diff --git a/.gitignore b/.gitignore
index 598965e1..2ead399d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,6 +24,30 @@ ui_*.h
 Makefile*
 *build-*
 
+# Qt-es
+client/Debug-iphoneos/
+client/.xcode/
+client/.qmake.cache
+client/.qmake.stash
+client/*.pro.user
+client/*.pro.user.*
+client/*.qbs.user
+client/*.qbs.user.*
+client/*.moc
+client/moc_*.cpp
+client/qrc_*.cpp
+client/ui_*.h
+client/ui_*.cpp
+client/Makefile*
+client/*build-*
+client/AmneziaVPN.xcodeproj
+client/Debug-iphonesimulator/
+client/amneziavpn_plugin_import.cpp
+client/amneziavpn_qml_plugin_import.cpp
+client/qmlcache_loader.cpp
+client/rep_ipc_interface_replica.h
+client/resources_qmlcache.qrc
+
 # QtCreator
 
 *.autosave
@@ -37,6 +61,7 @@ CMakeLists.txt.user*
 
 # MACOS files
 .DS_Store
+client/.DS_Store
 ._.DS_Store
 ._*
 *.dmg
diff --git a/.gitmodules b/.gitmodules
index 0f203480..30d8d61d 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -4,3 +4,6 @@
 [submodule "client/3rd/wireguard-tools"]
 	path = client/3rd/wireguard-tools
 	url = https://github.com/WireGuard/wireguard-tools/
+[submodule "client/3rd/wireguard-apple"]
+	path = client/3rd/wireguard-apple
+	url = https://github.com/WireGuard/wireguard-apple
diff --git a/client/3rd/OpenSSL/include/openssl/applink.c b/client/3rd/OpenSSL/include/openssl/applink.c
index 238dbff3..903e6d47 100644
--- a/client/3rd/OpenSSL/include/openssl/applink.c
+++ b/client/3rd/OpenSSL/include/openssl/applink.c
@@ -1,4 +1,4 @@
-/*
+  /*
  * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
diff --git a/client/3rd/QtSsh/src/botan/botan.pri b/client/3rd/QtSsh/src/botan/botan.pri
index 3ef7a602..6568e154 100644
--- a/client/3rd/QtSsh/src/botan/botan.pri
+++ b/client/3rd/QtSsh/src/botan/botan.pri
@@ -57,10 +57,16 @@ ios: {
             ARCH_TAG = "ios_armv7"
         }
     }
+  
+  CONFIG(iphonesimulator, iphoneos|iphonesimulator) {
+      INCLUDEPATH += $$PWD/ios/iphone
+      HEADERS += $$PWD/ios/iphone/botan_all.h
+      SOURCES += $$PWD/ios/iphone/botan_all.cpp
+  }
 
-    CONFIG(iphonesimulator, iphoneos|iphonesimulator) {
-        INCLUDEPATH += $$PWD/ios/simulator
-        HEADERS += $$PWD/ios/simulator/botan_all.h
-        SOURCES += $$PWD/ios/simulator/botan_all.cpp
-    }
+#    CONFIG(iphonesimulator, iphoneos|iphonesimulator) {
+#        INCLUDEPATH += $$PWD/ios/simulator
+#        HEADERS += $$PWD/ios/simulator/botan_all.h
+#        SOURCES += $$PWD/ios/simulator/botan_all.cpp
+#    }
 }
diff --git a/client/3rd/wireguard-apple b/client/3rd/wireguard-apple
new file mode 160000
index 00000000..23618f99
--- /dev/null
+++ b/client/3rd/wireguard-apple
@@ -0,0 +1 @@
+Subproject commit 23618f994f17d8ad8f2f65d79b4a1e8a0830b334
diff --git a/client/AmneziaVPN-Swift.h b/client/AmneziaVPN-Swift.h
new file mode 100644
index 00000000..c04ce421
--- /dev/null
+++ b/client/AmneziaVPN-Swift.h
@@ -0,0 +1,247 @@
+#ifndef AmneziaVPN_Swift_h
+#define AmneziaVPN_Swift_h
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wgcc-compat"
+
+#if !defined(__has_include)
+# define __has_include(x) 0
+#endif
+#if !defined(__has_attribute)
+# define __has_attribute(x) 0
+#endif
+#if !defined(__has_feature)
+# define __has_feature(x) 0
+#endif
+#if !defined(__has_warning)
+# define __has_warning(x) 0
+#endif
+
+#if __has_include(<swift/objc-prologue.h>)
+# include <swift/objc-prologue.h>
+#endif
+
+#pragma clang diagnostic ignored "-Wauto-import"
+#include <Foundation/Foundation.h>
+#include <stdint.h>
+#include <stddef.h>
+#include <stdbool.h>
+
+#if !defined(SWIFT_TYPEDEFS)
+# define SWIFT_TYPEDEFS 1
+# if __has_include(<uchar.h>)
+#  include <uchar.h>
+# elif !defined(__cplusplus)
+typedef uint_least16_t char16_t;
+typedef uint_least32_t char32_t;
+# endif
+typedef float swift_float2  __attribute__((__ext_vector_type__(2)));
+typedef float swift_float3  __attribute__((__ext_vector_type__(3)));
+typedef float swift_float4  __attribute__((__ext_vector_type__(4)));
+typedef double swift_double2  __attribute__((__ext_vector_type__(2)));
+typedef double swift_double3  __attribute__((__ext_vector_type__(3)));
+typedef double swift_double4  __attribute__((__ext_vector_type__(4)));
+typedef int swift_int2  __attribute__((__ext_vector_type__(2)));
+typedef int swift_int3  __attribute__((__ext_vector_type__(3)));
+typedef int swift_int4  __attribute__((__ext_vector_type__(4)));
+typedef unsigned int swift_uint2  __attribute__((__ext_vector_type__(2)));
+typedef unsigned int swift_uint3  __attribute__((__ext_vector_type__(3)));
+typedef unsigned int swift_uint4  __attribute__((__ext_vector_type__(4)));
+#endif
+
+#if !defined(SWIFT_PASTE)
+# define SWIFT_PASTE_HELPER(x, y) x##y
+# define SWIFT_PASTE(x, y) SWIFT_PASTE_HELPER(x, y)
+#endif
+#if !defined(SWIFT_METATYPE)
+# define SWIFT_METATYPE(X) Class
+#endif
+#if !defined(SWIFT_CLASS_PROPERTY)
+# if __has_feature(objc_class_property)
+#  define SWIFT_CLASS_PROPERTY(...) __VA_ARGS__
+# else
+#  define SWIFT_CLASS_PROPERTY(...)
+# endif
+#endif
+
+#if __has_attribute(objc_runtime_name)
+# define SWIFT_RUNTIME_NAME(X) __attribute__((objc_runtime_name(X)))
+#else
+# define SWIFT_RUNTIME_NAME(X)
+#endif
+#if __has_attribute(swift_name)
+# define SWIFT_COMPILE_NAME(X) __attribute__((swift_name(X)))
+#else
+# define SWIFT_COMPILE_NAME(X)
+#endif
+#if __has_attribute(objc_method_family)
+# define SWIFT_METHOD_FAMILY(X) __attribute__((objc_method_family(X)))
+#else
+# define SWIFT_METHOD_FAMILY(X)
+#endif
+#if __has_attribute(noescape)
+# define SWIFT_NOESCAPE __attribute__((noescape))
+#else
+# define SWIFT_NOESCAPE
+#endif
+#if __has_attribute(ns_consumed)
+# define SWIFT_RELEASES_ARGUMENT __attribute__((ns_consumed))
+#else
+# define SWIFT_RELEASES_ARGUMENT
+#endif
+#if __has_attribute(warn_unused_result)
+# define SWIFT_WARN_UNUSED_RESULT __attribute__((warn_unused_result))
+#else
+# define SWIFT_WARN_UNUSED_RESULT
+#endif
+#if __has_attribute(noreturn)
+# define SWIFT_NORETURN __attribute__((noreturn))
+#else
+# define SWIFT_NORETURN
+#endif
+#if !defined(SWIFT_CLASS_EXTRA)
+# define SWIFT_CLASS_EXTRA
+#endif
+#if !defined(SWIFT_PROTOCOL_EXTRA)
+# define SWIFT_PROTOCOL_EXTRA
+#endif
+#if !defined(SWIFT_ENUM_EXTRA)
+# define SWIFT_ENUM_EXTRA
+#endif
+#if !defined(SWIFT_CLASS)
+# if __has_attribute(objc_subclassing_restricted)
+#  define SWIFT_CLASS(SWIFT_NAME) SWIFT_RUNTIME_NAME(SWIFT_NAME) __attribute__((objc_subclassing_restricted)) SWIFT_CLASS_EXTRA
+#  define SWIFT_CLASS_NAMED(SWIFT_NAME) __attribute__((objc_subclassing_restricted)) SWIFT_COMPILE_NAME(SWIFT_NAME) SWIFT_CLASS_EXTRA
+# else
+#  define SWIFT_CLASS(SWIFT_NAME) SWIFT_RUNTIME_NAME(SWIFT_NAME) SWIFT_CLASS_EXTRA
+#  define SWIFT_CLASS_NAMED(SWIFT_NAME) SWIFT_COMPILE_NAME(SWIFT_NAME) SWIFT_CLASS_EXTRA
+# endif
+#endif
+#if !defined(SWIFT_RESILIENT_CLASS)
+# if __has_attribute(objc_class_stub)
+#  define SWIFT_RESILIENT_CLASS(SWIFT_NAME) SWIFT_CLASS(SWIFT_NAME) __attribute__((objc_class_stub))
+#  define SWIFT_RESILIENT_CLASS_NAMED(SWIFT_NAME) __attribute__((objc_class_stub)) SWIFT_CLASS_NAMED(SWIFT_NAME)
+# else
+#  define SWIFT_RESILIENT_CLASS(SWIFT_NAME) SWIFT_CLASS(SWIFT_NAME)
+#  define SWIFT_RESILIENT_CLASS_NAMED(SWIFT_NAME) SWIFT_CLASS_NAMED(SWIFT_NAME)
+# endif
+#endif
+
+#if !defined(SWIFT_PROTOCOL)
+# define SWIFT_PROTOCOL(SWIFT_NAME) SWIFT_RUNTIME_NAME(SWIFT_NAME) SWIFT_PROTOCOL_EXTRA
+# define SWIFT_PROTOCOL_NAMED(SWIFT_NAME) SWIFT_COMPILE_NAME(SWIFT_NAME) SWIFT_PROTOCOL_EXTRA
+#endif
+
+#if !defined(SWIFT_EXTENSION)
+# define SWIFT_EXTENSION(M) SWIFT_PASTE(M##_Swift_, __LINE__)
+#endif
+
+#if !defined(OBJC_DESIGNATED_INITIALIZER)
+# if __has_attribute(objc_designated_initializer)
+#  define OBJC_DESIGNATED_INITIALIZER __attribute__((objc_designated_initializer))
+# else
+#  define OBJC_DESIGNATED_INITIALIZER
+# endif
+#endif
+#if !defined(SWIFT_ENUM_ATTR)
+# if defined(__has_attribute) && __has_attribute(enum_extensibility)
+#  define SWIFT_ENUM_ATTR(_extensibility) __attribute__((enum_extensibility(_extensibility)))
+# else
+#  define SWIFT_ENUM_ATTR(_extensibility)
+# endif
+#endif
+#if !defined(SWIFT_ENUM)
+# define SWIFT_ENUM(_type, _name, _extensibility) enum _name : _type _name; enum SWIFT_ENUM_ATTR(_extensibility) SWIFT_ENUM_EXTRA _name : _type
+# if __has_feature(generalized_swift_name)
+#  define SWIFT_ENUM_NAMED(_type, _name, SWIFT_NAME, _extensibility) enum _name : _type _name SWIFT_COMPILE_NAME(SWIFT_NAME); enum SWIFT_COMPILE_NAME(SWIFT_NAME) SWIFT_ENUM_ATTR(_extensibility) SWIFT_ENUM_EXTRA _name : _type
+# else
+#  define SWIFT_ENUM_NAMED(_type, _name, SWIFT_NAME, _extensibility) SWIFT_ENUM(_type, _name, _extensibility)
+# endif
+#endif
+#if !defined(SWIFT_UNAVAILABLE)
+# define SWIFT_UNAVAILABLE __attribute__((unavailable))
+#endif
+#if !defined(SWIFT_UNAVAILABLE_MSG)
+# define SWIFT_UNAVAILABLE_MSG(msg) __attribute__((unavailable(msg)))
+#endif
+#if !defined(SWIFT_AVAILABILITY)
+# define SWIFT_AVAILABILITY(plat, ...) __attribute__((availability(plat, __VA_ARGS__)))
+#endif
+#if !defined(SWIFT_WEAK_IMPORT)
+# define SWIFT_WEAK_IMPORT __attribute__((weak_import))
+#endif
+#if !defined(SWIFT_DEPRECATED)
+# define SWIFT_DEPRECATED __attribute__((deprecated))
+#endif
+#if !defined(SWIFT_DEPRECATED_MSG)
+# define SWIFT_DEPRECATED_MSG(...) __attribute__((deprecated(__VA_ARGS__)))
+#endif
+#if __has_feature(attribute_diagnose_if_objc)
+# define SWIFT_DEPRECATED_OBJC(Msg) __attribute__((diagnose_if(1, Msg, "warning")))
+#else
+# define SWIFT_DEPRECATED_OBJC(Msg) SWIFT_DEPRECATED_MSG(Msg)
+#endif
+#if !defined(IBSegueAction)
+# define IBSegueAction
+#endif
+#if __has_feature(modules)
+#if __has_warning("-Watimport-in-framework-header")
+#pragma clang diagnostic ignored "-Watimport-in-framework-header"
+#endif
+@import Foundation;
+@import ObjectiveC;
+#endif
+
+#pragma clang diagnostic ignored "-Wproperty-attribute-mismatch"
+#pragma clang diagnostic ignored "-Wduplicate-method-arg"
+#if __has_warning("-Wpragma-clang-attribute")
+# pragma clang diagnostic ignored "-Wpragma-clang-attribute"
+#endif
+#pragma clang diagnostic ignored "-Wunknown-pragmas"
+#pragma clang diagnostic ignored "-Wnullability"
+
+#if __has_attribute(external_source_symbol)
+# pragma push_macro("any")
+# undef any
+# pragma clang attribute push(__attribute__((external_source_symbol(language="Swift", defined_in="AmneziaVPN",generated_declaration))), apply_to=any(function,enum,objc_interface,objc_category,objc_protocol))
+# pragma pop_macro("any")
+#endif
+
+
+@class NSString;
+@class NSData;
+enum ConnectionState : NSInteger;
+@class NSDate;
+@class NSNumber;
+@class VPNIPAddressRange;
+
+SWIFT_CLASS("_TtC10AmneziaVPN18IOSVpnProtocolImpl")
+@interface IOSVpnProtocolImpl : NSObject
+- (nonnull instancetype)initWithBundleID:(NSString * _Nonnull)bundleID privateKey:(NSData * _Nonnull)privateKey deviceIpv4Address:(NSString * _Nonnull)deviceIpv4Address deviceIpv6Address:(NSString * _Nonnull)deviceIpv6Address closure:(void (^ _Nonnull)(enum ConnectionState, NSDate * _Nullable))closure callback:(void (^ _Nonnull)(BOOL))callback OBJC_DESIGNATED_INITIALIZER;
+- (void)connectWithDnsServer:(NSString * _Nonnull)dnsServer serverIpv6Gateway:(NSString * _Nonnull)serverIpv6Gateway serverPublicKey:(NSString * _Nonnull)serverPublicKey presharedKey:(NSString * _Nonnull)presharedKey serverIpv4AddrIn:(NSString * _Nonnull)serverIpv4AddrIn serverPort:(NSInteger)serverPort allowedIPAddressRanges:(NSArray<VPNIPAddressRange *> * _Nonnull)allowedIPAddressRanges ipv6Enabled:(Boolean)enabled reason:(NSInteger)reason failureCallback:(void (^ _Nonnull)(void))failureCallback;
+- (void)disconnect;
+- (void)checkStatusWithCallback:(void (^ _Nonnull)(NSString * _Nonnull, NSString * _Nonnull, NSString * _Nonnull))callback;
+- (nonnull instancetype)init SWIFT_UNAVAILABLE;
++ (nonnull instancetype)new SWIFT_UNAVAILABLE_MSG("-init is unavailable");
+@end
+
+typedef SWIFT_ENUM(NSInteger, ConnectionState, closed) {
+  ConnectionStateError = 0,
+  ConnectionStateConnected = 1,
+  ConnectionStateDisconnected = 2,
+};
+
+
+
+SWIFT_CLASS("_TtC10AmneziaVPN17VPNIPAddressRange")
+@interface VPNIPAddressRange : NSObject
+- (nonnull instancetype)initWithAddress:(NSString * _Nonnull)address networkPrefixLength:(uint8_t)networkPrefixLength isIpv6:(BOOL)isIpv6 OBJC_DESIGNATED_INITIALIZER;
+- (nonnull instancetype)init SWIFT_UNAVAILABLE;
++ (nonnull instancetype)new SWIFT_UNAVAILABLE_MSG("-init is unavailable");
+@end
+
+#if __has_attribute(external_source_symbol)
+# pragma clang attribute pop
+#endif
+#pragma clang diagnostic pop
+#endif /* AmneziaVPN_Swift_h */
+
diff --git a/client/Info.plist b/client/Info.plist
new file mode 100644
index 00000000..03ba3e82
--- /dev/null
+++ b/client/Info.plist
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDisplayName</key>
+	<string>${PRODUCT_NAME}</string>
+	<key>CFBundleExecutable</key>
+	<string>${EXECUTABLE_NAME}</string>
+	<key>CFBundleIconFile</key>
+	<string>${ASSETCATALOG_COMPILER_APPICON_NAME}</string>
+	<key>CFBundleIdentifier</key>
+	<string>${PRODUCT_BUNDLE_IDENTIFIER}</string>
+	<key>CFBundleName</key>
+	<string>${PRODUCT_NAME}</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>${QMAKE_SHORT_VERSION}</string>
+	<key>CFBundleSignature</key>
+	<string>${QMAKE_PKGINFO_TYPEINFO}</string>
+	<key>CFBundleVersion</key>
+	<string>${QMAKE_FULL_VERSION}</string>
+	<key>LSRequiresIPhoneOS</key>
+	<true/>
+	<key>MinimumOSVersion</key>
+	<string>${IPHONEOS_DEPLOYMENT_TARGET}</string>
+	<key>NOTE</key>
+	<string>This file was generated by Qt/QMake.</string>
+	<key>UILaunchStoryboardName</key>
+	<string>LaunchScreen</string>
+	<key>UISupportedInterfaceOrientations</key>
+	<array>
+		<string>UIInterfaceOrientationPortrait</string>
+		<string>UIInterfaceOrientationPortraitUpsideDown</string>
+		<string>UIInterfaceOrientationLandscapeLeft</string>
+		<string>UIInterfaceOrientationLandscapeRight</string>
+	</array>
+</dict>
+</plist>
diff --git a/client/WireGuard-Bridging-Header.h b/client/WireGuard-Bridging-Header.h
new file mode 100644
index 00000000..40b6c89d
--- /dev/null
+++ b/client/WireGuard-Bridging-Header.h
@@ -0,0 +1,29 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "wireguard-go-version.h"
+#include "3rd/wireguard-apple/Sources/WireGuardKitC/WireGuardKitC.h"
+
+#include <stdbool.h>
+#include <stdint.h>
+
+#define WG_KEY_LEN (32)
+#define WG_KEY_LEN_BASE64 (45)
+#define WG_KEY_LEN_HEX (65)
+
+void key_to_base64(char base64[WG_KEY_LEN_BASE64],
+                   const uint8_t key[WG_KEY_LEN]);
+bool key_from_base64(uint8_t key[WG_KEY_LEN], const char* base64);
+
+void key_to_hex(char hex[WG_KEY_LEN_HEX], const uint8_t key[WG_KEY_LEN]);
+bool key_from_hex(uint8_t key[WG_KEY_LEN], const char* hex);
+
+bool key_eq(const uint8_t key1[WG_KEY_LEN], const uint8_t key2[WG_KEY_LEN]);
+
+void write_msg_to_log(const char* tag, const char* msg);
+
+#import "TargetConditionals.h"
+#if TARGET_OS_OSX
+#  include <libproc.h>
+#endif
diff --git a/client/client.pro b/client/client.pro
index 6c20d58c..489edd4f 100644
--- a/client/client.pro
+++ b/client/client.pro
@@ -70,6 +70,10 @@ HEADERS  += \
     utils.h \
     vpnconnection.h \
     protocols/vpnprotocol.h \
+    logger.h \
+    loghandler.h \
+    loglevel.h \
+    constants.h
 
 SOURCES  += \
    configurators/cloak_configurator.cpp \
@@ -120,6 +124,9 @@ SOURCES  += \
     utils.cpp \
     vpnconnection.cpp \
     protocols/vpnprotocol.cpp \
+    logger.cpp \
+    loghandler.cpp
+
 
 RESOURCES += \
     resources.qrc
@@ -128,6 +135,8 @@ TRANSLATIONS = \
     translations/amneziavpn_ru.ts
 
 win32 {
+    DEFINES += MVPN_WINDOWS
+
     OTHER_FILES += platform_win/vpnclient.rc
     RC_FILE = platform_win/vpnclient.rc
 
@@ -163,6 +172,8 @@ win32 {
 }
 
 macx {
+    DEFINES += MVPN_MACOS
+
     ICON   = $$PWD/images/app.icns
 
     HEADERS  += ui/macos_util.h
@@ -175,6 +186,8 @@ macx {
 }
 
 linux:!android {
+    DEFINES += MVPN_LINUX
+
     LIBS += /usr/lib/x86_64-linux-gnu/libcrypto.a
     LIBS += /usr/lib/x86_64-linux-gnu/libssl.a
 }
@@ -200,6 +213,7 @@ win32|macx|linux:!android {
 
 android {
    QT += androidextras
+   DEFINES += MVPN_ANDROID
 
    INCLUDEPATH += platforms/android
 
@@ -251,46 +265,90 @@ android {
 ios {
     message("Client ios build")
     CONFIG += static
+    CONFIG += file_copies
+
+    # For the authentication
+    LIBS += -framework AuthenticationServices
+
+    # For notifications
+    LIBS += -framework UIKit
+    LIBS += -framework Foundation
+    LIBS += -framework StoreKit
+    LIBS += -framework UserNotifications
+
+    DEFINES += MVPN_IOS
+
+    HEADERS += \
+      protocols/ios_vpnprotocol.h \
+      platforms/ios/iosnotificationhandler.h \
+      platforms/ios/json.h \
+      platforms/ios/bigint.h \
+      platforms/ios/bigintipv6addr.h \
+      platforms/ios/ipaddress.h \
+      platforms/ios/ipaddressrange.h
+  
+    SOURCES  += \
+      protocols/ios_vpnprotocol.mm \
+      platforms/ios/iosnotificationhandler.mm \
+      platforms/ios/json.cpp \
+      platforms/ios/iosglue.mm \
+      platforms/ios/ipaddress.cpp \
+      platforms/ios/ipaddressrange.cpp
 
     Q_ENABLE_BITCODE.value = NO
     Q_ENABLE_BITCODE.name = ENABLE_BITCODE
     QMAKE_MAC_XCODE_SETTINGS += Q_ENABLE_BITCODE
 
-    CONFIG(iphoneos, iphoneos|iphonesimulator) {
-        message("Building for iPhone OS")
-        QMAKE_TARGET_BUNDLE_PREFIX = org.amnezia
-        QMAKE_BUNDLE = AmneziaVPN
-        QMAKE_IOS_DEPLOYMENT_TARGET = 12.0
-        QMAKE_APPLE_TARGETED_DEVICE_FAMILY = 1
-        QMAKE_DEVELOPMENT_TEAM = X7UJ388FXK
-        QMAKE_PROVISIONING_PROFILE = f2fefb59-14aa-4aa9-ac14-1d5531b06dcc
-        QMAKE_XCODE_CODE_SIGN_IDENTITY = "Apple Distribution"
-
-        XCODEBUILD_FLAGS += -allowProvisioningUpdates
-
-        DEFINES += iphoneos
-
-        contains(QT_ARCH, arm64) {
-            message("Building for iOS/ARM v8 64-bit architecture")
-            ARCH_TAG = "ios_armv8_64"
-
-            LIBS += $$PWD/3rd/OpenSSL/lib/ios/iphone/libcrypto.a
-            LIBS += $$PWD/3rd/OpenSSL/lib/ios/iphone/libssl.a
-        } else {
-            message("Building for iOS/ARM v7 (32-bit) architecture")
-            ARCH_TAG = "ios_armv7"
-        }
+#    CONFIG(iphoneos, iphoneos|iphonesimulator) {
+  iphoneos {
+    message("Building for iPhone OS")
+    QMAKE_TARGET_BUNDLE_PREFIX = org.amnezia
+    QMAKE_BUNDLE = AmneziaVPN
+    QMAKE_IOS_DEPLOYMENT_TARGET = 12.0
+    QMAKE_APPLE_TARGETED_DEVICE_FAMILY = 1
+    QMAKE_DEVELOPMENT_TEAM = X7UJ388FXK
+    QMAKE_PROVISIONING_PROFILE = f2fefb59-14aa-4aa9-ac14-1d5531b06dcc
+    QMAKE_XCODE_CODE_SIGN_IDENTITY = "Apple Distribution"
+    QMAKE_INFO_PLIST= $$PWD/ios/app/Info.plist
+    
+    XCODEBUILD_FLAGS += -allowProvisioningUpdates
+    
+    DEFINES += iphoneos
+    
+    contains(QT_ARCH, arm64) {
+      message("Building for iOS/ARM v8 64-bit architecture")
+      ARCH_TAG = "ios_armv8_64"
+      
+      LIBS += $$PWD/3rd/OpenSSL/lib/ios/iphone/libcrypto.a
+      LIBS += $$PWD/3rd/OpenSSL/lib/ios/iphone/libssl.a
+    } else {
+      message("Building for iOS/ARM v7 (32-bit) architecture")
+      ARCH_TAG = "ios_armv7"
     }
+  }
+#    }
+  
 
-    CONFIG(iphonesimulator, iphoneos|iphonesimulator) {
-        message("Building for iPhone Simulator")
-        ARCH_TAG = "ios_x86_64"
+#    CONFIG(iphonesimulator, iphoneos|iphonesimulator) {
+#  iphonesimulator {
+#    message("Building for iPhone Simulator")
+#    ARCH_TAG = "ios_x86_64"
+#    
+#    DEFINES += iphonesimulator
+#    
+#    LIBS += $$PWD/3rd/OpenSSL/lib/ios/simulator/libcrypto.a
+#    LIBS += $$PWD/3rd/OpenSSL/lib/ios/simulator/libssl.a
+#  }
+#    }
 
-        DEFINES += iphonesimulator
+    NETWORKEXTENSION=1
+#    ! build_pass: system(ruby $$PWD/scripts/xcode_patcher.rb "$$PWD" "$$OUT_PWD/AmneziaVPN.xcodeproj" "2.0" "2.0.0" "ios" "$$NETWORKEXTENSION"|| echo "Failed to merge xcode with wireguard")
 
-        LIBS += $$PWD/3rd/OpenSSL/lib/ios/simulator/libcrypto.a
-        LIBS += $$PWD/3rd/OpenSSL/lib/ios/simulator/libssl.a
-    }
+
+
+#ruby %{sourceDir}/client/ios/xcode_patcher.rb "%{buildDir}/AmneziaVPN.xcodeproj" "2.0" "2.0.0" "ios" "1"
+    #cd client/ && /Users/md/Qt/5.15.2/ios/bin/qmake -o Makefile /Users/md/amnezia/desktop-client/client/client.pro -spec macx-ios-clang CONFIG+=iphonesimulator CONFIG+=simulator CONFIG+=qml_debug -after
+# %{sourceDir}/client/ios/xcode_patcher.rb %{buildDir}/client/AmneziaVPN.xcodeproj 2.0 2.0.0 ios 1
 }
 
 
diff --git a/client/configurators/vpn_configurator.cpp b/client/configurators/vpn_configurator.cpp
index 0b4d9170..d9887f0a 100644
--- a/client/configurators/vpn_configurator.cpp
+++ b/client/configurators/vpn_configurator.cpp
@@ -18,22 +18,22 @@ Settings &VpnConfigurator::m_settings()
 }
 
 QString VpnConfigurator::genVpnProtocolConfig(const ServerCredentials &credentials,
-    DockerContainer container, const QJsonObject &containerConfig, Protocol proto, ErrorCode *errorCode)
+    DockerContainer container, const QJsonObject &containerConfig, Proto proto, ErrorCode *errorCode)
 {
     switch (proto) {
-    case Protocol::OpenVpn:
+    case Proto::OpenVpn:
         return OpenVpnConfigurator::genOpenVpnConfig(credentials, container, containerConfig, errorCode);
 
-    case Protocol::ShadowSocks:
+    case Proto::ShadowSocks:
         return ShadowSocksConfigurator::genShadowSocksConfig(credentials, container, containerConfig, errorCode);
 
-    case Protocol::Cloak:
+    case Proto::Cloak:
         return CloakConfigurator::genCloakConfig(credentials, container, containerConfig, errorCode);
 
-    case Protocol::WireGuard:
+    case Proto::WireGuard:
         return WireguardConfigurator::genWireguardConfig(credentials, container, containerConfig, errorCode);
 
-    case Protocol::Ikev2:
+    case Proto::Ikev2:
         return Ikev2Configurator::genIkev2Config(credentials, container, containerConfig, errorCode);
 
     default:
@@ -41,23 +41,23 @@ QString VpnConfigurator::genVpnProtocolConfig(const ServerCredentials &credentia
     }
 }
 
-QString VpnConfigurator::processConfigWithLocalSettings(DockerContainer container, Protocol proto, QString config)
+QString VpnConfigurator::processConfigWithLocalSettings(DockerContainer container, Proto proto, QString config)
 {
     config.replace("$PRIMARY_DNS", m_settings().primaryDns());
     config.replace("$SECONDARY_DNS", m_settings().secondaryDns());
 
-    if (proto == Protocol::OpenVpn) {
+    if (proto == Proto::OpenVpn) {
         return OpenVpnConfigurator::processConfigWithLocalSettings(config);
     }
     return config;
 }
 
-QString VpnConfigurator::processConfigWithExportSettings(DockerContainer container, Protocol proto, QString config)
+QString VpnConfigurator::processConfigWithExportSettings(DockerContainer container, Proto proto, QString config)
 {
     config.replace("$PRIMARY_DNS", m_settings().primaryDns());
     config.replace("$SECONDARY_DNS", m_settings().secondaryDns());
 
-    if (proto == Protocol::OpenVpn) {
+    if (proto == Proto::OpenVpn) {
         return OpenVpnConfigurator::processConfigWithExportSettings(config);
     }
     return config;
@@ -66,7 +66,7 @@ QString VpnConfigurator::processConfigWithExportSettings(DockerContainer contain
 void VpnConfigurator::updateContainerConfigAfterInstallation(DockerContainer container, QJsonObject &containerConfig,
     const QString &stdOut)
 {
-    Protocol mainProto = ContainerProps::defaultProtocol(container);
+    Proto mainProto = ContainerProps::defaultProtocol(container);
 
     if (container == DockerContainer::TorWebSite) {
         QJsonObject protocol = containerConfig.value(ProtocolProps::protoToString(mainProto)).toObject();
diff --git a/client/configurators/vpn_configurator.h b/client/configurators/vpn_configurator.h
index 930a6715..b7ced4d6 100644
--- a/client/configurators/vpn_configurator.h
+++ b/client/configurators/vpn_configurator.h
@@ -13,10 +13,10 @@ class VpnConfigurator
 public:
 
     static QString genVpnProtocolConfig(const ServerCredentials &credentials, DockerContainer container,
-        const QJsonObject &containerConfig, Protocol proto, ErrorCode *errorCode = nullptr);
+        const QJsonObject &containerConfig, Proto proto, ErrorCode *errorCode = nullptr);
 
-    static QString processConfigWithLocalSettings(DockerContainer container, Protocol proto, QString config);
-    static QString processConfigWithExportSettings(DockerContainer container, Protocol proto, QString config);
+    static QString processConfigWithLocalSettings(DockerContainer container, Proto proto, QString config);
+    static QString processConfigWithExportSettings(DockerContainer container, Proto proto, QString config);
 
     // workaround for containers which is not support normal configaration
     static void updateContainerConfigAfterInstallation(DockerContainer container,
diff --git a/client/constants.h b/client/constants.h
new file mode 100644
index 00000000..9059eccc
--- /dev/null
+++ b/client/constants.h
@@ -0,0 +1,127 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef CONSTANTS_H
+#define CONSTANTS_H
+
+#include <stdint.h>
+
+namespace Constants {
+
+// Returns true if we are in a production environment.
+bool inProduction();
+void setStaging();
+
+// Number of msecs for the captive-portal block alert.
+constexpr uint32_t CAPTIVE_PORTAL_ALERT_MSEC = 4000;
+
+// Number of msecs for the unsecured network alert.
+constexpr uint32_t UNSECURED_NETWORK_ALERT_MSEC = 4000;
+
+// Number of recent connections to retain.
+constexpr int RECENT_CONNECTIONS_MAX_COUNT = 5;
+
+#if defined(UNIT_TEST)
+#  define CONSTEXPR(type, functionName, releaseValue, debugValue, \
+                    testingValue)                                 \
+    inline type functionName() { return testingValue; }
+#else
+#  define CONSTEXPR(type, functionName, releaseValue, debugValue, \
+                    testingValue)                                 \
+    inline type functionName() {                                  \
+      return inProduction() ? releaseValue : debugValue;          \
+    }
+#endif
+
+// Let's refresh the IP address any 10 minutes (in milliseconds).
+CONSTEXPR(uint32_t, ipAddressTimerMsec, 600000, 10000, 0)
+
+// Let's check the connection status any second.
+CONSTEXPR(uint32_t, checkStatusTimerMsec, 1000, 1000, 0)
+
+// Number of points for the charts.
+CONSTEXPR(int, chartsMaxPoints, 30, 30, 30);
+
+// Any 6 hours, a new check
+CONSTEXPR(uint32_t, releaseMonitorMsec, 21600000, 4000, 0)
+
+// in milliseconds, how often we should fetch the server list and the account.
+CONSTEXPR(uint32_t, scheduleAccountAndServersTimerMsec, 3600000, 4000, 0)
+
+// how often we check the captive portal when the VPN is on.
+CONSTEXPR(uint32_t, captivePortalRequestTimeoutMsec, 10000, 4000, 0)
+
+// How fast the animated icon should move
+CONSTEXPR(uint32_t, statusIconAnimationMsec, 200, 200, 0)
+
+// How often glean pings are sent
+CONSTEXPR(uint32_t, gleanTimeoutMsec, 1200000, 1000, 0)
+
+// How often we check the surveys to be executed (no network requests are done
+// for this check)
+CONSTEXPR(uint32_t, surveyTimerMsec, 300000, 4000, 0)
+
+#undef CONSTEXPR
+
+#define PRODBETAEXPR(type, functionName, prod, beta) \
+  inline type functionName() { return inProduction() ? prod : beta; }
+
+constexpr const char* API_PRODUCTION_URL = "https://vpn.mozilla.org";
+constexpr const char* API_STAGING_URL =
+    "https://stage-vpn.guardian.nonprod.cloudops.mozgcp.net";
+
+constexpr const char* LOGO_URL = ":/ui/resources/logo-dock.png";
+
+PRODBETAEXPR(const char*, fxaUrl, "https://api.accounts.firefox.com",
+             "https://api-accounts.stage.mozaws.net")
+PRODBETAEXPR(
+    const char*, balrogUrl,
+    "https://aus5.mozilla.org/json/1/FirefoxVPN/%1/%2/release/update.json",
+    "https://stage.balrog.nonprod.cloudops.mozgcp.net/json/1/FirefoxVPN/%1/%2/"
+    "release-cdntest/update.json");
+PRODBETAEXPR(
+    const char*, balrogRootCertFingerprint,
+    "97e8ba9cf12fb3de53cc42a4e6577ed64df493c247b414fea036818d3823560e",
+    "3c01446abe9036cea9a09acaa3a520ac628f20a7ae32ce861cb2efb70fa0c745");
+
+#undef PRODBETAEXPR
+
+constexpr const char* PLATFORM_NAME =
+#if defined(MVPN_IOS)
+    "ios"
+#elif defined(MVPN_MACOS)
+    "macos"
+#elif defined(MVPN_LINUX)
+    "linux"
+#elif defined(MVPN_ANDROID)
+    "android"
+#elif defined(MVPN_WINDOWS)
+    "windows"
+#elif defined(UNIT_TEST) || defined(MVPN_DUMMY)
+    "dummy"
+#else
+#  error "Unsupported platform"
+#endif
+    ;
+
+constexpr const char* PLACEHOLDER_USER_DNS = "127.0.0.1";
+
+#if defined(MVPN_ADJUST)
+// These are the two auto-generated token from the Adjust dashboard for the
+// "Subscription Completed" event. We have two since in the Adjust dashboard we
+// have defined two apps for iOS and Android with a event token each.
+constexpr const char* ADJUST_SUBSCRIPTION_COMPLETED =
+#  if defined(MVPN_IOS)
+    "jl72xm"
+#  elif defined(MVPN_ANDROID)
+    "o1mn9m"
+#  else
+    ""
+#  endif
+    ;
+#endif
+
+};  // namespace Constants
+
+#endif  // CONSTANTS_H
diff --git a/client/containers/containers_defs.cpp b/client/containers/containers_defs.cpp
index f6f3415c..63a00e0b 100644
--- a/client/containers/containers_defs.cpp
+++ b/client/containers/containers_defs.cpp
@@ -27,29 +27,29 @@ QString ContainerProps::containerToString(amnezia::DockerContainer c){
     return "amnezia-" + containerKey.toLower();
 }
 
-QVector<amnezia::Protocol> ContainerProps::protocolsForContainer(amnezia::DockerContainer container)
+QVector<amnezia::Proto> ContainerProps::protocolsForContainer(amnezia::DockerContainer container)
 {
     switch (container) {
     case DockerContainer::None:
         return { };
 
     case DockerContainer::OpenVpn:
-        return { Protocol::OpenVpn };
+        return { Proto::OpenVpn };
 
     case DockerContainer::ShadowSocks:
-        return { Protocol::OpenVpn, Protocol::ShadowSocks };
+        return { Proto::OpenVpn, Proto::ShadowSocks };
 
     case DockerContainer::Cloak:
-        return { Protocol::OpenVpn, Protocol::ShadowSocks, Protocol::Cloak };
+        return { Proto::OpenVpn, Proto::ShadowSocks, Proto::Cloak };
 
     case DockerContainer::Ipsec:
-        return { Protocol::Ikev2 /*, Protocol::L2tp */};
+        return { Proto::Ikev2 /*, Protocol::L2tp */};
 
     case DockerContainer::Dns:
         return { };
 
     case DockerContainer::Sftp:
-        return { Protocol::Sftp};
+        return { Proto::Sftp};
 
     default:
         return { defaultProtocol(container) };
@@ -118,21 +118,21 @@ amnezia::ServiceType ContainerProps::containerService(DockerContainer c)
     }
 }
 
-Protocol ContainerProps::defaultProtocol(DockerContainer c)
+Proto ContainerProps::defaultProtocol(DockerContainer c)
 {
     switch (c) {
-    case DockerContainer::None :         return Protocol::Any;
-    case DockerContainer::OpenVpn :      return Protocol::OpenVpn;
-    case DockerContainer::Cloak :        return Protocol::Cloak;
-    case DockerContainer::ShadowSocks :  return Protocol::ShadowSocks;
-    case DockerContainer::WireGuard :    return Protocol::WireGuard;
-    case DockerContainer::Ipsec :        return Protocol::Ikev2;
+    case DockerContainer::None :         return Proto::Any;
+    case DockerContainer::OpenVpn :      return Proto::OpenVpn;
+    case DockerContainer::Cloak :        return Proto::Cloak;
+    case DockerContainer::ShadowSocks :  return Proto::ShadowSocks;
+    case DockerContainer::WireGuard :    return Proto::WireGuard;
+    case DockerContainer::Ipsec :        return Proto::Ikev2;
 
-    case DockerContainer::TorWebSite :   return Protocol::TorWebSite;
-    case DockerContainer::Dns :          return Protocol::Dns;
+    case DockerContainer::TorWebSite :   return Proto::TorWebSite;
+    case DockerContainer::Dns :          return Proto::Dns;
     //case DockerContainer::FileShare :    return Protocol::FileShare;
-    case DockerContainer::Sftp :         return Protocol::Sftp;
-    default:                             return Protocol::Any;
+    case DockerContainer::Sftp :         return Proto::Sftp;
+    default:                             return Proto::Any;
     }
 }
 
@@ -140,7 +140,6 @@ bool ContainerProps::isWorkingOnPlatform(DockerContainer c)
 {
 #ifdef Q_OS_WINDOWS
     return true;
-#elif defined (Q_OS_MAC)
 
 #elif defined (Q_OS_IOS)
     switch (c) {
@@ -148,6 +147,9 @@ bool ContainerProps::isWorkingOnPlatform(DockerContainer c)
     case DockerContainer::OpenVpn: return true;
     default: return false;
     }
+#elif defined (Q_OS_MAC)
+    return false;
+
 #elif defined (Q_OS_ANDROID)
     switch (c) {
     case DockerContainer::WireGuard: return true;
@@ -156,6 +158,7 @@ bool ContainerProps::isWorkingOnPlatform(DockerContainer c)
     }
 
 #elif defined (Q_OS_LINUX)
+    return false;
 
 #else
 return false;
diff --git a/client/containers/containers_defs.h b/client/containers/containers_defs.h
index eced3c32..0fd1ce4a 100644
--- a/client/containers/containers_defs.h
+++ b/client/containers/containers_defs.h
@@ -46,13 +46,13 @@ public:
     Q_INVOKABLE static QMap<DockerContainer, QString> containerDescriptions();
 
     // these protocols will be displayed in container settings
-    Q_INVOKABLE static QVector<Protocol> protocolsForContainer(DockerContainer container);
+    Q_INVOKABLE static QVector<Proto> protocolsForContainer(DockerContainer container);
 
     Q_INVOKABLE static ServiceType containerService(DockerContainer c);
 
     // binding between Docker container and main protocol of given container
     // it may be changed fot future containers :)
-    Q_INVOKABLE static Protocol defaultProtocol(DockerContainer c);
+    Q_INVOKABLE static Proto defaultProtocol(DockerContainer c);
 
     Q_INVOKABLE static bool isWorkingOnPlatform(DockerContainer c);
 };
diff --git a/client/core/privileged_process.cpp b/client/core/privileged_process.cpp
index 3852236f..82a114de 100644
--- a/client/core/privileged_process.cpp
+++ b/client/core/privileged_process.cpp
@@ -1,5 +1,6 @@
 #include "privileged_process.h"
 
+#ifndef Q_OS_IOS
 PrivilegedProcess::PrivilegedProcess() :
     IpcProcessInterfaceReplica()
 {
@@ -25,3 +26,4 @@ void PrivilegedProcess::waitForFinished(int msecs)
 
     loop->exec();
 }
+#endif // Q_OS_IOS
diff --git a/client/core/privileged_process.h b/client/core/privileged_process.h
index bf85fed1..62829bc5 100644
--- a/client/core/privileged_process.h
+++ b/client/core/privileged_process.h
@@ -20,11 +20,11 @@ public:
 
 };
 
-#endif // PRIVILEGED_PROCESS_H
-
 #else // defined Q_OS_IOS
 class IpcProcessInterfaceReplica {};
 class PrivilegedProcess {};
-#endif
+#endif // Q_OS_IOS
+
+#endif // PRIVILEGED_PROCESS_H
 
 
diff --git a/client/core/servercontroller.cpp b/client/core/servercontroller.cpp
index 06479316..1e4c9c8d 100644
--- a/client/core/servercontroller.cpp
+++ b/client/core/servercontroller.cpp
@@ -454,7 +454,7 @@ ErrorCode ServerController::updateContainer(const ServerCredentials &credentials
 
 QJsonObject ServerController::createContainerInitialConfig(DockerContainer container, int port, TransportProto tp)
 {
-    Protocol mainProto = ContainerProps::defaultProtocol(container);
+    Proto mainProto = ContainerProps::defaultProtocol(container);
 
     QJsonObject config {
         { config_key::container, ContainerProps::containerToString(container) }
@@ -621,11 +621,11 @@ ErrorCode ServerController::startupContainerWorker(const ServerCredentials &cred
 
 ServerController::Vars ServerController::genVarsForScript(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &config)
 {
-    const QJsonObject &openvpnConfig = config.value(ProtocolProps::protoToString(Protocol::OpenVpn)).toObject();
-    const QJsonObject &cloakConfig = config.value(ProtocolProps::protoToString(Protocol::Cloak)).toObject();
-    const QJsonObject &ssConfig = config.value(ProtocolProps::protoToString(Protocol::ShadowSocks)).toObject();
-    const QJsonObject &wireguarConfig = config.value(ProtocolProps::protoToString(Protocol::WireGuard)).toObject();
-    const QJsonObject &sftpConfig = config.value(ProtocolProps::protoToString(Protocol::Sftp)).toObject();
+    const QJsonObject &openvpnConfig = config.value(ProtocolProps::protoToString(Proto::OpenVpn)).toObject();
+    const QJsonObject &cloakConfig = config.value(ProtocolProps::protoToString(Proto::Cloak)).toObject();
+    const QJsonObject &ssConfig = config.value(ProtocolProps::protoToString(Proto::ShadowSocks)).toObject();
+    const QJsonObject &wireguarConfig = config.value(ProtocolProps::protoToString(Proto::WireGuard)).toObject();
+    const QJsonObject &sftpConfig = config.value(ProtocolProps::protoToString(Proto::Sftp)).toObject();
     //
 
     Vars vars;
@@ -694,7 +694,7 @@ ServerController::Vars ServerController::genVarsForScript(const ServerCredential
 
 
     // Sftp vars
-    vars.append({{"$SFTP_PORT", sftpConfig.value(config_key::port).toString(QString::number(ProtocolProps::defaultPort(Protocol::Sftp))) }});
+    vars.append({{"$SFTP_PORT", sftpConfig.value(config_key::port).toString(QString::number(ProtocolProps::defaultPort(Proto::Sftp))) }});
     vars.append({{"$SFTP_USER", sftpConfig.value(config_key::userName).toString() }});
     vars.append({{"$SFTP_PASSWORD", sftpConfig.value(config_key::password).toString() }});
 
diff --git a/client/ios/app/AmneziaVPNLaunchScreen.storyboard b/client/ios/app/AmneziaVPNLaunchScreen.storyboard
new file mode 100644
index 00000000..92f79f7e
--- /dev/null
+++ b/client/ios/app/AmneziaVPNLaunchScreen.storyboard
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<document type="com.apple.InterfaceBuilder3.CocoaTouch.Storyboard.XIB" version="3.0" toolsVersion="17506" targetRuntime="iOS.CocoaTouch" propertyAccessControl="none" useAutolayout="YES" launchScreen="YES" useTraitCollections="YES" useSafeAreas="YES" colorMatched="YES" initialViewController="01J-lp-oVM">
+    <device id="ipad12_9rounded" orientation="portrait" layout="fullscreen" appearance="light"/>
+    <dependencies>
+        <deployment identifier="iOS"/>
+        <plugIn identifier="com.apple.InterfaceBuilder.IBCocoaTouchPlugin" version="17505"/>
+        <capability name="Safe area layout guides" minToolsVersion="9.0"/>
+        <capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
+    </dependencies>
+    <scenes>
+        <!--View Controller-->
+        <scene sceneID="EHf-IW-A2E">
+            <objects>
+                <viewController id="01J-lp-oVM" sceneMemberID="viewController">
+                    <view key="view" contentMode="scaleToFill" id="gZ9-gc-3t5">
+                        <rect key="frame" x="0.0" y="0.0" width="1024" height="1366"/>
+                        <autoresizingMask key="autoresizingMask" flexibleMaxX="YES" flexibleMaxY="YES"/>
+                        <subviews>
+                            <imageView clipsSubviews="YES" userInteractionEnabled="NO" contentMode="scaleAspectFit" horizontalHuggingPriority="251" verticalHuggingPriority="251" image="launch.png" translatesAutoresizingMaskIntoConstraints="NO" id="q5g-aV-39U">
+                                <rect key="frame" x="467" y="638" width="90" height="90"/>
+                                <constraints>
+                                    <constraint firstAttribute="width" constant="90" id="VFp-nz-h8O"/>
+                                    <constraint firstAttribute="height" constant="90" id="ZUg-Ud-mgE"/>
+                                </constraints>
+                            </imageView>
+                        </subviews>
+                        <viewLayoutGuide key="safeArea" id="Whf-X3-AA4"/>
+                        <color key="backgroundColor" white="0.0" alpha="1" colorSpace="custom" customColorSpace="genericGamma22GrayColorSpace"/>
+                        <constraints>
+                            <constraint firstItem="q5g-aV-39U" firstAttribute="centerX" secondItem="gZ9-gc-3t5" secondAttribute="centerX" id="Ayw-bo-LVF"/>
+                            <constraint firstItem="q5g-aV-39U" firstAttribute="centerY" secondItem="gZ9-gc-3t5" secondAttribute="centerY" id="YHd-Kc-J0u"/>
+                        </constraints>
+                    </view>
+                </viewController>
+                <placeholder placeholderIdentifier="IBFirstResponder" id="iYj-Kq-Ea1" userLabel="First Responder" sceneMemberID="firstResponder"/>
+            </objects>
+            <point key="canvasLocation" x="53" y="375"/>
+        </scene>
+    </scenes>
+    <resources>
+        <image name="launch.png" width="1024" height="1024"/>
+    </resources>
+</document>
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/Contents.json b/client/ios/app/Images.xcassets/AppIcon.appiconset/Contents.json
new file mode 100644
index 00000000..3b3bcf28
--- /dev/null
+++ b/client/ios/app/Images.xcassets/AppIcon.appiconset/Contents.json
@@ -0,0 +1,116 @@
+{
+  "images" : [
+    {
+      "filename" : "icon-ios-20@2x.png",
+      "idiom" : "iphone",
+      "scale" : "2x",
+      "size" : "20x20"
+    },
+    {
+      "filename" : "icon-ios-20@3x.png",
+      "idiom" : "iphone",
+      "scale" : "3x",
+      "size" : "20x20"
+    },
+    {
+      "filename" : "icon-ios-29@2x-1.png",
+      "idiom" : "iphone",
+      "scale" : "2x",
+      "size" : "29x29"
+    },
+    {
+      "filename" : "icon-ios-29@3x.png",
+      "idiom" : "iphone",
+      "scale" : "3x",
+      "size" : "29x29"
+    },
+    {
+      "filename" : "icon-ios-40@2x-1.png",
+      "idiom" : "iphone",
+      "scale" : "2x",
+      "size" : "40x40"
+    },
+    {
+      "filename" : "icon-ios-40@3x.png",
+      "idiom" : "iphone",
+      "scale" : "3x",
+      "size" : "40x40"
+    },
+    {
+      "filename" : "icon-ios-60@2x.png",
+      "idiom" : "iphone",
+      "scale" : "2x",
+      "size" : "60x60"
+    },
+    {
+      "filename" : "icon-ios-60@3x.png",
+      "idiom" : "iphone",
+      "scale" : "3x",
+      "size" : "60x60"
+    },
+    {
+      "filename" : "icon-ios-20@1x.png",
+      "idiom" : "ipad",
+      "scale" : "1x",
+      "size" : "20x20"
+    },
+    {
+      "filename" : "icon-ios-20@2x-1.png",
+      "idiom" : "ipad",
+      "scale" : "2x",
+      "size" : "20x20"
+    },
+    {
+      "filename" : "icon-ios-29@1x.png",
+      "idiom" : "ipad",
+      "scale" : "1x",
+      "size" : "29x29"
+    },
+    {
+      "filename" : "icon-ios-29@2x.png",
+      "idiom" : "ipad",
+      "scale" : "2x",
+      "size" : "29x29"
+    },
+    {
+      "filename" : "icon-ios-40@1x.png",
+      "idiom" : "ipad",
+      "scale" : "1x",
+      "size" : "40x40"
+    },
+    {
+      "filename" : "icon-ios-40@2x.png",
+      "idiom" : "ipad",
+      "scale" : "2x",
+      "size" : "40x40"
+    },
+    {
+      "filename" : "icon-ios-76@1x.png",
+      "idiom" : "ipad",
+      "scale" : "1x",
+      "size" : "76x76"
+    },
+    {
+      "filename" : "icon-ios-76@2x.png",
+      "idiom" : "ipad",
+      "scale" : "2x",
+      "size" : "76x76"
+    },
+    {
+      "filename" : "icon-ios-83.5@2x.png",
+      "idiom" : "ipad",
+      "scale" : "2x",
+      "size" : "83.5x83.5"
+    },
+    {
+      "filename" : "icon-ios-1024@1x.png",
+      "idiom" : "ios-marketing",
+      "scale" : "1x",
+      "size" : "1024x1024"
+    }
+  ],
+  "info" : {
+    "author" : "xcode",
+    "version" : 1
+  }
+}
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-1024@1x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-1024@1x.png
new file mode 100644
index 00000000..1933ed99
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-1024@1x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-20@1x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-20@1x.png
new file mode 100644
index 00000000..c6c1b888
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-20@1x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-20@2x-1.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-20@2x-1.png
new file mode 100644
index 00000000..9c9a8f01
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-20@2x-1.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-20@2x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-20@2x.png
new file mode 100644
index 00000000..9c9a8f01
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-20@2x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-20@3x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-20@3x.png
new file mode 100644
index 00000000..5f43b0d4
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-20@3x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-29@1x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-29@1x.png
new file mode 100644
index 00000000..b8fa9934
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-29@1x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-29@2x-1.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-29@2x-1.png
new file mode 100644
index 00000000..7e27a54d
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-29@2x-1.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-29@2x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-29@2x.png
new file mode 100644
index 00000000..7e27a54d
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-29@2x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-29@3x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-29@3x.png
new file mode 100644
index 00000000..d408007f
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-29@3x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-40@1x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-40@1x.png
new file mode 100644
index 00000000..2f241c64
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-40@1x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-40@2x-1.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-40@2x-1.png
new file mode 100644
index 00000000..bae292db
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-40@2x-1.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-40@2x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-40@2x.png
new file mode 100644
index 00000000..bae292db
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-40@2x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-40@3x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-40@3x.png
new file mode 100644
index 00000000..8cc41427
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-40@3x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-60@2x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-60@2x.png
new file mode 100644
index 00000000..8cc41427
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-60@2x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-60@3x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-60@3x.png
new file mode 100644
index 00000000..a60b8ff7
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-60@3x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-76@1x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-76@1x.png
new file mode 100644
index 00000000..ddf46a91
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-76@1x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-76@2x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-76@2x.png
new file mode 100644
index 00000000..f26844e1
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-76@2x.png differ
diff --git a/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-83.5@2x.png b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-83.5@2x.png
new file mode 100644
index 00000000..03a92fae
Binary files /dev/null and b/client/ios/app/Images.xcassets/AppIcon.appiconset/icon-ios-83.5@2x.png differ
diff --git a/client/ios/app/Images.xcassets/Contents.json b/client/ios/app/Images.xcassets/Contents.json
new file mode 100644
index 00000000..73c00596
--- /dev/null
+++ b/client/ios/app/Images.xcassets/Contents.json
@@ -0,0 +1,6 @@
+{
+  "info" : {
+    "author" : "xcode",
+    "version" : 1
+  }
+}
diff --git a/client/ios/app/Info.plist b/client/ios/app/Info.plist
new file mode 100644
index 00000000..3c0f289e
--- /dev/null
+++ b/client/ios/app/Info.plist
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleAllowMixedLocalizations</key>
+	<true/>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>$(DEVELOPMENT_LANGUAGE)</string>
+	<key>CFBundleDisplayName</key>
+	<string>AmneziaVPN</string>
+	<key>CFBundleExecutable</key>
+	<string>$(EXECUTABLE_NAME)</string>
+	<key>CFBundleIcons</key>
+	<dict/>
+	<key>CFBundleIcons~ipad</key>
+	<dict/>
+	<key>CFBundleIdentifier</key>
+	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>${APP_DISPLAY_NAME}</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>$(MARKETING_VERSION)</string>
+	<key>CFBundleVersion</key>
+	<string>$(CURRENT_PROJECT_VERSION)</string>
+	<key>ITSAppUsesNonExemptEncryption</key>
+	<false/>
+	<key>LSRequiresIPhoneOS</key>
+	<true/>
+	<key>LSSupportsOpeningDocumentsInPlace</key>
+	<false/>
+	<key>UILaunchStoryboardName</key>
+	<string>AmneziaVPNLaunchScreen</string>
+	<key>UIRequiresFullScreen</key>
+	<true/>
+	<key>UISupportedInterfaceOrientations</key>
+	<array>
+		<string>UIInterfaceOrientationPortraitUpsideDown</string>
+		<string>UIInterfaceOrientationPortrait</string>
+	</array>
+	<key>UISupportedInterfaceOrientations~ipad</key>
+	<array/>
+	<key>UIUserInterfaceStyle</key>
+	<string>Light</string>
+</dict>
+</plist>
diff --git a/client/ios/app/launch.png b/client/ios/app/launch.png
new file mode 100644
index 00000000..33bb9d7d
Binary files /dev/null and b/client/ios/app/launch.png differ
diff --git a/client/ios/app/main.entitlements b/client/ios/app/main.entitlements
new file mode 100644
index 00000000..fa993a87
--- /dev/null
+++ b/client/ios/app/main.entitlements
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.developer.networking.networkextension</key>
+	<array>
+		<string>packet-tunnel-provider</string>
+	</array>
+	<key>com.apple.security.application-groups</key>
+	<array>
+		<string>group.ru.kotit.AmneziaVPN.udev</string>
+	</array>
+	<key>com.apple.security.files.user-selected.read-write</key>
+	<true/>
+    <key>keychain-access-groups</key>
+    <array>
+        <string>$(AppIdentifierPrefix)group.ru.kotit.AmneziaVPN.udev</string>
+    </array>
+</dict>
+</plist>
diff --git a/client/ios/networkextension/AmneziaVPNNetworkExtension.entitlements b/client/ios/networkextension/AmneziaVPNNetworkExtension.entitlements
new file mode 100644
index 00000000..efcee280
--- /dev/null
+++ b/client/ios/networkextension/AmneziaVPNNetworkExtension.entitlements
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.developer.networking.networkextension</key>
+	<array>
+		<string>packet-tunnel-provider</string>
+	</array>
+	<key>com.apple.security.application-groups</key>
+	<array>
+		<string>group.ru.kotit.AmneziaVPN.udev</string>
+	</array>
+    <key>keychain-access-groups</key>
+    <array>
+        <string>$(AppIdentifierPrefix)group.ru.kotit.AmneziaVPN.udev</string>
+    </array>
+</dict>
+</plist>
diff --git a/client/ios/xcode.xconfig b/client/ios/xcode.xconfig
new file mode 100644
index 00000000..1b4f1000
--- /dev/null
+++ b/client/ios/xcode.xconfig
@@ -0,0 +1,13 @@
+DEVELOPMENT_TEAM = <X7UJ388FXK>
+
+# MacOS configuration
+GROUP_ID_MACOS = <>
+APP_ID_MACOS = <>
+NETEXT_ID_MACOS = <>
+LOGIN_ID_MACOS = <>
+NATIVEMESSAGING_ID_MACOS = <>
+
+# IOS configuration
+GROUP_ID_IOS = group.org.mozilla.ios.Guardian
+APP_ID_IOS = org.mozilla.ios.FirefoxVPN
+NETEXT_ID_IOS = org.mozilla.ios.FirefoxVPN.network-extension
diff --git a/client/ios/xcode_patcher.rb b/client/ios/xcode_patcher.rb
new file mode 100644
index 00000000..b44b0b56
--- /dev/null
+++ b/client/ios/xcode_patcher.rb
@@ -0,0 +1,598 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+require 'xcodeproj'
+
+class XCodeprojPatcher
+  attr :project
+  attr :p_root
+  attr :target_main
+  attr :target_extension
+
+#  @@project_root
+#  def self.project_root
+#    @@project_root
+#  end
+
+  def run(project_root, file, shortVersion, fullVersion, platform, networkExtension, webExtension, configHash, adjust_sdk_token)
+    @p_root = project_root
+    open_project file
+    open_target_main
+
+    die 'IOS requires networkExtension mode' if not networkExtension and platform == 'ios'
+
+    group = @project.main_group.new_group('Configuration')
+    @configFile = group.new_file('ios/xcode.xconfig')
+
+    setup_target_main shortVersion, fullVersion, platform, networkExtension, configHash, adjust_sdk_token
+
+    if platform == 'macos'
+      setup_target_loginitem shortVersion, fullVersion, configHash
+      setup_target_nativemessaging shortVersion, fullVersion, configHash if webExtension
+    end
+
+    if networkExtension
+      setup_target_extension shortVersion, fullVersion, platform, configHash
+      setup_target_gobridge
+    else
+      setup_target_wireguardgo
+      setup_target_wireguardtools
+    end
+
+    setup_target_balrog if platform == 'macos'
+
+    @project.save
+  end
+
+  def open_project(file)
+    @project = Xcodeproj::Project.open(file)
+    puts 'Failed to open the project file: ' + file if @project.nil?
+    die 'Failed to open the project file: ' + file if @project.nil?
+  end
+
+  def open_target_main
+    @target_main = @project.targets.find { |target| target.to_s == 'AmneziaVPN' }
+    return @target_main if not @target_main.nil?
+
+    puts 'Unable to open AmneziaVPN target'
+    die 'Unable to open AmneziaVPN target'
+  end
+
+  def setup_target_main(shortVersion, fullVersion, platform, networkExtension, configHash, adjust_sdk_token)
+    @target_main.build_configurations.each do |config|
+      config.base_configuration_reference = @configFile
+
+      config.build_settings['LD_RUNPATH_SEARCH_PATHS'] ||= '"$(inherited) @executable_path/../Frameworks"'
+      config.build_settings['SWIFT_VERSION'] ||= '5.0'
+      config.build_settings['CLANG_ENABLE_MODULES'] ||= 'YES'
+      config.build_settings['SWIFT_OBJC_BRIDGING_HEADER'] ||= p_root + "/" + 'macos/app/WireGuard-Bridging-Header.h'
+      config.build_settings['FRAMEWORK_SEARCH_PATHS'] ||= [
+        "$(inherited)",
+        "$(PROJECT_DIR)/3rd"
+      ]
+
+      # Versions and names
+      config.build_settings['MARKETING_VERSION'] ||= shortVersion
+      config.build_settings['CURRENT_PROJECT_VERSION'] ||= fullVersion
+      config.build_settings['PRODUCT_BUNDLE_IDENTIFIER'] = configHash['APP_ID_MACOS'] if platform == 'macos'
+      config.build_settings['PRODUCT_BUNDLE_IDENTIFIER'] = configHash['APP_ID_IOS'] if platform == 'ios'
+      config.build_settings['PRODUCT_NAME'] = 'Mozilla VPN'
+
+      # other config
+      config.build_settings['INFOPLIST_FILE'] ||= p_root + "/" + platform + '/app/Info.plist'
+      if platform == 'ios'
+        config.build_settings['CODE_SIGN_ENTITLEMENTS'] ||= p_root + "/" + 'ios/app/main.entitlements'
+        if adjust_sdk_token != ""
+          config.build_settings['ADJUST_SDK_TOKEN'] = adjust_sdk_token
+        end
+      elsif networkExtension
+        config.build_settings['CODE_SIGN_ENTITLEMENTS'] ||= p_root + "/" + 'macos/app/app.entitlements'
+      else
+        config.build_settings['CODE_SIGN_ENTITLEMENTS'] ||= p_root + "/" + 'macos/app/daemon.entitlements'
+      end
+
+      config.build_settings['CODE_SIGN_IDENTITY'] ||= 'Apple Development'
+      config.build_settings['ENABLE_BITCODE'] ||= 'NO' if platform == 'ios'
+      config.build_settings['SDKROOT'] = 'iphoneos' if platform == 'ios'
+      config.build_settings['SWIFT_PRECOMPILE_BRIDGING_HEADER'] = 'NO' if platform == 'ios'
+
+      groupId = "";
+      if (platform == 'macos')
+        groupId = configHash['DEVELOPMENT_TEAM'] + "." + configHash['GROUP_ID_MACOS']
+        config.build_settings['APP_ID_MACOS'] ||= configHash['APP_ID_MACOS']
+      else
+        groupId = configHash['GROUP_ID_IOS']
+        config.build_settings['GROUP_ID_IOS'] ||= configHash['GROUP_ID_IOS']
+      end
+
+      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= [
+        'GROUP_ID=\"' + groupId + '\"',
+        "VPN_NE_BUNDLEID=\\\"" + (platform == 'macos' ? configHash['NETEXT_ID_MACOS'] : configHash['NETEXT_ID_IOS']) + "\\\"",
+      ]
+
+      if config.name == 'Release'
+        config.build_settings['SWIFT_OPTIMIZATION_LEVEL'] ||= '-Onone'
+      end
+    end
+
+    if networkExtension
+      # WireGuard group
+      group = @project.main_group.new_group('WireGuard')
+
+      [
+        'macos/gobridge/wireguard-go-version.h',
+        '3rd/wireguard-apple/Sources/Shared/Keychain.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKit/IPAddressRange.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKit/InterfaceConfiguration.swift',
+        '3rd/wireguard-apple/Sources/Shared/Model/NETunnelProviderProtocol+Extension.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKit/TunnelConfiguration.swift',
+        '3rd/wireguard-apple/Sources/Shared/Model/TunnelConfiguration+WgQuickConfig.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKit/Endpoint.swift',
+        '3rd/wireguard-apple/Sources/Shared/Model/String+ArrayConversion.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKit/PeerConfiguration.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKit/DNSServer.swift',
+        '3rd/wireguard-apple/Sources/WireGuardApp/LocalizationHelper.swift',
+        '3rd/wireguard-apple/Sources/Shared/FileManager+Extension.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKitC/x25519.c',
+        '3rd/wireguard-apple/Sources/WireGuardKit/PrivateKey.swift',
+      ].each { |filename|
+        file = group.new_file(p_root + "/" + filename)
+        @target_main.add_file_references([file])
+      }
+
+      # @target_main + swift integration
+      group = @project.main_group.new_group('SwiftIntegration')
+
+      [
+        'platforms/ios/ioscontroller.swift',
+        'platforms/ios/ioslogger.swift',
+      ].each { |filename|
+        file = group.new_file(p_root + "/" + filename)
+        @target_main.add_file_references([file])
+      }
+    end
+
+    if (platform == 'ios' && adjust_sdk_token != "")
+      frameworks_group = @project.groups.find { |group| group.display_name == 'Frameworks' }
+      frameworks_build_phase = @target_main.build_phases.find { |build_phase| build_phase.to_s == 'FrameworksBuildPhase' }
+      embed_frameworks_build_phase = @target_main.build_phases.find { |build_phase| build_phase.to_s == 'Embed Frameworks' }
+
+      framework_ref = frameworks_group.new_file('3rd/AdjustSdk.framework')
+      frameworks_build_phase.add_file_reference(framework_ref)
+
+      framework_file = embed_frameworks_build_phase.add_file_reference(framework_ref)
+      framework_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy', 'CodeSignOnCopy'] }
+
+      framework_ref = frameworks_group.new_file('AdServices.framework')
+      frameworks_build_phase.add_file_reference(framework_ref)
+
+      framework_ref = frameworks_group.new_file('iAd.framework')
+      frameworks_build_phase.add_file_reference(framework_ref)
+    end
+  end
+
+  def setup_target_extension(shortVersion, fullVersion, platform, configHash)
+    @target_extension = @project.new_target(:app_extension, 'WireGuardNetworkExtension', platform == 'macos' ? :osx : :ios)
+
+    @target_extension.build_configurations.each do |config|
+      config.base_configuration_reference = @configFile
+
+      config.build_settings['LD_RUNPATH_SEARCH_PATHS'] ||= '"$(inherited) @executable_path/../Frameworks"'
+      config.build_settings['SWIFT_VERSION'] ||= '5.0'
+      config.build_settings['CLANG_ENABLE_MODULES'] ||= 'YES'
+      config.build_settings['SWIFT_OBJC_BRIDGING_HEADER'] ||= p_root + "/" + 'macos/networkextension/WireGuardNetworkExtension-Bridging-Header.h'
+      config.build_settings['SWIFT_PRECOMPILE_BRIDGING_HEADER'] = 'NO'
+
+      # Versions and names
+      config.build_settings['MARKETING_VERSION'] ||= shortVersion
+      config.build_settings['CURRENT_PROJECT_VERSION'] ||= fullVersion
+      config.build_settings['PRODUCT_BUNDLE_IDENTIFIER'] ||= configHash['NETEXT_ID_MACOS'] if platform == 'macos'
+      config.build_settings['PRODUCT_BUNDLE_IDENTIFIER'] ||= configHash['NETEXT_ID_IOS'] if platform == 'ios'
+      config.build_settings['PRODUCT_NAME'] = 'WireGuardNetworkExtension'
+
+      # other configs
+      config.build_settings['INFOPLIST_FILE'] ||= p_root + "/" + 'macos/networkextension/Info.plist'
+      config.build_settings['CODE_SIGN_ENTITLEMENTS'] ||= p_root + "/" + platform + '/networkextension/AmneziaVPNNetworkExtension.entitlements'
+      config.build_settings['CODE_SIGN_IDENTITY'] = 'Apple Development'
+
+      if platform == 'ios'
+        config.build_settings['ENABLE_BITCODE'] ||= 'NO'
+        config.build_settings['SDKROOT'] = 'iphoneos'
+
+        config.build_settings['OTHER_LDFLAGS'] ||= [
+          "-stdlib=libc++",
+          "-Wl,-rpath,@executable_path/Frameworks",
+          "-framework",
+          "AssetsLibrary",
+          "-framework",
+          "MobileCoreServices",
+          "-lm",
+          "-framework",
+          "UIKit",
+          "-lz",
+          "-framework",
+          "OpenGLES",
+        ]
+      end
+
+      groupId = "";
+      if (platform == 'macos')
+        groupId = configHash['DEVELOPMENT_TEAM'] + "." + configHash['GROUP_ID_MACOS']
+      else
+        groupId = configHash['GROUP_ID_IOS']
+      end
+
+      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= [
+        # This is needed to compile the iosglue without Qt.
+        'NETWORK_EXTENSION=1',
+        'GROUP_ID=\"' + groupId + '\"',
+      ]
+
+      if config.name == 'Release'
+        config.build_settings['SWIFT_OPTIMIZATION_LEVEL'] ||= '-Onone'
+      end
+
+    end
+
+    group = @project.main_group.new_group('WireGuardExtension')
+    [
+      '3rd/wireguard-apple/Sources/WireGuardKit/WireGuardAdapter.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/PacketTunnelSettingsGenerator.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/DNSResolver.swift',
+      '3rd/wireguard-apple/Sources/WireGuardNetworkExtension/ErrorNotifier.swift',
+      '3rd/wireguard-apple/Sources/Shared/Keychain.swift',
+      '3rd/wireguard-apple/Sources/Shared/Model/TunnelConfiguration+WgQuickConfig.swift',
+      '3rd/wireguard-apple/Sources/Shared/Model/NETunnelProviderProtocol+Extension.swift',
+      '3rd/wireguard-apple/Sources/Shared/Model/String+ArrayConversion.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/TunnelConfiguration.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/IPAddressRange.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/Endpoint.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/DNSServer.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/InterfaceConfiguration.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/PeerConfiguration.swift',
+      '3rd/wireguard-apple/Sources/Shared/FileManager+Extension.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKitC/x25519.c',
+      '3rd/wireguard-apple/Sources/WireGuardKit/Array+ConcurrentMap.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/IPAddress+AddrInfo.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/PrivateKey.swift',
+    ].each { |filename|
+      file = group.new_file(p_root + "/" + filename)
+      @target_extension.add_file_references([file])
+    }
+    # @target_extension + swift integration
+    group = @project.main_group.new_group('SwiftIntegration')
+
+    [
+      'platforms/ios/iostunnel.swift',
+      'platforms/ios/iosglue.mm',
+      'platforms/ios/ioslogger.swift',
+    ].each { |filename|
+      file = group.new_file(p_root + "/" + filename)
+      @target_extension.add_file_references([file])
+    }
+
+    frameworks_group = @project.groups.find { |group| group.display_name == 'Frameworks' }
+    frameworks_build_phase = @target_extension.build_phases.find { |build_phase| build_phase.to_s == 'FrameworksBuildPhase' }
+
+    frameworks_build_phase.clear
+
+    framework_ref = frameworks_group.new_file('libwg-go.a')
+    frameworks_build_phase.add_file_reference(framework_ref)
+
+    framework_ref = frameworks_group.new_file('NetworkExtension.framework')
+    frameworks_build_phase.add_file_reference(framework_ref)
+
+    # This fails: @target_main.add_dependency @target_extension
+    container_proxy = @project.new(Xcodeproj::Project::PBXContainerItemProxy)
+    container_proxy.container_portal = @project.root_object.uuid
+    container_proxy.proxy_type = Xcodeproj::Constants::PROXY_TYPES[:native_target]
+    container_proxy.remote_global_id_string = @target_extension.uuid
+    container_proxy.remote_info = @target_extension.name
+
+    dependency = @project.new(Xcodeproj::Project::PBXTargetDependency)
+    dependency.name = @target_extension.name
+    dependency.target = @target_main
+    dependency.target_proxy = container_proxy
+
+    @target_main.dependencies << dependency
+
+    copy_appex = @target_main.new_copy_files_build_phase
+    copy_appex.name = 'Copy Network-Extension plugin'
+    copy_appex.symbol_dst_subfolder_spec = :plug_ins
+
+    appex_file = copy_appex.add_file_reference @target_extension.product_reference
+    appex_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy'] }
+  end
+
+  def setup_target_gobridge
+    target_gobridge = legacy_target = @project.new(Xcodeproj::Project::PBXLegacyTarget)
+
+    target_gobridge.build_working_directory = p_root + "/" + 'macos/gobridge'
+    target_gobridge.build_tool_path = 'make'
+    target_gobridge.pass_build_settings_in_environment = '1'
+    target_gobridge.build_arguments_string = '$(ACTION)'
+    target_gobridge.name = 'WireGuardGoBridge'
+    target_gobridge.product_name = 'WireGuardGoBridge'
+
+    @project.targets << target_gobridge
+    @target_extension.add_dependency target_gobridge
+  end
+
+  def setup_target_balrog
+    target_balrog = legacy_target = @project.new(Xcodeproj::Project::PBXLegacyTarget)
+
+    target_balrog.build_working_directory = p_root + "/" + 'balrog'
+    target_balrog.build_tool_path = 'make'
+    target_balrog.pass_build_settings_in_environment = '1'
+    target_balrog.build_arguments_string = '$(ACTION)'
+    target_balrog.name = 'WireGuardBalrog'
+    target_balrog.product_name = 'WireGuardBalrog'
+
+    @project.targets << target_balrog
+
+    frameworks_group = @project.groups.find { |group| group.display_name == 'Frameworks' }
+    frameworks_build_phase = @target_main.build_phases.find { |build_phase| build_phase.to_s == 'FrameworksBuildPhase' }
+
+    framework_ref = frameworks_group.new_file('balrog/balrog.a')
+    frameworks_build_phase.add_file_reference(framework_ref)
+
+    # This fails: @target_main.add_dependency target_balrog
+    container_proxy = @project.new(Xcodeproj::Project::PBXContainerItemProxy)
+    container_proxy.container_portal = @project.root_object.uuid
+    container_proxy.proxy_type = Xcodeproj::Constants::PROXY_TYPES[:native_target]
+    container_proxy.remote_global_id_string = target_balrog.uuid
+    container_proxy.remote_info = target_balrog.name
+
+    dependency = @project.new(Xcodeproj::Project::PBXTargetDependency)
+    dependency.name = target_balrog.name
+    dependency.target = @target_main
+    dependency.target_proxy = container_proxy
+
+    @target_main.dependencies << dependency
+  end
+
+  def setup_target_wireguardtools
+    target_wireguardtools = legacy_target = @project.new(Xcodeproj::Project::PBXLegacyTarget)
+
+    target_wireguardtools.build_working_directory = p_root + "/" + '3rd/wireguard-tools/src'
+    target_wireguardtools.build_tool_path = 'make'
+    target_wireguardtools.pass_build_settings_in_environment = '1'
+    target_wireguardtools.build_arguments_string = '$(ACTION)'
+    target_wireguardtools.name = 'WireGuardTools'
+    target_wireguardtools.product_name = 'WireGuardTools'
+
+    @project.targets << target_wireguardtools
+
+    # This fails: @target_main.add_dependency target_wireguardtools
+    container_proxy = @project.new(Xcodeproj::Project::PBXContainerItemProxy)
+    container_proxy.container_portal = @project.root_object.uuid
+    container_proxy.proxy_type = Xcodeproj::Constants::PROXY_TYPES[:native_target]
+    container_proxy.remote_global_id_string = target_wireguardtools.uuid
+    container_proxy.remote_info = target_wireguardtools.name
+
+    dependency = @project.new(Xcodeproj::Project::PBXTargetDependency)
+    dependency.name = target_wireguardtools.name
+    dependency.target = @target_main
+    dependency.target_proxy = container_proxy
+
+    @target_main.dependencies << dependency
+
+    copy_wireguardTools = @target_main.new_copy_files_build_phase
+    copy_wireguardTools.name = 'Copy wireguard-tools'
+    copy_wireguardTools.symbol_dst_subfolder_spec = :wrapper
+    copy_wireguardTools.dst_path = 'Contents/Resources/utils'
+
+    group = @project.main_group.new_group('WireGuardTools')
+    file = group.new_file '3rd/wireguard-tools/src/wg'
+
+    wireguardTools_file = copy_wireguardTools.add_file_reference file
+    wireguardTools_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy'] }
+  end
+
+  def setup_target_wireguardgo
+    target_wireguardgo = legacy_target = @project.new(Xcodeproj::Project::PBXLegacyTarget)
+
+    target_wireguardgo.build_working_directory = p_root + "/" + '3rd/wireguard-go'
+    target_wireguardgo.build_tool_path = 'make'
+    target_wireguardgo.pass_build_settings_in_environment = '1'
+    target_wireguardgo.build_arguments_string = '$(ACTION)'
+    target_wireguardgo.name = 'WireGuardGo'
+    target_wireguardgo.product_name = 'WireGuardGo'
+
+    @project.targets << target_wireguardgo
+
+    # This fails: @target_main.add_dependency target_wireguardgo
+    container_proxy = @project.new(Xcodeproj::Project::PBXContainerItemProxy)
+    container_proxy.container_portal = @project.root_object.uuid
+    container_proxy.proxy_type = Xcodeproj::Constants::PROXY_TYPES[:native_target]
+    container_proxy.remote_global_id_string = target_wireguardgo.uuid
+    container_proxy.remote_info = target_wireguardgo.name
+
+    dependency = @project.new(Xcodeproj::Project::PBXTargetDependency)
+    dependency.name = target_wireguardgo.name
+    dependency.target = @target_main
+    dependency.target_proxy = container_proxy
+
+    @target_main.dependencies << dependency
+
+    copy_wireguardGo = @target_main.new_copy_files_build_phase
+    copy_wireguardGo.name = 'Copy wireguard-go'
+    copy_wireguardGo.symbol_dst_subfolder_spec = :wrapper
+    copy_wireguardGo.dst_path = 'Contents/Resources/utils'
+
+    group = @project.main_group.new_group('WireGuardGo')
+    file = group.new_file '3rd/wireguard-go/wireguard-go'
+
+    wireguardGo_file = copy_wireguardGo.add_file_reference file
+    wireguardGo_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy'] }
+  end
+
+  def setup_target_loginitem(shortVersion, fullVersion, configHash)
+    return
+    @target_loginitem = @project.new_target(:application, 'AmneziaVPNLoginItem', :osx)
+
+    @target_loginitem.build_configurations.each do |config|
+      config.base_configuration_reference = @configFile
+
+      config.build_settings['LD_RUNPATH_SEARCH_PATHS'] ||= '"$(inherited) @executable_path/../Frameworks"'
+
+      # Versions and names
+      config.build_settings['MARKETING_VERSION'] ||= shortVersion
+      config.build_settings['CURRENT_PROJECT_VERSION'] ||= fullVersion
+      config.build_settings['PRODUCT_BUNDLE_IDENTIFIER'] ||= configHash['LOGIN_ID_MACOS']
+      config.build_settings['PRODUCT_NAME'] = 'AmneziaVPNLoginItem'
+
+      # other configs
+      config.build_settings['INFOPLIST_FILE'] ||= 'macos/loginitem/Info.plist'
+      config.build_settings['CODE_SIGN_ENTITLEMENTS'] ||= p_root + "/" + 'macos/loginitem/AmneziaVPNLoginItem.entitlements'
+      config.build_settings['CODE_SIGN_IDENTITY'] = 'Apple Development'
+      config.build_settings['SKIP_INSTALL'] = 'YES'
+
+      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= [
+        'APP_ID=\"' + configHash['APP_ID_MACOS'] + '\"',
+      ]
+
+      if config.name == 'Release'
+        config.build_settings['SWIFT_OPTIMIZATION_LEVEL'] ||= '-Onone'
+      end
+    end
+
+    group = @project.main_group.new_group('LoginItem')
+    [
+      'macos/loginitem/main.m',
+    ].each { |filename|
+      file = group.new_file(filename)
+      @target_loginitem.add_file_references([file])
+    }
+
+    # This fails: @target_main.add_dependency @target_loginitem
+    container_proxy = @project.new(Xcodeproj::Project::PBXContainerItemProxy)
+    container_proxy.container_portal = @project.root_object.uuid
+    container_proxy.proxy_type = Xcodeproj::Constants::PROXY_TYPES[:native_target]
+    container_proxy.remote_global_id_string = @target_loginitem.uuid
+    container_proxy.remote_info = @target_loginitem.name
+
+    dependency = @project.new(Xcodeproj::Project::PBXTargetDependency)
+    dependency.name = @target_loginitem.name
+    dependency.target = @target_main
+    dependency.target_proxy = container_proxy
+
+    @target_main.dependencies << dependency
+
+    copy_app = @target_main.new_copy_files_build_phase
+    copy_app.name = 'Copy LoginItem'
+    copy_app.symbol_dst_subfolder_spec = :wrapper
+    copy_app.dst_path = 'Contents/Library/LoginItems'
+
+    app_file = copy_app.add_file_reference @target_loginitem.product_reference
+    app_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy'] }
+  end
+
+  def setup_target_nativemessaging(shortVersion, fullVersion, configHash)
+    @target_nativemessaging = @project.new_target(:application, 'AmneziaVPNNativeMessaging', :osx)
+
+    @target_nativemessaging.build_configurations.each do |config|
+      config.base_configuration_reference = @configFile
+
+      config.build_settings['LD_RUNPATH_SEARCH_PATHS'] ||= '"$(inherited) @executable_path/../Frameworks"'
+
+      # Versions and names
+      config.build_settings['MARKETING_VERSION'] ||= shortVersion
+      config.build_settings['CURRENT_PROJECT_VERSION'] ||= fullVersion
+      config.build_settings['PRODUCT_BUNDLE_IDENTIFIER'] ||= configHash['NATIVEMESSAGING_ID_MACOS']
+      config.build_settings['PRODUCT_NAME'] = 'AmneziaVPNNativeMessaging'
+
+      # other configs
+      config.build_settings['INFOPLIST_FILE'] ||= p_root + "/" + 'macos/nativeMessaging/Info.plist'
+      config.build_settings['CODE_SIGN_ENTITLEMENTS'] ||= p_root + "/" + 'macos/nativeMessaging/AmneziaVPNNativeMessaging.entitlements'
+      config.build_settings['CODE_SIGN_IDENTITY'] = 'Apple Development'
+      config.build_settings['SKIP_INSTALL'] = 'YES'
+    end
+
+    group = @project.main_group.new_group('NativeMessaging')
+    [
+      'extension/app/constants.h',
+      'extension/app/handler.cpp',
+      'extension/app/handler.h',
+      'extension/app/json.hpp',
+      'extension/app/logger.cpp',
+      'extension/app/logger.h',
+      'extension/app/main.cpp',
+      'extension/app/vpnconnection.cpp',
+      'extension/app/vpnconnection.h',
+    ].each { |filename|
+      file = group.new_file(p_root + "/" + filename)
+      @target_nativemessaging.add_file_references([file])
+    }
+
+    # This fails: @target_main.add_dependency @target_nativemessaging
+    container_proxy = @project.new(Xcodeproj::Project::PBXContainerItemProxy)
+    container_proxy.container_portal = @project.root_object.uuid
+    container_proxy.proxy_type = Xcodeproj::Constants::PROXY_TYPES[:native_target]
+    container_proxy.remote_global_id_string = @target_nativemessaging.uuid
+    container_proxy.remote_info = @target_nativemessaging.name
+
+    dependency = @project.new(Xcodeproj::Project::PBXTargetDependency)
+    dependency.name = @target_nativemessaging.name
+    dependency.target = @target_main
+    dependency.target_proxy = container_proxy
+
+    @target_main.dependencies << dependency
+
+    copy_app = @target_main.new_copy_files_build_phase
+    copy_app.name = 'Copy LoginItem'
+    copy_app.symbol_dst_subfolder_spec = :wrapper
+    copy_app.dst_path = 'Contents/Library/NativeMessaging'
+
+    app_file = copy_app.add_file_reference @target_nativemessaging.product_reference
+    app_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy'] }
+
+    copy_nativeMessagingManifest = @target_main.new_copy_files_build_phase
+    copy_nativeMessagingManifest.name = 'Copy native messaging manifest'
+    copy_nativeMessagingManifest.symbol_dst_subfolder_spec = :wrapper
+    copy_nativeMessagingManifest.dst_path = 'Contents/Resources/utils'
+
+    group = @project.main_group.new_group('WireGuardHelper')
+    file = group.new_file 'extension/app/manifests/macos/mozillavpn.json'
+
+    nativeMessagingManifest_file = copy_nativeMessagingManifest.add_file_reference file
+    nativeMessagingManifest_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy'] }
+  end
+
+  def die(msg)
+   print $msg
+   exit 1
+  end
+end
+
+if ARGV.length < 4 || (ARGV[4] != "ios" && ARGV[4] != "macos")
+  puts "Usage: <script> project_file shortVersion fullVersion ios/macos"
+  exit 1
+end
+
+if !File.exist?("ios/xcode.xconfig")
+  puts "xcode.xconfig file is required! See the template file."
+  exit 1
+end
+
+config = Hash.new
+configFile = File.read("ios/xcode.xconfig").split("\n")
+configFile.each { |line|
+  next if line[0] == "#"
+
+  if line.include? "="
+    keys = line.split("=")
+    config[keys[0].strip] = keys[1].strip
+  end
+}
+
+platform = "macos"
+platform = "ios" if ARGV[4] == "ios"
+networkExtension = true
+webExtension = false
+adjustToken = ""
+
+r = XCodeprojPatcher.new
+r.run ARGV[0], ARGV[1], ARGV[2], ARGV[3], platform, networkExtension, webExtension, config, adjustToken
+exit 0
diff --git a/client/logger.cpp b/client/logger.cpp
new file mode 100644
index 00000000..06a7c6c8
--- /dev/null
+++ b/client/logger.cpp
@@ -0,0 +1,59 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "logger.h"
+#include "loghandler.h"
+
+Logger::Logger(const QString& module, const QString& className)
+    : Logger(QStringList({module}), className) {}
+
+Logger::Logger(const QStringList& modules, const QString& className)
+    : m_modules(modules), m_className(className) {}
+
+Logger::Log Logger::error() { return Log(this, LogLevel::Error); }
+Logger::Log Logger::warning() { return Log(this, LogLevel::Warning); }
+Logger::Log Logger::info() { return Log(this, LogLevel::Info); }
+Logger::Log Logger::debug() { return Log(this, LogLevel::Debug); }
+
+Logger::Log::Log(Logger* logger, LogLevel logLevel)
+    : m_logger(logger), m_logLevel(logLevel), m_data(new Data()) {}
+
+Logger::Log::~Log() {
+  LogHandler::messageHandler(m_logLevel, m_logger->modules(),
+                             m_logger->className(), m_data->m_buffer.trimmed());
+  delete m_data;
+}
+
+#define CREATE_LOG_OP_REF(x)                  \
+  Logger::Log& Logger::Log::operator<<(x t) { \
+    m_data->m_ts << t << ' ';                 \
+    return *this;                             \
+  }
+
+CREATE_LOG_OP_REF(uint64_t);
+CREATE_LOG_OP_REF(const char*);
+CREATE_LOG_OP_REF(const QString&);
+CREATE_LOG_OP_REF(const QByteArray&);
+CREATE_LOG_OP_REF(void*);
+
+#undef CREATE_LOG_OP_REF
+
+Logger::Log& Logger::Log::operator<<(const QStringList& t) {
+  m_data->m_ts << '[' << t.join(",") << ']' << ' ';
+  return *this;
+}
+
+Logger::Log& Logger::Log::operator<<(QTextStreamFunction t) {
+  m_data->m_ts << t;
+  return *this;
+}
+
+// static
+QString Logger::sensitive(const QString& input) {
+#ifdef QT_DEBUG
+  return input;
+#else
+  return QString(input.length(), 'X');
+#endif
+}
diff --git a/client/logger.h b/client/logger.h
new file mode 100644
index 00000000..87bae4ce
--- /dev/null
+++ b/client/logger.h
@@ -0,0 +1,88 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef LOGGER_H
+#define LOGGER_H
+
+#include "loglevel.h"
+
+#include <QString>
+#include <QTextStream>
+
+constexpr const char* LOG_CAPTIVEPORTAL = "captiveportal";
+constexpr const char* LOG_CONTROLLER = "controller";
+constexpr const char* LOG_IAP = "iap";
+constexpr const char* LOG_INSPECTOR = "inspector";
+constexpr const char* LOG_MAIN = "main";
+constexpr const char* LOG_MODEL = "model";
+constexpr const char* LOG_NETWORKING = "networking";
+constexpr const char* LOG_SERVER = "server";
+
+#if defined(MVPN_LINUX) || defined(MVPN_ANDROID)
+constexpr const char* LOG_LINUX = "linux";
+#endif
+
+#ifdef MVPN_WINDOWS
+constexpr const char* LOG_WINDOWS = "windows";
+#endif
+
+#if __APPLE__ || defined(MVPN_WASM)
+constexpr const char* LOG_MACOS = "macos";
+constexpr const char* LOG_IOS = "ios";
+#endif
+
+#if defined(MVPN_ANDROID) || defined(UNIT_TEST)
+constexpr const char* LOG_ANDROID = "android";
+#endif
+
+class Logger {
+ public:
+  Logger(const QString& module, const QString& className);
+  Logger(const QStringList& modules, const QString& className);
+
+  const QStringList& modules() const { return m_modules; }
+  const QString& className() const { return m_className; }
+
+  class Log {
+   public:
+    Log(Logger* logger, LogLevel level);
+    ~Log();
+
+    Log& operator<<(uint64_t t);
+    Log& operator<<(const char* t);
+    Log& operator<<(const QString& t);
+    Log& operator<<(const QStringList& t);
+    Log& operator<<(const QByteArray& t);
+    Log& operator<<(QTextStreamFunction t);
+    Log& operator<<(void* t);
+
+   private:
+    Logger* m_logger;
+    LogLevel m_logLevel;
+
+    struct Data {
+      Data() : m_ts(&m_buffer, QIODevice::WriteOnly) {}
+
+      QString m_buffer;
+      QTextStream m_ts;
+    };
+
+    Data* m_data;
+  };
+
+  Log error();
+  Log warning();
+  Log info();
+  Log debug();
+
+  // Use this to log sensitive data such as IP address, session tokens, and so
+  // on.
+  QString sensitive(const QString& input);
+
+ private:
+  QStringList m_modules;
+  QString m_className;
+};
+
+#endif  // LOGGER_H
diff --git a/client/loghandler.cpp b/client/loghandler.cpp
new file mode 100644
index 00000000..cce3c234
--- /dev/null
+++ b/client/loghandler.cpp
@@ -0,0 +1,346 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "loghandler.h"
+#include "constants.h"
+#include "logger.h"
+
+#include <QDate>
+#include <QDir>
+#include <QFile>
+#include <QFileInfo>
+#include <QMessageLogContext>
+#include <QMutexLocker>
+#include <QProcessEnvironment>
+#include <QStandardPaths>
+#include <QString>
+#include <QTextStream>
+
+#ifdef MVPN_ANDROID
+#  include <android/log.h>
+#endif
+
+constexpr qint64 LOG_MAX_FILE_SIZE = 204800;
+constexpr const char* LOG_FILENAME = "mozillavpn.txt";
+
+namespace {
+QMutex s_mutex;
+QString s_location =
+    QStandardPaths::writableLocation(QStandardPaths::AppDataLocation);
+LogHandler* s_instance = nullptr;
+
+LogLevel qtTypeToLogLevel(QtMsgType type) {
+  switch (type) {
+    case QtDebugMsg:
+      return Debug;
+    case QtInfoMsg:
+      return Info;
+    case QtWarningMsg:
+      return Warning;
+    case QtCriticalMsg:
+      [[fallthrough]];
+    case QtFatalMsg:
+      return Error;
+    default:
+      return Debug;
+  }
+}
+
+}  // namespace
+
+// static
+LogHandler* LogHandler::instance() {
+  QMutexLocker lock(&s_mutex);
+  return maybeCreate(lock);
+}
+
+// static
+void LogHandler::messageQTHandler(QtMsgType type,
+                                  const QMessageLogContext& context,
+                                  const QString& message) {
+  QMutexLocker lock(&s_mutex);
+  maybeCreate(lock)->addLog(Log(qtTypeToLogLevel(type), context.file,
+                                context.function, context.line, message),
+                            lock);
+}
+
+// static
+void LogHandler::messageHandler(LogLevel logLevel, const QStringList& modules,
+                                const QString& className,
+                                const QString& message) {
+  QMutexLocker lock(&s_mutex);
+  maybeCreate(lock)->addLog(Log(logLevel, modules, className, message), lock);
+}
+
+// static
+LogHandler* LogHandler::maybeCreate(const QMutexLocker& proofOfLock) {
+  if (!s_instance) {
+    LogLevel minLogLevel = Debug;  // TODO: in prod, we should log >= warning
+    QStringList modules;
+    QProcessEnvironment pe = QProcessEnvironment::systemEnvironment();
+    if (pe.contains("MOZVPN_LEVEL")) {
+      QString level = pe.value("MOZVPN_LEVEL");
+      if (level == "info")
+        minLogLevel = Info;
+      else if (level == "warning")
+        minLogLevel = Warning;
+      else if (level == "error")
+        minLogLevel = Error;
+    }
+
+    if (pe.contains("MOZVPN_LOG")) {
+      QStringList parts = pe.value("MOZVPN_LOG").split(",");
+      for (const QString& part : parts) {
+        modules.append(part.trimmed());
+      }
+    }
+
+    s_instance = new LogHandler(minLogLevel, modules, proofOfLock);
+  }
+
+  return s_instance;
+}
+
+// static
+void LogHandler::prettyOutput(QTextStream& out, const LogHandler::Log& log) {
+  out << "[" << log.m_dateTime.toString("dd.MM.yyyy hh:mm:ss.zzz") << "] ";
+
+  switch (log.m_logLevel) {
+    case Debug:
+      out << "Debug: ";
+      break;
+    case Info:
+      out << "Info: ";
+      break;
+    case Warning:
+      out << "Warning: ";
+      break;
+    case Error:
+      out << "Error: ";
+      break;
+    default:
+      out << "?!?: ";
+      break;
+  }
+
+  if (log.m_fromQT) {
+    out << log.m_message;
+
+    if (!log.m_file.isEmpty() || !log.m_function.isEmpty()) {
+      out << " (";
+
+      if (!log.m_file.isEmpty()) {
+        int pos = log.m_file.lastIndexOf("/");
+        out << log.m_file.right(log.m_file.length() - pos - 1);
+
+        if (log.m_line >= 0) {
+          out << ":" << log.m_line;
+        }
+
+        if (!log.m_function.isEmpty()) {
+          out << ", ";
+        }
+      }
+
+      if (!log.m_function.isEmpty()) {
+        out << log.m_function;
+      }
+
+      out << ")";
+    }
+  } else {
+    out << "(" << log.m_modules.join("|") << " - " << log.m_className << ") "
+        << log.m_message;
+  }
+
+  out << Qt::endl;
+}
+
+// static
+void LogHandler::enableDebug() {
+  QMutexLocker lock(&s_mutex);
+  maybeCreate(lock)->m_showDebug = true;
+}
+
+LogHandler::LogHandler(LogLevel minLogLevel, const QStringList& modules,
+                       const QMutexLocker& proofOfLock)
+    : m_minLogLevel(minLogLevel), m_modules(modules) {
+  Q_UNUSED(proofOfLock);
+
+#if defined(QT_DEBUG) || defined(MVPN_WASM)
+  m_showDebug = true;
+#endif
+
+  if (!s_location.isEmpty()) {
+    openLogFile(proofOfLock);
+  }
+}
+
+void LogHandler::addLog(const Log& log, const QMutexLocker& proofOfLock) {
+  if (!matchLogLevel(log, proofOfLock)) {
+    return;
+  }
+
+  if (!matchModule(log, proofOfLock)) {
+    return;
+  }
+
+  if (m_output) {
+    prettyOutput(*m_output, log);
+  }
+
+  if ((log.m_logLevel != LogLevel::Debug) || m_showDebug) {
+    QTextStream out(stderr);
+    prettyOutput(out, log);
+  }
+
+  QByteArray buffer;
+  {
+    QTextStream out(&buffer);
+    prettyOutput(out, log);
+  }
+
+  emit logEntryAdded(buffer);
+
+#if defined(MVPN_ANDROID) && defined(QT_DEBUG)
+  const char* str = buffer.constData();
+  if (str) {
+    __android_log_write(ANDROID_LOG_DEBUG, "mozillavpn", str);
+  }
+#endif
+}
+
+bool LogHandler::matchModule(const Log& log,
+                             const QMutexLocker& proofOfLock) const {
+  Q_UNUSED(proofOfLock);
+
+  // Let's include QT logs always.
+  if (log.m_fromQT) {
+    return true;
+  }
+
+  // If no modules has been specified, let's include all.
+  if (m_modules.isEmpty()) {
+    return true;
+  }
+
+  for (const QString& module : log.m_modules) {
+    if (m_modules.contains(module)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+bool LogHandler::matchLogLevel(const Log& log,
+                               const QMutexLocker& proofOfLock) const {
+  Q_UNUSED(proofOfLock);
+  return log.m_logLevel >= m_minLogLevel;
+}
+
+// static
+void LogHandler::writeLogs(QTextStream& out) {
+  QMutexLocker lock(&s_mutex);
+
+  if (!s_instance || !s_instance->m_logFile) {
+    return;
+  }
+
+  QString logFileName = s_instance->m_logFile->fileName();
+  s_instance->closeLogFile(lock);
+
+  {
+    QFile file(logFileName);
+    if (!file.open(QIODevice::ReadOnly | QIODevice::Text)) {
+      return;
+    }
+
+    out << file.readAll();
+  }
+
+  s_instance->openLogFile(lock);
+}
+
+// static
+void LogHandler::cleanupLogs() {
+  QMutexLocker lock(&s_mutex);
+  cleanupLogFile(lock);
+}
+
+// static
+void LogHandler::cleanupLogFile(const QMutexLocker& proofOfLock) {
+  if (!s_instance || !s_instance->m_logFile) {
+    return;
+  }
+
+  QString logFileName = s_instance->m_logFile->fileName();
+  s_instance->closeLogFile(proofOfLock);
+
+  {
+    QFile file(logFileName);
+    file.remove();
+  }
+
+  s_instance->openLogFile(proofOfLock);
+}
+
+// static
+void LogHandler::setLocation(const QString& path) {
+  QMutexLocker lock(&s_mutex);
+  s_location = path;
+
+  if (s_instance && s_instance->m_logFile) {
+    cleanupLogFile(lock);
+  }
+}
+
+void LogHandler::openLogFile(const QMutexLocker& proofOfLock) {
+  Q_UNUSED(proofOfLock);
+  Q_ASSERT(!m_logFile);
+  Q_ASSERT(!m_output);
+
+  QDir appDataLocation(s_location);
+  if (!appDataLocation.exists()) {
+    QDir tmp(s_location);
+    tmp.cdUp();
+    if (!tmp.exists()) {
+      return;
+    }
+    if (!tmp.mkdir(appDataLocation.dirName())) {
+      return;
+    }
+  }
+
+  QString logFileName = appDataLocation.filePath(LOG_FILENAME);
+  m_logFile = new QFile(logFileName);
+  if (m_logFile->size() > LOG_MAX_FILE_SIZE) {
+    m_logFile->remove();
+  }
+
+  if (!m_logFile->open(QIODevice::WriteOnly | QIODevice::Append |
+                       QIODevice::Text)) {
+    delete m_logFile;
+    m_logFile = nullptr;
+    return;
+  }
+
+  m_output = new QTextStream(m_logFile);
+
+  addLog(Log(Debug, QStringList{LOG_MAIN}, "LogHandler",
+             QString("Log file: %1").arg(logFileName)),
+         proofOfLock);
+}
+
+void LogHandler::closeLogFile(const QMutexLocker& proofOfLock) {
+  Q_UNUSED(proofOfLock);
+
+  if (m_logFile) {
+    delete m_output;
+    m_output = nullptr;
+
+    delete m_logFile;
+    m_logFile = nullptr;
+  }
+}
diff --git a/client/loghandler.h b/client/loghandler.h
new file mode 100644
index 00000000..653027c8
--- /dev/null
+++ b/client/loghandler.h
@@ -0,0 +1,102 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef LOGHANDLER_H
+#define LOGHANDLER_H
+
+#include "loglevel.h"
+
+#include <QDateTime>
+#include <QObject>
+#include <QVector>
+
+class QFile;
+class QMutexLocker;
+class QTextStream;
+
+class LogHandler final : public QObject {
+  Q_OBJECT
+
+ public:
+  struct Log {
+    Log() = default;
+
+    Log(LogLevel logLevel, const QStringList& modules, const QString& className,
+        const QString& message)
+        : m_logLevel(logLevel),
+          m_dateTime(QDateTime::currentDateTime()),
+          m_modules(modules),
+          m_className(className),
+          m_message(message),
+          m_fromQT(false) {}
+
+    Log(LogLevel logLevel, const QString& file, const QString& function,
+        uint32_t line, const QString& message)
+        : m_logLevel(logLevel),
+          m_dateTime(QDateTime::currentDateTime()),
+          m_file(file),
+          m_function(function),
+          m_message(message),
+          m_line(line),
+          m_fromQT(true) {}
+
+    LogLevel m_logLevel = LogLevel::Debug;
+    QDateTime m_dateTime;
+    QString m_file;
+    QString m_function;
+    QStringList m_modules;
+    QString m_className;
+    QString m_message;
+    int32_t m_line = -1;
+    bool m_fromQT = false;
+  };
+
+  static LogHandler* instance();
+
+  static void messageQTHandler(QtMsgType type,
+                               const QMessageLogContext& context,
+                               const QString& message);
+
+  static void messageHandler(LogLevel logLevel, const QStringList& modules,
+                             const QString& className, const QString& message);
+
+  static void prettyOutput(QTextStream& out, const LogHandler::Log& log);
+
+  static void writeLogs(QTextStream& out);
+
+  static void cleanupLogs();
+
+  static void setLocation(const QString& path);
+
+  static void enableDebug();
+
+ signals:
+  void logEntryAdded(const QByteArray& log);
+
+ private:
+  LogHandler(LogLevel m_minLogLevel, const QStringList& modules,
+             const QMutexLocker& proofOfLock);
+
+  static LogHandler* maybeCreate(const QMutexLocker& proofOfLock);
+
+  void addLog(const Log& log, const QMutexLocker& proofOfLock);
+
+  bool matchLogLevel(const Log& log, const QMutexLocker& proofOfLock) const;
+  bool matchModule(const Log& log, const QMutexLocker& proofOfLock) const;
+
+  void openLogFile(const QMutexLocker& proofOfLock);
+
+  void closeLogFile(const QMutexLocker& proofOfLock);
+
+  static void cleanupLogFile(const QMutexLocker& proofOfLock);
+
+  const LogLevel m_minLogLevel;
+  const QStringList m_modules;
+  bool m_showDebug = false;
+
+  QFile* m_logFile = nullptr;
+  QTextStream* m_output = nullptr;
+};
+
+#endif  // LOGHANDLER_H
diff --git a/client/loglevel.h b/client/loglevel.h
new file mode 100644
index 00000000..0bdec85b
--- /dev/null
+++ b/client/loglevel.h
@@ -0,0 +1,15 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef LOGLEVEL_H
+#define LOGLEVEL_H
+
+enum LogLevel {
+  Debug,
+  Info,
+  Warning,
+  Error,
+};
+
+#endif  // LOGLEVEL_H
diff --git a/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/128.png b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/128.png
new file mode 100644
index 00000000..e5e082bd
Binary files /dev/null and b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/128.png differ
diff --git a/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/128@2x.png b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/128@2x.png
new file mode 100644
index 00000000..424e25c8
Binary files /dev/null and b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/128@2x.png differ
diff --git a/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/16.png b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/16.png
new file mode 100644
index 00000000..c825b409
Binary files /dev/null and b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/16.png differ
diff --git a/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/16@2x.png b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/16@2x.png
new file mode 100644
index 00000000..ce79c416
Binary files /dev/null and b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/16@2x.png differ
diff --git a/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/256.png b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/256.png
new file mode 100644
index 00000000..1e533c14
Binary files /dev/null and b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/256.png differ
diff --git a/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/256@2x.png b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/256@2x.png
new file mode 100644
index 00000000..9a674e3f
Binary files /dev/null and b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/256@2x.png differ
diff --git a/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/32.png b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/32.png
new file mode 100644
index 00000000..580451a8
Binary files /dev/null and b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/32.png differ
diff --git a/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/32@2x.png b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/32@2x.png
new file mode 100644
index 00000000..2ef376fc
Binary files /dev/null and b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/32@2x.png differ
diff --git a/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/512.png b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/512.png
new file mode 100644
index 00000000..11dcfc16
Binary files /dev/null and b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/512.png differ
diff --git a/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/512@2x.png b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/512@2x.png
new file mode 100644
index 00000000..7afbfdd1
Binary files /dev/null and b/client/macos/app/Images-beta.xcassets/AppIcon.appiconset/512@2x.png differ
diff --git a/client/macos/app/Images.xcassets/AppIcon.appiconset/128.png b/client/macos/app/Images.xcassets/AppIcon.appiconset/128.png
new file mode 100644
index 00000000..1be4f3f5
Binary files /dev/null and b/client/macos/app/Images.xcassets/AppIcon.appiconset/128.png differ
diff --git a/client/macos/app/Images.xcassets/AppIcon.appiconset/128@2x.png b/client/macos/app/Images.xcassets/AppIcon.appiconset/128@2x.png
new file mode 100644
index 00000000..7ebd9732
Binary files /dev/null and b/client/macos/app/Images.xcassets/AppIcon.appiconset/128@2x.png differ
diff --git a/client/macos/app/Images.xcassets/AppIcon.appiconset/16.png b/client/macos/app/Images.xcassets/AppIcon.appiconset/16.png
new file mode 100644
index 00000000..8eec5064
Binary files /dev/null and b/client/macos/app/Images.xcassets/AppIcon.appiconset/16.png differ
diff --git a/client/macos/app/Images.xcassets/AppIcon.appiconset/16@2x.png b/client/macos/app/Images.xcassets/AppIcon.appiconset/16@2x.png
new file mode 100644
index 00000000..d3085f40
Binary files /dev/null and b/client/macos/app/Images.xcassets/AppIcon.appiconset/16@2x.png differ
diff --git a/client/macos/app/Images.xcassets/AppIcon.appiconset/256.png b/client/macos/app/Images.xcassets/AppIcon.appiconset/256.png
new file mode 100644
index 00000000..95708591
Binary files /dev/null and b/client/macos/app/Images.xcassets/AppIcon.appiconset/256.png differ
diff --git a/client/macos/app/Images.xcassets/AppIcon.appiconset/256@2x.png b/client/macos/app/Images.xcassets/AppIcon.appiconset/256@2x.png
new file mode 100644
index 00000000..d3b06078
Binary files /dev/null and b/client/macos/app/Images.xcassets/AppIcon.appiconset/256@2x.png differ
diff --git a/client/macos/app/Images.xcassets/AppIcon.appiconset/32.png b/client/macos/app/Images.xcassets/AppIcon.appiconset/32.png
new file mode 100644
index 00000000..4f12879d
Binary files /dev/null and b/client/macos/app/Images.xcassets/AppIcon.appiconset/32.png differ
diff --git a/client/macos/app/Images.xcassets/AppIcon.appiconset/32@2x.png b/client/macos/app/Images.xcassets/AppIcon.appiconset/32@2x.png
new file mode 100644
index 00000000..d837424b
Binary files /dev/null and b/client/macos/app/Images.xcassets/AppIcon.appiconset/32@2x.png differ
diff --git a/client/macos/app/Images.xcassets/AppIcon.appiconset/512.png b/client/macos/app/Images.xcassets/AppIcon.appiconset/512.png
new file mode 100644
index 00000000..0c636cfe
Binary files /dev/null and b/client/macos/app/Images.xcassets/AppIcon.appiconset/512.png differ
diff --git a/client/macos/app/Images.xcassets/AppIcon.appiconset/512@2x.png b/client/macos/app/Images.xcassets/AppIcon.appiconset/512@2x.png
new file mode 100644
index 00000000..018f668e
Binary files /dev/null and b/client/macos/app/Images.xcassets/AppIcon.appiconset/512@2x.png differ
diff --git a/client/macos/app/Images.xcassets/AppIcon.appiconset/Contents.json b/client/macos/app/Images.xcassets/AppIcon.appiconset/Contents.json
new file mode 100644
index 00000000..93a6772e
--- /dev/null
+++ b/client/macos/app/Images.xcassets/AppIcon.appiconset/Contents.json
@@ -0,0 +1,68 @@
+{
+  "images" : [
+    {
+      "filename" : "16.png",
+      "idiom" : "mac",
+      "scale" : "1x",
+      "size" : "16x16"
+    },
+    {
+      "filename" : "16@2x.png",
+      "idiom" : "mac",
+      "scale" : "2x",
+      "size" : "16x16"
+    },
+    {
+      "filename" : "32.png",
+      "idiom" : "mac",
+      "scale" : "1x",
+      "size" : "32x32"
+    },
+    {
+      "filename" : "32@2x.png",
+      "idiom" : "mac",
+      "scale" : "2x",
+      "size" : "32x32"
+    },
+    {
+      "filename" : "128.png",
+      "idiom" : "mac",
+      "scale" : "1x",
+      "size" : "128x128"
+    },
+    {
+      "filename" : "128@2x.png",
+      "idiom" : "mac",
+      "scale" : "2x",
+      "size" : "128x128"
+    },
+    {
+      "filename" : "256.png",
+      "idiom" : "mac",
+      "scale" : "1x",
+      "size" : "256x256"
+    },
+    {
+      "filename" : "256@2x.png",
+      "idiom" : "mac",
+      "scale" : "2x",
+      "size" : "256x256"
+    },
+    {
+      "filename" : "512.png",
+      "idiom" : "mac",
+      "scale" : "1x",
+      "size" : "512x512"
+    },
+    {
+      "filename" : "512@2x.png",
+      "idiom" : "mac",
+      "scale" : "2x",
+      "size" : "512x512"
+    }
+  ],
+  "info" : {
+    "author" : "xcode",
+    "version" : 1
+  }
+}
diff --git a/client/macos/app/Images.xcassets/Contents.json b/client/macos/app/Images.xcassets/Contents.json
new file mode 100644
index 00000000..73c00596
--- /dev/null
+++ b/client/macos/app/Images.xcassets/Contents.json
@@ -0,0 +1,6 @@
+{
+  "info" : {
+    "author" : "xcode",
+    "version" : 1
+  }
+}
diff --git a/client/macos/app/Info.plist b/client/macos/app/Info.plist
new file mode 100644
index 00000000..c5372ec1
--- /dev/null
+++ b/client/macos/app/Info.plist
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>$(DEVELOPMENT_LANGUAGE)</string>
+
+	<key>CFBundleAllowMixedLocalizations</key>
+	<true/>
+
+	<key>CFBundleExecutable</key>
+	<string>${EXECUTABLE_NAME}</string>
+
+	<key>CFBundleIdentifier</key>
+	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+
+	<key>CFBundleName</key>
+	<string>$(PRODUCT_NAME)</string>
+
+	<key>CFBundlePackageType</key>
+	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
+
+	<key>CFBundleShortVersionString</key>
+	<string>$(MARKETING_VERSION)</string>
+
+	<key>CFBundleVersion</key>
+	<string>$(CURRENT_PROJECT_VERSION)</string>
+
+	<key>ITSAppUsesNonExemptEncryption</key>
+	<false/>
+
+	<key>LSApplicationCategoryType</key>
+	<string>public.app-category.utilities</string>
+
+	<key>LSMinimumSystemVersion</key>
+	<string>${MACOSX_DEPLOYMENT_TARGET}</string>
+
+	<key>LSMultipleInstancesProhibited</key>
+	<true/>
+
+	<key>NSPrincipalClass</key>
+	<string>NSApplication</string>
+
+	<key>NSSupportsAutomaticGraphicsSwitching</key>
+	<true/>
+</dict>
+</plist>
diff --git a/client/macos/app/WireGuard-Bridging-Header.h b/client/macos/app/WireGuard-Bridging-Header.h
new file mode 100644
index 00000000..40b6c89d
--- /dev/null
+++ b/client/macos/app/WireGuard-Bridging-Header.h
@@ -0,0 +1,29 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "wireguard-go-version.h"
+#include "3rd/wireguard-apple/Sources/WireGuardKitC/WireGuardKitC.h"
+
+#include <stdbool.h>
+#include <stdint.h>
+
+#define WG_KEY_LEN (32)
+#define WG_KEY_LEN_BASE64 (45)
+#define WG_KEY_LEN_HEX (65)
+
+void key_to_base64(char base64[WG_KEY_LEN_BASE64],
+                   const uint8_t key[WG_KEY_LEN]);
+bool key_from_base64(uint8_t key[WG_KEY_LEN], const char* base64);
+
+void key_to_hex(char hex[WG_KEY_LEN_HEX], const uint8_t key[WG_KEY_LEN]);
+bool key_from_hex(uint8_t key[WG_KEY_LEN], const char* hex);
+
+bool key_eq(const uint8_t key1[WG_KEY_LEN], const uint8_t key2[WG_KEY_LEN]);
+
+void write_msg_to_log(const char* tag, const char* msg);
+
+#import "TargetConditionals.h"
+#if TARGET_OS_OSX
+#  include <libproc.h>
+#endif
diff --git a/client/macos/app/app.entitlements b/client/macos/app/app.entitlements
new file mode 100644
index 00000000..1eaae6ec
--- /dev/null
+++ b/client/macos/app/app.entitlements
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.application-identifier</key>
+	<string>$(DEVELOPMENT_TEAM).$(APP_ID_MACOS)</string>
+
+	<key>com.apple.developer.networking.networkextension</key>
+	<array>
+		<string>packet-tunnel-provider</string>
+	</array>
+
+	<key>keychain-access-groups</key>
+	<array>
+		<string>$(DEVELOPMENT_TEAM).*</string>
+	</array>
+
+	<key>com.apple.developer.team-identifier</key>
+	<string>$(DEVELOPMENT_TEAM)</string>
+
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+
+	<key>com.apple.security.application-groups</key>
+	<array>
+		<string>$(DEVELOPMENT_TEAM).$(GROUP_ID_MACOS)</string>
+	</array>
+
+	<key>com.apple.security.network.client</key>
+	<true/>
+
+	<key>com.apple.security.network.server</key>
+	<true/>
+</dict>
+</plist>
diff --git a/client/macos/app/daemon.entitlements b/client/macos/app/daemon.entitlements
new file mode 100644
index 00000000..73f09a67
--- /dev/null
+++ b/client/macos/app/daemon.entitlements
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.application-identifier</key>
+	<string>$(DEVELOPMENT_TEAM).$(APP_ID_MACOS)</string>
+
+	<key>keychain-access-groups</key>
+	<array>
+		<string>$(DEVELOPMENT_TEAM).*</string>
+	</array>
+
+	<key>com.apple.developer.team-identifier</key>
+	<string>$(DEVELOPMENT_TEAM)</string>
+
+	<key>com.apple.security.application-groups</key>
+	<array>
+		<string>$(DEVELOPMENT_TEAM).$(GROUP_ID_MACOS)</string>
+	</array>
+
+	<key>com.apple.security.network.client</key>
+	<true/>
+
+	<key>com.apple.security.network.server</key>
+	<true/>
+</dict>
+</plist>
diff --git a/client/macos/gobridge/.gitignore b/client/macos/gobridge/.gitignore
new file mode 100644
index 00000000..5d25f8f5
--- /dev/null
+++ b/client/macos/gobridge/.gitignore
@@ -0,0 +1,3 @@
+.cache/
+.tmp/
+out/
diff --git a/client/macos/gobridge/api.go b/client/macos/gobridge/api.go
new file mode 100644
index 00000000..b6b4d311
--- /dev/null
+++ b/client/macos/gobridge/api.go
@@ -0,0 +1,225 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2018-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ */
+
+package main
+
+// #include <stdlib.h>
+// #include <sys/types.h>
+// static void callLogger(void *func, void *ctx, int level, const char *msg)
+// {
+// 	((void(*)(void *, int, const char *))func)(ctx, level, msg);
+// }
+import "C"
+
+import (
+	"fmt"
+	"math"
+	"os"
+	"os/signal"
+	"runtime"
+	"runtime/debug"
+	"strings"
+	"time"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
+)
+
+var loggerFunc unsafe.Pointer
+var loggerCtx unsafe.Pointer
+
+type CLogger int
+
+func cstring(s string) *C.char {
+	b, err := unix.BytePtrFromString(s)
+	if err != nil {
+		b := [1]C.char{}
+		return &b[0]
+	}
+	return (*C.char)(unsafe.Pointer(b))
+}
+
+func (l CLogger) Printf(format string, args ...interface{}) {
+	if uintptr(loggerFunc) == 0 {
+		return
+	}
+	C.callLogger(loggerFunc, loggerCtx, C.int(l), cstring(fmt.Sprintf(format, args...)))
+}
+
+type tunnelHandle struct {
+	*device.Device
+	*device.Logger
+}
+
+var tunnelHandles = make(map[int32]tunnelHandle)
+
+func init() {
+	signals := make(chan os.Signal)
+	signal.Notify(signals, unix.SIGUSR2)
+	go func() {
+		buf := make([]byte, os.Getpagesize())
+		for {
+			select {
+			case <-signals:
+				n := runtime.Stack(buf, true)
+				buf[n] = 0
+				if uintptr(loggerFunc) != 0 {
+					C.callLogger(loggerFunc, loggerCtx, 0, (*C.char)(unsafe.Pointer(&buf[0])))
+				}
+			}
+		}
+	}()
+}
+
+//export wgSetLogger
+func wgSetLogger(context, loggerFn uintptr) {
+	loggerCtx = unsafe.Pointer(context)
+	loggerFunc = unsafe.Pointer(loggerFn)
+}
+
+//export wgTurnOn
+func wgTurnOn(settings *C.char, tunFd int32) int32 {
+	logger := &device.Logger{
+		Verbosef: CLogger(0).Printf,
+		Errorf:   CLogger(1).Printf,
+	}
+	dupTunFd, err := unix.Dup(int(tunFd))
+	if err != nil {
+		logger.Errorf("Unable to dup tun fd: %v", err)
+		return -1
+	}
+
+	err = unix.SetNonblock(dupTunFd, true)
+	if err != nil {
+		logger.Errorf("Unable to set tun fd as non blocking: %v", err)
+		unix.Close(dupTunFd)
+		return -1
+	}
+	tun, err := tun.CreateTUNFromFile(os.NewFile(uintptr(dupTunFd), "/dev/tun"), 0)
+	if err != nil {
+		logger.Errorf("Unable to create new tun device from fd: %v", err)
+		unix.Close(dupTunFd)
+		return -1
+	}
+	logger.Verbosef("Attaching to interface")
+	dev := device.NewDevice(tun, conn.NewStdNetBind(), logger)
+
+	err = dev.IpcSet(C.GoString(settings))
+	if err != nil {
+		logger.Errorf("Unable to set IPC settings: %v", err)
+		unix.Close(dupTunFd)
+					dev.Close()
+		return -1
+	}
+
+	dev.Up()
+	logger.Verbosef("Device started")
+
+	var i int32
+	for i = 0; i < math.MaxInt32; i++ {
+		if _, exists := tunnelHandles[i]; !exists {
+			break
+		}
+	}
+	if i == math.MaxInt32 {
+		unix.Close(dupTunFd)
+					dev.Close()
+		return -1
+	}
+	tunnelHandles[i] = tunnelHandle{dev, logger}
+	return i
+}
+
+//export wgTurnOff
+func wgTurnOff(tunnelHandle int32) {
+	dev, ok := tunnelHandles[tunnelHandle]
+	if !ok {
+		return
+	}
+	delete(tunnelHandles, tunnelHandle)
+	dev.Close()
+}
+
+//export wgSetConfig
+func wgSetConfig(tunnelHandle int32, settings *C.char) int64 {
+	dev, ok := tunnelHandles[tunnelHandle]
+	if !ok {
+		return 0
+	}
+	err := dev.IpcSet(C.GoString(settings))
+	if err != nil {
+		dev.Errorf("Unable to set IPC settings: %v", err)
+		if ipcErr, ok := err.(*device.IPCError); ok {
+			return ipcErr.ErrorCode()
+		}
+		return -1
+	}
+	return 0
+}
+
+//export wgGetConfig
+func wgGetConfig(tunnelHandle int32) *C.char {
+	device, ok := tunnelHandles[tunnelHandle]
+	if !ok {
+		return nil
+	}
+	settings, err := device.IpcGet()
+	if err != nil {
+		return nil
+	}
+	return C.CString(settings)
+}
+
+//export wgBumpSockets
+func wgBumpSockets(tunnelHandle int32) {
+	dev, ok := tunnelHandles[tunnelHandle]
+	if !ok {
+		return
+	}
+	go func() {
+		for i := 0; i < 10; i++ {
+			err := dev.BindUpdate()
+			if err == nil {
+				dev.SendKeepalivesToPeersWithCurrentKeypair()
+				return
+			}
+			dev.Errorf("Unable to update bind, try %d: %v", i+1, err)
+			time.Sleep(time.Second / 2)
+		}
+		dev.Errorf("Gave up trying to update bind; tunnel is likely dysfunctional")
+	}()
+}
+
+//export wgDisableSomeRoamingForBrokenMobileSemantics
+func wgDisableSomeRoamingForBrokenMobileSemantics(tunnelHandle int32) {
+	dev, ok := tunnelHandles[tunnelHandle]
+	if !ok {
+		return
+	}
+	dev.DisableSomeRoamingForBrokenMobileSemantics()
+}
+
+//export wgVersion
+func wgVersion() *C.char {
+	info, ok := debug.ReadBuildInfo()
+	if !ok {
+		return C.CString("unknown")
+	}
+	for _, dep := range info.Deps {
+		if dep.Path == "golang.zx2c4.com/wireguard" {
+			parts := strings.Split(dep.Version, "-")
+			if len(parts) == 3 && len(parts[2]) == 12 {
+				return C.CString(parts[2][:7])
+			}
+			return C.CString(dep.Version)
+		}
+	}
+	return C.CString("unknown")
+}
+
+func main() {}
diff --git a/client/macos/gobridge/dummy.c b/client/macos/gobridge/dummy.c
new file mode 100644
index 00000000..d15abba5
--- /dev/null
+++ b/client/macos/gobridge/dummy.c
@@ -0,0 +1 @@
+// Empty
diff --git a/client/macos/gobridge/go.mod b/client/macos/gobridge/go.mod
new file mode 100644
index 00000000..8ec48163
--- /dev/null
+++ b/client/macos/gobridge/go.mod
@@ -0,0 +1,8 @@
+module golang.zx2c4.com/wireguard/apple
+
+go 1.16
+
+require (
+	golang.org/x/sys v0.0.0-20210308170721-88b6017d0656
+	golang.zx2c4.com/wireguard v0.0.0-20210307162820-f4695db51c39
+)
diff --git a/client/macos/gobridge/go.sum b/client/macos/gobridge/go.sum
new file mode 100644
index 00000000..89d522bb
--- /dev/null
+++ b/client/macos/gobridge/go.sum
@@ -0,0 +1,19 @@
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 h1:/ZScEX8SfEmUGRHs0gxpqteO5nfNW6axyZbBdw9A12g=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 h1:qWPm9rbaAMKs8Bq/9LRpbMqxWRVUAQwMI9fVrssnTfw=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210305215415-5cdee2b1b5a0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210308170721-88b6017d0656 h1:FuBaiPCiXkq4v+JY5JEGPU/HwEZwpVyDbu/KBz9fU+4=
+golang.org/x/sys v0.0.0-20210308170721-88b6017d0656/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.zx2c4.com/wireguard v0.0.0-20210307162820-f4695db51c39 h1:yv331J9aB1fuvxzneUKsRnWyhwK+aj495rADUXSP7Uk=
+golang.zx2c4.com/wireguard v0.0.0-20210307162820-f4695db51c39/go.mod h1:ojGPy+9W6ZSM8anL+xC67fvh8zPQJwA6KpFOHyDWLX4=
diff --git a/client/macos/gobridge/goruntime-boottime-over-monotonic.diff b/client/macos/gobridge/goruntime-boottime-over-monotonic.diff
new file mode 100644
index 00000000..2f7f54ed
--- /dev/null
+++ b/client/macos/gobridge/goruntime-boottime-over-monotonic.diff
@@ -0,0 +1,61 @@
+From 516dc0c15ff1ab781e0677606b5be72919251b3e Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 9 Dec 2020 14:07:06 +0100
+Subject: [PATCH] runtime: use libc_mach_continuous_time in nanotime on Darwin
+
+This makes timers account for having expired while a computer was
+asleep, which is quite common on mobile devices. Note that
+continuous_time absolute_time, except that it takes into account
+time spent in suspend.
+
+Fixes #24595
+
+Change-Id: Ia3282e8bd86f95ad2b76427063e60a005563f4eb
+---
+ src/runtime/sys_darwin.go      | 2 +-
+ src/runtime/sys_darwin_amd64.s | 2 +-
+ src/runtime/sys_darwin_arm64.s | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/runtime/sys_darwin.go b/src/runtime/sys_darwin.go
+index 4a3f2fc453..4a69403b32 100644
+--- a/src/runtime/sys_darwin.go
++++ b/src/runtime/sys_darwin.go
+@@ -440,7 +440,7 @@ func setNonblock(fd int32) {
+ //go:cgo_import_dynamic libc_usleep usleep "/usr/lib/libSystem.B.dylib"
+ 
+ //go:cgo_import_dynamic libc_mach_timebase_info mach_timebase_info "/usr/lib/libSystem.B.dylib"
+-//go:cgo_import_dynamic libc_mach_absolute_time mach_absolute_time "/usr/lib/libSystem.B.dylib"
++//go:cgo_import_dynamic libc_mach_continuous_time mach_continuous_time "/usr/lib/libSystem.B.dylib"
+ //go:cgo_import_dynamic libc_clock_gettime clock_gettime "/usr/lib/libSystem.B.dylib"
+ //go:cgo_import_dynamic libc_sigaction sigaction "/usr/lib/libSystem.B.dylib"
+ //go:cgo_import_dynamic libc_pthread_sigmask pthread_sigmask "/usr/lib/libSystem.B.dylib"
+diff --git a/src/runtime/sys_darwin_amd64.s b/src/runtime/sys_darwin_amd64.s
+index 630fb5df64..4499c88802 100644
+--- a/src/runtime/sys_darwin_amd64.s
++++ b/src/runtime/sys_darwin_amd64.s
+@@ -114,7 +114,7 @@ TEXT runtime·nanotime_trampoline(SB),NOSPLIT,$0
+ 	PUSHQ	BP
+ 	MOVQ	SP, BP
+ 	MOVQ	DI, BX
+-	CALL	libc_mach_absolute_time(SB)
++	CALL	libc_mach_continuous_time(SB)
+ 	MOVQ	AX, 0(BX)
+ 	MOVL	timebase<>+machTimebaseInfo_numer(SB), SI
+ 	MOVL	timebase<>+machTimebaseInfo_denom(SB), DI // atomic read
+diff --git a/src/runtime/sys_darwin_arm64.s b/src/runtime/sys_darwin_arm64.s
+index 96d2ed1076..f046545395 100644
+--- a/src/runtime/sys_darwin_arm64.s
++++ b/src/runtime/sys_darwin_arm64.s
+@@ -143,7 +143,7 @@ GLOBL timebase<>(SB),NOPTR,$(machTimebaseInfo__size)
+ 
+ TEXT runtime·nanotime_trampoline(SB),NOSPLIT,$40
+ 	MOVD	R0, R19
+-	BL	libc_mach_absolute_time(SB)
++	BL	libc_mach_continuous_time(SB)
+ 	MOVD	R0, 0(R19)
+ 	MOVW	timebase<>+machTimebaseInfo_numer(SB), R20
+ 	MOVD	$timebase<>+machTimebaseInfo_denom(SB), R21
+-- 
+2.30.1
+
diff --git a/client/macos/gobridge/module.modulemap b/client/macos/gobridge/module.modulemap
new file mode 100644
index 00000000..2ca39160
--- /dev/null
+++ b/client/macos/gobridge/module.modulemap
@@ -0,0 +1,5 @@
+module WireGuardKitGo {
+    umbrella header "wireguard.h"
+    link "wg-go"
+    export *
+}
diff --git a/client/macos/gobridge/wireguard-go-version.h b/client/macos/gobridge/wireguard-go-version.h
new file mode 100644
index 00000000..4e60b97e
--- /dev/null
+++ b/client/macos/gobridge/wireguard-go-version.h
@@ -0,0 +1 @@
+#define WIREGUARD_GO_VERSION "0.0.0"
diff --git a/client/macos/gobridge/wireguard.h b/client/macos/gobridge/wireguard.h
new file mode 100644
index 00000000..b442173f
--- /dev/null
+++ b/client/macos/gobridge/wireguard.h
@@ -0,0 +1,23 @@
+/* SPDX-License-Identifier: GPL-2.0
+ *
+ * Copyright (C) 2018-2020 WireGuard LLC. All Rights Reserved.
+ */
+
+#ifndef WIREGUARD_H
+#define WIREGUARD_H
+
+#include <sys/types.h>
+#include <stdint.h>
+#include <stdbool.h>
+
+typedef void (*logger_fn_t)(void* context, int level, const char* msg);
+extern void wgSetLogger(void* context, logger_fn_t logger_fn);
+extern int wgTurnOn(const char* settings, int32_t tun_fd);
+extern void wgTurnOff(int handle);
+extern int64_t wgSetConfig(int handle, const char* settings);
+extern char* wgGetConfig(int handle);
+extern void wgBumpSockets(int handle);
+extern void wgDisableSomeRoamingForBrokenMobileSemantics(int handle);
+extern const char* wgVersion();
+
+#endif
diff --git a/client/macos/nativemessaging/AmneziaVPNNativeMessaging.entitlements b/client/macos/nativemessaging/AmneziaVPNNativeMessaging.entitlements
new file mode 100644
index 00000000..ee95ab7e
--- /dev/null
+++ b/client/macos/nativemessaging/AmneziaVPNNativeMessaging.entitlements
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
+</dict>
+</plist>
diff --git a/client/macos/nativemessaging/Info.plist b/client/macos/nativemessaging/Info.plist
new file mode 100644
index 00000000..af6d59c5
--- /dev/null
+++ b/client/macos/nativemessaging/Info.plist
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleExecutable</key>
+	<string>${EXECUTABLE_NAME}</string>
+	<key>CFBundleIconFile</key>
+	<string></string>
+	<key>CFBundleIdentifier</key>
+	<string>${PRODUCT_BUNDLE_IDENTIFIER}</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>$(PRODUCT_NAME)</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>$(MARKETING_VERSION)</string>
+	<key>CFBundleVersion</key>
+	<string>$(CURRENT_PROJECT_VERSION)</string>
+	<key>ITSAppUsesNonExemptEncryption</key>
+	<false/>
+	<key>LSMinimumSystemVersion</key>
+	<string>${MACOSX_DEPLOYMENT_TARGET}</string>
+	<key>NSPrincipalClass</key>
+	<string>NSApplication</string>
+	<key>LSBackgroundOnly</key>
+	<true/>
+</dict>
+</plist>
diff --git a/client/macos/networkextension/AmneziaVPNNetworkExtension.entitlements b/client/macos/networkextension/AmneziaVPNNetworkExtension.entitlements
new file mode 100644
index 00000000..7e89a6d5
--- /dev/null
+++ b/client/macos/networkextension/AmneziaVPNNetworkExtension.entitlements
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.application-identifier</key>
+	<string>$(DEVELOPMENT_TEAM).$(NETEXT_ID_MACOS)</string>
+
+	<key>com.apple.developer.networking.networkextension</key>
+	<array>
+		<string>packet-tunnel-provider</string>
+	</array>
+
+	<key>keychain-access-groups</key>
+	<array>
+		<string>$(DEVELOPMENT_TEAM).*</string>
+	</array>
+
+	<key>com.apple.developer.team-identifier</key>
+	<string>$(DEVELOPMENT_TEAM)</string>
+
+	<key>com.apple.developer.system-extension.install</key>
+	<true/>
+
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+
+	<key>com.apple.security.application-groups</key>
+	<array>
+		<string>$(DEVELOPMENT_TEAM).$(GROUP_ID_MACOS)</string>
+	</array>
+
+	<key>com.apple.security.network.client</key>
+	<true/>
+
+	<key>com.apple.security.network.server</key>
+	<true/>
+</dict>
+</plist>
diff --git a/client/macos/networkextension/Info.plist b/client/macos/networkextension/Info.plist
new file mode 100644
index 00000000..96d82459
--- /dev/null
+++ b/client/macos/networkextension/Info.plist
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>$(DEVELOPMENT_LANGUAGE)</string>
+	<key>CFBundleDisplayName</key>
+	<string>AmneziaVPNNetworkExtension</string>
+	<key>CFBundleExecutable</key>
+	<string>$(EXECUTABLE_NAME)</string>
+	<key>CFBundleIdentifier</key>
+	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>$(PRODUCT_NAME)</string>
+	<key>CFBundlePackageType</key>
+	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
+	<key>CFBundleShortVersionString</key>
+	<string>$(MARKETING_VERSION)</string>
+	<key>CFBundleVersion</key>
+	<string>$(CURRENT_PROJECT_VERSION)</string>
+	<key>ITSAppUsesNonExemptEncryption</key>
+	<false/>
+	<key>LSMinimumSystemVersion</key>
+	<string>$(MACOSX_DEPLOYMENT_TARGET)</string>
+	<key>NSExtension</key>
+	<dict>
+		<key>NSExtensionPointIdentifier</key>
+		<string>com.apple.networkextension.packet-tunnel</string>
+		<key>NSExtensionPrincipalClass</key>
+		<string>$(PRODUCT_MODULE_NAME).PacketTunnelProvider</string>
+	</dict>
+</dict>
+</plist>
diff --git a/client/macos/networkextension/WireGuardNetworkExtension-Bridging-Header.h b/client/macos/networkextension/WireGuardNetworkExtension-Bridging-Header.h
new file mode 100644
index 00000000..bac84dfe
--- /dev/null
+++ b/client/macos/networkextension/WireGuardNetworkExtension-Bridging-Header.h
@@ -0,0 +1,25 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "macos/gobridge/wireguard.h"
+#include "wireguard-go-version.h"
+#include "3rd/wireguard-apple/Sources/WireGuardKitC/WireGuardKitC.h"
+
+#include <stdbool.h>
+#include <stdint.h>
+
+#define WG_KEY_LEN (32)
+#define WG_KEY_LEN_BASE64 (45)
+#define WG_KEY_LEN_HEX (65)
+
+void key_to_base64(char base64[WG_KEY_LEN_BASE64],
+                   const uint8_t key[WG_KEY_LEN]);
+bool key_from_base64(uint8_t key[WG_KEY_LEN], const char* base64);
+
+void key_to_hex(char hex[WG_KEY_LEN_HEX], const uint8_t key[WG_KEY_LEN]);
+bool key_from_hex(uint8_t key[WG_KEY_LEN], const char* hex);
+
+bool key_eq(const uint8_t key1[WG_KEY_LEN], const uint8_t key2[WG_KEY_LEN]);
+
+void write_msg_to_log(const char* tag, const char* msg);
diff --git a/client/main.cpp b/client/main.cpp
index 19c505d8..817e885f 100644
--- a/client/main.cpp
+++ b/client/main.cpp
@@ -116,15 +116,15 @@ int main(int argc, char *argv[])
 
     app.setQuitOnLastWindowClosed(false);
 
-    qRegisterMetaType<VpnProtocol::ConnectionState>("VpnProtocol::ConnectionState");
+    qRegisterMetaType<VpnProtocol::VpnConnectionState>("VpnProtocol::VpnConnectionState");
     qRegisterMetaType<ServerCredentials>("ServerCredentials");
 
     qRegisterMetaType<DockerContainer>("DockerContainer");
     qRegisterMetaType<TransportProto>("TransportProto");
-    qRegisterMetaType<Protocol>("Protocol");
+    qRegisterMetaType<Proto>("Proto");
     qRegisterMetaType<ServiceType>("ServiceType");
     qRegisterMetaType<Page>("Page");
-    qRegisterMetaType<VpnProtocol::ConnectionState>("ConnectionState");
+    qRegisterMetaType<VpnProtocol::VpnConnectionState>("ConnectionState");
 
     qRegisterMetaType<PageProtocolLogicBase *>("PageProtocolLogicBase *");
 
@@ -160,7 +160,7 @@ int main(int argc, char *argv[])
     engine->rootContext()->setContextProperty("NewServerProtocolsLogic", uiLogic->newServerProtocolsLogic());
     engine->rootContext()->setContextProperty("ServerListLogic", uiLogic->serverListLogic());
     engine->rootContext()->setContextProperty("ServerSettingsLogic", uiLogic->serverSettingsLogic());
-    engine->rootContext()->setContextProperty("ServerContainersLogic", uiLogic->serverVpnProtocolsLogic());
+    engine->rootContext()->setContextProperty("ServerContainersLogic", uiLogic->serverprotocolsLogic());
     engine->rootContext()->setContextProperty("ShareConnectionLogic", uiLogic->shareConnectionLogic());
     engine->rootContext()->setContextProperty("SitesLogic", uiLogic->sitesLogic());
     engine->rootContext()->setContextProperty("StartPageLogic", uiLogic->startPageLogic());
diff --git a/client/platforms/android/android_controller.h b/client/platforms/android/android_controller.h
index 97b088c7..a4734414 100644
--- a/client/platforms/android/android_controller.h
+++ b/client/platforms/android/android_controller.h
@@ -39,7 +39,7 @@ public:
     void setVpnConfig(const QJsonObject &newVpnConfig);
 
 signals:
-    void connectionStateChanged(VpnProtocol::ConnectionState state);
+    void connectionStateChanged(VpnProtocol::VpnConnectionState state);
 
     // This signal is emitted when the controller is initialized. Note that the
     // VPN tunnel can be already active. In this case, "connected" should be set
diff --git a/client/platforms/ios/WireGuard-Bridging-Header.h b/client/platforms/ios/WireGuard-Bridging-Header.h
new file mode 100644
index 00000000..40b6c89d
--- /dev/null
+++ b/client/platforms/ios/WireGuard-Bridging-Header.h
@@ -0,0 +1,29 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "wireguard-go-version.h"
+#include "3rd/wireguard-apple/Sources/WireGuardKitC/WireGuardKitC.h"
+
+#include <stdbool.h>
+#include <stdint.h>
+
+#define WG_KEY_LEN (32)
+#define WG_KEY_LEN_BASE64 (45)
+#define WG_KEY_LEN_HEX (65)
+
+void key_to_base64(char base64[WG_KEY_LEN_BASE64],
+                   const uint8_t key[WG_KEY_LEN]);
+bool key_from_base64(uint8_t key[WG_KEY_LEN], const char* base64);
+
+void key_to_hex(char hex[WG_KEY_LEN_HEX], const uint8_t key[WG_KEY_LEN]);
+bool key_from_hex(uint8_t key[WG_KEY_LEN], const char* hex);
+
+bool key_eq(const uint8_t key1[WG_KEY_LEN], const uint8_t key2[WG_KEY_LEN]);
+
+void write_msg_to_log(const char* tag, const char* msg);
+
+#import "TargetConditionals.h"
+#if TARGET_OS_OSX
+#  include <libproc.h>
+#endif
diff --git a/client/platforms/ios/bigint.h b/client/platforms/ios/bigint.h
new file mode 100644
index 00000000..ce45cf69
--- /dev/null
+++ b/client/platforms/ios/bigint.h
@@ -0,0 +1,127 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef BIGINT_H
+#define BIGINT_H
+
+#include <QVector>
+
+// This BigInt implementation is meant to be used for IPv6 addresses. It
+// doesn't support dynamic resize: when the max size is reached, the value
+// overflows. If you need to change the size, use `resize()`.
+
+class BigInt final {
+ public:
+  explicit BigInt(uint8_t bytes) {
+    m_value.resize(bytes);
+    memset(m_value.data(), 0, bytes);
+  }
+
+  BigInt(const BigInt& other) { m_value = other.m_value; }
+
+  const uint8_t* value() const { return m_value.data(); }
+
+  uint8_t size() const { return m_value.size(); }
+
+  // Assign operator.
+
+  BigInt& operator=(const BigInt& other) {
+    m_value = other.m_value;
+    return *this;
+  }
+
+  // Comparison operators.
+
+  bool operator==(const BigInt& other) const {
+    return m_value == other.m_value;
+  }
+
+  bool operator!=(const BigInt& other) const { return !(*this == other); }
+
+  bool operator<(const BigInt& other) const { return cmp(other) < 0; }
+
+  bool operator>(const BigInt& other) const { return cmp(other) > 0; }
+
+  bool operator<=(const BigInt& other) const { return cmp(other) <= 0; }
+
+  bool operator>=(const BigInt& other) const { return cmp(other) >= 0; }
+
+  // math operators (only some of them are implemented)
+
+  BigInt& operator++() {
+    for (int i = size() - 1; i >= 0; --i) {
+      if (m_value[i] < UINT8_MAX) {
+        ++m_value[i];
+        return *this;
+      }
+      m_value[i] = 0;
+    }
+
+    // overflow
+    memset(m_value.data(), 0, size());
+    return *this;
+  }
+
+  BigInt& operator+=(const BigInt& other) {
+    Q_ASSERT(other.size() == size());
+
+    uint8_t carry = 0;
+    for (int i = m_value.size() - 1; i >= 0; --i) {
+      uint16_t total = carry + m_value[i] + other.m_value[i];
+      m_value[i] = (uint8_t)(total & UINT8_MAX);
+      carry = (uint8_t)((total & 0xFF00) >> 8);
+    }
+
+    return *this;
+  }
+
+  // Shift operators
+
+  BigInt operator>>(int shift) {
+    BigInt x(size());
+    x = *this;
+
+    for (int i = 0; i < shift; i++) {
+      BigInt a(size());
+      a = x;
+
+      a.m_value[size() - 1] = x.m_value[size() - 1] >> 1;
+      for (int j = size() - 2; j >= 0; j--) {
+        a.m_value[j] = x.m_value[j] >> 1;
+        if ((x.m_value[j] & 1) != 0) {
+          a.m_value[j + 1] |= 128;  // Set most significant bit or a uint8_t
+        }
+      }
+
+      x = a;
+    }
+
+    return x;
+  }
+
+  void setValueAt(uint8_t value, uint8_t pos) {
+    Q_ASSERT(pos < size());
+    m_value[pos] = value;
+  }
+
+  uint8_t valueAt(uint8_t pos) const {
+    Q_ASSERT(size() > pos);
+    return m_value[pos];
+  }
+
+ private:
+  int cmp(const BigInt& other) const {
+    Q_ASSERT(size() == other.size());
+    for (int i = 0; i < size(); i++) {
+      int diff = (m_value[i] - other.m_value[i]);
+      if (diff != 0) return diff;
+    }
+    return 0;
+  }
+
+ private:
+  QVector<uint8_t> m_value;
+};
+
+#endif  // BIGINT_H
diff --git a/client/platforms/ios/bigintipv6addr.h b/client/platforms/ios/bigintipv6addr.h
new file mode 100644
index 00000000..a277de6d
--- /dev/null
+++ b/client/platforms/ios/bigintipv6addr.h
@@ -0,0 +1,86 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef BIGINTIPV6ADDR_H
+#define BIGINTIPV6ADDR_H
+
+#include "bigint.h"
+
+#include <QHostAddress>
+
+class BigIntIPv6Addr final {
+ public:
+  BigIntIPv6Addr() : m_value(16) {}
+
+  explicit BigIntIPv6Addr(const Q_IPV6ADDR& a) : m_value(16) {
+    for (int i = 0; i < 16; ++i) m_value.setValueAt(a[i], i);
+  }
+
+  BigIntIPv6Addr(const BigIntIPv6Addr& other) : m_value(16) { *this = other; }
+
+  Q_IPV6ADDR value() const {
+    Q_IPV6ADDR addr;
+    for (int i = 0; i < 16; ++i) addr[i] = m_value.valueAt(i);
+    return addr;
+  }
+
+  // Assign operator.
+
+  BigIntIPv6Addr& operator=(const BigIntIPv6Addr& other) {
+    m_value = other.m_value;
+    return *this;
+  }
+
+  // Comparison operators.
+
+  bool operator==(const BigIntIPv6Addr& other) const {
+    return m_value == other.m_value;
+  }
+
+  bool operator!=(const BigIntIPv6Addr& other) const {
+    return m_value != other.m_value;
+  }
+
+  bool operator<(const BigIntIPv6Addr& other) const {
+    return m_value < other.m_value;
+  }
+
+  bool operator>(const BigIntIPv6Addr& other) const {
+    return m_value > other.m_value;
+  }
+
+  bool operator<=(const BigIntIPv6Addr& other) const {
+    return m_value <= other.m_value;
+  }
+
+  bool operator>=(const BigIntIPv6Addr& other) const {
+    return m_value >= other.m_value;
+  }
+
+  // math operators (only some of them are implemented)
+
+  BigIntIPv6Addr& operator++() {
+    ++m_value;
+    return *this;
+  }
+
+  BigIntIPv6Addr& operator+=(const BigIntIPv6Addr& b) {
+    m_value += b.m_value;
+    return *this;
+  }
+
+  // Shift operators
+
+  BigIntIPv6Addr operator>>(int shift) {
+    BigIntIPv6Addr x;
+
+    x.m_value = m_value >> shift;
+    return x;
+  }
+
+ private:
+  BigInt m_value;
+};
+
+#endif  // BIGINTIPV6ADDR_H
diff --git a/client/platforms/ios/iosadjusthelper.h b/client/platforms/ios/iosadjusthelper.h
new file mode 100644
index 00000000..25c52fbd
--- /dev/null
+++ b/client/platforms/ios/iosadjusthelper.h
@@ -0,0 +1,16 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef IOSADJUSTHELPER_H
+#define IOSADJUSTHELPER_H
+
+#include <QString>
+
+class IOSAdjustHelper final {
+ public:
+  static void initialize();
+  static void trackEvent(const QString& eventToken);
+};
+
+#endif  // IOSADJUSTHELPER_H
diff --git a/client/platforms/ios/iosadjusthelper.mm b/client/platforms/ios/iosadjusthelper.mm
new file mode 100644
index 00000000..8133525c
--- /dev/null
+++ b/client/platforms/ios/iosadjusthelper.mm
@@ -0,0 +1,37 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "iosadjusthelper.h"
+#include "logger.h"
+#include "constants.h"
+
+#import <AdjustSdk/Adjust.h>
+
+namespace {
+
+Logger logger(LOG_IOS, "IOSAdjustHelper");
+
+}  // namespace
+
+void IOSAdjustHelper::initialize() {
+
+  NSString *adjustToken = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"ADJUST_SDK_TOKEN"];
+
+  if(adjustToken.length) {
+    NSString *environment = Constants::inProduction() ? ADJEnvironmentProduction : ADJEnvironmentSandbox;
+    ADJConfig *adjustConfig = [ADJConfig configWithAppToken:adjustToken
+                                                environment:environment];
+    [adjustConfig setLogLevel:ADJLogLevelDebug];
+    [Adjust appDidLaunch:adjustConfig];
+  }
+}
+
+void IOSAdjustHelper::trackEvent(const QString& eventToken) {
+  NSString *adjustToken = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"ADJUST_SDK_TOKEN"];
+
+  if(adjustToken.length) {
+    ADJEvent *event = [ADJEvent eventWithEventToken:eventToken.toNSString()];
+    [Adjust trackEvent:event];
+  }
+}
diff --git a/client/platforms/ios/iosauthenticationlistener.h b/client/platforms/ios/iosauthenticationlistener.h
new file mode 100644
index 00000000..02b83211
--- /dev/null
+++ b/client/platforms/ios/iosauthenticationlistener.h
@@ -0,0 +1,23 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef IOSAUTHENTICATIONLISTENER_H
+#define IOSAUTHENTICATIONLISTENER_H
+
+#include "authenticationlistener.h"
+
+#include <QObject>
+
+class IOSAuthenticationListener final : public AuthenticationListener {
+  Q_DISABLE_COPY_MOVE(IOSAuthenticationListener)
+
+ public:
+  IOSAuthenticationListener(QObject* parent);
+  ~IOSAuthenticationListener();
+
+  void start(const QString& codeChallenge, const QString& codeChallengeMethod,
+             const QString& emailAddress) override;
+};
+
+#endif  // IOSAUTHENTICATIONLISTENER_H
diff --git a/client/platforms/ios/iosauthenticationlistener.mm b/client/platforms/ios/iosauthenticationlistener.mm
new file mode 100644
index 00000000..ec5d2847
--- /dev/null
+++ b/client/platforms/ios/iosauthenticationlistener.mm
@@ -0,0 +1,139 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "iosauthenticationlistener.h"
+#include "leakdetector.h"
+#include "logger.h"
+#include "mozillavpn.h"
+#include "qmlengineholder.h"
+
+#include <QApplication>
+#include <QUrl>
+#include <QUrlQuery>
+#include <QtGui/qpa/qplatformnativeinterface.h>
+#include <QtGui>
+#include <QWindow>
+#include <QQmlApplicationEngine>
+
+#import <UIKit/UIKit.h>
+#import <AuthenticationServices/ASWebAuthenticationSession.h>
+
+namespace {
+
+Logger logger({LOG_IOS, LOG_MAIN}, "IOSAuthenticationListener");
+
+ASWebAuthenticationSession* session = nullptr;
+
+}  // namespace
+
+#if __IPHONE_OS_VERSION_MAX_ALLOWED >= 130000
+@interface ContextProvider : NSObject <ASWebAuthenticationPresentationContextProviding> {
+  UIView* m_view;
+}
+@end
+
+@implementation ContextProvider
+
+- (id)initWithUIView:(UIView*)uiView {
+  self = [super init];
+  if (self) {
+    m_view = uiView;
+  }
+  return self;
+}
+
+#  pragma mark - ASWebAuthenticationPresentationContextProviding
+- (nonnull ASPresentationAnchor)presentationAnchorForWebAuthenticationSession:
+    (nonnull ASWebAuthenticationSession*)session API_AVAILABLE(ios(13.0)) {
+  return m_view.window;
+}
+
+@end
+#endif
+
+IOSAuthenticationListener::IOSAuthenticationListener(QObject* parent)
+    : AuthenticationListener(parent) {
+  MVPN_COUNT_CTOR(IOSAuthenticationListener);
+}
+
+IOSAuthenticationListener::~IOSAuthenticationListener() {
+  MVPN_COUNT_DTOR(IOSAuthenticationListener);
+}
+
+void IOSAuthenticationListener::start(const QString& codeChallenge,
+                                      const QString& codeChallengeMethod,
+                                      const QString& emailAddress) {
+  logger.debug() << "IOSAuthenticationListener initialize";
+
+  QUrl url(createAuthenticationUrl(AmneziaVPN::AuthenticationInBrowser, codeChallenge,
+                                   codeChallengeMethod, emailAddress));
+  QUrlQuery query(url.query());
+  query.addQueryItem("platform", "ios");
+  url.setQuery(query);
+
+#ifdef QT_DEBUG
+  logger.debug() << "Authentication URL:" << url.toString();
+#endif
+
+  if (session) {
+    [session dealloc];
+    session = nullptr;
+  }
+
+  session = [[ASWebAuthenticationSession alloc]
+            initWithURL:url.toNSURL()
+      callbackURLScheme:@"mozilla-vpn"
+      completionHandler:^(NSURL* _Nullable callbackURL, NSError* _Nullable error) {
+        [session dealloc];
+        session = nullptr;
+
+        if (error) {
+          logger.error() << "Authentication failed:"
+                         << QString::fromNSString([error localizedDescription]);
+          logger.error() << "Code:" << [error code];
+          logger.error() << "Suggestion:"
+                         << QString::fromNSString([error localizedRecoverySuggestion]);
+          logger.error() << "Reason:" << QString::fromNSString([error localizedFailureReason]);
+
+          if ([error code] == ASWebAuthenticationSessionErrorCodeCanceledLogin) {
+            emit abortedByUser();
+          } else {
+            emit failed(ErrorHandler::RemoteServiceError);
+          }
+
+          return;
+        }
+
+        QUrl callbackUrl = QUrl::fromNSURL(callbackURL);
+        logger.debug() << "Authentication completed";
+
+        Q_ASSERT(callbackUrl.hasQuery());
+
+        QUrlQuery callbackUrlQuery(callbackUrl.query());
+        Q_ASSERT(callbackUrlQuery.hasQueryItem("code"));
+        QString code = callbackUrlQuery.queryItemValue("code");
+        emit completed(code);
+      }];
+
+#if __IPHONE_OS_VERSION_MAX_ALLOWED >= 130000
+  QObject* rootObject = QmlEngineHolder::instance()->engine()->rootObjects().first();
+  QWindow* window = qobject_cast<QWindow*>(rootObject);
+  Q_ASSERT(window);
+
+  UIView* view = static_cast<UIView*>(
+      QGuiApplication::platformNativeInterface()->nativeResourceForWindow("uiview", window));
+
+  if (@available(iOS 13, *)) {
+    session.presentationContextProvider = [[ContextProvider alloc] initWithUIView:view];
+  }
+#endif
+
+  if (![session start]) {
+    [session dealloc];
+    session = nullptr;
+
+    logger.error() << "Authentication failed: session doesn't start.";
+    emit failed(ErrorHandler::RemoteServiceError);
+  }
+}
diff --git a/client/platforms/ios/ioscontroller.h b/client/platforms/ios/ioscontroller.h
new file mode 100644
index 00000000..da18d5fe
--- /dev/null
+++ b/client/platforms/ios/ioscontroller.h
@@ -0,0 +1,39 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef IOSCONTROLLER_H
+#define IOSCONTROLLER_H
+
+#include "vpnprotocol.h"
+
+#include <QObject>
+
+class IOSVPNProtocol final : public VpnProtocol {
+  Q_DISABLE_COPY_MOVE(IOSVPNProtocol)
+
+ public:
+  IOSController();
+  ~IOSController();
+
+  void initialize(const Device* device, const Keys* keys) override;
+
+  void activate(const QList<Server>& serverList, const Device* device,
+                const Keys* keys,
+                const QList<IPAddressRange>& allowedIPAddressRanges,
+                const QList<QString>& vpnDisabledApps,
+                const QHostAddress& dnsServer, Reason reason) override;
+
+  void deactivate(Reason reason) override;
+
+  void checkStatus() override;
+
+  void getBackendLogs(std::function<void(const QString&)>&& callback) override;
+
+  void cleanupBackendLogs() override;
+
+ private:
+  bool m_checkingStatus = false;
+};
+
+#endif  // IOSCONTROLLER_H
diff --git a/client/platforms/ios/ioscontroller.mm b/client/platforms/ios/ioscontroller.mm
new file mode 100644
index 00000000..a90f24eb
--- /dev/null
+++ b/client/platforms/ios/ioscontroller.mm
@@ -0,0 +1,240 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "ioscontroller.h"
+#include "Mozilla_VPN-Swift.h"
+#include "device.h"
+#include "ipaddressrange.h"
+#include "keys.h"
+#include "leakdetector.h"
+#include "logger.h"
+#include "mozillavpn.h"
+#include "server.h"
+#include "settingsholder.h"
+
+#include <QByteArray>
+#include <QFile>
+#include <QHostAddress>
+
+namespace {
+
+Logger logger({LOG_IOS, LOG_CONTROLLER}, "IOSController");
+
+// Our Swift singleton.
+IOSControllerImpl* impl = nullptr;
+
+}  // namespace
+
+IOSController::IOSController() {
+  MVPN_COUNT_CTOR(IOSController);
+
+  logger.debug() << "created";
+
+  Q_ASSERT(!impl);
+}
+
+IOSController::~IOSController() {
+  MVPN_COUNT_DTOR(IOSController);
+
+  logger.debug() << "deallocated";
+
+  if (impl) {
+    [impl dealloc];
+    impl = nullptr;
+  }
+}
+
+void IOSController::initialize(const Device* device, const Keys* keys) {
+  Q_ASSERT(!impl);
+  Q_UNUSED(device);
+
+  logger.debug() << "Initializing Swift Controller";
+
+  static bool creating = false;
+  // No nested creation!
+  Q_ASSERT(creating == false);
+  creating = true;
+
+  QByteArray key = QByteArray::fromBase64(keys->privateKey().toLocal8Bit());
+
+  impl = [[IOSControllerImpl alloc] initWithBundleID:@VPN_NE_BUNDLEID
+      privateKey:key.toNSData()
+      deviceIpv4Address:device->ipv4Address().toNSString()
+      deviceIpv6Address:device->ipv6Address().toNSString()
+      closure:^(ConnectionState state, NSDate* date) {
+        logger.debug() << "Creation completed with connection state:" << state;
+        creating = false;
+
+        switch (state) {
+          case ConnectionStateError: {
+            [impl dealloc];
+            impl = nullptr;
+            emit initialized(false, false, QDateTime());
+            return;
+          }
+          case ConnectionStateConnected: {
+            Q_ASSERT(date);
+            QDateTime qtDate(QDateTime::fromNSDate(date));
+            emit initialized(true, true, qtDate);
+            return;
+          }
+          case ConnectionStateDisconnected:
+            // Just in case we are connecting, let's call disconnect.
+            [impl disconnect];
+            emit initialized(true, false, QDateTime());
+            return;
+        }
+      }
+      callback:^(BOOL a_connected) {
+        logger.debug() << "State changed: " << a_connected;
+        if (a_connected) {
+          emit connected();
+          return;
+        }
+
+        emit disconnected();
+      }];
+}
+
+void IOSController::activate(const QList<Server>& serverList, const Device* device,
+                             const Keys* keys, const QList<IPAddressRange>& allowedIPAddressRanges,
+                             const QList<QString>& vpnDisabledApps, const QHostAddress& dnsServer,
+                             Reason reason) {
+  Q_UNUSED(device);
+  Q_UNUSED(keys);
+
+  Q_ASSERT(serverList.length() == 1);
+  const Server& server = serverList[0];
+
+  // This feature is not supported on macos/ios yet.
+  Q_ASSERT(vpnDisabledApps.isEmpty());
+
+  logger.debug() << "IOSController activating" << server.hostname();
+
+  if (!impl) {
+    logger.error() << "Controller not correctly initialized";
+    emit disconnected();
+    return;
+  }
+
+  NSMutableArray<VPNIPAddressRange*>* allowedIPAddressRangesNS =
+      [NSMutableArray<VPNIPAddressRange*> arrayWithCapacity:allowedIPAddressRanges.length()];
+  for (const IPAddressRange& i : allowedIPAddressRanges) {
+    VPNIPAddressRange* range =
+        [[VPNIPAddressRange alloc] initWithAddress:i.ipAddress().toNSString()
+                               networkPrefixLength:i.range()
+                                            isIpv6:i.type() == IPAddressRange::IPv6];
+    [allowedIPAddressRangesNS addObject:[range autorelease]];
+  }
+
+  [impl connectWithDnsServer:dnsServer.toString().toNSString()
+           serverIpv6Gateway:server.ipv6Gateway().toNSString()
+             serverPublicKey:server.publicKey().toNSString()
+            serverIpv4AddrIn:server.ipv4AddrIn().toNSString()
+                  serverPort:server.choosePort()
+      allowedIPAddressRanges:allowedIPAddressRangesNS
+                 ipv6Enabled:SettingsHolder::instance()->ipv6Enabled()
+                      reason:reason
+             failureCallback:^() {
+               logger.error() << "IOSSWiftController - connection failed";
+               emit disconnected();
+             }];
+}
+
+void IOSController::deactivate(Reason reason) {
+  logger.debug() << "IOSController deactivated";
+
+  if (reason != ReasonNone) {
+    logger.debug() << "We do not need to disable the VPN for switching or connection check.";
+    emit disconnected();
+    return;
+  }
+
+  if (!impl) {
+    logger.error() << "Controller not correctly initialized";
+    emit disconnected();
+    return;
+  }
+
+  [impl disconnect];
+}
+
+void IOSController::checkStatus() {
+  logger.debug() << "Checking status";
+
+  if (m_checkingStatus) {
+    logger.warning() << "We are still waiting for the previous status.";
+    return;
+  }
+
+  if (!impl) {
+    logger.error() << "Controller not correctly initialized";
+    return;
+  }
+
+  m_checkingStatus = true;
+
+  [impl checkStatusWithCallback:^(NSString* serverIpv4Gateway, NSString* deviceIpv4Address,
+                                  NSString* configString) {
+    QString config = QString::fromNSString(configString);
+
+    m_checkingStatus = false;
+
+    if (config.isEmpty()) {
+      return;
+    }
+
+    uint64_t txBytes = 0;
+    uint64_t rxBytes = 0;
+
+    QStringList lines = config.split("\n");
+    for (const QString& line : lines) {
+      if (line.startsWith("tx_bytes=")) {
+        txBytes = line.split("=")[1].toULongLong();
+      } else if (line.startsWith("rx_bytes=")) {
+        rxBytes = line.split("=")[1].toULongLong();
+      }
+
+      if (txBytes && rxBytes) {
+        break;
+      }
+    }
+
+    logger.debug() << "ServerIpv4Gateway:" << QString::fromNSString(serverIpv4Gateway)
+                   << "DeviceIpv4Address:" << QString::fromNSString(deviceIpv4Address)
+                   << "RxBytes:" << rxBytes << "TxBytes:" << txBytes;
+    emit statusUpdated(QString::fromNSString(serverIpv4Gateway),
+                       QString::fromNSString(deviceIpv4Address), txBytes, rxBytes);
+  }];
+}
+
+void IOSController::getBackendLogs(std::function<void(const QString&)>&& a_callback) {
+  std::function<void(const QString&)> callback = std::move(a_callback);
+
+  QString groupId(GROUP_ID);
+  NSURL* groupPath = [[NSFileManager defaultManager]
+      containerURLForSecurityApplicationGroupIdentifier:groupId.toNSString()];
+
+  NSURL* path = [groupPath URLByAppendingPathComponent:@"networkextension.log"];
+
+  QFile file(QString::fromNSString([path path]));
+  if (!file.open(QIODevice::ReadOnly)) {
+    callback("Network extension log file missing or unreadable.");
+    return;
+  }
+
+  QByteArray content = file.readAll();
+  callback(content);
+}
+
+void IOSController::cleanupBackendLogs() {
+  QString groupId(GROUP_ID);
+  NSURL* groupPath = [[NSFileManager defaultManager]
+      containerURLForSecurityApplicationGroupIdentifier:groupId.toNSString()];
+
+  NSURL* path = [groupPath URLByAppendingPathComponent:@"networkextension.log"];
+
+  QFile file(QString::fromNSString([path path]));
+  file.remove();
+}
diff --git a/client/platforms/ios/ioscontroller.swift b/client/platforms/ios/ioscontroller.swift
new file mode 100644
index 00000000..40bb7006
--- /dev/null
+++ b/client/platforms/ios/ioscontroller.swift
@@ -0,0 +1,289 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import Foundation
+import NetworkExtension
+
+let vpnName = "Mozilla VPN"
+var vpnBundleID = "";
+
+@objc class VPNIPAddressRange : NSObject {
+    public var address: NSString = ""
+    public var networkPrefixLength: UInt8 = 0
+    public var isIpv6: Bool = false
+
+    @objc init(address: NSString, networkPrefixLength: UInt8, isIpv6: Bool) {
+        super.init()
+
+        self.address = address
+        self.networkPrefixLength = networkPrefixLength
+        self.isIpv6 = isIpv6
+    }
+}
+
+public class IOSControllerImpl : NSObject {
+
+    private var tunnel: NETunnelProviderManager? = nil
+    private var stateChangeCallback: ((Bool) -> Void?)? = nil
+    private var privateKey : PrivateKey? = nil
+    private var deviceIpv4Address: String? = nil
+    private var deviceIpv6Address: String? = nil
+
+    @objc enum ConnectionState: Int { case Error, Connected, Disconnected }
+
+    @objc init(bundleID: String, privateKey: Data, deviceIpv4Address: String, deviceIpv6Address: String, closure: @escaping (ConnectionState, Date?) -> Void, callback: @escaping (Bool) -> Void) {
+        super.init()
+
+        Logger.configureGlobal(tagged: "APP", withFilePath: "")
+
+        vpnBundleID = bundleID;
+        precondition(!vpnBundleID.isEmpty)
+
+        stateChangeCallback = callback
+        self.privateKey = PrivateKey(rawValue: privateKey)
+        self.deviceIpv4Address = deviceIpv4Address
+        self.deviceIpv6Address = deviceIpv6Address
+
+        NotificationCenter.default.addObserver(self, selector: #selector(self.vpnStatusDidChange(notification:)), name: Notification.Name.NEVPNStatusDidChange, object: nil)
+
+        NETunnelProviderManager.loadAllFromPreferences { [weak self] managers, error in
+            if let error = error {
+                Logger.global?.log(message: "Loading from preference failed: \(error)")
+                closure(ConnectionState.Error, nil)
+                return
+            }
+
+            if self == nil {
+                Logger.global?.log(message: "We are shutting down.")
+                return
+            }
+
+            let nsManagers = managers ?? []
+            Logger.global?.log(message: "We have received \(nsManagers.count) managers.")
+
+            let tunnel = nsManagers.first(where: IOSControllerImpl.isOurManager(_:))
+            if tunnel == nil {
+                Logger.global?.log(message: "Creating the tunnel")
+                self!.tunnel = NETunnelProviderManager()
+                closure(ConnectionState.Disconnected, nil)
+                return
+            }
+
+            Logger.global?.log(message: "Tunnel already exists")
+
+            self!.tunnel = tunnel
+            if tunnel?.connection.status == .connected {
+                closure(ConnectionState.Connected, tunnel?.connection.connectedDate)
+            } else {
+                closure(ConnectionState.Disconnected, nil)
+            }
+        }
+    }
+
+    @objc private func vpnStatusDidChange(notification: Notification) {
+        guard let session = (notification.object as? NETunnelProviderSession), tunnel?.connection == session else { return }
+
+        switch session.status {
+        case .connected:
+            Logger.global?.log(message: "STATE CHANGED: connected")
+        case .connecting:
+            Logger.global?.log(message: "STATE CHANGED: connecting")
+        case .disconnected:
+            Logger.global?.log(message: "STATE CHANGED: disconnected")
+        case .disconnecting:
+            Logger.global?.log(message: "STATE CHANGED: disconnecting")
+        case .invalid:
+            Logger.global?.log(message: "STATE CHANGED: invalid")
+        case .reasserting:
+            Logger.global?.log(message: "STATE CHANGED: reasserting")
+        default:
+            Logger.global?.log(message: "STATE CHANGED: unknown status")
+        }
+
+        // We care about "unknown" state changes.
+        if (session.status != .connected && session.status != .disconnected) {
+            return
+        }
+
+        stateChangeCallback?(session.status == .connected)
+    }
+
+    private static func isOurManager(_ manager: NETunnelProviderManager) -> Bool {
+        guard
+            let proto = manager.protocolConfiguration,
+            let tunnelProto = proto as? NETunnelProviderProtocol
+        else {
+            Logger.global?.log(message: "Ignoring manager because the proto is invalid.")
+            return false
+        }
+
+        if (tunnelProto.providerBundleIdentifier == nil) {
+            Logger.global?.log(message: "Ignoring manager because the bundle identifier is null.")
+            return false
+        }
+
+        if (tunnelProto.providerBundleIdentifier != vpnBundleID) {
+            Logger.global?.log(message: "Ignoring manager because the bundle identifier doesn't match.")
+            return false;
+        }
+
+        Logger.global?.log(message: "Found the manager with the correct bundle identifier: \(tunnelProto.providerBundleIdentifier!)")
+        return true
+    }
+
+    @objc func connect(dnsServer: String, serverIpv6Gateway: String, serverPublicKey: String, serverIpv4AddrIn: String, serverPort: Int,  allowedIPAddressRanges: Array<VPNIPAddressRange>, ipv6Enabled: Bool, reason: Int, failureCallback: @escaping () -> Void) {
+        Logger.global?.log(message: "Connecting")
+        assert(tunnel != nil)
+
+        // Let's remove the previous config if it exists.
+        (tunnel!.protocolConfiguration as? NETunnelProviderProtocol)?.destroyConfigurationReference()
+
+        let keyData = PublicKey(base64Key: serverPublicKey)!
+        let dnsServerIP = IPv4Address(dnsServer)
+        let ipv6GatewayIP = IPv6Address(serverIpv6Gateway)
+
+        var peerConfiguration = PeerConfiguration(publicKey: keyData)
+        peerConfiguration.endpoint = Endpoint(from: serverIpv4AddrIn + ":\(serverPort )")
+        peerConfiguration.allowedIPs = []
+
+        allowedIPAddressRanges.forEach {
+            if (!$0.isIpv6) {
+                peerConfiguration.allowedIPs.append(IPAddressRange(address: IPv4Address($0.address as String)!, networkPrefixLength: $0.networkPrefixLength))
+            } else if (ipv6Enabled) {
+                peerConfiguration.allowedIPs.append(IPAddressRange(address: IPv6Address($0.address as String)!, networkPrefixLength: $0.networkPrefixLength))
+            }
+        }
+
+        var peerConfigurations: [PeerConfiguration] = []
+        peerConfigurations.append(peerConfiguration)
+
+        var interface = InterfaceConfiguration(privateKey: privateKey!)
+
+        if let ipv4Address = IPAddressRange(from: deviceIpv4Address!),
+           let ipv6Address = IPAddressRange(from: deviceIpv6Address!) {
+            interface.addresses = [ipv4Address]
+            if (ipv6Enabled) {
+                interface.addresses.append(ipv6Address)
+            }
+        }
+        interface.dns = [ DNSServer(address: dnsServerIP!)]
+
+        if (ipv6Enabled) {
+            interface.dns.append(DNSServer(address: ipv6GatewayIP!))
+        }
+
+        let config = TunnelConfiguration(name: vpnName, interface: interface, peers: peerConfigurations)
+
+        self.configureTunnel(config: config, reason: reason, failureCallback: failureCallback)
+    }
+
+    func configureTunnel(config: TunnelConfiguration, reason: Int, failureCallback: @escaping () -> Void) {
+        let proto = NETunnelProviderProtocol(tunnelConfiguration: config)
+        proto!.providerBundleIdentifier = vpnBundleID
+
+        tunnel!.protocolConfiguration = proto
+        tunnel!.localizedDescription = vpnName
+        tunnel!.isEnabled = true
+
+        tunnel!.saveToPreferences { [unowned self] saveError in
+            if let error = saveError {
+                Logger.global?.log(message: "Connect Tunnel Save Error: \(error)")
+                failureCallback()
+                return
+            }
+
+            Logger.global?.log(message: "Saving the tunnel succeeded")
+
+            self.tunnel!.loadFromPreferences { error in
+                if let error = error {
+                    Logger.global?.log(message: "Connect Tunnel Load Error: \(error)")
+                    failureCallback()
+                    return
+                }
+
+                Logger.global?.log(message: "Loading the tunnel succeeded")
+
+                do {
+                    if (reason == 1 /* ReasonSwitching */) {
+                        let settings = config.asWgQuickConfig()
+                        let settingsData = settings.data(using: .utf8)!
+                        try (self.tunnel!.connection as? NETunnelProviderSession)?
+                                .sendProviderMessage(settingsData) { data in
+                            guard let data = data,
+                                let configString = String(data: data, encoding: .utf8)
+                            else {
+                                Logger.global?.log(message: "Failed to convert response to string")
+                                return
+                            }
+                        }
+                    } else {
+                        try (self.tunnel!.connection as? NETunnelProviderSession)?.startTunnel()
+                    }
+                } catch let error {
+                    Logger.global?.log(message: "Something went wrong: \(error)")
+                    failureCallback()
+                    return
+                }
+            }
+        }
+    }
+
+    @objc func disconnect() {
+        Logger.global?.log(message: "Disconnecting")
+        assert(tunnel != nil)
+        (tunnel!.connection as? NETunnelProviderSession)?.stopTunnel()
+    }
+
+    @objc func checkStatus(callback: @escaping (String, String, String) -> Void) {
+        Logger.global?.log(message: "Check status")
+        assert(tunnel != nil)
+
+        let proto = tunnel!.protocolConfiguration as? NETunnelProviderProtocol
+        if proto == nil {
+            callback("", "", "")
+            return
+        }
+
+        let tunnelConfiguration = proto?.asTunnelConfiguration()
+        if tunnelConfiguration == nil {
+            callback("", "", "")
+            return
+        }
+
+        let serverIpv4Gateway = tunnelConfiguration?.interface.dns[0].address
+        if serverIpv4Gateway == nil {
+            callback("", "", "")
+            return
+        }
+
+        let deviceIpv4Address = tunnelConfiguration?.interface.addresses[0].address
+        if deviceIpv4Address == nil {
+            callback("", "", "")
+            return
+        }
+
+        guard let session = tunnel?.connection as? NETunnelProviderSession
+        else {
+            callback("", "", "")
+            return
+        }
+
+        do {
+            try session.sendProviderMessage(Data([UInt8(0)])) { [callback] data in
+                guard let data = data,
+                      let configString = String(data: data, encoding: .utf8)
+                else {
+                    Logger.global?.log(message: "Failed to convert data to string")
+                    callback("", "", "")
+                    return
+                }
+
+                callback("\(serverIpv4Gateway!)", "\(deviceIpv4Address!)", configString)
+            }
+        } catch {
+            Logger.global?.log(message: "Failed to retrieve data from session")
+            callback("", "", "")
+        }
+    }
+}
diff --git a/client/platforms/ios/iosdatamigration.h b/client/platforms/ios/iosdatamigration.h
new file mode 100644
index 00000000..2c76792f
--- /dev/null
+++ b/client/platforms/ios/iosdatamigration.h
@@ -0,0 +1,15 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef IOSDATAMIGRATION_H
+#define IOSDATAMIGRATION_H
+
+#include <QString>
+
+class IOSDataMigration final {
+ public:
+  static void migrate();
+};
+
+#endif  // IOSDATAMIGRATION_H
diff --git a/client/platforms/ios/iosdatamigration.mm b/client/platforms/ios/iosdatamigration.mm
new file mode 100644
index 00000000..8342bb19
--- /dev/null
+++ b/client/platforms/ios/iosdatamigration.mm
@@ -0,0 +1,172 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "iosdatamigration.h"
+#include "device.h"
+#include "logger.h"
+#include "mozillavpn.h"
+#include "user.h"
+
+#include <QByteArray>
+#include <QJsonArray>
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QJsonValue>
+
+#import <Foundation/Foundation.h>
+
+namespace {
+Logger logger(LOG_IOS, "IOSDataMigration");
+
+void migrateUserDefaultData() {
+  AmneziaVPN* vpn = AmneziaVPN::instance();
+  Q_ASSERT(vpn);
+
+  NSUserDefaults* sud = [NSUserDefaults standardUserDefaults];
+  if (!sud) {
+    return;
+  }
+
+  NSData* userData = [sud dataForKey:@"user"];
+  if (userData) {
+    QByteArray json = QByteArray::fromNSData(userData);
+    if (!json.isEmpty()) {
+      logger.debug() << "User data to be migrated";
+      vpn->accountChecked(json);
+    }
+  }
+
+  NSData* deviceData = [sud dataForKey:@"device"];
+  if (deviceData) {
+    QByteArray json = QByteArray::fromNSData(deviceData);
+    logger.debug() << "Device data to be migrated";
+    // Nothing has to be done here because the device data is part of the user data.
+  }
+
+  NSData* serversData = [sud dataForKey:@"vpnServers"];
+  if (serversData) {
+    QByteArray json = QByteArray::fromNSData(serversData);
+    if (!json.isEmpty()) {
+      logger.debug() << "Server list data to be migrated";
+
+      // We need to wrap the server list in a object to make it similar to the REST API response.
+      QJsonDocument serverList = QJsonDocument::fromJson(json);
+      if (!serverList.isArray()) {
+        logger.error() << "Server list should be an array!";
+        return;
+      }
+
+      QJsonObject countriesObj;
+      countriesObj.insert("countries", QJsonValue(serverList.array()));
+
+      QJsonDocument doc;
+      doc.setObject(countriesObj);
+      if (!vpn->setServerList(doc.toJson())) {
+        logger.error() << "Server list cannot be imported";
+        return;
+      }
+    }
+  }
+
+  NSData* selectedCityData = [sud dataForKey:@"selectedCity"];
+  if (selectedCityData) {
+    QByteArray json = QByteArray::fromNSData(selectedCityData);
+    logger.debug() << "SelectedCity data to be migrated" << json;
+    // Nothing has to be done here because the device data is part of the user data.
+
+    QJsonDocument doc = QJsonDocument::fromJson(json);
+    if (!doc.isObject()) {
+      logger.error() << "SelectedCity should be an object";
+      return;
+    }
+
+    QJsonObject obj = doc.object();
+    QJsonValue code = obj.value("flagCode");
+    if (!code.isString()) {
+      logger.error() << "SelectedCity code should be a string";
+      return;
+    }
+
+    QJsonValue name = obj.value("code");
+    if (!name.isString()) {
+      logger.error() << "SelectedCity name should be a string";
+      return;
+    }
+
+    ServerData serverData;
+    if (vpn->serverCountryModel()->pickIfExists(code.toString(), name.toString(), serverData)) {
+      logger.debug() << "ServerCity found";
+      serverData.writeSettings();
+    }
+  }
+}
+
+void migrateKeychainData() {
+  NSData* service = [@"org.mozilla.guardian.credentials" dataUsingEncoding:NSUTF8StringEncoding];
+
+  NSMutableDictionary* query = [[NSMutableDictionary alloc] init];
+
+  [query setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
+  [query setObject:service forKey:(id)kSecAttrService];
+  [query setObject:(id)kCFBooleanTrue forKey:(id)kSecReturnData];
+  [query setObject:(id)kSecMatchLimitOne forKey:(id)kSecMatchLimit];
+
+  NSData* dataNS = NULL;
+  OSStatus status = SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef*)(void*)&dataNS);
+  [query release];
+
+  if (status != noErr) {
+    logger.error() << "No credentials found";
+    return;
+  }
+
+  QByteArray data = QByteArray::fromNSData(dataNS);
+  logger.debug() << "Credentials:" << logger.sensitive(data);
+
+  QJsonDocument json = QJsonDocument::fromJson(data);
+  if (!json.isObject()) {
+    logger.error() << "JSON object expected";
+    return;
+  }
+
+  QJsonObject obj = json.object();
+  QJsonValue deviceKeyValue = obj.value("deviceKeys");
+  if (!deviceKeyValue.isObject()) {
+    logger.error() << "JSON object should have a deviceKeys object";
+    return;
+  }
+
+  QJsonObject deviceKeyObj = deviceKeyValue.toObject();
+  QJsonValue publicKey = deviceKeyObj.value("publicKey");
+  if (!publicKey.isString()) {
+    logger.error() << "JSON deviceKey object should contain a publicKey value as string";
+    return;
+  }
+
+  QJsonValue privateKey = deviceKeyObj.value("privateKey");
+  if (!privateKey.isString()) {
+    logger.error() << "JSON deviceKey object should contain a privateKey value as string";
+    return;
+  }
+
+  QJsonValue token = obj.value("verificationToken");
+  if (!token.isString()) {
+    logger.error() << "JSON object should contain a verificationToken value s string";
+    return;
+  }
+
+  AmneziaVPN::instance()->deviceAdded(Device::currentDeviceName(), publicKey.toString(),
+                                      privateKey.toString());
+
+  AmneziaVPN::instance()->setToken(token.toString());
+}
+}
+
+// static
+void IOSDataMigration::migrate() {
+  logger.debug() << "IOS Data Migration";
+
+  migrateKeychainData();
+  migrateUserDefaultData();
+}
diff --git a/client/platforms/ios/iosglue.mm b/client/platforms/ios/iosglue.mm
new file mode 100644
index 00000000..854dfbfb
--- /dev/null
+++ b/client/platforms/ios/iosglue.mm
@@ -0,0 +1,249 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This file contains all the C functions needed by the Wireguard swift code.
+
+#include <stdlib.h>
+#include <string.h>
+
+#ifndef NETWORK_EXTENSION
+//#  include "logger.h"
+#else
+#  import <Foundation/Foundation.h>
+#  import <os/log.h>
+#endif
+
+#define MAX_LOG_FILE_SIZE 204800
+
+// Key base64/hex functions
+// ------------------------
+
+#define WG_KEY_LEN (32)
+#define WG_KEY_LEN_BASE64 (45)
+#define WG_KEY_LEN_HEX (65)
+
+#define EXPORT __attribute__((visibility("default")))
+
+extern "C" {
+EXPORT void key_to_base64(char base64[WG_KEY_LEN_BASE64], const uint8_t key[WG_KEY_LEN]);
+EXPORT bool key_from_base64(uint8_t key[WG_KEY_LEN], const char* base64);
+
+EXPORT void key_to_hex(char hex[WG_KEY_LEN_HEX], const uint8_t key[WG_KEY_LEN]);
+EXPORT bool key_from_hex(uint8_t key[WG_KEY_LEN], const char* hex);
+
+EXPORT bool key_eq(const uint8_t key1[WG_KEY_LEN], const uint8_t key2[WG_KEY_LEN]);
+
+EXPORT void write_msg_to_log(const char* tag, const char* msg);
+}
+
+EXPORT void key_to_base64(char base64[WG_KEY_LEN_BASE64], const uint8_t key[WG_KEY_LEN]) {
+  const char range[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+  const char padchar = '=';
+  int padlen = 0;
+
+  char* out = base64;
+  const uint8_t* in = key;
+
+  for (int i = 0; i < WG_KEY_LEN;) {
+    int chunk = 0;
+    chunk |= int(in[i++]) << 16;
+    if (i == WG_KEY_LEN) {
+      padlen = 2;
+    } else {
+      chunk |= int(in[i++]) << 8;
+      if (i == WG_KEY_LEN) {
+        padlen = 1;
+      } else {
+        chunk |= int(in[i++]);
+      }
+    }
+
+    int j = (chunk & 0x00fc0000) >> 18;
+    int k = (chunk & 0x0003f000) >> 12;
+    int l = (chunk & 0x00000fc0) >> 6;
+    int m = (chunk & 0x0000003f);
+
+    *out++ = range[j];
+    *out++ = range[k];
+
+    if (padlen > 1) {
+      *out++ = padchar;
+    } else {
+      *out++ = range[l];
+    }
+    if (padlen > 0) {
+      *out++ = padchar;
+    } else {
+      *out++ = range[m];
+    }
+  }
+
+  base64[WG_KEY_LEN_BASE64 - 1] = 0;
+}
+
+EXPORT bool key_from_base64(uint8_t key[WG_KEY_LEN], const char* base64) {
+  if (strlen(base64) != WG_KEY_LEN_BASE64 - 1 || base64[WG_KEY_LEN_BASE64 - 2] != '=') {
+    return false;
+  }
+
+  unsigned int buf = 0;
+  int nbits = 0;
+  uint8_t* out = key;
+  int offset = 0;
+  for (int i = 0; i < WG_KEY_LEN_BASE64; ++i) {
+    int ch = base64[i];
+    int d;
+
+    if (ch >= 'A' && ch <= 'Z') {
+      d = ch - 'A';
+    } else if (ch >= 'a' && ch <= 'z') {
+      d = ch - 'a' + 26;
+    } else if (ch >= '0' && ch <= '9') {
+      d = ch - '0' + 52;
+    } else if (ch == '+') {
+      d = 62;
+    } else if (ch == '/') {
+      d = 63;
+    } else {
+      d = -1;
+    }
+
+    if (d != -1) {
+      buf = (buf << 6) | d;
+      nbits += 6;
+      if (nbits >= 8) {
+        nbits -= 8;
+        out[offset++] = buf >> nbits;
+        buf &= (1 << nbits) - 1;
+      }
+    }
+  }
+
+  return true;
+}
+
+inline char toHex(uint8_t value) { return "0123456789abcdef"[value & 0xF]; }
+
+inline int fromHex(uint8_t c) {
+  return ((c >= '0') && (c <= '9'))
+             ? int(c - '0')
+             : ((c >= 'A') && (c <= 'F')) ? int(c - 'A' + 10)
+                                          : ((c >= 'a') && (c <= 'f')) ? int(c - 'a' + 10) : -1;
+}
+
+EXPORT void key_to_hex(char hex[WG_KEY_LEN_HEX], const uint8_t key[WG_KEY_LEN]) {
+  char* hexData = hex;
+  const unsigned char* data = (const unsigned char*)key;
+  for (int i = 0, o = 0; i < WG_KEY_LEN; ++i) {
+    hexData[o++] = toHex(data[i] >> 4);
+    hexData[o++] = toHex(data[i] & 0xf);
+  }
+
+  hex[WG_KEY_LEN_HEX - 1] = 0;
+}
+
+EXPORT bool key_from_hex(uint8_t key[WG_KEY_LEN], const char* hex) {
+  if (strlen(hex) != WG_KEY_LEN_HEX - 1) {
+    return false;
+  }
+
+  bool odd_digit = true;
+  unsigned char* result = (unsigned char*)key + WG_KEY_LEN;
+  for (int i = WG_KEY_LEN_HEX - 1; i >= 0; --i) {
+    int tmp = fromHex((unsigned char)(hex[i]));
+    if (tmp == -1) {
+      continue;
+    }
+
+    if (odd_digit) {
+      --result;
+      *result = tmp;
+      odd_digit = false;
+    } else {
+      *result |= tmp << 4;
+      odd_digit = true;
+    }
+  }
+
+  return true;
+}
+
+EXPORT bool key_eq(const uint8_t key1[WG_KEY_LEN], const uint8_t key2[WG_KEY_LEN]) {
+  for (int i = 0; i < WG_KEY_LEN; i++) {
+    if (key1[i] != key2[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+
+// Logging functions
+// -----------------
+
+#ifndef NETWORK_EXTENSION
+namespace {
+//Logger logger(LOG_IOS, "IOSSGlue");
+}
+#endif
+
+EXPORT void write_msg_to_log(const char* tag, const char* msg) {
+#ifndef NETWORK_EXTENSION
+//  logger.debug() << "Swift log - tag:" << tag << "msg: " << msg;
+#else
+  os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_DEBUG, "tag: %s - msg: %s", tag, msg);
+
+  @autoreleasepool {
+    NSString* groupId = [NSString stringWithUTF8String:GROUP_ID];
+    NSURL* groupPath =
+        [[NSFileManager defaultManager] containerURLForSecurityApplicationGroupIdentifier:groupId];
+
+    NSURL* pathUrl = [groupPath URLByAppendingPathComponent:@"networkextension.log"];
+    NSString* path = [pathUrl path];
+
+    if (![[NSFileManager defaultManager] fileExistsAtPath:path]) {
+      [[NSFileManager defaultManager] createFileAtPath:path contents:nil attributes:nil];
+    } else {
+      NSError* error = nil;
+
+      NSDictionary* fileAttributes = [[NSFileManager defaultManager] attributesOfItemAtPath:path
+                                                                                      error:&error];
+
+      if (error) {
+        return;
+      }
+
+      NSNumber* fileSizeNumber = [fileAttributes objectForKey:NSFileSize];
+      long long fileSize = [fileSizeNumber longLongValue];
+
+      if (fileSize > MAX_LOG_FILE_SIZE) {
+        [[NSFileManager defaultManager] removeItemAtPath:path error:&error];
+        [[NSFileManager defaultManager] createFileAtPath:path contents:nil attributes:nil];
+      }
+    }
+
+    NSError* error = nil;
+    NSFileHandle* fh = [NSFileHandle fileHandleForWritingToURL:pathUrl error:&error];
+    if (!fh) {
+      return;
+    }
+
+    NSString* dateString = [NSDateFormatter localizedStringFromDate:[NSDate date]
+                                                          dateStyle:NSDateFormatterShortStyle
+                                                          timeStyle:NSDateFormatterFullStyle];
+
+    NSString* str = [NSString stringWithFormat:@" - %s\n", msg];
+    NSData* data =
+        [[dateString stringByAppendingString:str] dataUsingEncoding:NSUTF8StringEncoding];
+
+    @try {
+      [fh seekToEndOfFile];
+      [fh writeData:data];
+    } @catch (NSException* exception) {
+    }
+
+    [fh closeFile];
+  }
+
+#endif
+}
diff --git a/client/platforms/ios/iosiaphandler.h b/client/platforms/ios/iosiaphandler.h
new file mode 100644
index 00000000..9ac3df80
--- /dev/null
+++ b/client/platforms/ios/iosiaphandler.h
@@ -0,0 +1,30 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef IOSIAPHANDLER_H
+#define IOSIAPHANDLER_H
+
+#include "iaphandler.h"
+
+class IOSIAPHandler final : public IAPHandler {
+  Q_OBJECT
+  Q_DISABLE_COPY_MOVE(IOSIAPHandler)
+
+ public:
+  explicit IOSIAPHandler(QObject* parent);
+  ~IOSIAPHandler();
+
+ public slots:
+  void productRegistered(void* product);
+  void processCompletedTransactions(const QStringList& ids);
+
+ protected:
+  void nativeRegisterProducts() override;
+  void nativeStartSubscription(Product* product) override;
+
+ private:
+  void* m_delegate = nullptr;
+};
+
+#endif  // IOSIAPHANDLER_H
diff --git a/client/platforms/ios/iosiaphandler.mm b/client/platforms/ios/iosiaphandler.mm
new file mode 100644
index 00000000..12a66e49
--- /dev/null
+++ b/client/platforms/ios/iosiaphandler.mm
@@ -0,0 +1,369 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "platforms/ios/iosiaphandler.h"
+#include "constants.h"
+#include "iosutils.h"
+#include "leakdetector.h"
+#include "logger.h"
+#include "mozillavpn.h"
+#include "networkrequest.h"
+#include "settingsholder.h"
+
+#include <QCoreApplication>
+#include <QJsonArray>
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QJsonValue>
+#include <QScopeGuard>
+
+#import <Foundation/Foundation.h>
+#import <StoreKit/StoreKit.h>
+
+namespace {
+Logger logger(LOG_IAP, "IOSIAPHandler");
+}  // namespace
+
+@interface IOSIAPHandlerDelegate
+    : NSObject <SKRequestDelegate, SKProductsRequestDelegate, SKPaymentTransactionObserver> {
+  IOSIAPHandler* m_handler;
+}
+@end
+
+@implementation IOSIAPHandlerDelegate
+
+- (id)initWithObject:(IOSIAPHandler*)handler {
+  self = [super init];
+  if (self) {
+    m_handler = handler;
+  }
+  return self;
+}
+
+- (void)productsRequest:(nonnull SKProductsRequest*)request
+     didReceiveResponse:(nonnull SKProductsResponse*)response {
+  logger.debug() << "Registration completed";
+
+  if (response.invalidProductIdentifiers) {
+    NSArray<NSString*>* products = response.invalidProductIdentifiers;
+    logger.error() << "Registration failure" << [products count];
+
+    for (unsigned long i = 0, count = [products count]; i < count; ++i) {
+      NSString* identifier = [products objectAtIndex:i];
+      QMetaObject::invokeMethod(m_handler, "unknownProductRegistered", Qt::QueuedConnection,
+                                Q_ARG(QString, QString::fromNSString(identifier)));
+    }
+  }
+
+  NSArray<SKProduct*>* products = response.products;
+  if (products) {
+    logger.debug() << "Products registered" << [products count];
+
+    for (unsigned long i = 0, count = [products count]; i < count; ++i) {
+      SKProduct* product = [[products objectAtIndex:i] retain];
+      QMetaObject::invokeMethod(m_handler, "productRegistered", Qt::QueuedConnection,
+                                Q_ARG(void*, product));
+    }
+  }
+
+  QMetaObject::invokeMethod(m_handler, "productsRegistrationCompleted", Qt::QueuedConnection);
+
+  [request release];
+}
+
+- (void)paymentQueue:(nonnull SKPaymentQueue*)queue
+    updatedTransactions:(nonnull NSArray<SKPaymentTransaction*>*)transactions {
+  logger.debug() << "payment queue:" << [transactions count];
+
+  QStringList completedTransactionIds;
+  bool failedTransactions = false;
+  bool canceledTransactions = false;
+  bool completedTransactions = false;
+
+  for (SKPaymentTransaction* transaction in transactions) {
+    switch (transaction.transactionState) {
+      case SKPaymentTransactionStateFailed:
+        logger.error() << "transaction failed";
+
+        if (transaction.error.code == SKErrorPaymentCancelled) {
+          canceledTransactions = true;
+        } else {
+          failedTransactions = true;
+        }
+        break;
+
+      case SKPaymentTransactionStateRestored:
+        [[fallthrough]];
+      case SKPaymentTransactionStatePurchased: {
+        QString identifier = QString::fromNSString(transaction.transactionIdentifier);
+        QDateTime date = QDateTime::fromNSDate(transaction.transactionDate);
+        logger.debug() << "transaction purchased - identifier: " << identifier
+                       << "- date:" << date.toString();
+
+        if (transaction.transactionState == SKPaymentTransactionStateRestored) {
+          SKPaymentTransaction* originalTransaction = transaction.originalTransaction;
+          if (originalTransaction) {
+            QString originalIdentifier =
+                QString::fromNSString(originalTransaction.transactionIdentifier);
+            QDateTime originalDate = QDateTime::fromNSDate(originalTransaction.transactionDate);
+            logger.debug() << "original transaction identifier: " << originalIdentifier
+                           << "- date:" << originalDate.toString();
+          }
+        }
+
+        completedTransactions = true;
+
+        SettingsHolder* settingsHolder = SettingsHolder::instance();
+        if (settingsHolder->hasSubscriptionTransaction(identifier)) {
+          logger.warning() << "This transaction has already been processed. Let's ignore it.";
+        } else {
+          completedTransactionIds.append(identifier);
+        }
+
+        break;
+      }
+      case SKPaymentTransactionStatePurchasing:
+        logger.debug() << "transaction purchasing";
+        break;
+      case SKPaymentTransactionStateDeferred:
+        logger.debug() << "transaction deferred";
+        break;
+      default:
+        logger.warning() << "transaction unknwon state";
+        break;
+    }
+  }
+
+  if (!completedTransactions && !canceledTransactions && !failedTransactions) {
+    // Nothing completed, nothing restored, nothing failed. Just purchasing transactions.
+    return;
+  }
+
+  if (canceledTransactions) {
+    logger.debug() << "Subscription canceled";
+    QMetaObject::invokeMethod(m_handler, "stopSubscription", Qt::QueuedConnection);
+    QMetaObject::invokeMethod(m_handler, "subscriptionCanceled", Qt::QueuedConnection);
+  } else if (failedTransactions) {
+    logger.error() << "Subscription failed";
+    QMetaObject::invokeMethod(m_handler, "stopSubscription", Qt::QueuedConnection);
+    QMetaObject::invokeMethod(m_handler, "subscriptionCanceled", Qt::QueuedConnection);
+  } else if (completedTransactionIds.isEmpty()) {
+    Q_ASSERT(completedTransactions);
+    logger.debug() << "Subscription completed - but all the transactions are known";
+    QMetaObject::invokeMethod(m_handler, "stopSubscription", Qt::QueuedConnection);
+    QMetaObject::invokeMethod(m_handler, "subscriptionCanceled", Qt::QueuedConnection);
+  } else if (AmneziaVPN::instance()->userAuthenticated()) {
+    Q_ASSERT(completedTransactions);
+    logger.debug() << "Subscription completed. Let's start the validation";
+    QMetaObject::invokeMethod(m_handler, "processCompletedTransactions", Qt::QueuedConnection,
+                              Q_ARG(QStringList, completedTransactionIds));
+  } else {
+    Q_ASSERT(completedTransactions);
+    logger.debug() << "Subscription completed - but the user is not authenticated yet";
+    QMetaObject::invokeMethod(m_handler, "stopSubscription", Qt::QueuedConnection);
+    QMetaObject::invokeMethod(m_handler, "subscriptionCanceled", Qt::QueuedConnection);
+  }
+
+  for (SKPaymentTransaction* transaction in transactions) {
+    switch (transaction.transactionState) {
+      case SKPaymentTransactionStateFailed:
+        [[fallthrough]];
+      case SKPaymentTransactionStateRestored:
+        [[fallthrough]];
+      case SKPaymentTransactionStatePurchased:
+        [queue finishTransaction:transaction];
+        break;
+      default:
+        break;
+    }
+  }
+}
+
+- (void)requestDidFinish:(SKRequest*)request {
+  logger.debug() << "Receipt refreshed correctly";
+  QMetaObject::invokeMethod(m_handler, "stopSubscription", Qt::QueuedConnection);
+  QMetaObject::invokeMethod(m_handler, "processCompletedTransactions", Qt::QueuedConnection,
+                            Q_ARG(QStringList, QStringList()));
+}
+
+- (void)request:(SKRequest*)request didFailWithError:(NSError*)error {
+  logger.error() << "Failed to refresh the receipt"
+                 << QString::fromNSString(error.localizedDescription);
+  QMetaObject::invokeMethod(m_handler, "stopSubscription", Qt::QueuedConnection);
+  QMetaObject::invokeMethod(m_handler, "subscriptionFailed", Qt::QueuedConnection);
+}
+
+@end
+
+IOSIAPHandler::IOSIAPHandler(QObject* parent) : IAPHandler(parent) {
+  MVPN_COUNT_CTOR(IOSIAPHandler);
+
+  m_delegate = [[IOSIAPHandlerDelegate alloc] initWithObject:this];
+  [[SKPaymentQueue defaultQueue]
+      addTransactionObserver:static_cast<IOSIAPHandlerDelegate*>(m_delegate)];
+}
+
+IOSIAPHandler::~IOSIAPHandler() {
+  MVPN_COUNT_DTOR(IOSIAPHandler);
+
+  IOSIAPHandlerDelegate* delegate = static_cast<IOSIAPHandlerDelegate*>(m_delegate);
+  [[SKPaymentQueue defaultQueue] removeTransactionObserver:delegate];
+
+  [delegate dealloc];
+  m_delegate = nullptr;
+}
+
+void IOSIAPHandler::nativeRegisterProducts() {
+  NSSet<NSString*>* productIdentifiers = [NSSet<NSString*> set];
+  for (const Product& product : m_products) {
+    productIdentifiers = [productIdentifiers setByAddingObject:product.m_name.toNSString()];
+  }
+
+  logger.debug() << "We are about to register" << [productIdentifiers count] << "products";
+
+  SKProductsRequest* productsRequest =
+      [[SKProductsRequest alloc] initWithProductIdentifiers:productIdentifiers];
+
+  IOSIAPHandlerDelegate* delegate = static_cast<IOSIAPHandlerDelegate*>(m_delegate);
+  productsRequest.delegate = delegate;
+  [productsRequest start];
+}
+
+void IOSIAPHandler::nativeStartSubscription(Product* product) {
+  Q_ASSERT(product->m_extra);
+  SKProduct* skProduct = static_cast<SKProduct*>(product->m_extra);
+  SKPayment* payment = [SKPayment paymentWithProduct:skProduct];
+  [[SKPaymentQueue defaultQueue] addPayment:payment];
+}
+
+void IOSIAPHandler::productRegistered(void* a_product) {
+  SKProduct* product = static_cast<SKProduct*>(a_product);
+
+  Q_ASSERT(m_productsRegistrationState == eRegistering);
+
+  logger.debug() << "Product registered";
+
+  NSString* nsProductIdentifier = [product productIdentifier];
+  QString productIdentifier = QString::fromNSString(nsProductIdentifier);
+
+  Product* productData = findProduct(productIdentifier);
+  Q_ASSERT(productData);
+
+  logger.debug() << "Id:" << productIdentifier;
+  logger.debug() << "Title:" << QString::fromNSString([product localizedTitle]);
+  logger.debug() << "Description:" << QString::fromNSString([product localizedDescription]);
+
+  QString priceValue;
+  {
+    NSNumberFormatter* numberFormatter = [[NSNumberFormatter alloc] init];
+    [numberFormatter setFormatterBehavior:NSNumberFormatterBehavior10_4];
+    [numberFormatter setNumberStyle:(NSNumberFormatterStyle)NSNumberFormatterCurrencyStyle];
+    [numberFormatter setLocale:product.priceLocale];
+
+    NSString* price = [numberFormatter stringFromNumber:product.price];
+    priceValue = QString::fromNSString(price);
+    [numberFormatter release];
+  }
+
+  logger.debug() << "Price:" << priceValue;
+
+  QString monthlyPriceValue;
+  NSDecimalNumber* monthlyPriceNS = nullptr;
+  {
+    NSNumberFormatter* numberFormatter = [[NSNumberFormatter alloc] init];
+    [numberFormatter setFormatterBehavior:NSNumberFormatterBehavior10_4];
+    [numberFormatter setNumberStyle:(NSNumberFormatterStyle)NSNumberFormatterCurrencyStyle];
+    [numberFormatter setLocale:product.priceLocale];
+
+    int32_t mounthCount = productTypeToMonthCount(productData->m_type);
+    Q_ASSERT(mounthCount >= 1);
+
+    if (mounthCount == 1) {
+      monthlyPriceNS = product.price;
+    } else {
+      NSDecimalNumber* divider = [[NSDecimalNumber alloc] initWithDouble:(double)mounthCount];
+      monthlyPriceNS = [product.price decimalNumberByDividingBy:divider];
+      [divider release];
+    }
+
+    NSString* price = [numberFormatter stringFromNumber:monthlyPriceNS];
+    monthlyPriceValue = QString::fromNSString(price);
+
+    [numberFormatter release];
+  }
+
+  logger.debug() << "Monthly Price:" << monthlyPriceValue;
+
+  productData->m_price = priceValue;
+  productData->m_monthlyPrice = monthlyPriceValue;
+  productData->m_nonLocalizedMonthlyPrice = [monthlyPriceNS doubleValue];
+  productData->m_extra = product;
+}
+
+void IOSIAPHandler::processCompletedTransactions(const QStringList& ids) {
+  logger.debug() << "process completed transactions";
+
+  if (m_subscriptionState != eActive) {
+    logger.warning() << "Random transaction to be completed. Let's ignore it";
+    return;
+  }
+
+  QString receipt = IOSUtils::IAPReceipt();
+  if (receipt.isEmpty()) {
+    logger.warning() << "Empty receipt found";
+    emit subscriptionFailed();
+    return;
+  }
+
+  NetworkRequest* request = NetworkRequest::createForIOSPurchase(this, receipt);
+
+  connect(request, &NetworkRequest::requestFailed,
+          [this](QNetworkReply::NetworkError error, const QByteArray& data) {
+            logger.error() << "Purchase request failed" << error;
+
+            if (m_subscriptionState != eActive) {
+              logger.warning() << "We have been canceled in the meantime";
+              return;
+            }
+
+            stopSubscription();
+
+            QJsonDocument json = QJsonDocument::fromJson(data);
+            if (!json.isObject()) {
+              AmneziaVPN::instance()->errorHandle(ErrorHandler::toErrorType(error));
+              emit subscriptionFailed();
+              return;
+            }
+
+            QJsonObject obj = json.object();
+            QJsonValue errorValue = obj.value("errno");
+            if (!errorValue.isDouble()) {
+              AmneziaVPN::instance()->errorHandle(ErrorHandler::toErrorType(error));
+              emit subscriptionFailed();
+              return;
+            }
+
+            int errorNumber = errorValue.toInt();
+            if (errorNumber != 145) {
+              AmneziaVPN::instance()->errorHandle(ErrorHandler::toErrorType(error));
+              emit subscriptionFailed();
+              return;
+            }
+
+            emit alreadySubscribed();
+          });
+
+  connect(request, &NetworkRequest::requestCompleted, [this, ids](const QByteArray&) {
+    logger.debug() << "Purchase request completed";
+    SettingsHolder::instance()->addSubscriptionTransactions(ids);
+
+    if (m_subscriptionState != eActive) {
+      logger.warning() << "We have been canceled in the meantime";
+      return;
+    }
+
+    stopSubscription();
+    emit subscriptionCompleted();
+  });
+}
diff --git a/client/platforms/ios/ioslogger.swift b/client/platforms/ios/ioslogger.swift
new file mode 100644
index 00000000..deb2285e
--- /dev/null
+++ b/client/platforms/ios/ioslogger.swift
@@ -0,0 +1,53 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import Foundation
+import os.log
+
+public class Logger {
+    static var global: Logger?
+
+    var tag: String
+
+    init(tagged tag: String) {
+        self.tag = tag
+    }
+
+    deinit {}
+
+    func log(message: String) {
+        write_msg_to_log(tag, message.trimmingCharacters(in: .newlines))
+    }
+
+    func writeLog(to targetFile: String) -> Bool {
+        return true;
+    }
+
+    static func configureGlobal(tagged tag: String, withFilePath filePath: String?) {
+        if Logger.global != nil {
+            return
+        }
+
+        Logger.global = Logger(tagged: tag)
+
+        var appVersion = Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String ?? "Unknown version"
+
+        if let appBuild = Bundle.main.infoDictionary?["CFBundleVersion"] as? String {
+            appVersion += " (\(appBuild))"
+        }
+
+        let goBackendVersion = WIREGUARD_GO_VERSION
+        Logger.global?.log(message: "App version: \(appVersion); Go backend version: \(goBackendVersion)")
+    }
+}
+
+func wg_log(_ type: OSLogType, staticMessage msg: StaticString) {
+    os_log(msg, log: OSLog.default, type: type)
+    Logger.global?.log(message: "\(msg)")
+}
+
+func wg_log(_ type: OSLogType, message msg: String) {
+    os_log("%{public}s", log: OSLog.default, type: type, msg)
+    Logger.global?.log(message: msg)
+}
diff --git a/client/platforms/ios/iosnotificationhandler.h b/client/platforms/ios/iosnotificationhandler.h
new file mode 100644
index 00000000..2845016a
--- /dev/null
+++ b/client/platforms/ios/iosnotificationhandler.h
@@ -0,0 +1,28 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef IOSNOTIFICATIONHANDLER_H
+#define IOSNOTIFICATIONHANDLER_H
+
+#include "ui/notificationhandler.h"
+
+#include <QObject>
+
+class IOSNotificationHandler final : public NotificationHandler {
+  Q_DISABLE_COPY_MOVE(IOSNotificationHandler)
+
+ public:
+  IOSNotificationHandler(QObject* parent);
+  ~IOSNotificationHandler();
+
+ protected:
+  void notify(Message type, const QString& title, const QString& message,
+              int timerMsec) override;
+
+ private:
+  void* m_delegate = nullptr;
+};
+
+
+#endif  // IOSNOTIFICATIONHANDLER_H
diff --git a/client/platforms/ios/iosnotificationhandler.mm b/client/platforms/ios/iosnotificationhandler.mm
new file mode 100644
index 00000000..a83cd70b
--- /dev/null
+++ b/client/platforms/ios/iosnotificationhandler.mm
@@ -0,0 +1,89 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "platforms/ios/iosnotificationhandler.h"
+
+#import <UserNotifications/UserNotifications.h>
+#import <Foundation/Foundation.h>
+#import <UIKit/UIKit.h>
+
+@interface IOSNotificationDelegate
+    : UIResponder <UIApplicationDelegate, UNUserNotificationCenterDelegate> {
+  IOSNotificationHandler* m_iosNotificationHandler;
+}
+@end
+
+@implementation IOSNotificationDelegate
+
+- (id)initWithObject:(IOSNotificationHandler*)notification {
+  self = [super init];
+  if (self) {
+    m_iosNotificationHandler = notification;
+  }
+  return self;
+}
+
+- (void)userNotificationCenter:(UNUserNotificationCenter*)center
+       willPresentNotification:(UNNotification*)notification
+         withCompletionHandler:
+             (void (^)(UNNotificationPresentationOptions options))completionHandler {
+  Q_UNUSED(center)
+  completionHandler(UNNotificationPresentationOptionAlert);
+}
+
+- (void)userNotificationCenter:(UNUserNotificationCenter*)center
+    didReceiveNotificationResponse:(UNNotificationResponse*)response
+             withCompletionHandler:(void (^)())completionHandler {
+  Q_UNUSED(center)
+  Q_UNUSED(response)
+  completionHandler();
+}
+@end
+
+IOSNotificationHandler::IOSNotificationHandler(QObject* parent) : NotificationHandler(parent) {
+
+  UNUserNotificationCenter* center = [UNUserNotificationCenter currentNotificationCenter];
+  [center requestAuthorizationWithOptions:(UNAuthorizationOptionSound | UNAuthorizationOptionAlert |
+                                           UNAuthorizationOptionBadge)
+                        completionHandler:^(BOOL granted, NSError* _Nullable error) {
+                          Q_UNUSED(granted);
+                          if (!error) {
+                            m_delegate = [[IOSNotificationDelegate alloc] initWithObject:this];
+                          }
+                        }];
+}
+
+IOSNotificationHandler::~IOSNotificationHandler() { }
+
+void IOSNotificationHandler::notify(NotificationHandler::Message type, const QString& title,
+                                    const QString& message, int timerMsec) {
+  Q_UNUSED(type);
+
+  if (!m_delegate) {
+    return;
+  }
+
+  UNMutableNotificationContent* content = [[UNMutableNotificationContent alloc] init];
+  content.title = title.toNSString();
+  content.body = message.toNSString();
+  content.sound = [UNNotificationSound defaultSound];
+
+  int timerSec = timerMsec / 1000;
+  UNTimeIntervalNotificationTrigger* trigger =
+      [UNTimeIntervalNotificationTrigger triggerWithTimeInterval:timerSec repeats:NO];
+
+  UNNotificationRequest* request = [UNNotificationRequest requestWithIdentifier:@"mozillavpn"
+                                                                        content:content
+                                                                        trigger:trigger];
+
+  UNUserNotificationCenter* center = [UNUserNotificationCenter currentNotificationCenter];
+  center.delegate = id(m_delegate);
+
+  [center addNotificationRequest:request
+           withCompletionHandler:^(NSError* _Nullable error) {
+             if (error) {
+               NSLog(@"Local Notification failed");
+             }
+           }];
+}
diff --git a/client/platforms/ios/iostunnel.swift b/client/platforms/ios/iostunnel.swift
new file mode 100644
index 00000000..a316d054
--- /dev/null
+++ b/client/platforms/ios/iostunnel.swift
@@ -0,0 +1,147 @@
+// SPDX-License-Identifier: MIT
+// Copyright © 2018-2020 WireGuard LLC. All Rights Reserved.
+
+import Foundation
+import NetworkExtension
+import os
+
+class PacketTunnelProvider: NEPacketTunnelProvider {
+
+    private lazy var wgAdapter: WireGuardAdapter = {
+        return WireGuardAdapter(with: self) { logLevel, message in
+            wg_log(logLevel.osLogLevel, message: message)
+        }
+    }()
+
+    override func startTunnel(options: [String: NSObject]?, completionHandler: @escaping (Error?) -> Void) {
+        let activationAttemptId = options?["activationAttemptId"] as? String
+        let errorNotifier = ErrorNotifier(activationAttemptId: activationAttemptId)
+
+        Logger.configureGlobal(tagged: "NET", withFilePath: FileManager.logFileURL?.path)
+
+        wg_log(.info, message: "Starting tunnel from the " + (activationAttemptId == nil ? "OS directly, rather than the app" : "app"))
+
+        guard let tunnelProviderProtocol = self.protocolConfiguration as? NETunnelProviderProtocol,
+              let tunnelConfiguration = tunnelProviderProtocol.asTunnelConfiguration() else {
+            errorNotifier.notify(PacketTunnelProviderError.savedProtocolConfigurationIsInvalid)
+            completionHandler(PacketTunnelProviderError.savedProtocolConfigurationIsInvalid)
+            return
+        }
+
+        // Start the tunnel
+        wgAdapter.start(tunnelConfiguration: tunnelConfiguration) { adapterError in
+            guard let adapterError = adapterError else {
+                let interfaceName = self.wgAdapter.interfaceName ?? "unknown"
+
+                wg_log(.info, message: "Tunnel interface is \(interfaceName)")
+
+                completionHandler(nil)
+                return
+            }
+
+            switch adapterError {
+            case .cannotLocateTunnelFileDescriptor:
+                wg_log(.error, staticMessage: "Starting tunnel failed: could not determine file descriptor")
+                errorNotifier.notify(PacketTunnelProviderError.couldNotDetermineFileDescriptor)
+                completionHandler(PacketTunnelProviderError.couldNotDetermineFileDescriptor)
+
+            case .dnsResolution(let dnsErrors):
+                let hostnamesWithDnsResolutionFailure = dnsErrors.map { $0.address }
+                    .joined(separator: ", ")
+                wg_log(.error, message: "DNS resolution failed for the following hostnames: \(hostnamesWithDnsResolutionFailure)")
+                errorNotifier.notify(PacketTunnelProviderError.dnsResolutionFailure)
+                completionHandler(PacketTunnelProviderError.dnsResolutionFailure)
+
+            case .setNetworkSettings(let error):
+                wg_log(.error, message: "Starting tunnel failed with setTunnelNetworkSettings returning \(error.localizedDescription)")
+                errorNotifier.notify(PacketTunnelProviderError.couldNotSetNetworkSettings)
+                completionHandler(PacketTunnelProviderError.couldNotSetNetworkSettings)
+
+            case .startWireGuardBackend(let errorCode):
+                wg_log(.error, message: "Starting tunnel failed with wgTurnOn returning \(errorCode)")
+                errorNotifier.notify(PacketTunnelProviderError.couldNotStartBackend)
+                completionHandler(PacketTunnelProviderError.couldNotStartBackend)
+
+            case .invalidState:
+                // Must never happen
+                fatalError()
+            }
+        }
+    }
+
+    override func stopTunnel(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
+        wg_log(.info, staticMessage: "Stopping tunnel")
+
+        wgAdapter.stop { error in
+            ErrorNotifier.removeLastErrorFile()
+
+            if let error = error {
+                wg_log(.error, message: "Failed to stop WireGuard adapter: \(error.localizedDescription)")
+            }
+            completionHandler()
+
+            #if os(macOS)
+            // HACK: This is a filthy hack to work around Apple bug 32073323 (dup'd by us as 47526107).
+            // Remove it when they finally fix this upstream and the fix has been rolled out to
+            // sufficient quantities of users.
+            exit(0)
+            #endif
+        }
+    }
+
+    override func handleAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)? = nil) {
+        guard let completionHandler = completionHandler else { return }
+
+        if messageData.count == 1 && messageData[0] == 0 {
+            wgAdapter.getRuntimeConfiguration { settings in
+                var data: Data?
+                if let settings = settings {
+                    data = settings.data(using: .utf8)!
+                }
+                completionHandler(data)
+            }
+        } else if messageData.count >= 1 {
+            // Updates the tunnel configuration and responds with the active configuration
+            wg_log(.info, message: "Switching tunnel configuration")
+            guard let configString = String(data: messageData, encoding: .utf8)
+            else {
+                completionHandler(nil)
+                return
+            }
+
+            do {
+              let tunnelConfiguration = try TunnelConfiguration(fromWgQuickConfig: configString)
+              wgAdapter.update(tunnelConfiguration: tunnelConfiguration) { error in
+                if let error = error {
+                  wg_log(.error, message: "Failed to switch tunnel configuration: \(error.localizedDescription)")
+                  completionHandler(nil)
+                  return
+                }
+
+                self.wgAdapter.getRuntimeConfiguration { settings in
+                  var data: Data?
+                  if let settings = settings {
+                      data = settings.data(using: .utf8)!
+                  }
+                  completionHandler(data)
+                }
+              }
+            } catch {
+              completionHandler(nil)
+            }
+        } else {
+            completionHandler(nil)
+        }
+    }
+}
+
+extension WireGuardLogLevel {
+    var osLogLevel: OSLogType {
+        switch self {
+        case .verbose:
+            return .debug
+        case .error:
+            return .error
+        }
+    }
+}
diff --git a/client/platforms/ios/iosutils.h b/client/platforms/ios/iosutils.h
new file mode 100644
index 00000000..6a73012b
--- /dev/null
+++ b/client/platforms/ios/iosutils.h
@@ -0,0 +1,17 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef IOSUTILS_H
+#define IOSUTILS_H
+
+#include <QString>
+
+class IOSUtils final {
+ public:
+  static QString computerName();
+
+  static QString IAPReceipt();
+};
+
+#endif  // IOSUTILS_H
diff --git a/client/platforms/ios/iosutils.mm b/client/platforms/ios/iosutils.mm
new file mode 100644
index 00000000..0e50fb6b
--- /dev/null
+++ b/client/platforms/ios/iosutils.mm
@@ -0,0 +1,63 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "iosutils.h"
+#include "logger.h"
+
+#include <QDateTime>
+#include <QString>
+
+#import <UIKit/UIKit.h>
+
+namespace {
+Logger logger(LOG_IOS, "IOSUtils");
+}
+
+// static
+QString IOSUtils::computerName() {
+  NSString* name = [[UIDevice currentDevice] name];
+  return QString::fromNSString(name);
+}
+
+// static
+QString IOSUtils::IAPReceipt() {
+  logger.debug() << "Retrieving IAP receipt";
+
+  NSURL* receiptURL = [[NSBundle mainBundle] appStoreReceiptURL];
+  NSData* receipt = [NSData dataWithContentsOfURL:receiptURL];
+
+  // All the following is for debug only.
+  NSString* path = [receiptURL path];
+  Q_ASSERT(path);
+
+  logger.debug() << "Receipt URL:" << QString::fromNSString(path);
+
+  NSFileManager* fileManager = [NSFileManager defaultManager];
+  Q_ASSERT(fileManager);
+
+  NSDictionary* fileAttributes = [fileManager attributesOfItemAtPath:path error:NULL];
+  if (fileAttributes) {
+    NSNumber* fileSize = [fileAttributes objectForKey:NSFileSize];
+    if (fileSize) {
+      logger.debug() << "File size:" << [fileSize unsignedLongLongValue];
+    }
+
+    NSString* fileOwner = [fileAttributes objectForKey:NSFileOwnerAccountName];
+    if (fileOwner) {
+      logger.debug() << "Owner:" << QString::fromNSString(fileOwner);
+    }
+
+    NSDate* fileModDate = [fileAttributes objectForKey:NSFileModificationDate];
+    if (fileModDate) {
+      logger.debug() << "Modification date:" << QDateTime::fromNSDate(fileModDate).toString();
+    }
+  }
+
+  if (!receipt) {
+    return QString();
+  }
+
+  NSString* encodedReceipt = [receipt base64EncodedStringWithOptions:0];
+  return QString::fromNSString(encodedReceipt);
+}
diff --git a/client/platforms/ios/iosvpnprotocol.swift b/client/platforms/ios/iosvpnprotocol.swift
new file mode 100644
index 00000000..ce0363e7
--- /dev/null
+++ b/client/platforms/ios/iosvpnprotocol.swift
@@ -0,0 +1,308 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import Foundation
+import NetworkExtension
+
+let vpnName = "AmneziaVPN"
+var vpnBundleID = "";
+
+@objc class VPNIPAddressRange : NSObject {
+    public var address: NSString = ""
+    public var networkPrefixLength: UInt8 = 0
+    public var isIpv6: Bool = false
+
+    @objc init(address: NSString, networkPrefixLength: UInt8, isIpv6: Bool) {
+        super.init()
+
+        self.address = address
+        self.networkPrefixLength = networkPrefixLength
+        self.isIpv6 = isIpv6
+    }
+}
+
+public class IOSVpnProtocolImpl : NSObject {
+
+    private var tunnel: NETunnelProviderManager? = nil
+    private var stateChangeCallback: ((Bool) -> Void?)? = nil
+    private var privateKey : PrivateKey? = nil
+    private var deviceIpv4Address: String? = nil
+    private var deviceIpv6Address: String? = nil
+
+    @objc enum IOSConnectionState: Int { case Error, Connected, Disconnected }
+
+    @objc init(bundleID: String, privateKey: Data, deviceIpv4Address: String, deviceIpv6Address: String, closure: @escaping (IOSConnectionState, Date?) -> Void, callback: @escaping (Bool) -> Void) {
+        super.init()
+
+        Logger.configureGlobal(tagged: "APP", withFilePath: "")
+
+        vpnBundleID = bundleID;
+        precondition(!vpnBundleID.isEmpty)
+
+        stateChangeCallback = callback
+        self.privateKey = PrivateKey(rawValue: privateKey)
+        self.deviceIpv4Address = deviceIpv4Address
+        self.deviceIpv6Address = deviceIpv6Address
+
+        NotificationCenter.default.addObserver(self, selector: #selector(self.vpnStatusDidChange(notification:)), name: Notification.Name.NEVPNStatusDidChange, object: nil)
+
+        NETunnelProviderManager.loadAllFromPreferences { [weak self] managers, error in
+            if let error = error {
+                Logger.global?.log(message: "Loading from preference failed: \(error)")
+                closure(IOSConnectionState.Error, nil)
+                return
+            }
+
+            if self == nil {
+                Logger.global?.log(message: "We are shutting down.")
+                return
+            }
+
+            let nsManagers = managers ?? []
+            Logger.global?.log(message: "We have received \(nsManagers.count) managers.")
+            print("We have received \(nsManagers.count) managers.")
+
+            let tunnel = nsManagers.first(where: IOSVpnProtocolImpl.isOurManager(_:))
+            if tunnel == nil {
+                Logger.global?.log(message: "Creating the tunnel")
+                print("Creating the tunnel")
+                self!.tunnel = NETunnelProviderManager()
+                closure(IOSConnectionState.Disconnected, nil)
+                return
+            }
+
+            Logger.global?.log(message: "Tunnel already exists")
+            print("Tunnel already exists")
+
+            self!.tunnel = tunnel
+            if tunnel?.connection.status == .connected {
+                closure(IOSConnectionState.Connected, tunnel?.connection.connectedDate)
+            } else {
+                closure(IOSConnectionState.Disconnected, nil)
+            }
+        }
+    }
+
+    @objc private func vpnStatusDidChange(notification: Notification) {
+        guard let session = (notification.object as? NETunnelProviderSession), tunnel?.connection == session else { return }
+
+        switch session.status {
+        case .connected:
+            Logger.global?.log(message: "STATE CHANGED: connected")
+            print("STATE CHANGED: connected")
+        case .connecting:
+            Logger.global?.log(message: "STATE CHANGED: connecting")
+            print("STATE CHANGED: connecting")
+        case .disconnected:
+            Logger.global?.log(message: "STATE CHANGED: disconnected")
+            print("STATE CHANGED: disconnected")
+        case .disconnecting:
+            Logger.global?.log(message: "STATE CHANGED: disconnecting")
+            print("STATE CHANGED: disconnecting")
+        case .invalid:
+            Logger.global?.log(message: "STATE CHANGED: invalid")
+            print("STATE CHANGED: invalid")
+        case .reasserting:
+            Logger.global?.log(message: "STATE CHANGED: reasserting")
+            print("STATE CHANGED: reasserting")
+        default:
+            Logger.global?.log(message: "STATE CHANGED: unknown status")
+            print("STATE CHANGED: unknown status")
+        }
+
+        // We care about "unknown" state changes.
+        if (session.status != .connected && session.status != .disconnected) {
+            return
+        }
+
+        stateChangeCallback?(session.status == .connected)
+    }
+
+    private static func isOurManager(_ manager: NETunnelProviderManager) -> Bool {
+        guard
+            let proto = manager.protocolConfiguration,
+            let tunnelProto = proto as? NETunnelProviderProtocol
+        else {
+            Logger.global?.log(message: "Ignoring manager because the proto is invalid.")
+            return false
+        }
+
+        if (tunnelProto.providerBundleIdentifier == nil) {
+            Logger.global?.log(message: "Ignoring manager because the bundle identifier is null.")
+            return false
+        }
+
+        if (tunnelProto.providerBundleIdentifier != vpnBundleID) {
+            Logger.global?.log(message: "Ignoring manager because the bundle identifier doesn't match.")
+            return false;
+        }
+
+        Logger.global?.log(message: "Found the manager with the correct bundle identifier: \(tunnelProto.providerBundleIdentifier!)")
+        print("Found the manager with the correct bundle identifier: \(tunnelProto.providerBundleIdentifier!)")
+        return true
+    }
+
+    @objc func connect(dnsServer: String, serverIpv6Gateway: String, serverPublicKey: String, presharedKey: String, serverIpv4AddrIn: String, serverPort: Int,  allowedIPAddressRanges: Array<VPNIPAddressRange>, ipv6Enabled: Bool, reason: Int, failureCallback: @escaping () -> Void) {
+        Logger.global?.log(message: "Connecting")
+        assert(tunnel != nil)
+
+        // Let's remove the previous config if it exists.
+        (tunnel?.protocolConfiguration as? NETunnelProviderProtocol)?.destroyConfigurationReference()
+
+        let keyData = PublicKey(base64Key: serverPublicKey)!
+        let dnsServerIP = IPv4Address(dnsServer)
+        let ipv6GatewayIP = IPv6Address(serverIpv6Gateway)
+
+        var peerConfiguration = PeerConfiguration(publicKey: keyData)
+        peerConfiguration.preSharedKey = PreSharedKey(base64Key: presharedKey)
+        peerConfiguration.endpoint = Endpoint(from: serverIpv4AddrIn + ":\(serverPort )")
+        peerConfiguration.allowedIPs = []
+
+        allowedIPAddressRanges.forEach {
+            if (!$0.isIpv6) {
+                peerConfiguration.allowedIPs.append(IPAddressRange(address: IPv4Address($0.address as String)!, networkPrefixLength: $0.networkPrefixLength))
+            } else if (ipv6Enabled) {
+                peerConfiguration.allowedIPs.append(IPAddressRange(address: IPv6Address($0.address as String)!, networkPrefixLength: $0.networkPrefixLength))
+            }
+        }
+
+        var peerConfigurations: [PeerConfiguration] = []
+        peerConfigurations.append(peerConfiguration)
+
+        var interface = InterfaceConfiguration(privateKey: privateKey!)
+
+        if let ipv4Address = IPAddressRange(from: deviceIpv4Address!),
+           let ipv6Address = IPAddressRange(from: deviceIpv6Address!) {
+            interface.addresses = [ipv4Address]
+            if (ipv6Enabled) {
+                interface.addresses.append(ipv6Address)
+            }
+        }
+        interface.dns = [ DNSServer(address: dnsServerIP!)]
+        interface.mtu = 1412 // 1280
+
+        if (ipv6Enabled) {
+            interface.dns.append(DNSServer(address: ipv6GatewayIP!))
+        }
+
+        let config = TunnelConfiguration(name: vpnName, interface: interface, peers: peerConfigurations)
+
+        self.configureTunnel(config: config, reason: reason, failureCallback: failureCallback)
+    }
+
+    func configureTunnel(config: TunnelConfiguration, reason: Int, failureCallback: @escaping () -> Void) {
+        guard let proto = NETunnelProviderProtocol(tunnelConfiguration: config) else {
+            failureCallback()
+            return
+        }
+        proto.providerBundleIdentifier = vpnBundleID
+
+        tunnel!.protocolConfiguration = proto
+        tunnel!.localizedDescription = vpnName
+        tunnel!.isEnabled = true
+
+        tunnel!.saveToPreferences { [unowned self] saveError in
+            if let error = saveError {
+                Logger.global?.log(message: "Connect Tunnel Save Error: \(error)")
+                failureCallback()
+                return
+            }
+
+            Logger.global?.log(message: "Saving the tunnel succeeded")
+
+            self.tunnel!.loadFromPreferences { error in
+                if let error = error {
+                    Logger.global?.log(message: "Connect Tunnel Load Error: \(error)")
+                    failureCallback()
+                    return
+                }
+
+                Logger.global?.log(message: "Loading the tunnel succeeded")
+                print("Loading the tunnel succeeded")
+
+                do {
+                    if (reason == 1 /* ReasonSwitching */) {
+                        let settings = config.asWgQuickConfig()
+                        let settingsData = settings.data(using: .utf8)!
+                        try (self.tunnel!.connection as? NETunnelProviderSession)?
+                                .sendProviderMessage(settingsData) { data in
+                            guard let data = data,
+                                let configString = String(data: data, encoding: .utf8)
+                            else {
+                                Logger.global?.log(message: "Failed to convert response to string")
+                                return
+                            }
+                            print("Config sent to NE: \(configString)")
+                        }
+                    } else {
+                        print("starting tunnel")
+                        try (self.tunnel!.connection as? NETunnelProviderSession)?.startTunnel()
+                    }
+                } catch let error {
+                    Logger.global?.log(message: "Something went wrong: \(error)")
+                    failureCallback()
+                    return
+                }
+            }
+        }
+    }
+
+    @objc func disconnect() {
+        Logger.global?.log(message: "Disconnecting")
+        assert(tunnel != nil)
+        (tunnel!.connection as? NETunnelProviderSession)?.stopTunnel()
+    }
+
+    @objc func checkStatus(callback: @escaping (String, String, String) -> Void) {
+        Logger.global?.log(message: "Check status")
+        assert(tunnel != nil)
+
+        let proto = tunnel!.protocolConfiguration as? NETunnelProviderProtocol
+        if proto == nil {
+            callback("", "", "")
+            return
+        }
+
+        let tunnelConfiguration = proto?.asTunnelConfiguration()
+        if tunnelConfiguration == nil {
+            callback("", "", "")
+            return
+        }
+
+        let serverIpv4Gateway = tunnelConfiguration?.interface.dns[0].address
+        if serverIpv4Gateway == nil {
+            callback("", "", "")
+            return
+        }
+
+        let deviceIpv4Address = tunnelConfiguration?.interface.addresses[0].address
+        if deviceIpv4Address == nil {
+            callback("", "", "")
+            return
+        }
+
+        guard let session = tunnel?.connection as? NETunnelProviderSession
+        else {
+            callback("", "", "")
+            return
+        }
+
+        do {
+            try session.sendProviderMessage(Data([UInt8(0)])) { [callback] data in
+                guard let data = data,
+                      let configString = String(data: data, encoding: .utf8)
+                else {
+                    Logger.global?.log(message: "Failed to convert data to string")
+                    callback("", "", "")
+                    return
+                }
+
+                callback("\(serverIpv4Gateway!)", "\(deviceIpv4Address!)", configString)
+            }
+        } catch {
+            Logger.global?.log(message: "Failed to retrieve data from session")
+            callback("", "", "")
+        }
+    }
+}
diff --git a/client/platforms/ios/ipaddress.cpp b/client/platforms/ios/ipaddress.cpp
new file mode 100644
index 00000000..501701c1
--- /dev/null
+++ b/client/platforms/ios/ipaddress.cpp
@@ -0,0 +1,313 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "ipaddress.h"
+#include "bigintipv6addr.h"
+
+#include <QtMath>
+
+namespace {
+
+quint32 s_allIpV4Ones = static_cast<quint32>(qPow(2, 32) - 1);
+
+BigIntIPv6Addr s_allIPv6Ones;
+bool s_ipv6Initialized = false;
+
+void maybeInitialize() {
+  if (s_ipv6Initialized) return;
+
+  s_ipv6Initialized = true;
+
+  Q_IPV6ADDR allOnes;
+  memset((void*)&allOnes, static_cast<quint8>(qPow(2, 8) - 1), sizeof(allOnes));
+
+  s_allIPv6Ones = BigIntIPv6Addr(allOnes);
+}
+
+}  // namespace
+
+// static
+IPAddress IPAddress::create(const QString& ip) {
+  if (ip.contains("/")) {
+    QPair<QHostAddress, int> p = QHostAddress::parseSubnet(ip);
+
+    if (p.first.protocol() == QAbstractSocket::IPv4Protocol) {
+      if (p.second < 32) {
+        return IPAddress(p.first, p.second);
+      }
+      return IPAddress(p.first);
+    }
+
+    if (p.first.protocol() == QAbstractSocket::IPv6Protocol) {
+      if (p.second < 128) {
+        return IPAddress(p.first, p.second);
+      }
+      return IPAddress(p.first);
+    }
+
+    Q_ASSERT(false);
+  }
+
+  return IPAddress(QHostAddress(ip));
+}
+
+IPAddress::IPAddress() {
+  maybeInitialize();
+}
+
+IPAddress::IPAddress(const IPAddress& other) {
+  maybeInitialize();
+  *this = other;
+}
+
+IPAddress& IPAddress::operator=(const IPAddress& other) {
+  if (this == &other) return *this;
+
+  m_address = other.m_address;
+  m_prefixLength = other.m_prefixLength;
+  m_netmask = other.m_netmask;
+  m_hostmask = other.m_hostmask;
+  m_broadcastAddress = other.m_broadcastAddress;
+
+  return *this;
+}
+
+IPAddress::IPAddress(const QHostAddress& address)
+    : m_address(address), m_broadcastAddress(address) {
+  maybeInitialize();
+
+  if (address.protocol() == QAbstractSocket::IPv4Protocol) {
+    m_prefixLength = 32;
+    m_netmask = QHostAddress(s_allIpV4Ones);
+    m_hostmask = QHostAddress((quint32)(0));
+  } else {
+    Q_ASSERT(address.protocol() == QAbstractSocket::IPv6Protocol);
+    m_prefixLength = 128;
+
+    m_netmask = QHostAddress(s_allIPv6Ones.value());
+
+    {
+      Q_IPV6ADDR ipv6;
+      memset((void*)&ipv6, 0, sizeof(ipv6));
+      m_hostmask = QHostAddress(ipv6);
+    }
+  }
+}
+
+IPAddress::IPAddress(const QHostAddress& address, int prefixLength)
+    : m_address(address), m_prefixLength(prefixLength) {
+  maybeInitialize();
+
+  if (address.protocol() == QAbstractSocket::IPv4Protocol) {
+    Q_ASSERT(prefixLength >= 0 && prefixLength <= 32);
+    m_netmask = QHostAddress(s_allIpV4Ones ^ (s_allIpV4Ones >> prefixLength));
+    m_hostmask = QHostAddress(m_netmask.toIPv4Address() ^ s_allIpV4Ones);
+    m_broadcastAddress =
+        QHostAddress(address.toIPv4Address() | m_hostmask.toIPv4Address());
+  } else {
+    Q_ASSERT(address.protocol() == QAbstractSocket::IPv6Protocol);
+    Q_ASSERT(prefixLength >= 0 && prefixLength <= 128);
+
+    Q_IPV6ADDR netmask;
+    {
+      BigIntIPv6Addr tmp = (s_allIPv6Ones >> prefixLength);
+      for (int i = 0; i < 16; ++i)
+        netmask[i] = s_allIPv6Ones.value()[i] ^ tmp.value()[i];
+    }
+    m_netmask = QHostAddress(netmask);
+
+    {
+      Q_IPV6ADDR tmp;
+      for (int i = 0; i < 16; ++i)
+        tmp[i] = netmask[i] ^ s_allIPv6Ones.value()[i];
+      m_hostmask = QHostAddress(tmp);
+    }
+
+    {
+      Q_IPV6ADDR ipv6Address = address.toIPv6Address();
+      Q_IPV6ADDR ipv6Hostname = m_hostmask.toIPv6Address();
+      for (int i = 0; i < 16; ++i) ipv6Address[i] |= ipv6Hostname[i];
+      m_broadcastAddress = QHostAddress(ipv6Address);
+    }
+  }
+}
+
+IPAddress::~IPAddress() { }
+
+QAbstractSocket::NetworkLayerProtocol IPAddress::type() const {
+  return m_address.protocol();
+}
+
+bool IPAddress::overlaps(const IPAddress& other) const {
+  return other.contains(m_address) || other.contains(m_broadcastAddress) ||
+         contains(other.m_address) || contains(other.m_broadcastAddress);
+}
+
+bool IPAddress::contains(const QHostAddress& address) const {
+  if (address.protocol() != m_address.protocol()) {
+    return false;
+  }
+
+  if (address.protocol() == QAbstractSocket::IPv4Protocol) {
+    return (m_address.toIPv4Address() <= address.toIPv4Address()) &&
+           (address.toIPv4Address() <= m_broadcastAddress.toIPv4Address());
+  }
+
+  Q_ASSERT(address.protocol() == QAbstractSocket::IPv6Protocol);
+  return (BigIntIPv6Addr(m_address.toIPv6Address()) <=
+          BigIntIPv6Addr(address.toIPv6Address())) &&
+         (BigIntIPv6Addr(address.toIPv6Address()) <=
+          BigIntIPv6Addr(m_broadcastAddress.toIPv6Address()));
+}
+
+bool IPAddress::operator==(const IPAddress& other) const {
+  return m_address == other.m_address && m_netmask == other.m_netmask;
+}
+
+bool IPAddress::subnetOf(const IPAddress& other) const {
+  if (other.m_address.protocol() != m_address.protocol()) {
+    return false;
+  }
+
+  if (m_address.protocol() == QAbstractSocket::IPv4Protocol) {
+    return other.m_address.toIPv4Address() <= m_address.toIPv4Address() &&
+           other.m_broadcastAddress.toIPv4Address() >=
+               m_broadcastAddress.toIPv4Address();
+  }
+
+  Q_ASSERT(m_address.protocol() == QAbstractSocket::IPv6Protocol);
+  return BigIntIPv6Addr(other.m_address.toIPv6Address()) <=
+             BigIntIPv6Addr(m_address.toIPv6Address()) &&
+         BigIntIPv6Addr(other.m_broadcastAddress.toIPv6Address()) >=
+             BigIntIPv6Addr(m_broadcastAddress.toIPv6Address());
+}
+
+QList<IPAddress> IPAddress::subnets() const {
+  QList<IPAddress> list;
+
+  if (m_address.protocol() == QAbstractSocket::IPv4Protocol) {
+    if (m_prefixLength == 32) {
+      list.append(*this);
+      return list;
+    }
+
+    quint64 start = m_address.toIPv4Address();
+    quint64 end = quint64(m_broadcastAddress.toIPv4Address()) + 1;
+    quint64 step = ((quint64)m_hostmask.toIPv4Address() + 1) >> 1;
+
+    while (start < end) {
+      int newPrefixLength = m_prefixLength + 1;
+      if (newPrefixLength == 32) {
+        list.append(IPAddress(QHostAddress(static_cast<quint32>(start))));
+      } else {
+        list.append(IPAddress(QHostAddress(static_cast<quint32>(start)),
+                              m_prefixLength + 1));
+      }
+      start += step;
+    }
+
+    return list;
+  }
+
+  Q_ASSERT(m_address.protocol() == QAbstractSocket::IPv6Protocol);
+
+  if (m_prefixLength == 128) {
+    list.append(*this);
+    return list;
+  }
+
+  BigInt start(17);
+  {
+    Q_IPV6ADDR addr = m_address.toIPv6Address();
+    for (int i = 0; i < 16; ++i) {
+      start.setValueAt(addr[i], i + 1);
+    }
+  }
+
+  BigInt end(17);
+  {
+    Q_IPV6ADDR addr = m_broadcastAddress.toIPv6Address();
+    for (int i = 0; i < 16; ++i) {
+      end.setValueAt(addr[i], i + 1);
+    }
+    ++end;
+  }
+
+  BigInt step(17);
+  {
+    Q_IPV6ADDR addr = m_hostmask.toIPv6Address();
+    for (int i = 0; i < 16; ++i) {
+      step.setValueAt(addr[i], i + 1);
+    }
+    step = (++step) >> 1;
+  }
+
+  while (start < end) {
+    int newPrefixLength = m_prefixLength + 1;
+    Q_IPV6ADDR startIPv6;
+    for (int i = 0; i < 16; ++i) {
+      startIPv6[i] = start.valueAt(i + 1);
+    }
+
+    if (newPrefixLength == 128) {
+      list.append(IPAddress(QHostAddress(startIPv6)));
+    } else {
+      list.append(IPAddress(QHostAddress(startIPv6), m_prefixLength + 1));
+    }
+    start += step;
+  }
+
+  return list;
+}
+
+// static
+QList<IPAddress> IPAddress::excludeAddresses(
+    const QList<IPAddress>& sourceList, const QList<IPAddress>& excludeList) {
+  QList<IPAddress> results = sourceList;
+
+  for (const IPAddress& exclude : excludeList) {
+    QList<IPAddress> newResults;
+
+    for (const IPAddress& ip : results) {
+      if (ip.overlaps(exclude)) {
+        QList<IPAddress> range = ip.excludeAddresses(exclude);
+        newResults.append(range);
+      } else {
+        newResults.append(ip);
+      }
+    }
+
+    results = newResults;
+  }
+
+  return results;
+}
+
+QList<IPAddress> IPAddress::excludeAddresses(const IPAddress& ip) const {
+  QList<IPAddress> sn = subnets();
+  Q_ASSERT(sn.length() >= 2);
+
+  QList<IPAddress> result;
+  while (sn[0] != ip && sn[1] != ip) {
+    if (ip.subnetOf(sn[0])) {
+      result.append(sn[1]);
+      sn = sn[0].subnets();
+    } else if (ip.subnetOf(sn[1])) {
+      result.append(sn[0]);
+      sn = sn[1].subnets();
+    } else {
+      Q_ASSERT(false);
+    }
+  }
+
+  if (sn[0] == ip) {
+    result.append(sn[1]);
+  } else if (sn[1] == ip) {
+    result.append(sn[0]);
+  } else {
+    Q_ASSERT(false);
+  }
+
+  return result;
+}
diff --git a/client/platforms/ios/ipaddress.h b/client/platforms/ios/ipaddress.h
new file mode 100644
index 00000000..f41ecd69
--- /dev/null
+++ b/client/platforms/ios/ipaddress.h
@@ -0,0 +1,59 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef IPADDRESS_H
+#define IPADDRESS_H
+
+#include <QHostAddress>
+
+class IPAddress final {
+ public:
+  static IPAddress create(const QString& ip);
+  static QList<IPAddress> excludeAddresses(const QList<IPAddress>& sourceList,
+                                           const QList<IPAddress>& excludeList);
+
+  IPAddress();
+  IPAddress(const IPAddress& other);
+  IPAddress& operator=(const IPAddress& other);
+  ~IPAddress();
+
+  QString toString() const {
+    return QString("%1/%2").arg(m_address.toString()).arg(m_prefixLength);
+  }
+
+  const QHostAddress& address() const { return m_address; }
+  int prefixLength() const { return m_prefixLength; }
+  const QHostAddress& netmask() const { return m_netmask; }
+  const QHostAddress& hostmask() const { return m_hostmask; }
+  const QHostAddress& broadcastAddress() const { return m_broadcastAddress; }
+
+  bool overlaps(const IPAddress& other) const;
+
+  bool contains(const QHostAddress& address) const;
+
+  bool operator==(const IPAddress& other) const;
+  bool operator!=(const IPAddress& other) const { return !operator==(other); }
+
+  bool subnetOf(const IPAddress& other) const;
+
+  QList<IPAddress> subnets() const;
+
+  QList<IPAddress> excludeAddresses(const IPAddress& ip) const;
+
+  QAbstractSocket::NetworkLayerProtocol type() const;
+
+ private:
+  IPAddress(const QHostAddress& address);
+  IPAddress(const QHostAddress& address, int prefixLength);
+
+ private:
+  QHostAddress m_address;
+  int m_prefixLength;
+
+  QHostAddress m_netmask;
+  QHostAddress m_hostmask;
+  QHostAddress m_broadcastAddress;
+};
+
+#endif  // IPADDRESS_H
diff --git a/client/platforms/ios/ipaddressrange.cpp b/client/platforms/ios/ipaddressrange.cpp
new file mode 100644
index 00000000..8810a73c
--- /dev/null
+++ b/client/platforms/ios/ipaddressrange.cpp
@@ -0,0 +1,60 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "ipaddressrange.h"
+#include "ipaddress.h"
+
+IPAddressRange::IPAddressRange(const QString& ipAddress, uint32_t range,
+                               IPAddressType type)
+    : m_ipAddress(ipAddress), m_range(range), m_type(type) {}
+
+IPAddressRange::IPAddressRange(const QString& prefix) {
+  QStringList split = prefix.split('/');
+  m_ipAddress = split[0];
+  if (m_ipAddress.contains(':')) {
+    // Probably IPv6
+    m_type = IPv6;
+    m_range = 128;
+  } else {
+    // Assume IPv4
+    m_type = IPv4;
+    m_range = 32;
+  }
+  if (split.count() > 1) {
+    m_range = split[1].toUInt();
+  }
+}
+
+IPAddressRange::IPAddressRange(const IPAddressRange& other) {
+  *this = other;
+}
+
+IPAddressRange& IPAddressRange::operator=(const IPAddressRange& other) {
+  if (this == &other) return *this;
+
+  m_ipAddress = other.m_ipAddress;
+  m_range = other.m_range;
+  m_type = other.m_type;
+
+  return *this;
+}
+
+bool IPAddressRange::operator==(const IPAddressRange& other) const {
+  if (this == &other) return true;
+
+  return m_ipAddress == other.m_ipAddress && m_range == other.m_range &&
+         m_type == other.m_type;
+}
+
+IPAddressRange::~IPAddressRange() { }
+
+// static
+QList<IPAddressRange> IPAddressRange::fromIPAddressList(
+    const QList<IPAddress>& list) {
+  QList<IPAddressRange> result;
+  for (const IPAddress& ip : list) {
+    result.append(IPAddressRange(ip.toString()));
+  }
+  return result;
+}
diff --git a/client/platforms/ios/ipaddressrange.h b/client/platforms/ios/ipaddressrange.h
new file mode 100644
index 00000000..db1733ae
--- /dev/null
+++ b/client/platforms/ios/ipaddressrange.h
@@ -0,0 +1,42 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef IPADDRESSRANGE_H
+#define IPADDRESSRANGE_H
+
+#include <QObject>
+#include <QString>
+
+class IPAddress;
+
+class IPAddressRange final {
+ public:
+  enum IPAddressType {
+    IPv4,
+    IPv6,
+  };
+
+  static QList<IPAddressRange> fromIPAddressList(const QList<IPAddress>& list);
+
+  IPAddressRange(const QString& prefix);
+  IPAddressRange(const QString& ipAddress, uint32_t range, IPAddressType type);
+  IPAddressRange(const IPAddressRange& other);
+  IPAddressRange& operator=(const IPAddressRange& other);
+  bool operator==(const IPAddressRange& other) const;
+  ~IPAddressRange();
+
+  const QString& ipAddress() const { return m_ipAddress; }
+  uint32_t range() const { return m_range; }
+  IPAddressType type() const { return m_type; }
+  const QString toString() const {
+    return QString("%1/%2").arg(m_ipAddress).arg(m_range);
+  }
+
+ private:
+  QString m_ipAddress;
+  uint32_t m_range;
+  IPAddressType m_type;
+};
+
+#endif  // IPADDRESSRANGE_H
diff --git a/client/platforms/ios/json.cpp b/client/platforms/ios/json.cpp
new file mode 100644
index 00000000..0cf2a0af
--- /dev/null
+++ b/client/platforms/ios/json.cpp
@@ -0,0 +1,732 @@
+/**
+ * QtJson - A simple class for parsing JSON data into a QVariant hierarchies and vice-versa.
+ * Copyright (C) 2011  Eeli Reilin
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/**
+ * \file json.cpp
+ */
+
+#include <QDateTime>
+#include <QStringList>
+#include "json.h"
+
+namespace QtJson {
+    static QString dateFormat, dateTimeFormat;
+    static bool prettySerialize = false;
+
+    static QString sanitizeString(QString str);
+    static QByteArray join(const QList<QByteArray> &list, const QByteArray &sep);
+    static QVariant parseValue(const QString &json, int &index, bool &success);
+    static QVariant parseObject(const QString &json, int &index, bool &success);
+    static QVariant parseArray(const QString &json, int &index, bool &success);
+    static QVariant parseString(const QString &json, int &index, bool &success);
+    static QVariant parseNumber(const QString &json, int &index);
+    static int lastIndexOfNumber(const QString &json, int index);
+    static void eatWhitespace(const QString &json, int &index);
+    static int lookAhead(const QString &json, int index);
+    static int nextToken(const QString &json, int &index);
+
+    template<typename T>
+    QByteArray serializeMap(const T &map, bool &success, int _level = 0) {
+        QByteArray newline;
+        QByteArray tabs;
+        QByteArray tabsFields;
+        if (prettySerialize && !map.isEmpty()) {
+            newline = "\n";
+            for (uint l=1; l<_level; l++) {
+                tabs += "    ";
+            }
+            tabsFields = tabs + "    ";
+        }
+
+        QByteArray str = "{" + newline;
+        QList<QByteArray> pairs;
+        for (typename T::const_iterator it = map.begin(), itend = map.end(); it != itend; ++it) {
+            bool otherSuccess = true;
+            QByteArray serializedValue = serialize(it.value(), otherSuccess, _level);
+            if (serializedValue.isNull()) {
+                success = false;
+                break;
+            }
+            pairs << tabsFields + sanitizeString(it.key()).toUtf8() + ":" + (prettySerialize ? " " : "") + serializedValue;
+        }
+
+        str += join(pairs, "," + newline) + newline;
+        str += tabs + "}";
+        return str;
+    }
+
+    void insert(QVariant &v, const QString &key, const QVariant &value);
+    void append(QVariant &v, const QVariant &value);
+
+    template<typename T>
+    void cloneMap(QVariant &json, const T &map) {
+    for (typename T::const_iterator it = map.begin(), itend = map.end(); it != itend; ++it) {
+        insert(json, it.key(), (*it));
+    }
+    }
+
+    template<typename T>
+    void cloneList(QVariant &json, const T &list) {
+    for (typename T::const_iterator it = list.begin(), itend = list.end(); it != itend; ++it) {
+        append(json, (*it));
+    }
+    }
+
+    /**
+     * parse
+     */
+    QVariant parse(const QString &json) {
+        bool success = true;
+        return parse(json, success);
+    }
+
+    /**
+     * parse
+     */
+    QVariant parse(const QString &json, bool &success) {
+        success = true;
+
+        // Return an empty QVariant if the JSON data is either null or empty
+        if (!json.isNull() || !json.isEmpty()) {
+            QString data = json;
+            // We'll start from index 0
+            int index = 0;
+
+            // Parse the first value
+            QVariant value = parseValue(data, index, success);
+
+            // Return the parsed value
+            return value;
+        } else {
+            // Return the empty QVariant
+            return QVariant();
+        }
+    }
+
+    /**
+     * clone
+     */
+    QVariant clone(const QVariant &data) {
+    QVariant v;
+
+    if (data.type() == QVariant::Map) {
+        cloneMap(v, data.toMap());
+    } else if (data.type() == QVariant::Hash) {
+        cloneMap(v, data.toHash());
+    } else if (data.type() == QVariant::List) {
+        cloneList(v, data.toList());
+    } else if (data.type() == QVariant::StringList) {
+        cloneList(v, data.toStringList());
+    } else {
+        v = QVariant(data);
+    }
+
+    return v;
+    }
+
+    /**
+     * insert value (map case)
+     */
+    void insert(QVariant &v, const QString &key, const QVariant &value) {
+    if (!v.canConvert<QVariantMap>()) v = QVariantMap();
+    QVariantMap *p = (QVariantMap *)v.data();
+    p->insert(key, clone(value));
+    }
+
+    /**
+     * append value (list case)
+     */
+    void append(QVariant &v, const QVariant &value) {
+    if (!v.canConvert<QVariantList>()) v = QVariantList();
+    QVariantList *p = (QVariantList *)v.data();
+    p->append(value);
+    }
+
+    QByteArray serialize(const QVariant &data) {
+        bool success = true;
+        return serialize(data, success);
+    }
+
+    QByteArray serialize(const QVariant &data, bool &success, int _level /*= 0*/) {
+        QByteArray newline;
+        QByteArray tabs;
+        QByteArray tabsFields;
+        if (prettySerialize) {
+            newline = "\n";
+            for (uint l=0; l<_level; l++) {
+                tabs += "    ";
+            }
+            tabsFields = tabs + "    ";
+        }
+
+        QByteArray str;
+        success = true;
+
+        if (!data.isValid()) { // invalid or null?
+            str = "null";
+        } else if ((data.type() == QVariant::List) ||
+                   (data.type() == QVariant::StringList)) { // variant is a list?
+            QList<QByteArray> values;
+            const QVariantList list = data.toList();
+            Q_FOREACH(const QVariant& v, list) {
+                bool otherSuccess = true;
+                QByteArray serializedValue = serialize(v, otherSuccess, _level+1);
+                if (serializedValue.isNull()) {
+                    success = false;
+                    break;
+                }
+                values << tabsFields + serializedValue;
+            }
+
+            if (!values.isEmpty()) {
+                str = "[" + newline + join( values, "," + newline ) + newline + tabs + "]";
+            } else {
+                str = "[]";
+            }
+        } else if (data.type() == QVariant::Hash) { // variant is a hash?
+            str = serializeMap<>(data.toHash(), success, _level+1);
+        } else if (data.type() == QVariant::Map) { // variant is a map?
+            str = serializeMap<>(data.toMap(), success, _level+1);
+        } else if ((data.type() == QVariant::String) ||
+                   (data.type() == QVariant::ByteArray)) {// a string or a byte array?
+            str = sanitizeString(data.toString()).toUtf8();
+        } else if (data.type() == QVariant::Double) { // double?
+            double value = data.toDouble(&success);
+            if (success) {
+                str = QByteArray::number(value, 'g');
+                if (!str.contains(".") && ! str.contains("e")) {
+                    str += ".0";
+                }
+            }
+        } else if (data.type() == QVariant::Bool) { // boolean value?
+            str = data.toBool() ? "true" : "false";
+        } else if (data.type() == QVariant::ULongLong) { // large unsigned number?
+            str = QByteArray::number(data.value<qulonglong>());
+        } else if (data.canConvert<qlonglong>()) { // any signed number?
+            str = QByteArray::number(data.value<qlonglong>());
+        } else if (data.canConvert<long>()) { //TODO: this code is never executed because all smaller types can be converted to qlonglong
+            str = QString::number(data.value<long>()).toUtf8();
+        } else if (data.type() == QVariant::DateTime) { // datetime value?
+            str = sanitizeString(dateTimeFormat.isEmpty()
+                                 ? data.toDateTime().toString()
+                                 : data.toDateTime().toString(dateTimeFormat)).toUtf8();
+        } else if (data.type() == QVariant::Date) { // date value?
+            str = sanitizeString(dateTimeFormat.isEmpty()
+                                 ? data.toDate().toString()
+                                 : data.toDate().toString(dateFormat)).toUtf8();
+        } else if (data.canConvert<QString>()) { // can value be converted to string?
+            // this will catch QUrl, ... (all other types which can be converted to string)
+            str = sanitizeString(data.toString()).toUtf8();
+        } else {
+            success = false;
+        }
+
+        if (success) {
+            return str;
+        }
+        return QByteArray();
+    }
+
+    QString serializeStr(const QVariant &data) {
+        return QString::fromUtf8(serialize(data));
+    }
+
+    QString serializeStr(const QVariant &data, bool &success) {
+        return QString::fromUtf8(serialize(data, success));
+    }
+
+
+    /**
+     * \enum JsonToken
+     */
+    enum JsonToken {
+        JsonTokenNone = 0,
+        JsonTokenCurlyOpen = 1,
+        JsonTokenCurlyClose = 2,
+        JsonTokenSquaredOpen = 3,
+        JsonTokenSquaredClose = 4,
+        JsonTokenColon = 5,
+        JsonTokenComma = 6,
+        JsonTokenString = 7,
+        JsonTokenNumber = 8,
+        JsonTokenTrue = 9,
+        JsonTokenFalse = 10,
+        JsonTokenNull = 11
+    };
+
+    static QString sanitizeString(QString str) {
+        str.replace(QLatin1String("\\"), QLatin1String("\\\\"));
+        str.replace(QLatin1String("\""), QLatin1String("\\\""));
+        str.replace(QLatin1String("\b"), QLatin1String("\\b"));
+        str.replace(QLatin1String("\f"), QLatin1String("\\f"));
+        str.replace(QLatin1String("\n"), QLatin1String("\\n"));
+        str.replace(QLatin1String("\r"), QLatin1String("\\r"));
+        str.replace(QLatin1String("\t"), QLatin1String("\\t"));
+        return QString(QLatin1String("\"%1\"")).arg(str);
+    }
+
+    static QByteArray join(const QList<QByteArray> &list, const QByteArray &sep) {
+        QByteArray res;
+        Q_FOREACH(const QByteArray &i, list) {
+            if (!res.isEmpty()) {
+                res += sep;
+            }
+            res += i;
+        }
+        return res;
+    }
+
+    /**
+     * parseValue
+     */
+    static QVariant parseValue(const QString &json, int &index, bool &success) {
+        // Determine what kind of data we should parse by
+        // checking out the upcoming token
+        switch(lookAhead(json, index)) {
+            case JsonTokenString:
+                return parseString(json, index, success);
+            case JsonTokenNumber:
+                return parseNumber(json, index);
+            case JsonTokenCurlyOpen:
+                return parseObject(json, index, success);
+            case JsonTokenSquaredOpen:
+                return parseArray(json, index, success);
+            case JsonTokenTrue:
+                nextToken(json, index);
+                return QVariant(true);
+            case JsonTokenFalse:
+                nextToken(json, index);
+                return QVariant(false);
+            case JsonTokenNull:
+                nextToken(json, index);
+                return QVariant();
+            case JsonTokenNone:
+                break;
+        }
+
+        // If there were no tokens, flag the failure and return an empty QVariant
+        success = false;
+        return QVariant();
+    }
+
+    /**
+     * parseObject
+     */
+    static QVariant parseObject(const QString &json, int &index, bool &success) {
+        QVariantMap map;
+        int token;
+
+        // Get rid of the whitespace and increment index
+        nextToken(json, index);
+
+        // Loop through all of the key/value pairs of the object
+        bool done = false;
+        while (!done) {
+            // Get the upcoming token
+            token = lookAhead(json, index);
+
+            if (token == JsonTokenNone) {
+                success = false;
+                return QVariantMap();
+            } else if (token == JsonTokenComma) {
+                nextToken(json, index);
+            } else if (token == JsonTokenCurlyClose) {
+                nextToken(json, index);
+                return map;
+            } else {
+                // Parse the key/value pair's name
+                QString name = parseString(json, index, success).toString();
+
+                if (!success) {
+                    return QVariantMap();
+                }
+
+                // Get the next token
+                token = nextToken(json, index);
+
+                // If the next token is not a colon, flag the failure
+                // return an empty QVariant
+                if (token != JsonTokenColon) {
+                    success = false;
+                    return QVariant(QVariantMap());
+                }
+
+                // Parse the key/value pair's value
+                QVariant value = parseValue(json, index, success);
+
+                if (!success) {
+                    return QVariantMap();
+                }
+
+                // Assign the value to the key in the map
+                map[name] = value;
+            }
+        }
+
+        // Return the map successfully
+        return QVariant(map);
+    }
+
+    /**
+     * parseArray
+     */
+    static QVariant parseArray(const QString &json, int &index, bool &success) {
+        QVariantList list;
+
+        nextToken(json, index);
+
+        bool done = false;
+        while(!done) {
+            int token = lookAhead(json, index);
+
+            if (token == JsonTokenNone) {
+                success = false;
+                return QVariantList();
+            } else if (token == JsonTokenComma) {
+                nextToken(json, index);
+            } else if (token == JsonTokenSquaredClose) {
+                nextToken(json, index);
+                break;
+            } else {
+                QVariant value = parseValue(json, index, success);
+                if (!success) {
+                    return QVariantList();
+                }
+                list.push_back(value);
+            }
+        }
+
+        return QVariant(list);
+    }
+
+    /**
+     * parseString
+     */
+    static QVariant parseString(const QString &json, int &index, bool &success) {
+        QString s;
+        QChar c;
+
+        eatWhitespace(json, index);
+
+        c = json[index++];
+
+        bool complete = false;
+        while(!complete) {
+            if (index == json.size()) {
+                break;
+            }
+
+            c = json[index++];
+
+            if (c == '\"') {
+                complete = true;
+                break;
+            } else if (c == '\\') {
+                if (index == json.size()) {
+                    break;
+                }
+
+                c = json[index++];
+
+                if (c == '\"') {
+                    s.append('\"');
+                } else if (c == '\\') {
+                    s.append('\\');
+                } else if (c == '/') {
+                    s.append('/');
+                } else if (c == 'b') {
+                    s.append('\b');
+                } else if (c == 'f') {
+                    s.append('\f');
+                } else if (c == 'n') {
+                    s.append('\n');
+                } else if (c == 'r') {
+                    s.append('\r');
+                } else if (c == 't') {
+                    s.append('\t');
+                } else if (c == 'u') {
+                    int remainingLength = json.size() - index;
+                    if (remainingLength >= 4) {
+                        QString unicodeStr = json.mid(index, 4);
+
+                        int symbol = unicodeStr.toInt(0, 16);
+
+                        s.append(QChar(symbol));
+
+                        index += 4;
+                    } else {
+                        break;
+                    }
+                }
+            } else {
+                s.append(c);
+            }
+        }
+
+        if (!complete) {
+            success = false;
+            return QVariant();
+        }
+
+        return QVariant(s);
+    }
+
+    /**
+     * parseNumber
+     */
+    static QVariant parseNumber(const QString &json, int &index) {
+        eatWhitespace(json, index);
+
+        int lastIndex = lastIndexOfNumber(json, index);
+        int charLength = (lastIndex - index) + 1;
+        QString numberStr;
+
+        numberStr = json.mid(index, charLength);
+
+        index = lastIndex + 1;
+        bool ok;
+
+        if (numberStr.contains('.')) {
+            return QVariant(numberStr.toDouble(NULL));
+        } else if (numberStr.startsWith('-')) {
+            int i = numberStr.toInt(&ok);
+            if (!ok) {
+                qlonglong ll = numberStr.toLongLong(&ok);
+                return ok ? ll : QVariant(numberStr);
+            }
+            return i;
+        } else {
+            uint u = numberStr.toUInt(&ok);
+            if (!ok) {
+                qulonglong ull = numberStr.toULongLong(&ok);
+                return ok ? ull : QVariant(numberStr);
+            }
+            return u;
+        }
+    }
+
+    /**
+     * lastIndexOfNumber
+     */
+    static int lastIndexOfNumber(const QString &json, int index) {
+        int lastIndex;
+
+        for(lastIndex = index; lastIndex < json.size(); lastIndex++) {
+            if (QString("0123456789+-.eE").indexOf(json[lastIndex]) == -1) {
+                break;
+            }
+        }
+
+        return lastIndex -1;
+    }
+
+    /**
+     * eatWhitespace
+     */
+    static void eatWhitespace(const QString &json, int &index) {
+        for(; index < json.size(); index++) {
+            if (QString(" \t\n\r").indexOf(json[index]) == -1) {
+                break;
+            }
+        }
+    }
+
+    /**
+     * lookAhead
+     */
+    static int lookAhead(const QString &json, int index) {
+        int saveIndex = index;
+        return nextToken(json, saveIndex);
+    }
+
+    /**
+     * nextToken
+     */
+    static int nextToken(const QString &json, int &index) {
+        eatWhitespace(json, index);
+
+        if (index == json.size()) {
+            return JsonTokenNone;
+        }
+
+        QChar c = json[index];
+        index++;
+        switch(c.toLatin1()) {
+            case '{': return JsonTokenCurlyOpen;
+            case '}': return JsonTokenCurlyClose;
+            case '[': return JsonTokenSquaredOpen;
+            case ']': return JsonTokenSquaredClose;
+            case ',': return JsonTokenComma;
+            case '"': return JsonTokenString;
+            case '0': case '1': case '2': case '3': case '4':
+            case '5': case '6': case '7': case '8': case '9':
+            case '-': return JsonTokenNumber;
+            case ':': return JsonTokenColon;
+        }
+        index--; // ^ WTF?
+
+        int remainingLength = json.size() - index;
+
+        // True
+        if (remainingLength >= 4) {
+            if (json[index] == 't' && json[index + 1] == 'r' &&
+                json[index + 2] == 'u' && json[index + 3] == 'e') {
+                index += 4;
+                return JsonTokenTrue;
+            }
+        }
+
+        // False
+        if (remainingLength >= 5) {
+            if (json[index] == 'f' && json[index + 1] == 'a' &&
+                json[index + 2] == 'l' && json[index + 3] == 's' &&
+                json[index + 4] == 'e') {
+                index += 5;
+                return JsonTokenFalse;
+            }
+        }
+
+        // Null
+        if (remainingLength >= 4) {
+            if (json[index] == 'n' && json[index + 1] == 'u' &&
+                json[index + 2] == 'l' && json[index + 3] == 'l') {
+                index += 4;
+                return JsonTokenNull;
+            }
+        }
+
+        return JsonTokenNone;
+    }
+
+    void setDateTimeFormat(const QString &format) {
+        dateTimeFormat = format;
+    }
+
+    void setDateFormat(const QString &format) {
+        dateFormat = format;
+    }
+
+    QString getDateTimeFormat() {
+        return dateTimeFormat;
+    }
+
+    QString getDateFormat() {
+        return dateFormat;
+    }
+
+    void setPrettySerialize(bool enabled) {
+        prettySerialize = enabled;
+    }
+
+    bool isPrettySerialize() {
+        return prettySerialize;
+    }
+
+
+
+    QQueue<BuilderJsonObject *> BuilderJsonObject::created_list;
+
+    BuilderJsonObject::BuilderJsonObject() {
+        // clean objects previous "created"
+        while (!BuilderJsonObject::created_list.isEmpty()) {
+            delete BuilderJsonObject::created_list.dequeue();
+        }
+    }
+
+    BuilderJsonObject::BuilderJsonObject(JsonObject &json) {
+        BuilderJsonObject();
+
+        obj = json;
+    }
+
+    BuilderJsonObject *BuilderJsonObject::set(const QString &key, const QVariant &value) {
+        obj[key] = value;
+
+        return this;
+    }
+
+    BuilderJsonObject *BuilderJsonObject::set(const QString &key, BuilderJsonObject *builder) {
+        return set(key, builder->create());
+    }
+
+    BuilderJsonObject *BuilderJsonObject::set(const QString &key, BuilderJsonArray *builder) {
+        return set(key, builder->create());
+    }
+
+    JsonObject BuilderJsonObject::create() {
+        BuilderJsonObject::created_list.enqueue(this);
+
+        return obj;
+    }
+
+
+    QQueue<BuilderJsonArray *> BuilderJsonArray::created_list;
+
+    BuilderJsonArray::BuilderJsonArray() {
+        // clean objects previous "created"
+        while (!BuilderJsonArray::created_list.isEmpty()) {
+            delete BuilderJsonArray::created_list.dequeue();
+        }
+    }
+
+    BuilderJsonArray::BuilderJsonArray(JsonArray &json) {
+        BuilderJsonArray();
+
+        array = json;
+    }
+
+    BuilderJsonArray *BuilderJsonArray::add(const QVariant &element) {
+        array.append(element);
+
+        return this;
+    }
+
+    BuilderJsonArray *BuilderJsonArray::add(BuilderJsonObject *builder) {
+        return add(builder->create());
+    }
+
+    BuilderJsonArray *BuilderJsonArray::add(BuilderJsonArray *builder) {
+        return add(builder->create());
+    }
+
+    JsonArray BuilderJsonArray::create() {
+        BuilderJsonArray::created_list.enqueue(this);
+
+        return array;
+    }
+
+
+
+
+    BuilderJsonObject *objectBuilder() {
+        return new BuilderJsonObject();
+    }
+
+    BuilderJsonObject *objectBuilder(JsonObject &json) {
+        return new BuilderJsonObject(json);
+    }
+
+    BuilderJsonArray *arrayBuilder() {
+        return new BuilderJsonArray();
+    }
+
+    BuilderJsonArray *arrayBuilder(JsonArray &json) {
+        return new BuilderJsonArray(json);
+    }
+
+} //end namespace
diff --git a/client/platforms/ios/json.h b/client/platforms/ios/json.h
new file mode 100644
index 00000000..bd37c381
--- /dev/null
+++ b/client/platforms/ios/json.h
@@ -0,0 +1,265 @@
+/**
+ * QtJson - A simple class for parsing JSON data into a QVariant hierarchies and vice-versa.
+ * Copyright (C) 2011  Eeli Reilin
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/**
+ * \file json.h
+ */
+
+#ifndef JSON_H
+#define JSON_H
+
+#include <QVariant>
+#include <QString>
+#include <QQueue>
+
+
+/**
+ * \namespace QtJson
+ * \brief A JSON data parser
+ *
+ * Json parses a JSON data into a QVariant hierarchy.
+ */
+namespace QtJson {
+    typedef QVariantMap JsonObject;
+    typedef QVariantList JsonArray;
+
+    /**
+     * Clone a JSON object (makes a deep copy)
+     *
+     * \param data The JSON object
+     */
+    QVariant clone(const QVariant &data);
+
+    /**
+     * Insert value to JSON object (QVariantMap)
+     *
+     * \param v The JSON object
+     * \param key The key
+     * \param value The value
+     */
+    void insert(QVariant &v, const QString &key, const QVariant &value);
+
+    /**
+     * Append value to JSON array (QVariantList)
+     *
+     * \param v The JSON array
+     * \param value The value
+     */
+    void append(QVariant &v, const QVariant &value);
+
+    /**
+     * Parse a JSON string
+     *
+     * \param json The JSON data
+     */
+    QVariant parse(const QString &json);
+
+    /**
+     * Parse a JSON string
+     *
+     * \param json The JSON data
+     * \param success The success of the parsing
+     */
+    QVariant parse(const QString &json, bool &success);
+
+    /**
+     * This method generates a textual JSON representation
+     *
+     * \param data The JSON data generated by the parser.
+     *
+     * \return QByteArray Textual JSON representation in UTF-8
+     */
+    QByteArray serialize(const QVariant &data);
+
+    /**
+     * This method generates a textual JSON representation
+     *
+     * \param data The JSON data generated by the parser.
+     * \param success The success of the serialization
+     *
+     * \return QByteArray Textual JSON representation in UTF-8
+     */
+    QByteArray serialize(const QVariant &data, bool &success, int _level = 0);
+
+    /**
+     * This method generates a textual JSON representation
+     *
+     * \param data The JSON data generated by the parser.
+     *
+     * \return QString Textual JSON representation
+     */
+    QString serializeStr(const QVariant &data);
+
+    /**
+     * This method generates a textual JSON representation
+     *
+     * \param data The JSON data generated by the parser.
+     * \param success The success of the serialization
+     *
+     * \return QString Textual JSON representation
+     */
+    QString serializeStr(const QVariant &data, bool &success, int _level = 0);
+
+    /**
+     * This method sets date(time) format to be used for QDateTime::toString
+     * If QString is empty, Qt::TextDate is used.
+     *
+     * \param format The JSON data generated by the parser.
+     */
+    void setDateTimeFormat(const QString& format);
+    void setDateFormat(const QString& format);
+
+    /**
+     * This method gets date(time) format to be used for QDateTime::toString
+     * If QString is empty, Qt::TextDate is used.
+     */
+    QString getDateTimeFormat();
+    QString getDateFormat();
+
+    /**
+     * @brief setPrettySerialize enable/disabled pretty-print when serialize() a json
+     * @param enabled
+     */
+    void setPrettySerialize(bool enabled);
+
+    /**
+     * @brief isPrettySerialize check if is enabled pretty-print when serialize() a json
+     * @return
+     */
+    bool isPrettySerialize();
+
+
+
+
+    /**
+     * QVariant based Json object
+     */
+    class Object : public QVariant {
+        template<typename T>
+        Object& insertKey(Object* ptr, const QString& key) {
+            T* p = (T*)ptr->data();
+            if (!p->contains(key)) p->insert(key, QVariant());
+            return *reinterpret_cast<Object*>(&p->operator[](key));
+        }
+        template<typename T>
+        void removeKey(Object *ptr, const QString& key) {
+            T* p = (T*)ptr->data();
+            p->remove(key);
+        }
+    public:
+        Object() : QVariant() {}
+        Object(const Object& ref) : QVariant(ref) {}
+
+        Object& operator=(const QVariant& rhs) {
+            /** It maybe more robust when running under Qt versions below 4.7 */
+            QObject * obj = qvariant_cast<QObject *>(rhs);
+            //  setValue(rhs);
+            setValue(obj);
+            return *this;
+        }
+        Object& operator[](const QString& key) {
+            if (type() == QVariant::Map)
+                return insertKey<QVariantMap>(this, key);
+            else if (type() == QVariant::Hash)
+                return insertKey<QVariantHash>(this, key);
+
+            setValue(QVariantMap());
+
+            return insertKey<QVariantMap>(this, key);
+        }
+        const Object& operator[](const QString& key) const {
+            return const_cast<Object*>(this)->operator[](key);
+        }
+        void remove(const QString& key) {
+            if (type() == QVariant::Map)
+                removeKey<QVariantMap>(this, key);
+            else if (type() == QVariant::Hash)
+                removeKey<QVariantHash>(this, key);
+        }
+    };
+
+
+    class BuilderJsonArray;
+
+    /**
+     * @brief The BuilderJsonObject class
+     */
+    class BuilderJsonObject {
+
+        public:
+            BuilderJsonObject();
+            BuilderJsonObject(JsonObject &json);
+
+            BuilderJsonObject *set(const QString &key, const QVariant &value);
+            BuilderJsonObject *set(const QString &key, BuilderJsonObject *builder);
+            BuilderJsonObject *set(const QString &key, BuilderJsonArray *builder);
+            JsonObject create();
+
+        private:
+            static QQueue<BuilderJsonObject *> created_list;
+
+            JsonObject obj;
+    };
+
+    /**
+     * @brief The BuilderJsonArray class
+     */
+    class BuilderJsonArray {
+
+        public:
+            BuilderJsonArray();
+            BuilderJsonArray(JsonArray &json);
+
+            BuilderJsonArray *add(const QVariant &element);
+            BuilderJsonArray *add(BuilderJsonObject *builder);
+            BuilderJsonArray *add(BuilderJsonArray *builder);
+            JsonArray create();
+
+        private:
+            static QQueue<BuilderJsonArray *> created_list;
+
+            JsonArray array;
+    };
+
+
+    /**
+     * @brief Create a BuilderJsonObject
+     * @return
+     */
+    BuilderJsonObject *objectBuilder();
+
+    /**
+     * @brief Create a BuilderJsonObject starting from copy of another json
+     * @return
+     */
+    BuilderJsonObject *objectBuilder(JsonObject &json);
+
+    /**
+     * @brief Create a BuilderJsonArray
+     * @return
+     */
+    BuilderJsonArray *arrayBuilder();
+
+    /**
+     * @brief Create a BuilderJsonArray starting from copy of another json
+     * @return
+     */
+    BuilderJsonArray *arrayBuilder(JsonArray &json);
+}
+
+#endif //JSON_H
\ No newline at end of file
diff --git a/client/platforms/macos/daemon/dnsutilsmacos.cpp b/client/platforms/macos/daemon/dnsutilsmacos.cpp
new file mode 100644
index 00000000..b4e61620
--- /dev/null
+++ b/client/platforms/macos/daemon/dnsutilsmacos.cpp
@@ -0,0 +1,222 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "dnsutilsmacos.h"
+#include "leakdetector.h"
+#include "logger.h"
+
+#include <QScopeGuard>
+
+#include <systemconfiguration/scpreferences.h>
+#include <systemconfiguration/scdynamicstore.h>
+
+namespace {
+Logger logger(LOG_MACOS, "DnsUtilsMacos");
+}
+
+DnsUtilsMacos::DnsUtilsMacos(QObject* parent) : DnsUtils(parent) {
+  MVPN_COUNT_CTOR(DnsUtilsMacos);
+
+  m_scStore = SCDynamicStoreCreate(kCFAllocatorSystemDefault,
+                                   CFSTR("mozillavpn"), nullptr, nullptr);
+  if (m_scStore == nullptr) {
+    logger.error() << "Failed to create system configuration store ref";
+  }
+
+  logger.debug() << "DnsUtilsMacos created.";
+}
+
+DnsUtilsMacos::~DnsUtilsMacos() {
+  MVPN_COUNT_DTOR(DnsUtilsMacos);
+  restoreResolvers();
+  logger.debug() << "DnsUtilsMacos destroyed.";
+}
+
+static QString cfParseString(CFTypeRef ref) {
+  if (CFGetTypeID(ref) != CFStringGetTypeID()) {
+    return QString();
+  }
+
+  CFStringRef stringref = (CFStringRef)ref;
+  CFRange range;
+  range.location = 0;
+  range.length = CFStringGetLength(stringref);
+  if (range.length <= 0) {
+    return QString();
+  }
+
+  UniChar* buf = (UniChar*)malloc(range.length * sizeof(UniChar));
+  if (!buf) {
+    return QString();
+  }
+  auto guard = qScopeGuard([&] { free(buf); });
+
+  CFStringGetCharacters(stringref, range, buf);
+  return QString::fromUtf16(buf, range.length);
+}
+
+static QStringList cfParseStringList(CFTypeRef ref) {
+  if (CFGetTypeID(ref) != CFArrayGetTypeID()) {
+    return QStringList();
+  }
+
+  CFArrayRef array = (CFArrayRef)ref;
+  QStringList result;
+  for (CFIndex i = 0; i < CFArrayGetCount(array); i++) {
+    CFTypeRef value = CFArrayGetValueAtIndex(array, i);
+    result.append(cfParseString(value));
+  }
+
+  return result;
+}
+
+static void cfDictSetString(CFMutableDictionaryRef dict, CFStringRef name,
+                            const QString& value) {
+  if (value.isNull()) {
+    return;
+  }
+  CFStringRef cfValue = CFStringCreateWithCString(
+      kCFAllocatorSystemDefault, qUtf8Printable(value), kCFStringEncodingUTF8);
+  CFDictionarySetValue(dict, name, cfValue);
+  CFRelease(cfValue);
+}
+
+static void cfDictSetStringList(CFMutableDictionaryRef dict, CFStringRef name,
+                                const QStringList& valueList) {
+  if (valueList.isEmpty()) {
+    return;
+  }
+
+  CFMutableArrayRef array;
+  array = CFArrayCreateMutable(kCFAllocatorSystemDefault, 0,
+                               &kCFTypeArrayCallBacks);
+  if (array == nullptr) {
+    return;
+  }
+
+  for (const QString& rstring : valueList) {
+    CFStringRef cfAddr = CFStringCreateWithCString(kCFAllocatorSystemDefault,
+                                                   qUtf8Printable(rstring),
+                                                   kCFStringEncodingUTF8);
+    CFArrayAppendValue(array, cfAddr);
+    CFRelease(cfAddr);
+  }
+  CFDictionarySetValue(dict, name, array);
+  CFRelease(array);
+}
+
+bool DnsUtilsMacos::updateResolvers(const QString& ifname,
+                                    const QList<QHostAddress>& resolvers) {
+  Q_UNUSED(ifname);
+
+  // Get the list of current network services.
+  CFArrayRef netServices = SCDynamicStoreCopyKeyList(
+      m_scStore, CFSTR("Setup:/Network/Service/[0-9A-F-]+"));
+  if (netServices == nullptr) {
+    return false;
+  }
+  auto serviceGuard = qScopeGuard([&] { CFRelease(netServices); });
+
+  // Prepare the DNS configuration.
+  CFMutableDictionaryRef dnsConfig = CFDictionaryCreateMutable(
+      kCFAllocatorSystemDefault, 0, &kCFCopyStringDictionaryKeyCallBacks,
+      &kCFTypeDictionaryValueCallBacks);
+  auto configGuard = qScopeGuard([&] { CFRelease(dnsConfig); });
+  QStringList list;
+  for (const QHostAddress& addr : resolvers) {
+    list.append(addr.toString());
+  }
+  cfDictSetStringList(dnsConfig, kSCPropNetDNSServerAddresses, list);
+  cfDictSetString(dnsConfig, kSCPropNetDNSDomainName, "lan");
+
+  // Backup each network service's DNS config, and replace it with ours.
+  for (CFIndex i = 0; i < CFArrayGetCount(netServices); i++) {
+    QString service = cfParseString(CFArrayGetValueAtIndex(netServices, i));
+    QString uuid = service.section('/', 3, 3);
+    if (uuid.isEmpty()) {
+      continue;
+    }
+    backupService(uuid);
+
+    logger.debug() << "Setting DNS config for" << uuid;
+    CFStringRef dnsPath = CFStringCreateWithFormat(
+        kCFAllocatorSystemDefault, nullptr,
+        CFSTR("Setup:/Network/Service/%s/DNS"), qPrintable(uuid));
+    if (!dnsPath) {
+      continue;
+    }
+    SCDynamicStoreSetValue(m_scStore, dnsPath, dnsConfig);
+    CFRelease(dnsPath);
+  }
+  return true;
+}
+
+bool DnsUtilsMacos::restoreResolvers() {
+  for (const QString& uuid : m_prevServices.keys()) {
+    CFStringRef path = CFStringCreateWithFormat(
+        kCFAllocatorSystemDefault, nullptr,
+        CFSTR("Setup:/Network/Service/%s/DNS"), qPrintable(uuid));
+
+    logger.debug() << "Restoring DNS config for" << uuid;
+    const DnsBackup& backup = m_prevServices[uuid];
+    if (backup.isValid()) {
+      CFMutableDictionaryRef config;
+      config = CFDictionaryCreateMutable(kCFAllocatorSystemDefault, 0,
+                                         &kCFCopyStringDictionaryKeyCallBacks,
+                                         &kCFTypeDictionaryValueCallBacks);
+
+      cfDictSetString(config, kSCPropNetDNSDomainName, backup.m_domain);
+      cfDictSetStringList(config, kSCPropNetDNSSearchDomains, backup.m_search);
+      cfDictSetStringList(config, kSCPropNetDNSServerAddresses,
+                          backup.m_servers);
+      cfDictSetStringList(config, kSCPropNetDNSSortList, backup.m_sortlist);
+      SCDynamicStoreSetValue(m_scStore, path, config);
+      CFRelease(config);
+    } else {
+      SCDynamicStoreRemoveValue(m_scStore, path);
+    }
+    CFRelease(path);
+  }
+
+  m_prevServices.clear();
+  return true;
+}
+
+void DnsUtilsMacos::backupService(const QString& uuid) {
+  DnsBackup backup;
+  CFStringRef path = CFStringCreateWithFormat(
+      kCFAllocatorSystemDefault, nullptr,
+      CFSTR("Setup:/Network/Service/%s/DNS"), qPrintable(uuid));
+  CFDictionaryRef config =
+      (CFDictionaryRef)SCDynamicStoreCopyValue(m_scStore, path);
+  auto serviceGuard = qScopeGuard([&] {
+    if (config) {
+      CFRelease(config);
+    }
+    CFRelease(path);
+  });
+
+  // Parse the DNS protocol entry and save it for later.
+  if (config) {
+    CFTypeRef value;
+    value = CFDictionaryGetValue(config, kSCPropNetDNSDomainName);
+    if (value) {
+      backup.m_domain = cfParseString(value);
+    }
+    value = CFDictionaryGetValue(config, kSCPropNetDNSServerAddresses);
+    if (value) {
+      backup.m_servers = cfParseStringList(value);
+    }
+    value = CFDictionaryGetValue(config, kSCPropNetDNSSearchDomains);
+    if (value) {
+      backup.m_search = cfParseStringList(value);
+    }
+    value = CFDictionaryGetValue(config, kSCPropNetDNSSortList);
+    if (value) {
+      backup.m_sortlist = cfParseStringList(value);
+    }
+  }
+
+  m_prevServices[uuid] = backup;
+}
diff --git a/client/platforms/macos/daemon/dnsutilsmacos.h b/client/platforms/macos/daemon/dnsutilsmacos.h
new file mode 100644
index 00000000..a916b9f4
--- /dev/null
+++ b/client/platforms/macos/daemon/dnsutilsmacos.h
@@ -0,0 +1,51 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef DNSUTILSMACOS_H
+#define DNSUTILSMACOS_H
+
+#include "dnsutils.h"
+
+#include <QHostAddress>
+#include <QMap>
+#include <QString>
+
+#include <systemconfiguration/scdynamicstore.h>
+#include <systemconfiguration/systemconfiguration.h>
+
+class DnsUtilsMacos final : public DnsUtils {
+  Q_OBJECT
+  Q_DISABLE_COPY_MOVE(DnsUtilsMacos)
+
+ public:
+  explicit DnsUtilsMacos(QObject* parent);
+  virtual ~DnsUtilsMacos();
+  bool updateResolvers(const QString& ifname,
+                       const QList<QHostAddress>& resolvers) override;
+  bool restoreResolvers() override;
+
+ private:
+  void backupResolvers();
+  void backupService(const QString& uuid);
+
+ private:
+  class DnsBackup {
+   public:
+    DnsBackup() {}
+    bool isValid() const {
+      return !m_domain.isEmpty() || !m_search.isEmpty() ||
+             !m_servers.isEmpty() || !m_sortlist.isEmpty();
+    }
+
+    QString m_domain;
+    QStringList m_search;
+    QStringList m_servers;
+    QStringList m_sortlist;
+  };
+
+  SCDynamicStoreRef m_scStore = nullptr;
+  QMap<QString, DnsBackup> m_prevServices;
+};
+
+#endif  // DNSUTILSMACOS_H
diff --git a/client/platforms/macos/daemon/iputilsmacos.cpp b/client/platforms/macos/daemon/iputilsmacos.cpp
new file mode 100644
index 00000000..e5356f3f
--- /dev/null
+++ b/client/platforms/macos/daemon/iputilsmacos.cpp
@@ -0,0 +1,180 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "iputilsmacos.h"
+#include "leakdetector.h"
+#include "logger.h"
+#include "macosdaemon.h"
+#include "daemon/wireguardutils.h"
+
+#include <QHostAddress>
+#include <QScopeGuard>
+
+#include <arpa/inet.h>
+#include <net/if.h>
+#include <net/if_var.h>
+#include <netinet/in.h>
+#include <netinet/in_var.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+
+constexpr uint32_t ETH_MTU = 1500;
+constexpr uint32_t WG_MTU_OVERHEAD = 80;
+
+namespace {
+Logger logger(LOG_MACOS, "IPUtilsMacos");
+}
+
+IPUtilsMacos::IPUtilsMacos(QObject* parent) : IPUtils(parent) {
+  MVPN_COUNT_CTOR(IPUtilsMacos);
+  logger.debug() << "IPUtilsMacos created.";
+}
+
+IPUtilsMacos::~IPUtilsMacos() {
+  MVPN_COUNT_DTOR(IPUtilsMacos);
+  logger.debug() << "IPUtilsMacos destroyed.";
+}
+
+bool IPUtilsMacos::addInterfaceIPs(const InterfaceConfig& config) {
+  if (!addIP4AddressToDevice(config)) {
+    return false;
+  }
+  if (config.m_ipv6Enabled) {
+    if (!addIP6AddressToDevice(config)) {
+      return false;
+    }
+  }
+  return true;
+}
+
+bool IPUtilsMacos::setMTUAndUp(const InterfaceConfig& config) {
+  Q_UNUSED(config);
+  QString ifname = MacOSDaemon::instance()->m_wgutils->interfaceName();
+  struct ifreq ifr;
+
+  // Create socket file descriptor to perform the ioctl operations on
+  int sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP);
+  if (sockfd < 0) {
+    logger.error() << "Failed to create ioctl socket.";
+    return false;
+  }
+  auto guard = qScopeGuard([&] { close(sockfd); });
+
+  // MTU
+  strncpy(ifr.ifr_name, qPrintable(ifname), IFNAMSIZ);
+  ifr.ifr_mtu = ETH_MTU - WG_MTU_OVERHEAD;
+  int ret = ioctl(sockfd, SIOCSIFMTU, &ifr);
+  if (ret) {
+    logger.error() << "Failed to set MTU:" << strerror(errno);
+    return false;
+  }
+
+  // Get the interface flags
+  strncpy(ifr.ifr_name, qPrintable(ifname), IFNAMSIZ);
+  ret = ioctl(sockfd, SIOCGIFFLAGS, &ifr);
+  if (ret) {
+    logger.error() << "Failed to get interface flags:" << strerror(errno);
+    return false;
+  }
+
+  // Up
+  ifr.ifr_flags |= (IFF_UP | IFF_RUNNING);
+  ret = ioctl(sockfd, SIOCSIFFLAGS, &ifr);
+  if (ret) {
+    logger.error() << "Failed to set device up:" << strerror(errno);
+    return false;
+  }
+
+  return true;
+}
+
+bool IPUtilsMacos::addIP4AddressToDevice(const InterfaceConfig& config) {
+  Q_UNUSED(config);
+  QString ifname = MacOSDaemon::instance()->m_wgutils->interfaceName();
+  struct ifaliasreq ifr;
+  struct sockaddr_in* ifrAddr = (struct sockaddr_in*)&ifr.ifra_addr;
+  struct sockaddr_in* ifrMask = (struct sockaddr_in*)&ifr.ifra_mask;
+  struct sockaddr_in* ifrBcast = (struct sockaddr_in*)&ifr.ifra_broadaddr;
+
+  // Name the interface and set family
+  memset(&ifr, 0, sizeof(ifr));
+  strncpy(ifr.ifra_name, qPrintable(ifname), IFNAMSIZ);
+
+  // Get the device address to add to interface
+  QPair<QHostAddress, int> parsedAddr =
+      QHostAddress::parseSubnet(config.m_deviceIpv4Address);
+  QByteArray _deviceAddr = parsedAddr.first.toString().toLocal8Bit();
+  char* deviceAddr = _deviceAddr.data();
+  ifrAddr->sin_family = AF_INET;
+  ifrAddr->sin_len = sizeof(struct sockaddr_in);
+  inet_pton(AF_INET, deviceAddr, &ifrAddr->sin_addr);
+
+  // Set the netmask to /32
+  ifrMask->sin_family = AF_INET;
+  ifrMask->sin_len = sizeof(struct sockaddr_in);
+  memset(&ifrMask->sin_addr, 0xff, sizeof(ifrMask->sin_addr));
+
+  // Set the broadcast address.
+  ifrBcast->sin_family = AF_INET;
+  ifrBcast->sin_len = sizeof(struct sockaddr_in);
+  ifrBcast->sin_addr.s_addr =
+      (ifrAddr->sin_addr.s_addr | ~ifrMask->sin_addr.s_addr);
+
+  // Create an IPv4 socket to perform the ioctl operations on
+  int sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP);
+  if (sockfd < 0) {
+    logger.error() << "Failed to create ioctl socket.";
+    return false;
+  }
+  auto guard = qScopeGuard([&] { close(sockfd); });
+
+  // Set ifr to interface
+  int ret = ioctl(sockfd, SIOCAIFADDR, &ifr);
+  if (ret) {
+    logger.error() << "Failed to set IPv4: " << deviceAddr
+                   << "error:" << strerror(errno);
+    return false;
+  }
+  return true;
+}
+
+bool IPUtilsMacos::addIP6AddressToDevice(const InterfaceConfig& config) {
+  Q_UNUSED(config);
+  QString ifname = MacOSDaemon::instance()->m_wgutils->interfaceName();
+  struct in6_aliasreq ifr6;
+
+  // Name the interface and set family
+  memset(&ifr6, 0, sizeof(ifr6));
+  strncpy(ifr6.ifra_name, qPrintable(ifname), IFNAMSIZ);
+  ifr6.ifra_addr.sin6_family = AF_INET6;
+  ifr6.ifra_addr.sin6_len = sizeof(ifr6.ifra_addr);
+  ifr6.ifra_lifetime.ia6t_vltime = ifr6.ifra_lifetime.ia6t_pltime = 0xffffffff;
+  ifr6.ifra_prefixmask.sin6_family = AF_INET6;
+  ifr6.ifra_prefixmask.sin6_len = sizeof(ifr6.ifra_prefixmask);
+  memset(&ifr6.ifra_prefixmask.sin6_addr, 0xff, sizeof(struct in6_addr));
+
+  // Get the device address to add to interface
+  QPair<QHostAddress, int> parsedAddr =
+      QHostAddress::parseSubnet(config.m_deviceIpv6Address);
+  QByteArray _deviceAddr = parsedAddr.first.toString().toLocal8Bit();
+  char* deviceAddr = _deviceAddr.data();
+  inet_pton(AF_INET6, deviceAddr, &ifr6.ifra_addr.sin6_addr);
+
+  // Create IPv4 socket to perform the ioctl operations on
+  int sockfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP);
+  if (sockfd < 0) {
+    logger.error() << "Failed to create ioctl socket.";
+    return false;
+  }
+  auto guard = qScopeGuard([&] { close(sockfd); });
+
+  // Set ifr to interface
+  int ret = ioctl(sockfd, SIOCAIFADDR_IN6, &ifr6);
+  if (ret) {
+    logger.error() << "Failed to set IPv6: " << deviceAddr
+                   << "error:" << strerror(errno);
+    return false;
+  }
+  return true;
+}
diff --git a/client/platforms/macos/daemon/iputilsmacos.h b/client/platforms/macos/daemon/iputilsmacos.h
new file mode 100644
index 00000000..048e6965
--- /dev/null
+++ b/client/platforms/macos/daemon/iputilsmacos.h
@@ -0,0 +1,28 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef IPUTILSMACOS_H
+#define IPUTILSMACOS_H
+
+#include "daemon/iputils.h"
+
+#include <arpa/inet.h>
+
+class IPUtilsMacos final : public IPUtils {
+ public:
+  IPUtilsMacos(QObject* parent);
+  ~IPUtilsMacos();
+  bool addInterfaceIPs(const InterfaceConfig& config) override;
+  bool setMTUAndUp(const InterfaceConfig& config) override;
+  void setIfname(const QString& ifname) { m_ifname = ifname; }
+
+ private:
+  bool addIP4AddressToDevice(const InterfaceConfig& config);
+  bool addIP6AddressToDevice(const InterfaceConfig& config);
+
+ private:
+  QString m_ifname;
+};
+
+#endif  // IPUTILSMACOS_H
diff --git a/client/platforms/macos/daemon/macosdaemon.cpp b/client/platforms/macos/daemon/macosdaemon.cpp
new file mode 100644
index 00000000..64155e1b
--- /dev/null
+++ b/client/platforms/macos/daemon/macosdaemon.cpp
@@ -0,0 +1,74 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "macosdaemon.h"
+#include "leakdetector.h"
+#include "logger.h"
+#include "wgquickprocess.h"
+
+#include <QCoreApplication>
+#include <QDir>
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QJsonValue>
+#include <QLocalSocket>
+#include <QProcess>
+#include <QSettings>
+#include <QTextStream>
+#include <QtGlobal>
+
+namespace {
+Logger logger(LOG_MACOS, "MacOSDaemon");
+MacOSDaemon* s_daemon = nullptr;
+}  // namespace
+
+MacOSDaemon::MacOSDaemon() : Daemon(nullptr) {
+  MVPN_COUNT_CTOR(MacOSDaemon);
+
+  logger.debug() << "Daemon created";
+
+  m_wgutils = new WireguardUtilsMacos(this);
+  m_dnsutils = new DnsUtilsMacos(this);
+  m_iputils = new IPUtilsMacos(this);
+
+  Q_ASSERT(s_daemon == nullptr);
+  s_daemon = this;
+}
+
+MacOSDaemon::~MacOSDaemon() {
+  MVPN_COUNT_DTOR(MacOSDaemon);
+
+  logger.debug() << "Daemon released";
+
+  Q_ASSERT(s_daemon == this);
+  s_daemon = nullptr;
+}
+
+// static
+MacOSDaemon* MacOSDaemon::instance() {
+  Q_ASSERT(s_daemon);
+  return s_daemon;
+}
+
+QByteArray MacOSDaemon::getStatus() {
+  logger.debug() << "Status request";
+
+  bool connected = m_connections.contains(0);
+  QJsonObject obj;
+  obj.insert("type", "status");
+  obj.insert("connected", connected);
+
+  if (connected) {
+    const ConnectionState& state = m_connections.value(0).m_config;
+    WireguardUtils::peerStatus status =
+        m_wgutils->getPeerStatus(state.m_config.m_serverPublicKey);
+    obj.insert("serverIpv4Gateway", state.m_config.m_serverIpv4Gateway);
+    obj.insert("deviceIpv4Address", state.m_config.m_deviceIpv4Address);
+    obj.insert("date", state.m_date.toString());
+    obj.insert("txBytes", QJsonValue(status.txBytes));
+    obj.insert("rxBytes", QJsonValue(status.rxBytes));
+  }
+
+  return QJsonDocument(obj).toJson(QJsonDocument::Compact);
+}
diff --git a/client/platforms/macos/daemon/macosdaemon.h b/client/platforms/macos/daemon/macosdaemon.h
new file mode 100644
index 00000000..74db2da4
--- /dev/null
+++ b/client/platforms/macos/daemon/macosdaemon.h
@@ -0,0 +1,37 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef MACOSDAEMON_H
+#define MACOSDAEMON_H
+
+#include "daemon.h"
+#include "dnsutilsmacos.h"
+#include "iputilsmacos.h"
+#include "wireguardutilsmacos.h"
+
+class MacOSDaemon final : public Daemon {
+  friend class IPUtilsMacos;
+
+ public:
+  MacOSDaemon();
+  ~MacOSDaemon();
+
+  static MacOSDaemon* instance();
+
+  QByteArray getStatus() override;
+
+ protected:
+  WireguardUtils* wgutils() const override { return m_wgutils; }
+  bool supportDnsUtils() const override { return true; }
+  DnsUtils* dnsutils() override { return m_dnsutils; }
+  bool supportIPUtils() const override { return true; }
+  IPUtils* iputils() override { return m_iputils; }
+
+ private:
+  WireguardUtilsMacos* m_wgutils = nullptr;
+  DnsUtilsMacos* m_dnsutils = nullptr;
+  IPUtilsMacos* m_iputils = nullptr;
+};
+
+#endif  // MACOSDAEMON_H
diff --git a/client/platforms/macos/daemon/macosdaemonserver.cpp b/client/platforms/macos/daemon/macosdaemonserver.cpp
new file mode 100644
index 00000000..f0bd33d6
--- /dev/null
+++ b/client/platforms/macos/daemon/macosdaemonserver.cpp
@@ -0,0 +1,60 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "macosdaemonserver.h"
+#include "commandlineparser.h"
+#include "daemon/daemonlocalserver.h"
+#include "leakdetector.h"
+#include "logger.h"
+#include "macosdaemon.h"
+#include "mozillavpn.h"
+#include "signalhandler.h"
+
+#include <QCoreApplication>
+
+namespace {
+Logger logger(LOG_MACOS, "MacOSDaemonServer");
+}
+
+MacOSDaemonServer::MacOSDaemonServer(QObject* parent)
+    : Command(parent, "macosdaemon", "Activate the macos daemon") {
+  MVPN_COUNT_CTOR(MacOSDaemonServer);
+}
+
+MacOSDaemonServer::~MacOSDaemonServer() { MVPN_COUNT_DTOR(MacOSDaemonServer); }
+
+int MacOSDaemonServer::run(QStringList& tokens) {
+  Q_ASSERT(!tokens.isEmpty());
+  QString appName = tokens[0];
+
+  QCoreApplication app(CommandLineParser::argc(), CommandLineParser::argv());
+
+  QCoreApplication::setApplicationName("Mozilla VPN Daemon");
+  QCoreApplication::setApplicationVersion(APP_VERSION);
+
+  if (tokens.length() > 1) {
+    QList<CommandLineParser::Option*> options;
+    return CommandLineParser::unknownOption(this, appName, tokens[1], options,
+                                            false);
+  }
+
+  MacOSDaemon daemon;
+
+  DaemonLocalServer server(qApp);
+  if (!server.initialize()) {
+    logger.error() << "Failed to initialize the server";
+    return 1;
+  }
+
+  // Signal handling for a proper shutdown.
+  SignalHandler sh;
+  QObject::connect(&sh, &SignalHandler::quitRequested,
+                   []() { MacOSDaemon::instance()->deactivate(); });
+  QObject::connect(&sh, &SignalHandler::quitRequested, &app,
+                   &QCoreApplication::quit, Qt::QueuedConnection);
+
+  return app.exec();
+}
+
+static Command::RegistrationProxy<MacOSDaemonServer> s_commandMacOSDaemon;
diff --git a/client/platforms/macos/daemon/macosdaemonserver.h b/client/platforms/macos/daemon/macosdaemonserver.h
new file mode 100644
index 00000000..5447b275
--- /dev/null
+++ b/client/platforms/macos/daemon/macosdaemonserver.h
@@ -0,0 +1,18 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef MACOSDAEMONSERVER_H
+#define MACOSDAEMONSERVER_H
+
+#include "command.h"
+
+class MacOSDaemonServer final : public Command {
+ public:
+  explicit MacOSDaemonServer(QObject* parent);
+  ~MacOSDaemonServer();
+
+  int run(QStringList& tokens) override;
+};
+
+#endif  // MACOSDAEMONSERVER_H
diff --git a/client/platforms/macos/daemon/macosroutemonitor.cpp b/client/platforms/macos/daemon/macosroutemonitor.cpp
new file mode 100644
index 00000000..822886e7
--- /dev/null
+++ b/client/platforms/macos/daemon/macosroutemonitor.cpp
@@ -0,0 +1,354 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "macosroutemonitor.h"
+#include "leakdetector.h"
+#include "logger.h"
+
+#include <QCoreApplication>
+
+#include <QHostAddress>
+#include <QScopeGuard>
+#include <QTimer>
+#include <QProcess>
+
+#include <arpa/inet.h>
+#include <errno.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <net/if_dl.h>
+#include <net/if_types.h>
+#include <net/route.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <unistd.h>
+
+namespace {
+Logger logger(LOG_MACOS, "MacosRouteMonitor");
+
+template <typename T>
+static T* sockaddr_cast(QByteArray& data) {
+  const struct sockaddr* sa = (const struct sockaddr*)data.constData();
+  Q_ASSERT(sa->sa_len <= data.length());
+  if (data.length() >= (int)sizeof(T)) {
+    return (T*)data.data();
+  }
+  return nullptr;
+}
+
+}  // namespace
+
+MacosRouteMonitor::MacosRouteMonitor(const QString& ifname, QObject* parent)
+    : QObject(parent), m_ifname(ifname) {
+  MVPN_COUNT_CTOR(MacosRouteMonitor);
+  logger.debug() << "MacosRouteMonitor created.";
+
+  m_rtsock = socket(PF_ROUTE, SOCK_RAW, 0);
+  if (m_rtsock < 0) {
+    logger.error() << "Failed to create routing socket:" << strerror(errno);
+    return;
+  }
+
+  // Disable replies to our own messages.
+  int off = 0;
+  setsockopt(m_rtsock, SOL_SOCKET, SO_USELOOPBACK, &off, sizeof(off));
+
+  m_notifier = new QSocketNotifier(m_rtsock, QSocketNotifier::Read, this);
+  connect(m_notifier, &QSocketNotifier::activated, this,
+          &MacosRouteMonitor::rtsockReady);
+}
+
+MacosRouteMonitor::~MacosRouteMonitor() {
+  MVPN_COUNT_DTOR(MacosRouteMonitor);
+  if (m_rtsock >= 0) {
+    close(m_rtsock);
+  }
+  logger.debug() << "MacosRouteMonitor destroyed.";
+}
+
+void MacosRouteMonitor::handleRtmAdd(const struct rt_msghdr* rtm,
+                                     const QByteArray& payload) {
+  QList<QByteArray> addrlist = parseAddrList(payload);
+
+  // Ignore routing changes on the tunnel interfaces
+  if ((rtm->rtm_addrs & RTA_DST) && (rtm->rtm_addrs & RTA_GATEWAY)) {
+    if (m_ifname == addrToString(addrlist[1])) {
+      return;
+    }
+  }
+
+  QStringList list;
+  for (auto addr : addrlist) {
+    list.append(addrToString(addr));
+  }
+  logger.debug() << "Route added by" << rtm->rtm_pid
+                 << QString("addrs(%1):").arg(rtm->rtm_addrs) << list.join(" ");
+}
+
+void MacosRouteMonitor::handleRtmDelete(const struct rt_msghdr* rtm,
+                                        const QByteArray& payload) {
+  QList<QByteArray> addrlist = parseAddrList(payload);
+
+  // Ignore routing changes on the tunnel interfaces
+  if ((rtm->rtm_addrs & RTA_DST) && (rtm->rtm_addrs & RTA_GATEWAY)) {
+    if (m_ifname == addrToString(addrlist[1])) {
+      return;
+    }
+  }
+
+  QStringList list;
+  for (auto addr : addrlist) {
+    list.append(addrToString(addr));
+  }
+  logger.debug() << "Route deleted by" << rtm->rtm_pid
+                 << QString("addrs(%1):").arg(rtm->rtm_addrs) << list.join(" ");
+}
+
+void MacosRouteMonitor::handleRtmChange(const struct rt_msghdr* rtm,
+                                        const QByteArray& payload) {
+  QList<QByteArray> addrlist = parseAddrList(payload);
+
+  // Ignore routing changes on the tunnel interfaces
+  if ((rtm->rtm_addrs & RTA_DST) && (rtm->rtm_addrs & RTA_GATEWAY)) {
+    if (m_ifname == addrToString(addrlist[1])) {
+      return;
+    }
+  }
+
+  QStringList list;
+  for (auto addr : addrlist) {
+    list.append(addrToString(addr));
+  }
+  logger.debug() << "Route chagned by" << rtm->rtm_pid
+                 << QString("addrs(%1):").arg(rtm->rtm_addrs) << list.join(" ");
+}
+
+void MacosRouteMonitor::handleIfaceInfo(const struct if_msghdr* ifm,
+                                        const QByteArray& payload) {
+  QList<QByteArray> addrlist = parseAddrList(payload);
+
+  if (ifm->ifm_index != if_nametoindex(qPrintable(m_ifname))) {
+    return;
+  }
+  m_ifflags = ifm->ifm_flags;
+
+  QStringList list;
+  for (auto addr : addrlist) {
+    list.append(addrToString(addr));
+  }
+  logger.debug() << "Interface " << ifm->ifm_index
+                 << "chagned flags:" << ifm->ifm_flags
+                 << QString("addrs(%1):").arg(ifm->ifm_addrs) << list.join(" ");
+}
+
+void MacosRouteMonitor::rtsockReady() {
+  char buf[1024];
+  ssize_t len = recv(m_rtsock, buf, sizeof(buf), MSG_DONTWAIT);
+  if (len <= 0) {
+    return;
+  }
+
+#ifndef RTMSG_NEXT
+#  define RTMSG_NEXT(_rtm_) \
+    (struct rt_msghdr*)((char*)(_rtm_) + (_rtm_)->rtm_msglen)
+#endif
+
+  struct rt_msghdr* rtm = (struct rt_msghdr*)buf;
+  struct rt_msghdr* end = (struct rt_msghdr*)(&buf[len]);
+  while (rtm < end) {
+    // Ensure the message fits within the buffer
+    if (RTMSG_NEXT(rtm) > end) {
+      break;
+    }
+
+    // Handle the routing message.
+    QByteArray message((char*)rtm, rtm->rtm_msglen);
+    switch (rtm->rtm_type) {
+      case RTM_ADD:
+        message.remove(0, sizeof(struct rt_msghdr));
+        handleRtmAdd(rtm, message);
+        break;
+      case RTM_DELETE:
+        message.remove(0, sizeof(struct rt_msghdr));
+        handleRtmDelete(rtm, message);
+        break;
+      case RTM_CHANGE:
+        message.remove(0, sizeof(struct rt_msghdr));
+        handleRtmChange(rtm, message);
+        break;
+      case RTM_IFINFO:
+        message.remove(0, sizeof(struct if_msghdr));
+        handleIfaceInfo((struct if_msghdr*)rtm, message);
+        break;
+      default:
+        logger.debug() << "Unknown routing message:" << rtm->rtm_type;
+        break;
+    }
+
+    rtm = RTMSG_NEXT(rtm);
+  }
+}
+
+void MacosRouteMonitor::rtmAppendAddr(struct rt_msghdr* rtm, size_t maxlen,
+                                      int rtaddr, const void* sa) {
+  size_t sa_len = ((struct sockaddr*)sa)->sa_len;
+  Q_ASSERT((rtm->rtm_addrs & rtaddr) == 0);
+  if ((rtm->rtm_msglen + sa_len) > maxlen) {
+    return;
+  }
+
+  memcpy((char*)rtm + rtm->rtm_msglen, sa, sa_len);
+  rtm->rtm_addrs |= rtaddr;
+  rtm->rtm_msglen += sa_len;
+  if (rtm->rtm_msglen % sizeof(uint32_t)) {
+    rtm->rtm_msglen += sizeof(uint32_t) - (rtm->rtm_msglen % sizeof(uint32_t));
+  }
+}
+
+bool MacosRouteMonitor::rtmSendRoute(int action, const IPAddressRange& prefix) {
+  constexpr size_t rtm_max_size = sizeof(struct rt_msghdr) +
+                                  sizeof(struct sockaddr_in6) * 2 +
+                                  sizeof(struct sockaddr_dl);
+  char buf[rtm_max_size];
+  struct rt_msghdr* rtm = (struct rt_msghdr*)buf;
+
+  memset(rtm, 0, rtm_max_size);
+  rtm->rtm_msglen = sizeof(struct rt_msghdr);
+  rtm->rtm_version = RTM_VERSION;
+  rtm->rtm_type = action;
+  rtm->rtm_index = if_nametoindex(qPrintable(m_ifname));
+  rtm->rtm_flags = RTF_STATIC | RTF_UP;
+  rtm->rtm_addrs = 0;
+  rtm->rtm_pid = 0;
+  rtm->rtm_seq = m_rtseq++;
+  rtm->rtm_errno = 0;
+  rtm->rtm_inits = 0;
+  memset(&rtm->rtm_rmx, 0, sizeof(rtm->rtm_rmx));
+
+  // Append RTA_DST
+  if (prefix.type() == IPAddressRange::IPv6) {
+    struct sockaddr_in6 sin6;
+    Q_IPV6ADDR dst = QHostAddress(prefix.ipAddress()).toIPv6Address();
+    memset(&sin6, 0, sizeof(sin6));
+    sin6.sin6_family = AF_INET6;
+    sin6.sin6_len = sizeof(sin6);
+    memcpy(&sin6.sin6_addr, &dst, 16);
+    rtmAppendAddr(rtm, rtm_max_size, RTA_DST, &sin6);
+  } else {
+    struct sockaddr_in sin;
+    quint32 dst = QHostAddress(prefix.ipAddress()).toIPv4Address();
+    memset(&sin, 0, sizeof(sin));
+    sin.sin_family = AF_INET;
+    sin.sin_len = sizeof(sin);
+    sin.sin_addr.s_addr = htonl(dst);
+    rtmAppendAddr(rtm, rtm_max_size, RTA_DST, &sin);
+  }
+
+  // Append RTA_GATEWAY
+  if (action != RTM_DELETE) {
+    struct sockaddr_dl sdl;
+    memset(&sdl, 0, sizeof(sdl));
+    sdl.sdl_family = AF_LINK;
+    sdl.sdl_len = offsetof(struct sockaddr_dl, sdl_data) + m_ifname.length();
+    sdl.sdl_index = rtm->rtm_index;
+    sdl.sdl_type = IFT_OTHER;
+    sdl.sdl_nlen = m_ifname.length();
+    sdl.sdl_alen = 0;
+    sdl.sdl_slen = 0;
+    memcpy(&sdl.sdl_data, qPrintable(m_ifname), sdl.sdl_nlen);
+    rtmAppendAddr(rtm, rtm_max_size, RTA_GATEWAY, &sdl);
+  }
+
+  // Append RTA_NETMASK
+  int plen = prefix.range();
+  if (prefix.type() == IPAddressRange::IPv6) {
+    struct sockaddr_in6 sin6;
+    memset(&sin6, 0, sizeof(sin6));
+    sin6.sin6_family = AF_INET6;
+    sin6.sin6_len = sizeof(sin6);
+    memset(&sin6.sin6_addr.s6_addr, 0xff, plen / 8);
+    if (plen % 8) {
+      sin6.sin6_addr.s6_addr[plen / 8] = 0xFF ^ (0xFF >> (plen % 8));
+    }
+    rtmAppendAddr(rtm, rtm_max_size, RTA_NETMASK, &sin6);
+  } else if (prefix.type() == IPAddressRange::IPv4) {
+    struct sockaddr_in sin;
+    memset(&sin, 0, sizeof(sin));
+    sin.sin_family = AF_INET;
+    sin.sin_len = sizeof(struct sockaddr_in);
+    sin.sin_addr.s_addr = 0xffffffff;
+    if (plen < 32) {
+      sin.sin_addr.s_addr ^= htonl(0xffffffff >> plen);
+    }
+    rtmAppendAddr(rtm, rtm_max_size, RTA_NETMASK, &sin);
+  }
+
+  // Send the routing message to the kernel.
+  int len = write(m_rtsock, rtm, rtm->rtm_msglen);
+  if (len == rtm->rtm_msglen) {
+    return true;
+  }
+  if ((action == RTM_ADD) && (errno == EEXIST)) {
+    return true;
+  }
+  if ((action == RTM_DELETE) && (errno == ESRCH)) {
+    return true;
+  }
+  logger.warning() << "Failed to send routing message:" << strerror(errno);
+  return false;
+}
+
+bool MacosRouteMonitor::insertRoute(const IPAddressRange& prefix) {
+  return rtmSendRoute(RTM_ADD, prefix);
+}
+
+bool MacosRouteMonitor::deleteRoute(const IPAddressRange& prefix) {
+  return rtmSendRoute(RTM_DELETE, prefix);
+}
+
+// static
+QList<QByteArray> MacosRouteMonitor::parseAddrList(const QByteArray& payload) {
+  QList<QByteArray> list;
+  int offset = 0;
+  constexpr int minlen = offsetof(struct sockaddr, sa_len) + sizeof(u_short);
+
+  while ((offset + minlen) <= payload.length()) {
+    struct sockaddr* sa = (struct sockaddr*)(payload.constData() + offset);
+    int paddedSize = sa->sa_len;
+    if (!paddedSize || (paddedSize % sizeof(uint32_t))) {
+      paddedSize += sizeof(uint32_t) - (paddedSize % sizeof(uint32_t));
+    }
+    if ((offset + paddedSize) > payload.length()) {
+      break;
+    }
+    list.append(payload.mid(offset, paddedSize));
+    offset += paddedSize;
+  }
+  return list;
+}
+
+// static
+QString MacosRouteMonitor::addrToString(const struct sockaddr* sa) {
+  if (sa->sa_family == AF_INET) {
+    const struct sockaddr_in* sin = (const struct sockaddr_in*)sa;
+    return QString(inet_ntoa(sin->sin_addr));
+  }
+  if (sa->sa_family == AF_INET6) {
+    const struct sockaddr_in6* sin6 = (const struct sockaddr_in6*)sa;
+    char buf[INET6_ADDRSTRLEN];
+    return QString(inet_ntop(AF_INET6, &sin6->sin6_addr, buf, sizeof(buf)));
+  }
+  if (sa->sa_family == AF_LINK) {
+    const struct sockaddr_dl* sdl = (const struct sockaddr_dl*)sa;
+    return QString(link_ntoa(sdl));
+  }
+  return QString("unknown(af=%1)").arg(sa->sa_family);
+}
+
+// static
+QString MacosRouteMonitor::addrToString(const QByteArray& data) {
+  const struct sockaddr* sa = (const struct sockaddr*)data.constData();
+  Q_ASSERT(sa->sa_len <= data.length());
+  return addrToString(sa);
+}
diff --git a/client/platforms/macos/daemon/macosroutemonitor.h b/client/platforms/macos/daemon/macosroutemonitor.h
new file mode 100644
index 00000000..a912f972
--- /dev/null
+++ b/client/platforms/macos/daemon/macosroutemonitor.h
@@ -0,0 +1,54 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef MACOSROUTEMONITOR_H
+#define MACOSROUTEMONITOR_H
+
+#include "ipaddressrange.h"
+
+#include <QByteArray>
+#include <QList>
+#include <QObject>
+#include <QSocketNotifier>
+
+struct if_msghdr;
+struct rt_msghdr;
+struct sockaddr;
+
+class MacosRouteMonitor final : public QObject {
+  Q_OBJECT
+
+ public:
+  MacosRouteMonitor(const QString& ifname, QObject* parent = nullptr);
+  ~MacosRouteMonitor();
+
+  bool insertRoute(const IPAddressRange& prefix);
+  bool deleteRoute(const IPAddressRange& prefix);
+  int interfaceFlags() { return m_ifflags; }
+
+ private:
+  void handleRtmAdd(const struct rt_msghdr* msg, const QByteArray& payload);
+  void handleRtmDelete(const struct rt_msghdr* msg, const QByteArray& payload);
+  void handleRtmChange(const struct rt_msghdr* msg, const QByteArray& payload);
+  void handleIfaceInfo(const struct if_msghdr* msg, const QByteArray& payload);
+  bool rtmSendRoute(int action, const IPAddressRange& prefix);
+  static void rtmAppendAddr(struct rt_msghdr* rtm, size_t maxlen, int rtaddr,
+                            const void* sa);
+  static QList<QByteArray> parseAddrList(const QByteArray& data);
+
+ private slots:
+  void rtsockReady();
+
+ private:
+  static QString addrToString(const struct sockaddr* sa);
+  static QString addrToString(const QByteArray& data);
+
+  QString m_ifname;
+  int m_ifflags = 0;
+  int m_rtsock = -1;
+  int m_rtseq = 0;
+  QSocketNotifier* m_notifier = nullptr;
+};
+
+#endif  // MACOSROUTEMONITOR_H
diff --git a/client/platforms/macos/daemon/wireguardutilsmacos.cpp b/client/platforms/macos/daemon/wireguardutilsmacos.cpp
new file mode 100644
index 00000000..017e1e41
--- /dev/null
+++ b/client/platforms/macos/daemon/wireguardutilsmacos.cpp
@@ -0,0 +1,309 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "wireguardutilsmacos.h"
+#include "leakdetector.h"
+#include "logger.h"
+
+#include <QByteArray>
+#include <QDir>
+#include <QFile>
+#include <QLocalSocket>
+#include <QTimer>
+
+#include <errno.h>
+
+constexpr const int WG_TUN_PROC_TIMEOUT = 5000;
+constexpr const char* WG_RUNTIME_DIR = "/var/run/wireguard";
+
+namespace {
+Logger logger(LOG_MACOS, "WireguardUtilsMacos");
+Logger logwireguard(LOG_MACOS, "WireguardGo");
+};  // namespace
+
+WireguardUtilsMacos::WireguardUtilsMacos(QObject* parent)
+    : WireguardUtils(parent), m_tunnel(this) {
+  MVPN_COUNT_CTOR(WireguardUtilsMacos);
+  logger.debug() << "WireguardUtilsMacos created.";
+
+  connect(&m_tunnel, SIGNAL(readyReadStandardOutput()), this,
+          SLOT(tunnelStdoutReady()));
+  connect(&m_tunnel, SIGNAL(errorOccurred(QProcess::ProcessError)), this,
+          SLOT(tunnelErrorOccurred(QProcess::ProcessError)));
+}
+
+WireguardUtilsMacos::~WireguardUtilsMacos() {
+  MVPN_COUNT_DTOR(WireguardUtilsMacos);
+  logger.debug() << "WireguardUtilsMacos destroyed.";
+}
+
+void WireguardUtilsMacos::tunnelStdoutReady() {
+  for (;;) {
+    QByteArray line = m_tunnel.readLine();
+    if (line.length() <= 0) {
+      break;
+    }
+    logwireguard.debug() << QString::fromUtf8(line);
+  }
+}
+
+void WireguardUtilsMacos::tunnelErrorOccurred(QProcess::ProcessError error) {
+  logger.warning() << "Tunnel process encountered an error:" << error;
+  emit backendFailure();
+}
+
+bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
+  Q_UNUSED(config);
+  if (m_tunnel.state() != QProcess::NotRunning) {
+    logger.warning() << "Unable to start: tunnel process already running";
+    return false;
+  }
+
+  QDir wgRuntimeDir(WG_RUNTIME_DIR);
+  if (!wgRuntimeDir.exists()) {
+    wgRuntimeDir.mkpath(".");
+  }
+
+  QProcessEnvironment pe = QProcessEnvironment::systemEnvironment();
+  QString wgNameFile = wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name");
+  pe.insert("WG_TUN_NAME_FILE", wgNameFile);
+#ifdef QT_DEBUG
+  pe.insert("LOG_LEVEL", "debug");
+#endif
+  m_tunnel.setProcessEnvironment(pe);
+
+  QDir appPath(QCoreApplication::applicationDirPath());
+  appPath.cdUp();
+  appPath.cd("Resources");
+  appPath.cd("utils");
+  QStringList wgArgs = {"-f", "utun"};
+  m_tunnel.start(appPath.filePath("wireguard-go"), wgArgs);
+  if (!m_tunnel.waitForStarted(WG_TUN_PROC_TIMEOUT)) {
+    logger.error() << "Unable to start tunnel process due to timeout";
+    m_tunnel.kill();
+    return false;
+  }
+
+  m_ifname = waitForTunnelName(wgNameFile);
+  if (m_ifname.isNull()) {
+    logger.error() << "Unable to read tunnel interface name";
+    m_tunnel.kill();
+    return false;
+  }
+  logger.debug() << "Created wireguard interface" << m_ifname;
+
+  // Start the routing table monitor.
+  m_rtmonitor = new MacosRouteMonitor(m_ifname, this);
+
+  // Send a UAPI command to configure the interface
+  QString message("set=1\n");
+  QByteArray privateKey = QByteArray::fromBase64(config.m_privateKey.toUtf8());
+  QTextStream out(&message);
+  out << "private_key=" << QString(privateKey.toHex()) << "\n";
+  out << "replace_peers=true\n";
+  int err = uapiErrno(uapiCommand(message));
+  if (err != 0) {
+    logger.error() << "Interface configuration failed:" << strerror(err);
+  }
+  return (err == 0);
+}
+
+bool WireguardUtilsMacos::deleteInterface() {
+  if (m_rtmonitor) {
+    delete m_rtmonitor;
+    m_rtmonitor = nullptr;
+  }
+
+  if (m_tunnel.state() == QProcess::NotRunning) {
+    return false;
+  }
+
+  // Attempt to terminate gracefully.
+  m_tunnel.terminate();
+  if (!m_tunnel.waitForFinished(WG_TUN_PROC_TIMEOUT)) {
+    m_tunnel.kill();
+    m_tunnel.waitForFinished(WG_TUN_PROC_TIMEOUT);
+  }
+
+  // Garbage collect.
+  QDir wgRuntimeDir(WG_RUNTIME_DIR);
+  QFile::remove(wgRuntimeDir.filePath(QString(WG_INTERFACE) + ".name"));
+  return true;
+}
+
+// dummy implementations for now
+bool WireguardUtilsMacos::updatePeer(const InterfaceConfig& config) {
+  QByteArray publicKey =
+      QByteArray::fromBase64(qPrintable(config.m_serverPublicKey));
+
+  // Update/create the peer config
+  QString message;
+  QTextStream out(&message);
+  out << "set=1\n";
+  out << "public_key=" << QString(publicKey.toHex()) << "\n";
+  if (!config.m_serverIpv4AddrIn.isNull()) {
+    out << "endpoint=" << config.m_serverIpv4AddrIn << ":";
+  } else if (!config.m_serverIpv6AddrIn.isNull()) {
+    out << "endpoint=[" << config.m_serverIpv6AddrIn << "]:";
+  } else {
+    logger.warning() << "Failed to create peer with no endpoints";
+    return false;
+  }
+  out << config.m_serverPort << "\n";
+
+  out << "replace_allowed_ips=true\n";
+  for (const IPAddressRange& ip : config.m_allowedIPAddressRanges) {
+    out << "allowed_ip=" << ip.toString() << "\n";
+  }
+
+  int err = uapiErrno(uapiCommand(message));
+  if (err != 0) {
+    logger.error() << "Peer configuration failed:" << strerror(err);
+  }
+  return (err == 0);
+}
+
+bool WireguardUtilsMacos::deletePeer(const QString& pubkey) {
+  QByteArray publicKey = QByteArray::fromBase64(qPrintable(pubkey));
+
+  QString message;
+  QTextStream out(&message);
+  out << "set=1\n";
+  out << "public_key=" << QString(publicKey.toHex()) << "\n";
+  out << "remove=true\n";
+
+  int err = uapiErrno(uapiCommand(message));
+  if (err != 0) {
+    logger.error() << "Peer deletion failed:" << strerror(err);
+  }
+  return (err == 0);
+}
+
+WireguardUtils::peerStatus WireguardUtilsMacos::getPeerStatus(
+    const QString& pubkey) {
+  peerStatus status = {0, 0};
+  QString hexkey = QByteArray::fromBase64(pubkey.toUtf8()).toHex();
+  QString reply = uapiCommand("get=1");
+  bool match = false;
+
+  for (const QString& line : reply.split('\n')) {
+    int eq = line.indexOf('=');
+    if (eq <= 0) {
+      continue;
+    }
+    QString name = line.left(eq);
+    QString value = line.mid(eq + 1);
+
+    if (name == "public_key") {
+      match = (value == hexkey);
+      continue;
+    } else if (!match) {
+      continue;
+    }
+
+    if (name == "tx_bytes") {
+      status.txBytes = value.toDouble();
+    }
+    if (name == "rx_bytes") {
+      status.rxBytes = value.toDouble();
+    }
+  }
+
+  return status;
+}
+
+bool WireguardUtilsMacos::updateRoutePrefix(const IPAddressRange& prefix,
+                                            int hopindex) {
+  Q_UNUSED(hopindex);
+  if (!m_rtmonitor) {
+    return false;
+  }
+  return m_rtmonitor->insertRoute(prefix);
+}
+
+bool WireguardUtilsMacos::deleteRoutePrefix(const IPAddressRange& prefix,
+                                            int hopindex) {
+  Q_UNUSED(hopindex);
+  if (!m_rtmonitor) {
+    return false;
+  }
+  return m_rtmonitor->deleteRoute(prefix);
+}
+
+QString WireguardUtilsMacos::uapiCommand(const QString& command) {
+  QLocalSocket socket;
+  QTimer uapiTimeout;
+  QDir wgRuntimeDir(WG_RUNTIME_DIR);
+  QString wgSocketFile = wgRuntimeDir.filePath(m_ifname + ".sock");
+
+  uapiTimeout.setSingleShot(true);
+  uapiTimeout.start(WG_TUN_PROC_TIMEOUT);
+
+  socket.connectToServer(wgSocketFile, QIODevice::ReadWrite);
+  if (!socket.waitForConnected(WG_TUN_PROC_TIMEOUT)) {
+    logger.error() << "QLocalSocket::waitForConnected() failed:"
+                   << socket.errorString();
+    return QString();
+  }
+
+  // Send the message to the UAPI socket.
+  QByteArray message = command.toLocal8Bit();
+  while (!message.endsWith("\n\n")) {
+    message.append('\n');
+  }
+  socket.write(message);
+
+  QByteArray reply;
+  while (!reply.contains("\n\n")) {
+    if (!uapiTimeout.isActive()) {
+      logger.error() << "UAPI command timed out";
+      return QString();
+    }
+    QCoreApplication::processEvents(QEventLoop::AllEvents, 100);
+    reply.append(socket.readAll());
+  }
+
+  return QString::fromUtf8(reply).trimmed();
+}
+
+// static
+int WireguardUtilsMacos::uapiErrno(const QString& reply) {
+  for (const QString& line : reply.split("\n")) {
+    int eq = line.indexOf('=');
+    if (eq <= 0) {
+      continue;
+    }
+    if (line.left(eq) == "errno") {
+      return line.mid(eq + 1).toInt();
+    }
+  }
+  return EINVAL;
+}
+
+QString WireguardUtilsMacos::waitForTunnelName(const QString& filename) {
+  QTimer timeout;
+  timeout.setSingleShot(true);
+  timeout.start(WG_TUN_PROC_TIMEOUT);
+
+  QFile file(filename);
+  while ((m_tunnel.state() == QProcess::Running) && timeout.isActive()) {
+    QCoreApplication::processEvents(QEventLoop::AllEvents, 100);
+    if (!file.open(QIODevice::ReadOnly | QIODevice::Text)) {
+      continue;
+    }
+    QString ifname = QString::fromLocal8Bit(file.readLine()).trimmed();
+    file.close();
+
+    // Test-connect to the UAPI socket.
+    QLocalSocket sock;
+    QDir wgRuntimeDir(WG_RUNTIME_DIR);
+    QString sockName = wgRuntimeDir.filePath(ifname + ".sock");
+    sock.connectToServer(sockName, QIODevice::ReadWrite);
+    if (sock.waitForConnected(100)) {
+      return ifname;
+    }
+  }
+
+  return QString();
+}
diff --git a/client/platforms/macos/daemon/wireguardutilsmacos.h b/client/platforms/macos/daemon/wireguardutilsmacos.h
new file mode 100644
index 00000000..810d04a7
--- /dev/null
+++ b/client/platforms/macos/daemon/wireguardutilsmacos.h
@@ -0,0 +1,52 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef WIREGUARDUTILSMACOS_H
+#define WIREGUARDUTILSMACOS_H
+
+#include "daemon/wireguardutils.h"
+#include "macosroutemonitor.h"
+
+#include <QObject>
+#include <QProcess>
+
+class WireguardUtilsMacos final : public WireguardUtils {
+  Q_OBJECT
+
+ public:
+  WireguardUtilsMacos(QObject* parent);
+  ~WireguardUtilsMacos();
+
+  bool interfaceExists() override {
+    return m_tunnel.state() == QProcess::Running;
+  }
+  QString interfaceName() override { return m_ifname; }
+  bool addInterface(const InterfaceConfig& config) override;
+  bool deleteInterface() override;
+
+  bool updatePeer(const InterfaceConfig& config) override;
+  bool deletePeer(const QString& pubkey) override;
+  peerStatus getPeerStatus(const QString& pubkey) override;
+
+  bool updateRoutePrefix(const IPAddressRange& prefix, int hopindex) override;
+  bool deleteRoutePrefix(const IPAddressRange& prefix, int hopindex) override;
+
+ signals:
+  void backendFailure();
+
+ private slots:
+  void tunnelStdoutReady();
+  void tunnelErrorOccurred(QProcess::ProcessError error);
+
+ private:
+  QString uapiCommand(const QString& command);
+  static int uapiErrno(const QString& command);
+  QString waitForTunnelName(const QString& filename);
+
+  QString m_ifname;
+  QProcess m_tunnel;
+  MacosRouteMonitor* m_rtmonitor = nullptr;
+};
+
+#endif  // WIREGUARDUTILSMACOS_H
diff --git a/client/platforms/macos/macoscryptosettings.mm b/client/platforms/macos/macoscryptosettings.mm
new file mode 100644
index 00000000..a6c694e7
--- /dev/null
+++ b/client/platforms/macos/macoscryptosettings.mm
@@ -0,0 +1,136 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "cryptosettings.h"
+#include "logger.h"
+
+#include <QRandomGenerator>
+
+constexpr const NSString* SERVICE = @"Mozilla VPN";
+
+#import <Foundation/Foundation.h>
+
+namespace {
+
+Logger logger({LOG_MACOS, LOG_MAIN}, "MacOSCryptoSettings");
+
+bool initialized = false;
+QByteArray key;
+
+}  // anonymous
+
+// static
+void CryptoSettings::resetKey() {
+  logger.debug() << "Reset the key in the keychain";
+
+  NSData* service = [SERVICE dataUsingEncoding:NSUTF8StringEncoding];
+
+  NSString* appId = [[NSBundle mainBundle] bundleIdentifier];
+
+  NSMutableDictionary* query = [[NSMutableDictionary alloc] init];
+
+  [query setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
+  [query setObject:service forKey:(id)kSecAttrGeneric];
+  [query setObject:service forKey:(id)kSecAttrAccount];
+  [query setObject:appId forKey:(id)kSecAttrService];
+
+  SecItemDelete((CFDictionaryRef)query);
+
+  [query release];
+
+  initialized = false;
+}
+
+// static
+bool CryptoSettings::getKey(uint8_t output[CRYPTO_SETTINGS_KEY_SIZE]) {
+#if defined(MVPN_IOS) || defined(MVPN_MACOS_NETWORKEXTENSION) || defined(MVPN_MACOS_DAEMON)
+  if (!initialized) {
+    initialized = true;
+
+    logger.debug() << "Retrieving the key from the keychain";
+
+    NSData* service = [SERVICE dataUsingEncoding:NSUTF8StringEncoding];
+
+    NSString* appId = [[NSBundle mainBundle] bundleIdentifier];
+    NSMutableDictionary* query = [[NSMutableDictionary alloc] init];
+
+    [query setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
+    [query setObject:service forKey:(id)kSecAttrGeneric];
+    [query setObject:service forKey:(id)kSecAttrAccount];
+    [query setObject:appId forKey:(id)kSecAttrService];
+
+    [query setObject:(id)kCFBooleanTrue forKey:(id)kSecReturnData];
+    [query setObject:(id)kSecMatchLimitOne forKey:(id)kSecMatchLimit];
+
+    NSData* keyData = NULL;
+    OSStatus status = SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef*)(void*)&keyData);
+    [query release];
+
+    if (status == noErr) {
+      key = QByteArray::fromNSData(keyData);
+
+      logger.debug() << "Key found with length:" << key.length();
+      if (key.length() == CRYPTO_SETTINGS_KEY_SIZE) {
+        memcpy(output, key.data(), CRYPTO_SETTINGS_KEY_SIZE);
+        return true;
+      }
+    }
+
+    logger.warning() << "Key not found. Let's create it. Error:" << status;
+    key = QByteArray(CRYPTO_SETTINGS_KEY_SIZE, 0x00);
+    QRandomGenerator* rg = QRandomGenerator::system();
+    for (int i = 0; i < CRYPTO_SETTINGS_KEY_SIZE; ++i) {
+      key[i] = rg->generate() & 0xFF;
+    }
+
+    query = [[NSMutableDictionary alloc] init];
+
+    [query setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
+    [query setObject:service forKey:(id)kSecAttrGeneric];
+    [query setObject:service forKey:(id)kSecAttrAccount];
+    [query setObject:appId forKey:(id)kSecAttrService];
+
+    SecItemDelete((CFDictionaryRef)query);
+
+    keyData = key.toNSData();
+    [query setObject:keyData forKey:(id)kSecValueData];
+
+    status = SecItemAdd((CFDictionaryRef)query, NULL);
+
+    if (status != noErr) {
+      logger.error() << "Failed to store the key. Error:" << status;
+      key = QByteArray();
+    }
+
+    [query release];
+  }
+
+  if (key.length() == CRYPTO_SETTINGS_KEY_SIZE) {
+    memcpy(output, key.data(), CRYPTO_SETTINGS_KEY_SIZE);
+    return true;
+  }
+
+  logger.error() << "Invalid key";
+#else
+  Q_UNUSED(output);
+#endif
+
+  return false;
+}
+
+// static
+CryptoSettings::Version CryptoSettings::getSupportedVersion() {
+  logger.debug() << "Get supported settings method";
+
+#if defined(MVPN_IOS) || defined(MVPN_MACOS_NETWORKEXTENSION) || defined(MVPN_MACOS_DAEMON)
+  uint8_t key[CRYPTO_SETTINGS_KEY_SIZE];
+  if (getKey(key)) {
+    logger.debug() << "Encryption supported!";
+    return CryptoSettings::EncryptionChachaPolyV1;
+  }
+#endif
+
+  logger.debug() << "No encryption";
+  return CryptoSettings::NoEncryption;
+}
diff --git a/client/platforms/macos/macosmenubar.cpp b/client/platforms/macos/macosmenubar.cpp
new file mode 100644
index 00000000..77694556
--- /dev/null
+++ b/client/platforms/macos/macosmenubar.cpp
@@ -0,0 +1,106 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "macosmenubar.h"
+#include "leakdetector.h"
+#include "logger.h"
+#include "mozillavpn.h"
+#include "qmlengineholder.h"
+#ifdef MVPN_MACOS
+#  include "platforms/macos/macosutils.h"
+#endif
+
+#include <QAction>
+#include <QMenu>
+#include <QMenuBar>
+
+namespace {
+Logger logger(LOG_MACOS, "MacOSManuBar");
+MacOSMenuBar* s_instance = nullptr;
+}  // namespace
+
+MacOSMenuBar::MacOSMenuBar() {
+  MVPN_COUNT_CTOR(MacOSMenuBar);
+
+  Q_ASSERT(!s_instance);
+  s_instance = this;
+}
+
+MacOSMenuBar::~MacOSMenuBar() {
+  MVPN_COUNT_DTOR(MacOSMenuBar);
+
+  Q_ASSERT(s_instance == this);
+  s_instance = nullptr;
+}
+
+// static
+MacOSMenuBar* MacOSMenuBar::instance() {
+  Q_ASSERT(s_instance);
+  return s_instance;
+}
+
+void MacOSMenuBar::initialize() {
+  logger.debug() << "Creating menubar";
+
+  AmneziaVPN* vpn = AmneziaVPN::instance();
+
+  m_menuBar = new QMenuBar(nullptr);
+
+  //% "File"
+  QMenu* fileMenu = m_menuBar->addMenu(qtTrId("menubar.file.title"));
+
+  // Do not use qtTrId here!
+  QAction* quit =
+      fileMenu->addAction("quit", vpn->controller(), &Controller::quit);
+  quit->setMenuRole(QAction::QuitRole);
+
+  // Do not use qtTrId here!
+  m_aboutAction =
+      fileMenu->addAction("about.vpn", vpn, &AmneziaVPN::requestAbout);
+  m_aboutAction->setMenuRole(QAction::AboutRole);
+  m_aboutAction->setVisible(vpn->state() == AmneziaVPN::StateMain);
+
+  // Do not use qtTrId here!
+  m_preferencesAction =
+      fileMenu->addAction("preferences", vpn, &AmneziaVPN::requestSettings);
+  m_preferencesAction->setMenuRole(QAction::PreferencesRole);
+  m_preferencesAction->setVisible(vpn->state() == AmneziaVPN::StateMain);
+
+  m_closeAction = fileMenu->addAction("close", []() {
+    QmlEngineHolder::instance()->hideWindow();
+#ifdef MVPN_MACOS
+    MacOSUtils::hideDockIcon();
+#endif
+  });
+  m_closeAction->setShortcut(QKeySequence::Close);
+
+  m_helpMenu = m_menuBar->addMenu("");
+
+  retranslate();
+};
+
+void MacOSMenuBar::controllerStateChanged() {
+  AmneziaVPN* vpn = AmneziaVPN::instance();
+  m_preferencesAction->setVisible(vpn->state() == AmneziaVPN::StateMain);
+  m_aboutAction->setVisible(vpn->state() == AmneziaVPN::StateMain);
+}
+
+void MacOSMenuBar::retranslate() {
+  logger.debug() << "Retranslate";
+
+  //% "Close"
+  m_closeAction->setText(qtTrId("menubar.file.close"));
+
+  //% "Help"
+  m_helpMenu->setTitle(qtTrId("menubar.help.title"));
+  for (QAction* action : m_helpMenu->actions()) {
+    m_helpMenu->removeAction(action);
+  }
+
+  AmneziaVPN* vpn = AmneziaVPN::instance();
+  vpn->helpModel()->forEach([&](const char* nameId, int id) {
+    m_helpMenu->addAction(qtTrId(nameId),
+                          [help = vpn->helpModel(), id]() { help->open(id); });
+  });
+}
diff --git a/client/platforms/macos/macosmenubar.h b/client/platforms/macos/macosmenubar.h
new file mode 100644
index 00000000..a95ecd39
--- /dev/null
+++ b/client/platforms/macos/macosmenubar.h
@@ -0,0 +1,42 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef MACOSMENUBAR_H
+#define MACOSMENUBAR_H
+
+#include <QObject>
+
+class QAction;
+class QMenu;
+class QMenuBar;
+
+class MacOSMenuBar final : public QObject {
+  Q_OBJECT
+  Q_DISABLE_COPY_MOVE(MacOSMenuBar)
+
+ public:
+  MacOSMenuBar();
+  ~MacOSMenuBar();
+
+  static MacOSMenuBar* instance();
+
+  void initialize();
+
+  void retranslate();
+
+  QMenuBar* menuBar() const { return m_menuBar; }
+
+ public slots:
+  void controllerStateChanged();
+
+ private:
+  QMenuBar* m_menuBar = nullptr;
+
+  QAction* m_aboutAction = nullptr;
+  QAction* m_preferencesAction = nullptr;
+  QAction* m_closeAction = nullptr;
+  QMenu* m_helpMenu = nullptr;
+};
+
+#endif  // MACOSMENUBAR_H
diff --git a/client/platforms/macos/macosnetworkwatcher.h b/client/platforms/macos/macosnetworkwatcher.h
new file mode 100644
index 00000000..a35a096d
--- /dev/null
+++ b/client/platforms/macos/macosnetworkwatcher.h
@@ -0,0 +1,25 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef MACOSNETWORKWATCHER_H
+#define MACOSNETWORKWATCHER_H
+
+#include "networkwatcherimpl.h"
+
+class MacOSNetworkWatcher final : public NetworkWatcherImpl {
+ public:
+  MacOSNetworkWatcher(QObject* parent);
+  ~MacOSNetworkWatcher();
+
+  void initialize() override;
+
+  void start() override;
+
+  void checkInterface();
+
+ private:
+  void* m_delegate = nullptr;
+};
+
+#endif  // MACOSNETWORKWATCHER_H
diff --git a/client/platforms/macos/macosnetworkwatcher.mm b/client/platforms/macos/macosnetworkwatcher.mm
new file mode 100644
index 00000000..21b10710
--- /dev/null
+++ b/client/platforms/macos/macosnetworkwatcher.mm
@@ -0,0 +1,131 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "macosnetworkwatcher.h"
+#include "leakdetector.h"
+#include "logger.h"
+
+#import <CoreWLAN/CoreWLAN.h>
+
+namespace {
+Logger logger(LOG_MACOS, "MacOSNetworkWatcher");
+}
+
+@interface MacOSNetworkWatcherDelegate : NSObject <CWEventDelegate> {
+  MacOSNetworkWatcher* m_watcher;
+}
+@end
+
+@implementation MacOSNetworkWatcherDelegate
+
+- (id)initWithObject:(MacOSNetworkWatcher*)watcher {
+  self = [super init];
+  if (self) {
+    m_watcher = watcher;
+  }
+  return self;
+}
+
+- (void)bssidDidChangeForWiFiInterfaceWithName:(NSString*)interfaceName {
+  logger.debug() << "BSSID changed!" << QString::fromNSString(interfaceName);
+
+  if (m_watcher) {
+    m_watcher->checkInterface();
+  }
+}
+
+@end
+
+MacOSNetworkWatcher::MacOSNetworkWatcher(QObject* parent) : NetworkWatcherImpl(parent) {
+  MVPN_COUNT_CTOR(MacOSNetworkWatcher);
+}
+
+MacOSNetworkWatcher::~MacOSNetworkWatcher() {
+  MVPN_COUNT_DTOR(MacOSNetworkWatcher);
+
+  if (m_delegate) {
+    CWWiFiClient* client = CWWiFiClient.sharedWiFiClient;
+    if (!client) {
+      logger.debug() << "Unable to retrieve the CWWiFiClient shared instance";
+      return;
+    }
+
+    [client stopMonitoringAllEventsAndReturnError:nullptr];
+    [static_cast<MacOSNetworkWatcherDelegate*>(m_delegate) dealloc];
+    m_delegate = nullptr;
+  }
+}
+
+void MacOSNetworkWatcher::initialize() {
+  // Nothing to do here
+}
+
+void MacOSNetworkWatcher::start() {
+  NetworkWatcherImpl::start();
+
+  checkInterface();
+
+  if (m_delegate) {
+    logger.debug() << "Delegate already registered";
+    return;
+  }
+
+  CWWiFiClient* client = CWWiFiClient.sharedWiFiClient;
+  if (!client) {
+    logger.error() << "Unable to retrieve the CWWiFiClient shared instance";
+    return;
+  }
+
+  logger.debug() << "Registering delegate";
+  m_delegate = [[MacOSNetworkWatcherDelegate alloc] initWithObject:this];
+  [client setDelegate:static_cast<MacOSNetworkWatcherDelegate*>(m_delegate)];
+  [client startMonitoringEventWithType:CWEventTypeBSSIDDidChange error:nullptr];
+}
+
+void MacOSNetworkWatcher::checkInterface() {
+  logger.debug() << "Checking interface";
+
+  if (!isActive()) {
+    logger.debug() << "Feature disabled";
+    return;
+  }
+
+  CWWiFiClient* client = CWWiFiClient.sharedWiFiClient;
+  if (!client) {
+    logger.debug() << "Unable to retrieve the CWWiFiClient shared instance";
+    return;
+  }
+
+  CWInterface* interface = [client interface];
+  if (!interface) {
+    logger.debug() << "No default wifi interface";
+    return;
+  }
+
+  if (![interface powerOn]) {
+    logger.debug() << "The interface is off";
+    return;
+  }
+
+  NSString* ssidNS = [interface ssid];
+  if (!ssidNS) {
+    logger.debug() << "WiFi is not in used";
+    return;
+  }
+
+  QString ssid = QString::fromNSString(ssidNS);
+  if (ssid.isEmpty()) {
+    logger.debug() << "WiFi doesn't have a valid SSID";
+    return;
+  }
+
+  CWSecurity security = [interface security];
+  if (security == kCWSecurityNone || security == kCWSecurityWEP) {
+    logger.debug() << "Unsecured network found!";
+    emit unsecuredNetwork(ssid, ssid);
+    return;
+  }
+
+  logger.debug() << "Secure WiFi interface";
+}
diff --git a/client/platforms/macos/macospingsender.cpp b/client/platforms/macos/macospingsender.cpp
new file mode 100644
index 00000000..04090435
--- /dev/null
+++ b/client/platforms/macos/macospingsender.cpp
@@ -0,0 +1,122 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "macospingsender.h"
+#include "leakdetector.h"
+#include "logger.h"
+
+#include <QSocketNotifier>
+
+#include <arpa/inet.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/ip_icmp.h>
+#include <unistd.h>
+
+namespace {
+
+Logger logger({LOG_MACOS, LOG_NETWORKING}, "MacOSPingSender");
+
+int identifier() { return (getpid() & 0xFFFF); }
+
+};  // namespace
+
+MacOSPingSender::MacOSPingSender(const QString& source, QObject* parent)
+    : PingSender(parent) {
+  MVPN_COUNT_CTOR(MacOSPingSender);
+
+  if (getuid()) {
+    m_socket = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
+  } else {
+    m_socket = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+  }
+  if (m_socket < 0) {
+    logger.error() << "Socket creation failed";
+    return;
+  }
+
+  struct sockaddr_in addr;
+  bzero(&addr, sizeof(addr));
+  addr.sin_family = AF_INET;
+  addr.sin_len = sizeof(addr);
+
+  if (inet_aton(source.toLocal8Bit().constData(), &addr.sin_addr) == 0) {
+    logger.error() << "source address error";
+    return;
+  }
+
+  if (bind(m_socket, (struct sockaddr*)&addr, sizeof(addr)) != 0) {
+    logger.error() << "bind error:" << strerror(errno);
+    return;
+  }
+
+  m_notifier = new QSocketNotifier(m_socket, QSocketNotifier::Read, this);
+  connect(m_notifier, &QSocketNotifier::activated, this,
+          &MacOSPingSender::socketReady);
+}
+
+MacOSPingSender::~MacOSPingSender() {
+  MVPN_COUNT_DTOR(MacOSPingSender);
+  if (m_socket >= 0) {
+    close(m_socket);
+  }
+}
+
+void MacOSPingSender::sendPing(const QString& dest, quint16 sequence) {
+  struct sockaddr_in addr;
+  bzero(&addr, sizeof(addr));
+  addr.sin_family = AF_INET;
+  addr.sin_len = sizeof(addr);
+
+  if (inet_aton(dest.toLocal8Bit().constData(), &addr.sin_addr) == 0) {
+    logger.error() << "DNS lookup failed";
+    return;
+  }
+
+  struct icmp packet;
+  bzero(&packet, sizeof packet);
+  packet.icmp_type = ICMP_ECHO;
+  packet.icmp_id = identifier();
+  packet.icmp_seq = htons(sequence);
+  packet.icmp_cksum = inetChecksum(&packet, sizeof(packet));
+
+  if (sendto(m_socket, (char*)&packet, sizeof(packet), 0,
+             (struct sockaddr*)&addr, sizeof(addr)) != sizeof(packet)) {
+    logger.error() << "ping sending failed:" << strerror(errno);
+    return;
+  }
+}
+
+void MacOSPingSender::socketReady() {
+  struct msghdr msg;
+  bzero(&msg, sizeof(msg));
+
+  struct sockaddr_in addr;
+  msg.msg_name = (caddr_t)&addr;
+  msg.msg_namelen = sizeof(addr);
+
+  struct iovec iov;
+  msg.msg_iov = &iov;
+  msg.msg_iovlen = 1;
+
+  u_char packet[IP_MAXPACKET];
+  iov.iov_base = packet;
+  iov.iov_len = IP_MAXPACKET;
+
+  ssize_t rc = recvmsg(m_socket, &msg, MSG_DONTWAIT);
+  if (rc <= 0) {
+    logger.error() << "Recvmsg failed";
+    return;
+  }
+
+  struct ip* ip = (struct ip*)packet;
+  int hlen = ip->ip_hl << 2;
+  struct icmp* icmp = (struct icmp*)(((char*)packet) + hlen);
+
+  if (icmp->icmp_type == ICMP_ECHOREPLY && icmp->icmp_id == identifier()) {
+    emit recvPing(htons(icmp->icmp_seq));
+  }
+}
diff --git a/client/platforms/macos/macospingsender.h b/client/platforms/macos/macospingsender.h
new file mode 100644
index 00000000..cc54c613
--- /dev/null
+++ b/client/platforms/macos/macospingsender.h
@@ -0,0 +1,30 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef MACOSPINGSENDER_H
+#define MACOSPINGSENDER_H
+
+#include "pingsender.h"
+
+class QSocketNotifier;
+
+class MacOSPingSender final : public PingSender {
+  Q_OBJECT
+  Q_DISABLE_COPY_MOVE(MacOSPingSender)
+
+ public:
+  MacOSPingSender(const QString& source, QObject* parent = nullptr);
+  ~MacOSPingSender();
+
+  void sendPing(const QString& dest, quint16 sequence) override;
+
+ private slots:
+  void socketReady();
+
+ private:
+  QSocketNotifier* m_notifier = nullptr;
+  int m_socket = -1;
+};
+
+#endif  // MACOSPINGSENDER_H
diff --git a/client/platforms/macos/macosstartatbootwatcher.cpp b/client/platforms/macos/macosstartatbootwatcher.cpp
new file mode 100644
index 00000000..e8c504a3
--- /dev/null
+++ b/client/platforms/macos/macosstartatbootwatcher.cpp
@@ -0,0 +1,28 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "macosstartatbootwatcher.h"
+#include "leakdetector.h"
+#include "logger.h"
+#include "macosutils.h"
+
+namespace {
+Logger logger(LOG_MACOS, "MacOSStartAtBootWatcher");
+}
+
+MacOSStartAtBootWatcher::MacOSStartAtBootWatcher(bool startAtBoot) {
+  MVPN_COUNT_CTOR(MacOSStartAtBootWatcher);
+
+  logger.debug() << "StartAtBoot watcher";
+  MacOSUtils::enableLoginItem(startAtBoot);
+}
+
+MacOSStartAtBootWatcher::~MacOSStartAtBootWatcher() {
+  MVPN_COUNT_DTOR(MacOSStartAtBootWatcher);
+}
+
+void MacOSStartAtBootWatcher::startAtBootChanged(bool startAtBoot) {
+  logger.debug() << "StartAtBoot changed:" << startAtBoot;
+  MacOSUtils::enableLoginItem(startAtBoot);
+}
diff --git a/client/platforms/macos/macosstartatbootwatcher.h b/client/platforms/macos/macosstartatbootwatcher.h
new file mode 100644
index 00000000..18fd540a
--- /dev/null
+++ b/client/platforms/macos/macosstartatbootwatcher.h
@@ -0,0 +1,22 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef MACOSSTARTATBOOTWATCHER_H
+#define MACOSSTARTATBOOTWATCHER_H
+
+#include <QObject>
+
+class MacOSStartAtBootWatcher final : public QObject {
+  Q_OBJECT
+  Q_DISABLE_COPY_MOVE(MacOSStartAtBootWatcher)
+
+ public:
+  explicit MacOSStartAtBootWatcher(bool startAtBoot);
+  ~MacOSStartAtBootWatcher();
+
+ public slots:
+  void startAtBootChanged(bool value);
+};
+
+#endif  // MACOSSTARTATBOOTWATCHER_H
diff --git a/client/platforms/macos/macosutils.h b/client/platforms/macos/macosutils.h
new file mode 100644
index 00000000..7ef16be5
--- /dev/null
+++ b/client/platforms/macos/macosutils.h
@@ -0,0 +1,23 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef MACOSUTILS_H
+#define MACOSUTILS_H
+
+#include <QObject>
+#include <QString>
+
+class MacOSUtils final {
+ public:
+  static QString computerName();
+
+  static void enableLoginItem(bool startAtBoot);
+
+  static void setDockClickHandler();
+
+  static void hideDockIcon();
+  static void showDockIcon();
+};
+
+#endif  // MACOSUTILS_H
diff --git a/client/platforms/macos/macosutils.mm b/client/platforms/macos/macosutils.mm
new file mode 100644
index 00000000..7fd7c86e
--- /dev/null
+++ b/client/platforms/macos/macosutils.mm
@@ -0,0 +1,91 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "macosutils.h"
+#include "logger.h"
+#include "models/helpmodel.h"
+#include "qmlengineholder.h"
+
+#include <objc/message.h>
+#include <objc/objc.h>
+
+#include <QFile>
+#include <QMenuBar>
+
+#import <Cocoa/Cocoa.h>
+#import <ServiceManagement/ServiceManagement.h>
+
+namespace {
+Logger logger(LOG_MACOS, "MacOSUtils");
+}
+
+// static
+QString MacOSUtils::computerName() {
+  NSString* name = [[NSHost currentHost] localizedName];
+  return QString::fromNSString(name);
+}
+
+// static
+void MacOSUtils::enableLoginItem(bool startAtBoot) {
+  logger.debug() << "Enabling login-item";
+
+  NSString* appId = [[NSBundle mainBundle] bundleIdentifier];
+  NSString* loginItemAppId =
+      QString("%1.login-item").arg(QString::fromNSString(appId)).toNSString();
+  CFStringRef cfs = (__bridge CFStringRef)loginItemAppId;
+
+  Boolean ok = SMLoginItemSetEnabled(cfs, startAtBoot ? YES : NO);
+  logger.debug() << "Result: " << ok;
+}
+
+namespace {
+
+bool dockClickHandler(id self, SEL cmd, ...) {
+  Q_UNUSED(self);
+  Q_UNUSED(cmd);
+
+  logger.debug() << "Dock icon clicked.";
+  QmlEngineHolder::instance()->showWindow();
+  return FALSE;
+}
+
+}  // namespace
+
+// static
+void MacOSUtils::setDockClickHandler() {
+  NSApplication* app = [NSApplication sharedApplication];
+  if (!app) {
+    logger.debug() << "No sharedApplication";
+    return;
+  }
+
+  id delegate = [app delegate];
+  if (!delegate) {
+    logger.debug() << "No delegate";
+    return;
+  }
+
+  Class delegateClass = [delegate class];
+  if (!delegateClass) {
+    logger.debug() << "No delegate class";
+    return;
+  }
+
+  SEL shouldHandle = sel_registerName("applicationShouldHandleReopen:hasVisibleWindows:");
+  if (class_getInstanceMethod(delegateClass, shouldHandle)) {
+    if (!class_replaceMethod(delegateClass, shouldHandle, (IMP)dockClickHandler, "B@:")) {
+      logger.error() << "Failed to replace the dock click handler";
+    }
+  } else if (!class_addMethod(delegateClass, shouldHandle, (IMP)dockClickHandler, "B@:")) {
+    logger.error() << "Failed to register the dock click handler";
+  }
+}
+
+void MacOSUtils::hideDockIcon() {
+  [NSApp setActivationPolicy:NSApplicationActivationPolicyAccessory];
+}
+
+void MacOSUtils::showDockIcon() {
+  [NSApp setActivationPolicy:NSApplicationActivationPolicyRegular];
+}
diff --git a/client/protocols/android_vpnprotocol.cpp b/client/protocols/android_vpnprotocol.cpp
index 41818dd5..66e2eaf5 100644
--- a/client/protocols/android_vpnprotocol.cpp
+++ b/client/protocols/android_vpnprotocol.cpp
@@ -20,7 +20,7 @@
 #include "platforms/android/android_controller.h"
 
 
-AndroidVpnProtocol::AndroidVpnProtocol(Protocol protocol, const QJsonObject &configuration, QObject* parent)
+AndroidVpnProtocol::AndroidVpnProtocol(Proto protocol, const QJsonObject &configuration, QObject* parent)
     : VpnProtocol(configuration, parent),
       m_protocol(protocol)
 {
diff --git a/client/protocols/android_vpnprotocol.h b/client/protocols/android_vpnprotocol.h
index ede6ffd8..cdcff2c6 100644
--- a/client/protocols/android_vpnprotocol.h
+++ b/client/protocols/android_vpnprotocol.h
@@ -16,7 +16,7 @@ class AndroidVpnProtocol : public VpnProtocol
     Q_OBJECT
 
 public:
-    explicit AndroidVpnProtocol(Protocol protocol, const QJsonObject& configuration, QObject* parent = nullptr);
+    explicit AndroidVpnProtocol(Proto protocol, const QJsonObject& configuration, QObject* parent = nullptr);
     virtual ~AndroidVpnProtocol() override = default;
 
     ErrorCode start() override;
@@ -31,7 +31,7 @@ protected:
 
 
 private:
-    Protocol m_protocol;
+    Proto m_protocol;
 
 };
 
diff --git a/client/protocols/ikev2_vpn_protocol.cpp b/client/protocols/ikev2_vpn_protocol.cpp
index 42e34ee8..8f5d4cd3 100644
--- a/client/protocols/ikev2_vpn_protocol.cpp
+++ b/client/protocols/ikev2_vpn_protocol.cpp
@@ -241,7 +241,7 @@ void Ikev2Protocol::newConnectionStateEventReceived(UINT unMsg, tagRASCONNSTATE
 
 void Ikev2Protocol::readIkev2Configuration(const QJsonObject &configuration)
 {
-    m_config = configuration.value(ProtocolProps::key_proto_config_data(Protocol::Ikev2)).toObject();
+    m_config = configuration.value(ProtocolProps::key_proto_config_data(Proto::Ikev2)).toObject();
 }
 
 ErrorCode Ikev2Protocol::start()
diff --git a/client/protocols/ios_vpnprotocol.h b/client/protocols/ios_vpnprotocol.h
new file mode 100644
index 00000000..d66a89a7
--- /dev/null
+++ b/client/protocols/ios_vpnprotocol.h
@@ -0,0 +1,51 @@
+#ifndef IOS_VPNPROTOCOL_H
+#define IOS_VPNPROTOCOL_H
+
+#include "vpnprotocol.h"
+#include "protocols/protocols_defs.h"
+
+using namespace amnezia;
+
+
+class IOSVpnProtocol : public VpnProtocol
+{
+    Q_OBJECT
+
+public:
+    explicit IOSVpnProtocol(amnezia::Proto proto, const QJsonObject& configuration, QObject* parent = nullptr);
+    static IOSVpnProtocol* instance();
+    
+    virtual ~IOSVpnProtocol() = default;
+
+    bool initialize();
+
+    virtual ErrorCode start() override;
+    virtual void stop() override;
+
+    void resume_start();
+
+    void checkStatus();
+
+    void setNotificationText(const QString& title, const QString& message,
+                             int timerSec);
+    void setFallbackConnectedNotification();
+
+    void getBackendLogs(std::function<void(const QString&)>&& callback);
+
+    void cleanupBackendLogs();
+
+signals:
+
+protected slots:
+
+protected:
+
+private:
+    Proto m_protocol;
+    bool m_serviceConnected = false;
+    bool m_checkingStatus = false;
+    std::function<void(const QString&)> m_logCallback;
+};
+
+
+#endif // IOS_VPNPROTOCOL_H
diff --git a/client/protocols/ios_vpnprotocol.mm b/client/protocols/ios_vpnprotocol.mm
new file mode 100644
index 00000000..6e5246cb
--- /dev/null
+++ b/client/protocols/ios_vpnprotocol.mm
@@ -0,0 +1,298 @@
+#include <QDebug>
+#include <QHostAddress>
+#include <QJsonArray>
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QRandomGenerator>
+#include <QTextCodec>
+#include <QTimer>
+#include <QFile>
+
+#include <QByteArray>
+
+#include "json.h"
+
+#include "ipaddressrange.h"
+#include "ios_vpnprotocol.h"
+#include "core/errorstrings.h"
+#include "AmneziaVPN-Swift.h"
+
+namespace
+{
+IOSVpnProtocol* s_instance = nullptr;
+IOSVpnProtocolImpl* m_controller = nullptr;
+}
+
+IOSVpnProtocol::IOSVpnProtocol(Proto proto, const QJsonObject &configuration, QObject* parent)
+: VpnProtocol(configuration, parent),
+m_protocol(proto) {}
+
+IOSVpnProtocol* IOSVpnProtocol::instance() {
+    return s_instance;
+}
+
+bool IOSVpnProtocol::initialize()
+{
+    qDebug() << "Initializing Swift Controller";
+    
+    static bool creating = false;
+    // No nested creation!
+    Q_ASSERT(creating == false);
+    creating = true;
+    
+    if (!m_controller) {
+        bool ok;
+        QtJson::JsonObject result = QtJson::parse(QJsonDocument(m_rawConfig).toJson(), ok).toMap();
+        
+        if(!ok) {
+            qDebug() << QString("An error occurred during parsing");
+            return false;
+        }
+        
+        QString vpnProto = result["protocol"].toString();
+        qDebug() << "protocol: " << vpnProto;
+        qDebug() << "config data => ";
+        QtJson::JsonObject config = result["wireguard_config_data"].toMap();
+        
+        QString privateKey = config["client_priv_key"].toString();
+        QByteArray key = QByteArray::fromBase64(privateKey.toLocal8Bit());
+        
+        qDebug() << "  - " << "client_priv_key: " << config["client_priv_key"].toString();
+        qDebug() << "  - " << "client_pub_key: " << config["client_pub_key"].toString();
+        qDebug() << "  - " << "interface config: " << config["config"].toString();
+        
+        QString addr = config["config"].toString().split("\n").takeAt(1).split(" = ").takeLast();
+        QString dns = config["config"].toString().split("\n").takeAt(2).split(" = ").takeLast();
+        QString privkey = config["config"].toString().split("\n").takeAt(3).split(" = ").takeLast();
+        QString pubkey = config["config"].toString().split("\n").takeAt(6).split(" = ").takeLast();
+        QString presharedkey = config["config"].toString().split("\n").takeAt(7).split(" = ").takeLast();
+        QString allowedips = config["config"].toString().split("\n").takeAt(8).split(" = ").takeLast();
+        QString endpoint = config["config"].toString().split("\n").takeAt(9).split(" = ").takeLast();
+        QString keepalive = config["config"].toString().split("\n").takeAt(10).split(" = ").takeLast();
+        qDebug() << "  - " << "[Interface] address: " << addr;
+        qDebug() << "  - " << "[Interface] dns: " << dns;
+        qDebug() << "  - " << "[Interface] private key: " << privkey;
+        qDebug() << "  - " << "[Peer] public key: " << pubkey;
+        qDebug() << "  - " << "[Peer] preshared key: " << presharedkey;
+        qDebug() << "  - " << "[Peer] allowed ips: " << allowedips;
+        qDebug() << "  - " << "[Peer] endpoint: " << endpoint;
+        qDebug() << "  - " << "[Peer] keepalive: " << keepalive;
+        
+        qDebug() << "  - " << "hostName: " << config["hostName"].toString();
+        qDebug() << "  - " << "psk_key: " << config["psk_key"].toString();
+        qDebug() << "  - " << "server_pub_key: " << config["server_pub_key"].toString();
+        
+        
+        
+        m_controller = [[IOSVpnProtocolImpl alloc] initWithBundleID:@VPN_NE_BUNDLEID
+                                                         privateKey:key.toNSData()
+                                                  deviceIpv4Address:addr.toNSString()
+                                                  deviceIpv6Address:@"::/0"
+        closure:^(ConnectionState state, NSDate* date) {
+            qDebug() << "Creation completed with connection state:" << state;
+            creating = false;
+            
+            switch (state) {
+                case ConnectionStateError: {
+                    [m_controller dealloc];
+                    m_controller = nullptr;
+                    emit connectionStateChanged(VpnConnectionState::Error);
+                    return;
+                }
+                case ConnectionStateConnected: {
+                    Q_ASSERT(date);
+                    QDateTime qtDate(QDateTime::fromNSDate(date));
+                    emit connectionStateChanged(VpnConnectionState::Connected);
+                    return;
+                }
+                case ConnectionStateDisconnected:
+                    // Just in case we are connecting, let's call disconnect.
+                    [m_controller disconnect];
+                    emit connectionStateChanged(VpnConnectionState::Disconnected);
+                    return;
+            }
+        }
+        callback:^(BOOL a_connected) {
+            qDebug() << "State changed: " << a_connected;
+            if (a_connected) {
+                emit connectionStateChanged(Connected);
+                return;
+            }
+//            emit connectionStateChanged(Disconnected);
+        }];
+    }
+    return true;
+}
+
+ErrorCode IOSVpnProtocol::start()
+{
+    bool ok;
+    QtJson::JsonObject result = QtJson::parse(QJsonDocument(m_rawConfig).toJson(), ok).toMap();
+    
+    if(!ok) {
+        qDebug() << QString("An error occurred during config parsing");
+        return InternalError;
+    }
+    QString protocol = result["protocol"].toString();
+    QtJson::JsonObject config = result["wireguard_config_data"].toMap();
+    
+    QString clientPrivateKey = config["client_priv_key"].toString();
+    QByteArray key = QByteArray::fromBase64(clientPrivateKey.toLocal8Bit());
+    QString clientPubKey = config["client_pub_key"].toString();
+    
+    QString addr = config["config"].toString().split("\n").takeAt(1).split(" = ").takeLast();
+    QStringList dnsServersList = config["config"].toString().split("\n").takeAt(2).split(" = ").takeLast().split(", ");
+    QString privkey = config["config"].toString().split("\n").takeAt(3).split(" = ").takeLast();
+    QString pubkey = config["config"].toString().split("\n").takeAt(6).split(" = ").takeLast();
+    QString presharedkey = config["config"].toString().split("\n").takeAt(7).split(" = ").takeLast();
+    QStringList allowedIPList = config["config"].toString().split("\n").takeAt(8).split(" = ").takeLast().split(", ");
+    QString endpoint = config["config"].toString().split("\n").takeAt(9).split(" = ").takeLast();
+    QString serverAddr = config["config"].toString().split("\n").takeAt(9).split(" = ").takeLast().split(":").takeFirst();
+    QString port = config["config"].toString().split("\n").takeAt(9).split(" = ").takeLast().split(":").takeLast();
+    QString keepalive = config["config"].toString().split("\n").takeAt(10).split(" = ").takeLast();
+    
+    QString hostname = config["hostName"].toString();
+    QString pskKey = config["psk_key"].toString();
+    QString serverPubKey = config["server_pub_key"].toString();
+    
+    qDebug() << "IOSVPNProtocol starts for" << hostname;
+    qDebug() << "DNS:" << dnsServersList.takeFirst().toNSString();
+    qDebug() << "serverPublicKey:" << serverPubKey.toNSString();
+    qDebug() << "serverIpv4AddrIn:" << serverAddr.toNSString();
+    qDebug() << "serverPort:" << (uint32_t)port.toInt();
+    qDebug() << "allowed ip list" << allowedIPList;
+    
+    NSMutableArray<VPNIPAddressRange*>* allowedIPAddressRangesNS =
+        [NSMutableArray<VPNIPAddressRange*> arrayWithCapacity:allowedIPList.length()];
+    for (const IPAddressRange item : allowedIPList) {
+        VPNIPAddressRange* range =
+            [[VPNIPAddressRange alloc] initWithAddress:item.ipAddress().toNSString()
+                                   networkPrefixLength:item.range()
+                                                isIpv6:item.type() == IPAddressRange::IPv6];
+        [allowedIPAddressRangesNS addObject:[range autorelease]];
+    }
+    
+    [m_controller connectWithDnsServer:dnsServersList.takeFirst().toNSString()
+                     serverIpv6Gateway:@"FE80::1"
+                       serverPublicKey:serverPubKey.toNSString()
+                          presharedKey:pskKey.toNSString()
+                      serverIpv4AddrIn:serverAddr.toNSString()
+                            serverPort:port.toInt()
+                allowedIPAddressRanges:allowedIPAddressRangesNS
+                           ipv6Enabled:NO
+                                reason:0
+                       failureCallback:^() {
+        qDebug() << "IOSVPNProtocol - connection failed";
+        emit connectionStateChanged(Disconnected);
+    }];
+    return NoError;
+}
+
+void IOSVpnProtocol::stop()
+{
+    if (!m_controller) {
+        qDebug() << "Not correctly initialized";
+        emit connectionStateChanged(Disconnected);
+        return;
+    }
+    
+    [m_controller disconnect];
+}
+
+void IOSVpnProtocol::resume_start()
+{
+    
+}
+
+void IOSVpnProtocol::checkStatus()
+{
+    qDebug() << "Checking status";
+    
+    if (m_checkingStatus) {
+        qDebug() << "We are still waiting for the previous status.";
+        return;
+    }
+    
+    if (!m_controller) {
+        qDebug() << "Not correctly initialized";
+        return;
+    }
+    
+    m_checkingStatus = true;
+    
+    [m_controller checkStatusWithCallback:^(NSString* serverIpv4Gateway, NSString* deviceIpv4Address,
+                                            NSString* configString) {
+        QString config = QString::fromNSString(configString);
+        
+        m_checkingStatus = false;
+        
+        if (config.isEmpty()) {
+            return;
+        }
+        
+        uint64_t txBytes = 0;
+        uint64_t rxBytes = 0;
+        
+        QStringList lines = config.split("\n");
+        for (const QString& line : lines) {
+            if (line.startsWith("tx_bytes=")) {
+                txBytes = line.split("=")[1].toULongLong();
+            } else if (line.startsWith("rx_bytes=")) {
+                rxBytes = line.split("=")[1].toULongLong();
+            }
+            
+            if (txBytes && rxBytes) {
+                break;
+            }
+        }
+        
+        qDebug() << "ServerIpv4Gateway:" << QString::fromNSString(serverIpv4Gateway)
+                    << "DeviceIpv4Address:" << QString::fromNSString(deviceIpv4Address)
+                    << "RxBytes:" << rxBytes << "TxBytes:" << txBytes;
+        emit bytesChanged(rxBytes, txBytes);
+        
+    }];
+}
+
+void IOSVpnProtocol::setNotificationText(const QString &title, const QString &message, int timerSec)
+{
+    // TODO: add user notifications?
+}
+
+void IOSVpnProtocol::setFallbackConnectedNotification()
+{
+    // TODO: add default user notifications?
+}
+
+void IOSVpnProtocol::getBackendLogs(std::function<void (const QString &)> &&callback)
+{
+    std::function<void(const QString&)> a_callback = std::move(callback);
+
+    QString groupId(GROUP_ID);
+    NSURL* groupPath = [[NSFileManager defaultManager]
+        containerURLForSecurityApplicationGroupIdentifier:groupId.toNSString()];
+
+    NSURL* path = [groupPath URLByAppendingPathComponent:@"networkextension.log"];
+
+    QFile file(QString::fromNSString([path path]));
+    if (!file.open(QIODevice::ReadOnly)) {
+      a_callback("Network extension log file missing or unreadable.");
+      return;
+    }
+
+    QByteArray content = file.readAll();
+    a_callback(content);
+}
+
+void IOSVpnProtocol::cleanupBackendLogs()
+{
+    QString groupId(GROUP_ID);
+    NSURL* groupPath = [[NSFileManager defaultManager]
+        containerURLForSecurityApplicationGroupIdentifier:groupId.toNSString()];
+
+    NSURL* path = [groupPath URLByAppendingPathComponent:@"networkextension.log"];
+
+    QFile file(QString::fromNSString([path path]));
+    file.remove();
+}
+
diff --git a/client/protocols/openvpnovercloakprotocol.cpp b/client/protocols/openvpnovercloakprotocol.cpp
index f2ac4512..01afb4ca 100644
--- a/client/protocols/openvpnovercloakprotocol.cpp
+++ b/client/protocols/openvpnovercloakprotocol.cpp
@@ -78,7 +78,7 @@ ErrorCode OpenVpnOverCloakProtocol::start()
     m_ckProcess.waitForStarted();
 
     if (m_ckProcess.state() == QProcess::ProcessState::Running) {
-        setConnectionState(ConnectionState::Connecting);
+        setConnectionState(VpnConnectionState::Connecting);
 
         return OpenVpnProtocol::start();
     }
@@ -113,5 +113,5 @@ QString OpenVpnOverCloakProtocol::cloakExecPath()
 
 void OpenVpnOverCloakProtocol::readCloakConfiguration(const QJsonObject &configuration)
 {
-    m_cloakConfig = configuration.value(ProtocolProps::key_proto_config_data(Protocol::Cloak)).toObject();
+    m_cloakConfig = configuration.value(ProtocolProps::key_proto_config_data(Proto::Cloak)).toObject();
 }
diff --git a/client/protocols/openvpnprotocol.cpp b/client/protocols/openvpnprotocol.cpp
index df57e365..75e56674 100644
--- a/client/protocols/openvpnprotocol.cpp
+++ b/client/protocols/openvpnprotocol.cpp
@@ -86,8 +86,8 @@ void OpenVpnProtocol::killOpenVpnProcess()
 
 void OpenVpnProtocol::readOpenVpnConfiguration(const QJsonObject &configuration)
 {
-    if (configuration.contains(ProtocolProps::key_proto_config_data(Protocol::OpenVpn))) {
-        QJsonObject jConfig = configuration.value(ProtocolProps::key_proto_config_data(Protocol::OpenVpn)).toObject();
+    if (configuration.contains(ProtocolProps::key_proto_config_data(Proto::OpenVpn))) {
+        QJsonObject jConfig = configuration.value(ProtocolProps::key_proto_config_data(Proto::OpenVpn)).toObject();
 
         m_configFile.open();
         m_configFile.write(jConfig.value(config_key::config).toString().toUtf8());
@@ -167,7 +167,7 @@ ErrorCode OpenVpnProtocol::start()
         return lastError();
     }
 
-    setConnectionState(ConnectionState::Connecting);
+    setConnectionState(VpnConnectionState::Connecting);
 
     m_openVpnProcess = IpcClient::CreatePrivilegedProcess();
 
@@ -201,7 +201,7 @@ ErrorCode OpenVpnProtocol::start()
     });
 
     connect(m_openVpnProcess.data(), &PrivilegedProcess::finished, this, [&]() {
-        setConnectionState(ConnectionState::Disconnected);
+        setConnectionState(VpnConnectionState::Disconnected);
     });
 
     m_openVpnProcess->start();
diff --git a/client/protocols/protocols_defs.cpp b/client/protocols/protocols_defs.cpp
index 30f1a2f1..93578d12 100644
--- a/client/protocols/protocols_defs.cpp
+++ b/client/protocols/protocols_defs.cpp
@@ -2,7 +2,7 @@
 
 using namespace amnezia;
 
-QDebug operator<<(QDebug debug, const amnezia::ProtocolEnumNS::Protocol &p)
+QDebug operator<<(QDebug debug, const amnezia::ProtocolEnumNS::Proto &p)
 {
     QDebugStateSaver saver(debug);
     debug.nospace() << ProtocolProps::protoToString(p);
@@ -10,29 +10,29 @@ QDebug operator<<(QDebug debug, const amnezia::ProtocolEnumNS::Protocol &p)
     return debug;
 }
 
-amnezia::Protocol ProtocolProps::protoFromString(QString proto){
-    QMetaEnum metaEnum = QMetaEnum::fromType<Protocol>();
+amnezia::Proto ProtocolProps::protoFromString(QString proto){
+    QMetaEnum metaEnum = QMetaEnum::fromType<Proto>();
     for (int i = 0; i < metaEnum.keyCount(); ++i) {
-        Protocol p = static_cast<Protocol>(i);
+        Proto p = static_cast<Proto>(i);
         if (proto == protoToString(p)) return p;
     }
-    return Protocol::Any;
+    return Proto::Any;
 }
 
-QString ProtocolProps::protoToString(amnezia::Protocol p){
-    if (p == Protocol::Any) return "";
+QString ProtocolProps::protoToString(amnezia::Proto p){
+    if (p == Proto::Any) return "";
 
-    QMetaEnum metaEnum = QMetaEnum::fromType<Protocol>();
+    QMetaEnum metaEnum = QMetaEnum::fromType<Proto>();
     QString protoKey = metaEnum.valueToKey(static_cast<int>(p));
     return protoKey.toLower();
 }
 
-QList<amnezia::Protocol> ProtocolProps::allProtocols()
+QList<amnezia::Proto> ProtocolProps::allProtocols()
 {
-    QMetaEnum metaEnum = QMetaEnum::fromType<Protocol>();
-    QList<Protocol> all;
+    QMetaEnum metaEnum = QMetaEnum::fromType<Proto>();
+    QList<Proto> all;
     for (int i = 0; i < metaEnum.keyCount(); ++i) {
-        all.append(static_cast<Protocol>(i));
+        all.append(static_cast<Proto>(i));
     }
 
     return all;
@@ -48,7 +48,7 @@ TransportProto ProtocolProps::transportProtoFromString(QString p)
     return TransportProto::Udp;
 }
 
-QString ProtocolProps::transportProtoToString(TransportProto proto, Protocol p)
+QString ProtocolProps::transportProtoToString(TransportProto proto, Proto p)
 {
     QMetaEnum metaEnum = QMetaEnum::fromType<TransportProto>();
     QString protoKey = metaEnum.valueToKey(static_cast<int>(proto));
@@ -66,124 +66,124 @@ QString ProtocolProps::transportProtoToString(TransportProto proto, Protocol p)
 }
 
 
-QMap<amnezia::Protocol, QString> ProtocolProps::protocolHumanNames()
+QMap<amnezia::Proto, QString> ProtocolProps::protocolHumanNames()
 {
     return {
-        {Protocol::OpenVpn, "OpenVPN"},
-        {Protocol::ShadowSocks, "ShadowSocks"},
-        {Protocol::Cloak, "Cloak"},
-        {Protocol::WireGuard, "WireGuard"},
-        {Protocol::Ikev2, "IKEv2"},
-        {Protocol::L2tp, "L2TP"},
+        {Proto::OpenVpn, "OpenVPN"},
+        {Proto::ShadowSocks, "ShadowSocks"},
+        {Proto::Cloak, "Cloak"},
+        {Proto::WireGuard, "WireGuard"},
+        {Proto::Ikev2, "IKEv2"},
+        {Proto::L2tp, "L2TP"},
 
-        {Protocol::TorWebSite, "Web site in TOR network"},
-        {Protocol::Dns, "DNS Service"},
-        {Protocol::FileShare, "File Sharing Service"},
-        {Protocol::Sftp, QObject::tr("Sftp service")}
+        {Proto::TorWebSite, "Web site in TOR network"},
+        {Proto::Dns, "DNS Service"},
+        {Proto::FileShare, "File Sharing Service"},
+        {Proto::Sftp, QObject::tr("Sftp service")}
     };
 }
 
-QMap<amnezia::Protocol, QString> ProtocolProps::protocolDescriptions()
+QMap<amnezia::Proto, QString> ProtocolProps::protocolDescriptions()
 {
     return {};
 }
 
-amnezia::ServiceType ProtocolProps::protocolService(Protocol p)
+amnezia::ServiceType ProtocolProps::protocolService(Proto p)
 {
     switch (p) {
-    case Protocol::Any :          return ServiceType::None;
-    case Protocol::OpenVpn :      return ServiceType::Vpn;
-    case Protocol::Cloak :        return ServiceType::Vpn;
-    case Protocol::ShadowSocks :  return ServiceType::Vpn;
-    case Protocol::WireGuard :    return ServiceType::Vpn;
-    case Protocol::TorWebSite :      return ServiceType::Other;
-    case Protocol::Dns :          return ServiceType::Other;
-    case Protocol::FileShare :    return ServiceType::Other;
+    case Proto::Any :          return ServiceType::None;
+    case Proto::OpenVpn :      return ServiceType::Vpn;
+    case Proto::Cloak :        return ServiceType::Vpn;
+    case Proto::ShadowSocks :  return ServiceType::Vpn;
+    case Proto::WireGuard :    return ServiceType::Vpn;
+    case Proto::TorWebSite :      return ServiceType::Other;
+    case Proto::Dns :          return ServiceType::Other;
+    case Proto::FileShare :    return ServiceType::Other;
     default:                      return ServiceType::Other;
     }
 }
 
-int ProtocolProps::defaultPort(Protocol p)
+int ProtocolProps::defaultPort(Proto p)
 {
     switch (p) {
-    case Protocol::Any :          return -1;
-    case Protocol::OpenVpn :      return 1194;
-    case Protocol::Cloak :        return 443;
-    case Protocol::ShadowSocks :  return 6789;
-    case Protocol::WireGuard :    return 51820;
-    case Protocol::Ikev2 :        return -1;
-    case Protocol::L2tp :         return -1;
+    case Proto::Any :          return -1;
+    case Proto::OpenVpn :      return 1194;
+    case Proto::Cloak :        return 443;
+    case Proto::ShadowSocks :  return 6789;
+    case Proto::WireGuard :    return 51820;
+    case Proto::Ikev2 :        return -1;
+    case Proto::L2tp :         return -1;
 
-    case Protocol::TorWebSite :   return -1;
-    case Protocol::Dns :          return 53;
-    case Protocol::FileShare :    return 139;
-    case Protocol::Sftp :         return 222;
+    case Proto::TorWebSite :   return -1;
+    case Proto::Dns :          return 53;
+    case Proto::FileShare :    return 139;
+    case Proto::Sftp :         return 222;
     default:                      return -1;
     }
 }
 
-bool ProtocolProps::defaultPortChangeable(Protocol p)
+bool ProtocolProps::defaultPortChangeable(Proto p)
 {
     switch (p) {
-    case Protocol::Any :          return false;
-    case Protocol::OpenVpn :      return true;
-    case Protocol::Cloak :        return true;
-    case Protocol::ShadowSocks :  return true;
-    case Protocol::WireGuard :    return true;
-    case Protocol::Ikev2 :        return false;
-    case Protocol::L2tp :         return false;
+    case Proto::Any :          return false;
+    case Proto::OpenVpn :      return true;
+    case Proto::Cloak :        return true;
+    case Proto::ShadowSocks :  return true;
+    case Proto::WireGuard :    return true;
+    case Proto::Ikev2 :        return false;
+    case Proto::L2tp :         return false;
 
 
-    case Protocol::TorWebSite :   return true;
-    case Protocol::Dns :          return false;
-    case Protocol::FileShare :    return false;
+    case Proto::TorWebSite :   return true;
+    case Proto::Dns :          return false;
+    case Proto::FileShare :    return false;
     default:                      return -1;
     }
 }
 
-TransportProto ProtocolProps::defaultTransportProto(Protocol p)
+TransportProto ProtocolProps::defaultTransportProto(Proto p)
 {
     switch (p) {
-    case Protocol::Any :          return TransportProto::Udp;
-    case Protocol::OpenVpn :      return TransportProto::Udp;
-    case Protocol::Cloak :        return TransportProto::Tcp;
-    case Protocol::ShadowSocks :  return TransportProto::Tcp;
-    case Protocol::WireGuard :    return TransportProto::Udp;
-    case Protocol::Ikev2 :        return TransportProto::Udp;
-    case Protocol::L2tp :         return TransportProto::Udp;
+    case Proto::Any :          return TransportProto::Udp;
+    case Proto::OpenVpn :      return TransportProto::Udp;
+    case Proto::Cloak :        return TransportProto::Tcp;
+    case Proto::ShadowSocks :  return TransportProto::Tcp;
+    case Proto::WireGuard :    return TransportProto::Udp;
+    case Proto::Ikev2 :        return TransportProto::Udp;
+    case Proto::L2tp :         return TransportProto::Udp;
     // non-vpn
-    case Protocol::TorWebSite :   return TransportProto::Tcp;
-    case Protocol::Dns :          return TransportProto::Udp;
-    case Protocol::FileShare :    return TransportProto::Udp;
-    case Protocol::Sftp :         return TransportProto::Tcp;
+    case Proto::TorWebSite :   return TransportProto::Tcp;
+    case Proto::Dns :          return TransportProto::Udp;
+    case Proto::FileShare :    return TransportProto::Udp;
+    case Proto::Sftp :         return TransportProto::Tcp;
     }
 }
 
-bool ProtocolProps::defaultTransportProtoChangeable(Protocol p)
+bool ProtocolProps::defaultTransportProtoChangeable(Proto p)
 {
     switch (p) {
-    case Protocol::Any :          return false;
-    case Protocol::OpenVpn :      return true;
-    case Protocol::Cloak :        return false;
-    case Protocol::ShadowSocks :  return false;
-    case Protocol::WireGuard :    return false;
-    case Protocol::Ikev2 :        return false;
-    case Protocol::L2tp :         return false;
+    case Proto::Any :          return false;
+    case Proto::OpenVpn :      return true;
+    case Proto::Cloak :        return false;
+    case Proto::ShadowSocks :  return false;
+    case Proto::WireGuard :    return false;
+    case Proto::Ikev2 :        return false;
+    case Proto::L2tp :         return false;
     // non-vpn
-    case Protocol::TorWebSite :   return false;
-    case Protocol::Dns :          return false;
-    case Protocol::FileShare :    return false;
-    case Protocol::Sftp :         return false;
+    case Proto::TorWebSite :   return false;
+    case Proto::Dns :          return false;
+    case Proto::FileShare :    return false;
+    case Proto::Sftp :         return false;
     default:                      return false;
     }
 }
 
-QString ProtocolProps::key_proto_config_data(Protocol p)
+QString ProtocolProps::key_proto_config_data(Proto p)
 {
     return protoToString(p) + "_config_data";
 }
 
-QString ProtocolProps::key_proto_config_path(Protocol p)
+QString ProtocolProps::key_proto_config_path(Proto p)
 {
     return protoToString(p) + "_config_path";
 }
diff --git a/client/protocols/protocols_defs.h b/client/protocols/protocols_defs.h
index 6715604d..6f8a201e 100644
--- a/client/protocols/protocols_defs.h
+++ b/client/protocols/protocols_defs.h
@@ -24,7 +24,7 @@ constexpr char containers[] = "containers";
 constexpr char container[] = "container";
 constexpr char defaultContainer[] = "defaultContainer";
 
-constexpr char protocol[] = "protocol";
+constexpr char vpnproto[] = "protocol";
 constexpr char protocols[] = "protocols";
 
 constexpr char remote[] = "remote";
@@ -121,7 +121,7 @@ enum TransportProto {
 };
 Q_ENUM_NS(TransportProto)
 
-enum Protocol {
+enum Proto {
     Any = 0,
     OpenVpn,
     ShadowSocks,
@@ -136,7 +136,7 @@ enum Protocol {
     FileShare,
     Sftp
 };
-Q_ENUM_NS(Protocol)
+Q_ENUM_NS(Proto)
 
 enum ServiceType {
     None = 0,
@@ -153,29 +153,29 @@ class ProtocolProps : public QObject
     Q_OBJECT
 
 public:
-    Q_INVOKABLE static QList<Protocol> allProtocols();
+    Q_INVOKABLE static QList<Proto> allProtocols();
 
     // spelling may differ for various protocols - TCP for OpenVPN, tcp for others
     Q_INVOKABLE static TransportProto transportProtoFromString(QString p);
-    Q_INVOKABLE static QString transportProtoToString(TransportProto proto, Protocol p = Protocol::Any);
+    Q_INVOKABLE static QString transportProtoToString(TransportProto proto, Proto p = Proto::Any);
 
-    Q_INVOKABLE static Protocol protoFromString(QString p);
-    Q_INVOKABLE static QString protoToString(Protocol p);
+    Q_INVOKABLE static Proto protoFromString(QString p);
+    Q_INVOKABLE static QString protoToString(Proto p);
 
-    Q_INVOKABLE static QMap<Protocol, QString> protocolHumanNames();
-    Q_INVOKABLE static QMap<Protocol, QString> protocolDescriptions();
+    Q_INVOKABLE static QMap<Proto, QString> protocolHumanNames();
+    Q_INVOKABLE static QMap<Proto, QString> protocolDescriptions();
 
-    Q_INVOKABLE static ServiceType protocolService(Protocol p);
+    Q_INVOKABLE static ServiceType protocolService(Proto p);
 
-    Q_INVOKABLE static int defaultPort(Protocol p);
-    Q_INVOKABLE static bool defaultPortChangeable(Protocol p);
+    Q_INVOKABLE static int defaultPort(Proto p);
+    Q_INVOKABLE static bool defaultPortChangeable(Proto p);
 
-    Q_INVOKABLE static TransportProto defaultTransportProto(Protocol p);
-    Q_INVOKABLE static bool defaultTransportProtoChangeable(Protocol p);
+    Q_INVOKABLE static TransportProto defaultTransportProto(Proto p);
+    Q_INVOKABLE static bool defaultTransportProtoChangeable(Proto p);
 
 
-    Q_INVOKABLE static QString key_proto_config_data(Protocol p);
-    Q_INVOKABLE static QString key_proto_config_path(Protocol p);
+    Q_INVOKABLE static QString key_proto_config_data(Proto p);
+    Q_INVOKABLE static QString key_proto_config_path(Proto p);
 
 };
 
@@ -207,6 +207,6 @@ static void declareQmlProtocolEnum() {
 
 } // namespace amnezia
 
-QDebug operator<<(QDebug debug, const amnezia::Protocol &p);
+QDebug operator<<(QDebug debug, const amnezia::Proto &p);
 
 #endif // PROTOCOLS_DEFS_H
diff --git a/client/protocols/shadowsocksvpnprotocol.cpp b/client/protocols/shadowsocksvpnprotocol.cpp
index 702a35d8..e2465c1f 100644
--- a/client/protocols/shadowsocksvpnprotocol.cpp
+++ b/client/protocols/shadowsocksvpnprotocol.cpp
@@ -75,7 +75,7 @@ ErrorCode ShadowSocksVpnProtocol::start()
     m_ssProcess.waitForStarted();
 
     if (m_ssProcess.state() == QProcess::ProcessState::Running) {
-        setConnectionState(ConnectionState::Connecting);
+        setConnectionState(VpnConnectionState::Connecting);
 
         return OpenVpnProtocol::start();
     }
@@ -112,5 +112,5 @@ QString ShadowSocksVpnProtocol::shadowSocksExecPath()
 
 void ShadowSocksVpnProtocol::readShadowSocksConfiguration(const QJsonObject &configuration)
 {
-    m_shadowSocksConfig = configuration.value(ProtocolProps::key_proto_config_data(Protocol::ShadowSocks)).toObject();
+    m_shadowSocksConfig = configuration.value(ProtocolProps::key_proto_config_data(Proto::ShadowSocks)).toObject();
 }
diff --git a/client/protocols/vpnprotocol.cpp b/client/protocols/vpnprotocol.cpp
index 34589e3c..5cea3a3b 100644
--- a/client/protocols/vpnprotocol.cpp
+++ b/client/protocols/vpnprotocol.cpp
@@ -15,7 +15,7 @@
 
 VpnProtocol::VpnProtocol(const QJsonObject &configuration, QObject* parent)
     : QObject(parent),
-      m_connectionState(ConnectionState::Unknown),
+      m_connectionState(VpnConnectionState::Unknown),
       m_rawConfig(configuration),
       m_timeoutTimer(new QTimer(this)),
       m_receivedBytes(0),
@@ -29,7 +29,7 @@ void VpnProtocol::setLastError(ErrorCode lastError)
 {
     m_lastError = lastError;
     if (lastError){
-        setConnectionState(ConnectionState::Error);
+        setConnectionState(VpnConnectionState::Error);
     }
     qCritical().noquote() << "VpnProtocol error, code" << m_lastError << errorString(m_lastError);
 }
@@ -57,7 +57,7 @@ void VpnProtocol::stopTimeoutTimer()
     m_timeoutTimer->stop();
 }
 
-VpnProtocol::ConnectionState VpnProtocol::connectionState() const
+VpnProtocol::VpnConnectionState VpnProtocol::connectionState() const
 {
     return m_connectionState;
 }
@@ -70,19 +70,19 @@ void VpnProtocol::setBytesChanged(quint64 receivedBytes, quint64 sentBytes)
     m_sentBytes = sentBytes;
 }
 
-void VpnProtocol::setConnectionState(VpnProtocol::ConnectionState state)
+void VpnProtocol::setConnectionState(VpnProtocol::VpnConnectionState state)
 {
     qDebug() << "VpnProtocol::setConnectionState" << textConnectionState(state);
 
     if (m_connectionState == state) {
         return;
     }
-    if (m_connectionState == ConnectionState::Disconnected && state == ConnectionState::Disconnecting) {
+    if (m_connectionState == VpnConnectionState::Disconnected && state == VpnConnectionState::Disconnecting) {
         return;
     }
 
     m_connectionState = state;
-    if (m_connectionState == ConnectionState::Disconnected) {
+    if (m_connectionState == VpnConnectionState::Disconnected) {
         m_receivedBytes = 0;
         m_sentBytes = 0;
     }
@@ -116,17 +116,17 @@ QString VpnProtocol::routeGateway() const
     return m_routeGateway;
 }
 
-QString VpnProtocol::textConnectionState(ConnectionState connectionState)
+QString VpnProtocol::textConnectionState(VpnConnectionState connectionState)
 {
     switch (connectionState) {
-    case ConnectionState::Unknown: return tr("Unknown");
-    case ConnectionState::Disconnected: return tr("Disconnected");
-    case ConnectionState::Preparing: return tr("Preparing");
-    case ConnectionState::Connecting: return tr("Connecting...");
-    case ConnectionState::Connected: return tr("Connected");
-    case ConnectionState::Disconnecting: return tr("Disconnecting...");
-    case ConnectionState::Reconnecting: return tr("Reconnecting...");
-    case ConnectionState::Error: return tr("Error");
+    case VpnConnectionState::Unknown: return tr("Unknown");
+    case VpnConnectionState::Disconnected: return tr("Disconnected");
+    case VpnConnectionState::Preparing: return tr("Preparing");
+    case VpnConnectionState::Connecting: return tr("Connecting...");
+    case VpnConnectionState::Connected: return tr("Connected");
+    case VpnConnectionState::Disconnecting: return tr("Disconnecting...");
+    case VpnConnectionState::Reconnecting: return tr("Reconnecting...");
+    case VpnConnectionState::Error: return tr("Error");
     default:
         ;
     }
@@ -141,10 +141,10 @@ QString VpnProtocol::textConnectionState() const
 
 bool VpnProtocol::isConnected() const
 {
-    return m_connectionState == ConnectionState::Connected;
+    return m_connectionState == VpnConnectionState::Connected;
 }
 
 bool VpnProtocol::isDisconnected() const
 {
-    return m_connectionState == ConnectionState::Disconnected;
+    return m_connectionState == VpnConnectionState::Disconnected;
 }
diff --git a/client/protocols/vpnprotocol.h b/client/protocols/vpnprotocol.h
index 6db5e29e..4b6876d5 100644
--- a/client/protocols/vpnprotocol.h
+++ b/client/protocols/vpnprotocol.h
@@ -20,10 +20,10 @@ public:
     explicit VpnProtocol(const QJsonObject& configuration, QObject* parent = nullptr);
     virtual ~VpnProtocol() override = default;
 
-    enum ConnectionState {Unknown, Disconnected, Preparing, Connecting, Connected, Disconnecting, Reconnecting, Error};
-    Q_ENUM(ConnectionState)
+    enum VpnConnectionState {Unknown, Disconnected, Preparing, Connecting, Connected, Disconnecting, Reconnecting, Error};
+    Q_ENUM(VpnConnectionState)
 
-    static QString textConnectionState(ConnectionState connectionState);
+    static QString textConnectionState(VpnConnectionState connectionState);
 
     virtual ErrorCode prepare() { return ErrorCode::NoError; }
 
@@ -32,7 +32,7 @@ public:
     virtual ErrorCode start() = 0;
     virtual void stop() = 0;
 
-    ConnectionState connectionState() const;
+    VpnConnectionState connectionState() const;
     ErrorCode lastError() const;
     QString textConnectionState() const;
     void setLastError(ErrorCode lastError);
@@ -44,7 +44,7 @@ public:
 
 signals:
     void bytesChanged(quint64 receivedBytes, quint64 sentBytes);
-    void connectionStateChanged(VpnProtocol::ConnectionState state);
+    void connectionStateChanged(VpnProtocol::VpnConnectionState state);
     void timeoutTimerEvent();
     void protocolError(amnezia::ErrorCode e);
 
@@ -52,13 +52,14 @@ public slots:
     virtual void onTimeout(); // todo: remove?
 
     void setBytesChanged(quint64 receivedBytes, quint64 sentBytes);
-    void setConnectionState(VpnProtocol::ConnectionState state);
+    void setConnectionState(VpnProtocol::VpnConnectionState state);
 
 protected:
     void startTimeoutTimer();
     void stopTimeoutTimer();
 
-    ConnectionState m_connectionState;
+    VpnConnectionState m_connectionState;
+
     QString m_routeGateway;
     QString m_vpnLocalAddress;
     QString m_vpnGateway;
diff --git a/client/protocols/wireguardprotocol.cpp b/client/protocols/wireguardprotocol.cpp
index d08843e7..d650cb3f 100644
--- a/client/protocols/wireguardprotocol.cpp
+++ b/client/protocols/wireguardprotocol.cpp
@@ -61,7 +61,7 @@ void WireguardProtocol::stop()
 
     connect(m_wireguardStopProcess.data(), &PrivilegedProcess::errorOccurred, this, [this](QProcess::ProcessError error) {
         qDebug() << "WireguardProtocol::WireguardProtocol Stop errorOccurred" << error;
-        setConnectionState(ConnectionState::Disconnected);
+        setConnectionState(VpnConnectionState::Disconnected);
     });
 
     connect(m_wireguardStopProcess.data(), &PrivilegedProcess::stateChanged, this, [this](QProcess::ProcessState newState) {
@@ -79,7 +79,7 @@ void WireguardProtocol::stop()
 
 void WireguardProtocol::readWireguardConfiguration(const QJsonObject &configuration)
 {
-    QJsonObject jConfig = configuration.value(ProtocolProps::key_proto_config_data(Protocol::WireGuard)).toObject();
+    QJsonObject jConfig = configuration.value(ProtocolProps::key_proto_config_data(Proto::WireGuard)).toObject();
 
     if (!m_configFile.open(QIODevice::WriteOnly | QIODevice::Truncate)) {
         qCritical() << "Failed to save wireguard config to" << m_configFile.fileName();
@@ -93,7 +93,7 @@ void WireguardProtocol::readWireguardConfiguration(const QJsonObject &configurat
     m_configFileName = m_configFile.fileName();
 
     qDebug().noquote() << QString("Set config data") << m_configFileName;
-    qDebug().noquote() << QString("Set config data") << configuration.value(ProtocolProps::key_proto_config_data(Protocol::WireGuard)).toString().toUtf8();
+    qDebug().noquote() << QString("Set config data") << configuration.value(ProtocolProps::key_proto_config_data(Proto::WireGuard)).toString().toUtf8();
 
 }
 
@@ -151,7 +151,7 @@ ErrorCode WireguardProtocol::start()
         return lastError();
     }
 
-    setConnectionState(ConnectionState::Connecting);
+    setConnectionState(VpnConnectionState::Connecting);
 
     m_wireguardStartProcess = IpcClient::CreatePrivilegedProcess();
 
@@ -178,7 +178,7 @@ ErrorCode WireguardProtocol::start()
 
     connect(m_wireguardStartProcess.data(), &PrivilegedProcess::errorOccurred, this, [this](QProcess::ProcessError error) {
         qDebug() << "WireguardProtocol::WireguardProtocol errorOccurred" << error;
-        setConnectionState(ConnectionState::Disconnected);
+        setConnectionState(VpnConnectionState::Disconnected);
     });
 
     connect(m_wireguardStartProcess.data(), &PrivilegedProcess::stateChanged, this, [this](QProcess::ProcessState newState) {
@@ -186,7 +186,7 @@ ErrorCode WireguardProtocol::start()
     });
 
     connect(m_wireguardStartProcess.data(), &PrivilegedProcess::finished, this, [this]() {
-        setConnectionState(ConnectionState::Connected);
+        setConnectionState(VpnConnectionState::Connected);
     });
 
     connect(m_wireguardStartProcess.data(), &PrivilegedProcess::readyRead, this, [this]() {
diff --git a/client/scripts/commons.sh b/client/scripts/commons.sh
new file mode 100644
index 00000000..13ff5703
--- /dev/null
+++ b/client/scripts/commons.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+printv() {
+  if [ -t 1 ]; then
+    NCOLORS=$(tput colors)
+
+    if test -n "$NCOLORS" && test "$NCOLORS" -ge 8; then
+      NORMAL="$(tput sgr0)"
+      RED="$(tput setaf 1)"
+      GREEN="$(tput setaf 2)"
+      YELLOW="$(tput setaf 3)"
+    fi
+  fi
+
+  if [[ $2 = 'G' ]]; then
+    # shellcheck disable=SC2086
+    echo $1 -e "${GREEN}$3${NORMAL}"
+  elif [[ $2 = 'Y' ]]; then
+    # shellcheck disable=SC2086
+    echo $1 -e "${YELLOW}$3${NORMAL}"
+  elif [[ $2 = 'N' ]]; then
+    # shellcheck disable=SC2086
+    echo $1 -e "$3"
+  else
+    # shellcheck disable=SC2086
+    echo $1 -e "${RED}$3${NORMAL}"
+  fi
+}
+
+print() {
+  printv '' "$1" "$2"
+}
+
+printn() {
+  printv "-n" "$1" "$2"
+}
+
+error() {
+  printv '' R "$1"
+}
+
+die() {
+  if [[ "$1" ]]; then
+    error "$1"
+  else
+    error Failed
+  fi
+
+  exit 1
+}
+
diff --git a/client/scripts/ios_compile.sh b/client/scripts/ios_compile.sh
new file mode 100755
index 00000000..fcce7649
--- /dev/null
+++ b/client/scripts/ios_compile.sh
@@ -0,0 +1,226 @@
+#!/bin/bash
+
+
+. $(dirname $0)/commons.sh
+
+if [ -f .env ]; then
+  . .env
+fi
+
+RELEASE=1
+OS=
+NETWORKEXTENSION=
+ADJUST_SDK_TOKEN=
+ADJUST="CONFIG-=adjust"
+
+helpFunction() {
+  print G "Usage:"
+  print N "\t$0 <ios> [-d|--debug] [-n|--networkextension] [-a|--adjusttoken <adjust_token>]"
+  print N ""
+  print N "By default, the project is compiled in release mode. Use -d or --debug for a debug build."
+  print N "Use -n or --networkextension to force the network-extension component for MacOS too."
+  print N ""
+  print N "If MVPN_IOS_ADJUST_TOKEN env is found, this will be used at compilation time."
+  print N ""
+  print G "Config variables:"
+  print N "\tQT_MACOS_BIN=</path/of/the/qt/bin/folder/for/macos>"
+  print N "\tQT_IOS_BIN=</path/of/the/qt/bin/folder/for/ios>"
+  print N "\tMVPN_IOS_ADJUST_TOKEN=<token>"
+  print N ""
+  exit 0
+}
+
+print N "This script compiles AmneziaVPN for MacOS/iOS"
+print N ""
+
+while [[ $# -gt 0 ]]; do
+  key="$1"
+
+  case $key in
+  -a | --adjusttoken)
+    ADJUST_SDK_TOKEN="$2"
+    shift
+    shift
+    ;;
+  -d | --debug)
+    RELEASE=
+    shift
+    ;;
+  -n | --networkextension)
+    NETWORKEXTENSION=1
+    shift
+    ;;
+  -h | --help)
+    helpFunction
+    ;;
+  *)
+    if [[ "$OS" ]]; then
+      helpFunction
+    fi
+
+    OS=$1
+    shift
+    ;;
+  esac
+done
+
+fetch() {
+  if command -v "wget" &>/dev/null; then
+    wget -nc -O "$2" "$1"
+    return
+  fi
+
+  if command -v "curl" &>/dev/null; then
+    curl "$1" -o "$2" -s -L
+    return
+  fi
+
+  die "You must have 'wget' or 'curl' installed."
+}
+
+sha256() {
+  if command -v "sha256sum" &>/dev/null; then
+    sha256sum "$1"
+    return 0
+  fi
+
+  if command -v "openssl" &>/dev/null; then
+    openssl dgst -sha256 "$1"
+    return 0
+  fi
+
+  die "You must have 'sha256sum' or 'openssl' installed."
+}
+
+if [[ "$OS" != "macos" ]] && [[ "$OS" != "ios" ]] && [[ "$OS" != "macostest" ]]; then
+  helpFunction
+fi
+
+if ! [[ "$ADJUST_SDK_TOKEN" ]] && [[ "$MVPN_IOS_ADJUST_TOKEN" ]]; then
+  print Y "Using the MVPN_IOS_ADJUST_TOKEN value for the adjust token"
+  ADJUST_SDK_TOKEN=$MVPN_IOS_ADJUST_TOKEN
+fi
+
+if [[ "$OS" == "ios" ]]; then
+  # Network-extension is the default for IOS
+  NETWORKEXTENSION=1
+fi
+
+if ! [ -d "ios" ] || ! [ -d "macos" ]; then
+  die "This script must be executed at the root of the repository."
+fi
+
+QMAKE=qmake
+if [ "$OS" = "macos" ] && ! [ "$QT_MACOS_BIN" = "" ]; then
+  QMAKE=$QT_MACOS_BIN/qmake
+elif [ "$OS" = "macostest" ] && ! [ "$QT_MACOS_BIN" = "" ]; then
+  QMAKE=$QT_MACOS_BIN/qmake
+elif [ "$OS" = "ios" ] && ! [ "$QT_IOS_BIN" = "" ]; then
+  QMAKE=$QT_IOS_BIN/qmake
+fi
+
+$QMAKE -v &>/dev/null || die "qmake doesn't exist or it fails"
+
+printn Y "Retrieve the wireguard-go version... "
+(cd macos/gobridge && go list -m golang.zx2c4.com/wireguard | sed -n 's/.*v\([0-9.]*\).*/#define WIREGUARD_GO_VERSION "\1"/p') > macos/gobridge/wireguard-go-version.h
+print G "done."
+
+printn Y "Cleaning the existing project... "
+rm -rf mozillavpn.xcodeproj/ || die "Failed to remove things"
+print G "done."
+
+#print Y "Importing translation files..."
+#git submodule update --remote --depth 1 i18n || die "Failed to fetch newest translation files"
+#python scripts/importLanguages.py $([[ "$OS" = "macos" ]] && echo "-m" || echo "") || die "Failed to import languages"
+#
+#print Y "Generating glean samples..."
+#python scripts/generate_glean.py || die "Failed to generate glean samples"
+
+printn Y "Extract the project version... "
+SHORTVERSION=$(cat version.pri | grep VERSION | grep defined | cut -d= -f2 | tr -d \ )
+FULLVERSION=$(echo $SHORTVERSION | cut -d. -f1).$(date +"%Y%m%d%H%M")
+print G "$SHORTVERSION - $FULLVERSION"
+
+MACOS_FLAGS="
+  QTPLUGIN+=qsvg
+  CONFIG-=static
+  CONFIG+=balrog
+  MVPN_MACOS=1
+"
+
+MACOSTEST_FLAGS="
+  QTPLUGIN+=qsvg
+  CONFIG-=static
+  CONFIG+=DUMMY
+"
+
+IOS_FLAGS="
+  MVPN_IOS=1
+  Q_OS_IOS=1
+"
+
+printn Y "Mode: "
+if [[ "$RELEASE" ]]; then
+  print G "release"
+  MODE="CONFIG-=debug CONFIG+=release CONFIG-=debug_and_release"
+else
+  print G "debug"
+  MODE="CONFIG+=debug CONFIG-=release CONFIG-=debug_and_release"
+fi
+
+OSRUBY=$OS
+printn Y "OS: "
+print G "$OS"
+if [ "$OS" = "macos" ]; then
+  PLATFORM=$MACOS_FLAGS
+elif [ "$OS" = "macostest" ]; then
+  OSRUBY=macos
+  PLATFORM=$MACOSTEST_FLAGS
+elif [ "$OS" = "ios" ]; then
+  PLATFORM=$IOS_FLAGS
+  if [[ "$ADJUST_SDK_TOKEN"  ]]; then
+    printn Y "ADJUST_SDK_TOKEN: "
+    print G "$ADJUST_SDK_TOKEN"
+    ADJUST="CONFIG+=adjust"
+  fi
+else
+  die "Why we are here?"
+fi
+
+VPNMODE=
+printn Y "VPN mode: "
+if [[ "$NETWORKEXTENSION" ]]; then
+  print G network-extension
+  VPNMODE="CONFIG+=networkextension"
+else
+  print G daemon
+fi
+
+printn Y "Web-Extension: "
+WEMODE=
+if [ "$OS" = "macos" ]; then
+  print G web-extension
+  WEMODE="CONFIG+=webextension"
+else
+  print G none
+fi
+
+print Y "Creating the xcode project via qmake..."
+$QMAKE \
+  VERSION=$SHORTVERSION \
+  BUILD_ID=$FULLVERSION \
+  -spec macx-xcode \
+  $MODE \
+  $VPNMODE \
+  $WEMODE \
+  $PLATFORM \
+  $ADJUST \
+  ./client.pro || die "Compilation failed"
+
+print Y "Patching the xcode project..."
+ruby scripts/xcode_patcher.rb "AmneziaVPN.xcodeproj" "$SHORTVERSION" "$FULLVERSION" "$OSRUBY" "$NETWORKEXTENSION" "$ADJUST_SDK_TOKEN" || die "Failed to merge xcode with wireguard"
+print G "done."
+
+print Y "Opening in XCode..."
+open AmneziaVPN.xcodeproj
+print G "All done!"
diff --git a/client/scripts/xcode_patcher.rb b/client/scripts/xcode_patcher.rb
new file mode 100644
index 00000000..d950c886
--- /dev/null
+++ b/client/scripts/xcode_patcher.rb
@@ -0,0 +1,664 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+require 'xcodeproj'
+
+class XCodeprojPatcher
+  attr :project
+  attr :target_main
+  attr :target_extension
+
+  def run(file, shortVersion, fullVersion, platform, networkExtension, configHash, adjust_sdk_token)
+    open_project file
+    open_target_main
+
+    die 'IOS requires networkExtension mode' if not networkExtension and platform == 'ios'
+
+    group = @project.main_group.new_group('Configuration')
+    @configFile = group.new_file('xcode.xconfig')
+
+    setup_target_main shortVersion, fullVersion, platform, networkExtension, configHash, adjust_sdk_token
+
+#    if platform == 'macos'
+#      setup_target_loginitem shortVersion, fullVersion, configHash
+#      setup_target_nativemessaging shortVersion, fullVersion, configHash
+#    end
+
+
+    if networkExtension
+      setup_target_extension shortVersion, fullVersion, platform, configHash
+      setup_target_gobridge
+    else
+      setup_target_wireguardgo
+      setup_target_wireguardtools
+    end
+
+    setup_target_balrog if platform == 'macos'
+
+    @project.save
+  end
+
+  def open_project(file)
+    @project = Xcodeproj::Project.open(file)
+    die 'Failed to open the project file: ' + file if @project.nil?
+  end
+
+  def open_target_main
+    @target_main = @project.targets.find { |target| target.to_s == 'AmneziaVPN' }
+    return @target_main if not @target_main.nil?
+
+    die 'Unable to open AmneziaVPN target'
+  end
+
+  def setup_target_main(shortVersion, fullVersion, platform, networkExtension, configHash, adjust_sdk_token)
+    @target_main.build_configurations.each do |config|
+      config.base_configuration_reference = @configFile
+
+      config.build_settings['LD_RUNPATH_SEARCH_PATHS'] ||= '"$(inherited) @executable_path/../Frameworks"'
+      config.build_settings['SWIFT_VERSION'] ||= '5.0'
+      config.build_settings['CLANG_ENABLE_MODULES'] ||= 'YES'
+      config.build_settings['SWIFT_OBJC_BRIDGING_HEADER'] ||= 'macos/app/WireGuard-Bridging-Header.h'
+      config.build_settings['FRAMEWORK_SEARCH_PATHS'] ||= [
+        "$(inherited)",
+        "$(PROJECT_DIR)/3rd"
+      ]
+
+      # Versions and names
+      config.build_settings['MARKETING_VERSION'] ||= shortVersion
+      config.build_settings['CURRENT_PROJECT_VERSION'] ||= fullVersion
+      config.build_settings['PRODUCT_BUNDLE_IDENTIFIER'] = configHash['APP_ID_MACOS'] if platform == 'macos'
+      config.build_settings['PRODUCT_BUNDLE_IDENTIFIER'] = configHash['APP_ID_IOS'] if platform == 'ios'
+      config.build_settings['PRODUCT_NAME'] = 'AmneziaVPN'
+
+      # other config
+      config.build_settings['INFOPLIST_FILE'] ||= platform + '/app/Info.plist'
+      if platform == 'ios'
+        config.build_settings['CODE_SIGN_ENTITLEMENTS'] ||= 'ios/app/main.entitlements'
+        if adjust_sdk_token != ""
+          config.build_settings['ADJUST_SDK_TOKEN'] = adjust_sdk_token
+        end
+      elsif networkExtension
+        config.build_settings['CODE_SIGN_ENTITLEMENTS'] ||= 'macos/app/app.entitlements'
+      else
+        config.build_settings['CODE_SIGN_ENTITLEMENTS'] ||= 'macos/app/daemon.entitlements'
+      end
+
+      config.build_settings['CODE_SIGN_IDENTITY'] ||= 'Apple Development'
+      config.build_settings['ENABLE_BITCODE'] ||= 'NO' if platform == 'ios'
+      config.build_settings['SDKROOT'] = 'iphoneos' if platform == 'ios'
+      config.build_settings['SWIFT_PRECOMPILE_BRIDGING_HEADER'] = 'NO' if platform == 'ios'
+
+      groupId = "";
+      if (platform == 'macos')
+        groupId = configHash['DEVELOPMENT_TEAM'] + "." + configHash['GROUP_ID_MACOS']
+        config.build_settings['APP_ID_MACOS'] ||= configHash['APP_ID_MACOS']
+      else
+        groupId = configHash['GROUP_ID_IOS']
+        config.build_settings['GROUP_ID_IOS'] ||= configHash['GROUP_ID_IOS']
+        # Force xcode to not set QT_LIBRARY_SUFFIX to "_debug", which causes crash
+        config.build_settings['QT_LIBRARY_SUFFIX'] = ""
+      end
+
+      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= [
+        'GROUP_ID=\"' + groupId + '\"',
+        "VPN_NE_BUNDLEID=\\\"" + (platform == 'macos' ? configHash['NETEXT_ID_MACOS'] : configHash['NETEXT_ID_IOS']) + "\\\"",
+      ]
+
+      if config.name == 'Release'
+        config.build_settings['SWIFT_OPTIMIZATION_LEVEL'] ||= '-Onone'
+      end
+    end
+
+    if networkExtension
+      # WireGuard group
+      group = @project.main_group.new_group('WireGuard')
+
+      [
+        'macos/gobridge/wireguard-go-version.h',
+        '3rd/wireguard-apple/Sources/Shared/Keychain.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKit/IPAddressRange.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKit/InterfaceConfiguration.swift',
+        '3rd/wireguard-apple/Sources/Shared/Model/NETunnelProviderProtocol+Extension.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKit/TunnelConfiguration.swift',
+        '3rd/wireguard-apple/Sources/Shared/Model/TunnelConfiguration+WgQuickConfig.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKit/Endpoint.swift',
+        '3rd/wireguard-apple/Sources/Shared/Model/String+ArrayConversion.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKit/PeerConfiguration.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKit/DNSServer.swift',
+        '3rd/wireguard-apple/Sources/WireGuardApp/LocalizationHelper.swift',
+        '3rd/wireguard-apple/Sources/Shared/FileManager+Extension.swift',
+        '3rd/wireguard-apple/Sources/WireGuardKitC/x25519.c',
+        '3rd/wireguard-apple/Sources/WireGuardKit/PrivateKey.swift',
+      ].each { |filename|
+        file = group.new_file(filename)
+        @target_main.add_file_references([file])
+      }
+
+      # @target_main + swift integration
+      group = @project.main_group.new_group('SwiftMainIntegration')
+
+      [
+        'platforms/ios/iosvpnprotocol.swift',
+        'platforms/ios/ioslogger.swift',
+      ].each { |filename|
+        file = group.new_file(filename)
+        @target_main.add_file_references([file])
+      }
+    end
+
+    if (platform == 'ios' && adjust_sdk_token != "")
+      frameworks_group = @project.groups.find { |group| group.display_name == 'Frameworks' }
+      frameworks_build_phase = @target_main.build_phases.find { |build_phase| build_phase.to_s == 'FrameworksBuildPhase' }
+
+      framework_ref = frameworks_group.new_file('AdServices.framework')
+      build_file = frameworks_build_phase.add_file_reference(framework_ref)
+      build_file.settings = { 'ATTRIBUTES' => ['Weak'] }
+
+      framework_ref = frameworks_group.new_file('iAd.framework')
+      frameworks_build_phase.add_file_reference(framework_ref)
+
+      # Adjust SDK
+      group = @project.main_group.new_group('AdjustSDK')
+
+      [
+        '3rd/adjust-ios-sdk/Adjust/ADJActivityHandler.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJActivityKind.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJActivityPackage.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJActivityState.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJAdjustFactory.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJAdRevenue.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJAttribution.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJAttributionHandler.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJBackoffStrategy.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJAdditions/NSData+ADJAdditions.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJAdditions/NSNumber+ADJAdditions.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJAdditions/NSString+ADJAdditions.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJConfig.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJEvent.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJEventFailure.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJEventSuccess.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJLinkResolution.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJLogger.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJPackageBuilder.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJPackageHandler.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJPackageParams.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJRequestHandler.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJResponseData.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJSdkClickHandler.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJSessionFailure.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJSessionParameters.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJSessionSuccess.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJSubscription.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJThirdPartySharing.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJTimerCycle.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJTimerOnce.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJUrlStrategy.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJUserDefaults.h',
+        '3rd/adjust-ios-sdk/Adjust/Adjust.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJUtil.h',
+        '3rd/adjust-ios-sdk/Adjust/ADJActivityHandler.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJActivityKind.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJActivityPackage.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJActivityState.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJAdjustFactory.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJAdRevenue.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJAttribution.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJAttributionHandler.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJBackoffStrategy.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJAdditions/NSData+ADJAdditions.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJAdditions/NSNumber+ADJAdditions.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJAdditions/NSString+ADJAdditions.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJConfig.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJEvent.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJEventFailure.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJEventSuccess.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJLinkResolution.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJLogger.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJPackageBuilder.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJPackageHandler.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJPackageParams.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJRequestHandler.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJResponseData.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJSdkClickHandler.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJSessionFailure.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJSessionParameters.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJSessionSuccess.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJSubscription.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJThirdPartySharing.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJTimerCycle.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJTimerOnce.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJUrlStrategy.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJUserDefaults.m',
+        '3rd/adjust-ios-sdk/Adjust/Adjust.m',
+        '3rd/adjust-ios-sdk/Adjust/ADJUtil.m',
+      ].each { |filename|
+        file = group.new_file(filename)
+        file_reference = @target_main.add_file_references([file], '-fobjc-arc')
+      }
+    end
+  end
+
+  def setup_target_extension(shortVersion, fullVersion, platform, configHash)
+    @target_extension = @project.new_target(:app_extension, 'WireGuardNetworkExtension', platform == 'macos' ? :osx : :ios)
+
+    @target_extension.build_configurations.each do |config|
+      config.base_configuration_reference = @configFile
+
+      config.build_settings['LD_RUNPATH_SEARCH_PATHS'] ||= '"$(inherited) @executable_path/../Frameworks"'
+      config.build_settings['SWIFT_VERSION'] ||= '5.0'
+      config.build_settings['CLANG_ENABLE_MODULES'] ||= 'YES'
+      config.build_settings['SWIFT_OBJC_BRIDGING_HEADER'] ||= 'macos/networkextension/WireGuardNetworkExtension-Bridging-Header.h'
+      config.build_settings['SWIFT_PRECOMPILE_BRIDGING_HEADER'] = 'NO'
+      config.build_settings['APPLICATION_EXTENSION_API_ONLY'] = 'YES'
+
+      # Versions and names
+      config.build_settings['MARKETING_VERSION'] ||= shortVersion
+      config.build_settings['CURRENT_PROJECT_VERSION'] ||= fullVersion
+      config.build_settings['PRODUCT_BUNDLE_IDENTIFIER'] ||= configHash['NETEXT_ID_MACOS'] if platform == 'macos'
+      config.build_settings['PRODUCT_BUNDLE_IDENTIFIER'] ||= configHash['NETEXT_ID_IOS'] if platform == 'ios'
+      config.build_settings['PRODUCT_NAME'] = 'WireGuardNetworkExtension'
+
+      # other configs
+      config.build_settings['INFOPLIST_FILE'] ||= 'macos/networkextension/Info.plist'
+      config.build_settings['CODE_SIGN_ENTITLEMENTS'] ||= platform + '/networkextension/AmneziaVPNNetworkExtension.entitlements'
+      config.build_settings['CODE_SIGN_IDENTITY'] = 'Apple Development'
+
+      if platform == 'ios'
+        config.build_settings['ENABLE_BITCODE'] ||= 'NO'
+        config.build_settings['SDKROOT'] = 'iphoneos'
+
+        config.build_settings['OTHER_LDFLAGS'] ||= [
+          "-stdlib=libc++",
+          "-Wl,-rpath,@executable_path/Frameworks",
+          "-framework",
+          "AssetsLibrary",
+          "-framework",
+          "MobileCoreServices",
+          "-lm",
+          "-framework",
+          "UIKit",
+          "-lz",
+          "-framework",
+          "OpenGLES",
+        ]
+      end
+
+      groupId = "";
+      if (platform == 'macos')
+        groupId = configHash['DEVELOPMENT_TEAM'] + "." + configHash['GROUP_ID_MACOS']
+      else
+        groupId = configHash['GROUP_ID_IOS']
+      end
+
+      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= [
+        # This is needed to compile the iosglue without Qt.
+        'NETWORK_EXTENSION=1',
+        'GROUP_ID=\"' + groupId + '\"',
+      ]
+
+      if config.name == 'Release'
+        config.build_settings['SWIFT_OPTIMIZATION_LEVEL'] ||= '-Onone'
+      end
+
+    end
+
+    group = @project.main_group.new_group('WireGuardExtension')
+    [
+      '3rd/wireguard-apple/Sources/WireGuardKit/WireGuardAdapter.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/PacketTunnelSettingsGenerator.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/DNSResolver.swift',
+      '3rd/wireguard-apple/Sources/WireGuardNetworkExtension/ErrorNotifier.swift',
+      '3rd/wireguard-apple/Sources/Shared/Keychain.swift',
+      '3rd/wireguard-apple/Sources/Shared/Model/TunnelConfiguration+WgQuickConfig.swift',
+      '3rd/wireguard-apple/Sources/Shared/Model/NETunnelProviderProtocol+Extension.swift',
+      '3rd/wireguard-apple/Sources/Shared/Model/String+ArrayConversion.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/TunnelConfiguration.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/IPAddressRange.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/Endpoint.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/DNSServer.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/InterfaceConfiguration.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/PeerConfiguration.swift',
+      '3rd/wireguard-apple/Sources/Shared/FileManager+Extension.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKitC/x25519.c',
+      '3rd/wireguard-apple/Sources/WireGuardKit/Array+ConcurrentMap.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/IPAddress+AddrInfo.swift',
+      '3rd/wireguard-apple/Sources/WireGuardKit/PrivateKey.swift',
+    ].each { |filename|
+      file = group.new_file(filename)
+      @target_extension.add_file_references([file])
+    }
+    # @target_extension + swift integration
+    group = @project.main_group.new_group('SwiftExtensionIntegration')
+
+    [
+      'platforms/ios/iostunnel.swift',
+      'platforms/ios/iosglue.mm',
+      'platforms/ios/ioslogger.swift',
+    ].each { |filename|
+      file = group.new_file(filename)
+      @target_extension.add_file_references([file])
+    }
+
+    frameworks_group = @project.groups.find { |group| group.display_name == 'Frameworks' }
+    frameworks_build_phase = @target_extension.build_phases.find { |build_phase| build_phase.to_s == 'FrameworksBuildPhase' }
+
+    frameworks_build_phase.clear
+
+    framework_ref = frameworks_group.new_file('libwg-go.a')
+    frameworks_build_phase.add_file_reference(framework_ref)
+
+    framework_ref = frameworks_group.new_file('NetworkExtension.framework')
+    frameworks_build_phase.add_file_reference(framework_ref)
+
+    # This fails: @target_main.add_dependency @target_extension
+    container_proxy = @project.new(Xcodeproj::Project::PBXContainerItemProxy)
+    container_proxy.container_portal = @project.root_object.uuid
+    container_proxy.proxy_type = Xcodeproj::Constants::PROXY_TYPES[:native_target]
+    container_proxy.remote_global_id_string = @target_extension.uuid
+    container_proxy.remote_info = @target_extension.name
+
+    dependency = @project.new(Xcodeproj::Project::PBXTargetDependency)
+    dependency.name = @target_extension.name
+    dependency.target = @target_main
+    dependency.target_proxy = container_proxy
+
+    @target_main.dependencies << dependency
+
+    copy_appex = @target_main.new_copy_files_build_phase
+    copy_appex.name = 'Copy Network-Extension plugin'
+    copy_appex.symbol_dst_subfolder_spec = :plug_ins
+
+    appex_file = copy_appex.add_file_reference @target_extension.product_reference
+    appex_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy'] }
+  end
+
+  def setup_target_gobridge
+    target_gobridge = legacy_target = @project.new(Xcodeproj::Project::PBXLegacyTarget)
+
+    target_gobridge.build_working_directory = 'macos/gobridge'
+    target_gobridge.build_tool_path = 'make'
+    target_gobridge.pass_build_settings_in_environment = '1'
+    target_gobridge.build_arguments_string = '$(ACTION)'
+    target_gobridge.name = 'WireGuardGoBridge'
+    target_gobridge.product_name = 'WireGuardGoBridge'
+
+    @project.targets << target_gobridge
+    @target_extension.add_dependency target_gobridge
+  end
+
+  def setup_target_balrog
+    target_balrog = legacy_target = @project.new(Xcodeproj::Project::PBXLegacyTarget)
+
+    target_balrog.build_working_directory = 'balrog'
+    target_balrog.build_tool_path = 'make'
+    target_balrog.pass_build_settings_in_environment = '1'
+    target_balrog.build_arguments_string = '$(ACTION)'
+    target_balrog.name = 'WireGuardBalrog'
+    target_balrog.product_name = 'WireGuardBalrog'
+
+    @project.targets << target_balrog
+
+    frameworks_group = @project.groups.find { |group| group.display_name == 'Frameworks' }
+    frameworks_build_phase = @target_main.build_phases.find { |build_phase| build_phase.to_s == 'FrameworksBuildPhase' }
+
+    framework_ref = frameworks_group.new_file('balrog/balrog.a')
+    frameworks_build_phase.add_file_reference(framework_ref)
+
+    # This fails: @target_main.add_dependency target_balrog
+    container_proxy = @project.new(Xcodeproj::Project::PBXContainerItemProxy)
+    container_proxy.container_portal = @project.root_object.uuid
+    container_proxy.proxy_type = Xcodeproj::Constants::PROXY_TYPES[:native_target]
+    container_proxy.remote_global_id_string = target_balrog.uuid
+    container_proxy.remote_info = target_balrog.name
+
+    dependency = @project.new(Xcodeproj::Project::PBXTargetDependency)
+    dependency.name = target_balrog.name
+    dependency.target = @target_main
+    dependency.target_proxy = container_proxy
+
+    @target_main.dependencies << dependency
+  end
+
+  def setup_target_wireguardtools
+    target_wireguardtools = legacy_target = @project.new(Xcodeproj::Project::PBXLegacyTarget)
+
+    target_wireguardtools.build_working_directory = '3rd/wireguard-tools/src'
+    target_wireguardtools.build_tool_path = 'make'
+    target_wireguardtools.pass_build_settings_in_environment = '1'
+    target_wireguardtools.build_arguments_string = '$(ACTION)'
+    target_wireguardtools.name = 'WireGuardTools'
+    target_wireguardtools.product_name = 'WireGuardTools'
+
+    @project.targets << target_wireguardtools
+
+    # This fails: @target_main.add_dependency target_wireguardtools
+    container_proxy = @project.new(Xcodeproj::Project::PBXContainerItemProxy)
+    container_proxy.container_portal = @project.root_object.uuid
+    container_proxy.proxy_type = Xcodeproj::Constants::PROXY_TYPES[:native_target]
+    container_proxy.remote_global_id_string = target_wireguardtools.uuid
+    container_proxy.remote_info = target_wireguardtools.name
+
+    dependency = @project.new(Xcodeproj::Project::PBXTargetDependency)
+    dependency.name = target_wireguardtools.name
+    dependency.target = @target_main
+    dependency.target_proxy = container_proxy
+
+    @target_main.dependencies << dependency
+
+    copy_wireguardTools = @target_main.new_copy_files_build_phase
+    copy_wireguardTools.name = 'Copy wireguard-tools'
+    copy_wireguardTools.symbol_dst_subfolder_spec = :wrapper
+    copy_wireguardTools.dst_path = 'Contents/Resources/utils'
+
+    group = @project.main_group.new_group('WireGuardTools')
+    file = group.new_file '3rd/wireguard-tools/src/wg'
+
+    wireguardTools_file = copy_wireguardTools.add_file_reference file
+    wireguardTools_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy'] }
+  end
+
+  def setup_target_wireguardgo
+    target_wireguardgo = legacy_target = @project.new(Xcodeproj::Project::PBXLegacyTarget)
+
+    target_wireguardgo.build_working_directory = '3rd/wireguard-go'
+    target_wireguardgo.build_tool_path = 'make'
+    target_wireguardgo.pass_build_settings_in_environment = '1'
+    target_wireguardgo.build_arguments_string = '$(ACTION)'
+    target_wireguardgo.name = 'WireGuardGo'
+    target_wireguardgo.product_name = 'WireGuardGo'
+
+    @project.targets << target_wireguardgo
+
+    # This fails: @target_main.add_dependency target_wireguardgo
+    container_proxy = @project.new(Xcodeproj::Project::PBXContainerItemProxy)
+    container_proxy.container_portal = @project.root_object.uuid
+    container_proxy.proxy_type = Xcodeproj::Constants::PROXY_TYPES[:native_target]
+    container_proxy.remote_global_id_string = target_wireguardgo.uuid
+    container_proxy.remote_info = target_wireguardgo.name
+
+    dependency = @project.new(Xcodeproj::Project::PBXTargetDependency)
+    dependency.name = target_wireguardgo.name
+    dependency.target = @target_main
+    dependency.target_proxy = container_proxy
+
+    @target_main.dependencies << dependency
+
+    copy_wireguardGo = @target_main.new_copy_files_build_phase
+    copy_wireguardGo.name = 'Copy wireguard-go'
+    copy_wireguardGo.symbol_dst_subfolder_spec = :wrapper
+    copy_wireguardGo.dst_path = 'Contents/Resources/utils'
+
+    group = @project.main_group.new_group('WireGuardGo')
+    file = group.new_file '3rd/wireguard-go/wireguard-go'
+
+    wireguardGo_file = copy_wireguardGo.add_file_reference file
+    wireguardGo_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy'] }
+  end
+
+  def setup_target_loginitem(shortVersion, fullVersion, configHash)
+    @target_loginitem = @project.new_target(:application, 'AmneziaVPNLoginItem', :osx)
+
+    @target_loginitem.build_configurations.each do |config|
+      config.base_configuration_reference = @configFile
+
+      config.build_settings['LD_RUNPATH_SEARCH_PATHS'] ||= '"$(inherited) @executable_path/../Frameworks"'
+
+      # Versions and names
+      config.build_settings['MARKETING_VERSION'] ||= shortVersion
+      config.build_settings['CURRENT_PROJECT_VERSION'] ||= fullVersion
+      config.build_settings['PRODUCT_BUNDLE_IDENTIFIER'] ||= configHash['LOGIN_ID_MACOS']
+      config.build_settings['PRODUCT_NAME'] = 'AmneziaVPNLoginItem'
+
+      # other configs
+      config.build_settings['INFOPLIST_FILE'] ||= 'macos/loginitem/Info.plist'
+      config.build_settings['CODE_SIGN_ENTITLEMENTS'] ||= 'macos/loginitem/MozillaVPNLoginItem.entitlements'
+      config.build_settings['CODE_SIGN_IDENTITY'] = 'Apple Development'
+      config.build_settings['SKIP_INSTALL'] = 'YES'
+
+      config.build_settings['GCC_PREPROCESSOR_DEFINITIONS'] ||= [
+        'APP_ID=\"' + configHash['APP_ID_MACOS'] + '\"',
+      ]
+
+      if config.name == 'Release'
+        config.build_settings['SWIFT_OPTIMIZATION_LEVEL'] ||= '-Onone'
+      end
+    end
+
+    group = @project.main_group.new_group('LoginItem')
+    [
+      'macos/loginitem/main.m',
+    ].each { |filename|
+      file = group.new_file(filename)
+      @target_loginitem.add_file_references([file])
+    }
+
+    # This fails: @target_main.add_dependency @target_loginitem
+    container_proxy = @project.new(Xcodeproj::Project::PBXContainerItemProxy)
+    container_proxy.container_portal = @project.root_object.uuid
+    container_proxy.proxy_type = Xcodeproj::Constants::PROXY_TYPES[:native_target]
+    container_proxy.remote_global_id_string = @target_loginitem.uuid
+    container_proxy.remote_info = @target_loginitem.name
+
+    dependency = @project.new(Xcodeproj::Project::PBXTargetDependency)
+    dependency.name = @target_loginitem.name
+    dependency.target = @target_main
+    dependency.target_proxy = container_proxy
+
+    @target_main.dependencies << dependency
+
+    copy_app = @target_main.new_copy_files_build_phase
+    copy_app.name = 'Copy LoginItem'
+    copy_app.symbol_dst_subfolder_spec = :wrapper
+    copy_app.dst_path = 'Contents/Library/LoginItems'
+
+    app_file = copy_app.add_file_reference @target_loginitem.product_reference
+    app_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy'] }
+  end
+
+  def setup_target_nativemessaging(shortVersion, fullVersion, configHash)
+    @target_nativemessaging = @project.new_target(:application, 'AmneziaVPNNativeMessaging', :osx)
+
+    @target_nativemessaging.build_configurations.each do |config|
+      config.base_configuration_reference = @configFile
+
+      config.build_settings['LD_RUNPATH_SEARCH_PATHS'] ||= '"$(inherited) @executable_path/../Frameworks"'
+
+      # Versions and names
+      config.build_settings['MARKETING_VERSION'] ||= shortVersion
+      config.build_settings['CURRENT_PROJECT_VERSION'] ||= fullVersion
+      config.build_settings['PRODUCT_BUNDLE_IDENTIFIER'] ||= configHash['NATIVEMESSAGING_ID_MACOS']
+      config.build_settings['PRODUCT_NAME'] = 'AmneziaVPNNativeMessaging'
+
+      # other configs
+      config.build_settings['INFOPLIST_FILE'] ||= 'macos/nativeMessaging/Info.plist'
+      config.build_settings['CODE_SIGN_ENTITLEMENTS'] ||= 'macos/nativeMessaging/MozillaVPNNativeMessaging.entitlements'
+      config.build_settings['CODE_SIGN_IDENTITY'] = 'Apple Development'
+      config.build_settings['SKIP_INSTALL'] = 'YES'
+    end
+
+    group = @project.main_group.new_group('NativeMessaging')
+    [
+      'extension/app/constants.h',
+      'extension/app/handler.cpp',
+      'extension/app/handler.h',
+      'extension/app/json.hpp',
+      'extension/app/logger.cpp',
+      'extension/app/logger.h',
+      'extension/app/main.cpp',
+      'extension/app/vpnconnection.cpp',
+      'extension/app/vpnconnection.h',
+    ].each { |filename|
+      file = group.new_file(filename)
+      @target_nativemessaging.add_file_references([file])
+    }
+
+    # This fails: @target_main.add_dependency @target_nativemessaging
+    container_proxy = @project.new(Xcodeproj::Project::PBXContainerItemProxy)
+    container_proxy.container_portal = @project.root_object.uuid
+    container_proxy.proxy_type = Xcodeproj::Constants::PROXY_TYPES[:native_target]
+    container_proxy.remote_global_id_string = @target_nativemessaging.uuid
+    container_proxy.remote_info = @target_nativemessaging.name
+
+    dependency = @project.new(Xcodeproj::Project::PBXTargetDependency)
+    dependency.name = @target_nativemessaging.name
+    dependency.target = @target_main
+    dependency.target_proxy = container_proxy
+
+    @target_main.dependencies << dependency
+
+    copy_app = @target_main.new_copy_files_build_phase
+    copy_app.name = 'Copy LoginItem'
+    copy_app.symbol_dst_subfolder_spec = :wrapper
+    copy_app.dst_path = 'Contents/Library/NativeMessaging'
+
+    app_file = copy_app.add_file_reference @target_nativemessaging.product_reference
+    app_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy'] }
+
+    copy_nativeMessagingManifest = @target_main.new_copy_files_build_phase
+    copy_nativeMessagingManifest.name = 'Copy native messaging manifest'
+    copy_nativeMessagingManifest.symbol_dst_subfolder_spec = :wrapper
+    copy_nativeMessagingManifest.dst_path = 'Contents/Resources/utils'
+
+    group = @project.main_group.new_group('WireGuardHelper')
+    file = group.new_file 'extension/app/manifests/macos/mozillavpn.json'
+
+    nativeMessagingManifest_file = copy_nativeMessagingManifest.add_file_reference file
+    nativeMessagingManifest_file.settings = { "ATTRIBUTES" => ['RemoveHeadersOnCopy'] }
+  end
+
+  def die(msg)
+   print $msg
+   exit 1
+  end
+end
+
+if ARGV.length < 4 || (ARGV[3] != "ios" && ARGV[3] != "macos")
+  puts "Usage: <script> project_file shortVersion fullVersion ios/macos"
+  exit 1
+end
+
+if !File.exist?("xcode.xconfig")
+  puts "xcode.xconfig file is required! See the template file."
+  exit 1
+end
+
+config = Hash.new
+configFile = File.read("xcode.xconfig").split("\n")
+configFile.each { |line|
+  next if line[0] == "#"
+
+  if line.include? "="
+    keys = line.split("=")
+    config[keys[0].strip] = keys[1].strip
+  end
+}
+
+platform = "macos"
+platform = "ios" if ARGV[3] == "ios"
+networkExtension = true if ARGV[4] == "1"
+adjust_sdk_token = ARGV[5]
+
+r = XCodeprojPatcher.new
+r.run ARGV[0], ARGV[1], ARGV[2], platform, networkExtension, config, adjust_sdk_token
+exit 0
diff --git a/client/settings.cpp b/client/settings.cpp
index cf001fbe..ef4952dd 100644
--- a/client/settings.cpp
+++ b/client/settings.cpp
@@ -151,13 +151,13 @@ void Settings::removeContainerConfig(int serverIndex, DockerContainer container)
     setContainers(serverIndex, c);
 }
 
-QJsonObject Settings::protocolConfig(int serverIndex, DockerContainer container, Protocol proto)
+QJsonObject Settings::protocolConfig(int serverIndex, DockerContainer container, Proto proto)
 {
     const QJsonObject &c = containerConfig(serverIndex, container);
     return c.value(ProtocolProps::protoToString(proto)).toObject();
 }
 
-void Settings::setProtocolConfig(int serverIndex, DockerContainer container, Protocol proto, const QJsonObject &config)
+void Settings::setProtocolConfig(int serverIndex, DockerContainer container, Proto proto, const QJsonObject &config)
 {
     QJsonObject c = containerConfig(serverIndex, container);
     c.insert(ProtocolProps::protoToString(proto), config);
@@ -165,11 +165,11 @@ void Settings::setProtocolConfig(int serverIndex, DockerContainer container, Pro
     setContainerConfig(serverIndex, container, c);
 }
 
-void Settings::clearLastConnectionConfig(int serverIndex, DockerContainer container, Protocol proto)
+void Settings::clearLastConnectionConfig(int serverIndex, DockerContainer container, Proto proto)
 {
     // recursively remove
-    if (proto == Protocol::Any) {
-        for (Protocol p: ContainerProps::protocolsForContainer(container)) {
+    if (proto == Proto::Any) {
+        for (Proto p: ContainerProps::protocolsForContainer(container)) {
             clearLastConnectionConfig(serverIndex, container, p);
         }
         return;
diff --git a/client/settings.h b/client/settings.h
index 02c6e534..e70ce487 100644
--- a/client/settings.h
+++ b/client/settings.h
@@ -52,10 +52,10 @@ public:
     void setContainerConfig(int serverIndex, DockerContainer container, const QJsonObject &config);
     void removeContainerConfig(int serverIndex, DockerContainer container);
 
-    QJsonObject protocolConfig(int serverIndex, DockerContainer container, Protocol proto);
-    void setProtocolConfig(int serverIndex, DockerContainer container, Protocol proto, const QJsonObject &config);
+    QJsonObject protocolConfig(int serverIndex, DockerContainer container, Proto proto);
+    void setProtocolConfig(int serverIndex, DockerContainer container, Proto proto, const QJsonObject &config);
 
-    void clearLastConnectionConfig(int serverIndex, DockerContainer container, Protocol proto = Protocol::Any);
+    void clearLastConnectionConfig(int serverIndex, DockerContainer container, Proto proto = Proto::Any);
 
     bool haveAuthData(int serverIndex) const;
     QString nextAvailableServerName() const;
diff --git a/client/ui/models/protocols_model.cpp b/client/ui/models/protocols_model.cpp
index 7fe66dd0..76e5c623 100644
--- a/client/ui/models/protocols_model.cpp
+++ b/client/ui/models/protocols_model.cpp
@@ -28,7 +28,7 @@ QVariant ProtocolsModel::data(const QModelIndex &index, int role) const
         return QVariant();
     }
 
-    Protocol p = ProtocolProps::allProtocols().at(index.row());
+    Proto p = ProtocolProps::allProtocols().at(index.row());
     if (role == NameRole) {
         return ProtocolProps::protocolHumanNames().value(p);
     }
diff --git a/client/ui/notificationhandler.cpp b/client/ui/notificationhandler.cpp
index 8092c191..81f6430a 100644
--- a/client/ui/notificationhandler.cpp
+++ b/client/ui/notificationhandler.cpp
@@ -56,7 +56,7 @@ NotificationHandler::~NotificationHandler() {
     s_instance = nullptr;
 }
 
-void NotificationHandler::setConnectionState(VpnProtocol::ConnectionState state)
+void NotificationHandler::setConnectionState(VpnProtocol::VpnConnectionState state)
 {
     if (state != VpnProtocol::Connected && state != VpnProtocol::Disconnected) {
         return;
@@ -66,14 +66,14 @@ void NotificationHandler::setConnectionState(VpnProtocol::ConnectionState state)
     QString message;
 
     switch (state) {
-    case VpnProtocol::ConnectionState::Connected:
+    case VpnProtocol::VpnConnectionState::Connected:
         m_connected = true;
 
         title = tr("AmneziaVPN");
         message = tr("VPN Connected");
         break;
 
-    case VpnProtocol::ConnectionState::Disconnected:
+    case VpnProtocol::VpnConnectionState::Disconnected:
         if (m_connected) {
             m_connected = false;
             title = tr("AmneziaVPN");
diff --git a/client/ui/notificationhandler.h b/client/ui/notificationhandler.h
index 7b276d5c..b87e9575 100644
--- a/client/ui/notificationhandler.h
+++ b/client/ui/notificationhandler.h
@@ -31,7 +31,7 @@ public:
     void messageClickHandle();
 
 public slots:
-    virtual void setConnectionState(VpnProtocol::ConnectionState state);
+    virtual void setConnectionState(VpnProtocol::VpnConnectionState state);
 
 signals:
     void notificationShown(const QString& title, const QString& message);
diff --git a/client/ui/pages_logic/NewServerProtocolsLogic.cpp b/client/ui/pages_logic/NewServerProtocolsLogic.cpp
index 0deac81b..cabe1bc0 100644
--- a/client/ui/pages_logic/NewServerProtocolsLogic.cpp
+++ b/client/ui/pages_logic/NewServerProtocolsLogic.cpp
@@ -18,7 +18,7 @@ void NewServerProtocolsLogic::onUpdatePage()
 void NewServerProtocolsLogic::onPushButtonConfigureClicked(DockerContainer c, int port, TransportProto tp)
 {
     QMap<DockerContainer, QJsonObject> containers;
-    Protocol mainProto = ContainerProps::defaultProtocol(c);
+    Proto mainProto = ContainerProps::defaultProtocol(c);
 
     QJsonObject config {
         { config_key::container, ContainerProps::containerToString(c) },
diff --git a/client/ui/pages_logic/ServerContainersLogic.cpp b/client/ui/pages_logic/ServerContainersLogic.cpp
index 22afaa30..dbcc3b61 100644
--- a/client/ui/pages_logic/ServerContainersLogic.cpp
+++ b/client/ui/pages_logic/ServerContainersLogic.cpp
@@ -29,7 +29,7 @@ void ServerContainersLogic::onUpdatePage()
     emit updatePage();
 }
 
-void ServerContainersLogic::onPushButtonProtoSettingsClicked(DockerContainer c, Protocol p)
+void ServerContainersLogic::onPushButtonProtoSettingsClicked(DockerContainer c, Proto p)
 {
     qDebug()<< "ServerContainersLogic::onPushButtonProtoSettingsClicked" << c << p;
     uiLogic()->selectedDockerContainer = c;
diff --git a/client/ui/pages_logic/ServerContainersLogic.h b/client/ui/pages_logic/ServerContainersLogic.h
index 5f49d35b..a49882fa 100644
--- a/client/ui/pages_logic/ServerContainersLogic.h
+++ b/client/ui/pages_logic/ServerContainersLogic.h
@@ -12,7 +12,7 @@ class ServerContainersLogic : public PageLogicBase
 public:
     Q_INVOKABLE void onUpdatePage() override;
 
-    Q_INVOKABLE void onPushButtonProtoSettingsClicked(DockerContainer c, Protocol p);
+    Q_INVOKABLE void onPushButtonProtoSettingsClicked(DockerContainer c, Proto p);
     Q_INVOKABLE void onPushButtonDefaultClicked(DockerContainer c);
     Q_INVOKABLE void onPushButtonShareClicked(DockerContainer c);
     Q_INVOKABLE void onPushButtonRemoveClicked(DockerContainer c);
diff --git a/client/ui/pages_logic/ServerSettingsLogic.cpp b/client/ui/pages_logic/ServerSettingsLogic.cpp
index ddbabf00..50c62f35 100644
--- a/client/ui/pages_logic/ServerSettingsLogic.cpp
+++ b/client/ui/pages_logic/ServerSettingsLogic.cpp
@@ -128,5 +128,5 @@ void ServerSettingsLogic::onLineEditDescriptionEditingFinished()
 void ServerSettingsLogic::onPushButtonShareFullClicked()
 {
     uiLogic()->shareConnectionLogic()->updateSharingPage(uiLogic()->selectedServerIndex, DockerContainer::None);
-    emit uiLogic()->goToShareProtocolPage(Protocol::Any);
+    emit uiLogic()->goToShareProtocolPage(Proto::Any);
 }
diff --git a/client/ui/pages_logic/ShareConnectionLogic.cpp b/client/ui/pages_logic/ShareConnectionLogic.cpp
index ef7aec91..ffc71232 100644
--- a/client/ui/pages_logic/ShareConnectionLogic.cpp
+++ b/client/ui/pages_logic/ShareConnectionLogic.cpp
@@ -70,7 +70,7 @@ void ShareConnectionLogic::onPushButtonShareAmneziaGenerateClicked()
         containerConfig.insert(config_key::container, ContainerProps::containerToString(uiLogic()->selectedDockerContainer));
 
         ErrorCode e = ErrorCode::NoError;
-        for (Protocol p: ContainerProps::protocolsForContainer(uiLogic()->selectedDockerContainer)) {
+        for (Proto p: ContainerProps::protocolsForContainer(uiLogic()->selectedDockerContainer)) {
             QJsonObject protoConfig = m_settings.protocolConfig(uiLogic()->selectedServerIndex, uiLogic()->selectedDockerContainer, p);
 
             QString cfg = VpnConfigurator::genVpnProtocolConfig(credentials, uiLogic()->selectedDockerContainer, containerConfig, p, &e);
@@ -115,7 +115,7 @@ void ShareConnectionLogic::onPushButtonShareOpenVpnGenerateClicked()
 
     ErrorCode e = ErrorCode::NoError;
     QString cfg = OpenVpnConfigurator::genOpenVpnConfig(credentials, uiLogic()->selectedDockerContainer, containerConfig, &e);
-    cfg = VpnConfigurator::processConfigWithExportSettings(uiLogic()->selectedDockerContainer, Protocol::OpenVpn, cfg);
+    cfg = VpnConfigurator::processConfigWithExportSettings(uiLogic()->selectedDockerContainer, Proto::OpenVpn, cfg);
 
     set_textEditShareOpenVpnCodeText(QJsonDocument::fromJson(cfg.toUtf8()).object()[config_key::config].toString());
 }
@@ -126,7 +126,7 @@ void ShareConnectionLogic::onPushButtonShareShadowSocksGenerateClicked()
     DockerContainer container = uiLogic()->selectedDockerContainer;
     ServerCredentials credentials = m_settings.serverCredentials(serverIndex);
 
-    QJsonObject protoConfig = m_settings.protocolConfig(serverIndex, container, Protocol::ShadowSocks);
+    QJsonObject protoConfig = m_settings.protocolConfig(serverIndex, container, Proto::ShadowSocks);
     QString cfg = protoConfig.value(config_key::last_config).toString();
 
     if (cfg.isEmpty()) {
@@ -168,7 +168,7 @@ void ShareConnectionLogic::onPushButtonShareCloakGenerateClicked()
     DockerContainer container = uiLogic()->selectedDockerContainer;
     ServerCredentials credentials = m_settings.serverCredentials(serverIndex);
 
-    QJsonObject protoConfig = m_settings.protocolConfig(serverIndex, container, Protocol::Cloak);
+    QJsonObject protoConfig = m_settings.protocolConfig(serverIndex, container, Proto::Cloak);
     QString cfg = protoConfig.value(config_key::last_config).toString();
 
     if (cfg.isEmpty()) {
@@ -195,7 +195,7 @@ void ShareConnectionLogic::onPushButtonShareWireGuardGenerateClicked()
 
     ErrorCode e = ErrorCode::NoError;
     QString cfg = WireguardConfigurator::genWireguardConfig(credentials, container, containerConfig, &e);
-    cfg = VpnConfigurator::processConfigWithExportSettings(container, Protocol::WireGuard, cfg);
+    cfg = VpnConfigurator::processConfigWithExportSettings(container, Proto::WireGuard, cfg);
     cfg = QJsonDocument::fromJson(cfg.toUtf8()).object()[config_key::config].toString();
 
     set_textEditShareWireGuardCodeText(cfg);
@@ -215,7 +215,7 @@ void ShareConnectionLogic::onPushButtonShareIkev2GenerateClicked()
     Ikev2Configurator::ConnectionData connData = Ikev2Configurator::prepareIkev2Config(credentials, container);
 
     QString cfg = Ikev2Configurator::genIkev2Config(connData);
-    cfg = VpnConfigurator::processConfigWithExportSettings(container, Protocol::Ikev2, cfg);
+    cfg = VpnConfigurator::processConfigWithExportSettings(container, Proto::Ikev2, cfg);
     cfg = QJsonDocument::fromJson(cfg.toUtf8()).object()[config_key::cert].toString();
 
     set_textEditShareIkev2CertText(cfg);
diff --git a/client/ui/pages_logic/VpnLogic.cpp b/client/ui/pages_logic/VpnLogic.cpp
index 90b07f88..1d66547d 100644
--- a/client/ui/pages_logic/VpnLogic.cpp
+++ b/client/ui/pages_logic/VpnLogic.cpp
@@ -77,7 +77,7 @@ void VpnLogic::onBytesChanged(quint64 receivedData, quint64 sentData)
     set_labelSpeedSentText(VpnConnection::bytesPerSecToText(sentData));
 }
 
-void VpnLogic::onConnectionStateChanged(VpnProtocol::ConnectionState state)
+void VpnLogic::onConnectionStateChanged(VpnProtocol::VpnConnectionState state)
 {
     qDebug() << "VpnLogic::onConnectionStateChanged" << VpnProtocol::textConnectionState(state);
 
diff --git a/client/ui/pages_logic/VpnLogic.h b/client/ui/pages_logic/VpnLogic.h
index 95d39e1b..d077ba90 100644
--- a/client/ui/pages_logic/VpnLogic.h
+++ b/client/ui/pages_logic/VpnLogic.h
@@ -48,7 +48,7 @@ public slots:
     void onDisconnect();
 
     void onBytesChanged(quint64 receivedBytes, quint64 sentBytes);
-    void onConnectionStateChanged(VpnProtocol::ConnectionState state);
+    void onConnectionStateChanged(VpnProtocol::VpnConnectionState state);
     void onVpnProtocolError(amnezia::ErrorCode errorCode);
 
 signals:
diff --git a/client/ui/pages_logic/WizardLogic.cpp b/client/ui/pages_logic/WizardLogic.cpp
index af245c1e..7936524d 100644
--- a/client/ui/pages_logic/WizardLogic.cpp
+++ b/client/ui/pages_logic/WizardLogic.cpp
@@ -22,7 +22,7 @@ QMap<DockerContainer, QJsonObject> WizardLogic::getInstallConfigsFromWizardPage(
 {
     QJsonObject cloakConfig {
         { config_key::container, ContainerProps::containerToString(DockerContainer::Cloak) },
-        { ProtocolProps::protoToString(Protocol::Cloak), QJsonObject {
+        { ProtocolProps::protoToString(Proto::Cloak), QJsonObject {
                 { config_key::site, lineEditHighWebsiteMaskingText() }}
         }
     };
diff --git a/client/ui/pages_logic/protocols/CloakLogic.cpp b/client/ui/pages_logic/protocols/CloakLogic.cpp
index 22d86efb..2e341383 100644
--- a/client/ui/pages_logic/protocols/CloakLogic.cpp
+++ b/client/ui/pages_logic/protocols/CloakLogic.cpp
@@ -52,12 +52,12 @@ QJsonObject CloakLogic::getProtocolConfigFromPage(QJsonObject oldConfig)
 
 void CloakLogic::onPushButtonSaveClicked()
 {
-    QJsonObject protocolConfig = m_settings.protocolConfig(uiLogic()->selectedServerIndex, uiLogic()->selectedDockerContainer, Protocol::Cloak);
+    QJsonObject protocolConfig = m_settings.protocolConfig(uiLogic()->selectedServerIndex, uiLogic()->selectedDockerContainer, Proto::Cloak);
     protocolConfig = getProtocolConfigFromPage(protocolConfig);
 
     QJsonObject containerConfig = m_settings.containerConfig(uiLogic()->selectedServerIndex, uiLogic()->selectedDockerContainer);
     QJsonObject newContainerConfig = containerConfig;
-    newContainerConfig.insert(ProtocolProps::protoToString(Protocol::Cloak), protocolConfig);
+    newContainerConfig.insert(ProtocolProps::protoToString(Proto::Cloak), protocolConfig);
 
     UiLogic::PageFunc page_func;
     page_func.setEnabledFunc = [this] (bool enabled) -> void {
diff --git a/client/ui/pages_logic/protocols/OpenVpnLogic.cpp b/client/ui/pages_logic/protocols/OpenVpnLogic.cpp
index e81249cf..98115f29 100644
--- a/client/ui/pages_logic/protocols/OpenVpnLogic.cpp
+++ b/client/ui/pages_logic/protocols/OpenVpnLogic.cpp
@@ -81,12 +81,12 @@ void OpenVpnLogic::updateProtocolPage(const QJsonObject &openvpnConfig, DockerCo
 
 void OpenVpnLogic::onPushButtonProtoOpenVpnSaveClicked()
 {
-    QJsonObject protocolConfig = m_settings.protocolConfig(uiLogic()->selectedServerIndex, uiLogic()->selectedDockerContainer, Protocol::OpenVpn);
+    QJsonObject protocolConfig = m_settings.protocolConfig(uiLogic()->selectedServerIndex, uiLogic()->selectedDockerContainer, Proto::OpenVpn);
     protocolConfig = getProtocolConfigFromPage(protocolConfig);
 
     QJsonObject containerConfig = m_settings.containerConfig(uiLogic()->selectedServerIndex, uiLogic()->selectedDockerContainer);
     QJsonObject newContainerConfig = containerConfig;
-    newContainerConfig.insert(ProtocolProps::protoToString(Protocol::OpenVpn), protocolConfig);
+    newContainerConfig.insert(ProtocolProps::protoToString(Proto::OpenVpn), protocolConfig);
 
     UiLogic::PageFunc page_proto_openvpn;
     page_proto_openvpn.setEnabledFunc = [this] (bool enabled) -> void {
diff --git a/client/ui/pages_logic/protocols/ShadowSocksLogic.cpp b/client/ui/pages_logic/protocols/ShadowSocksLogic.cpp
index a19e8a2f..9aa8d0f3 100644
--- a/client/ui/pages_logic/protocols/ShadowSocksLogic.cpp
+++ b/client/ui/pages_logic/protocols/ShadowSocksLogic.cpp
@@ -46,12 +46,12 @@ QJsonObject ShadowSocksLogic::getProtocolConfigFromPage(QJsonObject oldConfig)
 
 void ShadowSocksLogic::onPushButtonSaveClicked()
 {
-    QJsonObject protocolConfig = m_settings.protocolConfig(uiLogic()->selectedServerIndex, uiLogic()->selectedDockerContainer, Protocol::ShadowSocks);
+    QJsonObject protocolConfig = m_settings.protocolConfig(uiLogic()->selectedServerIndex, uiLogic()->selectedDockerContainer, Proto::ShadowSocks);
     //protocolConfig = getShadowSocksConfigFromPage(protocolConfig);
 
     QJsonObject containerConfig = m_settings.containerConfig(uiLogic()->selectedServerIndex, uiLogic()->selectedDockerContainer);
     QJsonObject newContainerConfig = containerConfig;
-    newContainerConfig.insert(ProtocolProps::protoToString(Protocol::ShadowSocks), protocolConfig);
+    newContainerConfig.insert(ProtocolProps::protoToString(Proto::ShadowSocks), protocolConfig);
     UiLogic::PageFunc page_proto_shadowsocks;
     page_proto_shadowsocks.setEnabledFunc = [this] (bool enabled) -> void {
         set_pageEnabled(enabled);
diff --git a/client/ui/systemtray_notificationhandler.cpp b/client/ui/systemtray_notificationhandler.cpp
index 01d531d6..9b10f0de 100644
--- a/client/ui/systemtray_notificationhandler.cpp
+++ b/client/ui/systemtray_notificationhandler.cpp
@@ -74,7 +74,7 @@ SystemTrayNotificationHandler::SystemTrayNotificationHandler(QObject* parent) :
 SystemTrayNotificationHandler::~SystemTrayNotificationHandler() {
 }
 
-void SystemTrayNotificationHandler::setConnectionState(VpnProtocol::ConnectionState state)
+void SystemTrayNotificationHandler::setConnectionState(VpnProtocol::VpnConnectionState state)
 {
     setTrayState(state);
     NotificationHandler::setConnectionState(state);
@@ -96,7 +96,7 @@ void SystemTrayNotificationHandler::onTrayActivated(QSystemTrayIcon::ActivationR
 #endif
 }
 
-void SystemTrayNotificationHandler::setTrayState(VpnProtocol::ConnectionState state)
+void SystemTrayNotificationHandler::setTrayState(VpnProtocol::VpnConnectionState state)
 {
     qDebug() << "SystemTrayNotificationHandler::setTrayState" << state;
     QString resourcesPath = ":/images/tray/%1";
diff --git a/client/ui/systemtray_notificationhandler.h b/client/ui/systemtray_notificationhandler.h
index dd1c6483..46563bde 100644
--- a/client/ui/systemtray_notificationhandler.h
+++ b/client/ui/systemtray_notificationhandler.h
@@ -17,7 +17,7 @@ public:
     explicit SystemTrayNotificationHandler(QObject* parent);
     ~SystemTrayNotificationHandler();
 
-    void setConnectionState(VpnProtocol::ConnectionState state) override;
+    void setConnectionState(VpnProtocol::VpnConnectionState state) override;
 
 protected:
     virtual void notify(Message type, const QString& title,
@@ -26,7 +26,7 @@ protected:
 private:
     void showHideWindow();
 
-    void setTrayState(VpnProtocol::ConnectionState state);
+    void setTrayState(VpnProtocol::VpnConnectionState state);
     void onTrayActivated(QSystemTrayIcon::ActivationReason reason);
 
     void setTrayIcon(const QString &iconPath);
diff --git a/client/ui/uilogic.cpp b/client/ui/uilogic.cpp
index 98f325f7..f3cbed04 100644
--- a/client/ui/uilogic.cpp
+++ b/client/ui/uilogic.cpp
@@ -88,21 +88,21 @@ UiLogic::UiLogic(QObject *parent) :
     m_newServerProtocolsLogic = new NewServerProtocolsLogic(this);
     m_serverListLogic = new ServerListLogic(this);
     m_serverSettingsLogic = new ServerSettingsLogic(this);
-    m_serverVpnProtocolsLogic = new ServerContainersLogic(this);
+    m_serverprotocolsLogic = new ServerContainersLogic(this);
     m_shareConnectionLogic = new ShareConnectionLogic(this);
     m_sitesLogic = new SitesLogic(this);
     m_startPageLogic = new StartPageLogic(this);
     m_vpnLogic = new VpnLogic(this);
     m_wizardLogic = new WizardLogic(this);
 
-    m_protocolLogicMap.insert(Protocol::OpenVpn, new OpenVpnLogic(this));
-    m_protocolLogicMap.insert(Protocol::ShadowSocks, new ShadowSocksLogic(this));
-    m_protocolLogicMap.insert(Protocol::Cloak, new CloakLogic(this));
-    //m_protocolLogicMap->insert(Protocol::WireGuard, new WireguardLogic(this));
+    m_protocolLogicMap.insert(Proto::OpenVpn, new OpenVpnLogic(this));
+    m_protocolLogicMap.insert(Proto::ShadowSocks, new ShadowSocksLogic(this));
+    m_protocolLogicMap.insert(Proto::Cloak, new CloakLogic(this));
+    //m_protocolLogicMap->insert(Proto::WireGuard, new WireguardLogic(this));
 
-    m_protocolLogicMap.insert(Protocol::Dns, new OtherProtocolsLogic(this));
-    m_protocolLogicMap.insert(Protocol::Sftp, new OtherProtocolsLogic(this));
-    m_protocolLogicMap.insert(Protocol::TorWebSite, new OtherProtocolsLogic(this));
+    m_protocolLogicMap.insert(Proto::Dns, new OtherProtocolsLogic(this));
+    m_protocolLogicMap.insert(Proto::Sftp, new OtherProtocolsLogic(this));
+    m_protocolLogicMap.insert(Proto::TorWebSite, new OtherProtocolsLogic(this));
 
 }
 
@@ -110,7 +110,7 @@ UiLogic::~UiLogic()
 {
     emit hide();
 
-    if (m_vpnConnection->connectionState() != VpnProtocol::ConnectionState::Disconnected) {
+    if (m_vpnConnection->connectionState() != VpnProtocol::VpnConnectionState::Disconnected) {
         m_vpnConnection->disconnectFromVpn();
         for (int i = 0; i < 50; i++) {
             qApp->processEvents(QEventLoop::ExcludeUserInputEvents);
@@ -176,7 +176,7 @@ void UiLogic::initalizeUiLogic()
     selectedServerIndex = m_settings.defaultServerIndex();
     //goToPage(Page::ServerContainers, true, false);
     //goToPage(Page::NewServerProtocols, true, false);
-    //onGotoProtocolPage(Protocol::OpenVpn);
+    //onGotoProtocolPage(Proto::OpenVpn);
 
 
     //ui->pushButton_general_settings_exit->hide();
@@ -241,7 +241,7 @@ void UiLogic::onUpdateAllPages()
          (PageLogicBase *) m_newServerProtocolsLogic,
          (PageLogicBase *) m_serverListLogic,
          (PageLogicBase *) m_serverSettingsLogic,
-         (PageLogicBase *) m_serverVpnProtocolsLogic,
+         (PageLogicBase *) m_serverprotocolsLogic,
          (PageLogicBase *) m_shareConnectionLogic,
          (PageLogicBase *) m_sitesLogic,
          (PageLogicBase *) m_startPageLogic,
@@ -615,7 +615,8 @@ ErrorCode UiLogic::doInstallAction(const std::function<ErrorCode()> &action,
     return ErrorCode::NoError;
 }
 
-PageProtocolLogicBase *UiLogic::protocolLogic(Protocol p) {
+PageProtocolLogicBase *UiLogic::protocolLogic(Proto p)
+{
     PageProtocolLogicBase *logic = m_protocolLogicMap.value(p);
     if (logic) return logic;
     else {
diff --git a/client/ui/uilogic.h b/client/ui/uilogic.h
index 15f3f1ef..9eefb381 100644
--- a/client/ui/uilogic.h
+++ b/client/ui/uilogic.h
@@ -92,8 +92,8 @@ public:
     Q_INVOKABLE QString containerDesc(int container);
 
     Q_INVOKABLE void onGotoPage(PageEnumNS::Page p, bool reset = true, bool slide = true) { emit goToPage(p, reset, slide); }
-    Q_INVOKABLE void onGotoProtocolPage(Protocol p, bool reset = true, bool slide = true) { emit goToProtocolPage(p, reset, slide); }
-    Q_INVOKABLE void onGotoShareProtocolPage(Protocol p, bool reset = true, bool slide = true) { emit goToShareProtocolPage(p, reset, slide); }
+    Q_INVOKABLE void onGotoProtocolPage(Proto p, bool reset = true, bool slide = true) { emit goToProtocolPage(p, reset, slide); }
+    Q_INVOKABLE void onGotoShareProtocolPage(Proto p, bool reset = true, bool slide = true) { emit goToShareProtocolPage(p, reset, slide); }
 
     Q_INVOKABLE void onGotoCurrentProtocolsPage();
 
@@ -110,8 +110,8 @@ signals:
     void dialogConnectErrorTextChanged();
 
     void goToPage(PageEnumNS::Page page, bool reset = true, bool slide = true);
-    void goToProtocolPage(Protocol protocol, bool reset = true, bool slide = true);
-    void goToShareProtocolPage(Protocol protocol, bool reset = true, bool slide = true);
+    void goToProtocolPage(Proto protocol, bool reset = true, bool slide = true);
+    void goToShareProtocolPage(Proto protocol, bool reset = true, bool slide = true);
 
     void closePage();
     void setStartPage(PageEnumNS::Page page, bool slide = true);
@@ -128,7 +128,6 @@ private slots:
     // containers - INOUT arg
     void installServer(QMap<DockerContainer, QJsonObject> &containers);
 
-
 private:
     PageEnumNS::Page currentPage();
     struct ProgressFunc {
@@ -172,14 +171,14 @@ public:
     NewServerProtocolsLogic *newServerProtocolsLogic()      { return m_newServerProtocolsLogic; }
     ServerListLogic *serverListLogic()                      { return m_serverListLogic; }
     ServerSettingsLogic *serverSettingsLogic()              { return m_serverSettingsLogic; }
-    ServerContainersLogic *serverVpnProtocolsLogic()        { return m_serverVpnProtocolsLogic; }
+    ServerContainersLogic *serverprotocolsLogic()        { return m_serverprotocolsLogic; }
     ShareConnectionLogic *shareConnectionLogic()            { return m_shareConnectionLogic; }
     SitesLogic *sitesLogic()                                { return m_sitesLogic; }
     StartPageLogic *startPageLogic()                        { return m_startPageLogic; }
     VpnLogic *vpnLogic()                                    { return m_vpnLogic; }
     WizardLogic *wizardLogic()                              { return m_wizardLogic; }
 
-    Q_INVOKABLE PageProtocolLogicBase *protocolLogic(Protocol p);
+    Q_INVOKABLE PageProtocolLogicBase *protocolLogic(Proto p);
 
     QObject *qmlRoot() const;
     void setQmlRoot(QObject *newQmlRoot);
@@ -196,14 +195,14 @@ private:
     NewServerProtocolsLogic *m_newServerProtocolsLogic;
     ServerListLogic *m_serverListLogic;
     ServerSettingsLogic *m_serverSettingsLogic;
-    ServerContainersLogic *m_serverVpnProtocolsLogic;
+    ServerContainersLogic *m_serverprotocolsLogic;
     ShareConnectionLogic *m_shareConnectionLogic;
     SitesLogic *m_sitesLogic;
     StartPageLogic *m_startPageLogic;
     VpnLogic *m_vpnLogic;
     WizardLogic *m_wizardLogic;
 
-    QMap<Protocol, PageProtocolLogicBase *> m_protocolLogicMap;
+    QMap<Proto, PageProtocolLogicBase *> m_protocolLogicMap;
 
     VpnConnection* m_vpnConnection;
     QThread m_vpnConnectionThread;
diff --git a/client/version.pri b/client/version.pri
new file mode 100644
index 00000000..4611134d
--- /dev/null
+++ b/client/version.pri
@@ -0,0 +1,5 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+!defined(VERSION, var):VERSION = 1
diff --git a/client/vpnconnection.cpp b/client/vpnconnection.cpp
index 8730be88..5837ce58 100644
--- a/client/vpnconnection.cpp
+++ b/client/vpnconnection.cpp
@@ -16,6 +16,10 @@
 #include "protocols/android_vpnprotocol.h"
 #endif
 
+#ifdef Q_OS_IOS
+#include <protocols/ios_vpnprotocol.h>
+#endif
+
 #include "ipc.h"
 #include "core/ipcclient.h"
 
@@ -39,7 +43,7 @@ void VpnConnection::onBytesChanged(quint64 receivedBytes, quint64 sentBytes)
     emit bytesChanged(receivedBytes, sentBytes);
 }
 
-void VpnConnection::onConnectionStateChanged(VpnProtocol::ConnectionState state)
+void VpnConnection::onConnectionStateChanged(VpnProtocol::VpnConnectionState state)
 {
     if (IpcClient::Interface()) {
         if (state == VpnProtocol::Connected){
@@ -125,10 +129,10 @@ ErrorCode VpnConnection::lastError() const
     return m_vpnProtocol.data()->lastError();
 }
 
-QMap<Protocol, QString> VpnConnection::getLastVpnConfig(const QJsonObject &containerConfig)
+QMap<Proto, QString> VpnConnection::getLastVpnConfig(const QJsonObject &containerConfig)
 {
-    QMap<Protocol, QString> configs;
-    for (Protocol proto: ProtocolProps::allProtocols()) {
+    QMap<Proto, QString> configs;
+    for (Proto proto: ProtocolProps::allProtocols()) {
 
         QString cfg = containerConfig.value(ProtocolProps::protoToString(proto)).toObject().value(config_key::last_config).toString();
 
@@ -138,7 +142,7 @@ QMap<Protocol, QString> VpnConnection::getLastVpnConfig(const QJsonObject &conta
 }
 
 QString VpnConnection::createVpnConfigurationForProto(int serverIndex,
-    const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig, Protocol proto,
+    const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig, Proto proto,
     ErrorCode *errorCode)
 {
     ErrorCode e = ErrorCode::NoError;
@@ -187,7 +191,7 @@ QJsonObject VpnConnection::createVpnConfiguration(int serverIndex,
     QJsonObject vpnConfiguration;
 
 
-    for (ProtocolEnumNS::Protocol proto : ContainerProps::protocolsForContainer(container)) {
+    for (ProtocolEnumNS::Proto proto : ContainerProps::protocolsForContainer(container)) {
         QJsonObject vpnConfigData = QJsonDocument::fromJson(
             createVpnConfigurationForProto(
                 serverIndex, credentials, container, containerConfig, proto, &e).toUtf8()).
@@ -201,8 +205,8 @@ QJsonObject VpnConnection::createVpnConfiguration(int serverIndex,
         vpnConfiguration.insert(ProtocolProps::key_proto_config_data(proto), vpnConfigData);
     }
 
-    Protocol proto = ContainerProps::defaultProtocol(container);
-    vpnConfiguration[config_key::protocol] = ProtocolProps::protoToString(proto);
+    Proto proto = ContainerProps::defaultProtocol(container);
+    vpnConfiguration[config_key::vpnproto] = ProtocolProps::protoToString(proto);
 
     return vpnConfiguration;
 }
@@ -213,7 +217,7 @@ void VpnConnection::connectToVpn(int serverIndex,
     qDebug() << QString("СonnectToVpn, Server index is %1, container is %2, route mode is")
                 .arg(serverIndex).arg(ContainerProps::containerToString(container)) << m_settings.routeMode();
 
-    #if !defined (Q_OS_ANDROID) && !defined (Q_OS_IOS)
+#if !defined (Q_OS_ANDROID) && !defined (Q_OS_IOS)
     if (!m_IpcClient) {
         m_IpcClient = new IpcClient;
     }
@@ -229,7 +233,6 @@ void VpnConnection::connectToVpn(int serverIndex,
 #endif
 
     m_remoteAddress = credentials.hostName;
-
     emit connectionStateChanged(VpnProtocol::Connecting);
 
     if (m_vpnProtocol) {
@@ -242,32 +245,39 @@ void VpnConnection::connectToVpn(int serverIndex,
     }
 
     ErrorCode e = ErrorCode::NoError;
+
     m_vpnConfiguration = createVpnConfiguration(serverIndex, credentials, container, containerConfig);
     if (e) {
         emit connectionStateChanged(VpnProtocol::Error);
         return;
     }
-
-
-#ifndef Q_OS_ANDROID
+    
+#if !defined (Q_OS_ANDROID) && !defined (Q_OS_IOS)
     m_vpnProtocol.reset(VpnProtocol::factory(container, m_vpnConfiguration));
     if (!m_vpnProtocol) {
         emit VpnProtocol::Error;
         return;
     }
-
     m_vpnProtocol->prepare();
-
-#else
-    Protocol proto = ContainerProps::defaultProtocol(container);
+#elif defined Q_OS_ANDROID
+    Proto proto = ContainerProps::defaultProtocol(container);
     AndroidVpnProtocol *androidVpnProtocol = new AndroidVpnProtocol(proto, m_vpnConfiguration);
     connect(AndroidController::instance(), &AndroidController::connectionStateChanged, androidVpnProtocol, &AndroidVpnProtocol::setConnectionState);
 
     m_vpnProtocol.reset(androidVpnProtocol);
+#elif defined Q_OS_IOS
+    Proto proto = ContainerProps::defaultProtocol(container);
+    IOSVpnProtocol *iosVpnProtocol = new IOSVpnProtocol(proto, m_vpnConfiguration);
+    if (!iosVpnProtocol->initialize()) {
+         qDebug() << QString("Init failed") ;
+         emit VpnProtocol::Error;
+         return;
+    }
+    m_vpnProtocol.reset(iosVpnProtocol);
 #endif
 
     connect(m_vpnProtocol.data(), &VpnProtocol::protocolError, this, &VpnConnection::vpnProtocolError);
-    connect(m_vpnProtocol.data(), SIGNAL(connectionStateChanged(VpnProtocol::ConnectionState)), this, SLOT(onConnectionStateChanged(VpnProtocol::ConnectionState)));
+    connect(m_vpnProtocol.data(), SIGNAL(connectionStateChanged(VpnProtocol::VpnConnectionState)), this, SLOT(onConnectionStateChanged(VpnProtocol::VpnConnectionState)));
     connect(m_vpnProtocol.data(), SIGNAL(bytesChanged(quint64, quint64)), this, SLOT(onBytesChanged(quint64, quint64)));
 
     ServerController::disconnectFromHost(credentials);
@@ -301,7 +311,7 @@ void VpnConnection::disconnectFromVpn()
     // qDebug() << "Disconnect from VPN 2";
 }
 
-VpnProtocol::ConnectionState VpnConnection::connectionState()
+VpnProtocol::VpnConnectionState VpnConnection::connectionState()
 {
     if (!m_vpnProtocol) return VpnProtocol::Disconnected;
     return m_vpnProtocol->connectionState();
diff --git a/client/vpnconnection.h b/client/vpnconnection.h
index 9d0c3337..a6f0e13a 100644
--- a/client/vpnconnection.h
+++ b/client/vpnconnection.h
@@ -25,9 +25,9 @@ public:
 
     ErrorCode lastError() const;
 
-    static QMap<Protocol, QString> getLastVpnConfig(const QJsonObject &containerConfig);
+    static QMap<Proto, QString> getLastVpnConfig(const QJsonObject &containerConfig);
     QString createVpnConfigurationForProto(int serverIndex,
-        const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig, Protocol proto,
+        const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig, Proto proto,
         ErrorCode *errorCode = nullptr);
 
     QJsonObject createVpnConfiguration(int serverIndex,
@@ -39,7 +39,7 @@ public:
     bool isConnected() const;
     bool isDisconnected() const;
 
-    VpnProtocol::ConnectionState connectionState();
+    VpnProtocol::VpnConnectionState connectionState();
     QSharedPointer<VpnProtocol> vpnProtocol() const;
 
     void addRoutes(const QStringList &ips);
@@ -56,14 +56,14 @@ public slots:
 
 signals:
     void bytesChanged(quint64 receivedBytes, quint64 sentBytes);
-    void connectionStateChanged(VpnProtocol::ConnectionState state);
+    void connectionStateChanged(VpnProtocol::VpnConnectionState state);
     void vpnProtocolError(amnezia::ErrorCode error);
 
     void serviceIsNotReady();
 
 protected slots:
     void onBytesChanged(quint64 receivedBytes, quint64 sentBytes);
-    void onConnectionStateChanged(VpnProtocol::ConnectionState state);
+    void onConnectionStateChanged(VpnProtocol::VpnConnectionState state);
 
 protected:
     QSharedPointer<VpnProtocol> m_vpnProtocol;
diff --git a/client/xcode.xconfig b/client/xcode.xconfig
new file mode 100644
index 00000000..01eb90fe
--- /dev/null
+++ b/client/xcode.xconfig
@@ -0,0 +1,5 @@
+DEVELOPMENT_TEAM = X7UJ388FXK
+
+GROUP_ID_IOS = group.ru.kotit.AmneziaVPN.udev
+APP_ID_IOS = ru.kotit.AmneziaVPN
+NETEXT_ID_IOS = ru.kotit.AmneziaVPN.network-extension