OpenVPN import fix

* Fix ListViewType scrolling on country selection page

* Disable highlightFollowsCurrentItem for country selection page

* Fix scrolling on container DropDown

* Fix ListView height

* Fix listview layout in DropDownType

* Remove unnecessary MouseArea from country selection page

.github/workflows/deploy.yml

@@ -10,7 +10,7 @@ env:
 
 jobs:
   Build-Linux-Ubuntu:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     env:
       QT_VERSION: 6.6.2
@@ -190,7 +190,7 @@ jobs:
     - name: 'Install go'
       uses: actions/setup-go@v5
       with:
-        go-version: '1.22.1'
+        go-version: '1.24'
         cache: false
 
     - name: 'Setup gomobile'

.github/workflows/tag-upload.yml

@@ -1,64 +1,41 @@
 name: 'Upload a new version'
 
 on:
-  push:
-    tags:
-    - '[0-9]+.[0-9]+.[0-9]+.[0-9]+'
+  workflow_dispatch:
+    inputs:
+      RELEASE_VERSION:
+        description: 'Release version (e.g. 1.2.3.4)'
+        required: true
+        type: string
 
 jobs:
-  upload:
+  Upload-S3:
     runs-on: ubuntu-latest
-    name: upload
     steps:
-      - name: Checkout CMakeLists.txt
+      - name: Checkout
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.ref_name }}
+          ref: ${{ inputs.RELEASE_VERSION }}
           sparse-checkout: |
             CMakeLists.txt
+            deploy/deploy_s3.sh
           sparse-checkout-cone-mode: false
 
       - name: Verify git tag
         run: |
-          GIT_TAG=${{ github.ref_name }}
+          TAG_NAME=${{ inputs.RELEASE_VERSION }}
           CMAKE_TAG=$(grep 'project.*VERSION' CMakeLists.txt | sed -E 's/.* ([0-9]+.[0-9]+.[0-9]+.[0-9]+)$/\1/')
-
-          if [[ "$GIT_TAG" == "$CMAKE_TAG" ]]; then
-            echo "Git tag ($GIT_TAG) and version in CMakeLists.txt ($CMAKE_TAG) are the same. Continuing..."
+          if [[ "$TAG_NAME" == "$CMAKE_TAG" ]]; then
+            echo "Git tag ($TAG_NAME) matches CMakeLists.txt version ($CMAKE_TAG)."
           else
-            echo "Git tag ($GIT_TAG) and version in CMakeLists.txt ($CMAKE_TAG) are not the same! Cancelling..."
+            echo "::error::Mismatch: Git tag ($TAG_NAME) != CMakeLists.txt version ($CMAKE_TAG). Exiting with error..."
             exit 1
           fi
 
-      - name: Download artifacts from the "${{ github.ref_name }}" tag
-        uses: robinraju/release-downloader@v1.8
+      - name: Setup Rclone
+        uses: AnimMouse/setup-rclone@v1
         with:
-          tag: ${{ github.ref_name }}
-          fileName: "AmneziaVPN_(Linux_|)${{ github.ref_name }}*"
-          out-file-path: ${{ github.ref_name }}
+          rclone_config: ${{ secrets.RCLONE_CONFIG }}
 
-      - name: Upload beta version
-        uses: jakejarvis/s3-sync-action@master
-        if: contains(github.event.base_ref, 'dev')
-        with:
-          args: --include "AmneziaVPN*" --delete
-        env:
-          AWS_S3_BUCKET: updates
-          AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_SECRET_ACCESS_KEY }}
-          AWS_S3_ENDPOINT: https://${{ vars.CF_ACCOUNT_ID }}.r2.cloudflarestorage.com
-          SOURCE_DIR: ${{ github.ref_name }}
-          DEST_DIR: beta/${{ github.ref_name }}
-
-      - name: Upload stable version
-        uses: jakejarvis/s3-sync-action@master
-        if: contains(github.event.base_ref, 'master')
-        with:
-          args: --include "AmneziaVPN*" --delete
-        env:
-          AWS_S3_BUCKET: updates
-          AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_SECRET_ACCESS_KEY }}
-          AWS_S3_ENDPOINT: https://${{ vars.CF_ACCOUNT_ID }}.r2.cloudflarestorage.com
-          SOURCE_DIR: ${{ github.ref_name }}
-          DEST_DIR: stable/${{ github.ref_name }}
+      - name: Send dist to S3
+        run: bash deploy/deploy_s3.sh ${{ inputs.RELEASE_VERSION }}

CMakeLists.txt

@@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)
 
 set(PROJECT AmneziaVPN)
 
-project(${PROJECT} VERSION 4.8.4.0
+project(${PROJECT} VERSION 4.8.6.0
         DESCRIPTION "AmneziaVPN"
         HOMEPAGE_URL "https://amnezia.org/"
 )
@@ -11,7 +11,7 @@ string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")
 
 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2077)
+set(APP_ANDROID_VERSION_CODE 2083)
 
 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
     set(MZ_PLATFORM_NAME "linux")

README_RU.md

@@ -6,11 +6,11 @@
 [![Gitpod ready-to-code](https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/amnezia-vpn/amnezia-client)
 
 ### [English](https://github.com/amnezia-vpn/amnezia-client/blob/dev/README.md) | Русский
-[AmneziaVPN](https://amnezia.org) — это open sourse VPN-клиент, ключевая особенность которого заключается в возможности развернуть собственный VPN на вашем сервере.
+[AmneziaVPN](https://amnezia.org) — это open source VPN-клиент, ключевая особенность которого заключается в возможности развернуть собственный VPN на вашем сервере.
 
 [![Image](https://github.com/amnezia-vpn/amnezia-client/blob/dev/metadata/img-readme/uipic4.png)](https://amnezia.org)
 
-### [Сайт](https://amnezia.org) | [Зеркало на сайт](https://storage.googleapis.com/amnezia/amnezia.org) | [Документация](https://docs.amnezia.org) | [Решение проблем](https://docs.amnezia.org/troubleshooting)
+### [Сайт](https://amnezia.org) | [Зеркало сайта](https://storage.googleapis.com/amnezia/amnezia.org) | [Документация](https://docs.amnezia.org) | [Решение проблем](https://docs.amnezia.org/troubleshooting)
 
 > [!TIP]
 > Если [сайт Amnezia](https://amnezia.org) заблокирован в вашем регионе, вы можете воспользоваться [ссылкой на зеркало](https://storage.googleapis.com/amnezia/amnezia.org).
@@ -30,7 +30,7 @@
 - Классические VPN-протоколы: OpenVPN, WireGuard и IKEv2.
 - Протоколы с маскировкой трафика (обфускацией): OpenVPN с плагином [Cloak](https://github.com/cbeuw/Cloak), Shadowsocks (OpenVPN over Shadowsocks), [AmneziaWG](https://docs.amnezia.org/documentation/amnezia-wg/) and XRay.
 - Поддержка Split Tunneling — добавляйте любые сайты или приложения в список, чтобы включить VPN только для них.
-- Поддерживает платформы: Windows, MacOS, Linux, Android, iOS.
+- Поддерживает платформы: Windows, macOS, Linux, Android, iOS.
 - Поддержка конфигурации протокола AmneziaWG на [бета-прошивке Keenetic](https://docs.keenetic.com/ua/air/kn-1611/en/6319-latest-development-release.html#UUID-186c4108-5afd-c10b-f38a-cdff6c17fab3_section-idm33192196168192-improved).
 
 ## Ссылки
@@ -38,10 +38,10 @@
 - [https://amnezia.org](https://amnezia.org) - Веб-сайт проекта | [Альтернативная ссылка (зеркало)](https://storage.googleapis.com/kldscp/amnezia.org)
 - [https://docs.amnezia.org](https://docs.amnezia.org) - Документация
 - [https://www.reddit.com/r/AmneziaVPN](https://www.reddit.com/r/AmneziaVPN) - Reddit  
-- [https://t.me/amnezia_vpn_en](https://t.me/amnezia_vpn_en) - Канал поддржки в Telegram (Английский)
-- [https://t.me/amnezia_vpn_ir](https://t.me/amnezia_vpn_ir) - Канал поддржки в Telegram (Фарси)
-- [https://t.me/amnezia_vpn_mm](https://t.me/amnezia_vpn_mm) - Канал поддржки в Telegram (Мьянма) 
-- [https://t.me/amnezia_vpn](https://t.me/amnezia_vpn) - Канал поддржки в Telegram  (Русский)
+- [https://t.me/amnezia_vpn_en](https://t.me/amnezia_vpn_en) - Канал поддержки в Telegram (Английский)
+- [https://t.me/amnezia_vpn_ir](https://t.me/amnezia_vpn_ir) - Канал поддержки в Telegram (Фарси)
+- [https://t.me/amnezia_vpn_mm](https://t.me/amnezia_vpn_mm) - Канал поддержки в Telegram (Мьянма) 
+- [https://t.me/amnezia_vpn](https://t.me/amnezia_vpn) - Канал поддержки в Telegram  (Русский)
 - [https://vpnpay.io/en/amnezia-premium/](https://vpnpay.io/en/amnezia-premium/) - Amnezia Premium | [Зеркало](https://storage.googleapis.com/kldscp/vpnpay.io/ru/amnezia-premium\)
 
 ## Технологии
@@ -80,8 +80,8 @@ git submodule update --init --recursive
 Проверьте папку deploy для скриптов сборки.
 
 ### Как собрать iOS-приложение из исходного кода на MacOS
-1. Убедитесь, что у вас установлен XCode версии 14 или выше.
-2. Для генерации проекта XCode используется QT. Требуется версия QT 6.6.2. Установите QT для MacOS здесь или через QT Online Installer. Необходимые модули:
+1. Убедитесь, что у вас установлен Xcode версии 14 или выше.
+2. Для генерации проекта Xcode используется QT. Требуется версия QT 6.6.2. Установите QT для MacOS здесь или через QT Online Installer. Необходимые модули:
 - MacOS
 - iOS
 - Модуль совместимости с Qt 5
@@ -117,7 +117,7 @@ $QT_IOS_BIN/qt-cmake . -B build-ios -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR
 export PATH=$(PATH):/path/to/GOPATH/bin
 ```
 
-6. Откройте проект в XCode. Теперь вы можете тестировать, архивировать или публиковать приложение.
+6. Откройте проект в Xcode. Теперь вы можете тестировать, архивировать или публиковать приложение.
    
 Если сборка завершится с ошибкой:
 ```

client/CMakeLists.txt

@@ -31,10 +31,6 @@ add_definitions(-DDEV_AGW_PUBLIC_KEY="$ENV{DEV_AGW_PUBLIC_KEY}")
 add_definitions(-DDEV_AGW_ENDPOINT="$ENV{DEV_AGW_ENDPOINT}")
 add_definitions(-DDEV_S3_ENDPOINT="$ENV{DEV_S3_ENDPOINT}")
 
-if(IOS)
-    set(PACKAGES ${PACKAGES} Multimedia)
-endif()
-
 if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
     set(PACKAGES ${PACKAGES} Widgets)
 endif()
@@ -48,10 +44,6 @@ set(LIBS ${LIBS}
     Qt6::Core5Compat Qt6::Concurrent
 )
 
-if(IOS)
-    set(LIBS ${LIBS} Qt6::Multimedia)
-endif()
-
 if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
     set(LIBS ${LIBS} Qt6::Widgets)
 endif()

client/configurators/openvpn_configurator.cpp

@@ -13,10 +13,10 @@
     #include <QApplication>
 #endif
 
+#include "core/networkUtilities.h"
 #include "containers/containers_defs.h"
 #include "core/controllers/serverController.h"
 #include "core/scripts_registry.h"
-#include "core/server_defs.h"
 #include "settings.h"
 #include "utilities.h"
 
@@ -24,6 +24,7 @@
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 
+
 OpenVpnConfigurator::OpenVpnConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
                                          QObject *parent)
     : ConfiguratorBase(settings, serverController, parent)
@@ -122,12 +123,14 @@ QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString,
 
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
             // Prevent ipv6 leak
-            config.append("ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1\n");
+            if (NetworkUtilities::checkIpv6Enabled()) {
+                config.append("ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1\n");
+            }
 #endif
             config.append("block-ipv6\n");
         } else if (m_settings->routeMode() == Settings::VpnOnlyForwardSites) {
 
-            // no redirect-gateway
+               // no redirect-gateway
         } else if (m_settings->routeMode() == Settings::VpnAllExceptSites) {
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
             config.append("\nredirect-gateway ipv6 !ipv4 bypass-dhcp\n");

client/configurators/wireguard_configurator.cpp

@@ -3,6 +3,7 @@
 #include <QDebug>
 #include <QJsonDocument>
 #include <QProcess>
+#include <QRegularExpression>
 #include <QString>
 #include <QTemporaryDir>
 #include <QTemporaryFile>
@@ -19,13 +20,17 @@
 #include "settings.h"
 #include "utilities.h"
 
-WireguardConfigurator::WireguardConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
-                                             bool isAwg, QObject *parent)
+WireguardConfigurator::WireguardConfigurator(std::shared_ptr<Settings> settings,
+                                             const QSharedPointer<ServerController> &serverController, bool isAwg,
+                                             QObject *parent)
     : ConfiguratorBase(settings, serverController, parent), m_isAwg(isAwg)
 {
-    m_serverConfigPath = m_isAwg ? amnezia::protocols::awg::serverConfigPath : amnezia::protocols::wireguard::serverConfigPath;
-    m_serverPublicKeyPath = m_isAwg ? amnezia::protocols::awg::serverPublicKeyPath : amnezia::protocols::wireguard::serverPublicKeyPath;
-    m_serverPskKeyPath = m_isAwg ? amnezia::protocols::awg::serverPskKeyPath : amnezia::protocols::wireguard::serverPskKeyPath;
+    m_serverConfigPath =
+            m_isAwg ? amnezia::protocols::awg::serverConfigPath : amnezia::protocols::wireguard::serverConfigPath;
+    m_serverPublicKeyPath =
+            m_isAwg ? amnezia::protocols::awg::serverPublicKeyPath : amnezia::protocols::wireguard::serverPublicKeyPath;
+    m_serverPskKeyPath =
+            m_isAwg ? amnezia::protocols::awg::serverPskKeyPath : amnezia::protocols::wireguard::serverPskKeyPath;
     m_configTemplate = m_isAwg ? ProtocolScriptType::awg_template : ProtocolScriptType::wireguard_template;
 
     m_protocolName = m_isAwg ? config_key::awg : config_key::wireguard;
@@ -63,9 +68,31 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::genClientKeys()
     return connData;
 }
 
+QList<QHostAddress> WireguardConfigurator::getIpsFromConf(const QString &input)
+{
+    QRegularExpression regex("AllowedIPs = (\\d+\\.\\d+\\.\\d+\\.\\d+)");
+    QRegularExpressionMatchIterator matchIterator = regex.globalMatch(input);
+
+    QList<QHostAddress> ips;
+
+    while (matchIterator.hasNext()) {
+        QRegularExpressionMatch match = matchIterator.next();
+        const QString address_string { match.captured(1) };
+        const QHostAddress address { address_string };
+        if (address.isNull()) {
+            qWarning() << "Couldn't recognize the ip address: " << address_string;
+        } else {
+            ips << address;
+        }
+    }
+
+    return ips;
+}
+
 WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardConfig(const ServerCredentials &credentials,
                                                                                     DockerContainer container,
-                                                                                    const QJsonObject &containerConfig, ErrorCode &errorCode)
+                                                                                    const QJsonObject &containerConfig,
+                                                                                    ErrorCode &errorCode)
 {
     WireguardConfigurator::ConnectionData connData = WireguardConfigurator::genClientKeys();
     connData.host = credentials.hostName;
@@ -76,65 +103,45 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon
         return connData;
     }
 
-    // Get list of already created clients (only IP addresses)
-    QString nextIpNumber;
-    {
-        QString script = QString("cat %1 | grep AllowedIPs").arg(m_serverConfigPath);
-        QString stdOut;
-        auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-            stdOut += data + "\n";
-            return ErrorCode::NoError;
-        };
+    QString getIpsScript = QString("cat %1 | grep AllowedIPs").arg(m_serverConfigPath);
+    QString stdOut;
+    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
+        stdOut += data + "\n";
+        return ErrorCode::NoError;
+    };
 
-        errorCode = m_serverController->runContainerScript(credentials, container, script, cbReadStdOut);
-        if (errorCode != ErrorCode::NoError) {
-            return connData;
-        }
+    errorCode = m_serverController->runContainerScript(credentials, container, getIpsScript, cbReadStdOut);
+    if (errorCode != ErrorCode::NoError) {
+        return connData;
+    }
+    auto ips = getIpsFromConf(stdOut);
 
-        stdOut.replace("AllowedIPs = ", "");
-        stdOut.replace("/32", "");
-        QStringList ips = stdOut.split("\n", Qt::SkipEmptyParts);
-
-        // remove extra IPs from each line for case when user manually edited the wg0.conf
-        // and added there more IPs for route his itnernal networks, like:
-        //     ...
-        //     AllowedIPs = 10.8.1.6/32, 192.168.1.0/24, 192.168.2.0/24, ...
-        //     ...
-        // without this code - next IP would be 1 if last item in 'ips' has format above
-        QStringList vpnIps;
-        for (const auto &ip : ips) {
-          vpnIps.append(ip.split(",", Qt::SkipEmptyParts).first().trimmed());
-        }
-        ips = vpnIps;
-
-        // Calc next IP address
-        if (ips.isEmpty()) {
-            nextIpNumber = "2";
+    QHostAddress nextIp = [&] {
+        QHostAddress result;
+        QHostAddress lastIp;
+        if (ips.empty()) {
+            lastIp.setAddress(containerConfig.value(m_protocolName)
+                                      .toObject()
+                                      .value(config_key::subnet_address)
+                                      .toString(protocols::wireguard::defaultSubnetAddress));
         } else {
-            int next = ips.last().split(".").last().toInt() + 1;
-            if (next > 254) {
-                errorCode = ErrorCode::AddressPoolError;
-                return connData;
-            }
-            nextIpNumber = QString::number(next);
+            lastIp = ips.last();
         }
-    }
-
-    QString subnetIp = containerConfig.value(m_protocolName).toObject().value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress);
-    {
-        QStringList l = subnetIp.split(".", Qt::SkipEmptyParts);
-        if (l.isEmpty()) {
-            errorCode = ErrorCode::AddressPoolError;
-            return connData;
+        quint8 lastOctet = static_cast<quint8>(lastIp.toIPv4Address());
+        switch (lastOctet) {
+        case 254: result.setAddress(lastIp.toIPv4Address() + 3); break;
+        case 255: result.setAddress(lastIp.toIPv4Address() + 2); break;
+        default: result.setAddress(lastIp.toIPv4Address() + 1); break;
         }
-        l.removeLast();
-        l.append(nextIpNumber);
 
-        connData.clientIP = l.join(".");
-    }
+        return result;
+    }();
+
+    connData.clientIP = nextIp.toString();
 
     // Get keys
-    connData.serverPubKey = m_serverController->getTextFileFromContainer(container, credentials, m_serverPublicKeyPath, errorCode);
+    connData.serverPubKey =
+            m_serverController->getTextFileFromContainer(container, credentials, m_serverPublicKeyPath, errorCode);
     connData.serverPubKey.replace("\n", "");
     if (errorCode != ErrorCode::NoError) {
         return connData;
@@ -161,10 +168,12 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon
         return connData;
     }
 
-    QString script = QString("sudo docker exec -i $CONTAINER_NAME bash -c 'wg syncconf wg0 <(wg-quick strip %1)'").arg(m_serverConfigPath);
+    QString script = QString("sudo docker exec -i $CONTAINER_NAME bash -c 'wg syncconf wg0 <(wg-quick strip %1)'")
+                             .arg(m_serverConfigPath);
 
     errorCode = m_serverController->runScript(
-            credentials, m_serverController->replaceVars(script, m_serverController->genVarsForScript(credentials, container)));
+            credentials,
+            m_serverController->replaceVars(script, m_serverController->genVarsForScript(credentials, container)));
 
     return connData;
 }
@@ -173,8 +182,8 @@ QString WireguardConfigurator::createConfig(const ServerCredentials &credentials
                                             const QJsonObject &containerConfig, ErrorCode &errorCode)
 {
     QString scriptData = amnezia::scriptData(m_configTemplate, container);
-    QString config =
-            m_serverController->replaceVars(scriptData, m_serverController->genVarsForScript(credentials, container, containerConfig));
+    QString config = m_serverController->replaceVars(
+            scriptData, m_serverController->genVarsForScript(credentials, container, containerConfig));
 
     ConnectionData connData = prepareWireguardConfig(credentials, container, containerConfig, errorCode);
     if (errorCode != ErrorCode::NoError) {
@@ -208,16 +217,16 @@ QString WireguardConfigurator::createConfig(const ServerCredentials &credentials
     return QJsonDocument(jConfig).toJson();
 }
 
-QString WireguardConfigurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                              QString &protocolConfigString)
+QString WireguardConfigurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns,
+                                                              const bool isApiConfig, QString &protocolConfigString)
 {
     processConfigWithDnsSettings(dns, protocolConfigString);
 
     return protocolConfigString;
 }
 
-QString WireguardConfigurator::processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                               QString &protocolConfigString)
+QString WireguardConfigurator::processConfigWithExportSettings(const QPair<QString, QString> &dns,
+                                                               const bool isApiConfig, QString &protocolConfigString)
 {
     processConfigWithDnsSettings(dns, protocolConfigString);
 

client/configurators/wireguard_configurator.h

@@ -1,6 +1,7 @@
 #ifndef WIREGUARD_CONFIGURATOR_H
 #define WIREGUARD_CONFIGURATOR_H
 
+#include <QHostAddress>
 #include <QObject>
 #include <QProcessEnvironment>
 
@@ -12,8 +13,8 @@ class WireguardConfigurator : public ConfiguratorBase
 {
     Q_OBJECT
 public:
-    WireguardConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, bool isAwg,
-                          QObject *parent = nullptr);
+    WireguardConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
+                          bool isAwg, QObject *parent = nullptr);
 
     struct ConnectionData
     {
@@ -26,15 +27,18 @@ public:
         QString port;
     };
 
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                         ErrorCode &errorCode);
+    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
+                         const QJsonObject &containerConfig, ErrorCode &errorCode);
 
-    QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig, QString &protocolConfigString);
-    QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig, QString &protocolConfigString);
+    QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
+                                           QString &protocolConfigString);
+    QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
+                                            QString &protocolConfigString);
 
     static ConnectionData genClientKeys();
 
 private:
+    QList<QHostAddress> getIpsFromConf(const QString &input);
     ConnectionData prepareWireguardConfig(const ServerCredentials &credentials, DockerContainer container,
                                           const QJsonObject &containerConfig, ErrorCode &errorCode);
 

client/core/api/apiDefs.h

@@ -10,7 +10,8 @@ namespace apiDefs
         AmneziaFreeV3,
         AmneziaPremiumV1,
         AmneziaPremiumV2,
-        SelfHosted
+        SelfHosted,
+        ExternalPremium
     };
 
     enum ConfigSource {
@@ -43,6 +44,13 @@ namespace apiDefs
         constexpr QLatin1String maxDeviceCount("max_device_count");
         constexpr QLatin1String subscriptionEndDate("subscription_end_date");
         constexpr QLatin1String issuedConfigs("issued_configs");
+
+        constexpr QLatin1String supportInfo("support_info");
+        constexpr QLatin1String email("email");
+        constexpr QLatin1String billingEmail("billing_email");
+        constexpr QLatin1String website("website");
+        constexpr QLatin1String websiteName("website_name");
+        constexpr QLatin1String telegram("telegram");
     }
 
     const int requestTimeoutMsecs = 12 * 1000; // 12 secs

client/core/api/apiUtils.cpp

@@ -32,15 +32,17 @@ apiDefs::ConfigType apiUtils::getConfigType(const QJsonObject &serverConfigObjec
 
         constexpr QLatin1String servicePremium("amnezia-premium");
         constexpr QLatin1String serviceFree("amnezia-free");
+        constexpr QLatin1String serviceExternalPremium("external-premium");
 
         auto apiConfigObject = serverConfigObject.value(apiDefs::key::apiConfig).toObject();
-        auto stackType = apiConfigObject.value(apiDefs::key::stackType).toString();
         auto serviceType = apiConfigObject.value(apiDefs::key::serviceType).toString();
 
-        if (serviceType == servicePremium || stackType == stackPremium) {
+        if (serviceType == servicePremium) {
             return apiDefs::ConfigType::AmneziaPremiumV2;
-        } else if (serviceType == serviceFree || stackType == stackFree) {
+        } else if (serviceType == serviceFree) {
             return apiDefs::ConfigType::AmneziaFreeV3;
+        } else if (serviceType == serviceExternalPremium) {
+            return apiDefs::ConfigType::ExternalPremium;
         }
     }
     default: {
@@ -66,6 +68,7 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
         return amnezia::ErrorCode::NoError;
     } else if (reply->error() == QNetworkReply::NetworkError::OperationCanceledError
                || reply->error() == QNetworkReply::NetworkError::TimeoutError) {
+        qDebug() << reply->error();
         return amnezia::ErrorCode::ApiConfigTimeoutError;
     } else {
         QString err = reply->errorString();
@@ -85,3 +88,10 @@ amnezia::ErrorCode apiUtils::checkNetworkReplyErrors(const QList<QSslError> &ssl
     qDebug() << "something went wrong";
     return amnezia::ErrorCode::InternalError;
 }
+
+bool apiUtils::isPremiumServer(const QJsonObject &serverConfigObject)
+{
+    static const QSet<apiDefs::ConfigType> premiumTypes = { apiDefs::ConfigType::AmneziaPremiumV1, apiDefs::ConfigType::AmneziaPremiumV2,
+                                                            apiDefs::ConfigType::ExternalPremium };
+    return premiumTypes.contains(getConfigType(serverConfigObject));
+}

client/core/api/apiUtils.h

@@ -13,6 +13,8 @@ namespace apiUtils
 
     bool isSubscriptionExpired(const QString &subscriptionEndDate);
 
+    bool isPremiumServer(const QJsonObject &serverConfigObject);
+
     apiDefs::ConfigType getConfigType(const QJsonObject &serverConfigObject);
     apiDefs::ConfigSource getConfigSource(const QJsonObject &serverConfigObject);
 

client/core/controllers/coreController.cpp

@@ -1,5 +1,6 @@
 #include "coreController.h"
 
+#include <QDirIterator>
 #include <QTranslator>
 
 #if defined(Q_OS_ANDROID)
@@ -20,6 +21,9 @@ CoreController::CoreController(const QSharedPointer<VpnConnection> &vpnConnectio
     initControllers();
     initSignalHandlers();
 
+    initAndroidController();
+    initAppleController();
+
     initNotificationHandler();
 
     auto locale = m_settings->getAppLanguage();
@@ -44,6 +48,9 @@ void CoreController::initModels()
     m_sitesModel.reset(new SitesModel(m_settings, this));
     m_engine->rootContext()->setContextProperty("SitesModel", m_sitesModel.get());
 
+    m_allowedDnsModel.reset(new AllowedDnsModel(m_settings, this));
+    m_engine->rootContext()->setContextProperty("AllowedDnsModel", m_allowedDnsModel.get());
+
     m_appSplitTunnelingModel.reset(new AppSplitTunnelingModel(m_settings, this));
     m_engine->rootContext()->setContextProperty("AppSplitTunnelingModel", m_appSplitTunnelingModel.get());
 
@@ -90,6 +97,9 @@ void CoreController::initModels()
 
     m_apiAccountInfoModel.reset(new ApiAccountInfoModel(this));
     m_engine->rootContext()->setContextProperty("ApiAccountInfoModel", m_apiAccountInfoModel.get());
+
+    m_apiDevicesModel.reset(new ApiDevicesModel(m_settings, this));
+    m_engine->rootContext()->setContextProperty("ApiDevicesModel", m_apiDevicesModel.get());
 }
 
 void CoreController::initControllers()
@@ -123,13 +133,17 @@ void CoreController::initControllers()
     m_sitesController.reset(new SitesController(m_settings, m_vpnConnection, m_sitesModel));
     m_engine->rootContext()->setContextProperty("SitesController", m_sitesController.get());
 
+    m_allowedDnsController.reset(new AllowedDnsController(m_settings, m_allowedDnsModel));
+    m_engine->rootContext()->setContextProperty("AllowedDnsController", m_allowedDnsController.get());
+
     m_appSplitTunnelingController.reset(new AppSplitTunnelingController(m_settings, m_appSplitTunnelingModel));
     m_engine->rootContext()->setContextProperty("AppSplitTunnelingController", m_appSplitTunnelingController.get());
 
     m_systemController.reset(new SystemController(m_settings));
     m_engine->rootContext()->setContextProperty("SystemController", m_systemController.get());
 
-    m_apiSettingsController.reset(new ApiSettingsController(m_serversModel, m_apiAccountInfoModel, m_apiCountryModel, m_settings));
+    m_apiSettingsController.reset(
+            new ApiSettingsController(m_serversModel, m_apiAccountInfoModel, m_apiCountryModel, m_apiDevicesModel, m_settings));
     m_engine->rootContext()->setContextProperty("ApiSettingsController", m_apiSettingsController.get());
 
     m_apiConfigsController.reset(new ApiConfigsController(m_serversModel, m_apiServicesModel, m_settings));
@@ -206,6 +220,7 @@ void CoreController::initSignalHandlers()
     initAutoConnectHandler();
     initAmneziaDnsToggledHandler();
     initPrepareConfigHandler();
+    initStrictKillSwitchHandler();
 }
 
 void CoreController::initNotificationHandler()
@@ -231,7 +246,23 @@ void CoreController::updateTranslator(const QLocale &locale)
         QCoreApplication::removeTranslator(m_translator.get());
     }
 
-    QString strFileName = QString(":/translations/amneziavpn") + QLatin1String("_") + locale.name() + ".qm";
+    QStringList availableTranslations;
+    QDirIterator it(":/translations", QStringList("amneziavpn_*.qm"), QDir::Files);
+    while (it.hasNext()) {
+        availableTranslations << it.next();
+    }
+
+    // This code allow to load translation for the language only, without country code
+    const QString lang = locale.name().split("_").first();
+    const QString translationFilePrefix = QString(":/translations/amneziavpn_") + lang;
+    QString strFileName = QString(":/translations/amneziavpn_%1.qm").arg(locale.name());
+    for (const QString &translation : availableTranslations) {
+        if (translation.contains(translationFilePrefix)) {
+            strFileName = translation;
+            break;
+        }
+    }
+
     if (m_translator->load(strFileName)) {
         if (QCoreApplication::installTranslator(m_translator.get())) {
             m_settings->setAppLanguage(locale);
@@ -332,6 +363,12 @@ void CoreController::initPrepareConfigHandler()
     });
 }
 
+void CoreController::initStrictKillSwitchHandler()
+{
+    connect(m_settingsController.get(), &SettingsController::strictKillSwitchEnabledChanged, 
+            m_vpnConnection.get(), &VpnConnection::onKillSwitchModeChanged);
+}
+
 QSharedPointer<PageController> CoreController::pageController() const
 {
     return m_pageController;

client/core/controllers/coreController.h

@@ -8,6 +8,7 @@
 #include "ui/controllers/api/apiConfigsController.h"
 #include "ui/controllers/api/apiSettingsController.h"
 #include "ui/controllers/appSplitTunnelingController.h"
+#include "ui/controllers/allowedDnsController.h"
 #include "ui/controllers/connectionController.h"
 #include "ui/controllers/exportController.h"
 #include "ui/controllers/focusController.h"
@@ -18,6 +19,7 @@
 #include "ui/controllers/sitesController.h"
 #include "ui/controllers/systemController.h"
 
+#include "ui/models/allowed_dns_model.h"
 #include "ui/models/containers_model.h"
 #include "ui/models/languageModel.h"
 #include "ui/models/protocols/cloakConfigModel.h"
@@ -25,8 +27,9 @@
     #include "ui/models/protocols/ikev2ConfigModel.h"
 #endif
 #include "ui/models/api/apiAccountInfoModel.h"
-#include "ui/models/api/apiServicesModel.h"
 #include "ui/models/api/apiCountryModel.h"
+#include "ui/models/api/apiDevicesModel.h"
+#include "ui/models/api/apiServicesModel.h"
 #include "ui/models/appSplitTunnelingModel.h"
 #include "ui/models/clientManagementModel.h"
 #include "ui/models/protocols/awgConfigModel.h"
@@ -79,6 +82,7 @@ private:
     void initAutoConnectHandler();
     void initAmneziaDnsToggledHandler();
     void initPrepareConfigHandler();
+    void initStrictKillSwitchHandler();
 
     QQmlApplicationEngine *m_engine {}; // TODO use parent child system here?
     std::shared_ptr<Settings> m_settings;
@@ -101,6 +105,7 @@ private:
     QScopedPointer<SitesController> m_sitesController;
     QScopedPointer<SystemController> m_systemController;
     QScopedPointer<AppSplitTunnelingController> m_appSplitTunnelingController;
+    QScopedPointer<AllowedDnsController> m_allowedDnsController;
 
     QScopedPointer<ApiSettingsController> m_apiSettingsController;
     QScopedPointer<ApiConfigsController> m_apiConfigsController;
@@ -111,12 +116,14 @@ private:
     QSharedPointer<LanguageModel> m_languageModel;
     QSharedPointer<ProtocolsModel> m_protocolsModel;
     QSharedPointer<SitesModel> m_sitesModel;
+    QSharedPointer<AllowedDnsModel> m_allowedDnsModel;
     QSharedPointer<AppSplitTunnelingModel> m_appSplitTunnelingModel;
     QSharedPointer<ClientManagementModel> m_clientManagementModel;
 
     QSharedPointer<ApiServicesModel> m_apiServicesModel;
     QSharedPointer<ApiCountryModel> m_apiCountryModel;
     QSharedPointer<ApiAccountInfoModel> m_apiAccountInfoModel;
+    QSharedPointer<ApiDevicesModel> m_apiDevicesModel;
 
     QScopedPointer<OpenVpnConfigModel> m_openVpnConfigModel;
     QScopedPointer<ShadowSocksConfigModel> m_shadowSocksConfigModel;

client/core/controllers/gatewayController.cpp

@@ -7,6 +7,7 @@
 #include <QJsonDocument>
 #include <QJsonObject>
 #include <QNetworkReply>
+#include <QUrl>
 
 #include "QBlockCipher.h"
 #include "QRsa.h"
@@ -14,6 +15,11 @@
 #include "amnezia_application.h"
 #include "core/api/apiUtils.h"
 #include "utilities.h"
+#include "core/networkUtilities.h"
+
+#ifdef AMNEZIA_DESKTOP
+    #include "core/ipcclient.h"
+#endif
 
 namespace
 {
@@ -26,6 +32,10 @@ namespace
         constexpr char apiPayload[] = "api_payload";
         constexpr char keyPayload[] = "key_payload";
     }
+
+    constexpr QLatin1String errorResponsePattern1("No active configuration found for");
+    constexpr QLatin1String errorResponsePattern2("No non-revoked public key found for");
+    constexpr QLatin1String errorResponsePattern3("Account not found.");
 }
 
 GatewayController::GatewayController(const QString &gatewayEndpoint, bool isDevEnvironment, int requestTimeoutMsecs, QObject *parent)
@@ -46,6 +56,17 @@ ErrorCode GatewayController::get(const QString &endpoint, QByteArray &responseBo
 
     request.setUrl(QString(endpoint).arg(m_gatewayEndpoint));
 
+    // bypass killSwitch exceptions for API-gateway
+#ifdef AMNEZIA_DESKTOP
+    {
+        QString host = QUrl(request.url()).host();
+        QString ip = NetworkUtilities::getIPAddress(host);
+        if (!ip.isEmpty()) {
+            IpcClient::Interface()->addKillSwitchAllowedRange(QStringList{ip});
+        }
+    }
+#endif
+
     QNetworkReply *reply;
     reply = amnApp->networkManager()->get(request);
 
@@ -97,6 +118,17 @@ ErrorCode GatewayController::post(const QString &endpoint, const QJsonObject api
 
     request.setUrl(endpoint.arg(m_gatewayEndpoint));
 
+    // bypass killSwitch exceptions for API-gateway
+#ifdef AMNEZIA_DESKTOP
+    {
+        QString host = QUrl(request.url()).host();
+        QString ip = NetworkUtilities::getIPAddress(host);
+        if (!ip.isEmpty()) {
+            IpcClient::Interface()->addKillSwitchAllowedRange(QStringList{ip});
+        }
+    }
+#endif
+
     QSimpleCrypto::QBlockCipher blockCipher;
     QByteArray key = blockCipher.generatePrivateSalt(32);
     QByteArray iv = blockCipher.generatePrivateSalt(32);
@@ -148,7 +180,7 @@ ErrorCode GatewayController::post(const QString &endpoint, const QJsonObject api
 
     QByteArray encryptedResponseBody = reply->readAll();
 
-    if (sslErrors.isEmpty() && shouldBypassProxy(reply, encryptedResponseBody, false)) {
+    if (sslErrors.isEmpty() && shouldBypassProxy(reply, encryptedResponseBody, true, key, iv, salt)) {
         auto requestFunction = [&request, &encryptedResponseBody, &requestBody](const QString &url) {
             request.setUrl(url);
             return amnApp->networkManager()->post(request, QJsonDocument(requestBody).toJson());
@@ -157,12 +189,12 @@ ErrorCode GatewayController::post(const QString &endpoint, const QJsonObject api
         auto replyProcessingFunction = [&encryptedResponseBody, &reply, &sslErrors, &key, &iv, &salt,
                                         this](QNetworkReply *nestedReply, const QList<QSslError> &nestedSslErrors) {
             encryptedResponseBody = nestedReply->readAll();
-            if (!sslErrors.isEmpty() || !shouldBypassProxy(nestedReply, encryptedResponseBody, true, key, iv, salt)) {
+            reply = nestedReply;
+            if (!sslErrors.isEmpty() || shouldBypassProxy(nestedReply, encryptedResponseBody, true, key, iv, salt)) {
                 sslErrors = nestedSslErrors;
-                reply = nestedReply;
-                return true;
+                return false;
             }
-            return false;
+            return true;
         };
 
         bypassProxy(endpoint, reply, requestFunction, replyProcessingFunction);
@@ -194,16 +226,16 @@ QStringList GatewayController::getProxyUrls()
     QList<QSslError> sslErrors;
     QNetworkReply *reply;
 
-    QStringList proxyStorageUrl;
+    QStringList proxyStorageUrls;
     if (m_isDevEnvironment) {
-        proxyStorageUrl = QStringList { DEV_S3_ENDPOINT };
+        proxyStorageUrls = QString(DEV_S3_ENDPOINT).split(", ");
     } else {
-        proxyStorageUrl = QStringList { PROD_S3_ENDPOINT };
+        proxyStorageUrls = QString(PROD_S3_ENDPOINT).split(", ");
     }
 
     QByteArray key = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
 
-    for (const auto &proxyStorageUrl : proxyStorageUrl) {
+    for (const auto &proxyStorageUrl : proxyStorageUrls) {
         request.setUrl(proxyStorageUrl);
         reply = amnApp->networkManager()->get(request);
 
@@ -212,62 +244,77 @@ QStringList GatewayController::getProxyUrls()
         wait.exec();
 
         if (reply->error() == QNetworkReply::NetworkError::NoError) {
-            break;
-        }
-        reply->deleteLater();
-    }
+            auto encryptedResponseBody = reply->readAll();
+            reply->deleteLater();
 
-    auto encryptedResponseBody = reply->readAll();
-    reply->deleteLater();
+            EVP_PKEY *privateKey = nullptr;
+            QByteArray responseBody;
+            try {
+                if (!m_isDevEnvironment) {
+                    QCryptographicHash hash(QCryptographicHash::Sha512);
+                    hash.addData(key);
+                    QByteArray hashResult = hash.result().toHex();
 
-    EVP_PKEY *privateKey = nullptr;
-    QByteArray responseBody;
-    try {
-        if (!m_isDevEnvironment) {
-            QCryptographicHash hash(QCryptographicHash::Sha512);
-            hash.addData(key);
-            QByteArray hashResult = hash.result().toHex();
+                    QByteArray key = QByteArray::fromHex(hashResult.left(64));
+                    QByteArray iv = QByteArray::fromHex(hashResult.mid(64, 32));
 
-            QByteArray key = QByteArray::fromHex(hashResult.left(64));
-            QByteArray iv = QByteArray::fromHex(hashResult.mid(64, 32));
+                    QByteArray ba = QByteArray::fromBase64(encryptedResponseBody);
 
-            QByteArray ba = QByteArray::fromBase64(encryptedResponseBody);
+                    QSimpleCrypto::QBlockCipher blockCipher;
+                    responseBody = blockCipher.decryptAesBlockCipher(ba, key, iv);
+                } else {
+                    responseBody = encryptedResponseBody;
+                }
+            } catch (...) {
+                Utils::logException();
+                qCritical() << "error loading private key from environment variables or decrypting payload" << encryptedResponseBody;
+                continue;
+            }
 
-            QSimpleCrypto::QBlockCipher blockCipher;
-            responseBody = blockCipher.decryptAesBlockCipher(ba, key, iv);
+            auto endpointsArray = QJsonDocument::fromJson(responseBody).array();
+
+            QStringList endpoints;
+            for (const auto &endpoint : endpointsArray) {
+                endpoints.push_back(endpoint.toString());
+            }
+            return endpoints;
         } else {
-            responseBody = encryptedResponseBody;
+            apiUtils::checkNetworkReplyErrors(sslErrors, reply);
+            qDebug() << "go to the next storage endpoint";
+
+            reply->deleteLater();
         }
-    } catch (...) {
-        Utils::logException();
-        qCritical() << "error loading private key from environment variables or decrypting payload" << encryptedResponseBody;
-        return {};
     }
-
-    auto endpointsArray = QJsonDocument::fromJson(responseBody).array();
-
-    QStringList endpoints;
-    for (const auto &endpoint : endpointsArray) {
-        endpoints.push_back(endpoint.toString());
-    }
-    return endpoints;
+    return {};
 }
 
 bool GatewayController::shouldBypassProxy(QNetworkReply *reply, const QByteArray &responseBody, bool checkEncryption, const QByteArray &key,
                                           const QByteArray &iv, const QByteArray &salt)
 {
     if (reply->error() == QNetworkReply::NetworkError::OperationCanceledError || reply->error() == QNetworkReply::NetworkError::TimeoutError) {
-        qDebug() << "Timeout occurred";
+        qDebug() << "timeout occurred";
+        qDebug() << reply->error();
         return true;
     } else if (responseBody.contains("html")) {
-        qDebug() << "The response contains an html tag";
+        qDebug() << "the response contains an html tag";
+        return true;
+    } else if (reply->error() == QNetworkReply::NetworkError::ContentNotFoundError) {
+        if (responseBody.contains(errorResponsePattern1) || responseBody.contains(errorResponsePattern2)
+            || responseBody.contains(errorResponsePattern3)) {
+            return false;
+        } else {
+            qDebug() << reply->error();
+            return true;
+        }
+    } else if (reply->error() != QNetworkReply::NetworkError::NoError) {
+        qDebug() << reply->error();
         return true;
     } else if (checkEncryption) {
         try {
             QSimpleCrypto::QBlockCipher blockCipher;
             static_cast<void>(blockCipher.decryptAesBlockCipher(responseBody, key, iv, "", salt));
         } catch (...) {
-            qDebug() << "Failed to decrypt the data";
+            qDebug() << "failed to decrypt the data";
             return true;
         }
     }
@@ -288,7 +335,7 @@ void GatewayController::bypassProxy(const QString &endpoint, QNetworkReply *repl
     QByteArray responseBody;
 
     for (const QString &proxyUrl : proxyUrls) {
-        qDebug() << "Go to the next endpoint";
+        qDebug() << "go to the next proxy endpoint";
         reply->deleteLater(); // delete the previous reply
         reply = requestFunction(endpoint.arg(proxyUrl));
 
@@ -296,7 +343,7 @@ void GatewayController::bypassProxy(const QString &endpoint, QNetworkReply *repl
         connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
         wait.exec();
 
-        if (!replyProcessingFunction(reply, sslErrors)) {
+        if (replyProcessingFunction(reply, sslErrors)) {
             break;
         }
     }

client/core/controllers/serverController.cpp

@@ -439,15 +439,22 @@ ErrorCode ServerController::buildContainerWorker(const ServerCredentials &creden
         stdOut += data + "\n";
         return ErrorCode::NoError;
     };
+    auto cbReadStdErr = [&](const QString &data, libssh::Client &) {
+        stdOut += data + "\n";
+        return ErrorCode::NoError;
+    };
 
-    errorCode =
+    ErrorCode error =
             runScript(credentials,
                       replaceVars(amnezia::scriptData(SharedScriptType::build_container), genVarsForScript(credentials, container, config)),
-                      cbReadStdOut);
-    if (errorCode)
-        return errorCode;
+                      cbReadStdOut, cbReadStdErr);
+    
+    if (stdOut.contains("doesn't work on cgroups v2"))
+        return ErrorCode::ServerDockerOnCgroupsV2;
+    if (stdOut.contains("cgroup mountpoint does not exist"))
+        return ErrorCode::ServerCgroupMountpoint;
 
-    return errorCode;
+    return error;
 }
 
 ErrorCode ServerController::runContainerWorker(const ServerCredentials &credentials, DockerContainer container, QJsonObject &config)
@@ -709,7 +716,7 @@ ErrorCode ServerController::isServerPortBusy(const ServerCredentials &credential
     QString transportProto = containerConfig.value(config_key::transport_proto).toString(defaultTransportProto);
 
     // TODO reimplement with netstat
-    QString script = QString("which lsof &>/dev/null || true && sudo lsof -i -P -n 2>/dev/null | grep -E ':%1 ").arg(port);
+    QString script = QString("which lsof > /dev/null 2>&1 || true && sudo lsof -i -P -n 2>/dev/null | grep -E ':%1 ").arg(port);
     for (auto &port : fixedPorts) {
         script = script.append("|:%1").arg(port);
     }
@@ -757,10 +764,6 @@ ErrorCode ServerController::isServerPortBusy(const ServerCredentials &credential
 
 ErrorCode ServerController::isUserInSudo(const ServerCredentials &credentials, DockerContainer container)
 {
-    if (credentials.userName == "root") {
-        return ErrorCode::NoError;
-    }
-
     QString stdOut;
     auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
         stdOut += data + "\n";
@@ -774,8 +777,16 @@ ErrorCode ServerController::isUserInSudo(const ServerCredentials &credentials, D
     const QString scriptData = amnezia::scriptData(SharedScriptType::check_user_in_sudo);
     ErrorCode error = runScript(credentials, replaceVars(scriptData, genVarsForScript(credentials)), cbReadStdOut, cbReadStdErr);
 
-    if (!stdOut.contains("sudo"))
+    if (credentials.userName != "root" && stdOut.contains("sudo:") && !stdOut.contains("uname:") && stdOut.contains("not found"))
+        return ErrorCode::ServerSudoPackageIsNotPreinstalled;
+    if (credentials.userName != "root" && !stdOut.contains("sudo") && !stdOut.contains("wheel"))
         return ErrorCode::ServerUserNotInSudo;
+    if (stdOut.contains("can't cd to") || stdOut.contains("Permission denied") || stdOut.contains("No such file or directory"))
+        return ErrorCode::ServerUserDirectoryNotAccessible;
+    if (stdOut.contains("sudoers") || stdOut.contains("is not allowed to run sudo on"))
+        return ErrorCode::ServerUserNotAllowedInSudoers;
+    if (stdOut.contains("password is required"))
+        return ErrorCode::ServerUserPasswordRequired;
 
     return error;
 }

client/core/defs.h

@@ -54,6 +54,12 @@ namespace amnezia
         ServerCancelInstallation = 204,
         ServerUserNotInSudo = 205,
         ServerPacketManagerError = 206,
+        ServerSudoPackageIsNotPreinstalled = 207,
+        ServerUserDirectoryNotAccessible = 208,
+        ServerUserNotAllowedInSudoers = 209,
+        ServerUserPasswordRequired = 210,
+        ServerDockerOnCgroupsV2 = 211,
+        ServerCgroupMountpoint = 212,
 
         // Ssh connection errors
         SshRequestDeniedError = 300,

client/core/errorstrings.cpp

@@ -20,8 +20,14 @@ QString errorString(ErrorCode code) {
     case(ErrorCode::ServerContainerMissingError): errorMessage = QObject::tr("Server error: Docker container missing"); break;
     case(ErrorCode::ServerDockerFailedError): errorMessage = QObject::tr("Server error: Docker failed"); break;
     case(ErrorCode::ServerCancelInstallation): errorMessage = QObject::tr("Installation canceled by user"); break;
-    case(ErrorCode::ServerUserNotInSudo): errorMessage = QObject::tr("The user does not have permission to use sudo"); break;
-    case(ErrorCode::ServerPacketManagerError): errorMessage = QObject::tr("Server error: Packet manager error"); break;
+    case(ErrorCode::ServerUserNotInSudo): errorMessage = QObject::tr("The user is not a member of the sudo group"); break;
+    case(ErrorCode::ServerPacketManagerError): errorMessage = QObject::tr("Server error: Package manager error"); break;
+    case(ErrorCode::ServerSudoPackageIsNotPreinstalled): errorMessage = QObject::tr("The sudo package is not pre-installed on the server"); break;
+    case(ErrorCode::ServerUserDirectoryNotAccessible): errorMessage = QObject::tr("The server user's home directory is not accessible"); break;
+    case(ErrorCode::ServerUserNotAllowedInSudoers): errorMessage = QObject::tr("Action not allowed in sudoers"); break;
+    case(ErrorCode::ServerUserPasswordRequired): errorMessage = QObject::tr("The user's password is required"); break;
+    case(ErrorCode::ServerDockerOnCgroupsV2): errorMessage = QObject::tr("Docker error: runc doesn't work on cgroups v2"); break;
+    case(ErrorCode::ServerCgroupMountpoint): errorMessage = QObject::tr("Server error: cgroup mountpoint does not exist"); break;
 
     // Libssh errors
     case(ErrorCode::SshRequestDeniedError): errorMessage = QObject::tr("SSH request was denied"); break;

client/core/networkUtilities.cpp

@@ -12,6 +12,7 @@
     #include <winsock.h>
     #include <QNetworkInterface>
     #include "qendian.h"
+    #include <QSettings>
 #endif
 #ifdef Q_OS_LINUX
     #include <arpa/inet.h>
@@ -185,6 +186,17 @@ int NetworkUtilities::AdapterIndexTo(const QHostAddress& dst) {
     return 0;
 }
 
+bool NetworkUtilities::checkIpv6Enabled() {
+#ifdef Q_OS_WIN
+    QSettings RegHLM("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters",
+                     QSettings::NativeFormat);
+    int ret = RegHLM.value("DisabledComponents", 0).toInt();
+    qDebug() << "Check for Windows disabled IPv6 return " << ret;
+    return (ret != 255);
+#endif
+    return true;
+}
+
 #ifdef Q_OS_WIN
 DWORD GetAdaptersAddressesWrapper(const ULONG Family,
                                   const ULONG Flags,

client/core/networkUtilities.h

@@ -16,6 +16,7 @@ public:
     static QString getStringBetween(const QString &s, const QString &a, const QString &b);
     static bool checkIPv4Format(const QString &ip);
     static bool checkIpSubnetFormat(const QString &ip);
+    static bool checkIpv6Enabled();
     static QString getGatewayAndIface();
     // Returns the Interface Index that could Route to dst
     static int AdapterIndexTo(const QHostAddress& dst);
@@ -29,7 +30,6 @@ public:
 
     static QString netMaskFromIpWithSubnet(const QString ip);
     static QString ipAddressFromIpWithSubnet(const QString ip);
-
     static QStringList summarizeRoutes(const QStringList &ips, const QString cidr);
 };
 

client/daemon/daemon.cpp

@@ -371,6 +371,9 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {
   if (!parseStringList(obj, "vpnDisabledApps", config.m_vpnDisabledApps)) {
     return false;
   }
+  if (!parseStringList(obj, "allowedDnsServers", config.m_allowedDnsServers)) {
+    return false;
+  }
 
   config.m_killSwitchEnabled = QVariant(obj.value("killSwitchOption").toString()).toBool();
 

client/daemon/interfaceconfig.cpp

@@ -48,6 +48,13 @@ QJsonObject InterfaceConfig::toJson() const {
   }
   json.insert("excludedAddresses", jsExcludedAddresses);
 
+
+  QJsonArray jsAllowedDnsServers;
+  for (const QString& i : m_allowedDnsServers) {
+    jsAllowedDnsServers.append(QJsonValue(i));
+  }
+  json.insert("allowedDnsServers", jsAllowedDnsServers);
+
   QJsonArray disabledApps;
   for (const QString& i : m_vpnDisabledApps) {
     disabledApps.append(QJsonValue(i));

client/daemon/interfaceconfig.h

@@ -6,6 +6,7 @@
 #define INTERFACECONFIG_H
 
 #include <QList>
+#include <QMap>
 #include <QString>
 
 #include "ipaddress.h"
@@ -37,6 +38,7 @@ class InterfaceConfig {
   QList<IPAddress> m_allowedIPAddressRanges;
   QStringList m_excludedAddresses;
   QStringList m_vpnDisabledApps;
+  QStringList m_allowedDnsServers;
   bool m_killSwitchEnabled;
 #if defined(MZ_ANDROID) || defined(MZ_IOS)
   QString m_installationId;

client/images/controls/monitor.svg

@@ -0,0 +1,5 @@
+<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M20 3H4C2.89543 3 2 3.89543 2 5V15C2 16.1046 2.89543 17 4 17H20C21.1046 17 22 16.1046 22 15V5C22 3.89543 21.1046 3 20 3Z" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M8 21H16" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M12 17V21" stroke="#D7D8DB" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

client/mozilla/localsocketcontroller.cpp

@@ -123,6 +123,7 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) {
 
   int appSplitTunnelType = rawConfig.value(amnezia::config_key::appSplitTunnelType).toInt();
   QJsonArray splitTunnelApps = rawConfig.value(amnezia::config_key::splitTunnelApps).toArray();
+  QJsonArray allowedDns = rawConfig.value(amnezia::config_key::allowedDnsServers).toArray();
 
   QJsonObject wgConfig = rawConfig.value(protocolName + "_config_data").toObject();
 
@@ -226,6 +227,8 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) {
 
   json.insert("vpnDisabledApps", splitTunnelApps);
 
+  json.insert("allowedDnsServers", allowedDns);
+
   json.insert(amnezia::config_key::killSwitchOption, rawConfig.value(amnezia::config_key::killSwitchOption));
 
   if (protocolName == amnezia::config_key::awg) {

client/platforms/ios/ScreenProtection.swift

@@ -14,10 +14,15 @@ extension UIApplication {
   var keyWindows: [UIWindow] {
     connectedScenes
       .compactMap {
+        guard let windowScene = $0 as? UIWindowScene else { return nil }
         if #available(iOS 15.0, *) {
-          ($0 as? UIWindowScene)?.keyWindow
+          guard let keywindow = windowScene.keyWindow else {
+            windowScene.windows.first?.makeKey()
+            return windowScene.windows.first
+          }
+          return keywindow
         } else {
-          ($0 as? UIWindowScene)?.windows.first { $0.isKeyWindow }
+          return windowScene.windows.first { $0.isKeyWindow }
         }
       }
   }

client/platforms/linux/daemon/iputilslinux.cpp

@@ -31,7 +31,9 @@ IPUtilsLinux::~IPUtilsLinux() {
 }
 
 bool IPUtilsLinux::addInterfaceIPs(const InterfaceConfig& config) {
-  return addIP4AddressToDevice(config) && addIP6AddressToDevice(config);
+  bool ret = addIP4AddressToDevice(config);
+  addIP6AddressToDevice(config);
+  return ret;
 }
 
 bool IPUtilsLinux::setMTUAndUp(const InterfaceConfig& config) {

client/platforms/linux/daemon/linuxfirewall.cpp

@@ -455,9 +455,6 @@ void LinuxFirewall::updateDNSServers(const QStringList& servers)
 
 void LinuxFirewall::updateAllowNets(const QStringList& servers)
 {
-    static QStringList existingServers {};
-
-    existingServers = servers;
     execute(QStringLiteral("iptables -F %1.110.allowNets").arg(kAnchorName));
     for (const QString& rule : getAllowRule(servers))
         execute(QStringLiteral("iptables -A %1.110.allowNets %2").arg(kAnchorName, rule));

client/platforms/linux/daemon/wireguardutilslinux.cpp

@@ -17,6 +17,8 @@
 #include "leakdetector.h"
 #include "logger.h"
 
+#include "killswitch.h"
+
 constexpr const int WG_TUN_PROC_TIMEOUT = 5000;
 constexpr const char* WG_RUNTIME_DIR = "/var/run/amneziawg";
 
@@ -182,7 +184,7 @@ bool WireguardUtilsLinux::deleteInterface() {
     QFile::remove(wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name"));
 
     // double-check + ensure our firewall is installed and enabled
-    LinuxFirewall::uninstall();
+    KillSwitch::instance()->disableKillSwitch();
     return true;
 }
 

client/platforms/macos/daemon/wireguardutilsmacos.cpp

@@ -16,6 +16,8 @@
 #include "leakdetector.h"
 #include "logger.h"
 
+#include "killswitch.h"
+
 constexpr const int WG_TUN_PROC_TIMEOUT = 5000;
 constexpr const char* WG_RUNTIME_DIR = "/var/run/amneziawg";
 
@@ -180,7 +182,7 @@ bool WireguardUtilsMacos::deleteInterface() {
   QFile::remove(wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name"));
 
   // double-check + ensure our firewall is installed and enabled
-  MacOSFirewall::uninstall();
+  KillSwitch::instance()->disableKillSwitch();
 
   return true;
 }

client/platforms/windows/daemon/windowsfirewall.cpp

@@ -29,6 +29,8 @@
 #include "logger.h"
 #include "platforms/windows/windowsutils.h"
 
+#include "killswitch.h"
+
 #define IPV6_ADDRESS_SIZE 16
 
 // ID for the Firewall Sublayer
@@ -180,16 +182,29 @@ bool WindowsFirewall::enableInterface(int vpnAdapterIndex) {
     }                                                                     \
   }
 
-  logger.info() << "Enabling firewall Using Adapter:" << vpnAdapterIndex;
+  logger.info() << "Enabling Killswitch Using Adapter:" << vpnAdapterIndex;
+  if (vpnAdapterIndex < 0)
+  {
+    IPAddress allv4("0.0.0.0/0");
+    if (!blockTrafficTo(allv4, MED_WEIGHT,
+                        "Block Internet", "killswitch")) {
+        return false;
+    }
+    IPAddress allv6("::/0");
+    if (!blockTrafficTo(allv6, MED_WEIGHT,
+                        "Block Internet", "killswitch")) {
+      return false;
+    }
+  } else
   FW_OK(allowTrafficOfAdapter(vpnAdapterIndex, MED_WEIGHT,
-                              "Allow usage of VPN Adapter"));
+                                  "Allow usage of VPN Adapter"));
   FW_OK(allowDHCPTraffic(MED_WEIGHT, "Allow DHCP Traffic"));
-  FW_OK(allowHyperVTraffic(MED_WEIGHT, "Allow Hyper-V Traffic"));
+  FW_OK(allowHyperVTraffic(MAX_WEIGHT, "Allow Hyper-V Traffic"));
   FW_OK(allowTrafficForAppOnAll(getCurrentPath(), MAX_WEIGHT,
                                 "Allow all for AmneziaVPN.exe"));
   FW_OK(blockTrafficOnPort(53, MED_WEIGHT, "Block all DNS"));
-  FW_OK(
-      allowLoopbackTraffic(MED_WEIGHT, "Allow Loopback traffic on device %1"));
+  FW_OK(allowLoopbackTraffic(MED_WEIGHT,
+                             "Allow Loopback traffic on device %1"));
 
   logger.debug() << "Killswitch on! Rules:" << m_activeRules.length();
   return true;
@@ -226,6 +241,37 @@ bool WindowsFirewall::enableLanBypass(const QList<IPAddress>& ranges) {
   return true;
 }
 
+// Allow unprotected traffic sent to the following address ranges.
+bool WindowsFirewall::allowTrafficRange(const QStringList& ranges) {
+  // Start the firewall transaction
+  auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
+  if (result != ERROR_SUCCESS) {
+    disableKillSwitch();
+    return false;
+  }
+  auto cleanup = qScopeGuard([&] {
+      FwpmTransactionAbort0(m_sessionHandle);
+      disableKillSwitch();
+  });
+
+  for (const QString& addr : ranges) {
+    logger.debug() << "Allow killswitch exclude: " << addr;
+    if (!allowTrafficTo(QHostAddress(addr), LOW_WEIGHT + 1, "Allow killswitch bypass traffic")) {
+      return false;
+    }
+  }
+
+  result = FwpmTransactionCommit0(m_sessionHandle);
+  if (result != ERROR_SUCCESS) {
+    logger.error() << "FwpmTransactionCommit0 failed with error:" << result;
+    return false;
+  }
+
+  cleanup.dismiss();
+  return true;
+}
+
+
 bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
   // Start the firewall transaction
   auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
@@ -262,12 +308,20 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
     }
   }
 
+  for (const QString& dns : config.m_allowedDnsServers) {
+    logger.debug() << "Allow DNS: " << dns;
+    if (!allowTrafficTo(QHostAddress(dns), 53, HIGH_WEIGHT,
+                        "Allow DNS-Server", config.m_serverPublicKey)) {
+      return false;
+    }
+  }
+
   if (!config.m_excludedAddresses.empty()) {
     for (const QString& i : config.m_excludedAddresses) {
       logger.debug() << "excludedAddresses range: " << i;
 
       if (!allowTrafficTo(i, HIGH_WEIGHT,
-                               "Allow Ecxlude route", config.m_serverPublicKey)) {
+                          "Allow Ecxlude route", config.m_serverPublicKey)) {
         return false;
       }
     }
@@ -313,37 +367,41 @@ bool WindowsFirewall::disablePeerTraffic(const QString& pubkey) {
 }
 
 bool WindowsFirewall::disableKillSwitch() {
-  auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
-  auto cleanup = qScopeGuard([&] {
+  return KillSwitch::instance()->disableKillSwitch();
+}
+
+bool WindowsFirewall::allowAllTraffic() {
+    auto result = FwpmTransactionBegin(m_sessionHandle, NULL);
+    auto cleanup = qScopeGuard([&] {
+        if (result != ERROR_SUCCESS) {
+            FwpmTransactionAbort0(m_sessionHandle);
+        }
+    });
     if (result != ERROR_SUCCESS) {
-      FwpmTransactionAbort0(m_sessionHandle);
+      logger.error() << "FwpmTransactionBegin0 failed. Return value:.\n"
+                     << result;
+      return false;
     }
-  });
-  if (result != ERROR_SUCCESS) {
-    logger.error() << "FwpmTransactionBegin0 failed. Return value:.\n"
-                   << result;
-    return false;
-  }
 
-  for (const auto& filterID : m_peerRules.values()) {
-    FwpmFilterDeleteById0(m_sessionHandle, filterID);
-  }
+    for (const auto& filterID : m_peerRules.values()) {
+      FwpmFilterDeleteById0(m_sessionHandle, filterID);
+    }
 
-  for (const auto& filterID : qAsConst(m_activeRules)) {
-    FwpmFilterDeleteById0(m_sessionHandle, filterID);
-  }
+    for (const auto& filterID : qAsConst(m_activeRules)) {
+      FwpmFilterDeleteById0(m_sessionHandle, filterID);
+    }
 
-  // Commit!
-  result = FwpmTransactionCommit0(m_sessionHandle);
-  if (result != ERROR_SUCCESS) {
-    logger.error() << "FwpmTransactionCommit0 failed. Return value:.\n"
-                   << result;
-    return false;
-  }
-  m_peerRules.clear();
-  m_activeRules.clear();
-  logger.debug() << "Firewall Disabled!";
-  return true;
+           // Commit!
+    result = FwpmTransactionCommit0(m_sessionHandle);
+    if (result != ERROR_SUCCESS) {
+      logger.error() << "FwpmTransactionCommit0 failed. Return value:.\n"
+                     << result;
+      return false;
+    }
+    m_peerRules.clear();
+    m_activeRules.clear();
+    logger.debug() << "Firewall Disabled!";
+    return true;
 }
 
 bool WindowsFirewall::allowTrafficForAppOnAll(const QString& exePath,

client/platforms/windows/daemon/windowsfirewall.h

@@ -43,6 +43,8 @@ class WindowsFirewall final : public QObject {
   bool enablePeerTraffic(const InterfaceConfig& config);
   bool disablePeerTraffic(const QString& pubkey);
   bool disableKillSwitch();
+  bool allowAllTraffic();
+  bool allowTrafficRange(const QStringList& ranges);
 
  private:
   static bool initSublayer();

client/platforms/windows/daemon/wireguardutilswindows.cpp

@@ -14,8 +14,6 @@
 
 #include "leakdetector.h"
 #include "logger.h"
-#include "platforms/windows/windowscommons.h"
-#include "windowsdaemon.h"
 #include "windowsfirewall.h"
 
 #pragma comment(lib, "iphlpapi.lib")
@@ -269,6 +267,13 @@ bool WireguardUtilsWindows::updateRoutePrefix(const IPAddress& prefix) {
   if (result == ERROR_OBJECT_ALREADY_EXISTS) {
     return true;
   }
+
+  // Case for ipv6 route with disabled ipv6
+  if (prefix.address().protocol() == QAbstractSocket::IPv6Protocol
+      && result == ERROR_NOT_FOUND) {
+    return true;
+  }
+
   if (result != NO_ERROR) {
     logger.error() << "Failed to create route to"
                    << prefix.toString()

client/protocols/openvpnprotocol.cpp

@@ -171,6 +171,11 @@ ErrorCode OpenVpnProtocol::start()
         return lastError();
     }
 
+#if defined(Q_OS_LINUX) || defined(Q_OS_MACOS)
+    IpcClient::Interface()->addKillSwitchAllowedRange(QStringList(NetworkUtilities::getIPAddress(
+            m_configData.value(amnezia::config_key::hostName).toString())));
+#endif
+
     // Detect default gateway
 #ifdef Q_OS_MAC
     QProcess p;

client/protocols/protocols_defs.h

@@ -95,6 +95,8 @@ namespace amnezia
         constexpr char splitTunnelApps[] = "splitTunnelApps";
         constexpr char appSplitTunnelType[] = "appSplitTunnelType";
 
+        constexpr char allowedDnsServers[] = "allowedDnsServers";
+
         constexpr char killSwitchOption[] = "killSwitchOption";
 
         constexpr char crc[] = "crc";

client/resources.qrc

@@ -129,6 +129,7 @@
         <file>ui/qml/Components/SettingsContainersListView.qml</file>
         <file>ui/qml/Components/ShareConnectionDrawer.qml</file>
         <file>ui/qml/Components/TransportProtoSelector.qml</file>
+        <file>ui/qml/Components/AddSitePanel.qml</file>
         <file>ui/qml/Config/GlobalConfig.qml</file>
         <file>ui/qml/Config/qmldir</file>
         <file>ui/qml/Controls2/BackButtonType.qml</file>
@@ -143,7 +144,9 @@
         <file>ui/qml/Controls2/DropDownType.qml</file>
         <file>ui/qml/Controls2/FlickableType.qml</file>
         <file>ui/qml/Controls2/Header2Type.qml</file>
-        <file>ui/qml/Controls2/HeaderType.qml</file>
+        <file>ui/qml/Controls2/BaseHeaderType.qml</file>
+        <file>ui/qml/Controls2/HeaderTypeWithButton.qml</file>
+        <file>ui/qml/Controls2/HeaderTypeWithSwitcher.qml</file>
         <file>ui/qml/Controls2/HorizontalRadioButton.qml</file>
         <file>ui/qml/Controls2/ImageButtonType.qml</file>
         <file>ui/qml/Controls2/LabelWithButtonType.qml</file>
@@ -199,6 +202,8 @@
         <file>ui/qml/Pages2/PageSettingsBackup.qml</file>
         <file>ui/qml/Pages2/PageSettingsConnection.qml</file>
         <file>ui/qml/Pages2/PageSettingsDns.qml</file>
+        <file>ui/qml/Pages2/PageSettingsKillSwitch.qml</file>
+        <file>ui/qml/Pages2/PageSettingsKillSwitchExceptions.qml</file>
         <file>ui/qml/Pages2/PageSettingsLogging.qml</file>
         <file>ui/qml/Pages2/PageSettingsServerData.qml</file>
         <file>ui/qml/Pages2/PageSettingsServerInfo.qml</file>
@@ -229,6 +234,8 @@
         <file>ui/qml/Pages2/PageSettingsApiSupport.qml</file>
         <file>ui/qml/Pages2/PageSettingsApiInstructions.qml</file>
         <file>ui/qml/Pages2/PageSettingsApiNativeConfigs.qml</file>
+        <file>ui/qml/Pages2/PageSettingsApiDevices.qml</file>
+        <file>images/controls/monitor.svg</file>
     </qresource>
     <qresource prefix="/countriesFlags">
         <file>images/flagKit/ZW.svg</file>

client/secure_qsettings.cpp

@@ -1,7 +1,7 @@
 #include "secure_qsettings.h"
 
-#include "QAead.h"
-#include "QBlockCipher.h"
+#include "../client/3rd/QSimpleCrypto/src/include/QAead.h"
+#include "../client/3rd/QSimpleCrypto/src/include/QBlockCipher.h"
 #include "utilities.h"
 #include <QDataStream>
 #include <QDebug>

client/secure_qsettings.h

@@ -6,7 +6,7 @@
 #include <QObject>
 #include <QSettings>
 
-#include "keychain.h"
+#include "../client/3rd/qtkeychain/qtkeychain/keychain.h"
 
 class SecureQSettings : public QObject
 {

client/server_scripts/check_user_in_sudo.sh

@@ -1,2 +1,13 @@
-CUR_USER=$(whoami);\
-groups $CUR_USER
+if which apt-get > /dev/null 2>&1; then pm=$(which apt-get); opt="--version";\
+elif which dnf > /dev/null 2>&1; then pm=$(which dnf); opt="--version";\
+elif which yum > /dev/null 2>&1; then pm=$(which yum); opt="--version";\
+elif which pacman > /dev/null 2>&1; then pm=$(which pacman); opt="--version";\
+else pm="uname"; opt="-a";\
+fi;\
+CUR_USER=$(whoami 2>/dev/null || echo $HOME | sed 's/.*\///');\
+echo $LANG | grep -qE '^(en_US.UTF-8|C.UTF-8|C)$' || export LC_ALL=C;\
+sudo -K;\
+cd ~;\
+if [ "$CUR_USER" = "root" ] || ( groups "$CUR_USER" | grep -E '\<(sudo|wheel)\>' ); then \
+  sudo -nu $CUR_USER $pm $opt > /dev/null; sudo -n $pm $opt > /dev/null;\
+fi

client/server_scripts/prepare_host.sh

@@ -1,4 +1,4 @@
-CUR_USER=$(whoami);\
+CUR_USER=$(whoami 2>/dev/null || echo $HOME | sed 's/.*\///');\
 sudo mkdir -p $DOCKERFILE_FOLDER;\
 sudo chown $CUR_USER $DOCKERFILE_FOLDER;\
 if ! sudo docker network ls | grep -q amnezia-dns-net; then sudo docker network create \

client/settings.cpp

@@ -443,6 +443,16 @@ void Settings::setKillSwitchEnabled(bool enabled)
     setValue("Conf/killSwitchEnabled", enabled);
 }
 
+bool Settings::isStrictKillSwitchEnabled() const
+{
+    return value("Conf/strictKillSwitchEnabled", false).toBool();
+}
+
+void Settings::setStrictKillSwitchEnabled(bool enabled)
+{
+    setValue("Conf/strictKillSwitchEnabled", enabled);
+}
+
 QString Settings::getInstallationUuid(const bool needCreate)
 {
     auto uuid = value("Conf/installationUuid", "").toString();
@@ -548,3 +558,13 @@ void Settings::disableHomeAdLabel()
 {
     setValue("Conf/homeAdLabelVisible", false);
 }
+
+QStringList Settings::allowedDnsServers() const
+{
+    return value("Conf/allowedDnsServers").toStringList();
+}
+
+void Settings::setAllowedDnsServers(const QStringList &servers)
+{
+    setValue("Conf/allowedDnsServers", servers);
+}

client/settings.h

@@ -213,6 +213,10 @@ public:
 
     bool isKillSwitchEnabled() const;
     void setKillSwitchEnabled(bool enabled);
+
+    bool isStrictKillSwitchEnabled() const;
+    void setStrictKillSwitchEnabled(bool enabled);
+
     QString getInstallationUuid(const bool needCreate);
 
     void resetGatewayEndpoint();
@@ -225,6 +229,9 @@ public:
     bool isHomeAdLabelVisible();
     void disableHomeAdLabel();
 
+    QStringList allowedDnsServers() const;
+    void setAllowedDnsServers(const QStringList &servers);
+
 signals:
     void saveLogsChanged(bool enabled);
     void screenshotsEnabledChanged(bool enabled);

client/ui/controllers/allowedDnsController.cpp

@@ -0,0 +1,101 @@
+#include "allowedDnsController.h"
+
+#include <QFile>
+#include <QStandardPaths>
+#include <QJsonDocument>
+#include <QJsonArray>
+#include <QJsonObject>
+
+#include "systemController.h"
+#include "core/networkUtilities.h"
+#include "core/defs.h"
+
+AllowedDnsController::AllowedDnsController(const std::shared_ptr<Settings> &settings,
+                                           const QSharedPointer<AllowedDnsModel> &allowedDnsModel,
+                                           QObject *parent)
+    : QObject(parent), m_settings(settings), m_allowedDnsModel(allowedDnsModel)
+{
+}
+
+void AllowedDnsController::addDns(QString ip)
+{
+    if (ip.isEmpty()) {
+        return;
+    }
+
+    if (!NetworkUtilities::ipAddressRegExp().match(ip).hasMatch()) {
+        emit errorOccurred(tr("The address does not look like a valid IP address"));
+        return;
+    }
+
+    if (m_allowedDnsModel->addDns(ip)) {
+        emit finished(tr("New DNS server added: %1").arg(ip));
+    } else {
+        emit errorOccurred(tr("DNS server already exists: %1").arg(ip));
+    }
+}
+
+void AllowedDnsController::removeDns(int index)
+{
+    auto modelIndex = m_allowedDnsModel->index(index);
+    auto ip = m_allowedDnsModel->data(modelIndex, AllowedDnsModel::Roles::IpRole).toString();
+    m_allowedDnsModel->removeDns(modelIndex);
+
+    emit finished(tr("DNS server removed: %1").arg(ip));
+}
+
+void AllowedDnsController::importDns(const QString &fileName, bool replaceExisting)
+{
+    QByteArray jsonData;
+    if (!SystemController::readFile(fileName, jsonData)) {
+        emit errorOccurred(tr("Can't open file: %1").arg(fileName));
+        return;
+    }
+
+    QJsonDocument jsonDocument = QJsonDocument::fromJson(jsonData);
+    if (jsonDocument.isNull()) {
+        emit errorOccurred(tr("Failed to parse JSON data from file: %1").arg(fileName));
+        return;
+    }
+
+    if (!jsonDocument.isArray()) {
+        emit errorOccurred(tr("The JSON data is not an array in file: %1").arg(fileName));
+        return;
+    }
+
+    auto jsonArray = jsonDocument.array();
+    QStringList dnsServers;
+
+    for (auto jsonValue : jsonArray) {
+        auto ip = jsonValue.toString();
+        
+        if (!NetworkUtilities::ipAddressRegExp().match(ip).hasMatch()) {
+            qDebug() << ip << " is not a valid IP address";
+            continue;
+        }
+        
+        dnsServers.append(ip);
+    }
+
+    m_allowedDnsModel->addDnsList(dnsServers, replaceExisting);
+
+    emit finished(tr("Import completed"));
+}
+
+void AllowedDnsController::exportDns(const QString &fileName)
+{
+    auto dnsServers = m_allowedDnsModel->getCurrentDnsServers();
+
+    QJsonArray jsonArray;
+
+    for (const auto &ip : dnsServers) {
+        jsonArray.append(ip);
+    }
+
+    QJsonDocument jsonDocument(jsonArray);
+    QByteArray jsonData = jsonDocument.toJson();
+
+    SystemController::saveFile(fileName, jsonData);
+
+    emit finished(tr("Export completed"));
+} 

client/ui/controllers/allowedDnsController.h

@@ -0,0 +1,35 @@
+#ifndef ALLOWEDDNSCONTROLLER_H
+#define ALLOWEDDNSCONTROLLER_H
+
+#include <QObject>
+
+#include "settings.h"
+#include "ui/models/allowed_dns_model.h"
+
+class AllowedDnsController : public QObject
+{
+    Q_OBJECT
+public:
+    explicit AllowedDnsController(const std::shared_ptr<Settings> &settings,
+                                  const QSharedPointer<AllowedDnsModel> &allowedDnsModel,
+                                  QObject *parent = nullptr);
+
+public slots:
+    void addDns(QString ip);
+    void removeDns(int index);
+
+    void importDns(const QString &fileName, bool replaceExisting);
+    void exportDns(const QString &fileName);
+
+signals:
+    void errorOccurred(const QString &errorMessage);
+    void finished(const QString &message);
+
+    void saveFile(const QString &fileName, const QString &data);
+
+private:
+    std::shared_ptr<Settings> m_settings;
+    QSharedPointer<AllowedDnsModel> m_allowedDnsModel;
+};
+
+#endif // ALLOWEDDNSCONTROLLER_H 

client/ui/controllers/api/apiConfigsController.cpp

@@ -1,7 +1,7 @@
 #include "apiConfigsController.h"
 
-#include <QEventLoop>
 #include <QClipboard>
+#include <QEventLoop>
 
 #include "amnezia_application.h"
 #include "configurators/wireguard_configurator.h"
@@ -19,7 +19,7 @@ namespace
         constexpr char cloak[] = "cloak";
         constexpr char awg[] = "awg";
 
-        constexpr char apiEdnpoint[] = "api_endpoint";
+        constexpr char apiEndpoint[] = "api_endpoint";
         constexpr char accessToken[] = "api_key";
         constexpr char certificate[] = "certificate";
         constexpr char publicKey[] = "public_key";
@@ -269,54 +269,37 @@ bool ApiConfigsController::updateServiceFromGateway(const int serverIndex, const
 
 bool ApiConfigsController::updateServiceFromTelegram(const int serverIndex)
 {
-    auto serverConfig = m_serversModel->getServerConfig(serverIndex);
-    auto installationUuid = m_settings->getInstallationUuid(true);
-
 #ifdef Q_OS_IOS
     IosController::Instance()->requestInetAccess();
     QThread::msleep(10);
 #endif
 
-    if (serverConfig.value(config_key::configVersion).toInt()) {
-        QNetworkRequest request;
-        request.setTransferTimeout(apiDefs::requestTimeoutMsecs);
-        request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
-        request.setRawHeader("Authorization", "Api-Key " + serverConfig.value(configKey::accessToken).toString().toUtf8());
-        QString endpoint = serverConfig.value(configKey::apiEdnpoint).toString();
-        request.setUrl(endpoint);
+    GatewayController gatewayController(m_settings->getGatewayEndpoint(), m_settings->isDevGatewayEnv(), apiDefs::requestTimeoutMsecs);
 
-        QString protocol = serverConfig.value(configKey::protocol).toString();
+    auto serverConfig = m_serversModel->getServerConfig(serverIndex);
+    auto installationUuid = m_settings->getInstallationUuid(true);
 
-        ApiPayloadData apiPayloadData = generateApiPayloadData(protocol);
+    QString serviceProtocol = serverConfig.value(configKey::protocol).toString();
+    ApiPayloadData apiPayloadData = generateApiPayloadData(serviceProtocol);
 
-        QJsonObject apiPayload = fillApiPayload(protocol, apiPayloadData);
-        apiPayload[configKey::uuid] = installationUuid;
+    QJsonObject apiPayload = fillApiPayload(serviceProtocol, apiPayloadData);
+    apiPayload[configKey::uuid] = installationUuid;
+    apiPayload[configKey::accessToken] = serverConfig.value(configKey::accessToken).toString();
+    apiPayload[configKey::apiEndpoint] = serverConfig.value(configKey::apiEndpoint).toString();
 
-        QByteArray requestBody = QJsonDocument(apiPayload).toJson();
+    QByteArray responseBody;
+    ErrorCode errorCode = gatewayController.post(QString("%1v1/proxy_config"), apiPayload, responseBody);
 
-        QNetworkReply *reply = amnApp->networkManager()->post(request, requestBody);
+    if (errorCode == ErrorCode::NoError) {
+        fillServerConfig(serviceProtocol, apiPayloadData, responseBody, serverConfig);
 
-        QEventLoop wait;
-        connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
-
-        QList<QSslError> sslErrors;
-        connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
-        wait.exec();
-
-        auto errorCode = apiUtils::checkNetworkReplyErrors(sslErrors, reply);
-        if (errorCode != ErrorCode::NoError) {
-            reply->deleteLater();
-            emit errorOccurred(errorCode);
-            return false;
-        }
-
-        auto apiResponseBody = reply->readAll();
-        reply->deleteLater();
-        fillServerConfig(protocol, apiPayloadData, apiResponseBody, serverConfig);
         m_serversModel->editServer(serverConfig, serverIndex);
         emit updateServerFromApiFinished();
+        return true;
+    } else {
+        emit errorOccurred(errorCode);
+        return false;
     }
-    return true;
 }
 
 bool ApiConfigsController::deactivateDevice()
@@ -327,7 +310,7 @@ bool ApiConfigsController::deactivateDevice()
     auto serverConfigObject = m_serversModel->getServerConfig(serverIndex);
     auto apiConfigObject = serverConfigObject.value(configKey::apiConfig).toObject();
 
-    if (apiUtils::getConfigType(serverConfigObject) != apiDefs::ConfigType::AmneziaPremiumV2) {
+    if (!apiUtils::isPremiumServer(serverConfigObject)) {
         return true;
     }
 
@@ -354,6 +337,43 @@ bool ApiConfigsController::deactivateDevice()
     return true;
 }
 
+bool ApiConfigsController::deactivateExternalDevice(const QString &uuid, const QString &serverCountryCode)
+{
+    GatewayController gatewayController(m_settings->getGatewayEndpoint(), m_settings->isDevGatewayEnv(), apiDefs::requestTimeoutMsecs);
+
+    auto serverIndex = m_serversModel->getProcessedServerIndex();
+    auto serverConfigObject = m_serversModel->getServerConfig(serverIndex);
+    auto apiConfigObject = serverConfigObject.value(configKey::apiConfig).toObject();
+
+    if (!apiUtils::isPremiumServer(serverConfigObject)) {
+        return true;
+    }
+
+    QString protocol = apiConfigObject.value(configKey::serviceProtocol).toString();
+    ApiPayloadData apiPayloadData = generateApiPayloadData(protocol);
+
+    QJsonObject apiPayload = fillApiPayload(protocol, apiPayloadData);
+    apiPayload[configKey::userCountryCode] = apiConfigObject.value(configKey::userCountryCode);
+    apiPayload[configKey::serverCountryCode] = serverCountryCode;
+    apiPayload[configKey::serviceType] = apiConfigObject.value(configKey::serviceType);
+    apiPayload[configKey::authData] = serverConfigObject.value(configKey::authData);
+    apiPayload[configKey::uuid] = uuid;
+
+    QByteArray responseBody;
+    ErrorCode errorCode = gatewayController.post(QString("%1v1/revoke_config"), apiPayload, responseBody);
+    if (errorCode != ErrorCode::NoError && errorCode != ErrorCode::ApiNotFoundError) {
+        emit errorOccurred(errorCode);
+        return false;
+    }
+
+    if (uuid == m_settings->getInstallationUuid(true)) {
+        serverConfigObject.remove(config_key::containers);
+        m_serversModel->editServer(serverConfigObject, serverIndex);
+    }
+
+    return true;
+}
+
 bool ApiConfigsController::isConfigValid()
 {
     int serverIndex = m_serversModel->getDefaultServerIndex();
@@ -369,7 +389,7 @@ bool ApiConfigsController::isConfigValid()
         return updateServiceFromGateway(serverIndex, "", "");
     } else if (configSource && m_serversModel->isApiKeyExpired(serverIndex)) {
         qDebug() << "attempt to update api config by expires_at event";
-        if (configSource == apiDefs::ConfigSource::Telegram) {
+        if (configSource == apiDefs::ConfigSource::AmneziaGateway) {
             return updateServiceFromGateway(serverIndex, "", "");
         } else {
             m_serversModel->removeApiConfig(serverIndex);

client/ui/controllers/api/apiConfigsController.h

@@ -31,6 +31,7 @@ public slots:
                                   bool reloadServiceConfig = false);
     bool updateServiceFromTelegram(const int serverIndex);
     bool deactivateDevice();
+    bool deactivateExternalDevice(const QString &uuid, const QString &serverCountryCode);
 
     bool isConfigValid();
 

client/ui/controllers/api/apiSettingsController.cpp

@@ -25,11 +25,13 @@ namespace
 ApiSettingsController::ApiSettingsController(const QSharedPointer<ServersModel> &serversModel,
                                              const QSharedPointer<ApiAccountInfoModel> &apiAccountInfoModel,
                                              const QSharedPointer<ApiCountryModel> &apiCountryModel,
+                                             const QSharedPointer<ApiDevicesModel> &apiDevicesModel,
                                              const std::shared_ptr<Settings> &settings, QObject *parent)
     : QObject(parent),
       m_serversModel(serversModel),
       m_apiAccountInfoModel(apiAccountInfoModel),
       m_apiCountryModel(apiCountryModel),
+      m_apiDevicesModel(apiDevicesModel),
       m_settings(settings)
 {
 }
@@ -60,7 +62,7 @@ bool ApiSettingsController::getAccountInfo(bool reload)
 
     QByteArray responseBody;
 
-    if (apiUtils::getConfigType(serverConfig) == apiDefs::ConfigType::AmneziaPremiumV2) {
+    if (apiUtils::isPremiumServer(serverConfig)) {
         ErrorCode errorCode = gatewayController.post(QString("%1v1/account_info"), apiPayload, responseBody);
         if (errorCode != ErrorCode::NoError) {
             emit errorOccurred(errorCode);
@@ -73,6 +75,7 @@ bool ApiSettingsController::getAccountInfo(bool reload)
 
     if (reload) {
         updateApiCountryModel();
+        updateApiDevicesModel();
     }
 
     return true;
@@ -83,3 +86,8 @@ void ApiSettingsController::updateApiCountryModel()
     m_apiCountryModel->updateModel(m_apiAccountInfoModel->getAvailableCountries(), "");
     m_apiCountryModel->updateIssuedConfigsInfo(m_apiAccountInfoModel->getIssuedConfigsInfo());
 }
+
+void ApiSettingsController::updateApiDevicesModel()
+{
+    m_apiDevicesModel->updateModel(m_apiAccountInfoModel->getIssuedConfigsInfo());
+}

client/ui/controllers/api/apiSettingsController.h

@@ -5,6 +5,7 @@
 
 #include "ui/models/api/apiAccountInfoModel.h"
 #include "ui/models/api/apiCountryModel.h"
+#include "ui/models/api/apiDevicesModel.h"
 #include "ui/models/servers_model.h"
 
 class ApiSettingsController : public QObject
@@ -12,13 +13,14 @@ class ApiSettingsController : public QObject
     Q_OBJECT
 public:
     ApiSettingsController(const QSharedPointer<ServersModel> &serversModel, const QSharedPointer<ApiAccountInfoModel> &apiAccountInfoModel,
-                          const QSharedPointer<ApiCountryModel> &apiCountryModel, const std::shared_ptr<Settings> &settings,
-                          QObject *parent = nullptr);
+                          const QSharedPointer<ApiCountryModel> &apiCountryModel, const QSharedPointer<ApiDevicesModel> &apiDevicesModel,
+                          const std::shared_ptr<Settings> &settings, QObject *parent = nullptr);
     ~ApiSettingsController();
 
 public slots:
     bool getAccountInfo(bool reload);
     void updateApiCountryModel();
+    void updateApiDevicesModel();
 
 signals:
     void errorOccurred(ErrorCode errorCode);
@@ -27,6 +29,7 @@ private:
     QSharedPointer<ServersModel> m_serversModel;
     QSharedPointer<ApiAccountInfoModel> m_apiAccountInfoModel;
     QSharedPointer<ApiCountryModel> m_apiCountryModel;
+    QSharedPointer<ApiDevicesModel> m_apiDevicesModel;
 
     std::shared_ptr<Settings> m_settings;
 };

client/ui/controllers/importController.cpp

@@ -27,8 +27,6 @@ namespace
     ConfigTypes checkConfigFormat(const QString &config)
     {
         const QString openVpnConfigPatternCli = "client";
-        const QString openVpnConfigPatternProto1 = "proto tcp";
-        const QString openVpnConfigPatternProto2 = "proto udp";
         const QString openVpnConfigPatternDriver1 = "dev tun";
         const QString openVpnConfigPatternDriver2 = "dev tap";
 
@@ -53,14 +51,13 @@ namespace
                    || (config.contains(amneziaConfigPatternHostName) && config.contains(amneziaConfigPatternUserName)
                        && config.contains(amneziaConfigPatternPassword))) {
             return ConfigTypes::Amnezia;
-        } else if (config.contains(openVpnConfigPatternCli)
-                   && (config.contains(openVpnConfigPatternProto1) || config.contains(openVpnConfigPatternProto2))
-                   && (config.contains(openVpnConfigPatternDriver1) || config.contains(openVpnConfigPatternDriver2))) {
-            return ConfigTypes::OpenVpn;
         } else if (config.contains(wireguardConfigPatternSectionInterface) && config.contains(wireguardConfigPatternSectionPeer)) {
             return ConfigTypes::WireGuard;
         } else if ((config.contains(xrayConfigPatternInbound)) && (config.contains(xrayConfigPatternOutbound))) {
             return ConfigTypes::Xray;
+        } else if (config.contains(openVpnConfigPatternCli)
+                   && (config.contains(openVpnConfigPatternDriver1) || config.contains(openVpnConfigPatternDriver2))) {
+            return ConfigTypes::OpenVpn;
         }
         return ConfigTypes::Invalid;
     }
@@ -97,6 +94,8 @@ bool ImportController::extractConfigFromFile(const QString &fileName)
 
 bool ImportController::extractConfigFromData(QString data)
 {
+    m_maliciousWarningText.clear();
+
     QString config = data;
     QString prefix;
     QString errormsg;
@@ -345,7 +344,7 @@ QJsonObject ImportController::extractOpenVpnConfig(const QString &data)
     arr.push_back(containers);
 
     QString hostName;
-    const static QRegularExpression hostNameRegExp("remote (.*) [0-9]*");
+    const static QRegularExpression hostNameRegExp("remote\\s+([^\\s]+)");
     QRegularExpressionMatch hostNameMatch = hostNameRegExp.match(data);
     if (hostNameMatch.hasMatch()) {
         hostName = hostNameMatch.captured(1);
@@ -657,35 +656,47 @@ void ImportController::checkForMaliciousStrings(const QJsonObject &serverConfig)
     const QJsonArray &containers = serverConfig[config_key::containers].toArray();
     for (const QJsonValue &container : containers) {
         auto containerConfig = container.toObject();
-        auto containerName = containerConfig[config_key::container].toString();
-        if ((containerName == ContainerProps::containerToString(DockerContainer::OpenVpn))
-            || (containerName == ContainerProps::containerToString(DockerContainer::Cloak))
-            || (containerName == ContainerProps::containerToString(DockerContainer::ShadowSocks))) {
-            QString protocolConfig =
-                    containerConfig[ProtocolProps::protoToString(Proto::OpenVpn)].toObject()[config_key::last_config].toString();
-            QString protocolConfigJson = QJsonDocument::fromJson(protocolConfig.toUtf8()).object()[config_key::config].toString();
+        QString containerName = containerConfig[config_key::container].toString();
 
-            const QRegularExpression regExp { "(\\w+-\\w+|\\w+)" };
-            const size_t dangerousTagsMaxCount = 3;
+        if (containerName == ContainerProps::containerToString(DockerContainer::OpenVpn)
+            || containerName == ContainerProps::containerToString(DockerContainer::Cloak)
+            || containerName == ContainerProps::containerToString(DockerContainer::ShadowSocks))
+        {
+            QString protoCfgB64 = containerConfig[ProtocolProps::protoToString(Proto::OpenVpn)]
+                                          .toObject()[config_key::last_config].toString();
+            QString cfgJson = QJsonDocument::fromJson(protoCfgB64.toUtf8())
+                                      .object()[config_key::config].toString();
+
+            QStringList lines = cfgJson.replace("\r", "").split('\n');
+
+            const size_t dangerousTagsMaxCount = 1;
 
             // https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/script-options.rst
-            QStringList dangerousTags {
-                "up", "tls-verify", "ipchange", "client-connect", "route-up", "route-pre-down", "client-disconnect", "down", "learn-address", "auth-user-pass-verify"
+            const QStringList dangerousTags {
+                "up", "tls-verify", "ipchange", "client-connect",
+                "route-up", "route-pre-down", "client-disconnect",
+                "down", "learn-address", "auth-user-pass-verify"
             };
+            const QStringList allowedTags { "up", "down" };
 
-            QStringList maliciousStrings;
-            QStringList lines = protocolConfigJson.replace("\r", "").split("\n");
-            for (const QString &l : lines) {
-                QRegularExpressionMatch match = regExp.match(l);
-                if (dangerousTags.contains(match.captured(0))) {
-                    maliciousStrings << l;
+            QStringList found;
+            for (QString line : lines) {
+                line = line.trimmed();
+                if (line.isEmpty() || line.startsWith('#') || line.startsWith(';'))
+                    continue;
+                QString tag = line.section(QRegularExpression("\\s+"), 0, 0);
+                if (dangerousTags.contains(tag) && !allowedTags.contains(tag)) {
+                    found << line;
                 }
             }
 
-            if (maliciousStrings.size() >= dangerousTagsMaxCount) {
-                m_maliciousWarningText = tr("In the imported configuration, potentially dangerous lines were found:");
-                for (const auto &string : maliciousStrings) {
-                    m_maliciousWarningText.push_back(QString("<br><i>%1</i>").arg(string));
+            m_maliciousWarningText = tr("This configuration contains an OpenVPN setup. OpenVPN configurations can include malicious "
+                                        "scripts, so only add it if you fully trust the provider of this config. ");
+
+            if (found.size() >= dangerousTagsMaxCount) {
+                m_maliciousWarningText += tr("<br>Potentially dangerous directives found:");
+                for (auto &l : found) {
+                    m_maliciousWarningText += QString("<br><i>%1</i>").arg(l);
                 }
             }
         }

client/ui/controllers/pageController.h

@@ -31,12 +31,15 @@ namespace PageLoader
         PageSettingsLogging,
         PageSettingsSplitTunneling,
         PageSettingsAppSplitTunneling,
+        PageSettingsKillSwitch,
         PageSettingsApiServerInfo,
         PageSettingsApiAvailableCountries,
         PageSettingsApiSupport,
         PageSettingsApiInstructions,
         PageSettingsApiNativeConfigs,
-
+        PageSettingsApiDevices,
+        PageSettingsKillSwitchExceptions,
+        
         PageServiceSftpSettings,
         PageServiceTorWebsiteSettings,
         PageServiceDnsSettings,

client/ui/controllers/settingsController.cpp

@@ -245,6 +245,23 @@ bool SettingsController::isKillSwitchEnabled()
 void SettingsController::toggleKillSwitch(bool enable)
 {
     m_settings->setKillSwitchEnabled(enable);
+    emit killSwitchEnabledChanged();
+    if (enable == false) {
+        emit strictKillSwitchEnabledChanged(false);
+    } else {
+        emit strictKillSwitchEnabledChanged(isStrictKillSwitchEnabled());
+    }
+}
+
+bool SettingsController::isStrictKillSwitchEnabled()
+{
+    return m_settings->isStrictKillSwitchEnabled();
+}
+
+void SettingsController::toggleStrictKillSwitch(bool enable)
+{
+    m_settings->setStrictKillSwitchEnabled(enable);
+    emit strictKillSwitchEnabledChanged(enable);
 }
 
 bool SettingsController::isNotificationPermissionGranted()

client/ui/controllers/settingsController.h

@@ -24,6 +24,8 @@ public:
     Q_PROPERTY(QString secondaryDns READ getSecondaryDns WRITE setSecondaryDns NOTIFY secondaryDnsChanged)
     Q_PROPERTY(bool isLoggingEnabled READ isLoggingEnabled WRITE toggleLogging NOTIFY loggingStateChanged)
     Q_PROPERTY(bool isNotificationPermissionGranted READ isNotificationPermissionGranted NOTIFY onNotificationStateChanged)
+    Q_PROPERTY(bool isKillSwitchEnabled READ isKillSwitchEnabled WRITE toggleKillSwitch NOTIFY killSwitchEnabledChanged)
+    Q_PROPERTY(bool strictKillSwitchEnabled READ isStrictKillSwitchEnabled WRITE toggleStrictKillSwitch NOTIFY strictKillSwitchEnabledChanged)
 
     Q_PROPERTY(bool isDevModeEnabled READ isDevModeEnabled NOTIFY devModeEnabled)
     Q_PROPERTY(QString gatewayEndpoint READ getGatewayEndpoint WRITE setGatewayEndpoint NOTIFY gatewayEndpointChanged)
@@ -75,6 +77,9 @@ public slots:
     bool isKillSwitchEnabled();
     void toggleKillSwitch(bool enable);
 
+    bool isStrictKillSwitchEnabled();
+    void toggleStrictKillSwitch(bool enable);
+
     bool isNotificationPermissionGranted();
     void requestNotificationPermission();
 
@@ -98,6 +103,8 @@ signals:
     void primaryDnsChanged();
     void secondaryDnsChanged();
     void loggingStateChanged();
+    void killSwitchEnabledChanged();
+    void strictKillSwitchEnabledChanged(bool enabled);
 
     void restoreBackupFinished();
     void changeSettingsFinished(const QString &finishedMessage);

client/ui/controllers/sitesController.cpp

@@ -44,7 +44,6 @@ void SitesController::addSite(QString hostname)
             QMetaObject::invokeMethod(m_vpnConnection.get(), "addRoutes", Qt::QueuedConnection,
                                       Q_ARG(QStringList, QStringList() << hostname));
         }
-        QMetaObject::invokeMethod(m_vpnConnection.get(), "flushDns", Qt::QueuedConnection);
     };
 
     const auto &resolveCallback = [this, processSite](const QHostInfo &hostInfo) {
@@ -75,7 +74,6 @@ void SitesController::removeSite(int index)
 
     QMetaObject::invokeMethod(m_vpnConnection.get(), "deleteRoutes", Qt::QueuedConnection,
                               Q_ARG(QStringList, QStringList() << hostname));
-    QMetaObject::invokeMethod(m_vpnConnection.get(), "flushDns", Qt::QueuedConnection);
 
     emit finished(tr("Site removed: %1").arg(hostname));
 }
@@ -124,7 +122,6 @@ void SitesController::importSites(const QString &fileName, bool replaceExisting)
     m_sitesModel->addSites(sites, replaceExisting);
 
     QMetaObject::invokeMethod(m_vpnConnection.get(), "addRoutes", Qt::QueuedConnection, Q_ARG(QStringList, ips));
-    QMetaObject::invokeMethod(m_vpnConnection.get(), "flushDns", Qt::QueuedConnection);
 
     emit finished(tr("Import completed"));
 }

client/ui/models/allowed_dns_model.cpp

@@ -0,0 +1,86 @@
+#include "allowed_dns_model.h"
+
+AllowedDnsModel::AllowedDnsModel(std::shared_ptr<Settings> settings, QObject *parent)
+    : QAbstractListModel(parent), m_settings(settings)
+{
+    fillDnsServers();
+}
+
+int AllowedDnsModel::rowCount(const QModelIndex &parent) const
+{
+    Q_UNUSED(parent)
+    return m_dnsServers.size();
+}
+
+QVariant AllowedDnsModel::data(const QModelIndex &index, int role) const
+{
+    if (!index.isValid() || index.row() < 0 || index.row() >= static_cast<int>(rowCount()))
+        return QVariant();
+
+    switch (role) {
+    case IpRole:
+        return m_dnsServers.at(index.row());
+    default:
+        return QVariant();
+    }
+}
+
+bool AllowedDnsModel::addDns(const QString &ip)
+{
+    if (m_dnsServers.contains(ip)) {
+        return false;
+    }
+
+    beginInsertRows(QModelIndex(), rowCount(), rowCount());
+    m_dnsServers.append(ip);
+    m_settings->setAllowedDnsServers(m_dnsServers);
+    endInsertRows();
+    return true;
+}
+
+void AllowedDnsModel::addDnsList(const QStringList &dnsServers, bool replaceExisting)
+{
+    beginResetModel();
+    
+    if (replaceExisting) {
+        m_dnsServers.clear();
+    }
+    
+    for (const QString &ip : dnsServers) {
+        if (!m_dnsServers.contains(ip)) {
+            m_dnsServers.append(ip);
+        }
+    }
+    
+    m_settings->setAllowedDnsServers(m_dnsServers);
+    endResetModel();
+}
+
+void AllowedDnsModel::removeDns(QModelIndex index)
+{
+    if (!index.isValid() || index.row() >= m_dnsServers.size()) {
+        return;
+    }
+
+    beginRemoveRows(QModelIndex(), index.row(), index.row());
+    m_dnsServers.removeAt(index.row());
+    m_settings->setAllowedDnsServers(m_dnsServers);
+    endRemoveRows();
+}
+
+QStringList AllowedDnsModel::getCurrentDnsServers()
+{
+    return m_dnsServers;
+}
+
+QHash<int, QByteArray> AllowedDnsModel::roleNames() const
+{
+    QHash<int, QByteArray> roles;
+    roles[IpRole] = "ip";
+    return roles;
+}
+
+void AllowedDnsModel::fillDnsServers()
+{
+    m_dnsServers = m_settings->allowedDnsServers();
+}

client/ui/models/allowed_dns_model.h

@@ -0,0 +1,37 @@
+#ifndef ALLOWEDDNSMODEL_H
+#define ALLOWEDDNSMODEL_H
+
+#include <QAbstractListModel>
+#include "settings.h"
+
+class AllowedDnsModel : public QAbstractListModel
+{
+    Q_OBJECT
+
+public:
+    enum Roles {
+        IpRole = Qt::UserRole + 1
+    };
+
+    explicit AllowedDnsModel(std::shared_ptr<Settings> settings, QObject *parent = nullptr);
+
+    int rowCount(const QModelIndex &parent = QModelIndex()) const override;
+    QVariant data(const QModelIndex &index, int role = Qt::DisplayRole) const override;
+
+public slots:
+    bool addDns(const QString &ip);
+    void addDnsList(const QStringList &dnsServers, bool replaceExisting);
+    void removeDns(QModelIndex index);
+    QStringList getCurrentDnsServers();
+
+protected:
+    QHash<int, QByteArray> roleNames() const override;
+
+private:
+    void fillDnsServers();
+
+    std::shared_ptr<Settings> m_settings;
+    QStringList m_dnsServers;
+};
+
+#endif // ALLOWEDDNSMODEL_H

client/ui/models/api/apiAccountInfoModel.cpp

@@ -48,15 +48,32 @@ QVariant ApiAccountInfoModel::data(const QModelIndex &index, int role) const
     }
     case ServiceDescriptionRole: {
         if (m_accountInfoData.configType == apiDefs::ConfigType::AmneziaPremiumV2) {
-            return tr("Classic VPN for comfortable work, downloading large files and watching videos. Works for any sites. Speed up to 200 "
-                      "Mb/s");
+            return tr("Classic VPN for seamless work, downloading large files, and watching videos. Access all websites and online "
+                      "resources. "
+                      "Speeds up to 200 Mbps");
         } else if (m_accountInfoData.configType == apiDefs::ConfigType::AmneziaFreeV3) {
             return tr("Free unlimited access to a basic set of websites such as Facebook, Instagram, Twitter (X), Discord, Telegram and "
                       "more. YouTube is not included in the free plan.");
+        } else {
+            return "";
         }
     }
     case IsComponentVisibleRole: {
-        return m_accountInfoData.configType == apiDefs::ConfigType::AmneziaPremiumV2;
+        return m_accountInfoData.configType == apiDefs::ConfigType::AmneziaPremiumV2
+                || m_accountInfoData.configType == apiDefs::ConfigType::ExternalPremium;
+    }
+    case HasExpiredWorkerRole: {
+        for (int i = 0; i < m_issuedConfigsInfo.size(); i++) {
+            QJsonObject issuedConfigObject = m_issuedConfigsInfo.at(i).toObject();
+
+            auto lastDownloaded = QDateTime::fromString(issuedConfigObject.value(apiDefs::key::lastDownloaded).toString());
+            auto workerLastUpdated = QDateTime::fromString(issuedConfigObject.value(apiDefs::key::workerLastUpdated).toString());
+
+            if (lastDownloaded < workerLastUpdated) {
+                return true;
+            }
+        }
+        return false;
     }
     }
 
@@ -80,6 +97,8 @@ void ApiAccountInfoModel::updateModel(const QJsonObject &accountInfoObject, cons
 
     m_accountInfoData = accountInfoData;
 
+    m_supportInfo = accountInfoObject.value(apiDefs::key::supportInfo).toObject();
+
     endResetModel();
 }
 
@@ -108,12 +127,27 @@ QJsonArray ApiAccountInfoModel::getIssuedConfigsInfo()
 
 QString ApiAccountInfoModel::getTelegramBotLink()
 {
-    if (m_accountInfoData.configType == apiDefs::ConfigType::AmneziaFreeV3) {
-        return tr("amnezia_free_support_bot");
-    } else if (m_accountInfoData.configType == apiDefs::ConfigType::AmneziaPremiumV2) {
-        return tr("amnezia_premium_support_bot");
-    }
-    return "";
+    return m_supportInfo.value(apiDefs::key::telegram).toString();
+}
+
+QString ApiAccountInfoModel::getEmailLink()
+{
+    return m_supportInfo.value(apiDefs::key::email).toString();
+}
+
+QString ApiAccountInfoModel::getBillingEmailLink()
+{
+    return m_supportInfo.value(apiDefs::key::billingEmail).toString();
+}
+
+QString ApiAccountInfoModel::getSiteLink()
+{
+    return m_supportInfo.value(apiDefs::key::websiteName).toString();
+}
+
+QString ApiAccountInfoModel::getFullSiteLink()
+{
+    return m_supportInfo.value(apiDefs::key::website).toString();
 }
 
 QHash<int, QByteArray> ApiAccountInfoModel::roleNames() const
@@ -124,6 +158,7 @@ QHash<int, QByteArray> ApiAccountInfoModel::roleNames() const
     roles[ConnectedDevicesRole] = "connectedDevices";
     roles[ServiceDescriptionRole] = "serviceDescription";
     roles[IsComponentVisibleRole] = "isComponentVisible";
+    roles[HasExpiredWorkerRole] = "hasExpiredWorker";
 
     return roles;
 }

client/ui/models/api/apiAccountInfoModel.h

@@ -17,7 +17,8 @@ public:
         ConnectedDevicesRole,
         ServiceDescriptionRole,
         EndDateRole,
-        IsComponentVisibleRole
+        IsComponentVisibleRole,
+        HasExpiredWorkerRole
     };
 
     explicit ApiAccountInfoModel(QObject *parent = nullptr);
@@ -32,7 +33,12 @@ public slots:
 
     QJsonArray getAvailableCountries();
     QJsonArray getIssuedConfigsInfo();
+
     QString getTelegramBotLink();
+    QString getEmailLink();
+    QString getBillingEmailLink();
+    QString getSiteLink();
+    QString getFullSiteLink();
 
 protected:
     QHash<int, QByteArray> roleNames() const override;
@@ -50,6 +56,7 @@ private:
     AccountInfoData m_accountInfoData;
     QJsonArray m_availableCountries;
     QJsonArray m_issuedConfigsInfo;
+    QJsonObject m_supportInfo;
 };
 
 #endif // APIACCOUNTINFOMODEL_H

client/ui/models/api/apiCountryModel.cpp

@@ -44,6 +44,9 @@ QVariant ApiCountryModel::data(const QModelIndex &index, int role) const
     case IsIssuedRole: {
         return isIssued;
     }
+    case IsWorkerExpiredRole: {
+        return issuedConfigInfo.lastDownloaded < issuedConfigInfo.workerLastUpdated;
+    }
     }
 
     return QVariant();
@@ -114,5 +117,6 @@ QHash<int, QByteArray> ApiCountryModel::roleNames() const
     roles[CountryCodeRole] = "countryCode";
     roles[CountryImageCodeRole] = "countryImageCode";
     roles[IsIssuedRole] = "isIssued";
+    roles[IsWorkerExpiredRole] = "isWorkerExpired";
     return roles;
 }

client/ui/models/api/apiCountryModel.h

@@ -14,7 +14,8 @@ public:
         CountryNameRole = Qt::UserRole + 1,
         CountryCodeRole,
         CountryImageCodeRole,
-        IsIssuedRole
+        IsIssuedRole,
+        IsWorkerExpiredRole
     };
 
     explicit ApiCountryModel(QObject *parent = nullptr);

client/ui/models/api/apiDevicesModel.cpp

@@ -0,0 +1,90 @@
+#include "apiDevicesModel.h"
+
+#include <QJsonObject>
+
+#include "core/api/apiDefs.h"
+#include "logger.h"
+
+namespace
+{
+    Logger logger("ApiDevicesModel");
+
+    constexpr QLatin1String gatewayAccount("gateway_account");
+}
+
+ApiDevicesModel::ApiDevicesModel(std::shared_ptr<Settings> settings, QObject *parent) : m_settings(settings), QAbstractListModel(parent)
+{
+}
+
+int ApiDevicesModel::rowCount(const QModelIndex &parent) const
+{
+    Q_UNUSED(parent)
+    return m_issuedConfigs.size();
+}
+
+QVariant ApiDevicesModel::data(const QModelIndex &index, int role) const
+{
+    if (!index.isValid() || index.row() < 0 || index.row() >= static_cast<int>(rowCount()))
+        return QVariant();
+
+    IssuedConfigInfo issuedConfigInfo = m_issuedConfigs.at(index.row());
+
+    switch (role) {
+    case OsVersionRole: {
+        return issuedConfigInfo.osVersion;
+    }
+    case SupportTagRole: {
+        return issuedConfigInfo.installationUuid;
+    }
+    case CountryCodeRole: {
+        return issuedConfigInfo.countryCode;
+    }
+    case LastUpdateRole: {
+        return QDateTime::fromString(issuedConfigInfo.lastDownloaded, Qt::ISODate).toLocalTime().toString("d MMM yyyy");
+    }
+    case IsCurrentDeviceRole: {
+        return issuedConfigInfo.installationUuid == m_settings->getInstallationUuid(false);
+    }
+    }
+
+    return QVariant();
+}
+
+void ApiDevicesModel::updateModel(const QJsonArray &issuedConfigs)
+{
+    beginResetModel();
+
+    m_issuedConfigs.clear();
+    for (int i = 0; i < issuedConfigs.size(); i++) {
+        IssuedConfigInfo issuedConfigInfo;
+        QJsonObject issuedConfigObject = issuedConfigs.at(i).toObject();
+
+        if (issuedConfigObject.value(apiDefs::key::sourceType).toString() != gatewayAccount) {
+            continue;
+        }
+
+        issuedConfigInfo.installationUuid = issuedConfigObject.value(apiDefs::key::installationUuid).toString();
+        issuedConfigInfo.workerLastUpdated = issuedConfigObject.value(apiDefs::key::workerLastUpdated).toString();
+        issuedConfigInfo.lastDownloaded = issuedConfigObject.value(apiDefs::key::lastDownloaded).toString();
+        issuedConfigInfo.sourceType = issuedConfigObject.value(apiDefs::key::sourceType).toString();
+        issuedConfigInfo.osVersion = issuedConfigObject.value(apiDefs::key::osVersion).toString();
+
+        issuedConfigInfo.countryName = issuedConfigObject.value(apiDefs::key::serverCountryName).toString();
+        issuedConfigInfo.countryCode = issuedConfigObject.value(apiDefs::key::serverCountryCode).toString();
+
+        m_issuedConfigs.push_back(issuedConfigInfo);
+    }
+
+    endResetModel();
+}
+
+QHash<int, QByteArray> ApiDevicesModel::roleNames() const
+{
+    QHash<int, QByteArray> roles;
+    roles[OsVersionRole] = "osVersion";
+    roles[SupportTagRole] = "supportTag";
+    roles[CountryCodeRole] = "countryCode";
+    roles[LastUpdateRole] = "lastUpdate";
+    roles[IsCurrentDeviceRole] = "isCurrentDevice";
+    return roles;
+}

client/ui/models/api/apiDevicesModel.h

@@ -0,0 +1,52 @@
+#ifndef APIDEVICESMODEL_H
+#define APIDEVICESMODEL_H
+
+#include <QAbstractListModel>
+#include <QJsonArray>
+#include <QVector>
+
+#include "settings.h"
+
+class ApiDevicesModel : public QAbstractListModel
+{
+    Q_OBJECT
+
+public:
+    enum Roles {
+        OsVersionRole = Qt::UserRole + 1,
+        SupportTagRole,
+        CountryCodeRole,
+        LastUpdateRole,
+        IsCurrentDeviceRole
+    };
+
+    explicit ApiDevicesModel(std::shared_ptr<Settings> settings, QObject *parent = nullptr);
+
+    int rowCount(const QModelIndex &parent = QModelIndex()) const override;
+
+    QVariant data(const QModelIndex &index, int role = Qt::DisplayRole) const override;
+
+public slots:
+    void updateModel(const QJsonArray &issuedConfigs);
+
+protected:
+    QHash<int, QByteArray> roleNames() const override;
+
+private:
+    struct IssuedConfigInfo
+    {
+        QString installationUuid;
+        QString workerLastUpdated;
+        QString lastDownloaded;
+        QString sourceType;
+        QString osVersion;
+
+        QString countryName;
+        QString countryCode;
+    };
+
+    QVector<IssuedConfigInfo> m_issuedConfigs;
+
+    std::shared_ptr<Settings> m_settings;
+};
+#endif // APIDEVICESMODEL_H

client/ui/models/api/apiServicesModel.cpp

@@ -65,8 +65,8 @@ QVariant ApiServicesModel::data(const QModelIndex &index, int role) const
     case CardDescriptionRole: {
         auto speed = apiServiceData.serviceInfo.speed;
         if (serviceType == serviceType::amneziaPremium) {
-            return tr("Amnezia Premium is VPN for comfortable work, downloading large files and watching videos in 8K resolution. "
-                      "Works for any sites with no restrictions. Speed up to %1 MBit/s. Unlimited traffic.")
+            return tr("Amnezia Premium is classic VPN for seamless work, downloading large files, and watching videos. "
+                      "Access all websites and online resources. Speeds up to %1 Mbps.")
                     .arg(speed);
         } else if (serviceType == serviceType::amneziaFree) {
             QString description = tr("AmneziaFree provides free unlimited access to a basic set of web sites, such as Facebook, Instagram, Twitter (X), Discord, Telegram, and others. YouTube is not included in the free plan.");
@@ -79,8 +79,8 @@ QVariant ApiServicesModel::data(const QModelIndex &index, int role) const
     }
     case ServiceDescriptionRole: {
         if (serviceType == serviceType::amneziaPremium) {
-            return tr("Amnezia Premium is VPN for comfortable work, downloading large files and watching videos in 8K resolution. "
-                      "Works for any sites with no restrictions.");
+            return tr("Amnezia Premium is classic VPN for for seamless work, downloading large files, and watching videos. "
+                      "Access all websites and online resources.");
         } else {
             return tr("AmneziaFree provides free unlimited access to a basic set of web sites, such as Facebook, Instagram, Twitter (X), Discord, Telegram, and others. YouTube is not included in the free plan.");
         }

client/ui/models/languageModel.cpp

@@ -1,13 +1,11 @@
 #include "languageModel.h"
 
-LanguageModel::LanguageModel(std::shared_ptr<Settings> settings, QObject *parent)
-    : m_settings(settings), QAbstractListModel(parent)
+LanguageModel::LanguageModel(std::shared_ptr<Settings> settings, QObject *parent) : m_settings(settings), QAbstractListModel(parent)
 {
     QMetaEnum metaEnum = QMetaEnum::fromType<LanguageSettings::AvailableLanguageEnum>();
     for (int i = 0; i < metaEnum.keyCount(); i++) {
-        m_availableLanguages.push_back(
-            LanguageModelData {getLocalLanguageName(static_cast<LanguageSettings::AvailableLanguageEnum>(i)),
-                              static_cast<LanguageSettings::AvailableLanguageEnum>(i) });
+        m_availableLanguages.push_back(LanguageModelData { getLocalLanguageName(static_cast<LanguageSettings::AvailableLanguageEnum>(i)),
+                                                           static_cast<LanguageSettings::AvailableLanguageEnum>(i) });
     }
 }
 
@@ -50,8 +48,7 @@ QString LanguageModel::getLocalLanguageName(const LanguageSettings::AvailableLan
     case LanguageSettings::AvailableLanguageEnum::Burmese: strLanguage = "မြန်မာဘာသာ"; break;
     case LanguageSettings::AvailableLanguageEnum::Urdu: strLanguage = "اُرْدُوْ"; break;
     case LanguageSettings::AvailableLanguageEnum::Hindi: strLanguage = "हिन्दी"; break;
-    default:
-        break;
+    default: break;
     }
 
     return strLanguage;
@@ -104,11 +101,12 @@ QString LanguageModel::getCurrentLanguageName()
     return m_availableLanguages[getCurrentLanguageIndex()].name;
 }
 
-QString LanguageModel::getCurrentSiteUrl()
+QString LanguageModel::getCurrentSiteUrl(const QString &path)
 {
     auto language = static_cast<LanguageSettings::AvailableLanguageEnum>(getCurrentLanguageIndex());
     switch (language) {
-    case LanguageSettings::AvailableLanguageEnum::Russian: return "https://storage.googleapis.com/amnezia/amnezia.org";
-    default: return "https://amnezia.org";
+    case LanguageSettings::AvailableLanguageEnum::Russian:
+        return "https://storage.googleapis.com/amnezia/amnezia.org" + (path.isEmpty() ? "" : (QString("?m-path=/%1").arg(path)));
+    default: return QString("https://amnezia.org") + (path.isEmpty() ? "" : (QString("/%1").arg(path)));
     }
 }

client/ui/models/languageModel.h

@@ -59,7 +59,7 @@ public slots:
     int getCurrentLanguageIndex();
     int getLineHeightAppend();
     QString getCurrentLanguageName();
-    QString getCurrentSiteUrl();
+    QString getCurrentSiteUrl(const QString &path = "");
 
 signals:
     void updateTranslations(const QLocale &locale);

client/ui/qml/Components/AdLabel.qml

@@ -29,7 +29,7 @@ Rectangle {
         cursorShape: Qt.PointingHandCursor
 
         onClicked: function() {
-            Qt.openUrlExternally(LanguageModel.getCurrentSiteUrl() + "/premium")
+            Qt.openUrlExternally(LanguageModel.getCurrentSiteUrl("premium"))
         }
     }
 
@@ -54,7 +54,7 @@ Rectangle {
             Layout.rightMargin: 10
             Layout.leftMargin: 10
 
-            text: qsTr("Amnezia Premium - for access to any website")
+            text: qsTr("Amnezia Premium - for access to all websites and online resources")
             color: AmneziaStyle.color.pearlGray
 
             lineHeight: 18

client/ui/qml/Components/AddSitePanel.qml

@@ -0,0 +1,73 @@
+import QtQuick
+import QtQuick.Controls
+import QtQuick.Layouts
+
+import Style 1.0
+import "../Controls2"
+import "../Controls2/TextTypes"
+
+Item {
+    id: root
+
+    property bool enabled: true
+    property string placeholderText: ""
+    property alias textField: searchField.textField
+
+    signal addClicked(string text)
+    signal moreClicked()
+
+    implicitWidth: 360
+    implicitHeight: 96
+
+    Rectangle {
+        id: background
+        anchors.fill: parent
+        color: "#0E0F12"
+        opacity: 0.85
+        z: -1
+    }
+
+    RowLayout {
+        id: addSiteButton
+
+        enabled: root.enabled
+        spacing: 2
+
+        anchors {
+            fill: parent
+            topMargin: 16
+            leftMargin: 16
+            rightMargin: 16
+            bottomMargin: 24
+        }
+
+        TextFieldWithHeaderType {
+            id: searchField
+
+            Layout.fillWidth: true
+            rightButtonClickedOnEnter: true
+
+            textField.placeholderText: root.placeholderText
+            buttonImageSource: "qrc:/images/controls/plus.svg"
+
+            clickedFunc: function() {
+                root.addClicked(textField.text)
+                textField.text = ""
+            }
+        }
+
+        ImageButtonType {
+            id: addSiteButtonImage
+            implicitWidth: 56
+            implicitHeight: 56
+
+            image: "qrc:/images/controls/more-vertical.svg"
+            imageColor: AmneziaStyle.color.paleGray
+
+            onClicked: root.moreClicked()
+
+            Keys.onReturnPressed: addSiteButtonImage.clicked()
+            Keys.onEnterPressed: addSiteButtonImage.clicked()
+        }
+    }
+} 

client/ui/qml/Components/HomeContainersListView.qml

@@ -18,7 +18,8 @@ ListView {
     property var selectedText
 
     width: rootWidth
-    height: contentItem.height
+    anchors.top: parent.top
+    anchors.bottom: parent.bottom
 
     clip: true
     snapMode: ListView.SnapToItem

client/ui/qml/Controls2/BaseHeaderType.qml

@@ -0,0 +1,45 @@
+import QtQuick
+import QtQuick.Layouts
+
+import Style 1.0
+
+import "TextTypes"
+
+Item {
+    id: root
+
+    property string headerText
+    property int headerTextMaximumLineCount: 2
+    property int headerTextElide: Qt.ElideRight
+    property string descriptionText
+    property alias headerRow: headerRow
+
+    implicitWidth: content.implicitWidth
+    implicitHeight: content.implicitHeight
+
+    ColumnLayout {
+        id: content
+        anchors.fill: parent
+
+        RowLayout {
+            id: headerRow
+            
+            Header1TextType {
+                id: header
+                Layout.fillWidth: true
+                text: root.headerText
+                maximumLineCount: root.headerTextMaximumLineCount
+                elide: root.headerTextElide
+            }
+        }
+
+        ParagraphTextType {
+            id: description
+            Layout.topMargin: 16
+            Layout.fillWidth: true
+            text: root.descriptionText
+            color: AmneziaStyle.color.mutedGray
+            visible: root.descriptionText !== ""
+        }
+    }
+} 

client/ui/qml/Controls2/DropDownType.qml

@@ -239,6 +239,7 @@ Item {
                     sourceComponent: root.listView
 
                     Layout.fillHeight: true
+                    Layout.fillWidth: true
                 }
             }
         }

client/ui/qml/Controls2/HeaderType.qml

@@ -1,86 +0,0 @@
-import QtQuick
-import QtQuick.Layouts
-
-import Style 1.0
-
-import "TextTypes"
-
-Item {
-    id: root
-
-    property string actionButtonImage
-    property var actionButtonFunction
-
-    property alias actionButton: headerActionButton
-
-    property string headerText
-    property int headerTextMaximumLineCount: 2
-    property int headerTextElide: Qt.ElideRight
-
-    property string descriptionText
-
-    implicitWidth: content.implicitWidth
-    implicitHeight: content.implicitHeight
-
-    ColumnLayout {
-        id: content
-        anchors.fill: parent
-
-        RowLayout {
-            Header1TextType {
-                id: header
-
-                Layout.fillWidth: true
-
-                text: root.headerText
-                maximumLineCount: root.headerTextMaximumLineCount
-                elide: root.headerTextElide
-            }
-
-            ImageButtonType {
-                id: headerActionButton
-
-                implicitWidth: 40
-                implicitHeight: 40
-
-                Layout.alignment: Qt.AlignRight
-
-                image: root.actionButtonImage
-                imageColor: AmneziaStyle.color.paleGray
-
-                visible: image ? true : false
-
-                onClicked: {
-                    if (actionButtonFunction && typeof actionButtonFunction === "function") {
-                        actionButtonFunction()
-                    }
-                }
-            }
-        }
-
-        ParagraphTextType {
-            id: description
-
-            Layout.topMargin: 16
-            Layout.fillWidth: true
-
-            text: root.descriptionText
-
-            color: AmneziaStyle.color.mutedGray
-
-            visible: root.descriptionText !== ""
-        }
-    }
-
-    Keys.onEnterPressed: {
-        if (actionButtonFunction && typeof actionButtonFunction === "function") {
-            actionButtonFunction()
-        }
-    }
-
-    Keys.onReturnPressed: {
-        if (actionButtonFunction && typeof actionButtonFunction === "function") {
-            actionButtonFunction()
-        }
-    }
-}

client/ui/qml/Controls2/HeaderTypeWithButton.qml

@@ -0,0 +1,44 @@
+import QtQuick
+import QtQuick.Layouts
+
+import Style 1.0
+
+BaseHeaderType {
+    id: root
+
+    property string actionButtonImage
+    property var actionButtonFunction
+    property alias actionButton: headerActionButton
+
+    Component.onCompleted: {
+        headerRow.children.push(headerActionButton)
+    }
+
+    ImageButtonType {
+        id: headerActionButton
+        implicitWidth: 40
+        implicitHeight: 40
+        Layout.alignment: Qt.AlignRight
+        image: root.actionButtonImage
+        imageColor: AmneziaStyle.color.paleGray
+        visible: image ? true : false
+
+        onClicked: {
+            if (actionButtonFunction && typeof actionButtonFunction === "function") {
+                actionButtonFunction()
+            }
+        }
+    }
+
+    Keys.onEnterPressed: {
+        if (actionButtonFunction && typeof actionButtonFunction === "function") {
+            actionButtonFunction()
+        }
+    }
+
+    Keys.onReturnPressed: {
+        if (actionButtonFunction && typeof actionButtonFunction === "function") {
+            actionButtonFunction()
+        }
+    }
+} 

client/ui/qml/Controls2/HeaderTypeWithSwitcher.qml

@@ -0,0 +1,28 @@
+import QtQuick
+import QtQuick.Layouts
+
+import Style 1.0
+
+BaseHeaderType {
+    id: root
+
+    property var switcherFunction
+    property bool showSwitcher: false
+    property alias switcher: headerSwitcher
+
+    Component.onCompleted: {
+        headerRow.children.push(headerSwitcher)
+    }
+
+    SwitcherType {
+        id: headerSwitcher
+        Layout.alignment: Qt.AlignRight
+        visible: root.showSwitcher
+
+        onToggled: {
+            if (switcherFunction && typeof switcherFunction === "function") {
+                switcherFunction(checked)
+            }
+        }
+    }
+} 

client/ui/qml/Controls2/VerticalRadioButton.qml

@@ -20,7 +20,11 @@ RadioButton {
     property string selectedColor: AmneziaStyle.color.transparent
 
     property string textColor: AmneziaStyle.color.paleGray
+    property string textDisabledColor: AmneziaStyle.color.mutedGray
     property string selectedTextColor: AmneziaStyle.color.goldenApricot
+    property string selectedTextDisabledColor: AmneziaStyle.color.burntOrange
+    property string descriptionColor: AmneziaStyle.color.mutedGray
+    property string descriptionDisabledColor: AmneziaStyle.color.charcoalGray
 
     property string borderFocusedColor: AmneziaStyle.color.paleGray
     property int borderFocusedWidth: 1
@@ -30,6 +34,12 @@ RadioButton {
 
     property bool isFocusable: true
 
+    
+    property string radioButtonInnerCirclePressedSource: "qrc:/images/controls/radio-button-inner-circle-pressed.png"
+    property string radioButtonInnerCircleSource: "qrc:/images/controls/radio-button-inner-circle.png"
+    property string radioButtonPressedSource: "qrc:/images/controls/radio-button-pressed.svg"
+    property string radioButtonDefaultSource: "qrc:/images/controls/radio-button.svg"
+
     Keys.onTabPressed: {
         FocusController.nextKeyTabItem()
     }
@@ -94,14 +104,15 @@ RadioButton {
                 if (showImage) {
                     return imageSource
                 } else if (root.pressed) {
-                    return "qrc:/images/controls/radio-button-inner-circle-pressed.png"
+                    return root.radioButtonInnerCirclePressedSource
                 } else if (root.checked) {
-                    return "qrc:/images/controls/radio-button-inner-circle.png"
+                    return root.radioButtonInnerCircleSource
                 }
 
                 return ""
             }
 
+            opacity: root.enabled ? 1.0 : 0.3
             anchors.centerIn: parent
 
             width: 24
@@ -113,12 +124,13 @@ RadioButton {
                 if (showImage) {
                     return ""
                 } else if (root.pressed || root.checked) {
-                    return "qrc:/images/controls/radio-button-pressed.svg"
+                    return root.radioButtonPressedSource
                 } else {
-                    return "qrc:/images/controls/radio-button.svg"
+                    return root.radioButtonDefaultSource
                 }
             }
 
+            opacity: root.enabled ? 1.0 : 0.3
             anchors.centerIn: parent
 
             width: 24
@@ -148,10 +160,11 @@ RadioButton {
                 elide: root.textElide
 
                 color: {
-                    if (root.checked) {
-                        return selectedTextColor
+                    if (root.enabled) {
+                        return root.checked ? selectedTextColor : textColor
+                    } else {
+                        return root.checked ? selectedTextDisabledColor : textDisabledColor
                     }
-                    return textColor
                 }
 
                 Layout.fillWidth: true
@@ -164,7 +177,7 @@ RadioButton {
             CaptionTextType {
                 id: description
 
-                color: AmneziaStyle.color.mutedGray
+                color: root.enabled ? root.descriptionColor : root.descriptionDisabledColor
                 text: root.descriptionText
 
                 visible: root.descriptionText !== ""
@@ -177,6 +190,7 @@ RadioButton {
     MouseArea {
         anchors.fill: root
         cursorShape: Qt.PointingHandCursor
+        preventStealing: false
         enabled: false
     }
 }

client/ui/qml/Modules/Style/AmneziaStyle.qml

@@ -27,5 +27,6 @@ QtObject {
         readonly property color mistyGray: Qt.rgba(215/255, 216/255, 219/255, 0.8)
         readonly property color cloudyGray: Qt.rgba(215/255, 216/255, 219/255, 0.65)
         readonly property color pearlGray: '#EAEAEC'
+        readonly property color translucentRichBrown: Qt.rgba(99/255, 51/255, 3/255, 0.26)
     }
 }

client/ui/qml/Pages2/PageDeinstalling.qml

@@ -56,7 +56,7 @@ PageType {
                         anchors.rightMargin: 16
                         anchors.leftMargin: 16
 
-                        HeaderType {
+                        BaseHeaderType {
                             Layout.fillWidth: true
                             Layout.topMargin: 20
 

client/ui/qml/Pages2/PageDevMenu.qml

@@ -39,7 +39,7 @@ PageType {
         header: ColumnLayout {
             width: listView.width
 
-            HeaderType {
+            BaseHeaderType {
                 id: header
 
                 Layout.fillWidth: true

client/ui/qml/Pages2/PageProtocolAwgClientSettings.qml

@@ -91,7 +91,7 @@ PageType {
 
                 spacing: 0
 
-                HeaderType {
+                BaseHeaderType {
                     Layout.fillWidth: true
 
                     headerText: qsTr("AmneziaWG settings")

client/ui/qml/Pages2/PageProtocolAwgSettings.qml

@@ -91,7 +91,7 @@ PageType {
 
                 spacing: 0
 
-                HeaderType {
+                BaseHeaderType {
                     Layout.fillWidth: true
 
                     headerText: qsTr("AmneziaWG settings")

client/ui/qml/Pages2/PageProtocolCloakSettings.qml

@@ -76,7 +76,7 @@ PageType {
 
                         spacing: 0
 
-                        HeaderType {
+                        BaseHeaderType {
                             Layout.fillWidth: true
 
                             headerText: qsTr("Cloak settings")

client/ui/qml/Pages2/PageProtocolOpenVpnSettings.qml

@@ -75,7 +75,7 @@ PageType {
 
                         spacing: 0
 
-                        HeaderType {
+                        BaseHeaderType {
                             Layout.fillWidth: true
 
                             headerText: qsTr("OpenVPN settings")

client/ui/qml/Pages2/PageProtocolRaw.qml

@@ -32,7 +32,7 @@ PageType {
             id: backButton
         }
 
-        HeaderType {
+        BaseHeaderType {
             Layout.fillWidth: true
             Layout.leftMargin: 16
             Layout.rightMargin: 16

client/ui/qml/Pages2/PageProtocolShadowSocksSettings.qml

@@ -78,7 +78,7 @@ PageType {
 
                         spacing: 0
 
-                        HeaderType {
+                        BaseHeaderType {
                             Layout.fillWidth: true
 
                             headerText: qsTr("Shadowsocks settings")

client/ui/qml/Pages2/PageProtocolWireGuardClientSettings.qml

@@ -85,7 +85,7 @@ PageType {
 
                         spacing: 0
 
-                        HeaderType {
+                        BaseHeaderType {
                             Layout.fillWidth: true
 
                             headerText: qsTr("WG settings")

client/ui/qml/Pages2/PageProtocolWireGuardSettings.qml

@@ -77,7 +77,7 @@ PageType {
 
                         spacing: 0
 
-                        HeaderType {
+                        BaseHeaderType {
                             Layout.fillWidth: true
                             headerText: qsTr("WG settings")
                         }

client/ui/qml/Pages2/PageProtocolXraySettings.qml

@@ -75,7 +75,7 @@ PageType {
 
                         spacing: 0
 
-                        HeaderType {
+                        BaseHeaderType {
                             Layout.fillWidth: true
                             headerText: qsTr("XRay settings")
                         }

client/ui/qml/Pages2/PageServiceDnsSettings.qml

@@ -43,7 +43,7 @@ PageType {
             anchors.left: parent.left
             anchors.right: parent.right
 
-            HeaderType {
+            BaseHeaderType {
                 id: header
 
                 Layout.fillWidth: true

client/ui/qml/Pages2/PageServiceSftpSettings.qml

@@ -85,7 +85,7 @@ PageType {
 
                         spacing: 0
 
-                        HeaderType {
+                        BaseHeaderType {
                             Layout.fillWidth: true
                             Layout.leftMargin: 16
                             Layout.rightMargin: 16

client/ui/qml/Pages2/PageServiceSocksProxySettings.qml

@@ -77,7 +77,7 @@ PageType {
 
                     spacing: 0
 
-                    HeaderType {
+                    BaseHeaderType {
                         Layout.fillWidth: true
                         Layout.leftMargin: 16
                         Layout.rightMargin: 16
@@ -217,7 +217,7 @@ PageType {
                                 }
                             }
 
-                            HeaderType {
+                            BaseHeaderType {
                                 Layout.fillWidth: true
 
                                 headerText: qsTr("SOCKS5 settings")

client/ui/qml/Pages2/PageServiceTorWebsiteSettings.qml

@@ -54,7 +54,7 @@ PageType {
 
             spacing: 0
 
-            HeaderType {
+            BaseHeaderType {
                 Layout.fillWidth: true
                 Layout.leftMargin: 16
                 Layout.rightMargin: 16

client/ui/qml/Pages2/PageSettings.qml

@@ -29,7 +29,7 @@ PageType {
 
             spacing: 0
 
-            HeaderType {
+            BaseHeaderType {
                 id: header
                 Layout.fillWidth: true
                 Layout.topMargin: 24

client/ui/qml/Pages2/PageSettingsAbout.qml

@@ -252,7 +252,7 @@ PageType {
                 text: qsTr("Privacy Policy")
 
                 clickedFunc: function() {
-                    Qt.openUrlExternally(LanguageModel.getCurrentSiteUrl() + "/policy")
+                    Qt.openUrlExternally(LanguageModel.getCurrentSiteUrl("policy"))
                 }
             }
         }

client/ui/qml/Pages2/PageSettingsApiAvailableCountries.qml

@@ -69,7 +69,7 @@ PageType {
                 Layout.topMargin: 20
             }
 
-            HeaderType {
+            HeaderTypeWithButton {
                 id: headerContent
                 objectName: "headerContent"
 
@@ -81,7 +81,7 @@ PageType {
                 actionButtonImage: "qrc:/images/controls/settings.svg"
 
                 headerText: root.processedServer.name
-                descriptionText: qsTr("Locations for connection")
+                descriptionText: qsTr("Location for connection")
 
                 actionButtonFunction: function() {
                     PageController.showBusyIndicator(true)
@@ -135,12 +135,6 @@ PageType {
                         }
                     }
 
-                    MouseArea {
-                        anchors.fill: containerRadioButton
-                        cursorShape: Qt.PointingHandCursor
-                        enabled: false
-                    }
-
                     Keys.onEnterPressed: {
                         if (checkable) {
                             checked = true