fix: resolve flush error and fix comment

fix: add support system with nscd service
fix: infinite reconnection when NM up
2026-06-21 02:01:03 +07:00 · 2026-04-11 00:12:58 +03:00 · 2026-04-10 23:08:32 +03:00 · 2026-04-10 23:06:16 +03:00 · 2026-04-10 23:06:16 +03:00 · 2026-04-10 23:06:16 +03:00
187 changed files with 9160 additions and 14817 deletions
@@ -1,56 +0,0 @@
-# .github/actions/setup-keychain/action.yml
-name: Setup apple keychain
-description: Creates and configures a temporary build keychain
-
-inputs:
-  keychain-path:
-    description: Name of the keychain
-    required: true
-  keychain-password:
-    description: Temporary keychain password
-    required: true
-  app-cert-base64:
-    description: Base64-encoded P12 app certificate
-    required: true
-  app-cert-password:
-    description: Application certificate password
-    required: true
-  installer-cert-base64:
-    description: Base64-encoded P12 installer certificate
-    required: true
-  installer-cert-password:
-    description: Installer certificate password
-    required: true
-
-runs:
-  using: composite
-  steps:
-    - name: Create keychain
-      shell: bash
-      env:
-        KEYCHAIN_PATH: ${{ inputs.keychain-path }}
-        KEYCHAIN_PASSWORD: ${{ inputs.keychain-password }}
-        APP_CERT_BASE64: ${{ inputs.app-cert-base64 }}
-        APP_CERT_PASSWORD: ${{ inputs.app-cert-password }}
-        INSTALLER_CERT_BASE64: ${{ inputs.installer-cert-base64 }}
-        INSTALLER_CERT_PASSWORD: ${{ inputs.installer-cert-password }}
-      run: |
-        set -e
-
-        APP_CERT_PATH=$RUNNER_TEMP/DeveloperIdApplicationCertificate.p12
-        INSTALLER_CERT_PATH=$RUNNER_TEMP/DeveloperIdInstallerCertificate.p12
-
-        echo -n "$APP_CERT_BASE64" | base64 --decode -o "$APP_CERT_PATH"
-        echo -n "$INSTALLER_CERT_BASE64" | base64 --decode -o "$INSTALLER_CERT_PATH"
-
-        security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
-        security default-keychain -s "$KEYCHAIN_PATH"
-        security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
-        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
-
-        security import "${{ github.action_path }}/DeveloperIDG2CA.cer" -k "$KEYCHAIN_PATH" -A
-        security import "$APP_CERT_PATH" -k "$KEYCHAIN_PATH" -P "$APP_CERT_PASSWORD" -A -t cert -f pkcs12
-        security import "$INSTALLER_CERT_PATH" -k "$KEYCHAIN_PATH" -P "$INSTALLER_CERT_PASSWORD" -A -t cert -f pkcs12
-
-        security set-key-partition-list -S apple-tool:,apple:,codesign: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
-        security list-keychain -d user -s "$KEYCHAIN_PATH"
@@ -38,18 +38,7 @@ jobs:
        set-env: 'true'
        aqtversion: '==3.3.0'       
        py7zrversion: '==0.22.*'  
-        extra: '--base ${{ env.QT_MIRROR }}'
-
-    - name: 'Setup python'
-      uses: actions/setup-python@v6
-      with:
-        python-version: 3.14
-      
-    - name: 'Install conan'
-      run: pip install "conan==2.26.2"
-
-    - name: 'Install system packages'
-      run: sudo apt-get install libxkbcommon-x11-0 libsecret-1-dev
+        extra: '--base ${{ env.QT_MIRROR }}' 

    - name: 'Get sources'
      uses: actions/checkout@v4
@@ -57,17 +46,38 @@ jobs:
        submodules: 'true'
        fetch-depth: 10

+    - name: 'Get version from CMakeLists.txt'
+      id: get_version
+      run: |
+        VERSION=$(grep 'set(AMNEZIAVPN_VERSION' CMakeLists.txt | sed -E 's/.*AMNEZIAVPN_VERSION ([0-9]+.[0-9]+.[0-9]+.[0-9]+)\)/\1/')
+        echo "VERSION=$VERSION" >> $GITHUB_ENV
+        echo "Version: $VERSION"
+
+    # - name: 'Setup ccache'
+    #   uses: hendrikmuhs/ccache-action@v1.2
+
    - name: 'Build project'
-      shell: bash
-      env:
-        QT_INSTALL_DIR: ${{ runner.temp }}
-      run: ./deploy/build.sh
+      run: |
+        sudo apt-get install libxkbcommon-x11-0 libsecret-1-dev
+        export QT_BIN_DIR=${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/gcc_64/bin
+        export QIF_BIN_DIR=${{ runner.temp }}/Qt/Tools/QtInstallerFramework/${{ env.QIF_VERSION }}/bin
+        bash deploy/build_linux.sh
+
+    - name: 'Pack installer'
+      run: cd deploy && tar -cf AmneziaVPN_Linux_Installer.tar AmneziaVPN_Linux_Installer.bin && zip AmneziaVPN_${VERSION}_linux_x64.tar.zip AmneziaVPN_Linux_Installer.tar

    - name: 'Upload installer artifact'
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@v4
      with:
-        path: deploy/build/AmneziaVPN-*-Linux.run
-        archive: false
+        name: AmneziaVPN_${{ env.VERSION }}_linux_x64.tar.zip
+        path: deploy/AmneziaVPN_${{ env.VERSION }}_linux_x64.tar.zip
+        retention-days: 7
+
+    - name: 'Upload unpacked artifact'
+      uses: actions/upload-artifact@v4
+      with:
+        name: AmneziaVPN_Linux_unpacked
+        path: deploy/AppDir
        retention-days: 7

    - name: 'Upload translations artifact'
@@ -85,6 +95,7 @@ jobs:
    env:
      QT_VERSION: 6.10.1
      QIF_VERSION: 4.7
+      BUILD_ARCH: 64
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
@@ -100,6 +111,17 @@ jobs:
        submodules: 'true'
        fetch-depth: 10

+    - name: 'Get version from CMakeLists.txt'
+      id: get_version
+      shell: bash
+      run: |
+        VERSION=$(grep 'set(AMNEZIAVPN_VERSION' CMakeLists.txt | sed -E 's/.*AMNEZIAVPN_VERSION ([0-9]+.[0-9]+.[0-9]+.[0-9]+)\)/\1/')
+        echo "VERSION=$VERSION" >> $GITHUB_ENV
+        echo "Version: $VERSION"
+
+    # - name: 'Setup ccache'
+    #   uses: hendrikmuhs/ccache-action@v1.2
+
    - name: 'Install Qt'
      uses: jurplel/install-qt-action@v3
      with:
@@ -136,34 +158,39 @@ jobs:
        $wixBinDir = Join-Path $env:USERPROFILE ".dotnet\tools"
        echo "WIX_BIN_DIR=$wixBinDir" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append

-    - name: 'Setup python'
-      uses: actions/setup-python@v6
-      with:
-        python-version: 3.14
-
-    - name: 'Install conan'
-      run: pip install "conan==2.26.2"
-
    - name: 'Build project'
      shell: cmd
-      env:
-        QT_INSTALL_DIR: ${{ runner.temp }}
      run: |
-        set WIX_ROOT_PATH="${{ env.USERPROFILE }}\.dotnet\tools"
-        deploy\build.bat --installer all
+        set BUILD_ARCH=${{ env.BUILD_ARCH }}
+        set QT_BIN_DIR="${{ runner.temp }}\\Qt\\${{ env.QT_VERSION }}\\msvc2022_64\\bin"
+        set QIF_BIN_DIR="${{ runner.temp }}\\Qt\\Tools\\QtInstallerFramework\\${{ env.QIF_VERSION }}\\bin"
+        set WIX_BIN_DIR=%USERPROFILE%\.dotnet\tools
+        call deploy\\build_windows.bat

-    - name: 'Upload WIX installer artifact'
-      uses: actions/upload-artifact@v7
+    - name: 'Rename Windows installer'
+      shell: cmd
+      run: |
+        copy AmneziaVPN_x${{ env.BUILD_ARCH }}.exe AmneziaVPN_%VERSION%_x64.exe
+
+    - name: 'Upload installer artifact'
+      uses: actions/upload-artifact@v4
      with:
-        path: deploy/build/AmneziaVPN-*-win64.msi
-        archive: false
+        name: AmneziaVPN_${{ env.VERSION }}_x64.exe
+        path: AmneziaVPN_${{ env.VERSION }}_x64.exe
        retention-days: 7
-      
-    - name: 'Upload IFW installer artifact'
-      uses: actions/upload-artifact@v7
+
+    - name: 'Upload MSI installer artifact'
+      uses: actions/upload-artifact@v4
      with:
-        path: deploy/build/AmneziaVPN-*-win64.exe
-        archive: false
+        name: AmneziaVPN_Windows_MSI_installer
+        path: AmneziaVPN_x${{ env.BUILD_ARCH }}.msi
+        retention-days: 7
+
+    - name: 'Upload unpacked artifact'
+      uses: actions/upload-artifact@v4
+      with:
+        name: AmneziaVPN_Windows_unpacked
+        path: deploy\\build_${{ env.BUILD_ARCH }}\\client\\Release
        retention-days: 7

 # ------------------------------------------------------
@@ -231,13 +258,11 @@ jobs:
        submodules: 'true'
        fetch-depth: 10

-    - name: 'Setup python'
-      uses: actions/setup-python@v6
-      with:
-        python-version: 3.14
+    # - name: 'Setup ccache'
+    #   uses: hendrikmuhs/ccache-action@v1.2

-    - name: 'Install deps'
-      run: pip install "conan==2.26.2" jsonschema jinja2
+    - name: 'Install dependencies'
+      run: pip install jsonschema jinja2

    - name: 'Build project'
      run: |
@@ -260,6 +285,93 @@ jobs:
        IOS_APP_PROVISIONING_PROFILE: ${{ secrets.IOS_APP_PROVISIONING_PROFILE }}
        IOS_NE_PROVISIONING_PROFILE: ${{ secrets.IOS_NE_PROVISIONING_PROFILE }}

+#    - name: 'Upload appstore .ipa and dSYMs to artifacts'
+#      uses: actions/upload-artifact@v4
+#      with:
+#        name: app-store ipa & dsyms
+#        path: |
+#          ${{ github.workspace }}/AmneziaVPN-iOS.ipa
+#          ${{ github.workspace }}/*.app.dSYM.zip
+#        retention-days: 7
+
+# ------------------------------------------------------
+
+  Build-MacOS-old:
+    runs-on: macos-latest
+
+    env:
+      # Keep compat with MacOS 10.15 aka Catalina by Qt 6.4
+      QT_VERSION: 6.4.3
+
+      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
+
+      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
+      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
+      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
+
+      MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
+      MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
+      MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
+
+      APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
+      APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
+
+      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
+      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
+      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
+      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
+      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
+      FREE_V2_ENDPOINT: ${{ secrets.FREE_V2_ENDPOINT }}
+      PREM_V1_ENDPOINT: ${{ secrets.PREM_V1_ENDPOINT }}
+
+    steps:
+    - name: 'Setup xcode'
+      uses: maxim-lobanov/setup-xcode@v1
+      with:
+        xcode-version: '15.4.0'
+
+    - name: 'Install Qt'
+      uses: jurplel/install-qt-action@v3
+      with:
+        version: ${{ env.QT_VERSION }}
+        host: 'mac'
+        target: 'desktop'
+        arch: 'clang_64'
+        modules: 'qtremoteobjects qt5compat qtshadertools'
+        dir: ${{ runner.temp }}
+        setup-python: 'true'
+        set-env: 'true'
+        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
+
+
+    - name: 'Get sources'
+      uses: actions/checkout@v4
+      with:
+        submodules: 'true'
+        fetch-depth: 10
+
+    # - name: 'Setup ccache'
+    #   uses: hendrikmuhs/ccache-action@v1.2
+
+    - name: 'Build project'
+      run: |
+        export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
+        bash deploy/build_macos.sh -n
+
+    - name: 'Upload installer artifact'
+      uses: actions/upload-artifact@v4
+      with:
+        name: AmneziaVPN_MacOS_old_installer
+        path: deploy/build/pkg/AmneziaVPN.pkg
+        retention-days: 7
+
+    - name: 'Upload unpacked artifact'
+      uses: actions/upload-artifact@v4
+      with:
+        name: AmneziaVPN_MacOS_old_unpacked
+        path: deploy/build/client/AmneziaVPN.app
+        retention-days: 7
+
 # ------------------------------------------------------

  Build-MacOS:
@@ -267,8 +379,19 @@ jobs:

    env:
      QT_VERSION: 6.10.1
-      KEYCHAIN_NAME: "build.keychain"
-      KEYCHAIN_PASSWORD: ""
+
+      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
+
+      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
+      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
+      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
+
+      MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
+      MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
+      MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
+
+      APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
+      APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}

      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
@@ -297,15 +420,7 @@ jobs:
        set-env: 'true'
        aqtversion: '==3.3.0'       
        py7zrversion: '==0.22.*'  
-        extra: '--base ${{ env.QT_MIRROR }}'
-
-    - name: 'Setup python'
-      uses: actions/setup-python@v6
-      with:
-        python-version: 3.14
-
-    - name: 'Install conan'
-      run: pip install "conan==2.26.2"
+        extra: '--base ${{ env.QT_MIRROR }}' 

    - name: 'Get sources'
      uses: actions/checkout@v4
@@ -313,34 +428,39 @@ jobs:
        submodules: 'true'
        fetch-depth: 10

-    - name: 'Install certs'
-      uses: ./.github/actions/setup-keychain
-      with:
-        keychain-path: ${{ env.KEYCHAIN_NAME }}
-        keychain-password: ${{ env.KEYCHAIN_PASSWORD }}
-        app-cert-base64: ${{ secrets.MAC_APP_CERT_CERT }}
-        app-cert-password: ${{ secrets.MAC_APP_CERT_PW }}
-        installer-cert-base64: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
-        installer-cert-password: ${{ secrets.MAC_INSTALL_CERT_PW }}
+    - name: 'Get version from CMakeLists.txt'
+      id: get_version
+      run: |
+        VERSION=$(grep 'set(AMNEZIAVPN_VERSION' CMakeLists.txt | sed -E 's/.*AMNEZIAVPN_VERSION ([0-9]+.[0-9]+.[0-9]+.[0-9]+)\)/\1/')
+        echo "VERSION=$VERSION" >> $GITHUB_ENV
+        echo "Version: $VERSION"
+
+    # - name: 'Setup ccache'
+    #   uses: hendrikmuhs/ccache-action@v1.2

    - name: 'Build project'
-      env:
-        QT_INSTALL_DIR: ${{ runner.temp }}
-        CODESIGN_KEYCHAIN: ${{ env.KEYCHAIN_NAME }}
-        CODESIGN_SIGNATURE: ${{ secrets.MAC_SIGNER_ID }}
-        CODESIGN_INSTALLER_KEYCHAIN: ${{ env.KEYCHAIN_NAME }}
-        CODESIGN_INSTALLER_SIGNATURE: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
-        NOTARYTOOL_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
-        NOTARYTOOL_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
-        NOTARYTOOL_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
-      shell: bash
-      run: deploy/build.sh
+      run: |
+        export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
+        bash deploy/build_macos.sh -n
+
+    - name: 'Pack macOS installer'
+      run: |
+        cd deploy/build/pkg
+        zip -r ../../AmneziaVPN_${VERSION}_macos.zip AmneziaVPN.pkg
+        cd ../../..

    - name: 'Upload installer artifact'
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@v4
      with:
-        path: deploy/build/AmneziaVPN-*-Darwin.pkg
-        archive: false
+        name: AmneziaVPN_${{ env.VERSION }}_macos.zip
+        path: deploy/AmneziaVPN_${{ env.VERSION }}_macos.zip
+        retention-days: 7
+
+    - name: 'Upload unpacked artifact'
+      uses: actions/upload-artifact@v4
+      with:
+        name: AmneziaVPN_MacOS_unpacked
+        path: deploy/build/client/AmneziaVPN.app
        retention-days: 7

  Build-MacOS-NE:
@@ -399,13 +519,8 @@ jobs:
        submodules: 'true'
        fetch-depth: 10

-    - name: 'Setup python'
-      uses: actions/setup-python@v6
-      with:
-        python-version: 3.14
-
-    - name: 'Install conan'
-      run: pip install "conan==2.26.2"
+    # - name: 'Setup ccache'
+    #   uses: hendrikmuhs/ccache-action@v1.2

    - name: 'Build project'
      run: |
@@ -537,14 +652,6 @@ jobs:
      run: |
        echo $KEYSTORE_BASE64 | base64 --decode > android.keystore

-    - name: 'Setup python'
-      uses: actions/setup-python@v6
-      with:
-        python-version: 3.14
-
-    - name: 'Install conan'
-      run: pip install "conan==2.26.2"
-
    - name: 'Build project'
      env:
        ANDROID_NDK_ROOT: ${{ steps.setup-ndk.outputs.ndk-path }}
@@ -1,14 +1,7 @@
 cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)

 set(PROJECT AmneziaVPN)
-set(AMNEZIAVPN_VERSION 4.8.13.1)
-
-set(QT_CREATOR_SKIP_PACKAGE_MANAGER_SETUP ON CACHE BOOL "" FORCE)
-set(CMAKE_PROJECT_TOP_LEVEL_INCLUDES
-    ${CMAKE_SOURCE_DIR}/cmake/platform_settings.cmake
-    ${CMAKE_SOURCE_DIR}/cmake/recipes_bootstrap.cmake
-    ${CMAKE_SOURCE_DIR}/cmake/conan_provider.cmake
-    CACHE STRING "" FORCE)
+set(AMNEZIAVPN_VERSION 4.8.14.5)

 project(${PROJECT} VERSION ${AMNEZIAVPN_VERSION}
        DESCRIPTION "AmneziaVPN"
@@ -19,7 +12,7 @@ string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")

 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2107)
+set(APP_ANDROID_VERSION_CODE 2118)

 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
    set(MZ_PLATFORM_NAME "linux")
@@ -31,8 +24,6 @@ elseif(${CMAKE_SYSTEM_NAME} STREQUAL "Android")
    set(MZ_PLATFORM_NAME "android")
 elseif(${CMAKE_SYSTEM_NAME} STREQUAL "iOS")
    set(MZ_PLATFORM_NAME "ios")
-elseif(${CMAKE_SYSTEM_NAME} STREQUAL "tvOS")
-    set(MZ_PLATFORM_NAME "ios")
 elseif(${CMAKE_SYSTEM_NAME} STREQUAL "Emscripten")
    set(MZ_PLATFORM_NAME "wasm")
 endif()
@@ -42,7 +33,7 @@ set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)

 if(APPLE)
-    if(IOS OR CMAKE_SYSTEM_NAME STREQUAL "tvOS")
+    if(IOS)
        set(CMAKE_OSX_ARCHITECTURES "arm64")
    elseif(MACOS_NE)
        set(CMAKE_OSX_ARCHITECTURES "arm64;x86_64")
@@ -53,10 +44,44 @@ endif()

 add_subdirectory(client)

-if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
+if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
    add_subdirectory(service)
+
+    include(${CMAKE_SOURCE_DIR}/deploy/installer/config.cmake)
 endif()

-if ((LINUX AND NOT ANDROID) OR (APPLE AND NOT IOS AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS") OR (WIN32))
-    include(${CMAKE_SOURCE_DIR}/cmake/CPack.cmake)
+set(AMNEZIA_STAGE_DIR "${CMAKE_BINARY_DIR}/stage")
+
+if(WIN32 AND NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
+    file(TO_CMAKE_PATH "${AMNEZIA_STAGE_DIR}" AMNEZIA_STAGE_DIR_CMAKE)
+
+    set(CPACK_GENERATOR "WIX")
+    set(CPACK_WIX_VERSION 4)
+    set(CPACK_PACKAGE_NAME "AmneziaVPN")
+    set(CPACK_PACKAGE_VENDOR "AmneziaVPN")
+    set(CPACK_PACKAGE_VERSION ${AMNEZIAVPN_VERSION})
+    set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "AmneziaVPN client")
+    set(AMNEZIA_LICENSE_TXT "${CMAKE_BINARY_DIR}/LICENSE.txt")
+    configure_file("${CMAKE_SOURCE_DIR}/LICENSE" "${AMNEZIA_LICENSE_TXT}" COPYONLY)
+    set(CPACK_RESOURCE_FILE_LICENSE "${AMNEZIA_LICENSE_TXT}")
+    set(CPACK_PACKAGE_INSTALL_DIRECTORY "AmneziaVPN")
+    set(CPACK_PACKAGE_DIRECTORY "${CMAKE_BINARY_DIR}")
+    set(CPACK_PACKAGE_EXECUTABLES "AmneziaVPN" "AmneziaVPN")
+    set(CPACK_WIX_UPGRADE_GUID "{2D55AC62-96D6-4692-8C05-0D85BBF95485}")
+    set(CPACK_WIX_PRODUCT_ICON "${CMAKE_SOURCE_DIR}/client/images/app.ico")
+
+    # WiX patches
+    set(_AMNEZIA_WIX_PATCH_SERVICE "${CMAKE_SOURCE_DIR}/deploy/installer/wix/service_install_patch.xml")
+    set(_AMNEZIA_WIX_PATCH_CLOSE_APP "${CMAKE_SOURCE_DIR}/deploy/installer/wix/close_client_patch.xml")
+    file(TO_CMAKE_PATH "${_AMNEZIA_WIX_PATCH_SERVICE}" _AMNEZIA_WIX_PATCH_SERVICE_CMAKE)
+    file(TO_CMAKE_PATH "${_AMNEZIA_WIX_PATCH_CLOSE_APP}" _AMNEZIA_WIX_PATCH_CLOSE_APP_CMAKE)
+    set(CPACK_WIX_PATCH_FILE "${_AMNEZIA_WIX_PATCH_SERVICE_CMAKE};${_AMNEZIA_WIX_PATCH_CLOSE_APP_CMAKE}")
+
+    # WiX v4 Util extension for CloseApplication + namespace for util
+    set(CPACK_WIX_EXTENSIONS "${CPACK_WIX_EXTENSIONS};WixToolset.Util.wixext")
+    set(CPACK_WIX_CUSTOM_XMLNS "util=http://wixtoolset.org/schemas/v4/wxs/util")
+
+    set(CPACK_INSTALLED_DIRECTORIES "${AMNEZIA_STAGE_DIR_CMAKE};/")
+
+    include(CPack)
 endif()
@@ -179,7 +179,7 @@ You may face compiling issues in QT Creator after you've worked in Android Studi

 ## License

-GPL v3.0
+This project is licensed under the GNU General Public License v3.0 (see LICENSE) and also includes third-party components distributed under their own terms (see THIRD_PARTY_LICENSES.md).

 ## Donate

@@ -0,0 +1,149 @@
+# Third-Party Licenses
+
+This project is licensed under the GNU General Public License v3.0.
+This file lists third-party software components used by this repository.
+Each component is distributed under its own license as linked below.
+
+---
+
+## QtKeychain
+
+- Source: https://github.com/frankosterfeld/qtkeychain
+- License: BSD License
+- License Text: https://www.gnu.org/licenses/license-list.html#ModifiedBSD
+
+---
+
+## QSimpleCrypto
+
+- Source: https://github.com/n1flh31mur/QSimpleCrypto
+- License: Apache License 2.0
+- License Text: https://github.com/n1flh31mur/QSimpleCrypto/blob/master/LICENSE
+
+---
+
+## SortFilterProxyModel
+
+- Source: https://github.com/oKcerG/SortFilterProxyModel
+- License: MIT License
+- License Text: https://github.com/oKcerG/SortFilterProxyModel/blob/master/LICENSE
+
+---
+
+## QJsonStruct
+
+- Source: https://github.com/Qv2ray/QJsonStruct
+- License: MIT License
+- License Text: https://github.com/Qv2ray/QJsonStruct/blob/master/LICENSE
+
+---
+
+## QR Code Generator (qrcodegen)
+
+- Source: https://github.com/nayuki/QR-Code-generator
+- License: MIT License
+- License Text: https://www.nayuki.io/page/qr-code-generator-library
+
+---
+
+## Qt Gamepad
+
+- Source: https://github.com/qt/qtgamepad
+- License: GNU General Public License v3.0 (GPL-3.0)
+- License Text: https://www.gnu.org/licenses/gpl-3.0.en.html
+
+---
+
+## AmneziaWG Apple (WireGuard)
+
+- Source: https://github.com/amnezia-vpn/amneziawg-apple
+- License: MIT License
+- License Text: https://github.com/amnezia-vpn/amneziawg-apple/blob/master/COPYING
+
+---
+
+## AmneziaWG Android
+
+- Source: https://github.com/amnezia-vpn/amneziawg-go
+- License: MIT License
+- License Text: https://github.com/amnezia-vpn/amneziawg-go/blob/master/LICENSE
+
+---
+
+## Xray Core
+
+- Source: https://github.com/XTLS/Xray-core
+- License: Mozilla Public License 2.0 (MPL-2.0)
+- License Text: https://github.com/XTLS/Xray-core/blob/main/LICENSE
+
+---
+
+## Cloak
+
+- Source: https://github.com/cbeuw/Cloak
+- License: GNU General Public License v3.0 (GPL-3.0)
+- License Text: https://github.com/cbeuw/Cloak/blob/master/LICENSE
+
+---
+
+## Shadowsocks
+
+- Source: https://github.com/shadowsocks/shadowsocks-libev
+- License: GPL-3.0-or-later
+- License Text: http://www.gnu.org/licenses/
+
+---
+
+## OpenSSL
+
+- Source: https://github.com/openssl/openssl
+- License: Apache License 2.0
+- License Text: https://www.openssl.org/source/license.html
+
+---
+
+## libssh
+
+- Source: https://www.libssh.org/
+- License: GNU Lesser General Public License (LGPL)
+- License Text: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
+
+---
+
+## OpenVPNAdapter
+
+- Source: https://github.com/ss-abramchuk/OpenVPNAdapter
+- License: GNU Affero General Public License v3.0 (AGPL-3.0)
+- License Text: https://github.com/ss-abramchuk/OpenVPNAdapter/blob/master/LICENSE
+
+---
+
+## Wintun
+
+- Source: https://www.wintun.net/
+- License: Prebuilt Binaries License
+- License Text: https://github.com/WireGuard/wintun/blob/master/prebuilt-binaries-license.txt
+
+---
+
+## Mullvad Split Tunnel Driver
+
+- Source: https://github.com/mullvad/win-split-tunnel
+- License: GNU General Public License v3.0 (GPL-3.0) and Mozilla Public License Version 2.0
+- License Text: https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-GPL.md https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-MPL.txt
+
+---
+
+## tun2socks
+
+- Source: https://github.com/eycorsican/go-tun2socks
+- License: MIT License
+- License Text: https://github.com/eycorsican/go-tun2socks/blob/master/LICENSE
+
+---
+
+## TAP-Windows Driver
+
+- Source: https://github.com/OpenVPN/tap-windows6
+- License: tap-windows6 license
+- License Text: https://github.com/OpenVPN/tap-windows6/blob/master/COPYING
@@ -1,340 +0,0 @@
-# AmneziaVPN Apple TV Build
-
-This document describes how to build the current branch for Apple TV from the repository root.
-
-The pipeline is:
-
-1. Use a separately built static Qt 6.9.2 for `tvOS`.
-2. Let Conan build/provide C/C++ dependencies.
-3. Generate an Xcode project with `qt-cmake`.
-4. Build the `.app` and embedded Network Extension with `xcodebuild`.
-
-Important:
-
- Run the project commands from the repository root.
- This is a device build for `appletvos`, not a simulator build.
- `xcodebuild build` produces `.app`.
- `.ipa` is produced later via `archive` and `-exportArchive`.
- The current tvOS Network Extension scope is WireGuard-only.
- The temporary tvOS WireGuard bridge prebuilt is opt-in. The Conan recipe does not contain machine-specific fallback paths.
- Do not initialize or update submodules just for this build. If a clean checkout has empty `client/3rd` folders, pass `AMNEZIA_THIRDPARTY_ROOT` to an already initialized read-only `client/3rd` tree.
-
-## 1. Environment
-
-Set these paths for your machine:
-
-```bash
-export REPO_ROOT="$PWD"
-export QT_DESKTOP_PREFIX="$HOME/Qt/6.9.2/macos"
-export QT_TVOS_SRC="$HOME/Qt_tv/qt-6.9.2-tvos-src"
-export QT_TVOS_PREFIX="$HOME/Qt_tv/6.9.2/tvos-device"
-export BUILD_DIR="$REPO_ROOT/build-tvos-device-conan"
-```
-
-If this checkout does not have initialized `client/3rd` sources, point CMake at an initialized tree:
-
-```bash
-export AMNEZIA_THIRDPARTY_ROOT="/path/to/initialized/amnezia/client/3rd"
-```
-
-If you are using a temporary prebuilt tvOS WireGuard bridge, point Conan at it explicitly:
-
-```bash
-export AMNEZIA_TVOS_AWG_PREBUILT_DIR="/path/to/WireGuardKitGo-appletvos"
-export AMNEZIA_TVOS_AWG_VERSION_HEADER_DIR="/path/to/directory/with/wireguard-go-version.h"
-```
-
-`AMNEZIA_TVOS_AWG_PREBUILT_DIR` must contain `libwg-go.a`.
-
-`AMNEZIA_TVOS_AWG_VERSION_HEADER_DIR` is optional when `wireguard-go-version.h` lives in the same directory as `libwg-go.a`.
-
-If the env vars are not set, the recipe uses the normal source build path. Rebuilding and publishing the tvOS WireGuard bridge through the registry is a separate task.
-
-## 2. Required Local Tools
-
-Conan must be available:
-
-```bash
-uv tool install conan
-export PATH="$HOME/.local/bin:$PATH"
-conan --version
-```
-
-Validated version:
-
-```text
-Conan version 2.27.1
-```
-
-The build uses Xcode's AppleTVOS SDK:
-
-```bash
-xcrun --sdk appletvos --show-sdk-path
-```
-
-## 3. Prepare Qt Sources
-
-Do not edit the installed Qt sources in place. Copy them into a separate tvOS fork:
-
-```bash
-mkdir -p "$HOME/Qt_tv"
-rsync -a "$HOME/Qt/6.9.2/Src/" "$QT_TVOS_SRC/"
-```
-
-Recommended for reproducibility:
-
-```bash
-cd "$QT_TVOS_SRC"
-git init
-git add .
-git commit -m "Qt 6.9.2 source snapshot"
-```
-
-## 4. Apply the Qt tvOS Patchset
-
-Apply the local Qt tvOS patchset to `$QT_TVOS_SRC`.
-
-If you need to recreate the patchset from a fresh copy, compare these files against `$HOME/Qt/6.9.2/Src` and reapply the same changes:
-
- `qtbase/cmake/QtBaseGlobalTargets.cmake`
- `qtbase/cmake/QtBaseHelpers.cmake`
- `qtbase/cmake/QtBuildPathsHelpers.cmake`
- `qtbase/cmake/QtMkspecHelpers.cmake`
- `qtbase/cmake/QtConfig.cmake.in`
- `qtbase/mkspecs/unsupported/macx-tvos-clang/qplatformdefs.h`
- `qtbase/src/corelib/CMakeLists.txt`
- `qtbase/src/corelib/platform/darwin/qdarwinpermissionplugin_location.mm`
- `qtbase/src/gui/CMakeLists.txt`
- `qtbase/src/widgets/CMakeLists.txt`
- `qtbase/src/network/kernel/qnetworkproxy_darwin.cpp`
- `qtbase/src/testlib/qtestcrashhandler.cpp`
- `qtbase/src/plugins/platforms/ios/qiosapplicationdelegate.mm`
- `qtbase/src/plugins/platforms/ios/qiosscreen.mm`
- `qtbase/src/plugins/platforms/ios/qiostheme.mm`
- `qtbase/src/plugins/platforms/ios/quiview.mm`
- `qtbase/src/plugins/platforms/ios/qiosclipboard.mm`
-
-Recommended after patching:
-
-```bash
-git -C "$QT_TVOS_SRC" diff > "$HOME/Qt_tv/qt-6.9.2-tvos.patch"
-```
-
-Do not use `QT_APPLE_SDK=appletvos`. The working path is `CMAKE_SYSTEM_NAME=tvOS` with `CMAKE_OSX_SYSROOT=appletvos`.
-
-## 5. Build Qt 6.9.2 for Apple TV
-
-Only the modules required by this project are built.
-
-```bash
-mkdir -p /private/tmp/qt6.9.2-tvos-device-build
-cd /private/tmp/qt6.9.2-tvos-device-build
-
-"$QT_TVOS_SRC/configure" \
-  -release -static -appstore-compliant \
-  -nomake tests -nomake examples \
-  -submodules qtbase,qtdeclarative,qtshadertools,qtremoteobjects,qtsvg,qt5compat,qttools \
-  -qt-host-path "$QT_DESKTOP_PREFIX" \
-  -prefix "$QT_TVOS_PREFIX" \
-  -- \
-  -G Ninja \
-  -DQT_QMAKE_TARGET_MKSPEC=macx-tvos-clang \
-  -DCMAKE_SYSTEM_NAME=tvOS \
-  -DCMAKE_OSX_SYSROOT=appletvos \
-  -DCMAKE_OSX_ARCHITECTURES=arm64 \
-  -DCMAKE_OSX_DEPLOYMENT_TARGET=17.0 \
-  -DBUILD_SHARED_LIBS=OFF \
-  -DQT_NO_APPLE_SDK_MAX_VERSION_CHECK=ON
-
-cmake --build . --parallel 8
-cmake --install .
-```
-
-Sanity checks:
-
-```bash
-"$QT_TVOS_PREFIX/bin/qt-cmake" --version
-"$QT_TVOS_PREFIX/bin/qmake" -query QMAKE_XSPEC
-```
-
-Expected `QMAKE_XSPEC`:
-
-```text
-macx-tvos-clang
-```
-
-Return to the repository root after building Qt:
-
-```bash
-cd "$REPO_ROOT"
-```
-
-## 6. Conan Dependency Behavior
-
-For `CMAKE_SYSTEM_NAME=tvOS`, the project-level Conan graph is intentionally reduced:
-
- included: `awg-apple/2.0.1`
- included: `libssh/0.11.3@amnezia`
- included: `openssl/3.6.1` with `no_apps=True`
- excluded: `openvpnadapter`
- excluded: `hev-socks5-tunnel`
-
-This keeps the current Apple TV target in the same practical scope as before: app plus WireGuard-only Network Extension.
-
-`libssh` is built with `WITH_EXEC=OFF` on tvOS because tvOS does not provide `fork()` or `execv()`.
-
-## 7. Configure the Project
-
-From the repository root:
-
-```bash
-cd "$REPO_ROOT"
-
-"$QT_TVOS_PREFIX/bin/qt-cmake" \
-  -B"$BUILD_DIR" \
-  -GXcode \
-  -DQT_HOST_PATH="$QT_DESKTOP_PREFIX" \
-  -DCMAKE_BUILD_TYPE=RelWithDebInfo \
-  -DCMAKE_SYSTEM_NAME=tvOS \
-  -DCMAKE_OSX_SYSROOT=appletvos
-```
-
-If you need to provide an external initialized `client/3rd` tree:
-
-```bash
-"$QT_TVOS_PREFIX/bin/qt-cmake" \
-  -B"$BUILD_DIR" \
-  -GXcode \
-  -DQT_HOST_PATH="$QT_DESKTOP_PREFIX" \
-  -DCMAKE_BUILD_TYPE=RelWithDebInfo \
-  -DCMAKE_SYSTEM_NAME=tvOS \
-  -DCMAKE_OSX_SYSROOT=appletvos \
-  -DAMNEZIA_THIRDPARTY_ROOT="$AMNEZIA_THIRDPARTY_ROOT"
-```
-
-Expected non-fatal configure warnings:
-
-```text
-Warning: plug-in QIOSIntegrationPlugin is not known to the current Qt installation.
-Warning: plug-in QJpegPlugin is not known to the current Qt installation.
-...
-```
-
-In this repo those warnings are tolerated because `client/cmake/ios.cmake` also links the static plugin targets explicitly when available.
-
-## 8. Build the Apple TV App
-
-```bash
-xcodebuild -quiet \
-  -project "$BUILD_DIR/AmneziaVPN.xcodeproj" \
-  -scheme AmneziaVPN \
-  -configuration RelWithDebInfo \
-  -sdk appletvos \
-  CODE_SIGNING_ALLOWED=NO \
-  build
-```
-
-Outputs:
-
- `$BUILD_DIR/client/RelWithDebInfo-appletvos/AmneziaVPN.app`
- `$BUILD_DIR/client/RelWithDebInfo-appletvos/AmneziaVPN.app/PlugIns/AmneziaVPNNetworkExtension.appex`
-
-Verification:
-
-```bash
-file "$BUILD_DIR/client/RelWithDebInfo-appletvos/AmneziaVPN.app/AmneziaVPN"
-file "$BUILD_DIR/client/RelWithDebInfo-appletvos/AmneziaVPN.app/PlugIns/AmneziaVPNNetworkExtension.appex/AmneziaVPNNetworkExtension"
-lipo -info "$BUILD_DIR/client/RelWithDebInfo-appletvos/AmneziaVPN.app/AmneziaVPN"
-lipo -info "$BUILD_DIR/client/RelWithDebInfo-appletvos/AmneziaVPN.app/PlugIns/AmneziaVPNNetworkExtension.appex/AmneziaVPNNetworkExtension"
-```
-
-Expected:
-
-```text
-Mach-O 64-bit executable arm64
-Non-fat file: ... is architecture: arm64
-```
-
-Useful plist checks:
-
-```bash
-plutil -p "$BUILD_DIR/client/RelWithDebInfo-appletvos/AmneziaVPN.app/Info.plist" | rg 'CFBundleIdentifier|DTPlatformName|UIDeviceFamily|MinimumOSVersion' -C 1
-plutil -p "$BUILD_DIR/client/RelWithDebInfo-appletvos/AmneziaVPN.app/PlugIns/AmneziaVPNNetworkExtension.appex/Info.plist" | rg 'CFBundleIdentifier|NSExtension|DTPlatformName|MinimumOSVersion' -C 1
-```
-
-Expected:
-
- `DTPlatformName => appletvos`
- `UIDeviceFamily => 3`
- `MinimumOSVersion => 17.0`
- extension point `com.apple.networkextension.packet-tunnel`
-
-## 9. `.app` vs `.ipa`
-
-This is the normal sequence:
-
-1. `xcodebuild build` -> `.app`
-2. `xcodebuild archive` -> `.xcarchive`
-3. `xcodebuild -exportArchive` -> `.ipa`
-
-So seeing `.app` after a successful `build` is correct.
-
-## 10. Optional Archive and Export
-
-The commands below are the next step for packaging, but signing and provisioning must be configured first.
-
-Archive:
-
-```bash
-xcodebuild \
-  -project "$BUILD_DIR/AmneziaVPN.xcodeproj" \
-  -scheme AmneziaVPN \
-  -configuration RelWithDebInfo \
-  -sdk appletvos \
-  -archivePath "$BUILD_DIR/AmneziaVPN-tvos.xcarchive" \
-  archive
-```
-
-Export:
-
-```bash
-xcodebuild -exportArchive \
-  -archivePath "$BUILD_DIR/AmneziaVPN-tvos.xcarchive" \
-  -exportPath "$BUILD_DIR/export-tvos" \
-  -exportOptionsPlist /absolute/path/to/ExportOptions.plist
-```
-
-The resulting `.ipa` should appear under:
-
-```text
-$BUILD_DIR/export-tvos
-```
-
-## 11. Known Non-Fatal Warnings
-
-The validated `xcodebuild` still prints warnings that do not break the build:
-
- missing Swift search path under the active Xcode Metal toolchain
- `SDKROOT[sdk=...]` target-level warnings generated by Xcode project export
- Swift conditional compilation flag warnings such as `GROUP_ID="..."`
- asset catalog warnings because the current icon set is still iOS-shaped, not a full tvOS Top Shelf asset set
- Go/WireGuard umbrella-header warnings from the temporary local `libwg-go.a` bridge
- deprecated libssh SCP API warnings in existing app code
- `qt_import_plugins()` warnings shown during configure
-
-If the static platform plugin is not linked correctly, the typical failure is:
-
- `_OBJC_CLASS_$_QIOSApplicationDelegate`
- `_qt_main_wrapper`
-
-Those are cleanup tasks, not blockers for the current build proof.
-
-## 12. Fast Rebuild Checklist
-
-If everything is already built once:
-
-1. Reuse `$QT_TVOS_PREFIX`
-2. Reuse Conan cache under `$HOME/.conan2`
-3. Reuse or pass an initialized `AMNEZIA_THIRDPARTY_ROOT`
-4. Re-run `qt-cmake` into `$BUILD_DIR`
-5. Re-run `xcodebuild -quiet ... build`
@@ -3,9 +3,6 @@ cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)
 set(PROJECT AmneziaVPN)
 project(${PROJECT})

-set(AMNEZIA_THIRDPARTY_ROOT "${CMAKE_CURRENT_LIST_DIR}/3rd" CACHE PATH "Path to Amnezia client/3rd sources")
-get_filename_component(AMNEZIA_THIRDPARTY_CLIENT_ROOT "${AMNEZIA_THIRDPARTY_ROOT}/.." ABSOLUTE)
-
 set_property(GLOBAL PROPERTY USE_FOLDERS ON)
 set_property(GLOBAL PROPERTY AUTOGEN_TARGETS_FOLDER "Autogen")
 set_property(GLOBAL PROPERTY AUTOMOC_TARGETS_FOLDER "Autogen")
@@ -36,7 +33,7 @@ add_definitions(-DDEV_S3_ENDPOINT="$ENV{DEV_S3_ENDPOINT}")
 add_definitions(-DFREE_V2_ENDPOINT="$ENV{FREE_V2_ENDPOINT}")
 add_definitions(-DPREM_V1_ENDPOINT="$ENV{PREM_V1_ENDPOINT}")

-if(WIN32 OR (APPLE AND NOT IOS AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS") OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
    set(PACKAGES ${PACKAGES} Widgets)
 endif()

@@ -49,7 +46,7 @@ set(LIBS ${LIBS}
    Qt6::Core5Compat Qt6::Concurrent
 )

-if(WIN32 OR (APPLE AND NOT IOS AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS") OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
    set(LIBS ${LIBS} Qt6::Widgets)
 endif()

@@ -59,7 +56,7 @@ target_include_directories(${PROJECT} PUBLIC
    $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>
 )

-if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS") OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
    qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_interface.rep)
    qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_process_interface.rep)
 endif()
@@ -81,6 +78,7 @@ set(AMNEZIAVPN_TS_FILES
 )

 file(GLOB_RECURSE AMNEZIAVPN_TS_SOURCES *.qrc *.cpp *.h *.ui)
+list(FILTER AMNEZIAVPN_TS_SOURCES EXCLUDE REGEX "qtgamepad/examples")

 qt_create_translation(AMNEZIAVPN_QM_FILES ${AMNEZIAVPN_TS_SOURCES} ${AMNEZIAVPN_TS_FILES})

@@ -111,7 +109,6 @@ include_directories(
    ${CMAKE_CURRENT_LIST_DIR}/../ipc
    ${CMAKE_CURRENT_LIST_DIR}/../common/logger
    ${CMAKE_CURRENT_LIST_DIR}
-    ${AMNEZIA_THIRDPARTY_CLIENT_ROOT}
    ${CMAKE_CURRENT_BINARY_DIR}
 )

@@ -179,7 +176,7 @@ if(LINUX AND NOT ANDROID)
    link_directories(${CMAKE_CURRENT_LIST_DIR}/platforms/linux)
 endif()

-if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS") OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
    add_compile_definitions(AMNEZIA_DESKTOP)
 endif()

@@ -187,8 +184,7 @@ if(ANDROID)
    include(cmake/android.cmake)
 endif()

-if(IOS OR CMAKE_SYSTEM_NAME STREQUAL "tvOS")
-    option(AMNEZIA_IOS_ENABLE_APPLETV_TARGET "Enable Apple TV target settings for iOS/Xcode projects" OFF)
+if(IOS)
    include(cmake/ios.cmake)
    include(cmake/ios-arch-fixup.cmake)
 elseif(APPLE AND MACOS_NE)
@@ -201,6 +197,36 @@ endif()
 target_link_libraries(${PROJECT} PRIVATE ${LIBS})
 target_compile_definitions(${PROJECT} PRIVATE "MZ_$<UPPER_CASE:${MZ_PLATFORM_NAME}>")

+# deploy artifacts required to run the application to the debug build folder
+if(WIN32)
+    if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
+        set(DEPLOY_PLATFORM_PATH "windows/x64")
+    else()
+        set(DEPLOY_PLATFORM_PATH "windows/x32")
+    endif()
+elseif(LINUX)
+    set(DEPLOY_PLATFORM_PATH "linux/client")
+elseif(APPLE AND NOT IOS)
+    set(DEPLOY_PLATFORM_PATH "macos")
+endif()
+
+if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
+    add_custom_command(
+        TARGET ${PROJECT} POST_BUILD
+        COMMAND ${CMAKE_COMMAND} -E $<IF:$<CONFIG:Debug>,copy_directory,true>
+        ${CMAKE_SOURCE_DIR}/deploy/data/${DEPLOY_PLATFORM_PATH}
+        $<TARGET_FILE_DIR:${PROJECT}>
+        COMMAND_EXPAND_LISTS
+    )
+    add_custom_command(
+        TARGET ${PROJECT} POST_BUILD
+        COMMAND ${CMAKE_COMMAND} -E $<IF:$<CONFIG:Debug>,copy_directory,true>
+        ${CMAKE_SOURCE_DIR}/client/3rd-prebuilt/deploy-prebuilt/${DEPLOY_PLATFORM_PATH}
+        $<TARGET_FILE_DIR:${PROJECT}>
+        COMMAND_EXPAND_LISTS
+    )
+endif()
+
 target_sources(${PROJECT} PRIVATE ${SOURCES} ${HEADERS} ${RESOURCES} ${QRC} ${I18NQRC})

 # Finalize the executable so Qt can gather/deploy QML modules and plugins correctly (Android needs this).
@@ -212,29 +238,3 @@ if(COMMAND qt_finalize_executable)
 else()
    qt_finalize_target(${PROJECT})
 endif()
-
-if(NOT IOS AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
-    install(TARGETS ${PROJECT}
-        DESTINATION ${CMAKE_INSTALL_BINDIR}
-        COMPONENT AmneziaVPN
-    )
-    install(FILES $<TARGET_RUNTIME_DLLS:${PROJECT}>
-        DESTINATION ${CMAKE_INSTALL_BINDIR}
-        COMPONENT AmneziaVPN
-    )
-
-    set(deploy_tool_options "")
-    if(WIN32)
-        set(deploy_tool_options "--force-openssl --force")
-    endif()
-
-    qt_generate_deploy_qml_app_script(
-        TARGET ${PROJECT}
-        OUTPUT_SCRIPT QT_DEPLOY_SCRIPT
-        NO_UNSUPPORTED_PLATFORM_ERROR
-        DEPLOY_TOOL_OPTIONS ${deploy_tool_options}
-    )
-    install(SCRIPT ${QT_DEPLOY_SCRIPT}
-        COMPONENT AmneziaVPN
-    )
-endif()
@@ -109,6 +109,16 @@ void AmneziaApplication::init()
            // install filter on main window
            if (auto win = qobject_cast<QQuickWindow*>(obj)) {
                win->installEventFilter(this);
+#ifdef Q_OS_ANDROID
+                QObject::connect(win, &QQuickWindow::sceneGraphError,
+                    [](QQuickWindow::SceneGraphError, const QString &msg) {
+                        qWarning() << "Scene graph error (suppressed):" << msg;
+                    });
+                // Keep graphics context alive across hide/show cycles to avoid
+                // eglSwapBuffers/makeCurrent being called on a context Android has reclaimed.
+                win->setPersistentSceneGraph(true);
+                win->setPersistentGraphics(true);
+#endif
                win->show();
            }
        },
@@ -250,7 +260,7 @@ bool AmneziaApplication::parseCommands()
    return true;
 }

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
 void AmneziaApplication::startLocalServer() {
    const QString serverName("AmneziaVPNInstance");
    QLocalServer::removeServer(serverName);
@@ -271,7 +281,7 @@ void AmneziaApplication::startLocalServer() {
 bool AmneziaApplication::eventFilter(QObject *watched, QEvent *event)
 {
    if (event->type() == QEvent::Close) {
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
        quit();
 #else
        if (m_forceQuit) {
@@ -6,7 +6,7 @@
 #include <QQmlApplicationEngine>
 #include <QQmlContext>
 #include <QThread>
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
  #include <QGuiApplication>
 #else
  #include <QApplication>
@@ -19,7 +19,7 @@

 #define amnApp (static_cast<AmneziaApplication *>(QCoreApplication::instance()))

-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
  #define AMNEZIA_BASE_CLASS QGuiApplication
 #else
  #define AMNEZIA_BASE_CLASS QApplication
@@ -37,7 +37,7 @@ public:
    void loadFonts();
    bool parseCommands();

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
    void startLocalServer();
 #endif

@@ -1,11 +1,11 @@
 [versions]
-agp = "8.6.1"
+agp = "8.5.2"
 kotlin = "1.9.24"
 androidx-core = "1.13.1"
 androidx-activity = "1.9.1"
 androidx-annotation = "1.8.2"
 androidx-biometric = "1.2.0-alpha05"
-androidx-camera = "1.5.3"
+androidx-camera = "1.3.4"
 androidx-fragment = "1.8.2"
 androidx-security-crypto = "1.1.0-alpha06"
 androidx-datastore = "1.1.1"
@@ -75,6 +75,8 @@ private const val OPEN_FILE_ACTION_CODE = 3
 private const val CHECK_NOTIFICATION_PERMISSION_ACTION_CODE = 4

 private const val PREFS_NOTIFICATION_PERMISSION_ASKED = "NOTIFICATION_PERMISSION_ASKED"
+private const val OPEN_FILE_AFTER_RESUME_DELAY_MS = 400L
+private const val KEY_PENDING_OPEN_FILE_URI = "pending_open_file_uri"

 class AmneziaActivity : QtActivity() {

@@ -90,10 +92,12 @@ class AmneziaActivity : QtActivity() {

    private val actionResultHandlers = mutableMapOf<Int, ActivityResultHandler>()
    private val permissionRequestHandlers = mutableMapOf<Int, PermissionRequestHandler>()
-    
+
    private var isActivityResumed = false
    private var hasWindowFocus = false
    private val resumeHandler = Handler(Looper.getMainLooper())
+    private var pendingOpenFileUri: String? = null
+    private var openFileDeliveryScheduled = false

    private val vpnServiceEventHandler: Handler by lazy(NONE) {
        object : Handler(Looper.getMainLooper()) {
@@ -196,14 +200,24 @@ class AmneziaActivity : QtActivity() {
                doBindService()
            }
        )
+        pendingOpenFileUri = savedInstanceState?.getString(KEY_PENDING_OPEN_FILE_URI)
+        openFileDeliveryScheduled = false
        registerBroadcastReceivers()
        intent?.let(::processIntent)
        runBlocking { vpnProto = proto.await() }
    }

+    override fun onSaveInstanceState(outState: Bundle) {
+        super.onSaveInstanceState(outState)
+        pendingOpenFileUri?.let { outState.putString(KEY_PENDING_OPEN_FILE_URI, it) }
+    }
+
    private fun loadLibs() {
        listOf(
-            "rsapss"
+            "rsapss",
+            "crypto_3",
+            "ssl_3",
+            "ssh"
        ).forEach {
            loadSharedLibrary(this.applicationContext, it)
        }
@@ -267,6 +281,7 @@ class AmneziaActivity : QtActivity() {
        hasWindowFocus = false
        // Cancel all pending operations when activity stops
        resumeHandler.removeCallbacksAndMessages(null)
+        openFileDeliveryScheduled = false
        Log.d(TAG, "Stop Amnezia activity")
        doUnbindService()
        mainScope.launch {
@@ -280,43 +295,55 @@ class AmneziaActivity : QtActivity() {
        super.onWindowFocusChanged(hasFocus)
        hasWindowFocus = hasFocus
        Log.d(TAG, "Window focus changed: hasFocus=$hasFocus")
-        
-        // Cancel pending operations if window loses focus
+
        if (!hasFocus) {
+            // Cancel pending operations if window loses focus
            resumeHandler.removeCallbacksAndMessages(null)
+        } else if (isActivityResumed && Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+            window.decorView.apply {
+                invalidate()
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(1f, 1f)
+                    }
+                }, 50)
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(2f, 2f)
+                        requestLayout()
+                        invalidate()
+                    }
+                }, 150)
+            }
        }
    }

    override fun dispatchKeyEvent(event: KeyEvent): Boolean {
-        val deviceId = event.deviceId
        val keyCode = event.keyCode
        val pressed = event.action == KeyEvent.ACTION_DOWN
-        val source = event.source

-        if (deviceId < 0 && pressed) {
-            when (keyCode) {
-                KeyEvent.KEYCODE_BUTTON_A,
-                KeyEvent.KEYCODE_BUTTON_B,
-                KeyEvent.KEYCODE_BUTTON_X,
-                KeyEvent.KEYCODE_BUTTON_Y,
-                KeyEvent.KEYCODE_BUTTON_START,
-                KeyEvent.KEYCODE_BUTTON_SELECT,
-                KeyEvent.KEYCODE_DPAD_CENTER -> {
-                    nativeGamepadKeyEvent(0, keyCode, true)
-                    nativeGamepadKeyEvent(0, keyCode, false)
+        when (keyCode) {
+            KeyEvent.KEYCODE_BUTTON_A,
+            KeyEvent.KEYCODE_BUTTON_B,
+            KeyEvent.KEYCODE_BUTTON_X,
+            KeyEvent.KEYCODE_BUTTON_Y,
+            KeyEvent.KEYCODE_BUTTON_START,
+            KeyEvent.KEYCODE_BUTTON_SELECT -> {
+                    nativeGamepadKeyEvent(0, keyCode, pressed)
                    return true
-                }
            }
-        }
-
-        // Real gamepad events (deviceId >= 0)
-        if (deviceId >= 0) {
-            val isGamepad = (source and InputDevice.SOURCE_GAMEPAD) == InputDevice.SOURCE_GAMEPAD
-            val isJoystick = (source and InputDevice.SOURCE_JOYSTICK) == InputDevice.SOURCE_JOYSTICK
-            val isDpad = (source and InputDevice.SOURCE_DPAD) == InputDevice.SOURCE_DPAD
-            if (isGamepad || isJoystick || isDpad) {
-                nativeGamepadKeyEvent(deviceId, keyCode, pressed)
-                return true
+            KeyEvent.KEYCODE_DPAD_CENTER,
+            KeyEvent.KEYCODE_DPAD_UP,
+            KeyEvent.KEYCODE_DPAD_DOWN,
+            KeyEvent.KEYCODE_DPAD_LEFT,
+            KeyEvent.KEYCODE_DPAD_RIGHT -> {
+                    val syntheticKeyCode = if (keyCode == KeyEvent.KEYCODE_DPAD_CENTER) KeyEvent.KEYCODE_ENTER else keyCode
+                    val synthetic = KeyEvent(
+                        event.downTime, event.eventTime, event.action, syntheticKeyCode,
+                        event.repeatCount, event.metaState, -1, event.scanCode,
+                        event.flags, InputDevice.SOURCE_KEYBOARD
+                    )
+                    return super.dispatchKeyEvent(synthetic)
            }
        }

@@ -326,10 +353,18 @@ class AmneziaActivity : QtActivity() {
    private external fun nativeGamepadKeyEvent(deviceId: Int, keyCode: Int, pressed: Boolean)

    override fun onPause() {
+        // Notify Qt to stop rendering BEFORE super.onPause() destroys the EGL surface.
+        // Using a coroutine here would be too late — the surface is gone by the time
+        // the coroutine runs. A direct synchronous call gives Qt's render thread the
+        // best chance to process visible=false before surface destruction.
+        if (qtInitialized.isCompleted) {
+            QtAndroidController.onActivityPaused()
+        }
        super.onPause()
        isActivityResumed = false
        // Cancel all pending operations when activity pauses
        resumeHandler.removeCallbacksAndMessages(null)
+        openFileDeliveryScheduled = false
        Log.d(TAG, "Pause Amnezia activity")
    }

@@ -337,6 +372,24 @@ class AmneziaActivity : QtActivity() {
        super.onResume()
        isActivityResumed = true
        Log.d(TAG, "Resume Amnezia activity")
+        if (qtInitialized.isCompleted) {
+            QtAndroidController.onActivityResumed()
+        }
+
+        if (pendingOpenFileUri != null && !openFileDeliveryScheduled) {
+            val uri = pendingOpenFileUri!!
+            openFileDeliveryScheduled = true
+            resumeHandler.postDelayed({
+                if (!isFinishing && !isDestroyed) {
+                    pendingOpenFileUri = null
+                    openFileDeliveryScheduled = false
+                    mainScope.launch {
+                        qtInitialized.await()
+                        QtAndroidController.onFileOpened(uri)
+                    }
+                }
+            }, OPEN_FILE_AFTER_RESUME_DELAY_MS)
+        }

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            window.decorView.apply {
@@ -348,13 +401,13 @@ class AmneziaActivity : QtActivity() {
                        sendTouch(1f, 1f)
                    }
                }, 100)
-                
+
                resumeHandler.postDelayed({
                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
                        sendTouch(2f, 2f)
                    }
                }, 200)
-                
+
                resumeHandler.postDelayed({
                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
                        requestLayout()
@@ -400,25 +453,25 @@ class AmneziaActivity : QtActivity() {
        ViewCompat.setOnApplyWindowInsetsListener(window.decorView) { view, windowInsets ->
            val imeInsets = windowInsets.getInsets(WindowInsetsCompat.Type.ime())
            val imeVisible = windowInsets.isVisible(WindowInsetsCompat.Type.ime())
-            
+
            val imeHeight = if (imeVisible) imeInsets.bottom else 0

            val density = resources.displayMetrics.density
            val imeHeightDp = (imeHeight / density).toInt()
-            
+
            // Also track system bars (navigation bar, status bar) changes
            val systemBarsInsets = windowInsets.getInsets(WindowInsetsCompat.Type.systemBars())
            val navBarHeight = systemBarsInsets.bottom
            val navBarHeightDp = (navBarHeight / density).toInt()
            val statusBarHeight = systemBarsInsets.top
            val statusBarHeightDp = (statusBarHeight / density).toInt()
-            
+
            mainScope.launch {
                qtInitialized.await()
                QtAndroidController.onImeInsetsChanged(imeHeightDp)
                QtAndroidController.onSystemBarsInsetsChanged(navBarHeightDp, statusBarHeightDp)
            }
-            
+
            // Return windowInsets instead of CONSUMED to allow proper handling
            windowInsets
        }
@@ -754,9 +807,13 @@ class AmneziaActivity : QtActivity() {
                            grantUriPermission(packageName, this, Intent.FLAG_GRANT_READ_URI_PERMISSION)
                        }?.toString() ?: ""
                        Log.v(TAG, "Open file: $uri")
-                        mainScope.launch {
-                            qtInitialized.await()
-                            QtAndroidController.onFileOpened(uri)
+                        if (uri.isNotEmpty()) {
+                            pendingOpenFileUri = uri
+                        } else {
+                            mainScope.launch {
+                                qtInitialized.await()
+                                QtAndroidController.onFileOpened(uri)
+                            }
                        }
                    }
                ))
@@ -785,7 +842,7 @@ class AmneziaActivity : QtActivity() {
    @Suppress("unused")
    fun getFd(fileName: String): Int {
        Log.v(TAG, "Get fd for $fileName")
-        return blockingCall {
+        return blockingCall(Dispatchers.IO) {
            try {
                pfd = contentResolver.openFileDescriptor(Uri.parse(fileName), "r")
                pfd?.fd ?: -1
@@ -33,7 +33,10 @@ class TvFilePicker : ComponentActivity() {
            return intent
        }
    }) {
-        setResult(RESULT_OK, Intent().apply { data = it })
+        setResult(RESULT_OK, Intent().apply {
+            data = it
+            addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
+        })
        finish()
    }

@@ -31,4 +31,7 @@ object QtAndroidController {

    external fun onImeInsetsChanged(heightDp: Int)
    external fun onSystemBarsInsetsChanged(navBarHeightDp: Int, statusBarHeightDp: Int)
+
+    external fun onActivityPaused()
+    external fun onActivityResumed()
 }
@@ -1,19 +1,88 @@
 set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/..)
-set(AMNEZIA_THIRDPARTY_ROOT "${CLIENT_ROOT_DIR}/3rd" CACHE PATH "Path to Amnezia client/3rd sources")

 set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/Modules;${CMAKE_MODULE_PATH}")

-add_subdirectory(${AMNEZIA_THIRDPARTY_ROOT}/SortFilterProxyModel ${CMAKE_CURRENT_BINARY_DIR}/3rd/SortFilterProxyModel)
+add_subdirectory(${CLIENT_ROOT_DIR}/3rd/SortFilterProxyModel)
 set(LIBS ${LIBS} SortFilterProxyModel)
 include(${CLIENT_ROOT_DIR}/cmake/QSimpleCrypto.cmake)

-include(${AMNEZIA_THIRDPARTY_ROOT}/qrcodegen/qrcodegen.cmake)
+include(${CLIENT_ROOT_DIR}/3rd/qrcodegen/qrcodegen.cmake)
+
+set(LIBSSH_ROOT_DIR "${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/libssh/")
+set(OPENSSL_ROOT_DIR "${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/openssl/")
+
+set(OPENSSL_LIBRARIES_DIR "${OPENSSL_ROOT_DIR}/lib")
+
+if(WIN32)
+    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/windows/include")
+    if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
+        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/windows/x86_64/ssh.lib")
+        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/windows/x86_64")
+        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/windows/win64/libssl.lib")
+        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win64/libcrypto.lib")
+    else()
+        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/windows/x86/ssh.lib")
+        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/windows/x86")
+        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libssl.lib")
+        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libcrypto.lib")
+    endif()
+elseif(APPLE AND NOT IOS)
+    if(MACOS_NE)
+        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libssh.a")
+        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libz.a")
+        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/universal2")
+    else()
+        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libssh.a")
+        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libz.a")
+        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/x86_64")
+    endif()
+    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/macos/include")
+    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libssl.a")
+    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libcrypto.a")    
+elseif(IOS)
+    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/ios/arm64")
+    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/ios/arm64/libssh.a")
+    set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/ios/arm64/libz.a")
+    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/ios/iphone/include")
+    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/ios/iphone/lib/libssl.a")
+    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/ios/iphone/lib/libcrypto.a")
+elseif(ANDROID)
+    set(abi ${CMAKE_ANDROID_ARCH_ABI})
+    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/android/${abi}")
+    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/android/${abi}/libssh.so")
+    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/android/include")
+    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/android/${abi}/libssl.a")
+    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/android/${abi}/libcrypto.a")
+    set(OPENSSL_LIBRARIES_DIR "${OPENSSL_ROOT_DIR}/android/${abi}")
+elseif(LINUX)
+    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/linux/x86_64")
+    set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/linux/x86_64/libz.a")
+    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/linux/x86_64/libssh.a")
+    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/linux/include")
+    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/linux/x86_64/libssl.a")
+    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/linux/x86_64/libcrypto.a")
+endif()
+
+file(COPY ${OPENSSL_LIB_SSL_PATH} ${OPENSSL_LIB_CRYPTO_PATH}
+        DESTINATION ${OPENSSL_LIBRARIES_DIR})
+
+set(OPENSSL_USE_STATIC_LIBS TRUE)
+  
+set(LIBS ${LIBS} 
+    ${LIBSSH_LIB_PATH} 
+    ${ZLIB_LIB_PATH}
+)
+  
+set(LIBS ${LIBS}
+    ${OPENSSL_LIB_SSL_PATH}
+    ${OPENSSL_LIB_CRYPTO_PATH}
+)

 add_compile_definitions(_WINSOCKAPI_)

 set(BUILD_SHARED_LIBS OFF CACHE BOOL "" FORCE)
 set(BUILD_WITH_QT6 ON)
-add_subdirectory(${AMNEZIA_THIRDPARTY_ROOT}/qtkeychain ${CMAKE_CURRENT_BINARY_DIR}/3rd/qtkeychain EXCLUDE_FROM_ALL)
+add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtkeychain)

 if(ANDROID)
    # Use qtgamepad from amnezia-vpn/qtgamepad repository
@@ -37,13 +106,12 @@ endif()
 set(LIBS ${LIBS} qt6keychain)

 include_directories(
-    ${AMNEZIA_THIRDPARTY_ROOT}/QSimpleCrypto/src/include
-    ${AMNEZIA_THIRDPARTY_ROOT}/qtkeychain/qtkeychain
+    ${OPENSSL_INCLUDE_DIR}
+    ${LIBSSH_INCLUDE_DIR}/include
+    ${LIBSSH_ROOT_DIR}/include
+    ${CLIENT_ROOT_DIR}/3rd/libssh/include
+    ${CLIENT_ROOT_DIR}/3rd/QSimpleCrypto/src/include
+    ${CLIENT_ROOT_DIR}/3rd/qtkeychain/qtkeychain
    ${CMAKE_CURRENT_BINARY_DIR}/3rd/qtkeychain
+    ${CMAKE_CURRENT_BINARY_DIR}/3rd/libssh/include
 )
-
-find_package(OpenSSL REQUIRED)
-list(APPEND LIBS OpenSSL::SSL OpenSSL::Crypto)
-
-find_package(libssh REQUIRED)
-list(APPEND LIBS ssh::ssh)
@@ -1,6 +1,5 @@
 set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/..)
-set(AMNEZIA_THIRDPARTY_ROOT "${CLIENT_ROOT_DIR}/3rd" CACHE PATH "Path to Amnezia client/3rd sources")
-set(QSIMPLECRYPTO_DIR ${AMNEZIA_THIRDPARTY_ROOT}/QSimpleCrypto/src)
+set(QSIMPLECRYPTO_DIR ${CLIENT_ROOT_DIR}/3rd/QSimpleCrypto/src)

 include_directories(${QSIMPLECRYPTO_DIR})

@@ -42,14 +42,18 @@ set(SOURCES ${SOURCES}
    ${CMAKE_CURRENT_SOURCE_DIR}/core/installedAppsImageProvider.cpp
 )

+foreach(abi IN ITEMS ${QT_ANDROID_ABIS})
+    set_property(TARGET ${PROJECT} PROPERTY QT_ANDROID_EXTRA_LIBS
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/amneziawg/android/${abi}/libwg-go.so
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/libck-ovpn-plugin.so
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/libovpn3.so
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/libovpnutil.so
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/librsapss.so
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openssl/android/${abi}/libcrypto_3.so
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openssl/android/${abi}/libssl_3.so
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/libssh/android/${abi}/libssh.so
+    )
+endforeach()

-find_package(awg-android REQUIRED)
-set(LIBS ${LIBS} amnezia::awg-android)
-set_property(TARGET ${PROJECT} APPEND PROPERTY QT_ANDROID_EXTRA_LIBS ${AMNEZIA_ANDROID_LIBWG_PATH} ${AMNEZIA_ANDROID_LIBWG_QUICK_PATH})
-
-find_package(amnezia-libxray REQUIRED)
-file(COPY ${AMNEZIA_LIBXRAY_PATH} DESTINATION ${CMAKE_CURRENT_SOURCE_DIR}/android/xray/libXray)
-
-find_package(openvpn-pt-android REQUIRED)
-set(LIBS ${LIBS} amnezia::openvpn-pt-android)
-set_property(TARGET ${PROJECT} APPEND PROPERTY QT_ANDROID_EXTRA_LIBS ${OPENVPN_PT_ANDROID_LIBCK_OVPN_PLUGIN_PATH})
+file(COPY ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/xray/android/libxray.aar
+        DESTINATION ${CMAKE_CURRENT_SOURCE_DIR}/android/xray/libXray)
@@ -39,7 +39,5 @@ while(IOS_TARGETS)
    set_target_properties(${TARGET_NAME} PROPERTIES
        XCODE_ATTRIBUTE_ARCHS[sdk=iphoneos*] "arm64"
        XCODE_ATTRIBUTE_ARCHS[sdk=iphonesimulator*] "x86_64"
-        XCODE_ATTRIBUTE_ARCHS[sdk=appletvos*] "arm64"
-        XCODE_ATTRIBUTE_ARCHS[sdk=appletvsimulator*] "arm64"
    )
-endwhile()
+endwhile()
@@ -1,19 +1,7 @@
 message("Client iOS build")
+set(CMAKE_OSX_DEPLOYMENT_TARGET 13.0)
 set(APPLE_PROJECT_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(AMNEZIA_IOS_APPLETV ${AMNEZIA_IOS_ENABLE_APPLETV_TARGET})

-if(AMNEZIA_IOS_APPLETV)
-    message("Apple TV target mode is ON")
-    set(CMAKE_OSX_DEPLOYMENT_TARGET 17.0)
-    set(QT_NO_SET_DEFAULT_IOS_LAUNCH_SCREEN TRUE)
-    set(QT_NO_ADD_IOS_LAUNCH_SCREEN_TO_BUNDLE TRUE)
-    set(IOS_INFO_PLIST ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Info-tvOS.plist.in)
-    set(IOS_LAUNCHSCREEN_STORYBOARD ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/tvOS/AmneziaVPNLaunchScreen.storyboard)
-else()
-    message("Apple TV target mode is OFF")
-    set(IOS_INFO_PLIST ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Info.plist.in)
-    set(IOS_LAUNCHSCREEN_STORYBOARD ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/AmneziaVPNLaunchScreen.storyboard)
-endif()

 enable_language(OBJC)
 enable_language(OBJCXX)
@@ -22,23 +10,13 @@ enable_language(Swift)
 find_package(Qt6 REQUIRED COMPONENTS ShaderTools)
 set(LIBS ${LIBS} Qt6::ShaderTools)

-if(AMNEZIA_IOS_APPLETV)
-    # Use framework linker flags directly for tvOS to avoid iPhoneOS SDK absolute paths.
-    set(FW_AUTHENTICATIONSERVICES "-framework AuthenticationServices")
-    set(FW_UIKIT "-framework UIKit")
-    set(FW_AVFOUNDATION "-framework AVFoundation")
-    set(FW_FOUNDATION "-framework Foundation")
-    set(FW_STOREKIT "-framework StoreKit")
-    set(FW_USERNOTIFICATIONS "-framework UserNotifications")
-else()
-    find_library(FW_AUTHENTICATIONSERVICES AuthenticationServices)
-    find_library(FW_UIKIT UIKit)
-    find_library(FW_AVFOUNDATION AVFoundation)
-    find_library(FW_FOUNDATION Foundation)
-    find_library(FW_STOREKIT StoreKit)
-    find_library(FW_USERNOTIFICATIONS UserNotifications)
-    find_library(FW_NETWORKEXTENSION NetworkExtension)
-endif()
+find_library(FW_AUTHENTICATIONSERVICES AuthenticationServices)
+find_library(FW_UIKIT UIKit)
+find_library(FW_AVFOUNDATION AVFoundation)
+find_library(FW_FOUNDATION Foundation)
+find_library(FW_STOREKIT StoreKit)
+find_library(FW_USERNOTIFICATIONS UserNotifications)
+find_library(FW_NETWORKEXTENSION NetworkExtension)

 set(LIBS ${LIBS}
    ${FW_AUTHENTICATIONSERVICES}
@@ -47,12 +25,9 @@ set(LIBS ${LIBS}
    ${FW_FOUNDATION}
    ${FW_STOREKIT}
    ${FW_USERNOTIFICATIONS}
+    ${FW_NETWORKEXTENSION}
 )

-if(NOT AMNEZIA_IOS_APPLETV)
-    set(LIBS ${LIBS} ${FW_NETWORKEXTENSION})
-endif()
-

 set(HEADERS ${HEADERS}
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h
@@ -82,7 +57,7 @@ target_include_directories(${PROJECT} PRIVATE ${Qt6Gui_PRIVATE_INCLUDE_DIRS})

 set_target_properties(${PROJECT} PROPERTIES
    XCODE_LINK_BUILD_PHASE_MODE KNOWN_LOCATION
-    MACOSX_BUNDLE_INFO_PLIST ${IOS_INFO_PLIST}
+    MACOSX_BUNDLE_INFO_PLIST ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Info.plist.in
    MACOSX_BUNDLE_ICON_FILE "AppIcon"
    MACOSX_BUNDLE_INFO_STRING "AmneziaVPN"
    MACOSX_BUNDLE_BUNDLE_NAME "AmneziaVPN"
@@ -91,6 +66,7 @@ set_target_properties(${PROJECT} PROPERTIES
    MACOSX_BUNDLE_LONG_VERSION_STRING "${APPLE_PROJECT_VERSION}-${CMAKE_PROJECT_VERSION_TWEAK}"
    MACOSX_BUNDLE_SHORT_VERSION_STRING "${APPLE_PROJECT_VERSION}"
    XCODE_ATTRIBUTE_PRODUCT_BUNDLE_IDENTIFIER "${BUILD_IOS_APP_IDENTIFIER}"
+    XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "${CMAKE_CURRENT_SOURCE_DIR}/ios/app/main.entitlements"
    XCODE_ATTRIBUTE_MARKETING_VERSION "${APPLE_PROJECT_VERSION}"
    XCODE_ATTRIBUTE_CURRENT_PROJECT_VERSION "${CMAKE_PROJECT_VERSION_TWEAK}"
    XCODE_ATTRIBUTE_PRODUCT_NAME "AmneziaVPN"
@@ -98,36 +74,13 @@ set_target_properties(${PROJECT} PROPERTIES
    XCODE_GENERATE_SCHEME TRUE
    XCODE_ATTRIBUTE_ENABLE_BITCODE "NO"
    XCODE_ATTRIBUTE_ASSETCATALOG_COMPILER_APPICON_NAME "AppIcon"
+    XCODE_ATTRIBUTE_TARGETED_DEVICE_FAMILY "1,2"
    XCODE_EMBED_FRAMEWORKS_CODE_SIGN_ON_COPY ON
    XCODE_LINK_BUILD_PHASE_MODE KNOWN_LOCATION
    XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/Frameworks"
    XCODE_EMBED_APP_EXTENSIONS networkextension
 )

-if(AMNEZIA_IOS_APPLETV)
-    set_target_properties(${PROJECT} PROPERTIES
-        XCODE_ATTRIBUTE_SUPPORTED_PLATFORMS "appletvos appletvsimulator"
-        XCODE_ATTRIBUTE_TARGETED_DEVICE_FAMILY "3"
-        XCODE_ATTRIBUTE_TVOS_DEPLOYMENT_TARGET "${CMAKE_OSX_DEPLOYMENT_TARGET}"
-        XCODE_ATTRIBUTE_SDKROOT "appletvos"
-        XCODE_ATTRIBUTE_SDKROOT[sdk=appletvos*] "appletvos"
-        XCODE_ATTRIBUTE_SDKROOT[sdk=appletvsimulator*] "appletvsimulator"
-        XCODE_ATTRIBUTE_LIBRARY_SEARCH_PATHS "$(inherited) $(SDKROOT)/usr/lib/swift $(TOOLCHAIN_DIR)/usr/lib/swift/$(PLATFORM_NAME)"
-        XCODE_ATTRIBUTE_LIBRARY_SEARCH_PATHS[sdk=appletvos*] "$(inherited) $(SDKROOT)/usr/lib/swift $(TOOLCHAIN_DIR)/usr/lib/swift/$(PLATFORM_NAME)"
-        XCODE_ATTRIBUTE_LIBRARY_SEARCH_PATHS[sdk=appletvsimulator*] "$(inherited) $(SDKROOT)/usr/lib/swift $(TOOLCHAIN_DIR)/usr/lib/swift/$(PLATFORM_NAME)"
-        XCODE_ATTRIBUTE_EXCLUDED_LIBRARY_SEARCH_PATHS "/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS*.sdk/usr/lib/swift"
-        XCODE_ATTRIBUTE_EXCLUDED_FRAMEWORK_SEARCH_PATHS "/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS*.sdk/System/Library/Frameworks"
-    )
-    set_target_properties(${PROJECT} PROPERTIES
-        QT_IOS_PERMISSIONS ""
-    )
-else()
-    set_target_properties(${PROJECT} PROPERTIES
-        XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "${CMAKE_CURRENT_SOURCE_DIR}/ios/app/main.entitlements"
-        XCODE_ATTRIBUTE_TARGETED_DEVICE_FAMILY "1,2"
-    )
-endif()
-
 if(DEFINED DEPLOY)
    set_target_properties(${PROJECT} PROPERTIES
        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Distribution"
@@ -158,61 +111,7 @@ target_compile_options(${PROJECT} PRIVATE
    -DVPN_NE_BUNDLEID=\"${BUILD_IOS_APP_IDENTIFIER}.network-extension\"
 )

-if(AMNEZIA_IOS_APPLETV)
-    # qscnetworkreachability plugin links IOKit, which is unavailable on tvOS.
-    qt_import_plugins(${PROJECT}
-        NO_DEFAULT
-        INCLUDE
-            QIOSIntegrationPlugin
-            QJpegPlugin
-            QSvgPlugin
-            QGifPlugin
-            QICOPlugin
-            QSvgIconPlugin
-            QSecureTransportBackendPlugin
-        EXCLUDE
-            QSCNetworkReachabilityNetworkInformationPlugin
-            QDarwinCameraPermissionPlugin
-    )
-
-    # Static tvOS Qt build doesn't auto-link these plugin archives into the
-    # Xcode target, but the app entry point lives in QIOSIntegrationPlugin.
-    set(_amnezia_tvos_static_plugins
-        Qt6::QIOSIntegrationPlugin
-        Qt6::QIOSIntegrationPlugin_init
-        Qt6::QJpegPlugin
-        Qt6::QJpegPlugin_init
-        Qt6::QSvgPlugin
-        Qt6::QSvgPlugin_init
-        Qt6::QGifPlugin
-        Qt6::QGifPlugin_init
-        Qt6::QICOPlugin
-        Qt6::QICOPlugin_init
-        Qt6::QSvgIconPlugin
-        Qt6::QSvgIconPlugin_init
-        Qt6::QSecureTransportBackendPlugin
-        Qt6::QSecureTransportBackendPlugin_init
-    )
-    foreach(_amnezia_tvos_static_plugin IN LISTS _amnezia_tvos_static_plugins)
-        if(TARGET ${_amnezia_tvos_static_plugin})
-            target_link_libraries(${PROJECT} PRIVATE ${_amnezia_tvos_static_plugin})
-        endif()
-    endforeach()
-    unset(_amnezia_tvos_static_plugin)
-    unset(_amnezia_tvos_static_plugins)
-
-    # Qt 6.9.2 iOS package links IOKit via Qt6::Core interface, but tvOS SDK
-    # does not provide IOKit. Strip this single framework for Apple TV builds.
-    get_target_property(_qtcore_iface_libs Qt6::Core INTERFACE_LINK_LIBRARIES)
-    if(_qtcore_iface_libs)
-        string(REPLACE "-framework IOKit;" "" _qtcore_iface_libs "${_qtcore_iface_libs}")
-        string(REPLACE ";-framework IOKit" "" _qtcore_iface_libs "${_qtcore_iface_libs}")
-        set_property(TARGET Qt6::Core PROPERTY INTERFACE_LINK_LIBRARIES "${_qtcore_iface_libs}")
-    endif()
-endif()
-
-set(AMNEZIA_THIRDPARTY_ROOT "${CMAKE_CURRENT_SOURCE_DIR}/3rd" CACHE PATH "Path to Amnezia client/3rd sources")
-set(WG_APPLE_SOURCE_DIR ${AMNEZIA_THIRDPARTY_ROOT}/amneziawg-apple/Sources)
+set(WG_APPLE_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/3rd/amneziawg-apple/Sources)

 target_sources(${PROJECT} PRIVATE
 #    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosvpnprotocol.swift
@@ -224,29 +123,25 @@ target_sources(${PROJECT} PRIVATE
    ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
 )

-if(IOS_LAUNCHSCREEN_STORYBOARD)
-    target_sources(${PROJECT} PRIVATE
-        ${IOS_LAUNCHSCREEN_STORYBOARD}
-        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
-        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
-    )
+target_sources(${PROJECT} PRIVATE
+    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/AmneziaVPNLaunchScreen.storyboard
+    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
+    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
+)

-    set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
-        ${IOS_LAUNCHSCREEN_STORYBOARD}
-        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
-        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
-    )
-else()
-    target_sources(${PROJECT} PRIVATE
-        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
-        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
-    )
-
-    set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
-        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
-        ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
-    )
-endif()
+set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
+    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/AmneziaVPNLaunchScreen.storyboard
+    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
+    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
+)

 add_subdirectory(ios/networkextension)
 add_dependencies(${PROJECT} networkextension)
+
+set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
+    "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework"
+)
+
+set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/)
+target_link_libraries("networkextension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework")
+
@@ -23,6 +23,9 @@ set_target_properties(${PROJECT} PROPERTIES
    MACOSX_BUNDLE_SHORT_VERSION_STRING "${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH}"
    MACOSX_BUNDLE_BUNDLE_VERSION "${CMAKE_PROJECT_VERSION_TWEAK}"
 )
+set(CMAKE_OSX_ARCHITECTURES "x86_64" CACHE INTERNAL "" FORCE)
+set(CMAKE_OSX_DEPLOYMENT_TARGET 10.15)
+

 set(HEADERS ${HEADERS}
    ${CMAKE_CURRENT_SOURCE_DIR}/ui/macos_util.h
@@ -1,6 +1,7 @@
 message("Client ==> MacOS NE build")

 set_target_properties(${PROJECT} PROPERTIES MACOSX_BUNDLE TRUE)
+set(CMAKE_OSX_DEPLOYMENT_TARGET 10.15)

 set(APPLE_PROJECT_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})

@@ -151,6 +152,19 @@ message(${QtCore_location})

 get_filename_component(QT_BIN_DIR_DETECTED "${QtCore_location}/../../../../../bin" ABSOLUTE)

-add_custom_command(TARGET ${PROJECT} POST_BUILD
-    COMMAND ${QT_BIN_DIR_DETECTED}/macdeployqt $<TARGET_BUNDLE_DIR:AmneziaVPN> -appstore-compliant -qmldir=${CMAKE_CURRENT_SOURCE_DIR}
+set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
+    "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos/OpenVPNAdapter.framework"
+)
+
+set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos)
+target_link_libraries("AmneziaVPNNetworkExtension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos/OpenVPNAdapter.framework")
+
+add_custom_command(TARGET ${PROJECT} POST_BUILD
+    COMMAND ${CMAKE_COMMAND} -E make_directory
+            $<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks
+    COMMAND /usr/bin/find "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework" -name "*.sha256" -delete
+    COMMAND /usr/bin/codesign --force --sign "Apple Distribution: Privacy Technologies OU"
+            "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework/Versions/Current/OpenVPNAdapter"
+    COMMAND ${QT_BIN_DIR_DETECTED}/macdeployqt $<TARGET_BUNDLE_DIR:AmneziaVPN> -appstore-compliant -qmldir=${CMAKE_CURRENT_SOURCE_DIR}
+    COMMENT "Signing OpenVPNAdapter framework"
 )
@@ -39,7 +39,7 @@ set(HEADERS ${HEADERS}
    ${CLIENT_ROOT_DIR}/mozilla/controllerimpl.h
 )

-if(NOT IOS AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
+if(NOT IOS AND NOT MACOS_NE)
    set(HEADERS ${HEADERS}
        ${CLIENT_ROOT_DIR}/platforms/ios/QRCodeReaderBase.h
    )
@@ -89,14 +89,14 @@ set(SOURCES ${SOURCES}
    ${CLIENT_ROOT_DIR}/mozilla/shared/leakdetector.cpp
 )

-if(NOT IOS AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
+if(NOT IOS AND NOT MACOS_NE)
    set(SOURCES ${SOURCES}
        ${CLIENT_ROOT_DIR}/platforms/ios/QRCodeReaderBase.cpp
    )
 endif()

 # Include native macOS platform helpers (dock/status-item)
-if(APPLE AND NOT IOS AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS")
+if(APPLE AND NOT IOS)
    list(APPEND HEADERS
        ${CLIENT_ROOT_DIR}/platforms/macos/macosutils.h
        ${CLIENT_ROOT_DIR}/platforms/macos/macosstatusicon.h
@@ -175,7 +175,7 @@ if(WIN32)
    )
 endif()

-if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE AND NOT CMAKE_SYSTEM_NAME STREQUAL "tvOS") OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
    message("Client desktop build")
    add_compile_definitions(AMNEZIA_DESKTOP)

@@ -1,13 +1,17 @@
 #include "openvpn_configurator.h"

 #include <QDebug>
-#include <QCoreApplication>
 #include <QJsonDocument>
 #include <QJsonObject>
 #include <QProcess>
 #include <QString>
 #include <QTemporaryDir>
 #include <QTemporaryFile>
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+    #include <QGuiApplication>
+#else
+    #include <QApplication>
+#endif

 #include "core/networkUtilities.h"
 #include "containers/containers_defs.h"
@@ -161,7 +165,7 @@ QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString,
    QString dnsConf = QString("\nscript-security 2\n"
                              "up %1/update-resolv-conf.sh\n"
                              "down %1/update-resolv-conf.sh\n")
-                              .arg(QCoreApplication::applicationDirPath());
+                              .arg(qApp->applicationDirPath());

    config.append(dnsConf);
 #endif
@@ -1,7 +1,6 @@
 #include "ssh_configurator.h"

 #include <QDebug>
-#include <QCoreApplication>
 #include <QObject>
 #include <QProcess>
 #include <QString>
@@ -9,6 +8,11 @@
 #include <QTemporaryFile>
 #include <QThread>
 #include <qtimer.h>
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
+    #include <QGuiApplication>
+#else
+    #include <QApplication>
+#endif

 #include "core/server_defs.h"
 #include "utilities.h"
@@ -20,7 +24,7 @@ SshConfigurator::SshConfigurator(std::shared_ptr<Settings> settings, const QShar

 QString SshConfigurator::convertOpenSShKey(const QString &key)
 {
-#if !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
    QProcess p;
    p.setProcessChannelMode(QProcess::MergedChannels);

@@ -66,13 +70,13 @@ QString SshConfigurator::convertOpenSShKey(const QString &key)
 // DEAD CODE.
 void SshConfigurator::openSshTerminal(const ServerCredentials &credentials)
 {
-#if !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
    QProcess *p = new QProcess();
    p->setProcessChannelMode(QProcess::SeparateChannels);

    #ifdef Q_OS_WIN
    p->setProcessEnvironment(prepareEnv());
-    p->setProgram(QCoreApplication::applicationDirPath() + "\\cygwin\\putty.exe");
+    p->setProgram(qApp->applicationDirPath() + "\\cygwin\\putty.exe");

    if (credentials.secretData.contains("PRIVATE KEY")) {
        // todo: connect by key
@@ -96,10 +100,10 @@ QProcessEnvironment SshConfigurator::prepareEnv()

 #ifdef Q_OS_WIN
    pathEnvVar.clear();
-    pathEnvVar.prepend(QDir::toNativeSeparators(QCoreApplication::applicationDirPath()) + "\\cygwin;");
-    pathEnvVar.prepend(QDir::toNativeSeparators(QCoreApplication::applicationDirPath()) + "\\openvpn;");
+    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\cygwin;");
+    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\openvpn;");
 #elif defined(Q_OS_MACX) && !defined(MACOS_NE)
-    pathEnvVar.prepend(QDir::toNativeSeparators(QCoreApplication::applicationDirPath()) + "/Contents/MacOS");
+    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "/Contents/MacOS");
 #endif

    env.insert("PATH", pathEnvVar);
@@ -10,8 +10,10 @@ namespace apiDefs
        AmneziaFreeV3,
        AmneziaPremiumV1,
        AmneziaPremiumV2,
+        AmneziaTrialV2,
        SelfHosted,
-        ExternalPremium
+        ExternalPremium,
+        ExternalTrial
    };

    enum ConfigSource {
@@ -32,6 +34,7 @@ namespace apiDefs
        constexpr QLatin1String stackType("stack_type");
        constexpr QLatin1String serviceType("service_type");
        constexpr QLatin1String cliVersion("cli_version");
+        constexpr QLatin1String cliName("cli_name");
        constexpr QLatin1String supportedProtocols("supported_protocols");

        constexpr QLatin1String vpnKey("vpn_key");
@@ -58,18 +58,24 @@ apiDefs::ConfigType apiUtils::getConfigType(const QJsonObject &serverConfigObjec
    };
    case apiDefs::ConfigSource::AmneziaGateway: {
        constexpr QLatin1String servicePremium("amnezia-premium");
+        constexpr QLatin1String serviceTrial("amnezia-trial");
        constexpr QLatin1String serviceFree("amnezia-free");
        constexpr QLatin1String serviceExternalPremium("external-premium");
+        constexpr QLatin1String serviceExternalTrial("external-trial");

        auto apiConfigObject = serverConfigObject.value(apiDefs::key::apiConfig).toObject();
        auto serviceType = apiConfigObject.value(apiDefs::key::serviceType).toString();

        if (serviceType == servicePremium) {
            return apiDefs::ConfigType::AmneziaPremiumV2;
+        } else if (serviceType == serviceTrial) {
+            return apiDefs::ConfigType::AmneziaTrialV2;
        } else if (serviceType == serviceFree) {
            return apiDefs::ConfigType::AmneziaFreeV3;
        } else if (serviceType == serviceExternalPremium) {
            return apiDefs::ConfigType::ExternalPremium;
+        } else if (serviceType == serviceExternalTrial) {
+            return apiDefs::ConfigType::ExternalTrial;
        }
    }
    default: {
@@ -90,6 +96,7 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
    const int httpStatusCodeConflict = 409;
    const int httpStatusCodeNotFound = 404;
    const int httpStatusCodeNotImplemented = 501;
+    const int httpStatusCodeUnprocessableEntity = 422;

    if (!sslErrors.empty()) {
        qDebug().noquote() << sslErrors;
@@ -122,6 +129,8 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
            return amnezia::ErrorCode::ApiNotFoundError;
        } else if (httpStatusFromBody == httpStatusCodeNotImplemented) {
            return amnezia::ErrorCode::ApiUpdateRequestError;
+        } else if (httpStatusFromBody == httpStatusCodeUnprocessableEntity) {
+            return amnezia::ErrorCode::ApiSubscriptionExpiredError;
        }
        return amnezia::ErrorCode::ApiConfigDownloadError;
    }
@@ -133,7 +142,8 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
 bool apiUtils::isPremiumServer(const QJsonObject &serverConfigObject)
 {
    static const QSet<apiDefs::ConfigType> premiumTypes = { apiDefs::ConfigType::AmneziaPremiumV1, apiDefs::ConfigType::AmneziaPremiumV2,
-                                                            apiDefs::ConfigType::ExternalPremium };
+                                                            apiDefs::ConfigType::AmneziaTrialV2, apiDefs::ConfigType::ExternalPremium,
+                                                            apiDefs::ConfigType::ExternalTrial };
    return premiumTypes.contains(getConfigType(serverConfigObject));
 }

@@ -177,7 +187,9 @@ QString apiUtils::getPremiumV1VpnKey(const QJsonObject &serverConfigObject)

 QString apiUtils::getPremiumV2VpnKey(const QJsonObject &serverConfigObject)
 {
-    if (apiUtils::getConfigType(serverConfigObject) != apiDefs::ConfigType::AmneziaPremiumV2) {
+    auto configType = apiUtils::getConfigType(serverConfigObject);
+    if (configType != apiDefs::ConfigType::AmneziaPremiumV2 && configType != apiDefs::ConfigType::AmneziaTrialV2
+        && configType != apiDefs::ConfigType::ExternalPremium && configType != apiDefs::ConfigType::ExternalTrial) {
        return {};
    }

@@ -8,7 +8,7 @@
    #include "platforms/android/android_controller.h"
 #endif

-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#if defined(Q_OS_IOS)
    #include "platforms/ios/ios_controller.h"
    #include <AmneziaVPN-Swift.h>
 #endif
@@ -135,7 +135,7 @@ void CoreController::initControllers()
            new SettingsController(m_serversModel, m_containersModel, m_languageModel, m_sitesModel, m_appSplitTunnelingModel, m_settings));
    m_engine->rootContext()->setContextProperty("SettingsController", m_settingsController.get());

-    m_sitesController.reset(new SitesController(m_settings, m_vpnConnection, m_sitesModel));
+    m_sitesController.reset(new SitesController(m_settings, m_sitesModel));
    m_engine->rootContext()->setContextProperty("SitesController", m_sitesController.get());

    m_allowedDnsController.reset(new AllowedDnsController(m_settings, m_allowedDnsModel));
@@ -153,6 +153,8 @@ void CoreController::initControllers()

    m_apiConfigsController.reset(new ApiConfigsController(m_serversModel, m_apiServicesModel, m_settings));
    m_engine->rootContext()->setContextProperty("ApiConfigsController", m_apiConfigsController.get());
+    connect(m_apiConfigsController.get(), &ApiConfigsController::subscriptionRefreshNeeded,
+            this, [this]() { m_apiSettingsController->getAccountInfo(false); });

    m_apiNewsController.reset(new ApiNewsController(m_newsModel, m_settings, m_serversModel, this));
    m_engine->rootContext()->setContextProperty("ApiNewsController", m_apiNewsController.get());
@@ -196,7 +198,7 @@ void CoreController::initAndroidController()

 void CoreController::initAppleController()
 {
-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#ifdef Q_OS_IOS
    IosController::Instance()->initialize();
    connect(IosController::Instance(), &IosController::importConfigFromOutside, this, [this](QString data) {
        emit m_pageController->goToPageHome();
@@ -233,7 +235,7 @@ void CoreController::initSignalHandlers()

 void CoreController::initNotificationHandler()
 {
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
    m_notificationHandler.reset(NotificationHandler::create(nullptr));

    connect(m_vpnConnection.get(), &VpnConnection::connectionStateChanged, m_notificationHandler.get(),
@@ -248,7 +250,7 @@ void CoreController::initNotificationHandler()

    auto* trayHandler = qobject_cast<SystemTrayNotificationHandler*>(m_notificationHandler.get());
    connect(this, &CoreController::websiteUrlChanged, trayHandler, &SystemTrayNotificationHandler::updateWebsiteUrl);
-#endif
+#endif    
 }

 void CoreController::updateTranslator(const QLocale &locale)
@@ -368,7 +370,11 @@ void CoreController::initPrepareConfigHandler()
            return;
        }

-        if (!m_installController->isConfigValid()) {
+        m_installController->validateConfig();
+    });
+
+    connect(m_installController.get(), &InstallController::configValidated, this, [this](bool isValid) {
+        if (!isValid) {
            emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
            return;
        }
@@ -5,7 +5,7 @@
 #include <QQmlContext>
 #include <QThread>

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
    #include "ui/systemtray_notificationhandler.h"
 #endif

@@ -49,7 +49,7 @@
 #include "ui/models/sites_model.h"
 #include "ui/models/newsModel.h"

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
    #include "ui/notificationhandler.h"
 #endif

@@ -99,7 +99,7 @@ private:
    QSharedPointer<VpnConnection> m_vpnConnection;
    QSharedPointer<QTranslator> m_translator;

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
    QScopedPointer<NotificationHandler> m_notificationHandler;
 #endif

@@ -46,6 +46,7 @@ namespace
    constexpr int httpStatusCodeConflict = 409;

    constexpr int httpStatusCodeNotImplemented = 501;
+    constexpr int httpStatusCodeUnprocessableEntity = 422;
 }

 GatewayController::GatewayController(const QString &gatewayEndpoint, const bool isDevEnvironment, const int requestTimeoutMsecs,
@@ -337,6 +338,9 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
    } else {
        baseUrls = QString(PROD_S3_ENDPOINT).split(", ");
    }
+    std::random_device randomDevice;
+    std::mt19937 generator(randomDevice());
+    std::shuffle(baseUrls.begin(), baseUrls.end(), generator);

    QByteArray key = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;

@@ -448,6 +452,8 @@ bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &rep
        }
    } else if (httpStatus == httpStatusCodeConflict) {
        return false;
+    } else if (httpStatus == httpStatusCodeUnprocessableEntity) {
+        return false;
    } else if (replyError != QNetworkReply::NetworkError::NoError) {
        qDebug() << replyError;
        return true;
@@ -24,7 +24,7 @@
    #include <sys/socket.h>
    #include <unistd.h>
 #endif
-#if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
+#if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
    #include <sys/param.h>
    #include <sys/sysctl.h>
    #include <sys/socket.h>
@@ -292,119 +292,105 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
    return { resGateway, QNetworkInterface::interfaceFromIndex(resIndex) };
 #endif
 #ifdef Q_OS_LINUX
-    constexpr int BUFFER_SIZE = 100;
-    int     received_bytes = 0, msg_len = 0, route_attribute_len = 0;
-    int     sock = -1, msgseq = 0;
-    struct  nlmsghdr *nlh, *nlmsg;
-    struct  rtmsg *route_entry;
-    // This struct contain route attributes (route type)
-    struct  rtattr *route_attribute;
-    char    gateway_address[INET_ADDRSTRLEN], interface[IF_NAMESIZE];
-    char    msgbuf[BUFFER_SIZE], buffer[BUFFER_SIZE];
-    char    *ptr = buffer;
-    struct timeval tv;
+    static constexpr size_t BUFFER_SIZE = 8192;

-    if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) {
+    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+    if (sock < 0) {
        perror("socket failed");
        return {};
    }

-    memset(msgbuf, 0, sizeof(msgbuf));
-    memset(gateway_address, 0, sizeof(gateway_address));
-    memset(interface, 0, sizeof(interface));
-    memset(buffer, 0, sizeof(buffer));
+    struct timeval tv { 1, 0 };
+    setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));

-    /* point the header and the msg structure pointers into the buffer */
-    nlmsg = (struct nlmsghdr *)msgbuf;
+    struct {
+        struct nlmsghdr hdr;
+        struct rtmsg    rt;
+    } req {};
+    req.hdr.nlmsg_len   = NLMSG_LENGTH(sizeof(struct rtmsg));
+    req.hdr.nlmsg_type  = RTM_GETROUTE;
+    req.hdr.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST;
+    req.hdr.nlmsg_seq   = 1;
+    req.hdr.nlmsg_pid   = static_cast<uint32_t>(getpid());
+    req.rt.rtm_family   = AF_INET;

-    /* Fill in the nlmsg header*/
-    nlmsg->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
-    nlmsg->nlmsg_type = RTM_GETROUTE; // Get the routes from kernel routing table .
-    nlmsg->nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST; // The message is a request for dump.
-    nlmsg->nlmsg_seq = msgseq++; // Sequence of the message packet.
-    nlmsg->nlmsg_pid = getpid(); // PID of process sending the request.
-
-    /* 1 Sec Timeout to avoid stall */
-    tv.tv_sec = 1;
-    setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, (struct timeval *)&tv, sizeof(struct timeval));
-    /* send msg */
-    if (send(sock, nlmsg, nlmsg->nlmsg_len, 0) < 0) {
+    if (send(sock, &req, req.hdr.nlmsg_len, 0) < 0) {
        perror("send failed");
+        close(sock);
        return {};
    }

-    /* receive response */
-    do
-    {
-        received_bytes = recv(sock, ptr, sizeof(buffer) - msg_len, 0);
-        if (received_bytes < 0) {
-            perror("Error in recv");
-            return {};
-        }
+    char   buffer[BUFFER_SIZE];
+    size_t total_len = 0;
+    bool   done = false;

-        nlh = (struct nlmsghdr *) ptr;
-
-        /* Check if the header is valid */
-        if((NLMSG_OK(nlmsg, received_bytes) == 0) ||
-            (nlmsg->nlmsg_type == NLMSG_ERROR))
-        {
-            perror("Error in received packet");
-            return {};
-        }
-
-        /* If we received all data break */
-        if (nlh->nlmsg_type == NLMSG_DONE)
+    while (!done && total_len < BUFFER_SIZE) {
+        ssize_t n = recv(sock, buffer + total_len, BUFFER_SIZE - total_len, 0);
+        if (n <= 0)
            break;
-        else {
-            ptr += received_bytes;
-            msg_len += received_bytes;
-        }

-        /* Break if its not a multi part message */
-        if ((nlmsg->nlmsg_flags & NLM_F_MULTI) == 0)
-            break;
-    }
-    while ((nlmsg->nlmsg_seq != msgseq) || (nlmsg->nlmsg_pid != getpid()));
-
-    /* parse response */
-    for ( ; NLMSG_OK(nlh, received_bytes); nlh = NLMSG_NEXT(nlh, received_bytes))
-    {
-        /* Get the route data */
-        route_entry = (struct rtmsg *) NLMSG_DATA(nlh);
-
-        /* We are just interested in main routing table */
-        if (route_entry->rtm_table != RT_TABLE_MAIN)
-            continue;
-
-        route_attribute = (struct rtattr *) RTM_RTA(route_entry);
-        route_attribute_len = RTM_PAYLOAD(nlh);
-
-        /* Loop through all attributes */
-        for ( ; RTA_OK(route_attribute, route_attribute_len);
-             route_attribute = RTA_NEXT(route_attribute, route_attribute_len))
+        int scan_len = static_cast<int>(n);
+        for (struct nlmsghdr *h = reinterpret_cast<struct nlmsghdr *>(buffer + total_len);
+             NLMSG_OK(h, scan_len);
+             h = NLMSG_NEXT(h, scan_len))
        {
-            switch(route_attribute->rta_type) {
-            case RTA_OIF:
-                if_indextoname(*(int *)RTA_DATA(route_attribute), interface);
-                break;
-            case RTA_GATEWAY:
-                inet_ntop(AF_INET, RTA_DATA(route_attribute),
-                          gateway_address, sizeof(gateway_address));
-                break;
-            default:
+            if (h->nlmsg_type == NLMSG_DONE || h->nlmsg_type == NLMSG_ERROR) {
+                done = true;
                break;
            }
        }
-
-        if ((*gateway_address) && (*interface)) {
-            qDebug() << "Gateway " << gateway_address << " for interface " << interface;
-            break;
-        }
+        total_len += static_cast<size_t>(n);
    }
+
+    QString resultGw;
+    QString resultIf;
+    int remaining = static_cast<int>(total_len);
+
+    for (struct nlmsghdr *nlh = reinterpret_cast<struct nlmsghdr *>(buffer);
+         NLMSG_OK(nlh, remaining);
+         nlh = NLMSG_NEXT(nlh, remaining))
+    {
+        if (nlh->nlmsg_type == NLMSG_DONE || nlh->nlmsg_type == NLMSG_ERROR)
+            break;
+        if (nlh->nlmsg_type != RTM_NEWROUTE)
+            continue;
+
+        struct rtmsg *rt = static_cast<struct rtmsg *>(NLMSG_DATA(nlh));
+        if (rt->rtm_table != RT_TABLE_MAIN || rt->rtm_family != AF_INET)
+            continue;
+
+        char route_gw[INET_ADDRSTRLEN] = {};
+        char route_if[IF_NAMESIZE]     = {};
+        int  attr_len = RTM_PAYLOAD(nlh);
+
+        for (struct rtattr *rta = RTM_RTA(rt);
+             RTA_OK(rta, attr_len);
+             rta = RTA_NEXT(rta, attr_len))
+        {
+            if (rta->rta_type == RTA_GATEWAY)
+                inet_ntop(AF_INET, RTA_DATA(rta), route_gw, sizeof(route_gw));
+            else if (rta->rta_type == RTA_OIF)
+                if_indextoname(*static_cast<int *>(RTA_DATA(rta)), route_if);
+        }
+
+        if (!route_gw[0] || !route_if[0])
+            continue;
+
+        QString ifStr(route_if);
+        if (ifStr.startsWith(QLatin1String("amn")) ||
+            ifStr.startsWith(QLatin1String("tun")))
+            continue;
+
+        resultGw = QString::fromLatin1(route_gw);
+        resultIf = QString::fromLatin1(route_if);
+        qDebug() << "Gateway " << route_gw << " for interface " << route_if;
+        break;
+    }
+
    close(sock);
-    return { gateway_address, QNetworkInterface::interfaceFromName(interface) };
+    return { resultGw, QNetworkInterface::interfaceFromName(resultIf) };
 #endif
-#if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
+#if defined(Q_OS_MAC) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
    QString gateway;
    int index = -1;

@@ -142,10 +142,6 @@ bool Daemon::activate(const InterfaceConfig& config) {
    return false;
  }

-  if (!maybeUpdateResolvers(config)) {
-    return false;
-  }
-
  // set routing
  for (const IPAddress& ip : config.m_allowedIPAddressRanges) {
    if (!wgutils()->updateRoutePrefix(ip)) {
@@ -215,6 +211,11 @@ bool Daemon::addExclusionRoute(const IPAddress& prefix) {
    return true;
  }
  if (!wgutils()->addExclusionRoute(prefix)) {
+    if (!m_pendingExclusionRoutes.contains(prefix)) {
+      logger.warning() << "Exclusion route deferred (no gateway):"
+                       << prefix.toString();
+      m_pendingExclusionRoutes.append(prefix);
+    }
    return false;
  }
  m_excludedAddrSet[prefix] = 1;
@@ -480,6 +481,7 @@ bool Daemon::deactivate(bool emitSignals) {
    wgutils()->deleteExclusionRoute(iterator.key());
  }
  m_excludedAddrSet.clear();
+  m_pendingExclusionRoutes.clear();

  m_connections.clear();
  // Delete the interface
@@ -589,6 +591,19 @@ void Daemon::checkHandshake() {

  logger.debug() << "Checking for handshake...";

+  if (!m_pendingExclusionRoutes.isEmpty()) {
+    QList<IPAddress> stillPending;
+    for (const IPAddress& prefix : m_pendingExclusionRoutes) {
+      if (!wgutils()->addExclusionRoute(prefix)) {
+        stillPending.append(prefix);
+      } else {
+        logger.debug() << "Deferred exclusion route added:" << prefix.toString();
+        m_excludedAddrSet[prefix] = 1;
+      }
+    }
+    m_pendingExclusionRoutes = stillPending;
+  }
+
  int pendingHandshakes = 0;
  QList<WireguardUtils::PeerStatus> peers = wgutils()->getPeerStatus();
  for (ConnectionState& connection : m_connections) {
@@ -605,6 +620,7 @@ void Daemon::checkHandshake() {
      }
      if (status.m_handshake != 0) {
        connection.m_date.setMSecsSinceEpoch(status.m_handshake);
+        maybeUpdateResolvers(config);
        emit connected(status.m_pubkey);
      }
    }
@@ -87,6 +87,7 @@ class Daemon : public QObject {
  };
  QMap<InterfaceConfig::HopType, ConnectionState> m_connections;
  QHash<IPAddress, int> m_excludedAddrSet;
+  QList<IPAddress> m_pendingExclusionRoutes;
  QTimer m_handshakeTimer;
 };

@@ -1,54 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>CFBundleAllowMixedLocalizations</key>
-    <true/>
-    <key>CFBundleDevelopmentRegion</key>
-    <string>en</string>
-    <key>CFBundleDisplayName</key>
-    <string>${QT_INTERNAL_DOLLAR_VAR}{PRODUCT_NAME}</string>
-    <key>CFBundleExecutable</key>
-    <string>${MACOSX_BUNDLE_EXECUTABLE_NAME}</string>
-    <key>CFBundleIdentifier</key>
-    <string>${MACOSX_BUNDLE_GUI_IDENTIFIER}</string>
-    <key>CFBundleInfoDictionaryVersion</key>
-    <string>6.0</string>
-    <key>CFBundleName</key>
-    <string>${MACOSX_BUNDLE_BUNDLE_NAME}</string>
-    <key>CFBundlePackageType</key>
-    <string>APPL</string>
-    <key>CFBundleShortVersionString</key>
-    <string>${MACOSX_BUNDLE_SHORT_VERSION_STRING}</string>
-    <key>CFBundleVersion</key>
-    <string>${MACOSX_BUNDLE_BUNDLE_VERSION}</string>
-    <key>NSHumanReadableCopyright</key>
-    <string>${MACOSX_BUNDLE_COPYRIGHT}</string>
-    <key>ITSAppUsesNonExemptEncryption</key>
-    <false/>
-    <key>UIRequiredDeviceCapabilities</key>
-    <array/>
-    <key>UIRequiresFullScreen</key>
-    <true/>
-    <key>UISupportedInterfaceOrientations</key>
-    <array>
-        <string>UIInterfaceOrientationLandscapeLeft</string>
-        <string>UIInterfaceOrientationLandscapeRight</string>
-    </array>
-    <key>UILaunchStoryboardName</key>
-    <string>AmneziaVPNLaunchScreen</string>
-    <key>UIUserInterfaceStyle</key>
-    <string>Light</string>
-    <key>com.wireguard.ios.app_group_id</key>
-    <string>group.org.amnezia.AmneziaVPN</string>
-    <key>UIViewControllerBasedStatusBarAppearance</key>
-    <true/>
-    <key>NSAppTransportSecurity</key>
-    <dict>
-        <key>NSAllowsArbitraryLoads</key>
-        <false/>
-        <key>NSAllowsLocalNetworking</key>
-        <true/>
-    </dict>
-</dict>
-</plist>
@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<document type="com.apple.InterfaceBuilder.AppleTV.Storyboard" version="3.0" toolsVersion="13122.16" targetRuntime="AppleTV" propertyAccessControl="none" useAutolayout="YES" launchScreen="YES" useTraitCollections="YES" useSafeAreas="YES" colorMatched="YES" initialViewController="BYZ-38-t0r">
-    <dependencies>
-        <plugIn identifier="com.apple.InterfaceBuilder.IBCocoaTouchPlugin" version="13104.12"/>
-        <capability name="Safe area layout guides" minToolsVersion="9.0"/>
-        <capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
-    </dependencies>
-    <scenes>
-        <scene sceneID="tne-QT-ifu">
-            <objects>
-                <viewController id="BYZ-38-t0r" sceneMemberID="viewController">
-                    <view key="view" contentMode="scaleToFill" id="8bC-Xf-vdC">
-                        <rect key="frame" x="0.0" y="0.0" width="1920" height="1080"/>
-                        <autoresizingMask key="autoresizingMask" widthSizable="YES" heightSizable="YES"/>
-                        <color key="backgroundColor" red="0.0" green="0.0" blue="0.0" alpha="1" colorSpace="custom" customColorSpace="sRGB"/>
-                        <viewLayoutGuide key="safeArea" id="wu6-TO-1qx"/>
-                    </view>
-                </viewController>
-                <placeholder placeholderIdentifier="IBFirstResponder" id="dkx-z0-nzr" sceneMemberID="firstResponder"/>
-            </objects>
-        </scene>
-    </scenes>
-</document>
@@ -1,14 +1,6 @@
 enable_language(Swift)

 set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/../..)
-set(AMNEZIA_THIRDPARTY_ROOT "${CLIENT_ROOT_DIR}/3rd" CACHE PATH "Path to Amnezia client/3rd sources")
-set(AMNEZIA_IOS_APPLETV ${AMNEZIA_IOS_ENABLE_APPLETV_TARGET})
-
-if(AMNEZIA_IOS_APPLETV)
-    message("Network Extension tvOS mode is ON")
-else()
-    message("Network Extension tvOS mode is OFF")
-endif()

 add_executable(networkextension)
 set_target_properties(networkextension PROPERTIES
@@ -36,23 +28,6 @@ set_target_properties(networkextension PROPERTIES
    XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/../../Frameworks"
 )

-if(AMNEZIA_IOS_APPLETV)
-    set_target_properties(networkextension PROPERTIES
-        XCODE_ATTRIBUTE_SUPPORTED_PLATFORMS "appletvos appletvsimulator"
-        XCODE_ATTRIBUTE_TARGETED_DEVICE_FAMILY "3"
-        XCODE_ATTRIBUTE_TVOS_DEPLOYMENT_TARGET "${CMAKE_OSX_DEPLOYMENT_TARGET}"
-        XCODE_ATTRIBUTE_SDKROOT "appletvos"
-        XCODE_ATTRIBUTE_SDKROOT[sdk=appletvos*] "appletvos"
-        XCODE_ATTRIBUTE_SDKROOT[sdk=appletvsimulator*] "appletvsimulator"
-        XCODE_ATTRIBUTE_LIBRARY_SEARCH_PATHS "$(inherited) $(SDKROOT)/usr/lib/swift $(TOOLCHAIN_DIR)/usr/lib/swift/$(PLATFORM_NAME)"
-        XCODE_ATTRIBUTE_LIBRARY_SEARCH_PATHS[sdk=appletvos*] "$(inherited) $(SDKROOT)/usr/lib/swift $(TOOLCHAIN_DIR)/usr/lib/swift/$(PLATFORM_NAME)"
-        XCODE_ATTRIBUTE_LIBRARY_SEARCH_PATHS[sdk=appletvsimulator*] "$(inherited) $(SDKROOT)/usr/lib/swift $(TOOLCHAIN_DIR)/usr/lib/swift/$(PLATFORM_NAME)"
-        XCODE_ATTRIBUTE_EXCLUDED_LIBRARY_SEARCH_PATHS "/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS*.sdk/usr/lib/swift"
-        XCODE_ATTRIBUTE_EXCLUDED_FRAMEWORK_SEARCH_PATHS "/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS*.sdk/System/Library/Frameworks"
-        LINKER_LANGUAGE Swift
-    )
-endif()
-
 if(DEPLOY)
    set_target_properties(networkextension PROPERTIES
        XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Distribution"
@@ -70,49 +45,38 @@ endif()
 set_target_properties(networkextension PROPERTIES
    XCODE_ATTRIBUTE_SWIFT_VERSION "5.0"
    XCODE_ATTRIBUTE_CLANG_ENABLE_MODULES "YES"
+    XCODE_ATTRIBUTE_SWIFT_OBJC_BRIDGING_HEADER "${CMAKE_CURRENT_SOURCE_DIR}/WireGuardNetworkExtension-Bridging-Header.h"
    XCODE_ATTRIBUTE_SWIFT_OPTIMIZATION_LEVEL "-Onone"
    XCODE_ATTRIBUTE_SWIFT_PRECOMPILE_BRIDGING_HEADER "NO"
 )

-set_target_properties(networkextension PROPERTIES
-    XCODE_ATTRIBUTE_SWIFT_OBJC_BRIDGING_HEADER "${CMAKE_CURRENT_SOURCE_DIR}/WireGuardNetworkExtension-Bridging-Header.h"
-)
-
 set_target_properties("networkextension" PROPERTIES
    XCODE_ATTRIBUTE_DEVELOPMENT_TEAM "X7UJ388FXK"
 )

+find_library(FW_ASSETS_LIBRARY AssetsLibrary)
+find_library(FW_MOBILE_CORE MobileCoreServices)
 find_library(FW_UI_KIT UIKit)
 find_library(FW_LIBRESOLV libresolv.9.tbd)

-if(NOT AMNEZIA_IOS_APPLETV)
-    target_link_libraries(networkextension PRIVATE ${FW_UI_KIT})
-    target_link_libraries(networkextension PRIVATE ${FW_LIBRESOLV})
-else()
-    target_link_libraries(networkextension PRIVATE -lresolv)
-endif()
+target_link_libraries(networkextension PRIVATE ${FW_ASSETS_LIBRARY})
+target_link_libraries(networkextension PRIVATE ${FW_MOBILE_CORE})
+target_link_libraries(networkextension PRIVATE ${FW_UI_KIT})
+target_link_libraries(networkextension PRIVATE ${FW_LIBRESOLV})

 target_compile_options(networkextension PRIVATE -DGROUP_ID=\"${BUILD_IOS_GROUP_IDENTIFIER}\")
 target_compile_options(networkextension PRIVATE -DNETWORK_EXTENSION=1)

-set(WG_APPLE_SOURCE_DIR ${AMNEZIA_THIRDPARTY_ROOT}/amneziawg-apple/Sources)
+set(WG_APPLE_SOURCE_DIR ${CLIENT_ROOT_DIR}/3rd/amneziawg-apple/Sources)

-set(NE_COMMON_SOURCES
-    ${CLIENT_ROOT_DIR}/platforms/ios/NELogController.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/Log.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider.swift
-)
-
-set(NE_WIREGUARD_SOURCES
+target_sources(networkextension PRIVATE
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/WireGuardAdapter.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/PacketTunnelSettingsGenerator.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/DNSResolver.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardNetworkExtension/ErrorNotifier.swift
    ${WG_APPLE_SOURCE_DIR}/Shared/Keychain.swift
-    ${WG_APPLE_SOURCE_DIR}/Shared/FileManager+Extension.swift
-    ${WG_APPLE_SOURCE_DIR}/Shared/Model/NETunnelProviderProtocol+Extension.swift
    ${WG_APPLE_SOURCE_DIR}/Shared/Model/TunnelConfiguration+WgQuickConfig.swift
+    ${WG_APPLE_SOURCE_DIR}/Shared/Model/NETunnelProviderProtocol+Extension.swift
    ${WG_APPLE_SOURCE_DIR}/Shared/Model/String+ArrayConversion.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/TunnelConfiguration.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/IPAddressRange.swift
@@ -120,50 +84,24 @@ set(NE_WIREGUARD_SOURCES
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/DNSServer.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/InterfaceConfiguration.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/PeerConfiguration.swift
+    ${WG_APPLE_SOURCE_DIR}/Shared/FileManager+Extension.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKitC/x25519.c
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/Array+ConcurrentMap.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/IPAddress+AddrInfo.swift
    ${WG_APPLE_SOURCE_DIR}/WireGuardKit/PrivateKey.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+WireGuard.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/WGConfig.swift
-)
-
-set(NE_XRAY_SOURCES
    ${CLIENT_ROOT_DIR}/platforms/ios/HevSocksTunnel.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+Xray.swift
-    ${CLIENT_ROOT_DIR}/platforms/ios/XrayConfig.swift
-)
-
-set(NE_OPENVPN_SOURCES
+    ${CLIENT_ROOT_DIR}/platforms/ios/NELogController.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/Log.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+WireGuard.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+OpenVPN.swift
-)
-
-set(NE_APPLE_GLUE_SOURCES
+    ${CLIENT_ROOT_DIR}/platforms/ios/PacketTunnelProvider+Xray.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/WGConfig.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/XrayConfig.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/iosglue.mm
 )

-if(AMNEZIA_IOS_APPLETV)
-    list(APPEND NE_APPLE_GLUE_SOURCES
-        ${CLIENT_ROOT_DIR}/platforms/ios/tvos_cgo_stubs.c
-    )
-endif()
-
-target_sources(networkextension PRIVATE ${NE_COMMON_SOURCES})
-
-if(NOT AMNEZIA_IOS_APPLETV)
-    target_sources(networkextension PRIVATE
-        ${NE_WIREGUARD_SOURCES}
-        ${NE_OPENVPN_SOURCES}
-        ${NE_XRAY_SOURCES}
-        ${NE_APPLE_GLUE_SOURCES}
-    )
-else()
-    target_sources(networkextension PRIVATE
-        ${NE_WIREGUARD_SOURCES}
-        ${NE_APPLE_GLUE_SOURCES}
-    )
-endif()
-
 target_sources(networkextension PRIVATE
    ${CMAKE_CURRENT_SOURCE_DIR}/PrivacyInfo.xcprivacy
 )
@@ -172,16 +110,21 @@ set_property(TARGET networkextension APPEND PROPERTY RESOURCE
    ${CMAKE_CURRENT_SOURCE_DIR}/PrivacyInfo.xcprivacy
 )

+## Build wireguard-go-version.h
+execute_process(
+    COMMAND go list -m golang.zx2c4.com/wireguard
+    WORKING_DIRECTORY ${CLIENT_ROOT_DIR}/3rd/wireguard-apple/Sources/WireGuardKitGo
+    OUTPUT_VARIABLE WG_VERSION_FULL
+)
+string(REGEX REPLACE ".*v\([0-9.]*\).*" "\\1" WG_VERSION_STRING 1.1.1)
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/wireguard-go-version.h.in
+               ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go-version.h)
+target_sources(networkextension PRIVATE
+    ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go-version.h)
+
 target_include_directories(networkextension PRIVATE ${CLIENT_ROOT_DIR})
 target_include_directories(networkextension PRIVATE ${CMAKE_CURRENT_BINARY_DIR})

-find_package(awg-apple REQUIRED)
-target_link_libraries(networkextension PRIVATE amnezia::awg-apple)
+target_link_libraries(networkextension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/wireguard/ios/arm64/libwg-go.a)

-if(NOT AMNEZIA_IOS_APPLETV)
-    find_package(openvpnadapter REQUIRED)
-    target_link_libraries(networkextension PRIVATE amnezia::openvpnadapter)
-
-    find_package(hev-socks5-tunnel REQUIRED)
-    target_link_libraries(networkextension PRIVATE heiher::hev-socks5-tunnel)
-endif()
+target_link_libraries(networkextension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/xray/HevSocks5Tunnel.xcframework)
@@ -0,0 +1,3 @@
+#ifndef WIREGUARD_GO_VERSION
+#define WIREGUARD_GO_VERSION "@WG_VERSION_STRING@"
+#endif // WIREGUARD_GO_VERSION
@@ -114,14 +114,25 @@ set_property(TARGET AmneziaVPNNetworkExtension APPEND PROPERTY RESOURCE
    ${CMAKE_CURRENT_SOURCE_DIR}/PrivacyInfo.xcprivacy
 )

+## Build wireguard-go-version.h
+execute_process(
+    COMMAND go list -m golang.zx2c4.com/wireguard
+    WORKING_DIRECTORY ${CLIENT_ROOT_DIR}/3rd/wireguard-apple/Sources/WireGuardKitGo
+    OUTPUT_VARIABLE WG_VERSION_FULL
+)
+string(REGEX REPLACE ".*v\([0-9.]*\).*" "\\1" WG_VERSION_STRING 1.1.1)
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/wireguard-go-version.h.in
+               ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go-version.h)
+target_sources(AmneziaVPNNetworkExtension PRIVATE
+    ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go-version.h)
+
 target_include_directories(AmneziaVPNNetworkExtension PRIVATE ${CLIENT_ROOT_DIR})
 target_include_directories(AmneziaVPNNetworkExtension PRIVATE ${CMAKE_CURRENT_BINARY_DIR})

-find_package(openvpnadapter REQUIRED)
-target_link_libraries(AmneziaVPNNetworkExtension PRIVATE amnezia::openvpnadapter)
+target_link_libraries(AmneziaVPNNetworkExtension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/wireguard/macos/universal2/libwg-go.a)

-find_package(awg-apple REQUIRED)
-target_link_libraries(AmneziaVPNNetworkExtension PRIVATE amnezia::awg-apple)
+message(${CLIENT_ROOT_DIR})
+message(${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/xray/HevSocks5Tunnel.xcframework/macos-arm64_x86_64/libhev-socks5-tunnel.a)
+target_link_libraries(AmneziaVPNNetworkExtension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/xray/HevSocks5Tunnel.xcframework/macos-arm64_x86_64/libhev-socks5-tunnel.a)

-find_package(hev-socks5-tunnel REQUIRED)
-target_link_libraries(AmneziaVPNNetworkExtension PRIVATE heiher::hev-socks5-tunnel)
+target_include_directories(AmneziaVPNNetworkExtension PRIVATE ${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/xray/HevSocks5Tunnel.xcframework/macos-arm64_x86_64/Headers)
@@ -0,0 +1,3 @@
+#ifndef WIREGUARD_GO_VERSION
+#define WIREGUARD_GO_VERSION "@WG_VERSION_STRING@"
+#endif // WIREGUARD_GO_VERSION
@@ -12,11 +12,11 @@
    #include "Windows.h"
 #endif

-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#if defined(Q_OS_IOS)
    #include "platforms/ios/QtAppDelegate-C-Interface.h"
 #endif

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
 bool isAnotherInstanceRunning()
 {
    QLocalSocket socket;
@@ -47,7 +47,7 @@ int main(int argc, char *argv[])
    AmneziaApplication app(argc, argv);
    OsSignalHandler::setup();

-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
    if (isAnotherInstanceRunning()) {
        QTimer::singleShot(1000, &app, [&]() { app.quit(); });
        return app.exec();
@@ -75,6 +75,7 @@ int main(int argc, char *argv[])

        qInfo().noquote() << QString("Started %1 version %2 %3").arg(APPLICATION_NAME, APP_VERSION, GIT_COMMIT_HASH);
        qInfo().noquote() << QString("%1 (%2)").arg(QSysInfo::prettyProductName(), QSysInfo::currentCpuArchitecture());
+        qInfo().noquote() << QString("SSL backend: %1").arg(QSslSocket::sslLibraryVersionString());

        return app.exec();
    }
@@ -101,7 +101,9 @@ bool AndroidController::initialize()
        {"onAuthResult", "(Z)V", reinterpret_cast<void *>(onAuthResult)},
        {"decodeQrCode", "(Ljava/lang/String;)Z", reinterpret_cast<bool *>(decodeQrCode)},
        {"onImeInsetsChanged", "(I)V", reinterpret_cast<void *>(onImeInsetsChanged)},
-        {"onSystemBarsInsetsChanged", "(II)V", reinterpret_cast<void *>(onSystemBarsInsetsChanged)}
+        {"onSystemBarsInsetsChanged", "(II)V", reinterpret_cast<void *>(onSystemBarsInsetsChanged)},
+        {"onActivityPaused", "()V", reinterpret_cast<void *>(onActivityPaused)},
+        {"onActivityResumed", "()V", reinterpret_cast<void *>(onActivityResumed)}
    };

    QJniEnvironment env;
@@ -558,3 +560,22 @@ void AndroidController::onSystemBarsInsetsChanged(JNIEnv *env, jobject thiz, jin
    emit AndroidController::instance()->systemBarsInsetsChanged(navBarHeightDp, statusBarHeightDp);
 }

+// static
+void AndroidController::onActivityPaused(JNIEnv *env, jobject thiz)
+{
+    Q_UNUSED(env);
+    Q_UNUSED(thiz);
+
+    emit AndroidController::instance()->activityPaused();
+}
+
+// static
+void AndroidController::onActivityResumed(JNIEnv *env, jobject thiz)
+{
+    Q_UNUSED(env);
+    Q_UNUSED(thiz);
+
+    emit AndroidController::instance()->activityResumed();
+}
+
+
@@ -75,6 +75,8 @@ signals:
    void authenticationResult(bool result);
    void imeInsetsChanged(int heightDp);
    void systemBarsInsetsChanged(int navBarHeightDp, int statusBarHeightDp);
+    void activityPaused();
+    void activityResumed();

 private:
    bool isWaitingStatus = true;
@@ -105,6 +107,8 @@ private:
    static bool decodeQrCode(JNIEnv *env, jobject thiz, jstring data);
    static void onImeInsetsChanged(JNIEnv *env, jobject thiz, jint heightDp);
    static void onSystemBarsInsetsChanged(JNIEnv *env, jobject thiz, jint navBarHeightDp, jint statusBarHeightDp);
+    static void onActivityPaused(JNIEnv *env, jobject thiz);
+    static void onActivityResumed(JNIEnv *env, jobject thiz);

    template <typename Ret, typename ...Args>
    static auto callActivityMethod(const char *methodName, const char *signature, Args &&...args);
@@ -126,8 +126,7 @@ extension PacketTunnelProvider {
        }

        vpnReachability.startTracking { [weak self] status in
-            guard status == .reachableViaWiFi else { return }
-            self?.ovpnAdapter?.reconnect(afterTimeInterval: 5)
+            self?.handleOpenVPNReachabilityChange(status)
        }

        startHandler = completionHandler
@@ -21,6 +21,44 @@ extension Constants {
 }

 extension PacketTunnelProvider {
+    private func applyXraySplitTunnel(_ xrayConfig: XrayConfig,
+                                      settings: NEPacketTunnelNetworkSettings) {
+        guard let splitTunnelType = xrayConfig.splitTunnelType else {
+            return
+        }
+
+        guard let splitTunnelSites = xrayConfig.splitTunnelSites else {
+            xrayLog(.error, message: "Split tunnel sites are not set")
+            return
+        }
+
+        if splitTunnelType == 1 {
+            var ipv4IncludedRoutes = [NEIPv4Route]()
+
+            for allowedIPString in splitTunnelSites {
+                if let allowedIP = IPAddressRange(from: allowedIPString) {
+                    ipv4IncludedRoutes.append(NEIPv4Route(
+                        destinationAddress: "\(allowedIP.address)",
+                        subnetMask: "\(allowedIP.subnetMask())"))
+                }
+            }
+
+            settings.ipv4Settings?.includedRoutes = ipv4IncludedRoutes
+        } else if splitTunnelType == 2 {
+            var ipv4ExcludedRoutes = [NEIPv4Route]()
+
+            for excludedIPString in splitTunnelSites {
+                if let excludedIP = IPAddressRange(from: excludedIPString) {
+                    ipv4ExcludedRoutes.append(NEIPv4Route(
+                        destinationAddress: "\(excludedIP.address)",
+                        subnetMask: "\(excludedIP.subnetMask())"))
+                }
+            }
+
+            settings.ipv4Settings?.excludedRoutes = ipv4ExcludedRoutes
+        }
+    }
+
    func startXray(completionHandler: @escaping (Error?) -> Void) {

        // Xray configuration
@@ -72,6 +110,7 @@ extension PacketTunnelProvider {
            settings.dnsSettings = !dnsArray.isEmpty
            ? NEDNSSettings(servers: dnsArray)
            : NEDNSSettings(servers: ["1.1.1.1"])
+            applyXraySplitTunnel(xrayConfig, settings: settings)

            let xrayConfigData = xrayConfig.config.data(using: .utf8)

@@ -3,9 +3,7 @@ import NetworkExtension
 import Network
 import os
 import Darwin
-#if !os(tvOS)
 import OpenVPNAdapter
-#endif

 enum TunnelProtoType: String {
  case wireguard, openvpn, xray
@@ -40,22 +38,23 @@ struct Constants {

 class PacketTunnelProvider: NEPacketTunnelProvider {
    var wgAdapter: WireGuardAdapter?
-#if !os(tvOS)
    var ovpnAdapter: OpenVPNAdapter?
    private lazy var openVPNPacketFlowAdapter = PacketTunnelFlowAdapter(flow: packetFlow)
-#endif
    private let pathMonitorQueue = DispatchQueue(label: Constants.processQueueName + ".path-monitor")
+    private let networkChangeQueue = DispatchQueue(label: Constants.processQueueName + ".network-change")
    private let pathMonitor = NWPathMonitor()
    private var didReceiveInitialPathUpdate = false
    private var currentPath: Network.NWPath?
    private var currentPathSignature: String?
+    private var pendingOpenVPNReconnectWorkItem: DispatchWorkItem?
+    private var pendingNetworkChangeWorkItem: DispatchWorkItem?
+    private var isApplyingNetworkChange = false
+    private var lastOpenVPNReachabilityStatus: OpenVPNReachabilityStatus?

    var splitTunnelType: Int?
    var splitTunnelSites: [String]?

-#if !os(tvOS)
    let vpnReachability = OpenVPNReachability()
-#endif

    var startHandler: ((Error?) -> Void)?
    var stopHandler: (() -> Void)?
@@ -63,11 +62,9 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
    
    var activeIfaceIdx: UInt32 = 0

-#if !os(tvOS)
    func openVPNPacketFlow() -> OpenVPNAdapterPacketFlow {
        openVPNPacketFlowAdapter
    }
-#endif

    override init() {
        super.init()
@@ -86,14 +83,22 @@ class PacketTunnelProvider: NEPacketTunnelProvider {

            guard hasMeaningfulChange, let proto = self.protoType else { return }

-            // WireGuard/AWG manages network changes internally; avoid restarting the tunnel here.
+            // WireGuard/AWG manages network changes internally in its own adapter.
            if proto == .wireguard {
                return
            }

-            DispatchQueue.main.async {
-                self.handle(networkChange: path) { _ in }
+            if proto == .openvpn {
+                self.scheduleOpenVPNReconnect(reason: "NWPath changed")
+                return
            }
+
+            if self.isApplyingNetworkChange || self.reasserting {
+                xrayLog(.debug, message: "Ignoring path change while xray restart is in progress")
+                return
+            }
+
+            self.scheduleNetworkChangeHandling(for: proto, path: path)
        }
        pathMonitor.start(queue: pathMonitorQueue)

@@ -205,6 +210,8 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
            return
        }

+        cancelPendingOpenVPNReconnect()
+        cancelPendingNetworkChangeHandling()
        didReceiveInitialPathUpdate = false
        updateActiveInterfaceIndexForCurrentPath()

@@ -214,27 +221,18 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
                           errorNotifier: errorNotifier,
                           completionHandler: completionHandler)
        case .openvpn:
-#if os(tvOS)
-            completionHandler(NSError(domain: "org.amnezia.ne",
-                                      code: -1002,
-                                      userInfo: [NSLocalizedDescriptionKey: "OpenVPN backend is not available for tvOS in this build"]))
-#else
            startOpenVPN(completionHandler: completionHandler)
-#endif
        case .xray:
-#if os(tvOS)
-            completionHandler(NSError(domain: "org.amnezia.ne",
-                                      code: -1003,
-                                      userInfo: [NSLocalizedDescriptionKey: "Xray backend is not available for tvOS in this build"]))
-#else
            startXray(completionHandler: completionHandler)
-#endif

        }
    }

  
    override func stopTunnel(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
+        cancelPendingOpenVPNReconnect()
+        cancelPendingNetworkChangeHandling()
+
        guard let protoType else {
            completionHandler()
            return
@@ -245,18 +243,10 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
            stopWireguard(with: reason,
                          completionHandler: completionHandler)
        case .openvpn:
-#if os(tvOS)
-            completionHandler()
-#else
            stopOpenVPN(with: reason,
                        completionHandler: completionHandler)
-#endif
        case .xray:
-#if os(tvOS)
-            completionHandler()
-#else
            stopXray(completionHandler: completionHandler)
-#endif
        }
    }
  
@@ -270,11 +260,7 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
        case .wireguard:
            handleWireguardStatusMessage(messageData, completionHandler: completionHandler)
        case .openvpn:
-#if !os(tvOS)
            handleOpenVPNStatusMessage(messageData, completionHandler: completionHandler)
-#else
-            completionHandler?(nil)
-#endif
        case .xray:
            break;
        }
@@ -291,9 +277,111 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
    }
  
    private func handle(networkChange changePath: Network.NWPath, completion: @escaping (Error?) -> Void) {
+        guard protoType == .xray else {
+            updateActiveInterfaceIndex(for: changePath)
+            completion(nil)
+            return
+        }
+
        updateActiveInterfaceIndex(for: changePath)
-        neLog(.info, message: "Tunnel restarted.")
-        startTunnel(options: nil, completionHandler: completion)
+        reasserting = true
+        xrayLog(.info, message: "Applying network change to xray tunnel")
+        stopXray { }
+        startXray { [weak self] error in
+            self?.reasserting = false
+            completion(error)
+        }
+    }
+
+    private func scheduleNetworkChangeHandling(for proto: TunnelProtoType, path: Network.NWPath) {
+        guard proto == .xray else { return }
+
+        pendingNetworkChangeWorkItem?.cancel()
+
+        let workItem = DispatchWorkItem { [weak self] in
+            guard let self else { return }
+            self.pendingNetworkChangeWorkItem = nil
+
+            if self.isApplyingNetworkChange || self.reasserting {
+                xrayLog(.debug, message: "Skipping network change while restart is already in progress")
+                return
+            }
+
+            self.isApplyingNetworkChange = true
+            DispatchQueue.main.async {
+                self.handle(networkChange: path) { [weak self] _ in
+                    self?.networkChangeQueue.async {
+                        self?.isApplyingNetworkChange = false
+                    }
+                }
+            }
+        }
+
+        pendingNetworkChangeWorkItem = workItem
+        networkChangeQueue.asyncAfter(deadline: .now() + 1.0, execute: workItem)
+    }
+
+    private func scheduleOpenVPNReconnect(reason: String) {
+        guard protoType == .openvpn else { return }
+
+        pendingOpenVPNReconnectWorkItem?.cancel()
+
+        let workItem = DispatchWorkItem { [weak self] in
+            guard let self else { return }
+            self.pendingOpenVPNReconnectWorkItem = nil
+
+            guard self.protoType == .openvpn else { return }
+
+            if self.reasserting {
+                ovpnLog(.debug, message: "Skipping OpenVPN reconnect while session is already reasserting")
+                return
+            }
+
+            DispatchQueue.main.async { [weak self] in
+                guard let self else { return }
+                guard !self.reasserting else {
+                    ovpnLog(.debug, message: "Skipping OpenVPN reconnect while session is already reasserting")
+                    return
+                }
+
+                ovpnLog(.info, message: "\(reason), reconnecting OpenVPN session")
+                self.ovpnAdapter?.reconnect(afterTimeInterval: 1)
+            }
+        }
+
+        pendingOpenVPNReconnectWorkItem = workItem
+        networkChangeQueue.asyncAfter(deadline: .now() + 1.0, execute: workItem)
+    }
+
+    func handleOpenVPNReachabilityChange(_ status: OpenVPNReachabilityStatus) {
+        defer { lastOpenVPNReachabilityStatus = status }
+
+        guard let previousStatus = lastOpenVPNReachabilityStatus else {
+            return
+        }
+
+        guard previousStatus != status else {
+            return
+        }
+
+        switch status {
+        case .reachableViaWiFi, .reachableViaWWAN:
+            scheduleOpenVPNReconnect(reason: "Reachability changed")
+        default:
+            break
+        }
+    }
+
+    private func cancelPendingOpenVPNReconnect() {
+        pendingOpenVPNReconnectWorkItem?.cancel()
+        pendingOpenVPNReconnectWorkItem = nil
+        lastOpenVPNReachabilityStatus = nil
+    }
+
+    private func cancelPendingNetworkChangeHandling() {
+        pendingNetworkChangeWorkItem?.cancel()
+        pendingNetworkChangeWorkItem = nil
+        isApplyingNetworkChange = false
    }
 }

@@ -303,8 +391,14 @@ private extension PacketTunnelProvider {
        signatureComponents.append(path.isExpensive ? "exp" : "noexp")
        signatureComponents.append(path.isConstrained ? "con" : "nocon")

-        let preferredTypes: [NWInterface.InterfaceType] = [.wiredEthernet, .wifi, .cellular, .loopback, .other]
-        let sortedInterfaces = path.availableInterfaces.sorted { lhs, rhs in
+        // Ignore loopback and tunnel-style `.other` interfaces so Xray does not
+        // react to its own utun lifecycle as if the physical uplink changed.
+        let preferredTypes: [NWInterface.InterfaceType] = [.wiredEthernet, .wifi, .cellular]
+        let externalInterfaces = path.availableInterfaces.filter { interface in
+            interface.type == .wiredEthernet || interface.type == .wifi || interface.type == .cellular
+        }
+
+        let sortedInterfaces = externalInterfaces.sorted { lhs, rhs in
            if lhs.type == rhs.type {
                return lhs.index < rhs.index
            }
@@ -325,8 +419,8 @@ private extension PacketTunnelProvider {
            case .wiredEthernet: typeName = "ethernet"
            case .wifi: typeName = "wifi"
            case .cellular: typeName = "cellular"
-            case .loopback: typeName = "loopback"
-            case .other: typeName = "other"
+            case .loopback, .other:
+                continue
            @unknown default: typeName = "unknown"
            }
            signatureComponents.append("\(typeName):\(interface.index)")
@@ -343,17 +437,16 @@ private extension PacketTunnelProvider {
 }

 extension WireGuardLogLevel {
-    var osLogLevel: OSLogType {
-        switch self {
-        case .verbose:
-            return .debug
-        case .error:
-            return .error
-        }
+  var osLogLevel: OSLogType {
+    switch self {
+    case .verbose:
+      return .debug
+    case .error:
+      return .error
    }
+  }
 }

-#if !os(tvOS)
 final class PacketTunnelFlowAdapter: NSObject, OpenVPNAdapterPacketFlow {
  private let flow: NEPacketTunnelFlow

@@ -372,7 +465,6 @@ final class PacketTunnelFlowAdapter: NSObject, OpenVPNAdapterPacketFlow {
    flow.writePackets(packets, withProtocols: protocols)
  }
 }
-#endif

 extension NEProviderStopReason {
  var amneziaDescription: String {
@@ -1,4 +1,4 @@
-#if !MACOS_NE && !TARGET_OS_TV
+#if !MACOS_NE
 #include "QRCodeReaderBase.h"

 #import <UIKit/UIKit.h>
@@ -3,5 +3,7 @@ import Foundation
 struct XrayConfig: Decodable {
    let dns1: String?
    let dns2: String?
+    let splitTunnelType: Int?
+    let splitTunnelSites: [String]?
    let config: String
 }
@@ -684,6 +684,15 @@ bool IosController::setupXray()
    QJsonObject finalConfig;
    finalConfig.insert(config_key::dns1, m_rawConfig[config_key::dns1].toString());
    finalConfig.insert(config_key::dns2, m_rawConfig[config_key::dns2].toString());
+    finalConfig.insert(config_key::splitTunnelType, m_rawConfig[config_key::splitTunnelType]);
+
+    QJsonArray splitTunnelSites = m_rawConfig[config_key::splitTunnelSites].toArray();
+
+    for(int index = 0; index < splitTunnelSites.count(); index++) {
+        splitTunnelSites[index] = splitTunnelSites[index].toString().remove(" ");
+    }
+
+    finalConfig.insert(config_key::splitTunnelSites, splitTunnelSites);
    finalConfig.insert(config_key::config, xrayConfigStr);

    QJsonDocument finalConfigDoc(finalConfig);
@@ -959,10 +968,6 @@ void IosController::sendVpnExtensionMessage(NSDictionary* message, std::function
 }

 bool IosController::shareText(const QStringList& filesToSend) {
-#if defined(Q_OS_TVOS)
-    Q_UNUSED(filesToSend)
-    return false;
-#else
    NSMutableArray *sharingItems = [NSMutableArray new];

    for (int i = 0; i < filesToSend.size(); i++) {
@@ -971,7 +976,7 @@ bool IosController::shareText(const QStringList& filesToSend) {
    }
 #if !MACOS_NE
    UIViewController *qtController = getViewController();
-    if (!qtController) return false;
+    if (!qtController) return;

    UIActivityViewController *activityController = [[UIActivityViewController alloc] initWithActivityItems:sharingItems applicationActivities:nil];
 #endif
@@ -995,25 +1000,23 @@ bool IosController::shareText(const QStringList& filesToSend) {
    wait.exec();

    return isAccepted;
-#endif
 }

 QString IosController::openFile() {
-#if defined(Q_OS_TVOS)
-    return QString();
-#elif !MACOS_NE
+#if !MACOS_NE
    UIDocumentPickerViewController *documentPicker = [[UIDocumentPickerViewController alloc] initWithDocumentTypes:@[@"public.item"] inMode:UIDocumentPickerModeOpen];

    DocumentPickerDelegate *documentPickerDelegate = [[DocumentPickerDelegate alloc] init];
    documentPicker.delegate = documentPickerDelegate;

    UIViewController *qtController = getViewController();
-    if (!qtController) return QString();
+    if (!qtController) return;

    [qtController presentViewController:documentPicker animated:YES completion:nil];
+
 #endif
    __block QString filePath;
-#if !MACOS_NE && !defined(Q_OS_TVOS)
+#if !MACOS_NE
    documentPickerDelegate.documentPickerClosedCallback = ^(NSString *path) {
        if (path) {
            filePath = QString::fromUtf8(path.UTF8String);
@@ -1,7 +1,6 @@
 #import <NetworkExtension/NetworkExtension.h>
 #import <NetworkExtension/NETunnelProviderSession.h>
 #import <Foundation/Foundation.h>
-#include <TargetConditionals.h>

 #if !MACOS_NE
 #include <UIKit/UIKit.h>
@@ -22,7 +21,7 @@ class IosController;
@end

 typedef void (^DocumentPickerClosedCallback)(NSString *path);
-#if !MACOS_NE && !TARGET_OS_TV
+#if !MACOS_NE
@interface DocumentPickerDelegate : NSObject <UIDocumentPickerDelegate>

@property (nonatomic, copy) DocumentPickerClosedCallback documentPickerClosedCallback;
@@ -26,7 +26,7 @@

@end

-#if !MACOS_NE && !TARGET_OS_TV
+#if !MACOS_NE
@implementation DocumentPickerDelegate

 - (void)documentPicker:(UIDocumentPickerViewController *)controller didPickDocumentsAtURLs:(NSArray<NSURL *> *)urls {
@@ -7,24 +7,6 @@
 #import <UserNotifications/UserNotifications.h>
 #import <Foundation/Foundation.h>

-#if defined(Q_OS_TVOS)
-
-IOSNotificationHandler::IOSNotificationHandler(QObject* parent) : NotificationHandler(parent) {}
-
-IOSNotificationHandler::~IOSNotificationHandler() {}
-
-void IOSNotificationHandler::notify(NotificationHandler::Message type,
-                                    const QString& title,
-                                    const QString& message,
-                                    int timerMsec) {
-  Q_UNUSED(type)
-  Q_UNUSED(title)
-  Q_UNUSED(message)
-  Q_UNUSED(timerMsec)
-}
-
-#else
-
 #if !MACOS_NE
 #import <UIKit/UIKit.h>

@@ -190,5 +172,3 @@ void IOSNotificationHandler::notify(NotificationHandler::Message type, const QSt
           }];
 }
 #endif
-
-#endif  // Q_OS_TVOS
@@ -1,6 +0,0 @@
-/*
- * tvOS does not export these iOS runtime helpers used by Go cgo archives.
- * WireGuardKitGo references them indirectly; provide no-op stubs for tvOS.
- */
-void darwin_arm_init_mach_exception_handler(void) {}
-void darwin_arm_init_thread_exception_port(void) {}
@@ -4,20 +4,14 @@

 #include "dnsutilslinux.h"

-#include <net/if.h>
-
-#include <QDBusVariant>
-#include <QtDBus/QtDBus>
+#include <QDir>
+#include <QFile>
+#include <QFileInfo>
+#include <QProcess>

 #include "leakdetector.h"
 #include "logger.h"

-constexpr const char* DBUS_RESOLVE_SERVICE = "org.freedesktop.resolve1";
-constexpr const char* DBUS_RESOLVE_PATH = "/org/freedesktop/resolve1";
-constexpr const char* DBUS_RESOLVE_MANAGER = "org.freedesktop.resolve1.Manager";
-constexpr const char* DBUS_PROPERTY_INTERFACE =
-    "org.freedesktop.DBus.Properties";
-
 namespace {
 Logger logger("DnsUtilsLinux");
 }
@@ -25,188 +19,147 @@ Logger logger("DnsUtilsLinux");
 DnsUtilsLinux::DnsUtilsLinux(QObject* parent) : DnsUtils(parent) {
  MZ_COUNT_CTOR(DnsUtilsLinux);
  logger.debug() << "DnsUtilsLinux created.";
-
-  QDBusConnection conn = QDBusConnection::systemBus();
-  m_resolver = new QDBusInterface(DBUS_RESOLVE_SERVICE, DBUS_RESOLVE_PATH,
-                                  DBUS_RESOLVE_MANAGER, conn, this);
 }

 DnsUtilsLinux::~DnsUtilsLinux() {
  MZ_COUNT_DTOR(DnsUtilsLinux);
-
-  for (auto iterator = m_linkDomains.constBegin();
-       iterator != m_linkDomains.constEnd(); ++iterator) {
-    QList<QVariant> argumentList;
-    argumentList << QVariant::fromValue(iterator.key());
-    argumentList << QVariant::fromValue(iterator.value());
-    m_resolver->asyncCallWithArgumentList(QStringLiteral("SetLinkDomains"),
-                                          argumentList);
-  }
-
-  if (m_ifindex > 0) {
-    m_resolver->asyncCall(QStringLiteral("RevertLink"), m_ifindex);
-  }
-
  logger.debug() << "DnsUtilsLinux destroyed.";
 }

+void DnsUtilsLinux::writeResolvConf(const QList<QHostAddress>& resolvers) {
+  if (resolvers.isEmpty()) return;
+
+  static const QString kPath = QStringLiteral("/etc/resolv.conf");
+
+  if (m_resolvConfOriginal.isEmpty()) {
+    QFileInfo fi(kPath);
+    if (fi.isSymLink()) {
+      m_resolvConfOriginal = fi.symLinkTarget();
+      logger.debug() << "Saved resolv.conf symlink target:"
+                     << m_resolvConfOriginal;
+      if (!m_stateFilePath.isEmpty()) {
+        QFile sf(m_stateFilePath);
+        if (sf.open(QIODevice::WriteOnly | QIODevice::Text))
+          sf.write(m_resolvConfOriginal.toUtf8());
+      }
+    } else {
+      QFile orig(kPath);
+      if (orig.open(QIODevice::ReadOnly | QIODevice::Text)) {
+        QByteArray content = orig.readAll();
+        orig.close();
+        m_resolvConfOriginal = QStringLiteral("__file__");
+        logger.debug() << "resolv.conf is a regular file; saved content for restore";
+        if (!m_stateFilePath.isEmpty()) {
+          QFile sf(m_stateFilePath);
+          if (sf.open(QIODevice::WriteOnly | QIODevice::Text)) {
+            sf.write("__file__:");
+            sf.write(content);
+          }
+        }
+      } else {
+        m_resolvConfOriginal = QStringLiteral("__file__");
+      }
+    }
+  }
+
+  QFile::remove(kPath);
+  QFile f(kPath);
+  if (!f.open(QIODevice::WriteOnly | QIODevice::Text)) {
+    logger.warning() << "Failed to write" << kPath << ":" << f.errorString();
+    if (m_resolvConfOriginal != QStringLiteral("__file__"))
+      QFile::link(m_resolvConfOriginal, kPath);
+    m_resolvConfOriginal.clear();
+    if (!m_stateFilePath.isEmpty()) QFile::remove(m_stateFilePath);
+    return;
+  }
+  for (const auto& r : resolvers) {
+    if (r.protocol() == QAbstractSocket::IPv4Protocol)
+      f.write(
+          QStringLiteral("nameserver %1\n").arg(r.toString()).toUtf8());
+  }
+  f.close();
+  logger.debug() << "Wrote resolv.conf with" << resolvers.size()
+                 << "DNS servers";
+}
+
+void DnsUtilsLinux::restoreResolvConf() {
+  if (m_resolvConfOriginal.isEmpty()) return;
+
+  const QString original = m_resolvConfOriginal;
+  m_resolvConfOriginal.clear();
+
+  if (!m_stateFilePath.isEmpty())
+    QFile::remove(m_stateFilePath);
+
+  static const char* kPath = "/etc/resolv.conf";
+
+  QFile::remove(kPath);
+
+  if (original == QStringLiteral("__file__")) {
+    if (!m_resolvConfSavedContent.isEmpty()) {
+      QFile f(kPath);
+      if (f.open(QIODevice::WriteOnly | QIODevice::Text)) {
+        f.write(m_resolvConfSavedContent.toUtf8());
+        logger.debug() << "Restored resolv.conf from saved content";
+      }
+      m_resolvConfSavedContent.clear();
+    } else if (QFile::exists(QStringLiteral("/run/systemd/resolve/stub-resolv.conf"))) {
+      QFile::link(QStringLiteral("/run/systemd/resolve/stub-resolv.conf"), kPath);
+      logger.debug() << "Restored resolv.conf symlink to stub-resolv.conf";
+    }
+  } else {
+    QFile::link(original, kPath);
+    logger.debug() << "Restored resolv.conf symlink to" << original;
+  }
+}
+
 bool DnsUtilsLinux::updateResolvers(const QString& ifname,
                                    const QList<QHostAddress>& resolvers) {
-  m_ifindex = if_nametoindex(qPrintable(ifname));
-  if (m_ifindex <= 0) {
-    logger.error() << "Unable to resolve ifindex for" << ifname;
-    return false;
-  }
+  m_stateFilePath = QStringLiteral("/run/amnezia-dns-%1").arg(ifname);

-  setLinkDNS(m_ifindex, resolvers);
-  setLinkDefaultRoute(m_ifindex, true);
-  updateLinkDomains();
+  writeResolvConf(resolvers);
  return true;
 }

 bool DnsUtilsLinux::restoreResolvers() {
-  for (auto iterator = m_linkDomains.constBegin();
-       iterator != m_linkDomains.constEnd(); ++iterator) {
-    setLinkDomains(iterator.key(), iterator.value());
+
+  if (m_resolvConfOriginal.isEmpty()) {
+    QStringList candidates;
+    if (!m_stateFilePath.isEmpty()) {
+      candidates << m_stateFilePath;
+    } else {
+
+      QDir runDir(QStringLiteral("/run"));
+      for (const QString& name : runDir.entryList(
+               {QStringLiteral("amnezia-dns-*")}, QDir::Files)) {
+        candidates << runDir.filePath(name);
+      }
+    }
+    for (const QString& path : candidates) {
+      QFile sf(path);
+      if (sf.open(QIODevice::ReadOnly)) {
+        QByteArray data = sf.readAll();
+        sf.close();
+        m_stateFilePath = path;
+        if (data.startsWith("__file__:")) {
+          m_resolvConfOriginal = QStringLiteral("__file__");
+          m_resolvConfSavedContent = QString::fromUtf8(data.mid(9));
+        } else {
+          m_resolvConfOriginal = QString::fromUtf8(data).trimmed();
+        }
+        logger.debug() << "Recovered DNS original from" << path << ":"
+                       << m_resolvConfOriginal;
+        break;
+      }
+    }
  }
-  m_linkDomains.clear();

-  /* Revert the VPN interface's DNS configuration */
-  if (m_ifindex > 0) {
-    QList<QVariant> argumentList = {QVariant::fromValue(m_ifindex)};
-    QDBusPendingReply<> reply = m_resolver->asyncCallWithArgumentList(
-        QStringLiteral("RevertLink"), argumentList);
+  const bool hadDnsState = !m_resolvConfOriginal.isEmpty();
+  restoreResolvConf();

-    QDBusPendingCallWatcher* watcher = new QDBusPendingCallWatcher(reply, this);
-    QObject::connect(watcher, SIGNAL(finished(QDBusPendingCallWatcher*)), this,
-                     SLOT(dnsCallCompleted(QDBusPendingCallWatcher*)));
-
-    m_ifindex = 0;
+  if (hadDnsState && QFile::exists(QStringLiteral("/run/systemd/resolve"))) {
+    QProcess::startDetached("systemctl", {"restart", "systemd-resolved"});
  }

  return true;
 }
-
-void DnsUtilsLinux::dnsCallCompleted(QDBusPendingCallWatcher* call) {
-  QDBusPendingReply<> reply = *call;
-  if (reply.isError()) {
-    logger.error() << "Error received from the DBus service";
-  }
-  delete call;
-}
-
-void DnsUtilsLinux::setLinkDNS(int ifindex,
-                               const QList<QHostAddress>& resolvers) {
-  QList<DnsResolver> resolverList;
-  char ifnamebuf[IF_NAMESIZE];
-  const char* ifname = if_indextoname(ifindex, ifnamebuf);
-  for (const auto& ip : resolvers) {
-    resolverList.append(ip);
-    if (ifname) {
-      logger.debug() << "Adding DNS resolver" << ip.toString() << "via"
-                     << ifname;
-    }
-  }
-
-  QList<QVariant> argumentList;
-  argumentList << QVariant::fromValue(ifindex);
-  argumentList << QVariant::fromValue(resolverList);
-  QDBusPendingReply<> reply = m_resolver->asyncCallWithArgumentList(
-      QStringLiteral("SetLinkDNS"), argumentList);
-
-  QDBusPendingCallWatcher* watcher = new QDBusPendingCallWatcher(reply, this);
-  QObject::connect(watcher, SIGNAL(finished(QDBusPendingCallWatcher*)), this,
-                   SLOT(dnsCallCompleted(QDBusPendingCallWatcher*)));
-}
-
-void DnsUtilsLinux::setLinkDomains(int ifindex,
-                                   const QList<DnsLinkDomain>& domains) {
-  char ifnamebuf[IF_NAMESIZE];
-  const char* ifname = if_indextoname(ifindex, ifnamebuf);
-  if (ifname) {
-    for (const auto& d : domains) {
-      // The DNS search domains often winds up revealing user's ISP which
-      // can correlate back to their location.
-      logger.debug() << "Setting DNS domain:" << logger.sensitive(d.domain)
-                     << "via" << ifname << (d.search ? "search" : "");
-    }
-  }
-
-  QList<QVariant> argumentList;
-  argumentList << QVariant::fromValue(ifindex);
-  argumentList << QVariant::fromValue(domains);
-  QDBusPendingReply<> reply = m_resolver->asyncCallWithArgumentList(
-      QStringLiteral("SetLinkDomains"), argumentList);
-
-  QDBusPendingCallWatcher* watcher = new QDBusPendingCallWatcher(reply, this);
-  QObject::connect(watcher, SIGNAL(finished(QDBusPendingCallWatcher*)), this,
-                   SLOT(dnsCallCompleted(QDBusPendingCallWatcher*)));
-}
-
-void DnsUtilsLinux::setLinkDefaultRoute(int ifindex, bool enable) {
-  QList<QVariant> argumentList;
-  argumentList << QVariant::fromValue(ifindex);
-  argumentList << QVariant::fromValue(enable);
-  QDBusPendingReply<> reply = m_resolver->asyncCallWithArgumentList(
-      QStringLiteral("SetLinkDefaultRoute"), argumentList);
-
-  QDBusPendingCallWatcher* watcher = new QDBusPendingCallWatcher(reply, this);
-  QObject::connect(watcher, SIGNAL(finished(QDBusPendingCallWatcher*)), this,
-                   SLOT(dnsCallCompleted(QDBusPendingCallWatcher*)));
-}
-
-void DnsUtilsLinux::updateLinkDomains() {
-  /* Get the list of search domains, and remove any others that might conspire
-   * to satisfy DNS resolution. Unfortunately, this is a pain because Qt doesn't
-   * seem to be able to demarshall complex property types.
-   */
-  QDBusMessage message = QDBusMessage::createMethodCall(
-      DBUS_RESOLVE_SERVICE, DBUS_RESOLVE_PATH, DBUS_PROPERTY_INTERFACE, "Get");
-  message << QString(DBUS_RESOLVE_MANAGER);
-  message << QString("Domains");
-  QDBusPendingReply<QVariant> reply =
-      m_resolver->connection().asyncCall(message);
-
-  QDBusPendingCallWatcher* watcher = new QDBusPendingCallWatcher(reply, this);
-  QObject::connect(watcher, SIGNAL(finished(QDBusPendingCallWatcher*)), this,
-                   SLOT(dnsDomainsReceived(QDBusPendingCallWatcher*)));
-}
-
-void DnsUtilsLinux::dnsDomainsReceived(QDBusPendingCallWatcher* call) {
-  QDBusPendingReply<QVariant> reply = *call;
-  if (reply.isError()) {
-    logger.error() << "Error retrieving the DNS  domains from the DBus service";
-    delete call;
-    return;
-  }
-
-  /* Update the state of the DNS domains */
-  m_linkDomains.clear();
-  QDBusArgument args = qvariant_cast<QDBusArgument>(reply.value());
-  QList<DnsDomain> list = qdbus_cast<QList<DnsDomain>>(args);
-  for (const auto& d : list) {
-    if (d.ifindex == 0) {
-      continue;
-    }
-    m_linkDomains[d.ifindex].append(DnsLinkDomain(d.domain, d.search));
-  }
-
-  /* Drop any competing root search domains. */
-  DnsLinkDomain root = DnsLinkDomain(".", true);
-  for (auto iterator = m_linkDomains.constBegin();
-       iterator != m_linkDomains.constEnd(); ++iterator) {
-    if (!iterator.value().contains(root)) {
-      continue;
-    }
-    QList<DnsLinkDomain> newlist = iterator.value();
-    newlist.removeAll(root);
-    setLinkDomains(iterator.key(), newlist);
-  }
-
-  /* Add a root search domain for the new interface. */
-  QList<DnsLinkDomain> newlist = {root};
-  setLinkDomains(m_ifindex, newlist);
-  delete call;
-}
-
-static DnsMetatypeRegistrationProxy s_dnsMetatypeProxy;
@@ -5,11 +5,11 @@
 #ifndef DNSUTILSLINUX_H
 #define DNSUTILSLINUX_H

-#include <QDBusInterface>
-#include <QDBusPendingCallWatcher>
+#include <QHostAddress>
+#include <QList>
+#include <QString>

 #include "daemon/dnsutils.h"
-#include "dbustypeslinux.h"

 class DnsUtilsLinux final : public DnsUtils {
  Q_OBJECT
@@ -23,19 +23,14 @@ class DnsUtilsLinux final : public DnsUtils {
  bool restoreResolvers() override;

 private:
-  void setLinkDNS(int ifindex, const QList<QHostAddress>& resolvers);
-  void setLinkDomains(int ifindex, const QList<DnsLinkDomain>& domains);
-  void setLinkDefaultRoute(int ifindex, bool enable);
-  void updateLinkDomains();
-
- private slots:
-  void dnsCallCompleted(QDBusPendingCallWatcher*);
-  void dnsDomainsReceived(QDBusPendingCallWatcher*);
+  void writeResolvConf(const QList<QHostAddress>& resolvers);
+  void restoreResolvConf();

 private:
-  int m_ifindex = 0;
-  QMap<int, DnsLinkDomainList> m_linkDomains;
-  QDBusInterface* m_resolver = nullptr;
+
+  QString m_resolvConfOriginal;
+  QString m_resolvConfSavedContent;
+  QString m_stateFilePath;
 };

-#endif  // DNSUTILSLINUX_H
+#endif
@@ -32,6 +32,7 @@

 #include "linuxfirewall.h"
 #include "logger.h"
+#include <QHostAddress>
 #include <QProcess>

 #define BRAND_CODE "amn"
@@ -108,7 +109,7 @@ int LinuxFirewall::linkChain(LinuxFirewall::IPVersion ip, const QString& chain,
        //    (we can't safely delete all rules at once since rule numbers change)
        // TODO: occasionally this script results in warnings in logs "Bad rule (does a matching rule exist in the chain?)" - this happens when
        // the e.g OUTPUT chain is empty but this script attempts to delete things from it anyway. It doesn't cause any problems, but we should still fix at some point..
-        return execute(QStringLiteral("if ! %1 -L %2 -n --line-numbers -t %4 2> /dev/null | awk 'int($1) == 1 && $2 == \"%3\" { found=1 } END { if(found==1) { exit 0 } else { exit 1 } }' ; then %1 -I %2 -j %3 -t %4 && %1 -L %2 -n --line-numbers -t %4 2> /dev/null | awk 'int($1) > 1 && $2 == \"%3\" { print $1; exit }' | xargs %1 -t %4 -D %2 ; fi").arg(cmd, parent, chain, tableName));
+        return execute(QStringLiteral("if ! %1 -L %2 -n --line-numbers -t %4 2> /dev/null | awk 'int($1) == 1 && $2 == \"%3\" { found=1 } END { if(found==1) { exit 0 } else { exit 1 } }' ; then %1 -I %2 -j %3 -t %4 && %1 -L %2 -n --line-numbers -t %4 2> /dev/null | awk 'int($1) > 1 && $2 == \"%3\" { print $1; exit }' | xargs -r %1 -t %4 -D %2 ; fi").arg(cmd, parent, chain, tableName));
    }
    else
        return execute(QStringLiteral("if ! %1 -C %2 -j %3 -t %4 2> /dev/null ; then %1 -A %2 -j %3 -t %4; fi").arg(cmd, parent, chain, tableName));
@@ -192,12 +193,8 @@ QStringList LinuxFirewall::getDNSRules(const QStringList& servers)
    QStringList result;
    for (const QString& server : servers)
    {
-        result << QStringLiteral("-o amn0+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
-        result << QStringLiteral("-o amn0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
-        result << QStringLiteral("-o tun0+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
-        result << QStringLiteral("-o tun0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
-        result << QStringLiteral("-o tun2+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
-        result << QStringLiteral("-o tun2+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-d %1 -p udp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
    }
    return result;
 }
@@ -245,7 +242,7 @@ void LinuxFirewall::install()
                                                                 QStringLiteral("-o lo+ -j ACCEPT"),
                                                             });

-    installAnchor(IPv4, QStringLiteral("320.allowDNS"), {});
+    installAnchor(Both, QStringLiteral("320.allowDNS"), {});

    installAnchor(Both, QStringLiteral("310.blockDNS"), {
                                                            QStringLiteral("-p udp --dport 53 -j REJECT"),
@@ -289,6 +286,7 @@ void LinuxFirewall::install()
    installAnchor(Both, QStringLiteral("100.blockAll"), {
                                                            QStringLiteral("-j REJECT"),
                                                        });
+    installAnchor(Both, QStringLiteral("400.allowPIA"), {});
    // NAT rules
    installAnchor(Both, QStringLiteral("100.transIp"), {

@@ -351,7 +349,7 @@ void LinuxFirewall::uninstall()
    // Remove filter anchors
    uninstallAnchor(Both, QStringLiteral("000.allowLoopback"));
    uninstallAnchor(Both, QStringLiteral("400.allowPIA"));
-    uninstallAnchor(IPv4, QStringLiteral("320.allowDNS"));
+    uninstallAnchor(Both, QStringLiteral("320.allowDNS"));
    uninstallAnchor(Both, QStringLiteral("310.blockDNS"));
    uninstallAnchor(Both, QStringLiteral("300.allowLAN"));
    uninstallAnchor(Both, QStringLiteral("290.allowDHCP"));
@@ -372,6 +370,8 @@ void LinuxFirewall::uninstall()

    teardownTrafficSplitting();

+    anchorCallbacks.clear();
+
    logger.debug() << "LinuxFirewall::uninstall() complete";
 }

@@ -445,12 +445,17 @@ void LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPVersion ip, const QString

 void LinuxFirewall::updateDNSServers(const QStringList& servers)
 {
-    static QStringList existingServers {};
-
-    existingServers = servers;
    execute(QStringLiteral("iptables -F %1.320.allowDNS").arg(kAnchorName));
-    for (const QString& rule : getDNSRules(servers))
-        execute(QStringLiteral("iptables -A %1.320.allowDNS %2").arg(kAnchorName, rule));
+    execute(QStringLiteral("ip6tables -F %1.320.allowDNS").arg(kAnchorName));
+
+    for (const QString& server : servers) {
+        if (server.isEmpty()) continue;
+        const QString cmd = (QHostAddress(server).protocol() == QAbstractSocket::IPv6Protocol)
+                                ? QStringLiteral("ip6tables")
+                                : QStringLiteral("iptables");
+        execute(QStringLiteral("%1 -A %2.320.allowDNS -d %3 -p udp --dport 53 -j ACCEPT").arg(cmd, kAnchorName, server));
+        execute(QStringLiteral("%1 -A %2.320.allowDNS -d %3 -p tcp --dport 53 -j ACCEPT").arg(cmd, kAnchorName, server));
+    }
 }

 void LinuxFirewall::updateAllowNets(const QStringList& servers)
@@ -495,13 +500,20 @@ int LinuxFirewall::execute(const QString &command, bool ignoreErrors)
        logger.debug() << "(" << exitCode << ") $ " << command;
    if (!out.isEmpty())
        logger.info() << out;
-    if (!err.isEmpty())
+    if (!err.isEmpty() && !ignoreErrors)
        logger.warning() << err;
    return exitCode;
 }

 void LinuxFirewall::setupTrafficSplitting()
 {
+    execute(QStringLiteral("grep -q '%1' /etc/iproute2/rt_tables || printf '200\\t%1\\n' >> /etc/iproute2/rt_tables").arg(kRtableName));
+
+    execute(QStringLiteral(
+        "if [ ! -d /sys/fs/cgroup/net_cls ] ; then "
+        "mkdir -p /sys/fs/cgroup/net_cls && "
+        "mount -t cgroup -o net_cls cgroup /sys/fs/cgroup/net_cls ; fi"));
+
    auto cGroupDir = "/sys/fs/cgroup/net_cls/" BRAND_CODE "vpnexclusions/";
    logger.info() << "Should be setting up cgroup in" << cGroupDir << "for traffic splitting";
    execute(QStringLiteral("if [ ! -d %1 ] ; then mkdir %1 ; sleep 0.1 ; echo %2 > %1/net_cls.classid ; fi").arg(cGroupDir).arg(kCGroupId));
@@ -513,6 +525,7 @@ void LinuxFirewall::teardownTrafficSplitting()
 {
    logger.info() << "Tearing down cgroup and routing rules";
    execute(QStringLiteral("if ip rule list | grep -q %1; then ip rule del from all fwmark %1 lookup %2 2> /dev/null ; fi").arg(kPacketTag, kRtableName));
-    execute(QStringLiteral("ip route flush table %1").arg(kRtableName));
+    execute(QStringLiteral("ip route flush table %1").arg(kRtableName), true);
    execute(QStringLiteral("ip route flush cache"));
+    execute(QStringLiteral("sed -i '/%1/d' /etc/iproute2/rt_tables").arg(kRtableName));
 }
@@ -164,8 +164,13 @@ bool LinuxRouteMonitor::rtmSendRoute(int action, int flags, int type,
    }

    if (rtm->rtm_type == RTN_THROW) {
+    QString gateway = NetworkUtilities::getGatewayAndIface().first;
+    if (gateway.isEmpty()) {
+        logger.warning() << "No default gateway available, skipping exclusion route";
+        return false;
+    }
    struct in_addr ip4;
-    inet_pton(AF_INET, NetworkUtilities::getGatewayAndIface().first.toUtf8(), &ip4);
+    inet_pton(AF_INET, gateway.toUtf8(), &ip4);
    nlmsg_append_attr(nlmsg, sizeof(buf), RTA_GATEWAY, &ip4, sizeof(ip4));
    nlmsg_append_attr32(nlmsg, sizeof(buf), RTA_PRIORITY, 0);
    rtm->rtm_type = RTN_UNICAST;
@@ -80,7 +80,7 @@ bool WireguardUtilsLinux::addInterface(const InterfaceConfig& config) {

    QDir appPath(QCoreApplication::applicationDirPath());
    QStringList wgArgs = {"-f", "amn0"};
-    m_tunnel.start(appPath.filePath("amneziawg-go"), wgArgs);
+    m_tunnel.start(appPath.filePath("../../client/bin/wireguard-go"), wgArgs);
    if (!m_tunnel.waitForStarted(WG_TUN_PROC_TIMEOUT)) {
        logger.error() << "Unable to start tunnel process due to timeout";
        m_tunnel.kill();
@@ -44,6 +44,9 @@ void LinuxNetworkWatcher::initialize() {
  connect(m_worker, &LinuxNetworkWatcherWorker::wakeup, this,
          &NetworkWatcherImpl::wakeup);

+  connect(m_worker, &LinuxNetworkWatcherWorker::networkChanged, this,
+          [this]() { emit networkChanged(""); });
+
  // Let's wait a few seconds to allow the UI to be fully loaded and shown.
  // This is not strictly needed, but it's better for user experience because
  // it makes the UI faster to appear, plus it gives a bit of delay between the
@@ -4,6 +4,7 @@

 #include "linuxnetworkwatcherworker.h"

+#include <QTimer>
 #include <QtDBus/QtDBus>

 #include "leakdetector.h"
@@ -37,6 +38,7 @@
 enum NMState {
    NM_STATE_UNKNOWN = 0,
    NM_STATE_ASLEEP = 10,
+    NM_STATE_DISABLED = 10,
    NM_STATE_DISCONNECTED = 20,
    NM_STATE_DISCONNECTING = 30,
    NM_STATE_CONNECTING = 40,
@@ -122,6 +124,12 @@ void LinuxNetworkWatcherWorker::initialize() {
        SLOT(propertyChanged(QString, QVariantMap, QStringList)));
  }

+  QVariant currentState = nm.property("State");
+  if (currentState.isValid()) {
+    m_previousNMState = currentState.toUInt();
+    logger.debug() << "Initial NM state:" << m_previousNMState;
+  }
+
  QDBusConnection::systemBus().connect(DBUS_NETWORKMANAGER,
                                       DBUS_NETWORKMANAGER_PATH,
                                       DBUS_NETWORKMANAGER,
@@ -199,10 +207,13 @@ void LinuxNetworkWatcherWorker::checkDevices() {

 void LinuxNetworkWatcherWorker::NMStateChanged(quint32 state)
 {
-  if (state == NM_STATE_ASLEEP) {
-    emit wakeup();
-  }
+    logger.debug() << "NMStateChanged " << state;

-  logger.debug() << "NMStateChanged " << state;
-}
+    if (state == NM_STATE_ASLEEP || state == NM_STATE_DISABLED) {
+        emit wakeup();
+    } else if (state >= NM_STATE_CONNECTED_SITE && m_previousNMState < NM_STATE_CONNECTED_SITE) {
+        emit networkChanged();
+    }

+    m_previousNMState = state;
+}
@@ -24,6 +24,7 @@ class LinuxNetworkWatcherWorker final : public QObject {
 signals:
  void unsecuredNetwork(const QString& networkName, const QString& networkId);
  void wakeup();
+  void networkChanged();

 public slots:
  void initialize();
@@ -34,10 +35,12 @@ class LinuxNetworkWatcherWorker final : public QObject {
  void NMStateChanged(quint32 state);

 private:
+
  // We collect the list of DBus wifi network device paths during the
  // initialization. When a property of them changes, we check if the access
  // point is active and unsecure.
  QStringList m_devicePaths;
+  quint32 m_previousNMState = 0;
 };

 #endif  // LINUXNETWORKWATCHERWORKER_H
@@ -79,7 +79,7 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {

  QDir appPath(QCoreApplication::applicationDirPath());
  QStringList wgArgs = {"-f", "utun"};
-  m_tunnel.start(appPath.filePath("amneziawg-go"), wgArgs);
+  m_tunnel.start(appPath.filePath("wireguard-go"), wgArgs);
  if (!m_tunnel.waitForStarted(WG_TUN_PROC_TIMEOUT)) {
    logger.error() << "Unable to start tunnel process due to timeout";
    m_tunnel.kill();
@@ -190,7 +190,7 @@ namespace amnezia

            constexpr char defaultPort[] = "51820";

-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS) || defined(MACOS_NE)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
            constexpr char defaultMtu[] = "1280";
 #else
            constexpr char defaultMtu[] = "1376";
@@ -210,7 +210,7 @@ namespace amnezia
        namespace awg
        {
            constexpr char defaultPort[] = "55424";
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS) || defined(MACOS_NE)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
            constexpr char defaultMtu[] = "1280";
 #else
            constexpr char defaultMtu[] = "1376";
@@ -4,7 +4,7 @@
 #include "core/errorstrings.h"
 #include "vpnprotocol.h"

-#if defined(Q_OS_WINDOWS) || (defined(Q_OS_MACX) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)) || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
+#if defined(Q_OS_WINDOWS) || defined(Q_OS_MACX) and !defined MACOS_NE || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
    #include "openvpnovercloakprotocol.h"
    #include "openvpnprotocol.h"
    #include "shadowsocksvpnprotocol.h"
@@ -114,7 +114,7 @@ VpnProtocol *VpnProtocol::factory(DockerContainer container, const QJsonObject &
 #if defined(Q_OS_WINDOWS)
    case DockerContainer::Ipsec: return new Ikev2Protocol(configuration);
 #endif
-#if defined(Q_OS_WINDOWS) || (defined(Q_OS_MACX) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)) || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
+#if defined(Q_OS_WINDOWS) || defined(Q_OS_MACX) and !defined MACOS_NE || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
    case DockerContainer::OpenVpn: return new OpenVpnProtocol(configuration);
    case DockerContainer::Cloak: return new OpenVpnOverCloakProtocol(configuration);
    case DockerContainer::ShadowSocks: return new ShadowSocksVpnProtocol(configuration);
@@ -124,14 +124,14 @@ ErrorCode XrayProtocol::startTun2Socks()
    m_tun2socksProcess->setProgram(PermittedProcess::Tun2Socks);
    m_tun2socksProcess->setArguments({"-device", QString("tun://%1").arg(tunName), "-proxy", "socks5://127.0.0.1:10808" });

-    connect(m_tun2socksProcess.data(), &IpcProcessInterfaceReplica::readyReadStandardError, this, [this]() {
-        auto readAllStandardError = m_tun2socksProcess->readAllStandardError();
-        if (!readAllStandardError.waitForFinished()) {
+    connect(m_tun2socksProcess.data(), &IpcProcessInterfaceReplica::readyReadStandardOutput, this, [this]() {
+        auto readAllStandardOutput = m_tun2socksProcess->readAllStandardOutput();
+        if (!readAllStandardOutput.waitForFinished()) {
            qWarning() << "Failed to read output from tun2socks";
            return;
        }

-        const QString line = readAllStandardError.returnValue();
+        const QString line = readAllStandardOutput.returnValue();

        if (!line.contains("[TCP]") && !line.contains("[UDP]"))
            qDebug() << "[tun2socks]:" << line;
@@ -135,6 +135,7 @@
        <file>ui/qml/Components/InstalledAppsDrawer.qml</file>
        <file>ui/qml/Components/QuestionDrawer.qml</file>
        <file>ui/qml/Components/SelectLanguageDrawer.qml</file>
+        <file>ui/qml/Components/SubscriptionExpiredDrawer.qml</file>
        <file>ui/qml/Components/ServersListView.qml</file>
        <file>ui/qml/Components/SettingsContainersListView.qml</file>
        <file>ui/qml/Components/TransportProtoSelector.qml</file>
@@ -35,13 +35,12 @@ SecureQSettings::SecureQSettings(const QString &organization, const QString &app
            }
        }
        m_settings.setValue("Conf/encrypted", true);
-        m_settings.sync();
    }
 }

 QVariant SecureQSettings::value(const QString &key, const QVariant &defaultValue) const
 {
-    QMutexLocker locker(&mutex);
+    QMutexLocker locker(&m_mutex);

    if (m_cache.contains(key)) {
        return m_cache.value(key);
@@ -85,7 +84,7 @@ QVariant SecureQSettings::value(const QString &key, const QVariant &defaultValue

 void SecureQSettings::setValue(const QString &key, const QVariant &value)
 {
-    QMutexLocker locker(&mutex);
+    QMutexLocker locker(&m_mutex);

    if (encryptionRequired() && encryptedKeys.contains(key)) {
        if (!getEncKey().isEmpty() && !getEncIv().isEmpty()) {
@@ -107,26 +106,20 @@ void SecureQSettings::setValue(const QString &key, const QVariant &value)
    }

    m_cache.insert(key, value);
-    sync();
 }

 void SecureQSettings::remove(const QString &key)
 {
-    QMutexLocker locker(&mutex);
+    QMutexLocker locker(&m_mutex);

    m_settings.remove(key);
    m_cache.remove(key);
-
-    sync();
-}
-
-void SecureQSettings::sync()
-{
-    m_settings.sync();
 }

 QByteArray SecureQSettings::backupAppConfig() const
 {
+    QMutexLocker locker(&m_mutex);
+
    QJsonObject cfg;

    const auto needToBackup = [this](const auto &key) {
@@ -161,6 +154,8 @@ QByteArray SecureQSettings::backupAppConfig() const

 bool SecureQSettings::restoreAppConfig(const QByteArray &json)
 {
+    QMutexLocker locker(&m_mutex);
+
    QJsonObject cfg = QJsonDocument::fromJson(json).object();
    if (cfg.isEmpty())
        return false;
@@ -173,10 +168,16 @@ bool SecureQSettings::restoreAppConfig(const QByteArray &json)
        setValue(key, cfg.value(key).toVariant());
    }

-    sync();
    return true;
 }

+void SecureQSettings::clearSettings()
+{
+    QMutexLocker locker(&m_mutex);
+    m_settings.clear();
+    m_cache.clear();
+}
+
 QByteArray SecureQSettings::encryptText(const QByteArray &value) const
 {
    QSimpleCrypto::QBlockCipher cipher;
@@ -294,11 +295,3 @@ void SecureQSettings::setSecTag(const QString &tag, const QByteArray &data)
        qCritical() << "SecureQSettings::setSecTag Error:" << job->errorString();
    }
 }
-
-void SecureQSettings::clearSettings()
-{
-    QMutexLocker locker(&mutex);
-    m_settings.clear();
-    m_cache.clear();
-    sync();
-}
@@ -16,14 +16,16 @@ public:
    explicit SecureQSettings(const QString &organization, const QString &application = QString(),
                             QObject *parent = nullptr);

-    Q_INVOKABLE QVariant value(const QString &key, const QVariant &defaultValue = QVariant()) const;
-    Q_INVOKABLE void setValue(const QString &key, const QVariant &value);
+    QVariant value(const QString &key, const QVariant &defaultValue = QVariant()) const;
+    void setValue(const QString &key, const QVariant &value);
    void remove(const QString &key);
-    void sync();

    QByteArray backupAppConfig() const;
    bool restoreAppConfig(const QByteArray &json);

+    void clearSettings();
+
+private:
    QByteArray encryptText(const QByteArray &value) const;
    QByteArray decryptText(const QByteArray &ba) const;

@@ -35,9 +37,6 @@ public:
    static QByteArray getSecTag(const QString &tag);
    static void setSecTag(const QString &tag, const QByteArray &data);

-    void clearSettings();
-
-private:
    QSettings m_settings;

    mutable QHash<QString, QVariant> m_cache;
@@ -53,7 +52,7 @@ private:

    const QByteArray magicString { "EncData" }; // Magic keyword used for mark encrypted QByteArray

-    mutable QMutex mutex;
+    mutable QRecursiveMutex m_mutex;
 };

 #endif // SECUREQSETTINGS_H
@@ -21,10 +21,10 @@ Settings::Settings(QObject *parent) : QObject(parent), m_settings(ORGANIZATION_N
 {
    // Import old settings
    if (serversCount() == 0) {
-        QString user = value("Server/userName").toString();
-        QString password = value("Server/password").toString();
-        QString serverName = value("Server/serverName").toString();
-        int port = value("Server/serverPort").toInt();
+        QString user = m_settings.value("Server/userName").toString();
+        QString password = m_settings.value("Server/password").toString();
+        QString serverName = m_settings.value("Server/serverName").toString();
+        int port = m_settings.value("Server/serverPort").toInt();

        if (!user.isEmpty() && !password.isEmpty() && !serverName.isEmpty()) {
            QJsonObject server;
@@ -222,7 +222,7 @@ QString Settings::nextAvailableServerName() const

 void Settings::setSaveLogs(bool enabled)
 {
-    setValue("Conf/saveLogs", enabled);
+    m_settings.setValue("Conf/saveLogs", enabled);
 #ifndef Q_OS_ANDROID
    if (!isSaveLogs()) {
        Logger::deInit();
@@ -242,12 +242,12 @@ void Settings::setSaveLogs(bool enabled)

 QDateTime Settings::getLogEnableDate()
 {
-    return value("Conf/logEnableDate").toDateTime();
+    return m_settings.value("Conf/logEnableDate").toDateTime();
 }

 void Settings::setLogEnableDate(QDateTime date)
 {
-    setValue("Conf/logEnableDate", date);
+    m_settings.setValue("Conf/logEnableDate", date);
 }

 QString Settings::routeModeString(RouteMode mode) const
@@ -261,17 +261,17 @@ QString Settings::routeModeString(RouteMode mode) const

 Settings::RouteMode Settings::routeMode() const
 {
-    return static_cast<RouteMode>(value("Conf/routeMode", 0).toInt());
+    return static_cast<RouteMode>(m_settings.value("Conf/routeMode", 0).toInt());
 }

 bool Settings::isSitesSplitTunnelingEnabled() const
 {
-    return value("Conf/sitesSplitTunnelingEnabled", false).toBool();
+    return m_settings.value("Conf/sitesSplitTunnelingEnabled", false).toBool();
 }

 void Settings::setSitesSplitTunnelingEnabled(bool enabled)
 {
-    setValue("Conf/sitesSplitTunnelingEnabled", enabled);
+    m_settings.setValue("Conf/sitesSplitTunnelingEnabled", enabled);
 }

 bool Settings::addVpnSite(RouteMode mode, const QString &site, const QString &ip)
@@ -359,12 +359,12 @@ void Settings::removeAllVpnSites(RouteMode mode)

 QString Settings::primaryDns() const
 {
-    return value("Conf/primaryDns", cloudFlareNs1).toString();
+    return m_settings.value("Conf/primaryDns", cloudFlareNs1).toString();
 }

 QString Settings::secondaryDns() const
 {
-    return value("Conf/secondaryDns", cloudFlareNs2).toString();
+    return m_settings.value("Conf/secondaryDns", cloudFlareNs2).toString();
 }

 void Settings::clearSettings()
@@ -386,18 +386,18 @@ QString Settings::appsRouteModeString(AppsRouteMode mode) const

 Settings::AppsRouteMode Settings::getAppsRouteMode() const
 {
-    return static_cast<AppsRouteMode>(value("Conf/appsRouteMode", 0).toInt());
+    return static_cast<AppsRouteMode>(m_settings.value("Conf/appsRouteMode", 0).toInt());
 }

 void Settings::setAppsRouteMode(AppsRouteMode mode)
 {
-    setValue("Conf/appsRouteMode", mode);
+    m_settings.setValue("Conf/appsRouteMode", mode);
 }

 QVector<InstalledAppInfo> Settings::getVpnApps(AppsRouteMode mode) const
 {
    QVector<InstalledAppInfo> apps;
-    auto appsArray = value("Conf/" + appsRouteModeString(mode)).toJsonArray();
+    auto appsArray = m_settings.value("Conf/" + appsRouteModeString(mode)).toJsonArray();
    for (const auto &app : appsArray) {
        InstalledAppInfo appInfo;
        appInfo.appName = app.toObject().value("appName").toString();
@@ -419,43 +419,42 @@ void Settings::setVpnApps(AppsRouteMode mode, const QVector<InstalledAppInfo> &a
        appInfo.insert("appPath", app.appPath);
        appsArray.push_back(appInfo);
    }
-    setValue("Conf/" + appsRouteModeString(mode), appsArray);
-    m_settings.sync();
+    m_settings.setValue("Conf/" + appsRouteModeString(mode), appsArray);
 }

 bool Settings::isAppsSplitTunnelingEnabled() const
 {
-    return value("Conf/appsSplitTunnelingEnabled", false).toBool();
+    return m_settings.value("Conf/appsSplitTunnelingEnabled", false).toBool();
 }

 void Settings::setAppsSplitTunnelingEnabled(bool enabled)
 {
-    setValue("Conf/appsSplitTunnelingEnabled", enabled);
+    m_settings.setValue("Conf/appsSplitTunnelingEnabled", enabled);
 }

 bool Settings::isKillSwitchEnabled() const
 {
-    return value("Conf/killSwitchEnabled", true).toBool();
+    return m_settings.value("Conf/killSwitchEnabled", true).toBool();
 }

 void Settings::setKillSwitchEnabled(bool enabled)
 {
-    setValue("Conf/killSwitchEnabled", enabled);
+    m_settings.setValue("Conf/killSwitchEnabled", enabled);
 }

 bool Settings::isStrictKillSwitchEnabled() const
 {
-    return value("Conf/strictKillSwitchEnabled", false).toBool();
+    return m_settings.value("Conf/strictKillSwitchEnabled", false).toBool();
 }

 void Settings::setStrictKillSwitchEnabled(bool enabled)
 {
-    setValue("Conf/strictKillSwitchEnabled", enabled);
+    m_settings.setValue("Conf/strictKillSwitchEnabled", enabled);
 }

 QString Settings::getInstallationUuid(const bool needCreate)
 {
-    auto uuid = value("Conf/installationUuid", "").toString();
+    auto uuid = m_settings.value("Conf/installationUuid", "").toString();
    if (needCreate && uuid.isEmpty()) {
        uuid = QUuid::createUuid().toString();

@@ -476,7 +475,7 @@ QString Settings::getInstallationUuid(const bool needCreate)

 void Settings::setInstallationUuid(const QString &uuid)
 {
-    setValue("Conf/installationUuid", uuid);
+    m_settings.setValue("Conf/installationUuid", uuid);
 }

 ServerCredentials Settings::defaultServerCredentials() const
@@ -497,28 +496,6 @@ ServerCredentials Settings::serverCredentials(int index) const
    return credentials;
 }

-QVariant Settings::value(const QString &key, const QVariant &defaultValue) const
-{
-    QVariant returnValue;
-    if (QThread::currentThread() == QCoreApplication::instance()->thread()) {
-        returnValue = m_settings.value(key, defaultValue);
-    } else {
-        QMetaObject::invokeMethod(&m_settings, "value", Qt::BlockingQueuedConnection, Q_RETURN_ARG(QVariant, returnValue),
-                                  Q_ARG(const QString &, key), Q_ARG(const QVariant &, defaultValue));
-    }
-    return returnValue;
-}
-
-void Settings::setValue(const QString &key, const QVariant &value)
-{
-    if (QThread::currentThread() == QCoreApplication::instance()->thread()) {
-        m_settings.setValue(key, value);
-    } else {
-        QMetaObject::invokeMethod(&m_settings, "setValue", Qt::BlockingQueuedConnection, Q_ARG(const QString &, key),
-                                  Q_ARG(const QVariant &, value));
-    }
-}
-
 void Settings::resetGatewayEndpoint()
 {
    m_gatewayEndpoint = gatewayEndpoint;
@@ -541,50 +518,50 @@ QString Settings::getGatewayEndpoint(bool isTestPurchase)

 bool Settings::isDevGatewayEnv(bool isTestPurchase)
 {
-    return isTestPurchase ? true : value("Conf/devGatewayEnv", false).toBool();
+    return isTestPurchase ? true : m_settings.value("Conf/devGatewayEnv", false).toBool();
 }

 void Settings::toggleDevGatewayEnv(bool enabled)
 {
-    setValue("Conf/devGatewayEnv", enabled);
+    m_settings.setValue("Conf/devGatewayEnv", enabled);
 }

 bool Settings::isHomeAdLabelVisible()
 {
-    return value("Conf/homeAdLabelVisible", true).toBool();
+    return m_settings.value("Conf/homeAdLabelVisible", true).toBool();
 }

 void Settings::disableHomeAdLabel()
 {
-    setValue("Conf/homeAdLabelVisible", false);
+    m_settings.setValue("Conf/homeAdLabelVisible", false);
 }

 bool Settings::isPremV1MigrationReminderActive()
 {
-    return value("Conf/premV1MigrationReminderActive", true).toBool();
+    return m_settings.value("Conf/premV1MigrationReminderActive", true).toBool();
 }

 void Settings::disablePremV1MigrationReminder()
 {
-    setValue("Conf/premV1MigrationReminderActive", false);
+    m_settings.setValue("Conf/premV1MigrationReminderActive", false);
 }

 QStringList Settings::allowedDnsServers() const
 {
-    return value("Conf/allowedDnsServers").toStringList();
+    return m_settings.value("Conf/allowedDnsServers").toStringList();
 }

 void Settings::setAllowedDnsServers(const QStringList &servers)
 {
-    setValue("Conf/allowedDnsServers", servers);
+    m_settings.setValue("Conf/allowedDnsServers", servers);
 }

 QStringList Settings::readNewsIds() const
 {
-    return value("News/readIds").toStringList();
+    return m_settings.value("News/readIds").toStringList();
 }

 void Settings::setReadNewsIds(const QStringList &ids)
 {
-    setValue("News/readIds", ids);
+    m_settings.setValue("News/readIds", ids);
 }
@@ -29,11 +29,11 @@ public:

    QJsonArray serversArray() const
    {
-        return QJsonDocument::fromJson(value("Servers/serversList").toByteArray()).array();
+        return QJsonDocument::fromJson(m_settings.value("Servers/serversList").toByteArray()).array();
    }
    void setServersArray(const QJsonArray &servers)
    {
-        setValue("Servers/serversList", QJsonDocument(servers).toJson());
+        m_settings.setValue("Servers/serversList", QJsonDocument(servers).toJson());
    }

    // Servers section
@@ -45,11 +45,11 @@ public:

    int defaultServerIndex() const
    {
-        return value("Servers/defaultServerIndex", 0).toInt();
+        return m_settings.value("Servers/defaultServerIndex", 0).toInt();
    }
    void setDefaultServer(int index)
    {
-        setValue("Servers/defaultServerIndex", index);
+        m_settings.setValue("Servers/defaultServerIndex", index);
    }
    QJsonObject defaultServer() const
    {
@@ -78,34 +78,34 @@ public:
    // App settings section
    bool isAutoConnect() const
    {
-        return value("Conf/autoConnect", false).toBool();
+        return m_settings.value("Conf/autoConnect", false).toBool();
    }
    void setAutoConnect(bool enabled)
    {
-        setValue("Conf/autoConnect", enabled);
+        m_settings.setValue("Conf/autoConnect", enabled);
    }

    bool isStartMinimized() const
    {
-        return value("Conf/startMinimized", false).toBool();
+        return m_settings.value("Conf/startMinimized", false).toBool();
    }
    void setStartMinimized(bool enabled)
    {
-        setValue("Conf/startMinimized", enabled);
+        m_settings.setValue("Conf/startMinimized", enabled);
    }

    bool isNewsNotifications() const
    {
-        return value("Conf/newsNotifications", true).toBool();
+        return m_settings.value("Conf/newsNotifications", true).toBool();
    }
    void setNewsNotifications(bool enabled)
    {
-        setValue("Conf/newsNotifications", enabled);
+        m_settings.setValue("Conf/newsNotifications", enabled);
    }

    bool isSaveLogs() const
    {
-        return value("Conf/saveLogs", false).toBool();
+        return m_settings.value("Conf/saveLogs", false).toBool();
    }
    void setSaveLogs(bool enabled);

@@ -122,19 +122,18 @@ public:
    QString routeModeString(RouteMode mode) const;

    RouteMode routeMode() const;
-    void setRouteMode(RouteMode mode) { setValue("Conf/routeMode", mode); }
+    void setRouteMode(RouteMode mode) { m_settings.setValue("Conf/routeMode", mode); }

    bool isSitesSplitTunnelingEnabled() const;
    void setSitesSplitTunnelingEnabled(bool enabled);

    QVariantMap vpnSites(RouteMode mode) const
    {
-        return value("Conf/" + routeModeString(mode)).toMap();
+        return m_settings.value("Conf/" + routeModeString(mode)).toMap();
    }
    void setVpnSites(RouteMode mode, const QVariantMap &sites)
    {
-        setValue("Conf/" + routeModeString(mode), sites);
-        m_settings.sync();
+        m_settings.setValue("Conf/" + routeModeString(mode), sites);
    }
    bool addVpnSite(RouteMode mode, const QString &site, const QString &ip = "");
    void addVpnSites(RouteMode mode, const QMap<QString, QString> &sites); // map <site, ip>
@@ -147,11 +146,11 @@ public:

    bool useAmneziaDns() const
    {
-        return value("Conf/useAmneziaDns", true).toBool();
+        return m_settings.value("Conf/useAmneziaDns", true).toBool();
    }
    void setUseAmneziaDns(bool enabled)
    {
-        setValue("Conf/useAmneziaDns", enabled);
+        m_settings.setValue("Conf/useAmneziaDns", enabled);
    }

    QString primaryDns() const;
@@ -160,13 +159,13 @@ public:
    // QString primaryDns() const { return m_primaryDns; }
    void setPrimaryDns(const QString &primaryDns)
    {
-        setValue("Conf/primaryDns", primaryDns);
+        m_settings.setValue("Conf/primaryDns", primaryDns);
    }

    // QString secondaryDns() const { return m_secondaryDns; }
    void setSecondaryDns(const QString &secondaryDns)
    {
-        setValue("Conf/secondaryDns", secondaryDns);
+        m_settings.setValue("Conf/secondaryDns", secondaryDns);
    }

    //    static constexpr char openNicNs5[] = "94.103.153.176";
@@ -188,16 +187,16 @@ public:
    };
    void setAppLanguage(QLocale locale)
    {
-        setValue("Conf/appLanguage", locale.name());
+        m_settings.setValue("Conf/appLanguage", locale.name());
    };

    bool isScreenshotsEnabled() const
    {
-        return value("Conf/screenshotsEnabled", true).toBool();
+        return m_settings.value("Conf/screenshotsEnabled", true).toBool();
    }
    void setScreenshotsEnabled(bool enabled)
    {
-        setValue("Conf/screenshotsEnabled", enabled);
+        m_settings.setValue("Conf/screenshotsEnabled", enabled);
        emit screenshotsEnabledChanged(enabled);
    }

@@ -255,9 +254,6 @@ signals:
    void settingsCleared();

 private:
-    QVariant value(const QString &key, const QVariant &defaultValue = QVariant()) const;
-    void setValue(const QString &key, const QVariant &value);
-
    void setInstallationUuid(const QString &uuid);

    mutable SecureQSettings m_settings;
@@ -199,7 +199,7 @@
    <message>
        <location filename="../ui/models/api/apiServicesModel.cpp" line="116"/>
        <source>%1 $</source>
-        <translation type="unfinished"></translation>
+        <translation>%1 $</translation>
    </message>
    <message>
        <location filename="../ui/models/api/apiServicesModel.cpp" line="118"/>
@@ -672,32 +672,32 @@ Thank you for staying with us!</source>
        <translation>Порт</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageProtocolAwgClientSettings.qml" line="418"/>
+        <location filename="../ui/qml/Pages2/PageProtocolAwgClientSettings.qml" line="422"/>
        <source>Save</source>
        <translation>Сохранить</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageProtocolAwgClientSettings.qml" line="427"/>
+        <location filename="../ui/qml/Pages2/PageProtocolAwgClientSettings.qml" line="431"/>
        <source>Save settings?</source>
        <translation>Сохранить настройки?</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageProtocolAwgClientSettings.qml" line="428"/>
+        <location filename="../ui/qml/Pages2/PageProtocolAwgClientSettings.qml" line="432"/>
        <source>Only the settings for this device will be changed</source>
        <translation>Будут изменены настройки только для этого устройства</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageProtocolAwgClientSettings.qml" line="429"/>
+        <location filename="../ui/qml/Pages2/PageProtocolAwgClientSettings.qml" line="433"/>
        <source>Continue</source>
        <translation>Продолжить</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageProtocolAwgClientSettings.qml" line="430"/>
+        <location filename="../ui/qml/Pages2/PageProtocolAwgClientSettings.qml" line="434"/>
        <source>Cancel</source>
        <translation>Отменить</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageProtocolAwgClientSettings.qml" line="434"/>
+        <location filename="../ui/qml/Pages2/PageProtocolAwgClientSettings.qml" line="438"/>
        <source>Unable change settings while there is an active connection</source>
        <translation>Невозможно изменить настройки во время активного соединения</translation>
    </message>
@@ -1651,7 +1651,7 @@ Thank you for staying with us!</source>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsAbout.qml" line="204"/>
        <source>mailto:support@amnezia.org</source>
-        <translation></translation>
+        <translation>mailto:support@amnezia.org</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsAbout.qml" line="211"/>
@@ -1775,72 +1775,72 @@ Thank you for staying with us!</source>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="22"/>
        <source>Windows</source>
-        <translation></translation>
+        <translation>Windows</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="29"/>
        <source>macOS</source>
-        <translation></translation>
+        <translation>macOS</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="36"/>
        <source>Android</source>
-        <translation></translation>
+        <translation>Android</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="43"/>
        <source>AndroidTV</source>
-        <translation></translation>
+        <translation>Android TV</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="50"/>
        <source>iOS</source>
-        <translation></translation>
+        <translation>iOS</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="57"/>
        <source>Linux</source>
-        <translation></translation>
+        <translation>Linux</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="64"/>
        <source>Routers</source>
-        <translation></translation>
+        <translation>Маршрутизаторы</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="23"/>
        <source>documentation/instructions/connect-amnezia-premium#windows</source>
-        <translation></translation>
+        <translation>documentation/instructions/connect-amnezia-premium#windows</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="30"/>
        <source>documentation/instructions/connect-amnezia-premium#macos</source>
-        <translation></translation>
+        <translation>documentation/instructions/connect-amnezia-premium#macos</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="37"/>
        <source>documentation/instructions/connect-amnezia-premium#android</source>
-        <translation></translation>
+        <translation>documentation/instructions/connect-amnezia-premium#android</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="44"/>
        <source>documentation/instructions/android_tv_connect/</source>
-        <translation></translation>
+        <translation>documentation/instructions/android_tv_connect/</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="51"/>
        <source>documentation/instructions/connect-amnezia-premium#ios</source>
-        <translation></translation>
+        <translation>documentation/instructions/connect-amnezia-premium#ios</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="58"/>
        <source>documentation/instructions/connect-amnezia-premium#linux</source>
-        <translation></translation>
+        <translation>documentation/instructions/connect-amnezia-premium#linux</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="65"/>
        <source>documentation/instructions/connect-amnezia-premium#routers</source>
-        <translation></translation>
+        <translation>documentation/instructions/connect-amnezia-premium#routers</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiInstructions.qml" line="101"/>
@@ -2111,7 +2111,7 @@ Thank you for staying with us!</source>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiSupport.qml" line="22"/>
        <source>Telegram</source>
-        <translation></translation>
+        <translation>Telegram</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiSupport.qml" line="30"/>
@@ -2141,7 +2141,7 @@ Thank you for staying with us!</source>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiSupport.qml" line="110"/>
        <source>Support tag</source>
-        <translation></translation>
+        <translation>Идентификатор поддержки</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApiSupport.qml" line="120"/>
@@ -2272,12 +2272,12 @@ Thank you for staying with us!</source>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApplication.qml" line="180"/>
        <source>News Notification</source>
-        <translation type="unfinished"></translation>
+        <translation>Уведомления о новостях</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApplication.qml" line="181"/>
-        <source>Show notification icon when has unread news</source>
-        <translation type="unfinished"></translation>
+        <source>Show a notification icon for unread news</source>
+        <translation>Показывать значок уведомления, если есть непрочитанные новости</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSettingsApplication.qml" line="221"/>
@@ -3115,17 +3115,17 @@ Thank you for staying with us!</source>
    <message>
        <location filename="../ui/qml/Pages2/PageSetupWizardApiServiceInfo.qml" line="113"/>
        <source>Charged to your Apple ID at confirmation. Renews automatically unless auto-renew is turned off at least 24 hours before period end. Manage in Apple ID settings.</source>
-        <translation type="unfinished"></translation>
+        <translation>Списание с Apple ID при подтверждении. Продление автоматическое, если автопродление не отключено минимум за 24 часа до окончания периода. Управление в настройках Apple ID.</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSetupWizardApiServiceInfo.qml" line="125"/>
        <source>Subscribe Now</source>
-        <translation type="unfinished"></translation>
+        <translation>Подписаться сейчас</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSetupWizardApiServiceInfo.qml" line="158"/>
        <source>By continuing, you agree to the &lt;a href=&quot;%1&quot; style=&quot;color: #FBB26A;&quot;&gt;Terms of Use&lt;/a&gt; and &lt;a href=&quot;%2&quot; style=&quot;color: #FBB26A;&quot;&gt;Privacy Policy&lt;/a&gt;</source>
-        <translation type="unfinished"></translation>
+        <translation>Продолжая, вы соглашаетесь с &lt;a href=&quot;%1&quot; style=&quot;color: #FBB26A;&quot;&gt;Условиями использования&lt;/a&gt; и &lt;a href=&quot;%2&quot; style=&quot;color: #FBB26A;&quot;&gt;Политикой конфиденциальности&lt;/a&gt;</translation>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageSetupWizardApiServiceInfo.qml" line="186"/>
@@ -3697,7 +3697,7 @@ Thank you for staying with us!</source>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageShare.qml" line="270"/>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="566"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="572"/>
        <source>Users</source>
        <translation>Пользователи</translation>
    </message>
@@ -3707,72 +3707,72 @@ Thank you for staying with us!</source>
        <translation>Имя пользователя</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="582"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="588"/>
        <source>Search</source>
        <translation>Поиск</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="711"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="717"/>
        <source>Creation date: %1</source>
        <translation>Дата создания: %1</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="723"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="729"/>
        <source>Latest handshake: %1</source>
        <translation>Последнее рукопожатие: %1</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="735"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="741"/>
        <source>Data received: %1</source>
        <translation>Получено данных: %1</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="747"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="753"/>
        <source>Data sent: %1</source>
        <translation>Отправлено данных: %1</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="757"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="763"/>
        <source>Allowed IPs: %1</source>
        <translation>Разрешенные подсети: %1</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="772"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="778"/>
        <source>Rename</source>
        <translation>Переименовать</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="797"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="803"/>
        <source>Client name</source>
        <translation>Имя клиента</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="808"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="814"/>
        <source>Save</source>
        <translation>Сохранить</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="844"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="850"/>
        <source>Revoke</source>
        <translation>Отозвать</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="847"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="853"/>
        <source>Revoke the config for a user - %1?</source>
        <translation>Отозвать конфигурацию для пользователя - %1?</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="848"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="854"/>
        <source>The user will no longer be able to connect to your server.</source>
        <translation>Пользователь больше не сможет подключаться к вашему серверу.</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="849"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="855"/>
        <source>Continue</source>
        <translation>Продолжить</translation>
    </message>
    <message>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="850"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="856"/>
        <source>Cancel</source>
        <translation>Отменить</translation>
    </message>
@@ -3795,7 +3795,7 @@ Thank you for staying with us!</source>
    </message>
    <message>
        <location filename="../ui/qml/Pages2/PageShare.qml" line="220"/>
-        <location filename="../ui/qml/Pages2/PageShare.qml" line="548"/>
+        <location filename="../ui/qml/Pages2/PageShare.qml" line="554"/>
        <source>Share</source>
        <translation>Поделиться</translation>
    </message>
@@ -4241,7 +4241,7 @@ Thank you for staying with us!</source>
    <message>
        <location filename="../core/errorstrings.cpp" line="32"/>
        <source>Server error: Linux kernel is too old</source>
-        <translation type="unfinished"></translation>
+        <translation>Ошибка сервера: ядро Linux слишком старое</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="35"/>
@@ -5020,47 +5020,47 @@ FileZilla или другие SFTP-клиенты, а также смонтир
 <context>
    <name>SitesController</name>
    <message>
-        <location filename="../ui/controllers/sitesController.cpp" line="24"/>
+        <location filename="../ui/controllers/sitesController.cpp" line="22"/>
        <source>Hostname not look like ip adress or domain name</source>
        <translation>Имя хоста не похоже на IP-адрес или доменное имя</translation>
    </message>
    <message>
-        <location filename="../ui/controllers/sitesController.cpp" line="66"/>
+        <location filename="../ui/controllers/sitesController.cpp" line="52"/>
        <source>New site added: %1</source>
        <translation>Добавлен новый сайт: %1</translation>
    </message>
    <message>
-        <location filename="../ui/controllers/sitesController.cpp" line="78"/>
+        <location filename="../ui/controllers/sitesController.cpp" line="61"/>
        <source>Site removed: %1</source>
        <translation>Сайт удален: %1</translation>
    </message>
    <message>
-        <location filename="../ui/controllers/sitesController.cpp" line="85"/>
+        <location filename="../ui/controllers/sitesController.cpp" line="68"/>
        <source>Site list cleared!</source>
        <translation>Список сайтов очищен!</translation>
    </message>
    <message>
-        <location filename="../ui/controllers/sitesController.cpp" line="92"/>
+        <location filename="../ui/controllers/sitesController.cpp" line="75"/>
        <source>Can&apos;t open file: %1</source>
        <translation>Невозможно открыть файл: %1</translation>
    </message>
    <message>
-        <location filename="../ui/controllers/sitesController.cpp" line="98"/>
+        <location filename="../ui/controllers/sitesController.cpp" line="81"/>
        <source>Failed to parse JSON data from file: %1</source>
        <translation>Не удалось разобрать JSON-данные из файла: %1</translation>
    </message>
    <message>
-        <location filename="../ui/controllers/sitesController.cpp" line="103"/>
+        <location filename="../ui/controllers/sitesController.cpp" line="86"/>
        <source>The JSON data is not an array in file: %1</source>
        <translation>JSON-данные не являются массивом в файле: %1</translation>
    </message>
    <message>
-        <location filename="../ui/controllers/sitesController.cpp" line="133"/>
+        <location filename="../ui/controllers/sitesController.cpp" line="114"/>
        <source>Import completed</source>
        <translation>Импорт завершен</translation>
    </message>
    <message>
-        <location filename="../ui/controllers/sitesController.cpp" line="152"/>
+        <location filename="../ui/controllers/sitesController.cpp" line="133"/>
        <source>Export completed</source>
        <translation>Экспорт завершен</translation>
    </message>
@@ -366,6 +366,8 @@ bool ApiConfigsController::fillAvailableServices()
 {
    QJsonObject apiPayload;
    apiPayload[configKey::osVersion] = QSysInfo::productType();
+    apiPayload[configKey::appVersion] = QString(APP_VERSION);
+    apiPayload[apiDefs::key::cliName] = QString(APPLICATION_NAME);
    apiPayload[apiDefs::key::appLanguage] = m_settings->getAppLanguage().name().split("_").first();

    QByteArray responseBody;
@@ -447,7 +449,7 @@ bool ApiConfigsController::importService()
            importSerivceFromAppStore();
            return true;
        }
-    } else {
+    } else if (m_apiServicesModel->getSelectedServiceType() == serviceType::amneziaFree) {
        importServiceFromGateway();
        return true;
    }
@@ -721,6 +723,7 @@ bool ApiConfigsController::updateServiceFromGateway(const int serverIndex, const
    }

    bool isTestPurchase = apiConfig.value(apiDefs::key::isTestPurchase).toBool(false);
+    bool wasSubscriptionExpired = m_serversModel->data(serverIndex, ServersModel::IsSubscriptionExpiredRole).toBool();
    QByteArray responseBody;
    ErrorCode errorCode = executeRequest(QString("%1v1/config"), apiPayload, responseBody, isTestPurchase);

@@ -747,6 +750,11 @@ bool ApiConfigsController::updateServiceFromGateway(const int serverIndex, const
            newServerConfig.insert(config_key::nameOverriddenByUser, true);
        }
        m_serversModel->editServer(newServerConfig, serverIndex);
+
+        if (wasSubscriptionExpired) {
+            emit subscriptionRefreshNeeded();
+        }
+
        if (reloadServiceConfig) {
            emit reloadServerFromApiFinished(tr("API config reloaded"));
        } else if (newCountryName.isEmpty()) {
@@ -756,7 +764,11 @@ bool ApiConfigsController::updateServiceFromGateway(const int serverIndex, const
        }
        return true;
    } else {
-        emit errorOccurred(errorCode);
+        if (errorCode == ErrorCode::ApiSubscriptionExpiredError) {
+            emit subscriptionExpiredOnServer();
+        } else {
+            emit errorOccurred(errorCode);
+        }
        return false;
    }
 }
@@ -43,6 +43,8 @@ public slots:

 signals:
    void errorOccurred(ErrorCode errorCode);
+    void subscriptionExpiredOnServer();
+    void subscriptionRefreshNeeded();

    void installServerFromApiFinished(const QString &message);
    void changeApiCountryFinished(const QString &message);
@@ -1,6 +1,7 @@
 #include "apiSettingsController.h"

 #include <QEventLoop>
+#include <QJsonDocument>
 #include <QTimer>

 #include "core/api/apiUtils.h"
@@ -77,6 +78,13 @@ bool ApiSettingsController::getAccountInfo(bool reload)
    QJsonObject accountInfo = QJsonDocument::fromJson(responseBody).object();
    m_apiAccountInfoModel->updateModel(accountInfo, serverConfig);

+    QString subscriptionEndDate = accountInfo.value(apiDefs::key::subscriptionEndDate).toString();
+    if (!subscriptionEndDate.isEmpty()) {
+        apiConfig.insert(apiDefs::key::subscriptionEndDate, subscriptionEndDate);
+        serverConfig.insert(configKey::apiConfig, apiConfig);
+        m_serversModel->editServer(serverConfig, processedIndex);
+    }
+
    if (reload) {
        updateApiCountryModel();
        updateApiDevicesModel();
@@ -85,6 +93,42 @@ bool ApiSettingsController::getAccountInfo(bool reload)
    return true;
 }

+void ApiSettingsController::getRenewalLink()
+{
+    auto processedIndex = m_serversModel->getProcessedServerIndex();
+    auto serverConfig = m_serversModel->getServerConfig(processedIndex);
+    auto apiConfig = serverConfig.value(configKey::apiConfig).toObject();
+    auto authData = serverConfig.value(configKey::authData).toObject();
+
+    bool isTestPurchase = apiConfig.value(apiDefs::key::isTestPurchase).toBool(false);
+    auto gatewayController = QSharedPointer<GatewayController>::create(m_settings->getGatewayEndpoint(isTestPurchase),
+                                                                       m_settings->isDevGatewayEnv(isTestPurchase),
+                                                                       requestTimeoutMsecs,
+                                                                       m_settings->isStrictKillSwitchEnabled());
+
+    QJsonObject apiPayload;
+    apiPayload[configKey::userCountryCode] = apiConfig.value(configKey::userCountryCode).toString();
+    apiPayload[configKey::serviceType] = apiConfig.value(configKey::serviceType).toString();
+    apiPayload[configKey::authData] = authData;
+    apiPayload[apiDefs::key::cliVersion] = QString(APP_VERSION);
+    apiPayload[apiDefs::key::appLanguage] = m_settings->getAppLanguage().name().split("_").first();
+
+    auto future = gatewayController->postAsync(QString("%1v1/renewal_link"), apiPayload);
+    future.then(this, [this, gatewayController](QPair<ErrorCode, QByteArray> result) {
+        auto [errorCode, responseBody] = result;
+        if (errorCode != ErrorCode::NoError) {
+            emit errorOccurred(errorCode);
+            return;
+        }
+
+        QJsonObject responseJson = QJsonDocument::fromJson(responseBody).object();
+        QString url = responseJson.value("renewal_url").toString();
+        if (!url.isEmpty()) {
+            emit renewalLinkReceived(url);
+        }
+    });
+}
+
 void ApiSettingsController::updateApiCountryModel()
 {
    m_apiCountryModel->updateModel(m_apiAccountInfoModel->getAvailableCountries(), "");
@@ -21,9 +21,11 @@ public slots:
    bool getAccountInfo(bool reload);
    void updateApiCountryModel();
    void updateApiDevicesModel();
+    void getRenewalLink();

 signals:
    void errorOccurred(ErrorCode errorCode);
+    void renewalLinkReceived(const QString &url);

 private:
    QSharedPointer<ServersModel> m_serversModel;
@@ -1,5 +1,11 @@
 #include "connectionController.h"

+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
+    #include <QGuiApplication>
+#else
+    #include <QApplication>
+#endif
+
 #include "utilities.h"
 #include "core/controllers/vpnConfigurationController.h"
 #include "version.h"
@@ -27,7 +33,7 @@ ConnectionController::ConnectionController(const QSharedPointer<ServersModel> &s

 void ConnectionController::openConnection()
 {
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(Q_OS_TVOS) && !defined(MACOS_NE)
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
    if (!Utils::processIsRunning(Utils::executable(SERVICE_NAME, false), true))
    {
        emit connectionErrorOccurred(ErrorCode::AmneziaServiceNotRunning);
@@ -7,7 +7,6 @@
 #include <QFileInfo>
 #include <QImage>
 #include <QStandardPaths>
-
 #include "core/controllers/vpnConfigurationController.h"
 #include "core/qrCodeUtils.h"
 #include "core/serialization/serialization.h"
@@ -170,8 +169,7 @@ void ExportController::generateWireGuardConfig(const QString &clientName)
        m_config.append(line + "\n");
    }

-    auto qr = qrCodeUtils::generateQrCode(m_config.toUtf8());
-    m_qrCodes << qrCodeUtils::svgToBase64(QString::fromStdString(toSvgString(qr, 1)));
+    m_qrCodes = qrCodeUtils::generateQrCodeImageSeries(m_config.toUtf8());

    emit exportConfigChanged();
 }
@@ -191,8 +189,7 @@ void ExportController::generateAwgConfig(const QString &clientName)
        m_config.append(line + "\n");
    }

-    auto qr = qrCodeUtils::generateQrCode(m_config.toUtf8());
-    m_qrCodes << qrCodeUtils::svgToBase64(QString::fromStdString(toSvgString(qr, 1)));
+    m_qrCodes = qrCodeUtils::generateQrCodeImageSeries(m_config.toUtf8());

    emit exportConfigChanged();
 }
@@ -19,7 +19,7 @@
 #ifdef Q_OS_ANDROID
    #include "platforms/android/android_controller.h"
 #endif
-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS) || defined(MACOS_NE)
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
    #include <CoreFoundation/CoreFoundation.h>
 #endif

@@ -604,14 +604,14 @@ bool ImportController::decodeQrCode(const QString &code)
 }
 #endif

-#if defined Q_OS_ANDROID || defined Q_OS_IOS || defined(Q_OS_TVOS)
+#if defined Q_OS_ANDROID || defined Q_OS_IOS
 void ImportController::startDecodingQr()
 {
    m_qrCodeChunks.clear();
    m_totalQrCodeChunksCount = 0;
    m_receivedQrCodeChunksCount = 0;

-    #if defined(Q_OS_IOS) || defined(Q_OS_TVOS) || defined(MACOS_NE)
+    #if defined(Q_OS_IOS) || defined(MACOS_NE)
    m_isQrCodeProcessed = true;
    #endif
    #if defined Q_OS_ANDROID
@@ -38,7 +38,7 @@ public slots:
    QString getConfigFileName();
    QString getMaliciousWarningText();

-#if defined Q_OS_ANDROID || defined Q_OS_IOS || defined(Q_OS_TVOS)
+#if defined Q_OS_ANDROID || defined Q_OS_IOS
    void startDecodingQr();
    bool parseQrCodeChunk(const QString &code);

@@ -70,7 +70,7 @@ private:

    void processAmneziaConfig(QJsonObject &config);

-#if defined Q_OS_ANDROID || defined Q_OS_IOS || defined(Q_OS_TVOS)
+#if defined Q_OS_ANDROID || defined Q_OS_IOS
    void stopDecodingQr();
 #endif

@@ -83,7 +83,7 @@ private:
    ConfigTypes m_configType;
    QString m_maliciousWarningText;

-#if defined Q_OS_ANDROID || defined Q_OS_IOS || defined(Q_OS_TVOS)
+#if defined Q_OS_ANDROID || defined Q_OS_IOS
    QMap<int, QByteArray> m_qrCodeChunks;
    bool m_isQrCodeProcessed;
    int m_totalQrCodeChunksCount;
@@ -83,8 +83,8 @@ void InstallController::install(DockerContainer container, int port, TransportPr

                int s1 = QRandomGenerator::global()->bounded(15, 150);
                int s2 = QRandomGenerator::global()->bounded(15, 150);
-                int s3 = QRandomGenerator::global()->bounded(0, 64);
-                int s4 = QRandomGenerator::global()->bounded(0, 20);
+                int s3 = QRandomGenerator::global()->bounded(1, 64);
+                int s4 = QRandomGenerator::global()->bounded(1, 20);

                // Ensure all values are unique and don't create equal packet sizes
                QSet<int> usedValues;
@@ -97,12 +97,12 @@ void InstallController::install(DockerContainer container, int port, TransportPr

                while (usedValues.contains(s3) || s1 + AwgConstant::messageInitiationSize == s3 + AwgConstant::messageCookieReplySize
                       || s2 + AwgConstant::messageResponseSize == s3 + AwgConstant::messageCookieReplySize) {
-                    s3 = QRandomGenerator::global()->bounded(0, 64);
+                    s3 = QRandomGenerator::global()->bounded(1, 64);
                }
                usedValues.insert(s3);

                while (usedValues.contains(s4)) {
-                    s4 = QRandomGenerator::global()->bounded(0, 20);
+                    s4 = QRandomGenerator::global()->bounded(1, 20);
                }

                QString initPacketJunkSize = QString::number(s1);
@@ -987,79 +987,94 @@ void InstallController::addEmptyServer()
    emit installServerFinished(tr("Server added successfully"));
 }

-bool InstallController::isConfigValid()
+void InstallController::validateConfig()
 {
    int serverIndex = m_serversModel->getDefaultServerIndex();
    QJsonObject serverConfigObject = m_serversModel->getServerConfig(serverIndex);

    if (apiUtils::isServerFromApi(serverConfigObject)) {
-        return true;
+        emit configValidated(true);
+        return;
    }

    if (!m_serversModel->data(serverIndex, ServersModel::Roles::HasInstalledContainers).toBool()) {
        emit noInstalledContainers();
-        return false;
+        emit configValidated(false);
+        return;
    }

    DockerContainer container = qvariant_cast<DockerContainer>(m_serversModel->data(serverIndex, ServersModel::Roles::DefaultContainerRole));

    if (container == DockerContainer::None) {
        emit installationErrorOccurred(ErrorCode::NoInstalledContainersError);
-        return false;
+        emit configValidated(false);
+        return;
    }

-    QSharedPointer<ServerController> serverController(new ServerController(m_settings));
-    VpnConfigurationsController vpnConfigurationController(m_settings, serverController);
-
    QJsonObject containerConfig = m_containersModel->getContainerConfig(container);
    ServerCredentials credentials = m_serversModel->getServerCredentials(serverIndex);
+    QSharedPointer<ServerController> serverController(new ServerController(m_settings));

-    QFutureWatcher<ErrorCode> watcher;
+    auto isProtocolConfigExists = [](const QJsonObject &containerConfig, const DockerContainer container) {
+        for (Proto protocol : ContainerProps::protocolsForContainer(container)) {
+            QString protocolConfig =
+                    containerConfig.value(ProtocolProps::protoToString(protocol)).toObject().value(config_key::last_config).toString();

-    QFuture<ErrorCode> future = QtConcurrent::run([this, container, &credentials, &containerConfig, &serverController]() {
-        ErrorCode errorCode = ErrorCode::NoError;
-
-        auto isProtocolConfigExists = [](const QJsonObject &containerConfig, const DockerContainer container) {
-            for (Proto protocol : ContainerProps::protocolsForContainer(container)) {
-                QString protocolConfig =
-                        containerConfig.value(ProtocolProps::protoToString(protocol)).toObject().value(config_key::last_config).toString();
-
-                if (protocolConfig.isEmpty()) {
-                    return false;
-                }
-            }
-            return true;
-        };
-
-        if (!isProtocolConfigExists(containerConfig, container)) {
-            VpnConfigurationsController vpnConfigurationController(m_settings, serverController);
-            errorCode = vpnConfigurationController.createProtocolConfigForContainer(credentials, container, containerConfig);
-            if (errorCode != ErrorCode::NoError) {
-                return errorCode;
-            }
-            m_serversModel->updateContainerConfig(container, containerConfig);
-
-            errorCode = m_clientManagementModel->appendClient(container, credentials, containerConfig,
-                                                              QString("Admin [%1]").arg(QSysInfo::prettyProductName()), serverController);
-            if (errorCode != ErrorCode::NoError) {
-                return errorCode;
+            if (protocolConfig.isEmpty()) {
+                return false;
            }
        }
-        return errorCode;
-    });
+        return true;
+    };

-    QEventLoop wait;
-    connect(&watcher, &QFutureWatcher<ErrorCode>::finished, &wait, &QEventLoop::quit);
-    watcher.setFuture(future);
-    wait.exec();
-
-    ErrorCode errorCode = watcher.result();
-
-    if (errorCode != ErrorCode::NoError) {
-        emit installationErrorOccurred(errorCode);
-        return false;
+    if (isProtocolConfigExists(containerConfig, container)) {
+        emit configValidated(true);
+        return;
    }
-    return true;
+
+    struct ValidationResult {
+        ErrorCode errorCode = ErrorCode::NoError;
+        QJsonObject containerConfig;
+    };
+
+    QFuture<ValidationResult> future =
+            QtConcurrent::run([settings = m_settings, serverController, credentials, containerConfig, container]() mutable {
+                ValidationResult result;
+                result.containerConfig = containerConfig;
+
+                VpnConfigurationsController vpnConfigurationController(settings, serverController);
+                result.errorCode = vpnConfigurationController.createProtocolConfigForContainer(credentials, container,
+                                                                                               result.containerConfig);
+                return result;
+            });
+
+    auto *watcher = new QFutureWatcher<ValidationResult>(this);
+    connect(watcher, &QFutureWatcher<ValidationResult>::finished, this,
+            [this, watcher, container, credentials, serverController]() {
+                auto result = watcher->result();
+                watcher->deleteLater();
+
+                if (result.errorCode != ErrorCode::NoError) {
+                    emit installationErrorOccurred(result.errorCode);
+                    emit configValidated(false);
+                    return;
+                }
+
+                m_serversModel->updateContainerConfig(container, result.containerConfig);
+
+                ErrorCode appendError = m_clientManagementModel->appendClient(
+                        container, credentials, result.containerConfig,
+                        QString("Admin [%1]").arg(QSysInfo::prettyProductName()), serverController);
+
+                if (appendError != ErrorCode::NoError) {
+                    emit installationErrorOccurred(appendError);
+                    emit configValidated(false);
+                    return;
+                }
+
+                emit configValidated(true);
+            });
+    watcher->setFuture(future);
 }

 bool InstallController::isUpdateDockerContainerRequired(const DockerContainer container, const QJsonObject &oldConfig,
@@ -1070,7 +1085,7 @@ bool InstallController::isUpdateDockerContainerRequired(const DockerContainer co
    const QJsonObject &oldProtoConfig = oldConfig.value(ProtocolProps::protoToString(mainProto)).toObject();
    const QJsonObject &newProtoConfig = newConfig.value(ProtocolProps::protoToString(mainProto)).toObject();

-    if (container == DockerContainer::Awg2) {
+    if (ContainerProps::isAwgContainer(container)) {
        const AwgConfig oldConfig(oldProtoConfig);
        const AwgConfig newConfig(newProtoConfig);

@@ -2,9 +2,7 @@
 #define INSTALLCONTROLLER_H

 #include <QObject>
-#if !defined(Q_OS_IOS) && !defined(Q_OS_TVOS)
-    #include <QProcess>
-#endif
+#include <QProcess>

 #include "containers/containers_defs.h"
 #include "core/defs.h"
@@ -52,9 +50,10 @@ public slots:

    void addEmptyServer();

-    bool isConfigValid();
+    void validateConfig();

 signals:
+    void configValidated(bool isValid);
    void installContainerFinished(const QString &finishMessage, bool isServiceInstall);
    void installServerFinished(const QString &finishMessage);

@@ -113,7 +112,7 @@ private:

    QString m_privateKeyPassphrase;

-#if !defined(Q_OS_IOS) && !defined(Q_OS_TVOS)
+#ifndef Q_OS_IOS
    QList<QSharedPointer<QProcess>> m_sftpMountProcesses;
 #endif
 };
@@ -1,12 +1,11 @@
 #include "pageController.h"
 #include "utils/converter.h"
 #include "core/errorstrings.h"
-#include <QCoreApplication>
 #if defined(MACOS_NE)
 #include "platforms/ios/ios_controller.h"
 #endif

-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS) || defined(MACOS_NE)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
    #include <QGuiApplication>
 #else
    #include <QApplication>
@@ -15,7 +14,7 @@
 #ifdef Q_OS_ANDROID
    #include "platforms/android/android_controller.h"
 #endif
-#if defined(Q_OS_MACX) && !defined(Q_OS_TVOS)
+#if defined Q_OS_MAC
    #include "ui/macos_util.h"
 #endif

@@ -28,7 +27,7 @@ PageController::PageController(const QSharedPointer<ServersModel> &serversModel,
    AndroidController::instance()->setNavigationBarColor(initialPageNavigationBarColor);
 #endif

-#if defined(Q_OS_MACX) && !defined(Q_OS_TVOS)
+#if defined Q_OS_MACX
    connect(this, &PageController::raiseMainWindow, []() {
        setDockIconVisible(true);
    });
@@ -65,7 +64,7 @@ QString PageController::getPagePath(PageLoader::PageEnum page)
 void PageController::closeWindow()
 {
 // On mobile platforms, quit app on close; on desktop, just hide window
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
    qApp->quit();
 #else
    emit hideMainWindow();
@@ -119,7 +118,7 @@ void PageController::showOnStartup()
    } else {
 #if defined(Q_OS_WIN) || (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID))
        emit hideMainWindow();
-#elif defined(Q_OS_MACX) && !defined(Q_OS_TVOS)
+#elif defined(Q_OS_MACX)
        setDockIconVisible(false);
 #endif
    }
@@ -12,7 +12,7 @@
    #include "platforms/android/android_controller.h"
 #endif

-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS) || defined(MACOS_NE)
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
    #include <AmneziaVPN-Swift.h>
 #endif

@@ -45,6 +45,8 @@ SettingsController::SettingsController(const QSharedPointer<ServersModel> &serve
        emit safeAreaBottomMarginChanged();
        emit safeAreaTopMarginChanged();
    });
+    connect(AndroidController::instance(), &AndroidController::activityPaused, this, &SettingsController::activityPaused);
+    connect(AndroidController::instance(), &AndroidController::activityResumed, this, &SettingsController::activityResumed);
 #endif

    m_isDevModeEnabled = m_settings->isDevGatewayEnv();
@@ -57,8 +59,6 @@ QString getPlatformName()
    return "Windows";
 #elif defined(Q_OS_ANDROID)
    return "Android";
-#elif defined(Q_OS_TVOS)
-    return "tvOS";
 #elif defined(Q_OS_LINUX)
    return "Linux";
 #elif defined(Q_OS_MACX)
@@ -111,7 +111,7 @@ bool SettingsController::isLoggingEnabled()
 void SettingsController::toggleLogging(bool enable)
 {
    m_settings->setSaveLogs(enable);
-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#if defined(Q_OS_IOS)
    AmneziaVPN::toggleLogging(enable);
 #endif
    if (enable == true) {
@@ -160,6 +160,7 @@ void SettingsController::clearLogs()

    qInfo().noquote() << QString("Started %1 version %2 %3").arg(APPLICATION_NAME, APP_VERSION, GIT_COMMIT_HASH);
    qInfo().noquote() << QString("%1 (%2)").arg(QSysInfo::prettyProductName(), QSysInfo::currentCpuArchitecture());
+    qInfo().noquote() << QString("SSL backend: %1").arg(QSslSocket::sslLibraryVersionString());
 }

 void SettingsController::backupAppConfig(const QString &fileName)
@@ -179,12 +180,11 @@ void SettingsController::backupAppConfig(const QString &fileName)

 void SettingsController::restoreAppConfig(const QString &fileName)
 {
-    QFile file(fileName);
-
-    file.open(QIODevice::ReadOnly);
-
-    QByteArray data = file.readAll();
-
+    QByteArray data;
+    if (!SystemController::readFile(fileName, data)) {
+        emit changeSettingsErrorOccurred(tr("Can't open file: %1").arg(fileName));
+        return;
+    }
    restoreAppConfigFromData(data);
 }

@@ -194,7 +194,7 @@ void SettingsController::restoreAppConfigFromData(const QByteArray &data)
    if (ok) {
        QJsonObject newConfigData = QJsonDocument::fromJson(data).object();

-#if defined(Q_OS_WINDOWS) || defined(Q_OS_LINUX) || (defined(Q_OS_MACX) && !defined(Q_OS_TVOS))
+#if defined(Q_OS_WINDOWS) || defined(Q_OS_LINUX) || defined(Q_OS_MACX)
        bool autoStart = false;
        if (newConfigData.contains("Conf/autoStart")) {
            autoStart = newConfigData["Conf/autoStart"].toBool();
@@ -231,7 +231,7 @@ void SettingsController::restoreAppConfigFromData(const QByteArray &data)
        m_sitesModel->setRouteMode(siteSplitTunnelingRouteMode);
        m_sitesModel->toggleSplitTunneling(siteSplittunnelingEnabled);

-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
        m_settings->setAutoConnect(false);
        m_settings->setStartMinimized(false);
        m_settings->setKillSwitchEnabled(false);
@@ -270,7 +270,7 @@ void SettingsController::clearSettings()

    emit changeSettingsFinished(tr("All settings have been reset to default values"));

-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS) || defined(MACOS_NE)
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
    AmneziaVPN::clearSettings();
 #endif
 }
@@ -141,6 +141,9 @@ signals:
    void safeAreaTopMarginChanged();
    void safeAreaBottomMarginChanged();

+    void activityPaused();
+    void activityResumed();
+
    void isHomeAdLabelVisibleChanged(bool visible);
    void startMinimizedChanged();

@@ -7,10 +7,8 @@
 #include "systemController.h"
 #include "core/networkUtilities.h"

-SitesController::SitesController(const std::shared_ptr<Settings> &settings,
-                                 const QSharedPointer<VpnConnection> &vpnConnection,
-                                 const QSharedPointer<SitesModel> &sitesModel, QObject *parent)
-    : QObject(parent), m_settings(settings), m_vpnConnection(vpnConnection), m_sitesModel(sitesModel)
+SitesController::SitesController(const std::shared_ptr<Settings> &settings, const QSharedPointer<SitesModel> &sitesModel, QObject *parent)
+    : QObject(parent), m_settings(settings), m_sitesModel(sitesModel)
 {
 }

@@ -34,32 +32,20 @@ void SitesController::addSite(QString hostname)
        hostname = hostname.split("/", Qt::SkipEmptyParts).first();
    }

-    const auto &processSite = [this](const QString &hostname, const QString &ip) {
-        m_sitesModel->addSite(hostname, ip);
-
-        if (!ip.isEmpty()) {
-            QMetaObject::invokeMethod(m_vpnConnection.get(), "addRoutes", Qt::QueuedConnection,
-                                      Q_ARG(QStringList, QStringList() << ip));
-        } else if (NetworkUtilities::ipAddressWithSubnetRegExp().exactMatch(hostname)) {
-            QMetaObject::invokeMethod(m_vpnConnection.get(), "addRoutes", Qt::QueuedConnection,
-                                      Q_ARG(QStringList, QStringList() << hostname));
-        }
-    };
-
-    const auto &resolveCallback = [this, processSite](const QHostInfo &hostInfo) {
+    const auto &resolveCallback = [this](const QHostInfo &hostInfo) {
        const QList<QHostAddress> &addresses = hostInfo.addresses();
        for (const QHostAddress &addr : hostInfo.addresses()) {
            if (addr.protocol() == QAbstractSocket::NetworkLayerProtocol::IPv4Protocol) {
-                processSite(hostInfo.hostName(), addr.toString());
+                m_sitesModel->addSite(hostInfo.hostName(), addr.toString());
                break;
            }
        }
    };

    if (NetworkUtilities::ipAddressWithSubnetRegExp().exactMatch(hostname)) {
-        processSite(hostname, "");
+        m_sitesModel->addSite(hostname, "");
    } else {
-        processSite(hostname, "");
+        m_sitesModel->addSite(hostname, "");
        QHostInfo::lookupHost(hostname, this, resolveCallback);
    }

@@ -72,9 +58,6 @@ void SitesController::removeSite(int index)
    auto hostname = m_sitesModel->data(modelIndex, SitesModel::Roles::UrlRole).toString();
    m_sitesModel->removeSite(modelIndex);

-    QMetaObject::invokeMethod(m_vpnConnection.get(), "deleteRoutes", Qt::QueuedConnection,
-                              Q_ARG(QStringList, QStringList() << hostname));
-
    emit finished(tr("Site removed: %1").arg(hostname));
 }

@@ -128,8 +111,6 @@ void SitesController::importSites(const QString &fileName, bool replaceExisting)

    m_sitesModel->addSites(sites, replaceExisting);

-    QMetaObject::invokeMethod(m_vpnConnection.get(), "addRoutes", Qt::QueuedConnection, Q_ARG(QStringList, ips));
-
    emit finished(tr("Import completed"));
 }

@@ -11,9 +11,8 @@ class SitesController : public QObject
 {
    Q_OBJECT
 public:
-    explicit SitesController(const std::shared_ptr<Settings> &settings,
-                             const QSharedPointer<VpnConnection> &vpnConnection,
-                             const QSharedPointer<SitesModel> &sitesModel, QObject *parent = nullptr);
+    explicit SitesController(const std::shared_ptr<Settings> &settings, const QSharedPointer<SitesModel> &sitesModel,
+                             QObject *parent = nullptr);

 public slots:
    void addSite(QString hostname);
@@ -31,8 +30,6 @@ signals:

 private:
    std::shared_ptr<Settings> m_settings;
-
-    QSharedPointer<VpnConnection> m_vpnConnection;
    QSharedPointer<SitesModel> m_sitesModel;
 };

@@ -14,7 +14,7 @@
    #include "platforms/android/android_controller.h"
 #endif

-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS) || defined(MACOS_NE)
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
    #include "platforms/ios/ios_controller.h"
    #include <CoreFoundation/CoreFoundation.h>
 #endif
@@ -31,7 +31,7 @@ void SystemController::saveFile(const QString &fileName, const QString &data)
    return;
 #endif

-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#ifdef Q_OS_IOS
    QUrl fileUrl = QDir::tempPath() + "/" + fileName;
    QFile file(fileUrl.toString());
 #else
@@ -43,7 +43,7 @@ void SystemController::saveFile(const QString &fileName, const QString &data)
    file.write(data.toUtf8());
    file.close();

-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#ifdef Q_OS_IOS
    QStringList filesToSend;
    filesToSend.append(fileUrl.toString());
    // todo check if save successful
@@ -98,7 +98,7 @@ QString SystemController::getFileName(const QString &acceptLabel, const QString
    return AndroidController::instance()->openFile(nameFilter);
 #endif

-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#ifdef Q_OS_IOS

    fileName = IosController::Instance()->openFile();
    if (fileName.isEmpty()) {
@@ -1,5 +1,6 @@
 #include "apiAccountInfoModel.h"

+#include <QDateTime>
 #include <QJsonObject>

 #include "core/api/apiUtils.h"
@@ -32,7 +33,7 @@ QVariant ApiAccountInfoModel::data(const QModelIndex &index, int role) const
        }

        return apiUtils::isSubscriptionExpired(m_accountInfoData.subscriptionEndDate) ? tr("<p><a style=\"color: #EB5757;\">Inactive</a>")
-                                                                                      : tr("Active");
+                                                                                      : tr("<p><a style=\"color: #28c840;\">Active</a>");
    }
    case EndDateRole: {
        if (m_accountInfoData.configType == apiDefs::ConfigType::AmneziaFreeV3) {
@@ -52,7 +53,9 @@ QVariant ApiAccountInfoModel::data(const QModelIndex &index, int role) const
    }
    case IsComponentVisibleRole: {
        return m_accountInfoData.configType == apiDefs::ConfigType::AmneziaPremiumV2
-                || m_accountInfoData.configType == apiDefs::ConfigType::ExternalPremium;
+                || m_accountInfoData.configType == apiDefs::ConfigType::AmneziaTrialV2
+                || m_accountInfoData.configType == apiDefs::ConfigType::ExternalPremium
+                || m_accountInfoData.configType == apiDefs::ConfigType::ExternalTrial;
    }
    case HasExpiredWorkerRole: {
        for (int i = 0; i < m_issuedConfigsInfo.size(); i++) {
@@ -73,6 +76,18 @@ QVariant ApiAccountInfoModel::data(const QModelIndex &index, int role) const
        }
        return false;
    }
+    case IsSubscriptionExpiredRole: {
+        if (m_accountInfoData.configType == apiDefs::ConfigType::AmneziaFreeV3) return false;
+        if (m_accountInfoData.subscriptionEndDate.isEmpty()) return false;
+        return apiUtils::isSubscriptionExpired(m_accountInfoData.subscriptionEndDate);
+    }
+    case IsSubscriptionExpiringSoonRole: {
+        if (m_accountInfoData.configType == apiDefs::ConfigType::AmneziaFreeV3) return false;
+        if (m_accountInfoData.subscriptionEndDate.isEmpty()) return false;
+        if (apiUtils::isSubscriptionExpired(m_accountInfoData.subscriptionEndDate)) return false;
+        QDateTime endDate = QDateTime::fromString(m_accountInfoData.subscriptionEndDate, Qt::ISODateWithMs);
+        return endDate <= QDateTime::currentDateTimeUtc().addDays(10);
+    }
    }

    return QVariant();
@@ -164,6 +179,8 @@ QHash<int, QByteArray> ApiAccountInfoModel::roleNames() const
    roles[IsComponentVisibleRole] = "isComponentVisible";
    roles[HasExpiredWorkerRole] = "hasExpiredWorker";
    roles[IsProtocolSelectionSupportedRole] = "isProtocolSelectionSupported";
+    roles[IsSubscriptionExpiredRole] = "isSubscriptionExpired";
+    roles[IsSubscriptionExpiringSoonRole] = "isSubscriptionExpiringSoon";

    return roles;
 }
@@ -19,7 +19,9 @@ public:
        EndDateRole,
        IsComponentVisibleRole,
        HasExpiredWorkerRole,
-        IsProtocolSelectionSupportedRole
+        IsProtocolSelectionSupportedRole,
+        IsSubscriptionExpiredRole,
+        IsSubscriptionExpiringSoonRole
    };

    explicit ApiAccountInfoModel(QObject *parent = nullptr);
@@ -31,7 +33,6 @@ public:
 public slots:
    void updateModel(const QJsonObject &accountInfoObject, const QJsonObject &serverConfig);
    QVariant data(const QString &roleString);
-
    QJsonArray getAvailableCountries();
    QJsonArray getIssuedConfigsInfo();

@@ -41,6 +41,7 @@ namespace
    {
        constexpr char amneziaFree[] = "amnezia-free";
        constexpr char amneziaPremium[] = "amnezia-premium";
+        constexpr char amneziaTrial[] = "amnezia-trial";
    }
 }

@@ -69,7 +70,7 @@ QVariant ApiServicesModel::data(const QModelIndex &index, int role) const
    }
    case CardDescriptionRole: {
        auto speed = apiServiceData.serviceInfo.speed;
-        if (serviceType == serviceType::amneziaPremium) {
+        if (serviceType == serviceType::amneziaPremium || serviceType == serviceType::amneziaTrial) {
            return apiServiceData.serviceInfo.cardDescription.arg(speed);
        } else if (serviceType == serviceType::amneziaFree) {
            QString description = apiServiceData.serviceInfo.cardDescription;
@@ -124,8 +125,10 @@ QVariant ApiServicesModel::data(const QModelIndex &index, int role) const
    case OrderRole: {
        if (serviceType == serviceType::amneziaPremium) {
            return 0;
-        } else if (serviceType == serviceType::amneziaFree) {
+        } else if (serviceType == serviceType::amneziaTrial) {
            return 1;
+        } else if (serviceType == serviceType::amneziaFree) {
+            return 2;
        }
    }
    }
@@ -141,10 +141,12 @@ void AwgConfigModel::updateModel(const QJsonObject &config)
            serverProtocolConfig.value(config_key::initPacketJunkSize).toString(protocols::awg::defaultInitPacketJunkSize);
    m_serverProtocolConfig[config_key::responsePacketJunkSize] =
            serverProtocolConfig.value(config_key::responsePacketJunkSize).toString(protocols::awg::defaultResponsePacketJunkSize);
-    m_serverProtocolConfig[config_key::cookieReplyPacketJunkSize] =
-            serverProtocolConfig.value(config_key::cookieReplyPacketJunkSize).toString(protocols::awg::defaultCookieReplyPacketJunkSize);
-    m_serverProtocolConfig[config_key::transportPacketJunkSize] =
-            serverProtocolConfig.value(config_key::transportPacketJunkSize).toString(protocols::awg::defaultTransportPacketJunkSize);
+    if (protocolVersion == protocols::awg::awgV2) {
+        m_serverProtocolConfig[config_key::cookieReplyPacketJunkSize] =
+                serverProtocolConfig.value(config_key::cookieReplyPacketJunkSize).toString(protocols::awg::defaultCookieReplyPacketJunkSize);
+        m_serverProtocolConfig[config_key::transportPacketJunkSize] =
+                serverProtocolConfig.value(config_key::transportPacketJunkSize).toString(protocols::awg::defaultTransportPacketJunkSize);
+    }
    m_serverProtocolConfig[config_key::initPacketMagicHeader] =
            serverProtocolConfig.value(config_key::initPacketMagicHeader).toString(protocols::awg::defaultInitPacketMagicHeader);
    m_serverProtocolConfig[config_key::responsePacketMagicHeader] =
@@ -179,6 +179,20 @@ QVariant ServersModel::data(const QModelIndex &index, int role) const
    case AdEndpointRole: {
        return apiConfig.value(apiDefs::key::serviceInfo).toObject().value(apiDefs::key::adEndpoint).toString();
    }
+    case IsSubscriptionExpiredRole: {
+        if (configVersion != apiDefs::ConfigSource::AmneziaGateway) return false;
+        QString endDate = apiConfig.value(apiDefs::key::subscriptionEndDate).toString();
+        if (endDate.isEmpty()) return false;
+        return apiUtils::isSubscriptionExpired(endDate);
+    }
+    case IsSubscriptionExpiringSoonRole: {
+        if (configVersion != apiDefs::ConfigSource::AmneziaGateway) return false;
+        QString endDate = apiConfig.value(apiDefs::key::subscriptionEndDate).toString();
+        if (endDate.isEmpty()) return false;
+        if (apiUtils::isSubscriptionExpired(endDate)) return false;
+        QDateTime endDateTime = QDateTime::fromString(endDate, Qt::ISODateWithMs);
+        return endDateTime <= QDateTime::currentDateTimeUtc().addDays(10);
+    }
    }

    return QVariant();
@@ -443,6 +457,9 @@ QHash<int, QByteArray> ServersModel::roleNames() const
    roles[AdDescriptionRole] = "adDescription";
    roles[AdEndpointRole] = "adEndpoint";

+    roles[IsSubscriptionExpiredRole] = "isSubscriptionExpired";
+    roles[IsSubscriptionExpiringSoonRole] = "isSubscriptionExpiringSoon";
+
    return roles;
 }

@@ -52,6 +52,9 @@ public:
        AdDescriptionRole,
        AdEndpointRole,

+        IsSubscriptionExpiredRole,
+        IsSubscriptionExpiringSoonRole,
+
        HasAmneziaDns
    };

@@ -5,7 +5,7 @@
 #include <QDebug>
 #include "notificationhandler.h"

-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#if defined(Q_OS_IOS)
 #  include "platforms/ios/iosnotificationhandler.h"
 #else
 #  include "systemtray_notificationhandler.h"
@@ -14,7 +14,7 @@

 // static
 NotificationHandler* NotificationHandler::create(QObject* parent) {
-#if defined(Q_OS_IOS) || defined(Q_OS_TVOS)
+#if defined(Q_OS_IOS)
    return new IOSNotificationHandler(parent);
 #else
    return new SystemTrayNotificationHandler(parent);
@@ -58,7 +58,7 @@ QString Autostart::appPath() {
    return QCoreApplication::applicationFilePath() + " --autostart";
 }

-#elif defined(Q_OS_MACX) && !defined(Q_OS_TVOS)
+#elif defined Q_OS_MACX

 bool Autostart::isAutostart() {
    QProcess process;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
NickVs2015	89b94d2588	fix: resolve flush error and fix comment	2026-04-11 00:12:58 +03:00
NickVs2015	9166e17a23	fix: add support system with nscd service	2026-04-10 23:08:32 +03:00
NickVs2015	37d2b8716d	fix: infinite reconnection when NM up	2026-04-10 23:06:16 +03:00
NickVs2015	92b168100a	fix: Linux killswitch changes	2026-04-10 23:06:16 +03:00
NickVs2015	0f6db8a238	fix: Linux dns without dbus	2026-04-10 23:06:16 +03:00
NickVs2015	7c075625d2	fix: revert wireguardutilslinux	2026-04-03 20:21:00 +03:00
NickVs2015	c6a40b09c9	fix: reconnect	2026-04-03 20:11:28 +03:00
NickVs2015	560c4070b4	fix: add NM_STATE_DISABLED and check getGatewayAndIface more carefully	2026-04-03 08:47:15 +03:00
NickVs2015	f6806459fd	fix: restore reconnect time	2026-04-02 10:26:16 +03:00
NickVs2015	646b1561f8	revert: restore linuxfirewall.cpp	2026-04-01 00:57:11 +03:00
NickVs2015	6d1e10a2e3	feat: catch state changed via check gateway	2026-04-01 00:43:46 +03:00
NickVs2015	af0d561c5c	fix: add dns load/unload	2026-03-31 23:14:17 +03:00
NickVs2015	214b18f65f	fix: improve reeconnection	2026-03-31 14:08:04 +03:00
NickVs2015	bd554fb730	fix: Dbus error, fix race conditional	2026-03-31 10:35:04 +03:00
NickVs2015	316e64122e	fix: add linux reconnection	2026-03-26 22:31:26 +03:00
NickVs2015	bf3d11e5c4	feat: renewal new status logic (#2409 ) * fix: renewal add status logic * fix: wakeup activity resumed android	2026-03-25 19:48:32 +08:00
NickVs2015	9a0222aee3	fix: ui fixes for renewal subscription (#2406 )	2026-03-25 12:34:42 +08:00
NickVs2015	f0f0f7c5be	feat: add subscription renewal (#2389 ) * feat: add renewal subsribe * fix: after review	2026-03-24 22:45:02 +08:00
NickVs2015	36b1a863bf	fix: black screen resume / pause (#2400 )	2026-03-24 22:13:31 +08:00
yyy-amnezia	4103c5bbcf	refactor: extract and simplify OpenVPN reachability and network change handling logic (#2402 )	2026-03-24 22:12:59 +08:00
vkamn	fa69da6d56	chore: send app version in services request (#2403 )	2026-03-24 20:25:04 +08:00
yyy-amnezia	aaf2c9ddeb	feat: add Xray split tunnel support for iOS PacketTunnelProvider (#2332 )	2026-03-24 16:07:36 +08:00
Mitternacht822	dbbc7119ec	feat: add warning info for ssh keys (#2252 ) * fix: fixed da typo * feat: added warning about available ssh keys info	2026-03-24 16:06:40 +08:00
vkamn	c57162c4cc	feat: add base amnezia trial support (#2366 ) * feat: add base amnezia trial support * feat: add external-trial	2026-03-24 10:29:51 +08:00
NickVs2015	40e39895c9	fix openfile deadlock (#2373 )	2026-03-21 11:46:46 +08:00
vkamn	ec3ab2a03c	chore: update licnese file (#2376 )	2026-03-20 21:04:13 +08:00
yyy-amnezia	ddecfcad26	fix: apple platform network switch fix (#2359 ) * Apple platform network switch fix * macos_ne exclusion fixed	2026-03-20 20:51:36 +08:00
NickVs2015	67bd880cdf	fix: swap buffers error (#2347 )	2026-03-16 13:03:20 +08:00
vkamn	477afb9d85	chore: bump version (#2336 )	2026-03-10 22:22:37 +08:00
NickVs2015	f969fcdbb8	fix: restore dpad functionality ATV (#2335 )	2026-03-10 22:19:55 +08:00
vkamn	b0ca16d861	chore: bump version (#2331 )	2026-03-09 18:29:56 +08:00
NickVs2015	9963359948	fix: disable gamepad for GP (#2321 )	2026-03-09 17:39:50 +08:00
vkamn	ca639d293d	chore: bump version (#2319 )	2026-03-06 23:11:03 +08:00
NickVs2015	83d045af64	fix: GP requrements (#2312 )	2026-03-06 17:05:16 +08:00
NickVs2015	aea8ff4961	fix: add handle handleContextCreationFailure (#2309 )	2026-03-03 22:04:45 +08:00
vkamn	1892db4375	fix: remove nested qeventloop from isConfigValid (also rename to validateConfig) (#2305 ) * fix: remove nested qeventloop from isConfigValid (also rename to validateConfig) * chore: bump version	2026-03-03 20:58:32 +08:00
NickVs2015	c86a641e05	fix: add suppord android 9 gamepad and remote control (#2302 )	2026-03-03 15:14:51 +08:00
vkamn	befb2bf19a	chore: bump version (#2295 )	2026-02-27 23:33:37 +08:00
vkamn	7ad6bc340c	chore: add translations for ru (#2285 ) * chore: add translations for ru * chore: text fixes	2026-02-27 20:00:31 +08:00
vkamn	9164e38c34	fix: restore backup android (#2291 ) * fix: fixed restore backup on android * chore: add resume helper for android * chore: add ResumeHelper.runWhenActive call after all native android dialogs * fix: add permission for tv file picker * fix: add file picker handler in kotlin --------- Co-authored-by: NickVs2015 <nv@amnezia.org>	2026-02-27 18:43:36 +08:00
vkamn	8f7559f01b	chore: revert PR #2222 (#2290 )	2026-02-27 14:29:25 +08:00
vkamn	af56200735	fix: fixed adding s3 s4 when updating the server conf for awg lagacy (#2289 )	2026-02-27 14:11:40 +08:00
vkamn	3874050fae	fix: again fixed s3, s4 ranges (#2288 )	2026-02-27 13:37:49 +08:00
vkamn	3087163e34	fix: fixed s3, s4 ranges (#2283 )	2026-02-26 22:31:41 +08:00
Mitternacht822	1fa152845c	fix: generate native awg config as qr series (#2221 )	2026-02-26 22:31:18 +08:00
vkamn	50e23ef233	fix: awg config update (#2281 ) * fix: fixed client config update for awg container * chore: bump version	2026-02-26 22:12:58 +08:00
Yaroslav Gurov	ea648466de	chore: remove redundant VpnConnection usage from SitesController (#2278 )	2026-02-26 17:55:08 +08:00
Yaroslav Gurov	b782775016	fix: change event looping to mutexes for settings and secureqsettings (#2270 )	2026-02-26 11:41:08 +08:00
NickVs2015	89a7fe1081	fix: fixed remote control for ATV (#2277 )	2026-02-26 11:40:16 +08:00
Yaroslav Gurov	e8bb096025	fix: ios wrong awg blob (#2272 )	2026-02-24 17:56:17 +07:00
Mitternacht822	fd5c7c8322	fix: copy LICENSE to build as LICENSE.txt for WiX CPack (#2265 ) * fix(installer): copy LICENSE to build as LICENSE.txt for WiX CPack * fix: fixed a typo * fix: fixed a typo	2026-02-24 14:07:48 +08:00
Yaroslav Gurov	e798d0f503	feat: update amneziawg-android dependencies (#2269 )	2026-02-24 00:54:55 +08:00
Yaroslav Gurov	bbb0abb596	feat: update xray (#2267 )	2026-02-24 00:27:29 +08:00
vkamn	0925aec86a	chore: bump version (#2264 )	2026-02-23 18:01:59 +08:00
Yaroslav Gurov	b084c4c284	fix: ios connection status stuck (#2263 )	2026-02-23 18:00:13 +08:00
vkamn	87288ebccd	chore: bump version (#2262 )	2026-02-23 17:16:24 +08:00
vkamn	fcd7eadf4c	chore: bump version (#2261 )	2026-02-23 15:38:27 +08:00
Mitternacht822	0373338fb7	fix: randomized baseUrls traversal order in GatewayController::getProxyUrls (#2247 )	2026-02-23 15:33:35 +08:00
Yaroslav Gurov	42f070fe9d	fix: handle Android disconnected status properly (#2255 )	2026-02-23 15:31:15 +08:00