fix: flush dns after in connected status

* There's a common issue of building iOS apps on Qt 6.8 because of new introduced ffmpeg dependency in multimedia Qt package
ref: https://community.esri.com/t5/qt-maps-sdk-questions/build-failure-on-ios-with-qt-6-8/m-p/1548701#M5339

* Cmake related changes

* Source code changes

* Various entitlements

* Ci-cd config update

* Resources changes

* Submodules updated

* Remove me

* QtWidget exclusion omitted

* Distribution errors fixed

* Outdated files deleted

* macos_ne cmake fixed

* fix: update provisioning profile specifiers for macOS network extension

* fix: update provisioning profile specifiers and code sign flags for macOS build

* Revert me
(temporary 3rd-build commit pointer)

* fix: Welcome screen fix

* fix: ci/cd hanging forever fix

* fix: Fixed error popup on macos on file save

* refactor: rename networkextension target to AmneziaVPNNetworkExtension in macos build configuration

* feat: add autostart support for Mac App Store builds on macOS

Fixes: QA-8

* feat: add debug logging to Autostart functionality on macOS

* Revert "feat: add autostart support for Mac App Store builds on macOS"

This reverts commit 3bd25656fb.

* feat: add platform-specific close window behavior for macOS App Store build with Network Extension

Closes: QA-12

* When the application starts with "Start minimized" enabled on macOS (especially the
sandboxed App-Store build compiled with MACOS_NE), fully hiding the window prevents it
from being restored by clicking the Dock icon. The proper behaviour is to start the
window in the *minimized* state instead. That way the window is still part of the
window list and the system automatically brings it back when the user clicks the Dock
icon, replicating the native experience.

On the other platforms we keep the old behaviour (hide the window completely and rely
on the tray icon), therefore we switch at runtime by checking the current OS.

Closes: QA-7

Closes: QA-8

* Revert "When the application starts with "Start minimized" enabled on macOS (especially the"

This reverts commit 7b0d17987c.

* feat: MACOS_NE systray menu support

* feat: add macOS notification handler and install event filter on main window

* feat: implement custom close behavior for Amnezia application on different platforms

* fix: update provisioning profile specifiers for macos builds

* fix: Fatal error in logs

CLI-216

* fix: disabled unavailable on macos ne service logs

* fix: dock icon now hides only when window is closed; menubar icon shows always

Initial state of the docker icon to be presented follows "Start minimized" setting in app settings.

* temp-fix: temporary disable all OpenVPN options of VPN on MACOS_NE since it's not working yet.

* fix: build script updated

* feat: add macOS NE build workflow to GitHub Actions

* fix: Not working Auto start toggle is hidden

* fix: Log spamming during xray connection fixed

* 3rd-prebuild points to commit that stores macos_ne universal binaries.

* fix: missing native dependency on linking stage fixed

* chore: update link to submodule

---------

Co-authored-by: vladimir.kuznetsov <nethiuswork@gmail.com>

.github/workflows/deploy.yml

@@ -358,7 +358,7 @@ jobs:
     - name: 'Setup xcode'
       uses: maxim-lobanov/setup-xcode@v1
       with:
-        xcode-version: '15.4.0'
+        xcode-version: '16.2.0'
 
     - name: 'Install Qt'
       uses: jurplel/install-qt-action@v3
@@ -402,6 +402,67 @@ jobs:
         path: deploy/build/client/AmneziaVPN.app
         retention-days: 7
 
+  Build-MacOS-NE:
+    runs-on: macos-latest
+
+    env:
+      QT_VERSION: 6.8.3
+
+      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
+
+      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
+      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
+      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
+
+      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
+      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
+      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
+      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
+      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
+      FREE_V2_ENDPOINT: ${{ secrets.FREE_V2_ENDPOINT }}
+      PREM_V1_ENDPOINT: ${{ secrets.PREM_V1_ENDPOINT }}
+
+    steps:
+    - name: 'Setup xcode'
+      uses: maxim-lobanov/setup-xcode@v1
+      with:
+        xcode-version: '16.2.0'
+
+    - name: 'Install Qt'
+      uses: jurplel/install-qt-action@v3
+      with:
+        version: ${{ env.QT_VERSION }}
+        host: 'mac'
+        target: 'desktop'
+        arch: 'clang_64'
+        modules: 'qtremoteobjects qt5compat qtshadertools'
+        dir: ${{ runner.temp }}
+        setup-python: 'true'
+        set-env: 'true'
+        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
+
+
+    - name: 'Get sources'
+      uses: actions/checkout@v4
+      with:
+        submodules: 'true'
+        fetch-depth: 10
+
+    - name: 'Setup ccache'
+      uses: hendrikmuhs/ccache-action@v1.2
+
+    - name: 'Build project'
+      run: |
+        export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
+        bash deploy/build_macos_ne.sh
+
+    - name: 'Upload unpacked artifact'
+      uses: actions/upload-artifact@v4
+      with:
+        name: AmneziaVPN_MacOS_unpacked
+        path: deploy/build/client/AmneziaVPN.app
+        retention-days: 7
+
 # ------------------------------------------------------
 
   Build-Android:

CMakeLists.txt

@@ -32,13 +32,19 @@ set(QT_BUILD_TOOLS_WHEN_CROSS_COMPILING ON)
 set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
-if(APPLE AND NOT IOS)
-    set(CMAKE_OSX_ARCHITECTURES "x86_64")
+if(APPLE)
+    if(IOS)
+        set(CMAKE_OSX_ARCHITECTURES "arm64")
+    elseif(MACOS_NE)
+        set(CMAKE_OSX_ARCHITECTURES "arm64;x86_64")
+    else()
+        set(CMAKE_OSX_ARCHITECTURES "x86_64")
+    endif()
 endif()
 
 add_subdirectory(client)
 
-if(NOT IOS AND NOT ANDROID)
+if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
     add_subdirectory(service)
 
     include(${CMAKE_SOURCE_DIR}/deploy/installer/config.cmake)

client/CMakeLists.txt

@@ -3,7 +3,6 @@ cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)
 set(PROJECT AmneziaVPN)
 project(${PROJECT})
 
-
 set_property(GLOBAL PROPERTY USE_FOLDERS ON)
 set_property(GLOBAL PROPERTY AUTOGEN_TARGETS_FOLDER "Autogen")
 set_property(GLOBAL PROPERTY AUTOMOC_TARGETS_FOLDER "Autogen")
@@ -53,6 +52,9 @@ endif()
 
 qt_standard_project_setup()
 qt_add_executable(${PROJECT} MANUAL_FINALIZATION)
+target_include_directories(${PROJECT} PUBLIC
+    $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>
+)
 
 if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
     qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_interface.rep)
@@ -110,6 +112,15 @@ include_directories(
     ${CMAKE_CURRENT_BINARY_DIR}
 )
 
+if(MACOS_NE)
+    message("MACOS_NE is ON")
+    add_definitions(-DQ_OS_MAC)
+    add_definitions(-DMACOS_NE)
+    message("Add macros for MacOS Network Extension")
+else()
+    message("MACOS_NE is OFF")
+endif()
+
 include_directories(mozilla)
 include_directories(mozilla/shared)
 include_directories(mozilla/models)
@@ -139,7 +150,7 @@ if(WIN32)
 endif()
 
 if(APPLE)
-    cmake_policy(SET CMP0099 OLD)
+    cmake_policy(SET CMP0099 NEW)
     cmake_policy(SET CMP0114 NEW)
 
     if(NOT BUILD_OSX_APP_IDENTIFIER)
@@ -158,16 +169,23 @@ if(APPLE)
     set(CMAKE_XCODE_GENERATE_SCHEME FALSE)
     set(CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM ${BUILD_VPN_DEVELOPMENT_TEAM})
     set(CMAKE_XCODE_ATTRIBUTE_GROUP_ID_IOS ${BUILD_IOS_GROUP_IDENTIFIER})
-
 endif()
 
 if(LINUX AND NOT ANDROID)
     set(LIBS ${LIBS} -static-libstdc++ -static-libgcc -ldl)
     link_directories(${CMAKE_CURRENT_LIST_DIR}/platforms/linux)
+
+    set(HEADERS ${HEADERS}
+        ${CMAKE_CURRENT_LIST_DIR}/protocols/ikev2_vpn_protocol_linux.h
+    )
+    
+    set(SOURCES ${SOURCES}
+        ${CMAKE_CURRENT_LIST_DIR}/protocols/ikev2_vpn_protocol_linux.cpp
+    )
+
 endif()
 
-if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
-    message("Client desktop build")
+if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
     add_compile_definitions(AMNEZIA_DESKTOP)
 endif()
 
@@ -178,7 +196,9 @@ endif()
 if(IOS)
     include(cmake/ios.cmake)
     include(cmake/ios-arch-fixup.cmake)
-elseif(APPLE AND NOT IOS)
+elseif(APPLE AND MACOS_NE)
+    include(cmake/macos_ne.cmake)
+elseif(APPLE)
     include(cmake/osxtools.cmake)
     include(cmake/macos.cmake)
 endif()
@@ -199,7 +219,7 @@ elseif(APPLE AND NOT IOS)
     set(DEPLOY_PLATFORM_PATH "macos")
 endif()
 
-if(NOT IOS AND NOT ANDROID)
+if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
     add_custom_command(
         TARGET ${PROJECT} POST_BUILD
         COMMAND ${CMAKE_COMMAND} -E $<IF:$<CONFIG:Debug>,copy_directory,true>
@@ -214,7 +234,6 @@ if(NOT IOS AND NOT ANDROID)
         $<TARGET_FILE_DIR:${PROJECT}>
         COMMAND_EXPAND_LISTS
     )
-
 endif()
 
 target_sources(${PROJECT} PRIVATE ${SOURCES} ${HEADERS} ${RESOURCES} ${QRC} ${I18NQRC})

client/amnezia_application.cpp

@@ -12,6 +12,7 @@
 #include <QTextDocument>
 #include <QTimer>
 #include <QTranslator>
+#include <QEvent>
 
 #include "logger.h"
 #include "ui/controllers/pageController.h"
@@ -21,6 +22,8 @@
 #include "platforms/ios/QRCodeReaderBase.h"
 
 #include "protocols/qml_register_protocols.h"
+#include <QtQuick/QQuickWindow>  // for QQuickWindow
+#include <QWindow>              // for qobject_cast<QWindow*>
 
 AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_CLASS(argc, argv)
 {
@@ -48,8 +51,17 @@ AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_C
 
 AmneziaApplication::~AmneziaApplication()
 {
+    if (m_vpnConnection) {
+        QMetaObject::invokeMethod(m_vpnConnection.get(), "disconnectFromVpn", Qt::QueuedConnection);
+        QMetaObject::invokeMethod(m_vpnConnection.get(), "deleteLater", Qt::QueuedConnection);
+    }
+
     m_vpnConnectionThread.quit();
-    m_vpnConnectionThread.wait(3000);
+
+    if (!m_vpnConnectionThread.wait(5000)) {
+        m_vpnConnectionThread.terminate();
+        m_vpnConnectionThread.wait();
+    }
 
     if (m_engine) {
         QObject::disconnect(m_engine, 0, 0, 0);
@@ -63,15 +75,28 @@ void AmneziaApplication::init()
 
     const QUrl url(QStringLiteral("qrc:/ui/qml/main2.qml"));
     QObject::connect(
-            m_engine, &QQmlApplicationEngine::objectCreated, this,
-            [url](QObject *obj, const QUrl &objUrl) {
-                if (!obj && url == objUrl)
-                    QCoreApplication::exit(-1);
-            },
-            Qt::QueuedConnection);
+        m_engine, &QQmlApplicationEngine::objectCreated, this,
+        [this, url](QObject *obj, const QUrl &objUrl) {
+            if (!obj && url == objUrl) {
+                QCoreApplication::exit(-1);
+                return;
+            }
+            // install filter on main window
+            if (auto win = qobject_cast<QQuickWindow*>(obj)) {
+                win->installEventFilter(this);
+                win->show();
+            }
+        },
+        Qt::QueuedConnection);
 
     m_engine->rootContext()->setContextProperty("Debug", &Logger::Instance());
 
+#ifdef MACOS_NE
+    m_engine->rootContext()->setContextProperty("IsMacOsNeBuild", true);
+#else
+    m_engine->rootContext()->setContextProperty("IsMacOsNeBuild", false);
+#endif
+
     m_vpnConnection.reset(new VpnConnection(m_settings));
     m_vpnConnection->moveToThread(&m_vpnConnectionThread);
     m_vpnConnectionThread.start();
@@ -167,7 +192,7 @@ bool AmneziaApplication::parseCommands()
 
     QCommandLineOption c_cleanup { { "c", "cleanup" }, "Cleanup logs" };
     m_parser.addOption(c_cleanup);
-
+    
     m_parser.process(*this);
 
     if (m_parser.isSet(c_cleanup)) {
@@ -179,9 +204,8 @@ bool AmneziaApplication::parseCommands()
     return true;
 }
 
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
-void AmneziaApplication::startLocalServer()
-{
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
+void AmneziaApplication::startLocalServer() {
     const QString serverName("AmneziaVPNInstance");
     QLocalServer::removeServer(serverName);
 
@@ -198,6 +222,22 @@ void AmneziaApplication::startLocalServer()
 }
 #endif
 
+bool AmneziaApplication::eventFilter(QObject *watched, QEvent *event)
+{
+    if (event->type() == QEvent::Close) {
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+        quit();
+#else
+        if (m_coreController && m_coreController->pageController()) {
+            m_coreController->pageController()->hideMainWindow();
+        }
+#endif
+        return true; // eat the close
+    }
+    // call base QObject::eventFilter
+    return QObject::eventFilter(watched, event);
+}
+
 QQmlApplicationEngine *AmneziaApplication::qmlEngine() const
 {
     return m_engine;

client/amnezia_application.h

@@ -7,9 +7,9 @@
 #include <QQmlContext>
 #include <QThread>
 #if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
-    #include <QGuiApplication>
+  #include <QGuiApplication>
 #else
-    #include <QApplication>
+  #include <QApplication>
 #endif
 #include <QClipboard>
 
@@ -20,9 +20,9 @@
 #define amnApp (static_cast<AmneziaApplication *>(QCoreApplication::instance()))
 
 #if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
-    #define AMNEZIA_BASE_CLASS QGuiApplication
+  #define AMNEZIA_BASE_CLASS QGuiApplication
 #else
-    #define AMNEZIA_BASE_CLASS QApplication
+  #define AMNEZIA_BASE_CLASS QApplication
 #endif
 
 class AmneziaApplication : public AMNEZIA_BASE_CLASS
@@ -37,7 +37,7 @@ public:
     void loadFonts();
     bool parseCommands();
 
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
     void startLocalServer();
 #endif
 
@@ -60,6 +60,8 @@ private:
     QThread m_vpnConnectionThread;
 
     QNetworkAccessManager *m_nam;
+protected:
+    bool eventFilter(QObject *watched, QEvent *event) override;
 };
 
 #endif // AMNEZIA_APPLICATION_H

client/cmake/3rdparty.cmake

@@ -27,9 +27,15 @@ if(WIN32)
         set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libcrypto.lib")
     endif()
 elseif(APPLE AND NOT IOS)
-    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libssh.a")
-    set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libz.a")
-    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/x86_64")
+    if(MACOS_NE)
+        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libssh.a")
+        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libz.a")
+        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/universal2")
+    else()
+        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libssh.a")
+        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libz.a")
+        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/x86_64")
+    endif()
     set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/macos/include")
     set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libssl.a")
     set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libcrypto.a")

client/cmake/macos.cmake

@@ -14,7 +14,7 @@ set(LIBS ${LIBS}
     ${FW_SECURITY}
     ${FW_COREWLAN}
     ${FW_NETWORK}
-    ${FW_USERNOTIFICATIONS}
+    ${FW_USER_NOTIFICATIONS}
     ${FW_NETWORK_EXTENSION}
 )
 
@@ -35,6 +35,8 @@ set(SOURCES ${SOURCES}
     ${CMAKE_CURRENT_SOURCE_DIR}/ui/macos_util.mm
 )
 
+
+
 set(ICON_FILE ${CMAKE_CURRENT_SOURCE_DIR}/images/app.icns)
 set(MACOSX_BUNDLE_ICON_FILE app.icns)
 set_source_files_properties(${ICON_FILE} PROPERTIES MACOSX_PACKAGE_LOCATION Resources)
@@ -53,4 +55,3 @@ execute_process(
 )
 message("OSX_SDK_PATH is: ${OSX_SDK_PATH}")
 
-

client/cmake/macos_ne.cmake

@@ -0,0 +1,168 @@
+message("Client ==> MacOS NE build")
+
+set_target_properties(${PROJECT} PROPERTIES MACOSX_BUNDLE TRUE)
+set(CMAKE_OSX_DEPLOYMENT_TARGET 10.15)
+
+set(APPLE_PROJECT_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
+
+enable_language(OBJC)
+enable_language(Swift)
+
+find_package(Qt6 REQUIRED COMPONENTS ShaderTools Widgets)
+# Link Qt Widgets for QWidget, QMenu, QAction etc.
+set(LIBS ${LIBS} Qt6::ShaderTools Qt6::Widgets)
+
+find_library(FW_AUTHENTICATIONSERVICES AuthenticationServices)
+find_library(FW_AVFOUNDATION AVFoundation)
+find_library(FW_FOUNDATION Foundation)
+find_library(FW_STOREKIT StoreKit)
+find_library(FW_SERVICEMGMT ServiceManagement)
+find_library(FW_USERNOTIFICATIONS UserNotifications)
+find_library(FW_NETWORKEXTENSION NetworkExtension)
+
+set(LIBS ${LIBS}
+    ${FW_AUTHENTICATIONSERVICES}
+    ${FW_AVFOUNDATION}
+    ${FW_FOUNDATION}
+    ${FW_STOREKIT}
+    ${FW_SERVICEMGMT}
+    ${FW_USERNOTIFICATIONS}
+    ${FW_NETWORKEXTENSION}
+)
+
+
+set(HEADERS ${HEADERS}
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate-C-Interface.h
+)
+set_source_files_properties(${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h PROPERTIES OBJECTIVE_CPP_HEADER TRUE)
+
+
+set(SOURCES ${SOURCES}
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosglue.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QRCodeReaderBase.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.mm
+)
+
+set(ICON_FILE ${CMAKE_CURRENT_SOURCE_DIR}/images/app.icns)
+set(MACOSX_BUNDLE_ICON_FILE app.icns)
+set_source_files_properties(${ICON_FILE} PROPERTIES MACOSX_PACKAGE_LOCATION Resources)
+set(SOURCES ${SOURCES} ${ICON_FILE})
+
+
+target_include_directories(${PROJECT} PRIVATE
+    ${Qt6Gui_PRIVATE_INCLUDE_DIRS}
+    ${Qt6Widgets_PRIVATE_INCLUDE_DIRS}
+)
+
+
+set_target_properties(${PROJECT} PROPERTIES
+    XCODE_LINK_BUILD_PHASE_MODE KNOWN_LOCATION
+    MACOSX_BUNDLE_INFO_PLIST ${CMAKE_CURRENT_SOURCE_DIR}/macos/app/Info.plist.in
+    MACOSX_BUNDLE_ICON_FILE "AppIcon"
+    MACOSX_BUNDLE_INFO_STRING "AmneziaVPN"
+    MACOSX_BUNDLE_BUNDLE_NAME "AmneziaVPN"
+    MACOSX_BUNDLE_BUNDLE_VERSION "${CMAKE_PROJECT_VERSION_TWEAK}"
+    MACOSX_BUNDLE_LONG_VERSION_STRING "${APPLE_PROJECT_VERSION}-${CMAKE_PROJECT_VERSION_TWEAK}"
+    MACOSX_BUNDLE_SHORT_VERSION_STRING "${APPLE_PROJECT_VERSION}"
+    XCODE_ATTRIBUTE_PRODUCT_BUNDLE_IDENTIFIER "${BUILD_IOS_APP_IDENTIFIER}"
+    XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "${CMAKE_CURRENT_SOURCE_DIR}/macos/app/app.entitlements"
+    XCODE_ATTRIBUTE_MARKETING_VERSION "${APPLE_PROJECT_VERSION}"
+    XCODE_ATTRIBUTE_CURRENT_PROJECT_VERSION "${CMAKE_PROJECT_VERSION_TWEAK}"
+    XCODE_ATTRIBUTE_PRODUCT_NAME "AmneziaVPN"
+    XCODE_ATTRIBUTE_BUNDLE_INFO_STRING "AmneziaVPN"
+    XCODE_GENERATE_SCHEME TRUE
+    XCODE_ATTRIBUTE_ENABLE_BITCODE "NO"
+    XCODE_ATTRIBUTE_ASSETCATALOG_COMPILER_APPICON_NAME "AppIcon"
+    XCODE_ATTRIBUTE_TARGETED_DEVICE_FAMILY "1,2"
+    XCODE_EMBED_FRAMEWORKS_CODE_SIGN_ON_COPY "NO"
+    XCODE_EMBED_FRAMEWORKS_REMOVE_HEADERS_ON_COPY "YES"
+    XCODE_ATTRIBUTE_MACOSX_DEPLOYMENT_TARGET "11.0"
+
+    XCODE_LINK_BUILD_PHASE_MODE KNOWN_LOCATION
+    XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/../Frameworks"
+    XCODE_EMBED_APP_EXTENSIONS AmneziaVPNNetworkExtension
+)
+
+if(DEPLOY)
+    set_target_properties(${PROJECT} PROPERTIES
+        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Distribution"
+        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY[variant=Debug] "Apple Development"
+        XCODE_ATTRIBUTE_CODE_SIGN_STYLE Manual
+        XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER "distr macos.org.amnezia.AmneziaVPN"
+        XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER[variant=Debug] "dev macos.org.amnezia.AmneziaVPN"
+    )
+else()
+    set_target_properties(${PROJECT} PROPERTIES
+        XCODE_ATTRIBUTE_CODE_SIGN_STYLE Automatic
+    )
+endif()
+
+set_target_properties(${PROJECT} PROPERTIES
+    XCODE_ATTRIBUTE_SWIFT_VERSION "5.0"
+    XCODE_ATTRIBUTE_CLANG_ENABLE_MODULES "YES"
+    XCODE_ATTRIBUTE_SWIFT_PRECOMPILE_BRIDGING_HEADER "NO"
+    XCODE_ATTRIBUTE_SWIFT_OBJC_INTERFACE_HEADER_NAME "AmneziaVPN-Swift.h"
+    XCODE_ATTRIBUTE_SWIFT_OBJC_INTEROP_MODE "objcxx"
+)
+set_target_properties(${PROJECT} PROPERTIES
+    XCODE_ATTRIBUTE_DEVELOPMENT_TEAM "X7UJ388FXK"
+)
+target_include_directories(${PROJECT} PRIVATE ${CMAKE_CURRENT_LIST_DIR})
+target_compile_options(${PROJECT} PRIVATE
+    -DGROUP_ID=\"${BUILD_IOS_GROUP_IDENTIFIER}\"
+    -DVPN_NE_BUNDLEID=\"${BUILD_IOS_APP_IDENTIFIER}.network-extension\"
+)
+
+set(WG_APPLE_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/3rd/amneziawg-apple/Sources)
+
+target_sources(${PROJECT} PRIVATE
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKitC/x25519.c
+    ${CLIENT_ROOT_DIR}/platforms/ios/LogController.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/Log.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/ScreenProtection.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
+)
+
+target_sources(${PROJECT} PRIVATE
+    ${CMAKE_CURRENT_SOURCE_DIR}/macos/app/Images.xcassets
+    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
+)
+
+set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
+    ${CMAKE_CURRENT_SOURCE_DIR}/macos/app/Images.xcassets
+    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
+)
+
+add_subdirectory(macos/networkextension)
+add_dependencies(${PROJECT} AmneziaVPNNetworkExtension)
+
+get_target_property(QtCore_location Qt6::Core LOCATION)
+message("QtCore_location")
+message(${QtCore_location})
+
+get_filename_component(QT_BIN_DIR_DETECTED "${QtCore_location}/../../../../../bin" ABSOLUTE)
+
+set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
+    "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos/OpenVPNAdapter.framework"
+)
+
+set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos)
+target_link_libraries("AmneziaVPNNetworkExtension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos/OpenVPNAdapter.framework")
+
+add_custom_command(TARGET ${PROJECT} POST_BUILD
+    COMMAND ${CMAKE_COMMAND} -E make_directory
+            $<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks
+    COMMAND /usr/bin/find "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework" -name "*.sha256" -delete
+    COMMAND /usr/bin/codesign --force --sign "Apple Distribution"
+            "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework/Versions/Current/OpenVPNAdapter"
+    COMMAND ${QT_BIN_DIR_DETECTED}/macdeployqt $<TARGET_BUNDLE_DIR:AmneziaVPN> -appstore-compliant -qmldir=${CMAKE_CURRENT_SOURCE_DIR}
+    COMMENT "Signing OpenVPNAdapter framework"
+)

client/cmake/sources.cmake

@@ -39,7 +39,7 @@ set(HEADERS ${HEADERS}
     ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.h
 )
 
-if(NOT IOS)
+if(NOT IOS AND NOT MACOS_NE)
     set(HEADERS ${HEADERS}
         ${CLIENT_ROOT_DIR}/platforms/ios/QRCodeReaderBase.h
     )
@@ -89,12 +89,26 @@ set(SOURCES ${SOURCES}
     ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.cpp
 )
 
-if(NOT IOS)
+if(NOT IOS AND NOT MACOS_NE)
     set(SOURCES ${SOURCES}
         ${CLIENT_ROOT_DIR}/platforms/ios/QRCodeReaderBase.cpp
     )
 endif()
 
+# Include native macOS platform helpers (dock/status-item)
+if(APPLE AND NOT IOS)
+    list(APPEND HEADERS
+        ${CLIENT_ROOT_DIR}/platforms/macos/macosutils.h
+        ${CLIENT_ROOT_DIR}/platforms/macos/macosstatusicon.h
+        ${CLIENT_ROOT_DIR}/ui/macos_util.h
+    )
+    list(APPEND SOURCES
+        ${CLIENT_ROOT_DIR}/platforms/macos/macosutils.mm
+        ${CLIENT_ROOT_DIR}/platforms/macos/macosstatusicon.mm
+        ${CLIENT_ROOT_DIR}/ui/macos_util.mm
+    )
+endif()
+
 if(NOT ANDROID)
     set(SOURCES ${SOURCES}
         ${CLIENT_ROOT_DIR}/ui/notificationhandler.cpp

client/configurators/ikev2_configurator.cpp

@@ -64,6 +64,26 @@ QString Ikev2Configurator::createConfig(const ServerCredentials &credentials, Do
         return "";
     }
 
+#if defined(Q_OS_LINUX)
+    QString config = m_serverController->replaceVars(amnezia::scriptData(ProtocolScriptType::ipsec_template, container),
+                                                     m_serverController->genVarsForScript(credentials, container, containerConfig));
+
+    config.replace("$CLIENT_NAME", connData.clientId);
+    config.replace("$UUID1", QUuid::createUuid().toString());
+    config.replace("$SERVER_ADDR", connData.host);
+
+    QJsonObject jConfig;
+    jConfig[config_key::config] = config;
+
+    jConfig[config_key::hostName] = connData.host;
+    jConfig[config_key::userName] = connData.clientId;
+    jConfig[config_key::cert] = QString(connData.clientCert.toBase64());
+    jConfig[config_key::cacert] = QString(connData.caCert);
+    jConfig[config_key::password] = connData.password;
+
+    return QJsonDocument(jConfig).toJson();
+#endif
+
     return genIkev2Config(connData);
 }
 
@@ -73,6 +93,7 @@ QString Ikev2Configurator::genIkev2Config(const ConnectionData &connData)
     config[config_key::hostName] = connData.host;
     config[config_key::userName] = connData.clientId;
     config[config_key::cert] = QString(connData.clientCert.toBase64());
+    config[config_key::cacert] = QString(connData.caCert);
     config[config_key::password] = connData.password;
 
     return QJsonDocument(config).toJson();
@@ -115,3 +136,22 @@ QString Ikev2Configurator::genStrongSwanConfig(const ConnectionData &connData)
 
     return config;
 }
+
+QString Ikev2Configurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
+                                                              QString &protocolConfigString)
+{
+    processConfigWithDnsSettings(dns, protocolConfigString);
+
+    QJsonObject json;
+    json[config_key::config] = protocolConfigString;
+    return QJsonDocument(json).toJson();
+}
+
+QString Ikev2Configurator::processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
+                                                               QString &protocolConfigString)
+{
+    processConfigWithDnsSettings(dns, protocolConfigString);
+    QJsonObject json;
+    json[config_key::config] = protocolConfigString;
+    return QJsonDocument(json).toJson();
+}

client/configurators/ikev2_configurator.h

@@ -27,6 +27,10 @@ public:
     QString genIkev2Config(const ConnectionData &connData);
     QString genMobileConfig(const ConnectionData &connData);
     QString genStrongSwanConfig(const ConnectionData &connData);
+    QString genIPSecConfig(const ConnectionData &connData);
+
+    QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig, QString &protocolConfigString);
+    QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig, QString &protocolConfigString);
 
     ConnectionData prepareIkev2Config(const ServerCredentials &credentials,
         DockerContainer container, ErrorCode &errorCode);

client/configurators/openvpn_configurator.cpp

@@ -131,7 +131,7 @@ QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString,
 
                // no redirect-gateway
         } else if (m_settings->routeMode() == Settings::VpnAllExceptSites) {
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
             config.append("\nredirect-gateway ipv6 !ipv4 bypass-dhcp\n");
             // Prevent ipv6 leak
 #endif

client/configurators/ssh_configurator.cpp

@@ -8,7 +8,7 @@
 #include <QTemporaryFile>
 #include <QThread>
 #include <qtimer.h>
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
     #include <QGuiApplication>
 #else
     #include <QApplication>
@@ -24,7 +24,7 @@ SshConfigurator::SshConfigurator(std::shared_ptr<Settings> settings, const QShar
 
 QString SshConfigurator::convertOpenSShKey(const QString &key)
 {
-#ifndef Q_OS_IOS
+#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
     QProcess p;
     p.setProcessChannelMode(QProcess::MergedChannels);
 
@@ -67,9 +67,10 @@ QString SshConfigurator::convertOpenSShKey(const QString &key)
 #endif
 }
 
+// DEAD CODE.
 void SshConfigurator::openSshTerminal(const ServerCredentials &credentials)
 {
-#ifndef Q_OS_IOS
+#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
     QProcess *p = new QProcess();
     p->setProcessChannelMode(QProcess::SeparateChannels);
 
@@ -101,7 +102,7 @@ QProcessEnvironment SshConfigurator::prepareEnv()
     pathEnvVar.clear();
     pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\cygwin;");
     pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\openvpn;");
-#elif defined(Q_OS_MACX)
+#elif defined(Q_OS_MACX) && !defined(MACOS_NE)
     pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "/Contents/MacOS");
 #endif
 

client/containers/containers_defs.cpp

@@ -257,10 +257,11 @@ Proto ContainerProps::defaultProtocol(DockerContainer c)
 
 bool ContainerProps::isSupportedByCurrentPlatform(DockerContainer c)
 {
-#ifdef Q_OS_WINDOWS
+#if defined(Q_OS_WINDOWS) || defined(Q_OS_LINUX)
     return true;
 
 #elif defined(Q_OS_IOS)
+    // Standard iOS build (without Network Extension limitations)
     switch (c) {
     case DockerContainer::WireGuard: return true;
     case DockerContainer::OpenVpn: return true;
@@ -269,7 +270,23 @@ bool ContainerProps::isSupportedByCurrentPlatform(DockerContainer c)
     case DockerContainer::Cloak: return true;
     case DockerContainer::SSXray: return true;
         //    case DockerContainer::ShadowSocks: return true;
-    default: return false;
+    default:
+        return false;
+    }
+
+#elif defined(MACOS_NE)
+    // macOS build using Network Extension – hide OpenVPN-based containers
+    switch (c) {
+    case DockerContainer::WireGuard: return true;
+    case DockerContainer::Awg: return true;
+    case DockerContainer::Xray: return true;
+    case DockerContainer::SSXray: return true;
+    case DockerContainer::OpenVpn:
+    case DockerContainer::Cloak:
+    case DockerContainer::ShadowSocks:
+        return false;
+    default:
+        return false;
     }
 #elif defined(Q_OS_MAC)
     switch (c) {
@@ -289,13 +306,6 @@ bool ContainerProps::isSupportedByCurrentPlatform(DockerContainer c)
     case DockerContainer::SSXray: return true;
     default: return false;
     }
-
-#elif defined(Q_OS_LINUX)
-    switch (c) {
-    case DockerContainer::Ipsec: return false;
-    default: return true;
-    }
-
 #else
     return false;
 #endif

client/core/networkUtilities.cpp

@@ -23,7 +23,7 @@
     #include <sys/socket.h>
     #include <unistd.h>
 #endif
-#if defined(Q_OS_MAC) && !defined(Q_OS_IOS)
+#if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
     #include <sys/param.h>
     #include <sys/sysctl.h>
     #include <sys/socket.h>
@@ -390,7 +390,7 @@ QString NetworkUtilities::getGatewayAndIface()
     close(sock);
     return gateway_address;
 #endif
-#if defined(Q_OS_MAC) && !defined(Q_OS_IOS)
+#if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
     QString gateway;
     int mib[] = {CTL_NET, PF_ROUTE, 0, 0, NET_RT_FLAGS, RTF_GATEWAY};
     int afinet_type[] = {AF_INET, AF_INET6};

client/core/scripts_registry.cpp

@@ -50,6 +50,7 @@ QString amnezia::scriptName(ProtocolScriptType type)
     case ProtocolScriptType::wireguard_template: return QLatin1String("template.conf");
     case ProtocolScriptType::awg_template: return QLatin1String("template.conf");
     case ProtocolScriptType::xray_template: return QLatin1String("template.json");
+    case ProtocolScriptType::ipsec_template: return QLatin1String("template.conf");
     default: return QString();
     }
 }

client/core/scripts_registry.h

@@ -28,7 +28,8 @@ enum ProtocolScriptType {
     openvpn_template,
     wireguard_template,
     awg_template,
-    xray_template
+    xray_template,
+    ipsec_template
 };
 
 

client/macos/app/Images.xcassets/Contents.json

@@ -1,6 +1,68 @@
 {
-  "info" : {
-    "author" : "xcode",
-    "version" : 1
+  "images": [
+    {
+      "idiom": "mac",
+      "size": "16x16",
+      "scale": "1x",
+      "filename": "16.png"
+    },
+    {
+      "idiom": "mac",
+      "size": "16x16",
+      "scale": "2x",
+      "filename": "16@2x.png"
+    },
+    {
+      "idiom": "mac",
+      "size": "32x32",
+      "scale": "1x",
+      "filename": "32.png"
+    },
+    {
+      "idiom": "mac",
+      "size": "32x32",
+      "scale": "2x",
+      "filename": "32@2x.png"
+    },
+    {
+      "idiom": "mac",
+      "size": "128x128",
+      "scale": "1x",
+      "filename": "128.png"
+    },
+    {
+      "idiom": "mac",
+      "size": "128x128",
+      "scale": "2x",
+      "filename": "128@2x.png"
+    },
+    {
+      "idiom": "mac",
+      "size": "256x256",
+      "scale": "1x",
+      "filename": "256.png"
+    },
+    {
+      "idiom": "mac",
+      "size": "256x256",
+      "scale": "2x",
+      "filename": "256@2x.png"
+    },
+    {
+      "idiom": "mac",
+      "size": "512x512",
+      "scale": "1x",
+      "filename": "512.png"
+    },
+    {
+      "idiom": "mac",
+      "size": "512x512",
+      "scale": "2x",
+      "filename": "512@2x.png"
+    }
+  ],
+  "info": {
+    "version": 1,
+    "author": "xcode"
   }
 }

client/macos/app/Info.plist.in

@@ -0,0 +1,172 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleAllowMixedLocalizations</key>
+	<true/>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleDisplayName</key>
+	<string>${QT_INTERNAL_DOLLAR_VAR}{PRODUCT_NAME}</string>
+	<key>CFBundleExecutable</key>
+	<string>${MACOSX_BUNDLE_EXECUTABLE_NAME}</string>
+	<key>CFBundleIdentifier</key>
+	<string>${MACOSX_BUNDLE_GUI_IDENTIFIER}</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>${MACOSX_BUNDLE_BUNDLE_NAME}</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>${MACOSX_BUNDLE_SHORT_VERSION_STRING}</string>
+	<key>CFBundleVersion</key>
+	<string>${MACOSX_BUNDLE_BUNDLE_VERSION}</string>
+	<key>NSHumanReadableCopyright</key>
+	<string>${MACOSX_BUNDLE_COPYRIGHT}</string>
+	<key>ITSAppUsesNonExemptEncryption</key>
+	<false/>
+        <key>LSApplicationCategoryType</key>
+	<string>public.app-category.utilities</string>
+
+	<key>LSMinimumSystemVersion</key>
+	<string>${MACOSX_DEPLOYMENT_TARGET}</string>
+	<key>LSSupportsOpeningDocumentsInPlace</key>
+	<true/>
+	<key>com.wireguard.ios.app_group_id</key>
+	<string>group.org.amnezia.AmneziaVPN</string>
+	<key>NSCameraUsageDescription</key>
+	<string>Amnezia VPN needs access to the camera for reading QR-codes.</string>
+	<key>NSAppTransportSecurity</key>
+	<dict>
+		<key>NSAllowsArbitraryLoads</key>
+		<false/>
+		<key>NSAllowsLocalNetworking</key>
+		<true/>
+	</dict>
+	<key>CFBundleIcons</key>
+        <dict/>
+	<key>UTImportedTypeDeclarations</key>
+	<array>
+		<dict>
+			<key>UTTypeConformsTo</key>
+			<array>
+				<string>public.data</string>
+			</array>
+			<key>UTTypeDescription</key>
+			<string>Amnezia VPN config</string>
+			<key>UTTypeIconFiles</key>
+			<array/>
+			<key>UTTypeIdentifier</key>
+			<string>org.amnezia.AmneziaVPN.amnezia-config</string>
+			<key>UTTypeTagSpecification</key>
+			<dict>
+				<key>public.filename-extension</key>
+				<array>
+					<string>vpn</string>
+				</array>
+				<key>public.mime-type</key>
+				<array>
+					<string>text/plain</string>
+				</array>
+			</dict>
+		</dict>
+                <dict>
+                        <key>UTTypeConformsTo</key>
+                        <array>
+                                <string>public.data</string>
+                        </array>
+                        <key>UTTypeDescription</key>
+                        <string>WireGuard config</string>
+                        <key>UTTypeIconFiles</key>
+                        <array/>
+                        <key>UTTypeIdentifier</key>
+                        <string>org.amnezia.AmneziaVPN.wireguard-config</string>
+                        <key>UTTypeTagSpecification</key>
+                        <dict>
+                                <key>public.filename-extension</key>
+                                <array>
+                                        <string>conf</string>
+                                        <string>cfg</string>
+                                </array>
+                                <key>public.mime-type</key>
+                                <array>
+                                        <string>text/plain</string>
+                                </array>
+                        </dict>
+                </dict>
+                <dict>
+                        <key>UTTypeConformsTo</key>
+                        <array>
+                                <string>public.data</string>
+                        </array>
+                        <key>UTTypeDescription</key>
+                        <string>OpenVPN config</string>
+                        <key>UTTypeIconFiles</key>
+                        <array/>
+                        <key>UTTypeIdentifier</key>
+                        <string>org.amnezia.AmneziaVPN.openvpn-config</string>
+                        <key>UTTypeTagSpecification</key>
+                        <dict>
+                                <key>public.filename-extension</key>
+                                <array>
+                                        <string>ovpn</string>
+                                </array>
+                                <key>public.mime-type</key>
+                                <array>
+                                        <string>text/plain</string>
+                                </array>
+                        </dict>
+                </dict>
+                <dict>
+                        <key>UTTypeConformsTo</key>
+                        <array>
+                                <string>public.data</string>
+                        </array>
+                        <key>UTTypeDescription</key>
+                        <string>AmneziaVPN backup file</string>
+                        <key>UTTypeIconFiles</key>
+                        <array/>
+                        <key>UTTypeIdentifier</key>
+                        <string>org.amnezia.AmneziaVPN.backup-config</string>
+                        <key>UTTypeTagSpecification</key>
+                        <dict>
+                                <key>public.filename-extension</key>
+                                <array>
+                                        <string>backup</string>
+                                </array>
+                                <key>public.mime-type</key>
+                                <array>
+                                        <string>text/plain</string>
+                                </array>
+                        </dict>
+                </dict>
+	</array>
+        <key>CFBundleDocumentTypes</key>
+        <array>
+                <dict>
+                        <key>CFBundleTypeName</key>
+                        <string>Amnezia VPN config</string>
+                        <key>LSHandlerRank</key>
+                        <string>Alternate</string>
+                        <key>LSItemContentTypes</key>
+                        <array>
+                                <string>org.amnezia.AmneziaVPN.amnezia-config</string>
+                                <string>org.amnezia.AmneziaVPN.wireguard-config</string>
+                                <string>org.amnezia.AmneziaVPN.openvpn-config</string>
+                                <string>org.amnezia.AmneziaVPN.backup-config</string>
+                        </array>
+                </dict>
+        </array>
+        <key>NSExtensions</key>
+        <array>
+        <dict>
+                <key>NSExtensionPointIdentifier</key>
+                <string>com.apple.networkextension.packet-tunnel</string>
+                <key>NSExtensionPrincipalClass</key>
+                <string>$(PRODUCT_MODULE_NAME).PacketTunnelProvider</string>
+        </dict>
+        </array>
+
+</dict>
+</plist>

client/macos/app/app.entitlements

@@ -2,34 +2,40 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>com.apple.application-identifier</key>
-	<string>$(DEVELOPMENT_TEAM).$(APP_ID_MACOS)</string>
-
+	<key>com.apple.developer.networking.custom-protocol</key>
+	<true/>
 	<key>com.apple.developer.networking.networkextension</key>
 	<array>
+		<string>app-proxy-provider</string>
 		<string>packet-tunnel-provider</string>
+		<string>dns-settings</string>
+		<string>relay</string>
+		<string>content-filter-provider</string>
+		<string>dns-proxy</string>
 	</array>
-
+	<key>com.apple.developer.system-extension.install</key>
+	<true/>
+	<key>com.apple.developer.networking.vpn.api</key>
+	<array>
+		<string>allow-vpn</string>
+	</array>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.application-groups</key>
+	<array>
+		<string>group.org.amnezia.AmneziaVPN</string>
+	</array>
+	<key>com.apple.security.files.user-selected.read-only</key>
+	<true/>
+	<key>com.apple.security.files.user-selected.read-write</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
+	<key>com.apple.security.network.server</key>
+	<true/>
 	<key>keychain-access-groups</key>
 	<array>
 		<string>$(DEVELOPMENT_TEAM).*</string>
 	</array>
-
-	<key>com.apple.developer.team-identifier</key>
-	<string>$(DEVELOPMENT_TEAM)</string>
-
-	<key>com.apple.security.app-sandbox</key>
-	<true/>
-
-	<key>com.apple.security.application-groups</key>
-	<array>
-		<string>$(DEVELOPMENT_TEAM).$(GROUP_ID_MACOS)</string>
-	</array>
-
-	<key>com.apple.security.network.client</key>
-	<true/>
-
-	<key>com.apple.security.network.server</key>
-	<true/>
 </dict>
 </plist>

client/macos/networkextension/AmneziaVPNNetworkExtension.entitlements

@@ -2,41 +2,30 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>com.apple.application-identifier</key>
-	<string>$(DEVELOPMENT_TEAM).$(NETEXT_ID_MACOS)</string>
-
+	<key>com.apple.developer.networking.custom-protocol</key>
+	<true/>
 	<key>com.apple.developer.networking.networkextension</key>
 	<array>
+		<string>dns-settings</string>
+		<string>relay</string>
 		<string>packet-tunnel-provider</string>
+		<string>content-filter-provider</string>
+		<string>dns-proxy</string>
+		<string>app-proxy-provider</string>
 	</array>
-
-	<key>keychain-access-groups</key>
+	<key>com.apple.developer.networking.vpn.api</key>
 	<array>
-		<string>$(DEVELOPMENT_TEAM).*</string>
+		<string>allow-vpn</string>
 	</array>
-
-	<key>com.apple.developer.team-identifier</key>
-	<string>$(DEVELOPMENT_TEAM)</string>
-
-	<key>com.apple.developer.system-extension.install</key>
-	<true/>
-
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
-
 	<key>com.apple.security.application-groups</key>
 	<array>
-		<string>$(DEVELOPMENT_TEAM).$(GROUP_ID_MACOS)</string>
+		<string>group.org.amnezia.AmneziaVPN</string>
 	</array>
-
 	<key>com.apple.security.network.client</key>
 	<true/>
-
 	<key>com.apple.security.network.server</key>
 	<true/>
-	<key>com.apple.security.app-sandbox</key>
-	<true/>
-	<key>com.apple.private.network.socket-delegate</key>
-	<true/>
 </dict>
 </plist>

client/macos/networkextension/CMakeLists.txt

@@ -0,0 +1,138 @@
+enable_language(Swift)
+message("Client message >> macos build >> AmneziaVPNNetworkExtension")
+set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/../..)
+
+add_executable(AmneziaVPNNetworkExtension)
+
+message("executable_path is: @executable_path/../../Frameworks")
+set_target_properties(AmneziaVPNNetworkExtension PROPERTIES
+    XCODE_PRODUCT_TYPE com.apple.product-type.app-extension
+    # MACOSX_BUNDLE YES
+    BUNDLE_EXTENSION appex
+    MACOSX_BUNDLE_SHORT_VERSION_STRING "${APPLE_PROJECT_VERSION}"
+    MACOSX_BUNDLE_INFO_STRING "AmneziaVPNNetworkExtension"
+    MACOSX_BUNDLE_BUNDLE_NAME "AmneziaVPNNetworkExtension"
+    XCODE_ATTRIBUTE_PRODUCT_BUNDLE_IDENTIFIER "${BUILD_IOS_APP_IDENTIFIER}.network-extension"
+    XCODE_ATTRIBUTE_PRODUCT_BUNDLE_NAME "${BUILD_IOS_APP_IDENTIFIER}.network-extension"
+    XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS ${CMAKE_CURRENT_SOURCE_DIR}/AmneziaVPNNetworkExtension.entitlements
+    XCODE_ATTRIBUTE_MARKETING_VERSION "${APP_MAJOR_VERSION}"
+    XCODE_ATTRIBUTE_CURRENT_PROJECT_VERSION "${BUILD_ID}"
+    XCODE_ATTRIBUTE_PRODUCT_NAME "AmneziaVPNNetworkExtension"
+
+    XCODE_ATTRIBUTE_APPLICATION_EXTENSION_API_ONLY "YES"
+    XCODE_ATTRIBUTE_ENABLE_BITCODE "NO"
+    XCODE_ATTRIBUTE_MACOSX_DEPLOYMENT_TARGET "11.0"
+
+    XCODE_ATTRIBUTE_INFOPLIST_FILE ${CMAKE_CURRENT_SOURCE_DIR}/Info.plist.in
+    XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/../../../../Frameworks @loader_path/../../../../Frameworks"
+)
+
+if(DEPLOY)
+    message("DEPLOY is ON")
+    set_target_properties(AmneziaVPNNetworkExtension PROPERTIES
+        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Distribution"
+        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY[variant=Debug] "Apple Development"
+        XCODE_ATTRIBUTE_CODE_SIGN_STYLE Manual
+        XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER "distr macos.org.amnezia.amneziaVPN.NE"
+        XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER[variant=Debug] "dev macos.org.amnezia.amneziaVPN.NE"
+    )
+else()
+    set_target_properties(AmneziaVPNNetworkExtension PROPERTIES
+        XCODE_ATTRIBUTE_CODE_SIGN_STYLE Automatic
+    )
+endif()
+
+set_target_properties(AmneziaVPNNetworkExtension PROPERTIES
+    XCODE_ATTRIBUTE_SWIFT_VERSION "5.0"
+    XCODE_ATTRIBUTE_CLANG_ENABLE_MODULES "YES"
+    XCODE_ATTRIBUTE_SWIFT_OBJC_BRIDGING_HEADER "${CMAKE_CURRENT_SOURCE_DIR}/WireGuardNetworkExtension-Bridging-Header.h"
+    XCODE_ATTRIBUTE_SWIFT_OPTIMIZATION_LEVEL "-Onone"
+    XCODE_ATTRIBUTE_SWIFT_PRECOMPILE_BRIDGING_HEADER "NO"
+)
+
+set_target_properties("AmneziaVPNNetworkExtension" PROPERTIES
+    XCODE_ATTRIBUTE_DEVELOPMENT_TEAM "X7UJ388FXK"
+)
+
+find_library(FW_ASSETS_LIBRARY AssetsLibrary)
+find_library(FW_MOBILE_CORE MobileCoreServices)
+find_library(FW_UI_KIT UIKit)
+find_library(FW_LIBRESOLV libresolv.9.tbd)
+
+
+# Set the root directory
+set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/../..)
+
+target_link_libraries(AmneziaVPNNetworkExtension PRIVATE ${FW_LIBRESOLV})
+
+target_compile_options(AmneziaVPNNetworkExtension PRIVATE -DGROUP_ID=\"${BUILD_IOS_GROUP_IDENTIFIER}\")
+target_compile_options(AmneziaVPNNetworkExtension PRIVATE -DNETWORK_EXTENSION=1)
+
+set(WG_APPLE_SOURCE_DIR ${CLIENT_ROOT_DIR}/3rd/amneziawg-apple/Sources)
+
+message("WG_APPLE_SOURCE_DIR is: ${WG_APPLE_SOURCE_DIR}")
+message("CLIENT_ROOT_DIR is: ${CLIENT_ROOT_DIR}")
+
+target_sources(AmneziaVPNNetworkExtension PRIVATE
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/WireGuardAdapter.swift
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/PacketTunnelSettingsGenerator.swift
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/DNSResolver.swift
+    ${WG_APPLE_SOURCE_DIR}/WireGuardNetworkExtension/ErrorNotifier.swift
+    ${WG_APPLE_SOURCE_DIR}/Shared/Keychain.swift
+    ${WG_APPLE_SOURCE_DIR}/Shared/Model/TunnelConfiguration+WgQuickConfig.swift
+    ${WG_APPLE_SOURCE_DIR}/Shared/Model/NETunnelProviderProtocol+Extension.swift
+    ${WG_APPLE_SOURCE_DIR}/Shared/Model/String+ArrayConversion.swift
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/TunnelConfiguration.swift
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/IPAddressRange.swift
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/Endpoint.swift
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/DNSServer.swift
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/InterfaceConfiguration.swift
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/PeerConfiguration.swift
+    ${WG_APPLE_SOURCE_DIR}/Shared/FileManager+Extension.swift
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKitC/x25519.c
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/Array+ConcurrentMap.swift
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/IPAddress+AddrInfo.swift
+    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/PrivateKey.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/HevSocksTunnel.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/NELogController.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/Log.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+WireGuard.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+OpenVPN.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+Xray.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/WGConfig.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/iosglue.mm
+    ${CLIENT_ROOT_DIR}/platforms/ios/XrayConfig.swift
+)
+
+target_sources(AmneziaVPNNetworkExtension PRIVATE
+    ${CMAKE_CURRENT_SOURCE_DIR}/PrivacyInfo.xcprivacy
+)
+
+set_property(TARGET AmneziaVPNNetworkExtension APPEND PROPERTY RESOURCE
+    ${CMAKE_CURRENT_SOURCE_DIR}/PrivacyInfo.xcprivacy
+)
+
+## Build wireguard-go-version.h
+execute_process(
+    COMMAND go list -m golang.zx2c4.com/wireguard
+    WORKING_DIRECTORY ${CLIENT_ROOT_DIR}/3rd/wireguard-apple/Sources/WireGuardKitGo
+    OUTPUT_VARIABLE WG_VERSION_FULL
+)
+string(REGEX REPLACE ".*v\([0-9.]*\).*" "\\1" WG_VERSION_STRING 1.1.1)
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/wireguard-go-version.h.in
+               ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go-version.h)
+target_sources(AmneziaVPNNetworkExtension PRIVATE
+    ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go-version.h)
+
+target_include_directories(AmneziaVPNNetworkExtension PRIVATE ${CLIENT_ROOT_DIR})
+target_include_directories(AmneziaVPNNetworkExtension PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+
+target_link_libraries(AmneziaVPNNetworkExtension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/wireguard/macos/universal2/libwg-go.a)
+
+message(${CLIENT_ROOT_DIR})
+message(${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/xray/HevSocks5Tunnel.xcframework/macos-arm64_x86_64/libhev-socks5-tunnel.a)
+target_link_libraries(AmneziaVPNNetworkExtension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/xray/HevSocks5Tunnel.xcframework/macos-arm64_x86_64/libhev-socks5-tunnel.a)
+
+target_include_directories(AmneziaVPNNetworkExtension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/xray/HevSocks5Tunnel.xcframework/macos-arm64_x86_64/Headers)

client/macos/networkextension/Info.plist.in

@@ -3,27 +3,32 @@
 <plist version="1.0">
 <dict>
 	<key>CFBundleDevelopmentRegion</key>
-	<string>$(DEVELOPMENT_LANGUAGE)</string>
-	<key>CFBundleDisplayName</key>
-	<string>AmneziaVPNNetworkExtension</string>
+	<string>en</string>
 	<key>CFBundleExecutable</key>
-	<string>$(EXECUTABLE_NAME)</string>
+	<string>AmneziaVPNNetworkExtension</string>
+
 	<key>CFBundleIdentifier</key>
-	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+	<string>org.amnezia.AmneziaVPN.network-extension</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
 	<key>CFBundleName</key>
-	<string>$(PRODUCT_NAME)</string>
+	<string>AmneziaVPNNetworkExtension</string>
 	<key>CFBundlePackageType</key>
 	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
 	<key>CFBundleShortVersionString</key>
-	<string>$(MARKETING_VERSION)</string>
+	<string>${APPLE_PROJECT_VERSION}</string>
 	<key>CFBundleVersion</key>
-	<string>$(CURRENT_PROJECT_VERSION)</string>
+	<string>${CMAKE_PROJECT_VERSION_TWEAK}</string>
+
 	<key>ITSAppUsesNonExemptEncryption</key>
 	<false/>
+
 	<key>LSMinimumSystemVersion</key>
-	<string>$(MACOSX_DEPLOYMENT_TARGET)</string>
+	<string>${CMAKE_OSX_DEPLOYMENT_TARGET}</string>
+
+	<key>CFBundleDisplayName</key>
+	<string>AmneziaVPNNetworkExtension</string>
+
 	<key>NSExtension</key>
 	<dict>
 		<key>NSExtensionPointIdentifier</key>
@@ -31,5 +36,11 @@
 		<key>NSExtensionPrincipalClass</key>
 		<string>$(PRODUCT_MODULE_NAME).PacketTunnelProvider</string>
 	</dict>
+
+	<key>com.wireguard.ios.app_group_id</key>
+	<string>group.org.amnezia.AmneziaVPN</string>
+
+	<key>com.wireguard.macos.app_group_id</key>
+	<string>${BUILD_VPN_DEVELOPMENT_TEAM}.group.org.amnezia.AmneziaVPN</string>
 </dict>
 </plist>

client/macos/networkextension/PrivacyInfo.xcprivacy

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>NSPrivacyAccessedAPITypes</key>
+	<array>
+		<dict>
+			<key>NSPrivacyAccessedAPIType</key>
+			<string>NSPrivacyAccessedAPICategoryUserDefaults</string>
+			<key>NSPrivacyAccessedAPITypeReasons</key>
+			<array>
+				<string>1C8F.1</string>
+			</array>
+		</dict>
+		<dict>
+			<key>NSPrivacyAccessedAPIType</key>
+			<string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
+			<key>NSPrivacyAccessedAPITypeReasons</key>
+			<array>
+				<string>C617.1</string>
+			</array>
+		</dict>
+	</array>
+</dict>
+</plist>

client/macos/networkextension/WireGuardNetworkExtension-Bridging-Header.h

@@ -1,10 +1,10 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "macos/gobridge/wireguard.h"
+ 
 #include "wireguard-go-version.h"
-#include "3rd/awg-apple/Sources/WireGuardKitC/WireGuardKitC.h"
+#include "3rd/amneziawg-apple/Sources/WireGuardKitGo/wireguard.h"
+#include "3rd/amneziawg-apple/Sources/WireGuardKitC/WireGuardKitC.h"
 
 #include <stdbool.h>
 #include <stdint.h>
@@ -23,3 +23,8 @@ bool key_from_hex(uint8_t key[WG_KEY_LEN], const char* hex);
 bool key_eq(const uint8_t key1[WG_KEY_LEN], const uint8_t key2[WG_KEY_LEN]);
 
 void write_msg_to_log(const char* tag, const char* msg);
+
+// init function definition in C 
+void hev_socks5_tunnel_quit(void);
+// Updated function definition in C
+int hev_socks5_tunnel_main(const char* configFile, int fd);

client/macos/networkextension/wireguard-go-version.h.in

@@ -0,0 +1,3 @@
+#ifndef WIREGUARD_GO_VERSION
+#define WIREGUARD_GO_VERSION "@WG_VERSION_STRING@"
+#endif // WIREGUARD_GO_VERSION

client/main.cpp

@@ -15,7 +15,7 @@
     #include "platforms/ios/QtAppDelegate-C-Interface.h"
 #endif
 
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
 bool isAnotherInstanceRunning()
 {
     QLocalSocket socket;
@@ -45,7 +45,7 @@ int main(int argc, char *argv[])
 
     AmneziaApplication app(argc, argv);
 
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
     if (isAnotherInstanceRunning()) {
         QTimer::singleShot(1000, &app, [&]() { app.quit(); });
         return app.exec();

client/platforms/ios/PacketTunnelProvider+OpenVPN.swift

@@ -73,7 +73,7 @@ extension PacketTunnelProvider {
         startHandler = completionHandler
         ovpnAdapter?.connect(using: packetFlow)
     }
-    
+
     func handleOpenVPNStatusMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)? = nil) {
         guard let completionHandler = completionHandler else { return }
         let bytesin = ovpnAdapter?.transportStatistics.bytesIn

client/platforms/ios/PacketTunnelProvider+WireGuard.swift

@@ -112,9 +112,19 @@ extension PacketTunnelProvider {
                 }
             }
 
+            let lastHandshakeString = settingsDictionary["last_handshake_time_sec"]
+            let lastHandshake: Int64
+
+            if let lastHandshakeValue = lastHandshakeString, let handshakeValue = Int64(lastHandshakeValue) {
+                lastHandshake = handshakeValue
+            } else {
+                lastHandshake = -2  // Return an error if there is no value for `last_handshake_time_sec`
+            }
+
             let response: [String: Any] = [
                 "rx_bytes": settingsDictionary["rx_bytes"] ?? "0",
-                "tx_bytes": settingsDictionary["tx_bytes"] ?? "0"
+                "tx_bytes": settingsDictionary["tx_bytes"] ?? "0",
+                "last_handshake_time_sec": lastHandshake
             ]
 
             completionHandler(try? JSONSerialization.data(withJSONObject: response, options: []))

client/platforms/ios/QRCodeReaderBase.mm

@@ -1,3 +1,4 @@
+#if !MACOS_NE
 #include "QRCodeReaderBase.h"
 
 #import <UIKit/UIKit.h>
@@ -108,3 +109,19 @@ void QRCodeReader::startReading() {
 void QRCodeReader::stopReading() {
     [m_qrCodeReader stopReading];
 }
+#else
+#include "QRCodeReaderBase.h"
+
+QRCodeReader::QRCodeReader()
+{
+
+}
+
+QRect QRCodeReader::cameraSize() {
+    return QRect();
+}
+
+void QRCodeReader::startReading() {}
+void QRCodeReader::stopReading() {}
+void QRCodeReader::setCameraSize(QRect) {}
+#endif

client/platforms/ios/QtAppDelegate.h

@@ -1,5 +1,6 @@
+#if !MACOS_NE
 #import <UIKit/UIKit.h>
-
+#endif
 @interface QIOSApplicationDelegate
 @end
 

client/platforms/ios/QtAppDelegate.mm

@@ -5,7 +5,7 @@
 
 
 @implementation QIOSApplicationDelegate (AmneziaVPNDelegate)
-
+#if !MACOS_NE
 - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions
 {
     [application setMinimumBackgroundFetchInterval: UIApplicationBackgroundFetchIntervalMinimum];
@@ -57,5 +57,5 @@
     }
     return NO;
 }
-
+#endif
 @end

client/platforms/ios/ScreenProtection.swift

@@ -1,3 +1,13 @@
+#if MACOS_NE
+public func toggleScreenshots(_ isEnabled: Bool) {
+  
+}
+
+class ScreenProtection {
+
+
+}
+#else
 import UIKit
 
 public func toggleScreenshots(_ isEnabled: Bool) {
@@ -90,3 +100,4 @@ struct ProtectionPair {
     textField.removeFromSuperview()
   }
 }
+#endif

client/platforms/ios/ios_controller.h

@@ -46,6 +46,7 @@ public:
     void disconnectVpn();
 
     void vpnStatusDidChange(void *pNotification);
+    
     void vpnConfigurationDidChange(void *pNotification);
 
     void getBackendLogs(std::function<void(const QString &)> &&callback);

client/platforms/ios/ios_controller.mm

@@ -27,6 +27,7 @@ const char* MessageKey::isOnDemand = "is-on-demand";
 const char* MessageKey::SplitTunnelType = "SplitTunnelType";
 const char* MessageKey::SplitTunnelSites = "SplitTunnelSites";
 
+#if !MACOS_NE
 static UIViewController* getViewController() {
     NSArray *windows = [[UIApplication sharedApplication]windows];
     for (UIWindow *window in windows) {
@@ -36,6 +37,7 @@ static UIViewController* getViewController() {
     }
     return nil;
 }
+#endif
 
 Vpn::ConnectionState iosStatusToState(NEVPNStatus status) {
   switch (status) {
@@ -249,6 +251,21 @@ void IosController::checkStatus()
     sendVpnExtensionMessage(message, [&](NSDictionary* response){
         uint64_t txBytes = [response[@"tx_bytes"] intValue];
         uint64_t rxBytes = [response[@"rx_bytes"] intValue];
+        
+        uint64_t last_handshake_time_sec = 0;
+#if !MACOS_NE
+        if (response[@"last_handshake_time_sec"] && ![response[@"last_handshake_time_sec"] isKindOfClass:[NSNull class]]) {
+            last_handshake_time_sec = [response[@"last_handshake_time_sec"] intValue];
+        } else {
+            qDebug() << "Key last_handshake_time_sec is missing or null";
+        }
+
+        if (last_handshake_time_sec < 0) {
+            disconnectVpn();
+            qDebug() << "Invalid handshake time, disconnecting VPN.";
+        }
+#endif
+
         emit bytesChanged(rxBytes - m_rxBytes, txBytes - m_txBytes);
         m_rxBytes = rxBytes;
         m_txBytes = txBytes;
@@ -803,14 +820,14 @@ bool IosController::shareText(const QStringList& filesToSend) {
         NSURL *logFileUrl = [[NSURL alloc] initFileURLWithPath:filesToSend[i].toNSString()];
         [sharingItems addObject:logFileUrl];
     }
-
+#if !MACOS_NE
     UIViewController *qtController = getViewController();
     if (!qtController) return;
 
     UIActivityViewController *activityController = [[UIActivityViewController alloc] initWithActivityItems:sharingItems applicationActivities:nil];
-
+#endif
     __block bool isAccepted = false;
-
+#if !MACOS_NE
     [activityController setCompletionWithItemsHandler:^(NSString *activityType, BOOL completed, NSArray *returnedItems, NSError *activityError) {
         isAccepted = completed;
         emit finished();
@@ -823,6 +840,7 @@ bool IosController::shareText(const QStringList& filesToSend) {
         popController.sourceRect = CGRectMake(100, 100, 100, 100);
     }
 
+#endif
     QEventLoop wait;
     QObject::connect(this, &IosController::finished, &wait, &QEventLoop::quit);
     wait.exec();
@@ -831,6 +849,7 @@ bool IosController::shareText(const QStringList& filesToSend) {
 }
 
 QString IosController::openFile() {
+#if !MACOS_NE
     UIDocumentPickerViewController *documentPicker = [[UIDocumentPickerViewController alloc] initWithDocumentTypes:@[@"public.item"] inMode:UIDocumentPickerModeOpen];
 
     DocumentPickerDelegate *documentPickerDelegate = [[DocumentPickerDelegate alloc] init];
@@ -841,8 +860,9 @@ QString IosController::openFile() {
 
     [qtController presentViewController:documentPicker animated:YES completion:nil];
 
+#endif
     __block QString filePath;
-
+#if !MACOS_NE
     documentPickerDelegate.documentPickerClosedCallback = ^(NSString *path) {
         if (path) {
             filePath = QString::fromUtf8(path.UTF8String);
@@ -851,7 +871,7 @@ QString IosController::openFile() {
         }
         emit finished();
     };
-
+#endif
     QEventLoop wait;
     QObject::connect(this, &IosController::finished, &wait, &QEventLoop::quit);
     wait.exec();

client/platforms/ios/ios_controller_wrapper.h

@@ -1,7 +1,11 @@
 #import <NetworkExtension/NetworkExtension.h>
 #import <NetworkExtension/NETunnelProviderSession.h>
 #import <Foundation/Foundation.h>
+
+#if !MACOS_NE
 #include <UIKit/UIKit.h>
+#endif
+
 #include <Security/Security.h>
 
 class IosController;
@@ -17,9 +21,10 @@ class IosController;
 @end
 
 typedef void (^DocumentPickerClosedCallback)(NSString *path);
-
+#if !MACOS_NE
 @interface DocumentPickerDelegate : NSObject <UIDocumentPickerDelegate>
 
 @property (nonatomic, copy) DocumentPickerClosedCallback documentPickerClosedCallback;
 
 @end
+#endif

client/platforms/ios/ios_controller_wrapper.mm

@@ -26,7 +26,8 @@
 
 @end
 
-@implementation DocumentPickerDelegate 
+#if !MACOS_NE
+@implementation DocumentPickerDelegate
 
 - (void)documentPicker:(UIDocumentPickerViewController *)controller didPickDocumentsAtURLs:(NSArray<NSURL *> *)urls {
     for (NSURL *url in urls) {
@@ -42,4 +43,5 @@
     }
 }
 
-@end
+@end
+#endif

client/platforms/ios/iosnotificationhandler.mm

@@ -6,6 +6,8 @@
 
 #import <UserNotifications/UserNotifications.h>
 #import <Foundation/Foundation.h>
+
+#if !MACOS_NE
 #import <UIKit/UIKit.h>
 
 @interface IOSNotificationDelegate
@@ -87,3 +89,86 @@ void IOSNotificationHandler::notify(NotificationHandler::Message type, const QSt
              }
            }];
 }
+#else
+
+// Removed the UIResponder and UIApplicationDelegate references as these are not available in macOS
+@interface IOSNotificationDelegate
+    : NSObject <UNUserNotificationCenterDelegate> {
+  IOSNotificationHandler* m_iosNotificationHandler;
+}
+@end
+
+@implementation IOSNotificationDelegate
+
+- (id)initWithObject:(IOSNotificationHandler*)notification {
+  self = [super init];  // Removed `super init` as it refers to UIResponder, which is iOS specific
+  if (self) {
+    m_iosNotificationHandler = notification;
+  }
+  return self;
+}
+
+- (void)userNotificationCenter:(UNUserNotificationCenter*)center
+       willPresentNotification:(UNNotification*)notification
+         withCompletionHandler:
+             (void (^)(UNNotificationPresentationOptions options))completionHandler {
+  Q_UNUSED(center)
+  completionHandler(UNNotificationPresentationOptionList | UNNotificationPresentationOptionBanner);
+}
+
+- (void)userNotificationCenter:(UNUserNotificationCenter*)center
+    didReceiveNotificationResponse:(UNNotificationResponse*)response
+             withCompletionHandler:(void (^)())completionHandler {
+  Q_UNUSED(center)
+  Q_UNUSED(response)
+  completionHandler();
+}
+@end
+
+IOSNotificationHandler::IOSNotificationHandler(QObject* parent) : NotificationHandler(parent) {
+
+  UNUserNotificationCenter* center = [UNUserNotificationCenter currentNotificationCenter];
+  [center requestAuthorizationWithOptions:(UNAuthorizationOptionSound | UNAuthorizationOptionAlert |
+                                           UNAuthorizationOptionBadge)
+                        completionHandler:^(BOOL granted, NSError* _Nullable error) {
+                          Q_UNUSED(granted);
+                          if (!error) {
+                            m_delegate = [[IOSNotificationDelegate alloc] initWithObject:this];
+                          }
+                        }];
+}
+
+IOSNotificationHandler::~IOSNotificationHandler() { }
+
+void IOSNotificationHandler::notify(NotificationHandler::Message type, const QString& title,
+                                    const QString& message, int timerMsec) {
+  Q_UNUSED(type);
+
+  if (!m_delegate) {
+    return;
+  }
+
+  UNMutableNotificationContent* content = [[UNMutableNotificationContent alloc] init];
+  content.title = title.toNSString();
+  content.body = message.toNSString();
+  content.sound = [UNNotificationSound defaultSound];
+
+  int timerSec = timerMsec / 1000;
+  UNTimeIntervalNotificationTrigger* trigger =
+      [UNTimeIntervalNotificationTrigger triggerWithTimeInterval:timerSec repeats:NO];
+
+  UNNotificationRequest* request = [UNNotificationRequest requestWithIdentifier:@"amneziavpn"
+                                                                        content:content
+                                                                        trigger:trigger];
+
+  UNUserNotificationCenter* center = [UNUserNotificationCenter currentNotificationCenter];
+  center.delegate = (id<UNUserNotificationCenterDelegate>)m_delegate;
+
+  [center addNotificationRequest:request
+           withCompletionHandler:^(NSError* _Nullable error) {
+             if (error) {
+               NSLog(@"Local Notification failed");
+             }
+           }];
+}
+#endif

client/protocols/ikev2_vpn_protocol_linux.cpp

@@ -0,0 +1,185 @@
+#include <QCoreApplication>
+#include <QFileInfo>
+#include <QProcess>
+
+#include <QNetworkInterface>
+
+#include <QThread>
+
+#include <chrono>
+
+#include "core/networkUtilities.h"
+
+#include "settings.h"
+#include "logger.h"
+#include "ikev2_vpn_protocol_linux.h"
+#include "utilities.h"
+#include "core/ipcclient.h"
+#include <openssl/pkcs12.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+
+
+static Ikev2Protocol* self = nullptr;
+
+
+Ikev2Protocol::Ikev2Protocol(const QJsonObject &configuration, QObject* parent) :
+    VpnProtocol(configuration, parent)
+{
+    qDebug() << "IpsecProtocol::Ikev2Protocol()";
+    self = this;
+    readIkev2Configuration(configuration);
+    m_routeGateway = NetworkUtilities::getGatewayAndIface();
+    m_vpnGateway = "192.168.43.10";
+    m_vpnLocalAddress = "192.168.43.10";
+    m_remoteAddress = NetworkUtilities::getIPAddress(configuration.value(amnezia::config_key::hostName).toString());
+    m_routeMode = static_cast<Settings::RouteMode>(configuration.value(amnezia::config_key::splitTunnelType).toInt());
+    m_configData = configuration;
+}
+
+Ikev2Protocol::~Ikev2Protocol()
+{
+    qDebug() << "IpsecProtocol::~IpsecProtocol()";
+    Ikev2Protocol::stop();
+}
+
+void Ikev2Protocol::stop()
+{
+    setConnectionState(Vpn::ConnectionState::Disconnected);
+    Ikev2Protocol::disconnect_vpn();
+    qDebug() << "IpsecProtocol::stop()";
+}
+
+void Ikev2Protocol::readIkev2Configuration(const QJsonObject &configuration)
+{
+    qDebug() << "IpsecProtocol::readIkev2Configuration()";
+    QJsonObject ikev2_data = configuration.value(ProtocolProps::key_proto_config_data(Proto::Ikev2)).toObject();
+    m_config = QJsonDocument::fromJson(ikev2_data.value(config_key::config).toString().toUtf8()).object();
+}
+
+ErrorCode Ikev2Protocol::start()
+{
+    qDebug() << "IpsecProtocol::start()";
+    STACK_OF(X509) *certstack = sk_X509_new_null();
+    BIO *p12 = BIO_new(BIO_s_mem());
+
+    EVP_PKEY *pkey;
+    X509 *cert;
+
+    BIO_write(p12, QByteArray::fromBase64(m_config[config_key::cert].toString().toUtf8()),
+              QByteArray::fromBase64(m_config[config_key::cert].toString().toUtf8()).size());
+
+    PKCS12 *pkcs12 = d2i_PKCS12_bio(p12, NULL);
+    PKCS12_parse(pkcs12, m_config[config_key::password].toString().toStdString().c_str(), &pkey, &cert, &certstack);
+    BIO *bio = BIO_new(BIO_s_mem());
+    PEM_write_bio_X509(bio, cert);
+
+    BUF_MEM *mem = NULL;
+    BIO_get_mem_ptr(bio, &mem);
+
+    std::string pem(mem->data, mem->length);
+    QString alias(pem.c_str());
+
+    IpcClient::Interface()->writeIPsecUserCert(alias, m_config[config_key::userName].toString());
+    IpcClient::Interface()->writeIPsecConfig(m_config[config_key::config].toString());
+    IpcClient::Interface()->writeIPsecCaCert(m_config[config_key::cacert].toString(), m_config[config_key::userName].toString());
+    IpcClient::Interface()->writeIPsecPrivate(m_config[config_key::cert].toString(), m_config[config_key::userName].toString());
+    IpcClient::Interface()->writeIPsecPrivatePass(m_config[config_key::password].toString(), m_config[config_key::hostName].toString(),
+                                                  m_config[config_key::userName].toString());
+
+    connect_to_vpn("ikev2-vpn");
+
+    if (!IpcClient::Interface()) {
+        return ErrorCode::AmneziaServiceConnectionFailed;
+    }
+
+    QString connectionStatus;
+
+    auto futureResult = IpcClient::Interface()->getTunnelStatus("ikev2-vpn");
+    futureResult.waitForFinished();
+
+    if (futureResult.returnValue().isEmpty()) {
+        auto futureResult = IpcClient::Interface()->getTunnelStatus("ikev2-vpn");
+        futureResult.waitForFinished();
+    }
+
+    connectionStatus = futureResult.returnValue();
+
+    if (connectionStatus.contains("ESTABLISHED")) {
+        QStringList lines = connectionStatus.split('\n');
+        for (auto iter = lines.begin(); iter!=lines.end(); iter++)
+        {
+            if (iter->contains("0.0.0.0/0")) {
+                QList<QHostAddress> dnsAddr;
+
+                dnsAddr.push_back(QHostAddress(m_configData.value(config_key::dns1).toString()));
+                // We don't use secondary DNS if primary DNS is AmneziaDNS
+                if (!m_configData.value(amnezia::config_key::dns1).toString().
+                     contains(amnezia::protocols::dns::amneziaDnsIp)) {
+                    dnsAddr.push_back(QHostAddress(m_configData.value(config_key::dns2).toString()));
+                }
+
+                m_vpnGateway = iter->split("===", Qt::SkipEmptyParts).first();
+                m_vpnGateway = m_vpnGateway.split("   ").at(2);
+                m_vpnGateway = m_vpnGateway.split("/").first();
+                m_vpnLocalAddress = m_vpnGateway;
+
+                // killSwitch toggle
+                if (QVariant(m_config.value(config_key::killSwitchOption).toString()).toBool()) {
+                    m_config.insert("vpnServer", m_remoteAddress);
+                    IpcClient::Interface()->enableKillSwitch(m_config, 0);
+                }
+
+                if (m_routeMode == Settings::RouteMode::VpnAllSites) {
+                    IpcClient::Interface()->routeAddList(m_vpnGateway, QStringList() << "0.0.0.0/1");
+                    IpcClient::Interface()->routeAddList(m_vpnGateway, QStringList() << "128.0.0.0/1");
+                    IpcClient::Interface()->routeAddList(m_routeGateway, QStringList() << m_remoteAddress);
+                }
+
+                QList<QNetworkInterface> netInterfaces = QNetworkInterface::allInterfaces();
+                for (int i = 0; i < netInterfaces.size(); i++) {
+                    for (int j=0; j < netInterfaces.at(i).addressEntries().size(); j++)
+                    {
+                        if (netInterfaces.at(i).addressEntries().at(j).ip().toString() == m_vpnGateway)
+                        {
+                            IpcClient::Interface()->updateResolvers(netInterfaces.at(i).humanReadableName(), dnsAddr);
+                        }
+                    }
+                }
+
+                IpcClient::Interface()->StopRoutingIpv6();
+            }
+        }
+        setConnectionState(Vpn::ConnectionState::Connected);
+    } else {
+        setConnectionState(Vpn::ConnectionState::Disconnected);
+    }
+
+    return ErrorCode::NoError;
+}
+//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+bool Ikev2Protocol::create_new_vpn(const QString & vpn_name,
+                                   const QString & serv_addr) {
+    qDebug() << "Ikev2Protocol::create_new_vpn()";
+    return true;
+}
+//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+bool Ikev2Protocol::delete_vpn_connection(const QString &vpn_name) {
+
+    return false;
+}
+//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+bool Ikev2Protocol::connect_to_vpn(const QString &vpn_name) {
+    qDebug() << "IpsecProtocol::connect_to_vpn()";
+    IpcClient::Interface()->startIPsec(vpn_name);
+    QThread::msleep(3000);
+    return true;
+}
+//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+bool Ikev2Protocol::disconnect_vpn() {
+    qDebug() << "IpsecProtocol::disconnect_vpn()";
+    IpcClient::Interface()->stopIPsec("ikev2-vpn");
+    IpcClient::Interface()->disableKillSwitch();
+    IpcClient::Interface()->StartRoutingIpv6();
+    return true;
+}

client/protocols/ikev2_vpn_protocol_linux.h

@@ -0,0 +1,52 @@
+#ifndef IKEV2_VPN_PROTOCOL_LINUX_H
+#define IKEV2_VPN_PROTOCOL_LINUX_H
+
+#include <QObject>
+#include <QProcess>
+#include <QString>
+#include <QTemporaryFile>
+#include <QTimer>
+
+#include "vpnprotocol.h"
+
+#include <string>
+#include <memory>
+#include <atomic>
+#include <thread>
+#include <condition_variable>
+#include <mutex>
+
+class Ikev2Protocol : public VpnProtocol
+{
+    Q_OBJECT
+
+public:
+    explicit Ikev2Protocol(const QJsonObject& configuration, QObject* parent = nullptr);
+    virtual ~Ikev2Protocol() override;
+
+    ErrorCode start() override;
+    void stop() override;
+
+    static QString tunnelName() { return "AmneziaVPN IKEv2"; }
+
+
+private:
+    void readIkev2Configuration(const QJsonObject &configuration);
+
+private:
+    QJsonObject m_config;
+    QJsonObject m_configData;
+    QString m_remoteAddress;
+    int m_routeMode;
+
+
+    bool create_new_vpn(const QString & vpn_name,
+                        const QString & serv_addr);
+    bool delete_vpn_connection(const QString &vpn_name);
+
+    bool connect_to_vpn(const QString & vpn_name);
+    bool disconnect_vpn();
+};
+
+
+#endif // IKEV2_VPN_PROTOCOL_LINUX_H

client/protocols/ikev2_vpn_protocol_windows.cpp

@@ -172,7 +172,8 @@ void Ikev2Protocol::newConnectionStateEventReceived(UINT unMsg, tagRASCONNSTATE
 
 void Ikev2Protocol::readIkev2Configuration(const QJsonObject &configuration)
 {
-    m_config = configuration.value(ProtocolProps::key_proto_config_data(Proto::Ikev2)).toObject();
+    QJsonObject ikev2_data = configuration.value(ProtocolProps::key_proto_config_data(Proto::Ikev2)).toObject();
+    m_config = QJsonDocument::fromJson(ikev2_data.value(config_key::config).toString().toUtf8()).object();
 }
 
 ErrorCode Ikev2Protocol::start()

client/protocols/protocols_defs.h

@@ -24,6 +24,7 @@ namespace amnezia
         constexpr char description[] = "description";
         constexpr char name[] = "name";
         constexpr char cert[] = "cert";
+        constexpr char cacert[] = "cacert";
         constexpr char config[] = "config";
 
         constexpr char containers[] = "containers";
@@ -192,7 +193,7 @@ namespace amnezia
 
             constexpr char defaultPort[] = "51820";
 
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
             constexpr char defaultMtu[] = "1280";
 #else
             constexpr char defaultMtu[] = "1376";
@@ -212,7 +213,7 @@ namespace amnezia
         namespace awg
         {
             constexpr char defaultPort[] = "55424";
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
             constexpr char defaultMtu[] = "1280";
 #else
             constexpr char defaultMtu[] = "1376";

client/protocols/vpnprotocol.cpp

@@ -4,7 +4,7 @@
 #include "core/errorstrings.h"
 #include "vpnprotocol.h"
 
-#if defined(Q_OS_WINDOWS) || defined(Q_OS_MACX) || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
+#if defined(Q_OS_WINDOWS) || defined(Q_OS_MACX) and !defined MACOS_NE || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
     #include "openvpnovercloakprotocol.h"
     #include "openvpnprotocol.h"
     #include "shadowsocksvpnprotocol.h"
@@ -16,6 +16,10 @@
     #include "ikev2_vpn_protocol_windows.h"
 #endif
 
+#ifdef Q_OS_LINUX
+#include "ikev2_vpn_protocol_linux.h"
+#endif
+
 VpnProtocol::VpnProtocol(const QJsonObject &configuration, QObject *parent)
     : QObject(parent),
       m_connectionState(Vpn::ConnectionState::Unknown),
@@ -106,10 +110,10 @@ QString VpnProtocol::vpnGateway() const
 VpnProtocol *VpnProtocol::factory(DockerContainer container, const QJsonObject &configuration)
 {
     switch (container) {
-#if defined(Q_OS_WINDOWS)
+#if defined(Q_OS_WINDOWS) || defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)
     case DockerContainer::Ipsec: return new Ikev2Protocol(configuration);
 #endif
-#if defined(Q_OS_WINDOWS) || defined(Q_OS_MACX) || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
+#if defined(Q_OS_WINDOWS) || defined(Q_OS_MACX) and !defined MACOS_NE || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
     case DockerContainer::OpenVpn: return new OpenVpnProtocol(configuration);
     case DockerContainer::Cloak: return new OpenVpnOverCloakProtocol(configuration);
     case DockerContainer::ShadowSocks: return new ShadowSocksVpnProtocol(configuration);

client/resources.qrc

@@ -77,6 +77,7 @@
         <file>server_scripts/ipsec/mobileconfig.plist</file>
         <file>server_scripts/ipsec/run_container.sh</file>
         <file>server_scripts/ipsec/start.sh</file>
+        <file>server_scripts/ipsec/template.conf</file>
         <file>server_scripts/ipsec/strongswan.profile</file>
         <file>server_scripts/openvpn_cloak/configure_container.sh</file>
         <file>server_scripts/openvpn_cloak/Dockerfile</file>

client/server_scripts/ipsec/configure_container.sh

@@ -242,6 +242,7 @@ conn ikev2-cp
   dpdtimeout=120
   dpdaction=clear
   auto=add
+  authby=rsa-sha1
   ikev2=insist
   rekey=no
   pfs=yes

client/server_scripts/ipsec/template.conf

@@ -0,0 +1,28 @@
+config setup
+    charondebug="ike 1, knl 1, cfg 0"
+    uniqueids=no
+
+conn ikev2-vpn
+    auto=add
+    type=tunnel
+    keyexchange=ikev2
+    fragmentation=yes
+    forceencaps=yes 
+    dpdaction=clear
+    dpddelay=300s
+    rekey=no 
+    leftid=$CLIENT_NAME
+    leftcert=$CLIENT_NAME.crt
+    leftdns=$PRIMARY_DNS,$SECONDARY_DNS
+    leftsendcert=always
+    leftsourceip=%config
+    right=$SERVER_IP_ADDRESS
+    rightsubnet=0.0.0.0/0
+    rightsendcert=never
+    eap_identity=%identity
+    encapsulation=yes 
+    pfs=yes 
+    ike=aes256-sha256-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024
+    esp=aes256-sha256,aes256-sha1,3des-sha1
+
+

client/ui/controllers/connectionController.cpp

@@ -1,6 +1,6 @@
 #include "connectionController.h"
 
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
     #include <QGuiApplication>
 #else
     #include <QApplication>
@@ -32,8 +32,9 @@ ConnectionController::ConnectionController(const QSharedPointer<ServersModel> &s
 
 void ConnectionController::openConnection()
 {
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
-    if (!Utils::processIsRunning(Utils::executable(SERVICE_NAME, false), true)) {
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
+    if (!Utils::processIsRunning(Utils::executable(SERVICE_NAME, false), true))
+    {
         emit connectionErrorOccurred(ErrorCode::AmneziaServiceNotRunning);
         return;
     }

client/ui/controllers/importController.cpp

@@ -19,7 +19,7 @@
 #ifdef Q_OS_ANDROID
     #include "platforms/android/android_controller.h"
 #endif
-#ifdef Q_OS_IOS
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
     #include <CoreFoundation/CoreFoundation.h>
 #endif
 
@@ -595,7 +595,7 @@ void ImportController::startDecodingQr()
     m_totalQrCodeChunksCount = 0;
     m_receivedQrCodeChunksCount = 0;
 
-    #if defined Q_OS_IOS
+    #if defined(Q_OS_IOS) || defined(MACOS_NE)
     m_isQrCodeProcessed = true;
     #endif
     #if defined Q_OS_ANDROID

client/ui/controllers/pageController.cpp

@@ -1,8 +1,11 @@
 #include "pageController.h"
 #include "utils/converter.h"
 #include "core/errorstrings.h"
+#if defined(MACOS_NE)
+#include "platforms/ios/ios_controller.h"
+#endif
 
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
     #include <QGuiApplication>
 #else
     #include <QApplication>
@@ -25,8 +28,12 @@ PageController::PageController(const QSharedPointer<ServersModel> &serversModel,
 #endif
 
 #if defined Q_OS_MACX
-    connect(this, &PageController::raiseMainWindow, []() { setDockIconVisible(true); });
-    connect(this, &PageController::hideMainWindow, []() { setDockIconVisible(false); });
+    connect(this, &PageController::raiseMainWindow, []() {
+        setDockIconVisible(true);
+    });
+    connect(this, &PageController::hideMainWindow, []() {
+        setDockIconVisible(false);
+    });
 #endif
 
     connect(this, qOverload<ErrorCode>(&PageController::showErrorMessage), this, &PageController::onShowErrorMessage);
@@ -56,14 +63,11 @@ QString PageController::getPagePath(PageLoader::PageEnum page)
 
 void PageController::closeWindow()
 {
-#ifdef Q_OS_ANDROID
+// On mobile platforms, quit app on close; on desktop, just hide window
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
     qApp->quit();
 #else
-    if (m_serversModel->getServersCount() == 0) {
-        qApp->quit();
-    } else {
-        emit hideMainWindow();
-    }
+    emit hideMainWindow();
 #endif
 }
 
@@ -114,7 +118,7 @@ void PageController::showOnStartup()
     } else {
 #if defined(Q_OS_WIN) || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
         emit hideMainWindow();
-#elif defined Q_OS_MACX
+#elif defined(Q_OS_MACX)
         setDockIconVisible(false);
 #endif
     }

client/ui/controllers/settingsController.cpp

@@ -10,7 +10,7 @@
     #include "platforms/android/android_controller.h"
 #endif
 
-#ifdef Q_OS_IOS
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
     #include <AmneziaVPN-Swift.h>
 #endif
 
@@ -93,7 +93,7 @@ bool SettingsController::isLoggingEnabled()
 void SettingsController::toggleLogging(bool enable)
 {
     m_settings->setSaveLogs(enable);
-#ifdef Q_OS_IOS
+#if defined(Q_OS_IOS)
     AmneziaVPN::toggleLogging(enable);
 #endif
     if (enable == true) {
@@ -157,8 +157,12 @@ void SettingsController::backupAppConfig(const QString &fileName)
 
 void SettingsController::restoreAppConfig(const QString &fileName)
 {
-    QByteArray data;
-    SystemController::readFile(fileName, data);
+    QFile file(fileName);
+
+    file.open(QIODevice::ReadOnly);
+
+    QByteArray data = file.readAll();
+
     restoreAppConfigFromData(data);
 }
 
@@ -237,7 +241,7 @@ void SettingsController::clearSettings()
 
     emit changeSettingsFinished(tr("All settings have been reset to default values"));
 
-#ifdef Q_OS_IOS
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
     AmneziaVPN::clearSettings();
 #endif
 }

client/ui/controllers/systemController.cpp

@@ -14,7 +14,7 @@
     #include "platforms/android/android_controller.h"
 #endif
 
-#ifdef Q_OS_IOS
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
     #include "platforms/ios/ios_controller.h"
     #include <CoreFoundation/CoreFoundation.h>
 #endif
@@ -58,8 +58,10 @@ void SystemController::saveFile(const QString &fileName, const QString &data)
     const auto url = fi.absoluteDir().absolutePath();
 #endif
 
+#ifndef MACOS_NE
     QDesktopServices::openUrl(url);
 #endif
+#endif
 }
 
 bool SystemController::readFile(const QString &fileName, QByteArray &data)

client/ui/models/servers_model.cpp

@@ -4,7 +4,7 @@
 #include "core/controllers/serverController.h"
 #include "core/networkUtilities.h"
 
-#ifdef Q_OS_IOS
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
     #include <AmneziaVPN-Swift.h>
 #endif
 
@@ -782,7 +782,7 @@ void ServersModel::removeApiConfig(const int serverIndex)
 {
     auto serverConfig = getServerConfig(serverIndex);
 
-#ifdef Q_OS_IOS
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
     QString vpncName = QString("%1 (%2) %3")
                                .arg(serverConfig[config_key::description].toString())
                                .arg(serverConfig[config_key::hostName].toString())

client/ui/ne_notificationhandler.h

@@ -0,0 +1,36 @@
+#ifndef NE_NOTIFICATION_HANDLER_H
+#define NE_NOTIFICATION_HANDLER_H
+
+#include "notificationhandler.h"
+#include <QMenu>
+#include <QAction>
+
+class MacOSStatusIcon;
+
+class NEStatusBarNotificationHandler : public NotificationHandler {
+    Q_OBJECT
+public:
+    explicit NEStatusBarNotificationHandler(QObject* parent);
+    ~NEStatusBarNotificationHandler() override;
+
+    void setConnectionState(Vpn::ConnectionState state) override;
+    void onTranslationsUpdated() override;
+
+protected:
+    void notify(Message type, const QString& title,
+                const QString& message, int timerMsec) override;
+
+private:
+    void buildMenu();
+
+    QMenu m_menu;
+    MacOSStatusIcon* m_statusIcon;
+
+    QAction* m_actionShow;
+    QAction* m_actionConnect;
+    QAction* m_actionDisconnect;
+    QAction* m_actionVisitWebsite;
+    QAction* m_actionQuit;
+};
+
+#endif // NE_NOTIFICATION_HANDLER_H

client/ui/notificationhandler.cpp

@@ -11,18 +11,12 @@
 #  include "systemtray_notificationhandler.h"
 #endif
 
+
 // static
 NotificationHandler* NotificationHandler::create(QObject* parent) {
 #if defined(Q_OS_IOS)
     return new IOSNotificationHandler(parent);
 #else
-
-#  if defined(Q_OS_LINUX)
-    //if (LinuxSystemTrayNotificationHandler::requiredCustomImpl()) {
-    //    return new LinuxSystemTrayNotificationHandler(parent);
-    //}
-#  endif
-
     return new SystemTrayNotificationHandler(parent);
 #endif
 }

client/ui/qml/Controls2/CheckBoxType.qml

@@ -173,15 +173,17 @@ CheckBox {
         enabled: false
     }
 
+    Keys.onEnterPressed: event => handleSwitch(event)
+    Keys.onReturnPressed: event => handleSwitch(event)
+    Keys.onSpacePressed: event => handleSwitch(event)
 
-    Keys.onEnterPressed: {
-        root.checked = !root.checked
+    function handleSwitch(event) {
+        if (!event.isAutoRepeat) {
+            root.checked = !root.checked
+            root.checkedChanged()
+        }
+        event.accepted = true
     }
-
-    Keys.onReturnPressed: {
-        root.checked = !root.checked
-    }
-
 }
 
 

client/ui/qml/Pages2/PageSettingsApplication.qml

@@ -140,7 +140,7 @@ PageType {
             }
 
             DividerType {
-                visible: !GC.isMobile()
+                visible: !GC.isMobile() && !IsMacOsNeBuild
             }
 
             SwitcherType {

client/ui/qml/Pages2/PageSettingsLogging.qml

@@ -165,7 +165,11 @@ PageType {
         }
     }
 
-    property list<QtObject> logTypes: [
+    // Show service logs only if this is NOT a macOS build with
+    // Network-Extension (IsMacOsNeBuild is injected from C++ at run-time)
+    property list<QtObject> logTypes: IsMacOsNeBuild ? [
+        clientLogs
+    ] : [
         clientLogs,
         serviceLogs
     ]
@@ -204,7 +208,7 @@ PageType {
 
         readonly property string title: qsTr("Service logs")
         readonly property string description: qsTr("AmneziaVPN-service logs")
-        readonly property bool isVisible: !GC.isMobile()
+        readonly property bool isVisible: !GC.isMobile() && !IsMacOsNeBuild
         readonly property var openLogsHandler: function() {
             SettingsController.openServiceLogsFolder()
         }

client/ui/qml/main2.qml

@@ -26,7 +26,8 @@ Window  {
 
     color: AmneziaStyle.color.midnightBlack
 
-    onClosing: function() {
+    onClosing: function(close) {
+        close.accepted = false
         PageController.closeWindow()
     }
 

client/ui/systemtray_notificationhandler.cpp

@@ -38,9 +38,11 @@ SystemTrayNotificationHandler::SystemTrayNotificationHandler(QObject* parent) :
         QDesktopServices::openUrl(QUrl(websiteUrl));
     });
 
-    m_trayActionQuit = m_menu.addAction(QIcon(":/images/tray/cancel.png"), tr("Quit") + " " + APPLICATION_NAME, this, [&](){
-        qApp->quit();
-    });
+    // Quit action: disconnect VPN first on macOS NE, else quit directly
+    m_trayActionQuit = m_menu.addAction(QIcon(":/images/tray/cancel.png"),
+                                       tr("Quit") + " " + APPLICATION_NAME,
+                                       this,
+                                       [&](){ qApp->quit(); });
 
     m_systemTrayIcon.setContextMenu(&m_menu);
     setTrayState(Vpn::ConnectionState::Disconnected);

client/utilities.cpp

@@ -190,7 +190,7 @@ bool Utils::processIsRunning(const QString &fileName, const bool fullFlag)
     CloseHandle(hSnapshot);
     return false;
 
-#elif defined(Q_OS_IOS) || defined(Q_OS_ANDROID)
+#elif defined(Q_OS_IOS) || defined(Q_OS_ANDROID) || defined(MACOS_NE)
     return false;
 #else
     QProcess process;

client/vpnconnection.cpp

@@ -22,7 +22,7 @@
     #include "platforms/android/android_controller.h"
 #endif
 
-#ifdef Q_OS_IOS
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
     #include "platforms/ios/ios_controller.h"
 #endif
 
@@ -33,7 +33,7 @@ VpnConnection::VpnConnection(std::shared_ptr<Settings> settings, QObject *parent
     : QObject(parent), m_settings(settings), m_checkTimer(new QTimer(this))
 {
     m_checkTimer.setInterval(1000);
-#ifdef Q_OS_IOS
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
     connect(IosController::Instance(), &IosController::connectionStateChanged, this, &VpnConnection::onConnectionStateChanged);
     connect(IosController::Instance(), &IosController::bytesChanged, this, &VpnConnection::onBytesChanged);
 
@@ -83,7 +83,9 @@ void VpnConnection::onConnectionStateChanged(Vpn::ConnectionState state)
     if (IpcClient::Interface()) {
         if (state == Vpn::ConnectionState::Connected) {
             IpcClient::Interface()->resetIpStack();
-            IpcClient::Interface()->flushDns();
+            if (container != DockerContainer::Ipsec) {
+                IpcClient::Interface()->flushDns();
+            }
 
             if (container != DockerContainer::Awg && container != DockerContainer::WireGuard) {
                 QString dns1 = m_vpnConfiguration.value(config_key::dns1).toString();
@@ -122,7 +124,7 @@ void VpnConnection::onConnectionStateChanged(Vpn::ConnectionState state)
     }
 #endif
 
-#ifdef Q_OS_IOS
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
     if (state == Vpn::ConnectionState::Connected) {
         m_checkTimer.start();
     } else {
@@ -236,10 +238,11 @@ ErrorCode VpnConnection::lastError() const
 void VpnConnection::connectToVpn(int serverIndex, const ServerCredentials &credentials, DockerContainer container,
                                  const QJsonObject &vpnConfiguration)
 {
-    qDebug() << QString("Trying to connect to VPN, server index is %1, container is %2")
+    qDebug() << QString("ConnectToVpn, Server index is %1, container is %2, route mode is")
                         .arg(serverIndex)
-                        .arg(ContainerProps::containerToString(container));
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+                        .arg(ContainerProps::containerToString(container))
+             << m_settings->routeMode();
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
     if (!m_IpcClient) {
         m_IpcClient = new IpcClient(this);
     }
@@ -270,7 +273,7 @@ void VpnConnection::connectToVpn(int serverIndex, const ServerCredentials &crede
 
     appendSplitTunnelingConfig();
 
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
     m_vpnProtocol.reset(VpnProtocol::factory(container, m_vpnConfiguration));
     if (!m_vpnProtocol) {
         emit connectionStateChanged(Vpn::ConnectionState::Error);
@@ -282,7 +285,7 @@ void VpnConnection::connectToVpn(int serverIndex, const ServerCredentials &crede
     createAndroidConnections();
 
     m_vpnProtocol.reset(androidVpnProtocol);
-#elif defined Q_OS_IOS
+#elif defined Q_OS_IOS || defined(MACOS_NE)
     Proto proto = ContainerProps::defaultProtocol(container);
     IosController::Instance()->connectVpn(proto, m_vpnConfiguration);
     connect(&m_checkTimer, &QTimer::timeout, IosController::Instance(), &IosController::checkStatus);
@@ -362,20 +365,20 @@ void VpnConnection::appendSplitTunnelingConfig()
         }
     }
 
-    Settings::RouteMode sitesRouteMode = Settings::RouteMode::VpnAllSites;
+    Settings::RouteMode routeMode = Settings::RouteMode::VpnAllSites;
     QJsonArray sitesJsonArray;
     if (m_settings->isSitesSplitTunnelingEnabled()) {
-        sitesRouteMode = m_settings->routeMode();
+        routeMode = m_settings->routeMode();
 
         if (allowSiteBasedSplitTunneling) {
-            auto sites = m_settings->getVpnIps(sitesRouteMode);
+            auto sites = m_settings->getVpnIps(routeMode);
             for (const auto &site : sites) {
                 sitesJsonArray.append(site);
             }
 
             if (sitesJsonArray.isEmpty()) {
-                sitesRouteMode = Settings::RouteMode::VpnAllSites;
-            } else if (sitesRouteMode == Settings::VpnOnlyForwardSites) {
+                routeMode = Settings::RouteMode::VpnAllSites;
+            } else if (routeMode == Settings::VpnOnlyForwardSites) {
                 // Allow traffic to Amnezia DNS
                 sitesJsonArray.append(m_vpnConfiguration.value(config_key::dns1).toString());
                 sitesJsonArray.append(m_vpnConfiguration.value(config_key::dns2).toString());
@@ -383,7 +386,7 @@ void VpnConnection::appendSplitTunnelingConfig()
         }
     }
 
-    m_vpnConfiguration.insert(config_key::splitTunnelType, sitesRouteMode);
+    m_vpnConfiguration.insert(config_key::splitTunnelType, routeMode);
     m_vpnConfiguration.insert(config_key::splitTunnelSites, sitesJsonArray);
 
     Settings::AppsRouteMode appsRouteMode = Settings::AppsRouteMode::VpnAllApps;
@@ -403,13 +406,6 @@ void VpnConnection::appendSplitTunnelingConfig()
 
     m_vpnConfiguration.insert(config_key::appSplitTunnelType, appsRouteMode);
     m_vpnConfiguration.insert(config_key::splitTunnelApps, appsJsonArray);
-
-    qDebug() << QString("Site split tunneling is %1, route mode is %2")
-                        .arg(m_settings->isSitesSplitTunnelingEnabled() ? "enabled" : "disabled")
-                        .arg(sitesRouteMode);
-    qDebug() << QString("App split tunneling is %1, route mode is %2")
-                        .arg(m_settings->isAppsSplitTunnelingEnabled() ? "enabled" : "disabled")
-                        .arg(appsRouteMode);
 }
 
 #ifdef Q_OS_ANDROID
@@ -471,7 +467,7 @@ void VpnConnection::disconnectFromVpn()
     }
 #endif
 
-#ifdef Q_OS_IOS
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
     IosController::Instance()->disconnectVpn();
     disconnect(&m_checkTimer, &QTimer::timeout, IosController::Instance(), &IosController::checkStatus);
 #endif

deploy/build_ios.sh

@@ -32,7 +32,7 @@ cmake --version
 clang -v
 
 # Generate XCodeProj
-$QT_BIN_DIR/qt-cmake . -B $BUILD_DIR -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR
+$QT_BIN_DIR/qt-cmake . -B $BUILD_DIR -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR -DDEPLOY=ON
 
 KEYCHAIN=amnezia.build.ios.keychain
 KEYCHAIN_FILE=$HOME/Library/Keychains/${KEYCHAIN}-db

deploy/build_macos_ne.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+echo "Build script for macOS Network Extension started ..."
+
+set -o errexit -o nounset
+
+while getopts n flag
+do
+    case "${flag}" in
+        n) NOTARIZE_APP=1;;
+    esac
+done
+
+# Hold on to current directory
+PROJECT_DIR=$(pwd)
+DEPLOY_DIR=$PROJECT_DIR/deploy
+
+mkdir -p $DEPLOY_DIR/build-macos
+BUILD_DIR=$DEPLOY_DIR/build-macos
+
+echo "Project dir: ${PROJECT_DIR}" 
+echo "Build dir: ${BUILD_DIR}"
+
+APP_NAME=AmneziaVPN
+APP_FILENAME=$APP_NAME.app
+APP_DOMAIN=org.amneziavpn.package
+PLIST_NAME=$APP_NAME.plist
+
+OUT_APP_DIR=$BUILD_DIR/client
+BUNDLE_DIR=$OUT_APP_DIR/$APP_FILENAME
+
+PREBUILT_DEPLOY_DATA_DIR=$PROJECT_DIR/deploy/data/deploy-prebuilt/macos
+DEPLOY_DATA_DIR=$PROJECT_DIR/deploy/data/macos
+
+INSTALLER_DATA_DIR=$BUILD_DIR/installer/packages/$APP_DOMAIN/data
+INSTALLER_BUNDLE_DIR=$BUILD_DIR/installer/$APP_FILENAME
+DMG_FILENAME=$PROJECT_DIR/${APP_NAME}.dmg
+
+echo "Import certificate"
+
+TRUST_CERT_CER=$BUILD_DIR/trust-cert.cer
+SIGNING_CERT_P12=$BUILD_DIR/signing-cert.p12
+
+echo $MAC_TRUST_CERT_BASE64 | base64 --decode > $TRUST_CERT_CER
+echo $MAC_SIGNING_CERT_BASE64 | base64 --decode > $SIGNING_CERT_P12
+
+shasum -a 256 $TRUST_CERT_CER
+shasum -a 256 $SIGNING_CERT_P12
+KEYCHAIN_PASS=$MAC_SIGNING_CERT_PASSWORD
+
+# Keychain setup
+KEYCHAIN=amnezia.build.macos.keychain
+TEMP_PASS=tmp_pass
+KEYCHAIN_FILE=$HOME/Library/Keychains/$KEYCHAIN-db
+
+security create-keychain -p $TEMP_PASS $KEYCHAIN || true
+security default-keychain -s $KEYCHAIN
+security unlock-keychain -p $TEMP_PASS $KEYCHAIN
+
+security default-keychain
+security list-keychains
+
+# Import certificates into keychain
+security import $TRUST_CERT_CER -k $KEYCHAIN -P "" -T /usr/bin/codesign || true
+security import $SIGNING_CERT_P12 -k $KEYCHAIN -P $MAC_SIGNING_CERT_PASSWORD -T /usr/bin/codesign || true
+
+# Configure keychain settings
+security set-key-partition-list -S apple-tool:,apple: -k $TEMP_PASS $KEYCHAIN
+security find-identity -p codesigning
+
+# Setup provisioning profiles for main app and NE
+echo "Setting up provisioning profiles..."
+
+# Copy provisioning prifiles
+mkdir -p  "$HOME/Library/MobileDevice/Provisioning Profiles/"
+
+echo $MAC_APP_PROVISIONING_PROFILE | base64 --decode > ~/Library/MobileDevice/Provisioning\ Profiles/app.mobileprovision
+echo $MAC_NE_PROVISIONING_PROFILE | base64 --decode > ~/Library/MobileDevice/Provisioning\ Profiles/ne.mobileprovision
+
+shasum -a 256 ~/Library/MobileDevice/Provisioning\ Profiles/app.mobileprovision
+shasum -a 256 ~/Library/MobileDevice/Provisioning\ Profiles/ne.mobileprovision
+
+profile_uuid=`grep UUID -A1 -a ~/Library/MobileDevice/Provisioning\ Profiles/app.mobileprovision | grep -io "[-A-F0-9]\{36\}"`
+echo $profile_uuid
+profile_ne_uuid=`grep UUID -A1 -a ~/Library/MobileDevice/Provisioning\ Profiles/ne.mobileprovision | grep -io "[-A-F0-9]\{36\}"`
+echo $profile_ne_uuid
+
+mv ~/Library/MobileDevice/Provisioning\ Profiles/app.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles/$profile_uuid.mobileprovision
+mv ~/Library/MobileDevice/Provisioning\ Profiles/ne.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles/$profile_ne_uuid.mobileprovision
+
+# setup environment
+QT_MACOS_BIN=$QT_BIN_DIR
+export PATH=$PATH:~/go/bin
+echo "QT_BIN_DIR: $QT_BIN_DIR"
+
+
+# Build the Network Extension app
+echo "Building MAC Network Extension App..."
+mkdir -p build-macos
+
+$QT_MACOS_BIN/qt-cmake . -B build-macos -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR -DMACOS_NE=TRUE -DCMAKE_BUILD_TYPE=Release -DDEPLOY=ON
+
+# Build and run tests here
+
+echo "____________________________________"
+echo "............Deploying..............."
+echo "____________________________________"
+echo "Deploying MAC Network Extension App..."
+
+echo "xcode build"
+xcodebuild \
+"OTHER_CODE_SIGN_FLAGS=--keychain '$KEYCHAIN_FILE'" \
+-configuration Release \
+-scheme AmneziaVPN \
+-destination "platform=macOS" \
+-project $PROJECT_DIR/build-macos/AmneziaVPN.xcodeproj
+
+
+# Restore keychain to default
+echo "Restoring default keychain..."
+security default-keychain -s "/Users/runner/Library/Keychains/login.keychain-db"
+
+echo "Build and signing process completed successfully!"

ipc/ipc_interface.rep

@@ -36,5 +36,17 @@ class IpcInterface
     SLOT( bool enablePeerTraffic( const QJsonObject &configStr) );
     SLOT( bool enableKillSwitch( const QJsonObject &excludeAddr, int vpnAdapterIndex) );
     SLOT( bool updateResolvers(const QString& ifname, const QList<QHostAddress>& resolvers) );
+
+    SLOT( bool writeIPsecCaCert(QString cacert, QString uuid) );
+    SLOT( bool writeIPsecPrivate(QString privKey, QString uuid) );
+    SLOT( bool writeIPsecConfig(QString config) );
+    SLOT( bool writeIPsecUserCert(QString usercert, QString uuid) );
+    SLOT( bool writeIPsecPrivatePass(QString pass, QString host, QString uuid) );
+
+    SLOT( bool stopIPsec(QString tunnelName) );
+    SLOT( bool startIPsec(QString tunnelName) );
+
+    SLOT( QString getTunnelStatus(QString tunnelName) );
+
 };
 

ipc/ipcserver.cpp

@@ -4,6 +4,7 @@
 #include <QFileInfo>
 #include <QLocalSocket>
 #include <QObject>
+#include <QJsonArray>
 
 #include "logger.h"
 #include "router.h"
@@ -161,6 +162,7 @@ void IpcServer::StartRoutingIpv6()
 {
     Router::StartRoutingIpv6();
 }
+
 void IpcServer::StopRoutingIpv6()
 {
     Router::StopRoutingIpv6();
@@ -204,6 +206,196 @@ bool IpcServer::disableKillSwitch()
     return KillSwitch::instance()->disableKillSwitch();
 }
 
+bool IpcServer::startIPsec(QString tunnelName)
+{
+#ifdef Q_OS_LINUX
+    QProcess processSystemd;
+    QStringList commandsSystemd;
+    commandsSystemd << "systemctl" << "restart" << "ipsec";
+    processSystemd.start("sudo", commandsSystemd);
+    if (!processSystemd.waitForStarted(1000))
+    {
+        qDebug().noquote() << "Could not start ipsec tunnel!\n";
+        return false;
+    }
+    else if (!processSystemd.waitForFinished(2000))
+    {
+        qDebug().noquote() << "Could not start ipsec tunnel\n";
+        return false;
+    }
+    commandsSystemd.clear();
+
+    QThread::msleep(5000);
+
+    QProcess process;
+    QStringList commands;
+    commands << "ipsec" << "up" << QString("%1").arg(tunnelName);
+    process.start("sudo", commands);
+    if (!process.waitForStarted(1000))
+    {
+        qDebug().noquote() << "Could not start ipsec tunnel!\n";
+        return false;
+    }
+    else if (!process.waitForFinished(2000))
+    {
+        qDebug().noquote() << "Could not start ipsec tunnel\n";
+        return false;
+    }
+    commands.clear();
+#endif
+    return true;
+}
+
+bool IpcServer::stopIPsec(QString tunnelName)
+{
+#ifdef Q_OS_LINUX
+    QProcess process;
+    QStringList commands;
+    commands << "ipsec" << "down" << QString("%1").arg(tunnelName);
+    process.start("sudo", commands);
+    if (!process.waitForStarted(1000))
+    {
+        qDebug().noquote() << "Could not stop ipsec tunnel\n";
+        return false;
+    }
+    else if (!process.waitForFinished(2000))
+    {
+        qDebug().noquote() << "Could not stop ipsec tunnel\n";
+        return false;
+    }
+    commands.clear();
+#endif
+    return true;
+}
+
+bool IpcServer::writeIPsecConfig(QString config)
+{
+#ifdef Q_OS_LINUX
+    qDebug() << "IPSEC: IPSec config file";
+    QString configFile = QString("/etc/ipsec.conf");
+    QFile ipSecConfFile(configFile);
+    if (ipSecConfFile.open(QIODevice::WriteOnly)) {
+        ipSecConfFile.write(config.toUtf8());
+        ipSecConfFile.close();
+    }
+#endif
+    return true;
+}
+
+bool IpcServer::writeIPsecUserCert(QString usercert, QString uuid)
+{
+#ifdef Q_OS_LINUX
+    qDebug() << "IPSEC: Write user cert " << uuid;
+    QString certName = QString("/etc/ipsec.d/certs/%1.crt").arg(uuid);
+    QFile userCertFile(certName);
+    if (userCertFile.open(QIODevice::WriteOnly)) {
+        userCertFile.write(usercert.toUtf8());
+        userCertFile.close();
+    }
+#endif
+    return true;
+}
+
+bool IpcServer::writeIPsecCaCert(QString cacert, QString uuid)
+{
+#ifdef Q_OS_LINUX
+    qDebug() << "IPSEC: Write CA cert user " << uuid;
+    QString certName = QString("/etc/ipsec.d/cacerts/%1.crt").arg(uuid);
+    QFile caCertFile(certName);
+    if (caCertFile.open(QIODevice::WriteOnly)) {
+        caCertFile.write(cacert.toUtf8());
+        caCertFile.close();
+    }
+#endif
+    return true;
+}
+
+bool IpcServer::writeIPsecPrivate(QString privKey, QString uuid)
+{
+#ifdef Q_OS_LINUX
+    qDebug() << "IPSEC: User private key " << uuid;
+    QString privateKey = QString("/etc/ipsec.d/private/%1.p12").arg(uuid);
+    QFile pKeyFile(privateKey);
+    if (pKeyFile.open(QIODevice::WriteOnly)) {
+        pKeyFile.write(QByteArray::fromBase64(privKey.toUtf8()));
+        pKeyFile.close();
+    }
+#endif
+    return true;
+}
+
+
+bool IpcServer::writeIPsecPrivatePass(QString pass, QString host, QString uuid)
+{
+#ifdef Q_OS_LINUX
+    qDebug() << "IPSEC: User private key " << uuid;
+    const QString secretsFilename = "/etc/ipsec.secrets";
+    QStringList lines;
+
+    {
+        QFile secretsFile(secretsFilename);
+        if (secretsFile.open(QIODevice::ReadOnly | QIODevice::Text))
+        {
+            QTextStream edit(&secretsFile);
+            while (!edit.atEnd()) lines.push_back(edit.readLine());
+        }
+        secretsFile.close();
+    }
+
+    for (auto iter = lines.begin(); iter!=lines.end();)
+    {
+        if (iter->contains(host))
+        {
+            iter = lines.erase(iter);
+        }
+        else
+        {
+            ++iter;
+        }
+    }
+
+    {
+        QFile secretsFile(secretsFilename);
+        if (secretsFile.open(QIODevice::WriteOnly | QIODevice::Text))
+        {
+            QTextStream edit(&secretsFile);
+            for (int i=0; i<lines.size(); i++) edit << lines[i] << Qt::endl;
+        }
+        QString P12 = QString("%any %1 : P12 %2.p12 \"%3\" \n").arg(host, uuid, pass);
+        secretsFile.write(P12.toUtf8());
+        secretsFile.close();
+    }
+#endif
+    return true;
+}
+
+QString IpcServer::getTunnelStatus(QString tunnelName)
+{
+#ifdef Q_OS_LINUX
+    QProcess process;
+    QStringList commands;
+    commands << "ipsec" << "status" << QString("%1").arg(tunnelName);
+    process.start("sudo", commands);
+    if (!process.waitForStarted(1000))
+    {
+        qDebug().noquote() << "Could not stop ipsec tunnel\n";
+        return "";
+    }
+    else if (!process.waitForFinished(2000))
+    {
+        qDebug().noquote() << "Could not stop ipsec tunnel\n";
+        return "";
+    }
+    commands.clear();
+
+
+    QString status = process.readAll();
+    return status;
+#endif
+    return QString();
+
+}
+
 bool IpcServer::enablePeerTraffic(const QJsonObject &configStr)
 {
     return KillSwitch::instance()->enablePeerTraffic(configStr);

ipc/ipcserver.h

@@ -42,6 +42,14 @@ public:
     virtual bool disableKillSwitch() override;
     virtual bool refreshKillSwitch( bool enabled ) override;
     virtual bool updateResolvers(const QString& ifname, const QList<QHostAddress>& resolvers) override;
+    virtual bool writeIPsecCaCert(QString cacert, QString uuid) override;
+    virtual bool writeIPsecPrivate(QString privKey, QString uuid) override;
+    virtual bool writeIPsecConfig(QString config) override;
+    virtual bool writeIPsecUserCert(QString usercert, QString uuid) override;
+    virtual bool writeIPsecPrivatePass(QString pass, QString host, QString uuid) override;
+    virtual bool stopIPsec(QString tunnelName) override;
+    virtual bool startIPsec(QString tunnelName) override;
+    virtual QString getTunnelStatus(QString tunnelName) override;
 
 private:
     int m_localpid = 0;

service/CMakeLists.txt

@@ -6,6 +6,6 @@ project(${PROJECT} VERSION ${AMNEZIAVPN_VERSION})
 set(CMAKE_CXX_STANDARD 20)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
-if(NOT IOS AND NOT ANDROID)
+if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
     add_subdirectory(server)
 endif()