Merge branch 'dev' of github.com:amnezia-vpn/amnezia-client into HEAD

Ks znak patch 1

.github/workflows/deploy.yml

@@ -283,7 +283,6 @@ jobs:
       ANDROID_BUILD_PLATFORM: android-34
       QT_VERSION: 6.6.1
       QT_MODULES: 'qtremoteobjects qt5compat qtimageformats qtshadertools'
-      BUILD_AAB: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') }}
 
     steps:
     - name: 'Install desktop Qt'
@@ -382,7 +381,7 @@ jobs:
         ANDROID_KEYSTORE_KEY_ALIAS: ${{ secrets.ANDROID_RELEASE_KEYSTORE_KEY_ALIAS }}
         ANDROID_KEYSTORE_KEY_PASS: ${{ secrets.ANDROID_RELEASE_KEYSTORE_KEY_PASS }}
       shell: bash
-      run: ./deploy/build_android.sh ${{ env.BUILD_AAB == 'true' && '--aab' || '' }} --apk all --build-platform ${{ env.ANDROID_BUILD_PLATFORM }}
+      run: ./deploy/build_android.sh --aab --apk all --build-platform ${{ env.ANDROID_BUILD_PLATFORM }}
 
     - name: 'Upload x86_64 apk'
       uses: actions/upload-artifact@v4
@@ -417,7 +416,6 @@ jobs:
         retention-days: 7
 
     - name: 'Upload aab'
-      if: ${{ env.BUILD_AAB == 'true' }}
       uses: actions/upload-artifact@v4
       with:
         name: AmneziaVPN-android

CMakeLists.txt

@@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)
 
 set(PROJECT AmneziaVPN)
 
-project(${PROJECT} VERSION 4.2.0.1
+project(${PROJECT} VERSION 4.2.1.1
         DESCRIPTION "AmneziaVPN"
         HOMEPAGE_URL "https://amnezia.org/"
 )
@@ -11,7 +11,7 @@ string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")
 
 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 39)
+set(APP_ANDROID_VERSION_CODE 43)
 
 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
     set(MZ_PLATFORM_NAME "linux")

README.md

@@ -18,7 +18,6 @@ Amnezia is an open-source VPN client, with a key feature that enables you to dep
 [https://www.reddit.com/r/AmneziaVPN](https://www.reddit.com/r/AmneziaVPN) - Reddit  
 [https://t.me/amnezia_vpn_en](https://t.me/amnezia_vpn_en) - Telegram support channel (English)  
 [https://t.me/amnezia_vpn](https://t.me/amnezia_vpn) - Telegram support channel (Russian)  
-[https://signal.group/...](https://signal.group/#CjQKIB2gUf8QH_IXnOJMGQWMDjYz9cNfmRQipGWLFiIgc4MwEhAKBONrSiWHvoUFbbD0xwdh) - Signal channel  
 
 ## Tech
 

client/android/awg/src/main/kotlin/AwgConfig.kt

@@ -99,7 +99,7 @@ class AwgConfig private constructor(
         fun setH3(h3: Long) = apply { this.h3 = h3 }
         fun setH4(h4: Long) = apply { this.h4 = h4 }
 
-        override fun build(): AwgConfig = AwgConfig(this)
+        override fun build(): AwgConfig = configBuild().run { AwgConfig(this@Builder) }
     }
 
     companion object {

client/android/cloak/src/main/kotlin/Cloak.kt

@@ -3,6 +3,9 @@ package org.amnezia.vpn.protocol.cloak
 import android.util.Base64
 import net.openvpn.ovpn3.ClientAPI_Config
 import org.amnezia.vpn.protocol.openvpn.OpenVpn
+import org.amnezia.vpn.protocol.openvpn.OpenVpnConfig
+import org.amnezia.vpn.util.net.InetNetwork
+import org.amnezia.vpn.util.net.parseInetAddress
 import org.json.JSONObject
 
 /**
@@ -51,6 +54,13 @@ class Cloak : OpenVpn() {
         return openVpnConfig
     }
 
+    override fun configPluggableTransport(configBuilder: OpenVpnConfig.Builder, config: JSONObject) {
+        // exclude remote server ip from vpn routes
+        val remoteServer = config.getString("hostName")
+        val remoteServerAddress = InetNetwork(parseInetAddress(remoteServer))
+        configBuilder.excludeRoute(remoteServerAddress)
+    }
+
     private fun checkCloakJson(cloakConfigJson: JSONObject): JSONObject {
         cloakConfigJson.put("NumConn", 1)
         cloakConfigJson.put("ProxyMethod", "openvpn")

client/android/openvpn/src/main/kotlin/org/amnezia/vpn/protocol/openvpn/OpenVpn.kt

@@ -2,7 +2,6 @@ package org.amnezia.vpn.protocol.openvpn
 
 import android.content.Context
 import android.net.VpnService.Builder
-import android.os.Build
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.flow.MutableStateFlow
@@ -14,7 +13,6 @@ import org.amnezia.vpn.protocol.ProtocolState
 import org.amnezia.vpn.protocol.ProtocolState.DISCONNECTED
 import org.amnezia.vpn.protocol.Statistics
 import org.amnezia.vpn.protocol.VpnStartException
-import org.amnezia.vpn.util.net.InetNetwork
 import org.amnezia.vpn.util.net.getLocalNetworks
 import org.json.JSONObject
 
@@ -79,16 +77,8 @@ open class OpenVpn : Protocol() {
                 if (evalConfig.error) {
                     throw BadConfigException("OpenVPN config parse error: ${evalConfig.message}")
                 }
-                configBuilder.apply {
-                    // fix for split tunneling
-                    // The exclude split tunneling OpenVpn configuration does not contain a default route.
-                    // It is required for split tunneling in newer versions of Android.
-                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
-                        addRoute(InetNetwork("0.0.0.0", 0))
-                        addRoute(InetNetwork("::", 0))
-                    }
-                    configSplitTunneling(config)
-                }
+                configPluggableTransport(configBuilder, config)
+                configBuilder.configSplitTunneling(config)
 
                 scope.launch {
                     val status = client.connect()
@@ -122,6 +112,8 @@ open class OpenVpn : Protocol() {
         return openVpnConfig
     }
 
+    protected open fun configPluggableTransport(configBuilder: OpenVpnConfig.Builder, config: JSONObject) {}
+
     private fun makeEstablish(vpnBuilder: Builder): (OpenVpnConfig.Builder) -> Int = { configBuilder ->
         val openVpnConfig = configBuilder.build()
         buildVpnInterface(openVpnConfig, vpnBuilder)

client/android/openvpn/src/main/kotlin/org/amnezia/vpn/protocol/openvpn/OpenVpnClient.kt

@@ -91,9 +91,7 @@ class OpenVpnClient(
     // metric is optional and should be ignored if < 0
     override fun tun_builder_exclude_route(address: String, prefix_length: Int, metric: Int, ipv6: Boolean): Boolean {
         Log.d(TAG, "tun_builder_exclude_route: $address, $prefix_length, $metric, $ipv6")
-        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
-            configBuilder.excludeRoute(InetNetwork(address, prefix_length))
-        }
+        configBuilder.excludeRoute(InetNetwork(address, prefix_length))
         return true
     }
 

client/android/openvpn/src/main/kotlin/org/amnezia/vpn/protocol/openvpn/OpenVpnConfig.kt

@@ -11,7 +11,7 @@ class OpenVpnConfig private constructor(
     class Builder : ProtocolConfig.Builder(false) {
         override var mtu: Int = OPENVPN_DEFAULT_MTU
 
-        override fun build(): OpenVpnConfig = OpenVpnConfig(this)
+        override fun build(): OpenVpnConfig = configBuild().run { OpenVpnConfig(this@Builder) }
     }
 
     companion object {

client/android/protocolApi/src/main/kotlin/Protocol.kt

@@ -14,8 +14,6 @@ import java.util.zip.ZipFile
 import kotlinx.coroutines.flow.MutableStateFlow
 import org.amnezia.vpn.util.Log
 import org.amnezia.vpn.util.net.InetNetwork
-import org.amnezia.vpn.util.net.IpRange
-import org.amnezia.vpn.util.net.IpRangeSet
 import org.json.JSONObject
 
 private const val TAG = "Protocol"
@@ -53,40 +51,16 @@ abstract class Protocol {
         val splitTunnelType = config.optInt("splitTunnelType")
         if (splitTunnelType == SPLIT_TUNNEL_DISABLE) return
         val splitTunnelSites = config.getJSONArray("splitTunnelSites")
-        when (splitTunnelType) {
-            SPLIT_TUNNEL_INCLUDE -> {
-                // remove default routes, if any
-                removeRoute(InetNetwork("0.0.0.0", 0))
-                removeRoute(InetNetwork("::", 0))
-                // add routes from config
-                for (i in 0 until splitTunnelSites.length()) {
-                    val address = InetNetwork.parse(splitTunnelSites.getString(i))
-                    addRoute(address)
-                }
-            }
+        val addressHandlerFunc = when (splitTunnelType) {
+            SPLIT_TUNNEL_INCLUDE -> ::includeAddress
+            SPLIT_TUNNEL_EXCLUDE -> ::excludeAddress
 
-            SPLIT_TUNNEL_EXCLUDE -> {
-                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
-                    // exclude routes from config
-                    for (i in 0 until splitTunnelSites.length()) {
-                        val address = InetNetwork.parse(splitTunnelSites.getString(i))
-                        excludeRoute(address)
-                    }
-                } else {
-                    // For older versions of Android, build a list of subnets without excluded addresses
-                    val ipRangeSet = IpRangeSet()
-                    ipRangeSet.remove(IpRange("127.0.0.0", 8))
-                    for (i in 0 until splitTunnelSites.length()) {
-                        val address = InetNetwork.parse(splitTunnelSites.getString(i))
-                        ipRangeSet.remove(IpRange(address))
-                    }
-                    // remove default routes, if any
-                    removeRoute(InetNetwork("0.0.0.0", 0))
-                    removeRoute(InetNetwork("::", 0))
-                    ipRangeSet.subnets().forEach(::addRoute)
-                    addRoute(InetNetwork("2000::", 3))
-                }
-            }
+            else -> throw BadConfigException("Unexpected value of the 'splitTunnelType' parameter: $splitTunnelType")
+        }
+
+        for (i in 0 until splitTunnelSites.length()) {
+            val address = InetNetwork.parse(splitTunnelSites.getString(i))
+            addressHandlerFunc(address)
         }
     }
 

client/android/protocolApi/src/main/kotlin/ProtocolConfig.kt

@@ -5,6 +5,8 @@ import android.os.Build
 import androidx.annotation.RequiresApi
 import java.net.InetAddress
 import org.amnezia.vpn.util.net.InetNetwork
+import org.amnezia.vpn.util.net.IpRange
+import org.amnezia.vpn.util.net.IpRangeSet
 
 open class ProtocolConfig protected constructor(
     val addresses: Set<InetNetwork>,
@@ -12,6 +14,8 @@ open class ProtocolConfig protected constructor(
     val searchDomain: String?,
     val routes: Set<InetNetwork>,
     val excludedRoutes: Set<InetNetwork>,
+    val includedAddresses: Set<InetNetwork>,
+    val excludedAddresses: Set<InetNetwork>,
     val excludedApplications: Set<String>,
     val httpProxy: ProxyInfo?,
     val allowAllAF: Boolean,
@@ -25,6 +29,8 @@ open class ProtocolConfig protected constructor(
         builder.searchDomain,
         builder.routes,
         builder.excludedRoutes,
+        builder.includedAddresses,
+        builder.excludedAddresses,
         builder.excludedApplications,
         builder.httpProxy,
         builder.allowAllAF,
@@ -37,6 +43,8 @@ open class ProtocolConfig protected constructor(
         internal val dnsServers: MutableSet<InetAddress> = hashSetOf()
         internal val routes: MutableSet<InetNetwork> = hashSetOf()
         internal val excludedRoutes: MutableSet<InetNetwork> = hashSetOf()
+        internal val includedAddresses: MutableSet<InetNetwork> = hashSetOf()
+        internal val excludedAddresses: MutableSet<InetNetwork> = hashSetOf()
         internal val excludedApplications: MutableSet<String> = hashSetOf()
 
         internal var searchDomain: String? = null
@@ -71,12 +79,15 @@ open class ProtocolConfig protected constructor(
         fun removeRoute(route: InetNetwork) = apply { this.routes.remove(route) }
         fun clearRoutes() = apply { this.routes.clear() }
 
-        @RequiresApi(Build.VERSION_CODES.TIRAMISU)
         fun excludeRoute(route: InetNetwork) = apply { this.excludedRoutes += route }
-
-        @RequiresApi(Build.VERSION_CODES.TIRAMISU)
         fun excludeRoutes(routes: Collection<InetNetwork>) = apply { this.excludedRoutes += routes }
 
+        fun includeAddress(addr: InetNetwork) = apply { this.includedAddresses += addr }
+        fun includeAddresses(addresses: Collection<InetNetwork>) = apply { this.includedAddresses += addresses }
+
+        fun excludeAddress(addr: InetNetwork) = apply { this.excludedAddresses += addr }
+        fun excludeAddresses(addresses: Collection<InetNetwork>) = apply { this.excludedAddresses += addresses }
+
         fun excludeApplication(application: String) = apply { this.excludedApplications += application }
         fun excludeApplications(applications: Collection<String>) = apply { this.excludedApplications += applications }
 
@@ -91,6 +102,48 @@ open class ProtocolConfig protected constructor(
 
         fun setMtu(mtu: Int) = apply { this.mtu = mtu }
 
+        private fun processSplitTunneling() {
+            if (includedAddresses.isNotEmpty() && excludedAddresses.isNotEmpty()) {
+                throw BadConfigException("Config contains addresses for inclusive and exclusive split tunneling at the same time")
+            }
+
+            if (includedAddresses.isNotEmpty()) {
+                // remove default routes, if any
+                removeRoute(InetNetwork("0.0.0.0", 0))
+                removeRoute(InetNetwork("::", 0))
+                if (Build.VERSION.SDK_INT < Build.VERSION_CODES.TIRAMISU) {
+                    // for older versions of Android, add the default route to the excluded routes
+                    // to correctly build the excluded subnets list later
+                    excludeRoute(InetNetwork("0.0.0.0", 0))
+                }
+                addRoutes(includedAddresses)
+            } else if (excludedAddresses.isNotEmpty()) {
+                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+                    // default routes are required for split tunneling in newer versions of Android
+                    addRoute(InetNetwork("0.0.0.0", 0))
+                    addRoute(InetNetwork("::", 0))
+                }
+                excludeRoutes(excludedAddresses)
+            }
+        }
+
+        private fun processExcludedRoutes() {
+            if (Build.VERSION.SDK_INT < Build.VERSION_CODES.TIRAMISU) {
+                // for older versions of Android, build a list of subnets without excluded routes
+                // and add them to routes
+                val ipRangeSet = IpRangeSet()
+                ipRangeSet.remove(IpRange("127.0.0.0", 8))
+                excludedRoutes.forEach {
+                    ipRangeSet.remove(IpRange(it))
+                }
+                // remove default routes, if any
+                removeRoute(InetNetwork("0.0.0.0", 0))
+                removeRoute(InetNetwork("::", 0))
+                ipRangeSet.subnets().forEach(::addRoute)
+                addRoute(InetNetwork("2000::", 3))
+            }
+        }
+
         private fun validate() {
             val errorMessage = StringBuilder()
 
@@ -103,7 +156,13 @@ open class ProtocolConfig protected constructor(
             if (errorMessage.isNotEmpty()) throw BadConfigException(errorMessage.toString())
         }
 
-        open fun build(): ProtocolConfig = validate().run { ProtocolConfig(this@Builder) }
+        protected fun configBuild() {
+            processSplitTunneling()
+            processExcludedRoutes()
+            validate()
+        }
+
+        open fun build(): ProtocolConfig = configBuild().run { ProtocolConfig(this@Builder) }
     }
 
     companion object {

client/android/src/org/amnezia/vpn/AmneziaActivity.kt

@@ -64,6 +64,7 @@ class AmneziaActivity : QtActivity() {
 
                     ServiceEvent.DISCONNECTED -> {
                         QtAndroidController.onVpnDisconnected()
+                        doUnbindService()
                     }
 
                     ServiceEvent.RECONNECTING -> {

client/android/wireguard/src/main/kotlin/org/amnezia/vpn/protocol/wireguard/Wireguard.kt

@@ -99,7 +99,10 @@ open class Wireguard : Protocol() {
     }
 
     protected fun WireguardConfig.Builder.configWireguard(configData: Map<String, String>) {
-        configData["Address"]?.let { addAddress(InetNetwork.parse(it)) }
+        configData["Address"]?.split(",")?.map { address ->
+            InetNetwork.parse(address.trim())
+        }?.forEach(::addAddress)
+
         configData["DNS"]?.split(",")?.map { dns ->
             parseInetAddress(dns.trim())
         }?.forEach(::addDnsServer)

client/android/wireguard/src/main/kotlin/org/amnezia/vpn/protocol/wireguard/WireguardConfig.kt

@@ -75,7 +75,7 @@ open class WireguardConfig protected constructor(
 
         fun setPrivateKeyHex(privateKeyHex: String) = apply { this.privateKeyHex = privateKeyHex }
 
-        override fun build(): WireguardConfig = WireguardConfig(this)
+        override fun build(): WireguardConfig = configBuild().run { WireguardConfig(this@Builder) }
     }
 
     companion object {

client/containers/containers_defs.cpp

@@ -98,11 +98,11 @@ QMap<DockerContainer, QString> ContainerProps::containerDescriptions()
                QObject::tr("OpenVPN is the most popular VPN protocol, with flexible configuration options. It uses its "
                            "own security protocol with SSL/TLS for key exchange.") },
              { DockerContainer::ShadowSocks,
-               QObject::tr("ShadowSocks - masks VPN traffic, making it similar to normal web traffic, but is "
-                           "recognised by analysis systems in some highly censored regions.") },
+               QObject::tr("ShadowSocks - masks VPN traffic, making it similar to normal web traffic, but it "
+                           "may be recognized by analysis systems in some highly censored regions.") },
              { DockerContainer::Cloak,
                QObject::tr("OpenVPN over Cloak - OpenVPN with VPN masquerading as web traffic and protection against "
-                           "active-probbing detection. Ideal for bypassing blocking in regions with the highest levels "
+                           "active-probing detection. Ideal for bypassing blocking in regions with the highest levels "
                            "of censorship.") },
              { DockerContainer::WireGuard,
                QObject::tr("WireGuard - New popular VPN protocol with high performance, high speed and low power "
@@ -119,7 +119,7 @@ QMap<DockerContainer, QString> ContainerProps::containerDescriptions()
              { DockerContainer::Dns,
                QObject::tr("Replace the current DNS server with your own. This will increase your privacy level.") },
              { DockerContainer::Sftp,
-               QObject::tr("Creates a file vault on your server to securely store and transfer files.") } };
+               QObject::tr("Create a file vault on your server to securely store and transfer files.") } };
 }
 
 QMap<DockerContainer, QString> ContainerProps::containerDetailedDescriptions()
@@ -153,8 +153,8 @@ QMap<DockerContainer, QString> ContainerProps::containerDetailedDescriptions()
                       "* Works over TCP network protocol.") },
         { DockerContainer::Cloak,
           QObject::tr("This is a combination of the OpenVPN protocol and the Cloak plugin designed specifically for "
-                      "blocking protection.\n\n"
-                      "OpenVPN provides a secure VPN connection by encrypting all Internet traffic between the client "
+                      "protecting against blocking.\n\n"
+                      "OpenVPN provides a secure VPN connection by encrypting all internet traffic between the client "
                       "and the server.\n\n"
                       "Cloak protects OpenVPN from detection and blocking. \n\n"
                       "Cloak can modify packet metadata so that it completely masks VPN traffic as normal web traffic, "
@@ -172,7 +172,7 @@ QMap<DockerContainer, QString> ContainerProps::containerDetailedDescriptions()
                       "* Works over TCP network protocol, 443 port.\n") },
         { DockerContainer::WireGuard,
           QObject::tr("A relatively new popular VPN protocol with a simplified architecture.\n"
-                      "Provides stable VPN connection, high performance on all devices. Uses hard-coded encryption "
+                      "WireGuard provides stable VPN connection and high performance on all devices. It uses hard-coded encryption "
                       "settings. WireGuard compared to OpenVPN has lower latency and better data transfer throughput.\n"
                       "WireGuard is very susceptible to blocking due to its distinct packet signatures. "
                       "Unlike some other VPN protocols that employ obfuscation techniques, "

client/core/defs.h

@@ -4,77 +4,92 @@
 #include <QMetaEnum>
 #include <QObject>
 
-namespace amnezia {
-
-constexpr const qint16 qrMagicCode = 1984;
-
-struct ServerCredentials
+namespace amnezia
 {
-    QString hostName;
-    QString userName;
-    QString secretData;
-    int port = 22;
 
-    bool isValid() const { return !hostName.isEmpty() && !userName.isEmpty() && !secretData.isEmpty() && port > 0; }
-};
+    constexpr const qint16 qrMagicCode = 1984;
 
-enum ErrorCode
-{
-    // General error codes
-    NoError = 0,
-    UnknownError,
-    InternalError,
-    NotImplementedError,
+    struct ServerCredentials
+    {
+        QString hostName;
+        QString userName;
+        QString secretData;
+        int port = 22;
 
-    // Server errors
-    ServerCheckFailed,
-    ServerPortAlreadyAllocatedError,
-    ServerContainerMissingError,
-    ServerDockerFailedError,
-    ServerCancelInstallation,
-    ServerUserNotInSudo,
-    ServerPacketManagerError,
+        bool isValid() const
+        {
+            return !hostName.isEmpty() && !userName.isEmpty() && !secretData.isEmpty() && port > 0;
+        }
+    };
 
-    // Ssh connection errors
-    SshRequestDeniedError, SshInterruptedError, SshInternalError,
-    SshPrivateKeyError, SshPrivateKeyFormatError, SshTimeoutError,
+    enum ErrorCode {
+        // General error codes
+        NoError = 0,
+        UnknownError = 100,
+        InternalError = 101,
+        NotImplementedError = 102,
 
-    // Ssh sftp errors
-    SshSftpEofError, SshSftpNoSuchFileError, SshSftpPermissionDeniedError,
-    SshSftpFailureError, SshSftpBadMessageError, SshSftpNoConnectionError,
-    SshSftpConnectionLostError, SshSftpOpUnsupportedError, SshSftpInvalidHandleError,
-    SshSftpNoSuchPathError, SshSftpFileAlreadyExistsError, SshSftpWriteProtectError,
-    SshSftpNoMediaError,
+        // Server errors
+        ServerCheckFailed = 200,
+        ServerPortAlreadyAllocatedError = 201,
+        ServerContainerMissingError = 202,
+        ServerDockerFailedError = 203,
+        ServerCancelInstallation = 204,
+        ServerUserNotInSudo = 205,
+        ServerPacketManagerError = 206,
 
-    // Local errors
-    OpenVpnConfigMissing,
-    OpenVpnManagementServerError,
-    ConfigMissing,
+        // Ssh connection errors
+        SshRequestDeniedError = 300,
+        SshInterruptedError = 301,
+        SshInternalError = 302,
+        SshPrivateKeyError = 303,
+        SshPrivateKeyFormatError = 304,
+        SshTimeoutError = 305,
 
-    // Distro errors
-    OpenVpnExecutableMissing,
-    ShadowSocksExecutableMissing,
-    CloakExecutableMissing,
-    AmneziaServiceConnectionFailed,
-    ExecutableMissing,
+        // Ssh sftp errors
+        SshSftpEofError = 400,
+        SshSftpNoSuchFileError = 401,
+        SshSftpPermissionDeniedError = 402,
+        SshSftpFailureError = 403,
+        SshSftpBadMessageError = 404,
+        SshSftpNoConnectionError = 405,
+        SshSftpConnectionLostError = 406,
+        SshSftpOpUnsupportedError = 407,
+        SshSftpInvalidHandleError = 408,
+        SshSftpNoSuchPathError = 409,
+        SshSftpFileAlreadyExistsError = 410,
+        SshSftpWriteProtectError = 411,
+        SshSftpNoMediaError = 412,
 
-    // VPN errors
-    OpenVpnAdaptersInUseError,
-    OpenVpnUnknownError,
-    OpenVpnTapAdapterError,
-    AddressPoolError,
+        // Local errors
+        OpenVpnConfigMissing = 500,
+        OpenVpnManagementServerError = 501,
+        ConfigMissing = 502,
 
-    // 3rd party utils errors
-    OpenSslFailed,
-    ShadowSocksExecutableCrashed,
-    CloakExecutableCrashed,
+        // Distro errors
+        OpenVpnExecutableMissing = 600,
+        ShadowSocksExecutableMissing = 601,
+        CloakExecutableMissing = 602,
+        AmneziaServiceConnectionFailed = 603,
+        ExecutableMissing = 604,
 
-    // import and install errors
-    ImportInvalidConfigError,
+        // VPN errors
+        OpenVpnAdaptersInUseError = 700,
+        OpenVpnUnknownError = 701,
+        OpenVpnTapAdapterError = 702,
+        AddressPoolError = 703,
 
-    // Android errors
-    AndroidError
-};
+        // 3rd party utils errors
+        OpenSslFailed = 800,
+        ShadowSocksExecutableCrashed = 801,
+        CloakExecutableCrashed = 802,
+
+        // import and install errors
+        ImportInvalidConfigError = 900,
+
+        // Android errors
+        AndroidError = 1000
+    };
 
 } // namespace amnezia
 

client/core/errorstrings.cpp

@@ -2,70 +2,74 @@
 
 using namespace amnezia;
 
-QString errorString(ErrorCode code){
+QString errorString(ErrorCode code) {
+    QString errorMessage;
+
     switch (code) {
 
     // General error codes
-    case(NoError): return QObject::tr("No error");
-    case(UnknownError): return QObject::tr("Unknown Error");
-    case(NotImplementedError): return QObject::tr("Function not implemented");
+    case(NoError): errorMessage = QObject::tr("No error"); break;
+    case(UnknownError): errorMessage = QObject::tr("Unknown Error"); break;
+    case(NotImplementedError): errorMessage = QObject::tr("Function not implemented"); break;
 
     // Server errors
-    case(ServerCheckFailed): return QObject::tr("Server check failed");
-    case(ServerPortAlreadyAllocatedError): return QObject::tr("Server port already used. Check for another software");
-    case(ServerContainerMissingError): return QObject::tr("Server error: Docker container missing");
-    case(ServerDockerFailedError): return QObject::tr("Server error: Docker failed");
-    case(ServerCancelInstallation): return QObject::tr("Installation canceled by user");
-    case(ServerUserNotInSudo): return QObject::tr("The user does not have permission to use sudo");
+    case(ServerCheckFailed): errorMessage = QObject::tr("Server check failed"); break;
+    case(ServerPortAlreadyAllocatedError): errorMessage = QObject::tr("Server port already used. Check for another software"); break;
+    case(ServerContainerMissingError): errorMessage = QObject::tr("Server error: Docker container missing"); break;
+    case(ServerDockerFailedError): errorMessage = QObject::tr("Server error: Docker failed"); break;
+    case(ServerCancelInstallation): errorMessage = QObject::tr("Installation canceled by user"); break;
+    case(ServerUserNotInSudo): errorMessage = QObject::tr("The user does not have permission to use sudo"); break;
 
     // Libssh errors
-    case(SshRequestDeniedError): return QObject::tr("Ssh request was denied");
-    case(SshInterruptedError): return QObject::tr("Ssh request was interrupted");
-    case(SshInternalError): return QObject::tr("Ssh internal error");
-    case(SshPrivateKeyError): return QObject::tr("Invalid private key or invalid passphrase entered");
-    case(SshPrivateKeyFormatError): return QObject::tr("The selected private key format is not supported, use openssh ED25519 key types or PEM key types");
-    case(SshTimeoutError): return QObject::tr("Timeout connecting to server");
+    case(SshRequestDeniedError): errorMessage = QObject::tr("Ssh request was denied"); break;
+    case(SshInterruptedError): errorMessage = QObject::tr("Ssh request was interrupted"); break;
+    case(SshInternalError): errorMessage = QObject::tr("Ssh internal error"); break;
+    case(SshPrivateKeyError): errorMessage = QObject::tr("Invalid private key or invalid passphrase entered"); break;
+    case(SshPrivateKeyFormatError): errorMessage = QObject::tr("The selected private key format is not supported, use openssh ED25519 key types or PEM key types"); break;
+    case(SshTimeoutError): errorMessage = QObject::tr("Timeout connecting to server"); break;
 
     // Libssh sftp errors
-    case(SshSftpEofError): return QObject::tr("Sftp error: End-of-file encountered");
-    case(SshSftpNoSuchFileError): return QObject::tr("Sftp error: File does not exist");
-    case(SshSftpPermissionDeniedError): return QObject::tr("Sftp error: Permission denied");
-    case(SshSftpFailureError): return QObject::tr("Sftp error: Generic failure");
-    case(SshSftpBadMessageError): return QObject::tr("Sftp error: Garbage received from server");
-    case(SshSftpNoConnectionError): return QObject::tr("Sftp error: No connection has been set up");
-    case(SshSftpConnectionLostError): return QObject::tr("Sftp error: There was a connection, but we lost it");
-    case(SshSftpOpUnsupportedError): return QObject::tr("Sftp error: Operation not supported by libssh yet");
-    case(SshSftpInvalidHandleError): return QObject::tr("Sftp error: Invalid file handle");
-    case(SshSftpNoSuchPathError): return QObject::tr("Sftp error: No such file or directory path exists");
-    case(SshSftpFileAlreadyExistsError): return QObject::tr("Sftp error: An attempt to create an already existing file or directory has been made");
-    case(SshSftpWriteProtectError): return QObject::tr("Sftp error: Write-protected filesystem");
-    case(SshSftpNoMediaError): return QObject::tr("Sftp error: No media was in remote drive");
+    case(SshSftpEofError): errorMessage = QObject::tr("Sftp error: End-of-file encountered"); break;
+    case(SshSftpNoSuchFileError): errorMessage = QObject::tr("Sftp error: File does not exist"); break;
+    case(SshSftpPermissionDeniedError): errorMessage = QObject::tr("Sftp error: Permission denied"); break;
+    case(SshSftpFailureError): errorMessage = QObject::tr("Sftp error: Generic failure"); break;
+    case(SshSftpBadMessageError): errorMessage = QObject::tr("Sftp error: Garbage received from server"); break;
+    case(SshSftpNoConnectionError): errorMessage = QObject::tr("Sftp error: No connection has been set up"); break;
+    case(SshSftpConnectionLostError): errorMessage = QObject::tr("Sftp error: There was a connection, but we lost it"); break;
+    case(SshSftpOpUnsupportedError): errorMessage = QObject::tr("Sftp error: Operation not supported by libssh yet"); break;
+    case(SshSftpInvalidHandleError): errorMessage = QObject::tr("Sftp error: Invalid file handle"); break;
+    case(SshSftpNoSuchPathError): errorMessage = QObject::tr("Sftp error: No such file or directory path exists"); break;
+    case(SshSftpFileAlreadyExistsError): errorMessage = QObject::tr("Sftp error: An attempt to create an already existing file or directory has been made"); break;
+    case(SshSftpWriteProtectError): errorMessage = QObject::tr("Sftp error: Write-protected filesystem"); break;
+    case(SshSftpNoMediaError): errorMessage = QObject::tr("Sftp error: No media was in remote drive"); break;
 
     // Local errors
-    case (OpenVpnConfigMissing): return QObject::tr("OpenVPN config missing");
-    case (OpenVpnManagementServerError): return QObject::tr("OpenVPN management server error");
+    case (OpenVpnConfigMissing): errorMessage = QObject::tr("OpenVPN config missing"); break;
+    case (OpenVpnManagementServerError): errorMessage = QObject::tr("OpenVPN management server error"); break;
 
     // Distro errors
-    case (OpenVpnExecutableMissing): return QObject::tr("OpenVPN executable missing");
-    case (ShadowSocksExecutableMissing): return QObject::tr("ShadowSocks (ss-local) executable missing");
-    case (CloakExecutableMissing): return QObject::tr("Cloak (ck-client) executable missing");
-    case (AmneziaServiceConnectionFailed): return QObject::tr("Amnezia helper service error");
-    case (OpenSslFailed): return QObject::tr("OpenSSL failed");
+    case (OpenVpnExecutableMissing): errorMessage = QObject::tr("OpenVPN executable missing"); break;
+    case (ShadowSocksExecutableMissing): errorMessage = QObject::tr("ShadowSocks (ss-local) executable missing"); break;
+    case (CloakExecutableMissing): errorMessage = QObject::tr("Cloak (ck-client) executable missing"); break;
+    case (AmneziaServiceConnectionFailed): errorMessage = QObject::tr("Amnezia helper service error"); break;
+    case (OpenSslFailed): errorMessage = QObject::tr("OpenSSL failed"); break;
 
     // VPN errors
-    case (OpenVpnAdaptersInUseError): return QObject::tr("Can't connect: another VPN connection is active");
-    case (OpenVpnTapAdapterError): return QObject::tr("Can't setup OpenVPN TAP network adapter");
-    case (AddressPoolError): return QObject::tr("VPN pool error: no available addresses");
+    case (OpenVpnAdaptersInUseError): errorMessage = QObject::tr("Can't connect: another VPN connection is active"); break;
+    case (OpenVpnTapAdapterError): errorMessage = QObject::tr("Can't setup OpenVPN TAP network adapter"); break;
+    case (AddressPoolError): errorMessage = QObject::tr("VPN pool error: no available addresses"); break;
 
-    case (ImportInvalidConfigError): return QObject::tr("The config does not contain any containers and credentials for connecting to the server");
+    case (ImportInvalidConfigError): errorMessage = QObject::tr("The config does not contain any containers and credentials for connecting to the server"); break;
 
     // Android errors
-    case (AndroidError): return QObject::tr("VPN connection error");
+    case (AndroidError): errorMessage = QObject::tr("VPN connection error"); break;
 
     case(InternalError):
     default:
-        return QObject::tr("Internal error");
+        errorMessage = QObject::tr("Internal error"); break;
     }
+
+    return QObject::tr("ErrorCode: %1. ").arg(code) + errorMessage;
 }
 
 QDebug operator<<(QDebug debug, const ErrorCode &e)

client/logger.cpp

@@ -29,7 +29,7 @@ void debugMessageHandler(QtMsgType type, const QMessageLogContext& context, cons
     }
 
     // Skip annoying messages from Qt
-    if (msg.startsWith("Unknown property") || msg.startsWith("Could not create pixmap") || msg.startsWith("Populating font")) {
+    if (msg.startsWith("Unknown property") || msg.startsWith("Could not create pixmap") || msg.startsWith("Populating font") || msg.startsWith("stale focus object")) {
         return;
     }
 

client/platforms/ios/MobileUtils.mm

@@ -43,6 +43,7 @@ bool MobileUtils::shareText(const QStringList& filesToSend) {
     UIPopoverPresentationController *popController = activityController.popoverPresentationController;
     if (popController) {
         popController.sourceView = qtController.view;
+        popController.sourceRect = CGRectMake(100, 100, 100, 100);
     }
     
     QEventLoop wait;

client/platforms/ios/ios_controller.mm

@@ -249,8 +249,107 @@ void IosController::vpnStatusDidChange(void *pNotification)
     NETunnelProviderSession *session = (NETunnelProviderSession *)pNotification;
 
     if (session /* && session == TunnelManager.session */ ) {
-       qDebug() << "IosController::vpnStatusDidChange" << iosStatusToState(session.status) << session;
-       emit connectionStateChanged(iosStatusToState(session.status));
+        qDebug() << "IosController::vpnStatusDidChange" << iosStatusToState(session.status) << session;
+       
+        if (session.status == NEVPNStatusDisconnected) {
+            if (@available(iOS 16.0, *)) {
+                [session fetchLastDisconnectErrorWithCompletionHandler:^(NSError * _Nullable error) {
+                    if (error != nil) {
+                        qDebug() << "Disconnect error" << error.domain << error.code << error.localizedDescription;
+                        
+                        if ([error.domain isEqualToString:NEVPNConnectionErrorDomain]) {
+                            switch (error.code) {
+                                case NEVPNConnectionErrorOverslept:
+                                    qDebug() << "Disconnect error info" << "The VPN connection was terminated because the system slept for an extended period of time.";
+                                    break;
+                                case NEVPNConnectionErrorNoNetworkAvailable:
+                                    qDebug() << "Disconnect error info" << "The VPN connection could not be established because the system is not connected to a network.";
+                                    break;
+                                case NEVPNConnectionErrorUnrecoverableNetworkChange:
+                                    qDebug() << "Disconnect error info" << "The VPN connection was terminated because the network conditions changed in such a way that the VPN connection could not be maintained.";
+                                    break;
+                                case NEVPNConnectionErrorConfigurationFailed:
+                                    qDebug() << "Disconnect error info" << "The VPN connection could not be established because the configuration is invalid. ";
+                                    break;
+                                case NEVPNConnectionErrorServerAddressResolutionFailed:
+                                    qDebug() << "Disconnect error info" << "The address of the VPN server could not be determined.";
+                                    break;
+                                case NEVPNConnectionErrorServerNotResponding:
+                                    qDebug() << "Disconnect error info" << "Network communication with the VPN server has failed.";
+                                    break;
+                                case NEVPNConnectionErrorServerDead:
+                                    qDebug() << "Disconnect error info" << "The VPN server is no longer functioning.";
+                                    break;
+                                case NEVPNConnectionErrorAuthenticationFailed:
+                                    qDebug() << "Disconnect error info" << "The user credentials were rejected by the VPN server.";
+                                    break;
+                                case NEVPNConnectionErrorClientCertificateInvalid:
+                                    qDebug() << "Disconnect error info" << "The client certificate is invalid.";
+                                    break;
+                                case NEVPNConnectionErrorClientCertificateNotYetValid:
+                                    qDebug() << "Disconnect error info" << "The client certificate will not be valid until some future point in time.";
+                                    break;
+                                case NEVPNConnectionErrorClientCertificateExpired:
+                                    qDebug() << "Disconnect error info" << "The validity period of the client certificate has passed.";
+                                    break;
+                                case NEVPNConnectionErrorPluginFailed:
+                                    qDebug() << "Disconnect error info" << "The VPN plugin died unexpectedly.";
+                                    break;
+                                case NEVPNConnectionErrorConfigurationNotFound:
+                                    qDebug() << "Disconnect error info" << "The VPN configuration could not be found.";
+                                    break;
+                                case NEVPNConnectionErrorPluginDisabled:
+                                    qDebug() << "Disconnect error info" << "The VPN plugin could not be found or needed to be updated.";
+                                    break;
+                                case NEVPNConnectionErrorNegotiationFailed:
+                                    qDebug() << "Disconnect error info" << "The VPN protocol negotiation failed.";
+                                    break;
+                                case NEVPNConnectionErrorServerDisconnected:
+                                    qDebug() << "Disconnect error info" << "The VPN server terminated the connection.";
+                                    break;
+                                case NEVPNConnectionErrorServerCertificateInvalid:
+                                    qDebug() << "Disconnect error info" << "The server certificate is invalid.";
+                                    break;
+                                case NEVPNConnectionErrorServerCertificateNotYetValid:
+                                    qDebug() << "Disconnect error info" << "The server certificate will not be valid until some future point in time.";
+                                    break;
+                                case NEVPNConnectionErrorServerCertificateExpired:
+                                    qDebug() << "Disconnect error info" << "The validity period of the server certificate has passed.";
+                                    break;
+                                default:
+                                    qDebug() << "Disconnect error info" << "Unknown code.";
+                                    break;
+                            }
+                        }
+                        
+                        NSError *underlyingError = error.userInfo[@"NSUnderlyingError"];
+                        if (underlyingError != nil) {
+                            qDebug() << "Disconnect underlying error" << underlyingError.domain << underlyingError.code << underlyingError.localizedDescription;
+                            
+                            if ([underlyingError.domain isEqualToString:@"NEAgentErrorDomain"]) {
+                                switch (underlyingError.code) {
+                                    case 1:
+                                        qDebug() << "Disconnect underlying error" << "General. Use sysdiagnose.";
+                                        break;
+                                    case 2:
+                                        qDebug() << "Disconnect underlying error" << "Plug-in unavailable. Use sysdiagnose.";
+                                        break;
+                                    default:
+                                        qDebug() << "Disconnect underlying error" << "Unknown code. Use sysdiagnose.";
+                                        break;
+                                }
+                            }
+                        }
+                    } else {
+                        qDebug() << "Disconnect error is absent";
+                    }
+                }];
+            } else {
+                qDebug() << "Disconnect error is unavailable on iOS < 16.0";
+            }
+        }
+        
+        emit connectionStateChanged(iosStatusToState(session.status));
     }
 }
 
@@ -352,6 +451,15 @@ bool IosController::startWireGuard(const QString &config)
 
 void IosController::startTunnel()
 {
+    NSString *protocolName = @"Unknown";
+    
+    NETunnelProviderProtocol *tunnelProtocol = (NETunnelProviderProtocol *)m_currentTunnel.protocolConfiguration;
+    if (tunnelProtocol.providerConfiguration[@"wireguard"] != nil) {
+        protocolName = @"WireGuard";
+    } else if (tunnelProtocol.providerConfiguration[@"ovpn"] != nil) {
+        protocolName = @"OpenVPN";
+    }
+    
     m_rxBytes = 0;
     m_txBytes = 0;
     
@@ -373,7 +481,7 @@ void IosController::startTunnel()
 
             [m_currentTunnel loadFromPreferencesWithCompletionHandler:^(NSError *loadError) {
                     if (loadError) {
-                        qDebug() << "IosController::startOpenVPN : Connect OpenVPN Tunnel Load Error" << loadError.localizedDescription.UTF8String;
+                        qDebug().nospace() << "IosController::start" << protocolName << ": Connect " << protocolName << " Tunnel Load Error" << loadError.localizedDescription.UTF8String;
                         emit connectionStateChanged(Vpn::ConnectionState::Error);
                         return;
                     }
@@ -401,11 +509,11 @@ void IosController::startTunnel()
                     BOOL started = [m_currentTunnel.connection startVPNTunnelWithOptions:nil andReturnError:&startError];
 
                     if (!started || startError) {
-                        qDebug() << "IosController::startOpenVPN : Connect OpenVPN Tunnel Start Error"
+                        qDebug().nospace() << "IosController::start" << protocolName << " : Connect " << protocolName << " Tunnel Start Error"
                             << (startError ? startError.localizedDescription.UTF8String : "");
                         emit connectionStateChanged(Vpn::ConnectionState::Error);
                     } else {
-                        qDebug() << "IosController::startOpenVPN : Starting the tunnel succeeded";
+                        qDebug().nospace() << "IosController::start" << protocolName << " : Starting the tunnel succeeded";
                     }
             }];
         });

client/platforms/ios/ioslogger.swift

@@ -17,41 +17,41 @@ public class Logger {
     deinit {}
 
     func log(message: String) {
-        let suiteName = "group.org.amnezia.AmneziaVPN"
-        let logKey = "logMessages"
-        let sharedDefaults = UserDefaults(suiteName: suiteName)
-        var logs = sharedDefaults?.array(forKey: logKey) as? [String] ?? []
-        logs.append(message)
-        sharedDefaults?.set(logs, forKey: logKey)
+//        let suiteName = "group.org.amnezia.AmneziaVPN"
+//        let logKey = "logMessages"
+//        let sharedDefaults = UserDefaults(suiteName: suiteName)
+//        var logs = sharedDefaults?.array(forKey: logKey) as? [String] ?? []
+//        logs.append(message)
+//        sharedDefaults?.set(logs, forKey: logKey)
     }
 
-    func writeLog(to targetFile: String) -> Bool {
+    private func writeLog(to targetFile: String) -> Bool {
         return true;
     }
 
     static func configureGlobal(tagged tag: String, withFilePath filePath: String?) {
-        if Logger.global != nil {
-            return
-        }
-
-        Logger.global = Logger(tagged: tag)
-
-        var appVersion = Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String ?? "Unknown version"
-
-        if let appBuild = Bundle.main.infoDictionary?["CFBundleVersion"] as? String {
-            appVersion += " (\(appBuild))"
-        }
-
-        Logger.global?.log(message: "App version: \(appVersion)")
+//        if Logger.global != nil {
+//            return
+//        }
+//
+//        Logger.global = Logger(tagged: tag)
+//
+//        var appVersion = Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String ?? "Unknown version"
+//
+//        if let appBuild = Bundle.main.infoDictionary?["CFBundleVersion"] as? String {
+//            appVersion += " (\(appBuild))"
+//        }
+//
+//        Logger.global?.log(message: "App version: \(appVersion)")
     }
 }
 
 func wg_log(_ type: OSLogType, staticMessage msg: StaticString) {
-    os_log(msg, log: OSLog.default, type: type)
-    Logger.global?.log(message: "\(msg)")
+//    os_log(msg, log: OSLog.default, type: type)
+//    Logger.global?.log(message: "\(msg)")
 }
 
 func wg_log(_ type: OSLogType, message msg: String) {
-    os_log("%{AMNEZIA}s", log: OSLog.default, type: type, msg)
-    Logger.global?.log(message: msg)
+//    os_log("%{AMNEZIA}s", log: OSLog.default, type: type, msg)
+//    Logger.global?.log(message: msg)
 }

client/platforms/linux/daemon/linuxfirewall.cpp

@@ -0,0 +1,518 @@
+// Copyright (c) 2023 Private Internet Access, Inc.
+//
+// This file is part of the Private Internet Access Desktop Client.
+//
+// The Private Internet Access Desktop Client is free software: you can
+// redistribute it and/or modify it under the terms of the GNU General Public
+// License as published by the Free Software Foundation, either version 3 of
+// the License, or (at your option) any later version.
+//
+// The Private Internet Access Desktop Client is distributed in the hope that
+// it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with the Private Internet Access Desktop Client.  If not, see
+// <https://www.gnu.org/licenses/>.
+
+// Copyright (c) 2024 AmneziaVPN
+// This file has been modified for AmneziaVPN
+//
+// This file is based on the work of the Private Internet Access Desktop Client.
+// The original code of the Private Internet Access Desktop Client is copyrighted (c) 2023 Private Internet Access, Inc. and licensed under GPL3.
+//
+// The modified version of this file is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this file. If not, see <https://www.gnu.org/licenses/>.
+
+#include "linuxfirewall.h"
+#include "logger.h"
+#include <QProcess>
+
+#define BRAND_CODE "amn"
+
+namespace {
+Logger logger("LinuxFirewall");
+}  // namespace
+
+namespace
+{
+const QString kAnchorName{BRAND_CODE "vpn"};
+const QString kPacketTag{"0x3211"};
+const QString kCGroupId{"0x567"};
+const QString enabledKeyTemplate = "enabled:%1:%2";
+const QString disabledKeyTemplate = "disabled:%1:%2";
+const QString kVpnGroupName = BRAND_CODE "vpn";
+QHash<QString, LinuxFirewall::FilterCallbackFunc> anchorCallbacks;
+}
+
+QString LinuxFirewall::kRtableName = QStringLiteral("%1rt").arg(kAnchorName);
+QString LinuxFirewall::kOutputChain = QStringLiteral("OUTPUT");
+QString LinuxFirewall::kPostRoutingChain = QStringLiteral("POSTROUTING");
+QString LinuxFirewall::kPreRoutingChain = QStringLiteral("PREROUTING");
+QString LinuxFirewall::kRootChain = QStringLiteral("%1.anchors").arg(kAnchorName);
+QString LinuxFirewall::kFilterTable = QStringLiteral("filter");
+QString LinuxFirewall::kNatTable = QStringLiteral("nat");
+QString LinuxFirewall::kRawTable = QStringLiteral("raw");
+QString LinuxFirewall::kMangleTable = QStringLiteral("mangle");
+
+static QString getCommand(LinuxFirewall::IPVersion ip)
+{
+    return ip == LinuxFirewall::IPv6 ? QStringLiteral("ip6tables") : QStringLiteral("iptables");
+}
+
+int LinuxFirewall::createChain(LinuxFirewall::IPVersion ip, const QString& chain, const QString& tableName)
+{
+    if (ip == Both)
+    {
+        int result4 = createChain(IPv4, chain, tableName);
+        int result6 = createChain(IPv6, chain, tableName);
+        return result4 ? result4 : result6;
+    }
+    const QString cmd = getCommand(ip);
+    return execute(QStringLiteral("%1 -N %2 -t %3 || %1 -F %2 -t %3").arg(cmd, chain, tableName));
+}
+
+int LinuxFirewall::deleteChain(LinuxFirewall::IPVersion ip, const QString& chain, const QString& tableName)
+{
+    if (ip == Both)
+    {
+        int result4 = deleteChain(IPv4, chain, tableName);
+        int result6 = deleteChain(IPv6, chain, tableName);
+        return result4 ? result4 : result6;
+    }
+    const QString cmd = getCommand(ip);
+    return execute(QStringLiteral("if %1 -L %2 -n -t %3 > /dev/null 2> /dev/null ; then %1 -F %2 -t %3 && %1 -X %2 -t %3; fi").arg(cmd, chain, tableName));
+}
+
+int LinuxFirewall::linkChain(LinuxFirewall::IPVersion ip, const QString& chain, const QString& parent, bool mustBeFirst, const QString& tableName)
+{
+    if (ip == Both)
+    {
+        int result4 = linkChain(IPv4, chain, parent, mustBeFirst, tableName);
+        int result6 = linkChain(IPv6, chain, parent, mustBeFirst, tableName);
+        return result4 ? result4 : result6;
+    }
+    const QString cmd = getCommand(ip);
+    if (mustBeFirst)
+    {
+        // This monster shell script does the following:
+        // 1. Check if a rule with the appropriate target exists at the top of the parent chain
+        // 2. If not, insert a jump rule at the top of the parent chain
+        // 3. Look for and delete a single rule with the designated target at an index > 1
+        //    (we can't safely delete all rules at once since rule numbers change)
+        // TODO: occasionally this script results in warnings in logs "Bad rule (does a matching rule exist in the chain?)" - this happens when
+        // the e.g OUTPUT chain is empty but this script attempts to delete things from it anyway. It doesn't cause any problems, but we should still fix at some point..
+        return execute(QStringLiteral("if ! %1 -L %2 -n --line-numbers -t %4 2> /dev/null | awk 'int($1) == 1 && $2 == \"%3\" { found=1 } END { if(found==1) { exit 0 } else { exit 1 } }' ; then %1 -I %2 -j %3 -t %4 && %1 -L %2 -n --line-numbers -t %4 2> /dev/null | awk 'int($1) > 1 && $2 == \"%3\" { print $1; exit }' | xargs %1 -t %4 -D %2 ; fi").arg(cmd, parent, chain, tableName));
+    }
+    else
+        return execute(QStringLiteral("if ! %1 -C %2 -j %3 -t %4 2> /dev/null ; then %1 -A %2 -j %3 -t %4; fi").arg(cmd, parent, chain, tableName));
+}
+
+int LinuxFirewall::unlinkChain(LinuxFirewall::IPVersion ip, const QString& chain, const QString& parent, const QString& tableName)
+{
+    if (ip == Both)
+    {
+        int result4 = unlinkChain(IPv4, chain, parent, tableName);
+        int result6 = unlinkChain(IPv6, chain, parent, tableName);
+        return result4 ? result4 : result6;
+    }
+    const QString cmd = getCommand(ip);
+    return execute(QStringLiteral("if %1 -C %2 -j %3 -t %4 2> /dev/null ; then %1 -D %2 -j %3 -t %4; fi").arg(cmd, parent, chain, tableName));
+}
+
+void LinuxFirewall::ensureRootAnchorPriority(LinuxFirewall::IPVersion ip)
+{
+    linkChain(ip, kRootChain, kOutputChain, true);
+}
+
+void LinuxFirewall::installAnchor(LinuxFirewall::IPVersion ip, const QString& anchor, const QStringList& rules, const QString& tableName,
+                                     const FilterCallbackFunc& enableFunc, const FilterCallbackFunc& disableFunc)
+{
+    if (ip == Both)
+    {
+        installAnchor(IPv4, anchor, rules, tableName, enableFunc, disableFunc);
+        installAnchor(IPv6, anchor, rules, tableName, enableFunc, disableFunc);
+        return;
+    }
+
+    const QString cmd = getCommand(ip);
+    const QString anchorChain = QStringLiteral("%1.a.%2").arg(kAnchorName, anchor);
+    const QString actualChain = QStringLiteral("%1.%2").arg(kAnchorName, anchor);
+
+    // Start by defining a placeholder chain, which stays locked into place
+    // in the root chain without being removed or recreated, ensuring the
+    // intended precedence order.
+    createChain(ip, anchorChain, tableName);
+    linkChain(ip, anchorChain, kRootChain, false, tableName);
+
+    if(enableFunc)
+    {
+        const QString key = enabledKeyTemplate.arg(tableName, anchor);
+        if(!anchorCallbacks.contains(key)) anchorCallbacks[key] = enableFunc;
+    }
+    if(disableFunc)
+    {
+        const QString key = disabledKeyTemplate.arg(tableName, anchor);
+        if(!anchorCallbacks.contains(key)) anchorCallbacks[key] = disableFunc;
+    }
+
+    // Create the actual rule chain, which we'll insert or remove from the
+    // placeholder anchor when needed.
+    createChain(ip, actualChain, tableName);
+    for (const QString& rule : rules)
+        execute(QStringLiteral("%1 -A %2 %3 -t %4").arg(cmd, actualChain, rule, tableName));
+}
+
+void LinuxFirewall::uninstallAnchor(LinuxFirewall::IPVersion ip, const QString& anchor, const QString& tableName)
+{
+    if (ip == Both)
+    {
+        uninstallAnchor(IPv4, anchor, tableName);
+        uninstallAnchor(IPv6, anchor, tableName);
+        return;
+    }
+
+    const QString cmd = getCommand(ip);
+    const QString anchorChain = QStringLiteral("%1.a.%2").arg(kAnchorName, anchor);
+    const QString actualChain = QStringLiteral("%1.%2").arg(kAnchorName, anchor);
+
+    unlinkChain(ip, anchorChain, kRootChain, tableName);
+    deleteChain(ip, anchorChain, tableName);
+    deleteChain(ip, actualChain, tableName);
+}
+
+QStringList LinuxFirewall::getDNSRules(const QStringList& servers)
+{
+    QStringList result;
+    for (const QString& server : servers)
+    {
+        result << QStringLiteral("-o amn0+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-o amn0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-o tun0+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-o tun0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
+    }
+    return result;
+}
+
+QStringList LinuxFirewall::getAllowRule(const QStringList& servers)
+{
+    QStringList result;
+    for (const QString& server : servers)
+    {
+        result << QStringLiteral("-d %1 -j ACCEPT").arg(server);
+    }
+    return result;
+}
+
+QStringList LinuxFirewall::getBlockRule(const QStringList& servers)
+{
+    QStringList result;
+    for (const QString& server : servers)
+    {
+        result << QStringLiteral("-d %1 -j REJECT").arg(server);
+    }
+    return result;
+}
+
+
+void LinuxFirewall::install()
+{
+    // Clean up any existing rules if they exist.
+    uninstall();
+
+    // Create a root filter chain to hold all our other anchors in order.
+    createChain(Both, kRootChain, kFilterTable);
+
+    // Create a root raw chain
+    createChain(Both, kRootChain, kRawTable);
+
+    // Create a root NAT chain
+    createChain(Both, kRootChain, kNatTable);
+
+    // Create a root Mangle chain
+    createChain(Both, kRootChain, kMangleTable);
+
+    // Install our filter rulesets in each corresponding anchor chain.
+    installAnchor(Both, QStringLiteral("000.allowLoopback"), {
+                                                                 QStringLiteral("-o lo+ -j ACCEPT"),
+                                                             });
+
+    installAnchor(IPv4, QStringLiteral("320.allowDNS"), {});
+
+    installAnchor(Both, QStringLiteral("310.blockDNS"), {
+                                                            QStringLiteral("-p udp --dport 53 -j REJECT"),
+                                                            QStringLiteral("-p tcp --dport 53 -j REJECT"),
+                                                        });
+    installAnchor(IPv4, QStringLiteral("300.allowLAN"), {
+                                                            QStringLiteral("-d 10.0.0.0/8 -j ACCEPT"),
+                                                            QStringLiteral("-d 169.254.0.0/16 -j ACCEPT"),
+                                                            QStringLiteral("-d 172.16.0.0/12 -j ACCEPT"),
+                                                            QStringLiteral("-d 192.168.0.0/16 -j ACCEPT"),
+                                                            QStringLiteral("-d 224.0.0.0/4 -j ACCEPT"),
+                                                            QStringLiteral("-d 255.255.255.255/32 -j ACCEPT"),
+                                                        });
+    installAnchor(IPv6, QStringLiteral("300.allowLAN"), {
+                                                            QStringLiteral("-d fc00::/7 -j ACCEPT"),
+                                                            QStringLiteral("-d fe80::/10 -j ACCEPT"),
+                                                            QStringLiteral("-d ff00::/8 -j ACCEPT"),
+                                                        });
+
+
+    installAnchor(IPv4, QStringLiteral("290.allowDHCP"), {
+                                                             QStringLiteral("-p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT"),
+                                                         });
+    installAnchor(IPv6, QStringLiteral("290.allowDHCP"), {
+                                                             QStringLiteral("-p udp -d ff00::/8 --sport 546 --dport 547 -j ACCEPT"),
+                                                         });
+    installAnchor(IPv6, QStringLiteral("250.blockIPv6"), {
+                                                             QStringLiteral("! -o lo+ -j REJECT"),
+                                                         });
+
+    installAnchor(Both, QStringLiteral("200.allowVPN"), {
+                                                            QStringLiteral("-o amn0+ -j ACCEPT"),
+                                                            QStringLiteral("-o tun0+ -j ACCEPT"),
+                                                        });
+
+    installAnchor(IPv4, QStringLiteral("120.blockNets"), {});
+
+    installAnchor(IPv4, QStringLiteral("110.allowNets"), {});
+
+    installAnchor(Both, QStringLiteral("100.blockAll"), {
+                                                            QStringLiteral("-j REJECT"),
+                                                        });
+    // NAT rules
+    installAnchor(Both, QStringLiteral("100.transIp"), {
+
+                                                           // Only need the original interface, not the IP.
+                                                           // The interface should remain much more stable/unchangeable than the IP
+                                                           // (IP can change when changing networks, but interface only changes if adding/removing NICs)
+                                                           // this is just a stub rule - the real rule is set at run-time
+                                                           // and updates dynamically (via replaceAnchor) when our interface changes
+                                                           // it'll take this form: "-o <interface name> -j MASQUERADE"
+                                                           QStringLiteral("-j MASQUERADE")
+                                                       }, kNatTable);
+
+    // Mangle rules
+    installAnchor(Both, QStringLiteral("100.tagPkts"), {
+                                                           QStringLiteral("-m cgroup --cgroup %1 -j MARK --set-mark %2").arg(kCGroupId, kPacketTag)
+                                                       }, kMangleTable, setupTrafficSplitting, teardownTrafficSplitting);
+
+    // A rule to mitigate CVE-2019-14899 - drop packets addressed to the local
+    // VPN IP but that are not actually received on the VPN interface.
+    // See here: https://seclists.org/oss-sec/2019/q4/122
+    installAnchor(Both, QStringLiteral("100.vpnTunOnly"), {
+                                                              // To be replaced at runtime
+                                                              QStringLiteral("-j ACCEPT")
+                                                          }, kRawTable);
+
+
+    // Insert our fitler root chain at the top of the OUTPUT chain.
+    linkChain(Both, kRootChain, kOutputChain, true, kFilterTable);
+
+    // Insert our NAT root chain at the top of the POSTROUTING chain.
+    linkChain(Both, kRootChain, kPostRoutingChain, true, kNatTable);
+
+    // Insert our Mangle root chain at the top of the OUTPUT chain.
+    linkChain(Both, kRootChain, kOutputChain, true, kMangleTable);
+
+    // Insert our Raw root chain at the top of the PREROUTING chain.
+    linkChain(Both, kRootChain, kPreRoutingChain, true, kRawTable);
+
+    setupTrafficSplitting();
+}
+
+void LinuxFirewall::uninstall()
+{
+    // Filter chain
+    unlinkChain(Both, kRootChain, kOutputChain, kFilterTable);
+    deleteChain(Both, kRootChain, kFilterTable);
+
+    // Raw chain
+    unlinkChain(Both, kRootChain, kPreRoutingChain, kRawTable);
+    deleteChain(Both, kRootChain, kRawTable);
+
+    // NAT chain
+    unlinkChain(Both, kRootChain, kPostRoutingChain, kNatTable);
+    deleteChain(Both, kRootChain, kNatTable);
+
+    // Mangle chain
+    unlinkChain(Both, kRootChain, kOutputChain, kMangleTable);
+    deleteChain(Both, kRootChain, kMangleTable);
+
+    // Remove filter anchors
+    uninstallAnchor(Both, QStringLiteral("000.allowLoopback"));
+    uninstallAnchor(Both, QStringLiteral("400.allowPIA"));
+    uninstallAnchor(IPv4, QStringLiteral("320.allowDNS"));
+    uninstallAnchor(Both, QStringLiteral("310.blockDNS"));
+    uninstallAnchor(Both, QStringLiteral("300.allowLAN"));
+    uninstallAnchor(Both, QStringLiteral("290.allowDHCP"));
+    uninstallAnchor(IPv6, QStringLiteral("250.blockIPv6"));
+    uninstallAnchor(Both, QStringLiteral("200.allowVPN"));
+    uninstallAnchor(IPv4, QStringLiteral("120.blockNets"));
+    uninstallAnchor(IPv4, QStringLiteral("110.allowNets"));
+    uninstallAnchor(Both, QStringLiteral("100.blockAll"));
+
+    // Remove Nat anchors
+    uninstallAnchor(Both, QStringLiteral("100.transIp"), kNatTable);
+
+    // Remove Mangle anchors
+    uninstallAnchor(Both, QStringLiteral("100.tagPkts"), kMangleTable);
+
+    // Remove Raw anchors
+    uninstallAnchor(Both, QStringLiteral("100.vpnTunOnly"), kRawTable);
+
+    teardownTrafficSplitting();
+
+    logger.debug() << "LinuxFirewall::uninstall() complete";
+}
+
+bool LinuxFirewall::isInstalled()
+{
+    return execute(QStringLiteral("iptables -C %1 -j %2 2> /dev/null").arg(kOutputChain, kRootChain)) == 0;
+}
+
+void LinuxFirewall::enableAnchor(LinuxFirewall::IPVersion ip, const QString &anchor, const QString& tableName)
+{
+    if (ip == Both)
+    {
+        enableAnchor(IPv4, anchor, tableName);
+        enableAnchor(IPv6, anchor, tableName);
+        return;
+    }
+    const QString cmd = getCommand(ip);
+    const QString ipStr = ip == IPv6 ? QStringLiteral("(IPv6)") : QStringLiteral("(IPv4)");
+
+    execute(QStringLiteral("if %1 -C %5.a.%2 -j %5.%2 -t %4 2> /dev/null ; then echo '%2%3: ON' ; else echo '%2%3: OFF -> ON' ; %1 -A %5.a.%2 -j %5.%2 -t %4; fi").arg(cmd, anchor, ipStr, tableName, kAnchorName));
+}
+
+void LinuxFirewall::replaceAnchor(LinuxFirewall::IPVersion ip, const QString &anchor, const QString &newRule, const QString& tableName)
+{
+    if (ip == Both)
+    {
+        replaceAnchor(IPv4, anchor, newRule, tableName);
+        replaceAnchor(IPv6, anchor, newRule, tableName);
+        return;
+    }
+    const QString cmd = getCommand(ip);
+    const QString ipStr = ip == IPv6 ? QStringLiteral("(IPv6)") : QStringLiteral("(IPv4)");
+
+    execute(QStringLiteral("%1 -R %7.%2 1 %3 -t %4 ; echo 'Replaced rule %7.%2 %5 with %6'").arg(cmd, anchor, newRule, tableName, ipStr, newRule, kAnchorName));
+}
+
+void LinuxFirewall::disableAnchor(LinuxFirewall::IPVersion ip, const QString &anchor, const QString& tableName)
+{
+    if (ip == Both)
+    {
+        disableAnchor(IPv4, anchor, tableName);
+        disableAnchor(IPv6, anchor, tableName);
+        return;
+    }
+    const QString cmd = getCommand(ip);
+    const QString ipStr = ip == IPv6 ? QStringLiteral("(IPv6)") : QStringLiteral("(IPv4)");
+    execute(QStringLiteral("if ! %1 -C %5.a.%2 -j %5.%2 -t %4 2> /dev/null ; then echo '%2%3: OFF' ; else echo '%2%3: ON -> OFF' ; %1 -F %5.a.%2 -t %4; fi").arg(cmd, anchor, ipStr, tableName, kAnchorName));
+}
+
+bool LinuxFirewall::isAnchorEnabled(LinuxFirewall::IPVersion ip, const QString &anchor, const QString& tableName)
+{
+    const QString cmd = getCommand(ip);
+    return execute(QStringLiteral("%1 -C %4.a.%2 -j %4.%2 -t %3 2> /dev/null").arg(cmd, anchor, tableName, kAnchorName)) == 0;
+}
+
+void LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPVersion ip, const QString &anchor, bool enabled, const QString &tableName)
+{
+    if (enabled)
+    {
+        enableAnchor(ip, anchor, tableName);
+        const QString key = enabledKeyTemplate.arg(tableName, anchor);
+        if(anchorCallbacks.contains(key)) anchorCallbacks[key]();
+    }
+    else
+    {
+        disableAnchor(ip, anchor, tableName);
+        const QString key = disabledKeyTemplate.arg(tableName, anchor);
+        if(anchorCallbacks.contains(key)) anchorCallbacks[key]();
+    }
+}
+
+void LinuxFirewall::updateDNSServers(const QStringList& servers)
+{
+    static QStringList existingServers {};
+
+    existingServers = servers;
+    execute(QStringLiteral("iptables -F %1.320.allowDNS").arg(kAnchorName));
+    for (const QString& rule : getDNSRules(servers))
+        execute(QStringLiteral("iptables -A %1.320.allowDNS %2").arg(kAnchorName, rule));
+}
+
+void LinuxFirewall::updateAllowNets(const QStringList& servers)
+{
+    static QStringList existingServers {};
+
+    existingServers = servers;
+    execute(QStringLiteral("iptables -F %1.110.allowNets").arg(kAnchorName));
+    for (const QString& rule : getAllowRule(servers))
+        execute(QStringLiteral("iptables -A %1.110.allowNets %2").arg(kAnchorName, rule));
+}
+
+void LinuxFirewall::updateBlockNets(const QStringList& servers)
+{
+    static QStringList existingServers {};
+
+    existingServers = servers;
+    execute(QStringLiteral("iptables -F %1.120.blockNets").arg(kAnchorName));
+    for (const QString& rule : getBlockRule(servers))
+        execute(QStringLiteral("iptables -A %1.120.blockNets %2").arg(kAnchorName, rule));
+}
+
+int waitForExitCode(QProcess& process)
+{
+    if (!process.waitForFinished() || process.error() == QProcess::FailedToStart)
+        return -2;
+    else if (process.exitStatus() != QProcess::NormalExit)
+        return -1;
+    else
+        return process.exitCode();
+}
+
+int LinuxFirewall::execute(const QString &command, bool ignoreErrors)
+{
+    QProcess p;
+    p.start(QStringLiteral("/bin/bash"), {QStringLiteral("-c"), command}, QProcess::ReadOnly);
+    p.closeWriteChannel();
+
+    int exitCode = waitForExitCode(p);
+    auto out = p.readAllStandardOutput().trimmed();
+    auto err = p.readAllStandardError().trimmed();
+    if ((exitCode != 0 || !err.isEmpty()) && !ignoreErrors)
+        logger.warning()  << "(" << exitCode << ") $ " << command;
+    else if (false)
+        logger.debug() << "(" << exitCode << ") $ " << command;
+    if (!out.isEmpty())
+        logger.info() << out;
+    if (!err.isEmpty())
+        logger.warning() << err;
+    return exitCode;
+}
+
+void LinuxFirewall::setupTrafficSplitting()
+{
+    auto cGroupDir = "/sys/fs/cgroup/net_cls/" BRAND_CODE "vpnexclusions/";
+    logger.info() << "Should be setting up cgroup in" << cGroupDir << "for traffic splitting";
+    execute(QStringLiteral("if [ ! -d %1 ] ; then mkdir %1 ; sleep 0.1 ; echo %2 > %1/net_cls.classid ; fi").arg(cGroupDir).arg(kCGroupId));
+    // Set a rule with priority 100 (lower priority than local but higher than main/default, 0 is highest priority)
+    execute(QStringLiteral("if ! ip rule list | grep -q %1 ; then ip rule add from all fwmark %1 lookup %2 pri 100 ; fi").arg(kPacketTag, kRtableName));
+}
+
+void LinuxFirewall::teardownTrafficSplitting()
+{
+    logger.info() << "Tearing down cgroup and routing rules";
+    execute(QStringLiteral("if ip rule list | grep -q %1; then ip rule del from all fwmark %1 lookup %2 2> /dev/null ; fi").arg(kPacketTag, kRtableName));
+    execute(QStringLiteral("ip route flush table %1").arg(kRtableName));
+    execute(QStringLiteral("ip route flush cache"));
+}

client/platforms/linux/daemon/linuxfirewall.h

@@ -0,0 +1,107 @@
+// Copyright (c) 2023 Private Internet Access, Inc.
+//
+// This file is part of the Private Internet Access Desktop Client.
+//
+// The Private Internet Access Desktop Client is free software: you can
+// redistribute it and/or modify it under the terms of the GNU General Public
+// License as published by the Free Software Foundation, either version 3 of
+// the License, or (at your option) any later version.
+//
+// The Private Internet Access Desktop Client is distributed in the hope that
+// it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with the Private Internet Access Desktop Client.  If not, see
+// <https://www.gnu.org/licenses/>.
+
+// Copyright (c) 2024 AmneziaVPN
+// This file has been modified for AmneziaVPN
+//
+// This file is based on the work of the Private Internet Access Desktop Client.
+// The original code of the Private Internet Access Desktop Client is copyrighted (c) 2023 Private Internet Access, Inc. and licensed under GPL3.
+//
+// The modified version of this file is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this file. If not, see <https://www.gnu.org/licenses/>.
+
+#ifndef LINUXFIREWALL_H
+#define LINUXFIREWALL_H
+
+
+#include <QString>
+#include <QStringList>
+
+// Descriptor for a set of firewall rules to be appled.
+//
+struct FirewallParams
+{
+    QStringList dnsServers;
+    QVector<QString> excludeApps; // Apps to exclude if VPN exemptions are enabled
+    QStringList allowAddrs;
+    QStringList blockAddrs;
+    // The follow flags indicate which general rulesets are needed. Note that
+    // this is after some sanity filtering, i.e. an allow rule may be listed
+    // as not needed if there were no block rules preceding it. The rulesets
+    // should be thought of as in last-match order.
+
+    bool blockAll;      // Block all traffic by default
+    bool allowVPN;      // Exempt traffic through VPN tunnel
+    bool allowDHCP;     // Exempt DHCP traffic
+    bool blockIPv6;     // Block all IPv6 traffic
+    bool allowLAN;      // Exempt LAN traffic, including IPv6 LAN traffic
+    bool blockDNS;      // Block all DNS traffic except specified DNS servers
+    bool allowPIA;      // Exempt PIA executables
+    bool allowLoopback; // Exempt loopback traffic
+    bool allowHnsd;     // Exempt Handshake DNS traffic
+    bool allowVpnExemptions; // Exempt specified traffic from the tunnel (route it over the physical uplink instead)
+    bool allowNets;
+    bool blockNets;
+};
+
+class LinuxFirewall
+{
+public:
+    enum IPVersion { IPv4, IPv6, Both };
+    // Table names
+    static QString kFilterTable, kNatTable, kMangleTable, kRtableName, kRawTable;
+public:
+    using FilterCallbackFunc = std::function<void()>;
+private:
+    static int createChain(IPVersion ip, const QString& chain, const QString& tableName = kFilterTable);
+    static int deleteChain(IPVersion ip, const QString& chain, const QString& tableName = kFilterTable);
+    static int linkChain(IPVersion ip, const QString& chain, const QString& parent, bool mustBeFirst = false, const QString& tableName = kFilterTable);
+    static int unlinkChain(IPVersion ip, const QString& chain, const QString& parent, const QString& tableName = kFilterTable);
+    static void installAnchor(IPVersion ip, const QString& anchor, const QStringList& rules, const QString& tableName = kFilterTable, const FilterCallbackFunc& enableFunc = {}, const FilterCallbackFunc& disableFunc = {});
+    static void uninstallAnchor(IPVersion ip, const QString& anchor, const QString& tableName = kFilterTable);
+    static QStringList getDNSRules(const QStringList& servers);
+    static QStringList getAllowRule(const QStringList& servers);
+    static QStringList getBlockRule(const QStringList& servers);
+    static void setupTrafficSplitting();
+    static void teardownTrafficSplitting();
+    static int execute(const QString& command, bool ignoreErrors = false);
+private:
+    // Chain names
+    static QString kOutputChain, kRootChain, kPostRoutingChain, kPreRoutingChain;
+
+public:
+    static void install();
+    static void uninstall();
+    static bool isInstalled();
+    static void ensureRootAnchorPriority(IPVersion ip = Both);
+    static void enableAnchor(IPVersion ip, const QString& anchor, const QString& tableName = kFilterTable);
+    static void disableAnchor(IPVersion ip, const QString& anchor, const QString& tableName = kFilterTable);
+    static bool isAnchorEnabled(IPVersion ip, const QString& anchor, const QString& tableName = kFilterTable);
+    static void setAnchorEnabled(IPVersion ip, const QString& anchor, bool enabled, const QString& tableName = kFilterTable);
+    static void replaceAnchor(LinuxFirewall::IPVersion ip, const QString &anchor, const QString &newRule, const QString& tableName);
+    static void updateDNSServers(const QStringList& servers);
+    static void updateAllowNets(const QStringList& servers);
+    static void updateBlockNets(const QStringList& servers);
+};
+
+#endif // LINUXFIREWALL_H

client/platforms/linux/daemon/wireguardutilslinux.cpp

@@ -11,7 +11,9 @@
 #include <QFile>
 #include <QLocalSocket>
 #include <QTimer>
+#include <QThread>
 
+#include "linuxfirewall.h"
 #include "leakdetector.h"
 #include "logger.h"
 
@@ -116,7 +118,27 @@ bool WireguardUtilsLinux::addInterface(const InterfaceConfig& config) {
     int err = uapiErrno(uapiCommand(message));
     if (err != 0) {
         logger.error() << "Interface configuration failed:" << strerror(err);
+    } else {
+        FirewallParams params { };
+        params.dnsServers.append(config.m_dnsServer);
+        if (config.m_allowedIPAddressRanges.at(0).toString() == "0.0.0.0/0"){
+            params.blockAll = true;
+            if (config.m_excludedAddresses.size()) {
+                params.allowNets = true;
+                foreach (auto net, config.m_excludedAddresses) {
+                    params.allowAddrs.append(net.toUtf8());
+                }
+            }
+        } else {
+            params.blockNets = true;
+            foreach (auto net, config.m_allowedIPAddressRanges) {
+                params.blockAddrs.append(net.toString());
+            }
+        }
+
+        applyFirewallRules(params);
     }
+
     return (err == 0);
 }
 
@@ -140,6 +162,9 @@ bool WireguardUtilsLinux::deleteInterface() {
     // Garbage collect.
     QDir wgRuntimeDir(WG_RUNTIME_DIR);
     QFile::remove(wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name"));
+
+    // double-check + ensure our firewall is installed and enabled
+    LinuxFirewall::uninstall();
     return true;
 }
 
@@ -252,6 +277,31 @@ QList<WireguardUtils::PeerStatus> WireguardUtilsLinux::getPeerStatus() {
     return peerList;
 }
 
+
+void WireguardUtilsLinux::applyFirewallRules(FirewallParams& params)
+{
+    // double-check + ensure our firewall is installed and enabled
+    if (!LinuxFirewall::isInstalled()) LinuxFirewall::install();
+
+    // Note: rule precedence is handled inside IpTablesFirewall
+    LinuxFirewall::ensureRootAnchorPriority();
+
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("000.allowLoopback"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("100.blockAll"), params.blockAll);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), params.allowNets);
+    LinuxFirewall::updateAllowNets(params.allowAddrs);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("120.blockNets"), params.blockNets);
+    LinuxFirewall::updateBlockNets(params.blockAddrs);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("200.allowVPN"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv6, QStringLiteral("250.blockIPv6"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("290.allowDHCP"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("300.allowLAN"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("310.blockDNS"), true);
+    LinuxFirewall::updateDNSServers(params.dnsServers);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("320.allowDNS"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("400.allowPIA"), true);
+}
+
 bool WireguardUtilsLinux::updateRoutePrefix(const IPAddress& prefix) {
     if (!m_rtmonitor) {
         return false;

client/platforms/linux/daemon/wireguardutilslinux.h

@@ -8,8 +8,11 @@
 #include <QObject>
 #include <QProcess>
 
+
 #include "daemon/wireguardutils.h"
 #include "linuxroutemonitor.h"
+#include "linuxfirewall.h"
+
 
 class WireguardUtilsLinux final : public WireguardUtils {
     Q_OBJECT
@@ -34,7 +37,7 @@ public:
 
     bool addExclusionRoute(const IPAddress& prefix) override;
     bool deleteExclusionRoute(const IPAddress& prefix) override;
-
+    void applyFirewallRules(FirewallParams& params);
 signals:
     void backendFailure();
 

client/platforms/macos/daemon/macosfirewall.cpp

@@ -0,0 +1,199 @@
+// Copyright (c) 2023 Private Internet Access, Inc.
+//
+// This file is part of the Private Internet Access Desktop Client.
+//
+// The Private Internet Access Desktop Client is free software: you can
+// redistribute it and/or modify it under the terms of the GNU General Public
+// License as published by the Free Software Foundation, either version 3 of
+// the License, or (at your option) any later version.
+//
+// The Private Internet Access Desktop Client is distributed in the hope that
+// it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with the Private Internet Access Desktop Client.  If not, see
+// <https://www.gnu.org/licenses/>.
+
+// Copyright (c) 2024 AmneziaVPN
+// This file has been modified for AmneziaVPN
+//
+// This file is based on the work of the Private Internet Access Desktop Client.
+// The original code of the Private Internet Access Desktop Client is copyrighted (c) 2023 Private Internet Access, Inc. and licensed under GPL3.
+//
+// The modified version of this file is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this file. If not, see <https://www.gnu.org/licenses/>.
+
+#include "macosfirewall.h"
+#include "logger.h"
+#include <QProcess>
+#include <QCoreApplication>
+
+#define BRAND_IDENTIFIER "amn"
+
+namespace {
+    Logger logger("MacOSFirewall");
+}  // namespace
+
+#include "macosfirewall.h"
+
+#define ResourceDir qApp->applicationDirPath() + "/pf"
+#define DaemonDataDir qApp->applicationDirPath() + "/pf"
+
+#include <QProcess>
+
+static QString kRootAnchor = QStringLiteral(BRAND_IDENTIFIER);
+static QByteArray kPfWarning = "pfctl: Use of -f option, could result in flushing of rules\npresent in the main ruleset added by the system at startup.\nSee /etc/pf.conf for further details.\n";
+
+int waitForExitCode(QProcess& process)
+{
+    if (!process.waitForFinished() || process.error() == QProcess::FailedToStart)
+        return -2;
+    else if (process.exitStatus() != QProcess::NormalExit)
+        return -1;
+    else
+        return process.exitCode();
+}
+
+int MacOSFirewall::execute(const QString& command, bool ignoreErrors)
+{
+    QProcess p;
+
+    p.start(QStringLiteral("/bin/bash"), { QStringLiteral("-c"), command }, QProcess::ReadOnly);
+    p.closeWriteChannel();
+    int exitCode = waitForExitCode(p);
+    auto out = p.readAllStandardOutput().trimmed();
+
+    auto err = p.readAllStandardError().replace(kPfWarning, "").trimmed();
+    if ((exitCode != 0 || !err.isEmpty()) && !ignoreErrors)
+        logger.info() << "(" << exitCode << ") $ " << command;
+    else if (false)
+        logger.info() << "(" << exitCode << ") $ " << command;
+    if (!out.isEmpty()) logger.info() << out;
+    if (!err.isEmpty()) logger.info() << err;
+    return exitCode;
+}
+
+void MacOSFirewall::installRootAnchors()
+{
+    logger.info() << "Installing PF root anchors";
+
+    // Append our NAT anchors by reading back and re-applying NAT rules only
+    auto insertNatAnchors = QStringLiteral(
+        "( "
+        R"(pfctl -sn | grep -v '%1/*'; )"   // Translation rules (includes both nat and rdr, despite the modifier being 'nat')
+        R"(echo 'nat-anchor "%2/*"'; )"     // PIA's translation anchors
+        R"(echo 'rdr-anchor "%3/*"'; )"
+        R"(echo 'load anchor "%4" from "%5/%6.conf"'; )" // Load the PIA anchors from file
+        ") | pfctl -N -f -").arg(kRootAnchor, kRootAnchor, kRootAnchor, kRootAnchor, ResourceDir, kRootAnchor);
+
+    execute(insertNatAnchors);
+
+    // Append our filter anchor by reading back and re-applying filter rules
+    // only.  pfctl -sr also includes scrub rules, but these will be ignored
+    // due to -R.
+    auto insertFilterAnchor = QStringLiteral(
+        "( "
+        R"(pfctl -sr | grep -v '%1/*'; )"   // Filter rules (everything from pfctl -sr except 'scrub')
+        R"(echo 'anchor "%2/*"'; )"         // PIA's filter anchors
+        R"(echo 'load anchor "%3" from "%4/%5.conf"'; )" // Load the PIA anchors from file
+        " ) | pfctl -R -f -").arg(kRootAnchor, kRootAnchor, kRootAnchor, ResourceDir, kRootAnchor);
+    execute(insertFilterAnchor);
+}
+
+void MacOSFirewall::install()
+{
+    // remove hard-coded (legacy) pia anchor from /etc/pf.conf if it exists
+    execute(QStringLiteral("if grep -Fq '%1' /etc/pf.conf ; then echo \"`cat /etc/pf.conf | grep -vF '%1'`\" > /etc/pf.conf ; fi").arg(kRootAnchor));
+
+    // Clean up any existing rules if they exist.
+    uninstall();
+
+    timespec waitTime{0, 10'000'000};
+    ::nanosleep(&waitTime, nullptr);
+
+    logger.info() << "Installing PF root anchor";
+
+    installRootAnchors();
+    execute(QStringLiteral("pfctl -E 2>&1 | grep -F 'Token : ' | cut -c9- > '%1/pf.token'").arg(DaemonDataDir));
+}
+
+
+void MacOSFirewall::uninstall()
+{
+    logger.info() << "Uninstalling PF root anchor";
+
+    execute(QStringLiteral("pfctl -q -a '%1' -F all").arg(kRootAnchor));
+    execute(QStringLiteral("test -f '%1/pf.token' && pfctl -X `cat '%1/pf.token'` && rm '%1/pf.token'").arg(DaemonDataDir));
+    execute(QStringLiteral("test -f /etc/pf.conf && pfctl -F all -f /etc/pf.conf"));
+}
+
+bool MacOSFirewall::isInstalled()
+{
+    return isPFEnabled() && isRootAnchorLoaded();
+}
+
+bool MacOSFirewall::isPFEnabled()
+{
+    return 0 == execute(QStringLiteral("test -s '%1/pf.token' && pfctl -s References | grep -qFf '%1/pf.token'").arg(DaemonDataDir), true);
+}
+
+void MacOSFirewall::ensureRootAnchorPriority()
+{
+    // We check whether our anchor appears last in the ruleset. If it does not, then remove it and re-add it last (this happens atomically).
+    // Appearing last ensures priority.
+    execute(QStringLiteral("if ! pfctl -sr | tail -1 | grep -qF '%1'; then echo -e \"$(pfctl -sr | grep -vF '%1')\\n\"'anchor \"%1\"' | pfctl -f - ; fi").arg(kRootAnchor));
+}
+
+bool MacOSFirewall::isRootAnchorLoaded()
+{
+    // Our Root anchor is loaded if:
+    // 1. It is is included among the top-level anchors
+    // 2. It is not empty (i.e it contains sub-anchors)
+    return 0 == execute(QStringLiteral("pfctl -sr | grep -q '%1' && pfctl -q -a '%1' -s rules 2> /dev/null | grep -q .").arg(kRootAnchor), true);
+}
+
+void MacOSFirewall::enableAnchor(const QString& anchor)
+{
+    execute(QStringLiteral("if pfctl -q -a '%1/%2' -s rules 2> /dev/null | grep -q . ; then echo '%2: ON' ; else echo '%2: OFF -> ON' ; pfctl -q -a '%1/%2' -F all -f '%3/%1.%2.conf' ; fi").arg(kRootAnchor, anchor, ResourceDir));
+}
+
+void MacOSFirewall::disableAnchor(const QString& anchor)
+{
+    execute(QStringLiteral("if ! pfctl -q -a '%1/%2' -s rules 2> /dev/null | grep -q . ; then echo '%2: OFF' ; else echo '%2: ON -> OFF' ; pfctl -q -a '%1/%2' -F all ; fi").arg(kRootAnchor, anchor));
+}
+
+bool MacOSFirewall::isAnchorEnabled(const QString& anchor)
+{
+    return 0 == execute(QStringLiteral("pfctl -q -a '%1/%2' -s rules 2> /dev/null | grep -q .").arg(kRootAnchor, anchor), true);
+}
+
+void MacOSFirewall::setAnchorEnabled(const QString& anchor, bool enabled)
+{
+    if (enabled)
+        enableAnchor(anchor);
+    else
+        disableAnchor(anchor);
+}
+
+void MacOSFirewall::setAnchorTable(const QString& anchor, bool enabled, const QString& table, const QStringList& items)
+{
+    if (enabled)
+        execute(QStringLiteral("pfctl -q -a '%1/%2' -t '%3' -T replace %4").arg(kRootAnchor, anchor, table, items.join(' ')));
+    else
+        execute(QStringLiteral("pfctl -q -a '%1/%2' -t '%3' -T kill").arg(kRootAnchor, anchor, table), true);
+}
+
+void MacOSFirewall::setAnchorWithRules(const QString& anchor, bool enabled, const QStringList &ruleList)
+{
+    if (!enabled)
+        return (void)execute(QStringLiteral("pfctl -q -a '%1/%2' -F rules").arg(kRootAnchor, anchor), true);
+    else
+        return (void)execute(QStringLiteral("echo -e \"%1\" | pfctl -q -a '%2/%3' -f -").arg(ruleList.join('\n'), kRootAnchor, anchor), true);
+}

client/platforms/macos/daemon/macosfirewall.h

@@ -0,0 +1,90 @@
+// Copyright (c) 2023 Private Internet Access, Inc.
+//
+// This file is part of the Private Internet Access Desktop Client.
+//
+// The Private Internet Access Desktop Client is free software: you can
+// redistribute it and/or modify it under the terms of the GNU General Public
+// License as published by the Free Software Foundation, either version 3 of
+// the License, or (at your option) any later version.
+//
+// The Private Internet Access Desktop Client is distributed in the hope that
+// it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with the Private Internet Access Desktop Client.  If not, see
+// <https://www.gnu.org/licenses/>.
+
+// Copyright (c) 2024 AmneziaVPN
+// This file has been modified for AmneziaVPN
+//
+// This file is based on the work of the Private Internet Access Desktop Client.
+// The original code of the Private Internet Access Desktop Client is copyrighted (c) 2023 Private Internet Access, Inc. and licensed under GPL3.
+//
+// The modified version of this file is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this file. If not, see <https://www.gnu.org/licenses/>.
+
+#ifndef MACOSFIREWALL_H
+#define MACOSFIREWALL_H
+
+#include <QString>
+#include <QStringList>
+
+// Descriptor for a set of firewall rules to be appled.
+//
+struct FirewallParams
+{
+    QStringList dnsServers;
+    QVector<QString> excludeApps; // Apps to exclude if VPN exemptions are enabled
+
+    QStringList allowAddrs;
+    QStringList blockAddrs;
+
+    // The follow flags indicate which general rulesets are needed. Note that
+    // this is after some sanity filtering, i.e. an allow rule may be listed
+    // as not needed if there were no block rules preceding it. The rulesets
+    // should be thought of as in last-match order.
+
+    bool blockAll;      // Block all traffic by default
+    bool blockNets;
+    bool allowNets;
+    bool allowVPN;      // Exempt traffic through VPN tunnel
+    bool allowDHCP;     // Exempt DHCP traffic
+    bool blockIPv6;     // Block all IPv6 traffic
+    bool allowLAN;      // Exempt LAN traffic, including IPv6 LAN traffic
+    bool blockDNS;      // Block all DNS traffic except specified DNS servers
+    bool allowPIA;      // Exempt PIA executables
+    bool allowLoopback; // Exempt loopback traffic
+    bool allowHnsd;     // Exempt Handshake DNS traffic
+    bool allowVpnExemptions; // Exempt specified traffic from the tunnel (route it over the physical uplink instead)
+};
+
+class MacOSFirewall
+{
+
+private:
+    static int execute(const QString &command, bool ignoreErrors = false);
+    static bool isPFEnabled();
+    static bool isRootAnchorLoaded();
+
+public:
+    static void install();
+    static void uninstall();
+    static bool isInstalled();
+    static void enableAnchor(const QString &anchor);
+    static void disableAnchor(const QString &anchor);
+    static bool isAnchorEnabled(const QString &anchor);
+    static void setAnchorEnabled(const QString &anchor, bool enable);
+    static void setAnchorTable(const QString &anchor, bool enabled, const QString &table, const QStringList &items);
+    static void setAnchorWithRules(const QString &anchor, bool enabled, const QStringList &rules);
+    static void ensureRootAnchorPriority();
+    static void installRootAnchors();
+};
+
+#endif // MACOSFIREWALL_H

client/platforms/macos/daemon/wireguardutilsmacos.cpp

@@ -114,9 +114,30 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
   }
 
   int err = uapiErrno(uapiCommand(message));
+
   if (err != 0) {
     logger.error() << "Interface configuration failed:" << strerror(err);
+  } else {
+      FirewallParams params { };
+      params.dnsServers.append(config.m_dnsServer);
+      if (config.m_allowedIPAddressRanges.at(0).toString() == "0.0.0.0/0"){
+        params.blockAll = true;
+        if (config.m_excludedAddresses.size()) {
+            params.allowNets = true;
+            foreach (auto net, config.m_excludedAddresses) {
+                params.allowAddrs.append(net.toUtf8());
+            }
+        }
+      } else {
+        params.blockNets = true;
+        foreach (auto net, config.m_allowedIPAddressRanges) {
+            params.blockAddrs.append(net.toString());
+        }
+      }
+
+      applyFirewallRules(params);
   }
+
   return (err == 0);
 }
 
@@ -140,6 +161,10 @@ bool WireguardUtilsMacos::deleteInterface() {
   // Garbage collect.
   QDir wgRuntimeDir(WG_RUNTIME_DIR);
   QFile::remove(wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name"));
+
+  // double-check + ensure our firewall is installed and enabled
+  MacOSFirewall::uninstall();
+
   return true;
 }
 
@@ -302,6 +327,31 @@ bool WireguardUtilsMacos::addExclusionRoute(const IPAddress& prefix) {
   return m_rtmonitor->addExclusionRoute(prefix);
 }
 
+void WireguardUtilsMacos::applyFirewallRules(FirewallParams& params)
+{
+  // double-check + ensure our firewall is installed and enabled. This is necessary as
+  // other software may disable pfctl before re-enabling with their own rules (e.g other VPNs)
+  if (!MacOSFirewall::isInstalled()) MacOSFirewall::install();
+
+  MacOSFirewall::ensureRootAnchorPriority();
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("000.allowLoopback"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("100.blockAll"), params.blockAll);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("110.allowNets"), params.allowNets);
+  MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), params.allowNets,
+                                QStringLiteral("allownets"), params.allowAddrs);
+
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("120.blockNets"), params.blockNets);
+  MacOSFirewall::setAnchorTable(QStringLiteral("120.blockNets"), params.blockNets,
+                                QStringLiteral("blocknets"), params.blockAddrs);
+
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("200.allowVPN"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("250.blockIPv6"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("290.allowDHCP"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("300.allowLAN"), true);
+  MacOSFirewall::setAnchorEnabled(QStringLiteral("310.blockDNS"), true);
+  MacOSFirewall::setAnchorTable(QStringLiteral("310.blockDNS"), true, QStringLiteral("dnsaddr"), params.dnsServers);
+}
+
 bool WireguardUtilsMacos::deleteExclusionRoute(const IPAddress& prefix) {
   if (!m_rtmonitor) {
     return false;

client/platforms/macos/daemon/wireguardutilsmacos.h

@@ -10,6 +10,7 @@
 
 #include "daemon/wireguardutils.h"
 #include "macosroutemonitor.h"
+#include "macosfirewall.h"
 
 class WireguardUtilsMacos final : public WireguardUtils {
   Q_OBJECT
@@ -34,6 +35,7 @@ class WireguardUtilsMacos final : public WireguardUtils {
 
   bool addExclusionRoute(const IPAddress& prefix) override;
   bool deleteExclusionRoute(const IPAddress& prefix) override;
+  void applyFirewallRules(FirewallParams& params);
 
  signals:
   void backendFailure();

client/protocols/openvpnovercloakprotocol.cpp

@@ -66,7 +66,7 @@ ErrorCode OpenVpnOverCloakProtocol::start()
             emit protocolError(amnezia::ErrorCode::CloakExecutableCrashed);
             stop();
         }
-        if (exitCode !=0 ){
+        if (exitCode !=0 ) {
             emit protocolError(amnezia::ErrorCode::InternalError);
             stop();
         }

client/protocols/openvpnprotocol.cpp

@@ -4,6 +4,7 @@
 #include <QRandomGenerator>
 #include <QTcpServer>
 #include <QTcpSocket>
+#include <QNetworkInterface>
 
 #include "logger.h"
 #include "openvpnprotocol.h"
@@ -53,6 +54,11 @@ void OpenVpnProtocol::stop()
         QThread::msleep(10);
         m_managementServer.stop();
     }
+
+#if defined(Q_OS_WIN) || defined(Q_OS_LINUX) || defined(Q_OS_MACOS)
+    IpcClient::Interface()->disableKillSwitch();
+#endif
+
     setConnectionState(Vpn::ConnectionState::Disconnected);
 }
 
@@ -85,13 +91,13 @@ void OpenVpnProtocol::killOpenVpnProcess()
 void OpenVpnProtocol::readOpenVpnConfiguration(const QJsonObject &configuration)
 {
     if (configuration.contains(ProtocolProps::key_proto_config_data(Proto::OpenVpn))) {
+        m_configData = configuration;
         QJsonObject jConfig = configuration.value(ProtocolProps::key_proto_config_data(Proto::OpenVpn)).toObject();
 
         m_configFile.open();
         m_configFile.write(jConfig.value(config_key::config).toString().toUtf8());
         m_configFile.close();
         m_configFileName = m_configFile.fileName();
-
         qDebug().noquote() << QString("Set config data") << m_configFileName;
     }
 }
@@ -138,12 +144,18 @@ uint OpenVpnProtocol::selectMgmtPort()
 
 void OpenVpnProtocol::updateRouteGateway(QString line)
 {
-    // TODO: fix for macos
-    line = line.split("ROUTE_GATEWAY", Qt::SkipEmptyParts).at(1);
-    if (!line.contains("/"))
-        return;
-    m_routeGateway = line.split("/", Qt::SkipEmptyParts).first();
-    m_routeGateway.replace(" ", "");
+    if (line.contains("net_route_v4_best_gw")) {
+        QStringList params = line.split(" ");
+        if (params.size() == 6) {
+            m_routeGateway = params.at(3);
+        }
+    } else {
+        line = line.split("ROUTE_GATEWAY", Qt::SkipEmptyParts).at(1);
+        if (!line.contains("/"))
+            return;
+        m_routeGateway = line.split("/", Qt::SkipEmptyParts).first();
+        m_routeGateway.replace(" ", "");
+    }
     qDebug() << "Set VPN route gateway" << m_routeGateway;
 }
 
@@ -282,7 +294,7 @@ void OpenVpnProtocol::onReadyReadDataFromManagementServer()
             }
         }
 
-        if (line.contains("ROUTE_GATEWAY")) {
+        if (line.contains("ROUTE_GATEWAY") || line.contains("net_route_v4_best_gw")) {
             updateRouteGateway(line);
         }
 
@@ -320,14 +332,28 @@ void OpenVpnProtocol::updateVpnGateway(const QString &line)
     // line looks like
     // PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart
     // 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
-
     QStringList params = line.split(",");
     for (const QString &l : params) {
         if (l.contains("ifconfig")) {
             if (l.split(" ").size() == 3) {
                 m_vpnLocalAddress = l.split(" ").at(1);
                 m_vpnGateway = l.split(" ").at(2);
-
+#ifdef Q_OS_WIN
+                QList<QNetworkInterface> netInterfaces = QNetworkInterface::allInterfaces();
+                for (int i = 0; i < netInterfaces.size(); i++) {
+                    for (int j=0; j < netInterfaces.at(i).addressEntries().size(); j++)
+                    {
+                        if (m_vpnLocalAddress == netInterfaces.at(i).addressEntries().at(j).ip().toString()) {
+                            IpcClient::Interface()->enableKillSwitch(QJsonObject(), netInterfaces.at(i).index());
+                            m_configData.insert("vpnGateway", m_vpnGateway);
+                            IpcClient::Interface()->enablePeerTraffic(m_configData);
+                        }
+                    }
+                }
+#endif
+#if defined(Q_OS_LINUX) || defined(Q_OS_MACOS)
+                IpcClient::Interface()->enableKillSwitch(m_configData, 0);
+#endif
                 qDebug() << QString("Set vpn local address %1, gw %2").arg(m_vpnLocalAddress).arg(vpnGateway());
             }
         }

client/protocols/openvpnprotocol.h

@@ -44,6 +44,7 @@ private:
 
     ManagementServer m_managementServer;
     QString m_configFileName;
+    QJsonObject m_configData;
     QTemporaryFile m_configFile;
 
     uint selectMgmtPort();

client/protocols/wireguardprotocol.cpp

@@ -13,9 +13,6 @@
 WireguardProtocol::WireguardProtocol(const QJsonObject &configuration, QObject *parent)
     : VpnProtocol(configuration, parent)
 {
-    m_configFile.setFileName(QDir::tempPath() + QDir::separator() + serviceName() + ".conf");
-    writeWireguardConfiguration(configuration);
-
     m_impl.reset(new LocalSocketController());
     connect(m_impl.get(), &ControllerImpl::connected, this,
             [this](const QString &pubkey, const QDateTime &connectionTimestamp) {
@@ -50,45 +47,9 @@ ErrorCode WireguardProtocol::stopMzImpl()
     return ErrorCode::NoError;
 }
 
-void WireguardProtocol::writeWireguardConfiguration(const QJsonObject &configuration)
-{
-    QJsonObject jConfig = configuration.value(ProtocolProps::key_proto_config_data(Proto::WireGuard)).toObject();
-
-    if (!m_configFile.open(QIODevice::WriteOnly | QIODevice::Truncate)) {
-        qCritical() << "Failed to save wireguard config to" << m_configFile.fileName();
-        return;
-    }
-
-    m_configFile.write(jConfig.value(config_key::config).toString().toUtf8());
-    m_configFile.close();
-
-
-    m_configFileName = m_configFile.fileName();
-
-    m_isConfigLoaded = true;
-
-    qDebug().noquote() << QString("Set config data") << configPath();
-    qDebug().noquote() << QString("Set config data")
-                       << configuration.value(ProtocolProps::key_proto_config_data(Proto::WireGuard)).toString().toUtf8();
-}
-
-QString WireguardProtocol::configPath() const
-{
-    return m_configFileName;
-}
-
-QString WireguardProtocol::serviceName() const
-{
-    return "AmneziaVPN.WireGuard0";
-}
 
 ErrorCode WireguardProtocol::start()
 {
-    if (!m_isConfigLoaded) {
-        setLastError(ErrorCode::ConfigMissing);
-        return lastError();
-    }
-
     return startMzImpl();
 }
 

client/protocols/wireguardprotocol.h

@@ -26,15 +26,6 @@ public:
     ErrorCode stopMzImpl();
 
 private:
-    QString configPath() const;
-    void writeWireguardConfiguration(const QJsonObject &configuration);
-    QString serviceName() const;
-
-private:
-    QString m_configFileName;
-    QFile m_configFile;
-
-    bool m_isConfigLoaded = false;
 
     QScopedPointer<ControllerImpl> m_impl;
 };

client/translations/amneziavpn_ru.ts

@@ -379,7 +379,7 @@ Already installed containers were found on the server. All installed containers
     <message>
         <location filename="../ui/qml/Pages2/PageProtocolAwgSettings.qml" line="311"/>
         <source>Save and Restart Amnezia</source>
-        <translation>Сохранить и пререзагрузить Amnezia</translation>
+        <translation>Сохранить и перезагрузить Amnezia</translation>
     </message>
 </context>
 <context>
@@ -416,7 +416,7 @@ Already installed containers were found on the server. All installed containers
     <message>
         <location filename="../ui/qml/Pages2/PageProtocolOpenVpnSettings.qml" line="77"/>
         <source>OpenVPN settings</source>
-        <translation>Настройки OpenVPN</translation>
+        <translation>OpenVPN настройки</translation>
     </message>
     <message>
         <location filename="../ui/qml/Pages2/PageProtocolOpenVpnSettings.qml" line="84"/>
@@ -1192,7 +1192,7 @@ Already installed containers were found on the server. All installed containers
     <message>
         <location filename="../ui/qml/Pages2/PageSettingsConnection.qml" line="86"/>
         <source>If AmneziaDNS is not used or installed</source>
-        <translation>Эти серверы будут использоваться, если не включен AmneziaDNS</translation>
+        <translation>Эти адреса будут использоваться, если не включен AmneziaDNS</translation>
     </message>
     <message>
         <location filename="../ui/qml/Pages2/PageSettingsConnection.qml" line="101"/>
@@ -2047,7 +2047,7 @@ and will not be shared or disclosed to the Amnezia or any third parties</source>
     <message>
         <location filename="../ui/qml/Pages2/PageShare.qml" line="598"/>
         <source>Rename</source>
-        <translation type="unfinished"></translation>
+        <translation type="unfinished">Переименовать</translation>
     </message>
     <message>
         <location filename="../ui/qml/Pages2/PageShare.qml" line="627"/>
@@ -2062,12 +2062,12 @@ and will not be shared or disclosed to the Amnezia or any third parties</source>
     <message>
         <location filename="../ui/qml/Pages2/PageShare.qml" line="668"/>
         <source>Revoke</source>
-        <translation type="unfinished"></translation>
+        <translation type="unfinished">Отозвать</translation>
     </message>
     <message>
         <location filename="../ui/qml/Pages2/PageShare.qml" line="671"/>
         <source>Revoke the config for a user - %1?</source>
-        <translation type="unfinished"></translation>
+        <translation type="unfinished">Отозвать доступ для пользователя - %1?</translation>
     </message>
     <message>
         <location filename="../ui/qml/Pages2/PageShare.qml" line="672"/>

client/ui/controllers/exportController.cpp

@@ -327,7 +327,8 @@ void ExportController::updateClientManagementModel(const DockerContainer contain
 
 void ExportController::revokeConfig(const int row, const DockerContainer container, ServerCredentials credentials)
 {
-    ErrorCode errorCode = m_clientManagementModel->revokeClient(row, container, credentials);
+    ErrorCode errorCode = m_clientManagementModel->revokeClient(row, container, credentials,
+                                                                m_serversModel->getCurrentlyProcessedServerIndex());
     if (errorCode != ErrorCode::NoError) {
         emit exportErrorOccurred(errorString(errorCode));
     }

client/ui/models/clientManagementModel.cpp

@@ -296,30 +296,36 @@ ErrorCode ClientManagementModel::renameClient(const int row, const QString &clie
 }
 
 ErrorCode ClientManagementModel::revokeClient(const int row, const DockerContainer container,
-                                              ServerCredentials credentials)
+                                              ServerCredentials credentials, const int serverIndex)
 {
     ErrorCode errorCode = ErrorCode::NoError;
+    auto client = m_clientsTable.at(row).toObject();
+    QString clientId = client.value(configKey::clientId).toString();
 
     if (container == DockerContainer::OpenVpn || container == DockerContainer::ShadowSocks
         || container == DockerContainer::Cloak) {
-        errorCode = revokeOpenVpn(row, container, credentials);
+        errorCode = revokeOpenVpn(row, container, credentials, serverIndex);
     } else if (container == DockerContainer::WireGuard || container == DockerContainer::Awg) {
         errorCode = revokeWireGuard(row, container, credentials);
     }
 
     if (errorCode == ErrorCode::NoError) {
-        auto client = m_clientsTable.at(row).toObject();
-        QString clientId = client.value(configKey::clientId).toString();
-
-        const auto server = m_settings->defaultServer();
+        const auto server = m_settings->server(serverIndex);
         QJsonArray containers = server.value(config_key::containers).toArray();
         for (auto i = 0; i < containers.size(); i++) {
             auto containerConfig = containers.at(i).toObject();
             auto containerType = ContainerProps::containerFromString(containerConfig.value(config_key::container).toString());
-            auto protocolConfig = containerConfig.value(ContainerProps::containerTypeToString(containerType)).toObject();
+            if (containerType == container) {
+                QJsonObject protocolConfig;
+                if (container == DockerContainer::ShadowSocks || container == DockerContainer::Cloak) {
+                    protocolConfig = containerConfig.value(ContainerProps::containerTypeToString(DockerContainer::OpenVpn)).toObject();
+                } else {
+                    protocolConfig = containerConfig.value(ContainerProps::containerTypeToString(containerType)).toObject();
+                }
 
-            if (protocolConfig.value(config_key::last_config).toString().contains(clientId)) {
-                emit adminConfigRevoked(container);
+                if (protocolConfig.value(config_key::last_config).toString().contains(clientId)) {
+                    emit adminConfigRevoked(container);
+                }
             }
         }
     }
@@ -328,7 +334,7 @@ ErrorCode ClientManagementModel::revokeClient(const int row, const DockerContain
 }
 
 ErrorCode ClientManagementModel::revokeOpenVpn(const int row, const DockerContainer container,
-                                               ServerCredentials credentials)
+                                               ServerCredentials credentials, const int serverIndex)
 {
     auto client = m_clientsTable.at(row).toObject();
     QString clientId = client.value(configKey::clientId).toString();
@@ -337,6 +343,7 @@ ErrorCode ClientManagementModel::revokeOpenVpn(const int row, const DockerContai
                                                "cd /opt/amnezia/openvpn ;\\"
                                                "easyrsa revoke %1 ;\\"
                                                "easyrsa gen-crl ;\\"
+                                               "chmod 666 pki/crl.pem ;\\"
                                                "cp pki/crl.pem .'")
                                                .arg(clientId);
 
@@ -356,12 +363,7 @@ ErrorCode ClientManagementModel::revokeOpenVpn(const int row, const DockerContai
     const QByteArray clientsTableString = QJsonDocument(m_clientsTable).toJson();
 
     QString clientsTableFile = QString("/opt/amnezia/%1/clientsTable");
-    if (container == DockerContainer::OpenVpn || container == DockerContainer::ShadowSocks
-        || container == DockerContainer::Cloak) {
-        clientsTableFile = clientsTableFile.arg(ContainerProps::containerTypeToString(DockerContainer::OpenVpn));
-    } else {
-        clientsTableFile = clientsTableFile.arg(ContainerProps::containerTypeToString(container));
-    }
+    clientsTableFile = clientsTableFile.arg(ContainerProps::containerTypeToString(DockerContainer::OpenVpn));
     error = serverController.uploadTextFileToContainer(container, credentials, clientsTableString, clientsTableFile);
     if (error != ErrorCode::NoError) {
         logger.error() << "Failed to upload the clientsTable file to the server";

client/ui/models/clientManagementModel.h

@@ -28,7 +28,7 @@ public slots:
                            ServerCredentials credentials);
     ErrorCode renameClient(const int row, const QString &userName, const DockerContainer container,
                            ServerCredentials credentials, bool addTimeStamp = false);
-    ErrorCode revokeClient(const int index, const DockerContainer container, ServerCredentials credentials);
+    ErrorCode revokeClient(const int index, const DockerContainer container, ServerCredentials credentials, const int serverIndex);
 
 protected:
     QHash<int, QByteArray> roleNames() const override;
@@ -41,7 +41,7 @@ private:
 
     void migration(const QByteArray &clientsTableString);
 
-    ErrorCode revokeOpenVpn(const int row, const DockerContainer container, ServerCredentials credentials);
+    ErrorCode revokeOpenVpn(const int row, const DockerContainer container, ServerCredentials credentials, const int serverIndex);
     ErrorCode revokeWireGuard(const int row, const DockerContainer container, ServerCredentials credentials);
 
     ErrorCode getOpenVpnClients(ServerController &serverController, DockerContainer container, ServerCredentials credentials, int &count);

client/ui/models/protocols/ikev2ConfigModel.cpp

@@ -1,4 +1,4 @@
-#include "ikev2ConfigModel.h".h "
+#include "ikev2ConfigModel.h"
 
 #include "protocols/protocols_defs.h"
 

client/ui/models/servers_model.cpp

@@ -251,10 +251,9 @@ void ServersModel::addServer(const QJsonObject &server)
 
 void ServersModel::editServer(const QJsonObject &server)
 {
-    beginResetModel();
     m_settings->editServer(m_currentlyProcessedServerIndex, server);
-    m_servers = m_settings->serversArray();
-    endResetModel();
+    m_servers.replace(m_currentlyProcessedServerIndex, m_settings->serversArray().at(m_currentlyProcessedServerIndex));
+    emit dataChanged(index(m_currentlyProcessedServerIndex, 0), index(m_currentlyProcessedServerIndex, 0));
     updateContainersModel();
 }
 

client/ui/qautostart.cpp

@@ -124,8 +124,13 @@ void Autostart::setAutostart(bool autostart) {
         if (file.open(QIODevice::ReadWrite)) {
             QTextStream stream(&file);
             stream << "[Desktop Entry]" << Qt::endl;
-            stream << "Exec=" << appPath() << Qt::endl;
+            stream << "Exec=AmneziaVPN" << Qt::endl;
             stream << "Type=Application" << Qt::endl;
+            stream << "Name=AmneziaVPN" << Qt::endl;
+            stream << "Comment=Client of your self-hosted VPN" << Qt::endl;
+            stream << "Icon=/usr/share/pixmaps/AmneziaVPN.png" << Qt::endl;
+            stream << "Categories=Network;Qt;Security;" << Qt::endl;
+            stream << "Terminal=false" << Qt::endl;
         }
     }
 }

client/ui/qml/Components/HomeContainersListView.qml

@@ -30,7 +30,9 @@ ListView {
         target: ServersModel
 
         function onCurrentlyProcessedServerIndexChanged() {
-            menuContent.checkCurrentItem()
+            if (ContainersModel.getDefaultContainer()) {
+                menuContent.checkCurrentItem()
+            }
         }
     }
 
@@ -76,9 +78,8 @@ ListView {
                     }
 
                     if (checked) {
-                        ServersModel.setDefaultContainer(proxyContainersModel.mapToSource(index))
-
                         containersDropDown.menuVisible = false
+                        ServersModel.setDefaultContainer(proxyContainersModel.mapToSource(index))
                     } else {
                         if (!isSupported && isInstalled) {
                             PageController.showErrorMessage(qsTr("The selected protocol is not supported on the current platform"))

client/ui/qml/Components/ShareConnectionDrawer.qml

@@ -25,7 +25,7 @@ DrawerType {
 
     property string configExtension: ".vpn"
     property string configCaption: qsTr("Save AmneziaVPN config")
-    property string configFileName: "amnezia_config.vpn"
+    property string configFileName: "amnezia_config"
 
     width: parent.width
     height: parent.height * 0.9

client/ui/qml/Pages2/PageProtocolOpenVpnSettings.qml

@@ -81,7 +81,7 @@ PageType {
                             Layout.fillWidth: true
                             Layout.topMargin: 32
 
-                            headerText: qsTr("VPN Addresses Subnet")
+                            headerText: qsTr("VPN address subnet")
                             textFieldText: subnetAddress
 
                             textField.onEditingFinished: {

client/ui/qml/Pages2/PageServiceTorWebsiteSettings.qml

@@ -91,7 +91,7 @@ PageType {
 
                 onLinkActivated: Qt.openUrlExternally(link)
                 textFormat: Text.RichText
-                text: qsTr("Use <a href=\"https://www.torproject.org/download/\" style=\"color: #FBB26A;\">Tor Browser</a> to open this url.")
+                text: qsTr("Use <a href=\"https://www.torproject.org/download/\" style=\"color: #FBB26A;\">Tor Browser</a> to open this URL.")
             }
 
             ParagraphTextType {
@@ -100,7 +100,7 @@ PageType {
                 Layout.leftMargin: 16
                 Layout.rightMargin: 16
 
-                text: qsTr("After installation it takes several minutes while your onion site will become available in the Tor Network.")
+                text: qsTr("After creating your onion site, it takes a few minutes for the Tor network to make it available for use.")
             }
 
             ParagraphTextType {

client/ui/qml/Pages2/PageSettingsAbout.qml

@@ -53,7 +53,7 @@ PageType {
                 Layout.leftMargin: 16
                 Layout.rightMargin: 16
 
-                text: qsTr("Support the project with a donation")
+                text: qsTr("Support Amnezia")
                 horizontalAlignment: Text.AlignHCenter
             }
 

client/ui/qml/Pages2/PageSettingsConnection.qml

@@ -83,7 +83,7 @@ PageType {
                 Layout.fillWidth: true
 
                 text: qsTr("DNS servers")
-                descriptionText: qsTr("If AmneziaDNS is not used or installed")
+                descriptionText: qsTr("When AmneziaDNS is not used or installed")
                 rightImageSource: "qrc:/images/controls/chevron-right.svg"
 
                 clickedFunction: function() {
@@ -117,7 +117,7 @@ PageType {
                 Layout.fillWidth: true
 
                 text: qsTr("App-based split tunneling")
-                descriptionText: qsTr("Allows you to use the VPN only for certain applications")
+                descriptionText: qsTr("Allows you to use the VPN only for certain Apps")
                 rightImageSource: "qrc:/images/controls/chevron-right.svg"
 
                 clickedFunction: function() {

client/ui/qml/Pages2/PageSettingsLogging.qml

@@ -66,7 +66,8 @@ PageType {
 
                 ColumnLayout {
                     Layout.alignment: Qt.AlignBaseline
-                    Layout.preferredWidth: root.width / 3
+                    Layout.preferredWidth: GC.isMobile() ? 0 : root.width / 3
+                    visible: !GC.isMobile()
 
                     ImageButtonType {
                         Layout.alignment: Qt.AlignHCenter
@@ -90,7 +91,7 @@ PageType {
 
                 ColumnLayout {
                     Layout.alignment: Qt.AlignBaseline
-                    Layout.preferredWidth: root.width / 3
+                    Layout.preferredWidth: root.width / ( GC.isMobile() ? 2 : 3 )
 
                     ImageButtonType {
                         Layout.alignment: Qt.AlignHCenter
@@ -131,7 +132,7 @@ PageType {
 
                 ColumnLayout {
                     Layout.alignment: Qt.AlignBaseline
-                    Layout.preferredWidth: root.width / 3
+                    Layout.preferredWidth: root.width / ( GC.isMobile() ? 2 : 3 )
 
                     ImageButtonType {
                         Layout.alignment: Qt.AlignHCenter

client/ui/qml/Pages2/PageSettingsSplitTunneling.qml

@@ -56,7 +56,7 @@ PageType {
 
     QtObject {
         id: onlyForwardSites
-        property string name: qsTr("Addresses from the list should be accessed via VPN")
+        property string name: qsTr("Only the sites listed here will be accessed through the VPN")
         property int type: routeMode.onlyForwardSites
     }
     QtObject {
@@ -251,7 +251,7 @@ PageType {
         TextFieldWithHeaderType {
             Layout.fillWidth: true
 
-            textFieldPlaceholderText: qsTr("Site or IP")
+            textFieldPlaceholderText: qsTr("website or IP")
             buttonImageSource: "qrc:/images/controls/plus.svg"
 
             clickedFunc: function() {
@@ -295,7 +295,7 @@ PageType {
                     Layout.fillWidth: true
                     Layout.margins: 16
 
-                    headerText: qsTr("Import/Export Sites")
+                    headerText: qsTr("Import / Export Sites")
                 }
 
                 LabelWithButtonType {

client/ui/qml/Pages2/PageSetupWizardCredentials.qml

@@ -73,7 +73,7 @@ PageType {
                 property bool hidePassword: true
 
                 Layout.fillWidth: true
-                headerText: qsTr("Password / SSH private key")
+                headerText: qsTr("Password or SSH private key")
                 textField.echoMode: hidePassword ? TextInput.Password : TextInput.Normal
                 buttonImageSource: textFieldText !== "" ? (hidePassword ? "qrc:/images/controls/eye.svg" : "qrc:/images/controls/eye-off.svg")
                                                         : ""

client/ui/qml/Pages2/PageSetupWizardEasy.qml

@@ -112,7 +112,7 @@ PageType {
                                 var defaultContainerProto =  ContainerProps.defaultProtocol(dockerContainer)
 
                                 containers.dockerContainer = dockerContainer
-                                containers.containerDefaultPort = ProtocolProps.defaultPort(defaultContainerProto)
+                                containers.containerDefaultPort = ProtocolProps.getPortForInstall(defaultContainerProto)
                                 containers.containerDefaultTransportProto = ProtocolProps.defaultTransportProto(defaultContainerProto)
                             }
                         }

client/vpnconnection.cpp

@@ -253,10 +253,13 @@ QString VpnConnection::createVpnConfigurationForProto(int serverIndex, const Ser
             m_settings->setProtocolConfig(serverIndex, container, proto, protoObject);
         }
 
-        QEventLoop wait;
-        emit m_configurator->newVpnConfigCreated(clientId, QString("Admin [%1]").arg(QSysInfo::prettyProductName()), container, credentials);
-        QObject::connect(m_configurator.get(), &VpnConfigurator::clientModelUpdated, &wait, &QEventLoop::quit);
-        wait.exec();
+        if ((container != DockerContainer::Cloak && container != DockerContainer::ShadowSocks) ||
+                ((container == DockerContainer::Cloak || container == DockerContainer::ShadowSocks) && proto == Proto::OpenVpn)) {
+            QEventLoop wait;
+            emit m_configurator->newVpnConfigCreated(clientId, QString("Admin [%1]").arg(QSysInfo::prettyProductName()), container, credentials);
+            QObject::connect(m_configurator.get(), &VpnConfigurator::clientModelUpdated, &wait, &QEventLoop::quit);
+            wait.exec();
+        }
     }
 
     return configData;

deploy/data/macos/pf/amn.000.allowLoopback.conf

@@ -0,0 +1,3 @@
+# Always allow at least loopback/localhost traffic
+set skip on lo0
+pass quick on lo0 flags any

deploy/data/macos/pf/amn.100.blockAll.conf

@@ -0,0 +1,3 @@
+# Block all traffic by default (can be overridden by later rules)
+block out all flags any no state
+

deploy/data/macos/pf/amn.110.allowNets.conf

@@ -0,0 +1,2 @@
+table <allownets> {}
+pass out to <allownets> flags any no state

deploy/data/macos/pf/amn.120.blockNets.conf

@@ -0,0 +1,2 @@
+table <blocknets> {}
+block out to <blocknets> flags any no state

deploy/data/macos/pf/amn.150.allowExcludedApps.conf

@@ -0,0 +1,2 @@
+# Rules are set at runtime
+

deploy/data/macos/pf/amn.200.allowVPN.conf

@@ -0,0 +1,9 @@
+# Exempt the tunnel interface(s) used by the VPN connection
+
+utunInterfaces = "{                                                                         \
+    utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9,   utun10,         \
+    utun11, utun12, utun13, utun14, utun15, utun16, utun17, utun18, utun19, utun20,         \
+    utun21, utun22, utun23, utun24, utun25, utun26, utun27, utun28, utun29, utun30          \
+}"
+
+pass out on $utunInterfaces flags any no state

deploy/data/macos/pf/amn.250.blockIPv6.conf

@@ -0,0 +1,2 @@
+# Block all outgoing IPv6 traffic (even over the VPN)
+block return out inet6 flags any no state

deploy/data/macos/pf/amn.290.allowDHCP.conf

@@ -0,0 +1,5 @@
+# Allow DHCP
+pass out inet proto udp from port 68 to 255.255.255.255 port 67 no state
+
+# Allow DHCPv6
+pass out inet6 proto udp from port 546 to ff00::/8 port 547 no state

deploy/data/macos/pf/amn.300.allowLAN.conf

@@ -0,0 +1,3 @@
+# Allow LAN IP ranges
+table <lanips> { 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 255.255.255.255/32, fc00::/7, fe80::/10, ff00::/8 }
+pass out to <lanips> flags any no state

deploy/data/macos/pf/amn.310.blockDNS.conf

@@ -0,0 +1,7 @@
+# Block all DNS traffic
+block return out proto { tcp, udp } to port 53 flags any no state
+
+# Allow our DNS servers
+table <dnsaddr> {}
+pass out proto { tcp, udp } to <dnsaddr> port 53 flags any no state
+

deploy/data/macos/pf/amn.350.allowHnsd.conf

@@ -0,0 +1,14 @@
+utunInterfaces = "{                                                                         \
+    utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9,   utun10,         \
+    utun11, utun12, utun13, utun14, utun15, utun16, utun17, utun18, utun19, utun20,         \
+    utun21, utun22, utun23, utun24, utun25, utun26, utun27, utun28, utun29, utun30          \
+}"
+
+hnsdGroup=amnhnsd
+
+# Block everything from handshake group
+# Without this initial block hnsd traffic could possibly travel outside the tunnel (we don't trust the routing table)
+block return out group $hnsdGroup flags any no state
+
+# Next, poke a hole in this block but only for traffic on the tunnel (port 13038 is the handshake control port)
+pass out on $utunInterfaces proto { tcp, udp } to port { 53, 13038 } group $hnsdGroup flags any no state

deploy/data/macos/pf/amn.400.allowPIA.conf

@@ -0,0 +1,2 @@
+# Allow traffic by privileged group (used by daemon)
+pass out proto { tcp, udp } group  { amnvpn } flags any no state

deploy/data/macos/pf/amn.conf

@@ -0,0 +1,16 @@
+# This root anchor file establishes multiple sub-anchors which can be
+# individually turned on or off; they have a numeric prefix in order to
+# produce a well-defined alphabetical order.
+
+anchor "000.allowLoopback"
+anchor "100.blockAll"
+anchor "110.allowNets"
+anchor "120.blockNets"
+anchor "150.allowExcludedApps"
+anchor "200.allowVPN"
+anchor "250.blockIPv6"
+anchor "290.allowDHCP"
+anchor "300.allowLAN"
+anchor "310.blockDNS"
+anchor "350.allowHnsd"
+anchor "400.allowPIA"

ipc/ipc_interface.rep

@@ -1,5 +1,7 @@
 #include <QtCore>
 #include <QString>
+#include <QJsonObject>
+#include "../client/daemon/interfaceconfig.h"
 
 class IpcInterface
 {
@@ -19,8 +21,8 @@ class IpcInterface
     SLOT( void cleanUp() );
     SLOT( void setLogsEnabled(bool enabled) );
 
-    SLOT( bool copyWireguardConfig(const QString &sourcePath) );
-    SLOT( bool isWireguardRunning() );
-    SLOT( bool isWireguardConfigExists(const QString &configPath) );
+    SLOT( bool disableKillSwitch() );
+    SLOT( bool enablePeerTraffic( const QJsonObject &configStr) );
+    SLOT( bool enableKillSwitch( const QJsonObject &excludeAddr, int vpnAdapterIndex) );
 };
 

ipc/ipcserver.cpp

@@ -8,8 +8,18 @@
 #include "router.h"
 #include "logger.h"
 
+#include "../client/protocols/protocols_defs.h"
 #ifdef Q_OS_WIN
 #include "tapcontroller_win.h"
+#include "../client/platforms/windows/daemon/windowsfirewall.h"
+#endif
+
+#ifdef Q_OS_LINUX
+#include "../client/platforms/linux/daemon/linuxfirewall.h"
+#endif
+
+#ifdef Q_OS_MACOS
+#include "../client/platforms/macos/daemon/macosfirewall.h"
 #endif
 
 IpcServer::IpcServer(QObject *parent):
@@ -22,15 +32,14 @@ int IpcServer::createPrivilegedProcess()
     qDebug() << "IpcServer::createPrivilegedProcess";
 #endif
 
+#ifdef Q_OS_WIN
+    WindowsFirewall::instance()->init();
+#endif
+
     m_localpid++;
 
     ProcessDescriptor pd(this);
-//    pd.serverNode->setHostUrl(QUrl(amnezia::getIpcProcessUrl(m_localpid)));
-//    pd.serverNode->enableRemoting(pd.ipcProcess.data());
 
-
-
-    //pd.localServer = QSharedPointer<QLocalServer>(new QLocalServer(this));
     pd.localServer->setSocketOptions(QLocalServer::WorldAccessOption);
 
     if (!pd.localServer->listen(amnezia::getIpcProcessUrl(m_localpid))) {
@@ -165,61 +174,160 @@ void IpcServer::setLogsEnabled(bool enabled)
     }
 }
 
-bool IpcServer::copyWireguardConfig(const QString &sourcePath)
+
+bool IpcServer::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterIndex)
 {
-#ifdef MZ_DEBUG
-    qDebug() << "IpcServer::copyWireguardConfig";
+#ifdef Q_OS_WIN
+    return WindowsFirewall::instance()->enableKillSwitch(vpnAdapterIndex);
 #endif
 
-#ifdef Q_OS_LINUX
-    const QString wireguardConfigPath = "/etc/wireguard/wg99.conf";
-    if (QFile::exists(wireguardConfigPath))
+#if defined(Q_OS_LINUX) || defined(Q_OS_MACOS)
+    int splitTunnelType = configStr.value("splitTunnelType").toInt();
+    QJsonArray splitTunnelSites = configStr.value("splitTunnelSites").toArray();
+    bool blockAll = 0;
+    bool allowNets = 0;
+    bool blockNets = 0;
+    QStringList allownets;
+    QStringList blocknets;
+
+    if (splitTunnelType == 0)
     {
-        QFile::remove(wireguardConfigPath);
+        blockAll = true;
+        allowNets = true;
+        allownets.append(configStr.value(amnezia::config_key::hostName).toString());
+    } else if (splitTunnelType == 1)
+    {
+        blockNets = true;
+        for (auto v : splitTunnelSites) {
+            blocknets.append(v.toString());
+        }
+    } else if (splitTunnelType == 2) {
+        blockAll = true;
+        allowNets = true;
+        allownets.append(configStr.value(amnezia::config_key::hostName).toString());
+        for (auto v : splitTunnelSites) {
+            allownets.append(v.toString());
+        }
     }
-
-    if (!QFile::copy(sourcePath, wireguardConfigPath)) {
-        qDebug() << "WireguardProtocol::WireguardProtocol error occurred while copying wireguard config:";
-        return false;
-    }
-    return true;
-#else
-    return false;
-#endif
-}
-
-bool IpcServer::isWireguardRunning()
-{
-#ifdef MZ_DEBUG
-    qDebug() << "IpcServer::isWireguardRunning";
 #endif
 
 #ifdef Q_OS_LINUX
-    QProcess checkWireguardStatusProcess;
-
-    connect(&checkWireguardStatusProcess, &QProcess::errorOccurred, this, [](QProcess::ProcessError error) {
-        qDebug() << "WireguardProtocol::WireguardProtocol error occurred while checking wireguard status: " << error;
-    });
-
-    checkWireguardStatusProcess.setProgram("/bin/wg");
-    checkWireguardStatusProcess.setArguments(QStringList{"show"});
-    checkWireguardStatusProcess.start();
-    checkWireguardStatusProcess.waitForFinished(10000);
-    QString output = checkWireguardStatusProcess.readAllStandardOutput();
-    if (!output.isEmpty()) {
-        return true;
-    }
-    return false;
-#else
-    return false;
+    // double-check + ensure our firewall is installed and enabled
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("000.allowLoopback"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("100.blockAll"), blockAll);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), allowNets);
+    LinuxFirewall::updateAllowNets(allownets);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("120.blockNets"), blockAll);
+    LinuxFirewall::updateBlockNets(blocknets);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("200.allowVPN"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv6, QStringLiteral("250.blockIPv6"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("290.allowDHCP"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("300.allowLAN"), true);
+    QStringList dnsServers;
+    dnsServers.append(configStr.value(amnezia::config_key::dns1).toString());
+    dnsServers.append(configStr.value(amnezia::config_key::dns2).toString());
+    dnsServers.append("127.0.0.1");
+    dnsServers.append("127.0.0.53");
+    LinuxFirewall::updateDNSServers(dnsServers);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("320.allowDNS"), true);
+    LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("400.allowPIA"), true);
 #endif
+
+#ifdef Q_OS_MACOS
+
+    // double-check + ensure our firewall is installed and enabled. This is necessary as
+    // other software may disable pfctl before re-enabling with their own rules (e.g other VPNs)
+    if (!MacOSFirewall::isInstalled()) MacOSFirewall::install();
+
+    MacOSFirewall::ensureRootAnchorPriority();
+    MacOSFirewall::setAnchorEnabled(QStringLiteral("000.allowLoopback"), true);
+    MacOSFirewall::setAnchorEnabled(QStringLiteral("100.blockAll"), blockAll);
+    MacOSFirewall::setAnchorEnabled(QStringLiteral("110.allowNets"), allowNets);
+    MacOSFirewall::setAnchorTable(QStringLiteral("110.allowNets"), allowNets,
+                                  QStringLiteral("allownets"), allownets);
+
+    MacOSFirewall::setAnchorEnabled(QStringLiteral("120.blockNets"), blockNets);
+    MacOSFirewall::setAnchorTable(QStringLiteral("120.blockNets"), blockNets,
+                                  QStringLiteral("blocknets"), blocknets);
+    MacOSFirewall::setAnchorEnabled(QStringLiteral("200.allowVPN"), true);
+    MacOSFirewall::setAnchorEnabled(QStringLiteral("250.blockIPv6"), true);
+    MacOSFirewall::setAnchorEnabled(QStringLiteral("290.allowDHCP"), true);
+    MacOSFirewall::setAnchorEnabled(QStringLiteral("300.allowLAN"), true);
+
+    QStringList dnsServers;
+    dnsServers.append(configStr.value(amnezia::config_key::dns1).toString());
+    dnsServers.append(configStr.value(amnezia::config_key::dns2).toString());
+    MacOSFirewall::setAnchorEnabled(QStringLiteral("310.blockDNS"), true);
+    MacOSFirewall::setAnchorTable(QStringLiteral("310.blockDNS"), true, QStringLiteral("dnsaddr"), dnsServers);
+#endif
+
+    return true;
 }
 
-bool IpcServer::isWireguardConfigExists(const QString &configPath)
+bool IpcServer::disableKillSwitch()
 {
-#ifdef MZ_DEBUG
-    qDebug() << "IpcServer::isWireguardConfigExists";
+#ifdef Q_OS_WIN
+    return WindowsFirewall::instance()->disableKillSwitch();
 #endif
 
-    return QFileInfo::exists(configPath);
+#ifdef Q_OS_LINUX
+    LinuxFirewall::uninstall();
+#endif
+
+#ifdef Q_OS_MACOS
+    MacOSFirewall::uninstall();
+#endif
+
+    return true;
+}
+
+bool IpcServer::enablePeerTraffic(const QJsonObject &configStr)
+{
+#ifdef Q_OS_WIN
+    InterfaceConfig config;
+    config.m_dnsServer = configStr.value(amnezia::config_key::dns1).toString();
+    config.m_serverPublicKey = "openvpn";
+    config.m_serverIpv4Gateway = configStr.value("vpnGateway").toString();
+
+    int splitTunnelType = configStr.value("splitTunnelType").toInt();
+    QJsonArray splitTunnelSites = configStr.value("splitTunnelSites").toArray();
+
+    qDebug() << "splitTunnelType " << splitTunnelType << "splitTunnelSites " << splitTunnelSites;
+
+    QStringList AllowedIPAddesses;
+
+    // Use APP split tunnel
+    if (splitTunnelType == 0 || splitTunnelType == 2) {
+            config.m_allowedIPAddressRanges.append(
+                    IPAddress(QHostAddress("0.0.0.0"), 0));
+            config.m_allowedIPAddressRanges.append(
+                IPAddress(QHostAddress("::"), 0));
+    }
+
+    if (splitTunnelType == 1) {
+        for (auto v : splitTunnelSites) {
+            QString ipRange = v.toString();
+            qDebug() << "ipRange " << ipRange;
+            if (ipRange.split('/').size() > 1){
+                config.m_allowedIPAddressRanges.append(
+                    IPAddress(QHostAddress(ipRange.split('/')[0]), atoi(ipRange.split('/')[1].toLocal8Bit())));
+            } else {
+                 config.m_allowedIPAddressRanges.append(
+                    IPAddress(QHostAddress(ipRange), 32));
+
+            }
+        }
+    }
+
+    config.m_excludedAddresses.append(configStr.value(amnezia::config_key::hostName).toString());
+    if (splitTunnelType == 2) {
+        for (auto v : splitTunnelSites) {
+            QString ipRange = v.toString();
+            config.m_excludedAddresses.append(ipRange);
+        }
+    }
+
+    return WindowsFirewall::instance()->enablePeerTraffic(config);
+#endif
+    return true;
 }

ipc/ipcserver.h

@@ -4,6 +4,8 @@
 #include <QLocalServer>
 #include <QObject>
 #include <QRemoteObjectNode>
+#include <QJsonObject>
+#include "../client/daemon/interfaceconfig.h"
 
 #include "ipc.h"
 #include "ipcserverprocess.h"
@@ -25,9 +27,9 @@ public:
     virtual QStringList getTapList() override;
     virtual void cleanUp() override;
     virtual void setLogsEnabled(bool enabled) override;
-    virtual bool copyWireguardConfig(const QString &sourcePath) override;
-    virtual bool isWireguardRunning() override;
-    virtual bool isWireguardConfigExists(const QString &configPath) override;
+    virtual bool enablePeerTraffic(const QJsonObject &configStr) override;
+    virtual bool enableKillSwitch(const QJsonObject &excludeAddr, int vpnAdapterIndex) override;
+    virtual bool disableKillSwitch() override;
 
 private:
     int m_localpid = 0;

service/server/CMakeLists.txt

@@ -182,6 +182,7 @@ if(APPLE)
         ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/macos/daemon/macosdaemon.h
         ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/macos/daemon/macosroutemonitor.h
         ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/macos/daemon/wireguardutilsmacos.h
+        ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/macos/daemon/macosfirewall.h
     )
 
     set(SOURCES ${SOURCES}
@@ -195,6 +196,7 @@ if(APPLE)
         ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/macos/daemon/macosdaemon.cpp
         ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/macos/daemon/macosroutemonitor.cpp
         ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/macos/daemon/wireguardutilsmacos.cpp
+        ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/macos/daemon/macosfirewall.cpp
     )
 endif()
 
@@ -211,6 +213,7 @@ if(LINUX)
         ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/linux/daemon/dnsutilslinux.h
         ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/linux/daemon/wireguardutilslinux.h
         ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/linux/daemon/linuxroutemonitor.h
+        ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/linux/daemon/linuxfirewall.h        
     )
 
     set(SOURCES ${SOURCES}
@@ -223,6 +226,7 @@ if(LINUX)
         ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/linux/daemon/linuxdaemon.cpp
         ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/linux/daemon/wireguardutilslinux.cpp
         ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/linux/daemon/linuxroutemonitor.cpp
+        ${CMAKE_CURRENT_SOURCE_DIR}/../../client/platforms/linux/daemon/linuxfirewall.cpp
     )
 endif()