Changing for Error 207

Changing description and title for Error 207

.clang-format

@@ -0,0 +1,39 @@
+BasedOnStyle: WebKit
+AccessModifierOffset: '-4'
+AlignAfterOpenBracket: Align
+AlignConsecutiveMacros: 'true'
+AlignTrailingComments: 'true'
+AllowAllArgumentsOnNextLine: 'true'
+AllowAllParametersOfDeclarationOnNextLine: 'true'
+AllowShortBlocksOnASingleLine: 'false'
+AllowShortCaseLabelsOnASingleLine: 'true'
+AllowShortEnumsOnASingleLine: 'false'
+AllowShortFunctionsOnASingleLine: None
+AlwaysBreakTemplateDeclarations: 'No'
+BreakBeforeBinaryOperators: NonAssignment
+BreakBeforeBraces: Custom
+BraceWrapping:
+    AfterClass: true
+    AfterControlStatement: false
+    AfterEnum: false
+    AfterFunction: true
+    AfterNamespace: true
+    AfterObjCDeclaration: false
+    AfterStruct: true
+    AfterUnion: false
+    BeforeCatch: false
+    BeforeElse: false
+    IndentBraces: false
+BreakConstructorInitializers: BeforeColon
+ColumnLimit: '120'
+CommentPragmas: '"^!|^:"'
+ConstructorInitializerAllOnOneLineOrOnePerLine: 'true'
+ConstructorInitializerIndentWidth: '4'
+ContinuationIndentWidth: '8'
+IndentPPDirectives: BeforeHash
+NamespaceIndentation: All
+PenaltyExcessCharacter: '10'
+PointerAlignment: Right
+SortIncludes: 'true'
+SpaceAfterTemplateKeyword: 'false'
+Standard: Auto

.clang-format-ignore

@@ -0,0 +1,20 @@
+/client/3rd
+/client/3rd-prebuild
+/client/android
+/client/cmake
+/client/core/serialization
+/client/daemon
+/client/fonts
+/client/images
+/client/ios
+/client/mozilla
+/client/platforms/dummy
+/client/platforms/linux
+/client/platforms/macos
+/client/platforms/windows
+/client/server_scripts
+/client/translations
+/deploy
+/docs
+/metadata
+/service/src

.github/workflows/deploy.yml

@@ -16,7 +16,10 @@ jobs:
       QT_VERSION: 6.6.2
       QIF_VERSION: 4.7
       PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
+      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
       DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
+      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
+      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
 
     steps:
     - name: 'Install Qt'
@@ -83,7 +86,10 @@ jobs:
       QIF_VERSION: 4.7
       BUILD_ARCH: 64
       PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
+      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
       DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
+      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
+      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
 
     steps:
     - name: 'Get sources'
@@ -146,7 +152,10 @@ jobs:
       CC: cc
       CXX: c++
       PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
+      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
       DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
+      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
+      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
 
     steps:
     - name: 'Setup xcode'
@@ -208,7 +217,11 @@ jobs:
         export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/ios/bin"
         export QT_MACOS_ROOT_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos"
         export PATH=$PATH:~/go/bin
-        sh deploy/build_ios.sh
+        sh deploy/build_ios.sh | \
+          sed -e '/-Xcc -DPROD_AGW_PUBLIC_KEY/,/-Xcc/ { /-Xcc/!d; }' -e '/-Xcc -DPROD_AGW_PUBLIC_KEY/d' | \
+          sed -e '/-Xcc -DDEV_AGW_PUBLIC_KEY/,/-Xcc/ { /-Xcc/!d; }' -e '/-Xcc -DDEV_AGW_PUBLIC_KEY/d' | \
+          sed -e '/-DPROD_AGW_PUBLIC_KEY/,/-D/ { /-D/!d; }' -e '/-DPROD_AGW_PUBLIC_KEY/d' | \
+          sed -e '/-DDEV_AGW_PUBLIC_KEY/,/-D/ { /-D/!d; }' -e '/-DDEV_AGW_PUBLIC_KEY/d'
       env:
         IOS_TRUST_CERT_BASE64: ${{ secrets.IOS_TRUST_CERT_BASE64 }}
         IOS_SIGNING_CERT_BASE64: ${{ secrets.IOS_SIGNING_CERT_BASE64 }}
@@ -238,13 +251,16 @@ jobs:
       QT_VERSION: 6.4.3
       QIF_VERSION: 4.6
       PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
+      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
       DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
+      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
+      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
 
     steps:
     - name: 'Setup xcode'
       uses: maxim-lobanov/setup-xcode@v1
       with:
-        xcode-version: '14.3.1'
+        xcode-version: '15.4.0'
 
     - name: 'Install Qt'
       uses: jurplel/install-qt-action@v3
@@ -301,10 +317,13 @@ jobs:
 
     env:
       ANDROID_BUILD_PLATFORM: android-34
-      QT_VERSION: 6.7.2
+      QT_VERSION: 6.7.3
       QT_MODULES: 'qtremoteobjects qt5compat qtimageformats qtshadertools'
       PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
+      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
       DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
+      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
+      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
 
     steps:
     - name: 'Install desktop Qt'
@@ -316,7 +335,8 @@ jobs:
         arch: 'linux_gcc_64'
         modules: ${{ env.QT_MODULES }}
         dir: ${{ runner.temp }}
-        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
+        py7zrversion: '==0.22.*'
+        extra: '--base ${{ env.QT_MIRROR }}'
 
     - name: 'Install android_x86_64 Qt'
       uses: jurplel/install-qt-action@v4
@@ -327,7 +347,8 @@ jobs:
         arch: 'android_x86_64'
         modules: ${{ env.QT_MODULES }}
         dir: ${{ runner.temp }}
-        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
+        py7zrversion: '==0.22.*'
+        extra: '--base ${{ env.QT_MIRROR }}'
 
     - name: 'Install android_x86 Qt'
       uses: jurplel/install-qt-action@v4
@@ -338,7 +359,8 @@ jobs:
         arch: 'android_x86'
         modules: ${{ env.QT_MODULES }}
         dir: ${{ runner.temp }}
-        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
+        py7zrversion: '==0.22.*'
+        extra: '--base ${{ env.QT_MIRROR }}'
 
     - name: 'Install android_armv7 Qt'
       uses: jurplel/install-qt-action@v4
@@ -349,7 +371,8 @@ jobs:
         arch: 'android_armv7'
         modules: ${{ env.QT_MODULES }}
         dir: ${{ runner.temp }}
-        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
+        py7zrversion: '==0.22.*'
+        extra: '--base ${{ env.QT_MIRROR }}'
 
     - name: 'Install android_arm64_v8a Qt'
       uses: jurplel/install-qt-action@v4
@@ -360,7 +383,8 @@ jobs:
         arch: 'android_arm64_v8a'
         modules: ${{ env.QT_MODULES }}
         dir: ${{ runner.temp }}
-        extra: '--external 7z --base ${{ env.QT_MIRROR }}'
+        py7zrversion: '==0.22.*'
+        extra: '--base ${{ env.QT_MIRROR }}'
 
     - name: 'Grant execute permission for qt-cmake'
       shell: bash

.github/workflows/tag-deploy.yml

@@ -16,7 +16,10 @@ jobs:
       QT_VERSION: 6.4.1
       QIF_VERSION: 4.5
       PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
+      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
       DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
+      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
+      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
 
     steps:
     - name: 'Install desktop Qt'

.gitmodules

@@ -1,6 +1,3 @@
-[submodule "client/3rd/OpenVPNAdapter"]
-	path = client/3rd/OpenVPNAdapter
-	url = https://github.com/amnezia-vpn/OpenVPNAdapter.git
 [submodule "client/3rd/qtkeychain"]
 	path = client/3rd/qtkeychain
 	url = https://github.com/frankosterfeld/qtkeychain.git

CMakeLists.txt

@@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)
 
 set(PROJECT AmneziaVPN)
 
-project(${PROJECT} VERSION 4.8.1.1
+project(${PROJECT} VERSION 4.8.4.3
         DESCRIPTION "AmneziaVPN"
         HOMEPAGE_URL "https://amnezia.org/"
 )
@@ -11,7 +11,7 @@ string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")
 
 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 63)
+set(APP_ANDROID_VERSION_CODE 2080)
 
 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
     set(MZ_PLATFORM_NAME "linux")

README.md

@@ -1,30 +1,31 @@
 # Amnezia VPN
-## _The best client for self-hosted VPN_
+
+### _The best client for self-hosted VPN_
+
 
 [![Build Status](https://github.com/amnezia-vpn/amnezia-client/actions/workflows/deploy.yml/badge.svg?branch=dev)](https://github.com/amnezia-vpn/amnezia-client/actions/workflows/deploy.yml?query=branch:dev)
 [![Gitpod ready-to-code](https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/amnezia-vpn/amnezia-client)
 
-Amnezia is an open-source VPN client, with a key feature that enables you to deploy your own VPN server on your server.
+### [English]([https://github.com/amnezia-vpn/amnezia-client/blob/dev/README_RU.md](https://github.com/amnezia-vpn/amnezia-client/tree/dev?tab=readme-ov-file#)) | [Русский](https://github.com/amnezia-vpn/amnezia-client/blob/dev/README_RU.md)
 
-![Image](https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/uipic4.png)
 
-<br>
+[Amnezia](https://amnezia.org) is an open-source VPN client, with a key feature that enables you to deploy your own VPN server on your server.
 
-<a href="https://github.com/amnezia-vpn/amnezia-client/releases/download/4.7.0.0/AmneziaVPN_4.7.0.0_x64.exe"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/win.png" width="150" style="max-width: 100%;"></a> 
-<a href="https://github.com/amnezia-vpn/amnezia-client/releases/download/4.7.0.0/AmneziaVPN_4.7.0.0.dmg"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/mac.png" width="150" style="max-width: 100%;"></a> 
-<a href="https://github.com/amnezia-vpn/amnezia-client/releases/download/4.7.0.0/AmneziaVPN_Linux_4.7.0.0.tar.zip"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/lin.png" width="150" style="max-width: 100%;"></a>
-<a href="https://github.com/amnezia-vpn/amnezia-client/releases/tag/4.7.0.0"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/andr.png" width="150" style="max-width: 100%;"></a>
+[![Image](https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/uipic4.png)](https://amnezia.org)
 
-<br>
+### [Website](https://amnezia.org) | [Alt website link](https://storage.googleapis.com/amnezia/amnezia.org) | [Documentation](https://docs.amnezia.org) | [Troubleshooting](https://docs.amnezia.org/troubleshooting)
 
-<a href="https://play.google.com/store/search?q=amnezia+vpn&c=apps"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/play.png" width="150" style="max-width: 100%;"></a>
-<a href="https://apps.apple.com/us/app/amneziavpn/id1600529900"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/apl.png" width="150" style="max-width: 100%;"></a>
+> [!TIP]
+> If the [Amnezia website](https://amnezia.org) is blocked in your region, you can use an [Alternative website link](https://storage.googleapis.com/amnezia/amnezia.org ).
 
+<a href="https://amnezia.org/downloads"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/download-website.svg" width="150" style="max-width: 100%; margin-right: 10px"></a>
+<a href="https://storage.googleapis.com/amnezia/q9p19109"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/download-alt.svg" width="150" style="max-width: 100%;"></a>
 
 [All releases](https://github.com/amnezia-vpn/amnezia-client/releases)
 
-<br>
+<br/>
 
+<a href="https://www.testiny.io"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/testiny.png" height="28px"></a>
 
 ## Features
 
@@ -37,7 +38,8 @@ Amnezia is an open-source VPN client, with a key feature that enables you to dep
 
 ## Links
 
-- [https://amnezia.org](https://amnezia.org) - project website  
+- [https://amnezia.org](https://amnezia.org) - Project website | [Alternative link (mirror)](https://storage.googleapis.com/kldscp/amnezia.org)
+- [https://docs.amnezia.org](https://docs.amnezia.org) - Documentation
 - [https://www.reddit.com/r/AmneziaVPN](https://www.reddit.com/r/AmneziaVPN) - Reddit  
 - [https://t.me/amnezia_vpn_en](https://t.me/amnezia_vpn_en) - Telegram support channel (English) 
 - [https://t.me/amnezia_vpn_ir](https://t.me/amnezia_vpn_ir) - Telegram support channel (Farsi) 
@@ -183,11 +185,11 @@ GPL v3.0
 
 Patreon: [https://www.patreon.com/amneziavpn](https://www.patreon.com/amneziavpn)
 
-Bitcoin: bc1q26eevjcg9j0wuyywd2e3uc9cs2w58lpkpjxq6p <br>
+Bitcoin: bc1qmhtgcf9637rl3kqyy22r2a8wa8laka4t9rx2mf <br>
 USDT BEP20: 0x6abD576765a826f87D1D95183438f9408C901bE4 <br>
 USDT TRC20: TELAitazF1MZGmiNjTcnxDjEiH5oe7LC9d <br>
-XMR: 48spms39jt1L2L5vyw2RQW6CXD6odUd4jFu19GZcDyKKQV9U88wsJVjSbL4CfRys37jVMdoaWVPSvezCQPhHXUW5UKLqUp3  
-
+XMR: 48spms39jt1L2L5vyw2RQW6CXD6odUd4jFu19GZcDyKKQV9U88wsJVjSbL4CfRys37jVMdoaWVPSvezCQPhHXUW5UKLqUp3 <br> 
+TON: UQDpU1CyKRmg7L8mNScKk9FRc2SlESuI7N-Hby4nX-CcVmns
 ## Acknowledgments
 
 This project is tested with BrowserStack.

README_RU.md

@@ -0,0 +1,181 @@
+# Amnezia VPN
+
+### _Лучший клиент для создания VPN на собственном сервере_
+
+[![Build Status](https://github.com/amnezia-vpn/amnezia-client/actions/workflows/deploy.yml/badge.svg?branch=dev)](https://github.com/amnezia-vpn/amnezia-client/actions/workflows/deploy.yml?query=branch:dev)
+[![Gitpod ready-to-code](https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/amnezia-vpn/amnezia-client)
+
+### [English](https://github.com/amnezia-vpn/amnezia-client/blob/dev/README.md) | Русский
+[AmneziaVPN](https://amnezia.org) — это open source VPN-клиент, ключевая особенность которого заключается в возможности развернуть собственный VPN на вашем сервере.
+
+[![Image](https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/uipic4.png)](https://amnezia.org)
+
+### [Сайт](https://amnezia.org) | [Зеркало сайта](https://storage.googleapis.com/amnezia/amnezia.org) | [Документация](https://docs.amnezia.org) | [Решение проблем](https://docs.amnezia.org/troubleshooting)
+
+> [!TIP]
+> Если [сайт Amnezia](https://amnezia.org) заблокирован в вашем регионе, вы можете воспользоваться [ссылкой на зеркало](https://storage.googleapis.com/amnezia/amnezia.org).
+
+<a href="https://storage.googleapis.com/amnezia/q9p19109"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/download-website-ru.svg" width="150" style="max-width: 100%; margin-right: 10px"></a>
+
+
+[Все релизы](https://github.com/amnezia-vpn/amnezia-client/releases)
+
+<br/>
+
+<a href="https://www.testiny.io"><img src="https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/testiny.png" height="28px"></a>
+
+## Особенности
+
+- Простой в использовании — введите IP-адрес, SSH-логин и пароль, и Amnezia автоматически установит VPN-контейнеры Docker на ваш сервер и подключится к VPN.
+- Классические VPN-протоколы: OpenVPN, WireGuard и IKEv2.
+- Протоколы с маскировкой трафика (обфускацией): OpenVPN с плагином [Cloak](https://github.com/cbeuw/Cloak), Shadowsocks (OpenVPN over Shadowsocks), [AmneziaWG](https://docs.amnezia.org/documentation/amnezia-wg/) and XRay.
+- Поддержка Split Tunneling — добавляйте любые сайты или приложения в список, чтобы включить VPN только для них.
+- Поддерживает платформы: Windows, macOS, Linux, Android, iOS.
+- Поддержка конфигурации протокола AmneziaWG на [бета-прошивке Keenetic](https://docs.keenetic.com/ua/air/kn-1611/en/6319-latest-development-release.html#UUID-186c4108-5afd-c10b-f38a-cdff6c17fab3_section-idm33192196168192-improved).
+
+## Ссылки
+
+- [https://amnezia.org](https://amnezia.org) - Веб-сайт проекта | [Альтернативная ссылка (зеркало)](https://storage.googleapis.com/kldscp/amnezia.org)
+- [https://docs.amnezia.org](https://docs.amnezia.org) - Документация
+- [https://www.reddit.com/r/AmneziaVPN](https://www.reddit.com/r/AmneziaVPN) - Reddit  
+- [https://t.me/amnezia_vpn_en](https://t.me/amnezia_vpn_en) - Канал поддержки в Telegram (Английский)
+- [https://t.me/amnezia_vpn_ir](https://t.me/amnezia_vpn_ir) - Канал поддержки в Telegram (Фарси)
+- [https://t.me/amnezia_vpn_mm](https://t.me/amnezia_vpn_mm) - Канал поддержки в Telegram (Мьянма) 
+- [https://t.me/amnezia_vpn](https://t.me/amnezia_vpn) - Канал поддержки в Telegram  (Русский)
+- [https://vpnpay.io/en/amnezia-premium/](https://vpnpay.io/en/amnezia-premium/) - Amnezia Premium | [Зеркало](https://storage.googleapis.com/kldscp/vpnpay.io/ru/amnezia-premium\)
+
+## Технологии
+
+AmneziaVPN использует несколько проектов с открытым исходным кодом:
+
+- [OpenSSL](https://www.openssl.org/)
+- [OpenVPN](https://openvpn.net/)
+- [Shadowsocks](https://shadowsocks.org/)
+- [Qt](https://www.qt.io/)
+- [LibSsh](https://libssh.org)
+- и другие...
+
+## Проверка исходного кода
+После клонирования репозитория обязательно загрузите все подмодули.
+
+```bash
+git submodule update --init --recursive
+```
+
+
+## Разработка
+Хотите внести свой вклад? Добро пожаловать!
+
+### Помощь с переводами
+
+Загрузите самые актуальные файлы перевода.
+
+Перейдите на [вкладку "Actions"](https://github.com/amnezia-vpn/amnezia-client/actions?query=is%3Asuccess+branch%3Adev), нажмите на первую строку. Затем прокрутите вниз до раздела "Artifacts" и скачайте "AmneziaVPN_translations".
+
+Распакуйте этот файл. Каждый файл с расширением *.ts содержит строки для соответствующего языка.
+
+Переведите или исправьте строки в одном или нескольких файлах *.ts и загрузите их обратно в этот репозиторий в папку ``client/translations``. Это можно сделать через веб-интерфейс или любым другим знакомым вам способом.
+
+### Сборка исходного кода и деплой
+Проверьте папку deploy для скриптов сборки.
+
+### Как собрать iOS-приложение из исходного кода на MacOS
+1. Убедитесь, что у вас установлен Xcode версии 14 или выше.
+2. Для генерации проекта Xcode используется QT. Требуется версия QT 6.6.2. Установите QT для MacOS здесь или через QT Online Installer. Необходимые модули:
+- MacOS
+- iOS
+- Модуль совместимости с Qt 5
+- Qt Shader Tools
+- Дополнительные библиотеки:
+ - Qt Image Formats
+ - Qt Multimedia
+ - Qt Remote Objects
+
+   
+3. Установите CMake, если это необходимо. Рекомендуемая версия — 3.25. Скачать CMake можно здесь.
+4. Установите Go версии >= v1.16. Если Go ещё не установлен, скачайте его с  [официального сайта](https://golang.org/dl/) или используйте Homebrew. Установите gomobile:
+
+```bash
+export PATH=$PATH:~/go/bin
+go install golang.org/x/mobile/cmd/gomobile@latest
+gomobile init
+```
+
+5. Соберите проект:
+```bash
+export QT_BIN_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/ios/bin"
+export QT_MACOS_ROOT_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/macos"
+export QT_IOS_BIN=$QT_BIN_DIR
+export PATH=$PATH:~/go/bin
+mkdir build-ios
+$QT_IOS_BIN/qt-cmake . -B build-ios -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR
+```
+Замените <PATH-TO-QT-FOLDER> и <QT-VERSION> на ваши значения.
+
+Если появляется ошибка gomobile: command not found, убедитесь, что PATH настроен на папку bin, где установлен gomobile:
+```bash
+export PATH=$(PATH):/path/to/GOPATH/bin
+```
+
+6. Откройте проект в Xcode. Теперь вы можете тестировать, архивировать или публиковать приложение.
+   
+Если сборка завершится с ошибкой:
+```
+make: *** 
+[$(PROJECTDIR)/client/build/AmneziaVPN.build/Debug-iphoneos/wireguard-go-bridge/goroot/.prepared] 
+Error 1
+```
+Добавьте пользовательскую переменную PATH в настройки сборки для целей AmneziaVPN и WireGuardNetworkExtension с ключом `PATH` и значением `${PATH}/path/to/bin/folder/with/go/executable`, e.g. `${PATH}:/usr/local/go/bin`.
+
+Если ошибка повторяется на Mac с M1, установите версию CMake для архитектуры ARM:
+```
+arch -arm64 brew install cmake
+```
+
+ При первой попытке сборка может завершиться с ошибкой source files not found. Это происходит из-за параллельной компиляции зависимостей в XCode. Просто перезапустите сборку.
+
+
+## Как собрать Android-приложение
+Сборка тестировалась на MacOS. Требования:
+- JDK 11
+- Android SDK 33
+- CMake 3.25.0
+  
+Установите QT, QT Creator и Android Studio.
+Настройте QT Creator:
+
+- В меню QT Creator перейдите в  `QT Creator` -> `Preferences` -> `Devices` ->`Android`.
+- Укажите путь к JDK 11.
+- Укажите путь к Android SDK (`$ANDROID_HOME`)
+
+Если вы сталкиваетесь с ошибками, связанными с отсутствием SDK или сообщением «SDK manager not running», их нельзя исправить просто корректировкой путей. Если у вас есть несколько свободных гигабайт на диске, вы можете позволить Qt Creator установить все необходимые компоненты, выбрав пустую папку для расположения Android SDK и нажав кнопку **Set Up SDK**. Учтите: это установит второй Android SDK и NDK на вашем компьютере!
+
+Убедитесь, что настроена правильная версия CMake: перейдите в **Qt Creator -> Preferences** и в боковом меню выберите пункт **Kits**. В центральной части окна, на вкладке **Kits**, найдите запись для инструмента **CMake Tool**. Если выбранная по умолчанию версия CMake ниже 3.25.0, установите на свою систему CMake версии 3.25.0 или выше, а затем выберите опцию **System CMake at <путь>** из выпадающего списка. Если этот пункт отсутствует, это может означать, что вы еще не установили CMake, или Qt Creator не смог найти путь к нему. В таком случае в окне **Preferences** перейдите в боковое меню **CMake**, затем во вкладку **Tools** в центральной части окна и нажмите кнопку **Add**, чтобы указать путь к установленному CMake.
+
+Убедитесь, что для вашего проекта выбрана Android Platform SDK 33: в главном окне на боковой панели выберите пункт **Projects**, и слева вы увидите раздел **Build & Run**, показывающий различные целевые Android-платформы. Вы можете выбрать любую из них, так как настройка проекта Amnezia VPN разработана таким образом, чтобы все Android-цели могли быть собраны. Перейдите в подраздел **Build** и прокрутите центральную часть окна до раздела **Build Steps**. Нажмите **Details** в заголовке **Build Android APK** (кнопка **Details** может быть скрыта, если окно Qt Creator не запущено в полноэкранном режиме!). Вот здесь выберите **android-33** в качестве Android Build Platform SDK.
+
+### Разработка Android-компонентов
+
+После сборки QT Creator копирует проект в отдельную папку, например, `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>`. Для разработки Android-компонентов откройте сгенерированный проект в Android Studio, указав папку `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>/client/android-build` в качестве корневой.
+Изменения в сгенерированном проекте нужно вручную перенести в репозиторий. После этого можно коммитить изменения.
+Если возникают проблемы со сборкой в QT Creator после работы в Android Studio, выполните команду `./gradlew clean` в корневой папке сгенерированного проекта (`<path>/client/android-build/.`).
+
+
+## Лицензия
+
+GPL v3.0
+
+## Донаты
+
+Patreon: [https://www.patreon.com/amneziavpn](https://www.patreon.com/amneziavpn)
+
+Bitcoin: bc1qmhtgcf9637rl3kqyy22r2a8wa8laka4t9rx2mf <br>
+USDT BEP20: 0x6abD576765a826f87D1D95183438f9408C901bE4 <br>
+USDT TRC20: TELAitazF1MZGmiNjTcnxDjEiH5oe7LC9d <br>
+XMR: 48spms39jt1L2L5vyw2RQW6CXD6odUd4jFu19GZcDyKKQV9U88wsJVjSbL4CfRys37jVMdoaWVPSvezCQPhHXUW5UKLqUp3 <br> 
+TON: UQDpU1CyKRmg7L8mNScKk9FRc2SlESuI7N-Hby4nX-CcVmns
+
+## Благодарности
+
+Этот проект тестируется с помощью BrowserStack.
+Мы выражаем благодарность [BrowserStack](https://www.browserstack.com) за поддержку нашего проекта.

client/3rd/SingleApplication/singleapplication.cmake

@@ -1,25 +0,0 @@
-include_directories(${CMAKE_CURRENT_LIST_DIR})
-
-find_package(Qt6 REQUIRED COMPONENTS 
-    Core Network
-)
-set(LIBS ${LIBS} Qt6::Core Qt6::Network)
-
-
-set(HEADERS ${HEADERS}
-    ${CMAKE_CURRENT_LIST_DIR}/singleapplication.h 
-    ${CMAKE_CURRENT_LIST_DIR}/singleapplication_p.h
-)
-
-set(SOURCES ${SOURCES}
-    ${CMAKE_CURRENT_LIST_DIR}/singleapplication.cpp 
-    ${CMAKE_CURRENT_LIST_DIR}/singleapplication_p.cpp
-)
-
-if(WIN32)
-    if(MSVC)
-        set(LIBS ${LIBS} Advapi32.lib)
-    elseif ("${CMAKE_CXX_COMPILER_ID}" STREQUAL "GNU")
-        set(LIBS ${LIBS} advapi32)
-    endif()    
-endif()

client/3rd/SingleApplication/singleapplication.cpp

@@ -1,274 +0,0 @@
-// The MIT License (MIT)
-//
-// Copyright (c) Itay Grudev 2015 - 2020
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-
-#include <QtCore/QElapsedTimer>
-#include <QtCore/QByteArray>
-#include <QtCore/QSharedMemory>
-
-#include "singleapplication.h"
-#include "singleapplication_p.h"
-
-/**
- * @brief Constructor. Checks and fires up LocalServer or closes the program
- * if another instance already exists
- * @param argc
- * @param argv
- * @param allowSecondary Whether to enable secondary instance support
- * @param options Optional flags to toggle specific behaviour
- * @param timeout Maximum time blocking functions are allowed during app load
- */
-SingleApplication::SingleApplication( int &argc, char *argv[], bool allowSecondary, Options options, int timeout, const QString &userData )
-    : app_t( argc, argv ), d_ptr( new SingleApplicationPrivate( this ) )
-{
-    Q_D( SingleApplication );
-
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
-    // On Android and iOS since the library is not supported fallback to
-    // standard QApplication behaviour by simply returning at this point.
-    qWarning() << "SingleApplication is not supported on Android and iOS systems.";
-    return;
-#endif
-
-    // Store the current mode of the program
-    d->options = options;
-
-    // Add any unique user data
-    if ( ! userData.isEmpty() )
-        d->addAppData( userData );
-
-    // Generating an application ID used for identifying the shared memory
-    // block and QLocalServer
-    d->genBlockServerName();
-
-    // To mitigate QSharedMemory issues with large amount of processes
-    // attempting to attach at the same time
-    SingleApplicationPrivate::randomSleep();
-
-#ifdef Q_OS_UNIX
-    // By explicitly attaching it and then deleting it we make sure that the
-    // memory is deleted even after the process has crashed on Unix.
-    d->memory = new QSharedMemory( d->blockServerName );
-    d->memory->attach();
-    delete d->memory;
-#endif
-    // Guarantee thread safe behaviour with a shared memory block.
-    d->memory = new QSharedMemory( d->blockServerName );
-
-    // Create a shared memory block
-    if( d->memory->create( sizeof( InstancesInfo ) )){
-        // Initialize the shared memory block
-        if( ! d->memory->lock() ){
-          qCritical() << "SingleApplication: Unable to lock memory block after create.";
-          abortSafely();
-        }
-        d->initializeMemoryBlock();
-    } else {
-        if( d->memory->error() == QSharedMemory::AlreadyExists ){
-          // Attempt to attach to the memory segment
-          if( ! d->memory->attach() ){
-              qCritical() << "SingleApplication: Unable to attach to shared memory block.";
-              abortSafely();
-          }
-          if( ! d->memory->lock() ){
-            qCritical() << "SingleApplication: Unable to lock memory block after attach.";
-            abortSafely();
-          }
-        } else {
-          qCritical() << "SingleApplication: Unable to create block.";
-          abortSafely();
-        }
-    }
-
-    auto *inst = static_cast<InstancesInfo*>( d->memory->data() );
-    QElapsedTimer time;
-    time.start();
-
-    // Make sure the shared memory block is initialised and in consistent state
-    while( true ){
-      // If the shared memory block's checksum is valid continue
-      if( d->blockChecksum() == inst->checksum ) break;
-
-      // If more than 5s have elapsed, assume the primary instance crashed and
-      // assume it's position
-      if( time.elapsed() > 5000 ){
-          qWarning() << "SingleApplication: Shared memory block has been in an inconsistent state from more than 5s. Assuming primary instance failure.";
-          d->initializeMemoryBlock();
-      }
-
-      // Otherwise wait for a random period and try again. The random sleep here
-      // limits the probability of a collision between two racing apps and
-      // allows the app to initialise faster
-      if( ! d->memory->unlock() ){
-        qDebug() << "SingleApplication: Unable to unlock memory for random wait.";
-        qDebug() << d->memory->errorString();
-      }
-      SingleApplicationPrivate::randomSleep();
-      if( ! d->memory->lock() ){
-        qCritical() << "SingleApplication: Unable to lock memory after random wait.";
-        abortSafely();
-      }
-    }
-
-    if( inst->primary == false ){
-        d->startPrimary();
-        if( ! d->memory->unlock() ){
-          qDebug() << "SingleApplication: Unable to unlock memory after primary start.";
-          qDebug() << d->memory->errorString();
-        }
-        return;
-    }
-
-    // Check if another instance can be started
-    if( allowSecondary ){
-        d->startSecondary();
-        if( d->options & Mode::SecondaryNotification ){
-            d->connectToPrimary( timeout, SingleApplicationPrivate::SecondaryInstance );
-        }
-        if( ! d->memory->unlock() ){
-          qDebug() << "SingleApplication: Unable to unlock memory after secondary start.";
-          qDebug() << d->memory->errorString();
-        }
-        return;
-    }
-
-    if( ! d->memory->unlock() ){
-      qDebug() << "SingleApplication: Unable to unlock memory at end of execution.";
-      qDebug() << d->memory->errorString();
-    }
-
-    d->connectToPrimary( timeout, SingleApplicationPrivate::NewInstance );
-
-    delete d;
-
-    ::exit( EXIT_SUCCESS );
-}
-
-SingleApplication::~SingleApplication()
-{
-    Q_D( SingleApplication );
-    delete d;
-}
-
-/**
- * Checks if the current application instance is primary.
- * @return Returns true if the instance is primary, false otherwise.
- */
-bool SingleApplication::isPrimary() const
-{
-    Q_D( const SingleApplication );
-    return d->server != nullptr;
-}
-
-/**
- * Checks if the current application instance is secondary.
- * @return Returns true if the instance is secondary, false otherwise.
- */
-bool SingleApplication::isSecondary() const
-{
-    Q_D( const SingleApplication );
-    return d->server == nullptr;
-}
-
-/**
- * Allows you to identify an instance by returning unique consecutive instance
- * ids. It is reset when the first (primary) instance of your app starts and
- * only incremented afterwards.
- * @return Returns a unique instance id.
- */
-quint32 SingleApplication::instanceId() const
-{
-    Q_D( const SingleApplication );
-    return d->instanceNumber;
-}
-
-/**
- * Returns the OS PID (Process Identifier) of the process running the primary
- * instance. Especially useful when SingleApplication is coupled with OS.
- * specific APIs.
- * @return Returns the primary instance PID.
- */
-qint64 SingleApplication::primaryPid() const
-{
-    Q_D( const SingleApplication );
-    return d->primaryPid();
-}
-
-/**
- * Returns the username the primary instance is running as.
- * @return Returns the username the primary instance is running as.
- */
-QString SingleApplication::primaryUser() const
-{
-    Q_D( const SingleApplication );
-    return d->primaryUser();
-}
-
-/**
- * Returns the username the current instance is running as.
- * @return Returns the username the current instance is running as.
- */
-QString SingleApplication::currentUser() const
-{
-    return SingleApplicationPrivate::getUsername();
-}
-
-/**
- * Sends message to the Primary Instance.
- * @param message The message to send.
- * @param timeout the maximum timeout in milliseconds for blocking functions.
- * @return true if the message was sent successfuly, false otherwise.
- */
-bool SingleApplication::sendMessage( const QByteArray &message, int timeout )
-{
-    Q_D( SingleApplication );
-
-    // Nobody to connect to
-    if( isPrimary() ) return false;
-
-    // Make sure the socket is connected
-    if( ! d->connectToPrimary( timeout,  SingleApplicationPrivate::Reconnect ) )
-      return false;
-
-    d->socket->write( message );
-    bool dataWritten = d->socket->waitForBytesWritten( timeout );
-    d->socket->flush();
-    return dataWritten;
-}
-
-/**
- * Cleans up the shared memory block and exits with a failure.
- * This function halts program execution.
- */
-void SingleApplication::abortSafely()
-{
-    Q_D( SingleApplication );
-
-    qCritical() << "SingleApplication: " << d->memory->error() << d->memory->errorString();
-    delete d;
-    ::exit( EXIT_FAILURE );
-}
-
-QStringList SingleApplication::userData() const
-{
-    Q_D( const SingleApplication );
-    return d->appData();
-}

client/3rd/SingleApplication/singleapplication.h

@@ -1,154 +0,0 @@
-// The MIT License (MIT)
-//
-// Copyright (c) Itay Grudev 2015 - 2018
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-
-#ifndef SINGLE_APPLICATION_H
-#define SINGLE_APPLICATION_H
-
-#include <QtCore/QtGlobal>
-#include <QtNetwork/QLocalSocket>
-
-#ifndef QAPPLICATION_CLASS
-  #define QAPPLICATION_CLASS QApplication
-#endif
-
-#include QT_STRINGIFY(QAPPLICATION_CLASS)
-
-class SingleApplicationPrivate;
-
-/**
- * @brief The SingleApplication class handles multiple instances of the same
- * Application
- * @see QCoreApplication
- */
-class SingleApplication : public QAPPLICATION_CLASS
-{
-    Q_OBJECT
-
-    using app_t = QAPPLICATION_CLASS;
-
-public:
-    /**
-     * @brief Mode of operation of SingleApplication.
-     * Whether the block should be user-wide or system-wide and whether the
-     * primary instance should be notified when a secondary instance had been
-     * started.
-     * @note Operating system can restrict the shared memory blocks to the same
-     * user, in which case the User/System modes will have no effect and the
-     * block will be user wide.
-     * @enum
-     */
-    enum Mode {
-        User                    = 1 << 0,
-        System                  = 1 << 1,
-        SecondaryNotification   = 1 << 2,
-        ExcludeAppVersion       = 1 << 3,
-        ExcludeAppPath          = 1 << 4
-    };
-    Q_DECLARE_FLAGS(Options, Mode)
-
-    /**
-     * @brief Intitializes a SingleApplication instance with argc command line
-     * arguments in argv
-     * @arg {int &} argc - Number of arguments in argv
-     * @arg {const char *[]} argv - Supplied command line arguments
-     * @arg {bool} allowSecondary - Whether to start the instance as secondary
-     * if there is already a primary instance.
-     * @arg {Mode} mode - Whether for the SingleApplication block to be applied
-     * User wide or System wide.
-     * @arg {int} timeout - Timeout to wait in milliseconds.
-     * @note argc and argv may be changed as Qt removes arguments that it
-     * recognizes
-     * @note Mode::SecondaryNotification only works if set on both the primary
-     * instance and the secondary instance.
-     * @note The timeout is just a hint for the maximum time of blocking
-     * operations. It does not guarantee that the SingleApplication
-     * initialisation will be completed in given time, though is a good hint.
-     * Usually 4*timeout would be the worst case (fail) scenario.
-     * @see See the corresponding QAPPLICATION_CLASS constructor for reference
-     */
-    explicit SingleApplication( int &argc, char *argv[], bool allowSecondary = false, Options options = Mode::User, int timeout = 1000, const QString &userData = {} );
-    ~SingleApplication() override;
-
-    /**
-     * @brief Returns if the instance is the primary instance
-     * @returns {bool}
-     */
-    bool isPrimary() const;
-
-    /**
-     * @brief Returns if the instance is a secondary instance
-     * @returns {bool}
-     */
-    bool isSecondary() const;
-
-    /**
-     * @brief Returns a unique identifier for the current instance
-     * @returns {qint32}
-     */
-    quint32 instanceId() const;
-
-    /**
-     * @brief Returns the process ID (PID) of the primary instance
-     * @returns {qint64}
-     */
-    qint64 primaryPid() const;
-
-    /**
-     * @brief Returns the username of the user running the primary instance
-     * @returns {QString}
-     */
-    QString primaryUser() const;
-
-    /**
-     * @brief Returns the username of the current user
-     * @returns {QString}
-     */
-    QString currentUser() const;
-
-    /**
-     * @brief Sends a message to the primary instance. Returns true on success.
-     * @param {int} timeout - Timeout for connecting
-     * @returns {bool}
-     * @note sendMessage() will return false if invoked from the primary
-     * instance.
-     */
-    bool sendMessage( const QByteArray &message, int timeout = 100 );
-
-    /**
-     * @brief Get the set user data.
-     * @returns {QStringList}
-     */
-    QStringList userData() const;
-
-Q_SIGNALS:
-    void instanceStarted();
-    void receivedMessage( quint32 instanceId, QByteArray message );
-
-private:
-    SingleApplicationPrivate *d_ptr;
-    Q_DECLARE_PRIVATE(SingleApplication)
-    void abortSafely();
-};
-
-Q_DECLARE_OPERATORS_FOR_FLAGS(SingleApplication::Options)
-
-#endif // SINGLE_APPLICATION_H

client/3rd/SingleApplication/singleapplication.pri

@@ -1,15 +0,0 @@
-QT += core network
-CONFIG += c++11
-
-HEADERS +=  \
-    $$PWD/singleapplication.h \
-    $$PWD/singleapplication_p.h
-SOURCES += $$PWD/singleapplication.cpp \
-    $$PWD/singleapplication_p.cpp
-
-INCLUDEPATH += $$PWD
-
-win32 {
-    msvc:LIBS += Advapi32.lib
-    gcc:LIBS += -ladvapi32
-}

client/3rd/SingleApplication/singleapplication_p.cpp

@@ -1,486 +0,0 @@
-// The MIT License (MIT)
-//
-// Copyright (c) Itay Grudev 2015 - 2020
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-
-//
-//  W A R N I N G !!!
-//  -----------------
-//
-// This file is not part of the SingleApplication API. It is used purely as an
-// implementation detail. This header file may change from version to
-// version without notice, or may even be removed.
-//
-
-#include <cstdlib>
-#include <cstddef>
-
-#include <QtCore/QDir>
-#include <QtCore/QThread>
-#include <QtCore/QByteArray>
-#include <QtCore/QDataStream>
-#include <QtCore/QElapsedTimer>
-#include <QtCore/QCryptographicHash>
-#include <QtNetwork/QLocalServer>
-#include <QtNetwork/QLocalSocket>
-
-#if QT_VERSION >= QT_VERSION_CHECK(5, 10, 0)
-#include <QtCore/QRandomGenerator>
-#else
-#include <QtCore/QDateTime>
-#endif
-
-#include "singleapplication.h"
-#include "singleapplication_p.h"
-
-#ifdef Q_OS_UNIX
-    #include <unistd.h>
-    #include <sys/types.h>
-    #include <pwd.h>
-#endif
-
-#ifdef Q_OS_WIN
-    #ifndef NOMINMAX
-        #define NOMINMAX 1
-    #endif
-    #include <windows.h>
-    #include <lmcons.h>
-#endif
-
-SingleApplicationPrivate::SingleApplicationPrivate( SingleApplication *q_ptr )
-    : q_ptr( q_ptr )
-{
-    server = nullptr;
-    socket = nullptr;
-    memory = nullptr;
-    instanceNumber = 0;
-}
-
-SingleApplicationPrivate::~SingleApplicationPrivate()
-{
-    if( socket != nullptr ){
-        socket->close();
-        delete socket;
-    }
-
-    if( memory != nullptr ){
-        memory->lock();
-        auto *inst = static_cast<InstancesInfo*>(memory->data());
-        if( server != nullptr ){
-            server->close();
-            delete server;
-            inst->primary = false;
-            inst->primaryPid = -1;
-            inst->primaryUser[0] =  '\0';
-            inst->checksum = blockChecksum();
-        }
-        memory->unlock();
-
-        delete memory;
-    }
-}
-
-QString SingleApplicationPrivate::getUsername()
-{
-#ifdef Q_OS_WIN
-      wchar_t username[UNLEN + 1];
-      // Specifies size of the buffer on input
-      DWORD usernameLength = UNLEN + 1;
-      if( GetUserNameW( username, &usernameLength ) )
-          return QString::fromWCharArray( username );
-#if QT_VERSION < QT_VERSION_CHECK(5, 10, 0)
-      return QString::fromLocal8Bit( qgetenv( "USERNAME" ) );
-#else
-      return qEnvironmentVariable( "USERNAME" );
-#endif
-#endif
-#ifdef Q_OS_UNIX
-      QString username;
-      uid_t uid = geteuid();
-      struct passwd *pw = getpwuid( uid );
-      if( pw )
-          username = QString::fromLocal8Bit( pw->pw_name );
-      if ( username.isEmpty() ){
-#if QT_VERSION < QT_VERSION_CHECK(5, 10, 0)
-          username = QString::fromLocal8Bit( qgetenv( "USER" ) );
-#else
-          username = qEnvironmentVariable( "USER" );
-#endif
-      }
-      return username;
-#endif
-}
-
-void SingleApplicationPrivate::genBlockServerName()
-{
-    QCryptographicHash appData( QCryptographicHash::Sha256 );
-    appData.addData( "SingleApplication", 17 );
-    appData.addData( SingleApplication::app_t::applicationName().toUtf8() );
-    appData.addData( SingleApplication::app_t::organizationName().toUtf8() );
-    appData.addData( SingleApplication::app_t::organizationDomain().toUtf8() );
-
-    if ( ! appDataList.isEmpty() )
-        appData.addData( appDataList.join( "" ).toUtf8() );
-
-    if( ! (options & SingleApplication::Mode::ExcludeAppVersion) ){
-        appData.addData( SingleApplication::app_t::applicationVersion().toUtf8() );
-    }
-
-    if( ! (options & SingleApplication::Mode::ExcludeAppPath) ){
-#ifdef Q_OS_WIN
-        appData.addData( SingleApplication::app_t::applicationFilePath().toLower().toUtf8() );
-#else
-        appData.addData( SingleApplication::app_t::applicationFilePath().toUtf8() );
-#endif
-    }
-
-    // User level block requires a user specific data in the hash
-    if( options & SingleApplication::Mode::User ){
-        appData.addData( getUsername().toUtf8() );
-    }
-
-    // Replace the backslash in RFC 2045 Base64 [a-zA-Z0-9+/=] to comply with
-    // server naming requirements.
-    blockServerName = appData.result().toBase64().replace("/", "_");
-}
-
-void SingleApplicationPrivate::initializeMemoryBlock() const
-{
-    auto *inst = static_cast<InstancesInfo*>( memory->data() );
-    inst->primary = false;
-    inst->secondary = 0;
-    inst->primaryPid = -1;
-    inst->primaryUser[0] =  '\0';
-    inst->checksum = blockChecksum();
-}
-
-void SingleApplicationPrivate::startPrimary()
-{
-    // Reset the number of connections
-    auto *inst = static_cast <InstancesInfo*>( memory->data() );
-
-    inst->primary = true;
-    inst->primaryPid = QCoreApplication::applicationPid();
-    qstrncpy( inst->primaryUser, getUsername().toUtf8().data(), sizeof(inst->primaryUser) );
-    inst->checksum = blockChecksum();
-    instanceNumber = 0;
-    // Successful creation means that no main process exists
-    // So we start a QLocalServer to listen for connections
-    QLocalServer::removeServer( blockServerName );
-    server = new QLocalServer();
-
-    // Restrict access to the socket according to the
-    // SingleApplication::Mode::User flag on User level or no restrictions
-    if( options & SingleApplication::Mode::User ){
-        server->setSocketOptions( QLocalServer::UserAccessOption );
-    } else {
-        server->setSocketOptions( QLocalServer::WorldAccessOption );
-    }
-
-    server->listen( blockServerName );
-    QObject::connect(
-        server,
-        &QLocalServer::newConnection,
-        this,
-        &SingleApplicationPrivate::slotConnectionEstablished
-    );
-}
-
-void SingleApplicationPrivate::startSecondary()
-{
-  auto *inst = static_cast <InstancesInfo*>( memory->data() );
-
-  inst->secondary += 1;
-  inst->checksum = blockChecksum();
-  instanceNumber = inst->secondary;
-}
-
-bool SingleApplicationPrivate::connectToPrimary( int msecs, ConnectionType connectionType )
-{
-    QElapsedTimer time;
-    time.start();
-
-    // Connect to the Local Server of the Primary Instance if not already
-    // connected.
-    if( socket == nullptr ){
-        socket = new QLocalSocket();
-    }
-
-    if( socket->state() == QLocalSocket::ConnectedState ) return true;
-
-    if( socket->state() != QLocalSocket::ConnectedState ){
-
-        while( true ){
-            randomSleep();
-
-          if( socket->state() != QLocalSocket::ConnectingState )
-            socket->connectToServer( blockServerName );
-
-          if( socket->state() == QLocalSocket::ConnectingState ){
-              socket->waitForConnected( static_cast<int>(msecs - time.elapsed()) );
-          }
-
-          // If connected break out of the loop
-          if( socket->state() == QLocalSocket::ConnectedState ) break;
-
-          // If elapsed time since start is longer than the method timeout return
-          if( time.elapsed() >= msecs ) return false;
-        }
-    }
-
-    // Initialisation message according to the SingleApplication protocol
-    QByteArray initMsg;
-    QDataStream writeStream(&initMsg, QIODevice::WriteOnly);
-
-#if (QT_VERSION >= QT_VERSION_CHECK(5, 6, 0))
-    writeStream.setVersion(QDataStream::Qt_5_6);
-#endif
-
-    writeStream << blockServerName.toLatin1();
-    writeStream << static_cast<quint8>(connectionType);
-    writeStream << instanceNumber;
-#if QT_VERSION >= QT_VERSION_CHECK(6, 0, 0)
-    quint16 checksum = qChecksum(QByteArray(initMsg, static_cast<quint32>(initMsg.length())));
-#else
-    quint16 checksum = qChecksum(initMsg.constData(), static_cast<quint32>(initMsg.length()));
-#endif
-    writeStream << checksum;
-
-    // The header indicates the message length that follows
-    QByteArray header;
-    QDataStream headerStream(&header, QIODevice::WriteOnly);
-
-#if (QT_VERSION >= QT_VERSION_CHECK(5, 6, 0))
-    headerStream.setVersion(QDataStream::Qt_5_6);
-#endif
-    headerStream << static_cast <quint64>( initMsg.length() );
-
-    socket->write( header );
-    socket->write( initMsg );
-    bool result = socket->waitForBytesWritten( static_cast<int>(msecs - time.elapsed()) );
-    socket->flush();
-    return result;
-}
-
-quint16 SingleApplicationPrivate::blockChecksum() const
-{
-#if QT_VERSION >= QT_VERSION_CHECK(6, 0, 0)
-    quint16 checksum = qChecksum(QByteArray(static_cast<const char*>(memory->constData()), offsetof(InstancesInfo, checksum)));
-#else
-    quint16 checksum = qChecksum(static_cast<const char*>(memory->constData()), offsetof(InstancesInfo, checksum));
-#endif
-    return checksum;
-}
-
-qint64 SingleApplicationPrivate::primaryPid() const
-{
-    qint64 pid;
-
-    memory->lock();
-    auto *inst = static_cast<InstancesInfo*>( memory->data() );
-    pid = inst->primaryPid;
-    memory->unlock();
-
-    return pid;
-}
-
-QString SingleApplicationPrivate::primaryUser() const
-{
-    QByteArray username;
-
-    memory->lock();
-    auto *inst = static_cast<InstancesInfo*>( memory->data() );
-    username = inst->primaryUser;
-    memory->unlock();
-
-    return QString::fromUtf8( username );
-}
-
-/**
- * @brief Executed when a connection has been made to the LocalServer
- */
-void SingleApplicationPrivate::slotConnectionEstablished()
-{
-    QLocalSocket *nextConnSocket = server->nextPendingConnection();
-    connectionMap.insert(nextConnSocket, ConnectionInfo());
-
-    QObject::connect(nextConnSocket, &QLocalSocket::aboutToClose,
-        [nextConnSocket, this](){
-            auto &info = connectionMap[nextConnSocket];
-            Q_EMIT this->slotClientConnectionClosed( nextConnSocket, info.instanceId );
-        }
-    );
-
-    QObject::connect(nextConnSocket, &QLocalSocket::disconnected, nextConnSocket, &QLocalSocket::deleteLater);
-
-    QObject::connect(nextConnSocket, &QLocalSocket::destroyed,
-        [nextConnSocket, this](){
-            connectionMap.remove(nextConnSocket);
-        }
-    );
-
-    QObject::connect(nextConnSocket, &QLocalSocket::readyRead,
-        [nextConnSocket, this](){
-            auto &info = connectionMap[nextConnSocket];
-            switch(info.stage){
-            case StageHeader:
-                readInitMessageHeader(nextConnSocket);
-                break;
-            case StageBody:
-                readInitMessageBody(nextConnSocket);
-                break;
-            case StageConnected:
-                Q_EMIT this->slotDataAvailable( nextConnSocket, info.instanceId );
-                break;
-            default:
-                break;
-            };
-        }
-    );
-}
-
-void SingleApplicationPrivate::readInitMessageHeader( QLocalSocket *sock )
-{
-    if (!connectionMap.contains( sock )){
-        return;
-    }
-
-    if( sock->bytesAvailable() < ( qint64 )sizeof( quint64 ) ){
-        return;
-    }
-
-    QDataStream headerStream( sock );
-
-#if (QT_VERSION >= QT_VERSION_CHECK(5, 6, 0))
-    headerStream.setVersion( QDataStream::Qt_5_6 );
-#endif
-
-    // Read the header to know the message length
-    quint64 msgLen = 0;
-    headerStream >> msgLen;
-    ConnectionInfo &info = connectionMap[sock];
-    info.stage = StageBody;
-    info.msgLen = msgLen;
-
-    if ( sock->bytesAvailable() >= (qint64) msgLen ){
-        readInitMessageBody( sock );
-    }
-}
-
-void SingleApplicationPrivate::readInitMessageBody( QLocalSocket *sock )
-{
-    Q_Q(SingleApplication);
-
-    if (!connectionMap.contains( sock )){
-        return;
-    }
-
-    ConnectionInfo &info = connectionMap[sock];
-    if( sock->bytesAvailable() < ( qint64 )info.msgLen ){
-        return;
-    }
-
-    // Read the message body
-    QByteArray msgBytes = sock->read(info.msgLen);
-    QDataStream readStream(msgBytes);
-
-#if (QT_VERSION >= QT_VERSION_CHECK(5, 6, 0))
-    readStream.setVersion( QDataStream::Qt_5_6 );
-#endif
-
-    // server name
-    QByteArray latin1Name;
-    readStream >> latin1Name;
-
-    // connection type
-    ConnectionType connectionType = InvalidConnection;
-    quint8 connTypeVal = InvalidConnection;
-    readStream >> connTypeVal;
-    connectionType = static_cast <ConnectionType>( connTypeVal );
-
-    // instance id
-    quint32 instanceId = 0;
-    readStream >> instanceId;
-
-    // checksum
-    quint16 msgChecksum = 0;
-    readStream >> msgChecksum;
-
-#if QT_VERSION >= QT_VERSION_CHECK(6, 0, 0)
-    const quint16 actualChecksum = qChecksum(QByteArray(msgBytes, static_cast<quint32>(msgBytes.length() - sizeof(quint16))));
-#else
-    const quint16 actualChecksum = qChecksum(msgBytes.constData(), static_cast<quint32>(msgBytes.length() - sizeof(quint16)));
-#endif
-
-    bool isValid = readStream.status() == QDataStream::Ok &&
-                   QLatin1String(latin1Name) == blockServerName &&
-                   msgChecksum == actualChecksum;
-
-    if( !isValid ){
-        sock->close();
-        return;
-    }
-
-    info.instanceId = instanceId;
-    info.stage = StageConnected;
-
-    if( connectionType == NewInstance ||
-        ( connectionType == SecondaryInstance &&
-          options & SingleApplication::Mode::SecondaryNotification ) )
-    {
-        Q_EMIT q->instanceStarted();
-    }
-
-    if (sock->bytesAvailable() > 0){
-        Q_EMIT this->slotDataAvailable( sock, instanceId );
-    }
-}
-
-void SingleApplicationPrivate::slotDataAvailable( QLocalSocket *dataSocket, quint32 instanceId )
-{
-    Q_Q(SingleApplication);
-    Q_EMIT q->receivedMessage( instanceId, dataSocket->readAll() );
-}
-
-void SingleApplicationPrivate::slotClientConnectionClosed( QLocalSocket *closedSocket, quint32 instanceId )
-{
-    if( closedSocket->bytesAvailable() > 0 )
-        Q_EMIT slotDataAvailable( closedSocket, instanceId  );
-}
-
-void SingleApplicationPrivate::randomSleep()
-{
-#if QT_VERSION >= QT_VERSION_CHECK( 5, 10, 0 )
-    QThread::msleep( QRandomGenerator::global()->bounded( 8u, 18u ));
-#else
-    qsrand( QDateTime::currentMSecsSinceEpoch() % std::numeric_limits<uint>::max() );
-    QThread::msleep( 8 + static_cast <unsigned long>( static_cast <float>( qrand() ) / RAND_MAX * 10 ));
-#endif
-}
-
-void SingleApplicationPrivate::addAppData(const QString &data)
-{
-    appDataList.push_back(data);
-}
-
-QStringList SingleApplicationPrivate::appData() const
-{
-    return appDataList;
-}

client/3rd/SingleApplication/singleapplication_p.h

@@ -1,104 +0,0 @@
-// The MIT License (MIT)
-//
-// Copyright (c) Itay Grudev 2015 - 2020
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-
-//
-//  W A R N I N G !!!
-//  -----------------
-//
-// This file is not part of the SingleApplication API. It is used purely as an
-// implementation detail. This header file may change from version to
-// version without notice, or may even be removed.
-//
-
-#ifndef SINGLEAPPLICATION_P_H
-#define SINGLEAPPLICATION_P_H
-
-#include <QtCore/QSharedMemory>
-#include <QtNetwork/QLocalServer>
-#include <QtNetwork/QLocalSocket>
-#include "singleapplication.h"
-
-struct InstancesInfo {
-    bool primary;
-    quint32 secondary;
-    qint64 primaryPid;
-    char primaryUser[128];
-    quint16 checksum; // Must be the last field
-};
-
-struct ConnectionInfo {
-    qint64 msgLen = 0;
-    quint32 instanceId = 0;
-    quint8 stage = 0;
-};
-
-class SingleApplicationPrivate : public QObject {
-Q_OBJECT
-public:
-    enum ConnectionType : quint8 {
-        InvalidConnection = 0,
-        NewInstance = 1,
-        SecondaryInstance = 2,
-        Reconnect = 3
-    };
-    enum ConnectionStage : quint8 {
-        StageHeader = 0,
-        StageBody = 1,
-        StageConnected = 2,
-    };
-    Q_DECLARE_PUBLIC(SingleApplication)
-
-    SingleApplicationPrivate( SingleApplication *q_ptr );
-    ~SingleApplicationPrivate() override;
-
-    static QString getUsername();
-    void genBlockServerName();
-    void initializeMemoryBlock() const;
-    void startPrimary();
-    void startSecondary();
-    bool connectToPrimary( int msecs, ConnectionType connectionType );
-    quint16 blockChecksum() const;
-    qint64 primaryPid() const;
-    QString primaryUser() const;
-    void readInitMessageHeader(QLocalSocket *socket);
-    void readInitMessageBody(QLocalSocket *socket);
-    static void randomSleep();
-    void addAppData(const QString &data);
-    QStringList appData() const;
-
-    SingleApplication *q_ptr;
-    QSharedMemory *memory;
-    QLocalSocket *socket;
-    QLocalServer *server;
-    quint32 instanceNumber;
-    QString blockServerName;
-    SingleApplication::Options options;
-    QMap<QLocalSocket*, ConnectionInfo> connectionMap;
-    QStringList appDataList;
-
-public Q_SLOTS:
-    void slotConnectionEstablished();
-    void slotDataAvailable( QLocalSocket*, quint32 );
-    void slotClientConnectionClosed( QLocalSocket*, quint32 );
-};
-
-#endif // SINGLEAPPLICATION_P_H

client/CMakeLists.txt

@@ -25,14 +25,11 @@ execute_process(
 add_definitions(-DGIT_COMMIT_HASH="${GIT_COMMIT_HASH}")
 
 add_definitions(-DPROD_AGW_PUBLIC_KEY="$ENV{PROD_AGW_PUBLIC_KEY}")
-add_definitions(-DPROD_PROXY_STORAGE_KEY="$ENV{PROD_PROXY_STORAGE_KEY}")
+add_definitions(-DPROD_S3_ENDPOINT="$ENV{PROD_S3_ENDPOINT}")
 
 add_definitions(-DDEV_AGW_PUBLIC_KEY="$ENV{DEV_AGW_PUBLIC_KEY}")
 add_definitions(-DDEV_AGW_ENDPOINT="$ENV{DEV_AGW_ENDPOINT}")
-
-if(IOS)
-    set(PACKAGES ${PACKAGES} Multimedia)
-endif()
+add_definitions(-DDEV_S3_ENDPOINT="$ENV{DEV_S3_ENDPOINT}")
 
 if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
     set(PACKAGES ${PACKAGES} Widgets)
@@ -47,10 +44,6 @@ set(LIBS ${LIBS}
     Qt6::Core5Compat Qt6::Concurrent
 )
 
-if(IOS)
-    set(LIBS ${LIBS} Qt6::Multimedia)
-endif()
-
 if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
     set(LIBS ${LIBS} Qt6::Widgets)
 endif()
@@ -95,11 +88,6 @@ configure_file(${CMAKE_CURRENT_LIST_DIR}/translations/translations.qrc.in ${CMAK
 qt6_add_resources(QRC ${I18NQRC} ${CMAKE_CURRENT_BINARY_DIR}/translations.qrc)
 # -- i18n end
 
-if(IOS)
-    execute_process(COMMAND bash ${CMAKE_CURRENT_LIST_DIR}/ios/scripts/openvpn.sh args
-        WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR})
-endif()
-
 set(IS_CI ${CI})
 if(IS_CI)
     message("Detected CI env")
@@ -109,8 +97,8 @@ if(IS_CI)
     endif()
 endif()
 
-
 include(${CMAKE_CURRENT_LIST_DIR}/cmake/3rdparty.cmake)
+include(${CMAKE_CURRENT_LIST_DIR}/cmake/sources.cmake)
 
 include_directories(
     ${CMAKE_CURRENT_LIST_DIR}/../ipc
@@ -119,165 +107,22 @@ include_directories(
     ${CMAKE_CURRENT_BINARY_DIR}
 )
 
-configure_file(${CMAKE_CURRENT_LIST_DIR}/../version.h.in ${CMAKE_CURRENT_BINARY_DIR}/version.h)
-
-set(HEADERS ${HEADERS}
-    ${CMAKE_CURRENT_LIST_DIR}/migrations.h
-    ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc.h
-    ${CMAKE_CURRENT_LIST_DIR}/amnezia_application.h
-    ${CMAKE_CURRENT_LIST_DIR}/containers/containers_defs.h
-    ${CMAKE_CURRENT_LIST_DIR}/core/defs.h
-    ${CMAKE_CURRENT_LIST_DIR}/core/errorstrings.h
-    ${CMAKE_CURRENT_LIST_DIR}/core/scripts_registry.h
-    ${CMAKE_CURRENT_LIST_DIR}/core/server_defs.h
-    ${CMAKE_CURRENT_LIST_DIR}/core/controllers/apiController.h
-    ${CMAKE_CURRENT_LIST_DIR}/core/controllers/serverController.h
-    ${CMAKE_CURRENT_LIST_DIR}/core/controllers/vpnConfigurationController.h
-    ${CMAKE_CURRENT_LIST_DIR}/protocols/protocols_defs.h
-    ${CMAKE_CURRENT_LIST_DIR}/protocols/qml_register_protocols.h
-    ${CMAKE_CURRENT_LIST_DIR}/ui/pages.h
-    ${CMAKE_CURRENT_LIST_DIR}/ui/qautostart.h
-    ${CMAKE_CURRENT_LIST_DIR}/protocols/vpnprotocol.h
-    ${CMAKE_CURRENT_BINARY_DIR}/version.h
-    ${CMAKE_CURRENT_LIST_DIR}/core/sshclient.h
-    ${CMAKE_CURRENT_LIST_DIR}/core/networkUtilities.h
-    ${CMAKE_CURRENT_LIST_DIR}/core/serialization/serialization.h
-    ${CMAKE_CURRENT_LIST_DIR}/core/serialization/transfer.h
-    ${CMAKE_CURRENT_LIST_DIR}/core/enums/apiEnums.h
-    ${CMAKE_CURRENT_LIST_DIR}/../common/logger/logger.h
-)
-
-# Mozilla headres
-set(HEADERS ${HEADERS}
-    ${CMAKE_CURRENT_LIST_DIR}/mozilla/models/server.h
-    ${CMAKE_CURRENT_LIST_DIR}/mozilla/shared/ipaddress.h
-    ${CMAKE_CURRENT_LIST_DIR}/mozilla/shared/leakdetector.h
-    ${CMAKE_CURRENT_LIST_DIR}/mozilla/controllerimpl.h
-    ${CMAKE_CURRENT_LIST_DIR}/mozilla/localsocketcontroller.h
-)
-
 include_directories(mozilla)
 include_directories(mozilla/shared)
 include_directories(mozilla/models)
 
-if(NOT IOS)
-    set(HEADERS ${HEADERS}
-        ${CMAKE_CURRENT_LIST_DIR}/platforms/ios/QRCodeReaderBase.h
-    )
-endif()
-
-if(NOT ANDROID)
-    set(HEADERS ${HEADERS}
-        ${CMAKE_CURRENT_LIST_DIR}/ui/notificationhandler.h
-    )
-endif()
-
-set(SOURCES ${SOURCES}
-    ${CMAKE_CURRENT_LIST_DIR}/migrations.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/amnezia_application.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/containers/containers_defs.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/errorstrings.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/scripts_registry.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/server_defs.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/controllers/apiController.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/controllers/serverController.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/controllers/vpnConfigurationController.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/protocols/protocols_defs.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/ui/qautostart.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/protocols/vpnprotocol.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/sshclient.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/networkUtilities.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/serialization/outbound.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/serialization/inbound.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/serialization/ss.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/serialization/ssd.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/serialization/vless.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/serialization/trojan.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/serialization/vmess.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/core/serialization/vmess_new.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/../common/logger/logger.cpp
-)
-
-# Mozilla sources
-set(SOURCES ${SOURCES}
-    ${CMAKE_CURRENT_LIST_DIR}/mozilla/models/server.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/mozilla/shared/ipaddress.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/mozilla/shared/leakdetector.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/mozilla/localsocketcontroller.cpp
-)
+configure_file(${CMAKE_CURRENT_LIST_DIR}/../version.h.in ${CMAKE_CURRENT_BINARY_DIR}/version.h)
 
 if(CMAKE_BUILD_TYPE STREQUAL "Debug")
     target_compile_definitions(${PROJECT} PRIVATE "MZ_DEBUG")
 endif()
 
-if(NOT IOS)
-    set(SOURCES ${SOURCES}
-        ${CMAKE_CURRENT_LIST_DIR}/platforms/ios/QRCodeReaderBase.cpp
-    )
-endif()
-
-if(NOT ANDROID)
-    set(SOURCES ${SOURCES}
-        ${CMAKE_CURRENT_LIST_DIR}/ui/notificationhandler.cpp
-    )
-endif()
-
-file(GLOB COMMON_FILES_H CONFIGURE_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/*.h)
-file(GLOB COMMON_FILES_CPP CONFIGURE_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/*.cpp)
-
-file(GLOB_RECURSE PAGE_LOGIC_H CONFIGURE_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/ui/pages_logic/*.h)
-file(GLOB_RECURSE PAGE_LOGIC_CPP CONFIGURE_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/ui/pages_logic/*.cpp)
-
-file(GLOB CONFIGURATORS_H CONFIGURE_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/configurators/*.h)
-file(GLOB CONFIGURATORS_CPP CONFIGURE_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/configurators/*.cpp)
-
-file(GLOB UI_MODELS_H CONFIGURE_DEPENDS
-    ${CMAKE_CURRENT_LIST_DIR}/ui/models/*.h
-    ${CMAKE_CURRENT_LIST_DIR}/ui/models/protocols/*.h
-    ${CMAKE_CURRENT_LIST_DIR}/ui/models/services/*.h
-)
-file(GLOB UI_MODELS_CPP CONFIGURE_DEPENDS
-    ${CMAKE_CURRENT_LIST_DIR}/ui/models/*.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/ui/models/protocols/*.cpp
-    ${CMAKE_CURRENT_LIST_DIR}/ui/models/services/*.cpp
-)
-
-file(GLOB UI_CONTROLLERS_H CONFIGURE_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/ui/controllers/*.h)
-file(GLOB UI_CONTROLLERS_CPP CONFIGURE_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/ui/controllers/*.cpp)
-
-set(HEADERS ${HEADERS}
-    ${COMMON_FILES_H}
-    ${PAGE_LOGIC_H}
-    ${CONFIGURATORS_H}
-    ${UI_MODELS_H}
-    ${UI_CONTROLLERS_H}
-)
-set(SOURCES ${SOURCES}
-    ${COMMON_FILES_CPP}
-    ${PAGE_LOGIC_CPP}
-    ${CONFIGURATORS_CPP}
-    ${UI_MODELS_CPP}
-    ${UI_CONTROLLERS_CPP}
-)
-
 if(WIN32)
     configure_file(
         ${CMAKE_CURRENT_LIST_DIR}/platforms/windows/amneziavpn.rc.in
         ${CMAKE_CURRENT_BINARY_DIR}/amneziavpn.rc
     )
 
-    set(HEADERS ${HEADERS}
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/ikev2_vpn_protocol_windows.h
-    )
-
-    set(SOURCES ${SOURCES}
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/ikev2_vpn_protocol_windows.cpp
-    )
-
-    set(RESOURCES ${RESOURCES}
-        ${CMAKE_CURRENT_BINARY_DIR}/amneziavpn.rc
-    )
-
     set(LIBS ${LIBS}
         user32
         rasapi32
@@ -321,30 +166,6 @@ endif()
 if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
     message("Client desktop build")
     add_compile_definitions(AMNEZIA_DESKTOP)
-
-    set(HEADERS ${HEADERS}
-        ${CMAKE_CURRENT_LIST_DIR}/core/ipcclient.h
-        ${CMAKE_CURRENT_LIST_DIR}/core/privileged_process.h
-        ${CMAKE_CURRENT_LIST_DIR}/ui/systemtray_notificationhandler.h
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/openvpnprotocol.h
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/openvpnovercloakprotocol.h
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/shadowsocksvpnprotocol.h
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/wireguardprotocol.h
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/xrayprotocol.h
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/awgprotocol.h
-    )
-
-    set(SOURCES ${SOURCES}
-        ${CMAKE_CURRENT_LIST_DIR}/core/ipcclient.cpp
-        ${CMAKE_CURRENT_LIST_DIR}/core/privileged_process.cpp
-        ${CMAKE_CURRENT_LIST_DIR}/ui/systemtray_notificationhandler.cpp
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/openvpnprotocol.cpp
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/openvpnovercloakprotocol.cpp
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/shadowsocksvpnprotocol.cpp
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/wireguardprotocol.cpp
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/xrayprotocol.cpp
-        ${CMAKE_CURRENT_LIST_DIR}/protocols/awgprotocol.cpp
-    )
 endif()
 
 if(ANDROID)

client/amnezia_application.cpp

@@ -2,6 +2,8 @@
 
 #include <QClipboard>
 #include <QFontDatabase>
+#include <QLocalServer>
+#include <QLocalSocket>
 #include <QMimeData>
 #include <QQuickItem>
 #include <QQuickStyle>
@@ -12,29 +14,15 @@
 #include <QTranslator>
 
 #include "logger.h"
+#include "ui/controllers/pageController.h"
 #include "ui/models/installedAppsModel.h"
 #include "version.h"
 
 #include "platforms/ios/QRCodeReaderBase.h"
-#if defined(Q_OS_ANDROID)
-    #include "core/installedAppsImageProvider.h"
-    #include "platforms/android/android_controller.h"
-#endif
 
 #include "protocols/qml_register_protocols.h"
 
-#if defined(Q_OS_IOS)
-    #include "platforms/ios/ios_controller.h"
-    #include <AmneziaVPN-Swift.h>
-#endif
-
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
 AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_CLASS(argc, argv)
-#else
-AmneziaApplication::AmneziaApplication(int &argc, char *argv[], bool allowSecondary, SingleApplication::Options options, int timeout,
-                                       const QString &userData)
-    : SingleApplication(argc, argv, allowSecondary, options, timeout, userData)
-#endif
 {
     setQuitOnLastWindowClosed(false);
 
@@ -88,78 +76,12 @@ void AmneziaApplication::init()
     m_vpnConnection->moveToThread(&m_vpnConnectionThread);
     m_vpnConnectionThread.start();
 
-    initModels();
-    loadTranslator();
-    initControllers();
-
-#ifdef Q_OS_ANDROID
-    if (!AndroidController::initLogging()) {
-        qFatal("Android logging initialization failed");
-    }
-    AndroidController::instance()->setSaveLogs(m_settings->isSaveLogs());
-    connect(m_settings.get(), &Settings::saveLogsChanged, AndroidController::instance(), &AndroidController::setSaveLogs);
-
-    AndroidController::instance()->setScreenshotsEnabled(m_settings->isScreenshotsEnabled());
-    connect(m_settings.get(), &Settings::screenshotsEnabledChanged, AndroidController::instance(), &AndroidController::setScreenshotsEnabled);
-
-    connect(m_settings.get(), &Settings::serverRemoved, AndroidController::instance(), &AndroidController::resetLastServer);
-
-    connect(m_settings.get(), &Settings::settingsCleared, []() { AndroidController::instance()->resetLastServer(-1); });
-
-    connect(AndroidController::instance(), &AndroidController::initConnectionState, this, [this](Vpn::ConnectionState state) {
-        m_connectionController->onConnectionStateChanged(state);
-        if (m_vpnConnection)
-            m_vpnConnection->restoreConnection();
-    });
-    if (!AndroidController::instance()->initialize()) {
-        qFatal("Android controller initialization failed");
-    }
-
-    connect(AndroidController::instance(), &AndroidController::importConfigFromOutside, [this](QString data) {
-        m_pageController->goToPageHome();
-        m_importController->extractConfigFromData(data);
-        m_pageController->goToPageViewConfig();
-    });
-
-    m_engine->addImageProvider(QLatin1String("installedAppImage"), new InstalledAppsImageProvider);
-#endif
-
-#ifdef Q_OS_IOS
-    IosController::Instance()->initialize();
-    connect(IosController::Instance(), &IosController::importConfigFromOutside, [this](QString data) {
-        m_pageController->goToPageHome();
-        m_importController->extractConfigFromData(data);
-        m_pageController->goToPageViewConfig();
-    });
-
-    connect(IosController::Instance(), &IosController::importBackupFromOutside, [this](QString filePath) {
-        m_pageController->goToPageHome();
-        m_pageController->goToPageSettingsBackup();
-        m_settingsController->importBackupFromOutside(filePath);
-    });
-
-    QTimer::singleShot(0, this, [this]() { AmneziaVPN::toggleScreenshots(m_settings->isScreenshotsEnabled()); });
-
-    connect(m_settings.get(), &Settings::screenshotsEnabledChanged, [](bool enabled) { AmneziaVPN::toggleScreenshots(enabled); });
-#endif
-
-#ifndef Q_OS_ANDROID
-    m_notificationHandler.reset(NotificationHandler::create(nullptr));
-
-    connect(m_vpnConnection.get(), &VpnConnection::connectionStateChanged, m_notificationHandler.get(),
-            &NotificationHandler::setConnectionState);
-
-    connect(m_notificationHandler.get(), &NotificationHandler::raiseRequested, m_pageController.get(), &PageController::raiseMainWindow);
-    connect(m_notificationHandler.get(), &NotificationHandler::connectRequested, m_connectionController.get(),
-            static_cast<void (ConnectionController::*)()>(&ConnectionController::openConnection));
-    connect(m_notificationHandler.get(), &NotificationHandler::disconnectRequested, m_connectionController.get(),
-            &ConnectionController::closeConnection);
-    connect(this, &AmneziaApplication::translationsUpdated, m_notificationHandler.get(), &NotificationHandler::onTranslationsUpdated);
-#endif
+    m_coreController.reset(new CoreController(m_vpnConnection, m_settings, m_engine));
 
     m_engine->addImportPath("qrc:/ui/qml/Modules/");
     m_engine->load(url);
-    m_systemController->setQmlRoot(m_engine->rootObjects().value(0));
+
+    m_coreController->setQmlRoot();
 
     bool enabled = m_settings->isSaveLogs();
 #ifndef Q_OS_ANDROID
@@ -171,23 +93,13 @@ void AmneziaApplication::init()
 #endif
     Logger::setServiceLogsEnabled(enabled);
 
-#ifdef Q_OS_WIN
+#ifdef Q_OS_WIN //TODO
     if (m_parser.isSet("a"))
-        m_pageController->showOnStartup();
+        m_coreController->pageController()->showOnStartup();
     else
-        emit m_pageController->raiseMainWindow();
+        emit m_coreController->pageController()->raiseMainWindow();
 #else
-    m_pageController->showOnStartup();
-#endif
-
-        // TODO - fix
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
-    if (isPrimary()) {
-        QObject::connect(this, &SingleApplication::instanceStarted, m_pageController.get(), [this]() {
-            qDebug() << "Secondary instance started, showing this window instead";
-            emit m_pageController->raiseMainWindow();
-        });
-    }
+    m_coreController->pageController()->showOnStartup();
 #endif
 
 // Android TextArea clipboard workaround
@@ -244,33 +156,6 @@ void AmneziaApplication::loadFonts()
     QFontDatabase::addApplicationFont(":/fonts/pt-root-ui_vf.ttf");
 }
 
-void AmneziaApplication::loadTranslator()
-{
-    auto locale = m_settings->getAppLanguage();
-    m_translator.reset(new QTranslator());
-    updateTranslator(locale);
-}
-
-void AmneziaApplication::updateTranslator(const QLocale &locale)
-{
-    if (!m_translator->isEmpty()) {
-        QCoreApplication::removeTranslator(m_translator.get());
-    }
-
-    QString strFileName = QString(":/translations/amneziavpn") + QLatin1String("_") + locale.name() + ".qm";
-    if (m_translator->load(strFileName)) {
-        if (QCoreApplication::installTranslator(m_translator.get())) {
-            m_settings->setAppLanguage(locale);
-        }
-    } else {
-        m_settings->setAppLanguage(QLocale::English);
-    }
-
-    m_engine->retranslate();
-
-    emit translationsUpdated();
-}
-
 bool AmneziaApplication::parseCommands()
 {
     m_parser.setApplicationDescription(APPLICATION_NAME);
@@ -294,165 +179,36 @@ bool AmneziaApplication::parseCommands()
     return true;
 }
 
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+void AmneziaApplication::startLocalServer()
+{
+    const QString serverName("AmneziaVPNInstance");
+    QLocalServer::removeServer(serverName);
+
+    QLocalServer *server = new QLocalServer(this);
+    server->listen(serverName);
+
+    QObject::connect(server, &QLocalServer::newConnection, this, [server, this]() {
+        if (server) {
+            QLocalSocket *clientConnection = server->nextPendingConnection();
+            clientConnection->deleteLater();
+        }
+        emit m_coreController->pageController()->raiseMainWindow(); //TODO
+    });
+}
+#endif
+
 QQmlApplicationEngine *AmneziaApplication::qmlEngine() const
 {
     return m_engine;
 }
 
-void AmneziaApplication::initModels()
+QNetworkAccessManager *AmneziaApplication::networkManager()
 {
-    m_containersModel.reset(new ContainersModel(this));
-    m_engine->rootContext()->setContextProperty("ContainersModel", m_containersModel.get());
-
-    m_defaultServerContainersModel.reset(new ContainersModel(this));
-    m_engine->rootContext()->setContextProperty("DefaultServerContainersModel", m_defaultServerContainersModel.get());
-
-    m_serversModel.reset(new ServersModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("ServersModel", m_serversModel.get());
-    connect(m_serversModel.get(), &ServersModel::containersUpdated, m_containersModel.get(), &ContainersModel::updateModel);
-    connect(m_serversModel.get(), &ServersModel::defaultServerContainersUpdated, m_defaultServerContainersModel.get(),
-            &ContainersModel::updateModel);
-    m_serversModel->resetModel();
-
-    m_languageModel.reset(new LanguageModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("LanguageModel", m_languageModel.get());
-    connect(m_languageModel.get(), &LanguageModel::updateTranslations, this, &AmneziaApplication::updateTranslator);
-    connect(this, &AmneziaApplication::translationsUpdated, m_languageModel.get(), &LanguageModel::translationsUpdated);
-
-    m_sitesModel.reset(new SitesModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("SitesModel", m_sitesModel.get());
-
-    m_appSplitTunnelingModel.reset(new AppSplitTunnelingModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("AppSplitTunnelingModel", m_appSplitTunnelingModel.get());
-
-    m_protocolsModel.reset(new ProtocolsModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("ProtocolsModel", m_protocolsModel.get());
-
-    m_openVpnConfigModel.reset(new OpenVpnConfigModel(this));
-    m_engine->rootContext()->setContextProperty("OpenVpnConfigModel", m_openVpnConfigModel.get());
-
-    m_shadowSocksConfigModel.reset(new ShadowSocksConfigModel(this));
-    m_engine->rootContext()->setContextProperty("ShadowSocksConfigModel", m_shadowSocksConfigModel.get());
-
-    m_cloakConfigModel.reset(new CloakConfigModel(this));
-    m_engine->rootContext()->setContextProperty("CloakConfigModel", m_cloakConfigModel.get());
-
-    m_wireGuardConfigModel.reset(new WireGuardConfigModel(this));
-    m_engine->rootContext()->setContextProperty("WireGuardConfigModel", m_wireGuardConfigModel.get());
-
-    m_awgConfigModel.reset(new AwgConfigModel(this));
-    m_engine->rootContext()->setContextProperty("AwgConfigModel", m_awgConfigModel.get());
-
-    m_xrayConfigModel.reset(new XrayConfigModel(this));
-    m_engine->rootContext()->setContextProperty("XrayConfigModel", m_xrayConfigModel.get());
-
-#ifdef Q_OS_WINDOWS
-    m_ikev2ConfigModel.reset(new Ikev2ConfigModel(this));
-    m_engine->rootContext()->setContextProperty("Ikev2ConfigModel", m_ikev2ConfigModel.get());
-#endif
-
-    m_sftpConfigModel.reset(new SftpConfigModel(this));
-    m_engine->rootContext()->setContextProperty("SftpConfigModel", m_sftpConfigModel.get());
-
-    m_socks5ConfigModel.reset(new Socks5ProxyConfigModel(this));
-    m_engine->rootContext()->setContextProperty("Socks5ProxyConfigModel", m_socks5ConfigModel.get());
-
-    m_clientManagementModel.reset(new ClientManagementModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("ClientManagementModel", m_clientManagementModel.get());
-    connect(m_clientManagementModel.get(), &ClientManagementModel::adminConfigRevoked, m_serversModel.get(),
-            &ServersModel::clearCachedProfile);
-
-    m_apiServicesModel.reset(new ApiServicesModel(this));
-    m_engine->rootContext()->setContextProperty("ApiServicesModel", m_apiServicesModel.get());
-
-    m_apiCountryModel.reset(new ApiCountryModel(this));
-    m_engine->rootContext()->setContextProperty("ApiCountryModel", m_apiCountryModel.get());
-    connect(m_serversModel.get(), &ServersModel::updateApiLanguageModel, this, [this]() {
-        m_apiCountryModel->updateModel(m_serversModel->getProcessedServerData("apiAvailableCountries").toJsonArray(),
-                                       m_serversModel->getProcessedServerData("apiServerCountryCode").toString());
-    });
-    connect(m_serversModel.get(), &ServersModel::updateApiServicesModel, this,
-            [this]() { m_apiServicesModel->updateModel(m_serversModel->getProcessedServerData("apiConfig").toJsonObject()); });
+    return m_nam;
 }
 
-void AmneziaApplication::initControllers()
+QClipboard *AmneziaApplication::getClipboard()
 {
-    m_connectionController.reset(
-            new ConnectionController(m_serversModel, m_containersModel, m_clientManagementModel, m_vpnConnection, m_settings));
-    m_engine->rootContext()->setContextProperty("ConnectionController", m_connectionController.get());
-
-    connect(m_connectionController.get(), qOverload<const QString &>(&ConnectionController::connectionErrorOccurred), this,
-            [this](const QString &errorMessage) {
-                emit m_pageController->showErrorMessage(errorMessage);
-                emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
-            });
-
-    connect(m_connectionController.get(), qOverload<ErrorCode>(&ConnectionController::connectionErrorOccurred), this,
-            [this](ErrorCode errorCode) {
-                emit m_pageController->showErrorMessage(errorCode);
-                emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
-            });
-
-    connect(m_connectionController.get(), &ConnectionController::connectButtonClicked, m_connectionController.get(),
-            &ConnectionController::toggleConnection, Qt::QueuedConnection);
-
-    m_pageController.reset(new PageController(m_serversModel, m_settings));
-    m_engine->rootContext()->setContextProperty("PageController", m_pageController.get());
-
-    m_installController.reset(new InstallController(m_serversModel, m_containersModel, m_protocolsModel, m_clientManagementModel,
-                                                    m_apiServicesModel, m_settings));
-    m_engine->rootContext()->setContextProperty("InstallController", m_installController.get());
-    connect(m_installController.get(), &InstallController::passphraseRequestStarted, m_pageController.get(),
-            &PageController::showPassphraseRequestDrawer);
-    connect(m_pageController.get(), &PageController::passphraseRequestDrawerClosed, m_installController.get(),
-            &InstallController::setEncryptedPassphrase);
-    connect(m_installController.get(), &InstallController::currentContainerUpdated, m_connectionController.get(),
-            &ConnectionController::onCurrentContainerUpdated);
-
-    connect(m_installController.get(), &InstallController::updateServerFromApiFinished, this, [this]() {
-        disconnect(m_reloadConfigErrorOccurredConnection);
-        emit m_connectionController->configFromApiUpdated();
-    });
-
-    connect(m_connectionController.get(), &ConnectionController::updateApiConfigFromGateway, this, [this]() {
-        m_reloadConfigErrorOccurredConnection = connect(
-                m_installController.get(), qOverload<ErrorCode>(&InstallController::installationErrorOccurred), this,
-                [this]() { emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected); },
-                static_cast<Qt::ConnectionType>(Qt::AutoConnection || Qt::SingleShotConnection));
-        m_installController->updateServiceFromApi(m_serversModel->getDefaultServerIndex(), "", "");
-    });
-
-    connect(m_connectionController.get(), &ConnectionController::updateApiConfigFromTelegram, this, [this]() {
-        m_reloadConfigErrorOccurredConnection = connect(
-                m_installController.get(), qOverload<ErrorCode>(&InstallController::installationErrorOccurred), this,
-                [this]() { emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected); },
-                static_cast<Qt::ConnectionType>(Qt::AutoConnection || Qt::SingleShotConnection));
-        m_serversModel->removeApiConfig(m_serversModel->getDefaultServerIndex());
-        m_installController->updateServiceFromTelegram(m_serversModel->getDefaultServerIndex());
-    });
-
-    connect(this, &AmneziaApplication::translationsUpdated, m_connectionController.get(), &ConnectionController::onTranslationsUpdated);
-
-    m_importController.reset(new ImportController(m_serversModel, m_containersModel, m_settings));
-    m_engine->rootContext()->setContextProperty("ImportController", m_importController.get());
-
-    m_exportController.reset(new ExportController(m_serversModel, m_containersModel, m_clientManagementModel, m_settings));
-    m_engine->rootContext()->setContextProperty("ExportController", m_exportController.get());
-
-    m_settingsController.reset(
-            new SettingsController(m_serversModel, m_containersModel, m_languageModel, m_sitesModel, m_appSplitTunnelingModel, m_settings));
-    m_engine->rootContext()->setContextProperty("SettingsController", m_settingsController.get());
-    if (m_settingsController->isAutoConnectEnabled() && m_serversModel->getDefaultServerIndex() >= 0) {
-        QTimer::singleShot(1000, this, [this]() { m_connectionController->openConnection(); });
-    }
-    connect(m_settingsController.get(), &SettingsController::amneziaDnsToggled, m_serversModel.get(), &ServersModel::toggleAmneziaDns);
-
-    m_sitesController.reset(new SitesController(m_settings, m_vpnConnection, m_sitesModel));
-    m_engine->rootContext()->setContextProperty("SitesController", m_sitesController.get());
-
-    m_appSplitTunnelingController.reset(new AppSplitTunnelingController(m_settings, m_appSplitTunnelingModel));
-    m_engine->rootContext()->setContextProperty("AppSplitTunnelingController", m_appSplitTunnelingController.get());
-
-    m_systemController.reset(new SystemController(m_settings));
-    m_engine->rootContext()->setContextProperty("SystemController", m_systemController.get());
+    return this->clipboard();
 }

client/amnezia_application.h

@@ -11,135 +11,55 @@
 #else
     #include <QApplication>
 #endif
+#include <QClipboard>
 
+#include "core/controllers/coreController.h"
 #include "settings.h"
 #include "vpnconnection.h"
 
-#include "ui/controllers/connectionController.h"
-#include "ui/controllers/exportController.h"
-#include "ui/controllers/importController.h"
-#include "ui/controllers/installController.h"
-#include "ui/controllers/pageController.h"
-#include "ui/controllers/settingsController.h"
-#include "ui/controllers/sitesController.h"
-#include "ui/controllers/systemController.h"
-#include "ui/controllers/appSplitTunnelingController.h"
-#include "ui/models/containers_model.h"
-#include "ui/models/languageModel.h"
-#include "ui/models/protocols/cloakConfigModel.h"
-#ifndef Q_OS_ANDROID
-    #include "ui/notificationhandler.h"
-#endif
-#ifdef Q_OS_WINDOWS
-    #include "ui/models/protocols/ikev2ConfigModel.h"
-#endif
-#include "ui/models/protocols/awgConfigModel.h"
-#include "ui/models/protocols/openvpnConfigModel.h"
-#include "ui/models/protocols/shadowsocksConfigModel.h"
-#include "ui/models/protocols/wireguardConfigModel.h"
-#include "ui/models/protocols/xrayConfigModel.h"
-#include "ui/models/protocols_model.h"
-#include "ui/models/servers_model.h"
-#include "ui/models/services/sftpConfigModel.h"
-#include "ui/models/services/socks5ProxyConfigModel.h"
-#include "ui/models/sites_model.h"
-#include "ui/models/clientManagementModel.h"
-#include "ui/models/appSplitTunnelingModel.h"
-#include "ui/models/apiServicesModel.h"
-#include "ui/models/apiCountryModel.h"
-
 #define amnApp (static_cast<AmneziaApplication *>(QCoreApplication::instance()))
 
 #if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
     #define AMNEZIA_BASE_CLASS QGuiApplication
 #else
-    #define AMNEZIA_BASE_CLASS SingleApplication
-    #define QAPPLICATION_CLASS QApplication
-    #include "singleapplication.h"
+    #define AMNEZIA_BASE_CLASS QApplication
 #endif
 
 class AmneziaApplication : public AMNEZIA_BASE_CLASS
 {
     Q_OBJECT
 public:
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
     AmneziaApplication(int &argc, char *argv[]);
-#else
-    AmneziaApplication(int &argc, char *argv[], bool allowSecondary = false,
-                       SingleApplication::Options options = SingleApplication::User, int timeout = 1000,
-                       const QString &userData = {});
-#endif
     virtual ~AmneziaApplication();
 
     void init();
     void registerTypes();
     void loadFonts();
-    void loadTranslator();
-    void updateTranslator(const QLocale &locale);
     bool parseCommands();
 
-    QQmlApplicationEngine *qmlEngine() const;
-    QNetworkAccessManager *manager() { return m_nam; }
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+    void startLocalServer();
+#endif
 
-signals:
-    void translationsUpdated();
+    QQmlApplicationEngine *qmlEngine() const;
+    QNetworkAccessManager *networkManager();
+    QClipboard *getClipboard();
 
 private:
-    void initModels();
-    void initControllers();
-
     QQmlApplicationEngine *m_engine {};
     std::shared_ptr<Settings> m_settings;
 
+    QScopedPointer<CoreController> m_coreController;
+
     QSharedPointer<ContainerProps> m_containerProps;
     QSharedPointer<ProtocolProps> m_protocolProps;
 
-    QSharedPointer<QTranslator> m_translator;
     QCommandLineParser m_parser;
 
-    QSharedPointer<ContainersModel> m_containersModel;
-    QSharedPointer<ContainersModel> m_defaultServerContainersModel;
-    QSharedPointer<ServersModel> m_serversModel;
-    QSharedPointer<LanguageModel> m_languageModel;
-    QSharedPointer<ProtocolsModel> m_protocolsModel;
-    QSharedPointer<SitesModel> m_sitesModel;
-    QSharedPointer<AppSplitTunnelingModel> m_appSplitTunnelingModel;
-    QSharedPointer<ClientManagementModel> m_clientManagementModel;
-    QSharedPointer<ApiServicesModel> m_apiServicesModel;
-    QSharedPointer<ApiCountryModel> m_apiCountryModel;
-
-    QScopedPointer<OpenVpnConfigModel> m_openVpnConfigModel;
-    QScopedPointer<ShadowSocksConfigModel> m_shadowSocksConfigModel;
-    QScopedPointer<CloakConfigModel> m_cloakConfigModel;
-    QScopedPointer<XrayConfigModel> m_xrayConfigModel;    
-    QScopedPointer<WireGuardConfigModel> m_wireGuardConfigModel;
-    QScopedPointer<AwgConfigModel> m_awgConfigModel;
-#ifdef Q_OS_WINDOWS
-    QScopedPointer<Ikev2ConfigModel> m_ikev2ConfigModel;
-#endif
-
-    QScopedPointer<SftpConfigModel> m_sftpConfigModel;
-    QScopedPointer<Socks5ProxyConfigModel> m_socks5ConfigModel;
-
     QSharedPointer<VpnConnection> m_vpnConnection;
     QThread m_vpnConnectionThread;
-#ifndef Q_OS_ANDROID
-    QScopedPointer<NotificationHandler> m_notificationHandler;
-#endif
-
-    QScopedPointer<ConnectionController> m_connectionController;
-    QScopedPointer<PageController> m_pageController;
-    QScopedPointer<InstallController> m_installController;
-    QScopedPointer<ImportController> m_importController;
-    QScopedPointer<ExportController> m_exportController;
-    QScopedPointer<SettingsController> m_settingsController;
-    QScopedPointer<SitesController> m_sitesController;
-    QScopedPointer<SystemController> m_systemController;
-    QScopedPointer<AppSplitTunnelingController> m_appSplitTunnelingController;
 
     QNetworkAccessManager *m_nam;
-
-    QMetaObject::Connection m_reloadConfigErrorOccurredConnection;
 };
 
 #endif // AMNEZIA_APPLICATION_H

client/android/AndroidManifest.xml

@@ -20,7 +20,7 @@
 
     <uses-permission android:name="android.permission.INTERNET" />
     <!-- To request network state -->
-    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" android:maxSdkVersion="30" />
+    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
     <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" android:maxSdkVersion="28" />
     <uses-permission android:name="android.permission.CAMERA" />
     <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
@@ -91,6 +91,13 @@
             android:exported="false"
             android:theme="@style/Translucent" />
 
+        <activity android:name=".TvFilePicker"
+            android:excludeFromRecents="true"
+            android:launchMode="singleTask"
+            android:taskAffinity=""
+            android:exported="false"
+            android:theme="@style/Translucent" />
+
         <activity
             android:name=".ImportConfigActivity"
             android:excludeFromRecents="true"

client/android/gradle.properties

@@ -33,7 +33,7 @@ android.library.defaults.buildfeatures.androidresources=false
 # For development copy and set local values for these parameters in local.properties
 #androidCompileSdkVersion=android-34
 #androidBuildToolsVersion=34.0.0
-#qtMinSdkVersion=24
+#qtMinSdkVersion=26
 #qtTargetSdkVersion=34
 #androidNdkVersion=26.1.10909125
 #qtTargetAbiList=x86_64

client/android/protocolApi/src/main/kotlin/Protocol.kt

@@ -1,6 +1,5 @@
 package org.amnezia.vpn.protocol
 
-import android.annotation.SuppressLint
 import android.content.Context
 import android.net.IpPrefix
 import android.net.VpnService
@@ -8,9 +7,6 @@ import android.net.VpnService.Builder
 import android.os.Build
 import android.system.OsConstants
 import androidx.annotation.RequiresApi
-import java.io.File
-import java.io.FileOutputStream
-import java.util.zip.ZipFile
 import kotlinx.coroutines.flow.MutableStateFlow
 import org.amnezia.vpn.util.Log
 import org.amnezia.vpn.util.net.InetNetwork

client/android/res/mipmap-anydpi-v26/ic_banner.xml

@@ -1,5 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<adaptive-icon xmlns:android="http://schemas.android.com/apk/res/android">
-    <background android:drawable="@color/ic_banner_background"/>
-    <foreground android:drawable="@mipmap/ic_banner_foreground"/>
-</adaptive-icon>

client/android/res/values-ru/strings.xml

@@ -23,4 +23,6 @@
     <string name="notificationSettingsDialogTitle">Настройки уведомлений</string>
     <string name="notificationSettingsDialogMessage">Для показа уведомлений необходимо включить уведомления в системных настройках</string>
     <string name="openNotificationSettings">Открыть настройки уведомлений</string>
+
+    <string name="tvNoFileBrowser">Пожалуйста, установите приложение для просмотра файлов</string>
 </resources>

client/android/res/values/ic_banner_background.xml

@@ -1,4 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<resources>
-    <color name="ic_banner_background">#1E1E1F</color>
-</resources>

client/android/res/values/strings.xml

@@ -23,4 +23,6 @@
     <string name="notificationSettingsDialogTitle">Notification settings</string>
     <string name="notificationSettingsDialogMessage">To show notifications, you must enable notifications in the system settings</string>
     <string name="openNotificationSettings">Open notification settings</string>
+
+    <string name="tvNoFileBrowser">Please install a file management utility to browse files</string>
 </resources>

client/android/src/org/amnezia/vpn/AmneziaActivity.kt

@@ -4,6 +4,7 @@ import android.Manifest
 import android.annotation.SuppressLint
 import android.app.AlertDialog
 import android.app.NotificationManager
+import android.content.ActivityNotFoundException
 import android.content.BroadcastReceiver
 import android.content.ComponentName
 import android.content.Intent
@@ -12,6 +13,7 @@ import android.content.Intent.FLAG_ACTIVITY_LAUNCHED_FROM_HISTORY
 import android.content.ServiceConnection
 import android.content.pm.PackageManager
 import android.graphics.Bitmap
+import android.net.Uri
 import android.net.VpnService
 import android.os.Build
 import android.os.Bundle
@@ -20,7 +22,13 @@ import android.os.IBinder
 import android.os.Looper
 import android.os.Message
 import android.os.Messenger
+import android.os.ParcelFileDescriptor
+import android.os.SystemClock
+import android.provider.OpenableColumns
 import android.provider.Settings
+import android.view.MotionEvent
+import android.view.View
+import android.view.ViewGroup
 import android.view.WindowManager.LayoutParams
 import android.webkit.MimeTypeMap
 import android.widget.Toast
@@ -29,6 +37,7 @@ import androidx.annotation.RequiresApi
 import androidx.core.content.ContextCompat
 import java.io.IOException
 import kotlin.LazyThreadSafetyMode.NONE
+import kotlin.coroutines.CoroutineContext
 import kotlin.text.RegexOption.IGNORE_CASE
 import AppListProvider
 import kotlinx.coroutines.CompletableDeferred
@@ -70,6 +79,7 @@ class AmneziaActivity : QtActivity() {
     private var isInBoundState = false
     private var notificationStateReceiver: BroadcastReceiver? = null
     private lateinit var vpnServiceMessenger: IpcMessenger
+    private var pfd: ParcelFileDescriptor? = null
 
     private val actionResultHandlers = mutableMapOf<Int, ActivityResultHandler>()
     private val permissionRequestHandlers = mutableMapOf<Int, PermissionRequestHandler>()
@@ -158,7 +168,7 @@ class AmneziaActivity : QtActivity() {
      */
     override fun onCreate(savedInstanceState: Bundle?) {
         super.onCreate(savedInstanceState)
-        Log.d(TAG, "Create Amnezia activity: $intent")
+        Log.d(TAG, "Create Amnezia activity")
         loadLibs()
         window.apply {
             addFlags(LayoutParams.FLAG_DRAWS_SYSTEM_BAR_BACKGROUNDS)
@@ -200,7 +210,7 @@ class AmneziaActivity : QtActivity() {
                     NotificationManager.ACTION_APP_BLOCK_STATE_CHANGED
                 )
             ) {
-                Log.d(
+                Log.v(
                     TAG, "Notification state changed: ${it?.action}, blocked = " +
                         "${it?.getBooleanExtra(NotificationManager.EXTRA_BLOCKED_STATE, false)}"
                 )
@@ -214,7 +224,7 @@ class AmneziaActivity : QtActivity() {
 
     override fun onNewIntent(intent: Intent?) {
         super.onNewIntent(intent)
-        Log.d(TAG, "onNewIntent: $intent")
+        Log.v(TAG, "onNewIntent: $intent")
         intent?.let(::processIntent)
     }
 
@@ -403,7 +413,7 @@ class AmneziaActivity : QtActivity() {
     @MainThread
     private fun startVpn(vpnConfig: String) {
         getVpnProto(vpnConfig)?.let { proto ->
-            Log.d(TAG, "Proto from config: $proto, current proto: $vpnProto")
+            Log.v(TAG, "Proto from config: $proto, current proto: $vpnProto")
             if (isServiceConnected) {
                 if (proto.serviceClass == vpnProto?.serviceClass) {
                     vpnProto = proto
@@ -513,21 +523,25 @@ class AmneziaActivity : QtActivity() {
                 type = "text/*"
                 putExtra(Intent.EXTRA_TITLE, fileName)
             }.also {
-                startActivityForResult(it, CREATE_FILE_ACTION_CODE, ActivityResultHandler(
-                    onSuccess = {
-                        it?.data?.let { uri ->
-                            Log.d(TAG, "Save file to $uri")
-                            try {
-                                contentResolver.openOutputStream(uri)?.use { os ->
-                                    os.bufferedWriter().use { it.write(data) }
+                try {
+                    startActivityForResult(it, CREATE_FILE_ACTION_CODE, ActivityResultHandler(
+                        onSuccess = {
+                            it?.data?.let { uri ->
+                                Log.v(TAG, "Save file to $uri")
+                                try {
+                                    contentResolver.openOutputStream(uri)?.use { os ->
+                                        os.bufferedWriter().use { it.write(data) }
+                                    }
+                                } catch (e: IOException) {
+                                    Log.e(TAG, "Failed to save file $uri: $e")
+                                    // todo: send error to Qt
                                 }
-                            } catch (e: IOException) {
-                                Log.e(TAG, "Failed to save file $uri: $e")
-                                // todo: send error to Qt
                             }
                         }
-                    }
-                ))
+                    ))
+                } catch (_: ActivityNotFoundException) {
+                    Toast.makeText(this@AmneziaActivity, "Unsupported", Toast.LENGTH_LONG).show()
+                }
             }
         }
     }
@@ -536,46 +550,115 @@ class AmneziaActivity : QtActivity() {
     fun openFile(filter: String?) {
         Log.v(TAG, "Open file with filter: $filter")
         mainScope.launch {
-            val mimeTypes = if (!filter.isNullOrEmpty()) {
-                val extensionRegex = "\\*\\.([a-z0-9]+)".toRegex(IGNORE_CASE)
-                val mime = MimeTypeMap.getSingleton()
-                extensionRegex.findAll(filter).map {
-                    it.groups[1]?.value?.let { mime.getMimeTypeFromExtension(it) } ?: "*/*"
-                }.toSet()
-            } else emptySet()
+            val intent = if (!isOnTv()) {
+                val mimeTypes = if (!filter.isNullOrEmpty()) {
+                    val extensionRegex = "\\*\\.([a-z0-9]+)".toRegex(IGNORE_CASE)
+                    val mime = MimeTypeMap.getSingleton()
+                    extensionRegex.findAll(filter).map {
+                        it.groups[1]?.value?.let { mime.getMimeTypeFromExtension(it) } ?: "*/*"
+                    }.toSet()
+                } else emptySet()
 
-            Intent(Intent.ACTION_OPEN_DOCUMENT).apply {
-                addCategory(Intent.CATEGORY_OPENABLE)
-                Log.v(TAG, "File mimyType filter: $mimeTypes")
-                if ("*/*" in mimeTypes) {
-                    type = "*/*"
-                } else {
-                    when (mimeTypes.size) {
-                        1 -> type = mimeTypes.first()
+                Intent(Intent.ACTION_OPEN_DOCUMENT).apply {
+                    addCategory(Intent.CATEGORY_OPENABLE)
+                    Log.v(TAG, "File mimyType filter: $mimeTypes")
+                    if ("*/*" in mimeTypes) {
+                        type = "*/*"
+                    } else {
+                        when (mimeTypes.size) {
+                            1 -> type = mimeTypes.first()
 
-                        in 2..Int.MAX_VALUE -> {
-                            type = "*/*"
-                            putExtra(EXTRA_MIME_TYPES, mimeTypes.toTypedArray())
+                            in 2..Int.MAX_VALUE -> {
+                                type = "*/*"
+                                putExtra(EXTRA_MIME_TYPES, mimeTypes.toTypedArray())
+                            }
+
+                            else -> type = "*/*"
                         }
-
-                        else -> type = "*/*"
                     }
                 }
-            }.also {
-                startActivityForResult(it, OPEN_FILE_ACTION_CODE, ActivityResultHandler(
+            } else {
+                Intent(this@AmneziaActivity, TvFilePicker::class.java)
+            }
+
+            try {
+                startActivityForResult(intent, OPEN_FILE_ACTION_CODE, ActivityResultHandler(
                     onAny = {
-                        val uri = it?.data?.toString() ?: ""
-                        Log.d(TAG, "Open file: $uri")
+                        if (isOnTv() && it?.hasExtra("activityNotFound") == true) {
+                            showNoFileBrowserAlertDialog()
+                        }
+                        val uri = it?.data?.apply {
+                            grantUriPermission(packageName, this, Intent.FLAG_GRANT_READ_URI_PERMISSION)
+                        }?.toString() ?: ""
+                        Log.v(TAG, "Open file: $uri")
                         mainScope.launch {
                             qtInitialized.await()
                             QtAndroidController.onFileOpened(uri)
                         }
                     }
                 ))
+            } catch (_: ActivityNotFoundException) {
+                showNoFileBrowserAlertDialog()
+                mainScope.launch {
+                    qtInitialized.await()
+                    QtAndroidController.onFileOpened("")
+                }
             }
         }
     }
 
+    private fun showNoFileBrowserAlertDialog() {
+        AlertDialog.Builder(this)
+            .setMessage(R.string.tvNoFileBrowser)
+            .setCancelable(false)
+            .setPositiveButton(android.R.string.ok) { _, _ ->
+                try {
+                    startActivity(Intent(Intent.ACTION_VIEW, Uri.parse("market://webstoreredirect")))
+                } catch (_: Throwable) {}
+            }
+            .show()
+    }
+
+    @Suppress("unused")
+    fun getFd(fileName: String): Int {
+        Log.v(TAG, "Get fd for $fileName")
+        return blockingCall {
+            try {
+                pfd = contentResolver.openFileDescriptor(Uri.parse(fileName), "r")
+                pfd?.fd ?: -1
+            } catch (e: Exception) {
+                Log.e(TAG, "Failed to get fd: $e")
+                -1
+            }
+        }
+    }
+
+    @Suppress("unused")
+    fun closeFd() {
+        Log.v(TAG, "Close fd")
+        mainScope.launch {
+            pfd?.close()
+            pfd = null
+        }
+    }
+
+    @Suppress("unused")
+    fun getFileName(uri: String): String {
+        Log.v(TAG, "Get file name for uri: $uri")
+        return blockingCall {
+            try {
+                contentResolver.query(Uri.parse(uri), arrayOf(OpenableColumns.DISPLAY_NAME), null, null, null)?.use { cursor ->
+                    if (cursor.moveToFirst() && !cursor.isNull(0)) {
+                        return@blockingCall cursor.getString(0) ?: ""
+                    }
+                }
+            } catch (e: Exception) {
+                Log.e(TAG, "Failed to get file name: $e")
+            }
+            ""
+        }
+    }
+
     @Suppress("unused")
     @SuppressLint("UnsupportedChromeOsCameraSystemFeature")
     fun isCameraPresent(): Boolean = applicationContext.packageManager.hasSystemFeature(PackageManager.FEATURE_CAMERA)
@@ -720,9 +803,121 @@ class AmneziaActivity : QtActivity() {
         }
     }
 
+    // method to workaround Qt's problem with calling the keyboard on TVs
+    @Suppress("unused")
+    fun sendTouch(x: Float, y: Float) {
+        Log.v(TAG, "Send touch: $x, $y")
+        blockingCall {
+            findQtWindow(window.decorView)?.let {
+                Log.v(TAG, "Send touch to $it")
+                it.dispatchTouchEvent(createEvent(x, y, SystemClock.uptimeMillis(), MotionEvent.ACTION_DOWN))
+                it.dispatchTouchEvent(createEvent(x, y, SystemClock.uptimeMillis(), MotionEvent.ACTION_UP))
+            }
+        }
+    }
+
+    private fun findQtWindow(view: View): View? {
+        Log.v(TAG, "findQtWindow: process $view")
+        if (view::class.simpleName == "QtWindow") return view
+        else if (view is ViewGroup) {
+            for (i in 0 until view.childCount) {
+                val result = findQtWindow(view.getChildAt(i))
+                if (result != null) return result
+            }
+            return null
+        } else return null
+    }
+
+    private fun createEvent(x: Float, y: Float, eventTime: Long, action: Int): MotionEvent =
+        MotionEvent.obtain(
+            eventTime,
+            eventTime,
+            action,
+            1,
+            arrayOf(MotionEvent.PointerProperties().apply {
+                id = 0
+                toolType = MotionEvent.TOOL_TYPE_FINGER
+            }),
+            arrayOf(MotionEvent.PointerCoords().apply {
+                this.x = x
+                this.y = y
+                pressure = 1f
+                size = 1f
+            }),
+            0, 0, 1.0f, 1.0f, 0, 0, 0,0
+        )
+
+    // workaround for a bug in Qt that causes the mouse click event not to be handled
+    // also disable right-click, as it causes the application to crash
+    private var lastButtonState = 0
+    private fun MotionEvent.fixCopy(): MotionEvent = MotionEvent.obtain(
+        downTime,
+        eventTime,
+        action,
+        pointerCount,
+        (0 until pointerCount).map { i ->
+            MotionEvent.PointerProperties().apply {
+                getPointerProperties(i, this)
+            }
+        }.toTypedArray(),
+        (0 until pointerCount).map { i ->
+            MotionEvent.PointerCoords().apply {
+                getPointerCoords(i, this)
+            }
+        }.toTypedArray(),
+        metaState,
+        MotionEvent.BUTTON_PRIMARY,
+        xPrecision,
+        yPrecision,
+        deviceId,
+        edgeFlags,
+        source,
+        flags
+    )
+
+    private fun handleMouseEvent(ev: MotionEvent, superDispatch: (MotionEvent?) -> Boolean): Boolean {
+        when (ev.action) {
+            MotionEvent.ACTION_DOWN -> {
+                lastButtonState = ev.buttonState
+                if (ev.buttonState == MotionEvent.BUTTON_SECONDARY) return true
+            }
+
+            MotionEvent.ACTION_UP -> {
+                when (lastButtonState) {
+                    MotionEvent.BUTTON_SECONDARY -> return true
+                    MotionEvent.BUTTON_PRIMARY -> {
+                        val modEvent = ev.fixCopy()
+                        return superDispatch(modEvent).apply { modEvent.recycle() }
+                    }
+                }
+            }
+        }
+        return superDispatch(ev)
+    }
+
+    override fun dispatchTouchEvent(ev: MotionEvent?): Boolean {
+        Log.v(TAG, "dispatchTouch: $ev")
+        if (ev != null && ev.getToolType(0) == MotionEvent.TOOL_TYPE_MOUSE) {
+            return handleMouseEvent(ev) { super.dispatchTouchEvent(it) }
+        }
+        return super.dispatchTouchEvent(ev)
+    }
+
+    override fun dispatchTrackballEvent(ev: MotionEvent?): Boolean {
+        ev?.let { return handleMouseEvent(ev) { super.dispatchTrackballEvent(it) }}
+        return super.dispatchTrackballEvent(ev)
+    }
+
     /**
      * Utils methods
      */
+    private fun <T> blockingCall(
+        context: CoroutineContext = Dispatchers.Main.immediate,
+        block: suspend () -> T
+    ) = runBlocking {
+        mainScope.async(context) { block() }.await()
+    }
+
     companion object {
         private fun actionCodeToString(actionCode: Int): String =
             when (actionCode) {

client/android/src/org/amnezia/vpn/AmneziaVpnService.kt

@@ -22,6 +22,7 @@ import androidx.annotation.MainThread
 import androidx.core.app.ServiceCompat
 import androidx.core.content.ContextCompat
 import androidx.core.content.getSystemService
+import java.net.UnknownHostException
 import java.util.concurrent.ConcurrentHashMap
 import kotlin.LazyThreadSafetyMode.NONE
 import kotlinx.coroutines.CoroutineExceptionHandler
@@ -127,6 +128,8 @@ open class AmneziaVpnService : VpnService() {
 
             is LoadLibraryException -> onError("${e.message}. Caused: ${e.cause?.message}")
 
+            is UnknownHostException -> onError("Unknown host")
+
             else -> throw e
         }
     }
@@ -297,7 +300,7 @@ open class AmneziaVpnService : VpnService() {
             arrayOf(ACTION_CONNECT, ACTION_DISCONNECT), ContextCompat.RECEIVER_NOT_EXPORTED
         ) {
             it?.action?.let { action ->
-                Log.d(TAG, "Broadcast request received: $action")
+                Log.v(TAG, "Broadcast request received: $action")
                 when (action) {
                     ACTION_CONNECT -> connect()
                     ACTION_DISCONNECT -> disconnect()
@@ -314,7 +317,7 @@ open class AmneziaVpnService : VpnService() {
                 )
             ) {
                 val state = it?.getBooleanExtra(NotificationManager.EXTRA_BLOCKED_STATE, false)
-                Log.d(TAG, "Notification state changed: ${it?.action}, blocked = $state")
+                Log.v(TAG, "Notification state changed: ${it?.action}, blocked = $state")
                 if (state == false) {
                     enableNotification()
                 } else {
@@ -447,7 +450,7 @@ open class AmneziaVpnService : VpnService() {
             serviceNotification.isNotificationEnabled() &&
             getSystemService<PowerManager>()?.isInteractive != false
         ) {
-            Log.d(TAG, "Launch traffic stats update")
+            Log.v(TAG, "Launch traffic stats update")
             trafficStats.reset()
             startTrafficStatsUpdateJob()
         }

client/android/src/org/amnezia/vpn/AuthActivity.kt

@@ -66,7 +66,7 @@ class AuthActivity : FragmentActivity() {
             object : BiometricPrompt.AuthenticationCallback() {
                 override fun onAuthenticationSucceeded(result: AuthenticationResult) {
                     super.onAuthenticationSucceeded(result)
-                    Log.d(TAG, "Authentication succeeded")
+                    Log.v(TAG, "Authentication succeeded")
                     QtAndroidController.onAuthResult(true)
                     finish()
                 }

client/android/src/org/amnezia/vpn/ImportConfigActivity.kt

@@ -29,20 +29,20 @@ class ImportConfigActivity : ComponentActivity() {
 
     override fun onCreate(savedInstanceState: Bundle?) {
         super.onCreate(savedInstanceState)
-        Log.d(TAG, "Create Import Config Activity: $intent")
+        Log.v(TAG, "Create Import Config Activity: $intent")
         intent?.let(::readConfig)
     }
 
     override fun onNewIntent(intent: Intent) {
         super.onNewIntent(intent)
-        Log.d(TAG, "onNewIntent: $intent")
+        Log.v(TAG, "onNewIntent: $intent")
         intent.let(::readConfig)
     }
 
     private fun readConfig(intent: Intent) {
         when (intent.action) {
             ACTION_SEND -> {
-                Log.d(TAG, "Process SEND action, type: ${intent.type}")
+                Log.v(TAG, "Process SEND action, type: ${intent.type}")
                 when (intent.type) {
                     "application/octet-stream" -> {
                         intent.getUriCompat()?.let { uri ->
@@ -60,7 +60,7 @@ class ImportConfigActivity : ComponentActivity() {
             }
 
             ACTION_VIEW -> {
-                Log.d(TAG, "Process VIEW action, scheme: ${intent.scheme}")
+                Log.v(TAG, "Process VIEW action, scheme: ${intent.scheme}")
                 when (intent.scheme) {
                     "file", "content" -> {
                         intent.data?.let { uri ->

client/android/src/org/amnezia/vpn/ServiceNotification.kt

@@ -62,7 +62,7 @@ class ServiceNotification(private val context: Context) {
     fun buildNotification(serverName: String?, protocol: String?, state: ProtocolState): Notification {
         val speedString = if (state == CONNECTED) zeroSpeed else null
 
-        Log.d(TAG, "Build notification: $serverName, $state")
+        Log.v(TAG, "Build notification: $serverName, $state")
 
         return notificationBuilder
             .setSmallIcon(R.drawable.ic_amnezia_round)
@@ -88,17 +88,15 @@ class ServiceNotification(private val context: Context) {
     fun isNotificationEnabled(): Boolean {
         if (!context.isNotificationPermissionGranted()) return false
         if (!notificationManager.areNotificationsEnabled()) return false
-        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
-            return notificationManager.getNotificationChannel(NOTIFICATION_CHANNEL_ID)
-                ?.let { it.importance != NotificationManager.IMPORTANCE_NONE } ?: true
-        }
-        return true
+        return notificationManager.getNotificationChannel(NOTIFICATION_CHANNEL_ID)?.let {
+            it.importance != NotificationManager.IMPORTANCE_NONE
+        } ?: true
     }
 
     @SuppressLint("MissingPermission")
     fun updateNotification(serverName: String?, protocol: String?, state: ProtocolState) {
         if (context.isNotificationPermissionGranted()) {
-            Log.d(TAG, "Update notification: $serverName, $state")
+            Log.v(TAG, "Update notification: $serverName, $state")
             notificationManager.notify(NOTIFICATION_ID, buildNotification(serverName, protocol, state))
         }
     }

client/android/src/org/amnezia/vpn/TvFilePicker.kt

@@ -0,0 +1,45 @@
+package org.amnezia.vpn
+
+import android.content.ActivityNotFoundException
+import android.content.Intent
+import android.os.Bundle
+import androidx.activity.ComponentActivity
+import androidx.activity.result.contract.ActivityResultContracts
+import org.amnezia.vpn.util.Log
+
+private const val TAG = "TvFilePicker"
+
+class TvFilePicker : ComponentActivity() {
+
+    private val fileChooseResultLauncher = registerForActivityResult(ActivityResultContracts.GetContent()) {
+        setResult(RESULT_OK, Intent().apply { data = it })
+        finish()
+    }
+
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+        Log.v(TAG, "onCreate")
+        getFile()
+    }
+
+    override fun onNewIntent(intent: Intent) {
+        super.onNewIntent(intent)
+        Log.v(TAG, "onNewIntent")
+        getFile()
+    }
+
+    private fun getFile() {
+        try {
+            Log.v(TAG, "getFile")
+            fileChooseResultLauncher.launch("*/*")
+        } catch (_: ActivityNotFoundException) {
+            Log.w(TAG, "Activity not found")
+            setResult(RESULT_CANCELED, Intent().apply { putExtra("activityNotFound", true) })
+            finish()
+        } catch (e: Exception) {
+            Log.e(TAG, "Failed to get file: $e")
+            setResult(RESULT_CANCELED)
+            finish()
+        }
+    }
+}

client/android/utils/src/main/kotlin/LibraryLoader.kt

@@ -46,7 +46,7 @@ object LibraryLoader {
             System.loadLibrary(libraryName)
             return
         } catch (_: UnsatisfiedLinkError) {
-            Log.d(TAG, "Failed to load library, try to extract it from apk")
+            Log.w(TAG, "Failed to load library, try to extract it from apk")
         }
         var tempFile: File? = null
         try {

client/android/utils/src/main/kotlin/Log.kt

@@ -1,8 +1,6 @@
 package org.amnezia.vpn.util
 
 import android.content.Context
-import android.icu.text.DateFormat
-import android.icu.text.SimpleDateFormat
 import android.os.Build
 import android.os.Process
 import java.io.File
@@ -12,8 +10,6 @@ import java.nio.channels.FileChannel
 import java.nio.channels.FileLock
 import java.time.LocalDateTime
 import java.time.format.DateTimeFormatter
-import java.util.Date
-import java.util.Locale
 import java.util.concurrent.locks.ReentrantLock
 import org.amnezia.vpn.util.Log.Priority.D
 import org.amnezia.vpn.util.Log.Priority.E
@@ -41,11 +37,7 @@ private const val LOG_MAX_FILE_SIZE = 1024 * 1024
  * |                   |              | create a report and/or terminate the process |
  */
 object Log {
-    private val dateTimeFormat: Any =
-        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) DateTimeFormatter.ofPattern(DATE_TIME_PATTERN)
-        else object : ThreadLocal<DateFormat>() {
-            override fun initialValue(): DateFormat = SimpleDateFormat(DATE_TIME_PATTERN, Locale.US)
-        }
+    private val dateTimeFormat: DateTimeFormatter = DateTimeFormatter.ofPattern(DATE_TIME_PATTERN)
 
     private lateinit var logDir: File
     private val logFile: File by lazy { File(logDir, LOG_FILE_NAME) }
@@ -143,12 +135,7 @@ object Log {
     }
 
     private fun formatLogMsg(tag: String, msg: String, priority: Priority): String {
-        val date = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
-            LocalDateTime.now().format(dateTimeFormat as DateTimeFormatter)
-        } else {
-            @Suppress("UNCHECKED_CAST")
-            (dateTimeFormat as ThreadLocal<DateFormat>).get()?.format(Date())
-        }
+        val date = LocalDateTime.now().format(dateTimeFormat)
         return "$date ${Process.myPid()} ${Process.myTid()} $priority [${Thread.currentThread().name}] " +
             "$tag: $msg\n"
     }

client/android/utils/src/main/kotlin/net/NetworkState.kt

@@ -42,18 +42,12 @@ class NetworkState(
     private val networkCallback: NetworkCallback by lazy(NONE) {
         object : NetworkCallback() {
             override fun onAvailable(network: Network) {
-                Log.d(TAG, "onAvailable: $network")
+                Log.v(TAG, "onAvailable: $network")
             }
 
             override fun onCapabilitiesChanged(network: Network, networkCapabilities: NetworkCapabilities) {
-                Log.d(TAG, "onCapabilitiesChanged: $network, $networkCapabilities")
-                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
-                    checkNetworkState(network, networkCapabilities)
-                } else {
-                    handler.post {
-                        checkNetworkState(network, networkCapabilities)
-                    }
-                }
+                Log.v(TAG, "onCapabilitiesChanged: $network, $networkCapabilities")
+                checkNetworkState(network, networkCapabilities)
             }
 
             private fun checkNetworkState(network: Network, networkCapabilities: NetworkCapabilities) {
@@ -73,11 +67,11 @@ class NetworkState(
             }
 
             override fun onBlockedStatusChanged(network: Network, blocked: Boolean) {
-                Log.d(TAG, "onBlockedStatusChanged: $network, $blocked")
+                Log.v(TAG, "onBlockedStatusChanged: $network, $blocked")
             }
 
             override fun onLost(network: Network) {
-                Log.d(TAG, "onLost: $network")
+                Log.v(TAG, "onLost: $network")
             }
         }
     }
@@ -87,7 +81,7 @@ class NetworkState(
         Log.d(TAG, "Bind network listener")
         if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
             connectivityManager.registerBestMatchingNetworkCallback(networkRequest, networkCallback, handler)
-        } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
+        } else {
             val numberAttempts = 300
             var attemptCount = 0
             while(true) {
@@ -108,8 +102,6 @@ class NetworkState(
                     }
                 }
             }
-        } else {
-            connectivityManager.requestNetwork(networkRequest, networkCallback)
         }
         isListenerBound = true
     }

client/android/wireguard/src/main/kotlin/org/amnezia/vpn/protocol/wireguard/Wireguard.kt

@@ -1,11 +1,12 @@
 package org.amnezia.vpn.protocol.wireguard
 
 import android.net.VpnService.Builder
-import java.io.IOException
-import java.util.Locale
+import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.Job
+import kotlinx.coroutines.cancel
 import kotlinx.coroutines.delay
-import kotlinx.coroutines.withContext
+import kotlinx.coroutines.launch
 import org.amnezia.awg.GoBackend
 import org.amnezia.vpn.protocol.Protocol
 import org.amnezia.vpn.protocol.ProtocolState.CONNECTED
@@ -27,6 +28,8 @@ open class Wireguard : Protocol() {
 
     private var tunnelHandle: Int = -1
     protected open val ifName: String = "amn0"
+    private lateinit var scope: CoroutineScope
+    private var statusJob: Job? = null
 
     override val statistics: Statistics
         get() {
@@ -49,46 +52,17 @@ open class Wireguard : Protocol() {
 
     override fun internalInit() {
         if (!isInitialized) loadSharedLibrary(context, "wg-go")
+        if (this::scope.isInitialized) {
+            scope.cancel()
+        }
+        scope = CoroutineScope(Dispatchers.IO)
     }
 
     override suspend fun startVpn(config: JSONObject, vpnBuilder: Builder, protect: (Int) -> Boolean) {
         val wireguardConfig = parseConfig(config)
-        val startTime = System.currentTimeMillis()
         start(wireguardConfig, vpnBuilder, protect)
-        waitForConnection(startTime)
-        state.value = CONNECTED
     }
 
-    private suspend fun waitForConnection(startTime: Long) {
-        Log.d(TAG, "Waiting for connection")
-        withContext(Dispatchers.IO) {
-            val time = String.format(Locale.ROOT,"%.3f", startTime / 1000.0)
-            try {
-                delay(1000)
-                var log = getLogcat(time)
-                Log.d(TAG, "First waiting log: $log")
-                // check that there is a connection log,
-                // to avoid infinite connection
-                if (!log.contains("Attaching to interface")) {
-                    Log.w(TAG, "Logs do not contain a connection log")
-                    return@withContext
-                }
-                while (!log.contains("Received handshake response")) {
-                    delay(1000)
-                    log = getLogcat(time)
-                }
-            } catch (e: IOException) {
-                Log.e(TAG, "Failed to get logcat: $e")
-            }
-        }
-    }
-
-    private fun getLogcat(time: String): String =
-        ProcessBuilder("logcat", "--buffer=main", "--format=raw", "*:S AmneziaWG/awg0", "-t", time)
-            .redirectErrorStream(true)
-            .start()
-            .inputStream.reader().readText()
-
     protected open fun parseConfig(config: JSONObject): WireguardConfig {
         val configData = config.getJSONObject("wireguard_config_data")
         return WireguardConfig.build {
@@ -178,6 +152,43 @@ open class Wireguard : Protocol() {
             tunnelHandle = -1
             throw VpnStartException("Protect VPN interface: permission not granted or revoked")
         }
+        launchStatusJob()
+    }
+
+    private fun launchStatusJob() {
+        Log.d(TAG, "Launch status job")
+        statusJob = scope.launch {
+            while (true) {
+                val lastHandshake = getLastHandshake()
+                Log.v(TAG, "lastHandshake=$lastHandshake")
+                if (lastHandshake == 0L) {
+                    delay(1000)
+                    continue
+                }
+                if (lastHandshake == -2L || lastHandshake > 0L) state.value = CONNECTED
+                else if (lastHandshake == -1L) state.value = DISCONNECTED
+                statusJob = null
+                break
+            }
+        }
+    }
+
+    private fun getLastHandshake(): Long {
+        if (tunnelHandle == -1) {
+            Log.e(TAG, "Trying to get config of a non-existent tunnel")
+            return -1
+        }
+        val config = GoBackend.awgGetConfig(tunnelHandle)
+        if (config == null) {
+            Log.e(TAG, "Failed to get tunnel config")
+            return -2
+        }
+        val lastHandshake = config.lines().find { it.startsWith("last_handshake_time_sec=") }?.substring(24)?.toLong()
+        if (lastHandshake == null) {
+            Log.e(TAG, "Failed to get last_handshake_time_sec")
+            return -2
+        }
+        return lastHandshake
     }
 
     override fun stopVpn() {
@@ -185,6 +196,8 @@ open class Wireguard : Protocol() {
             Log.w(TAG, "Tunnel already down")
             return
         }
+        statusJob?.cancel()
+        statusJob = null
         val handleToClose = tunnelHandle
         tunnelHandle = -1
         GoBackend.awgTurnOff(handleToClose)

client/android/xray/src/main/kotlin/Xray.kt

@@ -130,8 +130,8 @@ class Xray : Protocol() {
             LibXray.initXray(assetsPath)
             val geoDir = File(assetsPath, "geo").absolutePath
             val configPath = File(context.cacheDir, "config.json")
-            Log.d(TAG, "xray.location.asset: $geoDir")
-            Log.d(TAG, "config: $configPath")
+            Log.v(TAG, "xray.location.asset: $geoDir")
+            Log.v(TAG, "config: $configPath")
             try {
                 configPath.writeText(configJson)
             } catch (e: IOException) {

client/cmake/3rdparty.cmake

@@ -2,10 +2,6 @@ set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/..)
 
 set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/Modules;${CMAKE_MODULE_PATH}")
 
-if(NOT IOS AND NOT ANDROID)
-   include(${CLIENT_ROOT_DIR}/3rd/SingleApplication/singleapplication.cmake)
-endif()
-
 add_subdirectory(${CLIENT_ROOT_DIR}/3rd/SortFilterProxyModel)
 set(LIBS ${LIBS} SortFilterProxyModel)
 include(${CLIENT_ROOT_DIR}/cmake/QSimpleCrypto.cmake)

client/cmake/android.cmake

@@ -1,6 +1,6 @@
 message("Client android ${CMAKE_ANDROID_ARCH_ABI} build")
 
-set(APP_ANDROID_MIN_SDK 24)
+set(APP_ANDROID_MIN_SDK 26)
 set(ANDROID_PLATFORM "android-${APP_ANDROID_MIN_SDK}" CACHE STRING
     "The minimum API level supported by the application or library" FORCE)
 

client/cmake/ios.cmake

@@ -76,11 +76,7 @@ set_target_properties(${PROJECT} PROPERTIES
     XCODE_LINK_BUILD_PHASE_MODE KNOWN_LOCATION
     XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/Frameworks"
     XCODE_EMBED_APP_EXTENSIONS networkextension
-    XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Distribution"
-    XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY[variant=Debug] "Apple Development"
-    XCODE_ATTRIBUTE_CODE_SIGN_STYLE Manual
-    XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER "match AppStore org.amnezia.AmneziaVPN"
-    XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER[variant=Debug] "match Development org.amnezia.AmneziaVPN"
+    XCODE_ATTRIBUTE_CODE_SIGN_STYLE Automatic
 )
 set_target_properties(${PROJECT} PROPERTIES
     XCODE_ATTRIBUTE_SWIFT_VERSION "5.0"
@@ -126,9 +122,9 @@ add_subdirectory(ios/networkextension)
 add_dependencies(${PROJECT} networkextension)
 
 set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
-    "${CMAKE_CURRENT_SOURCE_DIR}/3rd/OpenVPNAdapter/build/Release-iphoneos/OpenVPNAdapter.framework"
+    "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework"
 )
 
-set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd/OpenVPNAdapter/build/Release-iphoneos)
-target_link_libraries("networkextension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd/OpenVPNAdapter/build/Release-iphoneos/OpenVPNAdapter.framework")
+set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/)
+target_link_libraries("networkextension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework")
 

client/cmake/sources.cmake

@@ -0,0 +1,191 @@
+set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/..)
+
+set(HEADERS ${HEADERS}
+    ${CLIENT_ROOT_DIR}/migrations.h
+    ${CLIENT_ROOT_DIR}/../ipc/ipc.h
+    ${CLIENT_ROOT_DIR}/amnezia_application.h
+    ${CLIENT_ROOT_DIR}/containers/containers_defs.h
+    ${CLIENT_ROOT_DIR}/core/defs.h
+    ${CLIENT_ROOT_DIR}/core/errorstrings.h
+    ${CLIENT_ROOT_DIR}/core/scripts_registry.h
+    ${CLIENT_ROOT_DIR}/core/server_defs.h
+    ${CLIENT_ROOT_DIR}/core/api/apiDefs.h
+    ${CLIENT_ROOT_DIR}/core/qrCodeUtils.h
+    ${CLIENT_ROOT_DIR}/core/controllers/coreController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/gatewayController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/serverController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/vpnConfigurationController.h
+    ${CLIENT_ROOT_DIR}/protocols/protocols_defs.h
+    ${CLIENT_ROOT_DIR}/protocols/qml_register_protocols.h
+    ${CLIENT_ROOT_DIR}/ui/pages.h
+    ${CLIENT_ROOT_DIR}/ui/qautostart.h
+    ${CLIENT_ROOT_DIR}/protocols/vpnprotocol.h
+    ${CMAKE_CURRENT_BINARY_DIR}/version.h
+    ${CLIENT_ROOT_DIR}/core/sshclient.h
+    ${CLIENT_ROOT_DIR}/core/networkUtilities.h
+    ${CLIENT_ROOT_DIR}/core/serialization/serialization.h
+    ${CLIENT_ROOT_DIR}/core/serialization/transfer.h
+    ${CLIENT_ROOT_DIR}/../common/logger/logger.h
+    ${CLIENT_ROOT_DIR}/utils/qmlUtils.h
+    ${CLIENT_ROOT_DIR}/core/api/apiUtils.h
+)
+
+# Mozilla headres
+set(HEADERS ${HEADERS}
+    ${CLIENT_ROOT_DIR}/mozilla/models/server.h
+    ${CLIENT_ROOT_DIR}/mozilla/shared/ipaddress.h
+    ${CLIENT_ROOT_DIR}/mozilla/shared/leakdetector.h
+    ${CLIENT_ROOT_DIR}/mozilla/controllerimpl.h
+    ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.h
+)
+
+if(NOT IOS)
+    set(HEADERS ${HEADERS}
+        ${CLIENT_ROOT_DIR}/platforms/ios/QRCodeReaderBase.h
+    )
+endif()
+
+if(NOT ANDROID)
+    set(HEADERS ${HEADERS}
+        ${CLIENT_ROOT_DIR}/ui/notificationhandler.h
+    )
+endif()
+
+set(SOURCES ${SOURCES}
+    ${CLIENT_ROOT_DIR}/migrations.cpp
+    ${CLIENT_ROOT_DIR}/amnezia_application.cpp
+    ${CLIENT_ROOT_DIR}/containers/containers_defs.cpp
+    ${CLIENT_ROOT_DIR}/core/errorstrings.cpp
+    ${CLIENT_ROOT_DIR}/core/scripts_registry.cpp
+    ${CLIENT_ROOT_DIR}/core/server_defs.cpp
+    ${CLIENT_ROOT_DIR}/core/qrCodeUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/coreController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/gatewayController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/serverController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/vpnConfigurationController.cpp
+    ${CLIENT_ROOT_DIR}/protocols/protocols_defs.cpp
+    ${CLIENT_ROOT_DIR}/ui/qautostart.cpp
+    ${CLIENT_ROOT_DIR}/protocols/vpnprotocol.cpp
+    ${CLIENT_ROOT_DIR}/core/sshclient.cpp
+    ${CLIENT_ROOT_DIR}/core/networkUtilities.cpp
+    ${CLIENT_ROOT_DIR}/core/serialization/outbound.cpp
+    ${CLIENT_ROOT_DIR}/core/serialization/inbound.cpp
+    ${CLIENT_ROOT_DIR}/core/serialization/ss.cpp
+    ${CLIENT_ROOT_DIR}/core/serialization/ssd.cpp
+    ${CLIENT_ROOT_DIR}/core/serialization/vless.cpp
+    ${CLIENT_ROOT_DIR}/core/serialization/trojan.cpp
+    ${CLIENT_ROOT_DIR}/core/serialization/vmess.cpp
+    ${CLIENT_ROOT_DIR}/core/serialization/vmess_new.cpp
+    ${CLIENT_ROOT_DIR}/../common/logger/logger.cpp
+    ${CLIENT_ROOT_DIR}/utils/qmlUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/api/apiUtils.cpp
+)
+
+# Mozilla sources
+set(SOURCES ${SOURCES}
+    ${CLIENT_ROOT_DIR}/mozilla/models/server.cpp
+    ${CLIENT_ROOT_DIR}/mozilla/shared/ipaddress.cpp
+    ${CLIENT_ROOT_DIR}/mozilla/shared/leakdetector.cpp
+    ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.cpp
+)
+
+if(NOT IOS)
+    set(SOURCES ${SOURCES}
+        ${CLIENT_ROOT_DIR}/platforms/ios/QRCodeReaderBase.cpp
+    )
+endif()
+
+if(NOT ANDROID)
+    set(SOURCES ${SOURCES}
+        ${CLIENT_ROOT_DIR}/ui/notificationhandler.cpp
+    )
+endif()
+
+file(GLOB COMMON_FILES_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/*.h)
+file(GLOB COMMON_FILES_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/*.cpp)
+
+file(GLOB_RECURSE PAGE_LOGIC_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/ui/pages_logic/*.h)
+file(GLOB_RECURSE PAGE_LOGIC_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/ui/pages_logic/*.cpp)
+
+file(GLOB CONFIGURATORS_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/configurators/*.h)
+file(GLOB CONFIGURATORS_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/configurators/*.cpp)
+
+file(GLOB UI_MODELS_H CONFIGURE_DEPENDS
+    ${CLIENT_ROOT_DIR}/ui/models/*.h
+    ${CLIENT_ROOT_DIR}/ui/models/protocols/*.h
+    ${CLIENT_ROOT_DIR}/ui/models/services/*.h
+    ${CLIENT_ROOT_DIR}/ui/models/api/*.h
+)
+file(GLOB UI_MODELS_CPP CONFIGURE_DEPENDS
+    ${CLIENT_ROOT_DIR}/ui/models/*.cpp
+    ${CLIENT_ROOT_DIR}/ui/models/protocols/*.cpp
+    ${CLIENT_ROOT_DIR}/ui/models/services/*.cpp
+    ${CLIENT_ROOT_DIR}/ui/models/api/*.cpp
+)
+
+file(GLOB UI_CONTROLLERS_H CONFIGURE_DEPENDS
+    ${CLIENT_ROOT_DIR}/ui/controllers/*.h
+    ${CLIENT_ROOT_DIR}/ui/controllers/api/*.h
+)
+file(GLOB UI_CONTROLLERS_CPP CONFIGURE_DEPENDS
+    ${CLIENT_ROOT_DIR}/ui/controllers/*.cpp
+    ${CLIENT_ROOT_DIR}/ui/controllers/api/*.cpp
+)
+
+set(HEADERS ${HEADERS}
+    ${COMMON_FILES_H}
+    ${PAGE_LOGIC_H}
+    ${CONFIGURATORS_H}
+    ${UI_MODELS_H}
+    ${UI_CONTROLLERS_H}
+)
+set(SOURCES ${SOURCES}
+    ${COMMON_FILES_CPP}
+    ${PAGE_LOGIC_CPP}
+    ${CONFIGURATORS_CPP}
+    ${UI_MODELS_CPP}
+    ${UI_CONTROLLERS_CPP}
+)
+
+if(WIN32)
+    set(HEADERS ${HEADERS}
+        ${CLIENT_ROOT_DIR}/protocols/ikev2_vpn_protocol_windows.h
+    )
+
+    set(SOURCES ${SOURCES}
+        ${CLIENT_ROOT_DIR}/protocols/ikev2_vpn_protocol_windows.cpp
+    )
+
+    set(RESOURCES ${RESOURCES}
+        ${CMAKE_CURRENT_BINARY_DIR}/amneziavpn.rc
+    )
+endif()
+
+if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
+    message("Client desktop build")
+    add_compile_definitions(AMNEZIA_DESKTOP)
+
+    set(HEADERS ${HEADERS}
+        ${CLIENT_ROOT_DIR}/core/ipcclient.h
+        ${CLIENT_ROOT_DIR}/core/privileged_process.h
+        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.h
+        ${CLIENT_ROOT_DIR}/protocols/openvpnprotocol.h
+        ${CLIENT_ROOT_DIR}/protocols/openvpnovercloakprotocol.h
+        ${CLIENT_ROOT_DIR}/protocols/shadowsocksvpnprotocol.h
+        ${CLIENT_ROOT_DIR}/protocols/wireguardprotocol.h
+        ${CLIENT_ROOT_DIR}/protocols/xrayprotocol.h
+        ${CLIENT_ROOT_DIR}/protocols/awgprotocol.h
+    )
+
+    set(SOURCES ${SOURCES}
+        ${CLIENT_ROOT_DIR}/core/ipcclient.cpp
+        ${CLIENT_ROOT_DIR}/core/privileged_process.cpp
+        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.cpp
+        ${CLIENT_ROOT_DIR}/protocols/openvpnprotocol.cpp
+        ${CLIENT_ROOT_DIR}/protocols/openvpnovercloakprotocol.cpp
+        ${CLIENT_ROOT_DIR}/protocols/shadowsocksvpnprotocol.cpp
+        ${CLIENT_ROOT_DIR}/protocols/wireguardprotocol.cpp
+        ${CLIENT_ROOT_DIR}/protocols/xrayprotocol.cpp
+        ${CLIENT_ROOT_DIR}/protocols/awgprotocol.cpp
+    )
+endif()

client/configurators/wireguard_configurator.cpp

@@ -3,6 +3,7 @@
 #include <QDebug>
 #include <QJsonDocument>
 #include <QProcess>
+#include <QRegularExpression>
 #include <QString>
 #include <QTemporaryDir>
 #include <QTemporaryFile>
@@ -19,13 +20,17 @@
 #include "settings.h"
 #include "utilities.h"
 
-WireguardConfigurator::WireguardConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
-                                             bool isAwg, QObject *parent)
+WireguardConfigurator::WireguardConfigurator(std::shared_ptr<Settings> settings,
+                                             const QSharedPointer<ServerController> &serverController, bool isAwg,
+                                             QObject *parent)
     : ConfiguratorBase(settings, serverController, parent), m_isAwg(isAwg)
 {
-    m_serverConfigPath = m_isAwg ? amnezia::protocols::awg::serverConfigPath : amnezia::protocols::wireguard::serverConfigPath;
-    m_serverPublicKeyPath = m_isAwg ? amnezia::protocols::awg::serverPublicKeyPath : amnezia::protocols::wireguard::serverPublicKeyPath;
-    m_serverPskKeyPath = m_isAwg ? amnezia::protocols::awg::serverPskKeyPath : amnezia::protocols::wireguard::serverPskKeyPath;
+    m_serverConfigPath =
+            m_isAwg ? amnezia::protocols::awg::serverConfigPath : amnezia::protocols::wireguard::serverConfigPath;
+    m_serverPublicKeyPath =
+            m_isAwg ? amnezia::protocols::awg::serverPublicKeyPath : amnezia::protocols::wireguard::serverPublicKeyPath;
+    m_serverPskKeyPath =
+            m_isAwg ? amnezia::protocols::awg::serverPskKeyPath : amnezia::protocols::wireguard::serverPskKeyPath;
     m_configTemplate = m_isAwg ? ProtocolScriptType::awg_template : ProtocolScriptType::wireguard_template;
 
     m_protocolName = m_isAwg ? config_key::awg : config_key::wireguard;
@@ -63,9 +68,31 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::genClientKeys()
     return connData;
 }
 
+QList<QHostAddress> WireguardConfigurator::getIpsFromConf(const QString &input)
+{
+    QRegularExpression regex("AllowedIPs = (\\d+\\.\\d+\\.\\d+\\.\\d+)");
+    QRegularExpressionMatchIterator matchIterator = regex.globalMatch(input);
+
+    QList<QHostAddress> ips;
+
+    while (matchIterator.hasNext()) {
+        QRegularExpressionMatch match = matchIterator.next();
+        const QString address_string { match.captured(1) };
+        const QHostAddress address { address_string };
+        if (address.isNull()) {
+            qWarning() << "Couldn't recognize the ip address: " << address_string;
+        } else {
+            ips << address;
+        }
+    }
+
+    return ips;
+}
+
 WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardConfig(const ServerCredentials &credentials,
                                                                                     DockerContainer container,
-                                                                                    const QJsonObject &containerConfig, ErrorCode &errorCode)
+                                                                                    const QJsonObject &containerConfig,
+                                                                                    ErrorCode &errorCode)
 {
     WireguardConfigurator::ConnectionData connData = WireguardConfigurator::genClientKeys();
     connData.host = credentials.hostName;
@@ -76,65 +103,45 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon
         return connData;
     }
 
-    // Get list of already created clients (only IP addresses)
-    QString nextIpNumber;
-    {
-        QString script = QString("cat %1 | grep AllowedIPs").arg(m_serverConfigPath);
-        QString stdOut;
-        auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-            stdOut += data + "\n";
-            return ErrorCode::NoError;
-        };
+    QString getIpsScript = QString("cat %1 | grep AllowedIPs").arg(m_serverConfigPath);
+    QString stdOut;
+    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
+        stdOut += data + "\n";
+        return ErrorCode::NoError;
+    };
 
-        errorCode = m_serverController->runContainerScript(credentials, container, script, cbReadStdOut);
-        if (errorCode != ErrorCode::NoError) {
-            return connData;
-        }
+    errorCode = m_serverController->runContainerScript(credentials, container, getIpsScript, cbReadStdOut);
+    if (errorCode != ErrorCode::NoError) {
+        return connData;
+    }
+    auto ips = getIpsFromConf(stdOut);
 
-        stdOut.replace("AllowedIPs = ", "");
-        stdOut.replace("/32", "");
-        QStringList ips = stdOut.split("\n", Qt::SkipEmptyParts);
-
-        // remove extra IPs from each line for case when user manually edited the wg0.conf
-        // and added there more IPs for route his itnernal networks, like:
-        //     ...
-        //     AllowedIPs = 10.8.1.6/32, 192.168.1.0/24, 192.168.2.0/24, ...
-        //     ...
-        // without this code - next IP would be 1 if last item in 'ips' has format above
-        QStringList vpnIps;
-        for (const auto &ip : ips) {
-          vpnIps.append(ip.split(",", Qt::SkipEmptyParts).first().trimmed());
-        }
-        ips = vpnIps;
-
-        // Calc next IP address
-        if (ips.isEmpty()) {
-            nextIpNumber = "2";
+    QHostAddress nextIp = [&] {
+        QHostAddress result;
+        QHostAddress lastIp;
+        if (ips.empty()) {
+            lastIp.setAddress(containerConfig.value(m_protocolName)
+                                      .toObject()
+                                      .value(config_key::subnet_address)
+                                      .toString(protocols::wireguard::defaultSubnetAddress));
         } else {
-            int next = ips.last().split(".").last().toInt() + 1;
-            if (next > 254) {
-                errorCode = ErrorCode::AddressPoolError;
-                return connData;
-            }
-            nextIpNumber = QString::number(next);
+            lastIp = ips.last();
         }
-    }
-
-    QString subnetIp = containerConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress);
-    {
-        QStringList l = subnetIp.split(".", Qt::SkipEmptyParts);
-        if (l.isEmpty()) {
-            errorCode = ErrorCode::AddressPoolError;
-            return connData;
+        quint8 lastOctet = static_cast<quint8>(lastIp.toIPv4Address());
+        switch (lastOctet) {
+        case 254: result.setAddress(lastIp.toIPv4Address() + 3); break;
+        case 255: result.setAddress(lastIp.toIPv4Address() + 2); break;
+        default: result.setAddress(lastIp.toIPv4Address() + 1); break;
         }
-        l.removeLast();
-        l.append(nextIpNumber);
 
-        connData.clientIP = l.join(".");
-    }
+        return result;
+    }();
+
+    connData.clientIP = nextIp.toString();
 
     // Get keys
-    connData.serverPubKey = m_serverController->getTextFileFromContainer(container, credentials, m_serverPublicKeyPath, errorCode);
+    connData.serverPubKey =
+            m_serverController->getTextFileFromContainer(container, credentials, m_serverPublicKeyPath, errorCode);
     connData.serverPubKey.replace("\n", "");
     if (errorCode != ErrorCode::NoError) {
         return connData;
@@ -161,10 +168,12 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon
         return connData;
     }
 
-    QString script = QString("sudo docker exec -i $CONTAINER_NAME bash -c 'wg syncconf wg0 <(wg-quick strip %1)'").arg(m_serverConfigPath);
+    QString script = QString("sudo docker exec -i $CONTAINER_NAME bash -c 'wg syncconf wg0 <(wg-quick strip %1)'")
+                             .arg(m_serverConfigPath);
 
     errorCode = m_serverController->runScript(
-            credentials, m_serverController->replaceVars(script, m_serverController->genVarsForScript(credentials, container)));
+            credentials,
+            m_serverController->replaceVars(script, m_serverController->genVarsForScript(credentials, container)));
 
     return connData;
 }
@@ -173,8 +182,8 @@ QString WireguardConfigurator::createConfig(const ServerCredentials &credentials
                                             const QJsonObject &containerConfig, ErrorCode &errorCode)
 {
     QString scriptData = amnezia::scriptData(m_configTemplate, container);
-    QString config =
-            m_serverController->replaceVars(scriptData, m_serverController->genVarsForScript(credentials, container, containerConfig));
+    QString config = m_serverController->replaceVars(
+            scriptData, m_serverController->genVarsForScript(credentials, container, containerConfig));
 
     ConnectionData connData = prepareWireguardConfig(credentials, container, containerConfig, errorCode);
     if (errorCode != ErrorCode::NoError) {
@@ -208,16 +217,16 @@ QString WireguardConfigurator::createConfig(const ServerCredentials &credentials
     return QJsonDocument(jConfig).toJson();
 }
 
-QString WireguardConfigurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                              QString &protocolConfigString)
+QString WireguardConfigurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns,
+                                                              const bool isApiConfig, QString &protocolConfigString)
 {
     processConfigWithDnsSettings(dns, protocolConfigString);
 
     return protocolConfigString;
 }
 
-QString WireguardConfigurator::processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                               QString &protocolConfigString)
+QString WireguardConfigurator::processConfigWithExportSettings(const QPair<QString, QString> &dns,
+                                                               const bool isApiConfig, QString &protocolConfigString)
 {
     processConfigWithDnsSettings(dns, protocolConfigString);
 

client/configurators/wireguard_configurator.h

@@ -1,6 +1,7 @@
 #ifndef WIREGUARD_CONFIGURATOR_H
 #define WIREGUARD_CONFIGURATOR_H
 
+#include <QHostAddress>
 #include <QObject>
 #include <QProcessEnvironment>
 
@@ -12,8 +13,8 @@ class WireguardConfigurator : public ConfiguratorBase
 {
     Q_OBJECT
 public:
-    WireguardConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, bool isAwg,
-                          QObject *parent = nullptr);
+    WireguardConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
+                          bool isAwg, QObject *parent = nullptr);
 
     struct ConnectionData
     {
@@ -26,15 +27,18 @@ public:
         QString port;
     };
 
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                         ErrorCode &errorCode);
+    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
+                         const QJsonObject &containerConfig, ErrorCode &errorCode);
 
-    QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig, QString &protocolConfigString);
-    QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig, QString &protocolConfigString);
+    QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
+                                           QString &protocolConfigString);
+    QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
+                                            QString &protocolConfigString);
 
     static ConnectionData genClientKeys();
 
 private:
+    QList<QHostAddress> getIpsFromConf(const QString &input);
     ConnectionData prepareWireguardConfig(const ServerCredentials &credentials, DockerContainer container,
                                           const QJsonObject &containerConfig, ErrorCode &errorCode);
 

client/configurators/xray_configurator.cpp

@@ -3,38 +3,169 @@
 #include <QFile>
 #include <QJsonDocument>
 #include <QJsonObject>
+#include <QUuid>
+#include "logger.h"
 
 #include "containers/containers_defs.h"
 #include "core/controllers/serverController.h"
 #include "core/scripts_registry.h"
 
+namespace {
+Logger logger("XrayConfigurator");
+}
+
 XrayConfigurator::XrayConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
     : ConfiguratorBase(settings, serverController, parent)
 {
 }
 
-QString XrayConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                       ErrorCode &errorCode)
+QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentials, DockerContainer container,
+                                               const QJsonObject &containerConfig, ErrorCode &errorCode)
 {
-    QString config = m_serverController->replaceVars(amnezia::scriptData(ProtocolScriptType::xray_template, container),
-                                                     m_serverController->genVarsForScript(credentials, container, containerConfig));
-
-    QString xrayPublicKey =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::PublicKeyPath, errorCode);
-    xrayPublicKey.replace("\n", "");
-
-    QString xrayUuid = m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::uuidPath, errorCode);
-    xrayUuid.replace("\n", "");
-
-    QString xrayShortId =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::shortidPath, errorCode);
-    xrayShortId.replace("\n", "");
-
+    // Generate new UUID for client
+    QString clientId = QUuid::createUuid().toString(QUuid::WithoutBraces);
+    
+    // Get current server config
+    QString currentConfig = m_serverController->getTextFileFromContainer(
+        container, credentials, amnezia::protocols::xray::serverConfigPath, errorCode);
+    
     if (errorCode != ErrorCode::NoError) {
+        logger.error() << "Failed to get server config file";
         return "";
     }
 
-    config.replace("$XRAY_CLIENT_ID", xrayUuid);
+    // Parse current config as JSON
+    QJsonDocument doc = QJsonDocument::fromJson(currentConfig.toUtf8());
+    if (doc.isNull() || !doc.isObject()) {
+        logger.error() << "Failed to parse server config JSON";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+
+    QJsonObject serverConfig = doc.object();
+    
+    // Validate server config structure
+    if (!serverConfig.contains("inbounds")) {
+        logger.error() << "Server config missing 'inbounds' field";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+
+    QJsonArray inbounds = serverConfig["inbounds"].toArray();
+    if (inbounds.isEmpty()) {
+        logger.error() << "Server config has empty 'inbounds' array";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+    
+    QJsonObject inbound = inbounds[0].toObject();
+    if (!inbound.contains("settings")) {
+        logger.error() << "Inbound missing 'settings' field";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+
+    QJsonObject settings = inbound["settings"].toObject();
+    if (!settings.contains("clients")) {
+        logger.error() << "Settings missing 'clients' field";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+
+    QJsonArray clients = settings["clients"].toArray();
+    
+    // Create configuration for new client
+    QJsonObject clientConfig {
+        {"id", clientId},
+        {"flow", "xtls-rprx-vision"}
+    };
+    
+    clients.append(clientConfig);
+    
+    // Update config
+    settings["clients"] = clients;
+    inbound["settings"] = settings;
+    inbounds[0] = inbound;
+    serverConfig["inbounds"] = inbounds;
+    
+    // Save updated config to server
+    QString updatedConfig = QJsonDocument(serverConfig).toJson();
+    errorCode = m_serverController->uploadTextFileToContainer(
+        container, 
+        credentials, 
+        updatedConfig,
+        amnezia::protocols::xray::serverConfigPath,
+        libssh::ScpOverwriteMode::ScpOverwriteExisting
+    );
+    if (errorCode != ErrorCode::NoError) {
+        logger.error() << "Failed to upload updated config";
+        return "";
+    }
+
+    // Restart container
+    QString restartScript = QString("sudo docker restart $CONTAINER_NAME");
+    errorCode = m_serverController->runScript(
+        credentials, 
+        m_serverController->replaceVars(restartScript, m_serverController->genVarsForScript(credentials, container))
+    );
+
+    if (errorCode != ErrorCode::NoError) {
+        logger.error() << "Failed to restart container";
+        return "";
+    }
+
+    return clientId;
+}
+
+QString XrayConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
+                                       const QJsonObject &containerConfig, ErrorCode &errorCode)
+{
+    // Get client ID from prepareServerConfig
+    QString xrayClientId = prepareServerConfig(credentials, container, containerConfig, errorCode);
+    if (errorCode != ErrorCode::NoError || xrayClientId.isEmpty()) {
+        logger.error() << "Failed to prepare server config";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+
+    QString config = m_serverController->replaceVars(amnezia::scriptData(ProtocolScriptType::xray_template, container),
+                                                     m_serverController->genVarsForScript(credentials, container, containerConfig));
+    
+    if (config.isEmpty()) {
+        logger.error() << "Failed to get config template";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+
+    QString xrayPublicKey =
+            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::PublicKeyPath, errorCode);
+    if (errorCode != ErrorCode::NoError || xrayPublicKey.isEmpty()) {
+        logger.error() << "Failed to get public key";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+    xrayPublicKey.replace("\n", "");
+    
+    QString xrayShortId =
+            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::shortidPath, errorCode);
+    if (errorCode != ErrorCode::NoError || xrayShortId.isEmpty()) {
+        logger.error() << "Failed to get short ID";
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+    xrayShortId.replace("\n", "");
+
+    // Validate all required variables are present
+    if (!config.contains("$XRAY_CLIENT_ID") || !config.contains("$XRAY_PUBLIC_KEY") || !config.contains("$XRAY_SHORT_ID")) {
+        logger.error() << "Config template missing required variables:"
+                      << "XRAY_CLIENT_ID:" << !config.contains("$XRAY_CLIENT_ID")
+                      << "XRAY_PUBLIC_KEY:" << !config.contains("$XRAY_PUBLIC_KEY")
+                      << "XRAY_SHORT_ID:" << !config.contains("$XRAY_SHORT_ID");
+        errorCode = ErrorCode::InternalError;
+        return "";
+    }
+
+    config.replace("$XRAY_CLIENT_ID", xrayClientId);
     config.replace("$XRAY_PUBLIC_KEY", xrayPublicKey);
     config.replace("$XRAY_SHORT_ID", xrayShortId);
 

client/configurators/xray_configurator.h

@@ -14,6 +14,10 @@ public:
 
     QString createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
                          ErrorCode &errorCode);
+
+private:
+    QString prepareServerConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
+                                ErrorCode &errorCode);
 };
 
 #endif // XRAY_CONFIGURATOR_H

client/containers/containers_defs.cpp

@@ -110,22 +110,19 @@ QMap<DockerContainer, QString> ContainerProps::containerDescriptions()
                QObject::tr("OpenVPN is the most popular VPN protocol, with flexible configuration options. It uses its "
                            "own security protocol with SSL/TLS for key exchange.") },
              { DockerContainer::ShadowSocks,
-               QObject::tr("Shadowsocks - masks VPN traffic, making it similar to normal web traffic, but it "
-                           "may be recognized by analysis systems in some highly censored regions.") },
+               QObject::tr("Shadowsocks masks VPN traffic, making it resemble normal web traffic, but it may still be detected by certain analysis systems.") },
              { DockerContainer::Cloak,
                QObject::tr("OpenVPN over Cloak - OpenVPN with VPN masquerading as web traffic and protection against "
-                           "active-probing detection. Ideal for bypassing blocking in regions with the highest levels "
-                           "of censorship.") },
+                           "active-probing detection. It is very resistant to detection, but offers low speed.") },
              { DockerContainer::WireGuard,
-               QObject::tr("WireGuard - New popular VPN protocol with high performance, high speed and low power "
-                           "consumption. Recommended for regions with low levels of censorship.") },
+               QObject::tr("WireGuard - popular VPN protocol with high performance, high speed and low power "
+                           "consumption.") },
              { DockerContainer::Awg,
-               QObject::tr("AmneziaWG - Special protocol from Amnezia, based on WireGuard. It's fast like WireGuard, "
-                           "but very resistant to blockages. "
-                           "Recommended for regions with high levels of censorship.") },
+               QObject::tr("AmneziaWG is a special protocol from Amnezia based on WireGuard. "
+                           "It provides high connection speed and ensures stable operation even in the most challenging network conditions.") },
              { DockerContainer::Xray,
-               QObject::tr("XRay with REALITY - Suitable for countries with the highest level of internet censorship. "
-                           "Traffic masking as web traffic at the TLS level, and protection against detection by active probing methods.") },
+               QObject::tr("XRay with REALITY masks VPN traffic as web traffic and protects against active probing. "
+                           "It is highly resistant to detection and offers high speed.") },
              { DockerContainer::Ipsec,
                QObject::tr("IKEv2/IPsec -  Modern stable protocol, a bit faster than others, restores connection after "
                            "signal loss. It has native support on the latest versions of Android and iOS.") },
@@ -144,20 +141,20 @@ QMap<DockerContainer, QString> ContainerProps::containerDetailedDescriptions()
     return {
         { DockerContainer::OpenVpn,
           QObject::tr(
-                      "OpenVPN stands as one of the most popular and time-tested VPN protocols available.\n"
-                      "It employs its unique security protocol, "
-                      "leveraging the strength of SSL/TLS for encryption and key exchange. "
-                      "Furthermore, OpenVPN's support for a multitude of authentication methods makes it versatile and adaptable, "
-                      "catering to a wide range of devices and operating systems. "
-                      "Due to its open-source nature, OpenVPN benefits from extensive scrutiny by the global community, "
-                      "which continually reinforces its security. "
-                      "With a strong balance of performance, security, and compatibility, "
-                      "OpenVPN remains a top choice for privacy-conscious individuals and businesses alike.\n\n"
-                      "* Available in the AmneziaVPN across all platforms\n"
-                      "* Normal power consumption on mobile devices\n"
-                      "* Flexible customisation to suit user needs to work with different operating systems and devices\n"
-                      "* Recognised by DPI analysis systems and therefore susceptible to blocking\n"
-                      "* Can operate over both TCP and UDP network protocols.") },
+                  "OpenVPN stands as one of the most popular and time-tested VPN protocols available.\n"
+                  "It employs its unique security protocol, "
+                  "leveraging the strength of SSL/TLS for encryption and key exchange. "
+                  "Furthermore, OpenVPN's support for a multitude of authentication methods makes it versatile and adaptable, "
+                  "catering to a wide range of devices and operating systems. "
+                  "Due to its open-source nature, OpenVPN benefits from extensive scrutiny by the global community, "
+                  "which continually reinforces its security. "
+                  "With a strong balance of performance, security, and compatibility, "
+                  "OpenVPN remains a top choice for privacy-conscious individuals and businesses alike.\n\n"
+                  "* Available in the AmneziaVPN across all platforms\n"
+                  "* Normal power consumption on mobile devices\n"
+                  "* Flexible customisation to suit user needs to work with different operating systems and devices\n"
+                  "* Recognised by DPI systems and therefore susceptible to blocking\n"
+                  "* Can operate over both TCP and UDP network protocols.") },
         { DockerContainer::ShadowSocks,
           QObject::tr("Shadowsocks, inspired by the SOCKS5 protocol, safeguards the connection using the AEAD cipher. "
                       "Although Shadowsocks is designed to be discreet and challenging to identify, it isn't identical to a standard HTTPS connection."
@@ -169,28 +166,26 @@ QMap<DockerContainer, QString> ContainerProps::containerDetailedDescriptions()
                       "* Works over TCP network protocol.") },
         { DockerContainer::Cloak,
           QObject::tr("This is a combination of the OpenVPN protocol and the Cloak plugin designed specifically for "
-                      "protecting against blocking.\n\n"
+                      "protecting against detection.\n\n"
                       "OpenVPN provides a secure VPN connection by encrypting all internet traffic between the client "
                       "and the server.\n\n"
-                      "Cloak protects OpenVPN from detection and blocking. \n\n"
+                      "Cloak protects OpenVPN from detection. \n\n"
                       "Cloak can modify packet metadata so that it completely masks VPN traffic as normal web traffic, "
                       "and also protects the VPN from detection by Active Probing. This makes it very resistant to "
                       "being detected\n\n"
                       "Immediately after receiving the first data packet, Cloak authenticates the incoming connection. "
                       "If authentication fails, the plugin masks the server as a fake website and your VPN becomes "
                       "invisible to analysis systems.\n\n"
-                      "If there is a extreme level of Internet censorship in your region, we advise you to use only "
-                      "OpenVPN over Cloak from the first connection\n\n"
                       "* Available in the AmneziaVPN across all platforms\n"
                       "* High power consumption on mobile devices\n"
                       "* Flexible settings\n"
-                      "* Not recognised by DPI analysis systems\n"
+                      "* Not recognised by detection systems\n"
                       "* Works over TCP network protocol, 443 port.\n") },
         { DockerContainer::WireGuard,
           QObject::tr("A relatively new popular VPN protocol with a simplified architecture.\n"
                       "WireGuard provides stable VPN connection and high performance on all devices. It uses hard-coded encryption "
                       "settings. WireGuard compared to OpenVPN has lower latency and better data transfer throughput.\n"
-                      "WireGuard is very susceptible to blocking due to its distinct packet signatures. "
+                      "WireGuard is very susceptible to detection and blocking due to its distinct packet signatures. "
                       "Unlike some other VPN protocols that employ obfuscation techniques, "
                       "the consistent signature patterns of WireGuard packets can be more easily identified and "
                       "thus blocked by advanced Deep Packet Inspection (DPI) systems and other network monitoring tools.\n\n"
@@ -213,18 +208,18 @@ QMap<DockerContainer, QString> ContainerProps::containerDetailedDescriptions()
                       "* Available in the AmneziaVPN across all platforms\n"
                       "* Low power consumption\n"
                       "* Minimum number of settings\n"
-                      "* Not recognised by DPI analysis systems, resistant to blocking\n"
+                      "* Not recognised by traffic analysis systems\n"
                       "* Works over UDP network protocol.") },
         { DockerContainer::Xray,
-          QObject::tr("The REALITY protocol, a pioneering development by the creators of XRay, "
-                      "is specifically designed to counteract the highest levels of internet censorship through its novel approach to evasion.\n"
-                      "It uniquely identifies censors during the TLS handshake phase, seamlessly operating as a proxy for legitimate clients while diverting censors to genuine websites like google.com, "
-                      "thus presenting an authentic TLS certificate and data. \n"
-                      "This advanced capability differentiates REALITY from similar technologies by its ability to disguise web traffic as coming from random, "
-                      "legitimate sites without the need for specific configurations. \n"
-                      "Unlike older protocols such as VMess, VLESS, and the XTLS-Vision transport, "
-                      "REALITY's innovative \"friend or foe\" recognition at the TLS handshake enhances security and circumvents detection by sophisticated DPI systems employing active probing techniques. "
-                      "This makes REALITY a robust solution for maintaining internet freedom in environments with stringent censorship.")
+                QObject::tr("The REALITY protocol, a pioneering development by the creators of XRay, "
+                            "is designed to provide the highest level of protection against detection through its innovative approach to security and privacy.\n"
+                            "It uniquely identifies attackers during the TLS handshake phase, seamlessly operating as a proxy for legitimate clients while diverting attackers to genuine websites, "
+                            "thus presenting an authentic TLS certificate and data. \n"
+                            "This advanced capability differentiates REALITY from similar technologies by its ability to disguise web traffic as coming from random, "
+                            "legitimate sites without the need for specific configurations. \n"
+                            "Unlike older protocols such as VMess, VLESS, and the XTLS-Vision transport, "
+                            "REALITY's innovative \"friend or foe\" recognition at the TLS handshake enhances security. "
+                            "This makes REALITY a robust solution for maintaining internet freedom.")
         },
         { DockerContainer::Ipsec,
           QObject::tr("IKEv2, paired with the IPSec encryption layer, stands as a modern and stable VPN protocol.\n"
@@ -332,9 +327,7 @@ QStringList ContainerProps::fixedPortsForContainer(DockerContainer c)
 bool ContainerProps::isEasySetupContainer(DockerContainer container)
 {
     switch (container) {
-    case DockerContainer::WireGuard: return true;
     case DockerContainer::Awg: return true;
-    // case DockerContainer::Cloak: return true;
     default: return false;
     }
 }
@@ -342,9 +335,7 @@ bool ContainerProps::isEasySetupContainer(DockerContainer container)
 QString ContainerProps::easySetupHeader(DockerContainer container)
 {
     switch (container) {
-    case DockerContainer::WireGuard: return tr("Low");
-    case DockerContainer::Awg: return tr("High");
-    // case DockerContainer::Cloak: return tr("Extreme");
+    case DockerContainer::Awg: return tr("Automatic");
     default: return "";
     }
 }
@@ -352,10 +343,8 @@ QString ContainerProps::easySetupHeader(DockerContainer container)
 QString ContainerProps::easySetupDescription(DockerContainer container)
 {
     switch (container) {
-    case DockerContainer::WireGuard: return tr("I just want to increase the level of my privacy.");
-    case DockerContainer::Awg: return tr("I want to bypass censorship. This option recommended in most cases.");
-    // case DockerContainer::Cloak:
-    //     return tr("Most VPN protocols are blocked. Recommended if other options are not working.");
+    case DockerContainer::Awg: return tr("AmneziaWG protocol will be installed. "
+                                         "It provides high connection speed and ensures stable operation even in the most challenging network conditions.");
     default: return "";
     }
 }
@@ -363,9 +352,7 @@ QString ContainerProps::easySetupDescription(DockerContainer container)
 int ContainerProps::easySetupOrder(DockerContainer container)
 {
     switch (container) {
-    case DockerContainer::WireGuard: return 3;
-    case DockerContainer::Awg: return 2;
-    // case DockerContainer::Cloak: return 1;
+    case DockerContainer::Awg: return 1;
     default: return 0;
     }
 }
@@ -384,9 +371,9 @@ bool ContainerProps::isShareable(DockerContainer container)
 QJsonObject ContainerProps::getProtocolConfigFromContainer(const Proto protocol, const QJsonObject &containerConfig)
 {
     QString protocolConfigString = containerConfig.value(ProtocolProps::protoToString(protocol))
-                                           .toObject()
-                                           .value(config_key::last_config)
-                                           .toString();
+    .toObject()
+            .value(config_key::last_config)
+            .toString();
 
     return QJsonDocument::fromJson(protocolConfigString.toUtf8()).object();
 }

client/core/api/apiDefs.h

@@ -0,0 +1,51 @@
+#ifndef APIDEFS_H
+#define APIDEFS_H
+
+#include <QString>
+
+namespace apiDefs
+{
+    enum ConfigType {
+        AmneziaFreeV2 = 0,
+        AmneziaFreeV3,
+        AmneziaPremiumV1,
+        AmneziaPremiumV2,
+        SelfHosted
+    };
+
+    enum ConfigSource {
+        Telegram = 1,
+        AmneziaGateway
+    };
+
+    namespace key
+    {
+        constexpr QLatin1String configVersion("config_version");
+
+        constexpr QLatin1String apiConfig("api_config");
+        constexpr QLatin1String stackType("stack_type");
+        constexpr QLatin1String serviceType("service_type");
+
+        constexpr QLatin1String vpnKey("vpn_key");
+
+        constexpr QLatin1String installationUuid("installation_uuid");
+        constexpr QLatin1String workerLastUpdated("worker_last_updated");
+        constexpr QLatin1String lastDownloaded("last_downloaded");
+        constexpr QLatin1String sourceType("source_type");
+
+        constexpr QLatin1String serverCountryCode("server_country_code");
+        constexpr QLatin1String serverCountryName("server_country_name");
+
+        constexpr QLatin1String osVersion("os_version");
+
+        constexpr QLatin1String availableCountries("available_countries");
+        constexpr QLatin1String activeDeviceCount("active_device_count");
+        constexpr QLatin1String maxDeviceCount("max_device_count");
+        constexpr QLatin1String subscriptionEndDate("subscription_end_date");
+        constexpr QLatin1String issuedConfigs("issued_configs");
+    }
+
+    const int requestTimeoutMsecs = 12 * 1000; // 12 secs
+}
+
+#endif // APIDEFS_H

client/core/api/apiUtils.cpp

@@ -0,0 +1,87 @@
+#include "apiUtils.h"
+
+#include <QDateTime>
+#include <QJsonObject>
+
+bool apiUtils::isSubscriptionExpired(const QString &subscriptionEndDate)
+{
+    QDateTime now = QDateTime::currentDateTime();
+    QDateTime endDate = QDateTime::fromString(subscriptionEndDate, Qt::ISODateWithMs);
+    return endDate < now;
+}
+
+bool apiUtils::isServerFromApi(const QJsonObject &serverConfigObject)
+{
+    auto configVersion = serverConfigObject.value(apiDefs::key::configVersion).toInt();
+    switch (configVersion) {
+    case apiDefs::ConfigSource::Telegram: return true;
+    case apiDefs::ConfigSource::AmneziaGateway: return true;
+    default: return false;
+    }
+}
+
+apiDefs::ConfigType apiUtils::getConfigType(const QJsonObject &serverConfigObject)
+{
+    auto configVersion = serverConfigObject.value(apiDefs::key::configVersion).toInt();
+    switch (configVersion) {
+    case apiDefs::ConfigSource::Telegram: {
+    };
+    case apiDefs::ConfigSource::AmneziaGateway: {
+        constexpr QLatin1String stackPremium("prem");
+        constexpr QLatin1String stackFree("free");
+
+        constexpr QLatin1String servicePremium("amnezia-premium");
+        constexpr QLatin1String serviceFree("amnezia-free");
+
+        auto apiConfigObject = serverConfigObject.value(apiDefs::key::apiConfig).toObject();
+        auto stackType = apiConfigObject.value(apiDefs::key::stackType).toString();
+        auto serviceType = apiConfigObject.value(apiDefs::key::serviceType).toString();
+
+        if (serviceType == servicePremium || stackType == stackPremium) {
+            return apiDefs::ConfigType::AmneziaPremiumV2;
+        } else if (serviceType == serviceFree || stackType == stackFree) {
+            return apiDefs::ConfigType::AmneziaFreeV3;
+        }
+    }
+    default: {
+        return apiDefs::ConfigType::SelfHosted;
+    }
+    };
+}
+
+apiDefs::ConfigSource apiUtils::getConfigSource(const QJsonObject &serverConfigObject)
+{
+    return static_cast<apiDefs::ConfigSource>(serverConfigObject.value(apiDefs::key::configVersion).toInt());
+}
+
+amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &sslErrors, QNetworkReply *reply)
+{
+    const int httpStatusCodeConflict = 409;
+    const int httpStatusCodeNotFound = 404;
+
+    if (!sslErrors.empty()) {
+        qDebug().noquote() << sslErrors;
+        return amnezia::ErrorCode::ApiConfigSslError;
+    } else if (reply->error() == QNetworkReply::NoError) {
+        return amnezia::ErrorCode::NoError;
+    } else if (reply->error() == QNetworkReply::NetworkError::OperationCanceledError
+               || reply->error() == QNetworkReply::NetworkError::TimeoutError) {
+        return amnezia::ErrorCode::ApiConfigTimeoutError;
+    } else {
+        QString err = reply->errorString();
+        int httpStatusCode = reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
+        qDebug() << QString::fromUtf8(reply->readAll());
+        qDebug() << reply->error();
+        qDebug() << err;
+        qDebug() << httpStatusCode;
+        if (httpStatusCode == httpStatusCodeConflict) {
+            return amnezia::ErrorCode::ApiConfigLimitError;
+        } else if (httpStatusCode == httpStatusCodeNotFound) {
+            return amnezia::ErrorCode::ApiNotFoundError;
+        }
+        return amnezia::ErrorCode::ApiConfigDownloadError;
+    }
+
+    qDebug() << "something went wrong";
+    return amnezia::ErrorCode::InternalError;
+}

client/core/api/apiUtils.h

@@ -0,0 +1,22 @@
+#ifndef APIUTILS_H
+#define APIUTILS_H
+
+#include <QNetworkReply>
+#include <QObject>
+
+#include "apiDefs.h"
+#include "core/defs.h"
+
+namespace apiUtils
+{
+    bool isServerFromApi(const QJsonObject &serverConfigObject);
+
+    bool isSubscriptionExpired(const QString &subscriptionEndDate);
+
+    apiDefs::ConfigType getConfigType(const QJsonObject &serverConfigObject);
+    apiDefs::ConfigSource getConfigSource(const QJsonObject &serverConfigObject);
+
+    amnezia::ErrorCode checkNetworkReplyErrors(const QList<QSslError> &sslErrors, QNetworkReply *reply);
+}
+
+#endif // APIUTILS_H

client/core/controllers/apiController.cpp

@@ -1,423 +0,0 @@
-#include "apiController.h"
-
-#include <QEventLoop>
-#include <QNetworkAccessManager>
-#include <QNetworkReply>
-#include <QtConcurrent>
-
-#include "QBlockCipher.h"
-#include "QRsa.h"
-
-#include "amnezia_application.h"
-#include "configurators/wireguard_configurator.h"
-#include "core/enums/apiEnums.h"
-#include "version.h"
-
-namespace
-{
-    namespace configKey
-    {
-        constexpr char cloak[] = "cloak";
-        constexpr char awg[] = "awg";
-
-        constexpr char apiEdnpoint[] = "api_endpoint";
-        constexpr char accessToken[] = "api_key";
-        constexpr char certificate[] = "certificate";
-        constexpr char publicKey[] = "public_key";
-        constexpr char protocol[] = "protocol";
-
-        constexpr char uuid[] = "installation_uuid";
-        constexpr char osVersion[] = "os_version";
-        constexpr char appVersion[] = "app_version";
-
-        constexpr char userCountryCode[] = "user_country_code";
-        constexpr char serverCountryCode[] = "server_country_code";
-        constexpr char serviceType[] = "service_type";
-
-        constexpr char aesKey[] = "aes_key";
-        constexpr char aesIv[] = "aes_iv";
-        constexpr char aesSalt[] = "aes_salt";
-
-        constexpr char apiPayload[] = "api_payload";
-        constexpr char keyPayload[] = "key_payload";
-    }
-
-    const QStringList proxyStorageUrl = { "" };
-
-    ErrorCode checkErrors(const QList<QSslError> &sslErrors, QNetworkReply *reply)
-    {
-        if (!sslErrors.empty()) {
-            qDebug().noquote() << sslErrors;
-            return ErrorCode::ApiConfigSslError;
-        } else if (reply->error() == QNetworkReply::NoError) {
-            return ErrorCode::NoError;
-        } else if (reply->error() == QNetworkReply::NetworkError::OperationCanceledError
-                   || reply->error() == QNetworkReply::NetworkError::TimeoutError) {
-            return ErrorCode::ApiConfigTimeoutError;
-        } else {
-            QString err = reply->errorString();
-            qDebug() << QString::fromUtf8(reply->readAll());
-            qDebug() << reply->error();
-            qDebug() << err;
-            qDebug() << reply->attribute(QNetworkRequest::HttpStatusCodeAttribute);
-            return ErrorCode::ApiConfigDownloadError;
-        }
-    }
-}
-
-ApiController::ApiController(const QString &gatewayEndpoint, bool isDevEnvironment, QObject *parent)
-    : QObject(parent), m_gatewayEndpoint(gatewayEndpoint), m_isDevEnvironment(isDevEnvironment)
-{
-}
-
-void ApiController::fillServerConfig(const QString &protocol, const ApiController::ApiPayloadData &apiPayloadData,
-                                     const QByteArray &apiResponseBody, QJsonObject &serverConfig)
-{
-    QString data = QJsonDocument::fromJson(apiResponseBody).object().value(config_key::config).toString();
-
-    data.replace("vpn://", "");
-    QByteArray ba = QByteArray::fromBase64(data.toUtf8(), QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
-
-    if (ba.isEmpty()) {
-        emit errorOccurred(ErrorCode::ApiConfigEmptyError);
-        return;
-    }
-
-    QByteArray ba_uncompressed = qUncompress(ba);
-    if (!ba_uncompressed.isEmpty()) {
-        ba = ba_uncompressed;
-    }
-
-    QString configStr = ba;
-    if (protocol == configKey::cloak) {
-        configStr.replace("<key>", "<key>\n");
-        configStr.replace("$OPENVPN_PRIV_KEY", apiPayloadData.certRequest.privKey);
-    } else if (protocol == configKey::awg) {
-        configStr.replace("$WIREGUARD_CLIENT_PRIVATE_KEY", apiPayloadData.wireGuardClientPrivKey);
-        auto serverConfig = QJsonDocument::fromJson(configStr.toUtf8()).object();
-        auto containers = serverConfig.value(config_key::containers).toArray();
-        if (containers.isEmpty()) {
-            return; // todo process error
-        }
-        auto container = containers.at(0).toObject();
-        QString containerName = ContainerProps::containerTypeToString(DockerContainer::Awg);
-        auto containerConfig = container.value(containerName).toObject();
-        auto protocolConfig = QJsonDocument::fromJson(containerConfig.value(config_key::last_config).toString().toUtf8()).object();
-        containerConfig[config_key::junkPacketCount] = protocolConfig.value(config_key::junkPacketCount);
-        containerConfig[config_key::junkPacketMinSize] = protocolConfig.value(config_key::junkPacketMinSize);
-        containerConfig[config_key::junkPacketMaxSize] = protocolConfig.value(config_key::junkPacketMaxSize);
-        containerConfig[config_key::initPacketJunkSize] = protocolConfig.value(config_key::initPacketJunkSize);
-        containerConfig[config_key::responsePacketJunkSize] = protocolConfig.value(config_key::responsePacketJunkSize);
-        containerConfig[config_key::initPacketMagicHeader] = protocolConfig.value(config_key::initPacketMagicHeader);
-        containerConfig[config_key::responsePacketMagicHeader] = protocolConfig.value(config_key::responsePacketMagicHeader);
-        containerConfig[config_key::underloadPacketMagicHeader] = protocolConfig.value(config_key::underloadPacketMagicHeader);
-        containerConfig[config_key::transportPacketMagicHeader] = protocolConfig.value(config_key::transportPacketMagicHeader);
-        container[containerName] = containerConfig;
-        containers.replace(0, container);
-        serverConfig[config_key::containers] = containers;
-        configStr = QString(QJsonDocument(serverConfig).toJson());
-    }
-
-    QJsonObject apiConfig = QJsonDocument::fromJson(configStr.toUtf8()).object();
-    serverConfig[config_key::dns1] = apiConfig.value(config_key::dns1);
-    serverConfig[config_key::dns2] = apiConfig.value(config_key::dns2);
-    serverConfig[config_key::containers] = apiConfig.value(config_key::containers);
-    serverConfig[config_key::hostName] = apiConfig.value(config_key::hostName);
-
-    if (apiConfig.value(config_key::configVersion).toInt() == ApiConfigSources::AmneziaGateway) {
-        serverConfig[config_key::configVersion] = apiConfig.value(config_key::configVersion);
-        serverConfig[config_key::description] = apiConfig.value(config_key::description);
-        serverConfig[config_key::name] = apiConfig.value(config_key::name);
-    }
-
-    auto defaultContainer = apiConfig.value(config_key::defaultContainer).toString();
-    serverConfig[config_key::defaultContainer] = defaultContainer;
-
-    return;
-}
-
-QStringList ApiController::getProxyUrls()
-{
-    QNetworkRequest request;
-    request.setTransferTimeout(7000);
-    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
-
-    QEventLoop wait;
-    QList<QSslError> sslErrors;
-    QNetworkReply *reply;
-
-    for (const auto &proxyStorageUrl : proxyStorageUrl) {
-        request.setUrl(proxyStorageUrl);
-        reply = amnApp->manager()->get(request);
-
-        connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
-        connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
-        wait.exec();
-
-        if (reply->error() == QNetworkReply::NetworkError::NoError) {
-            break;
-        }
-        reply->deleteLater();
-    }
-
-    auto encryptedResponseBody = reply->readAll();
-    reply->deleteLater();
-
-    EVP_PKEY *privateKey = nullptr;
-    QByteArray responseBody;
-    try {
-        QByteArray key = PROD_PROXY_STORAGE_KEY;
-        QSimpleCrypto::QRsa rsa;
-        privateKey = rsa.getPrivateKeyFromByteArray(key, "");
-        responseBody = rsa.decrypt(encryptedResponseBody, privateKey, RSA_PKCS1_PADDING);
-    } catch (...) {
-        qCritical() << "error loading private key from environment variables or decrypting payload";
-        return {};
-    }
-
-    auto endpointsArray = QJsonDocument::fromJson(responseBody).array();
-
-    QStringList endpoints;
-    for (const auto &endpoint : endpointsArray) {
-        endpoints.push_back(endpoint.toString());
-    }
-    return endpoints;
-}
-
-ApiController::ApiPayloadData ApiController::generateApiPayloadData(const QString &protocol)
-{
-    ApiController::ApiPayloadData apiPayload;
-    if (protocol == configKey::cloak) {
-        apiPayload.certRequest = OpenVpnConfigurator::createCertRequest();
-    } else if (protocol == configKey::awg) {
-        auto connData = WireguardConfigurator::genClientKeys();
-        apiPayload.wireGuardClientPubKey = connData.clientPubKey;
-        apiPayload.wireGuardClientPrivKey = connData.clientPrivKey;
-    }
-    return apiPayload;
-}
-
-QJsonObject ApiController::fillApiPayload(const QString &protocol, const ApiController::ApiPayloadData &apiPayloadData)
-{
-    QJsonObject obj;
-    if (protocol == configKey::cloak) {
-        obj[configKey::certificate] = apiPayloadData.certRequest.request;
-    } else if (protocol == configKey::awg) {
-        obj[configKey::publicKey] = apiPayloadData.wireGuardClientPubKey;
-    }
-
-    obj[configKey::osVersion] = QSysInfo::productType();
-    obj[configKey::appVersion] = QString(APP_VERSION);
-
-    return obj;
-}
-
-void ApiController::updateServerConfigFromApi(const QString &installationUuid, const int serverIndex, QJsonObject serverConfig)
-{
-#ifdef Q_OS_IOS
-    IosController::Instance()->requestInetAccess();
-    QThread::msleep(10);
-#endif
-
-    if (serverConfig.value(config_key::configVersion).toInt()) {
-        QNetworkRequest request;
-        request.setTransferTimeout(7000);
-        request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
-        request.setRawHeader("Authorization", "Api-Key " + serverConfig.value(configKey::accessToken).toString().toUtf8());
-        QString endpoint = serverConfig.value(configKey::apiEdnpoint).toString();
-        request.setUrl(endpoint);
-
-        QString protocol = serverConfig.value(configKey::protocol).toString();
-
-        ApiPayloadData apiPayloadData = generateApiPayloadData(protocol);
-
-        QJsonObject apiPayload = fillApiPayload(protocol, apiPayloadData);
-        apiPayload[configKey::uuid] = installationUuid;
-
-        QByteArray requestBody = QJsonDocument(apiPayload).toJson();
-
-        QNetworkReply *reply = amnApp->manager()->post(request, requestBody);
-
-        QObject::connect(reply, &QNetworkReply::finished, [this, reply, protocol, apiPayloadData, serverIndex, serverConfig]() mutable {
-            if (reply->error() == QNetworkReply::NoError) {
-                auto apiResponseBody = reply->readAll();
-                fillServerConfig(protocol, apiPayloadData, apiResponseBody, serverConfig);
-                emit finished(serverConfig, serverIndex);
-            } else {
-                if (reply->error() == QNetworkReply::NetworkError::OperationCanceledError
-                    || reply->error() == QNetworkReply::NetworkError::TimeoutError) {
-                    emit errorOccurred(ErrorCode::ApiConfigTimeoutError);
-                } else {
-                    QString err = reply->errorString();
-                    qDebug() << QString::fromUtf8(reply->readAll());
-                    qDebug() << reply->error();
-                    qDebug() << err;
-                    qDebug() << reply->attribute(QNetworkRequest::HttpStatusCodeAttribute);
-                    emit errorOccurred(ErrorCode::ApiConfigDownloadError);
-                }
-            }
-
-            reply->deleteLater();
-        });
-
-        QObject::connect(reply, &QNetworkReply::errorOccurred,
-                         [this, reply](QNetworkReply::NetworkError error) { qDebug() << reply->errorString() << error; });
-        connect(reply, &QNetworkReply::sslErrors, [this, reply](const QList<QSslError> &errors) {
-            qDebug().noquote() << errors;
-            emit errorOccurred(ErrorCode::ApiConfigSslError);
-        });
-    }
-}
-
-ErrorCode ApiController::getServicesList(QByteArray &responseBody)
-{
-#ifdef Q_OS_IOS
-    IosController::Instance()->requestInetAccess();
-    QThread::msleep(10);
-#endif
-
-    QNetworkRequest request;
-    request.setTransferTimeout(7000);
-    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
-
-    request.setUrl(QString("%1v1/services").arg(m_gatewayEndpoint));
-
-    QNetworkReply *reply;
-    reply = amnApp->manager()->get(request);
-
-    QEventLoop wait;
-    QObject::connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
-
-    QList<QSslError> sslErrors;
-    connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
-    wait.exec();
-
-    if (reply->error() == QNetworkReply::NetworkError::TimeoutError || reply->error() == QNetworkReply::NetworkError::OperationCanceledError) {
-        m_proxyUrls = getProxyUrls();
-        for (const QString &proxyUrl : m_proxyUrls) {
-            request.setUrl(QString("%1v1/services").arg(proxyUrl));
-            reply = amnApp->manager()->get(request);
-
-            QObject::connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
-            connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
-            wait.exec();
-            if (reply->error() != QNetworkReply::NetworkError::TimeoutError
-                && reply->error() != QNetworkReply::NetworkError::OperationCanceledError) {
-                break;
-            }
-            reply->deleteLater();
-        }
-    }
-
-    responseBody = reply->readAll();
-    auto errorCode = checkErrors(sslErrors, reply);
-    reply->deleteLater();
-    return errorCode;
-}
-
-ErrorCode ApiController::getConfigForService(const QString &installationUuid, const QString &userCountryCode, const QString &serviceType,
-                                             const QString &protocol, const QString &serverCountryCode, QJsonObject &serverConfig)
-{
-#ifdef Q_OS_IOS
-    IosController::Instance()->requestInetAccess();
-    QThread::msleep(10);
-#endif
-
-    QNetworkAccessManager manager;
-    QNetworkRequest request;
-    request.setTransferTimeout(7000);
-    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
-
-    request.setUrl(QString("%1v1/config").arg(m_gatewayEndpoint));
-
-    ApiPayloadData apiPayloadData = generateApiPayloadData(protocol);
-
-    QJsonObject apiPayload = fillApiPayload(protocol, apiPayloadData);
-    apiPayload[configKey::userCountryCode] = userCountryCode;
-    if (!serverCountryCode.isEmpty()) {
-        apiPayload[configKey::serverCountryCode] = serverCountryCode;
-    }
-    apiPayload[configKey::serviceType] = serviceType;
-    apiPayload[configKey::uuid] = installationUuid;
-
-    QSimpleCrypto::QBlockCipher blockCipher;
-    QByteArray key = blockCipher.generatePrivateSalt(32);
-    QByteArray iv = blockCipher.generatePrivateSalt(32);
-    QByteArray salt = blockCipher.generatePrivateSalt(8);
-
-    QJsonObject keyPayload;
-    keyPayload[configKey::aesKey] = QString(key.toBase64());
-    keyPayload[configKey::aesIv] = QString(iv.toBase64());
-    keyPayload[configKey::aesSalt] = QString(salt.toBase64());
-
-    QByteArray encryptedKeyPayload;
-    QByteArray encryptedApiPayload;
-    try {
-        QSimpleCrypto::QRsa rsa;
-
-        EVP_PKEY *publicKey = nullptr;
-        try {
-            QByteArray key = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
-            QSimpleCrypto::QRsa rsa;
-            publicKey = rsa.getPublicKeyFromByteArray(key);
-        } catch (...) {
-            qCritical() << "error loading public key from environment variables";
-            return ErrorCode::ApiMissingAgwPublicKey;
-        }
-
-        encryptedKeyPayload = rsa.encrypt(QJsonDocument(keyPayload).toJson(), publicKey, RSA_PKCS1_PADDING);
-        EVP_PKEY_free(publicKey);
-
-        encryptedApiPayload = blockCipher.encryptAesBlockCipher(QJsonDocument(apiPayload).toJson(), key, iv, "", salt);
-    } catch (...) { // todo change error handling in QSimpleCrypto?
-        qCritical() << "error when encrypting the request body";
-    }
-
-    QJsonObject requestBody;
-    requestBody[configKey::keyPayload] = QString(encryptedKeyPayload.toBase64());
-    requestBody[configKey::apiPayload] = QString(encryptedApiPayload.toBase64());
-
-    QNetworkReply *reply = manager.post(request, QJsonDocument(requestBody).toJson());
-
-    QEventLoop wait;
-    connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
-
-    QList<QSslError> sslErrors;
-    connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
-    wait.exec();
-
-    if (reply->error() == QNetworkReply::NetworkError::TimeoutError || reply->error() == QNetworkReply::NetworkError::OperationCanceledError) {
-        if (m_proxyUrls.isEmpty()) {
-            m_proxyUrls = getProxyUrls();
-        }
-        for (const QString &proxyUrl : m_proxyUrls) {
-            request.setUrl(QString("%1v1/config").arg(proxyUrl));
-            reply = manager.post(request, QJsonDocument(requestBody).toJson());
-
-            QObject::connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
-            connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
-            wait.exec();
-            if (reply->error() != QNetworkReply::NetworkError::TimeoutError
-                && reply->error() != QNetworkReply::NetworkError::OperationCanceledError) {
-                break;
-            }
-            reply->deleteLater();
-        }
-    }
-
-    auto errorCode = checkErrors(sslErrors, reply);
-    if (errorCode) {
-        return errorCode;
-    }
-
-    auto encryptedResponseBody = reply->readAll();
-    reply->deleteLater();
-    try {
-        auto responseBody = blockCipher.decryptAesBlockCipher(encryptedResponseBody, key, iv, "", salt);
-        fillServerConfig(protocol, apiPayloadData, responseBody, serverConfig);
-    } catch (...) { // todo change error handling in QSimpleCrypto?
-        qCritical() << "error when decrypting the request body";
-    }
-
-    return errorCode;
-}

client/core/controllers/apiController.h

@@ -1,50 +0,0 @@
-#ifndef APICONTROLLER_H
-#define APICONTROLLER_H
-
-#include <QObject>
-
-#include "configurators/openvpn_configurator.h"
-
-#ifdef Q_OS_IOS
-    #include "platforms/ios/ios_controller.h"
-#endif
-
-class ApiController : public QObject
-{
-    Q_OBJECT
-
-public:
-    explicit ApiController(const QString &gatewayEndpoint, bool isDevEnvironment, QObject *parent = nullptr);
-
-public slots:
-    void updateServerConfigFromApi(const QString &installationUuid, const int serverIndex, QJsonObject serverConfig);
-
-    ErrorCode getServicesList(QByteArray &responseBody);
-    ErrorCode getConfigForService(const QString &installationUuid, const QString &userCountryCode, const QString &serviceType,
-                                  const QString &protocol, const QString &serverCountryCode, QJsonObject &serverConfig);
-
-signals:
-    void errorOccurred(ErrorCode errorCode);
-    void finished(const QJsonObject &config, const int serverIndex);
-
-private:
-    struct ApiPayloadData
-    {
-        OpenVpnConfigurator::ConnectionData certRequest;
-
-        QString wireGuardClientPrivKey;
-        QString wireGuardClientPubKey;
-    };
-
-    ApiPayloadData generateApiPayloadData(const QString &protocol);
-    QJsonObject fillApiPayload(const QString &protocol, const ApiController::ApiPayloadData &apiPayloadData);
-    void fillServerConfig(const QString &protocol, const ApiController::ApiPayloadData &apiPayloadData, const QByteArray &apiResponseBody,
-                          QJsonObject &serverConfig);
-    QStringList getProxyUrls();
-
-    QString m_gatewayEndpoint;
-    QStringList m_proxyUrls;
-    bool m_isDevEnvironment = false;
-};
-
-#endif // APICONTROLLER_H

client/core/controllers/coreController.cpp

@@ -0,0 +1,345 @@
+#include "coreController.h"
+
+#include <QTranslator>
+
+#if defined(Q_OS_ANDROID)
+    #include "core/installedAppsImageProvider.h"
+    #include "platforms/android/android_controller.h"
+#endif
+
+#if defined(Q_OS_IOS)
+    #include "platforms/ios/ios_controller.h"
+    #include <AmneziaVPN-Swift.h>
+#endif
+
+CoreController::CoreController(const QSharedPointer<VpnConnection> &vpnConnection, const std::shared_ptr<Settings> &settings,
+                               QQmlApplicationEngine *engine, QObject *parent)
+    : QObject(parent), m_vpnConnection(vpnConnection), m_settings(settings), m_engine(engine)
+{
+    initModels();
+    initControllers();
+    initSignalHandlers();
+
+    initAndroidController();
+    initAppleController();
+
+    initNotificationHandler();
+
+    auto locale = m_settings->getAppLanguage();
+    m_translator.reset(new QTranslator());
+    updateTranslator(locale);
+}
+
+void CoreController::initModels()
+{
+    m_containersModel.reset(new ContainersModel(this));
+    m_engine->rootContext()->setContextProperty("ContainersModel", m_containersModel.get());
+
+    m_defaultServerContainersModel.reset(new ContainersModel(this));
+    m_engine->rootContext()->setContextProperty("DefaultServerContainersModel", m_defaultServerContainersModel.get());
+
+    m_serversModel.reset(new ServersModel(m_settings, this));
+    m_engine->rootContext()->setContextProperty("ServersModel", m_serversModel.get());
+
+    m_languageModel.reset(new LanguageModel(m_settings, this));
+    m_engine->rootContext()->setContextProperty("LanguageModel", m_languageModel.get());
+
+    m_sitesModel.reset(new SitesModel(m_settings, this));
+    m_engine->rootContext()->setContextProperty("SitesModel", m_sitesModel.get());
+
+    m_appSplitTunnelingModel.reset(new AppSplitTunnelingModel(m_settings, this));
+    m_engine->rootContext()->setContextProperty("AppSplitTunnelingModel", m_appSplitTunnelingModel.get());
+
+    m_protocolsModel.reset(new ProtocolsModel(m_settings, this));
+    m_engine->rootContext()->setContextProperty("ProtocolsModel", m_protocolsModel.get());
+
+    m_openVpnConfigModel.reset(new OpenVpnConfigModel(this));
+    m_engine->rootContext()->setContextProperty("OpenVpnConfigModel", m_openVpnConfigModel.get());
+
+    m_shadowSocksConfigModel.reset(new ShadowSocksConfigModel(this));
+    m_engine->rootContext()->setContextProperty("ShadowSocksConfigModel", m_shadowSocksConfigModel.get());
+
+    m_cloakConfigModel.reset(new CloakConfigModel(this));
+    m_engine->rootContext()->setContextProperty("CloakConfigModel", m_cloakConfigModel.get());
+
+    m_wireGuardConfigModel.reset(new WireGuardConfigModel(this));
+    m_engine->rootContext()->setContextProperty("WireGuardConfigModel", m_wireGuardConfigModel.get());
+
+    m_awgConfigModel.reset(new AwgConfigModel(this));
+    m_engine->rootContext()->setContextProperty("AwgConfigModel", m_awgConfigModel.get());
+
+    m_xrayConfigModel.reset(new XrayConfigModel(this));
+    m_engine->rootContext()->setContextProperty("XrayConfigModel", m_xrayConfigModel.get());
+
+#ifdef Q_OS_WINDOWS
+    m_ikev2ConfigModel.reset(new Ikev2ConfigModel(this));
+    m_engine->rootContext()->setContextProperty("Ikev2ConfigModel", m_ikev2ConfigModel.get());
+#endif
+
+    m_sftpConfigModel.reset(new SftpConfigModel(this));
+    m_engine->rootContext()->setContextProperty("SftpConfigModel", m_sftpConfigModel.get());
+
+    m_socks5ConfigModel.reset(new Socks5ProxyConfigModel(this));
+    m_engine->rootContext()->setContextProperty("Socks5ProxyConfigModel", m_socks5ConfigModel.get());
+
+    m_clientManagementModel.reset(new ClientManagementModel(m_settings, this));
+    m_engine->rootContext()->setContextProperty("ClientManagementModel", m_clientManagementModel.get());
+
+    m_apiServicesModel.reset(new ApiServicesModel(this));
+    m_engine->rootContext()->setContextProperty("ApiServicesModel", m_apiServicesModel.get());
+
+    m_apiCountryModel.reset(new ApiCountryModel(this));
+    m_engine->rootContext()->setContextProperty("ApiCountryModel", m_apiCountryModel.get());
+
+    m_apiAccountInfoModel.reset(new ApiAccountInfoModel(this));
+    m_engine->rootContext()->setContextProperty("ApiAccountInfoModel", m_apiAccountInfoModel.get());
+
+    m_apiDevicesModel.reset(new ApiDevicesModel(m_settings, this));
+    m_engine->rootContext()->setContextProperty("ApiDevicesModel", m_apiDevicesModel.get());
+}
+
+void CoreController::initControllers()
+{
+    m_connectionController.reset(
+            new ConnectionController(m_serversModel, m_containersModel, m_clientManagementModel, m_vpnConnection, m_settings));
+    m_engine->rootContext()->setContextProperty("ConnectionController", m_connectionController.get());
+
+    m_pageController.reset(new PageController(m_serversModel, m_settings));
+    m_engine->rootContext()->setContextProperty("PageController", m_pageController.get());
+
+    m_focusController.reset(new FocusController(m_engine, this));
+    m_engine->rootContext()->setContextProperty("FocusController", m_focusController.get());
+
+    m_installController.reset(new InstallController(m_serversModel, m_containersModel, m_protocolsModel, m_clientManagementModel, m_settings));
+    m_engine->rootContext()->setContextProperty("InstallController", m_installController.get());
+
+    connect(m_installController.get(), &InstallController::currentContainerUpdated, m_connectionController.get(),
+            &ConnectionController::onCurrentContainerUpdated); // TODO remove this
+
+    m_importController.reset(new ImportController(m_serversModel, m_containersModel, m_settings));
+    m_engine->rootContext()->setContextProperty("ImportController", m_importController.get());
+
+    m_exportController.reset(new ExportController(m_serversModel, m_containersModel, m_clientManagementModel, m_settings));
+    m_engine->rootContext()->setContextProperty("ExportController", m_exportController.get());
+
+    m_settingsController.reset(
+            new SettingsController(m_serversModel, m_containersModel, m_languageModel, m_sitesModel, m_appSplitTunnelingModel, m_settings));
+    m_engine->rootContext()->setContextProperty("SettingsController", m_settingsController.get());
+
+    m_sitesController.reset(new SitesController(m_settings, m_vpnConnection, m_sitesModel));
+    m_engine->rootContext()->setContextProperty("SitesController", m_sitesController.get());
+
+    m_appSplitTunnelingController.reset(new AppSplitTunnelingController(m_settings, m_appSplitTunnelingModel));
+    m_engine->rootContext()->setContextProperty("AppSplitTunnelingController", m_appSplitTunnelingController.get());
+
+    m_systemController.reset(new SystemController(m_settings));
+    m_engine->rootContext()->setContextProperty("SystemController", m_systemController.get());
+
+    m_apiSettingsController.reset(
+            new ApiSettingsController(m_serversModel, m_apiAccountInfoModel, m_apiCountryModel, m_apiDevicesModel, m_settings));
+    m_engine->rootContext()->setContextProperty("ApiSettingsController", m_apiSettingsController.get());
+
+    m_apiConfigsController.reset(new ApiConfigsController(m_serversModel, m_apiServicesModel, m_settings));
+    m_engine->rootContext()->setContextProperty("ApiConfigsController", m_apiConfigsController.get());
+}
+
+void CoreController::initAndroidController()
+{
+#ifdef Q_OS_ANDROID
+    if (!AndroidController::initLogging()) {
+        qFatal("Android logging initialization failed");
+    }
+    AndroidController::instance()->setSaveLogs(m_settings->isSaveLogs());
+    connect(m_settings.get(), &Settings::saveLogsChanged, AndroidController::instance(), &AndroidController::setSaveLogs);
+
+    AndroidController::instance()->setScreenshotsEnabled(m_settings->isScreenshotsEnabled());
+    connect(m_settings.get(), &Settings::screenshotsEnabledChanged, AndroidController::instance(), &AndroidController::setScreenshotsEnabled);
+
+    connect(m_settings.get(), &Settings::serverRemoved, AndroidController::instance(), &AndroidController::resetLastServer);
+
+    connect(m_settings.get(), &Settings::settingsCleared, []() { AndroidController::instance()->resetLastServer(-1); });
+
+    connect(AndroidController::instance(), &AndroidController::initConnectionState, this, [this](Vpn::ConnectionState state) {
+        m_connectionController->onConnectionStateChanged(state);
+        if (m_vpnConnection)
+            m_vpnConnection->restoreConnection();
+    });
+    if (!AndroidController::instance()->initialize()) {
+        qFatal("Android controller initialization failed");
+    }
+
+    connect(AndroidController::instance(), &AndroidController::importConfigFromOutside, this, [this](QString data) {
+        emit m_pageController->goToPageHome();
+        m_importController->extractConfigFromData(data);
+        data.clear();
+        emit m_pageController->goToPageViewConfig();
+    });
+
+    m_engine->addImageProvider(QLatin1String("installedAppImage"), new InstalledAppsImageProvider);
+#endif
+}
+
+void CoreController::initAppleController()
+{
+#ifdef Q_OS_IOS
+    IosController::Instance()->initialize();
+    connect(IosController::Instance(), &IosController::importConfigFromOutside, this, [this](QString data) {
+        emit m_pageController->goToPageHome();
+        m_importController->extractConfigFromData(data);
+        emit m_pageController->goToPageViewConfig();
+    });
+
+    connect(IosController::Instance(), &IosController::importBackupFromOutside, this, [this](QString filePath) {
+        emit m_pageController->goToPageHome();
+        m_pageController->goToPageSettingsBackup();
+        emit m_settingsController->importBackupFromOutside(filePath);
+    });
+
+    QTimer::singleShot(0, this, [this]() { AmneziaVPN::toggleScreenshots(m_settings->isScreenshotsEnabled()); });
+
+    connect(m_settings.get(), &Settings::screenshotsEnabledChanged, [](bool enabled) { AmneziaVPN::toggleScreenshots(enabled); });
+#endif
+}
+
+void CoreController::initSignalHandlers()
+{
+    initErrorMessagesHandler();
+
+    initApiCountryModelUpdateHandler();
+    initContainerModelUpdateHandler();
+    initAdminConfigRevokedHandler();
+    initPassphraseRequestHandler();
+    initTranslationsUpdatedHandler();
+    initAutoConnectHandler();
+    initAmneziaDnsToggledHandler();
+    initPrepareConfigHandler();
+}
+
+void CoreController::initNotificationHandler()
+{
+#ifndef Q_OS_ANDROID
+    m_notificationHandler.reset(NotificationHandler::create(nullptr));
+
+    connect(m_vpnConnection.get(), &VpnConnection::connectionStateChanged, m_notificationHandler.get(),
+            &NotificationHandler::setConnectionState);
+
+    connect(m_notificationHandler.get(), &NotificationHandler::raiseRequested, m_pageController.get(), &PageController::raiseMainWindow);
+    connect(m_notificationHandler.get(), &NotificationHandler::connectRequested, m_connectionController.get(),
+            static_cast<void (ConnectionController::*)()>(&ConnectionController::openConnection));
+    connect(m_notificationHandler.get(), &NotificationHandler::disconnectRequested, m_connectionController.get(),
+            &ConnectionController::closeConnection);
+    connect(this, &CoreController::translationsUpdated, m_notificationHandler.get(), &NotificationHandler::onTranslationsUpdated);
+#endif
+}
+
+void CoreController::updateTranslator(const QLocale &locale)
+{
+    if (!m_translator->isEmpty()) {
+        QCoreApplication::removeTranslator(m_translator.get());
+    }
+
+    QString strFileName = QString(":/translations/amneziavpn") + QLatin1String("_") + locale.name() + ".qm";
+    if (m_translator->load(strFileName)) {
+        if (QCoreApplication::installTranslator(m_translator.get())) {
+            m_settings->setAppLanguage(locale);
+        }
+    } else {
+        m_settings->setAppLanguage(QLocale::English);
+    }
+
+    m_engine->retranslate();
+
+    emit translationsUpdated();
+}
+
+void CoreController::initErrorMessagesHandler()
+{
+    connect(m_connectionController.get(), &ConnectionController::connectionErrorOccurred, this, [this](ErrorCode errorCode) {
+        emit m_pageController->showErrorMessage(errorCode);
+        emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
+    });
+
+    connect(m_apiConfigsController.get(), &ApiConfigsController::errorOccurred, m_pageController.get(),
+            qOverload<ErrorCode>(&PageController::showErrorMessage));
+}
+
+void CoreController::setQmlRoot()
+{
+    m_systemController->setQmlRoot(m_engine->rootObjects().value(0));
+}
+
+void CoreController::initApiCountryModelUpdateHandler()
+{
+    // TODO
+    connect(m_serversModel.get(), &ServersModel::updateApiCountryModel, this, [this]() {
+        m_apiCountryModel->updateModel(m_serversModel->getProcessedServerData("apiAvailableCountries").toJsonArray(),
+                                       m_serversModel->getProcessedServerData("apiServerCountryCode").toString());
+    });
+    connect(m_serversModel.get(), &ServersModel::updateApiServicesModel, this,
+            [this]() { m_apiServicesModel->updateModel(m_serversModel->getProcessedServerData("apiConfig").toJsonObject()); });
+}
+
+void CoreController::initContainerModelUpdateHandler()
+{
+    connect(m_serversModel.get(), &ServersModel::containersUpdated, m_containersModel.get(), &ContainersModel::updateModel);
+    connect(m_serversModel.get(), &ServersModel::defaultServerContainersUpdated, m_defaultServerContainersModel.get(),
+            &ContainersModel::updateModel);
+    m_serversModel->resetModel();
+}
+
+void CoreController::initAdminConfigRevokedHandler()
+{
+    connect(m_clientManagementModel.get(), &ClientManagementModel::adminConfigRevoked, m_serversModel.get(),
+            &ServersModel::clearCachedProfile);
+}
+
+void CoreController::initPassphraseRequestHandler()
+{
+    connect(m_installController.get(), &InstallController::passphraseRequestStarted, m_pageController.get(),
+            &PageController::showPassphraseRequestDrawer);
+    connect(m_pageController.get(), &PageController::passphraseRequestDrawerClosed, m_installController.get(),
+            &InstallController::setEncryptedPassphrase);
+}
+
+void CoreController::initTranslationsUpdatedHandler()
+{
+    connect(m_languageModel.get(), &LanguageModel::updateTranslations, this, &CoreController::updateTranslator);
+    connect(this, &CoreController::translationsUpdated, m_languageModel.get(), &LanguageModel::translationsUpdated);
+    connect(this, &CoreController::translationsUpdated, m_connectionController.get(), &ConnectionController::onTranslationsUpdated);
+}
+
+void CoreController::initAutoConnectHandler()
+{
+    if (m_settingsController->isAutoConnectEnabled() && m_serversModel->getDefaultServerIndex() >= 0) {
+        QTimer::singleShot(1000, this, [this]() { m_connectionController->openConnection(); });
+    }
+}
+
+void CoreController::initAmneziaDnsToggledHandler()
+{
+    connect(m_settingsController.get(), &SettingsController::amneziaDnsToggled, m_serversModel.get(), &ServersModel::toggleAmneziaDns);
+}
+
+void CoreController::initPrepareConfigHandler()
+{
+    connect(m_connectionController.get(), &ConnectionController::prepareConfig, this, [this]() {
+        emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Preparing);
+
+        if (!m_apiConfigsController->isConfigValid()) {
+            emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
+            return;
+        }
+
+        if (!m_installController->isConfigValid()) {
+            emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
+            return;
+        }
+
+        m_connectionController->openConnection();
+    });
+}
+
+QSharedPointer<PageController> CoreController::pageController() const
+{
+    return m_pageController;
+}

client/core/controllers/coreController.h

@@ -0,0 +1,136 @@
+#ifndef CORECONTROLLER_H
+#define CORECONTROLLER_H
+
+#include <QObject>
+#include <QQmlContext>
+#include <QThread>
+
+#include "ui/controllers/api/apiConfigsController.h"
+#include "ui/controllers/api/apiSettingsController.h"
+#include "ui/controllers/appSplitTunnelingController.h"
+#include "ui/controllers/connectionController.h"
+#include "ui/controllers/exportController.h"
+#include "ui/controllers/focusController.h"
+#include "ui/controllers/importController.h"
+#include "ui/controllers/installController.h"
+#include "ui/controllers/pageController.h"
+#include "ui/controllers/settingsController.h"
+#include "ui/controllers/sitesController.h"
+#include "ui/controllers/systemController.h"
+
+#include "ui/models/containers_model.h"
+#include "ui/models/languageModel.h"
+#include "ui/models/protocols/cloakConfigModel.h"
+#ifdef Q_OS_WINDOWS
+    #include "ui/models/protocols/ikev2ConfigModel.h"
+#endif
+#include "ui/models/api/apiAccountInfoModel.h"
+#include "ui/models/api/apiCountryModel.h"
+#include "ui/models/api/apiDevicesModel.h"
+#include "ui/models/api/apiServicesModel.h"
+#include "ui/models/appSplitTunnelingModel.h"
+#include "ui/models/clientManagementModel.h"
+#include "ui/models/protocols/awgConfigModel.h"
+#include "ui/models/protocols/openvpnConfigModel.h"
+#include "ui/models/protocols/shadowsocksConfigModel.h"
+#include "ui/models/protocols/wireguardConfigModel.h"
+#include "ui/models/protocols/xrayConfigModel.h"
+#include "ui/models/protocols_model.h"
+#include "ui/models/servers_model.h"
+#include "ui/models/services/sftpConfigModel.h"
+#include "ui/models/services/socks5ProxyConfigModel.h"
+#include "ui/models/sites_model.h"
+
+#ifndef Q_OS_ANDROID
+    #include "ui/notificationhandler.h"
+#endif
+
+class CoreController : public QObject
+{
+    Q_OBJECT
+
+public:
+    explicit CoreController(const QSharedPointer<VpnConnection> &vpnConnection, const std::shared_ptr<Settings> &settings,
+                            QQmlApplicationEngine *engine, QObject *parent = nullptr);
+
+    QSharedPointer<PageController> pageController() const;
+    void setQmlRoot();
+
+signals:
+    void translationsUpdated();
+
+private:
+    void initModels();
+    void initControllers();
+    void initAndroidController();
+    void initAppleController();
+    void initSignalHandlers();
+
+    void initNotificationHandler();
+
+    void updateTranslator(const QLocale &locale);
+
+    void initErrorMessagesHandler();
+
+    void initApiCountryModelUpdateHandler();
+    void initContainerModelUpdateHandler();
+    void initAdminConfigRevokedHandler();
+    void initPassphraseRequestHandler();
+    void initTranslationsUpdatedHandler();
+    void initAutoConnectHandler();
+    void initAmneziaDnsToggledHandler();
+    void initPrepareConfigHandler();
+
+    QQmlApplicationEngine *m_engine {}; // TODO use parent child system here?
+    std::shared_ptr<Settings> m_settings;
+    QSharedPointer<VpnConnection> m_vpnConnection;
+    QSharedPointer<QTranslator> m_translator;
+
+#ifndef Q_OS_ANDROID
+    QScopedPointer<NotificationHandler> m_notificationHandler;
+#endif
+
+    QMetaObject::Connection m_reloadConfigErrorOccurredConnection;
+
+    QScopedPointer<ConnectionController> m_connectionController;
+    QScopedPointer<FocusController> m_focusController;
+    QSharedPointer<PageController> m_pageController; // TODO
+    QScopedPointer<InstallController> m_installController;
+    QScopedPointer<ImportController> m_importController;
+    QScopedPointer<ExportController> m_exportController;
+    QScopedPointer<SettingsController> m_settingsController;
+    QScopedPointer<SitesController> m_sitesController;
+    QScopedPointer<SystemController> m_systemController;
+    QScopedPointer<AppSplitTunnelingController> m_appSplitTunnelingController;
+
+    QScopedPointer<ApiSettingsController> m_apiSettingsController;
+    QScopedPointer<ApiConfigsController> m_apiConfigsController;
+
+    QSharedPointer<ContainersModel> m_containersModel;
+    QSharedPointer<ContainersModel> m_defaultServerContainersModel;
+    QSharedPointer<ServersModel> m_serversModel;
+    QSharedPointer<LanguageModel> m_languageModel;
+    QSharedPointer<ProtocolsModel> m_protocolsModel;
+    QSharedPointer<SitesModel> m_sitesModel;
+    QSharedPointer<AppSplitTunnelingModel> m_appSplitTunnelingModel;
+    QSharedPointer<ClientManagementModel> m_clientManagementModel;
+
+    QSharedPointer<ApiServicesModel> m_apiServicesModel;
+    QSharedPointer<ApiCountryModel> m_apiCountryModel;
+    QSharedPointer<ApiAccountInfoModel> m_apiAccountInfoModel;
+    QSharedPointer<ApiDevicesModel> m_apiDevicesModel;
+
+    QScopedPointer<OpenVpnConfigModel> m_openVpnConfigModel;
+    QScopedPointer<ShadowSocksConfigModel> m_shadowSocksConfigModel;
+    QScopedPointer<CloakConfigModel> m_cloakConfigModel;
+    QScopedPointer<XrayConfigModel> m_xrayConfigModel;
+    QScopedPointer<WireGuardConfigModel> m_wireGuardConfigModel;
+    QScopedPointer<AwgConfigModel> m_awgConfigModel;
+#ifdef Q_OS_WINDOWS
+    QScopedPointer<Ikev2ConfigModel> m_ikev2ConfigModel;
+#endif
+    QScopedPointer<SftpConfigModel> m_sftpConfigModel;
+    QScopedPointer<Socks5ProxyConfigModel> m_socks5ConfigModel;
+};
+
+#endif // CORECONTROLLER_H

client/core/controllers/gatewayController.cpp

@@ -0,0 +1,316 @@
+#include "gatewayController.h"
+
+#include <algorithm>
+#include <random>
+
+#include <QJsonArray>
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QNetworkReply>
+
+#include "QBlockCipher.h"
+#include "QRsa.h"
+
+#include "amnezia_application.h"
+#include "core/api/apiUtils.h"
+#include "utilities.h"
+
+namespace
+{
+    namespace configKey
+    {
+        constexpr char aesKey[] = "aes_key";
+        constexpr char aesIv[] = "aes_iv";
+        constexpr char aesSalt[] = "aes_salt";
+
+        constexpr char apiPayload[] = "api_payload";
+        constexpr char keyPayload[] = "key_payload";
+    }
+
+    constexpr QLatin1String errorResponsePattern1("No active configuration found for");
+    constexpr QLatin1String errorResponsePattern2("No non-revoked public key found for");
+    constexpr QLatin1String errorResponsePattern3("Account not found.");
+}
+
+GatewayController::GatewayController(const QString &gatewayEndpoint, bool isDevEnvironment, int requestTimeoutMsecs, QObject *parent)
+    : QObject(parent), m_gatewayEndpoint(gatewayEndpoint), m_isDevEnvironment(isDevEnvironment), m_requestTimeoutMsecs(requestTimeoutMsecs)
+{
+}
+
+ErrorCode GatewayController::get(const QString &endpoint, QByteArray &responseBody)
+{
+#ifdef Q_OS_IOS
+    IosController::Instance()->requestInetAccess();
+    QThread::msleep(10);
+#endif
+
+    QNetworkRequest request;
+    request.setTransferTimeout(m_requestTimeoutMsecs);
+    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
+
+    request.setUrl(QString(endpoint).arg(m_gatewayEndpoint));
+
+    QNetworkReply *reply;
+    reply = amnApp->networkManager()->get(request);
+
+    QEventLoop wait;
+    QObject::connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
+
+    QList<QSslError> sslErrors;
+    connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
+    wait.exec();
+
+    responseBody = reply->readAll();
+
+    if (sslErrors.isEmpty() && shouldBypassProxy(reply, responseBody, false)) {
+        auto requestFunction = [&request, &responseBody](const QString &url) {
+            request.setUrl(url);
+            return amnApp->networkManager()->get(request);
+        };
+
+        auto replyProcessingFunction = [&responseBody, &reply, &sslErrors, this](QNetworkReply *nestedReply,
+                                                                                 const QList<QSslError> &nestedSslErrors) {
+            responseBody = nestedReply->readAll();
+            if (!sslErrors.isEmpty() || !shouldBypassProxy(nestedReply, responseBody, false)) {
+                sslErrors = nestedSslErrors;
+                reply = nestedReply;
+                return true;
+            }
+            return false;
+        };
+
+        bypassProxy(endpoint, reply, requestFunction, replyProcessingFunction);
+    }
+
+    auto errorCode = apiUtils::checkNetworkReplyErrors(sslErrors, reply);
+    reply->deleteLater();
+
+    return errorCode;
+}
+
+ErrorCode GatewayController::post(const QString &endpoint, const QJsonObject apiPayload, QByteArray &responseBody)
+{
+#ifdef Q_OS_IOS
+    IosController::Instance()->requestInetAccess();
+    QThread::msleep(10);
+#endif
+
+    QNetworkRequest request;
+    request.setTransferTimeout(m_requestTimeoutMsecs);
+    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
+
+    request.setUrl(endpoint.arg(m_gatewayEndpoint));
+
+    QSimpleCrypto::QBlockCipher blockCipher;
+    QByteArray key = blockCipher.generatePrivateSalt(32);
+    QByteArray iv = blockCipher.generatePrivateSalt(32);
+    QByteArray salt = blockCipher.generatePrivateSalt(8);
+
+    QJsonObject keyPayload;
+    keyPayload[configKey::aesKey] = QString(key.toBase64());
+    keyPayload[configKey::aesIv] = QString(iv.toBase64());
+    keyPayload[configKey::aesSalt] = QString(salt.toBase64());
+
+    QByteArray encryptedKeyPayload;
+    QByteArray encryptedApiPayload;
+    try {
+        QSimpleCrypto::QRsa rsa;
+
+        EVP_PKEY *publicKey = nullptr;
+        try {
+            QByteArray rsaKey = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
+            QSimpleCrypto::QRsa rsa;
+            publicKey = rsa.getPublicKeyFromByteArray(rsaKey);
+        } catch (...) {
+            Utils::logException();
+            qCritical() << "error loading public key from environment variables";
+            return ErrorCode::ApiMissingAgwPublicKey;
+        }
+
+        encryptedKeyPayload = rsa.encrypt(QJsonDocument(keyPayload).toJson(), publicKey, RSA_PKCS1_PADDING);
+        EVP_PKEY_free(publicKey);
+
+        encryptedApiPayload = blockCipher.encryptAesBlockCipher(QJsonDocument(apiPayload).toJson(), key, iv, "", salt);
+    } catch (...) { // todo change error handling in QSimpleCrypto?
+        Utils::logException();
+        qCritical() << "error when encrypting the request body";
+        return ErrorCode::ApiConfigDecryptionError;
+    }
+
+    QJsonObject requestBody;
+    requestBody[configKey::keyPayload] = QString(encryptedKeyPayload.toBase64());
+    requestBody[configKey::apiPayload] = QString(encryptedApiPayload.toBase64());
+
+    QNetworkReply *reply = amnApp->networkManager()->post(request, QJsonDocument(requestBody).toJson());
+
+    QEventLoop wait;
+    connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
+
+    QList<QSslError> sslErrors;
+    connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
+    wait.exec();
+
+    QByteArray encryptedResponseBody = reply->readAll();
+
+    if (sslErrors.isEmpty() && shouldBypassProxy(reply, encryptedResponseBody, true, key, iv, salt)) {
+        auto requestFunction = [&request, &encryptedResponseBody, &requestBody](const QString &url) {
+            request.setUrl(url);
+            return amnApp->networkManager()->post(request, QJsonDocument(requestBody).toJson());
+        };
+
+        auto replyProcessingFunction = [&encryptedResponseBody, &reply, &sslErrors, &key, &iv, &salt,
+                                        this](QNetworkReply *nestedReply, const QList<QSslError> &nestedSslErrors) {
+            encryptedResponseBody = nestedReply->readAll();
+            reply = nestedReply;
+            if (!sslErrors.isEmpty() || shouldBypassProxy(nestedReply, encryptedResponseBody, true, key, iv, salt)) {
+                sslErrors = nestedSslErrors;
+                return false;
+            }
+            return true;
+        };
+
+        bypassProxy(endpoint, reply, requestFunction, replyProcessingFunction);
+    }
+
+    auto errorCode = apiUtils::checkNetworkReplyErrors(sslErrors, reply);
+    reply->deleteLater();
+    if (errorCode) {
+        return errorCode;
+    }
+
+    try {
+        responseBody = blockCipher.decryptAesBlockCipher(encryptedResponseBody, key, iv, "", salt);
+        return ErrorCode::NoError;
+    } catch (...) { // todo change error handling in QSimpleCrypto?
+        Utils::logException();
+        qCritical() << "error when decrypting the request body";
+        return ErrorCode::ApiConfigDecryptionError;
+    }
+}
+
+QStringList GatewayController::getProxyUrls()
+{
+    QNetworkRequest request;
+    request.setTransferTimeout(m_requestTimeoutMsecs);
+    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
+
+    QEventLoop wait;
+    QList<QSslError> sslErrors;
+    QNetworkReply *reply;
+
+    QStringList proxyStorageUrls;
+    if (m_isDevEnvironment) {
+        proxyStorageUrls = QString(DEV_S3_ENDPOINT).split(", ");
+    } else {
+        proxyStorageUrls = QString(PROD_S3_ENDPOINT).split(", ");
+    }
+
+    QByteArray key = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
+
+    for (const auto &proxyStorageUrl : proxyStorageUrls) {
+        request.setUrl(proxyStorageUrl);
+        reply = amnApp->networkManager()->get(request);
+
+        connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
+        connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
+        wait.exec();
+
+        if (reply->error() == QNetworkReply::NetworkError::NoError) {
+            auto encryptedResponseBody = reply->readAll();
+            reply->deleteLater();
+
+            EVP_PKEY *privateKey = nullptr;
+            QByteArray responseBody;
+            try {
+                if (!m_isDevEnvironment) {
+                    QCryptographicHash hash(QCryptographicHash::Sha512);
+                    hash.addData(key);
+                    QByteArray hashResult = hash.result().toHex();
+
+                    QByteArray key = QByteArray::fromHex(hashResult.left(64));
+                    QByteArray iv = QByteArray::fromHex(hashResult.mid(64, 32));
+
+                    QByteArray ba = QByteArray::fromBase64(encryptedResponseBody);
+
+                    QSimpleCrypto::QBlockCipher blockCipher;
+                    responseBody = blockCipher.decryptAesBlockCipher(ba, key, iv);
+                } else {
+                    responseBody = encryptedResponseBody;
+                }
+            } catch (...) {
+                Utils::logException();
+                qCritical() << "error loading private key from environment variables or decrypting payload" << encryptedResponseBody;
+                continue;
+            }
+
+            auto endpointsArray = QJsonDocument::fromJson(responseBody).array();
+
+            QStringList endpoints;
+            for (const auto &endpoint : endpointsArray) {
+                endpoints.push_back(endpoint.toString());
+            }
+            return endpoints;
+        } else {
+            reply->deleteLater();
+        }
+    }
+    return {};
+}
+
+bool GatewayController::shouldBypassProxy(QNetworkReply *reply, const QByteArray &responseBody, bool checkEncryption, const QByteArray &key,
+                                          const QByteArray &iv, const QByteArray &salt)
+{
+    if (reply->error() == QNetworkReply::NetworkError::OperationCanceledError || reply->error() == QNetworkReply::NetworkError::TimeoutError) {
+        qDebug() << "Timeout occurred";
+        return true;
+    } else if (responseBody.contains("html")) {
+        qDebug() << "The response contains an html tag";
+        return true;
+    } else if (reply->error() == QNetworkReply::NetworkError::ContentNotFoundError) {
+        if (responseBody.contains(errorResponsePattern1) || responseBody.contains(errorResponsePattern2)
+            || responseBody.contains(errorResponsePattern3)) {
+            return false;
+        } else {
+            return true;
+        }
+    } else if (reply->error() != QNetworkReply::NetworkError::NoError) {
+        return true;
+    } else if (checkEncryption) {
+        try {
+            QSimpleCrypto::QBlockCipher blockCipher;
+            static_cast<void>(blockCipher.decryptAesBlockCipher(responseBody, key, iv, "", salt));
+        } catch (...) {
+            qDebug() << "Failed to decrypt the data";
+            return true;
+        }
+    }
+    return false;
+}
+
+void GatewayController::bypassProxy(const QString &endpoint, QNetworkReply *reply,
+                                    std::function<QNetworkReply *(const QString &url)> requestFunction,
+                                    std::function<bool(QNetworkReply *reply, const QList<QSslError> &sslErrors)> replyProcessingFunction)
+{
+    QStringList proxyUrls = getProxyUrls();
+    std::random_device randomDevice;
+    std::mt19937 generator(randomDevice());
+    std::shuffle(proxyUrls.begin(), proxyUrls.end(), generator);
+
+    QEventLoop wait;
+    QList<QSslError> sslErrors;
+    QByteArray responseBody;
+
+    for (const QString &proxyUrl : proxyUrls) {
+        qDebug() << "Go to the next endpoint";
+        reply->deleteLater(); // delete the previous reply
+        reply = requestFunction(endpoint.arg(proxyUrl));
+
+        QObject::connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
+        connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
+        wait.exec();
+
+        if (replyProcessingFunction(reply, sslErrors)) {
+            break;
+        }
+    }
+}

client/core/controllers/gatewayController.h

@@ -0,0 +1,35 @@
+#ifndef GATEWAYCONTROLLER_H
+#define GATEWAYCONTROLLER_H
+
+#include <QNetworkReply>
+#include <QObject>
+
+#include "core/defs.h"
+
+#ifdef Q_OS_IOS
+    #include "platforms/ios/ios_controller.h"
+#endif
+
+class GatewayController : public QObject
+{
+    Q_OBJECT
+
+public:
+    explicit GatewayController(const QString &gatewayEndpoint, bool isDevEnvironment, int requestTimeoutMsecs, QObject *parent = nullptr);
+
+    amnezia::ErrorCode get(const QString &endpoint, QByteArray &responseBody);
+    amnezia::ErrorCode post(const QString &endpoint, const QJsonObject apiPayload, QByteArray &responseBody);
+
+private:
+    QStringList getProxyUrls();
+    bool shouldBypassProxy(QNetworkReply *reply, const QByteArray &responseBody, bool checkEncryption, const QByteArray &key = "",
+                           const QByteArray &iv = "", const QByteArray &salt = "");
+    void bypassProxy(const QString &endpoint, QNetworkReply *reply, std::function<QNetworkReply *(const QString &url)> requestFunction,
+                     std::function<bool(QNetworkReply *reply, const QList<QSslError> &sslErrors)> replyProcessingFunction);
+
+    int m_requestTimeoutMsecs;
+    QString m_gatewayEndpoint;
+    bool m_isDevEnvironment = false;
+};
+
+#endif // GATEWAYCONTROLLER_H

client/core/controllers/serverController.cpp

@@ -346,7 +346,9 @@ bool ServerController::isReinstallContainerRequired(DockerContainer container, c
     }
 
     if (container == DockerContainer::Awg) {
-        if ((oldProtoConfig.value(config_key::port).toString(protocols::awg::defaultPort)
+        if ((oldProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress)
+             != newProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress))
+            || (oldProtoConfig.value(config_key::port).toString(protocols::awg::defaultPort)
              != newProtoConfig.value(config_key::port).toString(protocols::awg::defaultPort))
             || (oldProtoConfig.value(config_key::junkPacketCount).toString(protocols::awg::defaultJunkPacketCount)
                 != newProtoConfig.value(config_key::junkPacketCount).toString(protocols::awg::defaultJunkPacketCount))
@@ -370,8 +372,10 @@ bool ServerController::isReinstallContainerRequired(DockerContainer container, c
     }
 
     if (container == DockerContainer::WireGuard) {
-        if (oldProtoConfig.value(config_key::port).toString(protocols::wireguard::defaultPort)
-            != newProtoConfig.value(config_key::port).toString(protocols::wireguard::defaultPort))
+        if ((oldProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress)
+             != newProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress))
+            || (oldProtoConfig.value(config_key::port).toString(protocols::wireguard::defaultPort)
+            != newProtoConfig.value(config_key::port).toString(protocols::wireguard::defaultPort)))
             return true;
     }
 
@@ -607,6 +611,8 @@ ServerController::Vars ServerController::genVarsForScript(const ServerCredential
     vars.append({ { "$SFTP_PASSWORD", sftpConfig.value(config_key::password).toString() } });
 
     // Amnezia wireguard vars
+    vars.append({ { "$AWG_SUBNET_IP",
+                    amneziaWireguarConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress) } });
     vars.append({ { "$AWG_SERVER_PORT", amneziaWireguarConfig.value(config_key::port).toString(protocols::awg::defaultPort) } });
 
     vars.append({ { "$JUNK_PACKET_COUNT", amneziaWireguarConfig.value(config_key::junkPacketCount).toString() } });
@@ -751,10 +757,6 @@ ErrorCode ServerController::isServerPortBusy(const ServerCredentials &credential
 
 ErrorCode ServerController::isUserInSudo(const ServerCredentials &credentials, DockerContainer container)
 {
-    if (credentials.userName == "root") {
-        return ErrorCode::NoError;
-    }
-
     QString stdOut;
     auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
         stdOut += data + "\n";
@@ -768,8 +770,16 @@ ErrorCode ServerController::isUserInSudo(const ServerCredentials &credentials, D
     const QString scriptData = amnezia::scriptData(SharedScriptType::check_user_in_sudo);
     ErrorCode error = runScript(credentials, replaceVars(scriptData, genVarsForScript(credentials)), cbReadStdOut, cbReadStdErr);
 
-    if (!stdOut.contains("sudo"))
+    if (credentials.userName != "root" && stdOut.contains("sudo:") && !stdOut.contains("uname:") && stdOut.contains("not found"))
+        return ErrorCode::ServerSudoPackageIsNotPreinstalled;
+    if (credentials.userName != "root" && !stdOut.contains("sudo") && !stdOut.contains("wheel"))
         return ErrorCode::ServerUserNotInSudo;
+    if (stdOut.contains("can't cd to") || stdOut.contains("Permission denied") || stdOut.contains("No such file or directory"))
+        return ErrorCode::ServerUserDirectoryNotAccessible;
+    if (stdOut.contains("sudoers") || stdOut.contains("is not allowed to run sudo on"))
+        return ErrorCode::ServerUserNotAllowedInSudoers;
+    if (stdOut.contains("password is required"))
+        return ErrorCode::ServerUserPasswordRequired;
 
     return error;
 }

client/core/controllers/vpnConfigurationController.cpp

@@ -77,8 +77,7 @@ ErrorCode VpnConfigurationsController::createProtocolConfigString(const bool isA
 }
 
 QJsonObject VpnConfigurationsController::createVpnConfiguration(const QPair<QString, QString> &dns, const QJsonObject &serverConfig,
-                                                                const QJsonObject &containerConfig, const DockerContainer container,
-                                                                ErrorCode &errorCode)
+                                                                const QJsonObject &containerConfig, const DockerContainer container)
 {
     QJsonObject vpnConfiguration {};
 
@@ -103,7 +102,8 @@ QJsonObject VpnConfigurationsController::createVpnConfiguration(const QPair<QStr
         if (container == DockerContainer::Awg || container == DockerContainer::WireGuard) {
             // add mtu for old configs
             if (vpnConfigData[config_key::mtu].toString().isEmpty()) {
-                vpnConfigData[config_key::mtu] = container == DockerContainer::Awg ? protocols::awg::defaultMtu : protocols::wireguard::defaultMtu;
+                vpnConfigData[config_key::mtu] =
+                        container == DockerContainer::Awg ? protocols::awg::defaultMtu : protocols::wireguard::defaultMtu;
             }
         }
 

client/core/controllers/vpnConfigurationController.h

@@ -12,7 +12,8 @@ class VpnConfigurationsController : public QObject
 {
     Q_OBJECT
 public:
-    explicit VpnConfigurationsController(const std::shared_ptr<Settings> &settings, QSharedPointer<ServerController> serverController, QObject *parent = nullptr);
+    explicit VpnConfigurationsController(const std::shared_ptr<Settings> &settings, QSharedPointer<ServerController> serverController,
+                                         QObject *parent = nullptr);
 
 public slots:
     ErrorCode createProtocolConfigForContainer(const ServerCredentials &credentials, const DockerContainer container,
@@ -21,7 +22,7 @@ public slots:
                                          const DockerContainer container, const QJsonObject &containerConfig, const Proto protocol,
                                          QString &protocolConfigString);
     QJsonObject createVpnConfiguration(const QPair<QString, QString> &dns, const QJsonObject &serverConfig,
-                                       const QJsonObject &containerConfig, const DockerContainer container, ErrorCode &errorCode);
+                                       const QJsonObject &containerConfig, const DockerContainer container);
 
     static void updateContainerConfigAfterInstallation(const DockerContainer container, QJsonObject &containerConfig, const QString &stdOut);
 signals:

client/core/defs.h

@@ -6,9 +6,6 @@
 
 namespace amnezia
 {
-
-    constexpr const qint16 qrMagicCode = 1984;
-
     struct ServerCredentials
     {
         QString hostName;
@@ -47,6 +44,7 @@ namespace amnezia
         InternalError = 101,
         NotImplementedError = 102,
         AmneziaServiceNotRunning = 103,
+        NotSupportedOnThisPlatform = 104,
 
         // Server errors
         ServerCheckFailed = 200,
@@ -56,6 +54,10 @@ namespace amnezia
         ServerCancelInstallation = 204,
         ServerUserNotInSudo = 205,
         ServerPacketManagerError = 206,
+        ServerSudoPackageIsNotPreinstalled = 207,
+        ServerUserDirectoryNotAccessible = 208,
+        ServerUserNotAllowedInSudoers = 209,
+        ServerUserPasswordRequired = 210,
 
         // Ssh connection errors
         SshRequestDeniedError = 300,
@@ -96,6 +98,8 @@ namespace amnezia
 
         // import and install errors
         ImportInvalidConfigError = 900,
+        ImportOpenConfigError = 901,
+        NoInstalledContainersError = 902,
 
         // Android errors
         AndroidError = 1000,
@@ -107,6 +111,10 @@ namespace amnezia
         ApiConfigTimeoutError = 1103,
         ApiConfigSslError = 1104,
         ApiMissingAgwPublicKey = 1105,
+        ApiConfigDecryptionError = 1106,
+        ApiServicesMissingError = 1107,
+        ApiConfigLimitError = 1108,
+        ApiNotFoundError = 1109,
 
         // QFile errors
         OpenError = 1200,

client/core/enums/apiEnums.h

@@ -1,9 +0,0 @@
-#ifndef APIENUMS_H
-#define APIENUMS_H
-
-enum ApiConfigSources {
-    Telegram = 1,
-    AmneziaGateway
-};
-
-#endif // APIENUMS_H

client/core/errorstrings.cpp

@@ -12,6 +12,7 @@ QString errorString(ErrorCode code) {
     case(ErrorCode::UnknownError): errorMessage = QObject::tr("Unknown error"); break;
     case(ErrorCode::NotImplementedError): errorMessage = QObject::tr("Function not implemented"); break;
     case(ErrorCode::AmneziaServiceNotRunning): errorMessage = QObject::tr("Background service is not running"); break;
+    case(ErrorCode::NotSupportedOnThisPlatform): errorMessage = QObject::tr("The selected protocol is not supported on the current platform"); break;
 
     // Server errors
     case(ErrorCode::ServerCheckFailed): errorMessage = QObject::tr("Server check failed"); break;
@@ -19,8 +20,12 @@ QString errorString(ErrorCode code) {
     case(ErrorCode::ServerContainerMissingError): errorMessage = QObject::tr("Server error: Docker container missing"); break;
     case(ErrorCode::ServerDockerFailedError): errorMessage = QObject::tr("Server error: Docker failed"); break;
     case(ErrorCode::ServerCancelInstallation): errorMessage = QObject::tr("Installation canceled by user"); break;
-    case(ErrorCode::ServerUserNotInSudo): errorMessage = QObject::tr("The user does not have permission to use sudo"); break;
-    case(ErrorCode::ServerPacketManagerError): errorMessage = QObject::tr("Server error: Packet manager error"); break;
+    case(ErrorCode::ServerUserNotInSudo): errorMessage = QObject::tr("The user is not a member of the sudo group"); break;
+    case(ErrorCode::ServerPacketManagerError): errorMessage = QObject::tr("Server error: Package manager error"); break;
+    case(ErrorCode::ServerSudoPackageIsNotPreinstalled): errorMessage = QObject::tr("The sudo package is not pre-installed on the server"); break;
+    case(ErrorCode::ServerUserDirectoryNotAccessible): errorMessage = QObject::tr("The server user's home directory is not accessible"); break;
+    case(ErrorCode::ServerUserNotAllowedInSudoers): errorMessage = QObject::tr("Action not allowed in sudoers"); break;
+    case(ErrorCode::ServerUserPasswordRequired): errorMessage = QObject::tr("The user's password is required"); break;
 
     // Libssh errors
     case(ErrorCode::SshRequestDeniedError): errorMessage = QObject::tr("SSH request was denied"); break;
@@ -50,6 +55,8 @@ QString errorString(ErrorCode code) {
     case (ErrorCode::AddressPoolError): errorMessage = QObject::tr("VPN pool error: no available addresses"); break;
 
     case (ErrorCode::ImportInvalidConfigError): errorMessage = QObject::tr("The config does not contain any containers and credentials for connecting to the server"); break;
+    case (ErrorCode::ImportOpenConfigError): errorMessage = QObject::tr("Unable to open config file"); break;
+    case(ErrorCode::NoInstalledContainersError): errorMessage = QObject::tr("VPN Protocols is not installed.\n Please install VPN container at first"); break;
 
     // Android errors
     case (ErrorCode::AndroidError): errorMessage = QObject::tr("VPN connection error"); break;
@@ -61,7 +68,11 @@ QString errorString(ErrorCode code) {
     case (ErrorCode::ApiConfigSslError): errorMessage = QObject::tr("SSL error occurred"); break;
     case (ErrorCode::ApiConfigTimeoutError): errorMessage = QObject::tr("Server response timeout on api request"); break;
     case (ErrorCode::ApiMissingAgwPublicKey): errorMessage = QObject::tr("Missing AGW public key"); break;
-      
+    case (ErrorCode::ApiConfigDecryptionError): errorMessage = QObject::tr("Failed to decrypt response payload"); break;
+    case (ErrorCode::ApiServicesMissingError): errorMessage = QObject::tr("Missing list of available services"); break;
+    case (ErrorCode::ApiConfigLimitError): errorMessage = QObject::tr("The limit of allowed configurations per subscription has been exceeded"); break;
+    case (ErrorCode::ApiNotFoundError): errorMessage = QObject::tr("Error when retrieving configuration from API"); break;
+
     // QFile errors
     case(ErrorCode::OpenError): errorMessage = QObject::tr("QFile error: The file could not be opened"); break;
     case(ErrorCode::ReadError): errorMessage = QObject::tr("QFile error: An error occurred when reading from the file"); break;

client/core/ipcclient.cpp

@@ -5,12 +5,12 @@ IpcClient *IpcClient::m_instance = nullptr;
 
 IpcClient::IpcClient(QObject *parent) : QObject(parent)
 {
-
 }
 
 IpcClient::~IpcClient()
 {
-    if (m_localSocket) m_localSocket->close();
+    if (m_localSocket)
+        m_localSocket->close();
 }
 
 bool IpcClient::isSocketConnected() const
@@ -25,13 +25,15 @@ IpcClient *IpcClient::Instance()
 
 QSharedPointer<IpcInterfaceReplica> IpcClient::Interface()
 {
-    if (!Instance()) return nullptr;
+    if (!Instance())
+        return nullptr;
     return Instance()->m_ipcClient;
 }
 
 QSharedPointer<IpcProcessTun2SocksReplica> IpcClient::InterfaceTun2Socks()
 {
-    if (!Instance()) return nullptr;
+    if (!Instance())
+        return nullptr;
     return Instance()->m_Tun2SocksClient;
 }
 
@@ -42,15 +44,28 @@ bool IpcClient::init(IpcClient *instance)
     Instance()->m_localSocket = new QLocalSocket(Instance());
     connect(Instance()->m_localSocket.data(), &QLocalSocket::connected, &Instance()->m_ClientNode, []() {
         Instance()->m_ClientNode.addClientSideConnection(Instance()->m_localSocket.data());
+        auto cliNode = Instance()->m_ClientNode.acquire<IpcInterfaceReplica>();
+        cliNode->waitForSource(5000);
+        Instance()->m_ipcClient.reset(cliNode);
+
+        if (!Instance()->m_ipcClient) {
+            qWarning() << "IpcClient is not ready!";
+        }
 
-        Instance()->m_ipcClient.reset(Instance()->m_ClientNode.acquire<IpcInterfaceReplica>());
         Instance()->m_ipcClient->waitForSource(1000);
 
         if (!Instance()->m_ipcClient->isReplicaValid()) {
             qWarning() << "IpcClient replica is not connected!";
         }
 
-        Instance()->m_Tun2SocksClient.reset(Instance()->m_ClientNode.acquire<IpcProcessTun2SocksReplica>());
+        auto t2sNode = Instance()->m_ClientNode.acquire<IpcProcessTun2SocksReplica>();
+        t2sNode->waitForSource(5000);
+        Instance()->m_Tun2SocksClient.reset(t2sNode);
+
+        if (!Instance()->m_Tun2SocksClient) {
+            qWarning() << "IpcClient::m_Tun2SocksClient is not ready!";
+        }
+
         Instance()->m_Tun2SocksClient->waitForSource(1000);
 
         if (!Instance()->m_Tun2SocksClient->isReplicaValid()) {
@@ -58,9 +73,8 @@ bool IpcClient::init(IpcClient *instance)
         }
     });
 
-    connect(Instance()->m_localSocket, &QLocalSocket::disconnected, [instance](){
-        instance->m_isSocketConnected = false;
-    });
+    connect(Instance()->m_localSocket, &QLocalSocket::disconnected,
+            [instance]() { instance->m_isSocketConnected = false; });
 
     Instance()->m_localSocket->connectToServer(amnezia::getIpcServiceUrl());
     Instance()->m_localSocket->waitForConnected();
@@ -77,7 +91,7 @@ bool IpcClient::init(IpcClient *instance)
 
 QSharedPointer<PrivilegedProcess> IpcClient::CreatePrivilegedProcess()
 {
-    if (! Instance()->m_ipcClient || ! Instance()->m_ipcClient->isReplicaValid()) {
+    if (!Instance()->m_ipcClient || !Instance()->m_ipcClient->isReplicaValid()) {
         qWarning() << "IpcClient::createPrivilegedProcess : IpcClient IpcClient replica is not valid";
         return nullptr;
     }
@@ -100,18 +114,15 @@ QSharedPointer<PrivilegedProcess> IpcClient::CreatePrivilegedProcess()
         pd->ipcProcess.reset(priv);
         if (!pd->ipcProcess) {
             qWarning() << "Acquire PrivilegedProcess failed";
-        }
-        else {
+        } else {
             pd->ipcProcess->waitForSource(1000);
             if (!pd->ipcProcess->isReplicaValid()) {
                 qWarning() << "PrivilegedProcess replica is not connected!";
             }
 
-            QObject::connect(pd->ipcProcess.data(), &PrivilegedProcess::destroyed, pd->ipcProcess.data(), [pd](){
-                pd->replicaNode->deleteLater();
-            });
+            QObject::connect(pd->ipcProcess.data(), &PrivilegedProcess::destroyed, pd->ipcProcess.data(),
+                             [pd]() { pd->replicaNode->deleteLater(); });
         }
-
     });
     pd->localSocket->connectToServer(amnezia::getIpcProcessUrl(pid));
     pd->localSocket->waitForConnected();
@@ -119,5 +130,3 @@ QSharedPointer<PrivilegedProcess> IpcClient::CreatePrivilegedProcess()
     auto processReplica = QSharedPointer<PrivilegedProcess>(pd->ipcProcess);
     return processReplica;
 }
-
-

client/core/networkUtilities.h

@@ -5,6 +5,7 @@
 #include <QRegExp>
 #include <QString>
 #include <QHostAddress>
+#include <QNetworkReply>
 
 
 class NetworkUtilities : public QObject
@@ -30,7 +31,6 @@ public:
     static QString ipAddressFromIpWithSubnet(const QString ip);
 
     static QStringList summarizeRoutes(const QStringList &ips, const QString cidr);
-
 };
 
 #endif // NETWORKUTILITIES_H

client/core/qrCodeUtils.cpp

@@ -0,0 +1,35 @@
+#include "qrCodeUtils.h"
+
+#include <QIODevice>
+#include <QList>
+
+QList<QString> qrCodeUtils::generateQrCodeImageSeries(const QByteArray &data)
+{
+    double k = 850;
+
+    quint8 chunksCount = std::ceil(data.size() / k);
+    QList<QString> chunks;
+    for (int i = 0; i < data.size(); i = i + k) {
+        QByteArray chunk;
+        QDataStream s(&chunk, QIODevice::WriteOnly);
+        s << qrCodeUtils::qrMagicCode << chunksCount << (quint8)std::round(i / k) << data.mid(i, k);
+
+        QByteArray ba = chunk.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
+
+        qrcodegen::QrCode qr = qrcodegen::QrCode::encodeText(ba, qrcodegen::QrCode::Ecc::LOW);
+        QString svg = QString::fromStdString(toSvgString(qr, 1));
+        chunks.append(svgToBase64(svg));
+    }
+
+    return chunks;
+}
+
+QString qrCodeUtils::svgToBase64(const QString &image)
+{
+    return "data:image/svg;base64," + QString::fromLatin1(image.toUtf8().toBase64().data());
+}
+
+qrcodegen::QrCode qrCodeUtils::generateQrCode(const QByteArray &data)
+{
+    return qrcodegen::QrCode::encodeText(data, qrcodegen::QrCode::Ecc::LOW);
+}

client/core/qrCodeUtils.h

@@ -0,0 +1,17 @@
+#ifndef QRCODEUTILS_H
+#define QRCODEUTILS_H
+
+#include <QString>
+
+#include "qrcodegen.hpp"
+
+namespace qrCodeUtils
+{
+    constexpr const qint16 qrMagicCode = 1984;
+
+    QList<QString> generateQrCodeImageSeries(const QByteArray &data);
+    qrcodegen::QrCode generateQrCode(const QByteArray &data);
+    QString svgToBase64(const QString &image);
+};
+
+#endif // QRCODEUTILS_H

client/core/serialization/vmess_new.cpp

@@ -104,7 +104,7 @@ QJsonObject Deserialize(const QString &vmessStr, QString *alias, QString *errMes
         server.users.first().security = "auto";
     }
 
-    const static auto getQueryValue = [&query](const QString &key, const QString &defaultValue) {
+    const auto getQueryValue = [&query](const QString &key, const QString &defaultValue) {
         if (query.hasQueryItem(key))
             return query.queryItemValue(key, QUrl::FullyDecoded);
         else

client/daemon/daemon.cpp

@@ -78,7 +78,7 @@ bool Daemon::activate(const InterfaceConfig& config) {
         return false;
       }
 
-      if (supportDnsUtils() && !dnsutils()->restoreResolvers()) {
+      if (!dnsutils()->restoreResolvers()) {
         return false;
       }
 
@@ -114,12 +114,23 @@ bool Daemon::activate(const InterfaceConfig& config) {
 
   // Bring up the wireguard interface if not already done.
   if (!wgutils()->interfaceExists()) {
+    // Create the interface.
     if (!wgutils()->addInterface(config)) {
       logger.error() << "Interface creation failed.";
       return false;
     }
   }
 
+  // Bring the interface up.
+  if (supportIPUtils()) {
+    if (!iputils()->addInterfaceIPs(config)) {
+      return false;
+    }
+    if (!iputils()->setMTUAndUp(config)) {
+      return false;
+    }
+  }
+
   // Configure routing for excluded addresses.
   for (const QString& i : config.m_excludedAddresses) {
     addExclusionRoute(IPAddress(i));
@@ -135,15 +146,6 @@ bool Daemon::activate(const InterfaceConfig& config) {
     return false;
   }
 
-  if (supportIPUtils()) {
-    if (!iputils()->addInterfaceIPs(config)) {
-      return false;
-    }
-    if (!iputils()->setMTUAndUp(config)) {
-      return false;
-    }
-  }
-
   // set routing
   for (const IPAddress& ip : config.m_allowedIPAddressRanges) {
     if (!wgutils()->updateRoutePrefix(ip)) {
@@ -165,10 +167,6 @@ bool Daemon::activate(const InterfaceConfig& config) {
 }
 
 bool Daemon::maybeUpdateResolvers(const InterfaceConfig& config) {
-  if (!supportDnsUtils()) {
-    return true;
-  }
-
   if ((config.m_hopType == InterfaceConfig::MultiHopExit) ||
       (config.m_hopType == InterfaceConfig::SingleHop)) {
     QList<QHostAddress> resolvers;
@@ -423,13 +421,8 @@ bool Daemon::deactivate(bool emitSignals) {
   }
 
   // Cleanup DNS
-  if (supportDnsUtils() && !dnsutils()->restoreResolvers()) {
-    return false;
-  }
-
-  if (!wgutils()->interfaceExists()) {
-    logger.warning() << "Wireguard interface does not exist.";
-    return false;
+  if (!dnsutils()->restoreResolvers()) {
+    logger.warning() << "Failed to restore DNS resolvers.";
   }
 
   // Cleanup peers and routing
@@ -449,13 +442,9 @@ bool Daemon::deactivate(bool emitSignals) {
   }
   m_excludedAddrSet.clear();
 
-  // Delete the interface
-  if (!wgutils()->deleteInterface()) {
-    return false;
-  }
-
   m_connections.clear();
-  return true;
+  // Delete the interface
+  return wgutils()->deleteInterface();  
 }
 
 QString Daemon::logs() {

client/daemon/daemon.h

@@ -8,6 +8,8 @@
 #include <QDateTime>
 #include <QTimer>
 
+#include "daemon/daemonerrors.h"
+#include "daemonerrors.h"
 #include "dnsutils.h"
 #include "interfaceconfig.h"
 #include "iputils.h"
@@ -51,7 +53,7 @@ class Daemon : public QObject {
    */
   void activationFailure();
   void disconnected();
-  void backendFailure();
+  void backendFailure(DaemonError reason = DaemonError::ERROR_FATAL);
 
  private:
   bool maybeUpdateResolvers(const InterfaceConfig& config);
@@ -69,7 +71,6 @@ class Daemon : public QObject {
   virtual WireguardUtils* wgutils() const = 0;
   virtual bool supportIPUtils() const { return false; }
   virtual IPUtils* iputils() { return nullptr; }
-  virtual bool supportDnsUtils() const { return false; }
   virtual DnsUtils* dnsutils() { return nullptr; }
 
   static bool parseStringList(const QJsonObject& obj, const QString& name,

client/daemon/daemonerrors.h

@@ -0,0 +1,17 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#pragma once
+
+#include <cstdint>
+
+enum class DaemonError : uint8_t {
+  ERROR_NONE = 0u,
+  ERROR_FATAL = 1u,
+  ERROR_SPLIT_TUNNEL_INIT_FAILURE = 2u,
+  ERROR_SPLIT_TUNNEL_START_FAILURE = 3u,
+  ERROR_SPLIT_TUNNEL_EXCLUDE_FAILURE = 4u,
+
+  DAEMON_ERROR_MAX = 5u,
+};

client/daemon/daemonlocalserverconnection.cpp

@@ -92,6 +92,17 @@ void DaemonLocalServerConnection::parseCommand(const QByteArray& data) {
 
   logger.debug() << "Command received:" << type;
 
+  // It is expected that sometimes the client will request backend logs
+  // before the first authentication. In these cases we just return empty
+  // logs.
+  if (type == "logs") {
+    QJsonObject obj;
+    obj.insert("type", "logs");
+    obj.insert("logs", "");
+    write(obj);
+    return;
+  }
+
   if (type == "activate") {
     InterfaceConfig config;
     if (!Daemon::parseConfig(obj, config)) {
@@ -115,8 +126,7 @@ void DaemonLocalServerConnection::parseCommand(const QByteArray& data) {
   if (type == "status") {
     QJsonObject obj = Daemon::instance()->getStatus();
     obj.insert("type", "status");
-    m_socket->write(QJsonDocument(obj).toJson(QJsonDocument::Compact));
-    m_socket->write("\n");
+    write(obj);
     return;
   }
 
@@ -124,8 +134,7 @@ void DaemonLocalServerConnection::parseCommand(const QByteArray& data) {
     QJsonObject obj;
     obj.insert("type", "logs");
     obj.insert("logs", Daemon::instance()->logs().replace("\n", "|"));
-    m_socket->write(QJsonDocument(obj).toJson(QJsonDocument::Compact));
-    m_socket->write("\n");
+    write(obj);
     return;
   }
 
@@ -150,9 +159,10 @@ void DaemonLocalServerConnection::disconnected() {
   write(obj);
 }
 
-void DaemonLocalServerConnection::backendFailure() {
+void DaemonLocalServerConnection::backendFailure(DaemonError err) {
   QJsonObject obj;
   obj.insert("type", "backendFailure");
+  obj.insert("errorCode", static_cast<int>(err));
   write(obj);
 }
 

client/daemon/daemonlocalserverconnection.h

@@ -7,6 +7,8 @@
 
 #include <QObject>
 
+#include "daemonerrors.h"
+
 class QLocalSocket;
 
 class DaemonLocalServerConnection final : public QObject {
@@ -23,7 +25,7 @@ class DaemonLocalServerConnection final : public QObject {
 
   void connected(const QString& pubkey);
   void disconnected();
-  void backendFailure();
+  void backendFailure(DaemonError err);
 
   void write(const QJsonObject& obj);
 

client/daemon/wireguardutils.h

@@ -45,9 +45,11 @@ class WireguardUtils : public QObject {
 
   virtual bool updateRoutePrefix(const IPAddress& prefix) = 0;
   virtual bool deleteRoutePrefix(const IPAddress& prefix) = 0;
-
+  
   virtual bool addExclusionRoute(const IPAddress& prefix) = 0;
   virtual bool deleteExclusionRoute(const IPAddress& prefix) = 0;
+
+  virtual bool excludeLocalNetworks(const QList<IPAddress>& addresses) = 0;
 };
 
 #endif  // WIREGUARDUTILS_H

client/images/controls/external-link.svg

@@ -0,0 +1,5 @@
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M18 13V19C18 19.5304 17.7893 20.0391 17.4142 20.4142C17.0391 20.7893 16.5304 21 16 21H5C4.46957 21 3.96086 20.7893 3.58579 20.4142C3.21071 20.0391 3 19.5304 3 19V8C3 7.46957 3.21071 6.96086 3.58579 6.58579C3.96086 6.21071 4.46957 6 5 6H11" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M15 3H21V9" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M10 14L21 3" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

client/images/controls/monitor.svg

@@ -0,0 +1,5 @@
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M20 3H4C2.89543 3 2 3.89543 2 5V15C2 16.1046 2.89543 17 4 17H20C21.1046 17 22 16.1046 22 15V5C22 3.89543 21.1046 3 20 3Z" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M8 21H16" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M12 17V21" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

client/ios/networkextension/CMakeLists.txt

@@ -27,12 +27,7 @@ set_target_properties(networkextension PROPERTIES
 
     XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/../../Frameworks"
 
-    XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Distribution"
-    XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY[variant=Debug] "Apple Development"
-
-    XCODE_ATTRIBUTE_CODE_SIGN_STYLE Manual
-    XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER "match AppStore org.amnezia.AmneziaVPN.network-extension"
-    XCODE_ATTRIBUTE_PROVISIONING_PROFILE_SPECIFIER[variant=Debug] "match Development org.amnezia.AmneziaVPN.network-extension"
+    XCODE_ATTRIBUTE_CODE_SIGN_STYLE Automatic
 )
 
 set_target_properties(networkextension PROPERTIES

client/ios/scripts/openvpn.sh

@@ -1,19 +0,0 @@
-XCODEBUILD="/usr/bin/xcodebuild"
-WORKINGDIR=`pwd`
-PATCH="/usr/bin/patch"
-
-  cat $WORKINGDIR/3rd/OpenVPNAdapter/Configuration/Project.xcconfig > $WORKINGDIR/3rd/OpenVPNAdapter/Configuration/amnezia.xcconfig
-  cat << EOF >> $WORKINGDIR/3rd/OpenVPNAdapter/Configuration/amnezia.xcconfig
-  PROJECT_TEMP_DIR = $WORKINGDIR/3rd/OpenVPNAdapter/build/OpenVPNAdapter.build
-  CONFIGURATION_BUILD_DIR = $WORKINGDIR/3rd/OpenVPNAdapter/build/Release-iphoneos
-  BUILT_PRODUCTS_DIR = $WORKINGDIR/3rd/OpenVPNAdapter/build/Release-iphoneos
-EOF
-
-
-  cd 3rd/OpenVPNAdapter
-  if $XCODEBUILD -scheme OpenVPNAdapter -configuration Release -xcconfig Configuration/amnezia.xcconfig -sdk iphoneos -destination 'generic/platform=iOS' -project OpenVPNAdapter.xcodeproj ; then
-    echo "OpenVPNAdapter built successfully"
-  else
-    echo "OpenVPNAdapter build failed"
-  fi
-  cd ../../

client/main.cpp

@@ -15,13 +15,24 @@
     #include "platforms/ios/QtAppDelegate-C-Interface.h"
 #endif
 
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+bool isAnotherInstanceRunning()
+{
+    QLocalSocket socket;
+    socket.connectToServer("AmneziaVPNInstance");
+    if (socket.waitForConnected(500)) {
+        qWarning() << "AmneziaVPN is already running";
+        return true;
+    }
+    return false;
+}
+#endif
+
 int main(int argc, char *argv[])
 {
     Migrations migrationsManager;
     migrationsManager.doMigrations();
 
-    QGuiApplication::setAttribute(Qt::AA_EnableHighDpiScaling, true);
-
 #ifdef Q_OS_WIN
     AllowSetForegroundWindow(ASFW_ANY);
 #endif
@@ -32,16 +43,14 @@ int main(int argc, char *argv[])
     qputenv("ANDROID_OPENSSL_SUFFIX", "_3");
 #endif
 
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
     AmneziaApplication app(argc, argv);
-#else
-    AmneziaApplication app(argc, argv, true,
-                           SingleApplication::Mode::User | SingleApplication::Mode::SecondaryNotification);
 
-    if (!app.isPrimary()) {
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+    if (isAnotherInstanceRunning()) {
         QTimer::singleShot(1000, &app, [&]() { app.quit(); });
         return app.exec();
     }
+    app.startLocalServer();
 #endif
 
 // Allow to raise app window if secondary instance launched

client/mozilla/localsocketcontroller.cpp

@@ -1,9 +1,10 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "protocols/protocols_defs.h"
 #include "localsocketcontroller.h"
 
+#include <stdint.h>
+
 #include <QDir>
 #include <QFileInfo>
 #include <QHostAddress>
@@ -17,6 +18,9 @@
 #include "leakdetector.h"
 #include "logger.h"
 #include "models/server.h"
+#include "daemon/daemonerrors.h"
+
+#include "protocols/protocols_defs.h"
 
 // How many times do we try to reconnect.
 constexpr int MAX_CONNECTION_RETRY = 10;
@@ -34,8 +38,8 @@ LocalSocketController::LocalSocketController() {
   m_socket = new QLocalSocket(this);
   connect(m_socket, &QLocalSocket::connected, this,
           &LocalSocketController::daemonConnected);
-  connect(m_socket, &QLocalSocket::disconnected, this,
-          &LocalSocketController::disconnected);
+  connect(m_socket, &QLocalSocket::disconnected, this, 
+          [&] { errorOccurred(QLocalSocket::PeerClosedError); });
   connect(m_socket, &QLocalSocket::errorOccurred, this,
           &LocalSocketController::errorOccurred);
   connect(m_socket, &QLocalSocket::readyRead, this,
@@ -451,8 +455,39 @@ void LocalSocketController::parseCommand(const QByteArray& command) {
   }
 
   if (type == "backendFailure") {
-    qCritical() << "backendFailure";
-    return;
+    if (!obj.contains("errorCode")) {
+      // report a generic error if we dont know what it is.
+      logger.error() << "generic backend failure error";
+      // REPORTERROR(ErrorHandler::ControllerError, "controller");
+      return;
+    }
+    auto errorCode = static_cast<uint8_t>(obj["errorCode"].toInt());
+    if (errorCode >= (uint8_t)DaemonError::DAEMON_ERROR_MAX) {
+      // Also report a generic error if the code is invalid.
+      logger.error() << "invalid backend failure error code";
+      // REPORTERROR(ErrorHandler::ControllerError, "controller");
+      return;
+    }
+    switch (static_cast<DaemonError>(errorCode)) {
+      case DaemonError::ERROR_NONE:
+        [[fallthrough]];
+      case DaemonError::ERROR_FATAL:
+        logger.error() << "generic backend failure error (fatal or error none)";
+        // REPORTERROR(ErrorHandler::ControllerError, "controller");
+        break;
+      case DaemonError::ERROR_SPLIT_TUNNEL_INIT_FAILURE:
+        [[fallthrough]];
+      case DaemonError::ERROR_SPLIT_TUNNEL_START_FAILURE:
+        [[fallthrough]];
+      case DaemonError::ERROR_SPLIT_TUNNEL_EXCLUDE_FAILURE:
+        logger.error() << "split tunnel backend failure error";
+        //REPORTERROR(ErrorHandler::SplitTunnelError, "controller");
+        break;
+      case DaemonError::DAEMON_ERROR_MAX:
+        // We should not get here.
+        Q_ASSERT(false);
+        break;
+    }
   }
 
   if (type == "logs") {

client/platforms/android/android_controller.cpp

@@ -163,9 +163,7 @@ QString AndroidController::openFile(const QString &filter)
     QString fileName;
     connect(this, &AndroidController::fileOpened, this,
             [&fileName, &wait](const QString &uri) {
-                qDebug() << "Android event: file opened; uri:" << uri;
-                fileName = QQmlFile::urlToLocalFileOrQrc(uri);
-                qDebug() << "Android opened filename:" << fileName;
+                fileName = uri;
                 wait.quit();
             },
             static_cast<Qt::ConnectionType>(Qt::QueuedConnection | Qt::SingleShotConnection));
@@ -175,6 +173,25 @@ QString AndroidController::openFile(const QString &filter)
     return fileName;
 }
 
+int AndroidController::getFd(const QString &fileName)
+{
+    return callActivityMethod<jint>("getFd", "(Ljava/lang/String;)I",
+                                    QJniObject::fromString(fileName).object<jstring>());
+}
+
+void AndroidController::closeFd()
+{
+    callActivityMethod("closeFd", "()V");
+}
+
+QString AndroidController::getFileName(const QString &uri)
+{
+    auto fileName = callActivityMethod<jstring, jstring>("getFileName", "(Ljava/lang/String;)Ljava/lang/String;",
+                                                         QJniObject::fromString(uri).object<jstring>());
+    QJniEnvironment env;
+    return AndroidUtils::convertJString(env.jniEnv(), fileName.object<jstring>());
+}
+
 bool AndroidController::isCameraPresent()
 {
     return callActivityMethod<jboolean>("isCameraPresent", "()Z");
@@ -287,6 +304,11 @@ bool AndroidController::requestAuthentication()
     return result;
 }
 
+void AndroidController::sendTouch(float x, float y)
+{
+    callActivityMethod("sendTouch", "(FF)V", x, y);
+}
+
 // Moving log processing to the Android side
 jclass AndroidController::log;
 jmethodID AndroidController::logDebug;

client/platforms/android/android_controller.h

@@ -34,6 +34,9 @@ public:
     void resetLastServer(int serverIndex);
     void saveFile(const QString &fileName, const QString &data);
     QString openFile(const QString &filter);
+    int getFd(const QString &fileName);
+    void closeFd();
+    QString getFileName(const QString &uri);
     bool isCameraPresent();
     bool isOnTv();
     void startQrReaderActivity();
@@ -48,6 +51,7 @@ public:
     bool isNotificationPermissionGranted();
     void requestNotificationPermission();
     bool requestAuthentication();
+    void sendTouch(float x, float y);
 
     static bool initLogging();
     static void messageHandler(QtMsgType type, const QMessageLogContext &context, const QString &message);

client/platforms/ios/HevSocksTunnel.swift

@@ -1,4 +1,5 @@
 import HevSocks5Tunnel
+import NetworkExtension
 
 public enum Socks5Tunnel {
 

client/platforms/ios/ScreenProtection.swift

@@ -14,10 +14,15 @@ extension UIApplication {
   var keyWindows: [UIWindow] {
     connectedScenes
       .compactMap {
+        guard let windowScene = $0 as? UIWindowScene else { return nil }
         if #available(iOS 15.0, *) {
-          ($0 as? UIWindowScene)?.keyWindow
+          guard let keywindow = windowScene.keyWindow else {
+            windowScene.windows.first?.makeKey()
+            return windowScene.windows.first
+          }
+          return keywindow
         } else {
-          ($0 as? UIWindowScene)?.windows.first { $0.isKeyWindow }
+          return windowScene.windows.first { $0.isKeyWindow }
         }
       }
   }

client/platforms/linux/daemon/linuxdaemon.h

@@ -22,7 +22,6 @@ class LinuxDaemon final : public Daemon {
 
  protected:
   WireguardUtils* wgutils() const override { return m_wgutils; }
-  bool supportDnsUtils() const override { return true; }
   DnsUtils* dnsutils() override { return m_dnsutils; }
   bool supportIPUtils() const override { return true; }
   IPUtils* iputils() override { return m_iputils; }

client/platforms/linux/daemon/linuxfirewall.cpp

@@ -196,6 +196,8 @@ QStringList LinuxFirewall::getDNSRules(const QStringList& servers)
         result << QStringLiteral("-o amn0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
         result << QStringLiteral("-o tun0+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
         result << QStringLiteral("-o tun0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-o tun2+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-o tun2+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
     }
     return result;
 }
@@ -277,6 +279,7 @@ void LinuxFirewall::install()
     installAnchor(Both, QStringLiteral("200.allowVPN"), {
                                                             QStringLiteral("-o amn0+ -j ACCEPT"),
                                                             QStringLiteral("-o tun0+ -j ACCEPT"),
+                                                            QStringLiteral("-o tun2+ -j ACCEPT"),
                                                         });
 
     installAnchor(IPv4, QStringLiteral("120.blockNets"), {});

client/platforms/linux/daemon/wireguardutilslinux.cpp

@@ -297,31 +297,6 @@ QList<WireguardUtils::PeerStatus> WireguardUtilsLinux::getPeerStatus() {
     return peerList;
 }
 
-
-void WireguardUtilsLinux::applyFirewallRules(FirewallParams& params)
-{
-    // double-check + ensure our firewall is installed and enabled
-    if (!LinuxFirewall::isInstalled()) LinuxFirewall::install();
-
-    // Note: rule precedence is handled inside IpTablesFirewall
-    LinuxFirewall::ensureRootAnchorPriority();
-
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("000.allowLoopback"), true);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("100.blockAll"), params.blockAll);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), params.allowNets);
-    LinuxFirewall::updateAllowNets(params.allowAddrs);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("120.blockNets"), params.blockNets);
-    LinuxFirewall::updateBlockNets(params.blockAddrs);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("200.allowVPN"), true);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv6, QStringLiteral("250.blockIPv6"), true);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("290.allowDHCP"), true);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("300.allowLAN"), true);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("310.blockDNS"), true);
-    LinuxFirewall::updateDNSServers(params.dnsServers);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("320.allowDNS"), true);
-    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("400.allowPIA"), true);
-}
-
 bool WireguardUtilsLinux::updateRoutePrefix(const IPAddress& prefix) {
     if (!m_rtmonitor) {
         return false;
@@ -377,6 +352,26 @@ bool WireguardUtilsLinux::deleteExclusionRoute(const IPAddress& prefix) {
     return m_rtmonitor->deleteExclusionRoute(prefix);
 }
 
+bool WireguardUtilsLinux::excludeLocalNetworks(const QList<IPAddress>& routes) {
+  if (!m_rtmonitor) {
+    return false;
+  }
+
+  // Explicitly discard LAN traffic that makes its way into the tunnel. This
+  // doesn't really exclude the LAN traffic, we just don't take any action to
+  // overrule the routes of other interfaces.
+  bool result = true;
+  for (const auto& prefix : routes) {
+    logger.error() << "Attempting to exclude:" << prefix.toString();
+    if (!m_rtmonitor->insertRoute(prefix)) {
+      result = false;
+    }
+  }
+
+  // TODO: A kill switch would be nice though :)
+  return result;
+}
+
 QString WireguardUtilsLinux::uapiCommand(const QString& command) {
     QLocalSocket socket;
     QTimer uapiTimeout;
@@ -450,3 +445,27 @@ QString WireguardUtilsLinux::waitForTunnelName(const QString& filename) {
 
     return QString();
 }
+
+void WireguardUtilsLinux::applyFirewallRules(FirewallParams& params)
+{
+    // double-check + ensure our firewall is installed and enabled
+    if (!LinuxFirewall::isInstalled()) LinuxFirewall::install();
+
+    // Note: rule precedence is handled inside IpTablesFirewall
+    LinuxFirewall::ensureRootAnchorPriority();
+
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("000.allowLoopback"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("100.blockAll"), params.blockAll);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), params.allowNets);
+    LinuxFirewall::updateAllowNets(params.allowAddrs);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("120.blockNets"), params.blockNets);
+    LinuxFirewall::updateBlockNets(params.blockAddrs);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("200.allowVPN"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv6, QStringLiteral("250.blockIPv6"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("290.allowDHCP"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("300.allowLAN"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("310.blockDNS"), true);
+    LinuxFirewall::updateDNSServers(params.dnsServers);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("320.allowDNS"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("400.allowPIA"), true);
+}

client/platforms/linux/daemon/wireguardutilslinux.h

@@ -37,6 +37,9 @@ public:
 
     bool addExclusionRoute(const IPAddress& prefix) override;
     bool deleteExclusionRoute(const IPAddress& prefix) override;
+
+    bool excludeLocalNetworks(const QList<IPAddress>& lanAddressRanges) override;
+
     void applyFirewallRules(FirewallParams& params);
 signals:
     void backendFailure();

client/platforms/macos/daemon/macosdaemon.h

@@ -21,7 +21,6 @@ class MacOSDaemon final : public Daemon {
 
  protected:
   WireguardUtils* wgutils() const override { return m_wgutils; }
-  bool supportDnsUtils() const override { return true; }
   DnsUtils* dnsutils() override { return m_dnsutils; }
   bool supportIPUtils() const override { return true; }
   IPUtils* iputils() override { return m_iputils; }

client/platforms/macos/daemon/macosroutemonitor.cpp

@@ -358,8 +358,8 @@ void MacosRouteMonitor::rtmAppendAddr(struct rt_msghdr* rtm, size_t maxlen,
 }
 
 bool MacosRouteMonitor::rtmSendRoute(int action, const IPAddress& prefix,
-                                     unsigned int ifindex,
-                                     const void* gateway) {
+                                     unsigned int ifindex, const void* gateway,
+                                     int flags) {
   constexpr size_t rtm_max_size = sizeof(struct rt_msghdr) +
                                   sizeof(struct sockaddr_in6) * 2 +
                                   sizeof(struct sockaddr_storage);
@@ -370,7 +370,7 @@ bool MacosRouteMonitor::rtmSendRoute(int action, const IPAddress& prefix,
   rtm->rtm_version = RTM_VERSION;
   rtm->rtm_type = action;
   rtm->rtm_index = ifindex;
-  rtm->rtm_flags = RTF_STATIC | RTF_UP;
+  rtm->rtm_flags = flags | RTF_STATIC | RTF_UP;
   rtm->rtm_addrs = 0;
   rtm->rtm_pid = 0;
   rtm->rtm_seq = m_rtseq++;
@@ -490,7 +490,7 @@ bool MacosRouteMonitor::rtmFetchRoutes(int family) {
   return false;
 }
 
-bool MacosRouteMonitor::insertRoute(const IPAddress& prefix) {
+bool MacosRouteMonitor::insertRoute(const IPAddress& prefix, int flags) {
   struct sockaddr_dl datalink;
   memset(&datalink, 0, sizeof(datalink));
   datalink.sdl_family = AF_LINK;
@@ -502,11 +502,11 @@ bool MacosRouteMonitor::insertRoute(const IPAddress& prefix) {
   datalink.sdl_slen = 0;
   memcpy(&datalink.sdl_data, qPrintable(m_ifname), datalink.sdl_nlen);
 
-  return rtmSendRoute(RTM_ADD, prefix, m_ifindex, &datalink);
+  return rtmSendRoute(RTM_ADD, prefix, m_ifindex, &datalink, flags);
 }
 
-bool MacosRouteMonitor::deleteRoute(const IPAddress& prefix) {
-  return rtmSendRoute(RTM_DELETE, prefix, m_ifindex, nullptr);
+bool MacosRouteMonitor::deleteRoute(const IPAddress& prefix, int flags) {
+  return rtmSendRoute(RTM_DELETE, prefix, m_ifindex, nullptr, flags);
 }
 
 bool MacosRouteMonitor::addExclusionRoute(const IPAddress& prefix) {

client/platforms/macos/daemon/macosroutemonitor.h

@@ -24,8 +24,8 @@ class MacosRouteMonitor final : public QObject {
   MacosRouteMonitor(const QString& ifname, QObject* parent = nullptr);
   ~MacosRouteMonitor();
 
-  bool insertRoute(const IPAddress& prefix);
-  bool deleteRoute(const IPAddress& prefix);
+  bool insertRoute(const IPAddress& prefix, int flags = 0);
+  bool deleteRoute(const IPAddress& prefix, int flags = 0);
   int interfaceFlags() { return m_ifflags; }
 
   bool addExclusionRoute(const IPAddress& prefix);
@@ -37,7 +37,7 @@ class MacosRouteMonitor final : public QObject {
   void handleRtmUpdate(const struct rt_msghdr* msg, const QByteArray& payload);
   void handleIfaceInfo(const struct if_msghdr* msg, const QByteArray& payload);
   bool rtmSendRoute(int action, const IPAddress& prefix, unsigned int ifindex,
-                    const void* gateway);
+                    const void* gateway, int flags = 0);
   bool rtmFetchRoutes(int family);
   static void rtmAppendAddr(struct rt_msghdr* rtm, size_t maxlen, int rtaddr,
                             const void* sa);

client/platforms/macos/daemon/wireguardutilsmacos.cpp

@@ -5,6 +5,7 @@
 #include "wireguardutilsmacos.h"
 
 #include <errno.h>
+#include <net/route.h>
 
 #include <QByteArray>
 #include <QDir>
@@ -130,7 +131,6 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
   }
 
   int err = uapiErrno(uapiCommand(message));
-
   if (err != 0) {
     logger.error() << "Interface configuration failed:" << strerror(err);
   } else {
@@ -211,7 +211,6 @@ bool WireguardUtilsMacos::updatePeer(const InterfaceConfig& config) {
     logger.warning() << "Failed to create peer with no endpoints";
     return false;
   }
-
   out << config.m_serverPort << "\n";
 
   out << "replace_allowed_ips=true\n";
@@ -323,10 +322,10 @@ bool WireguardUtilsMacos::deleteRoutePrefix(const IPAddress& prefix) {
   if (!m_rtmonitor) {
     return false;
   }
-  if (prefix.prefixLength() > 0) {
-    return m_rtmonitor->insertRoute(prefix);
-  }
 
+  if (prefix.prefixLength() > 0) {
+    return m_rtmonitor->deleteRoute(prefix);
+  }
   // Ensure that we do not replace the default route.
   if (prefix.type() == QAbstractSocket::IPv4Protocol) {
     return m_rtmonitor->deleteRoute(IPAddress("0.0.0.0/1")) &&
@@ -346,31 +345,6 @@ bool WireguardUtilsMacos::addExclusionRoute(const IPAddress& prefix) {
   return m_rtmonitor->addExclusionRoute(prefix);
 }
 
-void WireguardUtilsMacos::applyFirewallRules(FirewallParams& params)
-{
-  // double-check + ensure our firewall is installed and enabled. This is necessary as
-  // other software may disable pfctl before re-enabling with their own rules (e.g other VPNs)
-  if (!MacOSFirewall::isInstalled()) MacOSFirewall::install();
-
-  MacOSFirewall::ensureRootAnchorPriority();
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("000.allowLoopback"), true);
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("100.blockAll"), params.blockAll);
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("110.allowNets"), params.allowNets);
-  MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), params.allowNets,
-                                QStringLiteral("allownets"), params.allowAddrs);
-
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("120.blockNets"), params.blockNets);
-  MacOSFirewall::setAnchorTable(QStringLiteral("120.blockNets"), params.blockNets,
-                                QStringLiteral("blocknets"), params.blockAddrs);
-
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("200.allowVPN"), true);
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("250.blockIPv6"), true);
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("290.allowDHCP"), true);
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("300.allowLAN"), true);
-  MacOSFirewall::setAnchorEnabled(QStringLiteral("310.blockDNS"), true);
-  MacOSFirewall::setAnchorTable(QStringLiteral("310.blockDNS"), true, QStringLiteral("dnsaddr"), params.dnsServers);
-}
-
 bool WireguardUtilsMacos::deleteExclusionRoute(const IPAddress& prefix) {
   if (!m_rtmonitor) {
     return false;
@@ -378,6 +352,26 @@ bool WireguardUtilsMacos::deleteExclusionRoute(const IPAddress& prefix) {
   return m_rtmonitor->deleteExclusionRoute(prefix);
 }
 
+bool WireguardUtilsMacos::excludeLocalNetworks(const QList<IPAddress>& routes) {
+  if (!m_rtmonitor) {
+    return false;
+  }
+
+  // Explicitly discard LAN traffic that makes its way into the tunnel. This
+  // doesn't really exclude the LAN traffic, we just don't take any action to
+  // overrule the routes of other interfaces.
+  bool result = true;
+  for (const auto& prefix : routes) {
+    logger.error() << "Attempting to exclude:" << prefix.toString();
+    if (!m_rtmonitor->insertRoute(prefix, RTF_IFSCOPE | RTF_REJECT)) {
+      result = false;
+    }
+  }
+
+  // TODO: A kill switch would be nice though :)
+  return result;
+}
+
 QString WireguardUtilsMacos::uapiCommand(const QString& command) {
   QLocalSocket socket;
   QTimer uapiTimeout;
@@ -454,3 +448,28 @@ QString WireguardUtilsMacos::waitForTunnelName(const QString& filename) {
 
   return QString();
 }
+
+void WireguardUtilsMacos::applyFirewallRules(FirewallParams& params)
+{
+  // double-check + ensure our firewall is installed and enabled. This is necessary as
+  // other software may disable pfctl before re-enabling with their own rules (e.g other VPNs)
+  if (!MacOSFirewall::isInstalled()) MacOSFirewall::install();
+
+  MacOSFirewall::ensureRootAnchorPriority();
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("000.allowLoopback"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("100.blockAll"), params.blockAll);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("110.allowNets"), params.allowNets);
+  MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), params.allowNets,
+                                QStringLiteral("allownets"), params.allowAddrs);
+
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("120.blockNets"), params.blockNets);
+  MacOSFirewall::setAnchorTable(QStringLiteral("120.blockNets"), params.blockNets,
+                                QStringLiteral("blocknets"), params.blockAddrs);
+
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("200.allowVPN"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("250.blockIPv6"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("290.allowDHCP"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("300.allowLAN"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("310.blockDNS"), true);
+  MacOSFirewall::setAnchorTable(QStringLiteral("310.blockDNS"), true, QStringLiteral("dnsaddr"), params.dnsServers);
+}

client/platforms/macos/daemon/wireguardutilsmacos.h

@@ -35,6 +35,9 @@ class WireguardUtilsMacos final : public WireguardUtils {
 
   bool addExclusionRoute(const IPAddress& prefix) override;
   bool deleteExclusionRoute(const IPAddress& prefix) override;
+
+  bool excludeLocalNetworks(const QList<IPAddress>& lanAddressRanges) override;
+
   void applyFirewallRules(FirewallParams& params);
 
  signals:

client/platforms/windows/daemon/windowsdaemon.cpp

@@ -5,6 +5,7 @@
 #include "windowsdaemon.h"
 
 #include <Windows.h>
+#include <qassert.h>
 
 #include <QCoreApplication>
 #include <QJsonDocument>
@@ -15,28 +16,34 @@
 #include <QTextStream>
 #include <QtGlobal>
 
+#include "daemon/daemonerrors.h"
 #include "dnsutilswindows.h"
 #include "leakdetector.h"
 #include "logger.h"
-#include "core/networkUtilities.h"
+#include "platforms/windows/daemon/windowsfirewall.h"
+#include "platforms/windows/daemon/windowssplittunnel.h"
 #include "platforms/windows/windowscommons.h"
-#include "platforms/windows/windowsservicemanager.h"
 #include "windowsfirewall.h"
 
+#include "core/networkUtilities.h"
+
 namespace {
 Logger logger("WindowsDaemon");
 }
 
-WindowsDaemon::WindowsDaemon() : Daemon(nullptr), m_splitTunnelManager(this) {
+WindowsDaemon::WindowsDaemon() : Daemon(nullptr) {
   MZ_COUNT_CTOR(WindowsDaemon);
+  m_firewallManager = WindowsFirewall::create(this);
+  Q_ASSERT(m_firewallManager != nullptr);
 
-  m_wgutils = new WireguardUtilsWindows(this);
+  m_wgutils = WireguardUtilsWindows::create(m_firewallManager, this);
   m_dnsutils = new DnsUtilsWindows(this);
+  m_splitTunnelManager = WindowsSplitTunnel::create(m_firewallManager);
 
-  connect(m_wgutils, &WireguardUtilsWindows::backendFailure, this,
+  connect(m_wgutils.get(), &WireguardUtilsWindows::backendFailure, this,
           &WindowsDaemon::monitorBackendFailure);
   connect(this, &WindowsDaemon::activationFailure,
-          []() { WindowsFirewall::instance()->disableKillSwitch(); });
+          [this]() { m_firewallManager->disableKillSwitch(); });
 }
 
 WindowsDaemon::~WindowsDaemon() {
@@ -57,28 +64,42 @@ void WindowsDaemon::prepareActivation(const InterfaceConfig& config, int inetAda
 
 void WindowsDaemon::activateSplitTunnel(const InterfaceConfig& config, int vpnAdapterIndex) {
   if (config.m_vpnDisabledApps.length() > 0) {
-      m_splitTunnelManager.start(m_inetAdapterIndex, vpnAdapterIndex);
-      m_splitTunnelManager.setRules(config.m_vpnDisabledApps);
+      m_splitTunnelManager->start(m_inetAdapterIndex, vpnAdapterIndex);
+      m_splitTunnelManager->excludeApps(config.m_vpnDisabledApps);
   } else {
-      m_splitTunnelManager.stop();
+      m_splitTunnelManager->stop();
   }
 }
 
 bool WindowsDaemon::run(Op op, const InterfaceConfig& config) {
-  if (op == Down) {
-    m_splitTunnelManager.stop();
+  if (!m_splitTunnelManager) {
+    if (config.m_vpnDisabledApps.length() > 0) {
+      // The Client has sent us a list of disabled apps, but we failed
+      // to init the the split tunnel driver.
+      // So let the client know this was not possible
+      emit backendFailure(DaemonError::ERROR_SPLIT_TUNNEL_INIT_FAILURE);
+    }
     return true;
   }
 
-  if (op == Up) {
-    logger.debug() << "Tunnel UP, Starting SplitTunneling";
-    if (!WindowsSplitTunnel::isInstalled()) {
-      logger.warning() << "Split Tunnel Driver not Installed yet, fixing this.";
-      WindowsSplitTunnel::installDriver();
-    }
+  if (op == Down) {
+    m_splitTunnelManager->stop();
+    return true;
   }
-
-  activateSplitTunnel(config);
+  if (config.m_vpnDisabledApps.length() > 0) {
+    if (!m_splitTunnelManager->start(m_inetAdapterIndex)) {
+      emit backendFailure(DaemonError::ERROR_SPLIT_TUNNEL_START_FAILURE);
+    };
+    if (!m_splitTunnelManager->excludeApps(config.m_vpnDisabledApps)) {
+      emit backendFailure(DaemonError::ERROR_SPLIT_TUNNEL_EXCLUDE_FAILURE);
+    };
+    // Now the driver should be running (State == 4)
+    if (!m_splitTunnelManager->isRunning()) {
+      emit backendFailure(DaemonError::ERROR_SPLIT_TUNNEL_START_FAILURE);
+    }
+    return true;
+  }
+  m_splitTunnelManager->stop();
 
   return true;
 }

client/platforms/windows/daemon/windowsdaemon.h

@@ -5,8 +5,11 @@
 #ifndef WINDOWSDAEMON_H
 #define WINDOWSDAEMON_H
 
+#include <qpointer.h>
+
 #include "daemon/daemon.h"
 #include "dnsutilswindows.h"
+#include "windowsfirewall.h"
 #include "windowssplittunnel.h"
 #include "windowstunnelservice.h"
 #include "wireguardutilswindows.h"
@@ -25,8 +28,7 @@ class WindowsDaemon final : public Daemon {
 
  protected:
   bool run(Op op, const InterfaceConfig& config) override;
-  WireguardUtils* wgutils() const override { return m_wgutils; }
-  bool supportDnsUtils() const override { return true; }
+  WireguardUtils* wgutils() const override { return m_wgutils.get(); }
   DnsUtils* dnsutils() override { return m_dnsutils; }
 
  private:
@@ -40,9 +42,10 @@ class WindowsDaemon final : public Daemon {
 
   int m_inetAdapterIndex = -1;
 
-  WireguardUtilsWindows* m_wgutils = nullptr;
+  std::unique_ptr<WireguardUtilsWindows> m_wgutils;
   DnsUtilsWindows* m_dnsutils = nullptr;
-  WindowsSplitTunnel m_splitTunnelManager;
+  std::unique_ptr<WindowsSplitTunnel> m_splitTunnelManager;
+  QPointer<WindowsFirewall> m_firewallManager;
 };
 
 #endif  // WINDOWSDAEMON_H

client/platforms/windows/daemon/windowsfirewall.cpp

@@ -9,11 +9,12 @@
 #include <guiddef.h>
 #include <initguid.h>
 #include <netfw.h>
-//#include <qaccessible.h>
-#include <Ws2tcpip.h>
-
+#include <qaccessible.h>
+#include <qassert.h>
 #include <stdio.h>
 #include <windows.h>
+#include <Ws2tcpip.h>
+#include "winsock.h"
 
 #include <QApplication>
 #include <QFileInfo>
@@ -27,7 +28,6 @@
 #include "leakdetector.h"
 #include "logger.h"
 #include "platforms/windows/windowsutils.h"
-#include "winsock.h"
 
 #define IPV6_ADDRESS_SIZE 16
 
@@ -49,18 +49,13 @@ constexpr uint8_t HIGH_WEIGHT = 13;
 constexpr uint8_t MAX_WEIGHT = 15;
 }  // namespace
 
-WindowsFirewall* WindowsFirewall::instance() {
-  if (s_instance == nullptr) {
-    s_instance = new WindowsFirewall(qApp);
+WindowsFirewall* WindowsFirewall::create(QObject* parent) {
+  if (s_instance != nullptr) {
+    // Only one instance of the firewall is allowed
+//    Q_ASSERT(false);
+    return s_instance;
   }
-  return s_instance;
-}
-
-WindowsFirewall::WindowsFirewall(QObject* parent) : QObject(parent) {
-  MZ_COUNT_CTOR(WindowsFirewall);
-  Q_ASSERT(s_instance == nullptr);
-
-  HANDLE engineHandle = NULL;
+  HANDLE engineHandle = nullptr;
   DWORD result = ERROR_SUCCESS;
   // Use dynamic sessions for efficiency and safety:
   //  -> Filtering policy objects are deleted even when the application crashes/
@@ -71,15 +66,24 @@ WindowsFirewall::WindowsFirewall(QObject* parent) : QObject(parent) {
 
   logger.debug() << "Opening the filter engine.";
 
-  result =
-      FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, &engineHandle);
+  result = FwpmEngineOpen0(nullptr, RPC_C_AUTHN_WINNT, nullptr, &session,
+                           &engineHandle);
 
   if (result != ERROR_SUCCESS) {
     WindowsUtils::windowsLog("FwpmEngineOpen0 failed");
-    return;
+    return nullptr;
   }
   logger.debug() << "Filter engine opened successfully.";
-  m_sessionHandle = engineHandle;
+  if (!initSublayer()) {
+    return nullptr;
+  }
+  s_instance = new WindowsFirewall(engineHandle, parent);
+  return s_instance;
+}
+
+WindowsFirewall::WindowsFirewall(HANDLE session, QObject* parent)
+    : QObject(parent), m_sessionHandle(session) {
+  MZ_COUNT_CTOR(WindowsFirewall);
 }
 
 WindowsFirewall::~WindowsFirewall() {
@@ -89,15 +93,8 @@ WindowsFirewall::~WindowsFirewall() {
   }
 }
 
-bool WindowsFirewall::init() {
-  if (m_init) {
-    logger.warning() << "Alread initialised FW_WFP layer";
-    return true;
-  }
-  if (m_sessionHandle == INVALID_HANDLE_VALUE) {
-    logger.error() << "Cant Init Sublayer with invalid wfp handle";
-    return false;
-  }
+// static
+bool WindowsFirewall::initSublayer() {
   // If we were not able to aquire a handle, this will fail anyway.
   // We need to open up another handle because of wfp rules:
   // If a wfp resource was created with SESSION_DYNAMIC,
@@ -157,11 +154,10 @@ bool WindowsFirewall::init() {
     return false;
   }
   logger.debug() << "Initialised Sublayer";
-  m_init = true;
   return true;
 }
 
-bool WindowsFirewall::enableKillSwitch(int vpnAdapterIndex) {
+bool WindowsFirewall::enableInterface(int vpnAdapterIndex) {
 // Checks if the FW_Rule was enabled succesfully,
 // disables the whole killswitch and returns false if not.
 #define FW_OK(rule)                                                       \
@@ -184,7 +180,7 @@ bool WindowsFirewall::enableKillSwitch(int vpnAdapterIndex) {
     }                                                                     \
   }
 
-  logger.info() << "Enabling Killswitch Using Adapter:" << vpnAdapterIndex;
+  logger.info() << "Enabling firewall Using Adapter:" << vpnAdapterIndex;
   FW_OK(allowTrafficOfAdapter(vpnAdapterIndex, MED_WEIGHT,
                               "Allow usage of VPN Adapter"));
   FW_OK(allowDHCPTraffic(MED_WEIGHT, "Allow DHCP Traffic"));
@@ -200,6 +196,36 @@ bool WindowsFirewall::enableKillSwitch(int vpnAdapterIndex) {
 #undef FW_OK
 }
 
+// Allow unprotected traffic sent to the following local address ranges.
+bool WindowsFirewall::enableLanBypass(const QList<IPAddress>& ranges) {
+  // Start the firewall transaction
+  auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
+  if (result != ERROR_SUCCESS) {
+    disableKillSwitch();
+    return false;
+  }
+  auto cleanup = qScopeGuard([&] {
+    FwpmTransactionAbort0(m_sessionHandle);
+    disableKillSwitch();
+  });
+
+  // Blocking unprotected traffic
+  for (const IPAddress& prefix : ranges) {
+    if (!allowTrafficTo(prefix, LOW_WEIGHT + 1, "Allow LAN bypass traffic")) {
+      return false;
+    }
+  }
+
+  result = FwpmTransactionCommit0(m_sessionHandle);
+  if (result != ERROR_SUCCESS) {
+    logger.error() << "FwpmTransactionCommit0 failed with error:" << result;
+    return false;
+  }
+
+  cleanup.dismiss();
+  return true;
+}
+
 bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
   // Start the firewall transaction
   auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
@@ -238,10 +264,10 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
 
   if (!config.m_excludedAddresses.empty()) {
     for (const QString& i : config.m_excludedAddresses) {
-      logger.debug() << "range: " << i;
+      logger.debug() << "excludedAddresses range: " << i;
 
-      if (!allowTrafficToRange(i, HIGH_WEIGHT,
-                          "Allow Ecxlude route", config.m_serverPublicKey)) {
+      if (!allowTrafficTo(i, HIGH_WEIGHT,
+                               "Allow Ecxlude route", config.m_serverPublicKey)) {
         return false;
       }
     }
@@ -421,9 +447,59 @@ bool WindowsFirewall::allowTrafficOfAdapter(int networkAdapter, uint8_t weight,
   return true;
 }
 
+bool WindowsFirewall::allowTrafficTo(const IPAddress& addr, int weight,
+                                     const QString& title,
+                                     const QString& peer) {
+  GUID layerKeyOut;
+  GUID layerKeyIn;
+  if (addr.type() == QAbstractSocket::IPv4Protocol) {
+    layerKeyOut = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
+    layerKeyIn = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4;
+  } else {
+    layerKeyOut = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
+    layerKeyIn = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6;
+  }
+
+  // Match the IP address range.
+  FWPM_FILTER_CONDITION0 cond[1] = {};
+  FWP_RANGE0 ipRange;
+  QByteArray lowIpV6Buffer;
+  QByteArray highIpV6Buffer;
+
+  importAddress(addr.address(), ipRange.valueLow, &lowIpV6Buffer);
+  importAddress(addr.broadcastAddress(), ipRange.valueHigh, &highIpV6Buffer);
+
+  cond[0].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
+  cond[0].matchType = FWP_MATCH_RANGE;
+  cond[0].conditionValue.type = FWP_RANGE_TYPE;
+  cond[0].conditionValue.rangeValue = &ipRange;
+
+  // Assemble the Filter base
+  FWPM_FILTER0 filter;
+  memset(&filter, 0, sizeof(filter));
+  filter.action.type = FWP_ACTION_PERMIT;
+  filter.weight.type = FWP_UINT8;
+  filter.weight.uint8 = weight;
+  filter.subLayerKey = ST_FW_WINFW_BASELINE_SUBLAYER_KEY;
+  filter.numFilterConditions = 1;
+  filter.filterCondition = cond;
+
+  // Send the filters down to the firewall.
+  QString description = "Permit traffic %1 " + addr.toString();
+  filter.layerKey = layerKeyOut;
+  if (!enableFilter(&filter, title, description.arg("to"), peer)) {
+    return false;
+  }
+  filter.layerKey = layerKeyIn;
+  if (!enableFilter(&filter, title, description.arg("from"), peer)) {
+    return false;
+  }
+  return true;
+}
+
 bool WindowsFirewall::allowTrafficTo(const QHostAddress& targetIP, uint port,
-                                          int weight, const QString& title,
-                                          const QString& peer) {
+                                     int weight, const QString& title,
+                                     const QString& peer) {
   bool isIPv4 = targetIP.protocol() == QAbstractSocket::IPv4Protocol;
   GUID layerOut =
       isIPv4 ? FWPM_LAYER_ALE_AUTH_CONNECT_V4 : FWPM_LAYER_ALE_AUTH_CONNECT_V6;
@@ -484,57 +560,6 @@ bool WindowsFirewall::allowTrafficTo(const QHostAddress& targetIP, uint port,
   return true;
 }
 
-bool WindowsFirewall::allowTrafficToRange(const IPAddress& addr, uint8_t weight,
-                                     const QString& title,
-                                     const QString& peer) {
-  QString description("Allow traffic %1 %2 ");
-
-  auto lower = addr.address();
-  auto upper = addr.broadcastAddress();
-
-  const bool isV4 = addr.type() == QAbstractSocket::IPv4Protocol;
-  const GUID layerKeyOut =
-      isV4 ? FWPM_LAYER_ALE_AUTH_CONNECT_V4 : FWPM_LAYER_ALE_AUTH_CONNECT_V6;
-  const GUID layerKeyIn = isV4 ? FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
-                               : FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6;
-
-  // Assemble the Filter base
-  FWPM_FILTER0 filter;
-  memset(&filter, 0, sizeof(filter));
-  filter.action.type = FWP_ACTION_PERMIT;
-  filter.weight.type = FWP_UINT8;
-  filter.weight.uint8 = weight;
-  filter.subLayerKey = ST_FW_WINFW_BASELINE_SUBLAYER_KEY;
-
-  FWPM_FILTER_CONDITION0 cond[1] = {0};
-  FWP_RANGE0 ipRange;
-  QByteArray lowIpV6Buffer;
-  QByteArray highIpV6Buffer;
-
-  importAddress(lower, ipRange.valueLow, &lowIpV6Buffer);
-  importAddress(upper, ipRange.valueHigh, &highIpV6Buffer);
-
-  cond[0].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
-  cond[0].matchType = FWP_MATCH_RANGE;
-  cond[0].conditionValue.type = FWP_RANGE_TYPE;
-  cond[0].conditionValue.rangeValue = &ipRange;
-
-  filter.numFilterConditions = 1;
-  filter.filterCondition = cond;
-
-  filter.layerKey = layerKeyOut;
-  if (!enableFilter(&filter, title, description.arg("to").arg(addr.toString()),
-                    peer)) {
-    return false;
-  }
-  filter.layerKey = layerKeyIn;
-  if (!enableFilter(&filter, title,
-                    description.arg("from").arg(addr.toString()), peer)) {
-    return false;
-  }
-  return true;
-}
-
 bool WindowsFirewall::allowDHCPTraffic(uint8_t weight, const QString& title) {
   // Allow outbound DHCPv4
   {
@@ -734,7 +759,7 @@ bool WindowsFirewall::blockTrafficTo(const IPAddress& addr, uint8_t weight,
   filter.weight.uint8 = weight;
   filter.subLayerKey = ST_FW_WINFW_BASELINE_SUBLAYER_KEY;
 
-  FWPM_FILTER_CONDITION0 cond[1] = {0};
+  FWPM_FILTER_CONDITION0 cond[1] = {};
   FWP_RANGE0 ipRange;
   QByteArray lowIpV6Buffer;
   QByteArray highIpV6Buffer;

client/platforms/windows/daemon/windowsfirewall.h

@@ -26,18 +26,27 @@ struct FWP_CONDITION_VALUE0_;
 
 class WindowsFirewall final : public QObject {
  public:
-  ~WindowsFirewall();
+  /**
+   * @brief Opens the Windows Filtering Platform, initializes the session,
+   * sublayer. Returns a WindowsFirewall object if successful, otherwise
+   * nullptr. If there is already a WindowsFirewall object, it will be returned.
+   *
+   * @param parent - parent QObject
+   * @return WindowsFirewall* - nullptr if failed to open the Windows Filtering
+   * Platform.
+   */
+  static WindowsFirewall* create(QObject* parent);
+  ~WindowsFirewall() override;
 
-  static WindowsFirewall* instance();
-  bool init();
-
-  bool enableKillSwitch(int vpnAdapterIndex);
+  bool enableInterface(int vpnAdapterIndex);
+  bool enableLanBypass(const QList<IPAddress>& ranges);
   bool enablePeerTraffic(const InterfaceConfig& config);
   bool disablePeerTraffic(const QString& pubkey);
   bool disableKillSwitch();
 
  private:
-  WindowsFirewall(QObject* parent);
+  static bool initSublayer();
+  WindowsFirewall(HANDLE session, QObject* parent);
   HANDLE m_sessionHandle;
   bool m_init = false;
   QList<uint64_t> m_activeRules;
@@ -50,11 +59,10 @@ class WindowsFirewall final : public QObject {
   bool blockTrafficTo(const IPAddress& addr, uint8_t weight,
                       const QString& title, const QString& peer = QString());
   bool blockTrafficOnPort(uint port, uint8_t weight, const QString& title);
+  bool allowTrafficTo(const IPAddress& addr, int weight, const QString& title,
+                      const QString& peer = QString());
   bool allowTrafficTo(const QHostAddress& targetIP, uint port, int weight,
                       const QString& title, const QString& peer = QString());
-  bool allowTrafficToRange(const IPAddress& addr, uint8_t weight,
-                           const QString& title,
-                           const QString& peer);
   bool allowTrafficOfAdapter(int networkAdapter, uint8_t weight,
                              const QString& title);
   bool allowDHCPTraffic(uint8_t weight, const QString& title);

client/platforms/windows/daemon/windowsroutemonitor.cpp

@@ -13,6 +13,12 @@ namespace {
 Logger logger("WindowsRouteMonitor");
 };  // namespace
 
+// Attempt to mark routing entries that we create with a relatively
+// high metric. This ensures that we can skip over routes of our own
+// creation when processing route changes, and ensures that we give
+// way to other routing entries.
+constexpr const ULONG EXCLUSION_ROUTE_METRIC = 0x5e72;
+
 // Called by the kernel on route changes - perform some basic filtering and
 // invoke the routeChanged slot to do the real work.
 static void routeChangeCallback(PVOID context, PMIB_IPFORWARD_ROW2 row,
@@ -20,22 +26,17 @@ static void routeChangeCallback(PVOID context, PMIB_IPFORWARD_ROW2 row,
   WindowsRouteMonitor* monitor = (WindowsRouteMonitor*)context;
   Q_UNUSED(type);
 
-  // Ignore host route changes, and unsupported protocols.
-  if (row->DestinationPrefix.Prefix.si_family == AF_INET6) {
-    if (row->DestinationPrefix.PrefixLength >= 128) {
-      return;
-    }
-  } else if (row->DestinationPrefix.Prefix.si_family == AF_INET) {
-    if (row->DestinationPrefix.PrefixLength >= 32) {
-      return;
-    }
-  } else {
+  // Ignore route changes that we created.
+  if ((row->Protocol == MIB_IPPROTO_NETMGMT) &&
+      (row->Metric == EXCLUSION_ROUTE_METRIC)) {
+    return;
+  }
+  if (monitor->getLuid() == row->InterfaceLuid.Value) {
     return;
   }
 
-  if (monitor->getLuid() != row->InterfaceLuid.Value) {
-    QMetaObject::invokeMethod(monitor, "routeChanged", Qt::QueuedConnection);
-  }
+  // Invoke the route changed signal to do the real work in Qt.
+  QMetaObject::invokeMethod(monitor, "routeChanged", Qt::QueuedConnection);
 }
 
 // Perform prefix matching comparison on IP addresses in host order.
@@ -57,7 +58,8 @@ static int prefixcmp(const void* a, const void* b, size_t bits) {
   return 0;
 }
 
-WindowsRouteMonitor::WindowsRouteMonitor(QObject* parent) : QObject(parent) {
+WindowsRouteMonitor::WindowsRouteMonitor(quint64 luid, QObject* parent)
+    : QObject(parent), m_luid(luid) {
   MZ_COUNT_CTOR(WindowsRouteMonitor);
   logger.debug() << "WindowsRouteMonitor created.";
 
@@ -67,11 +69,13 @@ WindowsRouteMonitor::WindowsRouteMonitor(QObject* parent) : QObject(parent) {
 WindowsRouteMonitor::~WindowsRouteMonitor() {
   MZ_COUNT_DTOR(WindowsRouteMonitor);
   CancelMibChangeNotify2(m_routeHandle);
-  flushExclusionRoutes();
+
+  flushRouteTable(m_exclusionRoutes);
+  flushRouteTable(m_clonedRoutes);
   logger.debug() << "WindowsRouteMonitor destroyed.";
 }
 
-void WindowsRouteMonitor::updateValidInterfaces(int family) {
+void WindowsRouteMonitor::updateInterfaceMetrics(int family) {
   PMIB_IPINTERFACE_TABLE table;
   DWORD result = GetIpInterfaceTable(family, &table);
   if (result != NO_ERROR) {
@@ -82,10 +86,10 @@ void WindowsRouteMonitor::updateValidInterfaces(int family) {
 
   // Flush the list of interfaces that are valid for routing.
   if ((family == AF_INET) || (family == AF_UNSPEC)) {
-    m_validInterfacesIpv4.clear();
+    m_interfaceMetricsIpv4.clear();
   }
   if ((family == AF_INET6) || (family == AF_UNSPEC)) {
-    m_validInterfacesIpv6.clear();
+    m_interfaceMetricsIpv6.clear();
   }
 
   // Rebuild the list of interfaces that are valid for routing.
@@ -101,12 +105,12 @@ void WindowsRouteMonitor::updateValidInterfaces(int family) {
     if (row->Family == AF_INET) {
       logger.debug() << "Interface" << row->InterfaceIndex
                      << "is valid for IPv4 routing";
-      m_validInterfacesIpv4.append(row->InterfaceLuid.Value);
+      m_interfaceMetricsIpv4[row->InterfaceLuid.Value] = row->Metric;
     }
     if (row->Family == AF_INET6) {
       logger.debug() << "Interface" << row->InterfaceIndex
                      << "is valid for IPv6 routing";
-      m_validInterfacesIpv6.append(row->InterfaceLuid.Value);
+      m_interfaceMetricsIpv6[row->InterfaceLuid.Value] = row->Metric;
     }
   }
 }
@@ -126,72 +130,72 @@ void WindowsRouteMonitor::updateExclusionRoute(MIB_IPFORWARD_ROW2* data,
     if (row->InterfaceLuid.Value == m_luid) {
       continue;
     }
-    // Ignore host routes, and shorter potential matches.
-    if (row->DestinationPrefix.PrefixLength >=
-        data->DestinationPrefix.PrefixLength) {
+    if (row->DestinationPrefix.PrefixLength < bestMatch) {
       continue;
     }
-    if (row->DestinationPrefix.PrefixLength < bestMatch) {
+    // Ignore routes of our own creation.
+    if ((row->Protocol == data->Protocol) && (row->Metric == data->Metric)) {
       continue;
     }
 
     // Check if the routing table entry matches the destination.
+    if (!routeContainsDest(&row->DestinationPrefix, &data->DestinationPrefix)) {
+      continue;
+    }
+
+    // Compute the combined interface and routing metric.
+    ULONG routeMetric = row->Metric;
     if (data->DestinationPrefix.Prefix.si_family == AF_INET6) {
-      if (row->DestinationPrefix.Prefix.Ipv6.sin6_family != AF_INET6) {
-        continue;
-      }
-      if (!m_validInterfacesIpv6.contains(row->InterfaceLuid.Value)) {
-        continue;
-      }
-      if (prefixcmp(&data->DestinationPrefix.Prefix.Ipv6.sin6_addr,
-                    &row->DestinationPrefix.Prefix.Ipv6.sin6_addr,
-                    row->DestinationPrefix.PrefixLength) != 0) {
+      if (!m_interfaceMetricsIpv6.contains(row->InterfaceLuid.Value)) {
         continue;
       }
+      routeMetric += m_interfaceMetricsIpv6[row->InterfaceLuid.Value];
     } else if (data->DestinationPrefix.Prefix.si_family == AF_INET) {
-      if (row->DestinationPrefix.Prefix.Ipv4.sin_family != AF_INET) {
-        continue;
-      }
-      if (!m_validInterfacesIpv4.contains(row->InterfaceLuid.Value)) {
-        continue;
-      }
-      if (prefixcmp(&data->DestinationPrefix.Prefix.Ipv4.sin_addr,
-                    &row->DestinationPrefix.Prefix.Ipv4.sin_addr,
-                    row->DestinationPrefix.PrefixLength) != 0) {
+      if (!m_interfaceMetricsIpv4.contains(row->InterfaceLuid.Value)) {
         continue;
       }
+      routeMetric += m_interfaceMetricsIpv4[row->InterfaceLuid.Value];
     } else {
       // Unsupported destination address family.
       continue;
     }
+    if (routeMetric < row->Metric) {
+      routeMetric = ULONG_MAX;
+    }
 
     // Prefer routes with lower metric if we find multiple matches
     // with the same prefix length.
     if ((row->DestinationPrefix.PrefixLength == bestMatch) &&
-        (row->Metric >= bestMetric)) {
+        (routeMetric >= bestMetric)) {
       continue;
     }
 
     // If we got here, then this is the longest prefix match so far.
     memcpy(&nexthop, &row->NextHop, sizeof(SOCKADDR_INET));
-    bestLuid = row->InterfaceLuid.Value;
     bestMatch = row->DestinationPrefix.PrefixLength;
-    bestMetric = row->Metric;
+    bestMetric = routeMetric;
+    if (bestMatch == data->DestinationPrefix.PrefixLength) {
+      bestLuid = 0;  // Don't write to the table if we find an exact match.
+    } else {
+      bestLuid = row->InterfaceLuid.Value;
+    }
   }
 
   // If neither the interface nor next-hop have changed, then do nothing.
-  if ((data->InterfaceLuid.Value) == bestLuid &&
+  if (data->InterfaceLuid.Value == bestLuid &&
       memcmp(&nexthop, &data->NextHop, sizeof(SOCKADDR_INET)) == 0) {
     return;
   }
 
-  // Update the routing table entry.
+  // Delete the previous routing table entry, if any.
   if (data->InterfaceLuid.Value != 0) {
     DWORD result = DeleteIpForwardEntry2(data);
     if ((result != NO_ERROR) && (result != ERROR_NOT_FOUND)) {
       logger.error() << "Failed to delete route:" << result;
     }
   }
+
+  // Update the routing table entry.
   data->InterfaceLuid.Value = bestLuid;
   memcpy(&data->NextHop, &nexthop, sizeof(SOCKADDR_INET));
   if (data->InterfaceLuid.Value != 0) {
@@ -202,10 +206,178 @@ void WindowsRouteMonitor::updateExclusionRoute(MIB_IPFORWARD_ROW2* data,
   }
 }
 
+// static
+bool WindowsRouteMonitor::routeContainsDest(const IP_ADDRESS_PREFIX* route,
+                                            const IP_ADDRESS_PREFIX* dest) {
+  if (route->Prefix.si_family != dest->Prefix.si_family) {
+    return false;
+  }
+  if (route->PrefixLength > dest->PrefixLength) {
+    return false;
+  }
+  if (route->Prefix.si_family == AF_INET) {
+    return prefixcmp(&route->Prefix.Ipv4.sin_addr, &dest->Prefix.Ipv4.sin_addr,
+                     route->PrefixLength) == 0;
+  } else if (route->Prefix.si_family == AF_INET6) {
+    return prefixcmp(&route->Prefix.Ipv6.sin6_addr,
+                     &dest->Prefix.Ipv6.sin6_addr, route->PrefixLength) == 0;
+  } else {
+    return false;
+  }
+}
+
+// static
+QHostAddress WindowsRouteMonitor::prefixToAddress(
+    const IP_ADDRESS_PREFIX* dest) {
+  if (dest->Prefix.si_family == AF_INET6) {
+    return QHostAddress(dest->Prefix.Ipv6.sin6_addr.s6_addr);
+  } else if (dest->Prefix.si_family == AF_INET) {
+    quint32 addr = htonl(dest->Prefix.Ipv4.sin_addr.s_addr);
+    return QHostAddress(addr);
+  } else {
+    return QHostAddress();
+  }
+}
+
+bool WindowsRouteMonitor::isRouteExcluded(const IP_ADDRESS_PREFIX* dest) const {
+  auto i = m_exclusionRoutes.constBegin();
+  while (i != m_exclusionRoutes.constEnd()) {
+    const MIB_IPFORWARD_ROW2* row = i.value();
+    if (routeContainsDest(&row->DestinationPrefix, dest)) {
+      return true;
+    }
+    i++;
+  }
+  return false;
+}
+
+void WindowsRouteMonitor::updateCapturedRoutes(int family) {
+  if (!m_defaultRouteCapture) {
+    return;
+  }
+
+  PMIB_IPFORWARD_TABLE2 table;
+  DWORD error = GetIpForwardTable2(family, &table);
+  if (error != NO_ERROR) {
+    updateCapturedRoutes(family, table);
+    FreeMibTable(table);
+  }
+}
+
+void WindowsRouteMonitor::updateCapturedRoutes(int family, void* ptable) {
+  PMIB_IPFORWARD_TABLE2 table = reinterpret_cast<PMIB_IPFORWARD_TABLE2>(ptable);
+  if (!m_defaultRouteCapture) {
+    return;
+  }
+
+  for (ULONG i = 0; i < table->NumEntries; i++) {
+    MIB_IPFORWARD_ROW2* row = &table->Table[i];
+    // Ignore routes into the VPN interface.
+    if (row->InterfaceLuid.Value == m_luid) {
+      continue;
+    }
+    // Ignore the default route
+    if (row->DestinationPrefix.PrefixLength == 0) {
+      continue;
+    }
+    // Ignore routes of our own creation.
+    if ((row->Protocol == MIB_IPPROTO_NETMGMT) &&
+        (row->Metric == EXCLUSION_ROUTE_METRIC)) {
+      continue;
+    }
+    // Ignore routes which should be excluded.
+    if (isRouteExcluded(&row->DestinationPrefix)) {
+      continue;
+    }
+    QHostAddress destination = prefixToAddress(&row->DestinationPrefix);
+    if (destination.isLoopback() || destination.isBroadcast() ||
+        destination.isLinkLocal() || destination.isMulticast()) {
+      continue;
+    }
+
+    // If we get here, this route should be cloned.
+    IPAddress prefix(destination, row->DestinationPrefix.PrefixLength);
+    MIB_IPFORWARD_ROW2* data = m_clonedRoutes.value(prefix, nullptr);
+    if (data != nullptr) {
+      // Count the number of matching entries in the main table.
+      data->Age++;
+      continue;
+    }
+    logger.debug() << "Capturing route to"
+                   << logger.sensitive(prefix.toString());
+
+    // Clone the route and direct it into the VPN tunnel.
+    data = new MIB_IPFORWARD_ROW2;
+    InitializeIpForwardEntry(data);
+    data->InterfaceLuid.Value = m_luid;
+    data->DestinationPrefix = row->DestinationPrefix;
+    data->NextHop.si_family = data->DestinationPrefix.Prefix.si_family;
+
+    // Set the rest of the flags for a static route.
+    data->ValidLifetime = 0xffffffff;
+    data->PreferredLifetime = 0xffffffff;
+    data->Metric = 0;
+    data->Protocol = MIB_IPPROTO_NETMGMT;
+    data->Loopback = false;
+    data->AutoconfigureAddress = false;
+    data->Publish = false;
+    data->Immortal = false;
+    data->Age = 0;
+
+    // Route this traffic into the VPN tunnel.
+    DWORD result = CreateIpForwardEntry2(data);
+    if (result != NO_ERROR) {
+      logger.error() << "Failed to update route:" << result;
+      delete data;
+    } else {
+      m_clonedRoutes.insert(prefix, data);
+      data->Age++;
+    }
+  }
+
+  // Finally scan for any routes which were removed from the table. We do this
+  // by reusing the age field to count the number of matching entries in the
+  // main table.
+  auto i = m_clonedRoutes.begin();
+  while (i != m_clonedRoutes.end()) {
+    MIB_IPFORWARD_ROW2* data = i.value();
+    if (data->Age > 0) {
+      // Entry is in use, don't delete it.
+      data->Age = 0;
+      i++;
+      continue;
+    }
+    if ((family != AF_UNSPEC) &&
+        (data->DestinationPrefix.Prefix.si_family != family)) {
+      // We are not processing updates to this address family.
+      i++;
+      continue;
+    }
+
+    logger.debug() << "Removing route capture for"
+                   << logger.sensitive(i.key().toString());
+
+    // Otherwise, this route is no longer in use.
+    DWORD result = DeleteIpForwardEntry2(data);
+    if ((result != NO_ERROR) && (result != ERROR_NOT_FOUND)) {
+      logger.error() << "Failed to delete route:" << result;
+    }
+    delete data;
+    i = m_clonedRoutes.erase(i);
+  }
+}
+
 bool WindowsRouteMonitor::addExclusionRoute(const IPAddress& prefix) {
   logger.debug() << "Adding exclusion route for"
                  << logger.sensitive(prefix.toString());
 
+  // Silently ignore non-routeable addresses.
+  QHostAddress addr = prefix.address();
+  if (addr.isLoopback() || addr.isBroadcast() || addr.isLinkLocal() ||
+      addr.isMulticast()) {
+    return true;
+  }
+
   if (m_exclusionRoutes.contains(prefix)) {
     logger.warning() << "Exclusion route already exists";
     return false;
@@ -232,7 +404,7 @@ bool WindowsRouteMonitor::addExclusionRoute(const IPAddress& prefix) {
   // Set the rest of the flags for a static route.
   data->ValidLifetime = 0xffffffff;
   data->PreferredLifetime = 0xffffffff;
-  data->Metric = 0;
+  data->Metric = EXCLUSION_ROUTE_METRIC;
   data->Protocol = MIB_IPPROTO_NETMGMT;
   data->Loopback = false;
   data->AutoconfigureAddress = false;
@@ -254,7 +426,8 @@ bool WindowsRouteMonitor::addExclusionRoute(const IPAddress& prefix) {
     delete data;
     return false;
   }
-  updateValidInterfaces(family);
+  updateInterfaceMetrics(family);
+  updateCapturedRoutes(family, table);
   updateExclusionRoute(data, table);
   FreeMibTable(table);
 
@@ -266,26 +439,28 @@ bool WindowsRouteMonitor::deleteExclusionRoute(const IPAddress& prefix) {
   logger.debug() << "Deleting exclusion route for"
                  << logger.sensitive(prefix.address().toString());
 
-  for (;;) {
-    MIB_IPFORWARD_ROW2* data = m_exclusionRoutes.take(prefix);
-    if (data == nullptr) {
-      break;
-    }
-
-    DWORD result = DeleteIpForwardEntry2(data);
-    if ((result != ERROR_NOT_FOUND) && (result != NO_ERROR)) {
-      logger.error() << "Failed to delete route to"
-                     << logger.sensitive(prefix.toString())
-                     << "result:" << result;
-    }
-    delete data;
+  MIB_IPFORWARD_ROW2* data = m_exclusionRoutes.take(prefix);
+  if (data == nullptr) {
+    return true;
   }
 
+  DWORD result = DeleteIpForwardEntry2(data);
+  if ((result != ERROR_NOT_FOUND) && (result != NO_ERROR)) {
+    logger.error() << "Failed to delete route to"
+                   << logger.sensitive(prefix.toString())
+                   << "result:" << result;
+  }
+
+  // Captured routes might have changed.
+  updateCapturedRoutes(data->DestinationPrefix.Prefix.si_family);
+
+  delete data;
   return true;
 }
 
-void WindowsRouteMonitor::flushExclusionRoutes() {
-  for (auto i = m_exclusionRoutes.begin(); i != m_exclusionRoutes.end(); i++) {
+void WindowsRouteMonitor::flushRouteTable(
+    QHash<IPAddress, MIB_IPFORWARD_ROW2*>& table) {
+  for (auto i = table.begin(); i != table.end(); i++) {
     MIB_IPFORWARD_ROW2* data = i.value();
     DWORD result = DeleteIpForwardEntry2(data);
     if ((result != ERROR_NOT_FOUND) && (result != NO_ERROR)) {
@@ -295,7 +470,17 @@ void WindowsRouteMonitor::flushExclusionRoutes() {
     }
     delete data;
   }
-  m_exclusionRoutes.clear();
+  table.clear();
+}
+
+void WindowsRouteMonitor::setDetaultRouteCapture(bool enable) {
+  m_defaultRouteCapture = enable;
+
+  // Flush any captured routes when disabling the feature.
+  if (!m_defaultRouteCapture) {
+    flushRouteTable(m_clonedRoutes);
+    return;
+  }
 }
 
 void WindowsRouteMonitor::routeChanged() {
@@ -308,7 +493,8 @@ void WindowsRouteMonitor::routeChanged() {
     return;
   }
 
-  updateValidInterfaces(AF_UNSPEC);
+  updateInterfaceMetrics(AF_UNSPEC);
+  updateCapturedRoutes(AF_UNSPEC, table);
   for (MIB_IPFORWARD_ROW2* data : m_exclusionRoutes) {
     updateExclusionRoute(data, table);
   }

client/platforms/windows/daemon/windowsroutemonitor.h

@@ -11,6 +11,8 @@
 #include <winsock2.h>
 #include <ws2ipdef.h>
 
+#include <QHash>
+#include <QMap>
 #include <QObject>
 
 #include "ipaddress.h"
@@ -19,28 +21,41 @@ class WindowsRouteMonitor final : public QObject {
   Q_OBJECT
 
  public:
-  WindowsRouteMonitor(QObject* parent);
+  WindowsRouteMonitor(quint64 luid, QObject* parent);
   ~WindowsRouteMonitor();
 
+  void setDetaultRouteCapture(bool enable);
+
   bool addExclusionRoute(const IPAddress& prefix);
   bool deleteExclusionRoute(const IPAddress& prefix);
-  void flushExclusionRoutes();
+  void flushExclusionRoutes() { return flushRouteTable(m_exclusionRoutes); };
 
-  void setLuid(quint64 luid) { m_luid = luid; }
-  quint64 getLuid() { return m_luid; }
+  quint64 getLuid() const { return m_luid; }
 
  public slots:
   void routeChanged();
 
  private:
+  bool isRouteExcluded(const IP_ADDRESS_PREFIX* dest) const;
+  static bool routeContainsDest(const IP_ADDRESS_PREFIX* route,
+                                const IP_ADDRESS_PREFIX* dest);
+  static QHostAddress prefixToAddress(const IP_ADDRESS_PREFIX* dest);
+
+  void flushRouteTable(QHash<IPAddress, MIB_IPFORWARD_ROW2*>& table);
   void updateExclusionRoute(MIB_IPFORWARD_ROW2* data, void* table);
-  void updateValidInterfaces(int family);
+  void updateInterfaceMetrics(int family);
+  void updateCapturedRoutes(int family);
+  void updateCapturedRoutes(int family, void* table);
 
   QHash<IPAddress, MIB_IPFORWARD_ROW2*> m_exclusionRoutes;
-  QList<quint64> m_validInterfacesIpv4;
-  QList<quint64> m_validInterfacesIpv6;
+  QMap<quint64, ULONG> m_interfaceMetricsIpv4;
+  QMap<quint64, ULONG> m_interfaceMetricsIpv6;
 
-  quint64 m_luid = 0;
+  // Default route cloning
+  bool m_defaultRouteCapture = false;
+  QHash<IPAddress, MIB_IPFORWARD_ROW2*> m_clonedRoutes;
+
+  const quint64 m_luid = 0;
   HANDLE m_routeHandle = INVALID_HANDLE_VALUE;
 };