Merge branch 'dev' into refactoring/tests

feat: initial conan support and build process refactoring (#2260 )
* feat: initial conan support * feat: add awg-go and awg-apple recipes * feat: macos full feature conan build, except ss and cloak * feat: conan android initial support * fix: android libssh fixes * conan: android additional recipes and fixes * feat: openvpn add support android * fix: awg android connection establish * conan: apple full-featured support * chore: bump min macos version * chore: get rid of manual deploy recursive copying * conan: beautify makefile-based recipes * conan: add geosite.dat and geoip.dat * conan: use lib linking instead of QT_EXTRA_LIBS for OVPN * conan: address lack of SONAME of libck-ovpn-plugin.so correctly * conan: windows initial support * conan: make awg-windows and wintun be interpret as exes * conan: fix version for v2ray-rules-dat * feat: conan and platform bootstrap rework in cmake * feat: 16kb support for Android * chore(conan): recipes cleanup * feat: support of drivers for windows * feat: support full-featured cmake install * chore: exclude qtkeychain from the target build * fix: install for apple systems * fix: provide flags for cloak plugin for openvpn-pt-android * chore: bump android deps for 16kb support * feat(conan): patch cloak to properly provide env for golang * chore: remove redundant hint from conan find * feat: linux <-> conan features * feat: linux initial packaging support * feat: linux cpack support * feat: cpack windows full-featured build * feat: productbuild cpack support * feat: rework CI/CD for macos * feat: rework CI/CD for Linux * fix: libncap automake args * fix: CI/CD correct QT paths * fix: windows rework CI/CD * fix: windows artifact upload * chore: remove MacOS-old from build targets * feat: add conan to all mobile and NE builds * feat: support default amnezia conan remote * fix: use Release instead of release on Android * feat: get rid of 3rd-prebuilt * feat: conan CI/CD upload * fix: CI/CD change windows toolset versions * fix: remove MSVC version from CI/CD * feat: conan CI/CD add Release and Debug build types * feat: add multiple xcode versions for conan CI/CD * fix: correct conan CI/CD clang versions * feat: separate prebuilt baking, and add some for NE * feat: rework keychain on ios/macos even more * fix: add desktop Qt for iOS * feat: add QT_HOST_PATH to build.sh * fix: add deploy definition to cmake * fix: android adjustments for toolchains and CI/CD * fix: add needs for Android CI/CD * fix: Android CI/CD use android-28 * fix: modernize translations, and CI/CD fixes * fix: gradle min sdk compilation error * fix: CI/CD add installers to all jobs * fix: parse android platform more precisely * fix: adjust aab path in CI/CD * feat: CI/CD do not execute artifact build if there is nothing changed * fix: CI/CD use common jobs even if previous were failed * fix: Apple CI/CD use set-key-partition-list for keychains * fix: Apple CI/CD do not specify any keychain (use default) * fix: build aab as a different step in build script * chore: beautify build.sh script * feat: CI/CD build separate APKs per ABI * fix: Android CI/CD upload artifact in separate steps * chore: recipes cleanup * feat: add hints for conan on MacOS * fix: add main.cpp and tests back to CMakeLists.txt * chore: xrayProtocol codestyle changes * fix: openssl set proper X509 request version * fix: make openvpn protocol rely only on client while configuring * chore: get rid of old scripts * chore: readme update describing build process more precisely * feat: windows build script add multiprocessing capabilities * chore: bump Qt version in README * feat: add generator option and use Ninja by default in CI/CD for linux/macos --------- Co-authored-by: NickVs2015 <nv@amnezia.org>
2026-05-08 14:33:23 +00:00 · 2026-05-05 12:46:46 +03:00 · 2026-05-04 22:59:24 +08:00 · 2026-05-04 19:39:07 +08:00 · 2026-05-04 12:37:19 +08:00 · 2026-05-02 12:25:07 +08:00
623 changed files with 37092 additions and 20079 deletions
--- a/.clang-format-ignore
+++ b/.clang-format-ignore
@@ -2,7 +2,7 @@
 /client/3rd-prebuild
 /client/android
 /client/cmake
-/client/core/serialization
+/client/core/utils/serialization
 /client/daemon
 /client/fonts
 /client/images
--- a/.github/actions/apple-install-cert/action.yml
+++ b/.github/actions/apple-install-cert/action.yml
@@ -0,0 +1,38 @@
+# .github/actions/apple-install-cert/action.yml
+
+name: Setup apple keychain
+description: Creates and configures a temporary build keychain
+
+inputs:
+  keychain-path:
+    description: Path to the keychain
+    required: true
+  keychain-password:
+    description: Password to the keychain
+    required: true
+  cert-base64:
+    description: Base64-encoded certificate
+    required: true
+  cert-password:
+    description: Certificate password
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Create keychain
+      shell: bash
+      env:
+        KEYCHAIN_PATH: ${{ inputs.keychain-path }}
+        KEYCHAIN_PASSWORD: ${{ inputs.keychain-password }}
+        CERT_BASE64: ${{ inputs.cert-base64 }}
+        CERT_PASSWORD: ${{ inputs.cert-password }}
+      run: |
+        CERT_PATH=$(mktemp /tmp/cert_XXXXXX.p12)
+        trap "rm -f '$CERT_PATH'" EXIT
+
+        echo -n "$CERT_BASE64" | base64 --decode -o "$CERT_PATH"
+
+        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+        security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$CERT_PASSWORD" -A -t cert -f pkcs12
+        security set-key-partition-list -S apple-tool:,apple:,codesign: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
--- a/.github/actions/apple-setup-keychain/AppleWWDRCAG3.cer
+++ b/.github/actions/apple-setup-keychain/AppleWWDRCAG3.cer
--- a/.github/actions/apple-setup-keychain/DeveloperIDG2CA.cer
+++ b/.github/actions/apple-setup-keychain/DeveloperIDG2CA.cer
--- a/.github/actions/apple-setup-keychain/action.yml
+++ b/.github/actions/apple-setup-keychain/action.yml
@@ -0,0 +1,57 @@
+# .github/actions/apple-setup-keychain/action.yml
+
+name: Setup apple keychain
+description: Creates and configures a temporary build keychain
+
+inputs:
+  keychain-name:
+    description: Name of the keychain
+    required: false
+    default: "ci-amnezia"
+  keychain-password:
+    description: The keychain password
+    required: true
+  lock-timeout:
+    description: A timeout after exceeding which the keychain would be locked
+    required: false
+    default: "0"
+
+outputs:
+  keychain-path:
+    description: "Full path to the keychain created"
+    value: ${{ steps.setup.outputs.keychain-path }}
+  keychain-name:
+    description: "Actual name of the keychain created"
+    value: ${{ steps.setup.outputs.keychain-name }}
+
+runs:
+  using: composite
+  steps:
+    - name: Setup keychain
+      id: setup
+      shell: bash
+      env:
+        KEYCHAIN_NAME: ${{ inputs.keychain-name }}
+        KEYCHAIN_PASSWORD: ${{ inputs.keychain-password }}
+        LOCK_TIMEOUT: ${{ inputs.lock-timeout }}
+      run: |
+        KEYCHAIN_PATH="$HOME/Library/Keychains/$KEYCHAIN_NAME.keychain-db"
+
+        security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+        if [[ "$LOCK_TIMEOUT" == "0" ]]; then
+          security set-keychain-settings "$KEYCHAIN_PATH"
+        else
+          security set-keychain-settings -u -t "$LOCK_TIMEOUT" "$KEYCHAIN_PATH"
+        fi
+
+        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+        security import "${{ github.action_path }}/DeveloperIDG2CA.cer" -k "$KEYCHAIN_PATH" -A
+        security import "${{ github.action_path }}/AppleWWDRCAG3.cer" -k "$KEYCHAIN_PATH" -A
+
+        security list-keychains -d user -s "$KEYCHAIN_PATH"
+        security default-keychain -s "$KEYCHAIN_PATH"
+
+        echo "keychain-name=$KEYCHAIN_NAME" >> $GITHUB_OUTPUT
+        echo "keychain-path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT
--- a/.github/actions/apple-setup-provisioning-profile/action.yml
+++ b/.github/actions/apple-setup-provisioning-profile/action.yml
@@ -0,0 +1,31 @@
+# .github/actions/apple-setup-provisioning-profile/action.yml
+
+name: Setup provisioning profiles
+description: Decodes and installs provisioning profiles
+
+inputs:
+  provisioning_profile_base64:
+    description: Base64-encoded provisioning profile
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Setup provisioning profile
+      shell: bash
+      run: |
+        PROFILES_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
+        TEMP_FILE=$(mktemp)
+
+        echo "${{ inputs.provisioning_profile_base64 }}" | base64 --decode > "$TEMP_FILE"
+
+        PROFILE_UUID=$(grep UUID -A1 -a "$TEMP_FILE" | grep -io "[-A-F0-9]\{36\}")
+        if [[ -z "$PROFILE_UUID" ]]; then
+          echo "Failed to extract UUID from provisioning profile"
+          rm -f "$TEMP_FILE"
+          exit 1
+        fi
+
+        mkdir -p "$PROFILES_DIR"
+        mv "$TEMP_FILE" "$PROFILES_DIR/$PROFILE_UUID.mobileprovision"
+        echo "Installed profile: $PROFILE_UUID"
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
--- a/.github/workflows/tag-deploy.yml
+++ b/.github/workflows/tag-deploy.yml
@@ -17,6 +17,7 @@ jobs:
      QIF_VERSION: 4.5
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
+      FALLBACK_S3_ENDPOINT: ${{ secrets.FALLBACK_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
      DEV_AGW_ENDPOINT: ${{ secrets.DEV_AGW_ENDPOINT }}
      DEV_S3_ENDPOINT: ${{ secrets.DEV_S3_ENDPOINT }}
--- a/.gitignore
+++ b/.gitignore
@@ -81,6 +81,7 @@ client/.DS_Store
 ._.DS_Store
 ._*
 *.dmg
+deploy/data/macos/pf/amn.400.allowPIA.conf

 # tmp files
 *.*~
--- a/.gitmodules
+++ b/.gitmodules
@@ -4,10 +4,6 @@
 [submodule "client/3rd/SortFilterProxyModel"]
 	path = client/3rd/SortFilterProxyModel
 	url = https://github.com/mitchcurtis/SortFilterProxyModel.git
-[submodule "client/3rd-prebuilt"]
-	path = client/3rd-prebuilt
-	url = https://github.com/amnezia-vpn/3rd-prebuilt
-	branch = feature/special-handshake
 [submodule "client/3rd/amneziawg-apple"]
 	path = client/3rd/amneziawg-apple
 	url = https://github.com/amnezia-vpn/amneziawg-apple
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,18 +1,34 @@
 cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)

+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+
 set(PROJECT AmneziaVPN)
-set(AMNEZIAVPN_VERSION 4.8.14.5)
+set(AMNEZIAVPN_VERSION 4.8.15.4)
+
+set(QT_CREATOR_SKIP_PACKAGE_MANAGER_SETUP ON CACHE BOOL "" FORCE)
+set(CMAKE_PROJECT_TOP_LEVEL_INCLUDES
+    ${CMAKE_SOURCE_DIR}/cmake/platform_settings.cmake
+    ${CMAKE_SOURCE_DIR}/cmake/recipes_bootstrap.cmake
+    ${CMAKE_SOURCE_DIR}/cmake/conan_provider.cmake
+    CACHE STRING "" FORCE)

 project(${PROJECT} VERSION ${AMNEZIAVPN_VERSION}
        DESCRIPTION "AmneziaVPN"
        HOMEPAGE_URL "https://amnezia.org/"
 )

+if (PREBUILTS_ONLY)
+    # trigger conan to kick off `conan install`
+    find_package(OpenSSL REQUIRED)
+    return()
+endif()
+
 string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")

 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2117)
+set(APP_ANDROID_VERSION_CODE 2120)

 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
    set(MZ_PLATFORM_NAME "linux")
@@ -29,59 +45,34 @@ elseif(${CMAKE_SYSTEM_NAME} STREQUAL "Emscripten")
 endif()

 set(QT_BUILD_TOOLS_WHEN_CROSS_COMPILING ON)
-set(CMAKE_CXX_STANDARD 17)
-set(CMAKE_CXX_STANDARD_REQUIRED ON)

-if(APPLE)
-    if(IOS)
-        set(CMAKE_OSX_ARCHITECTURES "arm64")
-    elseif(MACOS_NE)
-        set(CMAKE_OSX_ARCHITECTURES "arm64;x86_64")
+if(APPLE AND NOT IOS)
+    if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+        set(AMN_PF_RULE_IDENTITY "user { root }")
    else()
-        set(CMAKE_OSX_ARCHITECTURES "x86_64")
+        set(AMN_PF_RULE_IDENTITY "group { amnvpn }")
    endif()
+
+    configure_file(
+        "${CMAKE_SOURCE_DIR}/deploy/data/pf-templates/amn.400.allowPIA.conf.in"
+        "${CMAKE_CURRENT_BINARY_DIR}/amn.400.allowPIA.conf"
+        @ONLY
+    )
+
+    file(COPY_FILE
+        "${CMAKE_CURRENT_BINARY_DIR}/amn.400.allowPIA.conf"
+        "${CMAKE_SOURCE_DIR}/deploy/data/macos/pf/amn.400.allowPIA.conf"
+        ONLY_IF_DIFFERENT
+    )
 endif()

+
 add_subdirectory(client)

 if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
    add_subdirectory(service)
-
-    include(${CMAKE_SOURCE_DIR}/deploy/installer/config.cmake)
 endif()

-set(AMNEZIA_STAGE_DIR "${CMAKE_BINARY_DIR}/stage")
-
-if(WIN32 AND NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
-    file(TO_CMAKE_PATH "${AMNEZIA_STAGE_DIR}" AMNEZIA_STAGE_DIR_CMAKE)
-
-    set(CPACK_GENERATOR "WIX")
-    set(CPACK_WIX_VERSION 4)
-    set(CPACK_PACKAGE_NAME "AmneziaVPN")
-    set(CPACK_PACKAGE_VENDOR "AmneziaVPN")
-    set(CPACK_PACKAGE_VERSION ${AMNEZIAVPN_VERSION})
-    set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "AmneziaVPN client")
-    set(AMNEZIA_LICENSE_TXT "${CMAKE_BINARY_DIR}/LICENSE.txt")
-    configure_file("${CMAKE_SOURCE_DIR}/LICENSE" "${AMNEZIA_LICENSE_TXT}" COPYONLY)
-    set(CPACK_RESOURCE_FILE_LICENSE "${AMNEZIA_LICENSE_TXT}")
-    set(CPACK_PACKAGE_INSTALL_DIRECTORY "AmneziaVPN")
-    set(CPACK_PACKAGE_DIRECTORY "${CMAKE_BINARY_DIR}")
-    set(CPACK_PACKAGE_EXECUTABLES "AmneziaVPN" "AmneziaVPN")
-    set(CPACK_WIX_UPGRADE_GUID "{2D55AC62-96D6-4692-8C05-0D85BBF95485}")
-    set(CPACK_WIX_PRODUCT_ICON "${CMAKE_SOURCE_DIR}/client/images/app.ico")
-
-    # WiX patches
-    set(_AMNEZIA_WIX_PATCH_SERVICE "${CMAKE_SOURCE_DIR}/deploy/installer/wix/service_install_patch.xml")
-    set(_AMNEZIA_WIX_PATCH_CLOSE_APP "${CMAKE_SOURCE_DIR}/deploy/installer/wix/close_client_patch.xml")
-    file(TO_CMAKE_PATH "${_AMNEZIA_WIX_PATCH_SERVICE}" _AMNEZIA_WIX_PATCH_SERVICE_CMAKE)
-    file(TO_CMAKE_PATH "${_AMNEZIA_WIX_PATCH_CLOSE_APP}" _AMNEZIA_WIX_PATCH_CLOSE_APP_CMAKE)
-    set(CPACK_WIX_PATCH_FILE "${_AMNEZIA_WIX_PATCH_SERVICE_CMAKE};${_AMNEZIA_WIX_PATCH_CLOSE_APP_CMAKE}")
-
-    # WiX v4 Util extension for CloseApplication + namespace for util
-    set(CPACK_WIX_EXTENSIONS "${CPACK_WIX_EXTENSIONS};WixToolset.Util.wixext")
-    set(CPACK_WIX_CUSTOM_XMLNS "util=http://wixtoolset.org/schemas/v4/wxs/util")
-
-    set(CPACK_INSTALLED_DIRECTORIES "${AMNEZIA_STAGE_DIR_CMAKE};/")
-
-    include(CPack)
+if ((LINUX AND NOT ANDROID) OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (WIN32))
+    include(${CMAKE_SOURCE_DIR}/cmake/CPack.cmake)
 endif()
--- a/README.md
+++ b/README.md
@@ -53,24 +53,14 @@ AmneziaVPN uses several open-source projects to work:

 - [OpenSSL](https://www.openssl.org/)
 - [OpenVPN](https://openvpn.net/)
- [Shadowsocks](https://shadowsocks.org/)
 - [Qt](https://www.qt.io/)
- [LibSsh](https://libssh.org) - forked from Qt Creator
+- [LibSsh](https://libssh.org)
+- [WireGuard](https://www.wireguard.com/)
+- [Xray-core](https://xtls.github.io/en/)
+- [Conan](https://conan.io/)
 - and more...

-## Checking out the source code
-
-Make sure to pull all submodules after checking out the repo.
-
-```bash
-git submodule update --init --recursive
-```
-
-## Development
-
-Want to contribute? Welcome!
-
-### Help with translations
+## Help us with translations

 Download the most actual translation files.

@@ -83,103 +73,102 @@ Each *.ts file contains strings for one corresponding language.
 Translate or correct some strings in one or multiple *.ts files and commit them back to this repository into the ``client/translations`` folder.
 You can do it via a web-interface or any other method you're familiar with.

-### Building sources and deployment
+## Checking out the source code

-Check deploy folder for build scripts. 
+Make sure to pull all submodules after checking out the repo.

-### How to build an iOS app from source code on MacOS
-
-1. First, make sure you have [XCode](https://developer.apple.com/xcode/) installed, at least version 14 or higher.
-
-2. We use QT to generate the XCode project. We need QT version 6.6.2. Install QT for MacOS [here](https://doc.qt.io/qt-6/macos.html) or [QT Online Installer](https://www.qt.io/download-open-source). Required modules:
-   - MacOS
-   - iOS
-   - Qt 5 Compatibility Module
-   - Qt Shader Tools
-   - Additional Libraries:
-     - Qt Image Formats
-     - Qt Multimedia
-     - Qt Remote Objects 
-
-3. Install CMake if required. We recommend CMake version 3.25. You can install CMake [here](https://cmake.org/download/)
-
-4. You also need to install go >= v1.16. If you don't have it installed already,
-download go from the [official website](https://golang.org/dl/) or use Homebrew. 
-The latest version is recommended. Install gomobile
 ```bash
-export PATH=$PATH:~/go/bin
-go install golang.org/x/mobile/cmd/gomobile@latest
-gomobile init
+git submodule update --init --recursive
 ```

-5. Build the project
+## Hacking guide
+
+Want to contribute? Welcome!
+
+### Build requirements
+
+* [`CMake`](https://cmake.org/download/)
+* Compiler and underlying build system, depending on the target:
+  - [Linux] Any of `make` and `gcc`
+  - [Apple] [`Xcode`](https://developer.apple.com/xcode/) or [`Xcode command line tools`](https://developer.apple.com/xcode/)
+  - [Windows] [`Visual Studio 2022`](https://aka.ms/vs/17/release/vs_community.exe) or [`VS 2022 Build Tools`](https://aka.ms/vs/17/release/vs_buildtools.exe)
+  - [Android] [`Android SDK`](#installing-android-sdk) and [`Ninja`](https://ninja-build.org/)
+* [`Qt 6.10+`](https://www.qt.io/download-open-source) with the following modules:
+  - Core module for targeting platform (Desktop/Android/iOS)
+  - Qt 5 Compatibility module
+  - Qt Remote Objects
+* [`Conan`](https://conan.io/downloads) package manager
+  - On MacOS is enough just to use `homebrew` or install it in `.venv` in project root
+  - Other systems must have it in `PATH`
+* (Optional) Installer dependencies:
+  - [Windows/Linux] [`Qt Installer Framework`](https://www.qt.io/download-open-source)
+  - [Windows] [`WIX toolset`](https://github.com/wixtoolset/wix/releases)
+
+### Building the project using scripts
+
+* Run scripts located in `deploy` directory
+* Basically, if dependencies are located in default installation paths, the scripts will find them automatically.
+* If they differ, specify them using the following variables:
+  - `QT_INSTALL_DIR` - Qt root installation folder
+  - `QT_ROOT_PATH`   - Qt framework root directory
+  - `QIF_ROOT_PATH`  - Qt Installer Framework root path
+  - `ANDROID_HOME`   - Path to Android SDK root folder
+  - and others. Check scripts for more
+
+Unix-like:
 ```bash
-export QT_BIN_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/ios/bin"
-export QT_MACOS_ROOT_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/macos"
-export QT_IOS_BIN=$QT_BIN_DIR
-export PATH=$PATH:~/go/bin
-mkdir build-ios
-$QT_IOS_BIN/qt-cmake . -B build-ios -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR
-```
-Replace PATH-TO-QT-FOLDER and QT-VERSION to your environment
+# Build executables for the host platform
+deploy/build.sh

+# Or just
+deploy/build.sh

-If you get `gomobile: command not found` make sure to set PATH to the location 
-of the bin folder where gomobile was installed. Usually, it's in `GOPATH`.
-```bash
-export PATH=$(PATH):/path/to/GOPATH/bin
+# Build executables and installers for the host platform
+deploy/build.sh --installer all
+
+# Build Android APK and AAB
+deploy/build.sh -t android --aab
+
+# Call for help
+deploy/build.sh -h
 ```

-6. Open the XCode project. You can then run /test/archive/ship the app.
+Windows:
+```batch
+:: Build executables for Windows
+deploy/build.bat

-If the build fails with the following error
-```
-make: *** 
-[$(PROJECTDIR)/client/build/AmneziaVPN.build/Debug-iphoneos/wireguard-go-bridge/goroot/.prepared] 
-Error 1
-```
-Add a user-defined variable to both AmneziaVPN and WireGuardNetworkExtension targets' build settings with
-key `PATH` and value `${PATH}/path/to/bin/folder/with/go/executable`, e.g. `${PATH}:/usr/local/go/bin`.
+:: Build executables with IFW installer for Windows
+deploy/build.bat --installer ifw

-if the above error persists on your M1 Mac, then most probably you need to install arch based CMake 
-```
-arch -arm64 brew install cmake
+:: Build executables with IFW and WIX installer for Windows
+deploy/build.bat --installer ifw --installer wix
+
+:: Or just
+deploy/build.bat --installer all
 ```

-Build might fail with the "source files not found" error the first time you try it, because the modern XCode build system compiles dependencies in parallel, and some dependencies end up being built after the ones that
-require them. In this case, simply restart the build.
+### Developing the project in IDEs

-## How to build the Android app
+* Basically, you can use any IDE that handles CMake and Qt kits properly to run configure and build steps, and to navigate through the code nicely. For example:
+  - `Qt Creator`
+  - `Visual Studio Code` with `Qt Extension Pack`
+  - and so on

-_Tested on Mac OS_
+* To use `Xcode`, you have to configure project first by using `cmake`. The easiest way to do it is to use `Qt Creator` for configuration. Then open `AmneziaVPN.xcodeproj` file from the build folder by using `Xcode`. Note that none of the files changed are saved - the files actually getting changed in build directory. Copy them manually if necessary

-The Android app has the following requirements:
-* JDK 11
-* Android platform SDK 33
-* CMake 3.25.0
+* `Android studio` could be used in the same way - just configure the project by using `cmake` manually or by using `Qt Creator`. Open `<build-dir>/client/android-build` in `Android studio` then. Do not forget to copy the changes - everything you do is saved under the build directory actually.

-After you have installed QT, QT Creator, and Android Studio, you need to configure QT Creator correctly.
+### Installing Android SDK

- Click in the top menu bar on `QT Creator` -> `Preferences` -> `Devices` and select the tab `Android`.
- Set path to JDK 11
- Set path to Android SDK (`$ANDROID_HOME`)
-
-In case you get errors regarding missing SDK or 'SDK manager not running', you cannot fix them by correcting the paths. If you have some spare GBs on your disk, you can let QT Creator install all requirements by choosing an empty folder for `Android SDK location` and clicking on `Set Up SDK`. Be aware: This will install a second Android SDK and NDK on your machine! 
-Double-check that the right CMake version is configured:  Click on `QT Creator` -> `Preferences` and click on the side menu on `Kits`. Under the center content view's `Kits` tab, you'll find an entry for `CMake Tool`. If the default selected CMake version is lower than 3.25.0, install on your system CMake >= 3.25.0 and choose `System CMake at <path>` from the drop-down list. If this entry is missing, you either have not installed CMake yet or QT Creator hasn't found the path to it. In that case, click in the preferences window on the side menu item `CMake`, then on the tab `Tools` in the center content view, and finally on the button `Add` to set the path to your installed CMake. 
-Please make sure that you have selected Android Platform SDK 33 for your project: click in the main view's side menu on `Projects`, and on the left, you'll see a section `Build & Run` showing different Android build targets. You can select any of them, Amnezia VPN's project setup is designed in a way that all Android targets will be built. Click on the targets submenu item `Build` and scroll in the center content view to `Build Steps`. Click on `Details` at the end of the headline `Build Android APK` (the `Details` button might be hidden in case the QT Creator Window is not running in full screen!). Here we are: Choose `android-33` as `Android Build Platform SDK`.
-
-That's it! You should be ready to compile the project from QT Creator!
-
-### Development flow
-
-After you've hit the build button, QT-Creator copies the whole project to a folder in the repository parent directory. The folder should look something like `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>`.
-If you want to develop Amnezia VPNs Android components written in Kotlin, such as components using system APIs, you need to import the generated project in Android Studio with `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>/client/android-build` as the projects root directory. While you should be able to compile the generated project from Android Studio, you cannot work directly in the repository's Android project. So whenever you are confident with your work in the generated project, you'll need to copy and paste the affected files to the corresponding path in the repository's Android project so that you can add and commit your changes!
-
-You may face compiling issues in QT Creator after you've worked in Android Studio on the generated project. Just do a `./gradlew clean` in the generated project's root directory (`<path>/client/android-build/.`) and you should be good to go.
+* Android SDK could be installed using the following methods:
+  - Using `Qt Creator`. Use `Preferences`->`SDKs`
+  - Using `Android studio`. By default it installs necessary `SDKs` automatically during the installation
+  - Manually by using `sdk-manager`. Check [this](https://developer.android.com/tools) page for details

 ## License

-GPL v3.0
+This project is licensed under the GNU General Public License v3.0 (see LICENSE) and also includes third-party components distributed under their own terms (see THIRD_PARTY_LICENSES.md).

 ## Donate

--- a/README_RU.md
+++ b/README_RU.md
@@ -50,23 +50,14 @@ AmneziaVPN использует несколько проектов с откр

 - [OpenSSL](https://www.openssl.org/)
 - [OpenVPN](https://openvpn.net/)
- [Shadowsocks](https://shadowsocks.org/)
 - [Qt](https://www.qt.io/)
 - [LibSsh](https://libssh.org)
+- [WireGuard](https://www.wireguard.com/)
+- [Xray-core](https://xtls.github.io/en/)
+- [Conan](https://conan.io/)
 - и другие...

-## Проверка исходного кода
-После клонирования репозитория обязательно загрузите все подмодули.
-
-```bash
-git submodule update --init --recursive
-```
-
-
-## Разработка
-Хотите внести свой вклад? Добро пожаловать!
-
-### Помощь с переводами
+## Помощь с переводами

 Загрузите самые актуальные файлы перевода.

@@ -76,90 +67,98 @@ git submodule update --init --recursive

 Переведите или исправьте строки в одном или нескольких файлах *.ts и загрузите их обратно в этот репозиторий в папку ``client/translations``. Это можно сделать через веб-интерфейс или любым другим знакомым вам способом.

-### Сборка исходного кода и деплой
-Проверьте папку deploy для скриптов сборки.
+## Проверка исходного кода

-### Как собрать iOS-приложение из исходного кода на MacOS
-1. Убедитесь, что у вас установлен Xcode версии 14 или выше.
-2. Для генерации проекта Xcode используется QT. Требуется версия QT 6.6.2. Установите QT для MacOS здесь или через QT Online Installer. Необходимые модули:
- MacOS
- iOS
- Модуль совместимости с Qt 5
- Qt Shader Tools
- Дополнительные библиотеки:
- - Qt Image Formats
- - Qt Multimedia
- - Qt Remote Objects
-
-   
-3. Установите CMake, если это необходимо. Рекомендуемая версия — 3.25. Скачать CMake можно здесь.
-4. Установите Go версии >= v1.16. Если Go ещё не установлен, скачайте его с  [официального сайта](https://golang.org/dl/) или используйте Homebrew. Установите gomobile:
+После клонирования репозитория обязательно загрузите все подмодули.

 ```bash
-export PATH=$PATH:~/go/bin
-go install golang.org/x/mobile/cmd/gomobile@latest
-gomobile init
+git submodule update --init --recursive
 ```

-5. Соберите проект:
+## Руководство по разработке
+
+Хотите внести свой вклад? Добро пожаловать!
+
+### Требования для сборки
+
+* [`CMake`](https://cmake.org/download/)
+* Компилятор и система сборки, в зависимости от таргета:
+  - [Linux] Любые `make` и `gcc`
+  - [Apple] [`Xcode`](https://developer.apple.com/xcode/) или [`Xcode command line tools`](https://developer.apple.com/xcode/)
+  - [Windows] [`Visual Studio 2022`](https://aka.ms/vs/17/release/vs_community.exe) или [`VS 2022 Build Tools`](https://aka.ms/vs/17/release/vs_buildtools.exe)
+  - [Android] [`Android SDK`](#установка-android-sdk) и [`Ninja`](https://ninja-build.org/)
+* [`Qt 6.10+`](https://www.qt.io/download-open-source) со следующими модулями:
+  - Основные модули для таргета (Desktop/Android/iOS)
+  - Qt 5 Compatibility module
+  - Qt Remote Objects
+* Пакетный менеджер [`Conan`](https://conan.io/downloads)
+  - На MacOS достаточно использовать `homebrew` или установить в `.venv` в корень проекта 
+  - Для остальных систем необходимо прописать пути в `PATH`
+* (Необязательно) Заивисимости для установщиков:
+  - [Windows/Linux] [`Qt Installer Framework`](https://www.qt.io/download-open-source)
+  - [Windows] [`WIX toolset`](https://github.com/wixtoolset/wix/releases)
+
+### Сборка проекта через скрипты
+
+* Запустите скрипты, находящиеся в папке `deploy`
+* Если все зависимости установлены в стандартных локациях, скрипт найдёт их самостоятельно
+* Если пути отличаются, их нужно явно указать используя:
+  - `QT_INSTALL_DIR` - корневая папка установки Qt
+  - `QT_ROOT_PATH`   - корневая папка Qt Framework
+  - `QIF_ROOT_PATH`  - корневая папка Qt Installer Framework
+  - `ANDROID_HOME`   - путь к Android SDK
+  - и другие. Их можно получить из вышеуказанных скриптов
+
+Unix-like:
 ```bash
-export QT_BIN_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/ios/bin"
-export QT_MACOS_ROOT_DIR="<PATH-TO-QT-FOLDER>/Qt/<QT-VERSION>/macos"
-export QT_IOS_BIN=$QT_BIN_DIR
-export PATH=$PATH:~/go/bin
-mkdir build-ios
-$QT_IOS_BIN/qt-cmake . -B build-ios -GXcode -DQT_HOST_PATH=$QT_MACOS_ROOT_DIR
-```
-Замените <PATH-TO-QT-FOLDER> и <QT-VERSION> на ваши значения.
+# Build executables for the host platform
+deploy/build.sh

-Если появляется ошибка gomobile: command not found, убедитесь, что PATH настроен на папку bin, где установлен gomobile:
-```bash
-export PATH=$(PATH):/path/to/GOPATH/bin
+# Or just
+deploy/build.sh
+
+# Build executables and installers for the host platform
+deploy/build.sh --installer all
+
+# Build Android APK and AAB
+deploy/build.sh -t android --aab
+
+# Call for help
+deploy/build.sh -h
 ```

-6. Откройте проект в Xcode. Теперь вы можете тестировать, архивировать или публиковать приложение.
-   
-Если сборка завершится с ошибкой:
-```
-make: *** 
-[$(PROJECTDIR)/client/build/AmneziaVPN.build/Debug-iphoneos/wireguard-go-bridge/goroot/.prepared] 
-Error 1
-```
-Добавьте пользовательскую переменную PATH в настройки сборки для целей AmneziaVPN и WireGuardNetworkExtension с ключом `PATH` и значением `${PATH}/path/to/bin/folder/with/go/executable`, e.g. `${PATH}:/usr/local/go/bin`.
+Windows:
+```batch
+:: Build executables for Windows
+deploy/build.bat

-Если ошибка повторяется на Mac с M1, установите версию CMake для архитектуры ARM:
-```
-arch -arm64 brew install cmake
+:: Build executables with IFW installer for Windows
+deploy/build.bat --installer ifw
+
+:: Build executables with IFW and WIX installer for Windows
+deploy/build.bat --installer ifw --installer wix
+
+:: Or just
+deploy/build.bat --installer all
 ```

- При первой попытке сборка может завершиться с ошибкой source files not found. Это происходит из-за параллельной компиляции зависимостей в XCode. Просто перезапустите сборку.
+### Разработка в IDE

+* Можно использовать любые IDE которые умеют работать с CMake и находить Qt Kits. Например:
+  - `Qt Creator`
+  - `Visual Studio Code` with `Qt Extension Pack`
+  - и так далее

-## Как собрать Android-приложение
-Сборка тестировалась на MacOS. Требования:
- JDK 11
- Android SDK 33
- CMake 3.25.0
-  
-Установите QT, QT Creator и Android Studio.
-Настройте QT Creator:
+* Для использования `Xcode` нужно сконфигурировать проект с помощью `cmake`. Самый простой способ это сделать - использовать `Qt Creator` для конфигурации. Затем, нужно открыть файл `AmneziaVPN.xcodeproj` из папки сборки с помощью `Xcode`. Учтите, что никакие файлы фактически не сохраняются - они сохраняются в директории сборки. Если требуется, скопируйте файлы вручную

- В меню QT Creator перейдите в  `QT Creator` -> `Preferences` -> `Devices` ->`Android`.
- Укажите путь к JDK 11.
- Укажите путь к Android SDK (`$ANDROID_HOME`)
+* `Android studio` может быть использована подобным вышеуказанному способу - нужно использовать `cmake` вручную или через `Qt Creator` для конфигурации. Далее, откройте `<build-dir>/client/android-build` в `Android studio`. Не забудьте скопировать изменённые файлы в папку с исходным кодом - все файлы, изменённые в IDE, сохраняются фактически в папке сборки.

-Если вы сталкиваетесь с ошибками, связанными с отсутствием SDK или сообщением «SDK manager not running», их нельзя исправить просто корректировкой путей. Если у вас есть несколько свободных гигабайт на диске, вы можете позволить Qt Creator установить все необходимые компоненты, выбрав пустую папку для расположения Android SDK и нажав кнопку **Set Up SDK**. Учтите: это установит второй Android SDK и NDK на вашем компьютере!
-
-Убедитесь, что настроена правильная версия CMake: перейдите в **Qt Creator -> Preferences** и в боковом меню выберите пункт **Kits**. В центральной части окна, на вкладке **Kits**, найдите запись для инструмента **CMake Tool**. Если выбранная по умолчанию версия CMake ниже 3.25.0, установите на свою систему CMake версии 3.25.0 или выше, а затем выберите опцию **System CMake at <путь>** из выпадающего списка. Если этот пункт отсутствует, это может означать, что вы еще не установили CMake, или Qt Creator не смог найти путь к нему. В таком случае в окне **Preferences** перейдите в боковое меню **CMake**, затем во вкладку **Tools** в центральной части окна и нажмите кнопку **Add**, чтобы указать путь к установленному CMake.
-
-Убедитесь, что для вашего проекта выбрана Android Platform SDK 33: в главном окне на боковой панели выберите пункт **Projects**, и слева вы увидите раздел **Build & Run**, показывающий различные целевые Android-платформы. Вы можете выбрать любую из них, так как настройка проекта Amnezia VPN разработана таким образом, чтобы все Android-цели могли быть собраны. Перейдите в подраздел **Build** и прокрутите центральную часть окна до раздела **Build Steps**. Нажмите **Details** в заголовке **Build Android APK** (кнопка **Details** может быть скрыта, если окно Qt Creator не запущено в полноэкранном режиме!). Вот здесь выберите **android-33** в качестве Android Build Platform SDK.
-
-### Разработка Android-компонентов
-
-После сборки QT Creator копирует проект в отдельную папку, например, `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>`. Для разработки Android-компонентов откройте сгенерированный проект в Android Studio, указав папку `build-amnezia-client-Android_Qt_<version>_Clang_<architecture>-<BuildType>/client/android-build` в качестве корневой.
-Изменения в сгенерированном проекте нужно вручную перенести в репозиторий. После этого можно коммитить изменения.
-Если возникают проблемы со сборкой в QT Creator после работы в Android Studio, выполните команду `./gradlew clean` в корневой папке сгенерированного проекта (`<path>/client/android-build/.`).
+### Установка Android SDK

+* Android SDK может быть установлен следующими способами:
+  - Используя `Qt Creator`, через настройки в пунктах `Preferences`->`SDKs`
+  - Используя `Android studio`. По умолчанию необходимые `SDK` устанавливаются автоматически.
+  - Вручную, используя `sdk-manager`. Подробности можно найти [здесь](https://developer.android.com/tools)

 ## Лицензия

--- a/THIRD_PARTY_LICENSES.md
+++ b/THIRD_PARTY_LICENSES.md
@@ -0,0 +1,149 @@
+# Third-Party Licenses
+
+This project is licensed under the GNU General Public License v3.0.
+This file lists third-party software components used by this repository.
+Each component is distributed under its own license as linked below.
+
+---
+
+## QtKeychain
+
+- Source: https://github.com/frankosterfeld/qtkeychain
+- License: BSD License
+- License Text: https://www.gnu.org/licenses/license-list.html#ModifiedBSD
+
+---
+
+## QSimpleCrypto
+
+- Source: https://github.com/n1flh31mur/QSimpleCrypto
+- License: Apache License 2.0
+- License Text: https://github.com/n1flh31mur/QSimpleCrypto/blob/master/LICENSE
+
+---
+
+## SortFilterProxyModel
+
+- Source: https://github.com/oKcerG/SortFilterProxyModel
+- License: MIT License
+- License Text: https://github.com/oKcerG/SortFilterProxyModel/blob/master/LICENSE
+
+---
+
+## QJsonStruct
+
+- Source: https://github.com/Qv2ray/QJsonStruct
+- License: MIT License
+- License Text: https://github.com/Qv2ray/QJsonStruct/blob/master/LICENSE
+
+---
+
+## QR Code Generator (qrcodegen)
+
+- Source: https://github.com/nayuki/QR-Code-generator
+- License: MIT License
+- License Text: https://www.nayuki.io/page/qr-code-generator-library
+
+---
+
+## Qt Gamepad
+
+- Source: https://github.com/qt/qtgamepad
+- License: GNU General Public License v3.0 (GPL-3.0)
+- License Text: https://www.gnu.org/licenses/gpl-3.0.en.html
+
+---
+
+## AmneziaWG Apple (WireGuard)
+
+- Source: https://github.com/amnezia-vpn/amneziawg-apple
+- License: MIT License
+- License Text: https://github.com/amnezia-vpn/amneziawg-apple/blob/master/COPYING
+
+---
+
+## AmneziaWG Android
+
+- Source: https://github.com/amnezia-vpn/amneziawg-go
+- License: MIT License
+- License Text: https://github.com/amnezia-vpn/amneziawg-go/blob/master/LICENSE
+
+---
+
+## Xray Core
+
+- Source: https://github.com/XTLS/Xray-core
+- License: Mozilla Public License 2.0 (MPL-2.0)
+- License Text: https://github.com/XTLS/Xray-core/blob/main/LICENSE
+
+---
+
+## Cloak
+
+- Source: https://github.com/cbeuw/Cloak
+- License: GNU General Public License v3.0 (GPL-3.0)
+- License Text: https://github.com/cbeuw/Cloak/blob/master/LICENSE
+
+---
+
+## Shadowsocks
+
+- Source: https://github.com/shadowsocks/shadowsocks-libev
+- License: GPL-3.0-or-later
+- License Text: http://www.gnu.org/licenses/
+
+---
+
+## OpenSSL
+
+- Source: https://github.com/openssl/openssl
+- License: Apache License 2.0
+- License Text: https://www.openssl.org/source/license.html
+
+---
+
+## libssh
+
+- Source: https://www.libssh.org/
+- License: GNU Lesser General Public License (LGPL)
+- License Text: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
+
+---
+
+## OpenVPNAdapter
+
+- Source: https://github.com/ss-abramchuk/OpenVPNAdapter
+- License: GNU Affero General Public License v3.0 (AGPL-3.0)
+- License Text: https://github.com/ss-abramchuk/OpenVPNAdapter/blob/master/LICENSE
+
+---
+
+## Wintun
+
+- Source: https://www.wintun.net/
+- License: Prebuilt Binaries License
+- License Text: https://github.com/WireGuard/wintun/blob/master/prebuilt-binaries-license.txt
+
+---
+
+## Mullvad Split Tunnel Driver
+
+- Source: https://github.com/mullvad/win-split-tunnel
+- License: GNU General Public License v3.0 (GPL-3.0) and Mozilla Public License Version 2.0
+- License Text: https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-GPL.md https://github.com/mullvad/win-split-tunnel/blob/master/LICENSE-MPL.txt
+
+---
+
+## tun2socks
+
+- Source: https://github.com/eycorsican/go-tun2socks
+- License: MIT License
+- License Text: https://github.com/eycorsican/go-tun2socks/blob/master/LICENSE
+
+---
+
+## TAP-Windows Driver
+
+- Source: https://github.com/OpenVPN/tap-windows6
+- License: tap-windows6 license
+- License Text: https://github.com/OpenVPN/tap-windows6/blob/master/COPYING
--- a/client/3rd-prebuilt
+++ b/client/3rd-prebuilt
--- a/client/CMakeLists.txt
+++ b/client/CMakeLists.txt
@@ -25,6 +25,7 @@ add_definitions(-DGIT_COMMIT_HASH="${GIT_COMMIT_HASH}")

 add_definitions(-DPROD_AGW_PUBLIC_KEY="$ENV{PROD_AGW_PUBLIC_KEY}")
 add_definitions(-DPROD_S3_ENDPOINT="$ENV{PROD_S3_ENDPOINT}")
+add_definitions(-DFALLBACK_S3_ENDPOINT="$ENV{FALLBACK_S3_ENDPOINT}")

 add_definitions(-DDEV_AGW_PUBLIC_KEY="$ENV{DEV_AGW_PUBLIC_KEY}")
 add_definitions(-DDEV_AGW_ENDPOINT="$ENV{DEV_AGW_ENDPOINT}")
@@ -61,11 +62,15 @@ if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
    qt_add_repc_replicas(${PROJECT} ${CMAKE_CURRENT_LIST_DIR}/../ipc/ipc_process_interface.rep)
 endif()

-qt6_add_resources(QRC ${QRC} ${CMAKE_CURRENT_LIST_DIR}/resources.qrc)
+qt6_add_resources(QRC ${QRC}
+    ${CMAKE_CURRENT_LIST_DIR}/images/images.qrc
+    ${CMAKE_CURRENT_LIST_DIR}/images/flagKit.qrc
+    ${CMAKE_CURRENT_LIST_DIR}/client_scripts/clientScripts.qrc
+    ${CMAKE_CURRENT_LIST_DIR}/ui/qml/qml.qrc
+    ${CMAKE_CURRENT_LIST_DIR}/server_scripts/serverScripts.qrc
+)

 # -- i18n begin
-set(CMAKE_AUTORCC ON)
-
 set(AMNEZIAVPN_TS_FILES
    ${CMAKE_CURRENT_LIST_DIR}/translations/amneziavpn_ru_RU.ts
    ${CMAKE_CURRENT_LIST_DIR}/translations/amneziavpn_zh_CN.ts
@@ -77,20 +82,10 @@ set(AMNEZIAVPN_TS_FILES
    ${CMAKE_CURRENT_LIST_DIR}/translations/amneziavpn_hi_IN.ts
 )

-file(GLOB_RECURSE AMNEZIAVPN_TS_SOURCES *.qrc *.cpp *.h *.ui)
-list(FILTER AMNEZIAVPN_TS_SOURCES EXCLUDE REGEX "qtgamepad/examples")
-
-qt_create_translation(AMNEZIAVPN_QM_FILES ${AMNEZIAVPN_TS_SOURCES} ${AMNEZIAVPN_TS_FILES})
-
-set(QM_FILE_LIST "")
-foreach(FILE ${AMNEZIAVPN_QM_FILES})
-    get_filename_component(QM_FILE_NAME ${FILE} NAME)
-    list(APPEND QM_FILE_LIST "<file>${QM_FILE_NAME}</file>")
-endforeach()
-string(REPLACE ";" "" QM_FILE_LIST ${QM_FILE_LIST})
-
-configure_file(${CMAKE_CURRENT_LIST_DIR}/translations/translations.qrc.in ${CMAKE_CURRENT_BINARY_DIR}/translations.qrc)
-qt6_add_resources(QRC ${I18NQRC} ${CMAKE_CURRENT_BINARY_DIR}/translations.qrc)
+qt6_add_translations(${PROJECT}
+    TS_FILES ${AMNEZIAVPN_TS_FILES}
+    RESOURCE_PREFIX "/translations"
+)
 # -- i18n end

 set(IS_CI ${CI})
@@ -169,6 +164,10 @@ if(APPLE)
    set(CMAKE_XCODE_GENERATE_SCHEME FALSE)
    set(CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM ${BUILD_VPN_DEVELOPMENT_TEAM})
    set(CMAKE_XCODE_ATTRIBUTE_GROUP_ID_IOS ${BUILD_IOS_GROUP_IDENTIFIER})
+    
+    if (BUILD_VPN_KEYCHAIN)
+        set(CMAKE_XCODE_ATTRIBUTE_OTHER_CODE_SIGN_FLAGS "--keychain ${BUILD_VPN_KEYCHAIN}")
+    endif()
 endif()

 if(LINUX AND NOT ANDROID)
@@ -194,39 +193,17 @@ elseif(APPLE)
    include(cmake/macos.cmake)
 endif()

-target_link_libraries(${PROJECT} PRIVATE ${LIBS})
-target_compile_definitions(${PROJECT} PRIVATE "MZ_$<UPPER_CASE:${MZ_PLATFORM_NAME}>")
-
-# deploy artifacts required to run the application to the debug build folder
-if(WIN32)
-    if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
-        set(DEPLOY_PLATFORM_PATH "windows/x64")
-    else()
-        set(DEPLOY_PLATFORM_PATH "windows/x32")
-    endif()
-elseif(LINUX)
-    set(DEPLOY_PLATFORM_PATH "linux/client")
-elseif(APPLE AND NOT IOS)
-    set(DEPLOY_PLATFORM_PATH "macos")
-endif()
+include(CTest)

 if(NOT IOS AND NOT ANDROID AND NOT MACOS_NE)
-    add_custom_command(
-        TARGET ${PROJECT} POST_BUILD
-        COMMAND ${CMAKE_COMMAND} -E $<IF:$<CONFIG:Debug>,copy_directory,true>
-        ${CMAKE_SOURCE_DIR}/deploy/data/${DEPLOY_PLATFORM_PATH}
-        $<TARGET_FILE_DIR:${PROJECT}>
-        COMMAND_EXPAND_LISTS
-    )
-    add_custom_command(
-        TARGET ${PROJECT} POST_BUILD
-        COMMAND ${CMAKE_COMMAND} -E $<IF:$<CONFIG:Debug>,copy_directory,true>
-        ${CMAKE_SOURCE_DIR}/client/3rd-prebuilt/deploy-prebuilt/${DEPLOY_PLATFORM_PATH}
-        $<TARGET_FILE_DIR:${PROJECT}>
-        COMMAND_EXPAND_LISTS
-    )
+    add_subdirectory(tests)
 endif()

+list(APPEND SOURCES ${CMAKE_CURRENT_LIST_DIR}/main.cpp)
+
+target_link_libraries(${PROJECT} PRIVATE ${LIBS})
+target_compile_definitions(${PROJECT} PRIVATE "MZ_$<UPPER_CASE:${MZ_PLATFORM_NAME}>")
+
 target_sources(${PROJECT} PRIVATE ${SOURCES} ${HEADERS} ${RESOURCES} ${QRC} ${I18NQRC})

 # Finalize the executable so Qt can gather/deploy QML modules and plugins correctly (Android needs this).
@@ -238,3 +215,51 @@ if(COMMAND qt_finalize_executable)
 else()
    qt_finalize_target(${PROJECT})
 endif()
+
+install(TARGETS ${PROJECT}
+    DESTINATION ${CMAKE_INSTALL_BINDIR}
+    COMPONENT AmneziaVPN
+)
+install(FILES $<TARGET_RUNTIME_DLLS:${PROJECT}>
+    DESTINATION ${CMAKE_INSTALL_BINDIR}
+    COMPONENT AmneziaVPN
+)
+
+set(deploy_tool_options "")
+if(WIN32)
+    set(deploy_tool_options "--force-openssl --force")
+endif()
+
+qt_generate_deploy_qml_app_script(
+    TARGET ${PROJECT}
+    OUTPUT_SCRIPT QT_DEPLOY_SCRIPT
+    NO_UNSUPPORTED_PLATFORM_ERROR
+    DEPLOY_TOOL_OPTIONS ${deploy_tool_options}
+)
+install(SCRIPT ${QT_DEPLOY_SCRIPT}
+    COMPONENT AmneziaVPN
+)
+
+if (APPLE AND NOT IOS AND NOT MACOS_NE)
+    list(APPEND OVPN_SCRIPTS "${CMAKE_SOURCE_DIR}/deploy/data/macos/update-resolv-conf.sh")
+endif()
+if (LINUX AND NOT ANDROID)
+    list(APPEND OVPN_SCRIPTS "${CMAKE_SOURCE_DIR}/deploy/data/linux/update-resolv-conf.sh")
+endif()
+
+if(OVPN_SCRIPTS)
+    add_custom_command(TARGET ${PROJECT} POST_BUILD
+        COMMAND ${CMAKE_COMMAND} -E copy_if_different
+        ${OVPN_SCRIPTS}
+        "$<TARGET_FILE_DIR:${PROJECT}>"
+    )
+
+    install(FILES ${OVPN_SCRIPTS}
+        DESTINATION ${CMAKE_INSTALL_BINDIR}
+        COMPONENT AmneziaVPN
+        PERMISSIONS
+            OWNER_READ OWNER_EXECUTE
+            GROUP_READ GROUP_EXECUTE
+            WORLD_READ WORLD_EXECUTE
+    )
+endif()
--- a/client/amnezia_application.cpp
+++ b/client/amnezia_application.cpp
@@ -1,4 +1,4 @@
-#include "amnezia_application.h"
+#include "amneziaApplication.h"

 #include <QClipboard>
 #include <QFontDatabase>
@@ -15,17 +15,17 @@
 #include <QEvent>
 #include <QDir>
 #include <QSettings>
+#include <QtQuick/QQuickWindow>  
+#include <QWindow>     

+#include "core/protocols/qmlRegisterProtocols.h"
 #include "logger.h"
-#include "ui/controllers/pageController.h"
+#include "ui/controllers/qml/pageController.h"
 #include "ui/models/installedAppsModel.h"
 #include "version.h"

 #include "platforms/ios/QRCodeReaderBase.h"
-
-#include "protocols/qml_register_protocols.h"
-#include <QtQuick/QQuickWindow>  // for QQuickWindow
-#include <QWindow>              // for qobject_cast<QWindow*>
+         

 bool AmneziaApplication::m_forceQuit = false;

@@ -54,7 +54,7 @@ AmneziaApplication::AmneziaApplication(int &argc, char *argv[]) : AMNEZIA_BASE_C
    QFile::setPermissions(configLoc2, QFileDevice::ReadOwner | QFileDevice::WriteOwner);
 #endif

-    m_settings = std::shared_ptr<Settings>(new Settings);
+    m_settings = new SecureQSettings(ORGANIZATION_NAME, APPLICATION_NAME, this);
    m_nam = new QNetworkAccessManager(this);
 }

@@ -109,6 +109,16 @@ void AmneziaApplication::init()
            // install filter on main window
            if (auto win = qobject_cast<QQuickWindow*>(obj)) {
                win->installEventFilter(this);
+#ifdef Q_OS_ANDROID
+                QObject::connect(win, &QQuickWindow::sceneGraphError,
+                    [](QQuickWindow::SceneGraphError, const QString &msg) {
+                        qWarning() << "Scene graph error (suppressed):" << msg;
+                    });
+                // Keep graphics context alive across hide/show cycles to avoid
+                // eglSwapBuffers/makeCurrent being called on a context Android has reclaimed.
+                win->setPersistentSceneGraph(true);
+                win->setPersistentGraphics(true);
+#endif
                win->show();
            }
        },
@@ -122,7 +132,7 @@ void AmneziaApplication::init()
    m_engine->rootContext()->setContextProperty("IsMacOsNeBuild", false);
 #endif

-    m_vpnConnection.reset(new VpnConnection(m_settings));
+    m_vpnConnection.reset(new VpnConnection(nullptr, nullptr));
    m_vpnConnection->moveToThread(&m_vpnConnectionThread);
    m_vpnConnectionThread.start();

@@ -143,16 +153,6 @@ void AmneziaApplication::init()

    m_coreController->setQmlRoot();

-    bool enabled = m_settings->isSaveLogs();
-#ifndef Q_OS_ANDROID
-    if (enabled) {
-        if (!Logger::init(false)) {
-            qWarning() << "Initialization of debug subsystem failed";
-        }
-    }
-#endif
-    Logger::setServiceLogsEnabled(enabled);
-
 #ifdef Q_OS_WIN //TODO
    if (m_parser.isSet(m_optAutostart))
        m_coreController->pageController()->showOnStartup();
@@ -197,13 +197,11 @@ void AmneziaApplication::registerTypes()
    qRegisterMetaType<ServerCredentials>("ServerCredentials");

    qRegisterMetaType<DockerContainer>("DockerContainer");
+    using namespace amnezia::ProtocolEnumNS;
    qRegisterMetaType<TransportProto>("TransportProto");
    qRegisterMetaType<Proto>("Proto");
    qRegisterMetaType<ServiceType>("ServiceType");

-    declareQmlProtocolEnum();
-    declareQmlContainerEnum();
-
    qmlRegisterType<QRCodeReader>("QRCodeReader", 1, 0, "QRCodeReader");

    m_containerProps.reset(new ContainerProps());
@@ -217,6 +215,7 @@ void AmneziaApplication::registerTypes()

    qmlRegisterType<InstalledAppsModel>("InstalledAppsModel", 1, 0, "InstalledAppsModel");

+    amnezia::declareQmlProtocolEnum();
    Vpn::declareQmlVpnConnectionStateEnum();
    PageLoader::declareQmlPageEnum();
 }
--- a/client/amnezia_application.h
+++ b/client/amnezia_application.h
@@ -14,8 +14,10 @@
 #include <QClipboard>

 #include "core/controllers/coreController.h"
-#include "settings.h"
-#include "vpnconnection.h"
+#include "secureQSettings.h"
+#include "vpnConnection.h"
+#include "ui/models/containerProps.h"
+#include "ui/models/protocolProps.h"

 #define amnApp (static_cast<AmneziaApplication *>(QCoreApplication::instance()))

@@ -51,7 +53,7 @@ public slots:
 private:
    static bool m_forceQuit;
    QQmlApplicationEngine *m_engine {};
-    std::shared_ptr<Settings> m_settings;
+    SecureQSettings* m_settings;

    QScopedPointer<CoreController> m_coreController;

--- a/client/android/build.gradle.kts
+++ b/client/android/build.gradle.kts
@@ -39,6 +39,7 @@ android {

        // keeps language resources for only the locales specified below
        resourceConfigurations += listOf("en", "ru", "b+zh+Hans")
+        ndk.abiFilters += qtTargetAbiList.split(",")
    }

    sourceSets {
@@ -52,50 +53,12 @@ android {
        }
    }

-    signingConfigs {
-        register("release") {
-            storeFile = providers.environmentVariable("ANDROID_KEYSTORE_PATH").orNull?.let { file(it) }
-            storePassword = providers.environmentVariable("ANDROID_KEYSTORE_KEY_PASS").orNull
-            keyAlias = providers.environmentVariable("ANDROID_KEYSTORE_KEY_ALIAS").orNull
-            keyPassword = providers.environmentVariable("ANDROID_KEYSTORE_KEY_PASS").orNull
-        }
-    }
-
    buildTypes {
        release {
            // exclude coroutine debug resource from release build
            packaging {
                resources.excludes += "DebugProbesKt.bin"
            }
-            signingConfig = signingConfigs["release"]
-        }
-
-        create("fdroid") {
-            initWith(getByName("release"))
-            signingConfig = null
-            matchingFallbacks += "release"
-        }
-    }
-
-    splits {
-        abi {
-            isEnable = true
-            reset()
-            include(*qtTargetAbiList.split(',').toTypedArray())
-            isUniversalApk = false
-        }
-    }
-
-    // fix for Qt Creator to allow deploying the application to a device
-    // to enable this fix, add the line outputBaseName=android-build to local.properties
-    if (outputBaseName.isNotEmpty()) {
-        applicationVariants.all {
-            outputs.map { it as BaseVariantOutputImpl }
-                .forEach { output ->
-                    if (output.outputFileName.endsWith(".apk")) {
-                        output.outputFileName = "$outputBaseName-${buildType.name}.apk"
-                    }
-                }
        }
    }

@@ -111,7 +74,6 @@ dependencies {
    implementation(project(":wireguard"))
    implementation(project(":awg"))
    implementation(project(":openvpn"))
-    implementation(project(":cloak"))
    implementation(project(":xray"))
    implementation(libs.androidx.core)
    implementation(libs.androidx.activity)
--- a/client/android/cloak/build.gradle.kts
+++ b/client/android/cloak/build.gradle.kts
@@ -1,18 +0,0 @@
-plugins {
-    id(libs.plugins.android.library.get().pluginId)
-    id(libs.plugins.kotlin.android.get().pluginId)
-}
-
-kotlin {
-    jvmToolchain(17)
-}
-
-android {
-    namespace = "org.amnezia.vpn.protocol.cloak"
-}
-
-dependencies {
-    compileOnly(project(":utils"))
-    compileOnly(project(":protocolApi"))
-    implementation(project(":openvpn"))
-}
--- a/client/android/cloak/src/main/kotlin/Cloak.kt
+++ b/client/android/cloak/src/main/kotlin/Cloak.kt
@@ -1,45 +0,0 @@
-package org.amnezia.vpn.protocol.cloak
-
-import android.util.Base64
-import net.openvpn.ovpn3.ClientAPI_Config
-import org.amnezia.vpn.protocol.openvpn.OpenVpn
-import org.amnezia.vpn.util.LibraryLoader.loadSharedLibrary
-import org.json.JSONObject
-
-class Cloak : OpenVpn() {
-
-    override fun internalInit() {
-        super.internalInit()
-        if (!isInitialized) loadSharedLibrary(context, "ck-ovpn-plugin")
-    }
-
-    override fun parseConfig(config: JSONObject): ClientAPI_Config {
-        val openVpnConfig = ClientAPI_Config()
-
-        val openVpnConfigStr = config.getJSONObject("openvpn_config_data").getString("config")
-        val cloakConfigJson = checkCloakJson(config.getJSONObject("cloak_config_data"))
-        val cloakConfigStr = Base64.encodeToString(cloakConfigJson.toString().toByteArray(), Base64.DEFAULT)
-
-        val configStr = "$openVpnConfigStr\n<cloak>\n$cloakConfigStr\n</cloak>\n"
-
-        openVpnConfig.usePluggableTransports = true
-        openVpnConfig.content = configStr
-        return openVpnConfig
-    }
-
-    private fun checkCloakJson(cloakConfigJson: JSONObject): JSONObject {
-        cloakConfigJson.put("NumConn", 1)
-        cloakConfigJson.put("ProxyMethod", "openvpn")
-        if (cloakConfigJson.has("port")) {
-            val port = cloakConfigJson["port"]
-            cloakConfigJson.remove("port")
-            cloakConfigJson.put("RemotePort", port)
-        }
-        if (cloakConfigJson.has("remote")) {
-            val remote = cloakConfigJson["remote"]
-            cloakConfigJson.remove("remote")
-            cloakConfigJson.put("RemoteHost", remote)
-        }
-        return cloakConfigJson
-    }
-}
--- a/client/android/gradle/libs.versions.toml
+++ b/client/android/gradle/libs.versions.toml
@@ -1,11 +1,11 @@
 [versions]
-agp = "8.5.2"
+agp = "8.6.1"
 kotlin = "1.9.24"
 androidx-core = "1.13.1"
 androidx-activity = "1.9.1"
 androidx-annotation = "1.8.2"
 androidx-biometric = "1.2.0-alpha05"
-androidx-camera = "1.3.4"
+androidx-camera = "1.5.3"
 androidx-fragment = "1.8.2"
 androidx-security-crypto = "1.1.0-alpha06"
 androidx-datastore = "1.1.1"
--- a/client/android/settings.gradle.kts
+++ b/client/android/settings.gradle.kts
@@ -26,7 +26,6 @@ plugins {
    id("settings-property-delegate")
 }

-rootProject.name = "AmneziaVPN"
 rootProject.buildFileName = "build.gradle.kts"

 include(":qt")
@@ -35,7 +34,6 @@ include(":protocolApi")
 include(":wireguard")
 include(":awg")
 include(":openvpn")
-include(":cloak")
 include(":xray")
 include(":xray:libXray")

@@ -48,15 +46,7 @@ val qtMinSdkVersion: String by gradleProperties
 // set default values for all modules
 configure<SettingsExtension> {
    buildToolsVersion = androidBuildToolsVersion
-    compileSdk = androidCompileSdkVersion.substringAfter('-').toInt()
+    compileSdk = androidCompileSdkVersion.split('-')[1].toInt()
    minSdk = qtMinSdkVersion.toInt()
    ndkVersion = androidNdkVersion
 }
-
-// stop Gradle running by androiddeployqt
-gradle.taskGraph.whenReady {
-    if (providers.environmentVariable("ANDROIDDEPLOYQT_RUN").isPresent
-        && !providers.systemProperty("explicitRun").isPresent) {
-        allTasks.forEach { it.enabled = false }
-    }
-}
--- a/client/android/src/org/amnezia/vpn/AmneziaActivity.kt
+++ b/client/android/src/org/amnezia/vpn/AmneziaActivity.kt
@@ -214,10 +214,7 @@ class AmneziaActivity : QtActivity() {

    private fun loadLibs() {
        listOf(
-            "rsapss",
-            "crypto_3",
-            "ssl_3",
-            "ssh"
+            "rsapss"
        ).forEach {
            loadSharedLibrary(this.applicationContext, it)
        }
@@ -296,9 +293,25 @@ class AmneziaActivity : QtActivity() {
        hasWindowFocus = hasFocus
        Log.d(TAG, "Window focus changed: hasFocus=$hasFocus")

-        // Cancel pending operations if window loses focus
        if (!hasFocus) {
+            // Cancel pending operations if window loses focus
            resumeHandler.removeCallbacksAndMessages(null)
+        } else if (isActivityResumed && Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+            window.decorView.apply {
+                invalidate()
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(1f, 1f)
+                    }
+                }, 50)
+                resumeHandler.postDelayed({
+                    if (isActivityResumed && hasWindowFocus && !isFinishing && !isDestroyed) {
+                        sendTouch(2f, 2f)
+                        requestLayout()
+                        invalidate()
+                    }
+                }, 150)
+            }
        }
    }

@@ -337,6 +350,13 @@ class AmneziaActivity : QtActivity() {
    private external fun nativeGamepadKeyEvent(deviceId: Int, keyCode: Int, pressed: Boolean)

    override fun onPause() {
+        // Notify Qt to stop rendering BEFORE super.onPause() destroys the EGL surface.
+        // Using a coroutine here would be too late — the surface is gone by the time
+        // the coroutine runs. A direct synchronous call gives Qt's render thread the
+        // best chance to process visible=false before surface destruction.
+        if (qtInitialized.isCompleted) {
+            QtAndroidController.onActivityPaused()
+        }
        super.onPause()
        isActivityResumed = false
        // Cancel all pending operations when activity pauses
@@ -349,6 +369,9 @@ class AmneziaActivity : QtActivity() {
        super.onResume()
        isActivityResumed = true
        Log.d(TAG, "Resume Amnezia activity")
+        if (qtInitialized.isCompleted) {
+            QtAndroidController.onActivityResumed()
+        }

        if (pendingOpenFileUri != null && !openFileDeliveryScheduled) {
            val uri = pendingOpenFileUri!!
@@ -816,7 +839,7 @@ class AmneziaActivity : QtActivity() {
    @Suppress("unused")
    fun getFd(fileName: String): Int {
        Log.v(TAG, "Get fd for $fileName")
-        return blockingCall {
+        return blockingCall(Dispatchers.IO) {
            try {
                pfd = contentResolver.openFileDescriptor(Uri.parse(fileName), "r")
                pfd?.fd ?: -1
--- a/client/android/src/org/amnezia/vpn/VpnProto.kt
+++ b/client/android/src/org/amnezia/vpn/VpnProto.kt
@@ -2,7 +2,6 @@ package org.amnezia.vpn

 import org.amnezia.vpn.protocol.Protocol
 import org.amnezia.vpn.protocol.awg.Awg
-import org.amnezia.vpn.protocol.cloak.Cloak
 import org.amnezia.vpn.protocol.openvpn.OpenVpn
 import org.amnezia.vpn.protocol.wireguard.Wireguard
 import org.amnezia.vpn.protocol.xray.Xray
@@ -36,14 +35,6 @@ enum class VpnProto(
        override fun createProtocol(): Protocol = OpenVpn()
    },

-    CLOAK(
-        "Cloak",
-        "org.amnezia.vpn:amneziaOpenVpnService",
-        OpenVpnService::class.java
-    ) {
-        override fun createProtocol(): Protocol = Cloak()
-    },
-
    XRAY(
        "XRay",
        "org.amnezia.vpn:amneziaXrayService",
@@ -72,4 +63,4 @@ enum class VpnProto(
    companion object {
        fun get(protocolName: String): VpnProto = VpnProto.valueOf(protocolName.uppercase())
    }
-}
+}
--- a/client/android/src/org/amnezia/vpn/qt/QtAndroidController.kt
+++ b/client/android/src/org/amnezia/vpn/qt/QtAndroidController.kt
@@ -31,4 +31,7 @@ object QtAndroidController {

    external fun onImeInsetsChanged(heightDp: Int)
    external fun onSystemBarsInsetsChanged(navBarHeightDp: Int, statusBarHeightDp: Int)
+
+    external fun onActivityPaused()
+    external fun onActivityResumed()
 }
--- a/client/android/xray/src/main/kotlin/Xray.kt
+++ b/client/android/xray/src/main/kotlin/Xray.kt
@@ -4,6 +4,9 @@ import android.content.Context
 import android.net.VpnService.Builder
 import java.io.File
 import java.io.IOException
+import java.net.InetAddress
+import java.net.ServerSocket
+import java.util.UUID
 import go.Seq
 import org.amnezia.vpn.protocol.BadConfigException
 import org.amnezia.vpn.protocol.Protocol
@@ -19,11 +22,32 @@ import org.amnezia.vpn.util.Log
 import org.amnezia.vpn.util.net.InetNetwork
 import org.amnezia.vpn.util.net.ip
 import org.amnezia.vpn.util.net.parseInetAddress
+import org.json.JSONArray
 import org.json.JSONObject

 private const val TAG = "Xray"
 private const val LIBXRAY_TAG = "libXray"

+private fun findSocksInboundIndex(inbounds: JSONArray): Int {
+    for (i in 0 until inbounds.length()) {
+        val o = inbounds.optJSONObject(i) ?: continue
+        if (o.optString("protocol").equals("socks", ignoreCase = true)) {
+            return i
+        }
+    }
+    return -1
+}
+
+private fun acquireFreeLocalPort(): Int {
+    try {
+        ServerSocket(0, 1, InetAddress.getByName("127.0.0.1")).use { return it.localPort }
+    } catch (e: Exception) {
+        throw VpnStartException(
+            "Failed to acquire free TCP port on 127.0.0.1 for SOCKS inbound: ${e.message}"
+        )
+    }
+}
+
 class Xray : Protocol() {

    private var isRunning: Boolean = false
@@ -53,9 +77,13 @@ class Xray : Protocol() {
            return
        }

-        val xrayJsonConfig = config.optJSONObject("xray_config_data")
+        val xrayConfigData = config.optJSONObject("xray_config_data")
            ?: config.optJSONObject("ssxray_config_data")
            ?: throw BadConfigException("config_data not found")
+        val xrayJsonConfig = JSONObject(xrayConfigData.optString("config"))
+
+        // Inject SOCKS5 auth before starting xray. Re-uses existing credentials if present.
+        ensureInboundAuth(xrayJsonConfig)
        val xrayConfig = parseConfig(config, xrayJsonConfig)

        (xrayJsonConfig.optJSONObject("log") ?: JSONObject().also { xrayJsonConfig.put("log", it) })
@@ -97,9 +125,22 @@ class Xray : Protocol() {
                if (it.isNotBlank()) setMtu(it.toInt())
            }

-            val socksConfig = xrayJsonConfig.getJSONArray("inbounds")[0] as JSONObject
+            val inbounds = xrayJsonConfig.getJSONArray("inbounds")
+            val socksIdx = findSocksInboundIndex(inbounds)
+            if (socksIdx < 0) {
+                throw BadConfigException("socks inbound not found")
+            }
+            val socksConfig = inbounds.getJSONObject(socksIdx)
            socksConfig.getInt("port").let { setSocksPort(it) }

+            val socksSettings = socksConfig.optJSONObject("settings")
+            val accounts = socksSettings?.optJSONArray("accounts")
+            if (accounts != null && accounts.length() > 0) {
+                val account = accounts.getJSONObject(0)
+                setSocksUser(account.optString("user"))
+                setSocksPass(account.optString("pass"))
+            }
+
            configSplitTunneling(config)
            configAppSplitTunneling(config)
        }
@@ -162,9 +203,10 @@ class Xray : Protocol() {
    }

    private fun runTun2Socks(config: XrayConfig, fd: Int) {
+        val proxyUrl = "socks5://${config.socksUser}:${config.socksPass}@127.0.0.1:${config.socksPort}"
        val tun2SocksConfig = Tun2SocksConfig().apply {
            mtu = config.mtu.toLong()
-            proxy = "socks5://127.0.0.1:${config.socksPort}"
+            proxy = proxyUrl
            device = "fd://$fd"
            logLevel = "warn"
        }
@@ -173,6 +215,37 @@ class Xray : Protocol() {
        }
    }

+    // Ensures SOCKS5 auth is present on the socks inbound settings.
+    // Re-uses existing credentials if already configured; otherwise generates random ones.
+    private fun ensureInboundAuth(xrayConfig: JSONObject) {
+        val inbounds = xrayConfig.optJSONArray("inbounds") ?: return
+        val socksIdx = findSocksInboundIndex(inbounds)
+        if (socksIdx < 0) return
+
+        val inbound = inbounds.getJSONObject(socksIdx)
+        inbound.put("port", acquireFreeLocalPort())
+        val settings = inbound.optJSONObject("settings") ?: JSONObject().also { inbound.put("settings", it) }
+        val accounts = settings.optJSONArray("accounts")
+        if (accounts != null && accounts.length() > 0) {
+            val account = accounts.getJSONObject(0)
+            if (account.optString("user").isNotEmpty() && account.optString("pass").isNotEmpty()) {
+                // Ensure auth mode is enforced even for imported configs that had accounts
+                // but auth: "noauth" (or no auth field).
+                settings.put("auth", "password")
+                inbound.put("settings", settings)
+                inbounds.put(socksIdx, inbound)
+                return
+            }
+        }
+
+        val user = UUID.randomUUID().toString().replace("-", "").substring(0, 16)
+        val pass = UUID.randomUUID().toString().replace("-", "")
+        settings.put("auth", "password")
+        settings.put("accounts", JSONArray().put(JSONObject().put("user", user).put("pass", pass)))
+        inbound.put("settings", settings)
+        inbounds.put(socksIdx, inbound)
+    }
+
    companion object {
        val instance: Xray by lazy { Xray() }
    }
--- a/client/android/xray/src/main/kotlin/XrayConfig.kt
+++ b/client/android/xray/src/main/kotlin/XrayConfig.kt
@@ -9,12 +9,16 @@ private const val XRAY_DEFAULT_MAX_MEMORY: Long = 50 shl 20 // 50 MB
 class XrayConfig protected constructor(
    protocolConfigBuilder: ProtocolConfig.Builder,
    val socksPort: Int,
+    val socksUser: String,
+    val socksPass: String,
    val maxMemory: Long,
 ) : ProtocolConfig(protocolConfigBuilder) {

    protected constructor(builder: Builder) : this(
        builder,
        builder.socksPort,
+        builder.socksUser,
+        builder.socksPass,
        builder.maxMemory
    )

@@ -22,6 +26,12 @@ class XrayConfig protected constructor(
        internal var socksPort: Int = 0
            private set

+        internal var socksUser: String = ""
+            private set
+
+        internal var socksPass: String = ""
+            private set
+
        internal var maxMemory: Long = XRAY_DEFAULT_MAX_MEMORY
            private set

@@ -29,6 +39,10 @@ class XrayConfig protected constructor(

        fun setSocksPort(port: Int) = apply { socksPort = port }

+        fun setSocksUser(user: String) = apply { socksUser = user }
+
+        fun setSocksPass(pass: String) = apply { socksPass = pass }
+
        fun setMaxMemory(maxMemory: Long) = apply { this.maxMemory = maxMemory }

        override fun build(): XrayConfig = configBuild().run { XrayConfig(this@Builder) }
--- a/client/client_scripts/clientScripts.qrc
+++ b/client/client_scripts/clientScripts.qrc
@@ -0,0 +1,6 @@
+<RCC>
+    <qresource prefix="/client_scripts">
+        <file>linux_installer.sh</file>
+        <file>mac_installer.sh</file>
+    </qresource>
+</RCC>
--- a/client/client_scripts/linux_installer.sh
+++ b/client/client_scripts/linux_installer.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+EXTRACT_DIR="$1"
+INSTALLER_PATH="$2"
+
+# Create and clean extract directory
+rm -rf "$EXTRACT_DIR"
+mkdir -p "$EXTRACT_DIR"
+
+# Extract TAR archive
+tar -xf "$INSTALLER_PATH" -C "$EXTRACT_DIR"
+if [ $? -ne 0 ]; then
+    echo 'Failed to extract TAR archive'
+    exit 1
+fi
+
+# Find and run installer
+INSTALLER=$(find "$EXTRACT_DIR" -type f -executable)
+if [ -z "$INSTALLER" ]; then
+    echo 'Installer not found'
+    exit 1
+fi
+
+"$INSTALLER"
+EXIT_CODE=$?
+
+# Cleanup
+rm -rf "$EXTRACT_DIR"
+exit $EXIT_CODE 
--- a/client/client_scripts/mac_installer.sh
+++ b/client/client_scripts/mac_installer.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+EXTRACT_DIR="$1"
+INSTALLER_PATH="$2"
+
+set -e
+
+echo "[AmneziaVPN] Installer package: $INSTALLER_PATH"
+
+if [ ! -f "$INSTALLER_PATH" ]; then
+    echo "[AmneziaVPN] ERROR: Installer package not found: $INSTALLER_PATH"
+    exit 1
+fi
+
+PKG_PATH="$INSTALLER_PATH"
+echo "[AmneziaVPN] Using PKG: $PKG_PATH"
+
+# Optional: basic signature/gatekeeper checks (non-fatal)
+if command -v pkgutil >/dev/null 2>&1; then
+    pkgutil --check-signature "$PKG_PATH" || true
+fi
+if command -v spctl >/dev/null 2>&1; then
+    spctl -a -vvv -t install "$PKG_PATH" || true
+fi
+
+# Run installer with admin privileges via AppleScript (prompts for password)
+echo "[AmneziaVPN] Running installer..."
+OSA_CMD='do shell script "/usr/sbin/installer -pkg '"$PKG_PATH"' -target /" with administrator privileges'
+osascript -e "$OSA_CMD"
+
+STATUS=$?
+if [ $STATUS -ne 0 ]; then
+    echo "[AmneziaVPN] ERROR: installer exited with status $STATUS"
+    exit $STATUS
+fi
+
+echo "[AmneziaVPN] Cleaning up..."
+rm -f "$INSTALLER_PATH" || true
+rm -rf "$EXTRACT_DIR" 2>/dev/null || true
+
+echo "[AmneziaVPN] Installation completed successfully"
+exit 0
--- a/client/cmake/3rdparty.cmake
+++ b/client/cmake/3rdparty.cmake
@@ -8,81 +8,11 @@ include(${CLIENT_ROOT_DIR}/cmake/QSimpleCrypto.cmake)

 include(${CLIENT_ROOT_DIR}/3rd/qrcodegen/qrcodegen.cmake)

-set(LIBSSH_ROOT_DIR "${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/libssh/")
-set(OPENSSL_ROOT_DIR "${CLIENT_ROOT_DIR}/3rd-prebuilt/3rd-prebuilt/openssl/")
-
-set(OPENSSL_LIBRARIES_DIR "${OPENSSL_ROOT_DIR}/lib")
-
-if(WIN32)
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/windows/include")
-    if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
-        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/windows/x86_64/ssh.lib")
-        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/windows/x86_64")
-        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/windows/win64/libssl.lib")
-        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win64/libcrypto.lib")
-    else()
-        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/windows/x86/ssh.lib")
-        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/windows/x86")
-        set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libssl.lib")
-        set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/windows/win32/libcrypto.lib")
-    endif()
-elseif(APPLE AND NOT IOS)
-    if(MACOS_NE)
-        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libssh.a")
-        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/universal2/libz.a")
-        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/universal2")
-    else()
-        set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libssh.a")
-        set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/macos/x86_64/libz.a")
-        set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/macos/x86_64")
-    endif()
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/macos/include")
-    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libssl.a")
-    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/macos/lib/libcrypto.a")    
-elseif(IOS)
-    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/ios/arm64")
-    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/ios/arm64/libssh.a")
-    set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/ios/arm64/libz.a")
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/ios/iphone/include")
-    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/ios/iphone/lib/libssl.a")
-    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/ios/iphone/lib/libcrypto.a")
-elseif(ANDROID)
-    set(abi ${CMAKE_ANDROID_ARCH_ABI})
-    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/android/${abi}")
-    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/android/${abi}/libssh.so")
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/android/include")
-    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/android/${abi}/libssl.a")
-    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/android/${abi}/libcrypto.a")
-    set(OPENSSL_LIBRARIES_DIR "${OPENSSL_ROOT_DIR}/android/${abi}")
-elseif(LINUX)
-    set(LIBSSH_INCLUDE_DIR "${LIBSSH_ROOT_DIR}/linux/x86_64")
-    set(ZLIB_LIB_PATH "${LIBSSH_ROOT_DIR}/linux/x86_64/libz.a")
-    set(LIBSSH_LIB_PATH "${LIBSSH_ROOT_DIR}/linux/x86_64/libssh.a")
-    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/linux/include")
-    set(OPENSSL_LIB_SSL_PATH "${OPENSSL_ROOT_DIR}/linux/x86_64/libssl.a")
-    set(OPENSSL_LIB_CRYPTO_PATH "${OPENSSL_ROOT_DIR}/linux/x86_64/libcrypto.a")
-endif()
-
-file(COPY ${OPENSSL_LIB_SSL_PATH} ${OPENSSL_LIB_CRYPTO_PATH}
-        DESTINATION ${OPENSSL_LIBRARIES_DIR})
-
-set(OPENSSL_USE_STATIC_LIBS TRUE)
-  
-set(LIBS ${LIBS} 
-    ${LIBSSH_LIB_PATH} 
-    ${ZLIB_LIB_PATH}
-)
-  
-set(LIBS ${LIBS}
-    ${OPENSSL_LIB_SSL_PATH}
-    ${OPENSSL_LIB_CRYPTO_PATH}
-)
-
 add_compile_definitions(_WINSOCKAPI_)

 set(BUILD_SHARED_LIBS OFF CACHE BOOL "" FORCE)
 set(BUILD_WITH_QT6 ON)
-add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtkeychain)
+add_subdirectory(${CLIENT_ROOT_DIR}/3rd/qtkeychain EXCLUDE_FROM_ALL)

 if(ANDROID)
    # Use qtgamepad from amnezia-vpn/qtgamepad repository
@@ -106,12 +36,13 @@ endif()
 set(LIBS ${LIBS} qt6keychain)

 include_directories(
-    ${OPENSSL_INCLUDE_DIR}
-    ${LIBSSH_INCLUDE_DIR}/include
-    ${LIBSSH_ROOT_DIR}/include
-    ${CLIENT_ROOT_DIR}/3rd/libssh/include
    ${CLIENT_ROOT_DIR}/3rd/QSimpleCrypto/src/include
    ${CLIENT_ROOT_DIR}/3rd/qtkeychain/qtkeychain
    ${CMAKE_CURRENT_BINARY_DIR}/3rd/qtkeychain
-    ${CMAKE_CURRENT_BINARY_DIR}/3rd/libssh/include
 )
+
+find_package(OpenSSL REQUIRED)
+list(APPEND LIBS OpenSSL::SSL OpenSSL::Crypto)
+
+find_package(libssh REQUIRED)
+list(APPEND LIBS ssh::ssh)
--- a/client/cmake/android.cmake
+++ b/client/cmake/android.cmake
@@ -31,29 +31,25 @@ link_directories(${CMAKE_CURRENT_SOURCE_DIR}/platforms/android)
 set(HEADERS ${HEADERS}
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/android/android_controller.h
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/android/android_utils.h
-    ${CMAKE_CURRENT_SOURCE_DIR}/protocols/android_vpnprotocol.h
-    ${CMAKE_CURRENT_SOURCE_DIR}/core/installedAppsImageProvider.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/core/protocols/androidVpnProtocol.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/core/utils/installedAppsImageProvider.h
 )

 set(SOURCES ${SOURCES}
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/android/android_controller.cpp
    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/android/android_utils.cpp
-    ${CMAKE_CURRENT_SOURCE_DIR}/protocols/android_vpnprotocol.cpp
-    ${CMAKE_CURRENT_SOURCE_DIR}/core/installedAppsImageProvider.cpp
+    ${CMAKE_CURRENT_SOURCE_DIR}/core/protocols/androidVpnProtocol.cpp
+    ${CMAKE_CURRENT_SOURCE_DIR}/core/utils/installedAppsImageProvider.cpp
 )

-foreach(abi IN ITEMS ${QT_ANDROID_ABIS})
-    set_property(TARGET ${PROJECT} PROPERTY QT_ANDROID_EXTRA_LIBS
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/amneziawg/android/${abi}/libwg-go.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/libck-ovpn-plugin.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/libovpn3.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/libovpnutil.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/android/${abi}/librsapss.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openssl/android/${abi}/libcrypto_3.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openssl/android/${abi}/libssl_3.so
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/libssh/android/${abi}/libssh.so
-    )
-endforeach()

-file(COPY ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/xray/android/libxray.aar
-        DESTINATION ${CMAKE_CURRENT_SOURCE_DIR}/android/xray/libXray)
+find_package(awg-android REQUIRED)
+set(LIBS ${LIBS} amnezia::awg-android)
+set_property(TARGET ${PROJECT} APPEND PROPERTY QT_ANDROID_EXTRA_LIBS ${AMNEZIA_ANDROID_LIBWG_PATH} ${AMNEZIA_ANDROID_LIBWG_QUICK_PATH})
+
+find_package(amnezia-libxray REQUIRED)
+file(COPY ${AMNEZIA_LIBXRAY_PATH} DESTINATION ${CMAKE_CURRENT_SOURCE_DIR}/android/xray/libXray)
+
+find_package(openvpn-pt-android REQUIRED)
+set(LIBS ${LIBS} amnezia::openvpn-pt-android)
+set_property(TARGET ${PROJECT} APPEND PROPERTY QT_ANDROID_EXTRA_LIBS ${OPENVPN_PT_ANDROID_LIBCK_OVPN_PLUGIN_PATH})
--- a/client/cmake/ios.cmake
+++ b/client/cmake/ios.cmake
@@ -1,8 +1,6 @@
 message("Client iOS build")
-set(CMAKE_OSX_DEPLOYMENT_TARGET 13.0)
 set(APPLE_PROJECT_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})

-
 enable_language(OBJC)
 enable_language(OBJCXX)
 enable_language(Swift)
@@ -121,6 +119,7 @@ target_sources(${PROJECT} PRIVATE
    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/ScreenProtection.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/StoreKit2Helper.swift
 )

 target_sources(${PROJECT} PRIVATE
@@ -131,17 +130,8 @@ target_sources(${PROJECT} PRIVATE

 set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/AmneziaVPNLaunchScreen.storyboard
-    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/Media.xcassets
    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
 )

 add_subdirectory(ios/networkextension)
 add_dependencies(${PROJECT} networkextension)
-
-set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
-    "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework"
-)
-
-set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/)
-target_link_libraries("networkextension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-ios/OpenVPNAdapter.framework")
-
--- a/client/cmake/macos.cmake
+++ b/client/cmake/macos.cmake
@@ -23,16 +23,13 @@ set_target_properties(${PROJECT} PROPERTIES
    MACOSX_BUNDLE_SHORT_VERSION_STRING "${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH}"
    MACOSX_BUNDLE_BUNDLE_VERSION "${CMAKE_PROJECT_VERSION_TWEAK}"
 )
-set(CMAKE_OSX_ARCHITECTURES "x86_64" CACHE INTERNAL "" FORCE)
-set(CMAKE_OSX_DEPLOYMENT_TARGET 10.15)
-

 set(HEADERS ${HEADERS}
-    ${CMAKE_CURRENT_SOURCE_DIR}/ui/macos_util.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/ui/utils/macosUtil.h
 )

 set(SOURCES ${SOURCES}
-    ${CMAKE_CURRENT_SOURCE_DIR}/ui/macos_util.mm
+    ${CMAKE_CURRENT_SOURCE_DIR}/ui/utils/macosUtil.mm
 )


--- a/client/cmake/macos_ne.cmake
+++ b/client/cmake/macos_ne.cmake
@@ -1,7 +1,6 @@
 message("Client ==> MacOS NE build")

 set_target_properties(${PROJECT} PROPERTIES MACOSX_BUNDLE TRUE)
-set(CMAKE_OSX_DEPLOYMENT_TARGET 10.15)

 set(APPLE_PROJECT_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})

@@ -131,6 +130,7 @@ target_sources(${PROJECT} PRIVATE
    ${CLIENT_ROOT_DIR}/platforms/ios/LogRecord.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/ScreenProtection.swift
    ${CLIENT_ROOT_DIR}/platforms/ios/VPNCController.swift
+    ${CLIENT_ROOT_DIR}/platforms/ios/StoreKit2Helper.swift
 )

 target_sources(${PROJECT} PRIVATE
@@ -139,7 +139,6 @@ target_sources(${PROJECT} PRIVATE
 )

 set_property(TARGET ${PROJECT} APPEND PROPERTY RESOURCE
-    ${CMAKE_CURRENT_SOURCE_DIR}/macos/app/Images.xcassets
    ${CMAKE_CURRENT_SOURCE_DIR}/ios/app/PrivacyInfo.xcprivacy
 )

@@ -152,19 +151,6 @@ message(${QtCore_location})

 get_filename_component(QT_BIN_DIR_DETECTED "${QtCore_location}/../../../../../bin" ABSOLUTE)

-set_property(TARGET ${PROJECT} PROPERTY XCODE_EMBED_FRAMEWORKS
-    "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos/OpenVPNAdapter.framework"
-)
-
-set(CMAKE_XCODE_ATTRIBUTE_FRAMEWORK_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos)
-target_link_libraries("AmneziaVPNNetworkExtension" PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/3rd-prebuilt/3rd-prebuilt/openvpn/apple/OpenVPNAdapter-macos/OpenVPNAdapter.framework")
-
 add_custom_command(TARGET ${PROJECT} POST_BUILD
-    COMMAND ${CMAKE_COMMAND} -E make_directory
-            $<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks
-    COMMAND /usr/bin/find "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework" -name "*.sha256" -delete
-    COMMAND /usr/bin/codesign --force --sign "Apple Distribution: Privacy Technologies OU"
-            "$<TARGET_BUNDLE_DIR:AmneziaVPN>/Contents/Frameworks/OpenVPNAdapter.framework/Versions/Current/OpenVPNAdapter"
    COMMAND ${QT_BIN_DIR_DETECTED}/macdeployqt $<TARGET_BUNDLE_DIR:AmneziaVPN> -appstore-compliant -qmldir=${CMAKE_CURRENT_SOURCE_DIR}
-    COMMENT "Signing OpenVPNAdapter framework"
 )
--- a/client/cmake/sources.cmake
+++ b/client/cmake/sources.cmake
@@ -1,34 +1,69 @@
 set(CLIENT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/..)

 set(HEADERS ${HEADERS}
-    ${CLIENT_ROOT_DIR}/migrations.h
+    ${CLIENT_ROOT_DIR}/core/utils/migrations.h
    ${CLIENT_ROOT_DIR}/../ipc/ipc.h
-    ${CLIENT_ROOT_DIR}/amnezia_application.h
-    ${CLIENT_ROOT_DIR}/containers/containers_defs.h
-    ${CLIENT_ROOT_DIR}/core/defs.h
-    ${CLIENT_ROOT_DIR}/core/errorstrings.h
-    ${CLIENT_ROOT_DIR}/core/scripts_registry.h
-    ${CLIENT_ROOT_DIR}/core/server_defs.h
-    ${CLIENT_ROOT_DIR}/core/api/apiDefs.h
-    ${CLIENT_ROOT_DIR}/core/qrCodeUtils.h
+    ${CLIENT_ROOT_DIR}/amneziaApplication.h
+    ${CLIENT_ROOT_DIR}/core/utils/errorCodes.h
+    ${CLIENT_ROOT_DIR}/core/utils/routeModes.h
+    ${CLIENT_ROOT_DIR}/core/utils/commonStructs.h
+    ${CLIENT_ROOT_DIR}/core/utils/containerEnum.h
+    ${CLIENT_ROOT_DIR}/core/utils/protocolEnum.h
+    ${CLIENT_ROOT_DIR}/core/utils/containers/containerUtils.h
+    ${CLIENT_ROOT_DIR}/core/protocols/protocolUtils.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants/configKeys.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants/protocolConstants.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants/apiKeys.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants/apiConstants.h
+    ${CLIENT_ROOT_DIR}/core/utils/api/apiEnums.h
+    ${CLIENT_ROOT_DIR}/core/utils/errorStrings.h
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/scriptsRegistry.h
+    ${CLIENT_ROOT_DIR}/core/utils/qrCodeUtils.h
    ${CLIENT_ROOT_DIR}/core/controllers/coreController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/coreSignalHandlers.h
    ${CLIENT_ROOT_DIR}/core/controllers/gatewayController.h
-    ${CLIENT_ROOT_DIR}/core/controllers/serverController.h
-    ${CLIENT_ROOT_DIR}/core/controllers/vpnConfigurationController.h
-    ${CLIENT_ROOT_DIR}/protocols/protocols_defs.h
-    ${CLIENT_ROOT_DIR}/protocols/qml_register_protocols.h
-    ${CLIENT_ROOT_DIR}/ui/pages.h
-    ${CLIENT_ROOT_DIR}/ui/qautostart.h
-    ${CLIENT_ROOT_DIR}/protocols/vpnprotocol.h
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshSession.h
+    ${CLIENT_ROOT_DIR}/core/controllers/serversController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/usersController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/installController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/exportController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/importController.h
+    ${CLIENT_ROOT_DIR}/core/installers/installerBase.h
+    ${CLIENT_ROOT_DIR}/core/installers/awgInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/wireguardInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/openvpnInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/xrayInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/torInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/sftpInstaller.h
+    ${CLIENT_ROOT_DIR}/core/installers/socks5Installer.h
+    ${CLIENT_ROOT_DIR}/core/controllers/appSplitTunnelingController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/ipSplitTunnelingController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/allowedDnsController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/exportController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/connectionController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/settingsController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/api/servicesCatalogController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/api/subscriptionController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/api/newsController.h
+    ${CLIENT_ROOT_DIR}/core/controllers/updateController.h
+    ${CLIENT_ROOT_DIR}/core/repositories/secureServersRepository.h
+    ${CLIENT_ROOT_DIR}/core/repositories/secureAppSettingsRepository.h
+    ${CLIENT_ROOT_DIR}/core/protocols/qmlRegisterProtocols.h
+    ${CLIENT_ROOT_DIR}/ui/utils/pages.h
+    ${CLIENT_ROOT_DIR}/ui/utils/qAutoStart.h
+    ${CLIENT_ROOT_DIR}/core/protocols/vpnProtocol.h
    ${CMAKE_CURRENT_BINARY_DIR}/version.h
-    ${CLIENT_ROOT_DIR}/core/sshclient.h
-    ${CLIENT_ROOT_DIR}/core/networkUtilities.h
-    ${CLIENT_ROOT_DIR}/core/serialization/serialization.h
-    ${CLIENT_ROOT_DIR}/core/serialization/transfer.h
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshClient.h
+    ${CLIENT_ROOT_DIR}/core/utils/networkUtilities.h
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/serialization.h
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/transfer.h
    ${CLIENT_ROOT_DIR}/../common/logger/logger.h
-    ${CLIENT_ROOT_DIR}/utils/qmlUtils.h
-    ${CLIENT_ROOT_DIR}/core/api/apiUtils.h
-    ${CLIENT_ROOT_DIR}/core/osSignalHandler.h
+    ${CLIENT_ROOT_DIR}/ui/utils/qmlUtils.h
+    ${CLIENT_ROOT_DIR}/core/utils/api/apiUtils.h
+    ${CLIENT_ROOT_DIR}/core/utils/osSignalHandler.h
+    ${CLIENT_ROOT_DIR}/core/utils/utilities.h
+    ${CLIENT_ROOT_DIR}/core/utils/managementServer.h
+    ${CLIENT_ROOT_DIR}/core/utils/constants.h
 )

 # Mozilla headres
@@ -47,39 +82,65 @@ endif()

 if(NOT ANDROID)
    set(HEADERS ${HEADERS}
-        ${CLIENT_ROOT_DIR}/ui/notificationhandler.h
+        ${CLIENT_ROOT_DIR}/ui/utils/notificationHandler.h
    )
 endif()

 set(SOURCES ${SOURCES}
-    ${CLIENT_ROOT_DIR}/migrations.cpp
-    ${CLIENT_ROOT_DIR}/amnezia_application.cpp
-    ${CLIENT_ROOT_DIR}/containers/containers_defs.cpp
-    ${CLIENT_ROOT_DIR}/core/errorstrings.cpp
-    ${CLIENT_ROOT_DIR}/core/scripts_registry.cpp
-    ${CLIENT_ROOT_DIR}/core/server_defs.cpp
-    ${CLIENT_ROOT_DIR}/core/qrCodeUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/migrations.cpp
+    ${CLIENT_ROOT_DIR}/amneziaApplication.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/errorStrings.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/containers/containerUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/protocols/protocolUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/scriptsRegistry.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/qrCodeUtils.cpp
    ${CLIENT_ROOT_DIR}/core/controllers/coreController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/coreSignalHandlers.cpp
    ${CLIENT_ROOT_DIR}/core/controllers/gatewayController.cpp
-    ${CLIENT_ROOT_DIR}/core/controllers/serverController.cpp
-    ${CLIENT_ROOT_DIR}/core/controllers/vpnConfigurationController.cpp
-    ${CLIENT_ROOT_DIR}/protocols/protocols_defs.cpp
-    ${CLIENT_ROOT_DIR}/ui/qautostart.cpp
-    ${CLIENT_ROOT_DIR}/protocols/vpnprotocol.cpp
-    ${CLIENT_ROOT_DIR}/core/sshclient.cpp
-    ${CLIENT_ROOT_DIR}/core/networkUtilities.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/outbound.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/inbound.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/ss.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/ssd.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/vless.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/trojan.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/vmess.cpp
-    ${CLIENT_ROOT_DIR}/core/serialization/vmess_new.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshSession.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/serversController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/usersController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/installController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/exportController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/importController.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/installerBase.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/awgInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/wireguardInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/openvpnInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/xrayInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/torInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/sftpInstaller.cpp
+    ${CLIENT_ROOT_DIR}/core/installers/socks5Installer.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/appSplitTunnelingController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/ipSplitTunnelingController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/allowedDnsController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/selfhosted/exportController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/connectionController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/settingsController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/api/servicesCatalogController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/api/subscriptionController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/api/newsController.cpp
+    ${CLIENT_ROOT_DIR}/core/controllers/updateController.cpp
+    ${CLIENT_ROOT_DIR}/core/repositories/secureServersRepository.cpp
+    ${CLIENT_ROOT_DIR}/core/repositories/secureAppSettingsRepository.cpp
+    ${CLIENT_ROOT_DIR}/ui/utils/qAutoStart.cpp
+    ${CLIENT_ROOT_DIR}/core/protocols/vpnProtocol.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/selfhosted/sshClient.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/networkUtilities.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/outbound.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/inbound.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/ss.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/ssd.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/vless.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/trojan.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/vmess.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/serialization/vmess_new.cpp
    ${CLIENT_ROOT_DIR}/../common/logger/logger.cpp
-    ${CLIENT_ROOT_DIR}/utils/qmlUtils.cpp
-    ${CLIENT_ROOT_DIR}/core/api/apiUtils.cpp
-    ${CLIENT_ROOT_DIR}/core/osSignalHandler.cpp
+    ${CLIENT_ROOT_DIR}/ui/utils/qmlUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/api/apiUtils.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/osSignalHandler.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/utilities.cpp
+    ${CLIENT_ROOT_DIR}/core/utils/managementServer.cpp
 )

 # Mozilla sources
@@ -100,29 +161,41 @@ if(APPLE AND NOT IOS)
    list(APPEND HEADERS
        ${CLIENT_ROOT_DIR}/platforms/macos/macosutils.h
        ${CLIENT_ROOT_DIR}/platforms/macos/macosstatusicon.h
-        ${CLIENT_ROOT_DIR}/ui/macos_util.h
+        ${CLIENT_ROOT_DIR}/ui/utils/macosUtil.h
    )
    list(APPEND SOURCES
        ${CLIENT_ROOT_DIR}/platforms/macos/macosutils.mm
        ${CLIENT_ROOT_DIR}/platforms/macos/macosstatusicon.mm
-        ${CLIENT_ROOT_DIR}/ui/macos_util.mm
+        ${CLIENT_ROOT_DIR}/ui/utils/macosUtil.mm
    )
 endif()

 if(NOT ANDROID)
    set(SOURCES ${SOURCES}
-        ${CLIENT_ROOT_DIR}/ui/notificationhandler.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/notificationHandler.cpp
    )
 endif()

-file(GLOB COMMON_FILES_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/*.h)
-file(GLOB COMMON_FILES_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/*.cpp)
+set(COMMON_FILES_H
+    ${CLIENT_ROOT_DIR}/amneziaApplication.h
+    ${CLIENT_ROOT_DIR}/secureQSettings.h
+    ${CLIENT_ROOT_DIR}/vpnConnection.h
+)
+
+set(COMMON_FILES_CPP
+    ${CLIENT_ROOT_DIR}/amneziaApplication.cpp
+    ${CLIENT_ROOT_DIR}/secureQSettings.cpp
+    ${CLIENT_ROOT_DIR}/vpnConnection.cpp
+)

 file(GLOB_RECURSE PAGE_LOGIC_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/ui/pages_logic/*.h)
 file(GLOB_RECURSE PAGE_LOGIC_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/ui/pages_logic/*.cpp)

-file(GLOB CONFIGURATORS_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/configurators/*.h)
-file(GLOB CONFIGURATORS_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/configurators/*.cpp)
+file(GLOB CONFIGURATORS_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/core/configurators/*.h)
+file(GLOB CONFIGURATORS_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/core/configurators/*.cpp)
+
+file(GLOB_RECURSE CORE_MODELS_H CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/core/models/*.h)
+file(GLOB_RECURSE CORE_MODELS_CPP CONFIGURE_DEPENDS ${CLIENT_ROOT_DIR}/core/models/*.cpp)

 file(GLOB UI_MODELS_H CONFIGURE_DEPENDS
    ${CLIENT_ROOT_DIR}/ui/models/*.h
@@ -140,16 +213,21 @@ file(GLOB UI_MODELS_CPP CONFIGURE_DEPENDS
 file(GLOB UI_CONTROLLERS_H CONFIGURE_DEPENDS
    ${CLIENT_ROOT_DIR}/ui/controllers/*.h
    ${CLIENT_ROOT_DIR}/ui/controllers/api/*.h
+    ${CLIENT_ROOT_DIR}/ui/controllers/qml/*.h
+    ${CLIENT_ROOT_DIR}/ui/controllers/selfhosted/*.h
 )
 file(GLOB UI_CONTROLLERS_CPP CONFIGURE_DEPENDS
    ${CLIENT_ROOT_DIR}/ui/controllers/*.cpp
    ${CLIENT_ROOT_DIR}/ui/controllers/api/*.cpp
+    ${CLIENT_ROOT_DIR}/ui/controllers/qml/*.cpp
+    ${CLIENT_ROOT_DIR}/ui/controllers/selfhosted/*.cpp
 )

 set(HEADERS ${HEADERS}
    ${COMMON_FILES_H}
    ${PAGE_LOGIC_H}
    ${CONFIGURATORS_H}
+    ${CORE_MODELS_H}
    ${UI_MODELS_H}
    ${UI_CONTROLLERS_H}
 )
@@ -157,17 +235,18 @@ set(SOURCES ${SOURCES}
    ${COMMON_FILES_CPP}
    ${PAGE_LOGIC_CPP}
    ${CONFIGURATORS_CPP}
+    ${CORE_MODELS_CPP}
    ${UI_MODELS_CPP}
    ${UI_CONTROLLERS_CPP}
 )

 if(WIN32)
    set(HEADERS ${HEADERS}
-        ${CLIENT_ROOT_DIR}/protocols/ikev2_vpn_protocol_windows.h
+        ${CLIENT_ROOT_DIR}/core/protocols/ikev2VpnProtocolWindows.h
    )

    set(SOURCES ${SOURCES}
-        ${CLIENT_ROOT_DIR}/protocols/ikev2_vpn_protocol_windows.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/ikev2VpnProtocolWindows.cpp
    )

    set(RESOURCES ${RESOURCES}
@@ -180,37 +259,33 @@ if(WIN32 OR (APPLE AND NOT IOS AND NOT MACOS_NE) OR (LINUX AND NOT ANDROID))
    add_compile_definitions(AMNEZIA_DESKTOP)

    set(HEADERS ${HEADERS}
-        ${CLIENT_ROOT_DIR}/core/ipcclient.h
-        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.h
-        ${CLIENT_ROOT_DIR}/protocols/openvpnprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/openvpnovercloakprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/shadowsocksvpnprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/wireguardprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/xrayprotocol.h
-        ${CLIENT_ROOT_DIR}/protocols/awgprotocol.h
+        ${CLIENT_ROOT_DIR}/core/utils/ipcClient.h
+        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.h
+        ${CLIENT_ROOT_DIR}/core/protocols/openVpnProtocol.h
+        ${CLIENT_ROOT_DIR}/core/protocols/wireGuardProtocol.h
+        ${CLIENT_ROOT_DIR}/core/protocols/xrayProtocol.h
+        ${CLIENT_ROOT_DIR}/core/protocols/awgProtocol.h
        ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.h
    )

    set(SOURCES ${SOURCES}
-        ${CLIENT_ROOT_DIR}/core/ipcclient.cpp
+        ${CLIENT_ROOT_DIR}/core/utils/ipcClient.cpp
        ${CLIENT_ROOT_DIR}/mozilla/localsocketcontroller.cpp
-        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.cpp
-        ${CLIENT_ROOT_DIR}/protocols/openvpnprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/openvpnovercloakprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/shadowsocksvpnprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/wireguardprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/xrayprotocol.cpp
-        ${CLIENT_ROOT_DIR}/protocols/awgprotocol.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/openVpnProtocol.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/wireGuardProtocol.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/xrayProtocol.cpp
+        ${CLIENT_ROOT_DIR}/core/protocols/awgProtocol.cpp
    )
 endif()

 if(APPLE AND MACOS_NE)
    # Include only the tray notification handler in NE builds
    set(HEADERS ${HEADERS}
-        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.h
+        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.h
    )

    set(SOURCES ${SOURCES}
-        ${CLIENT_ROOT_DIR}/ui/systemtray_notificationhandler.cpp
+        ${CLIENT_ROOT_DIR}/ui/utils/systemTrayNotificationHandler.cpp
    )
 endif()
--- a/client/configurators/awg_configurator.cpp
+++ b/client/configurators/awg_configurator.cpp
@@ -1,59 +0,0 @@
-#include "awg_configurator.h"
-#include "protocols/protocols_defs.h"
-
-#include <QJsonDocument>
-#include <QJsonObject>
-
-AwgConfigurator::AwgConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : WireguardConfigurator(settings, serverController, true, parent)
-{
-}
-
-QString AwgConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                      ErrorCode &errorCode)
-{
-    QString config = WireguardConfigurator::createConfig(credentials, container, containerConfig, errorCode);
-
-    QJsonObject jsonConfig = QJsonDocument::fromJson(config.toUtf8()).object();
-    QString awgConfig = jsonConfig.value(config_key::config).toString();
-
-    QMap<QString, QString> configMap;
-    auto configLines = awgConfig.split("\n");
-    for (auto &line : configLines) {
-        auto trimmedLine = line.trimmed();
-        if (trimmedLine.startsWith("[") && trimmedLine.endsWith("]")) {
-            continue;
-        } else {
-            QStringList parts = trimmedLine.split(" = ");
-            if (parts.count() == 2) {
-                configMap.insert(parts[0].trimmed(), parts[1].trimmed());
-            }
-        }
-    }
-
-    jsonConfig[config_key::junkPacketCount] = configMap.value(config_key::junkPacketCount);
-    jsonConfig[config_key::junkPacketMinSize] = configMap.value(config_key::junkPacketMinSize);
-    jsonConfig[config_key::junkPacketMaxSize] = configMap.value(config_key::junkPacketMaxSize);
-    jsonConfig[config_key::initPacketJunkSize] = configMap.value(config_key::initPacketJunkSize);
-    jsonConfig[config_key::responsePacketJunkSize] = configMap.value(config_key::responsePacketJunkSize);
-    jsonConfig[config_key::initPacketMagicHeader] = configMap.value(config_key::initPacketMagicHeader);
-    jsonConfig[config_key::responsePacketMagicHeader] = configMap.value(config_key::responsePacketMagicHeader);
-    jsonConfig[config_key::underloadPacketMagicHeader] = configMap.value(config_key::underloadPacketMagicHeader);
-    jsonConfig[config_key::transportPacketMagicHeader] = configMap.value(config_key::transportPacketMagicHeader);
-
-    if (container == DockerContainer::Awg2) {
-        jsonConfig[config_key::cookieReplyPacketJunkSize] = configMap.value(config_key::cookieReplyPacketJunkSize);
-        jsonConfig[config_key::transportPacketJunkSize] = configMap.value(config_key::transportPacketJunkSize);
-    }
-
-    jsonConfig[config_key::specialJunk1] = configMap.value(amnezia::config_key::specialJunk1);
-    jsonConfig[config_key::specialJunk2] = configMap.value(amnezia::config_key::specialJunk2);
-    jsonConfig[config_key::specialJunk3] = configMap.value(amnezia::config_key::specialJunk3);
-    jsonConfig[config_key::specialJunk4] = configMap.value(amnezia::config_key::specialJunk4);
-    jsonConfig[config_key::specialJunk5] = configMap.value(amnezia::config_key::specialJunk5);
-
-    jsonConfig[config_key::mtu] =
-            containerConfig.value(ProtocolProps::protoToString(Proto::Awg)).toObject().value(config_key::mtu).toString(protocols::awg::defaultMtu);
-
-    return QJsonDocument(jsonConfig).toJson();
-}
--- a/client/configurators/awg_configurator.h
+++ b/client/configurators/awg_configurator.h
@@ -1,18 +0,0 @@
-#ifndef AWGCONFIGURATOR_H
-#define AWGCONFIGURATOR_H
-
-#include <QObject>
-
-#include "wireguard_configurator.h"
-
-class AwgConfigurator : public WireguardConfigurator
-{
-    Q_OBJECT
-public:
-    AwgConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-};
-
-#endif // AWGCONFIGURATOR_H
--- a/client/configurators/cloak_configurator.cpp
+++ b/client/configurators/cloak_configurator.cpp
@@ -1,51 +0,0 @@
-#include "cloak_configurator.h"
-
-#include <QFile>
-#include <QJsonDocument>
-#include <QJsonObject>
-
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-
-CloakConfigurator::CloakConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
-{
-}
-
-QString CloakConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                        ErrorCode &errorCode)
-{
-    QString cloakPublicKey =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::cloak::ckPublicKeyPath, errorCode);
-    cloakPublicKey.replace("\n", "");
-
-    if (errorCode != ErrorCode::NoError) {
-        return "";
-    }
-
-    QString cloakBypassUid =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::cloak::ckBypassUidKeyPath, errorCode);
-    cloakBypassUid.replace("\n", "");
-
-    if (errorCode != ErrorCode::NoError) {
-        return "";
-    }
-
-    QJsonObject config;
-    config.insert("Transport", "direct");
-    config.insert("ProxyMethod", "openvpn");
-    config.insert("EncryptionMethod", "aes-gcm");
-    config.insert("UID", cloakBypassUid);
-    config.insert("PublicKey", cloakPublicKey);
-    config.insert("ServerName", "$FAKE_WEB_SITE_ADDRESS");
-    config.insert("NumConn", 1);
-    config.insert("BrowserSig", "chrome");
-    config.insert("StreamTimeout", 300);
-    config.insert("RemoteHost", credentials.hostName);
-    config.insert("RemotePort", "$CLOAK_SERVER_PORT");
-
-    QString textCfg = m_serverController->replaceVars(QJsonDocument(config).toJson(),
-                                                      m_serverController->genVarsForScript(credentials, container, containerConfig));
-
-    return textCfg;
-}
--- a/client/configurators/cloak_configurator.h
+++ b/client/configurators/cloak_configurator.h
@@ -1,20 +0,0 @@
-#ifndef CLOAK_CONFIGURATOR_H
-#define CLOAK_CONFIGURATOR_H
-
-#include <QObject>
-
-#include "configurator_base.h"
-
-using namespace amnezia;
-
-class CloakConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    CloakConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-};
-
-#endif // CLOAK_CONFIGURATOR_H
--- a/client/configurators/configurator_base.cpp
+++ b/client/configurators/configurator_base.cpp
@@ -1,26 +0,0 @@
-#include "configurator_base.h"
-
-ConfiguratorBase::ConfiguratorBase(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : QObject { parent }, m_settings(settings), m_serverController(serverController)
-{
-}
-
-QString ConfiguratorBase::processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                         QString &protocolConfigString)
-{
-    processConfigWithDnsSettings(dns, protocolConfigString);
-    return protocolConfigString;
-}
-
-QString ConfiguratorBase::processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                          QString &protocolConfigString)
-{
-    processConfigWithDnsSettings(dns, protocolConfigString);
-    return protocolConfigString;
-}
-
-void ConfiguratorBase::processConfigWithDnsSettings(const QPair<QString, QString> &dns, QString &protocolConfigString)
-{
-    protocolConfigString.replace("$PRIMARY_DNS", dns.first);
-    protocolConfigString.replace("$SECONDARY_DNS", dns.second);
-}
--- a/client/configurators/configurator_base.h
+++ b/client/configurators/configurator_base.h
@@ -1,33 +0,0 @@
-#ifndef CONFIGURATORBASE_H
-#define CONFIGURATORBASE_H
-
-#include <QObject>
-
-#include "containers/containers_defs.h"
-#include "core/defs.h"
-#include "core/controllers/serverController.h"
-#include "settings.h"
-
-class ConfiguratorBase : public QObject
-{
-    Q_OBJECT
-public:
-    explicit ConfiguratorBase(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    virtual QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                 const QJsonObject &containerConfig, ErrorCode &errorCode) = 0;
-
-    virtual QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                   QString &protocolConfigString);
-    virtual QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                    QString &protocolConfigString);
-
-protected:
-    void processConfigWithDnsSettings(const QPair<QString, QString> &dns, QString &protocolConfigString);
-
-    std::shared_ptr<Settings> m_settings;
-    QSharedPointer<ServerController> m_serverController;
-
-};
-
-#endif // CONFIGURATORBASE_H
--- a/client/configurators/ikev2_configurator.h
+++ b/client/configurators/ikev2_configurator.h
@@ -1,35 +0,0 @@
-#ifndef IKEV2_CONFIGURATOR_H
-#define IKEV2_CONFIGURATOR_H
-
-#include <QObject>
-#include <QProcessEnvironment>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class Ikev2Configurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    Ikev2Configurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    struct ConnectionData {
-        QByteArray clientCert; // p12 client cert
-        QByteArray caCert; // p12 server cert
-        QString clientId;
-        QString password; // certificate password
-        QString host; // host ip
-    };
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-
-    QString genIkev2Config(const ConnectionData &connData);
-    QString genMobileConfig(const ConnectionData &connData);
-    QString genStrongSwanConfig(const ConnectionData &connData);
-
-    ConnectionData prepareIkev2Config(const ServerCredentials &credentials,
-        DockerContainer container, ErrorCode &errorCode);
-};
-
-#endif // IKEV2_CONFIGURATOR_H
--- a/client/configurators/openvpn_configurator.h
+++ b/client/configurators/openvpn_configurator.h
@@ -1,43 +0,0 @@
-#ifndef OPENVPN_CONFIGURATOR_H
-#define OPENVPN_CONFIGURATOR_H
-
-#include <QObject>
-#include <QProcessEnvironment>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class OpenVpnConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    OpenVpnConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    struct ConnectionData
-    {
-        QString clientId;
-        QString request;    // certificate request
-        QString privKey;    // client private key
-        QString clientCert; // client signed certificate
-        QString caCert;     // server certificate
-        QString taKey;      // tls-auth key
-        QString host;       // host ip
-    };
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-
-    QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                           QString &protocolConfigString);
-    QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                            QString &protocolConfigString);
-
-    static ConnectionData createCertRequest();
-
-private:
-    ConnectionData prepareOpenVpnConfig(const ServerCredentials &credentials, DockerContainer container,
-                                        ErrorCode &errorCode);
-    ErrorCode signCert(DockerContainer container, const ServerCredentials &credentials, QString clientId);
-};
-
-#endif // OPENVPN_CONFIGURATOR_H
--- a/client/configurators/shadowsocks_configurator.cpp
+++ b/client/configurators/shadowsocks_configurator.cpp
@@ -1,40 +0,0 @@
-#include "shadowsocks_configurator.h"
-
-#include <QFile>
-#include <QJsonDocument>
-#include <QJsonObject>
-
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-
-ShadowSocksConfigurator::ShadowSocksConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
-                                                 QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
-{
-}
-
-QString ShadowSocksConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                              const QJsonObject &containerConfig, ErrorCode &errorCode)
-{
-    QString ssKey =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::shadowsocks::ssKeyPath, errorCode);
-    ssKey.replace("\n", "");
-
-    if (errorCode != ErrorCode::NoError) {
-        return "";
-    }
-
-    QJsonObject config;
-    config.insert("server", credentials.hostName);
-    config.insert("server_port", "$SHADOWSOCKS_SERVER_PORT");
-    config.insert("local_port", "$SHADOWSOCKS_LOCAL_PORT");
-    config.insert("password", ssKey);
-    config.insert("timeout", 60);
-    config.insert("method", "$SHADOWSOCKS_CIPHER");
-
-    QString textCfg = m_serverController->replaceVars(QJsonDocument(config).toJson(),
-                                                      m_serverController->genVarsForScript(credentials, container, containerConfig));
-
-    // qDebug().noquote() << textCfg;
-    return textCfg;
-}
--- a/client/configurators/shadowsocks_configurator.h
+++ b/client/configurators/shadowsocks_configurator.h
@@ -1,19 +0,0 @@
-#ifndef SHADOWSOCKS_CONFIGURATOR_H
-#define SHADOWSOCKS_CONFIGURATOR_H
-
-#include <QObject>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class ShadowSocksConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    ShadowSocksConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-};
-
-#endif // SHADOWSOCKS_CONFIGURATOR_H
--- a/client/configurators/ssh_configurator.cpp
+++ b/client/configurators/ssh_configurator.cpp
@@ -1,112 +0,0 @@
-#include "ssh_configurator.h"
-
-#include <QDebug>
-#include <QObject>
-#include <QProcess>
-#include <QString>
-#include <QTemporaryDir>
-#include <QTemporaryFile>
-#include <QThread>
-#include <qtimer.h>
-#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS) || defined(MACOS_NE)
-    #include <QGuiApplication>
-#else
-    #include <QApplication>
-#endif
-
-#include "core/server_defs.h"
-#include "utilities.h"
-
-SshConfigurator::SshConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
-{
-}
-
-QString SshConfigurator::convertOpenSShKey(const QString &key)
-{
-#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
-    QProcess p;
-    p.setProcessChannelMode(QProcess::MergedChannels);
-
-    QTemporaryFile tmp;
-    #ifdef QT_DEBUG
-    tmp.setAutoRemove(false);
-    #endif
-    tmp.open();
-    tmp.write(key.toUtf8());
-    tmp.close();
-
-    // ssh-keygen -p -P "" -N "" -m pem -f id_ssh
-
-    #ifdef Q_OS_WIN
-    p.setProcessEnvironment(prepareEnv());
-    p.setProgram("cmd.exe");
-    p.setNativeArguments(QString("/C \"ssh-keygen.exe -p -P \"\" -N \"\" -m pem -f \"%1\"\"").arg(tmp.fileName()));
-    #else
-    p.setProgram("ssh-keygen");
-    p.setArguments(QStringList() << "-p"
-                                 << "-P"
-                                 << ""
-                                 << "-N"
-                                 << ""
-                                 << "-m"
-                                 << "pem"
-                                 << "-f" << tmp.fileName());
-    #endif
-
-    p.start();
-    p.waitForFinished();
-
-    qDebug().noquote() << "OpenVpnConfigurator::convertOpenSShKey" << p.exitCode() << p.exitStatus() << p.readAll();
-
-    tmp.open();
-
-    return tmp.readAll();
-#else
-    return key;
-#endif
-}
-
-// DEAD CODE.
-void SshConfigurator::openSshTerminal(const ServerCredentials &credentials)
-{
-#if !defined(Q_OS_IOS) && !defined(MACOS_NE)
-    QProcess *p = new QProcess();
-    p->setProcessChannelMode(QProcess::SeparateChannels);
-
-    #ifdef Q_OS_WIN
-    p->setProcessEnvironment(prepareEnv());
-    p->setProgram(qApp->applicationDirPath() + "\\cygwin\\putty.exe");
-
-    if (credentials.secretData.contains("PRIVATE KEY")) {
-        // todo: connect by key
-        //        p->setNativeArguments(QString("%1@%2")
-        //            .arg(credentials.userName).arg(credentials.hostName).arg(credentials.secretData));
-    } else {
-        p->setNativeArguments(QString("%1@%2 -pw %3").arg(credentials.userName).arg(credentials.hostName).arg(credentials.secretData));
-    }
-    #else
-    p->setProgram("/bin/bash");
-    #endif
-
-    p->startDetached();
-#endif
-}
-
-QProcessEnvironment SshConfigurator::prepareEnv()
-{
-    QProcessEnvironment env = QProcessEnvironment::systemEnvironment();
-    QString pathEnvVar = env.value("PATH");
-
-#ifdef Q_OS_WIN
-    pathEnvVar.clear();
-    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\cygwin;");
-    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "\\openvpn;");
-#elif defined(Q_OS_MACX) && !defined(MACOS_NE)
-    pathEnvVar.prepend(QDir::toNativeSeparators(QApplication::applicationDirPath()) + "/Contents/MacOS");
-#endif
-
-    env.insert("PATH", pathEnvVar);
-    // qDebug().noquote() << "ENV PATH" << pathEnvVar;
-    return env;
-}
--- a/client/configurators/ssh_configurator.h
+++ b/client/configurators/ssh_configurator.h
@@ -1,22 +0,0 @@
-#ifndef SSH_CONFIGURATOR_H
-#define SSH_CONFIGURATOR_H
-
-#include <QObject>
-#include <QProcessEnvironment>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class SshConfigurator : ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    SshConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QProcessEnvironment prepareEnv();
-    QString convertOpenSShKey(const QString &key);
-    void openSshTerminal(const ServerCredentials &credentials);
-
-};
-
-#endif // SSH_CONFIGURATOR_H
--- a/client/configurators/wireguard_configurator.h
+++ b/client/configurators/wireguard_configurator.h
@@ -1,54 +0,0 @@
-#ifndef WIREGUARD_CONFIGURATOR_H
-#define WIREGUARD_CONFIGURATOR_H
-
-#include <QHostAddress>
-#include <QObject>
-#include <QProcessEnvironment>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-#include "core/scripts_registry.h"
-
-class WireguardConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    WireguardConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
-                          bool isAwg, QObject *parent = nullptr);
-
-    struct ConnectionData
-    {
-        QString clientPrivKey; // client private key
-        QString clientPubKey;  // client public key
-        QString clientIP;      // internal client IP address
-        QString serverPubKey;  // tls-auth key
-        QString pskKey;        // preshared key
-        QString host;          // host ip
-        QString port;
-    };
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container,
-                         const QJsonObject &containerConfig, ErrorCode &errorCode);
-
-    QString processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                           QString &protocolConfigString);
-    QString processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                            QString &protocolConfigString);
-
-    static ConnectionData genClientKeys();
-
-private:
-    QList<QHostAddress> getIpsFromConf(const QString &input);
-    ConnectionData prepareWireguardConfig(const ServerCredentials &credentials, DockerContainer container,
-                                          const QJsonObject &containerConfig, ErrorCode &errorCode);
-
-    bool m_isAwg;
-    QString m_serverConfigPath;
-    QString m_serverPublicKeyPath;
-    QString m_serverPskKeyPath;
-    amnezia::ProtocolScriptType m_configTemplate;
-    QString m_protocolName;
-    QString m_defaultPort;
-};
-
-#endif // WIREGUARD_CONFIGURATOR_H
--- a/client/configurators/xray_configurator.h
+++ b/client/configurators/xray_configurator.h
@@ -1,23 +0,0 @@
-#ifndef XRAY_CONFIGURATOR_H
-#define XRAY_CONFIGURATOR_H
-
-#include <QObject>
-
-#include "configurator_base.h"
-#include "core/defs.h"
-
-class XrayConfigurator : public ConfiguratorBase
-{
-    Q_OBJECT
-public:
-    XrayConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent = nullptr);
-
-    QString createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                         ErrorCode &errorCode);
-
-private:
-    QString prepareServerConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                ErrorCode &errorCode);
-};
-
-#endif // XRAY_CONFIGURATOR_H
--- a/client/containers/containers_defs.h
+++ b/client/containers/containers_defs.h
@@ -1,94 +0,0 @@
-#ifndef CONTAINERS_DEFS_H
-#define CONTAINERS_DEFS_H
-
-#include <QObject>
-#include <QQmlEngine>
-
-#include "../protocols/protocols_defs.h"
-
-using namespace amnezia;
-
-namespace amnezia
-{
-
-    namespace ContainerEnumNS
-    {
-        Q_NAMESPACE
-        enum DockerContainer {
-            None = 0,
-            Awg,
-            Awg2,
-            WireGuard,
-            OpenVpn,
-            Cloak,
-            ShadowSocks,
-            Ipsec,
-            Xray,
-            SSXray,
-
-            // non-vpn
-            TorWebSite,
-            Dns,
-            Sftp,
-            Socks5Proxy
-        };
-        Q_ENUM_NS(DockerContainer)
-    } // namespace ContainerEnumNS
-
-    using namespace ContainerEnumNS;
-    using namespace ProtocolEnumNS;
-
-    class ContainerProps : public QObject
-    {
-        Q_OBJECT
-
-    public:
-        Q_INVOKABLE static amnezia::DockerContainer containerFromString(const QString &container);
-        Q_INVOKABLE static QString containerToString(amnezia::DockerContainer container);
-        Q_INVOKABLE static QString containerTypeToString(amnezia::DockerContainer c);
-        Q_INVOKABLE static QString containerTypeToProtocolString(amnezia::DockerContainer c);
-
-        Q_INVOKABLE static QList<amnezia::DockerContainer> allContainers();
-
-        Q_INVOKABLE static QMap<amnezia::DockerContainer, QString> containerHumanNames();
-        Q_INVOKABLE static QMap<amnezia::DockerContainer, QString> containerDescriptions();
-        Q_INVOKABLE static QMap<amnezia::DockerContainer, QString> containerDetailedDescriptions();
-
-        // these protocols will be displayed in container settings
-        Q_INVOKABLE static QVector<amnezia::Proto> protocolsForContainer(amnezia::DockerContainer container);
-
-        Q_INVOKABLE static amnezia::ServiceType containerService(amnezia::DockerContainer c);
-
-        // binding between Docker container and main protocol of given container
-        // it may be changed fot future containers :)
-        Q_INVOKABLE static amnezia::Proto defaultProtocol(amnezia::DockerContainer c);
-
-        Q_INVOKABLE static bool isSupportedByCurrentPlatform(amnezia::DockerContainer c);
-        Q_INVOKABLE static QStringList fixedPortsForContainer(amnezia::DockerContainer c);
-
-        static bool isEasySetupContainer(amnezia::DockerContainer container);
-        static QString easySetupHeader(amnezia::DockerContainer container);
-        static QString easySetupDescription(amnezia::DockerContainer container);
-        static int easySetupOrder(amnezia::DockerContainer container);
-
-        static bool isShareable(amnezia::DockerContainer container);
-
-        static bool isAwgContainer(amnezia::DockerContainer container);
-
-
-        static QJsonObject getProtocolConfigFromContainer(const amnezia::Proto protocol, const QJsonObject &containerConfig);
-
-        static int installPageOrder(amnezia::DockerContainer container);
-    };
-
-    static void declareQmlContainerEnum()
-    {
-        qmlRegisterUncreatableMetaObject(ContainerEnumNS::staticMetaObject, "ContainerEnum", 1, 0, "ContainerEnum",
-                                         "Error: only enums");
-    }
-
-} // namespace amnezia
-
-QDebug operator<<(QDebug debug, const amnezia::DockerContainer &c);
-
-#endif // CONTAINERS_DEFS_H
--- a/client/core/configurators/awgConfigurator.cpp
+++ b/client/core/configurators/awgConfigurator.cpp
@@ -0,0 +1,109 @@
+#include "awgConfigurator.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocols/awgProtocolConfig.h"
+
+#include <QJsonDocument>
+#include <QJsonObject>
+
+using namespace amnezia;
+
+AwgConfigurator::AwgConfigurator(SshSession* sshSession, QObject *parent)
+    : WireguardConfigurator(sshSession, true, parent)
+{
+}
+
+ProtocolConfig AwgConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const ContainerConfig &containerConfig,
+                                              const DnsSettings &dnsSettings,
+                                              ErrorCode &errorCode)
+{
+    const AwgServerConfig* serverConfig = nullptr;
+    const AwgClientConfig* clientConfig = nullptr;
+    
+    if (auto* awgProtocolConfig = containerConfig.getAwgProtocolConfig()) {
+        serverConfig = &awgProtocolConfig->serverConfig;
+        if (awgProtocolConfig->clientConfig.has_value()) {
+            clientConfig = &awgProtocolConfig->clientConfig.value();
+        }
+    }
+    
+    ProtocolConfig wireguardConfig = WireguardConfigurator::createConfig(credentials, container, containerConfig, dnsSettings, errorCode);
+    if (errorCode != ErrorCode::NoError) {
+        return AwgProtocolConfig{};
+    }
+    
+    WireGuardProtocolConfig* wgConfig = wireguardConfig.as<WireGuardProtocolConfig>();
+    if (!wgConfig || !wgConfig->clientConfig.has_value()) {
+        errorCode = ErrorCode::InternalError;
+        return AwgProtocolConfig{};
+    }
+    
+    QString awgConfig = wgConfig->clientConfig->nativeConfig;
+
+    QMap<QString, QString> configMap;
+    auto configLines = awgConfig.split("\n");
+    for (auto &line : configLines) {
+        auto trimmedLine = line.trimmed();
+        if (trimmedLine.startsWith("[") && trimmedLine.endsWith("]")) {
+            continue;
+        } else {
+            QStringList parts = trimmedLine.split(" = ");
+            if (parts.count() == 2) {
+                configMap.insert(parts[0].trimmed(), parts[1].trimmed());
+            }
+        }
+    }
+
+    AwgProtocolConfig protocolConfig;
+    if (serverConfig) {
+        protocolConfig.serverConfig = *serverConfig;
+    }
+    
+    AwgClientConfig newClientConfig;
+    newClientConfig.nativeConfig = awgConfig;
+    newClientConfig.hostName = wgConfig->clientConfig->hostName;
+    newClientConfig.port = wgConfig->clientConfig->port;
+    newClientConfig.clientIp = wgConfig->clientConfig->clientIp;
+    newClientConfig.clientPrivateKey = wgConfig->clientConfig->clientPrivateKey;
+    newClientConfig.clientPublicKey = wgConfig->clientConfig->clientPublicKey;
+    newClientConfig.serverPublicKey = wgConfig->clientConfig->serverPublicKey;
+    newClientConfig.presharedKey = wgConfig->clientConfig->presharedKey;
+    newClientConfig.clientId = wgConfig->clientConfig->clientId;
+    newClientConfig.allowedIps = wgConfig->clientConfig->allowedIps;
+    newClientConfig.persistentKeepAlive = wgConfig->clientConfig->persistentKeepAlive;
+    
+    QString mtu = protocols::awg::defaultMtu;
+    if (clientConfig && !clientConfig->mtu.isEmpty()) {
+        mtu = clientConfig->mtu;
+    }
+    newClientConfig.mtu = mtu;
+    
+    newClientConfig.junkPacketCount = configMap.value(configKey::junkPacketCount);
+    newClientConfig.junkPacketMinSize = configMap.value(configKey::junkPacketMinSize);
+    newClientConfig.junkPacketMaxSize = configMap.value(configKey::junkPacketMaxSize);
+    newClientConfig.initPacketJunkSize = configMap.value(configKey::initPacketJunkSize);
+    newClientConfig.responsePacketJunkSize = configMap.value(configKey::responsePacketJunkSize);
+    newClientConfig.initPacketMagicHeader = configMap.value(configKey::initPacketMagicHeader);
+    newClientConfig.responsePacketMagicHeader = configMap.value(configKey::responsePacketMagicHeader);
+    newClientConfig.underloadPacketMagicHeader = configMap.value(configKey::underloadPacketMagicHeader);
+    newClientConfig.transportPacketMagicHeader = configMap.value(configKey::transportPacketMagicHeader);
+    newClientConfig.specialJunk1 = configMap.value(configKey::specialJunk1);
+    newClientConfig.specialJunk2 = configMap.value(configKey::specialJunk2);
+    newClientConfig.specialJunk3 = configMap.value(configKey::specialJunk3);
+    newClientConfig.specialJunk4 = configMap.value(configKey::specialJunk4);
+    newClientConfig.specialJunk5 = configMap.value(configKey::specialJunk5);
+    
+    if (container == DockerContainer::Awg2) {
+        newClientConfig.cookieReplyPacketJunkSize = configMap.value(configKey::cookieReplyPacketJunkSize);
+        newClientConfig.transportPacketJunkSize = configMap.value(configKey::transportPacketJunkSize);
+    }
+    
+    newClientConfig.isObfuscationEnabled = false;
+    
+    protocolConfig.setClientConfig(newClientConfig);
+    
+    return protocolConfig;
+}
--- a/client/core/configurators/awgConfigurator.h
+++ b/client/core/configurators/awgConfigurator.h
@@ -0,0 +1,20 @@
+#ifndef AWGCONFIGURATOR_H
+#define AWGCONFIGURATOR_H
+
+#include <QObject>
+
+#include "wireguardConfigurator.h"
+
+class AwgConfigurator : public WireguardConfigurator
+{
+    Q_OBJECT
+public:
+    AwgConfigurator(SshSession* sshSession, QObject *parent = nullptr);
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode) override;
+};
+
+#endif // AWGCONFIGURATOR_H
--- a/client/core/configurators/configuratorBase.cpp
+++ b/client/core/configurators/configuratorBase.cpp
@@ -0,0 +1,50 @@
+#include "configuratorBase.h"
+
+#include "core/configurators/awgConfigurator.h"
+#include "core/configurators/ikev2Configurator.h"
+#include "core/configurators/openVpnConfigurator.h"
+#include "core/configurators/wireguardConfigurator.h"
+#include "core/configurators/xrayConfigurator.h"
+
+using namespace amnezia;
+
+ConfiguratorBase::ConfiguratorBase(SshSession* sshSession, QObject *parent)
+    : QObject { parent }, m_sshSession(sshSession)
+{
+}
+
+QScopedPointer<ConfiguratorBase> ConfiguratorBase::create(Proto protocol,
+                                                          SshSession* sshSession)
+{
+    switch (protocol) {
+    case Proto::OpenVpn: return QScopedPointer<ConfiguratorBase>(new OpenVpnConfigurator(sshSession));
+    case Proto::WireGuard: return QScopedPointer<ConfiguratorBase>(new WireguardConfigurator(sshSession, false));
+    case Proto::Awg: return QScopedPointer<ConfiguratorBase>(new AwgConfigurator(sshSession));
+    case Proto::Ikev2: return QScopedPointer<ConfiguratorBase>(new Ikev2Configurator(sshSession));
+    case Proto::Xray: return QScopedPointer<ConfiguratorBase>(new XrayConfigurator(sshSession));
+    case Proto::SSXray: return QScopedPointer<ConfiguratorBase>(new XrayConfigurator(sshSession));
+    default: return QScopedPointer<ConfiguratorBase>();
+    }
+}
+
+ProtocolConfig ConfiguratorBase::processConfigWithLocalSettings(const ConnectionSettings &settings,
+                                                                 ProtocolConfig protocolConfig)
+{
+    applyDnsToNativeConfig(settings.dns, protocolConfig);
+    return protocolConfig;
+}
+
+ProtocolConfig ConfiguratorBase::processConfigWithExportSettings(const ExportSettings &settings,
+                                                                 ProtocolConfig protocolConfig)
+{
+    applyDnsToNativeConfig(settings.dns, protocolConfig);
+    return protocolConfig;
+}
+
+void ConfiguratorBase::applyDnsToNativeConfig(const DnsSettings &dns, ProtocolConfig &protocolConfig)
+{
+    QString config = protocolConfig.nativeConfig();
+    config.replace("$PRIMARY_DNS", dns.primaryDns);
+    config.replace("$SECONDARY_DNS", dns.secondaryDns);
+    protocolConfig.setNativeConfig(config);
+}
--- a/client/core/configurators/configuratorBase.h
+++ b/client/core/configurators/configuratorBase.h
@@ -0,0 +1,43 @@
+#ifndef CONFIGURATORBASE_H
+#define CONFIGURATORBASE_H
+
+#include <QObject>
+#include <QScopedPointer>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocolConfig.h"
+
+class SshSession;
+
+class ConfiguratorBase : public QObject
+{
+    Q_OBJECT
+public:
+    explicit ConfiguratorBase(SshSession* sshSession, QObject *parent = nullptr);
+
+    static QScopedPointer<ConfiguratorBase> create(amnezia::Proto protocol,
+                                                   SshSession* sshSession);
+
+    virtual amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                        const amnezia::ContainerConfig &containerConfig,
+                                        const amnezia::DnsSettings &dnsSettings,
+                                        amnezia::ErrorCode &errorCode) = 0;
+
+    virtual amnezia::ProtocolConfig processConfigWithLocalSettings(const amnezia::ConnectionSettings &settings,
+                                                                   amnezia::ProtocolConfig protocolConfig);
+    virtual amnezia::ProtocolConfig processConfigWithExportSettings(const amnezia::ExportSettings &settings,
+                                                                     amnezia::ProtocolConfig protocolConfig);
+
+protected:
+    void applyDnsToNativeConfig(const amnezia::DnsSettings &dns, amnezia::ProtocolConfig &protocolConfig);
+
+    SshSession* m_sshSession;
+};
+
+#endif // CONFIGURATORBASE_H
--- a/client/core/configurators/ikev2Configurator.cpp
+++ b/client/core/configurators/ikev2Configurator.cpp
@@ -1,4 +1,4 @@
-#include "ikev2_configurator.h"
+#include "ikev2Configurator.h"

 #include <QDebug>
 #include <QJsonDocument>
@@ -8,14 +8,16 @@
 #include <QTemporaryFile>
 #include <QUuid>

-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-#include "core/scripts_registry.h"
-#include "core/server_defs.h"
-#include "utilities.h"
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "core/utils/utilities.h"
+#include "core/models/protocols/ikev2ProtocolConfig.h"

-Ikev2Configurator::Ikev2Configurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
+Ikev2Configurator::Ikev2Configurator(SshSession* sshSession, QObject *parent)
+    : ConfiguratorBase(sshSession, parent)
 {
 }

@@ -25,7 +27,6 @@ Ikev2Configurator::ConnectionData Ikev2Configurator::prepareIkev2Config(const Se
    Ikev2Configurator::ConnectionData connData;
    connData.host = credentials.hostName;
    connData.clientId = Utils::getRandomString(16);
-    connData.password = Utils::getRandomString(16);
    connData.password = "";

    QString certFileName = "/opt/amnezia/ikev2/clients/" + connData.clientId + ".p12";
@@ -39,14 +40,14 @@ Ikev2Configurator::ConnectionData Ikev2Configurator::prepareIkev2Config(const Se
                                       "--extKeyUsage serverAuth,clientAuth -8 \"%1\"")
                                       .arg(connData.clientId);

-    errorCode = m_serverController->runContainerScript(credentials, container, scriptCreateCert);
+    errorCode = m_sshSession->runContainerScript(credentials, container, scriptCreateCert);

    QString scriptExportCert =
            QString("pk12util -W \"%1\" -d sql:/etc/ipsec.d -n \"%2\" -o \"%3\"").arg(connData.password).arg(connData.clientId).arg(certFileName);
-    errorCode = m_serverController->runContainerScript(credentials, container, scriptExportCert);
+    errorCode = m_sshSession->runContainerScript(credentials, container, scriptExportCert);

-    connData.clientCert = m_serverController->getTextFileFromContainer(container, credentials, certFileName, errorCode);
-    connData.caCert = m_serverController->getTextFileFromContainer(container, credentials, "/etc/ipsec.d/ca_cert_base64.p12", errorCode);
+    connData.clientCert = m_sshSession->getTextFileFromContainer(container, credentials, certFileName, errorCode);
+    connData.caCert = m_sshSession->getTextFileFromContainer(container, credentials, "/etc/ipsec.d/ca_cert_base64.p12", errorCode);

    qDebug() << "Ikev2Configurator::ConnectionData client cert size:" << connData.clientCert.size();
    qDebug() << "Ikev2Configurator::ConnectionData ca cert size:" << connData.caCert.size();
@@ -54,26 +55,51 @@ Ikev2Configurator::ConnectionData Ikev2Configurator::prepareIkev2Config(const Se
    return connData;
 }

-QString Ikev2Configurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig,
-                                        ErrorCode &errorCode)
+ProtocolConfig Ikev2Configurator::createConfig(const ServerCredentials &credentials, DockerContainer container, const ContainerConfig &containerConfig,
+                                               const DnsSettings &dnsSettings,
+                                               ErrorCode &errorCode)
 {
-    Q_UNUSED(containerConfig)
+    const Ikev2ServerConfig* serverConfig = nullptr;
+    if (auto* ikev2Config = containerConfig.protocolConfig.as<Ikev2ProtocolConfig>()) {
+        serverConfig = &ikev2Config->serverConfig;
+    }

    ConnectionData connData = prepareIkev2Config(credentials, container, errorCode);
    if (errorCode != ErrorCode::NoError) {
-        return "";
+        return Ikev2ProtocolConfig{};
    }

-    return genIkev2Config(connData);
+    QString configJson = genIkev2Config(connData);
+    QJsonDocument doc = QJsonDocument::fromJson(configJson.toUtf8());
+    QJsonObject configObj = doc.object();
+
+    Ikev2ProtocolConfig protocolConfig;
+    if (serverConfig) {
+        protocolConfig.serverConfig = *serverConfig;
+    } else {
+        protocolConfig.serverConfig.hostName = connData.host;
+    }
+    
+    Ikev2ClientConfig clientConfig;
+    clientConfig.nativeConfig = configJson;
+    clientConfig.hostName = connData.host;
+    clientConfig.userName = connData.clientId;
+    clientConfig.cert = QString(connData.clientCert.toBase64());
+    clientConfig.password = connData.password;
+    clientConfig.clientId = connData.clientId;
+    
+    protocolConfig.setClientConfig(clientConfig);
+    
+    return protocolConfig;
 }

 QString Ikev2Configurator::genIkev2Config(const ConnectionData &connData)
 {
    QJsonObject config;
-    config[config_key::hostName] = connData.host;
-    config[config_key::userName] = connData.clientId;
-    config[config_key::cert] = QString(connData.clientCert.toBase64());
-    config[config_key::password] = connData.password;
+    config[configKey::hostName] = connData.host;
+    config[configKey::userName] = connData.clientId;
+    config[configKey::cert] = QString(connData.clientCert.toBase64());
+    config[configKey::password] = connData.password;

    return QJsonDocument(config).toJson();
 }
--- a/client/core/configurators/ikev2Configurator.h
+++ b/client/core/configurators/ikev2Configurator.h
@@ -0,0 +1,39 @@
+#ifndef IKEV2_CONFIGURATOR_H
+#define IKEV2_CONFIGURATOR_H
+
+#include <QObject>
+#include <QProcessEnvironment>
+
+#include "configuratorBase.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+
+class Ikev2Configurator : public ConfiguratorBase
+{
+    Q_OBJECT
+public:
+    Ikev2Configurator(SshSession* sshSession, QObject *parent = nullptr);
+
+    struct ConnectionData {
+        QByteArray clientCert; // p12 client cert
+        QByteArray caCert; // p12 server cert
+        QString clientId;
+        QString password; // certificate password
+        QString host; // host ip
+    };
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode) override;
+
+    QString genIkev2Config(const ConnectionData &connData);
+    QString genMobileConfig(const ConnectionData &connData);
+    QString genStrongSwanConfig(const ConnectionData &connData);
+
+    ConnectionData prepareIkev2Config(const amnezia::ServerCredentials &credentials,
+        amnezia::DockerContainer container, amnezia::ErrorCode &errorCode);
+};
+
+#endif // IKEV2_CONFIGURATOR_H
--- a/client/core/configurators/openVpnConfigurator.cpp
+++ b/client/core/configurators/openVpnConfigurator.cpp
@@ -1,8 +1,9 @@
-#include "openvpn_configurator.h"
+#include "openVpnConfigurator.h"

 #include <QDebug>
 #include <QJsonDocument>
 #include <QJsonObject>
+#include <QRegularExpression>
 #include <QProcess>
 #include <QString>
 #include <QTemporaryDir>
@@ -13,26 +14,34 @@
    #include <QApplication>
 #endif

-#include "core/networkUtilities.h"
-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-#include "core/scripts_registry.h"
-#include "settings.h"
-#include "utilities.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/utils/networkUtilities.h"
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "core/utils/utilities.h"
+#include "core/models/protocols/openVpnProtocolConfig.h"
+
+using namespace amnezia;

 #include <openssl/pem.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>


-OpenVpnConfigurator::OpenVpnConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController,
-                                         QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
+OpenVpnConfigurator::OpenVpnConfigurator(SshSession* sshSession, QObject *parent)
+    : ConfiguratorBase(sshSession, parent)
 {
 }

 OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::prepareOpenVpnConfig(const ServerCredentials &credentials,
-                                                                              DockerContainer container, ErrorCode &errorCode)
+                                                                              DockerContainer container, 
+                                                                              const DnsSettings &dnsSettings,
+                                                                              ErrorCode &errorCode)
 {
    OpenVpnConfigurator::ConnectionData connData = OpenVpnConfigurator::createCertRequest();
    connData.host = credentials.hostName;
@@ -44,26 +53,26 @@ OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::prepareOpenVpnConfig(co

    QString reqFileName = QString("%1/%2.req").arg(amnezia::protocols::openvpn::clientsDirPath).arg(connData.clientId);

-    errorCode = m_serverController->uploadTextFileToContainer(container, credentials, connData.request, reqFileName);
+    errorCode = m_sshSession->uploadTextFileToContainer(container, credentials, connData.request, reqFileName);
    if (errorCode != ErrorCode::NoError) {
        return connData;
    }

-    errorCode = signCert(container, credentials, connData.clientId);
+    errorCode = signCert(container, credentials, dnsSettings, connData.clientId);
    if (errorCode != ErrorCode::NoError) {
        return connData;
    }

    connData.caCert =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::caCertPath, errorCode);
-    connData.clientCert = m_serverController->getTextFileFromContainer(
+            m_sshSession->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::caCertPath, errorCode);
+    connData.clientCert = m_sshSession->getTextFileFromContainer(
            container, credentials, QString("%1/%2.crt").arg(amnezia::protocols::openvpn::clientCertPath).arg(connData.clientId), errorCode);

    if (errorCode != ErrorCode::NoError) {
        return connData;
    }

-    connData.taKey = m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::taKeyPath, errorCode);
+    connData.taKey = m_sshSession->getTextFileFromContainer(container, credentials, amnezia::protocols::openvpn::taKeyPath, errorCode);

    if (connData.caCert.isEmpty() || connData.clientCert.isEmpty() || connData.taKey.isEmpty()) {
        errorCode = ErrorCode::SshScpFailureError;
@@ -72,15 +81,23 @@ OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::prepareOpenVpnConfig(co
    return connData;
 }

-QString OpenVpnConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                          const QJsonObject &containerConfig, ErrorCode &errorCode)
+ProtocolConfig OpenVpnConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
+                                                  const ContainerConfig &containerConfig,
+                                                  const DnsSettings &dnsSettings,
+                                                  ErrorCode &errorCode)
 {
-    QString config = m_serverController->replaceVars(amnezia::scriptData(ProtocolScriptType::openvpn_template, container),
-                                                     m_serverController->genVarsForScript(credentials, container, containerConfig));
+    const OpenVpnServerConfig* serverConfig = nullptr;
+    if (auto* openVpnProtocolConfig = containerConfig.getOpenVpnProtocolConfig()) {
+        serverConfig = &openVpnProtocolConfig->serverConfig;
+    }
+    
+    amnezia::ScriptVars vars = amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns);
+    vars.append(amnezia::genProtocolVarsForContainer(container, containerConfig));
+    QString config = m_sshSession->replaceVars(amnezia::scriptData(ProtocolScriptType::openvpn_template, container), vars);

-    ConnectionData connData = prepareOpenVpnConfig(credentials, container, errorCode);
+    ConnectionData connData = prepareOpenVpnConfig(credentials, container, dnsSettings, errorCode);
    if (errorCode != ErrorCode::NoError) {
-        return "";
+        return OpenVpnProtocolConfig{};
    }

    auto sanitizeStaticKey = [](const QString &key) {
@@ -116,42 +133,45 @@ QString OpenVpnConfigurator::createConfig(const ServerCredentials &credentials,
    config.replace("block-outside-dns", "");
 #endif

-    QJsonObject jConfig;
-    jConfig[config_key::config] = config;
-
-    jConfig[config_key::clientId] = connData.clientId;
-
-    return QJsonDocument(jConfig).toJson();
+    OpenVpnProtocolConfig protocolConfig;
+    if (serverConfig) {
+        protocolConfig.serverConfig = *serverConfig;
+    }
+    
+    OpenVpnClientConfig clientConfig;
+    clientConfig.nativeConfig = config;
+    clientConfig.clientId = connData.clientId;
+    clientConfig.blockOutsideDns = false;
+    
+    protocolConfig.setClientConfig(clientConfig);
+    
+    return protocolConfig;
 }

-QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                            QString &protocolConfigString)
+ProtocolConfig OpenVpnConfigurator::processConfigWithLocalSettings(const ConnectionSettings &settings,
+                                                                   ProtocolConfig protocolConfig)
 {
-    processConfigWithDnsSettings(dns, protocolConfigString);
+    applyDnsToNativeConfig(settings.dns, protocolConfig);

-    QJsonObject json = QJsonDocument::fromJson(protocolConfigString.toUtf8()).object();
-    QString config = json[config_key::config].toString();
+    QString config = protocolConfig.nativeConfig();

-    if (!isApiConfig) {
+    if (!settings.isApiConfig) {
        QRegularExpression regex("redirect-gateway.*");
        config.replace(regex, "");

-        // We don't use secondary DNS if primary DNS is AmneziaDNS
-        if (dns.first.contains(protocols::dns::amneziaDnsIp)) {
-            QRegularExpression dnsRegex("dhcp-option DNS " + dns.second);
+        if (settings.dns.primaryDns.contains(protocols::dns::amneziaDnsIp)) {
+            QRegularExpression dnsRegex("dhcp-option DNS " + settings.dns.secondaryDns);
            config.replace(dnsRegex, "");
        }

-        if (!m_settings->isSitesSplitTunnelingEnabled()) {
+        if (!settings.splitTunneling.isSitesSplitTunnelingEnabled) {
            config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");
            config.append("block-ipv6\n");
-        } else if (m_settings->routeMode() == Settings::VpnOnlyForwardSites) {
-
-               // no redirect-gateway
-        } else if (m_settings->routeMode() == Settings::VpnAllExceptSites) {
+        } else if (settings.splitTunneling.routeMode == RouteMode::VpnOnlyForwardSites) {
+            // no redirect-gateway
+        } else if (settings.splitTunneling.routeMode == RouteMode::VpnAllExceptSites) {
 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
            config.append("\nredirect-gateway ipv6 !ipv4 bypass-dhcp\n");
-            // Prevent ipv6 leak
 #endif
            config.append("block-ipv6\n");
        }
@@ -162,64 +182,57 @@ QString OpenVpnConfigurator::processConfigWithLocalSettings(const QPair<QString,
 #endif

 #if (defined(MZ_MACOS) || defined(MZ_LINUX))
-    QString dnsConf = QString("\nscript-security 2\n"
-                              "up %1/update-resolv-conf.sh\n"
-                              "down %1/update-resolv-conf.sh\n")
-                              .arg(qApp->applicationDirPath());
-
-    config.append(dnsConf);
+    config.append(QString("\nscript-security 2\n"
+                         "up %1/update-resolv-conf.sh\n"
+                         "down %1/update-resolv-conf.sh\n")
+                  .arg(qApp->applicationDirPath()));
 #endif

-    json[config_key::config] = config;
-    return QJsonDocument(json).toJson();
+    protocolConfig.setNativeConfig(config);
+    return protocolConfig;
 }

-QString OpenVpnConfigurator::processConfigWithExportSettings(const QPair<QString, QString> &dns, const bool isApiConfig,
-                                                             QString &protocolConfigString)
+ProtocolConfig OpenVpnConfigurator::processConfigWithExportSettings(const ExportSettings &settings,
+                                                                    ProtocolConfig protocolConfig)
 {
-    processConfigWithDnsSettings(dns, protocolConfigString);
+    applyDnsToNativeConfig(settings.dns, protocolConfig);

-    QJsonObject json = QJsonDocument::fromJson(protocolConfigString.toUtf8()).object();
-    QString config = json[config_key::config].toString();
+    QString config = protocolConfig.nativeConfig();

    QRegularExpression regex("redirect-gateway.*");
    config.replace(regex, "");

-    // We don't use secondary DNS if primary DNS is AmneziaDNS
-    if (dns.first.contains(protocols::dns::amneziaDnsIp)) {
-        QRegularExpression dnsRegex("dhcp-option DNS " + dns.second);
+    if (settings.dns.primaryDns.contains(protocols::dns::amneziaDnsIp)) {
+        QRegularExpression dnsRegex("dhcp-option DNS " + settings.dns.secondaryDns);
        config.replace(dnsRegex, "");
    }

    config.append("\nredirect-gateway def1 ipv6 bypass-dhcp\n");
-
-    // Prevent ipv6 leak
    config.append("block-ipv6\n");
-
-    // remove block-outside-dns for all exported configs
    config.replace("block-outside-dns", "");

-    json[config_key::config] = config;
-    return QJsonDocument(json).toJson();
+    protocolConfig.setNativeConfig(config);
+    return protocolConfig;
 }

-ErrorCode OpenVpnConfigurator::signCert(DockerContainer container, const ServerCredentials &credentials, QString clientId)
+ErrorCode OpenVpnConfigurator::signCert(DockerContainer container, const ServerCredentials &credentials, 
+                                        const DnsSettings &dnsSettings, QString clientId)
 {
    QString script_import = QString("sudo docker exec -i %1 bash -c \"cd /opt/amnezia/openvpn && "
                                    "easyrsa import-req %2/%3.req %3\"")
-                                    .arg(ContainerProps::containerToString(container))
+                                    .arg(ContainerUtils::containerToString(container))
                                    .arg(amnezia::protocols::openvpn::clientsDirPath)
                                    .arg(clientId);

    QString script_sign = QString("sudo docker exec -i %1 bash -c \"export EASYRSA_BATCH=1; cd /opt/amnezia/openvpn && "
                                  "easyrsa sign-req client %2\"")
-                                  .arg(ContainerProps::containerToString(container))
+                                  .arg(ContainerUtils::containerToString(container))
                                  .arg(clientId);

    QStringList scriptList { script_import, script_sign };
-    QString script = m_serverController->replaceVars(scriptList.join("\n"), m_serverController->genVarsForScript(credentials, container));
+    QString script = m_sshSession->replaceVars(scriptList.join("\n"), amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns));

-    return m_serverController->runScript(credentials, script);
+    return m_sshSession->runScript(credentials, script);
 }

 OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::createCertRequest()
@@ -228,7 +241,7 @@ OpenVpnConfigurator::ConnectionData OpenVpnConfigurator::createCertRequest()
    connData.clientId = Utils::getRandomString(32);

    int ret = 0;
-    int nVersion = 1;
+    int nVersion = 0;

    QByteArray clientIdUtf8 = connData.clientId.toUtf8();

--- a/client/core/configurators/openVpnConfigurator.h
+++ b/client/core/configurators/openVpnConfigurator.h
@@ -0,0 +1,49 @@
+#ifndef OPENVPN_CONFIGURATOR_H
+#define OPENVPN_CONFIGURATOR_H
+
+#include <QObject>
+#include <QProcessEnvironment>
+
+#include "configuratorBase.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+
+class OpenVpnConfigurator : public ConfiguratorBase
+{
+    Q_OBJECT
+public:
+    OpenVpnConfigurator(SshSession* sshSession, QObject *parent = nullptr);
+
+    struct ConnectionData
+    {
+        QString clientId;
+        QString request;    // certificate request
+        QString privKey;    // client private key
+        QString clientCert; // client signed certificate
+        QString caCert;     // server certificate
+        QString taKey;      // tls-auth key
+        QString host;       // host ip
+    };
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                               const amnezia::ContainerConfig &containerConfig,
+                               const amnezia::DnsSettings &dnsSettings,
+                               amnezia::ErrorCode &errorCode) override;
+
+    amnezia::ProtocolConfig processConfigWithLocalSettings(const amnezia::ConnectionSettings &settings,
+                                                           amnezia::ProtocolConfig protocolConfig) override;
+    amnezia::ProtocolConfig processConfigWithExportSettings(const amnezia::ExportSettings &settings,
+                                                            amnezia::ProtocolConfig protocolConfig) override;
+
+    static ConnectionData createCertRequest();
+
+private:
+    ConnectionData prepareOpenVpnConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                       const amnezia::DnsSettings &dnsSettings,
+                                       amnezia::ErrorCode &errorCode);
+    amnezia::ErrorCode signCert(amnezia::DockerContainer container, const amnezia::ServerCredentials &credentials, 
+                      const amnezia::DnsSettings &dnsSettings, QString clientId);
+};
+
+#endif // OPENVPN_CONFIGURATOR_H
--- a/client/core/configurators/wireguardConfigurator.cpp
+++ b/client/core/configurators/wireguardConfigurator.cpp
@@ -1,4 +1,4 @@
-#include "wireguard_configurator.h"
+#include "wireguardConfigurator.h"

 #include <QDebug>
 #include <QJsonDocument>
@@ -13,17 +13,26 @@
 #include <openssl/rsa.h>
 #include <openssl/x509.h>

-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-#include "core/scripts_registry.h"
-#include "core/server_defs.h"
-#include "settings.h"
-#include "utilities.h"
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/utils/utilities.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocols/wireGuardProtocolConfig.h"
+#include "core/models/protocols/awgProtocolConfig.h"
+#include <QJsonArray>

-WireguardConfigurator::WireguardConfigurator(std::shared_ptr<Settings> settings,
-                                             const QSharedPointer<ServerController> &serverController, bool isAwg,
+using namespace amnezia;
+
+WireguardConfigurator::WireguardConfigurator(SshSession* sshSession, bool isAwg,
                                             QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent), m_isAwg(isAwg)
+    : ConfiguratorBase(sshSession, parent), m_isAwg(isAwg)
 {
    m_serverConfigPath =
            m_isAwg ? amnezia::protocols::awg::serverConfigPath : amnezia::protocols::wireguard::serverConfigPath;
@@ -33,8 +42,8 @@ WireguardConfigurator::WireguardConfigurator(std::shared_ptr<Settings> settings,
            m_isAwg ? amnezia::protocols::awg::serverPskKeyPath : amnezia::protocols::wireguard::serverPskKeyPath;
    m_configTemplate = m_isAwg ? ProtocolScriptType::awg_template : ProtocolScriptType::wireguard_template;

-    m_protocolName = m_isAwg ? config_key::awg : config_key::wireguard;
-    m_defaultPort = m_isAwg ? protocols::wireguard::defaultPort : protocols::awg::defaultPort;
+    m_protocolName = m_isAwg ? configKey::awg : configKey::wireguard;
+    m_defaultPort = m_isAwg ? protocols::awg::defaultPort : protocols::wireguard::defaultPort;
 }

 WireguardConfigurator::ConnectionData WireguardConfigurator::genClientKeys()
@@ -91,12 +100,21 @@ QList<QHostAddress> WireguardConfigurator::getIpsFromConf(const QString &input)

 WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardConfig(const ServerCredentials &credentials,
                                                                                    DockerContainer container,
-                                                                                    const QJsonObject &containerConfig,
+                                                                                    const WireGuardServerConfig* serverConfig,
+                                                                                    const AwgServerConfig* awgServerConfig,
+                                                                                    const DnsSettings &dnsSettings,
                                                                                    ErrorCode &errorCode)
 {
    WireguardConfigurator::ConnectionData connData = WireguardConfigurator::genClientKeys();
    connData.host = credentials.hostName;
-    connData.port = containerConfig.value(m_protocolName).toObject().value(config_key::port).toString(m_defaultPort);
+    
+    QString portStr = m_defaultPort;
+    if (serverConfig && !serverConfig->port.isEmpty()) {
+        portStr = serverConfig->port;
+    } else if (awgServerConfig && !awgServerConfig->port.isEmpty()) {
+        portStr = awgServerConfig->port;
+    }
+    connData.port = portStr;

    if (connData.clientPrivKey.isEmpty() || connData.clientPubKey.isEmpty()) {
        errorCode = ErrorCode::InternalError;
@@ -114,7 +132,7 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon
        return ErrorCode::NoError;
    };

-    errorCode = m_serverController->runContainerScript(credentials, container, getIpsScript, cbReadStdOut);
+    errorCode = m_sshSession->runContainerScript(credentials, container, getIpsScript, cbReadStdOut);
    if (errorCode != ErrorCode::NoError) {
        return connData;
    }
@@ -123,11 +141,14 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon
    QHostAddress nextIp = [&] {
        QHostAddress result;
        QHostAddress lastIp;
+        QString subnetAddress = protocols::wireguard::defaultSubnetAddress;
+        if (serverConfig && !serverConfig->subnetAddress.isEmpty()) {
+            subnetAddress = serverConfig->subnetAddress;
+        } else if (awgServerConfig && !awgServerConfig->subnetAddress.isEmpty()) {
+            subnetAddress = awgServerConfig->subnetAddress;
+        }
        if (ips.empty()) {
-            lastIp.setAddress(containerConfig.value(m_protocolName)
-                                      .toObject()
-                                      .value(config_key::subnet_address)
-                                      .toString(protocols::wireguard::defaultSubnetAddress));
+            lastIp.setAddress(subnetAddress);
        } else {
            lastIp = ips.last();
        }
@@ -145,13 +166,13 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon

    // Get keys
    connData.serverPubKey =
-            m_serverController->getTextFileFromContainer(container, credentials, m_serverPublicKeyPath, errorCode);
+            m_sshSession->getTextFileFromContainer(container, credentials, m_serverPublicKeyPath, errorCode);
    connData.serverPubKey.replace("\n", "");
    if (errorCode != ErrorCode::NoError) {
        return connData;
    }

-    connData.pskKey = m_serverController->getTextFileFromContainer(container, credentials, m_serverPskKeyPath, errorCode);
+    connData.pskKey = m_sshSession->getTextFileFromContainer(container, credentials, m_serverPskKeyPath, errorCode);
    connData.pskKey.replace("\n", "");

    if (errorCode != ErrorCode::NoError) {
@@ -165,7 +186,7 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon
                                 "AllowedIPs = %3/32\n\n")
                                 .arg(connData.clientPubKey, connData.pskKey, connData.clientIP);

-    errorCode = m_serverController->uploadTextFileToContainer(container, credentials, configPart, configPath,
+    errorCode = m_sshSession->uploadTextFileToContainer(container, credentials, configPart, configPath,
                                                              libssh::ScpOverwriteMode::ScpAppendToExisting);

    if (errorCode != ErrorCode::NoError) {
@@ -178,23 +199,43 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon
    QString script = QString(
        "sudo docker exec -i $CONTAINER_NAME bash -c '%1 syncconf %2 <(%1-quick strip %3)'").arg(bin, iface, configPath);

-    errorCode = m_serverController->runScript(
+    errorCode = m_sshSession->runScript(
            credentials,
-            m_serverController->replaceVars(script, m_serverController->genVarsForScript(credentials, container)));
+            m_sshSession->replaceVars(script, amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns)));

    return connData;
 }

-QString WireguardConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                            const QJsonObject &containerConfig, ErrorCode &errorCode)
+ProtocolConfig WireguardConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
+                                                    const ContainerConfig &containerConfig,
+                                                    const DnsSettings &dnsSettings,
+                                                    ErrorCode &errorCode)
 {
+    const WireGuardServerConfig* wireguardServerConfig = nullptr;
+    const WireGuardClientConfig* wireguardClientConfig = nullptr;
+    const AwgServerConfig* awgServerConfig = nullptr;
+    const AwgClientConfig* awgClientConfig = nullptr;
+    
+    if (auto* wireGuardProtocolConfig = containerConfig.getWireGuardProtocolConfig()) {
+        wireguardServerConfig = &wireGuardProtocolConfig->serverConfig;
+        if (wireGuardProtocolConfig->clientConfig.has_value()) {
+            wireguardClientConfig = &wireGuardProtocolConfig->clientConfig.value();
+        }
+    } else if (auto* awgProtocolConfig = containerConfig.getAwgProtocolConfig()) {
+        awgServerConfig = &awgProtocolConfig->serverConfig;
+        if (awgProtocolConfig->clientConfig.has_value()) {
+            awgClientConfig = &awgProtocolConfig->clientConfig.value();
+        }
+    }
+    
+    amnezia::ScriptVars vars = amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns);
+    vars.append(amnezia::genProtocolVarsForContainer(container, containerConfig));
    QString scriptData = amnezia::scriptData(m_configTemplate, container);
-    QString config = m_serverController->replaceVars(
-            scriptData, m_serverController->genVarsForScript(credentials, container, containerConfig));
+    QString config = m_sshSession->replaceVars(scriptData, vars);

-    ConnectionData connData = prepareWireguardConfig(credentials, container, containerConfig, errorCode);
+    ConnectionData connData = prepareWireguardConfig(credentials, container, wireguardServerConfig, awgServerConfig, dnsSettings, errorCode);
    if (errorCode != ErrorCode::NoError) {
-        return "";
+        return WireGuardProtocolConfig{};
    }

    config.replace("$WIREGUARD_CLIENT_PRIVATE_KEY", connData.clientPrivKey);
@@ -202,40 +243,46 @@ QString WireguardConfigurator::createConfig(const ServerCredentials &credentials
    config.replace("$WIREGUARD_SERVER_PUBLIC_KEY", connData.serverPubKey);
    config.replace("$WIREGUARD_PSK", connData.pskKey);

-    const QJsonObject &wireguarConfig = containerConfig.value(ProtocolProps::protoToString(Proto::WireGuard)).toObject();
-    QJsonObject jConfig;
-    jConfig[config_key::config] = config;
-
-    jConfig[config_key::hostName] = connData.host;
-    jConfig[config_key::port] = connData.port.toInt();
-    jConfig[config_key::client_priv_key] = connData.clientPrivKey;
-    jConfig[config_key::client_ip] = connData.clientIP;
-    jConfig[config_key::client_pub_key] = connData.clientPubKey;
-    jConfig[config_key::psk_key] = connData.pskKey;
-    jConfig[config_key::server_pub_key] = connData.serverPubKey;
-    jConfig[config_key::mtu] = wireguarConfig.value(config_key::mtu).toString(protocols::wireguard::defaultMtu);
-
-    jConfig[config_key::persistent_keep_alive] = "25";
-    QJsonArray allowedIps { "0.0.0.0/0", "::/0" };
-    jConfig[config_key::allowed_ips] = allowedIps;
-
-    jConfig[config_key::clientId] = connData.clientPubKey;
-
-    return QJsonDocument(jConfig).toJson();
+    QString mtu = protocols::wireguard::defaultMtu;
+    if (wireguardClientConfig && !wireguardClientConfig->mtu.isEmpty()) {
+        mtu = wireguardClientConfig->mtu;
+    } else if (awgClientConfig && !awgClientConfig->mtu.isEmpty()) {
+        mtu = awgClientConfig->mtu;
+    }
+    
+    WireGuardProtocolConfig protocolConfig;
+    if (wireguardServerConfig) {
+        protocolConfig.serverConfig = *wireguardServerConfig;
+    }
+    
+    WireGuardClientConfig clientConfig;
+    clientConfig.nativeConfig = config;
+    clientConfig.hostName = connData.host;
+    clientConfig.port = connData.port.toInt();
+    clientConfig.clientIp = connData.clientIP;
+    clientConfig.clientPrivateKey = connData.clientPrivKey;
+    clientConfig.clientPublicKey = connData.clientPubKey;
+    clientConfig.serverPublicKey = connData.serverPubKey;
+    clientConfig.presharedKey = connData.pskKey;
+    clientConfig.clientId = connData.clientPubKey;
+    clientConfig.allowedIps = QStringList { "0.0.0.0/0", "::/0" };
+    clientConfig.persistentKeepAlive = "25";
+    clientConfig.mtu = mtu;
+    clientConfig.isObfuscationEnabled = false;
+    
+    protocolConfig.setClientConfig(clientConfig);
+    
+    return protocolConfig;
 }

-QString WireguardConfigurator::processConfigWithLocalSettings(const QPair<QString, QString> &dns,
-                                                              const bool isApiConfig, QString &protocolConfigString)
+ProtocolConfig WireguardConfigurator::processConfigWithLocalSettings(const ConnectionSettings &settings,
+                                                                     ProtocolConfig protocolConfig)
 {
-    processConfigWithDnsSettings(dns, protocolConfigString);
-
-    return protocolConfigString;
+    return ConfiguratorBase::processConfigWithLocalSettings(settings, protocolConfig);
 }

-QString WireguardConfigurator::processConfigWithExportSettings(const QPair<QString, QString> &dns,
-                                                               const bool isApiConfig, QString &protocolConfigString)
+ProtocolConfig WireguardConfigurator::processConfigWithExportSettings(const ExportSettings &settings,
+                                                                      ProtocolConfig protocolConfig)
 {
-    processConfigWithDnsSettings(dns, protocolConfigString);
-
-    return protocolConfigString;
+    return ConfiguratorBase::processConfigWithExportSettings(settings, protocolConfig);
 }
--- a/client/core/configurators/wireguardConfigurator.h
+++ b/client/core/configurators/wireguardConfigurator.h
@@ -0,0 +1,61 @@
+#ifndef WIREGUARD_CONFIGURATOR_H
+#define WIREGUARD_CONFIGURATOR_H
+
+#include <QHostAddress>
+#include <QObject>
+#include <QProcessEnvironment>
+
+#include "configuratorBase.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+
+class WireguardConfigurator : public ConfiguratorBase
+{
+    Q_OBJECT
+public:
+    WireguardConfigurator(SshSession* sshSession,
+                          bool isAwg, QObject *parent = nullptr);
+
+    struct ConnectionData
+    {
+        QString clientPrivKey; // client private key
+        QString clientPubKey;  // client public key
+        QString clientIP;      // internal client IP address
+        QString serverPubKey;  // tls-auth key
+        QString pskKey;        // preshared key
+        QString host;          // host ip
+        QString port;
+    };
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode) override;
+
+    amnezia::ProtocolConfig processConfigWithLocalSettings(const amnezia::ConnectionSettings &settings,
+                                                           amnezia::ProtocolConfig protocolConfig) override;
+    amnezia::ProtocolConfig processConfigWithExportSettings(const amnezia::ExportSettings &settings,
+                                                            amnezia::ProtocolConfig protocolConfig) override;
+
+    static ConnectionData genClientKeys();
+
+private:
+    QList<QHostAddress> getIpsFromConf(const QString &input);
+    ConnectionData prepareWireguardConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container,
+                                          const amnezia::WireGuardServerConfig* serverConfig,
+                                          const amnezia::AwgServerConfig* awgServerConfig,
+                                          const amnezia::DnsSettings &dnsSettings,
+                                          amnezia::ErrorCode &errorCode);
+
+    bool m_isAwg;
+    QString m_serverConfigPath;
+    QString m_serverPublicKeyPath;
+    QString m_serverPskKeyPath;
+    amnezia::ProtocolScriptType m_configTemplate;
+    QString m_protocolName;
+    QString m_defaultPort;
+};
+
+#endif // WIREGUARD_CONFIGURATOR_H
--- a/client/core/configurators/xrayConfigurator.cpp
+++ b/client/core/configurators/xrayConfigurator.cpp
@@ -1,32 +1,43 @@
-#include "xray_configurator.h"
+#include "xrayConfigurator.h"

 #include <QFile>
 #include <QJsonDocument>
 #include <QJsonObject>
+#include <QJsonArray>
 #include <QUuid>
 #include "logger.h"

-#include "containers/containers_defs.h"
-#include "core/controllers/serverController.h"
-#include "core/scripts_registry.h"
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocols/xrayProtocolConfig.h"

 namespace {
 Logger logger("XrayConfigurator");
 }

-XrayConfigurator::XrayConfigurator(std::shared_ptr<Settings> settings, const QSharedPointer<ServerController> &serverController, QObject *parent)
-    : ConfiguratorBase(settings, serverController, parent)
+XrayConfigurator::XrayConfigurator(SshSession* sshSession, QObject *parent)
+    : ConfiguratorBase(sshSession, parent)
 {
 }

 QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentials, DockerContainer container,
-                                               const QJsonObject &containerConfig, ErrorCode &errorCode)
+                                               const ContainerConfig &containerConfig,
+                                               const DnsSettings &dnsSettings,
+                                               ErrorCode &errorCode)
 {
    // Generate new UUID for client
    QString clientId = QUuid::createUuid().toString(QUuid::WithoutBraces);
    
    // Get current server config
-    QString currentConfig = m_serverController->getTextFileFromContainer(
+    QString currentConfig = m_sshSession->getTextFileFromContainer(
        container, credentials, amnezia::protocols::xray::serverConfigPath, errorCode);
    
    if (errorCode != ErrorCode::NoError) {
@@ -45,13 +56,13 @@ QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentia
    QJsonObject serverConfig = doc.object();
    
    // Validate server config structure
-    if (!serverConfig.contains("inbounds")) {
+    if (!serverConfig.contains(amnezia::protocols::xray::inbounds)) {
        logger.error() << "Server config missing 'inbounds' field";
        errorCode = ErrorCode::InternalError;
        return "";
    }

-    QJsonArray inbounds = serverConfig["inbounds"].toArray();
+    QJsonArray inbounds = serverConfig[amnezia::protocols::xray::inbounds].toArray();
    if (inbounds.isEmpty()) {
        logger.error() << "Server config has empty 'inbounds' array";
        errorCode = ErrorCode::InternalError;
@@ -59,38 +70,38 @@ QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentia
    }
    
    QJsonObject inbound = inbounds[0].toObject();
-    if (!inbound.contains("settings")) {
+    if (!inbound.contains(amnezia::protocols::xray::settings)) {
        logger.error() << "Inbound missing 'settings' field";
        errorCode = ErrorCode::InternalError;
        return "";
    }

-    QJsonObject settings = inbound["settings"].toObject();
-    if (!settings.contains("clients")) {
+    QJsonObject settings = inbound[amnezia::protocols::xray::settings].toObject();
+    if (!settings.contains(amnezia::protocols::xray::clients)) {
        logger.error() << "Settings missing 'clients' field";
        errorCode = ErrorCode::InternalError;
        return "";
    }

-    QJsonArray clients = settings["clients"].toArray();
+    QJsonArray clients = settings[amnezia::protocols::xray::clients].toArray();
    
    // Create configuration for new client
    QJsonObject clientConfig {
-        {"id", clientId},
-        {"flow", "xtls-rprx-vision"}
+        {amnezia::protocols::xray::id, clientId},
+        {amnezia::protocols::xray::flow, "xtls-rprx-vision"}
    };
    
    clients.append(clientConfig);
    
    // Update config
-    settings["clients"] = clients;
-    inbound["settings"] = settings;
+    settings[amnezia::protocols::xray::clients] = clients;
+    inbound[amnezia::protocols::xray::settings] = settings;
    inbounds[0] = inbound;
-    serverConfig["inbounds"] = inbounds;
+    serverConfig[amnezia::protocols::xray::inbounds] = inbounds;
    
    // Save updated config to server
    QString updatedConfig = QJsonDocument(serverConfig).toJson();
-    errorCode = m_serverController->uploadTextFileToContainer(
+    errorCode = m_sshSession->uploadTextFileToContainer(
        container, 
        credentials, 
        updatedConfig,
@@ -104,9 +115,9 @@ QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentia

    // Restart container
    QString restartScript = QString("sudo docker restart $CONTAINER_NAME");
-    errorCode = m_serverController->runScript(
+    errorCode = m_sshSession->runScript(
        credentials, 
-        m_serverController->replaceVars(restartScript, m_serverController->genVarsForScript(credentials, container))
+        m_sshSession->replaceVars(restartScript, amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns))
    );

    if (errorCode != ErrorCode::NoError) {
@@ -117,57 +128,75 @@ QString XrayConfigurator::prepareServerConfig(const ServerCredentials &credentia
    return clientId;
 }

-QString XrayConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
-                                       const QJsonObject &containerConfig, ErrorCode &errorCode)
+ProtocolConfig XrayConfigurator::createConfig(const ServerCredentials &credentials, DockerContainer container,
+                                               const ContainerConfig &containerConfig,
+                                               const DnsSettings &dnsSettings,
+                                               ErrorCode &errorCode)
 {
-    // Get client ID from prepareServerConfig
-    QString xrayClientId = prepareServerConfig(credentials, container, containerConfig, errorCode);
+    const XrayServerConfig* serverConfig = nullptr;
+    if (auto* xrayConfig = containerConfig.protocolConfig.as<XrayProtocolConfig>()) {
+        serverConfig = &xrayConfig->serverConfig;
+    }
+    
+    QString xrayClientId = prepareServerConfig(credentials, container, containerConfig, dnsSettings, errorCode);
    if (errorCode != ErrorCode::NoError || xrayClientId.isEmpty()) {
        logger.error() << "Failed to prepare server config";
        errorCode = ErrorCode::InternalError;
-        return "";
+        return XrayProtocolConfig{};
    }

-    QString config = m_serverController->replaceVars(amnezia::scriptData(ProtocolScriptType::xray_template, container),
-                                                     m_serverController->genVarsForScript(credentials, container, containerConfig));
+    amnezia::ScriptVars vars = amnezia::genBaseVars(credentials, container, dnsSettings.primaryDns, dnsSettings.secondaryDns);
+    vars.append(amnezia::genProtocolVarsForContainer(container, containerConfig));
+    QString config = m_sshSession->replaceVars(amnezia::scriptData(ProtocolScriptType::xray_template, container), vars);
    
    if (config.isEmpty()) {
        logger.error() << "Failed to get config template";
        errorCode = ErrorCode::InternalError;
-        return "";
+        return XrayProtocolConfig{};
    }

    QString xrayPublicKey =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::PublicKeyPath, errorCode);
+            m_sshSession->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::PublicKeyPath, errorCode);
    if (errorCode != ErrorCode::NoError || xrayPublicKey.isEmpty()) {
        logger.error() << "Failed to get public key";
        errorCode = ErrorCode::InternalError;
-        return "";
+        return XrayProtocolConfig{};
    }
    xrayPublicKey.replace("\n", "");
    
    QString xrayShortId =
-            m_serverController->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::shortidPath, errorCode);
+            m_sshSession->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::shortidPath, errorCode);
    if (errorCode != ErrorCode::NoError || xrayShortId.isEmpty()) {
        logger.error() << "Failed to get short ID";
        errorCode = ErrorCode::InternalError;
-        return "";
+        return XrayProtocolConfig{};
    }
    xrayShortId.replace("\n", "");

-    // Validate all required variables are present
    if (!config.contains("$XRAY_CLIENT_ID") || !config.contains("$XRAY_PUBLIC_KEY") || !config.contains("$XRAY_SHORT_ID")) {
        logger.error() << "Config template missing required variables:"
                      << "XRAY_CLIENT_ID:" << !config.contains("$XRAY_CLIENT_ID")
                      << "XRAY_PUBLIC_KEY:" << !config.contains("$XRAY_PUBLIC_KEY")
                      << "XRAY_SHORT_ID:" << !config.contains("$XRAY_SHORT_ID");
        errorCode = ErrorCode::InternalError;
-        return "";
+        return XrayProtocolConfig{};
    }

    config.replace("$XRAY_CLIENT_ID", xrayClientId);
    config.replace("$XRAY_PUBLIC_KEY", xrayPublicKey);
    config.replace("$XRAY_SHORT_ID", xrayShortId);

-    return config;
+    XrayProtocolConfig protocolConfig;
+    if (serverConfig) {
+        protocolConfig.serverConfig = *serverConfig;
+    }
+    
+    XrayClientConfig clientConfig;
+    clientConfig.nativeConfig = config;
+    clientConfig.localPort = "";
+    clientConfig.id = xrayClientId;
+    
+    protocolConfig.setClientConfig(clientConfig);
+    
+    return protocolConfig;
 }
--- a/client/core/configurators/xrayConfigurator.h
+++ b/client/core/configurators/xrayConfigurator.h
@@ -0,0 +1,27 @@
+#ifndef XRAY_CONFIGURATOR_H
+#define XRAY_CONFIGURATOR_H
+
+#include <QObject>
+
+#include "configuratorBase.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+
+class XrayConfigurator : public ConfiguratorBase
+{
+    Q_OBJECT
+public:
+    XrayConfigurator(SshSession* sshSession, QObject *parent = nullptr);
+
+    amnezia::ProtocolConfig createConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container, const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode) override;
+
+private:
+    QString prepareServerConfig(const amnezia::ServerCredentials &credentials, amnezia::DockerContainer container, const amnezia::ContainerConfig &containerConfig,
+                                const amnezia::DnsSettings &dnsSettings,
+                                amnezia::ErrorCode &errorCode);
+};
+
+#endif // XRAY_CONFIGURATOR_H
--- a/client/core/controllers/allowedDnsController.cpp
+++ b/client/core/controllers/allowedDnsController.cpp
@@ -0,0 +1,54 @@
+#include "allowedDnsController.h"
+
+AllowedDnsController::AllowedDnsController(SecureAppSettingsRepository* appSettingsRepository)
+    : m_appSettingsRepository(appSettingsRepository)
+{
+    fillDnsServers();
+}
+
+bool AllowedDnsController::addDns(const QString &ip)
+{
+    if (m_dnsServers.contains(ip)) {
+        return false;
+    }
+
+    m_dnsServers.append(ip);
+    m_appSettingsRepository->setAllowedDnsServers(m_dnsServers);
+    return true;
+}
+
+void AllowedDnsController::addDnsList(const QStringList &dnsServers, bool replaceExisting)
+{
+    if (replaceExisting) {
+        m_dnsServers.clear();
+    }
+    
+    for (const QString &ip : dnsServers) {
+        if (!m_dnsServers.contains(ip)) {
+            m_dnsServers.append(ip);
+        }
+    }
+    
+    m_appSettingsRepository->setAllowedDnsServers(m_dnsServers);
+}
+
+void AllowedDnsController::removeDns(int index)
+{
+    if (index < 0 || index >= m_dnsServers.size()) {
+        return;
+    }
+
+    m_dnsServers.removeAt(index);
+    m_appSettingsRepository->setAllowedDnsServers(m_dnsServers);
+}
+
+QStringList AllowedDnsController::getCurrentDnsServers() const
+{
+    return m_dnsServers;
+}
+
+void AllowedDnsController::fillDnsServers()
+{
+    m_dnsServers = m_appSettingsRepository->getAllowedDnsServers();
+}
+
--- a/client/core/controllers/allowedDnsController.h
+++ b/client/core/controllers/allowedDnsController.h
@@ -0,0 +1,26 @@
+#ifndef ALLOWEDDNSCONTROLLER_H
+#define ALLOWEDDNSCONTROLLER_H
+
+#include <QStringList>
+
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class AllowedDnsController
+{
+public:
+    explicit AllowedDnsController(SecureAppSettingsRepository* appSettingsRepository);
+
+    bool addDns(const QString &ip);
+    void addDnsList(const QStringList &dnsServers, bool replaceExisting);
+    void removeDns(int index);
+    QStringList getCurrentDnsServers() const;
+
+private:
+    void fillDnsServers();
+
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    QStringList m_dnsServers;
+};
+
+#endif // ALLOWEDDNSCONTROLLER_H
+
--- a/client/core/controllers/api/newsController.cpp
+++ b/client/core/controllers/api/newsController.cpp
@@ -0,0 +1,72 @@
+#include "newsController.h"
+
+#include "core/controllers/gatewayController.h"
+#include "core/utils/api/apiEnums.h"
+#include "core/utils/constants/apiKeys.h"
+#include "core/utils/constants/apiConstants.h"
+#include "core/utils/constants/configKeys.h"
+#include <QtConcurrent/QtConcurrent>
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QSharedPointer>
+
+using namespace amnezia;
+
+NewsController::NewsController(SecureAppSettingsRepository* appSettingsRepository,
+                               ServersController* serversController)
+    : m_appSettingsRepository(appSettingsRepository), m_serversController(serversController)
+{
+}
+
+QFuture<QPair<ErrorCode, QJsonArray>> NewsController::fetchNews()
+{
+    if (!m_serversController) {
+        qWarning() << "ServersController is null, skip fetchNews";
+        return QtFuture::makeReadyFuture(qMakePair(ErrorCode::InternalError, QJsonArray()));
+    }
+    
+    const auto stacks = m_serversController->gatewayStacks();
+    if (stacks.isEmpty()) {
+        qDebug() << "No Gateway stacks, skip fetchNews";
+        return QtFuture::makeReadyFuture(qMakePair(ErrorCode::NoError, QJsonArray()));
+    }
+
+    auto gatewayController = QSharedPointer<GatewayController>::create(
+        m_appSettingsRepository->getGatewayEndpoint(),
+        m_appSettingsRepository->isDevGatewayEnv(),
+        apiDefs::requestTimeoutMsecs,
+        m_appSettingsRepository->isStrictKillSwitchEnabled());
+    
+    QJsonObject payload;
+    payload.insert("locale", m_appSettingsRepository->getAppLanguage().name().split("_").first());
+
+    const QJsonObject stacksJson = stacks.toJson();
+    if (stacksJson.contains(apiDefs::key::userCountryCode)) {
+        payload.insert(apiDefs::key::userCountryCode, stacksJson.value(apiDefs::key::userCountryCode));
+    }
+    if (stacksJson.contains(apiDefs::key::serviceType)) {
+        payload.insert(apiDefs::key::serviceType, stacksJson.value(apiDefs::key::serviceType));
+    }
+
+    auto future = gatewayController->postAsync(QString("%1v1/news"), payload);
+    return future.then([gatewayController](QPair<ErrorCode, QByteArray> result) -> QPair<ErrorCode, QJsonArray> {
+        auto [errorCode, responseBody] = result;
+        if (errorCode != ErrorCode::NoError) {
+            return qMakePair(errorCode, QJsonArray());
+        }
+
+        QJsonDocument doc = QJsonDocument::fromJson(responseBody);
+        QJsonArray newsArray;
+        if (doc.isArray()) {
+            newsArray = doc.array();
+        } else if (doc.isObject()) {
+            QJsonObject obj = doc.object();
+            if (obj.value("news").isArray()) {
+                newsArray = obj.value("news").toArray();
+            }
+        }
+
+        return qMakePair(ErrorCode::NoError, newsArray);
+    });
+}
+
--- a/client/core/controllers/api/newsController.h
+++ b/client/core/controllers/api/newsController.h
@@ -0,0 +1,28 @@
+#ifndef NEWSCONTROLLER_H
+#define NEWSCONTROLLER_H
+
+#include <QFuture>
+#include <QJsonArray>
+#include <QPair>
+
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "core/controllers/serversController.h"
+
+class NewsController
+{
+public:
+    explicit NewsController(SecureAppSettingsRepository* appSettingsRepository,
+                           ServersController* serversController);
+
+    QFuture<QPair<ErrorCode, QJsonArray>> fetchNews();
+
+private:
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    ServersController* m_serversController;
+};
+
+#endif // NEWSCONTROLLER_H
+
--- a/client/core/controllers/api/servicesCatalogController.cpp
+++ b/client/core/controllers/api/servicesCatalogController.cpp
@@ -0,0 +1,248 @@
+#include "servicesCatalogController.h"
+
+#include <QJsonDocument>
+#include <QSysInfo>
+#include <QJsonArray>
+#include <QEventLoop>
+#include <QDebug>
+#include <QCoreApplication>
+#include <QHash>
+#include <QSet>
+#include <limits>
+
+#include "core/controllers/gatewayController.h"
+#include "core/utils/api/apiEnums.h"
+#include "core/utils/constants/apiKeys.h"
+#include "core/utils/constants/apiConstants.h"
+#include "version.h"
+
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
+#include "platforms/ios/ios_controller.h"
+#endif
+
+namespace
+{
+    namespace configKey
+    {
+        constexpr char serviceDescription[] = "service_description";
+        constexpr char subscriptionPlans[] = "subscription_plans";
+        constexpr char storeProductId[] = "store_product_id";
+        constexpr char priceLabel[] = "price_label";
+        constexpr char subtitle[] = "subtitle";
+        constexpr char isTrial[] = "is_trial";
+        constexpr char minPriceLabel[] = "min_price_label";
+    }
+
+    namespace serviceType
+    {
+        constexpr char amneziaPremium[] = "amnezia-premium";
+    }
+
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
+    struct StoreKitPlanQuote {
+        QString displayPrice;
+        double priceAmount = 0.0;
+        double subscriptionBillingMonths = 0.0;
+        QString displayPricePerMonth;
+    };
+
+    constexpr double oneMonthThreshold = 1.0 + 1e-6;
+    constexpr double monthsFallbackThreshold = 1e-6;
+    constexpr double monthlyPriceEpsilon = 1e-9;
+
+    QStringList collectPremiumStoreProductIds(const QJsonArray &services)
+    {
+        QStringList productIds;
+        QSet<QString> seenProductIds;
+        for (const QJsonValue &serviceValue : services) {
+            const QJsonObject serviceObject = serviceValue.toObject();
+            if (serviceObject.value(apiDefs::key::serviceType).toString() != serviceType::amneziaPremium) {
+                continue;
+            }
+            const QJsonArray subscriptionPlans =
+                    serviceObject.value(configKey::serviceDescription).toObject().value(configKey::subscriptionPlans).toArray();
+            for (const QJsonValue &planValue : subscriptionPlans) {
+                if (!planValue.isObject()) {
+                    continue;
+                }
+                const QString storeProductId = planValue.toObject().value(configKey::storeProductId).toString();
+                if (storeProductId.isEmpty() || seenProductIds.contains(storeProductId)) {
+                    continue;
+                }
+                seenProductIds.insert(storeProductId);
+                productIds.append(storeProductId);
+            }
+        }
+        return productIds;
+    }
+
+    QHash<QString, StoreKitPlanQuote> buildStoreKitQuoteMap(const QList<QVariantMap> &fetchedProducts)
+    {
+        QHash<QString, StoreKitPlanQuote> quotesByProductId;
+        quotesByProductId.reserve(fetchedProducts.size());
+
+        for (const QVariantMap &productInfo : fetchedProducts) {
+            const QString productId = productInfo.value(QStringLiteral("productId")).toString();
+            if (productId.isEmpty()) {
+                continue;
+            }
+
+            QString displayPrice = productInfo.value(QStringLiteral("displayPrice")).toString();
+            if (displayPrice.isEmpty()) {
+                const QString price = productInfo.value(QStringLiteral("price")).toString();
+                const QString currencyCode = productInfo.value(QStringLiteral("currencyCode")).toString();
+                displayPrice = currencyCode.isEmpty() ? price : (price + QLatin1Char(' ') + currencyCode);
+            }
+
+            StoreKitPlanQuote quote;
+            quote.displayPrice = displayPrice;
+            quote.priceAmount = productInfo.value(QStringLiteral("priceAmount")).toDouble();
+            quote.subscriptionBillingMonths = productInfo.value(QStringLiteral("subscriptionBillingMonths")).toDouble();
+            quote.displayPricePerMonth = productInfo.value(QStringLiteral("displayPricePerMonth")).toString();
+            quotesByProductId.insert(productId, quote);
+        }
+
+        return quotesByProductId;
+    }
+
+    void mergeStoreKitPricesIntoPremiumPlans(QJsonObject &data)
+    {
+        QJsonArray services = data.value(apiDefs::key::services).toArray();
+        if (services.isEmpty()) {
+            return;
+        }
+
+        const QStringList productIds = collectPremiumStoreProductIds(services);
+        if (productIds.isEmpty()) {
+            qInfo().noquote() << "[IAP] No store_product_id in premium plans; skip StoreKit merge into services payload";
+            return;
+        }
+
+        QList<QVariantMap> fetchedProducts;
+        QEventLoop loop;
+        IosController::Instance()->fetchProducts(productIds,
+                                                 [&](const QList<QVariantMap> &products, const QStringList &invalidIds,
+                                                     const QString &errorString) {
+                                                     if (!errorString.isEmpty()) {
+                                                         qWarning().noquote() << "[IAP] StoreKit merge fetch:" << errorString;
+                                                     }
+                                                     if (!invalidIds.isEmpty()) {
+                                                         qWarning().noquote() << "[IAP] Unknown App Store product ids:" << invalidIds;
+                                                     }
+                                                     fetchedProducts = products;
+                                                     loop.quit();
+                                                 });
+        loop.exec();
+
+        const QHash<QString, StoreKitPlanQuote> quotesByProductId = buildStoreKitQuoteMap(fetchedProducts);
+
+        for (int serviceIndex = 0; serviceIndex < services.size(); ++serviceIndex) {
+            QJsonObject serviceObject = services.at(serviceIndex).toObject();
+            if (serviceObject.value(apiDefs::key::serviceType).toString() != serviceType::amneziaPremium) {
+                continue;
+            }
+
+            QJsonObject descriptionObject = serviceObject.value(configKey::serviceDescription).toObject();
+            const QJsonArray sourcePlans = descriptionObject.value(configKey::subscriptionPlans).toArray();
+
+            QJsonArray mergedPlans;
+            double minMonthlyAmount = std::numeric_limits<double>::infinity();
+            QString minMonthlyDisplay;
+
+            for (const QJsonValue &planValue : sourcePlans) {
+                if (!planValue.isObject()) {
+                    continue;
+                }
+
+                QJsonObject planObject = planValue.toObject();
+                const QString storeProductId = planObject.value(configKey::storeProductId).toString();
+                if (storeProductId.isEmpty()) {
+                    continue;
+                }
+
+                const auto quoteIterator = quotesByProductId.constFind(storeProductId);
+                if (quoteIterator == quotesByProductId.cend()) {
+                    continue;
+                }
+
+                const bool isTrialPlan = planObject.value(configKey::isTrial).toBool();
+                const StoreKitPlanQuote &quote = *quoteIterator;
+                planObject.insert(configKey::priceLabel, quote.displayPrice);
+
+                const double months = quote.subscriptionBillingMonths;
+                if (!isTrialPlan && months > oneMonthThreshold && !quote.displayPricePerMonth.isEmpty()) {
+                    planObject.insert(
+                            configKey::subtitle,
+                            QCoreApplication::translate("ServicesCatalogController", "%1/mo",
+                                                        "IAP: price per month in plan subtitle")
+                                    .arg(quote.displayPricePerMonth));
+                }
+
+                if (!isTrialPlan && quote.priceAmount > 0.0) {
+                    const double monthsForMin = months > monthsFallbackThreshold ? months : 1.0;
+                    const double monthly = quote.priceAmount / monthsForMin;
+                    if (monthly < minMonthlyAmount - monthlyPriceEpsilon) {
+                        minMonthlyAmount = monthly;
+                        minMonthlyDisplay = !quote.displayPricePerMonth.isEmpty() ? quote.displayPricePerMonth : quote.displayPrice;
+                    }
+                }
+
+                mergedPlans.append(planObject);
+            }
+
+            descriptionObject.insert(configKey::subscriptionPlans, mergedPlans);
+            if (minMonthlyAmount < std::numeric_limits<double>::infinity() && !minMonthlyDisplay.isEmpty()) {
+                descriptionObject.insert(configKey::minPriceLabel,
+                                         QCoreApplication::translate("ServicesCatalogController", "from %1 per month",
+                                                                     "IAP: card footer minimum monthly price from StoreKit")
+                                                 .arg(minMonthlyDisplay));
+            }
+            serviceObject.insert(configKey::serviceDescription, descriptionObject);
+            services.replace(serviceIndex, serviceObject);
+        }
+        data.insert(apiDefs::key::services, services);
+    }
+#endif
+}
+
+ServicesCatalogController::ServicesCatalogController(SecureAppSettingsRepository* appSettingsRepository)
+    : m_appSettingsRepository(appSettingsRepository)
+{
+}
+
+ErrorCode ServicesCatalogController::fillAvailableServices(QJsonObject &servicesData)
+{
+    QJsonObject apiPayload;
+    apiPayload[apiDefs::key::osVersion] = QSysInfo::productType();
+    apiPayload[apiDefs::key::appVersion] = QString(APP_VERSION);
+    apiPayload[apiDefs::key::cliName] = QString(APPLICATION_NAME);
+    apiPayload[apiDefs::key::appLanguage] = m_appSettingsRepository->getAppLanguage().name().split("_").first();
+
+    QByteArray responseBody;
+    ErrorCode errorCode = executeRequest(QString("%1v1/services"), apiPayload, responseBody);
+    if (errorCode == ErrorCode::NoError) {
+        if (!responseBody.contains(apiDefs::key::services.data())) {
+            errorCode = ErrorCode::ApiServicesMissingError;
+        }
+    }
+
+    if (errorCode != ErrorCode::NoError) {
+        return errorCode;
+    }
+
+    servicesData = QJsonDocument::fromJson(responseBody).object();
+
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
+    mergeStoreKitPricesIntoPremiumPlans(servicesData);
+#endif
+
+    return ErrorCode::NoError;
+}
+
+ErrorCode ServicesCatalogController::executeRequest(const QString &endpoint, const QJsonObject &apiPayload, QByteArray &responseBody)
+{
+    GatewayController gatewayController(m_appSettingsRepository->getGatewayEndpoint(), m_appSettingsRepository->isDevGatewayEnv(), apiDefs::requestTimeoutMsecs,
+                                        m_appSettingsRepository->isStrictKillSwitchEnabled());
+    return gatewayController.post(endpoint, apiPayload, responseBody);
+}
+
--- a/client/core/controllers/api/servicesCatalogController.h
+++ b/client/core/controllers/api/servicesCatalogController.h
@@ -0,0 +1,26 @@
+#ifndef SERVICESCATALOGCONTROLLER_H
+#define SERVICESCATALOGCONTROLLER_H
+
+#include <QJsonObject>
+#include <QByteArray>
+
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class ServicesCatalogController
+{
+public:
+    explicit ServicesCatalogController(SecureAppSettingsRepository* appSettingsRepository);
+
+    ErrorCode fillAvailableServices(QJsonObject &servicesData);
+
+private:
+    ErrorCode executeRequest(const QString &endpoint, const QJsonObject &apiPayload, QByteArray &responseBody);
+
+    SecureAppSettingsRepository* m_appSettingsRepository;
+};
+
+#endif // SERVICESCATALOGCONTROLLER_H
+
--- a/client/core/controllers/api/subscriptionController.cpp
+++ b/client/core/controllers/api/subscriptionController.cpp
--- a/client/core/controllers/api/subscriptionController.h
+++ b/client/core/controllers/api/subscriptionController.h
@@ -0,0 +1,122 @@
+#ifndef SUBSCRIPTIONCONTROLLER_H
+#define SUBSCRIPTIONCONTROLLER_H
+
+#include <QJsonObject>
+#include <QByteArray>
+#include <QFuture>
+#include <QList>
+#include <QVariantMap>
+
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "core/models/serverConfig.h"
+
+class ServersController;
+
+class SubscriptionController
+{
+public:
+    struct ProtocolData
+    {
+        QString certRequest;
+        QString certPrivKey;
+        QString wireGuardClientPrivKey;
+        QString wireGuardClientPubKey;
+        QString xrayUuid;
+    };
+
+    struct GatewayRequestData
+    {
+        QString osVersion;
+        QString appVersion;
+        QString appLanguage;
+        QString installationUuid;
+        QString userCountryCode;
+        QString serverCountryCode;
+        QString serviceType;
+        QString serviceProtocol;
+        QJsonObject authData;
+
+        QJsonObject toJsonObject() const;
+    };
+
+    explicit SubscriptionController(SecureServersRepository* serversRepository,
+                                     SecureAppSettingsRepository* appSettingsRepository);
+
+    ProtocolData generateProtocolData(const QString &protocol);
+    void appendProtocolDataToApiPayload(const QString &protocol, const ProtocolData &protocolData, QJsonObject &apiPayload);
+    ErrorCode fillServerConfig(const QJsonObject &serverConfigJson, ServerConfig &serverConfig);
+
+    ErrorCode importServiceFromGateway(const QString &userCountryCode, const QString &serviceType,
+                                      const QString &serviceProtocol, const ProtocolData &protocolData,
+                                      ServerConfig &serverConfig);
+    ErrorCode importTrialFromGateway(const QString &userCountryCode, const QString &serviceType,
+                                     const QString &serviceProtocol, const QString &email,
+                                     ServerConfig &serverConfig);
+
+    ErrorCode importServiceFromAppStore(const QString &userCountryCode, const QString &serviceType,
+                                        const QString &serviceProtocol, const ProtocolData &protocolData,
+                                        const QString &transactionId, bool isTestPurchase,
+                                        ServerConfig &serverConfig,
+                                        int *duplicateServerIndex = nullptr);
+
+    ErrorCode updateServiceFromGateway(int serverIndex, const QString &newCountryCode, bool isConnectEvent);
+
+    ErrorCode deactivateDevice(int serverIndex);
+
+    ErrorCode deactivateExternalDevice(int serverIndex, const QString &uuid, const QString &serverCountryCode);
+
+    ErrorCode exportNativeConfig(int serverIndex, const QString &serverCountryCode, QString &nativeConfig);
+
+    ErrorCode revokeNativeConfig(int serverIndex, const QString &serverCountryCode);
+
+    ErrorCode updateServiceFromTelegram(int serverIndex);
+
+    ErrorCode prepareVpnKeyExport(int serverIndex, QString &vpnKey);
+
+    ErrorCode validateAndUpdateConfig(int serverIndex, bool hasInstalledContainers);
+
+    void removeApiConfig(int serverIndex);
+
+    void setCurrentProtocol(int serverIndex, const QString &protocolName);
+    bool isVlessProtocol(int serverIndex) const;
+
+    ErrorCode getAccountInfo(int serverIndex, QJsonObject &accountInfo);
+    QFuture<QPair<ErrorCode, QString>> getRenewalLink(int serverIndex);
+
+    struct AppStoreRestoreResult
+    {
+        bool hasInstalledConfig = false;
+        bool duplicateConfigAlreadyPresent = false;
+        int duplicateCount = 0;
+        int duplicateServerIndex = -1;
+        ErrorCode errorCode = ErrorCode::NoError;
+    };
+
+    ErrorCode processAppStorePurchase(const QString &userCountryCode, const QString &serviceType,
+                                     const QString &serviceProtocol, const QString &productId,
+                                     ServerConfig &serverConfig,
+                                     int *duplicateServerIndex = nullptr);
+
+    AppStoreRestoreResult processAppStoreRestore(const QString &userCountryCode, const QString &serviceType,
+                                                  const QString &serviceProtocol);
+
+private:
+    ErrorCode executeRequest(const QString &endpoint, const QJsonObject &apiPayload, QByteArray &responseBody, bool isTestPurchase = false);
+    bool isApiKeyExpired(int serverIndex) const;
+    
+    ErrorCode extractServerConfigJsonFromResponse(const QByteArray &apiResponseBody, const QString &protocol, 
+                                                   const ProtocolData &protocolData, QJsonObject &serverConfigJson);
+    void updateApiConfigInJson(QJsonObject &serverConfigJson, const QString &serviceType, 
+                                const QString &serviceProtocol, const QString &userCountryCode,
+                                const QByteArray &apiResponseBody);
+
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+};
+
+#endif // SUBSCRIPTIONCONTROLLER_H
+
--- a/client/core/controllers/appSplitTunnelingController.cpp
+++ b/client/core/controllers/appSplitTunnelingController.cpp
@@ -0,0 +1,70 @@
+#include "appSplitTunnelingController.h"
+
+AppSplitTunnelingController::AppSplitTunnelingController(SecureAppSettingsRepository* appSettingsRepository)
+    : m_appSettingsRepository(appSettingsRepository)
+{
+    m_currentRouteMode = m_appSettingsRepository->appsRouteMode();
+    if (m_currentRouteMode == AppsRouteMode::VpnAllApps) { // for old split tunneling configs
+        m_currentRouteMode = AppsRouteMode::VpnAllExceptApps;
+        m_apps = m_appSettingsRepository->vpnApps(m_currentRouteMode);
+        m_appSettingsRepository->setAppsRouteMode(AppsRouteMode::VpnAllExceptApps);
+    } else {
+        m_apps = m_appSettingsRepository->vpnApps(m_currentRouteMode);
+    }
+}
+
+bool AppSplitTunnelingController::addApp(const amnezia::InstalledAppInfo &appInfo)
+{
+    if (m_apps.contains(appInfo)) {
+        return false;
+    }
+
+    m_apps.append(appInfo);
+    m_appSettingsRepository->setVpnApps(m_currentRouteMode, m_apps);
+
+    return true;
+}
+
+void AppSplitTunnelingController::removeApp(int index)
+{
+    if (index < 0 || index >= m_apps.size()) {
+        return;
+    }
+
+    m_apps.removeAt(index);
+    m_appSettingsRepository->setVpnApps(m_currentRouteMode, m_apps);
+}
+
+void AppSplitTunnelingController::clearAppsList()
+{
+    m_apps.clear();
+    m_appSettingsRepository->setVpnApps(m_currentRouteMode, m_apps);
+}
+
+void AppSplitTunnelingController::setRouteMode(AppsRouteMode routeMode)
+{
+    m_currentRouteMode = routeMode;
+    m_apps = m_appSettingsRepository->vpnApps(m_currentRouteMode);
+    m_appSettingsRepository->setAppsRouteMode(routeMode);
+}
+
+void AppSplitTunnelingController::toggleSplitTunneling(bool enabled)
+{
+    m_appSettingsRepository->setAppsSplitTunnelingEnabled(enabled);
+}
+
+AppsRouteMode AppSplitTunnelingController::getRouteMode() const
+{
+    return m_currentRouteMode;
+}
+
+bool AppSplitTunnelingController::isSplitTunnelingEnabled() const
+{
+    return m_appSettingsRepository->isAppsSplitTunnelingEnabled();
+}
+
+QVector<amnezia::InstalledAppInfo> AppSplitTunnelingController::getApps() const
+{
+    return m_apps;
+}
+
--- a/client/core/controllers/appSplitTunnelingController.h
+++ b/client/core/controllers/appSplitTunnelingController.h
@@ -0,0 +1,32 @@
+#ifndef APPSPLITTUNNELINGCONTROLLER_H
+#define APPSPLITTUNNELINGCONTROLLER_H
+
+#include <QVector>
+
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class AppSplitTunnelingController
+{
+public:
+    explicit AppSplitTunnelingController(SecureAppSettingsRepository* appSettingsRepository);
+
+    bool addApp(const amnezia::InstalledAppInfo &appInfo);
+    void removeApp(int index);
+    void clearAppsList();
+    void setRouteMode(AppsRouteMode routeMode);
+    void toggleSplitTunneling(bool enabled);
+
+    AppsRouteMode getRouteMode() const;
+    bool isSplitTunnelingEnabled() const;
+    QVector<amnezia::InstalledAppInfo> getApps() const;
+
+private:
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    AppsRouteMode m_currentRouteMode;
+    QVector<amnezia::InstalledAppInfo> m_apps;
+};
+
+#endif // APPSPLITTUNNELINGCONTROLLER_H
+
--- a/client/core/controllers/connectionController.cpp
+++ b/client/core/controllers/connectionController.cpp
@@ -0,0 +1,183 @@
+#include "connectionController.h"
+
+#include <QJsonDocument>
+
+#include "core/configurators/configuratorBase.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/utils/utilities.h"
+#include "core/utils/networkUtilities.h"
+#include "version.h"
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/models/serverConfig.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocolConfig.h"
+
+using namespace amnezia;
+using namespace ProtocolUtils;
+
+ConnectionController::ConnectionController(SecureServersRepository* serversRepository,
+                                         SecureAppSettingsRepository* appSettingsRepository,
+                                         VpnConnection* vpnConnection,
+                                         QObject* parent)
+    : QObject(parent),
+      m_serversRepository(serversRepository),
+      m_appSettingsRepository(appSettingsRepository),
+      m_vpnConnection(vpnConnection)
+{
+    connect(m_vpnConnection, &VpnConnection::connectionStateChanged, this, &ConnectionController::connectionStateChanged);
+    connect(this, &ConnectionController::openConnectionRequested, m_vpnConnection, &VpnConnection::connectToVpn, Qt::QueuedConnection);
+    connect(this, &ConnectionController::closeConnectionRequested, m_vpnConnection, &VpnConnection::disconnectFromVpn, Qt::QueuedConnection);
+    connect(this, &ConnectionController::setConnectionStateRequested, m_vpnConnection, &VpnConnection::setConnectionState, Qt::QueuedConnection);
+    connect(this, &ConnectionController::killSwitchModeChangedRequested, m_vpnConnection, &VpnConnection::onKillSwitchModeChanged, Qt::QueuedConnection);
+#ifdef Q_OS_ANDROID
+    connect(this, &ConnectionController::restoreConnectionRequested, m_vpnConnection, &VpnConnection::restoreConnection, Qt::QueuedConnection);
+#endif
+}
+
+bool ConnectionController::isConnected() const
+{
+    return m_vpnConnection && m_vpnConnection->connectionState() == Vpn::ConnectionState::Connected;
+}
+
+void ConnectionController::setConnectionState(Vpn::ConnectionState state)
+{
+    if (m_vpnConnection) {
+        emit setConnectionStateRequested(state);
+    }
+}
+
+ErrorCode ConnectionController::prepareConnection(int serverIndex,
+                                                 QJsonObject& vpnConfiguration,
+                                                 DockerContainer& container)
+{
+    if (!isServiceReady()) {
+        return ErrorCode::AmneziaServiceNotRunning;
+    }
+
+    ServerConfig serverConfigModel = m_serversRepository->server(serverIndex);
+    container = serverConfigModel.defaultContainer();
+
+    if (!isContainerSupported(container)) {
+        return ErrorCode::NotSupportedOnThisPlatform;
+    }
+
+    ContainerConfig containerConfigModel = m_serversRepository->containerConfig(serverIndex, container);
+
+    auto dns = serverConfigModel.getDnsPair(m_appSettingsRepository->useAmneziaDns(),
+                                            m_appSettingsRepository->primaryDns(),
+                                            m_appSettingsRepository->secondaryDns());
+
+    vpnConfiguration = createConnectionConfiguration(dns, serverConfigModel, containerConfigModel, container);
+
+    return ErrorCode::NoError;
+}
+
+ErrorCode ConnectionController::openConnection(int serverIndex)
+{
+    QJsonObject vpnConfiguration;
+    DockerContainer container;
+
+    ErrorCode errorCode = prepareConnection(serverIndex, vpnConfiguration, container);
+    if (errorCode != ErrorCode::NoError) {
+        return errorCode;
+    }
+
+    emit openConnectionRequested(serverIndex, container, vpnConfiguration);
+    return ErrorCode::NoError;
+}
+
+void ConnectionController::closeConnection()
+{
+    if (m_vpnConnection) {
+        emit closeConnectionRequested();
+    }
+}
+
+#ifdef Q_OS_ANDROID
+void ConnectionController::restoreConnection()
+{
+    if (m_vpnConnection) {
+        emit restoreConnectionRequested();
+    }
+}
+#endif
+
+void ConnectionController::onKillSwitchModeChanged(bool enabled)
+{
+    if (m_vpnConnection) {
+        emit killSwitchModeChangedRequested(enabled);
+    }
+}
+
+ErrorCode ConnectionController::lastConnectionError() const
+{
+    return m_vpnConnection->lastError();
+}
+
+QJsonObject ConnectionController::createConnectionConfiguration(const QPair<QString, QString> &dns,
+                                                              const ServerConfig &serverConfig,
+                                                              const ContainerConfig &containerConfig,
+                                                              DockerContainer container)
+{
+    QJsonObject vpnConfiguration {};
+
+    if (ContainerUtils::containerService(container) == ServiceType::Other) {
+        return vpnConfiguration;
+    }
+
+    Proto proto = ContainerUtils::defaultProtocol(container);
+
+    ConnectionSettings connectionSettings = {
+        { dns.first, dns.second },
+        serverConfig.isApiConfig(),
+        {
+            m_appSettingsRepository->isSitesSplitTunnelingEnabled(),
+            m_appSettingsRepository->routeMode()
+        }
+    };
+
+    auto configurator = ConfiguratorBase::create(proto, nullptr);
+    ProtocolConfig processedConfig = configurator->processConfigWithLocalSettings(connectionSettings,
+                                                                                  containerConfig.protocolConfig);
+
+    QJsonObject vpnConfigData = processedConfig.getClientConfigJson();
+    if (ContainerUtils::isAwgContainer(container) || container == DockerContainer::WireGuard) {
+        if (vpnConfigData[configKey::mtu].toString().isEmpty()) {
+            vpnConfigData[configKey::mtu] =
+                    ContainerUtils::isAwgContainer(container) ? protocols::awg::defaultMtu :
+                    protocols::wireguard::defaultMtu;
+        }
+    }
+
+    vpnConfiguration.insert(ProtocolUtils::key_proto_config_data(proto), vpnConfigData);
+    vpnConfiguration[configKey::vpnProto] = ProtocolUtils::protoToString(proto);
+
+    vpnConfiguration[configKey::dns1] = dns.first;
+    vpnConfiguration[configKey::dns2] = dns.second;
+
+    vpnConfiguration[configKey::hostName] = serverConfig.hostName();
+    vpnConfiguration[configKey::description] = serverConfig.description();
+
+    vpnConfiguration[configKey::configVersion] = serverConfig.configVersion();
+
+    return vpnConfiguration;
+}
+
+bool ConnectionController::isServiceReady() const
+{
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS) && !defined(MACOS_NE)
+    return Utils::processIsRunning(Utils::executable(SERVICE_NAME, false), true);
+#else
+    return true;
+#endif
+}
+
+bool ConnectionController::isContainerSupported(DockerContainer container) const
+{
+    return ContainerUtils::isSupportedByCurrentPlatform(container);
+}
--- a/client/core/controllers/connectionController.h
+++ b/client/core/controllers/connectionController.h
@@ -0,0 +1,78 @@
+#ifndef CONNECTIONCONTROLLER_H
+#define CONNECTIONCONTROLLER_H
+
+#include <QObject>
+#include <QJsonObject>
+#include <QPair>
+#include <memory>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "core/protocols/vpnProtocol.h"
+#include "vpnConnection.h"
+
+using namespace amnezia;
+
+class ConnectionController : public QObject
+{
+    Q_OBJECT
+
+public:
+    explicit ConnectionController(SecureServersRepository* serversRepository,
+                                 SecureAppSettingsRepository* appSettingsRepository,
+                                 VpnConnection* vpnConnection,
+                                 QObject* parent = nullptr);
+    ~ConnectionController() = default;
+
+    ErrorCode prepareConnection(int serverIndex,
+                               QJsonObject& vpnConfiguration,
+                               DockerContainer& container);
+
+    ErrorCode openConnection(int serverIndex);
+
+    void closeConnection();
+
+#ifdef Q_OS_ANDROID
+    void restoreConnection();
+#endif
+
+    void onKillSwitchModeChanged(bool enabled);
+
+    ErrorCode lastConnectionError() const;
+
+    bool isConnected() const;
+    void setConnectionState(Vpn::ConnectionState state);
+
+    QJsonObject createConnectionConfiguration(const QPair<QString, QString> &dns,
+                                             const ServerConfig &serverConfig,
+                                             const ContainerConfig &containerConfig,
+                                             DockerContainer container);
+
+    bool isServiceReady() const;
+
+    bool isContainerSupported(DockerContainer container) const;
+
+signals:
+    void connectionStateChanged(Vpn::ConnectionState state);
+    void openConnectionRequested(int serverIndex, DockerContainer container, const QJsonObject &vpnConfiguration);
+    void closeConnectionRequested();
+    void setConnectionStateRequested(Vpn::ConnectionState state);
+    void killSwitchModeChangedRequested(bool enabled);
+
+#ifdef Q_OS_ANDROID
+    void restoreConnectionRequested();
+#endif
+
+private:
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    VpnConnection* m_vpnConnection;
+};
+
+#endif
--- a/client/core/controllers/coreController.cpp
+++ b/client/core/controllers/coreController.cpp
@@ -2,9 +2,18 @@

 #include <QDirIterator>
 #include <QTranslator>
+#include <QTimer>
+
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/controllers/selfhosted/installController.h"
+#include "core/controllers/selfhosted/importController.h"
+#include "core/controllers/coreSignalHandlers.h"
+#include "core/models/serverConfig.h"
+#include "logger.h"
+#include "secureQSettings.h"

 #if defined(Q_OS_ANDROID)
-    #include "core/installedAppsImageProvider.h"
+    #include "core/utils/installedAppsImageProvider.h"
    #include "platforms/android/android_controller.h"
 #endif

@@ -13,149 +22,200 @@
    #include <AmneziaVPN-Swift.h>
 #endif

-CoreController::CoreController(const QSharedPointer<VpnConnection> &vpnConnection, const std::shared_ptr<Settings> &settings,
+CoreController::CoreController(const QSharedPointer<VpnConnection> &vpnConnection, SecureQSettings* settings,
                               QQmlApplicationEngine *engine, QObject *parent)
    : QObject(parent), m_vpnConnection(vpnConnection), m_settings(settings), m_engine(engine)
 {
+    initRepositories();
+    initCoreControllers();
    initModels();
    initControllers();
    initSignalHandlers();

    initAndroidController();
    initAppleController();
+    initLogging();

-    initNotificationHandler();
+    m_translator = new QTranslator(this);
+    if (m_appSettingsRepository) {
+        updateTranslator(m_appSettingsRepository->getAppLanguage());
+    }
+}

-    m_translator.reset(new QTranslator());
-    updateTranslator(m_settings->getAppLanguage());
+void CoreController::setQmlContextProperty(const QString &name, QObject *value)
+{
+    if (m_engine) {
+        m_engine->rootContext()->setContextProperty(name, value);
+    }
 }

 void CoreController::initModels()
 {
-    m_containersModel.reset(new ContainersModel(this));
-    m_engine->rootContext()->setContextProperty("ContainersModel", m_containersModel.get());
+    m_containersModel = new ContainersModel(this);
+    setQmlContextProperty("ContainersModel", m_containersModel);

-    m_defaultServerContainersModel.reset(new ContainersModel(this));
-    m_engine->rootContext()->setContextProperty("DefaultServerContainersModel", m_defaultServerContainersModel.get());
+    m_defaultServerContainersModel = new ContainersModel(this);
+    setQmlContextProperty("DefaultServerContainersModel", m_defaultServerContainersModel);

-    m_serversModel.reset(new ServersModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("ServersModel", m_serversModel.get());
+    m_serversModel = new ServersModel(this);
+    setQmlContextProperty("ServersModel", m_serversModel);

-    m_languageModel.reset(new LanguageModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("LanguageModel", m_languageModel.get());
+    m_languageModel = new LanguageModel(this);
+    setQmlContextProperty("LanguageModel", m_languageModel);

-    m_sitesModel.reset(new SitesModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("SitesModel", m_sitesModel.get());
+    m_ipSplitTunnelingModel = new IpSplitTunnelingModel(this);
+    setQmlContextProperty("IpSplitTunnelingModel", m_ipSplitTunnelingModel);

-    m_allowedDnsModel.reset(new AllowedDnsModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("AllowedDnsModel", m_allowedDnsModel.get());
+    m_allowedDnsModel = new AllowedDnsModel(this);
+    setQmlContextProperty("AllowedDnsModel", m_allowedDnsModel);

-    m_appSplitTunnelingModel.reset(new AppSplitTunnelingModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("AppSplitTunnelingModel", m_appSplitTunnelingModel.get());
+    m_appSplitTunnelingModel = new AppSplitTunnelingModel(this);
+    setQmlContextProperty("AppSplitTunnelingModel", m_appSplitTunnelingModel);

-    m_protocolsModel.reset(new ProtocolsModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("ProtocolsModel", m_protocolsModel.get());
+    m_protocolsModel = new ProtocolsModel(this);
+    setQmlContextProperty("ProtocolsModel", m_protocolsModel);

-    m_openVpnConfigModel.reset(new OpenVpnConfigModel(this));
-    m_engine->rootContext()->setContextProperty("OpenVpnConfigModel", m_openVpnConfigModel.get());
+    m_openVpnConfigModel = new OpenVpnConfigModel(this);
+    setQmlContextProperty("OpenVpnConfigModel", m_openVpnConfigModel);

-    m_shadowSocksConfigModel.reset(new ShadowSocksConfigModel(this));
-    m_engine->rootContext()->setContextProperty("ShadowSocksConfigModel", m_shadowSocksConfigModel.get());
+    m_wireGuardConfigModel = new WireGuardConfigModel(this);
+    setQmlContextProperty("WireGuardConfigModel", m_wireGuardConfigModel);

-    m_cloakConfigModel.reset(new CloakConfigModel(this));
-    m_engine->rootContext()->setContextProperty("CloakConfigModel", m_cloakConfigModel.get());
+    m_awgConfigModel = new AwgConfigModel(this);
+    setQmlContextProperty("AwgConfigModel", m_awgConfigModel);

-    m_wireGuardConfigModel.reset(new WireGuardConfigModel(this));
-    m_engine->rootContext()->setContextProperty("WireGuardConfigModel", m_wireGuardConfigModel.get());
+    m_xrayConfigModel = new XrayConfigModel(this);
+    setQmlContextProperty("XrayConfigModel", m_xrayConfigModel);

-    m_awgConfigModel.reset(new AwgConfigModel(this));
-    m_engine->rootContext()->setContextProperty("AwgConfigModel", m_awgConfigModel.get());
-
-    m_xrayConfigModel.reset(new XrayConfigModel(this));
-    m_engine->rootContext()->setContextProperty("XrayConfigModel", m_xrayConfigModel.get());
+    m_torConfigModel = new TorConfigModel(this);
+    setQmlContextProperty("TorConfigModel", m_torConfigModel);

 #ifdef Q_OS_WINDOWS
-    m_ikev2ConfigModel.reset(new Ikev2ConfigModel(this));
-    m_engine->rootContext()->setContextProperty("Ikev2ConfigModel", m_ikev2ConfigModel.get());
+    m_ikev2ConfigModel = new Ikev2ConfigModel(this);
+    setQmlContextProperty("Ikev2ConfigModel", m_ikev2ConfigModel);
 #endif

-    m_sftpConfigModel.reset(new SftpConfigModel(this));
-    m_engine->rootContext()->setContextProperty("SftpConfigModel", m_sftpConfigModel.get());
+    m_sftpConfigModel = new SftpConfigModel(this);
+    setQmlContextProperty("SftpConfigModel", m_sftpConfigModel);

-    m_socks5ConfigModel.reset(new Socks5ProxyConfigModel(this));
-    m_engine->rootContext()->setContextProperty("Socks5ProxyConfigModel", m_socks5ConfigModel.get());
+    m_socks5ConfigModel = new Socks5ProxyConfigModel(this);
+    setQmlContextProperty("Socks5ProxyConfigModel", m_socks5ConfigModel);

-    m_clientManagementModel.reset(new ClientManagementModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("ClientManagementModel", m_clientManagementModel.get());
+    m_clientManagementModel = new ClientManagementModel(this);
+    setQmlContextProperty("ClientManagementModel", m_clientManagementModel);

-    m_apiServicesModel.reset(new ApiServicesModel(this));
-    m_engine->rootContext()->setContextProperty("ApiServicesModel", m_apiServicesModel.get());
+    m_apiServicesModel = new ApiServicesModel(this);
+    setQmlContextProperty("ApiServicesModel", m_apiServicesModel);

-    m_apiCountryModel.reset(new ApiCountryModel(this));
-    m_engine->rootContext()->setContextProperty("ApiCountryModel", m_apiCountryModel.get());
+    m_apiCountryModel = new ApiCountryModel(this);
+    setQmlContextProperty("ApiCountryModel", m_apiCountryModel);

-    m_apiAccountInfoModel.reset(new ApiAccountInfoModel(this));
-    m_engine->rootContext()->setContextProperty("ApiAccountInfoModel", m_apiAccountInfoModel.get());
+    m_apiSubscriptionPlansModel = new ApiSubscriptionPlansModel(this);
+    setQmlContextProperty("ApiSubscriptionPlansModel", m_apiSubscriptionPlansModel);

-    m_apiDevicesModel.reset(new ApiDevicesModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("ApiDevicesModel", m_apiDevicesModel.get());
+    m_apiBenefitsModel = new ApiBenefitsModel(this);
+    setQmlContextProperty("ApiBenefitsModel", m_apiBenefitsModel);

-    m_newsModel.reset(new NewsModel(m_settings, this));
-    m_engine->rootContext()->setContextProperty("NewsModel", m_newsModel.get());
+    m_apiAccountInfoModel = new ApiAccountInfoModel(this);
+    setQmlContextProperty("ApiAccountInfoModel", m_apiAccountInfoModel);
+
+    m_apiDevicesModel = new ApiDevicesModel(this);
+    setQmlContextProperty("ApiDevicesModel", m_apiDevicesModel);
+
+    m_newsModel = new NewsModel(m_appSettingsRepository, this);
+    setQmlContextProperty("NewsModel", m_newsModel);
+}
+
+void CoreController::initRepositories()
+{
+    m_serversRepository = new SecureServersRepository(m_settings, this);
+    m_appSettingsRepository = new SecureAppSettingsRepository(m_settings, this);
+
+    if (m_vpnConnection) {
+        m_vpnConnection->setRepositories(m_serversRepository, m_appSettingsRepository);
+    }
+}
+
+void CoreController::initCoreControllers()
+{
+    m_serversController = new ServersController(m_serversRepository, m_appSettingsRepository, this);
+    m_appSplitTunnelingController = new AppSplitTunnelingController(m_appSettingsRepository);
+    m_usersController = new UsersController(m_serversRepository, this);
+    m_ipSplitTunnelingController = new IpSplitTunnelingController(m_appSettingsRepository, this);
+    m_allowedDnsController = new AllowedDnsController(m_appSettingsRepository);
+    m_servicesCatalogController = new ServicesCatalogController(m_appSettingsRepository);
+    m_subscriptionController = new SubscriptionController(m_serversRepository, m_appSettingsRepository);
+    m_newsController = new NewsController(m_appSettingsRepository, m_serversController);
+    m_updateController = new UpdateController(m_appSettingsRepository, this);
+    
+    m_installController = new InstallController(m_serversRepository, m_appSettingsRepository, this);
+    m_exportController = new ExportController(m_serversRepository, m_appSettingsRepository, this);
+    m_importCoreController = new ImportController(m_serversRepository, m_appSettingsRepository, this);
+    m_connectionController = new ConnectionController(m_serversRepository, m_appSettingsRepository, m_vpnConnection.get(), this);
+    m_settingsController = new SettingsController(m_serversRepository, m_appSettingsRepository, this);
 }

 void CoreController::initControllers()
 {
-    m_connectionController.reset(
-            new ConnectionController(m_serversModel, m_containersModel, m_clientManagementModel, m_vpnConnection, m_settings));
-    m_engine->rootContext()->setContextProperty("ConnectionController", m_connectionController.get());
+    m_connectionUiController = new ConnectionUiController(m_connectionController, m_serversController, this);
+    setQmlContextProperty("ConnectionController", m_connectionUiController);

-    m_pageController.reset(new PageController(m_serversModel, m_settings));
-    m_engine->rootContext()->setContextProperty("PageController", m_pageController.get());
+    if (m_engine) {
+        m_focusController = new FocusController(m_engine, this);
+        setQmlContextProperty("FocusController", m_focusController);
+    }

-    m_focusController.reset(new FocusController(m_engine, this));
-    m_engine->rootContext()->setContextProperty("FocusController", m_focusController.get());
+    m_installUiController = new InstallUiController(m_installController, m_serversController, m_settingsController, m_protocolsModel, m_usersController, 
+                                                     m_awgConfigModel, m_wireGuardConfigModel, m_openVpnConfigModel, m_xrayConfigModel, m_torConfigModel,
+#ifdef Q_OS_WINDOWS
+                                                     m_ikev2ConfigModel,
+#endif
+                                                     m_sftpConfigModel, m_socks5ConfigModel, this);
+    setQmlContextProperty("InstallController", m_installUiController);

-    m_installController.reset(new InstallController(m_serversModel, m_containersModel, m_protocolsModel, m_clientManagementModel, m_settings));
-    m_engine->rootContext()->setContextProperty("InstallController", m_installController.get());
+    m_importController = new ImportUiController(m_importCoreController, this);
+    setQmlContextProperty("ImportController", m_importController);

-    connect(m_installController.get(), &InstallController::currentContainerUpdated, m_connectionController.get(),
-            &ConnectionController::onCurrentContainerUpdated); // TODO remove this
+    m_exportUiController = new ExportUiController(m_exportController, this);
+    setQmlContextProperty("ExportController", m_exportUiController);

-    connect(m_installController.get(), &InstallController::profileCleared,
-            m_protocolsModel.get(), &ProtocolsModel::updateModel);
+    m_languageUiController = new LanguageUiController(m_settingsController, m_languageModel, this);
+    setQmlContextProperty("LanguageUiController", m_languageUiController);

-    m_importController.reset(new ImportController(m_serversModel, m_containersModel, m_settings));
-    m_engine->rootContext()->setContextProperty("ImportController", m_importController.get());
+    m_settingsUiController = new SettingsUiController(m_settingsController, m_serversController, m_languageUiController, this);
+    setQmlContextProperty("SettingsController", m_settingsUiController);

-    m_exportController.reset(new ExportController(m_serversModel, m_containersModel, m_clientManagementModel, m_settings));
-    m_engine->rootContext()->setContextProperty("ExportController", m_exportController.get());
+    m_pageController = new PageController(m_serversController, m_settingsController, this);
+    setQmlContextProperty("PageController", m_pageController);

-    m_settingsController.reset(
-            new SettingsController(m_serversModel, m_containersModel, m_languageModel, m_sitesModel, m_appSplitTunnelingModel, m_settings));
-    m_engine->rootContext()->setContextProperty("SettingsController", m_settingsController.get());
+    m_serversUiController = new ServersUiController(m_serversController, m_settingsController, m_serversModel, m_containersModel, m_defaultServerContainersModel, this);
+    setQmlContextProperty("ServersUiController", m_serversUiController);

-    m_sitesController.reset(new SitesController(m_settings, m_sitesModel));
-    m_engine->rootContext()->setContextProperty("SitesController", m_sitesController.get());
+    m_ipSplitTunnelingUiController = new IpSplitTunnelingUiController(m_ipSplitTunnelingController, m_ipSplitTunnelingModel, this);
+    setQmlContextProperty("IpSplitTunnelingController", m_ipSplitTunnelingUiController);

-    m_allowedDnsController.reset(new AllowedDnsController(m_settings, m_allowedDnsModel));
-    m_engine->rootContext()->setContextProperty("AllowedDnsController", m_allowedDnsController.get());
+    m_allowedDnsUiController = new AllowedDnsUiController(m_allowedDnsController, m_allowedDnsModel, this);
+    setQmlContextProperty("AllowedDnsController", m_allowedDnsUiController);

-    m_appSplitTunnelingController.reset(new AppSplitTunnelingController(m_settings, m_appSplitTunnelingModel));
-    m_engine->rootContext()->setContextProperty("AppSplitTunnelingController", m_appSplitTunnelingController.get());
+    m_appSplitTunnelingUiController = new AppSplitTunnelingUiController(m_appSplitTunnelingController, m_appSplitTunnelingModel, this);
+    setQmlContextProperty("AppSplitTunnelingController", m_appSplitTunnelingUiController);

-    m_systemController.reset(new SystemController(m_settings));
-    m_engine->rootContext()->setContextProperty("SystemController", m_systemController.get());
+    m_systemController = new SystemController(this);
+    setQmlContextProperty("SystemController", m_systemController);

-    m_apiSettingsController.reset(
-            new ApiSettingsController(m_serversModel, m_apiAccountInfoModel, m_apiCountryModel, m_apiDevicesModel, m_settings));
-    m_engine->rootContext()->setContextProperty("ApiSettingsController", m_apiSettingsController.get());
+    m_servicesCatalogUiController = new ServicesCatalogUiController(m_servicesCatalogController, m_apiServicesModel, this);
+    setQmlContextProperty("ServicesCatalogUiController", m_servicesCatalogUiController);

-    m_apiConfigsController.reset(new ApiConfigsController(m_serversModel, m_apiServicesModel, m_settings));
-    m_engine->rootContext()->setContextProperty("ApiConfigsController", m_apiConfigsController.get());
+    m_subscriptionUiController = new SubscriptionUiController(m_serversController, m_apiServicesModel, m_servicesCatalogController, m_subscriptionController,
+                                                              m_apiSubscriptionPlansModel, m_apiBenefitsModel, m_apiAccountInfoModel,
+                                                              m_apiCountryModel, m_apiDevicesModel, m_settingsController, this);
+    setQmlContextProperty("SubscriptionUiController", m_subscriptionUiController);

-    m_apiNewsController.reset(new ApiNewsController(m_newsModel, m_settings, m_serversModel, this));
-    m_engine->rootContext()->setContextProperty("ApiNewsController", m_apiNewsController.get());
+    m_apiNewsUiController = new ApiNewsUiController(m_newsModel, m_newsController, this);
+    setQmlContextProperty("ApiNewsController", m_apiNewsUiController);
+
+    m_updateUiController = new UpdateUiController(m_updateController, this);
+    setQmlContextProperty("UpdateController", m_updateUiController);
 }

 void CoreController::initAndroidController()
@@ -164,33 +224,16 @@ void CoreController::initAndroidController()
    if (!AndroidController::initLogging()) {
        qFatal("Android logging initialization failed");
    }
-    AndroidController::instance()->setSaveLogs(m_settings->isSaveLogs());
-    connect(m_settings.get(), &Settings::saveLogsChanged, AndroidController::instance(), &AndroidController::setSaveLogs);
+    AndroidController::instance()->setSaveLogs(m_appSettingsRepository->isSaveLogs());
+    AndroidController::instance()->setScreenshotsEnabled(m_appSettingsRepository->isScreenshotsEnabled());

-    AndroidController::instance()->setScreenshotsEnabled(m_settings->isScreenshotsEnabled());
-    connect(m_settings.get(), &Settings::screenshotsEnabledChanged, AndroidController::instance(), &AndroidController::setScreenshotsEnabled);
-
-    connect(m_settings.get(), &Settings::serverRemoved, AndroidController::instance(), &AndroidController::resetLastServer);
-
-    connect(m_settings.get(), &Settings::settingsCleared, []() { AndroidController::instance()->resetLastServer(-1); });
-
-    connect(AndroidController::instance(), &AndroidController::initConnectionState, this, [this](Vpn::ConnectionState state) {
-        m_connectionController->onConnectionStateChanged(state);
-        if (m_vpnConnection)
-            m_vpnConnection->restoreConnection();
-    });
    if (!AndroidController::instance()->initialize()) {
        qFatal("Android controller initialization failed");
    }

-    connect(AndroidController::instance(), &AndroidController::importConfigFromOutside, this, [this](QString data) {
-        emit m_pageController->goToPageHome();
-        m_importController->extractConfigFromData(data);
-        data.clear();
-        emit m_pageController->goToPageViewConfig();
-    });
-
-    m_engine->addImageProvider(QLatin1String("installedAppImage"), new InstalledAppsImageProvider);
+    if (m_engine) {
+        m_engine->addImageProvider(QLatin1String("installedAppImage"), new InstalledAppsImageProvider);
+    }
 #endif
 }

@@ -198,63 +241,36 @@ void CoreController::initAppleController()
 {
 #ifdef Q_OS_IOS
    IosController::Instance()->initialize();
-    connect(IosController::Instance(), &IosController::importConfigFromOutside, this, [this](QString data) {
-        emit m_pageController->goToPageHome();
-        m_importController->extractConfigFromData(data);
-        emit m_pageController->goToPageViewConfig();
-    });
+    QTimer::singleShot(0, this, [this]() { AmneziaVPN::toggleScreenshots(m_appSettingsRepository->isScreenshotsEnabled()); });
+#endif
+}

-    connect(IosController::Instance(), &IosController::importBackupFromOutside, this, [this](QString filePath) {
-        emit m_pageController->goToPageHome();
-        m_pageController->goToPageSettingsBackup();
-        emit m_settingsController->importBackupFromOutside(filePath);
-    });
-
-    QTimer::singleShot(0, this, [this]() { AmneziaVPN::toggleScreenshots(m_settings->isScreenshotsEnabled()); });
-
-    connect(m_settings.get(), &Settings::screenshotsEnabledChanged, [](bool enabled) { AmneziaVPN::toggleScreenshots(enabled); });
+void CoreController::initLogging()
+{
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+    bool enabled = m_appSettingsRepository->isSaveLogs();
+    if (enabled) {
+        if (!Logger::init(false)) {
+            qWarning() << "Initialization of debug subsystem failed";
+        }
+    }
+    Logger::setServiceLogsEnabled(enabled);
 #endif
 }

 void CoreController::initSignalHandlers()
 {
-    initErrorMessagesHandler();
-
-    initApiCountryModelUpdateHandler();
-    initContainerModelUpdateHandler();
-    initAdminConfigRevokedHandler();
-    initPassphraseRequestHandler();
-    initTranslationsUpdatedHandler();
-    initAutoConnectHandler();
-    initAmneziaDnsToggledHandler();
-    initPrepareConfigHandler();
-    initStrictKillSwitchHandler();
-}
-
-void CoreController::initNotificationHandler()
-{
-#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
-    m_notificationHandler.reset(NotificationHandler::create(nullptr));
-
-    connect(m_vpnConnection.get(), &VpnConnection::connectionStateChanged, m_notificationHandler.get(),
-            &NotificationHandler::setConnectionState);
-
-    connect(m_notificationHandler.get(), &NotificationHandler::raiseRequested, m_pageController.get(), &PageController::raiseMainWindow);
-    connect(m_notificationHandler.get(), &NotificationHandler::connectRequested, m_connectionController.get(),
-            static_cast<void (ConnectionController::*)()>(&ConnectionController::openConnection));
-    connect(m_notificationHandler.get(), &NotificationHandler::disconnectRequested, m_connectionController.get(),
-            &ConnectionController::closeConnection);
-    connect(this, &CoreController::translationsUpdated, m_notificationHandler.get(), &NotificationHandler::onTranslationsUpdated);
-
-    auto* trayHandler = qobject_cast<SystemTrayNotificationHandler*>(m_notificationHandler.get());
-    connect(this, &CoreController::websiteUrlChanged, trayHandler, &SystemTrayNotificationHandler::updateWebsiteUrl);
-#endif    
+    m_signalHandlers = new CoreSignalHandlers(this, this);
+    m_signalHandlers->initAllHandlers();
+    
+    // Trigger initial update after handlers are connected
+    m_serversUiController->updateModel();
 }

 void CoreController::updateTranslator(const QLocale &locale)
 {
    if (!m_translator->isEmpty()) {
-        QCoreApplication::removeTranslator(m_translator.get());
+        QCoreApplication::removeTranslator(m_translator);
    }

    QStringList availableTranslations;
@@ -275,119 +291,31 @@ void CoreController::updateTranslator(const QLocale &locale)
    }

    if (m_translator->load(strFileName)) {
-        if (QCoreApplication::installTranslator(m_translator.get())) {
-            m_settings->setAppLanguage(locale);
-        }
+        QCoreApplication::installTranslator(m_translator);
    } else {
-        m_settings->setAppLanguage(QLocale::English);
+        if (m_translator->load(QString(":/translations/amneziavpn_en.qm"))) {
+            QCoreApplication::installTranslator(m_translator);
+        }
    }

-    m_engine->retranslate();
+    if (m_engine) {
+        m_engine->retranslate();
+    }

    emit translationsUpdated();
-    emit websiteUrlChanged(m_languageModel->getCurrentSiteUrl());
-}
-
-void CoreController::initErrorMessagesHandler()
-{
-    connect(m_connectionController.get(), &ConnectionController::connectionErrorOccurred, this, [this](ErrorCode errorCode) {
-        emit m_pageController->showErrorMessage(errorCode);
-        emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
-    });
-
-    connect(m_apiConfigsController.get(), &ApiConfigsController::errorOccurred, m_pageController.get(),
-            qOverload<ErrorCode>(&PageController::showErrorMessage));
+    if (m_languageUiController) {
+        emit websiteUrlChanged(m_languageUiController->getCurrentSiteUrl());
+    }
 }

 void CoreController::setQmlRoot()
 {
-    m_systemController->setQmlRoot(m_engine->rootObjects().value(0));
-}
-
-void CoreController::initApiCountryModelUpdateHandler()
-{
-    connect(m_serversModel.get(), &ServersModel::updateApiCountryModel, this, [this]() {
-        m_apiCountryModel->updateModel(m_serversModel->getProcessedServerData("apiAvailableCountries").toJsonArray(),
-                                       m_serversModel->getProcessedServerData("apiServerCountryCode").toString());
-    });
-}
-
-void CoreController::initContainerModelUpdateHandler()
-{
-    connect(m_serversModel.get(), &ServersModel::containersUpdated, m_containersModel.get(), &ContainersModel::updateModel);
-    connect(m_serversModel.get(), &ServersModel::defaultServerContainersUpdated, m_defaultServerContainersModel.get(),
-            &ContainersModel::updateModel);
-    connect(m_serversModel.get(), &ServersModel::gatewayStacksExpanded, this, [this]() {
-        if (m_serversModel->hasServersFromGatewayApi()) {
-            m_apiNewsController->fetchNews(false);
-        }
-    });
-    m_serversModel->resetModel();
-}
-
-void CoreController::initAdminConfigRevokedHandler()
-{
-    connect(m_clientManagementModel.get(), &ClientManagementModel::adminConfigRevoked, m_serversModel.get(),
-            &ServersModel::clearCachedProfile);
-}
-
-void CoreController::initPassphraseRequestHandler()
-{
-    connect(m_installController.get(), &InstallController::passphraseRequestStarted, m_pageController.get(),
-            &PageController::showPassphraseRequestDrawer);
-    connect(m_pageController.get(), &PageController::passphraseRequestDrawerClosed, m_installController.get(),
-            &InstallController::setEncryptedPassphrase);
-}
-
-void CoreController::initTranslationsUpdatedHandler()
-{
-    connect(m_languageModel.get(), &LanguageModel::updateTranslations, this, &CoreController::updateTranslator);
-    connect(this, &CoreController::translationsUpdated, m_languageModel.get(), &LanguageModel::translationsUpdated);
-    connect(this, &CoreController::translationsUpdated, m_connectionController.get(), &ConnectionController::onTranslationsUpdated);
-}
-
-void CoreController::initAutoConnectHandler()
-{
-    if (m_settingsController->isAutoConnectEnabled() && m_serversModel->getDefaultServerIndex() >= 0) {
-        QTimer::singleShot(1000, this, [this]() { m_connectionController->openConnection(); });
+    if (m_engine && m_systemController) {
+        m_systemController->setQmlRoot(m_engine->rootObjects().value(0));
    }
 }

-void CoreController::initAmneziaDnsToggledHandler()
-{
-    connect(m_settingsController.get(), &SettingsController::amneziaDnsToggled, m_serversModel.get(), &ServersModel::toggleAmneziaDns);
-}
-
-void CoreController::initPrepareConfigHandler()
-{
-    connect(m_connectionController.get(), &ConnectionController::prepareConfig, this, [this]() {
-        emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Preparing);
-
-        if (!m_apiConfigsController->isConfigValid()) {
-            emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
-            return;
-        }
-
-        m_installController->validateConfig();
-    });
-
-    connect(m_installController.get(), &InstallController::configValidated, this, [this](bool isValid) {
-        if (!isValid) {
-            emit m_vpnConnection->connectionStateChanged(Vpn::ConnectionState::Disconnected);
-            return;
-        }
-
-        m_connectionController->openConnection();
-    });
-}
-
-void CoreController::initStrictKillSwitchHandler()
-{
-    connect(m_settingsController.get(), &SettingsController::strictKillSwitchEnabledChanged, m_vpnConnection.get(),
-            &VpnConnection::onKillSwitchModeChanged);
-}
-
-QSharedPointer<PageController> CoreController::pageController() const
+PageController* CoreController::pageController() const
 {
    return m_pageController;
 }
@@ -396,9 +324,11 @@ void CoreController::openConnectionByIndex(int serverIndex)
 {
    if (m_serversModel) {
        m_serversModel->setProcessedServerIndex(serverIndex);
-        m_serversModel->setDefaultServerIndex(serverIndex);
    }
-    m_connectionController->toggleConnection();
+    if (m_serversController) {
+        m_serversController->setDefaultServerIndex(serverIndex);
+    }
+    m_connectionUiController->toggleConnection();
 }

 void CoreController::importConfigFromData(const QString &data)
--- a/client/core/controllers/coreController.h
+++ b/client/core/controllers/coreController.h
@@ -6,148 +6,228 @@
 #include <QThread>

 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
-    #include "ui/systemtray_notificationhandler.h"
+    #include "ui/utils/systemTrayNotificationHandler.h"
 #endif

-#include "ui/controllers/api/apiConfigsController.h"
-#include "ui/controllers/api/apiSettingsController.h"
-#include "ui/controllers/api/apiNewsController.h"
-#include "ui/controllers/appSplitTunnelingController.h"
-#include "ui/controllers/allowedDnsController.h"
-#include "ui/controllers/connectionController.h"
-#include "ui/controllers/exportController.h"
-#include "ui/controllers/focusController.h"
-#include "ui/controllers/importController.h"
-#include "ui/controllers/installController.h"
-#include "ui/controllers/pageController.h"
-#include "ui/controllers/settingsController.h"
-#include "ui/controllers/sitesController.h"
+#include "ui/controllers/api/subscriptionUiController.h"
+#include "ui/controllers/api/apiNewsUiController.h"
+#include "ui/controllers/appSplitTunnelingUiController.h"
+#include "ui/controllers/allowedDnsUiController.h"
+#include "ui/controllers/connectionUiController.h"
+#include "ui/controllers/selfhosted/exportUiController.h"
+#include "core/controllers/selfhosted/exportController.h"
+#include "ui/controllers/qml/focusController.h"
+#include "ui/controllers/importUiController.h"
+#include "core/controllers/selfhosted/importController.h"
+#include "ui/controllers/selfhosted/installUiController.h"
+#include "ui/controllers/qml/pageController.h"
+#include "ui/controllers/settingsUiController.h"
+#include "ui/controllers/serversUiController.h"
+#include "ui/controllers/ipSplitTunnelingUiController.h"
 #include "ui/controllers/systemController.h"
+#include "ui/controllers/languageUiController.h"
+#include "ui/controllers/updateUiController.h"
+#include "ui/controllers/api/servicesCatalogUiController.h"

-#include "ui/models/allowed_dns_model.h"
-#include "ui/models/containers_model.h"
+#include "core/controllers/serversController.h"
+#include "core/controllers/selfhosted/usersController.h"
+#include "core/controllers/appSplitTunnelingController.h"
+#include "core/controllers/ipSplitTunnelingController.h"
+#include "core/controllers/allowedDnsController.h"
+#include "core/controllers/api/servicesCatalogController.h"
+#include "core/controllers/api/subscriptionController.h"
+#include "core/controllers/api/newsController.h"
+#include "core/controllers/selfhosted/installController.h"
+#include "core/controllers/settingsController.h"
+#include "core/controllers/connectionController.h"
+#include "core/controllers/updateController.h"
+
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "secureQSettings.h"
+
+#include "ui/models/allowedDnsModel.h"
+#include "ui/models/containersModel.h"
 #include "ui/models/languageModel.h"
-#include "ui/models/protocols/cloakConfigModel.h"
 #ifdef Q_OS_WINDOWS
    #include "ui/models/protocols/ikev2ConfigModel.h"
 #endif
 #include "ui/models/api/apiAccountInfoModel.h"
+#include "ui/models/api/apiBenefitsModel.h"
 #include "ui/models/api/apiCountryModel.h"
 #include "ui/models/api/apiDevicesModel.h"
 #include "ui/models/api/apiServicesModel.h"
+#include "ui/models/api/apiSubscriptionPlansModel.h"
 #include "ui/models/appSplitTunnelingModel.h"
 #include "ui/models/clientManagementModel.h"
 #include "ui/models/protocols/awgConfigModel.h"
 #include "ui/models/protocols/openvpnConfigModel.h"
-#include "ui/models/protocols/shadowsocksConfigModel.h"
 #include "ui/models/protocols/wireguardConfigModel.h"
 #include "ui/models/protocols/xrayConfigModel.h"
-#include "ui/models/protocols_model.h"
-#include "ui/models/servers_model.h"
+#include "ui/models/protocolsModel.h"
+#include "ui/models/services/torConfigModel.h"
+#include "ui/models/serversModel.h"
 #include "ui/models/services/sftpConfigModel.h"
 #include "ui/models/services/socks5ProxyConfigModel.h"
-#include "ui/models/sites_model.h"
+#include "ui/models/ipSplitTunnelingModel.h"
 #include "ui/models/newsModel.h"

 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
-    #include "ui/notificationhandler.h"
+    #include "ui/utils/notificationHandler.h"
 #endif

+class CoreSignalHandlers;
+class TestMultipleImports;
+class TestAdminSelfHostedExport;
+class TestServerEdit;
+class TestDefaultServerChange;
+class TestServerEdgeCases;
+class TestSignalOrder;
+class TestServersModelSync;
+class TestGatewayStacks;
+class TestComplexOperations;
+class TestSettingsSignals;
+class TestUiServersModelAndController;
+class TestSelfHostedServerSetup;
+class TestMultipleExports;
+class TestSerialization;
+class TestUiLanguageModelAndController;
+class TestUiSitesModelAndController;
+class TestUiAppSTModelAndController;
+class TestUiAllowedDnsModelAndController;
+class TestUiNewsModelAndController;
+class TestUiApiServicesModelAndController;
+
 class CoreController : public QObject
 {
    Q_OBJECT
+    friend class CoreSignalHandlers;
+    friend class TestMultipleImports;
+    friend class TestAdminSelfHostedExport;
+    friend class TestServerEdit;
+    friend class TestDefaultServerChange;
+    friend class TestServerEdgeCases;
+    friend class TestSignalOrder;
+    friend class TestServersModelSync;
+    friend class TestGatewayStacks;
+    friend class TestComplexOperations;
+    friend class TestSettingsSignals;
+    friend class TestUiServersModelAndController;
+    friend class TestSelfHostedServerSetup;
+    friend class TestMultipleExports;
+    friend class TestSerialization;
+    friend class TestUiLanguageModelAndController;
+    friend class TestUiSitesModelAndController;
+    friend class TestUiAppSTModelAndController;
+    friend class TestUiAllowedDnsModelAndController;
+    friend class TestUiNewsModelAndController;
+    friend class TestUiApiServicesModelAndController;

 public:
-    explicit CoreController(const QSharedPointer<VpnConnection> &vpnConnection, const std::shared_ptr<Settings> &settings,
+    explicit CoreController(const QSharedPointer<VpnConnection> &vpnConnection, SecureQSettings* settings,
                            QQmlApplicationEngine *engine, QObject *parent = nullptr);

-    QSharedPointer<PageController> pageController() const;
+    PageController* pageController() const;
    void setQmlRoot();

    void openConnectionByIndex(int serverIndex);
    void importConfigFromData(const QString &data);
+    void updateTranslator(const QLocale &locale);

 signals:
    void translationsUpdated();
    void websiteUrlChanged(const QString &newUrl);

 private:
+    void initRepositories();
+    void initCoreControllers();
    void initModels();
    void initControllers();
    void initAndroidController();
    void initAppleController();
+    void initLogging();
    void initSignalHandlers();
-
-    void initNotificationHandler();
-
-    void updateTranslator(const QLocale &locale);
-
-    void initErrorMessagesHandler();
-
-    void initApiCountryModelUpdateHandler();
-    void initContainerModelUpdateHandler();
-    void initAdminConfigRevokedHandler();
-    void initPassphraseRequestHandler();
-    void initTranslationsUpdatedHandler();
-    void initAutoConnectHandler();
-    void initAmneziaDnsToggledHandler();
-    void initPrepareConfigHandler();
-    void initStrictKillSwitchHandler();
+    void setQmlContextProperty(const QString &name, QObject *value);

    QQmlApplicationEngine *m_engine {}; // TODO use parent child system here?
-    std::shared_ptr<Settings> m_settings;
+    SecureQSettings* m_settings;
    QSharedPointer<VpnConnection> m_vpnConnection;
-    QSharedPointer<QTranslator> m_translator;
+    QTranslator* m_translator;
+
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;

 #if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
-    QScopedPointer<NotificationHandler> m_notificationHandler;
+    NotificationHandler* m_notificationHandler;
 #endif

    QMetaObject::Connection m_reloadConfigErrorOccurredConnection;

-    QScopedPointer<ConnectionController> m_connectionController;
-    QScopedPointer<FocusController> m_focusController;
-    QSharedPointer<PageController> m_pageController; // TODO
-    QScopedPointer<InstallController> m_installController;
-    QScopedPointer<ImportController> m_importController;
-    QScopedPointer<ExportController> m_exportController;
-    QScopedPointer<SettingsController> m_settingsController;
-    QScopedPointer<SitesController> m_sitesController;
-    QScopedPointer<SystemController> m_systemController;
-    QScopedPointer<AppSplitTunnelingController> m_appSplitTunnelingController;
-    QScopedPointer<AllowedDnsController> m_allowedDnsController;
+    ConnectionUiController* m_connectionUiController;
+    FocusController* m_focusController;
+    PageController* m_pageController;
+    InstallUiController* m_installUiController;
+    ImportUiController* m_importController;
+    ImportController* m_importCoreController;
+    ExportUiController* m_exportUiController;
+    SettingsUiController* m_settingsUiController;
+    ServersUiController* m_serversUiController;
+    IpSplitTunnelingUiController* m_ipSplitTunnelingUiController;
+    SystemController* m_systemController;
+    AppSplitTunnelingUiController* m_appSplitTunnelingUiController;
+    AllowedDnsUiController* m_allowedDnsUiController;
+    LanguageUiController* m_languageUiController;
+    UpdateUiController* m_updateUiController;

-    QScopedPointer<ApiSettingsController> m_apiSettingsController;
-    QScopedPointer<ApiConfigsController> m_apiConfigsController;
-    QScopedPointer<ApiNewsController> m_apiNewsController;
+    SubscriptionUiController* m_subscriptionUiController;
+    ApiNewsUiController* m_apiNewsUiController;
+    
+    ServicesCatalogUiController* m_servicesCatalogUiController;

-    QSharedPointer<ContainersModel> m_containersModel;
-    QSharedPointer<ContainersModel> m_defaultServerContainersModel;
-    QSharedPointer<ServersModel> m_serversModel;
-    QSharedPointer<LanguageModel> m_languageModel;
-    QSharedPointer<ProtocolsModel> m_protocolsModel;
-    QSharedPointer<SitesModel> m_sitesModel;
-    QSharedPointer<NewsModel> m_newsModel;
-    QSharedPointer<AllowedDnsModel> m_allowedDnsModel;
-    QSharedPointer<AppSplitTunnelingModel> m_appSplitTunnelingModel;
-    QSharedPointer<ClientManagementModel> m_clientManagementModel;
+    ServersController* m_serversController;
+    UsersController* m_usersController;
+    AppSplitTunnelingController* m_appSplitTunnelingController;
+    IpSplitTunnelingController* m_ipSplitTunnelingController;
+    AllowedDnsController* m_allowedDnsController;
+    ServicesCatalogController* m_servicesCatalogController;
+    SubscriptionController* m_subscriptionController;
+    NewsController* m_newsController;
+    UpdateController* m_updateController;
+    InstallController* m_installController;
+    ExportController* m_exportController;
+    ConnectionController* m_connectionController;
+    SettingsController* m_settingsController;

-    QSharedPointer<ApiServicesModel> m_apiServicesModel;
-    QSharedPointer<ApiCountryModel> m_apiCountryModel;
-    QSharedPointer<ApiAccountInfoModel> m_apiAccountInfoModel;
-    QSharedPointer<ApiDevicesModel> m_apiDevicesModel;
+    ContainersModel* m_containersModel;
+    ContainersModel* m_defaultServerContainersModel;
+    ServersModel* m_serversModel;
+    LanguageModel* m_languageModel;
+    ProtocolsModel* m_protocolsModel;
+    IpSplitTunnelingModel* m_ipSplitTunnelingModel;
+    NewsModel* m_newsModel;
+    AllowedDnsModel* m_allowedDnsModel;
+    AppSplitTunnelingModel* m_appSplitTunnelingModel;
+    ClientManagementModel* m_clientManagementModel;

-    QScopedPointer<OpenVpnConfigModel> m_openVpnConfigModel;
-    QScopedPointer<ShadowSocksConfigModel> m_shadowSocksConfigModel;
-    QScopedPointer<CloakConfigModel> m_cloakConfigModel;
-    QScopedPointer<XrayConfigModel> m_xrayConfigModel;
-    QScopedPointer<WireGuardConfigModel> m_wireGuardConfigModel;
-    QScopedPointer<AwgConfigModel> m_awgConfigModel;
+    ApiServicesModel* m_apiServicesModel;
+    ApiSubscriptionPlansModel* m_apiSubscriptionPlansModel;
+    ApiBenefitsModel* m_apiBenefitsModel;
+    ApiCountryModel* m_apiCountryModel;
+    ApiAccountInfoModel* m_apiAccountInfoModel;
+    ApiDevicesModel* m_apiDevicesModel;
+
+    OpenVpnConfigModel* m_openVpnConfigModel;
+    XrayConfigModel* m_xrayConfigModel;
+    TorConfigModel* m_torConfigModel;
+    WireGuardConfigModel* m_wireGuardConfigModel;
+    AwgConfigModel* m_awgConfigModel;
 #ifdef Q_OS_WINDOWS
-    QScopedPointer<Ikev2ConfigModel> m_ikev2ConfigModel;
+    Ikev2ConfigModel* m_ikev2ConfigModel;
 #endif
-    QScopedPointer<SftpConfigModel> m_sftpConfigModel;
-    QScopedPointer<Socks5ProxyConfigModel> m_socks5ConfigModel;
+    SftpConfigModel* m_sftpConfigModel;
+    Socks5ProxyConfigModel* m_socks5ConfigModel;
+
+    CoreSignalHandlers* m_signalHandlers;
 };

 #endif // CORECONTROLLER_H
--- a/client/core/controllers/coreSignalHandlers.cpp
+++ b/client/core/controllers/coreSignalHandlers.cpp
@@ -0,0 +1,430 @@
+#include "coreSignalHandlers.h"
+
+#include <QTimer>
+
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/controllers/coreController.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "vpnConnection.h"
+#include "ui/controllers/qml/pageController.h"
+#include "ui/controllers/connectionUiController.h"
+#include "ui/controllers/settingsUiController.h"
+#include "ui/controllers/serversUiController.h"
+#include "ui/controllers/ipSplitTunnelingUiController.h"
+#include "ui/controllers/allowedDnsUiController.h"
+#include "ui/controllers/appSplitTunnelingUiController.h"
+#include "ui/controllers/languageUiController.h"
+#include "ui/controllers/selfhosted/installUiController.h"
+#include "ui/controllers/importUiController.h"
+#include "ui/controllers/api/subscriptionUiController.h"
+#include "ui/controllers/updateUiController.h"
+#include "ui/models/serversModel.h"
+#include "core/controllers/serversController.h"
+#include "core/controllers/ipSplitTunnelingController.h"
+#include "core/controllers/appSplitTunnelingController.h"
+#include "core/controllers/selfhosted/usersController.h"
+#include "core/controllers/settingsController.h"
+#include "core/controllers/selfhosted/installController.h"
+#include "core/controllers/selfhosted/exportController.h"
+#include "core/controllers/connectionController.h"
+#include "ui/models/clientManagementModel.h"
+#include "ui/controllers/api/apiNewsUiController.h"
+#include "ui/models/api/apiCountryModel.h"
+#include "ui/models/containersModel.h"
+#include "core/utils/containerEnum.h"
+
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+    #include "ui/utils/notificationHandler.h"
+    #include "ui/utils/systemTrayNotificationHandler.h"
+#endif
+
+#ifdef Q_OS_ANDROID
+    #include "platforms/android/android_controller.h"
+#endif
+
+#ifdef Q_OS_IOS
+    #include "platforms/ios/ios_controller.h"
+    #include <AmneziaVPN-Swift.h>
+#endif
+
+CoreSignalHandlers::CoreSignalHandlers(CoreController* coreController, QObject* parent)
+    : QObject(parent),
+      m_coreController(coreController)
+{
+}
+
+void CoreSignalHandlers::initAllHandlers()
+{
+    initErrorMessagesHandler();
+    initSettingsSplitTunnelingHandler();
+    initInstallControllerHandler();
+    initExportControllerHandler();
+    initImportControllerHandler();
+    initApiCountryModelUpdateHandler();
+    initSubscriptionRefreshHandler();
+    initContainerModelUpdateHandler();
+    initAdminConfigRevokedHandler();
+    initPassphraseRequestHandler();
+    initTranslationsUpdatedHandler();
+    initLanguageHandler();
+    initAutoConnectHandler();
+    initAmneziaDnsToggledHandler();
+    initServersModelUpdateHandler();
+    initClientManagementModelUpdateHandler();
+    initSitesModelUpdateHandler();
+    initAllowedDnsModelUpdateHandler();
+    initAppSplitTunnelingModelUpdateHandler();
+    initPrepareConfigHandler();
+    initStrictKillSwitchHandler();
+    initAndroidSettingsHandler();
+    initAndroidConnectionHandler();
+    initIosImportHandler();
+    initIosSettingsHandler();
+    initNotificationHandler();
+    initUpdateFoundHandler();
+}
+
+void CoreSignalHandlers::initErrorMessagesHandler()
+{
+    connect(m_coreController->m_connectionUiController, &ConnectionUiController::connectionErrorOccurred, this, [this](ErrorCode errorCode) {
+        emit m_coreController->m_pageController->showErrorMessage(errorCode);
+        m_coreController->m_connectionController->setConnectionState(Vpn::ConnectionState::Disconnected);
+    });
+
+    connect(m_coreController->m_subscriptionUiController, &SubscriptionUiController::errorOccurred, m_coreController->m_pageController,
+            qOverload<ErrorCode>(&PageController::showErrorMessage));
+
+    connect(m_coreController->m_settingsUiController, &SettingsUiController::errorOccurred, m_coreController->m_pageController,
+            qOverload<ErrorCode>(&PageController::showErrorMessage));
+}
+
+void CoreSignalHandlers::initSettingsSplitTunnelingHandler()
+{
+    connect(m_coreController->m_settingsController, &SettingsController::siteSplitTunnelingRouteModeChanged, this, [this](RouteMode mode) {
+        m_coreController->m_ipSplitTunnelingController->setRouteMode(mode);
+    });
+    connect(m_coreController->m_settingsController, &SettingsController::siteSplitTunnelingToggled, this, [this](bool enabled) {
+        m_coreController->m_ipSplitTunnelingController->toggleSplitTunneling(enabled);
+    });
+    connect(m_coreController->m_settingsController, &SettingsController::appSplitTunnelingRouteModeChanged, this, [this](AppsRouteMode mode) {
+        m_coreController->m_appSplitTunnelingController->setRouteMode(mode);
+    });
+    connect(m_coreController->m_settingsController, &SettingsController::appSplitTunnelingToggled, this, [this](bool enabled) {
+        m_coreController->m_appSplitTunnelingController->toggleSplitTunneling(enabled);
+    });
+    connect(m_coreController->m_settingsController, &SettingsController::appSplitTunnelingClearAppsList, this, [this]() {
+        m_coreController->m_appSplitTunnelingController->clearAppsList();
+    });
+}
+
+void CoreSignalHandlers::initInstallControllerHandler()
+{
+    connect(m_coreController->m_installController, &InstallController::serverIsBusy, m_coreController->m_installUiController, &InstallUiController::serverIsBusy);
+    connect(m_coreController->m_installUiController, &InstallUiController::cancelInstallation, m_coreController->m_installController, &InstallController::cancelInstallation);
+    connect(m_coreController->m_installUiController, &InstallUiController::currentContainerUpdated, m_coreController->m_connectionUiController,
+            &ConnectionUiController::onCurrentContainerUpdated);
+    connect(m_coreController->m_serversUiController, &ServersUiController::processedServerIndexChanged,
+        m_coreController->m_installUiController, [this](int index) {
+        if (index >= 0) {
+            m_coreController->m_installUiController->clearProcessedServerCredentials();
+        }
+    });
+}
+
+void CoreSignalHandlers::initExportControllerHandler()
+{
+    connect(m_coreController->m_exportController, &ExportController::appendClientRequested, this,
+            [this](int serverIndex, const QString &clientId, const QString &clientName, DockerContainer container) {
+                m_coreController->m_usersController->appendClient(serverIndex, clientId, clientName, container);
+            });
+    connect(m_coreController->m_exportController, &ExportController::updateClientsRequested, this,
+            [this](int serverIndex, DockerContainer container) {
+                m_coreController->m_usersController->updateClients(serverIndex, container);
+            });
+    connect(m_coreController->m_exportController, &ExportController::revokeClientRequested, this,
+            [this](int serverIndex, int row, DockerContainer container) {
+                m_coreController->m_usersController->revokeClient(serverIndex, row, container);
+            });
+    connect(m_coreController->m_exportController, &ExportController::renameClientRequested, this,
+            [this](int serverIndex, int row, const QString &clientName, DockerContainer container) {
+                m_coreController->m_usersController->renameClient(serverIndex, row, clientName, container);
+            });
+}
+
+void CoreSignalHandlers::initImportControllerHandler()
+{
+    connect(m_coreController->m_importCoreController, &ImportController::importFinished, this, [this]() {
+        if (!m_coreController->m_connectionController->isConnected()) {
+            int newServerIndex = m_coreController->m_serversController->getServersCount() - 1;
+            m_coreController->m_serversController->setDefaultServerIndex(newServerIndex);
+            if (m_coreController->m_serversUiController) {
+                m_coreController->m_serversUiController->setProcessedServerIndex(newServerIndex);
+            }
+        }
+    });
+}
+
+void CoreSignalHandlers::initApiCountryModelUpdateHandler()
+{
+    connect(m_coreController->m_serversUiController, &ServersUiController::updateApiCountryModel, this, [this]() {
+        int processedIndex = m_coreController->m_serversUiController->getProcessedServerIndex();
+        if (processedIndex < 0 || processedIndex >= m_coreController->m_serversRepository->serversCount()) {
+            return;
+        }
+        
+        ServerConfig server = m_coreController->m_serversRepository->server(processedIndex);
+        QJsonArray availableCountries;
+        QString serverCountryCode;
+        
+        if (server.isApiV2()) {
+            const ApiV2ServerConfig* apiV2 = server.as<ApiV2ServerConfig>();
+            if (apiV2) {
+                availableCountries = apiV2->apiConfig.availableCountries;
+                serverCountryCode = apiV2->apiConfig.serverCountryCode;
+            }
+        }
+        
+        m_coreController->m_apiCountryModel->updateModel(availableCountries, serverCountryCode);
+    });
+}
+
+void CoreSignalHandlers::initSubscriptionRefreshHandler()
+{
+    connect(m_coreController->m_subscriptionUiController, &SubscriptionUiController::subscriptionRefreshNeeded, this, [this]() {
+        const int defaultServerIndex = m_coreController->m_serversController->getDefaultServerIndex();
+        if (defaultServerIndex >= 0) {
+            m_coreController->m_subscriptionUiController->getAccountInfo(defaultServerIndex, false);
+        }
+    });
+}
+
+void CoreSignalHandlers::initContainerModelUpdateHandler()
+{
+    connect(m_coreController->m_serversController, &ServersController::gatewayStacksExpanded, this, [this]() {
+        if (m_coreController->m_serversUiController->hasServersFromGatewayApi()) {
+            m_coreController->m_apiNewsUiController->fetchNews(false);
+        }
+    });
+}
+
+void CoreSignalHandlers::initAdminConfigRevokedHandler()
+{
+    connect(m_coreController->m_installController, &InstallController::clientRevocationRequested, this,
+            [this](int serverIndex, const ContainerConfig &containerConfig, DockerContainer container) {
+                m_coreController->m_usersController->revokeClient(serverIndex, containerConfig, container);
+            });
+
+    connect(m_coreController->m_installController, &InstallController::clientAppendRequested, this,
+            [this](int serverIndex, const QString &clientId, const QString &clientName, DockerContainer container) {
+                m_coreController->m_usersController->appendClient(serverIndex, clientId, clientName, container);
+            });
+
+    connect(m_coreController->m_usersController, &UsersController::adminConfigRevoked, m_coreController->m_serversController,
+            &ServersController::clearCachedProfile);
+}
+
+void CoreSignalHandlers::initPassphraseRequestHandler()
+{
+    connect(m_coreController->m_installUiController, &InstallUiController::passphraseRequestStarted, m_coreController->m_pageController,
+            &PageController::showPassphraseRequestDrawer);
+    connect(m_coreController->m_pageController, &PageController::passphraseRequestDrawerClosed, m_coreController->m_installUiController,
+            &InstallUiController::setEncryptedPassphrase);
+}
+
+void CoreSignalHandlers::initTranslationsUpdatedHandler()
+{
+    connect(m_coreController->m_languageUiController, &LanguageUiController::updateTranslations, m_coreController, &CoreController::updateTranslator);
+    connect(m_coreController, &CoreController::translationsUpdated, m_coreController->m_languageUiController, &LanguageUiController::translationsUpdated);
+    connect(m_coreController, &CoreController::translationsUpdated, m_coreController->m_connectionUiController, &ConnectionUiController::onTranslationsUpdated);
+}
+
+void CoreSignalHandlers::initLanguageHandler()
+{
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::appLanguageChanged, m_coreController->m_languageUiController, &LanguageUiController::onAppLanguageChanged);
+    connect(m_coreController->m_settingsUiController, &SettingsUiController::resetLanguageToSystem, m_coreController->m_languageUiController, [this]() {
+        m_coreController->m_languageUiController->changeLanguage(m_coreController->m_languageUiController->getSystemLanguageEnum());
+    });
+}
+
+void CoreSignalHandlers::initAutoConnectHandler()
+{
+    if (m_coreController->m_settingsUiController->isAutoConnectEnabled() && m_coreController->m_serversController->getDefaultServerIndex() >= 0) {
+        QTimer::singleShot(1000, this, [this]() { m_coreController->m_connectionUiController->openConnection(); });
+    }
+}
+
+void CoreSignalHandlers::initAmneziaDnsToggledHandler()
+{
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::useAmneziaDnsChanged, m_coreController->m_serversUiController, &ServersUiController::updateModel);
+}
+
+void CoreSignalHandlers::initServersModelUpdateHandler()
+{
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverAdded,
+            m_coreController->m_serversUiController, &ServersUiController::updateModel);
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverEdited,
+            m_coreController->m_serversUiController, &ServersUiController::updateModel);
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverRemoved,
+            m_coreController->m_serversUiController, &ServersUiController::updateModel);
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::defaultServerChanged,
+            m_coreController->m_serversUiController, &ServersUiController::onDefaultServerChanged);
+    
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverAdded,
+            m_coreController->m_serversController, &ServersController::recomputeGatewayStacks);
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverEdited,
+            m_coreController->m_serversController, &ServersController::recomputeGatewayStacks);
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverRemoved,
+            m_coreController->m_serversController, &ServersController::recomputeGatewayStacks);
+    
+    connect(m_coreController->m_settingsUiController, &SettingsUiController::restoreBackupFinished,
+            m_coreController->m_serversUiController, &ServersUiController::updateModel);
+}
+
+void CoreSignalHandlers::initClientManagementModelUpdateHandler()
+{
+    connect(m_coreController->m_usersController, &UsersController::clientsUpdated,
+            m_coreController->m_clientManagementModel, &ClientManagementModel::updateModel);
+    connect(m_coreController->m_usersController, &UsersController::clientRenamed,
+            m_coreController->m_clientManagementModel, &ClientManagementModel::updateClientName);
+}
+
+void CoreSignalHandlers::initSitesModelUpdateHandler()
+{
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::sitesChanged, m_coreController->m_ipSplitTunnelingUiController, &IpSplitTunnelingUiController::updateModel);
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::sitesSplitTunnelingEnabledChanged, m_coreController->m_ipSplitTunnelingUiController, &IpSplitTunnelingUiController::updateModel);
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::routeModeChanged, m_coreController->m_ipSplitTunnelingUiController, &IpSplitTunnelingUiController::updateModel);
+}
+
+void CoreSignalHandlers::initAllowedDnsModelUpdateHandler()
+{
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::allowedDnsServersChanged, m_coreController->m_allowedDnsUiController, &AllowedDnsUiController::updateModel);
+}
+
+void CoreSignalHandlers::initAppSplitTunnelingModelUpdateHandler()
+{
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::appsChanged, m_coreController->m_appSplitTunnelingUiController, &AppSplitTunnelingUiController::updateModel);
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::appsSplitTunnelingEnabledChanged, m_coreController->m_appSplitTunnelingUiController, &AppSplitTunnelingUiController::updateModel);
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::appsRouteModeChanged, m_coreController->m_appSplitTunnelingUiController, &AppSplitTunnelingUiController::updateModel);
+}
+
+void CoreSignalHandlers::initPrepareConfigHandler()
+{
+    connect(m_coreController->m_connectionUiController, &ConnectionUiController::prepareConfig, this, [this]() {
+        m_coreController->m_connectionController->setConnectionState(Vpn::ConnectionState::Preparing);
+
+        m_coreController->m_subscriptionUiController->validateConfig();
+    });
+
+    connect(m_coreController->m_subscriptionUiController, &SubscriptionUiController::configValidated, this, [this](bool isValid) {
+        if (!isValid) {
+            m_coreController->m_connectionController->setConnectionState(Vpn::ConnectionState::Disconnected);
+            return;
+        }
+
+        m_coreController->m_installUiController->validateConfig();
+    });
+
+    connect(m_coreController->m_installUiController, &InstallUiController::configValidated, this, [this](bool isValid) {
+        if (!isValid) {
+            m_coreController->m_connectionController->setConnectionState(Vpn::ConnectionState::Disconnected);
+            return;
+        }
+
+        m_coreController->m_connectionUiController->openConnection();
+    });
+}
+
+void CoreSignalHandlers::initStrictKillSwitchHandler()
+{
+    connect(m_coreController->m_settingsUiController, &SettingsUiController::strictKillSwitchEnabledChanged, m_coreController->m_connectionController,
+            &ConnectionController::onKillSwitchModeChanged);
+}
+
+void CoreSignalHandlers::initAndroidSettingsHandler()
+{
+#ifdef Q_OS_ANDROID
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::saveLogsChanged, AndroidController::instance(), &AndroidController::setSaveLogs);
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::screenshotsEnabledChanged, AndroidController::instance(), &AndroidController::setScreenshotsEnabled);
+    connect(m_coreController->m_serversRepository, &SecureServersRepository::serverRemoved, AndroidController::instance(), &AndroidController::resetLastServer);
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::settingsCleared, []() { AndroidController::instance()->resetLastServer(-1); });
+#endif
+}
+
+void CoreSignalHandlers::initAndroidConnectionHandler()
+{
+#ifdef Q_OS_ANDROID
+    connect(AndroidController::instance(), &AndroidController::initConnectionState, this, [this](Vpn::ConnectionState state) {
+        m_coreController->m_connectionUiController->onConnectionStateChanged(state);
+        m_coreController->m_connectionController->restoreConnection();
+    });
+    connect(AndroidController::instance(), &AndroidController::importConfigFromOutside, this, [this](QString data) {
+        emit m_coreController->m_pageController->goToPageHome();
+        m_coreController->m_importController->extractConfigFromData(data);
+        data.clear();
+        emit m_coreController->m_pageController->goToPageViewConfig();
+    });
+#endif
+}
+
+void CoreSignalHandlers::initIosImportHandler()
+{
+#ifdef Q_OS_IOS
+    connect(IosController::Instance(), &IosController::importConfigFromOutside, this, [this](QString data) {
+        emit m_coreController->m_pageController->goToPageHome();
+        m_coreController->m_importController->extractConfigFromData(data);
+        emit m_coreController->m_pageController->goToPageViewConfig();
+    });
+    connect(IosController::Instance(), &IosController::importBackupFromOutside, this, [this](QString filePath) {
+        emit m_coreController->m_pageController->goToPageHome();
+        m_coreController->m_pageController->goToPageSettingsBackup();
+        emit m_coreController->m_settingsUiController->importBackupFromOutside(filePath);
+    });
+#endif
+}
+
+void CoreSignalHandlers::initIosSettingsHandler()
+{
+#ifdef Q_OS_IOS
+    connect(m_coreController->m_appSettingsRepository, &SecureAppSettingsRepository::screenshotsEnabledChanged, [](bool enabled) { AmneziaVPN::toggleScreenshots(enabled); });
+#endif
+}
+
+void CoreSignalHandlers::initNotificationHandler()
+{
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+    m_coreController->m_notificationHandler = NotificationHandler::create(m_coreController);
+
+    connect(m_coreController->m_connectionController, &ConnectionController::connectionStateChanged, m_coreController->m_notificationHandler,
+            &NotificationHandler::setConnectionState);
+
+    connect(m_coreController->m_notificationHandler, &NotificationHandler::raiseRequested, m_coreController->m_pageController, &PageController::raiseMainWindow);
+    connect(m_coreController->m_notificationHandler, &NotificationHandler::connectRequested, m_coreController->m_connectionUiController,
+            static_cast<void (ConnectionUiController::*)()>(&ConnectionUiController::openConnection));
+    connect(m_coreController->m_notificationHandler, &NotificationHandler::disconnectRequested, m_coreController->m_connectionUiController,
+            &ConnectionUiController::closeConnection);
+    connect(m_coreController, &CoreController::translationsUpdated, m_coreController->m_notificationHandler, &NotificationHandler::onTranslationsUpdated);
+
+    auto* trayHandler = qobject_cast<SystemTrayNotificationHandler*>(m_coreController->m_notificationHandler);
+    connect(m_coreController, &CoreController::websiteUrlChanged, trayHandler, &SystemTrayNotificationHandler::updateWebsiteUrl);
+#endif    
+}
+
+void CoreSignalHandlers::initUpdateFoundHandler()
+{
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+    connect(m_coreController->m_apiNewsUiController, &ApiNewsUiController::fetchNewsFinished, m_coreController->m_updateUiController,
+            &UpdateUiController::checkForUpdates);
+
+    connect(m_coreController->m_updateUiController, &UpdateUiController::updateFound, this, [this]() {
+        const QString version = m_coreController->m_updateUiController->getVersion();
+        const QString updateId = version.isEmpty() ? QStringLiteral("update") : QStringLiteral("update-%1").arg(version);
+        m_coreController->m_newsModel->setUpdateNotification(
+                updateId, m_coreController->m_updateUiController->getHeaderText(), m_coreController->m_updateUiController->getChangelogText());
+        emit m_coreController->m_pageController->showChangelogDrawer();
+    });
+#endif
+}
+
--- a/client/core/controllers/coreSignalHandlers.h
+++ b/client/core/controllers/coreSignalHandlers.h
@@ -0,0 +1,49 @@
+#ifndef CORESIGNALHANDLERS_H
+#define CORESIGNALHANDLERS_H
+
+#include <QObject>
+#include "core/controllers/coreController.h"
+
+class CoreSignalHandlers : public QObject
+{
+    Q_OBJECT
+
+public:
+    explicit CoreSignalHandlers(CoreController* coreController, QObject* parent = nullptr);
+
+    void initAllHandlers();
+
+private:
+    void initErrorMessagesHandler();
+    void initSettingsSplitTunnelingHandler();
+    void initInstallControllerHandler();
+    void initExportControllerHandler();
+    void initImportControllerHandler();
+    void initApiCountryModelUpdateHandler();
+    void initSubscriptionRefreshHandler();
+    void initContainerModelUpdateHandler();
+    void initAdminConfigRevokedHandler();
+    void initPassphraseRequestHandler();
+    void initTranslationsUpdatedHandler();
+    void initLanguageHandler();
+    void initAutoConnectHandler();
+    void initAmneziaDnsToggledHandler();
+    void initServersModelUpdateHandler();
+    void initClientManagementModelUpdateHandler();
+    void initSitesModelUpdateHandler();
+    void initAllowedDnsModelUpdateHandler();
+    void initAppSplitTunnelingModelUpdateHandler();
+    void initPrepareConfigHandler();
+    void initStrictKillSwitchHandler();
+    void initAndroidSettingsHandler();
+    void initAndroidConnectionHandler();
+    void initIosImportHandler();
+    void initIosSettingsHandler();
+    void initNotificationHandler();
+    void initUpdateFoundHandler();
+
+    CoreController* m_coreController;
+};
+
+#endif // CORESIGNALHANDLERS_H
+
--- a/client/core/controllers/gatewayController.cpp
+++ b/client/core/controllers/gatewayController.cpp
@@ -15,27 +15,18 @@
 #include "QBlockCipher.h"
 #include "QRsa.h"

-#include "amnezia_application.h"
-#include "core/api/apiUtils.h"
-#include "core/networkUtilities.h"
-#include "utilities.h"
+#include "amneziaApplication.h"
+#include "core/utils/api/apiUtils.h"
+#include "core/utils/constants/apiKeys.h"
+#include "core/utils/networkUtilities.h"
+#include "core/utils/utilities.h"

 #ifdef AMNEZIA_DESKTOP
-    #include "core/ipcclient.h"
+    #include "core/utils/ipcClient.h"
 #endif

 namespace
 {
-    namespace configKey
-    {
-        constexpr char aesKey[] = "aes_key";
-        constexpr char aesIv[] = "aes_iv";
-        constexpr char aesSalt[] = "aes_salt";
-
-        constexpr char apiPayload[] = "api_payload";
-        constexpr char keyPayload[] = "key_payload";
-    }
-
    constexpr QLatin1String errorResponsePattern1("No active configuration found for");
    constexpr QLatin1String errorResponsePattern2("No non-revoked public key found for");
    constexpr QLatin1String errorResponsePattern3("Account not found.");
@@ -44,8 +35,13 @@ namespace

    constexpr int httpStatusCodeNotFound = 404;
    constexpr int httpStatusCodeConflict = 409;
-
    constexpr int httpStatusCodeNotImplemented = 501;
+    constexpr int httpStatusCodePaymentRequired = 402;
+    constexpr int httpStatusCodeUnprocessableEntity = 422;
+
+    constexpr QLatin1String unprocessableSubscriptionMessage("Failed to retrieve subscription information. Is it activated?");
+
+    constexpr int proxyStorageRequestTimeoutMsecs = 3000;
 }

 GatewayController::GatewayController(const QString &gatewayEndpoint, const bool isDevEnvironment, const int requestTimeoutMsecs,
@@ -94,9 +90,9 @@ GatewayController::EncryptedRequestData GatewayController::prepareRequest(const
    encRequestData.salt = blockCipher.generatePrivateSalt(8);

    QJsonObject keyPayload;
-    keyPayload[configKey::aesKey] = QString(encRequestData.key.toBase64());
-    keyPayload[configKey::aesIv] = QString(encRequestData.iv.toBase64());
-    keyPayload[configKey::aesSalt] = QString(encRequestData.salt.toBase64());
+    keyPayload[apiDefs::key::aesKey] = QString(encRequestData.key.toBase64());
+    keyPayload[apiDefs::key::aesIv] = QString(encRequestData.iv.toBase64());
+    keyPayload[apiDefs::key::aesSalt] = QString(encRequestData.salt.toBase64());

    QByteArray encryptedKeyPayload;
    QByteArray encryptedApiPayload;
@@ -128,8 +124,8 @@ GatewayController::EncryptedRequestData GatewayController::prepareRequest(const
    }

    QJsonObject requestBody;
-    requestBody[configKey::keyPayload] = QString(encryptedKeyPayload.toBase64());
-    requestBody[configKey::apiPayload] = QString(encryptedApiPayload.toBase64());
+    requestBody[apiDefs::key::keyPayload] = QString(encryptedKeyPayload.toBase64());
+    requestBody[apiDefs::key::apiPayload] = QString(encryptedApiPayload.toBase64());

    encRequestData.requestBody = QJsonDocument(requestBody).toJson();
    return encRequestData;
@@ -281,23 +277,34 @@ QFuture<QPair<ErrorCode, QByteArray>> GatewayController::postAsync(const QString
            auto serviceType = apiPayload.value(apiDefs::key::serviceType).toString("");
            auto userCountryCode = apiPayload.value(apiDefs::key::userCountryCode).toString("");

-            QStringList baseUrls;
+            QStringList primaryBaseUrls;
+            QStringList fallbackBaseUrls;
            if (m_isDevEnvironment) {
-                baseUrls = QString(DEV_S3_ENDPOINT).split(", ");
+                primaryBaseUrls = QString(DEV_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
            } else {
-                baseUrls = QString(PROD_S3_ENDPOINT).split(", ");
+                primaryBaseUrls = QString(PROD_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
+                fallbackBaseUrls = QString(FALLBACK_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
            }
+            std::random_device randomDevice;
+            std::mt19937 generator(randomDevice());
+            std::shuffle(primaryBaseUrls.begin(), primaryBaseUrls.end(), generator);
+            std::shuffle(fallbackBaseUrls.begin(), fallbackBaseUrls.end(), generator);
+
+            auto appendStorageUrls = [&serviceType, &userCountryCode](const QStringList &baseUrls, QStringList &target) {
+                if (!serviceType.isEmpty()) {
+                    for (const auto &baseUrl : baseUrls) {
+                        QByteArray path = ("endpoints-" + serviceType + "-" + userCountryCode).toUtf8();
+                        target.push_back(baseUrl + path.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals) + ".json");
+                    }
+                }
+                for (const auto &baseUrl : baseUrls) {
+                    target.push_back(baseUrl + "endpoints.json");
+                }
+            };

            QStringList proxyStorageUrls;
-            if (!serviceType.isEmpty()) {
-                for (const auto &baseUrl : baseUrls) {
-                    QByteArray path = ("endpoints-" + serviceType + "-" + userCountryCode).toUtf8();
-                    proxyStorageUrls.push_back(baseUrl + path.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals)
-                                               + ".json");
-                }
-            }
-            for (const auto &baseUrl : baseUrls)
-                proxyStorageUrls.push_back(baseUrl + "endpoints.json");
+            appendStorageUrls(primaryBaseUrls, proxyStorageUrls);
+            appendStorageUrls(fallbackBaseUrls, proxyStorageUrls);

            getProxyUrlsAsync(proxyStorageUrls, 0, [this, encRequestData, endpoint, processResponse](const QStringList &proxyUrls) {
                getProxyUrlAsync(proxyUrls, 0, [this, encRequestData, endpoint, processResponse](const QString &proxyUrl) {
@@ -324,34 +331,48 @@ QFuture<QPair<ErrorCode, QByteArray>> GatewayController::postAsync(const QString
 QStringList GatewayController::getProxyUrls(const QString &serviceType, const QString &userCountryCode)
 {
    QNetworkRequest request;
-    request.setTransferTimeout(m_requestTimeoutMsecs);
+    request.setTransferTimeout(proxyStorageRequestTimeoutMsecs);
    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");

    QEventLoop wait;
    QList<QSslError> sslErrors;
    QNetworkReply *reply;

-    QStringList baseUrls;
+    QStringList primaryBaseUrls;
+    QStringList fallbackBaseUrls;
    if (m_isDevEnvironment) {
-        baseUrls = QString(DEV_S3_ENDPOINT).split(", ");
+        primaryBaseUrls = QString(DEV_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
    } else {
-        baseUrls = QString(PROD_S3_ENDPOINT).split(", ");
+        primaryBaseUrls = QString(PROD_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
+        fallbackBaseUrls = QString(FALLBACK_S3_ENDPOINT).split(", ", Qt::SkipEmptyParts);
    }
+
    std::random_device randomDevice;
    std::mt19937 generator(randomDevice());
-    std::shuffle(baseUrls.begin(), baseUrls.end(), generator);
+    std::shuffle(primaryBaseUrls.begin(), primaryBaseUrls.end(), generator);
+    std::shuffle(fallbackBaseUrls.begin(), fallbackBaseUrls.end(), generator);

    QByteArray key = m_isDevEnvironment ? DEV_AGW_PUBLIC_KEY : PROD_AGW_PUBLIC_KEY;

-    QStringList proxyStorageUrls;
-    if (!serviceType.isEmpty()) {
-        for (const auto &baseUrl : baseUrls) {
-            QByteArray path = ("endpoints-" + serviceType + "-" + userCountryCode).toUtf8();
-            proxyStorageUrls.push_back(baseUrl + path.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals) + ".json");
+    auto appendStorageUrls = [&serviceType, &userCountryCode](const QStringList &baseUrls, QStringList &target) {
+        if (!serviceType.isEmpty()) {
+            for (const auto &baseUrl : baseUrls) {
+                QByteArray path = ("endpoints-" + serviceType + "-" + userCountryCode).toUtf8();
+                target.push_back(baseUrl + path.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals) + ".json");
+            }
        }
-    }
-    for (const auto &baseUrl : baseUrls) {
-        proxyStorageUrls.push_back(baseUrl + "endpoints.json");
+        for (const auto &baseUrl : baseUrls) {
+            target.push_back(baseUrl + "endpoints.json");
+        }
+    };
+
+    QStringList proxyStorageUrls;
+    appendStorageUrls(primaryBaseUrls, proxyStorageUrls);
+    appendStorageUrls(fallbackBaseUrls, proxyStorageUrls);
+
+    if (proxyStorageUrls.empty()) {
+        qDebug() << "empty storage endpoint list";
+        return {};
    }

    for (const auto &proxyStorageUrl : proxyStorageUrls) {
@@ -415,12 +436,14 @@ bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &rep
 {
    const QByteArray &responseBody = decryptedResponseBody;

-    int httpStatus = -1;
+    int apiHttpStatus = -1;
+    QString apiErrorMessage;
    if (isDecryptionSuccessful) {
        QJsonDocument jsonDoc = QJsonDocument::fromJson(responseBody);
        if (jsonDoc.isObject()) {
            QJsonObject jsonObj = jsonDoc.object();
-            httpStatus = jsonObj.value("http_status").toInt(-1);
+            apiHttpStatus = jsonObj.value("http_status").toInt(-1);
+            apiErrorMessage = jsonObj.value(QStringLiteral("message")).toString().trimmed();
        }
    } else {
        qDebug() << "failed to decrypt the data";
@@ -431,10 +454,12 @@ bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &rep
        qDebug() << "timeout occurred";
        qDebug() << replyError;
        return true;
-    } else if (responseBody.contains("html")) {
+    } 
+    if (responseBody.contains("html")) {
        qDebug() << "the response contains an html tag";
        return true;
-    } else if (httpStatus == httpStatusCodeNotFound) {
+    } 
+    if (apiHttpStatus == httpStatusCodeNotFound) {
        if (responseBody.contains(errorResponsePattern1) || responseBody.contains(errorResponsePattern2)
            || responseBody.contains(errorResponsePattern3)) {
            return false;
@@ -442,16 +467,25 @@ bool GatewayController::shouldBypassProxy(const QNetworkReply::NetworkError &rep
            qDebug() << replyError;
            return true;
        }
-    } else if (httpStatus == httpStatusCodeNotImplemented) {
+    } 
+    if (apiHttpStatus == httpStatusCodeNotImplemented) {
        if (responseBody.contains(updateRequestResponsePattern)) {
            return false;
        } else {
            qDebug() << replyError;
            return true;
        }
-    } else if (httpStatus == httpStatusCodeConflict) {
+    } 
+    if (apiHttpStatus == httpStatusCodeConflict) {
        return false;
-    } else if (replyError != QNetworkReply::NetworkError::NoError) {
+    } 
+    if (apiHttpStatus == httpStatusCodePaymentRequired) {
+        return false;
+    } 
+    if (apiHttpStatus == httpStatusCodeUnprocessableEntity) {
+        return apiErrorMessage != unprocessableSubscriptionMessage;
+    } 
+    if (replyError != QNetworkReply::NetworkError::NoError) {
        qDebug() << replyError;
        return true;
    }
@@ -540,7 +574,7 @@ void GatewayController::getProxyUrlsAsync(const QStringList proxyStorageUrls, co
    }

    QNetworkRequest request;
-    request.setTransferTimeout(m_requestTimeoutMsecs);
+    request.setTransferTimeout(proxyStorageRequestTimeoutMsecs);
    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
    request.setUrl(proxyStorageUrls[currentProxyStorageIndex]);

--- a/client/core/controllers/gatewayController.h
+++ b/client/core/controllers/gatewayController.h
@@ -8,7 +8,9 @@
 #include <QPromise>
 #include <QSharedPointer>

-#include "core/defs.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"

 #ifdef Q_OS_IOS
    #include "platforms/ios/ios_controller.h"
--- a/client/core/controllers/ipSplitTunnelingController.cpp
+++ b/client/core/controllers/ipSplitTunnelingController.cpp
@@ -0,0 +1,245 @@
+#include "ipSplitTunnelingController.h"
+#include "core/utils/networkUtilities.h"
+#include <QJsonObject>
+
+IpSplitTunnelingController::IpSplitTunnelingController(SecureAppSettingsRepository* appSettingsRepository, QObject* parent)
+    : QObject(parent),
+      m_appSettingsRepository(appSettingsRepository)
+{
+    m_currentRouteMode = m_appSettingsRepository->routeMode();
+    if (m_currentRouteMode == RouteMode::VpnAllSites) { // for old split tunneling configs
+        m_appSettingsRepository->setRouteMode(RouteMode::VpnOnlyForwardSites);
+        m_currentRouteMode = RouteMode::VpnOnlyForwardSites;
+    }
+    fillSites();
+}
+
+bool IpSplitTunnelingController::addSiteInternal(const QString &hostname, const QString &ip)
+{
+    QVariantMap existing = m_appSettingsRepository->vpnSites(m_currentRouteMode);
+    if (existing.contains(hostname) && ip.isEmpty()) {
+        return false;
+    }
+
+    for (int i = 0; i < m_sites.size(); i++) {
+        if (m_sites[i].first == hostname && (m_sites[i].second.isEmpty() && !ip.isEmpty())) {
+            m_sites[i].second = ip;
+            m_appSettingsRepository->addVpnSite(m_currentRouteMode, hostname, ip);
+            return true;
+        } else if (m_sites[i].first == hostname && (m_sites[i].second == ip)) {
+            return false;
+        }
+    }
+    m_sites.append(qMakePair(hostname, ip));
+    m_appSettingsRepository->addVpnSite(m_currentRouteMode, hostname, ip);
+    return true;
+}
+
+void IpSplitTunnelingController::addSites(const QMap<QString, QString> &sites, bool replaceExisting)
+{
+    if (replaceExisting) {
+        m_sites.clear();
+    }
+    for (auto it = sites.constBegin(); it != sites.constEnd(); ++it) {
+        const QString &hostname = it.key();
+        const QString &ip = it.value();
+        bool found = false;
+        for (int i = 0; i < m_sites.size(); i++) {
+            if (m_sites[i].first == hostname) {
+                if (!ip.isEmpty()) {
+                    m_sites[i].second = ip;
+                }
+                found = true;
+                break;
+            }
+        }
+        if (!found) {
+            m_sites.append(qMakePair(hostname, ip));
+        }
+    }
+    if (replaceExisting) {
+        m_appSettingsRepository->removeAllVpnSites(m_currentRouteMode);
+    }
+    m_appSettingsRepository->addVpnSites(m_currentRouteMode, sites);
+}
+
+bool IpSplitTunnelingController::addSite(const QString &hostname)
+{
+    QString normalizedHostname = normalizeHostname(hostname);
+    
+    if (!validateHostname(normalizedHostname)) {
+        return false;
+    }
+    
+    if (NetworkUtilities::ipAddressWithSubnetRegExp().exactMatch(normalizedHostname)) {
+        processSite(normalizedHostname, "");
+        return true;
+    }
+    
+    if (addSiteInternal(normalizedHostname, "")) {
+        QHostInfo::lookupHost(normalizedHostname, this, SLOT(onHostResolved(QHostInfo)));
+        return true;
+    }
+    
+    return false;
+}
+
+bool IpSplitTunnelingController::removeSite(const QString &hostname)
+{
+    for (int i = 0; i < m_sites.size(); i++) {
+        if (m_sites[i].first == hostname) {
+            m_sites.removeAt(i);
+            m_appSettingsRepository->removeVpnSite(m_currentRouteMode, hostname);
+            return true;
+        }
+    }
+    return false;
+}
+
+void IpSplitTunnelingController::removeSites()
+{
+    m_sites.clear();
+    m_appSettingsRepository->removeAllVpnSites(m_currentRouteMode);
+}
+
+void IpSplitTunnelingController::setRouteMode(RouteMode routeMode)
+{
+    m_currentRouteMode = routeMode;
+    fillSites();
+    m_appSettingsRepository->setRouteMode(routeMode);
+}
+
+void IpSplitTunnelingController::toggleSplitTunneling(bool enabled)
+{
+    m_appSettingsRepository->setSitesSplitTunnelingEnabled(enabled);
+}
+
+RouteMode IpSplitTunnelingController::getRouteMode() const
+{
+    return m_currentRouteMode;
+}
+
+bool IpSplitTunnelingController::isSplitTunnelingEnabled() const
+{
+    return m_appSettingsRepository->isSitesSplitTunnelingEnabled();
+}
+
+QVector<QPair<QString, QString>> IpSplitTunnelingController::getCurrentSites() const
+{
+    return m_sites;
+}
+
+void IpSplitTunnelingController::fillSites()
+{
+    QVariantMap sitesMap = m_appSettingsRepository->vpnSites(m_currentRouteMode);
+    m_sites.clear();
+    for (auto it = sitesMap.begin(); it != sitesMap.end(); ++it) {
+        m_sites.append(qMakePair(it.key(), it.value().toString()));
+    }
+}
+
+QString IpSplitTunnelingController::normalizeHostname(const QString &hostname) const
+{
+    QString normalized = hostname;
+    normalized.replace("https://", "");
+    normalized.replace("http://", "");
+    normalized.replace("ftp://", "");
+    normalized = normalized.split("/", Qt::SkipEmptyParts).first();
+    return normalized;
+}
+
+bool IpSplitTunnelingController::validateHostname(const QString &hostname) const
+{
+    if (hostname.isEmpty()) {
+        return false;
+    }
+    if (!hostname.contains(".") && !NetworkUtilities::ipAddressWithSubnetRegExp().exactMatch(hostname)) {
+        return false;
+    }
+    return true;
+}
+
+
+void IpSplitTunnelingController::onHostResolved(const QHostInfo &hostInfo)
+{
+    const QList<QHostAddress> &addresses = hostInfo.addresses();
+    QString hostname = hostInfo.hostName();
+    
+    for (const QHostAddress &addr : addresses) {
+        if (addr.protocol() == QAbstractSocket::NetworkLayerProtocol::IPv4Protocol) {
+            processSiteAfterResolve(hostname, addr.toString());
+            break;
+        }
+    }
+}
+
+void IpSplitTunnelingController::processSiteAfterResolve(const QString &hostname, const QString &ip)
+{
+    for (int i = 0; i < m_sites.size(); i++) {
+        if (m_sites[i].first == hostname && m_sites[i].second.isEmpty()) {
+            m_sites[i].second = ip;
+            m_appSettingsRepository->addVpnSite(m_currentRouteMode, hostname, ip);
+            break;
+        }
+    }
+}
+
+void IpSplitTunnelingController::processSite(const QString &hostname, const QString &ip)
+{
+    addSiteInternal(hostname, ip);
+}
+
+bool IpSplitTunnelingController::importSitesFromJson(const QByteArray& jsonData, bool replaceExisting, QString &errorMessage)
+{
+    QJsonParseError parseError;
+    QJsonDocument jsonDocument = QJsonDocument::fromJson(jsonData, &parseError);
+    
+    if (parseError.error != QJsonParseError::NoError) {
+        errorMessage = tr("Failed to parse JSON data: %1").arg(parseError.errorString());
+        return false;
+    }
+    
+    if (!jsonDocument.isArray()) {
+        errorMessage = tr("The JSON data is not an array");
+        return false;
+    }
+    
+    QJsonArray jsonArray = jsonDocument.array();
+    QMap<QString, QString> sites;
+    
+    for (auto jsonValue : jsonArray) {
+        QJsonObject jsonObject = jsonValue.toObject();
+        QString hostname = jsonObject.value("hostname").toString("");
+        QString ip = jsonObject.value("ip").toString("");
+        
+        QString normalizedHostname = normalizeHostname(hostname);
+        
+        if (!validateHostname(normalizedHostname)) {
+            qDebug() << normalizedHostname << " not look like ip adress or domain name";
+            continue;
+        }
+        
+        sites.insert(normalizedHostname, ip);
+    }
+    
+    addSites(sites, replaceExisting);
+    
+    return true;
+}
+
+QByteArray IpSplitTunnelingController::exportSitesToJson() const
+{
+    QVector<QPair<QString, QString>> sites = getCurrentSites();
+    QJsonArray jsonArray;
+    
+    for (const auto &site : sites) {
+        QJsonObject jsonObject;
+        jsonObject["hostname"] = site.first;
+        jsonObject["ip"] = site.second;
+        jsonArray.append(jsonObject);
+    }
+    
+    QJsonDocument jsonDocument(jsonArray);
+    return jsonDocument.toJson();
+}
+
--- a/client/core/controllers/ipSplitTunnelingController.h
+++ b/client/core/controllers/ipSplitTunnelingController.h
@@ -0,0 +1,58 @@
+#ifndef IPSPLITTUNNELINGCONTROLLER_H
+#define IPSPLITTUNNELINGCONTROLLER_H
+
+#include <QObject>
+#include <QVector>
+#include <QMap>
+#include <QPair>
+#include <QStringList>
+#include <QJsonDocument>
+#include <QJsonArray>
+#include <QHostInfo>
+
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+using namespace amnezia;
+
+class IpSplitTunnelingController : public QObject
+{
+    Q_OBJECT
+
+public:
+    explicit IpSplitTunnelingController(SecureAppSettingsRepository* appSettingsRepository, QObject* parent = nullptr);
+
+    bool addSite(const QString &hostname);
+    void addSites(const QMap<QString, QString> &sites, bool replaceExisting);
+    bool removeSite(const QString &hostname);
+    void removeSites();
+    void setRouteMode(RouteMode routeMode);
+    void toggleSplitTunneling(bool enabled);
+
+    RouteMode getRouteMode() const;
+    bool isSplitTunnelingEnabled() const;
+    QVector<QPair<QString, QString>> getCurrentSites() const;
+
+    bool importSitesFromJson(const QByteArray& jsonData, bool replaceExisting, QString &errorMessage);
+    QByteArray exportSitesToJson() const;
+
+private slots:
+    void onHostResolved(const QHostInfo &hostInfo);
+
+private:
+    void fillSites();
+    bool addSiteInternal(const QString &hostname, const QString &ip);
+    QString normalizeHostname(const QString &hostname) const;
+    bool validateHostname(const QString &hostname) const;
+    void processSiteAfterResolve(const QString &hostname, const QString &ip);
+    void processSite(const QString &hostname, const QString &ip);
+
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    RouteMode m_currentRouteMode;
+    QVector<QPair<QString, QString>> m_sites;
+};
+
+#endif // IPSPLITTUNNELINGCONTROLLER_H
+
--- a/client/core/controllers/selfhosted/exportController.cpp
+++ b/client/core/controllers/selfhosted/exportController.cpp
@@ -0,0 +1,337 @@
+#include "exportController.h"
+
+#include <QJsonArray>
+#include <QJsonDocument>
+
+#include "core/configurators/configuratorBase.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/networkUtilities.h"
+#include "core/utils/qrCodeUtils.h"
+#include "core/utils/serialization/serialization.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/models/serverConfig.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocolConfig.h"
+
+using namespace amnezia;
+
+ExportController::ExportController(SecureServersRepository* serversRepository,
+                                   SecureAppSettingsRepository* appSettingsRepository,
+                                   QObject *parent)
+    : QObject(parent),
+      m_serversRepository(serversRepository),
+      m_appSettingsRepository(appSettingsRepository)
+{
+}
+
+ExportController::ExportResult ExportController::generateFullAccessConfig(int serverIndex)
+{
+    ExportResult result;
+
+    ServerConfig serverConfig = m_serversRepository->server(serverIndex);
+    serverConfig.visit([](auto& arg) {
+        for (auto it = arg.containers.begin(); it != arg.containers.end(); ++it) {
+            it.value().protocolConfig.clearClientConfig();
+        }
+    });
+
+    QJsonObject serverJson = serverConfig.toJson();
+    QByteArray compressedConfig = QJsonDocument(serverJson).toJson();
+    compressedConfig = qCompress(compressedConfig, 8);
+    result.config = generateVpnUrl(compressedConfig);
+    result.qrCodes = generateQrCodesFromConfig(compressedConfig);
+
+    return result;
+}
+
+ExportController::ExportResult ExportController::generateConnectionConfig(int serverIndex, int containerIndex, const QString &clientName)
+{
+    ExportResult result;
+
+    DockerContainer container = static_cast<DockerContainer>(containerIndex);
+    ServerCredentials credentials = m_serversRepository->serverCredentials(serverIndex);
+    ContainerConfig containerConfig = m_serversRepository->containerConfig(serverIndex, container);
+
+    if (ContainerUtils::containerService(container) != ServiceType::Other) {
+        SshSession sshSession;
+        Proto protocol = ContainerUtils::defaultProtocol(container);
+
+        DnsSettings dnsSettings = {
+            m_appSettingsRepository->primaryDns(),
+            m_appSettingsRepository->secondaryDns()
+        };
+
+        auto configurator = ConfiguratorBase::create(protocol, &sshSession);
+        ProtocolConfig newProtocolConfig = configurator->createConfig(credentials, container, containerConfig, dnsSettings, result.errorCode);
+        if (result.errorCode != ErrorCode::NoError) {
+            return result;
+        }
+
+        containerConfig.protocolConfig = newProtocolConfig;
+        
+        QString clientId = newProtocolConfig.clientId();
+        if (!clientId.isEmpty()) {
+            emit appendClientRequested(serverIndex, clientId, clientName, container);
+        }
+    }
+
+    ServerConfig serverConfig = m_serversRepository->server(serverIndex);
+    serverConfig.visit([container, containerConfig](auto& arg) {
+        arg.containers.clear();
+        arg.containers[container] = containerConfig;
+        arg.defaultContainer = container;
+    });
+
+    if (serverConfig.isSelfHosted()) {
+        SelfHostedServerConfig* selfHosted = serverConfig.as<SelfHostedServerConfig>();
+        if (selfHosted) {
+            selfHosted->userName.reset();
+            selfHosted->password.reset();
+            selfHosted->port.reset();
+        }
+    }
+
+    auto dns = serverConfig.getDnsPair(m_appSettingsRepository->useAmneziaDns(),
+                                       m_appSettingsRepository->primaryDns(),
+                                       m_appSettingsRepository->secondaryDns());
+    serverConfig.visit([&dns](auto& arg) {
+        arg.dns1 = dns.first;
+        arg.dns2 = dns.second;
+    });
+
+    QJsonObject serverJson = serverConfig.toJson();
+    QByteArray compressedConfig = QJsonDocument(serverJson).toJson();
+    compressedConfig = qCompress(compressedConfig, 8);
+    result.config = generateVpnUrl(compressedConfig);
+    result.qrCodes = generateQrCodesFromConfig(compressedConfig);
+
+    return result;
+}
+
+ExportController::NativeConfigResult ExportController::generateNativeConfig(int serverIndex, DockerContainer container,
+                                                                             const ContainerConfig &containerConfig,
+                                                                             const QString &clientName)
+{
+    NativeConfigResult result;
+
+    if (ContainerUtils::containerService(container) == ServiceType::Other) {
+        return result;
+    }
+
+    Proto protocol = ContainerUtils::defaultProtocol(container);
+
+    ServerCredentials credentials = m_serversRepository->serverCredentials(serverIndex);
+    ServerConfig serverConfig = m_serversRepository->server(serverIndex);
+    auto dns = serverConfig.getDnsPair(m_appSettingsRepository->useAmneziaDns(),
+                                       m_appSettingsRepository->primaryDns(),
+                                       m_appSettingsRepository->secondaryDns());
+
+    ContainerConfig modifiedContainerConfig = containerConfig;
+    modifiedContainerConfig.container = container;
+
+    DnsSettings dnsSettings = {
+        m_appSettingsRepository->primaryDns(),
+        m_appSettingsRepository->secondaryDns()
+    };
+
+    SshSession sshSession;
+    auto configurator = ConfiguratorBase::create(protocol, &sshSession);
+
+    ProtocolConfig newProtocolConfig = configurator->createConfig(credentials, container, modifiedContainerConfig, dnsSettings, result.errorCode);
+    if (result.errorCode != ErrorCode::NoError) {
+        return result;
+    }
+
+    ExportSettings exportSettings = { { dns.first, dns.second } };
+    ProtocolConfig processedConfig = configurator->processConfigWithExportSettings(exportSettings, newProtocolConfig);
+
+    if (protocol == Proto::OpenVpn || protocol == Proto::WireGuard || protocol == Proto::Awg) {
+        result.jsonNativeConfig[configKey::config] = processedConfig.nativeConfig();
+    } else {
+        result.jsonNativeConfig = QJsonDocument::fromJson(processedConfig.nativeConfig().toUtf8()).object();
+    }
+
+    if (protocol == Proto::OpenVpn || protocol == Proto::WireGuard || protocol == Proto::Awg || protocol == Proto::Xray) {
+        QString clientId = newProtocolConfig.clientId();
+        if (!clientId.isEmpty()) {
+            emit appendClientRequested(serverIndex, clientId, clientName, container);
+        }
+    }
+    return result;
+}
+
+ExportController::ExportResult ExportController::generateOpenVpnConfig(int serverIndex, const QString &clientName)
+{
+    ExportResult result;
+
+    DockerContainer container = DockerContainer::OpenVpn;
+    ContainerConfig containerConfig = m_serversRepository->containerConfig(serverIndex, container);
+
+    auto nativeResult = generateNativeConfig(serverIndex, container, containerConfig, clientName);
+    if (nativeResult.errorCode != ErrorCode::NoError) {
+        result.errorCode = nativeResult.errorCode;
+        return result;
+    }
+
+    QStringList lines = nativeResult.jsonNativeConfig.value(configKey::config).toString().replace("\r", "").split("\n");
+    for (const QString &line : std::as_const(lines)) {
+        result.config.append(line + "\n");
+    }
+
+    result.qrCodes = generateQrCodesFromConfig(result.config.toUtf8());
+    return result;
+}
+
+ExportController::ExportResult ExportController::generateWireGuardConfig(int serverIndex, const QString &clientName)
+{
+    ExportResult result;
+
+    ContainerConfig containerConfig = m_serversRepository->containerConfig(serverIndex, DockerContainer::WireGuard);
+
+    auto nativeResult = generateNativeConfig(serverIndex, DockerContainer::WireGuard, containerConfig, clientName);
+    if (nativeResult.errorCode != ErrorCode::NoError) {
+        result.errorCode = nativeResult.errorCode;
+        return result;
+    }
+
+    QStringList lines = nativeResult.jsonNativeConfig.value(configKey::config).toString().replace("\r", "").split("\n");
+    for (const QString &line : std::as_const(lines)) {
+        result.config.append(line + "\n");
+    }
+
+    result.qrCodes << generateSingleQrCode(result.config.toUtf8());
+    return result;
+}
+
+ExportController::ExportResult ExportController::generateAwgConfig(int serverIndex, int containerIndex, const QString &clientName)
+{
+    ExportResult result;
+
+    DockerContainer container = static_cast<DockerContainer>(containerIndex);
+    if (container != DockerContainer::Awg && container != DockerContainer::Awg2) {
+        result.errorCode = ErrorCode::InternalError;
+        return result;
+    }
+    ContainerConfig containerConfig = m_serversRepository->containerConfig(serverIndex, container);
+
+    auto nativeResult = generateNativeConfig(serverIndex, container, containerConfig, clientName);
+    if (nativeResult.errorCode != ErrorCode::NoError) {
+        result.errorCode = nativeResult.errorCode;
+        return result;
+    }
+
+    QStringList lines = nativeResult.jsonNativeConfig.value(configKey::config).toString().replace("\r", "").split("\n");
+    for (const QString &line : std::as_const(lines)) {
+        result.config.append(line + "\n");
+    }
+
+    result.qrCodes << generateSingleQrCode(result.config.toUtf8());
+    return result;
+}
+
+
+ExportController::ExportResult ExportController::generateXrayConfig(int serverIndex, const QString &clientName)
+{
+    ExportResult result;
+
+    ContainerConfig containerConfig = m_serversRepository->containerConfig(serverIndex, DockerContainer::Xray);
+
+    auto nativeResult = generateNativeConfig(serverIndex, DockerContainer::Xray, containerConfig, clientName);
+    if (nativeResult.errorCode != ErrorCode::NoError) {
+        result.errorCode = nativeResult.errorCode;
+        return result;
+    }
+
+    QStringList lines = QString(QJsonDocument(nativeResult.jsonNativeConfig).toJson()).replace("\r", "").split("\n");
+    for (const QString &line : std::as_const(lines)) {
+        result.config.append(line + "\n");
+    }
+
+    // Parse the Xray data to extract VLESS parameters and generate string
+    QJsonObject xrayConfig = nativeResult.jsonNativeConfig;
+    QJsonArray outbounds = xrayConfig.value(amnezia::protocols::xray::outbounds).toArray();
+
+    if (outbounds.isEmpty()) {
+        result.errorCode = ErrorCode::InternalError;
+        return result;
+    }
+
+    QJsonObject outbound = outbounds[0].toObject();
+    QJsonObject settings = outbound.value(amnezia::protocols::xray::settings).toObject();
+    QJsonObject streamSettings = outbound.value(amnezia::protocols::xray::streamSettings).toObject();
+
+    QJsonArray vnext = settings.value(amnezia::protocols::xray::vnext).toArray();
+    if (vnext.isEmpty()) {
+        result.errorCode = ErrorCode::InternalError;
+        return result;
+    }
+
+    QJsonObject server = vnext[0].toObject();
+    QJsonArray users = server.value(amnezia::protocols::xray::users).toArray();
+    if (users.isEmpty()) {
+        result.errorCode = ErrorCode::InternalError;
+        return result;
+    }
+
+    QJsonObject user = users[0].toObject();
+
+    amnezia::serialization::VlessServerObject vlessServer;
+    vlessServer.address = server.value(amnezia::protocols::xray::address).toString();
+    vlessServer.port = server.value(amnezia::protocols::xray::port).toInt();
+    vlessServer.id = user.value(amnezia::protocols::xray::id).toString();
+    vlessServer.flow = user.value(amnezia::protocols::xray::flow).toString("xtls-rprx-vision");
+    vlessServer.encryption = user.value(amnezia::protocols::xray::encryption).toString("none");
+
+    vlessServer.network = streamSettings.value(amnezia::protocols::xray::network).toString("tcp");
+    vlessServer.security = streamSettings.value(amnezia::protocols::xray::security).toString("reality");
+
+    if (vlessServer.security == "reality") {
+        QJsonObject realitySettings = streamSettings.value(amnezia::protocols::xray::realitySettings).toObject();
+        vlessServer.serverName = realitySettings.value(amnezia::protocols::xray::serverName).toString();
+        vlessServer.publicKey = realitySettings.value(amnezia::protocols::xray::publicKey).toString();
+        vlessServer.shortId = realitySettings.value(amnezia::protocols::xray::shortId).toString();
+        vlessServer.fingerprint = realitySettings.value(amnezia::protocols::xray::fingerprint).toString("chrome");
+        vlessServer.spiderX = realitySettings.value(amnezia::protocols::xray::spiderX).toString("");
+    }
+
+    result.nativeConfigString = amnezia::serialization::vless::Serialize(vlessServer, "AmneziaVPN");
+
+    return result;
+}
+
+void ExportController::updateClientManagementModel(int serverIndex, int containerIndex)
+{
+    DockerContainer container = static_cast<DockerContainer>(containerIndex);
+    emit updateClientsRequested(serverIndex, container);
+}
+
+void ExportController::revokeConfig(int row, int serverIndex, int containerIndex)
+{
+    DockerContainer container = static_cast<DockerContainer>(containerIndex);
+    emit revokeClientRequested(serverIndex, row, container);
+}
+
+void ExportController::renameClient(int row, const QString &clientName, int serverIndex, int containerIndex)
+{
+    DockerContainer container = static_cast<DockerContainer>(containerIndex);
+    emit renameClientRequested(serverIndex, row, clientName, container);
+}
+
+QString ExportController::generateVpnUrl(const QByteArray &compressedConfig)
+{
+    return QString("vpn://%1").arg(QString(compressedConfig.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals)));
+}
+
+QList<QString> ExportController::generateQrCodesFromConfig(const QByteArray &data)
+{
+    return qrCodeUtils::generateQrCodeImageSeries(data);
+}
+
+QString ExportController::generateSingleQrCode(const QByteArray &data)
+{
+    auto qr = qrCodeUtils::generateQrCode(data);
+    return qrCodeUtils::svgToBase64(QString::fromStdString(toSvgString(qr, 1)));
+}
--- a/client/core/controllers/selfhosted/exportController.h
+++ b/client/core/controllers/selfhosted/exportController.h
@@ -0,0 +1,77 @@
+#ifndef EXPORTCONTROLLER_H
+#define EXPORTCONTROLLER_H
+
+#include <QObject>
+#include <QJsonObject>
+#include <QList>
+#include <QString>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class SshSession;
+class VpnConfigurationsController;
+
+using namespace amnezia;
+
+class ExportController : public QObject
+{
+    Q_OBJECT
+
+public:
+    struct ExportResult
+    {
+        ErrorCode errorCode = ErrorCode::NoError;
+        QString config;
+        QString nativeConfigString;
+        QList<QString> qrCodes;
+    };
+
+    explicit ExportController(SecureServersRepository* serversRepository,
+                              SecureAppSettingsRepository* appSettingsRepository,
+                              QObject *parent = nullptr);
+
+    ExportResult generateFullAccessConfig(int serverIndex);
+    ExportResult generateConnectionConfig(int serverIndex, int containerIndex, const QString &clientName);
+    ExportResult generateOpenVpnConfig(int serverIndex, const QString &clientName);
+    ExportResult generateWireGuardConfig(int serverIndex, const QString &clientName);
+    ExportResult generateAwgConfig(int serverIndex, int containerIndex, const QString &clientName);
+    ExportResult generateXrayConfig(int serverIndex, const QString &clientName);
+
+signals:
+    void appendClientRequested(int serverIndex, const QString &clientId, const QString &clientName, DockerContainer container);
+    void updateClientsRequested(int serverIndex, DockerContainer container);
+    void revokeClientRequested(int serverIndex, int row, DockerContainer container);
+    void renameClientRequested(int serverIndex, int row, const QString &clientName, DockerContainer container);
+
+public slots:
+    void updateClientManagementModel(int serverIndex, int containerIndex);
+    void revokeConfig(int row, int serverIndex, int containerIndex);
+    void renameClient(int row, const QString &clientName, int serverIndex, int containerIndex);
+
+private:
+    struct NativeConfigResult
+    {
+        ErrorCode errorCode = ErrorCode::NoError;
+        QJsonObject jsonNativeConfig;
+    };
+
+    NativeConfigResult generateNativeConfig(int serverIndex, DockerContainer container,
+                                            const ContainerConfig &containerConfig,
+                                            const QString &clientName);
+
+    QString generateVpnUrl(const QByteArray &compressedConfig);
+    QList<QString> generateQrCodesFromConfig(const QByteArray &data);
+    QString generateSingleQrCode(const QByteArray &data);
+
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+};
+
+#endif // EXPORTCONTROLLER_H
--- a/client/core/controllers/selfhosted/importController.cpp
+++ b/client/core/controllers/selfhosted/importController.cpp
@@ -0,0 +1,762 @@
+#include "importController.h"
+
+#include <QDataStream>
+#include <QDebug>
+#include <QJsonArray>
+#include <QJsonDocument>
+#include <QJsonParseError>
+#include <QMap>
+#include <QRandomGenerator>
+#include <QRegularExpression>
+#include <QRegularExpressionMatch>
+#include <QRegularExpressionMatchIterator>
+#include <QUrl>
+#include <algorithm>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/api/apiEnums.h"
+#include "core/utils/constants/apiKeys.h"
+#include "core/utils/constants/apiConstants.h"
+#include "core/utils/api/apiUtils.h"
+#include "core/utils/serialization/serialization.h"
+#include "core/utils/utilities.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/utils/qrCodeUtils.h"
+#include "core/models/serverConfig.h"
+
+using namespace amnezia;
+using namespace ProtocolUtils;
+
+namespace
+{
+    ConfigTypes checkConfigFormat(const QString &config)
+    {
+        const QString openVpnConfigPatternCli = "client";
+        const QString openVpnConfigPatternDriver1 = "dev tun";
+        const QString openVpnConfigPatternDriver2 = "dev tap";
+
+        const QString wireguardConfigPatternSectionInterface = "[Interface]";
+        const QString wireguardConfigPatternSectionPeer = "[Peer]";
+
+        const QString xrayConfigPatternInbound = "inbounds";
+        const QString xrayConfigPatternOutbound = "outbounds";
+
+        const QString amneziaConfigPattern = "containers";
+        const QString amneziaConfigPatternHostName = "hostName";
+        const QString amneziaConfigPatternUserName = "userName";
+        const QString amneziaConfigPatternPassword = "password";
+        const QString amneziaFreeConfigPattern = "api_key";
+        const QString amneziaPremiumConfigPattern = "auth_data";
+        const QString backupPattern = "Servers/serversList";
+
+        if (config.contains(backupPattern)) {
+            return ConfigTypes::Backup;
+        } else if (config.contains(amneziaConfigPattern) || config.contains(amneziaFreeConfigPattern)
+                   || config.contains(amneziaPremiumConfigPattern)
+                   || (config.contains(amneziaConfigPatternHostName) && config.contains(amneziaConfigPatternUserName)
+                       && config.contains(amneziaConfigPatternPassword))) {
+            return ConfigTypes::Amnezia;
+        } else if (config.contains(wireguardConfigPatternSectionInterface) && config.contains(wireguardConfigPatternSectionPeer)) {
+            return ConfigTypes::WireGuard;
+        } else if ((config.contains(xrayConfigPatternInbound)) && (config.contains(xrayConfigPatternOutbound))) {
+            return ConfigTypes::Xray;
+        } else if (config.contains(openVpnConfigPatternCli)
+                   && (config.contains(openVpnConfigPatternDriver1) || config.contains(openVpnConfigPatternDriver2))) {
+            return ConfigTypes::OpenVpn;
+        }
+        return ConfigTypes::Invalid;
+    }
+} // namespace
+
+ImportController::ImportController(SecureServersRepository* serversRepository,
+                                   SecureAppSettingsRepository* appSettingsRepository,
+                                   QObject *parent)
+    : QObject(parent),
+      m_serversRepository(serversRepository),
+      m_appSettingsRepository(appSettingsRepository)
+{
+}
+
+ImportController::ImportResult ImportController::extractConfigFromData(const QString &data, const QString &configFileName)
+{
+    ImportResult result;
+    result.configFileName = configFileName;
+    result.maliciousWarningText.clear();
+
+    QString config = data;
+    QString prefix;
+    QString errormsg;
+    ConfigTypes configType = ConfigTypes::Invalid;
+
+    if (config.startsWith("vless://")) {
+        configType = ConfigTypes::Xray;
+        result.config = extractXrayConfig(
+                Utils::JsonToString(serialization::vless::Deserialize(config, &prefix, &errormsg), QJsonDocument::JsonFormat::Compact),
+                configType, prefix);
+        if (!result.config.empty()) {
+            result.configType = configType;
+            return result;
+        }
+    }
+
+    if (config.startsWith("vmess://") && config.contains("@")) {
+        configType = ConfigTypes::Xray;
+        result.config = extractXrayConfig(
+                Utils::JsonToString(serialization::vmess_new::Deserialize(config, &prefix, &errormsg), QJsonDocument::JsonFormat::Compact),
+                configType, prefix);
+        if (!result.config.empty()) {
+            result.configType = configType;
+            return result;
+        }
+    }
+
+    if (config.startsWith("vmess://")) {
+        configType = ConfigTypes::Xray;
+        result.config = extractXrayConfig(
+                Utils::JsonToString(serialization::vmess::Deserialize(config, &prefix, &errormsg), QJsonDocument::JsonFormat::Compact),
+                configType, prefix);
+        if (!result.config.empty()) {
+            result.configType = configType;
+            return result;
+        }
+    }
+
+    if (config.startsWith("trojan://")) {
+        configType = ConfigTypes::Xray;
+        result.config = extractXrayConfig(
+                Utils::JsonToString(serialization::trojan::Deserialize(config, &prefix, &errormsg), QJsonDocument::JsonFormat::Compact),
+                configType, prefix);
+        if (!result.config.empty()) {
+            result.configType = configType;
+            return result;
+        }
+    }
+
+    if (config.startsWith("ss://") && !config.contains("plugin=")) {
+        configType = ConfigTypes::ShadowSocks;
+        result.config = extractXrayConfig(
+                Utils::JsonToString(serialization::ss::Deserialize(config, &prefix, &errormsg), QJsonDocument::JsonFormat::Compact),
+                configType, prefix);
+        if (!result.config.empty()) {
+            result.configType = configType;
+            return result;
+        }
+    }
+
+    if (config.startsWith("ssd://")) {
+        QStringList tmp;
+        QList<std::pair<QString, QJsonObject>> servers = serialization::ssd::Deserialize(config, &prefix, &tmp);
+        configType = ConfigTypes::ShadowSocks;
+        // Took only first config from list
+        if (!servers.isEmpty()) {
+            result.config = extractXrayConfig(servers.first().first, configType);
+        }
+        if (!result.config.empty()) {
+            result.configType = configType;
+            return result;
+        }
+    }
+
+    configType = checkConfigFormat(config);
+    if (configType == ConfigTypes::Invalid) {
+        config.replace("vpn://", "");
+        QByteArray ba = QByteArray::fromBase64(config.toUtf8(), QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
+        QByteArray baUncompressed = qUncompress(ba);
+        if (!baUncompressed.isEmpty()) {
+            ba = baUncompressed;
+        }
+
+        config = ba;
+        configType = checkConfigFormat(config);
+    }
+
+    result.configType = configType;
+
+    switch (configType) {
+    case ConfigTypes::OpenVpn: {
+        result.config = extractOpenVpnConfig(config);
+        if (!result.config.empty()) {
+            checkForMaliciousStrings(result.config, result.maliciousWarningText);
+            return result;
+        }
+        result.errorCode = ErrorCode::ImportInvalidConfigError;
+        return result;
+    }
+    case ConfigTypes::Awg:
+    case ConfigTypes::WireGuard: {
+        result.config = extractWireGuardConfig(config, result.configType);
+        result.isNativeWireGuardConfig = (result.configType == ConfigTypes::WireGuard);
+        if (!result.config.empty()) {
+            return result;
+        }
+        result.errorCode = ErrorCode::ImportInvalidConfigError;
+        return result;
+    }
+    case ConfigTypes::Xray: {
+        result.config = extractXrayConfig(config, configType);
+        if (!result.config.empty()) {
+            return result;
+        }
+        result.errorCode = ErrorCode::ImportInvalidConfigError;
+        return result;
+    }
+    case ConfigTypes::Amnezia: {
+        result.config = QJsonDocument::fromJson(config.toUtf8()).object();
+
+        if (apiUtils::isServerFromApi(result.config)) {
+            auto apiConfig = result.config.value(apiDefs::key::apiConfig).toObject();
+            apiConfig[apiDefs::key::vpnKey] = data;
+            result.config[apiDefs::key::apiConfig] = apiConfig;
+        }
+
+        processAmneziaConfig(result.config);
+        if (!result.config.empty()) {
+            checkForMaliciousStrings(result.config, result.maliciousWarningText);
+            return result;
+        }
+        result.errorCode = ErrorCode::ImportInvalidConfigError;
+        return result;
+    }
+    case ConfigTypes::Backup: {
+        result.errorCode = ErrorCode::ImportBackupFileUseRestoreInstead;
+        return result;
+    }
+    case ConfigTypes::Invalid: {
+        result.errorCode = ErrorCode::ImportInvalidConfigError;
+        result.configFileName.clear();
+        return result;
+    }
+    }
+    
+    result.errorCode = ErrorCode::ImportInvalidConfigError;
+    return result;
+}
+
+ImportController::ImportResult ImportController::extractConfigFromQr(const QByteArray &data)
+{
+    ImportResult result;
+
+    QString dataStr = QString::fromUtf8(data);
+    ConfigTypes configType = checkConfigFormat(dataStr);
+    if (configType != ConfigTypes::Invalid) {
+        return extractConfigFromData(dataStr, "");
+    }
+
+    QJsonObject dataObj = QJsonDocument::fromJson(data).object();
+    if (!dataObj.isEmpty()) {
+        result.config = dataObj;
+        result.configType = ConfigTypes::Amnezia;
+        return result;
+    }
+
+    QByteArray ba_uncompressed = qUncompress(data);
+    if (!ba_uncompressed.isEmpty()) {
+        result.config = QJsonDocument::fromJson(ba_uncompressed).object();
+        if (result.config.isEmpty()) {
+            result.errorCode = ErrorCode::ImportInvalidConfigError;
+            return result;
+        }
+        result.configType = ConfigTypes::Amnezia;
+        return result;
+    }
+
+    QByteArray ba = QByteArray::fromBase64(data, QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
+    QByteArray baUncompressed = qUncompress(ba);
+
+    if (!baUncompressed.isEmpty()) {
+        ba = baUncompressed;
+    }
+
+    if (!ba.isEmpty()) {
+        result.config = QJsonDocument::fromJson(ba).object();
+        if (result.config.isEmpty()) {
+            result.errorCode = ErrorCode::ImportInvalidConfigError;
+            return result;
+        }
+        result.configType = ConfigTypes::Amnezia;
+        return result;
+    }
+
+    result.errorCode = ErrorCode::ImportInvalidConfigError;
+    return result;
+}
+
+void ImportController::startDecodingQr()
+{
+    m_qrCodeChunks.clear();
+    m_totalQrCodeChunksCount = 0;
+    m_receivedQrCodeChunksCount = 0;
+    m_isQrCodeProcessed = true;
+}
+
+ImportController::QrParseResult ImportController::parseQrCodeChunk(const QString &code)
+{
+    QrParseResult parseResult;
+    parseResult.chunksReceived = m_receivedQrCodeChunksCount;
+    parseResult.chunksTotal = m_totalQrCodeChunksCount;
+
+    if (!m_isQrCodeProcessed) {
+        return parseResult;
+    }
+
+    QByteArray ba = QByteArray::fromBase64(code.toUtf8(), QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
+    QDataStream s(&ba, QIODevice::ReadOnly);
+    qint16 magic;
+    s >> magic;
+
+    if (magic == qrCodeUtils::qrMagicCode) {
+        quint8 chunksCount;
+        s >> chunksCount;
+        if (m_totalQrCodeChunksCount != chunksCount) {
+            m_qrCodeChunks.clear();
+        }
+
+        m_totalQrCodeChunksCount = chunksCount;
+
+        quint8 chunkId;
+        s >> chunkId;
+        s >> m_qrCodeChunks[chunkId];
+        m_receivedQrCodeChunksCount = m_qrCodeChunks.size();
+        parseResult.chunksReceived = m_receivedQrCodeChunksCount;
+        parseResult.chunksTotal = m_totalQrCodeChunksCount;
+
+        if (m_qrCodeChunks.size() == m_totalQrCodeChunksCount) {
+            QByteArray data;
+            for (int i = 0; i < m_totalQrCodeChunksCount; ++i) {
+                data.append(m_qrCodeChunks.value(i));
+            }
+
+            ImportResult result = extractConfigFromQr(data);
+            if (result.errorCode == ErrorCode::NoError) {
+                parseResult.success = true;
+                parseResult.importResult = result;
+                m_isQrCodeProcessed = false;
+            } else {
+                m_qrCodeChunks.clear();
+                m_totalQrCodeChunksCount = 0;
+                m_receivedQrCodeChunksCount = 0;
+            }
+        }
+    } else {
+        ImportResult result = extractConfigFromQr(code.toUtf8());
+        if (result.errorCode != ErrorCode::NoError) {
+            result = extractConfigFromQr(ba);
+        }
+        if (result.errorCode == ErrorCode::NoError) {
+            parseResult.success = true;
+            parseResult.importResult = result;
+            m_isQrCodeProcessed = false;
+        }
+    }
+
+    return parseResult;
+}
+
+bool ImportController::isQrDecodingActive() const
+{
+    return m_isQrCodeProcessed;
+}
+
+int ImportController::qrChunksReceived() const
+{
+    return m_receivedQrCodeChunksCount;
+}
+
+int ImportController::qrChunksTotal() const
+{
+    return m_totalQrCodeChunksCount;
+}
+
+void ImportController::importConfig(const QJsonObject &config)
+{
+    ServerCredentials credentials;
+    credentials.hostName = config.value(configKey::hostName).toString();
+    credentials.port = config.value(configKey::port).toInt();
+    credentials.userName = config.value(configKey::userName).toString();
+    credentials.secretData = config.value(configKey::password).toString();
+
+    if (credentials.isValid() || config.contains(configKey::containers)) {
+        ServerConfig serverConfig = ServerConfig::fromJson(config);
+        m_serversRepository->addServer(serverConfig);
+        emit importFinished();
+    } else if (config.contains(configKey::configVersion)) {
+        quint16 crc = qChecksum(QJsonDocument(config).toJson());
+        if (m_serversRepository->hasServerWithCrc(crc)) {
+            emit importErrorOccurred(ErrorCode::ApiConfigAlreadyAdded, true);
+        } else {
+            QJsonObject configWithCrc = config;
+            configWithCrc.insert(configKey::crc, crc);
+            ServerConfig serverConfig = ServerConfig::fromJson(configWithCrc);
+            m_serversRepository->addServer(serverConfig);
+            emit importFinished();
+        }
+    } else {
+        qDebug() << "Failed to import profile";
+        qDebug().noquote() << QJsonDocument(config).toJson();
+        emit importErrorOccurred(ErrorCode::ImportInvalidConfigError, false);
+    }
+}
+
+QJsonObject ImportController::processNativeWireGuardConfig(const QJsonObject &config)
+{
+    QJsonObject result = config;
+    auto containers = result.value(configKey::containers).toArray();
+    if (!containers.isEmpty()) {
+        auto container = containers.at(0).toObject();
+        auto serverProtocolConfig = container.value(ContainerUtils::containerTypeToProtocolString(DockerContainer::WireGuard)).toObject();
+        auto clientProtocolConfig = QJsonDocument::fromJson(serverProtocolConfig.value(configKey::lastConfig).toString().toUtf8()).object();
+
+        QString junkPacketCount = QString::number(QRandomGenerator::global()->bounded(4, 7));
+        QString junkPacketMinSize = QString::number(10);
+        QString junkPacketMaxSize = QString::number(50);
+        clientProtocolConfig[configKey::junkPacketCount] = junkPacketCount;
+        clientProtocolConfig[configKey::junkPacketMinSize] = junkPacketMinSize;
+        clientProtocolConfig[configKey::junkPacketMaxSize] = junkPacketMaxSize;
+        clientProtocolConfig[configKey::initPacketJunkSize] = "0";
+        clientProtocolConfig[configKey::responsePacketJunkSize] = "0";
+        clientProtocolConfig[configKey::initPacketMagicHeader] = "1";
+        clientProtocolConfig[configKey::responsePacketMagicHeader] = "2";
+        clientProtocolConfig[configKey::underloadPacketMagicHeader] = "3";
+        clientProtocolConfig[configKey::transportPacketMagicHeader] = "4";
+
+        clientProtocolConfig[configKey::cookieReplyPacketJunkSize] = "0";
+        clientProtocolConfig[configKey::transportPacketJunkSize] = "0";
+
+        clientProtocolConfig[configKey::specialJunk1] = protocols::awg::defaultSpecialJunk1;
+
+        clientProtocolConfig[configKey::isObfuscationEnabled] = true;
+
+        serverProtocolConfig[configKey::lastConfig] = QString(QJsonDocument(clientProtocolConfig).toJson());
+        container[configKey::wireguard] = serverProtocolConfig;
+        containers.replace(0, container);
+        result[configKey::containers] = containers;
+    }
+    return result;
+}
+
+ConfigTypes ImportController::checkConfigFormat(const QString &config) const
+{
+    return ::checkConfigFormat(config);
+}
+
+QJsonObject ImportController::extractOpenVpnConfig(const QString &data) const
+{
+    QJsonObject openVpnConfig;
+    openVpnConfig[configKey::config] = data;
+
+    QJsonObject lastConfig;
+    lastConfig[configKey::lastConfig] = QString(QJsonDocument(openVpnConfig).toJson());
+    lastConfig[configKey::isThirdPartyConfig] = true;
+
+    QJsonObject containers;
+    containers.insert(configKey::container, QJsonValue(configKey::amneziaOpenvpn));
+    containers.insert(configKey::openvpn, QJsonValue(lastConfig));
+
+    QJsonArray arr;
+    arr.push_back(containers);
+
+    QString hostName;
+    const static QRegularExpression hostNameRegExp("remote\\s+([^\\s]+)");
+    QRegularExpressionMatch hostNameMatch = hostNameRegExp.match(data);
+    if (hostNameMatch.hasMatch()) {
+        hostName = hostNameMatch.captured(1);
+    }
+
+    QJsonObject config;
+    config[configKey::containers] = arr;
+    config[configKey::defaultContainer] = configKey::amneziaOpenvpn;
+    config[configKey::description] = m_appSettingsRepository->nextAvailableServerName();
+
+    const static QRegularExpression dnsRegExp("dhcp-option DNS (\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b)");
+    QRegularExpressionMatchIterator dnsMatch = dnsRegExp.globalMatch(data);
+    if (dnsMatch.hasNext()) {
+        config[configKey::dns1] = dnsMatch.next().captured(1);
+    }
+    if (dnsMatch.hasNext()) {
+        config[configKey::dns2] = dnsMatch.next().captured(1);
+    }
+
+    config[configKey::hostName] = hostName;
+
+    return config;
+}
+
+QJsonObject ImportController::extractWireGuardConfig(const QString &data, ConfigTypes &configType) const
+{
+    QMap<QString, QString> configMap;
+    auto configByLines = data.split("\n");
+    for (const QString &line : configByLines) {
+        QString trimmedLine = line.trimmed();
+        if (trimmedLine.startsWith("[") && trimmedLine.endsWith("]")) {
+            continue;
+        } else {
+            QStringList parts = trimmedLine.split(" = ");
+            if (parts.count() == 2) {
+                configMap[parts.at(0).trimmed()] = parts.at(1).trimmed();
+            }
+        }
+    }
+
+    QJsonObject lastConfig;
+    lastConfig[configKey::config] = data;
+
+    auto url { QUrl::fromUserInput(configMap.value(protocols::wireguard::Endpoint)) };
+    QString hostName;
+    QString port;
+    if (!url.host().isEmpty()) {
+        hostName = url.host();
+    } else {
+        qDebug() << "Key parameter" << protocols::wireguard::Endpoint << "is missing or has an invalid format";
+        return QJsonObject();
+    }
+
+    if (url.port() != -1) {
+        port = QString::number(url.port());
+    } else {
+        port = protocols::wireguard::defaultPort;
+    }
+
+    lastConfig[configKey::hostName] = hostName;
+    lastConfig[configKey::port] = port.toInt();
+
+    if (!configMap.value(protocols::wireguard::PrivateKey).isEmpty()
+            && !configMap.value(protocols::wireguard::Address).isEmpty()
+            && !configMap.value(protocols::wireguard::PublicKey).isEmpty()) {
+        lastConfig[configKey::clientPrivKey] = configMap.value(protocols::wireguard::PrivateKey);
+        lastConfig[configKey::clientIp] = configMap.value(protocols::wireguard::Address);
+
+        if (!configMap.value(protocols::wireguard::PresharedKey).isEmpty()) {
+            lastConfig[configKey::pskKey] = configMap.value(protocols::wireguard::PresharedKey);
+        } else if (!configMap.value(protocols::wireguard::PreSharedKey).isEmpty()) {
+            lastConfig[configKey::pskKey] = configMap.value(protocols::wireguard::PreSharedKey);
+        }
+
+        lastConfig[configKey::serverPubKey] = configMap.value(protocols::wireguard::PublicKey);
+    } else {
+        qDebug() << "One of the key parameters is missing (PrivateKey, Address, PublicKey)";
+        return QJsonObject();
+    }
+
+    if (!configMap.value(protocols::wireguard::MTU).isEmpty()) {
+        lastConfig[configKey::mtu] = configMap.value(protocols::wireguard::MTU);
+    }
+
+    if (!configMap.value(protocols::wireguard::PersistentKeepalive).isEmpty()) {
+        lastConfig[configKey::persistentKeepAlive] = configMap.value(protocols::wireguard::PersistentKeepalive);
+    }
+
+    QJsonArray allowedIpsJsonArray = QJsonArray::fromStringList(
+                configMap.value(protocols::wireguard::AllowedIPs).split(", "));
+
+    lastConfig[configKey::allowedIps] = allowedIpsJsonArray;
+
+    QString protocolName = configKey::wireguard;
+    QString protocolVersion;
+    ConfigTypes detectedType = ConfigTypes::WireGuard;
+
+    const QStringList requiredJunkFields = { configKey::junkPacketCount,           configKey::junkPacketMinSize,
+                                             configKey::junkPacketMaxSize,         configKey::initPacketJunkSize,
+                                             configKey::responsePacketJunkSize,    configKey::initPacketMagicHeader,
+                                             configKey::responsePacketMagicHeader, configKey::underloadPacketMagicHeader,
+                                             configKey::transportPacketMagicHeader };
+
+    const QStringList optionalJunkFields = { configKey::cookieReplyPacketJunkSize,
+                                             configKey::transportPacketJunkSize,
+                                             configKey::specialJunk1,    configKey::specialJunk2,    configKey::specialJunk3,
+                                             configKey::specialJunk4,    configKey::specialJunk5
+    };
+
+    bool hasAllRequiredFields = std::all_of(requiredJunkFields.begin(), requiredJunkFields.end(),
+                                            [&configMap](const QString &field) { return !configMap.value(field).isEmpty(); });
+    if (hasAllRequiredFields) {
+        for (const QString &field : requiredJunkFields) {
+            lastConfig[field] = configMap.value(field);
+        }
+
+        for (const QString &field : optionalJunkFields) {
+            if (!configMap.value(field).isEmpty()) {
+                lastConfig[field] = configMap.value(field);
+            }
+        }
+
+        bool hasCookieReplyPacketJunkSize = !configMap.value(configKey::cookieReplyPacketJunkSize).isEmpty();
+        bool hasTransportPacketJunkSize = !configMap.value(configKey::transportPacketJunkSize).isEmpty();
+        bool hasSpecialJunk = !configMap.value(configKey::specialJunk1).isEmpty() ||
+                              !configMap.value(configKey::specialJunk2).isEmpty() ||
+                              !configMap.value(configKey::specialJunk3).isEmpty() ||
+                              !configMap.value(configKey::specialJunk4).isEmpty() ||
+                              !configMap.value(configKey::specialJunk5).isEmpty();
+
+        if (hasCookieReplyPacketJunkSize && hasTransportPacketJunkSize) {
+            protocolVersion = "2";
+        } else if (hasSpecialJunk && !hasCookieReplyPacketJunkSize && !hasTransportPacketJunkSize) {
+            protocolVersion = "1.5";
+        }
+        protocolName = configKey::awg;
+        detectedType = ConfigTypes::Awg;
+    }
+
+    if (!configMap.value(protocols::wireguard::MTU).isEmpty()) {
+        lastConfig[configKey::mtu] = configMap.value(protocols::wireguard::MTU);
+    } else {
+        lastConfig[configKey::mtu] = (protocolName == configKey::awg) 
+                                       ? protocols::awg::defaultMtu 
+                                       : protocols::wireguard::defaultMtu;
+    }
+
+    QJsonObject wireguardConfig;
+    wireguardConfig[configKey::lastConfig] = QString(QJsonDocument(lastConfig).toJson());
+    wireguardConfig[configKey::isThirdPartyConfig] = true;
+    wireguardConfig[configKey::port] = port;
+    wireguardConfig[configKey::transportProto] = protocols::openvpn::defaultTransportProto;
+    if (protocolName == configKey::awg && !protocolVersion.isEmpty()) {
+        wireguardConfig[configKey::protocolVersion] = protocolVersion;
+    }
+
+    QJsonObject containers;
+    QString containerName = (protocolName == configKey::awg) ? configKey::amneziaAwg : configKey::amneziaWireguard;
+    containers.insert(configKey::container, QJsonValue(containerName));
+    containers.insert(protocolName, QJsonValue(wireguardConfig));
+
+    QJsonArray arr;
+    arr.push_back(containers);
+
+    QJsonObject config;
+    config[configKey::containers] = arr;
+    config[configKey::defaultContainer] = containerName;
+    config[configKey::description] = m_appSettingsRepository->nextAvailableServerName();
+
+    const static QRegularExpression dnsRegExp(
+            "DNS = "
+            "(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b).*(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b)");
+    QRegularExpressionMatch dnsMatch = dnsRegExp.match(data);
+    if (dnsMatch.hasMatch()) {
+        config[configKey::dns1] = dnsMatch.captured(1);
+        config[configKey::dns2] = dnsMatch.captured(2);
+    }
+
+    config[configKey::hostName] = hostName;
+
+    configType = detectedType;
+    return config;
+}
+
+QJsonObject ImportController::extractXrayConfig(const QString &data, ConfigTypes configType, const QString &description) const
+{
+    QJsonParseError parserErr;
+    QJsonDocument jsonConf = QJsonDocument::fromJson(data.toLocal8Bit(), &parserErr);
+
+    QJsonObject xrayVpnConfig;
+    xrayVpnConfig[configKey::config] = jsonConf.toJson().constData();
+    QJsonObject lastConfig;
+    lastConfig[configKey::lastConfig] = jsonConf.toJson().constData();
+    lastConfig[configKey::isThirdPartyConfig] = true;
+
+    QJsonObject containers;
+    if (configType == ConfigTypes::ShadowSocks) {
+        containers.insert(configKey::ssxray, QJsonValue(lastConfig));
+        containers.insert(configKey::container, QJsonValue(configKey::amneziaSsxray));
+    } else {
+        containers.insert(configKey::container, QJsonValue(configKey::amneziaXray));
+        containers.insert(configKey::xray, QJsonValue(lastConfig));
+    }
+
+    QJsonArray arr;
+    arr.push_back(containers);
+
+    QString hostName;
+
+    const static QRegularExpression hostNameRegExp("\"address\":\\s*\"([^\"]+)");
+    QRegularExpressionMatch hostNameMatch = hostNameRegExp.match(data);
+    if (hostNameMatch.hasMatch()) {
+        hostName = hostNameMatch.captured(1);
+    }
+
+    QJsonObject config;
+    config[configKey::containers] = arr;
+    config[configKey::defaultContainer] = (configType == ConfigTypes::ShadowSocks)
+            ? configKey::amneziaSsxray
+            : configKey::amneziaXray;
+    if (description.isEmpty()) {
+        config[configKey::description] = m_appSettingsRepository->nextAvailableServerName();
+    } else {
+        config[configKey::description] = description;
+    }
+    config[configKey::hostName] = hostName;
+
+    return config;
+}
+
+void ImportController::checkForMaliciousStrings(const QJsonObject &serverConfig, QString &warningText) const
+{
+    const QJsonArray &containers = serverConfig.value(configKey::containers).toArray();
+    for (const QJsonValue &container : containers) {
+        auto containerConfig = container.toObject();
+        auto containerName = containerConfig[configKey::container].toString();
+        if (containerName == ContainerUtils::containerToString(DockerContainer::OpenVpn)) {
+
+            QString protocolConfig =
+                    containerConfig[ProtocolUtils::protoToString(Proto::OpenVpn)].toObject()[configKey::lastConfig].toString();
+            QString protocolConfigJson = QJsonDocument::fromJson(protocolConfig.toUtf8()).object()[configKey::config].toString();
+
+            // https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/script-options.rst
+            QStringList dangerousTags {
+                "up", "tls-verify", "ipchange", "client-connect", "route-up", "route-pre-down", "client-disconnect", "down", "learn-address", "auth-user-pass-verify"
+            };
+
+            QStringList maliciousStrings;
+            QStringList lines = protocolConfigJson.split('\n', Qt::SkipEmptyParts);
+
+            for (const QString &rawLine : lines) {
+                QString line = rawLine.trimmed();
+
+                QString command = line.section(' ', 0, 0, QString::SectionSkipEmpty);
+                if (dangerousTags.contains(command, Qt::CaseInsensitive)) {
+                    maliciousStrings << rawLine;
+                }
+            }
+
+            warningText = "This configuration contains an OpenVPN setup. OpenVPN configurations can include malicious "
+                         "scripts, so only add it if you fully trust the provider of this config. ";
+
+            if (!maliciousStrings.isEmpty()) {
+                warningText += "<br>In the imported configuration, potentially dangerous lines were found:";
+                for (const auto &string : maliciousStrings) {
+                    warningText += QString("<br><i>%1</i>").arg(string);
+                }
+            }
+        }
+    }
+}
+
+void ImportController::processAmneziaConfig(QJsonObject &config) const
+{
+    auto containers = config.value(configKey::containers).toArray();
+    for (auto i = 0; i < containers.size(); i++) {
+        auto container = containers.at(i).toObject();
+        auto dockerContainer = ContainerUtils::containerFromString(container.value(configKey::container).toString());
+        if (ContainerUtils::isAwgContainer(dockerContainer) || dockerContainer == DockerContainer::WireGuard) {
+            auto containerConfig = container.value(ContainerUtils::containerTypeToProtocolString(dockerContainer)).toObject();
+            auto protocolConfig = containerConfig.value(configKey::lastConfig).toString();
+            if (protocolConfig.isEmpty()) {
+                return;
+            }
+
+            QJsonObject jsonConfig = QJsonDocument::fromJson(protocolConfig.toUtf8()).object();
+            jsonConfig[configKey::mtu] =
+                    ContainerUtils::isAwgContainer(dockerContainer) ? protocols::awg::defaultMtu : protocols::wireguard::defaultMtu;
+
+            containerConfig[configKey::lastConfig] = QString(QJsonDocument(jsonConfig).toJson());
+
+            container[ContainerUtils::containerTypeToProtocolString(dockerContainer)] = containerConfig;
+            containers.replace(i, container);
+            config.insert(configKey::containers, containers);
+        }
+    }
+}
+
--- a/client/core/controllers/selfhosted/importController.h
+++ b/client/core/controllers/selfhosted/importController.h
@@ -0,0 +1,91 @@
+#ifndef IMPORTCONTROLLER_H
+#define IMPORTCONTROLLER_H
+
+#include <QObject>
+#include <QJsonObject>
+#include <QByteArray>
+#include <QMap>
+
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+
+namespace
+{
+    enum class ConfigTypes {
+        Amnezia,
+        OpenVpn,
+        WireGuard,
+        Awg,
+        Xray,
+        ShadowSocks,
+        Backup,
+        Invalid
+    };
+}
+
+using namespace amnezia;
+
+class ImportController : public QObject
+{
+    Q_OBJECT
+
+public:
+    struct ImportResult
+    {
+        ErrorCode errorCode = ErrorCode::NoError;
+        QJsonObject config;
+        QString configFileName;
+        QString maliciousWarningText;
+        ConfigTypes configType = ConfigTypes::Invalid;
+        bool isNativeWireGuardConfig = false;
+    };
+
+    explicit ImportController(SecureServersRepository* serversRepository,
+                              SecureAppSettingsRepository* appSettingsRepository,
+                              QObject *parent = nullptr);
+
+    struct QrParseResult {
+        bool success = false;
+        ImportResult importResult;
+        int chunksReceived = 0;
+        int chunksTotal = 0;
+    };
+
+    ImportResult extractConfigFromData(const QString &data, const QString &configFileName = "");
+    ImportResult extractConfigFromQr(const QByteArray &data);
+
+    void startDecodingQr();
+    QrParseResult parseQrCodeChunk(const QString &code);
+    bool isQrDecodingActive() const;
+    int qrChunksReceived() const;
+    int qrChunksTotal() const;
+
+    void importConfig(const QJsonObject &config);
+    QJsonObject processNativeWireGuardConfig(const QJsonObject &config);
+
+signals:
+    void importFinished();
+    void importErrorOccurred(ErrorCode errorCode, bool goToPageHome);
+    void restoreAppConfig(const QByteArray &data);
+
+private:
+    ConfigTypes checkConfigFormat(const QString &config) const;
+    QJsonObject extractOpenVpnConfig(const QString &data) const;
+    QJsonObject extractWireGuardConfig(const QString &data, ConfigTypes &configType) const;
+    QJsonObject extractXrayConfig(const QString &data, ConfigTypes configType, const QString &description = "") const;
+    void checkForMaliciousStrings(const QJsonObject &serverConfig, QString &warningText) const;
+    void processAmneziaConfig(QJsonObject &config) const;
+
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+
+    QMap<int, QByteArray> m_qrCodeChunks;
+    bool m_isQrCodeProcessed = false;
+    int m_totalQrCodeChunksCount = 0;
+    int m_receivedQrCodeChunksCount = 0;
+};
+
+#endif // IMPORTCONTROLLER_H
--- a/client/core/controllers/selfhosted/installController.cpp
+++ b/client/core/controllers/selfhosted/installController.cpp
--- a/client/core/controllers/selfhosted/installController.h
+++ b/client/core/controllers/selfhosted/installController.h
@@ -0,0 +1,117 @@
+#ifndef INSTALLCONTROLLER_H
+#define INSTALLCONTROLLER_H
+
+#include <QObject>
+#include <QJsonObject>
+#include <QScopedPointer>
+#include <QSharedPointer>
+#include <QProcess>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/models/containerConfig.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class SshSession;
+class InstallerBase;
+
+using namespace amnezia;
+
+class InstallController : public QObject
+{
+    Q_OBJECT
+
+public:
+    explicit InstallController(SecureServersRepository* serversRepository,
+                              SecureAppSettingsRepository* appSettingsRepository,
+                              QObject *parent = nullptr);
+    ~InstallController();
+
+    ErrorCode setupContainer(const ServerCredentials &credentials, DockerContainer container, ContainerConfig &config, bool isUpdate = false);
+    ErrorCode updateContainer(int serverIndex, DockerContainer container, const ContainerConfig &oldConfig, ContainerConfig &newConfig);
+
+    ErrorCode rebootServer(int serverIndex);
+    ErrorCode removeAllContainers(int serverIndex);
+    ErrorCode removeContainer(int serverIndex, DockerContainer container);
+
+    ContainerConfig generateConfig(DockerContainer container, int port, TransportProto transportProto);
+    ErrorCode getAlreadyInstalledContainers(const ServerCredentials &credentials, QMap<DockerContainer, ContainerConfig> &installedContainers, SshSession &sshSession);
+    
+    ErrorCode scanServerForInstalledContainers(int serverIndex);
+    
+    ErrorCode installContainer(const ServerCredentials &credentials, DockerContainer container, int port, TransportProto transportProto, ContainerConfig &config);
+
+    ErrorCode installServer(const ServerCredentials &credentials, DockerContainer container, int port, TransportProto transportProto,
+                                         bool &wasContainerInstalled);
+    ErrorCode installContainer(int serverIndex, DockerContainer container, int port, TransportProto transportProto,
+                                               bool &wasContainerInstalled);
+    
+    bool isUpdateDockerContainerRequired(DockerContainer container, const ContainerConfig &oldConfig, const ContainerConfig &newConfig);
+    
+    ErrorCode checkSshConnection(const ServerCredentials &credentials, QString &output, std::function<QString()> passphraseCallback = nullptr);
+    
+    bool isServerAlreadyExists(const ServerCredentials &credentials, int &existingServerIndex);
+    
+    ErrorCode mountSftpDrive(const ServerCredentials &credentials, const QString &port, const QString &password, const QString &username);
+    void stopAllSftpMounts();
+
+    void cancelInstallation();
+
+    void clearCachedProfile(int serverIndex, DockerContainer container);
+
+    ErrorCode validateAndPrepareConfig(int serverIndex);
+
+    void validateConfig(int serverIndex);
+
+signals:
+    void configValidated(bool isValid);
+    void validationErrorOccurred(ErrorCode errorCode);
+
+    void serverIsBusy(const bool isBusy);
+    void cancelInstallationRequested();
+    void clientRevocationRequested(int serverIndex, const ContainerConfig &containerConfig, DockerContainer container);
+    void clientAppendRequested(int serverIndex, const QString &clientId, const QString &clientName, DockerContainer container);
+
+private:
+    ErrorCode installDockerWorker(const ServerCredentials &credentials, DockerContainer container, SshSession &sshSession);
+    ErrorCode prepareHostWorker(const ServerCredentials &credentials, DockerContainer container, SshSession &sshSession);
+    ErrorCode buildContainerWorker(const ServerCredentials &credentials, DockerContainer container, const ContainerConfig &config, SshSession &sshSession);
+    ErrorCode runContainerWorker(const ServerCredentials &credentials, DockerContainer container, ContainerConfig &config, SshSession &sshSession);
+    ErrorCode configureContainerWorker(const ServerCredentials &credentials, DockerContainer container, ContainerConfig &config, SshSession &sshSession);
+    ErrorCode startupContainerWorker(const ServerCredentials &credentials, DockerContainer container, const ContainerConfig &config, SshSession &sshSession);
+
+    ErrorCode isServerPortBusy(const ServerCredentials &credentials, DockerContainer container, const ContainerConfig &config, SshSession &sshSession);
+    ErrorCode isUserInSudo(const ServerCredentials &credentials, SshSession &sshSession);
+    ErrorCode isServerDpkgBusy(const ServerCredentials &credentials, SshSession &sshSession);
+    ErrorCode setupServerFirewall(const ServerCredentials &credentials, SshSession &sshSession);
+    bool isReinstallContainerRequired(DockerContainer container, const ContainerConfig &oldConfig, const ContainerConfig &newConfig);
+
+    ErrorCode prepareContainerConfig(DockerContainer container, const ServerCredentials &credentials, ContainerConfig &containerConfig, SshSession &sshSession);
+
+    ErrorCode processContainerForAdmin(DockerContainer container, ContainerConfig &containerConfig,
+                                       const ServerCredentials &credentials, SshSession &sshSession,
+                                       int serverIndex, const QString &clientName);
+
+    void adminAppendRequested(int serverIndex, DockerContainer container,
+                              const ContainerConfig &containerConfig, const QString &clientName);
+
+    static void updateContainerConfigAfterInstallation(DockerContainer container, ContainerConfig &containerConfig, const QString &stdOut);
+
+    QScopedPointer<InstallerBase> createInstaller(DockerContainer container);
+
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    bool m_cancelInstallation = false;
+    
+#ifndef Q_OS_IOS
+    QList<QSharedPointer<QProcess>> m_sftpMountProcesses;
+#endif
+};
+
+#endif // INSTALLCONTROLLER_H
+
--- a/client/core/controllers/selfhosted/usersController.cpp
+++ b/client/core/controllers/selfhosted/usersController.cpp
@@ -0,0 +1,807 @@
+#include "usersController.h"
+
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QDateTime>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+#include "logger.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/models/serverConfig.h"
+#include "core/models/containerConfig.h"
+
+using namespace amnezia;
+
+namespace
+{
+    Logger logger("UsersController");
+}
+
+UsersController::UsersController(SecureServersRepository* serversRepository, QObject *parent)
+    : QObject(parent),
+      m_serversRepository(serversRepository)
+{
+}
+
+bool UsersController::isClientExists(const QString &clientId, const QJsonArray &clientsTable)
+{
+    for (const QJsonValue &value : std::as_const(clientsTable)) {
+        if (value.isObject()) {
+            QJsonObject obj = value.toObject();
+            if (obj.contains(configKey::clientId) && obj[configKey::clientId].toString() == clientId) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+int UsersController::clientIndexById(const QString &clientId, const QJsonArray &clientsTable)
+{
+    for (int i = 0; i < clientsTable.size(); ++i) {
+        if (clientsTable.at(i).isObject()) {
+            QJsonObject obj = clientsTable.at(i).toObject();
+            if (obj.contains(configKey::clientId) && obj[configKey::clientId].toString() == clientId) {
+                return i;
+            }
+        }
+    }
+    return -1;
+}
+
+void UsersController::migration(const QByteArray &clientsTableString, QJsonArray &clientsTable)
+{
+    QJsonObject clientsTableObj = QJsonDocument::fromJson(clientsTableString).object();
+
+    for (auto &clientId : clientsTableObj.keys()) {
+        QJsonObject client;
+        client[configKey::clientId] = clientId;
+
+        QJsonObject userData;
+        userData[configKey::clientName] = clientsTableObj.value(clientId).toObject().value(configKey::clientName);
+        client[configKey::userData] = userData;
+
+        clientsTable.push_back(client);
+    }
+}
+
+ErrorCode UsersController::wgShow(const DockerContainer container, const ServerCredentials &credentials,
+                                             SshSession* sshSession, std::vector<WgShowData> &data)
+{
+    if (container != DockerContainer::WireGuard && !ContainerUtils::isAwgContainer(container)) {
+        return ErrorCode::NoError;
+    }
+
+    ErrorCode error = ErrorCode::NoError;
+    QString stdOut;
+    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
+        stdOut += data + "\n";
+        return ErrorCode::NoError;
+    };
+
+    QString showBin = (container == DockerContainer::Awg2)
+                       ? QStringLiteral("awg")
+                       : QStringLiteral("wg");
+    const QString command = QString("sudo docker exec -i $CONTAINER_NAME bash -c '%1 show all'").arg(showBin);
+
+    QString script = sshSession->replaceVars(command, amnezia::genBaseVars(credentials, container, QString(), QString()));
+    error = sshSession->runScript(credentials, script, cbReadStdOut);
+    if (error != ErrorCode::NoError) {
+        logger.error() << QString("Failed to execute %1 show command").arg(showBin);
+        return error;
+    }
+
+    if (stdOut.isEmpty()) {
+        return error;
+    }
+
+    const auto getStrValue = [](const auto str) { return str.mid(str.indexOf(":") + 1).trimmed(); };
+
+    const auto parts = stdOut.split('\n');
+    const auto peerList = parts.filter("peer:");
+    const auto latestHandshakeList = parts.filter("latest handshake:");
+    const auto transferredDataList = parts.filter("transfer:");
+    const auto allowedIpsList = parts.filter("allowed ips:");
+
+    if (allowedIpsList.isEmpty() || latestHandshakeList.isEmpty() || transferredDataList.isEmpty() || peerList.isEmpty()) {
+        return error;
+    }
+
+    const auto changeHandshakeFormat = [](QString &latestHandshake) {
+        const std::vector<std::pair<QString, QString>> replaceMap = { { " days", "d" },    { " hours", "h" }, { " minutes", "m" },
+                                                                      { " seconds", "s" }, { " day", "d" },   { " hour", "h" },
+                                                                      { " minute", "m" },  { " second", "s" } };
+
+        for (const auto &item : replaceMap) {
+            latestHandshake.replace(item.first, item.second);
+        }
+    };
+
+    for (int i = 0; i < peerList.size() && i < transferredDataList.size() && i < latestHandshakeList.size() && i < allowedIpsList.size(); ++i) {
+
+        const auto transferredData = getStrValue(transferredDataList[i]).split(",");
+        auto latestHandshake = getStrValue(latestHandshakeList[i]);
+        auto serverBytesReceived = transferredData.front().trimmed();
+        auto serverBytesSent = transferredData.back().trimmed();
+        auto allowedIps = getStrValue(allowedIpsList[i]);
+
+        changeHandshakeFormat(latestHandshake);
+
+        serverBytesReceived.chop(QStringLiteral(" received").length());
+        serverBytesSent.chop(QStringLiteral(" sent").length());
+
+        data.push_back({ getStrValue(peerList[i]), latestHandshake, serverBytesSent, serverBytesReceived, allowedIps });
+    }
+
+    return error;
+}
+
+ErrorCode UsersController::getOpenVpnClients(const DockerContainer container, const ServerCredentials &credentials,
+                                                        SshSession* sshSession, int &count, QJsonArray &clientsTable)
+{
+    ErrorCode error = ErrorCode::NoError;
+    QString stdOut;
+    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
+        stdOut += data + "\n";
+        return ErrorCode::NoError;
+    };
+
+    const QString getOpenVpnClientsList = "sudo docker exec -i $CONTAINER_NAME bash -c 'ls /opt/amnezia/openvpn/pki/issued'";
+    QString script = sshSession->replaceVars(getOpenVpnClientsList, amnezia::genBaseVars(credentials, container, QString(), QString()));
+    error = sshSession->runScript(credentials, script, cbReadStdOut);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to retrieve the list of issued certificates on the server";
+        return error;
+    }
+
+    if (!stdOut.isEmpty()) {
+        QStringList certsIds = stdOut.split("\n", Qt::SkipEmptyParts);
+        certsIds.removeAll("AmneziaReq.crt");
+
+        for (auto &openvpnCertId : certsIds) {
+            openvpnCertId.replace(".crt", "");
+            if (!isClientExists(openvpnCertId, clientsTable)) {
+                QJsonObject client;
+                client[configKey::clientId] = openvpnCertId;
+
+                QJsonObject userData;
+                userData[configKey::clientName] = QString("Client %1").arg(count);
+                client[configKey::userData] = userData;
+
+                clientsTable.push_back(client);
+
+                count++;
+            }
+        }
+    }
+    return error;
+}
+
+ErrorCode UsersController::getWireGuardClients(const DockerContainer container, const ServerCredentials &credentials,
+                                                          SshSession* sshSession, int &count, QJsonArray &clientsTable)
+{
+    ErrorCode error = ErrorCode::NoError;
+
+    QString configPath;
+    if (container == DockerContainer::Awg) {
+        configPath = QString::fromLatin1(protocols::awg::serverLegacyConfigPath);
+    } else if (container == DockerContainer::Awg2) {
+        configPath = QString::fromLatin1(protocols::awg::serverConfigPath);
+    } else {
+        configPath = QString::fromLatin1(protocols::wireguard::serverConfigPath);
+    }
+    const QString wireguardConfigString = sshSession->getTextFileFromContainer(container, credentials, configPath, error);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to get the wg conf file from the server";
+        return error;
+    }
+
+    auto configLines = wireguardConfigString.split("\n", Qt::SkipEmptyParts);
+    QStringList wireguardKeys;
+    for (const auto &line : configLines) {
+        auto configPair = line.split(" = ", Qt::SkipEmptyParts);
+        if (configPair.front() == "PublicKey") {
+            wireguardKeys.push_back(configPair.back());
+        }
+    }
+
+    for (auto &wireguardKey : wireguardKeys) {
+        if (!isClientExists(wireguardKey, clientsTable)) {
+            QJsonObject client;
+            client[configKey::clientId] = wireguardKey;
+
+            QJsonObject userData;
+            userData[configKey::clientName] = QString("Client %1").arg(count);
+            client[configKey::userData] = userData;
+
+            clientsTable.push_back(client);
+
+            count++;
+        }
+    }
+    return error;
+}
+
+ErrorCode UsersController::getXrayClients(const DockerContainer container, const ServerCredentials& credentials,
+                                                     SshSession* sshSession, int &count, QJsonArray &clientsTable)
+{
+    ErrorCode error = ErrorCode::NoError;
+
+    const QString serverConfigPath = amnezia::protocols::xray::serverConfigPath;
+    const QString configString = sshSession->getTextFileFromContainer(container, credentials, serverConfigPath, error);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to get the xray server config file from the server";
+        return error;
+    }
+
+    QJsonDocument serverConfig = QJsonDocument::fromJson(configString.toUtf8());
+    if (serverConfig.isNull()) {
+        logger.error() << "Failed to parse xray server config JSON";
+        return ErrorCode::InternalError;
+    }
+
+    if (!serverConfig.object().contains(protocols::xray::inbounds) || serverConfig.object()[protocols::xray::inbounds].toArray().isEmpty()) {
+        logger.error() << "Invalid xray server config structure";
+        return ErrorCode::InternalError;
+    }
+
+    const QJsonObject inbound = serverConfig.object()[protocols::xray::inbounds].toArray()[0].toObject();
+    if (!inbound.contains(protocols::xray::settings)) {
+        logger.error() << "Missing settings in xray inbound config";
+        return ErrorCode::InternalError;
+    }
+
+    const QJsonObject settings = inbound[protocols::xray::settings].toObject();
+    if (!settings.contains(protocols::xray::clients)) {
+        logger.error() << "Missing clients in xray settings config"; 
+        return ErrorCode::InternalError;
+    }
+
+    const QJsonArray clients = settings[protocols::xray::clients].toArray();
+    for (const auto &clientValue : clients) {
+        const QJsonObject clientObj = clientValue.toObject();
+        if (!clientObj.contains(protocols::xray::id)) {
+            logger.error() << "Missing id in xray client config";
+            continue;
+        }
+        QString clientId = clientObj[protocols::xray::id].toString();
+        
+        QString xrayDefaultUuid = sshSession->getTextFileFromContainer(container, credentials, amnezia::protocols::xray::uuidPath, error);
+        xrayDefaultUuid.replace("\n", "");
+
+        if (!isClientExists(clientId, clientsTable) && clientId != xrayDefaultUuid) {
+            QJsonObject client;
+            client[configKey::clientId] = clientId;
+
+            QJsonObject userData;
+            userData[configKey::clientName] = QString("Client %1").arg(count);
+            client[configKey::userData] = userData;
+
+            clientsTable.push_back(client);
+            count++;
+        }
+    }
+
+    return error;
+}
+
+ErrorCode UsersController::updateClients(int serverIndex, const DockerContainer container)
+{
+    ErrorCode error = ErrorCode::NoError;
+    SshSession sshSession;
+    ServerCredentials credentials = m_serversRepository->serverCredentials(serverIndex);
+
+    QString clientsTableFile = QString("/opt/amnezia/%1/clientsTable");
+    if (container == DockerContainer::OpenVpn) {
+        clientsTableFile = clientsTableFile.arg(ContainerUtils::containerTypeToString(DockerContainer::OpenVpn));
+    } else {
+        clientsTableFile = clientsTableFile.arg(ContainerUtils::containerTypeToString(container));
+    }
+
+    const QByteArray clientsTableString = sshSession.getTextFileFromContainer(container, credentials, clientsTableFile, error);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to get the clientsTable file from the server";
+        emit clientsUpdated(QJsonArray());
+        return error;
+    }
+
+    m_clientsTable = QJsonDocument::fromJson(clientsTableString).array();
+
+    if (m_clientsTable.isEmpty()) {
+        migration(clientsTableString, m_clientsTable);
+
+        int count = 0;
+
+        if (container == DockerContainer::OpenVpn) {
+            error = getOpenVpnClients(container, credentials, &sshSession, count, m_clientsTable);
+        } else if (container == DockerContainer::WireGuard || ContainerUtils::isAwgContainer(container)) {
+            error = getWireGuardClients(container, credentials, &sshSession, count, m_clientsTable);
+        } else if (container == DockerContainer::Xray) {
+            error = getXrayClients(container, credentials, &sshSession, count, m_clientsTable);
+        }
+        if (error != ErrorCode::NoError) {
+            emit clientsUpdated(QJsonArray());
+            return error;
+        }
+
+        const QByteArray newClientsTableString = QJsonDocument(m_clientsTable).toJson();
+        if (clientsTableString != newClientsTableString) {
+            error = sshSession.uploadTextFileToContainer(container, credentials, newClientsTableString, clientsTableFile);
+            if (error != ErrorCode::NoError) {
+                logger.error() << "Failed to upload the clientsTable file to the server";
+            }
+        }
+    }
+
+    std::vector<WgShowData> data;
+    wgShow(container, credentials, &sshSession, data);
+
+    for (const auto &client : data) {
+        int i = 0;
+        for (const auto &it : std::as_const(m_clientsTable)) {
+            if (it.isObject()) {
+                QJsonObject obj = it.toObject();
+                if (obj.contains(configKey::clientId) && obj[configKey::clientId].toString() == client.clientId) {
+                    QJsonObject userData = obj[configKey::userData].toObject();
+
+                    if (!client.latestHandshake.isEmpty()) {
+                        userData[configKey::latestHandshake] = client.latestHandshake;
+                    }
+
+                    if (!client.dataReceived.isEmpty()) {
+                        userData[configKey::dataReceived] = client.dataReceived;
+                    }
+
+                    if (!client.dataSent.isEmpty()) {
+                        userData[configKey::dataSent] = client.dataSent;
+                    }
+
+                    if (!client.allowedIps.isEmpty()) {
+                        userData[configKey::allowedIps] = client.allowedIps;
+                    }
+
+                    obj[configKey::userData] = userData;
+                    m_clientsTable.replace(i, obj);
+                    break;
+                }
+            }
+            ++i;
+        }
+    }
+
+    emit clientsUpdated(m_clientsTable);
+    return error;
+}
+
+
+ErrorCode UsersController::appendClient(int serverIndex, const QString &clientId, const QString &clientName, const DockerContainer container)
+{
+    ErrorCode error = ErrorCode::NoError;
+    SshSession sshSession;
+    ServerCredentials credentials = m_serversRepository->serverCredentials(serverIndex);
+
+    error = updateClients(serverIndex, container);
+    if (error != ErrorCode::NoError) {
+        return error;
+    }
+
+    int existingIndex = clientIndexById(clientId, m_clientsTable);
+    if (existingIndex >= 0) {
+        return renameClient(serverIndex, existingIndex, clientName, container, true);
+    }
+
+    QJsonObject client;
+    client[configKey::clientId] = clientId;
+
+    QJsonObject userData;
+    userData[configKey::clientName] = clientName;
+    userData[configKey::creationDate] = QDateTime::currentDateTime().toString();
+    client[configKey::userData] = userData;
+    m_clientsTable.push_back(client);
+
+    const QByteArray clientsTableString = QJsonDocument(m_clientsTable).toJson();
+
+    QString clientsTableFile = QString("/opt/amnezia/%1/clientsTable");
+    if (container == DockerContainer::OpenVpn) {
+        clientsTableFile = clientsTableFile.arg(ContainerUtils::containerTypeToString(DockerContainer::OpenVpn));
+    } else {
+        clientsTableFile = clientsTableFile.arg(ContainerUtils::containerTypeToString(container));
+    }
+
+    error = sshSession.uploadTextFileToContainer(container, credentials, clientsTableString, clientsTableFile);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to upload the clientsTable file to the server";
+        return error;
+    }
+
+    emit clientAdded(client);
+    emit clientsUpdated(m_clientsTable);
+    return error;
+}
+
+ErrorCode UsersController::renameClient(int serverIndex, const int row, const QString &clientName,
+                                                   const DockerContainer container, bool addTimeStamp)
+{
+    if (row < 0 || row >= m_clientsTable.size()) {
+        return ErrorCode::InternalError;
+    }
+
+    SshSession sshSession;
+    ServerCredentials credentials = m_serversRepository->serverCredentials(serverIndex);
+
+    auto client = m_clientsTable.at(row).toObject();
+    auto userData = client[configKey::userData].toObject();
+    userData[configKey::clientName] = clientName;
+    if (addTimeStamp) {
+        userData[configKey::creationDate] = QDateTime::currentDateTime().toString();
+    }
+    client[configKey::userData] = userData;
+
+    m_clientsTable.replace(row, client);
+
+    const QByteArray clientsTableString = QJsonDocument(m_clientsTable).toJson();
+
+    QString clientsTableFile = QString("/opt/amnezia/%1/clientsTable");
+    if (container == DockerContainer::OpenVpn) {
+        clientsTableFile = clientsTableFile.arg(ContainerUtils::containerTypeToString(DockerContainer::OpenVpn));
+    } else {
+        clientsTableFile = clientsTableFile.arg(ContainerUtils::containerTypeToString(container));
+    }
+
+    ErrorCode error = sshSession.uploadTextFileToContainer(container, credentials, clientsTableString, clientsTableFile);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to upload the clientsTable file to the server";
+        return error;
+    }
+
+    if (addTimeStamp) {
+        emit clientsUpdated(m_clientsTable);
+    } else {
+        emit clientRenamed(row, clientName);
+    }
+    return error;
+}
+
+ErrorCode UsersController::revokeOpenVpn(const int row, const DockerContainer container, const ServerCredentials &credentials,
+                                                    const int serverIndex, SshSession* sshSession, QJsonArray &clientsTable)
+{
+    if (row < 0 || row >= clientsTable.size()) {
+        return ErrorCode::InternalError;
+    }
+
+    auto client = clientsTable.at(row).toObject();
+    QString clientId = client.value(configKey::clientId).toString();
+
+    const QString getOpenVpnCertData = QString("sudo docker exec -i $CONTAINER_NAME bash -c '"
+                                               "cd /opt/amnezia/openvpn ;\\"
+                                               "easyrsa revoke %1 ;\\"
+                                               "easyrsa gen-crl ;\\"
+                                               "chmod 666 pki/crl.pem ;\\"
+                                               "cp pki/crl.pem .'")
+                                               .arg(clientId);
+
+    const QString script = sshSession->replaceVars(getOpenVpnCertData, amnezia::genBaseVars(credentials, container, QString(), QString()));
+    ErrorCode error = sshSession->runScript(credentials, script);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to revoke the certificate";
+        return error;
+    }
+
+    clientsTable.removeAt(row);
+
+    const QByteArray clientsTableString = QJsonDocument(clientsTable).toJson();
+
+    QString clientsTableFile = QString("/opt/amnezia/%1/clientsTable");
+    clientsTableFile = clientsTableFile.arg(ContainerUtils::containerTypeToString(DockerContainer::OpenVpn));
+    error = sshSession->uploadTextFileToContainer(container, credentials, clientsTableString, clientsTableFile);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to upload the clientsTable file to the server";
+        return error;
+    }
+
+    return ErrorCode::NoError;
+}
+
+ErrorCode UsersController::revokeWireGuard(const int row, const DockerContainer container, const ServerCredentials &credentials,
+                                                      SshSession* sshSession, QJsonArray &clientsTable)
+{
+    if (row < 0 || row >= clientsTable.size()) {
+        return ErrorCode::InternalError;
+    }
+
+    ErrorCode error = ErrorCode::NoError;
+
+    QString configPath;
+    if (container == DockerContainer::Awg) {
+        configPath = QString::fromLatin1(protocols::awg::serverLegacyConfigPath);
+    } else if (container == DockerContainer::Awg2) {
+        configPath = QString::fromLatin1(protocols::awg::serverConfigPath);
+    } else {
+        configPath = QString::fromLatin1(protocols::wireguard::serverConfigPath);
+    }
+    const QString wireguardConfigString = sshSession->getTextFileFromContainer(container, credentials, configPath, error);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to get the wg conf file from the server";
+        return error;
+    }
+
+    auto client = clientsTable.at(row).toObject();
+    QString clientId = client.value(configKey::clientId).toString();
+
+    auto configSections = wireguardConfigString.split("[", Qt::SkipEmptyParts);
+    for (auto &section : configSections) {
+        if (section.contains(clientId)) {
+            configSections.removeOne(section);
+            break;
+        }
+    }
+    QString newWireGuardConfig = configSections.join("[");
+    newWireGuardConfig.insert(0, "[");
+    error = sshSession->uploadTextFileToContainer(container, credentials, newWireGuardConfig, configPath);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to upload the wg conf file to the server";
+        return error;
+    }
+
+    clientsTable.removeAt(row);
+
+    const QByteArray clientsTableString = QJsonDocument(clientsTable).toJson();
+
+    QString clientsTableFile = QString("/opt/amnezia/%1/clientsTable");
+    if (container == DockerContainer::OpenVpn) {
+        clientsTableFile = clientsTableFile.arg(ContainerUtils::containerTypeToString(DockerContainer::OpenVpn));
+    } else {
+        clientsTableFile = clientsTableFile.arg(ContainerUtils::containerTypeToString(container));
+    }
+    error = sshSession->uploadTextFileToContainer(container, credentials, clientsTableString, clientsTableFile);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to upload the clientsTable file to the server";
+        return error;
+    }
+
+    bool isAwg2 = (container == DockerContainer::Awg2);
+    QString command = isAwg2 ? QStringLiteral("awg") : QStringLiteral("wg");
+    QString iface   = isAwg2 ? QStringLiteral("awg0") : QStringLiteral("wg0");
+    QString script  = QString(
+        "sudo docker exec -i $CONTAINER_NAME bash -c '%1 syncconf %2 <(%1-quick strip %3)'"
+    ).arg(command, iface, configPath);
+    error = sshSession->runScript(
+        credentials,
+        sshSession->replaceVars(script, amnezia::genBaseVars(credentials, container, QString(), QString()))
+    );
+    if (error != ErrorCode::NoError) {
+        logger.error() << QString("Failed to execute command '%1 syncconf %2' on the server").arg(command, iface);
+        return error;
+    }
+
+    return ErrorCode::NoError;
+}
+
+ErrorCode UsersController::revokeXray(const int row,
+                                                 const DockerContainer container,
+                                                 const ServerCredentials &credentials,
+                                                 SshSession* sshSession, QJsonArray &clientsTable)
+{
+    if (row < 0 || row >= clientsTable.size()) {
+        return ErrorCode::InternalError;
+    }
+
+    ErrorCode error = ErrorCode::NoError;
+
+    const QString serverConfigPath = amnezia::protocols::xray::serverConfigPath;
+    const QString configString = sshSession->getTextFileFromContainer(container, credentials, serverConfigPath, error);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to get the xray server config file";
+        return error;
+    }
+
+    QJsonDocument serverConfig = QJsonDocument::fromJson(configString.toUtf8());
+    if (serverConfig.isNull()) {
+        logger.error() << "Failed to parse xray server config JSON";
+        return ErrorCode::InternalError;
+    }
+
+    auto client = clientsTable.at(row).toObject();
+    QString clientId = client.value(configKey::clientId).toString();
+
+    QJsonObject configObj = serverConfig.object();
+    if (!configObj.contains(protocols::xray::inbounds)) {
+        logger.error() << "Missing inbounds in xray config";
+        return ErrorCode::InternalError;
+    }
+
+    QJsonArray inbounds = configObj[protocols::xray::inbounds].toArray();
+    if (inbounds.isEmpty()) {
+        logger.error() << "Empty inbounds array in xray config";
+        return ErrorCode::InternalError;
+    }
+
+    QJsonObject inbound = inbounds[0].toObject();
+    if (!inbound.contains(protocols::xray::settings)) {
+        logger.error() << "Missing settings in xray inbound config";
+        return ErrorCode::InternalError;
+    }
+
+    QJsonObject settings = inbound[protocols::xray::settings].toObject();
+    if (!settings.contains(protocols::xray::clients)) {
+        logger.error() << "Missing clients in xray settings";
+        return ErrorCode::InternalError;
+    }
+
+    QJsonArray clients = settings[protocols::xray::clients].toArray();
+    if (clients.isEmpty()) {
+        logger.error() << "Empty clients array in xray config";
+        return ErrorCode::InternalError;
+    }
+
+    for (int i = 0; i < clients.size(); ++i) {
+        QJsonObject clientObj = clients[i].toObject();
+        if (clientObj.contains(protocols::xray::id) && clientObj[protocols::xray::id].toString() == clientId) {
+            clients.removeAt(i);
+            break;
+        }
+    }
+
+    settings[protocols::xray::clients] = clients;
+    inbound[protocols::xray::settings] = settings;
+    inbounds[0] = inbound;
+    configObj[protocols::xray::inbounds] = inbounds;
+
+    error = sshSession->uploadTextFileToContainer(
+        container, 
+        credentials,
+        QJsonDocument(configObj).toJson(),
+        serverConfigPath
+    );
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to upload updated xray config";
+        return error;
+    }
+
+    clientsTable.removeAt(row);
+
+    const QByteArray clientsTableString = QJsonDocument(clientsTable).toJson();
+    QString clientsTableFile = QString("/opt/amnezia/%1/clientsTable")
+        .arg(ContainerUtils::containerTypeToString(container));
+
+    error = sshSession->uploadTextFileToContainer(container, credentials, clientsTableString, clientsTableFile);
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to upload the clientsTable file";
+    }
+
+    QString restartScript = QString("sudo docker restart $CONTAINER_NAME");
+    error = sshSession->runScript(
+        credentials, 
+        sshSession->replaceVars(restartScript, amnezia::genBaseVars(credentials, container, QString(), QString()))
+    );
+    if (error != ErrorCode::NoError) {
+        logger.error() << "Failed to restart xray container";
+        return error;
+    }
+
+    return error;
+}
+
+ErrorCode UsersController::revokeClient(int serverIndex, const int index, const DockerContainer container)
+{
+    if (index < 0 || index >= m_clientsTable.size()) {
+        return ErrorCode::InternalError;
+    }
+
+    SshSession sshSession;
+    ServerCredentials credentials = m_serversRepository->serverCredentials(serverIndex);
+
+    QString clientId = m_clientsTable.at(index).toObject().value(configKey::clientId).toString();
+    ErrorCode errorCode = ErrorCode::NoError;
+
+    switch(container)
+    {
+        case DockerContainer::OpenVpn: {
+            errorCode = revokeOpenVpn(index, container, credentials, serverIndex, &sshSession, m_clientsTable);
+            break;
+        }
+        case DockerContainer::WireGuard:
+        case DockerContainer::Awg:
+        case DockerContainer::Awg2: {
+            errorCode = revokeWireGuard(index, container, credentials, &sshSession, m_clientsTable);
+            break;
+        }
+        case DockerContainer::Xray: {
+            errorCode = revokeXray(index, container, credentials, &sshSession, m_clientsTable);
+            break;
+        }
+        default: {
+            logger.error() << "Internal error: received unexpected container type";
+            return ErrorCode::InternalError;
+        }
+    }
+
+    if (errorCode == ErrorCode::NoError) {
+        ServerConfig serverConfig = m_serversRepository->server(serverIndex);
+        ContainerConfig containerCfg = m_serversRepository->containerConfig(serverIndex, container);
+        QString containerClientId = containerCfg.protocolConfig.clientId();
+
+        if (!clientId.isEmpty() && !containerClientId.isEmpty() && containerClientId.contains(clientId)) {
+            emit adminConfigRevoked(serverIndex, container);
+        }
+
+        emit clientRevoked(index);
+        emit clientsUpdated(m_clientsTable);
+    }
+
+    return errorCode;
+}
+
+ErrorCode UsersController::revokeClient(int serverIndex, const ContainerConfig &containerConfig, const DockerContainer container)
+{
+    SshSession sshSession;
+    ServerCredentials credentials = m_serversRepository->serverCredentials(serverIndex);
+
+    ErrorCode errorCode = ErrorCode::NoError;
+    errorCode = updateClients(serverIndex, container);
+    if (errorCode != ErrorCode::NoError) {
+        return errorCode;
+    }
+
+    Proto protocol = containerConfig.getProtocolType();
+
+    switch(container)
+    {
+        case DockerContainer::OpenVpn:
+        case DockerContainer::WireGuard:
+        case DockerContainer::Awg:
+        case DockerContainer::Awg2:
+        case DockerContainer::Xray: {
+            protocol = ContainerUtils::defaultProtocol(container);
+            break;
+        }
+        default: {
+            logger.error() << "Internal error: received unexpected container type";
+            return ErrorCode::InternalError;
+        }
+    }
+
+    QString clientId = containerConfig.protocolConfig.clientId();
+
+    int row = clientIndexById(clientId, m_clientsTable);
+    if (row < 0) {
+        return errorCode;
+    }
+
+    switch (container)
+    {
+    case DockerContainer::OpenVpn: {
+        errorCode = revokeOpenVpn(row, container, credentials, serverIndex, &sshSession, m_clientsTable);
+        break;
+    }
+    case DockerContainer::WireGuard:
+    case DockerContainer::Awg:
+    case DockerContainer::Awg2: {
+        errorCode = revokeWireGuard(row, container, credentials, &sshSession, m_clientsTable);
+        break;
+    }
+    case DockerContainer::Xray: {
+        errorCode = revokeXray(row, container, credentials, &sshSession, m_clientsTable);
+        break;
+    }
+    default:
+        logger.error() << "Internal error: received unexpected container type";
+        return ErrorCode::InternalError;
+    }
+
+    if (errorCode == ErrorCode::NoError) {
+        emit adminConfigRevoked(serverIndex, container);
+        emit clientRevoked(row);
+        emit clientsUpdated(m_clientsTable);
+    }
+
+    return errorCode;
+}
+
--- a/client/core/controllers/selfhosted/usersController.h
+++ b/client/core/controllers/selfhosted/usersController.h
@@ -0,0 +1,76 @@
+#ifndef USERSCONTROLLER_H
+#define USERSCONTROLLER_H
+
+#include <QObject>
+#include <QJsonObject>
+#include <QJsonArray>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/selfhosted/sshSession.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/models/containerConfig.h"
+#include "core/models/protocolConfig.h"
+
+class UsersController : public QObject
+{
+    Q_OBJECT
+
+public:
+    struct WgShowData
+    {
+        QString clientId;
+        QString latestHandshake;
+        QString dataReceived;
+        QString dataSent;
+        QString allowedIps;
+    };
+
+    explicit UsersController(SecureServersRepository* serversRepository, QObject *parent = nullptr);
+
+signals:
+    void clientsUpdated(const QJsonArray &clients);
+    void clientAdded(const QJsonObject &client);
+    void clientRenamed(int row, const QString &newName);
+    void clientRevoked(int row);
+    void adminConfigRevoked(int serverIndex, DockerContainer container);
+
+public slots:
+    ErrorCode updateClients(int serverIndex, const DockerContainer container);
+    ErrorCode appendClient(int serverIndex, const QString &clientId, const QString &clientName, const DockerContainer container);
+    ErrorCode renameClient(int serverIndex, const int row, const QString &userName, const DockerContainer container, bool addTimeStamp = false);
+    ErrorCode revokeClient(int serverIndex, const int index, const DockerContainer container);
+    ErrorCode revokeClient(int serverIndex, const ContainerConfig &containerConfig, const DockerContainer container);
+
+private:
+    bool isClientExists(const QString &clientId, const QJsonArray &clientsTable);
+    int clientIndexById(const QString &clientId, const QJsonArray &clientsTable);
+    void migration(const QByteArray &clientsTableString, QJsonArray &clientsTable);
+
+    ErrorCode revokeOpenVpn(const int row, const DockerContainer container, const ServerCredentials &credentials, const int serverIndex,
+                            SshSession* sshSession, QJsonArray &clientsTable);
+    ErrorCode revokeWireGuard(const int row, const DockerContainer container, const ServerCredentials &credentials,
+                              SshSession* sshSession, QJsonArray &clientsTable);
+    ErrorCode revokeXray(const int row, const DockerContainer container, const ServerCredentials &credentials,
+                         SshSession* sshSession, QJsonArray &clientsTable);
+
+    ErrorCode getOpenVpnClients(const DockerContainer container, const ServerCredentials &credentials,
+                                SshSession* sshSession, int &count, QJsonArray &clientsTable);
+    ErrorCode getWireGuardClients(const DockerContainer container, const ServerCredentials &credentials,
+                                  SshSession* sshSession, int &count, QJsonArray &clientsTable);
+    ErrorCode getXrayClients(const DockerContainer container, const ServerCredentials& credentials,
+                             SshSession* sshSession, int &count, QJsonArray &clientsTable);
+
+    ErrorCode wgShow(const DockerContainer container, const ServerCredentials &credentials,
+                     SshSession* sshSession, std::vector<WgShowData> &data);
+
+    SecureServersRepository* m_serversRepository;
+    QJsonArray m_clientsTable;
+};
+
+#endif // USERSCONTROLLER_H
+
--- a/client/core/controllers/serverController.cpp
+++ b/client/core/controllers/serverController.cpp
@@ -1,887 +0,0 @@
-#include "serverController.h"
-
-#include <QCryptographicHash>
-#include <QDir>
-#include <QEventLoop>
-#include <QFile>
-#include <QFileInfo>
-#include <QJsonDocument>
-#include <QJsonObject>
-#include <QLoggingCategory>
-#include <QPointer>
-#include <QTemporaryFile>
-#include <QThread>
-#include <QTimer>
-#include <QtConcurrent>
-
-#include <filesystem>
-#include <fstream>
-#include <iostream>
-#include <sys/stat.h>
-
-#include <chrono>
-#include <thread>
-
-#include "containers/containers_defs.h"
-#include "core/networkUtilities.h"
-#include "core/scripts_registry.h"
-#include "core/server_defs.h"
-#include "logger.h"
-#include "settings.h"
-#include "utilities.h"
-#include "vpnConfigurationController.h"
-
-namespace
-{
-    Logger logger("ServerController");
-}
-
-ServerController::ServerController(std::shared_ptr<Settings> settings, QObject *parent) : m_settings(settings)
-{
-}
-
-ServerController::~ServerController()
-{
-    m_sshClient.disconnectFromHost();
-}
-
-ErrorCode ServerController::runScript(const ServerCredentials &credentials, QString script,
-                                      const std::function<ErrorCode(const QString &, libssh::Client &)> &cbReadStdOut,
-                                      const std::function<ErrorCode(const QString &, libssh::Client &)> &cbReadStdErr)
-{
-
-    auto error = m_sshClient.connectToHost(credentials);
-    if (error != ErrorCode::NoError) {
-        return error;
-    }
-
-    script.replace("\r", "");
-
-    qDebug() << "ServerController::Run script";
-
-    QString totalLine;
-    const QStringList &lines = script.split("\n", Qt::SkipEmptyParts);
-    for (int i = 0; i < lines.count(); i++) {
-        QString currentLine = lines.at(i);
-
-        if (totalLine.isEmpty()) {
-            totalLine = currentLine;
-        } else {
-            totalLine = totalLine + "\n" + currentLine;
-        }
-
-        QString lineToExec;
-        if (currentLine.endsWith("\\")) {
-            continue;
-        } else {
-            lineToExec = totalLine;
-            totalLine.clear();
-        }
-
-        if (lineToExec.startsWith("#")) {
-            continue;
-        }
-
-        qDebug().noquote() << lineToExec;
-
-        error = m_sshClient.executeCommand(lineToExec, cbReadStdOut, cbReadStdErr);
-        if (error != ErrorCode::NoError) {
-            return error;
-        }
-    }
-
-    qDebug().noquote() << "ServerController::runScript finished\n";
-    return ErrorCode::NoError;
-}
-
-ErrorCode ServerController::runContainerScript(const ServerCredentials &credentials, DockerContainer container, QString script,
-                                               const std::function<ErrorCode(const QString &, libssh::Client &)> &cbReadStdOut,
-                                               const std::function<ErrorCode(const QString &, libssh::Client &)> &cbReadStdErr)
-{
-    QString fileName = "/opt/amnezia/" + Utils::getRandomString(16) + ".sh";
-
-    ErrorCode e = uploadTextFileToContainer(container, credentials, script, fileName);
-    if (e)
-        return e;
-
-    QString runner =
-            QString("sudo docker exec -i $CONTAINER_NAME %2 %1 ").arg(fileName, (container == DockerContainer::Socks5Proxy ? "sh" : "bash"));
-    e = runScript(credentials, replaceVars(runner, genVarsForScript(credentials, container)), cbReadStdOut, cbReadStdErr);
-
-    QString remover = QString("sudo docker exec -i $CONTAINER_NAME rm %1 ").arg(fileName);
-    runScript(credentials, replaceVars(remover, genVarsForScript(credentials, container)), cbReadStdOut, cbReadStdErr);
-
-    return e;
-}
-
-ErrorCode ServerController::uploadTextFileToContainer(DockerContainer container, const ServerCredentials &credentials, const QString &file,
-                                                      const QString &path, libssh::ScpOverwriteMode overwriteMode)
-{
-    ErrorCode e = ErrorCode::NoError;
-    QString tmpFileName = QString("/tmp/%1.tmp").arg(Utils::getRandomString(16));
-    e = uploadFileToHost(credentials, file.toUtf8(), tmpFileName);
-    if (e)
-        return e;
-
-    QString stdOut;
-    auto cbReadStd = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-
-    // mkdir
-    QString mkdir = QString("sudo docker exec -i $CONTAINER_NAME mkdir -p  \"$(dirname %1)\"").arg(path);
-
-    e = runScript(credentials, replaceVars(mkdir, genVarsForScript(credentials, container)));
-    if (e)
-        return e;
-
-    if (overwriteMode == libssh::ScpOverwriteMode::ScpOverwriteExisting) {
-        e = runScript(credentials,
-                      replaceVars(QStringLiteral("sudo docker cp %1 $CONTAINER_NAME:/%2").arg(tmpFileName, path),
-                                  genVarsForScript(credentials, container)),
-                      cbReadStd, cbReadStd);
-
-        if (e)
-            return e;
-    } else if (overwriteMode == libssh::ScpOverwriteMode::ScpAppendToExisting) {
-        e = runScript(credentials,
-                      replaceVars(QStringLiteral("sudo docker cp %1 $CONTAINER_NAME:/%2").arg(tmpFileName, tmpFileName),
-                                  genVarsForScript(credentials, container)),
-                      cbReadStd, cbReadStd);
-
-        if (e)
-            return e;
-
-        e = runScript(credentials,
-                      replaceVars(QStringLiteral("sudo docker exec -i $CONTAINER_NAME sh -c \"cat %1 >> %2\"").arg(tmpFileName, path),
-                                  genVarsForScript(credentials, container)),
-                      cbReadStd, cbReadStd);
-
-        if (e)
-            return e;
-    } else
-        return ErrorCode::NotImplementedError;
-
-    if (stdOut.contains("Error") && stdOut.contains("No such container")) {
-        return ErrorCode::ServerContainerMissingError;
-    }
-
-    runScript(credentials, replaceVars(QString("sudo shred -u %1").arg(tmpFileName), genVarsForScript(credentials, container)));
-    return e;
-}
-
-QByteArray ServerController::getTextFileFromContainer(DockerContainer container, const ServerCredentials &credentials, const QString &path,
-                                                      ErrorCode &errorCode)
-{
-
-    errorCode = ErrorCode::NoError;
-
-    QString script = QStringLiteral("sudo docker exec -i %1 sh -c \"xxd -p '%2'\"").arg(ContainerProps::containerToString(container), path);
-
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data;
-        return ErrorCode::NoError;
-    };
-
-    errorCode = runScript(credentials, script, cbReadStdOut);
-    return QByteArray::fromHex(stdOut.toUtf8());
-}
-
-ErrorCode ServerController::uploadFileToHost(const ServerCredentials &credentials, const QByteArray &data, const QString &remotePath,
-                                             libssh::ScpOverwriteMode overwriteMode)
-{
-    auto error = m_sshClient.connectToHost(credentials);
-    if (error != ErrorCode::NoError) {
-        return error;
-    }
-
-    QTemporaryFile localFile;
-    localFile.open();
-    localFile.write(data);
-    localFile.close();
-
-    error = m_sshClient.scpFileCopy(overwriteMode, localFile.fileName(), remotePath, "non_desc");
-
-    if (error != ErrorCode::NoError) {
-        return error;
-    }
-    return ErrorCode::NoError;
-}
-
-ErrorCode ServerController::rebootServer(const ServerCredentials &credentials)
-{
-    QString script = QString("sudo reboot");
-
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data;
-        return ErrorCode::NoError;
-    };
-
-    auto cbReadStdErr = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-
-    return runScript(credentials, script, cbReadStdOut, cbReadStdErr);
-}
-
-ErrorCode ServerController::removeAllContainers(const ServerCredentials &credentials)
-{
-    return runScript(credentials, amnezia::scriptData(SharedScriptType::remove_all_containers));
-}
-
-ErrorCode ServerController::removeContainer(const ServerCredentials &credentials, DockerContainer container)
-{
-    return runScript(credentials,
-                     replaceVars(amnezia::scriptData(SharedScriptType::remove_container), genVarsForScript(credentials, container)));
-}
-
-ErrorCode ServerController::setupContainer(const ServerCredentials &credentials, DockerContainer container, QJsonObject &config, bool isUpdate)
-{
-    qDebug().noquote() << "ServerController::setupContainer" << ContainerProps::containerToString(container);
-    ErrorCode e = ErrorCode::NoError;
-
-    e = isUserInSudo(credentials, container);
-    if (e)
-        return e;
-
-    e = isServerDpkgBusy(credentials, container);
-    if (e)
-        return e;
-
-    e = installDockerWorker(credentials, container);
-    if (e)
-        return e;
-    qDebug().noquote() << "ServerController::setupContainer installDockerWorker finished";
-
-    if (!isUpdate) {
-        e = isServerPortBusy(credentials, container, config);
-        if (e)
-            return e;
-    }
-
-    if (!isUpdate) {
-        e = isServerPortBusy(credentials, container, config);
-        if (e)
-            return e;
-    }
-
-    e = prepareHostWorker(credentials, container, config);
-    if (e)
-        return e;
-    qDebug().noquote() << "ServerController::setupContainer prepareHostWorker finished";
-
-    removeContainer(credentials, container);
-    qDebug().noquote() << "ServerController::setupContainer removeContainer finished";
-
-    qDebug().noquote() << "buildContainerWorker start";
-    e = buildContainerWorker(credentials, container, config);
-    if (e)
-        return e;
-    qDebug().noquote() << "ServerController::setupContainer buildContainerWorker finished";
-
-    e = runContainerWorker(credentials, container, config);
-    if (e)
-        return e;
-    qDebug().noquote() << "ServerController::setupContainer runContainerWorker finished";
-
-    e = configureContainerWorker(credentials, container, config);
-    if (e)
-        return e;
-    qDebug().noquote() << "ServerController::setupContainer configureContainerWorker finished";
-
-    setupServerFirewall(credentials);
-    qDebug().noquote() << "ServerController::setupContainer setupServerFirewall finished";
-
-    return startupContainerWorker(credentials, container, config);
-}
-
-ErrorCode ServerController::updateContainer(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &oldConfig,
-                                            QJsonObject &newConfig)
-{
-    bool reinstallRequired = isReinstallContainerRequired(container, oldConfig, newConfig);
-    qDebug() << "ServerController::updateContainer for container" << container << "reinstall required is" << reinstallRequired;
-
-    if (reinstallRequired) {
-        return setupContainer(credentials, container, newConfig, true);
-    } else {
-        ErrorCode e = configureContainerWorker(credentials, container, newConfig);
-        if (e)
-            return e;
-
-        return startupContainerWorker(credentials, container, newConfig);
-    }
-}
-
-bool ServerController::isReinstallContainerRequired(DockerContainer container, const QJsonObject &oldConfig, const QJsonObject &newConfig)
-{
-    Proto mainProto = ContainerProps::defaultProtocol(container);
-
-    const QJsonObject &oldProtoConfig = oldConfig.value(ProtocolProps::protoToString(mainProto)).toObject();
-    const QJsonObject &newProtoConfig = newConfig.value(ProtocolProps::protoToString(mainProto)).toObject();
-
-    if (container == DockerContainer::OpenVpn) {
-        if (oldProtoConfig.value(config_key::transport_proto).toString(protocols::openvpn::defaultTransportProto)
-            != newProtoConfig.value(config_key::transport_proto).toString(protocols::openvpn::defaultTransportProto))
-            return true;
-
-        if (oldProtoConfig.value(config_key::port).toString(protocols::openvpn::defaultPort)
-            != newProtoConfig.value(config_key::port).toString(protocols::openvpn::defaultPort))
-            return true;
-    }
-
-    if (container == DockerContainer::Cloak) {
-        if (oldProtoConfig.value(config_key::port).toString(protocols::cloak::defaultPort)
-            != newProtoConfig.value(config_key::port).toString(protocols::cloak::defaultPort))
-            return true;
-    }
-
-    if (container == DockerContainer::ShadowSocks) {
-        if (oldProtoConfig.value(config_key::port).toString(protocols::shadowsocks::defaultPort)
-            != newProtoConfig.value(config_key::port).toString(protocols::shadowsocks::defaultPort))
-            return true;
-    }
-
-    if (ContainerProps::isAwgContainer(container)) {
-        if ((oldProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress)
-             != newProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress))
-            || (oldProtoConfig.value(config_key::port).toString(protocols::awg::defaultPort)
-                != newProtoConfig.value(config_key::port).toString(protocols::awg::defaultPort))
-            || (oldProtoConfig.value(config_key::junkPacketCount).toString(protocols::awg::defaultJunkPacketCount)
-                != newProtoConfig.value(config_key::junkPacketCount).toString(protocols::awg::defaultJunkPacketCount))
-            || (oldProtoConfig.value(config_key::junkPacketMinSize).toString(protocols::awg::defaultJunkPacketMinSize)
-                != newProtoConfig.value(config_key::junkPacketMinSize).toString(protocols::awg::defaultJunkPacketMinSize))
-            || (oldProtoConfig.value(config_key::junkPacketMaxSize).toString(protocols::awg::defaultJunkPacketMaxSize)
-                != newProtoConfig.value(config_key::junkPacketMaxSize).toString(protocols::awg::defaultJunkPacketMaxSize))
-            || (oldProtoConfig.value(config_key::initPacketJunkSize).toString(protocols::awg::defaultInitPacketJunkSize)
-                != newProtoConfig.value(config_key::initPacketJunkSize).toString(protocols::awg::defaultInitPacketJunkSize))
-            || (oldProtoConfig.value(config_key::responsePacketJunkSize).toString(protocols::awg::defaultResponsePacketJunkSize)
-                != newProtoConfig.value(config_key::responsePacketJunkSize).toString(protocols::awg::defaultResponsePacketJunkSize))
-            || (oldProtoConfig.value(config_key::initPacketMagicHeader).toString(protocols::awg::defaultInitPacketMagicHeader)
-                != newProtoConfig.value(config_key::initPacketMagicHeader).toString(protocols::awg::defaultInitPacketMagicHeader))
-            || (oldProtoConfig.value(config_key::responsePacketMagicHeader).toString(protocols::awg::defaultResponsePacketMagicHeader)
-                != newProtoConfig.value(config_key::responsePacketMagicHeader).toString(protocols::awg::defaultResponsePacketMagicHeader))
-            || (oldProtoConfig.value(config_key::underloadPacketMagicHeader).toString(protocols::awg::defaultUnderloadPacketMagicHeader)
-                != newProtoConfig.value(config_key::underloadPacketMagicHeader).toString(protocols::awg::defaultUnderloadPacketMagicHeader))
-            || (oldProtoConfig.value(config_key::transportPacketMagicHeader).toString(protocols::awg::defaultTransportPacketMagicHeader))
-                    != newProtoConfig.value(config_key::transportPacketMagicHeader).toString(protocols::awg::defaultTransportPacketMagicHeader)
-            || (oldProtoConfig.value(config_key::cookieReplyPacketJunkSize).toString(protocols::awg::defaultCookieReplyPacketJunkSize)
-                != newProtoConfig.value(config_key::cookieReplyPacketJunkSize).toString(protocols::awg::defaultCookieReplyPacketJunkSize))
-            || (oldProtoConfig.value(config_key::transportPacketJunkSize).toString(protocols::awg::defaultTransportPacketJunkSize)
-                != newProtoConfig.value(config_key::transportPacketJunkSize).toString(protocols::awg::defaultTransportPacketJunkSize)))
-
-            return true;
-    }
-
-    if (container == DockerContainer::WireGuard) {
-        if ((oldProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress)
-             != newProtoConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress))
-            || (oldProtoConfig.value(config_key::port).toString(protocols::wireguard::defaultPort)
-                != newProtoConfig.value(config_key::port).toString(protocols::wireguard::defaultPort)))
-            return true;
-    }
-
-    if (container == DockerContainer::Socks5Proxy) {
-        return true;
-    }
-
-    if (container == DockerContainer::Xray) {
-        if (oldProtoConfig.value(config_key::port).toString(protocols::xray::defaultPort)
-            != newProtoConfig.value(config_key::port).toString(protocols::xray::defaultPort)) {
-            return true;
-        }
-    }
-
-    return false;
-}
-
-ErrorCode ServerController::installDockerWorker(const ServerCredentials &credentials, DockerContainer container)
-{
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &client) {
-        stdOut += data + "\n";
-
-        if (data.contains("Automatically restart Docker daemon?")) {
-            return client.writeResponse("yes");
-        }
-        return ErrorCode::NoError;
-    };
-    auto cbReadStdErr = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-
-    ErrorCode error =
-            runScript(credentials, replaceVars(amnezia::scriptData(SharedScriptType::install_docker), genVarsForScript(credentials)),
-                      cbReadStdOut, cbReadStdErr);
-
-    qDebug().noquote() << "ServerController::installDockerWorker" << stdOut;
-    if (container == DockerContainer::Awg2) {
-        QRegularExpression regex(R"(Linux\s+(\d+)\.(\d+)[^\d]*)");
-        QRegularExpressionMatch match = regex.match(stdOut);
-        if (match.hasMatch()) {
-            int majorVersion = match.captured(1).toInt();
-            int minorVersion = match.captured(2).toInt();
-
-            if (majorVersion < 4 || (majorVersion == 4 && minorVersion < 14)) {
-                return ErrorCode::ServerLinuxKernelTooOld;
-            }
-        }
-    }
-    if (stdOut.contains("lock"))
-        return ErrorCode::ServerPacketManagerError;
-    if (stdOut.contains("command not found"))
-        return ErrorCode::ServerDockerFailedError;
-
-    return error;
-}
-
-ErrorCode ServerController::prepareHostWorker(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &config)
-{
-    // create folder on host
-    return runScript(credentials, replaceVars(amnezia::scriptData(SharedScriptType::prepare_host), genVarsForScript(credentials, container)));
-}
-
-ErrorCode ServerController::buildContainerWorker(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &config)
-{
-    QString dockerFilePath = amnezia::server::getDockerfileFolder(container) + "/Dockerfile";
-    QString scriptString = QString("sudo rm %1").arg(dockerFilePath);
-    ErrorCode errorCode = runScript(credentials, replaceVars(scriptString, genVarsForScript(credentials, container)));
-    if (errorCode)
-        return errorCode;
-
-    errorCode = uploadFileToHost(credentials, amnezia::scriptData(ProtocolScriptType::dockerfile, container).toUtf8(), dockerFilePath);
-
-    if (errorCode)
-        return errorCode;
-
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-    auto cbReadStdErr = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-
-    ErrorCode error =
-            runScript(credentials,
-                      replaceVars(amnezia::scriptData(SharedScriptType::build_container), genVarsForScript(credentials, container, config)),
-                      cbReadStdOut, cbReadStdErr);
-
-    if (stdOut.contains("doesn't work on cgroups v2"))
-        return ErrorCode::ServerDockerOnCgroupsV2;
-    if (stdOut.contains("cgroup mountpoint does not exist"))
-        return ErrorCode::ServerCgroupMountpoint;
-    if (stdOut.contains("have reached") && stdOut.contains("pull rate limit"))
-        return ErrorCode::DockerPullRateLimit;
-
-    return error;
-}
-
-ErrorCode ServerController::runContainerWorker(const ServerCredentials &credentials, DockerContainer container, QJsonObject &config)
-{
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-
-    ErrorCode e = runScript(credentials,
-                            replaceVars(amnezia::scriptData(ProtocolScriptType::run_container, container),
-                                        genVarsForScript(credentials, container, config)),
-                            cbReadStdOut);
-
-    if (stdOut.contains("address already in use"))
-        return ErrorCode::ServerPortAlreadyAllocatedError;
-    if (stdOut.contains("is already in use by container"))
-        return ErrorCode::ServerPortAlreadyAllocatedError;
-    if (stdOut.contains("invalid publish"))
-        return ErrorCode::ServerDockerFailedError;
-
-    return e;
-}
-
-ErrorCode ServerController::configureContainerWorker(const ServerCredentials &credentials, DockerContainer container, QJsonObject &config)
-{
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-    auto cbReadStdErr = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-
-    ErrorCode e = runContainerScript(credentials, container,
-                                     replaceVars(amnezia::scriptData(ProtocolScriptType::configure_container, container),
-                                                 genVarsForScript(credentials, container, config)),
-                                     cbReadStdOut, cbReadStdErr);
-
-    VpnConfigurationsController::updateContainerConfigAfterInstallation(container, config, stdOut);
-
-    return e;
-}
-
-ErrorCode ServerController::startupContainerWorker(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &config)
-{
-    QString script = amnezia::scriptData(ProtocolScriptType::container_startup, container);
-
-    if (script.isEmpty()) {
-        return ErrorCode::NoError;
-    }
-
-    ErrorCode e = uploadTextFileToContainer(container, credentials, replaceVars(script, genVarsForScript(credentials, container, config)),
-                                            "/opt/amnezia/start.sh");
-    if (e)
-        return e;
-
-    return runScript(credentials,
-                     replaceVars("sudo docker exec -d $CONTAINER_NAME sh -c \"chmod a+x /opt/amnezia/start.sh && "
-                                 "/opt/amnezia/start.sh\"",
-                                 genVarsForScript(credentials, container, config)));
-}
-
-ServerController::Vars ServerController::genVarsForScript(const ServerCredentials &credentials, DockerContainer container,
-                                                          const QJsonObject &config)
-{
-    const QJsonObject &openvpnConfig = config.value(ProtocolProps::protoToString(Proto::OpenVpn)).toObject();
-    const QJsonObject &cloakConfig = config.value(ProtocolProps::protoToString(Proto::Cloak)).toObject();
-    const QJsonObject &ssConfig = config.value(ProtocolProps::protoToString(Proto::ShadowSocks)).toObject();
-    const QJsonObject &wireguarConfig = config.value(ProtocolProps::protoToString(Proto::WireGuard)).toObject();
-    const QJsonObject &amneziaWireguarConfig = config.value(ProtocolProps::protoToString(Proto::Awg)).toObject();
-    const QJsonObject &xrayConfig = config.value(ProtocolProps::protoToString(Proto::Xray)).toObject();
-    const QJsonObject &sftpConfig = config.value(ProtocolProps::protoToString(Proto::Sftp)).toObject();
-    const QJsonObject &socks5ProxyConfig = config.value(ProtocolProps::protoToString(Proto::Socks5Proxy)).toObject();
-
-    Vars vars;
-
-    vars.append({ { "$REMOTE_HOST", credentials.hostName } });
-
-    // OpenVPN vars
-    vars.append({ { "$OPENVPN_SUBNET_IP",
-                    openvpnConfig.value(config_key::subnet_address).toString(protocols::openvpn::defaultSubnetAddress) } });
-    vars.append({ { "$OPENVPN_SUBNET_CIDR", openvpnConfig.value(config_key::subnet_cidr).toString(protocols::openvpn::defaultSubnetCidr) } });
-    vars.append({ { "$OPENVPN_SUBNET_MASK", openvpnConfig.value(config_key::subnet_mask).toString(protocols::openvpn::defaultSubnetMask) } });
-
-    vars.append({ { "$OPENVPN_PORT", openvpnConfig.value(config_key::port).toString(protocols::openvpn::defaultPort) } });
-    vars.append({ { "$OPENVPN_TRANSPORT_PROTO",
-                    openvpnConfig.value(config_key::transport_proto).toString(protocols::openvpn::defaultTransportProto) } });
-
-    bool isNcpDisabled = openvpnConfig.value(config_key::ncp_disable).toBool(protocols::openvpn::defaultNcpDisable);
-    vars.append({ { "$OPENVPN_NCP_DISABLE", isNcpDisabled ? protocols::openvpn::ncpDisableString : "" } });
-
-    vars.append({ { "$OPENVPN_CIPHER", openvpnConfig.value(config_key::cipher).toString(protocols::openvpn::defaultCipher) } });
-    vars.append({ { "$OPENVPN_HASH", openvpnConfig.value(config_key::hash).toString(protocols::openvpn::defaultHash) } });
-
-    bool isTlsAuth = openvpnConfig.value(config_key::tls_auth).toBool(protocols::openvpn::defaultTlsAuth);
-    vars.append({ { "$OPENVPN_TLS_AUTH", isTlsAuth ? protocols::openvpn::tlsAuthString : "" } });
-    if (!isTlsAuth) {
-        // erase $OPENVPN_TA_KEY, so it will not set in OpenVpnConfigurator::genOpenVpnConfig
-        vars.append({ { "$OPENVPN_TA_KEY", "" } });
-    }
-
-    vars.append({ { "$OPENVPN_ADDITIONAL_CLIENT_CONFIG",
-                    openvpnConfig.value(config_key::additional_client_config).toString(protocols::openvpn::defaultAdditionalClientConfig) } });
-    vars.append({ { "$OPENVPN_ADDITIONAL_SERVER_CONFIG",
-                    openvpnConfig.value(config_key::additional_server_config).toString(protocols::openvpn::defaultAdditionalServerConfig) } });
-
-    // ShadowSocks vars
-    vars.append({ { "$SHADOWSOCKS_SERVER_PORT", ssConfig.value(config_key::port).toString(protocols::shadowsocks::defaultPort) } });
-    vars.append({ { "$SHADOWSOCKS_LOCAL_PORT",
-                    ssConfig.value(config_key::local_port).toString(protocols::shadowsocks::defaultLocalProxyPort) } });
-    vars.append({ { "$SHADOWSOCKS_CIPHER", ssConfig.value(config_key::cipher).toString(protocols::shadowsocks::defaultCipher) } });
-
-    vars.append({ { "$CONTAINER_NAME", ContainerProps::containerToString(container) } });
-    vars.append({ { "$DOCKERFILE_FOLDER", "/opt/amnezia/" + ContainerProps::containerToString(container) } });
-
-    // Cloak vars
-    vars.append({ { "$CLOAK_SERVER_PORT", cloakConfig.value(config_key::port).toString(protocols::cloak::defaultPort) } });
-    vars.append({ { "$FAKE_WEB_SITE_ADDRESS", cloakConfig.value(config_key::site).toString(protocols::cloak::defaultRedirSite) } });
-
-    // Xray vars
-    vars.append({ { "$XRAY_SITE_NAME", xrayConfig.value(config_key::site).toString(protocols::xray::defaultSite) } });
-    vars.append({ { "$XRAY_SERVER_PORT", xrayConfig.value(config_key::port).toString(protocols::xray::defaultPort) } });
-
-    // Wireguard vars
-    vars.append({ { "$WIREGUARD_SUBNET_IP",
-                    wireguarConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress) } });
-    vars.append({ { "$WIREGUARD_SUBNET_CIDR",
-                    wireguarConfig.value(config_key::subnet_cidr).toString(protocols::wireguard::defaultSubnetCidr) } });
-    vars.append({ { "$WIREGUARD_SUBNET_MASK",
-                    wireguarConfig.value(config_key::subnet_mask).toString(protocols::wireguard::defaultSubnetMask) } });
-
-    vars.append({ { "$WIREGUARD_SERVER_PORT", wireguarConfig.value(config_key::port).toString(protocols::wireguard::defaultPort) } });
-
-    // IPsec vars
-    vars.append({ { "$IPSEC_VPN_L2TP_NET", "192.168.42.0/24" } });
-    vars.append({ { "$IPSEC_VPN_L2TP_POOL", "192.168.42.10-192.168.42.250" } });
-    vars.append({ { "$IPSEC_VPN_L2TP_LOCAL", "192.168.42.1" } });
-
-    vars.append({ { "$IPSEC_VPN_XAUTH_NET", "192.168.43.0/24" } });
-    vars.append({ { "$IPSEC_VPN_XAUTH_POOL", "192.168.43.10-192.168.43.250" } });
-
-    vars.append({ { "$IPSEC_VPN_SHA2_TRUNCBUG", "yes" } });
-
-    vars.append({ { "$IPSEC_VPN_VPN_ANDROID_MTU_FIX", "yes" } });
-    vars.append({ { "$IPSEC_VPN_DISABLE_IKEV2", "no" } });
-    vars.append({ { "$IPSEC_VPN_DISABLE_L2TP", "no" } });
-    vars.append({ { "$IPSEC_VPN_DISABLE_XAUTH", "no" } });
-
-    vars.append({ { "$IPSEC_VPN_C2C_TRAFFIC", "no" } });
-
-    vars.append({ { "$PRIMARY_SERVER_DNS", m_settings->primaryDns() } });
-    vars.append({ { "$SECONDARY_SERVER_DNS", m_settings->secondaryDns() } });
-
-    // Sftp vars
-    vars.append({ { "$SFTP_PORT", sftpConfig.value(config_key::port).toString(QString::number(ProtocolProps::defaultPort(Proto::Sftp))) } });
-    vars.append({ { "$SFTP_USER", sftpConfig.value(config_key::userName).toString() } });
-    vars.append({ { "$SFTP_PASSWORD", sftpConfig.value(config_key::password).toString() } });
-
-    // Amnezia wireguard vars
-    vars.append({ { "$AWG_SUBNET_IP",
-                    amneziaWireguarConfig.value(config_key::subnet_address).toString(protocols::wireguard::defaultSubnetAddress) } });
-    vars.append({ { "$AWG_SERVER_PORT", amneziaWireguarConfig.value(config_key::port).toString(protocols::awg::defaultPort) } });
-
-    vars.append({ { "$JUNK_PACKET_COUNT", amneziaWireguarConfig.value(config_key::junkPacketCount).toString() } });
-    vars.append({ { "$JUNK_PACKET_MIN_SIZE", amneziaWireguarConfig.value(config_key::junkPacketMinSize).toString() } });
-    vars.append({ { "$JUNK_PACKET_MAX_SIZE", amneziaWireguarConfig.value(config_key::junkPacketMaxSize).toString() } });
-    vars.append({ { "$INIT_PACKET_JUNK_SIZE", amneziaWireguarConfig.value(config_key::initPacketJunkSize).toString() } });
-    vars.append({ { "$RESPONSE_PACKET_JUNK_SIZE", amneziaWireguarConfig.value(config_key::responsePacketJunkSize).toString() } });
-    vars.append({ { "$INIT_PACKET_MAGIC_HEADER", amneziaWireguarConfig.value(config_key::initPacketMagicHeader).toString() } });
-    vars.append({ { "$RESPONSE_PACKET_MAGIC_HEADER", amneziaWireguarConfig.value(config_key::responsePacketMagicHeader).toString() } });
-    vars.append({ { "$UNDERLOAD_PACKET_MAGIC_HEADER", amneziaWireguarConfig.value(config_key::underloadPacketMagicHeader).toString() } });
-    vars.append({ { "$TRANSPORT_PACKET_MAGIC_HEADER", amneziaWireguarConfig.value(config_key::transportPacketMagicHeader).toString() } });
-
-    vars.append({ { "$COOKIE_REPLY_PACKET_JUNK_SIZE", amneziaWireguarConfig.value(config_key::cookieReplyPacketJunkSize).toString() } });
-    vars.append({ { "$TRANSPORT_PACKET_JUNK_SIZE", amneziaWireguarConfig.value(config_key::transportPacketJunkSize).toString() } });
-    vars.append({ { "$SPECIAL_JUNK_1", amneziaWireguarConfig.value(config_key::specialJunk1).toString() } });
-    vars.append({ { "$SPECIAL_JUNK_2", amneziaWireguarConfig.value(config_key::specialJunk2).toString() } });
-    vars.append({ { "$SPECIAL_JUNK_3", amneziaWireguarConfig.value(config_key::specialJunk3).toString() } });
-    vars.append({ { "$SPECIAL_JUNK_4", amneziaWireguarConfig.value(config_key::specialJunk4).toString() } });
-    vars.append({ { "$SPECIAL_JUNK_5", amneziaWireguarConfig.value(config_key::specialJunk5).toString() } });
-
-    // Socks5 proxy vars
-    vars.append({ { "$SOCKS5_PROXY_PORT", socks5ProxyConfig.value(config_key::port).toString(protocols::socks5Proxy::defaultPort) } });
-    auto username = socks5ProxyConfig.value(config_key::userName).toString();
-    auto password = socks5ProxyConfig.value(config_key::password).toString();
-    QString socks5user = (!username.isEmpty() && !password.isEmpty()) ? QString("users %1:CL:%2").arg(username, password) : "";
-    vars.append({ { "$SOCKS5_USER", socks5user } });
-    vars.append({ { "$SOCKS5_AUTH_TYPE", socks5user.isEmpty() ? "none" : "strong" } });
-
-    QString serverIp = (!ContainerProps::isAwgContainer(container) && 
-        container != DockerContainer::WireGuard && container != DockerContainer::Xray)
-            ? NetworkUtilities::getIPAddress(credentials.hostName)
-            : credentials.hostName;
-    if (!serverIp.isEmpty()) {
-        vars.append({ { "$SERVER_IP_ADDRESS", serverIp } });
-    } else {
-        qWarning() << "ServerController::genVarsForScript unable to resolve address for credentials.hostName";
-    }
-
-    return vars;
-}
-
-QString ServerController::checkSshConnection(const ServerCredentials &credentials, ErrorCode &errorCode)
-{
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-    auto cbReadStdErr = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-
-    errorCode = runScript(credentials, amnezia::scriptData(SharedScriptType::check_connection), cbReadStdOut, cbReadStdErr);
-
-    return stdOut;
-}
-
-void ServerController::cancelInstallation()
-{
-    m_cancelInstallation = true;
-}
-
-ErrorCode ServerController::setupServerFirewall(const ServerCredentials &credentials)
-{
-    return runScript(credentials, replaceVars(amnezia::scriptData(SharedScriptType::setup_host_firewall), genVarsForScript(credentials)));
-}
-
-QString ServerController::replaceVars(const QString &script, const Vars &vars)
-{
-    QString s = script;
-    for (const QPair<QString, QString> &var : vars) {
-        s.replace(var.first, var.second);
-    }
-    return s;
-}
-
-ErrorCode ServerController::isServerPortBusy(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &config)
-{
-    if (container == DockerContainer::Dns) {
-        return ErrorCode::NoError;
-    }
-
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-    auto cbReadStdErr = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-
-    const Proto protocol = ContainerProps::defaultProtocol(container);
-    const QString containerString = ProtocolProps::protoToString(protocol);
-    const QJsonObject containerConfig = config.value(containerString).toObject();
-
-    QStringList fixedPorts = ContainerProps::fixedPortsForContainer(container);
-
-    QString defaultPort("%1");
-    QString port = containerConfig.value(config_key::port).toString(defaultPort.arg(ProtocolProps::defaultPort(protocol)));
-    QString defaultTransportProto = ProtocolProps::transportProtoToString(ProtocolProps::defaultTransportProto(protocol), protocol);
-    QString transportProto = containerConfig.value(config_key::transport_proto).toString(defaultTransportProto);
-
-    // TODO reimplement with netstat
-    QString script = QString("which lsof > /dev/null 2>&1 || true && sudo lsof -i -P -n 2>/dev/null | grep -E ':%1 ").arg(port);
-    for (auto &port : fixedPorts) {
-        script = script.append("|:%1").arg(port);
-    }
-
-    if (transportProto == "tcpandudp") {
-        QString tcpProtoScript = script;
-        QString udpProtoScript = script;
-        tcpProtoScript.append("' | grep -i tcp");
-        udpProtoScript.append("' | grep -i udp");
-        tcpProtoScript.append(" | grep LISTEN");
-
-        ErrorCode errorCode =
-                runScript(credentials, replaceVars(tcpProtoScript, genVarsForScript(credentials, container)), cbReadStdOut, cbReadStdErr);
-        if (errorCode != ErrorCode::NoError) {
-            return errorCode;
-        }
-
-        errorCode = runScript(credentials, replaceVars(udpProtoScript, genVarsForScript(credentials, container)), cbReadStdOut, cbReadStdErr);
-        if (errorCode != ErrorCode::NoError) {
-            return errorCode;
-        }
-
-        if (!stdOut.isEmpty()) {
-            return ErrorCode::ServerPortAlreadyAllocatedError;
-        }
-        return ErrorCode::NoError;
-    }
-
-    script = script.append("' | grep -i %1").arg(transportProto);
-
-    if (transportProto == "tcp") {
-        script = script.append(" | grep LISTEN");
-    }
-
-    ErrorCode errorCode = runScript(credentials, replaceVars(script, genVarsForScript(credentials, container)), cbReadStdOut, cbReadStdErr);
-    if (errorCode != ErrorCode::NoError) {
-        return errorCode;
-    }
-
-    if (!stdOut.isEmpty()) {
-        return ErrorCode::ServerPortAlreadyAllocatedError;
-    }
-    return ErrorCode::NoError;
-}
-
-ErrorCode ServerController::isUserInSudo(const ServerCredentials &credentials, DockerContainer container)
-{
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-    auto cbReadStdErr = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-
-    const QString scriptData = amnezia::scriptData(SharedScriptType::check_user_in_sudo);
-    ErrorCode error = runScript(credentials, replaceVars(scriptData, genVarsForScript(credentials)), cbReadStdOut, cbReadStdErr);
-
-    if (credentials.userName != "root" && stdOut.contains("sudo:") && !stdOut.contains("uname:") && stdOut.contains("not found"))
-        return ErrorCode::ServerSudoPackageIsNotPreinstalled;
-    if (credentials.userName != "root" && !stdOut.contains("sudo") && !stdOut.contains("wheel"))
-        return ErrorCode::ServerUserNotInSudo;
-    if (stdOut.contains("can't cd to") || stdOut.contains("Permission denied") || stdOut.contains("No such file or directory"))
-        return ErrorCode::ServerUserDirectoryNotAccessible;
-    if (stdOut.contains("sudoers") || stdOut.contains("is not allowed to run sudo on"))
-        return ErrorCode::ServerUserNotAllowedInSudoers;
-    if (stdOut.contains("password is required"))
-        return ErrorCode::ServerUserPasswordRequired;
-
-    return error;
-}
-
-ErrorCode ServerController::isServerDpkgBusy(const ServerCredentials &credentials, DockerContainer container)
-{
-    m_cancelInstallation = false;
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-    auto cbReadStdErr = [&](const QString &data, libssh::Client &) {
-        stdOut += data + "\n";
-        return ErrorCode::NoError;
-    };
-
-    QFutureWatcher<ErrorCode> watcher;
-
-    QFuture<ErrorCode> future = QtConcurrent::run([this, &stdOut, &cbReadStdOut, &cbReadStdErr, &credentials]() {
-        // max 100 attempts
-        for (int i = 0; i < 30; ++i) {
-            if (m_cancelInstallation) {
-                return ErrorCode::ServerCancelInstallation;
-            }
-            stdOut.clear();
-            runScript(credentials, replaceVars(amnezia::scriptData(SharedScriptType::check_server_is_busy), genVarsForScript(credentials)),
-                      cbReadStdOut, cbReadStdErr);
-
-            if (stdOut.contains("Packet manager not found"))
-                return ErrorCode::ServerPacketManagerError;
-            if (stdOut.contains("fuser not installed") || stdOut.contains("cat not installed"))
-                return ErrorCode::NoError;
-
-            if (stdOut.isEmpty()) {
-                return ErrorCode::NoError;
-            } else {
-#ifdef MZ_DEBUG
-                qDebug().noquote() << stdOut;
-#endif
-                emit serverIsBusy(true);
-                QThread::msleep(10000);
-            }
-        }
-        return ErrorCode::ServerPacketManagerError;
-    });
-
-    QEventLoop wait;
-    QObject::connect(&watcher, &QFutureWatcher<ErrorCode>::finished, &wait, &QEventLoop::quit);
-    watcher.setFuture(future);
-    wait.exec();
-
-    emit serverIsBusy(false);
-
-    return future.result();
-}
-
-ErrorCode ServerController::getDecryptedPrivateKey(const ServerCredentials &credentials, QString &decryptedPrivateKey,
-                                                   const std::function<QString()> &callback)
-{
-    auto error = m_sshClient.getDecryptedPrivateKey(credentials, decryptedPrivateKey, callback);
-    return error;
-}
--- a/client/core/controllers/serverController.h
+++ b/client/core/controllers/serverController.h
@@ -1,87 +0,0 @@
-#ifndef SERVERCONTROLLER_H
-#define SERVERCONTROLLER_H
-
-#include <QJsonObject>
-#include <QObject>
-
-#include "containers/containers_defs.h"
-#include "core/defs.h"
-#include "core/sshclient.h"
-
-class Settings;
-class VpnConfigurator;
-
-using namespace amnezia;
-
-class ServerController : public QObject
-{
-    Q_OBJECT
-public:
-    ServerController(std::shared_ptr<Settings> settings, QObject *parent = nullptr);
-    ~ServerController();
-
-    typedef QList<QPair<QString, QString>> Vars;
-
-    ErrorCode rebootServer(const ServerCredentials &credentials);
-    ErrorCode removeAllContainers(const ServerCredentials &credentials);
-    ErrorCode removeContainer(const ServerCredentials &credentials, DockerContainer container);
-    ErrorCode setupContainer(const ServerCredentials &credentials, DockerContainer container, QJsonObject &config, bool isUpdate = false);
-    ErrorCode updateContainer(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &oldConfig,
-                              QJsonObject &newConfig);
-
-    ErrorCode startupContainerWorker(const ServerCredentials &credentials, DockerContainer container,
-                                     const QJsonObject &config = QJsonObject());
-
-    ErrorCode uploadTextFileToContainer(DockerContainer container, const ServerCredentials &credentials, const QString &file,
-                                        const QString &path,
-                                        libssh::ScpOverwriteMode overwriteMode = libssh::ScpOverwriteMode::ScpOverwriteExisting);
-    QByteArray getTextFileFromContainer(DockerContainer container, const ServerCredentials &credentials, const QString &path,
-                                        ErrorCode &errorCode);
-
-    QString replaceVars(const QString &script, const Vars &vars);
-    Vars genVarsForScript(const ServerCredentials &credentials, DockerContainer container = DockerContainer::None,
-                          const QJsonObject &config = QJsonObject());
-
-    ErrorCode runScript(const ServerCredentials &credentials, QString script,
-                        const std::function<ErrorCode(const QString &, libssh::Client &)> &cbReadStdOut = nullptr,
-                        const std::function<ErrorCode(const QString &, libssh::Client &)> &cbReadStdErr = nullptr);
-
-    ErrorCode runContainerScript(const ServerCredentials &credentials, DockerContainer container, QString script,
-                                 const std::function<ErrorCode(const QString &, libssh::Client &)> &cbReadStdOut = nullptr,
-                                 const std::function<ErrorCode(const QString &, libssh::Client &)> &cbReadStdErr = nullptr);
-
-    QString checkSshConnection(const ServerCredentials &credentials, ErrorCode &errorCode);
-
-    void cancelInstallation();
-
-    ErrorCode getDecryptedPrivateKey(const ServerCredentials &credentials, QString &decryptedPrivateKey,
-                                     const std::function<QString()> &callback);
-
-private:
-    ErrorCode installDockerWorker(const ServerCredentials &credentials, DockerContainer container);
-    ErrorCode prepareHostWorker(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &config = QJsonObject());
-    ErrorCode buildContainerWorker(const ServerCredentials &credentials, DockerContainer container,
-                                   const QJsonObject &config = QJsonObject());
-    ErrorCode runContainerWorker(const ServerCredentials &credentials, DockerContainer container, QJsonObject &config);
-    ErrorCode configureContainerWorker(const ServerCredentials &credentials, DockerContainer container, QJsonObject &config);
-
-    ErrorCode isServerPortBusy(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &config);
-    bool isReinstallContainerRequired(DockerContainer container, const QJsonObject &oldConfig, const QJsonObject &newConfig);
-    ErrorCode isUserInSudo(const ServerCredentials &credentials, DockerContainer container);
-    ErrorCode isServerDpkgBusy(const ServerCredentials &credentials, DockerContainer container);
-
-    ErrorCode uploadFileToHost(const ServerCredentials &credentials, const QByteArray &data, const QString &remotePath,
-                               libssh::ScpOverwriteMode overwriteMode = libssh::ScpOverwriteMode::ScpOverwriteExisting);
-
-    ErrorCode setupServerFirewall(const ServerCredentials &credentials);
-
-    std::shared_ptr<Settings> m_settings;
-    std::shared_ptr<VpnConfigurator> m_configurator;
-
-    bool m_cancelInstallation = false;
-    libssh::Client m_sshClient;
-signals:
-    void serverIsBusy(const bool isBusy);
-};
-
-#endif // SERVERCONTROLLER_H
--- a/client/core/controllers/serversController.cpp
+++ b/client/core/controllers/serversController.cpp
@@ -0,0 +1,205 @@
+#include "serversController.h"
+#include "core/utils/networkUtilities.h"
+#include "core/utils/api/apiEnums.h"
+#include "core/utils/constants/apiKeys.h"
+#include "core/utils/constants/apiConstants.h"
+#include "core/utils/protocolEnum.h"
+#include "core/protocols/protocolUtils.h"
+#include "core/utils/constants/configKeys.h"
+#include "core/utils/constants/protocolConstants.h"
+#include "core/models/serverConfig.h"
+#include "core/models/containerConfig.h"
+
+#if defined(Q_OS_IOS) || defined(MACOS_NE)
+    #include <AmneziaVPN-Swift.h>
+#endif
+
+
+ServersController::ServersController(SecureServersRepository* serversRepository, 
+                                      SecureAppSettingsRepository* appSettingsRepository,
+                                      QObject *parent)
+    : QObject(parent), m_serversRepository(serversRepository), m_appSettingsRepository(appSettingsRepository)
+{
+    recomputeGatewayStacks();
+}
+
+void ServersController::addServer(const ServerConfig &server)
+{
+    m_serversRepository->addServer(server);
+}
+
+void ServersController::editServer(int index, const ServerConfig &server)
+{
+    m_serversRepository->editServer(index, server);
+}
+
+void ServersController::removeServer(int index)
+{
+    m_serversRepository->removeServer(index);
+}
+
+void ServersController::setDefaultServerIndex(int index)
+{
+    m_serversRepository->setDefaultServer(index);
+}
+
+void ServersController::setDefaultContainer(int serverIndex, DockerContainer container)
+{
+    m_serversRepository->setDefaultContainer(serverIndex, container);
+}
+
+void ServersController::updateContainerConfig(int serverIndex, DockerContainer container, const ContainerConfig &config)
+{
+    m_serversRepository->setContainerConfig(serverIndex, container, config);
+}
+
+void ServersController::clearCachedProfile(int serverIndex, DockerContainer container)
+{
+    m_serversRepository->clearLastConnectionConfig(serverIndex, container);
+}
+
+QJsonArray ServersController::getServersArray() const
+{
+    QJsonArray result;
+    QVector<ServerConfig> servers = m_serversRepository->servers();
+    for (const ServerConfig& server : servers) {
+        result.append(server.toJson());
+    }
+    return result;
+}
+
+QVector<ServerConfig> ServersController::getServers() const
+{
+    return m_serversRepository->servers();
+}
+
+ContainerConfig ServersController::getContainerConfig(int serverIndex, DockerContainer container) const
+{
+    return m_serversRepository->containerConfig(serverIndex, container);
+}
+
+int ServersController::getDefaultServerIndex() const
+{
+    return m_serversRepository->defaultServerIndex();
+}
+
+int ServersController::getServersCount() const
+{
+    return m_serversRepository->serversCount();
+}
+
+ServerConfig ServersController::getServerConfig(int serverIndex) const
+{
+    return m_serversRepository->server(serverIndex);
+}
+
+ServerCredentials ServersController::getServerCredentials(int serverIndex) const
+{
+    return m_serversRepository->serverCredentials(serverIndex);
+}
+
+QPair<QString, QString> ServersController::getDnsPair(int serverIndex, bool isAmneziaDnsEnabled) const
+{
+    ServerConfig serverConfig = m_serversRepository->server(serverIndex);
+    return serverConfig.getDnsPair(isAmneziaDnsEnabled,
+                                   m_appSettingsRepository->primaryDns(),
+                                   m_appSettingsRepository->secondaryDns());
+}
+
+ServersController::GatewayStacksData ServersController::gatewayStacks() const
+{
+    return m_gatewayStacks;
+}
+
+void ServersController::recomputeGatewayStacks()
+{
+    GatewayStacksData computed;
+    bool hasNewTags = false;
+    QVector<ServerConfig> servers = m_serversRepository->servers();
+
+    for (const ServerConfig& serverConfig : servers) {
+        if (serverConfig.isApiV2()) {
+            const ApiV2ServerConfig* apiV2 = serverConfig.as<ApiV2ServerConfig>();
+            if (!apiV2) continue;
+            const QString userCountryCode = apiV2->apiConfig.userCountryCode;
+            const QString serviceType = apiV2->serviceType();
+
+            if (!userCountryCode.isEmpty()) {
+                if (!m_gatewayStacks.userCountryCodes.contains(userCountryCode)) {
+                    hasNewTags = true;
+                }
+                computed.userCountryCodes.insert(userCountryCode);
+            }
+
+            if (!serviceType.isEmpty()) {
+                if (!m_gatewayStacks.serviceTypes.contains(serviceType)) {
+                    hasNewTags = true;
+                }
+                computed.serviceTypes.insert(serviceType);
+            }
+        }
+    }
+
+    m_gatewayStacks = std::move(computed);
+    if (hasNewTags) {
+        emit gatewayStacksExpanded();
+    }
+}
+
+bool ServersController::GatewayStacksData::operator==(const GatewayStacksData &other) const
+{
+    return userCountryCodes == other.userCountryCodes && serviceTypes == other.serviceTypes;
+}
+
+QJsonObject ServersController::GatewayStacksData::toJson() const
+{
+    QJsonObject json;
+    
+    QJsonArray userCountryCodesArray;
+    for (const QString &code : userCountryCodes) {
+        userCountryCodesArray.append(code);
+    }
+    json[apiDefs::key::userCountryCode] = userCountryCodesArray;
+    
+    QJsonArray serviceTypesArray;
+    for (const QString &type : serviceTypes) {
+        serviceTypesArray.append(type);
+    }
+    json[apiDefs::key::serviceType] = serviceTypesArray;
+    
+    return json;
+}
+
+bool ServersController::isServerFromApiAlreadyExists(const QString &userCountryCode, const QString &serviceType, const QString &serviceProtocol) const
+{
+    QVector<ServerConfig> servers = m_serversRepository->servers();
+    for (const ServerConfig& serverConfig : servers) {
+        if (serverConfig.isApiV2()) {
+            const ApiV2ServerConfig* apiV2 = serverConfig.as<ApiV2ServerConfig>();
+            if (!apiV2) return false;
+            if (apiV2->apiConfig.userCountryCode == userCountryCode
+                && apiV2->serviceType() == serviceType
+                && apiV2->serviceProtocol() == serviceProtocol) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+bool ServersController::hasInstalledContainers(int serverIndex) const
+{
+    ServerConfig serverConfig = m_serversRepository->server(serverIndex);
+    QMap<DockerContainer, ContainerConfig> containers = serverConfig.containers();
+    for (auto it = containers.begin(); it != containers.end(); ++it) {
+        DockerContainer container = it.key();
+        if (ContainerUtils::containerService(container) == ServiceType::Vpn) {
+            return true;
+        }
+        if (container == DockerContainer::SSXray) {
+            return true;
+        }
+    }
+    return false;
+}
+
--- a/client/core/controllers/serversController.h
+++ b/client/core/controllers/serversController.h
@@ -0,0 +1,96 @@
+#ifndef SERVERSCONTROLLER_H
+#define SERVERSCONTROLLER_H
+
+#include <QObject>
+#include <QJsonObject>
+#include <QJsonArray>
+#include <QSet>
+#include <QVector>
+
+#include <QPair>
+
+#include "core/utils/containerEnum.h"
+#include "core/utils/containers/containerUtils.h"
+#include "core/utils/protocolEnum.h"
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+#include "core/models/serverConfig.h"
+#include "core/models/containerConfig.h"
+
+class SshSession;
+class InstallController;
+
+using namespace amnezia;
+
+/**
+ * @brief Core business logic controller for server operations
+ * 
+ * This controller contains pure business logic for managing servers.
+ */
+class ServersController : public QObject
+{
+    Q_OBJECT
+    
+public:
+    struct GatewayStacksData
+    {
+        QSet<QString> userCountryCodes;
+        QSet<QString> serviceTypes;
+
+        bool isEmpty() const { return userCountryCodes.isEmpty() && serviceTypes.isEmpty(); }
+        bool operator==(const GatewayStacksData &other) const;
+        QJsonObject toJson() const;
+    };
+    
+public:
+    explicit ServersController(SecureServersRepository* serversRepository, 
+                              SecureAppSettingsRepository* appSettingsRepository = nullptr,
+                              QObject *parent = nullptr);
+    ~ServersController() = default;
+
+    // Server management
+    void addServer(const ServerConfig &server);
+    void editServer(int index, const ServerConfig &server);
+    void removeServer(int index);
+    void setDefaultServerIndex(int index);
+
+    // Container management
+    void setDefaultContainer(int serverIndex, DockerContainer container);
+    void updateContainerConfig(int serverIndex, DockerContainer container, const ContainerConfig &config);
+
+    // Cache management
+    void clearCachedProfile(int serverIndex, DockerContainer container);
+
+    // Getters
+    QJsonArray getServersArray() const;
+    QVector<ServerConfig> getServers() const;
+    int getDefaultServerIndex() const;
+    int getServersCount() const;
+    ServerConfig getServerConfig(int serverIndex) const;
+    ServerCredentials getServerCredentials(int serverIndex) const;
+    ContainerConfig getContainerConfig(int serverIndex, DockerContainer container) const;
+    QPair<QString, QString> getDnsPair(int serverIndex, bool isAmneziaDnsEnabled) const;
+    
+    GatewayStacksData gatewayStacks() const;
+
+    // Validation
+    bool isServerFromApiAlreadyExists(const QString &userCountryCode, const QString &serviceType, const QString &serviceProtocol) const;
+    bool hasInstalledContainers(int serverIndex) const;
+
+signals:
+    void gatewayStacksExpanded();
+
+public slots:
+    void recomputeGatewayStacks();
+
+private:
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+    GatewayStacksData m_gatewayStacks;
+};
+
+#endif // SERVERSCONTROLLER_H
+
--- a/client/core/controllers/settingsController.cpp
+++ b/client/core/controllers/settingsController.cpp
@@ -0,0 +1,366 @@
+#include "settingsController.h"
+
+#include <QDateTime>
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QOperatingSystemVersion>
+
+#include "version.h"
+#include "ui/utils/qAutoStart.h"
+#include "logger.h"
+#ifdef Q_OS_ANDROID
+    #include "platforms/android/android_controller.h"
+#endif
+
+QString getPlatformName()
+{
+#if defined(Q_OS_WINDOWS)
+    return "Windows";
+#elif defined(Q_OS_ANDROID)
+    return "Android";
+#elif defined(Q_OS_LINUX)
+    return "Linux";
+#elif defined(Q_OS_MACX)
+    return "MacOS";
+#elif defined(Q_OS_IOS)
+    return "iOS";
+#else
+    return "Unknown";
+#endif
+}
+
+SettingsController::SettingsController(SecureServersRepository* serversRepository,
+                                     SecureAppSettingsRepository* appSettingsRepository,
+                                     QObject* parent)
+    : QObject(parent),
+      m_serversRepository(serversRepository),
+      m_appSettingsRepository(appSettingsRepository)
+{
+    m_appVersion = QString("%1 (%2, %3)").arg(QString(APP_VERSION), __DATE__, GIT_COMMIT_HASH);
+    m_isDevModeEnabled = m_appSettingsRepository->isDevGatewayEnv();
+}
+
+void SettingsController::toggleAmneziaDns(bool enable)
+{
+    m_appSettingsRepository->setUseAmneziaDns(enable);
+}
+
+bool SettingsController::isAmneziaDnsEnabled() const
+{
+    return m_appSettingsRepository->useAmneziaDns();
+}
+
+QString SettingsController::getPrimaryDns() const
+{
+    return m_appSettingsRepository->primaryDns();
+}
+
+void SettingsController::setPrimaryDns(const QString &dns)
+{
+    m_appSettingsRepository->setPrimaryDns(dns);
+}
+
+QString SettingsController::getSecondaryDns() const
+{
+    return m_appSettingsRepository->secondaryDns();
+}
+
+void SettingsController::setSecondaryDns(const QString &dns)
+{
+    m_appSettingsRepository->setSecondaryDns(dns);
+}
+
+bool SettingsController::isLoggingEnabled() const
+{
+    return m_appSettingsRepository->isSaveLogs();
+}
+
+void SettingsController::toggleLogging(bool enable)
+{
+    m_appSettingsRepository->setSaveLogs(enable);
+#ifndef Q_OS_ANDROID
+    if (!enable) {
+        Logger::deInit();
+    } else {
+        if (!Logger::init(false)) {
+            qWarning() << "Initialization of debug subsystem failed";
+        }
+    }
+#endif
+    Logger::setServiceLogsEnabled(enable);
+
+    if (enable) {
+        m_appSettingsRepository->setLogEnableDate(QDateTime::currentDateTime());
+    }
+}
+
+void SettingsController::clearLogs()
+{
+#ifdef Q_OS_ANDROID
+    AndroidController::instance()->clearLogs();
+#else
+    Logger::clearLogs(false);
+    Logger::clearServiceLogs();
+#endif
+}
+
+QByteArray SettingsController::backupAppConfig() const
+{
+    QByteArray data = m_appSettingsRepository->backupAppConfig();
+    QJsonDocument doc = QJsonDocument::fromJson(data);
+    QJsonObject config = doc.object();
+
+    config["AppPlatform"] = getPlatform();
+    config["Conf/autoStart"] = isAutoStartEnabled();
+    config["Conf/killSwitchEnabled"] = isKillSwitchEnabled();
+    config["Conf/strictKillSwitchEnabled"] = isStrictKillSwitchEnabled();
+    config["Conf/useAmneziaDns"] = isAmneziaDnsEnabled();
+
+    return QJsonDocument(config).toJson();
+}
+
+ErrorCode SettingsController::restoreAppConfigFromData(const QByteArray &data)
+{
+    if (!m_appSettingsRepository->restoreAppConfig(data)) {
+        return ErrorCode::RestoreBackupInvalidError;
+    }
+
+    m_serversRepository->invalidateCache();
+
+    QJsonObject newConfigData = QJsonDocument::fromJson(data).object();
+
+#if defined(Q_OS_WINDOWS) || defined(Q_OS_LINUX) || defined(Q_OS_MACX)
+    bool autoStart = false;
+    if (newConfigData.contains("Conf/autoStart")) {
+        autoStart = newConfigData["Conf/autoStart"].toBool();
+    }
+    toggleAutoStart(autoStart);
+#endif
+
+#if defined(Q_OS_WINDOWS) || defined(Q_OS_ANDROID)
+    int appSplitTunnelingRouteMode = newConfigData.value("Conf/appsRouteMode").toInt();
+    bool appSplittunnelingEnabled =
+            newConfigData.value("Conf/appsSplitTunnelingEnabled").toVariant().toString().toLower() == "true";
+    emit appSplitTunnelingRouteModeChanged(static_cast<AppsRouteMode>(appSplitTunnelingRouteMode));
+
+    #if defined(Q_OS_WINDOWS)
+        emit appSplitTunnelingRouteModeChanged(AppsRouteMode::VpnAllExceptApps);
+    #endif
+
+    if (newConfigData.contains("AppPlatform")) {
+            if (newConfigData.value("AppPlatform").toString() != getPlatform()) {
+                emit appSplitTunnelingClearAppsList();
+            }
+    }
+    
+    emit appSplitTunnelingToggled(appSplittunnelingEnabled);
+#endif
+
+    int siteSplitTunnelingRouteMode = newConfigData.value("Conf/routeMode").toInt();
+    bool siteSplittunnelingEnabled =
+            newConfigData.value("Conf/sitesSplitTunnelingEnabled").toVariant().toString().toLower() == "true";
+    emit siteSplitTunnelingRouteModeChanged(static_cast<RouteMode>(siteSplitTunnelingRouteMode));
+    emit siteSplitTunnelingToggled(siteSplittunnelingEnabled);
+
+#if defined(Q_OS_ANDROID) || defined(Q_OS_IOS)
+    m_appSettingsRepository->setAutoConnect(false);
+    m_appSettingsRepository->setStartMinimized(false);
+    m_appSettingsRepository->setKillSwitchEnabled(false);
+    m_appSettingsRepository->setStrictKillSwitchEnabled(false);
+#endif
+
+    return ErrorCode::NoError;
+}
+
+QString SettingsController::getAppVersion() const
+{
+    return m_appVersion;
+}
+
+void SettingsController::clearSettings()
+{
+    int serverCount = m_serversRepository->serversCount();
+    
+    m_appSettingsRepository->clearSettings();
+    
+    m_serversRepository->setServersArray(QJsonArray());
+    m_serversRepository->setDefaultServer(0);
+
+    emit siteSplitTunnelingRouteModeChanged(RouteMode::VpnOnlyForwardSites);
+    emit siteSplitTunnelingToggled(false);
+
+    emit appSplitTunnelingRouteModeChanged(AppsRouteMode::VpnAllExceptApps);
+    emit appSplitTunnelingToggled(false);
+
+    toggleAutoStart(false);
+}
+
+bool SettingsController::isAutoConnectEnabled() const
+{
+    return m_appSettingsRepository->isAutoConnect();
+}
+
+void SettingsController::toggleAutoConnect(bool enable)
+{
+    m_appSettingsRepository->setAutoConnect(enable);
+}
+
+bool SettingsController::isAutoStartEnabled() const
+{
+    return Autostart::isAutostart();
+}
+
+void SettingsController::toggleAutoStart(bool enable)
+{
+    Autostart::setAutostart(enable);
+    if (!enable) {
+        toggleStartMinimized(false);
+    }
+}
+
+bool SettingsController::isStartMinimizedEnabled() const
+{
+    return m_appSettingsRepository->isStartMinimized();
+}
+
+void SettingsController::toggleStartMinimized(bool enable)
+{
+    m_appSettingsRepository->setStartMinimized(enable);
+}
+
+bool SettingsController::isScreenshotsEnabled() const
+{
+    return m_appSettingsRepository->isScreenshotsEnabled();
+}
+
+void SettingsController::toggleScreenshotsEnabled(bool enable)
+{
+    m_appSettingsRepository->setScreenshotsEnabled(enable);
+}
+
+bool SettingsController::isNewsNotificationsEnabled() const
+{
+    return m_appSettingsRepository->isNewsNotifications();
+}
+
+void SettingsController::toggleNewsNotificationsEnabled(bool enable)
+{
+    m_appSettingsRepository->setNewsNotifications(enable);
+}
+
+bool SettingsController::isKillSwitchEnabled() const
+{
+    return m_appSettingsRepository->isKillSwitchEnabled();
+}
+
+void SettingsController::toggleKillSwitch(bool enable)
+{
+    m_appSettingsRepository->setKillSwitchEnabled(enable);
+}
+
+bool SettingsController::isStrictKillSwitchEnabled() const
+{
+    return m_appSettingsRepository->isStrictKillSwitchEnabled();
+}
+
+void SettingsController::toggleStrictKillSwitch(bool enable)
+{
+    m_appSettingsRepository->setStrictKillSwitchEnabled(enable);
+}
+
+QString SettingsController::getInstallationUuid(bool createIfNotExists) const
+{
+    return m_appSettingsRepository->getInstallationUuid(createIfNotExists);
+}
+
+void SettingsController::enableDevMode()
+{
+    m_isDevModeEnabled = true;
+}
+
+bool SettingsController::isDevModeEnabled() const
+{
+    return m_isDevModeEnabled;
+}
+
+void SettingsController::resetGatewayEndpoint()
+{
+    m_appSettingsRepository->resetGatewayEndpoint();
+}
+
+void SettingsController::setGatewayEndpoint(const QString &endpoint)
+{
+    m_appSettingsRepository->setGatewayEndpoint(endpoint);
+}
+
+QString SettingsController::getGatewayEndpoint() const
+{
+    return m_appSettingsRepository->isDevGatewayEnv() ? "Dev endpoint" : m_appSettingsRepository->getGatewayEndpoint();
+}
+
+bool SettingsController::isDevGatewayEnv() const
+{
+    return m_appSettingsRepository->isDevGatewayEnv();
+}
+
+void SettingsController::toggleDevGatewayEnv(bool enabled)
+{
+    m_appSettingsRepository->toggleDevGatewayEnv(enabled);
+    if (enabled) {
+        m_appSettingsRepository->setDevGatewayEndpoint();
+    } else {
+        m_appSettingsRepository->resetGatewayEndpoint();
+    }
+}
+
+bool SettingsController::isHomeAdLabelVisible() const
+{
+    return m_appSettingsRepository->isHomeAdLabelVisible();
+}
+
+void SettingsController::disableHomeAdLabel()
+{
+    m_appSettingsRepository->disableHomeAdLabel();
+}
+
+void SettingsController::checkIfNeedDisableLogs()
+{
+    if (m_appSettingsRepository->isSaveLogs()) {
+        m_loggingDisableDate = m_appSettingsRepository->getLogEnableDate().addDays(14);
+        if (m_loggingDisableDate <= QDateTime::currentDateTime()) {
+            toggleLogging(false);
+            clearLogs();
+        }
+    }
+}
+
+QString SettingsController::getPlatform() const
+{
+    return getPlatformName();
+}
+
+QLocale SettingsController::getAppLanguage() const
+{
+    return m_appSettingsRepository->getAppLanguage();
+}
+
+void SettingsController::setAppLanguage(const QLocale &locale)
+{
+    m_appSettingsRepository->setAppLanguage(locale);
+}
+
+bool SettingsController::isPremV1MigrationReminderActive() const
+{
+    return m_appSettingsRepository->isPremV1MigrationReminderActive();
+}
+
+void SettingsController::disablePremV1MigrationReminder()
+{
+    m_appSettingsRepository->disablePremV1MigrationReminder();
+}
+
+QString SettingsController::nextAvailableServerName() const
+{
+    return m_appSettingsRepository->nextAvailableServerName();
+}
+
--- a/client/core/controllers/settingsController.h
+++ b/client/core/controllers/settingsController.h
@@ -0,0 +1,112 @@
+#ifndef SETTINGSCONTROLLER_H
+#define SETTINGSCONTROLLER_H
+
+#include <QObject>
+#include <QJsonObject>
+#include <QByteArray>
+#include <QDateTime>
+
+#include "core/utils/errorCodes.h"
+#include "core/utils/routeModes.h"
+#include "core/utils/commonStructs.h"
+#include "core/repositories/secureServersRepository.h"
+#include "core/repositories/secureAppSettingsRepository.h"
+
+using namespace amnezia;
+
+class SettingsController : public QObject
+{
+    Q_OBJECT
+public:
+    explicit SettingsController(SecureServersRepository* serversRepository,
+                               SecureAppSettingsRepository* appSettingsRepository,
+                               QObject* parent = nullptr);
+    ~SettingsController() = default;
+
+    void toggleAmneziaDns(bool enable);
+    bool isAmneziaDnsEnabled() const;
+
+    QString getPrimaryDns() const;
+    void setPrimaryDns(const QString &dns);
+
+    QString getSecondaryDns() const;
+    void setSecondaryDns(const QString &dns);
+
+    bool isLoggingEnabled() const;
+    void toggleLogging(bool enable);
+
+    void clearLogs();
+
+    QByteArray backupAppConfig() const;
+    ErrorCode restoreAppConfigFromData(const QByteArray &data);
+
+    QString getAppVersion() const;
+
+    void clearSettings();
+
+    bool isAutoConnectEnabled() const;
+    void toggleAutoConnect(bool enable);
+
+    bool isAutoStartEnabled() const;
+    void toggleAutoStart(bool enable);
+
+    bool isStartMinimizedEnabled() const;
+    void toggleStartMinimized(bool enable);
+
+    bool isScreenshotsEnabled() const;
+    void toggleScreenshotsEnabled(bool enable);
+
+    bool isNewsNotificationsEnabled() const;
+    void toggleNewsNotificationsEnabled(bool enable);
+
+    bool isKillSwitchEnabled() const;
+    void toggleKillSwitch(bool enable);
+
+    bool isStrictKillSwitchEnabled() const;
+    void toggleStrictKillSwitch(bool enable);
+
+    QString getInstallationUuid(bool createIfNotExists = true) const;
+
+    void enableDevMode();
+    
+    bool isPremV1MigrationReminderActive() const;
+    void disablePremV1MigrationReminder();
+    
+    QString nextAvailableServerName() const;
+    bool isDevModeEnabled() const;
+
+    void resetGatewayEndpoint();
+    void setGatewayEndpoint(const QString &endpoint);
+    QString getGatewayEndpoint() const;
+    bool isDevGatewayEnv() const;
+    void toggleDevGatewayEnv(bool enabled);
+
+    bool isHomeAdLabelVisible() const;
+    void disableHomeAdLabel();
+
+    void checkIfNeedDisableLogs();
+
+    QLocale getAppLanguage() const;
+    void setAppLanguage(const QLocale &locale);
+
+signals:
+    void siteSplitTunnelingRouteModeChanged(RouteMode mode);
+    void siteSplitTunnelingToggled(bool enabled);
+    void appSplitTunnelingRouteModeChanged(AppsRouteMode mode);
+    void appSplitTunnelingToggled(bool enabled);
+    void appSplitTunnelingClearAppsList();
+
+private:
+    QString getPlatform() const;
+
+    SecureServersRepository* m_serversRepository;
+    SecureAppSettingsRepository* m_appSettingsRepository;
+
+    QString m_appVersion;
+    QDateTime m_loggingDisableDate;
+    bool m_isDevModeEnabled = false;
+};
+
+#endif
+
+
--- a/client/core/controllers/updateController.cpp
+++ b/client/core/controllers/updateController.cpp
@@ -0,0 +1,391 @@
+#include "updateController.h"
+
+#include <QNetworkReply>
+#include <QVersionNumber>
+#include <QUrl>
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QSysInfo>
+#include <QTimer>
+
+#include "amneziaApplication.h"
+#include "logger.h"
+#include "version.h"
+#include "core/controllers/gatewayController.h"
+#include "core/utils/constants/apiKeys.h"
+#include "core/utils/errorStrings.h"
+#include "core/utils/selfhosted/scriptsRegistry.h"
+
+namespace
+{
+    Logger logger("UpdateController");
+
+#if defined(Q_OS_WINDOWS)
+    const QLatin1String kInstallerRemoteFileNamePattern("AmneziaVPN_%1_x64.exe");
+    const QString kInstallerLocalPath = QStandardPaths::writableLocation(QStandardPaths::TempLocation) + "/AmneziaVPN_installer.exe";
+#elif defined(Q_OS_MACOS)
+    const QLatin1String kInstallerRemoteFileNamePattern("AmneziaVPN_%1_macos.pkg");
+    const QString kInstallerLocalPath = QStandardPaths::writableLocation(QStandardPaths::TempLocation) + "/AmneziaVPN.pkg";
+#elif defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)
+    const QLatin1String kInstallerRemoteFileNamePattern("AmneziaVPN_%1_linux_x64.tar");
+    const QString kInstallerLocalPath = QStandardPaths::writableLocation(QStandardPaths::TempLocation) + "/AmneziaVPN.tar";
+#endif
+}
+
+UpdateController::UpdateController(SecureAppSettingsRepository* appSettingsRepository, QObject *parent)
+    : QObject(parent), m_appSettingsRepository(appSettingsRepository)
+{
+}
+
+QString UpdateController::getRawChangelogText() const
+{
+    return m_changelogText;
+}
+
+QString UpdateController::getReleaseDate() const
+{
+    return m_releaseDate;
+}
+
+QString UpdateController::getVersion() const
+{
+    return m_version;
+}
+
+void UpdateController::checkForUpdates()
+{
+    if (m_updateCheckRunning || !m_appSettingsRepository) {
+        return;
+    }
+    m_updateCheckRunning = true;
+
+    fetchGatewayUrl();
+}
+
+void UpdateController::finishUpdateCheck()
+{
+    m_updateCheckRunning = false;
+}
+
+void UpdateController::doGetAsync(const QString &endpoint, std::function<void(bool, QByteArray)> onDone)
+{
+    QString fullUrl = m_baseUrl + endpoint;
+    
+    QNetworkRequest req;
+    req.setTransferTimeout(7000);
+    req.setUrl(QUrl(fullUrl));
+
+    QNetworkReply *reply = amnApp->networkManager()->get(req);
+    setupNetworkErrorHandling(reply, endpoint);
+
+    QObject::connect(reply, &QNetworkReply::finished, this, [this, reply, endpoint, onDone]() {
+        const bool ok = (reply->error() == QNetworkReply::NoError);
+        QByteArray data;
+        if (ok) {
+            data = reply->readAll();
+        } else {
+            handleNetworkError(reply, endpoint);
+        }
+        reply->deleteLater();
+        onDone(ok, data);
+    });
+}
+
+void UpdateController::fetchGatewayUrl()
+{
+    auto gatewayController = QSharedPointer<GatewayController>::create(m_appSettingsRepository->getGatewayEndpoint(),
+                                                                       m_appSettingsRepository->isDevGatewayEnv(),
+                                                                       7000,
+                                                                       m_appSettingsRepository->isStrictKillSwitchEnabled());
+
+    QJsonObject apiPayload;
+    apiPayload[apiDefs::key::cliVersion] = QString(APP_VERSION);
+    apiPayload[apiDefs::key::osVersion] = QSysInfo::productType();
+    apiPayload[apiDefs::key::installationUuid] = m_appSettingsRepository->getInstallationUuid(true);
+
+    // Workaround: wait before contacting gateway to avoid rate limit triggered by other requests (news etc.)
+    QTimer::singleShot(1000, this, [this, gatewayController, apiPayload]() {
+        gatewayController->postAsync(QStringLiteral("%1v1/updater_endpoint"), apiPayload)
+            .then(this, [this](QPair<ErrorCode, QByteArray> result) {
+                auto [err, gatewayResponse] = result;
+                if (err != ErrorCode::NoError) {
+                    logger.error() << errorString(err);
+                    finishUpdateCheck();
+                    return;
+                }
+
+                QJsonObject gatewayData = QJsonDocument::fromJson(gatewayResponse).object();
+
+                QString baseUrl = gatewayData.value("url").toString();
+                if (baseUrl.endsWith('/')) {
+                    baseUrl.chop(1);
+                }
+                m_baseUrl = baseUrl;
+
+                fetchVersionInfo();
+            });
+    });
+}
+
+void UpdateController::fetchVersionInfo()
+{
+    doGetAsync("/VERSION", [this](bool ok, QByteArray data) {
+        if (!ok) {
+            finishUpdateCheck();
+            return;
+        }
+        m_version = QString::fromUtf8(data).trimmed();
+        
+        if (!isNewVersionAvailable()) {
+            finishUpdateCheck();
+            return;
+        }
+        fetchChangelog();
+    });
+}
+
+void UpdateController::fetchChangelog()
+{
+    doGetAsync("/CHANGELOG", [this](bool ok, QByteArray data) {
+        if (!ok) {
+            m_changelogText.clear();
+        } else {
+            m_changelogText = QString::fromUtf8(data);
+        }
+        fetchReleaseDate();
+    });
+}
+
+void UpdateController::fetchReleaseDate()
+{
+    doGetAsync("/RELEASE_DATE", [this](bool ok, QByteArray data) {
+        if (ok) {
+            m_releaseDate = QString::fromUtf8(data).trimmed();
+        } else {
+            m_releaseDate = QString();
+        }
+
+        m_downloadUrl = composeDownloadUrl();
+        emit updateFound();
+        finishUpdateCheck();
+    });
+}
+
+bool UpdateController::isNewVersionAvailable() const
+{
+    auto currentVersion = QVersionNumber::fromString(QString(APP_VERSION));
+    auto newVersion = QVersionNumber::fromString(m_version);
+    return newVersion > currentVersion;
+}
+
+void UpdateController::setupNetworkErrorHandling(QNetworkReply* reply, const QString& operation)
+{
+    QObject::connect(reply, &QNetworkReply::errorOccurred, [reply, operation](QNetworkReply::NetworkError error) {
+        logger.error() << QString("Network error occurred while fetching %1: %2 %3")
+                          .arg(operation, reply->errorString(), QString::number(error));
+    });
+    
+    QObject::connect(reply, &QNetworkReply::sslErrors, [operation](const QList<QSslError> &errors) {
+        QStringList errorStrings;
+        for (const QSslError &err : errors) {
+            errorStrings << err.errorString();
+        }
+        logger.error() << QString("SSL errors while fetching %1: %2").arg(operation, errorStrings.join("; "));
+    });
+}
+
+void UpdateController::handleNetworkError(QNetworkReply* reply, const QString& operation)
+{
+    if (reply->error() == QNetworkReply::NetworkError::OperationCanceledError
+        || reply->error() == QNetworkReply::NetworkError::TimeoutError) {
+        logger.error() << errorString(ErrorCode::ApiConfigTimeoutError);
+    } else {
+        QString err = reply->errorString();
+        logger.error() << "Network error code:" << QString::number(static_cast<int>(reply->error()));
+        logger.error() << "Error message:" << err;
+        logger.error() << "HTTP status:" << reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
+        logger.error() << errorString(ErrorCode::ApiConfigDownloadError);
+    }
+}
+
+QString UpdateController::composeDownloadUrl() const
+{
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+    const QString fileName = QString(kInstallerRemoteFileNamePattern).arg(m_version);
+    return m_baseUrl + "/" + fileName;
+#else
+    return QString();
+#endif
+}
+
+void UpdateController::runInstaller()
+{
+#if !defined(Q_OS_ANDROID) && !defined(Q_OS_IOS)
+    if (m_downloadUrl.isEmpty()) {
+        logger.error() << "Download URL is empty";
+        return;
+    }
+
+    QNetworkRequest request;
+    request.setTransferTimeout(30000);
+    request.setUrl(m_downloadUrl);
+
+    QNetworkReply *reply = amnApp->networkManager()->get(request);
+
+    QObject::connect(reply, &QNetworkReply::finished, [this, reply]() {
+        if (reply->error() == QNetworkReply::NoError) {
+            QFile file(kInstallerLocalPath);
+            if (!file.open(QIODevice::WriteOnly)) {
+                logger.error() << "Failed to open installer file for writing:" << kInstallerLocalPath << "Error:" << file.errorString();
+                reply->deleteLater();
+                return;
+            }
+
+            if (file.write(reply->readAll()) == -1) {
+                logger.error() << "Failed to write installer data to file:" << kInstallerLocalPath << "Error:" << file.errorString();
+                file.close();
+                reply->deleteLater();
+                return;
+            }
+
+            file.close();
+
+    #if defined(Q_OS_WINDOWS)
+            runWindowsInstaller(kInstallerLocalPath);
+    #elif defined(Q_OS_MACOS)
+            runMacInstaller(kInstallerLocalPath);
+    #elif defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)
+            runLinuxInstaller(kInstallerLocalPath);
+    #endif
+        } else {
+            if (reply->error() == QNetworkReply::NetworkError::OperationCanceledError
+                || reply->error() == QNetworkReply::NetworkError::TimeoutError) {
+                logger.error() << errorString(ErrorCode::ApiConfigTimeoutError);
+            } else {
+                QString err = reply->errorString();
+                logger.error() << QString::fromUtf8(reply->readAll());
+                logger.error() << "Network error code:" << QString::number(static_cast<int>(reply->error()));
+                logger.error() << "Error message:" << err;
+                logger.error() << "HTTP status:" << reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
+                logger.error() << errorString(ErrorCode::ApiConfigDownloadError);
+            }
+        }
+        reply->deleteLater();
+    });
+#endif
+}
+
+#if defined(Q_OS_WINDOWS)
+int UpdateController::runWindowsInstaller(const QString &installerPath)
+{
+    qint64 pid;
+    bool success = QProcess::startDetached(installerPath, QStringList(), QString(), &pid);
+
+    if (success) {
+        logger.info() << "Installation process started with PID:" << pid;
+    } else {
+        logger.error() << "Failed to start installation process";
+        return -1;
+    }
+
+    return 0;
+}
+#endif
+
+#if defined(Q_OS_MACOS)
+int UpdateController::runMacInstaller(const QString &installerPath)
+{
+    // Create temporary directory for extraction
+    QTemporaryDir extractDir;
+    extractDir.setAutoRemove(false);
+    if (!extractDir.isValid()) {
+        logger.error() << "Failed to create temporary directory";
+        return -1;
+    }
+    logger.info() << "Temporary directory created:" << extractDir.path();
+
+    // Create script file in the temporary directory
+    QString scriptPath = extractDir.path() + "/mac_installer.sh";
+    QFile scriptFile(scriptPath);
+    if (!scriptFile.open(QIODevice::WriteOnly)) {
+        logger.error() << "Failed to create script file";
+        return -1;
+    }
+
+    // Get script content from registry
+    QString scriptContent = amnezia::scriptData(amnezia::ClientScriptType::mac_installer);
+    if (scriptContent.isEmpty()) {
+        logger.error() << "macOS installer script content is empty";
+        scriptFile.close();
+        return -1;
+    }
+
+    scriptFile.write(scriptContent.toUtf8());
+    scriptFile.close();
+    logger.info() << "Script file created:" << scriptPath;
+
+    // Make script executable
+    QFile::setPermissions(scriptPath, QFile::permissions(scriptPath) | QFile::ExeUser);
+
+    // Start detached process
+    qint64 pid;
+    bool success =
+            QProcess::startDetached("/bin/bash", QStringList() << scriptPath << extractDir.path() << installerPath, extractDir.path(), &pid);
+
+    if (success) {
+        logger.info() << "Installation process started with PID:" << pid;
+    } else {
+        logger.error() << "Failed to start installation process";
+        return -1;
+    }
+
+    return 0;
+}
+#endif
+
+#if defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)
+int UpdateController::runLinuxInstaller(const QString &installerPath)
+{
+    // Create temporary directory for extraction
+    QTemporaryDir extractDir;
+    extractDir.setAutoRemove(false);
+    if (!extractDir.isValid()) {
+        logger.error() << "Failed to create temporary directory";
+        return -1;
+    }
+    logger.info() << "Temporary directory created:" << extractDir.path();
+
+    // Create script file in the temporary directory
+    QString scriptPath = extractDir.path() + "/installer.sh";
+    QFile scriptFile(scriptPath);
+    if (!scriptFile.open(QIODevice::WriteOnly)) {
+        logger.error() << "Failed to create script file";
+        return -1;
+    }
+
+    // Get script content from registry
+    QString scriptContent = amnezia::scriptData(amnezia::ClientScriptType::linux_installer);
+    scriptFile.write(scriptContent.toUtf8());
+    scriptFile.close();
+    logger.info() << "Script file created:" << scriptPath;
+
+    // Make script executable
+    QFile::setPermissions(scriptPath, QFile::permissions(scriptPath) | QFile::ExeUser);
+
+    // Start detached process
+    qint64 pid;
+    bool success =
+            QProcess::startDetached("/bin/bash", QStringList() << scriptPath << extractDir.path() << installerPath, extractDir.path(), &pid);
+
+    if (success) {
+        logger.info() << "Installation process started with PID:" << pid;
+    } else {
+        logger.error() << "Failed to start installation process";
+        return -1;
+    }
+
+    return 0;
+}
+#endif
+
+
--- a/client/core/controllers/updateController.h
+++ b/client/core/controllers/updateController.h
@@ -0,0 +1,57 @@
+#ifndef UPDATECONTROLLER_H
+#define UPDATECONTROLLER_H
+
+#include <functional>
+#include <QObject>
+#include <QNetworkReply>
+
+#include "core/repositories/secureAppSettingsRepository.h"
+
+class UpdateController : public QObject
+{
+    Q_OBJECT
+public:
+    explicit UpdateController(SecureAppSettingsRepository* appSettingsRepository, QObject *parent = nullptr);
+
+    QString getRawChangelogText() const;
+    QString getReleaseDate() const;
+    QString getVersion() const;
+
+public slots:
+    void checkForUpdates();
+    void runInstaller();
+
+signals:
+    void updateFound();
+
+private:
+    void finishUpdateCheck();
+    void fetchGatewayUrl();
+    void fetchVersionInfo();
+    void fetchChangelog();
+    void fetchReleaseDate();
+    void doGetAsync(const QString &endpoint, std::function<void(bool, QByteArray)> onDone);
+    bool isNewVersionAvailable() const;
+    void setupNetworkErrorHandling(QNetworkReply* reply, const QString& operation);
+    void handleNetworkError(QNetworkReply* reply, const QString& operation);
+    QString composeDownloadUrl() const;
+
+    SecureAppSettingsRepository* m_appSettingsRepository;
+
+    QString m_baseUrl;
+    QString m_changelogText;
+    QString m_version;
+    QString m_releaseDate;
+    QString m_downloadUrl;
+    bool m_updateCheckRunning = false;
+
+#if defined(Q_OS_WINDOWS)
+    int runWindowsInstaller(const QString &installerPath);
+#elif defined(Q_OS_MACOS)
+    int runMacInstaller(const QString &installerPath);
+#elif defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)
+    int runLinuxInstaller(const QString &installerPath);
+#endif
+};
+
+#endif // UPDATECONTROLLER_H
--- a/Show More
+++ b/Show More