Update Package.swift

App: version bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-07-16 07:16:01 +08:00 · 2023-02-15 14:20:52 +01:00 · 2023-02-15 14:20:35 +01:00 · 2023-02-15 14:20:30 +01:00 · 2023-02-14 16:09:14 +01:00 · 2023-02-08 13:08:40 -03:00
259 changed files with 13232 additions and 2489 deletions
--- a/.gitignore
+++ b/.gitignore
@ -31,6 +31,10 @@ xcuserdata
 *.hmap
 *.ipa

+# Swift Package Manager
+.swiftpm
+.build/
+
 # Fastlane
 *.app.dSYM.zip
 *.mobileprovision
@ -41,7 +45,7 @@ Preview.html
 output

 # Wireguard specific
-WireGuard/WireGuard/Config/Developer.xcconfig
+Sources/WireGuardApp/Config/Developer.xcconfig

 # Vim
 .*.sw*
--- a/WireGuard/.swiftlint.yml
+++ b/WireGuard/.swiftlint.yml
@ -7,6 +7,7 @@ disabled_rules:
 - type_body_length
 - function_body_length
 - nesting
+ - inclusive_language
 opt_in_rules:
 - empty_count
 - empty_string
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in
--- a/MOBILECONFIG.md
+++ b/MOBILECONFIG.md
@ -136,5 +136,5 @@ Here's an example WireGuard configuration payload dictionary:

 Configurations added via .mobileconfig will not be migrated into keychain until the WireGuard application is opened once.

-[wg-quick(8)]: https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
-[wg(8)]: https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
+[wg-quick(8)]: https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
+[wg(8)]: https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
--- a/Package.swift
+++ b/Package.swift
@ -0,0 +1,40 @@
+// swift-tools-version:5.3
+// The swift-tools-version declares the minimum version of Swift required to build this package.
+
+import PackageDescription
+
+let package = Package(
+    name: "WireGuardKit",
+    platforms: [
+        .macOS(.v14),
+        .iOS(.v17)
+    ],
+    products: [
+        .library(name: "WireGuardKit", targets: ["WireGuardKit"])
+    ],
+    dependencies: [],
+    targets: [
+        .target(
+            name: "WireGuardKit",
+            dependencies: ["WireGuardKitGo", "WireGuardKitC"]
+        ),
+        .target(
+            name: "WireGuardKitC",
+            dependencies: [],
+            publicHeadersPath: "."
+        ),
+        .target(
+            name: "WireGuardKitGo",
+            dependencies: [],
+            exclude: [
+                "goruntime-boottime-over-monotonic.diff",
+                "go.mod",
+                "go.sum",
+                "api-apple.go",
+                "Makefile"
+            ],
+            publicHeadersPath: ".",
+            linkerSettings: [.linkedLibrary("wg-go")]
+        )
+    ]
+)
--- a/README.md
+++ b/README.md
@ -1,22 +1,24 @@
 # [WireGuard](https://www.wireguard.com/) for iOS and macOS

+This project contains an application for iOS and for macOS, as well as many components shared between the two of them. You may toggle between the two platforms by selecting the target from within Xcode.
+
 ## Building

- Clone this repo recursively:
+- Clone this repo:

 ```
-$ git clone --recursive https://git.zx2c4.com/wireguard-ios
-$ cd wireguard-ios
+$ git clone https://git.zx2c4.com/wireguard-apple
+$ cd wireguard-apple
 ```

 - Rename and populate developer team ID file:

 ```
-$ cp WireGuard/WireGuard/Config/Developer.xcconfig.template WireGuard/WireGuard/Config/Developer.xcconfig
-$ vim WireGuard/WireGuard/Config/Developer.xcconfig
+$ cp Sources/WireGuardApp/Config/Developer.xcconfig.template Sources/WireGuardApp/Config/Developer.xcconfig
+$ vim Sources/WireGuardApp/Config/Developer.xcconfig
 ```

- Install swiftlint and go:
+- Install swiftlint and go 1.19:

 ```
 $ brew install swiftlint go
@ -25,11 +27,57 @@ $ brew install swiftlint go
 - Open project in Xcode:

 ```
-$ open ./WireGuard/WireGuard.xcodeproj
+$ open WireGuard.xcodeproj
 ```

 - Flip switches, press buttons, and make whirling noises until Xcode builds it.

+## WireGuardKit integration
+
+1. Open your Xcode project and add the Swift package with the following URL:
+   
+   ```
+   https://git.zx2c4.com/wireguard-apple
+   ```
+   
+2. `WireGuardKit` links against `wireguard-go-bridge` library, but it cannot build it automatically
+   due to Swift package manager limitations. So it needs a little help from a developer. 
+   Please follow the instructions below to create a build target(s) for `wireguard-go-bridge`.
+   
+   - In Xcode, click File -> New -> Target. Switch to "Other" tab and choose "External Build 
+     System".
+   - Type in `WireGuardGoBridge<PLATFORM>` under the "Product name", replacing the `<PLATFORM>` 
+     placeholder with the name of the platform. For example, when targeting macOS use `macOS`, or 
+     when targeting iOS use `iOS`.
+     Make sure the build tool is set to: `/usr/bin/make` (default).
+   - In the appeared "Info" tab of a newly created target, type in the "Directory" path under 
+     the "External Build Tool Configuration":
+     
+     ```
+     ${BUILD_DIR%Build/*}SourcePackages/checkouts/wireguard-apple/Sources/WireGuardKitGo
+     ```
+     
+   - Switch to "Build Settings" and find `SDKROOT`.
+     Type in `macosx` if you target macOS, or type in `iphoneos` if you target iOS.
+   
+3. Go to Xcode project settings and locate your network extension target and switch to 
+   "Build Phases" tab.
+   
+   - Locate "Dependencies" section and hit "+" to add `WireGuardGoBridge<PLATFORM>` replacing 
+     the `<PLATFORM>` placeholder with the name of platform matching the network extension 
+     deployment target (i.e macOS or iOS).
+     
+   - Locate the "Link with binary libraries" section and hit "+" to add `WireGuardKit`.
+   
+4. In Xcode project settings, locate your main bundle app and switch to "Build Phases" tab. 
+   Locate the "Link with binary libraries" section and hit "+" to add `WireGuardKit`.
+   
+5. iOS only: Locate Bitcode settings under your application target, Build settings -> Enable Bitcode, 
+   change the corresponding value to "No".
+   
+Note that if you ship your app for both iOS and macOS, make sure to repeat the steps 2-4 twice, 
+once per platform.
+
 ## MIT License

 Permission is hereby granted, free of charge, to any person obtaining a copy of
--- a/WireGuard/Shared/FileManager+Extension.swift
+++ b/WireGuard/Shared/FileManager+Extension.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation
 import os.log
@ -35,6 +35,10 @@ extension FileManager {
        return sharedFolderURL?.appendingPathComponent("last-error.txt")
    }

+    static var loginHelperTimestampURL: URL? {
+        return sharedFolderURL?.appendingPathComponent("login-helper-timestamp.bin")
+    }
+
    static func deleteFile(at url: URL) -> Bool {
        do {
            try FileManager.default.removeItem(at: url)
--- a/WireGuard/Shared/Keychain.swift
+++ b/WireGuard/Shared/Keychain.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation
 import Security
@ -7,9 +7,8 @@ import Security
 class Keychain {
    static func openReference(called ref: Data) -> String? {
        var result: CFTypeRef?
-        let ret =  SecItemCopyMatching([kSecClass as String: kSecClassGenericPassword,
-                                        kSecValuePersistentRef as String: ref,
-                                        kSecReturnData as String: true] as CFDictionary,
+        let ret = SecItemCopyMatching([kSecValuePersistentRef: ref,
+                                        kSecReturnData: true] as CFDictionary,
                                       &result)
        if ret != errSecSuccess || result == nil {
            wg_log(.error, message: "Unable to open config from keychain: \(ret)")
@ -21,29 +20,30 @@ class Keychain {

    static func makeReference(containing value: String, called name: String, previouslyReferencedBy oldRef: Data? = nil) -> Data? {
        var ret: OSStatus
-        guard var id = Bundle.main.bundleIdentifier else {
+        guard var bundleIdentifier = Bundle.main.bundleIdentifier else {
            wg_log(.error, staticMessage: "Unable to determine bundle identifier")
            return nil
        }
-        if id.hasSuffix(".network-extension") {
-            id.removeLast(".network-extension".count)
+        if bundleIdentifier.hasSuffix(".network-extension") {
+            bundleIdentifier.removeLast(".network-extension".count)
        }
-        var items: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
-                                    kSecAttrLabel as String: "WireGuard Tunnel: " + name,
-                                    kSecAttrAccount as String: name + ": " + UUID().uuidString,
-                                    kSecAttrDescription as String: "wg-quick(8) config",
-                                    kSecAttrService as String: id,
-                                    kSecValueData as String: value.data(using: .utf8) as Any,
-                                    kSecReturnPersistentRef as String: true]
+        let itemLabel = "WireGuard Tunnel: \(name)"
+        var items: [CFString: Any] = [kSecClass: kSecClassGenericPassword,
+                                    kSecAttrLabel: itemLabel,
+                                    kSecAttrAccount: name + ": " + UUID().uuidString,
+                                    kSecAttrDescription: "wg-quick(8) config",
+                                    kSecAttrService: bundleIdentifier,
+                                    kSecValueData: value.data(using: .utf8) as Any,
+                                    kSecReturnPersistentRef: true]

        #if os(iOS)
-        items[kSecAttrAccessGroup as String] = FileManager.appGroupId
-        items[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
+        items[kSecAttrAccessGroup] = FileManager.appGroupId
+        items[kSecAttrAccessible] = kSecAttrAccessibleAfterFirstUnlock
        #elseif os(macOS)
-        items[kSecAttrSynchronizable as String] = false
-        items[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
+        items[kSecAttrSynchronizable] = false
+        items[kSecAttrAccessible] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly

-        guard let extensionPath = Bundle.main.builtInPlugInsURL?.appendingPathComponent("WireGuardNetworkExtension.appex").path else {
+        guard let extensionPath = Bundle.main.builtInPlugInsURL?.appendingPathComponent("WireGuardNetworkExtension.appex", isDirectory: true).path else {
            wg_log(.error, staticMessage: "Unable to determine app extension path")
            return nil
        }
@ -60,14 +60,12 @@ class Keychain {
            return nil
        }
        var access: SecAccess?
-        ret = SecAccessCreate((items[kSecAttrLabel as String] as? String)! as CFString,
-                              [extensionApp!, mainApp!] as CFArray,
-                              &access)
+        ret = SecAccessCreate(itemLabel as CFString, [extensionApp!, mainApp!] as CFArray, &access)
        if ret != errSecSuccess || access == nil {
            wg_log(.error, message: "Unable to create keychain ACL object: \(ret)")
            return nil
        }
-        items[kSecAttrAccess as String] = access!
+        items[kSecAttrAccess] = access!
        #else
        #error("Unimplemented")
        #endif
@ -85,7 +83,7 @@ class Keychain {
    }

    static func deleteReference(called ref: Data) {
-        let ret = SecItemDelete([kSecValuePersistentRef as String: ref] as CFDictionary)
+        let ret = SecItemDelete([kSecValuePersistentRef: ref] as CFDictionary)
        if ret != errSecSuccess {
            wg_log(.error, message: "Unable to delete config from keychain: \(ret)")
        }
@ -93,10 +91,10 @@ class Keychain {

    static func deleteReferences(except whitelist: Set<Data>) {
        var result: CFTypeRef?
-        let ret = SecItemCopyMatching([kSecClass as String: kSecClassGenericPassword,
-                                       kSecAttrService as String: Bundle.main.bundleIdentifier as Any,
-                                       kSecMatchLimit as String: kSecMatchLimitAll,
-                                       kSecReturnPersistentRef as String: true] as CFDictionary,
+        let ret = SecItemCopyMatching([kSecClass: kSecClassGenericPassword,
+                                       kSecAttrService: Bundle.main.bundleIdentifier as Any,
+                                       kSecMatchLimit: kSecMatchLimitAll,
+                                       kSecReturnPersistentRef: true] as CFDictionary,
                                      &result)
        if ret != errSecSuccess || result == nil {
            return
@ -110,8 +108,7 @@ class Keychain {
    }

    static func verifyReference(called ref: Data) -> Bool {
-        return SecItemCopyMatching([kSecClass as String: kSecClassGenericPassword,
-                                    kSecValuePersistentRef as String: ref] as CFDictionary,
-                                   nil) == errSecSuccess
+        return SecItemCopyMatching([kSecValuePersistentRef: ref] as CFDictionary,
+                                   nil) != errSecItemNotFound
    }
 }
--- a/WireGuard/Shared/Logging/Logger.swift
+++ b/WireGuard/Shared/Logging/Logger.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation
 import os.log
@ -49,8 +49,8 @@ public class Logger {
        if let appBuild = Bundle.main.infoDictionary?["CFBundleVersion"] as? String {
            appVersion += " (\(appBuild))"
        }
-        let goBackendVersion = WIREGUARD_GO_VERSION
-        Logger.global?.log(message: "App version: \(appVersion); Go backend version: \(goBackendVersion)")
+
+        Logger.global?.log(message: "App version: \(appVersion)")
    }
 }

--- a/WireGuard/Shared/Logging/ringlogger.c
+++ b/WireGuard/Shared/Logging/ringlogger.c
@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
 *
- * Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+ * Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 */

 #include <string.h>
@ -107,7 +107,7 @@ err:
 	return ret;
 }

-uint32_t view_lines_from_cursor(const struct log *input_log, uint32_t cursor, void(*cb)(const char *, uint64_t))
+uint32_t view_lines_from_cursor(const struct log *input_log, uint32_t cursor, void *ctx, void(*cb)(const char *, uint64_t, void *))
 {
 	struct log *log;
 	uint32_t l, i = cursor;
@ -132,7 +132,7 @@ uint32_t view_lines_from_cursor(const struct log *input_log, uint32_t cursor, vo
 			else
 				break;
 		}
-		cb(line->line, line->time_ns);
+		cb(line->line, line->time_ns, ctx);
 		cursor = (i + 1) % MAX_LINES;
 	}
 	free(log);
--- a/WireGuard/Shared/Logging/ringlogger.h
+++ b/WireGuard/Shared/Logging/ringlogger.h
@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
 *
- * Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+ * Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 */

 #ifndef RINGLOGGER_H
@ -11,7 +11,7 @@
 struct log;
 void write_msg_to_log(struct log *log, const char *tag, const char *msg);
 int write_log_to_file(const char *file_name, const struct log *input_log);
-uint32_t view_lines_from_cursor(const struct log *input_log, uint32_t cursor, void(*)(const char *, uint64_t));
+uint32_t view_lines_from_cursor(const struct log *input_log, uint32_t cursor, void *ctx, void(*)(const char *, uint64_t, void *));
 struct log *open_log(const char *file_name);
 void close_log(struct log *log);

--- a/WireGuard/Shared/Logging/test_ringlogger.c
+++ b/WireGuard/Shared/Logging/test_ringlogger.c
--- a/Sources/Shared/Model/NETunnelProviderProtocol+Extension.swift
+++ b/Sources/Shared/Model/NETunnelProviderProtocol+Extension.swift
@ -0,0 +1,106 @@
+// SPDX-License-Identifier: MIT
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
+
+import NetworkExtension
+
+enum PacketTunnelProviderError: String, Error {
+    case savedProtocolConfigurationIsInvalid
+    case dnsResolutionFailure
+    case couldNotStartBackend
+    case couldNotDetermineFileDescriptor
+    case couldNotSetNetworkSettings
+}
+
+extension NETunnelProviderProtocol {
+    convenience init?(tunnelConfiguration: TunnelConfiguration, previouslyFrom old: NEVPNProtocol? = nil) {
+        self.init()
+
+        guard let name = tunnelConfiguration.name else { return nil }
+        guard let appId = Bundle.main.bundleIdentifier else { return nil }
+        providerBundleIdentifier = "\(appId).network-extension"
+        passwordReference = Keychain.makeReference(containing: tunnelConfiguration.asWgQuickConfig(), called: name, previouslyReferencedBy: old?.passwordReference)
+        if passwordReference == nil {
+            return nil
+        }
+        #if os(macOS)
+        providerConfiguration = ["UID": getuid()]
+        #endif
+
+        let endpoints = tunnelConfiguration.peers.compactMap { $0.endpoint }
+        if endpoints.count == 1 {
+            serverAddress = endpoints[0].stringRepresentation
+        } else if endpoints.isEmpty {
+            serverAddress = "Unspecified"
+        } else {
+            serverAddress = "Multiple endpoints"
+        }
+    }
+
+    func asTunnelConfiguration(called name: String? = nil) -> TunnelConfiguration? {
+        if let passwordReference = passwordReference,
+            let config = Keychain.openReference(called: passwordReference) {
+            return try? TunnelConfiguration(fromWgQuickConfig: config, called: name)
+        }
+        if let oldConfig = providerConfiguration?["WgQuickConfig"] as? String {
+            return try? TunnelConfiguration(fromWgQuickConfig: oldConfig, called: name)
+        }
+        return nil
+    }
+
+    func destroyConfigurationReference() {
+        guard let ref = passwordReference else { return }
+        Keychain.deleteReference(called: ref)
+    }
+
+    func verifyConfigurationReference() -> Bool {
+        guard let ref = passwordReference else { return false }
+        return Keychain.verifyReference(called: ref)
+    }
+
+    @discardableResult
+    func migrateConfigurationIfNeeded(called name: String) -> Bool {
+        /* This is how we did things before we switched to putting items
+         * in the keychain. But it's still useful to keep the migration
+         * around so that .mobileconfig files are easier.
+         */
+        if let oldConfig = providerConfiguration?["WgQuickConfig"] as? String {
+            #if os(macOS)
+            providerConfiguration = ["UID": getuid()]
+            #elseif os(iOS)
+            providerConfiguration = nil
+            #else
+            #error("Unimplemented")
+            #endif
+            guard passwordReference == nil else { return true }
+            wg_log(.info, message: "Migrating tunnel configuration '\(name)'")
+            passwordReference = Keychain.makeReference(containing: oldConfig, called: name)
+            return true
+        }
+        #if os(macOS)
+        if passwordReference != nil && providerConfiguration?["UID"] == nil && verifyConfigurationReference() {
+            providerConfiguration = ["UID": getuid()]
+            return true
+        }
+        #elseif os(iOS)
+        /* Update the stored reference from the old iOS 14 one to the canonical iOS 15 one.
+         * The iOS 14 ones are 96 bits, while the iOS 15 ones are 160 bits. We do this so
+         * that we can have fast set exclusion in deleteReferences safely. */
+        if passwordReference != nil && passwordReference!.count == 12 {
+            var result: CFTypeRef?
+            let ret = SecItemCopyMatching([kSecValuePersistentRef: passwordReference!,
+                                           kSecReturnPersistentRef: true] as CFDictionary,
+                                           &result)
+            if ret != errSecSuccess || result == nil {
+                return false
+            }
+            guard let newReference = result as? Data else { return false }
+            if !newReference.elementsEqual(passwordReference!) {
+                wg_log(.info, message: "Migrating iOS 14-style keychain reference to iOS 15-style keychain reference for '\(name)'")
+                passwordReference = newReference
+                return true
+            }
+        }
+        #endif
+        return false
+    }
+}
--- a/WireGuard/Shared/Model/String+ArrayConversion.swift
+++ b/WireGuard/Shared/Model/String+ArrayConversion.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation

--- a/WireGuard/Shared/Model/TunnelConfiguration+WgQuickConfig.swift
+++ b/WireGuard/Shared/Model/TunnelConfiguration+WgQuickConfig.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation

@ -39,7 +39,7 @@ extension TunnelConfiguration {
        var interfaceConfiguration: InterfaceConfiguration?
        var peerConfigurations = [PeerConfiguration]()

-        let lines = wgQuickConfig.split(separator: "\n")
+        let lines = wgQuickConfig.split { $0.isNewline }

        var parserState = ParserState.notInASection
        var attributes = [String: String]()
@ -111,7 +111,7 @@ extension TunnelConfiguration {
        }

        let peerPublicKeysArray = peerConfigurations.map { $0.publicKey }
-        let peerPublicKeysSet = Set<Data>(peerPublicKeysArray)
+        let peerPublicKeysSet = Set<PublicKey>(peerPublicKeysArray)
        if peerPublicKeysArray.count != peerPublicKeysSet.count {
            throw ParseError.multiplePeersWithSamePublicKey
        }
@ -125,9 +125,7 @@ extension TunnelConfiguration {

    func asWgQuickConfig() -> String {
        var output = "[Interface]\n"
-        if let privateKey = interface.privateKey.base64Key() {
-            output.append("PrivateKey = \(privateKey)\n")
-        }
+        output.append("PrivateKey = \(interface.privateKey.base64Key)\n")
        if let listenPort = interface.listenPort {
            output.append("ListenPort = \(listenPort)\n")
        }
@ -135,8 +133,10 @@ extension TunnelConfiguration {
            let addressString = interface.addresses.map { $0.stringRepresentation }.joined(separator: ", ")
            output.append("Address = \(addressString)\n")
        }
-        if !interface.dns.isEmpty {
-            let dnsString = interface.dns.map { $0.stringRepresentation }.joined(separator: ", ")
+        if !interface.dns.isEmpty || !interface.dnsSearch.isEmpty {
+            var dnsLine = interface.dns.map { $0.stringRepresentation }
+            dnsLine.append(contentsOf: interface.dnsSearch)
+            let dnsString = dnsLine.joined(separator: ", ")
            output.append("DNS = \(dnsString)\n")
        }
        if let mtu = interface.mtu {
@ -145,10 +145,8 @@ extension TunnelConfiguration {

        for peer in peers {
            output.append("\n[Peer]\n")
-            if let publicKey = peer.publicKey.base64Key() {
-                output.append("PublicKey = \(publicKey)\n")
-            }
-            if let preSharedKey = peer.preSharedKey?.base64Key() {
+            output.append("PublicKey = \(peer.publicKey.base64Key)\n")
+            if let preSharedKey = peer.preSharedKey?.base64Key {
                output.append("PresharedKey = \(preSharedKey)\n")
            }
            if !peer.allowedIPs.isEmpty {
@ -170,7 +168,7 @@ extension TunnelConfiguration {
        guard let privateKeyString = attributes["privatekey"] else {
            throw ParseError.interfaceHasNoPrivateKey
        }
-        guard let privateKey = Data(base64Key: privateKeyString), privateKey.count == TunnelConfiguration.keyLength else {
+        guard let privateKey = PrivateKey(base64Key: privateKeyString) else {
            throw ParseError.interfaceHasInvalidPrivateKey(privateKeyString)
        }
        var interface = InterfaceConfiguration(privateKey: privateKey)
@ -192,13 +190,16 @@ extension TunnelConfiguration {
        }
        if let dnsString = attributes["dns"] {
            var dnsServers = [DNSServer]()
+            var dnsSearch = [String]()
            for dnsServerString in dnsString.splitToArray(trimmingCharacters: .whitespacesAndNewlines) {
-                guard let dnsServer = DNSServer(from: dnsServerString) else {
-                    throw ParseError.interfaceHasInvalidDNS(dnsServerString)
+                if let dnsServer = DNSServer(from: dnsServerString) {
+                    dnsServers.append(dnsServer)
+                } else {
+                    dnsSearch.append(dnsServerString)
                }
-                dnsServers.append(dnsServer)
            }
            interface.dns = dnsServers
+            interface.dnsSearch = dnsSearch
        }
        if let mtuString = attributes["mtu"] {
            guard let mtu = UInt16(mtuString) else {
@ -213,12 +214,12 @@ extension TunnelConfiguration {
        guard let publicKeyString = attributes["publickey"] else {
            throw ParseError.peerHasNoPublicKey
        }
-        guard let publicKey = Data(base64Key: publicKeyString), publicKey.count == TunnelConfiguration.keyLength else {
+        guard let publicKey = PublicKey(base64Key: publicKeyString) else {
            throw ParseError.peerHasInvalidPublicKey(publicKeyString)
        }
        var peer = PeerConfiguration(publicKey: publicKey)
        if let preSharedKeyString = attributes["presharedkey"] {
-            guard let preSharedKey = Data(base64Key: preSharedKeyString), preSharedKey.count == TunnelConfiguration.keyLength else {
+            guard let preSharedKey = PreSharedKey(base64Key: preSharedKeyString) else {
                throw ParseError.peerHasInvalidPreSharedKey(preSharedKeyString)
            }
            peer.preSharedKey = preSharedKey
--- a/Sources/Shared/NotificationToken.swift
+++ b/Sources/Shared/NotificationToken.swift
@ -0,0 +1,33 @@
+// SPDX-License-Identifier: MIT
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
+
+import Foundation
+
+/// This source file contains bits of code from:
+/// https://oleb.net/blog/2018/01/notificationcenter-removeobserver/
+
+/// Wraps the observer token received from
+/// `NotificationCenter.addObserver(forName:object:queue:using:)`
+/// and unregisters it in deinit.
+final class NotificationToken {
+    let notificationCenter: NotificationCenter
+    let token: Any
+
+    init(notificationCenter: NotificationCenter = .default, token: Any) {
+        self.notificationCenter = notificationCenter
+        self.token = token
+    }
+
+    deinit {
+        notificationCenter.removeObserver(token)
+    }
+}
+
+extension NotificationCenter {
+    /// Convenience wrapper for addObserver(forName:object:queue:using:)
+    /// that returns our custom `NotificationToken`.
+    func observe(name: NSNotification.Name?, object obj: Any?, queue: OperationQueue?, using block: @escaping (Notification) -> Void) -> NotificationToken {
+        let token = addObserver(forName: name, object: obj, queue: queue, using: block)
+        return NotificationToken(notificationCenter: self, token: token)
+    }
+}
--- a/Sources/WireGuardApp/Base.lproj/InfoPlist.strings
+++ b/Sources/WireGuardApp/Base.lproj/InfoPlist.strings
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 // iOS permission prompts

--- a/Sources/WireGuardApp/Base.lproj/Localizable.strings
+++ b/Sources/WireGuardApp/Base.lproj/Localizable.strings
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 // Generic alert action names

@ -17,6 +17,7 @@
 "tunnelsListSelectAllButtonTitle" = "Select All";
 "tunnelsListDeleteButtonTitle" = "Delete";
 "tunnelsListSelectedTitle (%d)" = "%d selected";
+"tunnelListCaptionOnDemand" = "On-Demand";

 // Tunnels list menu

@ -37,8 +38,8 @@
 "alertBadConfigImportMessage (%@)" = "The file ‘%@’ does not contain a valid WireGuard configuration";

 "deleteTunnelsConfirmationAlertButtonTitle" = "Delete";
-"deleteTunnelConfirmationAlertButtonMessage (%d)" = "Delete %d tunnel";
-"deleteTunnelsConfirmationAlertButtonMessage (%d)" = "Delete %d tunnels";
+"deleteTunnelConfirmationAlertButtonMessage (%d)" = "Delete %d tunnel?";
+"deleteTunnelsConfirmationAlertButtonMessage (%d)" = "Delete %d tunnels?";

 // Tunnel detail and edit UI

@ -55,6 +56,11 @@
 "tunnelStatusRestarting" = "Restarting";
 "tunnelStatusWaiting" = "Waiting";

+"tunnelStatusAddendumOnDemand" = " (On-Demand)";
+"tunnelStatusOnDemandDisabled" = "On-Demand Disabled";
+"tunnelStatusAddendumOnDemandEnabled" = ", On-Demand Enabled";
+"tunnelStatusAddendumOnDemandDisabled" = ", On-Demand Disabled";
+
 "macToggleStatusButtonActivate" = "Activate";
 "macToggleStatusButtonActivating" = "Activating…";
 "macToggleStatusButtonDeactivate" = "Deactivate";
@ -62,6 +68,9 @@
 "macToggleStatusButtonReasserting" = "Reactivating…";
 "macToggleStatusButtonRestarting" = "Restarting…";
 "macToggleStatusButtonWaiting" = "Waiting…";
+"macToggleStatusButtonEnableOnDemand" = "Enable On-Demand";
+"macToggleStatusButtonDisableOnDemand" = "Disable On-Demand";
+"macToggleStatusButtonDisableOnDemandDeactivate" = "Disable On-Demand and Deactivate";

 "tunnelSectionTitleInterface" = "Interface";

@ -109,8 +118,9 @@
 "tunnelOnDemandSectionTitleAddSSIDs" = "Add SSIDs";
 "tunnelOnDemandAddMessageAddConnectedSSID (%@)" = "Add connected: %@";
 "tunnelOnDemandAddMessageAddNewSSID" = "Add new";
+"tunnelOnDemandSSIDTextFieldPlaceholder" = "SSID";

-"tunnelOnDemandKey" = "On demand";
+"tunnelOnDemandKey" = "On-demand";
 "tunnelOnDemandOptionOff" = "Off";
 "tunnelOnDemandOptionWiFiOnly" = "Wi-Fi only";
 "tunnelOnDemandOptionWiFiOrCellular" = "Wi-Fi or cellular";
@ -209,10 +219,14 @@
 "settingsSectionTitleExportConfigurations" = "Export configurations";
 "settingsExportZipButtonTitle" = "Export zip archive";

-"settingsSectionTitleTunnelLog" = "Tunnel log";
-"settingsExportLogFileButtonTitle" = "Export log file";
+"settingsSectionTitleTunnelLog" = "Log";
+"settingsViewLogButtonTitle" = "View log";

-// Settings alerts
+// Log view
+
+"logViewTitle" = "Log";
+
+// Log alerts

 "alertUnableToRemovePreviousLogTitle" = "Log export failed";
 "alertUnableToRemovePreviousLogMessage" = "The pre-existing log could not be cleared";
@ -251,8 +265,6 @@
 "alertTunnelActivationFileDescriptorFailureMessage" = "Unable to determine TUN device file descriptor.";
 "alertTunnelActivationSetNetworkSettingsMessage" = "Unable to apply network settings to tunnel object.";

-"alertTunnelActivationFailureOnDemandAddendum" = " This tunnel has Activate On Demand enabled, so this tunnel might be re-activated automatically by the OS. You may turn off Activate On Demand in this app by editing the tunnel configuration.";
-
 "alertTunnelDNSFailureTitle" = "DNS resolution failure";
 "alertTunnelDNSFailureMessage" = "One or more endpoint domains could not be resolved.";

@ -287,19 +299,42 @@
 "alertSystemErrorMessageTunnelConfigurationReadWriteFailed" = "Reading or writing the configuration failed.";
 "alertSystemErrorMessageTunnelConfigurationUnknown" = "Unknown system error.";

-// Mac status bar menu / pulldown menu
+// Mac status bar menu / pulldown menu / main menu

 "macMenuNetworks (%@)" = "Networks: %@";
 "macMenuNetworksNone" = "Networks: None";

 "macMenuTitle" = "WireGuard";
-"macMenuManageTunnels" = "Manage tunnels";
-"macMenuImportTunnels" = "Import tunnel(s) from file…";
-"macMenuAddEmptyTunnel" = "Add empty tunnel…";
-"macMenuExportLog" = "Export log to file…";
-"macMenuExportTunnels" = "Export tunnels to zip…";
+"macTunnelsMenuTitle" = "Tunnels";
+"macMenuManageTunnels" = "Manage Tunnels";
+"macMenuImportTunnels" = "Import Tunnel(s) from File…";
+"macMenuAddEmptyTunnel" = "Add Empty Tunnel…";
+"macMenuViewLog" = "View Log";
+"macMenuExportTunnels" = "Export Tunnels to Zip…";
 "macMenuAbout" = "About WireGuard";
-"macMenuQuit" = "Quit";
+"macMenuQuit" = "Quit WireGuard";
+
+"macMenuHideApp" = "Hide WireGuard";
+"macMenuHideOtherApps" = "Hide Others";
+"macMenuShowAllApps" = "Show All";
+
+"macMenuFile" = "File";
+"macMenuCloseWindow" = "Close Window";
+
+"macMenuEdit" = "Edit";
+"macMenuCut" = "Cut";
+"macMenuCopy" = "Copy";
+"macMenuPaste" = "Paste";
+"macMenuSelectAll" = "Select All";
+
+"macMenuTunnel" = "Tunnel";
+"macMenuToggleStatus" = "Toggle Status";
+"macMenuEditTunnel" = "Edit…";
+"macMenuDeleteSelected" = "Delete Selected";
+
+"macMenuWindow" = "Window";
+"macMenuMinimize" = "Minimize";
+"macMenuZoom" = "Zoom";

 // Mac manage tunnels window

@ -310,18 +345,21 @@
 "macDeleteTunnelConfirmationAlertInfo" = "You cannot undo this action.";
 "macDeleteTunnelConfirmationAlertButtonTitleDelete" = "Delete";
 "macDeleteTunnelConfirmationAlertButtonTitleCancel" = "Cancel";
+"macDeleteTunnelConfirmationAlertButtonTitleDeleting" = "Deleting…";

 "macButtonImportTunnels" = "Import tunnel(s) from file";
 "macSheetButtonImport" = "Import";

-"macNameFieldExportLog" = "Export log to";
+"macNameFieldExportLog" = "Save log to:";
 "macSheetButtonExportLog" = "Save";

-"macNameFieldExportZip" = "Export tunnels to";
+"macNameFieldExportZip" = "Export tunnels to:";
 "macSheetButtonExportZip" = "Save";

 "macButtonDeleteTunnels (%d)" = "Delete %d tunnels";

+"macButtonEdit" = "Edit";
+
 // Mac detail/edit view fields

 "macFieldKey (%@)" = "%@:";
@ -378,12 +416,39 @@

 // Mac alert

+"macConfirmAndQuitAlertMessage" = "Do you want to close the tunnels manager or quit WireGuard entirely?";
+"macConfirmAndQuitAlertInfo" = "If you close the tunnels manager, WireGuard will continue to be available from the menu bar icon.";
+"macConfirmAndQuitInfoWithActiveTunnel (%@)" = "If you close the tunnels manager, WireGuard will continue to be available from the menu bar icon.\n\nNote that if you quit WireGuard entirely the currently active tunnel ('%@') will still remain active until you deactivate it from this application or through the Network panel in System Preferences.";
+"macConfirmAndQuitAlertQuitWireGuard" = "Quit WireGuard";
+"macConfirmAndQuitAlertCloseWindow" = "Close Tunnels Manager";
+
 "macAppExitingWithActiveTunnelMessage" = "WireGuard is exiting with an active tunnel";
 "macAppExitingWithActiveTunnelInfo" = "The tunnel will remain active after exiting. You may disable it by reopening this application or through the Network panel in System Preferences.";
-"macPrivacyNoticeMessage" = "Privacy notice: be sure you trust this configuration file";
-"macPrivacyNoticeInfo" = "You will be prompted by the system to allow or disallow adding a VPN configuration. While this application does not send any information to the WireGuard project, information is by design sent to the servers specified inside of the configuration file you have just added, which configures your computer to use those servers as a VPN. Be certain that you trust this configuration before clicking “Allow” in the following dialog.";

 // Mac tooltip

 "macToolTipEditTunnel" = "Edit tunnel (⌘E)";
 "macToolTipToggleStatus" = "Toggle status (⌘T)";
+
+// Mac log view
+
+"macLogColumnTitleTime" = "Time";
+"macLogColumnTitleLogMessage" = "Log message";
+"macLogButtonTitleClose" = "Close";
+"macLogButtonTitleSave" = "Save…";
+
+// Mac unusable tunnel view
+
+"macUnusableTunnelMessage" = "The configuration for this tunnel cannot be found in the keychain.";
+"macUnusableTunnelInfo" = "In case this tunnel was created by another user, only that user can view, edit, or activate this tunnel.";
+"macUnusableTunnelButtonTitleDeleteTunnel" = "Delete tunnel";
+
+// Mac App Store updating alert
+
+"macAppStoreUpdatingAlertMessage" = "App Store would like to update WireGuard";
+"macAppStoreUpdatingAlertInfoWithOnDemand (%@)" = "Please disable on-demand for tunnel ‘%@’, deactivate it, and then continue updating in App Store.";
+"macAppStoreUpdatingAlertInfoWithoutOnDemand (%@)" = "Please deactivate tunnel ‘%@’ and then continue updating in App Store.";
+
+// Donation
+
+"donateLink" = "♥ Donate to the WireGuard Project";
--- a/Sources/WireGuardApp/Config/Config.xcconfig
+++ b/Sources/WireGuardApp/Config/Config.xcconfig
--- a/Sources/WireGuardApp/Config/Developer.xcconfig.template
+++ b/Sources/WireGuardApp/Config/Developer.xcconfig.template
--- a/Sources/WireGuardApp/Config/Version.xcconfig
+++ b/Sources/WireGuardApp/Config/Version.xcconfig
@ -0,0 +1,2 @@
+VERSION_NAME = 1.0.16
+VERSION_ID = 27
--- a/Sources/WireGuardApp/LocalizationHelper.swift
+++ b/Sources/WireGuardApp/LocalizationHelper.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation

--- a/Sources/WireGuardApp/Resources/DocumentIcons/wireguard_doc_logo_22x29.png
+++ b/Sources/WireGuardApp/Resources/DocumentIcons/wireguard_doc_logo_22x29.png
--- a/Sources/WireGuardApp/Resources/DocumentIcons/wireguard_doc_logo_320x320.png
+++ b/Sources/WireGuardApp/Resources/DocumentIcons/wireguard_doc_logo_320x320.png
--- a/Sources/WireGuardApp/Resources/DocumentIcons/wireguard_doc_logo_44x58.png
+++ b/Sources/WireGuardApp/Resources/DocumentIcons/wireguard_doc_logo_44x58.png
--- a/Sources/WireGuardApp/Resources/DocumentIcons/wireguard_doc_logo_64x64.png
+++ b/Sources/WireGuardApp/Resources/DocumentIcons/wireguard_doc_logo_64x64.png
--- a/Sources/WireGuardApp/Tunnel/ActivateOnDemandOption.swift
+++ b/Sources/WireGuardApp/Tunnel/ActivateOnDemandOption.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import NetworkExtension

@ -42,50 +42,63 @@ extension ActivateOnDemandOption {
            }
        }
        tunnelProviderManager.onDemandRules = rules
-        tunnelProviderManager.isOnDemandEnabled = self != .off
+        tunnelProviderManager.isOnDemandEnabled = (rules != nil) && tunnelProviderManager.isOnDemandEnabled
    }

    init(from tunnelProviderManager: NETunnelProviderManager) {
-        let rules = tunnelProviderManager.onDemandRules ?? []
-        let activateOnDemandOption: ActivateOnDemandOption
+        if let onDemandRules = tunnelProviderManager.onDemandRules {
+            self = ActivateOnDemandOption.create(from: onDemandRules)
+        } else {
+            self = .off
+        }
+    }
+
+    private static func create(from rules: [NEOnDemandRule]) -> ActivateOnDemandOption {
        switch rules.count {
        case 0:
-            activateOnDemandOption = .off
+            return .off
        case 1:
            let rule = rules[0]
-            precondition(rule.action == .connect)
-            activateOnDemandOption = .anyInterface(.anySSID)
+            guard rule.action == .connect else { return .off }
+            return .anyInterface(.anySSID)
        case 2:
-            let connectRule = rules.first(where: { $0.action == .connect })!
-            let disconnectRule = rules.first(where: { $0.action == .disconnect })!
+            guard let connectRule = rules.first(where: { $0.action == .connect }) else {
+                wg_log(.error, message: "Unexpected onDemandRules set on tunnel provider manager: \(rules.count) rules found but no connect rule.")
+                return .off
+            }
+            guard let disconnectRule = rules.first(where: { $0.action == .disconnect }) else {
+                wg_log(.error, message: "Unexpected onDemandRules set on tunnel provider manager: \(rules.count) rules found but no disconnect rule.")
+                return .off
+            }
            if connectRule.interfaceTypeMatch == .wiFi && disconnectRule.interfaceTypeMatch == nonWiFiInterfaceType {
-                activateOnDemandOption = .wiFiInterfaceOnly(.anySSID)
+                return .wiFiInterfaceOnly(.anySSID)
            } else if connectRule.interfaceTypeMatch == nonWiFiInterfaceType && disconnectRule.interfaceTypeMatch == .wiFi {
-                activateOnDemandOption = .nonWiFiInterfaceOnly
+                return .nonWiFiInterfaceOnly
            } else {
-                fatalError("Unexpected onDemandRules set on tunnel provider manager")
+                wg_log(.error, message: "Unexpected onDemandRules set on tunnel provider manager: \(rules.count) rules found but interface types are inconsistent.")
+                return .off
            }
        case 3:
-            let ssidRule = rules.first(where: { $0.interfaceTypeMatch == .wiFi && $0.ssidMatch != nil })!
-            let nonWiFiRule = rules.first(where: { $0.interfaceTypeMatch == nonWiFiInterfaceType })!
+            guard let ssidRule = rules.first(where: { $0.interfaceTypeMatch == .wiFi && $0.ssidMatch != nil }) else { return .off }
+            guard let nonWiFiRule = rules.first(where: { $0.interfaceTypeMatch == nonWiFiInterfaceType }) else { return .off }
            let ssids = ssidRule.ssidMatch!
            switch (ssidRule.action, nonWiFiRule.action) {
            case (.connect, .connect):
-                activateOnDemandOption = .anyInterface(.onlySpecificSSIDs(ssids))
+                return .anyInterface(.onlySpecificSSIDs(ssids))
            case (.connect, .disconnect):
-                activateOnDemandOption = .wiFiInterfaceOnly(.onlySpecificSSIDs(ssids))
+                return .wiFiInterfaceOnly(.onlySpecificSSIDs(ssids))
            case (.disconnect, .connect):
-                activateOnDemandOption = .anyInterface(.exceptSpecificSSIDs(ssids))
+                return .anyInterface(.exceptSpecificSSIDs(ssids))
            case (.disconnect, .disconnect):
-                activateOnDemandOption = .wiFiInterfaceOnly(.exceptSpecificSSIDs(ssids))
+                return .wiFiInterfaceOnly(.exceptSpecificSSIDs(ssids))
            default:
-                fatalError("Unexpected SSID onDemandRules set on tunnel provider manager")
+                wg_log(.error, message: "Unexpected onDemandRules set on tunnel provider manager: \(rules.count) rules found")
+                return .off
            }
        default:
-            fatalError("Unexpected number of onDemandRules set on tunnel provider manager")
+            wg_log(.error, message: "Unexpected number of onDemandRules set on tunnel provider manager: \(rules.count) rules found")
+            return .off
        }
-
-        self = activateOnDemandOption
    }
 }

--- a/Sources/WireGuardApp/Tunnel/MockTunnels.swift
+++ b/Sources/WireGuardApp/Tunnel/MockTunnels.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import NetworkExtension

@ -26,11 +26,11 @@ class MockTunnels {
    static func createMockTunnels() -> [NETunnelProviderManager] {
        return tunnelNames.map { tunnelName -> NETunnelProviderManager in

-            var interface = InterfaceConfiguration(privateKey: Curve25519.generatePrivateKey())
+            var interface = InterfaceConfiguration(privateKey: PrivateKey())
            interface.addresses = [IPAddressRange(from: String(format: address, Int.random(in: 1 ... 10), Int.random(in: 1 ... 254)))!]
            interface.dns = dnsServers.map { DNSServer(from: $0)! }

-            var peer = PeerConfiguration(publicKey: Curve25519.generatePublicKey(fromPrivateKey: Curve25519.generatePrivateKey()))
+            var peer = PeerConfiguration(publicKey: PrivateKey().publicKey)
            peer.endpoint = Endpoint(from: endpoint)
            peer.allowedIPs = [IPAddressRange(from: allowedIPs)!]

--- a/Sources/WireGuardApp/Tunnel/TunnelConfiguration+UapiConfig.swift
+++ b/Sources/WireGuardApp/Tunnel/TunnelConfiguration+UapiConfig.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation

@ -67,13 +67,14 @@ extension TunnelConfiguration {
        }

        let peerPublicKeysArray = peerConfigurations.map { $0.publicKey }
-        let peerPublicKeysSet = Set<Data>(peerPublicKeysArray)
+        let peerPublicKeysSet = Set<PublicKey>(peerPublicKeysArray)
        if peerPublicKeysArray.count != peerPublicKeysSet.count {
            throw ParseError.multiplePeersWithSamePublicKey
        }

        interfaceConfiguration?.addresses = base?.interface.addresses ?? []
        interfaceConfiguration?.dns = base?.interface.dns ?? []
+        interfaceConfiguration?.dnsSearch = base?.interface.dnsSearch ?? []
        interfaceConfiguration?.mtu = base?.interface.mtu

        if let interfaceConfiguration = interfaceConfiguration {
@ -87,7 +88,7 @@ extension TunnelConfiguration {
        guard let privateKeyString = attributes["private_key"] else {
            throw ParseError.interfaceHasNoPrivateKey
        }
-        guard let privateKey = Data(hexKey: privateKeyString), privateKey.count == TunnelConfiguration.keyLength else {
+        guard let privateKey = PrivateKey(hexKey: privateKeyString) else {
            throw ParseError.interfaceHasInvalidPrivateKey(privateKeyString)
        }
        var interface = InterfaceConfiguration(privateKey: privateKey)
@ -106,18 +107,18 @@ extension TunnelConfiguration {
        guard let publicKeyString = attributes["public_key"] else {
            throw ParseError.peerHasNoPublicKey
        }
-        guard let publicKey = Data(hexKey: publicKeyString), publicKey.count == TunnelConfiguration.keyLength else {
+        guard let publicKey = PublicKey(hexKey: publicKeyString) else {
            throw ParseError.peerHasInvalidPublicKey(publicKeyString)
        }
        var peer = PeerConfiguration(publicKey: publicKey)
        if let preSharedKeyString = attributes["preshared_key"] {
-            guard let preSharedKey = Data(hexKey: preSharedKeyString), preSharedKey.count == TunnelConfiguration.keyLength else {
+            guard let preSharedKey = PreSharedKey(hexKey: preSharedKeyString) else {
                throw ParseError.peerHasInvalidPreSharedKey(preSharedKeyString)
            }
            // TODO(zx2c4): does the compiler optimize this away?
            var accumulator: UInt8 = 0
-            for index in 0..<preSharedKey.count {
-                accumulator |= preSharedKey[index]
+            for index in 0..<preSharedKey.rawValue.count {
+                accumulator |= preSharedKey.rawValue[index]
            }
            if accumulator != 0 {
                peer.preSharedKey = preSharedKey
--- a/Sources/WireGuardApp/Tunnel/TunnelErrors.swift
+++ b/Sources/WireGuardApp/Tunnel/TunnelErrors.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import NetworkExtension

@ -56,10 +56,10 @@ enum TunnelsManagerActivationError: WireGuardAppError {

    var alertText: AlertText {
        switch self {
-        case .activationFailed(let wasOnDemandEnabled):
-            return (tr("alertTunnelActivationFailureTitle"), tr("alertTunnelActivationFailureMessage") + (wasOnDemandEnabled ? tr("alertTunnelActivationFailureOnDemandAddendum") : ""))
-        case .activationFailedWithExtensionError(let title, let message, let wasOnDemandEnabled):
-            return (title, message + (wasOnDemandEnabled ? tr("alertTunnelActivationFailureOnDemandAddendum") : ""))
+        case .activationFailed:
+            return (tr("alertTunnelActivationFailureTitle"), tr("alertTunnelActivationFailureMessage"))
+        case .activationFailedWithExtensionError(let title, let message, _):
+            return (title, message)
        }
    }
 }
--- a/Sources/WireGuardApp/Tunnel/TunnelStatus.swift
+++ b/Sources/WireGuardApp/Tunnel/TunnelStatus.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation
 import NetworkExtension
@ -27,6 +27,8 @@ import NetworkExtension
            self = .reasserting
        case .invalid:
            self = .inactive
+        @unknown default:
+            fatalError()
        }
    }
 }
@ -54,6 +56,8 @@ extension NEVPNStatus: CustomDebugStringConvertible {
        case .disconnecting: return "disconnecting"
        case .reasserting: return "reasserting"
        case .invalid: return "invalid"
+        @unknown default:
+            fatalError()
        }
    }
 }
--- a/Sources/WireGuardApp/Tunnel/TunnelsManager.swift
+++ b/Sources/WireGuardApp/Tunnel/TunnelsManager.swift
@ -1,18 +1,18 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation
 import NetworkExtension
 import os.log

-protocol TunnelsManagerListDelegate: class {
+protocol TunnelsManagerListDelegate: AnyObject {
    func tunnelAdded(at index: Int)
    func tunnelModified(at index: Int)
    func tunnelMoved(from oldIndex: Int, to newIndex: Int)
    func tunnelRemoved(at index: Int, tunnel: TunnelContainer)
 }

-protocol TunnelsManagerActivationDelegate: class {
+protocol TunnelsManagerActivationDelegate: AnyObject {
    func tunnelActivationAttemptFailed(tunnel: TunnelContainer, error: TunnelsManagerActivationAttemptError) // startTunnel wasn't called or failed
    func tunnelActivationAttemptSucceeded(tunnel: TunnelContainer) // startTunnel succeeded
    func tunnelActivationFailed(tunnel: TunnelContainer, error: TunnelsManagerActivationError) // status didn't change to connected
@ -23,9 +23,9 @@ class TunnelsManager {
    private var tunnels: [TunnelContainer]
    weak var tunnelsListDelegate: TunnelsManagerListDelegate?
    weak var activationDelegate: TunnelsManagerActivationDelegate?
-    private var statusObservationToken: AnyObject?
-    private var waiteeObservationToken: AnyObject?
-    private var configurationsObservationToken: AnyObject?
+    private var statusObservationToken: NotificationToken?
+    private var waiteeObservationToken: NSKeyValueObservation?
+    private var configurationsObservationToken: NotificationToken?

    init(tunnelProviders: [NETunnelProviderManager]) {
        tunnels = tunnelProviders.map { TunnelContainer(tunnel: $0) }.sorted { TunnelsManager.tunnelNameIsLessThan($0.name, $1.name) }
@ -33,7 +33,7 @@ class TunnelsManager {
        startObservingTunnelConfigurations()
    }

-    static func create(completionHandler: @escaping (WireGuardResult<TunnelsManager>) -> Void) {
+    static func create(completionHandler: @escaping (Result<TunnelsManager, TunnelsManagerError>) -> Void) {
        #if targetEnvironment(simulator)
        completionHandler(.success(TunnelsManager(tunnelProviders: MockTunnels.createMockTunnels())))
        #else
@ -46,19 +46,39 @@ class TunnelsManager {

            var tunnelManagers = managers ?? []
            var refs: Set<Data> = []
+            var tunnelNames: Set<String> = []
            for (index, tunnelManager) in tunnelManagers.enumerated().reversed() {
-                let proto = tunnelManager.protocolConfiguration as? NETunnelProviderProtocol
-                if proto?.migrateConfigurationIfNeeded(called: tunnelManager.localizedDescription ?? "unknown") ?? false {
+                if let tunnelName = tunnelManager.localizedDescription {
+                    tunnelNames.insert(tunnelName)
+                }
+                guard let proto = tunnelManager.protocolConfiguration as? NETunnelProviderProtocol else { continue }
+                if proto.migrateConfigurationIfNeeded(called: tunnelManager.localizedDescription ?? "unknown") {
                    tunnelManager.saveToPreferences { _ in }
                }
-                if let ref = proto?.verifyConfigurationReference() {
+                #if os(iOS)
+                let passwordRef = proto.verifyConfigurationReference() ? proto.passwordReference : nil
+                #elseif os(macOS)
+                let passwordRef: Data?
+                if proto.providerConfiguration?["UID"] as? uid_t == getuid() {
+                    passwordRef = proto.verifyConfigurationReference() ? proto.passwordReference : nil
+                } else {
+                    passwordRef = proto.passwordReference // To handle multiple users in macOS, we skip verifying
+                }
+                #else
+                #error("Unimplemented")
+                #endif
+                if let ref = passwordRef {
                    refs.insert(ref)
                } else {
+                    wg_log(.info, message: "Removing orphaned tunnel with non-verifying keychain entry: \(tunnelManager.localizedDescription ?? "<unknown>")")
                    tunnelManager.removeFromPreferences { _ in }
                    tunnelManagers.remove(at: index)
                }
            }
            Keychain.deleteReferences(except: refs)
+            #if os(iOS)
+            RecentTunnelsTracker.cleanupTunnels(except: tunnelNames)
+            #endif
            completionHandler(.success(TunnelsManager(tunnelProviders: tunnelManagers)))
        }
        #endif
@ -71,14 +91,14 @@ class TunnelsManager {
            let loadedTunnelProviders = managers ?? []

            for (index, currentTunnel) in self.tunnels.enumerated().reversed() {
-                if !loadedTunnelProviders.contains(where: { $0.tunnelConfiguration == currentTunnel.tunnelConfiguration }) {
+                if !loadedTunnelProviders.contains(where: { $0.isEquivalentTo(currentTunnel) }) {
                    // Tunnel was deleted outside the app
                    self.tunnels.remove(at: index)
                    self.tunnelsListDelegate?.tunnelRemoved(at: index, tunnel: currentTunnel)
                }
            }
            for loadedTunnelProvider in loadedTunnelProviders {
-                if let matchingTunnel = self.tunnels.first(where: { $0.tunnelConfiguration == loadedTunnelProvider.tunnelConfiguration }) {
+                if let matchingTunnel = self.tunnels.first(where: { loadedTunnelProvider.isEquivalentTo($0) }) {
                    matchingTunnel.tunnelProvider = loadedTunnelProvider
                    matchingTunnel.refreshStatus()
                } else {
@ -97,7 +117,7 @@ class TunnelsManager {
        }
    }

-    func add(tunnelConfiguration: TunnelConfiguration, onDemandOption: ActivateOnDemandOption = .off, completionHandler: @escaping (WireGuardResult<TunnelContainer>) -> Void) {
+    func add(tunnelConfiguration: TunnelConfiguration, onDemandOption: ActivateOnDemandOption = .off, completionHandler: @escaping (Result<TunnelContainer, TunnelsManagerError>) -> Void) {
        let tunnelName = tunnelConfiguration.name ?? ""
        if tunnelName.isEmpty {
            completionHandler(.failure(TunnelsManagerError.tunnelNameEmpty))
@ -118,10 +138,10 @@ class TunnelsManager {
        let activeTunnel = tunnels.first { $0.status == .active || $0.status == .activating }

        tunnelProviderManager.saveToPreferences { [weak self] error in
-            guard error == nil else {
-                wg_log(.error, message: "Add: Saving configuration failed: \(error!)")
+            if let error = error {
+                wg_log(.error, message: "Add: Saving configuration failed: \(error)")
                (tunnelProviderManager.protocolConfiguration as? NETunnelProviderProtocol)?.destroyConfigurationReference()
-                completionHandler(.failure(TunnelsManagerError.systemErrorOnAddTunnel(systemError: error!)))
+                completionHandler(.failure(TunnelsManagerError.systemErrorOnAddTunnel(systemError: error)))
                return
            }

@ -149,7 +169,20 @@ class TunnelsManager {
    }

    func addMultiple(tunnelConfigurations: [TunnelConfiguration], completionHandler: @escaping (UInt, TunnelsManagerError?) -> Void) {
-        addMultiple(tunnelConfigurations: ArraySlice(tunnelConfigurations), numberSuccessful: 0, lastError: nil, completionHandler: completionHandler)
+        // Temporarily pause observation of changes to VPN configurations to prevent the feedback
+        // loop that causes `reload()` to be called on each newly added tunnel, which significantly
+        // impacts performance.
+        configurationsObservationToken = nil
+
+        self.addMultiple(tunnelConfigurations: ArraySlice(tunnelConfigurations), numberSuccessful: 0, lastError: nil) { [weak self] numSucceeded, error in
+            completionHandler(numSucceeded, error)
+
+            // Restart observation of changes to VPN configrations.
+            self?.startObservingTunnelConfigurations()
+
+            // Force reload all configurations to make sure that all tunnels are up to date.
+            self?.reload()
+        }
    }

    private func addMultiple(tunnelConfigurations: ArraySlice<TunnelConfiguration>, numberSuccessful: UInt, lastError: TunnelsManagerError?, completionHandler: @escaping (UInt, TunnelsManagerError?) -> Void) {
@ -160,14 +193,23 @@ class TunnelsManager {
        let tail = tunnelConfigurations.dropFirst()
        add(tunnelConfiguration: head) { [weak self, tail] result in
            DispatchQueue.main.async {
-                let numberSuccessful = numberSuccessful + (result.isSuccess ? 1 : 0)
-                let lastError = lastError ?? (result.error as? TunnelsManagerError)
-                self?.addMultiple(tunnelConfigurations: tail, numberSuccessful: numberSuccessful, lastError: lastError, completionHandler: completionHandler)
+                var numberSuccessfulCount = numberSuccessful
+                var lastError: TunnelsManagerError?
+                switch result {
+                case .failure(let error):
+                    lastError = error
+                case .success:
+                    numberSuccessfulCount = numberSuccessful + 1
+                }
+                self?.addMultiple(tunnelConfigurations: tail, numberSuccessful: numberSuccessfulCount, lastError: lastError, completionHandler: completionHandler)
            }
        }
    }

-    func modify(tunnel: TunnelContainer, tunnelConfiguration: TunnelConfiguration, onDemandOption: ActivateOnDemandOption, completionHandler: @escaping (TunnelsManagerError?) -> Void) {
+    func modify(tunnel: TunnelContainer, tunnelConfiguration: TunnelConfiguration,
+                onDemandOption: ActivateOnDemandOption,
+                shouldEnsureOnDemandEnabled: Bool = false,
+                completionHandler: @escaping (TunnelsManagerError?) -> Void) {
        let tunnelName = tunnelConfiguration.name ?? ""
        if tunnelName.isEmpty {
            completionHandler(TunnelsManagerError.tunnelNameEmpty)
@ -175,7 +217,22 @@ class TunnelsManager {
        }

        let tunnelProviderManager = tunnel.tunnelProvider
-        let isNameChanged = tunnelName != tunnelProviderManager.localizedDescription
+
+        let isIntroducingOnDemandRules = (tunnelProviderManager.onDemandRules ?? []).isEmpty && onDemandOption != .off
+        if isIntroducingOnDemandRules && tunnel.status != .inactive && tunnel.status != .deactivating {
+            tunnel.onDeactivated = { [weak self] in
+                self?.modify(tunnel: tunnel, tunnelConfiguration: tunnelConfiguration,
+                             onDemandOption: onDemandOption, shouldEnsureOnDemandEnabled: true,
+                             completionHandler: completionHandler)
+            }
+            self.startDeactivation(of: tunnel)
+            return
+        } else {
+            tunnel.onDeactivated = nil
+        }
+
+        let oldName = tunnelProviderManager.localizedDescription ?? ""
+        let isNameChanged = tunnelName != oldName
        if isNameChanged {
            guard !tunnels.contains(where: { $0.name == tunnelName }) else {
                completionHandler(TunnelsManagerError.tunnelAlreadyExistsWithThatName)
@ -191,14 +248,17 @@ class TunnelsManager {
        }
        tunnelProviderManager.isEnabled = true

-        let isActivatingOnDemand = !tunnelProviderManager.isOnDemandEnabled && onDemandOption != .off
+        let isActivatingOnDemand = !tunnelProviderManager.isOnDemandEnabled && shouldEnsureOnDemandEnabled
        onDemandOption.apply(on: tunnelProviderManager)
+        if shouldEnsureOnDemandEnabled {
+            tunnelProviderManager.isOnDemandEnabled = true
+        }

        tunnelProviderManager.saveToPreferences { [weak self] error in
-            guard error == nil else {
-                //TODO: the passwordReference for the old one has already been removed at this point and we can't easily roll back!
-                wg_log(.error, message: "Modify: Saving configuration failed: \(error!)")
-                completionHandler(TunnelsManagerError.systemErrorOnModifyTunnel(systemError: error!))
+            if let error = error {
+                // TODO: the passwordReference for the old one has already been removed at this point and we can't easily roll back!
+                wg_log(.error, message: "Modify: Saving configuration failed: \(error)")
+                completionHandler(TunnelsManagerError.systemErrorOnModifyTunnel(systemError: error))
                return
            }
            guard let self = self else { return }
@ -207,6 +267,9 @@ class TunnelsManager {
                self.tunnels.sort { TunnelsManager.tunnelNameIsLessThan($0.name, $1.name) }
                let newIndex = self.tunnels.firstIndex(of: tunnel)!
                self.tunnelsListDelegate?.tunnelMoved(from: oldIndex, to: newIndex)
+                #if os(iOS)
+                RecentTunnelsTracker.handleTunnelRenamed(oldName: oldName, newName: tunnelName)
+                #endif
            }
            self.tunnelsListDelegate?.tunnelModified(at: self.tunnels.firstIndex(of: tunnel)!)

@ -223,12 +286,12 @@ class TunnelsManager {
                // Without this, the tunnel stopes getting updates on the tunnel status from iOS.
                tunnelProviderManager.loadFromPreferences { error in
                    tunnel.isActivateOnDemandEnabled = tunnelProviderManager.isOnDemandEnabled
-                    guard error == nil else {
-                        wg_log(.error, message: "Modify: Re-loading after saving configuration failed: \(error!)")
-                        completionHandler(TunnelsManagerError.systemErrorOnModifyTunnel(systemError: error!))
-                        return
+                    if let error = error {
+                        wg_log(.error, message: "Modify: Re-loading after saving configuration failed: \(error)")
+                        completionHandler(TunnelsManagerError.systemErrorOnModifyTunnel(systemError: error))
+                    } else {
+                        completionHandler(nil)
                    }
-                    completionHandler(nil)
                }
            } else {
                completionHandler(nil)
@ -238,12 +301,19 @@ class TunnelsManager {

    func remove(tunnel: TunnelContainer, completionHandler: @escaping (TunnelsManagerError?) -> Void) {
        let tunnelProviderManager = tunnel.tunnelProvider
+        #if os(macOS)
+        if tunnel.isTunnelAvailableToUser {
+            (tunnelProviderManager.protocolConfiguration as? NETunnelProviderProtocol)?.destroyConfigurationReference()
+        }
+        #elseif os(iOS)
        (tunnelProviderManager.protocolConfiguration as? NETunnelProviderProtocol)?.destroyConfigurationReference()
-
+        #else
+        #error("Unimplemented")
+        #endif
        tunnelProviderManager.removeFromPreferences { [weak self] error in
-            guard error == nil else {
-                wg_log(.error, message: "Remove: Saving configuration failed: \(error!)")
-                completionHandler(TunnelsManagerError.systemErrorOnRemoveTunnel(systemError: error!))
+            if let error = error {
+                wg_log(.error, message: "Remove: Saving configuration failed: \(error)")
+                completionHandler(TunnelsManagerError.systemErrorOnRemoveTunnel(systemError: error))
                return
            }
            if let self = self, let index = self.tunnels.firstIndex(of: tunnel) {
@ -251,11 +321,28 @@ class TunnelsManager {
                self.tunnelsListDelegate?.tunnelRemoved(at: index, tunnel: tunnel)
            }
            completionHandler(nil)
+
+            #if os(iOS)
+            RecentTunnelsTracker.handleTunnelRemoved(tunnelName: tunnel.name)
+            #endif
        }
    }

    func removeMultiple(tunnels: [TunnelContainer], completionHandler: @escaping (TunnelsManagerError?) -> Void) {
-        removeMultiple(tunnels: ArraySlice(tunnels), completionHandler: completionHandler)
+        // Temporarily pause observation of changes to VPN configurations to prevent the feedback
+        // loop that causes `reload()` to be called for each removed tunnel, which significantly
+        // impacts performance.
+        configurationsObservationToken = nil
+
+        removeMultiple(tunnels: ArraySlice(tunnels)) { [weak self] error in
+            completionHandler(error)
+
+            // Restart observation of changes to VPN configrations.
+            self?.startObservingTunnelConfigurations()
+
+            // Force reload all configurations to make sure that all tunnels are up to date.
+            self?.reload()
+        }
    }

    private func removeMultiple(tunnels: ArraySlice<TunnelContainer>, completionHandler: @escaping (TunnelsManagerError?) -> Void) {
@ -275,6 +362,41 @@ class TunnelsManager {
        }
    }

+    func setOnDemandEnabled(_ isOnDemandEnabled: Bool, on tunnel: TunnelContainer, completionHandler: @escaping (TunnelsManagerError?) -> Void) {
+        let tunnelProviderManager = tunnel.tunnelProvider
+        let isCurrentlyEnabled = (tunnelProviderManager.isOnDemandEnabled && tunnelProviderManager.isEnabled)
+        guard isCurrentlyEnabled != isOnDemandEnabled else {
+            completionHandler(nil)
+            return
+        }
+        let isActivatingOnDemand = !tunnelProviderManager.isOnDemandEnabled && isOnDemandEnabled
+        tunnelProviderManager.isOnDemandEnabled = isOnDemandEnabled
+        tunnelProviderManager.isEnabled = true
+        tunnelProviderManager.saveToPreferences { error in
+            if let error = error {
+                wg_log(.error, message: "Modify On-Demand: Saving configuration failed: \(error)")
+                completionHandler(TunnelsManagerError.systemErrorOnModifyTunnel(systemError: error))
+                return
+            }
+            if isActivatingOnDemand {
+                // If we're enabling on-demand, we want to make sure the tunnel is enabled.
+                // If not enabled, the OS will not turn the tunnel on/off based on our rules.
+                tunnelProviderManager.loadFromPreferences { error in
+                    // isActivateOnDemandEnabled will get changed in reload(), but no harm in setting it here too
+                    tunnel.isActivateOnDemandEnabled = tunnelProviderManager.isOnDemandEnabled
+                    if let error = error {
+                        wg_log(.error, message: "Modify On-Demand: Re-loading after saving configuration failed: \(error)")
+                        completionHandler(TunnelsManagerError.systemErrorOnModifyTunnel(systemError: error))
+                        return
+                    }
+                    completionHandler(nil)
+                }
+            } else {
+                completionHandler(nil)
+            }
+        }
+    }
+
    func numberOfTunnels() -> Int {
        return tunnels.count
    }
@ -283,6 +405,10 @@ class TunnelsManager {
        return tunnels[index]
    }

+    func mapTunnels<T>(transform: (TunnelContainer) throws -> T) rethrows -> [T] {
+        return try tunnels.map(transform)
+    }
+
    func index(of tunnel: TunnelContainer) -> Int? {
        return tunnels.firstIndex(of: tunnel)
    }
@ -318,7 +444,17 @@ class TunnelsManager {
            tunnel.status = .waiting
            activateWaitingTunnelOnDeactivation(of: tunnelInOperation)
            if tunnelInOperation.status != .deactivating {
-                startDeactivation(of: tunnelInOperation)
+                if tunnelInOperation.isActivateOnDemandEnabled {
+                    setOnDemandEnabled(false, on: tunnelInOperation) { [weak self] error in
+                        guard error == nil else {
+                            wg_log(.error, message: "Unable to activate tunnel '\(tunnel.name)' because on-demand could not be disabled on active tunnel '\(tunnel.name)'")
+                            return
+                        }
+                        self?.startDeactivation(of: tunnelInOperation)
+                    }
+                } else {
+                    startDeactivation(of: tunnelInOperation)
+                }
            }
            return
        }
@ -328,6 +464,10 @@ class TunnelsManager {
        #else
        tunnel.startActivation(activationDelegate: activationDelegate)
        #endif
+
+        #if os(iOS)
+        RecentTunnelsTracker.handleTunnelActivated(tunnelName: tunnel.name)
+        #endif
    }

    func startDeactivation(of tunnel: TunnelContainer) {
@ -357,7 +497,7 @@ class TunnelsManager {
    }

    private func startObservingTunnelStatuses() {
-        statusObservationToken = NotificationCenter.default.addObserver(forName: .NEVPNStatusDidChange, object: nil, queue: OperationQueue.main) { [weak self] statusChangeNotification in
+        statusObservationToken = NotificationCenter.default.observe(name: .NEVPNStatusDidChange, object: nil, queue: OperationQueue.main) { [weak self] statusChangeNotification in
            guard let self = self,
                let session = statusChangeNotification.object as? NETunnelProviderSession,
                let tunnelProvider = session.manager as? NETunnelProviderManager,
@ -379,6 +519,11 @@ class TunnelsManager {
                }
            }

+            if session.status == .disconnected {
+                tunnel.onDeactivated?()
+                tunnel.onDeactivated = nil
+            }
+
            if tunnel.status == .restarting && session.status == .disconnected {
                tunnel.startActivation(activationDelegate: self.activationDelegate)
                return
@ -389,7 +534,7 @@ class TunnelsManager {
    }

    func startObservingTunnelConfigurations() {
-        configurationsObservationToken = NotificationCenter.default.addObserver(forName: .NEVPNConfigurationChange, object: nil, queue: OperationQueue.main) { [weak self] _ in
+        configurationsObservationToken = NotificationCenter.default.observe(name: .NEVPNConfigurationChange, object: nil, queue: OperationQueue.main) { [weak self] _ in
            DispatchQueue.main.async { [weak self] in
                // We schedule reload() in a subsequent runloop to ensure that the completion handler of loadAllFromPreferences
                // (reload() calls loadAllFromPreferences) is called after the completion handler of the saveToPreferences or
@ -400,8 +545,8 @@ class TunnelsManager {
        }
    }

-    static func tunnelNameIsLessThan(_ a: String, _ b: String) -> Bool {
-        return a.compare(b, options: [.caseInsensitive, .diacriticInsensitive, .widthInsensitive, .numeric]) == .orderedAscending
+    static func tunnelNameIsLessThan(_ lhs: String, _ rhs: String) -> Bool {
+        return lhs.compare(rhs, options: [.caseInsensitive, .diacriticInsensitive, .widthInsensitive, .numeric]) == .orderedAscending
    }
 }

@ -423,6 +568,7 @@ class TunnelContainer: NSObject {
    @objc dynamic var status: TunnelStatus

    @objc dynamic var isActivateOnDemandEnabled: Bool
+    @objc dynamic var hasOnDemandRules: Bool

    var isAttemptingActivation = false {
        didSet {
@ -448,8 +594,14 @@ class TunnelContainer: NSObject {
    var activationAttemptId: String?
    var activationTimer: Timer?
    var deactivationTimer: Timer?
+    var onDeactivated: (() -> Void)?

-    fileprivate var tunnelProvider: NETunnelProviderManager
+    fileprivate var tunnelProvider: NETunnelProviderManager {
+        didSet {
+            isActivateOnDemandEnabled = tunnelProvider.isOnDemandEnabled && tunnelProvider.isEnabled
+            hasOnDemandRules = !(tunnelProvider.onDemandRules ?? []).isEmpty
+        }
+    }

    var tunnelConfiguration: TunnelConfiguration? {
        return tunnelProvider.tunnelConfiguration
@ -459,11 +611,18 @@ class TunnelContainer: NSObject {
        return ActivateOnDemandOption(from: tunnelProvider)
    }

+    #if os(macOS)
+    var isTunnelAvailableToUser: Bool {
+        return (tunnelProvider.protocolConfiguration as? NETunnelProviderProtocol)?.providerConfiguration?["UID"] as? uid_t == getuid()
+    }
+    #endif
+
    init(tunnel: NETunnelProviderManager) {
        name = tunnel.localizedDescription ?? "Unnamed"
        let status = TunnelStatus(from: tunnel.connection.status)
        self.status = status
-        isActivateOnDemandEnabled = tunnel.isOnDemandEnabled
+        isActivateOnDemandEnabled = tunnel.isOnDemandEnabled && tunnel.isEnabled
+        hasOnDemandRules = !(tunnel.onDemandRules ?? []).isEmpty
        tunnelProvider = tunnel
        super.init()
    }
@ -473,7 +632,7 @@ class TunnelContainer: NSObject {
            completionHandler(tunnelConfiguration)
            return
        }
-        guard nil != (try? session.sendProviderMessage(Data(bytes: [ 0 ]), responseHandler: {
+        guard nil != (try? session.sendProviderMessage(Data([ UInt8(0) ]), responseHandler: {
            guard self.status != .inactive, let data = $0, let base = self.tunnelConfiguration, let settings = String(data: data, encoding: .utf8) else {
                completionHandler(self.tunnelConfiguration)
                return
@ -486,11 +645,10 @@ class TunnelContainer: NSObject {
    }

    func refreshStatus() {
-        if status == .restarting {
+        if (status == .restarting) || (status == .waiting && tunnelProvider.connection.status == .disconnected) {
            return
        }
        status = TunnelStatus(from: tunnelProvider.connection.status)
-        isActivateOnDemandEnabled = tunnelProvider.isOnDemandEnabled
    }

    fileprivate func startActivation(recursionCount: UInt = 0, lastError: Error? = nil, activationDelegate: TunnelsManagerActivationDelegate?) {
@ -568,6 +726,7 @@ class TunnelContainer: NSObject {

 extension NETunnelProviderManager {
    private static var cachedConfigKey: UInt8 = 0
+
    var tunnelConfiguration: TunnelConfiguration? {
        if let cached = objc_getAssociatedObject(self, &NETunnelProviderManager.cachedConfigKey) as? TunnelConfiguration {
            return cached
@ -584,4 +743,8 @@ extension NETunnelProviderManager {
        localizedDescription = tunnelConfiguration.name
        objc_setAssociatedObject(self, &NETunnelProviderManager.cachedConfigKey, tunnelConfiguration, objc_AssociationPolicy.OBJC_ASSOCIATION_RETAIN_NONATOMIC)
    }
+
+    func isEquivalentTo(_ tunnel: TunnelContainer) -> Bool {
+        return localizedDescription == tunnel.name && tunnelConfiguration == tunnel.tunnelConfiguration
+    }
 }
--- a/Sources/WireGuardApp/UI/ActivateOnDemandViewModel.swift
+++ b/Sources/WireGuardApp/UI/ActivateOnDemandViewModel.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation

@ -51,20 +51,18 @@ class ActivateOnDemandViewModel {
 extension ActivateOnDemandViewModel {
    convenience init(tunnel: TunnelContainer) {
        self.init()
-        if tunnel.isActivateOnDemandEnabled {
-            switch tunnel.onDemandOption {
-            case .off:
-                break
-            case .wiFiInterfaceOnly(let onDemandSSIDOption):
-                isWiFiInterfaceEnabled = true
-                (ssidOption, selectedSSIDs) = ssidViewModel(from: onDemandSSIDOption)
-            case .nonWiFiInterfaceOnly:
-                isNonWiFiInterfaceEnabled = true
-            case .anyInterface(let onDemandSSIDOption):
-                isWiFiInterfaceEnabled = true
-                isNonWiFiInterfaceEnabled = true
-                (ssidOption, selectedSSIDs) = ssidViewModel(from: onDemandSSIDOption)
-            }
+        switch tunnel.onDemandOption {
+        case .off:
+            break
+        case .wiFiInterfaceOnly(let onDemandSSIDOption):
+            isWiFiInterfaceEnabled = true
+            (ssidOption, selectedSSIDs) = ssidViewModel(from: onDemandSSIDOption)
+        case .nonWiFiInterfaceOnly:
+            isNonWiFiInterfaceEnabled = true
+        case .anyInterface(let onDemandSSIDOption):
+            isWiFiInterfaceEnabled = true
+            isNonWiFiInterfaceEnabled = true
+            (ssidOption, selectedSSIDs) = ssidViewModel(from: onDemandSSIDOption)
        }
    }

--- a/Sources/WireGuardApp/UI/ErrorPresenterProtocol.swift
+++ b/Sources/WireGuardApp/UI/ErrorPresenterProtocol.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 protocol ErrorPresenterProtocol {
    static func showErrorAlert(title: String, message: String, from sourceVC: AnyObject?, onPresented: (() -> Void)?, onDismissal: (() -> Void)?)
--- a/Sources/WireGuardApp/UI/LogViewHelper.swift
+++ b/Sources/WireGuardApp/UI/LogViewHelper.swift
@ -0,0 +1,57 @@
+// SPDX-License-Identifier: MIT
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
+
+import Foundation
+
+public class LogViewHelper {
+    var log: OpaquePointer
+    var cursor: UInt32 = UINT32_MAX
+    static let formatOptions: ISO8601DateFormatter.Options = [
+        .withYear, .withMonth, .withDay, .withTime,
+        .withDashSeparatorInDate, .withColonSeparatorInTime, .withSpaceBetweenDateAndTime,
+        .withFractionalSeconds
+    ]
+
+    struct LogEntry {
+        let timestamp: String
+        let message: String
+
+        func text() -> String {
+            return timestamp + " " + message
+        }
+    }
+
+    class LogEntries {
+        var entries: [LogEntry] = []
+    }
+
+    init?(logFilePath: String?) {
+        guard let logFilePath = logFilePath else { return nil }
+        guard let log = open_log(logFilePath) else { return nil }
+        self.log = log
+    }
+
+    deinit {
+        close_log(self.log)
+    }
+
+    func fetchLogEntriesSinceLastFetch(completion: @escaping ([LogViewHelper.LogEntry]) -> Void) {
+        var logEntries = LogEntries()
+        DispatchQueue.global(qos: .userInitiated).async { [weak self] in
+            guard let self = self else { return }
+            let newCursor = view_lines_from_cursor(self.log, self.cursor, &logEntries) { cStr, timestamp, ctx in
+                let message = cStr != nil ? String(cString: cStr!) : ""
+                let date = Date(timeIntervalSince1970: Double(timestamp) / 1000000000)
+                let dateString = ISO8601DateFormatter.string(from: date, timeZone: TimeZone.current, formatOptions: LogViewHelper.formatOptions)
+                if let logEntries = ctx?.bindMemory(to: LogEntries.self, capacity: 1) {
+                    logEntries.pointee.entries.append(LogEntry(timestamp: dateString, message: message))
+                }
+            }
+            DispatchQueue.main.async { [weak self] in
+                guard let self = self else { return }
+                self.cursor = newCursor
+                completion(logEntries.entries)
+            }
+        }
+    }
+}
--- a/Sources/WireGuardApp/UI/PrivateDataConfirmation.swift
+++ b/Sources/WireGuardApp/UI/PrivateDataConfirmation.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation
 import LocalAuthentication
--- a/Sources/WireGuardApp/UI/TunnelImporter.swift
+++ b/Sources/WireGuardApp/UI/TunnelImporter.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation

@ -16,10 +16,10 @@ class TunnelImporter {
            if url.pathExtension.lowercased() == "zip" {
                dispatchGroup.enter()
                ZipImporter.importConfigFiles(from: url) { result in
-                    if let error = result.error {
+                    switch result {
+                    case .failure(let error):
                        lastFileImportErrorText = error.alertText
-                    }
-                    if let configsInZip = result.value {
+                    case .success(let configsInZip):
                        configs.append(contentsOf: configsInZip)
                    }
                    dispatchGroup.leave()
@ -44,10 +44,20 @@ class TunnelImporter {
                        }
                        return
                    }
-                    let tunnelConfiguration = try? TunnelConfiguration(fromWgQuickConfig: fileContents, called: fileBaseName)
+                    var parseError: Error?
+                    var tunnelConfiguration: TunnelConfiguration?
+                    do {
+                        tunnelConfiguration = try TunnelConfiguration(fromWgQuickConfig: fileContents, called: fileBaseName)
+                    } catch let error {
+                        parseError = error
+                    }
                    DispatchQueue.main.async {
-                        if tunnelConfiguration == nil {
-                            lastFileImportErrorText = (title: tr("alertBadConfigImportTitle"), message: tr(format: "alertBadConfigImportMessage (%@)", fileName))
+                        if parseError != nil {
+                            if let parseError = parseError as? WireGuardAppError {
+                                lastFileImportErrorText = parseError.alertText
+                            } else {
+                                lastFileImportErrorText = (title: tr("alertBadConfigImportTitle"), message: tr(format: "alertBadConfigImportMessage (%@)", fileName))
+                            }
                        }
                        configs.append(tunnelConfiguration)
                        dispatchGroup.leave()
--- a/Sources/WireGuardApp/UI/TunnelViewModel.swift
+++ b/Sources/WireGuardApp/UI/TunnelViewModel.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import Foundation

@ -109,9 +109,9 @@ class TunnelViewModel {
                    scratchpad[field] = stringValue
                }
                if field == .privateKey {
-                    if stringValue.count == TunnelViewModel.keyLengthInBase64, let privateKey = Data(base64Key: stringValue), privateKey.count == TunnelConfiguration.keyLength {
-                        let publicKey = Curve25519.generatePublicKey(fromPrivateKey: privateKey).base64Key() ?? ""
-                        scratchpad[.publicKey] = publicKey
+                    if stringValue.count == TunnelViewModel.keyLengthInBase64,
+                       let privateKey = PrivateKey(base64Key: stringValue) {
+                        scratchpad[.publicKey] = privateKey.publicKey.base64Key
                    } else {
                        scratchpad.removeValue(forKey: .publicKey)
                    }
@ -128,8 +128,8 @@ class TunnelViewModel {
        private static func createScratchPad(from config: InterfaceConfiguration, name: String) -> [InterfaceField: String] {
            var scratchpad = [InterfaceField: String]()
            scratchpad[.name] = name
-            scratchpad[.privateKey] = config.privateKey.base64Key() ?? ""
-            scratchpad[.publicKey] = config.publicKey.base64Key() ?? ""
+            scratchpad[.privateKey] = config.privateKey.base64Key
+            scratchpad[.publicKey] = config.privateKey.publicKey.base64Key
            if !config.addresses.isEmpty {
                scratchpad[.addresses] = config.addresses.map { $0.stringRepresentation }.joined(separator: ", ")
            }
@ -139,8 +139,10 @@ class TunnelViewModel {
            if let mtu = config.mtu {
                scratchpad[.mtu] = String(mtu)
            }
-            if !config.dns.isEmpty {
-                scratchpad[.dns] = config.dns.map { $0.stringRepresentation }.joined(separator: ", ")
+            if !config.dns.isEmpty || !config.dnsSearch.isEmpty {
+                var dns = config.dns.map { $0.stringRepresentation }
+                dns.append(contentsOf: config.dnsSearch)
+                scratchpad[.dns] = dns.joined(separator: ", ")
            }
            return scratchpad
        }
@ -158,7 +160,7 @@ class TunnelViewModel {
                fieldsWithError.insert(.privateKey)
                return .error(tr("alertInvalidInterfaceMessagePrivateKeyRequired"))
            }
-            guard let privateKey = Data(base64Key: privateKeyString), privateKey.count == TunnelConfiguration.keyLength else {
+            guard let privateKey = PrivateKey(base64Key: privateKeyString) else {
                fieldsWithError.insert(.privateKey)
                return .error(tr("alertInvalidInterfaceMessagePrivateKeyInvalid"))
            }
@ -194,15 +196,16 @@ class TunnelViewModel {
            }
            if let dnsString = scratchpad[.dns] {
                var dnsServers = [DNSServer]()
+                var dnsSearch = [String]()
                for dnsServerString in dnsString.splitToArray(trimmingCharacters: .whitespacesAndNewlines) {
                    if let dnsServer = DNSServer(from: dnsServerString) {
                        dnsServers.append(dnsServer)
                    } else {
-                        fieldsWithError.insert(.dns)
-                        errorMessages.append(tr("alertInvalidInterfaceMessageDNSInvalid"))
+                        dnsSearch.append(dnsServerString)
                    }
                }
                config.dns = dnsServers
+                config.dnsSearch = dnsSearch
            }

            guard errorMessages.isEmpty else { return .error(errorMessages.first!) }
@ -251,12 +254,12 @@ class TunnelViewModel {
        var scratchpad = [PeerField: String]()
        var fieldsWithError = Set<PeerField>()
        var validatedConfiguration: PeerConfiguration?
-        var publicKey: Data? {
+        var publicKey: PublicKey? {
            if let validatedConfiguration = validatedConfiguration {
                return validatedConfiguration.publicKey
            }
            if let scratchPadPublicKey = scratchpad[.publicKey] {
-                return Data(base64Key: scratchPadPublicKey)
+                return PublicKey(base64Key: scratchPadPublicKey)
            }
            return nil
        }
@ -301,10 +304,8 @@ class TunnelViewModel {

        private static func createScratchPad(from config: PeerConfiguration) -> [PeerField: String] {
            var scratchpad = [PeerField: String]()
-            if let publicKey = config.publicKey.base64Key() {
-                scratchpad[.publicKey] = publicKey
-            }
-            if let preSharedKey = config.preSharedKey?.base64Key() {
+            scratchpad[.publicKey] = config.publicKey.base64Key
+            if let preSharedKey = config.preSharedKey?.base64Key {
                scratchpad[.preSharedKey] = preSharedKey
            }
            if !config.allowedIPs.isEmpty {
@ -337,14 +338,14 @@ class TunnelViewModel {
                fieldsWithError.insert(.publicKey)
                return .error(tr("alertInvalidPeerMessagePublicKeyRequired"))
            }
-            guard let publicKey = Data(base64Key: publicKeyString), publicKey.count == TunnelConfiguration.keyLength else {
+            guard let publicKey = PublicKey(base64Key: publicKeyString) else {
                fieldsWithError.insert(.publicKey)
                return .error(tr("alertInvalidPeerMessagePublicKeyInvalid"))
            }
            var config = PeerConfiguration(publicKey: publicKey)
            var errorMessages = [String]()
            if let preSharedKeyString = scratchpad[.preSharedKey] {
-                if let preSharedKey = Data(base64Key: preSharedKeyString), preSharedKey.count == TunnelConfiguration.keyLength {
+                if let preSharedKey = PreSharedKey(base64Key: preSharedKeyString) {
                    config.preSharedKey = preSharedKey
                } else {
                    fieldsWithError.insert(.preSharedKey)
@ -397,12 +398,13 @@ class TunnelViewModel {

        static let ipv4DefaultRouteString = "0.0.0.0/0"
        static let ipv4DefaultRouteModRFC1918String = [ // Set of all non-private IPv4 IPs
-            "0.0.0.0/5", "8.0.0.0/7", "11.0.0.0/8", "12.0.0.0/6", "16.0.0.0/4", "32.0.0.0/3",
-            "64.0.0.0/2", "128.0.0.0/3", "160.0.0.0/5", "168.0.0.0/6", "172.0.0.0/12",
-            "172.32.0.0/11", "172.64.0.0/10", "172.128.0.0/9", "173.0.0.0/8", "174.0.0.0/7",
-            "176.0.0.0/4", "192.0.0.0/9", "192.128.0.0/11", "192.160.0.0/13", "192.169.0.0/16",
-            "192.170.0.0/15", "192.172.0.0/14", "192.176.0.0/12", "192.192.0.0/10",
-            "193.0.0.0/8", "194.0.0.0/7", "196.0.0.0/6", "200.0.0.0/5", "208.0.0.0/4"
+            "1.0.0.0/8", "2.0.0.0/8", "3.0.0.0/8", "4.0.0.0/6", "8.0.0.0/7", "11.0.0.0/8",
+            "12.0.0.0/6", "16.0.0.0/4", "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/3",
+            "160.0.0.0/5", "168.0.0.0/6", "172.0.0.0/12", "172.32.0.0/11", "172.64.0.0/10",
+            "172.128.0.0/9", "173.0.0.0/8", "174.0.0.0/7", "176.0.0.0/4", "192.0.0.0/9",
+            "192.128.0.0/11", "192.160.0.0/13", "192.169.0.0/16", "192.170.0.0/15",
+            "192.172.0.0/14", "192.176.0.0/12", "192.192.0.0/10", "193.0.0.0/8",
+            "194.0.0.0/7", "196.0.0.0/6", "200.0.0.0/5", "208.0.0.0/4"
        ]

        static func excludePrivateIPsFieldStates(isSinglePeer: Bool, allowedIPs: Set<String>) -> (shouldAllowExcludePrivateIPsControl: Bool, excludePrivateIPsValue: Bool) {
@ -559,7 +561,7 @@ class TunnelViewModel {
            }

            let peerPublicKeysArray = peerConfigurations.map { $0.publicKey }
-            let peerPublicKeysSet = Set<Data>(peerPublicKeysArray)
+            let peerPublicKeysSet = Set<PublicKey>(peerPublicKeysArray)
            if peerPublicKeysArray.count != peerPublicKeysSet.count {
                return .error(tr("alertInvalidPeerMessagePublicKeyDuplicated"))
            }
--- a/Sources/WireGuardApp/UI/iOS/AppDelegate.swift
+++ b/Sources/WireGuardApp/UI/iOS/AppDelegate.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit
 import os.log
@ -9,12 +9,18 @@ class AppDelegate: UIResponder, UIApplicationDelegate {

    var window: UIWindow?
    var mainVC: MainViewController?
+    var isLaunchedForSpecificAction = false

    func application(_ application: UIApplication, willFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
        Logger.configureGlobal(tagged: "APP", withFilePath: FileManager.logFileURL?.path)

+        if let launchOptions = launchOptions {
+            if launchOptions[.url] != nil || launchOptions[.shortcutItem] != nil {
+                isLaunchedForSpecificAction = true
+            }
+        }
+
        let window = UIWindow(frame: UIScreen.main.bounds)
-        window.backgroundColor = .white
        self.window = window

        let mainVC = MainViewController()
@ -27,16 +33,28 @@ class AppDelegate: UIResponder, UIApplicationDelegate {
    }

    func application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
-        guard let tunnelsManager = mainVC?.tunnelsManager else { return true }
-        TunnelImporter.importFromFile(urls: [url], into: tunnelsManager, sourceVC: mainVC, errorPresenterType: ErrorPresenter.self) {
-            _ = FileManager.deleteFile(at: url)
-        }
+        mainVC?.importFromDisposableFile(url: url)
        return true
    }

    func applicationDidBecomeActive(_ application: UIApplication) {
        mainVC?.refreshTunnelConnectionStatuses()
    }
+
+    func applicationWillResignActive(_ application: UIApplication) {
+        guard let allTunnelNames = mainVC?.allTunnelNames() else { return }
+        application.shortcutItems = QuickActionItem.createItems(allTunnelNames: allTunnelNames)
+    }
+
+    func application(_ application: UIApplication, performActionFor shortcutItem: UIApplicationShortcutItem, completionHandler: @escaping (Bool) -> Void) {
+        guard shortcutItem.type == QuickActionItem.type else {
+            completionHandler(false)
+            return
+        }
+        let tunnelName = shortcutItem.localizedTitle
+        mainVC?.showTunnelDetailForTunnel(named: tunnelName, animated: false, shouldToggleStatus: true)
+        completionHandler(true)
+    }
 }

 extension AppDelegate {
@ -45,7 +63,7 @@ extension AppDelegate {
    }

    func application(_ application: UIApplication, shouldRestoreApplicationState coder: NSCoder) -> Bool {
-        return true
+        return !self.isLaunchedForSpecificAction
    }

    func application(_ application: UIApplication, viewControllerWithRestorationIdentifierPath identifierComponents: [String], coder: NSCoder) -> UIViewController? {
@ -58,7 +76,7 @@ extension AppDelegate {
                }
            } else {
                // Show it when tunnelsManager is available
-                mainVC?.showTunnelDetailForTunnel(named: tunnelName, animated: false)
+                mainVC?.showTunnelDetailForTunnel(named: tunnelName, animated: false, shouldToggleStatus: false)
            }
        }
        return nil
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/Contents.json
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/Contents.json
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_20pt@1x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_20pt@1x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_20pt@2x-1.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_20pt@2x-1.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_20pt@2x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_20pt@2x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_20pt@3x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_20pt@3x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_29pt@1x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_29pt@1x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_29pt@2x-1.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_29pt@2x-1.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_29pt@2x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_29pt@2x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_29pt@3x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_29pt@3x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_40pt@1x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_40pt@1x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_40pt@2x-1.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_40pt@2x-1.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_40pt@2x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_40pt@2x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_40pt@3x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_40pt@3x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_60pt@2x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_60pt@2x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_60pt@3x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_60pt@3x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_76pt@1x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_76pt@1x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_76pt@2x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_76pt@2x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_83.5pt@2x.png
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/AppIcon.appiconset/wireguard_logo_83.5pt@2x.png
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/Contents.json
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/Contents.json
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/wireguard.imageset/Contents.json
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/wireguard.imageset/Contents.json
--- a/Sources/WireGuardApp/UI/iOS/Assets.xcassets/wireguard.imageset/wireguard.pdf
+++ b/Sources/WireGuardApp/UI/iOS/Assets.xcassets/wireguard.imageset/wireguard.pdf
--- a/Sources/WireGuardApp/UI/iOS/Base.lproj/LaunchScreen.storyboard
+++ b/Sources/WireGuardApp/UI/iOS/Base.lproj/LaunchScreen.storyboard
--- a/Sources/WireGuardApp/UI/iOS/ConfirmationAlertPresenter.swift
+++ b/Sources/WireGuardApp/UI/iOS/ConfirmationAlertPresenter.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

--- a/Sources/WireGuardApp/UI/iOS/ErrorPresenter.swift
+++ b/Sources/WireGuardApp/UI/iOS/ErrorPresenter.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit
 import os.log
--- a/Sources/WireGuardApp/UI/iOS/Info.plist
+++ b/Sources/WireGuardApp/UI/iOS/Info.plist
@ -64,6 +64,8 @@
 	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
+	<key>CFBundleDisplayName</key>
+	<string>$(PRODUCT_NAME)</string>
 	<key>CFBundleName</key>
 	<string>$(PRODUCT_NAME)</string>
 	<key>CFBundlePackageType</key>
@ -82,7 +84,6 @@
 	<string>LaunchScreen</string>
 	<key>UIRequiredDeviceCapabilities</key>
 	<array>
-		<string>armv7</string>
 	</array>
 	<key>UISupportedInterfaceOrientations</key>
 	<array>
--- a/Sources/WireGuardApp/UI/iOS/QuickActionItem.swift
+++ b/Sources/WireGuardApp/UI/iOS/QuickActionItem.swift
@ -0,0 +1,25 @@
+// SPDX-License-Identifier: MIT
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
+
+import UIKit
+
+class QuickActionItem: UIApplicationShortcutItem {
+    static let type = "WireGuardTunnelActivateAndShow"
+
+    init(tunnelName: String) {
+        super.init(type: QuickActionItem.type, localizedTitle: tunnelName, localizedSubtitle: nil, icon: nil, userInfo: nil)
+    }
+
+    static func createItems(allTunnelNames: [String]) -> [QuickActionItem] {
+        let numberOfItems = 10
+        // Currently, only 4 items shown by iOS, but that can increase in the future.
+        // iOS will discard additional items we give it.
+        var tunnelNames = RecentTunnelsTracker.recentlyActivatedTunnelNames(limit: numberOfItems)
+        let numberOfSlotsRemaining = numberOfItems - tunnelNames.count
+        if numberOfSlotsRemaining > 0 {
+            let moreTunnels = allTunnelNames.filter { !tunnelNames.contains($0) }.prefix(numberOfSlotsRemaining)
+            tunnelNames.append(contentsOf: moreTunnels)
+        }
+        return tunnelNames.map { QuickActionItem(tunnelName: $0) }
+    }
+}
--- a/Sources/WireGuardApp/UI/iOS/RecentTunnelsTracker.swift
+++ b/Sources/WireGuardApp/UI/iOS/RecentTunnelsTracker.swift
@ -0,0 +1,72 @@
+// SPDX-License-Identifier: MIT
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
+
+import Foundation
+
+class RecentTunnelsTracker {
+
+    private static let keyRecentlyActivatedTunnelNames = "recentlyActivatedTunnelNames"
+    private static let maxNumberOfTunnels = 10
+
+    private static var userDefaults: UserDefaults? {
+        guard let appGroupId = FileManager.appGroupId else {
+            wg_log(.error, staticMessage: "Cannot obtain app group ID from bundle for tracking recently used tunnels")
+            return nil
+        }
+        guard let userDefaults = UserDefaults(suiteName: appGroupId) else {
+            wg_log(.error, staticMessage: "Cannot obtain shared user defaults for tracking recently used tunnels")
+            return nil
+        }
+        return userDefaults
+    }
+
+    static func handleTunnelActivated(tunnelName: String) {
+        guard let userDefaults = RecentTunnelsTracker.userDefaults else { return }
+        var recentTunnels = userDefaults.stringArray(forKey: keyRecentlyActivatedTunnelNames) ?? []
+        if let existingIndex = recentTunnels.firstIndex(of: tunnelName) {
+            recentTunnels.remove(at: existingIndex)
+        }
+        recentTunnels.insert(tunnelName, at: 0)
+        if recentTunnels.count > maxNumberOfTunnels {
+            recentTunnels.removeLast(recentTunnels.count - maxNumberOfTunnels)
+        }
+        userDefaults.set(recentTunnels, forKey: keyRecentlyActivatedTunnelNames)
+    }
+
+    static func handleTunnelRemoved(tunnelName: String) {
+        guard let userDefaults = RecentTunnelsTracker.userDefaults else { return }
+        var recentTunnels = userDefaults.stringArray(forKey: keyRecentlyActivatedTunnelNames) ?? []
+        if let existingIndex = recentTunnels.firstIndex(of: tunnelName) {
+            recentTunnels.remove(at: existingIndex)
+            userDefaults.set(recentTunnels, forKey: keyRecentlyActivatedTunnelNames)
+        }
+    }
+
+    static func handleTunnelRenamed(oldName: String, newName: String) {
+        guard let userDefaults = RecentTunnelsTracker.userDefaults else { return }
+        var recentTunnels = userDefaults.stringArray(forKey: keyRecentlyActivatedTunnelNames) ?? []
+        if let existingIndex = recentTunnels.firstIndex(of: oldName) {
+            recentTunnels[existingIndex] = newName
+            userDefaults.set(recentTunnels, forKey: keyRecentlyActivatedTunnelNames)
+        }
+    }
+
+    static func cleanupTunnels(except tunnelNamesToKeep: Set<String>) {
+        guard let userDefaults = RecentTunnelsTracker.userDefaults else { return }
+        var recentTunnels = userDefaults.stringArray(forKey: keyRecentlyActivatedTunnelNames) ?? []
+        let oldCount = recentTunnels.count
+        recentTunnels.removeAll { !tunnelNamesToKeep.contains($0) }
+        if oldCount != recentTunnels.count {
+            userDefaults.set(recentTunnels, forKey: keyRecentlyActivatedTunnelNames)
+        }
+    }
+
+    static func recentlyActivatedTunnelNames(limit: Int) -> [String] {
+        guard let userDefaults = RecentTunnelsTracker.userDefaults else { return [] }
+        var recentTunnels = userDefaults.stringArray(forKey: keyRecentlyActivatedTunnelNames) ?? []
+        if limit < recentTunnels.count {
+            recentTunnels.removeLast(recentTunnels.count - limit)
+        }
+        return recentTunnels
+    }
+}
--- a/Sources/WireGuardApp/UI/iOS/UITableViewCell+Reuse.swift
+++ b/Sources/WireGuardApp/UI/iOS/UITableViewCell+Reuse.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

@ -15,7 +15,7 @@ extension UITableView {
    }

    func dequeueReusableCell<T: UITableViewCell>(for indexPath: IndexPath) -> T {
-        //swiftlint:disable:next force_cast
+        // swiftlint:disable:next force_cast
        return dequeueReusableCell(withIdentifier: T.reuseIdentifier, for: indexPath) as! T
    }
 }
--- a/Sources/WireGuardApp/UI/iOS/View/BorderedTextButton.swift
+++ b/Sources/WireGuardApp/UI/iOS/View/BorderedTextButton.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

--- a/Sources/WireGuardApp/UI/iOS/View/ButtonCell.swift
+++ b/Sources/WireGuardApp/UI/iOS/View/ButtonCell.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

@ -9,8 +9,8 @@ class ButtonCell: UITableViewCell {
        set(value) { button.setTitle(value, for: .normal) }
    }
    var hasDestructiveAction: Bool {
-        get { return button.tintColor == .red }
-        set(value) { button.tintColor = value ? .red : buttonStandardTintColor }
+        get { return button.tintColor == .systemRed }
+        set(value) { button.tintColor = value ? .systemRed : buttonStandardTintColor }
    }
    var onTapped: (() -> Void)?

--- a/Sources/WireGuardApp/UI/iOS/View/CheckmarkCell.swift
+++ b/Sources/WireGuardApp/UI/iOS/View/CheckmarkCell.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

--- a/Sources/WireGuardApp/UI/iOS/View/ChevronCell.swift
+++ b/Sources/WireGuardApp/UI/iOS/View/ChevronCell.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

--- a/Sources/WireGuardApp/UI/iOS/View/EditableTextCell.swift
+++ b/Sources/WireGuardApp/UI/iOS/View/EditableTextCell.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

@ -9,6 +9,11 @@ class EditableTextCell: UITableViewCell {
        set(value) { valueTextField.text = value }
    }

+    var placeholder: String? {
+        get { return valueTextField.placeholder }
+        set(value) { valueTextField.placeholder = value }
+    }
+
    let valueTextField: UITextField = {
        let valueTextField = UITextField()
        valueTextField.textAlignment = .left
@ -29,12 +34,13 @@ class EditableTextCell: UITableViewCell {
        valueTextField.delegate = self
        contentView.addSubview(valueTextField)
        valueTextField.translatesAutoresizingMaskIntoConstraints = false
-        let bottomAnchorConstraint = contentView.layoutMarginsGuide.bottomAnchor.constraint(equalToSystemSpacingBelow: valueTextField.bottomAnchor, multiplier: 1)
+        // Reduce the bottom margin by 0.5pt to maintain the default cell height (44pt)
+        let bottomAnchorConstraint = contentView.layoutMarginsGuide.bottomAnchor.constraint(equalTo: valueTextField.bottomAnchor, constant: -0.5)
        bottomAnchorConstraint.priority = .defaultLow
        NSLayoutConstraint.activate([
-            valueTextField.leadingAnchor.constraint(equalToSystemSpacingAfter: contentView.layoutMarginsGuide.leadingAnchor, multiplier: 1),
-            contentView.layoutMarginsGuide.trailingAnchor.constraint(equalToSystemSpacingAfter: valueTextField.trailingAnchor, multiplier: 1),
-            valueTextField.topAnchor.constraint(equalToSystemSpacingBelow: contentView.layoutMarginsGuide.topAnchor, multiplier: 1),
+            valueTextField.leadingAnchor.constraint(equalTo: contentView.layoutMarginsGuide.leadingAnchor),
+            contentView.layoutMarginsGuide.trailingAnchor.constraint(equalTo: valueTextField.trailingAnchor),
+            contentView.layoutMarginsGuide.topAnchor.constraint(equalTo: valueTextField.topAnchor),
            bottomAnchorConstraint
        ])
    }
@ -50,6 +56,7 @@ class EditableTextCell: UITableViewCell {
    override func prepareForReuse() {
        super.prepareForReuse()
        message = ""
+        placeholder = nil
    }
 }

--- a/Sources/WireGuardApp/UI/iOS/View/KeyValueCell.swift
+++ b/Sources/WireGuardApp/UI/iOS/View/KeyValueCell.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

@ -9,7 +9,7 @@ class KeyValueCell: UITableViewCell {
        let keyLabel = UILabel()
        keyLabel.font = UIFont.preferredFont(forTextStyle: .body)
        keyLabel.adjustsFontForContentSizeCategory = true
-        keyLabel.textColor = .black
+        keyLabel.textColor = .label
        keyLabel.textAlignment = .left
        return keyLabel
    }()
@ -23,7 +23,7 @@ class KeyValueCell: UITableViewCell {
    }()

    let valueTextField: UITextField = {
-        let valueTextField = UITextField()
+        let valueTextField = KeyValueCellTextField()
        valueTextField.textAlignment = .right
        valueTextField.isEnabled = false
        valueTextField.font = UIFont.preferredFont(forTextStyle: .body)
@ -31,7 +31,7 @@ class KeyValueCell: UITableViewCell {
        valueTextField.autocapitalizationType = .none
        valueTextField.autocorrectionType = .no
        valueTextField.spellCheckingType = .no
-        valueTextField.textColor = .gray
+        valueTextField.textColor = .secondaryLabel
        return valueTextField
    }()

@ -57,9 +57,9 @@ class KeyValueCell: UITableViewCell {
    var isValueValid = true {
        didSet {
            if isValueValid {
-                keyLabel.textColor = .black
+                keyLabel.textColor = .label
            } else {
-                keyLabel.textColor = .red
+                keyLabel.textColor = .systemRed
            }
        }
    }
@ -99,8 +99,6 @@ class KeyValueCell: UITableViewCell {
        expandToFitValueLabelConstraint.priority = .defaultLow + 1
        expandToFitValueLabelConstraint.isActive = true

-        contentView.addSubview(valueLabelScrollView)
-
        contentView.addSubview(valueLabelScrollView)
        valueLabelScrollView.translatesAutoresizingMaskIntoConstraints = false
        NSLayoutConstraint.activate([
@ -218,3 +216,10 @@ extension KeyValueCell: UITextFieldDelegate {
    }

 }
+
+class KeyValueCellTextField: UITextField {
+    override func placeholderRect(forBounds bounds: CGRect) -> CGRect {
+        // UIKit renders the placeholder label 0.5pt higher
+        return super.placeholderRect(forBounds: bounds).integral.offsetBy(dx: 0, dy: -0.5)
+    }
+}
--- a/Sources/WireGuardApp/UI/iOS/View/SwitchCell.swift
+++ b/Sources/WireGuardApp/UI/iOS/View/SwitchCell.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

@ -16,13 +16,15 @@ class SwitchCell: UITableViewCell {
        get { return switchView.isEnabled }
        set(value) {
            switchView.isEnabled = value
-            textLabel?.textColor = value ? .black : .gray
+            textLabel?.textColor = value ? .label : .secondaryLabel
        }
    }

    var onSwitchToggled: ((Bool) -> Void)?

-    var observationToken: AnyObject?
+    var statusObservationToken: AnyObject?
+    var isOnDemandEnabledObservationToken: AnyObject?
+    var hasOnDemandRulesObservationToken: AnyObject?

    let switchView = UISwitch()

@ -47,6 +49,8 @@ class SwitchCell: UITableViewCell {
        isEnabled = true
        message = ""
        isOn = false
-        observationToken = nil
+        statusObservationToken = nil
+        isOnDemandEnabledObservationToken = nil
+        hasOnDemandRulesObservationToken = nil
    }
 }
--- a/Sources/WireGuardApp/UI/iOS/View/TextCell.swift
+++ b/Sources/WireGuardApp/UI/iOS/View/TextCell.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

@ -28,7 +28,7 @@ class TextCell: UITableViewCell {
    override func prepareForReuse() {
        super.prepareForReuse()
        message = ""
-        setTextColor(.black)
+        setTextColor(.label)
        setTextAlignment(.left)
    }
 }
--- a/Sources/WireGuardApp/UI/iOS/View/TunnelEditKeyValueCell.swift
+++ b/Sources/WireGuardApp/UI/iOS/View/TunnelEditKeyValueCell.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

@ -30,7 +30,7 @@ class TunnelEditEditableKeyValueCell: TunnelEditKeyValueCell {
        super.init(style: style, reuseIdentifier: reuseIdentifier)

        copyableGesture = false
-        valueTextField.textColor = .black
+        valueTextField.textColor = .label
        valueTextField.isEnabled = true
        valueLabelScrollView.isScrollEnabled = false
        valueTextField.widthAnchor.constraint(equalTo: valueLabelScrollView.widthAnchor).isActive = true
--- a/Sources/WireGuardApp/UI/iOS/View/TunnelListCell.swift
+++ b/Sources/WireGuardApp/UI/iOS/View/TunnelListCell.swift
@ -0,0 +1,162 @@
+// SPDX-License-Identifier: MIT
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
+
+import UIKit
+
+class TunnelListCell: UITableViewCell {
+    var tunnel: TunnelContainer? {
+        didSet {
+            // Bind to the tunnel's name
+            nameLabel.text = tunnel?.name ?? ""
+            nameObservationToken = tunnel?.observe(\.name) { [weak self] tunnel, _ in
+                self?.nameLabel.text = tunnel.name
+            }
+            // Bind to the tunnel's status
+            update(from: tunnel, animated: false)
+            statusObservationToken = tunnel?.observe(\.status) { [weak self] tunnel, _ in
+                self?.update(from: tunnel, animated: true)
+            }
+            // Bind to tunnel's on-demand settings
+            isOnDemandEnabledObservationToken = tunnel?.observe(\.isActivateOnDemandEnabled) { [weak self] tunnel, _ in
+                self?.update(from: tunnel, animated: true)
+            }
+            hasOnDemandRulesObservationToken = tunnel?.observe(\.hasOnDemandRules) { [weak self] tunnel, _ in
+                self?.update(from: tunnel, animated: true)
+            }
+        }
+    }
+    var onSwitchToggled: ((Bool) -> Void)?
+
+    let nameLabel: UILabel = {
+        let nameLabel = UILabel()
+        nameLabel.font = UIFont.preferredFont(forTextStyle: .body)
+        nameLabel.adjustsFontForContentSizeCategory = true
+        nameLabel.numberOfLines = 0
+        return nameLabel
+    }()
+
+    let onDemandLabel: UILabel = {
+        let label = UILabel()
+        label.text = ""
+        label.font = UIFont.preferredFont(forTextStyle: .caption2)
+        label.adjustsFontForContentSizeCategory = true
+        label.numberOfLines = 1
+        label.textColor = .secondaryLabel
+        return label
+    }()
+
+    let busyIndicator: UIActivityIndicatorView = {
+        let busyIndicator: UIActivityIndicatorView
+        busyIndicator = UIActivityIndicatorView(style: .medium)
+        busyIndicator.hidesWhenStopped = true
+        return busyIndicator
+    }()
+
+    let statusSwitch = UISwitch()
+
+    private var nameObservationToken: NSKeyValueObservation?
+    private var statusObservationToken: NSKeyValueObservation?
+    private var isOnDemandEnabledObservationToken: NSKeyValueObservation?
+    private var hasOnDemandRulesObservationToken: NSKeyValueObservation?
+
+    private var subTitleLabelBottomConstraint: NSLayoutConstraint?
+    private var nameLabelBottomConstraint: NSLayoutConstraint?
+
+    override init(style: UITableViewCell.CellStyle, reuseIdentifier: String?) {
+        super.init(style: style, reuseIdentifier: reuseIdentifier)
+
+        accessoryType = .disclosureIndicator
+
+        for subview in [statusSwitch, busyIndicator, onDemandLabel, nameLabel] {
+            subview.translatesAutoresizingMaskIntoConstraints = false
+            contentView.addSubview(subview)
+        }
+
+        nameLabel.setContentCompressionResistancePriority(.defaultLow, for: .horizontal)
+        onDemandLabel.setContentCompressionResistancePriority(.defaultHigh, for: .horizontal)
+
+        let nameLabelBottomConstraint =
+            contentView.layoutMarginsGuide.bottomAnchor.constraint(equalToSystemSpacingBelow: nameLabel.bottomAnchor, multiplier: 1)
+        nameLabelBottomConstraint.priority = .defaultLow
+
+        NSLayoutConstraint.activate([
+            statusSwitch.centerYAnchor.constraint(equalTo: contentView.centerYAnchor),
+            statusSwitch.trailingAnchor.constraint(equalTo: contentView.layoutMarginsGuide.trailingAnchor),
+            statusSwitch.leadingAnchor.constraint(equalToSystemSpacingAfter: busyIndicator.trailingAnchor, multiplier: 1),
+            statusSwitch.leadingAnchor.constraint(equalToSystemSpacingAfter: onDemandLabel.trailingAnchor, multiplier: 1),
+
+            nameLabel.topAnchor.constraint(equalToSystemSpacingBelow: contentView.layoutMarginsGuide.topAnchor, multiplier: 1),
+            nameLabel.leadingAnchor.constraint(equalToSystemSpacingAfter: contentView.layoutMarginsGuide.leadingAnchor, multiplier: 1),
+            nameLabel.trailingAnchor.constraint(lessThanOrEqualTo: statusSwitch.leadingAnchor),
+            nameLabelBottomConstraint,
+
+            onDemandLabel.centerYAnchor.constraint(equalTo: contentView.centerYAnchor),
+            onDemandLabel.leadingAnchor.constraint(equalToSystemSpacingAfter: nameLabel.trailingAnchor, multiplier: 1),
+
+            busyIndicator.centerYAnchor.constraint(equalTo: contentView.centerYAnchor),
+            busyIndicator.leadingAnchor.constraint(greaterThanOrEqualToSystemSpacingAfter: nameLabel.trailingAnchor, multiplier: 1)
+        ])
+
+        statusSwitch.addTarget(self, action: #selector(switchToggled), for: .valueChanged)
+    }
+
+    required init?(coder aDecoder: NSCoder) {
+        fatalError("init(coder:) has not been implemented")
+    }
+
+    override func prepareForReuse() {
+        super.prepareForReuse()
+        reset(animated: false)
+    }
+
+    override func setEditing(_ editing: Bool, animated: Bool) {
+        super.setEditing(editing, animated: animated)
+        statusSwitch.isEnabled = !editing
+    }
+
+    @objc private func switchToggled() {
+        onSwitchToggled?(statusSwitch.isOn)
+    }
+
+    private func update(from tunnel: TunnelContainer?, animated: Bool) {
+        guard let tunnel = tunnel else {
+            reset(animated: animated)
+            return
+        }
+        let status = tunnel.status
+        let isOnDemandEngaged = tunnel.isActivateOnDemandEnabled
+
+        let shouldSwitchBeOn = ((status != .deactivating && status != .inactive) || isOnDemandEngaged)
+        statusSwitch.setOn(shouldSwitchBeOn, animated: true)
+
+        if isOnDemandEngaged && !(status == .activating || status == .active) {
+            statusSwitch.onTintColor = UIColor.systemYellow
+        } else {
+            statusSwitch.onTintColor = UIColor.systemGreen
+        }
+
+        statusSwitch.isUserInteractionEnabled = (status == .inactive || status == .active)
+
+        if tunnel.hasOnDemandRules {
+            onDemandLabel.text = isOnDemandEngaged ? tr("tunnelListCaptionOnDemand") : ""
+            busyIndicator.stopAnimating()
+            statusSwitch.isUserInteractionEnabled = true
+        } else {
+            onDemandLabel.text = ""
+            if status == .inactive || status == .active {
+                busyIndicator.stopAnimating()
+            } else {
+                busyIndicator.startAnimating()
+            }
+            statusSwitch.isUserInteractionEnabled = (status == .inactive || status == .active)
+        }
+
+    }
+
+    private func reset(animated: Bool) {
+        statusSwitch.thumbTintColor = nil
+        statusSwitch.setOn(false, animated: animated)
+        statusSwitch.isUserInteractionEnabled = false
+        busyIndicator.stopAnimating()
+    }
+}
--- a/Sources/WireGuardApp/UI/iOS/ViewController/LogViewController.swift
+++ b/Sources/WireGuardApp/UI/iOS/ViewController/LogViewController.swift
@ -0,0 +1,147 @@
+// SPDX-License-Identifier: MIT
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
+
+import UIKit
+
+class LogViewController: UIViewController {
+
+    let textView: UITextView = {
+        let textView = UITextView()
+        textView.isEditable = false
+        textView.isSelectable = true
+        textView.font = UIFont.preferredFont(forTextStyle: UIFont.TextStyle.body)
+        textView.adjustsFontForContentSizeCategory = true
+        return textView
+    }()
+
+    let busyIndicator: UIActivityIndicatorView = {
+        let busyIndicator = UIActivityIndicatorView(style: .medium)
+        busyIndicator.hidesWhenStopped = true
+        return busyIndicator
+    }()
+
+    let paragraphStyle: NSParagraphStyle = {
+        let paragraphStyle = NSMutableParagraphStyle()
+        paragraphStyle.setParagraphStyle(NSParagraphStyle.default)
+        paragraphStyle.lineHeightMultiple = 1.2
+        return paragraphStyle
+    }()
+
+    var isNextLineHighlighted = false
+
+    var logViewHelper: LogViewHelper?
+    var isFetchingLogEntries = false
+    private var updateLogEntriesTimer: Timer?
+
+    override func loadView() {
+        view = UIView()
+        view.backgroundColor = .systemBackground
+        view.addSubview(textView)
+        textView.translatesAutoresizingMaskIntoConstraints = false
+        NSLayoutConstraint.activate([
+            textView.leadingAnchor.constraint(equalTo: view.leadingAnchor),
+            textView.trailingAnchor.constraint(equalTo: view.trailingAnchor),
+            textView.topAnchor.constraint(equalTo: view.topAnchor),
+            textView.bottomAnchor.constraint(equalTo: view.bottomAnchor)
+        ])
+
+        view.addSubview(busyIndicator)
+        busyIndicator.translatesAutoresizingMaskIntoConstraints = false
+        NSLayoutConstraint.activate([
+            busyIndicator.centerXAnchor.constraint(equalTo: view.centerXAnchor),
+            busyIndicator.centerYAnchor.constraint(equalTo: view.centerYAnchor)
+        ])
+
+        busyIndicator.startAnimating()
+
+        logViewHelper = LogViewHelper(logFilePath: FileManager.logFileURL?.path)
+        startUpdatingLogEntries()
+    }
+
+    override func viewDidLoad() {
+        title = tr("logViewTitle")
+        navigationItem.rightBarButtonItem = UIBarButtonItem(barButtonSystemItem: .save, target: self, action: #selector(saveTapped(sender:)))
+    }
+
+    func updateLogEntries() {
+        guard !isFetchingLogEntries else { return }
+        isFetchingLogEntries = true
+        logViewHelper?.fetchLogEntriesSinceLastFetch { [weak self] fetchedLogEntries in
+            guard let self = self else { return }
+            defer {
+                self.isFetchingLogEntries = false
+            }
+            if self.busyIndicator.isAnimating {
+                self.busyIndicator.stopAnimating()
+            }
+            guard !fetchedLogEntries.isEmpty else { return }
+            let isScrolledToEnd = self.textView.contentSize.height - self.textView.bounds.height - self.textView.contentOffset.y < 1
+
+            let richText = NSMutableAttributedString()
+            let bodyFont = UIFont.preferredFont(forTextStyle: UIFont.TextStyle.body)
+            let captionFont = UIFont.preferredFont(forTextStyle: UIFont.TextStyle.caption1)
+            for logEntry in fetchedLogEntries {
+                let bgColor: UIColor = self.isNextLineHighlighted ? .systemGray3 : .systemBackground
+                let fgColor: UIColor = .label
+                let timestampText = NSAttributedString(string: logEntry.timestamp + "\n", attributes: [.font: captionFont, .backgroundColor: bgColor, .foregroundColor: fgColor, .paragraphStyle: self.paragraphStyle])
+                let messageText = NSAttributedString(string: logEntry.message + "\n", attributes: [.font: bodyFont, .backgroundColor: bgColor, .foregroundColor: fgColor, .paragraphStyle: self.paragraphStyle])
+                richText.append(timestampText)
+                richText.append(messageText)
+                self.isNextLineHighlighted.toggle()
+            }
+            self.textView.textStorage.append(richText)
+            if isScrolledToEnd {
+                let endOfCurrentText = NSRange(location: (self.textView.text as NSString).length, length: 0)
+                self.textView.scrollRangeToVisible(endOfCurrentText)
+            }
+        }
+    }
+
+    func startUpdatingLogEntries() {
+        updateLogEntries()
+        updateLogEntriesTimer?.invalidate()
+        let timer = Timer(timeInterval: 1 /* second */, repeats: true) { [weak self] _ in
+            self?.updateLogEntries()
+        }
+        updateLogEntriesTimer = timer
+        RunLoop.main.add(timer, forMode: .common)
+    }
+
+    @objc func saveTapped(sender: AnyObject) {
+        guard let destinationDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask).first else { return }
+
+        let dateFormatter = ISO8601DateFormatter()
+        dateFormatter.formatOptions = [.withFullDate, .withTime, .withTimeZone] // Avoid ':' in the filename
+        let timeStampString = dateFormatter.string(from: Date())
+        let destinationURL = destinationDir.appendingPathComponent("wireguard-log-\(timeStampString).txt")
+
+        DispatchQueue.global(qos: .userInitiated).async {
+
+            if FileManager.default.fileExists(atPath: destinationURL.path) {
+                let isDeleted = FileManager.deleteFile(at: destinationURL)
+                if !isDeleted {
+                    ErrorPresenter.showErrorAlert(title: tr("alertUnableToRemovePreviousLogTitle"), message: tr("alertUnableToRemovePreviousLogMessage"), from: self)
+                    return
+                }
+            }
+
+            let isWritten = Logger.global?.writeLog(to: destinationURL.path) ?? false
+
+            DispatchQueue.main.async {
+                guard isWritten else {
+                    ErrorPresenter.showErrorAlert(title: tr("alertUnableToWriteLogTitle"), message: tr("alertUnableToWriteLogMessage"), from: self)
+                    return
+                }
+                let activityVC = UIActivityViewController(activityItems: [destinationURL], applicationActivities: nil)
+                if let sender = sender as? UIBarButtonItem {
+                    activityVC.popoverPresentationController?.barButtonItem = sender
+                }
+                activityVC.completionWithItemsHandler = { _, _, _, _ in
+                    // Remove the exported log file after the activity has completed
+                    _ = FileManager.deleteFile(at: destinationURL)
+                }
+                self.present(activityVC, animated: true)
+            }
+        }
+    }
+}
--- a/Sources/WireGuardApp/UI/iOS/ViewController/MainViewController.swift
+++ b/Sources/WireGuardApp/UI/iOS/ViewController/MainViewController.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

@ -11,7 +11,7 @@ class MainViewController: UISplitViewController {

    init() {
        let detailVC = UIViewController()
-        detailVC.view.backgroundColor = .white
+        detailVC.view.backgroundColor = .systemBackground
        let detailNC = UINavigationController(rootViewController: detailVC)

        let masterVC = TunnelsListTableViewController()
@ -42,22 +42,25 @@ class MainViewController: UISplitViewController {
        TunnelsManager.create { [weak self] result in
            guard let self = self else { return }

-            if let error = result.error {
+            switch result {
+            case .failure(let error):
                ErrorPresenter.showErrorAlert(error: error, from: self)
-                return
+            case .success(let tunnelsManager):
+                self.tunnelsManager = tunnelsManager
+                self.tunnelsListVC?.setTunnelsManager(tunnelsManager: tunnelsManager)
+
+                tunnelsManager.activationDelegate = self
+
+                self.onTunnelsManagerReady?(tunnelsManager)
+                self.onTunnelsManagerReady = nil
            }
-            let tunnelsManager: TunnelsManager = result.value!
-
-            self.tunnelsManager = tunnelsManager
-            self.tunnelsListVC?.setTunnelsManager(tunnelsManager: tunnelsManager)
-
-            tunnelsManager.activationDelegate = self
-
-            self.onTunnelsManagerReady?(tunnelsManager)
-            self.onTunnelsManagerReady = nil
        }
    }

+    func allTunnelNames() -> [String]? {
+        guard let tunnelsManager = self.tunnelsManager else { return nil }
+        return tunnelsManager.mapTunnels { $0.name }
+    }
 }

 extension MainViewController: TunnelsManagerActivationDelegate {
@ -85,19 +88,17 @@ extension MainViewController {
        }
    }

-    func showTunnelDetailForTunnel(named tunnelName: String, animated: Bool) {
+    func showTunnelDetailForTunnel(named tunnelName: String, animated: Bool, shouldToggleStatus: Bool) {
        let showTunnelDetailBlock: (TunnelsManager) -> Void = { [weak self] tunnelsManager in
+            guard let self = self else { return }
+            guard let tunnelsListVC = self.tunnelsListVC else { return }
            if let tunnel = tunnelsManager.tunnel(named: tunnelName) {
-                let tunnelDetailVC = TunnelDetailTableViewController(tunnelsManager: tunnelsManager, tunnel: tunnel)
-                let tunnelDetailNC = UINavigationController(rootViewController: tunnelDetailVC)
-                tunnelDetailNC.restorationIdentifier = "DetailNC"
-                if let self = self {
-                    if animated {
-                        self.showDetailViewController(tunnelDetailNC, sender: self)
-                    } else {
-                        UIView.performWithoutAnimation {
-                            self.showDetailViewController(tunnelDetailNC, sender: self)
-                        }
+                tunnelsListVC.showTunnelDetail(for: tunnel, animated: false)
+                if shouldToggleStatus {
+                    if tunnel.status == .inactive {
+                        tunnelsManager.startActivation(of: tunnel)
+                    } else if tunnel.status == .active {
+                        tunnelsManager.startDeactivation(of: tunnel)
                    }
                }
            }
@ -108,6 +109,19 @@ extension MainViewController {
            onTunnelsManagerReady = showTunnelDetailBlock
        }
    }
+
+    func importFromDisposableFile(url: URL) {
+        let importFromFileBlock: (TunnelsManager) -> Void = { [weak self] tunnelsManager in
+            TunnelImporter.importFromFile(urls: [url], into: tunnelsManager, sourceVC: self, errorPresenterType: ErrorPresenter.self) {
+                _ = FileManager.deleteFile(at: url)
+            }
+        }
+        if let tunnelsManager = tunnelsManager {
+            importFromFileBlock(tunnelsManager)
+        } else {
+            onTunnelsManagerReady = importFromFileBlock
+        }
+    }
 }

 extension MainViewController: UISplitViewControllerDelegate {
--- a/Sources/WireGuardApp/UI/iOS/ViewController/QRScanViewController.swift
+++ b/Sources/WireGuardApp/UI/iOS/ViewController/QRScanViewController.swift
@ -1,10 +1,10 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import AVFoundation
 import UIKit

-protocol QRScanViewControllerDelegate: class {
+protocol QRScanViewControllerDelegate: AnyObject {
    func addScannedQRCode(tunnelConfiguration: TunnelConfiguration, qrScanViewController: QRScanViewController, completionHandler: (() -> Void)?)
 }

--- a/Sources/WireGuardApp/UI/iOS/ViewController/SSIDOptionDetailTableViewController.swift
+++ b/Sources/WireGuardApp/UI/iOS/ViewController/SSIDOptionDetailTableViewController.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

--- a/Sources/WireGuardApp/UI/iOS/ViewController/SSIDOptionEditTableViewController.swift
+++ b/Sources/WireGuardApp/UI/iOS/ViewController/SSIDOptionEditTableViewController.swift
@ -1,10 +1,11 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit
 import SystemConfiguration.CaptiveNetwork
+import NetworkExtension

-protocol SSIDOptionEditTableViewControllerDelegate: class {
+protocol SSIDOptionEditTableViewControllerDelegate: AnyObject {
    func ssidOptionSaved(option: ActivateOnDemandViewModel.OnDemandSSIDOption, ssids: [String])
 }

@ -39,9 +40,16 @@ class SSIDOptionEditTableViewController: UITableViewController {
        selectedOption = option
        selectedSSIDs = ssids
        super.init(style: .grouped)
-        connectedSSID = getConnectedSSID()
        loadSections()
-        loadAddSSIDRows()
+        addSSIDRows.removeAll()
+        addSSIDRows.append(.addNewSSID)
+
+        getConnectedSSID { [weak self] ssid in
+            guard let self = self else { return }
+            self.connectedSSID = ssid
+            self.updateCurrentSSIDEntry()
+            self.updateTableViewAddSSIDRows()
+        }
    }

    required init?(coder aDecoder: NSCoder) {
@ -60,6 +68,7 @@ class SSIDOptionEditTableViewController: UITableViewController {
        tableView.register(TextCell.self)
        tableView.isEditing = true
        tableView.allowsSelectionDuringEditing = true
+        tableView.keyboardDismissMode = .onDrag
    }

    func loadSections() {
@ -71,14 +80,14 @@ class SSIDOptionEditTableViewController: UITableViewController {
        }
    }

-    func loadAddSSIDRows() {
-        addSSIDRows.removeAll()
-        if let connectedSSID = connectedSSID {
-            if !selectedSSIDs.contains(connectedSSID) {
-                addSSIDRows.append(.addConnectedSSID(connectedSSID: connectedSSID))
+    func updateCurrentSSIDEntry() {
+        if let connectedSSID = connectedSSID, !selectedSSIDs.contains(connectedSSID) {
+            if let first = addSSIDRows.first, case .addNewSSID = first {
+                addSSIDRows.insert(.addConnectedSSID(connectedSSID: connectedSSID), at: 0)
            }
+        } else if let first = addSSIDRows.first, case .addConnectedSSID = first {
+            addSSIDRows.removeFirst()
        }
-        addSSIDRows.append(.addNewSSID)
    }

    func updateTableViewAddSSIDRows() {
@ -176,7 +185,7 @@ extension SSIDOptionEditTableViewController {
    private func noSSIDsCell(for tableView: UITableView, at indexPath: IndexPath) -> UITableViewCell {
        let cell: TextCell = tableView.dequeueReusableCell(for: indexPath)
        cell.message = tr("tunnelOnDemandNoSSIDs")
-        cell.setTextColor(.gray)
+        cell.setTextColor(.secondaryLabel)
        cell.setTextAlignment(.center)
        return cell
    }
@ -184,12 +193,13 @@ extension SSIDOptionEditTableViewController {
    private func selectedSSIDCell(for tableView: UITableView, at indexPath: IndexPath) -> UITableViewCell {
        let cell: EditableTextCell = tableView.dequeueReusableCell(for: indexPath)
        cell.message = selectedSSIDs[indexPath.row]
+        cell.placeholder = tr("tunnelOnDemandSSIDTextFieldPlaceholder")
        cell.isEditing = true
        cell.onValueBeingEdited = { [weak self, weak cell] text in
            guard let self = self, let cell = cell else { return }
            if let row = self.tableView.indexPath(for: cell)?.row {
                self.selectedSSIDs[row] = text
-                self.loadAddSSIDRows()
+                self.updateCurrentSSIDEntry()
                self.updateTableViewAddSSIDRows()
            }
        }
@ -220,7 +230,7 @@ extension SSIDOptionEditTableViewController {
            } else {
                tableView.reloadRows(at: [indexPath], with: .automatic)
            }
-            loadAddSSIDRows()
+            updateCurrentSSIDEntry()
            updateTableViewAddSSIDRows()
        case .addSSIDs:
            assert(editingStyle == .insert)
@ -240,7 +250,7 @@ extension SSIDOptionEditTableViewController {
            } else {
                tableView.insertRows(at: [indexPath], with: .automatic)
            }
-            loadAddSSIDRows()
+            updateCurrentSSIDEntry()
            updateTableViewAddSSIDRows()
            if newSSID.isEmpty {
                if let selectedSSIDCell = tableView.cellForRow(at: indexPath) as? EditableTextCell {
@ -249,6 +259,16 @@ extension SSIDOptionEditTableViewController {
            }
        }
    }
+
+    private func getConnectedSSID(completionHandler: @escaping (String?) -> Void) {
+        #if targetEnvironment(simulator)
+        completionHandler("Simulator Wi-Fi")
+        #else
+        NEHotspotNetwork.fetchCurrent { hotspotNetwork in
+            completionHandler(hotspotNetwork?.ssid)
+        }
+        #endif
+    }
 }

 extension SSIDOptionEditTableViewController {
@ -266,6 +286,10 @@ extension SSIDOptionEditTableViewController {
        case .ssidOption:
            let previousOption = selectedOption
            selectedOption = ssidOptionFields[indexPath.row]
+            guard previousOption != selectedOption else {
+                tableView.deselectRow(at: indexPath, animated: true)
+                return
+            }
            loadSections()
            if previousOption == .anySSID {
                let indexSet = IndexSet(1 ... 2)
@ -281,15 +305,3 @@ extension SSIDOptionEditTableViewController {
        }
    }
 }
-
-private func getConnectedSSID() -> String? {
-    guard let supportedInterfaces = CNCopySupportedInterfaces() as? [CFString] else { return nil }
-    for interface in supportedInterfaces {
-        if let networkInfo = CNCopyCurrentNetworkInfo(interface) {
-            if let ssid = (networkInfo as NSDictionary)[kCNNetworkInfoKeySSID as String] as? String {
-                return !ssid.isEmpty ? ssid : nil
-            }
-        }
-    }
-    return nil
-}
--- a/Sources/WireGuardApp/UI/iOS/ViewController/SettingsTableViewController.swift
+++ b/Sources/WireGuardApp/UI/iOS/ViewController/SettingsTableViewController.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit
 import os.log
@ -10,14 +10,14 @@ class SettingsTableViewController: UITableViewController {
        case iosAppVersion
        case goBackendVersion
        case exportZipArchive
-        case exportLogFile
+        case viewLog

        var localizedUIString: String {
            switch self {
            case .iosAppVersion: return tr("settingsVersionKeyWireGuardForIOS")
            case .goBackendVersion: return tr("settingsVersionKeyWireGuardGoBackend")
            case .exportZipArchive: return tr("settingsExportZipButtonTitle")
-            case .exportLogFile: return tr("settingsExportLogFileButtonTitle")
+            case .viewLog: return tr("settingsViewLogButtonTitle")
            }
        }
    }
@ -25,7 +25,7 @@ class SettingsTableViewController: UITableViewController {
    let settingsFieldsBySection: [[SettingsFields]] = [
        [.iosAppVersion, .goBackendVersion],
        [.exportZipArchive],
-        [.exportLogFile]
+        [.viewLog]
    ]

    let tunnelsManager: TunnelsManager?
@ -108,41 +108,10 @@ class SettingsTableViewController: UITableViewController {
        }
    }

-    func exportLogForLastActivatedTunnel(sourceView: UIView) {
-        guard let destinationDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask).first else { return }
+    func presentLogView() {
+        let logVC = LogViewController()
+        navigationController?.pushViewController(logVC, animated: true)

-        let dateFormatter = ISO8601DateFormatter()
-        dateFormatter.formatOptions = [.withFullDate, .withTime, .withTimeZone] // Avoid ':' in the filename
-        let timeStampString = dateFormatter.string(from: Date())
-        let destinationURL = destinationDir.appendingPathComponent("wireguard-log-\(timeStampString).txt")
-
-        DispatchQueue.global(qos: .userInitiated).async {
-
-            if FileManager.default.fileExists(atPath: destinationURL.path) {
-                let isDeleted = FileManager.deleteFile(at: destinationURL)
-                if !isDeleted {
-                    ErrorPresenter.showErrorAlert(title: tr("alertUnableToRemovePreviousLogTitle"), message: tr("alertUnableToRemovePreviousLogMessage"), from: self)
-                    return
-                }
-            }
-
-            let isWritten = Logger.global?.writeLog(to: destinationURL.path) ?? false
-
-            DispatchQueue.main.async {
-                guard isWritten else {
-                    ErrorPresenter.showErrorAlert(title: tr("alertUnableToWriteLogTitle"), message: tr("alertUnableToWriteLogMessage"), from: self)
-                    return
-                }
-                let activityVC = UIActivityViewController(activityItems: [destinationURL], applicationActivities: nil)
-                activityVC.popoverPresentationController?.sourceView = sourceView
-                activityVC.popoverPresentationController?.sourceRect = sourceView.bounds
-                activityVC.completionWithItemsHandler = { _, _, _, _ in
-                    // Remove the exported log file after the activity has completed
-                    _ = FileManager.deleteFile(at: destinationURL)
-                }
-                self.present(activityVC, animated: true)
-            }
-        }
    }
 }

@ -175,8 +144,8 @@ extension SettingsTableViewController {
            cell.copyableGesture = false
            cell.key = field.localizedUIString
            if field == .iosAppVersion {
-                var appVersion = Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String ?? "Unknown version"
-                if let appBuild = Bundle.main.infoDictionary?["CFBundleVersion"] as? String {
+                var appVersion = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "Unknown version"
+                if let appBuild = Bundle.main.object(forInfoDictionaryKey: "CFBundleVersion") as? String {
                    appVersion += " (\(appBuild))"
                }
                cell.value = appVersion
@ -191,14 +160,14 @@ extension SettingsTableViewController {
                self?.exportConfigurationsAsZipFile(sourceView: cell.button)
            }
            return cell
-        } else {
-            assert(field == .exportLogFile)
+        } else if field == .viewLog {
            let cell: ButtonCell = tableView.dequeueReusableCell(for: indexPath)
            cell.buttonText = field.localizedUIString
            cell.onTapped = { [weak self] in
-                self?.exportLogForLastActivatedTunnel(sourceView: cell.button)
+                self?.presentLogView()
            }
            return cell
        }
+        fatalError()
    }
 }
--- a/Sources/WireGuardApp/UI/iOS/ViewController/TunnelDetailTableViewController.swift
+++ b/Sources/WireGuardApp/UI/iOS/ViewController/TunnelDetailTableViewController.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

@ -120,7 +120,7 @@ class TunnelDetailTableViewController: UITableViewController {
            let editVC = TunnelEditTableViewController(tunnelsManager: self.tunnelsManager, tunnel: self.tunnel)
            editVC.delegate = self
            let editNC = UINavigationController(rootViewController: editVC)
-            editNC.modalPresentationStyle = .formSheet
+            editNC.modalPresentationStyle = .fullScreen
            self.present(editNC, animated: true)
        }
    }
@ -152,8 +152,8 @@ class TunnelDetailTableViewController: UITableViewController {
            }
        }!
        let firstPeerSectionIndex = interfaceSectionIndex + 1
-        var interfaceFieldIsVisible = self.interfaceFieldIsVisible
-        var peerFieldIsVisible = self.peerFieldIsVisible
+        let interfaceFieldIsVisible = self.interfaceFieldIsVisible
+        let peerFieldIsVisible = self.peerFieldIsVisible

        func handleSectionFieldsModified<T>(fields: [T], fieldIsVisible: [Bool], section: Int, changes: [T: TunnelViewModel.Changes.FieldChange]) {
            for (index, field) in fields.enumerated() {
@ -324,8 +324,22 @@ extension TunnelDetailTableViewController {
    private func statusCell(for tableView: UITableView, at indexPath: IndexPath) -> UITableViewCell {
        let cell: SwitchCell = tableView.dequeueReusableCell(for: indexPath)

-        let statusUpdate: (SwitchCell, TunnelStatus) -> Void = { cell, status in
-            let text: String
+        func update(cell: SwitchCell?, with tunnel: TunnelContainer) {
+            guard let cell = cell else { return }
+
+            let status = tunnel.status
+            let isOnDemandEngaged = tunnel.isActivateOnDemandEnabled
+
+            let isSwitchOn = (status == .activating || status == .active || isOnDemandEngaged)
+            cell.switchView.setOn(isSwitchOn, animated: true)
+
+            if isOnDemandEngaged && !(status == .activating || status == .active) {
+                cell.switchView.onTintColor = UIColor.systemYellow
+            } else {
+                cell.switchView.onTintColor = UIColor.systemGreen
+            }
+
+            var text: String
            switch status {
            case .inactive:
                text = tr("tunnelStatusInactive")
@ -342,26 +356,49 @@ extension TunnelDetailTableViewController {
            case .waiting:
                text = tr("tunnelStatusWaiting")
            }
-            cell.textLabel?.text = text
-            DispatchQueue.main.asyncAfter(deadline: .now() + .milliseconds(200)) { [weak cell] in
-                cell?.switchView.isOn = !(status == .deactivating || status == .inactive)
-                cell?.switchView.isUserInteractionEnabled = (status == .inactive || status == .active)
+
+            if tunnel.hasOnDemandRules {
+                text += isOnDemandEngaged ? tr("tunnelStatusAddendumOnDemand") : ""
+                cell.switchView.isUserInteractionEnabled = true
+                cell.isEnabled = true
+            } else {
+                cell.switchView.isUserInteractionEnabled = (status == .inactive || status == .active)
+                cell.isEnabled = (status == .inactive || status == .active)
            }
-            cell.isEnabled = status == .active || status == .inactive
+
+            if tunnel.hasOnDemandRules && !isOnDemandEngaged && status == .inactive {
+                text = tr("tunnelStatusOnDemandDisabled")
+            }
+
+            cell.textLabel?.text = text
        }

-        statusUpdate(cell, tunnel.status)
-        cell.observationToken = tunnel.observe(\.status) { [weak cell] tunnel, _ in
-            guard let cell = cell else { return }
-            statusUpdate(cell, tunnel.status)
+        update(cell: cell, with: tunnel)
+        cell.statusObservationToken = tunnel.observe(\.status) { [weak cell] tunnel, _ in
+            update(cell: cell, with: tunnel)
+        }
+        cell.isOnDemandEnabledObservationToken = tunnel.observe(\.isActivateOnDemandEnabled) { [weak cell] tunnel, _ in
+            update(cell: cell, with: tunnel)
+        }
+        cell.hasOnDemandRulesObservationToken = tunnel.observe(\.hasOnDemandRules) { [weak cell] tunnel, _ in
+            update(cell: cell, with: tunnel)
        }

        cell.onSwitchToggled = { [weak self] isOn in
            guard let self = self else { return }
-            if isOn {
-                self.tunnelsManager.startActivation(of: self.tunnel)
+
+            if self.tunnel.hasOnDemandRules {
+                self.tunnelsManager.setOnDemandEnabled(isOn, on: self.tunnel) { error in
+                    if error == nil && !isOn {
+                        self.tunnelsManager.startDeactivation(of: self.tunnel)
+                    }
+                }
            } else {
-                self.tunnelsManager.startDeactivation(of: self.tunnel)
+                if isOn {
+                    self.tunnelsManager.startActivation(of: self.tunnel)
+                } else {
+                    self.tunnelsManager.startDeactivation(of: self.tunnel)
+                }
            }
        }
        return cell
@ -397,6 +434,7 @@ extension TunnelDetailTableViewController {
            let cell: KeyValueCell = tableView.dequeueReusableCell(for: indexPath)
            cell.key = field.localizedUIString
            cell.value = onDemandViewModel.localizedInterfaceDescription
+            cell.copyableGesture = false
            return cell
        } else {
            assert(field == .ssid)
@ -404,6 +442,7 @@ extension TunnelDetailTableViewController {
                let cell: KeyValueCell = tableView.dequeueReusableCell(for: indexPath)
                cell.key = field.localizedUIString
                cell.value = onDemandViewModel.ssidOption.localizedUIString
+                cell.copyableGesture = false
                return cell
            } else {
                let cell: ChevronCell = tableView.dequeueReusableCell(for: indexPath)
--- a/Sources/WireGuardApp/UI/iOS/ViewController/TunnelEditTableViewController.swift
+++ b/Sources/WireGuardApp/UI/iOS/ViewController/TunnelEditTableViewController.swift
@ -1,9 +1,9 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit

-protocol TunnelEditTableViewControllerDelegate: class {
+protocol TunnelEditTableViewControllerDelegate: AnyObject {
    func tunnelSaved(tunnel: TunnelContainer)
    func tunnelEditingCancelled()
 }
@ -127,10 +127,10 @@ class TunnelEditTableViewController: UITableViewController {
            } else {
                // We're adding a new tunnel
                tunnelsManager.add(tunnelConfiguration: tunnelConfiguration, onDemandOption: onDemandOption) { [weak self] result in
-                    if let error = result.error {
+                    switch result {
+                    case .failure(let error):
                        ErrorPresenter.showErrorAlert(error: error, from: self)
-                    } else {
-                        let tunnel: TunnelContainer = result.value!
+                    case .success(let tunnel):
                        self?.dismiss(animated: true, completion: nil)
                        self?.delegate?.tunnelSaved(tunnel: tunnel)
                    }
@ -214,7 +214,7 @@ extension TunnelEditTableViewController {
        cell.onTapped = { [weak self] in
            guard let self = self else { return }

-            self.tunnelViewModel.interfaceData[.privateKey] = Curve25519.generatePrivateKey().base64Key() ?? ""
+            self.tunnelViewModel.interfaceData[.privateKey] = PrivateKey().base64Key
            if let privateKeyRow = self.interfaceFieldsBySection[indexPath.section].firstIndex(of: .privateKey),
                let publicKeyRow = self.interfaceFieldsBySection[indexPath.section].firstIndex(of: .publicKey) {
                let privateKeyIndex = IndexPath(row: privateKeyRow, section: indexPath.section)
@ -266,7 +266,7 @@ extension TunnelEditTableViewController {
                guard let self = self else { return }
                let isAllowedIPsChanged = self.tunnelViewModel.updateDNSServersInAllowedIPsIfRequired(oldDNSServers: oldValue, newDNSServers: newValue)
                if isAllowedIPsChanged {
-                    let section = self.sections.firstIndex { if case .peer(_) = $0 { return true } else { return false } }
+                    let section = self.sections.firstIndex { if case .peer = $0 { return true } else { return false } }
                    if let section = section, let row = self.peerFields.firstIndex(of: .allowedIPs) {
                        self.tableView.reloadRows(at: [IndexPath(row: row, section: section)], with: .none)
                    }
@ -318,7 +318,7 @@ extension TunnelEditTableViewController {
                let removedSectionIndices = self.deletePeer(peer: peerData)
                let shouldShowExcludePrivateIPs = (self.tunnelViewModel.peersData.count == 1 && self.tunnelViewModel.peersData[0].shouldAllowExcludePrivateIPsControl)

-                //swiftlint:disable:next trailing_closure
+                // swiftlint:disable:next trailing_closure
                tableView.performBatchUpdates({
                    self.tableView.deleteSections(removedSectionIndices, with: .fade)
                    if shouldShowExcludePrivateIPs {
--- a/Sources/WireGuardApp/UI/iOS/ViewController/TunnelsListTableViewController.swift
+++ b/Sources/WireGuardApp/UI/iOS/ViewController/TunnelsListTableViewController.swift
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.

 import UIKit
 import MobileCoreServices
@ -32,7 +32,8 @@ class TunnelsListTableViewController: UIViewController {
    }()

    let busyIndicator: UIActivityIndicatorView = {
-        let busyIndicator = UIActivityIndicatorView(style: .gray)
+        let busyIndicator: UIActivityIndicatorView
+        busyIndicator = UIActivityIndicatorView(style: .medium)
        busyIndicator.hidesWhenStopped = true
        return busyIndicator
    }()
@ -46,7 +47,7 @@ class TunnelsListTableViewController: UIViewController {

    override func loadView() {
        view = UIView()
-        view.backgroundColor = .white
+        view.backgroundColor = .systemBackground

        tableView.dataSource = self
        tableView.delegate = self
@ -178,7 +179,7 @@ class TunnelsListTableViewController: UIViewController {
    func presentViewControllerForTunnelCreation(tunnelsManager: TunnelsManager) {
        let editVC = TunnelEditTableViewController(tunnelsManager: tunnelsManager)
        let editNC = UINavigationController(rootViewController: editVC)
-        editNC.modalPresentationStyle = .formSheet
+        editNC.modalPresentationStyle = .fullScreen
        present(editNC, animated: true)
    }

@ -251,6 +252,24 @@ class TunnelsListTableViewController: UIViewController {
            }
        }
    }
+
+    func showTunnelDetail(for tunnel: TunnelContainer, animated: Bool) {
+        guard let tunnelsManager = tunnelsManager else { return }
+        guard let splitViewController = splitViewController else { return }
+        guard let navController = navigationController else { return }
+
+        let tunnelDetailVC = TunnelDetailTableViewController(tunnelsManager: tunnelsManager,
+                                                             tunnel: tunnel)
+        let tunnelDetailNC = UINavigationController(rootViewController: tunnelDetailVC)
+        tunnelDetailNC.restorationIdentifier = "DetailNC"
+        if splitViewController.isCollapsed && navController.viewControllers.count > 1 {
+            navController.setViewControllers([self, tunnelDetailNC], animated: animated)
+        } else {
+            splitViewController.showDetailViewController(tunnelDetailNC, sender: self, animated: animated)
+        }
+        detailDisplayedTunnel = tunnel
+        self.presentedViewController?.dismiss(animated: false, completion: nil)
+    }
 }

 extension TunnelsListTableViewController: UIDocumentPickerDelegate {
@ -264,9 +283,10 @@ extension TunnelsListTableViewController: QRScanViewControllerDelegate {
    func addScannedQRCode(tunnelConfiguration: TunnelConfiguration, qrScanViewController: QRScanViewController,
                          completionHandler: (() -> Void)?) {
        tunnelsManager?.add(tunnelConfiguration: tunnelConfiguration) { result in
-            if let error = result.error {
+            switch result {
+            case .failure(let error):
                ErrorPresenter.showErrorAlert(error: error, from: qrScanViewController, onDismissal: completionHandler)
-            } else {
+            case .success:
                completionHandler?()
            }
        }
@ -289,10 +309,18 @@ extension TunnelsListTableViewController: UITableViewDataSource {
            cell.tunnel = tunnel
            cell.onSwitchToggled = { [weak self] isOn in
                guard let self = self, let tunnelsManager = self.tunnelsManager else { return }
-                if isOn {
-                    tunnelsManager.startActivation(of: tunnel)
+                if tunnel.hasOnDemandRules {
+                    tunnelsManager.setOnDemandEnabled(isOn, on: tunnel) { error in
+                        if error == nil && !isOn {
+                            tunnelsManager.startDeactivation(of: tunnel)
+                        }
+                    }
                } else {
-                    tunnelsManager.startDeactivation(of: tunnel)
+                    if isOn {
+                        tunnelsManager.startActivation(of: tunnel)
+                    } else {
+                        tunnelsManager.startDeactivation(of: tunnel)
+                    }
                }
            }
        }
@ -308,12 +336,7 @@ extension TunnelsListTableViewController: UITableViewDelegate {
        }
        guard let tunnelsManager = tunnelsManager else { return }
        let tunnel = tunnelsManager.tunnel(at: indexPath.row)
-        let tunnelDetailVC = TunnelDetailTableViewController(tunnelsManager: tunnelsManager,
-                                                             tunnel: tunnel)
-        let tunnelDetailNC = UINavigationController(rootViewController: tunnelDetailVC)
-        tunnelDetailNC.restorationIdentifier = "DetailNC"
-        showDetailViewController(tunnelDetailNC, sender: self) // Shall get propagated up to the split-vc
-        detailDisplayedTunnel = tunnel
+        showTunnelDetail(for: tunnel, animated: true)
    }

    func tableView(_ tableView: UITableView, didDeselectRowAt indexPath: IndexPath) {
@ -375,7 +398,7 @@ extension TunnelsListTableViewController: TunnelsManagerListDelegate {
                (splitViewController.viewControllers[0] as? UINavigationController)?.popToRootViewController(animated: false)
            } else {
                let detailVC = UIViewController()
-                detailVC.view.backgroundColor = .white
+                detailVC.view.backgroundColor = .systemBackground
                let detailNC = UINavigationController(rootViewController: detailVC)
                splitViewController.showDetailViewController(detailNC, sender: self)
            }
@ -386,3 +409,15 @@ extension TunnelsListTableViewController: TunnelsManagerListDelegate {
        }
    }
 }
+
+extension UISplitViewController {
+    func showDetailViewController(_ viewController: UIViewController, sender: Any?, animated: Bool) {
+        if animated {
+            showDetailViewController(viewController, sender: sender)
+        } else {
+            UIView.performWithoutAnimation {
+                showDetailViewController(viewController, sender: sender)
+            }
+        }
+    }
+}
--- a/Sources/WireGuardApp/UI/iOS/WireGuard.entitlements
+++ b/Sources/WireGuardApp/UI/iOS/WireGuard.entitlements
--- a/Sources/WireGuardApp/UI/macOS/AppDelegate.swift
+++ b/Sources/WireGuardApp/UI/macOS/AppDelegate.swift
@ -0,0 +1,236 @@
+// SPDX-License-Identifier: MIT
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
+
+import Cocoa
+import ServiceManagement
+
+@NSApplicationMain
+class AppDelegate: NSObject, NSApplicationDelegate {
+
+    var tunnelsManager: TunnelsManager?
+    var tunnelsTracker: TunnelsTracker?
+    var statusItemController: StatusItemController?
+
+    var manageTunnelsRootVC: ManageTunnelsRootViewController?
+    var manageTunnelsWindowObject: NSWindow?
+    var onAppDeactivation: (() -> Void)?
+
+    func applicationWillFinishLaunching(_ notification: Notification) {
+        // To workaround a possible AppKit bug that causes the main menu to become unresponsive sometimes
+        // (especially when launched through Xcode) if we call setActivationPolicy(.regular) in
+        // in applicationDidFinishLaunching, we set it to .prohibited here.
+        // Setting it to .regular would fix that problem too, but at this point, we don't know
+        // whether the app was launched at login or not, so we're not sure whether we should
+        // show the app icon in the dock or not.
+        NSApp.setActivationPolicy(.prohibited)
+    }
+
+    func applicationDidFinishLaunching(_ aNotification: Notification) {
+        Logger.configureGlobal(tagged: "APP", withFilePath: FileManager.logFileURL?.path)
+        registerLoginItem(shouldLaunchAtLogin: true)
+
+        var isLaunchedAtLogin = false
+        if let appleEvent = NSAppleEventManager.shared().currentAppleEvent {
+            isLaunchedAtLogin = LaunchedAtLoginDetector.isLaunchedAtLogin(openAppleEvent: appleEvent)
+        }
+
+        NSApp.mainMenu = MainMenu()
+        setDockIconAndMainMenuVisibility(isVisible: !isLaunchedAtLogin)
+
+        TunnelsManager.create { [weak self] result in
+            guard let self = self else { return }
+
+            switch result {
+            case .failure(let error):
+                ErrorPresenter.showErrorAlert(error: error, from: nil)
+            case .success(let tunnelsManager):
+                let statusMenu = StatusMenu(tunnelsManager: tunnelsManager)
+                statusMenu.windowDelegate = self
+
+                let statusItemController = StatusItemController()
+                statusItemController.statusItem.menu = statusMenu
+
+                let tunnelsTracker = TunnelsTracker(tunnelsManager: tunnelsManager)
+                tunnelsTracker.statusMenu = statusMenu
+                tunnelsTracker.statusItemController = statusItemController
+
+                self.tunnelsManager = tunnelsManager
+                self.tunnelsTracker = tunnelsTracker
+                self.statusItemController = statusItemController
+
+                if !isLaunchedAtLogin {
+                    self.showManageTunnelsWindow(completion: nil)
+                }
+            }
+        }
+    }
+
+    @objc func confirmAndQuit() {
+        let alert = NSAlert()
+        alert.messageText = tr("macConfirmAndQuitAlertMessage")
+        if let currentTunnel = tunnelsTracker?.currentTunnel, currentTunnel.status == .active || currentTunnel.status == .activating {
+            alert.informativeText = tr(format: "macConfirmAndQuitInfoWithActiveTunnel (%@)", currentTunnel.name)
+        } else {
+            alert.informativeText = tr("macConfirmAndQuitAlertInfo")
+        }
+        alert.addButton(withTitle: tr("macConfirmAndQuitAlertCloseWindow"))
+        alert.addButton(withTitle: tr("macConfirmAndQuitAlertQuitWireGuard"))
+
+        NSApp.activate(ignoringOtherApps: true)
+        if let manageWindow = manageTunnelsWindowObject {
+            manageWindow.orderFront(self)
+            alert.beginSheetModal(for: manageWindow) { response in
+                switch response {
+                case .alertFirstButtonReturn:
+                    manageWindow.close()
+                case .alertSecondButtonReturn:
+                    NSApp.terminate(nil)
+                default:
+                    break
+                }
+            }
+        }
+    }
+
+    @objc func quit() {
+        if let manageWindow = manageTunnelsWindowObject, manageWindow.attachedSheet != nil {
+            NSApp.activate(ignoringOtherApps: true)
+            manageWindow.orderFront(self)
+            return
+        }
+        registerLoginItem(shouldLaunchAtLogin: false)
+        guard let currentTunnel = tunnelsTracker?.currentTunnel, currentTunnel.status == .active || currentTunnel.status == .activating else {
+            NSApp.terminate(nil)
+            return
+        }
+        let alert = NSAlert()
+        alert.messageText = tr("macAppExitingWithActiveTunnelMessage")
+        alert.informativeText = tr("macAppExitingWithActiveTunnelInfo")
+        NSApp.activate(ignoringOtherApps: true)
+        if let manageWindow = manageTunnelsWindowObject {
+            manageWindow.orderFront(self)
+            alert.beginSheetModal(for: manageWindow) { _ in
+                NSApp.terminate(nil)
+            }
+        } else {
+            alert.runModal()
+            NSApp.terminate(nil)
+        }
+    }
+
+    func applicationShouldTerminate(_ sender: NSApplication) -> NSApplication.TerminateReply {
+        guard let currentTunnel = tunnelsTracker?.currentTunnel, currentTunnel.status == .active || currentTunnel.status == .activating else {
+            return .terminateNow
+        }
+        guard let appleEvent = NSAppleEventManager.shared().currentAppleEvent else {
+            return .terminateNow
+        }
+        guard MacAppStoreUpdateDetector.isUpdatingFromMacAppStore(quitAppleEvent: appleEvent) else {
+            return .terminateNow
+        }
+        let alert = NSAlert()
+        alert.messageText = tr("macAppStoreUpdatingAlertMessage")
+        if currentTunnel.isActivateOnDemandEnabled {
+            alert.informativeText = tr(format: "macAppStoreUpdatingAlertInfoWithOnDemand (%@)", currentTunnel.name)
+        } else {
+            alert.informativeText = tr(format: "macAppStoreUpdatingAlertInfoWithoutOnDemand (%@)", currentTunnel.name)
+        }
+        NSApp.activate(ignoringOtherApps: true)
+        if let manageWindow = manageTunnelsWindowObject {
+            alert.beginSheetModal(for: manageWindow) { _ in }
+        } else {
+            alert.runModal()
+        }
+        return .terminateCancel
+    }
+
+    func applicationShouldTerminateAfterLastWindowClosed(_ application: NSApplication) -> Bool {
+        DispatchQueue.main.asyncAfter(deadline: .now() + .milliseconds(200)) { [weak self] in
+            self?.setDockIconAndMainMenuVisibility(isVisible: false)
+        }
+        return false
+    }
+
+    private func setDockIconAndMainMenuVisibility(isVisible: Bool, completion: (() -> Void)? = nil) {
+        let currentActivationPolicy = NSApp.activationPolicy()
+        let newActivationPolicy: NSApplication.ActivationPolicy = isVisible ? .regular : .accessory
+        guard currentActivationPolicy != newActivationPolicy else {
+            if newActivationPolicy == .regular {
+                NSApp.activate(ignoringOtherApps: true)
+            }
+            completion?()
+            return
+        }
+        if newActivationPolicy == .regular && NSApp.isActive {
+            // To workaround a possible AppKit bug that causes the main menu to become unresponsive,
+            // we should deactivate the app first and then set the activation policy.
+            // NSApp.deactivate() doesn't always deactivate the app, so we instead use
+            // setActivationPolicy(.prohibited).
+            onAppDeactivation = {
+                NSApp.setActivationPolicy(.regular)
+                NSApp.activate(ignoringOtherApps: true)
+                completion?()
+            }
+            NSApp.setActivationPolicy(.prohibited)
+        } else {
+            NSApp.setActivationPolicy(newActivationPolicy)
+            if newActivationPolicy == .regular {
+                NSApp.activate(ignoringOtherApps: true)
+            }
+            completion?()
+        }
+    }
+
+    func applicationDidResignActive(_ notification: Notification) {
+        onAppDeactivation?()
+        onAppDeactivation = nil
+    }
+}
+
+extension AppDelegate {
+    @objc func aboutClicked() {
+        var appVersion = Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String ?? "Unknown"
+        if let appBuild = Bundle.main.infoDictionary?["CFBundleVersion"] as? String {
+            appVersion += " (\(appBuild))"
+        }
+        let appVersionString = [
+            tr(format: "macAppVersion (%@)", appVersion),
+            tr(format: "macGoBackendVersion (%@)", WIREGUARD_GO_VERSION)
+        ].joined(separator: "\n")
+        NSApp.activate(ignoringOtherApps: true)
+        NSApp.orderFrontStandardAboutPanel(options: [
+            .applicationVersion: appVersionString,
+            .version: "",
+            .credits: ""
+        ])
+    }
+}
+
+extension AppDelegate: StatusMenuWindowDelegate {
+    func showManageTunnelsWindow(completion: ((NSWindow?) -> Void)?) {
+        guard let tunnelsManager = tunnelsManager else {
+            completion?(nil)
+            return
+        }
+        if manageTunnelsWindowObject == nil {
+            manageTunnelsRootVC = ManageTunnelsRootViewController(tunnelsManager: tunnelsManager)
+            let window = NSWindow(contentViewController: manageTunnelsRootVC!)
+            window.title = tr("macWindowTitleManageTunnels")
+            window.setContentSize(NSSize(width: 800, height: 480))
+            window.setFrameAutosaveName(NSWindow.FrameAutosaveName("ManageTunnelsWindow")) // Auto-save window position and size
+            manageTunnelsWindowObject = window
+            tunnelsTracker?.manageTunnelsRootVC = manageTunnelsRootVC
+        }
+        setDockIconAndMainMenuVisibility(isVisible: true) { [weak manageTunnelsWindowObject] in
+            manageTunnelsWindowObject?.makeKeyAndOrderFront(self)
+            completion?(manageTunnelsWindowObject)
+        }
+    }
+}
+
+@discardableResult
+func registerLoginItem(shouldLaunchAtLogin: Bool) -> Bool {
+    let appId = Bundle.main.bundleIdentifier!
+    let helperBundleId = "\(appId).login-item-helper"
+    return SMLoginItemSetEnabled(helperBundleId as CFString, shouldLaunchAtLogin)
+}
--- a/Sources/WireGuardApp/UI/macOS/Application.swift
+++ b/Sources/WireGuardApp/UI/macOS/Application.swift
@ -0,0 +1,19 @@
+// SPDX-License-Identifier: MIT
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
+
+import Cocoa
+
+class Application: NSApplication {
+
+    private var appDelegate: AppDelegate? // swiftlint:disable:this weak_delegate
+
+    override init() {
+        super.init()
+        appDelegate = AppDelegate() // Keep a strong reference to the app delegate
+        delegate = appDelegate // Set delegate before app.run() gets called in NSApplicationMain()
+    }
+
+    required init?(coder: NSCoder) {
+        fatalError("init(coder:) has not been implemented")
+    }
+}
--- a/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/Contents.json
+++ b/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/Contents.json
@ -65,4 +65,4 @@
    "version" : 1,
    "author" : "xcode"
  }
-}
+}
--- a/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon.png
+++ b/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon.png
--- a/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon128.png
+++ b/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon128.png
--- a/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon16.png
+++ b/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon16.png
--- a/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon256-1.png
+++ b/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon256-1.png
--- a/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon256.png
+++ b/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon256.png
--- a/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon32-1.png
+++ b/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon32-1.png
--- a/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon32.png
+++ b/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon32.png
--- a/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon512-1.png
+++ b/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon512-1.png
--- a/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon512.png
+++ b/Sources/WireGuardApp/UI/macOS/Assets.xcassets/AppIcon.appiconset/WireGuardMacAppIcon512.png
--- a/Show More
+++ b/Show More