feat: initial conan support and build process refactoring (#2260)

* feat: initial conan support

* feat: add awg-go and awg-apple recipes

* feat: macos full feature conan build, except ss and cloak

* feat: conan android initial support

* fix: android libssh fixes

* conan: android additional recipes and fixes

* feat: openvpn add support android

* fix: awg android connection establish

* conan: apple full-featured support

* chore: bump min macos version

* chore: get rid of manual deploy recursive copying

* conan: beautify makefile-based recipes

* conan: add geosite.dat and geoip.dat

* conan: use lib linking instead of QT_EXTRA_LIBS for OVPN

* conan: address lack of SONAME of libck-ovpn-plugin.so correctly

* conan: windows initial support

* conan: make awg-windows and wintun be interpret as exes

* conan: fix version for v2ray-rules-dat

* feat: conan and platform bootstrap rework in cmake

* feat: 16kb support for Android

* chore(conan): recipes cleanup

* feat: support of drivers for windows

* feat: support full-featured cmake install

* chore: exclude qtkeychain from the target build

* fix: install for apple systems

* fix: provide flags for cloak plugin for openvpn-pt-android

* chore: bump android deps for 16kb support

* feat(conan): patch cloak to properly provide env for golang

* chore: remove redundant hint from conan find

* feat: linux <-> conan features

* feat: linux initial packaging support

* feat: linux cpack support

* feat: cpack windows full-featured build

* feat: productbuild cpack support

* feat: rework CI/CD for macos

* feat: rework CI/CD for Linux

* fix: libncap automake args

* fix: CI/CD correct QT paths

* fix: windows rework CI/CD

* fix: windows artifact upload

* chore: remove MacOS-old from build targets

* feat: add conan to all mobile and NE builds

* feat: support default amnezia conan remote

* fix: use Release instead of release on Android

* feat: get rid of 3rd-prebuilt

* feat: conan CI/CD upload

* fix: CI/CD change windows toolset versions

* fix: remove MSVC version from CI/CD

* feat: conan CI/CD add Release and Debug build types

* feat: add multiple xcode versions for conan CI/CD

* fix: correct conan CI/CD clang versions

* feat: separate prebuilt baking, and add some for NE

* feat: rework keychain on ios/macos even more

* fix: add desktop Qt for iOS

* feat: add QT_HOST_PATH to build.sh

* fix: add deploy definition to cmake

* fix: android adjustments for toolchains and CI/CD

* fix: add needs for Android CI/CD

* fix: Android CI/CD use android-28

* fix: modernize translations, and CI/CD fixes

* fix: gradle min sdk compilation error

* fix: CI/CD add installers to all jobs

* fix: parse android platform more precisely

* fix: adjust aab path in CI/CD

* feat: CI/CD do not execute artifact build if there is nothing changed

* fix: CI/CD use common jobs even if previous were failed

* fix: Apple CI/CD use set-key-partition-list for keychains

* fix: Apple CI/CD do not specify any keychain (use default)

* fix: build aab as a different step in build script

* chore: beautify build.sh script

* feat: CI/CD build separate APKs per ABI

* fix: Android CI/CD upload artifact in separate steps

* chore: recipes cleanup

* feat: add hints for conan on MacOS

* fix: add main.cpp and tests back to CMakeLists.txt

* chore: xrayProtocol codestyle changes

* fix: openssl set proper X509 request version

* fix: make openvpn protocol rely only on client while configuring

* chore: get rid of old scripts

* chore: readme update describing build process more precisely

* feat: windows build script add multiprocessing capabilities

* chore: bump Qt version in README

* feat: add generator option and use Ninja by default in CI/CD for linux/macos

---------

Co-authored-by: NickVs2015 <nv@amnezia.org>

.clang-format-ignore

@@ -2,7 +2,7 @@
 /client/3rd-prebuild
 /client/android
 /client/cmake
-/client/core/serialization
+/client/core/utils/serialization
 /client/daemon
 /client/fonts
 /client/images

.github/actions/apple-install-cert/action.yml

@@ -0,0 +1,38 @@
+# .github/actions/apple-install-cert/action.yml
+
+name: Setup apple keychain
+description: Creates and configures a temporary build keychain
+
+inputs:
+  keychain-path:
+    description: Path to the keychain
+    required: true
+  keychain-password:
+    description: Password to the keychain
+    required: true
+  cert-base64:
+    description: Base64-encoded certificate
+    required: true
+  cert-password:
+    description: Certificate password
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Create keychain
+      shell: bash
+      env:
+        KEYCHAIN_PATH: ${{ inputs.keychain-path }}
+        KEYCHAIN_PASSWORD: ${{ inputs.keychain-password }}
+        CERT_BASE64: ${{ inputs.cert-base64 }}
+        CERT_PASSWORD: ${{ inputs.cert-password }}
+      run: |
+        CERT_PATH=$(mktemp /tmp/cert_XXXXXX.p12)
+        trap "rm -f '$CERT_PATH'" EXIT
+
+        echo -n "$CERT_BASE64" | base64 --decode -o "$CERT_PATH"
+
+        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+        security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$CERT_PASSWORD" -A -t cert -f pkcs12
+        security set-key-partition-list -S apple-tool:,apple:,codesign: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

.github/actions/apple-setup-keychain/action.yml

@@ -0,0 +1,57 @@
+# .github/actions/apple-setup-keychain/action.yml
+
+name: Setup apple keychain
+description: Creates and configures a temporary build keychain
+
+inputs:
+  keychain-name:
+    description: Name of the keychain
+    required: false
+    default: "ci-amnezia"
+  keychain-password:
+    description: The keychain password
+    required: true
+  lock-timeout:
+    description: A timeout after exceeding which the keychain would be locked
+    required: false
+    default: "0"
+
+outputs:
+  keychain-path:
+    description: "Full path to the keychain created"
+    value: ${{ steps.setup.outputs.keychain-path }}
+  keychain-name:
+    description: "Actual name of the keychain created"
+    value: ${{ steps.setup.outputs.keychain-name }}
+
+runs:
+  using: composite
+  steps:
+    - name: Setup keychain
+      id: setup
+      shell: bash
+      env:
+        KEYCHAIN_NAME: ${{ inputs.keychain-name }}
+        KEYCHAIN_PASSWORD: ${{ inputs.keychain-password }}
+        LOCK_TIMEOUT: ${{ inputs.lock-timeout }}
+      run: |
+        KEYCHAIN_PATH="$HOME/Library/Keychains/$KEYCHAIN_NAME.keychain-db"
+
+        security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+        if [[ "$LOCK_TIMEOUT" == "0" ]]; then
+          security set-keychain-settings "$KEYCHAIN_PATH"
+        else
+          security set-keychain-settings -u -t "$LOCK_TIMEOUT" "$KEYCHAIN_PATH"
+        fi
+
+        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+        security import "${{ github.action_path }}/DeveloperIDG2CA.cer" -k "$KEYCHAIN_PATH" -A
+        security import "${{ github.action_path }}/AppleWWDRCAG3.cer" -k "$KEYCHAIN_PATH" -A
+
+        security list-keychains -d user -s "$KEYCHAIN_PATH"
+        security default-keychain -s "$KEYCHAIN_PATH"
+
+        echo "keychain-name=$KEYCHAIN_NAME" >> $GITHUB_OUTPUT
+        echo "keychain-path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT

.github/actions/apple-setup-provisioning-profile/action.yml

@@ -0,0 +1,31 @@
+# .github/actions/apple-setup-provisioning-profile/action.yml
+
+name: Setup provisioning profiles
+description: Decodes and installs provisioning profiles
+
+inputs:
+  provisioning_profile_base64:
+    description: Base64-encoded provisioning profile
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Setup provisioning profile
+      shell: bash
+      run: |
+        PROFILES_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
+        TEMP_FILE=$(mktemp)
+
+        echo "${{ inputs.provisioning_profile_base64 }}" | base64 --decode > "$TEMP_FILE"
+
+        PROFILE_UUID=$(grep UUID -A1 -a "$TEMP_FILE" | grep -io "[-A-F0-9]\{36\}")
+        if [[ -z "$PROFILE_UUID" ]]; then
+          echo "Failed to extract UUID from provisioning profile"
+          rm -f "$TEMP_FILE"
+          exit 1
+        fi
+
+        mkdir -p "$PROFILES_DIR"
+        mv "$TEMP_FILE" "$PROFILES_DIR/$PROFILE_UUID.mobileprovision"
+        echo "Installed profile: $PROFILE_UUID"

.github/workflows/tag-deploy.yml

@@ -17,6 +17,7 @@ jobs:
       QIF_VERSION: 4.5
       PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
       PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
+      FALLBACK_S3_ENDPOINT: ${{ secrets.FALLBACK_S3_ENDPOINT }}
       DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
       DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
       DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}

.github/workflows/tag-upload.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Verify git tag
         run: |
           TAG_NAME=${{ inputs.RELEASE_VERSION }}
-          CMAKE_TAG=$(grep 'project.*VERSION' CMakeLists.txt | sed -E 's/.* ([0-9]+.[0-9]+.[0-9]+.[0-9]+)$/\1/')
+          CMAKE_TAG=$(grep 'set(AMNEZIAVPN_VERSION' CMakeLists.txt | sed -E 's/.*AMNEZIAVPN_VERSION ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/')
           if [[ "$TAG_NAME" == "$CMAKE_TAG" ]]; then
             echo "Git tag ($TAG_NAME) matches CMakeLists.txt version ($CMAKE_TAG)."
           else

.gitignore

@@ -81,6 +81,7 @@ client/.DS_Store
 ._.DS_Store
 ._*
 *.dmg
+deploy/data/macos/pf/amn.400.allowPIA.conf
 
 # tmp files
 *.*~
@@ -140,3 +141,6 @@ ios-ne-build.sh
 macos-ne-build.sh
 macos-signed-build.sh
 macos-with-sign-build.sh
+DeveloperIdApplicationCertificate.p12
+DeveloperIdInstallerCertificate.p12
+

.gitmodules

@@ -4,13 +4,13 @@
 [submodule "client/3rd/SortFilterProxyModel"]
 	path = client/3rd/SortFilterProxyModel
 	url = https://github.com/mitchcurtis/SortFilterProxyModel.git
-[submodule "client/3rd-prebuilt"]
-	path = client/3rd-prebuilt
-	url = https://github.com/amnezia-vpn/3rd-prebuilt
-	branch = feature/special-handshake
 [submodule "client/3rd/amneziawg-apple"]
 	path = client/3rd/amneziawg-apple
 	url = https://github.com/amnezia-vpn/amneziawg-apple
 [submodule "client/3rd/QSimpleCrypto"]
 	path = client/3rd/QSimpleCrypto
 	url = https://github.com/amnezia-vpn/QSimpleCrypto.git
+[submodule "client/3rd/qtgamepad"]
+	path = client/3rd/qtgamepad
+	url = https://github.com/amnezia-vpn/qtgamepad.git
+	branch = 6.6

CMakeLists.txt

@@ -1,18 +1,34 @@
 cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)
 
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+
 set(PROJECT AmneziaVPN)
-set(AMNEZIAVPN_VERSION 4.8.11.2)
+set(AMNEZIAVPN_VERSION 4.8.15.4)
+
+set(QT_CREATOR_SKIP_PACKAGE_MANAGER_SETUP ON CACHE BOOL "" FORCE)
+set(CMAKE_PROJECT_TOP_LEVEL_INCLUDES
+    ${CMAKE_SOURCE_DIR}/cmake/platform_settings.cmake
+    ${CMAKE_SOURCE_DIR}/cmake/recipes_bootstrap.cmake
+    ${CMAKE_SOURCE_DIR}/cmake/conan_provider.cmake
+    CACHE STRING "" FORCE)
 
 project(${PROJECT} VERSION ${AMNEZIAVPN_VERSION}
         DESCRIPTION "AmneziaVPN"
         HOMEPAGE_URL "https://amnezia.org/"
 )
 
+if (PREBUILTS_ONLY)
+    # trigger conan to kick off `conan install`
+    find_package(OpenSSL REQUIRED)
+    return()
+endif()
+
 string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")
 
 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2097)
+set(APP_ANDROID_VERSION_CODE 2120)
 
 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
     set(MZ_PLATFORM_NAME "linux")
@@ -29,23 +45,34 @@ elseif(${CMAKE_SYSTEM_NAME} STREQUAL "Emscripten")
 endif()
 
 set(QT_BUILD_TOOLS_WHEN_CROSS_COMPILING ON)
-set(CMAKE_CXX_STANDARD 17)
-set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
-if(APPLE)
-    if(IOS)
-        set(CMAKE_OSX_ARCHITECTURES "arm64")
-    elseif(MACOS_NE)
-        set(CMAKE_OSX_ARCHITECTURES "arm64;x86_64")
+if(APPLE AND NOT IOS)
+    if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+        set(AMN_PF_RULE_IDENTITY "user { root }")
     else()
-        set(CMAKE_OSX_ARCHITECTURES "x86_64")
+        set(AMN_PF_RULE_IDENTITY "group { amnvpn }")
     endif()
+
+    configure_file(
+        "${CMAKE_SOURCE_DIR}/deploy/data/pf-templates/amn.400.allowPIA.conf.in"
+        "${CMAKE_CURRENT_BINARY_DIR}/amn.400.allowPIA.conf"
+        @ONLY
+    )
+
+    file(COPY_FILE
+        "${CMAKE_CURRENT_BINARY_DIR}/amn.400.allowPIA.conf"
+        "${CMAKE_SOURCE_DIR}/deploy/data/macos/pf/amn.400.allowPIA.conf"
+        ONLY_IF_DIFFERENT
+    )
 endif()
 
+
 add_subdirectory(client)
 
 if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
     add_subdirectory(service)
-
-    include(${CMAKE_SOURCE_DIR}/deploy/installer/config.cmake)
+endif()
+
+if ((LINUX AND NOT ANDROID) OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (WIN32))
+    include(${CMAKE_SOURCE_DIR}/cmake/CPack.cmake)
 endif()

README.md

@@ -53,24 +53,14 @@ AmneziaVPN uses several open-source projects to work:
 
 - [OpenSSL](https://www.openssl.org/)
 - [OpenVPN](https://openvpn.net/)
-- [Shadowsocks](https://shadowsocks.org/)
 - [Qt](https://www.qt.io/)
-- [LibSsh](https://libssh.org) - forked from Qt Creator
+- [LibSsh](https://libssh.org)
+- [WireGuard](https://www.wireguard.com/)
+- [Xray-core](https://xtls.github.io/en/)
+- [Conan](https://conan.io/)
 - and more...
 
-## Checking out the source code
-
-Make sure to pull all submodules after checking out the repo.
-
-```bash
-git submodule update --init --recursive
-```
-
-## Development
-
-Want to contribute? Welcome!
-
-### Help with translations
+## Help us with translations
 
 Download the most actual translation files.
 
@@ -83,103 +73,102 @@ Each *.ts file contains strings for one corresponding language.
 Translate or correct some strings in one or multiple *.ts files and commit them back to this repository into the ``client/translations`` folder.
 You can do it via a web-interface or any other method you're familiar with.
 
-### Building sources and deployment
+## Checking out the source code
 
-Check deploy folder for build scripts. 
+Make sure to pull all submodules after checking out the repo.
 
-### How to build an iOS app from source code on MacOS
-
-1. First, make sure you have [XCode](https://developer.apple.com/xcode/) installed, at least version 14 or higher.
-
-2. We use QT to generate the XCode project. We need QT version 6.6.2. Install QT for MacOS [here](https://doc.qt.io/qt-6/macos.html) or [QT Online Installer](https://www.qt.io/download-open-source). Required modules:
-   - MacOS
-   - iOS
-   - Qt 5 Compatibility Module
-   - Qt Shader Tools
-   - Additional Libraries:
-     - Qt Image Formats
-     - Qt Multimedia
-     - Qt Remote Objects 
-
-3. Install CMake if required. We recommend CMake version 3.25. You can install CMake [here](https://cmake.org/download/)
-
-4. You also need to install go >= v1.16. If you don't have it installed already,
-download go from the [official website](https://golang.org/dl/) or use Homebrew. 
-The latest version is recommended. Install gomobile
 ```bash
-export PATH=$PATH:~/go/bin
-go install golang.org/x/mobile/cmd/gomobile@latest
-gomobile init
+git submodule update --init --recursive
 ```
 
-5. Build the project
+## Hacking guide
+
+Want to contribute? Welcome!
+
+### Build requirements
+
+* [`CMake`](https://cmake.org/download/)
+* Compiler and underlying build system, depending on the target:
+  - [Linux] Any of `make` and `gcc`
+  - [Apple] [`Xcode`](https://developer.apple.com/xcode/) or [`Xcode command line tools`](https://developer.apple.com/xcode/)
+  - [Windows] [`Visual Studio 2022`](https://aka.ms/vs/17/release/vs_community.exe) or [`VS 2022 Build Tools`](https://aka.ms/vs/17/release/vs_buildtools.exe)
+  - [Android] [`Android SDK`](#installing-android-sdk) and [`Ninja`](https://ninja-build.org/)
+* [`Qt 6.10+`](https://www.qt.io/download-open-source) with the following modules:
+  - Core module for targeting platform (Desktop/Android/iOS)
+  - Qt 5 Compatibility module
+  - Qt Remote Objects
+* [`Conan`](https://conan.io/downloads) package manager
+  - On MacOS is enough just to use `homebrew` or install it in `.venv` in project root
+  - Other systems must have it in `PATH`
+* (Optional) Installer dependencies:
+  - [Windows/Linux] [`Qt Installer Framework`](https://www.qt.io/download-open-source)
+  - [Windows] [`WIX toolset`](https://github.com/wixtoolset/wix/releases)
+
+### Building the project using scripts
+
+* Run scripts located in `deploy` directory
+* Basically, if dependencies are located in default installation paths, the scripts will find them automatically.
+* If they differ, specify them using the following variables:
+  - `QT_INSTALL_DIR` - Qt root installation folder
+  - `QT_ROOT_PATH`   - Qt framework root directory
+  - `QIF_ROOT_PATH`  - Qt Installer Framework root path
+  - `ANDROID_HOME`   - Path to Android SDK root folder
+  - and others. Check scripts for more
+
+Unix-like:
 ```bash
-export QT_BIN_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/ios/bin"
-export QT_MACOS_ROOT_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/macos"
-export QT_IOS_BIN=$QT_BIN_DIR
-export PATH=$PATH:~/go/bin
-mkdir build-ios
-$QT_IOS_BIN/qt-cmake . -B build-ios -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR
-```
-Replace PATH-TO-QT-FOLDER and QT-VERSION to your environment
+# Build executables for the host platform
+deploy/build.sh
 
+# Or just
+deploy/build.sh
 
-If you get `gomobile: command not found` make sure to set PATH to the location 
-of the bin folder where gomobile was installed. Usually, it's in `GOPATH`.
-```bash
-export PATH=$(PATH):/path/to/GOPATH/bin
+# Build executables and installers for the host platform
+deploy/build.sh --installer all
+
+# Build Android APK and AAB
+deploy/build.sh -t android --aab
+
+# Call for help
+deploy/build.sh -h
 ```
 
-6. Open the XCode project. You can then run /test/archive/ship the app.
+Windows:
+```batch
+:: Build executables for Windows
+deploy/build.bat
 
-If the build fails with the following error
-```
-make: *** 
-[$(PROJECTDIR)/client/build/AmneziaVPN.build/Debug-iphoneos/wireguard-go-bridge/goroot/.prepared] 
-Error 1
-```
-Add a user-defined variable to both AmneziaVPN and WireGuardNetworkExtension targets' build settings with
-key `PATH` and value `${PATH}/path/to/bin/folder/with/go/executable`, e.g. `${PATH}:/usr/local/go/bin`.
+:: Build executables with IFW installer for Windows
+deploy/build.bat --installer ifw
 
-if the above error persists on your M1 Mac, then most probably you need to install arch based CMake 
-```
-arch -arm64 brew install cmake
+:: Build executables with IFW and WIX installer for Windows
+deploy/build.bat --installer ifw --installer wix
+
+:: Or just
+deploy/build.bat --installer all
 ```
 
-Build might fail with the "source files not found" error the first time you try it, because the modern XCode build system compiles dependencies in parallel, and some dependencies end up being built after the ones that
-require them. In this case, simply restart the build.
+### Developing the project in IDEs
 
-## How to build the Android app
+* Basically, you can use any IDE that handles CMake and Qt kits properly to run configure and build steps, and to navigate through the code nicely. For example:
+  - `Qt Creator`
+  - `Visual Studio Code` with `Qt Extension Pack`
+  - and so on
 
-_Tested on Mac OS_
+* To use `Xcode`, you have to configure project first by using `cmake`. The easiest way to do it is to use `Qt Creator` for configuration. Then open `AmneziaVPN.xcodeproj` file from the build folder by using `Xcode`. Note that none of the files changed are saved - the files actually getting changed in build directory. Copy them manually if necessary
 
-The Android app has the following requirements:
-* JDK 11
-* Android platform SDK 33
-* CMake 3.25.0
+* `Android studio` could be used in the same way - just configure the project by using `cmake` manually or by using `Qt Creator`. Open `<build-dir>/client/android-build` in `Android studio` then. Do not forget to copy the changes - everything you do is saved under the build directory actually.
 
-After you have installed QT, QT Creator, and Android Studio, you need to configure QT Creator correctly.
+### Installing Android SDK
 
-- Click in the top menu bar on `QT Creator` -> `Preferences` -> `Devices` and select the tab `Android`.
-- Set path to JDK 11
-- Set path to Android SDK (`$ANDROID_HOME`)
-
-In case you get errors regarding missing SDK or 'SDK manager not running', you cannot fix them by correcting the paths. If you have some spare GBs on your disk, you can let QT Creator install all requirements by choosing an empty folder for `Android SDK location` and clicking on `Set Up SDK`. Be aware: This will install a second Android SDK and NDK on your machine! 
-Double-check that the right CMake version is configured:  Click on `QT Creator` -> `Preferences` and click on the side menu on `Kits`. Under the center content view's `Kits` tab, you'll find an entry for `CMake Tool`. If the default selected CMake version is lower than 3.25.0, install on your system CMake >= 3.25.0 and choose `System CMake at <path>` from the drop-down list. If this entry is missing, you either have not installed CMake yet or QT Creator hasn't found the path to it. In that case, click in the preferences window on the side menu item `CMake`, then on the tab `Tools` in the center content view, and finally on the button `Add` to set the path to your installed CMake. 
-Please make sure that you have selected Android Platform SDK 33 for your project: click in the main view's side menu on `Projects`, and on the left, you'll see a section `Build & Run` showing different Android build targets. You can select any of them, Amnezia VPN's project setup is designed in a way that all Android targets will be built. Click on the targets submenu item `Build` and scroll in the center content view to `Build Steps`. Click on `Details` at the end of the headline `Build Android APK` (the `Details` button might be hidden in case the QT Creator Window is not running in full screen!). Here we are: Choose `android-33` as `Android Build Platform SDK`.
-
-That's it! You should be ready to compile the project from QT Creator!
-
-### Development flow
-
-After you've hit the build button, QT-Creator copies the whole project to a folder in the repository parent directory. The folder should look something like `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>`.
-If you want to develop Amnezia VPNs Android components written in Kotlin, such as components using system APIs, you need to import the generated project in Android Studio with `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>/client/android-build` as the projects root directory. While you should be able to compile the generated project from Android Studio, you cannot work directly in the repository's Android project. So whenever you are confident with your work in the generated project, you'll need to copy and paste the affected files to the corresponding path in the repository's Android project so that you can add and commit your changes!
-
-You may face compiling issues in QT Creator after you've worked in Android Studio on the generated project. Just do a `./gradlew clean` in the generated project's root directory (`<path>/client/android-build/.`) and you should be good to go.
+* Android SDK could be installed using the following methods:
+  - Using `Qt Creator`. Use `Preferences`->`SDKs`
+  - Using `Android studio`. By default it installs necessary `SDKs` automatically during the installation
+  - Manually by using `sdk-manager`. Check [this](https://developer.android.com/tools) page for details
 
 ## License
 
-GPL v3.0
+This project is licensed under the GNU General Public License v3.0 (see LICENSE) and also includes third-party components distributed under their own terms (see THIRD_PARTY_LICENSES.md).
 
 ## Donate
 

README_RU.md

@@ -50,23 +50,14 @@ AmneziaVPN использует несколько проектов с откр
 
 - [OpenSSL](https://www.openssl.org/)
 - [OpenVPN](https://openvpn.net/)
-- [Shadowsocks](https://shadowsocks.org/)
 - [Qt](https://www.qt.io/)
 - [LibSsh](https://libssh.org)
+- [WireGuard](https://www.wireguard.com/)
+- [Xray-core](https://xtls.github.io/en/)
+- [Conan](https://conan.io/)
 - и другие...
 
-## Проверка исходного кода
-После клонирования репозитория обязательно загрузите все подмодули.
-
-```bash
-git submodule update --init --recursive
-```
-
-
-## Разработка
-Хотите внести свой вклад? Добро пожаловать!
-
-### Помощь с переводами
+## Помощь с переводами
 
 Загрузите самые актуальные файлы перевода.
 
@@ -76,90 +67,98 @@ git submodule update --init --recursive
 
 Переведите или исправьте строки в одном или нескольких файлах *.ts и загрузите их обратно в этот репозиторий в папку ``client/translations``. Это можно сделать через веб-интерфейс или любым другим знакомым вам способом.
 
-### Сборка исходного кода и деплой
-Проверьте папку deploy для скриптов сборки.
+## Проверка исходного кода
 
-### Как собрать iOS-приложение из исходного кода на MacOS
-1. Убедитесь, что у вас установлен Xcode версии 14 или выше.
-2. Для генерации проекта Xcode используется QT. Требуется версия QT 6.6.2. Установите QT для MacOS здесь или через QT Online Installer. Необходимые модули:
-- MacOS
-- iOS
-- Модуль совместимости с Qt 5
-- Qt Shader Tools
-- Дополнительные библиотеки:
- - Qt Image Formats
- - Qt Multimedia
- - Qt Remote Objects
-
-   
-3. Установите CMake, если это необходимо. Рекомендуемая версия — 3.25. Скачать CMake можно здесь.
-4. Установите Go версии >= v1.16. Если Go ещё не установлен, скачайте его с  [официального сайта](https://golang.org/dl/) или используйте Homebrew. Установите gomobile:
+После клонирования репозитория обязательно загрузите все подмодули.
 
 ```bash
-export PATH=$PATH:~/go/bin
-go install golang.org/x/mobile/cmd/gomobile@latest
-gomobile init
+git submodule update --init --recursive
 ```
 
-5. Соберите проект:
+## Руководство по разработке
+
+Хотите внести свой вклад? Добро пожаловать!
+
+### Требования для сборки
+
+* [`CMake`](https://cmake.org/download/)
+* Компилятор и система сборки, в зависимости от таргета:
+  - [Linux] Любые `make` и `gcc`
+  - [Apple] [`Xcode`](https://developer.apple.com/xcode/) или [`Xcode command line tools`](https://developer.apple.com/xcode/)
+  - [Windows] [`Visual Studio 2022`](https://aka.ms/vs/17/release/vs_community.exe) или [`VS 2022 Build Tools`](https://aka.ms/vs/17/release/vs_buildtools.exe)
+  - [Android] [`Android SDK`](#установка-android-sdk) и [`Ninja`](https://ninja-build.org/)
+* [`Qt 6.10+`](https://www.qt.io/download-open-source) со следующими модулями:
+  - Основные модули для таргета (Desktop/Android/iOS)
+  - Qt 5 Compatibility module
+  - Qt Remote Objects
+* Пакетный менеджер [`Conan`](https://conan.io/downloads)
+  - На MacOS достаточно использовать `homebrew` или установить в `.venv` в корень проекта 
+  - Для остальных систем необходимо прописать пути в `PATH`
+* (Необязательно) Заивисимости для установщиков:
+  - [Windows/Linux] [`Qt Installer Framework`](https://www.qt.io/download-open-source)
+  - [Windows] [`WIX toolset`](https://github.com/wixtoolset/wix/releases)
+
+### Сборка проекта через скрипты
+
+* Запустите скрипты, находящиеся в папке `deploy`
+* Если все зависимости установлены в стандартных локациях, скрипт найдёт их самостоятельно
+* Если пути отличаются, их нужно явно указать используя:
+  - `QT_INSTALL_DIR` - корневая папка установки Qt
+  - `QT_ROOT_PATH`   - корневая папка Qt Framework
+  - `QIF_ROOT_PATH`  - корневая папка Qt Installer Framework
+  - `ANDROID_HOME`   - путь к Android SDK
+  - и другие. Их можно получить из вышеуказанных скриптов
+
+Unix-like:
 ```bash
-export QT_BIN_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/ios/bin"
-export QT_MACOS_ROOT_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/macos"
-export QT_IOS_BIN=$QT_BIN_DIR
-export PATH=$PATH:~/go/bin
-mkdir build-ios
-$QT_IOS_BIN/qt-cmake . -B build-ios -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR
-```
-Замените <PATH-TO-QT-FOLDER> и <QT-VERSION> на ваши значения.
+# Build executables for the host platform
+deploy/build.sh
 
-Если появляется ошибка gomobile: command not found, убедитесь, что PATH настроен на папку bin, где установлен gomobile:
-```bash
-export PATH=$(PATH):/path/to/GOPATH/bin
+# Or just
+deploy/build.sh
+
+# Build executables and installers for the host platform
+deploy/build.sh --installer all
+
+# Build Android APK and AAB
+deploy/build.sh -t android --aab
+
+# Call for help
+deploy/build.sh -h
 ```
 
-6. Откройте проект в Xcode. Теперь вы можете тестировать, архивировать или публиковать приложение.
-   
-Если сборка завершится с ошибкой:
-```
-make: *** 
-[$(PROJECTDIR)/client/build/AmneziaVPN.build/Debug-iphoneos/wireguard-go-bridge/goroot/.prepared] 
-Error 1
-```
-Добавьте пользовательскую переменную PATH в настройки сборки для целей AmneziaVPN и WireGuardNetworkExtension с ключом `PATH` и значением `${PATH}/path/to/bin/folder/with/go/executable`, e.g. `${PATH}:/usr/local/go/bin`.
+Windows:
+```batch
+:: Build executables for Windows
+deploy/build.bat
 
-Если ошибка повторяется на Mac с M1, установите версию CMake для архитектуры ARM:
-```
-arch -arm64 brew install cmake
+:: Build executables with IFW installer for Windows
+deploy/build.bat --installer ifw
+
+:: Build executables with IFW and WIX installer for Windows
+deploy/build.bat --installer ifw --installer wix
+
+:: Or just
+deploy/build.bat --installer all
 ```
 
- При первой попытке сборка может завершиться с ошибкой source files not found. Это происходит из-за параллельной компиляции зависимостей в XCode. Просто перезапустите сборку.
+### Разработка в IDE
 
+* Можно использовать любые IDE которые умеют работать с CMake и находить Qt Kits. Например:
+  - `Qt Creator`
+  - `Visual Studio Code` with `Qt Extension Pack`
+  - и так далее
 
-## Как собрать Android-приложение
-Сборка тестировалась на MacOS. Требования:
-- JDK 11
-- Android SDK 33
-- CMake 3.25.0
-  
-Установите QT, QT Creator и Android Studio.
-Настройте QT Creator:
+* Для использования `Xcode` нужно сконфигурировать проект с помощью `cmake`. Самый простой способ это сделать - использовать `Qt Creator` для конфигурации. Затем, нужно открыть файл `AmneziaVPN.xcodeproj` из папки сборки с помощью `Xcode`. Учтите, что никакие файлы фактически не сохраняются - они сохраняются в директории сборки. Если требуется, скопируйте файлы вручную
 
-- В меню QT Creator перейдите в  `QT Creator` -> `Preferences` -> `Devices` ->`Android`.
-- Укажите путь к JDK 11.
-- Укажите путь к Android SDK (`$ANDROID_HOME`)
+* `Android studio` может быть использована подобным вышеуказанному способу - нужно использовать `cmake` вручную или через `Qt Creator` для конфигурации. Далее, откройте `<build-dir>/client/android-build` в `Android studio`. Не забудьте скопировать изменённые файлы в папку с исходным кодом - все файлы, изменённые в IDE, сохраняются фактически в папке сборки.
 
-Если вы сталкиваетесь с ошибками, связанными с отсутствием SDK или сообщением «SDK manager not running», их нельзя исправить просто корректировкой путей. Если у вас есть несколько свободных гигабайт на диске, вы можете позволить Qt Creator установить все необходимые компоненты, выбрав пустую папку для расположения Android SDK и нажав кнопку **Set Up SDK**. Учтите: это установит второй Android SDK и NDK на вашем компьютере!
-
-Убедитесь, что настроена правильная версия CMake: перейдите в **Qt Creator -> Preferences** и в боковом меню выберите пункт **Kits**. В центральной части окна, на вкладке **Kits**, найдите запись для инструмента **CMake Tool**. Если выбранная по умолчанию версия CMake ниже 3.25.0, установите на свою систему CMake версии 3.25.0 или выше, а затем выберите опцию **System CMake at <путь>** из выпадающего списка. Если этот пункт отсутствует, это может означать, что вы еще не установили CMake, или Qt Creator не смог найти путь к нему. В таком случае в окне **Preferences** перейдите в боковое меню **CMake**, затем во вкладку **Tools** в центральной части окна и нажмите кнопку **Add**, чтобы указать путь к установленному CMake.
-
-Убедитесь, что для вашего проекта выбрана Android Platform SDK 33: в главном окне на боковой панели выберите пункт **Projects**, и слева вы увидите раздел **Build & Run**, показывающий различные целевые Android-платформы. Вы можете выбрать любую из них, так как настройка проекта Amnezia VPN разработана таким образом, чтобы все Android-цели могли быть собраны. Перейдите в подраздел **Build** и прокрутите центральную часть окна до раздела **Build Steps**. Нажмите **Details** в заголовке **Build Android APK** (кнопка **Details** может быть скрыта, если окно Qt Creator не запущено в полноэкранном режиме!). Вот здесь выберите **android-33** в качестве Android Build Platform SDK.
-
-### Разработка Android-компонентов
-
-После сборки QT Creator копирует проект в отдельную папку, например, `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>`. Для разработки Android-компонентов откройте сгенерированный проект в Android Studio, указав папку `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>/client/android-build` в качестве корневой.
-Изменения в сгенерированном проекте нужно вручную перенести в репозиторий. После этого можно коммитить изменения.
-Если возникают проблемы со сборкой в QT Creator после работы в Android Studio, выполните команду `./gradlew clean` в корневой папке сгенерированного проекта (`<path>/client/android-build/.`).
+### Установка Android SDK
 
+* Android SDK может быть установлен следующими способами:
+  - Используя `Qt Creator`, через настройки в пунктах `Preferences`->`SDKs`
+  - Используя `Android studio`. По умолчанию необходимые `SDK` устанавливаются автоматически.
+  - Вручную, используя `sdk-manager`. Подробности можно найти [здесь](https://developer.android.com/tools)
 
 ## Лицензия
 

THIRD_PARTY_LICENSES.md

@@ -0,0 +1,149 @@
+# Third-Party Licenses
+
+This project is licensed under the GNU General Public License v3.0.
+This file lists third-party software components used by this repository.
+Each component is distributed under its own license as linked below.
+
+---
+
+## QtKeychain
+
+- Source: https://github.com/frankosterfeld/qtkeychain
+- License: BSD License
+- License Text: https://www.gnu.org/licenses/license-list.html#ModifiedBSD
+
+---
+
+## QSimpleCrypto
+
+- Source: https://github.com/n1flh31mur/QSimpleCrypto
+- License: Apache License 2.0
+- License Text: https://github.com/n1flh31mur/QSimpleCrypto/blob/master/LICENSE
+
+---
+
+## SortFilterProxyModel
+
+- Source: https://github.com/oKcerG/SortFilterProxyModel
+- License: MIT License
+- License Text: https://github.com/oKcerG/SortFilterProxyModel/blob/master/LICENSE
+
+---
+
+## QJsonStruct
+
+- Source: https://github.com/Qv2ray/QJsonStruct
+- License: MIT License
+- License Text: https://github.com/Qv2ray/QJsonStruct/blob/master/LICENSE
+
+---
+
+## QR Code Generator (qrcodegen)
+
+- Source: https://github.com/nayuki/QR-Code-generator
+- License: MIT License
+- License Text: https://www.nayuki.io/page/qr-code-generator-library
+
+---
+
+## Qt Gamepad
+
+- Source: https://github.com/qt/qtgamepad
+- License: GNU General Public License v3.0 (GPL-3.0)
+- License Text: https://www.gnu.org/licenses/gpl-3.0.en.html
+
+---
+
+## AmneziaWG Apple (WireGuard)
+
+- Source: https://github.com/amnezia-vpn/amneziawg-apple
+- License: MIT License
+- License Text: https://github.com/amnezia-vpn/amneziawg-apple/blob/master/COPYING
+
+---
+
+## AmneziaWG Android
+
+- Source: https://github.com/amnezia-vpn/amneziawg-go
+- License: MIT License
+- License Text: https://github.com/amnezia-vpn/amneziawg-go/blob/master/LICENSE
+
+---
+
+## Xray Core
+
+- Source: https://github.com/XTLS/Xray-core
+- License: Mozilla Public License 2.0 (MPL-2.0)
+- License Text: https://github.com/XTLS/Xray-core/blob/main/LICENSE
+
+---
+
+## Cloak
+
+- Source: https://github.com/cbeuw/Cloak
+- License: GNU General Public License v3.0 (GPL-3.0)
+- License Text: https://github.com/cbeuw/Cloak/blob/master/LICENSE
+
+---
+
+## Shadowsocks
+
+- Source: https://github.com/shadowsocks/shadowsocks-libev
+- License: GPL-3.0-or-later
+- License Text: http://www.gnu.org/licenses/
+
+---
+
+## OpenSSL
+
+- Source: https://github.com/openssl/openssl
+- License: Apache License 2.0
+- License Text: https://www.openssl.org/source/license.html
+
+---
+
+## libssh
+
+- Source: https://www.libssh.org/
+- License: GNU Lesser General Public License (LGPL)
+- License Text: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
+
+---
+
+## OpenVPNAdapter
+
+- Source: https://github.com/ss-abramchuk/OpenVPNAdapter
+- License: GNU Affero General Public License v3.0 (AGPL-3.0)
+- License Text: https://github.com/ss-abramchuk/OpenVPNAdapter/blob/master/LICENSE
+
+---
+
+## Wintun
+
+- Source: https://www.wintun.net/
+- License: Prebuilt Binaries License
+- License Text: https://github.com/WireGuard/wintun/blob/master/prebuilt-binaries-license.txt
+
+---
+
+## Mullvad Split Tunnel Driver
+
+- Source: https://github.com/mullvad/win-split-tunnel
+- License: GNU General Public License v3.0 (GPL-3.0) and Mozilla Public License Version 2.0
+- License Text: https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-GPL.md https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-MPL.txt
+
+---
+
+## tun2socks
+
+- Source: https://github.com/eycorsican/go-tun2socks
+- License: MIT License
+- License Text: https://github.com/eycorsican/go-tun2socks/blob/master/LICENSE
+
+---
+
+## TAP-Windows Driver
+
+- Source: https://github.com/OpenVPN/tap-windows6
+- License: tap-windows6 license
+- License Text: https://github.com/OpenVPN/tap-windows6/blob/master/COPYING

client/CMakeLists.txt

@@ -25,6 +25,7 @@ add_definitions(-DGIT_COMMIT_HASH="${GIT_COMMIT_HASH}")
 
 add_definitions(-DPROD_AGW_PUBLIC_KEY="$ENV{PROD_AGW_PUBLIC_KEY}")
 add_definitions(-DPROD_S3_ENDPOINT="$ENV{PROD_S3_ENDPOINT}")
+add_definitions(-DFALLBACK_S3_ENDPOINT="$ENV{FALLBACK_S3_ENDPOINT}")
 
 add_definitions(-DDEV_AGW_PUBLIC_KEY="$ENV{DEV_AGW_PUBLIC_KEY}")
 add_definitions(-DDEV_AGW_ENDPOINT="$ENV{DEV_AGW_ENDPOINT}")
@@ -56,17 +57,20 @@ target_include_directories(${PROJECT} PUBLIC
     $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>
 )
 
-if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
     qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_interface.rep)
     qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_process_interface.rep)
-    qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_process_tun2socks.rep)
 endif()
 
-qt6_add_resources(QRC ${QRC} ${CMAKE_CURRENT_LIST_DIR}/resources.qrc)
+qt6_add_resources(QRC ${QRC}
+    ${CMAKE_CURRENT_LIST_DIR}/images/images.qrc
+    ${CMAKE_CURRENT_LIST_DIR}/images/flagKit.qrc
+    ${CMAKE_CURRENT_LIST_DIR}/client_scripts/clientScripts.qrc
+    ${CMAKE_CURRENT_LIST_DIR}/ui/qml/qml.qrc
+    ${CMAKE_CURRENT_LIST_DIR}/server_scripts/serverScripts.qrc
+)
 
 # -- i18n begin
-set(CMAKE_AUTORCC ON)
-
 set(AMNEZIAVPN_TS_FILES
     ${CMAKE_CURRENT_LIST_DIR}/translations/amneziavpn_ru_RU.ts
     ${CMAKE_CURRENT_LIST_DIR}/translations/amneziavpn_zh_CN.ts
@@ -78,19 +82,10 @@ set(AMNEZIAVPN_TS_FILES
     ${CMAKE_CURRENT_LIST_DIR}/translations/amneziavpn_hi_IN.ts
 )
 
-file(GLOB_RECURSE AMNEZIAVPN_TS_SOURCES *.qrc *.cpp *.h *.ui)
-
-qt_create_translation(AMNEZIAVPN_QM_FILES ${AMNEZIAVPN_TS_SOURCES} ${AMNEZIAVPN_TS_FILES})
-
-set(QM_FILE_LIST "")
-foreach(FILE ${AMNEZIAVPN_QM_FILES})
-    get_filename_component(QM_FILE_NAME ${FILE} NAME)
-    list(APPEND QM_FILE_LIST "<file>${QM_FILE_NAME}</file>")
-endforeach()
-string(REPLACE ";" "" QM_FILE_LIST ${QM_FILE_LIST})
-
-configure_file(${CMAKE_CURRENT_LIST_DIR}/translations/translations.qrc.in ${CMAKE_CURRENT_BINARY_DIR}/translations.qrc)
-qt6_add_resources(QRC ${I18NQRC} ${CMAKE_CURRENT_BINARY_DIR}/translations.qrc)
+qt6_add_translations(${PROJECT}
+    TS_FILES ${AMNEZIAVPN_TS_FILES}
+    RESOURCE_PREFIX "/translations"
+)
 # -- i18n end
 
 set(IS_CI ${CI})
@@ -169,6 +164,10 @@ if(APPLE)
     set(CMAKE_XCODE_GENERATE_SCHEME FALSE)
     set(CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM ${BUILD_VPN_DEVELOPMENT_TEAM})
     set(CMAKE_XCODE_ATTRIBUTE_GROUP_ID_IOS ${BUILD_IOS_GROUP_IDENTIFIER})
+    
+    if (BUILD_VPN_KEYCHAIN)
+        set(CMAKE_XCODE_ATTRIBUTE_OTHER_CODE_SIGN_FLAGS "--keychain ${BUILD_VPN_KEYCHAIN}")
+    endif()
 endif()
 
 if(LINUX AND NOT ANDROID)
@@ -194,38 +193,71 @@ elseif(APPLE)
     include(cmake/macos.cmake)
 endif()
 
+if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
+    add_subdirectory(tests)
+endif()
+
+list(APPEND SOURCES ${CMAKE_CURRENT_LIST_DIR}/main.cpp)
+
 target_link_libraries(${PROJECT} PRIVATE ${LIBS})
 target_compile_definitions(${PROJECT} PRIVATE "MZ_$<UPPER_CASE:${MZ_PLATFORM_NAME}>")
 
-# deploy artifacts required to run the application to the debug build folder
-if(WIN32)
-    if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
-        set(DEPLOY_PLATFORM_PATH "windows/x64")
-    else()
-        set(DEPLOY_PLATFORM_PATH "windows/x32")
-    endif()
-elseif(LINUX)
-    set(DEPLOY_PLATFORM_PATH "linux/client")
-elseif(APPLE AND NOT IOS)
-    set(DEPLOY_PLATFORM_PATH "macos")
-endif()
-
-if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
-    add_custom_command(
-        TARGET ${PROJECT} POST_BUILD
-        COMMAND ${CMAKE_COMMAND} -E $<IF:$<CONFIG:Debug>,copy_directory,true>
-        ${CMAKE_SOURCE_DIR}/deploy/data/${DEPLOY_PLATFORM_PATH}
-        $<TARGET_FILE_DIR:${PROJECT}>
-        COMMAND_EXPAND_LISTS
-    )
-    add_custom_command(
-        TARGET ${PROJECT} POST_BUILD
-        COMMAND ${CMAKE_COMMAND} -E $<IF:$<CONFIG:Debug>,copy_directory,true>
-        ${CMAKE_SOURCE_DIR}/client/3rd-prebuilt/deploy-prebuilt/${DEPLOY_PLATFORM_PATH}
-        $<TARGET_FILE_DIR:${PROJECT}>
-        COMMAND_EXPAND_LISTS
-    )
-endif()
-
 target_sources(${PROJECT} PRIVATE ${SOURCES} ${HEADERS} ${RESOURCES} ${QRC} ${I18NQRC})
-qt_finalize_target(${PROJECT})
+
+# Finalize the executable so Qt can gather/deploy QML modules and plugins correctly (Android needs this).
+if(COMMAND qt_import_qml_plugins)
+    qt_import_qml_plugins(${PROJECT})
+endif()
+if(COMMAND qt_finalize_executable)
+    qt_finalize_executable(${PROJECT})
+else()
+    qt_finalize_target(${PROJECT})
+endif()
+
+install(TARGETS ${PROJECT}
+    DESTINATION ${CMAKE_INSTALL_BINDIR}
+    COMPONENT AmneziaVPN
+)
+install(FILES $<TARGET_RUNTIME_DLLS:${PROJECT}>
+    DESTINATION ${CMAKE_INSTALL_BINDIR}
+    COMPONENT AmneziaVPN
+)
+
+set(deploy_tool_options "")
+if(WIN32)
+    set(deploy_tool_options "--force-openssl --force")
+endif()
+
+qt_generate_deploy_qml_app_script(
+    TARGET ${PROJECT}
+    OUTPUT_SCRIPT QT_DEPLOY_SCRIPT
+    NO_UNSUPPORTED_PLATFORM_ERROR
+    DEPLOY_TOOL_OPTIONS ${deploy_tool_options}
+)
+install(SCRIPT ${QT_DEPLOY_SCRIPT}
+    COMPONENT AmneziaVPN
+)
+
+if (APPLE AND NOT IOS AND NOT MACOS_NE)
+    list(APPEND OVPN_SCRIPTS "${CMAKE_SOURCE_DIR}/deploy/data/macos/update-resolv-conf.sh")
+endif()
+if (LINUX AND NOT ANDROID)
+    list(APPEND OVPN_SCRIPTS "${CMAKE_SOURCE_DIR}/deploy/data/linux/update-resolv-conf.sh")
+endif()
+
+if(OVPN_SCRIPTS)
+    add_custom_command(TARGET ${PROJECT} POST_BUILD
+        COMMAND ${CMAKE_COMMAND} -E copy_if_different
+        ${OVPN_SCRIPTS}
+        "$<TARGET_FILE_DIR:${PROJECT}>"
+    )
+
+    install(FILES ${OVPN_SCRIPTS}
+        DESTINATION ${CMAKE_INSTALL_BINDIR}
+        COMPONENT AmneziaVPN
+        PERMISSIONS
+            OWNER_READ OWNER_EXECUTE
+            GROUP_READ GROUP_EXECUTE
+            WORLD_READ WORLD_EXECUTE
+    )
+endif()

client/amneziaApplication.cpp

@@ -1,4 +1,4 @@
-#include "amnezia_application.h"
+#include "amneziaApplication.h"
 
 #include <QClipboard>
 #include <QFontDatabase>
@@ -13,22 +13,29 @@
 #include <QTimer>
 #include <QTranslator>
 #include <QEvent>
+#include <QDir>
+#include <QSettings>
+#include <QtQuick/QQuickWindow>  
+#include <QWindow>     
 
+#include "core/protocols/qmlRegisterProtocols.h"
 #include "logger.h"
-#include "ui/controllers/pageController.h"
+#include "ui/controllers/qml/pageController.h"
 #include "ui/models/installedAppsModel.h"
 #include "version.h"
 
 #include "platforms/ios/QRCodeReaderBase.h"
+         
 
-#include "protocols/qml_register_protocols.h"
-#include <QtQuick/QQuickWindow>  // for QQuickWindow
-#include <QWindow>              // for qobject_cast<QWindow*>
+bool AmneziaApplication::m_forceQuit = false;
 
 AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_CLASS(argc, argv),
       m_optAutostart({QStringLiteral("a"), QStringLiteral("autostart")}, QStringLiteral("System autostart")),
-      m_optCleanup  ({QStringLiteral("c"), QStringLiteral("cleanup")}, QStringLiteral("Cleanup logs"))
+      m_optCleanup  ({QStringLiteral("c"), QStringLiteral("cleanup")}, QStringLiteral("Cleanup logs")),
+      m_optConnect  ({QStringLiteral("connect")}, QStringLiteral("Connect to server by index on startup"), QStringLiteral("index")),
+      m_optImport   ({QStringLiteral("import")}, QStringLiteral("Import configuration from data string"), QStringLiteral("data"))
 {
+    setDesktopFileName(QStringLiteral(APPLICATION_NAME));
     setQuitOnLastWindowClosed(false);
 
     // Fix config file permissions
@@ -47,20 +54,46 @@ AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_C
     QFile::setPermissions(configLoc2, QFileDevice::ReadOwner | QFileDevice::WriteOwner);
 #endif
 
-    m_settings = std::shared_ptr<Settings>(new Settings);
+    m_settings = new SecureQSettings(ORGANIZATION_NAME, APPLICATION_NAME, this);
     m_nam = new QNetworkAccessManager(this);
 }
 
 AmneziaApplication::~AmneziaApplication()
 {
+#ifdef AMNEZIA_DESKTOP
+    if (m_vpnConnection && m_vpnConnectionThread.isRunning()) {
+        QMetaObject::invokeMethod(m_vpnConnection.get(), "disconnectSlots", Qt::BlockingQueuedConnection);
+        
+        QMetaObject::invokeMethod(m_vpnConnection.get(), "disconnectFromVpn", Qt::BlockingQueuedConnection);
+    }
+#endif
+
+    m_vpnConnectionThread.requestInterruption();
     m_vpnConnectionThread.quit();
 
+    if (!m_vpnConnectionThread.wait(3000)) {
+        m_vpnConnectionThread.terminate();
+        m_vpnConnectionThread.wait(500);
+    }
+
     if (m_engine) {
-        QObject::disconnect(m_engine, 0, 0, 0);
         delete m_engine;
     }
 }
 
+#ifdef Q_OS_ANDROID
+namespace {
+    static void clearQtCaches()
+    {
+        const QString cacheRoot = QStandardPaths::writableLocation(QStandardPaths::CacheLocation);
+        if (!cacheRoot.isEmpty()) {
+            QDir(cacheRoot + "/QtShaderCache").removeRecursively();
+            QDir(cacheRoot + "/qmlcache").removeRecursively();
+        }
+    }
+}
+#endif
+
 void AmneziaApplication::init()
 {
     m_engine = new QQmlApplicationEngine;
@@ -76,6 +109,16 @@ void AmneziaApplication::init()
             // install filter on main window
             if (auto win = qobject_cast<QQuickWindow*>(obj)) {
                 win->installEventFilter(this);
+#ifdef Q_OS_ANDROID
+                QObject::connect(win, &QQuickWindow::sceneGraphError,
+                    [](QQuickWindow::SceneGraphError, const QString &msg) {
+                        qWarning() << "Scene graph error (suppressed):" << msg;
+                    });
+                // Keep graphics context alive across hide/show cycles to avoid
+                // eglSwapBuffers/makeCurrent being called on a context Android has reclaimed.
+                win->setPersistentSceneGraph(true);
+                win->setPersistentGraphics(true);
+#endif
                 win->show();
             }
         },
@@ -89,27 +132,27 @@ void AmneziaApplication::init()
     m_engine->rootContext()->setContextProperty("IsMacOsNeBuild", false);
 #endif
 
-    m_vpnConnection.reset(new VpnConnection(m_settings));
+    m_vpnConnection.reset(new VpnConnection(nullptr, nullptr));
     m_vpnConnection->moveToThread(&m_vpnConnectionThread);
     m_vpnConnectionThread.start();
 
     m_coreController.reset(new CoreController(m_vpnConnection, m_settings, m_engine));
 
     m_engine->addImportPath("qrc:/ui/qml/Modules/");
+
+    if (m_parser.isSet(m_optImport)) {
+        const QString data = m_parser.value(m_optImport);
+        if (!data.isEmpty()) {
+            if (m_coreController) {
+                m_coreController->importConfigFromData(data);
+            }
+        }
+    }
+
     m_engine->load(url);
 
     m_coreController->setQmlRoot();
 
-    bool enabled = m_settings->isSaveLogs();
-#ifndef Q_OS_ANDROID
-    if (enabled) {
-        if (!Logger::init(false)) {
-            qWarning() << "Initialization of debug subsystem failed";
-        }
-    }
-#endif
-    Logger::setServiceLogsEnabled(enabled);
-
 #ifdef Q_OS_WIN //TODO
     if (m_parser.isSet(m_optAutostart))
         m_coreController->pageController()->showOnStartup();
@@ -135,6 +178,18 @@ void AmneziaApplication::init()
         }
     });
 #endif
+
+    if (m_parser.isSet(m_optConnect)) {
+        bool ok = false;
+        int idx = m_parser.value(m_optConnect).toInt(&ok);
+        if (ok) {
+            QTimer::singleShot(0, this, [this, idx]() {
+                if (m_coreController) {
+                    m_coreController->openConnectionByIndex(idx);
+                }
+            });
+        }
+    }
 }
 
 void AmneziaApplication::registerTypes()
@@ -142,13 +197,11 @@ void AmneziaApplication::registerTypes()
     qRegisterMetaType<ServerCredentials>("ServerCredentials");
 
     qRegisterMetaType<DockerContainer>("DockerContainer");
+    using namespace amnezia::ProtocolEnumNS;
     qRegisterMetaType<TransportProto>("TransportProto");
     qRegisterMetaType<Proto>("Proto");
     qRegisterMetaType<ServiceType>("ServiceType");
 
-    declareQmlProtocolEnum();
-    declareQmlContainerEnum();
-
     qmlRegisterType<QRCodeReader>("QRCodeReader", 1, 0, "QRCodeReader");
 
     m_containerProps.reset(new ContainerProps());
@@ -162,6 +215,7 @@ void AmneziaApplication::registerTypes()
 
     qmlRegisterType<InstalledAppsModel>("InstalledAppsModel", 1, 0, "InstalledAppsModel");
 
+    amnezia::declareQmlProtocolEnum();
     Vpn::declareQmlVpnConnectionStateEnum();
     PageLoader::declareQmlPageEnum();
 }
@@ -181,6 +235,8 @@ bool AmneziaApplication::parseCommands()
 
     m_parser.addOption(m_optAutostart);
     m_parser.addOption(m_optCleanup);
+    m_parser.addOption(m_optConnect);
+    m_parser.addOption(m_optImport);
     
     m_parser.process(*this);
 
@@ -217,8 +273,12 @@ bool AmneziaApplication::eventFilter(QObject *watched, QEvent *event)
 #if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
         quit();
 #else
-        if (m_coreController && m_coreController->pageController()) {
-            m_coreController->pageController()->hideMainWindow();
+        if (m_forceQuit) {
+            quit();
+        } else {
+            if (m_coreController && m_coreController->pageController()) {
+                m_coreController->pageController()->hideMainWindow();
+            }
         }
 #endif
         return true; // eat the close
@@ -227,6 +287,12 @@ bool AmneziaApplication::eventFilter(QObject *watched, QEvent *event)
     return QObject::eventFilter(watched, event);
 }
 
+void AmneziaApplication::forceQuit()
+{
+    m_forceQuit = true;
+    quit();
+}
+
 QQmlApplicationEngine *AmneziaApplication::qmlEngine() const
 {
     return m_engine;

client/amneziaApplication.h

@@ -14,8 +14,10 @@
 #include <QClipboard>
 
 #include "core/controllers/coreController.h"
-#include "settings.h"
-#include "vpnconnection.h"
+#include "secureQSettings.h"
+#include "vpnConnection.h"
+#include "ui/models/containerProps.h"
+#include "ui/models/protocolProps.h"
 
 #define amnApp (static_cast<AmneziaApplication *>(QCoreApplication::instance()))
 
@@ -45,9 +47,13 @@ public:
     QNetworkAccessManager *networkManager();
     QClipboard *getClipboard();
 
+public slots:
+    void forceQuit();
+
 private:
+    static bool m_forceQuit;
     QQmlApplicationEngine *m_engine {};
-    std::shared_ptr<Settings> m_settings;
+    SecureQSettings* m_settings;
 
     QScopedPointer<CoreController> m_coreController;
 
@@ -58,6 +64,8 @@ private:
 
     QCommandLineOption m_optAutostart;
     QCommandLineOption m_optCleanup;
+    QCommandLineOption m_optConnect;
+    QCommandLineOption m_optImport;
 
     QSharedPointer<VpnConnection> m_vpnConnection;
     QThread m_vpnConnectionThread;

client/android/build.gradle.kts

@@ -39,6 +39,7 @@ android {
 
         // keeps language resources for only the locales specified below
         resourceConfigurations += listOf("en", "ru", "b+zh+Hans")
+        ndk.abiFilters += qtTargetAbiList.split(",")
     }
 
     sourceSets {
@@ -52,50 +53,12 @@ android {
         }
     }
 
-    signingConfigs {
-        register("release") {
-            storeFile = providers.environmentVariable("ANDROID_KEYSTORE_PATH").orNull?.let { file(it) }
-            storePassword = providers.environmentVariable("ANDROID_KEYSTORE_KEY_PASS").orNull
-            keyAlias = providers.environmentVariable("ANDROID_KEYSTORE_KEY_ALIAS").orNull
-            keyPassword = providers.environmentVariable("ANDROID_KEYSTORE_KEY_PASS").orNull
-        }
-    }
-
     buildTypes {
         release {
             // exclude coroutine debug resource from release build
             packaging {
                 resources.excludes += "DebugProbesKt.bin"
             }
-            signingConfig = signingConfigs["release"]
-        }
-
-        create("fdroid") {
-            initWith(getByName("release"))
-            signingConfig = null
-            matchingFallbacks += "release"
-        }
-    }
-
-    splits {
-        abi {
-            isEnable = true
-            reset()
-            include(*qtTargetAbiList.split(',').toTypedArray())
-            isUniversalApk = false
-        }
-    }
-
-    // fix for Qt Creator to allow deploying the application to a device
-    // to enable this fix, add the line outputBaseName=android-build to local.properties
-    if (outputBaseName.isNotEmpty()) {
-        applicationVariants.all {
-            outputs.map { it as BaseVariantOutputImpl }
-                .forEach { output ->
-                    if (output.outputFileName.endsWith(".apk")) {
-                        output.outputFileName = "$outputBaseName-${buildType.name}.apk"
-                    }
-                }
         }
     }
 
@@ -111,7 +74,6 @@ dependencies {
     implementation(project(":wireguard"))
     implementation(project(":awg"))
     implementation(project(":openvpn"))
-    implementation(project(":cloak"))
     implementation(project(":xray"))
     implementation(libs.androidx.core)
     implementation(libs.androidx.activity)

client/android/cloak/build.gradle.kts

@@ -1,18 +0,0 @@
-plugins {
-    id(libs.plugins.android.library.get().pluginId)
-    id(libs.plugins.kotlin.android.get().pluginId)
-}
-
-kotlin {
-    jvmToolchain(17)
-}
-
-android {
-    namespace = "org.amnezia.vpn.protocol.cloak"
-}
-
-dependencies {
-    compileOnly(project(":utils"))
-    compileOnly(project(":protocolApi"))
-    implementation(project(":openvpn"))
-}

client/android/cloak/src/main/kotlin/Cloak.kt

@@ -1,45 +0,0 @@
-package org.amnezia.vpn.protocol.cloak
-
-import android.util.Base64
-import net.openvpn.ovpn3.ClientAPI_Config
-import org.amnezia.vpn.protocol.openvpn.OpenVpn
-import org.amnezia.vpn.util.LibraryLoader.loadSharedLibrary
-import org.json.JSONObject
-
-class Cloak : OpenVpn() {
-
-    override fun internalInit() {
-        super.internalInit()
-        if (!isInitialized) loadSharedLibrary(context, "ck-ovpn-plugin")
-    }
-
-    override fun parseConfig(config: JSONObject): ClientAPI_Config {
-        val openVpnConfig = ClientAPI_Config()
-
-        val openVpnConfigStr = config.getJSONObject("openvpn_config_data").getString("config")
-        val cloakConfigJson = checkCloakJson(config.getJSONObject("cloak_config_data"))
-        val cloakConfigStr = Base64.encodeToString(cloakConfigJson.toString().toByteArray(), Base64.DEFAULT)
-
-        val configStr = "$openVpnConfigStr\n<cloak>\n$cloakConfigStr\n</cloak>\n"
-
-        openVpnConfig.usePluggableTransports = true
-        openVpnConfig.content = configStr
-        return openVpnConfig
-    }
-
-    private fun checkCloakJson(cloakConfigJson: JSONObject): JSONObject {
-        cloakConfigJson.put("NumConn", 1)
-        cloakConfigJson.put("ProxyMethod", "openvpn")
-        if (cloakConfigJson.has("port")) {
-            val port = cloakConfigJson["port"]
-            cloakConfigJson.remove("port")
-            cloakConfigJson.put("RemotePort", port)
-        }
-        if (cloakConfigJson.has("remote")) {
-            val remote = cloakConfigJson["remote"]
-            cloakConfigJson.remove("remote")
-            cloakConfigJson.put("RemoteHost", remote)
-        }
-        return cloakConfigJson
-    }
-}

client/android/gradle/libs.versions.toml

@@ -1,11 +1,11 @@
 [versions]
-agp = "8.5.2"
+agp = "8.6.1"
 kotlin = "1.9.24"
 androidx-core = "1.13.1"
 androidx-activity = "1.9.1"
 androidx-annotation = "1.8.2"
 androidx-biometric = "1.2.0-alpha05"
-androidx-camera = "1.3.4"
+androidx-camera = "1.5.3"
 androidx-fragment = "1.8.2"
 androidx-security-crypto = "1.1.0-alpha06"
 androidx-datastore = "1.1.1"

client/android/openvpn/src/main/kotlin/org/amnezia/vpn/protocol/openvpn/OpenVpn.kt

@@ -93,7 +93,7 @@ open class OpenVpn : Protocol() {
         openVpnClient = null
     }
 
-    override fun reconnectVpn(vpnBuilder: Builder) {
+    override fun reconnectVpn(vpnBuilder: Builder, protect: (Int) -> Boolean) {
         openVpnClient?.let {
             it.establish = makeEstablish(vpnBuilder)
             it.reconnect(0)

client/android/protocolApi/src/main/kotlin/Protocol.kt

@@ -42,7 +42,7 @@ abstract class Protocol {
 
     abstract fun stopVpn()
 
-    abstract fun reconnectVpn(vpnBuilder: Builder)
+    abstract fun reconnectVpn(vpnBuilder: Builder, protect: (Int) -> Boolean)
 
     protected fun ProtocolConfig.Builder.configSplitTunneling(config: JSONObject) {
         if (!allowSplitTunneling) {

client/android/settings.gradle.kts

@@ -26,7 +26,6 @@ plugins {
     id("settings-property-delegate")
 }
 
-rootProject.name = "AmneziaVPN"
 rootProject.buildFileName = "build.gradle.kts"
 
 include(":qt")
@@ -35,7 +34,6 @@ include(":protocolApi")
 include(":wireguard")
 include(":awg")
 include(":openvpn")
-include(":cloak")
 include(":xray")
 include(":xray:libXray")
 
@@ -48,15 +46,7 @@ val qtMinSdkVersion: String by gradleProperties
 // set default values for all modules
 configure<SettingsExtension> {
     buildToolsVersion = androidBuildToolsVersion
-    compileSdk = androidCompileSdkVersion.substringAfter('-').toInt()
+    compileSdk = androidCompileSdkVersion.split('-')[1].toInt()
     minSdk = qtMinSdkVersion.toInt()
     ndkVersion = androidNdkVersion
 }
-
-// stop Gradle running by androiddeployqt
-gradle.taskGraph.whenReady {
-    if (providers.environmentVariable("ANDROIDDEPLOYQT_RUN").isPresent
-        && !providers.systemProperty("explicitRun").isPresent) {
-        allTasks.forEach { it.enabled = false }
-    }
-}

client/android/src/org/amnezia/vpn/AmneziaActivity.kt

@@ -26,6 +26,8 @@ import android.os.ParcelFileDescriptor
 import android.os.SystemClock
 import android.provider.OpenableColumns
 import android.provider.Settings
+import android.view.InputDevice
+import android.view.KeyEvent
 import android.view.MotionEvent
 import android.view.View
 import android.view.ViewGroup
@@ -73,6 +75,8 @@ private const val OPEN_FILE_ACTION_CODE = 3
 private const val CHECK_NOTIFICATION_PERMISSION_ACTION_CODE = 4
 
 private const val PREFS_NOTIFICATION_PERMISSION_ASKED = "NOTIFICATION_PERMISSION_ASKED"
+private const val OPEN_FILE_AFTER_RESUME_DELAY_MS = 400L
+private const val KEY_PENDING_OPEN_FILE_URI = "pending_open_file_uri"
 
 class AmneziaActivity : QtActivity() {
 
@@ -89,6 +93,12 @@ class AmneziaActivity : QtActivity() {
     private val actionResultHandlers = mutableMapOf<Int, ActivityResultHandler>()
     private val permissionRequestHandlers = mutableMapOf<Int, PermissionRequestHandler>()
 
+    private var isActivityResumed = false
+    private var hasWindowFocus = false
+    private val resumeHandler = Handler(Looper.getMainLooper())
+    private var pendingOpenFileUri: String? = null
+    private var openFileDeliveryScheduled = false
+
     private val vpnServiceEventHandler: Handler by lazy(NONE) {
         object : Handler(Looper.getMainLooper()) {
             override fun handleMessage(msg: Message) {
@@ -190,17 +200,21 @@ class AmneziaActivity : QtActivity() {
                 doBindService()
             }
         )
+        pendingOpenFileUri = savedInstanceState?.getString(KEY_PENDING_OPEN_FILE_URI)
+        openFileDeliveryScheduled = false
         registerBroadcastReceivers()
         intent?.let(::processIntent)
         runBlocking { vpnProto = proto.await() }
     }
 
+    override fun onSaveInstanceState(outState: Bundle) {
+        super.onSaveInstanceState(outState)
+        pendingOpenFileUri?.let { outState.putString(KEY_PENDING_OPEN_FILE_URI, it) }
+    }
+
     private fun loadLibs() {
         listOf(
-            "rsapss",
-            "crypto_3",
-            "ssl_3",
-            "ssh"
+            "rsapss"
         ).forEach {
             loadSharedLibrary(this.applicationContext, it)
         }
@@ -260,6 +274,11 @@ class AmneziaActivity : QtActivity() {
     }
 
     override fun onStop() {
+        isActivityResumed = false
+        hasWindowFocus = false
+        // Cancel all pending operations when activity stops
+        resumeHandler.removeCallbacksAndMessages(null)
+        openFileDeliveryScheduled = false
         Log.d(TAG, "Stop Amnezia activity")
         doUnbindService()
         mainScope.launch {
@@ -269,23 +288,128 @@ class AmneziaActivity : QtActivity() {
         super.onStop()
     }
 
+    override fun onWindowFocusChanged(hasFocus: Boolean) {
+        super.onWindowFocusChanged(hasFocus)
+        hasWindowFocus = hasFocus
+        Log.d(TAG, "Window focus changed: hasFocus=$hasFocus")
+
+        if (!hasFocus) {
+            // Cancel pending operations if window loses focus
+            resumeHandler.removeCallbacksAndMessages(null)
+        } else if (isActivityResumed && Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+            window.decorView.apply {
+                invalidate()
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(1f, 1f)
+                    }
+                }, 50)
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(2f, 2f)
+                        requestLayout()
+                        invalidate()
+                    }
+                }, 150)
+            }
+        }
+    }
+
+    override fun dispatchKeyEvent(event: KeyEvent): Boolean {
+        val keyCode = event.keyCode
+        val pressed = event.action == KeyEvent.ACTION_DOWN
+
+        when (keyCode) {
+            KeyEvent.KEYCODE_BUTTON_A,
+            KeyEvent.KEYCODE_BUTTON_B,
+            KeyEvent.KEYCODE_BUTTON_X,
+            KeyEvent.KEYCODE_BUTTON_Y,
+            KeyEvent.KEYCODE_BUTTON_START,
+            KeyEvent.KEYCODE_BUTTON_SELECT -> {
+                    nativeGamepadKeyEvent(0, keyCode, pressed)
+                    return true
+            }
+            KeyEvent.KEYCODE_DPAD_CENTER,
+            KeyEvent.KEYCODE_DPAD_UP,
+            KeyEvent.KEYCODE_DPAD_DOWN,
+            KeyEvent.KEYCODE_DPAD_LEFT,
+            KeyEvent.KEYCODE_DPAD_RIGHT -> {
+                    val syntheticKeyCode = if (keyCode == KeyEvent.KEYCODE_DPAD_CENTER) KeyEvent.KEYCODE_ENTER else keyCode
+                    val synthetic = KeyEvent(
+                        event.downTime, event.eventTime, event.action, syntheticKeyCode,
+                        event.repeatCount, event.metaState, -1, event.scanCode,
+                        event.flags, InputDevice.SOURCE_KEYBOARD
+                    )
+                    return super.dispatchKeyEvent(synthetic)
+            }
+        }
+
+        return super.dispatchKeyEvent(event)
+    }
+
+    private external fun nativeGamepadKeyEvent(deviceId: Int, keyCode: Int, pressed: Boolean)
+
+    override fun onPause() {
+        // Notify Qt to stop rendering BEFORE super.onPause() destroys the EGL surface.
+        // Using a coroutine here would be too late — the surface is gone by the time
+        // the coroutine runs. A direct synchronous call gives Qt's render thread the
+        // best chance to process visible=false before surface destruction.
+        if (qtInitialized.isCompleted) {
+            QtAndroidController.onActivityPaused()
+        }
+        super.onPause()
+        isActivityResumed = false
+        // Cancel all pending operations when activity pauses
+        resumeHandler.removeCallbacksAndMessages(null)
+        openFileDeliveryScheduled = false
+        Log.d(TAG, "Pause Amnezia activity")
+    }
+
     override fun onResume() {
         super.onResume()
+        isActivityResumed = true
+        Log.d(TAG, "Resume Amnezia activity")
+        if (qtInitialized.isCompleted) {
+            QtAndroidController.onActivityResumed()
+        }
+
+        if (pendingOpenFileUri != null && !openFileDeliveryScheduled) {
+            val uri = pendingOpenFileUri!!
+            openFileDeliveryScheduled = true
+            resumeHandler.postDelayed({
+                if (!isFinishing && !isDestroyed) {
+                    pendingOpenFileUri = null
+                    openFileDeliveryScheduled = false
+                    mainScope.launch {
+                        qtInitialized.await()
+                        QtAndroidController.onFileOpened(uri)
+                    }
+                }
+            }, OPEN_FILE_AFTER_RESUME_DELAY_MS)
+        }
+
         if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
             window.decorView.apply {
                 invalidate()
 
-                postDelayed({
-                    sendTouch(1f, 1f)
+                resumeHandler.postDelayed({
+                    // Check if activity is still resumed and has focus before executing
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(1f, 1f)
+                    }
                 }, 100)
-                
-                postDelayed({
-                    sendTouch(2f, 2f)
+
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(2f, 2f)
+                    }
                 }, 200)
-                
-                postDelayed({
-                    requestLayout()
-                    invalidate()
+
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        requestLayout()
+                        invalidate()
+                    }
                 }, 250)
             }
         }
@@ -314,6 +438,11 @@ class AmneziaActivity : QtActivity() {
                 addFlags(LayoutParams.FLAG_DRAWS_SYSTEM_BAR_BACKGROUNDS)
                 statusBarColor = getColor(R.color.black)
             }
+
+            WindowInsetsControllerCompat(window, window.decorView).apply {
+                isAppearanceLightStatusBars = false
+                isAppearanceLightNavigationBars = false
+            }
         }
     }
 
@@ -321,31 +450,35 @@ class AmneziaActivity : QtActivity() {
         ViewCompat.setOnApplyWindowInsetsListener(window.decorView) { view, windowInsets ->
             val imeInsets = windowInsets.getInsets(WindowInsetsCompat.Type.ime())
             val imeVisible = windowInsets.isVisible(WindowInsetsCompat.Type.ime())
-            
+
             val imeHeight = if (imeVisible) imeInsets.bottom else 0
 
             val density = resources.displayMetrics.density
             val imeHeightDp = (imeHeight / density).toInt()
-            
+
             // Also track system bars (navigation bar, status bar) changes
             val systemBarsInsets = windowInsets.getInsets(WindowInsetsCompat.Type.systemBars())
             val navBarHeight = systemBarsInsets.bottom
             val navBarHeightDp = (navBarHeight / density).toInt()
             val statusBarHeight = systemBarsInsets.top
             val statusBarHeightDp = (statusBarHeight / density).toInt()
-            
+
             mainScope.launch {
                 qtInitialized.await()
                 QtAndroidController.onImeInsetsChanged(imeHeightDp)
                 QtAndroidController.onSystemBarsInsetsChanged(navBarHeightDp, statusBarHeightDp)
             }
-            
+
             // Return windowInsets instead of CONSUMED to allow proper handling
             windowInsets
         }
     }
 
     override fun onDestroy() {
+        isActivityResumed = false
+        hasWindowFocus = false
+        // Cancel all pending operations when activity is destroyed
+        resumeHandler.removeCallbacksAndMessages(null)
         Log.d(TAG, "Destroy Amnezia activity")
         unregisterBroadcastReceiver(notificationStateReceiver)
         notificationStateReceiver = null
@@ -671,9 +804,13 @@ class AmneziaActivity : QtActivity() {
                             grantUriPermission(packageName, this, Intent.FLAG_GRANT_READ_URI_PERMISSION)
                         }?.toString() ?: ""
                         Log.v(TAG, "Open file: $uri")
-                        mainScope.launch {
-                            qtInitialized.await()
-                            QtAndroidController.onFileOpened(uri)
+                        if (uri.isNotEmpty()) {
+                            pendingOpenFileUri = uri
+                        } else {
+                            mainScope.launch {
+                                qtInitialized.await()
+                                QtAndroidController.onFileOpened(uri)
+                            }
                         }
                     }
                 ))
@@ -702,7 +839,7 @@ class AmneziaActivity : QtActivity() {
     @Suppress("unused")
     fun getFd(fileName: String): Int {
         Log.v(TAG, "Get fd for $fileName")
-        return blockingCall {
+        return blockingCall(Dispatchers.IO) {
             try {
                 pfd = contentResolver.openFileDescriptor(Uri.parse(fileName), "r")
                 pfd?.fd ?: -1

client/android/src/org/amnezia/vpn/AmneziaVpnService.kt

@@ -565,7 +565,7 @@ open class AmneziaVpnService : VpnService() {
         protocolState.value = RECONNECTING
 
         connectionJob = connectionScope.launch {
-            vpnProto?.protocol?.reconnectVpn(Builder())
+            vpnProto?.protocol?.reconnectVpn(Builder(), ::protect)
         }
     }
 

client/android/src/org/amnezia/vpn/TvFilePicker.kt

@@ -1,7 +1,10 @@
 package org.amnezia.vpn
 
 import android.content.ActivityNotFoundException
+import android.content.Context
 import android.content.Intent
+import android.content.pm.PackageManager
+import android.os.Build
 import android.os.Bundle
 import androidx.activity.ComponentActivity
 import androidx.activity.result.contract.ActivityResultContracts
@@ -11,8 +14,29 @@ private const val TAG = "TvFilePicker"
 
 class TvFilePicker : ComponentActivity() {
 
-    private val fileChooseResultLauncher = registerForActivityResult(ActivityResultContracts.GetContent()) {
-        setResult(RESULT_OK, Intent().apply { data = it })
+    private val fileChooseResultLauncher = registerForActivityResult(object : ActivityResultContracts.OpenDocument() {
+        override fun createIntent(context: Context, input: Array<String>): Intent {
+            val intent = super.createIntent(context, input)
+
+            val activitiesToResolveIntent = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+                context.packageManager.queryIntentActivities(intent, PackageManager.ResolveInfoFlags.of(PackageManager.MATCH_DEFAULT_ONLY.toLong()))
+            } else {
+                @Suppress("DEPRECATION")
+                context.packageManager.queryIntentActivities(intent, PackageManager.MATCH_DEFAULT_ONLY)
+            }
+            if (activitiesToResolveIntent.all {
+                    val name = it.activityInfo.packageName
+                    name.startsWith("com.google.android.tv.frameworkpackagestubs") || name.startsWith("com.android.tv.frameworkpackagestubs")
+                }) {
+                throw ActivityNotFoundException()
+            }
+            return intent
+        }
+    }) {
+        setResult(RESULT_OK, Intent().apply {
+            data = it
+            addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
+        })
         finish()
     }
 
@@ -31,7 +55,7 @@ class TvFilePicker : ComponentActivity() {
     private fun getFile() {
         try {
             Log.v(TAG, "getFile")
-            fileChooseResultLauncher.launch("*/*")
+            fileChooseResultLauncher.launch(arrayOf("*/*"))
         } catch (_: ActivityNotFoundException) {
             Log.w(TAG, "Activity not found")
             setResult(RESULT_CANCELED, Intent().apply { putExtra("activityNotFound", true) })

client/android/src/org/amnezia/vpn/VpnProto.kt

@@ -2,7 +2,6 @@ package org.amnezia.vpn
 
 import org.amnezia.vpn.protocol.Protocol
 import org.amnezia.vpn.protocol.awg.Awg
-import org.amnezia.vpn.protocol.cloak.Cloak
 import org.amnezia.vpn.protocol.openvpn.OpenVpn
 import org.amnezia.vpn.protocol.wireguard.Wireguard
 import org.amnezia.vpn.protocol.xray.Xray
@@ -36,14 +35,6 @@ enum class VpnProto(
         override fun createProtocol(): Protocol = OpenVpn()
     },
 
-    CLOAK(
-        "Cloak",
-        "org.amnezia.vpn:amneziaOpenVpnService",
-        OpenVpnService::class.java
-    ) {
-        override fun createProtocol(): Protocol = Cloak()
-    },
-
     XRAY(
         "XRay",
         "org.amnezia.vpn:amneziaXrayService",
@@ -72,4 +63,4 @@ enum class VpnProto(
     companion object {
         fun get(protocolName: String): VpnProto = VpnProto.valueOf(protocolName.uppercase())
     }
-}
+}

client/android/src/org/amnezia/vpn/qt/QtAndroidController.kt

@@ -31,4 +31,7 @@ object QtAndroidController {
 
     external fun onImeInsetsChanged(heightDp: Int)
     external fun onSystemBarsInsetsChanged(navBarHeightDp: Int, statusBarHeightDp: Int)
+
+    external fun onActivityPaused()
+    external fun onActivityResumed()
 }

client/android/wireguard/src/main/kotlin/org/amnezia/vpn/protocol/wireguard/Wireguard.kt

@@ -12,6 +12,7 @@ import org.amnezia.vpn.protocol.Protocol
 import org.amnezia.vpn.protocol.ProtocolState.CONNECTED
 import org.amnezia.vpn.protocol.ProtocolState.DISCONNECTED
 import org.amnezia.vpn.protocol.Statistics
+import org.amnezia.vpn.protocol.VpnException
 import org.amnezia.vpn.protocol.VpnStartException
 import org.amnezia.vpn.util.LibraryLoader.loadSharedLibrary
 import org.amnezia.vpn.util.Log
@@ -27,6 +28,7 @@ private const val TAG = "Wireguard"
 open class Wireguard : Protocol() {
 
     private var tunnelHandle: Int = -1
+    private var config: WireguardConfig? = null // save config for reconnect
     protected open val ifName: String = "amn0"
     private lateinit var scope: CoroutineScope
     private var statusJob: Job? = null
@@ -61,6 +63,7 @@ open class Wireguard : Protocol() {
     override suspend fun startVpn(config: JSONObject, vpnBuilder: Builder, protect: (Int) -> Boolean) {
         val wireguardConfig = parseConfig(config)
         start(wireguardConfig, vpnBuilder, protect)
+        this.config = wireguardConfig
     }
 
     protected open fun parseConfig(config: JSONObject): WireguardConfig {
@@ -122,23 +125,24 @@ open class Wireguard : Protocol() {
         configData.optStringOrNull("S2")?.let { setS2(it.toInt()) }
         configData.optStringOrNull("S3")?.let { setS3(it.toInt()) }
         configData.optStringOrNull("S4")?.let { setS4(it.toInt()) }
-        configData.optStringOrNull("H1")?.let { setH1(it.toLong()) }
-        configData.optStringOrNull("H2")?.let { setH2(it.toLong()) }
-        configData.optStringOrNull("H3")?.let { setH3(it.toLong()) }
-        configData.optStringOrNull("H4")?.let { setH4(it.toLong()) }
+        configData.optStringOrNull("H1")?.trim()?.let { if (it.isNotEmpty()) setH1(it) }
+        configData.optStringOrNull("H2")?.trim()?.let { if (it.isNotEmpty()) setH2(it) }
+        configData.optStringOrNull("H3")?.trim()?.let { if (it.isNotEmpty()) setH3(it) }
+        configData.optStringOrNull("H4")?.trim()?.let { if (it.isNotEmpty()) setH4(it) }
         configData.optStringOrNull("I1")?.let { setI1(it) }
         configData.optStringOrNull("I2")?.let { setI2(it) }
         configData.optStringOrNull("I3")?.let { setI3(it) }
         configData.optStringOrNull("I4")?.let { setI4(it) }
         configData.optStringOrNull("I5")?.let { setI5(it) }
-        configData.optStringOrNull("J1")?.let { setJ1(it) }
-        configData.optStringOrNull("J2")?.let { setJ2(it) }
-        configData.optStringOrNull("J3")?.let { setJ3(it) }
-        configData.optStringOrNull("Itime")?.let { setItime(it.toInt()) }
     }
 
-    private fun start(config: WireguardConfig, vpnBuilder: Builder, protect: (Int) -> Boolean) {
-        if (tunnelHandle != -1) {
+    private fun start(
+        config: WireguardConfig,
+        vpnBuilder: Builder,
+        protect: (Int) -> Boolean,
+        stopExistingVpn: Boolean = false
+    ) {
+        if (!stopExistingVpn && tunnelHandle != -1) {
             Log.w(TAG, "Tunnel already up")
             return
         }
@@ -146,6 +150,9 @@ open class Wireguard : Protocol() {
         buildVpnInterface(config, vpnBuilder)
 
         vpnBuilder.establish().use { tunFd ->
+            if (stopExistingVpn && tunnelHandle != -1) {
+                turnOffVpn()
+            }
             if (tunFd == null) {
                 throw VpnStartException("Create VPN interface: permission not granted or revoked")
             }
@@ -202,20 +209,25 @@ open class Wireguard : Protocol() {
         return lastHandshake
     }
 
-    override fun stopVpn() {
-        if (tunnelHandle == -1) {
-            Log.w(TAG, "Tunnel already down")
-            return
-        }
+    private fun turnOffVpn() {
         statusJob?.cancel()
         statusJob = null
         val handleToClose = tunnelHandle
         tunnelHandle = -1
         GoBackend.awgTurnOff(handleToClose)
+    }
+
+    override fun stopVpn() {
+        if (tunnelHandle == -1) {
+            Log.w(TAG, "Tunnel already down")
+            return
+        }
+        turnOffVpn()
         state.value = DISCONNECTED
     }
 
-    override fun reconnectVpn(vpnBuilder: Builder) {
-        state.value = CONNECTED
+    override fun reconnectVpn(vpnBuilder: Builder, protect: (Int) -> Boolean) {
+        val config = this.config ?: throw VpnException("Reconnect config is empty")
+        start(config, vpnBuilder, protect, true)
     }
 }

client/android/wireguard/src/main/kotlin/org/amnezia/vpn/protocol/wireguard/WireguardConfig.kt

@@ -22,19 +22,15 @@ open class WireguardConfig protected constructor(
     val s2: Int?,
     val s3: Int?,
     val s4: Int?,
-    val h1: Long?,
-    val h2: Long?,
-    val h3: Long?,
-    val h4: Long?,
+    val h1: String?,
+    val h2: String?,
+    val h3: String?,
+    val h4: String?,
     var i1: String?,
     var i2: String?,
     var i3: String?,
     var i4: String?,
     var i5: String?,
-    var j1: String?,
-    var j2: String?,
-    var j3: String?,
-    var itime: Int?
 ) : ProtocolConfig(protocolConfigBuilder) {
 
     protected constructor(builder: Builder) : this(
@@ -61,10 +57,6 @@ open class WireguardConfig protected constructor(
         builder.i3,
         builder.i4,
         builder.i5,
-        builder.j1,
-        builder.j2,
-        builder.j3,
-        builder.itime
     )
 
     fun toWgUserspaceString(): String = with(StringBuilder()) {
@@ -94,10 +86,6 @@ open class WireguardConfig protected constructor(
             i3?.let { appendLine("i3=$it") }
             i4?.let { appendLine("i4=$it") }
             i5?.let { appendLine("i5=$it") }
-            j1?.let { appendLine("j1=$it") }
-            j2?.let { appendLine("j2=$it") }
-            j3?.let { appendLine("j3=$it") }
-            itime?.let { appendLine("itime=$it") }
         }
     }
 
@@ -152,19 +140,15 @@ open class WireguardConfig protected constructor(
         internal var s2: Int? = null
         internal var s3: Int? = null
         internal var s4: Int? = null
-        internal var h1: Long? = null
-        internal var h2: Long? = null
-        internal var h3: Long? = null
-        internal var h4: Long? = null
+        internal var h1: String? = null
+        internal var h2: String? = null
+        internal var h3: String? = null
+        internal var h4: String? = null
         internal var i1: String? = null
         internal var i2: String? = null
         internal var i3: String? = null
         internal var i4: String? = null
         internal var i5: String? = null
-        internal var j1: String? = null
-        internal var j2: String? = null
-        internal var j3: String? = null
-        internal var itime: Int? = null
 
         fun setEndpoint(endpoint: InetEndpoint) = apply { this.endpoint = endpoint }
 
@@ -185,19 +169,15 @@ open class WireguardConfig protected constructor(
         fun setS2(s2: Int) = apply { this.s2 = s2 }
         fun setS3(s3: Int) = apply { this.s3 = s3 }
         fun setS4(s4: Int) = apply { this.s4 = s4 }
-        fun setH1(h1: Long) = apply { this.h1 = h1 }
-        fun setH2(h2: Long) = apply { this.h2 = h2 }
-        fun setH3(h3: Long) = apply { this.h3 = h3 }
-        fun setH4(h4: Long) = apply { this.h4 = h4 }
+        fun setH1(h1: String) = apply { this.h1 = h1 }
+        fun setH2(h2: String) = apply { this.h2 = h2 }
+        fun setH3(h3: String) = apply { this.h3 = h3 }
+        fun setH4(h4: String) = apply { this.h4 = h4 }
         fun setI1(i1: String) = apply { this.i1 = i1 }
         fun setI2(i2: String) = apply { this.i2 = i2 }
         fun setI3(i3: String) = apply { this.i3 = i3 }
         fun setI4(i4: String) = apply { this.i4 = i4 }
         fun setI5(i5: String) = apply { this.i5 = i5 }
-        fun setJ1(j1: String) = apply { this.j1 = j1 }
-        fun setJ2(j2: String) = apply { this.j2 = j2 }
-        fun setJ3(j3: String) = apply { this.j3 = j3 }
-        fun setItime(itime: Int) = apply { this.itime = itime }
 
         override fun build(): WireguardConfig = configBuild().run { WireguardConfig(this@Builder) }
     }

client/android/xray/src/main/kotlin/Xray.kt

@@ -4,6 +4,9 @@ import android.content.Context
 import android.net.VpnService.Builder
 import java.io.File
 import java.io.IOException
+import java.net.InetAddress
+import java.net.ServerSocket
+import java.util.UUID
 import go.Seq
 import org.amnezia.vpn.protocol.BadConfigException
 import org.amnezia.vpn.protocol.Protocol
@@ -19,11 +22,32 @@ import org.amnezia.vpn.util.Log
 import org.amnezia.vpn.util.net.InetNetwork
 import org.amnezia.vpn.util.net.ip
 import org.amnezia.vpn.util.net.parseInetAddress
+import org.json.JSONArray
 import org.json.JSONObject
 
 private const val TAG = "Xray"
 private const val LIBXRAY_TAG = "libXray"
 
+private fun findSocksInboundIndex(inbounds: JSONArray): Int {
+    for (i in 0 until inbounds.length()) {
+        val o = inbounds.optJSONObject(i) ?: continue
+        if (o.optString("protocol").equals("socks", ignoreCase = true)) {
+            return i
+        }
+    }
+    return -1
+}
+
+private fun acquireFreeLocalPort(): Int {
+    try {
+        ServerSocket(0, 1, InetAddress.getByName("127.0.0.1")).use { return it.localPort }
+    } catch (e: Exception) {
+        throw VpnStartException(
+            "Failed to acquire free TCP port on 127.0.0.1 for SOCKS inbound: ${e.message}"
+        )
+    }
+}
+
 class Xray : Protocol() {
 
     private var isRunning: Boolean = false
@@ -53,9 +77,13 @@ class Xray : Protocol() {
             return
         }
 
-        val xrayJsonConfig = config.optJSONObject("xray_config_data")
+        val xrayConfigData = config.optJSONObject("xray_config_data")
             ?: config.optJSONObject("ssxray_config_data")
             ?: throw BadConfigException("config_data not found")
+        val xrayJsonConfig = JSONObject(xrayConfigData.optString("config"))
+
+        // Inject SOCKS5 auth before starting xray. Re-uses existing credentials if present.
+        ensureInboundAuth(xrayJsonConfig)
         val xrayConfig = parseConfig(config, xrayJsonConfig)
 
         (xrayJsonConfig.optJSONObject("log") ?: JSONObject().also { xrayJsonConfig.put("log", it) })
@@ -97,9 +125,22 @@ class Xray : Protocol() {
                 if (it.isNotBlank()) setMtu(it.toInt())
             }
 
-            val socksConfig = xrayJsonConfig.getJSONArray("inbounds")[0] as JSONObject
+            val inbounds = xrayJsonConfig.getJSONArray("inbounds")
+            val socksIdx = findSocksInboundIndex(inbounds)
+            if (socksIdx < 0) {
+                throw BadConfigException("socks inbound not found")
+            }
+            val socksConfig = inbounds.getJSONObject(socksIdx)
             socksConfig.getInt("port").let { setSocksPort(it) }
 
+            val socksSettings = socksConfig.optJSONObject("settings")
+            val accounts = socksSettings?.optJSONArray("accounts")
+            if (accounts != null && accounts.length() > 0) {
+                val account = accounts.getJSONObject(0)
+                setSocksUser(account.optString("user"))
+                setSocksPass(account.optString("pass"))
+            }
+
             configSplitTunneling(config)
             configAppSplitTunneling(config)
         }
@@ -157,22 +198,54 @@ class Xray : Protocol() {
         state.value = DISCONNECTED
     }
 
-    override fun reconnectVpn(vpnBuilder: Builder) {
+    override fun reconnectVpn(vpnBuilder: Builder, protect: (Int) -> Boolean) {
         state.value = CONNECTED
     }
 
     private fun runTun2Socks(config: XrayConfig, fd: Int) {
+        val proxyUrl = "socks5://${config.socksUser}:${config.socksPass}@127.0.0.1:${config.socksPort}"
         val tun2SocksConfig = Tun2SocksConfig().apply {
             mtu = config.mtu.toLong()
-            proxy = "socks5://127.0.0.1:${config.socksPort}"
+            proxy = proxyUrl
             device = "fd://$fd"
-            logLevel = "warning"
+            logLevel = "warn"
         }
         LibXray.startTun2Socks(tun2SocksConfig, fd.toLong()).isNotNullOrBlank { err ->
             throw VpnStartException("Failed to start tun2socks: $err")
         }
     }
 
+    // Ensures SOCKS5 auth is present on the socks inbound settings.
+    // Re-uses existing credentials if already configured; otherwise generates random ones.
+    private fun ensureInboundAuth(xrayConfig: JSONObject) {
+        val inbounds = xrayConfig.optJSONArray("inbounds") ?: return
+        val socksIdx = findSocksInboundIndex(inbounds)
+        if (socksIdx < 0) return
+
+        val inbound = inbounds.getJSONObject(socksIdx)
+        inbound.put("port", acquireFreeLocalPort())
+        val settings = inbound.optJSONObject("settings") ?: JSONObject().also { inbound.put("settings", it) }
+        val accounts = settings.optJSONArray("accounts")
+        if (accounts != null && accounts.length() > 0) {
+            val account = accounts.getJSONObject(0)
+            if (account.optString("user").isNotEmpty() && account.optString("pass").isNotEmpty()) {
+                // Ensure auth mode is enforced even for imported configs that had accounts
+                // but auth: "noauth" (or no auth field).
+                settings.put("auth", "password")
+                inbound.put("settings", settings)
+                inbounds.put(socksIdx, inbound)
+                return
+            }
+        }
+
+        val user = UUID.randomUUID().toString().replace("-", "").substring(0, 16)
+        val pass = UUID.randomUUID().toString().replace("-", "")
+        settings.put("auth", "password")
+        settings.put("accounts", JSONArray().put(JSONObject().put("user", user).put("pass", pass)))
+        inbound.put("settings", settings)
+        inbounds.put(socksIdx, inbound)
+    }
+
     companion object {
         val instance: Xray by lazy { Xray() }
     }

client/android/xray/src/main/kotlin/XrayConfig.kt

@@ -9,12 +9,16 @@ private const val XRAY_DEFAULT_MAX_MEMORY: Long = 50 shl 20 // 50 MB
 class XrayConfig protected constructor(
     protocolConfigBuilder: ProtocolConfig.Builder,
     val socksPort: Int,
+    val socksUser: String,
+    val socksPass: String,
     val maxMemory: Long,
 ) : ProtocolConfig(protocolConfigBuilder) {
 
     protected constructor(builder: Builder) : this(
         builder,
         builder.socksPort,
+        builder.socksUser,
+        builder.socksPass,
         builder.maxMemory
     )
 
@@ -22,6 +26,12 @@ class XrayConfig protected constructor(
         internal var socksPort: Int = 0
             private set
 
+        internal var socksUser: String = ""
+            private set
+
+        internal var socksPass: String = ""
+            private set
+
         internal var maxMemory: Long = XRAY_DEFAULT_MAX_MEMORY
             private set
 
@@ -29,6 +39,10 @@ class XrayConfig protected constructor(
 
         fun setSocksPort(port: Int) = apply { socksPort = port }
 
+        fun setSocksUser(user: String) = apply { socksUser = user }
+
+        fun setSocksPass(pass: String) = apply { socksPass = pass }
+
         fun setMaxMemory(maxMemory: Long) = apply { this.maxMemory = maxMemory }
 
         override fun build(): XrayConfig = configBuild().run { XrayConfig(this@Builder) }

client/client_scripts/clientScripts.qrc

@@ -0,0 +1,6 @@
+<RCC>
+    <qresource prefix="/client_scripts">
+        <file>linux_installer.sh</file>
+        <file>mac_installer.sh</file>
+    </qresource>
+</RCC>

client/client_scripts/linux_installer.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+EXTRACT_DIR="$1"
+INSTALLER_PATH="$2"
+
+# Create and clean extract directory
+rm -rf "$EXTRACT_DIR"
+mkdir -p "$EXTRACT_DIR"
+
+# Extract TAR archive
+tar -xf "$INSTALLER_PATH" -C "$EXTRACT_DIR"
+if [ $? -ne 0 ]; then
+    echo 'Failed to extract TAR archive'
+    exit 1
+fi
+
+# Find and run installer
+INSTALLER=$(find "$EXTRACT_DIR" -type f -executable)
+if [ -z "$INSTALLER" ]; then
+    echo 'Installer not found'
+    exit 1
+fi
+
+"$INSTALLER"
+EXIT_CODE=$?
+
+# Cleanup
+rm -rf "$EXTRACT_DIR"
+exit $EXIT_CODE 

client/client_scripts/mac_installer.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+EXTRACT_DIR="$1"
+INSTALLER_PATH="$2"
+
+set -e
+
+echo "[AmneziaVPN] Installer package: $INSTALLER_PATH"
+
+if [ ! -f "$INSTALLER_PATH" ]; then
+    echo "[AmneziaVPN] ERROR: Installer package not found: $INSTALLER_PATH"
+    exit 1
+fi
+
+PKG_PATH="$INSTALLER_PATH"
+echo "[AmneziaVPN] Using PKG: $PKG_PATH"
+
+# Optional: basic signature/gatekeeper checks (non-fatal)
+if command -v pkgutil >/dev/null 2>&1; then
+    pkgutil --check-signature "$PKG_PATH" || true
+fi
+if command -v spctl >/dev/null 2>&1; then
+    spctl -a -vvv -t install "$PKG_PATH" || true
+fi
+
+# Run installer with admin privileges via AppleScript (prompts for password)
+echo "[AmneziaVPN] Running installer..."
+OSA_CMD='do shell script "/usr/sbin/installer -pkg '"$PKG_PATH"' -target /" with administrator privileges'
+osascript -e "$OSA_CMD"
+
+STATUS=$?
+if [ $STATUS -ne 0 ]; then
+    echo "[AmneziaVPN] ERROR: installer exited with status $STATUS"
+    exit $STATUS
+fi
+
+echo "[AmneziaVPN] Cleaning up..."
+rm -f "$INSTALLER_PATH" || true
+rm -rf "$EXTRACT_DIR" 2>/dev/null || true
+
+echo "[AmneziaVPN] Installation completed successfully"
+exit 0

client/cmake/3rdparty.cmake

@@ -8,90 +8,41 @@ include(${CLIENT_ROOT_DIR}/cmake/QSimpleCrypto.cmake)
 
 include(${CLIENT_ROOT_DIR}/3rd/qrcodegen/qrcodegen.cmake)
 
-set(LIBSSH_ROOT_DIR "${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/libssh/")
-set(OPENSSL_ROOT_DIR "${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/openssl/")
-
-set(OPENSSL_LIBRARIES_DIR "${OPENSSL_ROOT_DIR}/lib")
-
-if(WIN32)
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/windows/include")
-    if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
-        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/windows/x86_64/ssh.lib")
-        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/windows/x86_64")
-        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/windows/win64/libssl.lib")
-        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win64/libcrypto.lib")
-    else()
-        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/windows/x86/ssh.lib")
-        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/windows/x86")
-        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libssl.lib")
-        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libcrypto.lib")
-    endif()
-elseif(APPLE AND NOT IOS)
-    if(MACOS_NE)
-        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libssh.a")
-        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libz.a")
-        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/universal2")
-    else()
-        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libssh.a")
-        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libz.a")
-        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/x86_64")
-    endif()
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/macos/include")
-    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libssl.a")
-    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libcrypto.a")
-elseif(IOS)
-    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/ios/arm64")
-    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/ios/arm64/libssh.a")
-    set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/ios/arm64/libz.a")
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/ios/iphone/include")
-    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/ios/iphone/lib/libssl.a")
-    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/ios/iphone/lib/libcrypto.a")
-elseif(ANDROID)
-    set(abi ${CMAKE_ANDROID_ARCH_ABI})
-    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/android/${abi}")
-    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/android/${abi}/libssh.so")
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/android/include")
-    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/android/${abi}/libssl.a")
-    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/android/${abi}/libcrypto.a")
-    set(OPENSSL_LIBRARIES_DIR "${OPENSSL_ROOT_DIR}/android/${abi}")
-elseif(LINUX)
-    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/linux/x86_64")
-    set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/linux/x86_64/libz.a")
-    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/linux/x86_64/libssh.a")
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/linux/include")
-    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/linux/x86_64/libssl.a")
-    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/linux/x86_64/libcrypto.a")
-endif()
-    
-file(COPY ${OPENSSL_LIB_SSL_PATH} ${OPENSSL_LIB_CRYPTO_PATH}
-        DESTINATION ${OPENSSL_LIBRARIES_DIR})
-
-set(OPENSSL_USE_STATIC_LIBS TRUE)
-  
-set(LIBS ${LIBS} 
-    ${LIBSSH_LIB_PATH} 
-    ${ZLIB_LIB_PATH}
-)
-  
-set(LIBS ${LIBS}
-    ${OPENSSL_LIB_SSL_PATH}
-    ${OPENSSL_LIB_CRYPTO_PATH}
-)
-
 add_compile_definitions(_WINSOCKAPI_)
 
 set(BUILD_SHARED_LIBS OFF CACHE BOOL "" FORCE)
 set(BUILD_WITH_QT6 ON)
-add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtkeychain)
+add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtkeychain EXCLUDE_FROM_ALL)
+
+if(ANDROID)
+    # Use qtgamepad from amnezia-vpn/qtgamepad repository
+    # Only if Qt6CorePrivate is available (required by qtgamepad)
+    find_package(Qt6CorePrivate CONFIG QUIET)
+    if(Qt6CorePrivate_FOUND)
+        add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtgamepad)
+        # Link both the C++ module and QML plugin
+        if(TARGET GamepadLegacy)
+            target_link_libraries(${PROJECT} PRIVATE GamepadLegacy)
+        endif()
+        if(TARGET GamepadLegacyQuickPrivate)
+            target_link_libraries(${PROJECT} PRIVATE GamepadLegacyQuickPrivate)
+        endif()
+        message(STATUS "Gamepad support enabled for Android")
+    else()
+        message(STATUS "Qt6CorePrivate not found. Gamepad support disabled for Android.")
+    endif()
+endif()
+
 set(LIBS ${LIBS} qt6keychain)
 
 include_directories(
-    ${OPENSSL_INCLUDE_DIR}
-    ${LIBSSH_INCLUDE_DIR}/include
-    ${LIBSSH_ROOT_DIR}/include
-    ${CLIENT_ROOT_DIR}/3rd/libssh/include
     ${CLIENT_ROOT_DIR}/3rd/QSimpleCrypto/src/include
     ${CLIENT_ROOT_DIR}/3rd/qtkeychain/qtkeychain
     ${CMAKE_CURRENT_BINARY_DIR}/3rd/qtkeychain
-    ${CMAKE_CURRENT_BINARY_DIR}/3rd/libssh/include
 )
+
+find_package(OpenSSL REQUIRED)
+list(APPEND LIBS OpenSSL::SSL OpenSSL::Crypto)
+
+find_package(libssh REQUIRED)
+list(APPEND LIBS ssh::ssh)

client/cmake/android.cmake

@@ -20,36 +20,36 @@ set(QT_ANDROID_MULTI_ABI_FORWARD_VARS "QT_NO_GLOBAL_APK_TARGET_PART_OF_ALL;CMAKE
 
 # We need to include qtprivate api's
 # As QAndroidBinder is not yet implemented with a public api
-set(LIBS ${LIBS} Qt6::CorePrivate -ljnigraphics)
+# Check if Qt6::CorePrivate is available (may not be in all Qt versions/configurations)
+if(TARGET Qt6::CorePrivate)
+    set(LIBS ${LIBS} Qt6::CorePrivate)
+endif()
+set(LIBS ${LIBS} -ljnigraphics)
 
 link_directories(${CMAKE_CURRENT_SOURCE_DIR}/platforms/android)
 
 set(HEADERS ${HEADERS}
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/android/android_controller.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/android/android_utils.h
-    ${CMAKE_CURRENT_SOURCE_DIR}/protocols/android_vpnprotocol.h
-    ${CMAKE_CURRENT_SOURCE_DIR}/core/installedAppsImageProvider.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/core/protocols/androidVpnProtocol.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/core/utils/installedAppsImageProvider.h
 )
 
 set(SOURCES ${SOURCES}
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/android/android_controller.cpp
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/android/android_utils.cpp
-    ${CMAKE_CURRENT_SOURCE_DIR}/protocols/android_vpnprotocol.cpp
-    ${CMAKE_CURRENT_SOURCE_DIR}/core/installedAppsImageProvider.cpp
+    ${CMAKE_CURRENT_SOURCE_DIR}/core/protocols/androidVpnProtocol.cpp
+    ${CMAKE_CURRENT_SOURCE_DIR}/core/utils/installedAppsImageProvider.cpp
 )
 
-foreach(abi IN ITEMS ${QT_ANDROID_ABIS})
-    set_property(TARGET ${PROJECT} PROPERTY QT_ANDROID_EXTRA_LIBS
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/amneziawg/android/${abi}/libwg-go.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/libck-ovpn-plugin.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/libovpn3.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/libovpnutil.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/librsapss.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openssl/android/${abi}/libcrypto_3.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openssl/android/${abi}/libssl_3.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/libssh/android/${abi}/libssh.so
-    )
-endforeach()
 
-file(COPY ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/xray/android/libxray.aar
-        DESTINATION ${CMAKE_CURRENT_SOURCE_DIR}/android/xray/libXray)
+find_package(awg-android REQUIRED)
+set(LIBS ${LIBS} amnezia::awg-android)
+set_property(TARGET ${PROJECT} APPEND PROPERTY QT_ANDROID_EXTRA_LIBS ${AMNEZIA_ANDROID_LIBWG_PATH} ${AMNEZIA_ANDROID_LIBWG_QUICK_PATH})
+
+find_package(amnezia-libxray REQUIRED)
+file(COPY ${AMNEZIA_LIBXRAY_PATH} DESTINATION ${CMAKE_CURRENT_SOURCE_DIR}/android/xray/libXray)
+
+find_package(openvpn-pt-android REQUIRED)
+set(LIBS ${LIBS} amnezia::openvpn-pt-android)
+set_property(TARGET ${PROJECT} APPEND PROPERTY QT_ANDROID_EXTRA_LIBS ${OPENVPN_PT_ANDROID_LIBCK_OVPN_PLUGIN_PATH})

client/cmake/ios.cmake

@@ -1,8 +1,6 @@
 message("Client iOS build")
-set(CMAKE_OSX_DEPLOYMENT_TARGET 13.0)
 set(APPLE_PROJECT_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
 
-
 enable_language(OBJC)
 enable_language(OBJCXX)
 enable_language(Swift)
@@ -34,6 +32,7 @@ set(HEADERS ${HEADERS}
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/StoreKitController.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate-C-Interface.h
 )
 set_source_files_properties(${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h PROPERTIES OBJECTIVE_CPP_HEADER TRUE)
@@ -46,6 +45,7 @@ set(SOURCES ${SOURCES}
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosglue.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QRCodeReaderBase.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/StoreKitController.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/AmneziaSceneDelegateHooks.mm
 )
 
@@ -119,6 +119,7 @@ target_sources(${PROJECT} PRIVATE
     ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
     ${CLIENT_ROOT_DIR}/platforms/ios/ScreenProtection.swift
     ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/StoreKit2Helper.swift
 )
 
 target_sources(${PROJECT} PRIVATE
@@ -129,17 +130,8 @@ target_sources(${PROJECT} PRIVATE
 
 set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
     ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/AmneziaVPNLaunchScreen.storyboard
-    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
     ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
 )
 
 add_subdirectory(ios/networkextension)
 add_dependencies(${PROJECT} networkextension)
-
-set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
-    "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework"
-)
-
-set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/)
-target_link_libraries("networkextension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework")
-

client/cmake/macos.cmake

@@ -23,16 +23,13 @@ set_target_properties(${PROJECT} PROPERTIES
     MACOSX_BUNDLE_SHORT_VERSION_STRING "${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH}"
     MACOSX_BUNDLE_BUNDLE_VERSION "${CMAKE_PROJECT_VERSION_TWEAK}"
 )
-set(CMAKE_OSX_ARCHITECTURES "x86_64" CACHE INTERNAL "" FORCE)
-set(CMAKE_OSX_DEPLOYMENT_TARGET 10.15)
-
 
 set(HEADERS ${HEADERS}
-    ${CMAKE_CURRENT_SOURCE_DIR}/ui/macos_util.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/ui/utils/macosUtil.h
 )
 
 set(SOURCES ${SOURCES}
-    ${CMAKE_CURRENT_SOURCE_DIR}/ui/macos_util.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/ui/utils/macosUtil.mm
 )
 
 

client/cmake/macos_ne.cmake

@@ -1,7 +1,6 @@
 message("Client ==> MacOS NE build")
 
 set_target_properties(${PROJECT} PROPERTIES MACOSX_BUNDLE TRUE)
-set(CMAKE_OSX_DEPLOYMENT_TARGET 10.15)
 
 set(APPLE_PROJECT_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
 
@@ -35,6 +34,7 @@ set(HEADERS ${HEADERS}
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/StoreKitController.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate-C-Interface.h
 )
@@ -45,6 +45,7 @@ set(SOURCES ${SOURCES}
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/ios_controller_wrapper.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosnotificationhandler.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/StoreKitController.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/iosglue.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QRCodeReaderBase.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/ios/QtAppDelegate.mm
@@ -129,6 +130,7 @@ target_sources(${PROJECT} PRIVATE
     ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
     ${CLIENT_ROOT_DIR}/platforms/ios/ScreenProtection.swift
     ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/StoreKit2Helper.swift
 )
 
 target_sources(${PROJECT} PRIVATE
@@ -137,7 +139,6 @@ target_sources(${PROJECT} PRIVATE
 )
 
 set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
-    ${CMAKE_CURRENT_SOURCE_DIR}/macos/app/Images.xcassets
     ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
 )
 
@@ -150,19 +151,6 @@ message(${QtCore_location})
 
 get_filename_component(QT_BIN_DIR_DETECTED "${QtCore_location}/../../../../../bin" ABSOLUTE)
 
-set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
-    "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos/OpenVPNAdapter.framework"
-)
-
-set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos)
-target_link_libraries("AmneziaVPNNetworkExtension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos/OpenVPNAdapter.framework")
-
 add_custom_command(TARGET ${PROJECT} POST_BUILD
-    COMMAND ${CMAKE_COMMAND} -E make_directory
-            $<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks
-    COMMAND /usr/bin/find "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework" -name "*.sha256" -delete
-    COMMAND /usr/bin/codesign --force --sign "Apple Distribution"
-            "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework/Versions/Current/OpenVPNAdapter"
     COMMAND ${QT_BIN_DIR_DETECTED}/macdeployqt $<TARGET_BUNDLE_DIR:AmneziaVPN> -appstore-compliant -qmldir=${CMAKE_CURRENT_SOURCE_DIR}
-    COMMENT "Signing OpenVPNAdapter framework"
 )

client/cmake/sources.cmake

@@ -1,33 +1,69 @@
 set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/..)
 
 set(HEADERS ${HEADERS}
-    ${CLIENT_ROOT_DIR}/migrations.h
+    ${CLIENT_ROOT_DIR}/core/utils/migrations.h
     ${CLIENT_ROOT_DIR}/../ipc/ipc.h
-    ${CLIENT_ROOT_DIR}/amnezia_application.h
-    ${CLIENT_ROOT_DIR}/containers/containers_defs.h
-    ${CLIENT_ROOT_DIR}/core/defs.h
-    ${CLIENT_ROOT_DIR}/core/errorstrings.h
-    ${CLIENT_ROOT_DIR}/core/scripts_registry.h
-    ${CLIENT_ROOT_DIR}/core/server_defs.h
-    ${CLIENT_ROOT_DIR}/core/api/apiDefs.h
-    ${CLIENT_ROOT_DIR}/core/qrCodeUtils.h
+    ${CLIENT_ROOT_DIR}/amneziaApplication.h
+    ${CLIENT_ROOT_DIR}/core/utils/errorCodes.h
+    ${CLIENT_ROOT_DIR}/core/utils/routeModes.h
+    ${CLIENT_ROOT_DIR}/core/utils/commonStructs.h
+    ${CLIENT_ROOT_DIR}/core/utils/containerEnum.h
+    ${CLIENT_ROOT_DIR}/core/utils/protocolEnum.h
+    ${CLIENT_ROOT_DIR}/core/utils/containers/containerUtils.h
+    ${CLIENT_ROOT_DIR}/core/protocols/protocolUtils.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants/configKeys.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants/protocolConstants.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants/apiKeys.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants/apiConstants.h
+    ${CLIENT_ROOT_DIR}/core/utils/api/apiEnums.h
+    ${CLIENT_ROOT_DIR}/core/utils/errorStrings.h
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/scriptsRegistry.h
+    ${CLIENT_ROOT_DIR}/core/utils/qrCodeUtils.h
     ${CLIENT_ROOT_DIR}/core/controllers/coreController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/coreSignalHandlers.h
     ${CLIENT_ROOT_DIR}/core/controllers/gatewayController.h
-    ${CLIENT_ROOT_DIR}/core/controllers/serverController.h
-    ${CLIENT_ROOT_DIR}/core/controllers/vpnConfigurationController.h
-    ${CLIENT_ROOT_DIR}/protocols/protocols_defs.h
-    ${CLIENT_ROOT_DIR}/protocols/qml_register_protocols.h
-    ${CLIENT_ROOT_DIR}/ui/pages.h
-    ${CLIENT_ROOT_DIR}/ui/qautostart.h
-    ${CLIENT_ROOT_DIR}/protocols/vpnprotocol.h
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshSession.h
+    ${CLIENT_ROOT_DIR}/core/controllers/serversController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/usersController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/installController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/exportController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/importController.h
+    ${CLIENT_ROOT_DIR}/core/installers/installerBase.h
+    ${CLIENT_ROOT_DIR}/core/installers/awgInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/wireguardInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/openvpnInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/xrayInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/torInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/sftpInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/socks5Installer.h
+    ${CLIENT_ROOT_DIR}/core/controllers/appSplitTunnelingController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/ipSplitTunnelingController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/allowedDnsController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/exportController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/connectionController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/settingsController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/api/servicesCatalogController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/api/subscriptionController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/api/newsController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/updateController.h
+    ${CLIENT_ROOT_DIR}/core/repositories/secureServersRepository.h
+    ${CLIENT_ROOT_DIR}/core/repositories/secureAppSettingsRepository.h
+    ${CLIENT_ROOT_DIR}/core/protocols/qmlRegisterProtocols.h
+    ${CLIENT_ROOT_DIR}/ui/utils/pages.h
+    ${CLIENT_ROOT_DIR}/ui/utils/qAutoStart.h
+    ${CLIENT_ROOT_DIR}/core/protocols/vpnProtocol.h
     ${CMAKE_CURRENT_BINARY_DIR}/version.h
-    ${CLIENT_ROOT_DIR}/core/sshclient.h
-    ${CLIENT_ROOT_DIR}/core/networkUtilities.h
-    ${CLIENT_ROOT_DIR}/core/serialization/serialization.h
-    ${CLIENT_ROOT_DIR}/core/serialization/transfer.h
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshClient.h
+    ${CLIENT_ROOT_DIR}/core/utils/networkUtilities.h
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/serialization.h
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/transfer.h
     ${CLIENT_ROOT_DIR}/../common/logger/logger.h
-    ${CLIENT_ROOT_DIR}/utils/qmlUtils.h
-    ${CLIENT_ROOT_DIR}/core/api/apiUtils.h
+    ${CLIENT_ROOT_DIR}/ui/utils/qmlUtils.h
+    ${CLIENT_ROOT_DIR}/core/utils/api/apiUtils.h
+    ${CLIENT_ROOT_DIR}/core/utils/osSignalHandler.h
+    ${CLIENT_ROOT_DIR}/core/utils/utilities.h
+    ${CLIENT_ROOT_DIR}/core/utils/managementServer.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants.h
 )
 
 # Mozilla headres
@@ -36,7 +72,6 @@ set(HEADERS ${HEADERS}
     ${CLIENT_ROOT_DIR}/mozilla/shared/ipaddress.h
     ${CLIENT_ROOT_DIR}/mozilla/shared/leakdetector.h
     ${CLIENT_ROOT_DIR}/mozilla/controllerimpl.h
-    ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.h
 )
 
 if(NOT IOS AND NOT MACOS_NE)
@@ -47,38 +82,65 @@ endif()
 
 if(NOT ANDROID)
     set(HEADERS ${HEADERS}
-        ${CLIENT_ROOT_DIR}/ui/notificationhandler.h
+        ${CLIENT_ROOT_DIR}/ui/utils/notificationHandler.h
     )
 endif()
 
 set(SOURCES ${SOURCES}
-    ${CLIENT_ROOT_DIR}/migrations.cpp
-    ${CLIENT_ROOT_DIR}/amnezia_application.cpp
-    ${CLIENT_ROOT_DIR}/containers/containers_defs.cpp
-    ${CLIENT_ROOT_DIR}/core/errorstrings.cpp
-    ${CLIENT_ROOT_DIR}/core/scripts_registry.cpp
-    ${CLIENT_ROOT_DIR}/core/server_defs.cpp
-    ${CLIENT_ROOT_DIR}/core/qrCodeUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/migrations.cpp
+    ${CLIENT_ROOT_DIR}/amneziaApplication.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/errorStrings.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/containers/containerUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/protocols/protocolUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/scriptsRegistry.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/qrCodeUtils.cpp
     ${CLIENT_ROOT_DIR}/core/controllers/coreController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/coreSignalHandlers.cpp
     ${CLIENT_ROOT_DIR}/core/controllers/gatewayController.cpp
-    ${CLIENT_ROOT_DIR}/core/controllers/serverController.cpp
-    ${CLIENT_ROOT_DIR}/core/controllers/vpnConfigurationController.cpp
-    ${CLIENT_ROOT_DIR}/protocols/protocols_defs.cpp
-    ${CLIENT_ROOT_DIR}/ui/qautostart.cpp
-    ${CLIENT_ROOT_DIR}/protocols/vpnprotocol.cpp
-    ${CLIENT_ROOT_DIR}/core/sshclient.cpp
-    ${CLIENT_ROOT_DIR}/core/networkUtilities.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/outbound.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/inbound.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/ss.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/ssd.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/vless.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/trojan.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/vmess.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/vmess_new.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshSession.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/serversController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/usersController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/installController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/exportController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/importController.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/installerBase.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/awgInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/wireguardInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/openvpnInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/xrayInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/torInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/sftpInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/socks5Installer.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/appSplitTunnelingController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/ipSplitTunnelingController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/allowedDnsController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/exportController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/connectionController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/settingsController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/api/servicesCatalogController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/api/subscriptionController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/api/newsController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/updateController.cpp
+    ${CLIENT_ROOT_DIR}/core/repositories/secureServersRepository.cpp
+    ${CLIENT_ROOT_DIR}/core/repositories/secureAppSettingsRepository.cpp
+    ${CLIENT_ROOT_DIR}/ui/utils/qAutoStart.cpp
+    ${CLIENT_ROOT_DIR}/core/protocols/vpnProtocol.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshClient.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/networkUtilities.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/outbound.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/inbound.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/ss.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/ssd.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/vless.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/trojan.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/vmess.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/vmess_new.cpp
     ${CLIENT_ROOT_DIR}/../common/logger/logger.cpp
-    ${CLIENT_ROOT_DIR}/utils/qmlUtils.cpp
-    ${CLIENT_ROOT_DIR}/core/api/apiUtils.cpp
+    ${CLIENT_ROOT_DIR}/ui/utils/qmlUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/api/apiUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/osSignalHandler.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/utilities.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/managementServer.cpp
 )
 
 # Mozilla sources
@@ -86,7 +148,6 @@ set(SOURCES ${SOURCES}
     ${CLIENT_ROOT_DIR}/mozilla/models/server.cpp
     ${CLIENT_ROOT_DIR}/mozilla/shared/ipaddress.cpp
     ${CLIENT_ROOT_DIR}/mozilla/shared/leakdetector.cpp
-    ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.cpp
 )
 
 if(NOT IOS AND NOT MACOS_NE)
@@ -100,29 +161,41 @@ if(APPLE AND NOT IOS)
     list(APPEND HEADERS
         ${CLIENT_ROOT_DIR}/platforms/macos/macosutils.h
         ${CLIENT_ROOT_DIR}/platforms/macos/macosstatusicon.h
-        ${CLIENT_ROOT_DIR}/ui/macos_util.h
+        ${CLIENT_ROOT_DIR}/ui/utils/macosUtil.h
     )
     list(APPEND SOURCES
         ${CLIENT_ROOT_DIR}/platforms/macos/macosutils.mm
         ${CLIENT_ROOT_DIR}/platforms/macos/macosstatusicon.mm
-        ${CLIENT_ROOT_DIR}/ui/macos_util.mm
+        ${CLIENT_ROOT_DIR}/ui/utils/macosUtil.mm
     )
 endif()
 
 if(NOT ANDROID)
     set(SOURCES ${SOURCES}
-        ${CLIENT_ROOT_DIR}/ui/notificationhandler.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/notificationHandler.cpp
     )
 endif()
 
-file(GLOB COMMON_FILES_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/*.h)
-file(GLOB COMMON_FILES_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/*.cpp)
+set(COMMON_FILES_H
+    ${CLIENT_ROOT_DIR}/amneziaApplication.h
+    ${CLIENT_ROOT_DIR}/secureQSettings.h
+    ${CLIENT_ROOT_DIR}/vpnConnection.h
+)
+
+set(COMMON_FILES_CPP
+    ${CLIENT_ROOT_DIR}/amneziaApplication.cpp
+    ${CLIENT_ROOT_DIR}/secureQSettings.cpp
+    ${CLIENT_ROOT_DIR}/vpnConnection.cpp
+)
 
 file(GLOB_RECURSE PAGE_LOGIC_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/ui/pages_logic/*.h)
 file(GLOB_RECURSE PAGE_LOGIC_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/ui/pages_logic/*.cpp)
 
-file(GLOB CONFIGURATORS_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/configurators/*.h)
-file(GLOB CONFIGURATORS_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/configurators/*.cpp)
+file(GLOB CONFIGURATORS_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/core/configurators/*.h)
+file(GLOB CONFIGURATORS_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/core/configurators/*.cpp)
+
+file(GLOB_RECURSE CORE_MODELS_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/core/models/*.h)
+file(GLOB_RECURSE CORE_MODELS_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/core/models/*.cpp)
 
 file(GLOB UI_MODELS_H CONFIGURE_DEPENDS
     ${CLIENT_ROOT_DIR}/ui/models/*.h
@@ -140,16 +213,21 @@ file(GLOB UI_MODELS_CPP CONFIGURE_DEPENDS
 file(GLOB UI_CONTROLLERS_H CONFIGURE_DEPENDS
     ${CLIENT_ROOT_DIR}/ui/controllers/*.h
     ${CLIENT_ROOT_DIR}/ui/controllers/api/*.h
+    ${CLIENT_ROOT_DIR}/ui/controllers/qml/*.h
+    ${CLIENT_ROOT_DIR}/ui/controllers/selfhosted/*.h
 )
 file(GLOB UI_CONTROLLERS_CPP CONFIGURE_DEPENDS
     ${CLIENT_ROOT_DIR}/ui/controllers/*.cpp
     ${CLIENT_ROOT_DIR}/ui/controllers/api/*.cpp
+    ${CLIENT_ROOT_DIR}/ui/controllers/qml/*.cpp
+    ${CLIENT_ROOT_DIR}/ui/controllers/selfhosted/*.cpp
 )
 
 set(HEADERS ${HEADERS}
     ${COMMON_FILES_H}
     ${PAGE_LOGIC_H}
     ${CONFIGURATORS_H}
+    ${CORE_MODELS_H}
     ${UI_MODELS_H}
     ${UI_CONTROLLERS_H}
 )
@@ -157,17 +235,18 @@ set(SOURCES ${SOURCES}
     ${COMMON_FILES_CPP}
     ${PAGE_LOGIC_CPP}
     ${CONFIGURATORS_CPP}
+    ${CORE_MODELS_CPP}
     ${UI_MODELS_CPP}
     ${UI_CONTROLLERS_CPP}
 )
 
 if(WIN32)
     set(HEADERS ${HEADERS}
-        ${CLIENT_ROOT_DIR}/protocols/ikev2_vpn_protocol_windows.h
+        ${CLIENT_ROOT_DIR}/core/protocols/ikev2VpnProtocolWindows.h
     )
 
     set(SOURCES ${SOURCES}
-        ${CLIENT_ROOT_DIR}/protocols/ikev2_vpn_protocol_windows.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/ikev2VpnProtocolWindows.cpp
     )
 
     set(RESOURCES ${RESOURCES}
@@ -175,31 +254,38 @@ if(WIN32)
     )
 endif()
 
-if(WIN32 OR (APPLE AND NOT IOS) OR (LINUX AND NOT ANDROID))
+if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
     message("Client desktop build")
     add_compile_definitions(AMNEZIA_DESKTOP)
 
     set(HEADERS ${HEADERS}
-        ${CLIENT_ROOT_DIR}/core/ipcclient.h
-        ${CLIENT_ROOT_DIR}/core/privileged_process.h
-        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.h
-        ${CLIENT_ROOT_DIR}/protocols/openvpnprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/openvpnovercloakprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/shadowsocksvpnprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/wireguardprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/xrayprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/awgprotocol.h
+        ${CLIENT_ROOT_DIR}/core/utils/ipcClient.h
+        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.h
+        ${CLIENT_ROOT_DIR}/core/protocols/openVpnProtocol.h
+        ${CLIENT_ROOT_DIR}/core/protocols/wireGuardProtocol.h
+        ${CLIENT_ROOT_DIR}/core/protocols/xrayProtocol.h
+        ${CLIENT_ROOT_DIR}/core/protocols/awgProtocol.h
+        ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.h
     )
 
     set(SOURCES ${SOURCES}
-        ${CLIENT_ROOT_DIR}/core/ipcclient.cpp
-        ${CLIENT_ROOT_DIR}/core/privileged_process.cpp
-        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.cpp
-        ${CLIENT_ROOT_DIR}/protocols/openvpnprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/openvpnovercloakprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/shadowsocksvpnprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/wireguardprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/xrayprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/awgprotocol.cpp
+        ${CLIENT_ROOT_DIR}/core/utils/ipcClient.cpp
+        ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/openVpnProtocol.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/wireGuardProtocol.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/xrayProtocol.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/awgProtocol.cpp
+    )
+endif()
+
+if(APPLE AND MACOS_NE)
+    # Include only the tray notification handler in NE builds
+    set(HEADERS ${HEADERS}
+        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.h
+    )
+
+    set(SOURCES ${SOURCES}
+        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.cpp
     )
 endif()

client/configurators/awg_configurator.cpp

@@ -1,61 +0,0 @@
-#include "awg_configurator.h"
-#include "protocols/protocols_defs.h"
-
-#include <QJsonDocument>
-#include <QJsonObject>
-
-AwgConfigurator::AwgConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : WireguardConfigurator(settings, serverController, true, parent)
-{
-}
-
-QString AwgConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                      ErrorCode &errorCode)
-{
-    QString config = WireguardConfigurator::createConfig(credentials, container, containerConfig, errorCode);
-
-    QJsonObject jsonConfig = QJsonDocument::fromJson(config.toUtf8()).object();
-    QString awgConfig = jsonConfig.value(config_key::config).toString();
-
-    QMap<QString, QString> configMap;
-    auto configLines = awgConfig.split("\n");
-    for (auto &line : configLines) {
-        auto trimmedLine = line.trimmed();
-        if (trimmedLine.startsWith("[") && trimmedLine.endsWith("]")) {
-            continue;
-        } else {
-            QStringList parts = trimmedLine.split(" = ");
-            if (parts.count() == 2) {
-                configMap.insert(parts[0].trimmed(), parts[1].trimmed());
-            }
-        }
-    }
-
-    jsonConfig[config_key::junkPacketCount] = configMap.value(config_key::junkPacketCount);
-    jsonConfig[config_key::junkPacketMinSize] = configMap.value(config_key::junkPacketMinSize);
-    jsonConfig[config_key::junkPacketMaxSize] = configMap.value(config_key::junkPacketMaxSize);
-    jsonConfig[config_key::initPacketJunkSize] = configMap.value(config_key::initPacketJunkSize);
-    jsonConfig[config_key::responsePacketJunkSize] = configMap.value(config_key::responsePacketJunkSize);
-    jsonConfig[config_key::initPacketMagicHeader] = configMap.value(config_key::initPacketMagicHeader);
-    jsonConfig[config_key::responsePacketMagicHeader] = configMap.value(config_key::responsePacketMagicHeader);
-    jsonConfig[config_key::underloadPacketMagicHeader] = configMap.value(config_key::underloadPacketMagicHeader);
-    jsonConfig[config_key::transportPacketMagicHeader] = configMap.value(config_key::transportPacketMagicHeader);
-
-    // jsonConfig[config_key::cookieReplyPacketJunkSize] = configMap.value(config_key::cookieReplyPacketJunkSize);
-    // jsonConfig[config_key::transportPacketJunkSize] = configMap.value(config_key::transportPacketJunkSize);
-
-    // jsonConfig[config_key::specialJunk1] = configMap.value(amnezia::config_key::specialJunk1);
-    // jsonConfig[config_key::specialJunk2] = configMap.value(amnezia::config_key::specialJunk2);
-    // jsonConfig[config_key::specialJunk3] = configMap.value(amnezia::config_key::specialJunk3);
-    // jsonConfig[config_key::specialJunk4] = configMap.value(amnezia::config_key::specialJunk4);
-    // jsonConfig[config_key::specialJunk5] = configMap.value(amnezia::config_key::specialJunk5);
-    // jsonConfig[config_key::controlledJunk1] = configMap.value(amnezia::config_key::controlledJunk1);
-    // jsonConfig[config_key::controlledJunk2] = configMap.value(amnezia::config_key::controlledJunk2);
-    // jsonConfig[config_key::controlledJunk3] = configMap.value(amnezia::config_key::controlledJunk3);
-    // jsonConfig[config_key::specialHandshakeTimeout] = configMap.value(amnezia::config_key::specialHandshakeTimeout);
-
-    jsonConfig[config_key::mtu] =
-            containerConfig.value(ProtocolProps::protoToString(Proto::Awg)).toObject().value(config_key::mtu).toString(protocols::awg::defaultMtu);
-
-    return QJsonDocument(jsonConfig).toJson();
-}

client/configurators/awg_configurator.h

@@ -1,18 +0,0 @@
-#ifndef AWGCONFIGURATOR_H
-#define AWGCONFIGURATOR_H
-
-#include <QObject>
-
-#include "wireguard_configurator.h"
-
-class AwgConfigurator : public WireguardConfigurator
-{
-    Q_OBJECT
-public:
-    AwgConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-};
-
-#endif // AWGCONFIGURATOR_H

client/configurators/cloak_configurator.cpp

@@ -1,51 +0,0 @@
-#include "cloak_configurator.h"
-
-#include <QFile>
-#include <QJsonDocument>
-#include <QJsonObject>
-
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-
-CloakConfigurator::CloakConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
-{
-}
-
-QString CloakConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                        ErrorCode &errorCode)
-{
-    QString cloakPublicKey =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::cloak::ckPublicKeyPath, errorCode);
-    cloakPublicKey.replace("\n", "");
-
-    if (errorCode != ErrorCode::NoError) {
-        return "";
-    }
-
-    QString cloakBypassUid =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::cloak::ckBypassUidKeyPath, errorCode);
-    cloakBypassUid.replace("\n", "");
-
-    if (errorCode != ErrorCode::NoError) {
-        return "";
-    }
-
-    QJsonObject config;
-    config.insert("Transport", "direct");
-    config.insert("ProxyMethod", "openvpn");
-    config.insert("EncryptionMethod", "aes-gcm");
-    config.insert("UID", cloakBypassUid);
-    config.insert("PublicKey", cloakPublicKey);
-    config.insert("ServerName", "$FAKE_WEB_SITE_ADDRESS");
-    config.insert("NumConn", 1);
-    config.insert("BrowserSig", "chrome");
-    config.insert("StreamTimeout", 300);
-    config.insert("RemoteHost", credentials.hostName);
-    config.insert("RemotePort", "$CLOAK_SERVER_PORT");
-
-    QString textCfg = m_serverController->replaceVars(QJsonDocument(config).toJson(),
-                                                      m_serverController->genVarsForScript(credentials, container, containerConfig));
-
-    return textCfg;
-}

client/configurators/cloak_configurator.h

@@ -1,20 +0,0 @@
-#ifndef CLOAK_CONFIGURATOR_H
-#define CLOAK_CONFIGURATOR_H
-
-#include <QObject>
-
-#include "configurator_base.h"
-
-using namespace amnezia;
-
-class CloakConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    CloakConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-};
-
-#endif // CLOAK_CONFIGURATOR_H

client/configurators/configurator_base.cpp

@@ -1,26 +0,0 @@
-#include "configurator_base.h"
-
-ConfiguratorBase::ConfiguratorBase(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : QObject { parent }, m_settings(settings), m_serverController(serverController)
-{
-}
-
-QString ConfiguratorBase::processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                         QString &protocolConfigString)
-{
-    processConfigWithDnsSettings(dns, protocolConfigString);
-    return protocolConfigString;
-}
-
-QString ConfiguratorBase::processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                          QString &protocolConfigString)
-{
-    processConfigWithDnsSettings(dns, protocolConfigString);
-    return protocolConfigString;
-}
-
-void ConfiguratorBase::processConfigWithDnsSettings(const QPair<QString, QString> &dns, QString &protocolConfigString)
-{
-    protocolConfigString.replace("$PRIMARY_DNS", dns.first);
-    protocolConfigString.replace("$SECONDARY_DNS", dns.second);
-}

client/configurators/configurator_base.h

@@ -1,33 +0,0 @@
-#ifndef CONFIGURATORBASE_H
-#define CONFIGURATORBASE_H
-
-#include <QObject>
-
-#include "containers/containers_defs.h"
-#include "core/defs.h"
-#include "core/controllers/serverController.h"
-#include "settings.h"
-
-class ConfiguratorBase : public QObject
-{
-    Q_OBJECT
-public:
-    explicit ConfiguratorBase(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    virtual QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                 const QJsonObject &containerConfig, ErrorCode &errorCode) = 0;
-
-    virtual QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                   QString &protocolConfigString);
-    virtual QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                    QString &protocolConfigString);
-
-protected:
-    void processConfigWithDnsSettings(const QPair<QString, QString> &dns, QString &protocolConfigString);
-
-    std::shared_ptr<Settings> m_settings;
-    QSharedPointer<ServerController> m_serverController;
-
-};
-
-#endif // CONFIGURATORBASE_H

client/configurators/ikev2_configurator.h

@@ -1,35 +0,0 @@
-#ifndef IKEV2_CONFIGURATOR_H
-#define IKEV2_CONFIGURATOR_H
-
-#include <QObject>
-#include <QProcessEnvironment>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class Ikev2Configurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    Ikev2Configurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    struct ConnectionData {
-        QByteArray clientCert; // p12 client cert
-        QByteArray caCert; // p12 server cert
-        QString clientId;
-        QString password; // certificate password
-        QString host; // host ip
-    };
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-
-    QString genIkev2Config(const ConnectionData &connData);
-    QString genMobileConfig(const ConnectionData &connData);
-    QString genStrongSwanConfig(const ConnectionData &connData);
-
-    ConnectionData prepareIkev2Config(const ServerCredentials &credentials,
-        DockerContainer container, ErrorCode &errorCode);
-};
-
-#endif // IKEV2_CONFIGURATOR_H

client/configurators/openvpn_configurator.h

@@ -1,43 +0,0 @@
-#ifndef OPENVPN_CONFIGURATOR_H
-#define OPENVPN_CONFIGURATOR_H
-
-#include <QObject>
-#include <QProcessEnvironment>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class OpenVpnConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    OpenVpnConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    struct ConnectionData
-    {
-        QString clientId;
-        QString request;    // certificate request
-        QString privKey;    // client private key
-        QString clientCert; // client signed certificate
-        QString caCert;     // server certificate
-        QString taKey;      // tls-auth key
-        QString host;       // host ip
-    };
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-
-    QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                           QString &protocolConfigString);
-    QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                            QString &protocolConfigString);
-
-    static ConnectionData createCertRequest();
-
-private:
-    ConnectionData prepareOpenVpnConfig(const ServerCredentials &credentials, DockerContainer container,
-                                        ErrorCode &errorCode);
-    ErrorCode signCert(DockerContainer container, const ServerCredentials &credentials, QString clientId);
-};
-
-#endif // OPENVPN_CONFIGURATOR_H

client/configurators/shadowsocks_configurator.cpp

@@ -1,40 +0,0 @@
-#include "shadowsocks_configurator.h"
-
-#include <QFile>
-#include <QJsonDocument>
-#include <QJsonObject>
-
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-
-ShadowSocksConfigurator::ShadowSocksConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
-                                                 QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
-{
-}
-
-QString ShadowSocksConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                              const QJsonObject &containerConfig, ErrorCode &errorCode)
-{
-    QString ssKey =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::shadowsocks::ssKeyPath, errorCode);
-    ssKey.replace("\n", "");
-
-    if (errorCode != ErrorCode::NoError) {
-        return "";
-    }
-
-    QJsonObject config;
-    config.insert("server", credentials.hostName);
-    config.insert("server_port", "$SHADOWSOCKS_SERVER_PORT");
-    config.insert("local_port", "$SHADOWSOCKS_LOCAL_PORT");
-    config.insert("password", ssKey);
-    config.insert("timeout", 60);
-    config.insert("method", "$SHADOWSOCKS_CIPHER");
-
-    QString textCfg = m_serverController->replaceVars(QJsonDocument(config).toJson(),
-                                                      m_serverController->genVarsForScript(credentials, container, containerConfig));
-
-    // qDebug().noquote() << textCfg;
-    return textCfg;
-}

client/configurators/shadowsocks_configurator.h

@@ -1,19 +0,0 @@
-#ifndef SHADOWSOCKS_CONFIGURATOR_H
-#define SHADOWSOCKS_CONFIGURATOR_H
-
-#include <QObject>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class ShadowSocksConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    ShadowSocksConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-};
-
-#endif // SHADOWSOCKS_CONFIGURATOR_H

client/configurators/ssh_configurator.cpp

@@ -1,112 +0,0 @@
-#include "ssh_configurator.h"
-
-#include <QDebug>
-#include <QObject>
-#include <QProcess>
-#include <QString>
-#include <QTemporaryDir>
-#include <QTemporaryFile>
-#include <QThread>
-#include <qtimer.h>
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
-    #include <QGuiApplication>
-#else
-    #include <QApplication>
-#endif
-
-#include "core/server_defs.h"
-#include "utilities.h"
-
-SshConfigurator::SshConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
-{
-}
-
-QString SshConfigurator::convertOpenSShKey(const QString &key)
-{
-#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
-    QProcess p;
-    p.setProcessChannelMode(QProcess::MergedChannels);
-
-    QTemporaryFile tmp;
-    #ifdef QT_DEBUG
-    tmp.setAutoRemove(false);
-    #endif
-    tmp.open();
-    tmp.write(key.toUtf8());
-    tmp.close();
-
-    // ssh-keygen -p -P "" -N "" -m pem -f id_ssh
-
-    #ifdef Q_OS_WIN
-    p.setProcessEnvironment(prepareEnv());
-    p.setProgram("cmd.exe");
-    p.setNativeArguments(QString("/C \"ssh-keygen.exe -p -P \"\" -N \"\" -m pem -f \"%1\"\"").arg(tmp.fileName()));
-    #else
-    p.setProgram("ssh-keygen");
-    p.setArguments(QStringList() << "-p"
-                                 << "-P"
-                                 << ""
-                                 << "-N"
-                                 << ""
-                                 << "-m"
-                                 << "pem"
-                                 << "-f" << tmp.fileName());
-    #endif
-
-    p.start();
-    p.waitForFinished();
-
-    qDebug().noquote() << "OpenVpnConfigurator::convertOpenSShKey" << p.exitCode() << p.exitStatus() << p.readAll();
-
-    tmp.open();
-
-    return tmp.readAll();
-#else
-    return key;
-#endif
-}
-
-// DEAD CODE.
-void SshConfigurator::openSshTerminal(const ServerCredentials &credentials)
-{
-#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
-    QProcess *p = new QProcess();
-    p->setProcessChannelMode(QProcess::SeparateChannels);
-
-    #ifdef Q_OS_WIN
-    p->setProcessEnvironment(prepareEnv());
-    p->setProgram(qApp->applicationDirPath() + "\\cygwin\\putty.exe");
-
-    if (credentials.secretData.contains("PRIVATE KEY")) {
-        // todo: connect by key
-        //        p->setNativeArguments(QString("%1@%2")
-        //            .arg(credentials.userName).arg(credentials.hostName).arg(credentials.secretData));
-    } else {
-        p->setNativeArguments(QString("%1@%2 -pw %3").arg(credentials.userName).arg(credentials.hostName).arg(credentials.secretData));
-    }
-    #else
-    p->setProgram("/bin/bash");
-    #endif
-
-    p->startDetached();
-#endif
-}
-
-QProcessEnvironment SshConfigurator::prepareEnv()
-{
-    QProcessEnvironment env = QProcessEnvironment::systemEnvironment();
-    QString pathEnvVar = env.value("PATH");
-
-#ifdef Q_OS_WIN
-    pathEnvVar.clear();
-    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\cygwin;");
-    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\openvpn;");
-#elif defined(Q_OS_MACX) && !defined(MACOS_NE)
-    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "/Contents/MacOS");
-#endif
-
-    env.insert("PATH", pathEnvVar);
-    // qDebug().noquote() << "ENV PATH" << pathEnvVar;
-    return env;
-}

client/configurators/ssh_configurator.h

@@ -1,22 +0,0 @@
-#ifndef SSH_CONFIGURATOR_H
-#define SSH_CONFIGURATOR_H
-
-#include <QObject>
-#include <QProcessEnvironment>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class SshConfigurator : ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    SshConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QProcessEnvironment prepareEnv();
-    QString convertOpenSShKey(const QString &key);
-    void openSshTerminal(const ServerCredentials &credentials);
-
-};
-
-#endif // SSH_CONFIGURATOR_H

client/configurators/wireguard_configurator.cpp

@@ -1,234 +0,0 @@
-#include "wireguard_configurator.h"
-
-#include <QDebug>
-#include <QJsonDocument>
-#include <QProcess>
-#include <QRegularExpression>
-#include <QString>
-#include <QTemporaryDir>
-#include <QTemporaryFile>
-
-#include <openssl/pem.h>
-#include <openssl/rand.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-#include "core/scripts_registry.h"
-#include "core/server_defs.h"
-#include "settings.h"
-#include "utilities.h"
-
-WireguardConfigurator::WireguardConfigurator(std::shared_ptr<Settings> settings,
-                                             const QSharedPointer<ServerController> &serverController, bool isAwg,
-                                             QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent), m_isAwg(isAwg)
-{
-    m_serverConfigPath =
-            m_isAwg ? amnezia::protocols::awg::serverConfigPath : amnezia::protocols::wireguard::serverConfigPath;
-    m_serverPublicKeyPath =
-            m_isAwg ? amnezia::protocols::awg::serverPublicKeyPath : amnezia::protocols::wireguard::serverPublicKeyPath;
-    m_serverPskKeyPath =
-            m_isAwg ? amnezia::protocols::awg::serverPskKeyPath : amnezia::protocols::wireguard::serverPskKeyPath;
-    m_configTemplate = m_isAwg ? ProtocolScriptType::awg_template : ProtocolScriptType::wireguard_template;
-
-    m_protocolName = m_isAwg ? config_key::awg : config_key::wireguard;
-    m_defaultPort = m_isAwg ? protocols::wireguard::defaultPort : protocols::awg::defaultPort;
-}
-
-WireguardConfigurator::ConnectionData WireguardConfigurator::genClientKeys()
-{
-    // TODO review
-    constexpr size_t EDDSA_KEY_LENGTH = 32;
-
-    ConnectionData connData;
-
-    unsigned char buff[EDDSA_KEY_LENGTH];
-    int ret = RAND_priv_bytes(buff, EDDSA_KEY_LENGTH);
-    if (ret <= 0)
-        return connData;
-
-    EVP_PKEY *pKey = EVP_PKEY_new();
-    q_check_ptr(pKey);
-    pKey = EVP_PKEY_new_raw_private_key(EVP_PKEY_X25519, NULL, &buff[0], EDDSA_KEY_LENGTH);
-
-    size_t keySize = EDDSA_KEY_LENGTH;
-
-    // save private key
-    unsigned char priv[EDDSA_KEY_LENGTH];
-    EVP_PKEY_get_raw_private_key(pKey, priv, &keySize);
-    connData.clientPrivKey = QByteArray::fromRawData((char *)priv, keySize).toBase64();
-
-    // save public key
-    unsigned char pub[EDDSA_KEY_LENGTH];
-    EVP_PKEY_get_raw_public_key(pKey, pub, &keySize);
-    connData.clientPubKey = QByteArray::fromRawData((char *)pub, keySize).toBase64();
-
-    return connData;
-}
-
-QList<QHostAddress> WireguardConfigurator::getIpsFromConf(const QString &input)
-{
-    QRegularExpression regex("AllowedIPs = (\\d+\\.\\d+\\.\\d+\\.\\d+)");
-    QRegularExpressionMatchIterator matchIterator = regex.globalMatch(input);
-
-    QList<QHostAddress> ips;
-
-    while (matchIterator.hasNext()) {
-        QRegularExpressionMatch match = matchIterator.next();
-        const QString address_string { match.captured(1) };
-        const QHostAddress address { address_string };
-        if (address.isNull()) {
-            qWarning() << "Couldn't recognize the ip address: " << address_string;
-        } else {
-            ips << address;
-        }
-    }
-
-    return ips;
-}
-
-WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardConfig(const ServerCredentials &credentials,
-                                                                                    DockerContainer container,
-                                                                                    const QJsonObject &containerConfig,
-                                                                                    ErrorCode &errorCode)
-{
-    WireguardConfigurator::ConnectionData connData = WireguardConfigurator::genClientKeys();
-    connData.host = credentials.hostName;
-    connData.port = containerConfig.value(m_protocolName).toObject().value(config_key::port).toString(m_defaultPort);
-
-    if (connData.clientPrivKey.isEmpty() || connData.clientPubKey.isEmpty()) {
-        errorCode = ErrorCode::InternalError;
-        return connData;
-    }
-
-    QString getIpsScript = QString("cat %1 | grep AllowedIPs").arg(m_serverConfigPath);
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-
-    errorCode = m_serverController->runContainerScript(credentials, container, getIpsScript, cbReadStdOut);
-    if (errorCode != ErrorCode::NoError) {
-        return connData;
-    }
-    auto ips = getIpsFromConf(stdOut);
-
-    QHostAddress nextIp = [&] {
-        QHostAddress result;
-        QHostAddress lastIp;
-        if (ips.empty()) {
-            lastIp.setAddress(containerConfig.value(m_protocolName)
-                                      .toObject()
-                                      .value(config_key::subnet_address)
-                                      .toString(protocols::wireguard::defaultSubnetAddress));
-        } else {
-            lastIp = ips.last();
-        }
-        quint8 lastOctet = static_cast<quint8>(lastIp.toIPv4Address());
-        switch (lastOctet) {
-        case 254: result.setAddress(lastIp.toIPv4Address() + 3); break;
-        case 255: result.setAddress(lastIp.toIPv4Address() + 2); break;
-        default: result.setAddress(lastIp.toIPv4Address() + 1); break;
-        }
-
-        return result;
-    }();
-
-    connData.clientIP = nextIp.toString();
-
-    // Get keys
-    connData.serverPubKey =
-            m_serverController->getTextFileFromContainer(container, credentials, m_serverPublicKeyPath, errorCode);
-    connData.serverPubKey.replace("\n", "");
-    if (errorCode != ErrorCode::NoError) {
-        return connData;
-    }
-
-    connData.pskKey = m_serverController->getTextFileFromContainer(container, credentials, m_serverPskKeyPath, errorCode);
-    connData.pskKey.replace("\n", "");
-
-    if (errorCode != ErrorCode::NoError) {
-        return connData;
-    }
-
-    // Add client to config
-    QString configPart = QString("[Peer]\n"
-                                 "PublicKey = %1\n"
-                                 "PresharedKey = %2\n"
-                                 "AllowedIPs = %3/32\n\n")
-                                 .arg(connData.clientPubKey, connData.pskKey, connData.clientIP);
-
-    errorCode = m_serverController->uploadTextFileToContainer(container, credentials, configPart, m_serverConfigPath,
-                                                              libssh::ScpOverwriteMode::ScpAppendToExisting);
-
-    if (errorCode != ErrorCode::NoError) {
-        return connData;
-    }
-
-    QString script = QString("sudo docker exec -i $CONTAINER_NAME bash -c 'wg syncconf wg0 <(wg-quick strip %1)'")
-                             .arg(m_serverConfigPath);
-
-    errorCode = m_serverController->runScript(
-            credentials,
-            m_serverController->replaceVars(script, m_serverController->genVarsForScript(credentials, container)));
-
-    return connData;
-}
-
-QString WireguardConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                            const QJsonObject &containerConfig, ErrorCode &errorCode)
-{
-    QString scriptData = amnezia::scriptData(m_configTemplate, container);
-    QString config = m_serverController->replaceVars(
-            scriptData, m_serverController->genVarsForScript(credentials, container, containerConfig));
-
-    ConnectionData connData = prepareWireguardConfig(credentials, container, containerConfig, errorCode);
-    if (errorCode != ErrorCode::NoError) {
-        return "";
-    }
-
-    config.replace("$WIREGUARD_CLIENT_PRIVATE_KEY", connData.clientPrivKey);
-    config.replace("$WIREGUARD_CLIENT_IP", connData.clientIP);
-    config.replace("$WIREGUARD_SERVER_PUBLIC_KEY", connData.serverPubKey);
-    config.replace("$WIREGUARD_PSK", connData.pskKey);
-
-    const QJsonObject &wireguarConfig = containerConfig.value(ProtocolProps::protoToString(Proto::WireGuard)).toObject();
-    QJsonObject jConfig;
-    jConfig[config_key::config] = config;
-
-    jConfig[config_key::hostName] = connData.host;
-    jConfig[config_key::port] = connData.port.toInt();
-    jConfig[config_key::client_priv_key] = connData.clientPrivKey;
-    jConfig[config_key::client_ip] = connData.clientIP;
-    jConfig[config_key::client_pub_key] = connData.clientPubKey;
-    jConfig[config_key::psk_key] = connData.pskKey;
-    jConfig[config_key::server_pub_key] = connData.serverPubKey;
-    jConfig[config_key::mtu] = wireguarConfig.value(config_key::mtu).toString(protocols::wireguard::defaultMtu);
-
-    jConfig[config_key::persistent_keep_alive] = "25";
-    QJsonArray allowedIps { "0.0.0.0/0", "::/0" };
-    jConfig[config_key::allowed_ips] = allowedIps;
-
-    jConfig[config_key::clientId] = connData.clientPubKey;
-
-    return QJsonDocument(jConfig).toJson();
-}
-
-QString WireguardConfigurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns,
-                                                              const bool isApiConfig, QString &protocolConfigString)
-{
-    processConfigWithDnsSettings(dns, protocolConfigString);
-
-    return protocolConfigString;
-}
-
-QString WireguardConfigurator::processConfigWithExportSettings(const QPair<QString, QString> &dns,
-                                                               const bool isApiConfig, QString &protocolConfigString)
-{
-    processConfigWithDnsSettings(dns, protocolConfigString);
-
-    return protocolConfigString;
-}

client/configurators/wireguard_configurator.h

@@ -1,54 +0,0 @@
-#ifndef WIREGUARD_CONFIGURATOR_H
-#define WIREGUARD_CONFIGURATOR_H
-
-#include <QHostAddress>
-#include <QObject>
-#include <QProcessEnvironment>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-#include "core/scripts_registry.h"
-
-class WireguardConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    WireguardConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
-                          bool isAwg, QObject *parent = nullptr);
-
-    struct ConnectionData
-    {
-        QString clientPrivKey; // client private key
-        QString clientPubKey;  // client public key
-        QString clientIP;      // internal client IP address
-        QString serverPubKey;  // tls-auth key
-        QString pskKey;        // preshared key
-        QString host;          // host ip
-        QString port;
-    };
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-
-    QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                           QString &protocolConfigString);
-    QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                            QString &protocolConfigString);
-
-    static ConnectionData genClientKeys();
-
-private:
-    QList<QHostAddress> getIpsFromConf(const QString &input);
-    ConnectionData prepareWireguardConfig(const ServerCredentials &credentials, DockerContainer container,
-                                          const QJsonObject &containerConfig, ErrorCode &errorCode);
-
-    bool m_isAwg;
-    QString m_serverConfigPath;
-    QString m_serverPublicKeyPath;
-    QString m_serverPskKeyPath;
-    amnezia::ProtocolScriptType m_configTemplate;
-    QString m_protocolName;
-    QString m_defaultPort;
-};
-
-#endif // WIREGUARD_CONFIGURATOR_H

client/configurators/xray_configurator.h

@@ -1,23 +0,0 @@
-#ifndef XRAY_CONFIGURATOR_H
-#define XRAY_CONFIGURATOR_H
-
-#include <QObject>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class XrayConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    XrayConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                         ErrorCode &errorCode);
-
-private:
-    QString prepareServerConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                ErrorCode &errorCode);
-};
-
-#endif // XRAY_CONFIGURATOR_H

client/containers/containers_defs.h

@@ -1,89 +0,0 @@
-#ifndef CONTAINERS_DEFS_H
-#define CONTAINERS_DEFS_H
-
-#include <QObject>
-#include <QQmlEngine>
-
-#include "../protocols/protocols_defs.h"
-
-using namespace amnezia;
-
-namespace amnezia
-{
-
-    namespace ContainerEnumNS
-    {
-        Q_NAMESPACE
-        enum DockerContainer {
-            None = 0,
-            Awg,
-            WireGuard,
-            OpenVpn,
-            Cloak,
-            ShadowSocks,
-            Ipsec,
-            Xray,
-            SSXray,
-
-            // non-vpn
-            TorWebSite,
-            Dns,
-            Sftp,
-            Socks5Proxy
-        };
-        Q_ENUM_NS(DockerContainer)
-    } // namespace ContainerEnumNS
-
-    using namespace ContainerEnumNS;
-    using namespace ProtocolEnumNS;
-
-    class ContainerProps : public QObject
-    {
-        Q_OBJECT
-
-    public:
-        Q_INVOKABLE static amnezia::DockerContainer containerFromString(const QString &container);
-        Q_INVOKABLE static QString containerToString(amnezia::DockerContainer container);
-        Q_INVOKABLE static QString containerTypeToString(amnezia::DockerContainer c);
-
-        Q_INVOKABLE static QList<amnezia::DockerContainer> allContainers();
-
-        Q_INVOKABLE static QMap<amnezia::DockerContainer, QString> containerHumanNames();
-        Q_INVOKABLE static QMap<amnezia::DockerContainer, QString> containerDescriptions();
-        Q_INVOKABLE static QMap<amnezia::DockerContainer, QString> containerDetailedDescriptions();
-
-        // these protocols will be displayed in container settings
-        Q_INVOKABLE static QVector<amnezia::Proto> protocolsForContainer(amnezia::DockerContainer container);
-
-        Q_INVOKABLE static amnezia::ServiceType containerService(amnezia::DockerContainer c);
-
-        // binding between Docker container and main protocol of given container
-        // it may be changed fot future containers :)
-        Q_INVOKABLE static amnezia::Proto defaultProtocol(amnezia::DockerContainer c);
-
-        Q_INVOKABLE static bool isSupportedByCurrentPlatform(amnezia::DockerContainer c);
-        Q_INVOKABLE static QStringList fixedPortsForContainer(amnezia::DockerContainer c);
-
-        static bool isEasySetupContainer(amnezia::DockerContainer container);
-        static QString easySetupHeader(amnezia::DockerContainer container);
-        static QString easySetupDescription(amnezia::DockerContainer container);
-        static int easySetupOrder(amnezia::DockerContainer container);
-
-        static bool isShareable(amnezia::DockerContainer container);
-
-        static QJsonObject getProtocolConfigFromContainer(const amnezia::Proto protocol, const QJsonObject &containerConfig);
-
-        static int installPageOrder(amnezia::DockerContainer container);
-    };
-
-    static void declareQmlContainerEnum()
-    {
-        qmlRegisterUncreatableMetaObject(ContainerEnumNS::staticMetaObject, "ContainerEnum", 1, 0, "ContainerEnum",
-                                         "Error: only enums");
-    }
-
-} // namespace amnezia
-
-QDebug operator<<(QDebug debug, const amnezia::DockerContainer &c);
-
-#endif // CONTAINERS_DEFS_H

client/core/configurators/awgConfigurator.cpp

@@ -0,0 +1,109 @@
+#include "awgConfigurator.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocols/awgProtocolConfig.h"
+
+#include <QJsonDocument>
+#include <QJsonObject>
+
+using namespace amnezia;
+
+AwgConfigurator::AwgConfigurator(SshSession* sshSession, QObject *parent)
+    : WireguardConfigurator(sshSession, true, parent)
+{
+}
+
+ProtocolConfig AwgConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const ContainerConfig &containerConfig,
+                                              const DnsSettings &dnsSettings,
+                                              ErrorCode &errorCode)
+{
+    const AwgServerConfig* serverConfig = nullptr;
+    const AwgClientConfig* clientConfig = nullptr;
+    
+    if (auto* awgProtocolConfig = containerConfig.getAwgProtocolConfig()) {
+        serverConfig = &awgProtocolConfig->serverConfig;
+        if (awgProtocolConfig->clientConfig.has_value()) {
+            clientConfig = &awgProtocolConfig->clientConfig.value();
+        }
+    }
+    
+    ProtocolConfig wireguardConfig = WireguardConfigurator::createConfig(credentials, container, containerConfig, dnsSettings, errorCode);
+    if (errorCode != ErrorCode::NoError) {
+        return AwgProtocolConfig{};
+    }
+    
+    WireGuardProtocolConfig* wgConfig = wireguardConfig.as<WireGuardProtocolConfig>();
+    if (!wgConfig || !wgConfig->clientConfig.has_value()) {
+        errorCode = ErrorCode::InternalError;
+        return AwgProtocolConfig{};
+    }
+    
+    QString awgConfig = wgConfig->clientConfig->nativeConfig;
+
+    QMap<QString, QString> configMap;
+    auto configLines = awgConfig.split("\n");
+    for (auto &line : configLines) {
+        auto trimmedLine = line.trimmed();
+        if (trimmedLine.startsWith("[") && trimmedLine.endsWith("]")) {
+            continue;
+        } else {
+            QStringList parts = trimmedLine.split(" = ");
+            if (parts.count() == 2) {
+                configMap.insert(parts[0].trimmed(), parts[1].trimmed());
+            }
+        }
+    }
+
+    AwgProtocolConfig protocolConfig;
+    if (serverConfig) {
+        protocolConfig.serverConfig = *serverConfig;
+    }
+    
+    AwgClientConfig newClientConfig;
+    newClientConfig.nativeConfig = awgConfig;
+    newClientConfig.hostName = wgConfig->clientConfig->hostName;
+    newClientConfig.port = wgConfig->clientConfig->port;
+    newClientConfig.clientIp = wgConfig->clientConfig->clientIp;
+    newClientConfig.clientPrivateKey = wgConfig->clientConfig->clientPrivateKey;
+    newClientConfig.clientPublicKey = wgConfig->clientConfig->clientPublicKey;
+    newClientConfig.serverPublicKey = wgConfig->clientConfig->serverPublicKey;
+    newClientConfig.presharedKey = wgConfig->clientConfig->presharedKey;
+    newClientConfig.clientId = wgConfig->clientConfig->clientId;
+    newClientConfig.allowedIps = wgConfig->clientConfig->allowedIps;
+    newClientConfig.persistentKeepAlive = wgConfig->clientConfig->persistentKeepAlive;
+    
+    QString mtu = protocols::awg::defaultMtu;
+    if (clientConfig && !clientConfig->mtu.isEmpty()) {
+        mtu = clientConfig->mtu;
+    }
+    newClientConfig.mtu = mtu;
+    
+    newClientConfig.junkPacketCount = configMap.value(configKey::junkPacketCount);
+    newClientConfig.junkPacketMinSize = configMap.value(configKey::junkPacketMinSize);
+    newClientConfig.junkPacketMaxSize = configMap.value(configKey::junkPacketMaxSize);
+    newClientConfig.initPacketJunkSize = configMap.value(configKey::initPacketJunkSize);
+    newClientConfig.responsePacketJunkSize = configMap.value(configKey::responsePacketJunkSize);
+    newClientConfig.initPacketMagicHeader = configMap.value(configKey::initPacketMagicHeader);
+    newClientConfig.responsePacketMagicHeader = configMap.value(configKey::responsePacketMagicHeader);
+    newClientConfig.underloadPacketMagicHeader = configMap.value(configKey::underloadPacketMagicHeader);
+    newClientConfig.transportPacketMagicHeader = configMap.value(configKey::transportPacketMagicHeader);
+    newClientConfig.specialJunk1 = configMap.value(configKey::specialJunk1);
+    newClientConfig.specialJunk2 = configMap.value(configKey::specialJunk2);
+    newClientConfig.specialJunk3 = configMap.value(configKey::specialJunk3);
+    newClientConfig.specialJunk4 = configMap.value(configKey::specialJunk4);
+    newClientConfig.specialJunk5 = configMap.value(configKey::specialJunk5);
+    
+    if (container == DockerContainer::Awg2) {
+        newClientConfig.cookieReplyPacketJunkSize = configMap.value(configKey::cookieReplyPacketJunkSize);
+        newClientConfig.transportPacketJunkSize = configMap.value(configKey::transportPacketJunkSize);
+    }
+    
+    newClientConfig.isObfuscationEnabled = false;
+    
+    protocolConfig.setClientConfig(newClientConfig);
+    
+    return protocolConfig;
+}

client/core/configurators/awgConfigurator.h

@@ -0,0 +1,20 @@
+#ifndef AWGCONFIGURATOR_H
+#define AWGCONFIGURATOR_H
+
+#include <QObject>
+
+#include "wireguardConfigurator.h"
+
+class AwgConfigurator : public WireguardConfigurator
+{
+    Q_OBJECT
+public:
+    AwgConfigurator(SshSession* sshSession, QObject *parent = nullptr);
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode) override;
+};
+
+#endif // AWGCONFIGURATOR_H

client/core/configurators/configuratorBase.cpp

@@ -0,0 +1,50 @@
+#include "configuratorBase.h"
+
+#include "core/configurators/awgConfigurator.h"
+#include "core/configurators/ikev2Configurator.h"
+#include "core/configurators/openVpnConfigurator.h"
+#include "core/configurators/wireguardConfigurator.h"
+#include "core/configurators/xrayConfigurator.h"
+
+using namespace amnezia;
+
+ConfiguratorBase::ConfiguratorBase(SshSession* sshSession, QObject *parent)
+    : QObject { parent }, m_sshSession(sshSession)
+{
+}
+
+QScopedPointer<ConfiguratorBase> ConfiguratorBase::create(Proto protocol,
+                                                          SshSession* sshSession)
+{
+    switch (protocol) {
+    case Proto::OpenVpn: return QScopedPointer<ConfiguratorBase>(new OpenVpnConfigurator(sshSession));
+    case Proto::WireGuard: return QScopedPointer<ConfiguratorBase>(new WireguardConfigurator(sshSession, false));
+    case Proto::Awg: return QScopedPointer<ConfiguratorBase>(new AwgConfigurator(sshSession));
+    case Proto::Ikev2: return QScopedPointer<ConfiguratorBase>(new Ikev2Configurator(sshSession));
+    case Proto::Xray: return QScopedPointer<ConfiguratorBase>(new XrayConfigurator(sshSession));
+    case Proto::SSXray: return QScopedPointer<ConfiguratorBase>(new XrayConfigurator(sshSession));
+    default: return QScopedPointer<ConfiguratorBase>();
+    }
+}
+
+ProtocolConfig ConfiguratorBase::processConfigWithLocalSettings(const ConnectionSettings &settings,
+                                                                 ProtocolConfig protocolConfig)
+{
+    applyDnsToNativeConfig(settings.dns, protocolConfig);
+    return protocolConfig;
+}
+
+ProtocolConfig ConfiguratorBase::processConfigWithExportSettings(const ExportSettings &settings,
+                                                                 ProtocolConfig protocolConfig)
+{
+    applyDnsToNativeConfig(settings.dns, protocolConfig);
+    return protocolConfig;
+}
+
+void ConfiguratorBase::applyDnsToNativeConfig(const DnsSettings &dns, ProtocolConfig &protocolConfig)
+{
+    QString config = protocolConfig.nativeConfig();
+    config.replace("$PRIMARY_DNS", dns.primaryDns);
+    config.replace("$SECONDARY_DNS", dns.secondaryDns);
+    protocolConfig.setNativeConfig(config);
+}

client/core/configurators/configuratorBase.h

@@ -0,0 +1,43 @@
+#ifndef CONFIGURATORBASE_H
+#define CONFIGURATORBASE_H
+
+#include <QObject>
+#include <QScopedPointer>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocolConfig.h"
+
+class SshSession;
+
+class ConfiguratorBase : public QObject
+{
+    Q_OBJECT
+public:
+    explicit ConfiguratorBase(SshSession* sshSession, QObject *parent = nullptr);
+
+    static QScopedPointer<ConfiguratorBase> create(amnezia::Proto protocol,
+                                                   SshSession* sshSession);
+
+    virtual amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                        const amnezia::ContainerConfig &containerConfig,
+                                        const amnezia::DnsSettings &dnsSettings,
+                                        amnezia::ErrorCode &errorCode) = 0;
+
+    virtual amnezia::ProtocolConfig processConfigWithLocalSettings(const amnezia::ConnectionSettings &settings,
+                                                                   amnezia::ProtocolConfig protocolConfig);
+    virtual amnezia::ProtocolConfig processConfigWithExportSettings(const amnezia::ExportSettings &settings,
+                                                                     amnezia::ProtocolConfig protocolConfig);
+
+protected:
+    void applyDnsToNativeConfig(const amnezia::DnsSettings &dns, amnezia::ProtocolConfig &protocolConfig);
+
+    SshSession* m_sshSession;
+};
+
+#endif // CONFIGURATORBASE_H

client/core/configurators/ikev2Configurator.cpp

@@ -1,4 +1,4 @@
-#include "ikev2_configurator.h"
+#include "ikev2Configurator.h"
 
 #include <QDebug>
 #include <QJsonDocument>
@@ -8,14 +8,16 @@
 #include <QTemporaryFile>
 #include <QUuid>
 
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-#include "core/scripts_registry.h"
-#include "core/server_defs.h"
-#include "utilities.h"
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "core/utils/utilities.h"
+#include "core/models/protocols/ikev2ProtocolConfig.h"
 
-Ikev2Configurator::Ikev2Configurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
+Ikev2Configurator::Ikev2Configurator(SshSession* sshSession, QObject *parent)
+    : ConfiguratorBase(sshSession, parent)
 {
 }
 
@@ -25,7 +27,6 @@ Ikev2Configurator::ConnectionData Ikev2Configurator::prepareIkev2Config(const Se
     Ikev2Configurator::ConnectionData connData;
     connData.host = credentials.hostName;
     connData.clientId = Utils::getRandomString(16);
-    connData.password = Utils::getRandomString(16);
     connData.password = "";
 
     QString certFileName = "/opt/amnezia/ikev2/clients/" + connData.clientId + ".p12";
@@ -39,14 +40,14 @@ Ikev2Configurator::ConnectionData Ikev2Configurator::prepareIkev2Config(const Se
                                        "--extKeyUsage serverAuth,clientAuth -8 \"%1\"")
                                        .arg(connData.clientId);
 
-    errorCode = m_serverController->runContainerScript(credentials, container, scriptCreateCert);
+    errorCode = m_sshSession->runContainerScript(credentials, container, scriptCreateCert);
 
     QString scriptExportCert =
             QString("pk12util -W \"%1\" -d sql:/etc/ipsec.d -n \"%2\" -o \"%3\"").arg(connData.password).arg(connData.clientId).arg(certFileName);
-    errorCode = m_serverController->runContainerScript(credentials, container, scriptExportCert);
+    errorCode = m_sshSession->runContainerScript(credentials, container, scriptExportCert);
 
-    connData.clientCert = m_serverController->getTextFileFromContainer(container, credentials, certFileName, errorCode);
-    connData.caCert = m_serverController->getTextFileFromContainer(container, credentials, "/etc/ipsec.d/ca_cert_base64.p12", errorCode);
+    connData.clientCert = m_sshSession->getTextFileFromContainer(container, credentials, certFileName, errorCode);
+    connData.caCert = m_sshSession->getTextFileFromContainer(container, credentials, "/etc/ipsec.d/ca_cert_base64.p12", errorCode);
 
     qDebug() << "Ikev2Configurator::ConnectionData client cert size:" << connData.clientCert.size();
     qDebug() << "Ikev2Configurator::ConnectionData ca cert size:" << connData.caCert.size();
@@ -54,26 +55,51 @@ Ikev2Configurator::ConnectionData Ikev2Configurator::prepareIkev2Config(const Se
     return connData;
 }
 
-QString Ikev2Configurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                        ErrorCode &errorCode)
+ProtocolConfig Ikev2Configurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const ContainerConfig &containerConfig,
+                                               const DnsSettings &dnsSettings,
+                                               ErrorCode &errorCode)
 {
-    Q_UNUSED(containerConfig)
+    const Ikev2ServerConfig* serverConfig = nullptr;
+    if (auto* ikev2Config = containerConfig.protocolConfig.as<Ikev2ProtocolConfig>()) {
+        serverConfig = &ikev2Config->serverConfig;
+    }
 
     ConnectionData connData = prepareIkev2Config(credentials, container, errorCode);
     if (errorCode != ErrorCode::NoError) {
-        return "";
+        return Ikev2ProtocolConfig{};
     }
 
-    return genIkev2Config(connData);
+    QString configJson = genIkev2Config(connData);
+    QJsonDocument doc = QJsonDocument::fromJson(configJson.toUtf8());
+    QJsonObject configObj = doc.object();
+
+    Ikev2ProtocolConfig protocolConfig;
+    if (serverConfig) {
+        protocolConfig.serverConfig = *serverConfig;
+    } else {
+        protocolConfig.serverConfig.hostName = connData.host;
+    }
+    
+    Ikev2ClientConfig clientConfig;
+    clientConfig.nativeConfig = configJson;
+    clientConfig.hostName = connData.host;
+    clientConfig.userName = connData.clientId;
+    clientConfig.cert = QString(connData.clientCert.toBase64());
+    clientConfig.password = connData.password;
+    clientConfig.clientId = connData.clientId;
+    
+    protocolConfig.setClientConfig(clientConfig);
+    
+    return protocolConfig;
 }
 
 QString Ikev2Configurator::genIkev2Config(const ConnectionData &connData)
 {
     QJsonObject config;
-    config[config_key::hostName] = connData.host;
-    config[config_key::userName] = connData.clientId;
-    config[config_key::cert] = QString(connData.clientCert.toBase64());
-    config[config_key::password] = connData.password;
+    config[configKey::hostName] = connData.host;
+    config[configKey::userName] = connData.clientId;
+    config[configKey::cert] = QString(connData.clientCert.toBase64());
+    config[configKey::password] = connData.password;
 
     return QJsonDocument(config).toJson();
 }

client/core/configurators/ikev2Configurator.h

@@ -0,0 +1,39 @@
+#ifndef IKEV2_CONFIGURATOR_H
+#define IKEV2_CONFIGURATOR_H
+
+#include <QObject>
+#include <QProcessEnvironment>
+
+#include "configuratorBase.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+
+class Ikev2Configurator : public ConfiguratorBase
+{
+    Q_OBJECT
+public:
+    Ikev2Configurator(SshSession* sshSession, QObject *parent = nullptr);
+
+    struct ConnectionData {
+        QByteArray clientCert; // p12 client cert
+        QByteArray caCert; // p12 server cert
+        QString clientId;
+        QString password; // certificate password
+        QString host; // host ip
+    };
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode) override;
+
+    QString genIkev2Config(const ConnectionData &connData);
+    QString genMobileConfig(const ConnectionData &connData);
+    QString genStrongSwanConfig(const ConnectionData &connData);
+
+    ConnectionData prepareIkev2Config(const amnezia::ServerCredentials &credentials,
+        amnezia::DockerContainer container, amnezia::ErrorCode &errorCode);
+};
+
+#endif // IKEV2_CONFIGURATOR_H

client/core/configurators/openVpnConfigurator.cpp

@@ -1,8 +1,9 @@
-#include "openvpn_configurator.h"
+#include "openVpnConfigurator.h"
 
 #include <QDebug>
 #include <QJsonDocument>
 #include <QJsonObject>
+#include <QRegularExpression>
 #include <QProcess>
 #include <QString>
 #include <QTemporaryDir>
@@ -13,26 +14,34 @@
     #include <QApplication>
 #endif
 
-#include "core/networkUtilities.h"
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-#include "core/scripts_registry.h"
-#include "settings.h"
-#include "utilities.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/utils/networkUtilities.h"
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "core/utils/utilities.h"
+#include "core/models/protocols/openVpnProtocolConfig.h"
+
+using namespace amnezia;
 
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 
 
-OpenVpnConfigurator::OpenVpnConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
-                                         QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
+OpenVpnConfigurator::OpenVpnConfigurator(SshSession* sshSession, QObject *parent)
+    : ConfiguratorBase(sshSession, parent)
 {
 }
 
 OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::prepareOpenVpnConfig(const ServerCredentials &credentials,
-                                                                              DockerContainer container, ErrorCode &errorCode)
+                                                                              DockerContainer container, 
+                                                                              const DnsSettings &dnsSettings,
+                                                                              ErrorCode &errorCode)
 {
     OpenVpnConfigurator::ConnectionData connData = OpenVpnConfigurator::createCertRequest();
     connData.host = credentials.hostName;
@@ -44,26 +53,26 @@ OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::prepareOpenVpnConfig(co
 
     QString reqFileName = QString("%1/%2.req").arg(amnezia::protocols::openvpn::clientsDirPath).arg(connData.clientId);
 
-    errorCode = m_serverController->uploadTextFileToContainer(container, credentials, connData.request, reqFileName);
+    errorCode = m_sshSession->uploadTextFileToContainer(container, credentials, connData.request, reqFileName);
     if (errorCode != ErrorCode::NoError) {
         return connData;
     }
 
-    errorCode = signCert(container, credentials, connData.clientId);
+    errorCode = signCert(container, credentials, dnsSettings, connData.clientId);
     if (errorCode != ErrorCode::NoError) {
         return connData;
     }
 
     connData.caCert =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::caCertPath, errorCode);
-    connData.clientCert = m_serverController->getTextFileFromContainer(
+            m_sshSession->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::caCertPath, errorCode);
+    connData.clientCert = m_sshSession->getTextFileFromContainer(
             container, credentials, QString("%1/%2.crt").arg(amnezia::protocols::openvpn::clientCertPath).arg(connData.clientId), errorCode);
 
     if (errorCode != ErrorCode::NoError) {
         return connData;
     }
 
-    connData.taKey = m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::taKeyPath, errorCode);
+    connData.taKey = m_sshSession->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::taKeyPath, errorCode);
 
     if (connData.caCert.isEmpty() || connData.clientCert.isEmpty() || connData.taKey.isEmpty()) {
         errorCode = ErrorCode::SshScpFailureError;
@@ -72,15 +81,23 @@ OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::prepareOpenVpnConfig(co
     return connData;
 }
 
-QString OpenVpnConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                          const QJsonObject &containerConfig, ErrorCode &errorCode)
+ProtocolConfig OpenVpnConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
+                                                  const ContainerConfig &containerConfig,
+                                                  const DnsSettings &dnsSettings,
+                                                  ErrorCode &errorCode)
 {
-    QString config = m_serverController->replaceVars(amnezia::scriptData(ProtocolScriptType::openvpn_template, container),
-                                                     m_serverController->genVarsForScript(credentials, container, containerConfig));
+    const OpenVpnServerConfig* serverConfig = nullptr;
+    if (auto* openVpnProtocolConfig = containerConfig.getOpenVpnProtocolConfig()) {
+        serverConfig = &openVpnProtocolConfig->serverConfig;
+    }
+    
+    amnezia::ScriptVars vars = amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns);
+    vars.append(amnezia::genProtocolVarsForContainer(container, containerConfig));
+    QString config = m_sshSession->replaceVars(amnezia::scriptData(ProtocolScriptType::openvpn_template, container), vars);
 
-    ConnectionData connData = prepareOpenVpnConfig(credentials, container, errorCode);
+    ConnectionData connData = prepareOpenVpnConfig(credentials, container, dnsSettings, errorCode);
     if (errorCode != ErrorCode::NoError) {
-        return "";
+        return OpenVpnProtocolConfig{};
     }
 
     auto sanitizeStaticKey = [](const QString &key) {
@@ -116,42 +133,45 @@ QString OpenVpnConfigurator::createConfig(const ServerCredentials &credentials,
     config.replace("block-outside-dns", "");
 #endif
 
-    QJsonObject jConfig;
-    jConfig[config_key::config] = config;
-
-    jConfig[config_key::clientId] = connData.clientId;
-
-    return QJsonDocument(jConfig).toJson();
+    OpenVpnProtocolConfig protocolConfig;
+    if (serverConfig) {
+        protocolConfig.serverConfig = *serverConfig;
+    }
+    
+    OpenVpnClientConfig clientConfig;
+    clientConfig.nativeConfig = config;
+    clientConfig.clientId = connData.clientId;
+    clientConfig.blockOutsideDns = false;
+    
+    protocolConfig.setClientConfig(clientConfig);
+    
+    return protocolConfig;
 }
 
-QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                            QString &protocolConfigString)
+ProtocolConfig OpenVpnConfigurator::processConfigWithLocalSettings(const ConnectionSettings &settings,
+                                                                   ProtocolConfig protocolConfig)
 {
-    processConfigWithDnsSettings(dns, protocolConfigString);
+    applyDnsToNativeConfig(settings.dns, protocolConfig);
 
-    QJsonObject json = QJsonDocument::fromJson(protocolConfigString.toUtf8()).object();
-    QString config = json[config_key::config].toString();
+    QString config = protocolConfig.nativeConfig();
 
-    if (!isApiConfig) {
+    if (!settings.isApiConfig) {
         QRegularExpression regex("redirect-gateway.*");
         config.replace(regex, "");
 
-        // We don't use secondary DNS if primary DNS is AmneziaDNS
-        if (dns.first.contains(protocols::dns::amneziaDnsIp)) {
-            QRegularExpression dnsRegex("dhcp-option DNS " + dns.second);
+        if (settings.dns.primaryDns.contains(protocols::dns::amneziaDnsIp)) {
+            QRegularExpression dnsRegex("dhcp-option DNS " + settings.dns.secondaryDns);
             config.replace(dnsRegex, "");
         }
 
-        if (!m_settings->isSitesSplitTunnelingEnabled()) {
+        if (!settings.splitTunneling.isSitesSplitTunnelingEnabled) {
             config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");
             config.append("block-ipv6\n");
-        } else if (m_settings->routeMode() == Settings::VpnOnlyForwardSites) {
-
-               // no redirect-gateway
-        } else if (m_settings->routeMode() == Settings::VpnAllExceptSites) {
+        } else if (settings.splitTunneling.routeMode == RouteMode::VpnOnlyForwardSites) {
+            // no redirect-gateway
+        } else if (settings.splitTunneling.routeMode == RouteMode::VpnAllExceptSites) {
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
             config.append("\nredirect-gateway ipv6 !ipv4 bypass-dhcp\n");
-            // Prevent ipv6 leak
 #endif
             config.append("block-ipv6\n");
         }
@@ -162,64 +182,57 @@ QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString,
 #endif
 
 #if (defined(MZ_MACOS) || defined(MZ_LINUX))
-    QString dnsConf = QString("\nscript-security 2\n"
-                              "up %1/update-resolv-conf.sh\n"
-                              "down %1/update-resolv-conf.sh\n")
-                              .arg(qApp->applicationDirPath());
-
-    config.append(dnsConf);
+    config.append(QString("\nscript-security 2\n"
+                         "up %1/update-resolv-conf.sh\n"
+                         "down %1/update-resolv-conf.sh\n")
+                  .arg(qApp->applicationDirPath()));
 #endif
 
-    json[config_key::config] = config;
-    return QJsonDocument(json).toJson();
+    protocolConfig.setNativeConfig(config);
+    return protocolConfig;
 }
 
-QString OpenVpnConfigurator::processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                             QString &protocolConfigString)
+ProtocolConfig OpenVpnConfigurator::processConfigWithExportSettings(const ExportSettings &settings,
+                                                                    ProtocolConfig protocolConfig)
 {
-    processConfigWithDnsSettings(dns, protocolConfigString);
+    applyDnsToNativeConfig(settings.dns, protocolConfig);
 
-    QJsonObject json = QJsonDocument::fromJson(protocolConfigString.toUtf8()).object();
-    QString config = json[config_key::config].toString();
+    QString config = protocolConfig.nativeConfig();
 
     QRegularExpression regex("redirect-gateway.*");
     config.replace(regex, "");
 
-    // We don't use secondary DNS if primary DNS is AmneziaDNS
-    if (dns.first.contains(protocols::dns::amneziaDnsIp)) {
-        QRegularExpression dnsRegex("dhcp-option DNS " + dns.second);
+    if (settings.dns.primaryDns.contains(protocols::dns::amneziaDnsIp)) {
+        QRegularExpression dnsRegex("dhcp-option DNS " + settings.dns.secondaryDns);
         config.replace(dnsRegex, "");
     }
 
     config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");
-
-    // Prevent ipv6 leak
     config.append("block-ipv6\n");
-
-    // remove block-outside-dns for all exported configs
     config.replace("block-outside-dns", "");
 
-    json[config_key::config] = config;
-    return QJsonDocument(json).toJson();
+    protocolConfig.setNativeConfig(config);
+    return protocolConfig;
 }
 
-ErrorCode OpenVpnConfigurator::signCert(DockerContainer container, const ServerCredentials &credentials, QString clientId)
+ErrorCode OpenVpnConfigurator::signCert(DockerContainer container, const ServerCredentials &credentials, 
+                                        const DnsSettings &dnsSettings, QString clientId)
 {
     QString script_import = QString("sudo docker exec -i %1 bash -c \"cd /opt/amnezia/openvpn && "
                                     "easyrsa import-req %2/%3.req %3\"")
-                                    .arg(ContainerProps::containerToString(container))
+                                    .arg(ContainerUtils::containerToString(container))
                                     .arg(amnezia::protocols::openvpn::clientsDirPath)
                                     .arg(clientId);
 
     QString script_sign = QString("sudo docker exec -i %1 bash -c \"export EASYRSA_BATCH=1; cd /opt/amnezia/openvpn && "
                                   "easyrsa sign-req client %2\"")
-                                  .arg(ContainerProps::containerToString(container))
+                                  .arg(ContainerUtils::containerToString(container))
                                   .arg(clientId);
 
     QStringList scriptList { script_import, script_sign };
-    QString script = m_serverController->replaceVars(scriptList.join("\n"), m_serverController->genVarsForScript(credentials, container));
+    QString script = m_sshSession->replaceVars(scriptList.join("\n"), amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns));
 
-    return m_serverController->runScript(credentials, script);
+    return m_sshSession->runScript(credentials, script);
 }
 
 OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::createCertRequest()
@@ -228,7 +241,7 @@ OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::createCertRequest()
     connData.clientId = Utils::getRandomString(32);
 
     int ret = 0;
-    int nVersion = 1;
+    int nVersion = 0;
 
     QByteArray clientIdUtf8 = connData.clientId.toUtf8();
 

client/core/configurators/openVpnConfigurator.h

@@ -0,0 +1,49 @@
+#ifndef OPENVPN_CONFIGURATOR_H
+#define OPENVPN_CONFIGURATOR_H
+
+#include <QObject>
+#include <QProcessEnvironment>
+
+#include "configuratorBase.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+
+class OpenVpnConfigurator : public ConfiguratorBase
+{
+    Q_OBJECT
+public:
+    OpenVpnConfigurator(SshSession* sshSession, QObject *parent = nullptr);
+
+    struct ConnectionData
+    {
+        QString clientId;
+        QString request;    // certificate request
+        QString privKey;    // client private key
+        QString clientCert; // client signed certificate
+        QString caCert;     // server certificate
+        QString taKey;      // tls-auth key
+        QString host;       // host ip
+    };
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                               const amnezia::ContainerConfig &containerConfig,
+                               const amnezia::DnsSettings &dnsSettings,
+                               amnezia::ErrorCode &errorCode) override;
+
+    amnezia::ProtocolConfig processConfigWithLocalSettings(const amnezia::ConnectionSettings &settings,
+                                                           amnezia::ProtocolConfig protocolConfig) override;
+    amnezia::ProtocolConfig processConfigWithExportSettings(const amnezia::ExportSettings &settings,
+                                                            amnezia::ProtocolConfig protocolConfig) override;
+
+    static ConnectionData createCertRequest();
+
+private:
+    ConnectionData prepareOpenVpnConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                       const amnezia::DnsSettings &dnsSettings,
+                                       amnezia::ErrorCode &errorCode);
+    amnezia::ErrorCode signCert(amnezia::DockerContainer container, const amnezia::ServerCredentials &credentials, 
+                      const amnezia::DnsSettings &dnsSettings, QString clientId);
+};
+
+#endif // OPENVPN_CONFIGURATOR_H

client/core/configurators/wireguardConfigurator.cpp

@@ -0,0 +1,288 @@
+#include "wireguardConfigurator.h"
+
+#include <QDebug>
+#include <QJsonDocument>
+#include <QProcess>
+#include <QRegularExpression>
+#include <QString>
+#include <QTemporaryDir>
+#include <QTemporaryFile>
+
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/utils/utilities.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocols/wireGuardProtocolConfig.h"
+#include "core/models/protocols/awgProtocolConfig.h"
+#include <QJsonArray>
+
+using namespace amnezia;
+
+WireguardConfigurator::WireguardConfigurator(SshSession* sshSession, bool isAwg,
+                                             QObject *parent)
+    : ConfiguratorBase(sshSession, parent), m_isAwg(isAwg)
+{
+    m_serverConfigPath =
+            m_isAwg ? amnezia::protocols::awg::serverConfigPath : amnezia::protocols::wireguard::serverConfigPath;
+    m_serverPublicKeyPath =
+            m_isAwg ? amnezia::protocols::awg::serverPublicKeyPath : amnezia::protocols::wireguard::serverPublicKeyPath;
+    m_serverPskKeyPath =
+            m_isAwg ? amnezia::protocols::awg::serverPskKeyPath : amnezia::protocols::wireguard::serverPskKeyPath;
+    m_configTemplate = m_isAwg ? ProtocolScriptType::awg_template : ProtocolScriptType::wireguard_template;
+
+    m_protocolName = m_isAwg ? configKey::awg : configKey::wireguard;
+    m_defaultPort = m_isAwg ? protocols::awg::defaultPort : protocols::wireguard::defaultPort;
+}
+
+WireguardConfigurator::ConnectionData WireguardConfigurator::genClientKeys()
+{
+    // TODO review
+    constexpr size_t EDDSA_KEY_LENGTH = 32;
+
+    ConnectionData connData;
+
+    unsigned char buff[EDDSA_KEY_LENGTH];
+    int ret = RAND_priv_bytes(buff, EDDSA_KEY_LENGTH);
+    if (ret <= 0)
+        return connData;
+
+    EVP_PKEY *pKey = EVP_PKEY_new();
+    q_check_ptr(pKey);
+    pKey = EVP_PKEY_new_raw_private_key(EVP_PKEY_X25519, NULL, &buff[0], EDDSA_KEY_LENGTH);
+
+    size_t keySize = EDDSA_KEY_LENGTH;
+
+    // save private key
+    unsigned char priv[EDDSA_KEY_LENGTH];
+    EVP_PKEY_get_raw_private_key(pKey, priv, &keySize);
+    connData.clientPrivKey = QByteArray::fromRawData((char *)priv, keySize).toBase64();
+
+    // save public key
+    unsigned char pub[EDDSA_KEY_LENGTH];
+    EVP_PKEY_get_raw_public_key(pKey, pub, &keySize);
+    connData.clientPubKey = QByteArray::fromRawData((char *)pub, keySize).toBase64();
+
+    return connData;
+}
+
+QList<QHostAddress> WireguardConfigurator::getIpsFromConf(const QString &input)
+{
+    QRegularExpression regex("AllowedIPs = (\\d+\\.\\d+\\.\\d+\\.\\d+)");
+    QRegularExpressionMatchIterator matchIterator = regex.globalMatch(input);
+
+    QList<QHostAddress> ips;
+
+    while (matchIterator.hasNext()) {
+        QRegularExpressionMatch match = matchIterator.next();
+        const QString address_string { match.captured(1) };
+        const QHostAddress address { address_string };
+        if (address.isNull()) {
+            qWarning() << "Couldn't recognize the ip address: " << address_string;
+        } else {
+            ips << address;
+        }
+    }
+
+    return ips;
+}
+
+WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardConfig(const ServerCredentials &credentials,
+                                                                                    DockerContainer container,
+                                                                                    const WireGuardServerConfig* serverConfig,
+                                                                                    const AwgServerConfig* awgServerConfig,
+                                                                                    const DnsSettings &dnsSettings,
+                                                                                    ErrorCode &errorCode)
+{
+    WireguardConfigurator::ConnectionData connData = WireguardConfigurator::genClientKeys();
+    connData.host = credentials.hostName;
+    
+    QString portStr = m_defaultPort;
+    if (serverConfig && !serverConfig->port.isEmpty()) {
+        portStr = serverConfig->port;
+    } else if (awgServerConfig && !awgServerConfig->port.isEmpty()) {
+        portStr = awgServerConfig->port;
+    }
+    connData.port = portStr;
+
+    if (connData.clientPrivKey.isEmpty() || connData.clientPubKey.isEmpty()) {
+        errorCode = ErrorCode::InternalError;
+        return connData;
+    }
+
+    QString configPath = m_serverConfigPath;
+    if (container == DockerContainer::Awg) {
+        configPath = amnezia::protocols::awg::serverLegacyConfigPath;
+    }
+    QString getIpsScript = QString("cat %1 | grep AllowedIPs").arg(configPath);
+    QString stdOut;
+    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
+        stdOut += data + "\n";
+        return ErrorCode::NoError;
+    };
+
+    errorCode = m_sshSession->runContainerScript(credentials, container, getIpsScript, cbReadStdOut);
+    if (errorCode != ErrorCode::NoError) {
+        return connData;
+    }
+    auto ips = getIpsFromConf(stdOut);
+
+    QHostAddress nextIp = [&] {
+        QHostAddress result;
+        QHostAddress lastIp;
+        QString subnetAddress = protocols::wireguard::defaultSubnetAddress;
+        if (serverConfig && !serverConfig->subnetAddress.isEmpty()) {
+            subnetAddress = serverConfig->subnetAddress;
+        } else if (awgServerConfig && !awgServerConfig->subnetAddress.isEmpty()) {
+            subnetAddress = awgServerConfig->subnetAddress;
+        }
+        if (ips.empty()) {
+            lastIp.setAddress(subnetAddress);
+        } else {
+            lastIp = ips.last();
+        }
+        quint8 lastOctet = static_cast<quint8>(lastIp.toIPv4Address());
+        switch (lastOctet) {
+        case 254: result.setAddress(lastIp.toIPv4Address() + 3); break;
+        case 255: result.setAddress(lastIp.toIPv4Address() + 2); break;
+        default: result.setAddress(lastIp.toIPv4Address() + 1); break;
+        }
+
+        return result;
+    }();
+
+    connData.clientIP = nextIp.toString();
+
+    // Get keys
+    connData.serverPubKey =
+            m_sshSession->getTextFileFromContainer(container, credentials, m_serverPublicKeyPath, errorCode);
+    connData.serverPubKey.replace("\n", "");
+    if (errorCode != ErrorCode::NoError) {
+        return connData;
+    }
+
+    connData.pskKey = m_sshSession->getTextFileFromContainer(container, credentials, m_serverPskKeyPath, errorCode);
+    connData.pskKey.replace("\n", "");
+
+    if (errorCode != ErrorCode::NoError) {
+        return connData;
+    }
+
+    // Add client to config
+    QString configPart = QString("[Peer]\n"
+                                 "PublicKey = %1\n"
+                                 "PresharedKey = %2\n"
+                                 "AllowedIPs = %3/32\n\n")
+                                 .arg(connData.clientPubKey, connData.pskKey, connData.clientIP);
+
+    errorCode = m_sshSession->uploadTextFileToContainer(container, credentials, configPart, configPath,
+                                                              libssh::ScpOverwriteMode::ScpAppendToExisting);
+
+    if (errorCode != ErrorCode::NoError) {
+        return connData;
+    }
+
+    bool isAwg = (container == DockerContainer::Awg2);
+    QString bin = isAwg ? QStringLiteral("awg") : QStringLiteral("wg");
+    QString iface = isAwg ? QStringLiteral("awg0") : QStringLiteral("wg0");
+    QString script = QString(
+        "sudo docker exec -i $CONTAINER_NAME bash -c '%1 syncconf %2 <(%1-quick strip %3)'").arg(bin, iface, configPath);
+
+    errorCode = m_sshSession->runScript(
+            credentials,
+            m_sshSession->replaceVars(script, amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns)));
+
+    return connData;
+}
+
+ProtocolConfig WireguardConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
+                                                    const ContainerConfig &containerConfig,
+                                                    const DnsSettings &dnsSettings,
+                                                    ErrorCode &errorCode)
+{
+    const WireGuardServerConfig* wireguardServerConfig = nullptr;
+    const WireGuardClientConfig* wireguardClientConfig = nullptr;
+    const AwgServerConfig* awgServerConfig = nullptr;
+    const AwgClientConfig* awgClientConfig = nullptr;
+    
+    if (auto* wireGuardProtocolConfig = containerConfig.getWireGuardProtocolConfig()) {
+        wireguardServerConfig = &wireGuardProtocolConfig->serverConfig;
+        if (wireGuardProtocolConfig->clientConfig.has_value()) {
+            wireguardClientConfig = &wireGuardProtocolConfig->clientConfig.value();
+        }
+    } else if (auto* awgProtocolConfig = containerConfig.getAwgProtocolConfig()) {
+        awgServerConfig = &awgProtocolConfig->serverConfig;
+        if (awgProtocolConfig->clientConfig.has_value()) {
+            awgClientConfig = &awgProtocolConfig->clientConfig.value();
+        }
+    }
+    
+    amnezia::ScriptVars vars = amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns);
+    vars.append(amnezia::genProtocolVarsForContainer(container, containerConfig));
+    QString scriptData = amnezia::scriptData(m_configTemplate, container);
+    QString config = m_sshSession->replaceVars(scriptData, vars);
+
+    ConnectionData connData = prepareWireguardConfig(credentials, container, wireguardServerConfig, awgServerConfig, dnsSettings, errorCode);
+    if (errorCode != ErrorCode::NoError) {
+        return WireGuardProtocolConfig{};
+    }
+
+    config.replace("$WIREGUARD_CLIENT_PRIVATE_KEY", connData.clientPrivKey);
+    config.replace("$WIREGUARD_CLIENT_IP", connData.clientIP);
+    config.replace("$WIREGUARD_SERVER_PUBLIC_KEY", connData.serverPubKey);
+    config.replace("$WIREGUARD_PSK", connData.pskKey);
+
+    QString mtu = protocols::wireguard::defaultMtu;
+    if (wireguardClientConfig && !wireguardClientConfig->mtu.isEmpty()) {
+        mtu = wireguardClientConfig->mtu;
+    } else if (awgClientConfig && !awgClientConfig->mtu.isEmpty()) {
+        mtu = awgClientConfig->mtu;
+    }
+    
+    WireGuardProtocolConfig protocolConfig;
+    if (wireguardServerConfig) {
+        protocolConfig.serverConfig = *wireguardServerConfig;
+    }
+    
+    WireGuardClientConfig clientConfig;
+    clientConfig.nativeConfig = config;
+    clientConfig.hostName = connData.host;
+    clientConfig.port = connData.port.toInt();
+    clientConfig.clientIp = connData.clientIP;
+    clientConfig.clientPrivateKey = connData.clientPrivKey;
+    clientConfig.clientPublicKey = connData.clientPubKey;
+    clientConfig.serverPublicKey = connData.serverPubKey;
+    clientConfig.presharedKey = connData.pskKey;
+    clientConfig.clientId = connData.clientPubKey;
+    clientConfig.allowedIps = QStringList { "0.0.0.0/0", "::/0" };
+    clientConfig.persistentKeepAlive = "25";
+    clientConfig.mtu = mtu;
+    clientConfig.isObfuscationEnabled = false;
+    
+    protocolConfig.setClientConfig(clientConfig);
+    
+    return protocolConfig;
+}
+
+ProtocolConfig WireguardConfigurator::processConfigWithLocalSettings(const ConnectionSettings &settings,
+                                                                     ProtocolConfig protocolConfig)
+{
+    return ConfiguratorBase::processConfigWithLocalSettings(settings, protocolConfig);
+}
+
+ProtocolConfig WireguardConfigurator::processConfigWithExportSettings(const ExportSettings &settings,
+                                                                      ProtocolConfig protocolConfig)
+{
+    return ConfiguratorBase::processConfigWithExportSettings(settings, protocolConfig);
+}

client/core/configurators/wireguardConfigurator.h

@@ -0,0 +1,61 @@
+#ifndef WIREGUARD_CONFIGURATOR_H
+#define WIREGUARD_CONFIGURATOR_H
+
+#include <QHostAddress>
+#include <QObject>
+#include <QProcessEnvironment>
+
+#include "configuratorBase.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+
+class WireguardConfigurator : public ConfiguratorBase
+{
+    Q_OBJECT
+public:
+    WireguardConfigurator(SshSession* sshSession,
+                          bool isAwg, QObject *parent = nullptr);
+
+    struct ConnectionData
+    {
+        QString clientPrivKey; // client private key
+        QString clientPubKey;  // client public key
+        QString clientIP;      // internal client IP address
+        QString serverPubKey;  // tls-auth key
+        QString pskKey;        // preshared key
+        QString host;          // host ip
+        QString port;
+    };
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode) override;
+
+    amnezia::ProtocolConfig processConfigWithLocalSettings(const amnezia::ConnectionSettings &settings,
+                                                           amnezia::ProtocolConfig protocolConfig) override;
+    amnezia::ProtocolConfig processConfigWithExportSettings(const amnezia::ExportSettings &settings,
+                                                            amnezia::ProtocolConfig protocolConfig) override;
+
+    static ConnectionData genClientKeys();
+
+private:
+    QList<QHostAddress> getIpsFromConf(const QString &input);
+    ConnectionData prepareWireguardConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                          const amnezia::WireGuardServerConfig* serverConfig,
+                                          const amnezia::AwgServerConfig* awgServerConfig,
+                                          const amnezia::DnsSettings &dnsSettings,
+                                          amnezia::ErrorCode &errorCode);
+
+    bool m_isAwg;
+    QString m_serverConfigPath;
+    QString m_serverPublicKeyPath;
+    QString m_serverPskKeyPath;
+    amnezia::ProtocolScriptType m_configTemplate;
+    QString m_protocolName;
+    QString m_defaultPort;
+};
+
+#endif // WIREGUARD_CONFIGURATOR_H

client/core/configurators/xrayConfigurator.cpp

@@ -1,32 +1,43 @@
-#include "xray_configurator.h"
+#include "xrayConfigurator.h"
 
 #include <QFile>
 #include <QJsonDocument>
 #include <QJsonObject>
+#include <QJsonArray>
 #include <QUuid>
 #include "logger.h"
 
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-#include "core/scripts_registry.h"
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocols/xrayProtocolConfig.h"
 
 namespace {
 Logger logger("XrayConfigurator");
 }
 
-XrayConfigurator::XrayConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
+XrayConfigurator::XrayConfigurator(SshSession* sshSession, QObject *parent)
+    : ConfiguratorBase(sshSession, parent)
 {
 }
 
 QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentials, DockerContainer container,
-                                               const QJsonObject &containerConfig, ErrorCode &errorCode)
+                                               const ContainerConfig &containerConfig,
+                                               const DnsSettings &dnsSettings,
+                                               ErrorCode &errorCode)
 {
     // Generate new UUID for client
     QString clientId = QUuid::createUuid().toString(QUuid::WithoutBraces);
     
     // Get current server config
-    QString currentConfig = m_serverController->getTextFileFromContainer(
+    QString currentConfig = m_sshSession->getTextFileFromContainer(
         container, credentials, amnezia::protocols::xray::serverConfigPath, errorCode);
     
     if (errorCode != ErrorCode::NoError) {
@@ -45,13 +56,13 @@ QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentia
     QJsonObject serverConfig = doc.object();
     
     // Validate server config structure
-    if (!serverConfig.contains("inbounds")) {
+    if (!serverConfig.contains(amnezia::protocols::xray::inbounds)) {
         logger.error() << "Server config missing 'inbounds' field";
         errorCode = ErrorCode::InternalError;
         return "";
     }
 
-    QJsonArray inbounds = serverConfig["inbounds"].toArray();
+    QJsonArray inbounds = serverConfig[amnezia::protocols::xray::inbounds].toArray();
     if (inbounds.isEmpty()) {
         logger.error() << "Server config has empty 'inbounds' array";
         errorCode = ErrorCode::InternalError;
@@ -59,38 +70,38 @@ QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentia
     }
     
     QJsonObject inbound = inbounds[0].toObject();
-    if (!inbound.contains("settings")) {
+    if (!inbound.contains(amnezia::protocols::xray::settings)) {
         logger.error() << "Inbound missing 'settings' field";
         errorCode = ErrorCode::InternalError;
         return "";
     }
 
-    QJsonObject settings = inbound["settings"].toObject();
-    if (!settings.contains("clients")) {
+    QJsonObject settings = inbound[amnezia::protocols::xray::settings].toObject();
+    if (!settings.contains(amnezia::protocols::xray::clients)) {
         logger.error() << "Settings missing 'clients' field";
         errorCode = ErrorCode::InternalError;
         return "";
     }
 
-    QJsonArray clients = settings["clients"].toArray();
+    QJsonArray clients = settings[amnezia::protocols::xray::clients].toArray();
     
     // Create configuration for new client
     QJsonObject clientConfig {
-        {"id", clientId},
-        {"flow", "xtls-rprx-vision"}
+        {amnezia::protocols::xray::id, clientId},
+        {amnezia::protocols::xray::flow, "xtls-rprx-vision"}
     };
     
     clients.append(clientConfig);
     
     // Update config
-    settings["clients"] = clients;
-    inbound["settings"] = settings;
+    settings[amnezia::protocols::xray::clients] = clients;
+    inbound[amnezia::protocols::xray::settings] = settings;
     inbounds[0] = inbound;
-    serverConfig["inbounds"] = inbounds;
+    serverConfig[amnezia::protocols::xray::inbounds] = inbounds;
     
     // Save updated config to server
     QString updatedConfig = QJsonDocument(serverConfig).toJson();
-    errorCode = m_serverController->uploadTextFileToContainer(
+    errorCode = m_sshSession->uploadTextFileToContainer(
         container, 
         credentials, 
         updatedConfig,
@@ -104,9 +115,9 @@ QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentia
 
     // Restart container
     QString restartScript = QString("sudo docker restart $CONTAINER_NAME");
-    errorCode = m_serverController->runScript(
+    errorCode = m_sshSession->runScript(
         credentials, 
-        m_serverController->replaceVars(restartScript, m_serverController->genVarsForScript(credentials, container))
+        m_sshSession->replaceVars(restartScript, amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns))
     );
 
     if (errorCode != ErrorCode::NoError) {
@@ -117,57 +128,75 @@ QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentia
     return clientId;
 }
 
-QString XrayConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                       const QJsonObject &containerConfig, ErrorCode &errorCode)
+ProtocolConfig XrayConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
+                                               const ContainerConfig &containerConfig,
+                                               const DnsSettings &dnsSettings,
+                                               ErrorCode &errorCode)
 {
-    // Get client ID from prepareServerConfig
-    QString xrayClientId = prepareServerConfig(credentials, container, containerConfig, errorCode);
+    const XrayServerConfig* serverConfig = nullptr;
+    if (auto* xrayConfig = containerConfig.protocolConfig.as<XrayProtocolConfig>()) {
+        serverConfig = &xrayConfig->serverConfig;
+    }
+    
+    QString xrayClientId = prepareServerConfig(credentials, container, containerConfig, dnsSettings, errorCode);
     if (errorCode != ErrorCode::NoError || xrayClientId.isEmpty()) {
         logger.error() << "Failed to prepare server config";
         errorCode = ErrorCode::InternalError;
-        return "";
+        return XrayProtocolConfig{};
     }
 
-    QString config = m_serverController->replaceVars(amnezia::scriptData(ProtocolScriptType::xray_template, container),
-                                                     m_serverController->genVarsForScript(credentials, container, containerConfig));
+    amnezia::ScriptVars vars = amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns);
+    vars.append(amnezia::genProtocolVarsForContainer(container, containerConfig));
+    QString config = m_sshSession->replaceVars(amnezia::scriptData(ProtocolScriptType::xray_template, container), vars);
     
     if (config.isEmpty()) {
         logger.error() << "Failed to get config template";
         errorCode = ErrorCode::InternalError;
-        return "";
+        return XrayProtocolConfig{};
     }
 
     QString xrayPublicKey =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::PublicKeyPath, errorCode);
+            m_sshSession->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::PublicKeyPath, errorCode);
     if (errorCode != ErrorCode::NoError || xrayPublicKey.isEmpty()) {
         logger.error() << "Failed to get public key";
         errorCode = ErrorCode::InternalError;
-        return "";
+        return XrayProtocolConfig{};
     }
     xrayPublicKey.replace("\n", "");
     
     QString xrayShortId =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::shortidPath, errorCode);
+            m_sshSession->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::shortidPath, errorCode);
     if (errorCode != ErrorCode::NoError || xrayShortId.isEmpty()) {
         logger.error() << "Failed to get short ID";
         errorCode = ErrorCode::InternalError;
-        return "";
+        return XrayProtocolConfig{};
     }
     xrayShortId.replace("\n", "");
 
-    // Validate all required variables are present
     if (!config.contains("$XRAY_CLIENT_ID") || !config.contains("$XRAY_PUBLIC_KEY") || !config.contains("$XRAY_SHORT_ID")) {
         logger.error() << "Config template missing required variables:"
                       << "XRAY_CLIENT_ID:" << !config.contains("$XRAY_CLIENT_ID")
                       << "XRAY_PUBLIC_KEY:" << !config.contains("$XRAY_PUBLIC_KEY")
                       << "XRAY_SHORT_ID:" << !config.contains("$XRAY_SHORT_ID");
         errorCode = ErrorCode::InternalError;
-        return "";
+        return XrayProtocolConfig{};
     }
 
     config.replace("$XRAY_CLIENT_ID", xrayClientId);
     config.replace("$XRAY_PUBLIC_KEY", xrayPublicKey);
     config.replace("$XRAY_SHORT_ID", xrayShortId);
 
-    return config;
+    XrayProtocolConfig protocolConfig;
+    if (serverConfig) {
+        protocolConfig.serverConfig = *serverConfig;
+    }
+    
+    XrayClientConfig clientConfig;
+    clientConfig.nativeConfig = config;
+    clientConfig.localPort = "";
+    clientConfig.id = xrayClientId;
+    
+    protocolConfig.setClientConfig(clientConfig);
+    
+    return protocolConfig;
 }

client/core/configurators/xrayConfigurator.h

@@ -0,0 +1,27 @@
+#ifndef XRAY_CONFIGURATOR_H
+#define XRAY_CONFIGURATOR_H
+
+#include <QObject>
+
+#include "configuratorBase.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+
+class XrayConfigurator : public ConfiguratorBase
+{
+    Q_OBJECT
+public:
+    XrayConfigurator(SshSession* sshSession, QObject *parent = nullptr);
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container, const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode) override;
+
+private:
+    QString prepareServerConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container, const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode);
+};
+
+#endif // XRAY_CONFIGURATOR_H

client/core/controllers/allowedDnsController.cpp

@@ -0,0 +1,54 @@
+#include "allowedDnsController.h"
+
+AllowedDnsController::AllowedDnsController(SecureAppSettingsRepository* appSettingsRepository)
+    : m_appSettingsRepository(appSettingsRepository)
+{
+    fillDnsServers();
+}
+
+bool AllowedDnsController::addDns(const QString &ip)
+{
+    if (m_dnsServers.contains(ip)) {
+        return false;
+    }
+
+    m_dnsServers.append(ip);
+    m_appSettingsRepository->setAllowedDnsServers(m_dnsServers);
+    return true;
+}
+
+void AllowedDnsController::addDnsList(const QStringList &dnsServers, bool replaceExisting)
+{
+    if (replaceExisting) {
+        m_dnsServers.clear();
+    }
+    
+    for (const QString &ip : dnsServers) {
+        if (!m_dnsServers.contains(ip)) {
+            m_dnsServers.append(ip);
+        }
+    }
+    
+    m_appSettingsRepository->setAllowedDnsServers(m_dnsServers);
+}
+
+void AllowedDnsController::removeDns(int index)
+{
+    if (index < 0 || index >= m_dnsServers.size()) {
+        return;
+    }
+
+    m_dnsServers.removeAt(index);
+    m_appSettingsRepository->setAllowedDnsServers(m_dnsServers);
+}
+
+QStringList AllowedDnsController::getCurrentDnsServers() const
+{
+    return m_dnsServers;
+}
+
+void AllowedDnsController::fillDnsServers()
+{
+    m_dnsServers = m_appSettingsRepository->getAllowedDnsServers();
+}
+

client/core/controllers/allowedDnsController.h

@@ -0,0 +1,26 @@
+#ifndef ALLOWEDDNSCONTROLLER_H
+#define ALLOWEDDNSCONTROLLER_H
+
+#include <QStringList>
+
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class AllowedDnsController
+{
+public:
+    explicit AllowedDnsController(SecureAppSettingsRepository* appSettingsRepository);
+
+    bool addDns(const QString &ip);
+    void addDnsList(const QStringList &dnsServers, bool replaceExisting);
+    void removeDns(int index);
+    QStringList getCurrentDnsServers() const;
+
+private:
+    void fillDnsServers();
+
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    QStringList m_dnsServers;
+};
+
+#endif // ALLOWEDDNSCONTROLLER_H
+

client/core/controllers/api/newsController.cpp

@@ -0,0 +1,72 @@
+#include "newsController.h"
+
+#include "core/controllers/gatewayController.h"
+#include "core/utils/api/apiEnums.h"
+#include "core/utils/constants/apiKeys.h"
+#include "core/utils/constants/apiConstants.h"
+#include "core/utils/constants/configKeys.h"
+#include <QtConcurrent/QtConcurrent>
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QSharedPointer>
+
+using namespace amnezia;
+
+NewsController::NewsController(SecureAppSettingsRepository* appSettingsRepository,
+                               ServersController* serversController)
+    : m_appSettingsRepository(appSettingsRepository), m_serversController(serversController)
+{
+}
+
+QFuture<QPair<ErrorCode, QJsonArray>> NewsController::fetchNews()
+{
+    if (!m_serversController) {
+        qWarning() << "ServersController is null, skip fetchNews";
+        return QtFuture::makeReadyFuture(qMakePair(ErrorCode::InternalError, QJsonArray()));
+    }
+    
+    const auto stacks = m_serversController->gatewayStacks();
+    if (stacks.isEmpty()) {
+        qDebug() << "No Gateway stacks, skip fetchNews";
+        return QtFuture::makeReadyFuture(qMakePair(ErrorCode::NoError, QJsonArray()));
+    }
+
+    auto gatewayController = QSharedPointer<GatewayController>::create(
+        m_appSettingsRepository->getGatewayEndpoint(),
+        m_appSettingsRepository->isDevGatewayEnv(),
+        apiDefs::requestTimeoutMsecs,
+        m_appSettingsRepository->isStrictKillSwitchEnabled());
+    
+    QJsonObject payload;
+    payload.insert("locale", m_appSettingsRepository->getAppLanguage().name().split("_").first());
+
+    const QJsonObject stacksJson = stacks.toJson();
+    if (stacksJson.contains(apiDefs::key::userCountryCode)) {
+        payload.insert(apiDefs::key::userCountryCode, stacksJson.value(apiDefs::key::userCountryCode));
+    }
+    if (stacksJson.contains(apiDefs::key::serviceType)) {
+        payload.insert(apiDefs::key::serviceType, stacksJson.value(apiDefs::key::serviceType));
+    }
+
+    auto future = gatewayController->postAsync(QString("%1v1/news"), payload);
+    return future.then([gatewayController](QPair<ErrorCode, QByteArray> result) -> QPair<ErrorCode, QJsonArray> {
+        auto [errorCode, responseBody] = result;
+        if (errorCode != ErrorCode::NoError) {
+            return qMakePair(errorCode, QJsonArray());
+        }
+
+        QJsonDocument doc = QJsonDocument::fromJson(responseBody);
+        QJsonArray newsArray;
+        if (doc.isArray()) {
+            newsArray = doc.array();
+        } else if (doc.isObject()) {
+            QJsonObject obj = doc.object();
+            if (obj.value("news").isArray()) {
+                newsArray = obj.value("news").toArray();
+            }
+        }
+
+        return qMakePair(ErrorCode::NoError, newsArray);
+    });
+}
+

client/core/controllers/api/newsController.h

@@ -0,0 +1,28 @@
+#ifndef NEWSCONTROLLER_H
+#define NEWSCONTROLLER_H
+
+#include <QFuture>
+#include <QJsonArray>
+#include <QPair>
+
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "core/controllers/serversController.h"
+
+class NewsController
+{
+public:
+    explicit NewsController(SecureAppSettingsRepository* appSettingsRepository,
+                           ServersController* serversController);
+
+    QFuture<QPair<ErrorCode, QJsonArray>> fetchNews();
+
+private:
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    ServersController* m_serversController;
+};
+
+#endif // NEWSCONTROLLER_H
+

client/core/controllers/api/servicesCatalogController.cpp

@@ -0,0 +1,248 @@
+#include "servicesCatalogController.h"
+
+#include <QJsonDocument>
+#include <QSysInfo>
+#include <QJsonArray>
+#include <QEventLoop>
+#include <QDebug>
+#include <QCoreApplication>
+#include <QHash>
+#include <QSet>
+#include <limits>
+
+#include "core/controllers/gatewayController.h"
+#include "core/utils/api/apiEnums.h"
+#include "core/utils/constants/apiKeys.h"
+#include "core/utils/constants/apiConstants.h"
+#include "version.h"
+
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
+#include "platforms/ios/ios_controller.h"
+#endif
+
+namespace
+{
+    namespace configKey
+    {
+        constexpr char serviceDescription[] = "service_description";
+        constexpr char subscriptionPlans[] = "subscription_plans";
+        constexpr char storeProductId[] = "store_product_id";
+        constexpr char priceLabel[] = "price_label";
+        constexpr char subtitle[] = "subtitle";
+        constexpr char isTrial[] = "is_trial";
+        constexpr char minPriceLabel[] = "min_price_label";
+    }
+
+    namespace serviceType
+    {
+        constexpr char amneziaPremium[] = "amnezia-premium";
+    }
+
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
+    struct StoreKitPlanQuote {
+        QString displayPrice;
+        double priceAmount = 0.0;
+        double subscriptionBillingMonths = 0.0;
+        QString displayPricePerMonth;
+    };
+
+    constexpr double oneMonthThreshold = 1.0 + 1e-6;
+    constexpr double monthsFallbackThreshold = 1e-6;
+    constexpr double monthlyPriceEpsilon = 1e-9;
+
+    QStringList collectPremiumStoreProductIds(const QJsonArray &services)
+    {
+        QStringList productIds;
+        QSet<QString> seenProductIds;
+        for (const QJsonValue &serviceValue : services) {
+            const QJsonObject serviceObject = serviceValue.toObject();
+            if (serviceObject.value(apiDefs::key::serviceType).toString() != serviceType::amneziaPremium) {
+                continue;
+            }
+            const QJsonArray subscriptionPlans =
+                    serviceObject.value(configKey::serviceDescription).toObject().value(configKey::subscriptionPlans).toArray();
+            for (const QJsonValue &planValue : subscriptionPlans) {
+                if (!planValue.isObject()) {
+                    continue;
+                }
+                const QString storeProductId = planValue.toObject().value(configKey::storeProductId).toString();
+                if (storeProductId.isEmpty() || seenProductIds.contains(storeProductId)) {
+                    continue;
+                }
+                seenProductIds.insert(storeProductId);
+                productIds.append(storeProductId);
+            }
+        }
+        return productIds;
+    }
+
+    QHash<QString, StoreKitPlanQuote> buildStoreKitQuoteMap(const QList<QVariantMap> &fetchedProducts)
+    {
+        QHash<QString, StoreKitPlanQuote> quotesByProductId;
+        quotesByProductId.reserve(fetchedProducts.size());
+
+        for (const QVariantMap &productInfo : fetchedProducts) {
+            const QString productId = productInfo.value(QStringLiteral("productId")).toString();
+            if (productId.isEmpty()) {
+                continue;
+            }
+
+            QString displayPrice = productInfo.value(QStringLiteral("displayPrice")).toString();
+            if (displayPrice.isEmpty()) {
+                const QString price = productInfo.value(QStringLiteral("price")).toString();
+                const QString currencyCode = productInfo.value(QStringLiteral("currencyCode")).toString();
+                displayPrice = currencyCode.isEmpty() ? price : (price + QLatin1Char(' ') + currencyCode);
+            }
+
+            StoreKitPlanQuote quote;
+            quote.displayPrice = displayPrice;
+            quote.priceAmount = productInfo.value(QStringLiteral("priceAmount")).toDouble();
+            quote.subscriptionBillingMonths = productInfo.value(QStringLiteral("subscriptionBillingMonths")).toDouble();
+            quote.displayPricePerMonth = productInfo.value(QStringLiteral("displayPricePerMonth")).toString();
+            quotesByProductId.insert(productId, quote);
+        }
+
+        return quotesByProductId;
+    }
+
+    void mergeStoreKitPricesIntoPremiumPlans(QJsonObject &data)
+    {
+        QJsonArray services = data.value(apiDefs::key::services).toArray();
+        if (services.isEmpty()) {
+            return;
+        }
+
+        const QStringList productIds = collectPremiumStoreProductIds(services);
+        if (productIds.isEmpty()) {
+            qInfo().noquote() << "[IAP] No store_product_id in premium plans; skip StoreKit merge into services payload";
+            return;
+        }
+
+        QList<QVariantMap> fetchedProducts;
+        QEventLoop loop;
+        IosController::Instance()->fetchProducts(productIds,
+                                                 [&](const QList<QVariantMap> &products, const QStringList &invalidIds,
+                                                     const QString &errorString) {
+                                                     if (!errorString.isEmpty()) {
+                                                         qWarning().noquote() << "[IAP] StoreKit merge fetch:" << errorString;
+                                                     }
+                                                     if (!invalidIds.isEmpty()) {
+                                                         qWarning().noquote() << "[IAP] Unknown App Store product ids:" << invalidIds;
+                                                     }
+                                                     fetchedProducts = products;
+                                                     loop.quit();
+                                                 });
+        loop.exec();
+
+        const QHash<QString, StoreKitPlanQuote> quotesByProductId = buildStoreKitQuoteMap(fetchedProducts);
+
+        for (int serviceIndex = 0; serviceIndex < services.size(); ++serviceIndex) {
+            QJsonObject serviceObject = services.at(serviceIndex).toObject();
+            if (serviceObject.value(apiDefs::key::serviceType).toString() != serviceType::amneziaPremium) {
+                continue;
+            }
+
+            QJsonObject descriptionObject = serviceObject.value(configKey::serviceDescription).toObject();
+            const QJsonArray sourcePlans = descriptionObject.value(configKey::subscriptionPlans).toArray();
+
+            QJsonArray mergedPlans;
+            double minMonthlyAmount = std::numeric_limits<double>::infinity();
+            QString minMonthlyDisplay;
+
+            for (const QJsonValue &planValue : sourcePlans) {
+                if (!planValue.isObject()) {
+                    continue;
+                }
+
+                QJsonObject planObject = planValue.toObject();
+                const QString storeProductId = planObject.value(configKey::storeProductId).toString();
+                if (storeProductId.isEmpty()) {
+                    continue;
+                }
+
+                const auto quoteIterator = quotesByProductId.constFind(storeProductId);
+                if (quoteIterator == quotesByProductId.cend()) {
+                    continue;
+                }
+
+                const bool isTrialPlan = planObject.value(configKey::isTrial).toBool();
+                const StoreKitPlanQuote &quote = *quoteIterator;
+                planObject.insert(configKey::priceLabel, quote.displayPrice);
+
+                const double months = quote.subscriptionBillingMonths;
+                if (!isTrialPlan && months > oneMonthThreshold && !quote.displayPricePerMonth.isEmpty()) {
+                    planObject.insert(
+                            configKey::subtitle,
+                            QCoreApplication::translate("ServicesCatalogController", "%1/mo",
+                                                        "IAP: price per month in plan subtitle")
+                                    .arg(quote.displayPricePerMonth));
+                }
+
+                if (!isTrialPlan && quote.priceAmount > 0.0) {
+                    const double monthsForMin = months > monthsFallbackThreshold ? months : 1.0;
+                    const double monthly = quote.priceAmount / monthsForMin;
+                    if (monthly < minMonthlyAmount - monthlyPriceEpsilon) {
+                        minMonthlyAmount = monthly;
+                        minMonthlyDisplay = !quote.displayPricePerMonth.isEmpty() ? quote.displayPricePerMonth : quote.displayPrice;
+                    }
+                }
+
+                mergedPlans.append(planObject);
+            }
+
+            descriptionObject.insert(configKey::subscriptionPlans, mergedPlans);
+            if (minMonthlyAmount < std::numeric_limits<double>::infinity() && !minMonthlyDisplay.isEmpty()) {
+                descriptionObject.insert(configKey::minPriceLabel,
+                                         QCoreApplication::translate("ServicesCatalogController", "from %1 per month",
+                                                                     "IAP: card footer minimum monthly price from StoreKit")
+                                                 .arg(minMonthlyDisplay));
+            }
+            serviceObject.insert(configKey::serviceDescription, descriptionObject);
+            services.replace(serviceIndex, serviceObject);
+        }
+        data.insert(apiDefs::key::services, services);
+    }
+#endif
+}
+
+ServicesCatalogController::ServicesCatalogController(SecureAppSettingsRepository* appSettingsRepository)
+    : m_appSettingsRepository(appSettingsRepository)
+{
+}
+
+ErrorCode ServicesCatalogController::fillAvailableServices(QJsonObject &servicesData)
+{
+    QJsonObject apiPayload;
+    apiPayload[apiDefs::key::osVersion] = QSysInfo::productType();
+    apiPayload[apiDefs::key::appVersion] = QString(APP_VERSION);
+    apiPayload[apiDefs::key::cliName] = QString(APPLICATION_NAME);
+    apiPayload[apiDefs::key::appLanguage] = m_appSettingsRepository->getAppLanguage().name().split("_").first();
+
+    QByteArray responseBody;
+    ErrorCode errorCode = executeRequest(QString("%1v1/services"), apiPayload, responseBody);
+    if (errorCode == ErrorCode::NoError) {
+        if (!responseBody.contains(apiDefs::key::services.data())) {
+            errorCode = ErrorCode::ApiServicesMissingError;
+        }
+    }
+
+    if (errorCode != ErrorCode::NoError) {
+        return errorCode;
+    }
+
+    servicesData = QJsonDocument::fromJson(responseBody).object();
+
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
+    mergeStoreKitPricesIntoPremiumPlans(servicesData);
+#endif
+
+    return ErrorCode::NoError;
+}
+
+ErrorCode ServicesCatalogController::executeRequest(const QString &endpoint, const QJsonObject &apiPayload, QByteArray &responseBody)
+{
+    GatewayController gatewayController(m_appSettingsRepository->getGatewayEndpoint(), m_appSettingsRepository->isDevGatewayEnv(), apiDefs::requestTimeoutMsecs,
+                                        m_appSettingsRepository->isStrictKillSwitchEnabled());
+    return gatewayController.post(endpoint, apiPayload, responseBody);
+}
+

client/core/controllers/api/servicesCatalogController.h

@@ -0,0 +1,26 @@
+#ifndef SERVICESCATALOGCONTROLLER_H
+#define SERVICESCATALOGCONTROLLER_H
+
+#include <QJsonObject>
+#include <QByteArray>
+
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class ServicesCatalogController
+{
+public:
+    explicit ServicesCatalogController(SecureAppSettingsRepository* appSettingsRepository);
+
+    ErrorCode fillAvailableServices(QJsonObject &servicesData);
+
+private:
+    ErrorCode executeRequest(const QString &endpoint, const QJsonObject &apiPayload, QByteArray &responseBody);
+
+    SecureAppSettingsRepository* m_appSettingsRepository;
+};
+
+#endif // SERVICESCATALOGCONTROLLER_H
+

client/core/controllers/api/subscriptionController.h

@@ -0,0 +1,122 @@
+#ifndef SUBSCRIPTIONCONTROLLER_H
+#define SUBSCRIPTIONCONTROLLER_H
+
+#include <QJsonObject>
+#include <QByteArray>
+#include <QFuture>
+#include <QList>
+#include <QVariantMap>
+
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "core/models/serverConfig.h"
+
+class ServersController;
+
+class SubscriptionController
+{
+public:
+    struct ProtocolData
+    {
+        QString certRequest;
+        QString certPrivKey;
+        QString wireGuardClientPrivKey;
+        QString wireGuardClientPubKey;
+        QString xrayUuid;
+    };
+
+    struct GatewayRequestData
+    {
+        QString osVersion;
+        QString appVersion;
+        QString appLanguage;
+        QString installationUuid;
+        QString userCountryCode;
+        QString serverCountryCode;
+        QString serviceType;
+        QString serviceProtocol;
+        QJsonObject authData;
+
+        QJsonObject toJsonObject() const;
+    };
+
+    explicit SubscriptionController(SecureServersRepository* serversRepository,
+                                     SecureAppSettingsRepository* appSettingsRepository);
+
+    ProtocolData generateProtocolData(const QString &protocol);
+    void appendProtocolDataToApiPayload(const QString &protocol, const ProtocolData &protocolData, QJsonObject &apiPayload);
+    ErrorCode fillServerConfig(const QJsonObject &serverConfigJson, ServerConfig &serverConfig);
+
+    ErrorCode importServiceFromGateway(const QString &userCountryCode, const QString &serviceType,
+                                      const QString &serviceProtocol, const ProtocolData &protocolData,
+                                      ServerConfig &serverConfig);
+    ErrorCode importTrialFromGateway(const QString &userCountryCode, const QString &serviceType,
+                                     const QString &serviceProtocol, const QString &email,
+                                     ServerConfig &serverConfig);
+
+    ErrorCode importServiceFromAppStore(const QString &userCountryCode, const QString &serviceType,
+                                        const QString &serviceProtocol, const ProtocolData &protocolData,
+                                        const QString &transactionId, bool isTestPurchase,
+                                        ServerConfig &serverConfig,
+                                        int *duplicateServerIndex = nullptr);
+
+    ErrorCode updateServiceFromGateway(int serverIndex, const QString &newCountryCode, bool isConnectEvent);
+
+    ErrorCode deactivateDevice(int serverIndex);
+
+    ErrorCode deactivateExternalDevice(int serverIndex, const QString &uuid, const QString &serverCountryCode);
+
+    ErrorCode exportNativeConfig(int serverIndex, const QString &serverCountryCode, QString &nativeConfig);
+
+    ErrorCode revokeNativeConfig(int serverIndex, const QString &serverCountryCode);
+
+    ErrorCode updateServiceFromTelegram(int serverIndex);
+
+    ErrorCode prepareVpnKeyExport(int serverIndex, QString &vpnKey);
+
+    ErrorCode validateAndUpdateConfig(int serverIndex, bool hasInstalledContainers);
+
+    void removeApiConfig(int serverIndex);
+
+    void setCurrentProtocol(int serverIndex, const QString &protocolName);
+    bool isVlessProtocol(int serverIndex) const;
+
+    ErrorCode getAccountInfo(int serverIndex, QJsonObject &accountInfo);
+    QFuture<QPair<ErrorCode, QString>> getRenewalLink(int serverIndex);
+
+    struct AppStoreRestoreResult
+    {
+        bool hasInstalledConfig = false;
+        bool duplicateConfigAlreadyPresent = false;
+        int duplicateCount = 0;
+        int duplicateServerIndex = -1;
+        ErrorCode errorCode = ErrorCode::NoError;
+    };
+
+    ErrorCode processAppStorePurchase(const QString &userCountryCode, const QString &serviceType,
+                                     const QString &serviceProtocol, const QString &productId,
+                                     ServerConfig &serverConfig,
+                                     int *duplicateServerIndex = nullptr);
+
+    AppStoreRestoreResult processAppStoreRestore(const QString &userCountryCode, const QString &serviceType,
+                                                  const QString &serviceProtocol);
+
+private:
+    ErrorCode executeRequest(const QString &endpoint, const QJsonObject &apiPayload, QByteArray &responseBody, bool isTestPurchase = false);
+    bool isApiKeyExpired(int serverIndex) const;
+    
+    ErrorCode extractServerConfigJsonFromResponse(const QByteArray &apiResponseBody, const QString &protocol, 
+                                                   const ProtocolData &protocolData, QJsonObject &serverConfigJson);
+    void updateApiConfigInJson(QJsonObject &serverConfigJson, const QString &serviceType, 
+                                const QString &serviceProtocol, const QString &userCountryCode,
+                                const QByteArray &apiResponseBody);
+
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+};
+
+#endif // SUBSCRIPTIONCONTROLLER_H
+

client/core/controllers/appSplitTunnelingController.cpp

@@ -0,0 +1,70 @@
+#include "appSplitTunnelingController.h"
+
+AppSplitTunnelingController::AppSplitTunnelingController(SecureAppSettingsRepository* appSettingsRepository)
+    : m_appSettingsRepository(appSettingsRepository)
+{
+    m_currentRouteMode = m_appSettingsRepository->appsRouteMode();
+    if (m_currentRouteMode == AppsRouteMode::VpnAllApps) { // for old split tunneling configs
+        m_currentRouteMode = AppsRouteMode::VpnAllExceptApps;
+        m_apps = m_appSettingsRepository->vpnApps(m_currentRouteMode);
+        m_appSettingsRepository->setAppsRouteMode(AppsRouteMode::VpnAllExceptApps);
+    } else {
+        m_apps = m_appSettingsRepository->vpnApps(m_currentRouteMode);
+    }
+}
+
+bool AppSplitTunnelingController::addApp(const amnezia::InstalledAppInfo &appInfo)
+{
+    if (m_apps.contains(appInfo)) {
+        return false;
+    }
+
+    m_apps.append(appInfo);
+    m_appSettingsRepository->setVpnApps(m_currentRouteMode, m_apps);
+
+    return true;
+}
+
+void AppSplitTunnelingController::removeApp(int index)
+{
+    if (index < 0 || index >= m_apps.size()) {
+        return;
+    }
+
+    m_apps.removeAt(index);
+    m_appSettingsRepository->setVpnApps(m_currentRouteMode, m_apps);
+}
+
+void AppSplitTunnelingController::clearAppsList()
+{
+    m_apps.clear();
+    m_appSettingsRepository->setVpnApps(m_currentRouteMode, m_apps);
+}
+
+void AppSplitTunnelingController::setRouteMode(AppsRouteMode routeMode)
+{
+    m_currentRouteMode = routeMode;
+    m_apps = m_appSettingsRepository->vpnApps(m_currentRouteMode);
+    m_appSettingsRepository->setAppsRouteMode(routeMode);
+}
+
+void AppSplitTunnelingController::toggleSplitTunneling(bool enabled)
+{
+    m_appSettingsRepository->setAppsSplitTunnelingEnabled(enabled);
+}
+
+AppsRouteMode AppSplitTunnelingController::getRouteMode() const
+{
+    return m_currentRouteMode;
+}
+
+bool AppSplitTunnelingController::isSplitTunnelingEnabled() const
+{
+    return m_appSettingsRepository->isAppsSplitTunnelingEnabled();
+}
+
+QVector<amnezia::InstalledAppInfo> AppSplitTunnelingController::getApps() const
+{
+    return m_apps;
+}
+

client/core/controllers/appSplitTunnelingController.h

@@ -0,0 +1,32 @@
+#ifndef APPSPLITTUNNELINGCONTROLLER_H
+#define APPSPLITTUNNELINGCONTROLLER_H
+
+#include <QVector>
+
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class AppSplitTunnelingController
+{
+public:
+    explicit AppSplitTunnelingController(SecureAppSettingsRepository* appSettingsRepository);
+
+    bool addApp(const amnezia::InstalledAppInfo &appInfo);
+    void removeApp(int index);
+    void clearAppsList();
+    void setRouteMode(AppsRouteMode routeMode);
+    void toggleSplitTunneling(bool enabled);
+
+    AppsRouteMode getRouteMode() const;
+    bool isSplitTunnelingEnabled() const;
+    QVector<amnezia::InstalledAppInfo> getApps() const;
+
+private:
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    AppsRouteMode m_currentRouteMode;
+    QVector<amnezia::InstalledAppInfo> m_apps;
+};
+
+#endif // APPSPLITTUNNELINGCONTROLLER_H
+

client/core/controllers/connectionController.cpp

@@ -0,0 +1,183 @@
+#include "connectionController.h"
+
+#include <QJsonDocument>
+
+#include "core/configurators/configuratorBase.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/utils/utilities.h"
+#include "core/utils/networkUtilities.h"
+#include "version.h"
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/models/serverConfig.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocolConfig.h"
+
+using namespace amnezia;
+using namespace ProtocolUtils;
+
+ConnectionController::ConnectionController(SecureServersRepository* serversRepository,
+                                         SecureAppSettingsRepository* appSettingsRepository,
+                                         VpnConnection* vpnConnection,
+                                         QObject* parent)
+    : QObject(parent),
+      m_serversRepository(serversRepository),
+      m_appSettingsRepository(appSettingsRepository),
+      m_vpnConnection(vpnConnection)
+{
+    connect(m_vpnConnection, &VpnConnection::connectionStateChanged, this, &ConnectionController::connectionStateChanged);
+    connect(this, &ConnectionController::openConnectionRequested, m_vpnConnection, &VpnConnection::connectToVpn, Qt::QueuedConnection);
+    connect(this, &ConnectionController::closeConnectionRequested, m_vpnConnection, &VpnConnection::disconnectFromVpn, Qt::QueuedConnection);
+    connect(this, &ConnectionController::setConnectionStateRequested, m_vpnConnection, &VpnConnection::setConnectionState, Qt::QueuedConnection);
+    connect(this, &ConnectionController::killSwitchModeChangedRequested, m_vpnConnection, &VpnConnection::onKillSwitchModeChanged, Qt::QueuedConnection);
+#ifdef Q_OS_ANDROID
+    connect(this, &ConnectionController::restoreConnectionRequested, m_vpnConnection, &VpnConnection::restoreConnection, Qt::QueuedConnection);
+#endif
+}
+
+bool ConnectionController::isConnected() const
+{
+    return m_vpnConnection && m_vpnConnection->connectionState() == Vpn::ConnectionState::Connected;
+}
+
+void ConnectionController::setConnectionState(Vpn::ConnectionState state)
+{
+    if (m_vpnConnection) {
+        emit setConnectionStateRequested(state);
+    }
+}
+
+ErrorCode ConnectionController::prepareConnection(int serverIndex,
+                                                 QJsonObject& vpnConfiguration,
+                                                 DockerContainer& container)
+{
+    if (!isServiceReady()) {
+        return ErrorCode::AmneziaServiceNotRunning;
+    }
+
+    ServerConfig serverConfigModel = m_serversRepository->server(serverIndex);
+    container = serverConfigModel.defaultContainer();
+
+    if (!isContainerSupported(container)) {
+        return ErrorCode::NotSupportedOnThisPlatform;
+    }
+
+    ContainerConfig containerConfigModel = m_serversRepository->containerConfig(serverIndex, container);
+
+    auto dns = serverConfigModel.getDnsPair(m_appSettingsRepository->useAmneziaDns(),
+                                            m_appSettingsRepository->primaryDns(),
+                                            m_appSettingsRepository->secondaryDns());
+
+    vpnConfiguration = createConnectionConfiguration(dns, serverConfigModel, containerConfigModel, container);
+
+    return ErrorCode::NoError;
+}
+
+ErrorCode ConnectionController::openConnection(int serverIndex)
+{
+    QJsonObject vpnConfiguration;
+    DockerContainer container;
+
+    ErrorCode errorCode = prepareConnection(serverIndex, vpnConfiguration, container);
+    if (errorCode != ErrorCode::NoError) {
+        return errorCode;
+    }
+
+    emit openConnectionRequested(serverIndex, container, vpnConfiguration);
+    return ErrorCode::NoError;
+}
+
+void ConnectionController::closeConnection()
+{
+    if (m_vpnConnection) {
+        emit closeConnectionRequested();
+    }
+}
+
+#ifdef Q_OS_ANDROID
+void ConnectionController::restoreConnection()
+{
+    if (m_vpnConnection) {
+        emit restoreConnectionRequested();
+    }
+}
+#endif
+
+void ConnectionController::onKillSwitchModeChanged(bool enabled)
+{
+    if (m_vpnConnection) {
+        emit killSwitchModeChangedRequested(enabled);
+    }
+}
+
+ErrorCode ConnectionController::lastConnectionError() const
+{
+    return m_vpnConnection->lastError();
+}
+
+QJsonObject ConnectionController::createConnectionConfiguration(const QPair<QString, QString> &dns,
+                                                              const ServerConfig &serverConfig,
+                                                              const ContainerConfig &containerConfig,
+                                                              DockerContainer container)
+{
+    QJsonObject vpnConfiguration {};
+
+    if (ContainerUtils::containerService(container) == ServiceType::Other) {
+        return vpnConfiguration;
+    }
+
+    Proto proto = ContainerUtils::defaultProtocol(container);
+
+    ConnectionSettings connectionSettings = {
+        { dns.first, dns.second },
+        serverConfig.isApiConfig(),
+        {
+            m_appSettingsRepository->isSitesSplitTunnelingEnabled(),
+            m_appSettingsRepository->routeMode()
+        }
+    };
+
+    auto configurator = ConfiguratorBase::create(proto, nullptr);
+    ProtocolConfig processedConfig = configurator->processConfigWithLocalSettings(connectionSettings,
+                                                                                  containerConfig.protocolConfig);
+
+    QJsonObject vpnConfigData = processedConfig.getClientConfigJson();
+    if (ContainerUtils::isAwgContainer(container) || container == DockerContainer::WireGuard) {
+        if (vpnConfigData[configKey::mtu].toString().isEmpty()) {
+            vpnConfigData[configKey::mtu] =
+                    ContainerUtils::isAwgContainer(container) ? protocols::awg::defaultMtu :
+                    protocols::wireguard::defaultMtu;
+        }
+    }
+
+    vpnConfiguration.insert(ProtocolUtils::key_proto_config_data(proto), vpnConfigData);
+    vpnConfiguration[configKey::vpnProto] = ProtocolUtils::protoToString(proto);
+
+    vpnConfiguration[configKey::dns1] = dns.first;
+    vpnConfiguration[configKey::dns2] = dns.second;
+
+    vpnConfiguration[configKey::hostName] = serverConfig.hostName();
+    vpnConfiguration[configKey::description] = serverConfig.description();
+
+    vpnConfiguration[configKey::configVersion] = serverConfig.configVersion();
+
+    return vpnConfiguration;
+}
+
+bool ConnectionController::isServiceReady() const
+{
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
+    return Utils::processIsRunning(Utils::executable(SERVICE_NAME, false), true);
+#else
+    return true;
+#endif
+}
+
+bool ConnectionController::isContainerSupported(DockerContainer container) const
+{
+    return ContainerUtils::isSupportedByCurrentPlatform(container);
+}

client/core/controllers/connectionController.h

@@ -0,0 +1,78 @@
+#ifndef CONNECTIONCONTROLLER_H
+#define CONNECTIONCONTROLLER_H
+
+#include <QObject>
+#include <QJsonObject>
+#include <QPair>
+#include <memory>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "core/protocols/vpnProtocol.h"
+#include "vpnConnection.h"
+
+using namespace amnezia;
+
+class ConnectionController : public QObject
+{
+    Q_OBJECT
+
+public:
+    explicit ConnectionController(SecureServersRepository* serversRepository,
+                                 SecureAppSettingsRepository* appSettingsRepository,
+                                 VpnConnection* vpnConnection,
+                                 QObject* parent = nullptr);
+    ~ConnectionController() = default;
+
+    ErrorCode prepareConnection(int serverIndex,
+                               QJsonObject& vpnConfiguration,
+                               DockerContainer& container);
+
+    ErrorCode openConnection(int serverIndex);
+
+    void closeConnection();
+
+#ifdef Q_OS_ANDROID
+    void restoreConnection();
+#endif
+
+    void onKillSwitchModeChanged(bool enabled);
+
+    ErrorCode lastConnectionError() const;
+
+    bool isConnected() const;
+    void setConnectionState(Vpn::ConnectionState state);
+
+    QJsonObject createConnectionConfiguration(const QPair<QString, QString> &dns,
+                                             const ServerConfig &serverConfig,
+                                             const ContainerConfig &containerConfig,
+                                             DockerContainer container);
+
+    bool isServiceReady() const;
+
+    bool isContainerSupported(DockerContainer container) const;
+
+signals:
+    void connectionStateChanged(Vpn::ConnectionState state);
+    void openConnectionRequested(int serverIndex, DockerContainer container, const QJsonObject &vpnConfiguration);
+    void closeConnectionRequested();
+    void setConnectionStateRequested(Vpn::ConnectionState state);
+    void killSwitchModeChangedRequested(bool enabled);
+
+#ifdef Q_OS_ANDROID
+    void restoreConnectionRequested();
+#endif
+
+private:
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    VpnConnection* m_vpnConnection;
+};
+
+#endif

client/core/controllers/coreController.cpp

@@ -2,9 +2,18 @@
 
 #include <QDirIterator>
 #include <QTranslator>
+#include <QTimer>
+
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/controllers/selfhosted/installController.h"
+#include "core/controllers/selfhosted/importController.h"
+#include "core/controllers/coreSignalHandlers.h"
+#include "core/models/serverConfig.h"
+#include "logger.h"
+#include "secureQSettings.h"
 
 #if defined(Q_OS_ANDROID)
-    #include "core/installedAppsImageProvider.h"
+    #include "core/utils/installedAppsImageProvider.h"
     #include "platforms/android/android_controller.h"
 #endif
 
@@ -13,152 +22,200 @@
     #include <AmneziaVPN-Swift.h>
 #endif
 
-CoreController::CoreController(const QSharedPointer<VpnConnection> &vpnConnection, const std::shared_ptr<Settings> &settings,
+CoreController::CoreController(const QSharedPointer<VpnConnection> &vpnConnection, SecureQSettings* settings,
                                QQmlApplicationEngine *engine, QObject *parent)
     : QObject(parent), m_vpnConnection(vpnConnection), m_settings(settings), m_engine(engine)
 {
+    initRepositories();
+    initCoreControllers();
     initModels();
     initControllers();
     initSignalHandlers();
 
     initAndroidController();
     initAppleController();
+    initLogging();
 
-    initNotificationHandler();
+    m_translator = new QTranslator(this);
+    if (m_appSettingsRepository) {
+        updateTranslator(m_appSettingsRepository->getAppLanguage());
+    }
+}
 
-    m_translator.reset(new QTranslator());
-    updateTranslator(m_settings->getAppLanguage());
+void CoreController::setQmlContextProperty(const QString &name, QObject *value)
+{
+    if (m_engine) {
+        m_engine->rootContext()->setContextProperty(name, value);
+    }
 }
 
 void CoreController::initModels()
 {
-    m_containersModel.reset(new ContainersModel(this));
-    m_engine->rootContext()->setContextProperty("ContainersModel", m_containersModel.get());
+    m_containersModel = new ContainersModel(this);
+    setQmlContextProperty("ContainersModel", m_containersModel);
 
-    m_defaultServerContainersModel.reset(new ContainersModel(this));
-    m_engine->rootContext()->setContextProperty("DefaultServerContainersModel", m_defaultServerContainersModel.get());
+    m_defaultServerContainersModel = new ContainersModel(this);
+    setQmlContextProperty("DefaultServerContainersModel", m_defaultServerContainersModel);
 
-    m_serversModel.reset(new ServersModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("ServersModel", m_serversModel.get());
+    m_serversModel = new ServersModel(this);
+    setQmlContextProperty("ServersModel", m_serversModel);
 
-    m_languageModel.reset(new LanguageModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("LanguageModel", m_languageModel.get());
+    m_languageModel = new LanguageModel(this);
+    setQmlContextProperty("LanguageModel", m_languageModel);
 
-    m_sitesModel.reset(new SitesModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("SitesModel", m_sitesModel.get());
+    m_ipSplitTunnelingModel = new IpSplitTunnelingModel(this);
+    setQmlContextProperty("IpSplitTunnelingModel", m_ipSplitTunnelingModel);
 
-    m_allowedDnsModel.reset(new AllowedDnsModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("AllowedDnsModel", m_allowedDnsModel.get());
+    m_allowedDnsModel = new AllowedDnsModel(this);
+    setQmlContextProperty("AllowedDnsModel", m_allowedDnsModel);
 
-    m_appSplitTunnelingModel.reset(new AppSplitTunnelingModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("AppSplitTunnelingModel", m_appSplitTunnelingModel.get());
+    m_appSplitTunnelingModel = new AppSplitTunnelingModel(this);
+    setQmlContextProperty("AppSplitTunnelingModel", m_appSplitTunnelingModel);
 
-    m_protocolsModel.reset(new ProtocolsModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("ProtocolsModel", m_protocolsModel.get());
+    m_protocolsModel = new ProtocolsModel(this);
+    setQmlContextProperty("ProtocolsModel", m_protocolsModel);
 
-    m_openVpnConfigModel.reset(new OpenVpnConfigModel(this));
-    m_engine->rootContext()->setContextProperty("OpenVpnConfigModel", m_openVpnConfigModel.get());
+    m_openVpnConfigModel = new OpenVpnConfigModel(this);
+    setQmlContextProperty("OpenVpnConfigModel", m_openVpnConfigModel);
 
-    m_shadowSocksConfigModel.reset(new ShadowSocksConfigModel(this));
-    m_engine->rootContext()->setContextProperty("ShadowSocksConfigModel", m_shadowSocksConfigModel.get());
+    m_wireGuardConfigModel = new WireGuardConfigModel(this);
+    setQmlContextProperty("WireGuardConfigModel", m_wireGuardConfigModel);
 
-    m_cloakConfigModel.reset(new CloakConfigModel(this));
-    m_engine->rootContext()->setContextProperty("CloakConfigModel", m_cloakConfigModel.get());
+    m_awgConfigModel = new AwgConfigModel(this);
+    setQmlContextProperty("AwgConfigModel", m_awgConfigModel);
 
-    m_wireGuardConfigModel.reset(new WireGuardConfigModel(this));
-    m_engine->rootContext()->setContextProperty("WireGuardConfigModel", m_wireGuardConfigModel.get());
+    m_xrayConfigModel = new XrayConfigModel(this);
+    setQmlContextProperty("XrayConfigModel", m_xrayConfigModel);
 
-    m_awgConfigModel.reset(new AwgConfigModel(this));
-    m_engine->rootContext()->setContextProperty("AwgConfigModel", m_awgConfigModel.get());
-
-    m_xrayConfigModel.reset(new XrayConfigModel(this));
-    m_engine->rootContext()->setContextProperty("XrayConfigModel", m_xrayConfigModel.get());
+    m_torConfigModel = new TorConfigModel(this);
+    setQmlContextProperty("TorConfigModel", m_torConfigModel);
 
 #ifdef Q_OS_WINDOWS
-    m_ikev2ConfigModel.reset(new Ikev2ConfigModel(this));
-    m_engine->rootContext()->setContextProperty("Ikev2ConfigModel", m_ikev2ConfigModel.get());
+    m_ikev2ConfigModel = new Ikev2ConfigModel(this);
+    setQmlContextProperty("Ikev2ConfigModel", m_ikev2ConfigModel);
 #endif
 
-    m_sftpConfigModel.reset(new SftpConfigModel(this));
-    m_engine->rootContext()->setContextProperty("SftpConfigModel", m_sftpConfigModel.get());
+    m_sftpConfigModel = new SftpConfigModel(this);
+    setQmlContextProperty("SftpConfigModel", m_sftpConfigModel);
 
-    m_socks5ConfigModel.reset(new Socks5ProxyConfigModel(this));
-    m_engine->rootContext()->setContextProperty("Socks5ProxyConfigModel", m_socks5ConfigModel.get());
+    m_socks5ConfigModel = new Socks5ProxyConfigModel(this);
+    setQmlContextProperty("Socks5ProxyConfigModel", m_socks5ConfigModel);
 
-    m_clientManagementModel.reset(new ClientManagementModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("ClientManagementModel", m_clientManagementModel.get());
+    m_clientManagementModel = new ClientManagementModel(this);
+    setQmlContextProperty("ClientManagementModel", m_clientManagementModel);
 
-    m_apiServicesModel.reset(new ApiServicesModel(this));
-    m_engine->rootContext()->setContextProperty("ApiServicesModel", m_apiServicesModel.get());
+    m_apiServicesModel = new ApiServicesModel(this);
+    setQmlContextProperty("ApiServicesModel", m_apiServicesModel);
 
-    m_apiCountryModel.reset(new ApiCountryModel(this));
-    m_engine->rootContext()->setContextProperty("ApiCountryModel", m_apiCountryModel.get());
+    m_apiCountryModel = new ApiCountryModel(this);
+    setQmlContextProperty("ApiCountryModel", m_apiCountryModel);
 
-    m_apiAccountInfoModel.reset(new ApiAccountInfoModel(this));
-    m_engine->rootContext()->setContextProperty("ApiAccountInfoModel", m_apiAccountInfoModel.get());
+    m_apiSubscriptionPlansModel = new ApiSubscriptionPlansModel(this);
+    setQmlContextProperty("ApiSubscriptionPlansModel", m_apiSubscriptionPlansModel);
 
-    m_apiDevicesModel.reset(new ApiDevicesModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("ApiDevicesModel", m_apiDevicesModel.get());
+    m_apiBenefitsModel = new ApiBenefitsModel(this);
+    setQmlContextProperty("ApiBenefitsModel", m_apiBenefitsModel);
 
-    m_newsModel.reset(new NewsModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("NewsModel", m_newsModel.get());
+    m_apiAccountInfoModel = new ApiAccountInfoModel(this);
+    setQmlContextProperty("ApiAccountInfoModel", m_apiAccountInfoModel);
+
+    m_apiDevicesModel = new ApiDevicesModel(this);
+    setQmlContextProperty("ApiDevicesModel", m_apiDevicesModel);
+
+    m_newsModel = new NewsModel(m_appSettingsRepository, this);
+    setQmlContextProperty("NewsModel", m_newsModel);
+}
+
+void CoreController::initRepositories()
+{
+    m_serversRepository = new SecureServersRepository(m_settings, this);
+    m_appSettingsRepository = new SecureAppSettingsRepository(m_settings, this);
+
+    if (m_vpnConnection) {
+        m_vpnConnection->setRepositories(m_serversRepository, m_appSettingsRepository);
+    }
+}
+
+void CoreController::initCoreControllers()
+{
+    m_serversController = new ServersController(m_serversRepository, m_appSettingsRepository, this);
+    m_appSplitTunnelingController = new AppSplitTunnelingController(m_appSettingsRepository);
+    m_usersController = new UsersController(m_serversRepository, this);
+    m_ipSplitTunnelingController = new IpSplitTunnelingController(m_appSettingsRepository, this);
+    m_allowedDnsController = new AllowedDnsController(m_appSettingsRepository);
+    m_servicesCatalogController = new ServicesCatalogController(m_appSettingsRepository);
+    m_subscriptionController = new SubscriptionController(m_serversRepository, m_appSettingsRepository);
+    m_newsController = new NewsController(m_appSettingsRepository, m_serversController);
+    m_updateController = new UpdateController(m_appSettingsRepository, this);
+    
+    m_installController = new InstallController(m_serversRepository, m_appSettingsRepository, this);
+    m_exportController = new ExportController(m_serversRepository, m_appSettingsRepository, this);
+    m_importCoreController = new ImportController(m_serversRepository, m_appSettingsRepository, this);
+    m_connectionController = new ConnectionController(m_serversRepository, m_appSettingsRepository, m_vpnConnection.get(), this);
+    m_settingsController = new SettingsController(m_serversRepository, m_appSettingsRepository, this);
 }
 
 void CoreController::initControllers()
 {
-    m_connectionController.reset(
-            new ConnectionController(m_serversModel, m_containersModel, m_clientManagementModel, m_vpnConnection, m_settings));
-    m_engine->rootContext()->setContextProperty("ConnectionController", m_connectionController.get());
+    m_connectionUiController = new ConnectionUiController(m_connectionController, m_serversController, this);
+    setQmlContextProperty("ConnectionController", m_connectionUiController);
 
-    m_pageController.reset(new PageController(m_serversModel, m_settings));
-    m_engine->rootContext()->setContextProperty("PageController", m_pageController.get());
+    if (m_engine) {
+        m_focusController = new FocusController(m_engine, this);
+        setQmlContextProperty("FocusController", m_focusController);
+    }
 
-    m_focusController.reset(new FocusController(m_engine, this));
-    m_engine->rootContext()->setContextProperty("FocusController", m_focusController.get());
+    m_installUiController = new InstallUiController(m_installController, m_serversController, m_settingsController, m_protocolsModel, m_usersController, 
+                                                     m_awgConfigModel, m_wireGuardConfigModel, m_openVpnConfigModel, m_xrayConfigModel, m_torConfigModel,
+#ifdef Q_OS_WINDOWS
+                                                     m_ikev2ConfigModel,
+#endif
+                                                     m_sftpConfigModel, m_socks5ConfigModel, this);
+    setQmlContextProperty("InstallController", m_installUiController);
 
-    m_installController.reset(new InstallController(m_serversModel, m_containersModel, m_protocolsModel, m_clientManagementModel, m_settings));
-    m_engine->rootContext()->setContextProperty("InstallController", m_installController.get());
+    m_importController = new ImportUiController(m_importCoreController, this);
+    setQmlContextProperty("ImportController", m_importController);
 
-    connect(m_installController.get(), &InstallController::currentContainerUpdated, m_connectionController.get(),
-            &ConnectionController::onCurrentContainerUpdated); // TODO remove this
+    m_exportUiController = new ExportUiController(m_exportController, this);
+    setQmlContextProperty("ExportController", m_exportUiController);
 
-    connect(m_installController.get(), &InstallController::profileCleared,
-            m_protocolsModel.get(), &ProtocolsModel::updateModel);
+    m_languageUiController = new LanguageUiController(m_settingsController, m_languageModel, this);
+    setQmlContextProperty("LanguageUiController", m_languageUiController);
 
-    m_importController.reset(new ImportController(m_serversModel, m_containersModel, m_settings));
-    m_engine->rootContext()->setContextProperty("ImportController", m_importController.get());
+    m_settingsUiController = new SettingsUiController(m_settingsController, m_serversController, m_languageUiController, this);
+    setQmlContextProperty("SettingsController", m_settingsUiController);
 
-    m_exportController.reset(new ExportController(m_serversModel, m_containersModel, m_clientManagementModel, m_settings));
-    m_engine->rootContext()->setContextProperty("ExportController", m_exportController.get());
+    m_pageController = new PageController(m_serversController, m_settingsController, this);
+    setQmlContextProperty("PageController", m_pageController);
 
-    m_settingsController.reset(
-            new SettingsController(m_serversModel, m_containersModel, m_languageModel, m_sitesModel, m_appSplitTunnelingModel, m_settings));
-    m_engine->rootContext()->setContextProperty("SettingsController", m_settingsController.get());
+    m_serversUiController = new ServersUiController(m_serversController, m_settingsController, m_serversModel, m_containersModel, m_defaultServerContainersModel, this);
+    setQmlContextProperty("ServersUiController", m_serversUiController);
 
-    m_sitesController.reset(new SitesController(m_settings, m_vpnConnection, m_sitesModel));
-    m_engine->rootContext()->setContextProperty("SitesController", m_sitesController.get());
+    m_ipSplitTunnelingUiController = new IpSplitTunnelingUiController(m_ipSplitTunnelingController, m_ipSplitTunnelingModel, this);
+    setQmlContextProperty("IpSplitTunnelingController", m_ipSplitTunnelingUiController);
 
-    m_allowedDnsController.reset(new AllowedDnsController(m_settings, m_allowedDnsModel));
-    m_engine->rootContext()->setContextProperty("AllowedDnsController", m_allowedDnsController.get());
+    m_allowedDnsUiController = new AllowedDnsUiController(m_allowedDnsController, m_allowedDnsModel, this);
+    setQmlContextProperty("AllowedDnsController", m_allowedDnsUiController);
 
-    m_appSplitTunnelingController.reset(new AppSplitTunnelingController(m_settings, m_appSplitTunnelingModel));
-    m_engine->rootContext()->setContextProperty("AppSplitTunnelingController", m_appSplitTunnelingController.get());
+    m_appSplitTunnelingUiController = new AppSplitTunnelingUiController(m_appSplitTunnelingController, m_appSplitTunnelingModel, this);
+    setQmlContextProperty("AppSplitTunnelingController", m_appSplitTunnelingUiController);
 
-    m_systemController.reset(new SystemController(m_settings));
-    m_engine->rootContext()->setContextProperty("SystemController", m_systemController.get());
+    m_systemController = new SystemController(this);
+    setQmlContextProperty("SystemController", m_systemController);
 
-    m_apiSettingsController.reset(
-            new ApiSettingsController(m_serversModel, m_apiAccountInfoModel, m_apiCountryModel, m_apiDevicesModel, m_settings));
-    m_engine->rootContext()->setContextProperty("ApiSettingsController", m_apiSettingsController.get());
+    m_servicesCatalogUiController = new ServicesCatalogUiController(m_servicesCatalogController, m_apiServicesModel, this);
+    setQmlContextProperty("ServicesCatalogUiController", m_servicesCatalogUiController);
 
-    m_apiConfigsController.reset(new ApiConfigsController(m_serversModel, m_apiServicesModel, m_settings));
-    m_engine->rootContext()->setContextProperty("ApiConfigsController", m_apiConfigsController.get());
+    m_subscriptionUiController = new SubscriptionUiController(m_serversController, m_apiServicesModel, m_servicesCatalogController, m_subscriptionController,
+                                                              m_apiSubscriptionPlansModel, m_apiBenefitsModel, m_apiAccountInfoModel,
+                                                              m_apiCountryModel, m_apiDevicesModel, m_settingsController, this);
+    setQmlContextProperty("SubscriptionUiController", m_subscriptionUiController);
 
-    m_apiPremV1MigrationController.reset(new ApiPremV1MigrationController(m_serversModel, m_settings, this));
-    m_engine->rootContext()->setContextProperty("ApiPremV1MigrationController", m_apiPremV1MigrationController.get());
+    m_apiNewsUiController = new ApiNewsUiController(m_newsModel, m_newsController, this);
+    setQmlContextProperty("ApiNewsController", m_apiNewsUiController);
 
-    m_apiNewsController.reset(new ApiNewsController(m_newsModel, m_settings, m_serversModel, this));
-    m_engine->rootContext()->setContextProperty("ApiNewsController", m_apiNewsController.get());
+    m_updateUiController = new UpdateUiController(m_updateController, this);
+    setQmlContextProperty("UpdateController", m_updateUiController);
 }
 
 void CoreController::initAndroidController()
@@ -167,33 +224,16 @@ void CoreController::initAndroidController()
     if (!AndroidController::initLogging()) {
         qFatal("Android logging initialization failed");
     }
-    AndroidController::instance()->setSaveLogs(m_settings->isSaveLogs());
-    connect(m_settings.get(), &Settings::saveLogsChanged, AndroidController::instance(), &AndroidController::setSaveLogs);
+    AndroidController::instance()->setSaveLogs(m_appSettingsRepository->isSaveLogs());
+    AndroidController::instance()->setScreenshotsEnabled(m_appSettingsRepository->isScreenshotsEnabled());
 
-    AndroidController::instance()->setScreenshotsEnabled(m_settings->isScreenshotsEnabled());
-    connect(m_settings.get(), &Settings::screenshotsEnabledChanged, AndroidController::instance(), &AndroidController::setScreenshotsEnabled);
-
-    connect(m_settings.get(), &Settings::serverRemoved, AndroidController::instance(), &AndroidController::resetLastServer);
-
-    connect(m_settings.get(), &Settings::settingsCleared, []() { AndroidController::instance()->resetLastServer(-1); });
-
-    connect(AndroidController::instance(), &AndroidController::initConnectionState, this, [this](Vpn::ConnectionState state) {
-        m_connectionController->onConnectionStateChanged(state);
-        if (m_vpnConnection)
-            m_vpnConnection->restoreConnection();
-    });
     if (!AndroidController::instance()->initialize()) {
         qFatal("Android controller initialization failed");
     }
 
-    connect(AndroidController::instance(), &AndroidController::importConfigFromOutside, this, [this](QString data) {
-        emit m_pageController->goToPageHome();
-        m_importController->extractConfigFromData(data);
-        data.clear();
-        emit m_pageController->goToPageViewConfig();
-    });
-
-    m_engine->addImageProvider(QLatin1String("installedAppImage"), new InstalledAppsImageProvider);
+    if (m_engine) {
+        m_engine->addImageProvider(QLatin1String("installedAppImage"), new InstalledAppsImageProvider);
+    }
 #endif
 }
 
@@ -201,65 +241,36 @@ void CoreController::initAppleController()
 {
 #ifdef Q_OS_IOS
     IosController::Instance()->initialize();
-    connect(IosController::Instance(), &IosController::importConfigFromOutside, this, [this](QString data) {
-        emit m_pageController->goToPageHome();
-        m_importController->extractConfigFromData(data);
-        emit m_pageController->goToPageViewConfig();
-    });
+    QTimer::singleShot(0, this, [this]() { AmneziaVPN::toggleScreenshots(m_appSettingsRepository->isScreenshotsEnabled()); });
+#endif
+}
 
-    connect(IosController::Instance(), &IosController::importBackupFromOutside, this, [this](QString filePath) {
-        emit m_pageController->goToPageHome();
-        m_pageController->goToPageSettingsBackup();
-        emit m_settingsController->importBackupFromOutside(filePath);
-    });
-
-    QTimer::singleShot(0, this, [this]() { AmneziaVPN::toggleScreenshots(m_settings->isScreenshotsEnabled()); });
-
-    connect(m_settings.get(), &Settings::screenshotsEnabledChanged, [](bool enabled) { AmneziaVPN::toggleScreenshots(enabled); });
+void CoreController::initLogging()
+{
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+    bool enabled = m_appSettingsRepository->isSaveLogs();
+    if (enabled) {
+        if (!Logger::init(false)) {
+            qWarning() << "Initialization of debug subsystem failed";
+        }
+    }
+    Logger::setServiceLogsEnabled(enabled);
 #endif
 }
 
 void CoreController::initSignalHandlers()
 {
-    initErrorMessagesHandler();
-
-    initApiCountryModelUpdateHandler();
-    initContainerModelUpdateHandler();
-    initAdminConfigRevokedHandler();
-    initPassphraseRequestHandler();
-    initTranslationsUpdatedHandler();
-    initAutoConnectHandler();
-    initAmneziaDnsToggledHandler();
-    initPrepareConfigHandler();
-    initImportPremiumV2VpnKeyHandler();
-    initShowMigrationDrawerHandler();
-    initStrictKillSwitchHandler();
-}
-
-void CoreController::initNotificationHandler()
-{
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
-    m_notificationHandler.reset(NotificationHandler::create(nullptr));
-
-    connect(m_vpnConnection.get(), &VpnConnection::connectionStateChanged, m_notificationHandler.get(),
-            &NotificationHandler::setConnectionState);
-
-    connect(m_notificationHandler.get(), &NotificationHandler::raiseRequested, m_pageController.get(), &PageController::raiseMainWindow);
-    connect(m_notificationHandler.get(), &NotificationHandler::connectRequested, m_connectionController.get(),
-            static_cast<void (ConnectionController::*)()>(&ConnectionController::openConnection));
-    connect(m_notificationHandler.get(), &NotificationHandler::disconnectRequested, m_connectionController.get(),
-            &ConnectionController::closeConnection);
-    connect(this, &CoreController::translationsUpdated, m_notificationHandler.get(), &NotificationHandler::onTranslationsUpdated);
-
-    auto* trayHandler = qobject_cast<SystemTrayNotificationHandler*>(m_notificationHandler.get());
-    connect(this, &CoreController::websiteUrlChanged, trayHandler, &SystemTrayNotificationHandler::updateWebsiteUrl);
-#endif    
+    m_signalHandlers = new CoreSignalHandlers(this, this);
+    m_signalHandlers->initAllHandlers();
+    
+    // Trigger initial update after handlers are connected
+    m_serversUiController->updateModel();
 }
 
 void CoreController::updateTranslator(const QLocale &locale)
 {
     if (!m_translator->isEmpty()) {
-        QCoreApplication::removeTranslator(m_translator.get());
+        QCoreApplication::removeTranslator(m_translator);
     }
 
     QStringList availableTranslations;
@@ -280,134 +291,52 @@ void CoreController::updateTranslator(const QLocale &locale)
     }
 
     if (m_translator->load(strFileName)) {
-        if (QCoreApplication::installTranslator(m_translator.get())) {
-            m_settings->setAppLanguage(locale);
-        }
+        QCoreApplication::installTranslator(m_translator);
     } else {
-        m_settings->setAppLanguage(QLocale::English);
+        if (m_translator->load(QString(":/translations/amneziavpn_en.qm"))) {
+            QCoreApplication::installTranslator(m_translator);
+        }
     }
 
-    m_engine->retranslate();
+    if (m_engine) {
+        m_engine->retranslate();
+    }
 
     emit translationsUpdated();
-    emit websiteUrlChanged(m_languageModel->getCurrentSiteUrl());
-}
-
-void CoreController::initErrorMessagesHandler()
-{
-    connect(m_connectionController.get(), &ConnectionController::connectionErrorOccurred, this, [this](ErrorCode errorCode) {
-        emit m_pageController->showErrorMessage(errorCode);
-        emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
-    });
-
-    connect(m_apiConfigsController.get(), &ApiConfigsController::errorOccurred, m_pageController.get(),
-            qOverload<ErrorCode>(&PageController::showErrorMessage));
+    if (m_languageUiController) {
+        emit websiteUrlChanged(m_languageUiController->getCurrentSiteUrl());
+    }
 }
 
 void CoreController::setQmlRoot()
 {
-    m_systemController->setQmlRoot(m_engine->rootObjects().value(0));
-}
-
-void CoreController::initApiCountryModelUpdateHandler()
-{
-    connect(m_serversModel.get(), &ServersModel::updateApiCountryModel, this, [this]() {
-        m_apiCountryModel->updateModel(m_serversModel->getProcessedServerData("apiAvailableCountries").toJsonArray(),
-                                       m_serversModel->getProcessedServerData("apiServerCountryCode").toString());
-    });
-}
-
-void CoreController::initContainerModelUpdateHandler()
-{
-    connect(m_serversModel.get(), &ServersModel::containersUpdated, m_containersModel.get(), &ContainersModel::updateModel);
-    connect(m_serversModel.get(), &ServersModel::defaultServerContainersUpdated, m_defaultServerContainersModel.get(),
-            &ContainersModel::updateModel);
-    connect(m_serversModel.get(), &ServersModel::gatewayStacksExpanded, this, [this]() {
-        if (m_serversModel->hasServersFromGatewayApi()) {
-            m_apiNewsController->fetchNews();
-        }
-    });
-    m_serversModel->resetModel();
-}
-
-void CoreController::initAdminConfigRevokedHandler()
-{
-    connect(m_clientManagementModel.get(), &ClientManagementModel::adminConfigRevoked, m_serversModel.get(),
-            &ServersModel::clearCachedProfile);
-}
-
-void CoreController::initPassphraseRequestHandler()
-{
-    connect(m_installController.get(), &InstallController::passphraseRequestStarted, m_pageController.get(),
-            &PageController::showPassphraseRequestDrawer);
-    connect(m_pageController.get(), &PageController::passphraseRequestDrawerClosed, m_installController.get(),
-            &InstallController::setEncryptedPassphrase);
-}
-
-void CoreController::initTranslationsUpdatedHandler()
-{
-    connect(m_languageModel.get(), &LanguageModel::updateTranslations, this, &CoreController::updateTranslator);
-    connect(this, &CoreController::translationsUpdated, m_languageModel.get(), &LanguageModel::translationsUpdated);
-    connect(this, &CoreController::translationsUpdated, m_connectionController.get(), &ConnectionController::onTranslationsUpdated);
-}
-
-void CoreController::initAutoConnectHandler()
-{
-    if (m_settingsController->isAutoConnectEnabled() && m_serversModel->getDefaultServerIndex() >= 0) {
-        QTimer::singleShot(1000, this, [this]() { m_connectionController->openConnection(); });
+    if (m_engine && m_systemController) {
+        m_systemController->setQmlRoot(m_engine->rootObjects().value(0));
     }
 }
 
-void CoreController::initAmneziaDnsToggledHandler()
-{
-    connect(m_settingsController.get(), &SettingsController::amneziaDnsToggled, m_serversModel.get(), &ServersModel::toggleAmneziaDns);
-}
-
-void CoreController::initPrepareConfigHandler()
-{
-    connect(m_connectionController.get(), &ConnectionController::prepareConfig, this, [this]() {
-        emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Preparing);
-
-        if (!m_apiConfigsController->isConfigValid()) {
-            emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
-            return;
-        }
-
-        if (!m_installController->isConfigValid()) {
-            emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
-            return;
-        }
-
-        m_connectionController->openConnection();
-    });
-}
-
-void CoreController::initImportPremiumV2VpnKeyHandler()
-{
-    connect(m_apiPremV1MigrationController.get(), &ApiPremV1MigrationController::importPremiumV2VpnKey, this, [this](const QString &vpnKey) {
-        m_importController->extractConfigFromData(vpnKey);
-        m_importController->importConfig();
-
-        emit m_apiPremV1MigrationController->migrationFinished();
-    });
-}
-
-void CoreController::initShowMigrationDrawerHandler()
-{
-    QTimer::singleShot(1000, this, [this]() {
-        if (m_apiPremV1MigrationController->isPremV1MigrationReminderActive() && m_apiPremV1MigrationController->hasConfigsToMigration()) {
-            m_apiPremV1MigrationController->showMigrationDrawer();
-        }
-    });
-}
-
-void CoreController::initStrictKillSwitchHandler()
-{
-    connect(m_settingsController.get(), &SettingsController::strictKillSwitchEnabledChanged, m_vpnConnection.get(),
-            &VpnConnection::onKillSwitchModeChanged);
-}
-
-QSharedPointer<PageController> CoreController::pageController() const
+PageController* CoreController::pageController() const
 {
     return m_pageController;
 }
+
+void CoreController::openConnectionByIndex(int serverIndex)
+{
+    if (m_serversModel) {
+        m_serversModel->setProcessedServerIndex(serverIndex);
+    }
+    if (m_serversController) {
+        m_serversController->setDefaultServerIndex(serverIndex);
+    }
+    m_connectionUiController->toggleConnection();
+}
+
+void CoreController::importConfigFromData(const QString &data)
+{
+    if (!m_importController)
+        return;
+
+    if (m_importController->extractConfigFromData(data)) {
+        m_importController->importConfig();
+    }
+}

client/core/controllers/coreController.h

@@ -6,149 +6,212 @@
 #include <QThread>
 
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
-    #include "ui/systemtray_notificationhandler.h"
+    #include "ui/utils/systemTrayNotificationHandler.h"
 #endif
 
-#include "ui/controllers/api/apiConfigsController.h"
-#include "ui/controllers/api/apiSettingsController.h"
-#include "ui/controllers/api/apiPremV1MigrationController.h"
-#include "ui/controllers/api/apiNewsController.h"
-#include "ui/controllers/appSplitTunnelingController.h"
-#include "ui/controllers/allowedDnsController.h"
-#include "ui/controllers/connectionController.h"
-#include "ui/controllers/exportController.h"
-#include "ui/controllers/focusController.h"
-#include "ui/controllers/importController.h"
-#include "ui/controllers/installController.h"
-#include "ui/controllers/pageController.h"
-#include "ui/controllers/settingsController.h"
-#include "ui/controllers/sitesController.h"
+#include "ui/controllers/api/subscriptionUiController.h"
+#include "ui/controllers/api/apiNewsUiController.h"
+#include "ui/controllers/appSplitTunnelingUiController.h"
+#include "ui/controllers/allowedDnsUiController.h"
+#include "ui/controllers/connectionUiController.h"
+#include "ui/controllers/selfhosted/exportUiController.h"
+#include "core/controllers/selfhosted/exportController.h"
+#include "ui/controllers/qml/focusController.h"
+#include "ui/controllers/importUiController.h"
+#include "core/controllers/selfhosted/importController.h"
+#include "ui/controllers/selfhosted/installUiController.h"
+#include "ui/controllers/qml/pageController.h"
+#include "ui/controllers/settingsUiController.h"
+#include "ui/controllers/serversUiController.h"
+#include "ui/controllers/ipSplitTunnelingUiController.h"
 #include "ui/controllers/systemController.h"
+#include "ui/controllers/languageUiController.h"
+#include "ui/controllers/updateUiController.h"
+#include "ui/controllers/api/servicesCatalogUiController.h"
 
-#include "ui/models/allowed_dns_model.h"
-#include "ui/models/containers_model.h"
+#include "core/controllers/serversController.h"
+#include "core/controllers/selfhosted/usersController.h"
+#include "core/controllers/appSplitTunnelingController.h"
+#include "core/controllers/ipSplitTunnelingController.h"
+#include "core/controllers/allowedDnsController.h"
+#include "core/controllers/api/servicesCatalogController.h"
+#include "core/controllers/api/subscriptionController.h"
+#include "core/controllers/api/newsController.h"
+#include "core/controllers/selfhosted/installController.h"
+#include "core/controllers/settingsController.h"
+#include "core/controllers/connectionController.h"
+#include "core/controllers/updateController.h"
+
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "secureQSettings.h"
+
+#include "ui/models/allowedDnsModel.h"
+#include "ui/models/containersModel.h"
 #include "ui/models/languageModel.h"
-#include "ui/models/protocols/cloakConfigModel.h"
 #ifdef Q_OS_WINDOWS
     #include "ui/models/protocols/ikev2ConfigModel.h"
 #endif
 #include "ui/models/api/apiAccountInfoModel.h"
+#include "ui/models/api/apiBenefitsModel.h"
 #include "ui/models/api/apiCountryModel.h"
 #include "ui/models/api/apiDevicesModel.h"
 #include "ui/models/api/apiServicesModel.h"
+#include "ui/models/api/apiSubscriptionPlansModel.h"
 #include "ui/models/appSplitTunnelingModel.h"
 #include "ui/models/clientManagementModel.h"
 #include "ui/models/protocols/awgConfigModel.h"
 #include "ui/models/protocols/openvpnConfigModel.h"
-#include "ui/models/protocols/shadowsocksConfigModel.h"
 #include "ui/models/protocols/wireguardConfigModel.h"
 #include "ui/models/protocols/xrayConfigModel.h"
-#include "ui/models/protocols_model.h"
-#include "ui/models/servers_model.h"
+#include "ui/models/protocolsModel.h"
+#include "ui/models/services/torConfigModel.h"
+#include "ui/models/serversModel.h"
 #include "ui/models/services/sftpConfigModel.h"
 #include "ui/models/services/socks5ProxyConfigModel.h"
-#include "ui/models/sites_model.h"
+#include "ui/models/ipSplitTunnelingModel.h"
 #include "ui/models/newsModel.h"
 
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
-    #include "ui/notificationhandler.h"
+    #include "ui/utils/notificationHandler.h"
 #endif
 
+class CoreSignalHandlers;
+class TestMultipleImports;
+class TestAdminSelfHostedExport;
+class TestServerEdit;
+class TestDefaultServerChange;
+class TestServerEdgeCases;
+class TestSignalOrder;
+class TestServersModelSync;
+class TestGatewayStacks;
+class TestComplexOperations;
+class TestSettingsSignals;
+class TestUiServersModelAndController;
+class TestSelfHostedServerSetup;
+
 class CoreController : public QObject
 {
     Q_OBJECT
+    friend class CoreSignalHandlers;
+    friend class TestMultipleImports;
+    friend class TestAdminSelfHostedExport;
+    friend class TestServerEdit;
+    friend class TestDefaultServerChange;
+    friend class TestServerEdgeCases;
+    friend class TestSignalOrder;
+    friend class TestServersModelSync;
+    friend class TestGatewayStacks;
+    friend class TestComplexOperations;
+    friend class TestSettingsSignals;
+    friend class TestUiServersModelAndController;
+    friend class TestSelfHostedServerSetup;
 
 public:
-    explicit CoreController(const QSharedPointer<VpnConnection> &vpnConnection, const std::shared_ptr<Settings> &settings,
+    explicit CoreController(const QSharedPointer<VpnConnection> &vpnConnection, SecureQSettings* settings,
                             QQmlApplicationEngine *engine, QObject *parent = nullptr);
 
-    QSharedPointer<PageController> pageController() const;
+    PageController* pageController() const;
     void setQmlRoot();
 
+    void openConnectionByIndex(int serverIndex);
+    void importConfigFromData(const QString &data);
+    void updateTranslator(const QLocale &locale);
+
 signals:
     void translationsUpdated();
     void websiteUrlChanged(const QString &newUrl);
 
 private:
+    void initRepositories();
+    void initCoreControllers();
     void initModels();
     void initControllers();
     void initAndroidController();
     void initAppleController();
+    void initLogging();
     void initSignalHandlers();
-
-    void initNotificationHandler();
-
-    void updateTranslator(const QLocale &locale);
-
-    void initErrorMessagesHandler();
-
-    void initApiCountryModelUpdateHandler();
-    void initContainerModelUpdateHandler();
-    void initAdminConfigRevokedHandler();
-    void initPassphraseRequestHandler();
-    void initTranslationsUpdatedHandler();
-    void initAutoConnectHandler();
-    void initAmneziaDnsToggledHandler();
-    void initPrepareConfigHandler();
-    void initImportPremiumV2VpnKeyHandler();
-    void initShowMigrationDrawerHandler();
-    void initStrictKillSwitchHandler();
+    void setQmlContextProperty(const QString &name, QObject *value);
 
     QQmlApplicationEngine *m_engine {}; // TODO use parent child system here?
-    std::shared_ptr<Settings> m_settings;
+    SecureQSettings* m_settings;
     QSharedPointer<VpnConnection> m_vpnConnection;
-    QSharedPointer<QTranslator> m_translator;
+    QTranslator* m_translator;
+
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
 
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
-    QScopedPointer<NotificationHandler> m_notificationHandler;
+    NotificationHandler* m_notificationHandler;
 #endif
 
     QMetaObject::Connection m_reloadConfigErrorOccurredConnection;
 
-    QScopedPointer<ConnectionController> m_connectionController;
-    QScopedPointer<FocusController> m_focusController;
-    QSharedPointer<PageController> m_pageController; // TODO
-    QScopedPointer<InstallController> m_installController;
-    QScopedPointer<ImportController> m_importController;
-    QScopedPointer<ExportController> m_exportController;
-    QScopedPointer<SettingsController> m_settingsController;
-    QScopedPointer<SitesController> m_sitesController;
-    QScopedPointer<SystemController> m_systemController;
-    QScopedPointer<AppSplitTunnelingController> m_appSplitTunnelingController;
-    QScopedPointer<AllowedDnsController> m_allowedDnsController;
+    ConnectionUiController* m_connectionUiController;
+    FocusController* m_focusController;
+    PageController* m_pageController;
+    InstallUiController* m_installUiController;
+    ImportUiController* m_importController;
+    ImportController* m_importCoreController;
+    ExportUiController* m_exportUiController;
+    SettingsUiController* m_settingsUiController;
+    ServersUiController* m_serversUiController;
+    IpSplitTunnelingUiController* m_ipSplitTunnelingUiController;
+    SystemController* m_systemController;
+    AppSplitTunnelingUiController* m_appSplitTunnelingUiController;
+    AllowedDnsUiController* m_allowedDnsUiController;
+    LanguageUiController* m_languageUiController;
+    UpdateUiController* m_updateUiController;
 
-    QScopedPointer<ApiSettingsController> m_apiSettingsController;
-    QScopedPointer<ApiConfigsController> m_apiConfigsController;
-    QScopedPointer<ApiPremV1MigrationController> m_apiPremV1MigrationController;
-    QScopedPointer<ApiNewsController> m_apiNewsController;
+    SubscriptionUiController* m_subscriptionUiController;
+    ApiNewsUiController* m_apiNewsUiController;
+    
+    ServicesCatalogUiController* m_servicesCatalogUiController;
 
-    QSharedPointer<ContainersModel> m_containersModel;
-    QSharedPointer<ContainersModel> m_defaultServerContainersModel;
-    QSharedPointer<ServersModel> m_serversModel;
-    QSharedPointer<LanguageModel> m_languageModel;
-    QSharedPointer<ProtocolsModel> m_protocolsModel;
-    QSharedPointer<SitesModel> m_sitesModel;
-    QSharedPointer<NewsModel> m_newsModel;
-    QSharedPointer<AllowedDnsModel> m_allowedDnsModel;
-    QSharedPointer<AppSplitTunnelingModel> m_appSplitTunnelingModel;
-    QSharedPointer<ClientManagementModel> m_clientManagementModel;
+    ServersController* m_serversController;
+    UsersController* m_usersController;
+    AppSplitTunnelingController* m_appSplitTunnelingController;
+    IpSplitTunnelingController* m_ipSplitTunnelingController;
+    AllowedDnsController* m_allowedDnsController;
+    ServicesCatalogController* m_servicesCatalogController;
+    SubscriptionController* m_subscriptionController;
+    NewsController* m_newsController;
+    UpdateController* m_updateController;
+    InstallController* m_installController;
+    ExportController* m_exportController;
+    ConnectionController* m_connectionController;
+    SettingsController* m_settingsController;
 
-    QSharedPointer<ApiServicesModel> m_apiServicesModel;
-    QSharedPointer<ApiCountryModel> m_apiCountryModel;
-    QSharedPointer<ApiAccountInfoModel> m_apiAccountInfoModel;
-    QSharedPointer<ApiDevicesModel> m_apiDevicesModel;
+    ContainersModel* m_containersModel;
+    ContainersModel* m_defaultServerContainersModel;
+    ServersModel* m_serversModel;
+    LanguageModel* m_languageModel;
+    ProtocolsModel* m_protocolsModel;
+    IpSplitTunnelingModel* m_ipSplitTunnelingModel;
+    NewsModel* m_newsModel;
+    AllowedDnsModel* m_allowedDnsModel;
+    AppSplitTunnelingModel* m_appSplitTunnelingModel;
+    ClientManagementModel* m_clientManagementModel;
 
-    QScopedPointer<OpenVpnConfigModel> m_openVpnConfigModel;
-    QScopedPointer<ShadowSocksConfigModel> m_shadowSocksConfigModel;
-    QScopedPointer<CloakConfigModel> m_cloakConfigModel;
-    QScopedPointer<XrayConfigModel> m_xrayConfigModel;
-    QScopedPointer<WireGuardConfigModel> m_wireGuardConfigModel;
-    QScopedPointer<AwgConfigModel> m_awgConfigModel;
+    ApiServicesModel* m_apiServicesModel;
+    ApiSubscriptionPlansModel* m_apiSubscriptionPlansModel;
+    ApiBenefitsModel* m_apiBenefitsModel;
+    ApiCountryModel* m_apiCountryModel;
+    ApiAccountInfoModel* m_apiAccountInfoModel;
+    ApiDevicesModel* m_apiDevicesModel;
+
+    OpenVpnConfigModel* m_openVpnConfigModel;
+    XrayConfigModel* m_xrayConfigModel;
+    TorConfigModel* m_torConfigModel;
+    WireGuardConfigModel* m_wireGuardConfigModel;
+    AwgConfigModel* m_awgConfigModel;
 #ifdef Q_OS_WINDOWS
-    QScopedPointer<Ikev2ConfigModel> m_ikev2ConfigModel;
+    Ikev2ConfigModel* m_ikev2ConfigModel;
 #endif
-    QScopedPointer<SftpConfigModel> m_sftpConfigModel;
-    QScopedPointer<Socks5ProxyConfigModel> m_socks5ConfigModel;
+    SftpConfigModel* m_sftpConfigModel;
+    Socks5ProxyConfigModel* m_socks5ConfigModel;
+
+    CoreSignalHandlers* m_signalHandlers;
 };
 
 #endif // CORECONTROLLER_H

client/core/controllers/coreSignalHandlers.cpp

@@ -0,0 +1,430 @@
+#include "coreSignalHandlers.h"
+
+#include <QTimer>
+
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/controllers/coreController.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "vpnConnection.h"
+#include "ui/controllers/qml/pageController.h"
+#include "ui/controllers/connectionUiController.h"
+#include "ui/controllers/settingsUiController.h"
+#include "ui/controllers/serversUiController.h"
+#include "ui/controllers/ipSplitTunnelingUiController.h"
+#include "ui/controllers/allowedDnsUiController.h"
+#include "ui/controllers/appSplitTunnelingUiController.h"
+#include "ui/controllers/languageUiController.h"
+#include "ui/controllers/selfhosted/installUiController.h"
+#include "ui/controllers/importUiController.h"
+#include "ui/controllers/api/subscriptionUiController.h"
+#include "ui/controllers/updateUiController.h"
+#include "ui/models/serversModel.h"
+#include "core/controllers/serversController.h"
+#include "core/controllers/ipSplitTunnelingController.h"
+#include "core/controllers/appSplitTunnelingController.h"
+#include "core/controllers/selfhosted/usersController.h"
+#include "core/controllers/settingsController.h"
+#include "core/controllers/selfhosted/installController.h"
+#include "core/controllers/selfhosted/exportController.h"
+#include "core/controllers/connectionController.h"
+#include "ui/models/clientManagementModel.h"
+#include "ui/controllers/api/apiNewsUiController.h"
+#include "ui/models/api/apiCountryModel.h"
+#include "ui/models/containersModel.h"
+#include "core/utils/containerEnum.h"
+
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+    #include "ui/utils/notificationHandler.h"
+    #include "ui/utils/systemTrayNotificationHandler.h"
+#endif
+
+#ifdef Q_OS_ANDROID
+    #include "platforms/android/android_controller.h"
+#endif
+
+#ifdef Q_OS_IOS
+    #include "platforms/ios/ios_controller.h"
+    #include <AmneziaVPN-Swift.h>
+#endif
+
+CoreSignalHandlers::CoreSignalHandlers(CoreController* coreController, QObject* parent)
+    : QObject(parent),
+      m_coreController(coreController)
+{
+}
+
+void CoreSignalHandlers::initAllHandlers()
+{
+    initErrorMessagesHandler();
+    initSettingsSplitTunnelingHandler();
+    initInstallControllerHandler();
+    initExportControllerHandler();
+    initImportControllerHandler();
+    initApiCountryModelUpdateHandler();
+    initSubscriptionRefreshHandler();
+    initContainerModelUpdateHandler();
+    initAdminConfigRevokedHandler();
+    initPassphraseRequestHandler();
+    initTranslationsUpdatedHandler();
+    initLanguageHandler();
+    initAutoConnectHandler();
+    initAmneziaDnsToggledHandler();
+    initServersModelUpdateHandler();
+    initClientManagementModelUpdateHandler();
+    initSitesModelUpdateHandler();
+    initAllowedDnsModelUpdateHandler();
+    initAppSplitTunnelingModelUpdateHandler();
+    initPrepareConfigHandler();
+    initStrictKillSwitchHandler();
+    initAndroidSettingsHandler();
+    initAndroidConnectionHandler();
+    initIosImportHandler();
+    initIosSettingsHandler();
+    initNotificationHandler();
+    initUpdateFoundHandler();
+}
+
+void CoreSignalHandlers::initErrorMessagesHandler()
+{
+    connect(m_coreController->m_connectionUiController, &ConnectionUiController::connectionErrorOccurred, this, [this](ErrorCode errorCode) {
+        emit m_coreController->m_pageController->showErrorMessage(errorCode);
+        m_coreController->m_connectionController->setConnectionState(Vpn::ConnectionState::Disconnected);
+    });
+
+    connect(m_coreController->m_subscriptionUiController, &SubscriptionUiController::errorOccurred, m_coreController->m_pageController,
+            qOverload<ErrorCode>(&PageController::showErrorMessage));
+
+    connect(m_coreController->m_settingsUiController, &SettingsUiController::errorOccurred, m_coreController->m_pageController,
+            qOverload<ErrorCode>(&PageController::showErrorMessage));
+}
+
+void CoreSignalHandlers::initSettingsSplitTunnelingHandler()
+{
+    connect(m_coreController->m_settingsController, &SettingsController::siteSplitTunnelingRouteModeChanged, this, [this](RouteMode mode) {
+        m_coreController->m_ipSplitTunnelingController->setRouteMode(mode);
+    });
+    connect(m_coreController->m_settingsController, &SettingsController::siteSplitTunnelingToggled, this, [this](bool enabled) {
+        m_coreController->m_ipSplitTunnelingController->toggleSplitTunneling(enabled);
+    });
+    connect(m_coreController->m_settingsController, &SettingsController::appSplitTunnelingRouteModeChanged, this, [this](AppsRouteMode mode) {
+        m_coreController->m_appSplitTunnelingController->setRouteMode(mode);
+    });
+    connect(m_coreController->m_settingsController, &SettingsController::appSplitTunnelingToggled, this, [this](bool enabled) {
+        m_coreController->m_appSplitTunnelingController->toggleSplitTunneling(enabled);
+    });
+    connect(m_coreController->m_settingsController, &SettingsController::appSplitTunnelingClearAppsList, this, [this]() {
+        m_coreController->m_appSplitTunnelingController->clearAppsList();
+    });
+}
+
+void CoreSignalHandlers::initInstallControllerHandler()
+{
+    connect(m_coreController->m_installController, &InstallController::serverIsBusy, m_coreController->m_installUiController, &InstallUiController::serverIsBusy);
+    connect(m_coreController->m_installUiController, &InstallUiController::cancelInstallation, m_coreController->m_installController, &InstallController::cancelInstallation);
+    connect(m_coreController->m_installUiController, &InstallUiController::currentContainerUpdated, m_coreController->m_connectionUiController,
+            &ConnectionUiController::onCurrentContainerUpdated);
+    connect(m_coreController->m_serversUiController, &ServersUiController::processedServerIndexChanged,
+        m_coreController->m_installUiController, [this](int index) {
+        if (index >= 0) {
+            m_coreController->m_installUiController->clearProcessedServerCredentials();
+        }
+    });
+}
+
+void CoreSignalHandlers::initExportControllerHandler()
+{
+    connect(m_coreController->m_exportController, &ExportController::appendClientRequested, this,
+            [this](int serverIndex, const QString &clientId, const QString &clientName, DockerContainer container) {
+                m_coreController->m_usersController->appendClient(serverIndex, clientId, clientName, container);
+            });
+    connect(m_coreController->m_exportController, &ExportController::updateClientsRequested, this,
+            [this](int serverIndex, DockerContainer container) {
+                m_coreController->m_usersController->updateClients(serverIndex, container);
+            });
+    connect(m_coreController->m_exportController, &ExportController::revokeClientRequested, this,
+            [this](int serverIndex, int row, DockerContainer container) {
+                m_coreController->m_usersController->revokeClient(serverIndex, row, container);
+            });
+    connect(m_coreController->m_exportController, &ExportController::renameClientRequested, this,
+            [this](int serverIndex, int row, const QString &clientName, DockerContainer container) {
+                m_coreController->m_usersController->renameClient(serverIndex, row, clientName, container);
+            });
+}
+
+void CoreSignalHandlers::initImportControllerHandler()
+{
+    connect(m_coreController->m_importCoreController, &ImportController::importFinished, this, [this]() {
+        if (!m_coreController->m_connectionController->isConnected()) {
+            int newServerIndex = m_coreController->m_serversController->getServersCount() - 1;
+            m_coreController->m_serversController->setDefaultServerIndex(newServerIndex);
+            if (m_coreController->m_serversUiController) {
+                m_coreController->m_serversUiController->setProcessedServerIndex(newServerIndex);
+            }
+        }
+    });
+}
+
+void CoreSignalHandlers::initApiCountryModelUpdateHandler()
+{
+    connect(m_coreController->m_serversUiController, &ServersUiController::updateApiCountryModel, this, [this]() {
+        int processedIndex = m_coreController->m_serversUiController->getProcessedServerIndex();
+        if (processedIndex < 0 || processedIndex >= m_coreController->m_serversRepository->serversCount()) {
+            return;
+        }
+        
+        ServerConfig server = m_coreController->m_serversRepository->server(processedIndex);
+        QJsonArray availableCountries;
+        QString serverCountryCode;
+        
+        if (server.isApiV2()) {
+            const ApiV2ServerConfig* apiV2 = server.as<ApiV2ServerConfig>();
+            if (apiV2) {
+                availableCountries = apiV2->apiConfig.availableCountries;
+                serverCountryCode = apiV2->apiConfig.serverCountryCode;
+            }
+        }
+        
+        m_coreController->m_apiCountryModel->updateModel(availableCountries, serverCountryCode);
+    });
+}
+
+void CoreSignalHandlers::initSubscriptionRefreshHandler()
+{
+    connect(m_coreController->m_subscriptionUiController, &SubscriptionUiController::subscriptionRefreshNeeded, this, [this]() {
+        const int defaultServerIndex = m_coreController->m_serversController->getDefaultServerIndex();
+        if (defaultServerIndex >= 0) {
+            m_coreController->m_subscriptionUiController->getAccountInfo(defaultServerIndex, false);
+        }
+    });
+}
+
+void CoreSignalHandlers::initContainerModelUpdateHandler()
+{
+    connect(m_coreController->m_serversController, &ServersController::gatewayStacksExpanded, this, [this]() {
+        if (m_coreController->m_serversUiController->hasServersFromGatewayApi()) {
+            m_coreController->m_apiNewsUiController->fetchNews(false);
+        }
+    });
+}
+
+void CoreSignalHandlers::initAdminConfigRevokedHandler()
+{
+    connect(m_coreController->m_installController, &InstallController::clientRevocationRequested, this,
+            [this](int serverIndex, const ContainerConfig &containerConfig, DockerContainer container) {
+                m_coreController->m_usersController->revokeClient(serverIndex, containerConfig, container);
+            });
+
+    connect(m_coreController->m_installController, &InstallController::clientAppendRequested, this,
+            [this](int serverIndex, const QString &clientId, const QString &clientName, DockerContainer container) {
+                m_coreController->m_usersController->appendClient(serverIndex, clientId, clientName, container);
+            });
+
+    connect(m_coreController->m_usersController, &UsersController::adminConfigRevoked, m_coreController->m_serversController,
+            &ServersController::clearCachedProfile);
+}
+
+void CoreSignalHandlers::initPassphraseRequestHandler()
+{
+    connect(m_coreController->m_installUiController, &InstallUiController::passphraseRequestStarted, m_coreController->m_pageController,
+            &PageController::showPassphraseRequestDrawer);
+    connect(m_coreController->m_pageController, &PageController::passphraseRequestDrawerClosed, m_coreController->m_installUiController,
+            &InstallUiController::setEncryptedPassphrase);
+}
+
+void CoreSignalHandlers::initTranslationsUpdatedHandler()
+{
+    connect(m_coreController->m_languageUiController, &LanguageUiController::updateTranslations, m_coreController, &CoreController::updateTranslator);
+    connect(m_coreController, &CoreController::translationsUpdated, m_coreController->m_languageUiController, &LanguageUiController::translationsUpdated);
+    connect(m_coreController, &CoreController::translationsUpdated, m_coreController->m_connectionUiController, &ConnectionUiController::onTranslationsUpdated);
+}
+
+void CoreSignalHandlers::initLanguageHandler()
+{
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::appLanguageChanged, m_coreController->m_languageUiController, &LanguageUiController::onAppLanguageChanged);
+    connect(m_coreController->m_settingsUiController, &SettingsUiController::resetLanguageToSystem, m_coreController->m_languageUiController, [this]() {
+        m_coreController->m_languageUiController->changeLanguage(m_coreController->m_languageUiController->getSystemLanguageEnum());
+    });
+}
+
+void CoreSignalHandlers::initAutoConnectHandler()
+{
+    if (m_coreController->m_settingsUiController->isAutoConnectEnabled() && m_coreController->m_serversController->getDefaultServerIndex() >= 0) {
+        QTimer::singleShot(1000, this, [this]() { m_coreController->m_connectionUiController->openConnection(); });
+    }
+}
+
+void CoreSignalHandlers::initAmneziaDnsToggledHandler()
+{
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::useAmneziaDnsChanged, m_coreController->m_serversUiController, &ServersUiController::updateModel);
+}
+
+void CoreSignalHandlers::initServersModelUpdateHandler()
+{
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverAdded,
+            m_coreController->m_serversUiController, &ServersUiController::updateModel);
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverEdited,
+            m_coreController->m_serversUiController, &ServersUiController::updateModel);
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverRemoved,
+            m_coreController->m_serversUiController, &ServersUiController::updateModel);
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::defaultServerChanged,
+            m_coreController->m_serversUiController, &ServersUiController::onDefaultServerChanged);
+    
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverAdded,
+            m_coreController->m_serversController, &ServersController::recomputeGatewayStacks);
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverEdited,
+            m_coreController->m_serversController, &ServersController::recomputeGatewayStacks);
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverRemoved,
+            m_coreController->m_serversController, &ServersController::recomputeGatewayStacks);
+    
+    connect(m_coreController->m_settingsUiController, &SettingsUiController::restoreBackupFinished,
+            m_coreController->m_serversUiController, &ServersUiController::updateModel);
+}
+
+void CoreSignalHandlers::initClientManagementModelUpdateHandler()
+{
+    connect(m_coreController->m_usersController, &UsersController::clientsUpdated,
+            m_coreController->m_clientManagementModel, &ClientManagementModel::updateModel);
+    connect(m_coreController->m_usersController, &UsersController::clientRenamed,
+            m_coreController->m_clientManagementModel, &ClientManagementModel::updateClientName);
+}
+
+void CoreSignalHandlers::initSitesModelUpdateHandler()
+{
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::sitesChanged, m_coreController->m_ipSplitTunnelingUiController, &IpSplitTunnelingUiController::updateModel);
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::sitesSplitTunnelingEnabledChanged, m_coreController->m_ipSplitTunnelingUiController, &IpSplitTunnelingUiController::updateModel);
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::routeModeChanged, m_coreController->m_ipSplitTunnelingUiController, &IpSplitTunnelingUiController::updateModel);
+}
+
+void CoreSignalHandlers::initAllowedDnsModelUpdateHandler()
+{
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::allowedDnsServersChanged, m_coreController->m_allowedDnsUiController, &AllowedDnsUiController::updateModel);
+}
+
+void CoreSignalHandlers::initAppSplitTunnelingModelUpdateHandler()
+{
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::appsChanged, m_coreController->m_appSplitTunnelingUiController, &AppSplitTunnelingUiController::updateModel);
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::appsSplitTunnelingEnabledChanged, m_coreController->m_appSplitTunnelingUiController, &AppSplitTunnelingUiController::updateModel);
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::appsRouteModeChanged, m_coreController->m_appSplitTunnelingUiController, &AppSplitTunnelingUiController::updateModel);
+}
+
+void CoreSignalHandlers::initPrepareConfigHandler()
+{
+    connect(m_coreController->m_connectionUiController, &ConnectionUiController::prepareConfig, this, [this]() {
+        m_coreController->m_connectionController->setConnectionState(Vpn::ConnectionState::Preparing);
+
+        m_coreController->m_subscriptionUiController->validateConfig();
+    });
+
+    connect(m_coreController->m_subscriptionUiController, &SubscriptionUiController::configValidated, this, [this](bool isValid) {
+        if (!isValid) {
+            m_coreController->m_connectionController->setConnectionState(Vpn::ConnectionState::Disconnected);
+            return;
+        }
+
+        m_coreController->m_installUiController->validateConfig();
+    });
+
+    connect(m_coreController->m_installUiController, &InstallUiController::configValidated, this, [this](bool isValid) {
+        if (!isValid) {
+            m_coreController->m_connectionController->setConnectionState(Vpn::ConnectionState::Disconnected);
+            return;
+        }
+
+        m_coreController->m_connectionUiController->openConnection();
+    });
+}
+
+void CoreSignalHandlers::initStrictKillSwitchHandler()
+{
+    connect(m_coreController->m_settingsUiController, &SettingsUiController::strictKillSwitchEnabledChanged, m_coreController->m_connectionController,
+            &ConnectionController::onKillSwitchModeChanged);
+}
+
+void CoreSignalHandlers::initAndroidSettingsHandler()
+{
+#ifdef Q_OS_ANDROID
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::saveLogsChanged, AndroidController::instance(), &AndroidController::setSaveLogs);
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::screenshotsEnabledChanged, AndroidController::instance(), &AndroidController::setScreenshotsEnabled);
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverRemoved, AndroidController::instance(), &AndroidController::resetLastServer);
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::settingsCleared, []() { AndroidController::instance()->resetLastServer(-1); });
+#endif
+}
+
+void CoreSignalHandlers::initAndroidConnectionHandler()
+{
+#ifdef Q_OS_ANDROID
+    connect(AndroidController::instance(), &AndroidController::initConnectionState, this, [this](Vpn::ConnectionState state) {
+        m_coreController->m_connectionUiController->onConnectionStateChanged(state);
+        m_coreController->m_connectionController->restoreConnection();
+    });
+    connect(AndroidController::instance(), &AndroidController::importConfigFromOutside, this, [this](QString data) {
+        emit m_coreController->m_pageController->goToPageHome();
+        m_coreController->m_importController->extractConfigFromData(data);
+        data.clear();
+        emit m_coreController->m_pageController->goToPageViewConfig();
+    });
+#endif
+}
+
+void CoreSignalHandlers::initIosImportHandler()
+{
+#ifdef Q_OS_IOS
+    connect(IosController::Instance(), &IosController::importConfigFromOutside, this, [this](QString data) {
+        emit m_coreController->m_pageController->goToPageHome();
+        m_coreController->m_importController->extractConfigFromData(data);
+        emit m_coreController->m_pageController->goToPageViewConfig();
+    });
+    connect(IosController::Instance(), &IosController::importBackupFromOutside, this, [this](QString filePath) {
+        emit m_coreController->m_pageController->goToPageHome();
+        m_coreController->m_pageController->goToPageSettingsBackup();
+        emit m_coreController->m_settingsUiController->importBackupFromOutside(filePath);
+    });
+#endif
+}
+
+void CoreSignalHandlers::initIosSettingsHandler()
+{
+#ifdef Q_OS_IOS
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::screenshotsEnabledChanged, [](bool enabled) { AmneziaVPN::toggleScreenshots(enabled); });
+#endif
+}
+
+void CoreSignalHandlers::initNotificationHandler()
+{
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+    m_coreController->m_notificationHandler = NotificationHandler::create(m_coreController);
+
+    connect(m_coreController->m_connectionController, &ConnectionController::connectionStateChanged, m_coreController->m_notificationHandler,
+            &NotificationHandler::setConnectionState);
+
+    connect(m_coreController->m_notificationHandler, &NotificationHandler::raiseRequested, m_coreController->m_pageController, &PageController::raiseMainWindow);
+    connect(m_coreController->m_notificationHandler, &NotificationHandler::connectRequested, m_coreController->m_connectionUiController,
+            static_cast<void (ConnectionUiController::*)()>(&ConnectionUiController::openConnection));
+    connect(m_coreController->m_notificationHandler, &NotificationHandler::disconnectRequested, m_coreController->m_connectionUiController,
+            &ConnectionUiController::closeConnection);
+    connect(m_coreController, &CoreController::translationsUpdated, m_coreController->m_notificationHandler, &NotificationHandler::onTranslationsUpdated);
+
+    auto* trayHandler = qobject_cast<SystemTrayNotificationHandler*>(m_coreController->m_notificationHandler);
+    connect(m_coreController, &CoreController::websiteUrlChanged, trayHandler, &SystemTrayNotificationHandler::updateWebsiteUrl);
+#endif    
+}
+
+void CoreSignalHandlers::initUpdateFoundHandler()
+{
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+    connect(m_coreController->m_apiNewsUiController, &ApiNewsUiController::fetchNewsFinished, m_coreController->m_updateUiController,
+            &UpdateUiController::checkForUpdates);
+
+    connect(m_coreController->m_updateUiController, &UpdateUiController::updateFound, this, [this]() {
+        const QString version = m_coreController->m_updateUiController->getVersion();
+        const QString updateId = version.isEmpty() ? QStringLiteral("update") : QStringLiteral("update-%1").arg(version);
+        m_coreController->m_newsModel->setUpdateNotification(
+                updateId, m_coreController->m_updateUiController->getHeaderText(), m_coreController->m_updateUiController->getChangelogText());
+        emit m_coreController->m_pageController->showChangelogDrawer();
+    });
+#endif
+}
+

client/core/controllers/coreSignalHandlers.h

@@ -0,0 +1,49 @@
+#ifndef CORESIGNALHANDLERS_H
+#define CORESIGNALHANDLERS_H
+
+#include <QObject>
+#include "core/controllers/coreController.h"
+
+class CoreSignalHandlers : public QObject
+{
+    Q_OBJECT
+
+public:
+    explicit CoreSignalHandlers(CoreController* coreController, QObject* parent = nullptr);
+
+    void initAllHandlers();
+
+private:
+    void initErrorMessagesHandler();
+    void initSettingsSplitTunnelingHandler();
+    void initInstallControllerHandler();
+    void initExportControllerHandler();
+    void initImportControllerHandler();
+    void initApiCountryModelUpdateHandler();
+    void initSubscriptionRefreshHandler();
+    void initContainerModelUpdateHandler();
+    void initAdminConfigRevokedHandler();
+    void initPassphraseRequestHandler();
+    void initTranslationsUpdatedHandler();
+    void initLanguageHandler();
+    void initAutoConnectHandler();
+    void initAmneziaDnsToggledHandler();
+    void initServersModelUpdateHandler();
+    void initClientManagementModelUpdateHandler();
+    void initSitesModelUpdateHandler();
+    void initAllowedDnsModelUpdateHandler();
+    void initAppSplitTunnelingModelUpdateHandler();
+    void initPrepareConfigHandler();
+    void initStrictKillSwitchHandler();
+    void initAndroidSettingsHandler();
+    void initAndroidConnectionHandler();
+    void initIosImportHandler();
+    void initIosSettingsHandler();
+    void initNotificationHandler();
+    void initUpdateFoundHandler();
+
+    CoreController* m_coreController;
+};
+
+#endif // CORESIGNALHANDLERS_H
+

client/core/controllers/gatewayController.cpp

@@ -1,8 +1,10 @@
 #include "gatewayController.h"
 
 #include <algorithm>
+#include <functional>
 #include <random>
 
+#include <QCryptographicHash>
 #include <QJsonArray>
 #include <QJsonDocument>
 #include <QJsonObject>
@@ -13,32 +15,33 @@
 #include "QBlockCipher.h"
 #include "QRsa.h"
 
-#include "amnezia_application.h"
-#include "core/api/apiUtils.h"
-#include "core/networkUtilities.h"
-#include "utilities.h"
+#include "amneziaApplication.h"
+#include "core/utils/api/apiUtils.h"
+#include "core/utils/constants/apiKeys.h"
+#include "core/utils/networkUtilities.h"
+#include "core/utils/utilities.h"
 
 #ifdef AMNEZIA_DESKTOP
-    #include "core/ipcclient.h"
+    #include "core/utils/ipcClient.h"
 #endif
 
 namespace
 {
-    namespace configKey
-    {
-        constexpr char aesKey[] = "aes_key";
-        constexpr char aesIv[] = "aes_iv";
-        constexpr char aesSalt[] = "aes_salt";
-
-        constexpr char apiPayload[] = "api_payload";
-        constexpr char keyPayload[] = "key_payload";
-    }
-
     constexpr QLatin1String errorResponsePattern1("No active configuration found for");
     constexpr QLatin1String errorResponsePattern2("No non-revoked public key found for");
     constexpr QLatin1String errorResponsePattern3("Account not found.");
 
     constexpr QLatin1String updateRequestResponsePattern("client version update is required");
+
+    constexpr int httpStatusCodeNotFound = 404;
+    constexpr int httpStatusCodeConflict = 409;
+    constexpr int httpStatusCodeNotImplemented = 501;
+    constexpr int httpStatusCodePaymentRequired = 402;
+    constexpr int httpStatusCodeUnprocessableEntity = 422;
+
+    constexpr QLatin1String unprocessableSubscriptionMessage("Failed to retrieve subscription information. Is it activated?");
+
+    constexpr int proxyStorageRequestTimeoutMsecs = 3000;
 }
 
 GatewayController::GatewayController(const QString &gatewayEndpoint, const bool isDevEnvironment, const int requestTimeoutMsecs,
@@ -72,7 +75,11 @@ GatewayController::EncryptedRequestData GatewayController::prepareRequest(const
         QString host = QUrl(encRequestData.request.url()).host();
         QString ip = NetworkUtilities::getIPAddress(host);
         if (!ip.isEmpty()) {
-            IpcClient::Interface()->addKillSwitchAllowedRange(QStringList { ip });
+            IpcClient::withInterface([&](QSharedPointer<IpcInterfaceReplica> iface) {
+                QRemoteObjectPendingReply<bool> reply = iface->addKillSwitchAllowedRange(QStringList { ip });
+                if (!reply.waitForFinished(1000) || !reply.returnValue())
+                    qWarning() << "GatewayController::prepareRequest(): Failed to execute remote addKillSwitchAllowedRange call";
+            });
         }
     }
 #endif
@@ -83,9 +90,9 @@ GatewayController::EncryptedRequestData GatewayController::prepareRequest(const
     encRequestData.salt = blockCipher.generatePrivateSalt(8);
 
     QJsonObject keyPayload;
-    keyPayload[configKey::aesKey] = QString(encRequestData.key.toBase64());
-    keyPayload[configKey::aesIv] = QString(encRequestData.iv.toBase64());
-    keyPayload[configKey::aesSalt] = QString(encRequestData.salt.toBase64());
+    keyPayload[apiDefs::key::aesKey] = QString(encRequestData.key.toBase64());
+    keyPayload[apiDefs::key::aesIv] = QString(encRequestData.iv.toBase64());
+    keyPayload[apiDefs::key::aesSalt] = QString(encRequestData.salt.toBase64());
 
     QByteArray encryptedKeyPayload;
     QByteArray encryptedApiPayload;
@@ -107,7 +114,8 @@ GatewayController::EncryptedRequestData GatewayController::prepareRequest(const
         encryptedKeyPayload = rsa.encrypt(QJsonDocument(keyPayload).toJson(), publicKey, RSA_PKCS1_PADDING);
         EVP_PKEY_free(publicKey);
 
-        encryptedApiPayload = blockCipher.encryptAesBlockCipher(QJsonDocument(apiPayload).toJson(), encRequestData.key, encRequestData.iv, "", encRequestData.salt);
+        encryptedApiPayload = blockCipher.encryptAesBlockCipher(QJsonDocument(apiPayload).toJson(), encRequestData.key, encRequestData.iv,
+                                                                "", encRequestData.salt);
     } catch (...) {
         Utils::logException();
         qCritical() << "error when encrypting the request body";
@@ -116,13 +124,33 @@ GatewayController::EncryptedRequestData GatewayController::prepareRequest(const
     }
 
     QJsonObject requestBody;
-    requestBody[configKey::keyPayload] = QString(encryptedKeyPayload.toBase64());
-    requestBody[configKey::apiPayload] = QString(encryptedApiPayload.toBase64());
+    requestBody[apiDefs::key::keyPayload] = QString(encryptedKeyPayload.toBase64());
+    requestBody[apiDefs::key::apiPayload] = QString(encryptedApiPayload.toBase64());
 
     encRequestData.requestBody = QJsonDocument(requestBody).toJson();
     return encRequestData;
 }
 
+GatewayController::DecryptionResult GatewayController::tryDecryptResponseBody(const QByteArray &encryptedResponseBody,
+                                                                              QNetworkReply::NetworkError replyError, const QByteArray &key,
+                                                                              const QByteArray &iv, const QByteArray &salt)
+{
+    DecryptionResult result;
+    result.decryptedBody = encryptedResponseBody;
+    result.isDecryptionSuccessful = false;
+
+    try {
+        QSimpleCrypto::QBlockCipher blockCipher;
+        result.decryptedBody = blockCipher.decryptAesBlockCipher(encryptedResponseBody, key, iv, "", salt);
+        result.isDecryptionSuccessful = true;
+    } catch (...) {
+        result.decryptedBody = encryptedResponseBody;
+        result.isDecryptionSuccessful = false;
+    }
+
+    return result;
+}
+
 ErrorCode GatewayController::post(const QString &endpoint, const QJsonObject apiPayload, QByteArray &responseBody)
 {
     EncryptedRequestData encRequestData = prepareRequest(endpoint, apiPayload);
@@ -137,7 +165,7 @@ ErrorCode GatewayController::post(const QString &endpoint, const QJsonObject api
 
     QList<QSslError> sslErrors;
     connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
-    wait.exec();
+    wait.exec(QEventLoop::ExcludeUserInputEvents);
 
     QByteArray encryptedResponseBody = reply->readAll();
     QString replyErrorString = reply->errorString();
@@ -146,19 +174,27 @@ ErrorCode GatewayController::post(const QString &endpoint, const QJsonObject api
 
     reply->deleteLater();
 
-    if (sslErrors.isEmpty() && shouldBypassProxy(replyError, encryptedResponseBody, true, encRequestData.key, encRequestData.iv, encRequestData.salt)) {
+    auto decryptionResult =
+            tryDecryptResponseBody(encryptedResponseBody, replyError, encRequestData.key, encRequestData.iv, encRequestData.salt);
+
+    if (sslErrors.isEmpty() && shouldBypassProxy(replyError, decryptionResult.decryptedBody, decryptionResult.isDecryptionSuccessful)) {
         auto requestFunction = [&encRequestData, &encryptedResponseBody](const QString &url) {
             encRequestData.request.setUrl(url);
             return amnApp->networkManager()->post(encRequestData.request, encRequestData.requestBody);
         };
 
         auto replyProcessingFunction = [&encryptedResponseBody, &replyErrorString, &replyError, &httpStatusCode, &sslErrors, &encRequestData,
-                                        this](QNetworkReply *reply, const QList<QSslError> &nestedSslErrors) {
+                                        &decryptionResult, this](QNetworkReply *reply, const QList<QSslError> &nestedSslErrors) {
             encryptedResponseBody = reply->readAll();
             replyErrorString = reply->errorString();
             replyError = reply->error();
             httpStatusCode = reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
-            if (!sslErrors.isEmpty() || shouldBypassProxy(replyError, encryptedResponseBody, true, encRequestData.key, encRequestData.iv, encRequestData.salt)) {
+
+            decryptionResult =
+                    tryDecryptResponseBody(encryptedResponseBody, replyError, encRequestData.key, encRequestData.iv, encRequestData.salt);
+
+            if (!sslErrors.isEmpty()
+                || shouldBypassProxy(replyError, decryptionResult.decryptedBody, decryptionResult.isDecryptionSuccessful)) {
                 sslErrors = nestedSslErrors;
                 return false;
             }
@@ -170,20 +206,19 @@ ErrorCode GatewayController::post(const QString &endpoint, const QJsonObject api
         bypassProxy(endpoint, serviceType, userCountryCode, requestFunction, replyProcessingFunction);
     }
 
-    auto errorCode = apiUtils::checkNetworkReplyErrors(sslErrors, replyErrorString, replyError, httpStatusCode, encryptedResponseBody);
+    auto errorCode =
+            apiUtils::checkNetworkReplyErrors(sslErrors, replyErrorString, replyError, httpStatusCode, decryptionResult.decryptedBody);
     if (errorCode) {
         return errorCode;
     }
 
-    try {
-        QSimpleCrypto::QBlockCipher blockCipher;
-        responseBody = blockCipher.decryptAesBlockCipher(encryptedResponseBody, encRequestData.key, encRequestData.iv, "", encRequestData.salt);
-        return ErrorCode::NoError;
-    } catch (...) { // todo change error handling in QSimpleCrypto?
-        Utils::logException();
+    if (!decryptionResult.isDecryptionSuccessful) {
         qCritical() << "error when decrypting the request body";
         return ErrorCode::ApiConfigDecryptionError;
     }
+
+    responseBody = decryptionResult.decryptedBody;
+    return ErrorCode::NoError;
 }
 
 QFuture<QPair<ErrorCode, QByteArray>> GatewayController::postAsync(const QString &endpoint, const QJsonObject apiPayload)
@@ -202,11 +237,9 @@ QFuture<QPair<ErrorCode, QByteArray>> GatewayController::postAsync(const QString
 
     auto sslErrors = QSharedPointer<QList<QSslError>>::create();
 
-    connect(reply, &QNetworkReply::sslErrors, [sslErrors](const QList<QSslError> &errors) {
-        *sslErrors = errors;
-    });
+    connect(reply, &QNetworkReply::sslErrors, [sslErrors](const QList<QSslError> &errors) { *sslErrors = errors; });
 
-    connect(reply, &QNetworkReply::finished, reply, [=]() {
+    connect(reply, &QNetworkReply::finished, reply, [promise, sslErrors, encRequestData, endpoint, apiPayload, reply, this]() mutable {
         QByteArray encryptedResponseBody = reply->readAll();
         QString replyErrorString = reply->errorString();
         auto replyError = reply->error();
@@ -214,23 +247,81 @@ QFuture<QPair<ErrorCode, QByteArray>> GatewayController::postAsync(const QString
 
         reply->deleteLater();
 
-        auto errorCode = apiUtils::checkNetworkReplyErrors(*sslErrors, replyErrorString, replyError, httpStatusCode, encryptedResponseBody);
-        if (errorCode) {
-            promise->addResult(qMakePair(errorCode, QByteArray()));
-            promise->finish();
-            return;
-        }
+        auto decryptionResult =
+                tryDecryptResponseBody(encryptedResponseBody, replyError, encRequestData.key, encRequestData.iv, encRequestData.salt);
 
-        QSimpleCrypto::QBlockCipher blockCipher;
-        try {
-            QByteArray responseBody = blockCipher.decryptAesBlockCipher(encryptedResponseBody, encRequestData.key, encRequestData.iv, "", encRequestData.salt);
-            promise->addResult(qMakePair(ErrorCode::NoError, responseBody));
-            promise->finish();
-        } catch (...) {
-            Utils::logException();
-            qCritical() << "error when decrypting the request body";
-            promise->addResult(qMakePair(ErrorCode::ApiConfigDecryptionError, QByteArray()));
+        auto processResponse = [promise, encRequestData](const GatewayController::DecryptionResult &decryptionResult,
+                                                         const QList<QSslError> &sslErrors, QNetworkReply::NetworkError replyError,
+                                                         const QString &replyErrorString, int httpStatusCode) {
+            auto errorCode = apiUtils::checkNetworkReplyErrors(sslErrors, replyErrorString, replyError, httpStatusCode,
+                                                               decryptionResult.decryptedBody);
+            if (errorCode) {
+                promise->addResult(qMakePair(errorCode, QByteArray()));
+                promise->finish();
+                return;
+            }
+
+            if (!decryptionResult.isDecryptionSuccessful) {
+                Utils::logException();
+                qCritical() << "error when decrypting the request body";
+                promise->addResult(qMakePair(ErrorCode::ApiConfigDecryptionError, QByteArray()));
+                promise->finish();
+                return;
+            }
+
+            promise->addResult(qMakePair(ErrorCode::NoError, decryptionResult.decryptedBody));
             promise->finish();
+        };
+
+        if (sslErrors->isEmpty() && shouldBypassProxy(replyError, decryptionResult.decryptedBody, decryptionResult.isDecryptionSuccessful)) {
+            auto serviceType = apiPayload.value(apiDefs::key::serviceType).toString("");
+            auto userCountryCode = apiPayload.value(apiDefs::key::userCountryCode).toString("");
+
+            QStringList primaryBaseUrls;
+            QStringList fallbackBaseUrls;
+            if (m_isDevEnvironment) {
+                primaryBaseUrls = QString(DEV_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
+            } else {
+                primaryBaseUrls = QString(PROD_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
+                fallbackBaseUrls = QString(FALLBACK_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
+            }
+            std::random_device randomDevice;
+            std::mt19937 generator(randomDevice());
+            std::shuffle(primaryBaseUrls.begin(), primaryBaseUrls.end(), generator);
+            std::shuffle(fallbackBaseUrls.begin(), fallbackBaseUrls.end(), generator);
+
+            auto appendStorageUrls = [&serviceType, &userCountryCode](const QStringList &baseUrls, QStringList &target) {
+                if (!serviceType.isEmpty()) {
+                    for (const auto &baseUrl : baseUrls) {
+                        QByteArray path = ("endpoints-" + serviceType + "-" + userCountryCode).toUtf8();
+                        target.push_back(baseUrl + path.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals) + ".json");
+                    }
+                }
+                for (const auto &baseUrl : baseUrls) {
+                    target.push_back(baseUrl + "endpoints.json");
+                }
+            };
+
+            QStringList proxyStorageUrls;
+            appendStorageUrls(primaryBaseUrls, proxyStorageUrls);
+            appendStorageUrls(fallbackBaseUrls, proxyStorageUrls);
+
+            getProxyUrlsAsync(proxyStorageUrls, 0, [this, encRequestData, endpoint, processResponse](const QStringList &proxyUrls) {
+                getProxyUrlAsync(proxyUrls, 0, [this, encRequestData, endpoint, processResponse](const QString &proxyUrl) {
+                    bypassProxyAsync(endpoint, proxyUrl, encRequestData,
+                                     [processResponse, this](const QByteArray &decryptedBody, bool isDecryptionSuccessful,
+                                                             const QList<QSslError> &sslErrors, QNetworkReply::NetworkError replyError,
+                                                             const QString &replyErrorString, int httpStatusCode) {
+                                         GatewayController::DecryptionResult result;
+                                         result.decryptedBody = decryptedBody;
+                                         result.isDecryptionSuccessful = isDecryptionSuccessful;
+                                         processResponse(result, sslErrors, replyError, replyErrorString, httpStatusCode);
+                                     });
+                });
+            });
+
+        } else {
+            processResponse(decryptionResult, *sslErrors, replyError, replyErrorString, httpStatusCode);
         }
     });
 
@@ -240,31 +331,48 @@ QFuture<QPair<ErrorCode, QByteArray>> GatewayController::postAsync(const QString
 QStringList GatewayController::getProxyUrls(const QString &serviceType, const QString &userCountryCode)
 {
     QNetworkRequest request;
-    request.setTransferTimeout(m_requestTimeoutMsecs);
+    request.setTransferTimeout(proxyStorageRequestTimeoutMsecs);
     request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
 
     QEventLoop wait;
     QList<QSslError> sslErrors;
     QNetworkReply *reply;
 
-    QStringList baseUrls;
+    QStringList primaryBaseUrls;
+    QStringList fallbackBaseUrls;
     if (m_isDevEnvironment) {
-        baseUrls = QString(DEV_S3_ENDPOINT).split(", ");
+        primaryBaseUrls = QString(DEV_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
     } else {
-        baseUrls = QString(PROD_S3_ENDPOINT).split(", ");
+        primaryBaseUrls = QString(PROD_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
+        fallbackBaseUrls = QString(FALLBACK_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
     }
 
+    std::random_device randomDevice;
+    std::mt19937 generator(randomDevice());
+    std::shuffle(primaryBaseUrls.begin(), primaryBaseUrls.end(), generator);
+    std::shuffle(fallbackBaseUrls.begin(), fallbackBaseUrls.end(), generator);
+
     QByteArray key = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
 
-    QStringList proxyStorageUrls;
-    if (!serviceType.isEmpty()) {
-        for (const auto &baseUrl : baseUrls) {
-            QByteArray path = ("endpoints-" + serviceType + "-" + userCountryCode).toUtf8();
-            proxyStorageUrls.push_back(baseUrl + path.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals) + ".json");
+    auto appendStorageUrls = [&serviceType, &userCountryCode](const QStringList &baseUrls, QStringList &target) {
+        if (!serviceType.isEmpty()) {
+            for (const auto &baseUrl : baseUrls) {
+                QByteArray path = ("endpoints-" + serviceType + "-" + userCountryCode).toUtf8();
+                target.push_back(baseUrl + path.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals) + ".json");
+            }
         }
-    }
-    for (const auto &baseUrl : baseUrls) {
-        proxyStorageUrls.push_back(baseUrl + "endpoints.json");
+        for (const auto &baseUrl : baseUrls) {
+            target.push_back(baseUrl + "endpoints.json");
+        }
+    };
+
+    QStringList proxyStorageUrls;
+    appendStorageUrls(primaryBaseUrls, proxyStorageUrls);
+    appendStorageUrls(fallbackBaseUrls, proxyStorageUrls);
+
+    if (proxyStorageUrls.empty()) {
+        qDebug() << "empty storage endpoint list";
+        return {};
     }
 
     for (const auto &proxyStorageUrl : proxyStorageUrls) {
@@ -273,7 +381,7 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
 
         connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
         connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
-        wait.exec();
+        wait.exec(QEventLoop::ExcludeUserInputEvents);
 
         if (reply->error() == QNetworkReply::NetworkError::NoError) {
             auto encryptedResponseBody = reply->readAll();
@@ -323,17 +431,35 @@ QStringList GatewayController::getProxyUrls(const QString &serviceType, const QS
     return {};
 }
 
-bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &replyError, const QByteArray &responseBody,
-                                          bool checkEncryption, const QByteArray &key, const QByteArray &iv, const QByteArray &salt)
+bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &replyError, const QByteArray &decryptedResponseBody,
+                                          bool isDecryptionSuccessful)
 {
+    const QByteArray &responseBody = decryptedResponseBody;
+
+    int apiHttpStatus = -1;
+    QString apiErrorMessage;
+    if (isDecryptionSuccessful) {
+        QJsonDocument jsonDoc = QJsonDocument::fromJson(responseBody);
+        if (jsonDoc.isObject()) {
+            QJsonObject jsonObj = jsonDoc.object();
+            apiHttpStatus = jsonObj.value("http_status").toInt(-1);
+            apiErrorMessage = jsonObj.value(QStringLiteral("message")).toString().trimmed();
+        }
+    } else {
+        qDebug() << "failed to decrypt the data";
+        return true;
+    }
+
     if (replyError == QNetworkReply::NetworkError::OperationCanceledError || replyError == QNetworkReply::NetworkError::TimeoutError) {
         qDebug() << "timeout occurred";
         qDebug() << replyError;
         return true;
-    } else if (responseBody.contains("html")) {
+    } 
+    if (responseBody.contains("html")) {
         qDebug() << "the response contains an html tag";
         return true;
-    } else if (replyError == QNetworkReply::NetworkError::ContentNotFoundError) {
+    } 
+    if (apiHttpStatus == httpStatusCodeNotFound) {
         if (responseBody.contains(errorResponsePattern1) || responseBody.contains(errorResponsePattern2)
             || responseBody.contains(errorResponsePattern3)) {
             return false;
@@ -341,24 +467,27 @@ bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &rep
             qDebug() << replyError;
             return true;
         }
-    } else if (replyError == QNetworkReply::NetworkError::OperationNotImplementedError) {
+    } 
+    if (apiHttpStatus == httpStatusCodeNotImplemented) {
         if (responseBody.contains(updateRequestResponsePattern)) {
             return false;
         } else {
             qDebug() << replyError;
             return true;
         }
-    } else if (replyError != QNetworkReply::NetworkError::NoError) {
+    } 
+    if (apiHttpStatus == httpStatusCodeConflict) {
+        return false;
+    } 
+    if (apiHttpStatus == httpStatusCodePaymentRequired) {
+        return false;
+    } 
+    if (apiHttpStatus == httpStatusCodeUnprocessableEntity) {
+        return apiErrorMessage != unprocessableSubscriptionMessage;
+    } 
+    if (replyError != QNetworkReply::NetworkError::NoError) {
         qDebug() << replyError;
         return true;
-    } else if (checkEncryption) {
-        try {
-            QSimpleCrypto::QBlockCipher blockCipher;
-            static_cast<void>(blockCipher.decryptAesBlockCipher(responseBody, key, iv, "", salt));
-        } catch (...) {
-            qDebug() << "failed to decrypt the data";
-            return true;
-        }
     }
     return false;
 }
@@ -385,7 +514,7 @@ void GatewayController::bypassProxy(const QString &endpoint, const QString &serv
 
         QObject::connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
         connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
-        wait.exec();
+        wait.exec(QEventLoop::ExcludeUserInputEvents);
 
         auto result = replyProcessingFunction(reply, sslErrors);
         reply->deleteLater();
@@ -407,7 +536,7 @@ void GatewayController::bypassProxy(const QString &endpoint, const QString &serv
 
             connect(reply, &QNetworkReply::finished, &wait, &QEventLoop::quit);
             connect(reply, &QNetworkReply::sslErrors, [this, &sslErrors](const QList<QSslError> &errors) { sslErrors = errors; });
-            wait.exec();
+            wait.exec(QEventLoop::ExcludeUserInputEvents);
 
             if (reply->error() == QNetworkReply::NetworkError::NoError) {
                 reply->deleteLater();
@@ -435,3 +564,139 @@ void GatewayController::bypassProxy(const QString &endpoint, const QString &serv
         }
     }
 }
+
+void GatewayController::getProxyUrlsAsync(const QStringList proxyStorageUrls, const int currentProxyStorageIndex,
+                                          std::function<void(const QStringList &)> onComplete)
+{
+    if (currentProxyStorageIndex >= proxyStorageUrls.size()) {
+        onComplete({});
+        return;
+    }
+
+    QNetworkRequest request;
+    request.setTransferTimeout(proxyStorageRequestTimeoutMsecs);
+    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
+    request.setUrl(proxyStorageUrls[currentProxyStorageIndex]);
+
+    QNetworkReply *reply = amnApp->networkManager()->get(request);
+
+    // connect(reply, &QNetworkReply::sslErrors, this, [state](const QList<QSslError> &e) { *(state->sslErrors) = e; });
+
+    connect(reply, &QNetworkReply::finished, this, [this, proxyStorageUrls, currentProxyStorageIndex, onComplete, reply]() {
+        if (reply->error() == QNetworkReply::NoError) {
+            QByteArray encrypted = reply->readAll();
+            reply->deleteLater();
+
+            QByteArray responseBody;
+            try {
+                QByteArray key = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;
+                if (!m_isDevEnvironment) {
+                    QCryptographicHash hash(QCryptographicHash::Sha512);
+                    hash.addData(key);
+                    QByteArray h = hash.result().toHex();
+
+                    QByteArray decKey = QByteArray::fromHex(h.left(64));
+                    QByteArray iv = QByteArray::fromHex(h.mid(64, 32));
+                    QByteArray ba = QByteArray::fromBase64(encrypted);
+
+                    QSimpleCrypto::QBlockCipher cipher;
+                    responseBody = cipher.decryptAesBlockCipher(ba, decKey, iv);
+                } else {
+                    responseBody = encrypted;
+                }
+            } catch (...) {
+                Utils::logException();
+                qCritical() << "error decrypting payload";
+                QMetaObject::invokeMethod(
+                        this, [=]() { getProxyUrlsAsync(proxyStorageUrls, currentProxyStorageIndex + 1, onComplete); }, Qt::QueuedConnection);
+                return;
+            }
+
+            QJsonArray endpointsArray = QJsonDocument::fromJson(responseBody).array();
+            QStringList endpoints;
+            for (const QJsonValue &endpoint : endpointsArray)
+                endpoints.push_back(endpoint.toString());
+
+            QStringList shuffled = endpoints;
+            std::random_device randomDevice;
+            std::mt19937 generator(randomDevice());
+            std::shuffle(shuffled.begin(), shuffled.end(), generator);
+
+            onComplete(shuffled);
+            return;
+        }
+
+        int httpStatusCode = reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
+        qDebug() << httpStatusCode;
+        qDebug() << "go to the next storage endpoint";
+        reply->deleteLater();
+        QMetaObject::invokeMethod(
+                this, [=]() { getProxyUrlsAsync(proxyStorageUrls, currentProxyStorageIndex + 1, onComplete); }, Qt::QueuedConnection);
+    });
+}
+
+void GatewayController::getProxyUrlAsync(const QStringList proxyUrls, const int currentProxyIndex,
+                                         std::function<void(const QString &)> onComplete)
+{
+    if (currentProxyIndex >= proxyUrls.size()) {
+        onComplete("");
+        return;
+    }
+
+    QNetworkRequest request;
+    request.setTransferTimeout(1000);
+    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
+    request.setUrl(proxyUrls[currentProxyIndex] + "lmbd-health");
+
+    QNetworkReply *reply = amnApp->networkManager()->get(request);
+
+    // connect(reply, &QNetworkReply::sslErrors, this, [state](const QList<QSslError> &e) {
+    //     *(state->sslErrors) = e;
+    // });
+
+    connect(reply, &QNetworkReply::finished, this, [this, proxyUrls, currentProxyIndex, onComplete, reply]() {
+        reply->deleteLater();
+
+        if (reply->error() == QNetworkReply::NoError) {
+            m_proxyUrl = proxyUrls[currentProxyIndex];
+            onComplete(m_proxyUrl);
+            return;
+        }
+
+        qDebug() << "go to the next proxy endpoint";
+        QMetaObject::invokeMethod(this, [=]() { getProxyUrlAsync(proxyUrls, currentProxyIndex + 1, onComplete); }, Qt::QueuedConnection);
+    });
+}
+
+void GatewayController::bypassProxyAsync(
+        const QString &endpoint, const QString &proxyUrl, EncryptedRequestData encRequestData,
+        std::function<void(const QByteArray &, bool, const QList<QSslError> &, QNetworkReply::NetworkError, const QString &, int)> onComplete)
+{
+    auto sslErrors = QSharedPointer<QList<QSslError>>::create();
+    if (proxyUrl.isEmpty()) {
+        onComplete(QByteArray(), false, *sslErrors, QNetworkReply::InternalServerError, "empty proxy url", 0);
+        return;
+    }
+
+    QNetworkRequest request = encRequestData.request;
+    request.setUrl(endpoint.arg(proxyUrl));
+
+    QNetworkReply *reply = amnApp->networkManager()->post(request, encRequestData.requestBody);
+
+    connect(reply, &QNetworkReply::sslErrors, this, [sslErrors](const QList<QSslError> &errors) { *sslErrors = errors; });
+
+    connect(reply, &QNetworkReply::finished, this, [sslErrors, onComplete, encRequestData, reply, this]() {
+        QByteArray encryptedResponseBody = reply->readAll();
+        QString replyErrorString = reply->errorString();
+        auto replyError = reply->error();
+        int httpStatusCode = reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
+
+        reply->deleteLater();
+
+        auto decryptionResult =
+                tryDecryptResponseBody(encryptedResponseBody, replyError, encRequestData.key, encRequestData.iv, encRequestData.salt);
+
+        onComplete(decryptionResult.decryptedBody, decryptionResult.isDecryptionSuccessful, *sslErrors, replyError, replyErrorString,
+                   httpStatusCode);
+    });
+}

client/core/controllers/gatewayController.h

@@ -5,8 +5,12 @@
 #include <QNetworkReply>
 #include <QObject>
 #include <QPair>
+#include <QPromise>
+#include <QSharedPointer>
 
-#include "core/defs.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
 
 #ifdef Q_OS_IOS
     #include "platforms/ios/ios_controller.h"
@@ -24,7 +28,8 @@ public:
     QFuture<QPair<amnezia::ErrorCode, QByteArray>> postAsync(const QString &endpoint, const QJsonObject apiPayload);
 
 private:
-    struct EncryptedRequestData {
+    struct EncryptedRequestData
+    {
         QNetworkRequest request;
         QByteArray requestBody;
         QByteArray key;
@@ -33,15 +38,29 @@ private:
         amnezia::ErrorCode errorCode;
     };
 
+    struct DecryptionResult
+    {
+        QByteArray decryptedBody;
+        bool isDecryptionSuccessful;
+    };
+
     EncryptedRequestData prepareRequest(const QString &endpoint, const QJsonObject &apiPayload);
-    
+    DecryptionResult tryDecryptResponseBody(const QByteArray &encryptedResponseBody, QNetworkReply::NetworkError replyError,
+                                            const QByteArray &key, const QByteArray &iv, const QByteArray &salt);
+
     QStringList getProxyUrls(const QString &serviceType, const QString &userCountryCode);
-    bool shouldBypassProxy(const QNetworkReply::NetworkError &replyError, const QByteArray &responseBody, bool checkEncryption,
-                           const QByteArray &key = "", const QByteArray &iv = "", const QByteArray &salt = "");
+    bool shouldBypassProxy(const QNetworkReply::NetworkError &replyError, const QByteArray &decryptedResponseBody, bool isDecryptionSuccessful);
     void bypassProxy(const QString &endpoint, const QString &serviceType, const QString &userCountryCode,
                      std::function<QNetworkReply *(const QString &url)> requestFunction,
                      std::function<bool(QNetworkReply *reply, const QList<QSslError> &sslErrors)> replyProcessingFunction);
 
+    void getProxyUrlsAsync(const QStringList proxyStorageUrls, const int currentProxyStorageIndex,
+                           std::function<void(const QStringList &)> onComplete);
+    void getProxyUrlAsync(const QStringList proxyUrls, const int currentProxyIndex, std::function<void(const QString &)> onComplete);
+    void bypassProxyAsync(
+            const QString &endpoint, const QString &proxyUrl, EncryptedRequestData encRequestData,
+            std::function<void(const QByteArray &, bool, const QList<QSslError> &, QNetworkReply::NetworkError, const QString &, int)> onComplete);
+
     int m_requestTimeoutMsecs;
     QString m_gatewayEndpoint;
     bool m_isDevEnvironment = false;

client/core/controllers/ipSplitTunnelingController.cpp

@@ -0,0 +1,245 @@
+#include "ipSplitTunnelingController.h"
+#include "core/utils/networkUtilities.h"
+#include <QJsonObject>
+
+IpSplitTunnelingController::IpSplitTunnelingController(SecureAppSettingsRepository* appSettingsRepository, QObject* parent)
+    : QObject(parent),
+      m_appSettingsRepository(appSettingsRepository)
+{
+    m_currentRouteMode = m_appSettingsRepository->routeMode();
+    if (m_currentRouteMode == RouteMode::VpnAllSites) { // for old split tunneling configs
+        m_appSettingsRepository->setRouteMode(RouteMode::VpnOnlyForwardSites);
+        m_currentRouteMode = RouteMode::VpnOnlyForwardSites;
+    }
+    fillSites();
+}
+
+bool IpSplitTunnelingController::addSiteInternal(const QString &hostname, const QString &ip)
+{
+    QVariantMap existing = m_appSettingsRepository->vpnSites(m_currentRouteMode);
+    if (existing.contains(hostname) && ip.isEmpty()) {
+        return false;
+    }
+
+    for (int i = 0; i < m_sites.size(); i++) {
+        if (m_sites[i].first == hostname && (m_sites[i].second.isEmpty() && !ip.isEmpty())) {
+            m_sites[i].second = ip;
+            m_appSettingsRepository->addVpnSite(m_currentRouteMode, hostname, ip);
+            return true;
+        } else if (m_sites[i].first == hostname && (m_sites[i].second == ip)) {
+            return false;
+        }
+    }
+    m_sites.append(qMakePair(hostname, ip));
+    m_appSettingsRepository->addVpnSite(m_currentRouteMode, hostname, ip);
+    return true;
+}
+
+void IpSplitTunnelingController::addSites(const QMap<QString, QString> &sites, bool replaceExisting)
+{
+    if (replaceExisting) {
+        m_sites.clear();
+    }
+    for (auto it = sites.constBegin(); it != sites.constEnd(); ++it) {
+        const QString &hostname = it.key();
+        const QString &ip = it.value();
+        bool found = false;
+        for (int i = 0; i < m_sites.size(); i++) {
+            if (m_sites[i].first == hostname) {
+                if (!ip.isEmpty()) {
+                    m_sites[i].second = ip;
+                }
+                found = true;
+                break;
+            }
+        }
+        if (!found) {
+            m_sites.append(qMakePair(hostname, ip));
+        }
+    }
+    if (replaceExisting) {
+        m_appSettingsRepository->removeAllVpnSites(m_currentRouteMode);
+    }
+    m_appSettingsRepository->addVpnSites(m_currentRouteMode, sites);
+}
+
+bool IpSplitTunnelingController::addSite(const QString &hostname)
+{
+    QString normalizedHostname = normalizeHostname(hostname);
+    
+    if (!validateHostname(normalizedHostname)) {
+        return false;
+    }
+    
+    if (NetworkUtilities::ipAddressWithSubnetRegExp().exactMatch(normalizedHostname)) {
+        processSite(normalizedHostname, "");
+        return true;
+    }
+    
+    if (addSiteInternal(normalizedHostname, "")) {
+        QHostInfo::lookupHost(normalizedHostname, this, SLOT(onHostResolved(QHostInfo)));
+        return true;
+    }
+    
+    return false;
+}
+
+bool IpSplitTunnelingController::removeSite(const QString &hostname)
+{
+    for (int i = 0; i < m_sites.size(); i++) {
+        if (m_sites[i].first == hostname) {
+            m_sites.removeAt(i);
+            m_appSettingsRepository->removeVpnSite(m_currentRouteMode, hostname);
+            return true;
+        }
+    }
+    return false;
+}
+
+void IpSplitTunnelingController::removeSites()
+{
+    m_sites.clear();
+    m_appSettingsRepository->removeAllVpnSites(m_currentRouteMode);
+}
+
+void IpSplitTunnelingController::setRouteMode(RouteMode routeMode)
+{
+    m_currentRouteMode = routeMode;
+    fillSites();
+    m_appSettingsRepository->setRouteMode(routeMode);
+}
+
+void IpSplitTunnelingController::toggleSplitTunneling(bool enabled)
+{
+    m_appSettingsRepository->setSitesSplitTunnelingEnabled(enabled);
+}
+
+RouteMode IpSplitTunnelingController::getRouteMode() const
+{
+    return m_currentRouteMode;
+}
+
+bool IpSplitTunnelingController::isSplitTunnelingEnabled() const
+{
+    return m_appSettingsRepository->isSitesSplitTunnelingEnabled();
+}
+
+QVector<QPair<QString, QString>> IpSplitTunnelingController::getCurrentSites() const
+{
+    return m_sites;
+}
+
+void IpSplitTunnelingController::fillSites()
+{
+    QVariantMap sitesMap = m_appSettingsRepository->vpnSites(m_currentRouteMode);
+    m_sites.clear();
+    for (auto it = sitesMap.begin(); it != sitesMap.end(); ++it) {
+        m_sites.append(qMakePair(it.key(), it.value().toString()));
+    }
+}
+
+QString IpSplitTunnelingController::normalizeHostname(const QString &hostname) const
+{
+    QString normalized = hostname;
+    normalized.replace("https://", "");
+    normalized.replace("http://", "");
+    normalized.replace("ftp://", "");
+    normalized = normalized.split("/", Qt::SkipEmptyParts).first();
+    return normalized;
+}
+
+bool IpSplitTunnelingController::validateHostname(const QString &hostname) const
+{
+    if (hostname.isEmpty()) {
+        return false;
+    }
+    if (!hostname.contains(".") && !NetworkUtilities::ipAddressWithSubnetRegExp().exactMatch(hostname)) {
+        return false;
+    }
+    return true;
+}
+
+
+void IpSplitTunnelingController::onHostResolved(const QHostInfo &hostInfo)
+{
+    const QList<QHostAddress> &addresses = hostInfo.addresses();
+    QString hostname = hostInfo.hostName();
+    
+    for (const QHostAddress &addr : addresses) {
+        if (addr.protocol() == QAbstractSocket::NetworkLayerProtocol::IPv4Protocol) {
+            processSiteAfterResolve(hostname, addr.toString());
+            break;
+        }
+    }
+}
+
+void IpSplitTunnelingController::processSiteAfterResolve(const QString &hostname, const QString &ip)
+{
+    for (int i = 0; i < m_sites.size(); i++) {
+        if (m_sites[i].first == hostname && m_sites[i].second.isEmpty()) {
+            m_sites[i].second = ip;
+            m_appSettingsRepository->addVpnSite(m_currentRouteMode, hostname, ip);
+            break;
+        }
+    }
+}
+
+void IpSplitTunnelingController::processSite(const QString &hostname, const QString &ip)
+{
+    addSiteInternal(hostname, ip);
+}
+
+bool IpSplitTunnelingController::importSitesFromJson(const QByteArray& jsonData, bool replaceExisting, QString &errorMessage)
+{
+    QJsonParseError parseError;
+    QJsonDocument jsonDocument = QJsonDocument::fromJson(jsonData, &parseError);
+    
+    if (parseError.error != QJsonParseError::NoError) {
+        errorMessage = tr("Failed to parse JSON data: %1").arg(parseError.errorString());
+        return false;
+    }
+    
+    if (!jsonDocument.isArray()) {
+        errorMessage = tr("The JSON data is not an array");
+        return false;
+    }
+    
+    QJsonArray jsonArray = jsonDocument.array();
+    QMap<QString, QString> sites;
+    
+    for (auto jsonValue : jsonArray) {
+        QJsonObject jsonObject = jsonValue.toObject();
+        QString hostname = jsonObject.value("hostname").toString("");
+        QString ip = jsonObject.value("ip").toString("");
+        
+        QString normalizedHostname = normalizeHostname(hostname);
+        
+        if (!validateHostname(normalizedHostname)) {
+            qDebug() << normalizedHostname << " not look like ip adress or domain name";
+            continue;
+        }
+        
+        sites.insert(normalizedHostname, ip);
+    }
+    
+    addSites(sites, replaceExisting);
+    
+    return true;
+}
+
+QByteArray IpSplitTunnelingController::exportSitesToJson() const
+{
+    QVector<QPair<QString, QString>> sites = getCurrentSites();
+    QJsonArray jsonArray;
+    
+    for (const auto &site : sites) {
+        QJsonObject jsonObject;
+        jsonObject["hostname"] = site.first;
+        jsonObject["ip"] = site.second;
+        jsonArray.append(jsonObject);
+    }
+    
+    QJsonDocument jsonDocument(jsonArray);
+    return jsonDocument.toJson();
+}
+

client/core/controllers/ipSplitTunnelingController.h

@@ -0,0 +1,58 @@
+#ifndef IPSPLITTUNNELINGCONTROLLER_H
+#define IPSPLITTUNNELINGCONTROLLER_H
+
+#include <QObject>
+#include <QVector>
+#include <QMap>
+#include <QPair>
+#include <QStringList>
+#include <QJsonDocument>
+#include <QJsonArray>
+#include <QHostInfo>
+
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+using namespace amnezia;
+
+class IpSplitTunnelingController : public QObject
+{
+    Q_OBJECT
+
+public:
+    explicit IpSplitTunnelingController(SecureAppSettingsRepository* appSettingsRepository, QObject* parent = nullptr);
+
+    bool addSite(const QString &hostname);
+    void addSites(const QMap<QString, QString> &sites, bool replaceExisting);
+    bool removeSite(const QString &hostname);
+    void removeSites();
+    void setRouteMode(RouteMode routeMode);
+    void toggleSplitTunneling(bool enabled);
+
+    RouteMode getRouteMode() const;
+    bool isSplitTunnelingEnabled() const;
+    QVector<QPair<QString, QString>> getCurrentSites() const;
+
+    bool importSitesFromJson(const QByteArray& jsonData, bool replaceExisting, QString &errorMessage);
+    QByteArray exportSitesToJson() const;
+
+private slots:
+    void onHostResolved(const QHostInfo &hostInfo);
+
+private:
+    void fillSites();
+    bool addSiteInternal(const QString &hostname, const QString &ip);
+    QString normalizeHostname(const QString &hostname) const;
+    bool validateHostname(const QString &hostname) const;
+    void processSiteAfterResolve(const QString &hostname, const QString &ip);
+    void processSite(const QString &hostname, const QString &ip);
+
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    RouteMode m_currentRouteMode;
+    QVector<QPair<QString, QString>> m_sites;
+};
+
+#endif // IPSPLITTUNNELINGCONTROLLER_H
+

client/core/controllers/selfhosted/exportController.cpp

@@ -0,0 +1,337 @@
+#include "exportController.h"
+
+#include <QJsonArray>
+#include <QJsonDocument>
+
+#include "core/configurators/configuratorBase.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/networkUtilities.h"
+#include "core/utils/qrCodeUtils.h"
+#include "core/utils/serialization/serialization.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/models/serverConfig.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocolConfig.h"
+
+using namespace amnezia;
+
+ExportController::ExportController(SecureServersRepository* serversRepository,
+                                   SecureAppSettingsRepository* appSettingsRepository,
+                                   QObject *parent)
+    : QObject(parent),
+      m_serversRepository(serversRepository),
+      m_appSettingsRepository(appSettingsRepository)
+{
+}
+
+ExportController::ExportResult ExportController::generateFullAccessConfig(int serverIndex)
+{
+    ExportResult result;
+
+    ServerConfig serverConfig = m_serversRepository->server(serverIndex);
+    serverConfig.visit([](auto& arg) {
+        for (auto it = arg.containers.begin(); it != arg.containers.end(); ++it) {
+            it.value().protocolConfig.clearClientConfig();
+        }
+    });
+
+    QJsonObject serverJson = serverConfig.toJson();
+    QByteArray compressedConfig = QJsonDocument(serverJson).toJson();
+    compressedConfig = qCompress(compressedConfig, 8);
+    result.config = generateVpnUrl(compressedConfig);
+    result.qrCodes = generateQrCodesFromConfig(compressedConfig);
+
+    return result;
+}
+
+ExportController::ExportResult ExportController::generateConnectionConfig(int serverIndex, int containerIndex, const QString &clientName)
+{
+    ExportResult result;
+
+    DockerContainer container = static_cast<DockerContainer>(containerIndex);
+    ServerCredentials credentials = m_serversRepository->serverCredentials(serverIndex);
+    ContainerConfig containerConfig = m_serversRepository->containerConfig(serverIndex, container);
+
+    if (ContainerUtils::containerService(container) != ServiceType::Other) {
+        SshSession sshSession;
+        Proto protocol = ContainerUtils::defaultProtocol(container);
+
+        DnsSettings dnsSettings = {
+            m_appSettingsRepository->primaryDns(),
+            m_appSettingsRepository->secondaryDns()
+        };
+
+        auto configurator = ConfiguratorBase::create(protocol, &sshSession);
+        ProtocolConfig newProtocolConfig = configurator->createConfig(credentials, container, containerConfig, dnsSettings, result.errorCode);
+        if (result.errorCode != ErrorCode::NoError) {
+            return result;
+        }
+
+        containerConfig.protocolConfig = newProtocolConfig;
+        
+        QString clientId = newProtocolConfig.clientId();
+        if (!clientId.isEmpty()) {
+            emit appendClientRequested(serverIndex, clientId, clientName, container);
+        }
+    }
+
+    ServerConfig serverConfig = m_serversRepository->server(serverIndex);
+    serverConfig.visit([container, containerConfig](auto& arg) {
+        arg.containers.clear();
+        arg.containers[container] = containerConfig;
+        arg.defaultContainer = container;
+    });
+
+    if (serverConfig.isSelfHosted()) {
+        SelfHostedServerConfig* selfHosted = serverConfig.as<SelfHostedServerConfig>();
+        if (selfHosted) {
+            selfHosted->userName.reset();
+            selfHosted->password.reset();
+            selfHosted->port.reset();
+        }
+    }
+
+    auto dns = serverConfig.getDnsPair(m_appSettingsRepository->useAmneziaDns(),
+                                       m_appSettingsRepository->primaryDns(),
+                                       m_appSettingsRepository->secondaryDns());
+    serverConfig.visit([&dns](auto& arg) {
+        arg.dns1 = dns.first;
+        arg.dns2 = dns.second;
+    });
+
+    QJsonObject serverJson = serverConfig.toJson();
+    QByteArray compressedConfig = QJsonDocument(serverJson).toJson();
+    compressedConfig = qCompress(compressedConfig, 8);
+    result.config = generateVpnUrl(compressedConfig);
+    result.qrCodes = generateQrCodesFromConfig(compressedConfig);
+
+    return result;
+}
+
+ExportController::NativeConfigResult ExportController::generateNativeConfig(int serverIndex, DockerContainer container,
+                                                                             const ContainerConfig &containerConfig,
+                                                                             const QString &clientName)
+{
+    NativeConfigResult result;
+
+    if (ContainerUtils::containerService(container) == ServiceType::Other) {
+        return result;
+    }
+
+    Proto protocol = ContainerUtils::defaultProtocol(container);
+
+    ServerCredentials credentials = m_serversRepository->serverCredentials(serverIndex);
+    ServerConfig serverConfig = m_serversRepository->server(serverIndex);
+    auto dns = serverConfig.getDnsPair(m_appSettingsRepository->useAmneziaDns(),
+                                       m_appSettingsRepository->primaryDns(),
+                                       m_appSettingsRepository->secondaryDns());
+
+    ContainerConfig modifiedContainerConfig = containerConfig;
+    modifiedContainerConfig.container = container;
+
+    DnsSettings dnsSettings = {
+        m_appSettingsRepository->primaryDns(),
+        m_appSettingsRepository->secondaryDns()
+    };
+
+    SshSession sshSession;
+    auto configurator = ConfiguratorBase::create(protocol, &sshSession);
+
+    ProtocolConfig newProtocolConfig = configurator->createConfig(credentials, container, modifiedContainerConfig, dnsSettings, result.errorCode);
+    if (result.errorCode != ErrorCode::NoError) {
+        return result;
+    }
+
+    ExportSettings exportSettings = { { dns.first, dns.second } };
+    ProtocolConfig processedConfig = configurator->processConfigWithExportSettings(exportSettings, newProtocolConfig);
+
+    if (protocol == Proto::OpenVpn || protocol == Proto::WireGuard || protocol == Proto::Awg) {
+        result.jsonNativeConfig[configKey::config] = processedConfig.nativeConfig();
+    } else {
+        result.jsonNativeConfig = QJsonDocument::fromJson(processedConfig.nativeConfig().toUtf8()).object();
+    }
+
+    if (protocol == Proto::OpenVpn || protocol == Proto::WireGuard || protocol == Proto::Awg || protocol == Proto::Xray) {
+        QString clientId = newProtocolConfig.clientId();
+        if (!clientId.isEmpty()) {
+            emit appendClientRequested(serverIndex, clientId, clientName, container);
+        }
+    }
+    return result;
+}
+
+ExportController::ExportResult ExportController::generateOpenVpnConfig(int serverIndex, const QString &clientName)
+{
+    ExportResult result;
+
+    DockerContainer container = DockerContainer::OpenVpn;
+    ContainerConfig containerConfig = m_serversRepository->containerConfig(serverIndex, container);
+
+    auto nativeResult = generateNativeConfig(serverIndex, container, containerConfig, clientName);
+    if (nativeResult.errorCode != ErrorCode::NoError) {
+        result.errorCode = nativeResult.errorCode;
+        return result;
+    }
+
+    QStringList lines = nativeResult.jsonNativeConfig.value(configKey::config).toString().replace("\r", "").split("\n");
+    for (const QString &line : std::as_const(lines)) {
+        result.config.append(line + "\n");
+    }
+
+    result.qrCodes = generateQrCodesFromConfig(result.config.toUtf8());
+    return result;
+}
+
+ExportController::ExportResult ExportController::generateWireGuardConfig(int serverIndex, const QString &clientName)
+{
+    ExportResult result;
+
+    ContainerConfig containerConfig = m_serversRepository->containerConfig(serverIndex, DockerContainer::WireGuard);
+
+    auto nativeResult = generateNativeConfig(serverIndex, DockerContainer::WireGuard, containerConfig, clientName);
+    if (nativeResult.errorCode != ErrorCode::NoError) {
+        result.errorCode = nativeResult.errorCode;
+        return result;
+    }
+
+    QStringList lines = nativeResult.jsonNativeConfig.value(configKey::config).toString().replace("\r", "").split("\n");
+    for (const QString &line : std::as_const(lines)) {
+        result.config.append(line + "\n");
+    }
+
+    result.qrCodes << generateSingleQrCode(result.config.toUtf8());
+    return result;
+}
+
+ExportController::ExportResult ExportController::generateAwgConfig(int serverIndex, int containerIndex, const QString &clientName)
+{
+    ExportResult result;
+
+    DockerContainer container = static_cast<DockerContainer>(containerIndex);
+    if (container != DockerContainer::Awg && container != DockerContainer::Awg2) {
+        result.errorCode = ErrorCode::InternalError;
+        return result;
+    }
+    ContainerConfig containerConfig = m_serversRepository->containerConfig(serverIndex, container);
+
+    auto nativeResult = generateNativeConfig(serverIndex, container, containerConfig, clientName);
+    if (nativeResult.errorCode != ErrorCode::NoError) {
+        result.errorCode = nativeResult.errorCode;
+        return result;
+    }
+
+    QStringList lines = nativeResult.jsonNativeConfig.value(configKey::config).toString().replace("\r", "").split("\n");
+    for (const QString &line : std::as_const(lines)) {
+        result.config.append(line + "\n");
+    }
+
+    result.qrCodes << generateSingleQrCode(result.config.toUtf8());
+    return result;
+}
+
+
+ExportController::ExportResult ExportController::generateXrayConfig(int serverIndex, const QString &clientName)
+{
+    ExportResult result;
+
+    ContainerConfig containerConfig = m_serversRepository->containerConfig(serverIndex, DockerContainer::Xray);
+
+    auto nativeResult = generateNativeConfig(serverIndex, DockerContainer::Xray, containerConfig, clientName);
+    if (nativeResult.errorCode != ErrorCode::NoError) {
+        result.errorCode = nativeResult.errorCode;
+        return result;
+    }
+
+    QStringList lines = QString(QJsonDocument(nativeResult.jsonNativeConfig).toJson()).replace("\r", "").split("\n");
+    for (const QString &line : std::as_const(lines)) {
+        result.config.append(line + "\n");
+    }
+
+    // Parse the Xray data to extract VLESS parameters and generate string
+    QJsonObject xrayConfig = nativeResult.jsonNativeConfig;
+    QJsonArray outbounds = xrayConfig.value(amnezia::protocols::xray::outbounds).toArray();
+
+    if (outbounds.isEmpty()) {
+        result.errorCode = ErrorCode::InternalError;
+        return result;
+    }
+
+    QJsonObject outbound = outbounds[0].toObject();
+    QJsonObject settings = outbound.value(amnezia::protocols::xray::settings).toObject();
+    QJsonObject streamSettings = outbound.value(amnezia::protocols::xray::streamSettings).toObject();
+
+    QJsonArray vnext = settings.value(amnezia::protocols::xray::vnext).toArray();
+    if (vnext.isEmpty()) {
+        result.errorCode = ErrorCode::InternalError;
+        return result;
+    }
+
+    QJsonObject server = vnext[0].toObject();
+    QJsonArray users = server.value(amnezia::protocols::xray::users).toArray();
+    if (users.isEmpty()) {
+        result.errorCode = ErrorCode::InternalError;
+        return result;
+    }
+
+    QJsonObject user = users[0].toObject();
+
+    amnezia::serialization::VlessServerObject vlessServer;
+    vlessServer.address = server.value(amnezia::protocols::xray::address).toString();
+    vlessServer.port = server.value(amnezia::protocols::xray::port).toInt();
+    vlessServer.id = user.value(amnezia::protocols::xray::id).toString();
+    vlessServer.flow = user.value(amnezia::protocols::xray::flow).toString("xtls-rprx-vision");
+    vlessServer.encryption = user.value(amnezia::protocols::xray::encryption).toString("none");
+
+    vlessServer.network = streamSettings.value(amnezia::protocols::xray::network).toString("tcp");
+    vlessServer.security = streamSettings.value(amnezia::protocols::xray::security).toString("reality");
+
+    if (vlessServer.security == "reality") {
+        QJsonObject realitySettings = streamSettings.value(amnezia::protocols::xray::realitySettings).toObject();
+        vlessServer.serverName = realitySettings.value(amnezia::protocols::xray::serverName).toString();
+        vlessServer.publicKey = realitySettings.value(amnezia::protocols::xray::publicKey).toString();
+        vlessServer.shortId = realitySettings.value(amnezia::protocols::xray::shortId).toString();
+        vlessServer.fingerprint = realitySettings.value(amnezia::protocols::xray::fingerprint).toString("chrome");
+        vlessServer.spiderX = realitySettings.value(amnezia::protocols::xray::spiderX).toString("");
+    }
+
+    result.nativeConfigString = amnezia::serialization::vless::Serialize(vlessServer, "AmneziaVPN");
+
+    return result;
+}
+
+void ExportController::updateClientManagementModel(int serverIndex, int containerIndex)
+{
+    DockerContainer container = static_cast<DockerContainer>(containerIndex);
+    emit updateClientsRequested(serverIndex, container);
+}
+
+void ExportController::revokeConfig(int row, int serverIndex, int containerIndex)
+{
+    DockerContainer container = static_cast<DockerContainer>(containerIndex);
+    emit revokeClientRequested(serverIndex, row, container);
+}
+
+void ExportController::renameClient(int row, const QString &clientName, int serverIndex, int containerIndex)
+{
+    DockerContainer container = static_cast<DockerContainer>(containerIndex);
+    emit renameClientRequested(serverIndex, row, clientName, container);
+}
+
+QString ExportController::generateVpnUrl(const QByteArray &compressedConfig)
+{
+    return QString("vpn://%1").arg(QString(compressedConfig.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals)));
+}
+
+QList<QString> ExportController::generateQrCodesFromConfig(const QByteArray &data)
+{
+    return qrCodeUtils::generateQrCodeImageSeries(data);
+}
+
+QString ExportController::generateSingleQrCode(const QByteArray &data)
+{
+    auto qr = qrCodeUtils::generateQrCode(data);
+    return qrCodeUtils::svgToBase64(QString::fromStdString(toSvgString(qr, 1)));
+}

client/core/controllers/selfhosted/exportController.h

@@ -0,0 +1,77 @@
+#ifndef EXPORTCONTROLLER_H
+#define EXPORTCONTROLLER_H
+
+#include <QObject>
+#include <QJsonObject>
+#include <QList>
+#include <QString>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class SshSession;
+class VpnConfigurationsController;
+
+using namespace amnezia;
+
+class ExportController : public QObject
+{
+    Q_OBJECT
+
+public:
+    struct ExportResult
+    {
+        ErrorCode errorCode = ErrorCode::NoError;
+        QString config;
+        QString nativeConfigString;
+        QList<QString> qrCodes;
+    };
+
+    explicit ExportController(SecureServersRepository* serversRepository,
+                              SecureAppSettingsRepository* appSettingsRepository,
+                              QObject *parent = nullptr);
+
+    ExportResult generateFullAccessConfig(int serverIndex);
+    ExportResult generateConnectionConfig(int serverIndex, int containerIndex, const QString &clientName);
+    ExportResult generateOpenVpnConfig(int serverIndex, const QString &clientName);
+    ExportResult generateWireGuardConfig(int serverIndex, const QString &clientName);
+    ExportResult generateAwgConfig(int serverIndex, int containerIndex, const QString &clientName);
+    ExportResult generateXrayConfig(int serverIndex, const QString &clientName);
+
+signals:
+    void appendClientRequested(int serverIndex, const QString &clientId, const QString &clientName, DockerContainer container);
+    void updateClientsRequested(int serverIndex, DockerContainer container);
+    void revokeClientRequested(int serverIndex, int row, DockerContainer container);
+    void renameClientRequested(int serverIndex, int row, const QString &clientName, DockerContainer container);
+
+public slots:
+    void updateClientManagementModel(int serverIndex, int containerIndex);
+    void revokeConfig(int row, int serverIndex, int containerIndex);
+    void renameClient(int row, const QString &clientName, int serverIndex, int containerIndex);
+
+private:
+    struct NativeConfigResult
+    {
+        ErrorCode errorCode = ErrorCode::NoError;
+        QJsonObject jsonNativeConfig;
+    };
+
+    NativeConfigResult generateNativeConfig(int serverIndex, DockerContainer container,
+                                            const ContainerConfig &containerConfig,
+                                            const QString &clientName);
+
+    QString generateVpnUrl(const QByteArray &compressedConfig);
+    QList<QString> generateQrCodesFromConfig(const QByteArray &data);
+    QString generateSingleQrCode(const QByteArray &data);
+
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+};
+
+#endif // EXPORTCONTROLLER_H

client/core/controllers/selfhosted/importController.cpp

@@ -0,0 +1,762 @@
+#include "importController.h"
+
+#include <QDataStream>
+#include <QDebug>
+#include <QJsonArray>
+#include <QJsonDocument>
+#include <QJsonParseError>
+#include <QMap>
+#include <QRandomGenerator>
+#include <QRegularExpression>
+#include <QRegularExpressionMatch>
+#include <QRegularExpressionMatchIterator>
+#include <QUrl>
+#include <algorithm>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/api/apiEnums.h"
+#include "core/utils/constants/apiKeys.h"
+#include "core/utils/constants/apiConstants.h"
+#include "core/utils/api/apiUtils.h"
+#include "core/utils/serialization/serialization.h"
+#include "core/utils/utilities.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/utils/qrCodeUtils.h"
+#include "core/models/serverConfig.h"
+
+using namespace amnezia;
+using namespace ProtocolUtils;
+
+namespace
+{
+    ConfigTypes checkConfigFormat(const QString &config)
+    {
+        const QString openVpnConfigPatternCli = "client";
+        const QString openVpnConfigPatternDriver1 = "dev tun";
+        const QString openVpnConfigPatternDriver2 = "dev tap";
+
+        const QString wireguardConfigPatternSectionInterface = "[Interface]";
+        const QString wireguardConfigPatternSectionPeer = "[Peer]";
+
+        const QString xrayConfigPatternInbound = "inbounds";
+        const QString xrayConfigPatternOutbound = "outbounds";
+
+        const QString amneziaConfigPattern = "containers";
+        const QString amneziaConfigPatternHostName = "hostName";
+        const QString amneziaConfigPatternUserName = "userName";
+        const QString amneziaConfigPatternPassword = "password";
+        const QString amneziaFreeConfigPattern = "api_key";
+        const QString amneziaPremiumConfigPattern = "auth_data";
+        const QString backupPattern = "Servers/serversList";
+
+        if (config.contains(backupPattern)) {
+            return ConfigTypes::Backup;
+        } else if (config.contains(amneziaConfigPattern) || config.contains(amneziaFreeConfigPattern)
+                   || config.contains(amneziaPremiumConfigPattern)
+                   || (config.contains(amneziaConfigPatternHostName) && config.contains(amneziaConfigPatternUserName)
+                       && config.contains(amneziaConfigPatternPassword))) {
+            return ConfigTypes::Amnezia;
+        } else if (config.contains(wireguardConfigPatternSectionInterface) && config.contains(wireguardConfigPatternSectionPeer)) {
+            return ConfigTypes::WireGuard;
+        } else if ((config.contains(xrayConfigPatternInbound)) && (config.contains(xrayConfigPatternOutbound))) {
+            return ConfigTypes::Xray;
+        } else if (config.contains(openVpnConfigPatternCli)
+                   && (config.contains(openVpnConfigPatternDriver1) || config.contains(openVpnConfigPatternDriver2))) {
+            return ConfigTypes::OpenVpn;
+        }
+        return ConfigTypes::Invalid;
+    }
+} // namespace
+
+ImportController::ImportController(SecureServersRepository* serversRepository,
+                                   SecureAppSettingsRepository* appSettingsRepository,
+                                   QObject *parent)
+    : QObject(parent),
+      m_serversRepository(serversRepository),
+      m_appSettingsRepository(appSettingsRepository)
+{
+}
+
+ImportController::ImportResult ImportController::extractConfigFromData(const QString &data, const QString &configFileName)
+{
+    ImportResult result;
+    result.configFileName = configFileName;
+    result.maliciousWarningText.clear();
+
+    QString config = data;
+    QString prefix;
+    QString errormsg;
+    ConfigTypes configType = ConfigTypes::Invalid;
+
+    if (config.startsWith("vless://")) {
+        configType = ConfigTypes::Xray;
+        result.config = extractXrayConfig(
+                Utils::JsonToString(serialization::vless::Deserialize(config, &prefix, &errormsg), QJsonDocument::JsonFormat::Compact),
+                configType, prefix);
+        if (!result.config.empty()) {
+            result.configType = configType;
+            return result;
+        }
+    }
+
+    if (config.startsWith("vmess://") && config.contains("@")) {
+        configType = ConfigTypes::Xray;
+        result.config = extractXrayConfig(
+                Utils::JsonToString(serialization::vmess_new::Deserialize(config, &prefix, &errormsg), QJsonDocument::JsonFormat::Compact),
+                configType, prefix);
+        if (!result.config.empty()) {
+            result.configType = configType;
+            return result;
+        }
+    }
+
+    if (config.startsWith("vmess://")) {
+        configType = ConfigTypes::Xray;
+        result.config = extractXrayConfig(
+                Utils::JsonToString(serialization::vmess::Deserialize(config, &prefix, &errormsg), QJsonDocument::JsonFormat::Compact),
+                configType, prefix);
+        if (!result.config.empty()) {
+            result.configType = configType;
+            return result;
+        }
+    }
+
+    if (config.startsWith("trojan://")) {
+        configType = ConfigTypes::Xray;
+        result.config = extractXrayConfig(
+                Utils::JsonToString(serialization::trojan::Deserialize(config, &prefix, &errormsg), QJsonDocument::JsonFormat::Compact),
+                configType, prefix);
+        if (!result.config.empty()) {
+            result.configType = configType;
+            return result;
+        }
+    }
+
+    if (config.startsWith("ss://") && !config.contains("plugin=")) {
+        configType = ConfigTypes::ShadowSocks;
+        result.config = extractXrayConfig(
+                Utils::JsonToString(serialization::ss::Deserialize(config, &prefix, &errormsg), QJsonDocument::JsonFormat::Compact),
+                configType, prefix);
+        if (!result.config.empty()) {
+            result.configType = configType;
+            return result;
+        }
+    }
+
+    if (config.startsWith("ssd://")) {
+        QStringList tmp;
+        QList<std::pair<QString, QJsonObject>> servers = serialization::ssd::Deserialize(config, &prefix, &tmp);
+        configType = ConfigTypes::ShadowSocks;
+        // Took only first config from list
+        if (!servers.isEmpty()) {
+            result.config = extractXrayConfig(servers.first().first, configType);
+        }
+        if (!result.config.empty()) {
+            result.configType = configType;
+            return result;
+        }
+    }
+
+    configType = checkConfigFormat(config);
+    if (configType == ConfigTypes::Invalid) {
+        config.replace("vpn://", "");
+        QByteArray ba = QByteArray::fromBase64(config.toUtf8(), QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
+        QByteArray baUncompressed = qUncompress(ba);
+        if (!baUncompressed.isEmpty()) {
+            ba = baUncompressed;
+        }
+
+        config = ba;
+        configType = checkConfigFormat(config);
+    }
+
+    result.configType = configType;
+
+    switch (configType) {
+    case ConfigTypes::OpenVpn: {
+        result.config = extractOpenVpnConfig(config);
+        if (!result.config.empty()) {
+            checkForMaliciousStrings(result.config, result.maliciousWarningText);
+            return result;
+        }
+        result.errorCode = ErrorCode::ImportInvalidConfigError;
+        return result;
+    }
+    case ConfigTypes::Awg:
+    case ConfigTypes::WireGuard: {
+        result.config = extractWireGuardConfig(config, result.configType);
+        result.isNativeWireGuardConfig = (result.configType == ConfigTypes::WireGuard);
+        if (!result.config.empty()) {
+            return result;
+        }
+        result.errorCode = ErrorCode::ImportInvalidConfigError;
+        return result;
+    }
+    case ConfigTypes::Xray: {
+        result.config = extractXrayConfig(config, configType);
+        if (!result.config.empty()) {
+            return result;
+        }
+        result.errorCode = ErrorCode::ImportInvalidConfigError;
+        return result;
+    }
+    case ConfigTypes::Amnezia: {
+        result.config = QJsonDocument::fromJson(config.toUtf8()).object();
+
+        if (apiUtils::isServerFromApi(result.config)) {
+            auto apiConfig = result.config.value(apiDefs::key::apiConfig).toObject();
+            apiConfig[apiDefs::key::vpnKey] = data;
+            result.config[apiDefs::key::apiConfig] = apiConfig;
+        }
+
+        processAmneziaConfig(result.config);
+        if (!result.config.empty()) {
+            checkForMaliciousStrings(result.config, result.maliciousWarningText);
+            return result;
+        }
+        result.errorCode = ErrorCode::ImportInvalidConfigError;
+        return result;
+    }
+    case ConfigTypes::Backup: {
+        result.errorCode = ErrorCode::ImportBackupFileUseRestoreInstead;
+        return result;
+    }
+    case ConfigTypes::Invalid: {
+        result.errorCode = ErrorCode::ImportInvalidConfigError;
+        result.configFileName.clear();
+        return result;
+    }
+    }
+    
+    result.errorCode = ErrorCode::ImportInvalidConfigError;
+    return result;
+}
+
+ImportController::ImportResult ImportController::extractConfigFromQr(const QByteArray &data)
+{
+    ImportResult result;
+
+    QString dataStr = QString::fromUtf8(data);
+    ConfigTypes configType = checkConfigFormat(dataStr);
+    if (configType != ConfigTypes::Invalid) {
+        return extractConfigFromData(dataStr, "");
+    }
+
+    QJsonObject dataObj = QJsonDocument::fromJson(data).object();
+    if (!dataObj.isEmpty()) {
+        result.config = dataObj;
+        result.configType = ConfigTypes::Amnezia;
+        return result;
+    }
+
+    QByteArray ba_uncompressed = qUncompress(data);
+    if (!ba_uncompressed.isEmpty()) {
+        result.config = QJsonDocument::fromJson(ba_uncompressed).object();
+        if (result.config.isEmpty()) {
+            result.errorCode = ErrorCode::ImportInvalidConfigError;
+            return result;
+        }
+        result.configType = ConfigTypes::Amnezia;
+        return result;
+    }
+
+    QByteArray ba = QByteArray::fromBase64(data, QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
+    QByteArray baUncompressed = qUncompress(ba);
+
+    if (!baUncompressed.isEmpty()) {
+        ba = baUncompressed;
+    }
+
+    if (!ba.isEmpty()) {
+        result.config = QJsonDocument::fromJson(ba).object();
+        if (result.config.isEmpty()) {
+            result.errorCode = ErrorCode::ImportInvalidConfigError;
+            return result;
+        }
+        result.configType = ConfigTypes::Amnezia;
+        return result;
+    }
+
+    result.errorCode = ErrorCode::ImportInvalidConfigError;
+    return result;
+}
+
+void ImportController::startDecodingQr()
+{
+    m_qrCodeChunks.clear();
+    m_totalQrCodeChunksCount = 0;
+    m_receivedQrCodeChunksCount = 0;
+    m_isQrCodeProcessed = true;
+}
+
+ImportController::QrParseResult ImportController::parseQrCodeChunk(const QString &code)
+{
+    QrParseResult parseResult;
+    parseResult.chunksReceived = m_receivedQrCodeChunksCount;
+    parseResult.chunksTotal = m_totalQrCodeChunksCount;
+
+    if (!m_isQrCodeProcessed) {
+        return parseResult;
+    }
+
+    QByteArray ba = QByteArray::fromBase64(code.toUtf8(), QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
+    QDataStream s(&ba, QIODevice::ReadOnly);
+    qint16 magic;
+    s >> magic;
+
+    if (magic == qrCodeUtils::qrMagicCode) {
+        quint8 chunksCount;
+        s >> chunksCount;
+        if (m_totalQrCodeChunksCount != chunksCount) {
+            m_qrCodeChunks.clear();
+        }
+
+        m_totalQrCodeChunksCount = chunksCount;
+
+        quint8 chunkId;
+        s >> chunkId;
+        s >> m_qrCodeChunks[chunkId];
+        m_receivedQrCodeChunksCount = m_qrCodeChunks.size();
+        parseResult.chunksReceived = m_receivedQrCodeChunksCount;
+        parseResult.chunksTotal = m_totalQrCodeChunksCount;
+
+        if (m_qrCodeChunks.size() == m_totalQrCodeChunksCount) {
+            QByteArray data;
+            for (int i = 0; i < m_totalQrCodeChunksCount; ++i) {
+                data.append(m_qrCodeChunks.value(i));
+            }
+
+            ImportResult result = extractConfigFromQr(data);
+            if (result.errorCode == ErrorCode::NoError) {
+                parseResult.success = true;
+                parseResult.importResult = result;
+                m_isQrCodeProcessed = false;
+            } else {
+                m_qrCodeChunks.clear();
+                m_totalQrCodeChunksCount = 0;
+                m_receivedQrCodeChunksCount = 0;
+            }
+        }
+    } else {
+        ImportResult result = extractConfigFromQr(code.toUtf8());
+        if (result.errorCode != ErrorCode::NoError) {
+            result = extractConfigFromQr(ba);
+        }
+        if (result.errorCode == ErrorCode::NoError) {
+            parseResult.success = true;
+            parseResult.importResult = result;
+            m_isQrCodeProcessed = false;
+        }
+    }
+
+    return parseResult;
+}
+
+bool ImportController::isQrDecodingActive() const
+{
+    return m_isQrCodeProcessed;
+}
+
+int ImportController::qrChunksReceived() const
+{
+    return m_receivedQrCodeChunksCount;
+}
+
+int ImportController::qrChunksTotal() const
+{
+    return m_totalQrCodeChunksCount;
+}
+
+void ImportController::importConfig(const QJsonObject &config)
+{
+    ServerCredentials credentials;
+    credentials.hostName = config.value(configKey::hostName).toString();
+    credentials.port = config.value(configKey::port).toInt();
+    credentials.userName = config.value(configKey::userName).toString();
+    credentials.secretData = config.value(configKey::password).toString();
+
+    if (credentials.isValid() || config.contains(configKey::containers)) {
+        ServerConfig serverConfig = ServerConfig::fromJson(config);
+        m_serversRepository->addServer(serverConfig);
+        emit importFinished();
+    } else if (config.contains(configKey::configVersion)) {
+        quint16 crc = qChecksum(QJsonDocument(config).toJson());
+        if (m_serversRepository->hasServerWithCrc(crc)) {
+            emit importErrorOccurred(ErrorCode::ApiConfigAlreadyAdded, true);
+        } else {
+            QJsonObject configWithCrc = config;
+            configWithCrc.insert(configKey::crc, crc);
+            ServerConfig serverConfig = ServerConfig::fromJson(configWithCrc);
+            m_serversRepository->addServer(serverConfig);
+            emit importFinished();
+        }
+    } else {
+        qDebug() << "Failed to import profile";
+        qDebug().noquote() << QJsonDocument(config).toJson();
+        emit importErrorOccurred(ErrorCode::ImportInvalidConfigError, false);
+    }
+}
+
+QJsonObject ImportController::processNativeWireGuardConfig(const QJsonObject &config)
+{
+    QJsonObject result = config;
+    auto containers = result.value(configKey::containers).toArray();
+    if (!containers.isEmpty()) {
+        auto container = containers.at(0).toObject();
+        auto serverProtocolConfig = container.value(ContainerUtils::containerTypeToProtocolString(DockerContainer::WireGuard)).toObject();
+        auto clientProtocolConfig = QJsonDocument::fromJson(serverProtocolConfig.value(configKey::lastConfig).toString().toUtf8()).object();
+
+        QString junkPacketCount = QString::number(QRandomGenerator::global()->bounded(4, 7));
+        QString junkPacketMinSize = QString::number(10);
+        QString junkPacketMaxSize = QString::number(50);
+        clientProtocolConfig[configKey::junkPacketCount] = junkPacketCount;
+        clientProtocolConfig[configKey::junkPacketMinSize] = junkPacketMinSize;
+        clientProtocolConfig[configKey::junkPacketMaxSize] = junkPacketMaxSize;
+        clientProtocolConfig[configKey::initPacketJunkSize] = "0";
+        clientProtocolConfig[configKey::responsePacketJunkSize] = "0";
+        clientProtocolConfig[configKey::initPacketMagicHeader] = "1";
+        clientProtocolConfig[configKey::responsePacketMagicHeader] = "2";
+        clientProtocolConfig[configKey::underloadPacketMagicHeader] = "3";
+        clientProtocolConfig[configKey::transportPacketMagicHeader] = "4";
+
+        clientProtocolConfig[configKey::cookieReplyPacketJunkSize] = "0";
+        clientProtocolConfig[configKey::transportPacketJunkSize] = "0";
+
+        clientProtocolConfig[configKey::specialJunk1] = protocols::awg::defaultSpecialJunk1;
+
+        clientProtocolConfig[configKey::isObfuscationEnabled] = true;
+
+        serverProtocolConfig[configKey::lastConfig] = QString(QJsonDocument(clientProtocolConfig).toJson());
+        container[configKey::wireguard] = serverProtocolConfig;
+        containers.replace(0, container);
+        result[configKey::containers] = containers;
+    }
+    return result;
+}
+
+ConfigTypes ImportController::checkConfigFormat(const QString &config) const
+{
+    return ::checkConfigFormat(config);
+}
+
+QJsonObject ImportController::extractOpenVpnConfig(const QString &data) const
+{
+    QJsonObject openVpnConfig;
+    openVpnConfig[configKey::config] = data;
+
+    QJsonObject lastConfig;
+    lastConfig[configKey::lastConfig] = QString(QJsonDocument(openVpnConfig).toJson());
+    lastConfig[configKey::isThirdPartyConfig] = true;
+
+    QJsonObject containers;
+    containers.insert(configKey::container, QJsonValue(configKey::amneziaOpenvpn));
+    containers.insert(configKey::openvpn, QJsonValue(lastConfig));
+
+    QJsonArray arr;
+    arr.push_back(containers);
+
+    QString hostName;
+    const static QRegularExpression hostNameRegExp("remote\\s+([^\\s]+)");
+    QRegularExpressionMatch hostNameMatch = hostNameRegExp.match(data);
+    if (hostNameMatch.hasMatch()) {
+        hostName = hostNameMatch.captured(1);
+    }
+
+    QJsonObject config;
+    config[configKey::containers] = arr;
+    config[configKey::defaultContainer] = configKey::amneziaOpenvpn;
+    config[configKey::description] = m_appSettingsRepository->nextAvailableServerName();
+
+    const static QRegularExpression dnsRegExp("dhcp-option DNS (\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b)");
+    QRegularExpressionMatchIterator dnsMatch = dnsRegExp.globalMatch(data);
+    if (dnsMatch.hasNext()) {
+        config[configKey::dns1] = dnsMatch.next().captured(1);
+    }
+    if (dnsMatch.hasNext()) {
+        config[configKey::dns2] = dnsMatch.next().captured(1);
+    }
+
+    config[configKey::hostName] = hostName;
+
+    return config;
+}
+
+QJsonObject ImportController::extractWireGuardConfig(const QString &data, ConfigTypes &configType) const
+{
+    QMap<QString, QString> configMap;
+    auto configByLines = data.split("\n");
+    for (const QString &line : configByLines) {
+        QString trimmedLine = line.trimmed();
+        if (trimmedLine.startsWith("[") && trimmedLine.endsWith("]")) {
+            continue;
+        } else {
+            QStringList parts = trimmedLine.split(" = ");
+            if (parts.count() == 2) {
+                configMap[parts.at(0).trimmed()] = parts.at(1).trimmed();
+            }
+        }
+    }
+
+    QJsonObject lastConfig;
+    lastConfig[configKey::config] = data;
+
+    auto url { QUrl::fromUserInput(configMap.value(protocols::wireguard::Endpoint)) };
+    QString hostName;
+    QString port;
+    if (!url.host().isEmpty()) {
+        hostName = url.host();
+    } else {
+        qDebug() << "Key parameter" << protocols::wireguard::Endpoint << "is missing or has an invalid format";
+        return QJsonObject();
+    }
+
+    if (url.port() != -1) {
+        port = QString::number(url.port());
+    } else {
+        port = protocols::wireguard::defaultPort;
+    }
+
+    lastConfig[configKey::hostName] = hostName;
+    lastConfig[configKey::port] = port.toInt();
+
+    if (!configMap.value(protocols::wireguard::PrivateKey).isEmpty()
+            && !configMap.value(protocols::wireguard::Address).isEmpty()
+            && !configMap.value(protocols::wireguard::PublicKey).isEmpty()) {
+        lastConfig[configKey::clientPrivKey] = configMap.value(protocols::wireguard::PrivateKey);
+        lastConfig[configKey::clientIp] = configMap.value(protocols::wireguard::Address);
+
+        if (!configMap.value(protocols::wireguard::PresharedKey).isEmpty()) {
+            lastConfig[configKey::pskKey] = configMap.value(protocols::wireguard::PresharedKey);
+        } else if (!configMap.value(protocols::wireguard::PreSharedKey).isEmpty()) {
+            lastConfig[configKey::pskKey] = configMap.value(protocols::wireguard::PreSharedKey);
+        }
+
+        lastConfig[configKey::serverPubKey] = configMap.value(protocols::wireguard::PublicKey);
+    } else {
+        qDebug() << "One of the key parameters is missing (PrivateKey, Address, PublicKey)";
+        return QJsonObject();
+    }
+
+    if (!configMap.value(protocols::wireguard::MTU).isEmpty()) {
+        lastConfig[configKey::mtu] = configMap.value(protocols::wireguard::MTU);
+    }
+
+    if (!configMap.value(protocols::wireguard::PersistentKeepalive).isEmpty()) {
+        lastConfig[configKey::persistentKeepAlive] = configMap.value(protocols::wireguard::PersistentKeepalive);
+    }
+
+    QJsonArray allowedIpsJsonArray = QJsonArray::fromStringList(
+                configMap.value(protocols::wireguard::AllowedIPs).split(", "));
+
+    lastConfig[configKey::allowedIps] = allowedIpsJsonArray;
+
+    QString protocolName = configKey::wireguard;
+    QString protocolVersion;
+    ConfigTypes detectedType = ConfigTypes::WireGuard;
+
+    const QStringList requiredJunkFields = { configKey::junkPacketCount,           configKey::junkPacketMinSize,
+                                             configKey::junkPacketMaxSize,         configKey::initPacketJunkSize,
+                                             configKey::responsePacketJunkSize,    configKey::initPacketMagicHeader,
+                                             configKey::responsePacketMagicHeader, configKey::underloadPacketMagicHeader,
+                                             configKey::transportPacketMagicHeader };
+
+    const QStringList optionalJunkFields = { configKey::cookieReplyPacketJunkSize,
+                                             configKey::transportPacketJunkSize,
+                                             configKey::specialJunk1,    configKey::specialJunk2,    configKey::specialJunk3,
+                                             configKey::specialJunk4,    configKey::specialJunk5
+    };
+
+    bool hasAllRequiredFields = std::all_of(requiredJunkFields.begin(), requiredJunkFields.end(),
+                                            [&configMap](const QString &field) { return !configMap.value(field).isEmpty(); });
+    if (hasAllRequiredFields) {
+        for (const QString &field : requiredJunkFields) {
+            lastConfig[field] = configMap.value(field);
+        }
+
+        for (const QString &field : optionalJunkFields) {
+            if (!configMap.value(field).isEmpty()) {
+                lastConfig[field] = configMap.value(field);
+            }
+        }
+
+        bool hasCookieReplyPacketJunkSize = !configMap.value(configKey::cookieReplyPacketJunkSize).isEmpty();
+        bool hasTransportPacketJunkSize = !configMap.value(configKey::transportPacketJunkSize).isEmpty();
+        bool hasSpecialJunk = !configMap.value(configKey::specialJunk1).isEmpty() ||
+                              !configMap.value(configKey::specialJunk2).isEmpty() ||
+                              !configMap.value(configKey::specialJunk3).isEmpty() ||
+                              !configMap.value(configKey::specialJunk4).isEmpty() ||
+                              !configMap.value(configKey::specialJunk5).isEmpty();
+
+        if (hasCookieReplyPacketJunkSize && hasTransportPacketJunkSize) {
+            protocolVersion = "2";
+        } else if (hasSpecialJunk && !hasCookieReplyPacketJunkSize && !hasTransportPacketJunkSize) {
+            protocolVersion = "1.5";
+        }
+        protocolName = configKey::awg;
+        detectedType = ConfigTypes::Awg;
+    }
+
+    if (!configMap.value(protocols::wireguard::MTU).isEmpty()) {
+        lastConfig[configKey::mtu] = configMap.value(protocols::wireguard::MTU);
+    } else {
+        lastConfig[configKey::mtu] = (protocolName == configKey::awg) 
+                                       ? protocols::awg::defaultMtu 
+                                       : protocols::wireguard::defaultMtu;
+    }
+
+    QJsonObject wireguardConfig;
+    wireguardConfig[configKey::lastConfig] = QString(QJsonDocument(lastConfig).toJson());
+    wireguardConfig[configKey::isThirdPartyConfig] = true;
+    wireguardConfig[configKey::port] = port;
+    wireguardConfig[configKey::transportProto] = protocols::openvpn::defaultTransportProto;
+    if (protocolName == configKey::awg && !protocolVersion.isEmpty()) {
+        wireguardConfig[configKey::protocolVersion] = protocolVersion;
+    }
+
+    QJsonObject containers;
+    QString containerName = (protocolName == configKey::awg) ? configKey::amneziaAwg : configKey::amneziaWireguard;
+    containers.insert(configKey::container, QJsonValue(containerName));
+    containers.insert(protocolName, QJsonValue(wireguardConfig));
+
+    QJsonArray arr;
+    arr.push_back(containers);
+
+    QJsonObject config;
+    config[configKey::containers] = arr;
+    config[configKey::defaultContainer] = containerName;
+    config[configKey::description] = m_appSettingsRepository->nextAvailableServerName();
+
+    const static QRegularExpression dnsRegExp(
+            "DNS = "
+            "(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b).*(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b)");
+    QRegularExpressionMatch dnsMatch = dnsRegExp.match(data);
+    if (dnsMatch.hasMatch()) {
+        config[configKey::dns1] = dnsMatch.captured(1);
+        config[configKey::dns2] = dnsMatch.captured(2);
+    }
+
+    config[configKey::hostName] = hostName;
+
+    configType = detectedType;
+    return config;
+}
+
+QJsonObject ImportController::extractXrayConfig(const QString &data, ConfigTypes configType, const QString &description) const
+{
+    QJsonParseError parserErr;
+    QJsonDocument jsonConf = QJsonDocument::fromJson(data.toLocal8Bit(), &parserErr);
+
+    QJsonObject xrayVpnConfig;
+    xrayVpnConfig[configKey::config] = jsonConf.toJson().constData();
+    QJsonObject lastConfig;
+    lastConfig[configKey::lastConfig] = jsonConf.toJson().constData();
+    lastConfig[configKey::isThirdPartyConfig] = true;
+
+    QJsonObject containers;
+    if (configType == ConfigTypes::ShadowSocks) {
+        containers.insert(configKey::ssxray, QJsonValue(lastConfig));
+        containers.insert(configKey::container, QJsonValue(configKey::amneziaSsxray));
+    } else {
+        containers.insert(configKey::container, QJsonValue(configKey::amneziaXray));
+        containers.insert(configKey::xray, QJsonValue(lastConfig));
+    }
+
+    QJsonArray arr;
+    arr.push_back(containers);
+
+    QString hostName;
+
+    const static QRegularExpression hostNameRegExp("\"address\":\\s*\"([^\"]+)");
+    QRegularExpressionMatch hostNameMatch = hostNameRegExp.match(data);
+    if (hostNameMatch.hasMatch()) {
+        hostName = hostNameMatch.captured(1);
+    }
+
+    QJsonObject config;
+    config[configKey::containers] = arr;
+    config[configKey::defaultContainer] = (configType == ConfigTypes::ShadowSocks)
+            ? configKey::amneziaSsxray
+            : configKey::amneziaXray;
+    if (description.isEmpty()) {
+        config[configKey::description] = m_appSettingsRepository->nextAvailableServerName();
+    } else {
+        config[configKey::description] = description;
+    }
+    config[configKey::hostName] = hostName;
+
+    return config;
+}
+
+void ImportController::checkForMaliciousStrings(const QJsonObject &serverConfig, QString &warningText) const
+{
+    const QJsonArray &containers = serverConfig.value(configKey::containers).toArray();
+    for (const QJsonValue &container : containers) {
+        auto containerConfig = container.toObject();
+        auto containerName = containerConfig[configKey::container].toString();
+        if (containerName == ContainerUtils::containerToString(DockerContainer::OpenVpn)) {
+
+            QString protocolConfig =
+                    containerConfig[ProtocolUtils::protoToString(Proto::OpenVpn)].toObject()[configKey::lastConfig].toString();
+            QString protocolConfigJson = QJsonDocument::fromJson(protocolConfig.toUtf8()).object()[configKey::config].toString();
+
+            // https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/script-options.rst
+            QStringList dangerousTags {
+                "up", "tls-verify", "ipchange", "client-connect", "route-up", "route-pre-down", "client-disconnect", "down", "learn-address", "auth-user-pass-verify"
+            };
+
+            QStringList maliciousStrings;
+            QStringList lines = protocolConfigJson.split('\n', Qt::SkipEmptyParts);
+
+            for (const QString &rawLine : lines) {
+                QString line = rawLine.trimmed();
+
+                QString command = line.section(' ', 0, 0, QString::SectionSkipEmpty);
+                if (dangerousTags.contains(command, Qt::CaseInsensitive)) {
+                    maliciousStrings << rawLine;
+                }
+            }
+
+            warningText = "This configuration contains an OpenVPN setup. OpenVPN configurations can include malicious "
+                         "scripts, so only add it if you fully trust the provider of this config. ";
+
+            if (!maliciousStrings.isEmpty()) {
+                warningText += "<br>In the imported configuration, potentially dangerous lines were found:";
+                for (const auto &string : maliciousStrings) {
+                    warningText += QString("<br><i>%1</i>").arg(string);
+                }
+            }
+        }
+    }
+}
+
+void ImportController::processAmneziaConfig(QJsonObject &config) const
+{
+    auto containers = config.value(configKey::containers).toArray();
+    for (auto i = 0; i < containers.size(); i++) {
+        auto container = containers.at(i).toObject();
+        auto dockerContainer = ContainerUtils::containerFromString(container.value(configKey::container).toString());
+        if (ContainerUtils::isAwgContainer(dockerContainer) || dockerContainer == DockerContainer::WireGuard) {
+            auto containerConfig = container.value(ContainerUtils::containerTypeToProtocolString(dockerContainer)).toObject();
+            auto protocolConfig = containerConfig.value(configKey::lastConfig).toString();
+            if (protocolConfig.isEmpty()) {
+                return;
+            }
+
+            QJsonObject jsonConfig = QJsonDocument::fromJson(protocolConfig.toUtf8()).object();
+            jsonConfig[configKey::mtu] =
+                    ContainerUtils::isAwgContainer(dockerContainer) ? protocols::awg::defaultMtu : protocols::wireguard::defaultMtu;
+
+            containerConfig[configKey::lastConfig] = QString(QJsonDocument(jsonConfig).toJson());
+
+            container[ContainerUtils::containerTypeToProtocolString(dockerContainer)] = containerConfig;
+            containers.replace(i, container);
+            config.insert(configKey::containers, containers);
+        }
+    }
+}
+

client/core/controllers/selfhosted/importController.h

@@ -0,0 +1,91 @@
+#ifndef IMPORTCONTROLLER_H
+#define IMPORTCONTROLLER_H
+
+#include <QObject>
+#include <QJsonObject>
+#include <QByteArray>
+#include <QMap>
+
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+
+namespace
+{
+    enum class ConfigTypes {
+        Amnezia,
+        OpenVpn,
+        WireGuard,
+        Awg,
+        Xray,
+        ShadowSocks,
+        Backup,
+        Invalid
+    };
+}
+
+using namespace amnezia;
+
+class ImportController : public QObject
+{
+    Q_OBJECT
+
+public:
+    struct ImportResult
+    {
+        ErrorCode errorCode = ErrorCode::NoError;
+        QJsonObject config;
+        QString configFileName;
+        QString maliciousWarningText;
+        ConfigTypes configType = ConfigTypes::Invalid;
+        bool isNativeWireGuardConfig = false;
+    };
+
+    explicit ImportController(SecureServersRepository* serversRepository,
+                              SecureAppSettingsRepository* appSettingsRepository,
+                              QObject *parent = nullptr);
+
+    struct QrParseResult {
+        bool success = false;
+        ImportResult importResult;
+        int chunksReceived = 0;
+        int chunksTotal = 0;
+    };
+
+    ImportResult extractConfigFromData(const QString &data, const QString &configFileName = "");
+    ImportResult extractConfigFromQr(const QByteArray &data);
+
+    void startDecodingQr();
+    QrParseResult parseQrCodeChunk(const QString &code);
+    bool isQrDecodingActive() const;
+    int qrChunksReceived() const;
+    int qrChunksTotal() const;
+
+    void importConfig(const QJsonObject &config);
+    QJsonObject processNativeWireGuardConfig(const QJsonObject &config);
+
+signals:
+    void importFinished();
+    void importErrorOccurred(ErrorCode errorCode, bool goToPageHome);
+    void restoreAppConfig(const QByteArray &data);
+
+private:
+    ConfigTypes checkConfigFormat(const QString &config) const;
+    QJsonObject extractOpenVpnConfig(const QString &data) const;
+    QJsonObject extractWireGuardConfig(const QString &data, ConfigTypes &configType) const;
+    QJsonObject extractXrayConfig(const QString &data, ConfigTypes configType, const QString &description = "") const;
+    void checkForMaliciousStrings(const QJsonObject &serverConfig, QString &warningText) const;
+    void processAmneziaConfig(QJsonObject &config) const;
+
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+
+    QMap<int, QByteArray> m_qrCodeChunks;
+    bool m_isQrCodeProcessed = false;
+    int m_totalQrCodeChunksCount = 0;
+    int m_receivedQrCodeChunksCount = 0;
+};
+
+#endif // IMPORTCONTROLLER_H

client/core/controllers/selfhosted/installController.h

@@ -0,0 +1,117 @@
+#ifndef INSTALLCONTROLLER_H
+#define INSTALLCONTROLLER_H
+
+#include <QObject>
+#include <QJsonObject>
+#include <QScopedPointer>
+#include <QSharedPointer>
+#include <QProcess>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/models/containerConfig.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class SshSession;
+class InstallerBase;
+
+using namespace amnezia;
+
+class InstallController : public QObject
+{
+    Q_OBJECT
+
+public:
+    explicit InstallController(SecureServersRepository* serversRepository,
+                              SecureAppSettingsRepository* appSettingsRepository,
+                              QObject *parent = nullptr);
+    ~InstallController();
+
+    ErrorCode setupContainer(const ServerCredentials &credentials, DockerContainer container, ContainerConfig &config, bool isUpdate = false);
+    ErrorCode updateContainer(int serverIndex, DockerContainer container, const ContainerConfig &oldConfig, ContainerConfig &newConfig);
+
+    ErrorCode rebootServer(int serverIndex);
+    ErrorCode removeAllContainers(int serverIndex);
+    ErrorCode removeContainer(int serverIndex, DockerContainer container);
+
+    ContainerConfig generateConfig(DockerContainer container, int port, TransportProto transportProto);
+    ErrorCode getAlreadyInstalledContainers(const ServerCredentials &credentials, QMap<DockerContainer, ContainerConfig> &installedContainers, SshSession &sshSession);
+    
+    ErrorCode scanServerForInstalledContainers(int serverIndex);
+    
+    ErrorCode installContainer(const ServerCredentials &credentials, DockerContainer container, int port, TransportProto transportProto, ContainerConfig &config);
+
+    ErrorCode installServer(const ServerCredentials &credentials, DockerContainer container, int port, TransportProto transportProto,
+                                         bool &wasContainerInstalled);
+    ErrorCode installContainer(int serverIndex, DockerContainer container, int port, TransportProto transportProto,
+                                               bool &wasContainerInstalled);
+    
+    bool isUpdateDockerContainerRequired(DockerContainer container, const ContainerConfig &oldConfig, const ContainerConfig &newConfig);
+    
+    ErrorCode checkSshConnection(const ServerCredentials &credentials, QString &output, std::function<QString()> passphraseCallback = nullptr);
+    
+    bool isServerAlreadyExists(const ServerCredentials &credentials, int &existingServerIndex);
+    
+    ErrorCode mountSftpDrive(const ServerCredentials &credentials, const QString &port, const QString &password, const QString &username);
+    void stopAllSftpMounts();
+
+    void cancelInstallation();
+
+    void clearCachedProfile(int serverIndex, DockerContainer container);
+
+    ErrorCode validateAndPrepareConfig(int serverIndex);
+
+    void validateConfig(int serverIndex);
+
+signals:
+    void configValidated(bool isValid);
+    void validationErrorOccurred(ErrorCode errorCode);
+
+    void serverIsBusy(const bool isBusy);
+    void cancelInstallationRequested();
+    void clientRevocationRequested(int serverIndex, const ContainerConfig &containerConfig, DockerContainer container);
+    void clientAppendRequested(int serverIndex, const QString &clientId, const QString &clientName, DockerContainer container);
+
+private:
+    ErrorCode installDockerWorker(const ServerCredentials &credentials, DockerContainer container, SshSession &sshSession);
+    ErrorCode prepareHostWorker(const ServerCredentials &credentials, DockerContainer container, SshSession &sshSession);
+    ErrorCode buildContainerWorker(const ServerCredentials &credentials, DockerContainer container, const ContainerConfig &config, SshSession &sshSession);
+    ErrorCode runContainerWorker(const ServerCredentials &credentials, DockerContainer container, ContainerConfig &config, SshSession &sshSession);
+    ErrorCode configureContainerWorker(const ServerCredentials &credentials, DockerContainer container, ContainerConfig &config, SshSession &sshSession);
+    ErrorCode startupContainerWorker(const ServerCredentials &credentials, DockerContainer container, const ContainerConfig &config, SshSession &sshSession);
+
+    ErrorCode isServerPortBusy(const ServerCredentials &credentials, DockerContainer container, const ContainerConfig &config, SshSession &sshSession);
+    ErrorCode isUserInSudo(const ServerCredentials &credentials, SshSession &sshSession);
+    ErrorCode isServerDpkgBusy(const ServerCredentials &credentials, SshSession &sshSession);
+    ErrorCode setupServerFirewall(const ServerCredentials &credentials, SshSession &sshSession);
+    bool isReinstallContainerRequired(DockerContainer container, const ContainerConfig &oldConfig, const ContainerConfig &newConfig);
+
+    ErrorCode prepareContainerConfig(DockerContainer container, const ServerCredentials &credentials, ContainerConfig &containerConfig, SshSession &sshSession);
+
+    ErrorCode processContainerForAdmin(DockerContainer container, ContainerConfig &containerConfig,
+                                       const ServerCredentials &credentials, SshSession &sshSession,
+                                       int serverIndex, const QString &clientName);
+
+    void adminAppendRequested(int serverIndex, DockerContainer container,
+                              const ContainerConfig &containerConfig, const QString &clientName);
+
+    static void updateContainerConfigAfterInstallation(DockerContainer container, ContainerConfig &containerConfig, const QString &stdOut);
+
+    QScopedPointer<InstallerBase> createInstaller(DockerContainer container);
+
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    bool m_cancelInstallation = false;
+    
+#ifndef Q_OS_IOS
+    QList<QSharedPointer<QProcess>> m_sftpMountProcesses;
+#endif
+};
+
+#endif // INSTALLCONTROLLER_H
+