add new icons error & fix logic

fixed update icon windows
fixed update icon linux
2026-06-23 02:00:20 +07:00 · 2026-06-05 16:13:06 +03:00 · 2026-06-05 13:35:11 +03:00 · 2026-06-05 12:12:12 +03:00 · 2026-06-05 09:00:14 +03:00 · 2026-05-30 14:50:18 +03:00
193 changed files with 2838 additions and 3543 deletions
@@ -157,7 +157,7 @@ jobs:
      run: pip install "conan==2.28.0"

    - name: 'Build dependencies'
-      run: cmake -S . -B build -DPREBUILTS_ONLY=1
+      run: cmake -S . -B build -G "Visual Studio 17 2022" -DPREBUILTS_ONLY=1
    
    - name: 'Authorize in remote'
      if: github.ref == 'refs/heads/dev'
@@ -4,7 +4,7 @@ set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)

 set(PROJECT AmneziaVPN)
-set(AMNEZIAVPN_VERSION 4.9.0.2)
+set(AMNEZIAVPN_VERSION 4.9.0.1)

 set(QT_CREATOR_SKIP_PACKAGE_MANAGER_SETUP ON CACHE BOOL "" FORCE)
 set(CMAKE_PROJECT_TOP_LEVEL_INCLUDES
@@ -28,7 +28,7 @@ string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")

 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2123)
+set(APP_ANDROID_VERSION_CODE 2122)

 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
    set(MZ_PLATFORM_NAME "linux")
@@ -65,8 +65,6 @@ set(HEADERS ${HEADERS}
    ${CLIENT_ROOT_DIR}/core/utils/utilities.h
    ${CLIENT_ROOT_DIR}/core/utils/managementServer.h
    ${CLIENT_ROOT_DIR}/core/utils/constants.h
-    ${CLIENT_ROOT_DIR}/core/vpnTrafficGuard.h
-    ${CLIENT_ROOT_DIR}/core/tunnel.h
 )

 # Mozilla headres
@@ -147,8 +145,6 @@ set(SOURCES ${SOURCES}
    ${CLIENT_ROOT_DIR}/core/utils/osSignalHandler.cpp
    ${CLIENT_ROOT_DIR}/core/utils/utilities.cpp
    ${CLIENT_ROOT_DIR}/core/utils/managementServer.cpp
-    ${CLIENT_ROOT_DIR}/core/vpnTrafficGuard.cpp
-    ${CLIENT_ROOT_DIR}/core/tunnel.cpp
 )

 # Mozilla sources
@@ -271,6 +267,10 @@ if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
    set(HEADERS ${HEADERS}
        ${CLIENT_ROOT_DIR}/core/utils/ipcClient.h
        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.h
+        ${CLIENT_ROOT_DIR}/ui/utils/platformTheme.h
+        ${CLIENT_ROOT_DIR}/ui/utils/trayIconBackend.h
+        ${CLIENT_ROOT_DIR}/ui/utils/platformTrayTheme.h
+        ${CLIENT_ROOT_DIR}/ui/utils/trayIconCommon.h
        ${CLIENT_ROOT_DIR}/core/protocols/openVpnProtocol.h
        ${CLIENT_ROOT_DIR}/core/protocols/wireGuardProtocol.h
        ${CLIENT_ROOT_DIR}/core/protocols/xrayProtocol.h
@@ -282,20 +282,81 @@ if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
        ${CLIENT_ROOT_DIR}/core/utils/ipcClient.cpp
        ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.cpp
        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/platformTheme.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/platformTrayTheme.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/trayIconCommon.cpp
        ${CLIENT_ROOT_DIR}/core/protocols/openVpnProtocol.cpp
        ${CLIENT_ROOT_DIR}/core/protocols/wireGuardProtocol.cpp
        ${CLIENT_ROOT_DIR}/core/protocols/xrayProtocol.cpp
        ${CLIENT_ROOT_DIR}/core/protocols/awgProtocol.cpp
    )
+
+    if(APPLE AND NOT MACOS_NE)
+        set(HEADERS ${HEADERS}
+            ${CLIENT_ROOT_DIR}/platforms/macos/mactrayiconbackend.h
+            ${CLIENT_ROOT_DIR}/platforms/macos/mactraytheme.h
+        )
+        set(SOURCES ${SOURCES}
+            ${CLIENT_ROOT_DIR}/platforms/macos/mactrayiconbackend.mm
+            ${CLIENT_ROOT_DIR}/platforms/macos/mactraytheme.cpp
+        )
+    endif()
 endif()

 if(APPLE AND MACOS_NE)
    # Include only the tray notification handler in NE builds
    set(HEADERS ${HEADERS}
        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.h
+        ${CLIENT_ROOT_DIR}/ui/utils/platformTheme.h
+        ${CLIENT_ROOT_DIR}/ui/utils/trayIconBackend.h
+        ${CLIENT_ROOT_DIR}/ui/utils/platformTrayTheme.h
+        ${CLIENT_ROOT_DIR}/ui/utils/trayIconCommon.h
+        ${CLIENT_ROOT_DIR}/platforms/windows/wintrayiconbackend.h
+        ${CLIENT_ROOT_DIR}/platforms/windows/wintrayicon.h
+        ${CLIENT_ROOT_DIR}/platforms/windows/wintraytheme.h
+        ${CLIENT_ROOT_DIR}/ui/utils/trayThemeChangeFilter.h
    )

    set(SOURCES ${SOURCES}
        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/platformTheme.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/platformTrayTheme.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/trayIconCommon.cpp
+        ${CLIENT_ROOT_DIR}/platforms/windows/wintrayiconbackend.cpp
+        ${CLIENT_ROOT_DIR}/platforms/windows/wintrayicon.cpp
+        ${CLIENT_ROOT_DIR}/platforms/windows/wintraytheme.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/trayThemeChangeFilter.cpp
+    )
+endif()
+
+if(WIN32)
+    set(HEADERS ${HEADERS}
+            ${CLIENT_ROOT_DIR}/platforms/windows/windowsutils.h
+            ${CLIENT_ROOT_DIR}/platforms/windows/wintrayiconbackend.h
+            ${CLIENT_ROOT_DIR}/platforms/windows/wintrayicon.h
+            ${CLIENT_ROOT_DIR}/platforms/windows/wintraytheme.h
+            ${CLIENT_ROOT_DIR}/ui/utils/trayThemeChangeFilter.h
+    )
+    set(SOURCES ${SOURCES}
+            ${CLIENT_ROOT_DIR}/platforms/windows/windowsutils.cpp
+            ${CLIENT_ROOT_DIR}/platforms/windows/wintrayiconbackend.cpp
+            ${CLIENT_ROOT_DIR}/platforms/windows/wintrayicon.cpp
+            ${CLIENT_ROOT_DIR}/platforms/windows/wintraytheme.cpp
+            ${CLIENT_ROOT_DIR}/ui/utils/trayThemeChangeFilter.cpp
+    )
+endif()
+
+if(LINUX)
+    set(HEADERS ${HEADERS}
+            ${CLIENT_ROOT_DIR}/platforms/linux/linuxutils.h
+            ${CLIENT_ROOT_DIR}/platforms/linux/linuxtrayiconbackend.h
+            ${CLIENT_ROOT_DIR}/platforms/linux/linuxtraytheme.h
+            ${CLIENT_ROOT_DIR}/ui/utils/trayThemeChangeFilter.h
+    )
+    set(SOURCES ${SOURCES}
+            ${CLIENT_ROOT_DIR}/platforms/linux/linuxutils.cpp
+            ${CLIENT_ROOT_DIR}/platforms/linux/linuxtrayiconbackend.cpp
+            ${CLIENT_ROOT_DIR}/platforms/linux/linuxtraytheme.cpp
+            ${CLIENT_ROOT_DIR}/ui/utils/trayThemeChangeFilter.cpp
    )
 endif()
@@ -484,12 +484,6 @@ ErrorCode SubscriptionController::updateServiceFromGateway(const QString &server
    return ErrorCode::NoError;
 }

-void SubscriptionController::restoreApiV2Config(const QString &serverId, const ApiV2ServerConfig &config)
-{
-    const QJsonObject json = config.toJson();
-    m_serversRepository->editServer(serverId, json, serverConfigUtils::configTypeFromJson(json));
-}
-
 ErrorCode SubscriptionController::deactivateDevice(const QString &serverId)
 {
    auto apiV2 = m_serversRepository->apiV2Config(serverId);
@@ -68,8 +68,6 @@ public:

    ErrorCode updateServiceFromGateway(const QString &serverId, const QString &newCountryCode, bool isConnectEvent);

-    void restoreApiV2Config(const QString &serverId, const ApiV2ServerConfig &config);
-
    ErrorCode deactivateDevice(const QString &serverId);

    ErrorCode deactivateExternalDevice(const QString &serverId, const QString &uuid, const QString &serverCountryCode);
@@ -28,7 +28,6 @@ ConnectionController::ConnectionController(SecureServersRepository* serversRepos
      m_vpnConnection(vpnConnection)
 {
    connect(m_vpnConnection, &VpnConnection::connectionStateChanged, this, &ConnectionController::connectionStateChanged);
-    connect(m_vpnConnection, &VpnConnection::serverSwitchFailed, this, &ConnectionController::serverSwitchFailed);
    connect(this, &ConnectionController::openConnectionRequested, m_vpnConnection, &VpnConnection::connectToVpn, Qt::QueuedConnection);
    connect(this, &ConnectionController::closeConnectionRequested, m_vpnConnection, &VpnConnection::disconnectFromVpn, Qt::QueuedConnection);
    connect(this, &ConnectionController::setConnectionStateRequested, m_vpnConnection, &VpnConnection::setConnectionState, Qt::QueuedConnection);
@@ -50,92 +49,14 @@ void ConnectionController::setConnectionState(Vpn::ConnectionState state)
    }
 }

-ErrorCode ConnectionController::defaultContainerForServer(const QString &serverId, DockerContainer &container) const
-{
-    const auto kind = m_serversRepository->serverKind(serverId);
-    switch (kind) {
-    case serverConfigUtils::ConfigType::SelfHostedAdmin: {
-        const auto cfg = m_serversRepository->selfHostedAdminConfig(serverId);
-        if (!cfg.has_value()) {
-            return ErrorCode::InternalError;
-        }
-        container = cfg->defaultContainer;
-        return ErrorCode::NoError;
-    }
-    case serverConfigUtils::ConfigType::SelfHostedUser: {
-        const auto cfg = m_serversRepository->selfHostedUserConfig(serverId);
-        if (!cfg.has_value()) {
-            return ErrorCode::InternalError;
-        }
-        container = cfg->defaultContainer;
-        return ErrorCode::NoError;
-    }
-    case serverConfigUtils::ConfigType::Native: {
-        const auto cfg = m_serversRepository->nativeConfig(serverId);
-        if (!cfg.has_value()) {
-            return ErrorCode::InternalError;
-        }
-        container = cfg->defaultContainer;
-        return ErrorCode::NoError;
-    }
-    case serverConfigUtils::ConfigType::AmneziaPremiumV2:
-    case serverConfigUtils::ConfigType::AmneziaFreeV3:
-    case serverConfigUtils::ConfigType::ExternalPremium: {
-        const auto cfg = m_serversRepository->apiV2Config(serverId);
-        if (!cfg.has_value()) {
-            return ErrorCode::InternalError;
-        }
-        container = cfg->defaultContainer;
-        return ErrorCode::NoError;
-    }
-    case serverConfigUtils::ConfigType::AmneziaPremiumV1:
-    case serverConfigUtils::ConfigType::AmneziaFreeV2:
-        return ErrorCode::LegacyApiV1NotSupportedError;
-    case serverConfigUtils::ConfigType::Invalid:
-    default:
-        return ErrorCode::InternalError;
-    }
-}
-
-ErrorCode ConnectionController::isConnectionSupported(const QString &serverId) const
-{
-    if (serverId.isEmpty()) {
-        return ErrorCode::InternalError;
-    }
-
-    if (!isServiceReady()) {
-        return ErrorCode::AmneziaServiceNotRunning;
-    }
-
-    if (serverConfigUtils::isLegacyApiSubscription(m_serversRepository->serverKind(serverId))) {
-        return ErrorCode::LegacyApiV1NotSupportedError;
-    }
-
-    DockerContainer container = DockerContainer::None;
-    const ErrorCode errorCode = defaultContainerForServer(serverId, container);
-    if (errorCode != ErrorCode::NoError) {
-        return errorCode;
-    }
-
-    if (container == DockerContainer::None) {
-        return ErrorCode::NoInstalledContainersError;
-    }
-
-    if (ContainerUtils::isUnsupportedContainer(container)) {
-        return ErrorCode::LegacyContainerNotSupportedError;
-    }
-
-    if (!isContainerSupported(container)) {
-        return ErrorCode::NotSupportedOnThisPlatform;
-    }
-
-    return ErrorCode::NoError;
-}
-
 ErrorCode ConnectionController::prepareConnection(const QString &serverId,
                                                 QJsonObject& vpnConfiguration,
                                                 DockerContainer& container)
 {
+    if (!isServiceReady()) {
+        return ErrorCode::AmneziaServiceNotRunning;
+    }
+
    ContainerConfig containerConfigModel;
    QPair<QString, QString> dns;
    QString hostName;
@@ -199,6 +120,10 @@ ErrorCode ConnectionController::prepareConnection(const QString &serverId,
        return ErrorCode::InternalError;
    }

+    if (!isContainerSupported(container)) {
+        return ErrorCode::NotSupportedOnThisPlatform;
+    }
+
    vpnConfiguration = createConnectionConfiguration(dns, isApiConfig, hostName, description, configVersion,
                                                     containerConfigModel, container);

@@ -34,8 +34,6 @@ public:
                               QJsonObject& vpnConfiguration,
                               DockerContainer& container);

-    ErrorCode isConnectionSupported(const QString &serverId) const;
-
    ErrorCode openConnection(const QString &serverId);

    void closeConnection();
@@ -69,15 +67,12 @@ signals:
    void closeConnectionRequested();
    void setConnectionStateRequested(Vpn::ConnectionState state);
    void killSwitchModeChangedRequested(bool enabled);
-    void serverSwitchFailed();

 #ifdef Q_OS_ANDROID
    void restoreConnectionRequested();
 #endif

 private:
-    ErrorCode defaultContainerForServer(const QString &serverId, DockerContainer &container) const;
-
    SecureServersRepository* m_serversRepository;
    SecureAppSettingsRepository* m_appSettingsRepository;
    VpnConnection* m_vpnConnection;
@@ -191,7 +191,7 @@ void CoreController::initControllers()
    m_languageUiController = new LanguageUiController(m_settingsController, m_languageModel, this);
    setQmlContextProperty("LanguageUiController", m_languageUiController);

-    m_settingsUiController = new SettingsUiController(m_settingsController, m_serversController, this);
+    m_settingsUiController = new SettingsUiController(m_settingsController, m_serversController, m_languageUiController, this);
    setQmlContextProperty("SettingsController", m_settingsUiController);

    m_pageController = new PageController(m_serversController, m_settingsController, this);
@@ -33,6 +33,7 @@
 #include "core/controllers/connectionController.h"
 #include "ui/models/clientManagementModel.h"
 #include "ui/controllers/api/apiNewsUiController.h"
+#include "ui/models/api/apiCountryModel.h"
 #include "ui/models/containersModel.h"
 #include "core/utils/containerEnum.h"

@@ -94,12 +95,6 @@ void CoreSignalHandlers::initErrorMessagesHandler()
        m_coreController->m_connectionController->setConnectionState(Vpn::ConnectionState::Disconnected);
    });

-    connect(m_coreController->m_connectionUiController, &ConnectionUiController::serverSwitchFailed, this, [this]() {
-        m_coreController->m_subscriptionUiController->revertLastCountryChange();
-        emit m_coreController->m_pageController->showNotificationMessage(
-            tr("Failed to switch server. Existing connection maintained."));
-    });
-
    connect(m_coreController->m_subscriptionUiController, &SubscriptionUiController::errorOccurred, m_coreController->m_pageController,
            qOverload<ErrorCode>(&PageController::showErrorMessage));

@@ -161,17 +156,15 @@ void CoreSignalHandlers::initExportControllerHandler()
 void CoreSignalHandlers::initImportControllerHandler()
 {
    connect(m_coreController->m_importCoreController, &ImportController::importFinished, this, [this]() {
-        if (m_coreController->m_connectionUiController->isConnected()) {
-            return;
-        }
-
-        const int newServerIndex = m_coreController->m_serversController->getServersCount() - 1;
-        const QString serverId = m_coreController->m_serversController->getServerId(newServerIndex);
-        if (!serverId.isEmpty()) {
-            m_coreController->m_serversController->setDefaultServer(serverId);
-        }
-        if (m_coreController->m_serversUiController) {
-            m_coreController->m_serversUiController->setProcessedServerId(serverId);
+        if (!m_coreController->m_connectionController->isConnected()) {
+            int newServerIndex = m_coreController->m_serversController->getServersCount() - 1;
+            const QString serverId = m_coreController->m_serversController->getServerId(newServerIndex);
+            if (!serverId.isEmpty()) {
+                m_coreController->m_serversController->setDefaultServer(serverId);
+            }
+            if (m_coreController->m_serversUiController) {
+                m_coreController->m_serversUiController->setProcessedServerId(serverId);
+            }
        }
    });
 }
@@ -183,14 +176,17 @@ void CoreSignalHandlers::initApiCountryModelUpdateHandler()
        if (processedServerId.isEmpty()) {
            return;
        }
+        
+        QJsonArray availableCountries;
+        QString serverCountryCode;

        const auto apiV2 = m_coreController->m_serversRepository->apiV2Config(processedServerId);
-        if (!apiV2.has_value()) {
-            return;
+        if (apiV2.has_value()) {
+            availableCountries = apiV2->apiConfig.availableCountries;
+            serverCountryCode = apiV2->apiConfig.serverCountryCode;
        }
-
-        m_coreController->m_apiCountryModel->updateModel(apiV2->apiConfig.availableCountries,
-                                                           apiV2->apiConfig.serverCountryCode);
+        
+        m_coreController->m_apiCountryModel->updateModel(availableCountries, serverCountryCode);
    });
 }

@@ -241,16 +237,13 @@ void CoreSignalHandlers::initLanguageHandler()
    connect(m_coreController->m_settingsUiController, &SettingsUiController::resetLanguageToSystem, m_coreController->m_languageUiController, [this]() {
        m_coreController->m_languageUiController->changeLanguage(m_coreController->m_languageUiController->getSystemLanguageEnum());
    });
-    connect(m_coreController->m_settingsUiController, &SettingsUiController::appLanguageChanged, m_coreController->m_languageUiController, [this]() {
-        m_coreController->m_languageUiController->onAppLanguageChanged(m_coreController->m_settingsController->getAppLanguage());
-    });
 }

 void CoreSignalHandlers::initAutoConnectHandler()
 {
    if (m_coreController->m_settingsUiController->isAutoConnectEnabled()
        && !m_coreController->m_serversController->getDefaultServerId().isEmpty()) {
-        QTimer::singleShot(1000, this, [this]() { m_coreController->m_connectionUiController->toggleConnection(); });
+        QTimer::singleShot(1000, this, [this]() { m_coreController->m_connectionUiController->openConnection(); });
    }
 }

@@ -355,9 +348,6 @@ void CoreSignalHandlers::initUnsupportedConnectDrawerHandler()
 {
    connect(m_coreController->m_subscriptionUiController, &SubscriptionUiController::unsupportedConnectDrawerRequested,
            m_coreController->m_pageController, &PageController::unsupportedConnectDrawerRequested);
-
-    connect(m_coreController->m_connectionUiController, &ConnectionUiController::unsupportedConnectDrawerRequested,
-            m_coreController->m_pageController, &PageController::unsupportedConnectDrawerRequested);
 }

 void CoreSignalHandlers::initStrictKillSwitchHandler()
@@ -435,7 +425,12 @@ void CoreSignalHandlers::initNotificationHandler()

    auto* trayHandler = qobject_cast<SystemTrayNotificationHandler*>(m_coreController->m_notificationHandler);
    connect(m_coreController, &CoreController::websiteUrlChanged, trayHandler, &SystemTrayNotificationHandler::updateWebsiteUrl);
-#endif    
+
+    connect(m_coreController->m_connectionUiController, &ConnectionUiController::connectionErrorOccurred, trayHandler,
+            &SystemTrayNotificationHandler::setConnectionError);
+    connect(m_coreController->m_pageController, &PageController::errorMessageClosed, trayHandler,
+            &SystemTrayNotificationHandler::clearConnectionError);
+#endif
 }

 void CoreSignalHandlers::initUpdateFoundHandler()
@@ -79,7 +79,7 @@ GatewayController::EncryptedRequestData GatewayController::prepareRequest(const
        QString ip = NetworkUtilities::getIPAddress(host);
        if (!ip.isEmpty()) {
            IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-                QRemoteObjectPendingReply<bool> reply = iface->addKillSwitchAllowedRange(QString(), QStringList { ip });
+                QRemoteObjectPendingReply<bool> reply = iface->addKillSwitchAllowedRange(QStringList { ip });
                if (!reply.waitForFinished(1000) || !reply.returnValue())
                    qWarning() << "GatewayController::prepareRequest(): Failed to execute remote addKillSwitchAllowedRange call";
            });
@@ -72,16 +72,6 @@ namespace
        }
        return false;
    }
-
-    QString buildRemoveContainerScript(const amnezia::ScriptVars &vars, bool removeDataVolume)
-    {
-        QString script = SshSession::replaceVars(amnezia::scriptData(SharedScriptType::remove_container), vars);
-        if (removeDataVolume) {
-            script += QLatin1String("\nsudo docker volume rm -f $CONTAINER_NAME-data 2>/dev/null || true");
-            script = SshSession::replaceVars(script, vars);
-        }
-        return script;
-    }
 }

 InstallController::InstallController(SecureServersRepository *serversRepository,
@@ -130,10 +120,14 @@ ErrorCode InstallController::setupContainer(const ServerCredentials &credentials
        return e;
    qDebug().noquote() << "InstallController::setupContainer prepareHostWorker finished";

-    const amnezia::ScriptVars removeContainerVars =
+    amnezia::ScriptVars removeContainerVars =
            amnezia::genBaseVars(credentials, container, QString(), QString());
-    const bool removeDataVolume = !isUpdate && (container == DockerContainer::MtProxy || container == DockerContainer::Telemt);
-    sshSession.runScript(credentials, buildRemoveContainerScript(removeContainerVars, removeDataVolume));
+    if (!isUpdate) {
+        removeContainerVars.append({ { "$REMOVE_CONTAINER_DATA", QStringLiteral("1") } });
+    }
+    sshSession.runScript(credentials,
+                         sshSession.replaceVars(amnezia::scriptData(SharedScriptType::remove_container),
+                                                removeContainerVars));
    qDebug().noquote() << "InstallController::setupContainer removeContainer finished";

    qDebug().noquote() << "buildContainerWorker start";
@@ -158,8 +152,8 @@ ErrorCode InstallController::setupContainer(const ServerCredentials &credentials
    return startupContainerWorker(credentials, container, config, sshSession);
 }

-ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerContainer container, const ContainerConfig &oldConfig,
-                                                ContainerConfig &newConfig)
+ErrorCode InstallController::updateContainer(const QString &serverId, DockerContainer container, const ContainerConfig &oldConfig,
+                                             ContainerConfig &newConfig)
 {
    if (!isUpdateDockerContainerRequired(container, oldConfig, newConfig)) {
        auto adminConfig = m_serversRepository->selfHostedAdminConfig(serverId);
@@ -191,7 +185,7 @@ ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerC
    SshSession sshSession(this);

    bool reinstallRequired = isReinstallContainerRequired(container, oldConfig, newConfig);
-    qDebug() << "InstallController::updateServerConfig for container" << container << "reinstall required is" << reinstallRequired;
+    qDebug() << "InstallController::updateContainer for container" << container << "reinstall required is" << reinstallRequired;

    bool xrayServerSettingsChanged = false;
    if (container == DockerContainer::Xray || container == DockerContainer::SSXray) {
@@ -219,11 +213,11 @@ ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerC
    if (errorCode == ErrorCode::NoError && xrayServerSettingsChanged && !skipXrayInboundSync) {
        DnsSettings dnsSettings = { m_appSettingsRepository->primaryDns(), m_appSettingsRepository->secondaryDns() };
        XrayConfigurator xrayConfigurator(&sshSession);
-        qDebug() << "InstallController::updateServerConfig applying Xray server inbound sync, reinstall="
+        qDebug() << "InstallController::updateContainer applying Xray server inbound sync, reinstall="
                 << reinstallRequired;
        errorCode = xrayConfigurator.applyServerSettingsToRemote(credentials, container, newConfig, dnsSettings, false);
        if (errorCode != ErrorCode::NoError) {
-            qDebug() << "InstallController::updateServerConfig Xray inbound sync failed, error="
+            qDebug() << "InstallController::updateContainer Xray inbound sync failed, error="
                     << static_cast<int>(errorCode);
        }
    }
@@ -242,41 +236,6 @@ ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerC
    return errorCode;
 }

-ErrorCode InstallController::updateClientConfig(const QString &serverId, DockerContainer container, ContainerConfig &newConfig)
-{
-    switch (m_serversRepository->serverKind(serverId)) {
-    case serverConfigUtils::ConfigType::SelfHostedAdmin: {
-        auto config = m_serversRepository->selfHostedAdminConfig(serverId);
-        if (!config.has_value()) {
-            return ErrorCode::InternalError;
-        }
-        config->updateContainerConfig(container, newConfig);
-        m_serversRepository->editServer(serverId, config->toJson(), serverConfigUtils::ConfigType::SelfHostedAdmin);
-        return ErrorCode::NoError;
-    }
-    case serverConfigUtils::ConfigType::SelfHostedUser: {
-        auto config = m_serversRepository->selfHostedUserConfig(serverId);
-        if (!config.has_value()) {
-            return ErrorCode::InternalError;
-        }
-        config->updateContainerConfig(container, newConfig);
-        m_serversRepository->editServer(serverId, config->toJson(), serverConfigUtils::ConfigType::SelfHostedUser);
-        return ErrorCode::NoError;
-    }
-    case serverConfigUtils::ConfigType::Native: {
-        auto config = m_serversRepository->nativeConfig(serverId);
-        if (!config.has_value()) {
-            return ErrorCode::InternalError;
-        }
-        config->updateContainerConfig(container, newConfig);
-        m_serversRepository->editServer(serverId, config->toJson(), serverConfigUtils::ConfigType::Native);
-        return ErrorCode::NoError;
-    }
-    default:
-        return ErrorCode::InternalError;
-    }
-}
-
 void InstallController::clearCachedProfile(const QString &serverId, DockerContainer container)
 {
    if (ContainerUtils::containerService(container) == ServiceType::Other) {
@@ -836,8 +795,8 @@ ErrorCode InstallController::installDockerWorker(const ServerCredentials &creden
    qDebug().noquote() << "InstallController::installDockerWorker" << stdOut;

    if (container == DockerContainer::Awg2) {
-        QRegularExpression kernelVersionRegex(R"(Linux\s+(\d+)\.(\d+)[^\d]*)");
-        QRegularExpressionMatch match = kernelVersionRegex.match(stdOut);
+        QRegularExpression regex(R"(Linux\s+(\d+)\.(\d+)[^\d]*)");
+        QRegularExpressionMatch match = regex.match(stdOut);
        if (match.hasMatch()) {
            int majorVersion = match.captured(1).toInt();
            int minorVersion = match.captured(2).toInt();
@@ -850,19 +809,8 @@ ErrorCode InstallController::installDockerWorker(const ServerCredentials &creden

    if (stdOut.contains("lock"))
        return ErrorCode::ServerPacketManagerError;
-    if (stdOut.contains("Container runtime is not supported"))
-        return ErrorCode::ServerContainerRuntimeNotSupported;
-    
-    QRegularExpression notFoundRegex(
-        R"(^.*(?:sudo:|docker:).*not found.*$)",
-        QRegularExpression::MultilineOption);
-
-    if (notFoundRegex.match(stdOut).hasMatch()) {
+    if (stdOut.contains("command not found"))
        return ErrorCode::ServerDockerFailedError;
-    }
-    
-    if (stdOut.contains("Container runtime service not running"))
-        return ErrorCode::ContainerRuntimeServiceNotRunning;

    return error;
 }
@@ -899,7 +847,7 @@ ErrorCode InstallController::isUserInSudo(const ServerCredentials &credentials,
        return ErrorCode::ServerUserNotInSudo;
    if (stdOut.contains("can't cd to") || stdOut.contains("Permission denied") || stdOut.contains("No such file or directory"))
        return ErrorCode::ServerUserDirectoryNotAccessible;
-    if (stdOut.contains(QRegularExpression(R"(\bsudoers\b)")) || stdOut.contains("is not allowed to") || stdOut.contains("can't do that"))
+    if (stdOut.contains("sudoers") || stdOut.contains("is not allowed to run sudo on"))
        return ErrorCode::ServerUserNotAllowedInSudoers;
    if (stdOut.contains("password is required") || stdOut.contains("authentication is required"))
        return ErrorCode::ServerUserPasswordRequired;
@@ -1032,11 +980,12 @@ ErrorCode InstallController::removeContainer(const QString &serverId, DockerCont
        return ErrorCode::InternalError;
    }
    SshSession sshSession(this);
-    const amnezia::ScriptVars removeContainerVars =
+    amnezia::ScriptVars removeContainerVars =
            amnezia::genBaseVars(credentials, container, QString(), QString());
-    const bool removeDataVolume = (container == DockerContainer::MtProxy || container == DockerContainer::Telemt);
-    ErrorCode errorCode =
-            sshSession.runScript(credentials, buildRemoveContainerScript(removeContainerVars, removeDataVolume));
+    removeContainerVars.append({ { "$REMOVE_CONTAINER_DATA", QStringLiteral("1") } });
+    ErrorCode errorCode = sshSession.runScript(
+            credentials,
+            sshSession.replaceVars(amnezia::scriptData(SharedScriptType::remove_container), removeContainerVars));

    if (errorCode == ErrorCode::NoError) {
        QMap<DockerContainer, ContainerConfig> containers = adminConfig->containers;
@@ -1514,7 +1463,7 @@ ErrorCode InstallController::getAlreadyInstalledContainers(const ServerCredentia
            QString transportProtoStr = containerAndPortMatch.captured(3);
            DockerContainer container = ContainerUtils::containerFromString(name);

-            if (container == DockerContainer::None || ContainerUtils::isUnsupportedContainer(container)) {
+            if (container == DockerContainer::None) {
                continue;
            }

@@ -1539,7 +1488,7 @@ ErrorCode InstallController::getAlreadyInstalledContainers(const ServerCredentia
            QString transportProtoStr = torOrDnsRegMatch.captured(3);
            DockerContainer container = ContainerUtils::containerFromString(name);

-            if (container == DockerContainer::None || ContainerUtils::isUnsupportedContainer(container)) {
+            if (container == DockerContainer::None) {
                continue;
            }

@@ -34,12 +34,7 @@ public:
    ~InstallController();

    ErrorCode setupContainer(const ServerCredentials &credentials, DockerContainer container, ContainerConfig &config, bool isUpdate = false);
-
-    // Updates server-side container settings (admin self-hosted only): reconfigures the container over SSH.
-    ErrorCode updateServerConfig(const QString &serverId, DockerContainer container, const ContainerConfig &oldConfig, ContainerConfig &newConfig);
-
-    // Updates client-local settings only: rewrites the stored container config for any self-hosted/native server. No SSH.
-    ErrorCode updateClientConfig(const QString &serverId, DockerContainer container, ContainerConfig &newConfig);
+    ErrorCode updateContainer(const QString &serverId, DockerContainer container, const ContainerConfig &oldConfig, ContainerConfig &newConfig);

    ErrorCode rebootServer(const QString &serverId);
    ErrorCode removeAllContainers(const QString &serverId);
@@ -7,8 +7,6 @@
 #include <QJsonObject>
 #include <QSysInfo>
 #include <QTimer>
-#include <QStandardPaths>
-#include <QTemporaryDir>

 #include "amneziaApplication.h"
 #include "logger.h"
@@ -29,11 +29,6 @@ ContainerConfig NativeServerConfig::containerConfig(DockerContainer container) c
    return containers.value(container);
 }

-void NativeServerConfig::updateContainerConfig(DockerContainer container, const ContainerConfig &config)
-{
-    containers[container] = config;
-}
-
 QPair<QString, QString> NativeServerConfig::getDnsPair(const QString &primaryDns, const QString &secondaryDns) const
 {
    QString d1 = dns1;
@@ -27,8 +27,6 @@ struct NativeServerConfig {
    bool hasContainers() const;
    ContainerConfig containerConfig(DockerContainer container) const;

-    void updateContainerConfig(DockerContainer container, const ContainerConfig &config);
-
    QPair<QString, QString> getDnsPair(const QString &primaryDns, const QString &secondaryDns) const;

    QJsonObject toJson() const;
@@ -43,11 +43,6 @@ ContainerConfig SelfHostedUserServerConfig::containerConfig(DockerContainer cont
    return containers.value(container);
 }

-void SelfHostedUserServerConfig::updateContainerConfig(DockerContainer container, const ContainerConfig &config)
-{
-    containers[container] = config;
-}
-
 QPair<QString, QString> SelfHostedUserServerConfig::getDnsPair(const QString &primaryDns,
                                                               const QString &secondaryDns) const
 {
@@ -32,8 +32,6 @@ struct SelfHostedUserServerConfig {
    bool hasContainers() const;
    ContainerConfig containerConfig(DockerContainer container) const;

-    void updateContainerConfig(DockerContainer container, const ContainerConfig &config);
-
    QPair<QString, QString> getDnsPair(const QString &primaryDns, const QString &secondaryDns) const;

    QJsonObject toJson() const;
@@ -39,35 +39,33 @@ QString OpenVpnProtocol::defaultConfigPath()
    return p;
 }

-void OpenVpnProtocol::cleanupResources()
+void OpenVpnProtocol::stop()
 {
-    if (m_openVpnProcess || openVpnProcessIsRunning()) {
+    qDebug() << "OpenVpnProtocol::stop()";
+    setConnectionState(Vpn::ConnectionState::Disconnecting);
+
+    // TODO: need refactoring
+    // sendTermSignal() will even return true while server connected ???
+    if ((m_connectionState == Vpn::ConnectionState::Preparing) || (m_connectionState == Vpn::ConnectionState::Connecting)
+        || (m_connectionState == Vpn::ConnectionState::Connected)
+        || (m_connectionState == Vpn::ConnectionState::Reconnecting)) {
        if (!sendTermSignal()) {
            killOpenVpnProcess();
        }
        QThread::msleep(10);
-    }
-    m_managementServer.stop();
-}
-
-void OpenVpnProtocol::stop()
-{
-    qDebug() << "OpenVpnProtocol::stop()";
-
-    const bool wasActive = m_connectionState == Vpn::ConnectionState::Preparing
-            || m_connectionState == Vpn::ConnectionState::Connecting
-            || m_connectionState == Vpn::ConnectionState::Connected
-            || m_connectionState == Vpn::ConnectionState::Reconnecting;
-
-    if (wasActive) {
-        setConnectionState(Vpn::ConnectionState::Disconnecting);
+        m_managementServer.stop();
    }

-    cleanupResources();
+#if defined(Q_OS_WIN) || defined(Q_OS_LINUX) || defined(Q_OS_MACOS)
+    IpcClient::withInterface([](QSharedPointer<IpcInterfaceReplica> iface) {
+        QRemoteObjectPendingReply<bool> reply = iface->disableKillSwitch();
+        if (!reply.waitForFinished(1000) && !reply.returnValue()) {
+            qWarning() << "OpenVpnProtocol::stop(): Failed to disable killswitch";
+        }
+    });
+#endif

-    if (wasActive || m_connectionState == Vpn::ConnectionState::Disconnecting) {
-        setConnectionState(Vpn::ConnectionState::Disconnected);
-    }
+    setConnectionState(Vpn::ConnectionState::Disconnected);
 }

 ErrorCode OpenVpnProtocol::prepare()
@@ -170,13 +168,27 @@ void OpenVpnProtocol::updateRouteGateway(QString line)

 ErrorCode OpenVpnProtocol::start()
 {
-    cleanupResources();
+    OpenVpnProtocol::stop();

    if (!QFileInfo::exists(configPath())) {
        setLastError(ErrorCode::OpenVpnConfigMissing);
        return lastError();
    }

+#ifdef AMNEZIA_DESKTOP
+    const ErrorCode res = IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
+        QString ip = NetworkUtilities::getIPAddress(m_configData.value(amnezia::configKey::hostName).toString());
+        QRemoteObjectPendingReply<bool> reply = iface->addKillSwitchAllowedRange(QStringList(ip));
+        if (!reply.waitForFinished(1000) || !reply.returnValue()) {
+            return ErrorCode::AmneziaServiceConnectionFailed;
+        }
+        return ErrorCode::NoError;
+    });
+    if (res != ErrorCode::NoError) {
+        return res;
+    }
+#endif
+
    // Detect default gateway
 #ifdef Q_OS_MAC
    QProcess p;
@@ -331,9 +343,38 @@ void OpenVpnProtocol::updateVpnGateway(const QString &line)
                m_vpnGateway = l.split(" ").at(2);
 #ifdef Q_OS_WIN
                QThread::msleep(300);
+                IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
+                    QList<QNetworkInterface> netInterfaces = QNetworkInterface::allInterfaces();
+                    for (int i = 0; i < netInterfaces.size(); i++) {
+                        for (int j=0; j < netInterfaces.at(i).addressEntries().size(); j++)
+                        {
+                            // killSwitch toggle
+                            if (m_vpnLocalAddress == netInterfaces.at(i).addressEntries().at(j).ip().toString()) {
+                                if (QVariant(m_configData.value(configKey::killSwitchOption).toString()).toBool()) {
+                                    iface->enableKillSwitch(m_configData, netInterfaces.at(i).index());
+                                }
+                                m_configData.insert("vpnAdapterIndex", netInterfaces.at(i).index());
+                                m_configData.insert("vpnGateway", m_vpnGateway);
+                                m_configData.insert("vpnServer",
+                                                    NetworkUtilities::getIPAddress(m_configData.value(amnezia::configKey::hostName).toString()));
+                                iface->enablePeerTraffic(m_configData);
+                            }
+                        }
+                    }
+                });
 #endif
-#if defined(Q_OS_WIN) || defined(Q_OS_LINUX) || defined(Q_OS_MACOS)
-                emit tunnelAddressesUpdated(m_vpnGateway, m_vpnLocalAddress);
+#if defined(Q_OS_LINUX) || defined(Q_OS_MACOS)
+                // killSwitch toggle
+                if (QVariant(m_configData.value(configKey::killSwitchOption).toString()).toBool()) {
+                    m_configData.insert("vpnServer",
+                                        NetworkUtilities::getIPAddress(m_configData.value(amnezia::configKey::hostName).toString()));
+                    IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
+                        QRemoteObjectPendingReply<bool> reply = iface->enableKillSwitch(m_configData, 0);
+                        if (!reply.waitForFinished(1000) || !reply.returnValue()) {
+                            qWarning() << "OpenVpnProtocol::updateVpnGateway(): Failed to enable killswitch";
+                        }
+                    });
+                }
 #endif
                qDebug() << QString("Set vpn local address %1, gw %2").arg(m_vpnLocalAddress).arg(vpnGateway());
            }
@@ -29,7 +29,6 @@ protected slots:
    void onReadyReadDataFromManagementServer();

 private:
-    void cleanupResources();
    QString configPath() const;
    bool openVpnProcessIsRunning() const;
    bool sendTermSignal();
@@ -106,19 +106,6 @@ QString VpnProtocol::vpnLocalAddress() const
    return m_vpnLocalAddress;
 }

-bool VpnProtocol::isWireGuardBased(amnezia::DockerContainer container)
-{
-    return container == amnezia::DockerContainer::Awg
-        || container == amnezia::DockerContainer::Awg2
-        || container == amnezia::DockerContainer::WireGuard;
-}
-
-bool VpnProtocol::isXrayBased(amnezia::DockerContainer container)
-{
-    return container == amnezia::DockerContainer::Xray
-        || container == amnezia::DockerContainer::SSXray;
-}
-
 VpnProtocol *VpnProtocol::factory(DockerContainer container, const QJsonObject &configuration)
 {
    switch (container) {
@@ -137,14 +124,6 @@ VpnProtocol *VpnProtocol::factory(DockerContainer container, const QJsonObject &
    }
 }

-void VpnProtocol::setPrimary(const QJsonObject &config)
-{
-    Q_UNUSED(config)
-    QMetaObject::invokeMethod(this, [this]() {
-        emit primaryReady();
-    }, Qt::QueuedConnection);
-}
-
 QString VpnProtocol::routeGateway() const
 {
    return m_routeGateway;
@@ -158,7 +137,6 @@ QString VpnProtocol::textConnectionState(Vpn::ConnectionState connectionState)
    case Vpn::ConnectionState::Preparing: return tr("Preparing");
    case Vpn::ConnectionState::Connecting: return tr("Connecting...");
    case Vpn::ConnectionState::Connected: return tr("Connected");
-    case Vpn::ConnectionState::Switching: return tr("Switching...");
    case Vpn::ConnectionState::Disconnecting: return tr("Disconnecting...");
    case Vpn::ConnectionState::Reconnecting: return tr("Reconnecting...");
    case Vpn::ConnectionState::Error: return tr("Error");
@@ -27,7 +27,6 @@ namespace Vpn
        Preparing,
        Connecting,
        Connected,
-        Switching,
        Disconnecting,
        Reconnecting,
        Error
@@ -61,7 +60,6 @@ public:
    virtual bool isDisconnected() const;
    virtual ErrorCode start() = 0;
    virtual void stop() = 0;
-    virtual void setPrimary(const QJsonObject& config);

    Vpn::ConnectionState connectionState() const;
    ErrorCode lastError() const;
@@ -73,8 +71,6 @@ public:
    QString vpnLocalAddress() const;

    static VpnProtocol* factory(amnezia::DockerContainer container, const QJsonObject &configuration);
-    static bool isWireGuardBased(amnezia::DockerContainer container);
-    static bool isXrayBased(amnezia::DockerContainer container);

 signals:
    void bytesChanged(quint64 receivedBytes, quint64 sentBytes);
@@ -82,8 +78,6 @@ signals:
    void timeoutTimerEvent();
    void protocolError(amnezia::ErrorCode e);
    void tunnelAddressesUpdated(const QString& gateway, const QString& localAddress);
-    void primaryReady();
-    void primaryFailed();

 public slots:
    virtual void onTimeout(); // todo: remove?
@@ -12,11 +12,9 @@
 WireguardProtocol::WireguardProtocol(const QJsonObject &configuration, QObject *parent)
    : VpnProtocol(configuration, parent)
 {
-    const QString ifname = configuration.value("ifname").toString();
-    m_impl.reset(new LocalSocketController(ifname));
+    m_impl.reset(new LocalSocketController());
    connect(m_impl.get(), &ControllerImpl::connected, this,
-            [this](const QString& pubkey, const QDateTime&) {
-                Q_UNUSED(pubkey)
+            [this](const QString &pubkey, const QDateTime &connectionTimestamp) {
                setConnectionState(Vpn::ConnectionState::Connected);
            });
    connect(m_impl.get(), &ControllerImpl::statusUpdated, this,
@@ -35,18 +33,12 @@ WireguardProtocol::WireguardProtocol(const QJsonObject &configuration, QObject *

                if ((!m_vpnGateway.isEmpty() && m_vpnGateway != previousGateway) ||
                    (!m_vpnLocalAddress.isEmpty() && m_vpnLocalAddress != previousLocal)) {
-                        if (m_connectionState == Vpn::ConnectionState::Connected) {
-                            emit tunnelAddressesUpdated(m_vpnGateway, m_vpnLocalAddress);
-                        }
-                    }
+                    emit tunnelAddressesUpdated(m_vpnGateway, m_vpnLocalAddress);
+                }
            });

    connect(m_impl.get(), &ControllerImpl::disconnected, this,
            [this]() { setConnectionState(Vpn::ConnectionState::Disconnected); });
-    connect(m_impl.get(), &ControllerImpl::primaryReady,
-            this, &WireguardProtocol::primaryReady);
-    connect(m_impl.get(), &ControllerImpl::primaryFailed,
-            this, &WireguardProtocol::primaryFailed);
    m_impl->initialize(nullptr, nullptr);
 }

@@ -56,7 +48,13 @@ WireguardProtocol::~WireguardProtocol()
    QThread::msleep(200);
 }

-ErrorCode WireguardProtocol::start()
+void WireguardProtocol::stop()
+{
+    stopMzImpl();
+    return;
+}
+
+ErrorCode WireguardProtocol::startMzImpl()
 {
    QString protocolName = m_rawConfig.value("protocol").toString();
    QJsonObject vpnConfigData = m_rawConfig.value(protocolName + "_config_data").toObject();
@@ -64,19 +62,18 @@ ErrorCode WireguardProtocol::start()
    m_rawConfig.insert(protocolName + "_config_data", vpnConfigData);
    m_rawConfig[configKey::hostName] = NetworkUtilities::getIPAddress(m_rawConfig[configKey::hostName].toString());

-    m_stopped = false;
    m_impl->activate(m_rawConfig);
    return ErrorCode::NoError;
 }

-void WireguardProtocol::stop()
+ErrorCode WireguardProtocol::stopMzImpl()
 {
-    if (m_stopped) return;
-    m_stopped = true;
    m_impl->deactivate();
+    return ErrorCode::NoError;
 }

-void WireguardProtocol::setPrimary(const QJsonObject& config)
+
+ErrorCode WireguardProtocol::start()
 {
-    m_impl->setPrimary(config);
+    return startMzImpl();
 }
@@ -21,10 +21,11 @@ public:

    ErrorCode start() override;
    void stop() override;
-    void setPrimary(const QJsonObject& config) override;
+
+    ErrorCode startMzImpl();
+    ErrorCode stopMzImpl();

 private:
-    bool m_stopped = false;

    QScopedPointer<ControllerImpl> m_impl;
 };
@@ -19,6 +19,12 @@

 #include <exception>

+#ifdef Q_OS_MACOS
+static const QString tunName = "utun22";
+#else
+static const QString tunName = "tun2";
+#endif
+
 XrayProtocol::XrayProtocol(const QJsonObject &configuration, QObject *parent) : VpnProtocol(configuration, parent)
 {
    m_vpnGateway = amnezia::protocols::xray::defaultLocalAddr;
@@ -28,16 +34,11 @@ XrayProtocol::XrayProtocol(const QJsonObject &configuration, QObject *parent) :
    m_routeMode = static_cast<amnezia::RouteMode>(configuration.value(amnezia::configKey::splitTunnelType).toInt());
    m_remoteAddress = NetworkUtilities::getIPAddress(m_rawConfig.value(amnezia::configKey::hostName).toString());

-    m_tunName = configuration.value("tunName").toString();
-    if (m_tunName.isEmpty()) {
-        m_tunName = configuration.value("ifname").toString();
-    }
-    if (m_tunName.isEmpty()) {
-#ifdef Q_OS_MACOS
-        m_tunName = QStringLiteral("utun22");
-#else
-        m_tunName = QStringLiteral("tun2");
-#endif
+    const QString primaryDns = configuration.value(amnezia::configKey::dns1).toString();
+    m_dnsServers.push_back(QHostAddress(primaryDns));
+    if (primaryDns != amnezia::protocols::dns::amneziaDnsIp) {
+        const QString secondaryDns = configuration.value(amnezia::configKey::dns2).toString();
+        m_dnsServers.push_back(QHostAddress(secondaryDns));
    }

    QJsonObject xrayConfiguration = configuration.value(ProtocolUtils::key_proto_config_data(Proto::Xray)).toObject();
@@ -67,8 +68,6 @@ ErrorCode XrayProtocol::start()
 {
    qDebug() << "XrayProtocol::start()";

-    m_phase = Phase::Active;
-
    // Inject SOCKS5 auth into the inbound before starting xray.
    // Re-uses existing credentials if the config already has them (e.g. imported config).
    amnezia::serialization::inbounds::InboundCredentials creds;
@@ -107,7 +106,7 @@ ErrorCode XrayProtocol::start()

    return IpcClient::withInterface(
            [&](QSharedPointer<IpcInterfaceReplica> iface) {
-                auto xrayStart = iface->xrayStart(m_tunName, xrayConfigStr);
+                auto xrayStart = iface->xrayStart(xrayConfigStr);
                if (!xrayStart.waitForFinished() || !xrayStart.returnValue()) {
                    qCritical() << "Failed to start xray";
                    return ErrorCode::XrayExecutableCrashed;
@@ -121,17 +120,24 @@ void XrayProtocol::stop()
 {
    qDebug() << "XrayProtocol::stop()";

-    if (m_phase != Phase::Active) {
-        return;
-    }
-    m_phase = Phase::Stopping;
+    IpcClient::withInterface([](QSharedPointer<IpcInterfaceReplica> iface) {
+        auto disableKillSwitch = iface->disableKillSwitch();
+        if (!disableKillSwitch.waitForFinished() || !disableKillSwitch.returnValue())
+            qWarning() << "Failed to disable killswitch";

-    IpcClient::withInterface([this](QSharedPointer<IpcInterfaceReplica> iface) {
-        auto deleteTun = iface->deleteTun(m_tunName);
+        auto StartRoutingIpv6 = iface->StartRoutingIpv6();
+        if (!StartRoutingIpv6.waitForFinished() || !StartRoutingIpv6.returnValue())
+            qWarning() << "Failed to start routing ipv6";
+
+        auto restoreResolvers = iface->restoreResolvers();
+        if (!restoreResolvers.waitForFinished() || !restoreResolvers.returnValue())
+            qWarning() << "Failed to restore resolvers";
+
+        auto deleteTun = iface->deleteTun(tunName);
        if (!deleteTun.waitForFinished() || !deleteTun.returnValue())
            qWarning() << "Failed to delete tun";

-        auto xrayStop = iface->xrayStop(m_tunName);
+        auto xrayStop = iface->xrayStop();
        if (!xrayStop.waitForFinished() || !xrayStop.returnValue())
            qWarning() << "Failed to stop xray";
    });
@@ -156,18 +162,9 @@ void XrayProtocol::stop()
        m_tun2socksProcess.reset();
    }

-    m_phase = Phase::Inactive;
    setConnectionState(Vpn::ConnectionState::Disconnected);
 }

-void XrayProtocol::setPrimary(const QJsonObject &config)
-{
-    Q_UNUSED(config)
-    QMetaObject::invokeMethod(this, [this]() {
-        emit primaryReady();
-    }, Qt::QueuedConnection);
-}
-
 ErrorCode XrayProtocol::startTun2Socks()
 {
    m_tun2socksProcess = IpcClient::CreatePrivilegedProcess();
@@ -178,23 +175,10 @@ ErrorCode XrayProtocol::startTun2Socks()
    const QString proxyUrl = QString("socks5://%1:%2@127.0.0.1:%3").arg(m_socksUser, m_socksPassword, QString::number(m_socksPort));

    m_tun2socksProcess->setProgram(PermittedProcess::Tun2Socks);
-    m_tun2socksProcess->setArguments({ "-device", QString("tun://%1").arg(m_tunName), "-proxy", proxyUrl });
+    m_tun2socksProcess->setArguments({ "-device", QString("tun://%1").arg(tunName), "-proxy", proxyUrl });

    connect(
-            m_tun2socksProcess.data(), &IpcProcessInterfaceReplica::errorOccurred, this,
-            [this](QProcess::ProcessError error) {
-                if (error != QProcess::FailedToStart) {
-                    // Other errors are reported via the finished signal or are transient.
-                    return;
-                }
-                qCritical() << "Tun2socks failed to start";
-                stop();
-                setLastError(ErrorCode::Tun2SockExecutableMissing);
-            },
-            Qt::QueuedConnection);
-
-    connect(
-            m_tun2socksProcess.data(), &IpcProcessInterfaceReplica::readyReadStandardError, this,
+            m_tun2socksProcess.data(), &IpcProcessInterfaceReplica::readyReadStandardError, this, 
            [this]() {
                auto readAllStandardError = m_tun2socksProcess->readAllStandardError();
                if (!readAllStandardError.waitForFinished()) {
@@ -233,17 +217,13 @@ ErrorCode XrayProtocol::startTun2Socks()
                    }
                }

-                if (m_phase == Phase::Active && resourceBusy
-                    && m_tun2socksRetryCount < maxTun2SocksRetries) {
+                if (resourceBusy && m_tun2socksRetryCount < maxTun2SocksRetries) {
                    m_tun2socksRetryCount++;
                    qWarning() << QString("Tun2socks: TUN resource busy, retrying (%1/%2) in %3ms...")
                                      .arg(m_tun2socksRetryCount)
                                      .arg(maxTun2SocksRetries)
                                      .arg(tun2socksRetryDelayMs);
                    QTimer::singleShot(tun2socksRetryDelayMs, this, [this]() {
-                        if (m_phase != Phase::Active) {
-                            return;
-                        }
                        if (ErrorCode err = startTun2Socks(); err != ErrorCode::NoError) {
                            stop();
                            setLastError(err);
@@ -272,17 +252,81 @@ ErrorCode XrayProtocol::setupRouting()
 {
    return IpcClient::withInterface(
            [this](QSharedPointer<IpcInterfaceReplica> iface) -> ErrorCode {
-#ifndef Q_OS_WIN
-                auto createTun = iface->createTun(m_tunName, amnezia::protocols::xray::defaultLocalAddr);
+#ifdef Q_OS_WIN
+                const int inetAdapterIndex = NetworkUtilities::AdapterIndexTo(QHostAddress(m_remoteAddress));
+#endif
+                auto createTun = iface->createTun(tunName, amnezia::protocols::xray::defaultLocalAddr);
                if (!createTun.waitForFinished() || !createTun.returnValue()) {
                    qCritical() << "Failed to assign IP address for TUN";
                    return ErrorCode::InternalError;
                }
-#else
-                Q_UNUSED(iface)
-#endif

-                emit tunnelAddressesUpdated(m_vpnGateway, m_vpnLocalAddress);
+                auto updateResolvers = iface->updateResolvers(tunName, m_dnsServers);
+                if (!updateResolvers.waitForFinished() || !updateResolvers.returnValue()) {
+                    qCritical() << "Failed to set DNS resolvers for TUN";
+                    return ErrorCode::InternalError;
+                }
+
+#ifdef Q_OS_WIN
+                int vpnAdapterIndex = -1;
+                QList<QNetworkInterface> netInterfaces = QNetworkInterface::allInterfaces();
+                for (auto &netInterface : netInterfaces) {
+                    for (auto &address : netInterface.addressEntries()) {
+                        if (m_vpnLocalAddress == address.ip().toString())
+                            vpnAdapterIndex = netInterface.index();
+                    }
+                }
+#else
+                static const int vpnAdapterIndex = 0;
+#endif
+                const bool killSwitchEnabled = QVariant(m_rawConfig.value(configKey::killSwitchOption).toString()).toBool();
+                if (killSwitchEnabled) {
+                    if (vpnAdapterIndex != -1) {
+                        QJsonObject config = m_rawConfig;
+                        config.insert("vpnServer", m_remoteAddress);
+
+                        auto enableKillSwitch = IpcClient::Interface()->enableKillSwitch(config, vpnAdapterIndex);
+                        if (!enableKillSwitch.waitForFinished() || !enableKillSwitch.returnValue()) {
+                            qCritical() << "Failed to enable killswitch";
+                            return ErrorCode::InternalError;
+                        }
+                    } else
+                        qWarning() << "Failed to get vpnAdapterIndex. Killswitch disabled";
+                }
+
+                if (m_routeMode == amnezia::RouteMode::VpnAllSites) {
+                    static const QStringList subnets = { "1.0.0.0/8",  "2.0.0.0/7",  "4.0.0.0/6",  "8.0.0.0/5",
+                                                         "16.0.0.0/4", "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/1" };
+
+                    auto routeAddList = iface->routeAddList(m_vpnGateway, subnets);
+                    if (!routeAddList.waitForFinished() || routeAddList.returnValue() != subnets.count()) {
+                        qCritical() << "Failed to set routes for TUN";
+                        return ErrorCode::InternalError;
+                    }
+                }
+
+                auto StopRoutingIpv6 = iface->StopRoutingIpv6();
+                if (!StopRoutingIpv6.waitForFinished() || !StopRoutingIpv6.returnValue()) {
+                    qCritical() << "Failed to disable IPv6 routing";
+                    return ErrorCode::InternalError;
+                }
+
+#ifdef Q_OS_WIN
+                if (inetAdapterIndex != -1 && vpnAdapterIndex != -1) {
+                    QJsonObject config = m_rawConfig;
+                    config.insert("inetAdapterIndex", inetAdapterIndex);
+                    config.insert("vpnAdapterIndex", vpnAdapterIndex);
+                    config.insert("vpnGateway", m_vpnGateway);
+                    config.insert("vpnServer", m_remoteAddress);
+
+                    auto enablePeerTraffic = iface->enablePeerTraffic(config);
+                    if (!enablePeerTraffic.waitForFinished() || !enablePeerTraffic.returnValue()) {
+                        qCritical() << "Failed to enable peer traffic";
+                        return ErrorCode::InternalError;
+                    }
+                } else
+                    qWarning() << "Failed to get adapter indexes. Split-tunneling disabled";
+#endif
                return ErrorCode::NoError;
            },
            []() { return ErrorCode::AmneziaServiceConnectionFailed; });
@@ -20,20 +20,14 @@ public:

    ErrorCode start() override;
    void stop() override;
-    void setPrimary(const QJsonObject &config) override;

 private:
-    enum class Phase {
-        Inactive,
-        Active,
-        Stopping,
-    };
-
    ErrorCode setupRouting();
    ErrorCode startTun2Socks();

    QJsonObject m_xrayConfig;
    amnezia::RouteMode m_routeMode;
+    QList<QHostAddress> m_dnsServers;
    QString m_remoteAddress;

    QString m_socksUser;
@@ -44,9 +38,6 @@ private:
    int m_tun2socksRetryCount = 0;
    static constexpr int maxTun2SocksRetries = 5;
    static constexpr int tun2socksRetryDelayMs = 400;
-
-    QString m_tunName;
-    Phase m_phase = Phase::Inactive;
 };

 #endif // XRAYPROTOCOL_H
@@ -1,157 +0,0 @@
-#include "tunnel.h"
-
-#include <QTimer>
-
-#include "daemon/interfaceconfig.h"
-
-Tunnel::Tunnel(QString ifname,
-               amnezia::DockerContainer container,
-               QJsonObject config,
-               QString remoteAddress,
-               QObject* parent)
-    : QObject(parent),
-      m_ifname(std::move(ifname)),
-      m_remoteAddress(std::move(remoteAddress)),
-      m_container(container),
-      m_config(std::move(config)) {}
-
-Tunnel::~Tunnel() = default;
-
-void Tunnel::prepare() {
-    if (m_state != State::Idle) {
-        return;
-    }
-
-    setState(State::Preparing);
-
-    m_config.insert("ifname", m_ifname);
-    m_protocol.reset(VpnProtocol::factory(m_container, m_config));
-    if (!m_protocol) {
-        setState(State::Failed);
-        emit failed(amnezia::ErrorCode::InternalError);
-        return;
-    }
-
-    connect(m_protocol.data(), &VpnProtocol::connectionStateChanged,
-            this, &Tunnel::onProtocolStateChanged);
-    connect(m_protocol.data(), &VpnProtocol::bytesChanged,
-            this, &Tunnel::bytesChanged);
-    connect(m_protocol.data(), &VpnProtocol::tunnelAddressesUpdated,
-            this, &Tunnel::addressesUpdated);
-    connect(m_protocol.data(), &VpnProtocol::primaryReady,
-            this, &Tunnel::onPrimaryReady);
-    connect(m_protocol.data(), &VpnProtocol::primaryFailed,
-            this, &Tunnel::onPrimaryFailed);
-
-    const amnezia::ErrorCode prepareErr = m_protocol->prepare();
-    if (prepareErr != amnezia::ErrorCode::NoError) {
-        setState(State::Failed);
-        emit failed(prepareErr);
-        return;
-    }
-
-    startActivationDeadline(ACTIVATION_TIMEOUT_MSEC);
-
-    const amnezia::ErrorCode err = m_protocol->start();
-    if (err != amnezia::ErrorCode::NoError) {
-        cancelActivationDeadline();
-        setState(State::Failed);
-        emit failed(err);
-    }
-}
-
-void Tunnel::commit() {
-    if (m_state != State::Prepared) {
-        return;
-    }
-    setState(State::Committing);
-    startActivationDeadline(ACTIVATION_TIMEOUT_MSEC);
-    if (m_protocol) {
-        m_protocol->setPrimary(m_config);
-    }
-}
-
-void Tunnel::onPrimaryReady() {
-    if (m_state != State::Committing) {
-        return;
-    }
-    cancelActivationDeadline();
-    setState(State::Active);
-    emit activated();
-}
-
-void Tunnel::onPrimaryFailed() {
-    if (m_state != State::Committing) {
-        return;
-    }
-    cancelActivationDeadline();
-    setState(State::Failed);
-    emit failed(m_protocol ? m_protocol->lastError() : amnezia::ErrorCode::InternalError);
-}
-
-void Tunnel::deactivate() {
-    if (m_state == State::Gone || m_state == State::Idle) {
-        return;
-    }
-    cancelActivationDeadline();
-    setState(State::Gone);
-    if (m_protocol) {
-        m_protocol->stop();
-    }
-}
-
-void Tunnel::restart() {
-    deactivate();
-    setState(State::Idle);
-    prepare();
-}
-
-void Tunnel::setState(State next) {
-    if (m_state == next) {
-        return;
-    }
-    m_state = next;
-    emit stateChanged(m_state);
-}
-
-void Tunnel::startActivationDeadline(int msec) {
-    if (!m_deadline) {
-        m_deadline = new QTimer(this);
-        m_deadline->setSingleShot(true);
-        connect(m_deadline, &QTimer::timeout, this, [this]() {
-            if (m_state != State::Preparing && m_state != State::Committing) {
-                return;
-            }
-            setState(State::Failed);
-            emit failed(amnezia::ErrorCode::InternalError);
-        });
-    }
-    m_deadline->start(msec);
-}
-
-void Tunnel::cancelActivationDeadline() {
-    if (m_deadline) {
-        m_deadline->stop();
-    }
-}
-
-void Tunnel::onProtocolStateChanged(Vpn::ConnectionState state) {
-    if (m_state == State::Preparing && state == Vpn::ConnectionState::Connected) {
-        cancelActivationDeadline();
-        setState(State::Prepared);
-        emit prepared();
-        return;
-    }
-
-    const bool inLiveState = m_state == State::Preparing
-                          || m_state == State::Prepared
-                          || m_state == State::Committing
-                          || m_state == State::Active;
-    const bool isFailureSignal = state == Vpn::ConnectionState::Disconnected
-                              || state == Vpn::ConnectionState::Error;
-    if (inLiveState && isFailureSignal) {
-        cancelActivationDeadline();
-        setState(State::Failed);
-        emit failed(m_protocol ? m_protocol->lastError() : amnezia::ErrorCode::InternalError);
-    }
-}
@@ -1,82 +0,0 @@
-#ifndef TUNNEL_H
-#define TUNNEL_H
-
-#include <QJsonObject>
-#include <QObject>
-#include <QSharedPointer>
-#include <QString>
-
-#include "core/protocols/vpnProtocol.h"
-#include "core/utils/containerEnum.h"
-#include "core/utils/errorCodes.h"
-
-class QTimer;
-
-class Tunnel : public QObject {
-    Q_OBJECT
-
-public:
-    enum class State {
-        Idle,
-        Preparing,
-        Prepared,
-        Committing,
-        Active,
-        Gone,
-        Failed,
-    };
-    Q_ENUM(State)
-
-    Tunnel(QString ifname,
-           amnezia::DockerContainer container,
-           QJsonObject config,
-           QString remoteAddress,
-           QObject* parent = nullptr);
-    ~Tunnel() override;
-
-    const QString& ifname() const { return m_ifname; }
-    const QString& remoteAddress() const { return m_remoteAddress; }
-    amnezia::DockerContainer container() const { return m_container; }
-    const QJsonObject& config() const { return m_config; }
-    State state() const { return m_state; }
-    QSharedPointer<VpnProtocol> protocol() const { return m_protocol; }
-
-    const QString& handoverIfname() const { return m_handoverIfname; }
-    void setHandoverIfname(const QString& ifname) { m_handoverIfname = ifname; }
-    void clearHandoverIfname() { m_handoverIfname.clear(); }
-
-    virtual void prepare();
-    virtual void commit();
-    virtual void deactivate();
-    virtual void restart();
-
-signals:
-    void prepared();
-    void activated();
-    void failed(amnezia::ErrorCode);
-    void stateChanged(Tunnel::State);
-    void bytesChanged(quint64 rxBytes, quint64 txBytes);
-    void addressesUpdated(const QString& gateway, const QString& localAddress);
-
-protected:
-    void setState(State);
-    void startActivationDeadline(int msec);
-    void cancelActivationDeadline();
-
-    QString m_ifname;
-    QString m_remoteAddress;
-    QString m_handoverIfname;
-    amnezia::DockerContainer m_container;
-    QJsonObject m_config;
-    QSharedPointer<VpnProtocol> m_protocol;
-
-private:
-    void onProtocolStateChanged(Vpn::ConnectionState state);
-    void onPrimaryReady();
-    void onPrimaryFailed();
-
-    State m_state = State::Idle;
-    QTimer* m_deadline = nullptr;
-};
-
-#endif  // TUNNEL_H
@@ -15,8 +15,6 @@ namespace amnezia
            Awg2,
            WireGuard,
            OpenVpn,
-            Cloak,
-            ShadowSocks,
            Ipsec,
            Xray,
            SSXray,
@@ -21,8 +21,6 @@ QString ContainerUtils::containerToString(DockerContainer c)
 {
    if (c == DockerContainer::None)
        return "none";
-    if (c == DockerContainer::Cloak)
-        return "amnezia-openvpn-cloak";
    if (c == DockerContainer::Awg)
        return "amnezia-awg";
    if (c == DockerContainer::Awg2)
@@ -64,8 +62,6 @@ QMap<DockerContainer, QString> ContainerUtils::containerHumanNames()
 {
    return { { DockerContainer::None, "Not installed" },
             { DockerContainer::OpenVpn, "OpenVPN" },
-             { DockerContainer::ShadowSocks, "OpenVPN over SS" },
-             { DockerContainer::Cloak, "OpenVPN over Cloak" },
             { DockerContainer::WireGuard, "WireGuard" },
             { DockerContainer::Awg, "AmneziaWG" },
             { DockerContainer::Awg2, "AmneziaWG" },
@@ -87,10 +83,6 @@ QMap<DockerContainer, QString> ContainerUtils::containerDescriptions()
    return {              { DockerContainer::OpenVpn,
               QObject::tr("OpenVPN is the most popular VPN protocol, with flexible configuration options. It uses its "
                           "own security protocol with SSL/TLS for key exchange.") },
-             { DockerContainer::ShadowSocks,
-               QObject::tr("This protocol is no longer supported.") },
-             { DockerContainer::Cloak,
-               QObject::tr("This protocol is no longer supported.") },
             { DockerContainer::WireGuard,
               QObject::tr("WireGuard - popular VPN protocol with high performance, high speed and low power "
                           "consumption.") },
@@ -202,9 +194,6 @@ QMap<DockerContainer, QString> ContainerUtils::containerDetailedDescriptions()

 ServiceType ContainerUtils::containerService(DockerContainer c)
 {
-    if (isUnsupportedContainer(c)) {
-        return ServiceType::Vpn;
-    }
    return ProtocolUtils::protocolService(defaultProtocol(c));
 }

@@ -213,8 +202,6 @@ Proto ContainerUtils::defaultProtocol(DockerContainer c)
    switch (c) {
    case DockerContainer::None: return Proto::Unknown;
    case DockerContainer::OpenVpn: return Proto::OpenVpn;
-    case DockerContainer::Cloak:
-    case DockerContainer::ShadowSocks: return Proto::Unknown;
    case DockerContainer::WireGuard: return Proto::WireGuard;
    case DockerContainer::Awg2: return Proto::Awg;
    case DockerContainer::Awg: return Proto::Awg;
@@ -265,8 +252,6 @@ bool ContainerUtils::isSupportedByCurrentPlatform(DockerContainer c)
    // macOS build using Network Extension – allow OpenVPN for parity with iOS.
    switch (c) {
    case DockerContainer::OpenVpn: return true;
-    case DockerContainer::Cloak: return false;
-    case DockerContainer::ShadowSocks: return false;
    case DockerContainer::WireGuard: return true;
    case DockerContainer::Awg2: return true;
    case DockerContainer::Awg: return true;
@@ -351,10 +336,6 @@ int ContainerUtils::easySetupOrder(DockerContainer container)

 bool ContainerUtils::isShareable(DockerContainer container)
 {
-    if (isUnsupportedContainer(container)) {
-        return false;
-    }
-
    switch (container) {
    case DockerContainer::TorWebSite: return false;
    case DockerContainer::Dns: return false;
@@ -371,11 +352,6 @@ bool ContainerUtils::isAwgContainer(DockerContainer container)
    return container == DockerContainer::Awg || container == DockerContainer::Awg2;
 }

-bool ContainerUtils::isUnsupportedContainer(DockerContainer container)
-{
-    return container == DockerContainer::Cloak || container == DockerContainer::ShadowSocks;
-}
-
 QJsonObject ContainerUtils::getProtocolConfigFromContainer(const Proto protocol, const QJsonObject &containerConfig)
 {
    QString protocolConfigString = containerConfig.value(ProtocolUtils::protoToString(protocol))
@@ -45,8 +45,6 @@ namespace amnezia

        bool isAwgContainer(DockerContainer container);

-        bool isUnsupportedContainer(DockerContainer container);
-
        QJsonObject getProtocolConfigFromContainer(const Proto protocol, const QJsonObject &containerConfig);

        int installPageOrder(DockerContainer container);
@@ -38,8 +38,6 @@ namespace amnezia
        XrayServerConfigInvalid = 215,
        XrayServerNoVlessClients = 216,
        XrayRealityKeysReadFailed = 217,
-        ServerContainerRuntimeNotSupported = 218,
-        ContainerRuntimeServiceNotRunning = 219,

        // Ssh connection errors
        SshRequestDeniedError = 300,
@@ -81,7 +79,6 @@ namespace amnezia
        ImportBackupFileUseRestoreInstead = 903,
        RestoreBackupInvalidError = 904,
        LegacyApiV1NotSupportedError = 905,
-        LegacyContainerNotSupportedError = 906,

        // Android errors
        AndroidError = 1000,
@@ -126,3 +123,5 @@ namespace amnezia
 Q_DECLARE_METATYPE(amnezia::ErrorCode)

 #endif // ERRORCODES_H
+
+
@@ -39,8 +39,6 @@ QString errorString(ErrorCode code) {
    case(ErrorCode::XrayRealityKeysReadFailed):
        errorMessage = QObject::tr("Server error: failed to read XRay Reality keys from the server");
        break;
-    case(ErrorCode::ServerContainerRuntimeNotSupported): errorMessage = QObject::tr("Server error: The default container runtime available for installation on this server is not supported.\n Install Docker Engine on the server manually and try again."); break;
-    case(ErrorCode::ContainerRuntimeServiceNotRunning): errorMessage = QObject::tr("Container runtime error: The container runtime service is not running.\n Check the container runtime service on the server, or wait about a minute and try again."); break;

    // Libssh errors
    case(ErrorCode::SshRequestDeniedError): errorMessage = QObject::tr("SSH request was denied"); break;
@@ -71,7 +69,6 @@ QString errorString(ErrorCode code) {
    case (ErrorCode::ImportBackupFileUseRestoreInstead): errorMessage = QObject::tr("Backup files cannot be imported here. Use 'Restore from backup' instead."); break;
    case (ErrorCode::RestoreBackupInvalidError): errorMessage = QObject::tr("Backup file is corrupted or has invalid format"); break;
    case (ErrorCode::LegacyApiV1NotSupportedError): errorMessage = QObject::tr("This legacy Amnezia subscription format is no longer supported"); break;
-    case (ErrorCode::LegacyContainerNotSupportedError): errorMessage = QObject::tr("This protocol is no longer supported. Please select another protocol or remove this container from the server settings."); break;
    case (ErrorCode::ImportOpenConfigError): errorMessage = QObject::tr("Unable to open config file"); break;
    case (ErrorCode::NoInstalledContainersError): errorMessage = QObject::tr("VPN Protocols is not installed.\n Please install VPN container at first"); break;

@@ -286,7 +286,7 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
    return { resGateway, QNetworkInterface::interfaceFromIndex(resIndex) };
 #endif
 #ifdef Q_OS_LINUX
-    constexpr int BUFFER_SIZE = 8192;
+    constexpr int BUFFER_SIZE = 100;
    int     received_bytes = 0, msg_len = 0, route_attribute_len = 0;
    int     sock = -1, msgseq = 0;
    struct  nlmsghdr *nlh, *nlmsg;
@@ -294,7 +294,7 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
    // This struct contain route attributes (route type)
    struct  rtattr *route_attribute;
    char    gateway_address[INET_ADDRSTRLEN], interface[IF_NAMESIZE];
-    char    msgbuf[100], buffer[BUFFER_SIZE];
+    char    msgbuf[BUFFER_SIZE], buffer[BUFFER_SIZE];
    char    *ptr = buffer;
    struct timeval tv;

@@ -339,8 +339,8 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
        nlh = (struct nlmsghdr *) ptr;

        /* Check if the header is valid */
-        if((NLMSG_OK(nlh, received_bytes) == 0) ||
-            (nlh->nlmsg_type == NLMSG_ERROR))
+        if((NLMSG_OK(nlmsg, received_bytes) == 0) ||
+            (nlmsg->nlmsg_type == NLMSG_ERROR))
        {
            perror("Error in received packet");
            return {};
@@ -355,15 +355,13 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
        }

        /* Break if its not a multi part message */
-        if ((nlh->nlmsg_flags & NLM_F_MULTI) == 0)
+        if ((nlmsg->nlmsg_flags & NLM_F_MULTI) == 0)
            break;
    }
-    while ((nlh->nlmsg_seq != msgseq) || (nlh->nlmsg_pid != getpid()));
+    while ((nlmsg->nlmsg_seq != msgseq) || (nlmsg->nlmsg_pid != getpid()));

    /* parse response */
-    int remaining = msg_len + received_bytes;
-    nlh = (struct nlmsghdr *) buffer;
-    for ( ; NLMSG_OK(nlh, remaining); nlh = NLMSG_NEXT(nlh, remaining))
+    for ( ; NLMSG_OK(nlh, received_bytes); nlh = NLMSG_NEXT(nlh, received_bytes))
    {
        /* Get the route data */
        route_entry = (struct rtmsg *) NLMSG_DATA(nlh);
@@ -372,10 +370,6 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
        if (route_entry->rtm_table != RT_TABLE_MAIN)
            continue;

-        /* Reset per-route to avoid cross-route state pollution */
-        memset(gateway_address, 0, sizeof(gateway_address));
-        memset(interface, 0, sizeof(interface));
-
        route_attribute = (struct rtattr *) RTM_RTA(route_entry);
        route_attribute_len = RTM_PAYLOAD(nlh);

@@ -397,15 +391,10 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
        }

        if ((*gateway_address) && (*interface)) {
-            if (QString::fromUtf8(interface).startsWith("amn")) {
-                continue;
-            }
            qDebug() << "Gateway " << gateway_address << " for interface " << interface;
            break;
        }
    }
-    if (!(*gateway_address) || !(*interface))
-        qDebug() << "getGatewayAndIface: no gateway found";
    close(sock);
    return { gateway_address, QNetworkInterface::interfaceFromName(interface) };
 #endif
@@ -460,15 +449,10 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
                sa_tab[RTAX_DST]->sa_family == afinet_type[ip_type] &&
                sa_tab[RTAX_GATEWAY]->sa_family == afinet_type[ip_type])
            {
-                char ifname[IF_NAMESIZE] = {0};
-                const bool isTun = if_indextoname(rt->rtm_index, ifname)
-                                && QString::fromUtf8(ifname).startsWith("utun");
-
                if (afinet_type[ip_type] == AF_INET)
                {
                    if ((reinterpret_cast<struct sockaddr_in*>(sa_tab[RTAX_DST]))->sin_addr.s_addr == 0)
                    {
-                        if (isTun) continue;
                        char dstStr4[INET_ADDRSTRLEN];
                        char srcStr4[INET_ADDRSTRLEN];
                        memcpy(srcStr4,
@@ -486,7 +470,6 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
                {
                    if ((reinterpret_cast<struct sockaddr_in*>(sa_tab[RTAX_DST]))->sin_addr.s_addr == 0)
                    {
-                        if (isTun) continue;
                        char dstStr6[INET6_ADDRSTRLEN];
                        char srcStr6[INET6_ADDRSTRLEN];
                        memcpy(srcStr6,
@@ -1,584 +0,0 @@
-#include "vpnTrafficGuard.h"
-
-#include <QDebug>
-#include <QEventLoop>
-#include <QHostInfo>
-#include <QNetworkInterface>
-#include <QPointer>
-#include <QStringList>
-#include <QTimer>
-#include <QJsonObject>
-
-#ifdef AMNEZIA_DESKTOP
-    #include "core/utils/ipcClient.h"
-#endif
-
-#include "core/utils/networkUtilities.h"
-#include "core/utils/constants/protocolConstants.h"
-#include "core/tunnel.h"
-#include "mozilla/localsocketcontroller.h"
-
-VpnTrafficGuard::VpnTrafficGuard(SecureAppSettingsRepository* appSettings, QObject *parent)
-    : QObject(parent), m_appSettingsRepository(appSettings)
-{
-
-}
-
-VpnTrafficGuard::~VpnTrafficGuard()
-{
-}
-
-void VpnTrafficGuard::setConfig(const QJsonObject &config)
-{
-    m_config = config;
-}
-
-bool VpnTrafficGuard::allowEndpoint(const QString &remoteAddress, const QString &ifname)
-{
-#ifdef AMNEZIA_DESKTOP
-    if (remoteAddress.isEmpty()) {
-        return false;
-    }
-    if (m_allowedEndpoints.contains(remoteAddress)) {
-        return true;
-    }
-    m_allowedEndpoints.append(remoteAddress);
-    return IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-        QRemoteObjectPendingReply<bool> reply = iface->addKillSwitchAllowedRange(ifname, QStringList(remoteAddress));
-        return reply.waitForFinished(1000) && reply.returnValue();
-    });
-#else
-    Q_UNUSED(remoteAddress)
-    Q_UNUSED(ifname)
-    return true;
-#endif
-}
-
-void VpnTrafficGuard::setupRoutes(const QJsonObject &vpnConfiguration, const QSharedPointer<VpnProtocol> &protocol, const QString &remoteAddress)
-{
-#ifdef AMNEZIA_DESKTOP
-    if (!m_appSettingsRepository) {
-        qCritical() << "VpnTrafficGuard::setupRoutes: repositories not initialized";
-        return;
-    }
-    IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-        iface->resetIpStack();
-        auto flushDns = iface->flushDns();
-        if (flushDns.waitForFinished() && flushDns.returnValue())
-            qDebug() << "VpnTrafficGuard::setupRoutes: Successfully flushed DNS";
-        else
-            qWarning() << "VpnTrafficGuard::setupRoutes: Failed to flush DNS";
-
-        const QString proto = vpnConfiguration.value(configKey::vpnProto).toString();
-        const bool isWgBased = (proto == ProtocolUtils::protoToString(Proto::Awg) ||
-                                proto == ProtocolUtils::protoToString(Proto::WireGuard));
-        if (!isWgBased) {
-            if (!protocol) {
-                qWarning() << "VpnTrafficGuard::setupRoutes: protocol is null";
-                return;
-            }
-            QString dns1 = vpnConfiguration.value(configKey::dns1).toString();
-            QString dns2 = vpnConfiguration.value(configKey::dns2).toString();
-            const QString xrayIfname = vpnConfiguration.value("ifname").toString();
-#ifdef Q_OS_MACOS
-            if (!m_appSettingsRepository->isSitesSplitTunnelingEnabled() || m_appSettingsRepository->routeMode() != amnezia::RouteMode::VpnAllExceptSites) {
-                iface->routeAddListVia(xrayIfname, protocol->vpnGateway(), QStringList() << dns1 << dns2);
-            }
-#else
-            iface->routeAddListVia(xrayIfname, protocol->vpnGateway(), QStringList() << dns1 << dns2);
-#endif
-
-            if (m_appSettingsRepository->isSitesSplitTunnelingEnabled()) {
-                iface->routeDeleteList(protocol->vpnGateway(), QStringList() << "0.0.0.0");
-                if (m_appSettingsRepository->routeMode() == amnezia::route_mode_ns::VpnOnlyForwardSites) {
-                    QPointer<VpnProtocol> protocolPtr(protocol.data());
-                    QTimer::singleShot(1000, protocol.data(),
-                                        [this, protocolPtr]() {
-                                                if (!protocolPtr) {
-                                                    return;
-                                                }
-                                                addSplitTunnelRoutes(protocolPtr->vpnGateway(), m_appSettingsRepository->routeMode());
-                                            });
-                } else if (m_appSettingsRepository->routeMode() == amnezia::route_mode_ns::VpnAllExceptSites) {
-                    iface->routeAddListVia(xrayIfname, protocol->vpnGateway(), QStringList() << "0.0.0.0/1" << "128.0.0.0/1");
-
-                    iface->routeAddList(protocol->routeGateway(), QStringList() << remoteAddress);
-#ifdef Q_OS_MACOS
-                    iface->routeAddList(protocol->routeGateway(), QStringList() << dns1 << dns2);
-#endif
-                    addSplitTunnelRoutes(protocol->routeGateway(), m_appSettingsRepository->routeMode());
-                }
-            }
-        }
-    });
-#endif
-}
-
-void VpnTrafficGuard::addSplitTunnelRoutes(const QString &gw, amnezia::RouteMode mode)
-{
-#ifdef AMNEZIA_DESKTOP
-    if (!m_appSettingsRepository) {
-        qCritical() << "VpnTrafficGuard::addSplitTunnelRoutes: repositories not initialized";
-        return;
-    }
-
-    QStringList ips;
-    QStringList sites;
-    const QVariantMap &m = m_appSettingsRepository->vpnSites(mode);
-    for (auto i = m.constBegin(); i != m.constEnd(); ++i) {
-        if (NetworkUtilities::checkIpSubnetFormat(i.key())) {
-            ips.append(i.key());
-        } else {
-            if (NetworkUtilities::checkIpSubnetFormat(i.value().toString())) {
-                ips.append(i.value().toString());
-            }
-            sites.append(i.key());
-        }
-    }
-    ips.removeDuplicates();
-
-    IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-        iface->routeAddList(gw, ips);
-    });
-
-    for (const QString &site : sites) {
-        const auto &cbResolv = [this, site, gw, mode, ips](const QHostInfo &hostInfo) {
-            for (const QHostAddress &addr : hostInfo.addresses()) {
-                if (addr.protocol() == QAbstractSocket::NetworkLayerProtocol::IPv4Protocol) {
-                    const QString &ip = addr.toString();
-                    if (!ips.contains(ip)) {
-                        IpcClient::withInterface([gw, ip](QSharedPointer<IpcInterfaceReplica> iface) {
-                            iface->routeAddList(gw, QStringList() << ip);
-                        });
-                        m_appSettingsRepository->addVpnSite(mode, site, ip);
-                    }
-                    IpcClient::withInterface([](QSharedPointer<IpcInterfaceReplica> iface) {
-                        auto reply = iface->flushDns();
-                        if (!reply.waitForFinished() || !reply.returnValue())
-                            qWarning() << "VpnTrafficGuard::addSplitTunnelRoutes: Failed to flush DNS";
-                    });
-                    break;
-                }
-            }
-        };
-        QHostInfo::lookupHost(site, this, cbResolv);
-    }
-#endif
-}
-
-void VpnTrafficGuard::finishFirewallHandover(Tunnel* tunnel)
-{
-#if defined(AMNEZIA_DESKTOP) && defined(Q_OS_WIN)
-    if (!tunnel) return;
-    const QString handoverIfname = tunnel->handoverIfname();
-    if (handoverIfname.isEmpty() || handoverIfname == tunnel->ifname()) {
-        tunnel->clearHandoverIfname();
-        return;
-    }
-    IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-        iface->disableKillSwitchForTunnel(handoverIfname, QStringList());
-    });
-    tunnel->clearHandoverIfname();
-#else
-    Q_UNUSED(tunnel)
-#endif
-}
-
-void VpnTrafficGuard::applyKillSwitch(Tunnel* tunnel, const QString &gateway, const QString &localAddress)
-{
-#ifdef AMNEZIA_DESKTOP
-    finishFirewallHandover(tunnel);
-
-    QJsonObject updatedConfig = m_config;
-    IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-#ifdef Q_OS_WIN
-        const bool engineNamedInterface = tunnel
-            && (VpnProtocol::isWireGuardBased(tunnel->container())
-                || VpnProtocol::isXrayBased(tunnel->container()));
-        const QString ifname = engineNamedInterface ? updatedConfig.value("ifname").toString() : QString();
-        if (!ifname.isEmpty()) {
-            updatedConfig.insert("vpnGateway", gateway);
-            updatedConfig.insert("vpnServer", NetworkUtilities::getIPAddress(updatedConfig.value(configKey::hostName).toString()));
-            if (QVariant(updatedConfig.value(configKey::killSwitchOption).toString()).toBool()) {
-                iface->enableKillSwitch(updatedConfig, 0);
-            }
-            iface->enablePeerTraffic(updatedConfig);
-        } else {
-            QList<QNetworkInterface> netInterfaces = QNetworkInterface::allInterfaces();
-            for (int i = 0; i < netInterfaces.size(); i++) {
-                for (int j=0; j < netInterfaces.at(i).addressEntries().size(); j++)
-                {
-                    if (localAddress == netInterfaces.at(i).addressEntries().at(j).ip().toString()) {
-                        updatedConfig.insert("vpnAdapterIndex", netInterfaces.at(i).index());
-                        updatedConfig.insert("vpnGateway", gateway);
-                        updatedConfig.insert("vpnServer", NetworkUtilities::getIPAddress(updatedConfig.value(configKey::hostName).toString()));
-                        if (QVariant(updatedConfig.value(configKey::killSwitchOption).toString()).toBool()) {
-                            iface->enableKillSwitch(updatedConfig, netInterfaces.at(i).index());
-                        }
-                        iface->enablePeerTraffic(updatedConfig);
-                    }
-                }
-            }
-        }
-#endif
-#if defined(Q_OS_LINUX) || defined(Q_OS_MACOS)
-        if (QVariant(updatedConfig.value(configKey::killSwitchOption).toString()).toBool()) {
-            updatedConfig.insert("vpnServer",
-                                NetworkUtilities::getIPAddress(updatedConfig.value(amnezia::configKey::hostName).toString()));
-            QRemoteObjectPendingReply<bool> reply = iface->enableKillSwitch(updatedConfig, 0);
-            //TODO: why it takes so long?
-            if (!reply.waitForFinished(1000) || !reply.returnValue()) {
-                qWarning() << "VpnTrafficGuard::applyKillSwitch: Failed to enable killswitch";
-            } else {
-                qDebug() << "VpnTrafficGuard::applyKillSwitch: Successfully enabled killswitch";
-            }
-        }
-#endif
-        const QString proto = updatedConfig.value(configKey::vpnProto).toString();
-        const bool isXrayBased = (proto == ProtocolUtils::protoToString(Proto::Xray) ||
-                                  proto == ProtocolUtils::protoToString(Proto::SSXray));
-        if (isXrayBased) {
-            if (updatedConfig.value(configKey::splitTunnelType).toInt() == amnezia::route_mode_ns::VpnAllSites) {
-                static const QStringList subnets = { "1.0.0.0/8", "2.0.0.0/7", "4.0.0.0/6", "8.0.0.0/5", "16.0.0.0/4", "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/1" };
-                const QString xrayIfname = tunnel ? tunnel->ifname() : QString();
-                auto routeAddList = iface->routeAddListVia(xrayIfname, gateway, subnets);
-                if (!routeAddList.waitForFinished() || routeAddList.returnValue() != subnets.count()) {
-                    qCritical() << "Failed to set routes for TUN";
-                }
-            }
-            auto StopRoutingIpv6 = iface->StopRoutingIpv6();
-            if (!StopRoutingIpv6.waitForFinished() || !StopRoutingIpv6.returnValue()) {
-                qCritical() << "Failed to disable IPv6 routing";
-            } else {
-                m_ipv6RoutingStopped = true;
-            }
-        }
-    });
-#endif
-}
-
-void VpnTrafficGuard::flushAll()
-{
-#ifdef AMNEZIA_DESKTOP
-    IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-        iface->restoreTunnelResolvers();
-        QRemoteObjectPendingReply<bool> reply = iface->disableKillSwitch();
-        m_allowedEndpoints.clear();
-        //TODO: why it takes so long?
-        if (!reply.waitForFinished(1000) || !reply.returnValue()) {
-            qWarning() << "VpnTrafficGuard::flushAll: Failed to disable killswitch";
-        } else {
-            qDebug() << "VpnTrafficGuard::flushAll: Successfully disabled killswitch";
-        }
-        auto flushDns = iface->flushDns();
-        if (flushDns.waitForFinished() && flushDns.returnValue())
-            qDebug() << "VpnTrafficGuard::flushAll: Successfully flushed DNS";
-        else
-            qWarning() << "VpnTrafficGuard::flushAll: Failed to flush DNS";
-
-        auto clearSavedRoutes = iface->clearSavedRoutes();
-        if (clearSavedRoutes.waitForFinished() && clearSavedRoutes.returnValue())
-            qDebug() << "VpnTrafficGuard::flushAll: Successfully cleared saved routes";
-        else
-            qWarning() << "VpnTrafficGuard::flushAll: Failed to clear saved routes";
-        if (m_ipv6RoutingStopped) {
-            auto StartRoutingIpv6 = iface->StartRoutingIpv6();
-            if (!StartRoutingIpv6.waitForFinished() || !StartRoutingIpv6.returnValue()) {
-                qCritical() << "Failed to enable IPv6 routing";
-            } else {
-                m_ipv6RoutingStopped = false;
-            }
-        }
-    });
-#endif
-}
-
-namespace {
-QStringList allowedIpPrefixesFor(const QJsonObject& activateJson)
-{
-    QStringList prefixes;
-    const QJsonArray ranges = activateJson.value("allowedIPAddressRanges").toArray();
-    for (const QJsonValue& v : ranges) {
-        const QJsonObject r = v.toObject();
-        const QString addr = r.value("address").toString();
-        if (addr.isEmpty()) continue;
-        prefixes.append(QStringLiteral("%1/%2").arg(addr).arg(r.value("range").toInt()));
-    }
-    return prefixes;
-}
-
-QStringList excludedAddressesFor(const QJsonObject& activateJson)
-{
-    QStringList addrs;
-    const QJsonArray excluded = activateJson.value("excludedAddresses").toArray();
-    for (const QJsonValue& v : excluded) {
-        const QString s = v.toString();
-        if (!s.isEmpty()) addrs.append(s);
-    }
-    return addrs;
-}
-
-QStringList resolversFor(const QJsonObject& activateJson)
-{
-    QStringList dns;
-    const QString primary = activateJson.value("primaryDnsServer").toString();
-    if (!primary.isEmpty()) dns.append(primary);
-    const QString secondary = activateJson.value("secondaryDnsServer").toString();
-    if (!secondary.isEmpty()) dns.append(secondary);
-    return dns;
-}
-}
-
-void VpnTrafficGuard::reserve(Tunnel* tunnel)
-{
-    if (!tunnel) return;
-#ifdef AMNEZIA_DESKTOP
-    const bool engineNamedInterface = VpnProtocol::isWireGuardBased(tunnel->container())
-                                   || VpnProtocol::isXrayBased(tunnel->container());
-    allowEndpoint(tunnel->remoteAddress(), engineNamedInterface ? tunnel->ifname() : QString());
-#else
-    Q_UNUSED(tunnel)
-#endif
-}
-
-void VpnTrafficGuard::release(Tunnel* tunnel)
-{
-    if (!tunnel) return;
-    disconnect(tunnel, nullptr, this, nullptr);
-#ifdef AMNEZIA_DESKTOP
-    const bool engineNamedInterface = VpnProtocol::isWireGuardBased(tunnel->container())
-                                   || VpnProtocol::isXrayBased(tunnel->container());
-    m_allowedEndpoints.removeAll(tunnel->remoteAddress());
-    IpcClient::withInterface([this, &tunnel, engineNamedInterface](QSharedPointer<IpcInterfaceReplica> iface) {
-        iface->disableKillSwitchForTunnel(engineNamedInterface ? tunnel->ifname() : QString(), m_allowedEndpoints);
-    });
-#else
-    Q_UNUSED(tunnel)
-#endif
-}
-
-void VpnTrafficGuard::applyPolicy(Tunnel* tunnel)
-{
-    if (!tunnel) return;
-#ifdef AMNEZIA_DESKTOP
-    const QString ifname = tunnel->ifname();
-
-    if (VpnProtocol::isXrayBased(tunnel->container())) {
-        const QJsonObject cfg = tunnel->config();
-        const QString primary = cfg.value(amnezia::configKey::dns1).toString();
-        const QString secondary = cfg.value(amnezia::configKey::dns2).toString();
-        QList<QHostAddress> dns;
-        if (!primary.isEmpty()) dns.append(QHostAddress(primary));
-        if (!secondary.isEmpty() && secondary != primary) dns.append(QHostAddress(secondary));
-
-        IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-            auto updateRes = iface->updateResolvers(ifname, dns);
-            if (!updateRes.waitForFinished() || !updateRes.returnValue()) {
-                qWarning() << "VpnTrafficGuard::applyPolicy: updateResolvers failed for" << ifname;
-            }
-#ifdef Q_OS_MAC
-            const auto gw = NetworkUtilities::getGatewayAndIface();
-            const QString uplinkIface = gw.second.name();
-            const QString uplinkGateway = gw.first;
-            if (!uplinkIface.isEmpty() && !uplinkGateway.isEmpty()) {
-                auto add = iface->xrayAddUplinkRoutes(uplinkIface, uplinkGateway);
-                if (!add.waitForFinished() || !add.returnValue()) {
-                    qWarning() << "VpnTrafficGuard::applyPolicy: xrayAddUplinkRoutes failed on" << uplinkIface;
-                }
-            }
-#endif
-        });
-        return;
-    }
-
-    if (!VpnProtocol::isWireGuardBased(tunnel->container())) {
-        return;
-    }
-
-    const QJsonObject activate = LocalSocketController::buildActivateJson(tunnel->config(), tunnel->ifname());
-    const QStringList prefixes = allowedIpPrefixesFor(activate);
-    const QStringList excluded = excludedAddressesFor(activate);
-    const QStringList dns = resolversFor(activate);
-    const QString peer = tunnel->remoteAddress();
-
-    IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-        if (!peer.isEmpty()) iface->addExclusionRoute(ifname, peer);
-        for (const QString& addr : excluded) {
-            iface->addExclusionRoute(ifname, addr);
-        }
-        for (const QString& prefix : prefixes) {
-            iface->addAllowedIp(ifname, prefix);
-        }
-        iface->setTunnelResolvers(ifname, dns);
-        iface->flushDns();
-    });
-#else
-    Q_UNUSED(tunnel)
-#endif
-}
-
-void VpnTrafficGuard::revokePolicy(Tunnel* tunnel)
-{
-    if (!tunnel) return;
-#ifdef AMNEZIA_DESKTOP
-    const QString ifname = tunnel->ifname();
-
-    if (VpnProtocol::isXrayBased(tunnel->container())) {
-        IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-            iface->restoreResolvers();
-#ifdef Q_OS_MAC
-            const auto gw = NetworkUtilities::getGatewayAndIface();
-            const QString uplinkIface = gw.second.name();
-            const QString uplinkGateway = gw.first;
-            if (!uplinkIface.isEmpty()) {
-                iface->xrayRemoveUplinkRoutes(uplinkIface, uplinkGateway);
-            }
-#endif
-        });
-        return;
-    }
-
-    if (!VpnProtocol::isWireGuardBased(tunnel->container())) {
-        return;
-    }
-
-    const QJsonObject activate = LocalSocketController::buildActivateJson(tunnel->config(), tunnel->ifname());
-    const QStringList prefixes = allowedIpPrefixesFor(activate);
-    const QStringList excluded = excludedAddressesFor(activate);
-    const QString peer = tunnel->remoteAddress();
-
-    IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-        for (const QString& prefix : prefixes) {
-            iface->delAllowedIp(ifname, prefix);
-        }
-        for (const QString& addr : excluded) {
-            iface->delExclusionRoute(ifname, addr);
-        }
-        if (!peer.isEmpty()) iface->delExclusionRoute(ifname, peer);
-    });
-#else
-    Q_UNUSED(tunnel)
-#endif
-}
-
-void VpnTrafficGuard::bringUp(Tunnel* tunnel)
-{
-    if (!tunnel) return;
-    reserve(tunnel);
-    tunnel->prepare();
-}
-
-void VpnTrafficGuard::commit(Tunnel* tunnel)
-{
-    if (!tunnel) return;
-
-#ifdef Q_OS_WIN
-    const QString ipv4 = tunnel->config().value(QStringLiteral("deviceIpv4Address")).toString();
-    const QString ipv6 = tunnel->config().value(QStringLiteral("deviceIpv6Address")).toString();
-    if (!ipv4.isEmpty() || !ipv6.isEmpty()) {
-        IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-            auto ap = iface->applyAdapterAddress(tunnel->ifname(), ipv4, ipv6);
-            if (!ap.waitForFinished(15000) || !ap.returnValue()) {
-                qWarning() << "VpnTrafficGuard::commit: applyAdapterAddress failed for"
-                           << tunnel->ifname();
-            }
-        });
-    }
-#endif
-
-    applyPolicy(tunnel);
-    connect(tunnel, &Tunnel::activated, this, [this, tunnel] {
-        if (auto p = tunnel->protocol()) {
-            applyKillSwitch(tunnel, p->vpnGateway(), p->vpnLocalAddress());
-        }
-    });
-#ifdef Q_OS_WIN
-    connect(tunnel, &Tunnel::addressesUpdated, this,
-            [this, tunnel](const QString& gw, const QString& la) {
-        applyKillSwitch(tunnel, gw, la);
-    });
-#endif
-    tunnel->commit();
-}
-
-void VpnTrafficGuard::tearDown(Tunnel* tunnel)
-{
-    if (!tunnel) return;
-    revokePolicy(tunnel);
-    release(tunnel);
-    tunnel->deactivate();
-}
-
-void VpnTrafficGuard::swap(Tunnel* from, Tunnel* to)
-{
-    if (!to) return;
-    if (from) {
-        to->setHandoverIfname(from->ifname());
-    }
-
-#ifdef Q_OS_WIN
-    if (from) {
-        const QString fromIpv4 = from->config().value(QStringLiteral("deviceIpv4Address")).toString();
-        const QString fromIpv6 = from->config().value(QStringLiteral("deviceIpv6Address")).toString();
-        if (!fromIpv4.isEmpty() || !fromIpv6.isEmpty()) {
-            IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
-                auto rm = iface->removeAdapterAddress(from->ifname(), fromIpv4, fromIpv6);
-                if (!rm.waitForFinished(2000) || !rm.returnValue()) {
-                    qWarning() << "VpnTrafficGuard::swap: removeAdapterAddress failed for"
-                               << from->ifname();
-                }
-            });
-        }
-    }
-#endif
-
-    QEventLoop loop;
-    QTimer guard;
-    guard.setSingleShot(true);
-    const auto activatedConn = connect(to, &Tunnel::activated, &loop, &QEventLoop::quit);
-    const auto failedConn = connect(to, &Tunnel::failed, &loop, [&loop](amnezia::ErrorCode) { loop.quit(); });
-    const auto timeoutConn = connect(&guard, &QTimer::timeout, &loop, [&loop]() {
-        qWarning() << "VpnTrafficGuard::swap: timed out waiting for new tunnel activation";
-        loop.quit();
-    });
-
-    commit(to);
-
-    guard.start(5000);
-    loop.exec();
-    guard.stop();
-
-    disconnect(activatedConn);
-    disconnect(failedConn);
-    disconnect(timeoutConn);
-
-    // Service IPCs are processed in order on a single connection. Wait on a trailing
-    // sync request so the killswitch enable from the activation handlers is fully
-    // applied before we deactivate the previous tunnel.
-    IpcClient::withInterface([](QSharedPointer<IpcInterfaceReplica> iface) {
-        auto reply = iface->flushDns();
-        if (!reply.waitForFinished(5000) || !reply.returnValue()) {
-            qWarning() << "VpnTrafficGuard::swap: trailing sync IPC timed out or failed";
-        }
-    });
-
-    if (from) {
-        m_allowedEndpoints.removeAll(from->remoteAddress());
-#ifndef Q_OS_WIN
-        IpcClient::withInterface([this](QSharedPointer<IpcInterfaceReplica> iface) {
-            iface->resetKillSwitchAllowedRange(m_allowedEndpoints);
-        });
-#endif
-        revokePolicy(from);
-        from->deactivate();
-
-#ifdef Q_OS_MAC
-        if (VpnProtocol::isXrayBased(to->container())) {
-            if (auto p = to->protocol()) {
-                applyKillSwitch(to, p->vpnGateway(), p->vpnLocalAddress());
-                setupRoutes(to->config(), p, to->remoteAddress());
-            }
-        }
-#endif
-    }
-}
@@ -1,45 +0,0 @@
-#ifndef VPNTRAFFICGUARD_H
-#define VPNTRAFFICGUARD_H
-
-#include <qobject.h>
-#include "core/repositories/secureAppSettingsRepository.h"
-#include "protocols/vpnProtocol.h"
-
-class Tunnel;
-
-class VpnTrafficGuard : public QObject
-{
-    Q_OBJECT
-
-public:
-    explicit VpnTrafficGuard(SecureAppSettingsRepository* appSettings, QObject* parent = nullptr);
-    ~VpnTrafficGuard() override;
-    void setConfig(const QJsonObject &config);
-    void setupRoutes(const QJsonObject &vpnConfiguration,
-                                 const QSharedPointer<VpnProtocol> &protocol,
-                                 const QString &remoteAddress);
-
-    void flushAll();
-    bool allowEndpoint(const QString &remoteAddress, const QString &ifname = QString());
-    void applyKillSwitch(Tunnel* tunnel, const QString &vpnGateway, const QString &vpnLocalAddress);
-
-    void reserve(Tunnel* tunnel);
-    void release(Tunnel* tunnel);
-    void applyPolicy(Tunnel* tunnel);
-    void revokePolicy(Tunnel* tunnel);
-
-    void bringUp(Tunnel* tunnel);
-    void commit(Tunnel* tunnel);
-    void tearDown(Tunnel* tunnel);
-    void swap(Tunnel* from, Tunnel* to);
-
-private:
-    void addSplitTunnelRoutes(const QString &gateway, amnezia::RouteMode mode);
-    void finishFirewallHandover(Tunnel* tunnel);
-    SecureAppSettingsRepository* m_appSettingsRepository;
-    QJsonObject m_config;
-    bool m_ipv6RoutingStopped = false;
-    QStringList m_allowedEndpoints;
-};
-
-#endif // VPNTRAFFICGUARD_H
@@ -34,8 +34,8 @@ Daemon::Daemon(QObject* parent) : QObject(parent) {
  Q_ASSERT(s_daemon == nullptr);
  s_daemon = this;

-  m_activationTimer.setSingleShot(false);
-  connect(&m_activationTimer, &QTimer::timeout, this, &Daemon::checkActivations);
+  m_handshakeTimer.setSingleShot(true);
+  connect(&m_handshakeTimer, &QTimer::timeout, this, &Daemon::checkHandshake);
 }

 Daemon::~Daemon() {
@@ -43,9 +43,6 @@ Daemon::~Daemon() {

  logger.debug() << "Daemon released";

-  qDeleteAll(m_tunnels);
-  m_tunnels.clear();
-
  Q_ASSERT(s_daemon == this);
  s_daemon = nullptr;
 }
@@ -56,38 +53,69 @@ Daemon* Daemon::instance() {
  return s_daemon;
 }

-bool Daemon::activate(const QString& ifname, const InterfaceConfig& config) {
-  logger.debug() << "Activating tunnel";
+bool Daemon::activate(const InterfaceConfig& config) {
+  Q_ASSERT(wgutils() != nullptr);

-  WireguardUtils* wg = m_tunnels.value(ifname);
-  if (!wg) {
-    wg = createWgUtils();
-    if (!wg) {
-      logger.error() << "Failed to create wireguard utils.";
+  // There are 3 possible scenarios in which this method is called:
+  //
+  // 1. the VPN is off: the method tries to enable the VPN.
+  // 2. the VPN is on and the platform doesn't support the server-switching:
+  //    this method calls deactivate() and then it continues as 1.
+  // 3. the VPN is on and the platform supports the server-switching: this
+  //    method calls switchServer().
+  //
+  // At the end, if the activation succeds, the `connected` signal is emitted.
+  // If the activation abort's for any reason `the `activationFailure` signal is
+  // emitted.
+  logger.debug() << "Activating interface";
+  auto emit_failure_guard = qScopeGuard([this] { emit activationFailure(); });
+
+  if (m_connections.contains(config.m_hopType)) {
+    if (supportServerSwitching(config)) {
+      logger.debug() << "Already connected. Server switching supported.";
+
+      if (!switchServer(config)) {
+        return false;
+      }
+
+      if (!dnsutils()->restoreResolvers()) {
+        return false;
+      }
+
+      if (!maybeUpdateResolvers(config)) {
+        return false;
+      }
+
+      bool status = run(Switch, config);
+      logger.debug() << "Connection status:" << status;
+      if (status) {
+        m_connections[config.m_hopType] = ConnectionState(config);
+        m_handshakeTimer.start(HANDSHAKE_POLL_MSEC);
+        emit_failure_guard.dismiss();
+        return true;
+      }
      return false;
    }
-    m_tunnels.insert(ifname, wg);
-  }
-  if (m_primaryIfname.isEmpty()) {
-    m_primaryIfname = ifname;
-  }

-  ConnectionState& cs = m_connections[ifname];
-  cs.m_config = config;
-  cs.m_date = QDateTime();
-  cs.m_deadline = QDateTime::currentDateTime().addMSecs(ACTIVATION_TIMEOUT_MSEC);
+    logger.warning() << "Already connected. Server switching not supported.";
+    if (!deactivate(false)) {
+      return false;
+    }

-  auto failure_guard = qScopeGuard([this, ifname] {
-    deactivateTunnel(ifname);
-  });
+    Q_ASSERT(!m_connections.contains(config.m_hopType));
+    if (activate(config)) {
+      emit_failure_guard.dismiss();
+      return true;
+    }
+    return false;
+  }

  prepareActivation(config);

  // Bring up the wireguard interface if not already done.
-  if (!wg->interfaceExists()) {
-    InterfaceConfig bringupConfig = config;
-    bringupConfig.m_deferAddressSetup = (m_primaryIfname != ifname);
-    if (!wg->addInterface(bringupConfig)) {
+  if (!wgutils()->interfaceExists()) {
+    // Create the interface.
+    if (!wgutils()->addInterface(config)) {
      logger.error() << "Interface creation failed.";
      return false;
    }
@@ -103,71 +131,60 @@ bool Daemon::activate(const QString& ifname, const InterfaceConfig& config) {
    }
  }

+  // Configure routing for excluded addresses.
+  for (const QString& i : config.m_excludedAddresses) {
+    addExclusionRoute(IPAddress(i));
+  }
+
  // Add the peer to this interface.
-  if (!wg->updatePeer(config)) {
+  if (!wgutils()->updatePeer(config)) {
    logger.error() << "Peer creation failed.";
    return false;
  }

-  if (!m_activationTimer.isActive()) {
-    m_activationTimer.start(HANDSHAKE_POLL_MSEC);
-  }
-
-  failure_guard.dismiss();
-  return true;
-}
-
-bool Daemon::setPrimary(const QString& ifname, const InterfaceConfig& config) {
-  WireguardUtils* wg = m_tunnels.value(ifname);
-  if (!wg) {
-    logger.error() << "setPrimary: no tunnel for" << ifname;
-    return false;
-  }
-  logger.debug() << "setPrimary" << wg->interfaceName();
-
-  const QString priorPrimary = m_primaryIfname;
-  m_primaryIfname = ifname;
-
-  auto failure_guard = qScopeGuard([this, ifname, priorPrimary] {
-    deactivateTunnel(ifname);
-    m_primaryIfname = priorPrimary;
-  });
-
-  if (!run(Up, config)) {
+  if (!maybeUpdateResolvers(config)) {
    return false;
  }

-  m_connections[ifname].m_config = config;
-
-  failure_guard.dismiss();
-  return true;
-}
-
-bool Daemon::deactivateTunnel(const QString& ifname) {
-  WireguardUtils* wg = m_tunnels.value(ifname);
-  const ConnectionState cs = m_connections.value(ifname);
-  const InterfaceConfig& config = cs.m_config;
-  const bool wasPrimary = (ifname == m_primaryIfname);
-  const bool isLastTunnel = wg && m_tunnels.size() == 1;
-
-  if (wg) {
-    logger.debug() << "deactivateTunnel" << wg->interfaceName();
-    if (isLastTunnel) {
-      for (const IPAddress& prefix : m_excludedAddrSet.keys()) {
-        wg->deleteExclusionRoute(prefix);
-      }
-      m_excludedAddrSet.clear();
+  // set routing
+  for (const IPAddress& ip : config.m_allowedIPAddressRanges) {
+    if (!wgutils()->updateRoutePrefix(ip)) {
+      logger.debug() << "Routing configuration failed for" << ip.toString();
+      return false;
    }
-    wg->deletePeer(config);
-    wg->deleteInterface();
-    m_tunnels.remove(ifname);
-    delete wg;
  }

-  m_connections.remove(ifname);
-  if (wasPrimary) {
-    m_primaryIfname.clear();
+  bool status = run(Up, config);
+  logger.debug() << "Connection status:" << status;
+  if (status) {
+    m_connections[config.m_hopType] = ConnectionState(config);
+    m_handshakeTimer.start(HANDSHAKE_POLL_MSEC);
+    emit_failure_guard.dismiss();
+    return true;
  }
+  return false;
+}
+
+bool Daemon::maybeUpdateResolvers(const InterfaceConfig& config) {
+  if ((config.m_hopType == InterfaceConfig::MultiHopExit) ||
+      (config.m_hopType == InterfaceConfig::SingleHop)) {
+    QList<QHostAddress> resolvers;
+    resolvers.append(QHostAddress(config.m_primaryDnsServer));
+    if (!config.m_secondaryDnsServer.isEmpty()) {
+        resolvers.append(QHostAddress(config.m_secondaryDnsServer));
+    }
+
+    // If the DNS is not the Gateway, it's a user defined DNS
+    // thus, not add any other :)
+    if (config.m_primaryDnsServer == config.m_serverIpv4Gateway) {
+      resolvers.append(QHostAddress(config.m_serverIpv6Gateway));
+    }
+
+    if (!dnsutils()->updateResolvers(wgutils()->interfaceName(), resolvers)) {
+      return false;
+    }
+  }
+
  return true;
 }

@@ -192,60 +209,26 @@ bool Daemon::parseStringList(const QJsonObject& obj, const QString& name,
  return true;
 }

-bool Daemon::addExclusionRoute(const QString &ifname, const QString &addr) {
-  IPAddress prefix(addr);
+bool Daemon::addExclusionRoute(const IPAddress& prefix) {
  if (m_excludedAddrSet.contains(prefix)) {
    m_excludedAddrSet[prefix]++;
    return true;
  }
-  WireguardUtils* wg = wgutilsFor(ifname);
-  if (!wg) wg = primaryWgutils();
-  if (!wg || !wg->addExclusionRoute(prefix)) {
+  if (!wgutils()->addExclusionRoute(prefix)) {
    return false;
  }
  m_excludedAddrSet[prefix] = 1;
  return true;
 }

-bool Daemon::delExclusionRoute(const QString &ifname, const QString &addr) {
-  IPAddress prefix(addr);
-  if (!m_excludedAddrSet.contains(prefix)) {
-    return false;
-  }
+bool Daemon::delExclusionRoute(const IPAddress& prefix) {
+  Q_ASSERT(m_excludedAddrSet.contains(prefix));
  if (m_excludedAddrSet[prefix] > 1) {
    m_excludedAddrSet[prefix]--;
    return true;
  }
  m_excludedAddrSet.remove(prefix);
-  WireguardUtils* wg = wgutilsFor(ifname);
-  if (!wg) wg = primaryWgutils();
-  return wg && wg->deleteExclusionRoute(prefix);
-}
-
-bool Daemon::addAllowedIp(const QString &ifname, const QString &prefix) {
-  WireguardUtils* wg = wgutilsFor(ifname);
-  return wg && wg->updateRoutePrefix(IPAddress(prefix));
-}
-
-bool Daemon::delAllowedIp(const QString &ifname, const QString &prefix) {
-  WireguardUtils* wg = wgutilsFor(ifname);
-  return wg && wg->deleteRoutePrefix(IPAddress(prefix));
-}
-
-bool Daemon::setTunnelResolvers(const QString &ifname, const QStringList &resolvers) {
-  WireguardUtils* wg = wgutilsFor(ifname);
-  if (!wg || !dnsutils()) {
-    return false;
-  }
-  QList<QHostAddress> hostAddrs;
-  for (const QString& r : resolvers) {
-    hostAddrs.append(QHostAddress(r));
-  }
-  return dnsutils()->updateResolvers(wg->interfaceName(), hostAddrs);
-}
-
-bool Daemon::restoreTunnelResolvers() {
-  return dnsutils() && dnsutils()->restoreResolvers();
+  return wgutils()->deleteExclusionRoute(prefix);
 }

 // static
@@ -457,16 +440,17 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {
  if (!obj.value("I5").isNull()) {
    config.m_specialJunk["I5"] = obj.value("I5").toString();
  }
-  config.m_ifname = obj.value("ifname").toString();

  return true;
 }

 bool Daemon::deactivate(bool emitSignals) {
-  const QString primary = m_primaryIfname;
+  Q_ASSERT(wgutils() != nullptr);

-  if (m_connections.contains(primary)) {
-    if (!run(Down, m_connections.value(primary).m_config)) {
+  // Deactivate the main interface.
+  if (!m_connections.isEmpty()) {
+    const ConnectionState& state = m_connections.first();
+    if (!run(Down, state.m_config)) {
      return false;
    }
  }
@@ -475,26 +459,31 @@ bool Daemon::deactivate(bool emitSignals) {
    emit disconnected();
  }

-  const QStringList ifnames = m_tunnels.keys();
-  for (const QString& ifname : ifnames) {
-    if (ifname != primary) {
-      deactivateTunnel(ifname);
-    }
+  // Cleanup DNS
+  if (!dnsutils()->restoreResolvers()) {
+    logger.warning() << "Failed to restore DNS resolvers.";
  }

-  if (auto* wg = primaryWgutils()) {
-    for (const IPAddress& prefix : m_excludedAddrSet.keys()) {
-      wg->deleteExclusionRoute(prefix);
+  // Cleanup peers and routing
+  for (const ConnectionState& state : m_connections) {
+    const InterfaceConfig& config = state.m_config;
+    logger.debug() << "Deleting routes for" << config.m_hopType;
+    for (const IPAddress& ip : config.m_allowedIPAddressRanges) {
+      wgutils()->deleteRoutePrefix(ip);
    }
+    wgutils()->deletePeer(config);
+  }
+
+  // Cleanup routing for excluded addresses.
+  for (auto iterator = m_excludedAddrSet.constBegin();
+       iterator != m_excludedAddrSet.constEnd(); ++iterator) {
+    wgutils()->deleteExclusionRoute(iterator.key());
  }
  m_excludedAddrSet.clear();

-  if (m_tunnels.contains(primary)) {
-    deactivateTunnel(primary);
-  }
-
-  m_activationTimer.stop();
-  return true;
+  m_connections.clear();
+  // Delete the interface
+  return wgutils()->deleteInterface();
 }

 QString Daemon::logs() {
@@ -503,18 +492,79 @@ QString Daemon::logs() {

 void Daemon::cleanLogs() { }

+bool Daemon::supportServerSwitching(const InterfaceConfig& config) const {
+  if (!m_connections.contains(config.m_hopType)) {
+    return false;
+  }
+  const InterfaceConfig& current =
+      m_connections.value(config.m_hopType).m_config;
+
+  return current.m_privateKey == config.m_privateKey &&
+         current.m_deviceIpv4Address == config.m_deviceIpv4Address &&
+         current.m_deviceIpv6Address == config.m_deviceIpv6Address &&
+         current.m_serverIpv4Gateway == config.m_serverIpv4Gateway &&
+         current.m_serverIpv6Gateway == config.m_serverIpv6Gateway;
+}
+
+bool Daemon::switchServer(const InterfaceConfig& config) {
+  Q_ASSERT(wgutils() != nullptr);
+
+  logger.debug() << "Switching server for" << config.m_hopType;
+
+  Q_ASSERT(m_connections.contains(config.m_hopType));
+  const InterfaceConfig& lastConfig =
+      m_connections.value(config.m_hopType).m_config;
+
+  // Configure routing for new excluded addresses.
+  for (const QString& i : config.m_excludedAddresses) {
+    addExclusionRoute(IPAddress(i));
+  }
+
+  // Activate the new peer and its routes.
+  if (!wgutils()->updatePeer(config)) {
+    logger.error() << "Server switch failed to update the wireguard interface";
+    return false;
+  }
+  for (const IPAddress& ip : config.m_allowedIPAddressRanges) {
+    if (!wgutils()->updateRoutePrefix(ip)) {
+      logger.error() << "Server switch failed to update the routing table";
+      break;
+    }
+  }
+
+  // Remove routing entries for the old peer.
+  for (const QString& i : lastConfig.m_excludedAddresses) {
+    delExclusionRoute(QHostAddress(i));
+  }
+  for (const IPAddress& ip : lastConfig.m_allowedIPAddressRanges) {
+    if (!config.m_allowedIPAddressRanges.contains(ip)) {
+      wgutils()->deleteRoutePrefix(ip);
+    }
+  }
+
+  // Remove the old peer if it is no longer necessary.
+  if (config.m_serverPublicKey != lastConfig.m_serverPublicKey) {
+    if (!wgutils()->deletePeer(lastConfig)) {
+      return false;
+    }
+  }
+
+  m_connections[config.m_hopType] = ConnectionState(config);
+  return true;
+}
+
 QJsonObject Daemon::getStatus() {
+  Q_ASSERT(wgutils() != nullptr);
  QJsonObject json;
  logger.debug() << "Status request";

-  WireguardUtils* wg = primaryWgutils();
-  if (!wg || !wg->interfaceExists() || !m_connections.contains(m_primaryIfname)) {
+  if (!wgutils()->interfaceExists() || m_connections.isEmpty()) {
    json.insert("connected", QJsonValue(false));
    return json;
  }

-  const ConnectionState& connection = m_connections.value(m_primaryIfname);
-  QList<WireguardUtils::PeerStatus> peers = wg->getPeerStatus();
+  const ConnectionState& connection = m_connections.first();
+  QList<WireguardUtils::PeerStatus> peers = wgutils()->getPeerStatus();
  for (const WireguardUtils::PeerStatus& status : peers) {
    if (status.m_pubkey != connection.m_config.m_serverPublicKey) {
      continue;
@@ -534,50 +584,38 @@ QJsonObject Daemon::getStatus() {
  return json;
 }

-void Daemon::checkActivations() {
-  const QDateTime now = QDateTime::currentDateTime();
-  QStringList timedOut;
-  bool anyPending = false;
+void Daemon::checkHandshake() {
+  Q_ASSERT(wgutils() != nullptr);

-  for (auto it = m_connections.begin(); it != m_connections.end(); ++it) {
-    const QString& ifname = it.key();
-    ConnectionState& cs = it.value();
-    if (cs.m_date.isValid()) {
-      continue;  // already handshaked
-    }
-    logger.debug() << "awaiting" << cs.m_config.m_serverPublicKey;
+  logger.debug() << "Checking for handshake...";

-    WireguardUtils* wg = m_tunnels.value(ifname);
-    bool handshaked = false;
-    if (wg) {
-      for (const WireguardUtils::PeerStatus& status : wg->getPeerStatus()) {
-        if (status.m_pubkey != cs.m_config.m_serverPublicKey) {
-          continue;
-        }
-        if (status.m_handshake != 0) {
-          cs.m_date.setMSecsSinceEpoch(status.m_handshake);
-          emit tunnelConnected(ifname, status.m_pubkey);
-          handshaked = true;
-        }
-      }
-    }
-    if (handshaked) {
+  int pendingHandshakes = 0;
+  QList<WireguardUtils::PeerStatus> peers = wgutils()->getPeerStatus();
+  for (ConnectionState& connection : m_connections) {
+    const InterfaceConfig& config = connection.m_config;
+    if (connection.m_date.isValid()) {
      continue;
    }
-    if (cs.m_deadline.isValid() && now > cs.m_deadline) {
-      timedOut.append(ifname);
-    } else {
-      anyPending = true;
+    logger.debug() << "awaiting" << config.m_serverPublicKey;
+
+    // Check if the handshake has completed.
+    for (const WireguardUtils::PeerStatus& status : peers) {
+      if (config.m_serverPublicKey != status.m_pubkey) {
+        continue;
+      }
+      if (status.m_handshake != 0) {
+        connection.m_date.setMSecsSinceEpoch(status.m_handshake);
+        emit connected(status.m_pubkey);
+      }
+    }
+
+    if (!connection.m_date.isValid()) {
+      pendingHandshakes++;
    }
  }

-  for (const QString& ifname : timedOut) {
-    logger.warning() << "Tunnel handshake timed out:" << m_tunnels.value(ifname)->interfaceName();
-    emit tunnelHandshakeFailed(ifname);
-    deactivateTunnel(ifname);
-  }
-
-  if (!anyPending) {
-    m_activationTimer.stop();
+  // Check again if there were connections that haven't completed a handshake.
+  if (pendingHandshakes > 0) {
+    m_handshakeTimer.start(HANDSHAKE_POLL_MSEC);
  }
 }
@@ -22,6 +22,7 @@ class Daemon : public QObject {
  enum Op {
    Up,
    Down,
+    Switch,
  };

  explicit Daemon(QObject* parent);
@@ -31,22 +32,10 @@ class Daemon : public QObject {

  static bool parseConfig(const QJsonObject& obj, InterfaceConfig& config);

-  bool activate(const QString& ifname, const InterfaceConfig& config);
-  bool setPrimary(const QString& ifname, const InterfaceConfig& config);
-  bool deactivateTunnel(const QString& ifname);
+  virtual bool activate(const InterfaceConfig& config);
  virtual bool deactivate(bool emitSignals = true);
  virtual QJsonObject getStatus();

-  bool addExclusionRoute(const QString &ifname, const QString &addr);
-  bool delExclusionRoute(const QString &ifname, const QString &addr);
-  bool addAllowedIp(const QString &ifname, const QString &prefix);
-  bool delAllowedIp(const QString &ifname, const QString &prefix);
-  bool setTunnelResolvers(const QString &ifname, const QStringList &resolvers);
-  bool restoreTunnelResolvers();
-
-  const QString& primaryIfname() const { return m_primaryIfname; }
-  WireguardUtils* wgutilsFor(const QString& ifname) const { return m_tunnels.value(ifname); }
-
  // Callback before any Activating measure is done
  virtual void prepareActivation(const InterfaceConfig& config, int inetAdapterIndex = 0) {
      Q_UNUSED(config)  };
@@ -57,15 +46,19 @@ class Daemon : public QObject {
  void cleanLogs();

 signals:
-  void tunnelConnected(const QString& ifname, const QString& pubkey);
-  void tunnelHandshakeFailed(const QString& ifname);
+  void connected(const QString& pubkey);
+  /**
+   * Can be fired if a call to activate() was unsucessfull
+   * and connected systems should rollback
+   */
+  void activationFailure();
  void disconnected();
  void backendFailure(DaemonError reason = DaemonError::ERROR_FATAL);

 private:
-  void checkActivations();
-  WireguardUtils* primaryWgutils() const { return m_tunnels.value(m_primaryIfname); }
-  QTimer m_activationTimer;
+  bool maybeUpdateResolvers(const InterfaceConfig& config);
+  bool addExclusionRoute(const IPAddress& address);
+  bool delExclusionRoute(const IPAddress& address);

 protected:
  virtual bool run(Op op, const InterfaceConfig& config) {
@@ -73,11 +66,9 @@ class Daemon : public QObject {
    Q_UNUSED(config);
    return true;
  }
-  virtual WireguardUtils* createWgUtils() = 0;
-
-  QMap<QString, WireguardUtils*> m_tunnels;
-  QString m_primaryIfname;
-
+  virtual bool supportServerSwitching(const InterfaceConfig& config) const;
+  virtual bool switchServer(const InterfaceConfig& config);
+  virtual WireguardUtils* wgutils() const = 0;
  virtual bool supportIPUtils() const { return false; }
  virtual IPUtils* iputils() { return nullptr; }
  virtual DnsUtils* dnsutils() { return nullptr; }
@@ -85,16 +76,18 @@ class Daemon : public QObject {
  static bool parseStringList(const QJsonObject& obj, const QString& name,
                              QStringList& list);

+  void checkHandshake();
+
  class ConnectionState {
   public:
    ConnectionState(){};
    ConnectionState(const InterfaceConfig& config) { m_config = config; }
    QDateTime m_date;
-    QDateTime m_deadline;
    InterfaceConfig m_config;
  };
-  QMap<QString, ConnectionState> m_connections;
+  QMap<InterfaceConfig::HopType, ConnectionState> m_connections;
  QHash<IPAddress, int> m_excludedAddrSet;
+  QTimer m_handshakeTimer;
 };

 #endif  // DAEMON_H
@@ -31,10 +31,8 @@ DaemonLocalServerConnection::DaemonLocalServerConnection(QObject* parent,
          &DaemonLocalServerConnection::readData);

  Daemon* daemon = Daemon::instance();
-  connect(daemon, &Daemon::tunnelConnected,
-          this, &DaemonLocalServerConnection::onTunnelConnected);
-  connect(daemon, &Daemon::tunnelHandshakeFailed,
-          this, &DaemonLocalServerConnection::onTunnelHandshakeFailed);
+  connect(daemon, &Daemon::connected, this,
+          &DaemonLocalServerConnection::connected);
  connect(daemon, &Daemon::disconnected, this,
          &DaemonLocalServerConnection::disconnected);
  connect(daemon, &Daemon::backendFailure, this,
@@ -109,44 +107,19 @@ void DaemonLocalServerConnection::parseCommand(const QByteArray& data) {
    InterfaceConfig config;
    if (!Daemon::parseConfig(obj, config)) {
      logger.error() << "Invalid configuration";
-      disconnected();
+      emit disconnected();
      return;
    }
-    if (!Daemon::instance()->activate(config.m_ifname, config)) {
+
+    if (!Daemon::instance()->activate(config)) {
      logger.error() << "Failed to activate the interface";
-      disconnected();
+      emit disconnected();
    }
    return;
  }

  if (type == "deactivate") {
-    const QString ifname = obj.value("ifname").toString();
-    if (!ifname.isEmpty()) {
-      Daemon::instance()->deactivateTunnel(ifname);
-    } else {
-      Daemon::instance()->deactivate(true);
-    }
-    return;
-  }
-
-  if (type == "setPrimary") {
-    InterfaceConfig config;
-    if (!Daemon::parseConfig(obj, config)) {
-      logger.error() << "setPrimary: invalid configuration";
-      return;
-    }
-    if (!Daemon::instance()->setPrimary(config.m_ifname, config)) {
-      logger.error() << "setPrimary failed";
-      QJsonObject reply;
-      reply.insert("type", "primaryFailed");
-      reply.insert("ifname", config.m_ifname);
-      write(reply);
-      return;
-    }
-    QJsonObject reply;
-    reply.insert("type", "primaryReady");
-    reply.insert("ifname", config.m_ifname);
-    write(reply);
+    Daemon::instance()->deactivate(true);
    return;
  }

@@ -173,19 +146,10 @@ void DaemonLocalServerConnection::parseCommand(const QByteArray& data) {
  logger.warning() << "Invalid command:" << type;
 }

-void DaemonLocalServerConnection::onTunnelConnected(const QString& ifname,
-                                                    const QString& pubkey) {
+void DaemonLocalServerConnection::connected(const QString& pubkey) {
  QJsonObject obj;
  obj.insert("type", "connected");
-  obj.insert("ifname", ifname);
-  obj.insert("pubkey", pubkey);
-  write(obj);
-}
-
-void DaemonLocalServerConnection::onTunnelHandshakeFailed(const QString& ifname) {
-  QJsonObject obj;
-  obj.insert("type", "disconnected");
-  obj.insert("ifname", ifname);
+  obj.insert("pubkey", QJsonValue(pubkey));
  write(obj);
 }

@@ -6,7 +6,6 @@
 #define DAEMONLOCALSERVERCONNECTION_H

 #include <QObject>
-#include <QString>

 #include "daemonerrors.h"

@@ -24,8 +23,7 @@ class DaemonLocalServerConnection final : public QObject {

  void parseCommand(const QByteArray& json);

-  void onTunnelConnected(const QString& ifname, const QString& pubkey);
-  void onTunnelHandshakeFailed(const QString& ifname);
+  void connected(const QString& pubkey);
  void disconnected();
  void backendFailure(DaemonError err);

@@ -62,8 +62,6 @@ QJsonObject InterfaceConfig::toJson() const {
  }
  json.insert("vpnDisabledApps", disabledApps);

-  json.insert("ifname", m_ifname);
-
  return json;
 }

@@ -13,8 +13,6 @@

 class QJsonObject;

-constexpr int ACTIVATION_TIMEOUT_MSEC = 30000;
-
 class InterfaceConfig {
  Q_GADGET

@@ -59,8 +57,6 @@ class InterfaceConfig {
  QString m_underloadPacketMagicHeader;
  QString m_transportPacketMagicHeader;
  QMap<QString, QString> m_specialJunk;
-  QString m_ifname;
-  bool m_deferAddressSetup = false;

  QJsonObject toJson() const;
  QString toWgConf(
@@ -14,6 +14,8 @@

 #include "interfaceconfig.h"

+constexpr const char* WG_INTERFACE = "amn0";
+
 constexpr uint16_t WG_KEEPALIVE_PERIOD = 60;

 class WireguardUtils : public QObject {
@@ -33,7 +35,7 @@ class WireguardUtils : public QObject {
  virtual ~WireguardUtils() = default;

  virtual bool interfaceExists() = 0;
-  virtual QString interfaceName() = 0;
+  virtual QString interfaceName() { return WG_INTERFACE; }
  virtual bool addInterface(const InterfaceConfig& config) = 0;
  virtual bool deleteInterface() = 0;

@@ -65,9 +65,12 @@
        <file>controls/text-cursor.svg</file>
        <file>controls/trash.svg</file>
        <file>controls/x-circle.svg</file>
-        <file>tray/active.png</file>
-        <file>tray/default.png</file>
-        <file>tray/error.png</file>
+        <file>tray/off-black.svg</file>
+        <file>tray/off-light.svg</file>
+        <file>tray/on-black.svg</file>
+        <file>tray/on-white.svg</file>
+        <file>tray/error-black.svg</file>
+        <file>tray/error-white.svg</file>
        <file>controls/monitor.svg</file>
    </qresource>
 </RCC>
@@ -1,6 +1,5 @@
 #include <QDebug>
 #include <QTimer>
-#include <QLocalSocket>
 #include <libssh/libssh.h>

 #include "amneziaApplication.h"
@@ -16,6 +15,10 @@
    #include "platforms/ios/QtAppDelegate-C-Interface.h"
 #endif

+#if defined(Q_OS_MAC) && !defined(MACOS_NE)
+    #include "platforms/macos/macosutils.h"
+#endif
+
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
 bool isAnotherInstanceRunning()
 {
@@ -47,6 +50,10 @@ int main(int argc, char *argv[])
    AmneziaApplication app(argc, argv);
    OsSignalHandler::setup();

+#if defined(Q_OS_MAC) && !defined(MACOS_NE)
+    MacOSUtils::patchNSStatusBarSetImageForBigSur();
+#endif
+
    ssh_init();
    QObject::connect(&app, &QCoreApplication::aboutToQuit, []() {
        ssh_finalize();
@@ -44,8 +44,6 @@ class ControllerImpl : public QObject {
  // "disconnecting" state until the "disconnected" signal is received.
  virtual void deactivate() = 0;

-  virtual void setPrimary(const QJsonObject& config) { Q_UNUSED(config) }
-
  // This method is used to retrieve the VPN tunnel status (mainly the number
  // of bytes sent and received). It's called always when the VPN tunnel is
  // active.
@@ -73,13 +71,11 @@ class ControllerImpl : public QObject {
  void initialized(bool status, bool connected,
                   const QDateTime& connectionDate);

+  // These 2 signals can be dispatched at any time.
  void connected(const QString& pubkey,
                 const QDateTime& connectionTimestamp = QDateTime());
  void disconnected();

-  void primaryReady();
-  void primaryFailed();
-
  // This method should be emitted after a checkStatus() call.
  // "serverIpv4Gateway" is the current VPN tunnel gateway.
  // "deviceIpv4Address" is the address of the VPN client.
@@ -39,8 +39,7 @@ namespace {
 Logger logger("LocalSocketController");
 }

-LocalSocketController::LocalSocketController(const QString& ifname)
-    : m_ifname(ifname) {
+LocalSocketController::LocalSocketController() {
  MZ_COUNT_CTOR(LocalSocketController);

  m_socket = new QLocalSocket(this);
@@ -122,8 +121,7 @@ void LocalSocketController::daemonConnected() {
  checkStatus();
 }

-QJsonObject LocalSocketController::buildActivateJson(const QJsonObject& rawConfig,
-                                                     const QString& ifname) {
+void LocalSocketController::activate(const QJsonObject &rawConfig) {
  QString protocolName = rawConfig.value("protocol").toString();

  int splitTunnelType = rawConfig.value("splitTunnelType").toInt();
@@ -136,9 +134,11 @@ QJsonObject LocalSocketController::buildActivateJson(const QJsonObject& rawConfi
  QJsonObject wgConfig = rawConfig.value(protocolName + "_config_data").toObject();

  QJsonObject json;
+  json.insert("type", "activate");
  //  json.insert("hopindex", QJsonValue((double)hop.m_hopindex));
  json.insert("privateKey", wgConfig.value(amnezia::configKey::clientPrivKey));
  json.insert("deviceIpv4Address", wgConfig.value(amnezia::configKey::clientIp));
+  m_deviceIpv4 = wgConfig.value(amnezia::configKey::clientIp).toString();

  // set up IPv6 unique-local-address, ULA, with "fd00::/8" prefix, not globally routable.
  // this will be default IPv6 gateway, OS recognizes that IPv6 link is local and switches to IPv4.
@@ -230,6 +230,7 @@ QJsonObject LocalSocketController::buildActivateJson(const QJsonObject& rawConfi
  json.insert("allowedIPAddressRanges", jsAllowedIPAddesses);

  QJsonArray jsExcludedAddresses;
+  jsExcludedAddresses.append(wgConfig.value(amnezia::configKey::hostName));
  if (splitTunnelType == 2) {
    for (auto v : splitTunnelSites) {
          QString ipRange = v.toString();
@@ -291,23 +292,6 @@ QJsonObject LocalSocketController::buildActivateJson(const QJsonObject& rawConfi
    json.insert(amnezia::configKey::specialJunk5, wgConfig.value(amnezia::configKey::specialJunk5));
  }

-  json.insert("ifname", ifname);
-  return json;
-}
-
-void LocalSocketController::activate(const QJsonObject& rawConfig) {
-  const QString protocolName = rawConfig.value("protocol").toString();
-  const QJsonObject wgConfig = rawConfig.value(protocolName + "_config_data").toObject();
-  m_deviceIpv4 = wgConfig.value(amnezia::configKey::clientIp).toString();
-
-  QJsonObject json = buildActivateJson(rawConfig, m_ifname);
-  json.insert("type", "activate");
-  write(json);
-}
-
-void LocalSocketController::setPrimary(const QJsonObject& rawConfig) {
-  QJsonObject json = buildActivateJson(rawConfig, m_ifname);
-  json.insert("type", "setPrimary");
  write(json);
 }

@@ -322,7 +306,6 @@ void LocalSocketController::deactivate() {

  QJsonObject json;
  json.insert("type", "deactivate");
-  json.insert("ifname", m_ifname);
  write(json);
  emit disconnected();
 }
@@ -488,20 +471,12 @@ void LocalSocketController::parseCommand(const QByteArray& command) {
    return;
  }

-  auto belongsToThisTunnel = [this, &obj]() {
-    const QJsonValue val = obj.value("ifname");
-    return !val.isString() || val.toString() == m_ifname;
-  };
-
  if (type == "disconnected") {
-    if (!belongsToThisTunnel()) return;
    disconnectInternal();
    return;
  }

  if (type == "connected") {
-    if (!belongsToThisTunnel()) return;
-
    QJsonValue pubkey = obj.value("pubkey");
    if (!pubkey.isString()) {
      logger.error() << "Unexpected pubkey value";
@@ -519,18 +494,6 @@ void LocalSocketController::parseCommand(const QByteArray& command) {
    return;
  }

-  if (type == "primaryReady") {
-    if (!belongsToThisTunnel()) return;
-    emit primaryReady();
-    return;
-  }
-
-  if (type == "primaryFailed") {
-    if (!belongsToThisTunnel()) return;
-    emit primaryFailed();
-    return;
-  }
-
  if (type == "backendFailure") {
    if (!obj.contains("errorCode")) {
      // report a generic error if we dont know what it is.
@@ -19,7 +19,7 @@ class LocalSocketController final : public ControllerImpl {
  Q_DISABLE_COPY_MOVE(LocalSocketController)

 public:
-  explicit LocalSocketController(const QString& ifname);
+  LocalSocketController();
  ~LocalSocketController();

  void initialize(const Device* device, const Keys* keys) override;
@@ -28,8 +28,6 @@ class LocalSocketController final : public ControllerImpl {

  void deactivate() override;

-  void setPrimary(const QJsonObject& rawConfig) override;
-
  void checkStatus() override;

  void getBackendLogs(std::function<void(const QString&)>&& callback) override;
@@ -38,10 +36,6 @@ class LocalSocketController final : public ControllerImpl {

  bool multihopSupported() override { return true; }

- public:
-  static QJsonObject buildActivateJson(const QJsonObject& rawConfig,
-                                       const QString& ifname);
-
 private:
  void initializeInternal();
  void disconnectInternal();
@@ -65,7 +59,6 @@ class LocalSocketController final : public ControllerImpl {

  QByteArray m_buffer;

-  QString m_ifname;
  QString m_deviceIpv4;
  std::function<void(const QString&)> m_logCallback = nullptr;

@@ -47,7 +47,7 @@ bool IPUtilsLinux::setMTUAndUp(const InterfaceConfig& config) {

  // Setup the interface to interact with
  struct ifreq ifr;
-  strncpy(ifr.ifr_name, config.m_ifname.toUtf8().constData(), IFNAMSIZ);
+  strncpy(ifr.ifr_name, WG_INTERFACE, IFNAMSIZ);

  // MTU
  // FIXME: We need to know how many layers deep this particular
@@ -76,7 +76,7 @@ bool IPUtilsLinux::addIP4AddressToDevice(const InterfaceConfig& config) {
  struct sockaddr_in* ifrAddr = (struct sockaddr_in*)&ifr.ifr_addr;

  // Name the interface and set family
-  strncpy(ifr.ifr_name, config.m_ifname.toUtf8().constData(), IFNAMSIZ);
+  strncpy(ifr.ifr_name, WG_INTERFACE, IFNAMSIZ);
  ifr.ifr_addr.sa_family = AF_INET;

  // Get the device address to add to interface
@@ -126,7 +126,7 @@ bool IPUtilsLinux::addIP6AddressToDevice(const InterfaceConfig& config) {

  // Get the index of named ifr and link with ifr6
  struct ifreq ifr;
-  strncpy(ifr.ifr_name, config.m_ifname.toUtf8().constData(), IFNAMSIZ);
+  strncpy(ifr.ifr_name, WG_INTERFACE, IFNAMSIZ);
  ifr.ifr_addr.sa_family = AF_INET6;
  int ret = ioctl(sockfd, SIOGIFINDEX, &ifr);
  if (ret) {
@@ -28,6 +28,7 @@ LinuxDaemon::LinuxDaemon() : Daemon(nullptr) {

    logger.debug() << "Daemon created";

+    m_wgutils = new WireguardUtilsLinux(this);
    m_dnsutils = new DnsUtilsLinux(this);
    m_iputils = new IPUtilsLinux(this);

@@ -49,4 +50,3 @@ LinuxDaemon* LinuxDaemon::instance() {
    Q_ASSERT(s_daemon);
    return s_daemon;
 }
-
@@ -12,6 +12,8 @@
 #include "wireguardutilslinux.h"

 class LinuxDaemon final : public Daemon {
+  friend class IPUtilsMacos;
+
 public:
  LinuxDaemon();
  ~LinuxDaemon();
@@ -19,15 +21,13 @@ class LinuxDaemon final : public Daemon {
  static LinuxDaemon* instance();

 protected:
+  WireguardUtils* wgutils() const override { return m_wgutils; }
  DnsUtils* dnsutils() override { return m_dnsutils; }
  bool supportIPUtils() const override { return true; }
  IPUtils* iputils() override { return m_iputils; }

-  WireguardUtils* createWgUtils() override {
-    return new WireguardUtilsLinux(this);
-  }
-
 private:
+  WireguardUtilsLinux* m_wgutils = nullptr;
  DnsUtilsLinux* m_dnsutils = nullptr;
  IPUtilsLinux* m_iputils = nullptr;
 };
@@ -193,8 +193,8 @@ QStringList LinuxFirewall::getDNSRules(const QStringList& servers)
    QStringList result;
    for (const QString& server : servers)
    {
-        result << QStringLiteral("-o amn+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
-        result << QStringLiteral("-o amn+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-o amn0+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-o amn0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
        result << QStringLiteral("-o tun0+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
        result << QStringLiteral("-o tun0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
        result << QStringLiteral("-o tun2+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
@@ -278,7 +278,7 @@ void LinuxFirewall::install()
                                                         });

    installAnchor(Both, QStringLiteral("200.allowVPN"), {
-                                                            QStringLiteral("-o amn+ -j ACCEPT"),
+                                                            QStringLiteral("-o amn0+ -j ACCEPT"),
                                                            QStringLiteral("-o tun0+ -j ACCEPT"),
                                                            QStringLiteral("-o tun2+ -j ACCEPT"),
                                                        });
@@ -37,6 +37,33 @@
 #include <QString>
 #include <QStringList>

+// Descriptor for a set of firewall rules to be appled.
+//
+struct FirewallParams
+{
+    QStringList dnsServers;
+    QVector<QString> excludeApps; // Apps to exclude if VPN exemptions are enabled
+    QStringList allowAddrs;
+    QStringList blockAddrs;
+    // The follow flags indicate which general rulesets are needed. Note that
+    // this is after some sanity filtering, i.e. an allow rule may be listed
+    // as not needed if there were no block rules preceding it. The rulesets
+    // should be thought of as in last-match order.
+
+    bool blockAll;      // Block all traffic by default
+    bool allowVPN;      // Exempt traffic through VPN tunnel
+    bool allowDHCP;     // Exempt DHCP traffic
+    bool blockIPv6;     // Block all IPv6 traffic
+    bool allowLAN;      // Exempt LAN traffic, including IPv6 LAN traffic
+    bool blockDNS;      // Block all DNS traffic except specified DNS servers
+    bool allowPIA;      // Exempt PIA executables
+    bool allowLoopback; // Exempt loopback traffic
+    bool allowHnsd;     // Exempt Handshake DNS traffic
+    bool allowVpnExemptions; // Exempt specified traffic from the tunnel (route it over the physical uplink instead)
+    bool allowNets;
+    bool blockNets;
+};
+
 class LinuxFirewall
 {
 public:
@@ -39,6 +39,8 @@ typedef struct wg_allowedip {
    struct wg_allowedip *next_allowedip;
 } wg_allowedip;

+constexpr const char* WG_INTERFACE = "amn0";
+
 static void nlmsg_append_attr(struct nlmsghdr* nlmsg, size_t maxlen,
                              int attrtype, const void* attrdata,
                              size_t attrlen);
@@ -53,8 +55,6 @@ LinuxRouteMonitor::LinuxRouteMonitor(const QString& ifname, QObject* parent)
  MZ_COUNT_CTOR(LinuxRouteMonitor);
  logger.debug() << "LinuxRouteMonitor created.";

-  m_physicalGateway = NetworkUtilities::getGatewayAndIface().first;
-
  m_nlsock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
  if (m_nlsock < 0) {
      logger.warning() << "Failed to create netlink socket:" << strerror(errno);
@@ -63,7 +63,7 @@ LinuxRouteMonitor::LinuxRouteMonitor(const QString& ifname, QObject* parent)
  struct sockaddr_nl nladdr;
  memset(&nladdr, 0, sizeof(nladdr));
  nladdr.nl_family = AF_NETLINK;
-  nladdr.nl_pid = 0;
+  nladdr.nl_pid = getpid();
  if (bind(m_nlsock, (struct sockaddr*)&nladdr, sizeof(nladdr)) != 0) {
      logger.warning() << "Failed to bind netlink socket:" << strerror(errno);
  }
@@ -153,7 +153,7 @@ bool LinuxRouteMonitor::rtmSendRoute(int action, int flags, int type,
    }

    if (rtm->rtm_type == RTN_UNICAST) {
-    int index = if_nametoindex(m_ifname.toUtf8().constData());
+    int index = if_nametoindex(WG_INTERFACE);

    if (index <= 0) {
        logger.error() << "if_nametoindex() failed:" << strerror(errno);
@@ -164,15 +164,14 @@ bool LinuxRouteMonitor::rtmSendRoute(int action, int flags, int type,
    }

    if (rtm->rtm_type == RTN_THROW) {
-    if (action == RTM_NEWROUTE) {
-        if (m_physicalGateway.isEmpty()) {
-            logger.warning() << "No physical gateway available, skipping exclusion route";
-            return false;
-        }
-        struct in_addr ip4;
-        inet_pton(AF_INET, m_physicalGateway.toUtf8(), &ip4);
-        nlmsg_append_attr(nlmsg, sizeof(buf), RTA_GATEWAY, &ip4, sizeof(ip4));
+    QString gateway = NetworkUtilities::getGatewayAndIface().first;
+    if (gateway.isEmpty()) {
+        logger.warning() << "No default gateway available, skipping exclusion route";
+        return false;
    }
+    struct in_addr ip4;
+    inet_pton(AF_INET, gateway.toUtf8(), &ip4);
+    nlmsg_append_attr(nlmsg, sizeof(buf), RTA_GATEWAY, &ip4, sizeof(ip4));
    nlmsg_append_attr32(nlmsg, sizeof(buf), RTA_PRIORITY, 0);
    rtm->rtm_type = RTN_UNICAST;
    }
@@ -32,7 +32,6 @@ class LinuxRouteMonitor final : public QObject {
  bool rtmSendRoute(int action, int flags, int type,
                    const IPAddress& prefix);
  QString m_ifname;
-  QString m_physicalGateway;
  unsigned int m_ifindex = 0;
  int m_nlsock = -1;
  int m_nlseq = 0;
@@ -8,15 +8,17 @@

 #include <QByteArray>
 #include <QDir>
-#include <QElapsedTimer>
 #include <QFile>
 #include <QLocalSocket>
 #include <QTimer>
 #include <QThread>

+#include "linuxfirewall.h"
 #include "leakdetector.h"
 #include "logger.h"

+#include "killswitch.h"
+
 constexpr const int WG_TUN_PROC_TIMEOUT = 5000;
 constexpr const char* WG_RUNTIME_DIR = "/var/run/amneziawg";

@@ -57,20 +59,19 @@ void WireguardUtilsLinux::tunnelErrorOccurred(QProcess::ProcessError error) {
 }

 bool WireguardUtilsLinux::addInterface(const InterfaceConfig& config) {
+    Q_UNUSED(config);
    if (m_tunnel.state() != QProcess::NotRunning) {
        logger.warning() << "Unable to start: tunnel process already running";
        return false;
    }

-    const QString ifname = config.m_ifname;
-
    QDir wgRuntimeDir(WG_RUNTIME_DIR);
    if (!wgRuntimeDir.exists()) {
        wgRuntimeDir.mkpath(".");
    }

    QProcessEnvironment pe = QProcessEnvironment::systemEnvironment();
-    QString wgNameFile = wgRuntimeDir.filePath(ifname + ".sock");
+    QString wgNameFile = wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".sock");
    pe.insert("WG_TUN_NAME_FILE", wgNameFile);
 #ifdef MZ_DEBUG
    pe.insert("LOG_LEVEL", "debug");
@@ -78,7 +79,7 @@ bool WireguardUtilsLinux::addInterface(const InterfaceConfig& config) {
    m_tunnel.setProcessEnvironment(pe);

    QDir appPath(QCoreApplication::applicationDirPath());
-    QStringList wgArgs = {"-f", ifname};
+    QStringList wgArgs = {"-f", "amn0"};
    m_tunnel.start(appPath.filePath("amneziawg-go"), wgArgs);
    if (!m_tunnel.waitForStarted(WG_TUN_PROC_TIMEOUT)) {
        logger.error() << "Unable to start tunnel process due to timeout";
@@ -146,6 +147,29 @@ bool WireguardUtilsLinux::addInterface(const InterfaceConfig& config) {
    int err = uapiErrno(uapiCommand(message));
    if (err != 0) {
        logger.error() << "Interface configuration failed:" << strerror(err);
+    } else {
+        if (config.m_killSwitchEnabled) {
+            FirewallParams params { };
+            params.dnsServers.append(config.m_primaryDnsServer);
+            if (!config.m_secondaryDnsServer.isEmpty()) {
+                params.dnsServers.append(config.m_secondaryDnsServer);
+            }
+            if (config.m_allowedIPAddressRanges.contains(IPAddress("0.0.0.0/0"))) {
+                params.blockAll = true;
+                if (config.m_excludedAddresses.size()) {
+                    params.allowNets = true;
+                    foreach (auto net, config.m_excludedAddresses) {
+                        params.allowAddrs.append(net.toUtf8());
+                    }
+                }
+            } else {
+                params.blockNets = true;
+                foreach (auto net, config.m_allowedIPAddressRanges) {
+                    params.blockAddrs.append(net.toString());
+                }
+            }
+            applyFirewallRules(params);
+        }
    }

    return (err == 0);
@@ -170,8 +194,10 @@ bool WireguardUtilsLinux::deleteInterface() {

    // Garbage collect.
    QDir wgRuntimeDir(WG_RUNTIME_DIR);
-    QFile::remove(wgRuntimeDir.filePath(m_ifname + ".name"));
+    QFile::remove(wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name"));

+    // double-check + ensure our firewall is installed and enabled
+    KillSwitch::instance()->disableKillSwitch();
    return true;
 }

@@ -208,6 +234,13 @@ bool WireguardUtilsLinux::updatePeer(const InterfaceConfig& config) {
        out << "allowed_ip=" << ip.toString() << "\n";
    }

+    // Exclude the server address, except for multihop exit servers.
+    if ((config.m_hopType != InterfaceConfig::MultiHopExit) &&
+        (m_rtmonitor != nullptr)) {
+        m_rtmonitor->addExclusionRoute(IPAddress(config.m_serverIpv4AddrIn));
+        m_rtmonitor->addExclusionRoute(IPAddress(config.m_serverIpv6AddrIn));
+    }
+
    int err = uapiErrno(uapiCommand(message));
    if (err != 0) {
        logger.error() << "Peer configuration failed:" << strerror(err);
@@ -219,6 +252,13 @@ bool WireguardUtilsLinux::deletePeer(const InterfaceConfig& config) {
    QByteArray publicKey =
        QByteArray::fromBase64(qPrintable(config.m_serverPublicKey));

+    // Clear exclustion routes for this peer.
+    if ((config.m_hopType != InterfaceConfig::MultiHopExit) &&
+        (m_rtmonitor != nullptr)) {
+        m_rtmonitor->deleteExclusionRoute(IPAddress(config.m_serverIpv4AddrIn));
+        m_rtmonitor->deleteExclusionRoute(IPAddress(config.m_serverIpv6AddrIn));
+    }
+
    QString message;
    QTextStream out(&message);
    out << "set=1\n";
@@ -298,7 +338,7 @@ bool WireguardUtilsLinux::deleteRoutePrefix(const IPAddress& prefix) {
        return false;
    }
    if (prefix.prefixLength() > 0) {
-        return m_rtmonitor->deleteRoute(prefix);
+        return m_rtmonitor->insertRoute(prefix);
    }

    // Ensure that we do not replace the default route.
@@ -349,9 +389,13 @@ bool WireguardUtilsLinux::excludeLocalNetworks(const QList<IPAddress>& routes) {

 QString WireguardUtilsLinux::uapiCommand(const QString& command) {
    QLocalSocket socket;
+    QTimer uapiTimeout;
    QDir wgRuntimeDir(WG_RUNTIME_DIR);
    QString wgSocketFile = wgRuntimeDir.filePath(m_ifname + ".sock");

+    uapiTimeout.setSingleShot(true);
+    uapiTimeout.start(WG_TUN_PROC_TIMEOUT);
+
    socket.connectToServer(wgSocketFile, QIODevice::ReadWrite);
    if (!socket.waitForConnected(WG_TUN_PROC_TIMEOUT)) {
        logger.error() << "QLocalSocket::waitForConnected() failed:"
@@ -366,15 +410,13 @@ QString WireguardUtilsLinux::uapiCommand(const QString& command) {
    }
    socket.write(message);

-    QElapsedTimer elapsed;
-    elapsed.start();
    QByteArray reply;
    while (!reply.contains("\n\n")) {
-        const qint64 remaining = WG_TUN_PROC_TIMEOUT - elapsed.elapsed();
-        if (remaining <= 0 || !socket.waitForReadyRead(static_cast<int>(remaining))) {
+        if (!uapiTimeout.isActive()) {
            logger.error() << "UAPI command timed out";
            return QString();
        }
+        QCoreApplication::processEvents(QEventLoop::AllEvents, 100);
        reply.append(socket.readAll());
    }

@@ -400,15 +442,45 @@ QString WireguardUtilsLinux::waitForTunnelName(const QString& filename) {
    timeout.setSingleShot(true);
    timeout.start(WG_TUN_PROC_TIMEOUT);

+    QFile file(filename);
+
    while ((m_tunnel.state() == QProcess::Running) && timeout.isActive()) {
        QCoreApplication::processEvents(QEventLoop::AllEvents, 100);
+        QString ifname = "amn0";

+        // Test-connect to the UAPI socket.
        QLocalSocket sock;
-        sock.connectToServer(filename, QIODevice::ReadWrite);
+        QDir wgRuntimeDir(WG_RUNTIME_DIR);
+        QString sockName = wgRuntimeDir.filePath(ifname + ".sock");
+        sock.connectToServer(sockName, QIODevice::ReadWrite);
        if (sock.waitForConnected(100)) {
-            return QFileInfo(filename).baseName();
+            return ifname;
        }
    }

    return QString();
 }
+
+void WireguardUtilsLinux::applyFirewallRules(FirewallParams& params)
+{
+    // double-check + ensure our firewall is installed and enabled
+    if (!LinuxFirewall::isInstalled()) LinuxFirewall::install();
+
+    // Note: rule precedence is handled inside IpTablesFirewall
+    LinuxFirewall::ensureRootAnchorPriority();
+
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("000.allowLoopback"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("100.blockAll"), params.blockAll);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), params.allowNets);
+    LinuxFirewall::updateAllowNets(params.allowAddrs);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("120.blockNets"), params.blockNets);
+    LinuxFirewall::updateBlockNets(params.blockAddrs);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("200.allowVPN"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv6, QStringLiteral("250.blockIPv6"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("290.allowDHCP"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("300.allowLAN"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("310.blockDNS"), true);
+    LinuxFirewall::updateDNSServers(params.dnsServers);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("320.allowDNS"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("400.allowPIA"), true);
+}
@@ -11,6 +11,7 @@

 #include "daemon/wireguardutils.h"
 #include "linuxroutemonitor.h"
+#include "linuxfirewall.h"


 class WireguardUtilsLinux final : public WireguardUtils {
@@ -39,6 +40,7 @@ public:

    bool excludeLocalNetworks(const QList<IPAddress>& lanAddressRanges) override;

+    void applyFirewallRules(FirewallParams& params);
 signals:
    void backendFailure();

@@ -0,0 +1,81 @@
+#include "linuxtrayiconbackend.h"
+
+#include "ui/utils/trayIconCommon.h"
+
+#include <QObject>
+
+namespace
+{
+
+    constexpr int kLinuxTrayIconSizes[] = { 16, 22, 24, 32, 48, 64, 128 };
+
+} // namespace
+
+LinuxTrayIconBackend::LinuxTrayIconBackend(QObject *parent) : m_trayIcon(parent)
+{
+}
+
+void LinuxTrayIconBackend::setMenu(QMenu *menu)
+{
+    m_trayIcon.setContextMenu(menu);
+}
+
+void LinuxTrayIconBackend::setToolTip(const QString &tooltip)
+{
+    m_trayIcon.setToolTip(tooltip);
+}
+
+void LinuxTrayIconBackend::show()
+{
+    m_trayIcon.show();
+}
+
+void LinuxTrayIconBackend::applyVisual(const TrayIconVisual &visual)
+{
+    if (m_hasLastVisual && visual.connectionState == m_lastState && visual.darkTheme == m_lastDarkTheme) {
+        return;
+    }
+
+    m_lastState = visual.connectionState;
+    m_lastDarkTheme = visual.darkTheme;
+    m_hasLastVisual = true;
+
+    const QIcon icon = buildTrayIcon(visual.connectionState, visual.darkTheme);
+    m_trayIcon.setIcon(icon);
+}
+
+void LinuxTrayIconBackend::showMessage(const QString &title, const QString &message, const TrayIconVisual &visual,
+                                       int timerMsec)
+{
+    m_trayIcon.showMessage(title, message,
+                           buildTrayIcon(Vpn::ConnectionState::Connected, visual.darkTheme),
+                           timerMsec);
+}
+
+void LinuxTrayIconBackend::rebuildMenu()
+{
+}
+
+void LinuxTrayIconBackend::setActivatedHandler(std::function<void(QSystemTrayIcon::ActivationReason)> handler)
+{
+    if (!handler) {
+        return;
+    }
+
+    QObject::connect(&m_trayIcon, &QSystemTrayIcon::activated, m_trayIcon.parent(),
+                     [handler](QSystemTrayIcon::ActivationReason reason) { handler(reason); });
+}
+
+QIcon LinuxTrayIconBackend::buildTrayIcon(Vpn::ConnectionState state, bool darkTheme) const
+{
+    QIcon icon;
+    for (int size : kLinuxTrayIconSizes) {
+        icon.addPixmap(TrayIconCommon::buildPixmap(size, state, darkTheme));
+    }
+    return icon;
+}
+
+std::unique_ptr<TrayIconBackend> createTrayIconBackend(QObject *parent)
+{
+    return std::make_unique<LinuxTrayIconBackend>(parent);
+}
@@ -0,0 +1,33 @@
+#ifndef LINUXTRAYICONBACKEND_H
+#define LINUXTRAYICONBACKEND_H
+
+#include "ui/utils/trayIconBackend.h"
+
+#include <QColor>
+#include <QIcon>
+#include <QString>
+#include <QSystemTrayIcon>
+
+class LinuxTrayIconBackend final : public TrayIconBackend
+{
+public:
+    explicit LinuxTrayIconBackend(QObject *parent);
+
+    void setMenu(QMenu *menu) override;
+    void setToolTip(const QString &tooltip) override;
+    void show() override;
+    void applyVisual(const TrayIconVisual &visual) override;
+    void showMessage(const QString &title, const QString &message, const TrayIconVisual &visual, int timerMsec) override;
+    void rebuildMenu() override;
+    void setActivatedHandler(std::function<void(QSystemTrayIcon::ActivationReason)> handler) override;
+
+private:
+    QIcon buildTrayIcon(Vpn::ConnectionState state, bool darkTheme) const;
+
+    QSystemTrayIcon m_trayIcon;
+    Vpn::ConnectionState m_lastState = Vpn::ConnectionState::Unknown;
+    bool m_lastDarkTheme = false;
+    bool m_hasLastVisual = false;
+};
+
+#endif // LINUXTRAYICONBACKEND_H
@@ -0,0 +1,24 @@
+#include "linuxtraytheme.h"
+
+#include "platforms/linux/linuxutils.h"
+#include "ui/utils/trayThemeChangeFilter.h"
+
+#include <QApplication>
+#include <QGuiApplication>
+#include <QObject>
+#include <QStyleHints>
+
+void LinuxTrayTheme::installThemeObserver(const std::function<void()> &onThemeChanged, QObject *parent)
+{
+    if (!onThemeChanged || !parent) {
+        return;
+    }
+
+    if (QStyleHints *styleHints = QGuiApplication::styleHints()) {
+        QObject::connect(styleHints, &QStyleHints::colorSchemeChanged, parent, [onThemeChanged]() { onThemeChanged(); });
+    }
+
+    qApp->installEventFilter(new TrayThemeChangeFilter(onThemeChanged, parent));
+
+    LinuxUtils::installThemeChangeObserver(onThemeChanged);
+}
@@ -0,0 +1,15 @@
+#ifndef LINUXTRAYTHEME_H
+#define LINUXTRAYTHEME_H
+
+#include <functional>
+
+class QObject;
+
+namespace LinuxTrayTheme
+{
+
+    void installThemeObserver(const std::function<void()> &onThemeChanged, QObject *parent);
+
+} // namespace LinuxTrayTheme
+
+#endif // LINUXTRAYTHEME_H
@@ -0,0 +1,128 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "linuxutils.h"
+
+#include <QApplication>
+#include <QDBusConnection>
+#include <QDBusVariant>
+#include <QGuiApplication>
+#include <QPalette>
+#include <QSettings>
+#include <QStyleHints>
+
+namespace {
+
+bool paletteSuggestsDarkTheme()
+{
+    const QPalette palette = QGuiApplication::palette();
+    const int windowLightness = palette.color(QPalette::Window).lightness();
+    const int textLightness = palette.color(QPalette::WindowText).lightness();
+
+    if (textLightness - windowLightness > 50) {
+        return true;
+    }
+    if (windowLightness - textLightness > 50) {
+        return false;
+    }
+
+    return windowLightness < 128;
+}
+
+class LinuxThemeObserver final : public QObject {
+    Q_OBJECT
+
+public:
+    explicit LinuxThemeObserver(std::function<void()> callback, QObject *parent = nullptr)
+        : QObject(parent)
+        , m_callback(std::move(callback))
+    {
+        QDBusConnection bus = QDBusConnection::sessionBus();
+        if (!bus.isConnected()) {
+            return;
+        }
+
+        bus.connect(QStringLiteral("org.freedesktop.portal.Desktop"),
+                    QStringLiteral("/org/freedesktop/portal/desktop"),
+                    QStringLiteral("org.freedesktop.portal.Settings"),
+                    QStringLiteral("SettingChanged"),
+                    this,
+                    SLOT(onPortalSettingChanged(QString, QString, QDBusVariant)));
+    }
+
+    void setCallback(std::function<void()> callback)
+    {
+        m_callback = std::move(callback);
+    }
+
+private slots:
+    void onPortalSettingChanged(const QString &namespaceName, const QString &key, const QDBusVariant &value)
+    {
+        Q_UNUSED(value);
+
+        if (namespaceName == QStringLiteral("org.freedesktop.appearance")
+            && key == QStringLiteral("color-scheme") && m_callback) {
+            m_callback();
+        }
+    }
+
+private:
+    std::function<void()> m_callback;
+};
+
+LinuxThemeObserver *g_themeObserver = nullptr;
+
+} // namespace
+
+bool LinuxUtils::isDarkTheme()
+{
+    if (QStyleHints *styleHints = QGuiApplication::styleHints()) {
+        switch (styleHints->colorScheme()) {
+        case Qt::ColorScheme::Dark:
+            return true;
+        case Qt::ColorScheme::Light:
+            return false;
+        case Qt::ColorScheme::Unknown:
+        default:
+            break;
+        }
+    }
+
+    QSettings settings(QSettings::IniFormat, QSettings::UserScope, QStringLiteral("gtk-3.0"),
+                       QStringLiteral("settings"));
+    const QString themeName = settings.value(QStringLiteral("gtk-theme-name")).toString();
+    if (themeName.contains(QStringLiteral("dark"), Qt::CaseInsensitive)) {
+        return true;
+    }
+    if (themeName.contains(QStringLiteral("light"), Qt::CaseInsensitive)) {
+        return false;
+    }
+
+    QSettings kdeSettings(QSettings::IniFormat, QSettings::UserScope, QStringLiteral("kdeglobals"));
+    const QString colorScheme = kdeSettings.value(QStringLiteral("General/ColorScheme")).toString();
+    if (colorScheme.contains(QStringLiteral("dark"), Qt::CaseInsensitive)) {
+        return true;
+    }
+    if (colorScheme.contains(QStringLiteral("light"), Qt::CaseInsensitive)) {
+        return false;
+    }
+
+    return paletteSuggestsDarkTheme();
+}
+
+void LinuxUtils::installThemeChangeObserver(std::function<void()> callback)
+{
+    if (!callback) {
+        return;
+    }
+
+    if (!g_themeObserver) {
+        g_themeObserver = new LinuxThemeObserver(std::move(callback), qApp);
+        return;
+    }
+
+    g_themeObserver->setCallback(std::move(callback));
+}
+
+#include "linuxutils.moc"
@@ -0,0 +1,19 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef LINUXUTILS_H
+#define LINUXUTILS_H
+
+#include <functional>
+
+class LinuxUtils final {
+ public:
+  static bool isDarkTheme();
+  static void installThemeChangeObserver(std::function<void()> callback);
+
+ private:
+  LinuxUtils() = default;
+};
+
+#endif  // LINUXUTILS_H
@@ -185,9 +185,6 @@ bool DnsUtilsMacos::restoreResolvers() {
 }

 void DnsUtilsMacos::backupService(const QString& uuid) {
-  if (m_prevServices.contains(uuid)) {
-    return;
-  }
  DnsBackup backup;
  CFStringRef path = CFStringCreateWithFormat(
      kCFAllocatorSystemDefault, nullptr,
@@ -39,12 +39,8 @@ bool IPUtilsMacos::addInterfaceIPs(const InterfaceConfig& config) {
 }

 bool IPUtilsMacos::setMTUAndUp(const InterfaceConfig& config) {
-  WireguardUtils* wg = MacOSDaemon::instance()->wgutilsFor(config.m_ifname);
-  if (!wg) {
-    logger.error() << "No wireguard interface for" << config.m_ifname;
-    return false;
-  }
-  QString ifname = wg->interfaceName();
+  Q_UNUSED(config);
+  QString ifname = MacOSDaemon::instance()->m_wgutils->interfaceName();
  struct ifreq ifr;

  // Create socket file descriptor to perform the ioctl operations on
@@ -84,12 +80,8 @@ bool IPUtilsMacos::setMTUAndUp(const InterfaceConfig& config) {
 }

 bool IPUtilsMacos::addIP4AddressToDevice(const InterfaceConfig& config) {
-  WireguardUtils* wg = MacOSDaemon::instance()->wgutilsFor(config.m_ifname);
-  if (!wg) {
-    logger.error() << "No wireguard interface for" << config.m_ifname;
-    return false;
-  }
-  QString ifname = wg->interfaceName();
+  Q_UNUSED(config);
+  QString ifname = MacOSDaemon::instance()->m_wgutils->interfaceName();
  struct ifaliasreq ifr;
  struct sockaddr_in* ifrAddr = (struct sockaddr_in*)&ifr.ifra_addr;
  struct sockaddr_in* ifrMask = (struct sockaddr_in*)&ifr.ifra_mask;
@@ -138,12 +130,8 @@ bool IPUtilsMacos::addIP4AddressToDevice(const InterfaceConfig& config) {
 }

 bool IPUtilsMacos::addIP6AddressToDevice(const InterfaceConfig& config) {
-  WireguardUtils* wg = MacOSDaemon::instance()->wgutilsFor(config.m_ifname);
-  if (!wg) {
-    logger.error() << "No wireguard interface for" << config.m_ifname;
-    return false;
-  }
-  QString ifname = wg->interfaceName();
+  Q_UNUSED(config);
+  QString ifname = MacOSDaemon::instance()->m_wgutils->interfaceName();
  struct in6_aliasreq ifr6;

  // Name the interface and set family
@@ -28,6 +28,7 @@ MacOSDaemon::MacOSDaemon() : Daemon(nullptr) {

  logger.debug() << "Daemon created";

+  m_wgutils = new WireguardUtilsMacos(this);
  m_dnsutils = new DnsUtilsMacos(this);
  m_iputils = new IPUtilsMacos(this);

@@ -49,4 +50,3 @@ MacOSDaemon* MacOSDaemon::instance() {
  Q_ASSERT(s_daemon);
  return s_daemon;
 }
-
@@ -11,6 +11,8 @@
 #include "wireguardutilsmacos.h"

 class MacOSDaemon final : public Daemon {
+  friend class IPUtilsMacos;
+
 public:
  MacOSDaemon();
  ~MacOSDaemon();
@@ -18,15 +20,13 @@ class MacOSDaemon final : public Daemon {
  static MacOSDaemon* instance();

 protected:
+  WireguardUtils* wgutils() const override { return m_wgutils; }
  DnsUtils* dnsutils() override { return m_dnsutils; }
  bool supportIPUtils() const override { return true; }
  IPUtils* iputils() override { return m_iputils; }

-  WireguardUtils* createWgUtils() override {
-    return new WireguardUtilsMacos(this);
-  }
-
 private:
+  WireguardUtilsMacos* m_wgutils = nullptr;
  DnsUtilsMacos* m_dnsutils = nullptr;
  IPUtilsMacos* m_iputils = nullptr;
 };
@@ -36,6 +36,35 @@
 #include <QString>
 #include <QStringList>

+// Descriptor for a set of firewall rules to be appled.
+//
+struct FirewallParams
+{
+    QStringList dnsServers;
+    QVector<QString> excludeApps; // Apps to exclude if VPN exemptions are enabled
+
+    QStringList allowAddrs;
+    QStringList blockAddrs;
+
+    // The follow flags indicate which general rulesets are needed. Note that
+    // this is after some sanity filtering, i.e. an allow rule may be listed
+    // as not needed if there were no block rules preceding it. The rulesets
+    // should be thought of as in last-match order.
+
+    bool blockAll;      // Block all traffic by default
+    bool blockNets;
+    bool allowNets;
+    bool allowVPN;      // Exempt traffic through VPN tunnel
+    bool allowDHCP;     // Exempt DHCP traffic
+    bool blockIPv6;     // Block all IPv6 traffic
+    bool allowLAN;      // Exempt LAN traffic, including IPv6 LAN traffic
+    bool blockDNS;      // Block all DNS traffic except specified DNS servers
+    bool allowPIA;      // Exempt PIA executables
+    bool allowLoopback; // Exempt loopback traffic
+    bool allowHnsd;     // Exempt Handshake DNS traffic
+    bool allowVpnExemptions; // Exempt specified traffic from the tunnel (route it over the physical uplink instead)
+};
+
 class MacOSFirewall
 {

@@ -51,6 +51,7 @@ MacosRouteMonitor::MacosRouteMonitor(const QString& ifname, QObject* parent)

 MacosRouteMonitor::~MacosRouteMonitor() {
  MZ_COUNT_DTOR(MacosRouteMonitor);
+  flushExclusionRoutes();
  if (m_rtsock >= 0) {
    close(m_rtsock);
  }
@@ -435,15 +436,7 @@ bool MacosRouteMonitor::rtmSendRoute(int action, const IPAddress& prefix,
    return true;
  }
  if ((action == RTM_ADD) && (errno == EEXIST)) {
-    rtm->rtm_type = RTM_DELETE;
-    rtm->rtm_seq = m_rtseq++;
-    write(m_rtsock, rtm, rtm->rtm_msglen);
-    rtm->rtm_type = RTM_ADD;
-    rtm->rtm_seq = m_rtseq++;
-    len = write(m_rtsock, rtm, rtm->rtm_msglen);
-    if (len == rtm->rtm_msglen) {
-      return true;
-    }
+    return true;
  }
  if ((action == RTM_DELETE) && (errno == ESRCH)) {
    return true;
@@ -9,7 +9,6 @@

 #include <QByteArray>
 #include <QDir>
-#include <QElapsedTimer>
 #include <QFile>
 #include <QLocalSocket>
 #include <QTimer>
@@ -17,6 +16,8 @@
 #include "leakdetector.h"
 #include "logger.h"

+#include "killswitch.h"
+
 constexpr const int WG_TUN_PROC_TIMEOUT = 5000;
 constexpr const char* WG_RUNTIME_DIR = "/var/run/amneziawg";

@@ -57,20 +58,19 @@ void WireguardUtilsMacos::tunnelErrorOccurred(QProcess::ProcessError error) {
 }

 bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
+  Q_UNUSED(config);
  if (m_tunnel.state() != QProcess::NotRunning) {
    logger.warning() << "Unable to start: tunnel process already running";
    return false;
  }

-  const QString ifname = config.m_ifname;
-
  QDir wgRuntimeDir(WG_RUNTIME_DIR);
  if (!wgRuntimeDir.exists()) {
    wgRuntimeDir.mkpath(".");
  }

  QProcessEnvironment pe = QProcessEnvironment::systemEnvironment();
-  QString wgNameFile = wgRuntimeDir.filePath(ifname + ".name");
+  QString wgNameFile = wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name");
  pe.insert("WG_TUN_NAME_FILE", wgNameFile);
 #ifdef MZ_DEBUG
  pe.insert("LOG_LEVEL", "debug");
@@ -92,7 +92,6 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
    m_tunnel.kill();
    return false;
  }
-  QFile::remove(wgNameFile);
  logger.debug() << "Created wireguard interface" << m_ifname;

  // Start the routing table monitor.
@@ -146,6 +145,30 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
  int err = uapiErrno(uapiCommand(message));
  if (err != 0) {
    logger.error() << "Interface configuration failed:" << strerror(err);
+  } else {
+    if (config.m_killSwitchEnabled) {
+      FirewallParams params { };
+      params.dnsServers.append(config.m_primaryDnsServer);
+      if (!config.m_secondaryDnsServer.isEmpty()) {
+          params.dnsServers.append(config.m_secondaryDnsServer);
+      }
+
+      if (config.m_allowedIPAddressRanges.contains(IPAddress("0.0.0.0/0"))) {
+          params.blockAll = true;
+          if (config.m_excludedAddresses.size()) {
+              params.allowNets = true;
+              foreach (auto net, config.m_excludedAddresses) {
+                  params.allowAddrs.append(net.toUtf8());
+              }
+          }
+      } else {
+          params.blockNets = true;
+          foreach (auto net, config.m_allowedIPAddressRanges) {
+              params.blockAddrs.append(net.toString());
+          }
+      }
+      applyFirewallRules(params);
+    }
  }
  return (err == 0);
 }
@@ -167,6 +190,13 @@ bool WireguardUtilsMacos::deleteInterface() {
    m_tunnel.waitForFinished(WG_TUN_PROC_TIMEOUT);
  }

+  // Garbage collect.
+  QDir wgRuntimeDir(WG_RUNTIME_DIR);
+  QFile::remove(wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name"));
+
+  // double-check + ensure our firewall is installed and enabled
+  KillSwitch::instance()->disableKillSwitch();
+
  return true;
 }

@@ -204,6 +234,13 @@ bool WireguardUtilsMacos::updatePeer(const InterfaceConfig& config) {
    out << "allowed_ip=" << ip.toString() << "\n";
  }

+  // Exclude the server address, except for multihop exit servers.
+  if ((config.m_hopType != InterfaceConfig::MultiHopExit) &&
+      (m_rtmonitor != nullptr)) {
+    m_rtmonitor->addExclusionRoute(IPAddress(config.m_serverIpv4AddrIn));
+    m_rtmonitor->addExclusionRoute(IPAddress(config.m_serverIpv6AddrIn));
+  }
+
  int err = uapiErrno(uapiCommand(message));
  if (err != 0) {
    logger.error() << "Peer configuration failed:" << strerror(err);
@@ -215,6 +252,13 @@ bool WireguardUtilsMacos::deletePeer(const InterfaceConfig& config) {
  QByteArray publicKey =
      QByteArray::fromBase64(qPrintable(config.m_serverPublicKey));

+  // Clear exclustion routes for this peer.
+  if ((config.m_hopType != InterfaceConfig::MultiHopExit) &&
+      (m_rtmonitor != nullptr)) {
+    m_rtmonitor->deleteExclusionRoute(IPAddress(config.m_serverIpv4AddrIn));
+    m_rtmonitor->deleteExclusionRoute(IPAddress(config.m_serverIpv6AddrIn));
+  }
+
  QString message;
  QTextStream out(&message);
  out << "set=1\n";
@@ -345,9 +389,13 @@ bool WireguardUtilsMacos::excludeLocalNetworks(const QList<IPAddress>& routes) {

 QString WireguardUtilsMacos::uapiCommand(const QString& command) {
  QLocalSocket socket;
+  QTimer uapiTimeout;
  QDir wgRuntimeDir(WG_RUNTIME_DIR);
  QString wgSocketFile = wgRuntimeDir.filePath(m_ifname + ".sock");

+  uapiTimeout.setSingleShot(true);
+  uapiTimeout.start(WG_TUN_PROC_TIMEOUT);
+
  socket.connectToServer(wgSocketFile, QIODevice::ReadWrite);
  if (!socket.waitForConnected(WG_TUN_PROC_TIMEOUT)) {
    logger.error() << "QLocalSocket::waitForConnected() failed:"
@@ -362,15 +410,13 @@ QString WireguardUtilsMacos::uapiCommand(const QString& command) {
  }
  socket.write(message);

-  QElapsedTimer elapsed;
-  elapsed.start();
  QByteArray reply;
  while (!reply.contains("\n\n")) {
-    const qint64 remaining = WG_TUN_PROC_TIMEOUT - elapsed.elapsed();
-    if (remaining <= 0 || !socket.waitForReadyRead(static_cast<int>(remaining))) {
+    if (!uapiTimeout.isActive()) {
      logger.error() << "UAPI command timed out";
      return QString();
    }
+    QCoreApplication::processEvents(QEventLoop::AllEvents, 100);
    reply.append(socket.readAll());
  }

@@ -417,3 +463,28 @@ QString WireguardUtilsMacos::waitForTunnelName(const QString& filename) {

  return QString();
 }
+
+void WireguardUtilsMacos::applyFirewallRules(FirewallParams& params)
+{
+  // double-check + ensure our firewall is installed and enabled. This is necessary as
+  // other software may disable pfctl before re-enabling with their own rules (e.g other VPNs)
+  if (!MacOSFirewall::isInstalled()) MacOSFirewall::install();
+
+  MacOSFirewall::ensureRootAnchorPriority();
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("000.allowLoopback"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("100.blockAll"), params.blockAll);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("110.allowNets"), params.allowNets);
+  MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), params.allowNets,
+                                QStringLiteral("allownets"), params.allowAddrs);
+
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("120.blockNets"), params.blockNets);
+  MacOSFirewall::setAnchorTable(QStringLiteral("120.blockNets"), params.blockNets,
+                                QStringLiteral("blocknets"), params.blockAddrs);
+
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("200.allowVPN"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("250.blockIPv6"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("290.allowDHCP"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("300.allowLAN"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("310.blockDNS"), true);
+  MacOSFirewall::setAnchorTable(QStringLiteral("310.blockDNS"), true, QStringLiteral("dnsaddr"), params.dnsServers);
+}
@@ -10,6 +10,7 @@

 #include "daemon/wireguardutils.h"
 #include "macosroutemonitor.h"
+#include "macosfirewall.h"

 class WireguardUtilsMacos final : public WireguardUtils {
  Q_OBJECT
@@ -37,6 +38,8 @@ class WireguardUtilsMacos final : public WireguardUtils {

  bool excludeLocalNetworks(const QList<IPAddress>& lanAddressRanges) override;

+  void applyFirewallRules(FirewallParams& params);
+
 signals:
  void backendFailure();

@@ -5,8 +5,12 @@
 #ifndef MACOSSTATUSICON_H
 #define MACOSSTATUSICON_H

+#include <QByteArray>
+#include <QColor>
 #include <QMenu>
 #include <QObject>
+#include <QPointer>
+#include <QString>

 class MacOSStatusIcon final : public QObject {
  Q_OBJECT
@@ -18,10 +22,14 @@ class MacOSStatusIcon final : public QObject {

 public:
  void setIcon(const QString& iconUrl);
-  void setIndicatorColor(const QColor& indicatorColor);
-  void setMenu(NSMenu* statusBarMenu);
+  void setIconFromData(const QByteArray& imageData, bool asTemplate = true);
+  void setMenu(QMenu* menu);
+  void rebuildNativeMenu();
  void setToolTip(const QString& tooltip);
  void showMessage(const QString& title, const QString& message);
+
+ private:
+  QPointer<QMenu> m_qtMenu;
 };

 #endif  // MACOSSTATUSICON_H
@@ -10,22 +10,38 @@
 #import <UserNotifications/UserNotifications.h>
 #import <QResource>

+#include <QAction>
+
+@interface MacOSStatusIconMenuTarget : NSObject {
+ @public
+  QAction* action;
+}
+- (void)triggerAction:(id)sender;
+@end
+
+@implementation MacOSStatusIconMenuTarget
+- (void)triggerAction:(id)sender {
+  Q_UNUSED(sender);
+  if (action) {
+    action->trigger();
+  }
+}
+@end
+
 /**
- * Creates a NSStatusItem with that can hold an icon. Additionally a NSView is
- * set as a subview to the button item of the status item. The view serves as
- * an indicator that can be displayed in color eventhough the icon is set as a
- * template. In that way we give the system control over it’s effective
- * appearance.
+ * Creates a NSStatusItem that holds the tray icon. The icon is set as a
+ * template image, so the system controls its effective appearance for the
+ * current menu bar theme. The connection status is baked into the artwork, so
+ * no separate colored indicator is drawn.
 */
@interface MacOSStatusIconDelegate : NSObject
@property(assign) NSStatusItem* statusItem;
-@property(assign) NSView* statusIndicator;
+@property(retain) NSMenu* nativeMenu;
+@property(retain) NSMutableArray* menuActionTargets;

- (void)setIcon:(NSData*)imageData;
- (void)setIndicator;
- (void)setIndicatorColor:(NSColor*)color;
- (void)setMenu:(NSMenu*)statusBarMenu;
+- (void)setIcon:(NSData*)imageData asTemplate:(BOOL)asTemplate;
 - (void)setToolTip:(NSString*)tooltip;
+- (void)rebuildMenuFromQMenu:(QMenu*)menu;
@end

@implementation MacOSStatusIconDelegate
@@ -36,58 +52,38 @@
 */
 - (id)init {
  self = [super init];
+  self.menuActionTargets = [[NSMutableArray alloc] init];

  // Create status item
  self.statusItem =
      [[[NSStatusBar systemStatusBar] statusItemWithLength:NSSquareStatusItemLength] retain];
  self.statusItem.visible = true;
-  // Add the indicator as a subview
-  [self setIndicator];

  return self;
 }

+- (void)dealloc {
+  self.nativeMenu = nil;
+  self.menuActionTargets = nil;
+  [super dealloc];
+}
+
 /**
 * Sets the image for the status icon.
 *
- * @param iconPath The data for the icon image.
+ * @param imageData The data for the icon image.
+ * @param asTemplate When true the icon is a template image recolored by the
+ *        system for the current menu bar appearance. When false the icon is
+ *        rendered in its original colors (used for the colored error icon).
 */
- (void)setIcon:(NSData*)imageData {
+- (void)setIcon:(NSData*)imageData asTemplate:(BOOL)asTemplate {
  NSImage* image = [[NSImage alloc] initWithData:imageData];
-  [image setTemplate:true];
+  [image setTemplate:asTemplate];

  [self.statusItem.button setImage:image];
  [image release];
 }

-/**
- * Adds status indicator as a subview to the status item button.
- */
- (void)setIndicator {
-  float viewHeight = NSHeight([self.statusItem.button bounds]);
-  float dotSize = viewHeight * 0.35;
-  float dotOrigin = (viewHeight - dotSize) * 0.8;
-
-  NSView* dot = [[NSView alloc] initWithFrame:NSMakeRect(dotOrigin, dotOrigin, dotSize, dotSize)];
-  self.statusIndicator = dot;
-  self.statusIndicator.wantsLayer = true;
-  self.statusIndicator.layer.cornerRadius = dotSize * 0.5;
-
-  [self.statusItem.button addSubview:self.statusIndicator];
-  [dot release];
-}
-
-/**
- * Sets the color if the indicator.
- *
- * @param color The indicator background color.
- */
- (void)setIndicatorColor:(NSColor*)color {
-  if (self.statusIndicator) {
-    self.statusIndicator.layer.backgroundColor = color.CGColor;
-  }
-}
-
 /**
 * Sets the status bar menu to the status item.
 *
@@ -105,6 +101,44 @@
 - (void)setToolTip:(NSString*)tooltip {
  [self.statusItem.button setToolTip:tooltip];
 }
+
+- (void)rebuildMenuFromQMenu:(QMenu*)menu {
+  [self.menuActionTargets removeAllObjects];
+
+  if (self.nativeMenu) {
+    [self.statusItem setMenu:nil];
+    self.nativeMenu = nil;
+  }
+
+  if (!menu) {
+    return;
+  }
+
+  NSMenu* nsMenu = [[NSMenu alloc] initWithTitle:@""];
+  for (QAction* action : menu->actions()) {
+    if (action->isSeparator()) {
+      [nsMenu addItem:[NSMenuItem separatorItem]];
+      continue;
+    }
+
+    MacOSStatusIconMenuTarget* target = [[MacOSStatusIconMenuTarget alloc] init];
+    target->action = action;
+    [self.menuActionTargets addObject:target];
+    [target release];
+
+    NSMenuItem* item = [[NSMenuItem alloc] initWithTitle:action->text().toNSString()
+                                                  action:@selector(triggerAction:)
+                                           keyEquivalent:@""];
+    [item setTarget:target];
+    [item setEnabled:action->isEnabled()];
+    [item setHidden:!action->isVisible()];
+    [nsMenu addItem:item];
+    [item release];
+  }
+
+  self.nativeMenu = nsMenu;
+  [self.statusItem setMenu:nsMenu];
+}
@end

 namespace {
@@ -138,27 +172,31 @@ void MacOSStatusIcon::setIcon(const QString& iconPath) {
  QResource imageResource = QResource(iconPath);
  Q_ASSERT(imageResource.isValid());

-  [m_statusBarIcon setIcon:imageResource.uncompressedData().toNSData()];
+  [m_statusBarIcon setIcon:imageResource.uncompressedData().toNSData() asTemplate:true];
 }

-void MacOSStatusIcon::setIndicatorColor(const QColor& indicatorColor) {
-  logger.debug() << "Set indicator color";
+void MacOSStatusIcon::setIconFromData(const QByteArray& imageData, bool asTemplate) {
+  logger.debug() << "Set icon from rendered data";

-  if (!indicatorColor.isValid()) {
-    [m_statusBarIcon setIndicatorColor:[NSColor clearColor]];
+  if (imageData.isEmpty()) {
    return;
  }

-  NSColor* color = [NSColor colorWithCalibratedRed:indicatorColor.red() / 255.0f
-                                             green:indicatorColor.green() / 255.0f
-                                              blue:indicatorColor.blue() / 255.0f
-                                             alpha:indicatorColor.alpha() / 255.0f];
-  [m_statusBarIcon setIndicatorColor:color];
+  NSData* data = [NSData dataWithBytes:imageData.constData() length:imageData.size()];
+  [m_statusBarIcon setIcon:data asTemplate:asTemplate];
 }

-void MacOSStatusIcon::setMenu(NSMenu* statusBarMenu) {
-  logger.debug() << "Set menu";
-  [m_statusBarIcon setMenu:statusBarMenu];
+void MacOSStatusIcon::setMenu(QMenu* menu) {
+  m_qtMenu = menu;
+  rebuildNativeMenu();
+
+  if (menu) {
+    connect(menu, &QMenu::aboutToShow, this, [this]() { rebuildNativeMenu(); });
+  }
+}
+
+void MacOSStatusIcon::rebuildNativeMenu() {
+  [m_statusBarIcon rebuildMenuFromQMenu:m_qtMenu.data()];
 }

 void MacOSStatusIcon::setToolTip(const QString& tooltip) {
@@ -174,7 +212,7 @@ void MacOSStatusIcon::showMessage(const QString& title, const QString& message)
  // This is a no-op is authorization has been granted.
  [center requestAuthorizationWithOptions:(UNAuthorizationOptionSound | UNAuthorizationOptionAlert |
                                           UNAuthorizationOptionBadge)
-                        completionHandler:^(BOOL granted, NSError* _Nullable error) {
+                        completionHandler:^(__unused BOOL granted, NSError* _Nullable error) {
                          if (error) {
                            // Note: This error may happen if the application is not signed.
                            NSLog(@"Error asking for permission to send notifications %@", error);
@@ -8,6 +8,8 @@
 #include <QObject>
 #include <QString>

+#include <functional>
+
 class MacOSUtils final {
 public:
  static NSString* appId();
@@ -23,6 +25,9 @@ class MacOSUtils final {
  static void showDockIcon();

  static void patchNSStatusBarSetImageForBigSur();
+
+  static bool isDarkTheme();
+  static void installInterfaceThemeObserver(std::function<void()> callback);
 };

 #endif  // MACOSUTILS_H
@@ -137,6 +137,30 @@ void MacOSUtils::showDockIcon() {
 * Original bug (and sample implementation):
 * https://bugreports.qt.io/browse/QTBUG-88600
 */
+bool MacOSUtils::isDarkTheme() {
+  if (@available(macOS 10.14, *)) {
+    NSAppearanceName appearanceName = [[NSApp effectiveAppearance] name];
+    return appearanceName && [appearanceName isEqualToString:NSAppearanceNameDarkAqua];
+  }
+  return false;
+}
+
+void MacOSUtils::installInterfaceThemeObserver(std::function<void()> callback) {
+  if (!callback) {
+    return;
+  }
+
+  const std::function<void()> themeCallback = std::move(callback);
+
+  NSDistributedNotificationCenter *center = [NSDistributedNotificationCenter defaultCenter];
+  [center addObserverForName:@"AppleInterfaceThemeChangedNotification"
+                      object:nil
+                       queue:[NSOperationQueue mainQueue]
+                  usingBlock:^(__unused NSNotification *notification) {
+                    themeCallback();
+                  }];
+}
+
 void MacOSUtils::patchNSStatusBarSetImageForBigSur() {
  Method original = class_getInstanceMethod([NSStatusBarButton class], @selector(setImage:));
  Method patched = class_getInstanceMethod([NSStatusBarButton class], @selector(setImagePatched:));
@@ -0,0 +1,25 @@
+#ifndef MACTRAYICONBACKEND_H
+#define MACTRAYICONBACKEND_H
+
+#include "ui/utils/trayIconBackend.h"
+
+#include "macosstatusicon.h"
+
+class MacTrayIconBackend final : public TrayIconBackend
+{
+public:
+    explicit MacTrayIconBackend(QObject *parent);
+
+    void setMenu(QMenu *menu) override;
+    void setToolTip(const QString &tooltip) override;
+    void show() override;
+    void applyVisual(const TrayIconVisual &visual) override;
+    void showMessage(const QString &title, const QString &message, const TrayIconVisual &visual, int timerMsec) override;
+    void rebuildMenu() override;
+    void setActivatedHandler(std::function<void(QSystemTrayIcon::ActivationReason)> handler) override;
+
+private:
+    MacOSStatusIcon m_statusIcon;
+};
+
+#endif // MACTRAYICONBACKEND_H
@@ -0,0 +1,55 @@
+#include "mactrayiconbackend.h"
+
+#include "ui/utils/trayIconCommon.h"
+
+MacTrayIconBackend::MacTrayIconBackend(QObject *parent)
+    : m_statusIcon(parent)
+{
+}
+
+void MacTrayIconBackend::setMenu(QMenu *menu)
+{
+    m_statusIcon.setMenu(menu);
+}
+
+void MacTrayIconBackend::setToolTip(const QString &tooltip)
+{
+    m_statusIcon.setToolTip(tooltip);
+}
+
+void MacTrayIconBackend::show()
+{
+}
+
+void MacTrayIconBackend::applyVisual(const TrayIconVisual &visual)
+{
+    if (TrayIconCommon::isColoredState(visual.connectionState)) {
+        // Error icon carries a red badge: render it in color, not as a template.
+        m_statusIcon.setIconFromData(TrayIconCommon::buildColorPng(visual.connectionState, visual.darkTheme),
+                                     /*asTemplate*/ false);
+    } else {
+        m_statusIcon.setIconFromData(TrayIconCommon::buildTemplatePng(visual.connectionState), /*asTemplate*/ true);
+    }
+}
+
+void MacTrayIconBackend::showMessage(const QString &title, const QString &message, const TrayIconVisual &visual, int timerMsec)
+{
+    Q_UNUSED(visual);
+    Q_UNUSED(timerMsec);
+    m_statusIcon.showMessage(title, message);
+}
+
+void MacTrayIconBackend::rebuildMenu()
+{
+    m_statusIcon.rebuildNativeMenu();
+}
+
+void MacTrayIconBackend::setActivatedHandler(std::function<void(QSystemTrayIcon::ActivationReason)> handler)
+{
+    Q_UNUSED(handler);
+}
+
+std::unique_ptr<TrayIconBackend> createTrayIconBackend(QObject *parent)
+{
+    return std::make_unique<MacTrayIconBackend>(parent);
+}
@@ -0,0 +1,10 @@
+#include "mactraytheme.h"
+
+#include <QObject>
+
+void MacTrayTheme::installThemeObserver(const std::function<void()> &onThemeChanged, QObject *parent)
+{
+    Q_UNUSED(onThemeChanged);
+    Q_UNUSED(parent);
+    // macOS template tray icons follow the menu bar appearance automatically.
+}
@@ -0,0 +1,15 @@
+#ifndef MACTRAYTHEME_H
+#define MACTRAYTHEME_H
+
+#include <functional>
+
+class QObject;
+
+namespace MacTrayTheme
+{
+
+    void installThemeObserver(const std::function<void()> &onThemeChanged, QObject *parent);
+
+} // namespace MacTrayTheme
+
+#endif // MACTRAYTHEME_H
@@ -35,8 +35,14 @@ WindowsDaemon::WindowsDaemon() : Daemon(nullptr) {
  m_firewallManager = WindowsFirewall::create(this);
  Q_ASSERT(m_firewallManager != nullptr);

+  m_wgutils = WireguardUtilsWindows::create(m_firewallManager, this);
  m_dnsutils = new DnsUtilsWindows(this);
  m_splitTunnelManager = WindowsSplitTunnel::create(m_firewallManager);
+
+  connect(m_wgutils.get(), &WireguardUtilsWindows::backendFailure, this,
+          &WindowsDaemon::monitorBackendFailure);
+  connect(this, &WindowsDaemon::activationFailure,
+          [this]() { m_firewallManager->disableKillSwitch(); });
 }

 WindowsDaemon::~WindowsDaemon() {
@@ -106,11 +112,3 @@ void WindowsDaemon::monitorBackendFailure() {
  emit backendFailure();
  deactivate();
 }
-
-WireguardUtils* WindowsDaemon::createWgUtils() {
-  auto utils = WireguardUtilsWindows::create(m_firewallManager, this);
-  if (!utils) return nullptr;
-  connect(utils.get(), &WireguardUtilsWindows::backendFailure, this,
-          &WindowsDaemon::monitorBackendFailure);
-  return utils.release();
-}
@@ -28,8 +28,8 @@ class WindowsDaemon final : public Daemon {

 protected:
  bool run(Op op, const InterfaceConfig& config) override;
+  WireguardUtils* wgutils() const override { return m_wgutils.get(); }
  DnsUtils* dnsutils() override { return m_dnsutils; }
-  WireguardUtils* createWgUtils() override;

 private:
  void monitorBackendFailure();
@@ -42,6 +42,7 @@ class WindowsDaemon final : public Daemon {

  int m_inetAdapterIndex = -1;

+  std::unique_ptr<WireguardUtilsWindows> m_wgutils;
  DnsUtilsWindows* m_dnsutils = nullptr;
  std::unique_ptr<WindowsSplitTunnel> m_splitTunnelManager;
  QPointer<WindowsFirewall> m_firewallManager;
@@ -37,14 +37,11 @@ int WindowsDaemonTunnel::run(QStringList& tokens) {
  QCoreApplication::setApplicationName("Amnezia VPN Tunnel");
  QCoreApplication::setApplicationVersion(Constants::versionString());

-  if (tokens.length() < 2 || tokens.length() > 3) {
-    logger.error() << "Expected: <config> [<ifname>]";
+  if (tokens.length() != 2) {
+    logger.error() << "Expected 1 parameter only: the config file.";
    return 1;
  }
  QString maybeConfig = tokens.at(1);
-  QString name = tokens.length() == 3 && !tokens.at(2).isEmpty()
-                     ? tokens.at(2)
-                     : WireguardUtilsWindows::s_defaultInterfaceName();

  if (!maybeConfig.startsWith("[Interface]")) {
    logger.error() << "parameter Does not seem to be a config";
@@ -67,6 +64,7 @@ int WindowsDaemonTunnel::run(QStringList& tokens) {
    WindowsUtils::windowsLog("Failed to get WireGuardTunnelService function");
    return 1;
  }
+  auto name = WireguardUtilsWindows::s_interfaceName();
  if (!tunnelProc(maybeConfig.utf16(), name.utf16())) {
    logger.error() << "Failed to activate the tunnel service";
    return 1;
@@ -159,7 +159,7 @@ bool WindowsFirewall::initSublayer() {
  return true;
 }

-bool WindowsFirewall::enableInterface(int vpnAdapterIndex, const QString& ifname) {
+bool WindowsFirewall::enableInterface(int vpnAdapterIndex) {
 // Checks if the FW_Rule was enabled succesfully,
 // disables the whole killswitch and returns false if not.
 #define FW_OK(rule)                                                       \
@@ -182,39 +182,31 @@ bool WindowsFirewall::enableInterface(int vpnAdapterIndex, const QString& ifname
    }                                                                     \
  }

-  logger.info() << "Enabling Killswitch Using Adapter:" << vpnAdapterIndex
-                << "ifname:" << ifname;
-
-  QList<uint64_t>& perTunnel = ifname.isEmpty() ? m_globalRules
-                                                : m_tunnelRules[ifname];
-  if (vpnAdapterIndex < 0) {
+  logger.info() << "Enabling Killswitch Using Adapter:" << vpnAdapterIndex;
+  if (vpnAdapterIndex < 0)
+  {
    IPAddress allv4("0.0.0.0/0");
-    if (!blockTrafficTo(allv4, MED_WEIGHT, "Block Internet", perTunnel)) {
-      return false;
+    if (!blockTrafficTo(allv4, MED_WEIGHT,
+                        "Block Internet", "killswitch")) {
+        return false;
    }
    IPAddress allv6("::/0");
-    if (!blockTrafficTo(allv6, MED_WEIGHT, "Block Internet", perTunnel)) {
+    if (!blockTrafficTo(allv6, MED_WEIGHT,
+                        "Block Internet", "killswitch")) {
      return false;
    }
-  } else {
-    FW_OK(allowTrafficOfAdapter(vpnAdapterIndex, MED_WEIGHT,
-                                "Allow usage of VPN Adapter", perTunnel));
-  }
+  } else
+  FW_OK(allowTrafficOfAdapter(vpnAdapterIndex, MED_WEIGHT,
+                                  "Allow usage of VPN Adapter"));
+  FW_OK(allowDHCPTraffic(MED_WEIGHT, "Allow DHCP Traffic"));
+  FW_OK(allowHyperVTraffic(MAX_WEIGHT, "Allow Hyper-V Traffic"));
+  FW_OK(allowTrafficForAppOnAll(getCurrentPath(), MAX_WEIGHT,
+                                "Allow all for AmneziaVPN.exe"));
+  FW_OK(blockTrafficOnPort(53, MED_WEIGHT, "Block all DNS"));
+  FW_OK(allowLoopbackTraffic(MED_WEIGHT,
+                             "Allow Loopback traffic on device %1"));

-  if (m_globalRules.isEmpty()) {
-    FW_OK(allowDHCPTraffic(MED_WEIGHT, "Allow DHCP Traffic", m_globalRules));
-    FW_OK(allowHyperVTraffic(MAX_WEIGHT, "Allow Hyper-V Traffic", m_globalRules));
-    FW_OK(allowTrafficForAppOnAll(getCurrentPath(), MAX_WEIGHT,
-                                  "Allow all for AmneziaVPN.exe", m_globalRules));
-    FW_OK(blockTrafficOnPort(53, MED_WEIGHT, "Block all DNS", m_globalRules));
-    FW_OK(allowLoopbackTraffic(MED_WEIGHT,
-                               "Allow Loopback traffic on device %1",
-                               m_globalRules));
-  }
-
-  logger.debug() << "Killswitch on! Globals:" << m_globalRules.length()
-                 << "Tunnel[" << ifname
-                 << "]:" << m_tunnelRules.value(ifname).length();
+  logger.debug() << "Killswitch on! Rules:" << m_activeRules.length();
  return true;
 #undef FW_OK
 }
@@ -234,8 +226,7 @@ bool WindowsFirewall::enableLanBypass(const QList<IPAddress>& ranges) {

  // Blocking unprotected traffic
  for (const IPAddress& prefix : ranges) {
-    if (!allowTrafficTo(prefix, LOW_WEIGHT + 1, "Allow LAN bypass traffic",
-                        m_globalRules)) {
+    if (!allowTrafficTo(prefix, LOW_WEIGHT + 1, "Allow LAN bypass traffic")) {
      return false;
    }
  }
@@ -251,10 +242,7 @@ bool WindowsFirewall::enableLanBypass(const QList<IPAddress>& ranges) {
 }

 // Allow unprotected traffic sent to the following address ranges.
-bool WindowsFirewall::allowTrafficRange(const QStringList& ranges, const QString& ifname) {
-  QList<uint64_t>& target = ifname.isEmpty() ? m_globalRules
-                                             : m_tunnelRules[ifname];
-
+bool WindowsFirewall::allowTrafficRange(const QStringList& ranges) {
  // Start the firewall transaction
  auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
  if (result != ERROR_SUCCESS) {
@@ -267,9 +255,8 @@ bool WindowsFirewall::allowTrafficRange(const QStringList& ranges, const QString
  });

  for (const QString& addr : ranges) {
-    logger.debug() << "Allow killswitch exclude: " << addr << "ifname:" << ifname;
-    if (!allowTrafficTo(QHostAddress(addr), HIGH_WEIGHT,
-                        "Allow killswitch bypass traffic", target)) {
+    logger.debug() << "Allow killswitch exclude: " << addr;
+    if (!allowTrafficTo(QHostAddress(addr), HIGH_WEIGHT, "Allow killswitch bypass traffic")) {
      return false;
    }
  }
@@ -286,10 +273,6 @@ bool WindowsFirewall::allowTrafficRange(const QStringList& ranges, const QString


 bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
-  QList<uint64_t>& target = config.m_ifname.isEmpty()
-                              ? m_globalRules
-                              : m_tunnelRules[config.m_ifname];
-
  // Start the firewall transaction
  auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
  if (result != ERROR_SUCCESS) {
@@ -305,12 +288,12 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
  logger.info() << "Enabling traffic for peer"
                << config.m_serverPublicKey;
  if (!blockTrafficTo(config.m_allowedIPAddressRanges, LOW_WEIGHT,
-                      "Block Internet", target)) {
+                      "Block Internet", config.m_serverPublicKey)) {
    return false;
  }
  if (!config.m_primaryDnsServer.isEmpty()) {
    if (!allowTrafficTo(QHostAddress(config.m_primaryDnsServer), 53, HIGH_WEIGHT,
-                        "Allow DNS-Server", target)) {
+                        "Allow DNS-Server", config.m_serverPublicKey)) {
      return false;
    }
    // In some cases, we might configure a 2nd DNS server for IPv6, however
@@ -319,7 +302,7 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
    if (config.m_primaryDnsServer == config.m_serverIpv4Gateway) {
      if (!allowTrafficTo(QHostAddress(config.m_serverIpv6Gateway), 53,
                          HIGH_WEIGHT, "Allow extra IPv6 DNS-Server",
-                          target)) {
+                          config.m_serverPublicKey)) {
        return false;
      }
    }
@@ -327,7 +310,7 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {

  if (!config.m_secondaryDnsServer.isEmpty()) {
    if (!allowTrafficTo(QHostAddress(config.m_secondaryDnsServer), 53, HIGH_WEIGHT,
-                        "Allow DNS-Server", target)) {
+                        "Allow DNS-Server", config.m_serverPublicKey)) {
      return false;
    }
    // In some cases, we might configure a 2nd DNS server for IPv6, however
@@ -336,7 +319,7 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
    if (config.m_secondaryDnsServer == config.m_serverIpv4Gateway) {
      if (!allowTrafficTo(QHostAddress(config.m_serverIpv6Gateway), 53,
                          HIGH_WEIGHT, "Allow extra IPv6 DNS-Server",
-                          target)) {
+                          config.m_serverPublicKey)) {
        return false;
      }
    }
@@ -345,7 +328,7 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
  for (const QString& dns : config.m_allowedDnsServers) {
    logger.debug() << "Allow DNS: " << dns;
    if (!allowTrafficTo(QHostAddress(dns), 53, HIGH_WEIGHT,
-                        "Allow DNS-Server", target)) {
+                        "Allow DNS-Server", config.m_serverPublicKey)) {
      return false;
    }
  }
@@ -355,7 +338,7 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
      logger.debug() << "excludedAddresses range: " << i;

      if (!allowTrafficTo(i, HIGH_WEIGHT,
-                          "Allow Ecxlude route", target)) {
+                          "Allow Ecxlude route", config.m_serverPublicKey)) {
        return false;
      }
    }
@@ -371,6 +354,35 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
  return true;
 }

+bool WindowsFirewall::disablePeerTraffic(const QString& pubkey) {
+  auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
+  auto cleanup = qScopeGuard([&] {
+    if (result != ERROR_SUCCESS) {
+      FwpmTransactionAbort0(m_sessionHandle);
+    }
+  });
+  if (result != ERROR_SUCCESS) {
+    logger.error() << "FwpmTransactionBegin0 failed. Return value:.\n"
+                   << result;
+    return false;
+  }
+
+  logger.info() << "Disabling traffic for peer" << pubkey;
+  for (const auto& filterID : m_peerRules.values(pubkey)) {
+    FwpmFilterDeleteById0(m_sessionHandle, filterID);
+    m_peerRules.remove(pubkey, filterID);
+  }
+
+  // Commit!
+  result = FwpmTransactionCommit0(m_sessionHandle);
+  if (result != ERROR_SUCCESS) {
+    logger.error() << "FwpmTransactionCommit0 failed. Return value:.\n"
+                   << result;
+    return false;
+  }
+  return true;
+}
+
 bool WindowsFirewall::disableKillSwitch() {
  return KillSwitch::instance()->disableKillSwitch();
 }
@@ -388,13 +400,11 @@ bool WindowsFirewall::allowAllTraffic() {
      return false;
    }

-    for (const auto& bucket : qAsConst(m_tunnelRules)) {
-      for (const auto& filterID : bucket) {
-        FwpmFilterDeleteById0(m_sessionHandle, filterID);
-      }
+    for (const auto& filterID : m_peerRules.values()) {
+      FwpmFilterDeleteById0(m_sessionHandle, filterID);
    }

-    for (const auto& filterID : qAsConst(m_globalRules)) {
+    for (const auto& filterID : qAsConst(m_activeRules)) {
      FwpmFilterDeleteById0(m_sessionHandle, filterID);
    }

@@ -405,42 +415,15 @@ bool WindowsFirewall::allowAllTraffic() {
                     << result;
      return false;
    }
-    m_tunnelRules.clear();
-    m_globalRules.clear();
+    m_peerRules.clear();
+    m_activeRules.clear();
    logger.debug() << "Firewall Disabled!";
    return true;
 }

-bool WindowsFirewall::disableKillSwitchForTunnel(const QString& ifname) {
-  if (ifname.isEmpty() || !m_tunnelRules.contains(ifname)) {
-    return true;
-  }
-
-  auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
-  if (result != ERROR_SUCCESS) {
-    logger.error() << "FwpmTransactionBegin0 failed. Return value:" << result;
-    return false;
-  }
-
-  const QList<uint64_t> filters = m_tunnelRules.take(ifname);
-  logger.info() << "Disabling killswitch filters for tunnel" << ifname
-                << "count:" << filters.length();
-  for (const auto& filterID : filters) {
-    FwpmFilterDeleteById0(m_sessionHandle, filterID);
-  }
-
-  result = FwpmTransactionCommit0(m_sessionHandle);
-  if (result != ERROR_SUCCESS) {
-    logger.error() << "FwpmTransactionCommit0 failed. Return value:" << result;
-    return false;
-  }
-  return true;
-}
-
 bool WindowsFirewall::allowTrafficForAppOnAll(const QString& exePath,
                                              int weight,
-                                              const QString& title,
-                                              QList<uint64_t>& target) {
+                                              const QString& title) {
  DWORD result = ERROR_SUCCESS;
  Q_ASSERT(weight <= 15);

@@ -477,7 +460,7 @@ bool WindowsFirewall::allowTrafficForAppOnAll(const QString& exePath,
  {
    QString desc("Permit (out) IPv4 Traffic of: " + appName);
    filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
-    if (!enableFilter(&filter, title, desc, target)) {
+    if (!enableFilter(&filter, title, desc)) {
      return false;
    }
  }
@@ -485,7 +468,7 @@ bool WindowsFirewall::allowTrafficForAppOnAll(const QString& exePath,
  {
    QString desc("Permit (in) IPv4 Traffic of: " + appName);
    filter.layerKey = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4;
-    if (!enableFilter(&filter, title, desc, target)) {
+    if (!enableFilter(&filter, title, desc)) {
      return false;
    }
  }
@@ -493,8 +476,7 @@ bool WindowsFirewall::allowTrafficForAppOnAll(const QString& exePath,
 }

 bool WindowsFirewall::allowTrafficOfAdapter(int networkAdapter, uint8_t weight,
-                                            const QString& title,
-                                            QList<uint64_t>& target) {
+                                            const QString& title) {
  FWPM_FILTER_CONDITION0 conds;
  // Condition: Request must be targeting the TUN interface
  conds.fieldKey = FWPM_CONDITION_INTERFACE_INDEX;
@@ -516,25 +498,25 @@ bool WindowsFirewall::allowTrafficOfAdapter(int networkAdapter, uint8_t weight,
  // #1 Permit outbound IPv4 traffic.
  filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
  if (!enableFilter(&filter, title,
-                    description.arg("out").arg(networkAdapter), target)) {
+                    description.arg("out").arg(networkAdapter))) {
    return false;
  }
  // #2 Permit inbound IPv4 traffic.
  filter.layerKey = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4;
  if (!enableFilter(&filter, title,
-                    description.arg("in").arg(networkAdapter), target)) {
+                    description.arg("in").arg(networkAdapter))) {
    return false;
  }
  // #3 Permit outbound IPv6 traffic.
  filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
  if (!enableFilter(&filter, title,
-                    description.arg("out").arg(networkAdapter), target)) {
+                    description.arg("out").arg(networkAdapter))) {
    return false;
  }
  // #4 Permit inbound IPv6 traffic.
  filter.layerKey = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6;
  if (!enableFilter(&filter, title,
-                    description.arg("in").arg(networkAdapter), target)) {
+                    description.arg("in").arg(networkAdapter))) {
    return false;
  }
  return true;
@@ -542,7 +524,7 @@ bool WindowsFirewall::allowTrafficOfAdapter(int networkAdapter, uint8_t weight,

 bool WindowsFirewall::allowTrafficTo(const IPAddress& addr, int weight,
                                     const QString& title,
-                                     QList<uint64_t>& target) {
+                                     const QString& peer) {
  GUID layerKeyOut;
  GUID layerKeyIn;
  if (addr.type() == QAbstractSocket::IPv4Protocol) {
@@ -580,11 +562,11 @@ bool WindowsFirewall::allowTrafficTo(const IPAddress& addr, int weight,
  // Send the filters down to the firewall.
  QString description = "Permit traffic %1 " + addr.toString();
  filter.layerKey = layerKeyOut;
-  if (!enableFilter(&filter, title, description.arg("to"), target)) {
+  if (!enableFilter(&filter, title, description.arg("to"), peer)) {
    return false;
  }
  filter.layerKey = layerKeyIn;
-  if (!enableFilter(&filter, title, description.arg("from"), target)) {
+  if (!enableFilter(&filter, title, description.arg("from"), peer)) {
    return false;
  }
  return true;
@@ -592,7 +574,7 @@ bool WindowsFirewall::allowTrafficTo(const IPAddress& addr, int weight,

 bool WindowsFirewall::allowTrafficTo(const QHostAddress& targetIP, uint port,
                                     int weight, const QString& title,
-                                     QList<uint64_t>& target) {
+                                     const QString& peer) {
  bool isIPv4 = targetIP.protocol() == QAbstractSocket::IPv4Protocol;
  GUID layerOut =
      isIPv4 ? FWPM_LAYER_ALE_AUTH_CONNECT_V4 : FWPM_LAYER_ALE_AUTH_CONNECT_V6;
@@ -641,20 +623,19 @@ bool WindowsFirewall::allowTrafficTo(const QHostAddress& targetIP, uint port,
  filter.layerKey = layerOut;
  if (!enableFilter(&filter, title,
                    description.arg("to").arg(targetIP.toString()).arg(port),
-                    target)) {
+                    peer)) {
    return false;
  }
  filter.layerKey = layerIn;
  if (!enableFilter(&filter, title,
                    description.arg("from").arg(targetIP.toString()).arg(port),
-                    target)) {
+                    peer)) {
    return false;
  }
  return true;
 }

-bool WindowsFirewall::allowDHCPTraffic(uint8_t weight, const QString& title,
-                                       QList<uint64_t>& target) {
+bool WindowsFirewall::allowDHCPTraffic(uint8_t weight, const QString& title) {
  // Allow outbound DHCPv4
  {
    FWPM_FILTER_CONDITION0 conds[4];
@@ -691,7 +672,7 @@ bool WindowsFirewall::allowDHCPTraffic(uint8_t weight, const QString& title,

    filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;

-    if (!enableFilter(&filter, title, "Allow Outbound DHCP", target)) {
+    if (!enableFilter(&filter, title, "Allow Outbound DHCP")) {
      return false;
    }
  }
@@ -724,7 +705,7 @@ bool WindowsFirewall::allowDHCPTraffic(uint8_t weight, const QString& title,
    filter.subLayerKey = ST_FW_WINFW_BASELINE_SUBLAYER_KEY;
    filter.layerKey = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4;

-    if (!enableFilter(&filter, title, "Allow inbound DHCP", target)) {
+    if (!enableFilter(&filter, title, "Allow inbound DHCP")) {
      return false;
    }
  }
@@ -759,7 +740,7 @@ bool WindowsFirewall::allowDHCPTraffic(uint8_t weight, const QString& title,
    filter.subLayerKey = ST_FW_WINFW_BASELINE_SUBLAYER_KEY;
    filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;

-    if (!enableFilter(&filter, title, "Allow outbound DHCPv6", target)) {
+    if (!enableFilter(&filter, title, "Allow outbound DHCPv6")) {
      return false;
    }
  }
@@ -792,7 +773,7 @@ bool WindowsFirewall::allowDHCPTraffic(uint8_t weight, const QString& title,
    filter.weight.uint8 = weight;
    filter.subLayerKey = ST_FW_WINFW_BASELINE_SUBLAYER_KEY;
    filter.layerKey = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6;
-    if (!enableFilter(&filter, title, "Allow inbound DHCPv6", target)) {
+    if (!enableFilter(&filter, title, "Allow inbound DHCPv6")) {
      return false;
    }
  }
@@ -800,8 +781,7 @@ bool WindowsFirewall::allowDHCPTraffic(uint8_t weight, const QString& title,
 }

 // Allows the internal Hyper-V Switches to work.
-bool WindowsFirewall::allowHyperVTraffic(uint8_t weight, const QString& title,
-                                         QList<uint64_t>& target) {
+bool WindowsFirewall::allowHyperVTraffic(uint8_t weight, const QString& title) {
  FWPM_FILTER_CONDITION0 cond;
  // Condition: Request must be targeting the TUN interface
  cond.fieldKey = FWPM_CONDITION_L2_FLAGS;
@@ -821,12 +801,12 @@ bool WindowsFirewall::allowHyperVTraffic(uint8_t weight, const QString& title,

  // #1 Permit Hyper-V => Hyper-V outbound.
  filter.layerKey = FWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE;
-  if (!enableFilter(&filter, title, "Permit Hyper-V => Hyper-V outbound", target)) {
+  if (!enableFilter(&filter, title, "Permit Hyper-V => Hyper-V outbound")) {
    return false;
  }
  // #2 Permit Hyper-V => Hyper-V inbound.
  filter.layerKey = FWPM_LAYER_INBOUND_MAC_FRAME_NATIVE;
-  if (!enableFilter(&filter, title, "Permit Hyper-V => Hyper-V inbound", target)) {
+  if (!enableFilter(&filter, title, "Permit Hyper-V => Hyper-V inbound")) {
    return false;
  }
  return true;
@@ -834,7 +814,7 @@ bool WindowsFirewall::allowHyperVTraffic(uint8_t weight, const QString& title,

 bool WindowsFirewall::blockTrafficTo(const IPAddress& addr, uint8_t weight,
                                     const QString& title,
-                                     QList<uint64_t>& target) {
+                                     const QString& peer) {
  QString description("Block traffic %1 %2 ");

  auto lower = addr.address();
@@ -872,12 +852,12 @@ bool WindowsFirewall::blockTrafficTo(const IPAddress& addr, uint8_t weight,

  filter.layerKey = layerKeyOut;
  if (!enableFilter(&filter, title, description.arg("to").arg(addr.toString()),
-                    target)) {
+                    peer)) {
    return false;
  }
  filter.layerKey = layerKeyIn;
  if (!enableFilter(&filter, title,
-                    description.arg("from").arg(addr.toString()), target)) {
+                    description.arg("from").arg(addr.toString()), peer)) {
    return false;
  }
  return true;
@@ -885,9 +865,9 @@ bool WindowsFirewall::blockTrafficTo(const IPAddress& addr, uint8_t weight,

 bool WindowsFirewall::blockTrafficTo(const QList<IPAddress>& rangeList,
                                     uint8_t weight, const QString& title,
-                                     QList<uint64_t>& target) {
+                                     const QString& peer) {
  for (auto range : rangeList) {
-    if (!blockTrafficTo(range, weight, title, target)) {
+    if (!blockTrafficTo(range, weight, title, peer)) {
      logger.info() << "Setting Range of" << range.toString() << "failed";
      return false;
    }
@@ -943,8 +923,7 @@ void WindowsFirewall::importAddress(const QHostAddress& addr,
 }

 bool WindowsFirewall::blockTrafficOnPort(uint port, uint8_t weight,
-                                         const QString& title,
-                                         QList<uint64_t>& target) {
+                                         const QString& title) {
  // Allow Traffic to IP with PORT using any protocol
  FWPM_FILTER_CONDITION0 conds[3];
  conds[0].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
@@ -974,20 +953,20 @@ bool WindowsFirewall::blockTrafficOnPort(uint port, uint8_t weight,

  QString description("Block %1 on Port %2");
  filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
-  if (!enableFilter(&filter, title, description.arg("outgoing v6").arg(port), target)) {
+  if (!enableFilter(&filter, title, description.arg("outgoing v6").arg(port))) {
    return false;
  }
  filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
-  if (!enableFilter(&filter, title, description.arg("outgoing v4").arg(port), target)) {
+  if (!enableFilter(&filter, title, description.arg("outgoing v4").arg(port))) {
    return false;
  }

  filter.layerKey = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4;
-  if (!enableFilter(&filter, title, description.arg("incoming v4").arg(port), target)) {
+  if (!enableFilter(&filter, title, description.arg("incoming v4").arg(port))) {
    return false;
  }
  filter.layerKey = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6;
-  if (!enableFilter(&filter, title, description.arg("incoming v6").arg(port), target)) {
+  if (!enableFilter(&filter, title, description.arg("incoming v6").arg(port))) {
    return false;
  }
  return true;
@@ -995,7 +974,7 @@ bool WindowsFirewall::blockTrafficOnPort(uint port, uint8_t weight,

 bool WindowsFirewall::enableFilter(FWPM_FILTER0* filter, const QString& title,
                                   const QString& description,
-                                   QList<uint64_t>& target) {
+                                   const QString& peer) {
  uint64_t filterID = 0;
  auto name = title.toStdWString();
  auto desc = description.toStdWString();
@@ -1008,12 +987,16 @@ bool WindowsFirewall::enableFilter(FWPM_FILTER0* filter, const QString& title,
    return false;
  }
  logger.info() << "Filter added: " << title << ":" << description;
-  target.append(filterID);
+  if (peer.isEmpty()) {
+    m_activeRules.append(filterID);
+  } else {
+    m_peerRules.insert(peer, filterID);
+  }
  return true;
 }

-bool WindowsFirewall::allowLoopbackTraffic(uint8_t weight, const QString& title,
-                                           QList<uint64_t>& target) {
+bool WindowsFirewall::allowLoopbackTraffic(uint8_t weight,
+                                           const QString& title) {
  QList<QNetworkInterface> networkInterfaces =
      QNetworkInterface::allInterfaces();
  for (const auto& iface : networkInterfaces) {
@@ -1021,7 +1004,7 @@ bool WindowsFirewall::allowLoopbackTraffic(uint8_t weight, const QString& title,
      continue;
    }
    if (!allowTrafficOfAdapter(iface.index(), weight,
-                               title.arg(iface.name()), target)) {
+                               title.arg(iface.name()))) {
      return false;
    }
  }
@@ -15,7 +15,6 @@

 #include <QByteArray>
 #include <QHostAddress>
-#include <QMap>
 #include <QObject>
 #include <QString>

@@ -39,42 +38,38 @@ class WindowsFirewall final : public QObject {
  static WindowsFirewall* create(QObject* parent);
  ~WindowsFirewall() override;

-  bool enableInterface(int vpnAdapterIndex, const QString& ifname = QString());
+  bool enableInterface(int vpnAdapterIndex);
  bool enableLanBypass(const QList<IPAddress>& ranges);
  bool enablePeerTraffic(const InterfaceConfig& config);
+  bool disablePeerTraffic(const QString& pubkey);
  bool disableKillSwitch();
-  bool disableKillSwitchForTunnel(const QString& ifname);
  bool allowAllTraffic();
-  bool allowTrafficRange(const QStringList& ranges, const QString& ifname = QString());
+  bool allowTrafficRange(const QStringList& ranges);

 private:
  static bool initSublayer();
  WindowsFirewall(HANDLE session, QObject* parent);
  HANDLE m_sessionHandle;
  bool m_init = false;
-  QList<uint64_t> m_globalRules;
-  QMap<QString, QList<uint64_t>> m_tunnelRules;
+  QList<uint64_t> m_activeRules;
+  QMultiMap<QString, uint64_t> m_peerRules;

  bool allowTrafficForAppOnAll(const QString& exePath, int weight,
-                               const QString& title, QList<uint64_t>& target);
+                               const QString& title);
  bool blockTrafficTo(const QList<IPAddress>& range, uint8_t weight,
-                      const QString& title, QList<uint64_t>& target);
+                      const QString& title, const QString& peer = QString());
  bool blockTrafficTo(const IPAddress& addr, uint8_t weight,
-                      const QString& title, QList<uint64_t>& target);
-  bool blockTrafficOnPort(uint port, uint8_t weight, const QString& title,
-                          QList<uint64_t>& target);
+                      const QString& title, const QString& peer = QString());
+  bool blockTrafficOnPort(uint port, uint8_t weight, const QString& title);
  bool allowTrafficTo(const IPAddress& addr, int weight, const QString& title,
-                      QList<uint64_t>& target);
+                      const QString& peer = QString());
  bool allowTrafficTo(const QHostAddress& targetIP, uint port, int weight,
-                      const QString& title, QList<uint64_t>& target);
+                      const QString& title, const QString& peer = QString());
  bool allowTrafficOfAdapter(int networkAdapter, uint8_t weight,
-                             const QString& title, QList<uint64_t>& target);
-  bool allowDHCPTraffic(uint8_t weight, const QString& title,
-                        QList<uint64_t>& target);
-  bool allowHyperVTraffic(uint8_t weight, const QString& title,
-                          QList<uint64_t>& target);
-  bool allowLoopbackTraffic(uint8_t weight, const QString& title,
-                            QList<uint64_t>& target);
+                             const QString& title);
+  bool allowDHCPTraffic(uint8_t weight, const QString& title);
+  bool allowHyperVTraffic(uint8_t weight, const QString& title);
+  bool allowLoopbackTraffic(uint8_t weight, const QString& title);

  // Utils
  QString getCurrentPath();
@@ -83,7 +78,8 @@ class WindowsFirewall final : public QObject {
  void importAddress(const QHostAddress& addr, OUT FWP_CONDITION_VALUE0_& value,
                     OUT QByteArray* v6DataBuffer);
  bool enableFilter(FWPM_FILTER0* filter, const QString& title,
-                    const QString& description, QList<uint64_t>& target);
+                    const QString& description,
+                    const QString& peer = QString());
 };

 #endif  // WINDOWSFIREWALL_H
@@ -58,12 +58,9 @@ static int prefixcmp(const void* a, const void* b, size_t bits) {
  return 0;
 }

-QSet<quint64> WindowsRouteMonitor::s_vpnLuids;
-
 WindowsRouteMonitor::WindowsRouteMonitor(quint64 luid, QObject* parent)
    : QObject(parent), m_luid(luid) {
  MZ_COUNT_CTOR(WindowsRouteMonitor);
-  s_vpnLuids.insert(luid);
  logger.debug() << "WindowsRouteMonitor created.";

  NotifyRouteChange2(AF_INET, routeChangeCallback, this, FALSE, &m_routeHandle);
@@ -72,8 +69,8 @@ WindowsRouteMonitor::WindowsRouteMonitor(quint64 luid, QObject* parent)
 WindowsRouteMonitor::~WindowsRouteMonitor() {
  MZ_COUNT_DTOR(WindowsRouteMonitor);
  CancelMibChangeNotify2(m_routeHandle);
-  s_vpnLuids.remove(m_luid);

+  flushRouteTable(m_exclusionRoutes);
  flushRouteTable(m_clonedRoutes);
  logger.debug() << "WindowsRouteMonitor destroyed.";
 }
@@ -98,8 +95,7 @@ void WindowsRouteMonitor::updateInterfaceMetrics(int family) {
  // Rebuild the list of interfaces that are valid for routing.
  for (ULONG i = 0; i < table->NumEntries; i++) {
    MIB_IPINTERFACE_ROW* row = &table->Table[i];
-    // Skip any VPN wintun (own or sibling) so exclusion routes never pick one.
-    if (s_vpnLuids.contains(row->InterfaceLuid.Value)) {
+    if (row->InterfaceLuid.Value == m_luid) {
      continue;
    }
    if (!row->Connected) {
@@ -130,8 +126,8 @@ void WindowsRouteMonitor::updateExclusionRoute(MIB_IPFORWARD_ROW2* data,
  nexthop.si_family = data->DestinationPrefix.Prefix.si_family;
  for (ULONG i = 0; i < table->NumEntries; i++) {
    MIB_IPFORWARD_ROW2* row = &table->Table[i];
-    // Skip any VPN wintun (own or sibling).
-    if (s_vpnLuids.contains(row->InterfaceLuid.Value)) {
+    // Ignore routes into the VPN interface.
+    if (row->InterfaceLuid.Value == m_luid) {
      continue;
    }
    if (row->DestinationPrefix.PrefixLength < bestMatch) {
@@ -243,16 +239,14 @@ QHostAddress WindowsRouteMonitor::prefixToAddress(
  }
 }

-bool WindowsRouteMonitor::isRouteExcluded(void* ptable,
-                                          const IP_ADDRESS_PREFIX* dest) const {
-  PMIB_IPFORWARD_TABLE2 table = reinterpret_cast<PMIB_IPFORWARD_TABLE2>(ptable);
-  for (ULONG i = 0; i < table->NumEntries; i++) {
-    const MIB_IPFORWARD_ROW2* row = &table->Table[i];
-    if (row->Protocol != MIB_IPPROTO_NETMGMT) continue;
-    if (row->Metric != EXCLUSION_ROUTE_METRIC) continue;
+bool WindowsRouteMonitor::isRouteExcluded(const IP_ADDRESS_PREFIX* dest) const {
+  auto i = m_exclusionRoutes.constBegin();
+  while (i != m_exclusionRoutes.constEnd()) {
+    const MIB_IPFORWARD_ROW2* row = i.value();
    if (routeContainsDest(&row->DestinationPrefix, dest)) {
      return true;
    }
+    i++;
  }
  return false;
 }
@@ -278,8 +272,8 @@ void WindowsRouteMonitor::updateCapturedRoutes(int family, void* ptable) {

  for (ULONG i = 0; i < table->NumEntries; i++) {
    MIB_IPFORWARD_ROW2* row = &table->Table[i];
-    // Skip any VPN wintun (own or sibling).
-    if (s_vpnLuids.contains(row->InterfaceLuid.Value)) {
+    // Ignore routes into the VPN interface.
+    if (row->InterfaceLuid.Value == m_luid) {
      continue;
    }
    // Ignore the default route
@@ -292,7 +286,7 @@ void WindowsRouteMonitor::updateCapturedRoutes(int family, void* ptable) {
      continue;
    }
    // Ignore routes which should be excluded.
-    if (isRouteExcluded(table, &row->DestinationPrefix)) {
+    if (isRouteExcluded(&row->DestinationPrefix)) {
      continue;
    }
    QHostAddress destination = prefixToAddress(&row->DestinationPrefix);
@@ -381,6 +375,11 @@ bool WindowsRouteMonitor::addExclusionRoute(const IPAddress& prefix) {
    return true;
  }

+  if (m_exclusionRoutes.contains(prefix)) {
+    logger.warning() << "Exclusion route already exists";
+    return false;
+  }
+
  // Allocate and initialize the MIB routing table row.
  MIB_IPFORWARD_ROW2* data = new MIB_IPFORWARD_ROW2;
  InitializeIpForwardEntry(data);
@@ -428,8 +427,8 @@ bool WindowsRouteMonitor::addExclusionRoute(const IPAddress& prefix) {
  updateCapturedRoutes(family, table);
  updateExclusionRoute(data, table);
  FreeMibTable(table);
-  delete data;
-  m_ownedExclusionRoutes.insert(prefix);
+
+  m_exclusionRoutes[prefix] = data;
  return true;
 }

@@ -437,39 +436,23 @@ bool WindowsRouteMonitor::deleteExclusionRoute(const IPAddress& prefix) {
  logger.debug() << "Deleting exclusion route for"
                 << prefix.address().toString();

-  m_ownedExclusionRoutes.remove(prefix);
-
-  PMIB_IPFORWARD_TABLE2 table;
-  DWORD result = GetIpForwardTable2(AF_UNSPEC, &table);
-  if (result != NO_ERROR) {
-    logger.error() << "Failed to fetch routing table:" << result;
-    return false;
+  MIB_IPFORWARD_ROW2* data = m_exclusionRoutes.take(prefix);
+  if (data == nullptr) {
+    return true;
  }

-  const bool isV4 = prefix.address().protocol() == QAbstractSocket::IPv4Protocol;
-  const ADDRESS_FAMILY addrFamily =
-      isV4 ? static_cast<ADDRESS_FAMILY>(AF_INET)
-           : static_cast<ADDRESS_FAMILY>(AF_INET6);
-  bool deleted = false;
-  for (ULONG i = 0; i < table->NumEntries; i++) {
-    MIB_IPFORWARD_ROW2* row = &table->Table[i];
-    if (row->Protocol != MIB_IPPROTO_NETMGMT) continue;
-    if (row->Metric != EXCLUSION_ROUTE_METRIC) continue;
-    if (row->DestinationPrefix.Prefix.si_family != addrFamily) continue;
-    if (row->DestinationPrefix.PrefixLength != prefix.prefixLength()) continue;
-    if (prefixToAddress(&row->DestinationPrefix) != prefix.address()) continue;
-    DWORD r = DeleteIpForwardEntry2(row);
-    if (r == NO_ERROR || r == ERROR_NOT_FOUND) {
-      deleted = true;
-    } else {
-      logger.error() << "Failed to delete route to" << prefix.toString()
-                     << "result:" << r;
-    }
-    break;
+  DWORD result = DeleteIpForwardEntry2(data);
+  if ((result != ERROR_NOT_FOUND) && (result != NO_ERROR)) {
+    logger.error() << "Failed to delete route to"
+                   << prefix.toString()
+                   << "result:" << result;
  }
-  FreeMibTable(table);
-  updateCapturedRoutes(addrFamily);
-  return deleted;
+
+  // Captured routes might have changed.
+  updateCapturedRoutes(data->DestinationPrefix.Prefix.si_family);
+
+  delete data;
+  return true;
 }

 void WindowsRouteMonitor::flushRouteTable(
@@ -509,24 +492,8 @@ void WindowsRouteMonitor::routeChanged() {

  updateInterfaceMetrics(AF_UNSPEC);
  updateCapturedRoutes(AF_UNSPEC, table);
-
-  for (const IPAddress& prefix : m_ownedExclusionRoutes) {
-    const bool isV4 =
-        prefix.address().protocol() == QAbstractSocket::IPv4Protocol;
-    const ADDRESS_FAMILY addrFamily =
-        isV4 ? static_cast<ADDRESS_FAMILY>(AF_INET)
-             : static_cast<ADDRESS_FAMILY>(AF_INET6);
-    for (ULONG i = 0; i < table->NumEntries; i++) {
-      MIB_IPFORWARD_ROW2* row = &table->Table[i];
-      if (row->Protocol != MIB_IPPROTO_NETMGMT) continue;
-      if (row->Metric != EXCLUSION_ROUTE_METRIC) continue;
-      if (row->DestinationPrefix.Prefix.si_family != addrFamily) continue;
-      if (row->DestinationPrefix.PrefixLength != prefix.prefixLength()) continue;
-      if (prefixToAddress(&row->DestinationPrefix) != prefix.address()) continue;
-      MIB_IPFORWARD_ROW2 copy = *row;
-      updateExclusionRoute(&copy, table);
-      break;
-    }
+  for (MIB_IPFORWARD_ROW2* data : m_exclusionRoutes) {
+    updateExclusionRoute(data, table);
  }

  FreeMibTable(table);
@@ -14,7 +14,6 @@
 #include <QHash>
 #include <QMap>
 #include <QObject>
-#include <QSet>

 #include "ipaddress.h"

@@ -29,6 +28,7 @@ class WindowsRouteMonitor final : public QObject {

  bool addExclusionRoute(const IPAddress& prefix);
  bool deleteExclusionRoute(const IPAddress& prefix);
+  void flushExclusionRoutes() { return flushRouteTable(m_exclusionRoutes); };

  quint64 getLuid() const { return m_luid; }

@@ -36,7 +36,7 @@ class WindowsRouteMonitor final : public QObject {
  void routeChanged();

 private:
-  bool isRouteExcluded(void* table, const IP_ADDRESS_PREFIX* dest) const;
+  bool isRouteExcluded(const IP_ADDRESS_PREFIX* dest) const;
  static bool routeContainsDest(const IP_ADDRESS_PREFIX* route,
                                const IP_ADDRESS_PREFIX* dest);
  static QHostAddress prefixToAddress(const IP_ADDRESS_PREFIX* dest);
@@ -47,7 +47,7 @@ class WindowsRouteMonitor final : public QObject {
  void updateCapturedRoutes(int family);
  void updateCapturedRoutes(int family, void* table);

-  QSet<IPAddress> m_ownedExclusionRoutes;
+  QHash<IPAddress, MIB_IPFORWARD_ROW2*> m_exclusionRoutes;
  QMap<quint64, ULONG> m_interfaceMetricsIpv4;
  QMap<quint64, ULONG> m_interfaceMetricsIpv6;

@@ -57,8 +57,6 @@ class WindowsRouteMonitor final : public QObject {

  const quint64 m_luid = 0;
  HANDLE m_routeHandle = INVALID_HANDLE_VALUE;
-
-  static QSet<quint64> s_vpnLuids;
 };

 #endif /* WINDOWSROUTEMONITOR_H */
@@ -15,8 +15,9 @@
 #include "platforms/windows/windowsutils.h"
 #include "windowsdaemon.h"

-#define TUNNEL_NAMED_PIPE_PREFIX \
-  "\\\\.\\pipe\\ProtectedPrefix\\Administrators\\AmneziaWG\\"
+#define TUNNEL_NAMED_PIPE \
+  "\\\\."                 \
+  "\\pipe\\ProtectedPrefix\\Administrators\\AmneziaWG\\AmneziaVPN"

 constexpr uint32_t WINDOWS_TUNNEL_MONITOR_TIMEOUT_MSEC = 2000;

@@ -27,10 +28,6 @@ Logger logger("WindowsTunnelService");
 static bool stopAndDeleteTunnelService(SC_HANDLE service);
 static bool waitForServiceStatus(SC_HANDLE service, DWORD expectedStatus);

-std::wstring WindowsTunnelService::serviceNameForIfname(const QString& ifname) {
-  return (QStringLiteral("AmneziaWGTunnel$") + ifname).toStdWString();
-}
-
 WindowsTunnelService::WindowsTunnelService(QObject* parent) : QObject(parent) {
  MZ_COUNT_CTOR(WindowsTunnelService);
  logger.debug() << "WindowsTunnelService created.";
@@ -40,7 +37,7 @@ WindowsTunnelService::WindowsTunnelService(QObject* parent) : QObject(parent) {
    WindowsUtils::windowsLog("Failed to open SCManager");
  }

-  // Is the legacy single-tunnel service still around? Terminate it.
+  // Is the service already running? Terminate it.
  SC_HANDLE service =
      OpenService((SC_HANDLE)m_scm, TUNNEL_SERVICE_NAME, SERVICE_ALL_ACCESS);
  if (service != nullptr) {
@@ -111,11 +108,8 @@ void WindowsTunnelService::timeout() {
  emit backendFailure();
 }

-bool WindowsTunnelService::start(const QString& configData, const QString& ifname) {
-  logger.debug() << "Starting the tunnel service for" << ifname;
-
-  m_ifname = ifname;
-  const std::wstring serviceName = serviceNameForIfname(ifname);
+bool WindowsTunnelService::start(const QString& configData) {
+  logger.debug() << "Starting the tunnel service";

  m_logworker = new WindowsTunnelLogger(WindowsCommons::tunnelLogFile());
  m_logworker->moveToThread(&m_logthread);
@@ -134,9 +128,10 @@ bool WindowsTunnelService::start(const QString& configData, const QString& ifnam
    m_logworker = nullptr;
  });

-  service = OpenService(scm, serviceName.c_str(), SERVICE_ALL_ACCESS);
+  // Let's see if we have to delete a previous instance.
+  service = OpenService(scm, TUNNEL_SERVICE_NAME, SERVICE_ALL_ACCESS);
  if (service) {
-    logger.debug() << "A stale service was detected. Cleaning it up.";
+    logger.debug() << "An existing service has been detected. Let's close it.";
    if (!stopAndDeleteTunnelService(service)) {
      return false;
    }
@@ -148,12 +143,12 @@ bool WindowsTunnelService::start(const QString& configData, const QString& ifnam
  {
    QTextStream out(&serviceCmdline);
    out << "\"" << qApp->applicationFilePath() << "\" tunneldaemon \""
-        << configData << "\" \"" << ifname << "\"";
+        << configData << "\"";
  }

  logger.debug() << "Service:" << qApp->applicationFilePath();

-  service = CreateService(scm, serviceName.c_str(), L"Amnezia VPN (tunnel)",
+  service = CreateService(scm, TUNNEL_SERVICE_NAME, L"Amnezia VPN (tunnel)",
                          SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
                          SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
                          (const wchar_t*)serviceCmdline.utf16(), nullptr, 0,
@@ -241,9 +236,8 @@ static bool stopAndDeleteTunnelService(SC_HANDLE service) {
 }

 QString WindowsTunnelService::uapiCommand(const QString& command) {
-  const std::wstring pipeName = std::wstring(TEXT(TUNNEL_NAMED_PIPE_PREFIX))
-                              + m_ifname.toStdWString();
-  LPCWSTR tunnelName = pipeName.c_str();
+  // Create a pipe to the tunnel service.
+  LPTSTR tunnelName = (LPTSTR)TEXT(TUNNEL_NAMED_PIPE);
  HANDLE pipe = CreateFile(tunnelName, GENERIC_READ | GENERIC_WRITE, 0, nullptr,
                           OPEN_EXISTING, 0, nullptr);
  if (pipe == INVALID_HANDLE_VALUE) {
@@ -9,7 +9,6 @@
 #include <QObject>
 #include <QThread>
 #include <QTimer>
-#include <string>

 #include "windowstunnellogger.h"

@@ -21,13 +20,11 @@ class WindowsTunnelService final : public QObject {
  WindowsTunnelService(QObject* parent = nullptr);
  ~WindowsTunnelService();

-  bool start(const QString& configData, const QString& ifname);
+  bool start(const QString& configData);
  void stop();
  bool isRunning();
  QString uapiCommand(const QString& command);

-  static std::wstring serviceNameForIfname(const QString& ifname);
-
 signals:
  void backendFailure();

@@ -39,7 +36,6 @@ class WindowsTunnelService final : public QObject {
  QTimer m_timer;
  QThread m_logthread;
  WindowsTunnelLogger* m_logworker = nullptr;
-  QString m_ifname;

  // These are really SC_HANDLEs in disguise.
  void* m_scm = nullptr;
@@ -102,36 +102,23 @@ bool WireguardUtilsWindows::addInterface(const InterfaceConfig& config) {
    return false;
  }

+  // We don't want to pass a peer just yet, that will happen later with
+  // a UAPI command in WireguardUtilsWindows::updatePeer(), so truncate
+  // the config file to remove the [Peer] section.
  qsizetype peerStart = configString.indexOf("[Peer]", 0, Qt::CaseSensitive);
  if (peerStart >= 0) {
    configString.truncate(peerStart);
  }

-  auto stripLine = [&](const QString& key) {
-    qsizetype start = configString.startsWith(key + " = ")
-                          ? 0
-                          : configString.indexOf("\n" + key + " = ");
-    if (start < 0) return;
-    if (start != 0) start += 1;
-    qsizetype end = configString.indexOf('\n', start);
-    if (end < 0) return;
-    configString.remove(start, end - start + 1);
-  };
-
-  stripLine("DNS");
-  if (config.m_deferAddressSetup) {
-    // Wintun rejects duplicate IPv4; daemon will assign at swap time.
-    stripLine("Address");
-  }
-
-  m_ifname = config.m_ifname.isEmpty() ? s_defaultInterfaceName() : config.m_ifname;
-  if (!m_tunnel.start(configString, m_ifname)) {
+  if (!m_tunnel.start(configString)) {
    logger.error() << "Failed to activate the tunnel service";
    return false;
  }

+  // Determine the interface LUID
  NET_LUID luid;
-  DWORD result = ConvertInterfaceAliasToLuid((wchar_t*)m_ifname.utf16(), &luid);
+  QString ifAlias = interfaceName();
+  DWORD result = ConvertInterfaceAliasToLuid((wchar_t*)ifAlias.utf16(), &luid);
  if (result != 0) {
    logger.error() << "Failed to lookup LUID:" << result;
    return false;
@@ -139,6 +126,14 @@ bool WireguardUtilsWindows::addInterface(const InterfaceConfig& config) {
  m_luid = luid.Value;
  m_routeMonitor = new WindowsRouteMonitor(luid.Value, this);

+  if (config.m_killSwitchEnabled) {
+    // Enable the windows firewall
+    NET_IFINDEX ifindex;
+    ConvertInterfaceLuidToIndex(&luid, &ifindex);
+    m_firewall->allowAllTraffic();
+    m_firewall->enableInterface(ifindex);
+  }
+
  logger.debug() << "Registration completed";
  return true;
 }
@@ -148,6 +143,7 @@ bool WireguardUtilsWindows::deleteInterface() {
    m_routeMonitor->deleteLater();
  }

+  m_firewall->disableKillSwitch();
  m_tunnel.stop();
  return true;
 }
@@ -158,6 +154,10 @@ bool WireguardUtilsWindows::updatePeer(const InterfaceConfig& config) {
  QByteArray pskKey =
      QByteArray::fromBase64(qPrintable(config.m_serverPskKey));

+  if (config.m_killSwitchEnabled) {
+    // Enable the windows firewall for this peer.
+    m_firewall->enablePeerTraffic(config);
+  }
  logger.debug() << "Configuring peer" << publicKey.toHex()
                 << "via" << config.m_serverIpv4AddrIn;

@@ -185,6 +185,12 @@ bool WireguardUtilsWindows::updatePeer(const InterfaceConfig& config) {
    out << "allowed_ip=" << ip.toString() << "\n";
  }

+  // Exclude the server address, except for multihop exit servers.
+  if (m_routeMonitor && config.m_hopType != InterfaceConfig::MultiHopExit) {
+    m_routeMonitor->addExclusionRoute(IPAddress(config.m_serverIpv4AddrIn));
+    m_routeMonitor->addExclusionRoute(IPAddress(config.m_serverIpv6AddrIn));
+  }
+
  QString reply = m_tunnel.uapiCommand(message);
  logger.debug() << "DATA:" << reply;
  return true;
@@ -194,6 +200,15 @@ bool WireguardUtilsWindows::deletePeer(const InterfaceConfig& config) {
  QByteArray publicKey =
      QByteArray::fromBase64(qPrintable(config.m_serverPublicKey));

+  // Clear exclustion routes for this peer.
+  if (m_routeMonitor && config.m_hopType != InterfaceConfig::MultiHopExit) {
+    m_routeMonitor->deleteExclusionRoute(IPAddress(config.m_serverIpv4AddrIn));
+    m_routeMonitor->deleteExclusionRoute(IPAddress(config.m_serverIpv6AddrIn));
+  }
+
+  // Disable the windows firewall for this peer.
+  m_firewall->disablePeerTraffic(config.m_serverPublicKey);
+
  QString message;
  QTextStream out(&message);
  out << "set=1\n";
@@ -27,8 +27,10 @@ class WireguardUtilsWindows final : public WireguardUtils {
  ~WireguardUtilsWindows();

  bool interfaceExists() override { return m_tunnel.isRunning(); }
-  QString interfaceName() override { return m_ifname; }
-  static const QString s_defaultInterfaceName() { return "AmneziaVPN"; }
+  QString interfaceName() override {
+    return WireguardUtilsWindows::s_interfaceName();
+  }
+  static const QString s_interfaceName() { return "AmneziaVPN"; }
  bool addInterface(const InterfaceConfig& config) override;
  bool deleteInterface() override;

@@ -52,7 +54,6 @@ class WireguardUtilsWindows final : public WireguardUtils {
  void buildMibForwardRow(const IPAddress& prefix, void* row);

  quint64 m_luid = 0;
-  QString m_ifname;
  WindowsTunnelService m_tunnel;
  QPointer<WindowsRouteMonitor> m_routeMonitor;
  QPointer<WindowsFirewall> m_firewall;
@@ -14,7 +14,41 @@

 namespace {
 Logger logger("WindowsUtils");
-}  // namespace
+
+constexpr const wchar_t kThemeWatcherClassName[] = L"AmneziaVpnThemeWatcher";
+
+struct ThemeObserverState
+{
+    std::function<void()> callback;
+    HWND hwnd = nullptr;
+};
+
+ThemeObserverState g_themeObserver;
+
+bool registryUsesDarkTheme(const QSettings &settings, const QString &lightThemeKey)
+{
+    if (settings.contains(lightThemeKey)) {
+        return settings.value(lightThemeKey).toInt() != 1;
+    }
+    return false;
+}
+
+LRESULT CALLBACK themeWndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
+{
+    Q_UNUSED(wParam);
+
+    if (msg == WM_SETTINGCHANGE && lParam != 0) {
+        const wchar_t *section = reinterpret_cast<const wchar_t *>(lParam);
+        if (wcscmp(section, L"ImmersiveColorSet") == 0 || wcscmp(section, L"WindowsThemeElement") == 0) {
+            if (g_themeObserver.callback) {
+                g_themeObserver.callback();
+            }
+        }
+    }
+
+    return DefWindowProcW(hwnd, msg, wParam, lParam);
+}
+} // namespace

 constexpr const int WINDOWS_11_BUILD =
    22000;  // Build Number of the first release win 11 iso
@@ -60,3 +94,51 @@ QString WindowsUtils::windowsVersion() {
 void WindowsUtils::forceCrash() {
  RaiseException(0x0000DEAD, EXCEPTION_NONCONTINUABLE, 0, NULL);
 }
+
+// static
+bool WindowsUtils::isDarkTheme() {
+  QSettings settings(
+          QStringLiteral("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"),
+          QSettings::NativeFormat);
+    settings.sync();
+
+  if (settings.contains(QStringLiteral("SystemUsesLightTheme"))) {
+      return registryUsesDarkTheme(settings, QStringLiteral("SystemUsesLightTheme"));
+  }
+
+  if (settings.contains(QStringLiteral("AppsUseLightTheme"))) {
+      return registryUsesDarkTheme(settings, QStringLiteral("AppsUseLightTheme"));
+  }
+
+  logger.warning() << "SystemUsesLightTheme registry key is unavailable; assuming dark theme";
+  return true;
+}
+
+void WindowsUtils::installThemeChangeObserver(std::function<void()> callback)
+{
+    g_themeObserver.callback = std::move(callback);
+
+    if (g_themeObserver.hwnd) {
+        return;
+    }
+
+    HINSTANCE instance = GetModuleHandleW(nullptr);
+    WNDCLASSW wc = {};
+    wc.lpfnWndProc = themeWndProc;
+    wc.hInstance = instance;
+    wc.lpszClassName = kThemeWatcherClassName;
+
+    WNDCLASSW existing = {};
+    if (!GetClassInfoW(instance, kThemeWatcherClassName, &existing)) {
+        if (!RegisterClassW(&wc)) {
+            WindowsUtils::windowsLog("Failed to register theme watcher window class");
+            return;
+        }
+    }
+
+    g_themeObserver.hwnd = CreateWindowExW(0, kThemeWatcherClassName, L"AmneziaVpnThemeWatcher", 0, 0, 0, 0, 0,
+                                           HWND_MESSAGE, nullptr, instance, nullptr);
+    if (!g_themeObserver.hwnd) {
+        WindowsUtils::windowsLog("Failed to create theme watcher window");
+    }
+}
@@ -7,6 +7,8 @@

 #include <QString>

+#include <functional>
+
 class WindowsUtils final {
 public:
  static QString getErrorMessage();
@@ -18,6 +20,9 @@ class WindowsUtils final {

  // Force an application crash for testing
  static void forceCrash();
+
+  static bool isDarkTheme();
+  static void installThemeChangeObserver(std::function<void()> callback);
 };

 #endif  // WINDOWSUTILS_H
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
dranik	6f34f3509b	add new icons error & fix logic	2026-06-05 16:13:06 +03:00
dranik	b21d77a911	fixed update icon windows	2026-06-05 13:35:11 +03:00
dranik	a4edb7279d	fixed update icon linux	2026-06-05 12:12:12 +03:00
dranik	e61b1dfa11	update icons	2026-06-05 09:00:14 +03:00
dranik	0db1e52468	fixed update icon windows & ref code	2026-05-30 14:50:18 +03:00
dranik	596a422475	reset file macos	2026-05-30 14:10:20 +03:00
dranik	345fbf99de	fix update linux	2026-05-30 12:55:27 +03:00
dranik	58d6c362f3	ref code sort files	2026-05-30 10:53:44 +03:00
dranik	9937add4eb	add linux file	2026-05-29 23:17:50 +03:00
dranik	7eecc3667f	format code	2026-05-29 22:57:54 +03:00
dranik	446e7b6a8e	fix build macos	2026-05-29 22:52:34 +03:00
dranik	10d5bdbc60	reset file	2026-05-29 22:48:16 +03:00
dranik	bb38388140	reset file	2026-05-29 22:45:03 +03:00
dranik	47834a10a6	format code	2026-05-29 22:43:02 +03:00
dranik	61afebcedb	format code	2026-05-29 22:40:24 +03:00
dranik	9fa03e5387	fixed update icon linux ubuntu 24	2026-05-29 22:22:53 +03:00
dranik	9857a5d90a	remove old include	2026-05-29 18:47:09 +03:00
dranik	2c37305cf0	fixed update icon & green indicator - windows	2026-05-29 18:30:23 +03:00
dranik	6fad9f56e4	fixed icon conn/disc macos	2026-05-29 17:01:08 +03:00
dranik	a40bd0d580	add new icon	2026-05-29 15:58:07 +03:00