remove old code & & ref code

client/core/controllers/selfhosted/installController.cpp

@@ -103,7 +103,7 @@ ErrorCode InstallController::setupContainer(const ServerCredentials &credentials
                                             bool isUpdate)
 {
     qDebug().noquote() << "InstallController::setupContainer" << ContainerUtils::containerToString(container);
-    SshSession sshSession(this);
+    SshSession sshSession;
     ErrorCode e = ErrorCode::NoError;
 
     e = isUserInSudo(credentials, sshSession);
@@ -168,11 +168,11 @@ ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerC
         }
         if (container == DockerContainer::MtProxy) {
             ServerCredentials credentials = adminConfig->credentials();
-            SshSession sshSession(this);
+            SshSession sshSession;
             MtProxyInstaller::uploadClientSettingsSnapshot(sshSession, credentials, container, newConfig);
         } else if (container == DockerContainer::Telemt) {
             ServerCredentials credentials = adminConfig->credentials();
-            SshSession sshSession(this);
+            SshSession sshSession;
             TelemtInstaller::uploadClientSettingsSnapshot(sshSession, credentials, container, newConfig);
         }
         adminConfig->updateContainerConfig(container, newConfig);
@@ -188,7 +188,7 @@ ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerC
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     bool reinstallRequired = isReinstallContainerRequired(container, oldConfig, newConfig);
     qDebug() << "InstallController::updateServerConfig for container" << container << "reinstall required is" << reinstallRequired;
@@ -211,6 +211,12 @@ ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerC
         if (errorCode == ErrorCode::NoError) {
             errorCode = startupContainerWorker(credentials, container, newConfig, sshSession);
         }
+
+        if (errorCode == ErrorCode::NoError
+            && (container == DockerContainer::MtProxy || container == DockerContainer::Telemt)) {
+            const QString containerName = ContainerUtils::containerToString(container);
+            errorCode = sshSession.runScript(credentials, "sudo docker restart " + containerName);
+        }
     }
 
     const bool skipXrayInboundSync =
@@ -737,18 +743,6 @@ bool InstallController::isReinstallContainerRequired(DockerContainer container,
             if (oldPort != newPort) {
                 return true;
             }
-            const QString oldTransport = oldMt->transportMode.isEmpty() ? QString(
-                    protocols::mtProxy::transportModeStandard)
-                                                                        : oldMt->transportMode;
-            const QString newTransport = newMt->transportMode.isEmpty() ? QString(
-                    protocols::mtProxy::transportModeStandard)
-                                                                        : newMt->transportMode;
-            if (oldTransport != newTransport) {
-                return true;
-            }
-            if (oldMt->tlsDomain != newMt->tlsDomain) {
-                return true;
-            }
         }
     }
 
@@ -763,39 +757,6 @@ bool InstallController::isReinstallContainerRequired(DockerContainer container,
             if (oldPort != newPort) {
                 return true;
             }
-            const QString oldTransport = oldT->transportMode.isEmpty()
-                    ? QString(protocols::telemt::transportModeStandard)
-                    : oldT->transportMode;
-            const QString newTransport = newT->transportMode.isEmpty()
-                    ? QString(protocols::telemt::transportModeStandard)
-                    : newT->transportMode;
-            if (oldTransport != newTransport) {
-                return true;
-            }
-            if (oldT->tlsDomain != newT->tlsDomain) {
-                return true;
-            }
-            if (oldT->maskEnabled != newT->maskEnabled) {
-                return true;
-            }
-            if (oldT->tlsEmulation != newT->tlsEmulation) {
-                return true;
-            }
-            if (oldT->useMiddleProxy != newT->useMiddleProxy) {
-                return true;
-            }
-            if (oldT->tag != newT->tag) {
-                return true;
-            }
-            const QString oldUser = oldT->userName.isEmpty()
-                    ? QString::fromUtf8(protocols::telemt::defaultUserName)
-                    : oldT->userName;
-            const QString newUser = newT->userName.isEmpty()
-                    ? QString::fromUtf8(protocols::telemt::defaultUserName)
-                    : newT->userName;
-            if (oldUser != newUser) {
-                return true;
-            }
         }
     }
 
@@ -835,6 +796,20 @@ ErrorCode InstallController::installDockerWorker(const ServerCredentials &creden
 
     qDebug().noquote() << "InstallController::installDockerWorker" << stdOut;
 
+    if (container == DockerContainer::MtProxy || container == DockerContainer::Telemt) {
+        QString conntrackOut;
+        auto cbConntrack = [&](const QString &data, libssh::Client &) {
+            conntrackOut += data + "\n";
+            return ErrorCode::NoError;
+        };
+        sshSession.runScript(
+                credentials,
+                sshSession.replaceVars(amnezia::scriptData(SharedScriptType::install_conntrack),
+                                       amnezia::genBaseVars(credentials, DockerContainer::None, QString(), QString())),
+                cbConntrack, cbConntrack);
+        qDebug().noquote() << "InstallController::installDockerWorker install_conntrack:" << conntrackOut;
+    }
+
     if (container == DockerContainer::Awg2) {
         QRegularExpression regex(R"(Linux\s+(\d+)\.(\d+)[^\d]*)");
         QRegularExpressionMatch match = regex.match(stdOut);
@@ -970,7 +945,7 @@ ErrorCode InstallController::rebootServer(const QString &serverId)
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     QString script = QString("sudo reboot");
 
@@ -998,7 +973,7 @@ ErrorCode InstallController::removeAllContainers(const QString &serverId)
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     ErrorCode errorCode = sshSession.runScript(credentials, amnezia::scriptData(SharedScriptType::remove_all_containers));
 
     if (errorCode == ErrorCode::NoError) {
@@ -1020,7 +995,7 @@ ErrorCode InstallController::removeContainer(const QString &serverId, DockerCont
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     const amnezia::ScriptVars removeContainerVars =
             amnezia::genBaseVars(credentials, container, QString(), QString());
     const bool removeDataVolume = (container == DockerContainer::MtProxy || container == DockerContainer::Telemt);
@@ -1129,7 +1104,7 @@ ErrorCode InstallController::scanServerForInstalledContainers(const QString &ser
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     QMap<DockerContainer, ContainerConfig> installedContainers;
     ErrorCode errorCode = getAlreadyInstalledContainers(credentials, installedContainers, sshSession);
@@ -1172,7 +1147,7 @@ ErrorCode InstallController::scanServerForInstalledContainers(const QString &ser
 ErrorCode InstallController::installServer(const ServerCredentials &credentials, DockerContainer container, int port,
                                            TransportProto transportProto, bool &wasContainerInstalled)
 {
-    SshSession sshSession(this);
+    SshSession sshSession;
     QMap<DockerContainer, ContainerConfig> installedContainers;
     ErrorCode errorCode = getAlreadyInstalledContainers(credentials, installedContainers, sshSession);
     if (errorCode) {
@@ -1241,7 +1216,7 @@ ErrorCode InstallController::installContainer(const QString &serverId, DockerCon
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     
     QMap<DockerContainer, ContainerConfig> installedContainers;
     ErrorCode errorCode = getAlreadyInstalledContainers(credentials, installedContainers, sshSession);
@@ -1283,7 +1258,7 @@ ErrorCode InstallController::installContainer(const QString &serverId, DockerCon
 ErrorCode InstallController::checkSshConnection(ServerCredentials &credentials, QString &output,
                                                 std::function<QString()> passphraseCallback)
 {
-    SshSession sshSession(this);
+    SshSession sshSession;
     ErrorCode errorCode = ErrorCode::NoError;
 
     if (credentials.secretData.contains("BEGIN") && credentials.secretData.contains("PRIVATE KEY")) {
@@ -1564,7 +1539,7 @@ ErrorCode InstallController::setDockerContainerEnabledState(const QString &serve
         return ErrorCode::InternalError;
     }
     const QString containerName = ContainerUtils::containerToString(container);
-    SshSession sshSession(this);
+    SshSession sshSession;
     const QString script = enabled ? QStringLiteral("sudo docker start %1").arg(containerName)
                                    : QStringLiteral("sudo docker stop %1").arg(containerName);
     const ErrorCode runError = sshSession.runScript(credentials, script);
@@ -1604,7 +1579,7 @@ ErrorCode InstallController::queryDockerContainerStatus(const QString &serverId,
         stdOut += data;
         return ErrorCode::NoError;
     };
-    SshSession sshSession(this);
+    SshSession sshSession;
     const QString script = QStringLiteral(
             "sudo docker inspect --format '{{.State.Status}}' %1 2>/dev/null || echo 'not_found'")
             .arg(containerName);
@@ -1638,7 +1613,7 @@ ErrorCode InstallController::queryMtProxyDiagnostics(const QString &serverId, Do
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     return MtProxyInstaller::queryDiagnostics(sshSession, credentials, container, listenPort, out);
 }
 
@@ -1661,7 +1636,7 @@ QString InstallController::fetchDockerContainerSecret(const QString &serverId, D
         stdOut += data;
         return ErrorCode::NoError;
     };
-    SshSession sshSession(this);
+    SshSession sshSession;
     const QString path = QStringLiteral("/data/secret");
     const QString cmd = QStringLiteral("sudo docker exec %1 cat %2").arg(containerName, path);
     const ErrorCode errorCode = sshSession.runScript(credentials, cmd, cbReadStdOut);

client/core/installers/mtProxyInstaller.cpp

@@ -71,48 +71,62 @@ ErrorCode MtProxyInstaller::queryDiagnostics(SshSession &sshSession, const Serve
                                              DockerContainer container, int listenPort,
                                              MtProxyContainerDiagnostics &out)
 {
-    out = {};
+    out = { };
-    if (container != DockerContainer::MtProxy && container != DockerContainer::Telemt) {
+    if (container == DockerContainer::MtProxy || container == DockerContainer::Telemt) {
-        return ErrorCode::InternalError;
+        const QString containerName = ContainerUtils::containerToString(container);
-    }
+        const bool isTelemt = container == DockerContainer::Telemt;
-    const QString containerName = ContainerUtils::containerToString(container);
-    const QString script =
-            QStringLiteral(
-                    "PORT_OK=$(sudo docker exec %1 sh -c 'ss -tlnp 2>/dev/null | grep -q :%2 && echo yes || echo no' 2>/dev/null || echo no); "
-                    "TG_OK=$(curl -s --max-time 5 -o /dev/null -w '%%{http_code}' https://core.telegram.org/getProxySecret 2>/dev/null | grep -q '200' && echo yes || echo no); "
-                    "CLIENTS=$(sudo docker exec amnezia-mtproxy sh -c 'curl -s --max-time 3 http://localhost:2398/stats 2>/dev/null | grep -o \"total_special_connections:[0-9]*\" | cut -d: -f2' 2>/dev/null); "
-                    "CONF_TIME=$(sudo docker exec amnezia-mtproxy sh -c 'stat -c \"%%y\" /data/proxy-multi.conf 2>/dev/null | cut -d. -f1' 2>/dev/null || echo unknown); "
-                    "echo \"PORT_OK=${PORT_OK}\"; "
-                    "echo \"TG_OK=${TG_OK}\"; "
-                    "echo \"CLIENTS=${CLIENTS:-0}\"; "
-                    "echo \"CONF_TIME=${CONF_TIME}\"; "
-                    "echo \"STATS=http://localhost:2398/stats\";")
-                    .arg(containerName)
-                    .arg(listenPort);
 
-    QString stdOut;
+        const QString sportFilter = QString::number(listenPort);
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
+        const QString peersCmd = QStringLiteral("sudo conntrack -L -p tcp --dport ") + sportFilter
-        stdOut += data;
+                + QStringLiteral(" 2>/dev/null | grep ESTABLISHED | awk '{for(i=1;i<=NF;i++) if($i ~ /^src=/){print "
-        return ErrorCode::NoError;
+                                 "substr($i,5); break}}'");
-    };
+        const QString publicFilter = QStringLiteral(" | grep -vE "
-    const ErrorCode errorCode = sshSession.runScript(credentials, script, cbReadStdOut);
+                                                    "'^(10\\.|127\\.|169\\.254\\.|192\\.168\\.|172\\.(1[6-9]|2[0-9]|3["
-    if (errorCode != ErrorCode::NoError) {
+                                                    "01])\\.|::1$|fe80:|f[cd][0-9a-f][0-9a-f]:)'");
-        return errorCode;
+        const QString clientsCmd =
-    }
+                QStringLiteral("CLIENTS=$(") + peersCmd + publicFilter + QStringLiteral(" | sort -u | grep -c .); ");
-    for (const QString &line : stdOut.split('\n', Qt::SkipEmptyParts)) {
+        const QString confFile =
-        if (line.startsWith(QLatin1String("PORT_OK="))) {
+                isTelemt ? QStringLiteral("/data/config.toml") : QStringLiteral("/data/proxy-multi.conf");
-            out.portReachable = line.mid(8).trimmed() == QLatin1String("yes");
+        const QString statsUrl = QString();
-        } else if (line.startsWith(QLatin1String("TG_OK="))) {
+
-            out.upstreamReachable = line.mid(6).trimmed() == QLatin1String("yes");
+        const QString script = QStringLiteral("CN=") + containerName + QStringLiteral("; ")
-        } else if (line.startsWith(QLatin1String("CLIENTS="))) {
+                + QStringLiteral("PORT_OK=$(sudo ss -tlnp 2>/dev/null | grep -q :") + QString::number(listenPort)
-            out.clientsConnected = line.mid(8).trimmed().toInt();
+                + QStringLiteral(" && echo yes || echo no); ")
-        } else if (line.startsWith(QLatin1String("CONF_TIME="))) {
+                + QStringLiteral("TG_OK=$(curl -s --max-time 5 -o /dev/null -w '%{http_code}' "
-            out.lastConfigRefresh = line.mid(10).trimmed();
+                                 "https://core.telegram.org/getProxySecret 2>/dev/null | grep -q '200' && echo yes || "
-        } else if (line.startsWith(QLatin1String("STATS="))) {
+                                 "echo no); ")
-            out.statsEndpoint = line.mid(6).trimmed();
+                + clientsCmd + QStringLiteral("CONF_TIME=$(sudo docker exec \"$CN\" sh -c 'stat -c \"%y\" ") + confFile
+                + QStringLiteral(" 2>/dev/null | cut -d. -f1' 2>/dev/null || echo unknown); ")
+                + QStringLiteral("echo \"PORT_OK=${PORT_OK}\"; ") + QStringLiteral("echo \"TG_OK=${TG_OK}\"; ")
+                + QStringLiteral("echo \"CLIENTS=${CLIENTS:-0}\"; ") + QStringLiteral("echo \"CONF_TIME=${CONF_TIME}\"; ")
+                + QStringLiteral("echo \"STATS=") + statsUrl + QStringLiteral("\";");
+
+        QString stdOut;
+        auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
+            stdOut += data;
+            return ErrorCode::NoError;
+        };
+        const ErrorCode errorCode = sshSession.runScript(credentials, script, cbReadStdOut);
+        if (errorCode != ErrorCode::NoError) {
+            return errorCode;
         }
+        for (const QString &line : stdOut.split('\n', Qt::SkipEmptyParts)) {
+            if (line.startsWith(QLatin1String("PORT_OK="))) {
+                out.portReachable = line.mid(8).trimmed() == QLatin1String("yes");
+            } else if (line.startsWith(QLatin1String("TG_OK="))) {
+                out.upstreamReachable = line.mid(6).trimmed() == QLatin1String("yes");
+            } else if (line.startsWith(QLatin1String("CLIENTS="))) {
+                out.clientsConnected = line.mid(8).trimmed().toInt();
+            } else if (line.startsWith(QLatin1String("CONF_TIME="))) {
+                out.lastConfigRefresh = line.mid(10).trimmed();
+            } else if (line.startsWith(QLatin1String("STATS="))) {
+                out.statsEndpoint = line.mid(6).trimmed();
+            }
+        }
+        return ErrorCode::NoError;
     }
-    return ErrorCode::NoError;
+
+    return ErrorCode::InternalError;
 }
 
 void MtProxyInstaller::uploadClientSettingsSnapshot(SshSession &sshSession, const ServerCredentials &credentials,

client/core/protocols/xrayProtocol.cpp

@@ -9,13 +9,10 @@
 #include "ipc.h"
 
 #include <QCryptographicHash>
-#include <QJsonArray>
 #include <QJsonDocument>
 #include <QTimer>
 #include <QJsonObject>
 #include <QNetworkInterface>
-#include <QNetworkProxy>
-#include <QTcpSocket>
 #include <QtCore/qlogging.h>
 #include <QtCore/qobjectdefs.h>
 #include <QtCore/qprocess.h>
@@ -59,28 +56,6 @@ XrayProtocol::XrayProtocol(const QJsonObject &configuration, QObject *parent) :
         qWarning() << "Xray config string is not a valid JSON object";
         m_xrayConfig = {};
     }
-
-    m_serverPort = extractServerPort();
-}
-
-int XrayProtocol::extractServerPort() const
-{
-    const QJsonArray outbounds = m_xrayConfig.value(amnezia::protocols::xray::outbounds).toArray();
-    if (outbounds.isEmpty())
-        return 0;
-
-    const QJsonObject settings = outbounds.first().toObject().value(amnezia::protocols::xray::settings).toObject();
-
-    QJsonArray servers;
-    if (settings.contains(amnezia::protocols::xray::vnext))
-        servers = settings.value(amnezia::protocols::xray::vnext).toArray();
-    else if (settings.contains(amnezia::protocols::xray::servers))
-        servers = settings.value(amnezia::protocols::xray::servers).toArray();
-
-    if (servers.isEmpty())
-        return 0;
-
-    return servers.first().toObject().value(amnezia::protocols::xray::port).toInt();
 }
 
 XrayProtocol::~XrayProtocol()
@@ -93,13 +68,6 @@ ErrorCode XrayProtocol::start()
 {
     qDebug() << "XrayProtocol::start()";
 
-    m_connectivityProbeStarted = false;
-
-    if (!probeServerReachable()) {
-        qCritical() << "XrayProtocol: VPN server" << m_remoteAddress << "is unreachable";
-        return ErrorCode::XrayServerUnreachable;
-    }
-
     // Inject SOCKS5 auth into the inbound before starting xray.
     // Re-uses existing credentials if the config already has them (e.g. imported config).
     amnezia::serialization::inbounds::InboundCredentials creds;
@@ -136,50 +104,22 @@ ErrorCode XrayProtocol::start()
         qDebug() << "XrayProtocol: patched legacy inbound listen address to 127.0.0.1";
     }
 
-    startTimeoutTimer();
-
     return IpcClient::withInterface(
             [&](QSharedPointer<IpcInterfaceReplica> iface) {
                 auto xrayStart = iface->xrayStart(xrayConfigStr);
                 if (!xrayStart.waitForFinished() || !xrayStart.returnValue()) {
                     qCritical() << "Failed to start xray";
-                    stopTimeoutTimer();
                     return ErrorCode::XrayExecutableCrashed;
                 }
                 return startTun2Socks();
             },
-            [this]() {
+            []() { return ErrorCode::AmneziaServiceConnectionFailed; });
-                stopTimeoutTimer();
-                return ErrorCode::AmneziaServiceConnectionFailed;
-            });
 }
 
 void XrayProtocol::stop()
 {
     qDebug() << "XrayProtocol::stop()";
 
-    stopTimeoutTimer();
-    stopLivenessMonitor();
-
-    if (m_tun2socksProcess) {
-        m_tun2socksProcess->blockSignals(true);
-
-#ifndef Q_OS_WIN
-        m_tun2socksProcess->terminate();
-        auto waitForFinished = m_tun2socksProcess->waitForFinished(1000);
-        if (!waitForFinished.waitForFinished() || !waitForFinished.returnValue()) {
-            qWarning() << "Failed to terminate tun2socks. Killing the process...";
-            m_tun2socksProcess->kill();
-            m_tun2socksProcess->waitForFinished(1000);
-        }
-#else
-        m_tun2socksProcess->kill();
-#endif
-
-        m_tun2socksProcess->close();
-        m_tun2socksProcess.reset();
-    }
-
     IpcClient::withInterface([](QSharedPointer<IpcInterfaceReplica> iface) {
         auto disableKillSwitch = iface->disableKillSwitch();
         if (!disableKillSwitch.waitForFinished() || !disableKillSwitch.returnValue())
@@ -202,13 +142,31 @@ void XrayProtocol::stop()
             qWarning() << "Failed to stop xray";
     });
 
+    if (m_tun2socksProcess) {
+        m_tun2socksProcess->blockSignals(true);
+
+#ifndef Q_OS_WIN
+        m_tun2socksProcess->terminate();
+        auto waitForFinished = m_tun2socksProcess->waitForFinished(1000);
+        if (!waitForFinished.waitForFinished() || !waitForFinished.returnValue()) {
+            qWarning() << "Failed to terminate tun2socks. Killing the process...";
+            m_tun2socksProcess->kill();
+        }
+#else
+        // terminate does not do anything useful on Windows
+        // so just kill the process
+        m_tun2socksProcess->kill();
+#endif
+
+        m_tun2socksProcess->close();
+        m_tun2socksProcess.reset();
+    }
+
     setConnectionState(Vpn::ConnectionState::Disconnected);
 }
 
 ErrorCode XrayProtocol::startTun2Socks()
 {
-    m_tunResourceBusy = false;
-
     m_tun2socksProcess = IpcClient::CreatePrivilegedProcess();
     if (!m_tun2socksProcess->waitForSource()) {
         return ErrorCode::AmneziaServiceConnectionFailed;
@@ -233,31 +191,15 @@ ErrorCode XrayProtocol::startTun2Socks()
                 if (!line.contains("[TCP]") && !line.contains("[UDP]"))
                     qDebug() << "[tun2socks]:" << line;
 
-                if (line.contains("resource busy"))
+                if (line.contains("[STACK] tun://") && line.contains("<-> socks5://")) {
-                    m_tunResourceBusy = true;
-
-                if (line.contains("[STACK] tun://") && line.contains("<-> socks5://") && !m_connectivityProbeStarted) {
-                    m_connectivityProbeStarted = true;
                     disconnect(m_tun2socksProcess.data(), &IpcProcessInterfaceReplica::readyReadStandardOutput, this, nullptr);
-                    disconnect(m_tun2socksProcess.data(), &IpcProcessInterfaceReplica::readyReadStandardError, this, nullptr);
 
-                    runConnectivityProbe([this](bool ok) {
+                    if (ErrorCode res = setupRouting(); res != ErrorCode::NoError) {
-                        if (!ok) {
+                        stop();
-                            qCritical() << "Xray connectivity probe failed: no traffic flows through the tunnel";
+                        setLastError(res);
-                            stop();
+                    } else {
-                            setLastError(ErrorCode::XrayConnectivityCheckFailed);
+                        setConnectionState(Vpn::ConnectionState::Connected);
-                            return;
+                    }
-                        }
-
-                        if (ErrorCode res = setupRouting(); res != ErrorCode::NoError) {
-                            stop();
-                            setLastError(res);
-                        } else {
-                            stopTimeoutTimer();
-                            setConnectionState(Vpn::ConnectionState::Connected);
-                            startLivenessMonitor();
-                        }
-                    });
                 }
             },
             Qt::QueuedConnection);
@@ -265,7 +207,15 @@ ErrorCode XrayProtocol::startTun2Socks()
     connect(
             m_tun2socksProcess.data(), &IpcProcessInterfaceReplica::finished, this,
             [this](int exitCode, QProcess::ExitStatus exitStatus) {
-                const bool resourceBusy = m_tunResourceBusy;
+                // Check stdout for "resource busy" — the TUN device was not yet released
+                // by the previous tun2socks instance. Retry after a short delay.
+                bool resourceBusy = false;
+                if (m_tun2socksProcess) {
+                    auto readOut = m_tun2socksProcess->readAllStandardOutput();
+                    if (readOut.waitForFinished()) {
+                        resourceBusy = readOut.returnValue().contains("resource busy");
+                    }
+                }
 
                 if (resourceBusy && m_tun2socksRetryCount < maxTun2SocksRetries) {
                     m_tun2socksRetryCount++;
@@ -381,98 +331,3 @@ ErrorCode XrayProtocol::setupRouting()
             },
             []() { return ErrorCode::AmneziaServiceConnectionFailed; });
 }
-
-bool XrayProtocol::probeServerReachable()
-{
-    if (m_remoteAddress.isEmpty() || m_serverPort <= 0) {
-        qWarning() << "XrayProtocol: skipping server reachability probe (address/port unknown)";
-        return true;
-    }
-
-    QTcpSocket sock;
-    sock.connectToHost(m_remoteAddress, static_cast<quint16>(m_serverPort));
-    const bool ok = sock.waitForConnected(m_serverProbeTimeoutMs);
-    if (!ok) {
-        qWarning() << "XrayProtocol: server" << m_remoteAddress << ":" << m_serverPort
-                   << "unreachable:" << sock.errorString();
-    }
-    sock.abort();
-    return ok;
-}
-
-void XrayProtocol::runConnectivityProbe(std::function<void(bool)> onResult)
-{
-    if (m_remoteAddress.isEmpty() || m_serverPort <= 0) {
-        qWarning() << "XrayProtocol: connectivity probe skipped (server address/port unknown)";
-        onResult(true);
-        return;
-    }
-
-    auto *sock = new QTcpSocket(this);
-
-    QNetworkProxy proxy(QNetworkProxy::Socks5Proxy, QStringLiteral("127.0.0.1"),
-                        static_cast<quint16>(m_socksPort), m_socksUser, m_socksPassword);
-    proxy.setCapabilities(QNetworkProxy::TunnelingCapability | QNetworkProxy::HostNameLookupCapability);
-    sock->setProxy(proxy);
-
-    auto *timeout = new QTimer(this);
-    timeout->setSingleShot(true);
-
-    auto done = QSharedPointer<bool>::create(false);
-
-    auto finish = [=](bool ok) {
-        if (*done)
-            return;
-        *done = true;
-        timeout->stop();
-        timeout->deleteLater();
-        sock->abort();
-        sock->deleteLater();
-        onResult(ok);
-    };
-
-    connect(sock, &QTcpSocket::connected, this, [=]() { finish(true); });
-    connect(sock, &QAbstractSocket::errorOccurred, this, [=](QAbstractSocket::SocketError) { finish(false); });
-    connect(timeout, &QTimer::timeout, this, [=]() { finish(false); });
-
-    timeout->start(m_connectivityProbeTimeoutMs);
-    sock->connectToHost(m_remoteAddress, static_cast<quint16>(m_serverPort));
-}
-
-void XrayProtocol::startLivenessMonitor()
-{
-    if (!m_livenessTimer) {
-        m_livenessTimer = new QTimer(this);
-        connect(m_livenessTimer, &QTimer::timeout, this, [this]() {
-            if (connectionState() != Vpn::ConnectionState::Connected)
-                return;
-
-            runConnectivityProbe([this](bool ok) {
-                if (connectionState() != Vpn::ConnectionState::Connected)
-                    return;
-
-                if (ok) {
-                    m_livenessFailures = 0;
-                } else if (++m_livenessFailures >= m_maxLivenessFailures) {
-                    qCritical() << "XrayProtocol: liveness check failed" << m_livenessFailures
-                                << "times in a row, the tunnel is dead";
-                    stop();
-                    setLastError(ErrorCode::XrayConnectionLost);
-                } else {
-                    qWarning() << "XrayProtocol: liveness check failed (" << m_livenessFailures << "/"
-                               << m_maxLivenessFailures << ")";
-                }
-            });
-        });
-    }
-
-    m_livenessFailures = 0;
-    m_livenessTimer->start(m_livenessIntervalMs);
-}
-
-void XrayProtocol::stopLivenessMonitor()
-{
-    if (m_livenessTimer)
-        m_livenessTimer->stop();
-    m_livenessFailures = 0;
-}

client/core/protocols/xrayProtocol.h

@@ -6,16 +6,12 @@
 #include <QHostAddress>
 #include <QList>
 
-#include <functional>
-
 #include "core/utils/errorCodes.h"
 #include "core/utils/routeModes.h"
 #include "core/utils/commonStructs.h"
 #include "core/utils/ipcClient.h"
 #include "vpnProtocol.h"
 
-class QTimer;
-
 class XrayProtocol : public VpnProtocol
 {
 public:
@@ -29,17 +25,10 @@ private:
     ErrorCode setupRouting();
     ErrorCode startTun2Socks();
 
-    bool probeServerReachable();
-    void runConnectivityProbe(std::function<void(bool)> onResult);
-    void startLivenessMonitor();
-    void stopLivenessMonitor();
-    int extractServerPort() const;
-
     QJsonObject m_xrayConfig;
     amnezia::RouteMode m_routeMode;
     QList<QHostAddress> m_dnsServers;
     QString m_remoteAddress;
-    int m_serverPort = 0;
 
     QString m_socksUser;
     QString m_socksPassword;
@@ -49,22 +38,6 @@ private:
     int m_tun2socksRetryCount = 0;
     static constexpr int maxTun2SocksRetries = 5;
     static constexpr int tun2socksRetryDelayMs = 400;
-
-    bool m_connectivityProbeStarted = false;
-    bool m_tunResourceBusy = false;
-
-    QTimer *m_livenessTimer = nullptr;
-    int m_livenessFailures = 0;
-
-    static constexpr int defaultServerProbeTimeoutMs = 5000;
-    static constexpr int defaultConnectivityProbeTimeoutMs = 7000;
-    static constexpr int defaultLivenessIntervalMs = 15000;
-    static constexpr int defaultMaxLivenessFailures = 3;
-
-    int m_serverProbeTimeoutMs = defaultServerProbeTimeoutMs;
-    int m_connectivityProbeTimeoutMs = defaultConnectivityProbeTimeoutMs;
-    int m_livenessIntervalMs = defaultLivenessIntervalMs;
-    int m_maxLivenessFailures = defaultMaxLivenessFailures;
 };
 
 #endif // XRAYPROTOCOL_H

client/core/utils/constants/protocolConstants.h

@@ -271,6 +271,7 @@ namespace amnezia
             constexpr char workersModeAuto[]       = "auto";
             constexpr char workersModeManual[]     = "manual";
             constexpr int  maxWorkers              = 32;
+            constexpr int  botTagHexLength         = 32;
         }
 
     } // namespace protocols

client/core/utils/errorCodes.h

@@ -71,9 +71,6 @@ namespace amnezia
         OpenSslFailed = 800,
         XrayExecutableCrashed = 803,
         Tun2SockExecutableCrashed = 804,
-        XrayServerUnreachable = 805,
-        XrayConnectivityCheckFailed = 806,
-        XrayConnectionLost = 807,
 
         // import and install errors
         ImportInvalidConfigError = 900,

client/core/utils/errorStrings.cpp

@@ -59,9 +59,6 @@ QString errorString(ErrorCode code) {
     case (ErrorCode::OpenVpnExecutableMissing): errorMessage = QObject::tr("OpenVPN executable missing"); break;
     case (ErrorCode::AmneziaServiceConnectionFailed): errorMessage = QObject::tr("Amnezia helper service error"); break;
     case (ErrorCode::OpenSslFailed): errorMessage = QObject::tr("OpenSSL failed"); break;
-    case (ErrorCode::XrayServerUnreachable): errorMessage = QObject::tr("Can't connect: the VPN server is unreachable"); break;
-    case (ErrorCode::XrayConnectivityCheckFailed): errorMessage = QObject::tr("Can't connect: no internet traffic flows through the tunnel"); break;
-    case (ErrorCode::XrayConnectionLost): errorMessage = QObject::tr("Connection lost: traffic stopped flowing through the tunnel"); break;
 
     // VPN errors
     case (ErrorCode::OpenVpnAdaptersInUseError): errorMessage = QObject::tr("Can't connect: another VPN connection is active"); break;

client/core/utils/selfhosted/scriptsRegistry.cpp

@@ -50,6 +50,7 @@ QString amnezia::scriptName(SharedScriptType type)
     switch (type) {
     case SharedScriptType::prepare_host: return QLatin1String("prepare_host.sh");
     case SharedScriptType::install_docker: return QLatin1String("install_docker.sh");
+    case SharedScriptType::install_conntrack: return QLatin1String("install_conntrack.sh");
     case SharedScriptType::build_container: return QLatin1String("build_container.sh");
     case SharedScriptType::remove_container: return QLatin1String("remove_container.sh");
     case SharedScriptType::remove_all_containers: return QLatin1String("remove_all_containers.sh");
@@ -366,6 +367,14 @@ amnezia::ScriptVars amnezia::genTelemtVars(const ContainerConfig &containerConfi
         vars.append({ { "$TELEMT_USE_MIDDLE_PROXY", c.useMiddleProxy ? QLatin1String("true") : QLatin1String("false") } });
         vars.append({ { "$TELEMT_MASK", c.maskEnabled ? QLatin1String("true") : QLatin1String("false") } });
         vars.append({ { "$TELEMT_TLS_EMULATION", c.tlsEmulation ? QLatin1String("true") : QLatin1String("false") } });
+
+        QStringList additionalList;
+        for (const QString &s : c.additionalSecrets) {
+            if (!s.isEmpty()) {
+                additionalList << s;
+            }
+        }
+        vars.append({ { "$TELEMT_ADDITIONAL_SECRETS", additionalList.join(QLatin1Char(',')) } });
     }
 
     return vars;

client/core/utils/selfhosted/scriptsRegistry.h

@@ -21,6 +21,7 @@ enum SharedScriptType {
     // General scripts
     prepare_host,
     install_docker,
+    install_conntrack,
     build_container,
     remove_container,
     remove_all_containers,

client/daemon/daemonlocalserver.cpp

@@ -8,7 +8,6 @@
 #include <QFileInfo>
 #include <QLocalSocket>
 
-#include "daemon.h"
 #include "daemonlocalserverconnection.h"
 #include "leakdetector.h"
 #include "logger.h"
@@ -59,11 +58,8 @@ bool DaemonLocalServer::initialize() {
 
     DaemonLocalServerConnection* connection =
         new DaemonLocalServerConnection(&m_server, socket);
-    connect(socket, &QLocalSocket::disconnected, connection, [connection]() {
+    connect(socket, &QLocalSocket::disconnected, connection,
-      logger.debug() << "Client connection dropped, deactivating daemon";
+            &DaemonLocalServerConnection::deleteLater);
-      Daemon::instance()->deactivate(true);
-      connection->deleteLater();
-    });
   });
 
   return true;

client/server_scripts/install_conntrack.sh

@@ -0,0 +1,10 @@
+if command -v conntrack > /dev/null 2>&1; then echo "conntrack already installed"; exit 0; fi;\
+if which apt-get > /dev/null 2>&1; then pm=$(which apt-get); silent_inst="-yq install --install-recommends"; check_pkgs="-yq update"; conntrack_pkg="conntrack"; dist="debian";\
+elif which dnf > /dev/null 2>&1; then pm=$(which dnf); silent_inst="-yq install"; check_pkgs="-yq check-update"; conntrack_pkg="conntrack-tools"; dist="fedora";\
+elif which yum > /dev/null 2>&1; then pm=$(which yum); silent_inst="-y -q install"; check_pkgs="-y -q check-update"; conntrack_pkg="conntrack-tools"; dist="centos";\
+elif which zypper > /dev/null 2>&1; then pm=$(which zypper); silent_inst="-nq install"; check_pkgs="-nq refresh"; conntrack_pkg="conntrack-tools"; dist="opensuse";\
+elif which pacman > /dev/null 2>&1; then pm=$(which pacman); silent_inst="-S --noconfirm --noprogressbar --quiet"; check_pkgs="-Sup"; conntrack_pkg="conntrack-tools"; dist="archlinux";\
+else echo "Packet manager not found"; exit 0; fi;\
+if [ "$dist" = "debian" ]; then export DEBIAN_FRONTEND=noninteractive; fi;\
+sudo $pm $check_pkgs; sudo $pm $silent_inst $conntrack_pkg;\
+command -v conntrack > /dev/null 2>&1 && echo "conntrack installed" || echo "conntrack install failed"

client/server_scripts/remove_all_containers.sh

@@ -1,6 +1,6 @@
 sudo docker ps -a | grep amnezia | awk '{print $1}' | xargs sudo docker stop;\
 sudo docker ps -a | grep amnezia | awk '{print $1}' | xargs sudo docker rm -fv;\
 sudo docker images -a --format table | grep amnezia | awk '{print $3, $1 ":" $2}' | xargs sudo docker rmi;\
-sudo docker volume ls | grep amnezia | awk '{print $2}' | xargs sudo docker volume rm -f;\
+sudo docker volume ls --format '{{.Name}}' | grep '^amnezia-' | xargs -r sudo docker volume rm -f;\
 sudo docker network ls | grep amnezia-dns-net | awk '{print $1}' | xargs sudo docker network rm;\
 sudo rm -frd /opt/amnezia

client/server_scripts/serverScripts.qrc

@@ -18,6 +18,7 @@
         <file>dns/Dockerfile</file>
         <file>dns/run_container.sh</file>
         <file>install_docker.sh</file>
+        <file>install_conntrack.sh</file>
         <file>ipsec/configure_container.sh</file>
         <file>ipsec/Dockerfile</file>
         <file>ipsec/mobileconfig.plist</file>

client/server_scripts/telemt/configure_container.sh

@@ -61,6 +61,12 @@ rm -f /data/config.toml
     echo ""
     echo "[access.users]"
     echo "$TELEMT_USER_NAME = \"$SECRET\""
+    i=1
+    for EXTRA in $(echo "$TELEMT_ADDITIONAL_SECRETS" | tr ',' ' '); do
+        echo "$EXTRA" | grep -qE '^[0-9a-fA-F]{32}$' || continue
+        echo "extra_$i = \"$EXTRA\""
+        i=$((i + 1))
+    done
 } > /data/config.toml
 
 echo "$SECRET" > /data/secret

client/ui/controllers/selfhosted/installUiController.cpp

@@ -9,6 +9,7 @@
 #include <QStandardPaths>
 #include <QFutureWatcher>
 #include <QtConcurrent>
+#include <utility>
 
 #include "core/utils/api/apiUtils.h"
 #include "core/controllers/selfhosted/installController.h"
@@ -359,17 +360,27 @@ void InstallUiController::setContainerEnabled(const QString &serverId, int conta
     }
 
     emit serverIsBusy(true);
-    const ErrorCode errorCode = m_installController->setDockerContainerEnabledState(serverId, container, enabled);
-    emit serverIsBusy(false);
 
-    if (errorCode == ErrorCode::NoError) {
+    InstallController *installController = m_installController;
-        const ContainerConfig currentConfig = m_serversController->getContainerConfig(serverId, container);
+    auto *watcher = new QFutureWatcher<ErrorCode>(this);
-        m_protocolModel->updateModel(currentConfig);
+    QObject::connect(watcher, &QFutureWatcher<ErrorCode>::finished, this,
-        emit setContainerEnabledFinished(enabled);
+                     [this, watcher, serverId, container, enabled]() {
-        return;
+                         const ErrorCode errorCode = watcher->result();
-    }
+                         watcher->deleteLater();
+                         emit serverIsBusy(false);
 
-    emit installationErrorOccurred(errorCode);
+                         if (errorCode == ErrorCode::NoError) {
+                             const ContainerConfig currentConfig = m_serversController->getContainerConfig(serverId, container);
+                             m_protocolModel->updateModel(currentConfig);
+                             emit setContainerEnabledFinished(enabled);
+                             return;
+                         }
+                         emit installationErrorOccurred(errorCode);
+                     });
+    QFuture<ErrorCode> future = QtConcurrent::run([installController, serverId, container, enabled]() -> ErrorCode {
+        return installController->setDockerContainerEnabledState(serverId, container, enabled);
+    });
+    watcher->setFuture(future);
 }
 
 void InstallUiController::refreshContainerStatus(const QString &serverId, int containerIndex)
@@ -379,13 +390,23 @@ void InstallUiController::refreshContainerStatus(const QString &serverId, int co
         return;
     }
 
-    int status = 3;
+    using StatusResult = std::pair<int, int>; // {status, errorCode}
-    const ErrorCode errorCode = m_installController->queryDockerContainerStatus(serverId, container, status);
+    InstallController *installController = m_installController;
-    if (errorCode != ErrorCode::NoError) {
+    auto *watcher = new QFutureWatcher<StatusResult>(this);
-        emit containerStatusRefreshed(3);
+    QObject::connect(watcher, &QFutureWatcher<StatusResult>::finished, this, [this, watcher]() {
-        return;
+        const StatusResult result = watcher->result();
-    }
+        watcher->deleteLater();
-    emit containerStatusRefreshed(status);
+        emit containerStatusRefreshed(result.first, result.second);
+    });
+    QFuture<StatusResult> future = QtConcurrent::run([installController, serverId, container]() -> StatusResult {
+        int status = 3;
+        const ErrorCode errorCode = installController->queryDockerContainerStatus(serverId, container, status);
+        if (errorCode != ErrorCode::NoError) {
+            return { 3, static_cast<int>(errorCode) };
+        }
+        return { status, static_cast<int>(ErrorCode::NoError) };
+    });
+    watcher->setFuture(future);
 }
 
 void InstallUiController::refreshContainerDiagnostics(const QString &serverId, int containerIndex, int port)
@@ -395,14 +416,27 @@ void InstallUiController::refreshContainerDiagnostics(const QString &serverId, i
         return;
     }
 
-    MtProxyContainerDiagnostics diag;
+    using DiagResult = std::pair<bool, MtProxyContainerDiagnostics>;
-    const ErrorCode errorCode = m_installController->queryMtProxyDiagnostics(serverId, container, port, diag);
+    InstallController *installController = m_installController;
-    if (errorCode != ErrorCode::NoError) {
+    auto *watcher = new QFutureWatcher<DiagResult>(this);
-        emit containerDiagnosticsRefreshed(false, false, -1, QString(), QString());
+    QObject::connect(watcher, &QFutureWatcher<DiagResult>::finished, this, [this, watcher]() {
-        return;
+        const DiagResult result = watcher->result();
-    }
+        watcher->deleteLater();
-    emit containerDiagnosticsRefreshed(diag.portReachable, diag.upstreamReachable, diag.clientsConnected,
+        if (!result.first) {
-                                       diag.lastConfigRefresh, diag.statsEndpoint);
+            emit containerDiagnosticsRefreshed(false, false, -1, QString(), QString());
+            return;
+        }
+        const MtProxyContainerDiagnostics &diag = result.second;
+        emit containerDiagnosticsRefreshed(diag.portReachable, diag.upstreamReachable, diag.clientsConnected,
+                                           diag.lastConfigRefresh, diag.statsEndpoint);
+    });
+    QFuture<DiagResult> future =
+            QtConcurrent::run([installController, serverId, container, port]() -> DiagResult {
+                MtProxyContainerDiagnostics diag;
+                const ErrorCode errorCode = installController->queryMtProxyDiagnostics(serverId, container, port, diag);
+                return { errorCode == ErrorCode::NoError, diag };
+            });
+    watcher->setFuture(future);
 }
 
 void InstallUiController::fetchContainerSecret(const QString &serverId, int containerIndex)
@@ -412,8 +446,17 @@ void InstallUiController::fetchContainerSecret(const QString &serverId, int cont
         return;
     }
 
-    const QString secret = m_installController->fetchDockerContainerSecret(serverId, container);
+    InstallController *installController = m_installController;
-    emit containerSecretFetched(secret);
+    auto *watcher = new QFutureWatcher<QString>(this);
+    QObject::connect(watcher, &QFutureWatcher<QString>::finished, this, [this, watcher]() {
+        const QString secret = watcher->result();
+        watcher->deleteLater();
+        emit containerSecretFetched(secret);
+    });
+    QFuture<QString> future = QtConcurrent::run([installController, serverId, container]() -> QString {
+        return installController->fetchDockerContainerSecret(serverId, container);
+    });
+    watcher->setFuture(future);
 }
 
 void InstallUiController::rebootServer(const QString &serverId)

client/ui/controllers/selfhosted/installUiController.h

@@ -114,7 +114,7 @@ signals:
     void removeAllContainersFinished(const QString &finishedMessage);
     void removeContainerFinished(const QString &finishedMessage);
     void setContainerEnabledFinished(bool enabled);
-    void containerStatusRefreshed(int status);
+    void containerStatusRefreshed(int status, int errorCode);
     void containerDiagnosticsRefreshed(bool portReachable, bool upstreamReachable, int clientsConnected,
                                        const QString &lastConfigRefresh, const QString &statsEndpoint);
     void containerSecretFetched(const QString &secret);

client/ui/models/services/mtProxyConfigModel.cpp

@@ -8,8 +8,6 @@
 #include "core/utils/constants/configKeys.h"
 #include "qrcodegen.hpp"
 
-#include <QClipboard>
-#include <QGuiApplication>
 #include <QHostAddress>
 #include <QRegExp>
 #include <QRegularExpression>
@@ -332,7 +330,7 @@ void MtProxyConfigModel::removeAdditionalSecret(int idx) {
 QVariantList MtProxyConfigModel::additionalSecretsList() const {
     QVariantList out;
     out.reserve(m_protocolConfig.additionalSecrets.size());
-    for (const auto &s: m_protocolConfig.additionalSecrets) {
+    for (const auto &s : m_protocolConfig.additionalSecrets) {
         if (!s.isEmpty()) {
             out.append(s);
         }
@@ -398,6 +396,9 @@ bool MtProxyConfigModel::isValidPublicHost(const QString &host) const {
         return NetworkUtilities::checkIPv4Format(t);
     }
     if (a.protocol() == QHostAddress::IPv6Protocol) {
+        if (a.isNull() || a.isLoopback() || a == QHostAddress(QHostAddress::AnyIPv6)) {
+            return false;
+        }
         return true;
     }
     static const QRegularExpression onlyAsciiDigits(QStringLiteral(R"(^\d+$)"));
@@ -504,20 +505,12 @@ bool MtProxyConfigModel::isValidFakeTlsDomain(const QString &domain) const {
     if (!re.exactMatch(t)) {
         return false;
     }
-    // ee + 32 hex (base secret) + hex(UTF-8 domain); keep headroom under typical client limits.
     if (t.toUtf8().size() > 111) {
         return false;
     }
     return true;
 }
 
-QString MtProxyConfigModel::clipboardText() const {
-    if (QClipboard *c = QGuiApplication::clipboard()) {
-        return c->text();
-    }
-    return QString();
-}
-
 QString MtProxyConfigModel::sanitizeFakeTlsDomainFieldText(const QString &input) const {
     const QString t = normalizeFakeTlsDomainInput(input);
     QString out;
@@ -578,7 +571,6 @@ QString MtProxyConfigModel::sanitizeMtProxyTagFieldText(const QString &input) co
     if (trimmed.startsWith(QLatin1String("0x"), Qt::CaseInsensitive)) {
         trimmed = trimmed.mid(2).trimmed();
     }
-    // Prefer a contiguous 32-hex run (paste from bot message with extra text).
     static const QRegularExpression runHex(QStringLiteral(R"(([0-9a-fA-F]{32}))"));
     const QRegularExpressionMatch m = runHex.match(trimmed);
     if (m.hasMatch()) {
@@ -599,18 +591,6 @@ QString MtProxyConfigModel::sanitizeMtProxyTagFieldText(const QString &input) co
     return out;
 }
 
-QString MtProxyConfigModel::sanitizeWorkersFieldText(const QString &input) const {
-    QString out;
-    out.reserve(qMin(input.size(), 3));
-    for (const QChar &c: input) {
-        const ushort u = c.unicode();
-        if (u >= '0' && u <= '9' && out.size() < 3) {
-            out.append(c);
-        }
-    }
-    return out;
-}
-
 QString MtProxyConfigModel::sanitizeOptionalIpv4FieldText(const QString &input) const {
     QString out;
     out.reserve(qMin(input.size(), 15));

client/ui/models/services/mtProxyConfigModel.h

@@ -128,16 +128,12 @@ public slots:
 
     Q_INVOKABLE bool isFakeTlsDomainInputAllowed(const QString &text) const;
 
-    Q_INVOKABLE QString clipboardText() const;
-
     Q_INVOKABLE QString sanitizePublicHostFieldText(const QString &input) const;
 
     Q_INVOKABLE QString sanitizePortFieldText(const QString &input) const;
 
     Q_INVOKABLE QString sanitizeMtProxyTagFieldText(const QString &input) const;
 
-    Q_INVOKABLE QString sanitizeWorkersFieldText(const QString &input) const;
-
     Q_INVOKABLE QString sanitizeOptionalIpv4FieldText(const QString &input) const;
 
     Q_INVOKABLE bool isFakeTlsDomainTypingIncomplete(const QString &text) const;

client/ui/models/services/telemtConfigModel.cpp

@@ -1,7 +1,13 @@
 #include "telemtConfigModel.h"
 
-#include <QRegularExpression>
+#include "ui/models/utils/mtproxy_public_host_input.h"
 
+#include <QHostAddress>
+#include <QRegExp>
+#include <QRegularExpression>
+#include <qqml.h>
+
+#include "core/utils/networkUtilities.h"
 #include "core/utils/qrCodeUtils.h"
 #include "core/utils/constants/configKeys.h"
 #include "core/utils/constants/protocolConstants.h"
@@ -9,7 +15,9 @@
 
 using namespace amnezia;
 
-TelemtConfigModel::TelemtConfigModel(QObject *parent) : QAbstractListModel(parent) {}
+TelemtConfigModel::TelemtConfigModel(QObject *parent) : QAbstractListModel(parent) {
+    qmlRegisterType<PublicHostInputValidator>("TelemtConfig", 1, 0, "PublicHostInputValidator");
+}
 
 void TelemtConfigModel::applyDefaults(TelemtProtocolConfig &c) {
     if (c.port.isEmpty()) {
@@ -49,7 +57,11 @@ bool TelemtConfigModel::setData(const QModelIndex &index, const QVariant &value,
             break;
         }
         case Roles::TagRole: {
-            m_protocolConfig.tag = value.toString();
+            const QString tag = sanitizeMtProxyTagFieldText(value.toString());
+            if (!isValidMtProxyTag(tag)) {
+                return false;
+            }
+            m_protocolConfig.tag = tag;
             break;
         }
         case Roles::IsEnabledRole: {
@@ -57,7 +69,11 @@ bool TelemtConfigModel::setData(const QModelIndex &index, const QVariant &value,
             break;
         }
         case Roles::PublicHostRole: {
-            m_protocolConfig.publicHost = value.toString();
+            const QString h = value.toString().trimmed();
+            if (!isValidPublicHost(h)) {
+                return false;
+            }
+            m_protocolConfig.publicHost = h;
             break;
         }
         case Roles::TransportModeRole: {
@@ -65,7 +81,11 @@ bool TelemtConfigModel::setData(const QModelIndex &index, const QVariant &value,
             break;
         }
         case Roles::TlsDomainRole: {
-            m_protocolConfig.tlsDomain = value.toString();
+            const QString d = value.toString().trimmed();
+            if (!isValidFakeTlsDomain(d)) {
+                return false;
+            }
+            m_protocolConfig.tlsDomain = d;
             break;
         }
         case Roles::AdditionalSecretsRole: {
@@ -85,11 +105,19 @@ bool TelemtConfigModel::setData(const QModelIndex &index, const QVariant &value,
             break;
         }
         case Roles::NatInternalIpRole: {
-            m_protocolConfig.natInternalIp = value.toString();
+            const QString ip = value.toString().trimmed();
+            if (!isValidOptionalIpv4(ip)) {
+                return false;
+            }
+            m_protocolConfig.natInternalIp = ip;
             break;
         }
         case Roles::NatExternalIpRole: {
-            m_protocolConfig.natExternalIp = value.toString();
+            const QString ip = value.toString().trimmed();
+            if (!isValidOptionalIpv4(ip)) {
+                return false;
+            }
+            m_protocolConfig.natExternalIp = ip;
             break;
         }
         case Roles::MaskEnabledRole: {
@@ -238,7 +266,7 @@ void TelemtConfigModel::setSecret(const QString &secret) {
 }
 
 bool TelemtConfigModel::validateAndSetSecret(const QString &rawSecret) {
-    if (!QRegularExpression(QStringLiteral("^[0-9a-fA-F]{32}$")).match(rawSecret).hasMatch()) {
+    if (!QRegularExpression("^[0-9a-fA-F]{32}$").match(rawSecret).hasMatch()) {
         return false;
     }
     setData(index(0), rawSecret, SecretRole);
@@ -254,7 +282,11 @@ void TelemtConfigModel::setTag(const QString &tag) {
 }
 
 void TelemtConfigModel::setPublicHost(const QString &host) {
-    setData(index(0), host, PublicHostRole);
+    const QString t = host.trimmed();
+    if (!isValidPublicHost(t)) {
+        return;
+    }
+    setData(index(0), t, PublicHostRole);
 }
 
 void TelemtConfigModel::setTransportMode(const QString &mode) {
@@ -262,13 +294,15 @@ void TelemtConfigModel::setTransportMode(const QString &mode) {
 }
 
 QString TelemtConfigModel::getTransportMode() const {
-    return m_protocolConfig.transportMode.isEmpty() ? QString::fromUtf8(protocols::telemt::transportModeStandard)
+    return m_protocolConfig.transportMode.isEmpty()
-                                                    : m_protocolConfig.transportMode;
+           ? QString(protocols::telemt::transportModeStandard)
+           : m_protocolConfig.transportMode;
 }
 
 QString TelemtConfigModel::getTlsDomain() const {
-    return m_protocolConfig.tlsDomain.isEmpty() ? QString::fromUtf8(protocols::telemt::defaultTlsDomain)
+    return m_protocolConfig.tlsDomain.isEmpty()
-                                                : m_protocolConfig.tlsDomain;
+           ? QString(protocols::telemt::defaultTlsDomain)
+           : m_protocolConfig.tlsDomain;
 }
 
 QString TelemtConfigModel::getPublicHost() const {
@@ -276,7 +310,11 @@ QString TelemtConfigModel::getPublicHost() const {
 }
 
 void TelemtConfigModel::setTlsDomain(const QString &domain) {
-    setData(index(0), domain, TlsDomainRole);
+    const QString t = domain.trimmed();
+    if (!isValidFakeTlsDomain(t)) {
+        return;
+    }
+    setData(index(0), t, TlsDomainRole);
 }
 
 void TelemtConfigModel::setWorkersMode(const QString &mode) {
@@ -292,11 +330,19 @@ void TelemtConfigModel::setNatEnabled(bool enabled) {
 }
 
 void TelemtConfigModel::setNatInternalIp(const QString &ip) {
-    setData(index(0), ip, NatInternalIpRole);
+    const QString t = ip.trimmed();
+    if (!isValidOptionalIpv4(t)) {
+        return;
+    }
+    setData(index(0), t, NatInternalIpRole);
 }
 
 void TelemtConfigModel::setNatExternalIp(const QString &ip) {
-    setData(index(0), ip, NatExternalIpRole);
+    const QString t = ip.trimmed();
+    if (!isValidOptionalIpv4(t)) {
+        return;
+    }
+    setData(index(0), t, NatExternalIpRole);
 }
 
 void TelemtConfigModel::setMaskEnabled(bool enabled) {
@@ -334,6 +380,17 @@ void TelemtConfigModel::removeAdditionalSecret(int idx) {
     emit dataChanged(index(0), index(0), QList<int>{AdditionalSecretsRole});
 }
 
+QVariantList TelemtConfigModel::additionalSecretsList() const {
+    QVariantList out;
+    out.reserve(m_protocolConfig.additionalSecrets.size());
+    for (const auto &s : m_protocolConfig.additionalSecrets) {
+        if (!s.isEmpty()) {
+            out.append(s);
+        }
+    }
+    return out;
+}
+
 void TelemtConfigModel::setEnabled(bool enabled) {
     m_protocolConfig.isEnabled = enabled;
     emit dataChanged(index(0), index(0), QList<int>{IsEnabledRole});
@@ -348,15 +405,15 @@ QString TelemtConfigModel::generateQrCode(const QString &text) {
 }
 
 QString TelemtConfigModel::defaultTlsDomain() const {
-    return QString::fromUtf8(protocols::telemt::defaultTlsDomain);
+    return protocols::telemt::defaultTlsDomain;
 }
 
 QString TelemtConfigModel::defaultPort() const {
-    return QString::fromUtf8(protocols::telemt::defaultPort);
+    return protocols::telemt::defaultPort;
 }
 
 QString TelemtConfigModel::defaultWorkers() const {
-    return QString::fromUtf8(protocols::telemt::defaultWorkers);
+    return protocols::telemt::defaultWorkers;
 }
 
 int TelemtConfigModel::maxWorkers() const {
@@ -364,19 +421,303 @@ int TelemtConfigModel::maxWorkers() const {
 }
 
 QString TelemtConfigModel::transportModeStandard() const {
-    return QString::fromUtf8(protocols::telemt::transportModeStandard);
+    return protocols::telemt::transportModeStandard;
 }
 
 QString TelemtConfigModel::transportModeFakeTLS() const {
-    return QString::fromUtf8(protocols::telemt::transportModeFakeTLS);
+    return protocols::telemt::transportModeFakeTLS;
 }
 
 QString TelemtConfigModel::workersModeAuto() const {
-    return QString::fromUtf8(protocols::telemt::workersModeAuto);
+    return protocols::telemt::workersModeAuto;
 }
 
 QString TelemtConfigModel::workersModeManual() const {
-    return QString::fromUtf8(protocols::telemt::workersModeManual);
+    return protocols::telemt::workersModeManual;
+}
+
+bool TelemtConfigModel::isValidPublicHost(const QString &host) const {
+    const QString t = host.trimmed();
+    if (t.isEmpty()) {
+        return true;
+    }
+    if (t.length() > 253) {
+        return false;
+    }
+    QHostAddress a(t);
+    if (a.protocol() == QHostAddress::IPv4Protocol) {
+        return NetworkUtilities::checkIPv4Format(t);
+    }
+    if (a.protocol() == QHostAddress::IPv6Protocol) {
+        if (a.isNull() || a.isLoopback() || a == QHostAddress(QHostAddress::AnyIPv6)) {
+            return false;
+        }
+        return true;
+    }
+    static const QRegularExpression onlyAsciiDigits(QStringLiteral(R"(^\d+$)"));
+    if (onlyAsciiDigits.match(t).hasMatch()) {
+        return false;
+    }
+    return NetworkUtilities::domainRegExp().exactMatch(t);
+}
+
+bool TelemtConfigModel::isPublicHostInputAllowed(const QString &text) const {
+    return mtproxyPublicHostInputAllowed(text);
+}
+
+bool TelemtConfigModel::isPublicHostTypingIncomplete(const QString &text) const {
+    const QString t = text.trimmed();
+    if (isValidPublicHost(t)) {
+        return false;
+    }
+
+    static const QRegularExpression onlyDigitDot(QStringLiteral(R"(^[0-9.]+$)"));
+    if (onlyDigitDot.match(t).hasMatch()) {
+        if (t.endsWith(QLatin1Char('.'))) {
+            return true;
+        }
+        const QStringList parts = t.split(QLatin1Char('.'), Qt::KeepEmptyParts);
+        if (parts.size() < 4) {
+            return true;
+        }
+        for (const QString &part: parts) {
+            if (part.isEmpty()) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    if (t.contains(QLatin1Char(':'))) {
+        if (t.contains(QLatin1String(":::"))) {
+            return false;
+        }
+        if (t.endsWith(QLatin1Char(':'))) {
+            return true;
+        }
+        QHostAddress a(t);
+        if (a.protocol() == QHostAddress::IPv6Protocol) {
+            return false;
+        }
+        if (!t.contains(QLatin1String("::")) && t.count(QLatin1Char(':')) < 7 && !t.contains(QLatin1Char('.'))) {
+            return true;
+        }
+        return false;
+    }
+
+    if (!t.contains(QLatin1Char('.'))) {
+        return true;
+    }
+
+    return false;
+}
+
+bool TelemtConfigModel::isValidMtProxyTag(const QString &tag) const {
+    if (tag.isEmpty()) {
+        return true;
+    }
+    static const QRegularExpression re(
+            QStringLiteral("^([0-9a-fA-F]{%1})$").arg(protocols::telemt::botTagHexLength));
+    return re.match(tag).hasMatch();
+}
+
+bool TelemtConfigModel::isMtProxyTagTypingIncomplete(const QString &text) const {
+    const QString t = text.trimmed();
+    if (t.isEmpty()) {
+        return true;
+    }
+    static const QRegularExpression hexOnly(QStringLiteral(R"(^[0-9a-fA-F]*$)"));
+    if (!hexOnly.match(t).hasMatch()) {
+        return false;
+    }
+    return t.size() < protocols::telemt::botTagHexLength;
+}
+
+int TelemtConfigModel::mtProxyBotTagHexLength() const {
+    return protocols::telemt::botTagHexLength;
+}
+
+bool TelemtConfigModel::isValidFakeTlsDomain(const QString &domain) const {
+    const QString t = domain.trimmed();
+    if (t.isEmpty()) {
+        return true;
+    }
+    if (t.length() > 253) {
+        return false;
+    }
+    QHostAddress addr;
+    if (addr.setAddress(t)) {
+        return false;
+    }
+    static const QRegularExpression onlyAsciiDigits(QStringLiteral(R"(^\d+$)"));
+    if (onlyAsciiDigits.match(t).hasMatch()) {
+        return false;
+    }
+    QRegExp re(NetworkUtilities::domainRegExp());
+    re.setCaseSensitivity(Qt::CaseInsensitive);
+    if (!re.exactMatch(t)) {
+        return false;
+    }
+    if (t.toUtf8().size() > 111) {
+        return false;
+    }
+    return true;
+}
+
+QString TelemtConfigModel::normalizeFakeTlsDomainInput(const QString &input) const {
+    QString t = input.trimmed();
+    if (t.startsWith(QLatin1String("https://"), Qt::CaseInsensitive)) {
+        t = t.mid(8);
+    } else if (t.startsWith(QLatin1String("http://"), Qt::CaseInsensitive)) {
+        t = t.mid(7);
+    }
+    if (const int slash = t.indexOf(QLatin1Char('/')); slash >= 0) {
+        t = t.left(slash);
+    }
+    if (const int at = t.indexOf(QLatin1Char('@')); at >= 0) {
+        t = t.mid(at + 1);
+    }
+    if (const int colon = t.indexOf(QLatin1Char(':')); colon >= 0) {
+        t = t.left(colon);
+    }
+    if (t.startsWith(QLatin1String("www."), Qt::CaseInsensitive)) {
+        const QString rest = t.mid(4);
+        if (rest.contains(QLatin1Char('.'))) {
+            t = rest;
+        }
+    }
+    return t.trimmed();
+}
+
+bool TelemtConfigModel::isFakeTlsDomainTypingIncomplete(const QString &text) const {
+    const QString t = text.trimmed();
+    if (t.isEmpty()) {
+        return true;
+    }
+    if (isValidFakeTlsDomain(t)) {
+        return false;
+    }
+    if (t.contains(QLatin1Char('/')) || t.contains(QLatin1Char(':')) || t.contains(QLatin1Char('@'))
+        || t.contains(QLatin1Char(' '))) {
+        return false;
+    }
+    if (t.contains(QLatin1String(".."))) {
+        return false;
+    }
+    if (!t.contains(QLatin1Char('.'))) {
+        return true;
+    }
+    if (t.endsWith(QLatin1Char('.'))) {
+        return true;
+    }
+    static const QRegularExpression legalPartial(QStringLiteral(R"(^[a-zA-Z0-9.-]*$)"));
+    if (!legalPartial.match(t).hasMatch()) {
+        return false;
+    }
+    return true;
+}
+
+bool TelemtConfigModel::isFakeTlsDomainInputAllowed(const QString &text) const {
+    if (text.length() > 253) {
+        return false;
+    }
+    static const QRegularExpression re(QStringLiteral(R"(^[a-zA-Z0-9.-]*$)"));
+    return re.match(text).hasMatch();
+}
+
+QString TelemtConfigModel::sanitizeFakeTlsDomainFieldText(const QString &input) const {
+    const QString t = normalizeFakeTlsDomainInput(input);
+    QString out;
+    out.reserve(t.size());
+    for (const QChar &c: t) {
+        const ushort u = c.unicode();
+        const bool letter = (u >= 'a' && u <= 'z') || (u >= 'A' && u <= 'Z');
+        const bool digit = (u >= '0' && u <= '9');
+        if (letter || digit || u == '.' || u == '-') {
+            out.append(c);
+        }
+    }
+    if (out.size() > 253) {
+        out.truncate(253);
+    }
+    return out;
+}
+
+QString TelemtConfigModel::sanitizePublicHostFieldText(const QString &input) const {
+    QString out;
+    const int cap = qMin(input.size(), 253);
+    out.reserve(cap);
+    for (const QChar &c: input) {
+        if (out.size() >= 253) {
+            break;
+        }
+        const ushort u = c.unicode();
+        if ((u >= 'a' && u <= 'z') || (u >= 'A' && u <= 'Z') || (u >= '0' && u <= '9') || u == '.' || u == ':' ||
+            u == '-') {
+            out.append(c);
+        }
+    }
+    return out;
+}
+
+QString TelemtConfigModel::sanitizePortFieldText(const QString &input) const {
+    QString out;
+    out.reserve(qMin(input.size(), 5));
+    for (const QChar &c: input) {
+        const ushort u = c.unicode();
+        if (u >= '0' && u <= '9' && out.size() < 5) {
+            out.append(c);
+        }
+    }
+    return out;
+}
+
+QString TelemtConfigModel::sanitizeMtProxyTagFieldText(const QString &input) const {
+    QString trimmed = input.trimmed();
+    if (trimmed.startsWith(QLatin1String("0x"), Qt::CaseInsensitive)) {
+        trimmed = trimmed.mid(2).trimmed();
+    }
+    static const QRegularExpression runHex(QStringLiteral(R"(([0-9a-fA-F]{32}))"));
+    const QRegularExpressionMatch m = runHex.match(trimmed);
+    if (m.hasMatch()) {
+        return m.captured(1);
+    }
+    const int cap = protocols::telemt::botTagHexLength;
+    QString out;
+    out.reserve(qMin(trimmed.size(), cap));
+    for (const QChar &c: trimmed) {
+        if (out.size() >= cap) {
+            break;
+        }
+        const ushort u = c.unicode();
+        if ((u >= '0' && u <= '9') || (u >= 'a' && u <= 'f') || (u >= 'A' && u <= 'F')) {
+            out.append(c);
+        }
+    }
+    return out;
+}
+
+QString TelemtConfigModel::sanitizeOptionalIpv4FieldText(const QString &input) const {
+    QString out;
+    out.reserve(qMin(input.size(), 15));
+    for (const QChar &c: input) {
+        if (out.size() >= 15) {
+            break;
+        }
+        const ushort u = c.unicode();
+        if ((u >= '0' && u <= '9') || u == '.') {
+            out.append(c);
+        }
+    }
+    return out;
+}
+
+bool TelemtConfigModel::isValidOptionalIpv4(const QString &ip) const {
+    const QString t = ip.trimmed();
+    if (t.isEmpty()) {
+        return true;
+    }
+    return NetworkUtilities::checkIPv4Format(t);
 }
 
 QHash<int, QByteArray> TelemtConfigModel::roleNames() const {

client/ui/models/services/telemtConfigModel.h

@@ -88,6 +88,8 @@ public slots:
 
     Q_INVOKABLE void removeAdditionalSecret(int idx);
 
+    Q_INVOKABLE QVariantList additionalSecretsList() const;
+
     Q_INVOKABLE QString generateQrCode(const QString &text);
 
     Q_INVOKABLE void setEnabled(bool enabled);
@@ -116,12 +118,44 @@ public slots:
 
     Q_INVOKABLE QString workersModeManual() const;
 
+    Q_INVOKABLE bool isValidPublicHost(const QString &host) const;
+
+    Q_INVOKABLE bool isPublicHostInputAllowed(const QString &text) const;
+
+    Q_INVOKABLE bool isPublicHostTypingIncomplete(const QString &text) const;
+
+    Q_INVOKABLE bool isValidMtProxyTag(const QString &tag) const;
+
+    Q_INVOKABLE bool isMtProxyTagTypingIncomplete(const QString &text) const;
+
+    Q_INVOKABLE int mtProxyBotTagHexLength() const;
+
+    Q_INVOKABLE bool isValidFakeTlsDomain(const QString &domain) const;
+
+    Q_INVOKABLE bool isFakeTlsDomainTypingIncomplete(const QString &text) const;
+
+    Q_INVOKABLE bool isFakeTlsDomainInputAllowed(const QString &text) const;
+
+    Q_INVOKABLE QString sanitizeFakeTlsDomainFieldText(const QString &input) const;
+
+    Q_INVOKABLE QString sanitizePublicHostFieldText(const QString &input) const;
+
+    Q_INVOKABLE QString sanitizePortFieldText(const QString &input) const;
+
+    Q_INVOKABLE QString sanitizeMtProxyTagFieldText(const QString &input) const;
+
+    Q_INVOKABLE QString sanitizeOptionalIpv4FieldText(const QString &input) const;
+
+    Q_INVOKABLE bool isValidOptionalIpv4(const QString &ip) const;
+
 protected:
     QHash<int, QByteArray> roleNames() const override;
 
 private:
     static void applyDefaults(amnezia::TelemtProtocolConfig &c);
 
+    QString normalizeFakeTlsDomainInput(const QString &input) const;
+
     amnezia::DockerContainer m_container = amnezia::DockerContainer::None;
     QJsonObject m_fullConfig;
     amnezia::TelemtProtocolConfig m_protocolConfig;

client/ui/qml/Pages2/PageShareConnection.qml

@@ -320,7 +320,7 @@ PageType {
                 Layout.rightMargin: 16
                 visible: isQrCodeVisible
                 horizontalAlignment: Text.AlignHCenter
-                text: qsTr("To read the QR code in the Amnezia app, select \"Add server\" → \"I have data to connect\" → \"QR code, key or settings file\"")
+                text: qsTr("To read the QR code in the Amnezia app, tap + in the main menu → 'QR code'")
             }
         }
     }

ipc/ipcserver.cpp

@@ -28,42 +28,6 @@ IpcServer::IpcServer(QObject *parent) : IpcInterfaceSource(parent)
     connect(&m_pingHelper, &PingHelper::connectionLose, this, &IpcServer::connectionLose);
 }
 
-IpcServer::~IpcServer()
-{
-}
-
-void IpcServer::resetServiceState()
-{
-    qDebug() << "IpcServer::resetServiceState — tearing down active VPN state";
-
-    Xray::getInstance().stopXray();
-
-    for (auto it = m_processes.cbegin(); it != m_processes.cend(); ++it) {
-        const ProcessDescriptor &pd = it.value();
-        if (!pd.ipcProcess)
-            continue;
-        pd.ipcProcess->terminate();
-        if (!pd.ipcProcess->waitForFinished(1000)) {
-            pd.ipcProcess->kill();
-            pd.ipcProcess->waitForFinished(1000);
-        }
-        pd.ipcProcess->close();
-    }
-    m_processes.clear();
-
-    Utils::killProcessByName(Utils::tun2socksPath());
-    Utils::killProcessByName(Utils::openVpnExecPath());
-
-    KillSwitch::instance()->disableKillSwitch();
-
-    Router::restoreResolvers();
-    Router::clearSavedRoutes();
-    Router::StartRoutingIpv6();
-    Router::flushDns();
-
-    m_pingHelper.stop();
-}
-
 int IpcServer::createPrivilegedProcess()
 {
 #ifdef MZ_DEBUG

ipc/ipcserver.h

@@ -17,10 +17,6 @@ class IpcServer : public IpcInterfaceSource
 {
 public:
     explicit IpcServer(QObject *parent = nullptr);
-    virtual ~IpcServer();
-
-    void resetServiceState();
-
     virtual int createPrivilegedProcess() override;
 
     virtual int routeAddList(const QString &gw, const QStringList &ips) override;

service/server/localserver.cpp

@@ -35,20 +35,7 @@ LocalServer::LocalServer(QObject *parent) : QObject(parent),
 
     QObject::connect(m_server.data(), &QLocalServer::newConnection, this, [this]() {
         qDebug() << "LocalServer new connection";
-
+        m_serverNode.addHostSideConnection(m_server->nextPendingConnection());
-        QLocalSocket *socket = m_server->nextPendingConnection();
-        if (!socket)
-            return;
-
-        m_activeClientSocket = socket;
-
-        QObject::connect(socket, &QLocalSocket::disconnected, this, [this, socket]() {
-            qDebug() << "LocalServer: client disconnected";
-            if (m_activeClientSocket == socket)
-                m_ipcServer.resetServiceState();
-        });
-
-        m_serverNode.addHostSideConnection(socket);
 
         if (!m_isRemotingEnabled) {
             m_isRemotingEnabled = true;

service/server/localserver.h

@@ -41,8 +41,6 @@ public:
     QRemoteObjectHost m_serverNode;
     bool m_isRemotingEnabled = false;
 
-    QPointer<QLocalSocket> m_activeClientSocket;
-
     NetworkWatcher m_networkWatcher;
 #ifdef Q_OS_LINUX
     DaemonLocalServer server{qApp};