feat: multipeer support mac/linux/windows

* fix: renewal add status logic

* fix: wakeup activity resumed android

CMakeLists.txt

@@ -12,7 +12,7 @@ string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")
 
 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2117)
+set(APP_ANDROID_VERSION_CODE 2118)
 
 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
     set(MZ_PLATFORM_NAME "linux")

README.md

@@ -179,7 +179,7 @@ You may face compiling issues in QT Creator after you've worked in Android Studi
 
 ## License
 
-GPL v3.0
+This project is licensed under the GNU General Public License v3.0 (see LICENSE) and also includes third-party components distributed under their own terms (see THIRD_PARTY_LICENSES.md).
 
 ## Donate
 

THIRD_PARTY_LICENSES.md

@@ -0,0 +1,149 @@
+# Third-Party Licenses
+
+This project is licensed under the GNU General Public License v3.0.
+This file lists third-party software components used by this repository.
+Each component is distributed under its own license as linked below.
+
+---
+
+## QtKeychain
+
+- Source: https://github.com/frankosterfeld/qtkeychain
+- License: BSD License
+- License Text: https://www.gnu.org/licenses/license-list.html#ModifiedBSD
+
+---
+
+## QSimpleCrypto
+
+- Source: https://github.com/n1flh31mur/QSimpleCrypto
+- License: Apache License 2.0
+- License Text: https://github.com/n1flh31mur/QSimpleCrypto/blob/master/LICENSE
+
+---
+
+## SortFilterProxyModel
+
+- Source: https://github.com/oKcerG/SortFilterProxyModel
+- License: MIT License
+- License Text: https://github.com/oKcerG/SortFilterProxyModel/blob/master/LICENSE
+
+---
+
+## QJsonStruct
+
+- Source: https://github.com/Qv2ray/QJsonStruct
+- License: MIT License
+- License Text: https://github.com/Qv2ray/QJsonStruct/blob/master/LICENSE
+
+---
+
+## QR Code Generator (qrcodegen)
+
+- Source: https://github.com/nayuki/QR-Code-generator
+- License: MIT License
+- License Text: https://www.nayuki.io/page/qr-code-generator-library
+
+---
+
+## Qt Gamepad
+
+- Source: https://github.com/qt/qtgamepad
+- License: GNU General Public License v3.0 (GPL-3.0)
+- License Text: https://www.gnu.org/licenses/gpl-3.0.en.html
+
+---
+
+## AmneziaWG Apple (WireGuard)
+
+- Source: https://github.com/amnezia-vpn/amneziawg-apple
+- License: MIT License
+- License Text: https://github.com/amnezia-vpn/amneziawg-apple/blob/master/COPYING
+
+---
+
+## AmneziaWG Android
+
+- Source: https://github.com/amnezia-vpn/amneziawg-go
+- License: MIT License
+- License Text: https://github.com/amnezia-vpn/amneziawg-go/blob/master/LICENSE
+
+---
+
+## Xray Core
+
+- Source: https://github.com/XTLS/Xray-core
+- License: Mozilla Public License 2.0 (MPL-2.0)
+- License Text: https://github.com/XTLS/Xray-core/blob/main/LICENSE
+
+---
+
+## Cloak
+
+- Source: https://github.com/cbeuw/Cloak
+- License: GNU General Public License v3.0 (GPL-3.0)
+- License Text: https://github.com/cbeuw/Cloak/blob/master/LICENSE
+
+---
+
+## Shadowsocks
+
+- Source: https://github.com/shadowsocks/shadowsocks-libev
+- License: GPL-3.0-or-later
+- License Text: http://www.gnu.org/licenses/
+
+---
+
+## OpenSSL
+
+- Source: https://github.com/openssl/openssl
+- License: Apache License 2.0
+- License Text: https://www.openssl.org/source/license.html
+
+---
+
+## libssh
+
+- Source: https://www.libssh.org/
+- License: GNU Lesser General Public License (LGPL)
+- License Text: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
+
+---
+
+## OpenVPNAdapter
+
+- Source: https://github.com/ss-abramchuk/OpenVPNAdapter
+- License: GNU Affero General Public License v3.0 (AGPL-3.0)
+- License Text: https://github.com/ss-abramchuk/OpenVPNAdapter/blob/master/LICENSE
+
+---
+
+## Wintun
+
+- Source: https://www.wintun.net/
+- License: Prebuilt Binaries License
+- License Text: https://github.com/WireGuard/wintun/blob/master/prebuilt-binaries-license.txt
+
+---
+
+## Mullvad Split Tunnel Driver
+
+- Source: https://github.com/mullvad/win-split-tunnel
+- License: GNU General Public License v3.0 (GPL-3.0) and Mozilla Public License Version 2.0
+- License Text: https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-GPL.md https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-MPL.txt
+
+---
+
+## tun2socks
+
+- Source: https://github.com/eycorsican/go-tun2socks
+- License: MIT License
+- License Text: https://github.com/eycorsican/go-tun2socks/blob/master/LICENSE
+
+---
+
+## TAP-Windows Driver
+
+- Source: https://github.com/OpenVPN/tap-windows6
+- License: tap-windows6 license
+- License Text: https://github.com/OpenVPN/tap-windows6/blob/master/COPYING

client/amnezia_application.cpp

@@ -109,6 +109,16 @@ void AmneziaApplication::init()
             // install filter on main window
             if (auto win = qobject_cast<QQuickWindow*>(obj)) {
                 win->installEventFilter(this);
+#ifdef Q_OS_ANDROID
+                QObject::connect(win, &QQuickWindow::sceneGraphError,
+                    [](QQuickWindow::SceneGraphError, const QString &msg) {
+                        qWarning() << "Scene graph error (suppressed):" << msg;
+                    });
+                // Keep graphics context alive across hide/show cycles to avoid
+                // eglSwapBuffers/makeCurrent being called on a context Android has reclaimed.
+                win->setPersistentSceneGraph(true);
+                win->setPersistentGraphics(true);
+#endif
                 win->show();
             }
         },

client/android/src/org/amnezia/vpn/AmneziaActivity.kt

@@ -296,9 +296,25 @@ class AmneziaActivity : QtActivity() {
         hasWindowFocus = hasFocus
         Log.d(TAG, "Window focus changed: hasFocus=$hasFocus")
 
-        // Cancel pending operations if window loses focus
         if (!hasFocus) {
+            // Cancel pending operations if window loses focus
             resumeHandler.removeCallbacksAndMessages(null)
+        } else if (isActivityResumed && Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+            window.decorView.apply {
+                invalidate()
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(1f, 1f)
+                    }
+                }, 50)
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(2f, 2f)
+                        requestLayout()
+                        invalidate()
+                    }
+                }, 150)
+            }
         }
     }
 
@@ -337,6 +353,13 @@ class AmneziaActivity : QtActivity() {
     private external fun nativeGamepadKeyEvent(deviceId: Int, keyCode: Int, pressed: Boolean)
 
     override fun onPause() {
+        // Notify Qt to stop rendering BEFORE super.onPause() destroys the EGL surface.
+        // Using a coroutine here would be too late — the surface is gone by the time
+        // the coroutine runs. A direct synchronous call gives Qt's render thread the
+        // best chance to process visible=false before surface destruction.
+        if (qtInitialized.isCompleted) {
+            QtAndroidController.onActivityPaused()
+        }
         super.onPause()
         isActivityResumed = false
         // Cancel all pending operations when activity pauses
@@ -349,6 +372,9 @@ class AmneziaActivity : QtActivity() {
         super.onResume()
         isActivityResumed = true
         Log.d(TAG, "Resume Amnezia activity")
+        if (qtInitialized.isCompleted) {
+            QtAndroidController.onActivityResumed()
+        }
 
         if (pendingOpenFileUri != null && !openFileDeliveryScheduled) {
             val uri = pendingOpenFileUri!!
@@ -816,7 +842,7 @@ class AmneziaActivity : QtActivity() {
     @Suppress("unused")
     fun getFd(fileName: String): Int {
         Log.v(TAG, "Get fd for $fileName")
-        return blockingCall {
+        return blockingCall(Dispatchers.IO) {
             try {
                 pfd = contentResolver.openFileDescriptor(Uri.parse(fileName), "r")
                 pfd?.fd ?: -1

client/android/src/org/amnezia/vpn/qt/QtAndroidController.kt

@@ -31,4 +31,7 @@ object QtAndroidController {
 
     external fun onImeInsetsChanged(heightDp: Int)
     external fun onSystemBarsInsetsChanged(navBarHeightDp: Int, statusBarHeightDp: Int)
+
+    external fun onActivityPaused()
+    external fun onActivityResumed()
 }

client/android/wireguard/src/main/kotlin/org/amnezia/vpn/protocol/wireguard/Wireguard.kt

@@ -88,33 +88,68 @@ open class Wireguard : Protocol() {
             addDnsServer(parseInetAddress(dns.trim()))
         }
 
-        val defRoutes = hashSetOf(
-            InetNetwork("0.0.0.0", 0),
-            InetNetwork("::", 0)
-        )
-        val routes = hashSetOf<InetNetwork>()
-        configData.getJSONArray("allowed_ips").asSequence<String>().map { route ->
-            InetNetwork.parse(route.trim())
-        }.forEach(routes::add)
-        // if the allowed IPs list contains at least one non-default route, disable global split tunneling
-        if (routes.any { it !in defRoutes }) disableSplitTunneling()
-        addRoutes(routes)
-
         configData.optStringOrNull("mtu")?.let { setMtu(it.toInt()) }
-
-        val host = configData.getString("hostName").let { parseInetAddress(it.trim()) }
-        val port = configData.getInt("port")
-        setEndpoint(InetEndpoint(host, port))
+        configData.getString("client_priv_key").let { setPrivateKeyHex(it.base64ToHex()) }
 
         if (configData.optBoolean("isObfuscationEnabled")) {
             setUseProtocolExtension(true)
             configExtensionParameters(configData)
         }
 
-        configData.optStringOrNull("persistent_keep_alive")?.let { setPersistentKeepalive(it.toInt()) }
-        configData.getString("client_priv_key").let { setPrivateKeyHex(it.base64ToHex()) }
-        configData.getString("server_pub_key").let { setPublicKeyHex(it.base64ToHex()) }
-        configData.optStringOrNull("psk_key")?.let { setPreSharedKeyHex(it.base64ToHex()) }
+        val defRoutes = hashSetOf(InetNetwork("0.0.0.0", 0), InetNetwork("::", 0))
+        val peersArray = configData.optJSONArray("peers")
+
+        if (peersArray != null && peersArray.length() > 0) {
+            // Multi-peer: collect union of all peers' allowed IPs for the VPN interface routing table
+            val allRoutes = hashSetOf<InetNetwork>()
+            for (i in 0 until peersArray.length()) {
+                peersArray.getJSONObject(i).getJSONArray("allowed_ips").asSequence<String>()
+                    .map { InetNetwork.parse(it.trim()) }.forEach(allRoutes::add)
+            }
+            if (allRoutes.any { it !in defRoutes }) disableSplitTunneling()
+            addRoutes(allRoutes)
+
+            // Primary peer from first entry
+            val firstPeer = peersArray.getJSONObject(0)
+            val firstAllowedIps = firstPeer.getJSONArray("allowed_ips").asSequence<String>()
+                .map { InetNetwork.parse(it.trim()) }.toList()
+            setPeerAllowedIps(firstAllowedIps)
+            setEndpoint(InetEndpoint(parseInetAddress(firstPeer.getString("hostName").trim()), firstPeer.getInt("port")))
+            firstPeer.optStringOrNull("persistent_keep_alive")?.let { setPersistentKeepalive(it.toInt()) }
+            firstPeer.getString("server_pub_key").let { setPublicKeyHex(it.base64ToHex()) }
+            firstPeer.optStringOrNull("psk_key")?.let { setPreSharedKeyHex(it.base64ToHex()) }
+
+            // Additional peers
+            for (i in 1 until peersArray.length()) {
+                val peerData = peersArray.getJSONObject(i)
+                val peerAllowedIps = peerData.getJSONArray("allowed_ips").asSequence<String>()
+                    .map { InetNetwork.parse(it.trim()) }.toList()
+                addPeer(
+                    PeerConfig(
+                        publicKeyHex = peerData.getString("server_pub_key").base64ToHex(),
+                        preSharedKeyHex = peerData.optStringOrNull("psk_key")?.base64ToHex(),
+                        persistentKeepalive = peerData.optStringOrNull("persistent_keep_alive")?.toInt() ?: 0,
+                        endpoint = InetEndpoint(parseInetAddress(peerData.getString("hostName").trim()), peerData.getInt("port")),
+                        allowedIps = peerAllowedIps
+                    )
+                )
+            }
+        } else {
+            // Single peer (original behavior)
+            val routes = hashSetOf<InetNetwork>()
+            configData.getJSONArray("allowed_ips").asSequence<String>().map { route ->
+                InetNetwork.parse(route.trim())
+            }.forEach(routes::add)
+            if (routes.any { it !in defRoutes }) disableSplitTunneling()
+            addRoutes(routes)
+
+            val host = configData.getString("hostName").let { parseInetAddress(it.trim()) }
+            val port = configData.getInt("port")
+            setEndpoint(InetEndpoint(host, port))
+            configData.optStringOrNull("persistent_keep_alive")?.let { setPersistentKeepalive(it.toInt()) }
+            configData.getString("server_pub_key").let { setPublicKeyHex(it.base64ToHex()) }
+            configData.optStringOrNull("psk_key")?.let { setPreSharedKeyHex(it.base64ToHex()) }
+        }
     }
 
     protected fun WireguardConfig.Builder.configExtensionParameters(configData: JSONObject) {
@@ -201,7 +236,11 @@ open class Wireguard : Protocol() {
             Log.e(TAG, "Failed to get tunnel config")
             return -2
         }
-        val lastHandshake = config.lines().find { it.startsWith("last_handshake_time_sec=") }?.substring(24)?.toLong()
+        // For multi-peer: take the max handshake time across all peers (any connected peer = tunnel active)
+        val lastHandshake = config.lines()
+            .filter { it.startsWith("last_handshake_time_sec=") }
+            .mapNotNull { it.substring(24).toLongOrNull() }
+            .maxOrNull()
         if (lastHandshake == null) {
             Log.e(TAG, "Failed to get last_handshake_time_sec")
             return -2

client/android/wireguard/src/main/kotlin/org/amnezia/vpn/protocol/wireguard/WireguardConfig.kt

@@ -4,9 +4,18 @@ import android.util.Base64
 import org.amnezia.vpn.protocol.BadConfigException
 import org.amnezia.vpn.protocol.ProtocolConfig
 import org.amnezia.vpn.util.net.InetEndpoint
+import org.amnezia.vpn.util.net.InetNetwork
 
 private const val WIREGUARD_DEFAULT_MTU = 1280
 
+data class PeerConfig(
+    val publicKeyHex: String,
+    val preSharedKeyHex: String?,
+    val persistentKeepalive: Int,
+    val endpoint: InetEndpoint,
+    val allowedIps: List<InetNetwork>
+)
+
 open class WireguardConfig protected constructor(
     protocolConfigBuilder: ProtocolConfig.Builder,
     val endpoint: InetEndpoint,
@@ -31,6 +40,8 @@ open class WireguardConfig protected constructor(
     var i3: String?,
     var i4: String?,
     var i5: String?,
+    val peerAllowedIps: List<InetNetwork>?,
+    val additionalPeers: List<PeerConfig>,
 ) : ProtocolConfig(protocolConfigBuilder) {
 
     protected constructor(builder: Builder) : this(
@@ -57,6 +68,8 @@ open class WireguardConfig protected constructor(
         builder.i3,
         builder.i4,
         builder.i5,
+        builder.peerAllowedIps,
+        builder.additionalPeers.toList(),
     )
 
     fun toWgUserspaceString(): String = with(StringBuilder()) {
@@ -103,14 +116,22 @@ open class WireguardConfig protected constructor(
 
     open fun appendPeerLine(sb: StringBuilder) = with(sb) {
         appendLine("public_key=$publicKeyHex")
-        routes.filter { it.include }.forEach { route ->
-            appendLine("allowed_ip=${route.inetNetwork}")
-        }
+        val primaryIps = peerAllowedIps ?: routes.filter { it.include }.map { it.inetNetwork }
+        primaryIps.forEach { net -> appendLine("allowed_ip=$net") }
         appendLine("endpoint=$endpoint")
         if (persistentKeepalive != 0)
             appendLine("persistent_keepalive_interval=$persistentKeepalive")
         if (preSharedKeyHex != null)
             appendLine("preshared_key=$preSharedKeyHex")
+        for (peer in additionalPeers) {
+            appendLine("public_key=${peer.publicKeyHex}")
+            peer.allowedIps.forEach { net -> appendLine("allowed_ip=$net") }
+            appendLine("endpoint=${peer.endpoint}")
+            if (peer.persistentKeepalive != 0)
+                appendLine("persistent_keepalive_interval=${peer.persistentKeepalive}")
+            if (peer.preSharedKeyHex != null)
+                appendLine("preshared_key=${peer.preSharedKeyHex}")
+        }
     }
 
     open class Builder : ProtocolConfig.Builder(true) {
@@ -150,6 +171,9 @@ open class WireguardConfig protected constructor(
         internal var i4: String? = null
         internal var i5: String? = null
 
+        internal var peerAllowedIps: List<InetNetwork>? = null
+        internal val additionalPeers: MutableList<PeerConfig> = mutableListOf()
+
         fun setEndpoint(endpoint: InetEndpoint) = apply { this.endpoint = endpoint }
 
         fun setPersistentKeepalive(persistentKeepalive: Int) = apply { this.persistentKeepalive = persistentKeepalive }
@@ -179,6 +203,9 @@ open class WireguardConfig protected constructor(
         fun setI4(i4: String) = apply { this.i4 = i4 }
         fun setI5(i5: String) = apply { this.i5 = i5 }
 
+        fun setPeerAllowedIps(ips: List<InetNetwork>) = apply { this.peerAllowedIps = ips }
+        fun addPeer(peer: PeerConfig) = apply { this.additionalPeers += peer }
+
         override fun build(): WireguardConfig = configBuild().run { WireguardConfig(this@Builder) }
     }
 

client/core/api/apiDefs.h

@@ -10,8 +10,10 @@ namespace apiDefs
         AmneziaFreeV3,
         AmneziaPremiumV1,
         AmneziaPremiumV2,
+        AmneziaTrialV2,
         SelfHosted,
-        ExternalPremium
+        ExternalPremium,
+        ExternalTrial
     };
 
     enum ConfigSource {
@@ -32,6 +34,7 @@ namespace apiDefs
         constexpr QLatin1String stackType("stack_type");
         constexpr QLatin1String serviceType("service_type");
         constexpr QLatin1String cliVersion("cli_version");
+        constexpr QLatin1String cliName("cli_name");
         constexpr QLatin1String supportedProtocols("supported_protocols");
 
         constexpr QLatin1String vpnKey("vpn_key");

client/core/api/apiUtils.cpp

@@ -58,18 +58,24 @@ apiDefs::ConfigType apiUtils::getConfigType(const QJsonObject &serverConfigObjec
     };
     case apiDefs::ConfigSource::AmneziaGateway: {
         constexpr QLatin1String servicePremium("amnezia-premium");
+        constexpr QLatin1String serviceTrial("amnezia-trial");
         constexpr QLatin1String serviceFree("amnezia-free");
         constexpr QLatin1String serviceExternalPremium("external-premium");
+        constexpr QLatin1String serviceExternalTrial("external-trial");
 
         auto apiConfigObject = serverConfigObject.value(apiDefs::key::apiConfig).toObject();
         auto serviceType = apiConfigObject.value(apiDefs::key::serviceType).toString();
 
         if (serviceType == servicePremium) {
             return apiDefs::ConfigType::AmneziaPremiumV2;
+        } else if (serviceType == serviceTrial) {
+            return apiDefs::ConfigType::AmneziaTrialV2;
         } else if (serviceType == serviceFree) {
             return apiDefs::ConfigType::AmneziaFreeV3;
         } else if (serviceType == serviceExternalPremium) {
             return apiDefs::ConfigType::ExternalPremium;
+        } else if (serviceType == serviceExternalTrial) {
+            return apiDefs::ConfigType::ExternalTrial;
         }
     }
     default: {
@@ -90,6 +96,7 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
     const int httpStatusCodeConflict = 409;
     const int httpStatusCodeNotFound = 404;
     const int httpStatusCodeNotImplemented = 501;
+    const int httpStatusCodeUnprocessableEntity = 422;
 
     if (!sslErrors.empty()) {
         qDebug().noquote() << sslErrors;
@@ -122,6 +129,8 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
             return amnezia::ErrorCode::ApiNotFoundError;
         } else if (httpStatusFromBody == httpStatusCodeNotImplemented) {
             return amnezia::ErrorCode::ApiUpdateRequestError;
+        } else if (httpStatusFromBody == httpStatusCodeUnprocessableEntity) {
+            return amnezia::ErrorCode::ApiSubscriptionExpiredError;
         }
         return amnezia::ErrorCode::ApiConfigDownloadError;
     }
@@ -133,7 +142,8 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
 bool apiUtils::isPremiumServer(const QJsonObject &serverConfigObject)
 {
     static const QSet<apiDefs::ConfigType> premiumTypes = { apiDefs::ConfigType::AmneziaPremiumV1, apiDefs::ConfigType::AmneziaPremiumV2,
-                                                            apiDefs::ConfigType::ExternalPremium };
+                                                            apiDefs::ConfigType::AmneziaTrialV2, apiDefs::ConfigType::ExternalPremium,
+                                                            apiDefs::ConfigType::ExternalTrial };
     return premiumTypes.contains(getConfigType(serverConfigObject));
 }
 
@@ -177,7 +187,9 @@ QString apiUtils::getPremiumV1VpnKey(const QJsonObject &serverConfigObject)
 
 QString apiUtils::getPremiumV2VpnKey(const QJsonObject &serverConfigObject)
 {
-    if (apiUtils::getConfigType(serverConfigObject) != apiDefs::ConfigType::AmneziaPremiumV2) {
+    auto configType = apiUtils::getConfigType(serverConfigObject);
+    if (configType != apiDefs::ConfigType::AmneziaPremiumV2 && configType != apiDefs::ConfigType::AmneziaTrialV2
+        && configType != apiDefs::ConfigType::ExternalPremium && configType != apiDefs::ConfigType::ExternalTrial) {
         return {};
     }
 

client/core/controllers/coreController.cpp

@@ -153,6 +153,8 @@ void CoreController::initControllers()
 
     m_apiConfigsController.reset(new ApiConfigsController(m_serversModel, m_apiServicesModel, m_settings));
     m_engine->rootContext()->setContextProperty("ApiConfigsController", m_apiConfigsController.get());
+    connect(m_apiConfigsController.get(), &ApiConfigsController::subscriptionRefreshNeeded,
+            this, [this]() { m_apiSettingsController->getAccountInfo(false); });
 
     m_apiNewsController.reset(new ApiNewsController(m_newsModel, m_settings, m_serversModel, this));
     m_engine->rootContext()->setContextProperty("ApiNewsController", m_apiNewsController.get());

client/core/controllers/gatewayController.cpp

@@ -46,6 +46,7 @@ namespace
     constexpr int httpStatusCodeConflict = 409;
 
     constexpr int httpStatusCodeNotImplemented = 501;
+    constexpr int httpStatusCodeUnprocessableEntity = 422;
 }
 
 GatewayController::GatewayController(const QString &gatewayEndpoint, const bool isDevEnvironment, const int requestTimeoutMsecs,
@@ -451,6 +452,8 @@ bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &rep
         }
     } else if (httpStatus == httpStatusCodeConflict) {
         return false;
+    } else if (httpStatus == httpStatusCodeUnprocessableEntity) {
+        return false;
     } else if (replyError != QNetworkReply::NetworkError::NoError) {
         qDebug() << replyError;
         return true;

client/daemon/daemon.cpp

@@ -441,6 +441,37 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {
     config.m_specialJunk["I5"] = obj.value("I5").toString();
   }
 
+  if (obj.contains("primaryPeerAllowedIPAddressRanges") &&
+      obj.value("primaryPeerAllowedIPAddressRanges").isArray()) {
+    for (const QJsonValue& ipVal : obj.value("primaryPeerAllowedIPAddressRanges").toArray()) {
+      if (!ipVal.isObject()) continue;
+      QJsonObject ipObj = ipVal.toObject();
+      config.m_primaryPeerAllowedIPRanges.append(
+          IPAddress(QHostAddress(ipObj.value("address").toString()),
+                    ipObj.value("range").toInt()));
+    }
+  }
+
+  if (obj.contains("additionalPeers") && obj.value("additionalPeers").isArray()) {
+    for (const QJsonValue& peerVal : obj.value("additionalPeers").toArray()) {
+      if (!peerVal.isObject()) continue;
+      QJsonObject peerObj = peerVal.toObject();
+      InterfaceConfig::AdditionalPeerConfig peer;
+      peer.m_serverPublicKey = peerObj.value("serverPublicKey").toString();
+      peer.m_serverPskKey = peerObj.value("serverPskKey").toString();
+      peer.m_serverIpv4AddrIn = peerObj.value("serverIpv4AddrIn").toString();
+      peer.m_serverPort = peerObj.value("serverPort").toInt();
+      for (const QJsonValue& ipVal : peerObj.value("allowedIPAddressRanges").toArray()) {
+        if (!ipVal.isObject()) continue;
+        QJsonObject ipObj = ipVal.toObject();
+        peer.m_allowedIPAddressRanges.append(
+            IPAddress(QHostAddress(ipObj.value("address").toString()),
+                      ipObj.value("range").toInt()));
+      }
+      config.m_additionalPeers.append(peer);
+    }
+  }
+
   return true;
 }
 

client/daemon/interfaceconfig.h

@@ -37,6 +37,9 @@ class InterfaceConfig {
   int m_serverPort = 0;
   int m_deviceMTU = 1420;
   QList<IPAddress> m_allowedIPAddressRanges;
+  // For multi-peer: primary peer's own IPs only (used for UAPI allowed_ips).
+  // Empty for single-peer (falls back to m_allowedIPAddressRanges).
+  QList<IPAddress> m_primaryPeerAllowedIPRanges;
   QStringList m_excludedAddresses;
   QStringList m_vpnDisabledApps;
   QStringList m_allowedDnsServers;
@@ -58,6 +61,15 @@ class InterfaceConfig {
   QString m_transportPacketMagicHeader;
   QMap<QString, QString> m_specialJunk;
 
+  struct AdditionalPeerConfig {
+    QString m_serverPublicKey;
+    QString m_serverPskKey;
+    QString m_serverIpv4AddrIn;
+    int m_serverPort = 0;
+    QList<IPAddress> m_allowedIPAddressRanges;
+  };
+  QList<AdditionalPeerConfig> m_additionalPeers;
+
   QJsonObject toJson() const;
   QString toWgConf(
       const QMap<QString, QString>& extra = QMap<QString, QString>()) const;

client/mozilla/localsocketcontroller.cpp

@@ -166,68 +166,96 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) {
 
   QJsonArray jsAllowedIPAddesses;
 
-  QJsonArray plainAllowedIP = wgConfig.value(amnezia::config_key::allowed_ips).toArray();
-  QJsonArray defaultAllowedIP = { "0.0.0.0/0", "::/0" };
+  auto ipRangeToJson = [](const QString& ipRange) -> QJsonObject {
+    QJsonObject range;
+    const QStringList parts = ipRange.split('/');
+    range.insert("address", parts[0]);
+    range.insert("range", parts.size() > 1 ? parts[1].toInt() : 32);
+    range.insert("isIpv6", ipRange.contains(':'));
+    return range;
+  };
 
-  if (plainAllowedIP != defaultAllowedIP && !plainAllowedIP.isEmpty()) {
-    // Use AllowedIP list from WG config because of higher priority
-    for (auto v : plainAllowedIP) {
-      QString ipRange = v.toString();
-      if (ipRange.split('/').size() > 1){
-          QJsonObject range;
-          range.insert("address", ipRange.split('/')[0]);
-          range.insert("range", atoi(ipRange.split('/')[1].toLocal8Bit()));
-          range.insert("isIpv6", false);
-          jsAllowedIPAddesses.append(range);
-      } else {
-          QJsonObject range;
-          range.insert("address",ipRange);
-          range.insert("range", 32);
-          range.insert("isIpv6", false);
-          jsAllowedIPAddesses.append(range);
+  QJsonArray peersArray = wgConfig.value("peers").toArray();
+  bool isMultiPeer = peersArray.size() > 1;
+
+  if (isMultiPeer) {
+    // Union of all peers' IPs goes into allowedIPAddressRanges (used for route setup).
+    QSet<QString> seenIps;
+    for (const QJsonValue& peerVal : std::as_const(peersArray)) {
+      for (const QJsonValue& ipVal : peerVal.toObject().value(amnezia::config_key::allowed_ips).toArray()) {
+        const QString ipRange = ipVal.toString().trimmed();
+        if (seenIps.contains(ipRange)) continue;
+        seenIps.insert(ipRange);
+        jsAllowedIPAddesses.append(ipRangeToJson(ipRange));
       }
     }
+
+    // Primary peer's own IPs only — used for UAPI allowed_ips to avoid trie conflicts.
+    QJsonArray primaryPeerIpsJson;
+    for (const QJsonValue& ipVal : peersArray[0].toObject().value(amnezia::config_key::allowed_ips).toArray()) {
+      primaryPeerIpsJson.append(ipRangeToJson(ipVal.toString().trimmed()));
+    }
+    json.insert("primaryPeerAllowedIPAddressRanges", primaryPeerIpsJson);
+
+    QJsonArray additionalPeersJson;
+    for (int i = 1; i < peersArray.size(); ++i) {
+      const QJsonObject peerObj = peersArray[i].toObject();
+      QJsonObject additionalPeer;
+      additionalPeer.insert("serverPublicKey", peerObj.value(amnezia::config_key::server_pub_key));
+      additionalPeer.insert("serverPskKey", peerObj.value(amnezia::config_key::psk_key));
+      additionalPeer.insert("serverIpv4AddrIn", peerObj.value(amnezia::config_key::hostName));
+      additionalPeer.insert("serverPort", peerObj.value(amnezia::config_key::port).toInt());
+      QJsonArray additionalPeerIps;
+      for (const QJsonValue& ipVal : peerObj.value(amnezia::config_key::allowed_ips).toArray()) {
+        additionalPeerIps.append(ipRangeToJson(ipVal.toString().trimmed()));
+      }
+      additionalPeer.insert("allowedIPAddressRanges", additionalPeerIps);
+      additionalPeersJson.append(additionalPeer);
+    }
+    json.insert("additionalPeers", additionalPeersJson);
   } else {
+    QJsonArray plainAllowedIP = wgConfig.value(amnezia::config_key::allowed_ips).toArray();
+    QJsonArray defaultAllowedIP = { "0.0.0.0/0", "::/0" };
 
-    // Use APP split tunnel
+    if (plainAllowedIP != defaultAllowedIP && !plainAllowedIP.isEmpty()) {
+      // Use AllowedIP list from WG config because of higher priority
+      for (auto v : plainAllowedIP) {
+        jsAllowedIPAddesses.append(ipRangeToJson(v.toString().trimmed()));
+      }
+    } else {
+      // Use APP split tunnel
       if (splitTunnelType == 0 || splitTunnelType == 2) {
-          QJsonObject range_ipv4;
-          range_ipv4.insert("address", "0.0.0.0");
-          range_ipv4.insert("range", 0);
-          range_ipv4.insert("isIpv6", false);
-          jsAllowedIPAddesses.append(range_ipv4);
+        QJsonObject range_ipv4;
+        range_ipv4.insert("address", "0.0.0.0");
+        range_ipv4.insert("range", 0);
+        range_ipv4.insert("isIpv6", false);
+        jsAllowedIPAddesses.append(range_ipv4);
 
-          QJsonObject range_ipv6;
-          range_ipv6.insert("address", "::");
-          range_ipv6.insert("range", 0);
-          range_ipv6.insert("isIpv6", true);
-          jsAllowedIPAddesses.append(range_ipv6);
+        QJsonObject range_ipv6;
+        range_ipv6.insert("address", "::");
+        range_ipv6.insert("range", 0);
+        range_ipv6.insert("isIpv6", true);
+        jsAllowedIPAddesses.append(range_ipv6);
       }
 
       if (splitTunnelType == 1) {
-          for (auto v : splitTunnelSites) {
-              QString ipRange = v.toString();
-              if (ipRange.split('/').size() > 1){
-                  QJsonObject range;
-                  range.insert("address", ipRange.split('/')[0]);
-                  range.insert("range", atoi(ipRange.split('/')[1].toLocal8Bit()));
-                  range.insert("isIpv6", false);
-                  jsAllowedIPAddesses.append(range);
-              } else {
-                  QJsonObject range;
-                  range.insert("address",ipRange);
-                  range.insert("range", 32);
-                  range.insert("isIpv6", false);
-                  jsAllowedIPAddesses.append(range);
-              }
-          }
+        for (auto v : splitTunnelSites) {
+          jsAllowedIPAddesses.append(ipRangeToJson(v.toString().trimmed()));
+        }
       }
+    }
   }
 
   json.insert("allowedIPAddressRanges", jsAllowedIPAddesses);
 
   QJsonArray jsExcludedAddresses;
-  jsExcludedAddresses.append(wgConfig.value(amnezia::config_key::hostName));
+  if (isMultiPeer) {
+    for (const QJsonValue& peerVal : std::as_const(peersArray)) {
+      jsExcludedAddresses.append(peerVal.toObject().value(amnezia::config_key::hostName));
+    }
+  } else {
+    jsExcludedAddresses.append(wgConfig.value(amnezia::config_key::hostName));
+  }
   if (splitTunnelType == 2) {
     for (auto v : splitTunnelSites) {
           QString ipRange = v.toString();

client/platforms/android/android_controller.cpp

@@ -101,7 +101,9 @@ bool AndroidController::initialize()
         {"onAuthResult", "(Z)V", reinterpret_cast<void *>(onAuthResult)},
         {"decodeQrCode", "(Ljava/lang/String;)Z", reinterpret_cast<bool *>(decodeQrCode)},
         {"onImeInsetsChanged", "(I)V", reinterpret_cast<void *>(onImeInsetsChanged)},
-        {"onSystemBarsInsetsChanged", "(II)V", reinterpret_cast<void *>(onSystemBarsInsetsChanged)}
+        {"onSystemBarsInsetsChanged", "(II)V", reinterpret_cast<void *>(onSystemBarsInsetsChanged)},
+        {"onActivityPaused", "()V", reinterpret_cast<void *>(onActivityPaused)},
+        {"onActivityResumed", "()V", reinterpret_cast<void *>(onActivityResumed)}
     };
 
     QJniEnvironment env;
@@ -558,3 +560,22 @@ void AndroidController::onSystemBarsInsetsChanged(JNIEnv *env, jobject thiz, jin
     emit AndroidController::instance()->systemBarsInsetsChanged(navBarHeightDp, statusBarHeightDp);
 }
 
+// static
+void AndroidController::onActivityPaused(JNIEnv *env, jobject thiz)
+{
+    Q_UNUSED(env);
+    Q_UNUSED(thiz);
+
+    emit AndroidController::instance()->activityPaused();
+}
+
+// static
+void AndroidController::onActivityResumed(JNIEnv *env, jobject thiz)
+{
+    Q_UNUSED(env);
+    Q_UNUSED(thiz);
+
+    emit AndroidController::instance()->activityResumed();
+}
+
+

client/platforms/android/android_controller.h

@@ -75,6 +75,8 @@ signals:
     void authenticationResult(bool result);
     void imeInsetsChanged(int heightDp);
     void systemBarsInsetsChanged(int navBarHeightDp, int statusBarHeightDp);
+    void activityPaused();
+    void activityResumed();
 
 private:
     bool isWaitingStatus = true;
@@ -105,6 +107,8 @@ private:
     static bool decodeQrCode(JNIEnv *env, jobject thiz, jstring data);
     static void onImeInsetsChanged(JNIEnv *env, jobject thiz, jint heightDp);
     static void onSystemBarsInsetsChanged(JNIEnv *env, jobject thiz, jint navBarHeightDp, jint statusBarHeightDp);
+    static void onActivityPaused(JNIEnv *env, jobject thiz);
+    static void onActivityResumed(JNIEnv *env, jobject thiz);
 
     template <typename Ret, typename ...Args>
     static auto callActivityMethod(const char *methodName, const char *signature, Args &&...args);

client/platforms/ios/PacketTunnelProvider+OpenVPN.swift

@@ -126,8 +126,7 @@ extension PacketTunnelProvider {
         }
 
         vpnReachability.startTracking { [weak self] status in
-            guard status == .reachableViaWiFi else { return }
-            self?.ovpnAdapter?.reconnect(afterTimeInterval: 5)
+            self?.handleOpenVPNReachabilityChange(status)
         }
 
         startHandler = completionHandler

client/platforms/ios/PacketTunnelProvider+WireGuard.swift

@@ -20,7 +20,7 @@ extension PacketTunnelProvider {
 
             let tunnelConfiguration = try TunnelConfiguration(fromWgQuickConfig: wgConfigStr)
 
-            if tunnelConfiguration.peers.first!.allowedIPs
+            if tunnelConfiguration.peers.first?.allowedIPs
                 .map({ $0.stringRepresentation })
                 .joined(separator: ", ") == "0.0.0.0/0, ::/0" {
                 if wgConfig.splitTunnelType == 1 {

client/platforms/ios/PacketTunnelProvider+Xray.swift

@@ -21,6 +21,44 @@ extension Constants {
 }
 
 extension PacketTunnelProvider {
+    private func applyXraySplitTunnel(_ xrayConfig: XrayConfig,
+                                      settings: NEPacketTunnelNetworkSettings) {
+        guard let splitTunnelType = xrayConfig.splitTunnelType else {
+            return
+        }
+
+        guard let splitTunnelSites = xrayConfig.splitTunnelSites else {
+            xrayLog(.error, message: "Split tunnel sites are not set")
+            return
+        }
+
+        if splitTunnelType == 1 {
+            var ipv4IncludedRoutes = [NEIPv4Route]()
+
+            for allowedIPString in splitTunnelSites {
+                if let allowedIP = IPAddressRange(from: allowedIPString) {
+                    ipv4IncludedRoutes.append(NEIPv4Route(
+                        destinationAddress: "\(allowedIP.address)",
+                        subnetMask: "\(allowedIP.subnetMask())"))
+                }
+            }
+
+            settings.ipv4Settings?.includedRoutes = ipv4IncludedRoutes
+        } else if splitTunnelType == 2 {
+            var ipv4ExcludedRoutes = [NEIPv4Route]()
+
+            for excludedIPString in splitTunnelSites {
+                if let excludedIP = IPAddressRange(from: excludedIPString) {
+                    ipv4ExcludedRoutes.append(NEIPv4Route(
+                        destinationAddress: "\(excludedIP.address)",
+                        subnetMask: "\(excludedIP.subnetMask())"))
+                }
+            }
+
+            settings.ipv4Settings?.excludedRoutes = ipv4ExcludedRoutes
+        }
+    }
+
     func startXray(completionHandler: @escaping (Error?) -> Void) {
 
         // Xray configuration
@@ -72,6 +110,7 @@ extension PacketTunnelProvider {
             settings.dnsSettings = !dnsArray.isEmpty
             ? NEDNSSettings(servers: dnsArray)
             : NEDNSSettings(servers: ["1.1.1.1"])
+            applyXraySplitTunnel(xrayConfig, settings: settings)
 
             let xrayConfigData = xrayConfig.config.data(using: .utf8)
 

client/platforms/ios/PacketTunnelProvider.swift

@@ -41,10 +41,15 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
     var ovpnAdapter: OpenVPNAdapter?
     private lazy var openVPNPacketFlowAdapter = PacketTunnelFlowAdapter(flow: packetFlow)
     private let pathMonitorQueue = DispatchQueue(label: Constants.processQueueName + ".path-monitor")
+    private let networkChangeQueue = DispatchQueue(label: Constants.processQueueName + ".network-change")
     private let pathMonitor = NWPathMonitor()
     private var didReceiveInitialPathUpdate = false
     private var currentPath: Network.NWPath?
     private var currentPathSignature: String?
+    private var pendingOpenVPNReconnectWorkItem: DispatchWorkItem?
+    private var pendingNetworkChangeWorkItem: DispatchWorkItem?
+    private var isApplyingNetworkChange = false
+    private var lastOpenVPNReachabilityStatus: OpenVPNReachabilityStatus?
 
     var splitTunnelType: Int?
     var splitTunnelSites: [String]?
@@ -78,14 +83,22 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
 
             guard hasMeaningfulChange, let proto = self.protoType else { return }
 
-            // WireGuard/AWG manages network changes internally; avoid restarting the tunnel here.
+            // WireGuard/AWG manages network changes internally in its own adapter.
             if proto == .wireguard {
                 return
             }
 
-            DispatchQueue.main.async {
-                self.handle(networkChange: path) { _ in }
+            if proto == .openvpn {
+                self.scheduleOpenVPNReconnect(reason: "NWPath changed")
+                return
             }
+
+            if self.isApplyingNetworkChange || self.reasserting {
+                xrayLog(.debug, message: "Ignoring path change while xray restart is in progress")
+                return
+            }
+
+            self.scheduleNetworkChangeHandling(for: proto, path: path)
         }
         pathMonitor.start(queue: pathMonitorQueue)
 
@@ -197,6 +210,8 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
             return
         }
 
+        cancelPendingOpenVPNReconnect()
+        cancelPendingNetworkChangeHandling()
         didReceiveInitialPathUpdate = false
         updateActiveInterfaceIndexForCurrentPath()
 
@@ -215,6 +230,9 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
 
   
     override func stopTunnel(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
+        cancelPendingOpenVPNReconnect()
+        cancelPendingNetworkChangeHandling()
+
         guard let protoType else {
             completionHandler()
             return
@@ -259,9 +277,111 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
     }
   
     private func handle(networkChange changePath: Network.NWPath, completion: @escaping (Error?) -> Void) {
+        guard protoType == .xray else {
+            updateActiveInterfaceIndex(for: changePath)
+            completion(nil)
+            return
+        }
+
         updateActiveInterfaceIndex(for: changePath)
-        wg_log(.info, message: "Tunnel restarted.")
-        startTunnel(options: nil, completionHandler: completion)
+        reasserting = true
+        xrayLog(.info, message: "Applying network change to xray tunnel")
+        stopXray { }
+        startXray { [weak self] error in
+            self?.reasserting = false
+            completion(error)
+        }
+    }
+
+    private func scheduleNetworkChangeHandling(for proto: TunnelProtoType, path: Network.NWPath) {
+        guard proto == .xray else { return }
+
+        pendingNetworkChangeWorkItem?.cancel()
+
+        let workItem = DispatchWorkItem { [weak self] in
+            guard let self else { return }
+            self.pendingNetworkChangeWorkItem = nil
+
+            if self.isApplyingNetworkChange || self.reasserting {
+                xrayLog(.debug, message: "Skipping network change while restart is already in progress")
+                return
+            }
+
+            self.isApplyingNetworkChange = true
+            DispatchQueue.main.async {
+                self.handle(networkChange: path) { [weak self] _ in
+                    self?.networkChangeQueue.async {
+                        self?.isApplyingNetworkChange = false
+                    }
+                }
+            }
+        }
+
+        pendingNetworkChangeWorkItem = workItem
+        networkChangeQueue.asyncAfter(deadline: .now() + 1.0, execute: workItem)
+    }
+
+    private func scheduleOpenVPNReconnect(reason: String) {
+        guard protoType == .openvpn else { return }
+
+        pendingOpenVPNReconnectWorkItem?.cancel()
+
+        let workItem = DispatchWorkItem { [weak self] in
+            guard let self else { return }
+            self.pendingOpenVPNReconnectWorkItem = nil
+
+            guard self.protoType == .openvpn else { return }
+
+            if self.reasserting {
+                ovpnLog(.debug, message: "Skipping OpenVPN reconnect while session is already reasserting")
+                return
+            }
+
+            DispatchQueue.main.async { [weak self] in
+                guard let self else { return }
+                guard !self.reasserting else {
+                    ovpnLog(.debug, message: "Skipping OpenVPN reconnect while session is already reasserting")
+                    return
+                }
+
+                ovpnLog(.info, message: "\(reason), reconnecting OpenVPN session")
+                self.ovpnAdapter?.reconnect(afterTimeInterval: 1)
+            }
+        }
+
+        pendingOpenVPNReconnectWorkItem = workItem
+        networkChangeQueue.asyncAfter(deadline: .now() + 1.0, execute: workItem)
+    }
+
+    func handleOpenVPNReachabilityChange(_ status: OpenVPNReachabilityStatus) {
+        defer { lastOpenVPNReachabilityStatus = status }
+
+        guard let previousStatus = lastOpenVPNReachabilityStatus else {
+            return
+        }
+
+        guard previousStatus != status else {
+            return
+        }
+
+        switch status {
+        case .reachableViaWiFi, .reachableViaWWAN:
+            scheduleOpenVPNReconnect(reason: "Reachability changed")
+        default:
+            break
+        }
+    }
+
+    private func cancelPendingOpenVPNReconnect() {
+        pendingOpenVPNReconnectWorkItem?.cancel()
+        pendingOpenVPNReconnectWorkItem = nil
+        lastOpenVPNReachabilityStatus = nil
+    }
+
+    private func cancelPendingNetworkChangeHandling() {
+        pendingNetworkChangeWorkItem?.cancel()
+        pendingNetworkChangeWorkItem = nil
+        isApplyingNetworkChange = false
     }
 }
 
@@ -271,8 +391,14 @@ private extension PacketTunnelProvider {
         signatureComponents.append(path.isExpensive ? "exp" : "noexp")
         signatureComponents.append(path.isConstrained ? "con" : "nocon")
 
-        let preferredTypes: [NWInterface.InterfaceType] = [.wiredEthernet, .wifi, .cellular, .loopback, .other]
-        let sortedInterfaces = path.availableInterfaces.sorted { lhs, rhs in
+        // Ignore loopback and tunnel-style `.other` interfaces so Xray does not
+        // react to its own utun lifecycle as if the physical uplink changed.
+        let preferredTypes: [NWInterface.InterfaceType] = [.wiredEthernet, .wifi, .cellular]
+        let externalInterfaces = path.availableInterfaces.filter { interface in
+            interface.type == .wiredEthernet || interface.type == .wifi || interface.type == .cellular
+        }
+
+        let sortedInterfaces = externalInterfaces.sorted { lhs, rhs in
             if lhs.type == rhs.type {
                 return lhs.index < rhs.index
             }
@@ -293,8 +419,8 @@ private extension PacketTunnelProvider {
             case .wiredEthernet: typeName = "ethernet"
             case .wifi: typeName = "wifi"
             case .cellular: typeName = "cellular"
-            case .loopback: typeName = "loopback"
-            case .other: typeName = "other"
+            case .loopback, .other:
+                continue
             @unknown default: typeName = "unknown"
             }
             signatureComponents.append("\(typeName):\(interface.index)")

client/platforms/ios/WGConfig.swift

@@ -1,5 +1,23 @@
 import Foundation
 
+struct WGPeerConfig: Decodable {
+  let serverPublicKey: String
+  let presharedKey: String?
+  let allowedIPs: [String]
+  let hostName: String
+  let port: Int
+  let persistentKeepAlive: String?
+
+  enum CodingKeys: String, CodingKey {
+    case serverPublicKey = "server_pub_key"
+    case presharedKey = "psk_key"
+    case allowedIPs = "allowed_ips"
+    case hostName
+    case port
+    case persistentKeepAlive = "persistent_keep_alive"
+  }
+}
+
 struct WGConfig: Decodable {
   let initPacketMagicHeader, responsePacketMagicHeader: String?
   let underloadPacketMagicHeader, transportPacketMagicHeader: String?
@@ -19,6 +37,7 @@ struct WGConfig: Decodable {
   var persistentKeepAlive: String
   let splitTunnelType: Int
   let splitTunnelSites: [String]
+  let peers: [WGPeerConfig]?
 
   enum CodingKeys: String, CodingKey {
     case initPacketMagicHeader = "H1", responsePacketMagicHeader = "H2"
@@ -39,6 +58,7 @@ struct WGConfig: Decodable {
     case persistentKeepAlive = "persistent_keep_alive"
     case splitTunnelType
     case splitTunnelSites
+    case peers
   }
 
   var settings: String {
@@ -103,7 +123,7 @@ struct WGConfig: Decodable {
     return settingsLines.joined(separator: "\n")
   }
 
-  var str: String {
+  private var interfaceSection: String {
     """
     [Interface]
     Address = \(clientIP)
@@ -111,9 +131,30 @@ struct WGConfig: Decodable {
     MTU = \(mtu)
     PrivateKey = \(clientPrivateKey)
     \(settings)
+    """
+  }
+
+  var str: String {
+    if let peers = peers, !peers.isEmpty {
+      let peerSections = peers.map { peer -> String in
+        var lines = ["[Peer]", "PublicKey = \(peer.serverPublicKey)"]
+        if let psk = peer.presharedKey, !psk.isEmpty {
+          lines.append("PresharedKey = \(psk)")
+        }
+        lines.append("AllowedIPs = \(peer.allowedIPs.joined(separator: ", "))")
+        lines.append("Endpoint = \(peer.hostName):\(peer.port)")
+        if let ka = peer.persistentKeepAlive {
+          lines.append("PersistentKeepalive = \(ka)")
+        }
+        return lines.joined(separator: "\n")
+      }.joined(separator: "\n")
+      return interfaceSection + "\n" + peerSections
+    }
+    return """
+    \(interfaceSection)
     [Peer]
     PublicKey = \(serverPublicKey)
-    \(presharedKey == nil ? "" : "PresharedKey = \(presharedKey!)")
+    \((presharedKey?.isEmpty ?? true) ? "" : "PresharedKey = \(presharedKey!)")
     AllowedIPs = \(allowedIPs.joined(separator: ", "))
     Endpoint = \(hostName):\(port)
     PersistentKeepalive = \(persistentKeepAlive)
@@ -121,19 +162,21 @@ struct WGConfig: Decodable {
   }
 
   var redux: String {
-    """
+    let peerCount = peers?.count ?? 1
+    let peerInfo = peers.map { peers in
+      peers.enumerated().map { i, peer in
+        "[Peer \(i + 1)] Endpoint = \(peer.hostName):\(peer.port), AllowedIPs = \(peer.allowedIPs.joined(separator: ", "))"
+      }.joined(separator: "\n")
+    } ?? "Endpoint = \(hostName):\(port), AllowedIPs = \(allowedIPs.joined(separator: ", "))"
+    return """
     [Interface]
     Address = \(clientIP)
     DNS = \(dns1), \(dns2)
     MTU = \(mtu)
     PrivateKey = ***
     \(settings)
-    [Peer]
-    PublicKey = ***
-    PresharedKey = ***
-    AllowedIPs = \(allowedIPs.joined(separator: ", "))
-    Endpoint = \(hostName):\(port)
-    PersistentKeepalive = \(persistentKeepAlive)
+    PeerCount = \(peerCount)
+    \(peerInfo)
 
     SplitTunnelType = \(splitTunnelType)
     SplitTunnelSites = \(splitTunnelSites.joined(separator: ", "))

client/platforms/ios/XrayConfig.swift

@@ -3,5 +3,7 @@ import Foundation
 struct XrayConfig: Decodable {
     let dns1: String?
     let dns2: String?
+    let splitTunnelType: Int?
+    let splitTunnelSites: [String]?
     let config: String
 }

client/platforms/ios/ios_controller.mm

@@ -652,6 +652,10 @@ bool IosController::setupWireGuard()
         wgConfig.insert(config_key::persistent_keep_alive, "25");
     }
 
+    if (config.contains("peers") && config["peers"].isArray()) {
+        wgConfig.insert("peers", config["peers"]);
+    }
+
     if (config.contains(config_key::isObfuscationEnabled) && config.value(config_key::isObfuscationEnabled).toBool()) {
         wgConfig.insert(config_key::initPacketMagicHeader, config[config_key::initPacketMagicHeader]);
         wgConfig.insert(config_key::responsePacketMagicHeader, config[config_key::responsePacketMagicHeader]);
@@ -684,6 +688,15 @@ bool IosController::setupXray()
     QJsonObject finalConfig;
     finalConfig.insert(config_key::dns1, m_rawConfig[config_key::dns1].toString());
     finalConfig.insert(config_key::dns2, m_rawConfig[config_key::dns2].toString());
+    finalConfig.insert(config_key::splitTunnelType, m_rawConfig[config_key::splitTunnelType]);
+
+    QJsonArray splitTunnelSites = m_rawConfig[config_key::splitTunnelSites].toArray();
+
+    for(int index = 0; index < splitTunnelSites.count(); index++) {
+        splitTunnelSites[index] = splitTunnelSites[index].toString().remove(" ");
+    }
+
+    finalConfig.insert(config_key::splitTunnelSites, splitTunnelSites);
     finalConfig.insert(config_key::config, xrayConfigStr);
 
     QJsonDocument finalConfigDoc(finalConfig);
@@ -726,7 +739,29 @@ bool IosController::setupAwg()
 
     wgConfig.insert(config_key::hostName, config[config_key::hostName]);
     wgConfig.insert(config_key::port, config[config_key::port]);
-    wgConfig.insert(config_key::client_ip, config[config_key::client_ip]);
+
+    bool isMultiPeer = config.contains("peers") && config["peers"].isArray()
+                       && !config["peers"].toArray().isEmpty();
+
+    if (isMultiPeer) {
+        // Use only the first client IP (peer 1's IP)
+        QString fullClientIp = config[config_key::client_ip].toString();
+        QStringList ipList = fullClientIp.split(",");
+        QString firstClientIp = ipList.isEmpty() ? fullClientIp : ipList.first().trimmed();
+        wgConfig.insert(config_key::client_ip, firstClientIp);
+        // Route all traffic through peer 1
+        QJsonArray allowed_ips { "0.0.0.0/0", "::/0" };
+        wgConfig.insert(config_key::allowed_ips, allowed_ips);
+    } else {
+        wgConfig.insert(config_key::client_ip, config[config_key::client_ip]);
+        if (config.contains(config_key::allowed_ips) && config[config_key::allowed_ips].isArray()) {
+            wgConfig.insert(config_key::allowed_ips, config[config_key::allowed_ips]);
+        } else {
+            QJsonArray allowed_ips { "0.0.0.0/0", "::/0" };
+            wgConfig.insert(config_key::allowed_ips, allowed_ips);
+        }
+    }
+
     wgConfig.insert(config_key::client_priv_key, config[config_key::client_priv_key]);
     wgConfig.insert(config_key::server_pub_key, config[config_key::server_pub_key]);
     wgConfig.insert(config_key::psk_key, config[config_key::psk_key]);
@@ -740,13 +775,6 @@ bool IosController::setupAwg()
 
     wgConfig.insert(config_key::splitTunnelSites, splitTunnelSites);
 
-    if (config.contains(config_key::allowed_ips) && config[config_key::allowed_ips].isArray()) {
-        wgConfig.insert(config_key::allowed_ips, config[config_key::allowed_ips]);
-    } else {
-        QJsonArray allowed_ips { "0.0.0.0/0", "::/0" };
-        wgConfig.insert(config_key::allowed_ips, allowed_ips);
-    }
-
     if (config.contains(config_key::persistent_keep_alive)) {
         wgConfig.insert(config_key::persistent_keep_alive, config[config_key::persistent_keep_alive]);
     } else {

client/platforms/linux/daemon/iputilslinux.cpp

@@ -5,8 +5,12 @@
 #include "iputilslinux.h"
 
 #include <arpa/inet.h>
+#include <linux/if_addr.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
 #include <net/if.h>
 #include <sys/ioctl.h>
+#include <sys/socket.h>
 #include <unistd.h>
 
 #include <QHostAddress>
@@ -71,39 +75,104 @@ bool IPUtilsLinux::setMTUAndUp(const InterfaceConfig& config) {
   return true;
 }
 
-bool IPUtilsLinux::addIP4AddressToDevice(const InterfaceConfig& config) {
-  struct ifreq ifr;
-  struct sockaddr_in* ifrAddr = (struct sockaddr_in*)&ifr.ifr_addr;
+static bool addIPv4AddressNetlink(int ifindex, const QHostAddress& addr,
+                                   int prefixlen) {
+  int nlsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+  if (nlsock < 0) return false;
+  auto guard = qScopeGuard([&] { close(nlsock); });
 
-  // Name the interface and set family
-  strncpy(ifr.ifr_name, WG_INTERFACE, IFNAMSIZ);
-  ifr.ifr_addr.sa_family = AF_INET;
+  char buf[512];
+  memset(buf, 0, sizeof(buf));
 
-  // Get the device address to add to interface
-  QPair<QHostAddress, int> parsedAddr =
-      QHostAddress::parseSubnet(config.m_deviceIpv4Address);
-  QByteArray _deviceAddr = parsedAddr.first.toString().toLocal8Bit();
-  char* deviceAddr = _deviceAddr.data();
-  inet_pton(AF_INET, deviceAddr, &ifrAddr->sin_addr);
+  struct nlmsghdr* nlmsg = reinterpret_cast<struct nlmsghdr*>(buf);
+  nlmsg->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
+  nlmsg->nlmsg_type = RTM_NEWADDR;
+  nlmsg->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_REPLACE | NLM_F_ACK;
+  nlmsg->nlmsg_seq = 1;
+  nlmsg->nlmsg_pid = 0;
 
-  // Create IPv4 socket to perform the ioctl operations on
-  int sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP);
-  if (sockfd < 0) {
-    logger.error() << "Failed to create ioctl socket.";
+  struct ifaddrmsg* ifa = static_cast<struct ifaddrmsg*>(NLMSG_DATA(nlmsg));
+  ifa->ifa_family = AF_INET;
+  ifa->ifa_prefixlen = prefixlen;
+  ifa->ifa_flags = IFA_F_PERMANENT;
+  ifa->ifa_scope = RT_SCOPE_UNIVERSE;
+  ifa->ifa_index = ifindex;
+
+  struct in_addr ip4;
+  QByteArray addrBytes = addr.toString().toLocal8Bit();
+  inet_pton(AF_INET, addrBytes.constData(), &ip4);
+
+  auto appendAttr = [](struct nlmsghdr* nlmsg, size_t maxlen, int type,
+                        const void* data, size_t len) {
+    size_t newlen = NLMSG_ALIGN(nlmsg->nlmsg_len) + RTA_SPACE(len);
+    if (newlen > maxlen) return;
+    char* p = reinterpret_cast<char*>(nlmsg) + NLMSG_ALIGN(nlmsg->nlmsg_len);
+    struct rtattr* rta = reinterpret_cast<struct rtattr*>(p);
+    rta->rta_type = type;
+    rta->rta_len = RTA_LENGTH(len);
+    memcpy(RTA_DATA(rta), data, len);
+    nlmsg->nlmsg_len = newlen;
+  };
+
+  appendAttr(nlmsg, sizeof(buf), IFA_LOCAL, &ip4, sizeof(ip4));
+  appendAttr(nlmsg, sizeof(buf), IFA_ADDRESS, &ip4, sizeof(ip4));
+
+  struct sockaddr_nl nladdr;
+  memset(&nladdr, 0, sizeof(nladdr));
+  nladdr.nl_family = AF_NETLINK;
+
+  if (sendto(nlsock, buf, nlmsg->nlmsg_len, 0,
+             reinterpret_cast<struct sockaddr*>(&nladdr),
+             sizeof(nladdr)) < 0) {
     return false;
   }
-  auto guard = qScopeGuard([&] { close(sockfd); });
 
-  // Set ifr to interface
-  int ret = ioctl(sockfd, SIOCSIFADDR, &ifr);
-  if (ret) {
-    logger.error() << "Failed to set IPv4: " << deviceAddr
-                   << "error:" << strerror(errno);
-    return false;
+  char ackbuf[1024];
+  ssize_t acklen = recv(nlsock, ackbuf, sizeof(ackbuf), 0);
+  if (acklen >= static_cast<ssize_t>(sizeof(struct nlmsghdr))) {
+    struct nlmsghdr* ackmsg = reinterpret_cast<struct nlmsghdr*>(ackbuf);
+    if (ackmsg->nlmsg_type == NLMSG_ERROR) {
+      struct nlmsgerr* err = static_cast<struct nlmsgerr*>(NLMSG_DATA(ackmsg));
+      if (err->error != 0) {
+        errno = -err->error;
+        return false;
+      }
+    }
   }
   return true;
 }
 
+bool IPUtilsLinux::addIP4AddressToDevice(const InterfaceConfig& config) {
+  if (config.m_deviceIpv4Address.isEmpty()) return true;
+
+  int ifindex = if_nametoindex(WG_INTERFACE);
+  if (ifindex == 0) {
+    logger.error() << "Failed to get ifindex for" << WG_INTERFACE;
+    return false;
+  }
+
+  bool ok = false;
+  const QStringList addresses =
+      config.m_deviceIpv4Address.split(',', Qt::SkipEmptyParts);
+  for (const QString& entry : addresses) {
+    QPair<QHostAddress, int> parsed =
+        QHostAddress::parseSubnet(entry.trimmed());
+    if (parsed.first.isNull()) {
+      logger.warning() << "Failed to parse IPv4 address:" << entry.trimmed();
+      continue;
+    }
+    if (!addIPv4AddressNetlink(ifindex, parsed.first, parsed.second)) {
+      logger.error() << "Failed to add IPv4" << parsed.first.toString() << "/"
+                     << parsed.second << ":" << strerror(errno);
+    } else {
+      logger.debug() << "Added IPv4" << parsed.first.toString() << "/"
+                     << parsed.second << "to" << WG_INTERFACE;
+      ok = true;
+    }
+  }
+  return ok;
+}
+
 bool IPUtilsLinux::addIP6AddressToDevice(const InterfaceConfig& config) {
   // Set up the ifr and the companion ifr6
   struct in6_ifreq ifr6;

client/platforms/linux/daemon/wireguardutilslinux.cpp

@@ -230,7 +230,10 @@ bool WireguardUtilsLinux::updatePeer(const InterfaceConfig& config) {
 
     out << "replace_allowed_ips=true\n";
     out << "persistent_keepalive_interval=" << WG_KEEPALIVE_PERIOD << "\n";
-    for (const IPAddress& ip : config.m_allowedIPAddressRanges) {
+    const QList<IPAddress>& primaryIPs = config.m_primaryPeerAllowedIPRanges.isEmpty()
+        ? config.m_allowedIPAddressRanges
+        : config.m_primaryPeerAllowedIPRanges;
+    for (const IPAddress& ip : primaryIPs) {
         out << "allowed_ip=" << ip.toString() << "\n";
     }
 
@@ -244,8 +247,38 @@ bool WireguardUtilsLinux::updatePeer(const InterfaceConfig& config) {
     int err = uapiErrno(uapiCommand(message));
     if (err != 0) {
         logger.error() << "Peer configuration failed:" << strerror(err);
+        return false;
     }
-    return (err == 0);
+
+    for (const InterfaceConfig::AdditionalPeerConfig& peer : config.m_additionalPeers) {
+        QByteArray pubKey = QByteArray::fromBase64(peer.m_serverPublicKey.toUtf8());
+        QByteArray pskKey = QByteArray::fromBase64(peer.m_serverPskKey.toUtf8());
+
+        QString peerMsg;
+        QTextStream peerOut(&peerMsg);
+        peerOut << "set=1\n";
+        peerOut << "public_key=" << QString(pubKey.toHex()) << "\n";
+        if (!peer.m_serverPskKey.isEmpty()) {
+            peerOut << "preshared_key=" << QString(pskKey.toHex()) << "\n";
+        }
+        peerOut << "endpoint=" << peer.m_serverIpv4AddrIn << ":" << peer.m_serverPort << "\n";
+        peerOut << "replace_allowed_ips=true\n";
+        peerOut << "persistent_keepalive_interval=" << WG_KEEPALIVE_PERIOD << "\n";
+        for (const IPAddress& ip : peer.m_allowedIPAddressRanges) {
+            peerOut << "allowed_ip=" << ip.toString() << "\n";
+        }
+
+        if ((config.m_hopType != InterfaceConfig::MultiHopExit) && m_rtmonitor) {
+            m_rtmonitor->addExclusionRoute(IPAddress(peer.m_serverIpv4AddrIn));
+        }
+
+        int peerErr = uapiErrno(uapiCommand(peerMsg));
+        if (peerErr != 0) {
+            logger.error() << "Additional peer configuration failed:" << strerror(peerErr);
+        }
+    }
+
+    return true;
 }
 
 bool WireguardUtilsLinux::deletePeer(const InterfaceConfig& config) {

client/platforms/macos/daemon/iputilsmacos.cpp

@@ -80,7 +80,9 @@ bool IPUtilsMacos::setMTUAndUp(const InterfaceConfig& config) {
 }
 
 bool IPUtilsMacos::addIP4AddressToDevice(const InterfaceConfig& config) {
-  Q_UNUSED(config);
+  if (config.m_deviceIpv4Address.isEmpty()) {
+    return true;
+  }
   QString ifname = MacOSDaemon::instance()->m_wgutils->interfaceName();
   struct ifaliasreq ifr;
   struct sockaddr_in* ifrAddr = (struct sockaddr_in*)&ifr.ifra_addr;
@@ -91,25 +93,28 @@ bool IPUtilsMacos::addIP4AddressToDevice(const InterfaceConfig& config) {
   memset(&ifr, 0, sizeof(ifr));
   strncpy(ifr.ifra_name, qPrintable(ifname), IFNAMSIZ);
 
-  // Get the device address to add to interface
-  QPair<QHostAddress, int> parsedAddr =
-      QHostAddress::parseSubnet(config.m_deviceIpv4Address);
-  QByteArray _deviceAddr = parsedAddr.first.toString().toLocal8Bit();
+  // Extract the host IP from CIDR notation (e.g. "10.8.0.2/24" → "10.8.0.2").
+  // parseSubnet() zeroes host bits so we split manually to preserve the host address.
+  QByteArray _deviceAddr = config.m_deviceIpv4Address.split('/').first().toLocal8Bit();
   char* deviceAddr = _deviceAddr.data();
   ifrAddr->sin_family = AF_INET;
   ifrAddr->sin_len = sizeof(struct sockaddr_in);
-  inet_pton(AF_INET, deviceAddr, &ifrAddr->sin_addr);
+  if (inet_pton(AF_INET, deviceAddr, &ifrAddr->sin_addr) != 1) {
+    logger.error() << "Failed to parse IPv4 address:" << deviceAddr;
+    return false;
+  }
 
   // Set the netmask to /32
   ifrMask->sin_family = AF_INET;
   ifrMask->sin_len = sizeof(struct sockaddr_in);
   memset(&ifrMask->sin_addr, 0xff, sizeof(ifrMask->sin_addr));
 
-  // Set the broadcast address.
+  // For P2P (utun) interfaces, ifra_broadaddr is the destination address.
+  // Set it equal to the local address to create only a host route (not a network
+  // route that would cause a routing loop).
   ifrBcast->sin_family = AF_INET;
   ifrBcast->sin_len = sizeof(struct sockaddr_in);
-  ifrBcast->sin_addr.s_addr =
-      (ifrAddr->sin_addr.s_addr | ~ifrMask->sin_addr.s_addr);
+  ifrBcast->sin_addr.s_addr = ifrAddr->sin_addr.s_addr;
 
   // Create an IPv4 socket to perform the ioctl operations on
   int sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP);

client/platforms/macos/daemon/wireguardutilsmacos.cpp

@@ -230,7 +230,11 @@ bool WireguardUtilsMacos::updatePeer(const InterfaceConfig& config) {
 
   out << "replace_allowed_ips=true\n";
   out << "persistent_keepalive_interval=" << WG_KEEPALIVE_PERIOD << "\n";
-  for (const IPAddress& ip : config.m_allowedIPAddressRanges) {
+  // For multi-peer use only the primary peer's own IPs to avoid routing trie conflicts.
+  const QList<IPAddress>& primaryIPs = config.m_primaryPeerAllowedIPRanges.isEmpty()
+      ? config.m_allowedIPAddressRanges
+      : config.m_primaryPeerAllowedIPRanges;
+  for (const IPAddress& ip : primaryIPs) {
     out << "allowed_ip=" << ip.toString() << "\n";
   }
 
@@ -244,8 +248,38 @@ bool WireguardUtilsMacos::updatePeer(const InterfaceConfig& config) {
   int err = uapiErrno(uapiCommand(message));
   if (err != 0) {
     logger.error() << "Peer configuration failed:" << strerror(err);
+    return false;
   }
-  return (err == 0);
+
+  for (const InterfaceConfig::AdditionalPeerConfig& peer : config.m_additionalPeers) {
+    QByteArray pubKey = QByteArray::fromBase64(peer.m_serverPublicKey.toUtf8());
+    QByteArray pskKey = QByteArray::fromBase64(peer.m_serverPskKey.toUtf8());
+
+    QString peerMsg;
+    QTextStream peerOut(&peerMsg);
+    peerOut << "set=1\n";
+    peerOut << "public_key=" << QString(pubKey.toHex()) << "\n";
+    if (!peer.m_serverPskKey.isEmpty()) {
+      peerOut << "preshared_key=" << QString(pskKey.toHex()) << "\n";
+    }
+    peerOut << "endpoint=" << peer.m_serverIpv4AddrIn << ":" << peer.m_serverPort << "\n";
+    peerOut << "replace_allowed_ips=true\n";
+    peerOut << "persistent_keepalive_interval=" << WG_KEEPALIVE_PERIOD << "\n";
+    for (const IPAddress& ip : peer.m_allowedIPAddressRanges) {
+      peerOut << "allowed_ip=" << ip.toString() << "\n";
+    }
+
+    if ((config.m_hopType != InterfaceConfig::MultiHopExit) && m_rtmonitor) {
+      m_rtmonitor->addExclusionRoute(IPAddress(peer.m_serverIpv4AddrIn));
+    }
+
+    int peerErr = uapiErrno(uapiCommand(peerMsg));
+    if (peerErr != 0) {
+      logger.error() << "Additional peer configuration failed:" << strerror(peerErr);
+    }
+  }
+
+  return true;
 }
 
 bool WireguardUtilsMacos::deletePeer(const InterfaceConfig& config) {

client/platforms/windows/daemon/wireguardutilswindows.cpp

@@ -181,7 +181,10 @@ bool WireguardUtilsWindows::updatePeer(const InterfaceConfig& config) {
 
   out << "replace_allowed_ips=true\n";
   out << "persistent_keepalive_interval=" << WG_KEEPALIVE_PERIOD << "\n";
-  for (const IPAddress& ip : config.m_allowedIPAddressRanges) {
+  const QList<IPAddress>& primaryIPs = config.m_primaryPeerAllowedIPRanges.isEmpty()
+      ? config.m_allowedIPAddressRanges
+      : config.m_primaryPeerAllowedIPRanges;
+  for (const IPAddress& ip : primaryIPs) {
     out << "allowed_ip=" << ip.toString() << "\n";
   }
 
@@ -193,6 +196,33 @@ bool WireguardUtilsWindows::updatePeer(const InterfaceConfig& config) {
 
   QString reply = m_tunnel.uapiCommand(message);
   logger.debug() << "DATA:" << reply;
+
+  for (const InterfaceConfig::AdditionalPeerConfig& peer : config.m_additionalPeers) {
+    QByteArray pubKey = QByteArray::fromBase64(peer.m_serverPublicKey.toUtf8());
+    QByteArray pskKey = QByteArray::fromBase64(peer.m_serverPskKey.toUtf8());
+
+    QString peerMsg;
+    QTextStream peerOut(&peerMsg);
+    peerOut << "set=1\n";
+    peerOut << "public_key=" << QString(pubKey.toHex()) << "\n";
+    if (!peer.m_serverPskKey.isEmpty()) {
+      peerOut << "preshared_key=" << QString(pskKey.toHex()) << "\n";
+    }
+    peerOut << "endpoint=" << peer.m_serverIpv4AddrIn << ":" << peer.m_serverPort << "\n";
+    peerOut << "replace_allowed_ips=true\n";
+    peerOut << "persistent_keepalive_interval=" << WG_KEEPALIVE_PERIOD << "\n";
+    for (const IPAddress& ip : peer.m_allowedIPAddressRanges) {
+      peerOut << "allowed_ip=" << ip.toString() << "\n";
+    }
+
+    if (m_routeMonitor && config.m_hopType != InterfaceConfig::MultiHopExit) {
+      m_routeMonitor->addExclusionRoute(IPAddress(peer.m_serverIpv4AddrIn));
+    }
+
+    QString peerReply = m_tunnel.uapiCommand(peerMsg);
+    logger.debug() << "Additional peer DATA:" << peerReply;
+  }
+
   return true;
 }
 

client/resources.qrc

@@ -135,6 +135,7 @@
         <file>ui/qml/Components/InstalledAppsDrawer.qml</file>
         <file>ui/qml/Components/QuestionDrawer.qml</file>
         <file>ui/qml/Components/SelectLanguageDrawer.qml</file>
+        <file>ui/qml/Components/SubscriptionExpiredDrawer.qml</file>
         <file>ui/qml/Components/ServersListView.qml</file>
         <file>ui/qml/Components/SettingsContainersListView.qml</file>
         <file>ui/qml/Components/TransportProtoSelector.qml</file>

client/ui/controllers/api/apiConfigsController.cpp

@@ -366,6 +366,8 @@ bool ApiConfigsController::fillAvailableServices()
 {
     QJsonObject apiPayload;
     apiPayload[configKey::osVersion] = QSysInfo::productType();
+    apiPayload[configKey::appVersion] = QString(APP_VERSION);
+    apiPayload[apiDefs::key::cliName] = QString(APPLICATION_NAME);
     apiPayload[apiDefs::key::appLanguage] = m_settings->getAppLanguage().name().split("_").first();
 
     QByteArray responseBody;
@@ -447,7 +449,7 @@ bool ApiConfigsController::importService()
             importSerivceFromAppStore();
             return true;
         }
-    } else {
+    } else if (m_apiServicesModel->getSelectedServiceType() == serviceType::amneziaFree) {
         importServiceFromGateway();
         return true;
     }
@@ -721,6 +723,7 @@ bool ApiConfigsController::updateServiceFromGateway(const int serverIndex, const
     }
 
     bool isTestPurchase = apiConfig.value(apiDefs::key::isTestPurchase).toBool(false);
+    bool wasSubscriptionExpired = m_serversModel->data(serverIndex, ServersModel::IsSubscriptionExpiredRole).toBool();
     QByteArray responseBody;
     ErrorCode errorCode = executeRequest(QString("%1v1/config"), apiPayload, responseBody, isTestPurchase);
 
@@ -747,6 +750,11 @@ bool ApiConfigsController::updateServiceFromGateway(const int serverIndex, const
             newServerConfig.insert(config_key::nameOverriddenByUser, true);
         }
         m_serversModel->editServer(newServerConfig, serverIndex);
+
+        if (wasSubscriptionExpired) {
+            emit subscriptionRefreshNeeded();
+        }
+
         if (reloadServiceConfig) {
             emit reloadServerFromApiFinished(tr("API config reloaded"));
         } else if (newCountryName.isEmpty()) {
@@ -756,7 +764,11 @@ bool ApiConfigsController::updateServiceFromGateway(const int serverIndex, const
         }
         return true;
     } else {
-        emit errorOccurred(errorCode);
+        if (errorCode == ErrorCode::ApiSubscriptionExpiredError) {
+            emit subscriptionExpiredOnServer();
+        } else {
+            emit errorOccurred(errorCode);
+        }
         return false;
     }
 }

client/ui/controllers/api/apiConfigsController.h

@@ -43,6 +43,8 @@ public slots:
 
 signals:
     void errorOccurred(ErrorCode errorCode);
+    void subscriptionExpiredOnServer();
+    void subscriptionRefreshNeeded();
 
     void installServerFromApiFinished(const QString &message);
     void changeApiCountryFinished(const QString &message);

client/ui/controllers/api/apiSettingsController.cpp

@@ -1,6 +1,7 @@
 #include "apiSettingsController.h"
 
 #include <QEventLoop>
+#include <QJsonDocument>
 #include <QTimer>
 
 #include "core/api/apiUtils.h"
@@ -77,6 +78,13 @@ bool ApiSettingsController::getAccountInfo(bool reload)
     QJsonObject accountInfo = QJsonDocument::fromJson(responseBody).object();
     m_apiAccountInfoModel->updateModel(accountInfo, serverConfig);
 
+    QString subscriptionEndDate = accountInfo.value(apiDefs::key::subscriptionEndDate).toString();
+    if (!subscriptionEndDate.isEmpty()) {
+        apiConfig.insert(apiDefs::key::subscriptionEndDate, subscriptionEndDate);
+        serverConfig.insert(configKey::apiConfig, apiConfig);
+        m_serversModel->editServer(serverConfig, processedIndex);
+    }
+
     if (reload) {
         updateApiCountryModel();
         updateApiDevicesModel();
@@ -85,6 +93,42 @@ bool ApiSettingsController::getAccountInfo(bool reload)
     return true;
 }
 
+void ApiSettingsController::getRenewalLink()
+{
+    auto processedIndex = m_serversModel->getProcessedServerIndex();
+    auto serverConfig = m_serversModel->getServerConfig(processedIndex);
+    auto apiConfig = serverConfig.value(configKey::apiConfig).toObject();
+    auto authData = serverConfig.value(configKey::authData).toObject();
+
+    bool isTestPurchase = apiConfig.value(apiDefs::key::isTestPurchase).toBool(false);
+    auto gatewayController = QSharedPointer<GatewayController>::create(m_settings->getGatewayEndpoint(isTestPurchase),
+                                                                       m_settings->isDevGatewayEnv(isTestPurchase),
+                                                                       requestTimeoutMsecs,
+                                                                       m_settings->isStrictKillSwitchEnabled());
+
+    QJsonObject apiPayload;
+    apiPayload[configKey::userCountryCode] = apiConfig.value(configKey::userCountryCode).toString();
+    apiPayload[configKey::serviceType] = apiConfig.value(configKey::serviceType).toString();
+    apiPayload[configKey::authData] = authData;
+    apiPayload[apiDefs::key::cliVersion] = QString(APP_VERSION);
+    apiPayload[apiDefs::key::appLanguage] = m_settings->getAppLanguage().name().split("_").first();
+
+    auto future = gatewayController->postAsync(QString("%1v1/renewal_link"), apiPayload);
+    future.then(this, [this, gatewayController](QPair<ErrorCode, QByteArray> result) {
+        auto [errorCode, responseBody] = result;
+        if (errorCode != ErrorCode::NoError) {
+            emit errorOccurred(errorCode);
+            return;
+        }
+
+        QJsonObject responseJson = QJsonDocument::fromJson(responseBody).object();
+        QString url = responseJson.value("renewal_url").toString();
+        if (!url.isEmpty()) {
+            emit renewalLinkReceived(url);
+        }
+    });
+}
+
 void ApiSettingsController::updateApiCountryModel()
 {
     m_apiCountryModel->updateModel(m_apiAccountInfoModel->getAvailableCountries(), "");

client/ui/controllers/api/apiSettingsController.h

@@ -21,9 +21,11 @@ public slots:
     bool getAccountInfo(bool reload);
     void updateApiCountryModel();
     void updateApiDevicesModel();
+    void getRenewalLink();
 
 signals:
     void errorOccurred(ErrorCode errorCode);
+    void renewalLinkReceived(const QString &url);
 
 private:
     QSharedPointer<ServersModel> m_serversModel;

client/ui/controllers/importController.cpp

@@ -383,24 +383,46 @@ QJsonObject ImportController::extractOpenVpnConfig(const QString &data)
 
 QJsonObject ImportController::extractWireGuardConfig(const QString &data)
 {
-    QMap<QString, QString> configMap;
-    auto configByLines = data.split("\n");
+    QMap<QString, QString> interfaceMap;
+    QList<QMap<QString, QString>> peerList;
+
+    enum class WgSection { None, Interface, Peer };
+    WgSection currentSection = WgSection::None;
+
+    const auto configByLines = data.split("\n");
     for (const QString &line : configByLines) {
-        QString trimmedLine = line.trimmed();
-        if (trimmedLine.startsWith("[") && trimmedLine.endsWith("]")) {
-            continue;
-        } else {
-            QStringList parts = trimmedLine.split(" = ");
+        const QString trimmedLine = line.trimmed();
+        if (trimmedLine == "[Interface]") {
+            currentSection = WgSection::Interface;
+        } else if (trimmedLine == "[Peer]") {
+            currentSection = WgSection::Peer;
+            peerList.append(QMap<QString, QString>());
+        } else if (!trimmedLine.isEmpty() && !trimmedLine.startsWith("#")) {
+            const QStringList parts = trimmedLine.split(" = ");
             if (parts.count() == 2) {
-                configMap[parts.at(0).trimmed()] = parts.at(1).trimmed();
+                const QString key = parts.at(0).trimmed();
+                const QString value = parts.at(1).trimmed();
+                if (currentSection == WgSection::Interface) {
+                    interfaceMap[key] = value;
+                } else if (currentSection == WgSection::Peer && !peerList.isEmpty()) {
+                    peerList.last()[key] = value;
+                }
             }
         }
     }
 
+    if (peerList.isEmpty()) {
+        qDebug() << "No [Peer] section found in WireGuard config";
+        emit importErrorOccurred(ErrorCode::ImportInvalidConfigError, false);
+        return QJsonObject();
+    }
+
+    const QMap<QString, QString> &firstPeerMap = peerList.first();
+
     QJsonObject lastConfig;
     lastConfig[config_key::config] = data;
 
-    auto url { QUrl::fromUserInput(configMap.value("Endpoint")) };
+    auto url { QUrl::fromUserInput(firstPeerMap.value("Endpoint")) };
     QString hostName;
     QString port;
     if (!url.host().isEmpty()) {
@@ -420,35 +442,56 @@ QJsonObject ImportController::extractWireGuardConfig(const QString &data)
     lastConfig[config_key::hostName] = hostName;
     lastConfig[config_key::port] = port.toInt();
 
-    if (!configMap.value("PrivateKey").isEmpty() && !configMap.value("Address").isEmpty() && !configMap.value("PublicKey").isEmpty()) {
-        lastConfig[config_key::client_priv_key] = configMap.value("PrivateKey");
-        lastConfig[config_key::client_ip] = configMap.value("Address");
+    if (!interfaceMap.value("PrivateKey").isEmpty() && !interfaceMap.value("Address").isEmpty() && !firstPeerMap.value("PublicKey").isEmpty()) {
+        lastConfig[config_key::client_priv_key] = interfaceMap.value("PrivateKey");
+        lastConfig[config_key::client_ip] = interfaceMap.value("Address");
 
-        if (!configMap.value("PresharedKey").isEmpty()) {
-            lastConfig[config_key::psk_key] = configMap.value("PresharedKey");
-        } else if (!configMap.value("PreSharedKey").isEmpty()) {
-            lastConfig[config_key::psk_key] = configMap.value("PreSharedKey");
+        if (!firstPeerMap.value("PresharedKey").isEmpty()) {
+            lastConfig[config_key::psk_key] = firstPeerMap.value("PresharedKey");
+        } else if (!firstPeerMap.value("PreSharedKey").isEmpty()) {
+            lastConfig[config_key::psk_key] = firstPeerMap.value("PreSharedKey");
         }
 
-        lastConfig[config_key::server_pub_key] = configMap.value("PublicKey");
+        lastConfig[config_key::server_pub_key] = firstPeerMap.value("PublicKey");
     } else {
         qDebug() << "One of the key parameters is missing (PrivateKey, Address, PublicKey)";
         emit importErrorOccurred(ErrorCode::ImportInvalidConfigError, false);
         return QJsonObject();
     }
 
-    if (!configMap.value("MTU").isEmpty()) {
-        lastConfig[config_key::mtu] = configMap.value("MTU");
+    if (!interfaceMap.value("MTU").isEmpty()) {
+        lastConfig[config_key::mtu] = interfaceMap.value("MTU");
     }
 
-    if (!configMap.value("PersistentKeepalive").isEmpty()) {
-        lastConfig[config_key::persistent_keep_alive] = configMap.value("PersistentKeepalive");
+    if (!firstPeerMap.value("PersistentKeepalive").isEmpty()) {
+        lastConfig[config_key::persistent_keep_alive] = firstPeerMap.value("PersistentKeepalive");
     }
 
-    QJsonArray allowedIpsJsonArray = QJsonArray::fromStringList(configMap.value("AllowedIPs").split(", "));
-
+    QJsonArray allowedIpsJsonArray = QJsonArray::fromStringList(firstPeerMap.value("AllowedIPs").split(", "));
     lastConfig[config_key::allowed_ips] = allowedIpsJsonArray;
 
+    if (peerList.size() > 1) {
+        QJsonArray peersArray;
+        for (const auto &peerMap : std::as_const(peerList)) {
+            QJsonObject peerObj;
+            const auto peerUrl = QUrl::fromUserInput(peerMap.value("Endpoint"));
+            peerObj[config_key::server_pub_key] = peerMap.value("PublicKey");
+            if (!peerMap.value("PresharedKey").isEmpty()) {
+                peerObj[config_key::psk_key] = peerMap.value("PresharedKey");
+            } else if (!peerMap.value("PreSharedKey").isEmpty()) {
+                peerObj[config_key::psk_key] = peerMap.value("PreSharedKey");
+            }
+            peerObj[config_key::hostName] = peerUrl.host();
+            peerObj[config_key::port] = peerUrl.port() != -1 ? peerUrl.port() : QString(protocols::wireguard::defaultPort).toInt();
+            peerObj[config_key::allowed_ips] = QJsonArray::fromStringList(peerMap.value("AllowedIPs").split(", "));
+            if (!peerMap.value("PersistentKeepalive").isEmpty()) {
+                peerObj[config_key::persistent_keep_alive] = peerMap.value("PersistentKeepalive");
+            }
+            peersArray.append(peerObj);
+        }
+        lastConfig["peers"] = peersArray;
+    }
+
     QString protocolName = "wireguard";
     QString protocolVersion;
 
@@ -465,25 +508,25 @@ QJsonObject ImportController::extractWireGuardConfig(const QString &data)
     };
 
     bool hasAllRequiredFields = std::all_of(requiredJunkFields.begin(), requiredJunkFields.end(),
-                                            [&configMap](const QString &field) { return !configMap.value(field).isEmpty(); });
+                                            [&interfaceMap](const QString &field) { return !interfaceMap.value(field).isEmpty(); });
     if (hasAllRequiredFields) {
         for (const QString &field : requiredJunkFields) {
-            lastConfig[field] = configMap.value(field);
+            lastConfig[field] = interfaceMap.value(field);
         }
 
         for (const QString &field : optionalJunkFields) {
-            if (!configMap.value(field).isEmpty()) {
-                lastConfig[field] = configMap.value(field);
+            if (!interfaceMap.value(field).isEmpty()) {
+                lastConfig[field] = interfaceMap.value(field);
             }
         }
 
-        bool hasCookieReplyPacketJunkSize = !configMap.value(config_key::cookieReplyPacketJunkSize).isEmpty();
-        bool hasTransportPacketJunkSize = !configMap.value(config_key::transportPacketJunkSize).isEmpty();
-        bool hasSpecialJunk = !configMap.value(config_key::specialJunk1).isEmpty() ||
-                              !configMap.value(config_key::specialJunk2).isEmpty() ||
-                              !configMap.value(config_key::specialJunk3).isEmpty() ||
-                              !configMap.value(config_key::specialJunk4).isEmpty() ||
-                              !configMap.value(config_key::specialJunk5).isEmpty();
+        bool hasCookieReplyPacketJunkSize = !interfaceMap.value(config_key::cookieReplyPacketJunkSize).isEmpty();
+        bool hasTransportPacketJunkSize = !interfaceMap.value(config_key::transportPacketJunkSize).isEmpty();
+        bool hasSpecialJunk = !interfaceMap.value(config_key::specialJunk1).isEmpty() ||
+                              !interfaceMap.value(config_key::specialJunk2).isEmpty() ||
+                              !interfaceMap.value(config_key::specialJunk3).isEmpty() ||
+                              !interfaceMap.value(config_key::specialJunk4).isEmpty() ||
+                              !interfaceMap.value(config_key::specialJunk5).isEmpty();
 
         if (hasCookieReplyPacketJunkSize && hasTransportPacketJunkSize) {
             protocolVersion = "2";
@@ -494,11 +537,11 @@ QJsonObject ImportController::extractWireGuardConfig(const QString &data)
         m_configType = ConfigTypes::Awg;
     }
 
-    if (!configMap.value("MTU").isEmpty()) {
-        lastConfig[config_key::mtu] = configMap.value("MTU");
+    if (!interfaceMap.value("MTU").isEmpty()) {
+        lastConfig[config_key::mtu] = interfaceMap.value("MTU");
     } else {
-        lastConfig[config_key::mtu] = (protocolName == "awg") 
-                                       ? protocols::awg::defaultMtu 
+        lastConfig[config_key::mtu] = (protocolName == "awg")
+                                       ? protocols::awg::defaultMtu
                                        : protocols::wireguard::defaultMtu;
     }
 

client/ui/controllers/settingsController.cpp

@@ -45,6 +45,8 @@ SettingsController::SettingsController(const QSharedPointer<ServersModel> &serve
         emit safeAreaBottomMarginChanged();
         emit safeAreaTopMarginChanged();
     });
+    connect(AndroidController::instance(), &AndroidController::activityPaused, this, &SettingsController::activityPaused);
+    connect(AndroidController::instance(), &AndroidController::activityResumed, this, &SettingsController::activityResumed);
 #endif
 
     m_isDevModeEnabled = m_settings->isDevGatewayEnv();

client/ui/controllers/settingsController.h

@@ -141,6 +141,9 @@ signals:
     void safeAreaTopMarginChanged();
     void safeAreaBottomMarginChanged();
 
+    void activityPaused();
+    void activityResumed();
+
     void isHomeAdLabelVisibleChanged(bool visible);
     void startMinimizedChanged();
 

client/ui/models/api/apiAccountInfoModel.cpp

@@ -1,5 +1,6 @@
 #include "apiAccountInfoModel.h"
 
+#include <QDateTime>
 #include <QJsonObject>
 
 #include "core/api/apiUtils.h"
@@ -32,7 +33,7 @@ QVariant ApiAccountInfoModel::data(const QModelIndex &index, int role) const
         }
 
         return apiUtils::isSubscriptionExpired(m_accountInfoData.subscriptionEndDate) ? tr("<p><a style=\"color: #EB5757;\">Inactive</a>")
-                                                                                      : tr("Active");
+                                                                                      : tr("<p><a style=\"color: #28c840;\">Active</a>");
     }
     case EndDateRole: {
         if (m_accountInfoData.configType == apiDefs::ConfigType::AmneziaFreeV3) {
@@ -52,7 +53,9 @@ QVariant ApiAccountInfoModel::data(const QModelIndex &index, int role) const
     }
     case IsComponentVisibleRole: {
         return m_accountInfoData.configType == apiDefs::ConfigType::AmneziaPremiumV2
-                || m_accountInfoData.configType == apiDefs::ConfigType::ExternalPremium;
+                || m_accountInfoData.configType == apiDefs::ConfigType::AmneziaTrialV2
+                || m_accountInfoData.configType == apiDefs::ConfigType::ExternalPremium
+                || m_accountInfoData.configType == apiDefs::ConfigType::ExternalTrial;
     }
     case HasExpiredWorkerRole: {
         for (int i = 0; i < m_issuedConfigsInfo.size(); i++) {
@@ -73,6 +76,18 @@ QVariant ApiAccountInfoModel::data(const QModelIndex &index, int role) const
         }
         return false;
     }
+    case IsSubscriptionExpiredRole: {
+        if (m_accountInfoData.configType == apiDefs::ConfigType::AmneziaFreeV3) return false;
+        if (m_accountInfoData.subscriptionEndDate.isEmpty()) return false;
+        return apiUtils::isSubscriptionExpired(m_accountInfoData.subscriptionEndDate);
+    }
+    case IsSubscriptionExpiringSoonRole: {
+        if (m_accountInfoData.configType == apiDefs::ConfigType::AmneziaFreeV3) return false;
+        if (m_accountInfoData.subscriptionEndDate.isEmpty()) return false;
+        if (apiUtils::isSubscriptionExpired(m_accountInfoData.subscriptionEndDate)) return false;
+        QDateTime endDate = QDateTime::fromString(m_accountInfoData.subscriptionEndDate, Qt::ISODateWithMs);
+        return endDate <= QDateTime::currentDateTimeUtc().addDays(10);
+    }
     }
 
     return QVariant();
@@ -164,6 +179,8 @@ QHash<int, QByteArray> ApiAccountInfoModel::roleNames() const
     roles[IsComponentVisibleRole] = "isComponentVisible";
     roles[HasExpiredWorkerRole] = "hasExpiredWorker";
     roles[IsProtocolSelectionSupportedRole] = "isProtocolSelectionSupported";
+    roles[IsSubscriptionExpiredRole] = "isSubscriptionExpired";
+    roles[IsSubscriptionExpiringSoonRole] = "isSubscriptionExpiringSoon";
 
     return roles;
 }

client/ui/models/api/apiAccountInfoModel.h

@@ -19,7 +19,9 @@ public:
         EndDateRole,
         IsComponentVisibleRole,
         HasExpiredWorkerRole,
-        IsProtocolSelectionSupportedRole
+        IsProtocolSelectionSupportedRole,
+        IsSubscriptionExpiredRole,
+        IsSubscriptionExpiringSoonRole
     };
 
     explicit ApiAccountInfoModel(QObject *parent = nullptr);
@@ -31,7 +33,6 @@ public:
 public slots:
     void updateModel(const QJsonObject &accountInfoObject, const QJsonObject &serverConfig);
     QVariant data(const QString &roleString);
-
     QJsonArray getAvailableCountries();
     QJsonArray getIssuedConfigsInfo();
 

client/ui/models/api/apiServicesModel.cpp

@@ -41,6 +41,7 @@ namespace
     {
         constexpr char amneziaFree[] = "amnezia-free";
         constexpr char amneziaPremium[] = "amnezia-premium";
+        constexpr char amneziaTrial[] = "amnezia-trial";
     }
 }
 
@@ -69,7 +70,7 @@ QVariant ApiServicesModel::data(const QModelIndex &index, int role) const
     }
     case CardDescriptionRole: {
         auto speed = apiServiceData.serviceInfo.speed;
-        if (serviceType == serviceType::amneziaPremium) {
+        if (serviceType == serviceType::amneziaPremium || serviceType == serviceType::amneziaTrial) {
             return apiServiceData.serviceInfo.cardDescription.arg(speed);
         } else if (serviceType == serviceType::amneziaFree) {
             QString description = apiServiceData.serviceInfo.cardDescription;
@@ -124,8 +125,10 @@ QVariant ApiServicesModel::data(const QModelIndex &index, int role) const
     case OrderRole: {
         if (serviceType == serviceType::amneziaPremium) {
             return 0;
-        } else if (serviceType == serviceType::amneziaFree) {
+        } else if (serviceType == serviceType::amneziaTrial) {
             return 1;
+        } else if (serviceType == serviceType::amneziaFree) {
+            return 2;
         }
     }
     }

client/ui/models/servers_model.cpp

@@ -179,6 +179,20 @@ QVariant ServersModel::data(const QModelIndex &index, int role) const
     case AdEndpointRole: {
         return apiConfig.value(apiDefs::key::serviceInfo).toObject().value(apiDefs::key::adEndpoint).toString();
     }
+    case IsSubscriptionExpiredRole: {
+        if (configVersion != apiDefs::ConfigSource::AmneziaGateway) return false;
+        QString endDate = apiConfig.value(apiDefs::key::subscriptionEndDate).toString();
+        if (endDate.isEmpty()) return false;
+        return apiUtils::isSubscriptionExpired(endDate);
+    }
+    case IsSubscriptionExpiringSoonRole: {
+        if (configVersion != apiDefs::ConfigSource::AmneziaGateway) return false;
+        QString endDate = apiConfig.value(apiDefs::key::subscriptionEndDate).toString();
+        if (endDate.isEmpty()) return false;
+        if (apiUtils::isSubscriptionExpired(endDate)) return false;
+        QDateTime endDateTime = QDateTime::fromString(endDate, Qt::ISODateWithMs);
+        return endDateTime <= QDateTime::currentDateTimeUtc().addDays(10);
+    }
     }
 
     return QVariant();
@@ -443,6 +457,9 @@ QHash<int, QByteArray> ServersModel::roleNames() const
     roles[AdDescriptionRole] = "adDescription";
     roles[AdEndpointRole] = "adEndpoint";
 
+    roles[IsSubscriptionExpiredRole] = "isSubscriptionExpired";
+    roles[IsSubscriptionExpiringSoonRole] = "isSubscriptionExpiringSoon";
+
     return roles;
 }
 

client/ui/models/servers_model.h

@@ -52,6 +52,9 @@ public:
         AdDescriptionRole,
         AdEndpointRole,
 
+        IsSubscriptionExpiredRole,
+        IsSubscriptionExpiringSoonRole,
+
         HasAmneziaDns
     };
 

client/ui/qml/Components/ServersListView.qml

@@ -126,6 +126,18 @@ ListViewType {
                 }
             }
 
+            CaptionTextType {
+                visible: isServerFromGatewayApi && (isSubscriptionExpired || isSubscriptionExpiringSoon)
+
+                Layout.fillWidth: true
+                Layout.leftMargin: 64
+                Layout.bottomMargin: 8
+
+                text: isSubscriptionExpired ? qsTr("Subscription expired. Please renew.") : qsTr("Subscription expiring soon.")
+                color: isSubscriptionExpired ? AmneziaStyle.color.vibrantRed : AmneziaStyle.color.goldenApricot
+                wrapMode: Text.WordWrap
+            }
+
             DividerType {
                 Layout.fillWidth: true
                 Layout.leftMargin: 0

client/ui/qml/Components/SubscriptionExpiredDrawer.qml

@@ -0,0 +1,93 @@
+pragma ComponentBehavior: Bound
+
+import QtQuick
+import QtQuick.Controls
+import QtQuick.Layouts
+import PageEnum 1.0
+import Style 1.0
+
+import "../Controls2"
+import "../Controls2/TextTypes"
+
+DrawerType2 {
+    id: root
+
+    expandedStateContent: ColumnLayout {
+        id: content
+
+        anchors.top: parent.top
+        anchors.left: parent.left
+        anchors.right: parent.right
+
+        spacing: 0
+
+        onImplicitHeightChanged: {
+            root.expandedHeight = content.implicitHeight + 32 + SettingsController.safeAreaBottomMargin
+        }
+
+        Item {
+            Layout.fillWidth: true
+            Layout.topMargin: 24
+            Layout.rightMargin: 16
+            Layout.leftMargin: 16
+            implicitHeight: titleText.implicitHeight
+
+            Header2TextType {
+                id: titleText
+                anchors.left: parent.left
+                anchors.right: parent.right
+
+                text: qsTr("Amnezia Premium subscription has expired")
+                horizontalAlignment: Text.AlignLeft
+            }
+        }
+
+        ParagraphTextType {
+            Layout.fillWidth: true
+            Layout.topMargin: 8
+            Layout.rightMargin: 16
+            Layout.leftMargin: 16
+
+            text: qsTr("Renew your subscription to continue using VPN")
+            horizontalAlignment: Text.AlignLeft
+        }
+
+        BasicButtonType {
+            Layout.fillWidth: true
+            Layout.topMargin: 16
+            Layout.rightMargin: 16
+            Layout.leftMargin: 16
+
+            text: qsTr("Renew")
+
+            defaultColor: AmneziaStyle.color.paleGray
+            hoveredColor: AmneziaStyle.color.lightGray
+            pressedColor: AmneziaStyle.color.mutedGray
+            textColor: AmneziaStyle.color.midnightBlack
+
+            clickedFunc: function() {
+                ApiSettingsController.getRenewalLink()
+            }
+        }
+
+        BasicButtonType {
+            Layout.alignment: Qt.AlignHCenter
+            Layout.topMargin: 8
+            Layout.bottomMargin: 8
+
+            implicitHeight: 25
+
+            defaultColor: AmneziaStyle.color.transparent
+            hoveredColor: AmneziaStyle.color.translucentWhite
+            pressedColor: AmneziaStyle.color.sheerWhite
+            textColor: AmneziaStyle.color.goldenApricot
+
+            text: qsTr("Support")
+
+            clickedFunc: function() {
+                root.closeTriggered()
+                PageController.goToPage(PageEnum.PageSettingsApiSupport)
+            }
+        }
+    }
+}

client/ui/qml/Controls2/LabelWithButtonType.qml

@@ -1,6 +1,7 @@
 import QtQuick
 import QtQuick.Controls
 import QtQuick.Layouts
+import Qt5Compat.GraphicalEffects
 
 import Style 1.0
 
@@ -37,6 +38,7 @@ Item {
     property int borderFocusedWidth: 1
 
     property string rightImageColor: AmneziaStyle.color.paleGray
+    property string leftImageColor: ""
 
     property bool descriptionOnTop: false
     property bool hideDescription: true
@@ -140,6 +142,14 @@ Item {
 
                 anchors.centerIn: parent
                 source: leftImageSource
+                visible: leftImageColor === ""
+            }
+
+            ColorOverlay {
+                anchors.fill: leftImage
+                source: leftImage
+                color: leftImageColor
+                visible: leftImageColor !== ""
             }
         }
 

client/ui/qml/Pages2/PageSettingsApiAvailableCountries.qml

@@ -18,12 +18,23 @@ PageType {
     id: root
 
     property var processedServer
+    property bool subscriptionExpired: false
+    property bool subscriptionExpiringSoon: false
+    function updateSubscriptionState() {
+        root.subscriptionExpired = ServersModel.getProcessedServerData("isSubscriptionExpired")
+        root.subscriptionExpiringSoon = ServersModel.getProcessedServerData("isSubscriptionExpiringSoon")
+    }
+
+    Component.onCompleted: {
+        root.updateSubscriptionState()
+    }
 
     Connections {
         target: ServersModel
 
         function onProcessedServerChanged() {
             root.processedServer = proxyServersModel.get(0)
+            root.updateSubscriptionState()
         }
     }
 
@@ -76,12 +87,11 @@ PageType {
                 Layout.fillWidth: true
                 Layout.leftMargin: 16
                 Layout.rightMargin: 16
-                Layout.bottomMargin: 10
+                Layout.bottomMargin: 4
 
                 actionButtonImage: "qrc:/images/controls/settings.svg"
 
                 headerText: root.processedServer.name
-                descriptionText: qsTr("Location for connection")
 
                 actionButtonFunction: function() {
                     PageController.showBusyIndicator(true)
@@ -94,6 +104,50 @@ PageType {
                     PageController.goToPage(PageEnum.PageSettingsApiServerInfo)
                 }
             }
+
+            CaptionTextType {
+                visible: root.subscriptionExpired || root.subscriptionExpiringSoon
+
+                Layout.fillWidth: true
+                Layout.leftMargin: 16
+                Layout.rightMargin: 16
+                Layout.topMargin: 4
+
+                text: root.subscriptionExpired ? qsTr("Subscription expired") : qsTr("Subscription expiring soon")
+                color: root.subscriptionExpired ? AmneziaStyle.color.vibrantRed : AmneziaStyle.color.goldenApricot
+            }
+
+            BasicButtonType {
+                visible: root.subscriptionExpired || root.subscriptionExpiringSoon
+
+                Layout.fillWidth: true
+                Layout.leftMargin: 16
+                Layout.rightMargin: 16
+                Layout.topMargin: 8
+                Layout.bottomMargin: 4
+
+                defaultColor: AmneziaStyle.color.paleGray
+                hoveredColor: AmneziaStyle.color.lightGray
+                pressedColor: AmneziaStyle.color.mutedGray
+                textColor: AmneziaStyle.color.midnightBlack
+
+                text: qsTr("Renew subscription")
+
+                clickedFunc: function() {
+                    ApiSettingsController.getRenewalLink()
+                }
+            }
+
+            CaptionTextType {
+                Layout.fillWidth: true
+                Layout.leftMargin: 16
+                Layout.rightMargin: 16
+                Layout.topMargin: (root.subscriptionExpired || root.subscriptionExpiringSoon) ? 8 : 4
+                Layout.bottomMargin: 8
+
+                text: qsTr("Location for connection")
+                color: AmneziaStyle.color.mutedGray
+            }
         }
 
         delegate: ColumnLayout {

client/ui/qml/Pages2/PageSettingsApiServerInfo.qml

@@ -2,6 +2,7 @@ import QtQuick
 import QtQuick.Controls
 import QtQuick.Layouts
 import QtQuick.Dialogs
+import Qt5Compat.GraphicalEffects
 
 import SortFilterProxyModel 0.2
 
@@ -52,6 +53,26 @@ PageType {
 
     property var processedServer
 
+    property bool isSubscriptionExpired: false
+    property bool isSubscriptionExpiringSoon: false
+
+    function updateSubscriptionState() {
+        root.isSubscriptionExpired = ApiAccountInfoModel.data("isSubscriptionExpired")
+        root.isSubscriptionExpiringSoon = ApiAccountInfoModel.data("isSubscriptionExpiringSoon")
+    }
+
+    Component.onCompleted: {
+        root.updateSubscriptionState()
+    }
+
+    Connections {
+        target: ApiAccountInfoModel
+
+        function onModelReset() {
+            root.updateSubscriptionState()
+        }
+    }
+
     Connections {
         target: ServersModel
 
@@ -108,12 +129,66 @@ PageType {
                 actionButtonImage: "qrc:/images/controls/edit-3.svg"
 
                 headerText: root.processedServer.name
-                descriptionText: ApiAccountInfoModel.data("serviceDescription")
 
                 actionButtonFunction: function() {
                     serverNameEditDrawer.openTriggered()
                 }
             }
+
+            Text {
+                visible: root.isSubscriptionExpired || root.isSubscriptionExpiringSoon
+
+                Layout.fillWidth: true
+                Layout.leftMargin: 16
+                Layout.rightMargin: 16
+                Layout.topMargin: 4
+
+                text: root.isSubscriptionExpired
+                    ? qsTr("Subscription expired")
+                    : qsTr("Subscription expiring soon")
+
+                color: root.isSubscriptionExpired
+                    ? AmneziaStyle.color.vibrantRed
+                    : AmneziaStyle.color.goldenApricot
+
+                font.pixelSize: 14
+                font.weight: Font.Medium
+                wrapMode: Text.WordWrap
+            }
+
+            ParagraphTextType {
+                visible: ApiAccountInfoModel.data("serviceDescription") !== ""
+
+                Layout.fillWidth: true
+                Layout.leftMargin: 16
+                Layout.rightMargin: 16
+                Layout.topMargin: 16
+                Layout.bottomMargin: root.isSubscriptionExpired || root.isSubscriptionExpiringSoon ? 0 : 10
+
+                text: ApiAccountInfoModel.data("serviceDescription")
+                color: AmneziaStyle.color.mutedGray
+            }
+
+            BasicButtonType {
+                visible: root.isSubscriptionExpired || root.isSubscriptionExpiringSoon
+
+                Layout.fillWidth: true
+                Layout.leftMargin: 16
+                Layout.rightMargin: 16
+                Layout.topMargin: 8
+                Layout.bottomMargin: 8
+
+                text: qsTr("Renew subscription")
+
+                defaultColor: AmneziaStyle.color.paleGray
+                hoveredColor: AmneziaStyle.color.lightGray
+                pressedColor: AmneziaStyle.color.mutedGray
+                textColor: AmneziaStyle.color.midnightBlack
+
+                clickedFunc: function() {
+                    ApiSettingsController.getRenewalLink()
+                }
+            }
         }
 
         delegate: ColumnLayout {
@@ -151,6 +226,54 @@ PageType {
 
             readonly property bool isVisibleForAmneziaFree: ApiAccountInfoModel.data("isComponentVisible")
 
+            Item {
+                visible: !root.isSubscriptionExpired && !root.isSubscriptionExpiringSoon
+
+                Layout.fillWidth: true
+                implicitHeight: renewRow.implicitHeight + 32
+
+                MouseArea {
+                    anchors.fill: parent
+                    cursorShape: Qt.PointingHandCursor
+                    onClicked: ApiSettingsController.getRenewalLink()
+                }
+
+                Row {
+                    id: renewRow
+                    anchors.centerIn: parent
+                    spacing: 12
+
+                    Item {
+                        width: renewIcon.implicitWidth
+                        height: renewIcon.implicitHeight
+                        anchors.verticalCenter: parent.verticalCenter
+
+                        Image {
+                            id: renewIcon
+                            source: "qrc:/images/controls/refresh-cw.svg"
+                        }
+
+                        ColorOverlay {
+                            anchors.fill: renewIcon
+                            source: renewIcon
+                            color: AmneziaStyle.color.goldenApricot
+                        }
+                    }
+
+                    Text {
+                        text: qsTr("Renew subscription")
+                        color: AmneziaStyle.color.goldenApricot
+                        font.pixelSize: 18
+                        font.weight: Font.Medium
+                        anchors.verticalCenter: parent.verticalCenter
+                    }
+                }
+            }
+
+            DividerType {
+                visible: !root.isSubscriptionExpired && !root.isSubscriptionExpiringSoon
+            }
+
             SwitcherType {
                 id: switcher
 
@@ -177,10 +300,14 @@ PageType {
                 }
             }
 
+            DividerType {
+                visible: footer.isVisibleForAmneziaFree
+            }
+
             WarningType {
                 id: warning
 
-                Layout.topMargin: 32
+                Layout.topMargin: 24
                 Layout.rightMargin: 16
                 Layout.leftMargin: 16
                 Layout.fillWidth: true
@@ -204,7 +331,7 @@ PageType {
                 id: vpnKey
 
                 Layout.fillWidth: true
-                Layout.topMargin: warning.visible ? 16 : 32
+                Layout.topMargin: warning.visible ? 16 : 0
 
                 visible: footer.isVisibleForAmneziaFree
 

client/ui/qml/Pages2/PageSetupWizardApiServiceInfo.qml

@@ -1,226 +1,226 @@
-import QtQuick
-import QtQuick.Controls
-import QtQuick.Layouts
-import QtQuick.Dialogs
-
-import PageEnum 1.0
-import Style 1.0
-
-import "./"
-import "../Controls2"
-import "../Controls2/TextTypes"
-import "../Config"
-import "../Components"
-
-PageType {
-    id: root
-
-    BackButtonType {
-        id: backButton
-
-        anchors.top: parent.top
-        anchors.left: parent.left
-        anchors.right: parent.right
-        anchors.topMargin: 20 + SettingsController.safeAreaTopMargin
-
-        onFocusChanged: {
-            if (this.activeFocus) {
-                listView.positionViewAtBeginning()
-            }
-        }
-    }
-
-    ListViewType {
-        id: listView
-
-        anchors.top: backButton.bottom
-        anchors.bottom: parent.bottom
-        anchors.right: parent.right
-        anchors.left: parent.left
-
-        header: ColumnLayout {
-            width: listView.width
-
-            BaseHeaderType {
-                Layout.fillWidth: true
-                Layout.topMargin: 8
-                Layout.rightMargin: 16
-                Layout.leftMargin: 16
-                Layout.bottomMargin: 32
-
-                headerText: ApiServicesModel.getSelectedServiceData("name")
-                descriptionText: ApiServicesModel.getSelectedServiceData("serviceDescription")
-            }
-        }
-
-        model: inputFields
-        spacing: 0
-
-        delegate: ColumnLayout {
-            width: listView.width
-
-            LabelWithImageType {
-                Layout.fillWidth: true
-                Layout.margins: 16
-
-                imageSource: imagePath
-                leftText: lText
-                rightText: rText
-
-                visible: isVisible
-            }
-        }
-
-        footer: ColumnLayout {
-            width: listView.width
-
-            spacing: 0
-
-            ParagraphTextType {
-                Layout.fillWidth: true
-                Layout.rightMargin: 16
-                Layout.leftMargin: 16
-
-                onLinkActivated: function(link) {
-                    Qt.openUrlExternally(link)
-                }
-                textFormat: Text.RichText
-                text: {
-                    var text = ApiServicesModel.getSelectedServiceData("features")
-                    return text.replace("%1", LanguageModel.getCurrentSiteUrl("free")).replace("/free", "") // todo link should come from gateway
-                }
-
-                MouseArea {
-                    anchors.fill: parent
-                    acceptedButtons: Qt.NoButton
-                    cursorShape: parent.hoveredLink ? Qt.PointingHandCursor : Qt.ArrowCursor
-                }
-            }
-
-            ParagraphTextType {
-                Layout.fillWidth: true
-                Layout.topMargin: 16
-                Layout.leftMargin: 16
-                Layout.rightMargin: 16
-
-                visible: (Qt.platform.os === "ios" || IsMacOsNeBuild) && ApiServicesModel.getSelectedServiceType() === "amnezia-premium"
-
-                horizontalAlignment: Text.AlignHCenter
-                textFormat: Text.PlainText
-                color: AmneziaStyle.color.mutedGray
-                font.pixelSize: 12
-
-                text: qsTr("Charged to your Apple ID at confirmation. Renews automatically unless auto-renew is turned off at least 24 hours before period end. Manage in Apple ID settings.")
-            }
-
-            BasicButtonType {
-                id: continueButton
-
-                Layout.fillWidth: true
-                Layout.topMargin: 32
-                Layout.bottomMargin: 16
-                Layout.leftMargin: 16
-                Layout.rightMargin: 16
-
-                text: ApiServicesModel.getSelectedServiceType() === "amnezia-premium" ? qsTr("Subscribe Now") : qsTr("Connect")
-
-                clickedFunc: function() {
-                    PageController.showBusyIndicator(true)
-                    var result = ApiConfigsController.importService()
-                    PageController.showBusyIndicator(false)
-
-                    if (!result) {
-                        var endpoint = ApiServicesModel.getStoreEndpoint()
-                        Qt.openUrlExternally(endpoint)
-                        PageController.closePage()
-                        PageController.closePage()
-                    }
-                }
-            }
-
-            ParagraphTextType {
-                Layout.fillWidth: true
-                Layout.topMargin: 16
-                Layout.leftMargin: 16
-                Layout.rightMargin: 16
-                Layout.bottomMargin: 32
-
-                visible: (Qt.platform.os === "ios" || IsMacOsNeBuild) && ApiServicesModel.getSelectedServiceType() === "amnezia-premium"
-
-                horizontalAlignment: Text.AlignHCenter
-                textFormat: Text.RichText
-                color: AmneziaStyle.color.mutedGray
-                font.pixelSize: 12
-
-                text: {
-                    var termsUrl = "https://www.apple.com/legal/internet-services/itunes/dev/stdeula/"
-                    var privacyUrl = LanguageModel.getCurrentSiteUrl("policy")
-                    return qsTr("By continuing, you agree to the <a href=\"%1\" style=\"color: #FBB26A;\">Terms of Use</a> and <a href=\"%2\" style=\"color: #FBB26A;\">Privacy Policy</a>").arg(termsUrl).arg(privacyUrl)
-                }
-
-                onLinkActivated: function(link) {
-                    Qt.openUrlExternally(link)
-                }
-
-                MouseArea {
-                    anchors.fill: parent
-                    acceptedButtons: Qt.NoButton
-                    cursorShape: parent.hoveredLink ? Qt.PointingHandCursor : Qt.ArrowCursor
-                }
-            }
-        }
-    }
-
-    property list<QtObject> inputFields: [
-        region,
-        price,
-        timeLimit,
-        speed,
-        features
-    ]
-
-    QtObject {
-        id: region
-
-        readonly property string imagePath: "qrc:/images/controls/map-pin.svg"
-        readonly property string lText: qsTr("For the region")
-        readonly property string rText: ApiServicesModel.getSelectedServiceData("region")
-        property bool isVisible: true
-    }
-
-    QtObject {
-        id: price
-
-        readonly property string imagePath: "qrc:/images/controls/tag.svg"
-        readonly property string lText: qsTr("Price")
-        readonly property string rText: ApiServicesModel.getSelectedServiceData("price")
-        property bool isVisible: true
-    }
-
-    QtObject {
-        id: timeLimit
-
-        readonly property string imagePath: "qrc:/images/controls/history.svg"
-        readonly property string lText: qsTr("Work period")
-        readonly property string rText: ApiServicesModel.getSelectedServiceData("timeLimit")
-        property bool isVisible: rText !== ""
-    }
-
-    QtObject {
-        id: speed
-
-        readonly property string imagePath: "qrc:/images/controls/gauge.svg"
-        readonly property string lText: qsTr("Speed")
-        readonly property string rText: ApiServicesModel.getSelectedServiceData("speed")
-        property bool isVisible: true
-    }
-
-    QtObject {
-        id: features
-
-        readonly property string imagePath: "qrc:/images/controls/info.svg"
-        readonly property string lText: qsTr("Features")
-        readonly property string rText: ""
-        property bool isVisible: true
-    }
-}
+import QtQuick
+import QtQuick.Controls
+import QtQuick.Layouts
+import QtQuick.Dialogs
+
+import PageEnum 1.0
+import Style 1.0
+
+import "./"
+import "../Controls2"
+import "../Controls2/TextTypes"
+import "../Config"
+import "../Components"
+
+PageType {
+    id: root
+
+    BackButtonType {
+        id: backButton
+
+        anchors.top: parent.top
+        anchors.left: parent.left
+        anchors.right: parent.right
+        anchors.topMargin: 20 + SettingsController.safeAreaTopMargin
+
+        onFocusChanged: {
+            if (this.activeFocus) {
+                listView.positionViewAtBeginning()
+            }
+        }
+    }
+
+    ListViewType {
+        id: listView
+
+        anchors.top: backButton.bottom
+        anchors.bottom: parent.bottom
+        anchors.right: parent.right
+        anchors.left: parent.left
+
+        header: ColumnLayout {
+            width: listView.width
+
+            BaseHeaderType {
+                Layout.fillWidth: true
+                Layout.topMargin: 8
+                Layout.rightMargin: 16
+                Layout.leftMargin: 16
+                Layout.bottomMargin: 32
+
+                headerText: ApiServicesModel.getSelectedServiceData("name")
+                descriptionText: ApiServicesModel.getSelectedServiceData("serviceDescription")
+            }
+        }
+
+        model: inputFields
+        spacing: 0
+
+        delegate: ColumnLayout {
+            width: listView.width
+
+            LabelWithImageType {
+                Layout.fillWidth: true
+                Layout.margins: 16
+
+                imageSource: imagePath
+                leftText: lText
+                rightText: rText
+
+                visible: isVisible
+            }
+        }
+
+        footer: ColumnLayout {
+            width: listView.width
+
+            spacing: 0
+
+            ParagraphTextType {
+                Layout.fillWidth: true
+                Layout.rightMargin: 16
+                Layout.leftMargin: 16
+
+                onLinkActivated: function(link) {
+                    Qt.openUrlExternally(link)
+                }
+                textFormat: Text.RichText
+                text: {
+                    var text = ApiServicesModel.getSelectedServiceData("features")
+                    return text.replace("%1", LanguageModel.getCurrentSiteUrl("free")).replace("/free", "") // todo link should come from gateway
+                }
+
+                MouseArea {
+                    anchors.fill: parent
+                    acceptedButtons: Qt.NoButton
+                    cursorShape: parent.hoveredLink ? Qt.PointingHandCursor : Qt.ArrowCursor
+                }
+            }
+
+            ParagraphTextType {
+                Layout.fillWidth: true
+                Layout.topMargin: 16
+                Layout.leftMargin: 16
+                Layout.rightMargin: 16
+
+                visible: (Qt.platform.os === "ios" || IsMacOsNeBuild) && ApiServicesModel.getSelectedServiceType() === "amnezia-premium"
+
+                horizontalAlignment: Text.AlignHCenter
+                textFormat: Text.PlainText
+                color: AmneziaStyle.color.mutedGray
+                font.pixelSize: 12
+
+                text: qsTr("Charged to your Apple ID at confirmation. Renews automatically unless auto-renew is turned off at least 24 hours before period end. Manage in Apple ID settings.")
+            }
+
+            BasicButtonType {
+                id: continueButton
+
+                Layout.fillWidth: true
+                Layout.topMargin: 32
+                Layout.bottomMargin: 16
+                Layout.leftMargin: 16
+                Layout.rightMargin: 16
+
+                text: ApiServicesModel.getSelectedServiceType() === "amnezia-premium" ? qsTr("Subscribe Now") : (ApiServicesModel.getSelectedServiceType() === "amnezia-trial" ? qsTr("Try Trial") : qsTr("Connect"))
+
+                clickedFunc: function() {
+                    PageController.showBusyIndicator(true)
+                    var result = ApiConfigsController.importService()
+                    PageController.showBusyIndicator(false)
+
+                    if (!result) {
+                        var endpoint = ApiServicesModel.getStoreEndpoint()
+                        Qt.openUrlExternally(endpoint)
+                        PageController.closePage()
+                        PageController.closePage()
+                    }
+                }
+            }
+
+            ParagraphTextType {
+                Layout.fillWidth: true
+                Layout.topMargin: 16
+                Layout.leftMargin: 16
+                Layout.rightMargin: 16
+                Layout.bottomMargin: 32
+
+                visible: (Qt.platform.os === "ios" || IsMacOsNeBuild) && ApiServicesModel.getSelectedServiceType() === "amnezia-premium"
+
+                horizontalAlignment: Text.AlignHCenter
+                textFormat: Text.RichText
+                color: AmneziaStyle.color.mutedGray
+                font.pixelSize: 12
+
+                text: {
+                    var termsUrl = "https://www.apple.com/legal/internet-services/itunes/dev/stdeula/"
+                    var privacyUrl = LanguageModel.getCurrentSiteUrl("policy")
+                    return qsTr("By continuing, you agree to the <a href=\"%1\" style=\"color: #FBB26A;\">Terms of Use</a> and <a href=\"%2\" style=\"color: #FBB26A;\">Privacy Policy</a>").arg(termsUrl).arg(privacyUrl)
+                }
+
+                onLinkActivated: function(link) {
+                    Qt.openUrlExternally(link)
+                }
+
+                MouseArea {
+                    anchors.fill: parent
+                    acceptedButtons: Qt.NoButton
+                    cursorShape: parent.hoveredLink ? Qt.PointingHandCursor : Qt.ArrowCursor
+                }
+            }
+        }
+    }
+
+    property list<QtObject> inputFields: [
+        region,
+        price,
+        timeLimit,
+        speed,
+        features
+    ]
+
+    QtObject {
+        id: region
+
+        readonly property string imagePath: "qrc:/images/controls/map-pin.svg"
+        readonly property string lText: qsTr("For the region")
+        readonly property string rText: ApiServicesModel.getSelectedServiceData("region")
+        property bool isVisible: true
+    }
+
+    QtObject {
+        id: price
+
+        readonly property string imagePath: "qrc:/images/controls/tag.svg"
+        readonly property string lText: qsTr("Price")
+        readonly property string rText: ApiServicesModel.getSelectedServiceData("price")
+        property bool isVisible: true
+    }
+
+    QtObject {
+        id: timeLimit
+
+        readonly property string imagePath: "qrc:/images/controls/history.svg"
+        readonly property string lText: qsTr("Work period")
+        readonly property string rText: ApiServicesModel.getSelectedServiceData("timeLimit")
+        property bool isVisible: rText !== ""
+    }
+
+    QtObject {
+        id: speed
+
+        readonly property string imagePath: "qrc:/images/controls/gauge.svg"
+        readonly property string lText: qsTr("Speed")
+        readonly property string rText: ApiServicesModel.getSelectedServiceData("speed")
+        property bool isVisible: true
+    }
+
+    QtObject {
+        id: features
+
+        readonly property string imagePath: "qrc:/images/controls/info.svg"
+        readonly property string lText: qsTr("Features")
+        readonly property string rText: ""
+        property bool isVisible: true
+    }
+}

client/ui/qml/Pages2/PageSetupWizardCredentials.qml

@@ -79,11 +79,23 @@ PageType {
                 }
 
                 textField.onTextChanged: {
-                    if (headerText == qsTr("Password or SSH private key")) {
+                    if (headerText === qsTr("Password or SSH private key")) {
                         buttonImageSource = textField.text !== "" ? imageSource : ""
                     }
                 }
             }
+
+            WarningType {
+                Layout.fillWidth: true
+                Layout.leftMargin: 16
+                Layout.rightMargin: 16
+                Layout.topMargin: 8
+
+                visible: title === qsTr("Password or SSH private key")
+                backGroundColor: AmneziaStyle.color.translucentWhite
+                iconPath: "qrc:/images/controls/alert-circle.svg"
+                textString: qsTr("SSH key requirements: supported ED25519 or RSA in PEM. Paste the private key including BEGIN/END lines. If your key doesn’t work, generate a compatible one.")
+            }
         }
 
         footer: ColumnLayout {

client/ui/qml/main2.qml

@@ -21,15 +21,27 @@ Window  {
         function onStateChanged() {
             if (Qt.platform.os === "android") {
                 if (Qt.application.state === Qt.ApplicationActive) {
+                    root.visible = true
                     refreshTimer.restart()
-                } else if (Qt.application.state === Qt.ApplicationSuspended || 
-                          Qt.application.state === Qt.ApplicationInactive) {
-                    console.log("QML: Application going to background, state:", Qt.application.state)
                 }
             }
         }
     }
 
+    // Hide the window immediately when Android Activity.onPause() fires so that
+    // Qt's render loop stops before the EGL surface is disconnected.  This
+    // prevents "QRhiGles2: Failed to make context current" and the resulting
+    // black screen that appears after swiping home and returning.
+    Connections {
+        target: SettingsController
+        function onActivityPaused() {
+            if (Qt.platform.os === "android") root.visible = false
+        }
+        function onActivityResumed() {
+            if (Qt.platform.os === "android") root.visible = true
+        }
+    }
+
     Timer {
         id: refreshTimer
         interval: 150
@@ -276,6 +288,34 @@ Window  {
         }
     }
 
+    Item {
+        objectName: "subscriptionExpiredDrawerItem"
+
+        anchors.fill: parent
+
+        SubscriptionExpiredDrawer {
+            id: subscriptionExpiredDrawer
+
+            anchors.fill: parent
+        }
+    }
+
+    Connections {
+        target: ApiConfigsController
+
+        function onSubscriptionExpiredOnServer() {
+            subscriptionExpiredDrawer.openTriggered()
+        }
+    }
+
+    Connections {
+        target: ApiSettingsController
+
+        function onRenewalLinkReceived(url) {
+            Qt.openUrlExternally(url)
+        }
+    }
+
     Item {
         objectName: "busyIndicatorItem"