add rus translate

Remove tab bar/PageStart changes that were not needed for QR pairing (restore
dev baseline). Quiet iOS pairing scanner console output while keeping a few
failure logs. Record the dead-code audit status in docs/plans.

.clang-format-ignore

@@ -2,7 +2,7 @@
 /client/3rd-prebuild
 /client/android
 /client/cmake
-/client/core/serialization
+/client/core/utils/serialization
 /client/daemon
 /client/fonts
 /client/images

.github/actions/apple-install-cert/action.yml

@@ -0,0 +1,38 @@
+# .github/actions/apple-install-cert/action.yml
+
+name: Setup apple keychain
+description: Creates and configures a temporary build keychain
+
+inputs:
+  keychain-path:
+    description: Path to the keychain
+    required: true
+  keychain-password:
+    description: Password to the keychain
+    required: true
+  cert-base64:
+    description: Base64-encoded certificate
+    required: true
+  cert-password:
+    description: Certificate password
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Create keychain
+      shell: bash
+      env:
+        KEYCHAIN_PATH: ${{ inputs.keychain-path }}
+        KEYCHAIN_PASSWORD: ${{ inputs.keychain-password }}
+        CERT_BASE64: ${{ inputs.cert-base64 }}
+        CERT_PASSWORD: ${{ inputs.cert-password }}
+      run: |
+        CERT_PATH=$(mktemp /tmp/cert_XXXXXX.p12)
+        trap "rm -f '$CERT_PATH'" EXIT
+
+        echo -n "$CERT_BASE64" | base64 --decode -o "$CERT_PATH"
+
+        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+        security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$CERT_PASSWORD" -A -t cert -f pkcs12
+        security set-key-partition-list -S apple-tool:,apple:,codesign: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

.github/actions/apple-setup-keychain/action.yml

@@ -0,0 +1,57 @@
+# .github/actions/apple-setup-keychain/action.yml
+
+name: Setup apple keychain
+description: Creates and configures a temporary build keychain
+
+inputs:
+  keychain-name:
+    description: Name of the keychain
+    required: false
+    default: "ci-amnezia"
+  keychain-password:
+    description: The keychain password
+    required: true
+  lock-timeout:
+    description: A timeout after exceeding which the keychain would be locked
+    required: false
+    default: "0"
+
+outputs:
+  keychain-path:
+    description: "Full path to the keychain created"
+    value: ${{ steps.setup.outputs.keychain-path }}
+  keychain-name:
+    description: "Actual name of the keychain created"
+    value: ${{ steps.setup.outputs.keychain-name }}
+
+runs:
+  using: composite
+  steps:
+    - name: Setup keychain
+      id: setup
+      shell: bash
+      env:
+        KEYCHAIN_NAME: ${{ inputs.keychain-name }}
+        KEYCHAIN_PASSWORD: ${{ inputs.keychain-password }}
+        LOCK_TIMEOUT: ${{ inputs.lock-timeout }}
+      run: |
+        KEYCHAIN_PATH="$HOME/Library/Keychains/$KEYCHAIN_NAME.keychain-db"
+
+        security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+        if [[ "$LOCK_TIMEOUT" == "0" ]]; then
+          security set-keychain-settings "$KEYCHAIN_PATH"
+        else
+          security set-keychain-settings -u -t "$LOCK_TIMEOUT" "$KEYCHAIN_PATH"
+        fi
+
+        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+        security import "${{ github.action_path }}/DeveloperIDG2CA.cer" -k "$KEYCHAIN_PATH" -A
+        security import "${{ github.action_path }}/AppleWWDRCAG3.cer" -k "$KEYCHAIN_PATH" -A
+
+        security list-keychains -d user -s "$KEYCHAIN_PATH"
+        security default-keychain -s "$KEYCHAIN_PATH"
+
+        echo "keychain-name=$KEYCHAIN_NAME" >> $GITHUB_OUTPUT
+        echo "keychain-path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT

.github/actions/apple-setup-provisioning-profile/action.yml

@@ -0,0 +1,31 @@
+# .github/actions/apple-setup-provisioning-profile/action.yml
+
+name: Setup provisioning profiles
+description: Decodes and installs provisioning profiles
+
+inputs:
+  provisioning_profile_base64:
+    description: Base64-encoded provisioning profile
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Setup provisioning profile
+      shell: bash
+      run: |
+        PROFILES_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
+        TEMP_FILE=$(mktemp)
+
+        echo "${{ inputs.provisioning_profile_base64 }}" | base64 --decode > "$TEMP_FILE"
+
+        PROFILE_UUID=$(grep UUID -A1 -a "$TEMP_FILE" | grep -io "[-A-F0-9]\{36\}")
+        if [[ -z "$PROFILE_UUID" ]]; then
+          echo "Failed to extract UUID from provisioning profile"
+          rm -f "$TEMP_FILE"
+          exit 1
+        fi
+
+        mkdir -p "$PROFILES_DIR"
+        mv "$TEMP_FILE" "$PROFILES_DIR/$PROFILE_UUID.mobileprovision"
+        echo "Installed profile: $PROFILE_UUID"

.github/workflows/tag-deploy.yml

@@ -17,6 +17,7 @@ jobs:
       QIF_VERSION: 4.5
       PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
       PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
+      FALLBACK_S3_ENDPOINT: ${{ secrets.FALLBACK_S3_ENDPOINT }}
       DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
       DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
       DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}

.github/workflows/tag-upload.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Verify git tag
         run: |
           TAG_NAME=${{ inputs.RELEASE_VERSION }}
-          CMAKE_TAG=$(grep 'project.*VERSION' CMakeLists.txt | sed -E 's/.* ([0-9]+.[0-9]+.[0-9]+.[0-9]+)$/\1/')
+          CMAKE_TAG=$(grep 'set(AMNEZIAVPN_VERSION' CMakeLists.txt | sed -E 's/.*AMNEZIAVPN_VERSION ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/')
           if [[ "$TAG_NAME" == "$CMAKE_TAG" ]]; then
             echo "Git tag ($TAG_NAME) matches CMakeLists.txt version ($CMAKE_TAG)."
           else

.gitignore

@@ -9,6 +9,7 @@ deploy/build_32/*
 deploy/build_64/*
 winbuild*.bat
 .cache/
+.vscode/
 
 
 # Qt-es
@@ -80,6 +81,7 @@ client/.DS_Store
 ._.DS_Store
 ._*
 *.dmg
+deploy/data/macos/pf/amn.400.allowPIA.conf
 
 # tmp files
 *.*~
@@ -139,3 +141,6 @@ ios-ne-build.sh
 macos-ne-build.sh
 macos-signed-build.sh
 macos-with-sign-build.sh
+DeveloperIdApplicationCertificate.p12
+DeveloperIdInstallerCertificate.p12
+

.gitmodules

@@ -4,13 +4,13 @@
 [submodule "client/3rd/SortFilterProxyModel"]
 	path = client/3rd/SortFilterProxyModel
 	url = https://github.com/mitchcurtis/SortFilterProxyModel.git
-[submodule "client/3rd-prebuilt"]
-	path = client/3rd-prebuilt
-	url = https://github.com/amnezia-vpn/3rd-prebuilt
-	branch = feature/special-handshake
 [submodule "client/3rd/amneziawg-apple"]
 	path = client/3rd/amneziawg-apple
 	url = https://github.com/amnezia-vpn/amneziawg-apple
 [submodule "client/3rd/QSimpleCrypto"]
 	path = client/3rd/QSimpleCrypto
 	url = https://github.com/amnezia-vpn/QSimpleCrypto.git
+[submodule "client/3rd/qtgamepad"]
+	path = client/3rd/qtgamepad
+	url = https://github.com/amnezia-vpn/qtgamepad.git
+	branch = 6.6

CMakeLists.txt

@@ -1,18 +1,34 @@
 cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)
 
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+
 set(PROJECT AmneziaVPN)
-set(AMNEZIAVPN_VERSION 4.8.9.2)
+set(AMNEZIAVPN_VERSION 4.9.0.2)
+
+set(QT_CREATOR_SKIP_PACKAGE_MANAGER_SETUP ON CACHE BOOL "" FORCE)
+set(CMAKE_PROJECT_TOP_LEVEL_INCLUDES
+    ${CMAKE_SOURCE_DIR}/cmake/platform_settings.cmake
+    ${CMAKE_SOURCE_DIR}/cmake/recipes_bootstrap.cmake
+    ${CMAKE_SOURCE_DIR}/cmake/conan_provider.cmake
+    CACHE STRING "" FORCE)
 
 project(${PROJECT} VERSION ${AMNEZIAVPN_VERSION}
         DESCRIPTION "AmneziaVPN"
         HOMEPAGE_URL "https://amnezia.org/"
 )
 
+if (PREBUILTS_ONLY)
+    # trigger conan to kick off `conan install`
+    find_package(OpenSSL REQUIRED)
+    return()
+endif()
+
 string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")
 
 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2092)
+set(APP_ANDROID_VERSION_CODE 2120)
 
 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
     set(MZ_PLATFORM_NAME "linux")
@@ -29,23 +45,34 @@ elseif(${CMAKE_SYSTEM_NAME} STREQUAL "Emscripten")
 endif()
 
 set(QT_BUILD_TOOLS_WHEN_CROSS_COMPILING ON)
-set(CMAKE_CXX_STANDARD 17)
-set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
-if(APPLE)
-    if(IOS)
-        set(CMAKE_OSX_ARCHITECTURES "arm64")
-    elseif(MACOS_NE)
-        set(CMAKE_OSX_ARCHITECTURES "arm64;x86_64")
+if(APPLE AND NOT IOS)
+    if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+        set(AMN_PF_RULE_IDENTITY "user { root }")
     else()
-        set(CMAKE_OSX_ARCHITECTURES "x86_64")
+        set(AMN_PF_RULE_IDENTITY "group { amnvpn }")
     endif()
+
+    configure_file(
+        "${CMAKE_SOURCE_DIR}/deploy/data/pf-templates/amn.400.allowPIA.conf.in"
+        "${CMAKE_CURRENT_BINARY_DIR}/amn.400.allowPIA.conf"
+        @ONLY
+    )
+
+    file(COPY_FILE
+        "${CMAKE_CURRENT_BINARY_DIR}/amn.400.allowPIA.conf"
+        "${CMAKE_SOURCE_DIR}/deploy/data/macos/pf/amn.400.allowPIA.conf"
+        ONLY_IF_DIFFERENT
+    )
 endif()
 
+
 add_subdirectory(client)
 
 if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
     add_subdirectory(service)
-
-    include(${CMAKE_SOURCE_DIR}/deploy/installer/config.cmake)
+endif()
+
+if ((LINUX AND NOT ANDROID) OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (WIN32))
+    include(${CMAKE_SOURCE_DIR}/cmake/CPack.cmake)
 endif()

README.md

@@ -53,24 +53,14 @@ AmneziaVPN uses several open-source projects to work:
 
 - [OpenSSL](https://www.openssl.org/)
 - [OpenVPN](https://openvpn.net/)
-- [Shadowsocks](https://shadowsocks.org/)
 - [Qt](https://www.qt.io/)
-- [LibSsh](https://libssh.org) - forked from Qt Creator
+- [LibSsh](https://libssh.org)
+- [WireGuard](https://www.wireguard.com/)
+- [Xray-core](https://xtls.github.io/en/)
+- [Conan](https://conan.io/)
 - and more...
 
-## Checking out the source code
-
-Make sure to pull all submodules after checking out the repo.
-
-```bash
-git submodule update --init --recursive
-```
-
-## Development
-
-Want to contribute? Welcome!
-
-### Help with translations
+## Help us with translations
 
 Download the most actual translation files.
 
@@ -83,103 +73,102 @@ Each *.ts file contains strings for one corresponding language.
 Translate or correct some strings in one or multiple *.ts files and commit them back to this repository into the ``client/translations`` folder.
 You can do it via a web-interface or any other method you're familiar with.
 
-### Building sources and deployment
+## Checking out the source code
 
-Check deploy folder for build scripts. 
+Make sure to pull all submodules after checking out the repo.
 
-### How to build an iOS app from source code on MacOS
-
-1. First, make sure you have [XCode](https://developer.apple.com/xcode/) installed, at least version 14 or higher.
-
-2. We use QT to generate the XCode project. We need QT version 6.6.2. Install QT for MacOS [here](https://doc.qt.io/qt-6/macos.html) or [QT Online Installer](https://www.qt.io/download-open-source). Required modules:
-   - MacOS
-   - iOS
-   - Qt 5 Compatibility Module
-   - Qt Shader Tools
-   - Additional Libraries:
-     - Qt Image Formats
-     - Qt Multimedia
-     - Qt Remote Objects 
-
-3. Install CMake if required. We recommend CMake version 3.25. You can install CMake [here](https://cmake.org/download/)
-
-4. You also need to install go >= v1.16. If you don't have it installed already,
-download go from the [official website](https://golang.org/dl/) or use Homebrew. 
-The latest version is recommended. Install gomobile
 ```bash
-export PATH=$PATH:~/go/bin
-go install golang.org/x/mobile/cmd/gomobile@latest
-gomobile init
+git submodule update --init --recursive
 ```
 
-5. Build the project
+## Hacking guide
+
+Want to contribute? Welcome!
+
+### Build requirements
+
+* [`CMake`](https://cmake.org/download/)
+* Compiler and underlying build system, depending on the target:
+  - [Linux] Any of `make` and `gcc`
+  - [Apple] [`Xcode`](https://developer.apple.com/xcode/) or [`Xcode command line tools`](https://developer.apple.com/xcode/)
+  - [Windows] [`Visual Studio 2022`](https://aka.ms/vs/17/release/vs_community.exe) or [`VS 2022 Build Tools`](https://aka.ms/vs/17/release/vs_buildtools.exe)
+  - [Android] [`Android SDK`](#installing-android-sdk) and [`Ninja`](https://ninja-build.org/)
+* [`Qt 6.10+`](https://www.qt.io/download-open-source) with the following modules:
+  - Core module for targeting platform (Desktop/Android/iOS)
+  - Qt 5 Compatibility module
+  - Qt Remote Objects
+* [`Conan`](https://conan.io/downloads) package manager
+  - On MacOS is enough just to use `homebrew` or install it in `.venv` in project root
+  - Other systems must have it in `PATH`
+* (Optional) Installer dependencies:
+  - [Windows/Linux] [`Qt Installer Framework`](https://www.qt.io/download-open-source)
+  - [Windows] [`WIX toolset`](https://github.com/wixtoolset/wix/releases)
+
+### Building the project using scripts
+
+* Run scripts located in `deploy` directory
+* Basically, if dependencies are located in default installation paths, the scripts will find them automatically.
+* If they differ, specify them using the following variables:
+  - `QT_INSTALL_DIR` - Qt root installation folder
+  - `QT_ROOT_PATH`   - Qt framework root directory
+  - `QIF_ROOT_PATH`  - Qt Installer Framework root path
+  - `ANDROID_HOME`   - Path to Android SDK root folder
+  - and others. Check scripts for more
+
+Unix-like:
 ```bash
-export QT_BIN_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/ios/bin"
-export QT_MACOS_ROOT_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/macos"
-export QT_IOS_BIN=$QT_BIN_DIR
-export PATH=$PATH:~/go/bin
-mkdir build-ios
-$QT_IOS_BIN/qt-cmake . -B build-ios -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR
-```
-Replace PATH-TO-QT-FOLDER and QT-VERSION to your environment
+# Build executables for the host platform
+deploy/build.sh
 
+# Or just
+deploy/build.sh
 
-If you get `gomobile: command not found` make sure to set PATH to the location 
-of the bin folder where gomobile was installed. Usually, it's in `GOPATH`.
-```bash
-export PATH=$(PATH):/path/to/GOPATH/bin
+# Build executables and installers for the host platform
+deploy/build.sh --installer all
+
+# Build Android APK and AAB
+deploy/build.sh -t android --aab
+
+# Call for help
+deploy/build.sh -h
 ```
 
-6. Open the XCode project. You can then run /test/archive/ship the app.
+Windows:
+```batch
+:: Build executables for Windows
+deploy/build.bat
 
-If the build fails with the following error
-```
-make: *** 
-[$(PROJECTDIR)/client/build/AmneziaVPN.build/Debug-iphoneos/wireguard-go-bridge/goroot/.prepared] 
-Error 1
-```
-Add a user-defined variable to both AmneziaVPN and WireGuardNetworkExtension targets' build settings with
-key `PATH` and value `${PATH}/path/to/bin/folder/with/go/executable`, e.g. `${PATH}:/usr/local/go/bin`.
+:: Build executables with IFW installer for Windows
+deploy/build.bat --installer ifw
 
-if the above error persists on your M1 Mac, then most probably you need to install arch based CMake 
-```
-arch -arm64 brew install cmake
+:: Build executables with IFW and WIX installer for Windows
+deploy/build.bat --installer ifw --installer wix
+
+:: Or just
+deploy/build.bat --installer all
 ```
 
-Build might fail with the "source files not found" error the first time you try it, because the modern XCode build system compiles dependencies in parallel, and some dependencies end up being built after the ones that
-require them. In this case, simply restart the build.
+### Developing the project in IDEs
 
-## How to build the Android app
+* Basically, you can use any IDE that handles CMake and Qt kits properly to run configure and build steps, and to navigate through the code nicely. For example:
+  - `Qt Creator`
+  - `Visual Studio Code` with `Qt Extension Pack`
+  - and so on
 
-_Tested on Mac OS_
+* To use `Xcode`, you have to configure project first by using `cmake`. The easiest way to do it is to use `Qt Creator` for configuration. Then open `AmneziaVPN.xcodeproj` file from the build folder by using `Xcode`. Note that none of the files changed are saved - the files actually getting changed in build directory. Copy them manually if necessary
 
-The Android app has the following requirements:
-* JDK 11
-* Android platform SDK 33
-* CMake 3.25.0
+* `Android studio` could be used in the same way - just configure the project by using `cmake` manually or by using `Qt Creator`. Open `<build-dir>/client/android-build` in `Android studio` then. Do not forget to copy the changes - everything you do is saved under the build directory actually.
 
-After you have installed QT, QT Creator, and Android Studio, you need to configure QT Creator correctly.
+### Installing Android SDK
 
-- Click in the top menu bar on `QT Creator` -> `Preferences` -> `Devices` and select the tab `Android`.
-- Set path to JDK 11
-- Set path to Android SDK (`$ANDROID_HOME`)
-
-In case you get errors regarding missing SDK or 'SDK manager not running', you cannot fix them by correcting the paths. If you have some spare GBs on your disk, you can let QT Creator install all requirements by choosing an empty folder for `Android SDK location` and clicking on `Set Up SDK`. Be aware: This will install a second Android SDK and NDK on your machine! 
-Double-check that the right CMake version is configured:  Click on `QT Creator` -> `Preferences` and click on the side menu on `Kits`. Under the center content view's `Kits` tab, you'll find an entry for `CMake Tool`. If the default selected CMake version is lower than 3.25.0, install on your system CMake >= 3.25.0 and choose `System CMake at <path>` from the drop-down list. If this entry is missing, you either have not installed CMake yet or QT Creator hasn't found the path to it. In that case, click in the preferences window on the side menu item `CMake`, then on the tab `Tools` in the center content view, and finally on the button `Add` to set the path to your installed CMake. 
-Please make sure that you have selected Android Platform SDK 33 for your project: click in the main view's side menu on `Projects`, and on the left, you'll see a section `Build & Run` showing different Android build targets. You can select any of them, Amnezia VPN's project setup is designed in a way that all Android targets will be built. Click on the targets submenu item `Build` and scroll in the center content view to `Build Steps`. Click on `Details` at the end of the headline `Build Android APK` (the `Details` button might be hidden in case the QT Creator Window is not running in full screen!). Here we are: Choose `android-33` as `Android Build Platform SDK`.
-
-That's it! You should be ready to compile the project from QT Creator!
-
-### Development flow
-
-After you've hit the build button, QT-Creator copies the whole project to a folder in the repository parent directory. The folder should look something like `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>`.
-If you want to develop Amnezia VPNs Android components written in Kotlin, such as components using system APIs, you need to import the generated project in Android Studio with `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>/client/android-build` as the projects root directory. While you should be able to compile the generated project from Android Studio, you cannot work directly in the repository's Android project. So whenever you are confident with your work in the generated project, you'll need to copy and paste the affected files to the corresponding path in the repository's Android project so that you can add and commit your changes!
-
-You may face compiling issues in QT Creator after you've worked in Android Studio on the generated project. Just do a `./gradlew clean` in the generated project's root directory (`<path>/client/android-build/.`) and you should be good to go.
+* Android SDK could be installed using the following methods:
+  - Using `Qt Creator`. Use `Preferences`->`SDKs`
+  - Using `Android studio`. By default it installs necessary `SDKs` automatically during the installation
+  - Manually by using `sdk-manager`. Check [this](https://developer.android.com/tools) page for details
 
 ## License
 
-GPL v3.0
+This project is licensed under the GNU General Public License v3.0 (see LICENSE) and also includes third-party components distributed under their own terms (see THIRD_PARTY_LICENSES.md).
 
 ## Donate
 

README_RU.md

@@ -50,23 +50,14 @@ AmneziaVPN использует несколько проектов с откр
 
 - [OpenSSL](https://www.openssl.org/)
 - [OpenVPN](https://openvpn.net/)
-- [Shadowsocks](https://shadowsocks.org/)
 - [Qt](https://www.qt.io/)
 - [LibSsh](https://libssh.org)
+- [WireGuard](https://www.wireguard.com/)
+- [Xray-core](https://xtls.github.io/en/)
+- [Conan](https://conan.io/)
 - и другие...
 
-## Проверка исходного кода
-После клонирования репозитория обязательно загрузите все подмодули.
-
-```bash
-git submodule update --init --recursive
-```
-
-
-## Разработка
-Хотите внести свой вклад? Добро пожаловать!
-
-### Помощь с переводами
+## Помощь с переводами
 
 Загрузите самые актуальные файлы перевода.
 
@@ -76,90 +67,98 @@ git submodule update --init --recursive
 
 Переведите или исправьте строки в одном или нескольких файлах *.ts и загрузите их обратно в этот репозиторий в папку ``client/translations``. Это можно сделать через веб-интерфейс или любым другим знакомым вам способом.
 
-### Сборка исходного кода и деплой
-Проверьте папку deploy для скриптов сборки.
+## Проверка исходного кода
 
-### Как собрать iOS-приложение из исходного кода на MacOS
-1. Убедитесь, что у вас установлен Xcode версии 14 или выше.
-2. Для генерации проекта Xcode используется QT. Требуется версия QT 6.6.2. Установите QT для MacOS здесь или через QT Online Installer. Необходимые модули:
-- MacOS
-- iOS
-- Модуль совместимости с Qt 5
-- Qt Shader Tools
-- Дополнительные библиотеки:
- - Qt Image Formats
- - Qt Multimedia
- - Qt Remote Objects
-
-   
-3. Установите CMake, если это необходимо. Рекомендуемая версия — 3.25. Скачать CMake можно здесь.
-4. Установите Go версии >= v1.16. Если Go ещё не установлен, скачайте его с  [официального сайта](https://golang.org/dl/) или используйте Homebrew. Установите gomobile:
+После клонирования репозитория обязательно загрузите все подмодули.
 
 ```bash
-export PATH=$PATH:~/go/bin
-go install golang.org/x/mobile/cmd/gomobile@latest
-gomobile init
+git submodule update --init --recursive
 ```
 
-5. Соберите проект:
+## Руководство по разработке
+
+Хотите внести свой вклад? Добро пожаловать!
+
+### Требования для сборки
+
+* [`CMake`](https://cmake.org/download/)
+* Компилятор и система сборки, в зависимости от таргета:
+  - [Linux] Любые `make` и `gcc`
+  - [Apple] [`Xcode`](https://developer.apple.com/xcode/) или [`Xcode command line tools`](https://developer.apple.com/xcode/)
+  - [Windows] [`Visual Studio 2022`](https://aka.ms/vs/17/release/vs_community.exe) или [`VS 2022 Build Tools`](https://aka.ms/vs/17/release/vs_buildtools.exe)
+  - [Android] [`Android SDK`](#установка-android-sdk) и [`Ninja`](https://ninja-build.org/)
+* [`Qt 6.10+`](https://www.qt.io/download-open-source) со следующими модулями:
+  - Основные модули для таргета (Desktop/Android/iOS)
+  - Qt 5 Compatibility module
+  - Qt Remote Objects
+* Пакетный менеджер [`Conan`](https://conan.io/downloads)
+  - На MacOS достаточно использовать `homebrew` или установить в `.venv` в корень проекта 
+  - Для остальных систем необходимо прописать пути в `PATH`
+* (Необязательно) Заивисимости для установщиков:
+  - [Windows/Linux] [`Qt Installer Framework`](https://www.qt.io/download-open-source)
+  - [Windows] [`WIX toolset`](https://github.com/wixtoolset/wix/releases)
+
+### Сборка проекта через скрипты
+
+* Запустите скрипты, находящиеся в папке `deploy`
+* Если все зависимости установлены в стандартных локациях, скрипт найдёт их самостоятельно
+* Если пути отличаются, их нужно явно указать используя:
+  - `QT_INSTALL_DIR` - корневая папка установки Qt
+  - `QT_ROOT_PATH`   - корневая папка Qt Framework
+  - `QIF_ROOT_PATH`  - корневая папка Qt Installer Framework
+  - `ANDROID_HOME`   - путь к Android SDK
+  - и другие. Их можно получить из вышеуказанных скриптов
+
+Unix-like:
 ```bash
-export QT_BIN_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/ios/bin"
-export QT_MACOS_ROOT_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/macos"
-export QT_IOS_BIN=$QT_BIN_DIR
-export PATH=$PATH:~/go/bin
-mkdir build-ios
-$QT_IOS_BIN/qt-cmake . -B build-ios -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR
-```
-Замените <PATH-TO-QT-FOLDER> и <QT-VERSION> на ваши значения.
+# Build executables for the host platform
+deploy/build.sh
 
-Если появляется ошибка gomobile: command not found, убедитесь, что PATH настроен на папку bin, где установлен gomobile:
-```bash
-export PATH=$(PATH):/path/to/GOPATH/bin
+# Or just
+deploy/build.sh
+
+# Build executables and installers for the host platform
+deploy/build.sh --installer all
+
+# Build Android APK and AAB
+deploy/build.sh -t android --aab
+
+# Call for help
+deploy/build.sh -h
 ```
 
-6. Откройте проект в Xcode. Теперь вы можете тестировать, архивировать или публиковать приложение.
-   
-Если сборка завершится с ошибкой:
-```
-make: *** 
-[$(PROJECTDIR)/client/build/AmneziaVPN.build/Debug-iphoneos/wireguard-go-bridge/goroot/.prepared] 
-Error 1
-```
-Добавьте пользовательскую переменную PATH в настройки сборки для целей AmneziaVPN и WireGuardNetworkExtension с ключом `PATH` и значением `${PATH}/path/to/bin/folder/with/go/executable`, e.g. `${PATH}:/usr/local/go/bin`.
+Windows:
+```batch
+:: Build executables for Windows
+deploy/build.bat
 
-Если ошибка повторяется на Mac с M1, установите версию CMake для архитектуры ARM:
-```
-arch -arm64 brew install cmake
+:: Build executables with IFW installer for Windows
+deploy/build.bat --installer ifw
+
+:: Build executables with IFW and WIX installer for Windows
+deploy/build.bat --installer ifw --installer wix
+
+:: Or just
+deploy/build.bat --installer all
 ```
 
- При первой попытке сборка может завершиться с ошибкой source files not found. Это происходит из-за параллельной компиляции зависимостей в XCode. Просто перезапустите сборку.
+### Разработка в IDE
 
+* Можно использовать любые IDE которые умеют работать с CMake и находить Qt Kits. Например:
+  - `Qt Creator`
+  - `Visual Studio Code` with `Qt Extension Pack`
+  - и так далее
 
-## Как собрать Android-приложение
-Сборка тестировалась на MacOS. Требования:
-- JDK 11
-- Android SDK 33
-- CMake 3.25.0
-  
-Установите QT, QT Creator и Android Studio.
-Настройте QT Creator:
+* Для использования `Xcode` нужно сконфигурировать проект с помощью `cmake`. Самый простой способ это сделать - использовать `Qt Creator` для конфигурации. Затем, нужно открыть файл `AmneziaVPN.xcodeproj` из папки сборки с помощью `Xcode`. Учтите, что никакие файлы фактически не сохраняются - они сохраняются в директории сборки. Если требуется, скопируйте файлы вручную
 
-- В меню QT Creator перейдите в  `QT Creator` -> `Preferences` -> `Devices` ->`Android`.
-- Укажите путь к JDK 11.
-- Укажите путь к Android SDK (`$ANDROID_HOME`)
+* `Android studio` может быть использована подобным вышеуказанному способу - нужно использовать `cmake` вручную или через `Qt Creator` для конфигурации. Далее, откройте `<build-dir>/client/android-build` в `Android studio`. Не забудьте скопировать изменённые файлы в папку с исходным кодом - все файлы, изменённые в IDE, сохраняются фактически в папке сборки.
 
-Если вы сталкиваетесь с ошибками, связанными с отсутствием SDK или сообщением «SDK manager not running», их нельзя исправить просто корректировкой путей. Если у вас есть несколько свободных гигабайт на диске, вы можете позволить Qt Creator установить все необходимые компоненты, выбрав пустую папку для расположения Android SDK и нажав кнопку **Set Up SDK**. Учтите: это установит второй Android SDK и NDK на вашем компьютере!
-
-Убедитесь, что настроена правильная версия CMake: перейдите в **Qt Creator -> Preferences** и в боковом меню выберите пункт **Kits**. В центральной части окна, на вкладке **Kits**, найдите запись для инструмента **CMake Tool**. Если выбранная по умолчанию версия CMake ниже 3.25.0, установите на свою систему CMake версии 3.25.0 или выше, а затем выберите опцию **System CMake at <путь>** из выпадающего списка. Если этот пункт отсутствует, это может означать, что вы еще не установили CMake, или Qt Creator не смог найти путь к нему. В таком случае в окне **Preferences** перейдите в боковое меню **CMake**, затем во вкладку **Tools** в центральной части окна и нажмите кнопку **Add**, чтобы указать путь к установленному CMake.
-
-Убедитесь, что для вашего проекта выбрана Android Platform SDK 33: в главном окне на боковой панели выберите пункт **Projects**, и слева вы увидите раздел **Build & Run**, показывающий различные целевые Android-платформы. Вы можете выбрать любую из них, так как настройка проекта Amnezia VPN разработана таким образом, чтобы все Android-цели могли быть собраны. Перейдите в подраздел **Build** и прокрутите центральную часть окна до раздела **Build Steps**. Нажмите **Details** в заголовке **Build Android APK** (кнопка **Details** может быть скрыта, если окно Qt Creator не запущено в полноэкранном режиме!). Вот здесь выберите **android-33** в качестве Android Build Platform SDK.
-
-### Разработка Android-компонентов
-
-После сборки QT Creator копирует проект в отдельную папку, например, `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>`. Для разработки Android-компонентов откройте сгенерированный проект в Android Studio, указав папку `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>/client/android-build` в качестве корневой.
-Изменения в сгенерированном проекте нужно вручную перенести в репозиторий. После этого можно коммитить изменения.
-Если возникают проблемы со сборкой в QT Creator после работы в Android Studio, выполните команду `./gradlew clean` в корневой папке сгенерированного проекта (`<path>/client/android-build/.`).
+### Установка Android SDK
 
+* Android SDK может быть установлен следующими способами:
+  - Используя `Qt Creator`, через настройки в пунктах `Preferences`->`SDKs`
+  - Используя `Android studio`. По умолчанию необходимые `SDK` устанавливаются автоматически.
+  - Вручную, используя `sdk-manager`. Подробности можно найти [здесь](https://developer.android.com/tools)
 
 ## Лицензия
 

THIRD_PARTY_LICENSES.md

@@ -0,0 +1,149 @@
+# Third-Party Licenses
+
+This project is licensed under the GNU General Public License v3.0.
+This file lists third-party software components used by this repository.
+Each component is distributed under its own license as linked below.
+
+---
+
+## QtKeychain
+
+- Source: https://github.com/frankosterfeld/qtkeychain
+- License: BSD License
+- License Text: https://www.gnu.org/licenses/license-list.html#ModifiedBSD
+
+---
+
+## QSimpleCrypto
+
+- Source: https://github.com/n1flh31mur/QSimpleCrypto
+- License: Apache License 2.0
+- License Text: https://github.com/n1flh31mur/QSimpleCrypto/blob/master/LICENSE
+
+---
+
+## SortFilterProxyModel
+
+- Source: https://github.com/oKcerG/SortFilterProxyModel
+- License: MIT License
+- License Text: https://github.com/oKcerG/SortFilterProxyModel/blob/master/LICENSE
+
+---
+
+## QJsonStruct
+
+- Source: https://github.com/Qv2ray/QJsonStruct
+- License: MIT License
+- License Text: https://github.com/Qv2ray/QJsonStruct/blob/master/LICENSE
+
+---
+
+## QR Code Generator (qrcodegen)
+
+- Source: https://github.com/nayuki/QR-Code-generator
+- License: MIT License
+- License Text: https://www.nayuki.io/page/qr-code-generator-library
+
+---
+
+## Qt Gamepad
+
+- Source: https://github.com/qt/qtgamepad
+- License: GNU General Public License v3.0 (GPL-3.0)
+- License Text: https://www.gnu.org/licenses/gpl-3.0.en.html
+
+---
+
+## AmneziaWG Apple (WireGuard)
+
+- Source: https://github.com/amnezia-vpn/amneziawg-apple
+- License: MIT License
+- License Text: https://github.com/amnezia-vpn/amneziawg-apple/blob/master/COPYING
+
+---
+
+## AmneziaWG Android
+
+- Source: https://github.com/amnezia-vpn/amneziawg-go
+- License: MIT License
+- License Text: https://github.com/amnezia-vpn/amneziawg-go/blob/master/LICENSE
+
+---
+
+## Xray Core
+
+- Source: https://github.com/XTLS/Xray-core
+- License: Mozilla Public License 2.0 (MPL-2.0)
+- License Text: https://github.com/XTLS/Xray-core/blob/main/LICENSE
+
+---
+
+## Cloak
+
+- Source: https://github.com/cbeuw/Cloak
+- License: GNU General Public License v3.0 (GPL-3.0)
+- License Text: https://github.com/cbeuw/Cloak/blob/master/LICENSE
+
+---
+
+## Shadowsocks
+
+- Source: https://github.com/shadowsocks/shadowsocks-libev
+- License: GPL-3.0-or-later
+- License Text: http://www.gnu.org/licenses/
+
+---
+
+## OpenSSL
+
+- Source: https://github.com/openssl/openssl
+- License: Apache License 2.0
+- License Text: https://www.openssl.org/source/license.html
+
+---
+
+## libssh
+
+- Source: https://www.libssh.org/
+- License: GNU Lesser General Public License (LGPL)
+- License Text: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
+
+---
+
+## OpenVPNAdapter
+
+- Source: https://github.com/ss-abramchuk/OpenVPNAdapter
+- License: GNU Affero General Public License v3.0 (AGPL-3.0)
+- License Text: https://github.com/ss-abramchuk/OpenVPNAdapter/blob/master/LICENSE
+
+---
+
+## Wintun
+
+- Source: https://www.wintun.net/
+- License: Prebuilt Binaries License
+- License Text: https://github.com/WireGuard/wintun/blob/master/prebuilt-binaries-license.txt
+
+---
+
+## Mullvad Split Tunnel Driver
+
+- Source: https://github.com/mullvad/win-split-tunnel
+- License: GNU General Public License v3.0 (GPL-3.0) and Mozilla Public License Version 2.0
+- License Text: https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-GPL.md https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-MPL.txt
+
+---
+
+## tun2socks
+
+- Source: https://github.com/eycorsican/go-tun2socks
+- License: MIT License
+- License Text: https://github.com/eycorsican/go-tun2socks/blob/master/LICENSE
+
+---
+
+## TAP-Windows Driver
+
+- Source: https://github.com/OpenVPN/tap-windows6
+- License: tap-windows6 license
+- License Text: https://github.com/OpenVPN/tap-windows6/blob/master/COPYING

client/CMakeLists.txt

@@ -25,6 +25,7 @@ add_definitions(-DGIT_COMMIT_HASH="${GIT_COMMIT_HASH}")
 
 add_definitions(-DPROD_AGW_PUBLIC_KEY="$ENV{PROD_AGW_PUBLIC_KEY}")
 add_definitions(-DPROD_S3_ENDPOINT="$ENV{PROD_S3_ENDPOINT}")
+add_definitions(-DFALLBACK_S3_ENDPOINT="$ENV{FALLBACK_S3_ENDPOINT}")
 
 add_definitions(-DDEV_AGW_PUBLIC_KEY="$ENV{DEV_AGW_PUBLIC_KEY}")
 add_definitions(-DDEV_AGW_ENDPOINT="$ENV{DEV_AGW_ENDPOINT}")
@@ -56,17 +57,20 @@ target_include_directories(${PROJECT} PUBLIC
     $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>
 )
 
-if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
     qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_interface.rep)
     qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_process_interface.rep)
-    qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_process_tun2socks.rep)
 endif()
 
-qt6_add_resources(QRC ${QRC} ${CMAKE_CURRENT_LIST_DIR}/resources.qrc)
+qt6_add_resources(QRC ${QRC}
+    ${CMAKE_CURRENT_LIST_DIR}/images/images.qrc
+    ${CMAKE_CURRENT_LIST_DIR}/images/flagKit.qrc
+    ${CMAKE_CURRENT_LIST_DIR}/client_scripts/clientScripts.qrc
+    ${CMAKE_CURRENT_LIST_DIR}/ui/qml/qml.qrc
+    ${CMAKE_CURRENT_LIST_DIR}/server_scripts/serverScripts.qrc
+)
 
 # -- i18n begin
-set(CMAKE_AUTORCC ON)
-
 set(AMNEZIAVPN_TS_FILES
     ${CMAKE_CURRENT_LIST_DIR}/translations/amneziavpn_ru_RU.ts
     ${CMAKE_CURRENT_LIST_DIR}/translations/amneziavpn_zh_CN.ts
@@ -78,19 +82,10 @@ set(AMNEZIAVPN_TS_FILES
     ${CMAKE_CURRENT_LIST_DIR}/translations/amneziavpn_hi_IN.ts
 )
 
-file(GLOB_RECURSE AMNEZIAVPN_TS_SOURCES *.qrc *.cpp *.h *.ui)
-
-qt_create_translation(AMNEZIAVPN_QM_FILES ${AMNEZIAVPN_TS_SOURCES} ${AMNEZIAVPN_TS_FILES})
-
-set(QM_FILE_LIST "")
-foreach(FILE ${AMNEZIAVPN_QM_FILES})
-    get_filename_component(QM_FILE_NAME ${FILE} NAME)
-    list(APPEND QM_FILE_LIST "<file>${QM_FILE_NAME}</file>")
-endforeach()
-string(REPLACE ";" "" QM_FILE_LIST ${QM_FILE_LIST})
-
-configure_file(${CMAKE_CURRENT_LIST_DIR}/translations/translations.qrc.in ${CMAKE_CURRENT_BINARY_DIR}/translations.qrc)
-qt6_add_resources(QRC ${I18NQRC} ${CMAKE_CURRENT_BINARY_DIR}/translations.qrc)
+qt6_add_translations(${PROJECT}
+    TS_FILES ${AMNEZIAVPN_TS_FILES}
+    RESOURCE_PREFIX "/translations"
+)
 # -- i18n end
 
 set(IS_CI ${CI})
@@ -169,6 +164,10 @@ if(APPLE)
     set(CMAKE_XCODE_GENERATE_SCHEME FALSE)
     set(CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM ${BUILD_VPN_DEVELOPMENT_TEAM})
     set(CMAKE_XCODE_ATTRIBUTE_GROUP_ID_IOS ${BUILD_IOS_GROUP_IDENTIFIER})
+    
+    if (BUILD_VPN_KEYCHAIN)
+        set(CMAKE_XCODE_ATTRIBUTE_OTHER_CODE_SIGN_FLAGS "--keychain ${BUILD_VPN_KEYCHAIN}")
+    endif()
 endif()
 
 if(LINUX AND NOT ANDROID)
@@ -194,38 +193,71 @@ elseif(APPLE)
     include(cmake/macos.cmake)
 endif()
 
+if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
+    add_subdirectory(tests)
+endif()
+
+list(APPEND SOURCES ${CMAKE_CURRENT_LIST_DIR}/main.cpp)
+
 target_link_libraries(${PROJECT} PRIVATE ${LIBS})
 target_compile_definitions(${PROJECT} PRIVATE "MZ_$<UPPER_CASE:${MZ_PLATFORM_NAME}>")
 
-# deploy artifacts required to run the application to the debug build folder
-if(WIN32)
-    if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
-        set(DEPLOY_PLATFORM_PATH "windows/x64")
-    else()
-        set(DEPLOY_PLATFORM_PATH "windows/x32")
-    endif()
-elseif(LINUX)
-    set(DEPLOY_PLATFORM_PATH "linux/client")
-elseif(APPLE AND NOT IOS)
-    set(DEPLOY_PLATFORM_PATH "macos")
-endif()
-
-if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
-    add_custom_command(
-        TARGET ${PROJECT} POST_BUILD
-        COMMAND ${CMAKE_COMMAND} -E $<IF:$<CONFIG:Debug>,copy_directory,true>
-        ${CMAKE_SOURCE_DIR}/deploy/data/${DEPLOY_PLATFORM_PATH}
-        $<TARGET_FILE_DIR:${PROJECT}>
-        COMMAND_EXPAND_LISTS
-    )
-    add_custom_command(
-        TARGET ${PROJECT} POST_BUILD
-        COMMAND ${CMAKE_COMMAND} -E $<IF:$<CONFIG:Debug>,copy_directory,true>
-        ${CMAKE_SOURCE_DIR}/client/3rd-prebuilt/deploy-prebuilt/${DEPLOY_PLATFORM_PATH}
-        $<TARGET_FILE_DIR:${PROJECT}>
-        COMMAND_EXPAND_LISTS
-    )
-endif()
-
 target_sources(${PROJECT} PRIVATE ${SOURCES} ${HEADERS} ${RESOURCES} ${QRC} ${I18NQRC})
-qt_finalize_target(${PROJECT})
+
+# Finalize the executable so Qt can gather/deploy QML modules and plugins correctly (Android needs this).
+if(COMMAND qt_import_qml_plugins)
+    qt_import_qml_plugins(${PROJECT})
+endif()
+if(COMMAND qt_finalize_executable)
+    qt_finalize_executable(${PROJECT})
+else()
+    qt_finalize_target(${PROJECT})
+endif()
+
+install(TARGETS ${PROJECT}
+    DESTINATION ${CMAKE_INSTALL_BINDIR}
+    COMPONENT AmneziaVPN
+)
+install(FILES $<TARGET_RUNTIME_DLLS:${PROJECT}>
+    DESTINATION ${CMAKE_INSTALL_BINDIR}
+    COMPONENT AmneziaVPN
+)
+
+set(deploy_tool_options "")
+if(WIN32)
+    set(deploy_tool_options "--force-openssl --force")
+endif()
+
+qt_generate_deploy_qml_app_script(
+    TARGET ${PROJECT}
+    OUTPUT_SCRIPT QT_DEPLOY_SCRIPT
+    NO_UNSUPPORTED_PLATFORM_ERROR
+    DEPLOY_TOOL_OPTIONS ${deploy_tool_options}
+)
+install(SCRIPT ${QT_DEPLOY_SCRIPT}
+    COMPONENT AmneziaVPN
+)
+
+if (APPLE AND NOT IOS AND NOT MACOS_NE)
+    list(APPEND OVPN_SCRIPTS "${CMAKE_SOURCE_DIR}/deploy/data/macos/update-resolv-conf.sh")
+endif()
+if (LINUX AND NOT ANDROID)
+    list(APPEND OVPN_SCRIPTS "${CMAKE_SOURCE_DIR}/deploy/data/linux/update-resolv-conf.sh")
+endif()
+
+if(OVPN_SCRIPTS)
+    add_custom_command(TARGET ${PROJECT} POST_BUILD
+        COMMAND ${CMAKE_COMMAND} -E copy_if_different
+        ${OVPN_SCRIPTS}
+        "$<TARGET_FILE_DIR:${PROJECT}>"
+    )
+
+    install(FILES ${OVPN_SCRIPTS}
+        DESTINATION ${CMAKE_INSTALL_BINDIR}
+        COMPONENT AmneziaVPN
+        PERMISSIONS
+            OWNER_READ OWNER_EXECUTE
+            GROUP_READ GROUP_EXECUTE
+            WORLD_READ WORLD_EXECUTE
+    )
+endif()

client/amneziaApplication.cpp

@@ -1,4 +1,4 @@
-#include "amnezia_application.h"
+#include "amneziaApplication.h"
 
 #include <QClipboard>
 #include <QFontDatabase>
@@ -13,20 +13,29 @@
 #include <QTimer>
 #include <QTranslator>
 #include <QEvent>
+#include <QDir>
+#include <QSettings>
+#include <QtQuick/QQuickWindow>  
+#include <QWindow>     
 
+#include "core/protocols/qmlRegisterProtocols.h"
 #include "logger.h"
-#include "ui/controllers/pageController.h"
+#include "ui/controllers/qml/pageController.h"
 #include "ui/models/installedAppsModel.h"
 #include "version.h"
 
 #include "platforms/ios/QRCodeReaderBase.h"
+         
 
-#include "protocols/qml_register_protocols.h"
-#include <QtQuick/QQuickWindow>  // for QQuickWindow
-#include <QWindow>              // for qobject_cast<QWindow*>
+bool AmneziaApplication::m_forceQuit = false;
 
-AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_CLASS(argc, argv)
+AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_CLASS(argc, argv),
+      m_optAutostart({QStringLiteral("a"), QStringLiteral("autostart")}, QStringLiteral("System autostart")),
+      m_optCleanup  ({QStringLiteral("c"), QStringLiteral("cleanup")}, QStringLiteral("Cleanup logs")),
+      m_optConnect  ({QStringLiteral("connect")}, QStringLiteral("Connect to server by index on startup"), QStringLiteral("index")),
+      m_optImport   ({QStringLiteral("import")}, QStringLiteral("Import configuration from data string"), QStringLiteral("data"))
 {
+    setDesktopFileName(QStringLiteral(APPLICATION_NAME));
     setQuitOnLastWindowClosed(false);
 
     // Fix config file permissions
@@ -45,17 +54,19 @@ AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_C
     QFile::setPermissions(configLoc2, QFileDevice::ReadOwner | QFileDevice::WriteOwner);
 #endif
 
-    m_settings = std::shared_ptr<Settings>(new Settings);
+    m_settings = new SecureQSettings(ORGANIZATION_NAME, APPLICATION_NAME, this);
     m_nam = new QNetworkAccessManager(this);
 }
 
 AmneziaApplication::~AmneziaApplication()
 {
-    if (m_vpnConnection) {
-        QMetaObject::invokeMethod(m_vpnConnection.get(), "disconnectFromVpn", Qt::QueuedConnection);
-        QThread::msleep(2000);
-        QMetaObject::invokeMethod(m_vpnConnection.get(), "disconnectSlots", Qt::QueuedConnection);
+#ifdef AMNEZIA_DESKTOP
+    if (m_vpnConnection && m_vpnConnectionThread.isRunning()) {
+        QMetaObject::invokeMethod(m_vpnConnection.get(), "disconnectSlots", Qt::BlockingQueuedConnection);
+        
+        QMetaObject::invokeMethod(m_vpnConnection.get(), "disconnectFromVpn", Qt::BlockingQueuedConnection);
     }
+#endif
 
     m_vpnConnectionThread.requestInterruption();
     m_vpnConnectionThread.quit();
@@ -66,11 +77,23 @@ AmneziaApplication::~AmneziaApplication()
     }
 
     if (m_engine) {
-        QObject::disconnect(m_engine, 0, 0, 0);
         delete m_engine;
     }
 }
 
+#ifdef Q_OS_ANDROID
+namespace {
+    static void clearQtCaches()
+    {
+        const QString cacheRoot = QStandardPaths::writableLocation(QStandardPaths::CacheLocation);
+        if (!cacheRoot.isEmpty()) {
+            QDir(cacheRoot + "/QtShaderCache").removeRecursively();
+            QDir(cacheRoot + "/qmlcache").removeRecursively();
+        }
+    }
+}
+#endif
+
 void AmneziaApplication::init()
 {
     m_engine = new QQmlApplicationEngine;
@@ -86,6 +109,19 @@ void AmneziaApplication::init()
             // install filter on main window
             if (auto win = qobject_cast<QQuickWindow*>(obj)) {
                 win->installEventFilter(this);
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+                win->setDefaultAlphaBuffer(true);
+#endif
+#ifdef Q_OS_ANDROID
+                QObject::connect(win, &QQuickWindow::sceneGraphError,
+                    [](QQuickWindow::SceneGraphError, const QString &msg) {
+                        qWarning() << "Scene graph error (suppressed):" << msg;
+                    });
+                // Keep graphics context alive across hide/show cycles to avoid
+                // eglSwapBuffers/makeCurrent being called on a context Android has reclaimed.
+                win->setPersistentSceneGraph(true);
+                win->setPersistentGraphics(true);
+#endif
                 win->show();
             }
         },
@@ -99,29 +135,29 @@ void AmneziaApplication::init()
     m_engine->rootContext()->setContextProperty("IsMacOsNeBuild", false);
 #endif
 
-    m_vpnConnection.reset(new VpnConnection(m_settings));
+    m_vpnConnection.reset(new VpnConnection(nullptr, nullptr));
     m_vpnConnection->moveToThread(&m_vpnConnectionThread);
     m_vpnConnectionThread.start();
 
     m_coreController.reset(new CoreController(m_vpnConnection, m_settings, m_engine));
 
     m_engine->addImportPath("qrc:/ui/qml/Modules/");
+
+    if (m_parser.isSet(m_optImport)) {
+        const QString data = m_parser.value(m_optImport);
+        if (!data.isEmpty()) {
+            if (m_coreController) {
+                m_coreController->importConfigFromData(data);
+            }
+        }
+    }
+
     m_engine->load(url);
 
     m_coreController->setQmlRoot();
 
-    bool enabled = m_settings->isSaveLogs();
-#ifndef Q_OS_ANDROID
-    if (enabled) {
-        if (!Logger::init(false)) {
-            qWarning() << "Initialization of debug subsystem failed";
-        }
-    }
-#endif
-    Logger::setServiceLogsEnabled(enabled);
-
 #ifdef Q_OS_WIN //TODO
-    if (m_parser.isSet("a"))
+    if (m_parser.isSet(m_optAutostart))
         m_coreController->pageController()->showOnStartup();
     else
         emit m_coreController->pageController()->raiseMainWindow();
@@ -145,6 +181,18 @@ void AmneziaApplication::init()
         }
     });
 #endif
+
+    if (m_parser.isSet(m_optConnect)) {
+        bool ok = false;
+        int idx = m_parser.value(m_optConnect).toInt(&ok);
+        if (ok) {
+            QTimer::singleShot(0, this, [this, idx]() {
+                if (m_coreController) {
+                    m_coreController->openConnectionByIndex(idx);
+                }
+            });
+        }
+    }
 }
 
 void AmneziaApplication::registerTypes()
@@ -152,13 +200,11 @@ void AmneziaApplication::registerTypes()
     qRegisterMetaType<ServerCredentials>("ServerCredentials");
 
     qRegisterMetaType<DockerContainer>("DockerContainer");
+    using namespace amnezia::ProtocolEnumNS;
     qRegisterMetaType<TransportProto>("TransportProto");
     qRegisterMetaType<Proto>("Proto");
     qRegisterMetaType<ServiceType>("ServiceType");
 
-    declareQmlProtocolEnum();
-    declareQmlContainerEnum();
-
     qmlRegisterType<QRCodeReader>("QRCodeReader", 1, 0, "QRCodeReader");
 
     m_containerProps.reset(new ContainerProps());
@@ -172,6 +218,7 @@ void AmneziaApplication::registerTypes()
 
     qmlRegisterType<InstalledAppsModel>("InstalledAppsModel", 1, 0, "InstalledAppsModel");
 
+    amnezia::declareQmlProtocolEnum();
     Vpn::declareQmlVpnConnectionStateEnum();
     PageLoader::declareQmlPageEnum();
 }
@@ -189,15 +236,14 @@ bool AmneziaApplication::parseCommands()
     m_parser.addHelpOption();
     m_parser.addVersionOption();
 
-    QCommandLineOption c_autostart { { "a", "autostart" }, "System autostart" };
-    m_parser.addOption(c_autostart);
-
-    QCommandLineOption c_cleanup { { "c", "cleanup" }, "Cleanup logs" };
-    m_parser.addOption(c_cleanup);
+    m_parser.addOption(m_optAutostart);
+    m_parser.addOption(m_optCleanup);
+    m_parser.addOption(m_optConnect);
+    m_parser.addOption(m_optImport);
     
     m_parser.process(*this);
 
-    if (m_parser.isSet(c_cleanup)) {
+    if (m_parser.isSet(m_optCleanup)) {
         Logger::cleanUp();
         QTimer::singleShot(100, this, [this] { quit(); });
         exec();
@@ -230,8 +276,12 @@ bool AmneziaApplication::eventFilter(QObject *watched, QEvent *event)
 #if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
         quit();
 #else
-        if (m_coreController && m_coreController->pageController()) {
-            m_coreController->pageController()->hideMainWindow();
+        if (m_forceQuit) {
+            quit();
+        } else {
+            if (m_coreController && m_coreController->pageController()) {
+                m_coreController->pageController()->hideMainWindow();
+            }
         }
 #endif
         return true; // eat the close
@@ -240,6 +290,12 @@ bool AmneziaApplication::eventFilter(QObject *watched, QEvent *event)
     return QObject::eventFilter(watched, event);
 }
 
+void AmneziaApplication::forceQuit()
+{
+    m_forceQuit = true;
+    quit();
+}
+
 QQmlApplicationEngine *AmneziaApplication::qmlEngine() const
 {
     return m_engine;

client/amneziaApplication.h

@@ -14,8 +14,10 @@
 #include <QClipboard>
 
 #include "core/controllers/coreController.h"
-#include "settings.h"
-#include "vpnconnection.h"
+#include "secureQSettings.h"
+#include "vpnConnection.h"
+#include "ui/models/containerProps.h"
+#include "ui/models/protocolProps.h"
 
 #define amnApp (static_cast<AmneziaApplication *>(QCoreApplication::instance()))
 
@@ -45,9 +47,13 @@ public:
     QNetworkAccessManager *networkManager();
     QClipboard *getClipboard();
 
+public slots:
+    void forceQuit();
+
 private:
+    static bool m_forceQuit;
     QQmlApplicationEngine *m_engine {};
-    std::shared_ptr<Settings> m_settings;
+    SecureQSettings* m_settings;
 
     QScopedPointer<CoreController> m_coreController;
 
@@ -56,6 +62,11 @@ private:
 
     QCommandLineParser m_parser;
 
+    QCommandLineOption m_optAutostart;
+    QCommandLineOption m_optCleanup;
+    QCommandLineOption m_optConnect;
+    QCommandLineOption m_optImport;
+
     QSharedPointer<VpnConnection> m_vpnConnection;
     QThread m_vpnConnectionThread;
 

client/android/AndroidManifest.xml

@@ -45,7 +45,8 @@
             android:configChanges="uiMode|screenSize|smallestScreenSize|screenLayout|orientation|density
                 |fontScale|layoutDirection|locale|keyboard|keyboardHidden|navigation|mcc|mnc"
             android:launchMode="singleInstance"
-            android:windowSoftInputMode="stateUnchanged|adjustResize"
+            android:windowSoftInputMode="adjustResize|stateUnchanged"
+            android:enableOnBackInvokedCallback="false"
             android:exported="true">
 
             <intent-filter>
@@ -214,4 +215,4 @@
             <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/qtprovider_paths" />
         </provider>
     </application>
-</manifest>
+</manifest>

client/android/build.gradle.kts

@@ -39,6 +39,7 @@ android {
 
         // keeps language resources for only the locales specified below
         resourceConfigurations += listOf("en", "ru", "b+zh+Hans")
+        ndk.abiFilters += qtTargetAbiList.split(",")
     }
 
     sourceSets {
@@ -52,50 +53,12 @@ android {
         }
     }
 
-    signingConfigs {
-        register("release") {
-            storeFile = providers.environmentVariable("ANDROID_KEYSTORE_PATH").orNull?.let { file(it) }
-            storePassword = providers.environmentVariable("ANDROID_KEYSTORE_KEY_PASS").orNull
-            keyAlias = providers.environmentVariable("ANDROID_KEYSTORE_KEY_ALIAS").orNull
-            keyPassword = providers.environmentVariable("ANDROID_KEYSTORE_KEY_PASS").orNull
-        }
-    }
-
     buildTypes {
         release {
             // exclude coroutine debug resource from release build
             packaging {
                 resources.excludes += "DebugProbesKt.bin"
             }
-            signingConfig = signingConfigs["release"]
-        }
-
-        create("fdroid") {
-            initWith(getByName("release"))
-            signingConfig = null
-            matchingFallbacks += "release"
-        }
-    }
-
-    splits {
-        abi {
-            isEnable = true
-            reset()
-            include(*qtTargetAbiList.split(',').toTypedArray())
-            isUniversalApk = false
-        }
-    }
-
-    // fix for Qt Creator to allow deploying the application to a device
-    // to enable this fix, add the line outputBaseName=android-build to local.properties
-    if (outputBaseName.isNotEmpty()) {
-        applicationVariants.all {
-            outputs.map { it as BaseVariantOutputImpl }
-                .forEach { output ->
-                    if (output.outputFileName.endsWith(".apk")) {
-                        output.outputFileName = "$outputBaseName-${buildType.name}.apk"
-                    }
-                }
         }
     }
 
@@ -111,7 +74,6 @@ dependencies {
     implementation(project(":wireguard"))
     implementation(project(":awg"))
     implementation(project(":openvpn"))
-    implementation(project(":cloak"))
     implementation(project(":xray"))
     implementation(libs.androidx.core)
     implementation(libs.androidx.activity)

client/android/cloak/build.gradle.kts

@@ -1,18 +0,0 @@
-plugins {
-    id(libs.plugins.android.library.get().pluginId)
-    id(libs.plugins.kotlin.android.get().pluginId)
-}
-
-kotlin {
-    jvmToolchain(17)
-}
-
-android {
-    namespace = "org.amnezia.vpn.protocol.cloak"
-}
-
-dependencies {
-    compileOnly(project(":utils"))
-    compileOnly(project(":protocolApi"))
-    implementation(project(":openvpn"))
-}

client/android/cloak/src/main/kotlin/Cloak.kt

@@ -1,45 +0,0 @@
-package org.amnezia.vpn.protocol.cloak
-
-import android.util.Base64
-import net.openvpn.ovpn3.ClientAPI_Config
-import org.amnezia.vpn.protocol.openvpn.OpenVpn
-import org.amnezia.vpn.util.LibraryLoader.loadSharedLibrary
-import org.json.JSONObject
-
-class Cloak : OpenVpn() {
-
-    override fun internalInit() {
-        super.internalInit()
-        if (!isInitialized) loadSharedLibrary(context, "ck-ovpn-plugin")
-    }
-
-    override fun parseConfig(config: JSONObject): ClientAPI_Config {
-        val openVpnConfig = ClientAPI_Config()
-
-        val openVpnConfigStr = config.getJSONObject("openvpn_config_data").getString("config")
-        val cloakConfigJson = checkCloakJson(config.getJSONObject("cloak_config_data"))
-        val cloakConfigStr = Base64.encodeToString(cloakConfigJson.toString().toByteArray(), Base64.DEFAULT)
-
-        val configStr = "$openVpnConfigStr\n<cloak>\n$cloakConfigStr\n</cloak>\n"
-
-        openVpnConfig.usePluggableTransports = true
-        openVpnConfig.content = configStr
-        return openVpnConfig
-    }
-
-    private fun checkCloakJson(cloakConfigJson: JSONObject): JSONObject {
-        cloakConfigJson.put("NumConn", 1)
-        cloakConfigJson.put("ProxyMethod", "openvpn")
-        if (cloakConfigJson.has("port")) {
-            val port = cloakConfigJson["port"]
-            cloakConfigJson.remove("port")
-            cloakConfigJson.put("RemotePort", port)
-        }
-        if (cloakConfigJson.has("remote")) {
-            val remote = cloakConfigJson["remote"]
-            cloakConfigJson.remove("remote")
-            cloakConfigJson.put("RemoteHost", remote)
-        }
-        return cloakConfigJson
-    }
-}

client/android/gradle/libs.versions.toml

@@ -1,11 +1,11 @@
 [versions]
-agp = "8.5.2"
+agp = "8.6.1"
 kotlin = "1.9.24"
 androidx-core = "1.13.1"
 androidx-activity = "1.9.1"
 androidx-annotation = "1.8.2"
 androidx-biometric = "1.2.0-alpha05"
-androidx-camera = "1.3.4"
+androidx-camera = "1.5.3"
 androidx-fragment = "1.8.2"
 androidx-security-crypto = "1.1.0-alpha06"
 androidx-datastore = "1.1.1"

client/android/openvpn/src/main/kotlin/org/amnezia/vpn/protocol/openvpn/OpenVpn.kt

@@ -93,7 +93,7 @@ open class OpenVpn : Protocol() {
         openVpnClient = null
     }
 
-    override fun reconnectVpn(vpnBuilder: Builder) {
+    override fun reconnectVpn(vpnBuilder: Builder, protect: (Int) -> Boolean) {
         openVpnClient?.let {
             it.establish = makeEstablish(vpnBuilder)
             it.reconnect(0)

client/android/protocolApi/src/main/kotlin/Protocol.kt

@@ -42,7 +42,7 @@ abstract class Protocol {
 
     abstract fun stopVpn()
 
-    abstract fun reconnectVpn(vpnBuilder: Builder)
+    abstract fun reconnectVpn(vpnBuilder: Builder, protect: (Int) -> Boolean)
 
     protected fun ProtocolConfig.Builder.configSplitTunneling(config: JSONObject) {
         if (!allowSplitTunneling) {

client/android/res/drawable/ic_pairing_back.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<vector xmlns:android="http://schemas.android.com/apk/res/android"
+    android:width="24dp"
+    android:height="24dp"
+    android:viewportWidth="24"
+    android:viewportHeight="24">
+    <path
+        android:fillColor="#FFE8E8EC"
+        android:pathData="M20,11H7.83l5.59,-5.59L12,4l-8,8 8,8 1.41,-1.41L7.83,13H20v-2z" />
+</vector>

client/android/res/drawable/torch_fab_bg.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<shape xmlns:android="http://schemas.android.com/apk/res/android"
+    android:shape="oval">
+    <solid android:color="#38FFFFFF" />
+</shape>

client/android/res/layout/camera_preview.xml

@@ -8,4 +8,75 @@
         android:layout_width="match_parent"
         android:layout_height="match_parent" />
 
+    <org.amnezia.vpn.PairingQrScanOverlayView
+        android:id="@+id/pairingScanOverlay"
+        android:layout_width="match_parent"
+        android:layout_height="match_parent"
+        android:visibility="gone" />
+
+    <LinearLayout
+        android:id="@+id/pairingChrome"
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:layout_gravity="top"
+        android:background="@android:color/transparent"
+        android:orientation="horizontal"
+        android:paddingStart="8dp"
+        android:paddingTop="28dp"
+        android:paddingEnd="16dp"
+        android:paddingBottom="12dp"
+        android:visibility="gone">
+
+        <ImageButton
+            android:id="@+id/pairingBack"
+            android:layout_width="48dp"
+            android:layout_height="48dp"
+            android:layout_gravity="top"
+            android:background="?android:attr/selectableItemBackgroundBorderless"
+            android:contentDescription="@string/pairing_qr_camera_back"
+            android:padding="12dp"
+            android:scaleType="fitCenter"
+            android:src="@drawable/ic_pairing_back" />
+
+        <LinearLayout
+            android:layout_width="0dp"
+            android:layout_height="wrap_content"
+            android:layout_marginStart="4dp"
+            android:layout_weight="1"
+            android:orientation="vertical">
+
+            <TextView
+                android:id="@+id/pairingTitle"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:text="@string/pairing_qr_camera_title"
+                android:textColor="#FFE8E8EC"
+                android:textSize="20sp"
+                android:textStyle="bold" />
+
+            <TextView
+                android:id="@+id/pairingSubtitle"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:layout_marginTop="8dp"
+                android:text="@string/pairing_qr_camera_subtitle"
+                android:textColor="#FFB8B8C0"
+                android:textSize="14sp" />
+        </LinearLayout>
+    </LinearLayout>
+
+    <TextView
+        android:id="@+id/torchButton"
+        android:layout_width="56dp"
+        android:layout_height="56dp"
+        android:layout_gravity="bottom|center_horizontal"
+        android:layout_marginBottom="32dp"
+        android:background="@drawable/torch_fab_bg"
+        android:clickable="true"
+        android:focusable="true"
+        android:gravity="center"
+        android:text="🔦"
+        android:textSize="26sp"
+        android:contentDescription="@string/camera_torch" />
+
 </FrameLayout>

client/android/res/values-ru/strings.xml

@@ -24,5 +24,13 @@
     <string name="notificationSettingsDialogMessage">Для показа уведомлений необходимо включить уведомления в системных настройках</string>
     <string name="openNotificationSettings">Открыть настройки уведомлений</string>
 
+    <string name="cameraPermissionDialogTitle">Доступ к камере</string>
+    <string name="cameraPermissionDialogMessage">Чтобы отсканировать QR-код для добавления устройства, Amnezia VPN нужен доступ к камере.</string>
+    <string name="cameraPermissionContinue">Продолжить</string>
+    <string name="camera_torch">Фонарик</string>
+    <string name="pairing_qr_camera_title">Добавить устройство по QR</string>
+    <string name="pairing_qr_camera_subtitle">Отсканируйте QR сессии на устройстве, которое хотите добавить. Перед отправкой подписки будет подтверждение.</string>
+    <string name="pairing_qr_camera_back">Назад</string>
+
     <string name="tvNoFileBrowser">Пожалуйста, установите приложение для просмотра файлов</string>
 </resources>

client/android/res/values/strings.xml

@@ -24,5 +24,13 @@
     <string name="notificationSettingsDialogMessage">To show notifications, you must enable notifications in the system settings</string>
     <string name="openNotificationSettings">Open notification settings</string>
 
+    <string name="cameraPermissionDialogTitle">Camera access</string>
+    <string name="cameraPermissionDialogMessage">To scan a QR code for device pairing, Amnezia VPN needs access to the camera.</string>
+    <string name="cameraPermissionContinue">Continue</string>
+    <string name="camera_torch">Flashlight</string>
+    <string name="pairing_qr_camera_title">Add device via QR</string>
+    <string name="pairing_qr_camera_subtitle">Scan the session QR shown on the device you want to add. You will confirm before the subscription is sent.</string>
+    <string name="pairing_qr_camera_back">Back</string>
+
     <string name="tvNoFileBrowser">Please install a file management utility to browse files</string>
 </resources>

client/android/res/values/styles.xml

@@ -6,6 +6,9 @@
         <item name="android:colorBackground">@color/black</item>
         <item name="android:windowActionBar">false</item>
         <item name="android:windowNoTitle">true</item>
+        <item name="android:windowLayoutInDisplayCutoutMode">shortEdges</item>
+        <item name="android:enforceNavigationBarContrast">false</item>
+        <item name="android:enforceStatusBarContrast">false</item>
     </style>
     <style name="Translucent" parent="NoActionBar">
         <item name="android:windowBackground">@android:color/transparent</item>

client/android/settings.gradle.kts

@@ -26,7 +26,6 @@ plugins {
     id("settings-property-delegate")
 }
 
-rootProject.name = "AmneziaVPN"
 rootProject.buildFileName = "build.gradle.kts"
 
 include(":qt")
@@ -35,7 +34,6 @@ include(":protocolApi")
 include(":wireguard")
 include(":awg")
 include(":openvpn")
-include(":cloak")
 include(":xray")
 include(":xray:libXray")
 
@@ -48,15 +46,7 @@ val qtMinSdkVersion: String by gradleProperties
 // set default values for all modules
 configure<SettingsExtension> {
     buildToolsVersion = androidBuildToolsVersion
-    compileSdk = androidCompileSdkVersion.substringAfter('-').toInt()
+    compileSdk = androidCompileSdkVersion.split('-')[1].toInt()
     minSdk = qtMinSdkVersion.toInt()
     ndkVersion = androidNdkVersion
 }
-
-// stop Gradle running by androiddeployqt
-gradle.taskGraph.whenReady {
-    if (providers.environmentVariable("ANDROIDDEPLOYQT_RUN").isPresent
-        && !providers.systemProperty("explicitRun").isPresent) {
-        allTasks.forEach { it.enabled = false }
-    }
-}

client/android/src/org/amnezia/vpn/AmneziaActivity.kt

@@ -26,6 +26,8 @@ import android.os.ParcelFileDescriptor
 import android.os.SystemClock
 import android.provider.OpenableColumns
 import android.provider.Settings
+import android.view.InputDevice
+import android.view.KeyEvent
 import android.view.MotionEvent
 import android.view.View
 import android.view.ViewGroup
@@ -35,6 +37,14 @@ import android.widget.Toast
 import androidx.annotation.MainThread
 import androidx.annotation.RequiresApi
 import androidx.core.content.ContextCompat
+import androidx.core.graphics.Insets
+import androidx.core.view.OnApplyWindowInsetsListener
+import androidx.core.view.ViewCompat
+import androidx.core.view.WindowInsetsCompat
+import androidx.core.view.WindowInsetsControllerCompat
+import androidx.lifecycle.Lifecycle
+import androidx.lifecycle.LifecycleOwner
+import androidx.lifecycle.LifecycleRegistry
 import java.io.IOException
 import kotlin.LazyThreadSafetyMode.NONE
 import kotlin.coroutines.CoroutineContext
@@ -66,10 +76,18 @@ private const val CHECK_VPN_PERMISSION_ACTION_CODE = 1
 private const val CREATE_FILE_ACTION_CODE = 2
 private const val OPEN_FILE_ACTION_CODE = 3
 private const val CHECK_NOTIFICATION_PERMISSION_ACTION_CODE = 4
+private const val CHECK_CAMERA_PERMISSION_ACTION_CODE = 5
 
 private const val PREFS_NOTIFICATION_PERMISSION_ASKED = "NOTIFICATION_PERMISSION_ASKED"
+private const val OPEN_FILE_AFTER_RESUME_DELAY_MS = 400L
+private const val KEY_PENDING_OPEN_FILE_URI = "pending_open_file_uri"
 
-class AmneziaActivity : QtActivity() {
+class AmneziaActivity : QtActivity(), LifecycleOwner {
+
+    private val lifecycleRegistry = LifecycleRegistry(this)
+
+    override val lifecycle: Lifecycle
+        get() = lifecycleRegistry
 
     private lateinit var mainScope: CoroutineScope
     private val qtInitialized = CompletableDeferred<Unit>()
@@ -84,6 +102,14 @@ class AmneziaActivity : QtActivity() {
     private val actionResultHandlers = mutableMapOf<Int, ActivityResultHandler>()
     private val permissionRequestHandlers = mutableMapOf<Int, PermissionRequestHandler>()
 
+    private var isActivityResumed = false
+    private var hasWindowFocus = false
+    private val resumeHandler = Handler(Looper.getMainLooper())
+    private var pendingOpenFileUri: String? = null
+    private var openFileDeliveryScheduled = false
+
+    private var lastPairingQrReaderStartUptimeMs: Long = 0L
+
     private val vpnServiceEventHandler: Handler by lazy(NONE) {
         object : Handler(Looper.getMainLooper()) {
             override fun handleMessage(msg: Message) {
@@ -170,10 +196,9 @@ class AmneziaActivity : QtActivity() {
         super.onCreate(savedInstanceState)
         Log.d(TAG, "Create Amnezia activity")
         loadLibs()
-        window.apply {
-            addFlags(LayoutParams.FLAG_DRAWS_SYSTEM_BAR_BACKGROUNDS)
-            statusBarColor = getColor(R.color.black)
-        }
+
+        // Configure window for edge-to-edge display
+        configureWindowForEdgeToEdge()
         mainScope = CoroutineScope(SupervisorJob() + Dispatchers.Main.immediate)
         val proto = mainScope.async(Dispatchers.IO) {
             VpnStateStore.getVpnState().vpnProto
@@ -186,17 +211,22 @@ class AmneziaActivity : QtActivity() {
                 doBindService()
             }
         )
+        pendingOpenFileUri = savedInstanceState?.getString(KEY_PENDING_OPEN_FILE_URI)
+        openFileDeliveryScheduled = false
         registerBroadcastReceivers()
         intent?.let(::processIntent)
         runBlocking { vpnProto = proto.await() }
+        lifecycleRegistry.handleLifecycleEvent(Lifecycle.Event.ON_CREATE)
+    }
+
+    override fun onSaveInstanceState(outState: Bundle) {
+        super.onSaveInstanceState(outState)
+        pendingOpenFileUri?.let { outState.putString(KEY_PENDING_OPEN_FILE_URI, it) }
     }
 
     private fun loadLibs() {
         listOf(
-            "rsapss",
-            "crypto_3",
-            "ssl_3",
-            "ssh"
+            "rsapss"
         ).forEach {
             loadSharedLibrary(this.applicationContext, it)
         }
@@ -244,6 +274,7 @@ class AmneziaActivity : QtActivity() {
 
     override fun onStart() {
         super.onStart()
+        lifecycleRegistry.handleLifecycleEvent(Lifecycle.Event.ON_START)
         Log.d(TAG, "Start Amnezia activity")
         mainScope.launch {
             qtInitialized.await()
@@ -256,20 +287,219 @@ class AmneziaActivity : QtActivity() {
     }
 
     override fun onStop() {
+        isActivityResumed = false
+        hasWindowFocus = false
+        // Cancel all pending operations when activity stops
+        resumeHandler.removeCallbacksAndMessages(null)
+        openFileDeliveryScheduled = false
         Log.d(TAG, "Stop Amnezia activity")
         doUnbindService()
         mainScope.launch {
             qtInitialized.await()
             QtAndroidController.onServiceDisconnected()
         }
+        lifecycleRegistry.handleLifecycleEvent(Lifecycle.Event.ON_STOP)
         super.onStop()
     }
 
+    override fun onWindowFocusChanged(hasFocus: Boolean) {
+        super.onWindowFocusChanged(hasFocus)
+        hasWindowFocus = hasFocus
+        Log.d(TAG, "Window focus changed: hasFocus=$hasFocus")
+
+        if (!hasFocus) {
+            // Cancel pending operations if window loses focus
+            resumeHandler.removeCallbacksAndMessages(null)
+        } else if (isActivityResumed && Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+            window.decorView.apply {
+                invalidate()
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(1f, 1f)
+                    }
+                }, 50)
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(2f, 2f)
+                        requestLayout()
+                        invalidate()
+                    }
+                }, 150)
+            }
+        }
+    }
+
+    override fun dispatchKeyEvent(event: KeyEvent): Boolean {
+        val keyCode = event.keyCode
+        val pressed = event.action == KeyEvent.ACTION_DOWN
+
+        when (keyCode) {
+            KeyEvent.KEYCODE_BUTTON_A,
+            KeyEvent.KEYCODE_BUTTON_B,
+            KeyEvent.KEYCODE_BUTTON_X,
+            KeyEvent.KEYCODE_BUTTON_Y,
+            KeyEvent.KEYCODE_BUTTON_START,
+            KeyEvent.KEYCODE_BUTTON_SELECT -> {
+                    nativeGamepadKeyEvent(0, keyCode, pressed)
+                    return true
+            }
+            KeyEvent.KEYCODE_DPAD_CENTER,
+            KeyEvent.KEYCODE_DPAD_UP,
+            KeyEvent.KEYCODE_DPAD_DOWN,
+            KeyEvent.KEYCODE_DPAD_LEFT,
+            KeyEvent.KEYCODE_DPAD_RIGHT -> {
+                    val syntheticKeyCode = if (keyCode == KeyEvent.KEYCODE_DPAD_CENTER) KeyEvent.KEYCODE_ENTER else keyCode
+                    val synthetic = KeyEvent(
+                        event.downTime, event.eventTime, event.action, syntheticKeyCode,
+                        event.repeatCount, event.metaState, -1, event.scanCode,
+                        event.flags, InputDevice.SOURCE_KEYBOARD
+                    )
+                    return super.dispatchKeyEvent(synthetic)
+            }
+        }
+
+        return super.dispatchKeyEvent(event)
+    }
+
+    private external fun nativeGamepadKeyEvent(deviceId: Int, keyCode: Int, pressed: Boolean)
+
+    override fun onPause() {
+        // Notify Qt to stop rendering BEFORE super.onPause() destroys the EGL surface.
+        // Using a coroutine here would be too late — the surface is gone by the time
+        // the coroutine runs. A direct synchronous call gives Qt's render thread the
+        // best chance to process visible=false before surface destruction.
+        if (qtInitialized.isCompleted) {
+            QtAndroidController.onActivityPaused()
+        }
+        lifecycleRegistry.handleLifecycleEvent(Lifecycle.Event.ON_PAUSE)
+        super.onPause()
+        isActivityResumed = false
+        // Cancel all pending operations when activity pauses
+        resumeHandler.removeCallbacksAndMessages(null)
+        openFileDeliveryScheduled = false
+        Log.d(TAG, "Pause Amnezia activity")
+    }
+
+    override fun onResume() {
+        super.onResume()
+        lifecycleRegistry.handleLifecycleEvent(Lifecycle.Event.ON_RESUME)
+        isActivityResumed = true
+        Log.d(TAG, "Resume Amnezia activity")
+        if (qtInitialized.isCompleted) {
+            QtAndroidController.onActivityResumed()
+        }
+
+        if (pendingOpenFileUri != null && !openFileDeliveryScheduled) {
+            val uri = pendingOpenFileUri!!
+            openFileDeliveryScheduled = true
+            resumeHandler.postDelayed({
+                if (!isFinishing && !isDestroyed) {
+                    pendingOpenFileUri = null
+                    openFileDeliveryScheduled = false
+                    mainScope.launch {
+                        qtInitialized.await()
+                        QtAndroidController.onFileOpened(uri)
+                    }
+                }
+            }, OPEN_FILE_AFTER_RESUME_DELAY_MS)
+        }
+
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+            window.decorView.apply {
+                invalidate()
+
+                resumeHandler.postDelayed({
+                    // Check if activity is still resumed and has focus before executing
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(1f, 1f)
+                    }
+                }, 100)
+
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(2f, 2f)
+                    }
+                }, 200)
+
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        requestLayout()
+                        invalidate()
+                    }
+                }, 250)
+            }
+        }
+    }
+
+    private fun configureWindowForEdgeToEdge() {
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+            window.apply {
+                addFlags(LayoutParams.FLAG_DRAWS_SYSTEM_BAR_BACKGROUNDS)
+                addFlags(LayoutParams.FLAG_LAYOUT_NO_LIMITS)
+                statusBarColor = android.graphics.Color.TRANSPARENT
+                navigationBarColor = android.graphics.Color.TRANSPARENT
+            }
+
+            WindowInsetsControllerCompat(window, window.decorView).apply {
+                isAppearanceLightStatusBars = false
+                isAppearanceLightNavigationBars = false
+            }
+
+            // Workaround for Android 14 (API 34+) IME adjustResize bug
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+                setupImeInsetsListener()
+            }
+        } else {
+            window.apply {
+                addFlags(LayoutParams.FLAG_DRAWS_SYSTEM_BAR_BACKGROUNDS)
+                statusBarColor = getColor(R.color.black)
+            }
+
+            WindowInsetsControllerCompat(window, window.decorView).apply {
+                isAppearanceLightStatusBars = false
+                isAppearanceLightNavigationBars = false
+            }
+        }
+    }
+
+    private fun setupImeInsetsListener() {
+        ViewCompat.setOnApplyWindowInsetsListener(window.decorView) { view, windowInsets ->
+            val imeInsets = windowInsets.getInsets(WindowInsetsCompat.Type.ime())
+            val imeVisible = windowInsets.isVisible(WindowInsetsCompat.Type.ime())
+
+            val imeHeight = if (imeVisible) imeInsets.bottom else 0
+
+            val density = resources.displayMetrics.density
+            val imeHeightDp = (imeHeight / density).toInt()
+
+            // Also track system bars (navigation bar, status bar) changes
+            val systemBarsInsets = windowInsets.getInsets(WindowInsetsCompat.Type.systemBars())
+            val navBarHeight = systemBarsInsets.bottom
+            val navBarHeightDp = (navBarHeight / density).toInt()
+            val statusBarHeight = systemBarsInsets.top
+            val statusBarHeightDp = (statusBarHeight / density).toInt()
+
+            mainScope.launch {
+                qtInitialized.await()
+                QtAndroidController.onImeInsetsChanged(imeHeightDp)
+                QtAndroidController.onSystemBarsInsetsChanged(navBarHeightDp, statusBarHeightDp)
+            }
+
+            // Return windowInsets instead of CONSUMED to allow proper handling
+            windowInsets
+        }
+    }
+
     override fun onDestroy() {
+        isActivityResumed = false
+        hasWindowFocus = false
+        // Cancel all pending operations when activity is destroyed
+        resumeHandler.removeCallbacksAndMessages(null)
         Log.d(TAG, "Destroy Amnezia activity")
         unregisterBroadcastReceiver(notificationStateReceiver)
         notificationStateReceiver = null
         mainScope.cancel()
+        lifecycleRegistry.handleLifecycleEvent(Lifecycle.Event.ON_DESTROY)
         super.onDestroy()
     }
 
@@ -591,9 +821,13 @@ class AmneziaActivity : QtActivity() {
                             grantUriPermission(packageName, this, Intent.FLAG_GRANT_READ_URI_PERMISSION)
                         }?.toString() ?: ""
                         Log.v(TAG, "Open file: $uri")
-                        mainScope.launch {
-                            qtInitialized.await()
-                            QtAndroidController.onFileOpened(uri)
+                        if (uri.isNotEmpty()) {
+                            pendingOpenFileUri = uri
+                        } else {
+                            mainScope.launch {
+                                qtInitialized.await()
+                                QtAndroidController.onFileOpened(uri)
+                            }
                         }
                     }
                 ))
@@ -622,7 +856,7 @@ class AmneziaActivity : QtActivity() {
     @Suppress("unused")
     fun getFd(fileName: String): Int {
         Log.v(TAG, "Get fd for $fileName")
-        return blockingCall {
+        return blockingCall(Dispatchers.IO) {
             try {
                 pfd = contentResolver.openFileDescriptor(Uri.parse(fileName), "r")
                 pfd?.fd ?: -1
@@ -663,9 +897,106 @@ class AmneziaActivity : QtActivity() {
     @SuppressLint("UnsupportedChromeOsCameraSystemFeature")
     fun isCameraPresent(): Boolean = applicationContext.packageManager.hasSystemFeature(PackageManager.FEATURE_CAMERA)
 
+    @Suppress("unused")
+    fun isCameraPermissionGranted(): Boolean =
+        ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA) == PackageManager.PERMISSION_GRANTED
+
+    @Suppress("unused")
+    fun requestCameraPermissionForQrPairing() {
+        if (isCameraPermissionGranted()) {
+            mainScope.launch {
+                qtInitialized.await()
+                QtAndroidController.onCameraPermissionResult(true)
+            }
+            return
+        }
+        runOnUiThread {
+            AlertDialog.Builder(this)
+                .setTitle(R.string.cameraPermissionDialogTitle)
+                .setMessage(R.string.cameraPermissionDialogMessage)
+                .setNegativeButton(R.string.cancel) { _, _ ->
+                    mainScope.launch {
+                        qtInitialized.await()
+                        QtAndroidController.onCameraPermissionResult(false)
+                    }
+                }
+                .setPositiveButton(R.string.cameraPermissionContinue) { _, _ ->
+                    requestPermission(
+                        Manifest.permission.CAMERA,
+                        CHECK_CAMERA_PERMISSION_ACTION_CODE,
+                        PermissionRequestHandler(
+                            onSuccess = {
+                                mainScope.launch {
+                                    qtInitialized.await()
+                                    QtAndroidController.onCameraPermissionResult(true)
+                                }
+                            },
+                            onFail = {
+                                mainScope.launch {
+                                    qtInitialized.await()
+                                    QtAndroidController.onCameraPermissionResult(false)
+                                }
+                            },
+                            onAny = {}
+                        )
+                    )
+                }
+                .show()
+        }
+    }
+
+    @Suppress("unused")
+    fun openApplicationDetailsSettings() {
+        try {
+            Intent(Settings.ACTION_APPLICATION_DETAILS_SETTINGS).apply {
+                data = Uri.fromParts("package", packageName, null)
+                startActivity(this)
+            }
+        } catch (e: ActivityNotFoundException) {
+            Log.e(TAG, "openApplicationDetailsSettings: $e")
+        }
+    }
+
     @Suppress("unused")
     fun isOnTv(): Boolean = applicationContext.packageManager.hasSystemFeature(PackageManager.FEATURE_LEANBACK)
 
+    @Suppress("unused")
+    fun isEdgeToEdgeEnabled(): Boolean = Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE
+
+    @Suppress("unused")
+    fun getStatusBarHeight(): Int {
+        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.UPSIDE_DOWN_CAKE) return 0
+
+        val resourceId = resources.getIdentifier("status_bar_height", "dimen", "android")
+        val heightPx = if (resourceId > 0) {
+            resources.getDimensionPixelSize(resourceId)
+        } else {
+            0
+        }
+
+        // Convert physical pixels to device-independent pixels for QML
+        val density = resources.displayMetrics.density
+        val heightDp = (heightPx / density).toInt()
+        return heightDp
+    }
+
+    @Suppress("unused")
+    fun getNavigationBarHeight(): Int {
+        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.UPSIDE_DOWN_CAKE) return 0
+
+        val resourceId = resources.getIdentifier("navigation_bar_height", "dimen", "android")
+        val heightPx = if (resourceId > 0) {
+            resources.getDimensionPixelSize(resourceId)
+        } else {
+            0
+        }
+
+        // Convert physical pixels to device-independent pixels for QML
+        val density = resources.displayMetrics.density
+        val heightDp = (heightPx / density).toInt()
+        return heightDp
+    }
+
     @Suppress("unused")
     fun startQrCodeReader() {
         Log.v(TAG, "Start camera")
@@ -674,6 +1005,19 @@ class AmneziaActivity : QtActivity() {
         }
     }
 
+    @Suppress("unused")
+    fun startPairingQrCodeReader() {
+        val now = SystemClock.uptimeMillis()
+        if (now - lastPairingQrReaderStartUptimeMs < 1200L) {
+            return
+        }
+        lastPairingQrReaderStartUptimeMs = now
+        Intent(this, CameraActivity::class.java).also {
+            it.putExtra(CameraActivity.EXTRA_PAIRING_QR_CAMERA, true)
+            startActivity(it)
+        }
+    }
+
     @Suppress("unused")
     fun setSaveLogs(enabled: Boolean) {
         Log.v(TAG, "Set save logs: $enabled")
@@ -925,6 +1269,7 @@ class AmneziaActivity : QtActivity() {
                 CREATE_FILE_ACTION_CODE -> "CREATE_FILE"
                 OPEN_FILE_ACTION_CODE -> "OPEN_FILE"
                 CHECK_NOTIFICATION_PERMISSION_ACTION_CODE -> "CHECK_NOTIFICATION_PERMISSION"
+                CHECK_CAMERA_PERMISSION_ACTION_CODE -> "CHECK_CAMERA_PERMISSION"
                 else -> actionCode.toString()
             }
     }

client/android/src/org/amnezia/vpn/AmneziaVpnService.kt

@@ -565,7 +565,7 @@ open class AmneziaVpnService : VpnService() {
         protocolState.value = RECONNECTING
 
         connectionJob = connectionScope.launch {
-            vpnProto?.protocol?.reconnectVpn(Builder())
+            vpnProto?.protocol?.reconnectVpn(Builder(), ::protect)
         }
     }
 

client/android/src/org/amnezia/vpn/AppListProvider.kt

@@ -38,15 +38,15 @@ object AppListProvider {
     }
 }
 
-private class App(pi: PackageInfo, pm: PackageManager, ai: ApplicationInfo = pi.applicationInfo) : Comparable<App> {
+private class App(pi: PackageInfo, pm: PackageManager, ai: ApplicationInfo? = pi.applicationInfo) : Comparable<App> {
     val name: String?
     val packageName: String = pi.packageName
-    val icon: Boolean = ai.icon != 0
+    val icon: Boolean = (ai?.icon ?: 0) != 0
     val isLaunchable: Boolean = pm.getLaunchIntentForPackage(packageName) != null
 
     init {
-        val name = ai.loadLabel(pm).toString()
-        this.name = if (name != packageName) name else null
+        val name = ai?.loadLabel(pm)?.toString()
+        this.name = name?.takeIf { it != packageName }
     }
 
     override fun compareTo(other: App): Int {

client/android/src/org/amnezia/vpn/CameraActivity.kt

@@ -2,47 +2,384 @@ package org.amnezia.vpn
 
 import android.Manifest
 import android.annotation.SuppressLint
+import android.content.Intent
 import android.content.pm.PackageManager
+import android.graphics.Color
+import android.graphics.drawable.GradientDrawable
 import android.os.Bundle
 import android.view.MotionEvent.ACTION_DOWN
 import android.view.MotionEvent.ACTION_UP
+import android.graphics.RectF
+import android.view.Gravity
+import android.view.View
+import android.widget.FrameLayout
 import android.widget.Toast
 import androidx.activity.ComponentActivity
+import androidx.activity.OnBackPressedCallback
 import androidx.activity.result.contract.ActivityResultContracts.RequestPermission
+import androidx.camera.core.Camera
 import androidx.camera.core.CameraSelector
 import androidx.camera.core.ExperimentalGetImage
 import androidx.camera.core.FocusMeteringAction
 import androidx.camera.core.FocusMeteringAction.FLAG_AE
 import androidx.camera.core.FocusMeteringAction.FLAG_AF
 import androidx.camera.core.ImageAnalysis
+import androidx.camera.core.ImageProxy
 import androidx.camera.core.Preview
 import androidx.camera.lifecycle.ProcessCameraProvider
+import androidx.camera.view.PreviewView
+import androidx.camera.view.TransformExperimental
+import androidx.camera.view.transform.CoordinateTransform
+import androidx.camera.view.transform.ImageProxyTransformFactory
+import androidx.camera.view.transform.OutputTransform
 import androidx.core.content.ContextCompat
+import androidx.core.view.ViewCompat
+import androidx.core.view.WindowCompat
+import androidx.core.view.WindowInsetsCompat
+import androidx.lifecycle.Observer
+import com.google.mlkit.vision.barcode.BarcodeScanner
 import com.google.mlkit.vision.barcode.BarcodeScannerOptions.Builder
 import com.google.mlkit.vision.barcode.BarcodeScanning
-import com.google.mlkit.vision.barcode.ZoomSuggestionOptions
 import com.google.mlkit.vision.barcode.common.Barcode
 import com.google.mlkit.vision.common.InputImage
 import org.amnezia.vpn.databinding.CameraPreviewBinding
 import org.amnezia.vpn.qt.QtAndroidController
 import org.amnezia.vpn.util.Log
+import java.util.concurrent.ExecutorService
+import java.util.concurrent.Executors
+import java.util.concurrent.atomic.AtomicBoolean
+import java.util.concurrent.atomic.AtomicReference
+import kotlin.math.roundToInt
 
 private const val TAG = "CameraActivity"
 
+@OptIn(TransformExperimental::class)
 class CameraActivity : ComponentActivity() {
 
+    companion object {
+        const val EXTRA_PAIRING_QR_CAMERA = "org.amnezia.vpn.extra.PAIRING_QR_CAMERA"
+    }
+
     private lateinit var viewBinding: CameraPreviewBinding
-    private lateinit var cameraProvider: ProcessCameraProvider
+    private var cameraProvider: ProcessCameraProvider? = null
+    private var boundCamera: Camera? = null
+    private var boundImageAnalysis: ImageAnalysis? = null
+    private var torchOn: Boolean = false
+
+    private var imageAnalysisExecutor: ExecutorService? = null
+
+    private val qrHandledOrClosing = AtomicBoolean(false)
+
+    private var pairingQrDeliveredToQt = false
+
+    private var pairingQrUserDismissedCamera = false
+
+    private var barcodeScanner: BarcodeScanner? = null
+
+    private val cachedPreviewOutputTransform = AtomicReference<OutputTransform?>(null)
+
+    private var previewTransformLayoutListener: View.OnLayoutChangeListener? = null
+
+    private var previewStreamStateObserver: Observer<PreviewView.StreamState>? = null
+
+    @Volatile
+    private var pairingGeomHeaderBottomPx = 0f
+
+    @Volatile
+    private var pairingGeomStatusBarTopPx = 0f
+
+    @Volatile
+    private var pairingGeomDensity = 1f
 
     @ExperimentalGetImage
     override fun onCreate(savedInstanceState: Bundle?) {
         super.onCreate(savedInstanceState)
         viewBinding = CameraPreviewBinding.inflate(layoutInflater)
         setContentView(viewBinding.root)
+        viewBinding.viewFinder.scaleType = PreviewView.ScaleType.FILL_CENTER
+
+        if (intent.getBooleanExtra(EXTRA_PAIRING_QR_CAMERA, false)) {
+            WindowCompat.setDecorFitsSystemWindows(window, false)
+            val density = resources.displayMetrics.density
+            val padH = (8 * density).toInt()
+            val padTopBase = (28 * density).toInt()
+            val padBottom = (12 * density).toInt()
+            ViewCompat.setOnApplyWindowInsetsListener(viewBinding.pairingChrome) { v, windowInsets ->
+                val bars = windowInsets.getInsets(WindowInsetsCompat.Type.statusBars())
+                v.setPadding(padH, padTopBase + bars.top, (16 * density).toInt(), padBottom)
+                v.post { onPairingLayoutGeometryChanged() }
+                windowInsets
+            }
+            viewBinding.pairingScanOverlay.visibility = View.VISIBLE
+            viewBinding.pairingChrome.visibility = View.VISIBLE
+            viewBinding.root.addOnLayoutChangeListener { _, _, _, _, _, _, _, _, _ ->
+                viewBinding.root.post { onPairingLayoutGeometryChanged() }
+            }
+            viewBinding.root.post {
+                onPairingLayoutGeometryChanged()
+                applyPairingTorchButtonChrome()
+            }
+        }
+
+        viewBinding.pairingBack.setOnClickListener { releaseCameraAndFinish() }
+
+        onBackPressedDispatcher.addCallback(
+            this,
+            object : OnBackPressedCallback(true) {
+                override fun handleOnBackPressed() {
+                    releaseCameraAndFinish()
+                }
+            }
+        )
+
+        viewBinding.torchButton.setOnClickListener {
+            torchOn = !torchOn
+            try {
+                boundCamera?.cameraControl?.enableTorch(torchOn)
+            } catch (e: Exception) {
+                Log.e(TAG, "Torch: $e")
+            }
+            if (intent.getBooleanExtra(EXTRA_PAIRING_QR_CAMERA, false)) {
+                applyPairingTorchButtonChrome()
+            }
+        }
 
         checkPermissions(onSuccess = ::startCamera, onFail = ::finish)
     }
 
+    override fun onNewIntent(intent: Intent) {
+        super.onNewIntent(intent)
+        setIntent(intent)
+        if (!intent.getBooleanExtra(EXTRA_PAIRING_QR_CAMERA, false)) {
+            return
+        }
+        if (!::viewBinding.isInitialized) {
+            return
+        }
+        cleanupCameraResources()
+        qrHandledOrClosing.set(false)
+        pairingQrDeliveredToQt = false
+        pairingQrUserDismissedCamera = false
+        torchOn = false
+        viewBinding.pairingScanOverlay.visibility = View.VISIBLE
+        viewBinding.pairingChrome.visibility = View.VISIBLE
+        viewBinding.root.post {
+            onPairingLayoutGeometryChanged()
+            applyPairingTorchButtonChrome()
+        }
+        checkPermissions(onSuccess = ::startCamera, onFail = ::finish)
+    }
+
+    override fun onDestroy() {
+        cleanupCameraResources()
+        val pairing = intent.getBooleanExtra(EXTRA_PAIRING_QR_CAMERA, false)
+        if (pairing && !pairingQrDeliveredToQt && !pairingQrUserDismissedCamera) {
+            try {
+                QtAndroidController.onPairingQrCameraClosed()
+            } catch (t: Throwable) {
+                Log.e(TAG, "onPairingQrCameraClosed: $t")
+            }
+        }
+        super.onDestroy()
+    }
+
+    /** Idempotent: safe from back, successful decode, or process death. */
+    private fun cleanupCameraResources() {
+        qrHandledOrClosing.set(true)
+        try {
+            boundImageAnalysis?.clearAnalyzer()
+        } catch (_: Exception) {
+        }
+        boundImageAnalysis = null
+        try {
+            barcodeScanner?.close()
+        } catch (_: Exception) {
+        }
+        barcodeScanner = null
+        try {
+            boundCamera?.cameraControl?.enableTorch(false)
+        } catch (_: Exception) {
+        }
+        boundCamera = null
+        try {
+            cameraProvider?.unbindAll()
+        } catch (_: Exception) {
+        }
+        imageAnalysisExecutor?.let { ex ->
+            try {
+                ex.shutdown()
+            } catch (_: Exception) {
+            }
+        }
+        imageAnalysisExecutor = null
+        previewTransformLayoutListener?.let { listener ->
+            if (::viewBinding.isInitialized) {
+                viewBinding.viewFinder.removeOnLayoutChangeListener(listener)
+            }
+        }
+        previewTransformLayoutListener = null
+        previewStreamStateObserver?.let { obs ->
+            if (::viewBinding.isInitialized) {
+                viewBinding.viewFinder.previewStreamState.removeObserver(obs)
+            }
+        }
+        previewStreamStateObserver = null
+        cachedPreviewOutputTransform.set(null)
+    }
+
+    private fun refreshCachedPreviewOutputTransform() {
+        if (!::viewBinding.isInitialized) {
+            return
+        }
+        val vf = viewBinding.viewFinder
+        try {
+            val out = vf.outputTransform
+            cachedPreviewOutputTransform.set(out)
+        } catch (t: Throwable) {
+            Log.e(TAG, "refreshCachedPreviewOutputTransform: $t")
+            cachedPreviewOutputTransform.set(null)
+        }
+    }
+
+    private fun scheduleCachedPreviewOutputTransformRefresh() {
+        if (!::viewBinding.isInitialized) {
+            return
+        }
+        viewBinding.viewFinder.post { refreshCachedPreviewOutputTransform() }
+    }
+
+    private fun onPairingLayoutGeometryChanged() {
+        if (!::viewBinding.isInitialized || !intent.getBooleanExtra(EXTRA_PAIRING_QR_CAMERA, false)) {
+            return
+        }
+        val root = viewBinding.root
+        val chrome = viewBinding.pairingChrome
+        val w = root.width
+        val h = root.height
+        if (w <= 0 || h <= 0) {
+            return
+        }
+        val density = resources.displayMetrics.density
+        val headerBottom = if (chrome.visibility == View.VISIBLE) chrome.bottom.toFloat() else 0f
+        val insets = ViewCompat.getRootWindowInsets(root)
+        val statusTop = insets?.getInsets(WindowInsetsCompat.Type.statusBars())?.top?.toFloat() ?: 0f
+        val safeBottom = insets?.getInsets(WindowInsetsCompat.Type.systemBars())?.bottom?.toFloat() ?: 0f
+
+        pairingGeomHeaderBottomPx = headerBottom
+        pairingGeomStatusBarTopPx = statusTop
+        pairingGeomDensity = density
+
+        viewBinding.pairingScanOverlay.setPairingHeaderBottomPx(headerBottom)
+
+        val hole = PairingQrScanGeometry.pairingIosStyleHoleRectF(w, h, headerBottom, statusTop, density)
+        val torchCy = PairingQrScanGeometry.pairingIosStyleTorchCenterYPx(
+            hole.bottom,
+            h.toFloat(),
+            headerBottom,
+            safeBottom,
+            density
+        )
+        val torchSizePx = (56f * density).roundToInt().coerceAtLeast(1)
+        val topMargin = (torchCy - torchSizePx / 2f).roundToInt().coerceAtLeast(0)
+        val wantGravity = Gravity.TOP or Gravity.CENTER_HORIZONTAL
+        viewBinding.torchButton.post {
+            if (!::viewBinding.isInitialized || !intent.getBooleanExtra(EXTRA_PAIRING_QR_CAMERA, false)) {
+                return@post
+            }
+            val btn = viewBinding.torchButton
+            val lp = btn.layoutParams as FrameLayout.LayoutParams
+            if (lp.gravity == wantGravity && lp.topMargin == topMargin && lp.bottomMargin == 0) {
+                return@post
+            }
+            lp.gravity = wantGravity
+            lp.topMargin = topMargin
+            lp.bottomMargin = 0
+            btn.layoutParams = lp
+        }
+    }
+
+    private fun applyPairingTorchButtonChrome() {
+        if (!::viewBinding.isInitialized || !intent.getBooleanExtra(EXTRA_PAIRING_QR_CAMERA, false)) {
+            return
+        }
+        val btn = viewBinding.torchButton
+        val d = resources.displayMetrics.density
+        val alpha = if (torchOn) (0.42f * 255f).toInt() else (0.22f * 255f).toInt()
+        val bg = GradientDrawable().apply {
+            shape = GradientDrawable.OVAL
+            setColor(Color.argb(alpha, 255, 255, 255))
+            if (torchOn) {
+                setStroke((2f * d).roundToInt(), Color.rgb(255, 191, 115))
+            } else {
+                setStroke(0, 0)
+            }
+        }
+        btn.background = bg
+    }
+
+    private fun pairingHoleRectInImageSpace(
+        viewFinder: PreviewView,
+        imageProxy: ImageProxy,
+        imageWidth: Int,
+        imageHeight: Int
+    ): RectF {
+        val vw = viewFinder.width
+        val vh = viewFinder.height
+        fun geomFallback(): RectF =
+            PairingQrScanGeometry.pairingIosStyleHoleInImageCoords(
+                vw,
+                vh,
+                pairingGeomHeaderBottomPx,
+                pairingGeomStatusBarTopPx,
+                pairingGeomDensity,
+                imageWidth,
+                imageHeight
+            )
+        if (vw <= 0 || vh <= 0 || imageWidth <= 0 || imageHeight <= 0) {
+            return geomFallback()
+        }
+        return try {
+            val previewOut = cachedPreviewOutputTransform.get()
+            if (previewOut == null) {
+                geomFallback()
+            } else {
+                val imageFactory = ImageProxyTransformFactory().apply {
+                    setUsingRotationDegrees(true)
+                }
+                val imageOut = imageFactory.getOutputTransform(imageProxy)
+                val holeView = PairingQrScanGeometry.pairingIosStyleHoleRectF(
+                    vw,
+                    vh,
+                    pairingGeomHeaderBottomPx,
+                    pairingGeomStatusBarTopPx,
+                    pairingGeomDensity
+                )
+                if (holeView.width() <= 0f || holeView.height() <= 0f) {
+                    return geomFallback()
+                }
+                val hole = RectF(holeView)
+                CoordinateTransform(previewOut, imageOut).mapRect(hole)
+                hole
+            }
+        } catch (t: Throwable) {
+            Log.e(TAG, "pairingHoleRectInImageSpace: $t")
+            geomFallback()
+        }
+    }
+
+    private fun releaseCameraAndFinish() {
+        if (intent.getBooleanExtra(EXTRA_PAIRING_QR_CAMERA, false)) {
+            pairingQrUserDismissedCamera = true
+            try {
+                QtAndroidController.onPairingQrCameraUserDismissed()
+            } catch (t: Throwable) {
+                Log.e(TAG, "onPairingQrCameraUserDismissed: $t")
+            }
+        }
+        cleanupCameraResources()
+        finish()
+    }
+
     private fun checkPermissions(onSuccess: () -> Unit, onFail: () -> Unit) {
         if (checkSelfPermission(Manifest.permission.CAMERA) == PackageManager.PERMISSION_GRANTED) {
             onSuccess()
@@ -67,26 +404,41 @@ class CameraActivity : ComponentActivity() {
 
         cameraProviderFuture.addListener({
             cameraProvider = cameraProviderFuture.get()
-            bindPreview()
-            bindImageAnalysis()
+            bindCameraUseCases()
         }, ContextCompat.getMainExecutor(this))
     }
 
     @SuppressLint("ClickableViewAccessibility")
-    private fun bindPreview() {
+    @ExperimentalGetImage
+    private fun bindCameraUseCases() {
+        val provider = cameraProvider ?: return
+        imageAnalysisExecutor?.shutdown()
+        imageAnalysisExecutor = Executors.newSingleThreadExecutor()
+
         val viewFinder = viewBinding.viewFinder
         val preview = Preview.Builder().build().also {
             it.setSurfaceProvider(viewFinder.surfaceProvider)
         }
 
-        val camera = cameraProvider.bindToLifecycle(this, CameraSelector.DEFAULT_BACK_CAMERA, preview)
+        val imageAnalysis = ImageAnalysis.Builder()
+            .setBackpressureStrategy(ImageAnalysis.STRATEGY_KEEP_ONLY_LATEST)
+            .build()
+
+        val camera = provider.bindToLifecycle(
+            this,
+            CameraSelector.DEFAULT_BACK_CAMERA,
+            preview,
+            imageAnalysis
+        )
+        boundCamera = camera
+        boundImageAnalysis = imageAnalysis
 
         viewFinder.setOnTouchListener { _, motionEvent ->
             when (motionEvent.action) {
                 ACTION_DOWN -> true
                 ACTION_UP -> {
                     val point = viewFinder
-                        .meteringPointFactory.createPoint(motionEvent.x, motionEvent.x)
+                        .meteringPointFactory.createPoint(motionEvent.x, motionEvent.y)
 
                     val action = FocusMeteringAction
                         .Builder(point, FLAG_AF or FLAG_AE).build()
@@ -98,58 +450,121 @@ class CameraActivity : ComponentActivity() {
                 else -> false
             }
         }
-    }
 
-    @ExperimentalGetImage
-    private fun bindImageAnalysis() {
-        val imageAnalysis = ImageAnalysis.Builder().build()
+        if (intent.getBooleanExtra(EXTRA_PAIRING_QR_CAMERA, false)) {
+            previewTransformLayoutListener?.let { viewFinder.removeOnLayoutChangeListener(it) }
+            val layoutListener = View.OnLayoutChangeListener { _, _, _, _, _, _, _, _, _ ->
+                viewFinder.post {
+                    scheduleCachedPreviewOutputTransformRefresh()
+                    onPairingLayoutGeometryChanged()
+                }
+            }
+            previewTransformLayoutListener = layoutListener
+            viewFinder.addOnLayoutChangeListener(layoutListener)
+            previewStreamStateObserver?.let { viewFinder.previewStreamState.removeObserver(it) }
+            val streamObserver = Observer<PreviewView.StreamState> { state ->
+                if (state == PreviewView.StreamState.STREAMING) {
+                    viewFinder.post {
+                        scheduleCachedPreviewOutputTransformRefresh()
+                        onPairingLayoutGeometryChanged()
+                    }
+                }
+            }
+            previewStreamStateObserver = streamObserver
+            viewFinder.previewStreamState.observe(this, streamObserver)
+            scheduleCachedPreviewOutputTransformRefresh()
+        }
 
-        val camera = cameraProvider.bindToLifecycle(this, CameraSelector.DEFAULT_BACK_CAMERA, imageAnalysis)
+        try {
+            barcodeScanner?.close()
+        } catch (_: Exception) {
+        }
 
-        val barcodeScanner = BarcodeScanning.getClient(
+        barcodeScanner = BarcodeScanning.getClient(
             Builder()
                 .setBarcodeFormats(Barcode.FORMAT_QR_CODE)
-                .setZoomSuggestionOptions(
-                    ZoomSuggestionOptions.Builder { zoomLevel ->
-                        camera.cameraControl.setZoomRatio(zoomLevel)
-                        true
-                    }.apply {
-                        camera.cameraInfo.zoomState.value?.maxZoomRatio?.let { maxZoomRation ->
-                            setMaxSupportedZoomRatio(maxZoomRation)
-                        }
-                    }.build()
-                ).build()
+                .build()
         )
 
-        // optimization
         val checkedBarcodes = hashSetOf<String>()
+        val analysisExecutor = imageAnalysisExecutor!!
+        val mainExecutor = ContextCompat.getMainExecutor(this)
+        val pairingQrMode = intent.getBooleanExtra(EXTRA_PAIRING_QR_CAMERA, false)
 
-        imageAnalysis.setAnalyzer(ContextCompat.getMainExecutor(this)) { imageProxy ->
-            imageProxy.image?.let { InputImage.fromMediaImage(it, imageProxy.imageInfo.rotationDegrees) }
-                ?.let { image ->
-                    barcodeScanner.process(image).addOnSuccessListener { barcodes ->
-                        barcodes.firstOrNull()?.let { barcode ->
-                            barcode.displayValue?.let { code ->
-                                if (code.isNotEmpty() && code !in checkedBarcodes) {
-                                    if (QtAndroidController.decodeQrCode(code)) {
-                                        barcodeScanner.close()
+        imageAnalysis.setAnalyzer(analysisExecutor) { imageProxy ->
+            if (qrHandledOrClosing.get()) {
+                imageProxy.close()
+                return@setAnalyzer
+            }
+            val mediaImage = imageProxy.image
+            if (mediaImage == null) {
+                imageProxy.close()
+                return@setAnalyzer
+            }
+            val image = InputImage.fromMediaImage(mediaImage, imageProxy.imageInfo.rotationDegrees)
+            val viewW = viewFinder.width
+            val viewH = viewFinder.height
+            val pairingRoi = if (pairingQrMode) {
+                pairingHoleRectInImageSpace(viewFinder, imageProxy, image.width, image.height)
+            } else {
+                null
+            }
+            val scanner = barcodeScanner ?: run {
+                imageProxy.close()
+                return@setAnalyzer
+            }
+            scanner.process(image)
+                .addOnSuccessListener(mainExecutor) { barcodes ->
+                    if (qrHandledOrClosing.get()) {
+                        return@addOnSuccessListener
+                    }
+                    val barcode = if (pairingQrMode) {
+                        val roi = pairingRoi
+                            ?: PairingQrScanGeometry.pairingIosStyleHoleInImageCoords(
+                                viewW,
+                                viewH,
+                                pairingGeomHeaderBottomPx,
+                                pairingGeomStatusBarTopPx,
+                                pairingGeomDensity,
+                                image.width,
+                                image.height
+                            )
+                        barcodes.firstOrNull {
+                            PairingQrScanGeometry.barcodeMatchesPairingHole(
+                                roi,
+                                image.width,
+                                image.height,
+                                it
+                            )
+                        }
+                    } else {
+                        barcodes.firstOrNull()
+                    }
+                    barcode?.displayValue?.let { code ->
+                            if (code.isNotEmpty() && code !in checkedBarcodes) {
+                                checkedBarcodes.add(code)
+                                if (QtAndroidController.decodeQrCode(code)) {
+                                    if (qrHandledOrClosing.compareAndSet(false, true)) {
+                                        if (pairingQrMode) {
+                                            pairingQrDeliveredToQt = true
+                                        }
                                         stopCamera()
                                     }
-                                    checkedBarcodes.add(code)
                                 }
                             }
-                        }
-                    }.addOnFailureListener {
-                        Log.e(TAG, "Processing QR code image failed: ${it.message}")
-                    }.addOnCompleteListener {
-                        imageProxy.close()
                     }
                 }
+                .addOnFailureListener(mainExecutor) {
+                    Log.e(TAG, "Processing QR code image failed: ${it.message}")
+                }
+                .addOnCompleteListener(mainExecutor) {
+                    imageProxy.close()
+                }
         }
     }
 
     private fun stopCamera() {
-        cameraProvider.unbindAll()
+        cleanupCameraResources()
         finish()
     }
 }

client/android/src/org/amnezia/vpn/PairingQrScanBracketPaths.kt

@@ -0,0 +1,101 @@
+package org.amnezia.vpn
+
+import android.graphics.Path
+import android.graphics.RectF
+import kotlin.math.PI
+import kotlin.math.atan2
+import kotlin.math.max
+import kotlin.math.min
+
+object PairingQrScanBracketPaths {
+
+    private fun Path.addCornerMinorArc(
+        cx: Float,
+        cy: Float,
+        r: Float,
+        sx: Float,
+        sy: Float,
+        ex: Float,
+        ey: Float
+    ) {
+        var asRad = atan2((sy - cy).toDouble(), (sx - cx).toDouble())
+        var aeRad = atan2((ey - cy).toDouble(), (ex - cx).toDouble())
+        while (aeRad - asRad > PI) {
+            aeRad -= 2.0 * PI
+        }
+        while (aeRad - asRad < -PI) {
+            aeRad += 2.0 * PI
+        }
+        val minor = aeRad - asRad
+        val startDeg = Math.toDegrees(asRad).toFloat()
+        val sweepDeg = Math.toDegrees(minor).toFloat()
+        addArc(RectF(cx - r, cy - r, cx + r, cy + r), startDeg, sweepDeg)
+    }
+
+    fun bracketStrokePath(corner: Int, x0: Float, y0: Float, s: Float, R: Float, L: Float, t: Float): Path {
+        val r = max(1.5f, R - t * 0.5f)
+        val p = Path()
+        val yy = y0 + t * 0.5f
+        val yyb = y0 + s - t * 0.5f
+        val xx = x0 + t * 0.5f
+        val xxb = x0 + s - t * 0.5f
+
+        when (corner) {
+            0 -> {
+                val cTLx = x0 + R
+                val cTLy = y0 + R
+                val sTLx = x0 + R
+                val sTLy = yy
+                val eTLx = xx
+                val eTLy = y0 + R
+                p.moveTo(x0 + R + L, yy)
+                p.lineTo(sTLx, sTLy)
+                p.addCornerMinorArc(cTLx, cTLy, r, sTLx, sTLy, eTLx, eTLy)
+                val yEndTL = min(y0 + R + L, y0 + s - R - t * 0.5f)
+                p.lineTo(xx, max(yEndTL, y0 + R + 2f))
+            }
+            1 -> {
+                val cTRx = x0 + s - R
+                val cTRy = y0 + R
+                val sTRx = x0 + s - R
+                val sTRy = yy
+                val eTRx = xxb
+                val eTRy = y0 + R
+                p.moveTo(x0 + s - R - L, yy)
+                p.lineTo(sTRx, sTRy)
+                p.addCornerMinorArc(cTRx, cTRy, r, sTRx, sTRy, eTRx, eTRy)
+                val yEndTR = min(y0 + R + L, y0 + s - R - t * 0.5f)
+                p.lineTo(xxb, max(yEndTR, y0 + R + 2f))
+            }
+            2 -> {
+                val cBLx = x0 + R
+                val cBLy = y0 + s - R
+                val sBLx = x0 + R
+                val sBLy = yyb
+                val eBLx = xx
+                val eBLy = y0 + s - R
+                p.moveTo(x0 + R + L, yyb)
+                p.lineTo(sBLx, sBLy)
+                p.addCornerMinorArc(cBLx, cBLy, r, sBLx, sBLy, eBLx, eBLy)
+                val yEndTopRef = max(min(y0 + R + L, y0 + s - R - t * 0.5f), y0 + R + 2f)
+                val yLegBL = y0 + s + y0 - yEndTopRef
+                p.lineTo(xx, yLegBL)
+            }
+            3 -> {
+                val cBRx = x0 + s - R
+                val cBRy = y0 + s - R
+                val sBRx = x0 + s - R
+                val sBRy = yyb
+                val eBRx = xxb
+                val eBRy = y0 + s - R
+                p.moveTo(x0 + s - R - L, yyb)
+                p.lineTo(sBRx, sBRy)
+                p.addCornerMinorArc(cBRx, cBRy, r, sBRx, sBRy, eBRx, eBRy)
+                val yEndTopRef = max(min(y0 + R + L, y0 + s - R - t * 0.5f), y0 + R + 2f)
+                val yLegBR = y0 + s + y0 - yEndTopRef
+                p.lineTo(xxb, yLegBR)
+            }
+        }
+        return p
+    }
+}

client/android/src/org/amnezia/vpn/PairingQrScanGeometry.kt

@@ -0,0 +1,152 @@
+package org.amnezia.vpn
+
+import android.graphics.Rect
+import android.graphics.RectF
+import com.google.mlkit.vision.barcode.common.Barcode
+import kotlin.math.floor
+import kotlin.math.max
+import kotlin.math.min
+
+object PairingQrScanGeometry {
+    fun viewRectToInputImageRectFillCenter(
+        viewW: Int,
+        viewH: Int,
+        imageW: Int,
+        imageH: Int,
+        viewRect: RectF
+    ): RectF {
+        val scale = max(viewW / imageW.toFloat(), viewH / imageH.toFloat())
+        val drawLeft = (viewW - imageW * scale) / 2f
+        val drawTop = (viewH - imageH * scale) / 2f
+        return RectF(
+            (viewRect.left - drawLeft) / scale,
+            (viewRect.top - drawTop) / scale,
+            (viewRect.right - drawLeft) / scale,
+            (viewRect.bottom - drawTop) / scale
+        )
+    }
+
+    fun pairingIosStyleHoleCornerRadiusPx(sidePx: Float, density: Float): Float {
+        val d = density
+        var holeR = min(28f * d, max(10f * d, sidePx * 0.056f))
+        val half = 0.5f * sidePx
+        holeR = min(holeR, max(6f * d, half - 2f * d))
+        return max(holeR, 1f)
+    }
+
+    fun barcodeBoxOverlapFraction(roi: RectF, box: Rect): Float {
+        val bf = RectF(box)
+        val inter = RectF(roi)
+        if (!inter.intersect(bf)) return 0f
+        val interArea = inter.width() * inter.height()
+        val boxArea = bf.width() * bf.height()
+        return if (boxArea <= 0f) 0f else interArea / boxArea
+    }
+
+    fun barcodeMatchesPairingHole(
+        roiInImageSpace: RectF,
+        imageW: Int,
+        imageH: Int,
+        barcode: Barcode,
+        minOverlapFraction: Float = PAIRING_SEND_MIN_OVERLAP_BBOX_FALLBACK
+    ): Boolean {
+        if (imageW <= 0 || imageH <= 0) {
+            return false
+        }
+        val roi = RectF(roiInImageSpace)
+        val iw = imageW.toFloat()
+        val ih = imageH.toFloat()
+        roi.left = max(0f, roi.left)
+        roi.top = max(0f, roi.top)
+        roi.right = min(iw, roi.right)
+        roi.bottom = min(ih, roi.bottom)
+        if (roi.width() <= 0f || roi.height() <= 0f) {
+            return false
+        }
+
+        val corners = barcode.cornerPoints
+        if (corners != null && corners.size >= 4) {
+            for (p in corners) {
+                if (!roi.contains(p.x.toFloat(), p.y.toFloat())) {
+                    return false
+                }
+            }
+            return true
+        }
+
+        val box = barcode.boundingBox ?: return false
+        val cx = box.centerX().toFloat()
+        val cy = box.centerY().toFloat()
+        if (!roi.contains(cx, cy)) {
+            return false
+        }
+        return barcodeBoxOverlapFraction(roi, box) >= minOverlapFraction
+    }
+
+    private const val PAIRING_SEND_MIN_OVERLAP_BBOX_FALLBACK = 0.72f
+
+    fun pairingIosStyleHoleRectF(
+        viewW: Int,
+        viewH: Int,
+        headerBottomPx: Float,
+        statusBarTopPx: Float,
+        density: Float
+    ): RectF {
+        val w = viewW.toFloat()
+        val h = viewH.toFloat()
+        val d = density
+        if (w < 32f || h < 32f) {
+            return RectF()
+        }
+        var hdrBottom = headerBottomPx
+        if (hdrBottom < 8f * d) {
+            hdrBottom = 132f * d + statusBarTopPx
+        }
+        val sqSz = floor(min(w, h) * 0.72).toFloat()
+        var sqX = (w - sqSz) / 2f
+        var sqY = (h - sqSz) / 2f
+        sqY = max(sqY, hdrBottom + 8f * d)
+        val kBottomBand = 80f * d
+        val maxHoleBottom = h - kBottomBand
+        if (sqY + sqSz > maxHoleBottom) {
+            sqY = maxHoleBottom - sqSz
+            sqY = max(sqY, hdrBottom + 8f * d)
+        }
+        sqX = max(8f * d, min(sqX, w - sqSz - 8f * d))
+        sqY = max(hdrBottom + 4f * d, min(sqY, h - sqSz - 8f * d))
+        return RectF(sqX, sqY, sqX + sqSz, sqY + sqSz)
+    }
+
+    fun pairingIosStyleTorchCenterYPx(
+        holeBottomPx: Float,
+        bandBottomPx: Float,
+        headerBottomPx: Float,
+        safeBottomPx: Float,
+        density: Float
+    ): Float {
+        val torchH = 56f * density
+        val d = density
+        var torchCy = (holeBottomPx + bandBottomPx) * 0.5f
+        val minC = holeBottomPx + torchH * 0.5f + 6f * d
+        val maxC = bandBottomPx - torchH * 0.5f - max(6f * d, safeBottomPx)
+        torchCy = max(minC, min(maxC, torchCy))
+        if (minC > maxC) {
+            torchCy = (minC + maxC) * 0.5f
+        }
+        val hdr = headerBottomPx + torchH * 0.5f + 10f * d
+        return max(torchCy, hdr)
+    }
+
+    fun pairingIosStyleHoleInImageCoords(
+        viewW: Int,
+        viewH: Int,
+        headerBottomPx: Float,
+        statusBarTopPx: Float,
+        density: Float,
+        imageW: Int,
+        imageH: Int
+    ): RectF {
+        val hv = pairingIosStyleHoleRectF(viewW, viewH, headerBottomPx, statusBarTopPx, density)
+        return viewRectToInputImageRectFillCenter(viewW, viewH, imageW, imageH, hv)
+    }
+}

client/android/src/org/amnezia/vpn/PairingQrScanOverlayView.kt

@@ -0,0 +1,115 @@
+package org.amnezia.vpn
+
+import android.content.Context
+import android.graphics.Canvas
+import android.graphics.Paint
+import android.graphics.Path
+import android.graphics.RectF
+import android.util.AttributeSet
+import android.view.MotionEvent
+import android.view.View
+import androidx.core.view.ViewCompat
+import androidx.core.view.WindowInsetsCompat
+import kotlin.math.max
+
+class PairingQrScanOverlayView @JvmOverloads constructor(
+    context: Context,
+    attrs: AttributeSet? = null,
+    defStyleAttr: Int = 0
+) : View(context, attrs, defStyleAttr) {
+
+    init {
+        isClickable = false
+        isFocusable = false
+    }
+
+    @Suppress("ClickableViewAccessibility")
+    override fun onTouchEvent(event: MotionEvent): Boolean = false
+
+    private val dimPaint = Paint(Paint.ANTI_ALIAS_FLAG).apply {
+        color = 0x8C000000.toInt()
+        style = Paint.Style.FILL
+    }
+
+    private val bracketPaint = Paint(Paint.ANTI_ALIAS_FLAG).apply {
+        color = 0xFFE8E8EC.toInt()
+        style = Paint.Style.STROKE
+        strokeCap = Paint.Cap.ROUND
+        strokeJoin = Paint.Join.ROUND
+    }
+
+    private var hole = RectF()
+
+    private val bracketPaths = arrayOfNulls<Path>(4)
+
+    private val dimPath = Path()
+
+    private var pairingHeaderBottomPx = 0f
+
+    fun setPairingHeaderBottomPx(px: Float) {
+        if (pairingHeaderBottomPx == px) {
+            return
+        }
+        pairingHeaderBottomPx = px
+        recomputePairingHole()
+        invalidate()
+    }
+
+    private fun recomputePairingHole() {
+        val w = width
+        val h = height
+        if (w <= 0 || h <= 0) {
+            return
+        }
+        val topInset = ViewCompat.getRootWindowInsets(this)
+            ?.getInsets(WindowInsetsCompat.Type.statusBars())?.top?.toFloat() ?: 0f
+        val d = resources.displayMetrics.density
+        hole = PairingQrScanGeometry.pairingIosStyleHoleRectF(w, h, pairingHeaderBottomPx, topInset, d)
+        rebuildBracketPaths()
+    }
+
+    private fun rebuildBracketPaths() {
+        val s = hole.width()
+        if (s <= 0f) {
+            bracketPaths.fill(null)
+            return
+        }
+        val x0 = hole.left
+        val y0 = hole.top
+        val t = bracketPaint.strokeWidth
+        val d = resources.displayMetrics.density
+        val l = max(28f * d, s * 0.13f)
+        val r = PairingQrScanGeometry.pairingIosStyleHoleCornerRadiusPx(s, d)
+        for (i in 0..3) {
+            bracketPaths[i] = PairingQrScanBracketPaths.bracketStrokePath(i, x0, y0, s, r, l, t)
+        }
+    }
+
+    override fun onSizeChanged(w: Int, h: Int, oldw: Int, oldh: Int) {
+        super.onSizeChanged(w, h, oldw, oldh)
+        bracketPaint.strokeWidth = max(3f, 5f * resources.displayMetrics.density)
+        recomputePairingHole()
+    }
+
+    override fun onDraw(canvas: Canvas) {
+        super.onDraw(canvas)
+        val w = width.toFloat()
+        val h = height.toFloat()
+        val side = hole.width()
+        if (side > 0f) {
+            val d = resources.displayMetrics.density
+            val rx = PairingQrScanGeometry.pairingIosStyleHoleCornerRadiusPx(side, d)
+            dimPath.rewind()
+            dimPath.fillType = Path.FillType.EVEN_ODD
+            dimPath.addRect(0f, 0f, w, h, Path.Direction.CW)
+            dimPath.addRoundRect(hole, rx, rx, Path.Direction.CW)
+            canvas.drawPath(dimPath, dimPaint)
+        } else {
+            canvas.drawRect(0f, 0f, w, h, dimPaint)
+        }
+
+        for (i in 0..3) {
+            bracketPaths[i]?.let { canvas.drawPath(it, bracketPaint) }
+        }
+    }
+}

client/android/src/org/amnezia/vpn/TvFilePicker.kt

@@ -1,7 +1,10 @@
 package org.amnezia.vpn
 
 import android.content.ActivityNotFoundException
+import android.content.Context
 import android.content.Intent
+import android.content.pm.PackageManager
+import android.os.Build
 import android.os.Bundle
 import androidx.activity.ComponentActivity
 import androidx.activity.result.contract.ActivityResultContracts
@@ -11,8 +14,29 @@ private const val TAG = "TvFilePicker"
 
 class TvFilePicker : ComponentActivity() {
 
-    private val fileChooseResultLauncher = registerForActivityResult(ActivityResultContracts.GetContent()) {
-        setResult(RESULT_OK, Intent().apply { data = it })
+    private val fileChooseResultLauncher = registerForActivityResult(object : ActivityResultContracts.OpenDocument() {
+        override fun createIntent(context: Context, input: Array<String>): Intent {
+            val intent = super.createIntent(context, input)
+
+            val activitiesToResolveIntent = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+                context.packageManager.queryIntentActivities(intent, PackageManager.ResolveInfoFlags.of(PackageManager.MATCH_DEFAULT_ONLY.toLong()))
+            } else {
+                @Suppress("DEPRECATION")
+                context.packageManager.queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY)
+            }
+            if (activitiesToResolveIntent.all {
+                    val name = it.activityInfo.packageName
+                    name.startsWith("com.google.android.tv.frameworkpackagestubs") || name.startsWith("com.android.tv.frameworkpackagestubs")
+                }) {
+                throw ActivityNotFoundException()
+            }
+            return intent
+        }
+    }) {
+        setResult(RESULT_OK, Intent().apply {
+            data = it
+            addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
+        })
         finish()
     }
 
@@ -31,7 +55,7 @@ class TvFilePicker : ComponentActivity() {
     private fun getFile() {
         try {
             Log.v(TAG, "getFile")
-            fileChooseResultLauncher.launch("*/*")
+            fileChooseResultLauncher.launch(arrayOf("*/*"))
         } catch (_: ActivityNotFoundException) {
             Log.w(TAG, "Activity not found")
             setResult(RESULT_CANCELED, Intent().apply { putExtra("activityNotFound", true) })

client/android/src/org/amnezia/vpn/VpnProto.kt

@@ -2,7 +2,6 @@ package org.amnezia.vpn
 
 import org.amnezia.vpn.protocol.Protocol
 import org.amnezia.vpn.protocol.awg.Awg
-import org.amnezia.vpn.protocol.cloak.Cloak
 import org.amnezia.vpn.protocol.openvpn.OpenVpn
 import org.amnezia.vpn.protocol.wireguard.Wireguard
 import org.amnezia.vpn.protocol.xray.Xray
@@ -36,14 +35,6 @@ enum class VpnProto(
         override fun createProtocol(): Protocol = OpenVpn()
     },
 
-    CLOAK(
-        "Cloak",
-        "org.amnezia.vpn:amneziaOpenVpnService",
-        OpenVpnService::class.java
-    ) {
-        override fun createProtocol(): Protocol = Cloak()
-    },
-
     XRAY(
         "XRay",
         "org.amnezia.vpn:amneziaXrayService",
@@ -72,4 +63,4 @@ enum class VpnProto(
     companion object {
         fun get(protocolName: String): VpnProto = VpnProto.valueOf(protocolName.uppercase())
     }
-}
+}

client/android/src/org/amnezia/vpn/qt/QtAndroidController.kt

@@ -28,4 +28,16 @@ object QtAndroidController {
     external fun onAuthResult(result: Boolean)
 
     external fun decodeQrCode(data: String): Boolean
+
+    external fun onImeInsetsChanged(heightDp: Int)
+    external fun onSystemBarsInsetsChanged(navBarHeightDp: Int, statusBarHeightDp: Int)
+
+    external fun onActivityPaused()
+    external fun onActivityResumed()
+
+    external fun onCameraPermissionResult(granted: Boolean)
+
+    external fun onPairingQrCameraClosed()
+
+    external fun onPairingQrCameraUserDismissed()
 }

client/android/wireguard/src/main/kotlin/org/amnezia/vpn/protocol/wireguard/Wireguard.kt

@@ -12,6 +12,7 @@ import org.amnezia.vpn.protocol.Protocol
 import org.amnezia.vpn.protocol.ProtocolState.CONNECTED
 import org.amnezia.vpn.protocol.ProtocolState.DISCONNECTED
 import org.amnezia.vpn.protocol.Statistics
+import org.amnezia.vpn.protocol.VpnException
 import org.amnezia.vpn.protocol.VpnStartException
 import org.amnezia.vpn.util.LibraryLoader.loadSharedLibrary
 import org.amnezia.vpn.util.Log
@@ -27,6 +28,7 @@ private const val TAG = "Wireguard"
 open class Wireguard : Protocol() {
 
     private var tunnelHandle: Int = -1
+    private var config: WireguardConfig? = null // save config for reconnect
     protected open val ifName: String = "amn0"
     private lateinit var scope: CoroutineScope
     private var statusJob: Job? = null
@@ -61,6 +63,7 @@ open class Wireguard : Protocol() {
     override suspend fun startVpn(config: JSONObject, vpnBuilder: Builder, protect: (Int) -> Boolean) {
         val wireguardConfig = parseConfig(config)
         start(wireguardConfig, vpnBuilder, protect)
+        this.config = wireguardConfig
     }
 
     protected open fun parseConfig(config: JSONObject): WireguardConfig {
@@ -122,23 +125,24 @@ open class Wireguard : Protocol() {
         configData.optStringOrNull("S2")?.let { setS2(it.toInt()) }
         configData.optStringOrNull("S3")?.let { setS3(it.toInt()) }
         configData.optStringOrNull("S4")?.let { setS4(it.toInt()) }
-        configData.optStringOrNull("H1")?.let { setH1(it.toLong()) }
-        configData.optStringOrNull("H2")?.let { setH2(it.toLong()) }
-        configData.optStringOrNull("H3")?.let { setH3(it.toLong()) }
-        configData.optStringOrNull("H4")?.let { setH4(it.toLong()) }
+        configData.optStringOrNull("H1")?.trim()?.let { if (it.isNotEmpty()) setH1(it) }
+        configData.optStringOrNull("H2")?.trim()?.let { if (it.isNotEmpty()) setH2(it) }
+        configData.optStringOrNull("H3")?.trim()?.let { if (it.isNotEmpty()) setH3(it) }
+        configData.optStringOrNull("H4")?.trim()?.let { if (it.isNotEmpty()) setH4(it) }
         configData.optStringOrNull("I1")?.let { setI1(it) }
         configData.optStringOrNull("I2")?.let { setI2(it) }
         configData.optStringOrNull("I3")?.let { setI3(it) }
         configData.optStringOrNull("I4")?.let { setI4(it) }
         configData.optStringOrNull("I5")?.let { setI5(it) }
-        configData.optStringOrNull("J1")?.let { setJ1(it) }
-        configData.optStringOrNull("J2")?.let { setJ2(it) }
-        configData.optStringOrNull("J3")?.let { setJ3(it) }
-        configData.optStringOrNull("Itime")?.let { setItime(it.toInt()) }
     }
 
-    private fun start(config: WireguardConfig, vpnBuilder: Builder, protect: (Int) -> Boolean) {
-        if (tunnelHandle != -1) {
+    private fun start(
+        config: WireguardConfig,
+        vpnBuilder: Builder,
+        protect: (Int) -> Boolean,
+        stopExistingVpn: Boolean = false
+    ) {
+        if (!stopExistingVpn && tunnelHandle != -1) {
             Log.w(TAG, "Tunnel already up")
             return
         }
@@ -146,6 +150,9 @@ open class Wireguard : Protocol() {
         buildVpnInterface(config, vpnBuilder)
 
         vpnBuilder.establish().use { tunFd ->
+            if (stopExistingVpn && tunnelHandle != -1) {
+                turnOffVpn()
+            }
             if (tunFd == null) {
                 throw VpnStartException("Create VPN interface: permission not granted or revoked")
             }
@@ -202,20 +209,25 @@ open class Wireguard : Protocol() {
         return lastHandshake
     }
 
-    override fun stopVpn() {
-        if (tunnelHandle == -1) {
-            Log.w(TAG, "Tunnel already down")
-            return
-        }
+    private fun turnOffVpn() {
         statusJob?.cancel()
         statusJob = null
         val handleToClose = tunnelHandle
         tunnelHandle = -1
         GoBackend.awgTurnOff(handleToClose)
+    }
+
+    override fun stopVpn() {
+        if (tunnelHandle == -1) {
+            Log.w(TAG, "Tunnel already down")
+            return
+        }
+        turnOffVpn()
         state.value = DISCONNECTED
     }
 
-    override fun reconnectVpn(vpnBuilder: Builder) {
-        state.value = CONNECTED
+    override fun reconnectVpn(vpnBuilder: Builder, protect: (Int) -> Boolean) {
+        val config = this.config ?: throw VpnException("Reconnect config is empty")
+        start(config, vpnBuilder, protect, true)
     }
 }

client/android/wireguard/src/main/kotlin/org/amnezia/vpn/protocol/wireguard/WireguardConfig.kt

@@ -22,19 +22,15 @@ open class WireguardConfig protected constructor(
     val s2: Int?,
     val s3: Int?,
     val s4: Int?,
-    val h1: Long?,
-    val h2: Long?,
-    val h3: Long?,
-    val h4: Long?,
+    val h1: String?,
+    val h2: String?,
+    val h3: String?,
+    val h4: String?,
     var i1: String?,
     var i2: String?,
     var i3: String?,
     var i4: String?,
     var i5: String?,
-    var j1: String?,
-    var j2: String?,
-    var j3: String?,
-    var itime: Int?
 ) : ProtocolConfig(protocolConfigBuilder) {
 
     protected constructor(builder: Builder) : this(
@@ -61,10 +57,6 @@ open class WireguardConfig protected constructor(
         builder.i3,
         builder.i4,
         builder.i5,
-        builder.j1,
-        builder.j2,
-        builder.j3,
-        builder.itime
     )
 
     fun toWgUserspaceString(): String = with(StringBuilder()) {
@@ -94,10 +86,6 @@ open class WireguardConfig protected constructor(
             i3?.let { appendLine("i3=$it") }
             i4?.let { appendLine("i4=$it") }
             i5?.let { appendLine("i5=$it") }
-            j1?.let { appendLine("j1=$it") }
-            j2?.let { appendLine("j2=$it") }
-            j3?.let { appendLine("j3=$it") }
-            itime?.let { appendLine("itime=$it") }
         }
     }
 
@@ -152,19 +140,15 @@ open class WireguardConfig protected constructor(
         internal var s2: Int? = null
         internal var s3: Int? = null
         internal var s4: Int? = null
-        internal var h1: Long? = null
-        internal var h2: Long? = null
-        internal var h3: Long? = null
-        internal var h4: Long? = null
+        internal var h1: String? = null
+        internal var h2: String? = null
+        internal var h3: String? = null
+        internal var h4: String? = null
         internal var i1: String? = null
         internal var i2: String? = null
         internal var i3: String? = null
         internal var i4: String? = null
         internal var i5: String? = null
-        internal var j1: String? = null
-        internal var j2: String? = null
-        internal var j3: String? = null
-        internal var itime: Int? = null
 
         fun setEndpoint(endpoint: InetEndpoint) = apply { this.endpoint = endpoint }
 
@@ -185,19 +169,15 @@ open class WireguardConfig protected constructor(
         fun setS2(s2: Int) = apply { this.s2 = s2 }
         fun setS3(s3: Int) = apply { this.s3 = s3 }
         fun setS4(s4: Int) = apply { this.s4 = s4 }
-        fun setH1(h1: Long) = apply { this.h1 = h1 }
-        fun setH2(h2: Long) = apply { this.h2 = h2 }
-        fun setH3(h3: Long) = apply { this.h3 = h3 }
-        fun setH4(h4: Long) = apply { this.h4 = h4 }
+        fun setH1(h1: String) = apply { this.h1 = h1 }
+        fun setH2(h2: String) = apply { this.h2 = h2 }
+        fun setH3(h3: String) = apply { this.h3 = h3 }
+        fun setH4(h4: String) = apply { this.h4 = h4 }
         fun setI1(i1: String) = apply { this.i1 = i1 }
         fun setI2(i2: String) = apply { this.i2 = i2 }
         fun setI3(i3: String) = apply { this.i3 = i3 }
         fun setI4(i4: String) = apply { this.i4 = i4 }
         fun setI5(i5: String) = apply { this.i5 = i5 }
-        fun setJ1(j1: String) = apply { this.j1 = j1 }
-        fun setJ2(j2: String) = apply { this.j2 = j2 }
-        fun setJ3(j3: String) = apply { this.j3 = j3 }
-        fun setItime(itime: Int) = apply { this.itime = itime }
 
         override fun build(): WireguardConfig = configBuild().run { WireguardConfig(this@Builder) }
     }

client/android/xray/src/main/kotlin/Xray.kt

@@ -4,6 +4,9 @@ import android.content.Context
 import android.net.VpnService.Builder
 import java.io.File
 import java.io.IOException
+import java.net.InetAddress
+import java.net.ServerSocket
+import java.util.UUID
 import go.Seq
 import org.amnezia.vpn.protocol.BadConfigException
 import org.amnezia.vpn.protocol.Protocol
@@ -19,11 +22,32 @@ import org.amnezia.vpn.util.Log
 import org.amnezia.vpn.util.net.InetNetwork
 import org.amnezia.vpn.util.net.ip
 import org.amnezia.vpn.util.net.parseInetAddress
+import org.json.JSONArray
 import org.json.JSONObject
 
 private const val TAG = "Xray"
 private const val LIBXRAY_TAG = "libXray"
 
+private fun findSocksInboundIndex(inbounds: JSONArray): Int {
+    for (i in 0 until inbounds.length()) {
+        val o = inbounds.optJSONObject(i) ?: continue
+        if (o.optString("protocol").equals("socks", ignoreCase = true)) {
+            return i
+        }
+    }
+    return -1
+}
+
+private fun acquireFreeLocalPort(): Int {
+    try {
+        ServerSocket(0, 1, InetAddress.getByName("127.0.0.1")).use { return it.localPort }
+    } catch (e: Exception) {
+        throw VpnStartException(
+            "Failed to acquire free TCP port on 127.0.0.1 for SOCKS inbound: ${e.message}"
+        )
+    }
+}
+
 class Xray : Protocol() {
 
     private var isRunning: Boolean = false
@@ -53,9 +77,13 @@ class Xray : Protocol() {
             return
         }
 
-        val xrayJsonConfig = config.optJSONObject("xray_config_data")
+        val xrayConfigData = config.optJSONObject("xray_config_data")
             ?: config.optJSONObject("ssxray_config_data")
             ?: throw BadConfigException("config_data not found")
+        val xrayJsonConfig = JSONObject(xrayConfigData.optString("config"))
+
+        // Inject SOCKS5 auth before starting xray. Re-uses existing credentials if present.
+        ensureInboundAuth(xrayJsonConfig)
         val xrayConfig = parseConfig(config, xrayJsonConfig)
 
         (xrayJsonConfig.optJSONObject("log") ?: JSONObject().also { xrayJsonConfig.put("log", it) })
@@ -97,9 +125,22 @@ class Xray : Protocol() {
                 if (it.isNotBlank()) setMtu(it.toInt())
             }
 
-            val socksConfig = xrayJsonConfig.getJSONArray("inbounds")[0] as JSONObject
+            val inbounds = xrayJsonConfig.getJSONArray("inbounds")
+            val socksIdx = findSocksInboundIndex(inbounds)
+            if (socksIdx < 0) {
+                throw BadConfigException("socks inbound not found")
+            }
+            val socksConfig = inbounds.getJSONObject(socksIdx)
             socksConfig.getInt("port").let { setSocksPort(it) }
 
+            val socksSettings = socksConfig.optJSONObject("settings")
+            val accounts = socksSettings?.optJSONArray("accounts")
+            if (accounts != null && accounts.length() > 0) {
+                val account = accounts.getJSONObject(0)
+                setSocksUser(account.optString("user"))
+                setSocksPass(account.optString("pass"))
+            }
+
             configSplitTunneling(config)
             configAppSplitTunneling(config)
         }
@@ -157,22 +198,54 @@ class Xray : Protocol() {
         state.value = DISCONNECTED
     }
 
-    override fun reconnectVpn(vpnBuilder: Builder) {
+    override fun reconnectVpn(vpnBuilder: Builder, protect: (Int) -> Boolean) {
         state.value = CONNECTED
     }
 
     private fun runTun2Socks(config: XrayConfig, fd: Int) {
+        val proxyUrl = "socks5://${config.socksUser}:${config.socksPass}@127.0.0.1:${config.socksPort}"
         val tun2SocksConfig = Tun2SocksConfig().apply {
             mtu = config.mtu.toLong()
-            proxy = "socks5://127.0.0.1:${config.socksPort}"
+            proxy = proxyUrl
             device = "fd://$fd"
-            logLevel = "warning"
+            logLevel = "warn"
         }
         LibXray.startTun2Socks(tun2SocksConfig, fd.toLong()).isNotNullOrBlank { err ->
             throw VpnStartException("Failed to start tun2socks: $err")
         }
     }
 
+    // Ensures SOCKS5 auth is present on the socks inbound settings.
+    // Re-uses existing credentials if already configured; otherwise generates random ones.
+    private fun ensureInboundAuth(xrayConfig: JSONObject) {
+        val inbounds = xrayConfig.optJSONArray("inbounds") ?: return
+        val socksIdx = findSocksInboundIndex(inbounds)
+        if (socksIdx < 0) return
+
+        val inbound = inbounds.getJSONObject(socksIdx)
+        inbound.put("port", acquireFreeLocalPort())
+        val settings = inbound.optJSONObject("settings") ?: JSONObject().also { inbound.put("settings", it) }
+        val accounts = settings.optJSONArray("accounts")
+        if (accounts != null && accounts.length() > 0) {
+            val account = accounts.getJSONObject(0)
+            if (account.optString("user").isNotEmpty() && account.optString("pass").isNotEmpty()) {
+                // Ensure auth mode is enforced even for imported configs that had accounts
+                // but auth: "noauth" (or no auth field).
+                settings.put("auth", "password")
+                inbound.put("settings", settings)
+                inbounds.put(socksIdx, inbound)
+                return
+            }
+        }
+
+        val user = UUID.randomUUID().toString().replace("-", "").substring(0, 16)
+        val pass = UUID.randomUUID().toString().replace("-", "")
+        settings.put("auth", "password")
+        settings.put("accounts", JSONArray().put(JSONObject().put("user", user).put("pass", pass)))
+        inbound.put("settings", settings)
+        inbounds.put(socksIdx, inbound)
+    }
+
     companion object {
         val instance: Xray by lazy { Xray() }
     }

client/android/xray/src/main/kotlin/XrayConfig.kt

@@ -9,12 +9,16 @@ private const val XRAY_DEFAULT_MAX_MEMORY: Long = 50 shl 20 // 50 MB
 class XrayConfig protected constructor(
     protocolConfigBuilder: ProtocolConfig.Builder,
     val socksPort: Int,
+    val socksUser: String,
+    val socksPass: String,
     val maxMemory: Long,
 ) : ProtocolConfig(protocolConfigBuilder) {
 
     protected constructor(builder: Builder) : this(
         builder,
         builder.socksPort,
+        builder.socksUser,
+        builder.socksPass,
         builder.maxMemory
     )
 
@@ -22,6 +26,12 @@ class XrayConfig protected constructor(
         internal var socksPort: Int = 0
             private set
 
+        internal var socksUser: String = ""
+            private set
+
+        internal var socksPass: String = ""
+            private set
+
         internal var maxMemory: Long = XRAY_DEFAULT_MAX_MEMORY
             private set
 
@@ -29,6 +39,10 @@ class XrayConfig protected constructor(
 
         fun setSocksPort(port: Int) = apply { socksPort = port }
 
+        fun setSocksUser(user: String) = apply { socksUser = user }
+
+        fun setSocksPass(pass: String) = apply { socksPass = pass }
+
         fun setMaxMemory(maxMemory: Long) = apply { this.maxMemory = maxMemory }
 
         override fun build(): XrayConfig = configBuild().run { XrayConfig(this@Builder) }

client/client_scripts/clientScripts.qrc

@@ -0,0 +1,5 @@
+<RCC>
+    <qresource prefix="/client_scripts">
+        <file>mac_installer.sh</file>
+    </qresource>
+</RCC>

client/client_scripts/mac_installer.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+EXTRACT_DIR="$1"
+INSTALLER_PATH="$2"
+
+set -e
+
+echo "[AmneziaVPN] Installer package: $INSTALLER_PATH"
+
+if [ ! -f "$INSTALLER_PATH" ]; then
+    echo "[AmneziaVPN] ERROR: Installer package not found: $INSTALLER_PATH"
+    exit 1
+fi
+
+PKG_PATH="$INSTALLER_PATH"
+echo "[AmneziaVPN] Using PKG: $PKG_PATH"
+
+# Optional: basic signature/gatekeeper checks (non-fatal)
+if command -v pkgutil >/dev/null 2>&1; then
+    pkgutil --check-signature "$PKG_PATH" || true
+fi
+if command -v spctl >/dev/null 2>&1; then
+    spctl -a -vvv -t install "$PKG_PATH" || true
+fi
+
+# Run installer with admin privileges via AppleScript (prompts for password)
+echo "[AmneziaVPN] Running installer..."
+OSA_CMD='do shell script "/usr/sbin/installer -pkg '"$PKG_PATH"' -target /" with administrator privileges'
+osascript -e "$OSA_CMD"
+
+STATUS=$?
+if [ $STATUS -ne 0 ]; then
+    echo "[AmneziaVPN] ERROR: installer exited with status $STATUS"
+    exit $STATUS
+fi
+
+echo "[AmneziaVPN] Cleaning up..."
+rm -f "$INSTALLER_PATH" || true
+rm -rf "$EXTRACT_DIR" 2>/dev/null || true
+
+echo "[AmneziaVPN] Installation completed successfully"
+exit 0

client/cmake/3rdparty.cmake

@@ -8,90 +8,41 @@ include(${CLIENT_ROOT_DIR}/cmake/QSimpleCrypto.cmake)
 
 include(${CLIENT_ROOT_DIR}/3rd/qrcodegen/qrcodegen.cmake)
 
-set(LIBSSH_ROOT_DIR "${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/libssh/")
-set(OPENSSL_ROOT_DIR "${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/openssl/")
-
-set(OPENSSL_LIBRARIES_DIR "${OPENSSL_ROOT_DIR}/lib")
-
-if(WIN32)
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/windows/include")
-    if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
-        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/windows/x86_64/ssh.lib")
-        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/windows/x86_64")
-        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/windows/win64/libssl.lib")
-        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win64/libcrypto.lib")
-    else()
-        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/windows/x86/ssh.lib")
-        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/windows/x86")
-        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libssl.lib")
-        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libcrypto.lib")
-    endif()
-elseif(APPLE AND NOT IOS)
-    if(MACOS_NE)
-        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libssh.a")
-        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libz.a")
-        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/universal2")
-    else()
-        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libssh.a")
-        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libz.a")
-        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/x86_64")
-    endif()
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/macos/include")
-    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libssl.a")
-    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libcrypto.a")
-elseif(IOS)
-    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/ios/arm64")
-    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/ios/arm64/libssh.a")
-    set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/ios/arm64/libz.a")
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/ios/iphone/include")
-    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/ios/iphone/lib/libssl.a")
-    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/ios/iphone/lib/libcrypto.a")
-elseif(ANDROID)
-    set(abi ${CMAKE_ANDROID_ARCH_ABI})
-    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/android/${abi}")
-    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/android/${abi}/libssh.so")
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/android/include")
-    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/android/${abi}/libssl.a")
-    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/android/${abi}/libcrypto.a")
-    set(OPENSSL_LIBRARIES_DIR "${OPENSSL_ROOT_DIR}/android/${abi}")
-elseif(LINUX)
-    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/linux/x86_64")
-    set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/linux/x86_64/libz.a")
-    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/linux/x86_64/libssh.a")
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/linux/include")
-    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/linux/x86_64/libssl.a")
-    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/linux/x86_64/libcrypto.a")
-endif()
-    
-file(COPY ${OPENSSL_LIB_SSL_PATH} ${OPENSSL_LIB_CRYPTO_PATH}
-        DESTINATION ${OPENSSL_LIBRARIES_DIR})
-
-set(OPENSSL_USE_STATIC_LIBS TRUE)
-  
-set(LIBS ${LIBS} 
-    ${LIBSSH_LIB_PATH} 
-    ${ZLIB_LIB_PATH}
-)
-  
-set(LIBS ${LIBS}
-    ${OPENSSL_LIB_SSL_PATH}
-    ${OPENSSL_LIB_CRYPTO_PATH}
-)
-
 add_compile_definitions(_WINSOCKAPI_)
 
 set(BUILD_SHARED_LIBS OFF CACHE BOOL "" FORCE)
 set(BUILD_WITH_QT6 ON)
-add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtkeychain)
+add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtkeychain EXCLUDE_FROM_ALL)
+
+if(ANDROID)
+    # Use qtgamepad from amnezia-vpn/qtgamepad repository
+    # Only if Qt6CorePrivate is available (required by qtgamepad)
+    find_package(Qt6CorePrivate CONFIG QUIET)
+    if(Qt6CorePrivate_FOUND)
+        add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtgamepad)
+        # Link both the C++ module and QML plugin
+        if(TARGET GamepadLegacy)
+            target_link_libraries(${PROJECT} PRIVATE GamepadLegacy)
+        endif()
+        if(TARGET GamepadLegacyQuickPrivate)
+            target_link_libraries(${PROJECT} PRIVATE GamepadLegacyQuickPrivate)
+        endif()
+        message(STATUS "Gamepad support enabled for Android")
+    else()
+        message(STATUS "Qt6CorePrivate not found. Gamepad support disabled for Android.")
+    endif()
+endif()
+
 set(LIBS ${LIBS} qt6keychain)
 
 include_directories(
-    ${OPENSSL_INCLUDE_DIR}
-    ${LIBSSH_INCLUDE_DIR}/include
-    ${LIBSSH_ROOT_DIR}/include
-    ${CLIENT_ROOT_DIR}/3rd/libssh/include
     ${CLIENT_ROOT_DIR}/3rd/QSimpleCrypto/src/include
     ${CLIENT_ROOT_DIR}/3rd/qtkeychain/qtkeychain
     ${CMAKE_CURRENT_BINARY_DIR}/3rd/qtkeychain
-    ${CMAKE_CURRENT_BINARY_DIR}/3rd/libssh/include
 )
+
+find_package(OpenSSL REQUIRED)
+list(APPEND LIBS OpenSSL::SSL OpenSSL::Crypto)
+
+find_package(libssh REQUIRED)
+list(APPEND LIBS ssh::ssh)

client/cmake/android.cmake

@@ -1,6 +1,6 @@
 message("Client android ${CMAKE_ANDROID_ARCH_ABI} build")
 
-set(APP_ANDROID_MIN_SDK 26)
+set(APP_ANDROID_MIN_SDK 28)
 set(ANDROID_PLATFORM "android-${APP_ANDROID_MIN_SDK}" CACHE STRING
     "The minimum API level supported by the application or library" FORCE)
 
@@ -11,8 +11,8 @@ set_target_properties(${PROJECT} PROPERTIES
     QT_ANDROID_VERSION_NAME ${CMAKE_PROJECT_VERSION}
     QT_ANDROID_VERSION_CODE ${APP_ANDROID_VERSION_CODE}
     QT_ANDROID_MIN_SDK_VERSION ${APP_ANDROID_MIN_SDK}
-    QT_ANDROID_TARGET_SDK_VERSION 34
-    QT_ANDROID_SDK_BUILD_TOOLS_REVISION 34.0.0
+    QT_ANDROID_TARGET_SDK_VERSION 36
+    QT_ANDROID_SDK_BUILD_TOOLS_REVISION 36.0.0
     QT_ANDROID_PACKAGE_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/android
 )
 
@@ -20,36 +20,36 @@ set(QT_ANDROID_MULTI_ABI_FORWARD_VARS "QT_NO_GLOBAL_APK_TARGET_PART_OF_ALL;CMAKE
 
 # We need to include qtprivate api's
 # As QAndroidBinder is not yet implemented with a public api
-set(LIBS ${LIBS} Qt6::CorePrivate -ljnigraphics)
+# Check if Qt6::CorePrivate is available (may not be in all Qt versions/configurations)
+if(TARGET Qt6::CorePrivate)
+    set(LIBS ${LIBS} Qt6::CorePrivate)
+endif()
+set(LIBS ${LIBS} -ljnigraphics)
 
 link_directories(${CMAKE_CURRENT_SOURCE_DIR}/platforms/android)
 
 set(HEADERS ${HEADERS}
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/android/android_controller.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/android/android_utils.h
-    ${CMAKE_CURRENT_SOURCE_DIR}/protocols/android_vpnprotocol.h
-    ${CMAKE_CURRENT_SOURCE_DIR}/core/installedAppsImageProvider.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/core/protocols/androidVpnProtocol.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/core/utils/installedAppsImageProvider.h
 )
 
 set(SOURCES ${SOURCES}
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/android/android_controller.cpp
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/android/android_utils.cpp
-    ${CMAKE_CURRENT_SOURCE_DIR}/protocols/android_vpnprotocol.cpp
-    ${CMAKE_CURRENT_SOURCE_DIR}/core/installedAppsImageProvider.cpp
+    ${CMAKE_CURRENT_SOURCE_DIR}/core/protocols/androidVpnProtocol.cpp
+    ${CMAKE_CURRENT_SOURCE_DIR}/core/utils/installedAppsImageProvider.cpp
 )
 
-foreach(abi IN ITEMS ${QT_ANDROID_ABIS})
-    set_property(TARGET ${PROJECT} PROPERTY QT_ANDROID_EXTRA_LIBS
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/amneziawg/android/${abi}/libwg-go.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/libck-ovpn-plugin.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/libovpn3.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/libovpnutil.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/librsapss.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openssl/android/${abi}/libcrypto_3.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openssl/android/${abi}/libssl_3.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/libssh/android/${abi}/libssh.so
-    )
-endforeach()
 
-file(COPY ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/xray/android/libxray.aar
-        DESTINATION ${CMAKE_CURRENT_SOURCE_DIR}/android/xray/libXray)
+find_package(awg-android REQUIRED)
+set(LIBS ${LIBS} amnezia::awg-android)
+set_property(TARGET ${PROJECT} APPEND PROPERTY QT_ANDROID_EXTRA_LIBS ${AMNEZIA_ANDROID_LIBWG_PATH} ${AMNEZIA_ANDROID_LIBWG_QUICK_PATH})
+
+find_package(amnezia-libxray REQUIRED)
+file(COPY ${AMNEZIA_LIBXRAY_PATH} DESTINATION ${CMAKE_CURRENT_SOURCE_DIR}/android/xray/libXray)
+
+find_package(openvpn-pt-android REQUIRED)
+set(LIBS ${LIBS} amnezia::openvpn-pt-android)
+set_property(TARGET ${PROJECT} APPEND PROPERTY QT_ANDROID_EXTRA_LIBS ${OPENVPN_PT_ANDROID_LIBCK_OVPN_PLUGIN_PATH})

client/cmake/ios.cmake

@@ -1,8 +1,6 @@
 message("Client iOS build")
-set(CMAKE_OSX_DEPLOYMENT_TARGET 13.0)
 set(APPLE_PROJECT_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
 
-
 enable_language(OBJC)
 enable_language(OBJCXX)
 enable_language(Swift)
@@ -30,10 +28,12 @@ set(LIBS ${LIBS}
 
 
 set(HEADERS ${HEADERS}
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosPairingQrOverlayWindow.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/StoreKitController.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate-C-Interface.h
 )
 set_source_files_properties(${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h PROPERTIES OBJECTIVE_CPP_HEADER TRUE)
@@ -45,7 +45,11 @@ set(SOURCES ${SOURCES}
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosglue.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QRCodeReaderBase.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosPairingCameraAccess.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosPairingQrOverlayWindow.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/StoreKitController.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/AmneziaSceneDelegateHooks.mm
 )
 
 
@@ -118,6 +122,7 @@ target_sources(${PROJECT} PRIVATE
     ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
     ${CLIENT_ROOT_DIR}/platforms/ios/ScreenProtection.swift
     ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/StoreKit2Helper.swift
 )
 
 target_sources(${PROJECT} PRIVATE
@@ -128,17 +133,8 @@ target_sources(${PROJECT} PRIVATE
 
 set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
     ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/AmneziaVPNLaunchScreen.storyboard
-    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
     ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
 )
 
 add_subdirectory(ios/networkextension)
 add_dependencies(${PROJECT} networkextension)
-
-set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
-    "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework"
-)
-
-set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/)
-target_link_libraries("networkextension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework")
-

client/cmake/macos.cmake

@@ -23,16 +23,13 @@ set_target_properties(${PROJECT} PROPERTIES
     MACOSX_BUNDLE_SHORT_VERSION_STRING "${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH}"
     MACOSX_BUNDLE_BUNDLE_VERSION "${CMAKE_PROJECT_VERSION_TWEAK}"
 )
-set(CMAKE_OSX_ARCHITECTURES "x86_64" CACHE INTERNAL "" FORCE)
-set(CMAKE_OSX_DEPLOYMENT_TARGET 10.15)
-
 
 set(HEADERS ${HEADERS}
-    ${CMAKE_CURRENT_SOURCE_DIR}/ui/macos_util.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/ui/utils/macosUtil.h
 )
 
 set(SOURCES ${SOURCES}
-    ${CMAKE_CURRENT_SOURCE_DIR}/ui/macos_util.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/ui/utils/macosUtil.mm
 )
 
 

client/cmake/macos_ne.cmake

@@ -1,7 +1,6 @@
 message("Client ==> MacOS NE build")
 
 set_target_properties(${PROJECT} PROPERTIES MACOSX_BUNDLE TRUE)
-set(CMAKE_OSX_DEPLOYMENT_TARGET 10.15)
 
 set(APPLE_PROJECT_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
 
@@ -35,6 +34,7 @@ set(HEADERS ${HEADERS}
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/StoreKitController.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate-C-Interface.h
 )
@@ -45,9 +45,11 @@ set(SOURCES ${SOURCES}
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/StoreKitController.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosglue.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QRCodeReaderBase.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosPairingCameraAccess_stub.cpp
 )
 
 set(ICON_FILE ${CMAKE_CURRENT_SOURCE_DIR}/images/app.icns)
@@ -129,6 +131,7 @@ target_sources(${PROJECT} PRIVATE
     ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
     ${CLIENT_ROOT_DIR}/platforms/ios/ScreenProtection.swift
     ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/StoreKit2Helper.swift
 )
 
 target_sources(${PROJECT} PRIVATE
@@ -137,7 +140,6 @@ target_sources(${PROJECT} PRIVATE
 )
 
 set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
-    ${CMAKE_CURRENT_SOURCE_DIR}/macos/app/Images.xcassets
     ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
 )
 
@@ -150,19 +152,6 @@ message(${QtCore_location})
 
 get_filename_component(QT_BIN_DIR_DETECTED "${QtCore_location}/../../../../../bin" ABSOLUTE)
 
-set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
-    "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos/OpenVPNAdapter.framework"
-)
-
-set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos)
-target_link_libraries("AmneziaVPNNetworkExtension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos/OpenVPNAdapter.framework")
-
 add_custom_command(TARGET ${PROJECT} POST_BUILD
-    COMMAND ${CMAKE_COMMAND} -E make_directory
-            $<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks
-    COMMAND /usr/bin/find "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework" -name "*.sha256" -delete
-    COMMAND /usr/bin/codesign --force --sign "Apple Distribution"
-            "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework/Versions/Current/OpenVPNAdapter"
     COMMAND ${QT_BIN_DIR_DETECTED}/macdeployqt $<TARGET_BUNDLE_DIR:AmneziaVPN> -appstore-compliant -qmldir=${CMAKE_CURRENT_SOURCE_DIR}
-    COMMENT "Signing OpenVPNAdapter framework"
 )

client/cmake/sources.cmake

@@ -1,33 +1,73 @@
 set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/..)
 
 set(HEADERS ${HEADERS}
-    ${CLIENT_ROOT_DIR}/migrations.h
+    ${CLIENT_ROOT_DIR}/core/utils/migrations.h
     ${CLIENT_ROOT_DIR}/../ipc/ipc.h
-    ${CLIENT_ROOT_DIR}/amnezia_application.h
-    ${CLIENT_ROOT_DIR}/containers/containers_defs.h
-    ${CLIENT_ROOT_DIR}/core/defs.h
-    ${CLIENT_ROOT_DIR}/core/errorstrings.h
-    ${CLIENT_ROOT_DIR}/core/scripts_registry.h
-    ${CLIENT_ROOT_DIR}/core/server_defs.h
-    ${CLIENT_ROOT_DIR}/core/api/apiDefs.h
-    ${CLIENT_ROOT_DIR}/core/qrCodeUtils.h
+    ${CLIENT_ROOT_DIR}/amneziaApplication.h
+    ${CLIENT_ROOT_DIR}/core/utils/errorCodes.h
+    ${CLIENT_ROOT_DIR}/core/utils/routeModes.h
+    ${CLIENT_ROOT_DIR}/core/utils/commonStructs.h
+    ${CLIENT_ROOT_DIR}/core/utils/containerEnum.h
+    ${CLIENT_ROOT_DIR}/core/utils/protocolEnum.h
+    ${CLIENT_ROOT_DIR}/core/utils/containers/containerUtils.h
+    ${CLIENT_ROOT_DIR}/core/protocols/protocolUtils.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants/configKeys.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants/protocolConstants.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants/apiKeys.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants/apiConstants.h
+    ${CLIENT_ROOT_DIR}/core/utils/errorStrings.h
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/scriptsRegistry.h
+    ${CLIENT_ROOT_DIR}/core/utils/qrCodeUtils.h
     ${CLIENT_ROOT_DIR}/core/controllers/coreController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/coreSignalHandlers.h
     ${CLIENT_ROOT_DIR}/core/controllers/gatewayController.h
-    ${CLIENT_ROOT_DIR}/core/controllers/serverController.h
-    ${CLIENT_ROOT_DIR}/core/controllers/vpnConfigurationController.h
-    ${CLIENT_ROOT_DIR}/protocols/protocols_defs.h
-    ${CLIENT_ROOT_DIR}/protocols/qml_register_protocols.h
-    ${CLIENT_ROOT_DIR}/ui/pages.h
-    ${CLIENT_ROOT_DIR}/ui/qautostart.h
-    ${CLIENT_ROOT_DIR}/protocols/vpnprotocol.h
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshSession.h
+    ${CLIENT_ROOT_DIR}/core/controllers/serversController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/usersController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/installController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/exportController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/importController.h
+    ${CLIENT_ROOT_DIR}/core/installers/installerBase.h
+    ${CLIENT_ROOT_DIR}/core/installers/awgInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/wireguardInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/openvpnInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/xrayInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/torInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/sftpInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/socks5Installer.h
+    ${CLIENT_ROOT_DIR}/core/installers/mtProxyInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/telemtInstaller.h
+    ${CLIENT_ROOT_DIR}/core/controllers/appSplitTunnelingController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/ipSplitTunnelingController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/allowedDnsController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/exportController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/connectionController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/settingsController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/api/servicesCatalogController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/api/subscriptionController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/api/pairingController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/api/newsController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/updateController.h
+    ${CLIENT_ROOT_DIR}/core/repositories/secureServersRepository.h
+    ${CLIENT_ROOT_DIR}/core/repositories/secureAppSettingsRepository.h
+    ${CLIENT_ROOT_DIR}/core/protocols/qmlRegisterProtocols.h
+    ${CLIENT_ROOT_DIR}/ui/utils/pages.h
+    ${CLIENT_ROOT_DIR}/ui/utils/qAutoStart.h
+    ${CLIENT_ROOT_DIR}/core/protocols/vpnProtocol.h
     ${CMAKE_CURRENT_BINARY_DIR}/version.h
-    ${CLIENT_ROOT_DIR}/core/sshclient.h
-    ${CLIENT_ROOT_DIR}/core/networkUtilities.h
-    ${CLIENT_ROOT_DIR}/core/serialization/serialization.h
-    ${CLIENT_ROOT_DIR}/core/serialization/transfer.h
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshClient.h
+    ${CLIENT_ROOT_DIR}/core/utils/networkUtilities.h
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/serialization.h
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/transfer.h
     ${CLIENT_ROOT_DIR}/../common/logger/logger.h
-    ${CLIENT_ROOT_DIR}/utils/qmlUtils.h
-    ${CLIENT_ROOT_DIR}/core/api/apiUtils.h
+    ${CLIENT_ROOT_DIR}/ui/utils/qmlUtils.h
+    ${CLIENT_ROOT_DIR}/core/utils/api/apiUtils.h
+    ${CLIENT_ROOT_DIR}/core/utils/osSignalHandler.h
+    ${CLIENT_ROOT_DIR}/core/utils/utilities.h
+    ${CLIENT_ROOT_DIR}/core/utils/managementServer.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants.h
+    ${CLIENT_ROOT_DIR}/platforms/ios/iosPairingCameraAccess.h
+    ${CLIENT_ROOT_DIR}/platforms/ios/iosPairingQrOverlayWindow.h
 )
 
 # Mozilla headres
@@ -36,7 +76,6 @@ set(HEADERS ${HEADERS}
     ${CLIENT_ROOT_DIR}/mozilla/shared/ipaddress.h
     ${CLIENT_ROOT_DIR}/mozilla/shared/leakdetector.h
     ${CLIENT_ROOT_DIR}/mozilla/controllerimpl.h
-    ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.h
 )
 
 if(NOT IOS AND NOT MACOS_NE)
@@ -47,38 +86,69 @@ endif()
 
 if(NOT ANDROID)
     set(HEADERS ${HEADERS}
-        ${CLIENT_ROOT_DIR}/ui/notificationhandler.h
+        ${CLIENT_ROOT_DIR}/ui/utils/notificationHandler.h
     )
 endif()
 
 set(SOURCES ${SOURCES}
-    ${CLIENT_ROOT_DIR}/migrations.cpp
-    ${CLIENT_ROOT_DIR}/amnezia_application.cpp
-    ${CLIENT_ROOT_DIR}/containers/containers_defs.cpp
-    ${CLIENT_ROOT_DIR}/core/errorstrings.cpp
-    ${CLIENT_ROOT_DIR}/core/scripts_registry.cpp
-    ${CLIENT_ROOT_DIR}/core/server_defs.cpp
-    ${CLIENT_ROOT_DIR}/core/qrCodeUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/migrations.cpp
+    ${CLIENT_ROOT_DIR}/amneziaApplication.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/errorStrings.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/containers/containerUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/protocols/protocolUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/scriptsRegistry.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/qrCodeUtils.cpp
     ${CLIENT_ROOT_DIR}/core/controllers/coreController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/coreSignalHandlers.cpp
     ${CLIENT_ROOT_DIR}/core/controllers/gatewayController.cpp
-    ${CLIENT_ROOT_DIR}/core/controllers/serverController.cpp
-    ${CLIENT_ROOT_DIR}/core/controllers/vpnConfigurationController.cpp
-    ${CLIENT_ROOT_DIR}/protocols/protocols_defs.cpp
-    ${CLIENT_ROOT_DIR}/ui/qautostart.cpp
-    ${CLIENT_ROOT_DIR}/protocols/vpnprotocol.cpp
-    ${CLIENT_ROOT_DIR}/core/sshclient.cpp
-    ${CLIENT_ROOT_DIR}/core/networkUtilities.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/outbound.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/inbound.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/ss.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/ssd.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/vless.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/trojan.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/vmess.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/vmess_new.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshSession.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/serversController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/usersController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/installController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/exportController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/importController.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/installerBase.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/awgInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/wireguardInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/openvpnInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/xrayInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/torInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/sftpInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/socks5Installer.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/mtProxyInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/telemtInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/appSplitTunnelingController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/ipSplitTunnelingController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/allowedDnsController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/exportController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/connectionController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/settingsController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/api/servicesCatalogController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/api/subscriptionController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/api/pairingController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/api/newsController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/updateController.cpp
+    ${CLIENT_ROOT_DIR}/core/repositories/secureServersRepository.cpp
+    ${CLIENT_ROOT_DIR}/core/repositories/secureAppSettingsRepository.cpp
+    ${CLIENT_ROOT_DIR}/ui/utils/qAutoStart.cpp
+    ${CLIENT_ROOT_DIR}/core/protocols/vpnProtocol.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshClient.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/networkUtilities.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/outbound.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/inbound.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/ss.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/ssd.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/vless.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/trojan.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/vmess.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/vmess_new.cpp
     ${CLIENT_ROOT_DIR}/../common/logger/logger.cpp
-    ${CLIENT_ROOT_DIR}/utils/qmlUtils.cpp
-    ${CLIENT_ROOT_DIR}/core/api/apiUtils.cpp
+    ${CLIENT_ROOT_DIR}/ui/utils/qmlUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/api/apiUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serverConfigUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/osSignalHandler.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/utilities.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/managementServer.cpp
 )
 
 # Mozilla sources
@@ -86,12 +156,12 @@ set(SOURCES ${SOURCES}
     ${CLIENT_ROOT_DIR}/mozilla/models/server.cpp
     ${CLIENT_ROOT_DIR}/mozilla/shared/ipaddress.cpp
     ${CLIENT_ROOT_DIR}/mozilla/shared/leakdetector.cpp
-    ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.cpp
 )
 
 if(NOT IOS AND NOT MACOS_NE)
     set(SOURCES ${SOURCES}
         ${CLIENT_ROOT_DIR}/platforms/ios/QRCodeReaderBase.cpp
+        ${CLIENT_ROOT_DIR}/platforms/ios/iosPairingCameraAccess_stub.cpp
     )
 endif()
 
@@ -100,56 +170,75 @@ if(APPLE AND NOT IOS)
     list(APPEND HEADERS
         ${CLIENT_ROOT_DIR}/platforms/macos/macosutils.h
         ${CLIENT_ROOT_DIR}/platforms/macos/macosstatusicon.h
-        ${CLIENT_ROOT_DIR}/ui/macos_util.h
+        ${CLIENT_ROOT_DIR}/ui/utils/macosUtil.h
     )
     list(APPEND SOURCES
         ${CLIENT_ROOT_DIR}/platforms/macos/macosutils.mm
         ${CLIENT_ROOT_DIR}/platforms/macos/macosstatusicon.mm
-        ${CLIENT_ROOT_DIR}/ui/macos_util.mm
+        ${CLIENT_ROOT_DIR}/ui/utils/macosUtil.mm
     )
 endif()
 
 if(NOT ANDROID)
     set(SOURCES ${SOURCES}
-        ${CLIENT_ROOT_DIR}/ui/notificationhandler.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/notificationHandler.cpp
     )
 endif()
 
-file(GLOB COMMON_FILES_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/*.h)
-file(GLOB COMMON_FILES_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/*.cpp)
+set(COMMON_FILES_H
+    ${CLIENT_ROOT_DIR}/amneziaApplication.h
+    ${CLIENT_ROOT_DIR}/secureQSettings.h
+    ${CLIENT_ROOT_DIR}/vpnConnection.h
+)
+
+set(COMMON_FILES_CPP
+    ${CLIENT_ROOT_DIR}/amneziaApplication.cpp
+    ${CLIENT_ROOT_DIR}/secureQSettings.cpp
+    ${CLIENT_ROOT_DIR}/vpnConnection.cpp
+)
 
 file(GLOB_RECURSE PAGE_LOGIC_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/ui/pages_logic/*.h)
 file(GLOB_RECURSE PAGE_LOGIC_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/ui/pages_logic/*.cpp)
 
-file(GLOB CONFIGURATORS_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/configurators/*.h)
-file(GLOB CONFIGURATORS_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/configurators/*.cpp)
+file(GLOB CONFIGURATORS_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/core/configurators/*.h)
+file(GLOB CONFIGURATORS_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/core/configurators/*.cpp)
+
+file(GLOB_RECURSE CORE_MODELS_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/core/models/*.h)
+file(GLOB_RECURSE CORE_MODELS_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/core/models/*.cpp)
 
 file(GLOB UI_MODELS_H CONFIGURE_DEPENDS
     ${CLIENT_ROOT_DIR}/ui/models/*.h
     ${CLIENT_ROOT_DIR}/ui/models/protocols/*.h
     ${CLIENT_ROOT_DIR}/ui/models/services/*.h
+    ${CLIENT_ROOT_DIR}/ui/models/utils/*.h
     ${CLIENT_ROOT_DIR}/ui/models/api/*.h
 )
 file(GLOB UI_MODELS_CPP CONFIGURE_DEPENDS
     ${CLIENT_ROOT_DIR}/ui/models/*.cpp
     ${CLIENT_ROOT_DIR}/ui/models/protocols/*.cpp
     ${CLIENT_ROOT_DIR}/ui/models/services/*.cpp
+    ${CLIENT_ROOT_DIR}/ui/models/utils/*.cpp
     ${CLIENT_ROOT_DIR}/ui/models/api/*.cpp
 )
 
 file(GLOB UI_CONTROLLERS_H CONFIGURE_DEPENDS
     ${CLIENT_ROOT_DIR}/ui/controllers/*.h
     ${CLIENT_ROOT_DIR}/ui/controllers/api/*.h
+    ${CLIENT_ROOT_DIR}/ui/controllers/qml/*.h
+    ${CLIENT_ROOT_DIR}/ui/controllers/selfhosted/*.h
 )
 file(GLOB UI_CONTROLLERS_CPP CONFIGURE_DEPENDS
     ${CLIENT_ROOT_DIR}/ui/controllers/*.cpp
     ${CLIENT_ROOT_DIR}/ui/controllers/api/*.cpp
+    ${CLIENT_ROOT_DIR}/ui/controllers/qml/*.cpp
+    ${CLIENT_ROOT_DIR}/ui/controllers/selfhosted/*.cpp
 )
 
 set(HEADERS ${HEADERS}
     ${COMMON_FILES_H}
     ${PAGE_LOGIC_H}
     ${CONFIGURATORS_H}
+    ${CORE_MODELS_H}
     ${UI_MODELS_H}
     ${UI_CONTROLLERS_H}
 )
@@ -157,17 +246,18 @@ set(SOURCES ${SOURCES}
     ${COMMON_FILES_CPP}
     ${PAGE_LOGIC_CPP}
     ${CONFIGURATORS_CPP}
+    ${CORE_MODELS_CPP}
     ${UI_MODELS_CPP}
     ${UI_CONTROLLERS_CPP}
 )
 
 if(WIN32)
     set(HEADERS ${HEADERS}
-        ${CLIENT_ROOT_DIR}/protocols/ikev2_vpn_protocol_windows.h
+        ${CLIENT_ROOT_DIR}/core/protocols/ikev2VpnProtocolWindows.h
     )
 
     set(SOURCES ${SOURCES}
-        ${CLIENT_ROOT_DIR}/protocols/ikev2_vpn_protocol_windows.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/ikev2VpnProtocolWindows.cpp
     )
 
     set(RESOURCES ${RESOURCES}
@@ -175,31 +265,38 @@ if(WIN32)
     )
 endif()
 
-if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
     message("Client desktop build")
     add_compile_definitions(AMNEZIA_DESKTOP)
 
     set(HEADERS ${HEADERS}
-        ${CLIENT_ROOT_DIR}/core/ipcclient.h
-        ${CLIENT_ROOT_DIR}/core/privileged_process.h
-        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.h
-        ${CLIENT_ROOT_DIR}/protocols/openvpnprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/openvpnovercloakprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/shadowsocksvpnprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/wireguardprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/xrayprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/awgprotocol.h
+        ${CLIENT_ROOT_DIR}/core/utils/ipcClient.h
+        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.h
+        ${CLIENT_ROOT_DIR}/core/protocols/openVpnProtocol.h
+        ${CLIENT_ROOT_DIR}/core/protocols/wireGuardProtocol.h
+        ${CLIENT_ROOT_DIR}/core/protocols/xrayProtocol.h
+        ${CLIENT_ROOT_DIR}/core/protocols/awgProtocol.h
+        ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.h
     )
 
     set(SOURCES ${SOURCES}
-        ${CLIENT_ROOT_DIR}/core/ipcclient.cpp
-        ${CLIENT_ROOT_DIR}/core/privileged_process.cpp
-        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.cpp
-        ${CLIENT_ROOT_DIR}/protocols/openvpnprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/openvpnovercloakprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/shadowsocksvpnprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/wireguardprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/xrayprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/awgprotocol.cpp
+        ${CLIENT_ROOT_DIR}/core/utils/ipcClient.cpp
+        ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/openVpnProtocol.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/wireGuardProtocol.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/xrayProtocol.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/awgProtocol.cpp
+    )
+endif()
+
+if(APPLE AND MACOS_NE)
+    # Include only the tray notification handler in NE builds
+    set(HEADERS ${HEADERS}
+        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.h
+    )
+
+    set(SOURCES ${SOURCES}
+        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.cpp
     )
 endif()

client/configurators/awg_configurator.cpp

@@ -1,61 +0,0 @@
-#include "awg_configurator.h"
-#include "protocols/protocols_defs.h"
-
-#include <QJsonDocument>
-#include <QJsonObject>
-
-AwgConfigurator::AwgConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : WireguardConfigurator(settings, serverController, true, parent)
-{
-}
-
-QString AwgConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                      ErrorCode &errorCode)
-{
-    QString config = WireguardConfigurator::createConfig(credentials, container, containerConfig, errorCode);
-
-    QJsonObject jsonConfig = QJsonDocument::fromJson(config.toUtf8()).object();
-    QString awgConfig = jsonConfig.value(config_key::config).toString();
-
-    QMap<QString, QString> configMap;
-    auto configLines = awgConfig.split("\n");
-    for (auto &line : configLines) {
-        auto trimmedLine = line.trimmed();
-        if (trimmedLine.startsWith("[") && trimmedLine.endsWith("]")) {
-            continue;
-        } else {
-            QStringList parts = trimmedLine.split(" = ");
-            if (parts.count() == 2) {
-                configMap.insert(parts[0].trimmed(), parts[1].trimmed());
-            }
-        }
-    }
-
-    jsonConfig[config_key::junkPacketCount] = configMap.value(config_key::junkPacketCount);
-    jsonConfig[config_key::junkPacketMinSize] = configMap.value(config_key::junkPacketMinSize);
-    jsonConfig[config_key::junkPacketMaxSize] = configMap.value(config_key::junkPacketMaxSize);
-    jsonConfig[config_key::initPacketJunkSize] = configMap.value(config_key::initPacketJunkSize);
-    jsonConfig[config_key::responsePacketJunkSize] = configMap.value(config_key::responsePacketJunkSize);
-    jsonConfig[config_key::initPacketMagicHeader] = configMap.value(config_key::initPacketMagicHeader);
-    jsonConfig[config_key::responsePacketMagicHeader] = configMap.value(config_key::responsePacketMagicHeader);
-    jsonConfig[config_key::underloadPacketMagicHeader] = configMap.value(config_key::underloadPacketMagicHeader);
-    jsonConfig[config_key::transportPacketMagicHeader] = configMap.value(config_key::transportPacketMagicHeader);
-
-    // jsonConfig[config_key::cookieReplyPacketJunkSize] = configMap.value(config_key::cookieReplyPacketJunkSize);
-    // jsonConfig[config_key::transportPacketJunkSize] = configMap.value(config_key::transportPacketJunkSize);
-
-    // jsonConfig[config_key::specialJunk1] = configMap.value(amnezia::config_key::specialJunk1);
-    // jsonConfig[config_key::specialJunk2] = configMap.value(amnezia::config_key::specialJunk2);
-    // jsonConfig[config_key::specialJunk3] = configMap.value(amnezia::config_key::specialJunk3);
-    // jsonConfig[config_key::specialJunk4] = configMap.value(amnezia::config_key::specialJunk4);
-    // jsonConfig[config_key::specialJunk5] = configMap.value(amnezia::config_key::specialJunk5);
-    // jsonConfig[config_key::controlledJunk1] = configMap.value(amnezia::config_key::controlledJunk1);
-    // jsonConfig[config_key::controlledJunk2] = configMap.value(amnezia::config_key::controlledJunk2);
-    // jsonConfig[config_key::controlledJunk3] = configMap.value(amnezia::config_key::controlledJunk3);
-    // jsonConfig[config_key::specialHandshakeTimeout] = configMap.value(amnezia::config_key::specialHandshakeTimeout);
-
-    jsonConfig[config_key::mtu] =
-            containerConfig.value(ProtocolProps::protoToString(Proto::Awg)).toObject().value(config_key::mtu).toString(protocols::awg::defaultMtu);
-
-    return QJsonDocument(jsonConfig).toJson();
-}

client/configurators/awg_configurator.h

@@ -1,18 +0,0 @@
-#ifndef AWGCONFIGURATOR_H
-#define AWGCONFIGURATOR_H
-
-#include <QObject>
-
-#include "wireguard_configurator.h"
-
-class AwgConfigurator : public WireguardConfigurator
-{
-    Q_OBJECT
-public:
-    AwgConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-};
-
-#endif // AWGCONFIGURATOR_H

client/configurators/cloak_configurator.cpp

@@ -1,51 +0,0 @@
-#include "cloak_configurator.h"
-
-#include <QFile>
-#include <QJsonDocument>
-#include <QJsonObject>
-
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-
-CloakConfigurator::CloakConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
-{
-}
-
-QString CloakConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                        ErrorCode &errorCode)
-{
-    QString cloakPublicKey =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::cloak::ckPublicKeyPath, errorCode);
-    cloakPublicKey.replace("\n", "");
-
-    if (errorCode != ErrorCode::NoError) {
-        return "";
-    }
-
-    QString cloakBypassUid =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::cloak::ckBypassUidKeyPath, errorCode);
-    cloakBypassUid.replace("\n", "");
-
-    if (errorCode != ErrorCode::NoError) {
-        return "";
-    }
-
-    QJsonObject config;
-    config.insert("Transport", "direct");
-    config.insert("ProxyMethod", "openvpn");
-    config.insert("EncryptionMethod", "aes-gcm");
-    config.insert("UID", cloakBypassUid);
-    config.insert("PublicKey", cloakPublicKey);
-    config.insert("ServerName", "$FAKE_WEB_SITE_ADDRESS");
-    config.insert("NumConn", 1);
-    config.insert("BrowserSig", "chrome");
-    config.insert("StreamTimeout", 300);
-    config.insert("RemoteHost", credentials.hostName);
-    config.insert("RemotePort", "$CLOAK_SERVER_PORT");
-
-    QString textCfg = m_serverController->replaceVars(QJsonDocument(config).toJson(),
-                                                      m_serverController->genVarsForScript(credentials, container, containerConfig));
-
-    return textCfg;
-}

client/configurators/cloak_configurator.h

@@ -1,20 +0,0 @@
-#ifndef CLOAK_CONFIGURATOR_H
-#define CLOAK_CONFIGURATOR_H
-
-#include <QObject>
-
-#include "configurator_base.h"
-
-using namespace amnezia;
-
-class CloakConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    CloakConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-};
-
-#endif // CLOAK_CONFIGURATOR_H

client/configurators/configurator_base.cpp

@@ -1,26 +0,0 @@
-#include "configurator_base.h"
-
-ConfiguratorBase::ConfiguratorBase(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : QObject { parent }, m_settings(settings), m_serverController(serverController)
-{
-}
-
-QString ConfiguratorBase::processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                         QString &protocolConfigString)
-{
-    processConfigWithDnsSettings(dns, protocolConfigString);
-    return protocolConfigString;
-}
-
-QString ConfiguratorBase::processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                          QString &protocolConfigString)
-{
-    processConfigWithDnsSettings(dns, protocolConfigString);
-    return protocolConfigString;
-}
-
-void ConfiguratorBase::processConfigWithDnsSettings(const QPair<QString, QString> &dns, QString &protocolConfigString)
-{
-    protocolConfigString.replace("$PRIMARY_DNS", dns.first);
-    protocolConfigString.replace("$SECONDARY_DNS", dns.second);
-}

client/configurators/configurator_base.h

@@ -1,33 +0,0 @@
-#ifndef CONFIGURATORBASE_H
-#define CONFIGURATORBASE_H
-
-#include <QObject>
-
-#include "containers/containers_defs.h"
-#include "core/defs.h"
-#include "core/controllers/serverController.h"
-#include "settings.h"
-
-class ConfiguratorBase : public QObject
-{
-    Q_OBJECT
-public:
-    explicit ConfiguratorBase(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    virtual QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                 const QJsonObject &containerConfig, ErrorCode &errorCode) = 0;
-
-    virtual QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                   QString &protocolConfigString);
-    virtual QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                    QString &protocolConfigString);
-
-protected:
-    void processConfigWithDnsSettings(const QPair<QString, QString> &dns, QString &protocolConfigString);
-
-    std::shared_ptr<Settings> m_settings;
-    QSharedPointer<ServerController> m_serverController;
-
-};
-
-#endif // CONFIGURATORBASE_H

client/configurators/ikev2_configurator.h

@@ -1,35 +0,0 @@
-#ifndef IKEV2_CONFIGURATOR_H
-#define IKEV2_CONFIGURATOR_H
-
-#include <QObject>
-#include <QProcessEnvironment>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class Ikev2Configurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    Ikev2Configurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    struct ConnectionData {
-        QByteArray clientCert; // p12 client cert
-        QByteArray caCert; // p12 server cert
-        QString clientId;
-        QString password; // certificate password
-        QString host; // host ip
-    };
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-
-    QString genIkev2Config(const ConnectionData &connData);
-    QString genMobileConfig(const ConnectionData &connData);
-    QString genStrongSwanConfig(const ConnectionData &connData);
-
-    ConnectionData prepareIkev2Config(const ServerCredentials &credentials,
-        DockerContainer container, ErrorCode &errorCode);
-};
-
-#endif // IKEV2_CONFIGURATOR_H

client/configurators/openvpn_configurator.h

@@ -1,43 +0,0 @@
-#ifndef OPENVPN_CONFIGURATOR_H
-#define OPENVPN_CONFIGURATOR_H
-
-#include <QObject>
-#include <QProcessEnvironment>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class OpenVpnConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    OpenVpnConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    struct ConnectionData
-    {
-        QString clientId;
-        QString request;    // certificate request
-        QString privKey;    // client private key
-        QString clientCert; // client signed certificate
-        QString caCert;     // server certificate
-        QString taKey;      // tls-auth key
-        QString host;       // host ip
-    };
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-
-    QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                           QString &protocolConfigString);
-    QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                            QString &protocolConfigString);
-
-    static ConnectionData createCertRequest();
-
-private:
-    ConnectionData prepareOpenVpnConfig(const ServerCredentials &credentials, DockerContainer container,
-                                        ErrorCode &errorCode);
-    ErrorCode signCert(DockerContainer container, const ServerCredentials &credentials, QString clientId);
-};
-
-#endif // OPENVPN_CONFIGURATOR_H

client/configurators/shadowsocks_configurator.cpp

@@ -1,40 +0,0 @@
-#include "shadowsocks_configurator.h"
-
-#include <QFile>
-#include <QJsonDocument>
-#include <QJsonObject>
-
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-
-ShadowSocksConfigurator::ShadowSocksConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
-                                                 QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
-{
-}
-
-QString ShadowSocksConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                              const QJsonObject &containerConfig, ErrorCode &errorCode)
-{
-    QString ssKey =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::shadowsocks::ssKeyPath, errorCode);
-    ssKey.replace("\n", "");
-
-    if (errorCode != ErrorCode::NoError) {
-        return "";
-    }
-
-    QJsonObject config;
-    config.insert("server", credentials.hostName);
-    config.insert("server_port", "$SHADOWSOCKS_SERVER_PORT");
-    config.insert("local_port", "$SHADOWSOCKS_LOCAL_PORT");
-    config.insert("password", ssKey);
-    config.insert("timeout", 60);
-    config.insert("method", "$SHADOWSOCKS_CIPHER");
-
-    QString textCfg = m_serverController->replaceVars(QJsonDocument(config).toJson(),
-                                                      m_serverController->genVarsForScript(credentials, container, containerConfig));
-
-    // qDebug().noquote() << textCfg;
-    return textCfg;
-}

client/configurators/shadowsocks_configurator.h

@@ -1,19 +0,0 @@
-#ifndef SHADOWSOCKS_CONFIGURATOR_H
-#define SHADOWSOCKS_CONFIGURATOR_H
-
-#include <QObject>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class ShadowSocksConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    ShadowSocksConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-};
-
-#endif // SHADOWSOCKS_CONFIGURATOR_H

client/configurators/ssh_configurator.cpp

@@ -1,112 +0,0 @@
-#include "ssh_configurator.h"
-
-#include <QDebug>
-#include <QObject>
-#include <QProcess>
-#include <QString>
-#include <QTemporaryDir>
-#include <QTemporaryFile>
-#include <QThread>
-#include <qtimer.h>
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
-    #include <QGuiApplication>
-#else
-    #include <QApplication>
-#endif
-
-#include "core/server_defs.h"
-#include "utilities.h"
-
-SshConfigurator::SshConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
-{
-}
-
-QString SshConfigurator::convertOpenSShKey(const QString &key)
-{
-#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
-    QProcess p;
-    p.setProcessChannelMode(QProcess::MergedChannels);
-
-    QTemporaryFile tmp;
-    #ifdef QT_DEBUG
-    tmp.setAutoRemove(false);
-    #endif
-    tmp.open();
-    tmp.write(key.toUtf8());
-    tmp.close();
-
-    // ssh-keygen -p -P "" -N "" -m pem -f id_ssh
-
-    #ifdef Q_OS_WIN
-    p.setProcessEnvironment(prepareEnv());
-    p.setProgram("cmd.exe");
-    p.setNativeArguments(QString("/C \"ssh-keygen.exe -p -P \"\" -N \"\" -m pem -f \"%1\"\"").arg(tmp.fileName()));
-    #else
-    p.setProgram("ssh-keygen");
-    p.setArguments(QStringList() << "-p"
-                                 << "-P"
-                                 << ""
-                                 << "-N"
-                                 << ""
-                                 << "-m"
-                                 << "pem"
-                                 << "-f" << tmp.fileName());
-    #endif
-
-    p.start();
-    p.waitForFinished();
-
-    qDebug().noquote() << "OpenVpnConfigurator::convertOpenSShKey" << p.exitCode() << p.exitStatus() << p.readAll();
-
-    tmp.open();
-
-    return tmp.readAll();
-#else
-    return key;
-#endif
-}
-
-// DEAD CODE.
-void SshConfigurator::openSshTerminal(const ServerCredentials &credentials)
-{
-#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
-    QProcess *p = new QProcess();
-    p->setProcessChannelMode(QProcess::SeparateChannels);
-
-    #ifdef Q_OS_WIN
-    p->setProcessEnvironment(prepareEnv());
-    p->setProgram(qApp->applicationDirPath() + "\\cygwin\\putty.exe");
-
-    if (credentials.secretData.contains("PRIVATE KEY")) {
-        // todo: connect by key
-        //        p->setNativeArguments(QString("%1@%2")
-        //            .arg(credentials.userName).arg(credentials.hostName).arg(credentials.secretData));
-    } else {
-        p->setNativeArguments(QString("%1@%2 -pw %3").arg(credentials.userName).arg(credentials.hostName).arg(credentials.secretData));
-    }
-    #else
-    p->setProgram("/bin/bash");
-    #endif
-
-    p->startDetached();
-#endif
-}
-
-QProcessEnvironment SshConfigurator::prepareEnv()
-{
-    QProcessEnvironment env = QProcessEnvironment::systemEnvironment();
-    QString pathEnvVar = env.value("PATH");
-
-#ifdef Q_OS_WIN
-    pathEnvVar.clear();
-    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\cygwin;");
-    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\openvpn;");
-#elif defined(Q_OS_MACX) && !defined(MACOS_NE)
-    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "/Contents/MacOS");
-#endif
-
-    env.insert("PATH", pathEnvVar);
-    // qDebug().noquote() << "ENV PATH" << pathEnvVar;
-    return env;
-}

client/configurators/ssh_configurator.h

@@ -1,22 +0,0 @@
-#ifndef SSH_CONFIGURATOR_H
-#define SSH_CONFIGURATOR_H
-
-#include <QObject>
-#include <QProcessEnvironment>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class SshConfigurator : ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    SshConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QProcessEnvironment prepareEnv();
-    QString convertOpenSShKey(const QString &key);
-    void openSshTerminal(const ServerCredentials &credentials);
-
-};
-
-#endif // SSH_CONFIGURATOR_H

client/configurators/wireguard_configurator.cpp

@@ -1,234 +0,0 @@
-#include "wireguard_configurator.h"
-
-#include <QDebug>
-#include <QJsonDocument>
-#include <QProcess>
-#include <QRegularExpression>
-#include <QString>
-#include <QTemporaryDir>
-#include <QTemporaryFile>
-
-#include <openssl/pem.h>
-#include <openssl/rand.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-#include "core/scripts_registry.h"
-#include "core/server_defs.h"
-#include "settings.h"
-#include "utilities.h"
-
-WireguardConfigurator::WireguardConfigurator(std::shared_ptr<Settings> settings,
-                                             const QSharedPointer<ServerController> &serverController, bool isAwg,
-                                             QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent), m_isAwg(isAwg)
-{
-    m_serverConfigPath =
-            m_isAwg ? amnezia::protocols::awg::serverConfigPath : amnezia::protocols::wireguard::serverConfigPath;
-    m_serverPublicKeyPath =
-            m_isAwg ? amnezia::protocols::awg::serverPublicKeyPath : amnezia::protocols::wireguard::serverPublicKeyPath;
-    m_serverPskKeyPath =
-            m_isAwg ? amnezia::protocols::awg::serverPskKeyPath : amnezia::protocols::wireguard::serverPskKeyPath;
-    m_configTemplate = m_isAwg ? ProtocolScriptType::awg_template : ProtocolScriptType::wireguard_template;
-
-    m_protocolName = m_isAwg ? config_key::awg : config_key::wireguard;
-    m_defaultPort = m_isAwg ? protocols::wireguard::defaultPort : protocols::awg::defaultPort;
-}
-
-WireguardConfigurator::ConnectionData WireguardConfigurator::genClientKeys()
-{
-    // TODO review
-    constexpr size_t EDDSA_KEY_LENGTH = 32;
-
-    ConnectionData connData;
-
-    unsigned char buff[EDDSA_KEY_LENGTH];
-    int ret = RAND_priv_bytes(buff, EDDSA_KEY_LENGTH);
-    if (ret <= 0)
-        return connData;
-
-    EVP_PKEY *pKey = EVP_PKEY_new();
-    q_check_ptr(pKey);
-    pKey = EVP_PKEY_new_raw_private_key(EVP_PKEY_X25519, NULL, &buff[0], EDDSA_KEY_LENGTH);
-
-    size_t keySize = EDDSA_KEY_LENGTH;
-
-    // save private key
-    unsigned char priv[EDDSA_KEY_LENGTH];
-    EVP_PKEY_get_raw_private_key(pKey, priv, &keySize);
-    connData.clientPrivKey = QByteArray::fromRawData((char *)priv, keySize).toBase64();
-
-    // save public key
-    unsigned char pub[EDDSA_KEY_LENGTH];
-    EVP_PKEY_get_raw_public_key(pKey, pub, &keySize);
-    connData.clientPubKey = QByteArray::fromRawData((char *)pub, keySize).toBase64();
-
-    return connData;
-}
-
-QList<QHostAddress> WireguardConfigurator::getIpsFromConf(const QString &input)
-{
-    QRegularExpression regex("AllowedIPs = (\\d+\\.\\d+\\.\\d+\\.\\d+)");
-    QRegularExpressionMatchIterator matchIterator = regex.globalMatch(input);
-
-    QList<QHostAddress> ips;
-
-    while (matchIterator.hasNext()) {
-        QRegularExpressionMatch match = matchIterator.next();
-        const QString address_string { match.captured(1) };
-        const QHostAddress address { address_string };
-        if (address.isNull()) {
-            qWarning() << "Couldn't recognize the ip address: " << address_string;
-        } else {
-            ips << address;
-        }
-    }
-
-    return ips;
-}
-
-WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardConfig(const ServerCredentials &credentials,
-                                                                                    DockerContainer container,
-                                                                                    const QJsonObject &containerConfig,
-                                                                                    ErrorCode &errorCode)
-{
-    WireguardConfigurator::ConnectionData connData = WireguardConfigurator::genClientKeys();
-    connData.host = credentials.hostName;
-    connData.port = containerConfig.value(m_protocolName).toObject().value(config_key::port).toString(m_defaultPort);
-
-    if (connData.clientPrivKey.isEmpty() || connData.clientPubKey.isEmpty()) {
-        errorCode = ErrorCode::InternalError;
-        return connData;
-    }
-
-    QString getIpsScript = QString("cat %1 | grep AllowedIPs").arg(m_serverConfigPath);
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-
-    errorCode = m_serverController->runContainerScript(credentials, container, getIpsScript, cbReadStdOut);
-    if (errorCode != ErrorCode::NoError) {
-        return connData;
-    }
-    auto ips = getIpsFromConf(stdOut);
-
-    QHostAddress nextIp = [&] {
-        QHostAddress result;
-        QHostAddress lastIp;
-        if (ips.empty()) {
-            lastIp.setAddress(containerConfig.value(m_protocolName)
-                                      .toObject()
-                                      .value(config_key::subnet_address)
-                                      .toString(protocols::wireguard::defaultSubnetAddress));
-        } else {
-            lastIp = ips.last();
-        }
-        quint8 lastOctet = static_cast<quint8>(lastIp.toIPv4Address());
-        switch (lastOctet) {
-        case 254: result.setAddress(lastIp.toIPv4Address() + 3); break;
-        case 255: result.setAddress(lastIp.toIPv4Address() + 2); break;
-        default: result.setAddress(lastIp.toIPv4Address() + 1); break;
-        }
-
-        return result;
-    }();
-
-    connData.clientIP = nextIp.toString();
-
-    // Get keys
-    connData.serverPubKey =
-            m_serverController->getTextFileFromContainer(container, credentials, m_serverPublicKeyPath, errorCode);
-    connData.serverPubKey.replace("\n", "");
-    if (errorCode != ErrorCode::NoError) {
-        return connData;
-    }
-
-    connData.pskKey = m_serverController->getTextFileFromContainer(container, credentials, m_serverPskKeyPath, errorCode);
-    connData.pskKey.replace("\n", "");
-
-    if (errorCode != ErrorCode::NoError) {
-        return connData;
-    }
-
-    // Add client to config
-    QString configPart = QString("[Peer]\n"
-                                 "PublicKey = %1\n"
-                                 "PresharedKey = %2\n"
-                                 "AllowedIPs = %3/32\n\n")
-                                 .arg(connData.clientPubKey, connData.pskKey, connData.clientIP);
-
-    errorCode = m_serverController->uploadTextFileToContainer(container, credentials, configPart, m_serverConfigPath,
-                                                              libssh::ScpOverwriteMode::ScpAppendToExisting);
-
-    if (errorCode != ErrorCode::NoError) {
-        return connData;
-    }
-
-    QString script = QString("sudo docker exec -i $CONTAINER_NAME bash -c 'wg syncconf wg0 <(wg-quick strip %1)'")
-                             .arg(m_serverConfigPath);
-
-    errorCode = m_serverController->runScript(
-            credentials,
-            m_serverController->replaceVars(script, m_serverController->genVarsForScript(credentials, container)));
-
-    return connData;
-}
-
-QString WireguardConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                            const QJsonObject &containerConfig, ErrorCode &errorCode)
-{
-    QString scriptData = amnezia::scriptData(m_configTemplate, container);
-    QString config = m_serverController->replaceVars(
-            scriptData, m_serverController->genVarsForScript(credentials, container, containerConfig));
-
-    ConnectionData connData = prepareWireguardConfig(credentials, container, containerConfig, errorCode);
-    if (errorCode != ErrorCode::NoError) {
-        return "";
-    }
-
-    config.replace("$WIREGUARD_CLIENT_PRIVATE_KEY", connData.clientPrivKey);
-    config.replace("$WIREGUARD_CLIENT_IP", connData.clientIP);
-    config.replace("$WIREGUARD_SERVER_PUBLIC_KEY", connData.serverPubKey);
-    config.replace("$WIREGUARD_PSK", connData.pskKey);
-
-    const QJsonObject &wireguarConfig = containerConfig.value(ProtocolProps::protoToString(Proto::WireGuard)).toObject();
-    QJsonObject jConfig;
-    jConfig[config_key::config] = config;
-
-    jConfig[config_key::hostName] = connData.host;
-    jConfig[config_key::port] = connData.port.toInt();
-    jConfig[config_key::client_priv_key] = connData.clientPrivKey;
-    jConfig[config_key::client_ip] = connData.clientIP;
-    jConfig[config_key::client_pub_key] = connData.clientPubKey;
-    jConfig[config_key::psk_key] = connData.pskKey;
-    jConfig[config_key::server_pub_key] = connData.serverPubKey;
-    jConfig[config_key::mtu] = wireguarConfig.value(config_key::mtu).toString(protocols::wireguard::defaultMtu);
-
-    jConfig[config_key::persistent_keep_alive] = "25";
-    QJsonArray allowedIps { "0.0.0.0/0", "::/0" };
-    jConfig[config_key::allowed_ips] = allowedIps;
-
-    jConfig[config_key::clientId] = connData.clientPubKey;
-
-    return QJsonDocument(jConfig).toJson();
-}
-
-QString WireguardConfigurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns,
-                                                              const bool isApiConfig, QString &protocolConfigString)
-{
-    processConfigWithDnsSettings(dns, protocolConfigString);
-
-    return protocolConfigString;
-}
-
-QString WireguardConfigurator::processConfigWithExportSettings(const QPair<QString, QString> &dns,
-                                                               const bool isApiConfig, QString &protocolConfigString)
-{
-    processConfigWithDnsSettings(dns, protocolConfigString);
-
-    return protocolConfigString;
-}

client/configurators/wireguard_configurator.h

@@ -1,54 +0,0 @@
-#ifndef WIREGUARD_CONFIGURATOR_H
-#define WIREGUARD_CONFIGURATOR_H
-
-#include <QHostAddress>
-#include <QObject>
-#include <QProcessEnvironment>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-#include "core/scripts_registry.h"
-
-class WireguardConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    WireguardConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
-                          bool isAwg, QObject *parent = nullptr);
-
-    struct ConnectionData
-    {
-        QString clientPrivKey; // client private key
-        QString clientPubKey;  // client public key
-        QString clientIP;      // internal client IP address
-        QString serverPubKey;  // tls-auth key
-        QString pskKey;        // preshared key
-        QString host;          // host ip
-        QString port;
-    };
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-
-    QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                           QString &protocolConfigString);
-    QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                            QString &protocolConfigString);
-
-    static ConnectionData genClientKeys();
-
-private:
-    QList<QHostAddress> getIpsFromConf(const QString &input);
-    ConnectionData prepareWireguardConfig(const ServerCredentials &credentials, DockerContainer container,
-                                          const QJsonObject &containerConfig, ErrorCode &errorCode);
-
-    bool m_isAwg;
-    QString m_serverConfigPath;
-    QString m_serverPublicKeyPath;
-    QString m_serverPskKeyPath;
-    amnezia::ProtocolScriptType m_configTemplate;
-    QString m_protocolName;
-    QString m_defaultPort;
-};
-
-#endif // WIREGUARD_CONFIGURATOR_H

client/configurators/xray_configurator.cpp

@@ -1,173 +0,0 @@
-#include "xray_configurator.h"
-
-#include <QFile>
-#include <QJsonDocument>
-#include <QJsonObject>
-#include <QUuid>
-#include "logger.h"
-
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-#include "core/scripts_registry.h"
-
-namespace {
-Logger logger("XrayConfigurator");
-}
-
-XrayConfigurator::XrayConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
-{
-}
-
-QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentials, DockerContainer container,
-                                               const QJsonObject &containerConfig, ErrorCode &errorCode)
-{
-    // Generate new UUID for client
-    QString clientId = QUuid::createUuid().toString(QUuid::WithoutBraces);
-    
-    // Get current server config
-    QString currentConfig = m_serverController->getTextFileFromContainer(
-        container, credentials, amnezia::protocols::xray::serverConfigPath, errorCode);
-    
-    if (errorCode != ErrorCode::NoError) {
-        logger.error() << "Failed to get server config file";
-        return "";
-    }
-
-    // Parse current config as JSON
-    QJsonDocument doc = QJsonDocument::fromJson(currentConfig.toUtf8());
-    if (doc.isNull() || !doc.isObject()) {
-        logger.error() << "Failed to parse server config JSON";
-        errorCode = ErrorCode::InternalError;
-        return "";
-    }
-
-    QJsonObject serverConfig = doc.object();
-    
-    // Validate server config structure
-    if (!serverConfig.contains("inbounds")) {
-        logger.error() << "Server config missing 'inbounds' field";
-        errorCode = ErrorCode::InternalError;
-        return "";
-    }
-
-    QJsonArray inbounds = serverConfig["inbounds"].toArray();
-    if (inbounds.isEmpty()) {
-        logger.error() << "Server config has empty 'inbounds' array";
-        errorCode = ErrorCode::InternalError;
-        return "";
-    }
-    
-    QJsonObject inbound = inbounds[0].toObject();
-    if (!inbound.contains("settings")) {
-        logger.error() << "Inbound missing 'settings' field";
-        errorCode = ErrorCode::InternalError;
-        return "";
-    }
-
-    QJsonObject settings = inbound["settings"].toObject();
-    if (!settings.contains("clients")) {
-        logger.error() << "Settings missing 'clients' field";
-        errorCode = ErrorCode::InternalError;
-        return "";
-    }
-
-    QJsonArray clients = settings["clients"].toArray();
-    
-    // Create configuration for new client
-    QJsonObject clientConfig {
-        {"id", clientId},
-        {"flow", "xtls-rprx-vision"}
-    };
-    
-    clients.append(clientConfig);
-    
-    // Update config
-    settings["clients"] = clients;
-    inbound["settings"] = settings;
-    inbounds[0] = inbound;
-    serverConfig["inbounds"] = inbounds;
-    
-    // Save updated config to server
-    QString updatedConfig = QJsonDocument(serverConfig).toJson();
-    errorCode = m_serverController->uploadTextFileToContainer(
-        container, 
-        credentials, 
-        updatedConfig,
-        amnezia::protocols::xray::serverConfigPath,
-        libssh::ScpOverwriteMode::ScpOverwriteExisting
-    );
-    if (errorCode != ErrorCode::NoError) {
-        logger.error() << "Failed to upload updated config";
-        return "";
-    }
-
-    // Restart container
-    QString restartScript = QString("sudo docker restart $CONTAINER_NAME");
-    errorCode = m_serverController->runScript(
-        credentials, 
-        m_serverController->replaceVars(restartScript, m_serverController->genVarsForScript(credentials, container))
-    );
-
-    if (errorCode != ErrorCode::NoError) {
-        logger.error() << "Failed to restart container";
-        return "";
-    }
-
-    return clientId;
-}
-
-QString XrayConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                       const QJsonObject &containerConfig, ErrorCode &errorCode)
-{
-    // Get client ID from prepareServerConfig
-    QString xrayClientId = prepareServerConfig(credentials, container, containerConfig, errorCode);
-    if (errorCode != ErrorCode::NoError || xrayClientId.isEmpty()) {
-        logger.error() << "Failed to prepare server config";
-        errorCode = ErrorCode::InternalError;
-        return "";
-    }
-
-    QString config = m_serverController->replaceVars(amnezia::scriptData(ProtocolScriptType::xray_template, container),
-                                                     m_serverController->genVarsForScript(credentials, container, containerConfig));
-    
-    if (config.isEmpty()) {
-        logger.error() << "Failed to get config template";
-        errorCode = ErrorCode::InternalError;
-        return "";
-    }
-
-    QString xrayPublicKey =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::PublicKeyPath, errorCode);
-    if (errorCode != ErrorCode::NoError || xrayPublicKey.isEmpty()) {
-        logger.error() << "Failed to get public key";
-        errorCode = ErrorCode::InternalError;
-        return "";
-    }
-    xrayPublicKey.replace("\n", "");
-    
-    QString xrayShortId =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::shortidPath, errorCode);
-    if (errorCode != ErrorCode::NoError || xrayShortId.isEmpty()) {
-        logger.error() << "Failed to get short ID";
-        errorCode = ErrorCode::InternalError;
-        return "";
-    }
-    xrayShortId.replace("\n", "");
-
-    // Validate all required variables are present
-    if (!config.contains("$XRAY_CLIENT_ID") || !config.contains("$XRAY_PUBLIC_KEY") || !config.contains("$XRAY_SHORT_ID")) {
-        logger.error() << "Config template missing required variables:"
-                      << "XRAY_CLIENT_ID:" << !config.contains("$XRAY_CLIENT_ID")
-                      << "XRAY_PUBLIC_KEY:" << !config.contains("$XRAY_PUBLIC_KEY")
-                      << "XRAY_SHORT_ID:" << !config.contains("$XRAY_SHORT_ID");
-        errorCode = ErrorCode::InternalError;
-        return "";
-    }
-
-    config.replace("$XRAY_CLIENT_ID", xrayClientId);
-    config.replace("$XRAY_PUBLIC_KEY", xrayPublicKey);
-    config.replace("$XRAY_SHORT_ID", xrayShortId);
-
-    return config;
-}

client/configurators/xray_configurator.h

@@ -1,23 +0,0 @@
-#ifndef XRAY_CONFIGURATOR_H
-#define XRAY_CONFIGURATOR_H
-
-#include <QObject>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class XrayConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    XrayConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                         ErrorCode &errorCode);
-
-private:
-    QString prepareServerConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                ErrorCode &errorCode);
-};
-
-#endif // XRAY_CONFIGURATOR_H

client/containers/containers_defs.h

@@ -1,89 +0,0 @@
-#ifndef CONTAINERS_DEFS_H
-#define CONTAINERS_DEFS_H
-
-#include <QObject>
-#include <QQmlEngine>
-
-#include "../protocols/protocols_defs.h"
-
-using namespace amnezia;
-
-namespace amnezia
-{
-
-    namespace ContainerEnumNS
-    {
-        Q_NAMESPACE
-        enum DockerContainer {
-            None = 0,
-            Awg,
-            WireGuard,
-            OpenVpn,
-            Cloak,
-            ShadowSocks,
-            Ipsec,
-            Xray,
-            SSXray,
-
-            // non-vpn
-            TorWebSite,
-            Dns,
-            Sftp,
-            Socks5Proxy
-        };
-        Q_ENUM_NS(DockerContainer)
-    } // namespace ContainerEnumNS
-
-    using namespace ContainerEnumNS;
-    using namespace ProtocolEnumNS;
-
-    class ContainerProps : public QObject
-    {
-        Q_OBJECT
-
-    public:
-        Q_INVOKABLE static amnezia::DockerContainer containerFromString(const QString &container);
-        Q_INVOKABLE static QString containerToString(amnezia::DockerContainer container);
-        Q_INVOKABLE static QString containerTypeToString(amnezia::DockerContainer c);
-
-        Q_INVOKABLE static QList<amnezia::DockerContainer> allContainers();
-
-        Q_INVOKABLE static QMap<amnezia::DockerContainer, QString> containerHumanNames();
-        Q_INVOKABLE static QMap<amnezia::DockerContainer, QString> containerDescriptions();
-        Q_INVOKABLE static QMap<amnezia::DockerContainer, QString> containerDetailedDescriptions();
-
-        // these protocols will be displayed in container settings
-        Q_INVOKABLE static QVector<amnezia::Proto> protocolsForContainer(amnezia::DockerContainer container);
-
-        Q_INVOKABLE static amnezia::ServiceType containerService(amnezia::DockerContainer c);
-
-        // binding between Docker container and main protocol of given container
-        // it may be changed fot future containers :)
-        Q_INVOKABLE static amnezia::Proto defaultProtocol(amnezia::DockerContainer c);
-
-        Q_INVOKABLE static bool isSupportedByCurrentPlatform(amnezia::DockerContainer c);
-        Q_INVOKABLE static QStringList fixedPortsForContainer(amnezia::DockerContainer c);
-
-        static bool isEasySetupContainer(amnezia::DockerContainer container);
-        static QString easySetupHeader(amnezia::DockerContainer container);
-        static QString easySetupDescription(amnezia::DockerContainer container);
-        static int easySetupOrder(amnezia::DockerContainer container);
-
-        static bool isShareable(amnezia::DockerContainer container);
-
-        static QJsonObject getProtocolConfigFromContainer(const amnezia::Proto protocol, const QJsonObject &containerConfig);
-
-        static int installPageOrder(amnezia::DockerContainer container);
-    };
-
-    static void declareQmlContainerEnum()
-    {
-        qmlRegisterUncreatableMetaObject(ContainerEnumNS::staticMetaObject, "ContainerEnum", 1, 0, "ContainerEnum",
-                                         "Error: only enums");
-    }
-
-} // namespace amnezia
-
-QDebug operator<<(QDebug debug, const amnezia::DockerContainer &c);
-
-#endif // CONTAINERS_DEFS_H

client/core/api/apiDefs.h

@@ -1,72 +0,0 @@
-#ifndef APIDEFS_H
-#define APIDEFS_H
-
-#include <QString>
-
-namespace apiDefs
-{
-    enum ConfigType {
-        AmneziaFreeV2 = 0,
-        AmneziaFreeV3,
-        AmneziaPremiumV1,
-        AmneziaPremiumV2,
-        SelfHosted,
-        ExternalPremium
-    };
-
-    enum ConfigSource {
-        Telegram = 1,
-        AmneziaGateway
-    };
-
-    namespace key
-    {
-        constexpr QLatin1String configVersion("config_version");
-        constexpr QLatin1String apiEndpoint("api_endpoint");
-        constexpr QLatin1String apiKey("api_key");
-        constexpr QLatin1String description("description");
-        constexpr QLatin1String name("name");
-        constexpr QLatin1String protocol("protocol");
-
-        constexpr QLatin1String apiConfig("api_config");
-        constexpr QLatin1String stackType("stack_type");
-        constexpr QLatin1String serviceType("service_type");
-        constexpr QLatin1String cliVersion("cli_version");
-        constexpr QLatin1String supportedProtocols("supported_protocols");
-
-        constexpr QLatin1String vpnKey("vpn_key");
-        constexpr QLatin1String config("config");
-        constexpr QLatin1String configs("configs");
-
-        constexpr QLatin1String installationUuid("installation_uuid");
-        constexpr QLatin1String workerLastUpdated("worker_last_updated");
-        constexpr QLatin1String lastDownloaded("last_downloaded");
-        constexpr QLatin1String sourceType("source_type");
-
-        constexpr QLatin1String serverCountryCode("server_country_code");
-        constexpr QLatin1String serverCountryName("server_country_name");
-
-        constexpr QLatin1String osVersion("os_version");
-
-        constexpr QLatin1String availableCountries("available_countries");
-        constexpr QLatin1String activeDeviceCount("active_device_count");
-        constexpr QLatin1String maxDeviceCount("max_device_count");
-        constexpr QLatin1String subscriptionEndDate("subscription_end_date");
-        constexpr QLatin1String issuedConfigs("issued_configs");
-
-        constexpr QLatin1String supportInfo("support_info");
-        constexpr QLatin1String email("email");
-        constexpr QLatin1String billingEmail("billing_email");
-        constexpr QLatin1String website("website");
-        constexpr QLatin1String websiteName("website_name");
-        constexpr QLatin1String telegram("telegram");
-
-        constexpr QLatin1String id("id");
-        constexpr QLatin1String orderId("order_id");
-        constexpr QLatin1String migrationCode("migration_code");
-    }
-
-    const int requestTimeoutMsecs = 12 * 1000; // 12 secs
-}
-
-#endif // APIDEFS_H

client/core/api/apiUtils.cpp

@@ -1,164 +0,0 @@
-#include "apiUtils.h"
-
-#include <QDateTime>
-#include <QJsonObject>
-
-namespace
-{
-    const QByteArray AMNEZIA_CONFIG_SIGNATURE = QByteArray::fromHex("000000ff");
-
-    QString escapeUnicode(const QString &input)
-    {
-        QString output;
-        for (QChar c : input) {
-            if (c.unicode() < 0x20 || c.unicode() > 0x7E) {
-                output += QString("\\u%1").arg(QString::number(c.unicode(), 16).rightJustified(4, '0'));
-            } else {
-                output += c;
-            }
-        }
-        return output;
-    }
-}
-
-bool apiUtils::isSubscriptionExpired(const QString &subscriptionEndDate)
-{
-    QDateTime now = QDateTime::currentDateTime();
-    QDateTime endDate = QDateTime::fromString(subscriptionEndDate, Qt::ISODateWithMs);
-    return endDate < now;
-}
-
-bool apiUtils::isServerFromApi(const QJsonObject &serverConfigObject)
-{
-    auto configVersion = serverConfigObject.value(apiDefs::key::configVersion).toInt();
-    switch (configVersion) {
-    case apiDefs::ConfigSource::Telegram: return true;
-    case apiDefs::ConfigSource::AmneziaGateway: return true;
-    default: return false;
-    }
-}
-
-apiDefs::ConfigType apiUtils::getConfigType(const QJsonObject &serverConfigObject)
-{
-    auto configVersion = serverConfigObject.value(apiDefs::key::configVersion).toInt();
-
-    switch (configVersion) {
-    case apiDefs::ConfigSource::Telegram: {
-        constexpr QLatin1String freeV2Endpoint(FREE_V2_ENDPOINT);
-        constexpr QLatin1String premiumV1Endpoint(PREM_V1_ENDPOINT);
-
-        auto apiEndpoint = serverConfigObject.value(apiDefs::key::apiEndpoint).toString();
-
-        if (apiEndpoint.contains(premiumV1Endpoint)) {
-            return apiDefs::ConfigType::AmneziaPremiumV1;
-        } else if (apiEndpoint.contains(freeV2Endpoint)) {
-            return apiDefs::ConfigType::AmneziaFreeV2;
-        }
-    };
-    case apiDefs::ConfigSource::AmneziaGateway: {
-        constexpr QLatin1String servicePremium("amnezia-premium");
-        constexpr QLatin1String serviceFree("amnezia-free");
-        constexpr QLatin1String serviceExternalPremium("external-premium");
-
-        auto apiConfigObject = serverConfigObject.value(apiDefs::key::apiConfig).toObject();
-        auto serviceType = apiConfigObject.value(apiDefs::key::serviceType).toString();
-
-        if (serviceType == servicePremium) {
-            return apiDefs::ConfigType::AmneziaPremiumV2;
-        } else if (serviceType == serviceFree) {
-            return apiDefs::ConfigType::AmneziaFreeV3;
-        } else if (serviceType == serviceExternalPremium) {
-            return apiDefs::ConfigType::ExternalPremium;
-        }
-    }
-    default: {
-        return apiDefs::ConfigType::SelfHosted;
-    }
-    };
-}
-
-apiDefs::ConfigSource apiUtils::getConfigSource(const QJsonObject &serverConfigObject)
-{
-    return static_cast<apiDefs::ConfigSource>(serverConfigObject.value(apiDefs::key::configVersion).toInt());
-}
-
-amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &sslErrors, QNetworkReply *reply)
-{
-    const int httpStatusCodeConflict = 409;
-    const int httpStatusCodeNotFound = 404;
-
-    if (!sslErrors.empty()) {
-        qDebug().noquote() << sslErrors;
-        return amnezia::ErrorCode::ApiConfigSslError;
-    } else if (reply->error() == QNetworkReply::NoError) {
-        return amnezia::ErrorCode::NoError;
-    } else if (reply->error() == QNetworkReply::NetworkError::OperationCanceledError
-               || reply->error() == QNetworkReply::NetworkError::TimeoutError) {
-        qDebug() << reply->error();
-        return amnezia::ErrorCode::ApiConfigTimeoutError;
-    } else if (reply->error() == QNetworkReply::NetworkError::OperationNotImplementedError) {
-        qDebug() << reply->error();
-        return amnezia::ErrorCode::ApiUpdateRequestError;
-    } else {
-        QString err = reply->errorString();
-        int httpStatusCode = reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
-        qDebug() << QString::fromUtf8(reply->readAll());
-        qDebug() << reply->error();
-        qDebug() << err;
-        qDebug() << httpStatusCode;
-        if (httpStatusCode == httpStatusCodeConflict) {
-            return amnezia::ErrorCode::ApiConfigLimitError;
-        } else if (httpStatusCode == httpStatusCodeNotFound) {
-            return amnezia::ErrorCode::ApiNotFoundError;
-        }
-        return amnezia::ErrorCode::ApiConfigDownloadError;
-    }
-
-    qDebug() << "something went wrong";
-    return amnezia::ErrorCode::InternalError;
-}
-
-bool apiUtils::isPremiumServer(const QJsonObject &serverConfigObject)
-{
-    static const QSet<apiDefs::ConfigType> premiumTypes = { apiDefs::ConfigType::AmneziaPremiumV1, apiDefs::ConfigType::AmneziaPremiumV2,
-                                                            apiDefs::ConfigType::ExternalPremium };
-    return premiumTypes.contains(getConfigType(serverConfigObject));
-}
-
-QString apiUtils::getPremiumV1VpnKey(const QJsonObject &serverConfigObject)
-{
-    if (apiUtils::getConfigType(serverConfigObject) != apiDefs::ConfigType::AmneziaPremiumV1) {
-        return {};
-    }
-
-    QList<QPair<QString, QVariant>> orderedFields;
-    orderedFields.append(qMakePair(apiDefs::key::name, serverConfigObject[apiDefs::key::name].toString()));
-    orderedFields.append(qMakePair(apiDefs::key::description, serverConfigObject[apiDefs::key::description].toString()));
-    orderedFields.append(qMakePair(apiDefs::key::configVersion, serverConfigObject[apiDefs::key::configVersion].toDouble()));
-    orderedFields.append(qMakePair(apiDefs::key::protocol, serverConfigObject[apiDefs::key::protocol].toString()));
-    orderedFields.append(qMakePair(apiDefs::key::apiEndpoint, serverConfigObject[apiDefs::key::apiEndpoint].toString()));
-    orderedFields.append(qMakePair(apiDefs::key::apiKey, serverConfigObject[apiDefs::key::apiKey].toString()));
-
-    QString vpnKeyStr = "{";
-    for (int i = 0; i < orderedFields.size(); ++i) {
-        const auto &pair = orderedFields[i];
-        if (pair.second.typeId() == QMetaType::Type::QString) {
-            vpnKeyStr += "\"" + pair.first + "\": \"" + pair.second.toString() + "\"";
-        } else if (pair.second.typeId() == QMetaType::Type::Double || pair.second.typeId() == QMetaType::Type::Int) {
-            vpnKeyStr += "\"" + pair.first + "\": " + QString::number(pair.second.toDouble(), 'f', 1);
-        }
-
-        if (i < orderedFields.size() - 1) {
-            vpnKeyStr += ", ";
-        }
-    }
-    vpnKeyStr += "}";
-
-    QByteArray vpnKeyCompressed = escapeUnicode(vpnKeyStr).toUtf8();
-    vpnKeyCompressed = qCompress(vpnKeyCompressed, 6);
-    vpnKeyCompressed = vpnKeyCompressed.mid(4);
-
-    QByteArray signedData = AMNEZIA_CONFIG_SIGNATURE + vpnKeyCompressed;
-
-    return QString("vpn://%1").arg(QString(signedData.toBase64(QByteArray::Base64UrlEncoding)));
-}

client/core/api/apiUtils.h

@@ -1,26 +0,0 @@
-#ifndef APIUTILS_H
-#define APIUTILS_H
-
-#include <QNetworkReply>
-#include <QObject>
-
-#include "apiDefs.h"
-#include "core/defs.h"
-
-namespace apiUtils
-{
-    bool isServerFromApi(const QJsonObject &serverConfigObject);
-
-    bool isSubscriptionExpired(const QString &subscriptionEndDate);
-
-    bool isPremiumServer(const QJsonObject &serverConfigObject);
-
-    apiDefs::ConfigType getConfigType(const QJsonObject &serverConfigObject);
-    apiDefs::ConfigSource getConfigSource(const QJsonObject &serverConfigObject);
-
-    amnezia::ErrorCode checkNetworkReplyErrors(const QList<QSslError> &sslErrors, QNetworkReply *reply);
-
-    QString getPremiumV1VpnKey(const QJsonObject &serverConfigObject);
-}
-
-#endif // APIUTILS_H

client/core/configurators/awgConfigurator.cpp

@@ -0,0 +1,109 @@
+#include "awgConfigurator.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocols/awgProtocolConfig.h"
+
+#include <QJsonDocument>
+#include <QJsonObject>
+
+using namespace amnezia;
+
+AwgConfigurator::AwgConfigurator(SshSession* sshSession, QObject *parent)
+    : WireguardConfigurator(sshSession, true, parent)
+{
+}
+
+ProtocolConfig AwgConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const ContainerConfig &containerConfig,
+                                              const DnsSettings &dnsSettings,
+                                              ErrorCode &errorCode)
+{
+    const AwgServerConfig* serverConfig = nullptr;
+    const AwgClientConfig* clientConfig = nullptr;
+    
+    if (auto* awgProtocolConfig = containerConfig.getAwgProtocolConfig()) {
+        serverConfig = &awgProtocolConfig->serverConfig;
+        if (awgProtocolConfig->clientConfig.has_value()) {
+            clientConfig = &awgProtocolConfig->clientConfig.value();
+        }
+    }
+    
+    ProtocolConfig wireguardConfig = WireguardConfigurator::createConfig(credentials, container, containerConfig, dnsSettings, errorCode);
+    if (errorCode != ErrorCode::NoError) {
+        return AwgProtocolConfig{};
+    }
+    
+    WireGuardProtocolConfig* wgConfig = wireguardConfig.as<WireGuardProtocolConfig>();
+    if (!wgConfig || !wgConfig->clientConfig.has_value()) {
+        errorCode = ErrorCode::InternalError;
+        return AwgProtocolConfig{};
+    }
+    
+    QString awgConfig = wgConfig->clientConfig->nativeConfig;
+
+    QMap<QString, QString> configMap;
+    auto configLines = awgConfig.split("\n");
+    for (auto &line : configLines) {
+        auto trimmedLine = line.trimmed();
+        if (trimmedLine.startsWith("[") && trimmedLine.endsWith("]")) {
+            continue;
+        } else {
+            QStringList parts = trimmedLine.split(" = ");
+            if (parts.count() == 2) {
+                configMap.insert(parts[0].trimmed(), parts[1].trimmed());
+            }
+        }
+    }
+
+    AwgProtocolConfig protocolConfig;
+    if (serverConfig) {
+        protocolConfig.serverConfig = *serverConfig;
+    }
+    
+    AwgClientConfig newClientConfig;
+    newClientConfig.nativeConfig = awgConfig;
+    newClientConfig.hostName = wgConfig->clientConfig->hostName;
+    newClientConfig.port = wgConfig->clientConfig->port;
+    newClientConfig.clientIp = wgConfig->clientConfig->clientIp;
+    newClientConfig.clientPrivateKey = wgConfig->clientConfig->clientPrivateKey;
+    newClientConfig.clientPublicKey = wgConfig->clientConfig->clientPublicKey;
+    newClientConfig.serverPublicKey = wgConfig->clientConfig->serverPublicKey;
+    newClientConfig.presharedKey = wgConfig->clientConfig->presharedKey;
+    newClientConfig.clientId = wgConfig->clientConfig->clientId;
+    newClientConfig.allowedIps = wgConfig->clientConfig->allowedIps;
+    newClientConfig.persistentKeepAlive = wgConfig->clientConfig->persistentKeepAlive;
+    
+    QString mtu = protocols::awg::defaultMtu;
+    if (clientConfig && !clientConfig->mtu.isEmpty()) {
+        mtu = clientConfig->mtu;
+    }
+    newClientConfig.mtu = mtu;
+    
+    newClientConfig.junkPacketCount = configMap.value(configKey::junkPacketCount);
+    newClientConfig.junkPacketMinSize = configMap.value(configKey::junkPacketMinSize);
+    newClientConfig.junkPacketMaxSize = configMap.value(configKey::junkPacketMaxSize);
+    newClientConfig.initPacketJunkSize = configMap.value(configKey::initPacketJunkSize);
+    newClientConfig.responsePacketJunkSize = configMap.value(configKey::responsePacketJunkSize);
+    newClientConfig.initPacketMagicHeader = configMap.value(configKey::initPacketMagicHeader);
+    newClientConfig.responsePacketMagicHeader = configMap.value(configKey::responsePacketMagicHeader);
+    newClientConfig.underloadPacketMagicHeader = configMap.value(configKey::underloadPacketMagicHeader);
+    newClientConfig.transportPacketMagicHeader = configMap.value(configKey::transportPacketMagicHeader);
+    newClientConfig.specialJunk1 = configMap.value(configKey::specialJunk1);
+    newClientConfig.specialJunk2 = configMap.value(configKey::specialJunk2);
+    newClientConfig.specialJunk3 = configMap.value(configKey::specialJunk3);
+    newClientConfig.specialJunk4 = configMap.value(configKey::specialJunk4);
+    newClientConfig.specialJunk5 = configMap.value(configKey::specialJunk5);
+    
+    if (container == DockerContainer::Awg2) {
+        newClientConfig.cookieReplyPacketJunkSize = configMap.value(configKey::cookieReplyPacketJunkSize);
+        newClientConfig.transportPacketJunkSize = configMap.value(configKey::transportPacketJunkSize);
+    }
+    
+    newClientConfig.isObfuscationEnabled = false;
+    
+    protocolConfig.setClientConfig(newClientConfig);
+    
+    return protocolConfig;
+}

client/core/configurators/awgConfigurator.h

@@ -0,0 +1,20 @@
+#ifndef AWGCONFIGURATOR_H
+#define AWGCONFIGURATOR_H
+
+#include <QObject>
+
+#include "wireguardConfigurator.h"
+
+class AwgConfigurator : public WireguardConfigurator
+{
+    Q_OBJECT
+public:
+    AwgConfigurator(SshSession* sshSession, QObject *parent = nullptr);
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode) override;
+};
+
+#endif // AWGCONFIGURATOR_H

client/core/configurators/configuratorBase.cpp

@@ -0,0 +1,50 @@
+#include "configuratorBase.h"
+
+#include "core/configurators/awgConfigurator.h"
+#include "core/configurators/ikev2Configurator.h"
+#include "core/configurators/openVpnConfigurator.h"
+#include "core/configurators/wireguardConfigurator.h"
+#include "core/configurators/xrayConfigurator.h"
+
+using namespace amnezia;
+
+ConfiguratorBase::ConfiguratorBase(SshSession* sshSession, QObject *parent)
+    : QObject { parent }, m_sshSession(sshSession)
+{
+}
+
+QScopedPointer<ConfiguratorBase> ConfiguratorBase::create(Proto protocol,
+                                                          SshSession* sshSession)
+{
+    switch (protocol) {
+    case Proto::OpenVpn: return QScopedPointer<ConfiguratorBase>(new OpenVpnConfigurator(sshSession));
+    case Proto::WireGuard: return QScopedPointer<ConfiguratorBase>(new WireguardConfigurator(sshSession, false));
+    case Proto::Awg: return QScopedPointer<ConfiguratorBase>(new AwgConfigurator(sshSession));
+    case Proto::Ikev2: return QScopedPointer<ConfiguratorBase>(new Ikev2Configurator(sshSession));
+    case Proto::Xray: return QScopedPointer<ConfiguratorBase>(new XrayConfigurator(sshSession));
+    case Proto::SSXray: return QScopedPointer<ConfiguratorBase>(new XrayConfigurator(sshSession));
+    default: return QScopedPointer<ConfiguratorBase>();
+    }
+}
+
+ProtocolConfig ConfiguratorBase::processConfigWithLocalSettings(const ConnectionSettings &settings,
+                                                                 ProtocolConfig protocolConfig)
+{
+    applyDnsToNativeConfig(settings.dns, protocolConfig);
+    return protocolConfig;
+}
+
+ProtocolConfig ConfiguratorBase::processConfigWithExportSettings(const ExportSettings &settings,
+                                                                 ProtocolConfig protocolConfig)
+{
+    applyDnsToNativeConfig(settings.dns, protocolConfig);
+    return protocolConfig;
+}
+
+void ConfiguratorBase::applyDnsToNativeConfig(const DnsSettings &dns, ProtocolConfig &protocolConfig)
+{
+    QString config = protocolConfig.nativeConfig();
+    config.replace("$PRIMARY_DNS", dns.primaryDns);
+    config.replace("$SECONDARY_DNS", dns.secondaryDns);
+    protocolConfig.setNativeConfig(config);
+}

client/core/configurators/configuratorBase.h

@@ -0,0 +1,43 @@
+#ifndef CONFIGURATORBASE_H
+#define CONFIGURATORBASE_H
+
+#include <QObject>
+#include <QScopedPointer>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocolConfig.h"
+
+class SshSession;
+
+class ConfiguratorBase : public QObject
+{
+    Q_OBJECT
+public:
+    explicit ConfiguratorBase(SshSession* sshSession, QObject *parent = nullptr);
+
+    static QScopedPointer<ConfiguratorBase> create(amnezia::Proto protocol,
+                                                   SshSession* sshSession);
+
+    virtual amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                        const amnezia::ContainerConfig &containerConfig,
+                                        const amnezia::DnsSettings &dnsSettings,
+                                        amnezia::ErrorCode &errorCode) = 0;
+
+    virtual amnezia::ProtocolConfig processConfigWithLocalSettings(const amnezia::ConnectionSettings &settings,
+                                                                   amnezia::ProtocolConfig protocolConfig);
+    virtual amnezia::ProtocolConfig processConfigWithExportSettings(const amnezia::ExportSettings &settings,
+                                                                     amnezia::ProtocolConfig protocolConfig);
+
+protected:
+    void applyDnsToNativeConfig(const amnezia::DnsSettings &dns, amnezia::ProtocolConfig &protocolConfig);
+
+    SshSession* m_sshSession;
+};
+
+#endif // CONFIGURATORBASE_H

client/core/configurators/ikev2Configurator.cpp

@@ -1,4 +1,4 @@
-#include "ikev2_configurator.h"
+#include "ikev2Configurator.h"
 
 #include <QDebug>
 #include <QJsonDocument>
@@ -8,14 +8,16 @@
 #include <QTemporaryFile>
 #include <QUuid>
 
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-#include "core/scripts_registry.h"
-#include "core/server_defs.h"
-#include "utilities.h"
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "core/utils/utilities.h"
+#include "core/models/protocols/ikev2ProtocolConfig.h"
 
-Ikev2Configurator::Ikev2Configurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
+Ikev2Configurator::Ikev2Configurator(SshSession* sshSession, QObject *parent)
+    : ConfiguratorBase(sshSession, parent)
 {
 }
 
@@ -25,7 +27,6 @@ Ikev2Configurator::ConnectionData Ikev2Configurator::prepareIkev2Config(const Se
     Ikev2Configurator::ConnectionData connData;
     connData.host = credentials.hostName;
     connData.clientId = Utils::getRandomString(16);
-    connData.password = Utils::getRandomString(16);
     connData.password = "";
 
     QString certFileName = "/opt/amnezia/ikev2/clients/" + connData.clientId + ".p12";
@@ -39,14 +40,14 @@ Ikev2Configurator::ConnectionData Ikev2Configurator::prepareIkev2Config(const Se
                                        "--extKeyUsage serverAuth,clientAuth -8 \"%1\"")
                                        .arg(connData.clientId);
 
-    errorCode = m_serverController->runContainerScript(credentials, container, scriptCreateCert);
+    errorCode = m_sshSession->runContainerScript(credentials, container, scriptCreateCert);
 
     QString scriptExportCert =
             QString("pk12util -W \"%1\" -d sql:/etc/ipsec.d -n \"%2\" -o \"%3\"").arg(connData.password).arg(connData.clientId).arg(certFileName);
-    errorCode = m_serverController->runContainerScript(credentials, container, scriptExportCert);
+    errorCode = m_sshSession->runContainerScript(credentials, container, scriptExportCert);
 
-    connData.clientCert = m_serverController->getTextFileFromContainer(container, credentials, certFileName, errorCode);
-    connData.caCert = m_serverController->getTextFileFromContainer(container, credentials, "/etc/ipsec.d/ca_cert_base64.p12", errorCode);
+    connData.clientCert = m_sshSession->getTextFileFromContainer(container, credentials, certFileName, errorCode);
+    connData.caCert = m_sshSession->getTextFileFromContainer(container, credentials, "/etc/ipsec.d/ca_cert_base64.p12", errorCode);
 
     qDebug() << "Ikev2Configurator::ConnectionData client cert size:" << connData.clientCert.size();
     qDebug() << "Ikev2Configurator::ConnectionData ca cert size:" << connData.caCert.size();
@@ -54,26 +55,51 @@ Ikev2Configurator::ConnectionData Ikev2Configurator::prepareIkev2Config(const Se
     return connData;
 }
 
-QString Ikev2Configurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                        ErrorCode &errorCode)
+ProtocolConfig Ikev2Configurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const ContainerConfig &containerConfig,
+                                               const DnsSettings &dnsSettings,
+                                               ErrorCode &errorCode)
 {
-    Q_UNUSED(containerConfig)
+    const Ikev2ServerConfig* serverConfig = nullptr;
+    if (auto* ikev2Config = containerConfig.protocolConfig.as<Ikev2ProtocolConfig>()) {
+        serverConfig = &ikev2Config->serverConfig;
+    }
 
     ConnectionData connData = prepareIkev2Config(credentials, container, errorCode);
     if (errorCode != ErrorCode::NoError) {
-        return "";
+        return Ikev2ProtocolConfig{};
     }
 
-    return genIkev2Config(connData);
+    QString configJson = genIkev2Config(connData);
+    QJsonDocument doc = QJsonDocument::fromJson(configJson.toUtf8());
+    QJsonObject configObj = doc.object();
+
+    Ikev2ProtocolConfig protocolConfig;
+    if (serverConfig) {
+        protocolConfig.serverConfig = *serverConfig;
+    } else {
+        protocolConfig.serverConfig.hostName = connData.host;
+    }
+    
+    Ikev2ClientConfig clientConfig;
+    clientConfig.nativeConfig = configJson;
+    clientConfig.hostName = connData.host;
+    clientConfig.userName = connData.clientId;
+    clientConfig.cert = QString(connData.clientCert.toBase64());
+    clientConfig.password = connData.password;
+    clientConfig.clientId = connData.clientId;
+    
+    protocolConfig.setClientConfig(clientConfig);
+    
+    return protocolConfig;
 }
 
 QString Ikev2Configurator::genIkev2Config(const ConnectionData &connData)
 {
     QJsonObject config;
-    config[config_key::hostName] = connData.host;
-    config[config_key::userName] = connData.clientId;
-    config[config_key::cert] = QString(connData.clientCert.toBase64());
-    config[config_key::password] = connData.password;
+    config[configKey::hostName] = connData.host;
+    config[configKey::userName] = connData.clientId;
+    config[configKey::cert] = QString(connData.clientCert.toBase64());
+    config[configKey::password] = connData.password;
 
     return QJsonDocument(config).toJson();
 }

client/core/configurators/ikev2Configurator.h

@@ -0,0 +1,39 @@
+#ifndef IKEV2_CONFIGURATOR_H
+#define IKEV2_CONFIGURATOR_H
+
+#include <QObject>
+#include <QProcessEnvironment>
+
+#include "configuratorBase.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+
+class Ikev2Configurator : public ConfiguratorBase
+{
+    Q_OBJECT
+public:
+    Ikev2Configurator(SshSession* sshSession, QObject *parent = nullptr);
+
+    struct ConnectionData {
+        QByteArray clientCert; // p12 client cert
+        QByteArray caCert; // p12 server cert
+        QString clientId;
+        QString password; // certificate password
+        QString host; // host ip
+    };
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode) override;
+
+    QString genIkev2Config(const ConnectionData &connData);
+    QString genMobileConfig(const ConnectionData &connData);
+    QString genStrongSwanConfig(const ConnectionData &connData);
+
+    ConnectionData prepareIkev2Config(const amnezia::ServerCredentials &credentials,
+        amnezia::DockerContainer container, amnezia::ErrorCode &errorCode);
+};
+
+#endif // IKEV2_CONFIGURATOR_H

client/core/configurators/openVpnConfigurator.cpp

@@ -1,8 +1,9 @@
-#include "openvpn_configurator.h"
+#include "openVpnConfigurator.h"
 
 #include <QDebug>
 #include <QJsonDocument>
 #include <QJsonObject>
+#include <QRegularExpression>
 #include <QProcess>
 #include <QString>
 #include <QTemporaryDir>
@@ -13,26 +14,34 @@
     #include <QApplication>
 #endif
 
-#include "core/networkUtilities.h"
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-#include "core/scripts_registry.h"
-#include "settings.h"
-#include "utilities.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/utils/networkUtilities.h"
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "core/utils/utilities.h"
+#include "core/models/protocols/openVpnProtocolConfig.h"
+
+using namespace amnezia;
 
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 
 
-OpenVpnConfigurator::OpenVpnConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
-                                         QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
+OpenVpnConfigurator::OpenVpnConfigurator(SshSession* sshSession, QObject *parent)
+    : ConfiguratorBase(sshSession, parent)
 {
 }
 
 OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::prepareOpenVpnConfig(const ServerCredentials &credentials,
-                                                                              DockerContainer container, ErrorCode &errorCode)
+                                                                              DockerContainer container, 
+                                                                              const DnsSettings &dnsSettings,
+                                                                              ErrorCode &errorCode)
 {
     OpenVpnConfigurator::ConnectionData connData = OpenVpnConfigurator::createCertRequest();
     connData.host = credentials.hostName;
@@ -44,26 +53,26 @@ OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::prepareOpenVpnConfig(co
 
     QString reqFileName = QString("%1/%2.req").arg(amnezia::protocols::openvpn::clientsDirPath).arg(connData.clientId);
 
-    errorCode = m_serverController->uploadTextFileToContainer(container, credentials, connData.request, reqFileName);
+    errorCode = m_sshSession->uploadTextFileToContainer(container, credentials, connData.request, reqFileName);
     if (errorCode != ErrorCode::NoError) {
         return connData;
     }
 
-    errorCode = signCert(container, credentials, connData.clientId);
+    errorCode = signCert(container, credentials, dnsSettings, connData.clientId);
     if (errorCode != ErrorCode::NoError) {
         return connData;
     }
 
     connData.caCert =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::caCertPath, errorCode);
-    connData.clientCert = m_serverController->getTextFileFromContainer(
+            m_sshSession->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::caCertPath, errorCode);
+    connData.clientCert = m_sshSession->getTextFileFromContainer(
             container, credentials, QString("%1/%2.crt").arg(amnezia::protocols::openvpn::clientCertPath).arg(connData.clientId), errorCode);
 
     if (errorCode != ErrorCode::NoError) {
         return connData;
     }
 
-    connData.taKey = m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::taKeyPath, errorCode);
+    connData.taKey = m_sshSession->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::taKeyPath, errorCode);
 
     if (connData.caCert.isEmpty() || connData.clientCert.isEmpty() || connData.taKey.isEmpty()) {
         errorCode = ErrorCode::SshScpFailureError;
@@ -72,23 +81,49 @@ OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::prepareOpenVpnConfig(co
     return connData;
 }
 
-QString OpenVpnConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                          const QJsonObject &containerConfig, ErrorCode &errorCode)
+ProtocolConfig OpenVpnConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
+                                                  const ContainerConfig &containerConfig,
+                                                  const DnsSettings &dnsSettings,
+                                                  ErrorCode &errorCode)
 {
-    QString config = m_serverController->replaceVars(amnezia::scriptData(ProtocolScriptType::openvpn_template, container),
-                                                     m_serverController->genVarsForScript(credentials, container, containerConfig));
-
-    ConnectionData connData = prepareOpenVpnConfig(credentials, container, errorCode);
-    if (errorCode != ErrorCode::NoError) {
-        return "";
+    const OpenVpnServerConfig* serverConfig = nullptr;
+    if (auto* openVpnProtocolConfig = containerConfig.getOpenVpnProtocolConfig()) {
+        serverConfig = &openVpnProtocolConfig->serverConfig;
     }
+    
+    amnezia::ScriptVars vars = amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns);
+    vars.append(amnezia::genProtocolVarsForContainer(container, containerConfig));
+    QString config = m_sshSession->replaceVars(amnezia::scriptData(ProtocolScriptType::openvpn_template, container), vars);
+
+    ConnectionData connData = prepareOpenVpnConfig(credentials, container, dnsSettings, errorCode);
+    if (errorCode != ErrorCode::NoError) {
+        return OpenVpnProtocolConfig{};
+    }
+
+    auto sanitizeStaticKey = [](const QString &key) {
+        QStringList lines = key.split('\n');
+        QStringList filtered;
+        filtered.reserve(lines.size());
+        for (const QString &line : lines) {
+            const QString trimmed = line.trimmed();
+            if (trimmed.startsWith('#')) {
+                continue;
+            }
+            filtered.append(line);
+        }
+        QString result = filtered.join('\n');
+        if (!result.endsWith('\n')) {
+            result.append('\n');
+        }
+        return result;
+    };
 
     config.replace("$OPENVPN_CA_CERT", connData.caCert);
     config.replace("$OPENVPN_CLIENT_CERT", connData.clientCert);
     config.replace("$OPENVPN_PRIV_KEY", connData.privKey);
 
     if (config.contains("$OPENVPN_TA_KEY")) {
-        config.replace("$OPENVPN_TA_KEY", connData.taKey);
+        config.replace("$OPENVPN_TA_KEY", sanitizeStaticKey(connData.taKey));
     } else {
         config.replace("<tls-auth>", "");
         config.replace("</tls-auth>", "");
@@ -98,42 +133,45 @@ QString OpenVpnConfigurator::createConfig(const ServerCredentials &credentials,
     config.replace("block-outside-dns", "");
 #endif
 
-    QJsonObject jConfig;
-    jConfig[config_key::config] = config;
-
-    jConfig[config_key::clientId] = connData.clientId;
-
-    return QJsonDocument(jConfig).toJson();
+    OpenVpnProtocolConfig protocolConfig;
+    if (serverConfig) {
+        protocolConfig.serverConfig = *serverConfig;
+    }
+    
+    OpenVpnClientConfig clientConfig;
+    clientConfig.nativeConfig = config;
+    clientConfig.clientId = connData.clientId;
+    clientConfig.blockOutsideDns = false;
+    
+    protocolConfig.setClientConfig(clientConfig);
+    
+    return protocolConfig;
 }
 
-QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                            QString &protocolConfigString)
+ProtocolConfig OpenVpnConfigurator::processConfigWithLocalSettings(const ConnectionSettings &settings,
+                                                                   ProtocolConfig protocolConfig)
 {
-    processConfigWithDnsSettings(dns, protocolConfigString);
+    applyDnsToNativeConfig(settings.dns, protocolConfig);
 
-    QJsonObject json = QJsonDocument::fromJson(protocolConfigString.toUtf8()).object();
-    QString config = json[config_key::config].toString();
+    QString config = protocolConfig.nativeConfig();
 
-    if (!isApiConfig) {
+    if (!settings.isApiConfig) {
         QRegularExpression regex("redirect-gateway.*");
         config.replace(regex, "");
-        
-        // We don't use secondary DNS if primary DNS is AmneziaDNS
-        if (dns.first.contains(protocols::dns::amneziaDnsIp)) {
-            QRegularExpression dnsRegex("dhcp-option DNS " + dns.second);
+
+        if (settings.dns.primaryDns.contains(protocols::dns::amneziaDnsIp)) {
+            QRegularExpression dnsRegex("dhcp-option DNS " + settings.dns.secondaryDns);
             config.replace(dnsRegex, "");
         }
 
-        if (!m_settings->isSitesSplitTunnelingEnabled()) {
+        if (!settings.splitTunneling.isSitesSplitTunnelingEnabled) {
             config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");
             config.append("block-ipv6\n");
-        } else if (m_settings->routeMode() == Settings::VpnOnlyForwardSites) {
-
-               // no redirect-gateway
-        } else if (m_settings->routeMode() == Settings::VpnAllExceptSites) {
+        } else if (settings.splitTunneling.routeMode == RouteMode::VpnOnlyForwardSites) {
+            // no redirect-gateway
+        } else if (settings.splitTunneling.routeMode == RouteMode::VpnAllExceptSites) {
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
             config.append("\nredirect-gateway ipv6 !ipv4 bypass-dhcp\n");
-            // Prevent ipv6 leak
 #endif
             config.append("block-ipv6\n");
         }
@@ -144,64 +182,57 @@ QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString,
 #endif
 
 #if (defined(MZ_MACOS) || defined(MZ_LINUX))
-    QString dnsConf = QString("\nscript-security 2\n"
-                              "up %1/update-resolv-conf.sh\n"
-                              "down %1/update-resolv-conf.sh\n")
-                              .arg(qApp->applicationDirPath());
-
-    config.append(dnsConf);
+    config.append(QString("\nscript-security 2\n"
+                         "up %1/update-resolv-conf.sh\n"
+                         "down %1/update-resolv-conf.sh\n")
+                  .arg(qApp->applicationDirPath()));
 #endif
 
-    json[config_key::config] = config;
-    return QJsonDocument(json).toJson();
+    protocolConfig.setNativeConfig(config);
+    return protocolConfig;
 }
 
-QString OpenVpnConfigurator::processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                             QString &protocolConfigString)
+ProtocolConfig OpenVpnConfigurator::processConfigWithExportSettings(const ExportSettings &settings,
+                                                                    ProtocolConfig protocolConfig)
 {
-    processConfigWithDnsSettings(dns, protocolConfigString);
+    applyDnsToNativeConfig(settings.dns, protocolConfig);
 
-    QJsonObject json = QJsonDocument::fromJson(protocolConfigString.toUtf8()).object();
-    QString config = json[config_key::config].toString();
+    QString config = protocolConfig.nativeConfig();
 
     QRegularExpression regex("redirect-gateway.*");
     config.replace(regex, "");
 
-    // We don't use secondary DNS if primary DNS is AmneziaDNS
-    if (dns.first.contains(protocols::dns::amneziaDnsIp)) {
-        QRegularExpression dnsRegex("dhcp-option DNS " + dns.second);
+    if (settings.dns.primaryDns.contains(protocols::dns::amneziaDnsIp)) {
+        QRegularExpression dnsRegex("dhcp-option DNS " + settings.dns.secondaryDns);
         config.replace(dnsRegex, "");
     }
 
     config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");
-
-    // Prevent ipv6 leak
     config.append("block-ipv6\n");
-
-    // remove block-outside-dns for all exported configs
     config.replace("block-outside-dns", "");
 
-    json[config_key::config] = config;
-    return QJsonDocument(json).toJson();
+    protocolConfig.setNativeConfig(config);
+    return protocolConfig;
 }
 
-ErrorCode OpenVpnConfigurator::signCert(DockerContainer container, const ServerCredentials &credentials, QString clientId)
+ErrorCode OpenVpnConfigurator::signCert(DockerContainer container, const ServerCredentials &credentials, 
+                                        const DnsSettings &dnsSettings, QString clientId)
 {
     QString script_import = QString("sudo docker exec -i %1 bash -c \"cd /opt/amnezia/openvpn && "
                                     "easyrsa import-req %2/%3.req %3\"")
-                                    .arg(ContainerProps::containerToString(container))
+                                    .arg(ContainerUtils::containerToString(container))
                                     .arg(amnezia::protocols::openvpn::clientsDirPath)
                                     .arg(clientId);
 
     QString script_sign = QString("sudo docker exec -i %1 bash -c \"export EASYRSA_BATCH=1; cd /opt/amnezia/openvpn && "
                                   "easyrsa sign-req client %2\"")
-                                  .arg(ContainerProps::containerToString(container))
+                                  .arg(ContainerUtils::containerToString(container))
                                   .arg(clientId);
 
     QStringList scriptList { script_import, script_sign };
-    QString script = m_serverController->replaceVars(scriptList.join("\n"), m_serverController->genVarsForScript(credentials, container));
+    QString script = m_sshSession->replaceVars(scriptList.join("\n"), amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns));
 
-    return m_serverController->runScript(credentials, script);
+    return m_sshSession->runScript(credentials, script);
 }
 
 OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::createCertRequest()
@@ -210,7 +241,7 @@ OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::createCertRequest()
     connData.clientId = Utils::getRandomString(32);
 
     int ret = 0;
-    int nVersion = 1;
+    int nVersion = 0;
 
     QByteArray clientIdUtf8 = connData.clientId.toUtf8();
 

client/core/configurators/openVpnConfigurator.h

@@ -0,0 +1,49 @@
+#ifndef OPENVPN_CONFIGURATOR_H
+#define OPENVPN_CONFIGURATOR_H
+
+#include <QObject>
+#include <QProcessEnvironment>
+
+#include "configuratorBase.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+
+class OpenVpnConfigurator : public ConfiguratorBase
+{
+    Q_OBJECT
+public:
+    OpenVpnConfigurator(SshSession* sshSession, QObject *parent = nullptr);
+
+    struct ConnectionData
+    {
+        QString clientId;
+        QString request;    // certificate request
+        QString privKey;    // client private key
+        QString clientCert; // client signed certificate
+        QString caCert;     // server certificate
+        QString taKey;      // tls-auth key
+        QString host;       // host ip
+    };
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                               const amnezia::ContainerConfig &containerConfig,
+                               const amnezia::DnsSettings &dnsSettings,
+                               amnezia::ErrorCode &errorCode) override;
+
+    amnezia::ProtocolConfig processConfigWithLocalSettings(const amnezia::ConnectionSettings &settings,
+                                                           amnezia::ProtocolConfig protocolConfig) override;
+    amnezia::ProtocolConfig processConfigWithExportSettings(const amnezia::ExportSettings &settings,
+                                                            amnezia::ProtocolConfig protocolConfig) override;
+
+    static ConnectionData createCertRequest();
+
+private:
+    ConnectionData prepareOpenVpnConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                       const amnezia::DnsSettings &dnsSettings,
+                                       amnezia::ErrorCode &errorCode);
+    amnezia::ErrorCode signCert(amnezia::DockerContainer container, const amnezia::ServerCredentials &credentials, 
+                      const amnezia::DnsSettings &dnsSettings, QString clientId);
+};
+
+#endif // OPENVPN_CONFIGURATOR_H

client/core/configurators/wireguardConfigurator.cpp

@@ -0,0 +1,288 @@
+#include "wireguardConfigurator.h"
+
+#include <QDebug>
+#include <QJsonDocument>
+#include <QProcess>
+#include <QRegularExpression>
+#include <QString>
+#include <QTemporaryDir>
+#include <QTemporaryFile>
+
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/utils/utilities.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocols/wireGuardProtocolConfig.h"
+#include "core/models/protocols/awgProtocolConfig.h"
+#include <QJsonArray>
+
+using namespace amnezia;
+
+WireguardConfigurator::WireguardConfigurator(SshSession* sshSession, bool isAwg,
+                                             QObject *parent)
+    : ConfiguratorBase(sshSession, parent), m_isAwg(isAwg)
+{
+    m_serverConfigPath =
+            m_isAwg ? amnezia::protocols::awg::serverConfigPath : amnezia::protocols::wireguard::serverConfigPath;
+    m_serverPublicKeyPath =
+            m_isAwg ? amnezia::protocols::awg::serverPublicKeyPath : amnezia::protocols::wireguard::serverPublicKeyPath;
+    m_serverPskKeyPath =
+            m_isAwg ? amnezia::protocols::awg::serverPskKeyPath : amnezia::protocols::wireguard::serverPskKeyPath;
+    m_configTemplate = m_isAwg ? ProtocolScriptType::awg_template : ProtocolScriptType::wireguard_template;
+
+    m_protocolName = m_isAwg ? configKey::awg : configKey::wireguard;
+    m_defaultPort = m_isAwg ? protocols::awg::defaultPort : protocols::wireguard::defaultPort;
+}
+
+WireguardConfigurator::ConnectionData WireguardConfigurator::genClientKeys()
+{
+    // TODO review
+    constexpr size_t EDDSA_KEY_LENGTH = 32;
+
+    ConnectionData connData;
+
+    unsigned char buff[EDDSA_KEY_LENGTH];
+    int ret = RAND_priv_bytes(buff, EDDSA_KEY_LENGTH);
+    if (ret <= 0)
+        return connData;
+
+    EVP_PKEY *pKey = EVP_PKEY_new();
+    q_check_ptr(pKey);
+    pKey = EVP_PKEY_new_raw_private_key(EVP_PKEY_X25519, NULL, &buff[0], EDDSA_KEY_LENGTH);
+
+    size_t keySize = EDDSA_KEY_LENGTH;
+
+    // save private key
+    unsigned char priv[EDDSA_KEY_LENGTH];
+    EVP_PKEY_get_raw_private_key(pKey, priv, &keySize);
+    connData.clientPrivKey = QByteArray::fromRawData((char *)priv, keySize).toBase64();
+
+    // save public key
+    unsigned char pub[EDDSA_KEY_LENGTH];
+    EVP_PKEY_get_raw_public_key(pKey, pub, &keySize);
+    connData.clientPubKey = QByteArray::fromRawData((char *)pub, keySize).toBase64();
+
+    return connData;
+}
+
+QList<QHostAddress> WireguardConfigurator::getIpsFromConf(const QString &input)
+{
+    QRegularExpression regex("AllowedIPs = (\\d+\\.\\d+\\.\\d+\\.\\d+)");
+    QRegularExpressionMatchIterator matchIterator = regex.globalMatch(input);
+
+    QList<QHostAddress> ips;
+
+    while (matchIterator.hasNext()) {
+        QRegularExpressionMatch match = matchIterator.next();
+        const QString address_string { match.captured(1) };
+        const QHostAddress address { address_string };
+        if (address.isNull()) {
+            qWarning() << "Couldn't recognize the ip address: " << address_string;
+        } else {
+            ips << address;
+        }
+    }
+
+    return ips;
+}
+
+WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardConfig(const ServerCredentials &credentials,
+                                                                                    DockerContainer container,
+                                                                                    const WireGuardServerConfig* serverConfig,
+                                                                                    const AwgServerConfig* awgServerConfig,
+                                                                                    const DnsSettings &dnsSettings,
+                                                                                    ErrorCode &errorCode)
+{
+    WireguardConfigurator::ConnectionData connData = WireguardConfigurator::genClientKeys();
+    connData.host = credentials.hostName;
+    
+    QString portStr = m_defaultPort;
+    if (serverConfig && !serverConfig->port.isEmpty()) {
+        portStr = serverConfig->port;
+    } else if (awgServerConfig && !awgServerConfig->port.isEmpty()) {
+        portStr = awgServerConfig->port;
+    }
+    connData.port = portStr;
+
+    if (connData.clientPrivKey.isEmpty() || connData.clientPubKey.isEmpty()) {
+        errorCode = ErrorCode::InternalError;
+        return connData;
+    }
+
+    QString configPath = m_serverConfigPath;
+    if (container == DockerContainer::Awg) {
+        configPath = amnezia::protocols::awg::serverLegacyConfigPath;
+    }
+    QString getIpsScript = QString("cat %1 | grep AllowedIPs").arg(configPath);
+    QString stdOut;
+    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
+        stdOut += data + "\n";
+        return ErrorCode::NoError;
+    };
+
+    errorCode = m_sshSession->runContainerScript(credentials, container, getIpsScript, cbReadStdOut);
+    if (errorCode != ErrorCode::NoError) {
+        return connData;
+    }
+    auto ips = getIpsFromConf(stdOut);
+
+    QHostAddress nextIp = [&] {
+        QHostAddress result;
+        QHostAddress lastIp;
+        QString subnetAddress = protocols::wireguard::defaultSubnetAddress;
+        if (serverConfig && !serverConfig->subnetAddress.isEmpty()) {
+            subnetAddress = serverConfig->subnetAddress;
+        } else if (awgServerConfig && !awgServerConfig->subnetAddress.isEmpty()) {
+            subnetAddress = awgServerConfig->subnetAddress;
+        }
+        if (ips.empty()) {
+            lastIp.setAddress(subnetAddress);
+        } else {
+            lastIp = ips.last();
+        }
+        quint8 lastOctet = static_cast<quint8>(lastIp.toIPv4Address());
+        switch (lastOctet) {
+        case 254: result.setAddress(lastIp.toIPv4Address() + 3); break;
+        case 255: result.setAddress(lastIp.toIPv4Address() + 2); break;
+        default: result.setAddress(lastIp.toIPv4Address() + 1); break;
+        }
+
+        return result;
+    }();
+
+    connData.clientIP = nextIp.toString();
+
+    // Get keys
+    connData.serverPubKey =
+            m_sshSession->getTextFileFromContainer(container, credentials, m_serverPublicKeyPath, errorCode);
+    connData.serverPubKey.replace("\n", "");
+    if (errorCode != ErrorCode::NoError) {
+        return connData;
+    }
+
+    connData.pskKey = m_sshSession->getTextFileFromContainer(container, credentials, m_serverPskKeyPath, errorCode);
+    connData.pskKey.replace("\n", "");
+
+    if (errorCode != ErrorCode::NoError) {
+        return connData;
+    }
+
+    // Add client to config
+    QString configPart = QString("[Peer]\n"
+                                 "PublicKey = %1\n"
+                                 "PresharedKey = %2\n"
+                                 "AllowedIPs = %3/32\n\n")
+                                 .arg(connData.clientPubKey, connData.pskKey, connData.clientIP);
+
+    errorCode = m_sshSession->uploadTextFileToContainer(container, credentials, configPart, configPath,
+                                                              libssh::ScpOverwriteMode::ScpAppendToExisting);
+
+    if (errorCode != ErrorCode::NoError) {
+        return connData;
+    }
+
+    bool isAwg = (container == DockerContainer::Awg2);
+    QString bin = isAwg ? QStringLiteral("awg") : QStringLiteral("wg");
+    QString iface = isAwg ? QStringLiteral("awg0") : QStringLiteral("wg0");
+    QString script = QString(
+        "sudo docker exec -i $CONTAINER_NAME bash -c '%1 syncconf %2 <(%1-quick strip %3)'").arg(bin, iface, configPath);
+
+    errorCode = m_sshSession->runScript(
+            credentials,
+            m_sshSession->replaceVars(script, amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns)));
+
+    return connData;
+}
+
+ProtocolConfig WireguardConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
+                                                    const ContainerConfig &containerConfig,
+                                                    const DnsSettings &dnsSettings,
+                                                    ErrorCode &errorCode)
+{
+    const WireGuardServerConfig* wireguardServerConfig = nullptr;
+    const WireGuardClientConfig* wireguardClientConfig = nullptr;
+    const AwgServerConfig* awgServerConfig = nullptr;
+    const AwgClientConfig* awgClientConfig = nullptr;
+    
+    if (auto* wireGuardProtocolConfig = containerConfig.getWireGuardProtocolConfig()) {
+        wireguardServerConfig = &wireGuardProtocolConfig->serverConfig;
+        if (wireGuardProtocolConfig->clientConfig.has_value()) {
+            wireguardClientConfig = &wireGuardProtocolConfig->clientConfig.value();
+        }
+    } else if (auto* awgProtocolConfig = containerConfig.getAwgProtocolConfig()) {
+        awgServerConfig = &awgProtocolConfig->serverConfig;
+        if (awgProtocolConfig->clientConfig.has_value()) {
+            awgClientConfig = &awgProtocolConfig->clientConfig.value();
+        }
+    }
+    
+    amnezia::ScriptVars vars = amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns);
+    vars.append(amnezia::genProtocolVarsForContainer(container, containerConfig));
+    QString scriptData = amnezia::scriptData(m_configTemplate, container);
+    QString config = m_sshSession->replaceVars(scriptData, vars);
+
+    ConnectionData connData = prepareWireguardConfig(credentials, container, wireguardServerConfig, awgServerConfig, dnsSettings, errorCode);
+    if (errorCode != ErrorCode::NoError) {
+        return WireGuardProtocolConfig{};
+    }
+
+    config.replace("$WIREGUARD_CLIENT_PRIVATE_KEY", connData.clientPrivKey);
+    config.replace("$WIREGUARD_CLIENT_IP", connData.clientIP);
+    config.replace("$WIREGUARD_SERVER_PUBLIC_KEY", connData.serverPubKey);
+    config.replace("$WIREGUARD_PSK", connData.pskKey);
+
+    QString mtu = protocols::wireguard::defaultMtu;
+    if (wireguardClientConfig && !wireguardClientConfig->mtu.isEmpty()) {
+        mtu = wireguardClientConfig->mtu;
+    } else if (awgClientConfig && !awgClientConfig->mtu.isEmpty()) {
+        mtu = awgClientConfig->mtu;
+    }
+    
+    WireGuardProtocolConfig protocolConfig;
+    if (wireguardServerConfig) {
+        protocolConfig.serverConfig = *wireguardServerConfig;
+    }
+    
+    WireGuardClientConfig clientConfig;
+    clientConfig.nativeConfig = config;
+    clientConfig.hostName = connData.host;
+    clientConfig.port = connData.port.toInt();
+    clientConfig.clientIp = connData.clientIP;
+    clientConfig.clientPrivateKey = connData.clientPrivKey;
+    clientConfig.clientPublicKey = connData.clientPubKey;
+    clientConfig.serverPublicKey = connData.serverPubKey;
+    clientConfig.presharedKey = connData.pskKey;
+    clientConfig.clientId = connData.clientPubKey;
+    clientConfig.allowedIps = QStringList { "0.0.0.0/0", "::/0" };
+    clientConfig.persistentKeepAlive = "25";
+    clientConfig.mtu = mtu;
+    clientConfig.isObfuscationEnabled = false;
+    
+    protocolConfig.setClientConfig(clientConfig);
+    
+    return protocolConfig;
+}
+
+ProtocolConfig WireguardConfigurator::processConfigWithLocalSettings(const ConnectionSettings &settings,
+                                                                     ProtocolConfig protocolConfig)
+{
+    return ConfiguratorBase::processConfigWithLocalSettings(settings, protocolConfig);
+}
+
+ProtocolConfig WireguardConfigurator::processConfigWithExportSettings(const ExportSettings &settings,
+                                                                      ProtocolConfig protocolConfig)
+{
+    return ConfiguratorBase::processConfigWithExportSettings(settings, protocolConfig);
+}

client/core/configurators/wireguardConfigurator.h

@@ -0,0 +1,61 @@
+#ifndef WIREGUARD_CONFIGURATOR_H
+#define WIREGUARD_CONFIGURATOR_H
+
+#include <QHostAddress>
+#include <QObject>
+#include <QProcessEnvironment>
+
+#include "configuratorBase.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+
+class WireguardConfigurator : public ConfiguratorBase
+{
+    Q_OBJECT
+public:
+    WireguardConfigurator(SshSession* sshSession,
+                          bool isAwg, QObject *parent = nullptr);
+
+    struct ConnectionData
+    {
+        QString clientPrivKey; // client private key
+        QString clientPubKey;  // client public key
+        QString clientIP;      // internal client IP address
+        QString serverPubKey;  // tls-auth key
+        QString pskKey;        // preshared key
+        QString host;          // host ip
+        QString port;
+    };
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode) override;
+
+    amnezia::ProtocolConfig processConfigWithLocalSettings(const amnezia::ConnectionSettings &settings,
+                                                           amnezia::ProtocolConfig protocolConfig) override;
+    amnezia::ProtocolConfig processConfigWithExportSettings(const amnezia::ExportSettings &settings,
+                                                            amnezia::ProtocolConfig protocolConfig) override;
+
+    static ConnectionData genClientKeys();
+
+private:
+    QList<QHostAddress> getIpsFromConf(const QString &input);
+    ConnectionData prepareWireguardConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                          const amnezia::WireGuardServerConfig* serverConfig,
+                                          const amnezia::AwgServerConfig* awgServerConfig,
+                                          const amnezia::DnsSettings &dnsSettings,
+                                          amnezia::ErrorCode &errorCode);
+
+    bool m_isAwg;
+    QString m_serverConfigPath;
+    QString m_serverPublicKeyPath;
+    QString m_serverPskKeyPath;
+    amnezia::ProtocolScriptType m_configTemplate;
+    QString m_protocolName;
+    QString m_defaultPort;
+};
+
+#endif // WIREGUARD_CONFIGURATOR_H

client/core/configurators/xrayConfigurator.cpp

@@ -0,0 +1,533 @@
+#include "xrayConfigurator.h"
+
+#include <QFile>
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QJsonArray>
+#include <QUuid>
+#include "logger.h"
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocols/xrayProtocolConfig.h"
+
+namespace {
+    Logger logger("XrayConfigurator");
+
+    QString normalizeXhttpMode(const QString &m) {
+        const QString t = m.trimmed();
+        if (t.isEmpty() || t.compare(QLatin1String("Auto"), Qt::CaseInsensitive) == 0) {
+            return QStringLiteral("auto");
+        }
+        if (t.compare(QLatin1String("Packet-up"), Qt::CaseInsensitive) == 0)
+            return QStringLiteral("packet-up");
+        if (t.compare(QLatin1String("Stream-up"), Qt::CaseInsensitive) == 0)
+            return QStringLiteral("stream-up");
+        if (t.compare(QLatin1String("Stream-one"), Qt::CaseInsensitive) == 0)
+            return QStringLiteral("stream-one");
+        return t.toLower();
+    }
+
+    // Xray-core: empty → path; "None" in UI → omit (core default path)
+    QString normalizeSessionSeqPlacement(const QString &p)
+    {
+        if (p.isEmpty() || p.compare(QLatin1String("None"), Qt::CaseInsensitive) == 0)
+            return {};
+        return p.toLower();
+    }
+
+    QString normalizeUplinkDataPlacement(const QString &p)
+    {
+        if (p.isEmpty() || p.compare(QLatin1String("Body"), Qt::CaseInsensitive) == 0)
+            return QStringLiteral("body");
+        if (p.compare(QLatin1String("Auto"), Qt::CaseInsensitive) == 0)
+            return QStringLiteral("auto");
+        if (p.compare(QLatin1String("Query"), Qt::CaseInsensitive) == 0)
+            // "Query" is not valid for uplink payload in splithttp; closest documented mode
+            return QStringLiteral("header");
+        return p.toLower();
+    }
+
+    // splithttp: cookie | header | query | queryInHeader (not "body")
+    QString normalizeXPaddingPlacement(const QString &p)
+    {
+        QString t = p.trimmed();
+        if (t.isEmpty())
+            return QString::fromLatin1(amnezia::protocols::xray::defaultXPaddingPlacement).toLower();
+        if (t.compare(QLatin1String("Body"), Qt::CaseInsensitive) == 0)
+            return QStringLiteral("queryInHeader");
+        if (t.contains(QLatin1String("queryInHeader"), Qt::CaseInsensitive)
+            || t.compare(QLatin1String("Query in header"), Qt::CaseInsensitive) == 0)
+            return QStringLiteral("queryInHeader");
+        return t.toLower();
+    }
+
+    // splithttp: repeat-x | tokenish
+    QString normalizeXPaddingMethod(const QString &m)
+    {
+        QString t = m.trimmed();
+        if (t.isEmpty() || t.compare(QLatin1String("Repeat-x"), Qt::CaseInsensitive) == 0)
+            return QStringLiteral("repeat-x");
+        if (t.compare(QLatin1String("Tokenish"), Qt::CaseInsensitive) == 0)
+            return QStringLiteral("tokenish");
+        if (t.compare(QLatin1String("Random"), Qt::CaseInsensitive) == 0
+            || t.compare(QLatin1String("Zero"), Qt::CaseInsensitive) == 0)
+            return QStringLiteral("repeat-x");
+        return t.toLower();
+    }
+
+    void putIntRangeIfAny(QJsonObject &obj, const char *key, QString minV, QString maxV, const char *fallbackMin,
+                          const char *fallbackMax)
+    {
+        if (minV.isEmpty() && maxV.isEmpty())
+            return;
+        if (minV.isEmpty())
+            minV = QString::fromLatin1(fallbackMin);
+        if (maxV.isEmpty())
+            maxV = QString::fromLatin1(fallbackMax);
+        QJsonObject r;
+        r[QStringLiteral("from")] = minV.toInt();
+        r[QStringLiteral("to")] = maxV.toInt();
+        obj[QString::fromUtf8(key)] = r;
+    }
+
+    // Desktop applies this in XrayProtocol::start(); iOS/Android pass JSON straight to libxray — same fixes here.
+    void sanitizeXrayNativeConfig(amnezia::ProtocolConfig &pc)
+    {
+        QString c = pc.nativeConfig();
+        if (c.isEmpty()) {
+            return;
+        }
+        bool changed = false;
+        if (c.contains(QLatin1String("Mozilla/5.0"), Qt::CaseInsensitive)) {
+            c.replace(QLatin1String("Mozilla/5.0"), QString::fromLatin1(amnezia::protocols::xray::defaultFingerprint),
+                      Qt::CaseInsensitive);
+            changed = true;
+        }
+        const QString legacyListen = QString::fromLatin1(amnezia::protocols::xray::defaultLocalAddr);
+        const QString listenOk = QString::fromLatin1(amnezia::protocols::xray::defaultLocalListenAddr);
+        if (c.contains(legacyListen)) {
+            c.replace(legacyListen, listenOk);
+            changed = true;
+        }
+        if (changed) {
+            pc.setNativeConfig(c);
+        }
+    }
+} // namespace
+
+XrayConfigurator::XrayConfigurator(SshSession* sshSession, QObject *parent)
+    : ConfiguratorBase(sshSession, parent)
+{
+}
+
+amnezia::ProtocolConfig XrayConfigurator::processConfigWithLocalSettings(const amnezia::ConnectionSettings &settings,
+                                                                         amnezia::ProtocolConfig protocolConfig)
+{
+    applyDnsToNativeConfig(settings.dns, protocolConfig);
+    sanitizeXrayNativeConfig(protocolConfig);
+    return protocolConfig;
+}
+
+QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentials, DockerContainer container,
+                                               const ContainerConfig &containerConfig,
+                                               const DnsSettings &dnsSettings,
+                                               ErrorCode &errorCode)
+{
+    // Generate new UUID for client
+    QString clientId = QUuid::createUuid().toString(QUuid::WithoutBraces);
+
+    // Get flow value from settings (default xtls-rprx-vision)
+    QString flowValue = "xtls-rprx-vision";
+    if (const auto *xrayCfg = containerConfig.protocolConfig.as<XrayProtocolConfig>()) {
+        if (!xrayCfg->serverConfig.flow.isEmpty()) {
+            flowValue = xrayCfg->serverConfig.flow;
+        }
+    }
+
+    // Get current server config
+    QString currentConfig = m_sshSession->getTextFileFromContainer(
+        container, credentials, amnezia::protocols::xray::serverConfigPath, errorCode);
+
+    if (errorCode != ErrorCode::NoError) {
+        logger.error() << "Failed to get server config file";
+        return "";
+    }
+
+    // Parse current config as JSON
+    QJsonDocument doc = QJsonDocument::fromJson(currentConfig.toUtf8());
+    if (doc.isNull() || !doc.isObject()) {
+        logger.error() << "Failed to parse server config JSON";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+
+    QJsonObject serverConfig = doc.object();
+
+    // Validate server config structure
+    if (!serverConfig.contains(amnezia::protocols::xray::inbounds)) {
+        logger.error() << "Server config missing 'inbounds' field";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+
+    QJsonArray inbounds = serverConfig[amnezia::protocols::xray::inbounds].toArray();
+    if (inbounds.isEmpty()) {
+        logger.error() << "Server config has empty 'inbounds' array";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+
+    QJsonObject inbound = inbounds[0].toObject();
+    if (!inbound.contains(amnezia::protocols::xray::settings)) {
+        logger.error() << "Inbound missing 'settings' field";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+
+    QJsonObject settings = inbound[amnezia::protocols::xray::settings].toObject();
+    if (!settings.contains(amnezia::protocols::xray::clients)) {
+        logger.error() << "Settings missing 'clients' field";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+
+    QJsonArray clients = settings[amnezia::protocols::xray::clients].toArray();
+
+    // Create configuration for new client
+    QJsonObject clientConfig {
+        {amnezia::protocols::xray::id, clientId},
+    };
+    clientConfig[amnezia::protocols::xray::id] = clientId;
+    if (!flowValue.isEmpty()) {
+        clientConfig[amnezia::protocols::xray::flow] = flowValue;
+    }
+
+    clients.append(clientConfig);
+
+    // Update config
+    settings[amnezia::protocols::xray::clients] = clients;
+    inbound[amnezia::protocols::xray::settings] = settings;
+    inbounds[0] = inbound;
+    serverConfig[amnezia::protocols::xray::inbounds] = inbounds;
+
+    // Save updated config to server
+    QString updatedConfig = QJsonDocument(serverConfig).toJson();
+    errorCode = m_sshSession->uploadTextFileToContainer(
+        container,
+        credentials,
+        updatedConfig,
+        amnezia::protocols::xray::serverConfigPath,
+        libssh::ScpOverwriteMode::ScpOverwriteExisting
+    );
+    if (errorCode != ErrorCode::NoError) {
+        logger.error() << "Failed to upload updated config";
+        return "";
+    }
+
+    // Restart container
+    QString restartScript = QString("sudo docker restart $CONTAINER_NAME");
+    errorCode = m_sshSession->runScript(
+        credentials,
+        m_sshSession->replaceVars(restartScript, amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns))
+    );
+
+    if (errorCode != ErrorCode::NoError) {
+        logger.error() << "Failed to restart container";
+        return "";
+    }
+
+    return clientId;
+}
+
+QJsonObject XrayConfigurator::buildStreamSettings(const XrayServerConfig &srv, const QString &clientId) const
+{
+    QJsonObject streamSettings;
+    const auto &xhttp = srv.xhttp;
+    const auto &mkcp = srv.mkcp;
+    namespace px = amnezia::protocols::xray;
+
+    QString networkValue = QStringLiteral("tcp");
+    if (srv.transport == QLatin1String("xhttp"))
+        networkValue = QStringLiteral("xhttp");
+    else if (srv.transport == QLatin1String("mkcp"))
+        networkValue = QStringLiteral("kcp");
+    streamSettings[px::network] = networkValue;
+
+    streamSettings[px::security] = srv.security;
+
+    if (srv.security == QLatin1String("tls")) {
+        QJsonObject tlsSettings;
+        const QString sniEff = srv.sni.isEmpty() ? QString::fromLatin1(px::defaultSni) : srv.sni;
+        tlsSettings[px::serverName] = sniEff;
+        const QString alpnEff = srv.alpn.isEmpty() ? QString::fromLatin1(px::defaultAlpn) : srv.alpn;
+        QJsonArray alpnArray;
+        for (const QString &a : alpnEff.split(QLatin1Char(','))) {
+            const QString t = a.trimmed();
+            if (!t.isEmpty())
+                alpnArray.append(t);
+        }
+        if (!alpnArray.isEmpty())
+            tlsSettings[QStringLiteral("alpn")] = alpnArray;
+        const QString fpEff = srv.fingerprint.isEmpty() ? QString::fromLatin1(px::defaultFingerprint) : srv.fingerprint;
+        tlsSettings[px::fingerprint] = fpEff;
+        streamSettings[QStringLiteral("tlsSettings")] = tlsSettings;
+    }
+
+    if (srv.security == QLatin1String("reality")) {
+        QJsonObject realSettings;
+        const QString fpEff = srv.fingerprint.isEmpty() ? QString::fromLatin1(px::defaultFingerprint) : srv.fingerprint;
+        realSettings[px::fingerprint] = fpEff;
+        const QString sniEff = srv.sni.isEmpty() ? QString::fromLatin1(px::defaultSni) : srv.sni;
+        realSettings[px::serverName] = sniEff;
+        streamSettings[px::realitySettings] = realSettings;
+    }
+
+    // XHTTP — JSON must match Xray-core SplitHTTPConfig (flat xPadding fields, see transport_internet.go)
+    if (srv.transport == QLatin1String("xhttp")) {
+        QJsonObject xo;
+        const QString hostEff = xhttp.host.isEmpty() ? QString::fromLatin1(px::defaultXhttpHost) : xhttp.host;
+        xo[QStringLiteral("host")] = hostEff;
+        if (!xhttp.path.isEmpty())
+            xo[QStringLiteral("path")] = xhttp.path;
+        xo[QStringLiteral("mode")] = normalizeXhttpMode(xhttp.mode);
+
+        if (xhttp.headersTemplate.compare(QLatin1String("HTTP"), Qt::CaseInsensitive) == 0) {
+            QJsonObject headers;
+            headers[QStringLiteral("Host")] = hostEff;
+            xo[QStringLiteral("headers")] = headers;
+        }
+
+        const QString methodEff =
+                xhttp.uplinkMethod.isEmpty() ? QString::fromLatin1(px::defaultXhttpUplinkMethod) : xhttp.uplinkMethod;
+        xo[QStringLiteral("uplinkHTTPMethod")] = methodEff.toUpper();
+
+        xo[QStringLiteral("noGRPCHeader")] = xhttp.disableGrpc;
+        xo[QStringLiteral("noSSEHeader")] = xhttp.disableSse;
+
+        const QString sessPl = normalizeSessionSeqPlacement(xhttp.sessionPlacement);
+        if (!sessPl.isEmpty())
+            xo[QStringLiteral("sessionPlacement")] = sessPl;
+        const QString seqPl = normalizeSessionSeqPlacement(xhttp.seqPlacement);
+        if (!seqPl.isEmpty())
+            xo[QStringLiteral("seqPlacement")] = seqPl;
+        if (!xhttp.sessionKey.isEmpty())
+            xo[QStringLiteral("sessionKey")] = xhttp.sessionKey;
+        if (!xhttp.seqKey.isEmpty())
+            xo[QStringLiteral("seqKey")] = xhttp.seqKey;
+
+        xo[QStringLiteral("uplinkDataPlacement")] = normalizeUplinkDataPlacement(xhttp.uplinkDataPlacement);
+        if (!xhttp.uplinkDataKey.isEmpty())
+            xo[QStringLiteral("uplinkDataKey")] = xhttp.uplinkDataKey;
+
+        const QString ucs = xhttp.uplinkChunkSize.isEmpty() ? QString::fromLatin1(px::defaultXhttpUplinkChunkSize)
+                                                            : xhttp.uplinkChunkSize;
+        if (!ucs.isEmpty() && ucs != QLatin1String("0")) {
+            const int v = ucs.toInt();
+            QJsonObject chunkR;
+            chunkR[QStringLiteral("from")] = v;
+            chunkR[QStringLiteral("to")] = v;
+            xo[QStringLiteral("uplinkChunkSize")] = chunkR;
+        }
+
+        if (!xhttp.scMaxBufferedPosts.isEmpty())
+            xo[QStringLiteral("scMaxBufferedPosts")] = xhttp.scMaxBufferedPosts.toLongLong();
+
+        putIntRangeIfAny(xo, "scMaxEachPostBytes", xhttp.scMaxEachPostBytesMin, xhttp.scMaxEachPostBytesMax,
+                         px::defaultXhttpScMaxEachPostBytesMin, px::defaultXhttpScMaxEachPostBytesMax);
+        putIntRangeIfAny(xo, "scMinPostsIntervalMs", xhttp.scMinPostsIntervalMsMin, xhttp.scMinPostsIntervalMsMax,
+                         px::defaultXhttpScMinPostsIntervalMsMin, px::defaultXhttpScMinPostsIntervalMsMax);
+        putIntRangeIfAny(xo, "scStreamUpServerSecs", xhttp.scStreamUpServerSecsMin, xhttp.scStreamUpServerSecsMax,
+                         px::defaultXhttpScStreamUpServerSecsMin, px::defaultXhttpScStreamUpServerSecsMax);
+
+        const auto &pad = xhttp.xPadding;
+        xo[QStringLiteral("xPaddingObfsMode")] = pad.obfsMode;
+        if (pad.obfsMode) {
+            if (!pad.bytesMin.isEmpty() || !pad.bytesMax.isEmpty()) {
+                QJsonObject br;
+                br[QStringLiteral("from")] = pad.bytesMin.isEmpty() ? 1 : pad.bytesMin.toInt();
+                br[QStringLiteral("to")] = pad.bytesMax.isEmpty() ? (pad.bytesMin.isEmpty() ? 256 : pad.bytesMin.toInt())
+                                                                  : pad.bytesMax.toInt();
+                xo[QStringLiteral("xPaddingBytes")] = br;
+            }
+            xo[QStringLiteral("xPaddingKey")] = pad.key.isEmpty() ? QStringLiteral("x_padding") : pad.key;
+            xo[QStringLiteral("xPaddingHeader")] = pad.header.isEmpty() ? QStringLiteral("X-Padding") : pad.header;
+            xo[QStringLiteral("xPaddingPlacement")] = normalizeXPaddingPlacement(
+                    pad.placement.isEmpty() ? QString::fromLatin1(px::defaultXPaddingPlacement) : pad.placement);
+            xo[QStringLiteral("xPaddingMethod")] = normalizeXPaddingMethod(
+                    pad.method.isEmpty() ? QString::fromLatin1(px::defaultXPaddingMethod) : pad.method);
+        }
+
+        // xmux: Xray has no "enabled" flag; omit object when UI disables multiplex tuning.
+        if (xhttp.xmux.enabled) {
+            QJsonObject mux;
+            auto addMuxRange = [&](const char *key, const QString &a, const QString &b) {
+                if (a.isEmpty() && b.isEmpty())
+                    return;
+                QJsonObject r;
+                r[QStringLiteral("from")] = a.isEmpty() ? 0 : a.toInt();
+                r[QStringLiteral("to")] = b.isEmpty() ? 0 : b.toInt();
+                mux[QString::fromUtf8(key)] = r;
+            };
+            addMuxRange("maxConcurrency", xhttp.xmux.maxConcurrencyMin, xhttp.xmux.maxConcurrencyMax);
+            addMuxRange("maxConnections", xhttp.xmux.maxConnectionsMin, xhttp.xmux.maxConnectionsMax);
+            addMuxRange("cMaxReuseTimes", xhttp.xmux.cMaxReuseTimesMin, xhttp.xmux.cMaxReuseTimesMax);
+            addMuxRange("hMaxRequestTimes", xhttp.xmux.hMaxRequestTimesMin, xhttp.xmux.hMaxRequestTimesMax);
+            addMuxRange("hMaxReusableSecs", xhttp.xmux.hMaxReusableSecsMin, xhttp.xmux.hMaxReusableSecsMax);
+            if (!xhttp.xmux.hKeepAlivePeriod.isEmpty())
+                mux[QStringLiteral("hKeepAlivePeriod")] = xhttp.xmux.hKeepAlivePeriod.toLongLong();
+            if (!mux.isEmpty())
+                xo[QStringLiteral("xmux")] = mux;
+        }
+
+        streamSettings[QStringLiteral("xhttpSettings")] = xo;
+    }
+
+    if (srv.transport == QLatin1String("mkcp")) {
+        QJsonObject kcpObj;
+        const QString ttiEff = mkcp.tti.isEmpty() ? QString::fromLatin1(px::defaultMkcpTti) : mkcp.tti;
+        const QString upEff = mkcp.uplinkCapacity.isEmpty() ? QString::fromLatin1(px::defaultMkcpUplinkCapacity)
+                                                            : mkcp.uplinkCapacity;
+        const QString downEff = mkcp.downlinkCapacity.isEmpty() ? QString::fromLatin1(px::defaultMkcpDownlinkCapacity)
+                                                                : mkcp.downlinkCapacity;
+        const QString rbufEff = mkcp.readBufferSize.isEmpty() ? QString::fromLatin1(px::defaultMkcpReadBufferSize)
+                                                              : mkcp.readBufferSize;
+        const QString wbufEff = mkcp.writeBufferSize.isEmpty() ? QString::fromLatin1(px::defaultMkcpWriteBufferSize)
+                                                               : mkcp.writeBufferSize;
+        kcpObj[QStringLiteral("tti")] = ttiEff.toInt();
+        kcpObj[QStringLiteral("uplinkCapacity")] = upEff.toInt();
+        kcpObj[QStringLiteral("downlinkCapacity")] = downEff.toInt();
+        kcpObj[QStringLiteral("readBufferSize")] = rbufEff.toInt();
+        kcpObj[QStringLiteral("writeBufferSize")] = wbufEff.toInt();
+        kcpObj[QStringLiteral("congestion")] = mkcp.congestion;
+        streamSettings[QStringLiteral("kcpSettings")] = kcpObj;
+    }
+
+    return streamSettings;
+}
+
+ProtocolConfig XrayConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
+                                              const ContainerConfig &containerConfig,
+                                              const DnsSettings &dnsSettings,
+                                              ErrorCode &errorCode)
+{
+    const XrayServerConfig *serverConfig = nullptr;
+    if (const auto *xrayCfg = containerConfig.protocolConfig.as<XrayProtocolConfig>()) {
+        serverConfig = &xrayCfg->serverConfig;
+    }
+
+    if (!serverConfig) {
+        logger.error() << "No XrayProtocolConfig found";
+        errorCode = ErrorCode::InternalError;
+        return XrayProtocolConfig{};
+    }
+
+    const XrayServerConfig &srv = *serverConfig;
+
+    QString xrayClientId = prepareServerConfig(credentials, container, containerConfig, dnsSettings, errorCode);
+    if (errorCode != ErrorCode::NoError || xrayClientId.isEmpty()) {
+        logger.error() << "Failed to prepare server config";
+        if (errorCode == ErrorCode::NoError) {
+            errorCode = ErrorCode::InternalError;
+        }
+        return XrayProtocolConfig{};
+    }
+
+    // Fetch server keys (Reality only)
+    QString xrayPublicKey;
+    QString xrayShortId;
+
+    if (srv.security == "reality") {
+        xrayPublicKey = m_sshSession->getTextFileFromContainer(container, credentials,
+                                                               amnezia::protocols::xray::PublicKeyPath, errorCode);
+        if (errorCode != ErrorCode::NoError || xrayPublicKey.isEmpty()) {
+            logger.error() << "Failed to get public key";
+            if (errorCode == ErrorCode::NoError) {
+                errorCode = ErrorCode::InternalError;
+            }
+            return XrayProtocolConfig{};
+        }
+        xrayPublicKey.replace("\n", "");
+
+        xrayShortId = m_sshSession->getTextFileFromContainer(container, credentials,
+                                                             amnezia::protocols::xray::shortidPath, errorCode);
+        if (errorCode != ErrorCode::NoError || xrayShortId.isEmpty()) {
+            logger.error() << "Failed to get short ID";
+            if (errorCode == ErrorCode::NoError) {
+                errorCode = ErrorCode::InternalError;
+            }
+            return XrayProtocolConfig{};
+        }
+        xrayShortId.replace("\n", "");
+    }
+
+    // Build outbound
+    QJsonObject userObj;
+    userObj[amnezia::protocols::xray::id] = xrayClientId;
+    userObj[amnezia::protocols::xray::encryption] = "none";
+    if (!srv.flow.isEmpty()) {
+        userObj[amnezia::protocols::xray::flow] = srv.flow;
+    }
+
+    QJsonObject vnextEntry;
+    vnextEntry[amnezia::protocols::xray::address] = credentials.hostName;
+    vnextEntry[amnezia::protocols::xray::port] = srv.port.toInt();
+    vnextEntry[amnezia::protocols::xray::users] = QJsonArray { userObj };
+
+    QJsonObject outboundSettings;
+    outboundSettings[amnezia::protocols::xray::vnext] = QJsonArray { vnextEntry };
+
+    QJsonObject outbound;
+    outbound["protocol"] = "vless";
+    outbound[amnezia::protocols::xray::settings] = outboundSettings;
+
+    // Build streamSettings
+    QJsonObject streamObj = buildStreamSettings(srv, xrayClientId);
+
+    // Inject Reality keys
+    if (srv.security == "reality") {
+        QJsonObject rs = streamObj[amnezia::protocols::xray::realitySettings].toObject();
+        rs[amnezia::protocols::xray::publicKey] = xrayPublicKey;
+        rs[amnezia::protocols::xray::shortId] = xrayShortId;
+        rs[amnezia::protocols::xray::spiderX] = "";
+        streamObj[amnezia::protocols::xray::realitySettings] = rs;
+    }
+
+    outbound[amnezia::protocols::xray::streamSettings] = streamObj;
+
+    // Build full client config
+    QJsonObject inboundObj;
+    inboundObj["listen"] = amnezia::protocols::xray::defaultLocalListenAddr;
+    inboundObj[amnezia::protocols::xray::port] = amnezia::protocols::xray::defaultLocalProxyPort;
+    inboundObj["protocol"] = "socks";
+    inboundObj[amnezia::protocols::xray::settings] = QJsonObject { { "udp", true } };
+
+    QJsonObject clientJson;
+    clientJson["log"] = QJsonObject { { "loglevel", "error" } };
+    clientJson[amnezia::protocols::xray::inbounds] = QJsonArray { inboundObj };
+    clientJson[amnezia::protocols::xray::outbounds] = QJsonArray { outbound };
+
+    QString config = QString::fromUtf8(QJsonDocument(clientJson).toJson(QJsonDocument::Compact));
+
+    // Return
+    XrayProtocolConfig protocolConfig;
+    protocolConfig.serverConfig = srv;
+
+    XrayClientConfig clientConfig;
+    clientConfig.nativeConfig = config;
+    qDebug() << "config:" << config;
+    clientConfig.localPort = QString(amnezia::protocols::xray::defaultLocalProxyPort);
+    clientConfig.id = xrayClientId;
+
+    protocolConfig.setClientConfig(clientConfig);
+
+    return protocolConfig;
+}

client/core/configurators/xrayConfigurator.h

@@ -0,0 +1,36 @@
+#ifndef XRAY_CONFIGURATOR_H
+#define XRAY_CONFIGURATOR_H
+
+#include <QObject>
+#include <QJsonObject>
+
+#include "configuratorBase.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/models/protocols/xrayProtocolConfig.h"
+
+class XrayConfigurator : public ConfiguratorBase
+{
+    Q_OBJECT
+public:
+    XrayConfigurator(SshSession* sshSession, QObject *parent = nullptr);
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container, const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode) override;
+
+    amnezia::ProtocolConfig processConfigWithLocalSettings(const amnezia::ConnectionSettings &settings,
+                                                           amnezia::ProtocolConfig protocolConfig) override;
+
+private:
+    QString prepareServerConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container, const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode);
+
+    // Builds the native xray "streamSettings" JSON object from XrayServerConfig
+    QJsonObject buildStreamSettings(const amnezia::XrayServerConfig &srv,
+                                    const QString &clientId) const;
+};
+
+#endif // XRAY_CONFIGURATOR_H

client/core/controllers/allowedDnsController.cpp

@@ -0,0 +1,54 @@
+#include "allowedDnsController.h"
+
+AllowedDnsController::AllowedDnsController(SecureAppSettingsRepository* appSettingsRepository)
+    : m_appSettingsRepository(appSettingsRepository)
+{
+    fillDnsServers();
+}
+
+bool AllowedDnsController::addDns(const QString &ip)
+{
+    if (m_dnsServers.contains(ip)) {
+        return false;
+    }
+
+    m_dnsServers.append(ip);
+    m_appSettingsRepository->setAllowedDnsServers(m_dnsServers);
+    return true;
+}
+
+void AllowedDnsController::addDnsList(const QStringList &dnsServers, bool replaceExisting)
+{
+    if (replaceExisting) {
+        m_dnsServers.clear();
+    }
+    
+    for (const QString &ip : dnsServers) {
+        if (!m_dnsServers.contains(ip)) {
+            m_dnsServers.append(ip);
+        }
+    }
+    
+    m_appSettingsRepository->setAllowedDnsServers(m_dnsServers);
+}
+
+void AllowedDnsController::removeDns(int index)
+{
+    if (index < 0 || index >= m_dnsServers.size()) {
+        return;
+    }
+
+    m_dnsServers.removeAt(index);
+    m_appSettingsRepository->setAllowedDnsServers(m_dnsServers);
+}
+
+QStringList AllowedDnsController::getCurrentDnsServers() const
+{
+    return m_dnsServers;
+}
+
+void AllowedDnsController::fillDnsServers()
+{
+    m_dnsServers = m_appSettingsRepository->getAllowedDnsServers();
+}
+

client/core/controllers/allowedDnsController.h

@@ -0,0 +1,26 @@
+#ifndef ALLOWEDDNSCONTROLLER_H
+#define ALLOWEDDNSCONTROLLER_H
+
+#include <QStringList>
+
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class AllowedDnsController
+{
+public:
+    explicit AllowedDnsController(SecureAppSettingsRepository* appSettingsRepository);
+
+    bool addDns(const QString &ip);
+    void addDnsList(const QStringList &dnsServers, bool replaceExisting);
+    void removeDns(int index);
+    QStringList getCurrentDnsServers() const;
+
+private:
+    void fillDnsServers();
+
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    QStringList m_dnsServers;
+};
+
+#endif // ALLOWEDDNSCONTROLLER_H
+

client/core/controllers/api/newsController.cpp

@@ -0,0 +1,113 @@
+#include "newsController.h"
+
+#include "core/controllers/gatewayController.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/utils/constants/apiKeys.h"
+#include "core/utils/constants/apiConstants.h"
+#include <QtConcurrent/QtConcurrent>
+#include <QJsonArray>
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QSet>
+#include <QSharedPointer>
+
+using namespace amnezia;
+
+NewsController::NewsController(SecureAppSettingsRepository *appSettingsRepository,
+                               SecureServersRepository *serversRepository)
+    : m_appSettingsRepository(appSettingsRepository),
+      m_serversRepository(serversRepository)
+{
+}
+
+QJsonObject NewsController::getServicesList() const
+{
+    if (!m_serversRepository) {
+        return {};
+    }
+    QSet<QString> userCountryCodes;
+    QSet<QString> serviceTypes;
+    const QVector<QString> ids = m_serversRepository->orderedServerIds();
+    for (const QString &id : ids) {
+        const auto apiV2 = m_serversRepository->apiV2Config(id);
+        if (!apiV2.has_value()) {
+            continue;
+        }
+        if (!apiV2->apiConfig.userCountryCode.isEmpty()) {
+            userCountryCodes.insert(apiV2->apiConfig.userCountryCode);
+        }
+        const QString serviceType = apiV2->serviceType();
+        if (!serviceType.isEmpty()) {
+            serviceTypes.insert(serviceType);
+        }
+    }
+    if (userCountryCodes.isEmpty() && serviceTypes.isEmpty()) {
+        return {};
+    }
+    QJsonObject json;
+
+    QJsonArray userCountryCodesArray;
+    for (const QString &code : userCountryCodes) {
+        userCountryCodesArray.append(code);
+    }
+    json[apiDefs::key::userCountryCode] = userCountryCodesArray;
+
+    QJsonArray serviceTypesArray;
+    for (const QString &type : serviceTypes) {
+        serviceTypesArray.append(type);
+    }
+    json[apiDefs::key::serviceType] = serviceTypesArray;
+
+    return json;
+}
+
+QFuture<QPair<ErrorCode, QJsonArray>> NewsController::fetchNews()
+{
+    if (!m_serversRepository) {
+        qWarning() << "SecureServersRepository is null, skip fetchNews";
+        return QtFuture::makeReadyFuture(qMakePair(ErrorCode::InternalError, QJsonArray()));
+    }
+
+    const QJsonObject services = getServicesList();
+    if (services.isEmpty()) {
+        qDebug() << "No Gateway stacks, skip fetchNews";
+        return QtFuture::makeReadyFuture(qMakePair(ErrorCode::NoError, QJsonArray()));
+    }
+
+    auto gatewayController = QSharedPointer<GatewayController>::create(
+            m_appSettingsRepository->getGatewayEndpoint(),
+            m_appSettingsRepository->isDevGatewayEnv(),
+            apiDefs::requestTimeoutMsecs,
+            m_appSettingsRepository->isStrictKillSwitchEnabled());
+
+    QJsonObject payload;
+    payload.insert("locale", m_appSettingsRepository->getAppLanguage().name().split("_").first());
+
+    if (services.contains(apiDefs::key::userCountryCode)) {
+        payload.insert(apiDefs::key::userCountryCode, services.value(apiDefs::key::userCountryCode));
+    }
+    if (services.contains(apiDefs::key::serviceType)) {
+        payload.insert(apiDefs::key::serviceType, services.value(apiDefs::key::serviceType));
+    }
+
+    auto future = gatewayController->postAsync(QString("%1v1/news"), payload, nullptr, gatewayController);
+    return future.then([gatewayController](QPair<ErrorCode, QByteArray> result) -> QPair<ErrorCode, QJsonArray> {
+        auto [errorCode, responseBody] = result;
+        if (errorCode != ErrorCode::NoError) {
+            return qMakePair(errorCode, QJsonArray());
+        }
+
+        QJsonDocument doc = QJsonDocument::fromJson(responseBody);
+        QJsonArray newsArray;
+        if (doc.isArray()) {
+            newsArray = doc.array();
+        } else if (doc.isObject()) {
+            QJsonObject obj = doc.object();
+            if (obj.value("news").isArray()) {
+                newsArray = obj.value("news").toArray();
+            }
+        }
+
+        return qMakePair(ErrorCode::NoError, newsArray);
+    });
+}

client/core/controllers/api/newsController.h

@@ -0,0 +1,30 @@
+#ifndef NEWSCONTROLLER_H
+#define NEWSCONTROLLER_H
+
+#include <QFuture>
+#include <QJsonArray>
+#include <QJsonObject>
+#include <QPair>
+
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "core/repositories/secureServersRepository.h"
+
+class NewsController
+{
+public:
+    explicit NewsController(SecureAppSettingsRepository* appSettingsRepository,
+                           SecureServersRepository* serversRepository);
+
+    QFuture<QPair<ErrorCode, QJsonArray>> fetchNews();
+
+private:
+    QJsonObject getServicesList() const;
+
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    SecureServersRepository* m_serversRepository;
+};
+
+#endif // NEWSCONTROLLER_H

client/core/controllers/api/pairingController.cpp

@@ -0,0 +1,204 @@
+#include "pairingController.h"
+
+#include <QJsonDocument>
+#include <QSysInfo>
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "core/utils/api/apiUtils.h"
+#include "core/utils/constants/apiConstants.h"
+#include "core/utils/constants/apiKeys.h"
+#include "version.h"
+
+using namespace amnezia;
+
+namespace
+{
+constexpr qsizetype kPairingMaxQrUuidChars = 128;
+constexpr qsizetype kPairingMaxVpnConfigChars = 256 * 1024;
+constexpr qsizetype kPairingMaxApiKeyChars = 8192;
+constexpr qsizetype kPairingMaxServiceTypeChars = 64;
+constexpr qsizetype kPairingMaxUserCountryCodeChars = 32;
+
+ErrorCode applyGatewayOrOpenApiGenerateError(const QJsonObject &obj, PairingController::QrPairingConfigPayload &outPayload)
+{
+    ErrorCode apiStatus = apiUtils::errorCodeFromGatewayJsonHttpStatus(obj);
+    if (apiStatus != ErrorCode::NoError) {
+        return apiStatus;
+    }
+
+    const QString config = obj.value(apiDefs::key::config).toString();
+    if (!config.isEmpty()) {
+        outPayload.config = config;
+        outPayload.serviceInfo = obj.value(apiDefs::key::serviceInfo).toObject();
+        outPayload.supportedProtocols = obj.value(apiDefs::key::supportedProtocols).toArray();
+        return ErrorCode::NoError;
+    }
+
+    if (obj.contains(QStringLiteral("detail"))) {
+        return ErrorCode::ApiConfigEmptyError;
+    }
+
+    const QString msg = obj.value(QStringLiteral("message")).toString();
+    if (msg.contains(QStringLiteral("timeout"), Qt::CaseInsensitive)) {
+        return ErrorCode::ApiConfigTimeoutError;
+    }
+    if (msg.contains(QStringLiteral("Too Many"), Qt::CaseInsensitive)) {
+        return ErrorCode::ApiPairingRateLimitedError;
+    }
+    if (msg.contains(QStringLiteral("Unavailable"), Qt::CaseInsensitive)) {
+        return ErrorCode::ApiPairingServiceUnavailableError;
+    }
+    if (!msg.isEmpty()) {
+        return ErrorCode::ApiConfigDownloadError;
+    }
+
+    return ErrorCode::ApiConfigEmptyError;
+}
+
+ErrorCode applyGatewayOrOpenApiScanError(const QJsonObject &obj)
+{
+    const QString msgProbe = obj.value(QStringLiteral("message")).toString();
+    if (msgProbe.contains(QStringLiteral("limit"), Qt::CaseInsensitive)
+        && (msgProbe.contains(QStringLiteral("device"), Qt::CaseInsensitive)
+            || msgProbe.contains(QStringLiteral("maximum"), Qt::CaseInsensitive)
+            || msgProbe.contains(QStringLiteral("max"), Qt::CaseInsensitive))) {
+        return ErrorCode::ApiConfigLimitError;
+    }
+
+    ErrorCode apiStatus = apiUtils::errorCodeFromGatewayJsonHttpStatus(obj);
+    if (apiStatus != ErrorCode::NoError) {
+        return apiStatus;
+    }
+
+    if (obj.value(QStringLiteral("message")).toString() == QLatin1String("OK")) {
+        return ErrorCode::NoError;
+    }
+
+    if (obj.contains(QStringLiteral("detail"))) {
+        return ErrorCode::ApiPairingForbiddenError;
+    }
+
+    const QString msg = obj.value(QStringLiteral("message")).toString();
+    if (msg.contains(QStringLiteral("QR session"), Qt::CaseInsensitive)
+        && (msg.contains(QStringLiteral("not found"), Qt::CaseInsensitive)
+            || msg.contains(QStringLiteral("expired"), Qt::CaseInsensitive))) {
+        return ErrorCode::ApiPairingSessionExpiredError;
+    }
+    if (msg.contains(QStringLiteral("not found"), Qt::CaseInsensitive) || msg.contains(QStringLiteral("expired"), Qt::CaseInsensitive)) {
+        return ErrorCode::ApiNotFoundError;
+    }
+    if (msg.contains(QStringLiteral("Conflict"), Qt::CaseInsensitive) || msg.contains(QStringLiteral("already"), Qt::CaseInsensitive)) {
+        return ErrorCode::ApiPairingConflictError;
+    }
+    if (msg.contains(QStringLiteral("Too Many"), Qt::CaseInsensitive)) {
+        return ErrorCode::ApiPairingRateLimitedError;
+    }
+    if (msg.contains(QStringLiteral("Unavailable"), Qt::CaseInsensitive)) {
+        return ErrorCode::ApiPairingServiceUnavailableError;
+    }
+    if (!msg.isEmpty()) {
+        return ErrorCode::ApiConfigDownloadError;
+    }
+
+    return ErrorCode::ApiConfigEmptyError;
+}
+
+ErrorCode interpretGenerateQrJson(const QJsonObject &obj, PairingController::QrPairingConfigPayload &outPayload)
+{
+    return applyGatewayOrOpenApiGenerateError(obj, outPayload);
+}
+
+ErrorCode interpretScanQrJson(const QJsonObject &obj)
+{
+    return applyGatewayOrOpenApiScanError(obj);
+}
+} // namespace
+
+ErrorCode PairingController::parseGenerateQrResponseBody(const QByteArray &responseBody, QrPairingConfigPayload &outPayload)
+{
+    outPayload = QrPairingConfigPayload {};
+    const QJsonObject obj = QJsonDocument::fromJson(responseBody).object();
+    return interpretGenerateQrJson(obj, outPayload);
+}
+
+ErrorCode PairingController::parseScanQrResponseBody(const QByteArray &responseBody, QString *outOptionalDisplayName)
+{
+    if (outOptionalDisplayName) {
+        outOptionalDisplayName->clear();
+    }
+    const QJsonObject obj = QJsonDocument::fromJson(responseBody).object();
+    const ErrorCode err = interpretScanQrJson(obj);
+    if (err != ErrorCode::NoError) {
+        return err;
+    }
+    if (outOptionalDisplayName) {
+        const QString deviceName = obj.value(QStringLiteral("device_name")).toString().trimmed();
+        if (!deviceName.isEmpty()) {
+            *outOptionalDisplayName = deviceName;
+        }
+    }
+    return ErrorCode::NoError;
+}
+
+ErrorCode PairingController::validatePairingScanFields(const QString &qrUuid, const QString &vpnConfig, const QString &apiKey,
+                                                       const QString &serviceType, const QString &userCountryCode)
+{
+    if (qrUuid.size() > kPairingMaxQrUuidChars) {
+        return ErrorCode::ApiConfigEmptyError;
+    }
+    if (vpnConfig.size() > kPairingMaxVpnConfigChars) {
+        return ErrorCode::ApiPairingPayloadTooLargeError;
+    }
+    if (apiKey.size() > kPairingMaxApiKeyChars) {
+        return ErrorCode::ApiPairingPayloadTooLargeError;
+    }
+    const QString st = serviceType.trimmed();
+    const QString cc = userCountryCode.trimmed();
+    if (st.isEmpty() || cc.isEmpty()) {
+        return ErrorCode::ApiPairingMissingMetadataError;
+    }
+    if (st.size() > kPairingMaxServiceTypeChars || cc.size() > kPairingMaxUserCountryCodeChars) {
+        return ErrorCode::ApiPairingPayloadTooLargeError;
+    }
+    return ErrorCode::NoError;
+}
+
+PairingController::PairingController(SecureAppSettingsRepository *appSettingsRepository)
+    : m_appSettingsRepository(appSettingsRepository)
+{
+}
+
+int PairingController::pairingLongPollTimeoutMsecs() const
+{
+    return 60 * 1000;
+}
+
+QJsonObject PairingController::buildGenerateQrPayload(const QString &qrUuid) const
+{
+    QJsonObject o;
+    o[apiDefs::key::qrUuid] = qrUuid;
+    o[apiDefs::key::installationUuid] = m_appSettingsRepository->getInstallationUuid(true);
+    o[apiDefs::key::appVersion] = QString(APP_VERSION);
+    o[apiDefs::key::osVersion] = QSysInfo::productType();
+    return o;
+}
+
+QJsonObject PairingController::buildScanQrPayload(const QString &qrUuid, const QString &vpnConfig, const QJsonObject &serviceInfo,
+                                                    const QJsonArray &supportedProtocols, const QString &apiKey,
+                                                    const QString &serviceType, const QString &userCountryCode) const
+{
+    QJsonObject auth;
+    auth[apiDefs::key::apiKey] = apiKey;
+
+    QJsonObject o;
+    o[apiDefs::key::qrUuid] = qrUuid;
+    o[apiDefs::key::config] = vpnConfig;
+    o[apiDefs::key::serviceInfo] = serviceInfo;
+    o[apiDefs::key::supportedProtocols] = supportedProtocols;
+    o[apiDefs::key::authData] = auth;
+    o[apiDefs::key::installationUuid] = m_appSettingsRepository->getInstallationUuid(true);
+    o[apiDefs::key::appVersion] = QString(APP_VERSION);
+    o[apiDefs::key::osVersion] = QSysInfo::productType();
+    o[apiDefs::key::serviceType] = serviceType.trimmed();
+    o[apiDefs::key::userCountryCode] = userCountryCode.trimmed();
+    return o;
+}

client/core/controllers/api/pairingController.h

@@ -0,0 +1,41 @@
+#ifndef PAIRINGCONTROLLER_H
+#define PAIRINGCONTROLLER_H
+
+#include <QJsonArray>
+#include <QJsonObject>
+#include <QString>
+
+#include "core/utils/errorCodes.h"
+
+class SecureAppSettingsRepository;
+
+class PairingController
+{
+public:
+    struct QrPairingConfigPayload
+    {
+        QString config;
+        QJsonObject serviceInfo;
+        QJsonArray supportedProtocols;
+    };
+
+    explicit PairingController(SecureAppSettingsRepository *appSettingsRepository);
+
+    int pairingLongPollTimeoutMsecs() const;
+
+    QJsonObject buildGenerateQrPayload(const QString &qrUuid) const;
+    QJsonObject buildScanQrPayload(const QString &qrUuid, const QString &vpnConfig, const QJsonObject &serviceInfo,
+                                   const QJsonArray &supportedProtocols, const QString &apiKey, const QString &serviceType,
+                                   const QString &userCountryCode) const;
+
+    static amnezia::ErrorCode parseGenerateQrResponseBody(const QByteArray &responseBody, QrPairingConfigPayload &outPayload);
+    static amnezia::ErrorCode parseScanQrResponseBody(const QByteArray &responseBody, QString *outOptionalDisplayName = nullptr);
+
+    static amnezia::ErrorCode validatePairingScanFields(const QString &qrUuid, const QString &vpnConfig, const QString &apiKey,
+                                                        const QString &serviceType, const QString &userCountryCode);
+
+private:
+    SecureAppSettingsRepository *m_appSettingsRepository;
+};
+
+#endif // PAIRINGCONTROLLER_H

client/core/controllers/api/servicesCatalogController.cpp

@@ -0,0 +1,248 @@
+#include "servicesCatalogController.h"
+
+#include <QJsonDocument>
+#include <QSysInfo>
+#include <QJsonArray>
+#include <QEventLoop>
+#include <QDebug>
+#include <QCoreApplication>
+#include <QHash>
+#include <QSet>
+#include <limits>
+
+#include "core/controllers/gatewayController.h"
+#include "core/utils/serverConfigUtils.h"
+#include "core/utils/constants/apiKeys.h"
+#include "core/utils/constants/apiConstants.h"
+#include "version.h"
+
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
+#include "platforms/ios/ios_controller.h"
+#endif
+
+namespace
+{
+    namespace configKey
+    {
+        constexpr char serviceDescription[] = "service_description";
+        constexpr char subscriptionPlans[] = "subscription_plans";
+        constexpr char storeProductId[] = "store_product_id";
+        constexpr char priceLabel[] = "price_label";
+        constexpr char subtitle[] = "subtitle";
+        constexpr char isTrial[] = "is_trial";
+        constexpr char minPriceLabel[] = "min_price_label";
+    }
+
+    namespace serviceType
+    {
+        constexpr char amneziaPremium[] = "amnezia-premium";
+    }
+
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
+    struct StoreKitPlanQuote {
+        QString displayPrice;
+        double priceAmount = 0.0;
+        double subscriptionBillingMonths = 0.0;
+        QString displayPricePerMonth;
+    };
+
+    constexpr double oneMonthThreshold = 1.0 + 1e-6;
+    constexpr double monthsFallbackThreshold = 1e-6;
+    constexpr double monthlyPriceEpsilon = 1e-9;
+
+    QStringList collectPremiumStoreProductIds(const QJsonArray &services)
+    {
+        QStringList productIds;
+        QSet<QString> seenProductIds;
+        for (const QJsonValue &serviceValue : services) {
+            const QJsonObject serviceObject = serviceValue.toObject();
+            if (serviceObject.value(apiDefs::key::serviceType).toString() != serviceType::amneziaPremium) {
+                continue;
+            }
+            const QJsonArray subscriptionPlans =
+                    serviceObject.value(configKey::serviceDescription).toObject().value(configKey::subscriptionPlans).toArray();
+            for (const QJsonValue &planValue : subscriptionPlans) {
+                if (!planValue.isObject()) {
+                    continue;
+                }
+                const QString storeProductId = planValue.toObject().value(configKey::storeProductId).toString();
+                if (storeProductId.isEmpty() || seenProductIds.contains(storeProductId)) {
+                    continue;
+                }
+                seenProductIds.insert(storeProductId);
+                productIds.append(storeProductId);
+            }
+        }
+        return productIds;
+    }
+
+    QHash<QString, StoreKitPlanQuote> buildStoreKitQuoteMap(const QList<QVariantMap> &fetchedProducts)
+    {
+        QHash<QString, StoreKitPlanQuote> quotesByProductId;
+        quotesByProductId.reserve(fetchedProducts.size());
+
+        for (const QVariantMap &productInfo : fetchedProducts) {
+            const QString productId = productInfo.value(QStringLiteral("productId")).toString();
+            if (productId.isEmpty()) {
+                continue;
+            }
+
+            QString displayPrice = productInfo.value(QStringLiteral("displayPrice")).toString();
+            if (displayPrice.isEmpty()) {
+                const QString price = productInfo.value(QStringLiteral("price")).toString();
+                const QString currencyCode = productInfo.value(QStringLiteral("currencyCode")).toString();
+                displayPrice = currencyCode.isEmpty() ? price : (price + QLatin1Char(' ') + currencyCode);
+            }
+
+            StoreKitPlanQuote quote;
+            quote.displayPrice = displayPrice;
+            quote.priceAmount = productInfo.value(QStringLiteral("priceAmount")).toDouble();
+            quote.subscriptionBillingMonths = productInfo.value(QStringLiteral("subscriptionBillingMonths")).toDouble();
+            quote.displayPricePerMonth = productInfo.value(QStringLiteral("displayPricePerMonth")).toString();
+            quotesByProductId.insert(productId, quote);
+        }
+
+        return quotesByProductId;
+    }
+
+    void mergeStoreKitPricesIntoPremiumPlans(QJsonObject &data)
+    {
+        QJsonArray services = data.value(apiDefs::key::services).toArray();
+        if (services.isEmpty()) {
+            return;
+        }
+
+        const QStringList productIds = collectPremiumStoreProductIds(services);
+        if (productIds.isEmpty()) {
+            qInfo().noquote() << "[IAP] No store_product_id in premium plans; skip StoreKit merge into services payload";
+            return;
+        }
+
+        QList<QVariantMap> fetchedProducts;
+        QEventLoop loop;
+        IosController::Instance()->fetchProducts(productIds,
+                                                 [&](const QList<QVariantMap> &products, const QStringList &invalidIds,
+                                                     const QString &errorString) {
+                                                     if (!errorString.isEmpty()) {
+                                                         qWarning().noquote() << "[IAP] StoreKit merge fetch:" << errorString;
+                                                     }
+                                                     if (!invalidIds.isEmpty()) {
+                                                         qWarning().noquote() << "[IAP] Unknown App Store product ids:" << invalidIds;
+                                                     }
+                                                     fetchedProducts = products;
+                                                     loop.quit();
+                                                 });
+        loop.exec();
+
+        const QHash<QString, StoreKitPlanQuote> quotesByProductId = buildStoreKitQuoteMap(fetchedProducts);
+
+        for (int serviceIndex = 0; serviceIndex < services.size(); ++serviceIndex) {
+            QJsonObject serviceObject = services.at(serviceIndex).toObject();
+            if (serviceObject.value(apiDefs::key::serviceType).toString() != serviceType::amneziaPremium) {
+                continue;
+            }
+
+            QJsonObject descriptionObject = serviceObject.value(configKey::serviceDescription).toObject();
+            const QJsonArray sourcePlans = descriptionObject.value(configKey::subscriptionPlans).toArray();
+
+            QJsonArray mergedPlans;
+            double minMonthlyAmount = std::numeric_limits<double>::infinity();
+            QString minMonthlyDisplay;
+
+            for (const QJsonValue &planValue : sourcePlans) {
+                if (!planValue.isObject()) {
+                    continue;
+                }
+
+                QJsonObject planObject = planValue.toObject();
+                const QString storeProductId = planObject.value(configKey::storeProductId).toString();
+                if (storeProductId.isEmpty()) {
+                    continue;
+                }
+
+                const auto quoteIterator = quotesByProductId.constFind(storeProductId);
+                if (quoteIterator == quotesByProductId.cend()) {
+                    continue;
+                }
+
+                const bool isTrialPlan = planObject.value(configKey::isTrial).toBool();
+                const StoreKitPlanQuote &quote = *quoteIterator;
+                planObject.insert(configKey::priceLabel, quote.displayPrice);
+
+                const double months = quote.subscriptionBillingMonths;
+                if (!isTrialPlan && months > oneMonthThreshold && !quote.displayPricePerMonth.isEmpty()) {
+                    planObject.insert(
+                            configKey::subtitle,
+                            QCoreApplication::translate("ServicesCatalogController", "%1/mo",
+                                                        "IAP: price per month in plan subtitle")
+                                    .arg(quote.displayPricePerMonth));
+                }
+
+                if (!isTrialPlan && quote.priceAmount > 0.0) {
+                    const double monthsForMin = months > monthsFallbackThreshold ? months : 1.0;
+                    const double monthly = quote.priceAmount / monthsForMin;
+                    if (monthly < minMonthlyAmount - monthlyPriceEpsilon) {
+                        minMonthlyAmount = monthly;
+                        minMonthlyDisplay = !quote.displayPricePerMonth.isEmpty() ? quote.displayPricePerMonth : quote.displayPrice;
+                    }
+                }
+
+                mergedPlans.append(planObject);
+            }
+
+            descriptionObject.insert(configKey::subscriptionPlans, mergedPlans);
+            if (minMonthlyAmount < std::numeric_limits<double>::infinity() && !minMonthlyDisplay.isEmpty()) {
+                descriptionObject.insert(configKey::minPriceLabel,
+                                         QCoreApplication::translate("ServicesCatalogController", "from %1 per month",
+                                                                     "IAP: card footer minimum monthly price from StoreKit")
+                                                 .arg(minMonthlyDisplay));
+            }
+            serviceObject.insert(configKey::serviceDescription, descriptionObject);
+            services.replace(serviceIndex, serviceObject);
+        }
+        data.insert(apiDefs::key::services, services);
+    }
+#endif
+}
+
+ServicesCatalogController::ServicesCatalogController(SecureAppSettingsRepository* appSettingsRepository)
+    : m_appSettingsRepository(appSettingsRepository)
+{
+}
+
+ErrorCode ServicesCatalogController::fillAvailableServices(QJsonObject &servicesData)
+{
+    QJsonObject apiPayload;
+    apiPayload[apiDefs::key::osVersion] = QSysInfo::productType();
+    apiPayload[apiDefs::key::appVersion] = QString(APP_VERSION);
+    apiPayload[apiDefs::key::cliName] = QString(APPLICATION_NAME);
+    apiPayload[apiDefs::key::appLanguage] = m_appSettingsRepository->getAppLanguage().name().split("_").first();
+
+    QByteArray responseBody;
+    ErrorCode errorCode = executeRequest(QString("%1v1/services"), apiPayload, responseBody);
+    if (errorCode == ErrorCode::NoError) {
+        if (!responseBody.contains(apiDefs::key::services.data())) {
+            errorCode = ErrorCode::ApiServicesMissingError;
+        }
+    }
+
+    if (errorCode != ErrorCode::NoError) {
+        return errorCode;
+    }
+
+    servicesData = QJsonDocument::fromJson(responseBody).object();
+
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
+    mergeStoreKitPricesIntoPremiumPlans(servicesData);
+#endif
+
+    return ErrorCode::NoError;
+}
+
+ErrorCode ServicesCatalogController::executeRequest(const QString &endpoint, const QJsonObject &apiPayload, QByteArray &responseBody)
+{
+    GatewayController gatewayController(m_appSettingsRepository->getGatewayEndpoint(), m_appSettingsRepository->isDevGatewayEnv(), apiDefs::requestTimeoutMsecs,
+                                        m_appSettingsRepository->isStrictKillSwitchEnabled());
+    return gatewayController.post(endpoint, apiPayload, responseBody);
+}
+

client/core/controllers/api/servicesCatalogController.h

@@ -0,0 +1,26 @@
+#ifndef SERVICESCATALOGCONTROLLER_H
+#define SERVICESCATALOGCONTROLLER_H
+
+#include <QJsonObject>
+#include <QByteArray>
+
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class ServicesCatalogController
+{
+public:
+    explicit ServicesCatalogController(SecureAppSettingsRepository* appSettingsRepository);
+
+    ErrorCode fillAvailableServices(QJsonObject &servicesData);
+
+private:
+    ErrorCode executeRequest(const QString &endpoint, const QJsonObject &apiPayload, QByteArray &responseBody);
+
+    SecureAppSettingsRepository* m_appSettingsRepository;
+};
+
+#endif // SERVICESCATALOGCONTROLLER_H
+

client/core/controllers/api/subscriptionController.h

@@ -0,0 +1,120 @@
+#ifndef SUBSCRIPTIONCONTROLLER_H
+#define SUBSCRIPTIONCONTROLLER_H
+
+#include <QJsonArray>
+#include <QJsonObject>
+#include <QByteArray>
+#include <QFuture>
+#include <QList>
+#include <QVariantMap>
+
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class ServersController;
+
+class SubscriptionController
+{
+public:
+    struct ProtocolData
+    {
+        QString certRequest;
+        QString certPrivKey;
+        QString wireGuardClientPrivKey;
+        QString wireGuardClientPubKey;
+        QString xrayUuid;
+    };
+
+    struct GatewayRequestData
+    {
+        QString osVersion;
+        QString appVersion;
+        QString appLanguage;
+        QString installationUuid;
+        QString userCountryCode;
+        QString serverCountryCode;
+        QString serviceType;
+        QString serviceProtocol;
+        QJsonObject authData;
+
+        QJsonObject toJsonObject() const;
+    };
+
+    explicit SubscriptionController(SecureServersRepository* serversRepository,
+                                     SecureAppSettingsRepository* appSettingsRepository);
+
+    ProtocolData generateProtocolData(const QString &protocol);
+    void appendProtocolDataToApiPayload(const QString &protocol, const ProtocolData &protocolData, QJsonObject &apiPayload);
+
+    ErrorCode importServiceFromGateway(const QString &userCountryCode, const QString &serviceType,
+                                      const QString &serviceProtocol, const ProtocolData &protocolData);
+    ErrorCode importTrialFromGateway(const QString &userCountryCode, const QString &serviceType,
+                                     const QString &serviceProtocol, const QString &email);
+
+    ErrorCode importServerFromQrPairingResponse(const QString &vpnConfigKey, const QJsonObject &serviceInfo,
+                                                const QJsonArray &supportedProtocols, int *duplicateServerIndex = nullptr);
+
+    ErrorCode importServiceFromAppStore(const QString &userCountryCode, const QString &serviceType,
+                                        const QString &serviceProtocol, const ProtocolData &protocolData,
+                                        const QString &transactionId, bool isTestPurchase,
+                                        int *duplicateServerIndex = nullptr);
+
+    ErrorCode updateServiceFromGateway(const QString &serverId, const QString &newCountryCode, bool isConnectEvent);
+
+    ErrorCode deactivateDevice(const QString &serverId);
+
+    ErrorCode deactivateExternalDevice(const QString &serverId, const QString &uuid, const QString &serverCountryCode);
+
+    ErrorCode exportNativeConfig(const QString &serverId, const QString &serverCountryCode, QString &nativeConfig);
+
+    ErrorCode revokeNativeConfig(const QString &serverId, const QString &serverCountryCode);
+
+    ErrorCode prepareVpnKeyExport(const QString &serverId, QString &vpnKey);
+
+    ErrorCode validateAndUpdateConfig(const QString &serverId, bool hasInstalledContainers);
+
+    void removeApiConfig(const QString &serverId);
+
+    bool removeServer(const QString &serverId);
+
+    void setCurrentProtocol(const QString &serverId, const QString &protocolName);
+    bool isVlessProtocol(const QString &serverId) const;
+
+    ErrorCode getAccountInfo(const QString &serverId, QJsonObject &accountInfo);
+    QFuture<QPair<ErrorCode, QString>> getRenewalLink(const QString &serverId);
+
+    struct AppStoreRestoreResult
+    {
+        bool hasInstalledConfig = false;
+        bool duplicateConfigAlreadyPresent = false;
+        int duplicateCount = 0;
+        int duplicateServerIndex = -1;
+        ErrorCode errorCode = ErrorCode::NoError;
+    };
+
+    ErrorCode processAppStorePurchase(const QString &userCountryCode, const QString &serviceType,
+                                     const QString &serviceProtocol, const QString &productId,
+                                     int *duplicateServerIndex = nullptr);
+
+    AppStoreRestoreResult processAppStoreRestore(const QString &userCountryCode, const QString &serviceType,
+                                                  const QString &serviceProtocol);
+
+private:
+    ErrorCode executeRequest(const QString &endpoint, const QJsonObject &apiPayload, QByteArray &responseBody, bool isTestPurchase = false);
+    bool isApiKeyExpired(const QString &serverId) const;
+    
+    ErrorCode extractServerConfigJsonFromResponse(const QByteArray &apiResponseBody, const QString &protocol, 
+                                                   const ProtocolData &protocolData, QJsonObject &serverConfigJson);
+    void updateApiConfigInJson(QJsonObject &serverConfigJson, const QString &serviceType, 
+                                const QString &serviceProtocol, const QString &userCountryCode,
+                                const QByteArray &apiResponseBody);
+
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+};
+
+#endif // SUBSCRIPTIONCONTROLLER_H
+

client/core/controllers/appSplitTunnelingController.cpp

@@ -0,0 +1,70 @@
+#include "appSplitTunnelingController.h"
+
+AppSplitTunnelingController::AppSplitTunnelingController(SecureAppSettingsRepository* appSettingsRepository)
+    : m_appSettingsRepository(appSettingsRepository)
+{
+    m_currentRouteMode = m_appSettingsRepository->appsRouteMode();
+    if (m_currentRouteMode == AppsRouteMode::VpnAllApps) { // for old split tunneling configs
+        m_currentRouteMode = AppsRouteMode::VpnAllExceptApps;
+        m_apps = m_appSettingsRepository->vpnApps(m_currentRouteMode);
+        m_appSettingsRepository->setAppsRouteMode(AppsRouteMode::VpnAllExceptApps);
+    } else {
+        m_apps = m_appSettingsRepository->vpnApps(m_currentRouteMode);
+    }
+}
+
+bool AppSplitTunnelingController::addApp(const amnezia::InstalledAppInfo &appInfo)
+{
+    if (m_apps.contains(appInfo)) {
+        return false;
+    }
+
+    m_apps.append(appInfo);
+    m_appSettingsRepository->setVpnApps(m_currentRouteMode, m_apps);
+
+    return true;
+}
+
+void AppSplitTunnelingController::removeApp(int index)
+{
+    if (index < 0 || index >= m_apps.size()) {
+        return;
+    }
+
+    m_apps.removeAt(index);
+    m_appSettingsRepository->setVpnApps(m_currentRouteMode, m_apps);
+}
+
+void AppSplitTunnelingController::clearAppsList()
+{
+    m_apps.clear();
+    m_appSettingsRepository->setVpnApps(m_currentRouteMode, m_apps);
+}
+
+void AppSplitTunnelingController::setRouteMode(AppsRouteMode routeMode)
+{
+    m_currentRouteMode = routeMode;
+    m_apps = m_appSettingsRepository->vpnApps(m_currentRouteMode);
+    m_appSettingsRepository->setAppsRouteMode(routeMode);
+}
+
+void AppSplitTunnelingController::toggleSplitTunneling(bool enabled)
+{
+    m_appSettingsRepository->setAppsSplitTunnelingEnabled(enabled);
+}
+
+AppsRouteMode AppSplitTunnelingController::getRouteMode() const
+{
+    return m_currentRouteMode;
+}
+
+bool AppSplitTunnelingController::isSplitTunnelingEnabled() const
+{
+    return m_appSettingsRepository->isAppsSplitTunnelingEnabled();
+}
+
+QVector<amnezia::InstalledAppInfo> AppSplitTunnelingController::getApps() const
+{
+    return m_apps;
+}
+