Feat: Fixed push notifications on VPN connect/disconnect

chore: hide extend buttons on external premium
chore: simplify benefits
2026-06-24 02:00:24 +07:00 · 2026-04-06 17:45:24 +03:00 · 2026-04-06 20:04:39 +08:00 · 2026-04-03 20:04:52 +08:00 · 2026-04-02 17:32:42 +08:00 · 2026-04-01 14:25:47 +08:00
264 changed files with 8954 additions and 4216 deletions
@@ -10,10 +10,10 @@ env:
 jobs:
  Build-Linux-Ubuntu:
-    runs-on: ubuntu-22.04
+    runs-on: android-runner
    env:
-      QT_VERSION: 6.6.2
+      QT_VERSION: 6.10.1
      QIF_VERSION: 4.7
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
@@ -30,13 +30,15 @@ jobs:
        version: ${{ env.QT_VERSION }}
        host: 'linux'
        target: 'desktop'
-        arch: 'gcc_64'
+        arch: 'linux_gcc_64'
        modules: 'qtremoteobjects qt5compat qtshadertools'
        dir: ${{ runner.temp }}
        setup-python: 'true'
        tools: 'tools_ifw'
        set-env: 'true'
-        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
+        aqtversion: '==3.3.0'       
        py7zrversion: '==0.22.*'  
        extra: '--base ${{ env.QT_MIRROR }}' 
    - name: 'Get sources'
      uses: actions/checkout@v4
@@ -51,12 +53,12 @@ jobs:
        echo "VERSION=$VERSION" >> $GITHUB_ENV
        echo "Version: $VERSION"
-    - name: 'Setup ccache'
+    # - name: 'Setup ccache'
-      uses: hendrikmuhs/ccache-action@v1.2
+    #   uses: hendrikmuhs/ccache-action@v1.2
    - name: 'Build project'
      run: |
-        sudo apt-get install libxkbcommon-x11-0
+        sudo apt-get install libxkbcommon-x11-0 libsecret-1-dev
        export QT_BIN_DIR=${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/gcc_64/bin
        export QIF_BIN_DIR=${{ runner.temp }}/Qt/Tools/QtInstallerFramework/${{ env.QIF_VERSION }}/bin
        bash deploy/build_linux.sh
@@ -91,7 +93,7 @@ jobs:
    runs-on: windows-latest
    env:
-      QT_VERSION: 6.6.2
+      QT_VERSION: 6.10.1
      QIF_VERSION: 4.7
      BUILD_ARCH: 64
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
@@ -117,8 +119,8 @@ jobs:
        echo "VERSION=$VERSION" >> $GITHUB_ENV
        echo "Version: $VERSION"
-    - name: 'Setup ccache'
+    # - name: 'Setup ccache'
-      uses: hendrikmuhs/ccache-action@v1.2
+    #   uses: hendrikmuhs/ccache-action@v1.2
    - name: 'Install Qt'
      uses: jurplel/install-qt-action@v3
@@ -126,39 +128,62 @@ jobs:
        version: ${{ env.QT_VERSION }}
        host: 'windows'
        target: 'desktop'
-        arch: 'win64_msvc2019_64'
+        arch: 'win64_msvc2022_64'
        modules: 'qtremoteobjects qt5compat qtshadertools'
        dir: ${{ runner.temp }}
        setup-python: 'true'
        tools: 'tools_ifw'
        set-env: 'true'
-        aqtversion: '==3.1.21'
+        aqtversion: '==3.3.0'       
        py7zrversion: '==0.22.*'  
-        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
+        extra: '--base ${{ env.QT_MIRROR }}' 
    - name: 'Setup mvsc'
      uses: ilammy/msvc-dev-cmd@v1
      with:
        arch: 'x64'
    - name: 'Setup .NET SDK'
      uses: actions/setup-dotnet@v4
      with:
        dotnet-version: '8.0.x'
    - name: 'Install WiX Toolset'
      shell: powershell
      run: |
        dotnet tool install --global wix --version 4.0.6
        wix extension add -g WixToolset.UI.wixext/4.0.6
        wix extension add -g WixToolset.Util.wixext/4.0.6
        wix extension list -g
        $wixBinDir = Join-Path $env:USERPROFILE ".dotnet\tools"
        echo "WIX_BIN_DIR=$wixBinDir" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
    - name: 'Build project'
      shell: cmd
      run: |
        set BUILD_ARCH=${{ env.BUILD_ARCH }}
-        set "QT_BIN_DIR=${{ runner.temp }}\Qt\${{ env.QT_VERSION }}\msvc2019_64\bin"
+        set QT_BIN_DIR="${{ runner.temp }}\\Qt\\${{ env.QT_VERSION }}\\msvc2022_64\\bin"
-        set "QIF_BIN_DIR=${{ runner.temp }}\Qt\Tools\QtInstallerFramework\${{ env.QIF_VERSION }}\bin"
+        set QIF_BIN_DIR="${{ runner.temp }}\\Qt\\Tools\\QtInstallerFramework\\${{ env.QIF_VERSION }}\\bin"
-        call deploy\build_windows.bat
+        set WIX_BIN_DIR=%USERPROFILE%\.dotnet\tools
        call deploy\\build_windows.bat
    - name: 'Rename Windows installer'
      shell: cmd
      run: |
-        copy AmneziaVPN_x${{ env.BUILD_ARCH }}.exe AmneziaVPN_%VERSION%_x${{ env.BUILD_ARCH }}.exe
+        copy AmneziaVPN_x${{ env.BUILD_ARCH }}.exe AmneziaVPN_%VERSION%_x64.exe
    - name: 'Upload installer artifact'
      uses: actions/upload-artifact@v4
      with:
-        name: AmneziaVPN_${{ env.VERSION }}_x${{ env.BUILD_ARCH }}.exe
+        name: AmneziaVPN_${{ env.VERSION }}_x64.exe
-        path: AmneziaVPN_${{ env.VERSION }}_x${{ env.BUILD_ARCH }}.exe
+        path: AmneziaVPN_${{ env.VERSION }}_x64.exe
        retention-days: 7
    - name: 'Upload MSI installer artifact'
      uses: actions/upload-artifact@v4
      with:
        name: AmneziaVPN_Windows_MSI_installer
        path: AmneziaVPN_x${{ env.BUILD_ARCH }}.msi
        retention-days: 7
    - name: 'Upload unpacked artifact'
@@ -168,143 +193,13 @@ jobs:
        path: deploy\\build_${{ env.BUILD_ARCH }}\\client\\Release
        retention-days: 7
 # ------------------------------------------------------
  Build-Windows-ARM64:
    runs-on: windows-latest
    env:
      QT_VERSION: 6.8.3
      QIF_VERSION: 4.7
      BUILD_ARCH: arm64
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
      FREE_V2_ENDPOINT: ${{ secrets.FREE_V2_ENDPOINT }}
      PREM_V1_ENDPOINT: ${{ secrets.PREM_V1_ENDPOINT }}
    steps:
    - name: 'Get sources'
      uses: actions/checkout@v4
      with:
        submodules: 'true'
        fetch-depth: 10
    - name: 'Get 3rd-prebuilt'
      shell: bash
      run: |
        rm -rf client/3rd-prebuilt
    - name: 'Checkout 3rd-prebuilt'
      uses: actions/checkout@v4
      with:
        repository: amnezia-vpn/3rd-prebuilt
        ref: feature/add-support-arm64
        path: client/3rd-prebuilt
    - name: 'Get version from CMakeLists.txt'
      id: get_version
      shell: bash
      run: |
        VERSION=$(grep 'set(AMNEZIAVPN_VERSION' CMakeLists.txt | sed -E 's/.*AMNEZIAVPN_VERSION ([0-9]+.[0-9]+.[0-9]+.[0-9]+)\)/\1/')
        echo "VERSION=$VERSION" >> $GITHUB_ENV
        echo "Version: $VERSION"
    - name: 'Setup ccache'
      uses: hendrikmuhs/ccache-action@v1.2
    - name: 'Cleanup Qt directory'
      shell: pwsh
      run: |
        $baseDir = "${{ runner.temp }}"
        $qtVersion = "${{ env.QT_VERSION }}"
        # Handle both path formats (with \ and /)
        $paths = @(
          "$baseDir\Qt\$qtVersion\msvc2022_64",
          "$baseDir/Qt/$qtVersion/msvc2022_64",
          "$baseDir\Qt\$qtVersion\msvc2022_arm64",
          "$baseDir/Qt/$qtVersion/msvc2022_arm64"
        )
        foreach ($path in $paths) {
          if (Test-Path $path) {
            Write-Host "Removing $path..."
            Remove-Item -Path $path -Recurse -Force -ErrorAction SilentlyContinue
          }
        }
    - name: 'Install Qt Desktop (host for cross-compilation)'
      uses: jurplel/install-qt-action@v3
      with:
        version: ${{ env.QT_VERSION }}
        host: 'windows'
        target: 'desktop'
        arch: 'win64_msvc2022_64'
        modules: 'qtremoteobjects qt5compat qtshadertools'
        dir: ${{ runner.temp }}
        setup-python: 'true'
        set-env: 'false'
        aqtversion: '==3.3.0'
        py7zrversion: '==0.22.*'
        extra: '--base ${{ env.QT_MIRROR }}'
    - name: 'Install Qt ARM64'
      uses: jurplel/install-qt-action@v3
      with:
        version: ${{ env.QT_VERSION }}
        host: 'windows'
        target: 'desktop'
        arch: 'win64_msvc2022_arm64_cross_compiled'
        modules: 'qtremoteobjects qt5compat qtshadertools'
        dir: ${{ runner.temp }}
        setup-python: 'true'
        tools: 'tools_ifw'
        set-env: 'false'
        aqtversion: '==3.3.0'
        py7zrversion: '==0.22.*'
        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
    - name: 'Setup mvsc'
      uses: ilammy/msvc-dev-cmd@v1
      with:
        arch: 'x64_arm64'
    - name: 'Build project'
      shell: cmd
      run: |
        set BUILD_ARCH=${{ env.BUILD_ARCH }}
        set "QT_BIN_DIR=${{ runner.temp }}\Qt\${{ env.QT_VERSION }}\msvc2022_arm64\bin"
        set "QT_HOST_PATH=${{ runner.temp }}\Qt\${{ env.QT_VERSION }}\msvc2022_64"
        set "QT_HOST_BIN_DIR=${{ runner.temp }}\Qt\${{ env.QT_VERSION }}\msvc2022_64\bin"
        set "QIF_BIN_DIR=${{ runner.temp }}\Qt\Tools\QtInstallerFramework\${{ env.QIF_VERSION }}\bin"
        call deploy\build_windows.bat
    - name: 'Rename Windows installer'
      shell: cmd
      run: |
        copy AmneziaVPN_x${{ env.BUILD_ARCH }}.exe AmneziaVPN_%VERSION%_x${{ env.BUILD_ARCH }}.exe
    - name: 'Upload installer artifact'
      uses: actions/upload-artifact@v4
      with:
        name: AmneziaVPN_${{ env.VERSION }}_x${{ env.BUILD_ARCH }}.exe
        path: AmneziaVPN_${{ env.VERSION }}_x${{ env.BUILD_ARCH }}.exe
        retention-days: 7
    - name: 'Upload unpacked artifact'
      uses: actions/upload-artifact@v4
      with:
        name: AmneziaVPN_Windows_ARM64_unpacked
        path: deploy\\build_${{ env.BUILD_ARCH }}\\client\\Release
        retention-days: 7
 # ------------------------------------------------------
  Build-iOS:
-    runs-on: macos-13
+    runs-on: macos-latest
    env:
-      QT_VERSION: 6.6.2
+      QT_VERSION: 6.10.1
      CC: cc
      CXX: c++
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
@@ -319,7 +214,7 @@ jobs:
    - name: 'Setup xcode'
      uses: maxim-lobanov/setup-xcode@v1
      with:
-        xcode-version: '15.2'
+        xcode-version: '26.1'
    - name: 'Install desktop Qt'
      uses: jurplel/install-qt-action@v3
@@ -363,8 +258,8 @@ jobs:
        submodules: 'true'
        fetch-depth: 10
-    - name: 'Setup ccache'
+    # - name: 'Setup ccache'
-      uses: hendrikmuhs/ccache-action@v1.2
+    #   uses: hendrikmuhs/ccache-action@v1.2
    - name: 'Install dependencies'
      run: pip install jsonschema jinja2
@@ -455,8 +350,8 @@ jobs:
        submodules: 'true'
        fetch-depth: 10
-    - name: 'Setup ccache'
+    # - name: 'Setup ccache'
-      uses: hendrikmuhs/ccache-action@v1.2
+    #   uses: hendrikmuhs/ccache-action@v1.2
    - name: 'Build project'
      run: |
@@ -483,7 +378,7 @@ jobs:
    runs-on: macos-latest
    env:
-      QT_VERSION: 6.8.0
+      QT_VERSION: 6.10.1
      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
@@ -513,7 +408,7 @@ jobs:
        xcode-version: '16.2.0'
    - name: 'Install Qt'
-      uses: jurplel/install-qt-action@v3
+      uses: jurplel/install-qt-action@v4
      with:
        version: ${{ env.QT_VERSION }}
        host: 'mac'
@@ -523,8 +418,9 @@ jobs:
        dir: ${{ runner.temp }}
        setup-python: 'true'
        set-env: 'true'
-        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
+        aqtversion: '==3.3.0'       
-
+        py7zrversion: '==0.22.*'  
        extra: '--base ${{ env.QT_MIRROR }}' 
    - name: 'Get sources'
      uses: actions/checkout@v4
@@ -539,8 +435,8 @@ jobs:
        echo "VERSION=$VERSION" >> $GITHUB_ENV
        echo "Version: $VERSION"
-    - name: 'Setup ccache'
+    # - name: 'Setup ccache'
-      uses: hendrikmuhs/ccache-action@v1.2
+    #   uses: hendrikmuhs/ccache-action@v1.2
    - name: 'Build project'
      run: |
@@ -571,7 +467,7 @@ jobs:
    runs-on: macos-latest
    env:
-      QT_VERSION: 6.8.3
+      QT_VERSION: 6.10.1
      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
@@ -591,21 +487,31 @@ jobs:
    - name: 'Setup xcode'
      uses: maxim-lobanov/setup-xcode@v1
      with:
-        xcode-version: '16.2.0'
+        xcode-version: '26.1'
-    - name: 'Install Qt'
+    - name: 'Install desktop Qt'
      uses: jurplel/install-qt-action@v3
      with:
        version: ${{ env.QT_VERSION }}
        host: 'mac'
        target: 'desktop'
        modules: 'qtremoteobjects qt5compat qtshadertools qtmultimedia'
        arch: 'clang_64'
        modules: 'qtremoteobjects qt5compat qtshadertools'
        dir: ${{ runner.temp }}
        setup-python: 'true'
        set-env: 'true'
-        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
+        extra: '--base ${{ env.QT_MIRROR }}'
    - name: 'Install go'
      uses: actions/setup-go@v5
      with:
        go-version: '1.24'
        cache: false
    - name: 'Setup gomobile'
      run: |
          export PATH=$PATH:~/go/bin
          go install golang.org/x/mobile/cmd/gomobile@latest
          gomobile init
    - name: 'Get sources'
      uses: actions/checkout@v4
@@ -613,8 +519,8 @@ jobs:
        submodules: 'true'
        fetch-depth: 10
-    - name: 'Setup ccache'
+    # - name: 'Setup ccache'
-      uses: hendrikmuhs/ccache-action@v1.2
+    #   uses: hendrikmuhs/ccache-action@v1.2
    - name: 'Build project'
      run: |
@@ -631,11 +537,11 @@ jobs:
 # ------------------------------------------------------
  Build-Android:
-    runs-on: ubuntu-latest
+    runs-on: android-runner
    env:
      ANDROID_BUILD_PLATFORM: android-36
-      QT_VERSION: 6.8.3
+      QT_VERSION: 6.10.1
      QT_MODULES: 'qtremoteobjects qt5compat qtimageformats qtshadertools'
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
@@ -723,15 +629,15 @@ jobs:
        echo "VERSION=$VERSION" >> $GITHUB_ENV
        echo "Version: $VERSION"
-    - name: 'Setup ccache'
+    # - name: 'Setup ccache'
-      uses: hendrikmuhs/ccache-action@v1.2
+    #   uses: hendrikmuhs/ccache-action@v1.2
    - name: 'Setup Java'
      uses: actions/setup-java@v4
      with:
        distribution: 'temurin'
        java-version: '17'
-        cache: 'gradle'
+        # cache: 'gradle'
    - name: 'Setup Android NDK'
      id: setup-ndk
@@ -24,7 +24,7 @@ jobs:
      - name: Verify git tag
        run: |
          TAG_NAME=${{ inputs.RELEASE_VERSION }}
-          CMAKE_TAG=$(grep 'project.*VERSION' CMakeLists.txt | sed -E 's/.* ([0-9]+.[0-9]+.[0-9]+.[0-9]+)$/\1/')
+          CMAKE_TAG=$(grep 'set(AMNEZIAVPN_VERSION' CMakeLists.txt | sed -E 's/.*AMNEZIAVPN_VERSION ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/')
          if [[ "$TAG_NAME" == "$CMAKE_TAG" ]]; then
            echo "Git tag ($TAG_NAME) matches CMakeLists.txt version ($CMAKE_TAG)."
          else
@@ -140,3 +140,6 @@ ios-ne-build.sh
 macos-ne-build.sh
 macos-signed-build.sh
 macos-with-sign-build.sh
 DeveloperIdApplicationCertificate.p12
 DeveloperIdInstallerCertificate.p12
@@ -14,3 +14,7 @@
 [submodule "client/3rd/QSimpleCrypto"]
 	path = client/3rd/QSimpleCrypto
 	url = https://github.com/amnezia-vpn/QSimpleCrypto.git
 [submodule "client/3rd/qtgamepad"]
 	path = client/3rd/qtgamepad
 	url = https://github.com/amnezia-vpn/qtgamepad.git
 	branch = 6.6
@@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)
 set(PROJECT AmneziaVPN)
-set(AMNEZIAVPN_VERSION 4.8.11.5)
+set(AMNEZIAVPN_VERSION 4.8.15.0)
 project(${PROJECT} VERSION ${AMNEZIAVPN_VERSION}
        DESCRIPTION "AmneziaVPN"
@@ -12,7 +12,7 @@ string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")
 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2100)
+set(APP_ANDROID_VERSION_CODE 2118)
 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
    set(MZ_PLATFORM_NAME "linux")
@@ -49,3 +49,39 @@ if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
    include(${CMAKE_SOURCE_DIR}/deploy/installer/config.cmake)
 endif()
 set(AMNEZIA_STAGE_DIR "${CMAKE_BINARY_DIR}/stage")
 if(WIN32 AND NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
    file(TO_CMAKE_PATH "${AMNEZIA_STAGE_DIR}" AMNEZIA_STAGE_DIR_CMAKE)
    set(CPACK_GENERATOR "WIX")
    set(CPACK_WIX_VERSION 4)
    set(CPACK_PACKAGE_NAME "AmneziaVPN")
    set(CPACK_PACKAGE_VENDOR "AmneziaVPN")
    set(CPACK_PACKAGE_VERSION ${AMNEZIAVPN_VERSION})
    set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "AmneziaVPN client")
    set(AMNEZIA_LICENSE_TXT "${CMAKE_BINARY_DIR}/LICENSE.txt")
    configure_file("${CMAKE_SOURCE_DIR}/LICENSE" "${AMNEZIA_LICENSE_TXT}" COPYONLY)
    set(CPACK_RESOURCE_FILE_LICENSE "${AMNEZIA_LICENSE_TXT}")
    set(CPACK_PACKAGE_INSTALL_DIRECTORY "AmneziaVPN")
    set(CPACK_PACKAGE_DIRECTORY "${CMAKE_BINARY_DIR}")
    set(CPACK_PACKAGE_EXECUTABLES "AmneziaVPN" "AmneziaVPN")
    set(CPACK_WIX_UPGRADE_GUID "{2D55AC62-96D6-4692-8C05-0D85BBF95485}")
    set(CPACK_WIX_PRODUCT_ICON "${CMAKE_SOURCE_DIR}/client/images/app.ico")
    # WiX patches
    set(_AMNEZIA_WIX_PATCH_SERVICE "${CMAKE_SOURCE_DIR}/deploy/installer/wix/service_install_patch.xml")
    set(_AMNEZIA_WIX_PATCH_CLOSE_APP "${CMAKE_SOURCE_DIR}/deploy/installer/wix/close_client_patch.xml")
    file(TO_CMAKE_PATH "${_AMNEZIA_WIX_PATCH_SERVICE}" _AMNEZIA_WIX_PATCH_SERVICE_CMAKE)
    file(TO_CMAKE_PATH "${_AMNEZIA_WIX_PATCH_CLOSE_APP}" _AMNEZIA_WIX_PATCH_CLOSE_APP_CMAKE)
    set(CPACK_WIX_PATCH_FILE "${_AMNEZIA_WIX_PATCH_SERVICE_CMAKE};${_AMNEZIA_WIX_PATCH_CLOSE_APP_CMAKE}")
    # WiX v4 Util extension for CloseApplication + namespace for util
    set(CPACK_WIX_EXTENSIONS "${CPACK_WIX_EXTENSIONS};WixToolset.Util.wixext")
    set(CPACK_WIX_CUSTOM_XMLNS "util=http://wixtoolset.org/schemas/v4/wxs/util")
    set(CPACK_INSTALLED_DIRECTORIES "${AMNEZIA_STAGE_DIR_CMAKE};/")
    include(CPack)
 endif()
@@ -179,7 +179,7 @@ You may face compiling issues in QT Creator after you've worked in Android Studi
 ## License
-GPL v3.0
+This project is licensed under the GNU General Public License v3.0 (see LICENSE) and also includes third-party components distributed under their own terms (see THIRD_PARTY_LICENSES.md).
 ## Donate
@@ -0,0 +1,149 @@
 # Third-Party Licenses
 This project is licensed under the GNU General Public License v3.0.
 This file lists third-party software components used by this repository.
 Each component is distributed under its own license as linked below.
 ---
 ## QtKeychain
 - Source: https://github.com/frankosterfeld/qtkeychain
 - License: BSD License
 - License Text: https://www.gnu.org/licenses/license-list.html#ModifiedBSD
 ---
 ## QSimpleCrypto
 - Source: https://github.com/n1flh31mur/QSimpleCrypto
 - License: Apache License 2.0
 - License Text: https://github.com/n1flh31mur/QSimpleCrypto/blob/master/LICENSE
 ---
 ## SortFilterProxyModel
 - Source: https://github.com/oKcerG/SortFilterProxyModel
 - License: MIT License
 - License Text: https://github.com/oKcerG/SortFilterProxyModel/blob/master/LICENSE
 ---
 ## QJsonStruct
 - Source: https://github.com/Qv2ray/QJsonStruct
 - License: MIT License
 - License Text: https://github.com/Qv2ray/QJsonStruct/blob/master/LICENSE
 ---
 ## QR Code Generator (qrcodegen)
 - Source: https://github.com/nayuki/QR-Code-generator
 - License: MIT License
 - License Text: https://www.nayuki.io/page/qr-code-generator-library
 ---
 ## Qt Gamepad
 - Source: https://github.com/qt/qtgamepad
 - License: GNU General Public License v3.0 (GPL-3.0)
 - License Text: https://www.gnu.org/licenses/gpl-3.0.en.html
 ---
 ## AmneziaWG Apple (WireGuard)
 - Source: https://github.com/amnezia-vpn/amneziawg-apple
 - License: MIT License
 - License Text: https://github.com/amnezia-vpn/amneziawg-apple/blob/master/COPYING
 ---
 ## AmneziaWG Android
 - Source: https://github.com/amnezia-vpn/amneziawg-go
 - License: MIT License
 - License Text: https://github.com/amnezia-vpn/amneziawg-go/blob/master/LICENSE
 ---
 ## Xray Core
 - Source: https://github.com/XTLS/Xray-core
 - License: Mozilla Public License 2.0 (MPL-2.0)
 - License Text: https://github.com/XTLS/Xray-core/blob/main/LICENSE
 ---
 ## Cloak
 - Source: https://github.com/cbeuw/Cloak
 - License: GNU General Public License v3.0 (GPL-3.0)
 - License Text: https://github.com/cbeuw/Cloak/blob/master/LICENSE
 ---
 ## Shadowsocks
 - Source: https://github.com/shadowsocks/shadowsocks-libev
 - License: GPL-3.0-or-later
 - License Text: http://www.gnu.org/licenses/
 ---
 ## OpenSSL
 - Source: https://github.com/openssl/openssl
 - License: Apache License 2.0
 - License Text: https://www.openssl.org/source/license.html
 ---
 ## libssh
 - Source: https://www.libssh.org/
 - License: GNU Lesser General Public License (LGPL)
 - License Text: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
 ---
 ## OpenVPNAdapter
 - Source: https://github.com/ss-abramchuk/OpenVPNAdapter
 - License: GNU Affero General Public License v3.0 (AGPL-3.0)
 - License Text: https://github.com/ss-abramchuk/OpenVPNAdapter/blob/master/LICENSE
 ---
 ## Wintun
 - Source: https://www.wintun.net/
 - License: Prebuilt Binaries License
 - License Text: https://github.com/WireGuard/wintun/blob/master/prebuilt-binaries-license.txt
 ---
 ## Mullvad Split Tunnel Driver
 - Source: https://github.com/mullvad/win-split-tunnel
 - License: GNU General Public License v3.0 (GPL-3.0) and Mozilla Public License Version 2.0
 - License Text: https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-GPL.md https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-MPL.txt
 ---
 ## tun2socks
 - Source: https://github.com/eycorsican/go-tun2socks
 - License: MIT License
 - License Text: https://github.com/eycorsican/go-tun2socks/blob/master/LICENSE
 ---
 ## TAP-Windows Driver
 - Source: https://github.com/OpenVPN/tap-windows6
 - License: tap-windows6 license
 - License Text: https://github.com/OpenVPN/tap-windows6/blob/master/COPYING
@@ -39,20 +39,6 @@ endif()
 find_package(Qt6 REQUIRED COMPONENTS ${PACKAGES})
 # Diagnostic: Print Qt configuration
 message(STATUS "=== Qt Configuration Diagnostics ===")
 message(STATUS "Qt6_DIR: ${Qt6_DIR}")
 message(STATUS "CMAKE_PREFIX_PATH: ${CMAKE_PREFIX_PATH}")
 message(STATUS "CMAKE_GENERATOR_PLATFORM: ${CMAKE_GENERATOR_PLATFORM}")
 message(STATUS "CMAKE_SYSTEM_PROCESSOR: ${CMAKE_SYSTEM_PROCESSOR}")
 if(TARGET Qt6::Core)
    get_target_property(Qt6Core_LOCATION Qt6::Core LOCATION)
    message(STATUS "Qt6::Core location: ${Qt6Core_LOCATION}")
    get_target_property(Qt6Core_IMPLIB Qt6::Core IMPORTED_IMPLIB_RELEASE)
    message(STATUS "Qt6::Core import library: ${Qt6Core_IMPLIB}")
 endif()
 message(STATUS "====================================")
 set(LIBS ${LIBS}
    Qt6::Core Qt6::Gui
    Qt6::Network Qt6::Xml Qt6::RemoteObjects
@@ -73,7 +59,6 @@ target_include_directories(${PROJECT} PUBLIC
 if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
    qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_interface.rep)
    qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_process_interface.rep)
    qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_process_tun2socks.rep)
 endif()
 qt6_add_resources(QRC ${QRC} ${CMAKE_CURRENT_LIST_DIR}/resources.qrc)
@@ -93,6 +78,7 @@ set(AMNEZIAVPN_TS_FILES
 )
 file(GLOB_RECURSE AMNEZIAVPN_TS_SOURCES *.qrc *.cpp *.h *.ui)
 list(FILTER AMNEZIAVPN_TS_SOURCES EXCLUDE REGEX "qtgamepad/examples")
 qt_create_translation(AMNEZIAVPN_QM_FILES ${AMNEZIAVPN_TS_SOURCES} ${AMNEZIAVPN_TS_FILES})
@@ -213,9 +199,7 @@ target_compile_definitions(${PROJECT} PRIVATE "MZ_$<UPPER_CASE:${MZ_PLATFORM_NAM
 # deploy artifacts required to run the application to the debug build folder
 if(WIN32)
-    if("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "ARM64")
+    if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
        set(DEPLOY_PLATFORM_PATH "windows/arm64")
    elseif("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
        set(DEPLOY_PLATFORM_PATH "windows/x64")
    else()
        set(DEPLOY_PLATFORM_PATH "windows/x32")
@@ -244,4 +228,13 @@ if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
 endif()
 target_sources(${PROJECT} PRIVATE ${SOURCES} ${HEADERS} ${RESOURCES} ${QRC} ${I18NQRC})
-qt_finalize_target(${PROJECT})
+
 # Finalize the executable so Qt can gather/deploy QML modules and plugins correctly (Android needs this).
 if(COMMAND qt_import_qml_plugins)
    qt_import_qml_plugins(${PROJECT})
 endif()
 if(COMMAND qt_finalize_executable)
    qt_finalize_executable(${PROJECT})
 else()
    qt_finalize_target(${PROJECT})
 endif()
@@ -27,10 +27,15 @@
 #include <QtQuick/QQuickWindow>  // for QQuickWindow
 #include <QWindow>              // for qobject_cast<QWindow*>
 bool AmneziaApplication::m_forceQuit = false;
 AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_CLASS(argc, argv),
      m_optAutostart({QStringLiteral("a"), QStringLiteral("autostart")}, QStringLiteral("System autostart")),
-      m_optCleanup  ({QStringLiteral("c"), QStringLiteral("cleanup")}, QStringLiteral("Cleanup logs"))
+      m_optCleanup  ({QStringLiteral("c"), QStringLiteral("cleanup")}, QStringLiteral("Cleanup logs")),
      m_optConnect  ({QStringLiteral("connect")}, QStringLiteral("Connect to server by index on startup"), QStringLiteral("index")),
      m_optImport   ({QStringLiteral("import")}, QStringLiteral("Import configuration from data string"), QStringLiteral("data"))
 {
    setDesktopFileName(QStringLiteral(APPLICATION_NAME));
    setQuitOnLastWindowClosed(false);
    // Fix config file permissions
@@ -55,11 +60,13 @@ AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_C
 AmneziaApplication::~AmneziaApplication()
 {
-    if (m_vpnConnection) {
+#ifdef AMNEZIA_DESKTOP
-        QMetaObject::invokeMethod(m_vpnConnection.get(), "disconnectSlots", Qt::QueuedConnection);
+    if (m_vpnConnection && m_vpnConnectionThread.isRunning()) {
-        QMetaObject::invokeMethod(m_vpnConnection.get(), "disconnectFromVpn", Qt::QueuedConnection);
+        QMetaObject::invokeMethod(m_vpnConnection.get(), "disconnectSlots", Qt::BlockingQueuedConnection);
-        QThread::msleep(2000);
+        
        QMetaObject::invokeMethod(m_vpnConnection.get(), "disconnectFromVpn", Qt::BlockingQueuedConnection);
    }
 #endif
    m_vpnConnectionThread.requestInterruption();
    m_vpnConnectionThread.quit();
@@ -70,7 +77,6 @@ AmneziaApplication::~AmneziaApplication()
    }
    if (m_engine) {
        QObject::disconnect(m_engine, 0, 0, 0);
        delete m_engine;
    }
 }
@@ -90,9 +96,6 @@ namespace {
 void AmneziaApplication::init()
 {
 #ifdef Q_OS_ANDROID
    clearQtCaches();
 #endif
    m_engine = new QQmlApplicationEngine;
    const QUrl url(QStringLiteral("qrc:/ui/qml/main2.qml"));
@@ -106,6 +109,16 @@ void AmneziaApplication::init()
            // install filter on main window
            if (auto win = qobject_cast<QQuickWindow*>(obj)) {
                win->installEventFilter(this);
 #ifdef Q_OS_ANDROID
                QObject::connect(win, &QQuickWindow::sceneGraphError,
                    [](QQuickWindow::SceneGraphError, const QString &msg) {
                        qWarning() << "Scene graph error (suppressed):" << msg;
                    });
                // Keep graphics context alive across hide/show cycles to avoid
                // eglSwapBuffers/makeCurrent being called on a context Android has reclaimed.
                win->setPersistentSceneGraph(true);
                win->setPersistentGraphics(true);
 #endif
                win->show();
            }
        },
@@ -126,6 +139,16 @@ void AmneziaApplication::init()
    m_coreController.reset(new CoreController(m_vpnConnection, m_settings, m_engine));
    m_engine->addImportPath("qrc:/ui/qml/Modules/");
    if (m_parser.isSet(m_optImport)) {
        const QString data = m_parser.value(m_optImport);
        if (!data.isEmpty()) {
            if (m_coreController) {
                m_coreController->importConfigFromData(data);
            }
        }
    }
    m_engine->load(url);
    m_coreController->setQmlRoot();
@@ -165,6 +188,18 @@ void AmneziaApplication::init()
        }
    });
 #endif
    if (m_parser.isSet(m_optConnect)) {
        bool ok = false;
        int idx = m_parser.value(m_optConnect).toInt(&ok);
        if (ok) {
            QTimer::singleShot(0, this, [this, idx]() {
                if (m_coreController) {
                    m_coreController->openConnectionByIndex(idx);
                }
            });
        }
    }
 }
 void AmneziaApplication::registerTypes()
@@ -211,6 +246,8 @@ bool AmneziaApplication::parseCommands()
    m_parser.addOption(m_optAutostart);
    m_parser.addOption(m_optCleanup);
    m_parser.addOption(m_optConnect);
    m_parser.addOption(m_optImport);
    m_parser.process(*this);
@@ -247,8 +284,12 @@ bool AmneziaApplication::eventFilter(QObject *watched, QEvent *event)
 #if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
        quit();
 #else
-        if (m_coreController && m_coreController->pageController()) {
+        if (m_forceQuit) {
-            m_coreController->pageController()->hideMainWindow();
+            quit();
        } else {
            if (m_coreController && m_coreController->pageController()) {
                m_coreController->pageController()->hideMainWindow();
            }
        }
 #endif
        return true; // eat the close
@@ -257,6 +298,12 @@ bool AmneziaApplication::eventFilter(QObject *watched, QEvent *event)
    return QObject::eventFilter(watched, event);
 }
 void AmneziaApplication::forceQuit()
 {
    m_forceQuit = true;
    quit();
 }
 QQmlApplicationEngine *AmneziaApplication::qmlEngine() const
 {
    return m_engine;
@@ -45,7 +45,11 @@ public:
    QNetworkAccessManager *networkManager();
    QClipboard *getClipboard();
 public slots:
    void forceQuit();
 private:
    static bool m_forceQuit;
    QQmlApplicationEngine *m_engine {};
    std::shared_ptr<Settings> m_settings;
@@ -58,6 +62,8 @@ private:
    QCommandLineOption m_optAutostart;
    QCommandLineOption m_optCleanup;
    QCommandLineOption m_optConnect;
    QCommandLineOption m_optImport;
    QSharedPointer<VpnConnection> m_vpnConnection;
    QThread m_vpnConnectionThread;
@@ -93,7 +93,7 @@ open class OpenVpn : Protocol() {
        openVpnClient = null
    }
-    override fun reconnectVpn(vpnBuilder: Builder) {
+    override fun reconnectVpn(vpnBuilder: Builder, protect: (Int) -> Boolean) {
        openVpnClient?.let {
            it.establish = makeEstablish(vpnBuilder)
            it.reconnect(0)
@@ -42,7 +42,7 @@ abstract class Protocol {
    abstract fun stopVpn()
-    abstract fun reconnectVpn(vpnBuilder: Builder)
+    abstract fun reconnectVpn(vpnBuilder: Builder, protect: (Int) -> Boolean)
    protected fun ProtocolConfig.Builder.configSplitTunneling(config: JSONObject) {
        if (!allowSplitTunneling) {
@@ -24,5 +24,8 @@
    <string name="notificationSettingsDialogMessage">Для показа уведомлений необходимо включить уведомления в системных настройках</string>
    <string name="openNotificationSettings">Открыть настройки уведомлений</string>
    <string name="vpnStateEventChannelName">Уведомления о VPN</string>
    <string name="vpnStateEventChannelDescription">Краткие оповещения при подключении и отключении VPN</string>
    <string name="tvNoFileBrowser">Пожалуйста, установите приложение для просмотра файлов</string>
 </resources>
@@ -24,5 +24,8 @@
    <string name="notificationSettingsDialogMessage">To show notifications, you must enable notifications in the system settings</string>
    <string name="openNotificationSettings">Open notification settings</string>
    <string name="vpnStateEventChannelName">VPN connection alerts</string>
    <string name="vpnStateEventChannelDescription">Brief alerts when VPN connects or disconnects</string>
    <string name="tvNoFileBrowser">Please install a file management utility to browse files</string>
 </resources>
@@ -26,6 +26,8 @@ import android.os.ParcelFileDescriptor
 import android.os.SystemClock
 import android.provider.OpenableColumns
 import android.provider.Settings
 import android.view.InputDevice
 import android.view.KeyEvent
 import android.view.MotionEvent
 import android.view.View
 import android.view.ViewGroup
@@ -73,6 +75,8 @@ private const val OPEN_FILE_ACTION_CODE = 3
 private const val CHECK_NOTIFICATION_PERMISSION_ACTION_CODE = 4
 private const val PREFS_NOTIFICATION_PERMISSION_ASKED = "NOTIFICATION_PERMISSION_ASKED"
 private const val OPEN_FILE_AFTER_RESUME_DELAY_MS = 400L
 private const val KEY_PENDING_OPEN_FILE_URI = "pending_open_file_uri"
 class AmneziaActivity : QtActivity() {
@@ -89,6 +93,12 @@ class AmneziaActivity : QtActivity() {
    private val actionResultHandlers = mutableMapOf<Int, ActivityResultHandler>()
    private val permissionRequestHandlers = mutableMapOf<Int, PermissionRequestHandler>()
    private var isActivityResumed = false
    private var hasWindowFocus = false
    private val resumeHandler = Handler(Looper.getMainLooper())
    private var pendingOpenFileUri: String? = null
    private var openFileDeliveryScheduled = false
    private val vpnServiceEventHandler: Handler by lazy(NONE) {
        object : Handler(Looper.getMainLooper()) {
            override fun handleMessage(msg: Message) {
@@ -190,11 +200,18 @@ class AmneziaActivity : QtActivity() {
                doBindService()
            }
        )
        pendingOpenFileUri = savedInstanceState?.getString(KEY_PENDING_OPEN_FILE_URI)
        openFileDeliveryScheduled = false
        registerBroadcastReceivers()
        intent?.let(::processIntent)
        runBlocking { vpnProto = proto.await() }
    }
    override fun onSaveInstanceState(outState: Bundle) {
        super.onSaveInstanceState(outState)
        pendingOpenFileUri?.let { outState.putString(KEY_PENDING_OPEN_FILE_URI, it) }
    }
    private fun loadLibs() {
        listOf(
            "rsapss",
@@ -260,6 +277,11 @@ class AmneziaActivity : QtActivity() {
    }
    override fun onStop() {
        isActivityResumed = false
        hasWindowFocus = false
        // Cancel all pending operations when activity stops
        resumeHandler.removeCallbacksAndMessages(null)
        openFileDeliveryScheduled = false
        Log.d(TAG, "Stop Amnezia activity")
        doUnbindService()
        mainScope.launch {
@@ -269,23 +291,128 @@ class AmneziaActivity : QtActivity() {
        super.onStop()
    }
    override fun onWindowFocusChanged(hasFocus: Boolean) {
        super.onWindowFocusChanged(hasFocus)
        hasWindowFocus = hasFocus
        Log.d(TAG, "Window focus changed: hasFocus=$hasFocus")
        if (!hasFocus) {
            // Cancel pending operations if window loses focus
            resumeHandler.removeCallbacksAndMessages(null)
        } else if (isActivityResumed && Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            window.decorView.apply {
                invalidate()
                resumeHandler.postDelayed({
                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
                        sendTouch(1f, 1f)
                    }
                }, 50)
                resumeHandler.postDelayed({
                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
                        sendTouch(2f, 2f)
                        requestLayout()
                        invalidate()
                    }
                }, 150)
            }
        }
    }
    override fun dispatchKeyEvent(event: KeyEvent): Boolean {
        val keyCode = event.keyCode
        val pressed = event.action == KeyEvent.ACTION_DOWN
        when (keyCode) {
            KeyEvent.KEYCODE_BUTTON_A,
            KeyEvent.KEYCODE_BUTTON_B,
            KeyEvent.KEYCODE_BUTTON_X,
            KeyEvent.KEYCODE_BUTTON_Y,
            KeyEvent.KEYCODE_BUTTON_START,
            KeyEvent.KEYCODE_BUTTON_SELECT -> {
                    nativeGamepadKeyEvent(0, keyCode, pressed)
                    return true
            }
            KeyEvent.KEYCODE_DPAD_CENTER,
            KeyEvent.KEYCODE_DPAD_UP,
            KeyEvent.KEYCODE_DPAD_DOWN,
            KeyEvent.KEYCODE_DPAD_LEFT,
            KeyEvent.KEYCODE_DPAD_RIGHT -> {
                    val syntheticKeyCode = if (keyCode == KeyEvent.KEYCODE_DPAD_CENTER) KeyEvent.KEYCODE_ENTER else keyCode
                    val synthetic = KeyEvent(
                        event.downTime, event.eventTime, event.action, syntheticKeyCode,
                        event.repeatCount, event.metaState, -1, event.scanCode,
                        event.flags, InputDevice.SOURCE_KEYBOARD
                    )
                    return super.dispatchKeyEvent(synthetic)
            }
        }
        return super.dispatchKeyEvent(event)
    }
    private external fun nativeGamepadKeyEvent(deviceId: Int, keyCode: Int, pressed: Boolean)
    override fun onPause() {
        // Notify Qt to stop rendering BEFORE super.onPause() destroys the EGL surface.
        // Using a coroutine here would be too late — the surface is gone by the time
        // the coroutine runs. A direct synchronous call gives Qt's render thread the
        // best chance to process visible=false before surface destruction.
        if (qtInitialized.isCompleted) {
            QtAndroidController.onActivityPaused()
        }
        super.onPause()
        isActivityResumed = false
        // Cancel all pending operations when activity pauses
        resumeHandler.removeCallbacksAndMessages(null)
        openFileDeliveryScheduled = false
        Log.d(TAG, "Pause Amnezia activity")
    }
    override fun onResume() {
        super.onResume()
        isActivityResumed = true
        Log.d(TAG, "Resume Amnezia activity")
        if (qtInitialized.isCompleted) {
            QtAndroidController.onActivityResumed()
        }
        if (pendingOpenFileUri != null && !openFileDeliveryScheduled) {
            val uri = pendingOpenFileUri!!
            openFileDeliveryScheduled = true
            resumeHandler.postDelayed({
                if (!isFinishing && !isDestroyed) {
                    pendingOpenFileUri = null
                    openFileDeliveryScheduled = false
                    mainScope.launch {
                        qtInitialized.await()
                        QtAndroidController.onFileOpened(uri)
                    }
                }
            }, OPEN_FILE_AFTER_RESUME_DELAY_MS)
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            window.decorView.apply {
                invalidate()
-                postDelayed({
+                resumeHandler.postDelayed({
-                    sendTouch(1f, 1f)
+                    // Check if activity is still resumed and has focus before executing
                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
                        sendTouch(1f, 1f)
                    }
                }, 100)
-                postDelayed({
+                resumeHandler.postDelayed({
-                    sendTouch(2f, 2f)
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
                        sendTouch(2f, 2f)
                    }
                }, 200)
-                postDelayed({
+                resumeHandler.postDelayed({
-                    requestLayout()
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
-                    invalidate()
+                        requestLayout()
                        invalidate()
                    }
                }, 250)
            }
        }
@@ -314,6 +441,11 @@ class AmneziaActivity : QtActivity() {
                addFlags(LayoutParams.FLAG_DRAWS_SYSTEM_BAR_BACKGROUNDS)
                statusBarColor = getColor(R.color.black)
            }
            WindowInsetsControllerCompat(window, window.decorView).apply {
                isAppearanceLightStatusBars = false
                isAppearanceLightNavigationBars = false
            }
        }
    }
@@ -346,6 +478,10 @@ class AmneziaActivity : QtActivity() {
    }
    override fun onDestroy() {
        isActivityResumed = false
        hasWindowFocus = false
        // Cancel all pending operations when activity is destroyed
        resumeHandler.removeCallbacksAndMessages(null)
        Log.d(TAG, "Destroy Amnezia activity")
        unregisterBroadcastReceiver(notificationStateReceiver)
        notificationStateReceiver = null
@@ -671,9 +807,13 @@ class AmneziaActivity : QtActivity() {
                            grantUriPermission(packageName, this, Intent.FLAG_GRANT_READ_URI_PERMISSION)
                        }?.toString() ?: ""
                        Log.v(TAG, "Open file: $uri")
-                        mainScope.launch {
+                        if (uri.isNotEmpty()) {
-                            qtInitialized.await()
+                            pendingOpenFileUri = uri
-                            QtAndroidController.onFileOpened(uri)
+                        } else {
                            mainScope.launch {
                                qtInitialized.await()
                                QtAndroidController.onFileOpened(uri)
                            }
                        }
                    }
                ))
@@ -702,7 +842,7 @@ class AmneziaActivity : QtActivity() {
    @Suppress("unused")
    fun getFd(fileName: String): Int {
        Log.v(TAG, "Get fd for $fileName")
-        return blockingCall {
+        return blockingCall(Dispatchers.IO) {
            try {
                pfd = contentResolver.openFileDescriptor(Uri.parse(fileName), "r")
                pfd?.fd ?: -1
@@ -866,6 +1006,12 @@ class AmneziaActivity : QtActivity() {
    @Suppress("unused")
    fun isNotificationPermissionGranted(): Boolean = applicationContext.isNotificationPermissionGranted()
    /** Called from Qt (AndroidController) — CLI-570 VPN connect/disconnect heads-up. */
    @Suppress("unused")
    fun showVpnStateNotification(title: String, message: String) {
        ServiceNotification.showVpnStateEvent(applicationContext, title, message)
    }
    @Suppress("unused")
    fun requestNotificationPermission() {
        val shouldShowPreRequest = shouldShowRequestPermissionRationale(Manifest.permission.POST_NOTIFICATIONS)
@@ -565,7 +565,7 @@ open class AmneziaVpnService : VpnService() {
        protocolState.value = RECONNECTING
        connectionJob = connectionScope.launch {
-            vpnProto?.protocol?.reconnectVpn(Builder())
+            vpnProto?.protocol?.reconnectVpn(Builder(), ::protect)
        }
    }
@@ -26,6 +26,9 @@ private const val OLD_NOTIFICATION_CHANNEL_ID: String = "org.amnezia.vpn.notific
 private const val NOTIFICATION_CHANNEL_ID: String = "org.amnezia.vpn.notifications"
 const val NOTIFICATION_ID = 1337
 const val VPN_STATE_EVENT_NOTIFICATION_ID = 1338
 private const val VPN_STATE_EVENT_CHANNEL_ID = "org.amnezia.vpn.vpn_state_events"
 private const val GET_ACTIVITY_REQUEST_CODE = 0
 private const val CONNECT_REQUEST_CODE = 1
 private const val DISCONNECT_REQUEST_CODE = 2
@@ -162,8 +165,42 @@ class ServiceNotification(private val context: Context) {
                        .setDescription(context.resources.getString(R.string.notificationChannelDescription))
                        .build()
                )
                createNotificationChannel(
                    Builder(VPN_STATE_EVENT_CHANNEL_ID, NotificationManagerCompat.IMPORTANCE_DEFAULT)
                        .setShowBadge(false)
                        .setSound(null, null)
                        .setVibrationEnabled(false)
                        .setLightsEnabled(false)
                        .setName(context.getString(R.string.vpnStateEventChannelName))
                        .setDescription(context.getString(R.string.vpnStateEventChannelDescription))
                        .build()
                )
            }
        }
        /** Brief alert when VPN connects or disconnects (invoked from Qt via AmneziaActivity). */
        fun showVpnStateEvent(context: Context, title: String, message: String) {
            if (!context.isNotificationPermissionGranted()) return
            val nm = NotificationManagerCompat.from(context)
            val notification = NotificationCompat.Builder(context, VPN_STATE_EVENT_CHANNEL_ID)
                .setSmallIcon(R.drawable.ic_amnezia_round)
                .setContentTitle(title)
                .setContentText(message)
                .setPriority(NotificationCompat.PRIORITY_DEFAULT)
                .setCategory(NotificationCompat.CATEGORY_STATUS)
                .setAutoCancel(true)
                .setOnlyAlertOnce(true)
                .setContentIntent(
                    PendingIntent.getActivity(
                        context,
                        GET_ACTIVITY_REQUEST_CODE,
                        Intent(context, AmneziaActivity::class.java),
                        PendingIntent.FLAG_IMMUTABLE or PendingIntent.FLAG_UPDATE_CURRENT
                    )
                )
                .build()
            nm.notify(VPN_STATE_EVENT_NOTIFICATION_ID, notification)
        }
    }
 }
@@ -1,7 +1,10 @@
 package org.amnezia.vpn
 import android.content.ActivityNotFoundException
 import android.content.Context
 import android.content.Intent
 import android.content.pm.PackageManager
 import android.os.Build
 import android.os.Bundle
 import androidx.activity.ComponentActivity
 import androidx.activity.result.contract.ActivityResultContracts
@@ -11,8 +14,29 @@ private const val TAG = "TvFilePicker"
 class TvFilePicker : ComponentActivity() {
-    private val fileChooseResultLauncher = registerForActivityResult(ActivityResultContracts.GetContent()) {
+    private val fileChooseResultLauncher = registerForActivityResult(object : ActivityResultContracts.OpenDocument() {
-        setResult(RESULT_OK, Intent().apply { data = it })
+        override fun createIntent(context: Context, input: Array<String>): Intent {
            val intent = super.createIntent(context, input)
            val activitiesToResolveIntent = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
                context.packageManager.queryIntentActivities(intent, PackageManager.ResolveInfoFlags.of(PackageManager.MATCH_DEFAULT_ONLY.toLong()))
            } else {
                @Suppress("DEPRECATION")
                context.packageManager.queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY)
            }
            if (activitiesToResolveIntent.all {
                    val name = it.activityInfo.packageName
                    name.startsWith("com.google.android.tv.frameworkpackagestubs") || name.startsWith("com.android.tv.frameworkpackagestubs")
                }) {
                throw ActivityNotFoundException()
            }
            return intent
        }
    }) {
        setResult(RESULT_OK, Intent().apply {
            data = it
            addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
        })
        finish()
    }
@@ -31,7 +55,7 @@ class TvFilePicker : ComponentActivity() {
    private fun getFile() {
        try {
            Log.v(TAG, "getFile")
-            fileChooseResultLauncher.launch("*/*")
+            fileChooseResultLauncher.launch(arrayOf("*/*"))
        } catch (_: ActivityNotFoundException) {
            Log.w(TAG, "Activity not found")
            setResult(RESULT_CANCELED, Intent().apply { putExtra("activityNotFound", true) })
@@ -31,4 +31,7 @@ object QtAndroidController {
    external fun onImeInsetsChanged(heightDp: Int)
    external fun onSystemBarsInsetsChanged(navBarHeightDp: Int, statusBarHeightDp: Int)
    external fun onActivityPaused()
    external fun onActivityResumed()
 }
@@ -12,6 +12,7 @@ import org.amnezia.vpn.protocol.Protocol
 import org.amnezia.vpn.protocol.ProtocolState.CONNECTED
 import org.amnezia.vpn.protocol.ProtocolState.DISCONNECTED
 import org.amnezia.vpn.protocol.Statistics
 import org.amnezia.vpn.protocol.VpnException
 import org.amnezia.vpn.protocol.VpnStartException
 import org.amnezia.vpn.util.LibraryLoader.loadSharedLibrary
 import org.amnezia.vpn.util.Log
@@ -27,6 +28,7 @@ private const val TAG = "Wireguard"
 open class Wireguard : Protocol() {
    private var tunnelHandle: Int = -1
    private var config: WireguardConfig? = null // save config for reconnect
    protected open val ifName: String = "amn0"
    private lateinit var scope: CoroutineScope
    private var statusJob: Job? = null
@@ -61,6 +63,7 @@ open class Wireguard : Protocol() {
    override suspend fun startVpn(config: JSONObject, vpnBuilder: Builder, protect: (Int) -> Boolean) {
        val wireguardConfig = parseConfig(config)
        start(wireguardConfig, vpnBuilder, protect)
        this.config = wireguardConfig
    }
    protected open fun parseConfig(config: JSONObject): WireguardConfig {
@@ -122,23 +125,24 @@ open class Wireguard : Protocol() {
        configData.optStringOrNull("S2")?.let { setS2(it.toInt()) }
        configData.optStringOrNull("S3")?.let { setS3(it.toInt()) }
        configData.optStringOrNull("S4")?.let { setS4(it.toInt()) }
-        configData.optStringOrNull("H1")?.let { setH1(it.toLong()) }
+        configData.optStringOrNull("H1")?.trim()?.let { if (it.isNotEmpty()) setH1(it) }
-        configData.optStringOrNull("H2")?.let { setH2(it.toLong()) }
+        configData.optStringOrNull("H2")?.trim()?.let { if (it.isNotEmpty()) setH2(it) }
-        configData.optStringOrNull("H3")?.let { setH3(it.toLong()) }
+        configData.optStringOrNull("H3")?.trim()?.let { if (it.isNotEmpty()) setH3(it) }
-        configData.optStringOrNull("H4")?.let { setH4(it.toLong()) }
+        configData.optStringOrNull("H4")?.trim()?.let { if (it.isNotEmpty()) setH4(it) }
        configData.optStringOrNull("I1")?.let { setI1(it) }
        configData.optStringOrNull("I2")?.let { setI2(it) }
        configData.optStringOrNull("I3")?.let { setI3(it) }
        configData.optStringOrNull("I4")?.let { setI4(it) }
        configData.optStringOrNull("I5")?.let { setI5(it) }
        configData.optStringOrNull("J1")?.let { setJ1(it) }
        configData.optStringOrNull("J2")?.let { setJ2(it) }
        configData.optStringOrNull("J3")?.let { setJ3(it) }
        configData.optStringOrNull("Itime")?.let { setItime(it.toInt()) }
    }
-    private fun start(config: WireguardConfig, vpnBuilder: Builder, protect: (Int) -> Boolean) {
+    private fun start(
-        if (tunnelHandle != -1) {
+        config: WireguardConfig,
        vpnBuilder: Builder,
        protect: (Int) -> Boolean,
        stopExistingVpn: Boolean = false
    ) {
        if (!stopExistingVpn && tunnelHandle != -1) {
            Log.w(TAG, "Tunnel already up")
            return
        }
@@ -146,6 +150,9 @@ open class Wireguard : Protocol() {
        buildVpnInterface(config, vpnBuilder)
        vpnBuilder.establish().use { tunFd ->
            if (stopExistingVpn && tunnelHandle != -1) {
                turnOffVpn()
            }
            if (tunFd == null) {
                throw VpnStartException("Create VPN interface: permission not granted or revoked")
            }
@@ -202,20 +209,25 @@ open class Wireguard : Protocol() {
        return lastHandshake
    }
-    override fun stopVpn() {
+    private fun turnOffVpn() {
        if (tunnelHandle == -1) {
            Log.w(TAG, "Tunnel already down")
            return
        }
        statusJob?.cancel()
        statusJob = null
        val handleToClose = tunnelHandle
        tunnelHandle = -1
        GoBackend.awgTurnOff(handleToClose)
    }
    override fun stopVpn() {
        if (tunnelHandle == -1) {
            Log.w(TAG, "Tunnel already down")
            return
        }
        turnOffVpn()
        state.value = DISCONNECTED
    }
-    override fun reconnectVpn(vpnBuilder: Builder) {
+    override fun reconnectVpn(vpnBuilder: Builder, protect: (Int) -> Boolean) {
-        state.value = CONNECTED
+        val config = this.config ?: throw VpnException("Reconnect config is empty")
        start(config, vpnBuilder, protect, true)
    }
 }
@@ -22,19 +22,15 @@ open class WireguardConfig protected constructor(
    val s2: Int?,
    val s3: Int?,
    val s4: Int?,
-    val h1: Long?,
+    val h1: String?,
-    val h2: Long?,
+    val h2: String?,
-    val h3: Long?,
+    val h3: String?,
-    val h4: Long?,
+    val h4: String?,
    var i1: String?,
    var i2: String?,
    var i3: String?,
    var i4: String?,
    var i5: String?,
    var j1: String?,
    var j2: String?,
    var j3: String?,
    var itime: Int?
 ) : ProtocolConfig(protocolConfigBuilder) {
    protected constructor(builder: Builder) : this(
@@ -61,10 +57,6 @@ open class WireguardConfig protected constructor(
        builder.i3,
        builder.i4,
        builder.i5,
        builder.j1,
        builder.j2,
        builder.j3,
        builder.itime
    )
    fun toWgUserspaceString(): String = with(StringBuilder()) {
@@ -94,10 +86,6 @@ open class WireguardConfig protected constructor(
            i3?.let { appendLine("i3=$it") }
            i4?.let { appendLine("i4=$it") }
            i5?.let { appendLine("i5=$it") }
            j1?.let { appendLine("j1=$it") }
            j2?.let { appendLine("j2=$it") }
            j3?.let { appendLine("j3=$it") }
            itime?.let { appendLine("itime=$it") }
        }
    }
@@ -152,19 +140,15 @@ open class WireguardConfig protected constructor(
        internal var s2: Int? = null
        internal var s3: Int? = null
        internal var s4: Int? = null
-        internal var h1: Long? = null
+        internal var h1: String? = null
-        internal var h2: Long? = null
+        internal var h2: String? = null
-        internal var h3: Long? = null
+        internal var h3: String? = null
-        internal var h4: Long? = null
+        internal var h4: String? = null
        internal var i1: String? = null
        internal var i2: String? = null
        internal var i3: String? = null
        internal var i4: String? = null
        internal var i5: String? = null
        internal var j1: String? = null
        internal var j2: String? = null
        internal var j3: String? = null
        internal var itime: Int? = null
        fun setEndpoint(endpoint: InetEndpoint) = apply { this.endpoint = endpoint }
@@ -185,19 +169,15 @@ open class WireguardConfig protected constructor(
        fun setS2(s2: Int) = apply { this.s2 = s2 }
        fun setS3(s3: Int) = apply { this.s3 = s3 }
        fun setS4(s4: Int) = apply { this.s4 = s4 }
-        fun setH1(h1: Long) = apply { this.h1 = h1 }
+        fun setH1(h1: String) = apply { this.h1 = h1 }
-        fun setH2(h2: Long) = apply { this.h2 = h2 }
+        fun setH2(h2: String) = apply { this.h2 = h2 }
-        fun setH3(h3: Long) = apply { this.h3 = h3 }
+        fun setH3(h3: String) = apply { this.h3 = h3 }
-        fun setH4(h4: Long) = apply { this.h4 = h4 }
+        fun setH4(h4: String) = apply { this.h4 = h4 }
        fun setI1(i1: String) = apply { this.i1 = i1 }
        fun setI2(i2: String) = apply { this.i2 = i2 }
        fun setI3(i3: String) = apply { this.i3 = i3 }
        fun setI4(i4: String) = apply { this.i4 = i4 }
        fun setI5(i5: String) = apply { this.i5 = i5 }
        fun setJ1(j1: String) = apply { this.j1 = j1 }
        fun setJ2(j2: String) = apply { this.j2 = j2 }
        fun setJ3(j3: String) = apply { this.j3 = j3 }
        fun setItime(itime: Int) = apply { this.itime = itime }
        override fun build(): WireguardConfig = configBuild().run { WireguardConfig(this@Builder) }
    }
@@ -157,7 +157,7 @@ class Xray : Protocol() {
        state.value = DISCONNECTED
    }
-    override fun reconnectVpn(vpnBuilder: Builder) {
+    override fun reconnectVpn(vpnBuilder: Builder, protect: (Int) -> Boolean) {
        state.value = CONNECTED
    }
@@ -166,7 +166,7 @@ class Xray : Protocol() {
            mtu = config.mtu.toLong()
            proxy = "socks5://127.0.0.1:${config.socksPort}"
            device = "fd://$fd"
-            logLevel = "warning"
+            logLevel = "warn"
        }
        LibXray.startTun2Socks(tun2SocksConfig, fd.toLong()).isNotNullOrBlank { err ->
            throw VpnStartException("Failed to start tun2socks: $err")
@@ -15,35 +15,17 @@ set(OPENSSL_LIBRARIES_DIR "${OPENSSL_ROOT_DIR}/lib")
 if(WIN32)
    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/windows/include")
-    # Check for ARM64 architecture first (CMAKE_GENERATOR_PLATFORM is set to ARM64 for cross-compilation)
+    if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
    message(STATUS "=== 3rd Party Libraries Configuration ===")
    message(STATUS "CMAKE_GENERATOR_PLATFORM: ${CMAKE_GENERATOR_PLATFORM}")
    message(STATUS "CMAKE_SYSTEM_PROCESSOR: ${CMAKE_SYSTEM_PROCESSOR}")
    message(STATUS "CMAKE_SIZEOF_VOID_P: ${CMAKE_SIZEOF_VOID_P}")
    if("${CMAKE_GENERATOR_PLATFORM}" STREQUAL "ARM64" OR "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "ARM64")
        # ARM64: use ARM64 versions for both OpenSSL and libssh
        message(STATUS "Building for Windows ARM64")
        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/windows/arm64/ssh.lib")
        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/windows/arm64")
        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/windows/winarm64/libssl.lib")
        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/winarm64/libcrypto.lib")
        message(STATUS "libssh: ${LIBSSH_LIB_PATH}")
        message(STATUS "OpenSSL SSL: ${OPENSSL_LIB_SSL_PATH}")
        message(STATUS "OpenSSL Crypto: ${OPENSSL_LIB_CRYPTO_PATH}")
    elseif("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
        message(STATUS "Building for Windows x64")
        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/windows/x86_64/ssh.lib")
        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/windows/x86_64")
        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/windows/win64/libssl.lib")
        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win64/libcrypto.lib")
    else()
        message(STATUS "Building for Windows x86")
        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/windows/x86/ssh.lib")
        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/windows/x86")
        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libssl.lib")
        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libcrypto.lib")
    endif()
    message(STATUS "==========================================")
 elseif(APPLE AND NOT IOS)
    if(MACOS_NE)
        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libssh.a")
@@ -101,6 +83,26 @@ add_compile_definitions(_WINSOCKAPI_)
 set(BUILD_SHARED_LIBS OFF CACHE BOOL "" FORCE)
 set(BUILD_WITH_QT6 ON)
 add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtkeychain)
 if(ANDROID)
    # Use qtgamepad from amnezia-vpn/qtgamepad repository
    # Only if Qt6CorePrivate is available (required by qtgamepad)
    find_package(Qt6CorePrivate CONFIG QUIET)
    if(Qt6CorePrivate_FOUND)
        add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtgamepad)
        # Link both the C++ module and QML plugin
        if(TARGET GamepadLegacy)
            target_link_libraries(${PROJECT} PRIVATE GamepadLegacy)
        endif()
        if(TARGET GamepadLegacyQuickPrivate)
            target_link_libraries(${PROJECT} PRIVATE GamepadLegacyQuickPrivate)
        endif()
        message(STATUS "Gamepad support enabled for Android")
    else()
        message(STATUS "Qt6CorePrivate not found. Gamepad support disabled for Android.")
    endif()
 endif()
 set(LIBS ${LIBS} qt6keychain)
 include_directories(
@@ -20,7 +20,11 @@ set(QT_ANDROID_MULTI_ABI_FORWARD_VARS "QT_NO_GLOBAL_APK_TARGET_PART_OF_ALL;CMAKE
 # We need to include qtprivate api's
 # As QAndroidBinder is not yet implemented with a public api
-set(LIBS ${LIBS} Qt6::CorePrivate -ljnigraphics)
+# Check if Qt6::CorePrivate is available (may not be in all Qt versions/configurations)
 if(TARGET Qt6::CorePrivate)
    set(LIBS ${LIBS} Qt6::CorePrivate)
 endif()
 set(LIBS ${LIBS} -ljnigraphics)
 link_directories(${CMAKE_CURRENT_SOURCE_DIR}/platforms/android)
@@ -34,6 +34,7 @@ set(HEADERS ${HEADERS}
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/StoreKitController.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate-C-Interface.h
 )
 set_source_files_properties(${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h PROPERTIES OBJECTIVE_CPP_HEADER TRUE)
@@ -46,6 +47,7 @@ set(SOURCES ${SOURCES}
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosglue.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QRCodeReaderBase.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/StoreKitController.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/AmneziaSceneDelegateHooks.mm
 )
@@ -119,6 +121,7 @@ target_sources(${PROJECT} PRIVATE
    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/ScreenProtection.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/StoreKit2Helper.swift
 )
 target_sources(${PROJECT} PRIVATE
@@ -32,9 +32,11 @@ set(LIBS ${LIBS}
 set(HEADERS ${HEADERS}
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/macos_ne_vpn_notification.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/StoreKitController.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate-C-Interface.h
 )
@@ -42,9 +44,11 @@ set_source_files_properties(${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_contro
 set(SOURCES ${SOURCES}
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/macos_ne_vpn_notification.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/StoreKitController.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosglue.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QRCodeReaderBase.mm
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.mm
@@ -129,6 +133,7 @@ target_sources(${PROJECT} PRIVATE
    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/ScreenProtection.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/StoreKit2Helper.swift
 )
 target_sources(${PROJECT} PRIVATE
@@ -161,7 +166,7 @@ add_custom_command(TARGET ${PROJECT} POST_BUILD
    COMMAND ${CMAKE_COMMAND} -E make_directory
            $<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks
    COMMAND /usr/bin/find "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework" -name "*.sha256" -delete
-    COMMAND /usr/bin/codesign --force --sign "Apple Distribution"
+    COMMAND /usr/bin/codesign --force --sign "Apple Distribution: Privacy Technologies OU"
            "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework/Versions/Current/OpenVPNAdapter"
    COMMAND ${QT_BIN_DIR_DETECTED}/macdeployqt $<TARGET_BUNDLE_DIR:AmneziaVPN> -appstore-compliant -qmldir=${CMAKE_CURRENT_SOURCE_DIR}
    COMMENT "Signing OpenVPNAdapter framework"
@@ -37,7 +37,6 @@ set(HEADERS ${HEADERS}
    ${CLIENT_ROOT_DIR}/mozilla/shared/ipaddress.h
    ${CLIENT_ROOT_DIR}/mozilla/shared/leakdetector.h
    ${CLIENT_ROOT_DIR}/mozilla/controllerimpl.h
    ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.h
 )
 if(NOT IOS AND NOT MACOS_NE)
@@ -46,9 +45,12 @@ if(NOT IOS AND NOT MACOS_NE)
    )
 endif()
-if(NOT ANDROID)
+set(HEADERS ${HEADERS}
    set(HEADERS ${HEADERS}
        ${CLIENT_ROOT_DIR}/ui/notificationhandler.h
 )
 if(ANDROID)
    set(HEADERS ${HEADERS}
        ${CLIENT_ROOT_DIR}/platforms/android/android_notificationhandler.h
    )
 endif()
@@ -88,7 +90,6 @@ set(SOURCES ${SOURCES}
    ${CLIENT_ROOT_DIR}/mozilla/models/server.cpp
    ${CLIENT_ROOT_DIR}/mozilla/shared/ipaddress.cpp
    ${CLIENT_ROOT_DIR}/mozilla/shared/leakdetector.cpp
    ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.cpp
 )
 if(NOT IOS AND NOT MACOS_NE)
@@ -111,9 +112,12 @@ if(APPLE AND NOT IOS)
    )
 endif()
-if(NOT ANDROID)
+set(SOURCES ${SOURCES}
    set(SOURCES ${SOURCES}
        ${CLIENT_ROOT_DIR}/ui/notificationhandler.cpp
 )
 if(ANDROID)
    set(SOURCES ${SOURCES}
        ${CLIENT_ROOT_DIR}/platforms/android/android_notificationhandler.cpp
    )
 endif()
@@ -183,7 +187,6 @@ if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
    set(HEADERS ${HEADERS}
        ${CLIENT_ROOT_DIR}/core/ipcclient.h
        ${CLIENT_ROOT_DIR}/core/privileged_process.h
        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.h
        ${CLIENT_ROOT_DIR}/protocols/openvpnprotocol.h
        ${CLIENT_ROOT_DIR}/protocols/openvpnovercloakprotocol.h
@@ -191,11 +194,12 @@ if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
        ${CLIENT_ROOT_DIR}/protocols/wireguardprotocol.h
        ${CLIENT_ROOT_DIR}/protocols/xrayprotocol.h
        ${CLIENT_ROOT_DIR}/protocols/awgprotocol.h
        ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.h
    )
    set(SOURCES ${SOURCES}
        ${CLIENT_ROOT_DIR}/core/ipcclient.cpp
-        ${CLIENT_ROOT_DIR}/core/privileged_process.cpp
+        ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.cpp
        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.cpp
        ${CLIENT_ROOT_DIR}/protocols/openvpnprotocol.cpp
        ${CLIENT_ROOT_DIR}/protocols/openvpnovercloakprotocol.cpp
@@ -41,18 +41,16 @@ QString AwgConfigurator::createConfig(const ServerCredentials &credentials, Dock
    jsonConfig[config_key::underloadPacketMagicHeader] = configMap.value(config_key::underloadPacketMagicHeader);
    jsonConfig[config_key::transportPacketMagicHeader] = configMap.value(config_key::transportPacketMagicHeader);
-    // jsonConfig[config_key::cookieReplyPacketJunkSize] = configMap.value(config_key::cookieReplyPacketJunkSize);
+    if (container == DockerContainer::Awg2) {
-    // jsonConfig[config_key::transportPacketJunkSize] = configMap.value(config_key::transportPacketJunkSize);
+        jsonConfig[config_key::cookieReplyPacketJunkSize] = configMap.value(config_key::cookieReplyPacketJunkSize);
        jsonConfig[config_key::transportPacketJunkSize] = configMap.value(config_key::transportPacketJunkSize);
    }
-    // jsonConfig[config_key::specialJunk1] = configMap.value(amnezia::config_key::specialJunk1);
+    jsonConfig[config_key::specialJunk1] = configMap.value(amnezia::config_key::specialJunk1);
-    // jsonConfig[config_key::specialJunk2] = configMap.value(amnezia::config_key::specialJunk2);
+    jsonConfig[config_key::specialJunk2] = configMap.value(amnezia::config_key::specialJunk2);
-    // jsonConfig[config_key::specialJunk3] = configMap.value(amnezia::config_key::specialJunk3);
+    jsonConfig[config_key::specialJunk3] = configMap.value(amnezia::config_key::specialJunk3);
-    // jsonConfig[config_key::specialJunk4] = configMap.value(amnezia::config_key::specialJunk4);
+    jsonConfig[config_key::specialJunk4] = configMap.value(amnezia::config_key::specialJunk4);
-    // jsonConfig[config_key::specialJunk5] = configMap.value(amnezia::config_key::specialJunk5);
+    jsonConfig[config_key::specialJunk5] = configMap.value(amnezia::config_key::specialJunk5);
    // jsonConfig[config_key::controlledJunk1] = configMap.value(amnezia::config_key::controlledJunk1);
    // jsonConfig[config_key::controlledJunk2] = configMap.value(amnezia::config_key::controlledJunk2);
    // jsonConfig[config_key::controlledJunk3] = configMap.value(amnezia::config_key::controlledJunk3);
    // jsonConfig[config_key::specialHandshakeTimeout] = configMap.value(amnezia::config_key::specialHandshakeTimeout);
    jsonConfig[config_key::mtu] =
            containerConfig.value(ProtocolProps::protoToString(Proto::Awg)).toObject().value(config_key::mtu).toString(protocols::awg::defaultMtu);
@@ -103,7 +103,11 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon
        return connData;
    }
-    QString getIpsScript = QString("cat %1 | grep AllowedIPs").arg(m_serverConfigPath);
+    QString configPath = m_serverConfigPath;
    if (container == DockerContainer::Awg) {
        configPath = amnezia::protocols::awg::serverLegacyConfigPath;
    }
    QString getIpsScript = QString("cat %1 | grep AllowedIPs").arg(configPath);
    QString stdOut;
    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
        stdOut += data + "\n";
@@ -161,15 +165,18 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon
                                 "AllowedIPs = %3/32\n\n")
                                 .arg(connData.clientPubKey, connData.pskKey, connData.clientIP);
-    errorCode = m_serverController->uploadTextFileToContainer(container, credentials, configPart, m_serverConfigPath,
+    errorCode = m_serverController->uploadTextFileToContainer(container, credentials, configPart, configPath,
                                                              libssh::ScpOverwriteMode::ScpAppendToExisting);
    if (errorCode != ErrorCode::NoError) {
        return connData;
    }
-    QString script = QString("sudo docker exec -i $CONTAINER_NAME bash -c 'wg syncconf wg0 <(wg-quick strip %1)'")
+    bool isAwg = (container == DockerContainer::Awg2);
-                             .arg(m_serverConfigPath);
+    QString bin = isAwg ? QStringLiteral("awg") : QStringLiteral("wg");
    QString iface = isAwg ? QStringLiteral("awg0") : QStringLiteral("wg0");
    QString script = QString(
        "sudo docker exec -i $CONTAINER_NAME bash -c '%1 syncconf %2 <(%1-quick strip %3)'").arg(bin, iface, configPath);
    errorCode = m_serverController->runScript(
            credentials,
@@ -28,7 +28,10 @@ QString ContainerProps::containerToString(amnezia::DockerContainer c)
        return "none";
    if (c == DockerContainer::Cloak)
        return "amnezia-openvpn-cloak";
-
+    if (c == DockerContainer::Awg)
        return "amnezia-awg";
    if (c == DockerContainer::Awg2)
        return "amnezia-awg2";
    QMetaEnum metaEnum = QMetaEnum::fromType<DockerContainer>();
    QString containerKey = metaEnum.valueToKey(static_cast<int>(c));
@@ -41,7 +44,10 @@ QString ContainerProps::containerTypeToString(amnezia::DockerContainer c)
        return "none";
    if (c == DockerContainer::Ipsec)
        return "ikev2";
-
+    if (c == DockerContainer::Awg)
        return "awg";
    if (c == DockerContainer::Awg2)
        return "awg";
    QMetaEnum metaEnum = QMetaEnum::fromType<DockerContainer>();
    QString containerKey = metaEnum.valueToKey(static_cast<int>(c));
@@ -71,6 +77,8 @@ QVector<amnezia::Proto> ContainerProps::protocolsForContainer(amnezia::DockerCon
    case DockerContainer::Socks5Proxy: return { Proto::Socks5Proxy };
    case DockerContainer::Awg: return { Proto::Awg };
    case DockerContainer::Awg2: return { Proto::Awg };
    default: return { defaultProtocol(container) };
    }
 }
@@ -94,6 +102,7 @@ QMap<DockerContainer, QString> ContainerProps::containerHumanNames()
             { DockerContainer::Cloak, "OpenVPN over Cloak" },
             { DockerContainer::WireGuard, "WireGuard" },
             { DockerContainer::Awg, "AmneziaWG" },
             { DockerContainer::Awg2, "AmneziaWG" },
             { DockerContainer::Xray, "XRay" },
             { DockerContainer::Ipsec, QObject::tr("IPsec") },
             { DockerContainer::SSXray, "Shadowsocks"},
@@ -120,6 +129,9 @@ QMap<DockerContainer, QString> ContainerProps::containerDescriptions()
             { DockerContainer::Awg,
               QObject::tr("AmneziaWG is a special protocol from Amnezia based on WireGuard. "
                           "It provides high connection speed and ensures stable operation even in the most challenging network conditions.") },
             { DockerContainer::Awg2,
               QObject::tr("AmneziaWG is a special protocol from Amnezia based on WireGuard. "
                           "It provides high connection speed and ensures stable operation even in the most challenging network conditions.") },
             { DockerContainer::Xray,
               QObject::tr("XRay with REALITY masks VPN traffic as web traffic and protects against active probing. "
                           "It is highly resistant to detection and offers high speed.") },
@@ -182,7 +194,7 @@ QMap<DockerContainer, QString> ContainerProps::containerDetailedDescriptions()
                      "* Minimal configuration required\n"
                      "* Easily detected by DPI systems (susceptible to blocking)\n"
                      "* Operates over UDP protocol") },
-        { DockerContainer::Awg,
+        { DockerContainer::Awg2,
          QObject::tr("AmneziaWG is a modern VPN protocol based on WireGuard, "
                      "combining simplified architecture with high performance across all devices. "
                      "It addresses WireGuard's main vulnerability (easy detection by DPI systems) through advanced obfuscation techniques, "
@@ -242,6 +254,7 @@ Proto ContainerProps::defaultProtocol(DockerContainer c)
    case DockerContainer::Cloak: return Proto::Cloak;
    case DockerContainer::ShadowSocks: return Proto::ShadowSocks;
    case DockerContainer::WireGuard: return Proto::WireGuard;
    case DockerContainer::Awg2: return Proto::Awg;
    case DockerContainer::Awg: return Proto::Awg;
    case DockerContainer::Xray: return Proto::Xray;
    case DockerContainer::Ipsec: return Proto::Ikev2;
@@ -255,6 +268,15 @@ Proto ContainerProps::defaultProtocol(DockerContainer c)
    }
 }
 QString ContainerProps::containerTypeToProtocolString(DockerContainer c)
 {
    if (c == DockerContainer::None)
        return "none";
    Proto p = defaultProtocol(c);
    return ProtocolProps::protoToString(p);
 }
 bool ContainerProps::isSupportedByCurrentPlatform(DockerContainer c)
 {
 #ifdef Q_OS_WINDOWS
@@ -265,6 +287,7 @@ bool ContainerProps::isSupportedByCurrentPlatform(DockerContainer c)
    switch (c) {
    case DockerContainer::WireGuard: return true;
    case DockerContainer::OpenVpn: return true;
    case DockerContainer::Awg2: return true;
    case DockerContainer::Awg: return true;
    case DockerContainer::Xray: return true;
    case DockerContainer::Cloak: return true;
@@ -278,6 +301,7 @@ bool ContainerProps::isSupportedByCurrentPlatform(DockerContainer c)
    // macOS build using Network Extension – hide OpenVPN-based containers
    switch (c) {
    case DockerContainer::WireGuard: return true;
    case DockerContainer::Awg2: return true;
    case DockerContainer::Awg: return true;
    case DockerContainer::Xray: return true;
    case DockerContainer::SSXray: return true;
@@ -300,6 +324,7 @@ bool ContainerProps::isSupportedByCurrentPlatform(DockerContainer c)
    case DockerContainer::WireGuard: return true;
    case DockerContainer::OpenVpn: return true;
    case DockerContainer::ShadowSocks: return false;
    case DockerContainer::Awg2: return true;
    case DockerContainer::Awg: return true;
    case DockerContainer::Cloak: return true;
    case DockerContainer::Xray: return true;
@@ -329,7 +354,7 @@ QStringList ContainerProps::fixedPortsForContainer(DockerContainer c)
 bool ContainerProps::isEasySetupContainer(DockerContainer container)
 {
    switch (container) {
-    case DockerContainer::Awg: return true;
+    case DockerContainer::Awg2: return true;
    default: return false;
    }
 }
@@ -337,7 +362,7 @@ bool ContainerProps::isEasySetupContainer(DockerContainer container)
 QString ContainerProps::easySetupHeader(DockerContainer container)
 {
    switch (container) {
-    case DockerContainer::Awg: return tr("Automatic");
+    case DockerContainer::Awg2: return tr("Automatic");
    default: return "";
    }
 }
@@ -345,7 +370,7 @@ QString ContainerProps::easySetupHeader(DockerContainer container)
 QString ContainerProps::easySetupDescription(DockerContainer container)
 {
    switch (container) {
-    case DockerContainer::Awg: return tr("AmneziaWG protocol will be installed. "
+    case DockerContainer::Awg2: return tr("AmneziaWG protocol will be installed. "
                                         "It provides high connection speed and ensures stable operation even in the most challenging network conditions.");
    default: return "";
    }
@@ -354,7 +379,7 @@ QString ContainerProps::easySetupDescription(DockerContainer container)
 int ContainerProps::easySetupOrder(DockerContainer container)
 {
    switch (container) {
-    case DockerContainer::Awg: return 1;
+    case DockerContainer::Awg2: return 1;
    default: return 0;
    }
 }
@@ -370,6 +395,12 @@ bool ContainerProps::isShareable(DockerContainer container)
    }
 }
 bool ContainerProps::isAwgContainer(DockerContainer container)
 {
    return container == DockerContainer::Awg || container == DockerContainer::Awg2;
 }
 QJsonObject ContainerProps::getProtocolConfigFromContainer(const Proto protocol, const QJsonObject &containerConfig)
 {
    QString protocolConfigString = containerConfig.value(ProtocolProps::protoToString(protocol))
@@ -387,7 +418,7 @@ int ContainerProps::installPageOrder(DockerContainer container)
    case DockerContainer::Cloak: return 5;
    case DockerContainer::ShadowSocks: return 6;
    case DockerContainer::WireGuard: return 2;
-    case DockerContainer::Awg: return 1;
+    case DockerContainer::Awg2: return 1;
    case DockerContainer::Xray: return 3;
    case DockerContainer::Ipsec: return 7;
    case DockerContainer::SSXray: return 8;
@@ -17,6 +17,7 @@ namespace amnezia
        enum DockerContainer {
            None = 0,
            Awg,
            Awg2,
            WireGuard,
            OpenVpn,
            Cloak,
@@ -45,6 +46,7 @@ namespace amnezia
        Q_INVOKABLE static amnezia::DockerContainer containerFromString(const QString &container);
        Q_INVOKABLE static QString containerToString(amnezia::DockerContainer container);
        Q_INVOKABLE static QString containerTypeToString(amnezia::DockerContainer c);
        Q_INVOKABLE static QString containerTypeToProtocolString(amnezia::DockerContainer c);
        Q_INVOKABLE static QList<amnezia::DockerContainer> allContainers();
@@ -71,6 +73,9 @@ namespace amnezia
        static bool isShareable(amnezia::DockerContainer container);
        static bool isAwgContainer(amnezia::DockerContainer container);
        static QJsonObject getProtocolConfigFromContainer(const amnezia::Proto protocol, const QJsonObject &containerConfig);
        static int installPageOrder(amnezia::DockerContainer container);
@@ -10,8 +10,10 @@ namespace apiDefs
        AmneziaFreeV3,
        AmneziaPremiumV1,
        AmneziaPremiumV2,
        AmneziaTrialV2,
        SelfHosted,
-        ExternalPremium
+        ExternalPremium,
        ExternalTrial
    };
    enum ConfigSource {
@@ -32,6 +34,7 @@ namespace apiDefs
        constexpr QLatin1String stackType("stack_type");
        constexpr QLatin1String serviceType("service_type");
        constexpr QLatin1String cliVersion("cli_version");
        constexpr QLatin1String cliName("cli_name");
        constexpr QLatin1String supportedProtocols("supported_protocols");
        constexpr QLatin1String vpnKey("vpn_key");
@@ -53,8 +56,13 @@ namespace apiDefs
        constexpr QLatin1String activeDeviceCount("active_device_count");
        constexpr QLatin1String maxDeviceCount("max_device_count");
        constexpr QLatin1String subscriptionEndDate("subscription_end_date");
        constexpr QLatin1String subscriptionExpiredByServer("subscription_expired_by_server");
        constexpr QLatin1String subscription("subscription");
        constexpr QLatin1String endDate("end_date");
        constexpr QLatin1String issuedConfigs("issued_configs");
        constexpr QLatin1String subscriptionDescription("subscription_description");
        constexpr QLatin1String termsOfUseUrl("terms_of_use_url");
        constexpr QLatin1String privacyPolicyUrl("privacy_policy_url");
        constexpr QLatin1String supportInfo("support_info");
        constexpr QLatin1String email("email");
@@ -68,6 +76,8 @@ namespace apiDefs
        constexpr QLatin1String migrationCode("migration_code");
        constexpr QLatin1String transactionId("transaction_id");
        constexpr QLatin1String isTestPurchase("is_test_purchase");
        constexpr QLatin1String isInAppPurchase("is_in_app_purchase");
        constexpr QLatin1String userCountryCode("user_country_code");
@@ -1,12 +1,34 @@
 #include "apiUtils.h"
 #include <QDateTime>
 #include <QJsonDocument>
 #include <QJsonObject>
 #include <QJsonValue>
 namespace
 {
    const QByteArray AMNEZIA_CONFIG_SIGNATURE = QByteArray::fromHex("000000ff");
    constexpr QLatin1String unprocessableSubscriptionMessage("Failed to retrieve subscription information. Is it activated?");
    QDateTime subscriptionEndUtcFromString(const QString &subscriptionEndDate)
    {
        if (subscriptionEndDate.isEmpty()) {
            return {};
        }
        QDateTime endDate = QDateTime::fromString(subscriptionEndDate, Qt::ISODateWithMs).toUTC();
        if (!endDate.isValid()) {
            endDate = QDateTime::fromString(subscriptionEndDate, Qt::ISODate).toUTC();
        }
        return endDate;
    }
    QString apiErrorMessageFromJson(const QJsonObject &jsonObj)
    {
        const QJsonValue value = jsonObj.value(QStringLiteral("message"));
        return value.isString() ? value.toString().trimmed() : QString();
    }
    QString escapeUnicode(const QString &input)
    {
        QString output;
@@ -23,9 +45,30 @@ namespace
 bool apiUtils::isSubscriptionExpired(const QString &subscriptionEndDate)
 {
-    QDateTime now = QDateTime::currentDateTimeUtc();
+    if (subscriptionEndDate.isEmpty()) {
-    QDateTime endDate = QDateTime::fromString(subscriptionEndDate, Qt::ISODateWithMs);
+        return false;
-    return endDate < now;
+    }
    const QDateTime endDate = subscriptionEndUtcFromString(subscriptionEndDate);
    if (!endDate.isValid()) {
        return false;
    }
    return endDate <= QDateTime::currentDateTimeUtc();
 }
 bool apiUtils::isSubscriptionExpiringSoon(const QString &subscriptionEndDate, int withinDays)
 {
    if (subscriptionEndDate.isEmpty()) {
        return false;
    }
    const QDateTime endDate = subscriptionEndUtcFromString(subscriptionEndDate);
    if (!endDate.isValid()) {
        return false;
    }
    const QDateTime nowUtc = QDateTime::currentDateTimeUtc();
    if (endDate <= nowUtc) {
        return false;
    }
    return endDate <= nowUtc.addDays(withinDays);
 }
 bool apiUtils::isServerFromApi(const QJsonObject &serverConfigObject)
@@ -57,18 +100,24 @@ apiDefs::ConfigType apiUtils::getConfigType(const QJsonObject &serverConfigObjec
    };
    case apiDefs::ConfigSource::AmneziaGateway: {
        constexpr QLatin1String servicePremium("amnezia-premium");
        constexpr QLatin1String serviceTrial("amnezia-trial");
        constexpr QLatin1String serviceFree("amnezia-free");
        constexpr QLatin1String serviceExternalPremium("external-premium");
        constexpr QLatin1String serviceExternalTrial("external-trial");
        auto apiConfigObject = serverConfigObject.value(apiDefs::key::apiConfig).toObject();
        auto serviceType = apiConfigObject.value(apiDefs::key::serviceType).toString();
        if (serviceType == servicePremium) {
            return apiDefs::ConfigType::AmneziaPremiumV2;
        } else if (serviceType == serviceTrial) {
            return apiDefs::ConfigType::AmneziaTrialV2;
        } else if (serviceType == serviceFree) {
            return apiDefs::ConfigType::AmneziaFreeV3;
        } else if (serviceType == serviceExternalPremium) {
            return apiDefs::ConfigType::ExternalPremium;
        } else if (serviceType == serviceExternalTrial) {
            return apiDefs::ConfigType::ExternalTrial;
        }
    }
    default: {
@@ -88,29 +137,54 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
 {
    const int httpStatusCodeConflict = 409;
    const int httpStatusCodeNotFound = 404;
    const int httpStatusCodeNotImplemented = 501;
    const int httpStatusCodePaymentRequired = 402;
    const int httpStatusCodeUnprocessableEntity = 422;
    if (!sslErrors.empty()) {
        qDebug().noquote() << sslErrors;
        return amnezia::ErrorCode::ApiConfigSslError;
-    } else if (replyError == QNetworkReply::NoError) {
+    }
    if (replyError == QNetworkReply::NoError) {
        return amnezia::ErrorCode::NoError;
-    } else if (replyError == QNetworkReply::NetworkError::OperationCanceledError
+    }
-               || replyError == QNetworkReply::NetworkError::TimeoutError) {
+    if (replyError == QNetworkReply::NetworkError::OperationCanceledError
        || replyError == QNetworkReply::NetworkError::TimeoutError) {
        qDebug() << replyError;
        return amnezia::ErrorCode::ApiConfigTimeoutError;
-    } else if (replyError == QNetworkReply::NetworkError::OperationNotImplementedError) {
+    }
    if (replyError == QNetworkReply::NetworkError::OperationNotImplementedError) {
        qDebug() << replyError;
        return amnezia::ErrorCode::ApiUpdateRequestError;
-    } else {
+    }
-        qDebug() << QString::fromUtf8(responseBody);
+
-        qDebug() << replyError;
+    qDebug() << QString::fromUtf8(responseBody);
-        qDebug() << replyErrorString;
+    qDebug() << replyError;
-        qDebug() << httpStatusCode;
+    qDebug() << replyErrorString;
-        if (httpStatusCode == httpStatusCodeConflict) {
+    qDebug() << httpStatusCode;
    QJsonDocument jsonDoc = QJsonDocument::fromJson(responseBody);
    if (jsonDoc.isObject()) {
        QJsonObject jsonObj = jsonDoc.object();
        const int httpStatusFromBody = jsonObj.value(QStringLiteral("http_status")).toInt(-1);
        if (httpStatusFromBody == httpStatusCodeConflict) {
            return amnezia::ErrorCode::ApiConfigLimitError;
-        } else if (httpStatusCode == httpStatusCodeNotFound) {
+        }
        if (httpStatusFromBody == httpStatusCodeNotFound) {
            return amnezia::ErrorCode::ApiNotFoundError;
        }
        if (httpStatusFromBody == httpStatusCodeNotImplemented) {
            return amnezia::ErrorCode::ApiUpdateRequestError;
        }
        if (httpStatusFromBody == httpStatusCodeUnprocessableEntity) {
            if (apiErrorMessageFromJson(jsonObj) == unprocessableSubscriptionMessage) {
                return amnezia::ErrorCode::ApiSubscriptionExpiredError;
            }
            return amnezia::ErrorCode::ApiConfigDownloadError;
        }
        if (httpStatusFromBody == httpStatusCodePaymentRequired) {
            return amnezia::ErrorCode::ApiSubscriptionNotActiveError;
        }
        return amnezia::ErrorCode::ApiConfigDownloadError;
    }
@@ -121,7 +195,8 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
 bool apiUtils::isPremiumServer(const QJsonObject &serverConfigObject)
 {
    static const QSet<apiDefs::ConfigType> premiumTypes = { apiDefs::ConfigType::AmneziaPremiumV1, apiDefs::ConfigType::AmneziaPremiumV2,
-                                                            apiDefs::ConfigType::ExternalPremium };
+                                                            apiDefs::ConfigType::AmneziaTrialV2, apiDefs::ConfigType::ExternalPremium,
                                                            apiDefs::ConfigType::ExternalTrial };
    return premiumTypes.contains(getConfigType(serverConfigObject));
 }
@@ -165,7 +240,9 @@ QString apiUtils::getPremiumV1VpnKey(const QJsonObject &serverConfigObject)
 QString apiUtils::getPremiumV2VpnKey(const QJsonObject &serverConfigObject)
 {
-    if (apiUtils::getConfigType(serverConfigObject) != apiDefs::ConfigType::AmneziaPremiumV2) {
+    auto configType = apiUtils::getConfigType(serverConfigObject);
    if (configType != apiDefs::ConfigType::AmneziaPremiumV2 && configType != apiDefs::ConfigType::AmneziaTrialV2
        && configType != apiDefs::ConfigType::ExternalPremium && configType != apiDefs::ConfigType::ExternalTrial) {
        return {};
    }
@@ -13,6 +13,8 @@ namespace apiUtils
    bool isSubscriptionExpired(const QString &subscriptionEndDate);
    bool isSubscriptionExpiringSoon(const QString &subscriptionEndDate, int withinDays = 10);
    bool isPremiumServer(const QJsonObject &serverConfigObject);
    apiDefs::ConfigType getConfigType(const QJsonObject &serverConfigObject);
@@ -8,6 +8,11 @@
    #include "platforms/android/android_controller.h"
 #endif
 // SystemTrayNotificationHandler exists only on desktop + macOS NE builds (see client/cmake/sources.cmake).
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
    #include "ui/systemtray_notificationhandler.h"
 #endif
 #if defined(Q_OS_IOS)
    #include "platforms/ios/ios_controller.h"
    #include <AmneziaVPN-Swift.h>
@@ -91,6 +96,12 @@ void CoreController::initModels()
    m_apiServicesModel.reset(new ApiServicesModel(this));
    m_engine->rootContext()->setContextProperty("ApiServicesModel", m_apiServicesModel.get());
    m_apiSubscriptionPlansModel.reset(new ApiSubscriptionPlansModel(this));
    m_engine->rootContext()->setContextProperty("ApiSubscriptionPlansModel", m_apiSubscriptionPlansModel.get());
    m_apiBenefitsModel.reset(new ApiBenefitsModel(this));
    m_engine->rootContext()->setContextProperty("ApiBenefitsModel", m_apiBenefitsModel.get());
    m_apiCountryModel.reset(new ApiCountryModel(this));
    m_engine->rootContext()->setContextProperty("ApiCountryModel", m_apiCountryModel.get());
@@ -135,7 +146,7 @@ void CoreController::initControllers()
            new SettingsController(m_serversModel, m_containersModel, m_languageModel, m_sitesModel, m_appSplitTunnelingModel, m_settings));
    m_engine->rootContext()->setContextProperty("SettingsController", m_settingsController.get());
-    m_sitesController.reset(new SitesController(m_settings, m_vpnConnection, m_sitesModel));
+    m_sitesController.reset(new SitesController(m_settings, m_sitesModel));
    m_engine->rootContext()->setContextProperty("SitesController", m_sitesController.get());
    m_allowedDnsController.reset(new AllowedDnsController(m_settings, m_allowedDnsModel));
@@ -151,11 +162,11 @@ void CoreController::initControllers()
            new ApiSettingsController(m_serversModel, m_apiAccountInfoModel, m_apiCountryModel, m_apiDevicesModel, m_settings));
    m_engine->rootContext()->setContextProperty("ApiSettingsController", m_apiSettingsController.get());
-    m_apiConfigsController.reset(new ApiConfigsController(m_serversModel, m_apiServicesModel, m_settings));
+    m_apiConfigsController.reset(
            new ApiConfigsController(m_serversModel, m_apiServicesModel, m_apiSubscriptionPlansModel, m_apiBenefitsModel, m_settings));
    m_engine->rootContext()->setContextProperty("ApiConfigsController", m_apiConfigsController.get());
-
+    connect(m_apiConfigsController.get(), &ApiConfigsController::subscriptionRefreshNeeded,
-    m_apiPremV1MigrationController.reset(new ApiPremV1MigrationController(m_serversModel, m_settings, this));
+            this, [this]() { m_apiSettingsController->getAccountInfo(false); });
    m_engine->rootContext()->setContextProperty("ApiPremV1MigrationController", m_apiPremV1MigrationController.get());
    m_apiNewsController.reset(new ApiNewsController(m_newsModel, m_settings, m_serversModel, this));
    m_engine->rootContext()->setContextProperty("ApiNewsController", m_apiNewsController.get());
@@ -231,14 +242,11 @@ void CoreController::initSignalHandlers()
    initAutoConnectHandler();
    initAmneziaDnsToggledHandler();
    initPrepareConfigHandler();
    initImportPremiumV2VpnKeyHandler();
    initShowMigrationDrawerHandler();
    initStrictKillSwitchHandler();
 }
 void CoreController::initNotificationHandler()
 {
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
    m_notificationHandler.reset(NotificationHandler::create(nullptr));
    connect(m_vpnConnection.get(), &VpnConnection::connectionStateChanged, m_notificationHandler.get(),
@@ -251,8 +259,10 @@ void CoreController::initNotificationHandler()
            &ConnectionController::closeConnection);
    connect(this, &CoreController::translationsUpdated, m_notificationHandler.get(), &NotificationHandler::onTranslationsUpdated);
-    auto* trayHandler = qobject_cast<SystemTrayNotificationHandler*>(m_notificationHandler.get());
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
-    connect(this, &CoreController::websiteUrlChanged, trayHandler, &SystemTrayNotificationHandler::updateWebsiteUrl);
+    if (auto *trayHandler = qobject_cast<SystemTrayNotificationHandler *>(m_notificationHandler.get())) {
        connect(this, &CoreController::websiteUrlChanged, trayHandler, &SystemTrayNotificationHandler::updateWebsiteUrl);
    }
 #endif
 }
@@ -373,7 +383,11 @@ void CoreController::initPrepareConfigHandler()
            return;
        }
-        if (!m_installController->isConfigValid()) {
+        m_installController->validateConfig();
    });
    connect(m_installController.get(), &InstallController::configValidated, this, [this](bool isValid) {
        if (!isValid) {
            emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
            return;
        }
@@ -382,25 +396,6 @@ void CoreController::initPrepareConfigHandler()
    });
 }
 void CoreController::initImportPremiumV2VpnKeyHandler()
 {
    connect(m_apiPremV1MigrationController.get(), &ApiPremV1MigrationController::importPremiumV2VpnKey, this, [this](const QString &vpnKey) {
        m_importController->extractConfigFromData(vpnKey);
        m_importController->importConfig();
        emit m_apiPremV1MigrationController->migrationFinished();
    });
 }
 void CoreController::initShowMigrationDrawerHandler()
 {
    QTimer::singleShot(1000, this, [this]() {
        if (m_apiPremV1MigrationController->isPremV1MigrationReminderActive() && m_apiPremV1MigrationController->hasConfigsToMigration()) {
            m_apiPremV1MigrationController->showMigrationDrawer();
        }
    });
 }
 void CoreController::initStrictKillSwitchHandler()
 {
    connect(m_settingsController.get(), &SettingsController::strictKillSwitchEnabledChanged, m_vpnConnection.get(),
@@ -411,3 +406,22 @@ QSharedPointer<PageController> CoreController::pageController() const
 {
    return m_pageController;
 }
 void CoreController::openConnectionByIndex(int serverIndex)
 {
    if (m_serversModel) {
        m_serversModel->setProcessedServerIndex(serverIndex);
        m_serversModel->setDefaultServerIndex(serverIndex);
    }
    m_connectionController->toggleConnection();
 }
 void CoreController::importConfigFromData(const QString &data)
 {
    if (!m_importController)
        return;
    if (m_importController->extractConfigFromData(data)) {
        m_importController->importConfig();
    }
 }
@@ -5,13 +5,10 @@
 #include <QQmlContext>
 #include <QThread>
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#include "ui/notificationhandler.h"
    #include "ui/systemtray_notificationhandler.h"
 #endif
 #include "ui/controllers/api/apiConfigsController.h"
 #include "ui/controllers/api/apiSettingsController.h"
 #include "ui/controllers/api/apiPremV1MigrationController.h"
 #include "ui/controllers/api/apiNewsController.h"
 #include "ui/controllers/appSplitTunnelingController.h"
 #include "ui/controllers/allowedDnsController.h"
@@ -33,9 +30,11 @@
    #include "ui/models/protocols/ikev2ConfigModel.h"
 #endif
 #include "ui/models/api/apiAccountInfoModel.h"
 #include "ui/models/api/apiBenefitsModel.h"
 #include "ui/models/api/apiCountryModel.h"
 #include "ui/models/api/apiDevicesModel.h"
 #include "ui/models/api/apiServicesModel.h"
 #include "ui/models/api/apiSubscriptionPlansModel.h"
 #include "ui/models/appSplitTunnelingModel.h"
 #include "ui/models/clientManagementModel.h"
 #include "ui/models/protocols/awgConfigModel.h"
@@ -50,10 +49,6 @@
 #include "ui/models/sites_model.h"
 #include "ui/models/newsModel.h"
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
    #include "ui/notificationhandler.h"
 #endif
 class CoreController : public QObject
 {
    Q_OBJECT
@@ -65,6 +60,9 @@ public:
    QSharedPointer<PageController> pageController() const;
    void setQmlRoot();
    void openConnectionByIndex(int serverIndex);
    void importConfigFromData(const QString &data);
 signals:
    void translationsUpdated();
    void websiteUrlChanged(const QString &newUrl);
@@ -90,8 +88,6 @@ private:
    void initAutoConnectHandler();
    void initAmneziaDnsToggledHandler();
    void initPrepareConfigHandler();
    void initImportPremiumV2VpnKeyHandler();
    void initShowMigrationDrawerHandler();
    void initStrictKillSwitchHandler();
    QQmlApplicationEngine *m_engine {}; // TODO use parent child system here?
@@ -99,9 +95,7 @@ private:
    QSharedPointer<VpnConnection> m_vpnConnection;
    QSharedPointer<QTranslator> m_translator;
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
    QScopedPointer<NotificationHandler> m_notificationHandler;
 #endif
    QMetaObject::Connection m_reloadConfigErrorOccurredConnection;
@@ -119,7 +113,6 @@ private:
    QScopedPointer<ApiSettingsController> m_apiSettingsController;
    QScopedPointer<ApiConfigsController> m_apiConfigsController;
    QScopedPointer<ApiPremV1MigrationController> m_apiPremV1MigrationController;
    QScopedPointer<ApiNewsController> m_apiNewsController;
    QSharedPointer<ContainersModel> m_containersModel;
@@ -134,6 +127,8 @@ private:
    QSharedPointer<ClientManagementModel> m_clientManagementModel;
    QSharedPointer<ApiServicesModel> m_apiServicesModel;
    QSharedPointer<ApiSubscriptionPlansModel> m_apiSubscriptionPlansModel;
    QSharedPointer<ApiBenefitsModel> m_apiBenefitsModel;
    QSharedPointer<ApiCountryModel> m_apiCountryModel;
    QSharedPointer<ApiAccountInfoModel> m_apiAccountInfoModel;
    QSharedPointer<ApiDevicesModel> m_apiDevicesModel;
@@ -41,6 +41,14 @@ namespace
    constexpr QLatin1String errorResponsePattern3("Account not found.");
    constexpr QLatin1String updateRequestResponsePattern("client version update is required");
    constexpr int httpStatusCodeNotFound = 404;
    constexpr int httpStatusCodeConflict = 409;
    constexpr int httpStatusCodeNotImplemented = 501;
    constexpr int httpStatusCodePaymentRequired = 402;
    constexpr int httpStatusCodeUnprocessableEntity = 422;
    constexpr QLatin1String unprocessableSubscriptionMessage("Failed to retrieve subscription information. Is it activated?");
 }
 GatewayController::GatewayController(const QString &gatewayEndpoint, const bool isDevEnvironment, const int requestTimeoutMsecs,
@@ -74,7 +82,11 @@ GatewayController::EncryptedRequestData GatewayController::prepareRequest(const
        QString host = QUrl(encRequestData.request.url()).host();
        QString ip = NetworkUtilities::getIPAddress(host);
        if (!ip.isEmpty()) {
-            IpcClient::Interface()->addKillSwitchAllowedRange(QStringList { ip });
+            IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
                QRemoteObjectPendingReply<bool> reply = iface->addKillSwitchAllowedRange(QStringList { ip });
                if (!reply.waitForFinished(1000) || !reply.returnValue())
                    qWarning() << "GatewayController::prepareRequest(): Failed to execute remote addKillSwitchAllowedRange call";
            });
        }
    }
 #endif
@@ -126,6 +138,26 @@ GatewayController::EncryptedRequestData GatewayController::prepareRequest(const
    return encRequestData;
 }
 GatewayController::DecryptionResult GatewayController::tryDecryptResponseBody(const QByteArray &encryptedResponseBody,
                                                                              QNetworkReply::NetworkError replyError, const QByteArray &key,
                                                                              const QByteArray &iv, const QByteArray &salt)
 {
    DecryptionResult result;
    result.decryptedBody = encryptedResponseBody;
    result.isDecryptionSuccessful = false;
    try {
        QSimpleCrypto::QBlockCipher blockCipher;
        result.decryptedBody = blockCipher.decryptAesBlockCipher(encryptedResponseBody, key, iv, "", salt);
        result.isDecryptionSuccessful = true;
    } catch (...) {
        result.decryptedBody = encryptedResponseBody;
        result.isDecryptionSuccessful = false;
    }
    return result;
 }
 ErrorCode GatewayController::post(const QString &endpoint, const QJsonObject apiPayload, QByteArray &responseBody)
 {
    EncryptedRequestData encRequestData = prepareRequest(endpoint, apiPayload);
@@ -149,21 +181,27 @@ ErrorCode GatewayController::post(const QString &endpoint, const QJsonObject api
    reply->deleteLater();
-    if (sslErrors.isEmpty()
+    auto decryptionResult =
-        && shouldBypassProxy(replyError, encryptedResponseBody, true, encRequestData.key, encRequestData.iv, encRequestData.salt)) {
+            tryDecryptResponseBody(encryptedResponseBody, replyError, encRequestData.key, encRequestData.iv, encRequestData.salt);
    if (sslErrors.isEmpty() && shouldBypassProxy(replyError, decryptionResult.decryptedBody, decryptionResult.isDecryptionSuccessful)) {
        auto requestFunction = [&encRequestData, &encryptedResponseBody](const QString &url) {
            encRequestData.request.setUrl(url);
            return amnApp->networkManager()->post(encRequestData.request, encRequestData.requestBody);
        };
-        auto replyProcessingFunction = [&encryptedResponseBody, &replyErrorString, &replyError, &httpStatusCode, &sslErrors,
+        auto replyProcessingFunction = [&encryptedResponseBody, &replyErrorString, &replyError, &httpStatusCode, &sslErrors, &encRequestData,
-                                        &encRequestData, this](QNetworkReply *reply, const QList<QSslError> &nestedSslErrors) {
+                                        &decryptionResult, this](QNetworkReply *reply, const QList<QSslError> &nestedSslErrors) {
            encryptedResponseBody = reply->readAll();
            replyErrorString = reply->errorString();
            replyError = reply->error();
            httpStatusCode = reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
            decryptionResult =
                    tryDecryptResponseBody(encryptedResponseBody, replyError, encRequestData.key, encRequestData.iv, encRequestData.salt);
            if (!sslErrors.isEmpty()
-                || shouldBypassProxy(replyError, encryptedResponseBody, true, encRequestData.key, encRequestData.iv, encRequestData.salt)) {
+                || shouldBypassProxy(replyError, decryptionResult.decryptedBody, decryptionResult.isDecryptionSuccessful)) {
                sslErrors = nestedSslErrors;
                return false;
            }
@@ -175,21 +213,19 @@ ErrorCode GatewayController::post(const QString &endpoint, const QJsonObject api
        bypassProxy(endpoint, serviceType, userCountryCode, requestFunction, replyProcessingFunction);
    }
-    auto errorCode = apiUtils::checkNetworkReplyErrors(sslErrors, replyErrorString, replyError, httpStatusCode, encryptedResponseBody);
+    auto errorCode =
            apiUtils::checkNetworkReplyErrors(sslErrors, replyErrorString, replyError, httpStatusCode, decryptionResult.decryptedBody);
    if (errorCode) {
        return errorCode;
    }
-    try {
+    if (!decryptionResult.isDecryptionSuccessful) {
        QSimpleCrypto::QBlockCipher blockCipher;
        responseBody =
                blockCipher.decryptAesBlockCipher(encryptedResponseBody, encRequestData.key, encRequestData.iv, "", encRequestData.salt);
        return ErrorCode::NoError;
    } catch (...) { // todo change error handling in QSimpleCrypto?
        Utils::logException();
        qCritical() << "error when decrypting the request body";
        return ErrorCode::ApiConfigDecryptionError;
    }
    responseBody = decryptionResult.decryptedBody;
    return ErrorCode::NoError;
 }
 QFuture<QPair<ErrorCode, QByteArray>> GatewayController::postAsync(const QString &endpoint, const QJsonObject apiPayload)
@@ -218,32 +254,33 @@ QFuture<QPair<ErrorCode, QByteArray>> GatewayController::postAsync(const QString
        reply->deleteLater();
-        auto processResponse = [promise, encRequestData](const QByteArray &ecryptedResponseBody, const QList<QSslError> &sslErrors,
+        auto decryptionResult =
-                                                         QNetworkReply::NetworkError replyError, const QString &replyErrorString,
+                tryDecryptResponseBody(encryptedResponseBody, replyError, encRequestData.key, encRequestData.iv, encRequestData.salt);
-                                                         int httpStatusCode) {
+
-            auto errorCode = apiUtils::checkNetworkReplyErrors(sslErrors, replyErrorString, replyError, httpStatusCode, ecryptedResponseBody);
+        auto processResponse = [promise, encRequestData](const GatewayController::DecryptionResult &decryptionResult,
                                                         const QList<QSslError> &sslErrors, QNetworkReply::NetworkError replyError,
                                                         const QString &replyErrorString, int httpStatusCode) {
            auto errorCode = apiUtils::checkNetworkReplyErrors(sslErrors, replyErrorString, replyError, httpStatusCode,
                                                               decryptionResult.decryptedBody);
            if (errorCode) {
                promise->addResult(qMakePair(errorCode, QByteArray()));
                promise->finish();
                return;
            }
-            QSimpleCrypto::QBlockCipher blockCipher;
+            if (!decryptionResult.isDecryptionSuccessful) {
            try {
                QByteArray responseBody = blockCipher.decryptAesBlockCipher(ecryptedResponseBody, encRequestData.key, encRequestData.iv, "",
                                                                            encRequestData.salt);
                promise->addResult(qMakePair(ErrorCode::NoError, responseBody));
                promise->finish();
            } catch (...) {
                Utils::logException();
                qCritical() << "error when decrypting the request body";
                promise->addResult(qMakePair(ErrorCode::ApiConfigDecryptionError, QByteArray()));
                promise->finish();
                return;
            }
            promise->addResult(qMakePair(ErrorCode::NoError, decryptionResult.decryptedBody));
            promise->finish();
        };
-        if (sslErrors->isEmpty()
+        if (sslErrors->isEmpty() && shouldBypassProxy(replyError, decryptionResult.decryptedBody, decryptionResult.isDecryptionSuccessful)) {
            && shouldBypassProxy(replyError, encryptedResponseBody, true, encRequestData.key, encRequestData.iv, encRequestData.salt)) {
            auto serviceType = apiPayload.value(apiDefs::key::serviceType).toString("");
            auto userCountryCode = apiPayload.value(apiDefs::key::userCountryCode).toString("");
@@ -266,13 +303,21 @@ QFuture<QPair<ErrorCode, QByteArray>> GatewayController::postAsync(const QString
                proxyStorageUrls.push_back(baseUrl + "endpoints.json");
            getProxyUrlsAsync(proxyStorageUrls, 0, [this, encRequestData, endpoint, processResponse](const QStringList &proxyUrls) {
-                getProxyUrlAsync(proxyUrls, 0, [this, encRequestData, endpoint, processResponse](const QString &proxyUrls) {
+                getProxyUrlAsync(proxyUrls, 0, [this, encRequestData, endpoint, processResponse](const QString &proxyUrl) {
-                    bypassProxyAsync(endpoint, proxyUrls, encRequestData, processResponse);
+                    bypassProxyAsync(endpoint, proxyUrl, encRequestData,
                                     [processResponse, this](const QByteArray &decryptedBody, bool isDecryptionSuccessful,
                                                             const QList<QSslError> &sslErrors, QNetworkReply::NetworkError replyError,
                                                             const QString &replyErrorString, int httpStatusCode) {
                                         GatewayController::DecryptionResult result;
                                         result.decryptedBody = decryptedBody;
                                         result.isDecryptionSuccessful = isDecryptionSuccessful;
                                         processResponse(result, sslErrors, replyError, replyErrorString, httpStatusCode);
                                     });
                });
            });
        } else {
-            processResponse(encryptedResponseBody, *sslErrors, replyError, replyErrorString, httpStatusCode);
+            processResponse(decryptionResult, *sslErrors, replyError, replyErrorString, httpStatusCode);
        }
    });
@@ -291,11 +336,20 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
    QStringList baseUrls;
    if (m_isDevEnvironment) {
-        baseUrls = QString(DEV_S3_ENDPOINT).split(", ");
+        baseUrls = QString(DEV_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
    } else {
-        baseUrls = QString(PROD_S3_ENDPOINT).split(", ");
+        baseUrls = QString(PROD_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
    }
    if (baseUrls.empty()) {
        qDebug() << "empty storage endpoint list";
        return {};
    }
    std::random_device randomDevice;
    std::mt19937 generator(randomDevice());
    std::shuffle(baseUrls.begin(), baseUrls.end(), generator);
    QByteArray key = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
    QStringList proxyStorageUrls;
@@ -365,17 +419,35 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
    return {};
 }
-bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &replyError, const QByteArray &responseBody,
+bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &replyError, const QByteArray &decryptedResponseBody,
-                                          bool checkEncryption, const QByteArray &key, const QByteArray &iv, const QByteArray &salt)
+                                          bool isDecryptionSuccessful)
 {
    const QByteArray &responseBody = decryptedResponseBody;
    int apiHttpStatus = -1;
    QString apiErrorMessage;
    if (isDecryptionSuccessful) {
        QJsonDocument jsonDoc = QJsonDocument::fromJson(responseBody);
        if (jsonDoc.isObject()) {
            QJsonObject jsonObj = jsonDoc.object();
            apiHttpStatus = jsonObj.value("http_status").toInt(-1);
            apiErrorMessage = jsonObj.value(QStringLiteral("message")).toString().trimmed();
        }
    } else {
        qDebug() << "failed to decrypt the data";
        return true;
    }
    if (replyError == QNetworkReply::NetworkError::OperationCanceledError || replyError == QNetworkReply::NetworkError::TimeoutError) {
        qDebug() << "timeout occurred";
        qDebug() << replyError;
        return true;
-    } else if (responseBody.contains("html")) {
+    } 
    if (responseBody.contains("html")) {
        qDebug() << "the response contains an html tag";
        return true;
-    } else if (replyError == QNetworkReply::NetworkError::ContentNotFoundError) {
+    } 
    if (apiHttpStatus == httpStatusCodeNotFound) {
        if (responseBody.contains(errorResponsePattern1) || responseBody.contains(errorResponsePattern2)
            || responseBody.contains(errorResponsePattern3)) {
            return false;
@@ -383,24 +455,27 @@ bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &rep
            qDebug() << replyError;
            return true;
        }
-    } else if (replyError == QNetworkReply::NetworkError::OperationNotImplementedError) {
+    } 
    if (apiHttpStatus == httpStatusCodeNotImplemented) {
        if (responseBody.contains(updateRequestResponsePattern)) {
            return false;
        } else {
            qDebug() << replyError;
            return true;
        }
-    } else if (replyError != QNetworkReply::NetworkError::NoError) {
+    } 
    if (apiHttpStatus == httpStatusCodeConflict) {
        return false;
    } 
    if (apiHttpStatus == httpStatusCodePaymentRequired) {
        return false;
    } 
    if (apiHttpStatus == httpStatusCodeUnprocessableEntity) {
        return apiErrorMessage != unprocessableSubscriptionMessage;
    } 
    if (replyError != QNetworkReply::NetworkError::NoError) {
        qDebug() << replyError;
        return true;
    } else if (checkEncryption) {
        try {
            QSimpleCrypto::QBlockCipher blockCipher;
            static_cast<void>(blockCipher.decryptAesBlockCipher(responseBody, key, iv, "", salt));
        } catch (...) {
            qDebug() << "failed to decrypt the data";
            return true;
        }
    }
    return false;
 }
@@ -548,7 +623,8 @@ void GatewayController::getProxyUrlsAsync(const QStringList proxyStorageUrls, co
    });
 }
-void GatewayController::getProxyUrlAsync(const QStringList proxyUrls, const int currentProxyIndex, std::function<void(const QString &)> onComplete)
+void GatewayController::getProxyUrlAsync(const QStringList proxyUrls, const int currentProxyIndex,
                                         std::function<void(const QString &)> onComplete)
 {
    if (currentProxyIndex >= proxyUrls.size()) {
        onComplete("");
@@ -582,11 +658,11 @@ void GatewayController::getProxyUrlAsync(const QStringList proxyUrls, const int
 void GatewayController::bypassProxyAsync(
        const QString &endpoint, const QString &proxyUrl, EncryptedRequestData encRequestData,
-        std::function<void(const QByteArray &, const QList<QSslError> &, QNetworkReply::NetworkError, const QString &, int)> onComplete)
+        std::function<void(const QByteArray &, bool, const QList<QSslError> &, QNetworkReply::NetworkError, const QString &, int)> onComplete)
 {
    auto sslErrors = QSharedPointer<QList<QSslError>>::create();
    if (proxyUrl.isEmpty()) {
-        onComplete(QByteArray(), *sslErrors, QNetworkReply::InternalServerError, "empty proxy url", 0);
+        onComplete(QByteArray(), false, *sslErrors, QNetworkReply::InternalServerError, "empty proxy url", 0);
        return;
    }
@@ -597,7 +673,7 @@ void GatewayController::bypassProxyAsync(
    connect(reply, &QNetworkReply::sslErrors, this, [sslErrors](const QList<QSslError> &errors) { *sslErrors = errors; });
-    connect(reply, &QNetworkReply::finished, this, [sslErrors, onComplete, reply]() {
+    connect(reply, &QNetworkReply::finished, this, [sslErrors, onComplete, encRequestData, reply, this]() {
        QByteArray encryptedResponseBody = reply->readAll();
        QString replyErrorString = reply->errorString();
        auto replyError = reply->error();
@@ -605,6 +681,10 @@ void GatewayController::bypassProxyAsync(
        reply->deleteLater();
-        onComplete(encryptedResponseBody, *sslErrors, replyError, replyErrorString, httpStatusCode);
+        auto decryptionResult =
                tryDecryptResponseBody(encryptedResponseBody, replyError, encRequestData.key, encRequestData.iv, encRequestData.salt);
        onComplete(decryptionResult.decryptedBody, decryptionResult.isDecryptionSuccessful, *sslErrors, replyError, replyErrorString,
                   httpStatusCode);
    });
 }
@@ -36,11 +36,18 @@ private:
        amnezia::ErrorCode errorCode;
    };
    struct DecryptionResult
    {
        QByteArray decryptedBody;
        bool isDecryptionSuccessful;
    };
    EncryptedRequestData prepareRequest(const QString &endpoint, const QJsonObject &apiPayload);
    DecryptionResult tryDecryptResponseBody(const QByteArray &encryptedResponseBody, QNetworkReply::NetworkError replyError,
                                            const QByteArray &key, const QByteArray &iv, const QByteArray &salt);
    QStringList getProxyUrls(const QString &serviceType, const QString &userCountryCode);
-    bool shouldBypassProxy(const QNetworkReply::NetworkError &replyError, const QByteArray &responseBody, bool checkEncryption,
+    bool shouldBypassProxy(const QNetworkReply::NetworkError &replyError, const QByteArray &decryptedResponseBody, bool isDecryptionSuccessful);
                           const QByteArray &key = "", const QByteArray &iv = "", const QByteArray &salt = "");
    void bypassProxy(const QString &endpoint, const QString &serviceType, const QString &userCountryCode,
                     std::function<QNetworkReply *(const QString &url)> requestFunction,
                     std::function<bool(QNetworkReply *reply, const QList<QSslError> &sslErrors)> replyProcessingFunction);
@@ -50,7 +57,7 @@ private:
    void getProxyUrlAsync(const QStringList proxyUrls, const int currentProxyIndex, std::function<void(const QString &)> onComplete);
    void bypassProxyAsync(
            const QString &endpoint, const QString &proxyUrl, EncryptedRequestData encRequestData,
-            std::function<void(const QByteArray &, const QList<QSslError> &, QNetworkReply::NetworkError, const QString &, int)> onComplete);
+            std::function<void(const QByteArray &, bool, const QList<QSslError> &, QNetworkReply::NetworkError, const QString &, int)> onComplete);
    int m_requestTimeoutMsecs;
    QString m_gatewayEndpoint;
@@ -345,7 +345,7 @@ bool ServerController::isReinstallContainerRequired(DockerContainer container, c
            return true;
    }
-    if (container == DockerContainer::Awg) {
+    if (ContainerProps::isAwgContainer(container)) {
        if ((oldProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress)
             != newProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress))
            || (oldProtoConfig.value(config_key::port).toString(protocols::awg::defaultPort)
@@ -367,11 +367,11 @@ bool ServerController::isReinstallContainerRequired(DockerContainer container, c
            || (oldProtoConfig.value(config_key::underloadPacketMagicHeader).toString(protocols::awg::defaultUnderloadPacketMagicHeader)
                != newProtoConfig.value(config_key::underloadPacketMagicHeader).toString(protocols::awg::defaultUnderloadPacketMagicHeader))
            || (oldProtoConfig.value(config_key::transportPacketMagicHeader).toString(protocols::awg::defaultTransportPacketMagicHeader))
-                    != newProtoConfig.value(config_key::transportPacketMagicHeader).toString(protocols::awg::defaultTransportPacketMagicHeader))
+                    != newProtoConfig.value(config_key::transportPacketMagicHeader).toString(protocols::awg::defaultTransportPacketMagicHeader)
-            // || (oldProtoConfig.value(config_key::cookieReplyPacketJunkSize).toString(protocols::awg::defaultCookieReplyPacketJunkSize)
+            || (oldProtoConfig.value(config_key::cookieReplyPacketJunkSize).toString(protocols::awg::defaultCookieReplyPacketJunkSize)
-            //     != newProtoConfig.value(config_key::cookieReplyPacketJunkSize).toString(protocols::awg::defaultCookieReplyPacketJunkSize))
+                != newProtoConfig.value(config_key::cookieReplyPacketJunkSize).toString(protocols::awg::defaultCookieReplyPacketJunkSize))
-            // || (oldProtoConfig.value(config_key::transportPacketJunkSize).toString(protocols::awg::defaultTransportPacketJunkSize)
+            || (oldProtoConfig.value(config_key::transportPacketJunkSize).toString(protocols::awg::defaultTransportPacketJunkSize)
-            //     != newProtoConfig.value(config_key::transportPacketJunkSize).toString(protocols::awg::defaultTransportPacketJunkSize))
+                != newProtoConfig.value(config_key::transportPacketJunkSize).toString(protocols::awg::defaultTransportPacketJunkSize)))
            return true;
    }
@@ -419,6 +419,18 @@ ErrorCode ServerController::installDockerWorker(const ServerCredentials &credent
                      cbReadStdOut, cbReadStdErr);
    qDebug().noquote() << "ServerController::installDockerWorker" << stdOut;
    if (container == DockerContainer::Awg2) {
        QRegularExpression regex(R"(Linux\s+(\d+)\.(\d+)[^\d]*)");
        QRegularExpressionMatch match = regex.match(stdOut);
        if (match.hasMatch()) {
            int majorVersion = match.captured(1).toInt();
            int minorVersion = match.captured(2).toInt();
            if (majorVersion < 4 || (majorVersion == 4 && minorVersion < 14)) {
                return ErrorCode::ServerLinuxKernelTooOld;
            }
        }
    }
    if (stdOut.contains("lock"))
        return ErrorCode::ServerPacketManagerError;
    if (stdOut.contains("command not found"))
@@ -648,6 +660,11 @@ ServerController::Vars ServerController::genVarsForScript(const ServerCredential
    vars.append({ { "$COOKIE_REPLY_PACKET_JUNK_SIZE", amneziaWireguarConfig.value(config_key::cookieReplyPacketJunkSize).toString() } });
    vars.append({ { "$TRANSPORT_PACKET_JUNK_SIZE", amneziaWireguarConfig.value(config_key::transportPacketJunkSize).toString() } });
    vars.append({ { "$SPECIAL_JUNK_1", amneziaWireguarConfig.value(config_key::specialJunk1).toString() } });
    vars.append({ { "$SPECIAL_JUNK_2", amneziaWireguarConfig.value(config_key::specialJunk2).toString() } });
    vars.append({ { "$SPECIAL_JUNK_3", amneziaWireguarConfig.value(config_key::specialJunk3).toString() } });
    vars.append({ { "$SPECIAL_JUNK_4", amneziaWireguarConfig.value(config_key::specialJunk4).toString() } });
    vars.append({ { "$SPECIAL_JUNK_5", amneziaWireguarConfig.value(config_key::specialJunk5).toString() } });
    // Socks5 proxy vars
    vars.append({ { "$SOCKS5_PROXY_PORT", socks5ProxyConfig.value(config_key::port).toString(protocols::socks5Proxy::defaultPort) } });
@@ -657,7 +674,8 @@ ServerController::Vars ServerController::genVarsForScript(const ServerCredential
    vars.append({ { "$SOCKS5_USER", socks5user } });
    vars.append({ { "$SOCKS5_AUTH_TYPE", socks5user.isEmpty() ? "none" : "strong" } });
-    QString serverIp = (container != DockerContainer::Awg && container != DockerContainer::WireGuard && container != DockerContainer::Xray)
+    QString serverIp = (!ContainerProps::isAwgContainer(container) && 
        container != DockerContainer::WireGuard && container != DockerContainer::Xray)
            ? NetworkUtilities::getIPAddress(credentials.hostName)
            : credentials.hostName;
    if (!serverIp.isEmpty()) {
@@ -99,11 +99,12 @@ QJsonObject VpnConfigurationsController::createVpnConfiguration(const QPair<QStr
        protocolConfigString = configurator->processConfigWithLocalSettings(dns, isApiConfig, protocolConfigString);
        QJsonObject vpnConfigData = QJsonDocument::fromJson(protocolConfigString.toUtf8()).object();
-        if (container == DockerContainer::Awg || container == DockerContainer::WireGuard) {
+        if (ContainerProps::isAwgContainer(container) || container == DockerContainer::WireGuard) {
            // add mtu for old configs
            if (vpnConfigData[config_key::mtu].toString().isEmpty()) {
                vpnConfigData[config_key::mtu] =
-                        container == DockerContainer::Awg ? protocols::awg::defaultMtu : protocols::wireguard::defaultMtu;
+                        ContainerProps::isAwgContainer(container) ? protocols::awg::defaultMtu :
                        protocols::wireguard::defaultMtu;
            }
        }
@@ -61,6 +61,7 @@ namespace amnezia
        ServerDockerOnCgroupsV2 = 211,
        ServerCgroupMountpoint = 212,
        DockerPullRateLimit = 213,
        ServerLinuxKernelTooOld = 214,
        // Ssh connection errors
        SshRequestDeniedError = 300,
@@ -121,6 +122,9 @@ namespace amnezia
        ApiMigrationError = 1110,
        ApiUpdateRequestError = 1111,
        ApiSubscriptionExpiredError = 1112,
        ApiPurchaseError = 1113,
        ApiSubscriptionNotActiveError = 1114,
        ApiNoPurchasedSubscriptionsError = 1115,
        // QFile errors
        OpenError = 1200,
@@ -29,6 +29,7 @@ QString errorString(ErrorCode code) {
    case(ErrorCode::ServerDockerOnCgroupsV2): errorMessage = QObject::tr("Docker error: runc doesn't work on cgroups v2"); break;
    case(ErrorCode::ServerCgroupMountpoint): errorMessage = QObject::tr("Server error: cgroup mountpoint does not exist"); break;
    case(ErrorCode::DockerPullRateLimit): errorMessage = QObject::tr("Docker error: The pull rate limit has been reached"); break;
    case(ErrorCode::ServerLinuxKernelTooOld): errorMessage = QObject::tr("Server error: Linux kernel is too old"); break;
    // Libssh errors
    case(ErrorCode::SshRequestDeniedError): errorMessage = QObject::tr("SSH request was denied"); break;
@@ -78,6 +79,9 @@ QString errorString(ErrorCode code) {
    case (ErrorCode::ApiMigrationError): errorMessage = QObject::tr("A migration error has occurred. Please contact our technical support"); break;
    case (ErrorCode::ApiUpdateRequestError): errorMessage = QObject::tr("Please update the application to use this feature"); break;
    case (ErrorCode::ApiSubscriptionExpiredError): errorMessage = QObject::tr("Your Amnezia Premium subscription has expired.\n Please check your email for renewal instructions.\n If you haven't received an email, please contact our support."); break;
    case (ErrorCode::ApiPurchaseError): errorMessage = QObject::tr("Unable to process purchase"); break;
    case (ErrorCode::ApiSubscriptionNotActiveError): errorMessage = QObject::tr("No active subscription found"); break;
    case (ErrorCode::ApiNoPurchasedSubscriptionsError): errorMessage = QObject::tr("No purchased subscriptions found. Please purchase a subscription first"); break;
    // QFile errors
    case(ErrorCode::OpenError): errorMessage = QObject::tr("QFile error: The file could not be opened"); break;
@@ -1,133 +1,74 @@
 #include "ipcclient.h"
 #include "ipc.h"
 #include <QRemoteObjectNode>
-
+#include <QtNetwork/qlocalsocket.h>
 IpcClient *IpcClient::m_instance = nullptr;
 IpcClient::IpcClient(QObject *parent) : QObject(parent)
 {
    m_node.connectToNode(QUrl("local:" + amnezia::getIpcServiceUrl()));
    m_interface.reset(m_node.acquire<IpcInterfaceReplica>());
 }
-IpcClient::~IpcClient()
+IpcClient& IpcClient::Instance()
 {
-    if (m_localSocket)
+    thread_local IpcClient ipcClient;
-        m_localSocket->close();
+    return ipcClient;
 }
 bool IpcClient::isSocketConnected() const
 {
    return m_isSocketConnected;
 }
 IpcClient *IpcClient::Instance()
 {
    return m_instance;
 }
 QSharedPointer<IpcInterfaceReplica> IpcClient::Interface()
 {
-    if (!Instance())
+    QSharedPointer<IpcInterfaceReplica> rep = Instance().m_interface;
-        return nullptr;
+    if (rep.isNull()) {
-    return Instance()->m_ipcClient;
+        qCritical() << "IpcClient::Interface(): Failed to acquire replica";
 }
 QSharedPointer<IpcProcessTun2SocksReplica> IpcClient::InterfaceTun2Socks()
 {
    if (!Instance())
        return nullptr;
    return Instance()->m_Tun2SocksClient;
 }
 bool IpcClient::init(IpcClient *instance)
 {
    m_instance = instance;
    Instance()->m_localSocket = new QLocalSocket(Instance());
    connect(Instance()->m_localSocket.data(), &QLocalSocket::connected, &Instance()->m_ClientNode, []() {
        Instance()->m_ClientNode.addClientSideConnection(Instance()->m_localSocket.data());
        auto cliNode = Instance()->m_ClientNode.acquire<IpcInterfaceReplica>();
        cliNode->waitForSource(5000);
        Instance()->m_ipcClient.reset(cliNode);
        if (!Instance()->m_ipcClient) {
            qWarning() << "IpcClient is not ready!";
        }
        Instance()->m_ipcClient->waitForSource(1000);
        if (!Instance()->m_ipcClient->isReplicaValid()) {
            qWarning() << "IpcClient replica is not connected!";
        }
        auto t2sNode = Instance()->m_ClientNode.acquire<IpcProcessTun2SocksReplica>();
        t2sNode->waitForSource(5000);
        Instance()->m_Tun2SocksClient.reset(t2sNode);
        if (!Instance()->m_Tun2SocksClient) {
            qWarning() << "IpcClient::m_Tun2SocksClient is not ready!";
        }
        Instance()->m_Tun2SocksClient->waitForSource(1000);
        if (!Instance()->m_Tun2SocksClient->isReplicaValid()) {
            qWarning() << "IpcClient::m_Tun2SocksClient replica is not connected!";
        }
    });
    connect(Instance()->m_localSocket, &QLocalSocket::disconnected,
            [instance]() { instance->m_isSocketConnected = false; });
    Instance()->m_localSocket->connectToServer(amnezia::getIpcServiceUrl());
    Instance()->m_localSocket->waitForConnected();
    if (!Instance()->m_ipcClient) {
        qDebug() << "IpcClient::init failed";
        return false;
    }
    qDebug() << "IpcClient::init succeed";
    instance->m_isSocketConnected = (Instance()->m_ipcClient->isReplicaValid() && Instance()->m_Tun2SocksClient->isReplicaValid());
    return Instance()->isSocketConnected();
 }
 QSharedPointer<PrivilegedProcess> IpcClient::CreatePrivilegedProcess()
 {
    if (!Instance()->m_ipcClient || !Instance()->m_ipcClient->isReplicaValid()) {
        qWarning() << "IpcClient::createPrivilegedProcess : IpcClient IpcClient replica is not valid";
        return nullptr;
    }
    if (!rep->waitForSource(1000)) {
        qCritical() << "IpcClient::Interface(): Failed to initialize replica";
        return nullptr;
    }
    if (!rep->isReplicaValid()) {
        qWarning() << "IpcClient::Interface(): Replica is invalid";
    }
    return rep;
 }
-    QRemoteObjectPendingReply<int> futureResult = Instance()->m_ipcClient->createPrivilegedProcess();
+QSharedPointer<IpcProcessInterfaceReplica> IpcClient::CreatePrivilegedProcess()
-    futureResult.waitForFinished(5000);
+{
    return withInterface([](QSharedPointer<IpcInterfaceReplica> &iface) -> QSharedPointer<IpcProcessInterfaceReplica> {
        auto createPrivilegedProcess = iface->createPrivilegedProcess();
        if (!createPrivilegedProcess.waitForFinished()) {
            qCritical() << "Failed to create privileged process";
            return nullptr;
        }
-    int pid = futureResult.returnValue();
+        const int pid = createPrivilegedProcess.returnValue();
-    auto pd = QSharedPointer<ProcessDescriptor>(new ProcessDescriptor());
+        auto* node = new QRemoteObjectNode();
-    Instance()->m_processNodes.insert(pid, pd);
+        node->connectToNode(QUrl(QString("local:%1").arg(amnezia::getIpcProcessUrl(pid))));
-    pd->localSocket.reset(new QLocalSocket(pd->replicaNode.data()));
+        QSharedPointer<IpcProcessInterfaceReplica> rep(
-
+            node->acquire<IpcProcessInterfaceReplica>(),
-    connect(pd->localSocket.data(), &QLocalSocket::connected, pd->replicaNode.data(), [pd]() {
+            [node] (IpcProcessInterfaceReplica *ptr) {
-        pd->replicaNode->addClientSideConnection(pd->localSocket.data());
+                delete ptr;
-
+                node->deleteLater();
        IpcProcessInterfaceReplica *repl = pd->replicaNode->acquire<IpcProcessInterfaceReplica>();
        PrivilegedProcess *priv = static_cast<PrivilegedProcess *>(repl);
        pd->ipcProcess.reset(priv);
        if (!pd->ipcProcess) {
            qWarning() << "Acquire PrivilegedProcess failed";
        } else {
            pd->ipcProcess->waitForSource(1000);
            if (!pd->ipcProcess->isReplicaValid()) {
                qWarning() << "PrivilegedProcess replica is not connected!";
            }
-
+        );
-            QObject::connect(pd->ipcProcess.data(), &PrivilegedProcess::destroyed, pd->ipcProcess.data(),
+        if (rep.isNull()) {
-                             [pd]() { pd->replicaNode->deleteLater(); });
+            qCritical() << "IpcClient::CreatePrivilegedProcess(): Failed to acquire replica";
            return nullptr;
        }
        if (!rep->waitForSource()) {
            qCritical() << "IpcClient::CreatePrivilegedProcess(): Failed to initialize replica";
            return nullptr;
        }
        if (!rep->isReplicaValid()) {
            qCritical() << "IpcClient::CreatePrivilegedProcess(): Replica is invalid";
            return nullptr;
        }
    });
    pd->localSocket->connectToServer(amnezia::getIpcProcessUrl(pid));
    pd->localSocket->waitForConnected();
-    auto processReplica = QSharedPointer<PrivilegedProcess>(pd->ipcProcess);
+        return rep;
-    return processReplica;
+    },
    []() -> QSharedPointer<IpcProcessInterfaceReplica> {
        return nullptr;
    });
 }
@@ -4,53 +4,53 @@
 #include <QLocalSocket>
 #include <QObject>
 #include "ipc.h"
 #include "rep_ipc_interface_replica.h"
-#include "rep_ipc_process_tun2socks_replica.h"
+#include "rep_ipc_process_interface_replica.h"
 #include "privileged_process.h"
 class IpcClient : public QObject
 {
    Q_OBJECT
 public:
-   explicit IpcClient(QObject *parent = nullptr);
+    explicit IpcClient(QObject *parent = nullptr);
-   static IpcClient *Instance();
+    static IpcClient& Instance();
   static bool init(IpcClient *instance);
   static QSharedPointer<IpcInterfaceReplica> Interface();
   static QSharedPointer<IpcProcessTun2SocksReplica> InterfaceTun2Socks();
   static QSharedPointer<PrivilegedProcess> CreatePrivilegedProcess();
-   bool isSocketConnected() const;
+    static QSharedPointer<IpcInterfaceReplica> Interface();
    static QSharedPointer<IpcProcessInterfaceReplica> CreatePrivilegedProcess();
    template <typename Func>
    static auto withInterface(Func func)
    {
        QSharedPointer<IpcInterfaceReplica> iface = Instance().m_interface;
        using ReturnType = decltype(func(std::declval<QSharedPointer<IpcInterfaceReplica>>()));
        if (iface.isNull() || !iface->waitForSource(1000) || !iface->isReplicaValid()) {
            qWarning() << "IpcClient::withInterface(): Service is not running";
            if constexpr (std::is_void_v<ReturnType>)
                return;
            else
                return ReturnType{};
        }
        return func(iface);
    }
    template <typename OnSuccess, typename OnFailure>
    static auto withInterface(OnSuccess onSuccess, OnFailure onFailure)
    {
        QSharedPointer<IpcInterfaceReplica> iface = Instance().m_interface;
        if (iface.isNull() || !iface->waitForSource(1000) || !iface->isReplicaValid()) {
            return onFailure();
        }
        return onSuccess(iface);
    }
 signals:
 private:
-    ~IpcClient() override;
+    QRemoteObjectNode m_node;
-
+    QSharedPointer<IpcInterfaceReplica> m_interface;
    QRemoteObjectNode m_ClientNode;
    QRemoteObjectNode m_Tun2SocksNode;
    QSharedPointer<IpcInterfaceReplica> m_ipcClient;
    QPointer<QLocalSocket> m_localSocket;
    QPointer<QLocalSocket> m_tun2socksSocket;
    QSharedPointer<IpcProcessTun2SocksReplica> m_Tun2SocksClient;
    struct ProcessDescriptor {
        ProcessDescriptor () {
            replicaNode = QSharedPointer<QRemoteObjectNode>(new QRemoteObjectNode());
            ipcProcess = QSharedPointer<PrivilegedProcess>();
            localSocket = QSharedPointer<QLocalSocket>();
        }
        QSharedPointer<PrivilegedProcess> ipcProcess;
        QSharedPointer<QRemoteObjectNode> replicaNode;
        QSharedPointer<QLocalSocket> localSocket;
    };
    QMap<int, QSharedPointer<ProcessDescriptor>> m_processNodes;
    bool m_isSocketConnected {false};
    static IpcClient *m_instance;
 };
 #endif // IPCCLIENT_H
@@ -1,11 +1,12 @@
 #include "networkUtilities.h"
 #include <QtNetwork/qnetworkinterface.h>
 #include <cstddef>
 #ifdef Q_OS_WIN
    #include <windows.h>
    #include <Ipexport.h>
    #include <Ws2tcpip.h>
    #include <ws2ipdef.h>
    #include <stdint.h>
    #include <Iphlpapi.h>
    #include <Iptypes.h>
    #include <WinSock2.h>
@@ -30,6 +31,15 @@
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <net/route.h>
    #include <ifaddrs.h>
    #include <net/if.h>
    #include <net/if_dl.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <arpa/inet.h>
    #include <unistd.h>
    #include <ifaddrs.h>
    #include <net/if.h>
 #endif
 #include <QHostAddress>
@@ -239,12 +249,14 @@ DWORD GetAdaptersAddressesWrapper(const ULONG Family,
 }
 #endif
-QString NetworkUtilities::getGatewayAndIface()
+QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
 {
 #ifdef Q_OS_WIN
    constexpr int BUFF_LEN = 100;
    char buff[BUFF_LEN] = {'\0'};
-    QString result;
+
    QString resGateway;
    int resIndex = -1;
    PIP_ADAPTER_ADDRESSES pAdapterAddresses = nullptr;
    DWORD dwRetVal =
@@ -252,7 +264,7 @@ QString NetworkUtilities::getGatewayAndIface()
    if (dwRetVal != NO_ERROR) {
        qDebug() << "ipv4 stack detect GetAdaptersAddresses failed.";
-        return "";
+        return {};
    }
    PIP_ADAPTER_ADDRESSES pCurAddress = pAdapterAddresses;
@@ -267,7 +279,9 @@ QString NetworkUtilities::getGatewayAndIface()
                struct sockaddr_in addr;
                if (inet_pton(AF_INET, buff, &addr.sin_addr) == 1) {
                    qDebug() <<  "this is true v4 !";
-                    result = gw;
+                    
                    resGateway = gw;
                    resIndex = pCurAddress->IfIndex;
                }
            }
        }
@@ -275,7 +289,7 @@ QString NetworkUtilities::getGatewayAndIface()
    }
    free(pAdapterAddresses);
-    return result;
+    return { resGateway, QNetworkInterface::interfaceFromIndex(resIndex) };
 #endif
 #ifdef Q_OS_LINUX
    constexpr int BUFFER_SIZE = 100;
@@ -292,7 +306,7 @@ QString NetworkUtilities::getGatewayAndIface()
    if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) {
        perror("socket failed");
-        return "";
+        return {};
    }
    memset(msgbuf, 0, sizeof(msgbuf));
@@ -316,7 +330,7 @@ QString NetworkUtilities::getGatewayAndIface()
    /* send msg */
    if (send(sock, nlmsg, nlmsg->nlmsg_len, 0) < 0) {
        perror("send failed");
-        return "";
+        return {};
    }
    /* receive response */
@@ -325,7 +339,7 @@ QString NetworkUtilities::getGatewayAndIface()
        received_bytes = recv(sock, ptr, sizeof(buffer) - msg_len, 0);
        if (received_bytes < 0) {
            perror("Error in recv");
-            return "";
+            return {};
        }
        nlh = (struct nlmsghdr *) ptr;
@@ -335,7 +349,7 @@ QString NetworkUtilities::getGatewayAndIface()
            (nlmsg->nlmsg_type == NLMSG_ERROR))
        {
            perror("Error in received packet");
-            return "";
+            return {};
        }
        /* If we received all data break */
@@ -388,10 +402,12 @@ QString NetworkUtilities::getGatewayAndIface()
        }
    }
    close(sock);
-    return gateway_address;
+    return { gateway_address, QNetworkInterface::interfaceFromName(interface) };
 #endif
 #if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
    QString gateway;
    int index = -1;
    int mib[] = {CTL_NET, PF_ROUTE, 0, 0, NET_RT_FLAGS, RTF_GATEWAY};
    int afinet_type[] = {AF_INET, AF_INET6};
@@ -401,17 +417,17 @@ QString NetworkUtilities::getGatewayAndIface()
        size_t needed = 0;
        if (sysctl(mib, sizeof(mib) / sizeof(int), nullptr, &needed, nullptr, 0) < 0)
-            return "";
+            return {};
        char* buf;
        if ((buf = new char[needed]) == 0)
-            return "";
+            return {};
        if (sysctl(mib, sizeof(mib) / sizeof(int), buf, &needed, nullptr, 0) < 0)
        {
            qDebug() << "sysctl: net.route.0.0.dump";
            delete[] buf;
-            return gateway;
+            return {};
        }
        struct rt_msghdr* rt;
@@ -449,7 +465,10 @@ QString NetworkUtilities::getGatewayAndIface()
                               &(reinterpret_cast<struct sockaddr_in*>(sa_tab[RTAX_GATEWAY]))->sin_addr,
                               sizeof(struct in_addr));
                        if (inet_ntop(AF_INET, srcStr4, dstStr4, INET_ADDRSTRLEN) != nullptr)
                        {
                            gateway = dstStr4;
                            index = rt->rtm_index;
                        }
                        break;
                    }
                }
@@ -463,7 +482,10 @@ QString NetworkUtilities::getGatewayAndIface()
                               &(reinterpret_cast<struct sockaddr_in6*>(sa_tab[RTAX_GATEWAY]))->sin6_addr,
                               sizeof(struct in6_addr));
                        if (inet_ntop(AF_INET6, srcStr6, dstStr6, INET6_ADDRSTRLEN) != nullptr)
                        {
                            gateway = dstStr6;
                            index = rt->rtm_index;
                        }
                        break;
                    }
                }
@@ -472,6 +494,6 @@ QString NetworkUtilities::getGatewayAndIface()
        free(buf);
    }
-    return gateway;
+    return { gateway, QNetworkInterface::interfaceFromIndex(index) };
 #endif
 }
@@ -6,7 +6,7 @@
 #include <QString>
 #include <QHostAddress>
 #include <QNetworkReply>
-
+#include <QtNetwork/qnetworkinterface.h>
 class NetworkUtilities : public QObject
 {
@@ -17,7 +17,7 @@ public:
    static bool checkIPv4Format(const QString &ip);
    static bool checkIpSubnetFormat(const QString &ip);
    static bool checkIpv6Enabled();
-    static QString getGatewayAndIface();
+    static QPair<QString, QNetworkInterface> getGatewayAndIface();
    // Returns the Interface Index that could Route to dst
    static int AdapterIndexTo(const QHostAddress& dst);
@@ -1,8 +1,11 @@
 #include "osSignalHandler.h"
 #include <QCoreApplication>
 #include <QMetaObject>
 #include <QSocketNotifier>
 #include "../amnezia_application.h"
 #if defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)
    #include <pthread.h>
    #include <signal.h>
@@ -15,7 +18,8 @@
 #endif
 #ifdef Q_OS_WIN
-    #include <QMetaObject>
+    #include <QAbstractNativeEventFilter>
    #include <windows.h>
 #endif
@@ -25,21 +29,30 @@ namespace
    static bool initialized = false;
 #ifdef Q_OS_WIN
-    static BOOL WINAPI consoleHandler(DWORD signal)
+    class WindowsCloseFilter : public QAbstractNativeEventFilter
    {
-        switch (signal) {
+    public:
-        case CTRL_CLOSE_EVENT:
+        bool nativeEventFilter(const QByteArray &eventType, void *message, qintptr *result) override
-        case CTRL_C_EVENT:
+        {
-        case CTRL_BREAK_EVENT:
+            MSG *msg = static_cast<MSG *>(message);
-        case CTRL_LOGOFF_EVENT:
+
-        case CTRL_SHUTDOWN_EVENT:
+            switch (msg->message) {
-            if (QCoreApplication::instance()) {
+            case WM_CLOSE: {
-                QMetaObject::invokeMethod(QCoreApplication::instance(), "quit", Qt::QueuedConnection);
+                const HWND active = GetActiveWindow();
                const HWND self = msg->hwnd;
                if (active != self) {
                    AmneziaApplication *app = qobject_cast<AmneziaApplication *>(QCoreApplication::instance());
                    if (app) {
                        QMetaObject::invokeMethod(app, "forceQuit", Qt::QueuedConnection);
                    }
                }
            }
-            return TRUE;
+            }
-        default: return FALSE;
+            return false;
-        }
+        };
-    }
+    };
    static WindowsCloseFilter *windowsFilter = nullptr;
 #endif
 #if defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)
@@ -53,7 +66,7 @@ namespace
        sigaddset(&set, SIGINT);
        sigaddset(&set, SIGTERM);
-        pthread_sigmask(SIBLOCK, &set, nullptr);
+        pthread_sigmask(SIG_BLOCK, &set, nullptr);
        signalFd = signalfd(-1, &set, SFD_NONBLOCK | SFD_CLOEXEC);
        if (signalFd < 0)
@@ -70,14 +83,16 @@ namespace
            }
        });
    }
-#elif defined(Q_OS_MACX)
+#elif defined(Q_OS_MACOS)
    static int signalPipe[2] = { -1, -1 };
    static QSocketNotifier *socketNotifier = nullptr;
    static void macSignalHandler(int)
    {
-        const char ch = 1;
+        if (signalPipe[1] >= 0) {
-        ::write(signalPipe[1], &ch, sizeof(ch));
+            const char ch = 1;
            ::write(signalPipe[1], &ch, sizeof(ch));
        }
    }
    static void setupUnixSignalHandler()
@@ -88,14 +103,6 @@ namespace
        ::fcntl(signalPipe[0], F_SETFL, O_NONBLOCK);
        ::fcntl(signalPipe[1], F_SETFL, O_NONBLOCK);
        struct sigaction sa {};
        sa.sa_handler = macSignalHandler;
        sigemptyset(&sa.sa_mask);
        sa.sa_flags = 0;
        sigaction(SIGINT, &sa, nullptr);
        sigaction(SIGTERM, &sa, nullptr);
        socketNotifier = new QSocketNotifier(signalPipe[0], QSocketNotifier::Read, QCoreApplication::instance());
        QObject::connect(socketNotifier, &QSocketNotifier::activated, QCoreApplication::instance(), [](int) {
@@ -103,6 +110,14 @@ namespace
            ::read(signalPipe[0], buf, sizeof(buf));
            QCoreApplication::quit();
        });
        struct sigaction sa {};
        sa.sa_handler = macSignalHandler;
        sigemptyset(&sa.sa_mask);
        sa.sa_flags = 0;
        sigaction(SIGINT, &sa, nullptr);
        sigaction(SIGTERM, &sa, nullptr);
    }
 #endif
@@ -111,6 +126,8 @@ namespace
 #if defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)
        if (socketNotifier) {
            socketNotifier->setEnabled(false);
            socketNotifier->deleteLater();
            socketNotifier = nullptr;
        }
        if (signalFd >= 0) {
@@ -119,8 +136,17 @@ namespace
        }
 #elif defined(Q_OS_MACOS)
        struct sigaction sa {};
        sa.sa_handler = SIG_DFL;
        sigemptyset(&sa.sa_mask);
        sa.sa_flags = 0;
        sigaction(SIGINT, &sa, nullptr);
        sigaction(SIGTERM, &sa, nullptr);
        if (socketNotifier) {
            socketNotifier->setEnabled(false);
            socketNotifier->deleteLater();
            socketNotifier = nullptr;
        }
        if (signalPipe[0] >= 0) {
@@ -133,6 +159,14 @@ namespace
            signalPipe[1] = -1;
        }
 #endif
 #ifdef Q_OS_WIN
        if (windowsFilter) {
            QCoreApplication::instance()->removeNativeEventFilter(windowsFilter);
            delete windowsFilter;
            windowsFilter = nullptr;
        }
 #endif
    }
 }
@@ -147,12 +181,13 @@ void OsSignalHandler::setup()
    initialized = true;
-#if (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)) || defined(Q_OS_MACX)
+#if (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)) || defined(Q_OS_MACOS)
    setupUnixSignalHandler();
 #endif
 #ifdef Q_OS_WIN
-    SetConsoleCtrlHandler(consoleHandler, TRUE);
+    windowsFilter = new WindowsCloseFilter();
    QCoreApplication::instance()->installNativeEventFilter(windowsFilter);
 #endif
    QObject::connect(QCoreApplication::instance(), &QCoreApplication::aboutToQuit, [] { cleanupUnixSignalHandler(); });
@@ -1,27 +0,0 @@
 #include "privileged_process.h"
 PrivilegedProcess::PrivilegedProcess() :
    IpcProcessInterfaceReplica()
 {
 }
 PrivilegedProcess::~PrivilegedProcess()
 {
    qDebug() << "PrivilegedProcess::~PrivilegedProcess()";
 }
 void PrivilegedProcess::waitForFinished(int msecs)
 {
    QSharedPointer<QEventLoop> loop(new QEventLoop);
    connect(this, &PrivilegedProcess::finished, this, [this, loop](int exitCode, QProcess::ExitStatus exitStatus) mutable{
        loop->quit();
        loop.clear();
    });
    QTimer::singleShot(msecs, this, [this, loop]() mutable {
        loop->quit();
        loop.clear();
    });
    loop->exec();
 }
@@ -1,24 +0,0 @@
 #ifndef PRIVILEGED_PROCESS_H
 #define PRIVILEGED_PROCESS_H
 #include <QObject>
 #include "rep_ipc_process_interface_replica.h"
 // This class is dangerous - instance of this class casted from base class,
 // so it support only functions
 // Do not add any members into it
 //
 class PrivilegedProcess : public IpcProcessInterfaceReplica
 {
    Q_OBJECT
 public:
    PrivilegedProcess();
    ~PrivilegedProcess() override;
    void waitForFinished(int msecs);
 };
 #endif // PRIVILEGED_PROCESS_H
@@ -11,7 +11,8 @@ QString amnezia::scriptFolder(amnezia::DockerContainer container)
    case DockerContainer::Cloak: return QLatin1String("openvpn_cloak");
    case DockerContainer::ShadowSocks: return QLatin1String("openvpn_shadowsocks");
    case DockerContainer::WireGuard: return QLatin1String("wireguard");
-    case DockerContainer::Awg: return QLatin1String("awg");
+    case DockerContainer::Awg2: return QLatin1String("awg");
    case DockerContainer::Awg: return QLatin1String("awg_legacy");
    case DockerContainer::Ipsec: return QLatin1String("ipsec");
    case DockerContainer::Xray: return QLatin1String("xray");
@@ -21,6 +21,7 @@ namespace amnezia::serialization
    namespace vless
    {
        QJsonObject Deserialize(const QString &vless, QString *alias, QString *errMessage);
        const QString Serialize(const VlessServerObject &server, const QString &alias);
    } // namespace vless
    namespace ss
@@ -42,6 +42,25 @@ struct VMessServerObject
 };
 struct VlessServerObject
 {
    QString address;
    QString id;  // UUID
    int port;
    QString flow = "xtls-rprx-vision";
    QString encryption = "none";
    QString network = "tcp";
    QString security = "reality";
    QString serverName;  // SNI
    QString publicKey;
    QString shortId;
    QString fingerprint = "chrome";
    QString spiderX = "";
    JSONSTRUCT_COMPARE(VlessServerObject, address, id, port, flow, encryption)
    JSONSTRUCT_REGISTER(VlessServerObject, F(address, id, port, flow, encryption, network, security, serverName, publicKey, shortId, fingerprint, spiderX))
 };
 namespace transfer
 {
@@ -252,5 +252,65 @@ QJsonObject Deserialize(const QString &str, QString *alias, QString *errMessage)
    root["inbounds"] = QJsonArray { inbound };
    return root;
 }
-} // namespace amnezia::serialization::vless
+
 const QString Serialize(const VlessServerObject &server, const QString &alias)
 {
    QUrl url;
    // Set basic URL components
    url.setScheme("vless");
    url.setUserInfo(server.id);
    url.setHost(server.address);
    url.setPort(server.port);
    QUrlQuery query;
    if (!server.network.isEmpty() && server.network != "tcp") {
        query.addQueryItem("type", server.network);
    }
    if (!server.encryption.isEmpty()) {
        query.addQueryItem("encryption", server.encryption);
    }
    if (!server.security.isEmpty() && server.security != "none") {
        query.addQueryItem("security", server.security);
    }
    if (!server.flow.isEmpty() && (server.security == "xtls" || server.security == "reality")) {
        query.addQueryItem("flow", server.flow);
    }
    if (!server.serverName.isEmpty()) {
        query.addQueryItem("sni", server.serverName);
    }
    if (server.security == "reality") {
        if (!server.fingerprint.isEmpty()) {
            query.addQueryItem("fp", server.fingerprint);
        }
        if (!server.publicKey.isEmpty()) {
            query.addQueryItem("pbk", server.publicKey);
        }
        if (!server.shortId.isEmpty()) {
            query.addQueryItem("sid", server.shortId);
        }
        if (!server.spiderX.isEmpty()) {
            query.addQueryItem("spiderX", server.spiderX);
        }
    }
    url.setQuery(query);
    if (!alias.isEmpty()) {
        url.setFragment(alias);
    }
    return url.toString(QUrl::ComponentFormattingOption::FullyEncoded);
 }
 }
@@ -440,18 +440,6 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {
  if (!obj.value("I5").isNull()) {
    config.m_specialJunk["I5"] = obj.value("I5").toString();
  }
  if (!obj.value("J1").isNull()) {
    config.m_controlledJunk["J1"] = obj.value("J1").toString();
  }
  if (!obj.value("J2").isNull()) {
    config.m_controlledJunk["J2"] = obj.value("J2").toString();
  }
  if (!obj.value("J3").isNull()) {
    config.m_controlledJunk["J3"] = obj.value("J3").toString();
  }
  if (!obj.value("Itime").isNull()) {
    config.m_specialHandshakeTimeout = obj.value("Itime").toString();
  }
  return true;
 }
@@ -152,12 +152,6 @@ QString InterfaceConfig::toWgConf(const QMap<QString, QString>& extra) const {
  for (const QString& key : m_specialJunk.keys()) {
    out << key << " = " << m_specialJunk[key] << "\n";
  }
  for (const QString& key : m_controlledJunk.keys()) {
    out << key << " = " << m_controlledJunk[key] << "\n";
  }
  if (!m_specialHandshakeTimeout.isNull()) {
    out << "Itime = " << m_specialHandshakeTimeout << "\n";
  }
  // If any extra config was provided, append it now.
  for (const QString& key : extra.keys()) {
@@ -8,7 +8,7 @@
 #include <QList>
 #include <QMap>
 #include <QString>
-
+#include <QMap>
 #include "ipaddress.h"
 class QJsonObject;
@@ -57,8 +57,6 @@ class InterfaceConfig {
  QString m_underloadPacketMagicHeader;
  QString m_transportPacketMagicHeader;
  QMap<QString, QString> m_specialJunk;
  QMap<QString, QString> m_controlledJunk;
  QString m_specialHandshakeTimeout;
  QJsonObject toJson() const;
  QString toWgConf(
@@ -0,0 +1,6 @@
 <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
 <path d="M15 21V17C15 16.4696 15.2107 15.9609 15.5858 15.5858C15.9609 15.2107 16.4696 15 17 15H21" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
 <path d="M7 4V6C7.21572 6.61347 7.62494 7.14024 8.16602 7.50096C8.7071 7.86168 9.35075 8.03682 10 8V8C10.5304 8 11.0391 8.21071 11.4142 8.58579C11.7893 8.96086 12 9.46957 12 10C12 10.5304 12.2107 11.0391 12.5858 11.4142C12.9609 11.7893 13.4696 12 14 12C14.5304 12 15.0391 11.7893 15.4142 11.4142C15.7893 11.0391 16 10.5304 16 10C16 9.46957 16.2107 8.96086 16.5858 8.58579C16.9609 8.21071 17.4696 8 18 8H21" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
 <path d="M3 11H5C5.53043 11 6.03914 11.2107 6.41421 11.5858C6.78929 11.9609 7 12.4696 7 13V14C7 14.5304 7.21071 15.0391 7.58579 15.4142C7.96086 15.7893 8.46957 16 9 16C9.53043 16 10.0391 16.2107 10.4142 16.5858C10.7893 16.9609 11 17.4696 11 18V22" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
 <path d="M12 22C17.5228 22 22 17.5228 22 12C22 6.47715 17.5228 2 12 2C6.47715 2 2 6.47715 2 12C2 17.5228 6.47715 22 12 22Z" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
 </svg>
@@ -0,0 +1,3 @@
 <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
 <path d="M18.1777 8C23.2737 8 23.2737 16 18.1777 16C13.0827 16 11.0447 8 5.43875 8C0.85375 8 0.85375 16 5.43875 16C11.0447 16 13.0828 8 18.1788 8H18.1777Z" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
 </svg>
@@ -0,0 +1,4 @@
 <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
 <path d="M17 2H7C5.89543 2 5 2.89543 5 4V20C5 21.1046 5.89543 22 7 22H17C18.1046 22 19 21.1046 19 20V4C19 2.89543 18.1046 2 17 2Z" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
 <path d="M12 18H12.01" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
 </svg>
@@ -5,6 +5,9 @@
 #include <stdint.h>
 #include <QCoreApplication>
 #include <QDateTime>
 #include <QDebug>
 #include <QDir>
 #include <QFileInfo>
 #include <QHostAddress>
@@ -12,12 +15,13 @@
 #include <QJsonDocument>
 #include <QJsonObject>
 #include <QJsonValue>
 #include <QLocalSocket>
 #include <QObject>
 #include <QStandardPaths>
 #include <QTimer>
 #include "ipaddress.h"
 #include "leakdetector.h"
 #include "logger.h"
 #include "models/server.h"
 #include "daemon/daemonerrors.h"
 #include "protocols/protocols_defs.h"
@@ -115,7 +119,6 @@ void LocalSocketController::daemonConnected() {
 }
 void LocalSocketController::activate(const QJsonObject &rawConfig) {
  QString protocolName = rawConfig.value("protocol").toString();
  int splitTunnelType = rawConfig.value("splitTunnelType").toInt();
@@ -132,13 +135,16 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) {
  //  json.insert("hopindex", QJsonValue((double)hop.m_hopindex));
  json.insert("privateKey", wgConfig.value(amnezia::config_key::client_priv_key));
  json.insert("deviceIpv4Address", wgConfig.value(amnezia::config_key::client_ip));
  m_deviceIpv4 = wgConfig.value(amnezia::config_key::client_ip).toString();
  // set up IPv6 unique-local-address, ULA, with "fd00::/8" prefix, not globally routable.
  // this will be default IPv6 gateway, OS recognizes that IPv6 link is local and switches to IPv4.
  // Otherwise some OSes (Linux) try IPv6 forever and hang.
  // https://en.wikipedia.org/wiki/Unique_local_address (RFC 4193)
  // https://man7.org/linux/man-pages/man5/gai.conf.5.html
-  json.insert("deviceIpv6Address", "fd58:baa6:dead::1"); // simply "dead::1" is globally-routable, don't use it
+
  // simply "dead::1" is globally-routable, don't use it
  json.insert("deviceIpv6Address", "fd58:baa6:dead::1");
  json.insert("serverPublicKey", wgConfig.value(amnezia::config_key::server_pub_key));
  json.insert("serverPskKey", wgConfig.value(amnezia::config_key::psk_key));
@@ -220,7 +226,6 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) {
  json.insert("allowedIPAddressRanges", jsAllowedIPAddesses);
  QJsonArray jsExcludedAddresses;
  jsExcludedAddresses.append(wgConfig.value(amnezia::config_key::hostName));
  if (splitTunnelType == 2) {
@@ -255,50 +260,33 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) {
    json.insert(amnezia::config_key::specialJunk3, wgConfig.value(amnezia::config_key::specialJunk3));
    json.insert(amnezia::config_key::specialJunk4, wgConfig.value(amnezia::config_key::specialJunk4));
    json.insert(amnezia::config_key::specialJunk5, wgConfig.value(amnezia::config_key::specialJunk5));
    json.insert(amnezia::config_key::controlledJunk1, wgConfig.value(amnezia::config_key::controlledJunk1));
    json.insert(amnezia::config_key::controlledJunk2, wgConfig.value(amnezia::config_key::controlledJunk2));
    json.insert(amnezia::config_key::controlledJunk3, wgConfig.value(amnezia::config_key::controlledJunk3));
    json.insert(amnezia::config_key::specialHandshakeTimeout, wgConfig.value(amnezia::config_key::specialHandshakeTimeout));
  } else if (!wgConfig.value(amnezia::config_key::junkPacketCount).isUndefined()
             && !wgConfig.value(amnezia::config_key::junkPacketMinSize).isUndefined()
             && !wgConfig.value(amnezia::config_key::junkPacketMaxSize).isUndefined()
             && !wgConfig.value(amnezia::config_key::initPacketJunkSize).isUndefined()
             && !wgConfig.value(amnezia::config_key::responsePacketJunkSize).isUndefined()
-             // && !wgConfig.value(amnezia::config_key::cookieReplyPacketJunkSize).isUndefined()
+             && !wgConfig.value(amnezia::config_key::cookieReplyPacketJunkSize).isUndefined()
-             // && !wgConfig.value(amnezia::config_key::transportPacketJunkSize).isUndefined()
+             && !wgConfig.value(amnezia::config_key::transportPacketJunkSize).isUndefined()
             && !wgConfig.value(amnezia::config_key::initPacketMagicHeader).isUndefined()
             && !wgConfig.value(amnezia::config_key::responsePacketMagicHeader).isUndefined()
             && !wgConfig.value(amnezia::config_key::underloadPacketMagicHeader).isUndefined()
-             && !wgConfig.value(amnezia::config_key::transportPacketMagicHeader).isUndefined()
+             && !wgConfig.value(amnezia::config_key::transportPacketMagicHeader).isUndefined()) {
 /*             && !wgConfig.value(amnezia::config_key::specialJunk1).isUndefined()
             && !wgConfig.value(amnezia::config_key::specialJunk2).isUndefined()
             && !wgConfig.value(amnezia::config_key::specialJunk3).isUndefined()
             && !wgConfig.value(amnezia::config_key::specialJunk4).isUndefined()
             && !wgConfig.value(amnezia::config_key::specialJunk5).isUndefined()
             && !wgConfig.value(amnezia::config_key::controlledJunk1).isUndefined()
             && !wgConfig.value(amnezia::config_key::controlledJunk2).isUndefined()
             && !wgConfig.value(amnezia::config_key::controlledJunk3).isUndefined()
             && !wgConfig.value(amnezia::config_key::specialHandshakeTimeout).isUndefined()*/) {
    json.insert(amnezia::config_key::junkPacketCount, wgConfig.value(amnezia::config_key::junkPacketCount));
    json.insert(amnezia::config_key::junkPacketMinSize, wgConfig.value(amnezia::config_key::junkPacketMinSize));
    json.insert(amnezia::config_key::junkPacketMaxSize, wgConfig.value(amnezia::config_key::junkPacketMaxSize));
    json.insert(amnezia::config_key::initPacketJunkSize, wgConfig.value(amnezia::config_key::initPacketJunkSize));
    json.insert(amnezia::config_key::responsePacketJunkSize, wgConfig.value(amnezia::config_key::responsePacketJunkSize));
-    // json.insert(amnezia::config_key::cookieReplyPacketJunkSize, wgConfig.value(amnezia::config_key::cookieReplyPacketJunkSize));
+    json.insert(amnezia::config_key::cookieReplyPacketJunkSize, wgConfig.value(amnezia::config_key::cookieReplyPacketJunkSize));
-    // json.insert(amnezia::config_key::transportPacketJunkSize, wgConfig.value(amnezia::config_key::transportPacketJunkSize));
+    json.insert(amnezia::config_key::transportPacketJunkSize, wgConfig.value(amnezia::config_key::transportPacketJunkSize));
    json.insert(amnezia::config_key::initPacketMagicHeader, wgConfig.value(amnezia::config_key::initPacketMagicHeader));
    json.insert(amnezia::config_key::responsePacketMagicHeader, wgConfig.value(amnezia::config_key::responsePacketMagicHeader));
    json.insert(amnezia::config_key::underloadPacketMagicHeader, wgConfig.value(amnezia::config_key::underloadPacketMagicHeader));
    json.insert(amnezia::config_key::transportPacketMagicHeader, wgConfig.value(amnezia::config_key::transportPacketMagicHeader));
-    // json.insert(amnezia::config_key::specialJunk1, wgConfig.value(amnezia::config_key::specialJunk1));
+    json.insert(amnezia::config_key::specialJunk1, wgConfig.value(amnezia::config_key::specialJunk1));
-    // json.insert(amnezia::config_key::specialJunk2, wgConfig.value(amnezia::config_key::specialJunk2));
+    json.insert(amnezia::config_key::specialJunk2, wgConfig.value(amnezia::config_key::specialJunk2));
-    // json.insert(amnezia::config_key::specialJunk3, wgConfig.value(amnezia::config_key::specialJunk3));
+    json.insert(amnezia::config_key::specialJunk3, wgConfig.value(amnezia::config_key::specialJunk3));
-    // json.insert(amnezia::config_key::specialJunk4, wgConfig.value(amnezia::config_key::specialJunk4));
+    json.insert(amnezia::config_key::specialJunk4, wgConfig.value(amnezia::config_key::specialJunk4));
-    // json.insert(amnezia::config_key::specialJunk5, wgConfig.value(amnezia::config_key::specialJunk5));
+    json.insert(amnezia::config_key::specialJunk5, wgConfig.value(amnezia::config_key::specialJunk5));
    // json.insert(amnezia::config_key::controlledJunk1, wgConfig.value(amnezia::config_key::controlledJunk1));
    // json.insert(amnezia::config_key::controlledJunk2, wgConfig.value(amnezia::config_key::controlledJunk2));
    // json.insert(amnezia::config_key::controlledJunk3, wgConfig.value(amnezia::config_key::controlledJunk3));
    // json.insert(amnezia::config_key::specialHandshakeTimeout, wgConfig.value(amnezia::config_key::specialHandshakeTimeout));
  }
  write(json);
@@ -449,6 +437,7 @@ void LocalSocketController::parseCommand(const QByteArray& command) {
  }
  if (type == "status") {
    QJsonValue serverIpv4Gateway = obj.value("serverIpv4Gateway");
    if (!serverIpv4Gateway.isString()) {
      logger.error() << "Unexpected serverIpv4Gateway value";
@@ -493,6 +482,11 @@ void LocalSocketController::parseCommand(const QByteArray& command) {
    logger.debug() << "Handshake completed with:"
                   << pubkey.toString();
    checkStatus();
    emit statusUpdated("", m_deviceIpv4, 0, 0);
    emit connected(pubkey.toString());
    return;
  }
@@ -12,6 +12,7 @@
 #include "controllerimpl.h"
 class QJsonObject;
 class LocalSocketController final : public ControllerImpl {
@@ -58,6 +59,7 @@ class LocalSocketController final : public ControllerImpl {
  QByteArray m_buffer;
  QString m_deviceIpv4;
  std::function<void(const QString&)> m_logCallback = nullptr;
  QTimer m_initializingTimer;
@@ -11,7 +11,6 @@
 #include "logger.h"
 //#include "mozillavpn.h"
 #include "networkwatcherimpl.h"
 #include "platforms/dummy/dummynetworkwatcher.h"
 //#include "settingsholder.h"
 #ifdef MZ_WINDOWS
@@ -51,7 +50,7 @@ NetworkWatcher::NetworkWatcher() { MZ_COUNT_CTOR(NetworkWatcher); }
 NetworkWatcher::~NetworkWatcher() { MZ_COUNT_DTOR(NetworkWatcher); }
 void NetworkWatcher::initialize() {
-  logger.debug() << "Initialize";
+  logger.debug() << "Initialize NetworkWatcher";
 #if defined(MZ_WINDOWS)
  m_impl = new WindowsNetworkWatcher(this);
@@ -69,59 +68,39 @@ void NetworkWatcher::initialize() {
  m_impl = new DummyNetworkWatcher(this);
 #endif
  connect(m_impl, &NetworkWatcherImpl::unsecuredNetwork, this,
          &NetworkWatcher::unsecuredNetwork);
  connect(m_impl, &NetworkWatcherImpl::networkChanged, this,
-          &NetworkWatcher::networkChange);
+          &NetworkWatcher::networkChanged);
-
+  connect(m_impl, &NetworkWatcherImpl::wakeup, this,
          &NetworkWatcher::wakeup);
  m_impl->initialize();
-
+  // Enable sleep/wake monitoring for VPN auto-reconnection
-// TODO: IMPL FOR AMNEZIA
+  logger.debug() << "Starting NetworkWatcher for sleep/wake monitoring";
-#if 0
+  logger.debug() << "About to call m_impl->start()";
-  SettingsHolder* settingsHolder = SettingsHolder::instance();
+  try {
  Q_ASSERT(settingsHolder);
  m_active = settingsHolder->unsecuredNetworkAlert() ||
             settingsHolder->captivePortalAlert();
  m_reportUnsecuredNetwork = settingsHolder->unsecuredNetworkAlert();
  if (m_active) {
    m_impl->start();
    logger.debug() << "m_impl->start() completed successfully";
  } catch (const std::exception& e) {
    logger.error() << "Exception in m_impl->start():" << e.what();
  } catch (...) {
    logger.error() << "Unknown exception in m_impl->start()";
  }
-
+  m_active = true;
-  connect(settingsHolder, &SettingsHolder::unsecuredNetworkAlertChanged, this,
+  m_reportUnsecuredNetwork = false; // Disable unsecured network alerts for Amnezia
          &NetworkWatcher::settingsChanged);
  connect(settingsHolder, &SettingsHolder::captivePortalAlertChanged, this,
          &NetworkWatcher::settingsChanged);
 #endif
 }
 void NetworkWatcher::settingsChanged() {
-// TODO: IMPL FOR AMNEZIA
+  // For Amnezia: Keep NetworkWatcher always active for sleep/wake monitoring
-#if 0
+  logger.debug() << "NetworkWatcher settings changed - keeping sleep monitoring active";
  SettingsHolder* settingsHolder = SettingsHolder::instance();
  m_active = settingsHolder->unsecuredNetworkAlert() ||
             settingsHolder->captivePortalAlert();
  m_reportUnsecuredNetwork = settingsHolder->unsecuredNetworkAlert();
  if (m_active) {
    logger.debug()
        << "Starting Network Watcher; Reporting of Unsecured Networks: "
        << m_reportUnsecuredNetwork;
    m_impl->start();
  } else {
    logger.debug() << "Stopping Network Watcher";
    m_impl->stop();
  }
 #endif
 }
 void NetworkWatcher::unsecuredNetwork(const QString& networkName,
                                      const QString& networkId) {
  logger.debug() << "Unsecured network:" << logger.sensitive(networkName)
                 << "id:" << logger.sensitive(networkId);
 #ifndef UNIT_TEST
  if (!m_reportUnsecuredNetwork) {
    logger.debug() << "Disabled. Ignoring unsecured network";
@@ -32,7 +32,8 @@ public:
    QNetworkInformation::Reachability getReachability();
 signals:
-    void networkChange();
+    void networkChanged();
    void wakeup();
 private:
    void settingsChanged();
@@ -41,6 +41,8 @@ signals:
    // TODO: Only windows-networkwatcher has this, the other plattforms should
    // too.
    void networkChanged(QString newBSSID);
    void wakeup();
 private:
    bool m_active = false;
@@ -41,6 +41,7 @@ void PingHelper::start(const QString& serverIpv4Gateway,
  m_gateway = QHostAddress(serverIpv4Gateway);
  m_source = QHostAddress(deviceIpv4Address.section('/', 0, 0));
  m_pingSender = PingSenderFactory::create(m_source, this);
  // Some platforms require root access to send and receive ICMP pings. If
@@ -53,8 +54,10 @@ void PingHelper::start(const QString& serverIpv4Gateway,
  connect(m_pingSender, &PingSender::recvPing, this, &PingHelper::pingReceived,
          Qt::QueuedConnection);
-  connect(m_pingSender, &PingSender::criticalPingError, this,
+  connect(m_pingSender, &PingSender::criticalPingError, this, [this]() {
-          []() { logger.info() << "Encountered Unrecoverable ping error"; });
+        logger.info() << "Encountered Unrecoverable ping error";
      emit connectionLose();
  });
  // Reset the ping statistics
  m_sequence = 0;
@@ -33,6 +33,8 @@ class PingHelper final : public QObject {
 signals:
  void pingSentAndReceived(qint64 msec);
  void connectionLose();
 private:
  void nextPing();
@@ -5,27 +5,26 @@
 #include "pingsenderfactory.h"
 #if defined(MZ_LINUX) || defined(MZ_ANDROID)
-//#  include "platforms/linux/linuxpingsender.h"
+    #  include "platforms/linux/linuxpingsender.h"
 #elif defined(MZ_MACOS) || defined(MZ_IOS)
-#  include "platforms/macos/macospingsender.h"
+    #  include "platforms/macos/macospingsender.h"
 #elif defined(MZ_WINDOWS)
-#  include "platforms/windows/windowspingsender.h"
+    #  include "platforms/windows/windowspingsender.h"
-#elif defined(MZ_DUMMY) || defined(UNIT_TEST)
+#elif defined(MZ_WASM) || defined(UNIT_TEST)
-#  include "platforms/dummy/dummypingsender.h"
+    #  include "platforms/dummy/dummypingsender.h"
 #else
-#  error "Unsupported platform"
+    #  error "Unsupported platform"
 #endif
 PingSender* PingSenderFactory::create(const QHostAddress& source,
                                      QObject* parent) {
 #if defined(MZ_LINUX) || defined(MZ_ANDROID)
-    return nullptr;
+    return new LinuxPingSender(source, parent);
    //  return new LinuxPingSender(source, parent);
 #elif defined(MZ_MACOS) || defined(MZ_IOS)
-  return new MacOSPingSender(source, parent);
+    return new MacOSPingSender(source, parent);
 #elif defined(MZ_WINDOWS)
-  return new WindowsPingSender(source, parent);
+    return new WindowsPingSender(source, parent);
 #else
-  return new DummyPingSender(source, parent);
+    return new DummyPingSender(source, parent);
 #endif
 }
@@ -10,9 +10,10 @@ class QHostAddress;
 class QObject;
 class PingSenderFactory final {
- public:
+public:
-  PingSenderFactory() = delete;
+    PingSenderFactory() = delete;
-  static PingSender* create(const QHostAddress& source, QObject* parent);
+    static PingSender* create(const QHostAddress& source, QObject* parent);
 };
 #endif  // PINGSENDERFACTORY_H
@@ -101,7 +101,9 @@ bool AndroidController::initialize()
        {"onAuthResult", "(Z)V", reinterpret_cast<void *>(onAuthResult)},
        {"decodeQrCode", "(Ljava/lang/String;)Z", reinterpret_cast<bool *>(decodeQrCode)},
        {"onImeInsetsChanged", "(I)V", reinterpret_cast<void *>(onImeInsetsChanged)},
-        {"onSystemBarsInsetsChanged", "(II)V", reinterpret_cast<void *>(onSystemBarsInsetsChanged)}
+        {"onSystemBarsInsetsChanged", "(II)V", reinterpret_cast<void *>(onSystemBarsInsetsChanged)},
        {"onActivityPaused", "()V", reinterpret_cast<void *>(onActivityPaused)},
        {"onActivityResumed", "()V", reinterpret_cast<void *>(onActivityResumed)}
    };
    QJniEnvironment env;
@@ -305,6 +307,16 @@ void AndroidController::requestNotificationPermission()
    callActivityMethod("requestNotificationPermission", "()V");
 }
 void AndroidController::showVpnStateNotification(const QString &title, const QString &message)
 {
    if (!isNotificationPermissionGranted()) {
        return;
    }
    callActivityMethod("showVpnStateNotification", "(Ljava/lang/String;Ljava/lang/String;)V",
                       QJniObject::fromString(title).object<jstring>(),
                       QJniObject::fromString(message).object<jstring>());
 }
 bool AndroidController::requestAuthentication()
 {
    QEventLoop wait;
@@ -558,3 +570,22 @@ void AndroidController::onSystemBarsInsetsChanged(JNIEnv *env, jobject thiz, jin
    emit AndroidController::instance()->systemBarsInsetsChanged(navBarHeightDp, statusBarHeightDp);
 }
 // static
 void AndroidController::onActivityPaused(JNIEnv *env, jobject thiz)
 {
    Q_UNUSED(env);
    Q_UNUSED(thiz);
    emit AndroidController::instance()->activityPaused();
 }
 // static
 void AndroidController::onActivityResumed(JNIEnv *env, jobject thiz)
 {
    Q_UNUSED(env);
    Q_UNUSED(thiz);
    emit AndroidController::instance()->activityResumed();
 }
@@ -53,6 +53,7 @@ public:
    QPixmap getAppIcon(const QString &package, QSize *size, const QSize &requestedSize);
    bool isNotificationPermissionGranted();
    void requestNotificationPermission();
    void showVpnStateNotification(const QString &title, const QString &message);
    bool requestAuthentication();
    void sendTouch(float x, float y);
@@ -75,6 +76,8 @@ signals:
    void authenticationResult(bool result);
    void imeInsetsChanged(int heightDp);
    void systemBarsInsetsChanged(int navBarHeightDp, int statusBarHeightDp);
    void activityPaused();
    void activityResumed();
 private:
    bool isWaitingStatus = true;
@@ -105,6 +108,8 @@ private:
    static bool decodeQrCode(JNIEnv *env, jobject thiz, jstring data);
    static void onImeInsetsChanged(JNIEnv *env, jobject thiz, jint heightDp);
    static void onSystemBarsInsetsChanged(JNIEnv *env, jobject thiz, jint navBarHeightDp, jint statusBarHeightDp);
    static void onActivityPaused(JNIEnv *env, jobject thiz);
    static void onActivityResumed(JNIEnv *env, jobject thiz);
    template <typename Ret, typename ...Args>
    static auto callActivityMethod(const char *methodName, const char *signature, Args &&...args);
@@ -0,0 +1,19 @@
 #include "android_notificationhandler.h"
 #include "android_controller.h"
 AndroidNotificationHandler::AndroidNotificationHandler(QObject *parent)
    : NotificationHandler(parent)
 {
 }
 void AndroidNotificationHandler::notify(Message type, const QString &title, const QString &message, int timerMsec)
 {
    Q_UNUSED(type);
    Q_UNUSED(timerMsec);
    // Permission is checked on the Kotlin side as well; avoid JNI if already denied.
    if (!AndroidController::instance()->isNotificationPermissionGranted()) {
        return;
    }
    AndroidController::instance()->showVpnStateNotification(title, message);
 }
@@ -0,0 +1,16 @@
 #ifndef ANDROID_NOTIFICATIONHANDLER_H
 #define ANDROID_NOTIFICATIONHANDLER_H
 #include "ui/notificationhandler.h"
 class AndroidNotificationHandler final : public NotificationHandler {
    Q_OBJECT
 public:
    explicit AndroidNotificationHandler(QObject *parent = nullptr);
 protected:
    void notify(Message type, const QString &title, const QString &message, int timerMsec) override;
 };
 #endif // ANDROID_NOTIFICATIONHANDLER_H
@@ -126,12 +126,11 @@ extension PacketTunnelProvider {
        }
        vpnReachability.startTracking { [weak self] status in
-            guard status == .reachableViaWiFi else { return }
+            self?.handleOpenVPNReachabilityChange(status)
            self?.ovpnAdapter?.reconnect(afterTimeInterval: 5)
        }
        startHandler = completionHandler
-        ovpnAdapter?.connect(using: packetFlow)
+        ovpnAdapter?.connect(using: openVPNPacketFlow())
    }
    func handleOpenVPNStatusMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)? = nil) {
@@ -153,7 +152,7 @@ extension PacketTunnelProvider {
    }
    func stopOpenVPN(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
-        ovpnLog(.info, message: "Stopping tunnel: reason: \(reason.description)")
+        ovpnLog(.info, message: "Stopping tunnel: reason: \(reason.amneziaDescription)")
        stopHandler = completionHandler
        if vpnReachability.isTracking {
@@ -293,5 +292,3 @@ extension PacketTunnelProvider: OpenVPNAdapterDelegate {
        ovpnLog(.info, message: logMessage)
    }
 }
 extension NEPacketTunnelFlow: OpenVPNAdapterPacketFlow {}
@@ -94,15 +94,24 @@ extension PacketTunnelProvider {
            }
        } catch {
            wg_log(.error, message: "Can't parse WG config: \(error.localizedDescription)")
-            completionHandler(nil)
+            errorNotifier.notify(PacketTunnelProviderError.savedProtocolConfigurationIsInvalid)
            completionHandler(PacketTunnelProviderError.savedProtocolConfigurationIsInvalid)
            return
        }
    }
    func handleWireguardStatusMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)? = nil) {
        guard let completionHandler = completionHandler else { return }
-        wgAdapter?.getRuntimeConfiguration { settings in
+        guard let wgAdapter = wgAdapter else {
-            let components = settings!.components(separatedBy: "\n")
+            completionHandler(nil)
            return
        }
        wgAdapter.getRuntimeConfiguration { settings in
            guard let settings = settings else {
                completionHandler(nil)
                return
            }
            let components = settings.components(separatedBy: "\n")
            var settingsDictionary: [String: String] = [:]
            for component in components {
@@ -131,7 +140,7 @@ extension PacketTunnelProvider {
        }
    }
-    private func handleWireguardAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)? = nil) {
+    func handleWireguardAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)? = nil) {
        guard let completionHandler = completionHandler else { return }
        if messageData.count == 1 && messageData[0] == 0 {
            wgAdapter?.getRuntimeConfiguration { settings in
@@ -176,7 +185,7 @@ extension PacketTunnelProvider {
    }
    func stopWireguard(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
-        wg_log(.info, message: "Stopping tunnel: reason: \(reason.description)")
+        wg_log(.info, message: "Stopping tunnel: reason: \(reason.amneziaDescription)")
        wgAdapter?.stop { error in
            ErrorNotifier.removeLastErrorFile()
@@ -21,6 +21,44 @@ extension Constants {
 }
 extension PacketTunnelProvider {
    private func applyXraySplitTunnel(_ xrayConfig: XrayConfig,
                                      settings: NEPacketTunnelNetworkSettings) {
        guard let splitTunnelType = xrayConfig.splitTunnelType else {
            return
        }
        guard let splitTunnelSites = xrayConfig.splitTunnelSites else {
            xrayLog(.error, message: "Split tunnel sites are not set")
            return
        }
        if splitTunnelType == 1 {
            var ipv4IncludedRoutes = [NEIPv4Route]()
            for allowedIPString in splitTunnelSites {
                if let allowedIP = IPAddressRange(from: allowedIPString) {
                    ipv4IncludedRoutes.append(NEIPv4Route(
                        destinationAddress: "\(allowedIP.address)",
                        subnetMask: "\(allowedIP.subnetMask())"))
                }
            }
            settings.ipv4Settings?.includedRoutes = ipv4IncludedRoutes
        } else if splitTunnelType == 2 {
            var ipv4ExcludedRoutes = [NEIPv4Route]()
            for excludedIPString in splitTunnelSites {
                if let excludedIP = IPAddressRange(from: excludedIPString) {
                    ipv4ExcludedRoutes.append(NEIPv4Route(
                        destinationAddress: "\(excludedIP.address)",
                        subnetMask: "\(excludedIP.subnetMask())"))
                }
            }
            settings.ipv4Settings?.excludedRoutes = ipv4ExcludedRoutes
        }
    }
    func startXray(completionHandler: @escaping (Error?) -> Void) {
        // Xray configuration
@@ -72,6 +110,7 @@ extension PacketTunnelProvider {
            settings.dnsSettings = !dnsArray.isEmpty
            ? NEDNSSettings(servers: dnsArray)
            : NEDNSSettings(servers: ["1.1.1.1"])
            applyXraySplitTunnel(xrayConfig, settings: settings)
            let xrayConfigData = xrayConfig.config.data(using: .utf8)
@@ -107,6 +146,8 @@ extension PacketTunnelProvider {
                    return
                }
                self?.updateActiveInterfaceIndexForCurrentPath()
                // Launch xray
                self?.setupAndStartXray(configData: updatedData) { xrayError in
                    if let xrayError {
@@ -133,6 +174,15 @@ extension PacketTunnelProvider {
        completionHandler()
    }
    func sockCallback(fd: uintptr_t) {
        if activeIfaceIdx != 0 {
            withUnsafePointer(to: activeIfaceIdx) { ptr in
                setsockopt(Int32(fd), IPPROTO_IP, IP_BOUND_IF, ptr, socklen_t(MemoryLayout<UInt32>.size))
                setsockopt(Int32(fd), IPPROTO_IPV6, IPV6_BOUND_IF, ptr, socklen_t(MemoryLayout<UInt32>.size))
            }
        }
    }
    private func setupAndStartXray(configData: Data,
                                   completionHandler: @escaping (Error?) -> Void) {
        let path = Constants.cachesDirectory.appendingPathComponent("config.json", isDirectory: false).path
@@ -142,6 +192,17 @@ extension PacketTunnelProvider {
            return
        }
        updateActiveInterfaceIndexForCurrentPath()
        let ctx = Unmanaged.passUnretained(self).toOpaque()
        let cb: libxray_sockcallback = { (fd, ctx) in
            guard let ctx = ctx else { return }
            let instance = Unmanaged<PacketTunnelProvider>.fromOpaque(ctx).takeUnretainedValue()
            instance.sockCallback(fd: fd)
        }
        LibXraySetSockCallback(cb, ctx)
        LibXrayRunXray(nil,
                       path,
                       Int64.max)
@@ -1,5 +1,6 @@
 import Foundation
 import NetworkExtension
 import Network
 import os
 import Darwin
 import OpenVPNAdapter
@@ -38,6 +39,17 @@ struct Constants {
 class PacketTunnelProvider: NEPacketTunnelProvider {
    var wgAdapter: WireGuardAdapter?
    var ovpnAdapter: OpenVPNAdapter?
    private lazy var openVPNPacketFlowAdapter = PacketTunnelFlowAdapter(flow: packetFlow)
    private let pathMonitorQueue = DispatchQueue(label: Constants.processQueueName + ".path-monitor")
    private let networkChangeQueue = DispatchQueue(label: Constants.processQueueName + ".network-change")
    private let pathMonitor = NWPathMonitor()
    private var didReceiveInitialPathUpdate = false
    private var currentPath: Network.NWPath?
    private var currentPathSignature: String?
    private var pendingOpenVPNReconnectWorkItem: DispatchWorkItem?
    private var pendingNetworkChangeWorkItem: DispatchWorkItem?
    private var isApplyingNetworkChange = false
    private var lastOpenVPNReachabilityStatus: OpenVPNReachabilityStatus?
    var splitTunnelType: Int?
    var splitTunnelSites: [String]?
@@ -48,7 +60,97 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
    var stopHandler: (() -> Void)?
    var protoType: TunnelProtoType?
    var activeIfaceIdx: UInt32 = 0
    func openVPNPacketFlow() -> OpenVPNAdapterPacketFlow {
        openVPNPacketFlowAdapter
    }
    override init() {
        super.init()
        pathMonitor.pathUpdateHandler = { [weak self] path in
            guard let self else { return }
            self.currentPath = path
            let signature = self.pathSignature(for: path)
            let hasMeaningfulChange = self.currentPathSignature != signature
            self.currentPathSignature = signature
            self.updateActiveInterfaceIndex(for: path)
            guard self.didReceiveInitialPathUpdate else {
                self.didReceiveInitialPathUpdate = true
                return
            }
            guard hasMeaningfulChange, let proto = self.protoType else { return }
            // WireGuard/AWG manages network changes internally in its own adapter.
            if proto == .wireguard {
                return
            }
            if proto == .openvpn {
                self.scheduleOpenVPNReconnect(reason: "NWPath changed")
                return
            }
            if self.isApplyingNetworkChange || self.reasserting {
                xrayLog(.debug, message: "Ignoring path change while xray restart is in progress")
                return
            }
            self.scheduleNetworkChangeHandling(for: proto, path: path)
        }
        pathMonitor.start(queue: pathMonitorQueue)
        currentPath = pathMonitor.currentPath
        currentPathSignature = pathSignature(for: pathMonitor.currentPath)
    }
    func updateActiveInterfaceIndex(for path: Network.NWPath?) {
        guard let path else {
            activeIfaceIdx = 0
            return
        }
        let preferredTypes: [NWInterface.InterfaceType] = [.wiredEthernet, .wifi, .cellular, .other]
        let nonLoopbackInterfaces = path.availableInterfaces.filter { $0.type != .loopback }
        let activeInterfaces = nonLoopbackInterfaces.filter { path.usesInterfaceType($0.type) }
        let candidate = preferredTypes.compactMap { type in
            activeInterfaces.first { $0.type == type }
        }.first ?? activeInterfaces.first ?? nonLoopbackInterfaces.first
        if let candidate {
            activeIfaceIdx = UInt32(candidate.index)
        } else {
            activeIfaceIdx = 0
        }
    }
    func updateActiveInterfaceIndexForCurrentPath() {
        if let currentPath {
            currentPathSignature = pathSignature(for: currentPath)
            updateActiveInterfaceIndex(for: currentPath)
            return
        }
        currentPath = pathMonitor.currentPath
        currentPathSignature = pathSignature(for: pathMonitor.currentPath)
        updateActiveInterfaceIndex(for: pathMonitor.currentPath)
    }
  override func handleAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)? = nil) {
      if messageData.count == 1 && messageData[0] == 0 {
          guard let completionHandler else { return }
          if protoType == .wireguard {
              handleWireguardAppMessage(messageData, completionHandler: completionHandler)
          } else {
              completionHandler(nil)
          }
          return
      }
      guard let message = String(data: messageData, encoding: .utf8) else {
          if let completionHandler {
              completionHandler(nil)
@@ -59,6 +161,10 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
      neLog(.info, title: "App said: ", message: message)
      guard let message = try? JSONSerialization.jsonObject(with: messageData, options: []) as? [String: Any] else {
          if protoType == .wireguard {
              handleWireguardAppMessage(messageData, completionHandler: completionHandler)
              return
          }
          neLog(.error, message: "Failed to serialize message from app")
          return
      }
@@ -104,6 +210,11 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
            return
        }
        cancelPendingOpenVPNReconnect()
        cancelPendingNetworkChangeHandling()
        didReceiveInitialPathUpdate = false
        updateActiveInterfaceIndexForCurrentPath()
        switch protoType {
        case .wireguard:
            startWireguard(activationAttemptId: activationAttemptId,
@@ -119,6 +230,9 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
    override func stopTunnel(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        cancelPendingOpenVPNReconnect()
        cancelPendingNetworkChangeHandling()
        guard let protoType else {
            completionHandler()
            return
@@ -157,25 +271,168 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
                               of object: Any?,
                               change: [NSKeyValueChangeKey: Any]?,
                               context: UnsafeMutableRawPointer?) {
-        guard Constants.kDefaultPathKey != keyPath else { return }
+        guard Constants.kDefaultPathKey == keyPath else {
        // Since iOS 11, we have observed that this KVO event fires repeatedly when connecting over Wifi,
        // even though the underlying network has not changed (i.e. `isEqualToPath` returns false),
        // leading to "wakeup crashes" due to excessive network activity. Guard against false positives by
        // comparing the paths' string description, which includes properties not exposed by the class
        guard let lastPath: NWPath = change?[.oldKey] as? NWPath,
              let defPath = defaultPath,
              lastPath != defPath || lastPath.description != defPath.description else {
            return
        }
        DispatchQueue.main.async { [weak self] in
            guard let self, self.defaultPath != nil else { return }
            self.handle(networkChange: self.defaultPath!) { _ in }
        }
    }
-    private func handle(networkChange changePath: NWPath, completion: @escaping (Error?) -> Void) {
+    private func handle(networkChange changePath: Network.NWPath, completion: @escaping (Error?) -> Void) {
-        wg_log(.info, message: "Tunnel restarted.")
+        guard protoType == .xray else {
-        startTunnel(options: nil, completionHandler: completion)
+            updateActiveInterfaceIndex(for: changePath)
            completion(nil)
            return
        }
        updateActiveInterfaceIndex(for: changePath)
        reasserting = true
        xrayLog(.info, message: "Applying network change to xray tunnel")
        stopXray { }
        startXray { [weak self] error in
            self?.reasserting = false
            completion(error)
        }
    }
    private func scheduleNetworkChangeHandling(for proto: TunnelProtoType, path: Network.NWPath) {
        guard proto == .xray else { return }
        pendingNetworkChangeWorkItem?.cancel()
        let workItem = DispatchWorkItem { [weak self] in
            guard let self else { return }
            self.pendingNetworkChangeWorkItem = nil
            if self.isApplyingNetworkChange || self.reasserting {
                xrayLog(.debug, message: "Skipping network change while restart is already in progress")
                return
            }
            self.isApplyingNetworkChange = true
            DispatchQueue.main.async {
                self.handle(networkChange: path) { [weak self] _ in
                    self?.networkChangeQueue.async {
                        self?.isApplyingNetworkChange = false
                    }
                }
            }
        }
        pendingNetworkChangeWorkItem = workItem
        networkChangeQueue.asyncAfter(deadline: .now() + 1.0, execute: workItem)
    }
    private func scheduleOpenVPNReconnect(reason: String) {
        guard protoType == .openvpn else { return }
        pendingOpenVPNReconnectWorkItem?.cancel()
        let workItem = DispatchWorkItem { [weak self] in
            guard let self else { return }
            self.pendingOpenVPNReconnectWorkItem = nil
            guard self.protoType == .openvpn else { return }
            if self.reasserting {
                ovpnLog(.debug, message: "Skipping OpenVPN reconnect while session is already reasserting")
                return
            }
            DispatchQueue.main.async { [weak self] in
                guard let self else { return }
                guard !self.reasserting else {
                    ovpnLog(.debug, message: "Skipping OpenVPN reconnect while session is already reasserting")
                    return
                }
                ovpnLog(.info, message: "\(reason), reconnecting OpenVPN session")
                self.ovpnAdapter?.reconnect(afterTimeInterval: 1)
            }
        }
        pendingOpenVPNReconnectWorkItem = workItem
        networkChangeQueue.asyncAfter(deadline: .now() + 1.0, execute: workItem)
    }
    func handleOpenVPNReachabilityChange(_ status: OpenVPNReachabilityStatus) {
        defer { lastOpenVPNReachabilityStatus = status }
        guard let previousStatus = lastOpenVPNReachabilityStatus else {
            return
        }
        guard previousStatus != status else {
            return
        }
        switch status {
        case .reachableViaWiFi, .reachableViaWWAN:
            scheduleOpenVPNReconnect(reason: "Reachability changed")
        default:
            break
        }
    }
    private func cancelPendingOpenVPNReconnect() {
        pendingOpenVPNReconnectWorkItem?.cancel()
        pendingOpenVPNReconnectWorkItem = nil
        lastOpenVPNReachabilityStatus = nil
    }
    private func cancelPendingNetworkChangeHandling() {
        pendingNetworkChangeWorkItem?.cancel()
        pendingNetworkChangeWorkItem = nil
        isApplyingNetworkChange = false
    }
 }
 private extension PacketTunnelProvider {
    func pathSignature(for path: Network.NWPath) -> String {
        var signatureComponents = [String(describing: path.status)]
        signatureComponents.append(path.isExpensive ? "exp" : "noexp")
        signatureComponents.append(path.isConstrained ? "con" : "nocon")
        // Ignore loopback and tunnel-style `.other` interfaces so Xray does not
        // react to its own utun lifecycle as if the physical uplink changed.
        let preferredTypes: [NWInterface.InterfaceType] = [.wiredEthernet, .wifi, .cellular]
        let externalInterfaces = path.availableInterfaces.filter { interface in
            interface.type == .wiredEthernet || interface.type == .wifi || interface.type == .cellular
        }
        let sortedInterfaces = externalInterfaces.sorted { lhs, rhs in
            if lhs.type == rhs.type {
                return lhs.index < rhs.index
            }
            let lhsOrder = preferredTypes.firstIndex(of: lhs.type) ?? preferredTypes.count
            let rhsOrder = preferredTypes.firstIndex(of: rhs.type) ?? preferredTypes.count
            if lhsOrder == rhsOrder {
                return lhs.index < rhs.index
            }
            return lhsOrder < rhsOrder
        }
        for interface in sortedInterfaces {
            let typeName: String
            switch interface.type {
            case .wiredEthernet: typeName = "ethernet"
            case .wifi: typeName = "wifi"
            case .cellular: typeName = "cellular"
            case .loopback, .other:
                continue
            @unknown default: typeName = "unknown"
            }
            signatureComponents.append("\(typeName):\(interface.index)")
        }
        // Include currently used interface preference ordering
        for type in preferredTypes {
            let usesType = path.usesInterfaceType(type)
            signatureComponents.append("uses-\(type):\(usesType)")
        }
        return signatureComponents.joined(separator: "|")
    }
 }
@@ -190,8 +447,27 @@ extension WireGuardLogLevel {
  }
 }
-extension NEProviderStopReason: CustomStringConvertible {
+final class PacketTunnelFlowAdapter: NSObject, OpenVPNAdapterPacketFlow {
-  public var description: String {
+  private let flow: NEPacketTunnelFlow
  init(flow: NEPacketTunnelFlow) {
    self.flow = flow
    super.init()
  }
  @objc(readPacketsWithCompletionHandler:)
  func readPackets(completionHandler: @escaping ([Data], [NSNumber]) -> Void) {
    flow.readPackets(completionHandler: completionHandler)
  }
  @objc(writePackets:withProtocols:)
  func writePackets(_ packets: [Data], withProtocols protocols: [NSNumber]) -> Bool {
    flow.writePackets(packets, withProtocols: protocols)
  }
 }
 extension NEProviderStopReason {
  var amneziaDescription: String {
    switch self {
    case .none:
      return "No specific reason"
@@ -223,6 +499,8 @@ extension NEProviderStopReason: CustomStringConvertible {
      return "The current console user changed"
    case .connectionFailed:
      return "The connection failed"
    case .internalError:
      return "The network extension reported an internal error"
    case .sleep:
      return "A stop reason indicating the VPNC enabled disconnect on sleep and the device went to sleep"
    case .appUpdate:
@@ -11,13 +11,7 @@ class ScreenProtection {
 import UIKit
 public func toggleScreenshots(_ isEnabled: Bool) {
-  let window = UIApplication.shared.keyWindows.first!
+  ScreenProtection.shared.setScreenshotsEnabled(isEnabled)
  if isEnabled {
    ScreenProtection.shared.disable(for: window.rootViewController!.view)
  } else {
    ScreenProtection.shared.enable(for: window.rootViewController!.view)
  }
 }
 extension UIApplication {
@@ -45,6 +39,45 @@ class ScreenProtection {
  private var blurView: UIVisualEffectView?
  private var recordingObservation: NSKeyValueObservation?
  private var desiredScreenshotsEnabled: Bool?
  private var retryCount = 0
  private var retryWorkItem: DispatchWorkItem?
  public func setScreenshotsEnabled(_ isEnabled: Bool) {
    DispatchQueue.main.async {
      self.desiredScreenshotsEnabled = isEnabled
      self.applyScreenshotsSettingOrRetry()
    }
  }
  private func applyScreenshotsSettingOrRetry() {
    assert(Thread.isMainThread)
    guard let desiredScreenshotsEnabled else { return }
    guard let window = UIApplication.shared.keyWindows.first,
          let rootView = window.rootViewController?.view else {
      retryCount += 1
      guard retryCount <= 50 else { return } // ~5s total
      retryWorkItem?.cancel()
      let item = DispatchWorkItem { [weak self] in
        self?.applyScreenshotsSettingOrRetry()
      }
      retryWorkItem = item
      DispatchQueue.main.asyncAfter(deadline: .now() + 0.1, execute: item)
      return
    }
    retryWorkItem?.cancel()
    retryWorkItem = nil
    retryCount = 0
    if desiredScreenshotsEnabled {
      disable(for: rootView)
    } else {
      enable(for: rootView)
    }
  }
  public func enable(for view: UIView) {
    DispatchQueue.main.asyncAfter(deadline: .now() + 1.0) {
@@ -0,0 +1,178 @@
 import Foundation
 import StoreKit
@available(iOS 15.0, macOS 12.0, *)
@objcMembers
 public class StoreKit2Helper: NSObject {
    public static let shared = StoreKit2Helper()
    private static let errorDomain = "StoreKit2Helper"
    private struct EntitlementInfo {
        let transactionId: UInt64
        let originalTransactionId: UInt64
        let productId: String
        let purchaseDate: Date
        var dictionary: NSDictionary {
            [
                "transactionId": String(transactionId),
                "originalTransactionId": String(originalTransactionId),
                "productId": productId
            ]
        }
    }
    public func fetchCurrentEntitlements(completion: @escaping (Bool, [NSDictionary]?, NSError?) -> Void) {
        Task { @MainActor in
            do {
                try await AppStore.sync()
                var entitlements: [EntitlementInfo] = []
                for await result in Transaction.currentEntitlements {
                    switch result {
                    case .verified(let transaction):
                        entitlements.append(EntitlementInfo(transactionId: transaction.id,
                                                            originalTransactionId: transaction.originalID,
                                                            productId: transaction.productID,
                                                            purchaseDate: transaction.purchaseDate))
                    case .unverified(_, let error):
                        print("[IAP][StoreKit2] Unverified transaction skipped: \(error.localizedDescription)")
                    }
                }
                let sortedEntitlements = entitlements.sorted { lhs, rhs in
                    if lhs.purchaseDate != rhs.purchaseDate {
                        return lhs.purchaseDate > rhs.purchaseDate
                    }
                    return lhs.transactionId > rhs.transactionId
                }.map { $0.dictionary }
                completion(true, sortedEntitlements, nil)
            } catch {
                completion(false, nil, error as NSError)
            }
        }
    }
    public func purchaseProduct(productIdentifier: String, completion: @escaping (Bool, String?, String?, String?, NSError?) -> Void) {
        Task {
            do {
                let products = try await Product.products(for: [productIdentifier])
                guard let product = products.first else {
                    completePurchase(completion: completion, success: false, transactionId: nil, productId: nil, originalTransactionId: nil,
                                     error: makeError(code: 0, description: "Product not found"))
                    return
                }
                let result = try await product.purchase()
                switch result {
                case .success(let verification):
                    switch verification {
                    case .verified(let transaction):
                        await transaction.finish()
                        completePurchase(completion: completion, success: true, transactionId: String(transaction.id),
                                         productId: transaction.productID, originalTransactionId: String(transaction.originalID), error: nil)
                    case .unverified(_, let error):
                        completePurchase(completion: completion, success: false, transactionId: nil, productId: nil, originalTransactionId: nil,
                                         error: error as NSError)
                    }
                case .userCancelled:
                    completePurchase(completion: completion, success: false, transactionId: nil, productId: nil, originalTransactionId: nil,
                                     error: makeError(code: 1, description: "Purchase cancelled"))
                case .pending:
                    completePurchase(completion: completion, success: false, transactionId: nil, productId: nil, originalTransactionId: nil,
                                     error: makeError(code: 2, description: "Purchase pending"))
                @unknown default:
                    completePurchase(completion: completion, success: false, transactionId: nil, productId: nil, originalTransactionId: nil,
                                     error: makeError(code: 3, description: "Unknown purchase result"))
                }
            } catch {
                completePurchase(completion: completion, success: false, transactionId: nil, productId: nil, originalTransactionId: nil,
                                 error: error as NSError)
            }
        }
    }
    private func storefrontCurrencyCode(for product: Product) -> String {
        product.priceFormatStyle.locale.currencyCode ?? ""
    }
    private func subscriptionBillingMonths(_ period: Product.SubscriptionPeriod) -> Double {
        let periodValue = Double(period.value)
        switch period.unit {
        case .day:
            return periodValue / 30.0
        case .week:
            return periodValue * 7.0 / 30.0
        case .month:
            return periodValue
        case .year:
            return periodValue * 12.0
        @unknown default:
            return periodValue
        }
    }
    public func fetchProducts(identifiers: Set<String>, completion: @escaping ([NSDictionary], [String], NSError?) -> Void) {
        Task {
            do {
                let products = try await Product.products(for: identifiers)
                let productDicts = products.map { product in productDictionary(for: product) }
                let fetchedIds = Set(products.map { $0.id })
                let invalidIdentifiers = identifiers.filter { !fetchedIds.contains($0) }
                DispatchQueue.main.async { completion(productDicts, Array(invalidIdentifiers), nil) }
            } catch {
                DispatchQueue.main.async { completion([], Array(identifiers), error as NSError) }
            }
        }
    }
    private func makeError(code: Int, description: String) -> NSError {
        NSError(domain: Self.errorDomain, code: code, userInfo: [NSLocalizedDescriptionKey: description])
    }
    private func completePurchase(completion: @escaping (Bool, String?, String?, String?, NSError?) -> Void,
                                  success: Bool,
                                  transactionId: String?,
                                  productId: String?,
                                  originalTransactionId: String?,
                                  error: NSError?) {
        DispatchQueue.main.async {
            completion(success, transactionId, productId, originalTransactionId, error)
        }
    }
    private func productDictionary(for product: Product) -> NSDictionary {
        let currencyCode = storefrontCurrencyCode(for: product)
        var productData: [String: Any] = [
            "productId": product.id,
            "title": product.displayName,
            "description": product.description,
            "price": "\(product.price)",
            "displayPrice": product.displayPrice,
            "currencyCode": currencyCode,
            "priceAmount": NSDecimalNumber(decimal: product.price).doubleValue
        ]
        if let subscription = product.subscription {
            let billingMonths = subscriptionBillingMonths(subscription.subscriptionPeriod)
            productData["subscriptionBillingMonths"] = billingMonths
            if let perMonthPrice = displayPricePerMonth(for: product, billingMonths: billingMonths, currencyCode: currencyCode) {
                productData["displayPricePerMonth"] = perMonthPrice
            }
        }
        return productData as NSDictionary
    }
    private func displayPricePerMonth(for product: Product, billingMonths: Double, currencyCode: String) -> String? {
        if billingMonths <= 1e-6 {
            return nil
        }
        let perMonthPrice = product.price / Decimal(billingMonths)
        let formatter = NumberFormatter()
        formatter.numberStyle = .currency
        formatter.locale = product.priceFormatStyle.locale
        if !currencyCode.isEmpty {
            formatter.currencyCode = currencyCode
        }
        return formatter.string(from: NSDecimalNumber(decimal: perMonthPrice))
    }
 }
@@ -0,0 +1,39 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #ifndef STOREKITCONTROLLER_H
 #define STOREKITCONTROLLER_H
 #import <Foundation/Foundation.h>
 #import <StoreKit/StoreKit.h>
@class Product;
@class Transaction;
@class VerificationResult;
 API_AVAILABLE(ios(15.0), macos(12.0))
@interface StoreKitController : NSObject
 + (instancetype)sharedInstance;
 - (void)purchaseProduct:(NSString *)productIdentifier
             completion:(void (^)(BOOL success,
                                  NSString *_Nullable transactionId,
                                  NSString *_Nullable productId,
                                  NSString *_Nullable originalTransactionId,
                                  NSError *_Nullable error))completion;
 - (void)restorePurchasesWithCompletion:(void (^)(BOOL success,
                                                 NSArray<NSDictionary *> *_Nullable restoredTransactions,
                                                 NSError *_Nullable error))completion;
 // Fetch product information for a set of identifiers without initiating a purchase
 - (void)fetchProductsWithIdentifiers:(NSSet<NSString *> *)productIdentifiers
                          completion:(void (^)(NSArray<NSDictionary *> *products,
                                               NSArray<NSString *> *invalidIdentifiers,
                                               NSError *_Nullable error))completion;
@end
 #endif // STOREKITCONTROLLER_H
@@ -0,0 +1,114 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #import "StoreKitController.h"
 #import <StoreKit/StoreKit.h>
 #import <AmneziaVPN-Swift.h>
 #include <QtCore/QDebug>
 #include <QtCore/QString>
 namespace
 {
 QString toQString(NSString *value)
 {
    return QString::fromUtf8((value ?: @"").UTF8String);
 }
 }
 API_AVAILABLE(ios(15.0), macos(12.0))
@implementation StoreKitController
 + (instancetype)sharedInstance
 {
    static dispatch_once_t onceToken;
    static StoreKitController *instance;
    dispatch_once(&onceToken, ^{
        if (@available(iOS 15.0, macOS 12.0, *)) {
            instance = [[StoreKitController alloc] init];
        }
    });
    return instance;
 }
 - (instancetype)init API_AVAILABLE(ios(15.0), macos(12.0))
 {
    self = [super init];
    return self;
 }
 - (void)purchaseProduct:(NSString *)productIdentifier
             completion:(void (^)(BOOL success,
                                  NSString *_Nullable transactionId,
                                  NSString *_Nullable productId,
                                  NSString *_Nullable originalTransactionId,
                                  NSError *_Nullable error))completion API_AVAILABLE(ios(15.0), macos(12.0))
 {
    qInfo().noquote() << "[IAP][StoreKit2] Starting purchase for" << QString::fromUtf8(productIdentifier.UTF8String);
    [[StoreKit2Helper shared] purchaseProductWithProductIdentifier:productIdentifier
                                                      completion:^(BOOL success,
                                                                   NSString *transactionId,
                                                                   NSString *productId,
                                                                   NSString *originalTransactionId,
                                                                   NSError *error) {
        if (success) {
            qInfo().noquote() << "[IAP][StoreKit2] Purchase success. transactionId =" << toQString(transactionId)
                              << "originalTransactionId =" << toQString(originalTransactionId) << "productId =" << toQString(productId);
        } else if (error) {
            qWarning().noquote() << "[IAP][StoreKit2] Purchase failed:" << toQString(error.localizedDescription);
        }
        if (completion) {
            completion(success, transactionId, productId, originalTransactionId, error);
        }
    }];
 }
 - (void)restorePurchasesWithCompletion:(void (^)(BOOL success,
                                                 NSArray<NSDictionary *> *_Nullable restoredTransactions,
                                                 NSError *_Nullable error))completion API_AVAILABLE(ios(15.0), macos(12.0))
 {
    [[StoreKit2Helper shared] fetchCurrentEntitlementsWithCompletion:^(BOOL success,
                                                                      NSArray<NSDictionary *> *entitlements,
                                                                      NSError *error) {
        if (success) {
            qInfo().noquote() << "[IAP][StoreKit2] currentEntitlements returned"
                              << (int)(entitlements ? entitlements.count : 0) << "active entitlements";
            for (NSDictionary *entitlement in entitlements) {
                qInfo().noquote() << "[IAP][StoreKit2] Active entitlement:"
                                  << "transactionId=" << toQString(entitlement[@"transactionId"])
                                  << "originalTransactionId=" << toQString(entitlement[@"originalTransactionId"])
                                  << "productId=" << toQString(entitlement[@"productId"]);
            }
        } else {
            qWarning().noquote() << "[IAP][StoreKit2] fetchCurrentEntitlements failed:" << toQString(error.localizedDescription);
        }
        if (completion) {
            completion(success, entitlements, error);
        }
    }];
 }
 - (void)fetchProductsWithIdentifiers:(NSSet<NSString *> *)productIdentifiers
                          completion:(void (^)(NSArray<NSDictionary *> *products,
                                               NSArray<NSString *> *invalidIdentifiers,
                                               NSError *_Nullable error))completion API_AVAILABLE(ios(15.0), macos(12.0))
 {
    [[StoreKit2Helper shared] fetchProductsWithIdentifiers:productIdentifiers
                                               completion:^(NSArray<NSDictionary *> *products,
                                                            NSArray<NSString *> *invalidIdentifiers,
                                                            NSError *error) {
        if (!error) {
            for (NSDictionary *productInfo in products) {
                qInfo().noquote() << "[IAP][StoreKit2] Fetched product info" << toQString(productInfo[@"productId"])
                                  << "price=" << toQString(productInfo[@"price"])
                                  << "currency=" << toQString(productInfo[@"currencyCode"]);
            }
        }
        if (completion) {
            completion(products ?: @[], invalidIdentifiers ?: @[], error);
        }
    }];
 }
@end
@@ -6,8 +6,6 @@ struct WGConfig: Decodable {
  let junkPacketCount, junkPacketMinSize, junkPacketMaxSize: String?
  let initPacketJunkSize, responsePacketJunkSize, cookieReplyPacketJunkSize, transportPacketJunkSize: String?
  let specialJunk1, specialJunk2, specialJunk3, specialJunk4, specialJunk5: String?
  let controlledJunk1, controlledJunk2, controlledJunk3: String?
  let specialHandshakeTimeout: String?
  let dns1: String
  let dns2: String
  let mtu: String
@@ -28,8 +26,6 @@ struct WGConfig: Decodable {
    case junkPacketCount = "Jc", junkPacketMinSize = "Jmin", junkPacketMaxSize = "Jmax"
    case initPacketJunkSize = "S1", responsePacketJunkSize = "S2", cookieReplyPacketJunkSize = "S3", transportPacketJunkSize = "S4"
    case specialJunk1 = "I1", specialJunk2 = "I2", specialJunk3 = "I3", specialJunk4 = "I4", specialJunk5 = "I5"
    case controlledJunk1 = "J1", controlledJunk2 = "J2", controlledJunk3 = "J3"
    case specialHandshakeTimeout = "Itime"
    case dns1
    case dns2
    case mtu
@@ -46,57 +42,63 @@ struct WGConfig: Decodable {
  }
  var settings: String {
-    guard junkPacketCount != nil else { return "" }
+    func trimmed(_ value: String?) -> String? {
      guard let value = value?.trimmingCharacters(in: .whitespacesAndNewlines),
            !value.isEmpty else {
        return nil
      }
      return value
    }
    guard
      let junkPacketCount = trimmed(junkPacketCount),
      let junkPacketMinSize = trimmed(junkPacketMinSize),
      let junkPacketMaxSize = trimmed(junkPacketMaxSize),
      let initPacketJunkSize = trimmed(initPacketJunkSize),
      let responsePacketJunkSize = trimmed(responsePacketJunkSize),
      let initPacketMagicHeader = trimmed(initPacketMagicHeader),
      let responsePacketMagicHeader = trimmed(responsePacketMagicHeader),
      let underloadPacketMagicHeader = trimmed(underloadPacketMagicHeader),
      let transportPacketMagicHeader = trimmed(transportPacketMagicHeader)
    else { return "" }
    var settingsLines: [String] = []
    // Required parameters when junkPacketCount is present
-    settingsLines.append("Jc = \(junkPacketCount!)")
+    settingsLines.append("Jc = \(junkPacketCount)")
-    settingsLines.append("Jmin = \(junkPacketMinSize!)")
+    settingsLines.append("Jmin = \(junkPacketMinSize)")
-    settingsLines.append("Jmax = \(junkPacketMaxSize!)")
+    settingsLines.append("Jmax = \(junkPacketMaxSize)")
-    settingsLines.append("S1 = \(initPacketJunkSize!)")
+    settingsLines.append("S1 = \(initPacketJunkSize)")
-    settingsLines.append("S2 = \(responsePacketJunkSize!)")
+    settingsLines.append("S2 = \(responsePacketJunkSize)")
-    settingsLines.append("H1 = \(initPacketMagicHeader!)")
+    settingsLines.append("H1 = \(initPacketMagicHeader)")
-    settingsLines.append("H2 = \(responsePacketMagicHeader!)")
+    settingsLines.append("H2 = \(responsePacketMagicHeader)")
-    settingsLines.append("H3 = \(underloadPacketMagicHeader!)")
+    settingsLines.append("H3 = \(underloadPacketMagicHeader)")
-    settingsLines.append("H4 = \(transportPacketMagicHeader!)")
+    settingsLines.append("H4 = \(transportPacketMagicHeader)")
    // Optional parameters - only add if not nil and not empty
-    if let s3 = cookieReplyPacketJunkSize, !s3.isEmpty {
+    if let s3 = trimmed(cookieReplyPacketJunkSize) {
      settingsLines.append("S3 = \(s3)")
    }
-    if let s4 = transportPacketJunkSize, !s4.isEmpty {
+    if let s4 = trimmed(transportPacketJunkSize) {
      settingsLines.append("S4 = \(s4)")
    }
-    if let i1 = specialJunk1, !i1.isEmpty {
+    if let i1 = trimmed(specialJunk1) {
      settingsLines.append("I1 = \(i1)")
    }
-    if let i2 = specialJunk2, !i2.isEmpty {
+    if let i2 = trimmed(specialJunk2) {
      settingsLines.append("I2 = \(i2)")
    }
-    if let i3 = specialJunk3, !i3.isEmpty {
+    if let i3 = trimmed(specialJunk3) {
      settingsLines.append("I3 = \(i3)")
    }
-    if let i4 = specialJunk4, !i4.isEmpty {
+    if let i4 = trimmed(specialJunk4) {
      settingsLines.append("I4 = \(i4)")
    }
-    if let i5 = specialJunk5, !i5.isEmpty {
+    if let i5 = trimmed(specialJunk5) {
      settingsLines.append("I5 = \(i5)")
    }
    if let j1 = controlledJunk1, !j1.isEmpty {
      settingsLines.append("J1 = \(j1)")
    }
    if let j2 = controlledJunk2, !j2.isEmpty {
      settingsLines.append("J2 = \(j2)")
    }
    if let j3 = controlledJunk3, !j3.isEmpty {
      settingsLines.append("J3 = \(j3)")
    }
    if let itime = specialHandshakeTimeout, !itime.isEmpty {
      settingsLines.append("Itime = \(itime)")
    }
    return settingsLines.joined(separator: "\n")
  }
@@ -3,5 +3,7 @@ import Foundation
 struct XrayConfig: Decodable {
    let dns1: String?
    let dns2: String?
    let splitTunnelType: Int?
    let splitTunnelSites: [String]?
    let config: String
 }
@@ -2,6 +2,13 @@
 #define IOS_CONTROLLER_H
 #include "protocols/vpnprotocol.h"
 #include <functional>
 #include <QVariant>
 #include <QVariantMap>
 #include <QStringList>
 #include <QList>
 #include <QElapsedTimer>
 #include <atomic>
 #ifdef __OBJC__
    #import <Foundation/Foundation.h>
@@ -55,7 +62,24 @@ public:
    bool shareText(const QStringList &filesToSend);
    QString openFile();
    void purchaseProduct(const QString &productId,
                         std::function<void(bool success,
                                            const QString &transactionId,
                                            const QString &purchasedProductId,
                                            const QString &originalTransactionId,
                                            const QString &errorString)> &&callback);
    void restorePurchases(std::function<void(bool success,
                                             const QList<QVariantMap> &transactions,
                                             const QString &errorString)> &&callback);
    // Fetch product info for given product identifiers and return basic fields for logging
    void fetchProducts(const QStringList &productIds,
                       std::function<void(const QList<QVariantMap> &products,
                                          const QStringList &invalidIds,
                                          const QString &errorString)> &&callback);
    void requestInetAccess();
    bool isTestFlight();
 signals:
    void connectionStateChanged(Vpn::ConnectionState state);
    void bytesChanged(quint64 receivedBytes, quint64 sentBytes);
@@ -81,6 +105,7 @@ private:
    bool startXray(const QString &jsonConfig);
    void startTunnel();
    void emitConnectionStateIfChanged(Vpn::ConnectionState state);
 private:
    void *m_iosControllerWrapper {};
@@ -94,8 +119,13 @@ private:
    amnezia::Proto m_proto;
    QJsonObject m_rawConfig;
    QString m_tunnelId;
-    uint64_t m_txBytes;
+    uint64_t m_txBytes = 0;
-    uint64_t m_rxBytes;
+    uint64_t m_rxBytes = 0;
    bool m_handshakeAwaiting = false;
    bool m_handshakeConfirmed = false;
    QElapsedTimer m_handshakeTimer;
    Vpn::ConnectionState m_lastEmittedState = Vpn::ConnectionState::Unknown;
    std::atomic_bool m_statusRequestInFlight { false };
 };
 #endif // IOS_CONTROLLER_H
@@ -10,6 +10,7 @@
 #include "../protocols/vpnprotocol.h"
 #import "ios_controller_wrapper.h"
 #import "StoreKitController.h"
 const char* Action::start = "start";
 const char* Action::restart = "restart";
@@ -92,6 +93,48 @@ Vpn::ConnectionState iosStatusToState(NEVPNStatus status) {
 }
 }
 namespace {
 constexpr int kHandshakeTimeoutMs = 12000;
 constexpr uint64_t kHandshakeRxThreshold = 4096;
 bool isWireGuardBasedProto(amnezia::Proto proto) {
    return proto == amnezia::Proto::WireGuard || proto == amnezia::Proto::Awg;
 }
 uint64_t uint64FromResponse(NSDictionary *response, NSString *key, uint64_t fallback = 0) {
    id value = response[key];
    if (!value || value == [NSNull null]) {
        return fallback;
    }
    if ([value isKindOfClass:[NSNumber class]]) {
        return [(NSNumber *)value unsignedLongLongValue];
    }
    if ([value isKindOfClass:[NSString class]]) {
        const char *str = [(NSString *)value UTF8String];
        if (str && *str) {
            return strtoull(str, nullptr, 10);
        }
    }
    return fallback;
 }
 long long int64FromResponse(NSDictionary *response, NSString *key, long long fallback = 0) {
    id value = response[key];
    if (!value || value == [NSNull null]) {
        return fallback;
    }
    if ([value isKindOfClass:[NSNumber class]]) {
        return [(NSNumber *)value longLongValue];
    }
    if ([value isKindOfClass:[NSString class]]) {
        const char *str = [(NSString *)value UTF8String];
        if (str && *str) {
            return strtoll(str, nullptr, 10);
        }
    }
    return fallback;
 }
 }
 namespace {
 IosController* s_instance = nullptr;
 }
@@ -101,6 +144,9 @@ IosController::IosController() : QObject()
    s_instance = this;
    m_iosControllerWrapper = [[IosControllerWrapper alloc] initWithCppController:this];
    // Initialize StoreKitController early to start observing the payment queue
    [StoreKitController sharedInstance];
    [[NSNotificationCenter defaultCenter]
        removeObserver: (__bridge NSObject *)m_iosControllerWrapper];
    [[NSNotificationCenter defaultCenter]
@@ -110,6 +156,15 @@ IosController::IosController() : QObject()
 }
 void IosController::emitConnectionStateIfChanged(Vpn::ConnectionState state)
 {
    if (m_lastEmittedState == state) {
        return;
    }
    m_lastEmittedState = state;
    emit connectionStateChanged(state);
 }
 IosController* IosController::Instance() {
    if (!s_instance) {
        s_instance = new IosController();
@@ -124,8 +179,9 @@ bool IosController::initialize()
    [NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:^(NSArray<NETunnelProviderManager *> * _Nullable managers, NSError * _Nullable error) {
        @try {
            if (error) {
-                qDebug() << "IosController::initialize : Error:" << [error.localizedDescription UTF8String];
+                qWarning() << "IosController::initialize : loadAllFromPreferences failed:"
-                emit connectionStateChanged(Vpn::ConnectionState::Error);
+                           << [error.localizedDescription UTF8String]
                           << "domain:" << [error.domain UTF8String] << "code:" << error.code;
                ok = false;
                return;
            }
@@ -276,33 +332,65 @@ void IosController::disconnectVpn()
 void IosController::checkStatus()
 {
    if (!m_currentTunnel) {
        return;
    }
    if (m_currentTunnel.connection.status != NEVPNStatusConnected) {
        return;
    }
    if (m_statusRequestInFlight.exchange(true)) {
        return;
    }
    NSString *actionKey = [NSString stringWithUTF8String:MessageKey::action];
    NSString *actionValue = [NSString stringWithUTF8String:Action::getStatus];
    NSString *tunnelIdKey = [NSString stringWithUTF8String:MessageKey::tunnelId];
    NSString *tunnelIdValue = !m_tunnelId.isEmpty() ? m_tunnelId.toNSString() : @"";
    NSDictionary* message = @{actionKey: actionValue, tunnelIdKey: tunnelIdValue};
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
    sendVpnExtensionMessage(message, [&](NSDictionary* response){
-        uint64_t txBytes = [response[@"tx_bytes"] intValue];
+        if (!response) {
-        uint64_t rxBytes = [response[@"rx_bytes"] intValue];
+            QMetaObject::invokeMethod(this, [this]() {
-        
+                m_statusRequestInFlight = false;
-        uint64_t last_handshake_time_sec = 0;
+            }, Qt::QueuedConnection);
-#if !MACOS_NE
+            return;
        if (response[@"last_handshake_time_sec"] && ![response[@"last_handshake_time_sec"] isKindOfClass:[NSNull class]]) {
            last_handshake_time_sec = [response[@"last_handshake_time_sec"] intValue];
        } else {
            qDebug() << "Key last_handshake_time_sec is missing or null";
        }
-        if (last_handshake_time_sec < 0) {
+        const uint64_t txBytes = uint64FromResponse(response, @"tx_bytes");
-            disconnectVpn();
+        const uint64_t rxBytes = uint64FromResponse(response, @"rx_bytes");
-            qDebug() << "Invalid handshake time, disconnecting VPN.";
+        const long long last_handshake_time_sec = int64FromResponse(response, @"last_handshake_time_sec");
        }
 #endif
-        emit bytesChanged(rxBytes - m_rxBytes, txBytes - m_txBytes);
+        QMetaObject::invokeMethod(this, [this, txBytes, rxBytes, last_handshake_time_sec]() {
-        m_rxBytes = rxBytes;
+            if (isWireGuardBasedProto(m_proto) && m_handshakeAwaiting) {
-        m_txBytes = txBytes;
+                const bool hasHandshakeData = (last_handshake_time_sec >= 0);
                const bool hasFreshHandshake = hasHandshakeData &&
                        ((last_handshake_time_sec > 0) ||
                         (rxBytes >= kHandshakeRxThreshold) ||
                         (txBytes >= kHandshakeRxThreshold));
                if (hasFreshHandshake) {
                    m_handshakeConfirmed = true;
                    m_handshakeAwaiting = false;
                    m_handshakeTimer.invalidate();
                    qDebug() << "IosController::checkStatus : handshake confirmed";
                    emitConnectionStateIfChanged(Vpn::ConnectionState::Connected);
                } else if (m_handshakeTimer.isValid() &&
                           m_handshakeTimer.elapsed() > kHandshakeTimeoutMs) {
                    m_handshakeTimer.restart();
                    qDebug() << "IosController::checkStatus : handshake timed out, keeping tunnel alive";
                    emitConnectionStateIfChanged(Vpn::ConnectionState::Reconnecting);
                }
            }
            emit bytesChanged(rxBytes - m_rxBytes, txBytes - m_txBytes);
            m_rxBytes = rxBytes;
            m_txBytes = txBytes;
            m_statusRequestInFlight = false;
        }, Qt::QueuedConnection);
    });
    });
 }
@@ -310,8 +398,14 @@ void IosController::vpnStatusDidChange(void *pNotification)
 {
    NETunnelProviderSession *session = (NETunnelProviderSession *)pNotification;
-    if (session /* && session == TunnelManager.session */ ) {
+    if (!session) {
-        qDebug() << "IosController::vpnStatusDidChange" << iosStatusToState(session.status) << session;
+        return;
    }
    if (!m_currentTunnel || (NETunnelProviderSession *)m_currentTunnel.connection != session) {
        return;
    }
    qDebug() << "IosController::vpnStatusDidChange" << iosStatusToState(session.status) << session;
        if (session.status == NEVPNStatusDisconnected) {
            if (@available(iOS 16.0, *)) {
@@ -409,8 +503,22 @@ void IosController::vpnStatusDidChange(void *pNotification)
            }
        }
-        emit connectionStateChanged(iosStatusToState(session.status));
+        Vpn::ConnectionState nextState = iosStatusToState(session.status);
-    }
+        if (session.status == NEVPNStatusConnected && isWireGuardBasedProto(m_proto)) {
            if (!m_handshakeConfirmed) {
                nextState = Vpn::ConnectionState::Connecting;
                if (!m_handshakeAwaiting) {
                    m_handshakeAwaiting = true;
                    m_handshakeTimer.restart();
                }
            }
        } else if (session.status != NEVPNStatusConnected) {
            m_handshakeAwaiting = false;
            m_handshakeConfirmed = false;
            m_handshakeTimer.invalidate();
            m_statusRequestInFlight = false;
        }
        emitConnectionStateIfChanged(nextState);
 }
 void IosController::vpnConfigurationDidChange(void *pNotification)
@@ -582,6 +690,15 @@ bool IosController::setupXray()
    QJsonObject finalConfig;
    finalConfig.insert(config_key::dns1, m_rawConfig[config_key::dns1].toString());
    finalConfig.insert(config_key::dns2, m_rawConfig[config_key::dns2].toString());
    finalConfig.insert(config_key::splitTunnelType, m_rawConfig[config_key::splitTunnelType]);
    QJsonArray splitTunnelSites = m_rawConfig[config_key::splitTunnelSites].toArray();
    for(int index = 0; index < splitTunnelSites.count(); index++) {
        splitTunnelSites[index] = splitTunnelSites[index].toString().remove(" ");
    }
    finalConfig.insert(config_key::splitTunnelSites, splitTunnelSites);
    finalConfig.insert(config_key::config, xrayConfigStr);
    QJsonDocument finalConfigDoc(finalConfig);
@@ -670,10 +787,6 @@ bool IosController::setupAwg()
    wgConfig.insert(config_key::specialJunk3, config[config_key::specialJunk3]);
    wgConfig.insert(config_key::specialJunk4, config[config_key::specialJunk4]);
    wgConfig.insert(config_key::specialJunk5, config[config_key::specialJunk5]);
    wgConfig.insert(config_key::controlledJunk1, config[config_key::controlledJunk1]);
    wgConfig.insert(config_key::controlledJunk2, config[config_key::controlledJunk2]);
    wgConfig.insert(config_key::controlledJunk3, config[config_key::controlledJunk3]);
    wgConfig.insert(config_key::specialHandshakeTimeout, config[config_key::specialHandshakeTimeout]);
    QJsonDocument wgConfigDoc(wgConfig);
    QString wgConfigDocStr(wgConfigDoc.toJson(QJsonDocument::Compact));
@@ -737,39 +850,49 @@ void IosController::startTunnel()
    m_rxBytes = 0;
    m_txBytes = 0;
-    [m_currentTunnel setEnabled:YES];
+    NETunnelProviderManager *tunnel = m_currentTunnel;
    [tunnel setEnabled:YES];
-    [m_currentTunnel saveToPreferencesWithCompletionHandler:^(NSError *saveError) {
+    dispatch_async(dispatch_get_main_queue(), ^{
-        dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+        [tunnel saveToPreferencesWithCompletionHandler:^(NSError *saveError) {
            dispatch_async(dispatch_get_main_queue(), ^{
                if (saveError) {
                    qDebug().nospace() << "IosController::startTunnel" << protocolName << ": Connect " << protocolName
                                       << " Tunnel Save Error" << saveError.localizedDescription.UTF8String << " domain:"
                                       << saveError.domain.UTF8String << " code:" << saveError.code;
                    emit connectionStateChanged(Vpn::ConnectionState::Error);
                    return;
                }
-            if (saveError) {
+                [tunnel loadFromPreferencesWithCompletionHandler:^(NSError *loadError) {
-                qDebug().nospace() << "IosController::startTunnel" << protocolName << ": Connect " << protocolName << " Tunnel Save Error" << saveError.localizedDescription.UTF8String;
+                    dispatch_async(dispatch_get_main_queue(), ^{
-                emit connectionStateChanged(Vpn::ConnectionState::Error);
+                        if (loadError) {
-                return;
+                            qDebug().nospace() << "IosController::startTunnel :" << tunnel.localizedDescription << protocolName
-            }
+                                               << ": Connect " << protocolName << " Tunnel Load Error"
                                               << loadError.localizedDescription.UTF8String;
                            emit connectionStateChanged(Vpn::ConnectionState::Error);
                            return;
                        }
-            [m_currentTunnel loadFromPreferencesWithCompletionHandler:^(NSError *loadError) {
+                        NSError *startError = nil;
-                    if (loadError) {
+                        qDebug() << iosStatusToState(tunnel.connection.status);
                        qDebug().nospace() << "IosController::startTunnel :" << m_currentTunnel.localizedDescription << protocolName << ": Connect " << protocolName << " Tunnel Load Error" << loadError.localizedDescription.UTF8String;
                        emit connectionStateChanged(Vpn::ConnectionState::Error);
                        return;
                    }
-                    NSError *startError = nil;
+                        BOOL started = [tunnel.connection startVPNTunnelWithOptions:nil andReturnError:&startError];
                    qDebug() << iosStatusToState(m_currentTunnel.connection.status);
-                    BOOL started = [m_currentTunnel.connection startVPNTunnelWithOptions:nil andReturnError:&startError];
+                        if (!started || startError) {
-
+                            qDebug().nospace() << "IosController::startTunnel :" << tunnel.localizedDescription << protocolName
-                    if (!started || startError) {
+                                               << " : Connect " << protocolName << " Tunnel Start Error"
-                        qDebug().nospace() << "IosController::startTunnel :" << m_currentTunnel.localizedDescription << protocolName << " : Connect " << protocolName << " Tunnel Start Error"
+                                               << (startError ? startError.localizedDescription.UTF8String : "");
-                            << (startError ? startError.localizedDescription.UTF8String : "");
+                            emit connectionStateChanged(Vpn::ConnectionState::Error);
-                        emit connectionStateChanged(Vpn::ConnectionState::Error);
+                        } else {
-                    } else {
+                            qDebug().nospace() << "IosController::startTunnel :" << tunnel.localizedDescription << protocolName
-                        qDebug().nospace() << "IosController::startTunnel :" << m_currentTunnel.localizedDescription << protocolName << " : Starting the tunnel succeeded";
+                                               << " : Starting the tunnel succeeded";
-                    }
+                        }
-            }];
+                    });
-        });
+                }];
-    }];
+            });
        }];
    });
 }
 bool IosController::isOurManager(NETunnelProviderManager* manager) {
@@ -799,6 +922,9 @@ void IosController::sendVpnExtensionMessage(NSDictionary* message, std::function
 {
    if (!m_currentTunnel) {
        qDebug() << "Cannot set an extension callback without a tunnel manager";
        if (callback) {
            callback(nil);
        }
        return;
    }
@@ -808,6 +934,9 @@ void IosController::sendVpnExtensionMessage(NSDictionary* message, std::function
    if (!data || error) {
        qDebug() << "Failed to serialize message to VpnExtension as JSON. Error:"
                 << [error.localizedDescription UTF8String];
        if (callback) {
            callback(nil);
        }
        return;
    }
@@ -838,11 +967,18 @@ void IosController::sendVpnExtensionMessage(NSDictionary* message, std::function
        [session sendProviderMessage:data returnError:&sendError responseHandler:completionHandler];
    } else {
        qDebug() << "Method sendProviderMessage:responseHandler:error: does not exist";
        if (callback) {
            callback(nil);
        }
        return;
    }
    if (sendError) {
        qDebug() << "Failed to send message to VpnExtension. Error:"
                 << [sendError.localizedDescription UTF8String];
        if (callback) {
            callback(nil);
        }
    }
 }
@@ -913,6 +1049,147 @@ QString IosController::openFile() {
    return filePath;
 }
 void IosController::purchaseProduct(const QString &productId,
                                   std::function<void(bool success,
                                                      const QString &transactionId,
                                                      const QString &purchasedProductId,
                                                      const QString &originalTransactionId,
                                                      const QString &errorString)> &&callback)
 {
    qInfo().noquote() << "[IAP][IosController] purchaseProduct called" << productId;
    if (@available(iOS 15.0, macOS 12.0, *)) {
        StoreKitController *controller = [StoreKitController sharedInstance];
        __block auto cb = std::move(callback);
        [controller purchaseProduct:productId.toNSString() completion:^(BOOL s,
                                                                        NSString * _Nullable transactionId,
                                                                        NSString * _Nullable prodId,
                                                                        NSString * _Nullable originalTxId,
                                                                        NSError * _Nullable error) {
            const QString txId = QString::fromUtf8((transactionId ?: @"").UTF8String);
            const QString pId  = QString::fromUtf8((prodId        ?: @"").UTF8String);
            const QString origTxId = QString::fromUtf8((originalTxId ?: @"").UTF8String);
            const QString err  = QString::fromUtf8((error.localizedDescription ?: @"").UTF8String);
            qInfo().noquote() << "[IAP][IosController] purchase completion" << "success=" << s
                              << "transactionId=" << txId << "originalTransactionId=" << origTxId
                              << "productId=" << pId << "error=" << err;
            if (cb) {
                cb(s, txId, pId, origTxId, err);
            }
        }];
    } else {
        if (callback) {
            callback(false, QString(), QString(), QString(), "StoreKit 2 requires iOS 15.0 or later");
        }
    }
 }
 void IosController::restorePurchases(std::function<void(bool success,
                                                       const QList<QVariantMap> &transactions,
                                                       const QString &errorString)> &&callback)
 {
    if (@available(iOS 15.0, macOS 12.0, *)) {
        StoreKitController *controller = [StoreKitController sharedInstance];
        __block auto cb = std::move(callback);
        [controller restorePurchasesWithCompletion:^(BOOL s,
                                                     NSArray<NSDictionary *> * _Nullable restoredTransactions,
                                                     NSError * _Nullable error) {
            QString err;
            if (error) {
                err = QString::fromUtf8(error.localizedDescription.UTF8String);
            }
            QList<QVariantMap> transactions;
            for (NSDictionary *dict in restoredTransactions ?: @[]) {
                QVariantMap transaction;
                NSString *transactionId = dict[@"transactionId"];
                NSString *productId = dict[@"productId"];
                NSString *originalTransactionId = dict[@"originalTransactionId"];
                if (transactionId) {
                    transaction.insert(QStringLiteral("transactionId"), QString::fromUtf8(transactionId.UTF8String));
                }
                if (productId) {
                    transaction.insert(QStringLiteral("productId"), QString::fromUtf8(productId.UTF8String));
                }
                if (originalTransactionId) {
                    transaction.insert(QStringLiteral("originalTransactionId"),
                                       QString::fromUtf8(originalTransactionId.UTF8String));
                }
                transactions.push_back(transaction);
            }
            if (cb) {
                cb(s, transactions, err);
            }
        }];
    } else {
        if (callback) {
            callback(false, QList<QVariantMap>(), "StoreKit 2 requires iOS 15.0 or later");
        }
    }
 }
 void IosController::fetchProducts(const QStringList &productIds,
                                  std::function<void(const QList<QVariantMap> &products,
                                                     const QStringList &invalidIds,
                                                     const QString &errorString)> &&callback)
 {
    if (@available(iOS 15.0, macOS 12.0, *)) {
        StoreKitController *controller = [StoreKitController sharedInstance];
        NSMutableSet<NSString *> *ids = [NSMutableSet setWithCapacity:productIds.size()];
        for (const auto &pid : productIds) {
            [ids addObject:pid.toNSString()];
        }
        __block auto cb = std::move(callback);
        [controller fetchProductsWithIdentifiers:ids
                                      completion:^(NSArray<NSDictionary *> * _Nonnull products,
                                                   NSArray<NSString *> * _Nonnull invalidIdentifiers,
                                                   NSError * _Nullable error) {
            QList<QVariantMap> outProducts;
            for (NSDictionary *productInfo in products) {
                QVariantMap productData;
                productData["productId"] = QString::fromUtf8([productInfo[@"productId"] UTF8String]);
                productData["title"] = QString::fromUtf8([productInfo[@"title"] UTF8String]);
                productData["description"] = QString::fromUtf8([productInfo[@"description"] UTF8String]);
                productData["price"] = QString::fromUtf8([productInfo[@"price"] UTF8String]);
                if (productInfo[@"displayPrice"]) {
                    productData["displayPrice"] = QString::fromUtf8([productInfo[@"displayPrice"] UTF8String]);
                }
                productData["currencyCode"] = QString::fromUtf8([productInfo[@"currencyCode"] UTF8String]);
                if (productInfo[@"priceAmount"]) {
                    productData["priceAmount"] = [productInfo[@"priceAmount"] doubleValue];
                }
                if (productInfo[@"subscriptionBillingMonths"]) {
                    productData["subscriptionBillingMonths"] = [productInfo[@"subscriptionBillingMonths"] doubleValue];
                }
                if (productInfo[@"displayPricePerMonth"]) {
                    productData["displayPricePerMonth"] = QString::fromUtf8([productInfo[@"displayPricePerMonth"] UTF8String]);
                }
                outProducts.push_back(productData);
            }
            QStringList invalid;
            for (NSString *inv in invalidIdentifiers) {
                invalid.push_back(QString::fromUtf8(inv.UTF8String));
            }
            QString err;
            if (error) {
                err = QString::fromUtf8(error.localizedDescription.UTF8String);
            }
            if (cb) {
                cb(outProducts, invalid, err);
            }
        }];
    } else {
        if (callback) {
            callback(QList<QVariantMap>(), QStringList(), "StoreKit 2 requires iOS 15.0 or later");
        }
    }
 }
 void IosController::requestInetAccess() {
    NSURL *url = [NSURL URLWithString:@"http://captive.apple.com/generate_204"];
    if (!url) {
@@ -931,3 +1208,8 @@ void IosController::requestInetAccess() {
    }];
    [task resume];
 }
 bool IosController::isTestFlight() {
    NSURL *receiptURL = [[NSBundle mainBundle] appStoreReceiptURL];
    return receiptURL && [[receiptURL lastPathComponent] isEqualToString:@"sandboxReceipt"];
 }
@@ -34,6 +34,9 @@ void IOSNetworkWatcher::initialize() {
  });
  nw_path_monitor_start(m_networkMonitor);
  // Call start() to initialize sleep/wake monitoring (will call MacOSNetworkWatcher::start() if this is macOS)
  this->start();
  //TODO IMPL FOR AMNEZIA
 }
@@ -61,6 +61,8 @@ IOSNotificationHandler::~IOSNotificationHandler() { }
 void IOSNotificationHandler::notify(NotificationHandler::Message type, const QString& title,
                                    const QString& message, int timerMsec) {
  Q_UNUSED(type);
  // timerMsec is tray display hint on Windows, not a schedule delay — was wrongly used as seconds (CLI-570).
  Q_UNUSED(timerMsec);
  if (!m_delegate) {
    return;
@@ -71,11 +73,13 @@ void IOSNotificationHandler::notify(NotificationHandler::Message type, const QSt
  content.body = message.toNSString();
  content.sound = [UNNotificationSound defaultSound];
-  int timerSec = timerMsec / 1000;
+  NSTimeInterval delay = 0.1;
  UNTimeIntervalNotificationTrigger* trigger =
-      [UNTimeIntervalNotificationTrigger triggerWithTimeInterval:timerSec repeats:NO];
+      [UNTimeIntervalNotificationTrigger triggerWithTimeInterval:delay repeats:NO];
-  UNNotificationRequest* request = [UNNotificationRequest requestWithIdentifier:@"amneziavpn"
+  NSString* requestId = [NSString stringWithFormat:@"amneziavpn.vpnstate.%lld",
      (long long)([[NSDate date] timeIntervalSince1970] * 1000.0)];
  UNNotificationRequest* request = [UNNotificationRequest requestWithIdentifier:requestId
                                                                        content:content
                                                                        trigger:trigger];
@@ -143,6 +147,7 @@ IOSNotificationHandler::~IOSNotificationHandler() { }
 void IOSNotificationHandler::notify(NotificationHandler::Message type, const QString& title,
                                    const QString& message, int timerMsec) {
  Q_UNUSED(type);
  Q_UNUSED(timerMsec);
  if (!m_delegate) {
    return;
@@ -153,11 +158,13 @@ void IOSNotificationHandler::notify(NotificationHandler::Message type, const QSt
  content.body = message.toNSString();
  content.sound = [UNNotificationSound defaultSound];
-  int timerSec = timerMsec / 1000;
+  NSTimeInterval delay = 0.1;
  UNTimeIntervalNotificationTrigger* trigger =
-      [UNTimeIntervalNotificationTrigger triggerWithTimeInterval:timerSec repeats:NO];
+      [UNTimeIntervalNotificationTrigger triggerWithTimeInterval:delay repeats:NO];
-  UNNotificationRequest* request = [UNNotificationRequest requestWithIdentifier:@"amneziavpn"
+  NSString* requestId = [NSString stringWithFormat:@"amneziavpn.vpnstate.%lld",
      (long long)([[NSDate date] timeIntervalSince1970] * 1000.0)];
  UNNotificationRequest* request = [UNNotificationRequest requestWithIdentifier:requestId
                                                                        content:content
                                                                        trigger:trigger];
@@ -165,7 +165,7 @@ bool LinuxRouteMonitor::rtmSendRoute(int action, int flags, int type,
    if (rtm->rtm_type == RTN_THROW) {
    struct in_addr ip4;
-    inet_pton(AF_INET, NetworkUtilities::getGatewayAndIface().toUtf8(), &ip4);
+    inet_pton(AF_INET, NetworkUtilities::getGatewayAndIface().first.toUtf8(), &ip4);
    nlmsg_append_attr(nlmsg, sizeof(buf), RTA_GATEWAY, &ip4, sizeof(ip4));
    nlmsg_append_attr32(nlmsg, sizeof(buf), RTA_PRIORITY, 0);
    rtm->rtm_type = RTN_UNICAST;
@@ -143,12 +143,6 @@ bool WireguardUtilsLinux::addInterface(const InterfaceConfig& config) {
    for (const QString& key : config.m_specialJunk.keys()) {
        out << key.toLower() << "=" << config.m_specialJunk.value(key) << "\n";
    }
    for (const QString& key : config.m_controlledJunk.keys()) {
        out << key.toLower() << "=" << config.m_controlledJunk.value(key) << "\n";
    }
    if (!config.m_specialHandshakeTimeout.isEmpty()) {
        out << "itime=" << config.m_specialHandshakeTimeout << "\n";
    }
    int err = uapiErrno(uapiCommand(message));
    if (err != 0) {
@@ -41,6 +41,9 @@ void LinuxNetworkWatcher::initialize() {
  connect(m_worker, &LinuxNetworkWatcherWorker::unsecuredNetwork, this,
          &LinuxNetworkWatcher::unsecuredNetwork);
  connect(m_worker, &LinuxNetworkWatcherWorker::wakeup, this,
          &NetworkWatcherImpl::wakeup);
  // Let's wait a few seconds to allow the UI to be fully loaded and shown.
  // This is not strictly needed, but it's better for user experience because
  // it makes the UI faster to appear, plus it gives a bit of delay between the
@@ -33,7 +33,21 @@
 #define NM_802_11_AP_SEC_WEAK_CRYPTO \
  (NM_802_11_AP_SEC_PAIR_WEP40 | NM_802_11_AP_SEC_PAIR_WEP104)
 enum NMState {
    NM_STATE_UNKNOWN = 0,
    NM_STATE_ASLEEP = 10,
    NM_STATE_DISCONNECTED = 20,
    NM_STATE_DISCONNECTING = 30,
    NM_STATE_CONNECTING = 40,
    NM_STATE_CONNECTED_LOCAL = 50,
    NM_STATE_CONNECTED_SITE = 60,
    NM_STATE_CONNECTED_GLOBAL = 70
 };
 constexpr const char* DBUS_NETWORKMANAGER = "org.freedesktop.NetworkManager";
 constexpr const char* DBUS_NETWORKMANAGER_PATH = "/org/freedesktop/NetworkManager";
 namespace {
 Logger logger("LinuxNetworkWatcherWorker");
@@ -73,7 +87,7 @@ void LinuxNetworkWatcherWorker::initialize() {
  // documentation:
  // https://developer.gnome.org/NetworkManager/stable/gdbus-org.freedesktop.NetworkManager.html
-  QDBusInterface nm(DBUS_NETWORKMANAGER, "/org/freedesktop/NetworkManager",
+  QDBusInterface nm(DBUS_NETWORKMANAGER, DBUS_NETWORKMANAGER_PATH,
                    DBUS_NETWORKMANAGER, QDBusConnection::systemBus());
  if (!nm.isValid()) {
    logger.error()
@@ -108,6 +122,12 @@ void LinuxNetworkWatcherWorker::initialize() {
        SLOT(propertyChanged(QString, QVariantMap, QStringList)));
  }
  QDBusConnection::systemBus().connect(DBUS_NETWORKMANAGER,
                                       DBUS_NETWORKMANAGER_PATH,
                                       DBUS_NETWORKMANAGER,
                                       "StateChanged",
                                       this, SLOT(NMStateChanged(quint32)));
  if (m_devicePaths.isEmpty()) {
    logger.warning() << "No wifi devices found";
    return;
@@ -173,5 +193,16 @@ void LinuxNetworkWatcherWorker::checkDevices() {
      emit unsecuredNetwork(ssid, bssid);
      break;
    }
  }
 }
 void LinuxNetworkWatcherWorker::NMStateChanged(quint32 state)
 {
  if (state == NM_STATE_ASLEEP) {
    emit wakeup();
  }
  logger.debug() << "NMStateChanged " << state;
 }
@@ -23,6 +23,7 @@ class LinuxNetworkWatcherWorker final : public QObject {
 signals:
  void unsecuredNetwork(const QString& networkName, const QString& networkId);
  void wakeup();
 public slots:
  void initialize();
@@ -30,6 +31,7 @@ class LinuxNetworkWatcherWorker final : public QObject {
 private slots:
  void propertyChanged(QString interface, QVariantMap properties,
                       QStringList list);
  void NMStateChanged(quint32 state);
 private:
  // We collect the list of DBus wifi network device paths during the
@@ -0,0 +1,185 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "linuxpingsender.h"
 #include <arpa/inet.h>
 #include <errno.h>
 #include <linux/filter.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 #include <sys/socket.h>
 #include <unistd.h>
 #include <QSocketNotifier>
 #include <QtEndian>
 #include "leakdetector.h"
 #include "logger.h"
 #include "qhostaddress.h"
 namespace {
 Logger logger("LinuxPingSender");
 }
 int LinuxPingSender::createSocket() {
  // Try creating an ICMP socket. This would be the ideal choice, but it can
  // fail depending on the kernel config (see: sys.net.ipv4.ping_group_range)
  m_socket = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
  if (m_socket >= 0) {
    m_ident = 0;
    return m_socket;
  }
  if ((errno != EPERM) && (errno != EACCES)) {
    return -1;
  }
  // As a fallback, create a raw socket, which requires root permissions
  // or CAP_NET_RAW to be granted to the VPN client.
  m_socket = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
  if (m_socket < 0) {
    return -1;
  }
  m_ident = getpid() & 0xffff;
  // Attach a BPF filter to discard everything but replies to our echo.
  struct sock_filter bpf_prog[] = {
      BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 0), /* Skip IP header. */
      BPF_STMT(BPF_LD | BPF_H | BPF_IND, 4),  /* Load icmp echo ident */
      BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, m_ident, 1, 0), /* Ours? */
      BPF_STMT(BPF_RET | BPF_K, 0), /* Unexpected identifier. Reject. */
      BPF_STMT(BPF_LD | BPF_B | BPF_IND, 0), /* Load icmp type */
      BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ICMP_ECHOREPLY, 1, 0), /* Echo? */
      BPF_STMT(BPF_RET | BPF_K, 0),   /* Unexpected type. Reject. */
      BPF_STMT(BPF_RET | BPF_K, ~0U), /* Packet passes the filter. */
  };
  struct sock_fprog filter = {
      .len = sizeof(bpf_prog) / sizeof(struct sock_filter),
      .filter = bpf_prog,
  };
  setsockopt(m_socket, SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter));
  return m_socket;
 }
 LinuxPingSender::LinuxPingSender(const QHostAddress& source, QObject* parent)
    : PingSender(parent) {
  MZ_COUNT_CTOR(LinuxPingSender);
  logger.debug() << "LinuxPingSender(" + logger.sensitive(source.toString()) +
                        ") created";
  m_socket = createSocket();
  if (m_socket < 0) {
    logger.error() << "Socket creation error: " << strerror(errno);
    return;
  }
  quint32 ipv4addr = INADDR_ANY;
  if (!source.isNull()) {
    ipv4addr = source.toIPv4Address();
  }
  struct sockaddr_in addr;
  memset(&addr, 0, sizeof addr);
  addr.sin_family = AF_INET;
  addr.sin_addr.s_addr = qToBigEndian<quint32>(ipv4addr);
  if (bind(m_socket, (struct sockaddr*)&addr, sizeof(addr)) != 0) {
    close(m_socket);
    m_socket = -1;
    logger.error() << "bind error:" << strerror(errno);
    return;
  }
  m_notifier = new QSocketNotifier(m_socket, QSocketNotifier::Read, this);
  if (m_ident) {
    connect(m_notifier, &QSocketNotifier::activated, this,
            &LinuxPingSender::rawSocketReady);
  } else {
    connect(m_notifier, &QSocketNotifier::activated, this,
            &LinuxPingSender::icmpSocketReady);
  }
 }
 LinuxPingSender::~LinuxPingSender() {
  MZ_COUNT_DTOR(LinuxPingSender);
  if (m_socket >= 0) {
    close(m_socket);
  }
 }
 void LinuxPingSender::sendPing(const QHostAddress& dest, quint16 sequence) {
  quint32 ipv4dest = dest.toIPv4Address();
  struct sockaddr_in addr;
  memset(&addr, 0, sizeof(addr));
  addr.sin_family = AF_INET;
  addr.sin_addr.s_addr = qToBigEndian<quint32>(ipv4dest);
  struct icmphdr packet;
  memset(&packet, 0, sizeof(packet));
  packet.type = ICMP_ECHO;
  packet.un.echo.id = htons(m_ident);
  packet.un.echo.sequence = htons(sequence);
  packet.checksum = inetChecksum(&packet, sizeof(packet));
  int rc = sendto(m_socket, &packet, sizeof(packet), 0, (struct sockaddr*)&addr,
                  sizeof(addr));
  if (rc < 0) {
    logger.error() << "failed to send:" << strerror(errno);
    if (errno == ENETUNREACH) {
        emit criticalPingError();
    }
  }
 }
 void LinuxPingSender::icmpSocketReady() {
  socklen_t slen = 0;
  unsigned char data[2048];
  int rc = recvfrom(m_socket, data, sizeof(data), MSG_DONTWAIT, NULL, &slen);
  if (rc <= 0) {
    logger.error() << "recvfrom failed:" << strerror(errno);
    return;
  }
  struct icmphdr packet;
  if (rc >= (int)sizeof(packet)) {
    memcpy(&packet, data, sizeof(packet));
    if (packet.type == ICMP_ECHOREPLY) {
      emit recvPing(htons(packet.un.echo.sequence));
    }
  }
 }
 void LinuxPingSender::rawSocketReady() {
  socklen_t slen = 0;
  unsigned char data[2048];
  int rc = recvfrom(m_socket, data, sizeof(data), MSG_DONTWAIT, NULL, &slen);
  if (rc <= 0) {
    logger.error() << "recvfrom failed:" << strerror(errno);
    return;
  }
  // Check the IP header
  const struct iphdr* ip = (struct iphdr*)data;
  int iphdrlen = ip->ihl * 4;
  if (rc < iphdrlen || iphdrlen < (int)sizeof(struct iphdr)) {
    logger.error() << "malformed IP packet:" << strerror(errno);
    return;
  }
  // Check the ICMP packet
  struct icmphdr packet;
  if (inetChecksum(data + iphdrlen, rc - iphdrlen) != 0) {
    logger.warning() << "invalid checksum";
    return;
  }
  if (rc >= (iphdrlen + (int)sizeof(packet))) {
    memcpy(&packet, data + iphdrlen, sizeof(packet));
    quint16 id = htons(m_ident);
    if ((packet.type == ICMP_ECHOREPLY) && (packet.un.echo.id == id)) {
      emit recvPing(htons(packet.un.echo.sequence));
    }
  }
 }
@@ -0,0 +1,39 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #ifndef LINUXPINGSENDER_H
 #define LINUXPINGSENDER_H
 #include <QObject>
 #include "../../mozilla/pingsender.h"
 class QSocketNotifier;
 class LinuxPingSender final : public PingSender {
  Q_OBJECT
  Q_DISABLE_COPY_MOVE(LinuxPingSender)
 public:
  LinuxPingSender(const QHostAddress& source, QObject* parent = nullptr);
  ~LinuxPingSender();
  bool isValid() override { return (m_socket >= 0); };
  void sendPing(const QHostAddress& dest, quint16 sequence) override;
 private:
  int createSocket();
 private slots:
  void rawSocketReady();
  void icmpSocketReady();
 private:
  QSocketNotifier* m_notifier = nullptr;
  int m_socket = -1;
  quint16 m_ident = 0;
 };
 #endif  // LINUXPINGSENDER_H
@@ -141,12 +141,6 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
  for (const QString& key : config.m_specialJunk.keys()) {
      out << key.toLower() << "=" << config.m_specialJunk.value(key) << "\n";
  }
  for (const QString& key : config.m_controlledJunk.keys()) {
      out << key.toLower() << "=" << config.m_controlledJunk.value(key) << "\n";
  }
  if (!config.m_specialHandshakeTimeout.isEmpty()) {
      out << "itime=" << config.m_specialHandshakeTimeout << "\n";
  }
  int err = uapiErrno(uapiCommand(message));
  if (err != 0) {
@@ -0,0 +1,8 @@
 #ifndef MACOS_NE_VPN_NOTIFICATION_H
 #define MACOS_NE_VPN_NOTIFICATION_H
 class QString;
 void macosNePostVpnStateNotification(const QString &title, const QString &message);
 #endif
@@ -0,0 +1,91 @@
 #include "macos_ne_vpn_notification.h"
 #include <QtGlobal>
 #include <QString>
 #import <Foundation/Foundation.h>
 #import <UserNotifications/UserNotifications.h>
 namespace {
@interface MacosNeVpnNotificationDelegate : NSObject <UNUserNotificationCenterDelegate>
@end
@implementation MacosNeVpnNotificationDelegate
 - (void)userNotificationCenter:(UNUserNotificationCenter *)center
       willPresentNotification:(UNNotification *)notification
         withCompletionHandler:(void (^)(UNNotificationPresentationOptions options))completionHandler
 {
    Q_UNUSED(center)
    Q_UNUSED(notification)
    completionHandler(UNNotificationPresentationOptionList | UNNotificationPresentationOptionBanner);
 }
 - (void)userNotificationCenter:(UNUserNotificationCenter *)center
    didReceiveNotificationResponse:(UNNotificationResponse *)response
             withCompletionHandler:(void (^)(void))completionHandler
 {
    Q_UNUSED(center)
    Q_UNUSED(response)
    completionHandler();
 }
@end
 MacosNeVpnNotificationDelegate *delegateInstance()
 {
    static MacosNeVpnNotificationDelegate *d;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
      d = [[MacosNeVpnNotificationDelegate alloc] init];
    });
    return d;
 }
 void ensureNotificationCenterSetup()
 {
    static dispatch_once_t once;
    dispatch_once(&once, ^{
      UNUserNotificationCenter *center = [UNUserNotificationCenter currentNotificationCenter];
      [center requestAuthorizationWithOptions:(UNAuthorizationOptionSound | UNAuthorizationOptionAlert |
                                               UNAuthorizationOptionBadge)
                            completionHandler:^(BOOL granted, NSError *_Nullable error) {
                              Q_UNUSED(granted);
                              if (!error) {
                                  center.delegate = delegateInstance();
                              }
                            }];
    });
 }
 } // namespace
 void macosNePostVpnStateNotification(const QString &title, const QString &message)
 {
    ensureNotificationCenterSetup();
    UNMutableNotificationContent *content = [[UNMutableNotificationContent alloc] init];
    content.title = title.toNSString();
    content.body = message.toNSString();
    content.sound = nil;
    NSTimeInterval delay = 0.1;
    UNTimeIntervalNotificationTrigger *trigger =
        [UNTimeIntervalNotificationTrigger triggerWithTimeInterval:delay repeats:NO];
    NSString *identifier =
        [NSString stringWithFormat:@"amneziavpn.vpnstate.%lld", (long long)([[NSDate date] timeIntervalSince1970] * 1000.0)];
    UNNotificationRequest *request = [UNNotificationRequest requestWithIdentifier:identifier
                                                                          content:content
                                                                          trigger:trigger];
    UNUserNotificationCenter *center = [UNUserNotificationCenter currentNotificationCenter];
    [center addNotificationRequest:request
             withCompletionHandler:^(NSError *_Nullable error) {
               if (error) {
                   NSLog(@"macosNePostVpnStateNotification failed: %@", error);
               }
             }];
 }
@@ -10,8 +10,31 @@
 #include "../ios/iosnetworkwatcher.h"
 #include "networkwatcherimpl.h"
 #include <IOKit/pwr_mgt/IOPMLib.h>
 #include <IOKit/IOMessage.h>
 class QString;
 // Inspired by https://ladydebug.com/blog/2020/05/21/programmatically-capture-energy-saver-event-on-mac/
 class PowerNotificationsListener
 {
 public:
    PowerNotificationsListener(class MacOSNetworkWatcher* watcher) : m_watcher(watcher) {}
    void registerForNotifications();
    void cleanup();
 private:
    static void sleepWakeupCallBack(void *refParam, io_service_t service, natural_t messageType, void *messageArgument);
 private:
    class MacOSNetworkWatcher* m_watcher = nullptr;
    IONotificationPortRef notifyPortRef = nullptr; // notification port allocated by IORegisterForSystemPower
    io_object_t notifierObj = IO_OBJECT_NULL; // notifier object, used to deregister later
    io_connect_t rootPowerDomain = IO_OBJECT_NULL; // a reference to the Root Power Domain IOService
 };
 class MacOSNetworkWatcher final : public IOSNetworkWatcher {
 public:
  MacOSNetworkWatcher(QObject* parent);
@@ -25,6 +48,7 @@ class MacOSNetworkWatcher final : public IOSNetworkWatcher {
 private:
  void* m_delegate = nullptr;
  PowerNotificationsListener m_powerlistener;
 };
 #endif  // MACOSNETWORKWATCHER_H
--- a/Show More
+++ b/Show More