fix: linux reconnect, DNS rewrite, dbus async, killswitch and NM fixes

- Validate IP/CIDR values from IPC before passing to Linux firewall
- Replace shell interpolation with direct execve in firewall update functions
- Block dangerous OpenVPN/WireGuard arguments in sanitizeArguments()
- Add programId bounds check in IpcServerProcess::setProgram()
- Add SO_PEERCRED peer authentication for IPC connections on Linux

.github/workflows/deploy.yml

@@ -547,7 +547,7 @@ jobs:
 
     env:
       ANDROID_BUILD_PLATFORM: android-36
-      QT_VERSION: 6.10.1
+      QT_VERSION: 6.11.1
       QT_MODULES: 'qtremoteobjects qt5compat qtimageformats qtshadertools'
       PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
       PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}

CMakeLists.txt

@@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)
 
 set(PROJECT AmneziaVPN)
-set(AMNEZIAVPN_VERSION 4.8.15.4)
+set(AMNEZIAVPN_VERSION 4.8.19.0)
 
 project(${PROJECT} VERSION ${AMNEZIAVPN_VERSION}
         DESCRIPTION "AmneziaVPN"
@@ -12,7 +12,7 @@ string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")
 
 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2120)
+set(APP_ANDROID_VERSION_CODE 2129)
 
 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
     set(MZ_PLATFORM_NAME "linux")

client/android/src/org/amnezia/vpn/AmneziaActivity.kt

@@ -792,6 +792,16 @@ class AmneziaActivity : QtActivity() {
                             else -> type = "*/*"
                         }
                     }
+                    // Force system document picker to avoid third-party file managers
+                    // that may lack storage permissions (common on Android TV devices)
+                    val systemPickerPackage = listOf("com.google.android.documentsui", "com.android.documentsui")
+                        .firstOrNull { pkg ->
+                            try { packageManager.getPackageInfo(pkg, 0); true }
+                            catch (_: PackageManager.NameNotFoundException) { false }
+                        }
+                    if (systemPickerPackage != null) {
+                        `package` = systemPickerPackage
+                    }
                 }
             } else {
                 Intent(this@AmneziaActivity, TvFilePicker::class.java)
@@ -1064,13 +1074,11 @@ class AmneziaActivity : QtActivity() {
     @Suppress("unused")
     fun sendTouch(x: Float, y: Float) {
         Log.v(TAG, "Send touch: $x, $y")
-        blockingCall {
             findQtWindow(window.decorView)?.let {
                 Log.v(TAG, "Send touch to $it")
                 it.dispatchTouchEvent(createEvent(x, y, SystemClock.uptimeMillis(), MotionEvent.ACTION_DOWN))
                 it.dispatchTouchEvent(createEvent(x, y, SystemClock.uptimeMillis(), MotionEvent.ACTION_UP))
             }
-        }
     }
 
     private fun findQtWindow(view: View): View? {

client/core/controllers/gatewayController.cpp

@@ -18,6 +18,7 @@
 #include "amnezia_application.h"
 #include "core/api/apiUtils.h"
 #include "core/networkUtilities.h"
+#include "settings.h"
 #include "utilities.h"
 
 #ifdef AMNEZIA_DESKTOP
@@ -51,15 +52,78 @@ namespace
     constexpr QLatin1String unprocessableSubscriptionMessage("Failed to retrieve subscription information. Is it activated?");
 
     constexpr int proxyStorageRequestTimeoutMsecs = 3000;
+
+    QStringList shuffledProxyUrls(const QStringList &proxyUrls)
+    {
+        QStringList shuffled = proxyUrls;
+        std::random_device randomDevice;
+        std::mt19937 generator(randomDevice());
+        std::shuffle(shuffled.begin(), shuffled.end(), generator);
+        return shuffled;
+    }
+
+    QString getProxyUrlsCacheKey(const QString &serviceType, const QString &userCountryCode)
+    {
+        return QStringLiteral("service_%1_country_%2").arg(serviceType, userCountryCode);
+    }
+
+    bool decryptProxyUrlsPayload(const QByteArray &encryptedPayload, bool isDevEnvironment, QByteArray &decryptedPayload)
+    {
+        try {
+            QByteArray key = isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
+            if (!isDevEnvironment) {
+                QCryptographicHash hash(QCryptographicHash::Sha512);
+                hash.addData(key);
+                QByteArray h = hash.result().toHex();
+
+                QByteArray decKey = QByteArray::fromHex(h.left(64));
+                QByteArray iv = QByteArray::fromHex(h.mid(64, 32));
+                QByteArray ba = QByteArray::fromBase64(encryptedPayload);
+
+                QSimpleCrypto::QBlockCipher cipher;
+                decryptedPayload = cipher.decryptAesBlockCipher(ba, decKey, iv);
+            } else {
+                decryptedPayload = encryptedPayload;
+            }
+            return true;
+        } catch (...) {
+            Utils::logException();
+            return false;
+        }
+    }
+
+    QStringList readCachedProxyUrls(const QByteArray &cachedProxyUrlsEncrypted, bool isDevEnvironment)
+    {
+        if (cachedProxyUrlsEncrypted.isEmpty()) {
+            return {};
+        }
+
+        QByteArray cachedProxyUrlsDecrypted;
+        if (!decryptProxyUrlsPayload(cachedProxyUrlsEncrypted, isDevEnvironment, cachedProxyUrlsDecrypted)) {
+            qCritical() << "error decrypting cached proxy urls payload";
+            return {};
+        }
+
+        QJsonArray endpointsArray = QJsonDocument::fromJson(cachedProxyUrlsDecrypted).array();
+        QStringList endpoints;
+        endpoints.reserve(endpointsArray.size());
+        for (const QJsonValue &endpoint : endpointsArray) {
+            endpoints.push_back(endpoint.toString());
+        }
+
+        return endpoints;
+    }
 }
 
 GatewayController::GatewayController(const QString &gatewayEndpoint, const bool isDevEnvironment, const int requestTimeoutMsecs,
-                                     const bool isStrictKillSwitchEnabled, QObject *parent)
+                                     const bool isStrictKillSwitchEnabled, const std::shared_ptr<Settings> &settings,
+                                     QObject *parent)
     : QObject(parent),
       m_gatewayEndpoint(gatewayEndpoint),
       m_isDevEnvironment(isDevEnvironment),
       m_requestTimeoutMsecs(requestTimeoutMsecs),
-      m_isStrictKillSwitchEnabled(isStrictKillSwitchEnabled)
+      m_isStrictKillSwitchEnabled(isStrictKillSwitchEnabled),
+      m_settings(settings)
 {
 }
 
@@ -310,8 +374,9 @@ QFuture<QPair<ErrorCode, QByteArray>> GatewayController::postAsync(const QString
             QStringList proxyStorageUrls;
             appendStorageUrls(primaryBaseUrls, proxyStorageUrls);
             appendStorageUrls(fallbackBaseUrls, proxyStorageUrls);
+            const QString proxyUrlsCacheKey = getProxyUrlsCacheKey(serviceType, userCountryCode);
 
-            getProxyUrlsAsync(proxyStorageUrls, 0, [this, encRequestData, endpoint, processResponse](const QStringList &proxyUrls) {
+            getProxyUrlsAsync(proxyStorageUrls, 0, proxyUrlsCacheKey, [this, encRequestData, endpoint, processResponse](const QStringList &proxyUrls) {
                 getProxyUrlAsync(proxyUrls, 0, [this, encRequestData, endpoint, processResponse](const QString &proxyUrl) {
                     bypassProxyAsync(endpoint, proxyUrl, encRequestData,
                                      [processResponse, this](const QByteArray &decryptedBody, bool isDecryptionSuccessful,
@@ -357,8 +422,6 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
     std::shuffle(primaryBaseUrls.begin(), primaryBaseUrls.end(), generator);
     std::shuffle(fallbackBaseUrls.begin(), fallbackBaseUrls.end(), generator);
 
-    QByteArray key = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
-
     auto appendStorageUrls = [&serviceType, &userCountryCode](const QStringList &baseUrls, QStringList &target) {
         if (!serviceType.isEmpty()) {
             for (const auto &baseUrl : baseUrls) {
@@ -374,10 +437,12 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
     QStringList proxyStorageUrls;
     appendStorageUrls(primaryBaseUrls, proxyStorageUrls);
     appendStorageUrls(fallbackBaseUrls, proxyStorageUrls);
+    const QString proxyUrlsCacheKey = getProxyUrlsCacheKey(serviceType, userCountryCode);
+    const QByteArray cachedProxyUrlsEncrypted = m_settings->readGatewayProxyUrls(proxyUrlsCacheKey);
 
     if (proxyStorageUrls.empty()) {
         qDebug() << "empty storage endpoint list";
-        return {};
+        return readCachedProxyUrls(cachedProxyUrlsEncrypted, m_isDevEnvironment);
     }
 
     for (const auto &proxyStorageUrl : proxyStorageUrls) {
@@ -392,26 +457,8 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
             auto encryptedResponseBody = reply->readAll();
             reply->deleteLater();
 
-            EVP_PKEY *privateKey = nullptr;
             QByteArray responseBody;
-            try {
-                if (!m_isDevEnvironment) {
-                    QCryptographicHash hash(QCryptographicHash::Sha512);
-                    hash.addData(key);
-                    QByteArray hashResult = hash.result().toHex();
-
-                    QByteArray key = QByteArray::fromHex(hashResult.left(64));
-                    QByteArray iv = QByteArray::fromHex(hashResult.mid(64, 32));
-
-                    QByteArray ba = QByteArray::fromBase64(encryptedResponseBody);
-
-                    QSimpleCrypto::QBlockCipher blockCipher;
-                    responseBody = blockCipher.decryptAesBlockCipher(ba, key, iv);
-                } else {
-                    responseBody = encryptedResponseBody;
-                }
-            } catch (...) {
-                Utils::logException();
+            if (!decryptProxyUrlsPayload(encryptedResponseBody, m_isDevEnvironment, responseBody)) {
                 qCritical() << "error loading private key from environment variables or decrypting payload" << encryptedResponseBody;
                 continue;
             }
@@ -422,6 +469,8 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
             for (const auto &endpoint : endpointsArray) {
                 endpoints.push_back(endpoint.toString());
             }
+            m_settings->writeGatewayProxyUrls(proxyUrlsCacheKey, encryptedResponseBody);
+
             return endpoints;
         } else {
             auto replyError = reply->error();
@@ -433,7 +482,7 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
             reply->deleteLater();
         }
     }
-    return {};
+    return readCachedProxyUrls(cachedProxyUrlsEncrypted, m_isDevEnvironment);
 }
 
 bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &replyError, const QByteArray &decryptedResponseBody,
@@ -571,10 +620,12 @@ void GatewayController::bypassProxy(const QString &endpoint, const QString &serv
 }
 
 void GatewayController::getProxyUrlsAsync(const QStringList proxyStorageUrls, const int currentProxyStorageIndex,
-                                          std::function<void(const QStringList &)> onComplete)
+                                          const QString &proxyUrlsCacheKey, std::function<void(const QStringList &)> onComplete)
 {
+    const QByteArray cachedProxyUrlsEncrypted = m_settings->readGatewayProxyUrls(proxyUrlsCacheKey);
+
     if (currentProxyStorageIndex >= proxyStorageUrls.size()) {
-        onComplete({});
+        onComplete(shuffledProxyUrls(readCachedProxyUrls(cachedProxyUrlsEncrypted, m_isDevEnvironment)));
         return;
     }
 
@@ -587,33 +638,17 @@ void GatewayController::getProxyUrlsAsync(const QStringList proxyStorageUrls, co
 
     // connect(reply, &QNetworkReply::sslErrors, this, [state](const QList<QSslError> &e) { *(state->sslErrors) = e; });
 
-    connect(reply, &QNetworkReply::finished, this, [this, proxyStorageUrls, currentProxyStorageIndex, onComplete, reply]() {
+    connect(reply, &QNetworkReply::finished, this,
+            [this, proxyStorageUrls, currentProxyStorageIndex, proxyUrlsCacheKey, onComplete, reply]() {
         if (reply->error() == QNetworkReply::NoError) {
             QByteArray encrypted = reply->readAll();
             reply->deleteLater();
 
             QByteArray responseBody;
-            try {
-                QByteArray key = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
-                if (!m_isDevEnvironment) {
-                    QCryptographicHash hash(QCryptographicHash::Sha512);
-                    hash.addData(key);
-                    QByteArray h = hash.result().toHex();
-
-                    QByteArray decKey = QByteArray::fromHex(h.left(64));
-                    QByteArray iv = QByteArray::fromHex(h.mid(64, 32));
-                    QByteArray ba = QByteArray::fromBase64(encrypted);
-
-                    QSimpleCrypto::QBlockCipher cipher;
-                    responseBody = cipher.decryptAesBlockCipher(ba, decKey, iv);
-                } else {
-                    responseBody = encrypted;
-                }
-            } catch (...) {
-                Utils::logException();
+            if (!decryptProxyUrlsPayload(encrypted, m_isDevEnvironment, responseBody)) {
                 qCritical() << "error decrypting payload";
                 QMetaObject::invokeMethod(
-                        this, [=]() { getProxyUrlsAsync(proxyStorageUrls, currentProxyStorageIndex + 1, onComplete); }, Qt::QueuedConnection);
+                        this, [=]() { getProxyUrlsAsync(proxyStorageUrls, currentProxyStorageIndex + 1, proxyUrlsCacheKey, onComplete); }, Qt::QueuedConnection);
                 return;
             }
 
@@ -621,13 +656,9 @@ void GatewayController::getProxyUrlsAsync(const QStringList proxyStorageUrls, co
             QStringList endpoints;
             for (const QJsonValue &endpoint : endpointsArray)
                 endpoints.push_back(endpoint.toString());
+            m_settings->writeGatewayProxyUrls(proxyUrlsCacheKey, encrypted);
 
-            QStringList shuffled = endpoints;
-            std::random_device randomDevice;
-            std::mt19937 generator(randomDevice());
-            std::shuffle(shuffled.begin(), shuffled.end(), generator);
-
-            onComplete(shuffled);
+            onComplete(shuffledProxyUrls(endpoints));
             return;
         }
 
@@ -636,7 +667,7 @@ void GatewayController::getProxyUrlsAsync(const QStringList proxyStorageUrls, co
         qDebug() << "go to the next storage endpoint";
         reply->deleteLater();
         QMetaObject::invokeMethod(
-                this, [=]() { getProxyUrlsAsync(proxyStorageUrls, currentProxyStorageIndex + 1, onComplete); }, Qt::QueuedConnection);
+                this, [=]() { getProxyUrlsAsync(proxyStorageUrls, currentProxyStorageIndex + 1, proxyUrlsCacheKey, onComplete); }, Qt::QueuedConnection);
     });
 }
 

client/core/controllers/gatewayController.h

@@ -7,6 +7,9 @@
 #include <QPair>
 #include <QPromise>
 #include <QSharedPointer>
+#include <QString>
+#include <QStringList>
+#include <memory>
 
 #include "core/defs.h"
 
@@ -14,13 +17,16 @@
     #include "platforms/ios/ios_controller.h"
 #endif
 
+class Settings;
+
 class GatewayController : public QObject
 {
     Q_OBJECT
 
 public:
     explicit GatewayController(const QString &gatewayEndpoint, const bool isDevEnvironment, const int requestTimeoutMsecs,
-                               const bool isStrictKillSwitchEnabled, QObject *parent = nullptr);
+                               const bool isStrictKillSwitchEnabled, const std::shared_ptr<Settings> &settings,
+                               QObject *parent = nullptr);
 
     amnezia::ErrorCode post(const QString &endpoint, const QJsonObject apiPayload, QByteArray &responseBody);
     QFuture<QPair<amnezia::ErrorCode, QByteArray>> postAsync(const QString &endpoint, const QJsonObject apiPayload);
@@ -53,7 +59,7 @@ private:
                      std::function<bool(QNetworkReply *reply, const QList<QSslError> &sslErrors)> replyProcessingFunction);
 
     void getProxyUrlsAsync(const QStringList proxyStorageUrls, const int currentProxyStorageIndex,
-                           std::function<void(const QStringList &)> onComplete);
+                           const QString &proxyUrlsCacheKey, std::function<void(const QStringList &)> onComplete);
     void getProxyUrlAsync(const QStringList proxyUrls, const int currentProxyIndex, std::function<void(const QString &)> onComplete);
     void bypassProxyAsync(
             const QString &endpoint, const QString &proxyUrl, EncryptedRequestData encRequestData,
@@ -63,6 +69,7 @@ private:
     QString m_gatewayEndpoint;
     bool m_isDevEnvironment = false;
     bool m_isStrictKillSwitchEnabled = false;
+    std::shared_ptr<Settings> m_settings;
 
     inline static QString m_proxyUrl;
 };

client/core/networkUtilities.cpp

@@ -292,7 +292,7 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
     return { resGateway, QNetworkInterface::interfaceFromIndex(resIndex) };
 #endif
 #ifdef Q_OS_LINUX
-    constexpr int BUFFER_SIZE = 100;
+    constexpr int BUFFER_SIZE = 8192;
     int     received_bytes = 0, msg_len = 0, route_attribute_len = 0;
     int     sock = -1, msgseq = 0;
     struct  nlmsghdr *nlh, *nlmsg;
@@ -300,7 +300,7 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
     // This struct contain route attributes (route type)
     struct  rtattr *route_attribute;
     char    gateway_address[INET_ADDRSTRLEN], interface[IF_NAMESIZE];
-    char    msgbuf[BUFFER_SIZE], buffer[BUFFER_SIZE];
+    char    msgbuf[100], buffer[BUFFER_SIZE];
     char    *ptr = buffer;
     struct timeval tv;
 
@@ -345,8 +345,8 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
         nlh = (struct nlmsghdr *) ptr;
 
         /* Check if the header is valid */
-        if((NLMSG_OK(nlmsg, received_bytes) == 0) ||
-            (nlmsg->nlmsg_type == NLMSG_ERROR))
+        if((NLMSG_OK(nlh, received_bytes) == 0) ||
+            (nlh->nlmsg_type == NLMSG_ERROR))
         {
             perror("Error in received packet");
             return {};
@@ -361,13 +361,15 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
         }
 
         /* Break if its not a multi part message */
-        if ((nlmsg->nlmsg_flags & NLM_F_MULTI) == 0)
+        if ((nlh->nlmsg_flags & NLM_F_MULTI) == 0)
             break;
     }
-    while ((nlmsg->nlmsg_seq != msgseq) || (nlmsg->nlmsg_pid != getpid()));
+    while ((nlh->nlmsg_seq != msgseq) || (nlh->nlmsg_pid != getpid()));
 
     /* parse response */
-    for ( ; NLMSG_OK(nlh, received_bytes); nlh = NLMSG_NEXT(nlh, received_bytes))
+    int remaining = msg_len + received_bytes;
+    nlh = (struct nlmsghdr *) buffer;
+    for ( ; NLMSG_OK(nlh, remaining); nlh = NLMSG_NEXT(nlh, remaining))
     {
         /* Get the route data */
         route_entry = (struct rtmsg *) NLMSG_DATA(nlh);
@@ -376,6 +378,10 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
         if (route_entry->rtm_table != RT_TABLE_MAIN)
             continue;
 
+        /* Reset per-route to avoid cross-route state pollution */
+        memset(gateway_address, 0, sizeof(gateway_address));
+        memset(interface, 0, sizeof(interface));
+
         route_attribute = (struct rtattr *) RTM_RTA(route_entry);
         route_attribute_len = RTM_PAYLOAD(nlh);
 
@@ -401,6 +407,8 @@ QPair<QString, QNetworkInterface> NetworkUtilities::getGatewayAndIface()
             break;
         }
     }
+    if (!(*gateway_address) || !(*interface))
+        qDebug() << "getGatewayAndIface: no gateway found";
     close(sock);
     return { gateway_address, QNetworkInterface::interfaceFromName(interface) };
 #endif

client/daemon/daemon.cpp

@@ -390,55 +390,55 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {
 
   config.m_killSwitchEnabled = QVariant(obj.value("killSwitchOption").toString()).toBool();
 
-  if (!obj.value("Jc").isNull()) {
-    config.m_junkPacketCount = obj.value("Jc").toString();
+  if (const auto jc = obj.value("Jc"); !jc.isUndefined()) {
+    config.m_junkPacketCount = jc.toString();
   }
-  if (!obj.value("Jmin").isNull()) {
-    config.m_junkPacketMinSize = obj.value("Jmin").toString();
+  if (const auto jmin = obj.value("Jmin"); !jmin.isUndefined()) {
+    config.m_junkPacketMinSize = jmin.toString();
   }
-  if (!obj.value("Jmax").isNull()) {
-    config.m_junkPacketMaxSize = obj.value("Jmax").toString();
+  if (const auto jmax = obj.value("Jmax"); !jmax.isUndefined()) {
+    config.m_junkPacketMaxSize = jmax.toString();
   }
-  if (!obj.value("S1").isNull()) {
-    config.m_initPacketJunkSize = obj.value("S1").toString();
+  if (const auto s1 = obj.value("S1"); !s1.isUndefined()) {
+    config.m_initPacketJunkSize = s1.toString();
   }
-  if (!obj.value("S2").isNull()) {
-    config.m_responsePacketJunkSize = obj.value("S2").toString();
+  if (const auto s2 = obj.value("S2"); !s2.isUndefined()) {
+    config.m_responsePacketJunkSize = s2.toString();
   }
-  if (!obj.value("S3").isNull()) {
-    config.m_cookieReplyPacketJunkSize = obj.value("S3").toString();
+  if (const auto s3 = obj.value("S3"); !s3.isUndefined()) {
+    config.m_cookieReplyPacketJunkSize = s3.toString();
   }
-  if (!obj.value("S4").isNull()) {
-    config.m_transportPacketJunkSize = obj.value("S4").toString();
+  if (const auto s4 = obj.value("S4"); !s4.isUndefined()) {
+    config.m_transportPacketJunkSize = s4.toString();
   }
 
-  if (!obj.value("H1").isNull()) {
-    config.m_initPacketMagicHeader = obj.value("H1").toString();
+  if (const auto h1 = obj.value("H1"); !h1.isUndefined()) {
+    config.m_initPacketMagicHeader = h1.toString();
   }
-  if (!obj.value("H2").isNull()) {
-    config.m_responsePacketMagicHeader = obj.value("H2").toString();
+  if (const auto h2 = obj.value("H2"); !h2.isUndefined()) {
+    config.m_responsePacketMagicHeader = h2.toString();
   }
-  if (!obj.value("H3").isNull()) {
-    config.m_underloadPacketMagicHeader = obj.value("H3").toString();
+  if (const auto h3 = obj.value("H3"); !h3.isUndefined()) {
+    config.m_underloadPacketMagicHeader = h3.toString();
   }
-  if (!obj.value("H4").isNull()) {
-    config.m_transportPacketMagicHeader = obj.value("H4").toString();
+  if (const auto h4 = obj.value("H4"); !h4.isUndefined()) {
+    config.m_transportPacketMagicHeader = h4.toString();
   }
 
-  if (!obj.value("I1").isNull()) {
-    config.m_specialJunk["I1"] = obj.value("I1").toString();
+  if (const auto i1 = obj.value("I1"); !i1.isUndefined()) {
+    config.m_specialJunk["I1"] = i1.toString();
   }
-  if (!obj.value("I2").isNull()) {
-    config.m_specialJunk["I2"] = obj.value("I2").toString();
+  if (const auto i2 = obj.value("I2"); !i2.isUndefined()) {
+    config.m_specialJunk["I2"] = i2.toString();
   }
-  if (!obj.value("I3").isNull()) {
-    config.m_specialJunk["I3"] = obj.value("I3").toString();
+  if (const auto i3 = obj.value("I3"); !i3.isUndefined()) {
+    config.m_specialJunk["I3"] = i3.toString();
   }
-  if (!obj.value("I4").isNull()) {
-    config.m_specialJunk["I4"] = obj.value("I4").toString();
+  if (const auto i4 = obj.value("I4"); !i4.isUndefined()) {
+    config.m_specialJunk["I4"] = i4.toString();
   }
-  if (!obj.value("I5").isNull()) {
-    config.m_specialJunk["I5"] = obj.value("I5").toString();
+  if (const auto i5 = obj.value("I5"); !i5.isUndefined()) {
+    config.m_specialJunk["I5"] = i5.toString();
   }
 
   return true;
@@ -613,7 +613,7 @@ void Daemon::checkHandshake() {
       pendingHandshakes++;
     }
   }
-
+  
   // Check again if there were connections that haven't completed a handshake.
   if (pendingHandshakes > 0) {
     m_handshakeTimer.start(HANDSHAKE_POLL_MSEC);

client/platforms/linux/daemon/dnsutilslinux.cpp

@@ -7,8 +7,11 @@
 #include <net/if.h>
 
 #include <QDBusVariant>
+#include <QNetworkInterface>
+#include <QTimer>
 #include <QtDBus/QtDBus>
 
+#include "core/networkUtilities.h"
 #include "leakdetector.h"
 #include "logger.h"
 
@@ -27,24 +30,56 @@ DnsUtilsLinux::DnsUtilsLinux(QObject* parent) : DnsUtils(parent) {
   logger.debug() << "DnsUtilsLinux created.";
 
   QDBusConnection conn = QDBusConnection::systemBus();
-  m_resolver = new QDBusInterface(DBUS_RESOLVE_SERVICE, DBUS_RESOLVE_PATH,
-                                  DBUS_RESOLVE_MANAGER, conn, this);
+  auto* watcher = new QDBusServiceWatcher(
+      DBUS_RESOLVE_SERVICE, conn,
+      QDBusServiceWatcher::WatchForRegistration |
+      QDBusServiceWatcher::WatchForUnregistration, this);
+
+  connect(watcher, &QDBusServiceWatcher::serviceRegistered,
+          this, &DnsUtilsLinux::onResolverRegistered);
+  connect(watcher, &QDBusServiceWatcher::serviceUnregistered,
+          this, &DnsUtilsLinux::onResolverUnregistered);
+
+  if (conn.interface()->isServiceRegistered(DBUS_RESOLVE_SERVICE)) {
+    onResolverRegistered();
+  }
+}
+
+void DnsUtilsLinux::onResolverRegistered() {
+  m_resolver.reset(new QDBusInterface(DBUS_RESOLVE_SERVICE, DBUS_RESOLVE_PATH,
+                                      DBUS_RESOLVE_MANAGER,
+                                      QDBusConnection::systemBus()));
+  logger.debug() << "systemd-resolved available, DNS resolver initialized";
+
+  if (!m_pendingIfname.isEmpty()) {
+    logger.debug() << "Re-applying DNS configuration for" << m_pendingIfname;
+    updateResolvers(m_pendingIfname, m_pendingResolvers);
+  }
+}
+
+void DnsUtilsLinux::onResolverUnregistered() {
+  logger.debug() << "systemd-resolved disappeared, dropping DNS resolver";
+  m_resolver.reset();
 }
 
 DnsUtilsLinux::~DnsUtilsLinux() {
   MZ_COUNT_DTOR(DnsUtilsLinux);
 
-  for (auto iterator = m_linkDomains.constBegin();
-       iterator != m_linkDomains.constEnd(); ++iterator) {
-    QList<QVariant> argumentList;
-    argumentList << QVariant::fromValue(iterator.key());
-    argumentList << QVariant::fromValue(iterator.value());
-    m_resolver->asyncCallWithArgumentList(QStringLiteral("SetLinkDomains"),
-                                          argumentList);
-  }
+  if (m_resolver) {
+    if (m_gatewayIfindex > 0)
+      setLinkDefaultRoute(m_gatewayIfindex, true);
 
-  if (m_ifindex > 0) {
-    m_resolver->asyncCall(QStringLiteral("RevertLink"), m_ifindex);
+    for (auto iterator = m_linkDomains.constBegin();
+         iterator != m_linkDomains.constEnd(); ++iterator) {
+      QList<QVariant> argumentList;
+      argumentList << QVariant::fromValue(iterator.key());
+      argumentList << QVariant::fromValue(iterator.value());
+      m_resolver->asyncCallWithArgumentList(QStringLiteral("SetLinkDomains"),
+                                            argumentList);
+    }
+    if (m_ifindex > 0) {
+      m_resolver->asyncCall(QStringLiteral("RevertLink"), m_ifindex);
+    }
   }
 
   logger.debug() << "DnsUtilsLinux destroyed.";
@@ -52,12 +87,31 @@ DnsUtilsLinux::~DnsUtilsLinux() {
 
 bool DnsUtilsLinux::updateResolvers(const QString& ifname,
                                     const QList<QHostAddress>& resolvers) {
+  if (m_gatewayIfindex > 0) {
+    setLinkDefaultRoute(m_gatewayIfindex, true);
+    m_gatewayIfindex = 0;
+  }
+
   m_ifindex = if_nametoindex(qPrintable(ifname));
   if (m_ifindex <= 0) {
     logger.error() << "Unable to resolve ifindex for" << ifname;
     return false;
   }
 
+  m_pendingIfname = ifname;
+  m_pendingResolvers = resolvers;
+
+  if (!m_resolver) {
+    logger.debug() << "systemd-resolved not ready, queuing DNS configuration";
+    return true;
+  }
+
+  const int gwIdx = NetworkUtilities::getGatewayAndIface().second.index();
+  if (gwIdx > 0 && gwIdx != m_ifindex && gwIdx != m_gatewayIfindex) {
+    m_gatewayIfindex = gwIdx;
+    setLinkDefaultRoute(gwIdx, false);
+  }
+
   setLinkDNS(m_ifindex, resolvers);
   setLinkDefaultRoute(m_ifindex, true);
   updateLinkDomains();
@@ -65,6 +119,14 @@ bool DnsUtilsLinux::updateResolvers(const QString& ifname,
 }
 
 bool DnsUtilsLinux::restoreResolvers() {
+  m_pendingIfname.clear();
+  m_pendingResolvers.clear();
+
+  if (m_gatewayIfindex > 0) {
+    setLinkDefaultRoute(m_gatewayIfindex, true);
+    m_gatewayIfindex = 0;
+  }
+
   for (auto iterator = m_linkDomains.constBegin();
        iterator != m_linkDomains.constEnd(); ++iterator) {
     setLinkDomains(iterator.key(), iterator.value());
@@ -72,7 +134,7 @@ bool DnsUtilsLinux::restoreResolvers() {
   m_linkDomains.clear();
 
   /* Revert the VPN interface's DNS configuration */
-  if (m_ifindex > 0) {
+  if (m_ifindex > 0 && m_resolver) {
     QList<QVariant> argumentList = {QVariant::fromValue(m_ifindex)};
     QDBusPendingReply<> reply = m_resolver->asyncCallWithArgumentList(
         QStringLiteral("RevertLink"), argumentList);
@@ -90,13 +152,14 @@ bool DnsUtilsLinux::restoreResolvers() {
 void DnsUtilsLinux::dnsCallCompleted(QDBusPendingCallWatcher* call) {
   QDBusPendingReply<> reply = *call;
   if (reply.isError()) {
-    logger.error() << "Error received from the DBus service";
+    logger.debug() << "DBus call failed (may be transient after systemd-resolved restart)";
   }
   delete call;
 }
 
 void DnsUtilsLinux::setLinkDNS(int ifindex,
                                const QList<QHostAddress>& resolvers) {
+  if (!m_resolver) return;
   QList<DnsResolver> resolverList;
   char ifnamebuf[IF_NAMESIZE];
   const char* ifname = if_indextoname(ifindex, ifnamebuf);
@@ -121,6 +184,7 @@ void DnsUtilsLinux::setLinkDNS(int ifindex,
 
 void DnsUtilsLinux::setLinkDomains(int ifindex,
                                    const QList<DnsLinkDomain>& domains) {
+  if (!m_resolver) return;
   char ifnamebuf[IF_NAMESIZE];
   const char* ifname = if_indextoname(ifindex, ifnamebuf);
   if (ifname) {
@@ -144,6 +208,7 @@ void DnsUtilsLinux::setLinkDomains(int ifindex,
 }
 
 void DnsUtilsLinux::setLinkDefaultRoute(int ifindex, bool enable) {
+  if (!m_resolver) return;
   QList<QVariant> argumentList;
   argumentList << QVariant::fromValue(ifindex);
   argumentList << QVariant::fromValue(enable);
@@ -156,6 +221,7 @@ void DnsUtilsLinux::setLinkDefaultRoute(int ifindex, bool enable) {
 }
 
 void DnsUtilsLinux::updateLinkDomains() {
+  if (!m_resolver) return;
   /* Get the list of search domains, and remove any others that might conspire
    * to satisfy DNS resolution. Unfortunately, this is a pain because Qt doesn't
    * seem to be able to demarshall complex property types.
@@ -174,11 +240,20 @@ void DnsUtilsLinux::updateLinkDomains() {
 
 void DnsUtilsLinux::dnsDomainsReceived(QDBusPendingCallWatcher* call) {
   QDBusPendingReply<QVariant> reply = *call;
+  call->deleteLater();
   if (reply.isError()) {
-    logger.error() << "Error retrieving the DNS  domains from the DBus service";
-    delete call;
+    // systemd-resolved may still be starting up after a restart — retry a few times
+    if (m_ifindex > 0 && m_domainRetries++ < 5) {
+      logger.debug() << "systemd-resolved not ready yet, retrying DNS setup ("
+                     << m_domainRetries << "/5)";
+      QTimer::singleShot(500, this, &DnsUtilsLinux::updateLinkDomains);
+    } else {
+      logger.warning() << "Failed to configure DNS after 5 retries";
+      m_domainRetries = 0;
+    }
     return;
   }
+  m_domainRetries = 0;
 
   /* Update the state of the DNS domains */
   m_linkDomains.clear();
@@ -204,9 +279,17 @@ void DnsUtilsLinux::dnsDomainsReceived(QDBusPendingCallWatcher* call) {
   }
 
   /* Add a root search domain for the new interface. */
-  QList<DnsLinkDomain> newlist = {root};
-  setLinkDomains(m_ifindex, newlist);
-  delete call;
+  if (m_ifindex > 0) {
+    setLinkDomains(m_ifindex, {root});
+
+    /* Disable DefaultRoute on the physical gateway so systemd-resolved
+     * routes all DNS through the VPN interface. */
+    const int gwIdx = NetworkUtilities::getGatewayAndIface().second.index();
+    if (gwIdx > 0 && gwIdx != m_ifindex && gwIdx != m_gatewayIfindex) {
+      m_gatewayIfindex = gwIdx;
+      setLinkDefaultRoute(gwIdx, false);
+    }
+  }
 }
 
 static DnsMetatypeRegistrationProxy s_dnsMetatypeProxy;

client/platforms/linux/daemon/dnsutilslinux.h

@@ -6,7 +6,12 @@
 #define DNSUTILSLINUX_H
 
 #include <QDBusInterface>
+#include <QScopedPointer>
 #include <QDBusPendingCallWatcher>
+#include <QDBusServiceWatcher>
+#include <QHostAddress>
+#include <QList>
+#include <QString>
 
 #include "daemon/dnsutils.h"
 #include "dbustypeslinux.h"
@@ -29,13 +34,19 @@ class DnsUtilsLinux final : public DnsUtils {
   void updateLinkDomains();
 
  private slots:
+  void onResolverRegistered();
+  void onResolverUnregistered();
   void dnsCallCompleted(QDBusPendingCallWatcher*);
   void dnsDomainsReceived(QDBusPendingCallWatcher*);
 
  private:
   int m_ifindex = 0;
+  int m_gatewayIfindex = 0;
+  int m_domainRetries = 0;
   QMap<int, DnsLinkDomainList> m_linkDomains;
-  QDBusInterface* m_resolver = nullptr;
+  QScopedPointer<QDBusInterface> m_resolver;
+  QString m_pendingIfname;
+  QList<QHostAddress> m_pendingResolvers;
 };
 
 #endif  // DNSUTILSLINUX_H

client/platforms/linux/daemon/linuxfirewall.cpp

@@ -448,16 +448,33 @@ void LinuxFirewall::updateDNSServers(const QStringList& servers)
     static QStringList existingServers {};
 
     existingServers = servers;
-    execute(QStringLiteral("iptables -F %1.320.allowDNS").arg(kAnchorName));
-    for (const QString& rule : getDNSRules(servers))
-        execute(QStringLiteral("iptables -A %1.320.allowDNS %2").arg(kAnchorName, rule));
+    const QString chain = QStringLiteral("%1.320.allowDNS").arg(kAnchorName);
+    executeIptables(QStringLiteral("iptables"), {QStringLiteral("-F"), chain});
+    const QStringList ifaces = {
+        QStringLiteral("amn0+"), QStringLiteral("tun0+"), QStringLiteral("tun2+")
+    };
+    for (const QString& server : servers) {
+        for (const QString& iface : ifaces) {
+            executeIptables(QStringLiteral("iptables"),
+                {QStringLiteral("-A"), chain, QStringLiteral("-o"), iface,
+                 QStringLiteral("-d"), server, QStringLiteral("-p"), QStringLiteral("udp"),
+                 QStringLiteral("--dport"), QStringLiteral("53"), QStringLiteral("-j"), QStringLiteral("ACCEPT")});
+            executeIptables(QStringLiteral("iptables"),
+                {QStringLiteral("-A"), chain, QStringLiteral("-o"), iface,
+                 QStringLiteral("-d"), server, QStringLiteral("-p"), QStringLiteral("tcp"),
+                 QStringLiteral("--dport"), QStringLiteral("53"), QStringLiteral("-j"), QStringLiteral("ACCEPT")});
+        }
+    }
 }
 
 void LinuxFirewall::updateAllowNets(const QStringList& servers)
 {
-    execute(QStringLiteral("iptables -F %1.110.allowNets").arg(kAnchorName));
-    for (const QString& rule : getAllowRule(servers))
-        execute(QStringLiteral("iptables -A %1.110.allowNets %2").arg(kAnchorName, rule));
+    const QString chain = QStringLiteral("%1.110.allowNets").arg(kAnchorName);
+    executeIptables(QStringLiteral("iptables"), {QStringLiteral("-F"), chain});
+    for (const QString& server : servers)
+        executeIptables(QStringLiteral("iptables"),
+            {QStringLiteral("-A"), chain, QStringLiteral("-d"), server,
+             QStringLiteral("-j"), QStringLiteral("ACCEPT")});
 }
 
 void LinuxFirewall::updateBlockNets(const QStringList& servers)
@@ -465,9 +482,12 @@ void LinuxFirewall::updateBlockNets(const QStringList& servers)
     static QStringList existingServers {};
 
     existingServers = servers;
-    execute(QStringLiteral("iptables -F %1.120.blockNets").arg(kAnchorName));
-    for (const QString& rule : getBlockRule(servers))
-        execute(QStringLiteral("iptables -A %1.120.blockNets %2").arg(kAnchorName, rule));
+    const QString chain = QStringLiteral("%1.120.blockNets").arg(kAnchorName);
+    executeIptables(QStringLiteral("iptables"), {QStringLiteral("-F"), chain});
+    for (const QString& server : servers)
+        executeIptables(QStringLiteral("iptables"),
+            {QStringLiteral("-A"), chain, QStringLiteral("-d"), server,
+             QStringLiteral("-j"), QStringLiteral("REJECT")});
 }
 
 int waitForExitCode(QProcess& process)
@@ -500,6 +520,24 @@ int LinuxFirewall::execute(const QString &command, bool ignoreErrors)
     return exitCode;
 }
 
+int LinuxFirewall::executeIptables(const QString &program, const QStringList &args, bool ignoreErrors)
+{
+    QProcess p;
+    p.start(program, args, QProcess::ReadOnly);
+    p.closeWriteChannel();
+
+    int exitCode = waitForExitCode(p);
+    auto out = p.readAllStandardOutput().trimmed();
+    auto err = p.readAllStandardError().trimmed();
+    if ((exitCode != 0 || !err.isEmpty()) && !ignoreErrors)
+        logger.warning() << "(" << exitCode << ") $ " << program << args.join(QLatin1Char(' '));
+    if (!out.isEmpty())
+        logger.info() << out;
+    if (!err.isEmpty())
+        logger.warning() << err;
+    return exitCode;
+}
+
 void LinuxFirewall::setupTrafficSplitting()
 {
     auto cGroupDir = "/sys/fs/cgroup/net_cls/" BRAND_CODE "vpnexclusions/";

client/platforms/linux/daemon/linuxfirewall.h

@@ -85,6 +85,7 @@ private:
     static void setupTrafficSplitting();
     static void teardownTrafficSplitting();
     static int execute(const QString& command, bool ignoreErrors = false);
+    static int executeIptables(const QString& program, const QStringList& args, bool ignoreErrors = false);
 private:
     // Chain names
     static QString kOutputChain, kRootChain, kPostRoutingChain, kPreRoutingChain;

client/platforms/linux/daemon/wireguardutilslinux.cpp

@@ -237,7 +237,11 @@ bool WireguardUtilsLinux::updatePeer(const InterfaceConfig& config) {
     // Exclude the server address, except for multihop exit servers.
     if ((config.m_hopType != InterfaceConfig::MultiHopExit) &&
         (m_rtmonitor != nullptr)) {
-        m_rtmonitor->addExclusionRoute(IPAddress(config.m_serverIpv4AddrIn));
+        if (!config.m_serverIpv4AddrIn.isEmpty() &&
+            !m_rtmonitor->addExclusionRoute(IPAddress(config.m_serverIpv4AddrIn))) {
+            logger.error() << "No gateway — cannot add server exclusion route";
+            return false;
+        }
         m_rtmonitor->addExclusionRoute(IPAddress(config.m_serverIpv6AddrIn));
     }
 

client/settings.cpp

@@ -15,6 +15,7 @@ namespace
     const char cloudFlareNs2[] = "1.0.0.1";
 
     constexpr char gatewayEndpoint[] = "http://gw.amnezia.org:80/";
+    constexpr char proxyUrlsKey[] = "Conf/proxyUrls/";
 }
 
 Settings::Settings(QObject *parent) : QObject(parent), m_settings(ORGANIZATION_NAME, APPLICATION_NAME, this)
@@ -526,6 +527,24 @@ void Settings::toggleDevGatewayEnv(bool enabled)
     m_settings.setValue("Conf/devGatewayEnv", enabled);
 }
 
+QByteArray Settings::readGatewayProxyUrls(const QString &cacheKey) const
+{
+    if (cacheKey.isEmpty()) {
+        return {};
+    }
+
+    return m_settings.value(QString(proxyUrlsKey) + cacheKey).toByteArray();
+}
+
+void Settings::writeGatewayProxyUrls(const QString &cacheKey, const QByteArray &proxyUrlsEncrypted)
+{
+    if (cacheKey.isEmpty()) {
+        return;
+    }
+
+    m_settings.setValue(QString(proxyUrlsKey) + cacheKey, proxyUrlsEncrypted);
+}
+
 bool Settings::isHomeAdLabelVisible()
 {
     return m_settings.value("Conf/homeAdLabelVisible", true).toBool();

client/settings.h

@@ -4,6 +4,7 @@
 #include <QObject>
 #include <QSettings>
 #include <QString>
+#include <QByteArray>
 
 #include <QJsonArray>
 #include <QJsonDocument>
@@ -234,6 +235,8 @@ public:
     QString getGatewayEndpoint(bool isTestPurchase = false);
     bool isDevGatewayEnv(bool isTestPurchase = false);
     void toggleDevGatewayEnv(bool enabled);
+    QByteArray readGatewayProxyUrls(const QString &cacheKey) const;
+    void writeGatewayProxyUrls(const QString &cacheKey, const QByteArray &proxyUrlsEncrypted);
 
     bool isHomeAdLabelVisible();
     void disableHomeAdLabel();

client/ui/controllers/api/apiConfigsController.cpp

@@ -1027,7 +1027,7 @@ bool ApiConfigsController::updateServiceFromTelegram(const int serverIndex)
 #endif
 
     GatewayController gatewayController(m_settings->getGatewayEndpoint(), m_settings->isDevGatewayEnv(), apiDefs::requestTimeoutMsecs,
-                                        m_settings->isStrictKillSwitchEnabled());
+                                        m_settings->isStrictKillSwitchEnabled(), m_settings);
 
     auto serverConfig = m_serversModel->getServerConfig(serverIndex);
     auto installationUuid = m_settings->getInstallationUuid(true);
@@ -1273,6 +1273,6 @@ ErrorCode ApiConfigsController::executeRequest(const QString &endpoint, const QJ
                                                bool isTestPurchase)
 {
     GatewayController gatewayController(m_settings->getGatewayEndpoint(isTestPurchase), m_settings->isDevGatewayEnv(isTestPurchase),
-                                        apiDefs::requestTimeoutMsecs, m_settings->isStrictKillSwitchEnabled());
+                                        apiDefs::requestTimeoutMsecs, m_settings->isStrictKillSwitchEnabled(), m_settings);
     return gatewayController.post(endpoint, apiPayload, responseBody);
 }

client/ui/controllers/api/apiNewsController.cpp

@@ -32,7 +32,8 @@ void ApiNewsController::fetchNews(bool showError)
     }
 
     auto gatewayController = QSharedPointer<GatewayController>::create(m_settings->getGatewayEndpoint(), m_settings->isDevGatewayEnv(),
-                                                                       apiDefs::requestTimeoutMsecs, m_settings->isStrictKillSwitchEnabled());
+                                                                       apiDefs::requestTimeoutMsecs,
+                                                                       m_settings->isStrictKillSwitchEnabled(), m_settings);
     QJsonObject payload;
     payload.insert("locale", m_settings->getAppLanguage().name().split("_").first());
 

client/ui/controllers/api/apiSettingsController.cpp

@@ -71,7 +71,7 @@ bool ApiSettingsController::getAccountInfo(bool reload)
 
     bool isTestPurchase = apiConfig.value(apiDefs::key::isTestPurchase).toBool(false);
     GatewayController gatewayController(m_settings->getGatewayEndpoint(isTestPurchase), m_settings->isDevGatewayEnv(isTestPurchase),
-                                        requestTimeoutMsecs, m_settings->isStrictKillSwitchEnabled());
+                                        requestTimeoutMsecs, m_settings->isStrictKillSwitchEnabled(), m_settings);
 
     QJsonObject apiPayload;
     apiPayload[configKey::userCountryCode] = apiConfig.value(configKey::userCountryCode).toString();
@@ -110,7 +110,7 @@ void ApiSettingsController::getRenewalLink()
     auto gatewayController = QSharedPointer<GatewayController>::create(m_settings->getGatewayEndpoint(isTestPurchase),
                                                                        m_settings->isDevGatewayEnv(isTestPurchase),
                                                                        requestTimeoutMsecs,
-                                                                       m_settings->isStrictKillSwitchEnabled());
+                                                                       m_settings->isStrictKillSwitchEnabled(), m_settings);
 
     QJsonObject apiPayload;
     apiPayload[configKey::userCountryCode] = apiConfig.value(configKey::userCountryCode).toString();

ipc/ipc.h

@@ -3,6 +3,8 @@
 
 #include <QObject>
 #include <QString>
+#include <QRegularExpression>
+#include <QSet>
 
 #include "../client/utilities.h"
 
@@ -15,7 +17,8 @@ enum PermittedProcess {
     OpenVPN,
     Wireguard,
     Tun2Socks,
-    CertUtil
+    CertUtil,
+    _Count
 };
 
 inline QString permittedProcessPath(PermittedProcess pid)
@@ -57,16 +60,56 @@ inline QStringList sanitizeArguments(PermittedProcess proc, const QStringList &a
     QList<Validator> positionalArgs;
 
     switch (proc) {
+    case OpenVPN: {
+        static const QSet<QString> blocked = {
+            QStringLiteral("--script-security"),
+            QStringLiteral("--up"),
+            QStringLiteral("--down"),
+            QStringLiteral("--route-up"),
+            QStringLiteral("--ipchange"),
+            QStringLiteral("--tls-verify"),
+            QStringLiteral("--plugin"),
+            QStringLiteral("--auth-user-pass-verify"),
+            QStringLiteral("--learn-address"),
+            QStringLiteral("--client-connect"),
+            QStringLiteral("--client-disconnect"),
+            QStringLiteral("--management"),
+            QStringLiteral("--management-external-key")
+        };
+        QStringList out;
+        for (int i = 0; i < args.size(); ++i) {
+            if (blocked.contains(args[i])) {
+                qWarning() << "IPC: blocked OpenVPN argument:" << args[i];
+                ++i; // skip following value
+                continue;
+            }
+            out << args[i];
+        }
+        return out;
+    }
+    case Wireguard: {
+        static const QRegularExpression hookRe(
+            QStringLiteral(R"((?i)(PostUp|PreUp|PostDown|PreDown)\s*=)"));
+        QStringList out;
+        for (const QString& a : args) {
+            if (hookRe.match(a).hasMatch()) {
+                qWarning() << "IPC: blocked WireGuard hook argument:" << a;
+                continue;
+            }
+            out << a;
+        }
+        return out;
+    }
     case Tun2Socks:
         namedArgs["-device"] = [](const QString& v) { return v.startsWith("tun://"); };
         namedArgs["-proxy"] = [](const QString& v) { return v.startsWith("socks5://"); };
         break;
-    default:
-        //FIXME
+    case CertUtil:
         return args;
+    default:
+        return {};
     }
 
-
     QStringList sanitized;
 
     for (int i = 0, pos = 0; i < args.size(); i++) {

ipc/ipcserver.cpp

@@ -22,6 +22,27 @@
     #include "tapcontroller_win.h"
 #endif
 
+#ifdef Q_OS_LINUX
+#include <sys/socket.h>
+#include <sys/types.h>
+
+extern uid_t g_allowedUid;
+extern bool g_allowedUidSet;
+
+static bool checkPrivPeerCredentials(QLocalSocket *socket) {
+    struct ucred cred{};
+    socklen_t len = sizeof(cred);
+    if (getsockopt(socket->socketDescriptor(), SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0) {
+        qWarning() << "IpcServer: SO_PEERCRED failed, rejecting privileged process connection";
+        return false;
+    }
+    if (cred.uid == 0) return true;
+    if (g_allowedUidSet && cred.uid == g_allowedUid) return true;
+    qWarning() << "IpcServer: rejected privileged process connection from unauthorized UID" << cred.uid;
+    return false;
+}
+#endif
+
 
 IpcServer::IpcServer(QObject *parent) : IpcInterfaceSource(parent)
 {
@@ -48,8 +69,16 @@ int IpcServer::createPrivilegedProcess()
     // Make sure any connections are handed to QtRO
     QObject::connect(pd.localServer.data(), &QLocalServer::newConnection, this, [pd]() {
         qDebug() << "IpcServer new connection";
+        QLocalSocket *conn = pd.localServer->nextPendingConnection();
+#ifdef Q_OS_LINUX
+        if (!checkPrivPeerCredentials(conn)) {
+            conn->close();
+            conn->deleteLater();
+            return;
+        }
+#endif
         if (pd.serverNode) {
-            pd.serverNode->addHostSideConnection(pd.localServer->nextPendingConnection());
+            pd.serverNode->addHostSideConnection(conn);
             pd.serverNode->enableRemoting(pd.ipcProcess.data());
         }
     });

ipc/ipcserverprocess.cpp

@@ -77,6 +77,11 @@ void IpcServerProcess::setProcessChannelMode(QProcess::ProcessChannelMode mode)
 
 void IpcServerProcess::setProgram(int programId)
 {
+    if (programId <= static_cast<int>(amnezia::PermittedProcess::Invalid) ||
+        programId >= static_cast<int>(amnezia::PermittedProcess::_Count)) {
+        qWarning() << "IPC: invalid programId" << programId << ", ignoring";
+        return;
+    }
     m_program = static_cast<amnezia::PermittedProcess>(programId);
     m_process->setProgram(amnezia::permittedProcessPath(m_program));
     m_process->setArguments({});

service/server/killswitch.cpp

@@ -3,11 +3,43 @@
 
 #include <QApplication>
 #include <QHostAddress>
+#include <QRegularExpression>
 
 #include "../client/protocols/protocols_defs.h"
 #include "qjsonarray.h"
 #include "version.h"
 
+#ifdef Q_OS_LINUX
+static bool isValidIpOrCidr(const QString &value) {
+    static const QRegularExpression re(
+        QStringLiteral(R"(^(\d{1,3}\.){3}\d{1,3}(/\d{1,2})?$)"));
+    if (!re.match(value).hasMatch()) return false;
+    const QStringList ipParts = value.split(QLatin1Char('/'))[0].split(QLatin1Char('.'));
+    for (const QString &part : ipParts) {
+        bool ok;
+        int octet = part.toInt(&ok);
+        if (!ok || octet < 0 || octet > 255) return false;
+    }
+    if (value.contains(QLatin1Char('/'))) {
+        bool ok;
+        int prefix = value.split(QLatin1Char('/'))[1].toInt(&ok);
+        if (!ok || prefix < 0 || prefix > 32) return false;
+    }
+    return true;
+}
+
+static QStringList filterIpList(const QStringList &values) {
+    QStringList safe;
+    for (const QString &v : values) {
+        if (isValidIpOrCidr(v))
+            safe << v;
+        else
+            qWarning() << "IPC: rejected invalid IP/CIDR value:" << v;
+    }
+    return safe;
+}
+#endif
+
 #ifdef Q_OS_WIN
     #include "../client/platforms/windows/daemon/windowsfirewall.h"
     #include "../client/platforms/windows/daemon/windowsdaemon.h"
@@ -159,7 +191,11 @@ bool KillSwitch::disableAllTraffic() {
 
 bool KillSwitch::resetAllowedRange(const QStringList &ranges) {
 
+#ifdef Q_OS_LINUX
+    m_allowedRanges = filterIpList(ranges);
+#else
     m_allowedRanges = ranges;
+#endif
 
 #ifdef Q_OS_LINUX
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), true);
@@ -182,7 +218,12 @@ bool KillSwitch::resetAllowedRange(const QStringList &ranges) {
 }
 
 bool KillSwitch::addAllowedRange(const QStringList &ranges) {
-    for (const QString &range : ranges) {
+#ifdef Q_OS_LINUX
+    const QStringList safeRanges = filterIpList(ranges);
+#else
+    const QStringList &safeRanges = ranges;
+#endif
+    for (const QString &range : safeRanges) {
         if (!range.isEmpty() && !m_allowedRanges.contains(range)) {
             m_allowedRanges.append(range);
         }
@@ -307,9 +348,9 @@ bool KillSwitch::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterIn
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("000.allowLoopback"), true);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("100.blockAll"), blockAll);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), allowNets);
-    LinuxFirewall::updateAllowNets(allownets);
+    LinuxFirewall::updateAllowNets(filterIpList(allownets));
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("120.blockNets"), blockAll);
-    LinuxFirewall::updateBlockNets(blocknets);
+    LinuxFirewall::updateBlockNets(filterIpList(blocknets));
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("200.allowVPN"), true);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv6, QStringLiteral("250.blockIPv6"), true);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("290.allowDHCP"), true);
@@ -317,23 +358,35 @@ bool KillSwitch::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterIn
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("310.blockDNS"), true);
     QStringList dnsServers;
 
-    dnsServers.append(configStr.value(amnezia::config_key::dns1).toString());
+    const QString dns1 = configStr.value(amnezia::config_key::dns1).toString();
+    if (isValidIpOrCidr(dns1))
+        dnsServers.append(dns1);
+    else if (!dns1.isEmpty())
+        qWarning() << "IPC: rejected invalid dns1:" << dns1;
 
     // We don't use secondary DNS if primary DNS is AmneziaDNS
-    if (!configStr.value(amnezia::config_key::dns1).toString().contains(amnezia::protocols::dns::amneziaDnsIp)) {
-        dnsServers.append(configStr.value(amnezia::config_key::dns2).toString());
+    if (!dns1.contains(amnezia::protocols::dns::amneziaDnsIp)) {
+        const QString dns2 = configStr.value(amnezia::config_key::dns2).toString();
+        if (isValidIpOrCidr(dns2))
+            dnsServers.append(dns2);
+        else if (!dns2.isEmpty())
+            qWarning() << "IPC: rejected invalid dns2:" << dns2;
     }
 
     dnsServers.append("127.0.0.1");
     dnsServers.append("127.0.0.53");
-    
+
     for (auto dns : configStr.value(amnezia::config_key::allowedDnsServers).toArray()) {
         if (!dns.isString()) {
             break;
         }
-        dnsServers.append(dns.toString());
+        const QString dnsStr = dns.toString();
+        if (isValidIpOrCidr(dnsStr))
+            dnsServers.append(dnsStr);
+        else if (!dnsStr.isEmpty())
+            qWarning() << "IPC: rejected invalid allowedDnsServer:" << dnsStr;
     }
-    
+
     LinuxFirewall::updateDNSServers(dnsServers);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("320.allowDNS"), true);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("400.allowPIA"), true);

service/server/localserver.cpp

@@ -17,6 +17,35 @@
     #include "tapcontroller_win.h"
 #endif
 
+#ifdef Q_OS_LINUX
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+uid_t g_allowedUid = static_cast<uid_t>(-1);
+bool g_allowedUidSet = false;
+
+static bool checkPeerCredentials(QLocalSocket *socket) {
+    struct ucred cred{};
+    socklen_t len = sizeof(cred);
+    if (getsockopt(socket->socketDescriptor(), SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0) {
+        qWarning() << "LocalServer: SO_PEERCRED failed, rejecting connection";
+        return false;
+    }
+    if (cred.uid == 0) return true;
+    if (!g_allowedUidSet) {
+        g_allowedUid = cred.uid;
+        g_allowedUidSet = true;
+        qDebug() << "LocalServer: registered session UID" << g_allowedUid;
+    }
+    if (cred.uid != g_allowedUid) {
+        qWarning() << "LocalServer: rejected connection from unauthorized UID" << cred.uid;
+        return false;
+    }
+    return true;
+}
+#endif
+
 namespace {
 Logger logger("WgDaemonServer");
 }
@@ -35,7 +64,15 @@ LocalServer::LocalServer(QObject *parent) : QObject(parent),
 
     QObject::connect(m_server.data(), &QLocalServer::newConnection, this, [this]() {
         qDebug() << "LocalServer new connection";
-        m_serverNode.addHostSideConnection(m_server->nextPendingConnection());
+        QLocalSocket *conn = m_server->nextPendingConnection();
+#ifdef Q_OS_LINUX
+        if (!checkPeerCredentials(conn)) {
+            conn->close();
+            conn->deleteLater();
+            return;
+        }
+#endif
+        m_serverNode.addHostSideConnection(conn);
 
         if (!m_isRemotingEnabled) {
             m_isRemotingEnabled = true;

service/server/router_linux.cpp

@@ -167,22 +167,27 @@ bool RouterLinux::flushDns()
 
     //check what the dns manager use
     if (isServiceActive("nscd.service")) {
-        qDebug() << "Restarting nscd.service";
-        p.start("systemctl", { "restart", "nscd" });
+        qDebug() << "Flushing nscd cache";
+        p.start("nscd", { "--invalidate=hosts" });
     } else if (isServiceActive("systemd-resolved.service")) {
-        qDebug() << "Restarting systemd-resolved.service";
-        p.start("systemctl", { "restart", "systemd-resolved" });
+        qDebug() << "Flushing systemd-resolved DNS cache";
+        p.start("resolvectl", { "flush-caches" });
     } else {
         qDebug() << "No suitable DNS manager found.";
         return false;
     }
 
     p.waitForFinished();
-    QByteArray output(p.readAll());
+    QByteArray output = p.readAll();
+    if ((p.exitStatus() != QProcess::NormalExit) || (p.exitCode() != 0)) {
+        qDebug().noquote() << "Failed to flush DNS: " + output;
+        return false;
+    }
+
     if (output.isEmpty())
         qDebug().noquote() << "Flush dns completed";
     else
-        qDebug().noquote() << "OUTPUT systemctl restart nscd/systemd-resolved: " + output;
+        qDebug().noquote() << "OUTPUT dns flush: " + output;
 
     return true;
 }