fixed timeout & add message & fix disabled telemt|mtproxy

* move sudo docker volume rm -f

* fix: remove unnecessary function

---------

Co-authored-by: vkamn <vk@amnezia.org>

.github/workflows/deploy.yml

@@ -23,6 +23,9 @@ jobs:
               - 'recipes/**'
               - 'conanfile.py'
               - '.github/workflows/deploy.yml'
+              - 'cmake/conan_provider.cmake'
+              - 'cmake/platform_settings.cmake'
+              - 'cmake/recipes_bootstrap.cmake'
 
   Bake-Prebuilts-Linux:
     runs-on: ubuntu-latest

CMakeLists.txt

@@ -4,7 +4,7 @@ set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
 set(PROJECT AmneziaVPN)
-set(AMNEZIAVPN_VERSION 4.9.0.1)
+set(AMNEZIAVPN_VERSION 4.9.0.2)
 
 set(QT_CREATOR_SKIP_PACKAGE_MANAGER_SETUP ON CACHE BOOL "" FORCE)
 set(CMAKE_PROJECT_TOP_LEVEL_INCLUDES
@@ -18,9 +18,9 @@ project(${PROJECT} VERSION ${AMNEZIAVPN_VERSION}
         HOMEPAGE_URL "https://amnezia.org/"
 )
 
+# trigger conan to kick off `conan install` globally
+find_package(OpenSSL REQUIRED)
 if (PREBUILTS_ONLY)
-    # trigger conan to kick off `conan install`
-    find_package(OpenSSL REQUIRED)
     return()
 endif()
 
@@ -28,7 +28,7 @@ string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")
 
 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2122)
+set(APP_ANDROID_VERSION_CODE 2123)
 
 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
     set(MZ_PLATFORM_NAME "linux")

client/CMakeLists.txt

@@ -212,11 +212,32 @@ endif()
 
 install(TARGETS ${PROJECT}
     DESTINATION ${CMAKE_INSTALL_BINDIR}
+    RUNTIME_DEPENDENCY_SET client_deps
     COMPONENT AmneziaVPN
 )
-install(FILES $<TARGET_RUNTIME_DLLS:${PROJECT}>
-    DESTINATION ${CMAKE_INSTALL_BINDIR}
+
+if(APPLE)
+    set(RUNTIME_DEPS_DIR ${CMAKE_INSTALL_BINDIR}/AmneziaVPN.app/Contents/Frameworks)
+else()
+    set(RUNTIME_DEPS_DIR ${CMAKE_INSTALL_BINDIR})
+endif()
+
+install(RUNTIME_DEPENDENCY_SET client_deps
+    PRE_EXCLUDE_REGEXES
+        [[api-ms-win-.*]]
+        [[ext-ms-.*]]
+        [[kernel32\.dll]]
+        [[hvsifiletrust\.dll]]
+        [[libc\.so\..*]] [[libgcc_s\.so\..*]] [[libm\.so\..*]] [[libstdc\+\+\.so\..*]]
+        [[.*\.framework]]
+        [[^[Qq]t.*]]
+    POST_EXCLUDE_REGEXES
+        [[^.*[\\/]system32[\\/].*\.dll$]]
+        [[^/lib.*]]
+        [[^/usr/lib.*]]
+    DIRECTORIES ${CONAN_RUNTIME_LIB_DIRS}
     COMPONENT AmneziaVPN
+    DESTINATION "${RUNTIME_DEPS_DIR}"
 )
 
 set(deploy_tool_options "")

client/cmake/ios.cmake

@@ -54,7 +54,6 @@ target_include_directories(${PROJECT} PRIVATE ${Qt6Gui_PRIVATE_INCLUDE_DIRS})
 
 
 set_target_properties(${PROJECT} PROPERTIES
-    XCODE_LINK_BUILD_PHASE_MODE KNOWN_LOCATION
     MACOSX_BUNDLE_INFO_PLIST ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Info.plist.in
     MACOSX_BUNDLE_ICON_FILE "AppIcon"
     MACOSX_BUNDLE_INFO_STRING "AmneziaVPN"

client/core/controllers/connectionController.cpp

@@ -49,14 +49,92 @@ void ConnectionController::setConnectionState(Vpn::ConnectionState state)
     }
 }
 
-ErrorCode ConnectionController::prepareConnection(const QString &serverId,
-                                                 QJsonObject& vpnConfiguration,
-                                                 DockerContainer& container)
+ErrorCode ConnectionController::defaultContainerForServer(const QString &serverId, DockerContainer &container) const
 {
+    const auto kind = m_serversRepository->serverKind(serverId);
+    switch (kind) {
+    case serverConfigUtils::ConfigType::SelfHostedAdmin: {
+        const auto cfg = m_serversRepository->selfHostedAdminConfig(serverId);
+        if (!cfg.has_value()) {
+            return ErrorCode::InternalError;
+        }
+        container = cfg->defaultContainer;
+        return ErrorCode::NoError;
+    }
+    case serverConfigUtils::ConfigType::SelfHostedUser: {
+        const auto cfg = m_serversRepository->selfHostedUserConfig(serverId);
+        if (!cfg.has_value()) {
+            return ErrorCode::InternalError;
+        }
+        container = cfg->defaultContainer;
+        return ErrorCode::NoError;
+    }
+    case serverConfigUtils::ConfigType::Native: {
+        const auto cfg = m_serversRepository->nativeConfig(serverId);
+        if (!cfg.has_value()) {
+            return ErrorCode::InternalError;
+        }
+        container = cfg->defaultContainer;
+        return ErrorCode::NoError;
+    }
+    case serverConfigUtils::ConfigType::AmneziaPremiumV2:
+    case serverConfigUtils::ConfigType::AmneziaFreeV3:
+    case serverConfigUtils::ConfigType::ExternalPremium: {
+        const auto cfg = m_serversRepository->apiV2Config(serverId);
+        if (!cfg.has_value()) {
+            return ErrorCode::InternalError;
+        }
+        container = cfg->defaultContainer;
+        return ErrorCode::NoError;
+    }
+    case serverConfigUtils::ConfigType::AmneziaPremiumV1:
+    case serverConfigUtils::ConfigType::AmneziaFreeV2:
+        return ErrorCode::LegacyApiV1NotSupportedError;
+    case serverConfigUtils::ConfigType::Invalid:
+    default:
+        return ErrorCode::InternalError;
+    }
+}
+
+ErrorCode ConnectionController::isConnectionSupported(const QString &serverId) const
+{
+    if (serverId.isEmpty()) {
+        return ErrorCode::InternalError;
+    }
+
     if (!isServiceReady()) {
         return ErrorCode::AmneziaServiceNotRunning;
     }
 
+    if (serverConfigUtils::isLegacyApiSubscription(m_serversRepository->serverKind(serverId))) {
+        return ErrorCode::LegacyApiV1NotSupportedError;
+    }
+
+    DockerContainer container = DockerContainer::None;
+    const ErrorCode errorCode = defaultContainerForServer(serverId, container);
+    if (errorCode != ErrorCode::NoError) {
+        return errorCode;
+    }
+
+    if (container == DockerContainer::None) {
+        return ErrorCode::NoInstalledContainersError;
+    }
+
+    if (ContainerUtils::isUnsupportedContainer(container)) {
+        return ErrorCode::LegacyContainerNotSupportedError;
+    }
+
+    if (!isContainerSupported(container)) {
+        return ErrorCode::NotSupportedOnThisPlatform;
+    }
+
+    return ErrorCode::NoError;
+}
+
+ErrorCode ConnectionController::prepareConnection(const QString &serverId,
+                                                 QJsonObject& vpnConfiguration,
+                                                 DockerContainer& container)
+{
     ContainerConfig containerConfigModel;
     QPair<QString, QString> dns;
     QString hostName;
@@ -120,10 +198,6 @@ ErrorCode ConnectionController::prepareConnection(const QString &serverId,
         return ErrorCode::InternalError;
     }
 
-    if (!isContainerSupported(container)) {
-        return ErrorCode::NotSupportedOnThisPlatform;
-    }
-
     vpnConfiguration = createConnectionConfiguration(dns, isApiConfig, hostName, description, configVersion,
                                                      containerConfigModel, container);
 

client/core/controllers/connectionController.h

@@ -34,6 +34,8 @@ public:
                                QJsonObject& vpnConfiguration,
                                DockerContainer& container);
 
+    ErrorCode isConnectionSupported(const QString &serverId) const;
+
     ErrorCode openConnection(const QString &serverId);
 
     void closeConnection();
@@ -73,6 +75,8 @@ signals:
 #endif
 
 private:
+    ErrorCode defaultContainerForServer(const QString &serverId, DockerContainer &container) const;
+
     SecureServersRepository* m_serversRepository;
     SecureAppSettingsRepository* m_appSettingsRepository;
     VpnConnection* m_vpnConnection;

client/core/controllers/coreController.cpp

@@ -191,7 +191,7 @@ void CoreController::initControllers()
     m_languageUiController = new LanguageUiController(m_settingsController, m_languageModel, this);
     setQmlContextProperty("LanguageUiController", m_languageUiController);
 
-    m_settingsUiController = new SettingsUiController(m_settingsController, m_serversController, m_languageUiController, this);
+    m_settingsUiController = new SettingsUiController(m_settingsController, m_serversController, this);
     setQmlContextProperty("SettingsController", m_settingsUiController);
 
     m_pageController = new PageController(m_serversController, m_settingsController, this);

client/core/controllers/coreSignalHandlers.cpp

@@ -33,7 +33,6 @@
 #include "core/controllers/connectionController.h"
 #include "ui/models/clientManagementModel.h"
 #include "ui/controllers/api/apiNewsUiController.h"
-#include "ui/models/api/apiCountryModel.h"
 #include "ui/models/containersModel.h"
 #include "core/utils/containerEnum.h"
 
@@ -156,15 +155,17 @@ void CoreSignalHandlers::initExportControllerHandler()
 void CoreSignalHandlers::initImportControllerHandler()
 {
     connect(m_coreController->m_importCoreController, &ImportController::importFinished, this, [this]() {
-        if (!m_coreController->m_connectionController->isConnected()) {
-            int newServerIndex = m_coreController->m_serversController->getServersCount() - 1;
-            const QString serverId = m_coreController->m_serversController->getServerId(newServerIndex);
-            if (!serverId.isEmpty()) {
-                m_coreController->m_serversController->setDefaultServer(serverId);
-            }
-            if (m_coreController->m_serversUiController) {
-                m_coreController->m_serversUiController->setProcessedServerId(serverId);
-            }
+        if (m_coreController->m_connectionUiController->isConnected()) {
+            return;
+        }
+
+        const int newServerIndex = m_coreController->m_serversController->getServersCount() - 1;
+        const QString serverId = m_coreController->m_serversController->getServerId(newServerIndex);
+        if (!serverId.isEmpty()) {
+            m_coreController->m_serversController->setDefaultServer(serverId);
+        }
+        if (m_coreController->m_serversUiController) {
+            m_coreController->m_serversUiController->setProcessedServerId(serverId);
         }
     });
 }
@@ -176,17 +177,14 @@ void CoreSignalHandlers::initApiCountryModelUpdateHandler()
         if (processedServerId.isEmpty()) {
             return;
         }
-        
-        QJsonArray availableCountries;
-        QString serverCountryCode;
 
         const auto apiV2 = m_coreController->m_serversRepository->apiV2Config(processedServerId);
-        if (apiV2.has_value()) {
-            availableCountries = apiV2->apiConfig.availableCountries;
-            serverCountryCode = apiV2->apiConfig.serverCountryCode;
+        if (!apiV2.has_value()) {
+            return;
         }
-        
-        m_coreController->m_apiCountryModel->updateModel(availableCountries, serverCountryCode);
+
+        m_coreController->m_apiCountryModel->updateModel(apiV2->apiConfig.availableCountries,
+                                                           apiV2->apiConfig.serverCountryCode);
     });
 }
 
@@ -237,13 +235,16 @@ void CoreSignalHandlers::initLanguageHandler()
     connect(m_coreController->m_settingsUiController, &SettingsUiController::resetLanguageToSystem, m_coreController->m_languageUiController, [this]() {
         m_coreController->m_languageUiController->changeLanguage(m_coreController->m_languageUiController->getSystemLanguageEnum());
     });
+    connect(m_coreController->m_settingsUiController, &SettingsUiController::appLanguageChanged, m_coreController->m_languageUiController, [this]() {
+        m_coreController->m_languageUiController->onAppLanguageChanged(m_coreController->m_settingsController->getAppLanguage());
+    });
 }
 
 void CoreSignalHandlers::initAutoConnectHandler()
 {
     if (m_coreController->m_settingsUiController->isAutoConnectEnabled()
         && !m_coreController->m_serversController->getDefaultServerId().isEmpty()) {
-        QTimer::singleShot(1000, this, [this]() { m_coreController->m_connectionUiController->openConnection(); });
+        QTimer::singleShot(1000, this, [this]() { m_coreController->m_connectionUiController->toggleConnection(); });
     }
 }
 
@@ -348,6 +349,9 @@ void CoreSignalHandlers::initUnsupportedConnectDrawerHandler()
 {
     connect(m_coreController->m_subscriptionUiController, &SubscriptionUiController::unsupportedConnectDrawerRequested,
             m_coreController->m_pageController, &PageController::unsupportedConnectDrawerRequested);
+
+    connect(m_coreController->m_connectionUiController, &ConnectionUiController::unsupportedConnectDrawerRequested,
+            m_coreController->m_pageController, &PageController::unsupportedConnectDrawerRequested);
 }
 
 void CoreSignalHandlers::initStrictKillSwitchHandler()

client/core/controllers/selfhosted/importController.cpp

@@ -486,7 +486,7 @@ QJsonObject ImportController::extractOpenVpnConfig(const QString &data) const
     QJsonObject config;
     config[configKey::containers] = arr;
     config[configKey::defaultContainer] = configKey::amneziaOpenvpn;
-    config[configKey::description] = m_appSettingsRepository->nextAvailableServerName();
+    config[configKey::description] = m_serversRepository->nextAvailableServerName();
 
     const static QRegularExpression dnsRegExp("dhcp-option DNS (\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b)");
     QRegularExpressionMatchIterator dnsMatch = dnsRegExp.globalMatch(data);
@@ -645,7 +645,7 @@ QJsonObject ImportController::extractWireGuardConfig(const QString &data, Config
     QJsonObject config;
     config[configKey::containers] = arr;
     config[configKey::defaultContainer] = containerName;
-    config[configKey::description] = m_appSettingsRepository->nextAvailableServerName();
+    config[configKey::description] = m_serversRepository->nextAvailableServerName();
 
     const static QRegularExpression dnsRegExp(
             "DNS = "
@@ -699,7 +699,7 @@ QJsonObject ImportController::extractXrayConfig(const QString &data, ConfigTypes
             ? configKey::amneziaSsxray
             : configKey::amneziaXray;
     if (description.isEmpty()) {
-        config[configKey::description] = m_appSettingsRepository->nextAvailableServerName();
+        config[configKey::description] = m_serversRepository->nextAvailableServerName();
     } else {
         config[configKey::description] = description;
     }

client/core/controllers/selfhosted/installController.cpp

@@ -72,6 +72,16 @@ namespace
         }
         return false;
     }
+
+    QString buildRemoveContainerScript(const amnezia::ScriptVars &vars, bool removeDataVolume)
+    {
+        QString script = SshSession::replaceVars(amnezia::scriptData(SharedScriptType::remove_container), vars);
+        if (removeDataVolume) {
+            script += QLatin1String("\nsudo docker volume rm -f $CONTAINER_NAME-data 2>/dev/null || true");
+            script = SshSession::replaceVars(script, vars);
+        }
+        return script;
+    }
 }
 
 InstallController::InstallController(SecureServersRepository *serversRepository,
@@ -93,7 +103,7 @@ ErrorCode InstallController::setupContainer(const ServerCredentials &credentials
                                             bool isUpdate)
 {
     qDebug().noquote() << "InstallController::setupContainer" << ContainerUtils::containerToString(container);
-    SshSession sshSession(this);
+    SshSession sshSession;
     ErrorCode e = ErrorCode::NoError;
 
     e = isUserInSudo(credentials, sshSession);
@@ -120,14 +130,10 @@ ErrorCode InstallController::setupContainer(const ServerCredentials &credentials
         return e;
     qDebug().noquote() << "InstallController::setupContainer prepareHostWorker finished";
 
-    amnezia::ScriptVars removeContainerVars =
+    const amnezia::ScriptVars removeContainerVars =
             amnezia::genBaseVars(credentials, container, QString(), QString());
-    if (!isUpdate) {
-        removeContainerVars.append({ { "$REMOVE_CONTAINER_DATA", QStringLiteral("1") } });
-    }
-    sshSession.runScript(credentials,
-                         sshSession.replaceVars(amnezia::scriptData(SharedScriptType::remove_container),
-                                                removeContainerVars));
+    const bool removeDataVolume = !isUpdate && (container == DockerContainer::MtProxy || container == DockerContainer::Telemt);
+    sshSession.runScript(credentials, buildRemoveContainerScript(removeContainerVars, removeDataVolume));
     qDebug().noquote() << "InstallController::setupContainer removeContainer finished";
 
     qDebug().noquote() << "buildContainerWorker start";
@@ -152,8 +158,8 @@ ErrorCode InstallController::setupContainer(const ServerCredentials &credentials
     return startupContainerWorker(credentials, container, config, sshSession);
 }
 
-ErrorCode InstallController::updateContainer(const QString &serverId, DockerContainer container, const ContainerConfig &oldConfig,
-                                             ContainerConfig &newConfig)
+ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerContainer container, const ContainerConfig &oldConfig,
+                                                ContainerConfig &newConfig)
 {
     if (!isUpdateDockerContainerRequired(container, oldConfig, newConfig)) {
         auto adminConfig = m_serversRepository->selfHostedAdminConfig(serverId);
@@ -162,11 +168,11 @@ ErrorCode InstallController::updateContainer(const QString &serverId, DockerCont
         }
         if (container == DockerContainer::MtProxy) {
             ServerCredentials credentials = adminConfig->credentials();
-            SshSession sshSession(this);
+            SshSession sshSession;
             MtProxyInstaller::uploadClientSettingsSnapshot(sshSession, credentials, container, newConfig);
         } else if (container == DockerContainer::Telemt) {
             ServerCredentials credentials = adminConfig->credentials();
-            SshSession sshSession(this);
+            SshSession sshSession;
             TelemtInstaller::uploadClientSettingsSnapshot(sshSession, credentials, container, newConfig);
         }
         adminConfig->updateContainerConfig(container, newConfig);
@@ -182,10 +188,10 @@ ErrorCode InstallController::updateContainer(const QString &serverId, DockerCont
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     bool reinstallRequired = isReinstallContainerRequired(container, oldConfig, newConfig);
-    qDebug() << "InstallController::updateContainer for container" << container << "reinstall required is" << reinstallRequired;
+    qDebug() << "InstallController::updateServerConfig for container" << container << "reinstall required is" << reinstallRequired;
 
     bool xrayServerSettingsChanged = false;
     if (container == DockerContainer::Xray || container == DockerContainer::SSXray) {
@@ -213,11 +219,11 @@ ErrorCode InstallController::updateContainer(const QString &serverId, DockerCont
     if (errorCode == ErrorCode::NoError && xrayServerSettingsChanged && !skipXrayInboundSync) {
         DnsSettings dnsSettings = { m_appSettingsRepository->primaryDns(), m_appSettingsRepository->secondaryDns() };
         XrayConfigurator xrayConfigurator(&sshSession);
-        qDebug() << "InstallController::updateContainer applying Xray server inbound sync, reinstall="
+        qDebug() << "InstallController::updateServerConfig applying Xray server inbound sync, reinstall="
                  << reinstallRequired;
         errorCode = xrayConfigurator.applyServerSettingsToRemote(credentials, container, newConfig, dnsSettings, false);
         if (errorCode != ErrorCode::NoError) {
-            qDebug() << "InstallController::updateContainer Xray inbound sync failed, error="
+            qDebug() << "InstallController::updateServerConfig Xray inbound sync failed, error="
                      << static_cast<int>(errorCode);
         }
     }
@@ -236,6 +242,41 @@ ErrorCode InstallController::updateContainer(const QString &serverId, DockerCont
     return errorCode;
 }
 
+ErrorCode InstallController::updateClientConfig(const QString &serverId, DockerContainer container, ContainerConfig &newConfig)
+{
+    switch (m_serversRepository->serverKind(serverId)) {
+    case serverConfigUtils::ConfigType::SelfHostedAdmin: {
+        auto config = m_serversRepository->selfHostedAdminConfig(serverId);
+        if (!config.has_value()) {
+            return ErrorCode::InternalError;
+        }
+        config->updateContainerConfig(container, newConfig);
+        m_serversRepository->editServer(serverId, config->toJson(), serverConfigUtils::ConfigType::SelfHostedAdmin);
+        return ErrorCode::NoError;
+    }
+    case serverConfigUtils::ConfigType::SelfHostedUser: {
+        auto config = m_serversRepository->selfHostedUserConfig(serverId);
+        if (!config.has_value()) {
+            return ErrorCode::InternalError;
+        }
+        config->updateContainerConfig(container, newConfig);
+        m_serversRepository->editServer(serverId, config->toJson(), serverConfigUtils::ConfigType::SelfHostedUser);
+        return ErrorCode::NoError;
+    }
+    case serverConfigUtils::ConfigType::Native: {
+        auto config = m_serversRepository->nativeConfig(serverId);
+        if (!config.has_value()) {
+            return ErrorCode::InternalError;
+        }
+        config->updateContainerConfig(container, newConfig);
+        m_serversRepository->editServer(serverId, config->toJson(), serverConfigUtils::ConfigType::Native);
+        return ErrorCode::NoError;
+    }
+    default:
+        return ErrorCode::InternalError;
+    }
+}
+
 void InstallController::clearCachedProfile(const QString &serverId, DockerContainer container)
 {
     if (ContainerUtils::containerService(container) == ServiceType::Other) {
@@ -358,7 +399,7 @@ void InstallController::addEmptyServer(const ServerCredentials &credentials)
     serverConfig.userName = credentials.userName;
     serverConfig.password = credentials.secretData;
     serverConfig.port = credentials.port;
-    serverConfig.description = m_appSettingsRepository->nextAvailableServerName();
+    serverConfig.description = m_serversRepository->nextAvailableServerName();
     serverConfig.displayName = serverConfig.description.isEmpty() ? serverConfig.hostName : serverConfig.description;
     serverConfig.defaultContainer = DockerContainer::None;
 
@@ -794,6 +835,20 @@ ErrorCode InstallController::installDockerWorker(const ServerCredentials &creden
 
     qDebug().noquote() << "InstallController::installDockerWorker" << stdOut;
 
+    if (container == DockerContainer::MtProxy || container == DockerContainer::Telemt) {
+        QString conntrackOut;
+        auto cbConntrack = [&](const QString &data, libssh::Client &) {
+            conntrackOut += data + "\n";
+            return ErrorCode::NoError;
+        };
+        sshSession.runScript(
+                credentials,
+                sshSession.replaceVars(amnezia::scriptData(SharedScriptType::install_conntrack),
+                                       amnezia::genBaseVars(credentials, DockerContainer::None, QString(), QString())),
+                cbConntrack, cbConntrack);
+        qDebug().noquote() << "InstallController::installDockerWorker install_conntrack:" << conntrackOut;
+    }
+
     if (container == DockerContainer::Awg2) {
         QRegularExpression regex(R"(Linux\s+(\d+)\.(\d+)[^\d]*)");
         QRegularExpressionMatch match = regex.match(stdOut);
@@ -929,7 +984,7 @@ ErrorCode InstallController::rebootServer(const QString &serverId)
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     QString script = QString("sudo reboot");
 
@@ -957,7 +1012,7 @@ ErrorCode InstallController::removeAllContainers(const QString &serverId)
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     ErrorCode errorCode = sshSession.runScript(credentials, amnezia::scriptData(SharedScriptType::remove_all_containers));
 
     if (errorCode == ErrorCode::NoError) {
@@ -979,13 +1034,12 @@ ErrorCode InstallController::removeContainer(const QString &serverId, DockerCont
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
-    amnezia::ScriptVars removeContainerVars =
+    SshSession sshSession;
+    const amnezia::ScriptVars removeContainerVars =
             amnezia::genBaseVars(credentials, container, QString(), QString());
-    removeContainerVars.append({ { "$REMOVE_CONTAINER_DATA", QStringLiteral("1") } });
-    ErrorCode errorCode = sshSession.runScript(
-            credentials,
-            sshSession.replaceVars(amnezia::scriptData(SharedScriptType::remove_container), removeContainerVars));
+    const bool removeDataVolume = (container == DockerContainer::MtProxy || container == DockerContainer::Telemt);
+    ErrorCode errorCode =
+            sshSession.runScript(credentials, buildRemoveContainerScript(removeContainerVars, removeDataVolume));
 
     if (errorCode == ErrorCode::NoError) {
         QMap<DockerContainer, ContainerConfig> containers = adminConfig->containers;
@@ -1089,7 +1143,7 @@ ErrorCode InstallController::scanServerForInstalledContainers(const QString &ser
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     QMap<DockerContainer, ContainerConfig> installedContainers;
     ErrorCode errorCode = getAlreadyInstalledContainers(credentials, installedContainers, sshSession);
@@ -1132,7 +1186,7 @@ ErrorCode InstallController::scanServerForInstalledContainers(const QString &ser
 ErrorCode InstallController::installServer(const ServerCredentials &credentials, DockerContainer container, int port,
                                            TransportProto transportProto, bool &wasContainerInstalled)
 {
-    SshSession sshSession(this);
+    SshSession sshSession;
     QMap<DockerContainer, ContainerConfig> installedContainers;
     ErrorCode errorCode = getAlreadyInstalledContainers(credentials, installedContainers, sshSession);
     if (errorCode) {
@@ -1170,7 +1224,7 @@ ErrorCode InstallController::installServer(const ServerCredentials &credentials,
     serverConfig.userName = credentials.userName;
     serverConfig.password = credentials.secretData;
     serverConfig.port = credentials.port;
-    serverConfig.description = m_appSettingsRepository->nextAvailableServerName();
+    serverConfig.description = m_serversRepository->nextAvailableServerName();
 
     for (auto iterator = preparedContainers.begin(); iterator != preparedContainers.end(); iterator++) {
         serverConfig.containers.insert(iterator.key(), iterator.value());
@@ -1201,7 +1255,7 @@ ErrorCode InstallController::installContainer(const QString &serverId, DockerCon
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     
     QMap<DockerContainer, ContainerConfig> installedContainers;
     ErrorCode errorCode = getAlreadyInstalledContainers(credentials, installedContainers, sshSession);
@@ -1240,28 +1294,26 @@ ErrorCode InstallController::installContainer(const QString &serverId, DockerCon
     return ErrorCode::NoError;
 }
 
-ErrorCode InstallController::checkSshConnection(const ServerCredentials &credentials, QString &output,
+ErrorCode InstallController::checkSshConnection(ServerCredentials &credentials, QString &output,
                                                 std::function<QString()> passphraseCallback)
 {
-    SshSession sshSession(this);
+    SshSession sshSession;
     ErrorCode errorCode = ErrorCode::NoError;
 
-    ServerCredentials processedCredentials = credentials;
-
-    if (processedCredentials.secretData.contains("BEGIN") && processedCredentials.secretData.contains("PRIVATE KEY")) {
+    if (credentials.secretData.contains("BEGIN") && credentials.secretData.contains("PRIVATE KEY")) {
         if (!passphraseCallback) {
             return ErrorCode::SshPrivateKeyError;
         }
 
         QString decryptedPrivateKey;
-        errorCode = sshSession.getDecryptedPrivateKey(processedCredentials, decryptedPrivateKey, passphraseCallback);
+        errorCode = sshSession.getDecryptedPrivateKey(credentials, decryptedPrivateKey, passphraseCallback);
         if (errorCode != ErrorCode::NoError) {
             return errorCode;
         }
-        processedCredentials.secretData = decryptedPrivateKey;
+        credentials.secretData = decryptedPrivateKey;
     }
 
-    output = sshSession.checkSshConnection(processedCredentials, errorCode);
+    output = sshSession.checkSshConnection(credentials, errorCode);
     return errorCode;
 }
 
@@ -1465,7 +1517,7 @@ ErrorCode InstallController::getAlreadyInstalledContainers(const ServerCredentia
             QString transportProtoStr = containerAndPortMatch.captured(3);
             DockerContainer container = ContainerUtils::containerFromString(name);
 
-            if (container == DockerContainer::None) {
+            if (container == DockerContainer::None || ContainerUtils::isUnsupportedContainer(container)) {
                 continue;
             }
 
@@ -1490,7 +1542,7 @@ ErrorCode InstallController::getAlreadyInstalledContainers(const ServerCredentia
             QString transportProtoStr = torOrDnsRegMatch.captured(3);
             DockerContainer container = ContainerUtils::containerFromString(name);
 
-            if (container == DockerContainer::None) {
+            if (container == DockerContainer::None || ContainerUtils::isUnsupportedContainer(container)) {
                 continue;
             }
 
@@ -1526,7 +1578,7 @@ ErrorCode InstallController::setDockerContainerEnabledState(const QString &serve
         return ErrorCode::InternalError;
     }
     const QString containerName = ContainerUtils::containerToString(container);
-    SshSession sshSession(this);
+    SshSession sshSession;
     const QString script = enabled ? QStringLiteral("sudo docker start %1").arg(containerName)
                                    : QStringLiteral("sudo docker stop %1").arg(containerName);
     const ErrorCode runError = sshSession.runScript(credentials, script);
@@ -1566,7 +1618,7 @@ ErrorCode InstallController::queryDockerContainerStatus(const QString &serverId,
         stdOut += data;
         return ErrorCode::NoError;
     };
-    SshSession sshSession(this);
+    SshSession sshSession;
     const QString script = QStringLiteral(
             "sudo docker inspect --format '{{.State.Status}}' %1 2>/dev/null || echo 'not_found'")
             .arg(containerName);
@@ -1600,7 +1652,7 @@ ErrorCode InstallController::queryMtProxyDiagnostics(const QString &serverId, Do
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     return MtProxyInstaller::queryDiagnostics(sshSession, credentials, container, listenPort, out);
 }
 
@@ -1623,7 +1675,7 @@ QString InstallController::fetchDockerContainerSecret(const QString &serverId, D
         stdOut += data;
         return ErrorCode::NoError;
     };
-    SshSession sshSession(this);
+    SshSession sshSession;
     const QString path = QStringLiteral("/data/secret");
     const QString cmd = QStringLiteral("sudo docker exec %1 cat %2").arg(containerName, path);
     const ErrorCode errorCode = sshSession.runScript(credentials, cmd, cbReadStdOut);

client/core/controllers/selfhosted/installController.h

@@ -34,7 +34,12 @@ public:
     ~InstallController();
 
     ErrorCode setupContainer(const ServerCredentials &credentials, DockerContainer container, ContainerConfig &config, bool isUpdate = false);
-    ErrorCode updateContainer(const QString &serverId, DockerContainer container, const ContainerConfig &oldConfig, ContainerConfig &newConfig);
+
+    // Updates server-side container settings (admin self-hosted only): reconfigures the container over SSH.
+    ErrorCode updateServerConfig(const QString &serverId, DockerContainer container, const ContainerConfig &oldConfig, ContainerConfig &newConfig);
+
+    // Updates client-local settings only: rewrites the stored container config for any self-hosted/native server. No SSH.
+    ErrorCode updateClientConfig(const QString &serverId, DockerContainer container, ContainerConfig &newConfig);
 
     ErrorCode rebootServer(const QString &serverId);
     ErrorCode removeAllContainers(const QString &serverId);
@@ -64,7 +69,8 @@ public:
     
     bool isUpdateDockerContainerRequired(DockerContainer container, const ContainerConfig &oldConfig, const ContainerConfig &newConfig);
     
-    ErrorCode checkSshConnection(const ServerCredentials &credentials, QString &output, std::function<QString()> passphraseCallback = nullptr);
+    ErrorCode checkSshConnection(ServerCredentials &credentials, QString &output,
+                                 std::function<QString()> passphraseCallback = nullptr);
     
     bool isServerAlreadyExists(const ServerCredentials &credentials, int &existingServerIndex);
     

client/core/controllers/settingsController.cpp

@@ -363,6 +363,6 @@ void SettingsController::disablePremV1MigrationReminder()
 
 QString SettingsController::nextAvailableServerName() const
 {
-    return m_appSettingsRepository->nextAvailableServerName();
+    return m_serversRepository->nextAvailableServerName();
 }
 

client/core/controllers/updateController.cpp

@@ -13,7 +13,6 @@
 #include "version.h"
 #include "core/controllers/gatewayController.h"
 #include "core/utils/constants/apiKeys.h"
-#include "core/utils/errorStrings.h"
 #include "core/utils/selfhosted/scriptsRegistry.h"
 
 namespace
@@ -109,7 +108,7 @@ void UpdateController::fetchGatewayUrl()
             .then(this, [this, gatewayController](QPair<ErrorCode, QByteArray> result) {
                 auto [err, gatewayResponse] = result;
                 if (err != ErrorCode::NoError) {
-                    logger.error() << errorString(err);
+                    logger.error() << "Gateway request failed, error code:" << static_cast<int>(err);
                     finishUpdateCheck();
                     return;
                 }
@@ -250,17 +249,9 @@ void UpdateController::runInstaller()
             runLinuxInstaller(kInstallerLocalPath);
     #endif
         } else {
-            if (reply->error() == QNetworkReply::NetworkError::OperationCanceledError
-                || reply->error() == QNetworkReply::NetworkError::TimeoutError) {
-                logger.error() << errorString(ErrorCode::ApiConfigTimeoutError);
-            } else {
-                QString err = reply->errorString();
-                logger.error() << QString::fromUtf8(reply->readAll());
-                logger.error() << "Network error code:" << QString::number(static_cast<int>(reply->error()));
-                logger.error() << "Error message:" << err;
-                logger.error() << "HTTP status:" << reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
-                logger.error() << errorString(ErrorCode::ApiConfigDownloadError);
-            }
+            logger.error() << "Installer download failed, network error:" << static_cast<int>(reply->error())
+                           << reply->errorString();
+            logger.error() << "HTTP status:" << reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
         }
         reply->deleteLater();
     });

client/core/installers/mtProxyInstaller.cpp

@@ -71,48 +71,62 @@ ErrorCode MtProxyInstaller::queryDiagnostics(SshSession &sshSession, const Serve
                                              DockerContainer container, int listenPort,
                                              MtProxyContainerDiagnostics &out)
 {
-    out = {};
-    if (container != DockerContainer::MtProxy && container != DockerContainer::Telemt) {
-        return ErrorCode::InternalError;
-    }
-    const QString containerName = ContainerUtils::containerToString(container);
-    const QString script =
-            QStringLiteral(
-                    "PORT_OK=$(sudo docker exec %1 sh -c 'ss -tlnp 2>/dev/null | grep -q :%2 && echo yes || echo no' 2>/dev/null || echo no); "
-                    "TG_OK=$(curl -s --max-time 5 -o /dev/null -w '%%{http_code}' https://core.telegram.org/getProxySecret 2>/dev/null | grep -q '200' && echo yes || echo no); "
-                    "CLIENTS=$(sudo docker exec amnezia-mtproxy sh -c 'curl -s --max-time 3 http://localhost:2398/stats 2>/dev/null | grep -o \"total_special_connections:[0-9]*\" | cut -d: -f2' 2>/dev/null); "
-                    "CONF_TIME=$(sudo docker exec amnezia-mtproxy sh -c 'stat -c \"%%y\" /data/proxy-multi.conf 2>/dev/null | cut -d. -f1' 2>/dev/null || echo unknown); "
-                    "echo \"PORT_OK=${PORT_OK}\"; "
-                    "echo \"TG_OK=${TG_OK}\"; "
-                    "echo \"CLIENTS=${CLIENTS:-0}\"; "
-                    "echo \"CONF_TIME=${CONF_TIME}\"; "
-                    "echo \"STATS=http://localhost:2398/stats\";")
-                    .arg(containerName)
-                    .arg(listenPort);
+    out = { };
+    if (container == DockerContainer::MtProxy || container == DockerContainer::Telemt) {
+        const QString containerName = ContainerUtils::containerToString(container);
+        const bool isTelemt = container == DockerContainer::Telemt;
 
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data;
-        return ErrorCode::NoError;
-    };
-    const ErrorCode errorCode = sshSession.runScript(credentials, script, cbReadStdOut);
-    if (errorCode != ErrorCode::NoError) {
-        return errorCode;
-    }
-    for (const QString &line : stdOut.split('\n', Qt::SkipEmptyParts)) {
-        if (line.startsWith(QLatin1String("PORT_OK="))) {
-            out.portReachable = line.mid(8).trimmed() == QLatin1String("yes");
-        } else if (line.startsWith(QLatin1String("TG_OK="))) {
-            out.upstreamReachable = line.mid(6).trimmed() == QLatin1String("yes");
-        } else if (line.startsWith(QLatin1String("CLIENTS="))) {
-            out.clientsConnected = line.mid(8).trimmed().toInt();
-        } else if (line.startsWith(QLatin1String("CONF_TIME="))) {
-            out.lastConfigRefresh = line.mid(10).trimmed();
-        } else if (line.startsWith(QLatin1String("STATS="))) {
-            out.statsEndpoint = line.mid(6).trimmed();
+        const QString sportFilter = QString::number(listenPort);
+        const QString peersCmd = QStringLiteral("sudo conntrack -L -p tcp --dport ") + sportFilter
+                + QStringLiteral(" 2>/dev/null | grep ESTABLISHED | awk '{for(i=1;i<=NF;i++) if($i ~ /^src=/){print "
+                                 "substr($i,5); break}}'");
+        const QString publicFilter = QStringLiteral(" | grep -vE "
+                                                    "'^(10\\.|127\\.|169\\.254\\.|192\\.168\\.|172\\.(1[6-9]|2[0-9]|3["
+                                                    "01])\\.|::1$|fe80:|f[cd][0-9a-f][0-9a-f]:)'");
+        const QString clientsCmd =
+                QStringLiteral("CLIENTS=$(") + peersCmd + publicFilter + QStringLiteral(" | sort -u | grep -c .); ");
+        const QString confFile =
+                isTelemt ? QStringLiteral("/data/config.toml") : QStringLiteral("/data/proxy-multi.conf");
+        const QString statsUrl = QString();
+
+        const QString script = QStringLiteral("CN=") + containerName + QStringLiteral("; ")
+                + QStringLiteral("PORT_OK=$(sudo ss -tlnp 2>/dev/null | grep -q :") + QString::number(listenPort)
+                + QStringLiteral(" && echo yes || echo no); ")
+                + QStringLiteral("TG_OK=$(curl -s --max-time 5 -o /dev/null -w '%{http_code}' "
+                                 "https://core.telegram.org/getProxySecret 2>/dev/null | grep -q '200' && echo yes || "
+                                 "echo no); ")
+                + clientsCmd + QStringLiteral("CONF_TIME=$(sudo docker exec \"$CN\" sh -c 'stat -c \"%y\" ") + confFile
+                + QStringLiteral(" 2>/dev/null | cut -d. -f1' 2>/dev/null || echo unknown); ")
+                + QStringLiteral("echo \"PORT_OK=${PORT_OK}\"; ") + QStringLiteral("echo \"TG_OK=${TG_OK}\"; ")
+                + QStringLiteral("echo \"CLIENTS=${CLIENTS:-0}\"; ") + QStringLiteral("echo \"CONF_TIME=${CONF_TIME}\"; ")
+                + QStringLiteral("echo \"STATS=") + statsUrl + QStringLiteral("\";");
+
+        QString stdOut;
+        auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
+            stdOut += data;
+            return ErrorCode::NoError;
+        };
+        const ErrorCode errorCode = sshSession.runScript(credentials, script, cbReadStdOut);
+        if (errorCode != ErrorCode::NoError) {
+            return errorCode;
         }
+        for (const QString &line : stdOut.split('\n', Qt::SkipEmptyParts)) {
+            if (line.startsWith(QLatin1String("PORT_OK="))) {
+                out.portReachable = line.mid(8).trimmed() == QLatin1String("yes");
+            } else if (line.startsWith(QLatin1String("TG_OK="))) {
+                out.upstreamReachable = line.mid(6).trimmed() == QLatin1String("yes");
+            } else if (line.startsWith(QLatin1String("CLIENTS="))) {
+                out.clientsConnected = line.mid(8).trimmed().toInt();
+            } else if (line.startsWith(QLatin1String("CONF_TIME="))) {
+                out.lastConfigRefresh = line.mid(10).trimmed();
+            } else if (line.startsWith(QLatin1String("STATS="))) {
+                out.statsEndpoint = line.mid(6).trimmed();
+            }
+        }
+        return ErrorCode::NoError;
     }
-    return ErrorCode::NoError;
+
+    return ErrorCode::InternalError;
 }
 
 void MtProxyInstaller::uploadClientSettingsSnapshot(SshSession &sshSession, const ServerCredentials &credentials,

client/core/models/selfhosted/nativeServerConfig.cpp

@@ -29,6 +29,11 @@ ContainerConfig NativeServerConfig::containerConfig(DockerContainer container) c
     return containers.value(container);
 }
 
+void NativeServerConfig::updateContainerConfig(DockerContainer container, const ContainerConfig &config)
+{
+    containers[container] = config;
+}
+
 QPair<QString, QString> NativeServerConfig::getDnsPair(const QString &primaryDns, const QString &secondaryDns) const
 {
     QString d1 = dns1;

client/core/models/selfhosted/nativeServerConfig.h

@@ -27,6 +27,8 @@ struct NativeServerConfig {
     bool hasContainers() const;
     ContainerConfig containerConfig(DockerContainer container) const;
 
+    void updateContainerConfig(DockerContainer container, const ContainerConfig &config);
+
     QPair<QString, QString> getDnsPair(const QString &primaryDns, const QString &secondaryDns) const;
 
     QJsonObject toJson() const;

client/core/models/selfhosted/selfHostedUserServerConfig.cpp

@@ -43,6 +43,11 @@ ContainerConfig SelfHostedUserServerConfig::containerConfig(DockerContainer cont
     return containers.value(container);
 }
 
+void SelfHostedUserServerConfig::updateContainerConfig(DockerContainer container, const ContainerConfig &config)
+{
+    containers[container] = config;
+}
+
 QPair<QString, QString> SelfHostedUserServerConfig::getDnsPair(const QString &primaryDns,
                                                                const QString &secondaryDns) const
 {

client/core/models/selfhosted/selfHostedUserServerConfig.h

@@ -32,6 +32,8 @@ struct SelfHostedUserServerConfig {
     bool hasContainers() const;
     ContainerConfig containerConfig(DockerContainer container) const;
 
+    void updateContainerConfig(DockerContainer container, const ContainerConfig &config);
+
     QPair<QString, QString> getDnsPair(const QString &primaryDns, const QString &secondaryDns) const;
 
     QJsonObject toJson() const;

client/core/protocols/openVpnProtocol.cpp

@@ -39,33 +39,44 @@ QString OpenVpnProtocol::defaultConfigPath()
     return p;
 }
 
-void OpenVpnProtocol::stop()
+void OpenVpnProtocol::cleanupResources()
 {
-    qDebug() << "OpenVpnProtocol::stop()";
-    setConnectionState(Vpn::ConnectionState::Disconnecting);
-
-    // TODO: need refactoring
-    // sendTermSignal() will even return true while server connected ???
-    if ((m_connectionState == Vpn::ConnectionState::Preparing) || (m_connectionState == Vpn::ConnectionState::Connecting)
-        || (m_connectionState == Vpn::ConnectionState::Connected)
-        || (m_connectionState == Vpn::ConnectionState::Reconnecting)) {
+    if (m_openVpnProcess || openVpnProcessIsRunning()) {
         if (!sendTermSignal()) {
             killOpenVpnProcess();
         }
         QThread::msleep(10);
-        m_managementServer.stop();
     }
+    m_managementServer.stop();
 
 #if defined(Q_OS_WIN) || defined(Q_OS_LINUX) || defined(Q_OS_MACOS)
     IpcClient::withInterface([](QSharedPointer<IpcInterfaceReplica> iface) {
         QRemoteObjectPendingReply<bool> reply = iface->disableKillSwitch();
         if (!reply.waitForFinished(1000) && !reply.returnValue()) {
-            qWarning() << "OpenVpnProtocol::stop(): Failed to disable killswitch";
+            qWarning() << "OpenVpnProtocol::cleanupResources(): Failed to disable killswitch";
         }
     });
 #endif
+}
 
-    setConnectionState(Vpn::ConnectionState::Disconnected);
+void OpenVpnProtocol::stop()
+{
+    qDebug() << "OpenVpnProtocol::stop()";
+
+    const bool wasActive = m_connectionState == Vpn::ConnectionState::Preparing
+            || m_connectionState == Vpn::ConnectionState::Connecting
+            || m_connectionState == Vpn::ConnectionState::Connected
+            || m_connectionState == Vpn::ConnectionState::Reconnecting;
+
+    if (wasActive) {
+        setConnectionState(Vpn::ConnectionState::Disconnecting);
+    }
+
+    cleanupResources();
+
+    if (wasActive || m_connectionState == Vpn::ConnectionState::Disconnecting) {
+        setConnectionState(Vpn::ConnectionState::Disconnected);
+    }
 }
 
 ErrorCode OpenVpnProtocol::prepare()
@@ -168,7 +179,7 @@ void OpenVpnProtocol::updateRouteGateway(QString line)
 
 ErrorCode OpenVpnProtocol::start()
 {
-    OpenVpnProtocol::stop();
+    cleanupResources();
 
     if (!QFileInfo::exists(configPath())) {
         setLastError(ErrorCode::OpenVpnConfigMissing);

client/core/protocols/openVpnProtocol.h

@@ -29,6 +29,7 @@ protected slots:
     void onReadyReadDataFromManagementServer();
 
 private:
+    void cleanupResources();
     QString configPath() const;
     bool openVpnProcessIsRunning() const;
     bool sendTermSignal();

client/core/repositories/secureAppSettingsRepository.cpp

@@ -426,26 +426,6 @@ void SecureAppSettingsRepository::clearSettings()
     emit settingsCleared();
 }
 
-QString SecureAppSettingsRepository::nextAvailableServerName() const
-{
-    int i = 0;
-    bool nameExist = false;
-
-    do {
-        i++;
-        nameExist = false;
-        QJsonArray servers = QJsonDocument::fromJson(value("Servers/serversList").toByteArray()).array();
-        for (const QJsonValue &server : servers) {
-            if (server.toObject().value(configKey::description).toString() == QString("Server") + " " + QString::number(i)) {
-                nameExist = true;
-                break;
-            }
-        }
-    } while (nameExist);
-
-    return QString("Server") + " " + QString::number(i);
-}
-
 void SecureAppSettingsRepository::setInstallationUuid(const QString &uuid)
 {
     m_settings->setValue("Conf/installationUuid", uuid);

client/core/repositories/secureAppSettingsRepository.h

@@ -90,8 +90,6 @@ public:
     bool restoreAppConfig(const QByteArray &cfg);
     void clearSettings();
 
-    QString nextAvailableServerName() const;
-
     QByteArray xraySavedConfigs() const;
     void setXraySavedConfigs(const QByteArray &data);
 

client/core/repositories/secureServersRepository.cpp

@@ -3,6 +3,7 @@
 #include <QJsonArray>
 #include <QJsonDocument>
 #include <QJsonValue>
+#include <QSet>
 #include <QUuid>
 
 #include "core/utils/serverConfigUtils.h"
@@ -32,6 +33,45 @@ QJsonObject embedStorageServerId(const QString &serverId, const QJsonObject &pay
     return o;
 }
 
+QString storedServerDisplayName(const SecureServersRepository *repository, const QString &serverId)
+{
+    using Kind = serverConfigUtils::ConfigType;
+    switch (repository->serverKind(serverId)) {
+    case Kind::SelfHostedAdmin:
+        if (const auto cfg = repository->selfHostedAdminConfig(serverId)) {
+            return cfg->displayName;
+        }
+        break;
+    case Kind::SelfHostedUser:
+        if (const auto cfg = repository->selfHostedUserConfig(serverId)) {
+            return cfg->displayName;
+        }
+        break;
+    case Kind::Native:
+        if (const auto cfg = repository->nativeConfig(serverId)) {
+            return cfg->displayName;
+        }
+        break;
+    case Kind::AmneziaPremiumV2:
+    case Kind::AmneziaFreeV3:
+    case Kind::ExternalPremium:
+        if (const auto cfg = repository->apiV2Config(serverId)) {
+            return cfg->displayName;
+        }
+        break;
+    case Kind::AmneziaPremiumV1:
+    case Kind::AmneziaFreeV2:
+        if (const auto cfg = repository->legacyApiConfig(serverId)) {
+            return cfg->displayName;
+        }
+        break;
+    case Kind::Invalid:
+    default:
+        break;
+    }
+    return {};
+}
+
 } // namespace
 
 SecureServersRepository::SecureServersRepository(SecureQSettings *settings, QObject *parent)
@@ -153,6 +193,28 @@ void SecureServersRepository::clearServers()
     syncToStorage();
 }
 
+QString SecureServersRepository::nextAvailableServerName() const
+{
+    QSet<QString> usedNames;
+    usedNames.reserve(m_orderedServerIds.size());
+
+    for (const QString &serverId : m_orderedServerIds) {
+        const QString displayName = storedServerDisplayName(this, serverId);
+        if (!displayName.isEmpty()) {
+            usedNames.insert(displayName);
+        }
+    }
+
+    int i = 0;
+    QString candidate;
+    do {
+        i++;
+        candidate = QStringLiteral("Server %1").arg(i);
+    } while (usedNames.contains(candidate));
+
+    return candidate;
+}
+
 QString SecureServersRepository::addServer(const QString &serverId, const QJsonObject &serverJson, serverConfigUtils::ConfigType kind)
 {
     const QString id = normalizedOrGeneratedServerId(serverId);

client/core/repositories/secureServersRepository.h

@@ -48,6 +48,8 @@ public:
 
     void clearServers();
 
+    QString nextAvailableServerName() const;
+
     void invalidateCache();
 
 signals:

client/core/utils/constants/protocolConstants.h

@@ -271,6 +271,7 @@ namespace amnezia
             constexpr char workersModeAuto[]       = "auto";
             constexpr char workersModeManual[]     = "manual";
             constexpr int  maxWorkers              = 32;
+            constexpr int  botTagHexLength         = 32;
         }
 
     } // namespace protocols

client/core/utils/containerEnum.h

@@ -15,6 +15,8 @@ namespace amnezia
             Awg2,
             WireGuard,
             OpenVpn,
+            Cloak,
+            ShadowSocks,
             Ipsec,
             Xray,
             SSXray,

client/core/utils/containers/containerUtils.cpp

@@ -21,6 +21,8 @@ QString ContainerUtils::containerToString(DockerContainer c)
 {
     if (c == DockerContainer::None)
         return "none";
+    if (c == DockerContainer::Cloak)
+        return "amnezia-openvpn-cloak";
     if (c == DockerContainer::Awg)
         return "amnezia-awg";
     if (c == DockerContainer::Awg2)
@@ -62,6 +64,8 @@ QMap<DockerContainer, QString> ContainerUtils::containerHumanNames()
 {
     return { { DockerContainer::None, "Not installed" },
              { DockerContainer::OpenVpn, "OpenVPN" },
+             { DockerContainer::ShadowSocks, "OpenVPN over SS" },
+             { DockerContainer::Cloak, "OpenVPN over Cloak" },
              { DockerContainer::WireGuard, "WireGuard" },
              { DockerContainer::Awg, "AmneziaWG" },
              { DockerContainer::Awg2, "AmneziaWG" },
@@ -83,6 +87,10 @@ QMap<DockerContainer, QString> ContainerUtils::containerDescriptions()
     return {              { DockerContainer::OpenVpn,
                QObject::tr("OpenVPN is the most popular VPN protocol, with flexible configuration options. It uses its "
                            "own security protocol with SSL/TLS for key exchange.") },
+             { DockerContainer::ShadowSocks,
+               QObject::tr("This protocol is no longer supported.") },
+             { DockerContainer::Cloak,
+               QObject::tr("This protocol is no longer supported.") },
              { DockerContainer::WireGuard,
                QObject::tr("WireGuard - popular VPN protocol with high performance, high speed and low power "
                            "consumption.") },
@@ -194,6 +202,9 @@ QMap<DockerContainer, QString> ContainerUtils::containerDetailedDescriptions()
 
 ServiceType ContainerUtils::containerService(DockerContainer c)
 {
+    if (isUnsupportedContainer(c)) {
+        return ServiceType::Vpn;
+    }
     return ProtocolUtils::protocolService(defaultProtocol(c));
 }
 
@@ -202,6 +213,8 @@ Proto ContainerUtils::defaultProtocol(DockerContainer c)
     switch (c) {
     case DockerContainer::None: return Proto::Unknown;
     case DockerContainer::OpenVpn: return Proto::OpenVpn;
+    case DockerContainer::Cloak:
+    case DockerContainer::ShadowSocks: return Proto::Unknown;
     case DockerContainer::WireGuard: return Proto::WireGuard;
     case DockerContainer::Awg2: return Proto::Awg;
     case DockerContainer::Awg: return Proto::Awg;
@@ -252,6 +265,8 @@ bool ContainerUtils::isSupportedByCurrentPlatform(DockerContainer c)
     // macOS build using Network Extension – allow OpenVPN for parity with iOS.
     switch (c) {
     case DockerContainer::OpenVpn: return true;
+    case DockerContainer::Cloak: return false;
+    case DockerContainer::ShadowSocks: return false;
     case DockerContainer::WireGuard: return true;
     case DockerContainer::Awg2: return true;
     case DockerContainer::Awg: return true;
@@ -336,6 +351,10 @@ int ContainerUtils::easySetupOrder(DockerContainer container)
 
 bool ContainerUtils::isShareable(DockerContainer container)
 {
+    if (isUnsupportedContainer(container)) {
+        return false;
+    }
+
     switch (container) {
     case DockerContainer::TorWebSite: return false;
     case DockerContainer::Dns: return false;
@@ -352,6 +371,11 @@ bool ContainerUtils::isAwgContainer(DockerContainer container)
     return container == DockerContainer::Awg || container == DockerContainer::Awg2;
 }
 
+bool ContainerUtils::isUnsupportedContainer(DockerContainer container)
+{
+    return container == DockerContainer::Cloak || container == DockerContainer::ShadowSocks;
+}
+
 QJsonObject ContainerUtils::getProtocolConfigFromContainer(const Proto protocol, const QJsonObject &containerConfig)
 {
     QString protocolConfigString = containerConfig.value(ProtocolUtils::protoToString(protocol))

client/core/utils/containers/containerUtils.h

@@ -45,6 +45,8 @@ namespace amnezia
 
         bool isAwgContainer(DockerContainer container);
 
+        bool isUnsupportedContainer(DockerContainer container);
+
         QJsonObject getProtocolConfigFromContainer(const Proto protocol, const QJsonObject &containerConfig);
 
         int installPageOrder(DockerContainer container);

client/core/utils/errorCodes.h

@@ -79,6 +79,7 @@ namespace amnezia
         ImportBackupFileUseRestoreInstead = 903,
         RestoreBackupInvalidError = 904,
         LegacyApiV1NotSupportedError = 905,
+        LegacyContainerNotSupportedError = 906,
 
         // Android errors
         AndroidError = 1000,

client/core/utils/errorStrings.cpp

@@ -69,6 +69,7 @@ QString errorString(ErrorCode code) {
     case (ErrorCode::ImportBackupFileUseRestoreInstead): errorMessage = QObject::tr("Backup files cannot be imported here. Use 'Restore from backup' instead."); break;
     case (ErrorCode::RestoreBackupInvalidError): errorMessage = QObject::tr("Backup file is corrupted or has invalid format"); break;
     case (ErrorCode::LegacyApiV1NotSupportedError): errorMessage = QObject::tr("This legacy Amnezia subscription format is no longer supported"); break;
+    case (ErrorCode::LegacyContainerNotSupportedError): errorMessage = QObject::tr("This protocol is no longer supported. Please select another protocol or remove this container from the server settings."); break;
     case (ErrorCode::ImportOpenConfigError): errorMessage = QObject::tr("Unable to open config file"); break;
     case (ErrorCode::NoInstalledContainersError): errorMessage = QObject::tr("VPN Protocols is not installed.\n Please install VPN container at first"); break;
 

client/core/utils/selfhosted/scriptsRegistry.cpp

@@ -50,6 +50,7 @@ QString amnezia::scriptName(SharedScriptType type)
     switch (type) {
     case SharedScriptType::prepare_host: return QLatin1String("prepare_host.sh");
     case SharedScriptType::install_docker: return QLatin1String("install_docker.sh");
+    case SharedScriptType::install_conntrack: return QLatin1String("install_conntrack.sh");
     case SharedScriptType::build_container: return QLatin1String("build_container.sh");
     case SharedScriptType::remove_container: return QLatin1String("remove_container.sh");
     case SharedScriptType::remove_all_containers: return QLatin1String("remove_all_containers.sh");

client/core/utils/selfhosted/scriptsRegistry.h

@@ -21,6 +21,7 @@ enum SharedScriptType {
     // General scripts
     prepare_host,
     install_docker,
+    install_conntrack,
     build_container,
     remove_container,
     remove_all_containers,

client/ios/networkextension/CMakeLists.txt

@@ -26,6 +26,8 @@ set_target_properties(networkextension PROPERTIES
     XCODE_ATTRIBUTE_TARGETED_DEVICE_FAMILY "1,2"
 
     XCODE_ATTRIBUTE_LD_RUNPATH_SEARCH_PATHS "@executable_path/../../Frameworks"
+
+    XCODE_LINK_BUILD_PHASE_MODE KNOWN_LOCATION
 )
 
 if(DEPLOY)
@@ -114,10 +116,20 @@ target_include_directories(networkextension PRIVATE ${CLIENT_ROOT_DIR})
 target_include_directories(networkextension PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 
 find_package(openvpnadapter REQUIRED)
+# FIXME(ygurov): https://github.com/conan-io/conan/issues/20034
+set_property(TARGET amnezia::openvpnadapter APPEND PROPERTY IMPORTED_CONFIGURATIONS DEBUG)
+set_property(TARGET amnezia::openvpnadapter APPEND PROPERTY IMPORTED_CONFIGURATIONS MINSIZEREL)
+set_property(TARGET amnezia::openvpnadapter APPEND PROPERTY IMPORTED_CONFIGURATIONS RELEASE)
+set_property(TARGET amnezia::openvpnadapter APPEND PROPERTY IMPORTED_CONFIGURATIONS RELWITHDEBINFO)
 target_link_libraries(networkextension PRIVATE amnezia::openvpnadapter)
 
 find_package(awg-apple REQUIRED)
 target_link_libraries(networkextension PRIVATE amnezia::awg-apple)
 
 find_package(hev-socks5-tunnel REQUIRED)
+# FIXME(ygurov): https://github.com/conan-io/conan/issues/20034
+set_property(TARGET heiher::hev-socks5-tunnel APPEND PROPERTY IMPORTED_CONFIGURATIONS DEBUG)
+set_property(TARGET heiher::hev-socks5-tunnel APPEND PROPERTY IMPORTED_CONFIGURATIONS MINSIZEREL)
+set_property(TARGET heiher::hev-socks5-tunnel APPEND PROPERTY IMPORTED_CONFIGURATIONS RELEASE)
+set_property(TARGET heiher::hev-socks5-tunnel APPEND PROPERTY IMPORTED_CONFIGURATIONS RELWITHDEBINFO)
 target_link_libraries(networkextension PRIVATE heiher::hev-socks5-tunnel)

client/server_scripts/install_conntrack.sh

@@ -0,0 +1,10 @@
+if command -v conntrack > /dev/null 2>&1; then echo "conntrack already installed"; exit 0; fi;\
+if which apt-get > /dev/null 2>&1; then pm=$(which apt-get); silent_inst="-yq install --install-recommends"; check_pkgs="-yq update"; conntrack_pkg="conntrack"; dist="debian";\
+elif which dnf > /dev/null 2>&1; then pm=$(which dnf); silent_inst="-yq install"; check_pkgs="-yq check-update"; conntrack_pkg="conntrack-tools"; dist="fedora";\
+elif which yum > /dev/null 2>&1; then pm=$(which yum); silent_inst="-y -q install"; check_pkgs="-y -q check-update"; conntrack_pkg="conntrack-tools"; dist="centos";\
+elif which zypper > /dev/null 2>&1; then pm=$(which zypper); silent_inst="-nq install"; check_pkgs="-nq refresh"; conntrack_pkg="conntrack-tools"; dist="opensuse";\
+elif which pacman > /dev/null 2>&1; then pm=$(which pacman); silent_inst="-S --noconfirm --noprogressbar --quiet"; check_pkgs="-Sup"; conntrack_pkg="conntrack-tools"; dist="archlinux";\
+else echo "Packet manager not found"; exit 0; fi;\
+if [ "$dist" = "debian" ]; then export DEBIAN_FRONTEND=noninteractive; fi;\
+sudo $pm $check_pkgs; sudo $pm $silent_inst $conntrack_pkg;\
+command -v conntrack > /dev/null 2>&1 && echo "conntrack installed" || echo "conntrack install failed"

client/server_scripts/remove_all_containers.sh

@@ -1,5 +1,6 @@
 sudo docker ps -a | grep amnezia | awk '{print $1}' | xargs sudo docker stop;\
 sudo docker ps -a | grep amnezia | awk '{print $1}' | xargs sudo docker rm -fv;\
 sudo docker images -a --format table | grep amnezia | awk '{print $3, $1 ":" $2}' | xargs sudo docker rmi;\
+sudo docker volume ls --format '{{.Name}}' | grep '^amnezia-' | xargs -r sudo docker volume rm -f;\
 sudo docker network ls | grep amnezia-dns-net | awk '{print $1}' | xargs sudo docker network rm;\
 sudo rm -frd /opt/amnezia

client/server_scripts/remove_container.sh

@@ -1,4 +1,3 @@
 sudo docker stop $CONTAINER_NAME;\
 sudo docker rm -fv $CONTAINER_NAME;\
-sudo docker rmi $CONTAINER_NAME;\
-test "$REMOVE_CONTAINER_DATA" = "1" && sudo docker volume rm -f ${CONTAINER_NAME}-data 2>/dev/null || true
+sudo docker rmi $CONTAINER_NAME;

client/server_scripts/serverScripts.qrc

@@ -18,6 +18,7 @@
         <file>dns/Dockerfile</file>
         <file>dns/run_container.sh</file>
         <file>install_docker.sh</file>
+        <file>install_conntrack.sh</file>
         <file>ipsec/configure_container.sh</file>
         <file>ipsec/Dockerfile</file>
         <file>ipsec/mobileconfig.plist</file>

client/ui/controllers/api/subscriptionUiController.cpp

@@ -475,8 +475,7 @@ bool SubscriptionUiController::deactivateExternalDevice(const QString &serverId,
 void SubscriptionUiController::validateConfig()
 {
     const QString serverId = m_serversController->getDefaultServerId();
-    if (!serverId.isEmpty() && m_serversController->isLegacyApiV1Server(serverId)) {
-        emit unsupportedConnectDrawerRequested();
+    if (serverId.isEmpty()) {
         emit configValidated(false);
         return;
     }

client/ui/controllers/connectionUiController.cpp

@@ -8,6 +8,8 @@
 
 #include "amneziaApplication.h"
 #include "core/controllers/serversController.h"
+#include "core/models/containerConfig.h"
+#include "core/utils/containerEnum.h"
 
 ConnectionUiController::ConnectionUiController(ConnectionController* connectionController,
                                                 ServersController* serversController,
@@ -33,7 +35,7 @@ void ConnectionUiController::openConnection()
     ErrorCode errorCode = m_connectionController->openConnection(serverId);
 
     if (errorCode != ErrorCode::NoError) {
-        emit connectionErrorOccurred(errorCode);
+        notifyConnectionBlocked(errorCode);
         return;
     }
 }
@@ -130,10 +132,36 @@ void ConnectionUiController::toggleConnection()
     } else if (isConnected()) {
         closeConnection();
     } else {
+        const QString serverId = m_serversController->getDefaultServerId();
+        if (serverId.isEmpty()) {
+            return;
+        }
+
+        const ErrorCode errorCode = m_connectionController->isConnectionSupported(serverId);
+        if (errorCode != ErrorCode::NoError) {
+            notifyConnectionBlocked(errorCode);
+            return;
+        }
+
         emit prepareConfig();
     }
 }
 
+void ConnectionUiController::notifyConnectionBlocked(ErrorCode errorCode)
+{
+    if (errorCode == ErrorCode::LegacyApiV1NotSupportedError) {
+        emit unsupportedConnectDrawerRequested();
+        return;
+    }
+
+    if (errorCode == ErrorCode::NoInstalledContainersError) {
+        emit noInstalledContainers();
+        return;
+    }
+
+    emit connectionErrorOccurred(errorCode);
+}
+
 bool ConnectionUiController::isConnectionInProgress() const
 {
     return m_isConnectionInProgress;
@@ -143,3 +171,32 @@ bool ConnectionUiController::isConnected() const
 {
     return m_isConnected;
 }
+
+bool ConnectionUiController::isRevokeBlockedDuringActiveConnection(const QString &serverId, int containerIndex,
+                                                                   const QString &clientId) const
+{
+    if (clientId.isEmpty() || (!isConnected() && !isConnectionInProgress())) {
+        return false;
+    }
+
+    if (m_serversController->getDefaultServerId() != serverId) {
+        return false;
+    }
+
+    if (static_cast<int>(m_serversController->getDefaultContainer(serverId)) != containerIndex) {
+        return false;
+    }
+
+    const auto adminConfig = m_serversController->selfHostedAdminConfig(serverId);
+    if (!adminConfig.has_value()) {
+        return false;
+    }
+
+    const QString connectionClientId =
+            adminConfig->containerConfig(static_cast<DockerContainer>(containerIndex)).protocolConfig.clientId();
+    if (connectionClientId.isEmpty()) {
+        return false;
+    }
+
+    return connectionClientId == clientId || connectionClientId.contains(clientId);
+}

client/ui/controllers/connectionUiController.h

@@ -35,6 +35,8 @@ public slots:
     void openConnection();
     void closeConnection();
 
+    bool isRevokeBlockedDuringActiveConnection(const QString &serverId, int containerIndex, const QString &clientId) const;
+
     ErrorCode getLastConnectionError();
     void onConnectionStateChanged(Vpn::ConnectionState state);
 
@@ -48,9 +50,12 @@ signals:
     void connectButtonClicked();
     void preparingConfig();
     void prepareConfig();
+    void unsupportedConnectDrawerRequested();
+    void noInstalledContainers();
 
 private:
     Vpn::ConnectionState getCurrentConnectionState();
+    void notifyConnectionBlocked(ErrorCode errorCode);
 
     ConnectionController* m_connectionController;
     ServersController* m_serversController;

client/ui/controllers/selfhosted/installUiController.cpp

@@ -9,6 +9,7 @@
 #include <QStandardPaths>
 #include <QFutureWatcher>
 #include <QtConcurrent>
+#include <utility>
 
 #include "core/utils/api/apiUtils.h"
 #include "core/controllers/selfhosted/installController.h"
@@ -75,13 +76,7 @@ InstallUiController::InstallUiController(InstallController *installController,
       m_connectionController(connectionController)
 {
     connect(m_installController, &InstallController::configValidated, this, &InstallUiController::configValidated);
-    connect(m_installController, &InstallController::validationErrorOccurred, this, [this](ErrorCode errorCode) {
-        if (errorCode == ErrorCode::NoInstalledContainersError) {
-            emit noInstalledContainers();
-        } else {
-            emit installationErrorOccurred(errorCode);
-        }
-    });
+    connect(m_installController, &InstallController::validationErrorOccurred, this, &InstallUiController::installationErrorOccurred);
 }
 
 InstallUiController::~InstallUiController()
@@ -217,15 +212,13 @@ void InstallUiController::scanServerForInstalledContainers(const QString &server
     emit installationErrorOccurred(errorCode);
 }
 
-void InstallUiController::updateContainer(const QString &serverId, int containerIndex, int protocolIndex, bool closePage)
+bool InstallUiController::buildContainerConfigFromModel(int containerIndex, int protocolIndex, ContainerConfig &containerConfig)
 {
     DockerContainer container = static_cast<DockerContainer>(containerIndex);
-    
     Proto protocolType = static_cast<Proto>(protocolIndex);
-    
-    ContainerConfig containerConfig;
+
     containerConfig.container = container;
-    
+
     switch (protocolType) {
     case Proto::Awg: {
         containerConfig.protocolConfig = m_awgConfigModel->getProtocolConfig();
@@ -271,6 +264,41 @@ void InstallUiController::updateContainer(const QString &serverId, int container
     }
 #endif
     default:
+        return false;
+    }
+    return true;
+}
+
+void InstallUiController::updateClientConfig(const QString &serverId, int containerIndex, int protocolIndex, bool closePage)
+{
+    DockerContainer container = static_cast<DockerContainer>(containerIndex);
+    Proto protocolType = static_cast<Proto>(protocolIndex);
+
+    ContainerConfig containerConfig;
+    if (!buildContainerConfigFromModel(containerIndex, protocolIndex, containerConfig)) {
+        return;
+    }
+
+    ErrorCode errorCode = m_installController->updateClientConfig(serverId, container, containerConfig);
+
+    if (errorCode == ErrorCode::NoError) {
+        ContainerConfig updatedConfig = m_serversController->getContainerConfig(serverId, container);
+        m_protocolModel->updateModel(updatedConfig);
+        updateProtocolConfigModel(serverId, static_cast<int>(container), static_cast<int>(protocolType));
+        emit updateContainerFinished(tr("Settings updated successfully"), closePage);
+        return;
+    }
+
+    emit installationErrorOccurred(errorCode);
+}
+
+void InstallUiController::updateServerConfig(const QString &serverId, int containerIndex, int protocolIndex, bool closePage)
+{
+    DockerContainer container = static_cast<DockerContainer>(containerIndex);
+    Proto protocolType = static_cast<Proto>(protocolIndex);
+
+    ContainerConfig containerConfig;
+    if (!buildContainerConfigFromModel(containerIndex, protocolIndex, containerConfig)) {
         return;
     }
     ContainerConfig oldContainerConfig = m_serversController->getContainerConfig(serverId, container);
@@ -305,13 +333,13 @@ void InstallUiController::updateContainer(const QString &serverId, int container
         QFuture<ErrorCode> future =
                 QtConcurrent::run([installController, serverId, container, oldConfigCopy,
                                    newConfigCopy]() mutable -> ErrorCode {
-                    return installController->updateContainer(serverId, container, oldConfigCopy, newConfigCopy);
+                    return installController->updateServerConfig(serverId, container, oldConfigCopy, newConfigCopy);
                 });
         watcher->setFuture(future);
         return;
     }
 
-    ErrorCode errorCode = m_installController->updateContainer(serverId, container, oldContainerConfig, containerConfig);
+    ErrorCode errorCode = m_installController->updateServerConfig(serverId, container, oldContainerConfig, containerConfig);
 
     if (errorCode == ErrorCode::NoError) {
         ContainerConfig updatedConfig = m_serversController->getContainerConfig(serverId, container);
@@ -332,17 +360,27 @@ void InstallUiController::setContainerEnabled(const QString &serverId, int conta
     }
 
     emit serverIsBusy(true);
-    const ErrorCode errorCode = m_installController->setDockerContainerEnabledState(serverId, container, enabled);
-    emit serverIsBusy(false);
 
-    if (errorCode == ErrorCode::NoError) {
-        const ContainerConfig currentConfig = m_serversController->getContainerConfig(serverId, container);
-        m_protocolModel->updateModel(currentConfig);
-        emit setContainerEnabledFinished(enabled);
-        return;
-    }
+    InstallController *installController = m_installController;
+    auto *watcher = new QFutureWatcher<ErrorCode>(this);
+    QObject::connect(watcher, &QFutureWatcher<ErrorCode>::finished, this,
+                     [this, watcher, serverId, container, enabled]() {
+                         const ErrorCode errorCode = watcher->result();
+                         watcher->deleteLater();
+                         emit serverIsBusy(false);
 
-    emit installationErrorOccurred(errorCode);
+                         if (errorCode == ErrorCode::NoError) {
+                             const ContainerConfig currentConfig = m_serversController->getContainerConfig(serverId, container);
+                             m_protocolModel->updateModel(currentConfig);
+                             emit setContainerEnabledFinished(enabled);
+                             return;
+                         }
+                         emit installationErrorOccurred(errorCode);
+                     });
+    QFuture<ErrorCode> future = QtConcurrent::run([installController, serverId, container, enabled]() -> ErrorCode {
+        return installController->setDockerContainerEnabledState(serverId, container, enabled);
+    });
+    watcher->setFuture(future);
 }
 
 void InstallUiController::refreshContainerStatus(const QString &serverId, int containerIndex)
@@ -352,13 +390,23 @@ void InstallUiController::refreshContainerStatus(const QString &serverId, int co
         return;
     }
 
-    int status = 3;
-    const ErrorCode errorCode = m_installController->queryDockerContainerStatus(serverId, container, status);
-    if (errorCode != ErrorCode::NoError) {
-        emit containerStatusRefreshed(3);
-        return;
-    }
-    emit containerStatusRefreshed(status);
+    using StatusResult = std::pair<int, int>; // {status, errorCode}
+    InstallController *installController = m_installController;
+    auto *watcher = new QFutureWatcher<StatusResult>(this);
+    QObject::connect(watcher, &QFutureWatcher<StatusResult>::finished, this, [this, watcher]() {
+        const StatusResult result = watcher->result();
+        watcher->deleteLater();
+        emit containerStatusRefreshed(result.first, result.second);
+    });
+    QFuture<StatusResult> future = QtConcurrent::run([installController, serverId, container]() -> StatusResult {
+        int status = 3;
+        const ErrorCode errorCode = installController->queryDockerContainerStatus(serverId, container, status);
+        if (errorCode != ErrorCode::NoError) {
+            return { 3, static_cast<int>(errorCode) };
+        }
+        return { status, static_cast<int>(ErrorCode::NoError) };
+    });
+    watcher->setFuture(future);
 }
 
 void InstallUiController::refreshContainerDiagnostics(const QString &serverId, int containerIndex, int port)
@@ -368,14 +416,27 @@ void InstallUiController::refreshContainerDiagnostics(const QString &serverId, i
         return;
     }
 
-    MtProxyContainerDiagnostics diag;
-    const ErrorCode errorCode = m_installController->queryMtProxyDiagnostics(serverId, container, port, diag);
-    if (errorCode != ErrorCode::NoError) {
-        emit containerDiagnosticsRefreshed(false, false, -1, QString(), QString());
-        return;
-    }
-    emit containerDiagnosticsRefreshed(diag.portReachable, diag.upstreamReachable, diag.clientsConnected,
-                                       diag.lastConfigRefresh, diag.statsEndpoint);
+    using DiagResult = std::pair<bool, MtProxyContainerDiagnostics>;
+    InstallController *installController = m_installController;
+    auto *watcher = new QFutureWatcher<DiagResult>(this);
+    QObject::connect(watcher, &QFutureWatcher<DiagResult>::finished, this, [this, watcher]() {
+        const DiagResult result = watcher->result();
+        watcher->deleteLater();
+        if (!result.first) {
+            emit containerDiagnosticsRefreshed(false, false, -1, QString(), QString());
+            return;
+        }
+        const MtProxyContainerDiagnostics &diag = result.second;
+        emit containerDiagnosticsRefreshed(diag.portReachable, diag.upstreamReachable, diag.clientsConnected,
+                                           diag.lastConfigRefresh, diag.statsEndpoint);
+    });
+    QFuture<DiagResult> future =
+            QtConcurrent::run([installController, serverId, container, port]() -> DiagResult {
+                MtProxyContainerDiagnostics diag;
+                const ErrorCode errorCode = installController->queryMtProxyDiagnostics(serverId, container, port, diag);
+                return { errorCode == ErrorCode::NoError, diag };
+            });
+    watcher->setFuture(future);
 }
 
 void InstallUiController::fetchContainerSecret(const QString &serverId, int containerIndex)
@@ -385,8 +446,17 @@ void InstallUiController::fetchContainerSecret(const QString &serverId, int cont
         return;
     }
 
-    const QString secret = m_installController->fetchDockerContainerSecret(serverId, container);
-    emit containerSecretFetched(secret);
+    InstallController *installController = m_installController;
+    auto *watcher = new QFutureWatcher<QString>(this);
+    QObject::connect(watcher, &QFutureWatcher<QString>::finished, this, [this, watcher]() {
+        const QString secret = watcher->result();
+        watcher->deleteLater();
+        emit containerSecretFetched(secret);
+    });
+    QFuture<QString> future = QtConcurrent::run([installController, serverId, container]() -> QString {
+        return installController->fetchDockerContainerSecret(serverId, container);
+    });
+    watcher->setFuture(future);
 }
 
 void InstallUiController::rebootServer(const QString &serverId)

client/ui/controllers/selfhosted/installUiController.h

@@ -64,7 +64,8 @@ public slots:
 
     void scanServerForInstalledContainers(const QString &serverId);
 
-    void updateContainer(const QString &serverId, int containerIndex, int protocolIndex, bool closePage = true);
+    void updateServerConfig(const QString &serverId, int containerIndex, int protocolIndex, bool closePage = true);
+    void updateClientConfig(const QString &serverId, int containerIndex, int protocolIndex, bool closePage = true);
 
     void removeServer(const QString &serverId);
     void rebootServer(const QString &serverId);
@@ -113,7 +114,7 @@ signals:
     void removeAllContainersFinished(const QString &finishedMessage);
     void removeContainerFinished(const QString &finishedMessage);
     void setContainerEnabledFinished(bool enabled);
-    void containerStatusRefreshed(int status);
+    void containerStatusRefreshed(int status, int errorCode);
     void containerDiagnosticsRefreshed(bool portReachable, bool upstreamReachable, int clientsConnected,
                                        const QString &lastConfigRefresh, const QString &statsEndpoint);
     void containerSecretFetched(const QString &secret);
@@ -132,7 +133,6 @@ signals:
     void cachedProfileCleared(const QString &message);
     void apiConfigRemoved(const QString &message);
 
-    void noInstalledContainers();
     void configValidated(bool isValid);
 
 private:
@@ -162,6 +162,8 @@ private:
     QString m_privateKeyPassphrase;
     
     void updateProtocolConfigModel(const QString &serverId, int containerIndex, int protocolIndex);
+
+    bool buildContainerConfigFromModel(int containerIndex, int protocolIndex, ContainerConfig &containerConfig);
 };
 
 #endif // INSTALLUICONTROLLER_H

client/ui/controllers/serversUiController.cpp

@@ -156,7 +156,17 @@ void ServersUiController::updateModel()
 
     m_serversModel->updateModel(m_orderedServerDescriptions, defaultServerId);
 
-    updateContainersModel();
+    if (!m_processedServerId.isEmpty()) {
+        if (isServerFromApi(m_processedServerId)) {
+            const auto &description = serverDescriptionById(m_processedServerId);
+            if (description.isApiV2 && description.isCountrySelectionAvailable
+                && !description.apiAvailableCountries.isEmpty()) {
+                emit updateApiCountryModel();
+            }
+        } else {
+            updateContainersModel();
+        }
+    }
     updateDefaultServerContainersModel();
 
     if (hadServersFromGatewayBefore != hasServersFromGatewayNow) {
@@ -350,19 +360,14 @@ void ServersUiController::setProcessedServerId(const QString &serverId)
         m_processedServerId = normalizedServerId;
 
         if (newIndex >= 0) {
-            updateContainersModel();
-
-            for (const auto &description : m_orderedServerDescriptions) {
-                if (description.serverId != normalizedServerId) {
-                    continue;
+            if (isServerFromApi(m_processedServerId)) {
+                const auto &description = serverDescriptionById(m_processedServerId);
+                if (description.isApiV2 && description.isCountrySelectionAvailable
+                    && !description.apiAvailableCountries.isEmpty()) {
+                    emit updateApiCountryModel();
                 }
-                if (description.isApiV2) {
-                    if (description.isCountrySelectionAvailable && !description.apiAvailableCountries.isEmpty()) {
-                        emit updateApiCountryModel();
-                    }
-                    emit updateApiServicesModel();
-                }
-                break;
+            } else {
+                updateContainersModel();
             }
         }
 

client/ui/controllers/serversUiController.h

@@ -113,7 +113,6 @@ signals:
     void processedContainerIndexChanged(int index);
     void hasServersFromGatewayApiChanged();
     void updateApiCountryModel();
-    void updateApiServicesModel();
 
 public:
     void updateModel();

client/ui/controllers/settingsUiController.cpp

@@ -22,12 +22,10 @@
 
 SettingsUiController::SettingsUiController(SettingsController* settingsController,
                                          ServersController* serversController,
-                                         LanguageUiController* languageUiController,
                                          QObject *parent)
     : QObject(parent),
       m_settingsController(settingsController),
-      m_serversController(serversController),
-      m_languageUiController(languageUiController)
+      m_serversController(serversController)
 {
 #ifdef Q_OS_ANDROID
     connect(AndroidController::instance(), &AndroidController::notificationStateChanged, this, &SettingsUiController::onNotificationStateChanged);
@@ -157,13 +155,13 @@ void SettingsUiController::restoreAppConfigFromData(const QByteArray &data)
 {
     ErrorCode errorCode = m_settingsController->restoreAppConfigFromData(data);
     if (errorCode == ErrorCode::NoError) {
-        emit appLanguageChanged(
-                static_cast<LanguageSettings::AvailableLanguageEnum>(m_languageUiController->getCurrentLanguageIndex()));
+        emit appLanguageChanged();
 
         bool amneziaDnsEnabled = m_settingsController->isAmneziaDnsEnabled();
         emit amneziaDnsToggled(amneziaDnsEnabled);
 
         emit restoreBackupFinished();
+        emit autoStartChanged();
         emit startMinimizedChanged();
     } else {
         emit errorOccurred(errorCode);
@@ -178,6 +176,7 @@ QString SettingsUiController::getAppVersion()
 void SettingsUiController::clearSettings()
 {
     m_settingsController->clearSettings();
+    emit autoStartChanged();
     emit startMinimizedChanged();
     emit resetLanguageToSystem();
 
@@ -206,9 +205,8 @@ bool SettingsUiController::isAutoStartEnabled()
 void SettingsUiController::toggleAutoStart(bool enable)
 {
     m_settingsController->toggleAutoStart(enable);
-    if (!enable) {
-        emit startMinimizedChanged();
-    }
+    emit autoStartChanged();
+    emit startMinimizedChanged();
 }
 
 bool SettingsUiController::isStartMinimizedEnabled()

client/ui/controllers/settingsUiController.h

@@ -5,8 +5,6 @@
 
 #include "core/controllers/settingsController.h"
 #include "core/controllers/serversController.h"
-#include "ui/controllers/languageUiController.h"
-#include "ui/models/languageModel.h"
 #include "core/utils/errorCodes.h"
 #include "core/utils/routeModes.h"
 #include "core/utils/commonStructs.h"
@@ -17,7 +15,6 @@ class SettingsUiController : public QObject
 public:
     explicit SettingsUiController(SettingsController* settingsController,
                                  ServersController* serversController,
-                                 LanguageUiController* languageUiController,
                                  QObject *parent = nullptr);
 
     Q_PROPERTY(QString primaryDns READ getPrimaryDns WRITE setPrimaryDns NOTIFY primaryDnsChanged)
@@ -32,6 +29,7 @@ public:
     Q_PROPERTY(bool isDevGatewayEnv READ isDevGatewayEnv WRITE toggleDevGatewayEnv NOTIFY devGatewayEnvChanged)
 
     Q_PROPERTY(bool isHomeAdLabelVisible READ isHomeAdLabelVisible NOTIFY isHomeAdLabelVisibleChanged)
+    Q_PROPERTY(bool autoStartEnabled READ isAutoStartEnabled NOTIFY autoStartChanged)
     Q_PROPERTY(bool startMinimized READ isStartMinimizedEnabled NOTIFY startMinimizedChanged)
 
 public slots:
@@ -122,7 +120,7 @@ signals:
 
     void loggingDisableByWatcher();
 
-    void appLanguageChanged(const LanguageSettings::AvailableLanguageEnum language);
+    void appLanguageChanged();
     void resetLanguageToSystem();
 
     void onNotificationStateChanged();
@@ -135,12 +133,12 @@ signals:
     void activityResumed();
 
     void isHomeAdLabelVisibleChanged(bool visible);
+    void autoStartChanged();
     void startMinimizedChanged();
 
 private:
     SettingsController* m_settingsController;
     ServersController* m_serversController;
-    LanguageUiController* m_languageUiController;
 };
 
 #endif

client/ui/models/api/apiAccountInfoModel.cpp

@@ -30,7 +30,7 @@ QVariant ApiAccountInfoModel::data(const QModelIndex &index, int role) const
     switch (role) {
     case SubscriptionStatusRole: {
         if (m_accountInfoData.configType == serverConfigUtils::ConfigType::AmneziaFreeV3) {
-            return tr("Active");
+            return QStringLiteral("<p><a style=\"color: #28c840;\">%1</a>").arg(tr("Active"));
         }
 
         return apiUtils::isSubscriptionExpired(m_accountInfoData.subscriptionEndDate)

client/ui/models/clientManagementModel.cpp

@@ -27,6 +27,7 @@ QVariant ClientManagementModel::data(const QModelIndex &index, int role) const
     auto userData = client.value(configKey::userData).toObject();
 
     switch (role) {
+    case ClientIdRole: return client.value(configKey::clientId).toString();
     case ClientNameRole: return userData.value(configKey::clientName).toString();
     case CreationDateRole: return userData.value(configKey::creationDate).toString();
     case LatestHandshakeRole: return userData.value(configKey::latestHandshake).toString();
@@ -62,6 +63,7 @@ void ClientManagementModel::updateClientName(int row, const QString &newName)
 QHash<int, QByteArray> ClientManagementModel::roleNames() const
 {
     QHash<int, QByteArray> roles;
+    roles[ClientIdRole] = "clientId";
     roles[ClientNameRole] = "clientName";
     roles[CreationDateRole] = "creationDate";
     roles[LatestHandshakeRole] = "latestHandshake";

client/ui/models/clientManagementModel.h

@@ -10,7 +10,8 @@ class ClientManagementModel : public QAbstractListModel
 
 public:
     enum Roles {
-        ClientNameRole = Qt::UserRole + 1,
+        ClientIdRole = Qt::UserRole + 1,
+        ClientNameRole,
         CreationDateRole,
         LatestHandshakeRole,
         DataReceivedRole,

client/ui/models/containerProps.h

@@ -23,6 +23,10 @@ public:
     Q_INVOKABLE int containerFromString(const QString &container) const {
         return static_cast<int>(amnezia::ContainerUtils::containerFromString(container));
     }
+
+    Q_INVOKABLE bool isUnsupportedContainer(int containerIndex) const {
+        return amnezia::ContainerUtils::isUnsupportedContainer(static_cast<amnezia::DockerContainer>(containerIndex));
+    }
 };
 
 #endif // CONTAINERPROPS_H

client/ui/models/containersModel.cpp

@@ -67,6 +67,7 @@ QVariant ContainersModel::data(const QModelIndex &index, int role) const
     case IsCurrentlyProcessedRole: return container == static_cast<DockerContainer>(m_processedContainerIndex);
     case IsSupportedRole: return ContainerUtils::isSupportedByCurrentPlatform(container);
     case IsShareableRole: return ContainerUtils::isShareable(container);
+    case IsUnsupportedContainerRole: return ContainerUtils::isUnsupportedContainer(container);
     case IsVpnContainerRole: return ContainerUtils::containerService(container) == ServiceType::Vpn;
     case IsServiceContainerRole: return ContainerUtils::containerService(container) == ServiceType::Other;
     case IsIpsecRole: return container == DockerContainer::Ipsec;
@@ -142,7 +143,8 @@ bool ContainersModel::hasInstalledProtocols()
 
 bool ContainersModel::isInstallationAllowed(DockerContainer container)
 {
-    return container != DockerContainer::Awg;
+    return container != DockerContainer::Awg
+           && !ContainerUtils::isUnsupportedContainer(container);
 }
 
 void ContainersModel::openContainerSettings(int containerIndex)
@@ -176,6 +178,7 @@ QHash<int, QByteArray> ContainersModel::roleNames() const
     roles[IsCurrentlyProcessedRole] = "isCurrentlyProcessed";
     roles[IsSupportedRole] = "isSupported";
     roles[IsShareableRole] = "isShareable";
+    roles[IsUnsupportedContainerRole] = "isUnsupportedContainer";
     roles[IsInstallationAllowedRole] = "isInstallationAllowed";
     roles[InstallPageOrderRole] = "installPageOrder";
     

client/ui/models/containersModel.h

@@ -39,6 +39,8 @@ public:
         IsSupportedRole,
         IsShareableRole,
 
+        IsUnsupportedContainerRole,
+
         InstallPageOrderRole,
         
         // Container type check roles

client/ui/models/services/mtProxyConfigModel.cpp

@@ -398,6 +398,9 @@ bool MtProxyConfigModel::isValidPublicHost(const QString &host) const {
         return NetworkUtilities::checkIPv4Format(t);
     }
     if (a.protocol() == QHostAddress::IPv6Protocol) {
+        if (a.isNull() || a.isLoopback() || a == QHostAddress(QHostAddress::AnyIPv6)) {
+            return false;
+        }
         return true;
     }
     static const QRegularExpression onlyAsciiDigits(QStringLiteral(R"(^\d+$)"));

client/ui/models/services/telemtConfigModel.cpp

@@ -1,7 +1,13 @@
 #include "telemtConfigModel.h"
 
-#include <QRegularExpression>
+#include "ui/models/utils/mtproxy_public_host_input.h"
 
+#include <QHostAddress>
+#include <QRegExp>
+#include <QRegularExpression>
+#include <qqml.h>
+
+#include "core/utils/networkUtilities.h"
 #include "core/utils/qrCodeUtils.h"
 #include "core/utils/constants/configKeys.h"
 #include "core/utils/constants/protocolConstants.h"
@@ -9,7 +15,9 @@
 
 using namespace amnezia;
 
-TelemtConfigModel::TelemtConfigModel(QObject *parent) : QAbstractListModel(parent) {}
+TelemtConfigModel::TelemtConfigModel(QObject *parent) : QAbstractListModel(parent) {
+    qmlRegisterType<PublicHostInputValidator>("TelemtConfig", 1, 0, "PublicHostInputValidator");
+}
 
 void TelemtConfigModel::applyDefaults(TelemtProtocolConfig &c) {
     if (c.port.isEmpty()) {
@@ -49,7 +57,11 @@ bool TelemtConfigModel::setData(const QModelIndex &index, const QVariant &value,
             break;
         }
         case Roles::TagRole: {
-            m_protocolConfig.tag = value.toString();
+            const QString tag = sanitizeMtProxyTagFieldText(value.toString());
+            if (!isValidMtProxyTag(tag)) {
+                return false;
+            }
+            m_protocolConfig.tag = tag;
             break;
         }
         case Roles::IsEnabledRole: {
@@ -57,7 +69,11 @@ bool TelemtConfigModel::setData(const QModelIndex &index, const QVariant &value,
             break;
         }
         case Roles::PublicHostRole: {
-            m_protocolConfig.publicHost = value.toString();
+            const QString h = value.toString().trimmed();
+            if (!isValidPublicHost(h)) {
+                return false;
+            }
+            m_protocolConfig.publicHost = h;
             break;
         }
         case Roles::TransportModeRole: {
@@ -65,7 +81,11 @@ bool TelemtConfigModel::setData(const QModelIndex &index, const QVariant &value,
             break;
         }
         case Roles::TlsDomainRole: {
-            m_protocolConfig.tlsDomain = value.toString();
+            const QString d = value.toString().trimmed();
+            if (!isValidFakeTlsDomain(d)) {
+                return false;
+            }
+            m_protocolConfig.tlsDomain = d;
             break;
         }
         case Roles::AdditionalSecretsRole: {
@@ -85,11 +105,19 @@ bool TelemtConfigModel::setData(const QModelIndex &index, const QVariant &value,
             break;
         }
         case Roles::NatInternalIpRole: {
-            m_protocolConfig.natInternalIp = value.toString();
+            const QString ip = value.toString().trimmed();
+            if (!isValidOptionalIpv4(ip)) {
+                return false;
+            }
+            m_protocolConfig.natInternalIp = ip;
             break;
         }
         case Roles::NatExternalIpRole: {
-            m_protocolConfig.natExternalIp = value.toString();
+            const QString ip = value.toString().trimmed();
+            if (!isValidOptionalIpv4(ip)) {
+                return false;
+            }
+            m_protocolConfig.natExternalIp = ip;
             break;
         }
         case Roles::MaskEnabledRole: {
@@ -379,6 +407,293 @@ QString TelemtConfigModel::workersModeManual() const {
     return QString::fromUtf8(protocols::telemt::workersModeManual);
 }
 
+bool TelemtConfigModel::isValidPublicHost(const QString &host) const {
+    const QString t = host.trimmed();
+    if (t.isEmpty()) {
+        return true;
+    }
+    if (t.length() > 253) {
+        return false;
+    }
+    QHostAddress a(t);
+    if (a.protocol() == QHostAddress::IPv4Protocol) {
+        return NetworkUtilities::checkIPv4Format(t);
+    }
+    if (a.protocol() == QHostAddress::IPv6Protocol) {
+        // Reject unusable special addresses such as "::" (any), loopback and null.
+        if (a.isNull() || a.isLoopback() || a == QHostAddress(QHostAddress::AnyIPv6)) {
+            return false;
+        }
+        return true;
+    }
+    static const QRegularExpression onlyAsciiDigits(QStringLiteral(R"(^\d+$)"));
+    if (onlyAsciiDigits.match(t).hasMatch()) {
+        return false;
+    }
+    return NetworkUtilities::domainRegExp().exactMatch(t);
+}
+
+bool TelemtConfigModel::isPublicHostInputAllowed(const QString &text) const {
+    return mtproxyPublicHostInputAllowed(text);
+}
+
+bool TelemtConfigModel::isPublicHostTypingIncomplete(const QString &text) const {
+    const QString t = text.trimmed();
+    if (isValidPublicHost(t)) {
+        return false;
+    }
+
+    static const QRegularExpression onlyDigitDot(QStringLiteral(R"(^[0-9.]+$)"));
+    if (onlyDigitDot.match(t).hasMatch()) {
+        if (t.endsWith(QLatin1Char('.'))) {
+            return true;
+        }
+        const QStringList parts = t.split(QLatin1Char('.'), Qt::KeepEmptyParts);
+        if (parts.size() < 4) {
+            return true;
+        }
+        for (const QString &part: parts) {
+            if (part.isEmpty()) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    if (t.contains(QLatin1Char(':'))) {
+        if (t.contains(QLatin1String(":::"))) {
+            return false;
+        }
+        if (t.endsWith(QLatin1Char(':'))) {
+            return true;
+        }
+        QHostAddress a(t);
+        if (a.protocol() == QHostAddress::IPv6Protocol) {
+            return false;
+        }
+        if (!t.contains(QLatin1String("::")) && t.count(QLatin1Char(':')) < 7 && !t.contains(QLatin1Char('.'))) {
+            return true;
+        }
+        return false;
+    }
+
+    if (!t.contains(QLatin1Char('.'))) {
+        return true;
+    }
+
+    return false;
+}
+
+bool TelemtConfigModel::isValidMtProxyTag(const QString &tag) const {
+    if (tag.isEmpty()) {
+        return true;
+    }
+    static const QRegularExpression re(
+            QStringLiteral("^([0-9a-fA-F]{%1})$").arg(protocols::telemt::botTagHexLength));
+    return re.match(tag).hasMatch();
+}
+
+bool TelemtConfigModel::isMtProxyTagTypingIncomplete(const QString &text) const {
+    const QString t = text.trimmed();
+    if (t.isEmpty()) {
+        return true;
+    }
+    static const QRegularExpression hexOnly(QStringLiteral(R"(^[0-9a-fA-F]*$)"));
+    if (!hexOnly.match(t).hasMatch()) {
+        return false;
+    }
+    return t.size() < protocols::telemt::botTagHexLength;
+}
+
+int TelemtConfigModel::mtProxyBotTagHexLength() const {
+    return protocols::telemt::botTagHexLength;
+}
+
+bool TelemtConfigModel::isValidFakeTlsDomain(const QString &domain) const {
+    const QString t = domain.trimmed();
+    if (t.isEmpty()) {
+        return true;
+    }
+    if (t.length() > 253) {
+        return false;
+    }
+    QHostAddress addr;
+    if (addr.setAddress(t)) {
+        return false;
+    }
+    static const QRegularExpression onlyAsciiDigits(QStringLiteral(R"(^\d+$)"));
+    if (onlyAsciiDigits.match(t).hasMatch()) {
+        return false;
+    }
+    QRegExp re(NetworkUtilities::domainRegExp());
+    re.setCaseSensitivity(Qt::CaseInsensitive);
+    if (!re.exactMatch(t)) {
+        return false;
+    }
+    // ee + 32 hex (base secret) + hex(UTF-8 domain); keep headroom under typical client limits.
+    if (t.toUtf8().size() > 111) {
+        return false;
+    }
+    return true;
+}
+
+QString TelemtConfigModel::normalizeFakeTlsDomainInput(const QString &input) const {
+    QString t = input.trimmed();
+    if (t.startsWith(QLatin1String("https://"), Qt::CaseInsensitive)) {
+        t = t.mid(8);
+    } else if (t.startsWith(QLatin1String("http://"), Qt::CaseInsensitive)) {
+        t = t.mid(7);
+    }
+    if (const int slash = t.indexOf(QLatin1Char('/')); slash >= 0) {
+        t = t.left(slash);
+    }
+    if (const int at = t.indexOf(QLatin1Char('@')); at >= 0) {
+        t = t.mid(at + 1);
+    }
+    if (const int colon = t.indexOf(QLatin1Char(':')); colon >= 0) {
+        t = t.left(colon);
+    }
+    if (t.startsWith(QLatin1String("www."), Qt::CaseInsensitive)) {
+        const QString rest = t.mid(4);
+        if (rest.contains(QLatin1Char('.'))) {
+            t = rest;
+        }
+    }
+    return t.trimmed();
+}
+
+bool TelemtConfigModel::isFakeTlsDomainTypingIncomplete(const QString &text) const {
+    const QString t = text.trimmed();
+    if (t.isEmpty()) {
+        return true;
+    }
+    if (isValidFakeTlsDomain(t)) {
+        return false;
+    }
+    if (t.contains(QLatin1Char('/')) || t.contains(QLatin1Char(':')) || t.contains(QLatin1Char('@'))
+        || t.contains(QLatin1Char(' '))) {
+        return false;
+    }
+    if (t.contains(QLatin1String(".."))) {
+        return false;
+    }
+    if (!t.contains(QLatin1Char('.'))) {
+        return true;
+    }
+    if (t.endsWith(QLatin1Char('.'))) {
+        return true;
+    }
+    static const QRegularExpression legalPartial(QStringLiteral(R"(^[a-zA-Z0-9.-]*$)"));
+    if (!legalPartial.match(t).hasMatch()) {
+        return false;
+    }
+    return true;
+}
+
+bool TelemtConfigModel::isFakeTlsDomainInputAllowed(const QString &text) const {
+    if (text.length() > 253) {
+        return false;
+    }
+    static const QRegularExpression re(QStringLiteral(R"(^[a-zA-Z0-9.-]*$)"));
+    return re.match(text).hasMatch();
+}
+
+QString TelemtConfigModel::sanitizeFakeTlsDomainFieldText(const QString &input) const {
+    const QString t = normalizeFakeTlsDomainInput(input);
+    QString out;
+    out.reserve(t.size());
+    for (const QChar &c: t) {
+        const ushort u = c.unicode();
+        const bool letter = (u >= 'a' && u <= 'z') || (u >= 'A' && u <= 'Z');
+        const bool digit = (u >= '0' && u <= '9');
+        if (letter || digit || u == '.' || u == '-') {
+            out.append(c);
+        }
+    }
+    if (out.size() > 253) {
+        out.truncate(253);
+    }
+    return out;
+}
+
+QString TelemtConfigModel::sanitizePublicHostFieldText(const QString &input) const {
+    QString out;
+    const int cap = qMin(input.size(), 253);
+    out.reserve(cap);
+    for (const QChar &c: input) {
+        if (out.size() >= 253) {
+            break;
+        }
+        const ushort u = c.unicode();
+        if ((u >= 'a' && u <= 'z') || (u >= 'A' && u <= 'Z') || (u >= '0' && u <= '9') || u == '.' || u == ':' ||
+            u == '-') {
+            out.append(c);
+        }
+    }
+    return out;
+}
+
+QString TelemtConfigModel::sanitizePortFieldText(const QString &input) const {
+    QString out;
+    out.reserve(qMin(input.size(), 5));
+    for (const QChar &c: input) {
+        const ushort u = c.unicode();
+        if (u >= '0' && u <= '9' && out.size() < 5) {
+            out.append(c);
+        }
+    }
+    return out;
+}
+
+QString TelemtConfigModel::sanitizeMtProxyTagFieldText(const QString &input) const {
+    QString trimmed = input.trimmed();
+    if (trimmed.startsWith(QLatin1String("0x"), Qt::CaseInsensitive)) {
+        trimmed = trimmed.mid(2).trimmed();
+    }
+    // Prefer a contiguous 32-hex run (paste from bot message with extra text).
+    static const QRegularExpression runHex(QStringLiteral(R"(([0-9a-fA-F]{32}))"));
+    const QRegularExpressionMatch m = runHex.match(trimmed);
+    if (m.hasMatch()) {
+        return m.captured(1);
+    }
+    const int cap = protocols::telemt::botTagHexLength;
+    QString out;
+    out.reserve(qMin(trimmed.size(), cap));
+    for (const QChar &c: trimmed) {
+        if (out.size() >= cap) {
+            break;
+        }
+        const ushort u = c.unicode();
+        if ((u >= '0' && u <= '9') || (u >= 'a' && u <= 'f') || (u >= 'A' && u <= 'F')) {
+            out.append(c);
+        }
+    }
+    return out;
+}
+
+QString TelemtConfigModel::sanitizeOptionalIpv4FieldText(const QString &input) const {
+    QString out;
+    out.reserve(qMin(input.size(), 15));
+    for (const QChar &c: input) {
+        if (out.size() >= 15) {
+            break;
+        }
+        const ushort u = c.unicode();
+        if ((u >= '0' && u <= '9') || u == '.') {
+            out.append(c);
+        }
+    }
+    return out;
+}
+
+bool TelemtConfigModel::isValidOptionalIpv4(const QString &ip) const {
+    const QString t = ip.trimmed();
+    if (t.isEmpty()) {
+        return true;
+    }
+    return NetworkUtilities::checkIPv4Format(t);
+}
+
 QHash<int, QByteArray> TelemtConfigModel::roleNames() const {
     QHash<int, QByteArray> roles;
 

client/ui/models/services/telemtConfigModel.h

@@ -116,12 +116,44 @@ public slots:
 
     Q_INVOKABLE QString workersModeManual() const;
 
+    Q_INVOKABLE bool isValidPublicHost(const QString &host) const;
+
+    Q_INVOKABLE bool isPublicHostInputAllowed(const QString &text) const;
+
+    Q_INVOKABLE bool isPublicHostTypingIncomplete(const QString &text) const;
+
+    Q_INVOKABLE bool isValidMtProxyTag(const QString &tag) const;
+
+    Q_INVOKABLE bool isMtProxyTagTypingIncomplete(const QString &text) const;
+
+    Q_INVOKABLE int mtProxyBotTagHexLength() const;
+
+    Q_INVOKABLE bool isValidFakeTlsDomain(const QString &domain) const;
+
+    Q_INVOKABLE bool isFakeTlsDomainTypingIncomplete(const QString &text) const;
+
+    Q_INVOKABLE bool isFakeTlsDomainInputAllowed(const QString &text) const;
+
+    Q_INVOKABLE QString sanitizeFakeTlsDomainFieldText(const QString &input) const;
+
+    Q_INVOKABLE QString sanitizePublicHostFieldText(const QString &input) const;
+
+    Q_INVOKABLE QString sanitizePortFieldText(const QString &input) const;
+
+    Q_INVOKABLE QString sanitizeMtProxyTagFieldText(const QString &input) const;
+
+    Q_INVOKABLE QString sanitizeOptionalIpv4FieldText(const QString &input) const;
+
+    Q_INVOKABLE bool isValidOptionalIpv4(const QString &ip) const;
+
 protected:
     QHash<int, QByteArray> roleNames() const override;
 
 private:
     static void applyDefaults(amnezia::TelemtProtocolConfig &c);
 
+    QString normalizeFakeTlsDomainInput(const QString &input) const;
+
     amnezia::DockerContainer m_container = amnezia::DockerContainer::None;
     QJsonObject m_fullConfig;
     amnezia::TelemtProtocolConfig m_protocolConfig;

client/ui/qml/Components/HomeContainersListView.qml

@@ -56,14 +56,17 @@ ListViewType {
                         return
                     }
 
-                    if (checked) {
-                        containersDropDown.closeTriggered()
-                        ServersUiController.setDefaultContainer(ServersUiController.defaultServerId, proxyDefaultServerContainersModel.mapToSource(index))
-                    } else {
-                        ServersUiController.processedContainerIndex = proxyDefaultServerContainersModel.mapToSource(index)
+                    var containerIndex = proxyDefaultServerContainersModel.mapToSource(index)
+
+                    if (!isInstalled) {
+                        ServersUiController.processedContainerIndex = containerIndex
                         PageController.goToPage(PageEnum.PageSetupWizardProtocolSettings)
                         containersDropDown.closeTriggered()
+                        return
                     }
+
+                    containersDropDown.closeTriggered()
+                    ServersUiController.setDefaultContainer(ServersUiController.defaultServerId, containerIndex)
                 }
 
                 MouseArea {

client/ui/qml/Components/SettingsContainersListView.qml

@@ -5,7 +5,6 @@ import QtQuick.Layouts
 import SortFilterProxyModel 0.2
 
 import PageEnum 1.0
-import ContainerProps 1.0
 
 import "../Controls2"
 import "../Controls2/TextTypes"

client/ui/qml/Controls2/ContextMenuType.qml

@@ -6,8 +6,36 @@ Menu {
 
     popupType: Popup.Native
 
-    onAboutToShow: blocker.enabled = true
-    onClosed: blocker.enabled = false
+    property Item inputBlocker: null
+
+    Component {
+        id: inputBlockerComponent
+
+        MouseArea {
+            anchors.fill: parent
+            preventStealing: true
+        }
+    }
+
+    onAboutToShow: {
+        if (!textObj || !textObj.window) {
+            return
+        }
+
+        const contentItem = textObj.window.contentItem
+        if (!inputBlocker) {
+            inputBlocker = inputBlockerComponent.createObject(contentItem)
+        } else {
+            inputBlocker.parent = contentItem
+        }
+    }
+
+    onClosed: {
+        if (inputBlocker) {
+            inputBlocker.destroy()
+            inputBlocker = null
+        }
+    }
 
     MenuItem {
         text: qsTr("C&ut")
@@ -31,11 +59,4 @@ Menu {
         enabled: textObj.length > 0
         onTriggered: textObj.selectAll()
     }
-
-    MouseArea {
-        id: blocker
-        z: 2
-        enabled: false
-        preventStealing: true
-    }
 }

client/ui/qml/Pages2/PageDeinstalling.qml

@@ -25,8 +25,8 @@ PageType {
 
         filters: [
             ValueFilter {
-                roleName: "isCurrentlyProcessed"
-                value: true
+                roleName: "serverId"
+                value: ServersUiController.processedServerId
             }
         ]
     }

client/ui/qml/Pages2/PageProtocolAwgClientSettings.qml

@@ -440,8 +440,7 @@ PageType {
                     return
                 }
 
-                PageController.goToPage(PageEnum.PageSetupWizardInstalling);
-                InstallController.updateContainer(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Awg)
+                InstallController.updateClientConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Awg)
             }
 
             var noButtonFunction = function() {}

client/ui/qml/Pages2/PageProtocolAwgSettings.qml

@@ -561,7 +561,7 @@ PageType {
                         }
 
                         PageController.goToPage(PageEnum.PageSetupWizardInstalling);
-                        InstallController.updateContainer(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Awg)
+                        InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Awg)
                     }
 
                     var noButtonFunction = function() {}

client/ui/qml/Pages2/PageProtocolOpenVpnSettings.qml

@@ -434,7 +434,7 @@ PageType {
                         }
 
                         PageController.goToPage(PageEnum.PageSetupWizardInstalling);
-                        InstallController.updateContainer(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.OpenVpn)
+                        InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.OpenVpn)
                     }
                     var noButtonFunction = function() {
                         if (!GC.isMobile()) {

client/ui/qml/Pages2/PageProtocolWireGuardClientSettings.qml

@@ -128,8 +128,7 @@ PageType {
                             return
                         }
 
-                        PageController.goToPage(PageEnum.PageSetupWizardInstalling);
-                        InstallController.updateContainer(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.WireGuard)
+                        InstallController.updateClientConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.WireGuard)
                     }
                     var noButtonFunction = function() {}
                     showQuestionDrawer(headerText, descriptionText, yesButtonText, noButtonText, yesButtonFunction, noButtonFunction)

client/ui/qml/Pages2/PageProtocolWireGuardSettings.qml

@@ -129,7 +129,7 @@ PageType {
                         }
 
                         PageController.goToPage(PageEnum.PageSetupWizardInstalling);
-                        InstallController.updateContainer(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.WireGuard)
+                        InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.WireGuard)
                     }
                     var noButtonFunction = function() {
                         if (!GC.isMobile()) {

client/ui/qml/Pages2/PageProtocolXrayFlowSettings.qml

@@ -112,7 +112,7 @@ PageType {
                     return
                 }
                 PageController.goToPage(PageEnum.PageSetupWizardInstalling)
-                InstallController.updateContainer(ServersUiController.processedIndex, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
+                InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
             }
             var noButtonFunction = function () {
                 if (typeof GC !== "undefined" && !GC.isMobile()) {

client/ui/qml/Pages2/PageProtocolXraySecuritySettings.qml

@@ -279,7 +279,7 @@ PageType {
                     return
                 }
                 PageController.goToPage(PageEnum.PageSetupWizardInstalling)
-                InstallController.updateContainer(ServersUiController.processedIndex, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
+                InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
             }
             var noButtonFunction = function () {
                 if (typeof GC !== "undefined" && !GC.isMobile()) {

client/ui/qml/Pages2/PageProtocolXraySettings.qml

@@ -17,6 +17,10 @@ import "../Components"
 PageType {
     id: root
 
+    enableTimer: false
+
+    property bool portDirty: false
+
     function formatTransport(value) {
         if (value === "raw") return "RAW (TCP)"
         if (value === "xhttp") return "XHTTP"
@@ -39,8 +43,8 @@ PageType {
         anchors.right: parent.right
         anchors.topMargin: 20 + PageController.safeAreaTopMargin
 
-        onFocusChanged: {
-            if (this.activeFocus) {
+        onActiveFocusChanged: {
+            if (backButton.enabled && backButton.activeFocus) {
                 listView.positionViewAtBeginning()
             }
         }
@@ -60,8 +64,6 @@ PageType {
         delegate: ColumnLayout {
             width: listView.width
 
-            property alias focusItemId: textFieldWithHeaderType.textField
-
             spacing: 0
 
             Text {
@@ -107,13 +109,32 @@ PageType {
                 Layout.rightMargin: 16
                 enabled: listView.enabled
                 headerText: qsTr("Port")
-                textField.text: port
+
+                Binding {
+                    target: textFieldWithHeaderType.textField
+                    property: "text"
+                    value: port
+                    when: !textFieldWithHeaderType.textField.activeFocus
+                    restoreMode: Binding.RestoreNone
+                }
+
                 textField.maximumLength: 5
                 textField.validator: IntValidator {
                     bottom: 1; top: 65535
                 }
+                textField.onActiveFocusChanged: {
+                    if (textField.activeFocus && textField.text === "" && port !== "") {
+                        textField.text = port
+                    }
+                }
+                textField.onTextChanged: {
+                    root.portDirty = (textField.text !== port)
+                }
                 textField.onEditingFinished: {
-                    if (textField.text !== port) port = textField.text
+                    if (textField.text !== port) {
+                        port = textField.text
+                    }
+                    root.portDirty = false
                 }
                 checkEmptyText: true
             }
@@ -172,9 +193,8 @@ PageType {
                 Layout.leftMargin: 16
                 Layout.rightMargin: 16
                 visible: listView.enabled
-                         && (XrayConfigModel.hasUnsavedChanges
-                             || textFieldWithHeaderType.textField.text !== port)
-                enabled: visible && textFieldWithHeaderType.errorText === ""
+                         && (XrayConfigModel.hasUnsavedChanges || root.portDirty)
+                enabled: visible && textFieldWithHeaderType.textField.text !== ""
                 text: qsTr("Save")
                 onClicked: function() {
                     forceActiveFocus()
@@ -193,7 +213,7 @@ PageType {
                         }
 
                         PageController.goToPage(PageEnum.PageSetupWizardInstalling);
-                        InstallController.updateContainer(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
+                        InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
                     }
                     var noButtonFunction = function() {
                         if (!GC.isMobile()) saveButton.forceActiveFocus()

client/ui/qml/Pages2/PageProtocolXrayTransportSettings.qml

@@ -742,7 +742,7 @@ PageType {
                     return
                 }
                 PageController.goToPage(PageEnum.PageSetupWizardInstalling)
-                InstallController.updateContainer(ServersUiController.processedIndex, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
+                InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
             }
             var noButtonFunction = function () {
                 if (typeof GC !== "undefined" && !GC.isMobile()) {

client/ui/qml/Pages2/PageProtocolXrayXPaddingBytesSettings.qml

@@ -95,7 +95,7 @@ PageType {
                     return
                 }
                 PageController.goToPage(PageEnum.PageSetupWizardInstalling)
-                InstallController.updateContainer(ServersUiController.processedIndex, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
+                InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
             }
             var noButtonFunction = function () {
                 if (typeof GC !== "undefined" && !GC.isMobile()) {

client/ui/qml/Pages2/PageProtocolXrayXPaddingSettings.qml

@@ -211,7 +211,7 @@ PageType {
                     return
                 }
                 PageController.goToPage(PageEnum.PageSetupWizardInstalling)
-                InstallController.updateContainer(ServersUiController.processedIndex, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
+                InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
             }
             var noButtonFunction = function () {
                 if (typeof GC !== "undefined" && !GC.isMobile()) {

client/ui/qml/Pages2/PageProtocolXrayXmuxSettings.qml

@@ -208,7 +208,7 @@ PageType {
                     return
                 }
                 PageController.goToPage(PageEnum.PageSetupWizardInstalling)
-                InstallController.updateContainer(ServersUiController.processedIndex, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
+                InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Xray)
             }
             var noButtonFunction = function () {
                 if (typeof GC !== "undefined" && !GC.isMobile()) {

client/ui/qml/Pages2/PageServiceMtProxySettings.qml

@@ -21,6 +21,8 @@ PageType {
     id: root
 
     property int containerStatus: 1
+    // Last status-query error code (0 = none). 305 = SshTimeoutError → server unreachable.
+    property int statusErrorCode: 0
     property bool isUpdating: false
     property bool isCheckingStatus: false
     property bool isFetchingSecret: false
@@ -179,7 +181,7 @@ PageType {
     function mtProxyScheduleUpdate(closePage) {
         var cp = closePage === undefined ? false : closePage
         Qt.callLater(function () {
-            InstallController.updateContainer(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.MtProxy, cp)
+            InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.MtProxy, cp)
         })
     }
 
@@ -261,6 +263,7 @@ PageType {
             isCheckingStatus = false
             isFetchingSecret = false
             busyIndicatorShown = false
+            statusErrorCode = 0
             PageController.disableControls(false)
             PageController.showBusyIndicator(false)
             diagLoading = false
@@ -348,13 +351,18 @@ PageType {
                 enabled ? qsTr("MTProxy started") : qsTr("MTProxy stopped"))
         }
 
-        function onContainerStatusRefreshed(status) {
+        function onContainerStatusRefreshed(status, errorCode) {
             if (!root.visible) {
                 isCheckingStatus = false
                 isFetchingSecret = false
                 return
             }
             containerStatus = status
+            root.statusErrorCode = errorCode
+            if (status === 3 && errorCode !== 0) {
+                PageController.showNotificationMessage(
+                    qsTr("Settings locked: connection timed out (error code %1). Re-open the page to retry.").arg(errorCode))
+            }
 
             root.savedTransportMode = MtProxyConfigModel.getTransportMode()
             root.savedTlsDomain = MtProxyConfigModel.getTlsDomain()
@@ -842,6 +850,8 @@ PageType {
                 width: settingsListView.width
                 spacing: 0
 
+                readonly property bool fieldsEditable: isEnabled && containerStatus === 1 && !root.pageBusy
+
                 function mtProxyActiveSecretForBaseHex(baseHex) {
                     return root.mtProxyClientSecretForTabIndex(baseHex, root.syncedSecretTabIndex,
                         root.savedTlsDomain, MtProxyConfigModel.defaultTlsDomain())
@@ -887,6 +897,21 @@ PageType {
                     }
                 }
 
+                CaptionTextType {
+                    Layout.fillWidth: true
+                    Layout.leftMargin: 16
+                    Layout.rightMargin: 16
+                    Layout.bottomMargin: 8
+                    visible: !fieldsEditable && !root.pageBusy
+                    text: (containerStatus === 1 || containerStatus === 2)
+                          ? qsTr("Enable MTProxy to edit settings")
+                          : (statusErrorCode !== 0
+                             ? qsTr("Settings locked: connection timed out (error code %1). Re-open the page to retry.").arg(statusErrorCode)
+                             : qsTr("Cannot reach the server — settings are unavailable"))
+                    color: AmneziaStyle.color.mutedGray
+                    wrapMode: Text.WordWrap
+                }
+
                 ColumnLayout {
                     Layout.fillWidth: true
                     Layout.topMargin: 16
@@ -921,6 +946,7 @@ PageType {
                             image: "qrc:/images/controls/refresh-cw.svg"
                             imageColor: AmneziaStyle.color.paleGray
                             visible: ServersUiController.isProcessedServerHasWriteAccess()
+                            enabled: fieldsEditable
                             onClicked: {
                                 var secretSnapshot = secret
                                 showQuestionDrawer(
@@ -949,6 +975,7 @@ PageType {
 
                 TextFieldWithHeaderType {
                     id: publicHostTextField
+                    enabled: fieldsEditable
                     Layout.fillWidth: true
                     Layout.leftMargin: 16
                     Layout.rightMargin: 16
@@ -1010,6 +1037,7 @@ PageType {
 
                 TextFieldWithHeaderType {
                     id: portTextField
+                    enabled: fieldsEditable
                     Layout.fillWidth: true
                     Layout.leftMargin: 16
                     Layout.rightMargin: 16
@@ -1017,6 +1045,7 @@ PageType {
                     headerText: qsTr("Server port")
                     textField.placeholderText: MtProxyConfigModel.defaultPort()
                     textField.maximumLength: 5
+                    textField.inputMethodHints: Qt.ImhDigitsOnly
                     textField.validator: IntValidator {
                         bottom: 1
                         top: 65535
@@ -1025,8 +1054,16 @@ PageType {
                         var savedPort = port
                         textField.text = (savedPort === MtProxyConfigModel.defaultPort()) ? "" : savedPort
                     }
+                    textField.onTextChanged: {
+                        var cur = portTextField.textField.text
+                        var clean = MtProxyConfigModel.sanitizePortFieldText(cur)
+                        if (clean !== cur) {
+                            textField.text = clean
+                            textField.cursorPosition = clean.length
+                        }
+                    }
                     textField.onEditingFinished: {
-                        textField.text = textField.text.replace(/^\s+|\s+$/g, '')
+                        textField.text = MtProxyConfigModel.sanitizePortFieldText(textField.text)
                     }
                 }
 
@@ -1055,6 +1092,7 @@ PageType {
 
                 TextFieldWithHeaderType {
                     id: tagTextField
+                    enabled: fieldsEditable
                     Layout.fillWidth: true
                     Layout.leftMargin: 16
                     Layout.rightMargin: 16
@@ -1138,6 +1176,7 @@ PageType {
 
                 DropDownType {
                     id: transportModeDropDown
+                    enabled: fieldsEditable
                     Layout.fillWidth: true
                     Layout.leftMargin: 16
                     Layout.rightMargin: 16
@@ -1173,6 +1212,7 @@ PageType {
 
                 TextFieldWithHeaderType {
                     id: tlsDomainTextField
+                    enabled: fieldsEditable
                     Layout.fillWidth: true
                     Layout.leftMargin: 16
                     Layout.rightMargin: 16
@@ -1180,10 +1220,22 @@ PageType {
                     visible: transportMode === "faketls"
                     headerText: qsTr("FakeTLS domain")
                     textField.placeholderText: root.previousTlsDomain
+                    textField.validator: RegularExpressionValidator {
+                        regularExpression: /^[A-Za-z0-9.-]*$/
+                    }
                     Component.onCompleted: {
                         var savedDomain = tlsDomain
                         textField.text = (savedDomain === MtProxyConfigModel.defaultTlsDomain() || savedDomain === "") ? "" : savedDomain
                     }
+                    textField.onTextChanged: {
+                        var t = tlsDomainTextField.textField.text
+                        if (t === "" || MtProxyConfigModel.isFakeTlsDomainTypingIncomplete(t)
+                            || MtProxyConfigModel.isValidFakeTlsDomain(t)) {
+                            tlsDomainTextField.errorText = ""
+                        } else {
+                            tlsDomainTextField.errorText = qsTr("Enter a valid domain name")
+                        }
+                    }
                     textField.onEditingFinished: {
                         textField.text = textField.text.replace(/^\s+|\s+$/g, '')
                         var domainValue = textField.text === "" ? MtProxyConfigModel.defaultTlsDomain() : textField.text
@@ -1243,6 +1295,7 @@ PageType {
                     Layout.fillWidth: true
                     spacing: 0
                     visible: advancedHeader.expanded
+                    enabled: fieldsEditable
 
                     CaptionTextType {
                         Layout.fillWidth: true
@@ -1560,15 +1613,41 @@ PageType {
                         headerText: qsTr("Workers count")
                         textField.placeholderText: "2"
                         textField.text: workers
-                        textField.maximumLength: 3
+                        textField.maximumLength: 2
+                        textField.inputMethodHints: Qt.ImhDigitsOnly
+                        // Range input like the port field: IntValidator bounds the value and the
+                        // clamp keeps it within 0..maxWorkers on every change (rejects 33+, neg.).
                         textField.validator: IntValidator {
-                            bottom: 1
+                            bottom: 0
                             top: MtProxyConfigModel.maxWorkers()
                         }
+                        textField.onTextChanged: {
+                            var cur = workersTextField.textField.text
+                            if (cur === "") {
+                                return
+                            }
+                            var n = parseInt(cur, 10)
+                            var maxW = MtProxyConfigModel.maxWorkers()
+                            if (isNaN(n) || n < 0) { n = 0 }
+                            if (n > maxW) { n = maxW }
+                            var clamped = String(n)
+                            if (clamped !== cur) {
+                                textField.text = clamped
+                                textField.cursorPosition = clamped.length
+                            }
+                        }
                         textField.onEditingFinished: {
-                            textField.text = textField.text.replace(/^\s+|\s+$/g, '')
-                            if (textField.text !== workers) {
-                                workers = textField.text
+                            var v = workersTextField.textField.text
+                            if (v !== "") {
+                                var m = parseInt(v, 10)
+                                var maxW2 = MtProxyConfigModel.maxWorkers()
+                                if (isNaN(m) || m < 0) { m = 0 }
+                                if (m > maxW2) { m = maxW2 }
+                                v = String(m)
+                                textField.text = v
+                            }
+                            if (v !== workers) {
+                                workers = v
                                 MtProxyConfigModel.setWorkers(workers)
                             }
                         }
@@ -1824,7 +1903,7 @@ PageType {
                     Layout.rightMargin: 16
                     Layout.leftMargin: 16
                     visible: ServersUiController.isProcessedServerHasWriteAccess()
-                    enabled: !root.mtProxyNetworkBlocked
+                    enabled: fieldsEditable && !root.mtProxyNetworkBlocked
                     text: qsTr("Save")
                     clickedFunc: function () {
                         if (root.mtProxyNetworkBlocked) {

client/ui/qml/Pages2/PageServiceSocksProxySettings.qml

@@ -285,7 +285,7 @@ PageType {
                             }
 
                             PageController.goToPage(PageEnum.PageSetupWizardInstalling)
-                            InstallController.updateContainer(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Socks5Proxy)
+                            InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Socks5Proxy)
                             tempPort = portTextField.textField.text
                             tempUsername = usernameTextField.textField.text
                             tempPassword = passwordTextField.textField.text

client/ui/qml/Pages2/PageServiceTelemtSettings.qml

@@ -8,6 +8,7 @@ import PageEnum 1.0
 import ContainerProps 1.0
 import ProtocolEnum 1.0
 import Style 1.0
+import TelemtConfig 1.0
 
 import "./"
 import "../Controls2"
@@ -19,6 +20,7 @@ PageType {
     id: root
 
     property int containerStatus: 1
+    property int statusErrorCode: 0
     property bool isUpdating: false
     property bool isCheckingStatus: false
     property bool isFetchingSecret: false
@@ -41,6 +43,35 @@ PageType {
     property string savedTlsDomain: ""
     property string savedPublicHost: ""
 
+    readonly property var natIpv4InputFormat: /^(\d{1,3}\.){0,3}\d{0,3}$/
+
+    function natIpv4FieldShowInvalidError(text) {
+        var t = text ? String(text).replace(/^\s+|\s+$/g, '') : ""
+        if (t === "")
+            return false
+        if (TelemtConfigModel.isValidOptionalIpv4(t))
+            return false
+        var parts = t.split('.')
+        var j
+        for (j = 0; j < parts.length; j++) {
+            if (parts[j].length > 3)
+                return true
+        }
+        if (parts.length > 4)
+            return true
+        if (t.indexOf('.') < 0 && t.length > 3)
+            return true
+        if (t.endsWith('.'))
+            return false
+        if (parts.length < 4)
+            return false
+        for (var i = 0; i < parts.length; i++) {
+            if (parts[i] === "")
+                return true
+        }
+        return true
+    }
+
     onSavedTransportModeChanged: {
         if (savedTransportMode === "faketls") {
             root.syncedSecretTabIndex = 1
@@ -154,7 +185,7 @@ PageType {
     function telemtScheduleUpdate(closePage) {
         var cp = closePage === undefined ? false : closePage
         Qt.callLater(function () {
-            InstallController.updateContainer(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Telemt, cp)
+            InstallController.updateServerConfig(ServersUiController.processedServerId, ServersUiController.processedContainerIndex, ProtocolEnum.Telemt, cp)
         })
     }
 
@@ -205,6 +236,7 @@ PageType {
             isCheckingStatus = false
             isFetchingSecret = false
             busyIndicatorShown = false
+            statusErrorCode = 0
             PageController.disableControls(false)
             PageController.showBusyIndicator(false)
             diagLoading = false
@@ -294,13 +326,18 @@ PageType {
                 enabled ? qsTr("Telemt started") : qsTr("Telemt stopped"))
         }
 
-        function onContainerStatusRefreshed(status) {
+        function onContainerStatusRefreshed(status, errorCode) {
             if (!root.visible) {
                 isCheckingStatus = false
                 isFetchingSecret = false
                 return
             }
             containerStatus = status
+            root.statusErrorCode = errorCode
+            if (status === 3 && errorCode !== 0) {
+                PageController.showNotificationMessage(
+                    qsTr("Settings locked: connection timed out (error code %1). Re-open the page to retry.").arg(errorCode))
+            }
 
             root.savedTransportMode = TelemtConfigModel.getTransportMode()
             root.savedTlsDomain = TelemtConfigModel.getTlsDomain()
@@ -787,6 +824,8 @@ PageType {
                 width: settingsListView.width
                 spacing: 0
 
+                readonly property bool fieldsEditable: isEnabled && containerStatus === 1 && !root.pageBusy
+
                 function telemtActiveSecretForBaseHex(baseHex) {
                     return root.telemtClientSecretForTabIndex(baseHex, root.syncedSecretTabIndex,
                         root.savedTlsDomain, TelemtConfigModel.defaultTlsDomain())
@@ -820,6 +859,21 @@ PageType {
                     }
                 }
 
+                CaptionTextType {
+                    Layout.fillWidth: true
+                    Layout.leftMargin: 16
+                    Layout.rightMargin: 16
+                    Layout.bottomMargin: 8
+                    visible: !fieldsEditable && !root.pageBusy
+                    text: (containerStatus === 1 || containerStatus === 2)
+                          ? qsTr("Enable Telemt to edit settings")
+                          : (statusErrorCode !== 0
+                             ? qsTr("Settings locked: connection timed out (error code %1). Re-open the page to retry.").arg(statusErrorCode)
+                             : qsTr("Cannot reach the server — settings are unavailable"))
+                    color: AmneziaStyle.color.mutedGray
+                    wrapMode: Text.WordWrap
+                }
+
                 ColumnLayout {
                     Layout.fillWidth: true
                     Layout.topMargin: 16
@@ -854,6 +908,7 @@ PageType {
                             image: "qrc:/images/controls/refresh-cw.svg"
                             imageColor: AmneziaStyle.color.paleGray
                             visible: ServersUiController.isProcessedServerHasWriteAccess()
+                            enabled: fieldsEditable
                             onClicked: {
                                 var secretSnapshot = secret
                                 showQuestionDrawer(
@@ -882,6 +937,7 @@ PageType {
 
                 TextFieldWithHeaderType {
                     id: publicHostTextField
+                    enabled: fieldsEditable
                     Layout.fillWidth: true
                     Layout.leftMargin: 16
                     Layout.rightMargin: 16
@@ -889,8 +945,26 @@ PageType {
                     headerText: qsTr("Public host / IP")
                     textField.placeholderText: ServersUiController.serverHostName(ServersUiController.processedServerId)
                     textField.text: publicHost
+                    textField.maximumLength: 253
+                    textField.validator: PublicHostInputValidator {
+                    }
+                    textField.onTextChanged: {
+                        var t = publicHostTextField.textField.text
+                        if (TelemtConfigModel.isPublicHostTypingIncomplete(t)) {
+                            publicHostTextField.errorText = ""
+                        } else if (!TelemtConfigModel.isValidPublicHost(t)) {
+                            publicHostTextField.errorText = qsTr("Enter a valid IP address or domain name")
+                        } else {
+                            publicHostTextField.errorText = ""
+                        }
+                    }
                     textField.onEditingFinished: {
                         textField.text = textField.text.replace(/^\s+|\s+$/g, '')
+                        if (!TelemtConfigModel.isValidPublicHost(textField.text)) {
+                            publicHostTextField.errorText = qsTr("Enter a valid IP address or domain name")
+                            return
+                        }
+                        publicHostTextField.errorText = ""
                         if (textField.text !== publicHost) {
                             publicHost = textField.text
                             TelemtConfigModel.setPublicHost(publicHost)
@@ -925,6 +999,7 @@ PageType {
 
                 TextFieldWithHeaderType {
                     id: portTextField
+                    enabled: fieldsEditable
                     Layout.fillWidth: true
                     Layout.leftMargin: 16
                     Layout.rightMargin: 16
@@ -932,6 +1007,7 @@ PageType {
                     headerText: qsTr("Server port")
                     textField.placeholderText: TelemtConfigModel.defaultPort()
                     textField.maximumLength: 5
+                    textField.inputMethodHints: Qt.ImhDigitsOnly
                     textField.validator: IntValidator {
                         bottom: 1
                         top: 65535
@@ -940,8 +1016,16 @@ PageType {
                         var savedPort = port
                         textField.text = (savedPort === TelemtConfigModel.defaultPort()) ? "" : savedPort
                     }
+                    textField.onTextChanged: {
+                        var cur = portTextField.textField.text
+                        var clean = TelemtConfigModel.sanitizePortFieldText(cur)
+                        if (clean !== cur) {
+                            textField.text = clean
+                            textField.cursorPosition = clean.length
+                        }
+                    }
                     textField.onEditingFinished: {
-                        textField.text = textField.text.replace(/^\s+|\s+$/g, '')
+                        textField.text = TelemtConfigModel.sanitizePortFieldText(textField.text)
                         var portValue = textField.text === "" ? TelemtConfigModel.defaultPort() : textField.text
                         if (portValue !== port) {
                             port = portValue
@@ -964,18 +1048,49 @@ PageType {
 
                 TextFieldWithHeaderType {
                     id: tagTextField
+                    enabled: fieldsEditable
                     Layout.fillWidth: true
                     Layout.leftMargin: 16
                     Layout.rightMargin: 16
                     Layout.bottomMargin: 16
                     headerText: qsTr("Promoted channel tag (optional)")
-                    textField.placeholderText: qsTr("leave empty if not needed")
+                    textField.placeholderText: qsTr("32 hex chars from @MTProxyBot (e.g. 3b7b2fa9…)")
                     textField.text: tag
-                    textField.maximumLength: 64
+                    textField.maximumLength: TelemtConfigModel.mtProxyBotTagHexLength()
+                    textField.onTextChanged: {
+                        var cur = tagTextField.textField.text
+                        var clean = TelemtConfigModel.sanitizeMtProxyTagFieldText(cur)
+                        if (clean !== cur) {
+                            textField.text = clean
+                            textField.cursorPosition = clean.length
+                            return
+                        }
+                        var tt = tagTextField.textField.text
+                        if (tt === "") {
+                            tagTextField.errorText = ""
+                            return
+                        }
+                        if (TelemtConfigModel.isMtProxyTagTypingIncomplete(tt)) {
+                            tagTextField.errorText = ""
+                            return
+                        }
+                        if (!TelemtConfigModel.isValidMtProxyTag(tt)) {
+                            tagTextField.errorText = qsTr("Proxy tag must be exactly 32 hexadecimal characters (0-9, A-F).")
+                            return
+                        }
+                        tagTextField.errorText = ""
+                    }
                     textField.onEditingFinished: {
-                        textField.text = textField.text.replace(/^\s+|\s+$/g, '')
-                        if (textField.text !== tag) {
-                            tag = textField.text
+                        var raw = textField.text.replace(/^\s+|\s+$/g, '')
+                        var normalized = TelemtConfigModel.sanitizeMtProxyTagFieldText(raw)
+                        textField.text = normalized
+                        if (!TelemtConfigModel.isValidMtProxyTag(normalized)) {
+                            tagTextField.errorText = qsTr("Proxy tag must be exactly 32 hexadecimal characters (0-9, A-F). Leave empty if unused.")
+                            return
+                        }
+                        tagTextField.errorText = ""
+                        if (normalized !== tag) {
+                            tag = normalized
                             TelemtConfigModel.setTag(tag)
                         }
                     }
@@ -1005,17 +1120,27 @@ PageType {
                     }
                 }
 
+                CaptionTextType {
+                    Layout.fillWidth: true
+                    Layout.leftMargin: 16
+                    Layout.rightMargin: 16
+                    Layout.topMargin: 16 * 2
+                    text: qsTr("Transport mode")
+                    color: AmneziaStyle.color.mutedGray
+                    font.pixelSize: 12
+                }
+
                 DropDownType {
                     id: transportModeDropDown
+                    enabled: fieldsEditable
                     Layout.fillWidth: true
-                    Layout.topMargin: 16 * 2
                     Layout.leftMargin: 16
                     Layout.rightMargin: 16
                     Layout.bottomMargin: 16
 
                     drawerParent: root
                     drawerHeight: 0.35
-                    descriptionText: qsTr("Transport mode")
+                    headerText: qsTr("Transport mode")
                     text: transportMode === "faketls" ? qsTr("FakeTLS") : qsTr("Standard MTProto")
 
                     listView: Component {
@@ -1043,6 +1168,7 @@ PageType {
 
                 TextFieldWithHeaderType {
                     id: tlsDomainTextField
+                    enabled: fieldsEditable
                     Layout.fillWidth: true
                     Layout.leftMargin: 16
                     Layout.rightMargin: 16
@@ -1050,13 +1176,30 @@ PageType {
                     visible: transportMode === "faketls"
                     headerText: qsTr("FakeTLS domain")
                     textField.placeholderText: root.previousTlsDomain
+                    textField.validator: RegularExpressionValidator {
+                        regularExpression: /^[A-Za-z0-9.-]*$/
+                    }
                     Component.onCompleted: {
                         var savedDomain = tlsDomain
                         textField.text = (savedDomain === TelemtConfigModel.defaultTlsDomain() || savedDomain === "") ? "" : savedDomain
                     }
+                    textField.onTextChanged: {
+                        var t = tlsDomainTextField.textField.text
+                        if (t === "" || TelemtConfigModel.isFakeTlsDomainTypingIncomplete(t)
+                            || TelemtConfigModel.isValidFakeTlsDomain(t)) {
+                            tlsDomainTextField.errorText = ""
+                        } else {
+                            tlsDomainTextField.errorText = qsTr("Enter a valid domain name")
+                        }
+                    }
                     textField.onEditingFinished: {
                         textField.text = textField.text.replace(/^\s+|\s+$/g, '')
                         var domainValue = textField.text === "" ? TelemtConfigModel.defaultTlsDomain() : textField.text
+                        if (!TelemtConfigModel.isValidFakeTlsDomain(domainValue)) {
+                            tlsDomainTextField.errorText = qsTr("Enter a valid domain name")
+                            return
+                        }
+                        tlsDomainTextField.errorText = ""
                         if (domainValue !== tlsDomain) {
                             tlsDomain = domainValue
                             TelemtConfigModel.setTlsDomain(tlsDomain)
@@ -1108,6 +1251,7 @@ PageType {
                     Layout.fillWidth: true
                     spacing: 0
                     visible: advancedHeader.expanded
+                    enabled: fieldsEditable
 
                     CaptionTextType {
                         Layout.fillWidth: true
@@ -1243,15 +1387,41 @@ PageType {
                         headerText: qsTr("Workers count")
                         textField.placeholderText: "2"
                         textField.text: workers
-                        textField.maximumLength: 3
+                        textField.maximumLength: 2
+                        textField.inputMethodHints: Qt.ImhDigitsOnly
+                        // Range input like the port field: IntValidator bounds the value and the
+                        // clamp keeps it within 0..maxWorkers on every change (rejects 33+, neg.).
                         textField.validator: IntValidator {
-                            bottom: 1
+                            bottom: 0
                             top: TelemtConfigModel.maxWorkers()
                         }
+                        textField.onTextChanged: {
+                            var cur = workersTextField.textField.text
+                            if (cur === "") {
+                                return
+                            }
+                            var n = parseInt(cur, 10)
+                            var maxW = TelemtConfigModel.maxWorkers()
+                            if (isNaN(n) || n < 0) { n = 0 }
+                            if (n > maxW) { n = maxW }
+                            var clamped = String(n)
+                            if (clamped !== cur) {
+                                textField.text = clamped
+                                textField.cursorPosition = clamped.length
+                            }
+                        }
                         textField.onEditingFinished: {
-                            textField.text = textField.text.replace(/^\s+|\s+$/g, '')
-                            if (textField.text !== workers) {
-                                workers = textField.text
+                            var v = workersTextField.textField.text
+                            if (v !== "") {
+                                var m = parseInt(v, 10)
+                                var maxW2 = TelemtConfigModel.maxWorkers()
+                                if (isNaN(m) || m < 0) { m = 0 }
+                                if (m > maxW2) { m = maxW2 }
+                                v = String(m)
+                                textField.text = v
+                            }
+                            if (v !== workers) {
+                                workers = v
                                 TelemtConfigModel.setWorkers(workers)
                             }
                         }
@@ -1288,8 +1458,24 @@ PageType {
                         headerText: qsTr("Internal IP")
                         textField.placeholderText: "172.17.0.2"
                         textField.text: natInternalIp
+                        textField.maximumLength: 15
+                        textField.validator: RegularExpressionValidator {
+                            regularExpression: root.natIpv4InputFormat
+                        }
+                        textField.onTextChanged: {
+                            if (root.natIpv4FieldShowInvalidError(textField.text)) {
+                                natInternalIpTextField.errorText = qsTr("Enter a valid IPv4 address")
+                            } else {
+                                natInternalIpTextField.errorText = ""
+                            }
+                        }
                         textField.onEditingFinished: {
                             textField.text = textField.text.replace(/^\s+|\s+$/g, '')
+                            if (!TelemtConfigModel.isValidOptionalIpv4(textField.text)) {
+                                natInternalIpTextField.errorText = qsTr("Enter a valid IPv4 address")
+                                return
+                            }
+                            natInternalIpTextField.errorText = ""
                             if (textField.text !== natInternalIp) {
                                 natInternalIp = textField.text
                                 TelemtConfigModel.setNatInternalIp(natInternalIp)
@@ -1307,8 +1493,24 @@ PageType {
                         headerText: qsTr("External IP")
                         textField.placeholderText: "1.2.3.4"
                         textField.text: natExternalIp
+                        textField.maximumLength: 15
+                        textField.validator: RegularExpressionValidator {
+                            regularExpression: root.natIpv4InputFormat
+                        }
+                        textField.onTextChanged: {
+                            if (root.natIpv4FieldShowInvalidError(textField.text)) {
+                                natExternalIpTextField.errorText = qsTr("Enter a valid IPv4 address")
+                            } else {
+                                natExternalIpTextField.errorText = ""
+                            }
+                        }
                         textField.onEditingFinished: {
                             textField.text = textField.text.replace(/^\s+|\s+$/g, '')
+                            if (!TelemtConfigModel.isValidOptionalIpv4(textField.text)) {
+                                natExternalIpTextField.errorText = qsTr("Enter a valid IPv4 address")
+                                return
+                            }
+                            natExternalIpTextField.errorText = ""
                             if (textField.text !== natExternalIp) {
                                 natExternalIp = textField.text
                                 TelemtConfigModel.setNatExternalIp(natExternalIp)
@@ -1475,6 +1677,7 @@ PageType {
                     Layout.rightMargin: 16
                     Layout.leftMargin: 16
                     visible: ServersUiController.isProcessedServerHasWriteAccess()
+                    enabled: fieldsEditable
                     text: qsTr("Save")
                     clickedFunc: function () {
                         var portValue = portTextField.textField.text === ""

client/ui/qml/Pages2/PageServiceTorWebsiteSettings.qml

@@ -100,6 +100,12 @@ PageType {
                 onLinkActivated: Qt.openUrlExternally(link)
                 textFormat: Text.RichText
                 text: qsTr("Use <a href=\"https://www.torproject.org/download/\" style=\"color: #FBB26A;\">Tor Browser</a> to open this URL.")
+
+                MouseArea {
+                    anchors.fill: parent
+                    acceptedButtons: Qt.NoButton
+                    cursorShape: parent.hoveredLink ? Qt.PointingHandCursor : Qt.ArrowCursor
+                }
             }
 
             ParagraphTextType {

client/ui/qml/Pages2/PageSettingsApiAvailableCountries.qml

@@ -30,6 +30,16 @@ PageType {
         root.isInAppPurchase = ApiAccountInfoModel.data("isInAppPurchase")
     }
 
+    function selectConnectionCountry(countryIndex, countryCode, countryName) {
+        if (countryIndex === ApiCountryModel.currentIndex) {
+            return
+        }
+
+        PageController.showBusyIndicator(true)
+        SubscriptionUiController.updateServiceFromGateway(ServersUiController.processedServerId, countryCode, countryName)
+        PageController.showBusyIndicator(false)
+    }
+
     Component.onCompleted: {
         root.updateSubscriptionState()
     }
@@ -83,7 +93,7 @@ PageType {
 
         model: ApiCountryModel
 
-        currentIndex: 0
+        currentIndex: ApiCountryModel.currentIndex
 
         ButtonGroup {
             id: containersRadioButtonGroup
@@ -204,15 +214,7 @@ PageType {
                             return
                         }
 
-                        if (index !== ApiCountryModel.currentIndex) {
-                            PageController.showBusyIndicator(true)
-                            var prevIndex = ApiCountryModel.currentIndex
-                            ApiCountryModel.currentIndex = index
-                            if (!SubscriptionUiController.updateServiceFromGateway(ServersUiController.processedServerId, countryCode, countryName)) {
-                                ApiCountryModel.currentIndex = prevIndex
-                            }
-                            PageController.showBusyIndicator(false)
-                        }
+                        root.selectConnectionCountry(index, countryCode, countryName)
                     }
 
                     Keys.onEnterPressed: {

client/ui/qml/Pages2/PageSettingsApplication.qml

@@ -108,9 +108,9 @@ PageType {
                 text: qsTr("Auto start")
                 descriptionText: qsTr("Launch the application every time the device is starts")
 
-                checked: SettingsController.isAutoStartEnabled()
+                checked: SettingsController.autoStartEnabled
                 onToggled: function() {
-                    if (checked !== SettingsController.isAutoStartEnabled()) {
+                    if (checked !== SettingsController.autoStartEnabled) {
                         SettingsController.toggleAutoStart(checked)
                     }
                 }
@@ -154,10 +154,10 @@ PageType {
                 text: qsTr("Start minimized")
                 descriptionText: qsTr("Launch application minimized (works with autostart option turned on)")
 
-                enabled: SettingsController.isAutoStartEnabled()
+                enabled: SettingsController.autoStartEnabled
                 opacity: enabled ? 1.0 : 0.5
 
-                checked: SettingsController.isAutoStartEnabled() && SettingsController.startMinimized
+                checked: SettingsController.autoStartEnabled && SettingsController.startMinimized
                 onToggled: function() {
                     if (checked !== SettingsController.startMinimized) {
                         SettingsController.toggleStartMinimized(checked)
@@ -166,7 +166,7 @@ PageType {
             }
 
             DividerType {
-                visible: !GC.isMobile()
+                visible: !GC.isMobile() && ServersUiController.hasServersFromGatewayApi
             }
 
             SwitcherType {

client/ui/qml/Pages2/PageSettingsServerData.qml

@@ -36,17 +36,6 @@ PageType {
         function onRebootServerFinished(finishedMessage) {
             PageController.showNotificationMessage(finishedMessage)
         }
-
-        function onRemoveAllContainersFinished(finishedMessage) {
-            PageController.closePage() // close deInstalling page
-            PageController.showNotificationMessage(finishedMessage)
-        }
-
-        function onRemoveContainerFinished(finishedMessage) {
-            PageController.closePage() // close deInstalling page
-            PageController.closePage() // close page with remove button
-            PageController.showNotificationMessage(finishedMessage)
-        }
     }
 
     Connections {

client/ui/qml/Pages2/PageSettingsServerProtocol.qml

@@ -17,7 +17,8 @@ import "../Components"
 PageType {
     id: root
 
-    property bool isClearCacheVisible: ServersUiController.isProcessedServerHasWriteAccess() && !ContainersModel.isServiceContainer(ServersUiController.processedContainerIndex)
+    property bool isUnsupportedContainer: ContainerProps.isUnsupportedContainer(ServersUiController.processedContainerIndex)
+    property bool isClearCacheVisible: !isUnsupportedContainer && ServersUiController.isProcessedServerHasWriteAccess() && !ContainersModel.isServiceContainer(ServersUiController.processedContainerIndex)
 
     BackButtonType {
         id: backButton
@@ -52,10 +53,11 @@ PageType {
                 Layout.bottomMargin: 32
 
                 headerText: ContainersModel.getProcessedContainerName() + qsTr(" settings")
+                descriptionText: root.isUnsupportedContainer ? qsTr("This protocol is no longer supported.") : ""
             }
         }
 
-        model: ProtocolsModel
+        model: root.isUnsupportedContainer ? null : ProtocolsModel
 
         delegate: ColumnLayout {
             id: delegateContent

client/ui/qml/Pages2/PageSetupWizardProtocols.qml

@@ -29,6 +29,10 @@ PageType {
             ValueFilter {
                 roleName: "isInstallationAllowed"
                 value: true
+            },
+            ValueFilter {
+                roleName: "isUnsupportedContainer"
+                value: false
             }
         ]
         sorters: RoleSorter {

client/ui/qml/Pages2/PageShare.qml

@@ -382,6 +382,10 @@ PageType {
                             ValueFilter {
                                 roleName: "isShareable"
                                 value: true
+                            },
+                            ValueFilter {
+                                roleName: "isUnsupportedContainer"
+                                value: false
                             }
                         ]
                     }
@@ -396,9 +400,19 @@ PageType {
                         target: serverSelector
 
                         function onServerSelectorIndexChanged() {
-                            var defaultContainer = proxyContainersModel.mapFromSource(ServersUiController.serverDefaultContainer(ServersUiController.processedServerId))
+                            if (!proxyContainersModel.count) {
+                                root.shareButtonEnabled = false
+                                return
+                            }
+
+                            var defaultContainer = proxyContainersModel.mapFromSource(
+                                        ServersUiController.serverDefaultContainer(ServersUiController.processedServerId))
+                            if (defaultContainer < 0) {
+                                defaultContainer = 0
+                            }
+
                             containerSelectorListView.selectedIndex = defaultContainer
-                            containerSelectorListView.positionViewAtIndex(selectedIndex, ListView.Beginning)
+                            containerSelectorListView.positionViewAtIndex(defaultContainer, ListView.Beginning)
                             containerSelectorListView.triggerCurrentItem()
                         }
                     }
@@ -837,11 +851,10 @@ PageType {
                                         var noButtonFunction = function() {
                                         }
 
-                                        var isActiveConfigForCurrentClient = ServersUiController.isDefaultServerCurrentlyProcessed()
-                                                && ServersUiController.serverDefaultContainer(ServersUiController.defaultServerId) === ServersUiController.processedContainerIndex
-
-                                        if ((ConnectionController.isConnectionInProgress || ConnectionController.isConnected)
-                                                && isActiveConfigForCurrentClient) {
+                                        if (ConnectionController.isRevokeBlockedDuringActiveConnection(
+                                                ServersUiController.processedServerId,
+                                                ServersUiController.processedContainerIndex,
+                                                clientId)) {
                                             PageController.showNotificationMessage("Unable to revoke current config during active connection")
                                         } else {
                                             showQuestionDrawer(headerText, descriptionText, yesButtonText, noButtonText, yesButtonFunction, noButtonFunction)

client/ui/qml/Pages2/PageShareConnection.qml

@@ -320,7 +320,7 @@ PageType {
                 Layout.rightMargin: 16
                 visible: isQrCodeVisible
                 horizontalAlignment: Text.AlignHCenter
-                text: qsTr("To read the QR code in the Amnezia app, select \"Add server\" → \"I have data to connect\" → \"QR code, key or settings file\"")
+                text: qsTr("To read the QR code in the Amnezia app, tap + in the main menu → 'QR code'")
             }
         }
     }

client/ui/qml/Pages2/PageStart.qml

@@ -105,6 +105,19 @@ PageType {
         }
     }
 
+    Connections {
+        objectName: "connectionControllerConnections"
+
+        target: ConnectionController
+
+        function onNoInstalledContainers() {
+            PageController.setTriggeredByConnectButton(true)
+
+            ServersUiController.setProcessedServerId(ServersUiController.defaultServerId)
+            PageController.goToPage(PageEnum.PageSetupWizardEasy)
+        }
+    }
+
     Connections {
         objectName: "installControllerConnections"
 
@@ -153,11 +166,19 @@ PageType {
             PageController.showNotificationMessage(finishedMessage)
         }
 
-        function onNoInstalledContainers() {
-            PageController.setTriggeredByConnectButton(true)
+        function onRemoveAllContainersFinished(finishedMessage) {
+            if (tabBarStackView.currentItem.objectName === PageController.getPagePath(PageEnum.PageDeinstalling)) {
+                PageController.closePage()
+            }
+            PageController.showNotificationMessage(finishedMessage)
+        }
 
-            ServersUiController.setProcessedServerId(ServersUiController.defaultServerId)
-            PageController.goToPage(PageEnum.PageSetupWizardEasy)
+        function onRemoveContainerFinished(finishedMessage) {
+            if (tabBarStackView.currentItem.objectName === PageController.getPagePath(PageEnum.PageDeinstalling)) {
+                PageController.closePage()
+            }
+            PageController.closePage()
+            PageController.showNotificationMessage(finishedMessage)
         }
     }
 

client/ui/qml/main2.qml

@@ -234,6 +234,8 @@ Window  {
         DrawerType2 {
             id: privateKeyPassphraseDrawer
 
+            property bool isCloseByUser: false
+
             anchors.fill: parent
             expandedHeight: root.height * 0.35 + PageController.safeAreaBottomMargin + PageController.imeHeight
 
@@ -253,6 +255,11 @@ Window  {
                     }
 
                     function onAboutToHide() {
+                        if (privateKeyPassphraseDrawer.isCloseByUser === false) {
+                            privateKeyPassphraseDrawer.isCloseByUser = true
+                            PageController.passphraseRequestDrawerClosed("")
+                        }
+
                         if (passphrase.textField.text !== "") {
                             PageController.showBusyIndicator(true)
                         }
@@ -293,6 +300,7 @@ Window  {
                     text: qsTr("Save")
 
                     clickedFunc: function() {
+                        privateKeyPassphraseDrawer.isCloseByUser = true
                         privateKeyPassphraseDrawer.closeTriggered()
                         PageController.passphraseRequestDrawerClosed(passphrase.textField.text)
                     }

cmake/platform_settings.cmake

@@ -20,8 +20,7 @@ if(CMAKE_SYSTEM_NAME STREQUAL "Android")
     set(_CONAN_INSTALL_ARGS
         "-c=tools.android:cmake_legacy_toolchain=false"
         "-c=tools.build:sharedlinkflags=['-Wl,-z,max-page-size=16384']"
-        "-c=tools.build:exelinkflags=['-Wl,-z,max-page-size=16384']"
-        "-o=openssl/*:shared=True")
+        "-c=tools.build:exelinkflags=['-Wl,-z,max-page-size=16384']")
     set(CMAKE_ANDROID_STL_TYPE "c++_shared" CACHE STRING "")
 endif()
 
@@ -29,6 +28,12 @@ if (WIN32 OR APPLE)
     set(CMAKE_INSTALL_BINDIR ".")
 endif()
 
+# Apple NE-based apps do not support any dylibs or variations
+# So Qt would use the openssl bundled with system, not application
+if (NOT(CMAKE_SYSTEM_NAME STREQUAL "iOS" OR (APPLE AND MACOS_NE)))
+    list(APPEND _CONAN_INSTALL_ARGS "-o=openssl/*:shared=True")
+endif()
+
 list(PREPEND _CONAN_INSTALL_ARGS "--build=missing")
 list(JOIN _CONAN_INSTALL_ARGS ";" _CONAN_INSTALL_ARGS_JOINED)
 set(CONAN_INSTALL_ARGS ${_CONAN_INSTALL_ARGS_JOINED} CACHE STRING "" FORCE)

recipes/openvpnadapter/conanfile.py

@@ -5,6 +5,7 @@ from conan.errors import ConanInvalidConfiguration
 from conan.tools.scm import Git
 from conan.internal.model.pkg_type import PackageType
 from conan.tools.files import chdir
+from conan.tools.apple import XCRun
 
 import os
 import shutil
@@ -49,7 +50,10 @@ class OpenVPNAdapter(ConanFile):
 
     def build(self):
         with chdir(self, self.source_folder):
-            self.run("xcrun xcodebuild"
+            xcrun = XCRun(self)
+
+            xcodebuild = xcrun.find("xcodebuild")
+            self.run(f"{xcodebuild}"
                 " -project OpenVPNAdapter.xcodeproj"
                 " -scheme OpenVPNAdapter"
                 " -configuration Release"
@@ -57,10 +61,20 @@ class OpenVPNAdapter(ConanFile):
                 f" -sdk {self._sdk}"
                 f' "CONFIGURATION_BUILD_DIR={self.build_folder}"'
                 f' "BUILT_PRODUCTS_DIR={self.build_folder}"'
+                " MACH_O_TYPE=staticlib"
                 " BUILD_LIBRARY_FOR_DISTRIBUTION=YES"
                 " CODE_SIGNING_ALLOWED=NO"
             )
 
+            openvpnadapter = os.path.join(self.build_folder, "OpenVPNAdapter.framework", "OpenVPNAdapter")
+            self.run(f"{xcrun.libtool} -static -o"
+                     f" {openvpnadapter}"
+                     f" {openvpnadapter}"
+                     f' {os.path.join(self.build_folder, "OpenVPNClient.framework", "OpenVPNClient")}'
+                     f' {os.path.join(self.build_folder, "LZ4.framework", "LZ4")}'
+                     f' {os.path.join(self.build_folder, "mbedTLS.framework", "mbedTLS")}'
+            )
+
     def package(self):
         shutil.copytree(os.path.join(self.build_folder, "OpenVPNAdapter.framework"),
                         os.path.join(self.package_folder, "OpenVPNAdapter.framework"))
@@ -70,3 +84,4 @@ class OpenVPNAdapter(ConanFile):
         self.cpp_info.type = PackageType.STATIC
         self.cpp_info.package_framework = True
         self.cpp_info.location = os.path.join(self.package_folder, "OpenVPNAdapter.framework")
+        self.cpp_info.frameworks = ["SystemConfiguration"]

service/server/CMakeLists.txt

@@ -316,12 +316,9 @@ if(CMAKE_BUILD_TYPE STREQUAL "Debug")
 endif()
 
 if(APPLE)
-    if(NOT CMAKE_BUILD_TYPE STREQUAL "Debug")
-        set_target_properties(${PROJECT} PROPERTIES
-            INSTALL_RPATH "@executable_path/../Frameworks"
-            BUILD_WITH_INSTALL_RPATH TRUE
-        )
-    endif()
+    set_target_properties(${PROJECT} PROPERTIES
+        INSTALL_RPATH "@executable_path/../Frameworks"
+    )
 
     find_library(FW_COREFOUNDATION CoreFoundation)
     find_library(FW_SYSTEMCONFIG SystemConfiguration)
@@ -428,11 +425,32 @@ endif()
 # install target
 install(TARGETS ${PROJECT}
     DESTINATION ${CMAKE_INSTALL_BINDIR}
+    RUNTIME_DEPENDENCY_SET service_deps
     COMPONENT AmneziaVPN
 )
-install(FILES $<TARGET_RUNTIME_DLLS:${PROJECT}>
-    DESTINATION ${CMAKE_INSTALL_BINDIR}
+
+if(APPLE)
+    set(RUNTIME_DEPS_DIR ${CMAKE_INSTALL_BINDIR}/../Frameworks)
+else()
+    set(RUNTIME_DEPS_DIR ${CMAKE_INSTALL_BINDIR})
+endif()
+
+install(RUNTIME_DEPENDENCY_SET service_deps
+    PRE_EXCLUDE_REGEXES
+        [[api-ms-win-.*]]
+        [[ext-ms-.*]]
+        [[kernel32\.dll]]
+        [[hvsifiletrust\.dll]]
+        [[libc\.so\..*]] [[libgcc_s\.so\..*]] [[libm\.so\..*]] [[libstdc\+\+\.so\..*]]
+        [[.*\.framework]]
+        [[^[Qq]t.*]]
+    POST_EXCLUDE_REGEXES
+        [[^.*[\\/]system32[\\/].*\.dll$]]
+        [[^/lib.*]]
+        [[^/usr/lib.*]]
+    DIRECTORIES ${CONAN_RUNTIME_LIB_DIRS}
     COMPONENT AmneziaVPN
+    DESTINATION "${RUNTIME_DEPS_DIR}"
 )
 
 qt_generate_deploy_app_script(