toString();
+  if (!obj.value("Jc").isNull()) {
+    config.m_junkPacketCount = obj.value("Jc").toString();
  }
-  if (const auto jmin = obj.value("Jmin"); !jmin.isUndefined()) {
-    config.m_junkPacketMinSize = jmin.toString();
+  if (!obj.value("Jmin").isNull()) {
+    config.m_junkPacketMinSize = obj.value("Jmin").toString();
  }
-  if (const auto jmax = obj.value("Jmax"); !jmax.isUndefined()) {
-    config.m_junkPacketMaxSize = jmax.toString();
+  if (!obj.value("Jmax").isNull()) {
+    config.m_junkPacketMaxSize = obj.value("Jmax").toString();
  }
-  if (const auto s1 = obj.value("S1"); !s1.isUndefined()) {
-    config.m_initPacketJunkSize = s1.toString();
+  if (!obj.value("S1").isNull()) {
+    config.m_initPacketJunkSize = obj.value("S1").toString();
  }
-  if (const auto s2 = obj.value("S2"); !s2.isUndefined()) {
-    config.m_responsePacketJunkSize = s2.toString();
+  if (!obj.value("S2").isNull()) {
+    config.m_responsePacketJunkSize = obj.value("S2").toString();
  }
-  if (const auto s3 = obj.value("S3"); !s3.isUndefined()) {
-    config.m_cookieReplyPacketJunkSize = s3.toString();
+  if (!obj.value("S3").isNull()) {
+    config.m_cookieReplyPacketJunkSize = obj.value("S3").toString();
  }
-  if (const auto s4 = obj.value("S4"); !s4.isUndefined()) {
-    config.m_transportPacketJunkSize = s4.toString();
+  if (!obj.value("S4").isNull()) {
+    config.m_transportPacketJunkSize = obj.value("S4").toString();
  }

-  if (const auto h1 = obj.value("H1"); !h1.isUndefined()) {
-    config.m_initPacketMagicHeader = h1.toString();
+  if (!obj.value("H1").isNull()) {
+    config.m_initPacketMagicHeader = obj.value("H1").toString();
  }
-  if (const auto h2 = obj.value("H2"); !h2.isUndefined()) {
-    config.m_responsePacketMagicHeader = h2.toString();
+  if (!obj.value("H2").isNull()) {
+    config.m_responsePacketMagicHeader = obj.value("H2").toString();
  }
-  if (const auto h3 = obj.value("H3"); !h3.isUndefined()) {
-    config.m_underloadPacketMagicHeader = h3.toString();
+  if (!obj.value("H3").isNull()) {
+    config.m_underloadPacketMagicHeader = obj.value("H3").toString();
  }
-  if (const auto h4 = obj.value("H4"); !h4.isUndefined()) {
-    config.m_transportPacketMagicHeader = h4.toString();
+  if (!obj.value("H4").isNull()) {
+    config.m_transportPacketMagicHeader = obj.value("H4").toString();
  }

-  if (const auto i1 = obj.value("I1"); !i1.isUndefined()) {
-    config.m_specialJunk["I1"] = i1.toString();
+  if (!obj.value("I1").isNull()) {
+    config.m_specialJunk["I1"] = obj.value("I1").toString();
  }
-  if (const auto i2 = obj.value("I2"); !i2.isUndefined()) {
-    config.m_specialJunk["I2"] = i2.toString();
+  if (!obj.value("I2").isNull()) {
+    config.m_specialJunk["I2"] = obj.value("I2").toString();
  }
-  if (const auto i3 = obj.value("I3"); !i3.isUndefined()) {
-    config.m_specialJunk["I3"] = i3.toString();
+  if (!obj.value("I3").isNull()) {
+    config.m_specialJunk["I3"] = obj.value("I3").toString();
  }
-  if (const auto i4 = obj.value("I4"); !i4.isUndefined()) {
-    config.m_specialJunk["I4"] = i4.toString();
+  if (!obj.value("I4").isNull()) {
+    config.m_specialJunk["I4"] = obj.value("I4").toString();
  }
-  if (const auto i5 = obj.value("I5"); !i5.isUndefined()) {
-    config.m_specialJunk["I5"] = i5.toString();
+  if (!obj.value("I5").isNull()) {
+    config.m_specialJunk["I5"] = obj.value("I5").toString();
  }

  return true;
@@ -1,6 +0,0 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M15 21V17C15 16.4696 15.2107 15.9609 15.5858 15.5858C15.9609 15.2107 16.4696 15 17 15H21" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M7 4V6C7.21572 6.61347 7.62494 7.14024 8.16602 7.50096C8.7071 7.86168 9.35075 8.03682 10 8V8C10.5304 8 11.0391 8.21071 11.4142 8.58579C11.7893 8.96086 12 9.46957 12 10C12 10.5304 12.2107 11.0391 12.5858 11.4142C12.9609 11.7893 13.4696 12 14 12C14.5304 12 15.0391 11.7893 15.4142 11.4142C15.7893 11.0391 16 10.5304 16 10C16 9.46957 16.2107 8.96086 16.5858 8.58579C16.9609 8.21071 17.4696 8 18 8H21" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M3 11H5C5.53043 11 6.03914 11.2107 6.41421 11.5858C6.78929 11.9609 7 12.4696 7 13V14C7 14.5304 7.21071 15.0391 7.58579 15.4142C7.96086 15.7893 8.46957 16 9 16C9.53043 16 10.0391 16.2107 10.4142 16.5858C10.7893 16.9609 11 17.4696 11 18V22" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M12 22C17.5228 22 22 17.5228 22 12C22 6.47715 17.5228 2 12 2C6.47715 2 2 6.47715 2 12C2 17.5228 6.47715 22 12 22Z" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>
@@ -1,3 +0,0 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M18.1777 8C23.2737 8 23.2737 16 18.1777 16C13.0827 16 11.0447 8 5.43875 8C0.85375 8 0.85375 16 5.43875 16C11.0447 16 13.0828 8 18.1788 8H18.1777Z" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>
@@ -1,4 +0,0 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M17 2H7C5.89543 2 5 2.89543 5 4V20C5 21.1046 5.89543 22 7 22H17C18.1046 22 19 21.1046 19 20V4C19 2.89543 18.1046 2 17 2Z" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M12 18H12.01" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>CFBundleAllowMixedLocalizations</key>
+    <true/>
+    <key>CFBundleDevelopmentRegion</key>
+    <string>en</string>
+    <key>CFBundleDisplayName</key>
+    <string>${QT_INTERNAL_DOLLAR_VAR}{PRODUCT_NAME}</string>
+    <key>CFBundleExecutable</key>
+    <string>${MACOSX_BUNDLE_EXECUTABLE_NAME}</string>
+    <key>CFBundleIdentifier</key>
+    <string>${MACOSX_BUNDLE_GUI_IDENTIFIER}</string>
+    <key>CFBundleInfoDictionaryVersion</key>
+    <string>6.0</string>
+    <key>CFBundleName</key>
+    <string>${MACOSX_BUNDLE_BUNDLE_NAME}</string>
+    <key>CFBundlePackageType</key>
+    <string>APPL</string>
+    <key>CFBundleShortVersionString</key>
+    <string>${MACOSX_BUNDLE_SHORT_VERSION_STRING}</string>
+    <key>CFBundleVersion</key>
+    <string>${MACOSX_BUNDLE_BUNDLE_VERSION}</string>
+    <key>NSHumanReadableCopyright</key>
+    <string>${MACOSX_BUNDLE_COPYRIGHT}</string>
+    <key>ITSAppUsesNonExemptEncryption</key>
+    <false/>
+    <key>UIRequiredDeviceCapabilities</key>
+    <array/>
+    <key>UIRequiresFullScreen</key>
+    <true/>
+    <key>UISupportedInterfaceOrientations</key>
+    <array>
+        <string>UIInterfaceOrientationLandscapeLeft</string>
+        <string>UIInterfaceOrientationLandscapeRight</string>
+    </array>
+    <key>UILaunchStoryboardName</key>
+    <string>AmneziaVPNLaunchScreen</string>
+    <key>UIUserInterfaceStyle</key>
+    <string>Light</string>
+    <key>com.wireguard.ios.app_group_id</key>
+    <string>group.org.amnezia.AmneziaVPN</string>
+    <key>UIViewControllerBasedStatusBarAppearance</key>
+    <true/>
+    <key>NSAppTransportSecurity</key>
+    <dict>
+        <key>NSAllowsArbitraryLoads</key>
+        <false/>
+        <key>NSAllowsLocalNetworking</key>
+        <true/>
+    </dict>
+</dict>
+</plist>
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<document type="com.apple.InterfaceBuilder.AppleTV.Storyboard" version="3.0" toolsVersion="13122.16" targetRuntime="AppleTV" propertyAccessControl="none" useAutolayout="YES" launchScreen="YES" useTraitCollections="YES" useSafeAreas="YES" colorMatched="YES" initialViewController="BYZ-38-t0r">
+    <dependencies>
+        <plugIn identifier="com.apple.InterfaceBuilder.IBCocoaTouchPlugin" version="13104.12"/>
+        <capability name="Safe area layout guides" minToolsVersion="9.0"/>
+        <capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
+    </dependencies>
+    <scenes>
+        <scene sceneID="tne-QT-ifu">
+            <objects>
+                <viewController id="BYZ-38-t0r" sceneMemberID="viewController">
+                    <view key="view" contentMode="scaleToFill" id="8bC-Xf-vdC">
+                        <rect key="frame" x="0.0" y="0.0" width="1920" height="1080"/>
+                        <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
+                        <color key="backgroundColor" red="0.0" green="0.0" blue="0.0" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
+                        <viewLayoutGuide key="safeArea" id="wu6-TO-1qx"/>
+                    </view>
+                </viewController>
+                <placeholder placeholderIdentifier="IBFirstResponder" id="dkx-z0-nzr" sceneMemberID="firstResponder"/>
+            </objects>
+        </scene>
+    </scenes>
+</document>
@@ -1,6 +1,13 @@
 enable_language(Swift)

 set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/../..)
+set(AMNEZIA_IOS_APPLETV ${AMNEZIA_IOS_ENABLE_APPLETV_TARGET})
+
+if(AMNEZIA_IOS_APPLETV)
+    message("Network Extension tvOS mode is ON")
+else()
+    message("Network Extension tvOS mode is OFF")
+endif()

 add_executable(networkextension)
 set_target_properties(networkextension PROPERTIES
@@ -28,6 +35,23 @@ set_target_properties(networkextension PROPERTIES
    XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/../../Frameworks"
 )

+if(AMNEZIA_IOS_APPLETV)
+    set_target_properties(networkextension PROPERTIES
+        XCODE_ATTRIBUTE_SUPPORTED_PLATFORMS "appletvos appletvsimulator"
+        XCODE_ATTRIBUTE_TARGETED_DEVICE_FAMILY "3"
+        XCODE_ATTRIBUTE_TVOS_DEPLOYMENT_TARGET "${CMAKE_OSX_DEPLOYMENT_TARGET}"
+        XCODE_ATTRIBUTE_SDKROOT "appletvos"
+        XCODE_ATTRIBUTE_SDKROOT[sdk=appletvos*] "appletvos"
+        XCODE_ATTRIBUTE_SDKROOT[sdk=appletvsimulator*] "appletvsimulator"
+        XCODE_ATTRIBUTE_LIBRARY_SEARCH_PATHS "$(inherited) $(SDKROOT)/usr/lib/swift $(TOOLCHAIN_DIR)/usr/lib/swift/$(PLATFORM_NAME)"
+        XCODE_ATTRIBUTE_LIBRARY_SEARCH_PATHS[sdk=appletvos*] "$(inherited) $(SDKROOT)/usr/lib/swift $(TOOLCHAIN_DIR)/usr/lib/swift/$(PLATFORM_NAME)"
+        XCODE_ATTRIBUTE_LIBRARY_SEARCH_PATHS[sdk=appletvsimulator*] "$(inherited) $(SDKROOT)/usr/lib/swift $(TOOLCHAIN_DIR)/usr/lib/swift/$(PLATFORM_NAME)"
+        XCODE_ATTRIBUTE_EXCLUDED_LIBRARY_SEARCH_PATHS "/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS*.sdk/usr/lib/swift"
+        XCODE_ATTRIBUTE_EXCLUDED_FRAMEWORK_SEARCH_PATHS "/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS*.sdk/System/Library/Frameworks"
+        LINKER_LANGUAGE Swift
+    )
+endif()
+
 if(DEPLOY)
    set_target_properties(networkextension PROPERTIES
        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Distribution"
@@ -45,38 +69,49 @@ endif()
 set_target_properties(networkextension PROPERTIES
    XCODE_ATTRIBUTE_SWIFT_VERSION "5.0"
    XCODE_ATTRIBUTE_CLANG_ENABLE_MODULES "YES"
-    XCODE_ATTRIBUTE_SWIFT_OBJC_BRIDGING_HEADER "${CMAKE_CURRENT_SOURCE_DIR}/WireGuardNetworkExtension-Bridging-Header.h"
    XCODE_ATTRIBUTE_SWIFT_OPTIMIZATION_LEVEL "-Onone"
    XCODE_ATTRIBUTE_SWIFT_PRECOMPILE_BRIDGING_HEADER "NO"
 )

+set_target_properties(networkextension PROPERTIES
+    XCODE_ATTRIBUTE_SWIFT_OBJC_BRIDGING_HEADER "${CMAKE_CURRENT_SOURCE_DIR}/WireGuardNetworkExtension-Bridging-Header.h"
+)
+
 set_target_properties("networkextension" PROPERTIES
    XCODE_ATTRIBUTE_DEVELOPMENT_TEAM "X7UJ388FXK"
 )

-find_library(FW_ASSETS_LIBRARY AssetsLibrary)
-find_library(FW_MOBILE_CORE MobileCoreServices)
 find_library(FW_UI_KIT UIKit)
 find_library(FW_LIBRESOLV libresolv.9.tbd)

-target_link_libraries(networkextension PRIVATE ${FW_ASSETS_LIBRARY})
-target_link_libraries(networkextension PRIVATE ${FW_MOBILE_CORE})
-target_link_libraries(networkextension PRIVATE ${FW_UI_KIT})
-target_link_libraries(networkextension PRIVATE ${FW_LIBRESOLV})
+if(NOT AMNEZIA_IOS_APPLETV)
+    target_link_libraries(networkextension PRIVATE ${FW_UI_KIT})
+    target_link_libraries(networkextension PRIVATE ${FW_LIBRESOLV})
+else()
+    target_link_libraries(networkextension PRIVATE -lresolv)
+endif()

 target_compile_options(networkextension PRIVATE -DGROUP_ID=\"${BUILD_IOS_GROUP_IDENTIFIER}\")
 target_compile_options(networkextension PRIVATE -DNETWORK_EXTENSION=1)

 set(WG_APPLE_SOURCE_DIR ${CLIENT_ROOT_DIR}/3rd/amneziawg-apple/Sources)

-target_sources(networkextension PRIVATE
+set(NE_COMMON_SOURCES
+    ${CLIENT_ROOT_DIR}/platforms/ios/NELogController.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/Log.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider.swift
+)
+
+set(NE_WIREGUARD_SOURCES
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/WireGuardAdapter.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/PacketTunnelSettingsGenerator.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/DNSResolver.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardNetworkExtension/ErrorNotifier.swift
    ${WG_APPLE_SOURCE_DIR}/Shared/Keychain.swift
-    ${WG_APPLE_SOURCE_DIR}/Shared/Model/TunnelConfiguration+WgQuickConfig.swift
+    ${WG_APPLE_SOURCE_DIR}/Shared/FileManager+Extension.swift
    ${WG_APPLE_SOURCE_DIR}/Shared/Model/NETunnelProviderProtocol+Extension.swift
+    ${WG_APPLE_SOURCE_DIR}/Shared/Model/TunnelConfiguration+WgQuickConfig.swift
    ${WG_APPLE_SOURCE_DIR}/Shared/Model/String+ArrayConversion.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/TunnelConfiguration.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/IPAddressRange.swift
@@ -84,24 +119,50 @@ target_sources(networkextension PRIVATE
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/DNSServer.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/InterfaceConfiguration.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/PeerConfiguration.swift
-    ${WG_APPLE_SOURCE_DIR}/Shared/FileManager+Extension.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKitC/x25519.c
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/Array+ConcurrentMap.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/IPAddress+AddrInfo.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/PrivateKey.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/HevSocksTunnel.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/NELogController.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/Log.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+WireGuard.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+OpenVPN.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+Xray.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/WGConfig.swift
+)
+
+set(NE_XRAY_SOURCES
+    ${CLIENT_ROOT_DIR}/platforms/ios/HevSocksTunnel.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+Xray.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/XrayConfig.swift
+)
+
+set(NE_OPENVPN_SOURCES
+    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+OpenVPN.swift
+)
+
+set(NE_APPLE_GLUE_SOURCES
    ${CLIENT_ROOT_DIR}/platforms/ios/iosglue.mm
 )

+if(AMNEZIA_IOS_APPLETV)
+    list(APPEND NE_APPLE_GLUE_SOURCES
+        ${CLIENT_ROOT_DIR}/platforms/ios/tvos_cgo_stubs.c
+    )
+endif()
+
+target_sources(networkextension PRIVATE ${NE_COMMON_SOURCES})
+
+if(NOT AMNEZIA_IOS_APPLETV)
+    target_sources(networkextension PRIVATE
+        ${NE_WIREGUARD_SOURCES}
+        ${NE_OPENVPN_SOURCES}
+        ${NE_XRAY_SOURCES}
+        ${NE_APPLE_GLUE_SOURCES}
+    )
+else()
+    target_sources(networkextension PRIVATE
+        ${NE_WIREGUARD_SOURCES}
+        ${NE_APPLE_GLUE_SOURCES}
+    )
+endif()
+
 target_sources(networkextension PRIVATE
    ${CMAKE_CURRENT_SOURCE_DIR}/PrivacyInfo.xcprivacy
 )
@@ -113,7 +174,7 @@ set_property(TARGET networkextension APPEND PROPERTY RESOURCE
 ## Build wireguard-go-version.h
 execute_process(
    COMMAND go list -m golang.zx2c4.com/wireguard
-    WORKING_DIRECTORY ${CLIENT_ROOT_DIR}/3rd/wireguard-apple/Sources/WireGuardKitGo
+    WORKING_DIRECTORY ${WG_APPLE_SOURCE_DIR}/WireGuardKitGo
    OUTPUT_VARIABLE WG_VERSION_FULL
 )
 string(REGEX REPLACE ".*v\([0-9.]*\).*" "\\1" WG_VERSION_STRING 1.1.1)
@@ -122,9 +183,46 @@ configure_file(${CMAKE_CURRENT_SOURCE_DIR}/wireguard-go-version.h.in
 target_sources(networkextension PRIVATE
    ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go-version.h)

+if(AMNEZIA_IOS_APPLETV)
+    set(WG_TVOS_LIB_DIR ${CMAKE_CURRENT_BINARY_DIR}/WireGuardKitGo-appletvos)
+    set(WG_TVOS_TMP_DIR ${CMAKE_CURRENT_BINARY_DIR}/WireGuardKitGo-appletvos-tmp)
+    execute_process(
+        COMMAND make clean
+        WORKING_DIRECTORY ${WG_APPLE_SOURCE_DIR}/WireGuardKitGo
+        OUTPUT_QUIET
+        ERROR_QUIET
+    )
+    execute_process(
+        COMMAND make build
+            PLATFORM_NAME=appletvos
+            GOOS_appletvos=ios
+            GOFLAGS=-tags=netgo
+            ARCHS=arm64
+            DEPLOYMENT_TARGET_CLANG_FLAG_NAME=mtvos-version-min
+            DEPLOYMENT_TARGET_CLANG_ENV_NAME=TVOS_DEPLOYMENT_TARGET
+            TVOS_DEPLOYMENT_TARGET=${CMAKE_OSX_DEPLOYMENT_TARGET}
+            CONFIGURATION_BUILD_DIR=${WG_TVOS_LIB_DIR}
+            CONFIGURATION_TEMP_DIR=${WG_TVOS_TMP_DIR}
+        WORKING_DIRECTORY ${WG_APPLE_SOURCE_DIR}/WireGuardKitGo
+        RESULT_VARIABLE WG_TVOS_BUILD_RESULT
+    )
+    if(NOT WG_TVOS_BUILD_RESULT EQUAL 0)
+        message(FATAL_ERROR "Failed to build tvOS WireGuard Go bridge (libwg-go.a)")
+    endif()
+endif()
+
 target_include_directories(networkextension PRIVATE ${CLIENT_ROOT_DIR})
 target_include_directories(networkextension PRIVATE ${CMAKE_CURRENT_BINARY_DIR})

-target_link_libraries(networkextension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/wireguard/ios/arm64/libwg-go.a)
-
-target_link_libraries(networkextension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/xray/HevSocks5Tunnel.xcframework)
+if(NOT AMNEZIA_IOS_APPLETV)
+    target_link_directories(networkextension PRIVATE
+        ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/wireguard/ios/arm64
+    )
+    target_link_libraries(networkextension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/wireguard/ios/arm64/libwg-go.a)
+    target_link_libraries(networkextension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/xray/HevSocks5Tunnel.xcframework)
+else()
+    target_link_directories(networkextension PRIVATE
+        ${WG_TVOS_LIB_DIR}
+    )
+    target_link_libraries(networkextension PRIVATE ${WG_TVOS_LIB_DIR}/libwg-go.a)
+endif()
@@ -16,7 +16,7 @@ set_target_properties(AmneziaVPNNetworkExtension PROPERTIES
    XCODE_ATTRIBUTE_PRODUCT_BUNDLE_NAME "${BUILD_IOS_APP_IDENTIFIER}.network-extension"
    XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS ${CMAKE_CURRENT_SOURCE_DIR}/AmneziaVPNNetworkExtension.entitlements
    XCODE_ATTRIBUTE_MARKETING_VERSION "${APP_MAJOR_VERSION}"
-    XCODE_ATTRIBUTE_CURRENT_PROJECT_VERSION "${CMAKE_PROJECT_VERSION_TWEAK}"
+    XCODE_ATTRIBUTE_CURRENT_PROJECT_VERSION "${BUILD_ID}"
    XCODE_ATTRIBUTE_PRODUCT_NAME "AmneziaVPNNetworkExtension"

    XCODE_ATTRIBUTE_APPLICATION_EXTENSION_API_ONLY "YES"
@@ -8,7 +8,7 @@
 	<string>AmneziaVPNNetworkExtension</string>

 	<key>CFBundleIdentifier</key>
-	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+	<string>org.amnezia.AmneziaVPN.network-extension</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
 	<key>CFBundleName</key>
@@ -16,9 +16,9 @@
 	<key>CFBundlePackageType</key>
 	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
 	<key>CFBundleShortVersionString</key>
-	<string>$(MARKETING_VERSION)</string>
+	<string>${APPLE_PROJECT_VERSION}</string>
 	<key>CFBundleVersion</key>
-	<string>$(CURRENT_PROJECT_VERSION)</string>
+	<string>${CMAKE_PROJECT_VERSION_TWEAK}</string>

 	<key>ITSAppUsesNonExemptEncryption</key>
 	<false/>
@@ -41,6 +41,6 @@
 	<string>group.org.amnezia.AmneziaVPN</string>

 	<key>com.wireguard.macos.app_group_id</key>
-	<string>$(DEVELOPMENT_TEAM).group.org.amnezia.AmneziaVPN</string>
+	<string>${BUILD_VPN_DEVELOPMENT_TEAM}.group.org.amnezia.AmneziaVPN</string>
 </dict>
 </plist>
@@ -12,11 +12,11 @@
    #include "Windows.h"
 #endif

-#if defined(Q_OS_IOS)
+#if defined(Q_OS_IOS) || defined(Q_OS_TVOS)
    #include "platforms/ios/QtAppDelegate-C-Interface.h"
 #endif

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
 bool isAnotherInstanceRunning()
 {
    QLocalSocket socket;
@@ -47,7 +47,7 @@ int main(int argc, char *argv[])
    AmneziaApplication app(argc, argv);
    OsSignalHandler::setup();

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
    if (isAnotherInstanceRunning()) {
        QTimer::singleShot(1000, &app, [&]() { app.quit(); });
        return app.exec();
@@ -270,7 +270,12 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) {
             && !wgConfig.value(amnezia::config_key::initPacketMagicHeader).isUndefined()
             && !wgConfig.value(amnezia::config_key::responsePacketMagicHeader).isUndefined()
             && !wgConfig.value(amnezia::config_key::underloadPacketMagicHeader).isUndefined()
-             && !wgConfig.value(amnezia::config_key::transportPacketMagicHeader).isUndefined()) {
+             && !wgConfig.value(amnezia::config_key::transportPacketMagicHeader).isUndefined()
+             && !wgConfig.value(amnezia::config_key::specialJunk1).isUndefined()
+             && !wgConfig.value(amnezia::config_key::specialJunk2).isUndefined()
+             && !wgConfig.value(amnezia::config_key::specialJunk3).isUndefined()
+             && !wgConfig.value(amnezia::config_key::specialJunk4).isUndefined()
+             && !wgConfig.value(amnezia::config_key::specialJunk5).isUndefined()) {
    json.insert(amnezia::config_key::junkPacketCount, wgConfig.value(amnezia::config_key::junkPacketCount));
    json.insert(amnezia::config_key::junkPacketMinSize, wgConfig.value(amnezia::config_key::junkPacketMinSize));
    json.insert(amnezia::config_key::junkPacketMaxSize, wgConfig.value(amnezia::config_key::junkPacketMaxSize));
@@ -72,9 +72,9 @@ void NetworkWatcher::initialize() {
  connect(m_impl, &NetworkWatcherImpl::unsecuredNetwork, this,
          &NetworkWatcher::unsecuredNetwork);
  connect(m_impl, &NetworkWatcherImpl::networkChanged, this,
-          &NetworkWatcher::networkChanged);
-  connect(m_impl, &NetworkWatcherImpl::wakeup, this,
-          &NetworkWatcher::wakeup);
+          &NetworkWatcher::networkChange);
+  connect(m_impl, &NetworkWatcherImpl::sleepMode, this,
+          &NetworkWatcher::onSleepMode);
  m_impl->initialize();

  // Enable sleep/wake monitoring for VPN auto-reconnection
@@ -97,6 +97,12 @@ void NetworkWatcher::settingsChanged() {
  logger.debug() << "NetworkWatcher settings changed - keeping sleep monitoring active";
 }

+void NetworkWatcher::onSleepMode()
+{
+  logger.debug() << "Resumed from sleep mode";
+  emit sleepMode();
+}
+
 void NetworkWatcher::unsecuredNetwork(const QString& networkName,
                                      const QString& networkId) {
  logger.debug() << "Unsecured network:" << logger.sensitive(networkName)
@@ -29,11 +29,13 @@ public:
    // false to restore.
    void simulateDisconnection(bool simulatedDisconnection);

+    void onSleepMode();
+
    QNetworkInformation::Reachability getReachability();

 signals:
-    void networkChanged();
-    void wakeup();
+    void networkChange();
+    void sleepMode();

 private:
    void settingsChanged();
@@ -41,7 +41,7 @@ signals:
    // TODO: Only windows-networkwatcher has this, the other plattforms should
    // too.
    void networkChanged(QString newBSSID);
-    void wakeup();
+    void sleepMode();


 private:
@@ -101,9 +101,7 @@ bool AndroidController::initialize()
        {"onAuthResult", "(Z)V", reinterpret_cast<void *>(onAuthResult)},
        {"decodeQrCode", "(Ljava/lang/String;)Z", reinterpret_cast<bool *>(decodeQrCode)},
        {"onImeInsetsChanged", "(I)V", reinterpret_cast<void *>(onImeInsetsChanged)},
-        {"onSystemBarsInsetsChanged", "(II)V", reinterpret_cast<void *>(onSystemBarsInsetsChanged)},
-        {"onActivityPaused", "()V", reinterpret_cast<void *>(onActivityPaused)},
-        {"onActivityResumed", "()V", reinterpret_cast<void *>(onActivityResumed)}
+        {"onSystemBarsInsetsChanged", "(II)V", reinterpret_cast<void *>(onSystemBarsInsetsChanged)}
    };

    QJniEnvironment env;
@@ -560,22 +558,3 @@ void AndroidController::onSystemBarsInsetsChanged(JNIEnv *env, jobject thiz, jin
    emit AndroidController::instance()->systemBarsInsetsChanged(navBarHeightDp, statusBarHeightDp);
 }

-// static
-void AndroidController::onActivityPaused(JNIEnv *env, jobject thiz)
-{
-    Q_UNUSED(env);
-    Q_UNUSED(thiz);
-
-    emit AndroidController::instance()->activityPaused();
-}
-
-// static
-void AndroidController::onActivityResumed(JNIEnv *env, jobject thiz)
-{
-    Q_UNUSED(env);
-    Q_UNUSED(thiz);
-
-    emit AndroidController::instance()->activityResumed();
-}
-
-
@@ -75,8 +75,6 @@ signals:
    void authenticationResult(bool result);
    void imeInsetsChanged(int heightDp);
    void systemBarsInsetsChanged(int navBarHeightDp, int statusBarHeightDp);
-    void activityPaused();
-    void activityResumed();

 private:
    bool isWaitingStatus = true;
@@ -107,8 +105,6 @@ private:
    static bool decodeQrCode(JNIEnv *env, jobject thiz, jstring data);
    static void onImeInsetsChanged(JNIEnv *env, jobject thiz, jint heightDp);
    static void onSystemBarsInsetsChanged(JNIEnv *env, jobject thiz, jint navBarHeightDp, jint statusBarHeightDp);
-    static void onActivityPaused(JNIEnv *env, jobject thiz);
-    static void onActivityResumed(JNIEnv *env, jobject thiz);

    template <typename Ret, typename ...Args>
    static auto callActivityMethod(const char *methodName, const char *signature, Args &&...args);
@@ -15,12 +15,6 @@ struct OpenVPNConfig: Decodable {

 extension PacketTunnelProvider {
    func startOpenVPN(completionHandler: @escaping (Error?) -> Void) {
-        // Reset session-derived state so reconnects never reuse stale gateway/address data.
-        openVpnGatewayAddress = nil
-        openVpnLocalAddress = nil
-        openVpnLocalMask = nil
-        lastOpenVPNSettings = nil
-
        guard let protocolConfiguration = self.protocolConfiguration as? NETunnelProviderProtocol,
              let providerConfiguration = protocolConfiguration.providerConfiguration,
              let openVPNConfigData = providerConfiguration[Constants.ovpnConfigKey] as? Data else {
@@ -31,25 +25,7 @@ extension PacketTunnelProvider {
        do {
            let openVPNConfig = try JSONDecoder().decode(OpenVPNConfig.self, from: openVPNConfigData)
            ovpnLog(.info, title: "config: ", message: openVPNConfig.str)
-            let wrapperPreview = String(decoding: openVPNConfigData.prefix(512), as: UTF8.self)
-            let ovpnPreview = String(openVPNConfig.config.prefix(512))
-            ovpnLog(.info, title: "config wrapper", message: "bytes=\(openVPNConfigData.count) preview=\(wrapperPreview)")
-            ovpnLog(.info, title: "config raw", message: "chars=\(openVPNConfig.config.count) preview=\(ovpnPreview)")
            let ovpnConfiguration = Data(openVPNConfig.config.utf8)
-            splitTunnelType = openVPNConfig.splitTunnelType
-            splitTunnelSites = openVPNConfig.splitTunnelSites
-            openVpnDnsServers = Self.extractDnsServers(from: openVPNConfig.config)
-            openVpnRemoteAddress = Self.extractRemoteHost(from: openVPNConfig.config)
-            openVpnRedirectGatewayDef1 = Self.hasRedirectGatewayDef1(in: openVPNConfig.config)
-            if let openVpnRemoteAddress {
-                ovpnLog(.info, title: "Remote", message: "host=\(openVpnRemoteAddress)")
-            }
-            if !openVpnDnsServers.isEmpty {
-                ovpnLog(.info, title: "DNS", message: "servers=\(openVpnDnsServers)")
-            }
-            if openVpnRedirectGatewayDef1 {
-                ovpnLog(.info, title: "IPv4Routes", message: "redirect-gateway def1 detected")
-            }
            setupAndlaunchOpenVPN(withConfig: ovpnConfiguration, completionHandler: completionHandler)
        } catch {
            ovpnLog(.error, message: "Can't parse OpenVPN config: \(error.localizedDescription)")
@@ -97,11 +73,6 @@ extension PacketTunnelProvider {
        let digestString = digest.map { String(format: "%02x", $0) }.joined()
        ovpnLog(.info, title: "ConfigDigest", message: digestString)

-        let hasCertTag = configString.contains("<cert>") && configString.contains("</cert>")
-        let hasKeyTag = configString.contains("<key>") && configString.contains("</key>")
-        let hasAuthUserPass = configString.contains("auth-user-pass")
-        ovpnLog(.info, title: "ConfigCreds", message: "inlineCert=\(hasCertTag) inlineKey=\(hasKeyTag) authUserPass=\(hasAuthUserPass)")
-
        let hasTlsAuthOpen = configString.contains("<tls-auth>")
        let hasTlsAuthClose = configString.contains("</tls-auth>")
        ovpnLog(.info, title: "ConfigFlags", message: "tls-auth open=\(hasTlsAuthOpen) close=\(hasTlsAuthClose)")
@@ -112,98 +83,27 @@ extension PacketTunnelProvider {
        ovpnLog(.debug, title: "ConfigHead", message: head)
        ovpnLog(.debug, title: "ConfigTail", message: tail)

-        if hasTlsAuthOpen && hasTlsAuthClose {
-            ovpnLog(.info, title: "TLSAuthSanitized", message: "preserve original tls-auth block")
+        if let start = configString.range(of: "<tls-auth>"),
+           let end = configString.range(of: "</tls-auth>", range: start.upperBound..<configString.endIndex) {
+            let keyBody = String(configString[start.upperBound..<end.lowerBound])
+            ovpnLog(.debug, title: "TLSAuthInline", message: keyBody)
+            let sanitizedLines = keyBody
+                .split(whereSeparator: { $0.isNewline })
+                .map { $0.trimmingCharacters(in: .whitespacesAndNewlines) }
+                .filter { !$0.isEmpty }
+                .filter { !$0.hasPrefix("#") }
+
+            let sanitizedKey = sanitizedLines.joined(separator: "\n")
+            ovpnLog(.debug, title: "TLSAuthSanitized", message: sanitizedKey)
+            let sanitizedBlock = "<tls-auth>\n\(sanitizedKey)\n</tls-auth>"
+            configString.replaceSubrange(start.lowerBound..<end.upperBound, with: sanitizedBlock)
        }

-        var normalizedConfig = configString.replacingOccurrences(of: "\r\n", with: "\n")
-        normalizedConfig = Self.normalizeInlineBlock(
-            in: normalizedConfig,
-            tag: "ca",
-            beginMarkers: ["-----BEGIN CERTIFICATE-----"],
-            endMarkers: ["-----END CERTIFICATE-----"]
-        )
-        normalizedConfig = Self.normalizeInlineBlock(
-            in: normalizedConfig,
-            tag: "cert",
-            beginMarkers: ["-----BEGIN CERTIFICATE-----"],
-            endMarkers: ["-----END CERTIFICATE-----"]
-        )
-        normalizedConfig = Self.normalizeInlineBlock(
-            in: normalizedConfig,
-            tag: "key",
-            beginMarkers: [
-                "-----BEGIN PRIVATE KEY-----",
-                "-----BEGIN RSA PRIVATE KEY-----",
-                "-----BEGIN EC PRIVATE KEY-----",
-                "-----BEGIN ENCRYPTED PRIVATE KEY-----"
-            ],
-            endMarkers: [
-                "-----END PRIVATE KEY-----",
-                "-----END RSA PRIVATE KEY-----",
-                "-----END EC PRIVATE KEY-----",
-                "-----END ENCRYPTED PRIVATE KEY-----"
-            ]
-        )
-        normalizedConfig = Self.normalizeInlineBlock(
-            in: normalizedConfig,
-            tag: "tls-auth",
-            beginMarkers: ["-----BEGIN OpenVPN Static key V1-----"],
-            endMarkers: ["-----END OpenVPN Static key V1-----"]
-        )
-        normalizedConfig = Self.stripUnsupportedOptions(forOpenVPNAdapter: normalizedConfig)
-        if !normalizedConfig.hasSuffix("\n") {
-            normalizedConfig.append("\n")
-        }
-        let normalizedLines = normalizedConfig.split(whereSeparator: \.isNewline)
-        let normalizedTail = normalizedLines.suffix(10).joined(separator: "\n")
-        ovpnLog(.debug, title: "ConfigTailSanitized", message: normalizedTail)
-        let redirectLines = normalizedLines
-            .map(String.init)
-            .filter { $0.lowercased().contains("redirect-gateway") }
-        if !redirectLines.isEmpty {
-            ovpnLog(.info, title: "ConfigRedirect", message: redirectLines.joined(separator: " | "))
-        }
-        let controlScalars = normalizedConfig.unicodeScalars.filter {
-            ($0.value < 0x20 && $0 != "\n" && $0 != "\r" && $0 != "\t")
-        }
-        if !controlScalars.isEmpty {
-            ovpnLog(.error, title: "ConfigChars", message: "nonPrintableControlCount=\(controlScalars.count)")
-        }
-#if os(macOS)
-        let dumpBaseURL = FileManager.default.urls(for: .cachesDirectory, in: .userDomainMask).first
-            ?? FileManager.default.temporaryDirectory
-        let dumpURL = dumpBaseURL.appendingPathComponent("amnezia_ovpn_adapter_config.conf")
-        do {
-            try normalizedConfig.write(to: dumpURL, atomically: true, encoding: .utf8)
-            ovpnLog(.info, title: "ConfigDump", message: "path=\(dumpURL.path) bytes=\(normalizedConfig.utf8.count)")
-        } catch {
-            ovpnLog(.error, title: "ConfigDump", message: "write failed: \(error.localizedDescription)")
-        }
-#endif
+        let normalizedConfig = configString.replacingOccurrences(of: "\r\n", with: "\n")
        let sanitizedData = Data(normalizedConfig.utf8)

        let configuration = OpenVPNConfiguration()
        configuration.fileContent = sanitizedData
-        // Be explicit: enum default is 0 (enabled), we need stubs-only behavior.
-        configuration.compressionMode = .disabled
-        // A-012: emulate OpenVPN2 CLI capability advertisement as closely as possible.
-        configuration.peerInfo = [
-            "IV_VER": "2.6.10",
-            "IV_PLAT": "mac",
-            "IV_TCPNL": "1",
-            "IV_MTU": "1600",
-            "IV_NCP": "2",
-            "IV_CIPHERS": "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305",
-            "IV_PROTO": "990",
-            "IV_LZO_STUB": "1",
-            "IV_COMP_STUB": "1",
-            "IV_COMP_STUBv2": "1"
-        ]
-        if let peerInfo = configuration.peerInfo {
-            let peerInfoSummary = peerInfo.keys.sorted().map { "\($0)=\(peerInfo[$0] ?? "")" }.joined(separator: " ")
-            ovpnLog(.info, title: "PeerInfoOverride", message: peerInfoSummary)
-        }
        if configString.contains("cloak") {
            configuration.setPTCloak()
        }
@@ -224,15 +124,11 @@ extension PacketTunnelProvider {
        if evaluation?.autologin == false {
            ovpnLog(.info, message: "Implement login with user credentials")
        }
-        if let evaluation {
-            ovpnLog(.info, title: "ConfigEval", message: "autologin=\(evaluation.autologin) externalPki=\(evaluation.externalPki)")
-        }

-#if !os(macOS)
        vpnReachability.startTracking { [weak self] status in
-            self?.handleOpenVPNReachabilityChange(status)
+            guard status == .reachableViaWiFi else { return }
+            self?.ovpnAdapter?.reconnect(afterTimeInterval: 5)
        }
-#endif

        startHandler = completionHandler
        ovpnAdapter?.connect(using: openVPNPacketFlow())
@@ -248,8 +144,6 @@ extension PacketTunnelProvider {
            return
        }

-        ovpnLog(.info, title: "Transport", message: "bytesIn=\(bytesin) bytesOut=\(bytesout)")
-
        let response: [String: Any] = [
            "rx_bytes": bytesin,
            "tx_bytes": bytesout
@@ -262,10 +156,6 @@ extension PacketTunnelProvider {
        ovpnLog(.info, message: "Stopping tunnel: reason: \(reason.amneziaDescription)")

        stopHandler = completionHandler
-        openVpnGatewayAddress = nil
-        openVpnLocalAddress = nil
-        openVpnLocalMask = nil
-        lastOpenVPNSettings = nil
        if vpnReachability.isTracking {
            vpnReachability.stopTracking()
        }
@@ -285,99 +175,11 @@ extension PacketTunnelProvider: OpenVPNAdapterDelegate {
        configureTunnelWithNetworkSettings networkSettings: NEPacketTunnelNetworkSettings?,
        completionHandler: @escaping (Error?) -> Void
    ) {
-        guard var effectiveSettings = networkSettings else {
-            ovpnLog(.info, title: "SetTunnelNetworkSettings", message: "nil settings; skipping update")
-            completionHandler(nil)
-            return
-        }
-        let splitType = splitTunnelType ?? 0
-
-        if let ipv4Settings = effectiveSettings.ipv4Settings {
-            openVpnLocalAddress = ipv4Settings.addresses.first
-            openVpnLocalMask = ipv4Settings.subnetMasks.first
-        }
-
-        let serverIP = openVPNAdapter.connectionInformation?.serverIP
-        let configRemote = openVpnRemoteAddress
-        let serverEndpoint: String? = {
-            if let ip = serverIP, Self.isIPv4Address(ip) { return ip }
-            if let ip = configRemote, Self.isIPv4Address(ip) { return ip }
-            return effectiveSettings.tunnelRemoteAddress
-        }()
-
-        if let serverEndpoint,
-           Self.isIPv4Address(serverEndpoint),
-           effectiveSettings.tunnelRemoteAddress != serverEndpoint {
-            let updatedSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: serverEndpoint)
-            updatedSettings.ipv4Settings = effectiveSettings.ipv4Settings
-            updatedSettings.ipv6Settings = effectiveSettings.ipv6Settings
-            updatedSettings.dnsSettings = effectiveSettings.dnsSettings
-            updatedSettings.proxySettings = effectiveSettings.proxySettings
-            updatedSettings.mtu = effectiveSettings.mtu
-            effectiveSettings = updatedSettings
-            ovpnLog(.info, title: "Remote", message: "tunnelRemoteAddress set to server=\(serverEndpoint)")
-        } else if let serverEndpoint, !Self.isIPv4Address(serverEndpoint) {
-            ovpnLog(.info, title: "Remote", message: "skip tunnelRemoteAddress override; non-ip serverEndpoint=\(serverEndpoint)")
-        }
-
        // In order to direct all DNS queries first to the VPN DNS servers before the primary DNS servers
        // send empty string to NEDNSSettings.matchDomains
-        if let dnsSettings = effectiveSettings.dnsSettings {
-            if dnsSettings.servers.isEmpty, !openVpnDnsServers.isEmpty {
-                let newSettings = NEDNSSettings(servers: openVpnDnsServers)
-                newSettings.matchDomains = dnsSettings.matchDomains
-                effectiveSettings.dnsSettings = newSettings
-            }
-        } else if !openVpnDnsServers.isEmpty {
-            let newSettings = NEDNSSettings(servers: openVpnDnsServers)
-            effectiveSettings.dnsSettings = newSettings
-        }
+        networkSettings?.dnsSettings?.matchDomains = [""]

-        effectiveSettings.dnsSettings?.matchDomains = [""]
-        if let dnsSettings = effectiveSettings.dnsSettings {
-            let servers = dnsSettings.servers.joined(separator: ",")
-            let domains = dnsSettings.matchDomains?.joined(separator: ",") ?? ""
-            ovpnLog(.info, title: "DNS", message: "servers=[\(servers)] matchDomains=[\(domains)]")
-        } else {
-            ovpnLog(.error, title: "DNS", message: "dnsSettings is nil")
-        }
-
-        let tunnelRemote = effectiveSettings.tunnelRemoteAddress
-        if !tunnelRemote.isEmpty {
-            ovpnLog(.info, title: "Remote", message: "tunnelRemoteAddress=\(tunnelRemote)")
-        } else if let remoteAddress = openVpnRemoteAddress {
-            ovpnLog(.info, title: "Remote", message: "tunnelRemoteAddress is empty, configRemote=\(remoteAddress)")
-        }
-
-        if let ipv4Settings = effectiveSettings.ipv4Settings {
-            let included = (ipv4Settings.includedRoutes ?? []).map { "\($0.destinationAddress)/\($0.destinationSubnetMask)" }
-            let excluded = (ipv4Settings.excludedRoutes ?? []).map { "\($0.destinationAddress)/\($0.destinationSubnetMask)" }
-            let addresses = ipv4Settings.addresses.joined(separator: ",")
-            let masks = ipv4Settings.subnetMasks.joined(separator: ",")
-            let router: String
-#if os(macOS)
-            if #available(macOS 13.0, *) {
-                router = ipv4Settings.router ?? ""
-            } else {
-                router = ""
-            }
-#else
-            router = ""
-#endif
-            ovpnLog(.info, title: "IPv4RoutesPre", message: "addresses=[\(addresses)] masks=[\(masks)] router=\(router) included=\(included) excluded=\(excluded)")
-        } else {
-            ovpnLog(.error, title: "IPv4RoutesPre", message: "ipv4Settings is nil")
-        }
-
-        if let ipv6Settings = effectiveSettings.ipv6Settings {
-            let included = (ipv6Settings.includedRoutes ?? []).map { "\($0.destinationAddress)/\($0.destinationNetworkPrefixLength)" }
-            let excluded = (ipv6Settings.excludedRoutes ?? []).map { "\($0.destinationAddress)/\($0.destinationNetworkPrefixLength)" }
-            let addresses = ipv6Settings.addresses.joined(separator: ",")
-            let prefixes = ipv6Settings.networkPrefixLengths.map { "\($0)" }.joined(separator: ",")
-            ovpnLog(.info, title: "IPv6RoutesPre", message: "addresses=[\(addresses)] prefixes=[\(prefixes)] included=\(included) excluded=\(excluded)")
-        }
-
-        if splitType == 1 {
+        if splitTunnelType == 1 {
            var ipv4IncludedRoutes = [NEIPv4Route]()

            guard let splitTunnelSites else {
@@ -393,8 +195,9 @@ extension PacketTunnelProvider: OpenVPNAdapterDelegate {
                }
            }

-            effectiveSettings.ipv4Settings?.includedRoutes = ipv4IncludedRoutes
-        } else if splitType == 2 {
+            networkSettings?.ipv4Settings?.includedRoutes = ipv4IncludedRoutes
+        } else {
+            if splitTunnelType == 2 {
                var ipv4ExcludedRoutes = [NEIPv4Route]()
                var ipv4IncludedRoutes = [NEIPv4Route]()
                var ipv6IncludedRoutes = [NEIPv6Route]()
@@ -422,418 +225,14 @@ extension PacketTunnelProvider: OpenVPNAdapterDelegate {
                        destinationAddress: "\(allIPv6.address)",
                        networkPrefixLength: NSNumber(value: allIPv6.networkPrefixLength)))
                }
-                effectiveSettings.ipv4Settings?.includedRoutes = ipv4IncludedRoutes
-                effectiveSettings.ipv6Settings?.includedRoutes = ipv6IncludedRoutes
-                effectiveSettings.ipv4Settings?.excludedRoutes = ipv4ExcludedRoutes
-        } else {
-            // Full tunnel: rely on adapter-provided routes.
-        }
-
-        if let serverEndpoint,
-           Self.isIPv4Address(serverEndpoint),
-           let ipv4Settings = effectiveSettings.ipv4Settings {
-            let hostMask = "255.255.255.255"
-            var excluded = ipv4Settings.excludedRoutes ?? []
-            let alreadyExcluded = excluded.contains {
-                $0.destinationAddress == serverEndpoint && $0.destinationSubnetMask == hostMask
-            }
-            if !alreadyExcluded {
-                excluded.append(NEIPv4Route(destinationAddress: serverEndpoint, subnetMask: hostMask))
-                ipv4Settings.excludedRoutes = excluded
-                ovpnLog(.info, title: "IPv4Routes", message: "excluded remoteAddress=\(serverEndpoint)")
-            }
-        } else if let serverEndpoint {
-            ovpnLog(.info, title: "IPv4Routes", message: "skip explicit remote exclude; non-ip server=\(serverEndpoint)")
-        }
-
-        let localAddr = openVpnLocalAddress
-        var net30Gateway: String?
-        if let localAddr, let mask = openVpnLocalMask {
-            net30Gateway = Self.net30Peer(for: localAddr, mask: mask)
-        }
-        var gateway = net30Gateway
-        if let adapterGateway = openVPNAdapter.connectionInformation?.gatewayIPv4, !adapterGateway.isEmpty {
-            if let localAddr, adapterGateway == localAddr {
-                ovpnLog(.info, title: "IPv4Gateway", message: "ignore adapter gateway equal to local address=\(adapterGateway)")
-            } else if let net30Gateway, net30Gateway != adapterGateway {
-                ovpnLog(.info, title: "IPv4Gateway", message: "ignore mismatched adapter gateway=\(adapterGateway), using net30 peer=\(net30Gateway)")
-            } else {
-                gateway = adapterGateway
+                networkSettings?.ipv4Settings?.includedRoutes = ipv4IncludedRoutes
+                networkSettings?.ipv6Settings?.includedRoutes = ipv6IncludedRoutes
+                networkSettings?.ipv4Settings?.excludedRoutes = ipv4ExcludedRoutes
            }
        }

-        openVpnGatewayAddress = gateway
-        if let gateway, !gateway.isEmpty {
-            ovpnLog(.info, title: "IPv4Gateway", message: "gateway=\(gateway)")
-        }
-#if os(macOS)
-        if splitType == 0, let gateway, !gateway.isEmpty, effectiveSettings.tunnelRemoteAddress != gateway {
-            let updatedSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: gateway)
-            updatedSettings.ipv4Settings = effectiveSettings.ipv4Settings
-            updatedSettings.ipv6Settings = effectiveSettings.ipv6Settings
-            updatedSettings.dnsSettings = effectiveSettings.dnsSettings
-            updatedSettings.proxySettings = effectiveSettings.proxySettings
-            updatedSettings.mtu = effectiveSettings.mtu
-            effectiveSettings = updatedSettings
-            ovpnLog(.info, title: "Remote", message: "tunnelRemoteAddress set to gateway=\(gateway) on macOS full-tunnel")
-        }
-#endif
-#if os(macOS)
-        if var ipv4Settings = effectiveSettings.ipv4Settings {
-            if splitType == 0 {
-                let hasNet30Mask = ipv4Settings.subnetMasks.contains("255.255.255.252")
-                if hasNet30Mask {
-                    let normalizedMasks = Array(repeating: "255.255.255.255",
-                                                count: ipv4Settings.subnetMasks.count)
-                    let normalized = NEIPv4Settings(addresses: ipv4Settings.addresses,
-                                                    subnetMasks: normalizedMasks)
-                    normalized.includedRoutes = ipv4Settings.includedRoutes
-                    normalized.excludedRoutes = ipv4Settings.excludedRoutes
-                    if #available(macOS 13.0, *) {
-                        normalized.router = ipv4Settings.router
-                    }
-                    ipv4Settings = normalized
-                    ovpnLog(.info, title: "IPv4Routes", message: "normalized net30 /30 masks to /32 on macOS full-tunnel")
-                }
-
-                if let gateway, !gateway.isEmpty {
-                    if #available(macOS 13.0, *) {
-                        ipv4Settings.router = gateway
-                        ovpnLog(.info, title: "IPv4Routes", message: "set ipv4 router=\(gateway) on macOS full-tunnel")
-                    }
-                }
-
-                var included = ipv4Settings.includedRoutes ?? []
-                let hasDefault = included.contains {
-                    $0.destinationAddress == "0.0.0.0" && $0.destinationSubnetMask == "0.0.0.0"
-                }
-                if hasDefault {
-                    included.removeAll {
-                        $0.destinationAddress == "0.0.0.0" && $0.destinationSubnetMask == "0.0.0.0"
-                    }
-                }
-                let hasDef1Low = included.contains {
-                    $0.destinationAddress == "0.0.0.0" && $0.destinationSubnetMask == "128.0.0.0"
-                }
-                let hasDef1High = included.contains {
-                    $0.destinationAddress == "128.0.0.0" && $0.destinationSubnetMask == "128.0.0.0"
-                }
-                if (hasDefault || openVpnRedirectGatewayDef1) && !(hasDef1Low && hasDef1High) {
-                    if !hasDef1Low {
-                        let route = NEIPv4Route(destinationAddress: "0.0.0.0", subnetMask: "128.0.0.0")
-                        if let gateway, !gateway.isEmpty {
-                            route.gatewayAddress = gateway
-                        }
-                        included.append(route)
-                    }
-                    if !hasDef1High {
-                        let route = NEIPv4Route(destinationAddress: "128.0.0.0", subnetMask: "128.0.0.0")
-                        if let gateway, !gateway.isEmpty {
-                            route.gatewayAddress = gateway
-                        }
-                        included.append(route)
-                    }
-                    ovpnLog(.info, title: "IPv4Routes", message: "ensured def1 routes (/1 + /1) on macOS full-tunnel")
-                }
-                if let gateway, !gateway.isEmpty {
-                    included = included.map { route in
-                        let isDef1 =
-                            (route.destinationAddress == "0.0.0.0" && route.destinationSubnetMask == "128.0.0.0") ||
-                            (route.destinationAddress == "128.0.0.0" && route.destinationSubnetMask == "128.0.0.0")
-                        guard isDef1 else { return route }
-                        if route.gatewayAddress == gateway {
-                            return route
-                        }
-                        let updatedRoute = NEIPv4Route(destinationAddress: route.destinationAddress,
-                                                       subnetMask: route.destinationSubnetMask)
-                        updatedRoute.gatewayAddress = gateway
-                        return updatedRoute
-                    }
-                    ovpnLog(.info, title: "IPv4Routes", message: "set gateway=\(gateway) on macOS def1 routes")
-                }
-                ipv4Settings.includedRoutes = included
-                effectiveSettings.ipv4Settings = ipv4Settings
-            }
-        }
-#endif
-        if let ipv4Settings = effectiveSettings.ipv4Settings {
-            let included = (ipv4Settings.includedRoutes ?? []).map {
-                let gw = $0.gatewayAddress ?? ""
-                return "\($0.destinationAddress)/\($0.destinationSubnetMask) gw=\(gw)"
-            }
-            let excluded = (ipv4Settings.excludedRoutes ?? []).map { "\($0.destinationAddress)/\($0.destinationSubnetMask)" }
-            let addresses = ipv4Settings.addresses.joined(separator: ",")
-            let masks = ipv4Settings.subnetMasks.joined(separator: ",")
-            let router: String
-#if os(macOS)
-            if #available(macOS 13.0, *) {
-                router = ipv4Settings.router ?? ""
-            } else {
-                router = ""
-            }
-#else
-            router = ""
-#endif
-            ovpnLog(.info, title: "IPv4Routes", message: "addresses=[\(addresses)] masks=[\(masks)] router=\(router) included=\(included) excluded=\(excluded)")
-        } else {
-            ovpnLog(.error, title: "IPv4Routes", message: "ipv4Settings is nil")
-        }
-
-        if let ipv6Settings = effectiveSettings.ipv6Settings {
-            let included = (ipv6Settings.includedRoutes ?? []).map { "\($0.destinationAddress)/\($0.destinationNetworkPrefixLength)" }
-            let excluded = (ipv6Settings.excludedRoutes ?? []).map { "\($0.destinationAddress)/\($0.destinationNetworkPrefixLength)" }
-            let addresses = ipv6Settings.addresses.joined(separator: ",")
-            let prefixes = ipv6Settings.networkPrefixLengths.map { "\($0)" }.joined(separator: ",")
-            ovpnLog(.info, title: "IPv6Routes", message: "addresses=[\(addresses)] prefixes=[\(prefixes)] included=\(included) excluded=\(excluded)")
-        }
-#if os(macOS)
-        if effectiveSettings.ipv6Settings != nil {
-            effectiveSettings.ipv6Settings = nil
-            ovpnLog(.info, title: "IPv6", message: "cleared ipv6Settings on macOS")
-        }
-#endif
-
-        lastOpenVPNSettings = effectiveSettings
-
        // Set the network settings for the current tunneling session.
-        setTunnelNetworkSettings(effectiveSettings) { error in
-            if let error {
-                ovpnLog(.error, title: "SetTunnelNetworkSettings", message: error.localizedDescription)
-            } else {
-                ovpnLog(.info, title: "SetTunnelNetworkSettings", message: "ok")
-            }
-            completionHandler(error)
-        }
-    }
-
-    private static func extractDnsServers(from config: String) -> [String] {
-        let lines = config.split(whereSeparator: \.isNewline)
-        var servers: [String] = []
-        for line in lines {
-            let trimmed = line.trimmingCharacters(in: .whitespacesAndNewlines)
-            if trimmed.hasPrefix("dhcp-option DNS ") {
-                let parts = trimmed.split(separator: " ")
-                if let last = parts.last {
-                    servers.append(String(last))
-                }
-            }
-        }
-        return servers
-    }
-
-    private static func extractRemoteHost(from config: String) -> String? {
-        let lines = config.split(whereSeparator: \.isNewline)
-        for line in lines {
-            let trimmed = line.trimmingCharacters(in: .whitespacesAndNewlines)
-            if trimmed.hasPrefix("remote ") {
-                let parts = trimmed.split(separator: " ")
-                if parts.count >= 2 {
-                    return String(parts[1])
-                }
-            }
-        }
-        return nil
-    }
-
-    private static func hasRedirectGatewayDef1(in config: String) -> Bool {
-        let lines = config.split(whereSeparator: \.isNewline)
-        for line in lines {
-            let trimmed = line.trimmingCharacters(in: .whitespacesAndNewlines)
-            if trimmed.hasPrefix("redirect-gateway") {
-                return trimmed.split(whereSeparator: { $0 == " " || $0 == "\t" }).contains("def1")
-            }
-        }
-        return false
-    }
-
-    private static func net30Peer(for address: String, mask: String) -> String? {
-        guard mask == "255.255.255.252" else { return nil }
-        let parts = address.split(separator: ".")
-        guard parts.count == 4 else { return nil }
-        var octets: [Int] = []
-        for part in parts {
-            guard let num = Int(part), num >= 0 && num <= 255 else { return nil }
-            octets.append(num)
-        }
-        let ip = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
-        let network = ip & ~3
-        let host = ip - network
-        let peerHost: Int
-        switch host {
-        case 1: peerHost = 2
-        case 2: peerHost = 1
-        default: return nil
-        }
-        let peerIP = network + peerHost
-        return "\((peerIP >> 24) & 0xff).\((peerIP >> 16) & 0xff).\((peerIP >> 8) & 0xff).\(peerIP & 0xff)"
-    }
-
-    private func logOpenVPNConnectionInfo() {
-        guard let info = ovpnAdapter?.connectionInformation else { return }
-        let message = "vpnIPv4=\(info.vpnIPv4 ?? "") gatewayIPv4=\(info.gatewayIPv4 ?? "") serverIP=\(info.serverIP ?? "") tun=\(info.tunName ?? "")"
-        ovpnLog(.info, title: "ConnInfo", message: message)
-    }
-
-    private static func normalizeInlineBlock(
-        in config: String,
-        tag: String,
-        beginMarkers: [String],
-        endMarkers: [String]
-    ) -> String {
-        guard !beginMarkers.isEmpty, !endMarkers.isEmpty else { return config }
-
-        var normalizedConfig = config
-        let openTag = "<\(tag)>"
-        let closeTag = "</\(tag)>"
-        var searchStart = normalizedConfig.startIndex
-
-        while let openRange = normalizedConfig.range(of: openTag, range: searchStart..<normalizedConfig.endIndex),
-              let closeRange = normalizedConfig.range(of: closeTag, range: openRange.upperBound..<normalizedConfig.endIndex) {
-            let rawBody = String(normalizedConfig[openRange.upperBound..<closeRange.lowerBound])
-            let lines = rawBody
-                .split(whereSeparator: \.isNewline)
-                .map { $0.trimmingCharacters(in: .whitespacesAndNewlines) }
-                .filter { !$0.isEmpty }
-
-            var beginIndex: Int?
-            var endIndex: Int?
-            for (idx, line) in lines.enumerated() {
-                if beginIndex == nil,
-                   beginMarkers.contains(where: { line.contains($0) }) {
-                    beginIndex = idx
-                }
-                if beginIndex != nil,
-                   endMarkers.contains(where: { line.contains($0) }) {
-                    endIndex = idx
-                }
-            }
-
-            if let beginIndex,
-               let endIndex,
-               endIndex >= beginIndex {
-                let extracted = lines[beginIndex...endIndex].joined(separator: "\n")
-                let replacement = "<\(tag)>\n\(extracted)\n</\(tag)>"
-                normalizedConfig.replaceSubrange(openRange.lowerBound..<closeRange.upperBound, with: replacement)
-                ovpnLog(.info, title: "ConfigInline", message: "tag=<\(tag)> linesIn=\(lines.count) linesOut=\(endIndex - beginIndex + 1)")
-                searchStart = normalizedConfig.index(openRange.lowerBound, offsetBy: replacement.count)
-            } else {
-                ovpnLog(.error, title: "ConfigInline", message: "tag=<\(tag)> missing markers, keeping original body")
-                searchStart = closeRange.upperBound
-            }
-        }
-
-        return normalizedConfig
-    }
-
-
-    private static func stripUnsupportedOptions(forOpenVPNAdapter config: String) -> String {
-        let unsupportedTokens: Set<String> = [
-            "block-ipv6",
-            "script-security",
-            "up",
-            "down",
-            "resolv-retry",
-            "persist-key",
-            "persist-tun",
-            "compat-mode",
-            "disable-dco"
-        ]
-        let inlineBlockTags: Set<String> = [
-            "ca",
-            "cert",
-            "key",
-            "pkcs12",
-            "tls-auth",
-            "tls-crypt",
-            "tls-crypt-v2",
-            "secret",
-            "crl-verify",
-            "extra-certs"
-        ]
-
-        var removed: [String: Int] = [:]
-        var normalized: [String: Int] = [:]
-        var output: [String] = []
-        var activeInlineTag: String?
-
-        for rawLine in config.split(whereSeparator: \.isNewline) {
-            let line = String(rawLine)
-            let trimmed = line.trimmingCharacters(in: .whitespacesAndNewlines)
-            if trimmed.isEmpty {
-                output.append(line)
-                continue
-            }
-
-            let trimmedLowercased = trimmed.lowercased()
-
-            if let currentInlineTag = activeInlineTag {
-                output.append(line)
-                if trimmedLowercased == "</\(currentInlineTag)>" {
-                    activeInlineTag = nil
-                }
-                continue
-            }
-
-            if trimmedLowercased.hasPrefix("<"),
-               trimmedLowercased.hasSuffix(">"),
-               !trimmedLowercased.hasPrefix("</") {
-                let tagContent = String(trimmedLowercased.dropFirst().dropLast())
-                let tagName = tagContent
-                    .split(whereSeparator: { $0 == " " || $0 == "\t" })
-                    .first
-                    .map(String.init) ?? ""
-                if inlineBlockTags.contains(tagName) {
-                    activeInlineTag = tagName
-                    output.append(line)
-                    continue
-                }
-            }
-
-            if trimmed.hasPrefix("#") || trimmed.hasPrefix(";") {
-                output.append(line)
-                continue
-            }
-
-            let parts = trimmed.split(whereSeparator: { $0 == " " || $0 == "\t" })
-            let token = parts.first.map(String.init)?.lowercased() ?? ""
-            if trimmedLowercased.hasPrefix("redirect-gateway") || token.hasPrefix("redirect-gateway") {
-                let hasDef1 = parts.dropFirst().contains { String($0).lowercased().hasPrefix("def1") }
-                if hasDef1 {
-                    output.append("redirect-gateway def1")
-                    normalized["redirect-gateway", default: 0] += 1
-                } else {
-                    removed["redirect-gateway", default: 0] += 1
-                }
-                continue
-            }
-
-            if let matchedUnsupported = unsupportedTokens.first(where: { token.hasPrefix($0) }) {
-                removed[matchedUnsupported, default: 0] += 1
-                continue
-            }
-
-            output.append(line)
-        }
-
-        if !removed.isEmpty {
-            let summary = removed.keys.sorted().map { "\($0)=\(removed[$0] ?? 0)" }.joined(separator: " ")
-            ovpnLog(.info, title: "ConfigStrip", message: summary)
-        }
-        if !normalized.isEmpty {
-            let summary = normalized.keys.sorted().map { "\($0)=\(normalized[$0] ?? 0)" }.joined(separator: " ")
-            ovpnLog(.info, title: "ConfigNormalize", message: summary)
-        }
-
-        return output.joined(separator: "\n")
-    }
-
-    private static func isIPv4Address(_ value: String) -> Bool {
-        let parts = value.split(separator: ".")
-        if parts.count != 4 { return false }
-        for part in parts {
-            guard let num = Int(part), num >= 0 && num <= 255 else { return false }
-        }
-        return true
+        setTunnelNetworkSettings(networkSettings, completionHandler: completionHandler)
    }

    // Process events returned by the OpenVPN library
@@ -851,9 +250,6 @@ extension PacketTunnelProvider: OpenVPNAdapterDelegate {

                startHandler(nil)
                self.startHandler = nil
-
-                logOpenVPNConnectionInfo()
-                refreshOpenVPNSettingsAfterConnect()
            case .disconnected:
                guard let stopHandler = stopHandler else { return }

@@ -896,41 +292,4 @@ extension PacketTunnelProvider: OpenVPNAdapterDelegate {
        // Handle log messages
        ovpnLog(.info, message: logMessage)
    }
-
-    func openVPNAdapterDidReceiveClockTick(_ openVPNAdapter: OpenVPNAdapter) {
-        let now = Date()
-        if now.timeIntervalSince(lastOpenVPNStatsLogTime) < 5 {
-            return
-        }
-        lastOpenVPNStatsLogTime = now
-
-        let transport = openVPNAdapter.transportStatistics
-        let iface = openVPNAdapter.interfaceStatistics
-        let transportLine = "transport bytesIn=\(transport.bytesIn) bytesOut=\(transport.bytesOut) packetsIn=\(transport.packetsIn) packetsOut=\(transport.packetsOut)"
-        let ifaceLine = "iface bytesIn=\(iface.bytesIn) bytesOut=\(iface.bytesOut) packetsIn=\(iface.packetsIn) packetsOut=\(iface.packetsOut) errorsIn=\(iface.errorsIn) errorsOut=\(iface.errorsOut)"
-        ovpnLog(.info, title: "Stats", message: "\(transportLine) | \(ifaceLine)")
-    }
-
-    private func refreshOpenVPNSettingsAfterConnect() {
-        let localAddr = openVpnLocalAddress
-        var net30Gateway: String?
-        if let localAddr, let mask = openVpnLocalMask {
-            net30Gateway = Self.net30Peer(for: localAddr, mask: mask)
-        }
-        var gateway = net30Gateway
-        if let adapterGateway = ovpnAdapter?.connectionInformation?.gatewayIPv4, !adapterGateway.isEmpty {
-            if let localAddr, adapterGateway == localAddr {
-                ovpnLog(.info, title: "IPv4Gateway", message: "post-connect ignoring adapter gateway equal to local address=\(adapterGateway)")
-            } else if let net30Gateway, net30Gateway != adapterGateway {
-                ovpnLog(.info, title: "IPv4Gateway", message: "post-connect keeping net30 peer=\(net30Gateway), adapter gateway=\(adapterGateway)")
-            } else {
-                gateway = adapterGateway
-            }
-        }
-
-        guard let gateway, !gateway.isEmpty else { return }
-        openVpnGatewayAddress = gateway
-        ovpnLog(.info, title: "IPv4Gateway", message: "post-connect gateway=\(gateway)")
-    }
-
 }
@@ -1,4 +1,3 @@
-import Darwin
 import Foundation
 import NetworkExtension

@@ -7,7 +6,6 @@ enum XrayErrors: Error {
    case xrayConfigIsWrong
    case cantSaveXrayConfig
    case cantParseListenAndPort
-    case cantAcquireLocalPort
    case cantSaveHevSocksConfig
 }

@@ -23,80 +21,6 @@ extension Constants {
 }

 extension PacketTunnelProvider {
-    /// TCP port chosen by the OS on IPv6 loopback (::1), matching inbound listen address.
-    private func acquireFreeLocalPort() throws -> Int {
-        let fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP)
-        guard fd != -1 else {
-            throw XrayErrors.cantAcquireLocalPort
-        }
-        defer { close(fd) }
-        var reuse: Int32 = 1
-        _ = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuse, socklen_t(MemoryLayout<Int32>.size))
-        var addr = sockaddr_in6()
-        addr.sin6_len = UInt8(MemoryLayout<sockaddr_in6>.size)
-        addr.sin6_family = sa_family_t(AF_INET6)
-        addr.sin6_port = in_port_t(0).bigEndian
-        addr.sin6_addr = in6addr_loopback
-        addr.sin6_scope_id = 0
-        let bindResult = withUnsafePointer(to: &addr) { ptr in
-            ptr.withMemoryRebound(to: sockaddr.self, capacity: 1) { p in
-                bind(fd, p, socklen_t(MemoryLayout<sockaddr_in6>.size))
-            }
-        }
-        guard bindResult == 0 else {
-            throw XrayErrors.cantAcquireLocalPort
-        }
-        var bound = sockaddr_in6()
-        var len = socklen_t(MemoryLayout<sockaddr_in6>.size)
-        let gr = withUnsafeMutablePointer(to: &bound) { p in
-            p.withMemoryRebound(to: sockaddr.self, capacity: 1) { bp in
-                getsockname(fd, bp, &len)
-            }
-        }
-        guard gr == 0 else {
-            throw XrayErrors.cantAcquireLocalPort
-        }
-        return Int(bound.sin6_port.byteSwapped)
-    }
-
-    private func applyXraySplitTunnel(_ xrayConfig: XrayConfig,
-                                      settings: NEPacketTunnelNetworkSettings) {
-        guard let splitTunnelType = xrayConfig.splitTunnelType else {
-            return
-        }
-
-        guard let splitTunnelSites = xrayConfig.splitTunnelSites else {
-            xrayLog(.error, message: "Split tunnel sites are not set")
-            return
-        }
-
-        if splitTunnelType == 1 {
-            var ipv4IncludedRoutes = [NEIPv4Route]()
-
-            for allowedIPString in splitTunnelSites {
-                if let allowedIP = IPAddressRange(from: allowedIPString) {
-                    ipv4IncludedRoutes.append(NEIPv4Route(
-                        destinationAddress: "\(allowedIP.address)",
-                        subnetMask: "\(allowedIP.subnetMask())"))
-                }
-            }
-
-            settings.ipv4Settings?.includedRoutes = ipv4IncludedRoutes
-        } else if splitTunnelType == 2 {
-            var ipv4ExcludedRoutes = [NEIPv4Route]()
-
-            for excludedIPString in splitTunnelSites {
-                if let excludedIP = IPAddressRange(from: excludedIPString) {
-                    ipv4ExcludedRoutes.append(NEIPv4Route(
-                        destinationAddress: "\(excludedIP.address)",
-                        subnetMask: "\(excludedIP.subnetMask())"))
-                }
-            }
-
-            settings.ipv4Settings?.excludedRoutes = ipv4ExcludedRoutes
-        }
-    }
-
    func startXray(completionHandler: @escaping (Error?) -> Void) {

        // Xray configuration
@@ -148,7 +72,6 @@ extension PacketTunnelProvider {
            settings.dnsSettings = !dnsArray.isEmpty
            ? NEDNSSettings(servers: dnsArray)
            : NEDNSSettings(servers: ["1.1.1.1"])
-            applyXraySplitTunnel(xrayConfig, settings: settings)

            let xrayConfigData = xrayConfig.config.data(using: .utf8)

@@ -167,11 +90,14 @@ extension PacketTunnelProvider {
                return
            }

-            let port = try acquireFreeLocalPort()
+            let port = 10808
            let address = "::1"

-            // Extract existing SOCKS5 credentials or generate new ones per session.
-            let socksCredentials = ensureInboundAuth(jsonDict: &jsonDict, port: port, address: address)
+            if var inboundsArray = jsonDict["inbounds"] as? [[String: Any]], !inboundsArray.isEmpty {
+                inboundsArray[0]["port"] = port
+                inboundsArray[0]["listen"] = address
+                jsonDict["inbounds"] = inboundsArray
+            }

            let updatedData = try JSONSerialization.data(withJSONObject: jsonDict, options: [])

@@ -194,8 +120,6 @@ extension PacketTunnelProvider {
                    self?.setupAndRunTun2socks(configData: updatedData,
                                               address: address,
                                               port: port,
-                                               username: socksCredentials.username,
-                                               password: socksCredentials.password,
                                               completionHandler: completionHandler)
                }
            }
@@ -220,62 +144,6 @@ extension PacketTunnelProvider {
        }
    }

-    private struct SocksCredentials {
-        let username: String
-        let password: String
-    }
-
-    private func indexOfSocksInbound(in inboundsArray: [[String: Any]]) -> Int? {
-        for (i, inbound) in inboundsArray.enumerated() {
-            guard let proto = inbound["protocol"] as? String else { continue }
-            if proto.caseInsensitiveCompare("socks") == .orderedSame {
-                return i
-            }
-        }
-        return nil
-    }
-
-    // Returns existing SOCKS5 credentials from the inbound config, or generates and injects
-    // new random ones. Also sets port and address on the socks inbound entry.
-    private func ensureInboundAuth(jsonDict: inout [String: Any], port: Int, address: String) -> SocksCredentials {
-        var inboundsArray = jsonDict["inbounds"] as? [[String: Any]] ?? []
-
-        if let socksIdx = indexOfSocksInbound(in: inboundsArray) {
-            var inbound = inboundsArray[socksIdx]
-            inbound["port"] = port
-            inbound["listen"] = address
-
-            var settings = inbound["settings"] as? [String: Any] ?? [:]
-            if let accounts = settings["accounts"] as? [[String: Any]],
-               let first = accounts.first,
-               let user = first["user"] as? String, !user.isEmpty,
-               let pass = first["pass"] as? String, !pass.isEmpty {
-                // Re-use existing credentials, but always enforce auth mode in case the
-                // imported config had accounts but auth: "noauth" (or no auth field).
-                settings["auth"] = "password"
-                inbound["settings"] = settings
-                inboundsArray[socksIdx] = inbound
-                jsonDict["inbounds"] = inboundsArray
-                return SocksCredentials(username: user, password: pass)
-            }
-
-            // Generate new random credentials for this session
-            let user = UUID().uuidString.replacingOccurrences(of: "-", with: "").lowercased().prefix(16)
-            let pass = UUID().uuidString.replacingOccurrences(of: "-", with: "").lowercased()
-            settings["auth"] = "password"
-            settings["accounts"] = [["user": String(user), "pass": pass]]
-            inbound["settings"] = settings
-            inboundsArray[socksIdx] = inbound
-            jsonDict["inbounds"] = inboundsArray
-            return SocksCredentials(username: String(user), password: pass)
-        }
-
-        // Fallback: no socks inbound — generate credentials but can't inject
-        let user = UUID().uuidString.replacingOccurrences(of: "-", with: "").lowercased().prefix(16)
-        let pass = UUID().uuidString.replacingOccurrences(of: "-", with: "").lowercased()
-        return SocksCredentials(username: String(user), password: pass)
-    }
-
    private func setupAndStartXray(configData: Data,
                                   completionHandler: @escaping (Error?) -> Void) {
        let path = Constants.cachesDirectory.appendingPathComponent("config.json", isDirectory: false).path
@@ -307,8 +175,6 @@ extension PacketTunnelProvider {
    private func setupAndRunTun2socks(configData: Data,
                                      address: String,
                                      port: Int,
-                                      username: String,
-                                      password: String,
                                      completionHandler: @escaping (Error?) -> Void) {
        let config = """
        tunnel:
@@ -316,8 +182,6 @@ extension PacketTunnelProvider {
        socks5:
          port: \(port)
          address: \(address)
-          username: \(username)
-          password: \(password)
          udp: 'udp'
        misc:
          task-stack-size: 20480
@@ -3,7 +3,9 @@ import NetworkExtension
 import Network
 import os
 import Darwin
+#if !os(tvOS)
 import OpenVPNAdapter
+#endif

 enum TunnelProtoType: String {
  case wireguard, openvpn, xray
@@ -38,31 +40,22 @@ struct Constants {

 class PacketTunnelProvider: NEPacketTunnelProvider {
    var wgAdapter: WireGuardAdapter?
+#if !os(tvOS)
    var ovpnAdapter: OpenVPNAdapter?
    private lazy var openVPNPacketFlowAdapter = PacketTunnelFlowAdapter(flow: packetFlow)
+#endif
    private let pathMonitorQueue = DispatchQueue(label: Constants.processQueueName + ".path-monitor")
-    private let networkChangeQueue = DispatchQueue(label: Constants.processQueueName + ".network-change")
    private let pathMonitor = NWPathMonitor()
    private var didReceiveInitialPathUpdate = false
    private var currentPath: Network.NWPath?
    private var currentPathSignature: String?
-    private var pendingOpenVPNReconnectWorkItem: DispatchWorkItem?
-    private var pendingNetworkChangeWorkItem: DispatchWorkItem?
-    private var isApplyingNetworkChange = false
-    private var lastOpenVPNReachabilityStatus: OpenVPNReachabilityStatus?

    var splitTunnelType: Int?
    var splitTunnelSites: [String]?
-    var openVpnDnsServers: [String] = []
-    var openVpnRemoteAddress: String?
-    var openVpnRedirectGatewayDef1 = false
-    var openVpnLocalAddress: String?
-    var openVpnLocalMask: String?
-    var openVpnGatewayAddress: String?
-    var lastOpenVPNSettings: NEPacketTunnelNetworkSettings?
-    var lastOpenVPNStatsLogTime = Date.distantPast

+#if !os(tvOS)
    let vpnReachability = OpenVPNReachability()
+#endif

    var startHandler: ((Error?) -> Void)?
    var stopHandler: (() -> Void)?
@@ -70,9 +63,11 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
    
    var activeIfaceIdx: UInt32 = 0

+#if !os(tvOS)
    func openVPNPacketFlow() -> OpenVPNAdapterPacketFlow {
        openVPNPacketFlowAdapter
    }
+#endif

    override init() {
        super.init()
@@ -91,22 +86,14 @@ class PacketTunnelProvider: NEPacketTunnelProvider {

            guard hasMeaningfulChange, let proto = self.protoType else { return }

-            // WireGuard/AWG and OpenVPN manages network changes internally in its own adapter.
-            if proto == .wireguard || proto == .openvpn {
+            // WireGuard/AWG manages network changes internally; avoid restarting the tunnel here.
+            if proto == .wireguard {
                return
            }

-            if proto == .openvpn {
-                self.scheduleOpenVPNReconnect(reason: "NWPath changed")
-                return
+            DispatchQueue.main.async {
+                self.handle(networkChange: path) { _ in }
            }
-
-            if self.isApplyingNetworkChange || self.reasserting {
-                xrayLog(.debug, message: "Ignoring path change while xray restart is in progress")
-                return
-            }
-
-            self.scheduleNetworkChangeHandling(for: proto, path: path)
        }
        pathMonitor.start(queue: pathMonitorQueue)

@@ -200,26 +187,9 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
        let errorNotifier = ErrorNotifier(activationAttemptId: activationAttemptId)

        neLog(.info, message: "Start tunnel")
-        if let vpnProto = protocolConfiguration as? NEVPNProtocol {
-            if #available(iOS 14.0, macOS 11.0, *) {
-                var details = "includeAllNetworks=\(vpnProto.includeAllNetworks)"
-                if #available(iOS 14.2, macOS 11.0, *) {
-                    details += " excludeLocalNetworks=\(vpnProto.excludeLocalNetworks)"
-                }
-                neLog(.info, title: "Protocol", message: details)
-            }
-        }

        if let protocolConfiguration = protocolConfiguration as? NETunnelProviderProtocol {
            let providerConfiguration = protocolConfiguration.providerConfiguration
-            let providerKeys = providerConfiguration?.keys.sorted().joined(separator: ",") ?? ""
-            var protocolDetails = "bundleId=\(protocolConfiguration.providerBundleIdentifier ?? "") keys=[\(providerKeys)]"
-            if let ovpnData = providerConfiguration?[Constants.ovpnConfigKey] as? Data {
-                let preview = String(decoding: ovpnData.prefix(512), as: UTF8.self)
-                protocolDetails += " ovpnBytes=\(ovpnData.count) ovpnPreview=\(preview)"
-            }
-            neLog(.info, title: "Protocol", message: protocolDetails)
-
            if (providerConfiguration?[Constants.ovpnConfigKey] as? Data) != nil {
                protoType = .openvpn
            } else if (providerConfiguration?[Constants.wireGuardConfigKey] as? Data) != nil {
@@ -235,8 +205,6 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
            return
        }

-        cancelPendingOpenVPNReconnect()
-        cancelPendingNetworkChangeHandling()
        didReceiveInitialPathUpdate = false
        updateActiveInterfaceIndexForCurrentPath()

@@ -246,18 +214,27 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
                           errorNotifier: errorNotifier,
                           completionHandler: completionHandler)
        case .openvpn:
+#if os(tvOS)
+            completionHandler(NSError(domain: "org.amnezia.ne",
+                                      code: -1002,
+                                      userInfo: [NSLocalizedDescriptionKey: "OpenVPN backend is not available for tvOS in this build"]))
+#else
            startOpenVPN(completionHandler: completionHandler)
+#endif
        case .xray:
+#if os(tvOS)
+            completionHandler(NSError(domain: "org.amnezia.ne",
+                                      code: -1003,
+                                      userInfo: [NSLocalizedDescriptionKey: "Xray backend is not available for tvOS in this build"]))
+#else
            startXray(completionHandler: completionHandler)
+#endif

        }
    }

  
    override func stopTunnel(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
-        cancelPendingOpenVPNReconnect()
-        cancelPendingNetworkChangeHandling()
-
        guard let protoType else {
            completionHandler()
            return
@@ -268,10 +245,18 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
            stopWireguard(with: reason,
                          completionHandler: completionHandler)
        case .openvpn:
+#if os(tvOS)
+            completionHandler()
+#else
            stopOpenVPN(with: reason,
                        completionHandler: completionHandler)
+#endif
        case .xray:
+#if os(tvOS)
+            completionHandler()
+#else
            stopXray(completionHandler: completionHandler)
+#endif
        }
    }
  
@@ -285,7 +270,11 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
        case .wireguard:
            handleWireguardStatusMessage(messageData, completionHandler: completionHandler)
        case .openvpn:
+#if !os(tvOS)
            handleOpenVPNStatusMessage(messageData, completionHandler: completionHandler)
+#else
+            completionHandler?(nil)
+#endif
        case .xray:
            break;
        }
@@ -302,111 +291,9 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
    }
  
    private func handle(networkChange changePath: Network.NWPath, completion: @escaping (Error?) -> Void) {
-        guard protoType == .xray else {
-            updateActiveInterfaceIndex(for: changePath)
-            completion(nil)
-            return
-        }
-
        updateActiveInterfaceIndex(for: changePath)
-        reasserting = true
-        xrayLog(.info, message: "Applying network change to xray tunnel")
-        stopXray { }
-        startXray { [weak self] error in
-            self?.reasserting = false
-            completion(error)
-        }
-    }
-
-    private func scheduleNetworkChangeHandling(for proto: TunnelProtoType, path: Network.NWPath) {
-        guard proto == .xray else { return }
-
-        pendingNetworkChangeWorkItem?.cancel()
-
-        let workItem = DispatchWorkItem { [weak self] in
-            guard let self else { return }
-            self.pendingNetworkChangeWorkItem = nil
-
-            if self.isApplyingNetworkChange || self.reasserting {
-                xrayLog(.debug, message: "Skipping network change while restart is already in progress")
-                return
-            }
-
-            self.isApplyingNetworkChange = true
-            DispatchQueue.main.async {
-                self.handle(networkChange: path) { [weak self] _ in
-                    self?.networkChangeQueue.async {
-                        self?.isApplyingNetworkChange = false
-                    }
-                }
-            }
-        }
-
-        pendingNetworkChangeWorkItem = workItem
-        networkChangeQueue.asyncAfter(deadline: .now() + 1.0, execute: workItem)
-    }
-
-    private func scheduleOpenVPNReconnect(reason: String) {
-        guard protoType == .openvpn else { return }
-
-        pendingOpenVPNReconnectWorkItem?.cancel()
-
-        let workItem = DispatchWorkItem { [weak self] in
-            guard let self else { return }
-            self.pendingOpenVPNReconnectWorkItem = nil
-
-            guard self.protoType == .openvpn else { return }
-
-            if self.reasserting {
-                ovpnLog(.debug, message: "Skipping OpenVPN reconnect while session is already reasserting")
-                return
-            }
-
-            DispatchQueue.main.async { [weak self] in
-                guard let self else { return }
-                guard !self.reasserting else {
-                    ovpnLog(.debug, message: "Skipping OpenVPN reconnect while session is already reasserting")
-                    return
-                }
-
-                ovpnLog(.info, message: "\(reason), reconnecting OpenVPN session")
-                self.ovpnAdapter?.reconnect(afterTimeInterval: 1)
-            }
-        }
-
-        pendingOpenVPNReconnectWorkItem = workItem
-        networkChangeQueue.asyncAfter(deadline: .now() + 1.0, execute: workItem)
-    }
-
-    func handleOpenVPNReachabilityChange(_ status: OpenVPNReachabilityStatus) {
-        defer { lastOpenVPNReachabilityStatus = status }
-
-        guard let previousStatus = lastOpenVPNReachabilityStatus else {
-            return
-        }
-
-        guard previousStatus != status else {
-            return
-        }
-
-        switch status {
-        case .reachableViaWiFi, .reachableViaWWAN:
-            scheduleOpenVPNReconnect(reason: "Reachability changed")
-        default:
-            break
-        }
-    }
-
-    private func cancelPendingOpenVPNReconnect() {
-        pendingOpenVPNReconnectWorkItem?.cancel()
-        pendingOpenVPNReconnectWorkItem = nil
-        lastOpenVPNReachabilityStatus = nil
-    }
-
-    private func cancelPendingNetworkChangeHandling() {
-        pendingNetworkChangeWorkItem?.cancel()
-        pendingNetworkChangeWorkItem = nil
-        isApplyingNetworkChange = false
+        neLog(.info, message: "Tunnel restarted.")
+        startTunnel(options: nil, completionHandler: completion)
    }
 }

@@ -416,14 +303,8 @@ private extension PacketTunnelProvider {
        signatureComponents.append(path.isExpensive ? "exp" : "noexp")
        signatureComponents.append(path.isConstrained ? "con" : "nocon")

-        // Ignore loopback and tunnel-style `.other` interfaces so Xray does not
-        // react to its own utun lifecycle as if the physical uplink changed.
-        let preferredTypes: [NWInterface.InterfaceType] = [.wiredEthernet, .wifi, .cellular]
-        let externalInterfaces = path.availableInterfaces.filter { interface in
-            interface.type == .wiredEthernet || interface.type == .wifi || interface.type == .cellular
-        }
-
-        let sortedInterfaces = externalInterfaces.sorted { lhs, rhs in
+        let preferredTypes: [NWInterface.InterfaceType] = [.wiredEthernet, .wifi, .cellular, .loopback, .other]
+        let sortedInterfaces = path.availableInterfaces.sorted { lhs, rhs in
            if lhs.type == rhs.type {
                return lhs.index < rhs.index
            }
@@ -444,8 +325,8 @@ private extension PacketTunnelProvider {
            case .wiredEthernet: typeName = "ethernet"
            case .wifi: typeName = "wifi"
            case .cellular: typeName = "cellular"
-            case .loopback, .other:
-                continue
+            case .loopback: typeName = "loopback"
+            case .other: typeName = "other"
            @unknown default: typeName = "unknown"
            }
            signatureComponents.append("\(typeName):\(interface.index)")
@@ -462,20 +343,19 @@ private extension PacketTunnelProvider {
 }

 extension WireGuardLogLevel {
-  var osLogLevel: OSLogType {
-    switch self {
-    case .verbose:
-      return .debug
-    case .error:
-      return .error
+    var osLogLevel: OSLogType {
+        switch self {
+        case .verbose:
+            return .debug
+        case .error:
+            return .error
+        }
    }
-  }
 }

+#if !os(tvOS)
 final class PacketTunnelFlowAdapter: NSObject, OpenVPNAdapterPacketFlow {
  private let flow: NEPacketTunnelFlow
-  private var readLogCounter = 0
-  private var writeLogCounter = 0

  init(flow: NEPacketTunnelFlow) {
    self.flow = flow
@@ -484,97 +364,15 @@ final class PacketTunnelFlowAdapter: NSObject, OpenVPNAdapterPacketFlow {

  @objc(readPacketsWithCompletionHandler:)
  func readPackets(completionHandler: @escaping ([Data], [NSNumber]) -> Void) {
-    flow.readPackets { packets, protocols in
-#if os(macOS)
-      if self.readLogCounter < 20, let firstPacket = packets.first, let firstProtocol = protocols.first {
-        let prefix = firstPacket.prefix(12).map { String(format: "%02x", $0) }.joined()
-        let header = Self.describePacketHeader(firstPacket)
-        ovpnLog(.info, title: "FlowRead", message: "count=\(packets.count) proto0=\(firstProtocol) len0=\(firstPacket.count) prefix=\(prefix) \(header)")
-        self.readLogCounter += 1
-      }
-#endif
-      completionHandler(packets, protocols)
-    }
+    flow.readPackets(completionHandler: completionHandler)
  }

  @objc(writePackets:withProtocols:)
  func writePackets(_ packets: [Data], withProtocols protocols: [NSNumber]) -> Bool {
-#if os(macOS)
-    if writeLogCounter < 20, let firstPacket = packets.first, let firstProtocol = protocols.first {
-      let prefix = firstPacket.prefix(12).map { String(format: "%02x", $0) }.joined()
-      let header = Self.describePacketHeader(firstPacket)
-      ovpnLog(.info, title: "FlowWrite", message: "count=\(packets.count) proto0=\(firstProtocol) len0=\(firstPacket.count) prefix=\(prefix) \(header)")
-      writeLogCounter += 1
-    }
-#endif
-    return flow.writePackets(packets, withProtocols: protocols)
-  }
-
-  private static func describePacketHeader(_ packet: Data) -> String {
-    guard let versionNibble = packet.first.map({ Int($0 >> 4) }) else {
-      return "ip=unknown"
-    }
-
-    if versionNibble == 4, packet.count >= 20 {
-      let ihl = Int(packet[0] & 0x0f) * 4
-      guard ihl >= 20, packet.count >= ihl else {
-        return "ip=ipv4 malformed"
-      }
-
-      let proto = packet[9]
-      let src = "\(packet[12]).\(packet[13]).\(packet[14]).\(packet[15])"
-      let dst = "\(packet[16]).\(packet[17]).\(packet[18]).\(packet[19])"
-      let l4Offset = ihl
-      let ports: String
-      if (proto == 6 || proto == 17) && packet.count >= l4Offset + 4 {
-        let srcPort = (UInt16(packet[l4Offset]) << 8) | UInt16(packet[l4Offset + 1])
-        let dstPort = (UInt16(packet[l4Offset + 2]) << 8) | UInt16(packet[l4Offset + 3])
-        ports = "sport=\(srcPort) dport=\(dstPort)"
-      } else {
-        ports = "sport=- dport=-"
-      }
-      let protoName: String
-      switch proto {
-      case 1: protoName = "ICMP"
-      case 6: protoName = "TCP"
-      case 17: protoName = "UDP"
-      default: protoName = "P\(proto)"
-      }
-      return "ip=ipv4 src=\(src) dst=\(dst) proto=\(protoName) \(ports)"
-    }
-
-    if versionNibble == 6, packet.count >= 40 {
-      let proto = packet[6]
-      func hex16(_ start: Int) -> String {
-        let value = (UInt16(packet[start]) << 8) | UInt16(packet[start + 1])
-        return String(format: "%x", value)
-      }
-      let src = stride(from: 8, to: 24, by: 2).map(hex16).joined(separator: ":")
-      let dst = stride(from: 24, to: 40, by: 2).map(hex16).joined(separator: ":")
-      let l4Offset = 40
-      let ports: String
-      if (proto == 6 || proto == 17) && packet.count >= l4Offset + 4 {
-        let srcPort = (UInt16(packet[l4Offset]) << 8) | UInt16(packet[l4Offset + 1])
-        let dstPort = (UInt16(packet[l4Offset + 2]) << 8) | UInt16(packet[l4Offset + 3])
-        ports = "sport=\(srcPort) dport=\(dstPort)"
-      } else {
-        ports = "sport=- dport=-"
-      }
-      let protoName: String
-      switch proto {
-      case 58: protoName = "ICMPv6"
-      case 6: protoName = "TCP"
-      case 17: protoName = "UDP"
-      default: protoName = "P\(proto)"
-      }
-      return "ip=ipv6 src=\(src) dst=\(dst) proto=\(protoName) \(ports)"
-    }
-
-    return "ip=v\(versionNibble) len=\(packet.count)"
+    flow.writePackets(packets, withProtocols: protocols)
  }
 }
-
-extension NEPacketTunnelFlow: OpenVPNAdapterPacketFlow {}
+#endif

 extension NEProviderStopReason {
  var amneziaDescription: String {
@@ -1,4 +1,4 @@
-#if !MACOS_NE
+#if !MACOS_NE && !TARGET_OS_TV
 #include "QRCodeReaderBase.h"

 #import <UIKit/UIKit.h>
@@ -1,178 +0,0 @@
-import Foundation
-import StoreKit
-
-@available(iOS 15.0, macOS 12.0, *)
-@objcMembers
-public class StoreKit2Helper: NSObject {
-
-    public static let shared = StoreKit2Helper()
-    private static let errorDomain = "StoreKit2Helper"
-
-    private struct EntitlementInfo {
-        let transactionId: UInt64
-        let originalTransactionId: UInt64
-        let productId: String
-        let purchaseDate: Date
-
-        var dictionary: NSDictionary {
-            [
-                "transactionId": String(transactionId),
-                "originalTransactionId": String(originalTransactionId),
-                "productId": productId
-            ]
-        }
-    }
-
-    public func fetchCurrentEntitlements(completion: @escaping (Bool, [NSDictionary]?, NSError?) -> Void) {
-        Task { @MainActor in
-            do {
-                try await AppStore.sync()
-
-                var entitlements: [EntitlementInfo] = []
-                for await result in Transaction.currentEntitlements {
-                    switch result {
-                    case .verified(let transaction):
-                        entitlements.append(EntitlementInfo(transactionId: transaction.id,
-                                                            originalTransactionId: transaction.originalID,
-                                                            productId: transaction.productID,
-                                                            purchaseDate: transaction.purchaseDate))
-                    case .unverified(_, let error):
-                        print("[IAP][StoreKit2] Unverified transaction skipped: \(error.localizedDescription)")
-                    }
-                }
-                let sortedEntitlements = entitlements.sorted { lhs, rhs in
-                    if lhs.purchaseDate != rhs.purchaseDate {
-                        return lhs.purchaseDate > rhs.purchaseDate
-                    }
-                    return lhs.transactionId > rhs.transactionId
-                }.map { $0.dictionary }
-                completion(true, sortedEntitlements, nil)
-            } catch {
-                completion(false, nil, error as NSError)
-            }
-        }
-    }
-
-    public func purchaseProduct(productIdentifier: String, completion: @escaping (Bool, String?, String?, String?, NSError?) -> Void) {
-        Task {
-            do {
-                let products = try await Product.products(for: [productIdentifier])
-                guard let product = products.first else {
-                    completePurchase(completion: completion, success: false, transactionId: nil, productId: nil, originalTransactionId: nil,
-                                     error: makeError(code: 0, description: "Product not found"))
-                    return
-                }
-                let result = try await product.purchase()
-                switch result {
-                case .success(let verification):
-                    switch verification {
-                    case .verified(let transaction):
-                        await transaction.finish()
-                        completePurchase(completion: completion, success: true, transactionId: String(transaction.id),
-                                         productId: transaction.productID, originalTransactionId: String(transaction.originalID), error: nil)
-                    case .unverified(_, let error):
-                        completePurchase(completion: completion, success: false, transactionId: nil, productId: nil, originalTransactionId: nil,
-                                         error: error as NSError)
-                    }
-                case .userCancelled:
-                    completePurchase(completion: completion, success: false, transactionId: nil, productId: nil, originalTransactionId: nil,
-                                     error: makeError(code: 1, description: "Purchase cancelled"))
-                case .pending:
-                    completePurchase(completion: completion, success: false, transactionId: nil, productId: nil, originalTransactionId: nil,
-                                     error: makeError(code: 2, description: "Purchase pending"))
-                @unknown default:
-                    completePurchase(completion: completion, success: false, transactionId: nil, productId: nil, originalTransactionId: nil,
-                                     error: makeError(code: 3, description: "Unknown purchase result"))
-                }
-            } catch {
-                completePurchase(completion: completion, success: false, transactionId: nil, productId: nil, originalTransactionId: nil,
-                                 error: error as NSError)
-            }
-        }
-    }
-
-    private func storefrontCurrencyCode(for product: Product) -> String {
-        product.priceFormatStyle.locale.currencyCode ?? ""
-    }
-
-    private func subscriptionBillingMonths(_ period: Product.SubscriptionPeriod) -> Double {
-        let periodValue = Double(period.value)
-        switch period.unit {
-        case .day:
-            return periodValue / 30.0
-        case .week:
-            return periodValue * 7.0 / 30.0
-        case .month:
-            return periodValue
-        case .year:
-            return periodValue * 12.0
-        @unknown default:
-            return periodValue
-        }
-    }
-
-    public func fetchProducts(identifiers: Set<String>, completion: @escaping ([NSDictionary], [String], NSError?) -> Void) {
-        Task {
-            do {
-                let products = try await Product.products(for: identifiers)
-                let productDicts = products.map { product in productDictionary(for: product) }
-                let fetchedIds = Set(products.map { $0.id })
-                let invalidIdentifiers = identifiers.filter { !fetchedIds.contains($0) }
-                DispatchQueue.main.async { completion(productDicts, Array(invalidIdentifiers), nil) }
-            } catch {
-                DispatchQueue.main.async { completion([], Array(identifiers), error as NSError) }
-            }
-        }
-    }
-
-    private func makeError(code: Int, description: String) -> NSError {
-        NSError(domain: Self.errorDomain, code: code, userInfo: [NSLocalizedDescriptionKey: description])
-    }
-
-    private func completePurchase(completion: @escaping (Bool, String?, String?, String?, NSError?) -> Void,
-                                  success: Bool,
-                                  transactionId: String?,
-                                  productId: String?,
-                                  originalTransactionId: String?,
-                                  error: NSError?) {
-        DispatchQueue.main.async {
-            completion(success, transactionId, productId, originalTransactionId, error)
-        }
-    }
-
-    private func productDictionary(for product: Product) -> NSDictionary {
-        let currencyCode = storefrontCurrencyCode(for: product)
-        var productData: [String: Any] = [
-            "productId": product.id,
-            "title": product.displayName,
-            "description": product.description,
-            "price": "\(product.price)",
-            "displayPrice": product.displayPrice,
-            "currencyCode": currencyCode,
-            "priceAmount": NSDecimalNumber(decimal: product.price).doubleValue
-        ]
-        if let subscription = product.subscription {
-            let billingMonths = subscriptionBillingMonths(subscription.subscriptionPeriod)
-            productData["subscriptionBillingMonths"] = billingMonths
-            if let perMonthPrice = displayPricePerMonth(for: product, billingMonths: billingMonths, currencyCode: currencyCode) {
-                productData["displayPricePerMonth"] = perMonthPrice
-            }
-        }
-        return productData as NSDictionary
-    }
-
-    private func displayPricePerMonth(for product: Product, billingMonths: Double, currencyCode: String) -> String? {
-        if billingMonths <= 1e-6 {
-            return nil
-        }
-
-        let perMonthPrice = product.price / Decimal(billingMonths)
-        let formatter = NumberFormatter()
-        formatter.numberStyle = .currency
-        formatter.locale = product.priceFormatStyle.locale
-        if !currencyCode.isEmpty {
-            formatter.currencyCode = currencyCode
-        }
-        return formatter.string(from: NSDecimalNumber(decimal: perMonthPrice))
-    }
-}
@@ -4,20 +4,27 @@

 #import "StoreKitController.h"
 #import <StoreKit/StoreKit.h>
-#import <AmneziaVPN-Swift.h>

 #include <QtCore/QDebug>
 #include <QtCore/QString>

-namespace
-{
-QString toQString(NSString *value)
-{
-    return QString::fromUtf8((value ?: @"").UTF8String);
-}
-}
-
 API_AVAILABLE(ios(15.0), macos(12.0))
+@interface StoreKitController () <SKProductsRequestDelegate, SKPaymentTransactionObserver>
+@property (nonatomic, copy) void (^purchaseCompletion)(BOOL success,
+                                                       NSString *_Nullable transactionId,
+                                                       NSString *_Nullable productId,
+                                                       NSString *_Nullable originalTransactionId,
+                                                       NSError *_Nullable error);
+@property (nonatomic, copy) void (^restoreCompletion)(BOOL success,
+                                                      NSArray<NSDictionary *> *_Nullable restoredTransactions,
+                                                      NSError *_Nullable error);
+@property (nonatomic, copy) void (^productsFetchCompletion)(NSArray<NSDictionary *> *products,
+                                                            NSArray<NSString *> *invalidIdentifiers,
+                                                            NSError *_Nullable error);
+@property (nonatomic, strong) SKProductsRequest *productsRequest;
+@property (nonatomic, strong) NSMutableArray<NSDictionary *> *restoredTransactions;
+@end
+
@implementation StoreKitController

 + (instancetype)sharedInstance
@@ -35,9 +42,17 @@ API_AVAILABLE(ios(15.0), macos(12.0))
 - (instancetype)init API_AVAILABLE(ios(15.0), macos(12.0))
 {
    self = [super init];
+    if (self) {
+        [[SKPaymentQueue defaultQueue] addTransactionObserver:self];
+    }
    return self;
 }

+- (void)dealloc
+{
+    [[SKPaymentQueue defaultQueue] removeTransactionObserver:self];
+}
+
 - (void)purchaseProduct:(NSString *)productIdentifier
             completion:(void (^)(BOOL success,
                                  NSString *_Nullable transactionId,
@@ -45,48 +60,41 @@ API_AVAILABLE(ios(15.0), macos(12.0))
                                  NSString *_Nullable originalTransactionId,
                                  NSError *_Nullable error))completion API_AVAILABLE(ios(15.0), macos(12.0))
 {
-    qInfo().noquote() << "[IAP][StoreKit2] Starting purchase for" << QString::fromUtf8(productIdentifier.UTF8String);
-    [[StoreKit2Helper shared] purchaseProductWithProductIdentifier:productIdentifier
-                                                      completion:^(BOOL success,
-                                                                   NSString *transactionId,
-                                                                   NSString *productId,
-                                                                   NSString *originalTransactionId,
-                                                                   NSError *error) {
-        if (success) {
-            qInfo().noquote() << "[IAP][StoreKit2] Purchase success. transactionId =" << toQString(transactionId)
-                              << "originalTransactionId =" << toQString(originalTransactionId) << "productId =" << toQString(productId);
-        } else if (error) {
-            qWarning().noquote() << "[IAP][StoreKit2] Purchase failed:" << toQString(error.localizedDescription);
+    self.purchaseCompletion = completion;
+    
+    qInfo().noquote() << "[IAP][StoreKit] Starting purchase for" << QString::fromUtf8(productIdentifier.UTF8String);
+    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+        [self performPurchaseAsync:productIdentifier];
+    });
+}
+
+- (void)performPurchaseAsync:(NSString *)productIdentifier API_AVAILABLE(ios(15.0), macos(12.0))
+{
+    dispatch_async(dispatch_get_main_queue(), ^{
+        @try {
+            SKProductsRequest *request = [[SKProductsRequest alloc] initWithProductIdentifiers:[NSSet setWithObject:productIdentifier]];
+            request.delegate = self;
+            [request start];
+            
+        } @catch (NSException *exception) {
+            NSError *error = [NSError errorWithDomain:@"StoreKitController"
+                                                 code:1
+                                             userInfo:@{ NSLocalizedDescriptionKey : exception.reason ?: @"Purchase failed" }];
+            if (self.purchaseCompletion) {
+                self.purchaseCompletion(NO, nil, nil, nil, error);
+                self.purchaseCompletion = nil;
+            }
        }
-        if (completion) {
-            completion(success, transactionId, productId, originalTransactionId, error);
-        }
-    }];
+    });
 }

 - (void)restorePurchasesWithCompletion:(void (^)(BOOL success,
                                                 NSArray<NSDictionary *> *_Nullable restoredTransactions,
                                                 NSError *_Nullable error))completion API_AVAILABLE(ios(15.0), macos(12.0))
 {
-    [[StoreKit2Helper shared] fetchCurrentEntitlementsWithCompletion:^(BOOL success,
-                                                                      NSArray<NSDictionary *> *entitlements,
-                                                                      NSError *error) {
-        if (success) {
-            qInfo().noquote() << "[IAP][StoreKit2] currentEntitlements returned"
-                              << (int)(entitlements ? entitlements.count : 0) << "active entitlements";
-            for (NSDictionary *entitlement in entitlements) {
-                qInfo().noquote() << "[IAP][StoreKit2] Active entitlement:"
-                                  << "transactionId=" << toQString(entitlement[@"transactionId"])
-                                  << "originalTransactionId=" << toQString(entitlement[@"originalTransactionId"])
-                                  << "productId=" << toQString(entitlement[@"productId"]);
-            }
-        } else {
-            qWarning().noquote() << "[IAP][StoreKit2] fetchCurrentEntitlements failed:" << toQString(error.localizedDescription);
-        }
-        if (completion) {
-            completion(success, entitlements, error);
-        }
-    }];
+    self.restoreCompletion = completion;
+    self.restoredTransactions = [NSMutableArray array];
+    [[SKPaymentQueue defaultQueue] restoreCompletedTransactions];
 }

 - (void)fetchProductsWithIdentifiers:(NSSet<NSString *> *)productIdentifiers
@@ -94,21 +102,163 @@ API_AVAILABLE(ios(15.0), macos(12.0))
                                               NSArray<NSString *> *invalidIdentifiers,
                                               NSError *_Nullable error))completion API_AVAILABLE(ios(15.0), macos(12.0))
 {
-    [[StoreKit2Helper shared] fetchProductsWithIdentifiers:productIdentifiers
-                                               completion:^(NSArray<NSDictionary *> *products,
-                                                            NSArray<NSString *> *invalidIdentifiers,
-                                                            NSError *error) {
-        if (!error) {
-            for (NSDictionary *productInfo in products) {
-                qInfo().noquote() << "[IAP][StoreKit2] Fetched product info" << toQString(productInfo[@"productId"])
-                                  << "price=" << toQString(productInfo[@"price"])
-                                  << "currency=" << toQString(productInfo[@"currencyCode"]);
+    self.productsFetchCompletion = completion;
+    self.productsRequest = [[SKProductsRequest alloc] initWithProductIdentifiers:productIdentifiers];
+    self.productsRequest.delegate = self;
+    [self.productsRequest start];
+}
+
+#pragma mark - SKProductsRequestDelegate / SKRequestDelegate
+
+- (void)productsRequest:(SKProductsRequest *)request didReceiveResponse:(SKProductsResponse *)response
+{
+    if (self.purchaseCompletion) {
+        SKProduct *product = response.products.firstObject;
+        if (!product) {
+            NSError *error = [NSError errorWithDomain:@"StoreKitController"
+                                                 code:0
+                                             userInfo:@{ NSLocalizedDescriptionKey : @"Product not found" }];
+            self.purchaseCompletion(NO, nil, nil, nil, error);
+            self.purchaseCompletion = nil;
+            self.productsRequest = nil;
+            return;
+        }
+        NSString *currencyCode = [product.priceLocale objectForKey:NSLocaleCurrencyCode] ?: @"";
+        NSString *priceString = [product.price stringValue] ?: @"";
+        qInfo().noquote() << "[IAP][StoreKit] Received product" << QString::fromUtf8(product.productIdentifier.UTF8String)
+                          << "price=" << QString::fromUtf8(priceString.UTF8String)
+                          << "currency=" << QString::fromUtf8(currencyCode.UTF8String);
+        SKPayment *payment = [SKPayment paymentWithProduct:product];
+        [[SKPaymentQueue defaultQueue] addPayment:payment];
+        self.productsRequest = nil;
+        return;
+    }
+
+    if (self.productsFetchCompletion) {
+        NSMutableArray<NSDictionary *> *productDicts = [NSMutableArray array];
+        for (SKProduct *p in response.products) {
+            NSDictionary *productDict = @{
+                @"productId": p.productIdentifier,
+                @"title": p.localizedTitle,
+                @"description": p.localizedDescription,
+                @"price": p.price.stringValue,
+                @"currencyCode": [p.priceLocale objectForKey:NSLocaleCurrencyCode] ?: @""
+            };
+            [productDicts addObject:productDict];
+            NSString *productCurrency = [p.priceLocale objectForKey:NSLocaleCurrencyCode] ?: @"";
+            NSString *productPrice = [p.price stringValue] ?: @"";
+            qInfo().noquote() << "[IAP][StoreKit] Fetched product info" << QString::fromUtf8(p.productIdentifier.UTF8String)
+                              << "price=" << QString::fromUtf8(productPrice.UTF8String)
+                              << "currency=" << QString::fromUtf8(productCurrency.UTF8String);
+        }
+        
+        self.productsFetchCompletion(productDicts, response.invalidProductIdentifiers, nil);
+        self.productsFetchCompletion = nil;
+        self.productsRequest = nil;
+        return;
+    }
+}
+
+- (void)request:(SKRequest *)request didFailWithError:(NSError *)error
+{
+    if (self.purchaseCompletion) {
+        self.purchaseCompletion(NO, nil, nil, nil, error);
+        self.purchaseCompletion = nil;
+    }
+    if (self.productsFetchCompletion) {
+        self.productsFetchCompletion(@[], @[], error);
+        self.productsFetchCompletion = nil;
+    }
+    self.productsRequest = nil;
+}
+
+#pragma mark - SKPaymentTransactionObserver
+
+- (void)paymentQueue:(SKPaymentQueue *)queue updatedTransactions:(NSArray<SKPaymentTransaction *> *)transactions
+{
+    for (SKPaymentTransaction *transaction in transactions) {
+        switch (transaction.transactionState) {
+        case SKPaymentTransactionStatePurchased: {
+            NSString *originalTransactionId = transaction.originalTransaction.transactionIdentifier ?: transaction.transactionIdentifier;
+            qInfo().noquote() << "[IAP][StoreKit] Transaction purchased" << QString::fromUtf8(transaction.transactionIdentifier.UTF8String)
+                              << "original=" << QString::fromUtf8((originalTransactionId ?: @"").UTF8String)
+                              << "product=" << QString::fromUtf8(transaction.payment.productIdentifier.UTF8String);
+            
+            if (self.purchaseCompletion) {
+                self.purchaseCompletion(YES,
+                                       transaction.transactionIdentifier,
+                                       transaction.payment.productIdentifier,
+                                       originalTransactionId,
+                                       nil);
+                self.purchaseCompletion = nil;
            }
+            [[SKPaymentQueue defaultQueue] finishTransaction:transaction];
+            break;
        }
-        if (completion) {
-            completion(products ?: @[], invalidIdentifiers ?: @[], error);
+        case SKPaymentTransactionStateFailed:
+            qInfo().noquote() << "[IAP][StoreKit] Transaction failed" << QString::fromUtf8(transaction.transactionIdentifier.UTF8String)
+                              << "product=" << QString::fromUtf8(transaction.payment.productIdentifier.UTF8String)
+                              << "error=" << QString::fromUtf8(transaction.error.localizedDescription.UTF8String);
+            if (self.purchaseCompletion) {
+                self.purchaseCompletion(NO,
+                                       transaction.transactionIdentifier,
+                                       transaction.payment.productIdentifier,
+                                       nil,
+                                       transaction.error);
+                self.purchaseCompletion = nil;
+            }
+            [[SKPaymentQueue defaultQueue] finishTransaction:transaction];
+            break;
+        case SKPaymentTransactionStateRestored: {
+            if (self.restoreCompletion) {
+                NSString *transactionId = transaction.transactionIdentifier ?: @"";
+                NSString *originalTransactionId = transaction.originalTransaction.transactionIdentifier ?: transactionId;
+                NSString *productId = transaction.payment.productIdentifier ?: @"";
+
+                qInfo().noquote() << "[IAP][StoreKit] Transaction restored"
+                                  << QString::fromUtf8(transactionId.UTF8String)
+                                  << "original="
+                                  << QString::fromUtf8((originalTransactionId ?: @"").UTF8String)
+                                  << "product="
+                                  << QString::fromUtf8((productId ?: @"").UTF8String);
+
+                NSDictionary *info = @{
+                    @"transactionId": transactionId,
+                    @"originalTransactionId": originalTransactionId ?: @"",
+                    @"productId": productId ?: @""
+                };
+                if (!self.restoredTransactions) {
+                    self.restoredTransactions = [NSMutableArray array];
+                }
+                [self.restoredTransactions addObject:info];
+            }
+            [[SKPaymentQueue defaultQueue] finishTransaction:transaction];
+            break;
        }
-    }];
+        case SKPaymentTransactionStatePurchasing:
+        case SKPaymentTransactionStateDeferred: 
+            break;
+        }
+    }
+}
+
+- (void)paymentQueueRestoreCompletedTransactionsFinished:(SKPaymentQueue *)queue
+{
+    if (self.restoreCompletion) {
+        NSArray<NSDictionary *> *transactions = [self.restoredTransactions copy];
+        self.restoreCompletion(YES, transactions, nil);
+        self.restoreCompletion = nil;
+        self.restoredTransactions = nil;
+    }
+}
+
+- (void)paymentQueue:(SKPaymentQueue *)queue restoreCompletedTransactionsFailedWithError:(NSError *)error
+{
+    if (self.restoreCompletion) {
+        self.restoreCompletion(NO, nil, error);
+        self.restoreCompletion = nil;
+        self.restoredTransactions = nil;
+    }
 }

@end
@@ -3,7 +3,5 @@ import Foundation
 struct XrayConfig: Decodable {
    let dns1: String?
    let dns2: String?
-    let splitTunnelType: Int?
-    let splitTunnelSites: [String]?
    let config: String
 }
@@ -179,9 +179,8 @@ bool IosController::initialize()
    [NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:^(NSArray<NETunnelProviderManager *> * _Nullable managers, NSError * _Nullable error) {
        @try {
            if (error) {
-                qWarning() << "IosController::initialize : loadAllFromPreferences failed:"
-                           << [error.localizedDescription UTF8String]
-                           << "domain:" << [error.domain UTF8String] << "code:" << error.code;
+                qDebug() << "IosController::initialize : Error:" << [error.localizedDescription UTF8String];
+                emit connectionStateChanged(Vpn::ConnectionState::Error);
                ok = false;
                return;
            }
@@ -218,13 +217,16 @@ bool IosController::connectVpn(amnezia::Proto proto, const QJsonObject& configur
    m_rawConfig = configuration;
    m_serverAddress = configuration.value(config_key::hostName).toString().toNSString();

-    const QString serverDescription = configuration.value(config_key::description).toString().trimmed();
    QString tunnelName;
-    if (serverDescription.isEmpty()) {
-        tunnelName = ProtocolProps::protoToString(proto);
-    } else {
+    if (configuration.value(config_key::description).toString().isEmpty()) {
        tunnelName = QString("%1 %2")
-          .arg(serverDescription)
+          .arg(configuration.value(config_key::hostName).toString())
+          .arg(ProtocolProps::protoToString(proto));
+    }
+    else {
+        tunnelName = QString("%1 (%2) %3")
+          .arg(configuration.value(config_key::description).toString())
+          .arg(configuration.value(config_key::hostName).toString())
          .arg(ProtocolProps::protoToString(proto));
    }

@@ -395,14 +397,8 @@ void IosController::vpnStatusDidChange(void *pNotification)
 {
    NETunnelProviderSession *session = (NETunnelProviderSession *)pNotification;

-    if (!session) {
-        return;
-    }
-    if (!m_currentTunnel || (NETunnelProviderSession *)m_currentTunnel.connection != session) {
-        return;
-    }
-
-    qDebug() << "IosController::vpnStatusDidChange" << iosStatusToState(session.status) << session;
+    if (session /* && session == TunnelManager.session */ ) {
+        qDebug() << "IosController::vpnStatusDidChange" << iosStatusToState(session.status) << session;

        if (session.status == NEVPNStatusDisconnected) {
            if (@available(iOS 16.0, *)) {
@@ -516,6 +512,7 @@ void IosController::vpnStatusDidChange(void *pNotification)
            m_statusRequestInFlight = false;
        }
        emitConnectionStateIfChanged(nextState);
+    }
 }

 void IosController::vpnConfigurationDidChange(void *pNotification)
@@ -549,16 +546,6 @@ bool IosController::setupOpenVPN()

    QJsonDocument openVPNConfigDoc(openVPNConfig);
    QString openVPNConfigStr(openVPNConfigDoc.toJson(QJsonDocument::Compact));
-    QString openVPNConfigPreview = openVPNConfigStr.left(512);
-    QString ovpnPreview = ovpnConfig.left(512);
-
-    qDebug().noquote() << "IosController::setupOpenVPN payload"
-                       << "jsonBytes=" << openVPNConfigStr.toUtf8().size()
-                       << "ovpnChars=" << ovpnConfig.size()
-                       << "splitTunnelType=" << m_rawConfig[config_key::splitTunnelType].toInt()
-                       << "splitTunnelSites=" << splitTunnelSites;
-    qDebug().noquote() << "IosController::setupOpenVPN payload jsonPreview=" << openVPNConfigPreview;
-    qDebug().noquote() << "IosController::setupOpenVPN payload ovpnPreview=" << ovpnPreview;

    return startOpenVPN(openVPNConfigStr);
 }
@@ -697,15 +684,6 @@ bool IosController::setupXray()
    QJsonObject finalConfig;
    finalConfig.insert(config_key::dns1, m_rawConfig[config_key::dns1].toString());
    finalConfig.insert(config_key::dns2, m_rawConfig[config_key::dns2].toString());
-    finalConfig.insert(config_key::splitTunnelType, m_rawConfig[config_key::splitTunnelType]);
-
-    QJsonArray splitTunnelSites = m_rawConfig[config_key::splitTunnelSites].toArray();
-
-    for(int index = 0; index < splitTunnelSites.count(); index++) {
-        splitTunnelSites[index] = splitTunnelSites[index].toString().remove(" ");
-    }
-
-    finalConfig.insert(config_key::splitTunnelSites, splitTunnelSites);
    finalConfig.insert(config_key::config, xrayConfigStr);

    QJsonDocument finalConfigDoc(finalConfig);
@@ -807,59 +785,11 @@ bool IosController::startOpenVPN(const QString &config)

    NETunnelProviderProtocol *tunnelProtocol = [[NETunnelProviderProtocol alloc] init];
    tunnelProtocol.providerBundleIdentifier = [NSString stringWithUTF8String:VPN_NE_BUNDLEID];
-    QByteArray configUtf8 = config.toUtf8();
-    NSData *ovpnConfigData = [NSData dataWithBytes:configUtf8.constData() length:configUtf8.size()];
-    tunnelProtocol.providerConfiguration = @{@"ovpn": ovpnConfigData};
+    tunnelProtocol.providerConfiguration = @{@"ovpn": [[NSString stringWithUTF8String:config.toStdString().c_str()] dataUsingEncoding:NSUTF8StringEncoding]};
    tunnelProtocol.serverAddress = m_serverAddress;
-    if (@available(iOS 14.0, macOS 11.0, *)) {
-        int splitTunnelType = 0;
-        QJsonParseError parseError;
-        QJsonDocument doc = QJsonDocument::fromJson(config.toUtf8(), &parseError);
-        if (parseError.error == QJsonParseError::NoError && doc.isObject()) {
-            QJsonObject obj = doc.object();
-            splitTunnelType = obj.value(config_key::splitTunnelType).toInt(0);
-        }
-#if defined(MACOS_NE)
-        // On macOS NE use route-based full tunnel. includeAllNetworks enables
-        // policy-based drop-all mode and causes enforceRoutes to be ignored.
-        tunnelProtocol.includeAllNetworks = NO;
-        if (splitTunnelType == 0) {
-            tunnelProtocol.enforceRoutes = YES;
-            if (@available(iOS 14.2, macOS 11.0, *)) {
-                tunnelProtocol.excludeLocalNetworks = YES;
-            }
-        }
-#else
-        tunnelProtocol.includeAllNetworks = (splitTunnelType == 0);
-        if (@available(iOS 14.2, macOS 11.0, *)) {
-            // Keep existing iOS behavior.
-            if (splitTunnelType == 0) {
-                tunnelProtocol.excludeLocalNetworks = NO;
-            }
-        }
-#endif
-    }

    m_currentTunnel.protocolConfiguration = tunnelProtocol;

-    NETunnelProviderProtocol *appliedProtocol = (NETunnelProviderProtocol *)m_currentTunnel.protocolConfiguration;
-    NSData *ovpnPayload = appliedProtocol.providerConfiguration[@"ovpn"];
-    NSString *payloadPreview = @"";
-    if (ovpnPayload != nil) {
-        NSString *decodedPayload = [[NSString alloc] initWithData:ovpnPayload encoding:NSUTF8StringEncoding];
-        if (decodedPayload != nil) {
-            payloadPreview = [decodedPayload substringToIndex:MIN((NSUInteger)512, decodedPayload.length)];
-        }
-    }
-
-    qDebug().noquote() << "IosController::startOpenVPN protocolConfiguration"
-                       << "bundleId=" << QString::fromNSString(appliedProtocol.providerBundleIdentifier ?: @"")
-                       << "serverAddress=" << QString::fromNSString(appliedProtocol.serverAddress ?: @"")
-                       << "providerKeys=" << QString::fromNSString([[appliedProtocol.providerConfiguration.allKeys description] copy])
-                       << "ovpnBytes=" << (ovpnPayload != nil ? ovpnPayload.length : 0);
-    qDebug().noquote() << "IosController::startOpenVPN protocolConfiguration payloadPreview="
-                       << QString::fromNSString(payloadPreview);
-
    startTunnel();
 }

@@ -869,9 +799,7 @@ bool IosController::startWireGuard(const QString &config)

    NETunnelProviderProtocol *tunnelProtocol = [[NETunnelProviderProtocol alloc] init];
    tunnelProtocol.providerBundleIdentifier = [NSString stringWithUTF8String:VPN_NE_BUNDLEID];
-    QByteArray configUtf8 = config.toUtf8();
-    NSData *wgConfigData = [NSData dataWithBytes:configUtf8.constData() length:configUtf8.size()];
-    tunnelProtocol.providerConfiguration = @{@"wireguard": wgConfigData};
+    tunnelProtocol.providerConfiguration = @{@"wireguard": [[NSString stringWithUTF8String:config.toStdString().c_str()] dataUsingEncoding:NSUTF8StringEncoding]};
    tunnelProtocol.serverAddress = m_serverAddress;

    m_currentTunnel.protocolConfiguration = tunnelProtocol;
@@ -885,9 +813,7 @@ bool IosController::startXray(const QString &config)

    NETunnelProviderProtocol *tunnelProtocol = [[NETunnelProviderProtocol alloc] init];
    tunnelProtocol.providerBundleIdentifier = [NSString stringWithUTF8String:VPN_NE_BUNDLEID];
-    QByteArray configUtf8 = config.toUtf8();
-    NSData *xrayConfigData = [NSData dataWithBytes:configUtf8.constData() length:configUtf8.size()];
-    tunnelProtocol.providerConfiguration = @{@"xray": xrayConfigData};
+    tunnelProtocol.providerConfiguration = @{@"xray": [[NSString stringWithUTF8String:config.toStdString().c_str()] dataUsingEncoding:NSUTF8StringEncoding]};
    tunnelProtocol.serverAddress = m_serverAddress;

    m_currentTunnel.protocolConfiguration = tunnelProtocol;
@@ -909,49 +835,39 @@ void IosController::startTunnel()
    m_rxBytes = 0;
    m_txBytes = 0;

-    NETunnelProviderManager *tunnel = m_currentTunnel;
-    [tunnel setEnabled:YES];
+    [m_currentTunnel setEnabled:YES];

-    dispatch_async(dispatch_get_main_queue(), ^{
-        [tunnel saveToPreferencesWithCompletionHandler:^(NSError *saveError) {
-            dispatch_async(dispatch_get_main_queue(), ^{
-                if (saveError) {
-                    qDebug().nospace() << "IosController::startTunnel" << protocolName << ": Connect " << protocolName
-                                       << " Tunnel Save Error" << saveError.localizedDescription.UTF8String << " domain:"
-                                       << saveError.domain.UTF8String << " code:" << saveError.code;
-                    emit connectionStateChanged(Vpn::ConnectionState::Error);
-                    return;
-                }
+    [m_currentTunnel saveToPreferencesWithCompletionHandler:^(NSError *saveError) {
+        dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{

-                [tunnel loadFromPreferencesWithCompletionHandler:^(NSError *loadError) {
-                    dispatch_async(dispatch_get_main_queue(), ^{
-                        if (loadError) {
-                            qDebug().nospace() << "IosController::startTunnel :" << tunnel.localizedDescription << protocolName
-                                               << ": Connect " << protocolName << " Tunnel Load Error"
-                                               << loadError.localizedDescription.UTF8String;
-                            emit connectionStateChanged(Vpn::ConnectionState::Error);
-                            return;
-                        }
+            if (saveError) {
+                qDebug().nospace() << "IosController::startTunnel" << protocolName << ": Connect " << protocolName << " Tunnel Save Error" << saveError.localizedDescription.UTF8String;
+                emit connectionStateChanged(Vpn::ConnectionState::Error);
+                return;
+            }

-                        NSError *startError = nil;
-                        qDebug() << iosStatusToState(tunnel.connection.status);
+            [m_currentTunnel loadFromPreferencesWithCompletionHandler:^(NSError *loadError) {
+                    if (loadError) {
+                        qDebug().nospace() << "IosController::startTunnel :" << m_currentTunnel.localizedDescription << protocolName << ": Connect " << protocolName << " Tunnel Load Error" << loadError.localizedDescription.UTF8String;
+                        emit connectionStateChanged(Vpn::ConnectionState::Error);
+                        return;
+                    }

-                        BOOL started = [tunnel.connection startVPNTunnelWithOptions:nil andReturnError:&startError];
+                    NSError *startError = nil;
+                    qDebug() << iosStatusToState(m_currentTunnel.connection.status);

-                        if (!started || startError) {
-                            qDebug().nospace() << "IosController::startTunnel :" << tunnel.localizedDescription << protocolName
-                                               << " : Connect " << protocolName << " Tunnel Start Error"
-                                               << (startError ? startError.localizedDescription.UTF8String : "");
-                            emit connectionStateChanged(Vpn::ConnectionState::Error);
-                        } else {
-                            qDebug().nospace() << "IosController::startTunnel :" << tunnel.localizedDescription << protocolName
-                                               << " : Starting the tunnel succeeded";
-                        }
-                    });
-                }];
-            });
-        }];
-    });
+                    BOOL started = [m_currentTunnel.connection startVPNTunnelWithOptions:nil andReturnError:&startError];
+
+                    if (!started || startError) {
+                        qDebug().nospace() << "IosController::startTunnel :" << m_currentTunnel.localizedDescription << protocolName << " : Connect " << protocolName << " Tunnel Start Error"
+                            << (startError ? startError.localizedDescription.UTF8String : "");
+                        emit connectionStateChanged(Vpn::ConnectionState::Error);
+                    } else {
+                        qDebug().nospace() << "IosController::startTunnel :" << m_currentTunnel.localizedDescription << protocolName << " : Starting the tunnel succeeded";
+                    }
+            }];
+        });
+    }];
 }

 bool IosController::isOurManager(NETunnelProviderManager* manager) {
@@ -1043,6 +959,10 @@ void IosController::sendVpnExtensionMessage(NSDictionary* message, std::function
 }

 bool IosController::shareText(const QStringList& filesToSend) {
+#if defined(Q_OS_TVOS)
+    Q_UNUSED(filesToSend)
+    return false;
+#else
    NSMutableArray *sharingItems = [NSMutableArray new];

    for (int i = 0; i < filesToSend.size(); i++) {
@@ -1051,7 +971,7 @@ bool IosController::shareText(const QStringList& filesToSend) {
    }
 #if !MACOS_NE
    UIViewController *qtController = getViewController();
-    if (!qtController) return;
+    if (!qtController) return false;

    UIActivityViewController *activityController = [[UIActivityViewController alloc] initWithActivityItems:sharingItems applicationActivities:nil];
 #endif
@@ -1075,23 +995,25 @@ bool IosController::shareText(const QStringList& filesToSend) {
    wait.exec();

    return isAccepted;
+#endif
 }

 QString IosController::openFile() {
-#if !MACOS_NE
+#if defined(Q_OS_TVOS)
+    return QString();
+#elif !MACOS_NE
    UIDocumentPickerViewController *documentPicker = [[UIDocumentPickerViewController alloc] initWithDocumentTypes:@[@"public.item"] inMode:UIDocumentPickerModeOpen];

    DocumentPickerDelegate *documentPickerDelegate = [[DocumentPickerDelegate alloc] init];
    documentPicker.delegate = documentPickerDelegate;

    UIViewController *qtController = getViewController();
-    if (!qtController) return;
+    if (!qtController) return QString();

    [qtController presentViewController:documentPicker animated:YES completion:nil];
-
 #endif
    __block QString filePath;
-#if !MACOS_NE
+#if !MACOS_NE && !defined(Q_OS_TVOS)
    documentPickerDelegate.documentPickerClosedCallback = ^(NSString *path) {
        if (path) {
            filePath = QString::fromUtf8(path.UTF8String);
@@ -1206,26 +1128,14 @@ void IosController::fetchProducts(const QStringList &productIds,
                                                   NSArray<NSString *> * _Nonnull invalidIdentifiers,
                                                   NSError * _Nullable error) {
            QList<QVariantMap> outProducts;
-            for (NSDictionary *productInfo in products) {
-                QVariantMap productData;
-                productData["productId"] = QString::fromUtf8([productInfo[@"productId"] UTF8String]);
-                productData["title"] = QString::fromUtf8([productInfo[@"title"] UTF8String]);
-                productData["description"] = QString::fromUtf8([productInfo[@"description"] UTF8String]);
-                productData["price"] = QString::fromUtf8([productInfo[@"price"] UTF8String]);
-                if (productInfo[@"displayPrice"]) {
-                    productData["displayPrice"] = QString::fromUtf8([productInfo[@"displayPrice"] UTF8String]);
-                }
-                productData["currencyCode"] = QString::fromUtf8([productInfo[@"currencyCode"] UTF8String]);
-                if (productInfo[@"priceAmount"]) {
-                    productData["priceAmount"] = [productInfo[@"priceAmount"] doubleValue];
-                }
-                if (productInfo[@"subscriptionBillingMonths"]) {
-                    productData["subscriptionBillingMonths"] = [productInfo[@"subscriptionBillingMonths"] doubleValue];
-                }
-                if (productInfo[@"displayPricePerMonth"]) {
-                    productData["displayPricePerMonth"] = QString::fromUtf8([productInfo[@"displayPricePerMonth"] UTF8String]);
-                }
-                outProducts.push_back(productData);
+            for (NSDictionary *p in products) {
+                QVariantMap m;
+                m["productId"] = QString::fromUtf8([p[@"productId"] UTF8String]);
+                m["title"] = QString::fromUtf8([p[@"title"] UTF8String]);
+                m["description"] = QString::fromUtf8([p[@"description"] UTF8String]);
+                m["price"] = QString::fromUtf8([p[@"price"] UTF8String]);
+                m["currencyCode"] = QString::fromUtf8([p[@"currencyCode"] UTF8String]);
+                outProducts.push_back(m);
            }

            QStringList invalid;
@@ -1,6 +1,7 @@
 #import <NetworkExtension/NetworkExtension.h>
 #import <NetworkExtension/NETunnelProviderSession.h>
 #import <Foundation/Foundation.h>
+#include <TargetConditionals.h>

 #if !MACOS_NE
 #include <UIKit/UIKit.h>
@@ -21,7 +22,7 @@ class IosController;
@end

 typedef void (^DocumentPickerClosedCallback)(NSString *path);
-#if !MACOS_NE
+#if !MACOS_NE && !TARGET_OS_TV
@interface DocumentPickerDelegate : NSObject <UIDocumentPickerDelegate>

@property (nonatomic, copy) DocumentPickerClosedCallback documentPickerClosedCallback;
@@ -26,7 +26,7 @@

@end

-#if !MACOS_NE
+#if !MACOS_NE && !TARGET_OS_TV
@implementation DocumentPickerDelegate

 - (void)documentPicker:(UIDocumentPickerViewController *)controller didPickDocumentsAtURLs:(NSArray<NSURL *> *)urls {
@@ -7,6 +7,24 @@
 #import <UserNotifications/UserNotifications.h>
 #import <Foundation/Foundation.h>

+#if defined(Q_OS_TVOS)
+
+IOSNotificationHandler::IOSNotificationHandler(QObject* parent) : NotificationHandler(parent) {}
+
+IOSNotificationHandler::~IOSNotificationHandler() {}
+
+void IOSNotificationHandler::notify(NotificationHandler::Message type,
+                                    const QString& title,
+                                    const QString& message,
+                                    int timerMsec) {
+  Q_UNUSED(type)
+  Q_UNUSED(title)
+  Q_UNUSED(message)
+  Q_UNUSED(timerMsec)
+}
+
+#else
+
 #if !MACOS_NE
 #import <UIKit/UIKit.h>

@@ -172,3 +190,5 @@ void IOSNotificationHandler::notify(NotificationHandler::Message type, const QSt
           }];
 }
 #endif
+
+#endif  // Q_OS_TVOS
@@ -164,13 +164,8 @@ bool LinuxRouteMonitor::rtmSendRoute(int action, int flags, int type,
    }

    if (rtm->rtm_type == RTN_THROW) {
-    QString gateway = NetworkUtilities::getGatewayAndIface().first;
-    if (gateway.isEmpty()) {
-        logger.warning() << "No default gateway available, skipping exclusion route";
-        return false;
-    }
    struct in_addr ip4;
-    inet_pton(AF_INET, gateway.toUtf8(), &ip4);
+    inet_pton(AF_INET, NetworkUtilities::getGatewayAndIface().first.toUtf8(), &ip4);
    nlmsg_append_attr(nlmsg, sizeof(buf), RTA_GATEWAY, &ip4, sizeof(ip4));
    nlmsg_append_attr32(nlmsg, sizeof(buf), RTA_PRIORITY, 0);
    rtm->rtm_type = RTN_UNICAST;
@@ -41,11 +41,8 @@ void LinuxNetworkWatcher::initialize() {
  connect(m_worker, &LinuxNetworkWatcherWorker::unsecuredNetwork, this,
          &LinuxNetworkWatcher::unsecuredNetwork);

-  connect(m_worker, &LinuxNetworkWatcherWorker::wakeup, this,
-          &NetworkWatcherImpl::wakeup);
-
-  connect(m_worker, &LinuxNetworkWatcherWorker::networkChanged, this,
-          [this]() { emit networkChanged(""); });
+  connect(m_worker, &LinuxNetworkWatcherWorker::sleepMode, this,
+          &NetworkWatcherImpl::sleepMode);

  // Let's wait a few seconds to allow the UI to be fully loaded and shown.
  // This is not strictly needed, but it's better for user experience because
@@ -37,7 +37,6 @@
 enum NMState {
    NM_STATE_UNKNOWN = 0,
    NM_STATE_ASLEEP = 10,
-    NM_STATE_DISABLED = 10,
    NM_STATE_DISCONNECTED = 20,
    NM_STATE_DISCONNECTING = 30,
    NM_STATE_CONNECTING = 40,
@@ -200,11 +199,10 @@ void LinuxNetworkWatcherWorker::checkDevices() {

 void LinuxNetworkWatcherWorker::NMStateChanged(quint32 state)
 {
-    logger.debug() << "NMStateChanged " << state;
+  if (state == NM_STATE_ASLEEP) {
+    emit sleepMode();
+  }
+
+  logger.debug() << "NMStateChanged " << state;
+}

-    if (state == NM_STATE_ASLEEP || state == NM_STATE_DISABLED) {
-        emit wakeup();
-    } else if (state == NM_STATE_CONNECTED_GLOBAL) {
-        emit networkChanged();
-    }
-}
@@ -23,8 +23,7 @@ class LinuxNetworkWatcherWorker final : public QObject {

 signals:
  void unsecuredNetwork(const QString& networkName, const QString& networkId);
-  void wakeup();
-  void networkChanged();
+  void sleepMode();

 public slots:
  void initialize();
@@ -173,10 +173,10 @@ void PowerNotificationsListener::sleepWakeupCallBack(void *refParam, io_service_

    case kIOMessageSystemHasPoweredOn:
        /* Announces that the system and its devices have woken up. */
-        logger.debug() << "System has powered on - emitting wakeup signal from dedicated CFRunLoop thread";
+        logger.debug() << "System has powered on - emitting sleepMode signal from dedicated CFRunLoop thread";
        if (listener->m_watcher) {
            // Use QMetaObject::invokeMethod for thread-safe signal emission
-            QMetaObject::invokeMethod(listener->m_watcher, "wakeup", Qt::QueuedConnection);
+            QMetaObject::invokeMethod(listener->m_watcher, "sleepMode", Qt::QueuedConnection);
        }
        break;

@@ -62,9 +62,6 @@ void WindowsDaemon::prepareActivation(const InterfaceConfig& config, int inetAda
 }

 void WindowsDaemon::activateSplitTunnel(const InterfaceConfig& config, int vpnAdapterIndex) {
-    if (m_splitTunnelManager == nullptr)
-        return;
-
  if (config.m_vpnDisabledApps.length() > 0) {
      m_splitTunnelManager->start(m_inetAdapterIndex, vpnAdapterIndex);
      m_splitTunnelManager->excludeApps(config.m_vpnDisabledApps);
@@ -41,7 +41,7 @@ LRESULT WindowsNetworkWatcher::PowerWndProcCallback(HWND hwnd, UINT uMsg, WPARAM
  switch (uMsg) {
  case WM_POWERBROADCAST:
    if (wParam == PBT_APMRESUMESUSPEND) {
-        emit obj->wakeup();
+        emit obj->sleepMode();
    }
    break;
  default:
@@ -232,6 +232,12 @@ ErrorCode OpenVpnProtocol::start()
        return ErrorCode::AmneziaServiceConnectionFailed;
    }

+    m_openVpnProcess->waitForSource(5000);
+    if (!m_openVpnProcess->isInitialized()) {
+        qWarning() << "IpcProcess replica is not connected!";
+        setLastError(ErrorCode::AmneziaServiceConnectionFailed);
+        return ErrorCode::AmneziaServiceConnectionFailed;
+    }
    m_openVpnProcess->setProgram(PermittedProcess::OpenVPN);
    QStringList arguments({
            "--config", configPath(), "--management", m_managementHost, QString::number(mgmtPort),
@@ -240,13 +246,13 @@ ErrorCode OpenVpnProtocol::start()
    m_openVpnProcess->setArguments(arguments);

    qDebug() << arguments.join(" ");
-    connect(m_openVpnProcess.data(), &IpcProcessInterfaceReplica::errorOccurred,
+    connect(m_openVpnProcess.data(), &PrivilegedProcess::errorOccurred,
            [&](QProcess::ProcessError error) { qDebug() << "PrivilegedProcess errorOccurred" << error; });

-    connect(m_openVpnProcess.data(), &IpcProcessInterfaceReplica::stateChanged,
+    connect(m_openVpnProcess.data(), &PrivilegedProcess::stateChanged,
            [&](QProcess::ProcessState newState) { qDebug() << "PrivilegedProcess stateChanged" << newState; });

-    connect(m_openVpnProcess.data(), &IpcProcessInterfaceReplica::finished, this,
+    connect(m_openVpnProcess.data(), &PrivilegedProcess::finished, this,
            [&]() { setConnectionState(Vpn::ConnectionState::Disconnected); });

    m_openVpnProcess->start();
@@ -53,7 +53,7 @@ private:
    void updateRouteGateway(QString line);
    void updateVpnGateway(const QString &line);

-    QSharedPointer<IpcProcessInterfaceReplica> m_openVpnProcess;
+    QSharedPointer<PrivilegedProcess> m_openVpnProcess;
 };

 #endif // OPENVPNPROTOCOL_H
@@ -190,7 +190,7 @@ namespace amnezia

            constexpr char defaultPort[] = "51820";

-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS) || defined(MACOS_NE)
            constexpr char defaultMtu[] = "1280";
 #else
            constexpr char defaultMtu[] = "1376";
@@ -210,7 +210,7 @@ namespace amnezia
        namespace awg
        {
            constexpr char defaultPort[] = "55424";
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS) || defined(MACOS_NE)
            constexpr char defaultMtu[] = "1280";
 #else
            constexpr char defaultMtu[] = "1376";
@@ -233,7 +233,7 @@ namespace amnezia
            constexpr char defaultResponsePacketMagicHeader[] = "3288052141";
            constexpr char defaultTransportPacketMagicHeader[] = "2528465083";
            constexpr char defaultUnderloadPacketMagicHeader[] = "1766607858";
-            constexpr char defaultSpecialJunk1[] = "<r 2><b 0x858000010001000000000669636c6f756403636f6d0000010001c00c000100010000105a00044d583737>";
+            constexpr char defaultSpecialJunk1[] = "<b 0x084481800001000300000000077469636b65747306776964676574096b696e6f706f69736b0272750000010001c00c0005000100000039001806776964676574077469636b6574730679616e646578c025c0390005000100000039002b1765787465726e616c2d7469636b6574732d776964676574066166697368610679616e646578036e657400c05d000100010000001c000457fafe25>";
            constexpr char defaultSpecialJunk2[] = "";
            constexpr char defaultSpecialJunk3[] = "";
            constexpr char defaultSpecialJunk4[] = "";
@@ -4,7 +4,7 @@
 #include "core/errorstrings.h"
 #include "vpnprotocol.h"

-#if defined(Q_OS_WINDOWS) || defined(Q_OS_MACX) and !defined MACOS_NE || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
+#if defined(Q_OS_WINDOWS) || (defined(Q_OS_MACX) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)) || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
    #include "openvpnovercloakprotocol.h"
    #include "openvpnprotocol.h"
    #include "shadowsocksvpnprotocol.h"
@@ -114,7 +114,7 @@ VpnProtocol *VpnProtocol::factory(DockerContainer container, const QJsonObject &
 #if defined(Q_OS_WINDOWS)
    case DockerContainer::Ipsec: return new Ikev2Protocol(configuration);
 #endif
-#if defined(Q_OS_WINDOWS) || defined(Q_OS_MACX) and !defined MACOS_NE || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
+#if defined(Q_OS_WINDOWS) || (defined(Q_OS_MACX) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)) || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
    case DockerContainer::OpenVpn: return new OpenVpnProtocol(configuration);
    case DockerContainer::Cloak: return new OpenVpnOverCloakProtocol(configuration);
    case DockerContainer::ShadowSocks: return new ShadowSocksVpnProtocol(configuration);
@@ -15,7 +15,7 @@ WireguardProtocol::WireguardProtocol(const QJsonObject &configuration, QObject *
    m_impl.reset(new LocalSocketController());
    connect(m_impl.get(), &ControllerImpl::connected, this,
            [this](const QString &pubkey, const QDateTime &connectionTimestamp) {
-                setConnectionState(Vpn::ConnectionState::Connected);
+                emit connectionStateChanged(Vpn::ConnectionState::Connected);
            });
    connect(m_impl.get(), &ControllerImpl::statusUpdated, this,
            [this](const QString& serverIpv4Gateway,
@@ -38,7 +38,7 @@ WireguardProtocol::WireguardProtocol(const QJsonObject &configuration, QObject *
            });

    connect(m_impl.get(), &ControllerImpl::disconnected, this,
-            [this]() { setConnectionState(Vpn::ConnectionState::Disconnected); });
+            [this]() { emit connectionStateChanged(Vpn::ConnectionState::Disconnected); });
    m_impl->initialize(nullptr, nullptr);
 }

@@ -1,8 +1,6 @@
 #include "xrayprotocol.h"

 #include "core/ipcclient.h"
-#include "core/serialization/serialization.h"
-#include "ipc.h"
 #include "utilities.h"
 #include "core/networkUtilities.h"

@@ -11,39 +9,14 @@
 #include <QJsonObject>
 #include <QNetworkInterface>
 #include <QJsonDocument>
-#include <QtCore/qlogging.h>
-#include <QtCore/qobjectdefs.h>
-#include <QtCore/qprocess.h>
-
-#include <exception>
-
-#ifdef Q_OS_MACOS
-static const QString tunName = "utun22";
-#else
-static const QString tunName = "tun2";
-#endif

 XrayProtocol::XrayProtocol(const QJsonObject &configuration, QObject *parent) : VpnProtocol(configuration, parent)
 {
+    readXrayConfiguration(configuration);
+    m_routeGateway = NetworkUtilities::getGatewayAndIface().first;
    m_vpnGateway = amnezia::protocols::xray::defaultLocalAddr;
    m_vpnLocalAddress = amnezia::protocols::xray::defaultLocalAddr;
-    m_routeGateway = NetworkUtilities::getGatewayAndIface().first;
-
-    m_routeMode = static_cast<Settings::RouteMode>(configuration.value(amnezia::config_key::splitTunnelType).toInt());
-    m_remoteAddress = NetworkUtilities::getIPAddress(m_rawConfig.value(amnezia::config_key::hostName).toString());
-
-    const QString primaryDns = configuration.value(amnezia::config_key::dns1).toString();
-    m_dnsServers.push_back(QHostAddress(primaryDns));
-    if (primaryDns != amnezia::protocols::dns::amneziaDnsIp) {
-        const QString secondaryDns = configuration.value(amnezia::config_key::dns2).toString();
-        m_dnsServers.push_back(QHostAddress(secondaryDns));
-    }
-
-    QJsonObject xrayConfiguration = configuration.value(ProtocolProps::key_proto_config_data(Proto::Xray)).toObject();
-    if (xrayConfiguration.isEmpty()) {
-        xrayConfiguration = configuration.value(ProtocolProps::key_proto_config_data(Proto::SSXray)).toObject();
-    }
-    m_xrayConfig = xrayConfiguration;
+    m_t2sProcess = IpcClient::InterfaceTun2Socks();
 }

 XrayProtocol::~XrayProtocol()
@@ -56,29 +29,72 @@ ErrorCode XrayProtocol::start()
 {
    qDebug() << "XrayProtocol::start()";

-    // Inject SOCKS5 auth into the inbound before starting xray.
-    // Re-uses existing credentials if the config already has them (e.g. imported config).
-    amnezia::serialization::inbounds::InboundCredentials creds;
-    try {
-        creds = amnezia::serialization::inbounds::EnsureInboundAuth(m_xrayConfig);
-    } catch (const std::exception &e) {
-        qCritical() << "EnsureInboundAuth failed:" << e.what();
-        return ErrorCode::InternalError;
-    }
-    m_socksUser     = creds.username;
-    m_socksPassword = creds.password;
-    m_socksPort     = creds.port;
-
-    return IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-        auto xrayStart = iface->xrayStart(QJsonDocument(m_xrayConfig).toJson());
-        if (!xrayStart.waitForFinished() || !xrayStart.returnValue()) {
-            qCritical() << "Failed to start xray";
-            return ErrorCode::XrayExecutableCrashed;
-        }
-        return startTun2Socks();
+    const ErrorCode err = IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
+        iface->xrayStart(QJsonDocument(m_xrayConfig).toJson());
+        return ErrorCode::NoError;
    }, [] () {
        return ErrorCode::AmneziaServiceConnectionFailed;
    });
+    if (err != ErrorCode::NoError)
+        return err;
+
+    setConnectionState(Vpn::ConnectionState::Connecting);
+    return startTun2Sock();
+}
+
+ErrorCode XrayProtocol::startTun2Sock()
+{
+    m_t2sProcess->start();
+
+    connect(m_t2sProcess.data(), &IpcProcessTun2SocksReplica::stateChanged, this,
+            [&](QProcess::ProcessState newState) { qDebug() << "PrivilegedProcess stateChanged" << newState; });
+
+    connect(m_t2sProcess.data(), &IpcProcessTun2SocksReplica::setConnectionState, this, [&](int vpnState) {
+        qDebug() << "PrivilegedProcess setConnectionState " << vpnState;
+        IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
+            if (vpnState == Vpn::ConnectionState::Connected) {
+                setConnectionState(Vpn::ConnectionState::Connecting);
+                QList<QHostAddress> dnsAddr;
+
+                dnsAddr.push_back(QHostAddress(m_primaryDNS));
+                // We don't use secondary DNS if primary DNS is AmneziaDNS
+                if (!m_primaryDNS.contains(amnezia::protocols::dns::amneziaDnsIp)) {
+                    dnsAddr.push_back(QHostAddress(m_secondaryDNS));
+                }
+    #ifdef Q_OS_WIN
+                QThread::msleep(8000);
+    #endif
+    #ifdef Q_OS_MACOS
+                QThread::msleep(5000);
+                iface->createTun("utun22", amnezia::protocols::xray::defaultLocalAddr);
+                iface->updateResolvers("utun22", dnsAddr);
+    #endif
+    #ifdef Q_OS_LINUX
+                QThread::msleep(1000);
+                iface->createTun("tun2", amnezia::protocols::xray::defaultLocalAddr);
+                iface->updateResolvers("tun2", dnsAddr);
+    #endif
+                if (m_routeMode == Settings::RouteMode::VpnAllSites) {
+                    iface->routeAddList(m_vpnGateway, QStringList() << "1.0.0.0/8" << "2.0.0.0/7" << "4.0.0.0/6" << "8.0.0.0/5" << "16.0.0.0/4" << "32.0.0.0/3" << "64.0.0.0/2" << "128.0.0.0/1");
+                }
+                iface->StopRoutingIpv6();
+    #ifdef Q_OS_WIN
+                iface->updateResolvers("tun2", dnsAddr);
+    #endif
+                setConnectionState(Vpn::ConnectionState::Connected);
+            }
+    #if !defined(Q_OS_MACOS)
+            if (vpnState == Vpn::ConnectionState::Disconnected) {
+                setConnectionState(Vpn::ConnectionState::Disconnected);
+                iface->deleteTun("tun2");
+                iface->StartRoutingIpv6();
+                iface->clearSavedRoutes();
+            }
+#endif
+        });
+    });
+
+    return ErrorCode::NoError;
 }

 void XrayProtocol::stop()
@@ -86,180 +102,43 @@ void XrayProtocol::stop()
    qDebug() << "XrayProtocol::stop()";

    IpcClient::withInterface([](QSharedPointer<IpcInterfaceReplica> iface) {
-        auto disableKillSwitch = iface->disableKillSwitch();
-        if (!disableKillSwitch.waitForFinished() || !disableKillSwitch.returnValue())
-            qWarning() << "Failed to disable killswitch";
+#ifdef AMNEZIA_DESKTOP
+        QRemoteObjectPendingReply<bool> StartRoutingIpv6Resp = iface->StartRoutingIpv6();
+        if (!StartRoutingIpv6Resp.waitForFinished(1000)) {
+            qWarning() << "XrayProtocol::stop(): Failed to start routing ipv6";
+        }

-        auto StartRoutingIpv6 = iface->StartRoutingIpv6();
-        if (!StartRoutingIpv6.waitForFinished() || !StartRoutingIpv6.returnValue())
-            qWarning() << "Failed to start routing ipv6";
+        QRemoteObjectPendingReply<bool> restoreResolvers = iface->restoreResolvers();
+        if (!restoreResolvers.waitForFinished(1000)) {
+            qWarning() << "XrayProtocol::stop(): Failed to restore resolvers";
+        }

-        auto restoreResolvers = iface->restoreResolvers();
-        if (!restoreResolvers.waitForFinished() || !restoreResolvers.returnValue())
-            qWarning() << "Failed to restore resolvers";
-
-        auto deleteTun = iface->deleteTun(tunName);
-        if (!deleteTun.waitForFinished() || !deleteTun.returnValue())
-            qWarning() << "Failed to delete tun";
-
-        auto xrayStop = iface->xrayStop();
-        if (!xrayStop.waitForFinished() || !xrayStop.returnValue())
-            qWarning() << "Failed to stop xray";
+    #if !defined(Q_OS_MACOS)
+        QRemoteObjectPendingReply<bool> deleteTunResp = iface->deleteTun("tun2");
+        if (!deleteTunResp.waitForFinished(1000)) {
+            qWarning() << "XrayProtocol::stop(): Failed to delete tun";
+        }
+    #endif
+#endif
+        iface->xrayStop();
    });

-    if (m_tun2socksProcess) {
-        m_tun2socksProcess->blockSignals(true);
-
-#ifndef Q_OS_WIN
-        m_tun2socksProcess->terminate();
-        auto waitForFinished = m_tun2socksProcess->waitForFinished(1000);
-        if (!waitForFinished.waitForFinished() || !waitForFinished.returnValue()) {
-            qWarning() << "Failed to terminate tun2socks. Killing the process...";
-            m_tun2socksProcess->kill();
-        }
-#else
-        // terminate does not do anything useful on Windows
-        // so just kill the process
-        m_tun2socksProcess->kill();
-#endif
-
-        m_tun2socksProcess->close();
-        m_tun2socksProcess.reset();
+    if (m_t2sProcess) {
+        m_t2sProcess->stop();
+        QThread::msleep(200);
    }

    setConnectionState(Vpn::ConnectionState::Disconnected);
 }

-ErrorCode XrayProtocol::startTun2Socks()
+void XrayProtocol::readXrayConfiguration(const QJsonObject &configuration)
 {
-    m_tun2socksProcess = IpcClient::CreatePrivilegedProcess();
-    if (!m_tun2socksProcess->waitForSource()) {
-        return ErrorCode::AmneziaServiceConnectionFailed;
+    QJsonObject xrayConfiguration = configuration.value(ProtocolProps::key_proto_config_data(Proto::Xray)).toObject();
+    if (xrayConfiguration.isEmpty()) {
+        xrayConfiguration = configuration.value(ProtocolProps::key_proto_config_data(Proto::SSXray)).toObject();
    }
-
-    const QString proxyUrl = QString("socks5://%1:%2@127.0.0.1:%3")
-                                 .arg(m_socksUser, m_socksPassword, QString::number(m_socksPort));
-
-    m_tun2socksProcess->setProgram(PermittedProcess::Tun2Socks);
-    m_tun2socksProcess->setArguments({"-device", QString("tun://%1").arg(tunName), "-proxy", proxyUrl});
-
-    connect(m_tun2socksProcess.data(), &IpcProcessInterfaceReplica::readyReadStandardOutput, this, [this]() {
-        auto readAllStandardOutput = m_tun2socksProcess->readAllStandardOutput();
-        if (!readAllStandardOutput.waitForFinished()) {
-            qWarning() << "Failed to read output from tun2socks";
-            return;
-        }
-
-        const QString line = readAllStandardOutput.returnValue();
-
-        if (!line.contains("[TCP]") && !line.contains("[UDP]"))
-            qDebug() << "[tun2socks]:" << line;
-        
-        if (line.contains("[STACK] tun://") && line.contains("<-> socks5://")) {
-            disconnect(m_tun2socksProcess.data(), &IpcProcessInterfaceReplica::readyReadStandardOutput, this, nullptr);
-
-            if (ErrorCode res = setupRouting(); res != ErrorCode::NoError) {
-                stop();
-                setLastError(res);
-            } else {
-                setConnectionState(Vpn::ConnectionState::Connected);
-            }
-        }
-    }, Qt::QueuedConnection);
-
-    connect(m_tun2socksProcess.data(), &IpcProcessInterfaceReplica::finished, this, [this](int exitCode, QProcess::ExitStatus exitStatus) {
-        if (exitStatus == QProcess::ExitStatus::CrashExit) {
-            qCritical() << "Tun2socks process crashed!";
-        } else {
-            qCritical() << QString("Tun2socks process was closed with %1 exit code").arg(exitCode);
-        }
-        stop();
-        setLastError(ErrorCode::Tun2SockExecutableCrashed);
-    }, Qt::QueuedConnection);
-
-    m_tun2socksProcess->start();
-    return ErrorCode::NoError;
-}
-
-ErrorCode XrayProtocol::setupRouting() {
-    return IpcClient::withInterface([this](QSharedPointer<IpcInterfaceReplica> iface) -> ErrorCode {
-#ifdef Q_OS_WIN
-        const int inetAdapterIndex = NetworkUtilities::AdapterIndexTo(QHostAddress(m_remoteAddress));
-#endif
-        auto createTun = iface->createTun(tunName, amnezia::protocols::xray::defaultLocalAddr);
-        if (!createTun.waitForFinished() || !createTun.returnValue()) {
-            qCritical() << "Failed to assign IP address for TUN";
-            return ErrorCode::InternalError;
-        }
-
-        auto updateResolvers = iface->updateResolvers(tunName, m_dnsServers);
-        if (!updateResolvers.waitForFinished() || !updateResolvers.returnValue()) {
-            qCritical() << "Failed to set DNS resolvers for TUN";
-            return ErrorCode::InternalError;
-        }
-
-#ifdef Q_OS_WIN
-        int vpnAdapterIndex = -1;
-        QList<QNetworkInterface> netInterfaces = QNetworkInterface::allInterfaces();
-        for (auto& netInterface : netInterfaces) {
-            for (auto& address : netInterface.addressEntries()) {
-                if (m_vpnLocalAddress == address.ip().toString())
-                    vpnAdapterIndex = netInterface.index();
-            }
-        }
-#else
-        static const int vpnAdapterIndex = 0;
-#endif
-        const bool killSwitchEnabled = QVariant(m_rawConfig.value(config_key::killSwitchOption).toString()).toBool();
-        if (killSwitchEnabled) {
-            if (vpnAdapterIndex != -1) {
-                QJsonObject config = m_rawConfig;
-                config.insert("vpnServer", m_remoteAddress);
-
-                auto enableKillSwitch = IpcClient::Interface()->enableKillSwitch(config, vpnAdapterIndex);
-                if (!enableKillSwitch.waitForFinished() || !enableKillSwitch.returnValue()) {
-                    qCritical() << "Failed to enable killswitch";
-                    return ErrorCode::InternalError;
-                }
-            } else
-                qWarning() << "Failed to get vpnAdapterIndex. Killswitch disabled";
-        }
-
-        if (m_routeMode == Settings::RouteMode::VpnAllSites) {
-            static const QStringList subnets = { "1.0.0.0/8", "2.0.0.0/7", "4.0.0.0/6", "8.0.0.0/5", "16.0.0.0/4", "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/1" };
-
-            auto routeAddList =  iface->routeAddList(m_vpnGateway, subnets);
-            if (!routeAddList.waitForFinished() || routeAddList.returnValue() != subnets.count()) {
-                qCritical() << "Failed to set routes for TUN";
-                return ErrorCode::InternalError;
-            }
-        }
-
-        auto StopRoutingIpv6 = iface->StopRoutingIpv6();
-        if (!StopRoutingIpv6.waitForFinished() || !StopRoutingIpv6.returnValue()) {
-            qCritical() << "Failed to disable IPv6 routing";
-            return ErrorCode::InternalError;
-        }
-
-#ifdef Q_OS_WIN
-        if (inetAdapterIndex != -1 && vpnAdapterIndex != -1) {
-            QJsonObject config = m_rawConfig;
-            config.insert("inetAdapterIndex", inetAdapterIndex);
-            config.insert("vpnAdapterIndex", vpnAdapterIndex);
-            config.insert("vpnGateway", m_vpnGateway);
-            config.insert("vpnServer", m_remoteAddress);
-
-            auto enablePeerTraffic = iface->enablePeerTraffic(config);
-            if (!enablePeerTraffic.waitForFinished() || !enablePeerTraffic.returnValue()) {
-                qCritical() << "Failed to enable peer traffic";
-                return ErrorCode::InternalError;
-            }
-        } else
-            qWarning() << "Failed to get adapter indexes. Split-tunneling disabled";
-#endif
-        return ErrorCode::NoError;
-    },
-    [] () {
-        return ErrorCode::AmneziaServiceConnectionFailed;
-    });
+    m_xrayConfig = xrayConfiguration;
+    m_routeMode = static_cast<Settings::RouteMode>(configuration.value(amnezia::config_key::splitTunnelType).toInt());
+    m_primaryDNS = configuration.value(amnezia::config_key::dns1).toString();
+    m_secondaryDNS = configuration.value(amnezia::config_key::dns2).toString();
 }
@@ -6,7 +6,6 @@
 #include "core/ipcclient.h"
 #include "vpnprotocol.h"
 #include "settings.h"
-#include <QtCore/qsharedpointer.h>

 class XrayProtocol : public VpnProtocol
 {
@@ -15,22 +14,19 @@ public:
    virtual ~XrayProtocol() override;

    ErrorCode start() override;
+    ErrorCode startTun2Sock();
    void stop() override;

 private:
-    ErrorCode setupRouting();
-    ErrorCode startTun2Socks();
-
+    void readXrayConfiguration(const QJsonObject &configuration);
+    
    QJsonObject m_xrayConfig;
    Settings::RouteMode m_routeMode;
-    QList<QHostAddress> m_dnsServers;
-    QString m_remoteAddress;
-
-    QString m_socksUser;
-    QString m_socksPassword;
-    int m_socksPort = 10808;
-
-    QSharedPointer<IpcProcessInterfaceReplica> m_tun2socksProcess;
+    QString m_primaryDNS;
+    QString m_secondaryDNS;
+#ifndef Q_OS_IOS
+    QSharedPointer<IpcProcessTun2SocksReplica> m_t2sProcess;
+#endif
 };

 #endif // XRAYPROTOCOL_H
@@ -27,12 +27,10 @@
        <file>images/controls/folder-open.svg</file>
        <file>images/controls/folder-search-2.svg</file>
        <file>images/controls/gauge.svg</file>
-        <file>images/controls/globe-2.svg</file>
        <file>images/controls/github.svg</file>
        <file>images/controls/help-circle.svg</file>
        <file>images/controls/history.svg</file>
        <file>images/controls/home.svg</file>
-        <file>images/controls/infinity.svg</file>
        <file>images/controls/info.svg</file>
        <file>images/controls/mail.svg</file>
        <file>images/controls/map-pin.svg</file>
@@ -57,7 +55,6 @@
        <file>images/controls/settings-news.svg</file>
        <file>images/controls/share-2.svg</file>
        <file>images/controls/split-tunneling.svg</file>
-        <file>images/controls/smartphone.svg</file>
        <file>images/controls/tag.svg</file>
        <file>images/controls/telegram.svg</file>
        <file>images/controls/text-cursor.svg</file>
@@ -132,17 +129,11 @@
        <file>ui/qml/Components/AdLabel.qml</file>
        <file>ui/qml/Components/ConnectButton.qml</file>
        <file>ui/qml/Components/ConnectionTypeSelectionDrawer.qml</file>
-        <file>ui/qml/Components/GamepadLoader.qml</file>
        <file>ui/qml/Components/HomeContainersListView.qml</file>
        <file>ui/qml/Components/HomeSplitTunnelingDrawer.qml</file>
        <file>ui/qml/Components/InstalledAppsDrawer.qml</file>
-        <file>ui/qml/Components/BenefitRow.qml</file>
-        <file>ui/qml/Components/BenefitsPanel.qml</file>
-        <file>ui/qml/Components/SubscriptionPlanCard.qml</file>
-        <file>ui/qml/Components/TermsAndPrivacyText.qml</file>
        <file>ui/qml/Components/QuestionDrawer.qml</file>
        <file>ui/qml/Components/SelectLanguageDrawer.qml</file>
-        <file>ui/qml/Components/SubscriptionExpiredDrawer.qml</file>
        <file>ui/qml/Components/ServersListView.qml</file>
        <file>ui/qml/Components/SettingsContainersListView.qml</file>
        <file>ui/qml/Components/TransportProtoSelector.qml</file>
@@ -188,7 +179,6 @@
        <file>ui/qml/Controls2/TextTypes/LabelTextType.qml</file>
        <file>ui/qml/Controls2/TextTypes/ListItemTitleType.qml</file>
        <file>ui/qml/Controls2/TextTypes/ParagraphTextType.qml</file>
-        <file>ui/qml/Controls2/TextTypes/BadgeTextType.qml</file>
        <file>ui/qml/Controls2/TextTypes/SmallTextType.qml</file>
        <file>ui/qml/Controls2/TopCloseButtonType.qml</file>
        <file>ui/qml/Controls2/VerticalRadioButton.qml</file>
@@ -234,9 +224,7 @@
        <file>ui/qml/Pages2/PageSettingsNewsDetail.qml</file>
        <file>ui/qml/Pages2/PageProtocolAwgClientSettings.qml</file>
        <file>ui/qml/Pages2/PageProtocolWireGuardClientSettings.qml</file>
-        <file>ui/qml/Pages2/PageSetupWizardApiFreeInfo.qml</file>
-        <file>ui/qml/Pages2/PageSetupWizardApiPremiumInfo.qml</file>
-        <file>ui/qml/Pages2/PageSetupWizardApiTrialEmail.qml</file>
+        <file>ui/qml/Pages2/PageSetupWizardApiServiceInfo.qml</file>
        <file>ui/qml/Pages2/PageSetupWizardApiServicesList.qml</file>
        <file>ui/qml/Pages2/PageSetupWizardConfigSource.qml</file>
        <file>ui/qml/Pages2/PageSetupWizardCredentials.qml</file>
@@ -35,12 +35,13 @@ SecureQSettings::SecureQSettings(const QString &organization, const QString &app
            }
        }
        m_settings.setValue("Conf/encrypted", true);
+        m_settings.sync();
    }
 }

 QVariant SecureQSettings::value(const QString &key, const QVariant &defaultValue) const
 {
-    QMutexLocker locker(&m_mutex);
+    QMutexLocker locker(&mutex);

    if (m_cache.contains(key)) {
        return m_cache.value(key);
@@ -84,7 +85,7 @@ QVariant SecureQSettings::value(const QString &key, const QVariant &defaultValue

 void SecureQSettings::setValue(const QString &key, const QVariant &value)
 {
-    QMutexLocker locker(&m_mutex);
+    QMutexLocker locker(&mutex);

    if (encryptionRequired() && encryptedKeys.contains(key)) {
        if (!getEncKey().isEmpty() && !getEncIv().isEmpty()) {
@@ -106,20 +107,26 @@ void SecureQSettings::setValue(const QString &key, const QVariant &value)
    }

    m_cache.insert(key, value);
+    sync();
 }

 void SecureQSettings::remove(const QString &key)
 {
-    QMutexLocker locker(&m_mutex);
+    QMutexLocker locker(&mutex);

    m_settings.remove(key);
    m_cache.remove(key);
+
+    sync();
+}
+
+void SecureQSettings::sync()
+{
+    m_settings.sync();
 }

 QByteArray SecureQSettings::backupAppConfig() const
 {
-    QMutexLocker locker(&m_mutex);
-
    QJsonObject cfg;

    const auto needToBackup = [this](const auto &key) {
@@ -154,8 +161,6 @@ QByteArray SecureQSettings::backupAppConfig() const

 bool SecureQSettings::restoreAppConfig(const QByteArray &json)
 {
-    QMutexLocker locker(&m_mutex);
-
    QJsonObject cfg = QJsonDocument::fromJson(json).object();
    if (cfg.isEmpty())
        return false;
@@ -168,16 +173,10 @@ bool SecureQSettings::restoreAppConfig(const QByteArray &json)
        setValue(key, cfg.value(key).toVariant());
    }

+    sync();
    return true;
 }

-void SecureQSettings::clearSettings()
-{
-    QMutexLocker locker(&m_mutex);
-    m_settings.clear();
-    m_cache.clear();
-}
-
 QByteArray SecureQSettings::encryptText(const QByteArray &value) const
 {
    QSimpleCrypto::QBlockCipher cipher;
@@ -295,3 +294,11 @@ void SecureQSettings::setSecTag(const QString &tag, const QByteArray &data)
        qCritical() << "SecureQSettings::setSecTag Error:" << job->errorString();
    }
 }
+
+void SecureQSettings::clearSettings()
+{
+    QMutexLocker locker(&mutex);
+    m_settings.clear();
+    m_cache.clear();
+    sync();
+}
@@ -16,16 +16,14 @@ public:
    explicit SecureQSettings(const QString &organization, const QString &application = QString(),
                             QObject *parent = nullptr);

-    QVariant value(const QString &key, const QVariant &defaultValue = QVariant()) const;
-    void setValue(const QString &key, const QVariant &value);
+    Q_INVOKABLE QVariant value(const QString &key, const QVariant &defaultValue = QVariant()) const;
+    Q_INVOKABLE void setValue(const QString &key, const QVariant &value);
    void remove(const QString &key);
+    void sync();

    QByteArray backupAppConfig() const;
    bool restoreAppConfig(const QByteArray &json);

-    void clearSettings();
-
-private:
    QByteArray encryptText(const QByteArray &value) const;
    QByteArray decryptText(const QByteArray &ba) const;

@@ -37,6 +35,9 @@ private:
    static QByteArray getSecTag(const QString &tag);
    static void setSecTag(const QString &tag, const QByteArray &data);

+    void clearSettings();
+
+private:
    QSettings m_settings;

    mutable QHash<QString, QVariant> m_cache;
@@ -52,7 +53,7 @@ private:

    const QByteArray magicString { "EncData" }; // Magic keyword used for mark encrypted QByteArray

-    mutable QRecursiveMutex m_mutex;
+    mutable QMutex mutex;
 };

 #endif // SECUREQSETTINGS_H
@@ -21,5 +21,4 @@ if [ "$(systemctl is-active docker)" != "active" ]; then \
  sleep 5; sudo systemctl start docker; sleep 5;\
 fi;\
 if ! command -v sudo > /dev/null 2>&1; then echo "Failed to install sudo, command not found"; exit 1; fi;\
-docker --version;\
-uname -sr
+docker --version
@@ -1,5 +1,5 @@
 sudo docker ps -a | grep amnezia | awk '{print $1}' | xargs sudo docker stop;\
 sudo docker ps -a | grep amnezia | awk '{print $1}' | xargs sudo docker rm -fv;\
-sudo docker images -a --format table | grep amnezia | awk '{print $3, $1 ":" $2}' | xargs sudo docker rmi;\
+sudo docker images -a --format table | grep amnezia | awk '{print $3}' | xargs sudo docker rmi;\
 sudo docker network ls | grep amnezia-dns-net | awk '{print $1}' | xargs sudo docker network rm;\
 sudo rm -frd /opt/amnezia
@@ -1,4 +1,4 @@
-FROM 3proxy/3proxy:0.9.5
+FROM 3proxy/3proxy:latest

 LABEL maintainer="AmneziaVPN" 

@@ -7,4 +7,4 @@ RUN echo -e "#!/bin/bash\ntail -f /dev/null" > /opt/amnezia/start.sh
 RUN chmod a+x /opt/amnezia/start.sh

 ENTRYPOINT [ "/bin/sh", "/opt/amnezia/start.sh" ]
-CMD [ "" ]
+CMD [ "" ]
@@ -15,17 +15,16 @@ namespace
    const char cloudFlareNs2[] = "1.0.0.1";

    constexpr char gatewayEndpoint[] = "http://gw.amnezia.org:80/";
-    constexpr char proxyUrlsKey[] = "Conf/proxyUrls/";
 }

 Settings::Settings(QObject *parent) : QObject(parent), m_settings(ORGANIZATION_NAME, APPLICATION_NAME, this)
 {
    // Import old settings
    if (serversCount() == 0) {
-        QString user = m_settings.value("Server/userName").toString();
-        QString password = m_settings.value("Server/password").toString();
-        QString serverName = m_settings.value("Server/serverName").toString();
-        int port = m_settings.value("Server/serverPort").toInt();
+        QString user = value("Server/userName").toString();
+        QString password = value("Server/password").toString();
+        QString serverName = value("Server/serverName").toString();
+        int port = value("Server/serverPort").toInt();

        if (!user.isEmpty() && !password.isEmpty() && !serverName.isEmpty()) {
            QJsonObject server;
@@ -223,7 +222,7 @@ QString Settings::nextAvailableServerName() const

 void Settings::setSaveLogs(bool enabled)
 {
-    m_settings.setValue("Conf/saveLogs", enabled);
+    setValue("Conf/saveLogs", enabled);
 #ifndef Q_OS_ANDROID
    if (!isSaveLogs()) {
        Logger::deInit();
@@ -243,12 +242,12 @@ void Settings::setSaveLogs(bool enabled)

 QDateTime Settings::getLogEnableDate()
 {
-    return m_settings.value("Conf/logEnableDate").toDateTime();
+    return value("Conf/logEnableDate").toDateTime();
 }

 void Settings::setLogEnableDate(QDateTime date)
 {
-    m_settings.setValue("Conf/logEnableDate", date);
+    setValue("Conf/logEnableDate", date);
 }

 QString Settings::routeModeString(RouteMode mode) const
@@ -262,17 +261,17 @@ QString Settings::routeModeString(RouteMode mode) const

 Settings::RouteMode Settings::routeMode() const
 {
-    return static_cast<RouteMode>(m_settings.value("Conf/routeMode", 0).toInt());
+    return static_cast<RouteMode>(value("Conf/routeMode", 0).toInt());
 }

 bool Settings::isSitesSplitTunnelingEnabled() const
 {
-    return m_settings.value("Conf/sitesSplitTunnelingEnabled", false).toBool();
+    return value("Conf/sitesSplitTunnelingEnabled", false).toBool();
 }

 void Settings::setSitesSplitTunnelingEnabled(bool enabled)
 {
-    m_settings.setValue("Conf/sitesSplitTunnelingEnabled", enabled);
+    setValue("Conf/sitesSplitTunnelingEnabled", enabled);
 }

 bool Settings::addVpnSite(RouteMode mode, const QString &site, const QString &ip)
@@ -360,12 +359,12 @@ void Settings::removeAllVpnSites(RouteMode mode)

 QString Settings::primaryDns() const
 {
-    return m_settings.value("Conf/primaryDns", cloudFlareNs1).toString();
+    return value("Conf/primaryDns", cloudFlareNs1).toString();
 }

 QString Settings::secondaryDns() const
 {
-    return m_settings.value("Conf/secondaryDns", cloudFlareNs2).toString();
+    return value("Conf/secondaryDns", cloudFlareNs2).toString();
 }

 void Settings::clearSettings()
@@ -387,18 +386,18 @@ QString Settings::appsRouteModeString(AppsRouteMode mode) const

 Settings::AppsRouteMode Settings::getAppsRouteMode() const
 {
-    return static_cast<AppsRouteMode>(m_settings.value("Conf/appsRouteMode", 0).toInt());
+    return static_cast<AppsRouteMode>(value("Conf/appsRouteMode", 0).toInt());
 }

 void Settings::setAppsRouteMode(AppsRouteMode mode)
 {
-    m_settings.setValue("Conf/appsRouteMode", mode);
+    setValue("Conf/appsRouteMode", mode);
 }

 QVector<InstalledAppInfo> Settings::getVpnApps(AppsRouteMode mode) const
 {
    QVector<InstalledAppInfo> apps;
-    auto appsArray = m_settings.value("Conf/" + appsRouteModeString(mode)).toJsonArray();
+    auto appsArray = value("Conf/" + appsRouteModeString(mode)).toJsonArray();
    for (const auto &app : appsArray) {
        InstalledAppInfo appInfo;
        appInfo.appName = app.toObject().value("appName").toString();
@@ -420,42 +419,43 @@ void Settings::setVpnApps(AppsRouteMode mode, const QVector<InstalledAppInfo> &a
        appInfo.insert("appPath", app.appPath);
        appsArray.push_back(appInfo);
    }
-    m_settings.setValue("Conf/" + appsRouteModeString(mode), appsArray);
+    setValue("Conf/" + appsRouteModeString(mode), appsArray);
+    m_settings.sync();
 }

 bool Settings::isAppsSplitTunnelingEnabled() const
 {
-    return m_settings.value("Conf/appsSplitTunnelingEnabled", false).toBool();
+    return value("Conf/appsSplitTunnelingEnabled", false).toBool();
 }

 void Settings::setAppsSplitTunnelingEnabled(bool enabled)
 {
-    m_settings.setValue("Conf/appsSplitTunnelingEnabled", enabled);
+    setValue("Conf/appsSplitTunnelingEnabled", enabled);
 }

 bool Settings::isKillSwitchEnabled() const
 {
-    return m_settings.value("Conf/killSwitchEnabled", true).toBool();
+    return value("Conf/killSwitchEnabled", true).toBool();
 }

 void Settings::setKillSwitchEnabled(bool enabled)
 {
-    m_settings.setValue("Conf/killSwitchEnabled", enabled);
+    setValue("Conf/killSwitchEnabled", enabled);
 }

 bool Settings::isStrictKillSwitchEnabled() const
 {
-    return m_settings.value("Conf/strictKillSwitchEnabled", false).toBool();
+    return value("Conf/strictKillSwitchEnabled", false).toBool();
 }

 void Settings::setStrictKillSwitchEnabled(bool enabled)
 {
-    m_settings.setValue("Conf/strictKillSwitchEnabled", enabled);
+    setValue("Conf/strictKillSwitchEnabled", enabled);
 }

 QString Settings::getInstallationUuid(const bool needCreate)
 {
-    auto uuid = m_settings.value("Conf/installationUuid", "").toString();
+    auto uuid = value("Conf/installationUuid", "").toString();
    if (needCreate && uuid.isEmpty()) {
        uuid = QUuid::createUuid().toString();

@@ -476,7 +476,7 @@ QString Settings::getInstallationUuid(const bool needCreate)

 void Settings::setInstallationUuid(const QString &uuid)
 {
-    m_settings.setValue("Conf/installationUuid", uuid);
+    setValue("Conf/installationUuid", uuid);
 }

 ServerCredentials Settings::defaultServerCredentials() const
@@ -497,6 +497,28 @@ ServerCredentials Settings::serverCredentials(int index) const
    return credentials;
 }

+QVariant Settings::value(const QString &key, const QVariant &defaultValue) const
+{
+    QVariant returnValue;
+    if (QThread::currentThread() == QCoreApplication::instance()->thread()) {
+        returnValue = m_settings.value(key, defaultValue);
+    } else {
+        QMetaObject::invokeMethod(&m_settings, "value", Qt::BlockingQueuedConnection, Q_RETURN_ARG(QVariant, returnValue),
+                                  Q_ARG(const QString &, key), Q_ARG(const QVariant &, defaultValue));
+    }
+    return returnValue;
+}
+
+void Settings::setValue(const QString &key, const QVariant &value)
+{
+    if (QThread::currentThread() == QCoreApplication::instance()->thread()) {
+        m_settings.setValue(key, value);
+    } else {
+        QMetaObject::invokeMethod(&m_settings, "setValue", Qt::BlockingQueuedConnection, Q_ARG(const QString &, key),
+                                  Q_ARG(const QVariant &, value));
+    }
+}
+
 void Settings::resetGatewayEndpoint()
 {
    m_gatewayEndpoint = gatewayEndpoint;
@@ -519,68 +541,50 @@ QString Settings::getGatewayEndpoint(bool isTestPurchase)

 bool Settings::isDevGatewayEnv(bool isTestPurchase)
 {
-    return isTestPurchase ? true : m_settings.value("Conf/devGatewayEnv", false).toBool();
+    return isTestPurchase ? true : value("Conf/devGatewayEnv", false).toBool();
 }

 void Settings::toggleDevGatewayEnv(bool enabled)
 {
-    m_settings.setValue("Conf/devGatewayEnv", enabled);
-}
-
-QByteArray Settings::readGatewayProxyUrls(const QString &cacheKey) const
-{
-    if (cacheKey.isEmpty()) {
-        return {};
-    }
-
-    return m_settings.value(QString(proxyUrlsKey) + cacheKey).toByteArray();
-}
-
-void Settings::writeGatewayProxyUrls(const QString &cacheKey, const QByteArray &proxyUrlsEncrypted)
-{
-    if (cacheKey.isEmpty()) {
-        return;
-    }
-
-    m_settings.setValue(QString(proxyUrlsKey) + cacheKey, proxyUrlsEncrypted);
+    setValue("Conf/devGatewayEnv", enabled);
 }

 bool Settings::isHomeAdLabelVisible()
 {
-    return m_settings.value("Conf/homeAdLabelVisible", true).toBool();
+    return value("Conf/homeAdLabelVisible", true).toBool();
 }

 void Settings::disableHomeAdLabel()
 {
-    m_settings.setValue("Conf/homeAdLabelVisible", false);
+    setValue("Conf/homeAdLabelVisible", false);
 }

 bool Settings::isPremV1MigrationReminderActive()
 {
-    return m_settings.value("Conf/premV1MigrationReminderActive", true).toBool();
+    return value("Conf/premV1MigrationReminderActive", true).toBool();
 }

 void Settings::disablePremV1MigrationReminder()
 {
-    m_settings.setValue("Conf/premV1MigrationReminderActive", false);
+    setValue("Conf/premV1MigrationReminderActive", false);
 }

 QStringList Settings::allowedDnsServers() const
 {
-    return m_settings.value("Conf/allowedDnsServers").toStringList();
+    return value("Conf/allowedDnsServers").toStringList();
 }

 void Settings::setAllowedDnsServers(const QStringList &servers)
 {
-    m_settings.setValue("Conf/allowedDnsServers", servers);
+    setValue("Conf/allowedDnsServers", servers);
 }

 QStringList Settings::readNewsIds() const
 {
-    return m_settings.value("News/readIds").toStringList();
+    return value("News/readIds").toStringList();
 }

 void Settings::setReadNewsIds(const QStringList &ids)
 {
-    m_settings.setValue("News/readIds", ids);
+    setValue("News/readIds", ids);
 }
@@ -4,7 +4,6 @@
 #include <QObject>
 #include <QSettings>
 #include <QString>
-#include <QByteArray>

 #include <QJsonArray>
 #include <QJsonDocument>
@@ -30,11 +29,11 @@ public:

    QJsonArray serversArray() const
    {
-        return QJsonDocument::fromJson(m_settings.value("Servers/serversList").toByteArray()).array();
+        return QJsonDocument::fromJson(value("Servers/serversList").toByteArray()).array();
    }
    void setServersArray(const QJsonArray &servers)
    {
-        m_settings.setValue("Servers/serversList", QJsonDocument(servers).toJson());
+        setValue("Servers/serversList", QJsonDocument(servers).toJson());
    }

    // Servers section
@@ -46,11 +45,11 @@ public:

    int defaultServerIndex() const
    {
-        return m_settings.value("Servers/defaultServerIndex", 0).toInt();
+        return value("Servers/defaultServerIndex", 0).toInt();
    }
    void setDefaultServer(int index)
    {
-        m_settings.setValue("Servers/defaultServerIndex", index);
+        setValue("Servers/defaultServerIndex", index);
    }
    QJsonObject defaultServer() const
    {
@@ -79,34 +78,25 @@ public:
    // App settings section
    bool isAutoConnect() const
    {
-        return m_settings.value("Conf/autoConnect", false).toBool();
+        return value("Conf/autoConnect", false).toBool();
    }
    void setAutoConnect(bool enabled)
    {
-        m_settings.setValue("Conf/autoConnect", enabled);
+        setValue("Conf/autoConnect", enabled);
    }

    bool isStartMinimized() const
    {
-        return m_settings.value("Conf/startMinimized", false).toBool();
+        return value("Conf/startMinimized", false).toBool();
    }
    void setStartMinimized(bool enabled)
    {
-        m_settings.setValue("Conf/startMinimized", enabled);
-    }
-
-    bool isNewsNotifications() const
-    {
-        return m_settings.value("Conf/newsNotifications", true).toBool();
-    }
-    void setNewsNotifications(bool enabled)
-    {
-        m_settings.setValue("Conf/newsNotifications", enabled);
+        setValue("Conf/startMinimized", enabled);
    }

    bool isSaveLogs() const
    {
-        return m_settings.value("Conf/saveLogs", false).toBool();
+        return value("Conf/saveLogs", false).toBool();
    }
    void setSaveLogs(bool enabled);

@@ -123,18 +113,19 @@ public:
    QString routeModeString(RouteMode mode) const;

    RouteMode routeMode() const;
-    void setRouteMode(RouteMode mode) { m_settings.setValue("Conf/routeMode", mode); }
+    void setRouteMode(RouteMode mode) { setValue("Conf/routeMode", mode); }

    bool isSitesSplitTunnelingEnabled() const;
    void setSitesSplitTunnelingEnabled(bool enabled);

    QVariantMap vpnSites(RouteMode mode) const
    {
-        return m_settings.value("Conf/" + routeModeString(mode)).toMap();
+        return value("Conf/" + routeModeString(mode)).toMap();
    }
    void setVpnSites(RouteMode mode, const QVariantMap &sites)
    {
-        m_settings.setValue("Conf/" + routeModeString(mode), sites);
+        setValue("Conf/" + routeModeString(mode), sites);
+        m_settings.sync();
    }
    bool addVpnSite(RouteMode mode, const QString &site, const QString &ip = "");
    void addVpnSites(RouteMode mode, const QMap<QString, QString> &sites); // map <site, ip>
@@ -147,11 +138,11 @@ public:

    bool useAmneziaDns() const
    {
-        return m_settings.value("Conf/useAmneziaDns", true).toBool();
+        return value("Conf/useAmneziaDns", true).toBool();
    }
    void setUseAmneziaDns(bool enabled)
    {
-        m_settings.setValue("Conf/useAmneziaDns", enabled);
+        setValue("Conf/useAmneziaDns", enabled);
    }

    QString primaryDns() const;
@@ -160,13 +151,13 @@ public:
    // QString primaryDns() const { return m_primaryDns; }
    void setPrimaryDns(const QString &primaryDns)
    {
-        m_settings.setValue("Conf/primaryDns", primaryDns);
+        setValue("Conf/primaryDns", primaryDns);
    }

    // QString secondaryDns() const { return m_secondaryDns; }
    void setSecondaryDns(const QString &secondaryDns)
    {
-        m_settings.setValue("Conf/secondaryDns", secondaryDns);
+        setValue("Conf/secondaryDns", secondaryDns);
    }

    //    static constexpr char openNicNs5[] = "94.103.153.176";
@@ -188,16 +179,16 @@ public:
    };
    void setAppLanguage(QLocale locale)
    {
-        m_settings.setValue("Conf/appLanguage", locale.name());
+        setValue("Conf/appLanguage", locale.name());
    };

    bool isScreenshotsEnabled() const
    {
-        return m_settings.value("Conf/screenshotsEnabled", true).toBool();
+        return value("Conf/screenshotsEnabled", true).toBool();
    }
    void setScreenshotsEnabled(bool enabled)
    {
-        m_settings.setValue("Conf/screenshotsEnabled", enabled);
+        setValue("Conf/screenshotsEnabled", enabled);
        emit screenshotsEnabledChanged(enabled);
    }

@@ -235,8 +226,6 @@ public:
    QString getGatewayEndpoint(bool isTestPurchase = false);
    bool isDevGatewayEnv(bool isTestPurchase = false);
    void toggleDevGatewayEnv(bool enabled);
-    QByteArray readGatewayProxyUrls(const QString &cacheKey) const;
-    void writeGatewayProxyUrls(const QString &cacheKey, const QByteArray &proxyUrlsEncrypted);

    bool isHomeAdLabelVisible();
    void disableHomeAdLabel();
@@ -257,6 +246,9 @@ signals:
    void settingsCleared();

 private:
+    QVariant value(const QString &key, const QVariant &defaultValue = QVariant()) const;
+    void setValue(const QString &key, const QVariant &value);
+
    void setInstallationUuid(const QString &uuid);

    mutable SecureQSettings m_settings;
@@ -9,14 +9,9 @@
 #include "ui/controllers/systemController.h"
 #include "version.h"
 #include <QClipboard>
-#include <QCoreApplication>
 #include <QDebug>
 #include <QEventLoop>
-#include <QHash>
-#include <QJsonArray>
 #include <QSet>
-#include <QVariantMap>
-#include <limits>

 #include "platforms/ios/ios_controller.h"

@@ -44,15 +39,6 @@ namespace
        constexpr char serviceInfo[] = "service_info";
        constexpr char serviceProtocol[] = "service_protocol";

-        constexpr char services[] = "services";
-        constexpr char serviceDescription[] = "service_description";
-        constexpr char subscriptionPlans[] = "subscription_plans";
-        constexpr char storeProductId[] = "store_product_id";
-        constexpr char priceLabel[] = "price_label";
-        constexpr char subtitle[] = "subtitle";
-        constexpr char isTrial[] = "is_trial";
-        constexpr char minPriceLabel[] = "min_price_label";
-
        constexpr char apiPayload[] = "api_payload";
        constexpr char keyPayload[] = "key_payload";

@@ -61,6 +47,9 @@ namespace

        constexpr char config[] = "config";

+        constexpr char subscription[] = "subscription";
+        constexpr char endDate[] = "end_date";
+
        constexpr char isConnectEvent[] = "is_connect_event";
    }

@@ -252,190 +241,13 @@ namespace

        return ErrorCode::NoError;
    }
-
-#if defined(Q_OS_IOS) || defined(MACOS_NE)
-    struct StoreKitPlanQuote {
-        QString displayPrice;
-        double priceAmount = 0.0;
-        double subscriptionBillingMonths = 0.0;
-        QString displayPricePerMonth;
-    };
-
-    constexpr double kOneMonthThreshold = 1.0 + 1e-6;
-    constexpr double kMonthsFallbackThreshold = 1e-6;
-    constexpr double kMonthlyPriceEpsilon = 1e-9;
-
-    QStringList collectPremiumStoreProductIds(const QJsonArray &services)
-    {
-        QStringList productIds;
-        QSet<QString> seenProductIds;
-        for (const QJsonValue &serviceValue : services) {
-            const QJsonObject serviceObject = serviceValue.toObject();
-            if (serviceObject.value(configKey::serviceType).toString() != serviceType::amneziaPremium) {
-                continue;
-            }
-            const QJsonArray subscriptionPlans =
-                    serviceObject.value(configKey::serviceDescription).toObject().value(configKey::subscriptionPlans).toArray();
-            for (const QJsonValue &planValue : subscriptionPlans) {
-                if (!planValue.isObject()) {
-                    continue;
-                }
-                const QString storeProductId = planValue.toObject().value(configKey::storeProductId).toString();
-                if (storeProductId.isEmpty() || seenProductIds.contains(storeProductId)) {
-                    continue;
-                }
-                seenProductIds.insert(storeProductId);
-                productIds.append(storeProductId);
-            }
-        }
-        return productIds;
-    }
-
-    QHash<QString, StoreKitPlanQuote> buildStoreKitQuoteMap(const QList<QVariantMap> &fetchedProducts)
-    {
-        QHash<QString, StoreKitPlanQuote> quotesByProductId;
-        quotesByProductId.reserve(fetchedProducts.size());
-
-        for (const QVariantMap &productInfo : fetchedProducts) {
-            const QString productId = productInfo.value(QStringLiteral("productId")).toString();
-            if (productId.isEmpty()) {
-                continue;
-            }
-
-            QString displayPrice = productInfo.value(QStringLiteral("displayPrice")).toString();
-            if (displayPrice.isEmpty()) {
-                const QString price = productInfo.value(QStringLiteral("price")).toString();
-                const QString currencyCode = productInfo.value(QStringLiteral("currencyCode")).toString();
-                displayPrice = currencyCode.isEmpty() ? price : (price + QLatin1Char(' ') + currencyCode);
-            }
-
-            StoreKitPlanQuote quote;
-            quote.displayPrice = displayPrice;
-            quote.priceAmount = productInfo.value(QStringLiteral("priceAmount")).toDouble();
-            quote.subscriptionBillingMonths = productInfo.value(QStringLiteral("subscriptionBillingMonths")).toDouble();
-            quote.displayPricePerMonth = productInfo.value(QStringLiteral("displayPricePerMonth")).toString();
-            quotesByProductId.insert(productId, quote);
-        }
-
-        return quotesByProductId;
-    }
-
-    void mergeStoreKitPricesIntoPremiumPlans(QJsonObject &data)
-    {
-        QJsonArray services = data.value(configKey::services).toArray();
-        if (services.isEmpty()) {
-            return;
-        }
-
-        const QStringList productIds = collectPremiumStoreProductIds(services);
-        if (productIds.isEmpty()) {
-            qInfo().noquote() << "[IAP] No store_product_id in premium plans; skip StoreKit merge into services payload";
-            return;
-        }
-
-        QList<QVariantMap> fetchedProducts;
-        QEventLoop loop;
-        IosController::Instance()->fetchProducts(productIds,
-                                                 [&](const QList<QVariantMap> &products, const QStringList &invalidIds,
-                                                     const QString &errorString) {
-                                                     if (!errorString.isEmpty()) {
-                                                         qWarning().noquote() << "[IAP] StoreKit merge fetch:" << errorString;
-                                                     }
-                                                     if (!invalidIds.isEmpty()) {
-                                                         qWarning().noquote() << "[IAP] Unknown App Store product ids:" << invalidIds;
-                                                     }
-                                                     fetchedProducts = products;
-                                                     loop.quit();
-                                                 });
-        loop.exec();
-
-        const QHash<QString, StoreKitPlanQuote> quotesByProductId = buildStoreKitQuoteMap(fetchedProducts);
-
-        for (int serviceIndex = 0; serviceIndex < services.size(); ++serviceIndex) {
-            QJsonObject serviceObject = services.at(serviceIndex).toObject();
-            if (serviceObject.value(configKey::serviceType).toString() != serviceType::amneziaPremium) {
-                continue;
-            }
-
-            QJsonObject descriptionObject = serviceObject.value(configKey::serviceDescription).toObject();
-            const QJsonArray sourcePlans = descriptionObject.value(configKey::subscriptionPlans).toArray();
-
-            QJsonArray mergedPlans;
-            double minMonthlyAmount = std::numeric_limits<double>::infinity();
-            QString minMonthlyDisplay;
-
-            for (const QJsonValue &planValue : sourcePlans) {
-                if (!planValue.isObject()) {
-                    continue;
-                }
-
-                QJsonObject planObject = planValue.toObject();
-                const QString storeProductId = planObject.value(configKey::storeProductId).toString();
-                if (storeProductId.isEmpty()) {
-                    continue;
-                }
-
-                const auto quoteIterator = quotesByProductId.constFind(storeProductId);
-                if (quoteIterator == quotesByProductId.cend()) {
-                    continue;
-                }
-
-                const bool isTrialPlan = planObject.value(configKey::isTrial).toBool();
-                const StoreKitPlanQuote &quote = *quoteIterator;
-                planObject.insert(configKey::priceLabel, quote.displayPrice);
-
-                const double months = quote.subscriptionBillingMonths;
-                if (!isTrialPlan && months > kOneMonthThreshold && !quote.displayPricePerMonth.isEmpty()) {
-                    planObject.insert(
-                            configKey::subtitle,
-                            QCoreApplication::translate("ApiConfigsController", "%1/mo", "IAP: price per month in plan subtitle")
-                                    .arg(quote.displayPricePerMonth));
-                }
-
-                if (!isTrialPlan && quote.priceAmount > 0.0) {
-                    const double monthsForMin = months > kMonthsFallbackThreshold ? months : 1.0;
-                    const double monthly = quote.priceAmount / monthsForMin;
-                    if (monthly < minMonthlyAmount - kMonthlyPriceEpsilon) {
-                        minMonthlyAmount = monthly;
-                        minMonthlyDisplay = !quote.displayPricePerMonth.isEmpty() ? quote.displayPricePerMonth : quote.displayPrice;
-                    }
-                }
-
-                mergedPlans.append(planObject);
-            }
-
-            descriptionObject.insert(configKey::subscriptionPlans, mergedPlans);
-            if (minMonthlyAmount < std::numeric_limits<double>::infinity() && !minMonthlyDisplay.isEmpty()) {
-                descriptionObject.insert(configKey::minPriceLabel,
-                                         QCoreApplication::translate("ApiConfigsController", "from %1 per month",
-                                                                     "IAP: card footer minimum monthly price from StoreKit")
-                                                 .arg(minMonthlyDisplay));
-            }
-            serviceObject.insert(configKey::serviceDescription, descriptionObject);
-            services.replace(serviceIndex, serviceObject);
-        }
-        data.insert(configKey::services, services);
-    }
-#endif
 }

 ApiConfigsController::ApiConfigsController(const QSharedPointer<ServersModel> &serversModel,
                                           const QSharedPointer<ApiServicesModel> &apiServicesModel,
-                                           const QSharedPointer<ApiSubscriptionPlansModel> &subscriptionPlansModel,
-                                           const QSharedPointer<ApiBenefitsModel> &benefitsModel,
                                           const std::shared_ptr<Settings> &settings, QObject *parent)
-    : QObject(parent)
-    , m_serversModel(serversModel)
-    , m_apiServicesModel(apiServicesModel)
-    , m_subscriptionPlansModel(subscriptionPlansModel)
-    , m_benefitsModel(benefitsModel)
-    , m_settings(settings)
+    : QObject(parent), m_serversModel(serversModel), m_apiServicesModel(apiServicesModel), m_settings(settings)
 {
-    connect(m_apiServicesModel.data(), &ApiServicesModel::serviceSelectionChanged, this, [this]() {
-        const ApiServicesModel::ApiServicesData serviceData = m_apiServicesModel->selectedServiceData();
-        m_subscriptionPlansModel->updateModel(serviceData.subscriptionPlansJson);
-        m_benefitsModel->updateModel(serviceData.benefits);
-    });
 }

 bool ApiConfigsController::exportVpnKey(const QString &fileName)
@@ -554,8 +366,6 @@ bool ApiConfigsController::fillAvailableServices()
 {
    QJsonObject apiPayload;
    apiPayload[configKey::osVersion] = QSysInfo::productType();
-    apiPayload[configKey::appVersion] = QString(APP_VERSION);
-    apiPayload[apiDefs::key::cliName] = QString(APPLICATION_NAME);
    apiPayload[apiDefs::key::appLanguage] = m_settings->getAppLanguage().name().split("_").first();

    QByteArray responseBody;
@@ -572,11 +382,6 @@ bool ApiConfigsController::fillAvailableServices()
    }

    QJsonObject data = QJsonDocument::fromJson(responseBody).object();
-
-#if defined(Q_OS_IOS) || defined(MACOS_NE)
-    mergeStoreKitPricesIntoPremiumPlans(data);
-#endif
-
    m_apiServicesModel->updateModel(data);
    if (m_apiServicesModel->rowCount() > 0) {
        m_apiServicesModel->setServiceIndex(0);
@@ -587,42 +392,39 @@ bool ApiConfigsController::fillAvailableServices()
 bool ApiConfigsController::importService()
 {
 #if defined(Q_OS_IOS) || defined(MACOS_NE)
-    const bool isIosOrMacOsNe = true;
+    bool isIosOrMacOsNe = true;
 #else
-    const bool isIosOrMacOsNe = false;
+    bool isIosOrMacOsNe = false;
 #endif

    if (m_apiServicesModel->getSelectedServiceType() == serviceType::amneziaPremium) {
        if (isIosOrMacOsNe) {
-            return importPremiumFromAppStore(QString());
+            importSerivceFromAppStore();
+            return true;
        }
-    } else if (m_apiServicesModel->getSelectedServiceType() == serviceType::amneziaFree) {
-        return importFreeFromGateway();
+    } else {
+        importServiceFromGateway();
+        return true;
    }
    return false;
 }

-bool ApiConfigsController::importPremiumFromAppStore(const QString &storeProductId)
+bool ApiConfigsController::importSerivceFromAppStore()
 {
 #if defined(Q_OS_IOS) || defined(MACOS_NE)
-    QString productId = storeProductId.trimmed();
-    if (productId.isEmpty()) {
-        productId = QStringLiteral("amnezia_premium_6_month");
-    }
-
    bool purchaseOk = false;
    QString originalTransactionId;
    QString storeTransactionId;
-    QString purchasedStoreProductId;
+    QString storeProductId;
    QString purchaseError;
    QEventLoop waitPurchase;
-    IosController::Instance()->purchaseProduct(productId,
-                                               [&](bool success, const QString &transactionId, const QString &purchasedProductId,
-                                                   const QString &originalTransactionIdResponse, const QString &errorString) {
+    IosController::Instance()->purchaseProduct(QStringLiteral("amnezia_premium_6_month"),
+                                               [&](bool success, const QString &txId, const QString &purchasedProductId,
+                                                   const QString &originalTxId, const QString &errorString) {
                                                   purchaseOk = success;
-                                                   originalTransactionId = originalTransactionIdResponse;
-                                                   storeTransactionId = transactionId;
-                                                   purchasedStoreProductId = purchasedProductId;
+                                                   originalTransactionId = originalTxId;
+                                                   storeTransactionId = txId;
+                                                   storeProductId = purchasedProductId;
                                                   purchaseError = errorString;
                                                   waitPurchase.quit();
                                               });
@@ -634,7 +436,7 @@ bool ApiConfigsController::importPremiumFromAppStore(const QString &storeProduct
        return false;
    }
    qInfo().noquote() << "[IAP] Purchase success. transactionId =" << storeTransactionId
-                      << "originalTransactionId =" << originalTransactionId << "productId =" << purchasedStoreProductId;
+                      << "originalTransactionId =" << originalTransactionId << "productId =" << storeProductId;

    GatewayRequestData gatewayRequestData { QSysInfo::productType(),
                                            QString(APP_VERSION),
@@ -658,26 +460,18 @@ bool ApiConfigsController::importPremiumFromAppStore(const QString &storeProduct
        return false;
    }

-    int duplicateServerIndex = -1;
-    errorCode = importServiceFromBilling(responseBody, isTestPurchase, duplicateServerIndex);
-    if (errorCode == ErrorCode::ApiConfigAlreadyAdded) {
-        emit installServerFromApiFinished(tr("This subscription has already been added"), duplicateServerIndex);
-        return true;
-    }
+    errorCode = importServiceFromBilling(responseBody, isTestPurchase);
    if (errorCode != ErrorCode::NoError) {
        emit errorOccurred(errorCode);
        return false;
    }
-    emit installServerFromApiFinished(
-            tr("%1 has been added to the app").arg(m_apiServicesModel->getSelectedServiceName()));
-    return true;
-#else
-    Q_UNUSED(storeProductId);
-    return false;
+
+    emit installServerFromApiFinished(tr("%1 installed successfully.").arg(m_apiServicesModel->getSelectedServiceName()));
 #endif
+    return true;
 }

-bool ApiConfigsController::restoreServiceFromAppStore()
+bool ApiConfigsController::restoreSerivceFromAppStore()
 {
 #if defined(Q_OS_IOS) || defined(MACOS_NE)
    const QString premiumServiceType = QStringLiteral("amnezia-premium");
@@ -693,12 +487,20 @@ bool ApiConfigsController::restoreServiceFromAppStore()
        return false;
    }

-    const int premiumServiceIndex = m_apiServicesModel->serviceIndexForType(premiumServiceType);
-    if (premiumServiceIndex < 0) {
+    // Ensure we have a valid premium selection for gateway requests
+    bool premiumSelected = false;
+    for (int i = 0; i < m_apiServicesModel->rowCount(); ++i) {
+        m_apiServicesModel->setServiceIndex(i);
+        if (m_apiServicesModel->getSelectedServiceType() == premiumServiceType) {
+            premiumSelected = true;
+            break;
+        }
+    }
+
+    if (!premiumSelected) {
        emit errorOccurred(ErrorCode::ApiServicesMissingError);
        return false;
    }
-    m_apiServicesModel->setServiceIndex(premiumServiceIndex);

    bool restoreSuccess = false;
    QList<QVariantMap> restoredTransactions;
@@ -720,23 +522,15 @@ bool ApiConfigsController::restoreServiceFromAppStore()
    }

    if (restoredTransactions.isEmpty()) {
-        qInfo().noquote() << "[IAP] Restore completed, but no active entitlements found";
-        emit errorOccurred(ErrorCode::ApiNoPurchasedSubscriptionsError);
+        qInfo().noquote() << "[IAP] Restore completed, but no transactions were returned";
+        emit errorOccurred(ErrorCode::ApiPurchaseError);
        return false;
    }

-    const bool isTestPurchase = IosController::Instance()->isTestFlight();
-    const QString serviceType = m_apiServicesModel->getSelectedServiceType();
-    const QString serviceProtocol = m_apiServicesModel->getSelectedServiceProtocol();
-    const QString countryCode = m_apiServicesModel->getCountryCode();
-    const QString appLanguage = m_settings->getAppLanguage().name().split("_").first();
-    const QString installationUuid = m_settings->getInstallationUuid(true);
-
    bool hasInstalledConfig = false;
    bool duplicateConfigAlreadyPresent = false;
-    int duplicateServerIndex = -1;
-    QSet<QString> processedOriginalTransactionIds;
-
+    int duplicateCount = 0;
+    QSet<QString> processedTransactions;
    for (const QVariantMap &transaction : restoredTransactions) {
        const QString originalTransactionId = transaction.value(QStringLiteral("originalTransactionId")).toString();
        const QString transactionId = transaction.value(QStringLiteral("transactionId")).toString();
@@ -747,28 +541,28 @@ bool ApiConfigsController::restoreServiceFromAppStore()
            continue;
        }

-        if (processedOriginalTransactionIds.contains(originalTransactionId)) {
-            qInfo().noquote() << "[IAP] Skipping duplicate restored transaction" << originalTransactionId;
+        if (processedTransactions.contains(originalTransactionId)) {
+            duplicateCount++;
            continue;
        }
-        processedOriginalTransactionIds.insert(originalTransactionId);
+        processedTransactions.insert(originalTransactionId);

        qInfo().noquote() << "[IAP] Restoring subscription. transactionId =" << transactionId
                          << "originalTransactionId =" << originalTransactionId << "productId =" << productId;

        GatewayRequestData gatewayRequestData { QSysInfo::productType(),
                                                QString(APP_VERSION),
-                                                appLanguage,
-                                                installationUuid,
-                                                countryCode,
+                                                m_settings->getAppLanguage().name().split("_").first(),
+                                                m_settings->getInstallationUuid(true),
+                                                m_apiServicesModel->getCountryCode(),
                                                "",
-                                                serviceType,
-                                                serviceProtocol,
+                                                m_apiServicesModel->getSelectedServiceType(),
+                                                m_apiServicesModel->getSelectedServiceProtocol(),
                                                QJsonObject() };

        QJsonObject apiPayload = gatewayRequestData.toJsonObject();
        apiPayload[apiDefs::key::transactionId] = originalTransactionId;
-
+        auto isTestPurchase = IosController::Instance()->isTestFlight();
        QByteArray responseBody;
        ErrorCode errorCode = executeRequest(QString("%1v1/subscriptions"), apiPayload, responseBody, isTestPurchase);
        if (errorCode != ErrorCode::NoError) {
@@ -777,42 +571,34 @@ bool ApiConfigsController::restoreServiceFromAppStore()
            continue;
        }

-        int currentDuplicateServerIndex = -1;
-        errorCode = importServiceFromBilling(responseBody, isTestPurchase, currentDuplicateServerIndex);
+        ErrorCode installError = importServiceFromBilling(responseBody, isTestPurchase);
        if (errorCode == ErrorCode::ApiConfigAlreadyAdded) {
            duplicateConfigAlreadyPresent = true;
-            if (duplicateServerIndex < 0) {
-                duplicateServerIndex = currentDuplicateServerIndex;
-            }
-            qInfo().noquote() << "[IAP] Subscription config with the same vpn_key already exists" << originalTransactionId;
-            continue;
+            qInfo().noquote() << "[IAP] Skipping restored transaction" << originalTransactionId
+                              << "because subscription config with the same vpn_key already exists";
+        } else if (errorCode != ErrorCode::NoError) {
+            qWarning().noquote() << "[IAP] Failed to process restored subscription response for transaction" << originalTransactionId;
+        } else {
+            hasInstalledConfig = true;
        }
-
-        if (errorCode != ErrorCode::NoError) {
-            qWarning().noquote() << "[IAP] Failed to process restored subscription response for transaction" << originalTransactionId
-                                 << "errorCode =" << static_cast<int>(errorCode);
-            continue;
-        }
-
-        hasInstalledConfig = true;
    }

    if (!hasInstalledConfig) {
-        if (duplicateConfigAlreadyPresent) {
-            emit installServerFromApiFinished(tr("This subscription has already been added"), duplicateServerIndex);
-            return true;
-        }
-
-        emit errorOccurred(ErrorCode::ApiPurchaseError);
+        const ErrorCode restoreError = duplicateConfigAlreadyPresent ? ErrorCode::ApiConfigAlreadyAdded : ErrorCode::ApiPurchaseError;
+        emit errorOccurred(restoreError);
        return false;
    }

    emit installServerFromApiFinished(tr("Subscription restored successfully."));
+    if (duplicateCount > 0) {
+        qInfo().noquote() << "[IAP] Skipped" << duplicateCount
+                          << "duplicate restored transactions for original transaction IDs already processed";
+    }
 #endif
    return true;
 }

-bool ApiConfigsController::importFreeFromGateway()
+bool ApiConfigsController::importServiceFromGateway()
 {
    GatewayRequestData gatewayRequestData { QSysInfo::productType(),
                                            QString(APP_VERSION),
@@ -864,72 +650,6 @@ bool ApiConfigsController::importFreeFromGateway()
    }
 }

-bool ApiConfigsController::importTrialFromGateway(const QString &email)
-{
-    emit trialEmailError(QString());
-
-    const QString trimmedEmail = email.trimmed();
-    if (trimmedEmail.isEmpty()) {
-        emit errorOccurred(ErrorCode::ApiConfigEmptyError);
-        return false;
-    }
-
-    GatewayRequestData gatewayRequestData { QSysInfo::productType(),
-                                            QString(APP_VERSION),
-                                            m_settings->getAppLanguage().name().split("_").first(),
-                                            m_settings->getInstallationUuid(true),
-                                            m_apiServicesModel->getCountryCode(),
-                                            "",
-                                            m_apiServicesModel->getSelectedServiceType(),
-                                            m_apiServicesModel->getSelectedServiceProtocol(),
-                                            QJsonObject() };
-
-    ProtocolData protocolData = generateProtocolData(gatewayRequestData.serviceProtocol);
-
-    QJsonObject apiPayload = gatewayRequestData.toJsonObject();
-    appendProtocolDataToApiPayload(gatewayRequestData.serviceProtocol, protocolData, apiPayload);
-    apiPayload.insert(apiDefs::key::email, trimmedEmail);
-
-    QByteArray responseBody;
-    ErrorCode errorCode = executeRequest(QString("%1v1/trial"), apiPayload, responseBody);
-    if (errorCode != ErrorCode::NoError) {
-        if (errorCode == ErrorCode::ApiTrialAlreadyUsedError) {
-            emit trialEmailError(tr("This email address has already been used to activate a trial. If you like the service, you can upgrade to Premium"));
-            return false;
-        }
-        emit errorOccurred(errorCode);
-        return false;
-    }
-
-    QJsonObject responseObject = QJsonDocument::fromJson(responseBody).object();
-    QString key = responseObject.value(apiDefs::key::config).toString();
-    if (key.isEmpty()) {
-        qWarning().noquote() << "[Trial] trial response does not contain config field";
-        emit errorOccurred(ErrorCode::ApiConfigEmptyError);
-        return false;
-    }
-
-    key.replace(QStringLiteral("vpn://"), QString());
-    QByteArray configBytes = QByteArray::fromBase64(key.toUtf8(), QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
-    QByteArray uncompressed = qUncompress(configBytes);
-    if (!uncompressed.isEmpty()) {
-        configBytes = uncompressed;
-    }
-    if (configBytes.isEmpty()) {
-        qWarning().noquote() << "[Trial] trial response config payload is empty";
-        emit errorOccurred(ErrorCode::ApiConfigEmptyError);
-        return false;
-    }
-
-    QJsonObject configObject = QJsonDocument::fromJson(configBytes).object();
-    quint16 crc = qChecksum(QJsonDocument(configObject).toJson());
-    configObject.insert(config_key::crc, crc);
-    m_serversModel->addServer(configObject);
-
-    emit installServerFromApiFinished(tr("%1 installed successfully.").arg(m_apiServicesModel->getSelectedServiceName()));
-    return true;
-}
-
 bool ApiConfigsController::updateServiceFromGateway(const int serverIndex, const QString &newCountryCode, const QString &newCountryName,
                                                    bool reloadServiceConfig)
 {
@@ -956,7 +676,6 @@ bool ApiConfigsController::updateServiceFromGateway(const int serverIndex, const
    }

    bool isTestPurchase = apiConfig.value(apiDefs::key::isTestPurchase).toBool(false);
-    bool wasSubscriptionExpired = m_serversModel->data(serverIndex, ServersModel::IsSubscriptionExpiredRole).toBool();
    QByteArray responseBody;
    ErrorCode errorCode = executeRequest(QString("%1v1/config"), apiPayload, responseBody, isTestPurchase);

@@ -973,12 +692,6 @@ bool ApiConfigsController::updateServiceFromGateway(const int serverIndex, const
        newApiConfig.insert(configKey::serviceType, apiConfig.value(configKey::serviceType));
        newApiConfig.insert(configKey::serviceProtocol, apiConfig.value(configKey::serviceProtocol));
        newApiConfig.insert(apiDefs::key::vpnKey, apiConfig.value(apiDefs::key::vpnKey));
-        if (apiConfig.contains(apiDefs::key::isInAppPurchase)) {
-            newApiConfig.insert(apiDefs::key::isInAppPurchase, apiConfig.value(apiDefs::key::isInAppPurchase));
-        }
-        if (apiConfig.contains(apiDefs::key::isTestPurchase)) {
-            newApiConfig.insert(apiDefs::key::isTestPurchase, apiConfig.value(apiDefs::key::isTestPurchase));
-        }

        newServerConfig.insert(configKey::apiConfig, newApiConfig);
        newServerConfig.insert(configKey::authData, gatewayRequestData.authData);
@@ -989,11 +702,6 @@ bool ApiConfigsController::updateServiceFromGateway(const int serverIndex, const
            newServerConfig.insert(config_key::nameOverriddenByUser, true);
        }
        m_serversModel->editServer(newServerConfig, serverIndex);
-
-        if (wasSubscriptionExpired) {
-            emit subscriptionRefreshNeeded();
-        }
-
        if (reloadServiceConfig) {
            emit reloadServerFromApiFinished(tr("API config reloaded"));
        } else if (newCountryName.isEmpty()) {
@@ -1003,18 +711,7 @@ bool ApiConfigsController::updateServiceFromGateway(const int serverIndex, const
        }
        return true;
    } else {
-        if (errorCode == ErrorCode::ApiSubscriptionExpiredError) {
-            if (!apiConfig.value(apiDefs::key::isInAppPurchase).toBool(false)) {
-                apiConfig.insert(apiDefs::key::subscriptionExpiredByServer, true);
-                serverConfig.insert(configKey::apiConfig, apiConfig);
-                m_serversModel->editServer(serverConfig, serverIndex);
-                emit subscriptionExpiredOnServer();
-            } else {
-                emit errorOccurred(errorCode);
-            }
-        } else {
-            emit errorOccurred(errorCode);
-        }
+        emit errorOccurred(errorCode);
        return false;
    }
 }
@@ -1027,7 +724,7 @@ bool ApiConfigsController::updateServiceFromTelegram(const int serverIndex)
 #endif

    GatewayController gatewayController(m_settings->getGatewayEndpoint(), m_settings->isDevGatewayEnv(), apiDefs::requestTimeoutMsecs,
-                                        m_settings->isStrictKillSwitchEnabled(), m_settings);
+                                        m_settings->isStrictKillSwitchEnabled());

    auto serverConfig = m_serversModel->getServerConfig(serverIndex);
    auto installationUuid = m_settings->getInstallationUuid(true);
@@ -1200,63 +897,43 @@ QString ApiConfigsController::getVpnKey()
    return m_vpnKey;
 }

-ErrorCode ApiConfigsController::importServiceFromBilling(const QByteArray &responseBody, const bool isTestPurchase,
-                                                         int &duplicateServerIndex)
+ErrorCode ApiConfigsController::importServiceFromBilling(const QByteArray &responseBody, const bool isTestPurchase)
 {
-#if defined(Q_OS_IOS) || defined(MACOS_NE)
-    duplicateServerIndex = -1;
+#ifdef Q_OS_IOS
    QJsonObject responseObject = QJsonDocument::fromJson(responseBody).object();
-    const QString rawVpnKey = responseObject.value(QStringLiteral("key")).toString();
-    if (rawVpnKey.isEmpty()) {
+    QString key = responseObject.value(QStringLiteral("key")).toString();
+    if (key.isEmpty()) {
        qWarning().noquote() << "[IAP] Subscription response does not contain a key field";
        return ErrorCode::ApiPurchaseError;
    }

-    QString normalizedVpnKey = rawVpnKey;
-    normalizedVpnKey.replace(QStringLiteral("vpn://"), QString());
-
-    duplicateServerIndex = m_serversModel->indexOfServerWithVpnKey(normalizedVpnKey);
-    if (duplicateServerIndex >= 0) {
+    if (m_serversModel->hasServerWithVpnKey(key)) {
        qInfo().noquote() << "[IAP] Subscription config with the same vpn_key already exists";
        return ErrorCode::ApiConfigAlreadyAdded;
    }

-    QByteArray configPayload =
-            QByteArray::fromBase64(normalizedVpnKey.toUtf8(), QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
-    QByteArray configUncompressed = qUncompress(configPayload);
-    const bool payloadWasCompressed = !configUncompressed.isEmpty();
-    if (payloadWasCompressed) {
-        configPayload = configUncompressed;
+    QString normalizedKey = key;
+    normalizedKey.replace(QStringLiteral("vpn://"), QString());
+
+    QByteArray configString = QByteArray::fromBase64(normalizedKey.toUtf8(), QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
+    QByteArray configUncompressed = qUncompress(configString);
+    if (!configUncompressed.isEmpty()) {
+        configString = configUncompressed;
    }

-    if (configPayload.isEmpty()) {
+    if (configString.isEmpty()) {
        qWarning().noquote() << "[IAP] Subscription response config payload is empty";
        return ErrorCode::ApiPurchaseError;
    }

-    QJsonObject configObject = QJsonDocument::fromJson(configPayload).object();
-
-    auto apiConfig = configObject.value(apiDefs::key::apiConfig).toObject();
-    apiConfig.insert(apiDefs::key::isTestPurchase, isTestPurchase);
-    apiConfig.insert(apiDefs::key::isInAppPurchase, true);
-    configObject.insert(apiDefs::key::apiConfig, apiConfig);
-
-    configPayload = QJsonDocument(configObject).toJson();
-    if (payloadWasCompressed) {
-        configPayload = qCompress(configPayload, 8);
-    }
-    normalizedVpnKey = QString(configPayload.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals));
-
-    duplicateServerIndex = m_serversModel->indexOfServerWithVpnKey(normalizedVpnKey);
-    if (duplicateServerIndex >= 0) {
-        qInfo().noquote() << "[IAP] Subscription config with the same vpn_key already exists";
-        return ErrorCode::ApiConfigAlreadyAdded;
-    }
-
-    apiConfig.insert(apiDefs::key::vpnKey, normalizedVpnKey);
-    configObject.insert(apiDefs::key::apiConfig, apiConfig);
+    QJsonObject configObject = QJsonDocument::fromJson(configString).object();

    quint16 crc = qChecksum(QJsonDocument(configObject).toJson());
+    auto apiConfig = configObject.value(apiDefs::key::apiConfig).toObject();
+    apiConfig[apiDefs::key::vpnKey] = normalizedKey;
+    apiConfig[apiDefs::key::isTestPurchase] = isTestPurchase;
+
+    configObject.insert(apiDefs::key::apiConfig, apiConfig);
    configObject.insert(config_key::crc, crc);
    m_serversModel->addServer(configObject);

@@ -1264,7 +941,6 @@ ErrorCode ApiConfigsController::importServiceFromBilling(const QByteArray &respo
 #else
    Q_UNUSED(responseBody)
    Q_UNUSED(isTestPurchase)
-    duplicateServerIndex = -1;
    return ErrorCode::NoError;
 #endif
 }
@@ -1273,6 +949,6 @@ ErrorCode ApiConfigsController::executeRequest(const QString &endpoint, const QJ
                                               bool isTestPurchase)
 {
    GatewayController gatewayController(m_settings->getGatewayEndpoint(isTestPurchase), m_settings->isDevGatewayEnv(isTestPurchase),
-                                        apiDefs::requestTimeoutMsecs, m_settings->isStrictKillSwitchEnabled(), m_settings);
+                                        apiDefs::requestTimeoutMsecs, m_settings->isStrictKillSwitchEnabled());
    return gatewayController.post(endpoint, apiPayload, responseBody);
 }
@@ -1,13 +1,10 @@
 #ifndef APICONFIGSCONTROLLER_H
 #define APICONFIGSCONTROLLER_H

-#include <QList>
 #include <QObject>

 #include "configurators/openvpn_configurator.h"
-#include "ui/models/api/apiBenefitsModel.h"
 #include "ui/models/api/apiServicesModel.h"
-#include "ui/models/api/apiSubscriptionPlansModel.h"
 #include "ui/models/servers_model.h"

 class ApiConfigsController : public QObject
@@ -15,9 +12,7 @@ class ApiConfigsController : public QObject
    Q_OBJECT
 public:
    ApiConfigsController(const QSharedPointer<ServersModel> &serversModel, const QSharedPointer<ApiServicesModel> &apiServicesModel,
-                         const QSharedPointer<ApiSubscriptionPlansModel> &subscriptionPlansModel,
-                         const QSharedPointer<ApiBenefitsModel> &benefitsModel, const std::shared_ptr<Settings> &settings,
-                         QObject *parent = nullptr);
+                         const std::shared_ptr<Settings> &settings, QObject *parent = nullptr);

    Q_PROPERTY(QList<QString> qrCodes READ getQrCodes NOTIFY vpnKeyExportReady)
    Q_PROPERTY(int qrCodesCount READ getQrCodesCount NOTIFY vpnKeyExportReady)
@@ -32,10 +27,9 @@ public slots:

    bool fillAvailableServices();
    bool importService();
-    bool importPremiumFromAppStore(const QString &storeProductId);
-    bool restoreServiceFromAppStore();
-    bool importFreeFromGateway();
-    bool importTrialFromGateway(const QString &email);
+    bool importSerivceFromAppStore();
+    bool restoreSerivceFromAppStore();
+    bool importServiceFromGateway();
    bool updateServiceFromGateway(const int serverIndex, const QString &newCountryCode, const QString &newCountryName,
                                  bool reloadServiceConfig = false);
    bool updateServiceFromTelegram(const int serverIndex);
@@ -49,11 +43,8 @@ public slots:

 signals:
    void errorOccurred(ErrorCode errorCode);
-    void trialEmailError(const QString &message);
-    void subscriptionExpiredOnServer();
-    void subscriptionRefreshNeeded();

-    void installServerFromApiFinished(const QString &message, int preferredDefaultServerIndex = -1);
+    void installServerFromApiFinished(const QString &message);
    void changeApiCountryFinished(const QString &message);
    void reloadServerFromApiFinished(const QString &message);
    void updateServerFromApiFinished();
@@ -66,7 +57,7 @@ private:
    QString getVpnKey();

    ErrorCode executeRequest(const QString &endpoint, const QJsonObject &apiPayload, QByteArray &responseBody, bool isTestPurchase = false);
-    ErrorCode importServiceFromBilling(const QByteArray &responseBody, const bool isTestPurchase, int &duplicateServerIndex);
+    ErrorCode importServiceFromBilling(const QByteArray &responseBody, const bool isTestPurchase);

    QList<QString> m_qrCodes;
    QString m_vpnKey;
@@ -74,9 +65,6 @@ private:
    QSharedPointer<ServersModel> m_serversModel;
    QSharedPointer<ApiServicesModel> m_apiServicesModel;
    std::shared_ptr<Settings> m_settings;
-
-    QSharedPointer<ApiSubscriptionPlansModel> m_subscriptionPlansModel;
-    QSharedPointer<ApiBenefitsModel> m_benefitsModel;
 };

-#endif
+#endif // APICONFIGSCONTROLLER_H
@@ -32,8 +32,7 @@ void ApiNewsController::fetchNews(bool showError)
    }

    auto gatewayController = QSharedPointer<GatewayController>::create(m_settings->getGatewayEndpoint(), m_settings->isDevGatewayEnv(),
-                                                                       apiDefs::requestTimeoutMsecs,
-                                                                       m_settings->isStrictKillSwitchEnabled(), m_settings);
+                                                                       apiDefs::requestTimeoutMsecs, m_settings->isStrictKillSwitchEnabled());
    QJsonObject payload;
    payload.insert("locale", m_settings->getAppLanguage().name().split("_").first());

@@ -1,7 +1,6 @@
 #include "apiSettingsController.h"

 #include <QEventLoop>
-#include <QJsonDocument>
 #include <QTimer>

 #include "core/api/apiUtils.h"
@@ -23,19 +22,6 @@ namespace
    }

    const int requestTimeoutMsecs = 12 * 1000; // 12 secs
-
-    QString getSubscriptionStatusForRenewal(const QSharedPointer<ApiAccountInfoModel> &accountInfoModel)
-    {
-        if (!accountInfoModel.isNull() && accountInfoModel->data(QStringLiteral("isSubscriptionExpired")).toBool()) {
-            return QStringLiteral("expired");
-        }
-
-        if (!accountInfoModel.isNull() && accountInfoModel->data(QStringLiteral("isSubscriptionExpiringSoon")).toBool()) {
-            return QStringLiteral("expire_soon");
-        }
-
-        return QStringLiteral("active");
-    }
 }

 ApiSettingsController::ApiSettingsController(const QSharedPointer<ServersModel> &serversModel,
@@ -71,7 +57,7 @@ bool ApiSettingsController::getAccountInfo(bool reload)

    bool isTestPurchase = apiConfig.value(apiDefs::key::isTestPurchase).toBool(false);
    GatewayController gatewayController(m_settings->getGatewayEndpoint(isTestPurchase), m_settings->isDevGatewayEnv(isTestPurchase),
-                                        requestTimeoutMsecs, m_settings->isStrictKillSwitchEnabled(), m_settings);
+                                        requestTimeoutMsecs, m_settings->isStrictKillSwitchEnabled());

    QJsonObject apiPayload;
    apiPayload[configKey::userCountryCode] = apiConfig.value(configKey::userCountryCode).toString();
@@ -99,43 +85,6 @@ bool ApiSettingsController::getAccountInfo(bool reload)
    return true;
 }

-void ApiSettingsController::getRenewalLink()
-{
-    auto processedIndex = m_serversModel->getProcessedServerIndex();
-    auto serverConfig = m_serversModel->getServerConfig(processedIndex);
-    auto apiConfig = serverConfig.value(configKey::apiConfig).toObject();
-    auto authData = serverConfig.value(configKey::authData).toObject();
-
-    bool isTestPurchase = apiConfig.value(apiDefs::key::isTestPurchase).toBool(false);
-    auto gatewayController = QSharedPointer<GatewayController>::create(m_settings->getGatewayEndpoint(isTestPurchase),
-                                                                       m_settings->isDevGatewayEnv(isTestPurchase),
-                                                                       requestTimeoutMsecs,
-                                                                       m_settings->isStrictKillSwitchEnabled(), m_settings);
-
-    QJsonObject apiPayload;
-    apiPayload[configKey::userCountryCode] = apiConfig.value(configKey::userCountryCode).toString();
-    apiPayload[configKey::serviceType] = apiConfig.value(configKey::serviceType).toString();
-    apiPayload[configKey::authData] = authData;
-    apiPayload[apiDefs::key::cliVersion] = QString(APP_VERSION);
-    apiPayload[apiDefs::key::appLanguage] = m_settings->getAppLanguage().name().split("_").first();
-    apiPayload[apiDefs::key::subscriptionStatus] = getSubscriptionStatusForRenewal(m_apiAccountInfoModel);
-
-    auto future = gatewayController->postAsync(QString("%1v1/renewal_link"), apiPayload);
-    future.then(this, [this, gatewayController](QPair<ErrorCode, QByteArray> result) {
-        auto [errorCode, responseBody] = result;
-        if (errorCode != ErrorCode::NoError) {
-            emit errorOccurred(errorCode);
-            return;
-        }
-
-        QJsonObject responseJson = QJsonDocument::fromJson(responseBody).object();
-        QString url = responseJson.value("renewal_url").toString();
-        if (!url.isEmpty()) {
-            emit renewalLinkReceived(url);
-        }
-    });
-}
-
 void ApiSettingsController::updateApiCountryModel()
 {
    m_apiCountryModel->updateModel(m_apiAccountInfoModel->getAvailableCountries(), "");
@@ -21,11 +21,9 @@ public slots:
    bool getAccountInfo(bool reload);
    void updateApiCountryModel();
    void updateApiDevicesModel();
-    void getRenewalLink();

 signals:
    void errorOccurred(ErrorCode errorCode);
-    void renewalLinkReceived(const QString &url);

 private:
    QSharedPointer<ServersModel> m_serversModel;
@@ -1,12 +1,5 @@
 #include "connectionController.h"

-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
-    #include <QGuiApplication>
-#else
-    #include <QApplication>
-#endif
-
-#include "amnezia_application.h"
 #include "utilities.h"
 #include "core/controllers/vpnConfigurationController.h"
 #include "version.h"
@@ -34,7 +27,7 @@ ConnectionController::ConnectionController(const QSharedPointer<ServersModel> &s

 void ConnectionController::openConnection()
 {
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
    if (!Utils::processIsRunning(Utils::executable(SERVICE_NAME, false), true))
    {
        emit connectionErrorOccurred(ErrorCode::AmneziaServiceNotRunning);
@@ -82,8 +75,6 @@ void ConnectionController::onConnectionStateChanged(Vpn::ConnectionState state)
    m_connectionStateText = tr("Connecting...");
    switch (state) {
    case Vpn::ConnectionState::Connected: {
-        amnApp->networkManager()->clearConnectionCache();
-
        m_isConnectionInProgress = false;
        m_isConnected = true;
        m_connectionStateText = tr("Connected");
@@ -7,6 +7,7 @@
 #include <QFileInfo>
 #include <QImage>
 #include <QStandardPaths>
+
 #include "core/controllers/vpnConfigurationController.h"
 #include "core/qrCodeUtils.h"
 #include "core/serialization/serialization.h"
@@ -169,7 +170,8 @@ void ExportController::generateWireGuardConfig(const QString &clientName)
        m_config.append(line + "\n");
    }

-    m_qrCodes = qrCodeUtils::generateQrCodeImageSeries(m_config.toUtf8());
+    auto qr = qrCodeUtils::generateQrCode(m_config.toUtf8());
+    m_qrCodes << qrCodeUtils::svgToBase64(QString::fromStdString(toSvgString(qr, 1)));

    emit exportConfigChanged();
 }
@@ -189,7 +191,8 @@ void ExportController::generateAwgConfig(const QString &clientName)
        m_config.append(line + "\n");
    }

-    m_qrCodes = qrCodeUtils::generateQrCodeImageSeries(m_config.toUtf8());
+    auto qr = qrCodeUtils::generateQrCode(m_config.toUtf8());
+    m_qrCodes << qrCodeUtils::svgToBase64(QString::fromStdString(toSvgString(qr, 1)));

    emit exportConfigChanged();
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
spectrum	40cc856ece	feat: add support for tvOS platform	2026-04-14 16:34:04 +03:00
spectrum	c551d759bb	refactor: separate network extension sources for different protocols and platforms	2026-02-16 15:15:52 +02:00
spectrum	d00d409cda	feat: add Apple TV support for network extension and refactor ios cmake scripts	2026-02-13 16:51:44 +02:00
spectrum	c897963bac	feat: add support for Apple TV target settings for iOS/Xcode projects	2026-02-13 00:17:19 +02:00